From the course: Career Essentials in System Administration by Microsoft and LinkedIn
Azure AD and directory services
- [Instructor] Many sysadmins need to synchronize their on-premises Active Directory into Entra ID. But here's where things get a little tricky. That's because there are two different Entra ID products, and they are completely separate products and they work in two different ways. So let's take a look. Azure Entra ID is unlike on-premises Active Directory. Its main job is to hold usernames, passwords, groups and devices for user access to the applications and resources in Azure and in Microsoft 365. Remember, Microsoft 365 is that application type of service and it's also the place where you go to purchase licenses for both Azure and Microsoft 365 products. Entra ID domain services is completely different. Its sole purpose is to mimic on-premises Active Directory as much as it can so sysadmins can decide to replace on-premises Active Directory with this cloud version. Azure Hybrid is a combination of on-premises Active Directory and Azure Entra ID, but without Azure Entra ID domain services. This creates a one-way sync from on-premises to Azure Entra ID so users won't have to use different passwords while accessing on-premises resources and Microsoft 365 applications. For example, a user won't have to enter a second username and password when opening Outlook after logging into their computer. Here's how Azure Entra ID Hybrid works. You start out with on-premises Active Directory, which we've been talking about throughout this course. Then you have a one-way sync application called Microsoft Entra Connect. It used to be called Microsoft Azure Active Directory Connect. But since that time they've gone ahead and renamed it. Now you're going to connect to Azure Entra ID into the Azure Cloud. So this is a one-way sync. All of the usernames, groups, other resources, they're all going to synchronize into Entra ID. So that way when you open up those applications like Outlook, you won't have to type in a username and password again.
Using Entra ID Hybrid is mostly about single sign-on, but it also links to Intune in case you're using Intune for mobile device management and application management. Now, let's take a look at the second product, which is Entra ID Native. Entra ID Native means you don't use on-premises Active Directory at all. You create all of your users and your groups and every other resource inside Entra ID. And then there's a one-way sync to Azure Entra ID domain services. Entra ID domain services are then managed by the sysadmin the same way they would manage on-premises Active Directory. You get two virtual machines from Microsoft running Active Directory and DNS services. You then connect to those using the Windows tools by installing Active Directory domain services onto your Windows 2025 server. And in the end, it looks exactly like on-premises Active Directory. It's managed the same way, you use group policies the same way, groups, security, everything works the same way, but it's now in the Azure Cloud. One of the big differences to keep in mind is there's a monthly fee for Azure Entra ID domain services, and this could be in the hundreds or thousands of dollars a month. So keep that in mind if you're going to replace on-premises Active Directory with Azure Entra ID domain services. I've connected to portal.azure.com and I'm going to select Microsoft Entra ID. If you don't see it in the list, just go ahead and type it in the search option. I'm going to expand where it says manage and go to users, and here's all my users. But these users weren't all created in Entra ID. They were synchronized with an on-premises Active Directory using Microsoft Entra ID Connect, and you can tell which ones were originally on-premises by looking at the column where it says on-premises sync enabled. So if it says no, it means it was created here in Entra ID. If it says yes, it means it was created with on-premises Active Directory and synchronized with Entra ID.
So for instance, when Al wants to log in, they're going to log into on-premises Active Directory using their Windows username and password, and possibly a multifactor authentication tool as well. Once they log in, they'll open up any applications that might have been reserved or licensed through Microsoft 365, such as the Office products, and they're going to open those up and they're not going to be prompted for the username and password again because all that information has been synchronized with Entra ID and shared with Microsoft 365. I'm going to go back up one level and click on groups and I'll click on all groups. And once again, we see a lot of different groups. And if I scroll down a little bit, look at the right-hand side where it says source. On source you can see this particular group called DNS admins was a synchronized group that came from on-premises Active Directory and then got copied up to Azure Entra ID. And you'll see that's true of many different groups as I scroll down. I also have another section called devices. So when I click on devices, I'll just click on all devices to show them all. And here are all the Microsoft Entra registered devices in this domain. If you see that it's Entra registered, it just means that it was registered using a username and password, which I'm going to show you here shortly. If you see it registered with Intune under security settings, that means I've also added it into Intune so it can be managed there. You also see that some of these devices are just registered and some of them are joined. So joined means they're going to be part of Active Directory. Registered means that they were not necessarily part of Active Directory, they were just registered. So let's see how you can register a particular device into Entra ID. So we're going to go into the settings of the computer, and then inside settings you'll go to email accounts. Then you can go to where it says add a work or school account.
And when you add that account, it adds it into Entra ID, and then it will show up as a registered device if it's not part of any Active Directory, and it'll show up as a joined device if it is. Entra ID and domain services are two ways that you can add resources into the Azure Cloud when you would like to manage the devices in that cloud.
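The portal columns the instructor reads off (on-premises sync enabled, source, registered vs. joined, Intune-managed) are backed by Microsoft Graph properties. The script below is an added example, not part of the course, that classifies a constructed inventory the same way and flags the one category an administrator would want to review: registered devices that are not Intune-managed. It assumes the Graph property names `onPremisesSyncEnabled`, `trustType` and `isManaged`; the sample users and devices are made up.

```python
# Added example: classify an Entra ID inventory by the same criteria the
# portal columns use. Sample data is constructed, not from a real tenant.

# Constructed sample in the shape of Graph /users and /devices objects.
SAMPLE_USERS = [
    {"userPrincipalName": "al@contoso.example", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "cloudadmin@contoso.example", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "svc-sync@contoso.example", "onPremisesSyncEnabled": False},
]
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-01", "trustType": "AzureAd", "isManaged": True},
    {"displayName": "LAPTOP-02", "trustType": "Workplace", "isManaged": False},
    {"displayName": "DESK-07", "trustType": "ServerAd", "isManaged": True},
    {"displayName": "PHONE-09", "trustType": "Workplace", "isManaged": True},
]

# Graph reports trustType as "AzureAd" (Entra joined), "ServerAd" (hybrid
# joined) or "Workplace" (Entra registered, the "registered" rows in the portal).
JOIN_LABELS = {"AzureAd": "joined", "ServerAd": "hybrid joined", "Workplace": "registered"}


def user_source(user):
    """Mirror the 'On-premises sync enabled' column: True means the account
    came from on-premises AD via Entra Connect; null/False means cloud-created."""
    return "on-premises" if user.get("onPremisesSyncEnabled") is True else "cloud"


def device_join_type(device):
    """Mirror the join-type column (joined / hybrid joined / registered)."""
    return JOIN_LABELS.get(device.get("trustType"), "unknown")


def summarize(users, devices):
    """Count users per source and devices per join type, and list registered
    devices that Intune does not manage (isManaged is False or missing)."""
    summary = {"users": {}, "devices": {}, "unmanaged_registered": []}
    for user in users:
        src = user_source(user)
        summary["users"][src] = summary["users"].get(src, 0) + 1
    for device in devices:
        join_type = device_join_type(device)
        summary["devices"][join_type] = summary["devices"].get(join_type, 0) + 1
        if join_type == "registered" and not device.get("isManaged"):
            summary["unmanaged_registered"].append(device["displayName"])
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_USERS, SAMPLE_DEVICES))
```

Against a real tenant, the same functions can be fed the objects returned by the Graph `/users` and `/devices` endpoints once those properties are selected.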