Forum Discussion
Rebuild Azure AD Connect and Hybrid
There was a security breach through ransomware on the local company servers, and Azure AD Connect is not working anymore. It is not possible for the users to sign in to the cloud. How can I rebuild the hybrid environment and set up Azure AD Connect again? How can I avoid such hacking attacks in the future?
Hi AtanasM,
I wrote some instructions on enabling AAD Connect with PHS, compared to Cloud Sync (if plausible for you): Section 4 – Implement an Identity Management Solution – Implement and manage hybrid identity – AADC, Cloud Sync and PHS – Set-AzWebApp -name "Anything Microsoft and other stuff on the side" (cloudpartner.fi)
And for PTA, SSO and ADFS integration: Section 5 – Implement an Identity Management Solution – Implement and manage hybrid identity – PTA, SSO and ADFS – Set-AzWebApp -name "Anything Microsoft and other stuff on the side" (cloudpartner.fi)
The first security practices are to use the new Hybrid Administrator as the sync account and to treat your AAD Connect servers as Tier 0 servers, just like domain controllers and ADFS.
Never give too many rights to anyone, and use separate accounts, preferably gMSA accounts, not individual users.
Hope this helps,
- Ruslan_Khabibulin (Copper Contributor)
Hello AtanasM!
What authentication model are you using (PHS/PTA/Federation)? Based on your description that users can't log in, it's probably not PHS. Are the federation servers or PTA agent servers available? Maybe the better option is to build a new server, make that the primary, and then remove AAD Connect from the current one.
P.S. You can use PHS as a failover to PTA and federation.
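To make the two replies above concrete (check the tenant's authentication model, confirm the staging state of each AAD Connect server, and retire the compromised server without it exporting again), here is an added PowerShell example; it is not code from either poster. It assumes the ADSync module that ships with AAD Connect, the Microsoft.Graph PowerShell SDK with Domain.Read.All consent, and RSAT's ActiveDirectory module for the gMSA step; `corp.example` and `AADC02` are placeholder names.

```powershell
# Added example, not from the thread. Placeholders: corp.example, AADC02.
Import-Module ADSync
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# 1. Which model is the tenant on? Federated domains depend on ADFS / PTA agents
#    being reachable; "Managed" domains with PHS keep cloud sign-in working even
#    while the sync server is down, which is why PHS is the usual failover.
Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null
Get-MgDomain | Where-Object IsVerified |
    Select-Object Id, AuthenticationType, IsDefault | Format-Table -AutoSize

# 2. State of this AAD Connect server. A server in staging mode imports and
#    syncs but never exports, so a rebuilt server is safe to bring up this way.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    StagingMode      = $sched.StagingModeEnabled
    SchedulerEnabled = $sched.SyncCycleEnabled
    NextCycleUtc     = $sched.NextSyncCycleStartTimeInUTC
}

# 3. On the compromised server being retired: stop the scheduler so it cannot
#    export while the new server is promoted, then wait until no run is active.
Set-ADSyncScheduler -SyncCycleEnabled $false
while ($null -ne (Get-ADSyncConnectorRunStatus)) {
    Write-Host 'Connector run still in progress, waiting...'
    Start-Sleep -Seconds 15
}
# Staging mode itself is switched in the AAD Connect wizard (Configure >
# Configure staging mode) on both servers; after promoting the new one:
# Start-ADSyncSyncCycle -PolicyType Initial

# 4. gMSA for the sync service (run on a DC or RSAT workstation as a Tier 0
#    admin), so the service does not run under a single user's credentials.
Import-Module ActiveDirectory
New-ADServiceAccount -Name 'gmsa-aadc' `
    -DNSHostName 'gmsa-aadc.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AADC02$'
Test-ADServiceAccount -Identity 'gmsa-aadc'   # run on AADC02 itself: expects True
```

Select the gMSA in the AAD Connect installation wizard ("Use an existing service account"), and keep the old server off the network until its connector space has been removed from the tenant.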