Azure AD Connect is a Microsoft product designed primarily to provide seamless integration between on-premises Active Directory and Azure Active Directory. It includes a number of technologies:

  • Azure AD Connect Sync
  • Azure AD Connect Health
  • ADFS (Active Directory Federation Services)
  • PHS/PTA/SSSO Preparation Connector

The main component (and what people often mean when they say "Azure AD Connect") is Azure AD Connect Sync. It's a synchronization service designed to work between AD (Active Directory) and Azure AD (though it can actually do much more). The interface looks the same as FIM or MIM Synchronization Service Manager (and that's because it's based on FIM 2010), but with far fewer types of management agents ("connectors") available.

The significant difference is that the synchronization rules bear little resemblance to FIM or MIM rules and are configured in a dedicated editor, entirely through the user interface (no coding).

Best practices for using Azure AD Connect

1. Secure the server running Azure AD Connect.

Make sure the server running the Azure AD Connect agent is secure. Limit which accounts can log into the server, especially those with local administrator rights. You will also need to control physical access to the server and enforce a strong password policy. If you need to allow other users to access the Azure AD Connect synchronization tool, you can add them to the ADSyncAdmins group on your local server. As always, make sure they actually need access to the tool before doing this.

2. Determine which user and group objects can sync with Azure AD.

By default, all user and group objects will be synced to Azure AD. However, many on-premises groups don't actually need to be synced to the cloud. In fact, many of them may no longer be needed. It is recommended to remove all redundant groups from on-premises AD, whether you are using Azure AD Connect or not. You can also use the sync module's filtering capabilities to eliminate any irrelevant groups. It's also recommended to temporarily disable the scheduled sync task before making any important changes, as this will prevent errors from automatically syncing between Azure AD and your on-premises environment.

3. Don't sync local admin groups with Azure AD.

There is no reason to sync admin groups with Azure AD since they are specific to your on-premises environment and therefore not relevant to your cloud environment. In fact, it will only create unnecessary risks since more potential adversaries will know which groups (and therefore administrators) should be targeted.

4. Make sure the sync cycle runs at least once a week.

By default, the sync cycle runs every 30 minutes. Microsoft recommends that if you decide to change the sync cycle for any reason, make sure that it runs at least once every 7 days. Failure to do so may result in problems that must be resolved by running a full synchronization. This may take a long time.
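The checks in points 1, 2 and 4 can be scripted on the Azure AD Connect server itself. The following is an added example (not from the original article or from Microsoft) using the ADSync module's Get-ADSyncScheduler/Set-ADSyncScheduler/Start-ADSyncSyncCycle cmdlets and the built-in local-accounts cmdlets; the expected ADSyncAdmins membership list is a constructed placeholder you replace with your own accounts.

```powershell
# Added example: audit an Azure AD Connect server against points 1, 2 and 4.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync
$MaxInterval    = New-TimeSpan -Days 7          # Microsoft's documented ceiling (point 4)
$ExpectedAdmins = @('CONTOSO\svc-aadc-ops')     # constructed placeholder: accounts allowed in ADSyncAdmins

function Test-SyncCycleInterval {
    # Point 4: the scheduler must still run, and no less often than every 7 days.
    $s = Get-ADSyncScheduler
    if (-not $s.SyncCycleEnabled) {
        Write-Warning 'Scheduled sync is disabled; re-enable it once your changes are finished.'
    }
    $effective = $s.CurrentlyEffectiveSyncCycleInterval
    if ($effective -gt $MaxInterval) {
        Write-Warning "Effective sync interval $effective exceeds 7 days; a full (Initial) sync will be needed."
    } else {
        Write-Output "Sync interval OK: $effective (next run $($s.NextSyncCycleStartTimeInUTC) UTC)"
    }
}

function Test-ADSyncAdmins {
    # Point 1: anyone in ADSyncAdmins can open Synchronization Service Manager.
    $members    = Get-LocalGroupMember -Group 'ADSyncAdmins' | Select-Object -ExpandProperty Name
    $unexpected = $members | Where-Object { $_ -notin $ExpectedAdmins }
    foreach ($m in $unexpected) { Write-Warning "Unexpected ADSyncAdmins member: $m" }
    if (-not $unexpected) { Write-Output 'ADSyncAdmins membership matches the expected list.' }
}

function Invoke-ChangeWindow {
    # Point 2: pause the scheduler while editing sync rules or filters, then resume.
    param([Parameter(Mandatory)][scriptblock]$Change)
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        & $Change
    } finally {
        Set-ADSyncScheduler -SyncCycleEnabled $true
        # Filter changes need a full import/sync, so request Initial rather than the usual Delta.
        Start-ADSyncSyncCycle -PolicyType Initial
    }
}

Test-SyncCycleInterval
Test-ADSyncAdmins
```

Wrap a filter or rule edit as `Invoke-ChangeWindow { <your change> }`; the scheduler is re-enabled in the finally block even if the edit throws.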

5. Don't expect AD Connect to be a reliable backup and recovery solution.

While it is true that Azure AD Connect will sync your cloud data with your on-premises AD environment, it should not be considered a reliable backup and recovery solution. The problem is that Azure AD objects contain certain attributes that are specific to the cloud services that use them.

If you accidentally delete an object in Azure AD and then try to restore it from an on-premises backup, these attributes will be lost. In this case, the restored items will not be available to Microsoft 365, Teams, SharePoint Online, OneDrive, or other cloud services. The same problem occurs when you remove the attributes of an object rather than the object itself. Therefore, it is critical to use an enterprise-grade backup and recovery solution rather than relying on Azure AD Connect.

6. Protect Azure AD accounts with admin rights.

Make sure that all administrator accounts are assigned predefined roles. Because the Global Administrator account has access to all administrative settings in your Azure AD environment, ensure that no more than five people are assigned to this role. Use multi-factor authentication (MFA), identity and access management (IAM), and a real-time change auditing solution to protect the Global Administrator account and other administrative accounts.

Conclusion

Still have questions? Just contact us. Fanetech is a Microsoft gold partner in Kazakhstan. We will help you choose the optimal Microsoft license packages with convenient management through your personal account.
