One of the pieces of feedback we received on the earlier post to integrate your temporary COVID tenant with your on-premises environment, was the fear of introducing errors and interrupting processes that now rely on the Azure AD tenant. This, indeed, may be the case when you rely solely on Azure AD Connect’s soft matching capabilities and wield a narrow scope for synchronization of objects.
Let me explain.
The initial state of your Azure AD
When integrating an Azure AD tenant with an Active Directory environment, you’re bound to start with the situation where you have accounts on both sides that you need to combine. You encounter this situation when you’re integrating your COVID Azure AD tenant with your AD, but you might also find self-service accounts in Azure AD when performing a straightforward Hybrid Identity implementation.
As an admin, taking ownership of an Azure AD tenant means you’re going to actively manage and monitor the Azure AD tenant. This includes taking care of any objects you may or may not feel are in scope of your work. If you don’t, people may find themselves confronted with changed passwords, a different sign-in method suddenly pointing to the corporate federation solution and/or lockouts.
The approach to combining the objects in both Active Directory and Azure AD consists of three steps:
- Match userPrincipalName suffixes in Active Directory to Azure AD Custom domain names
- Communicate to people with self-service accounts
- Match objects in Active Directory to objects in Azure AD
Matching and fixing userPrincipalName suffixes
Microsoft’s strong recommendation is to align the userPrincipalName attribute with the user object’s primary email address in Active Directory. This way, the on-premises userPrincipalName can be used in Azure AD.
In Active Directory, you can add additional userPrincipalName suffixes. This is the part in a user object’s sign-in name and email address after the ‘@’. Your organization may struggle with *.local Active Directory domain names or other DNS domain names that your organization doesn’t own or that aren’t registrable DNS domain names. In this case, you should add the DNS domain names your organization does own and use in its email addresses. Then, you should change the userPrincipalName attributes for all user objects in scope for synchronization to Azure AD to match their email addresses.
This is the point where things may break on-premises. Applications might have objects stored with the old suffixes in their databases, services may be programmed with hardcoded suffixes, etc. Luckily, you can test these changes with a small pilot audience and you can revert changes quickly.
Taking care of self-service accounts
The quintessential step to taking ownership of an Azure AD tenant is verifying the DNS domain names of your organization as Azure AD custom domain names in the Azure AD tenant.
No doubt, when you verify DNS domain names that resemble your email domains, you’ll face self-service accounts. These accounts have been created by people in your organization in the past when:
- they were invited to use functionality together with other organizations;
- they entered into a trial period for a Microsoft cloud license, and/or;
- they manage(d) Microsoft cloud licenses for your organization.
People have provided a password for these self-service accounts and have already setup multi-factor authentication to prevent getting locked out from their accounts when they forget these passwords. They use these passwords to access the functionality. These passwords may or may not be different from their passwords in Active Directory.
If your goal is to only synchronize a few objects from Active Directory to Azure AD, you should include the user accounts in Active Directory for people with Azure AD self-service accounts in the synchronization scope of Azure AD Connect. This way, you eliminate shadow IT and provide the benefits of single sign-on to these people.
During your project, their sign-in experience changes. When Azure AD Connect matches up these accounts to their on-premises accounts based on their email address, their sign-in method changes from cloud-only to:
- Password hash synchronization;
- Pass-through authentication, or;
- Federation with AD FS, PingFederate or a 3rd-party federation solution.
In the first two cases, their passwords may change. In the third case, they get redirected to the federation sign-in experience when they access Azure AD and Azure AD-integrated applications, services and systems.
If the email address they registered their self-service account with doesn’t match the primary SMTP address for their Active Directory account, you should change one of these values. From my experience, changing the sign-in name in Azure AD is the way to go.
You should communicate the changes in sign-in name and sign-in method to them beforehand, together with a clear point in time for these changes. It goes without saying that I think you should automate and test these steps. From my experience, PowerShell suits this job well.
With the email addresses and userPrincipalName attributes aligning for your people, Azure AD Connect will automatically match any on-premises object in scope with the pre-existing Azure AD object through soft matching.
Through soft matching, an on-premises Active Directory user object is matched to an Azure AD user object, when:
- The attributes match for both objects;
- The attribute for the user object in Active Directory matches with the primary email address (denoted with in the attribute) of the Azure AD user object, and/or;
- The primary email address (denoted with in the attribute) for the user object in Active Directory matches the of the Azure AD user object.
There are scripts available that will check these matches and report on any mismatches. For mismatched objects, all is not lost. There’s also the ability to hard match.
Azure AD Connect and other synchronization solutions between Active Directory and Azure AD use the construct of a source anchor attributes. The source anchor is specified when Azure AD Connect is configured. This source anchor attribute acts as the end-to-end matching construct.
During normal operations, the source anchor object defaults to the mS-DS-ConsistencyGuid attribute for Active Directory objects. Upon initial synchronization of user objects and group objects by Azure AD Connect, the base64 representation of the objectGUID value is written to:
- The mS-DS-ConsistencyGuid attribute for the Active Directory object, and;
- The ImmutableID attribute of the Azure AD object.
However, the mS-DS-ConsistencyGuid and ImmutableID attributes can be filled manually by entering the same value to the source anchor attributes of the objects in both directories.
This is hard matching. The userPrincipalName and primary email address attribute are ignored; soft matching does not occur. Azure AD Connect creates the match between the on-premises Active Directory object and the Azure AD object at the admin’s request.
Thinking before acting
The beforementioned approach requires thinking before acting. The configuration of Azure AD Connect can be erroneous without verified DNS domain names without the proper userPrincipalName suffixes and without the right values for the userPrincipalName, proxyAddresses and mS-DS-ConsistencyGuid attributes.
In the last case, mismatches may occur. This may introduce improper access for unauthorized people and interruptions of critical processes like software asset management; an admin’s nightmare. Hard matching is the way to go when you foresee issues with soft matching.
Azure AD and Active Directory monitoring
The entire process should be assisted using Azure AD and Active Directory monitoring. Every action that Azure AD Connect performs is logged in the Azure AD audit log. You can use the Azure Portal to filter the log to include only the synchronization account to focus on its activities, but Enow’s Office 365 Monitoring and Reporting capabilities allow you to drill deeper and show graphs of Azure AD Connect’s activities.