
Integrating On-Premises Active Directory Domains with Azure Active Directory

The purpose of this document is to explain how to integrate your on-premises Active Directory domain with Azure Active Directory, what tools to use, and what to consider before starting the implementation.

PURPOSE OF INTEGRATING YOUR ON-PREMISES ACTIVE DIRECTORY TO AZURE AD

Microsoft Azure is a growing collection of integrated cloud services—analytics, computing, database, mobile, networking, storage, and web—for moving faster, achieving more, and saving money. It is also Microsoft's cloud computing platform and infrastructure for building, deploying, and managing applications and services through a global network of Microsoft-managed and Microsoft partner-hosted datacentres.

Azure AD is Microsoft's cloud-based directory and identity service. It builds on the concepts of on-premises Active Directory management with additional features and benefits. With this service, employees can access external resources such as Microsoft 365, the Azure portal, and a variety of other SaaS (software as a service) applications. Through Azure Active Directory they can also access internal resources, such as apps on your corporate network, as well as any cloud applications developed for your organization. Azure AD can be integrated with an existing on-premises AD to provide single sign-on for users accessing cloud applications. It is therefore essential for organizations to keep the credentials in on-premises AD and Azure AD in sync.

WHAT IS NEEDED TO BE ABLE TO HAVE AZURE ACTIVE DIRECTORY ON THE CLOUD?

To use your on-premises Active Directory with Azure AD, you need a subscription to any Microsoft Online business service; this automatically gives you Azure AD with all of the free features. For the integration of the on-premises Active Directory with Azure AD, you will need to upgrade to Azure Active Directory Premium P1 or Premium P2 licenses. Each license has different features.

  1.  Azure Active Directory Premium P1. In addition to the Free features, P1 lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
  2.  Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 offers Azure Active Directory Identity Protection, which provides risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management, which helps discover, restrict, and monitor administrators and their access to resources, and provides just-in-time access when needed.

IMPLEMENTATION TOOLS TO BE ABLE TO HAVE AZURE ACTIVE DIRECTORY

Connecting your on-premises Active Directory requires a few basic steps to set up the synchronization. If you have created your subscription in a Microsoft application, then you already have Azure AD. The basic tool for synchronization is the application Azure AD Connect. You can run Azure AD Connect on a VM or on a computer hosted on-premises. Before implementing Azure AD Connect, it is good to have a plan for what to synchronize, from which domains, and how frequently.

The best practice is to test with a small pilot group before synchronizing the whole organization. A good option is to pilot the feature with a small group that has IT knowledge: their feedback and the testing they perform will be more useful.
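A pre-flight check of the pilot group before the first synchronization, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a pilot group named "AAD-Sync-Pilot" and the list of domains verified in the tenant; all three are assumptions to replace with your own values.

```powershell
# Added example (not from the original post): check pilot-group users for the
# attribute problems that most often cause Azure AD Connect sync errors.
Import-Module ActiveDirectory

# Domains verified in the Azure AD tenant (assumption; replace with your own).
$VerifiedDomains = @('contoso.com', 'contoso.co.uk')
$PilotGroup      = 'AAD-Sync-Pilot'   # assumption: name of the pilot group

$members = Get-ADGroupMember -Identity $PilotGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
            -Properties UserPrincipalName, mail, proxyAddresses, Enabled
    }

$findings = foreach ($u in $members) {
    $issues = @()
    if (-not $u.UserPrincipalName) {
        $issues += 'Missing UPN'
    } else {
        $suffix = $u.UserPrincipalName.Split('@')[-1]
        if ($suffix -notin $VerifiedDomains) {
            # A suffix such as .local is not verified in the tenant, so the
            # cloud UPN would be rewritten to the *.onmicrosoft.com domain.
            $issues += "UPN suffix '$suffix' not verified in tenant"
        }
    }
    if (-not $u.Enabled) { $issues += 'Account disabled' }
    if ($u.mail -and ($u.mail.Split('@')[-1] -notin $VerifiedDomains)) {
        $issues += "mail suffix not verified in tenant"
    }
    if ($issues) {
        [pscustomobject]@{ User = $u.SamAccountName; Issues = ($issues -join '; ') }
    }
}

# Duplicate proxyAddresses within the synced set cause export conflicts.
$dupes = $members | ForEach-Object { $_.proxyAddresses } |
    Group-Object | Where-Object Count -gt 1

$findings | Format-Table -AutoSize
if ($dupes) {
    'Duplicate proxyAddresses across the pilot group:'
    $dupes | Select-Object Name, Count | Format-Table -AutoSize
}
```

Run it on a domain-joined admin workstation; an empty result for both lists means the pilot group is ready to be scoped in the Azure AD Connect filtering step.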

The basic configuration in Azure AD Connect is the User sign-in method, for which three options are available during installation: Password Synchronization, Federation with AD FS, and Do not configure. Which option is best depends on your organization, or on the organization that you are supporting.

Password synchronization gives you a single sign-in to all apps that are synchronized with Azure AD, using the password you have in on-premises Active Directory. This feature can be enabled at any time.
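A post-installation health check on the Azure AD Connect server, as an added example that is not part of the original post. It assumes the ADSync PowerShell module that ships with Azure AD Connect and a session with rights to the local ADSyncAdmins group.

```powershell
# Added example (not from the original post): confirm the sync scheduler,
# the connectors and the password hash sync setting, then start a delta
# sync only when the scheduler is enabled and idle.
Import-Module ADSync

$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncEnabled   = $sched.SyncCycleEnabled
    Interval      = $sched.CurrentlyEffectiveSyncCycleInterval
    NextRunUtc    = $sched.NextSyncCycleStartTimeInUTC
    StagingMode   = $sched.StagingModeEnabled
    RunInProgress = $sched.SyncCycleInProgress
} | Format-List

# One connector per on-premises forest (type "AD") plus the Azure AD connector.
foreach ($c in Get-ADSyncConnector) {
    $pwdSync = $null
    if ($c.ConnectorTypeName -eq 'AD') {
        # Password hash sync is configured per source (AD) connector.
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
        $pwdSync = $cfg.PasswordSyncEnabled
    }
    [pscustomobject]@{
        Connector        = $c.Name
        Type             = $c.ConnectorTypeName
        PasswordHashSync = $pwdSync
    }
}

# Empty output means no run is currently in progress.
$status = Get-ADSyncConnectorRunStatus
if ($status) {
    "Run in progress: $($status.ConnectorName) at stage $($status.RunStage)"
}

if ($sched.SyncCycleEnabled -and -not $sched.SyncCycleInProgress -and -not $status) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

StagingMode set to True means the server imports and synchronizes but does not export to Azure AD, which is the expected state for a standby server, not for the active one.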

As a Microsoft Gold partner in Cyprus, our approach for our customers and our own organization is to be able to satisfy the customer's needs at any time. As a security measure for synchronization and user single sign-in, we recommend an extra level of protection for users: enabling the two-factor authentication (2FA) feature that Microsoft provides.

PROS

  • Azure AD is created by one of the largest tech companies, which means you can count on support and security.
  • Crashes and data loss are Microsoft's worry, up to a limit: Microsoft takes care of the software and hardware it hosts and offers as services, so administrators do not have to worry about the security of backend devices and solutions.
  • Updates and upgrades are handled by Microsoft.

CONS

  • There is a small possibility that Azure AD could be down and affect productivity. While it is highly unlikely, it isn't unheard of.
  • Connectivity: if the internet connection to Azure AD fails, connections to other solutions such as Microsoft 365, SharePoint, Teams, and even the Azure Portal could also be affected.
  • Then there is the matter of problems caused by failures in the architecture between a network and the Azure AD services, which are usually out of reach of both Microsoft and the local administrator.

COMPARISON FEATURES

| Feature        | Azure Active Directory                              | On-premises Active Directory                                      |
|----------------|-----------------------------------------------------|-------------------------------------------------------------------|
| Communication  | Representational State Transfer (REST) APIs          | Lightweight Directory Access Protocol (LDAP)                      |
| Authentication | Cloud-based protocols                               | Kerberos and NTLM                                                 |
| Network        | Flat structure of users and groups                  | Organizational Units, domains, and forests                        |
| Management     | Admins organize users into groups                   | Admins or data owners assign users to groups                      |
| Device access  | Mobile device management                            | No mobile device management                                       |
| Desktops       | Windows desktops can join and be managed with Microsoft Intune | Desktops are governed by Group Policy (GPOs)           |
| Servers        | Uses domain services to manage servers              | Managed by GPOs or another on-premises server management system   |

All in all, IBSCY as a Gold Microsoft partner in Cyprus offers Cloud Services with multiple solutions that enable businesses to grow smoothly and effortlessly at a time when digital business upgrades require major changes.

Senior Engineer 

Meet Elias Christoforou, a Senior Engineer at IBSCY Ltd. He holds a BSc degree from Frederick University, specializing in the Theory of Computer Science. He has been a dedicated part of the IBSCY team since 2022.

His responsibilities include managing various implementation projects, resolving support tickets, and ensuring seamless operation of clients’ IT systems.
