MS-100 Design Identity Strategy

May 25th, 2019 | Posted by admin in Exchange

Evaluate requirements and solution for synchronization

Directory synchronization is the identity provisioning choice for enterprise customers moving to Office 365. It allows identities to be managed in the on-premises AD, with every update to those identities synchronized to Office 365.

Azure AD Connect is the solution for synchronizing on-premises objects to Azure AD.

As part of directory preparation, you need to know how to configure the following parameters.

Attribute updates – Know which attributes are going to sync to Azure AD. It is recommended to leave the default selection when configuring Azure AD Connect for directory synchronization with Azure AD. You should also know how to stop an attribute or an object from syncing to Azure AD.
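The following is an added example, not part of the original post, showing one way to keep a single on-premises object out of the sync and to review which attributes a default rule flows. It assumes you run it on the Azure AD Connect server with the ADSync and ActiveDirectory modules, that the default scoping filter that skips users whose adminDescription starts with "User_" is still in place, and that the distinguished name, connector name and rule name are placeholders for your own environment.

```powershell
# Added example (not from the original post). Assumes the ADSync module on the
# Azure AD Connect server and the default scoping filter that excludes users
# whose adminDescription begins with "User_". Names below are placeholders.
Import-Module ADSync
Import-Module ActiveDirectory

$ObjectDn = "CN=Svc Account,OU=Service,DC=contoso,DC=local"   # placeholder DN
$RuleName = "In from AD - User Common"                         # default inbound user rule

# 1. Flag the object so the default scoping filter excludes it from sync.
#    This is the supported way to stop one object; do not delete it from the
#    connector space by hand, or it will simply be re-imported.
Set-ADObject -Identity $ObjectDn -Replace @{ adminDescription = "User_NoSync" }

# 2. Run a delta sync cycle so the change is evaluated now, but only if no
#    cycle is already in progress (starting a second one fails).
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Before changing any attribute flow, list what the default rule sends to
#    the metaverse. Default rules should be left alone; to stop an attribute,
#    add a custom rule with a lower precedence number that overrides the flow.
$Rule = Get-ADSyncRule | Where-Object { $_.Name -eq $RuleName }
$Rule.AttributeFlowMappings |
    Select-Object Source, Destination, FlowType |
    Format-Table -AutoSize
```

The adminDescription marker is reversible: clearing the attribute and running another delta cycle brings the object back into scope, which is why it is preferable to ad-hoc deletions from the connector space.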

Domain controller placement – Keep the directory sync server on the same site as a domain controller.

Determining the permissions required – Azure AD Connect requires the accounts below.

For Synchronization:

  • AD DS Connector account: used to read/write information to Windows Server Active Directory
  • ADSync service account: used to run the synchronization service and access the SQL database
  • Azure AD Connector account: used to write information to Azure AD

For Installation and Configuration:

  • Local Administrator Permission
  • AD Enterprise Administrator
  • Azure AD Global Administrator
  • SQL delegation to configure the DB

Planning for multi-forest/directory scenarios – Microsoft recommends consolidating multiple forests into a single forest before migrating to Office 365.

Capacity planning for Directory Sync – You need a server with a decent configuration for directory synchronization and normal hardware for the SQL installation.

Two-way synchronization – You need to understand the write-back options available and which ones your organization requires.

By default, Exchange hybrid writes back the attributes below from Azure AD to on-premises AD.

In addition, Azure AD Connect offers Group Writeback, Device Writeback and Password Writeback options.
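As an added example (not from the original post), the commands below show how an administrator can review which write-back features and sync settings are actually enabled on an Azure AD Connect server, which is the first step in deciding whether the defaults match what the organization requires. It assumes the ADSync module on the Azure AD Connect server and that the Azure AD connector is the one with connector type "Extensible2".

```powershell
# Added example (not from the original post). Run on the Azure AD Connect
# server with the ADSync module. Assumes the Azure AD connector is the one
# whose ConnectorTypeName is "Extensible2".
Import-Module ADSync

# Locate the Azure AD connector by type rather than by hard-coding its name.
$AadConnector = Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq "Extensible2" } |
    Select-Object -First 1 -ExpandProperty Name

# Tenant-level feature switches: password hash sync, device writeback,
# group writeback and related options.
Get-ADSyncAADCompanyFeature

# Password writeback (self-service password reset to on-premises AD) is
# configured per Azure AD connector.
Get-ADSyncAADPasswordResetConfiguration -Connector $AadConnector

# Scheduler state: whether the cycle is enabled, its interval, and whether
# the next cycle will be Delta or Initial.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SyncCycleInProgress,
                  CurrentlyEffectiveSyncCycleInterval, NextSyncCyclePolicyType
```

Capture this output before and after any wizard change; a write-back option that was enabled unintentionally turns a one-way provisioning design into a two-way one, so the feature list is worth reviewing whenever the Azure AD Connect configuration is touched.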

Evaluate requirements and solution for identity management

Two identity models are available: Cloud Identity and Federated Identity.

Cloud Identity: Identities are created directly in Azure AD, and authentication and authorization are done at Azure AD only. Objects can be created using PowerShell or from the Office 365 Admin Portal.
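The following is an added example, not part of the original post, of creating a cloud-only identity with PowerShell and confirming afterwards that it is not a synchronized object. It assumes the AzureAD PowerShell module, an account with a role that may create users, and placeholder tenant, user and usage-location values.

```powershell
# Added example (not from the original post). Assumes the AzureAD module and a
# signed-in account allowed to create users. Tenant and user values are
# placeholders.
Import-Module AzureAD
Connect-AzureAD

$Upn = "jane.doe@contoso.onmicrosoft.com"   # placeholder tenant and UPN

# Generate a random initial password rather than a fixed one in the script.
$Bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$InitialPassword = [Convert]::ToBase64String($Bytes)

# Force a password change at first sign-in so the initial value is short-lived.
$Profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$Profile.Password = $InitialPassword
$Profile.ForceChangePasswordNextLogin = $true

$User = New-AzureADUser -DisplayName "Jane Doe" `
    -UserPrincipalName $Upn `
    -MailNickName "jane.doe" `
    -AccountEnabled $true `
    -PasswordProfile $Profile `
    -UsageLocation "US"        # placeholder; required before assigning a license

# A cloud identity has no ImmutableId and DirSyncEnabled is not set; a synced
# object would show both, which is how the two models can be told apart.
Get-AzureADUser -ObjectId $User.ObjectId |
    Select-Object UserPrincipalName, AccountEnabled, DirSyncEnabled, ImmutableId
```

The final query is the useful part for an identity review: listing DirSyncEnabled and ImmutableId across all users quickly shows which accounts are mastered in the cloud and which are mastered on-premises.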

Federated Identity: The source of authority is the on-premises AD, and on-premises AD objects are synced to Azure AD using Azure AD Connect; Microsoft 365 services are enabled by assigning a license. When a user tries to access a Microsoft 365 service, Azure AD redirects the user to obtain an authentication token from on-premises AD through the Web Application Proxy and the ADFS server; once Azure AD receives a valid token from on-premises AD, the user is allowed the services assigned.

You need to plan and understand the requirements for the Azure AD Connect deployment and the ADFS servers.

Evaluate requirements and solution for authentication

When it comes to authentication, as with the identity models, there are cloud authentication and federated authentication methods.

Cloud Authentication: The identity can be in on-premises AD or Azure AD, but the authentication happens at Azure AD. The options are:

  • Cloud Authentication: Users are created in Azure AD, and authentication and authorization happen at Azure AD itself.
  • Password Hash Sync with Seamless SSO: User management is on-premises, and you synchronize objects and password hashes to Azure AD.
  • Pass-through Authentication with Seamless SSO: User management is on-premises, and you synchronize objects. Authentication is done by the Azure AD authentication service through a small agent running on-premises that validates the user's credentials against on-premises AD. A maximum of 12 Pass-through Authentication agents can be installed: 1 primary and 11 standalone.


Federated Authentication:

On-premises directory objects are synchronized with Office 365 and user accounts are managed on-premises. When a user accesses an Office 365 service, they are redirected to on-premises AD via the ADFS servers. Below are the options available for planning, based on your requirements.
