User Profile
rosaliod
Brass Contributor
Joined 7 years ago
Recent Discussions
Re: Write user data back to onpremise AD
Hello Stefan, This is not possible today. AAD Connect primarily syncs identities from on-prem AD to Azure AD. There are some write-back capabilities, but these are features like device write-back, Exchange hybrid write-back, password write-back and other attributes such as msDS-KeyCredentialLink for when a user provisions Windows Hello for Business. You will need to provide a way for your users to update the local directory so that the information is then synced to Azure AD.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized

Re: Migration from AD FS 2012 to 2019 Prerequisites
Hello, The document that is out there for upgrading to ADFS 2016 also applies when upgrading to ADFS 2019: Upgrading a Windows Server 2012 R2 or 2016 AD FS farm to Windows Server 2019.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server

Re: Azure AD Identity Protection Policies Powershell
Hello, I don't believe the capability to manage AAD Identity Protection policies is provided with the Azure AD PowerShell module. There is also no way to manage policies with MS Graph; however, there is the capability to monitor risk data using this API preview feature.
https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta

Re: Azure tenant restriction headers setup
Hello, The use case for AAD tenant restrictions is to prevent your on-premises users from accessing SaaS apps from AAD tenants other than your own. Yes, you will need some form of proxy server to add the 2 required HTTP headers to the request to AAD during authentication. This is what allows AAD to know which tenants to permit for authentication. You can read more about the feature in the link below.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions

Re: Using onPremisesDistinguishedName Attribute in Group Base License (GBL)
Hey there. You wouldn't be able to directly use the on-prem DN for dynamic membership. What you can do, though, is use an AAD Connect custom sync rule to write the DN to one of the extension attributes and in turn configure a dynamic membership rule using that specific extension attribute.

Re: Replace multi forest on prem ADs with AAD
This is correct: you can only have one AAD Connect server syncing to an AAD tenant at any given time. However, you don't need a trust between forests. The AAD Connect server needs to be able to communicate with the other three forests, so a VPN or another method of connectivity is needed.
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/cloud-consolidation-aad-connect

Re: Domain Functional Level and AAD Hybrid Join
Hello! The minimum FFL and DFL for Hybrid Azure AD join is 2008 R2. You can see that the wording was changed in this doc about 22 days ago.
https://github.com/MicrosoftDocs/azure-docs/commit/8bdd03c7ec77379b4d57fd24520896a1869067a8

Re: Active Directory
Hello, Azure AD is not a replacement for AD. It's an identity management platform for Microsoft's Azure cloud. You can configure a hybrid identity model by using AAD Connect to sync users from your on-premises AD to Azure AD. This will allow your organization to take advantage of features like SSO to sign into the different workloads mentioned in your post with the same username and password. Here is a starting point:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity

Re: AAD Connect and WinRM on WAP
Michele Casazza, hello.
1. If you are not going to deploy ADFS or WAP in your environment, then this does not apply.
2. Yes, the machine running the wizard would be your AAD Connect server.
3. Yes, that is referring to the name of the WAP server, but if you are not deploying ADFS and WAP there is no need to worry about this.
4. Yes, if you are deploying ADFS with WAP then you would need to do the action on all WAP servers.
These steps are to ensure that the AAD Connect wizard will be able to execute the PowerShell cmdlets necessary to deploy ADFS and WAP servers. Hope that helps!

Re: Tree AD trust with AAD Connect
You mentioned an AD tree trust; however, there are only 4 types of trusts I know of:
1. External trust
2. Realm trust
3. Forest trust
4. Shortcut trust
Which trust is configured? Is this a domain in the same forest or a domain in another forest?

Re: Login to AD joined devices with your Azure AD credentials
Hey there! If your server is joined to Azure AD DS, then yes. If this is a server joined to your on-premises AD, then no, unless that Azure AD account is also synced from on-premises. If the account is cloud-only, then no, you would not be able to log into a server joined to your local AD. I hope this answers your question.
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview

Re: Azure AD Connect - Synchronization Service Installation fails
mmw_it, sounds like your issue might be due to connectivity to a DC in your network:
System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server was unable to connect. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is not available.
Is AD DS installed on this server? Was the server promoted to a DC? Installing Azure AD Connect on a domain controller is not recommended due to security practices and more restrictive settings that can prevent Azure AD Connect from installing correctly. I suggest going through these prerequisites.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

Re: Tree AD trust with AAD Connect
mathiassii, the AD DS connector space agent needs to have at least the following permissions in the other forest. Did you verify this?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account#permissions-for-password-hash-synchronization
- Allow | AD DS Connector Account | Replicating Directory Changes | This object only (Domain root)
- Allow | AD DS Connector Account | Replicating Directory Changes All | This object only (Domain root)

Re: Question on Baseline policy: End user protection (preview)
Echo this. The goal of these four policies is to ensure that all organizations have a baseline level of security enabled at no extra cost.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection