I’m trying to teach myself a really basic ‘crash course’ on the basics of a hybrid environment in terms of Azure and on-prem AD, specific to user accounts, access/permissions and the administration thereof.
As an end-user, we use SharePoint Online and Exchange Online for email/document management services, but the majority of other line of business apps and legacy file storage is located on internal servers that are joined to a 'local' AD (perhaps not the correct phrase?).
Based on the overall architecture of our IT services, there are some very basic questions I would benefit from some help with:
- Does such a setup have a technical name in the industry? e.g. hybrid AD?
- Does it mean the users will likely actually require x2 accounts, one for governing access to the online 365 apps, and one for governing access to the on-prem infrastructure? I’m guessing it can only be x1 account as we don’t have multiple passwords/account names, but that may be due to some form of synchronization between the two systems?
- What would you refer to the two types of accounts as, as an AD support engineer?
- When a user leaves a company, does the Admin have to disable x2 accounts, one for the 365 access such as Exchange/SharePoint, and the on-prem AD account, or if they are synched can they disable just the on-prem AD account, or just the account in Azure AD?
- Under what circumstances/for what types of users and access would an account only be created in Azure AD? As opposed to created in the on-prem AD system?
- Would all on-prem AD accounts be ‘synched’ to Azure AD, or only specific accounts?
- Where do you perform basics like password resets? Or can you do this in either Azure AD or on-prem AD and it synchronizes between both AD databases? Or would there be some accounts which need reset in Azure and others on-prem?
- If you create an account in Azure AD, is that then synched with local-AD ?
