Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Azure AD connect - a few questions

Copper Contributor

I've used Azure AD connect for two clients of mine on a very limited test basis and it now has me asking myself several questions I'm hoping someone can answer for me.

 

I understand the concept of Azure AD connect and I've read in KB articles about the benefits.  One is the sync options (keeping local AD and Azure AD users and their passwords in sync).  Easier to manage overall (as opposed to having to manage local AD users/passwords, and Azure users & passwords).

 

What I was and wasn't aware of:  On the local AD, all the users have cheap not-strong passwords.  Passwords they have been using for years.  No password policy for the local AD.  I wasn't aware, until after I did my 1st sync - that all those local AD passwords would replace the Azure user passwords (which stemmed from their Office 365 subscription).  That would explain why the test users contacted me saying "my outlook is nagging me for a password, and I'm using my office 365 password, but it doesn't work" - and I'd tell them to use their computer password because their computer is in a domain environment, thus the local AD password, which is now synced with their Azure account.

 

OK - lesson learned.  Now I shall implement a password policy so the user will be forced to make a strong password.  I wish I knew this ahead of time as I would have set up a policy on my local AD and forced everyone to redo their passwords.  

 

Moving on - I've noticed that Azure AD joined devices don't show up my local AD devices/computers.  Aww, I'm not using Device Writeback.  And since I'm not and this new Windows 10 machine which is Azure AD joined, but not showing up in my local AD devices/computers - well, my local AD doesn't even know it exists, thus, it's running in batch files during login to map network drives.  OK, I understand.  I can run the batch file manually for a few computers as I set them up - but I don't want to do it for 100 users!  So I should be using Device Writeback in my Azure AD Connect tool.  That should solve that problem.

 

Sorry, I don't really have any technical questions.  More ranting a conversation here.  Any other hidden tips I should be aware of before rolling this out for an entire company?  I've read just about everything possible on the Azure AD Connect, but as I do more stuff, I find more stuff I've never read about.  I'm sure there are some hidden tricks, secrets, and other stuff hiding (if you do this, that will happen, which in turn will cause this/that to happen too - so be aware).

 

Thanks for listening.

1 Reply
Tips:
Use Seamless SSO when configuring ADConnect.

Sync AD Devices to Cloud so you can use Intune policies for hybrid config.

Make sure you check proxyaddress and mail attributes (on prem) before syncing existing user in cloud and learn more about soft/hard match if you have existing users in cloud.

Hope it helps!
Moe