Microsoft Azure/Entra AD Connect - Custom Setting
Microsoft Entra AD Connect's Custom Setting caters to intricate deployment needs, offering flexibility beyond the express installation. Ideal for diverse scenarios, it empowers administrators to finely adjust integration processes. Covering multiple forests and optional features, it ensures a precisely tailored deployment of Entra AD Connect.

In the domain of hybrid identity solutions, Microsoft Entra AD Connect introduces a Custom Install Setting crafted for organizations with intricate deployment requirements. When the straightforward express installation proves insufficient, this custom configuration becomes indispensable, granting administrators the flexibility to finely adjust the integration process. Whether orchestrating across multiple forests or implementing optional features, the Custom Install Setting empowers organizations to address distinct topology needs, guaranteeing a seamless and precisely tailored deployment of Azure/Entra AD Connect.
Previously, we explained the Express setting configuration. Now, let's explore the ‘Custom installation setting’ option. After the Entra AD sync tool installation is complete, you will see the screen below; accept the license terms and privacy notice, then click ‘Continue’ to proceed.
Click on ‘Customize’
On this page you’ll see some optional components. You can leave these unselected and click ‘Install’.
If you want to know more about these components, refer to the document image below, which is also available on the Microsoft Learn page.
In the next step, select the sign-in method. [All sign-in methods are explained below]
Password Hash Synchronization: Enable "Password hash synchronization" during the initial AD sync setup so that users can use a consistent password for Microsoft cloud services. Password hashes are synchronized to Microsoft Entra ID, giving a seamless and secure sign-in experience across on-premises and cloud environments. [This sign-in method is the one commonly used in AD synchronization deployments]
Pass-through authentication: Enable "Pass-through authentication" in AD sync setup for users to sign in to Microsoft cloud services with their local network password, ensuring secure logins by validating passwords directly through the on-premises Active Directory domain controller and leveraging existing infrastructure.
Federation with AD FS: Opt for "Federation with AD FS" in AD sync setup for users to sign in to Microsoft cloud services with their on-premises network password. This method adds an extra layer of security by redirecting users to on-premises Azure AD FS for direct authentication, ensuring a seamless and secure experience within the organization's network.
Federation with PingFederate: Opt for "Federation with PingFederate" in the initial AD sync setup to empower users to sign in to Microsoft cloud services, such as Microsoft 365, using their on-premises network password. Authentication occurs directly on-premises, enhancing security, with users directed to their on-premises PingFederate instance, ensuring a seamless and secure authentication experience within the organization's network.
Do not configure: Choosing "Do not configure" in the AD sync setup means no specific user sign-in feature is installed, ideal if your organization already has a third-party federation server managing user authentication for Microsoft cloud services. This option streamlines the process, relying on an existing tailored authentication solution outside the AD sync setup's scope, eliminating the need for additional configurations.
Enable single sign-on: Enabling "Single Sign-On" (SSO) in the AD sync setup, available with password hash synchronization or pass-through authentication, streamlines the user experience. Users within corporate networks can log in once to access Microsoft cloud services, like Microsoft 365, without repeated credential entries. Note that this SSO option is not applicable to Active Directory Federation Services (AD FS) users, as AD FS inherently provides a similar SSO experience across corporate networks and Microsoft cloud services.
Now, to connect to Azure/Entra ID, enter your Azure AD Global Administrator credentials and click ‘Next’.
In the Sync section, the process involves connecting to Active Directory Domain Services (AD DS) through Microsoft Entra Connect. To establish this connection, you'll need to provide the forest name and the credentials of an account with adequate permissions. This ensures that Microsoft Entra Connect can effectively interact with AD DS and perform synchronization tasks. The forest name and permissions of the specified account play a crucial role in facilitating a secure and authorized connection between the synchronization tool and the Active Directory environment.
Create New AD Account: If you choose the "Create new account" option, you initiate the process of generating the necessary Active Directory Domain Services (AD DS) account for Microsoft Entra Connect to establish a connection during directory synchronization. Following this selection, you'll be prompted to enter the username and password for an enterprise admin account. Microsoft Entra Connect utilizes this enterprise admin account to create the specific AD DS account required for synchronization purposes.
During this setup, flexibility is provided in entering the domain part, allowing you to use either NetBIOS format (e.g., DOMAIN\administrator) or Fully Qualified Domain Name (FQDN) format (e.g., DOMAIN.COM\administrator). This ensures compatibility with different domain naming conventions, making the configuration process more adaptable to diverse Active Directory environments.
Use existing AD Account: If you select "Use existing account," you will need to specify an already-existing Active Directory Domain Services (AD DS) account that Microsoft Entra Connect will use to establish a connection during directory synchronization. When providing this existing account, you can enter the domain part in either NetBIOS format (e.g., DOMAIN\syncuser) or Fully Qualified Domain Name (FQDN) format (e.g., DOMAIN.COM\syncuser).
It's important to note that the chosen account can be a regular user account since it requires only default read permissions. However, depending on your specific scenario, additional permissions might be necessary. For a more in-depth understanding of the required permissions and configurations, it is recommended to refer to the provided article for comprehensive guidance on the setup process: Microsoft Entra Connect accounts and permissions.
On the Microsoft Entra sign-in configuration page, carefully examine the user principal name (UPN) domains within your on-premises Active Directory Domain Services (AD DS). These UPN domains should have been previously verified in Microsoft Entra ID. On this configuration page, you are tasked with specifying the attribute to be used for the userPrincipalName.
In case there are unverified domains, they will be marked as Not Added or Not Verified, as shown in a screenshot on the page. It's crucial to thoroughly review each domain with these statuses and ensure that the domains in use have been successfully verified in Microsoft Entra ID. After verifying your domains, click the circular refresh icon to update the information.
Users utilize the userPrincipalName attribute when signing in to both Microsoft Entra ID and Microsoft 365. Microsoft Entra ID needs to verify these domains, also known as UPN-suffix, before the synchronization of users takes place. Microsoft recommends retaining the default attribute, userPrincipalName.
If, for any reason, the userPrincipalName attribute is nonroutable and cannot be verified, you have the option to select an alternative attribute. For instance, you may choose to use the email attribute as the sign-in ID. When opting for an attribute other than userPrincipalName, it is referred to as an alternate ID.
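As an added example (not part of the original post), the following PowerShell check lists the UPN suffixes actually in use by enabled on-premises users and marks which ones are verified in the Entra tenant, so unverified suffixes are found before the first sync. It assumes the RSAT ActiveDirectory module and the Microsoft Graph PowerShell module are installed; `$SignInAttribute` can be switched to `mail` if an alternate ID is planned.

```powershell
# Added example: compare on-premises sign-in suffixes with Entra-verified domains.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null

# Domains verified on the Entra side (lower-cased for comparison).
$verified = Get-MgDomain | Where-Object IsVerified | ForEach-Object { $_.Id.ToLower() }

# Attribute that will become the sign-in ID. 'userPrincipalName' is the default;
# use 'mail' here if you intend to configure an alternate ID instead.
$SignInAttribute = 'userPrincipalName'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $SignInAttribute

# Group enabled users by the suffix (the part after '@') of the chosen attribute.
$bySuffix = $users | Where-Object { $_.$SignInAttribute } |
    Group-Object { ($_.$SignInAttribute -split '@')[-1].ToLower() }

# A suffix that is not verified cannot be used as-is; Entra Connect rewrites such
# UPNs to the tenant's default onmicrosoft.com domain, which surprises users.
foreach ($grp in $bySuffix | Sort-Object Count -Descending) {
    $status = if ($verified -contains $grp.Name) { 'verified' } else { 'NOT VERIFIED' }
    '{0,-30} {1,6} users  {2}' -f $grp.Name, $grp.Count, $status
}

# Users with an empty sign-in attribute cannot sign in with it at all.
$missing = @($users | Where-Object { -not $_.$SignInAttribute })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} enabled user(s) have no {1} value" -f $missing.Count, $SignInAttribute)
}
```

Run it on the Entra Connect server (or any domain-joined admin workstation) before clicking through the sign-in configuration page, and verify or fix every suffix reported as NOT VERIFIED.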
In the default configuration, all domains and organizational units (OUs) are synchronized to Microsoft Entra ID. However, if there are specific domains or OUs that you do not wish to synchronize, you have the option to customize this by clearing the appropriate selections. This allows you to tailor the synchronization process to match the specific needs and structure of your organization, ensuring that only the desired domains and OUs are included in the synchronization to Microsoft Entra ID.
When configuring how users are identified:
1. Identifying users in on-premises directories:
- Utilize the Matching across forests feature to specify how users from your Active Directory Domain Services (AD DS) forests are portrayed in Microsoft Entra ID.
- Users may be uniquely represented once across all forests, have a combination of enabled and disabled accounts, or even be represented as a contact in certain forests. This feature provides flexibility in accommodating different user representations across multiple AD DS forests. [For better understanding I’ve added the Microsoft learn page image]
2. Identifying users using a source anchor:
- The sourceAnchor attribute serves as a crucial element in uniquely identifying users. This attribute remains immutable throughout the user object's lifespan.
- Functioning as the primary key, the sourceAnchor links the on-premises user with their corresponding representation in Microsoft Entra ID. This ensures a robust and reliable connection between on-premises user data and the corresponding Microsoft Entra ID profiles, contributing to the accuracy and integrity of user identification across both environments. [For better understanding I’ve added the Microsoft learn page image]
To leverage the sync filtering based on groups feature, create a dedicated group within your on-premises Active Directory. This group serves as a filter, allowing you to sync only a specific subset of objects for a pilot or focused synchronization.
Add users, groups, contacts, and computers or devices directly to this group as members. It's crucial to note that all objects you want to synchronize must be direct members of this group. Nested group membership is not resolved; only the group itself is added when included.
This approach provides flexibility in managing the objects to be synchronized. You can easily adjust the list by adding or removing users from the designated group, allowing you to maintain precise control over the objects present in Microsoft Entra ID based on your evolving requirements.
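As an added example (not from the original post), this PowerShell snippet creates the filtering group, adds pilot users as direct members, and then audits the group for nested groups, reporting the members that Entra Connect will not pick up because nesting is not resolved. The group name, OU paths and domain are hypothetical; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: build a group-based filtering pilot group and flag nested groups.
Import-Module ActiveDirectory

$GroupName = 'EntraConnect-PilotSync'             # hypothetical group name
$GroupPath = 'OU=Groups,DC=corp,DC=example'       # hypothetical OU
$PilotOU   = 'OU=Pilot,DC=corp,DC=example'        # hypothetical OU holding pilot users

# 1. Create the filtering group once (safe to re-run).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description 'Entra Connect group-based filtering pilot'
}

# 2. Add objects as DIRECT members. Only direct members are evaluated by the filter.
$pilotUsers = Get-ADUser -SearchBase $PilotOU -Filter *
Add-ADGroupMember -Identity $GroupName -Members $pilotUsers

# 3. Audit: a group placed inside the pilot group is synced as a group object only;
#    its members are NOT expanded. Report them so nobody expects nested expansion.
$direct       = @(Get-ADGroupMember -Identity $GroupName)
$nestedGroups = $direct | Where-Object { $_.objectClass -eq 'group' }

foreach ($g in $nestedGroups) {
    # Members reachable only through the nested group, i.e. not also direct members.
    $hidden = @(Get-ADGroupMember -Identity $g.distinguishedName -Recursive |
        Where-Object { $_.distinguishedName -notin $direct.distinguishedName })
    Write-Warning ("Nested group '{0}' has {1} member(s) that will NOT sync: {2}" -f
        $g.name, $hidden.Count, (($hidden | ForEach-Object sAMAccountName) -join ', '))
}

# Summary of what the filter will actually include.
$direct | Group-Object objectClass | Select-Object Name, Count
```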
On the next page for selecting optional features, you'll notice that the sign-in method "Password hash sync" has already been checked, reflecting your earlier selection. A notable feature on this page is the frequently utilized 'Device writeback' functionality. With this feature enabled, any device that is joined with on-premises Active Directory Domain Services (AD DS), and where the user updates the device password, will also trigger a change in the Azure/Entra ID password.
It's important to be aware that for the Device writeback feature to be operational, your Azure/Entra tenant must have an Entra AD P1 license. This license ensures the necessary capabilities for syncing and updating device-related password changes between on-premises AD DS and Azure/Entra ID. Implementing this feature enhances the synchronization process, providing a seamless and secure experience for users managing their passwords across devices in both environments.
Once the whole setup is done, click ‘Install’. You will also find two options here; if you select the first one, ‘Start the synchronization process when configuration completes’, synchronization starts immediately after the AD Connect tool is installed.
With the configuration now complete, click on "Exit" and proceed to open the synchronization service to inspect the synchronization status. It's essential to note that if you reopen the AD sync tool, the synchronization service will halt. However, once you close the tool again, the synchronization will automatically resume. This ensures a seamless and efficient management of synchronization processes, allowing you to monitor and control the status based on your needs.
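As an added example (not from the original post), the following PowerShell uses the ADSync module that the Entra Connect installer places on the server to confirm the state the paragraph describes: whether the scheduler is suspended (as it is while the wizard is open), whether the server is in staging mode, and how the most recent connector runs ended. Run it on the Entra Connect server itself.

```powershell
# Added example: inspect scheduler and connector state after the wizard exits.
Import-Module ADSync

$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled,
    CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC | Format-List

# The wizard suspends the scheduler while it is open. If it remains suspended after
# the wizard has been closed, synchronization will not resume on its own.
if ($sched.SchedulerSuspended) {
    Write-Warning 'Scheduler is suspended. Close the configuration wizard and re-check.'
}

# Staging mode imports and syncs but exports nothing to Entra ID; make sure it is
# what you intended for this server.
if ($sched.StagingModeEnabled) {
    Write-Warning 'Server is in staging mode: no changes will be exported to Entra ID.'
}

# Connectors that are running right now (empty output means the cycle is idle).
Get-ADSyncConnectorRunStatus

# Result of the last run profile per connector over the past day.
foreach ($c in Get-ADSyncConnector) {
    $last = Get-ADSyncRunProfileResult -ConnectorId $c.Identifier -NumberOfDays 1 |
        Sort-Object StartDate -Descending | Select-Object -First 1
    if ($last) {
        '{0,-45} {1,-20} {2}' -f $c.Name, $last.RunProfileName, $last.Result
    }
}
```

A `Result` other than `success` on any connector is the cue to open the Synchronization Service Manager and read the step details before trusting the first export.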