Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is Azure AD Connect: How it Works and Best Practices

Organizations that use Microsoft cloud services such as Microsoft 365, Teams, SharePoint Online and OneDrive for Business, may also need to maintain an on-premise Active Directory environment.

Perhaps they are still using legacy software, and migrating to a different platform would take too long and require too many resources.

Alternatively, they might not feel comfortable storing large amounts of classified information in the cloud. Whatever the reason, it’s not really practical for them to ask their users to maintain two separate identities. This is where Azure AD Connect comes in.

What is Azure AD Connect?

Azure AD Connect is a Microsoft tool designed for organizations with hybrid IT environments. It automatically synchronizes identity data (user accounts, groups, credential hashes, User Principal Names and security identifiers) between the on-premise Active Directory environment and Azure AD. This enables single sign-on: users can use the same credentials to access both on-premises applications and cloud services such as Microsoft 365.

Azure AD Connect comprises the following technologies:

  • Azure AD Connect Health: This offers end-to-end monitoring and analysis of Azure AD Connect and of the other components of a hybrid Active Directory environment.
  • Azure AD Connect Sync: The primary component of Azure AD Connect. The Azure AD Connect Synchronization Service (Sync) handles every operation involved in linking on-premise user identity data with the data held in the cloud.
  • Active Directory Federation Services (ADFS): ADFS unifies identity and access management services across platforms.
  • PHS/PTA/SSSO provisioning connector: This covers the authentication methods used to confirm user identity: password hash synchronization (PHS), pass-through authentication (PTA) and seamless single sign-on (SSSO).

How Does Azure AD Connect Work?

The default installation option for Azure AD Connect is Express, which covers the most common scenario: a single-forest topology with fewer than 100,000 objects in the on-premise Active Directory. The Custom installation option supports additional scenarios and is the one to use if, for example, you have multiple forests or more than 100,000 objects in your Active Directory.

By default, the sync is one way: from on-premise AD to Azure AD. However, you can configure the writeback function to sync changes the other way round. That way, for example, if a user changes their password using the Azure AD self-service password management function, the password will be updated in the on-premises AD.

Best Practices for Using Azure AD Connect

1. Protect the Server Running Azure AD Connect

Make sure that the server running the Azure AD Connect agent is properly secured. Limit which accounts are able to log on to the server, especially those with local administrative rights. You will also need to control physical access to the server and enforce a strong password policy. If you need to allow other users to access the Azure AD Connect Sync tool, you can add them to the ADSyncAdmins group on the local server. As always, check that they really need access to the tool before doing so.

2. Determine Which User and Group Objects Can Sync to Azure AD

By default, all user and group objects will be synced to Azure AD. However, many on-premise groups don’t actually need to be synced to the cloud. In fact, many of them may no longer be required. It’s a good idea to remove any redundant groups from your on-premise AD, regardless of whether you are using Azure AD Connect or not. You can also use the sync engine’s filtering capabilities to exclude any groups that are not relevant. It’s also a good idea to temporarily disable the scheduled sync task before making any important changes, as this will prevent any mistakes from being automatically synced between Azure AD and your on-premise environment.

3. Don’t Sync On-Premises Admin Groups to Azure AD

There’s no reason to sync admin groups to Azure AD as they are specific to your on-premise environment, and are thus not relevant to your cloud environment. In fact, doing so will only introduce unnecessary risks as more potential adversaries will know which groups (and thus administrators) to target.
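An audit for this, added here as an example and not part of the Lepide post: it lists synced groups in Azure AD whose on-premises SID identifies a built-in privileged group. It assumes the Microsoft Graph PowerShell SDK is installed; the RID lookup table is constructed from well-known Windows SIDs, and the function name is my own.

```powershell
# Added example: find on-premises admin groups that have been synced into Azure AD.
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller can consent
# to Group.Read.All. Groups are matched by well-known SID/RID rather than display
# name, so a renamed Domain Admins group is still caught.
Connect-MgGraph -Scopes 'Group.Read.All'

# Constructed lookup of well-known RIDs (the last component of the on-prem SID).
$privilegedRids = @{
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
}
$builtinAdminsSid = 'S-1-5-32-544'   # built-in Administrators group

function Find-SyncedAdminGroups {
    # Only groups that came from on-premises carry an OnPremisesSecurityIdentifier.
    $synced = Get-MgGroup -All -Property DisplayName,OnPremisesSyncEnabled,OnPremisesSecurityIdentifier |
        Where-Object { $_.OnPremisesSyncEnabled -eq $true -and $_.OnPremisesSecurityIdentifier }

    foreach ($g in $synced) {
        $sid = $g.OnPremisesSecurityIdentifier
        $rid = $sid.Split('-')[-1]
        $knownAs = $null
        if ($sid -eq $builtinAdminsSid)            { $knownAs = 'Administrators' }
        elseif ($privilegedRids.ContainsKey($rid)) { $knownAs = $privilegedRids[$rid] }

        if ($knownAs) {
            [pscustomobject]@{
                DisplayName = $g.DisplayName
                OnPremSid   = $sid
                KnownAs     = $knownAs
            }
        }
    }
}

$findings = @(Find-SyncedAdminGroups)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) on-premises admin group(s) are synced; tighten the sync filtering:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No built-in on-premises admin groups found among synced groups.'
}
```

Any hit should be removed from the sync scope with the sync engine's filtering (OU or attribute filtering) rather than by deleting the group in Azure AD, which would simply be re-created on the next cycle.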

4. Ensure that the Synchronization Cycle is Run at Least Once Every 7 Days

By default, a synchronization cycle is run every 30 minutes. Microsoft recommends that if you choose to modify the synchronization cycle, for whatever reason, you make sure it still runs at least once every 7 days. A failure to do so might lead to issues that can only be resolved by running a full synchronization, which can take a long time to complete.
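The following PowerShell, added here as an example rather than taken from the post, checks the scheduler on the Azure AD Connect server against the 7-day rule above and shows the pause-then-resume pattern recommended in best practice 2. It uses the ADSync module that ships with Azure AD Connect; the 7-day limit comes from the post, while the function names and warning text are my own.

```powershell
# Added example: audit the Azure AD Connect scheduler and pause it safely around changes.
# Runs on the Azure AD Connect server; the ADSync module is installed with the product.
Import-Module ADSync

$maxInterval = New-TimeSpan -Days 7   # upper bound quoted in the post (best practice 4)

function Test-ADSyncSchedulerHealth {
    $sched = Get-ADSyncScheduler
    Write-Host "Sync cycle enabled : $($sched.SyncCycleEnabled)"
    Write-Host "Effective interval : $($sched.CurrentlyEffectiveSyncCycleInterval)"
    Write-Host "Next cycle (UTC)   : $($sched.NextSyncCycleStartTimeInUTC) [$($sched.NextSyncCyclePolicyType)]"

    if (-not $sched.SyncCycleEnabled) {
        Write-Warning 'Scheduled sync is disabled: nothing syncs until it is re-enabled.'
    }
    if ($sched.CurrentlyEffectiveSyncCycleInterval -gt $maxInterval) {
        Write-Warning 'Effective interval exceeds 7 days; expect to need a full (Initial) sync.'
    }
    if ($sched.NextSyncCyclePolicyType -eq 'Initial') {
        Write-Warning 'Next cycle is a full sync, which can take a long time on a large directory.'
    }
    return $sched
}

# Best practice 2: pause scheduled sync before bulk on-premises changes so mistakes
# can be caught locally, then resume and push a delta once the changes are verified.
function Invoke-ChangeWindow {
    param([scriptblock]$Changes)   # the on-premises work (and its verification) to do while paused

    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is running; wait for it to finish before pausing the scheduler.'
    }
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        & $Changes
    }
    finally {
        # Always re-enable, even if the changes failed, so the 7-day rule is not breached by accident.
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
    Start-ADSyncSyncCycle -PolicyType Delta
}

Test-ADSyncSchedulerHealth | Out-Null
# Usage: Invoke-ChangeWindow -Changes { <# edit groups or OUs here, then review them #> }
```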

5. Don’t Assume that AD Connect Will Serve as a Reliable Backup & Recovery Solution

While it is true that Azure AD Connect will sync your cloud data with your on-premise AD environment, it should not be seen as a reliable backup and recovery solution. The issue is that Azure AD objects contain attributes that are specific to the cloud services that use them.

Were you to accidentally delete an object in Azure AD and then try to restore it from a backup of your on-premise environment, those attributes would be lost, and the restored objects would not be accessible to Microsoft 365, Teams, SharePoint Online, OneDrive and other cloud-based services. The same problem arises when you delete an object’s attributes rather than the object itself. As such, it is crucially important that you use an enterprise-grade backup and recovery solution rather than relying on Azure AD Connect.

6. Protect Azure AD Accounts with Admin-Level Privileges

Ensure that all admin accounts are assigned to pre-defined roles. Since a Global Administrator account will have access to all administrative settings in your Azure AD environment, ensure that no more than five people are assigned to this role. Use multi-factor authentication (MFA), identity access management (IAM), and a real-time change auditing solution to protect the Global Administrator account, and other accounts with admin-level privileges.

If you’d like to see how Lepide Azure AD auditor can audit Azure Active Directory changes, schedule a demo with one of our engineers.