Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Microsoft 365 Security, Compliance, and Identity Administration
Microsoft 365 Security, Compliance, and Identity Administration

Microsoft 365 Security, Compliance, and Identity Administration: Plan and implement security and compliance strategies for Microsoft 365 and hybrid environments

Arrow left icon
Profile Icon Peter Rising
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.9 (17 Ratings)
Paperback Aug 2023 630 pages 1st Edition
eBook
$24.99 $35.99
Paperback
$44.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Peter Rising
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.9 (17 Ratings)
Paperback Aug 2023 630 pages 1st Edition
eBook
$24.99 $35.99
Paperback
$44.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$24.99 $35.99
Paperback
$44.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Microsoft 365 Security, Compliance, and Identity Administration

Planning for Hybrid Identity

This book aims to act as a general administration guide for security, compliance, identity, management, and privacy administrators of Microsoft 365 environments, whether they are cloud-only or hybrid. You will learn about umbrella terms for technology principles, such as Microsoft Defender, Microsoft Purview, and Microsoft Entra, and understand their purpose and how they relate to each other. You will see how to access, plan, and configure these technologies via administrative portals, as well as by using PowerShell. In this first chapter, we begin by focusing on identity.

Configuring a Microsoft 365 hybrid environment requires an understanding of your organization’s identity needs. This will enable you to plan and deploy the correct Azure Active Directory (AD) authentication and synchronization method within your environment. This chapter discusses how you can plan your identity methodology and describes the process of monitoring and understanding the events recorded by Azure AD Connect.

By the end of this chapter, you will be able to determine your business needs, analyze on-premises identity infrastructure, and develop a plan for hybrid identity. You will understand how to design and implement authentication and application management solutions, how to enhance data security through strong identity, and how to analyze events and configure alerts in Azure AD Connect.

This chapter covers the following topics:

  • Planning your hybrid environment
  • Authentication methods in Azure AD
  • Synchronization methods with Azure AD Connect
  • Azure AD Connect cloud sync
  • Event monitoring and troubleshooting in Azure AD Connect

Planning your hybrid environment

Identity is key when planning and implementing a Microsoft 365 environment. While the default identity method within Microsoft 365 is cloud-only, many organizations with reliance on legacy on-premises infrastructure and applications need to plan the deployment of hybrid identities when introducing Microsoft 365 to their organization.

So, what is a hybrid identity? In simple terms, it is the process of providing your users with an identity in the cloud that is based on their on-premises identity. There are several ways in which this can be achieved and they will be explained in detail throughout this chapter.

The basic principles of hybrid identity in Microsoft 365 are shown in the following diagram:

Figure 1.1: Hybrid identity

Figure 1.1: Hybrid identity

We will now explain how you can start planning for hybrid identities in Microsoft 365.

You should start by establishing the correct identity type for the business needs of your organization. It is important, at this stage, to recognize who your stakeholders will be in this process, understand their current working tools and practices, and assess how Microsoft 365 could be used best enabling them to work more efficiently and securely.

The following are some examples of your possible stakeholders:

  • Users
  • Power users
  • IT team
  • Security team
  • Compliance team
  • Business owners

Each stakeholder will have their challenges that need to be considered. However, your users account for the highest percentage of your stakeholders. Therefore, your primary focus should be to ensure that the transition to new ways of working is seamless. This is because many users will be nervous about change. How you introduce them to new technologies and working practices is directly related to the success or failure of your project. If your users buy into the changes you are introducing and can realize the benefits, then the rest of your stakeholders are also more likely to follow suit.

While your main users will be focused on doing their job, the remaining stakeholders will have a deeper interest in how a Microsoft 365 hybrid environment meets business requirements. Some of the common business requirements are as follows:

  • The modernization of existing IT services and tools
  • Providing and securing cloud Software as a Service (SaaS) applications
  • Reducing risk by establishing a modern identity-based security perimeter

For addressing these requirements, a logical starting point is to examine how on-premises identities are currently configured. This will give you a better understanding of what you need to plan and implement for identity authentication in the cloud. You need to be aware of any current on-premises synchronization solutions that may be in place, including any third-party solutions. You will also need to consider any existing use of cloud applications in the organization. These will need to be identified and plans made for their continued use, integration, or possible replacement.

Note

Cloud App Discovery using Microsoft Defender for Cloud Apps can be used to analyze existing SaaS app usage within your organization. This will be covered in a later chapter of this book.

Understanding your on-premises identity infrastructure will help you to plan for modernization or digital transformation. So, what is modernization considered to be in the world of information technology? Essentially, it is based on the principle that IT users now wish and expect to be more mobile. They want quick and easy access to their emails, chats, and documents anywhere, anytime, and on any device.

This requirement creates the challenge of how to effectively secure and protect the services within the Microsoft 365 platform while simultaneously ensuring that they are easily available and accessible to users. How is this achieved? It is not possible to wrap a firewall around Microsoft 365 in the traditional sense. Instead, you need to look at the various modern authentication security methods that are available within Azure AD. Let’s discuss these methods in detail in the next section.

Authentication methods in Azure AD

Several approaches can be leveraged to authenticate your users to Azure AD. In this section, you will explore these methods and understand their use cases.

The authentication security methods available in Microsoft 365 are as follows:

  • Multi-factor authentication (MFA)
  • Self-service password reset (SSPR)
  • Conditional Access
  • Passwordless

The following sections will briefly introduce the principles of these methods; however, each of these will be explored in greater detail in Chapter 2, Authentication and Security, and Chapter 3, Implementing Conditional Access Policies.

Multi-factor authentication

MFA in Azure AD provides two-step verification for Microsoft services via a combination of approved authentication methods determined by Microsoft 365 administrators. The available methods can be based on the following:

  • Something you know, such as your password
  • Something you own, such as your mobile phone or an OAuth hardware token
  • Something you are, such as biometric identification (fingerprint or facial recognition)

When setting up MFA for users in your Microsoft 365 environment, users must first complete a registration process to provide information about themselves to Azure AD and set their authentication method preferences.

Once set, users will be challenged with an MFA prompt when accessing Microsoft 365 services and applications using their Azure AD credentials, as shown in the following diagram:

Figure 1.2: Azure MFA

Figure 1.2: Azure MFA

MFA can also be configured to work in conjunction with Conditional Access, with trusted locations that you define by entering the IP ranges of your business operating units so that users will not be issued an MFA challenge when working in these locations. Conditional Access with MFA also enables you to apply another layer of security by ensuring that any access requests to specific apps and resources can be secured and protected, by requiring the requesting user to complete an MFA challenge before being granted the access they require.

Note

It is recommended that you configure MFA for all privileged user accounts within your Microsoft 365 environment, except for your permanent break-glass accounts, which should be cloud-only accounts with the domain suffix of the .onmicrosoft.com domain name. Alternative authentication protection should be applied to these break-glass accounts. Break-glass accounts will be covered in more detail in Chapter 3, Implementing Conditional Access Policies.

Self-service password reset

Whilst not strictly an authentication method in itself, SSPR is a user feature designed to remove the requirement of IT staff to respond to user requests to reset their passwords in Azure AD. An initial registration process is required at https://aka.ms/SSPRSetup for each user to set up SSPR, during which time they must provide authentication methods to verify their identity.

Note

To reset the password, the user visits https://passwordreset.microsoftonline.com.

SSPR can be used for both cloud-only and hybrid identity users. If the user is cloud-only, then their password is always stored encrypted in Azure AD, whereas hybrid users have their password written back to on-premises AD. This is achieved using a feature that can be enabled in Azure AD Connect called password writeback.

The basic principles of SSPR are illustrated in the following diagram:

Figure 1.3: Self-service password reset

Figure 1.3: Self-service password reset

The process of registering your users for SSPR is now combined with that of the MFA registration process. Previously, there were two separate registration processes for these technologies.

When SSPR is enabled on your Azure AD environment, you can assist your users by configuring notifications that make them aware when their passwords have been reset. You can also increase security by setting administrator notifications to monitor and alert whenever an administrator changes a password. It is also possible to customize a helpdesk email or URL to provide immediate guidance to users who experience problems when attempting to reset their passwords.

Note

When using SSPR with password writeback for your hybrid identities, you will require Azure AD Premium P1 licenses.

Conditional Access

Conditional Access is a powerful feature of Azure AD Premium P1 that allows Microsoft 365 administrators to control access to applications and resources within your organization. With Conditional Access, you can automate the process of controlling the level of access that users will have to these applications and resources by setting Conditional Access policies. Azure AD will then make decisions on whether to grant or deny access based on the conditions that you set in these policies. The basic principles are shown in the following diagram:

Figure 1.4: Conditional Access

Figure 1.4: Conditional Access

While it is possible to apply some default security settings to your Microsoft 365 environment with security defaults (auto-applied on newer tenants), you will undoubtedly need to plan and define custom policies with specific conditions and exceptions. For example, you would not wish to force MFA on your permanent break-glass global administrator account. We will examine Conditional Access in greater detail in Chapter 3, Implementing Conditional Access Policies.

Note

Conditional Access settings frequently require some additional features of Azure AD to be configured, for example, Azure AD Identity Protection. This will have an impact on your decision-making process as it relates to licensing. While Conditional Access is a feature of Azure AD Premium P1, the use of Azure AD Identity Protection features would necessitate Azure AD Premium P2 licenses.

Passwordless authentication

Passwords are more vulnerable than ever before and can be exploited and compromised by malicious actors using techniques such as phishing, spray attacks, and social engineering attacks. Switching to a passwordless authentication method helps mitigate such risks.

Microsoft provides three types of passwordless authentication for Azure AD. These are as follows:

  • Microsoft Authenticator: Can enable iOS or Android phones to be used as passwordless credentials by providing numerical challenges.
  • FIDO2-compliant security keys: Hardware keys provided by a number of third-party manufacturers; ideal for highly privileged identities or shared machines in kiosks.
  • Windows Hello for Business: Available on Windows computers and ideal for users with their own designated Windows device. Biometric and PIN credentials are directly configured on the device to prevent access from anyone but the authorized user.

Note

Links to further resources on Microsoft Authenticator, FIDO2-compliant security keys, and Windows Hello for Business can be found in the Further reading section at the end of this chapter.

Now that you understand the available authentication methods, let’s explore the directory synchronization methods supported by Azure AD Connect.

Synchronization methods with Azure AD Connect

Having covered the concept of hybrid identity and authentication, you will now go through the process that makes hybrid identity possible—directory synchronization. The tool used to configure directory synchronization is called Azure AD Connect (previously known as Azure AD Sync Service and DirSync). Azure AD Connect consists of, or can leverage, the following components:

  • Synchronization services
  • Active Directory Federation Services (AD FS)—an optional component
  • Health monitoring

Azure AD Connect supports multiple AD forests and multiple Exchange organizations to a single Microsoft 365 tenant. It leverages a one-way process, where it synchronizes users, groups, and contact objects from your on-premises AD to Microsoft 365.

Although this is almost exclusively a one-way process, there are some writeback capabilities that can be leveraged if chosen or required, which will allow attributes from passwords and groups set in Microsoft 365 to be written back to an on-premises AD.

The principles of Azure AD Connect are shown in the following diagram:

Figure 1.5: Azure AD Connect

Figure 1.5: Azure AD Connect

Once Azure AD Connect is configured and in place, the source of authority for these newly synchronized objects remains with the on-premises AD. Therefore, these objects must be managed by on-premises tools, such as AD Users and Computers or PowerShell. Microsoft 365 administrators will, therefore, not be able to make changes to cloud objects in the Microsoft 365 portal that are synchronized from the on-premises AD.

When setting up Azure AD Connect for the first time, the installation wizard will guide you to select either an Express Settings installation or a customized settings installation. The Express Settings installation is the default setting for Azure AD Connect and is designed for use with password hash synchronization from a single AD forest. The installation dialog is shown in the following screenshot:

Figure 1.6: Express settings

Figure 1.6: Express settings

The custom settings installation provides a richer selection of optional features that can be configured to provide enhanced functionality if required. You can start a custom settings installation by clicking on Customize:

Figure 1.7: Custom settings

Figure 1.7: Custom settings

With the custom settings installation, you are provided with the following options to extend your on-premises identities in the cloud using Azure AD Connect:

  • Password hash synchronization
  • Pass-through authentication
  • Federation with AD FS
  • Federation with PingFederate
  • Enable single sign-on
  • Do not configure

The following sections will explain how to configure the first five of these options in detail.

Password hash synchronization

Password hash synchronization is the simplest method to establish a hybrid identity with Azure AD. Also commonly known as same sign-on, password hash synchronization can be set up using Azure AD Connect. This will synchronize a hash of the user passwords to Azure AD from your on-premises AD.

With password hash synchronization, users logging onto their cloud accounts via the Microsoft 365 portal will authenticate directly to Microsoft 365 cloud services as opposed to leveraging on-premises authentication and security:

Figure 1.8: Password hash synchronization

Figure 1.8: Password hash synchronization

How does this work? Here is the process in a few simple steps:

  1. The password synchronization agent within Azure AD Connect will request the stored password hashes at 2-minute intervals from a domain controller. In response to this, the domain controller will encrypt the hash. This encryption is executed with a key that is acquired from the Remote Procedure Call (RPC) session key and then salted. Salting is a process pertaining to password hashing. Essentially it involves adding a unique value to the end of the password to create a different hash value. This provides an additional layer of security and helps protect against brute-force attacks.
  2. The domain controller will then send the result, along with the salt, to the sync agent using RPC. The agent can now decrypt the envelope. It is important to point out that the sync agent never has any access to the password in cleartext.
  3. Once decrypted, the sync agent performs a re-hash on the original password hash, changing it to a SHA256 hash by imputing this into the PKDF2 function.
  4. The agent will then sync the resulting SHA256-hashed password hash from Azure AD Connect to Azure AD using SSL.
  5. When Azure AD receives the hash, it will be encrypted with an AES algorithm and then stored in the Azure AD database.

Therefore, when a user signs into Azure AD with their on-premises AD username and password, the password is taken through this process. If the hash result is a match for the hash stored in Azure AD, the user will be successfully authenticated.

Pass-through authentication

Pass-through authentication is an alternative to password hash synchronization. This method is commonly used when Microsoft 365 administrators require users to authenticate their Microsoft 365 logins on-premises as opposed to directly to Azure AD:

Figure 1.9: Pass-through authentication

Figure 1.9: Pass-through authentication

Unlike password hash synchronization, pass-through authentication does not synchronize passwords from on-premises AD to Microsoft 365. Instead, it allows users to log on to both on-premises and cloud applications and services using the same password. This provides a far more cohesive experience for users, with the added benefit that on-premises passwords are never stored in the cloud in any form.

A lightweight agent is all that is needed to set this up with Azure AD Connect and this agent is automatically installed on the Azure AD Connect server when you run the initial setup for pass-through authentication. To provide resiliency to your pass-through authentication solution, the agent can be installed onto additional servers in your on-premises AD sites. The agents should ideally be installed on servers close to your domain controllers to improve sign-in latency. Servers on which the agent is installed should also be security hardened to the same extent that you would protect domain controllers.

Note

It is recommended to configure a minimum of three authentication agents in your environment. The maximum number of agents that can be installed is 40. It is generally good practice to have at least one agent deployed to each of your AD sites to make pass-through authentication resilient and highly available.

The authentication agents must be able to make outbound requests to Azure AD over the following ports in order to function:

Port

Requirement

80

SSL certificate validation and certificate revocation list download

443

Provides outbound communication for the service

8080

While this port is optional and not required for user sign-ins, it is useful to configure this as authentication agents will report status through port 8080 at 10-minute intervals.

Table 1.1: Azure AD ports

Federation

Federation, in simple terms, can be described as domains that trust each other. They share access to resources across organizations, with authentication and authorization settings configured to control the trust.

It is possible to federate your on-premises AD environment with Azure AD to provide authentication and authorization. As is the case with pass-through authentication, a federated sign-in method enforces all user authentication via on-premises methods as opposed to the cloud.

The main benefits of federation are that it provides enhanced access controls to administrators. However, the drawback of this method is that additional infrastructure will inevitably need to be provisioned and maintained.

In Azure AD Connect, there are two methods available to configure federation with Azure AD. These are AD FS and the more recently added PingFederate.

To explain the infrastructure requirements in more detail, AD FS can be used as an example. In order to configure AD FS in line with Microsoft’s best practices, you will need to install and configure a minimum of two on-premises AD FS servers on your AD environment and two web application proxy servers on your perimeter network.

This configuration provides the necessary security principles to ensure that both internal and (especially) remote users authenticate to the services within your hybrid environment in a manner that provides appropriate authentication and authorization. The process of federation is shown in the following diagram:

Figure 1.10: Federation

Figure 1.10: Federation

So, how does federation actually work? Well, there are two main principles that you need to understand. These are claims-based authentication and federated trusts. The following sections will explain each of these in detail.

Claims-based authentication

Claims-based authentication works on the principle of users making statements about themselves in order to authenticate and gain access to applications by using industry-standard security protocols. User claims rely on the claims issuer, which is the Security Token Service (STS). The STS can be configured on your AD FS server. The statements provided by users can relate to name, identity, key, group, privilege, or capability.

A claim is issued by the user to the claims issuer. It is then assigned values and packaged into a security token by the claims issuer (the STS). This security token is essentially an envelope that contains the claims relating to the user. The token is sent back to the user and then passed to the application that the user wishes to access.

The claim relies on the explicit trust that is established with the issuer. The application that the user wishes to access will only trust the user’s claim if it subsequently trusts the claims issuer (the STS).

With claims-based authentication, you can configure a number of authentication methods. The most commonly used ones are as follows:

  • Kerberos authentication
  • Forms authentication
  • X.509 certificates
  • Smart cards

Although many older applications do not support claims-based authentication, the main use-case argument for applications that do support it is that it simplifies the process of trust for those target applications. Instead of having to place their trust directly in the user making the claim, they can be secure in the knowledge that they can absolutely trust the claims issuer instead.

Federated trust

Federated trusts expand on the capabilities of claims-based authentication by enabling your issuer to accept security tokens from other issuers as opposed to a user having to directly authenticate. In this scenario, the issuer can both issue and accept security tokens from other trusted issuers utilizing the federation trust. This process essentially establishes a business relationship or partnership between two organizations.

Federated trusts enable trusted issuers to represent the users on their side of the trust. The benefit of this configuration is that should you need to revoke the trust, you can do so through a single action. Rather than revoking a trust with many individual external users, you can simply terminate the trust with the issuer.

A good example of how this works in practice would be that if you need to authenticate remote users to your environment, a federated trust will remove the requirement to provide direct authentication for those users. Instead, you will have a trust relationship with the remote user from their organization. This enables these remote users to continue using their own single sign-on methodology and provides an efficient, decentralized way for them to authenticate to your organization.

Note

An alternative method of providing many of the features that federation offers is to use pass-through authentication in conjunction with the rich features of Azure AD Premium, such as Conditional Access and Identity Protection.

Although additional licensing may be required within Azure AD to deploy these features, this method offers simplified setup and administration and also removes the requirement for any additional infrastructure.

Azure AD Seamless Single Sign-On

Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) is a free-to-use feature of Azure AD that provides a single set of credentials for your users to authenticate to applications within Azure AD, when connecting to your organization’s network using a business desktop device. This means that once connected to your organization’s network on their Windows 10/11 domain-joined devices, they will not be asked to provide further credentials when opening any Azure AD applications. The principles of Seamless SSO are shown in the following diagram:

Figure 1.11: Seamless SSO

Figure 1.11: Seamless SSO

Seamless SSO is configured via the Azure AD Connect wizard or PowerShell and can be used in conjunction with password hash synchronization and pass-through authentication. It is not compatible with federations such as AD FS or PingFederate.

There are some prerequisites to be aware of when planning to implement Seamless SSO. These include the following:

  • If you are using Azure AD Connect with password hash sync, ensure that you are using Azure AD Connect Version 1.1.644.0 or later. Further, if possible, ensure that your firewall or proxy is set to allow connections to the *.msappproxy.net URLs over port 443. Alternatively, allow access to the Azure data center IP ranges.
  • Be aware of the supported topologies that are shown at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies.
  • Ensure that modern authentication is enabled on your tenant.
  • Ensure that the version of your users’ Office desktop clients is a minimum of 16.0.8730.xxxx or above.

Note

Although at the time of writing this book, version 1.1.644.0 is still listed as the minimum required version of Azure AD Connect when using Seamless SSO with password hash synchronization, it is important to be aware that version 1 of AD Connect was retired by Microsoft at the end of August 2022. Further details of this can be found in the Further reading section at the end of the chapter.

Once you have verified these prerequisites, you can go ahead and enable the feature. This is most commonly done when setting up Azure AD Connect for the first time by performing a custom installation using the Azure AD Connect wizard and, from the User sign-in page, ensuring that the Enable single sign-on option is selected:

Figure 1.12: User sign-in methods

Figure 1.12: User sign-in methods

It is also possible to use PowerShell to set up Seamless SSO. This is a particularly useful method if you need to specify a particular domain(s) in your AD forest to use the feature.

If you need to enable the feature when you already have Azure AD Connect deployed, then you can rerun the setup wizard and choose the Change user sign-in option under the Additional tasks section:

Figure 1.13: Additional tasks

Figure 1.13: Additional tasks

Note

You will need domain administrator credentials to complete setting up Seamless SSO. However, these credentials are only required to enable the feature and will not be required after the setup is complete.

To verify that the setup of Seamless SSO has been completed successfully, log on as a global administrator to https://portal.azure.com and navigate to Azure Active Directory | Azure AD Connect.

From this page, you will be able to verify that Seamless SSO has the status Enabled:

Figure 1.14: User sign-in settings

Figure 1.14: User sign-in settings

Finally, when completing your custom settings installation of Azure AD Connect, you are presented with several additional Optional features, as shown in the following screenshot:

Figure 1.15: Optional features

Figure 1.15: Optional features

The most commonly used features are Exchange hybrid deployment and Password writeback. Further information on all of the available optional features can be viewed at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#optional-features.

To deploy the Azure AD Seamless single sign-on feature for your users, you need to ensure that the following URL is added to the required user’s Intranet Zone settings by using Group Policy: https://autologon.microsoftazuread-sso.com.

One of the advantages of deploying this setting with Group Policy is that you can roll out Seamless SSO to groups of users at your own pace.

A more recent alternative to Azure AD Connect to accomplish hybrid identity goals is Azure AD Connect cloud sync, which we will discuss in the next section.

Azure AD Connect cloud sync

Instead of the Azure AD Connect application, a cloud provisioning agent can be used. However, Azure AD Connect cloud sync can also be leveraged along with Azure AD Connect sync to enable the synchronization of data to a tenant from a multi-forest disconnected AD forest environment, which is a functionality that is often used in merger and acquisition scenarios. It also facilitates simplified installation using lightweight provisioning agents, with the management of all sync configuration taking place in the cloud. In addition, it offers multiple provisioning agents to simplify high-availability deployments. Azure AD Connect cloud sync is controlled by Microsoft Online services. Locally, only a lightweight agent needs to be deployed, which acts as a bridge between the on-premises AD and Azure AD.

A detailed comparison of features between Azure AD Connect and Azure AD Connect cloud sync can be viewed at https://learn.microsoft.com/en-us/azure/active-directory/cloudsync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync.

While Azure AD Connect cloud sync does include some powerful features, it also has some limitations. The most notable one is no support for Exchange hybrid writeback, which prevents many organizations still relying on Exchange on-premises from leveraging this technology.

Note

Federation is becoming less used in favor of pass-through authentication, but it is still important to understand AD FS scenarios.

Next, we will look at the monitoring and troubleshooting methods for Azure AD Connect.

Event monitoring and troubleshooting in Azure AD Connect

Now that you have your hybrid identity method configured, it should all run smoothly. However, occasionally, you may still encounter some problems. This is where the ability to assess and troubleshoot Azure AD Connect with tools from the Microsoft 365 portal can assist administrators in quickly identifying and resolving issues. Administrators will be able to perform the following tasks as part of troubleshooting in Azure AD Connect:

  1. Review and interpret synchronization errors by accessing the Microsoft 365 admin center via https://admin.microsoft.com and examining the Azure AD Connect directory sync status. Here, you will see an overview of all directory synchronization errors. A common example may be a duplicate proxy address or UPNs causing conflicts and preventing an object from syncing. The following screenshot shows the Azure AD Connect tile in the admin center. Any issues with synchronization will be shown here by using red circles for critical warnings or yellow triangles for lesser warnings. A green circle means all is OK and healthy:

Figure 1.16: Azure AD Connect sync status

Figure 1.16: Azure AD Connect sync status

The preceding figure shows a sync status of only 37 minutes ago, which results in a yellow warning. Figure 1.17 shows more serious red warnings when sync has not completed for 3 days:

Figure 1.17: Azure AD Connect status

Figure 1.17: Azure AD Connect status

  1. If you scroll down further, you will see additional details about your Directory sync status, as shown in the following screenshot. One of the tools you can download from here is IdFix. You can run this tool from any domain-joined workstation in your environment. It provides detailed information on synchronization issues and guidelines on how to resolve them:

Figure 1.18: Directory sync status

Figure 1.18: Directory sync status

  1. Receive and act on email notifications relating to an unhealthy identity synchronization. These email alerts are configured by default to alert only the technical contact defined in your Microsoft 365 tenant under the organization profile. The technical contact will continue receiving these emails until the issue is resolved.
  2. Check Synchronization Service Manager on the Azure AD Connect server to confirm that the operations required for successful synchronization have been completed. If any errors occur, they will be displayed here with explanations for why the operation failed:

Figure 1.19: Synchronization Service Manager

Figure 1.19: Synchronization Service Manager

  1. Directory synchronization occurs every 30 minutes by default. However, you can generate a synchronization on demand by opening the Connectors tab and manually starting the process, as shown in the following screenshot:
Figure 1.20: Synchronization Service Manager

Figure 1.20: Synchronization Service Manager

  1. Click on Actions and select Run:

Figure 1.21: Connector actions

Figure 1.21: Connector actions

  1. You will be able to run the desired connectors from here, as shown:

Figure 1.22: Connector options

Figure 1.22: Connector options

  1. It is also possible, and far simpler, to run a manual synchronization process using PowerShell from your AD Connect server with the following commands:
    • To initiate a full synchronization:
      Start-ADSyncSyncCycle -PolicyType Initial
    • To initiate a delta synchronization
      Start-ADSyncSyncCycle -PolicyType Delta

In this section, we examined event monitoring and troubleshooting techniques in Azure AD Connect. We learned how to review, interpret, and respond to synchronization errors in the Office 365 portal and by checking the Synchronization Service Manager tool. We also explored how you can manually trigger the synchronization process from the Synchronization Service Manager tool and by using PowerShell.

Summary

This chapter presented the steps and considerations for planning and implementing hybrid identity in Microsoft 365. You should now have an understanding of the synchronization methods available and how to choose the correct one for your environment, along with the principles of additional security authentication. You also learned how to troubleshoot events and alerts when required.

The next chapter will dive deeper into security and authentication features within Microsoft 365, including MFA and SSPR. You will also take a look at Azure AD dynamic groups and managing B2B and Office 365 external sharing.

Questions

  1. Which of the following is not one of the identity methods available with Azure AD?
    1. Pass-through authentication
    2. Federation
    3. MFA
    4. Password hash sync
  2. Your organization needs to synchronize an on-premises Active Directory with Azure AD. Users must authenticate to the on-premises infrastructure while connecting to services with their Microsoft 365 credentials. You need to recommend an identity methodology that accomplishes the goal but minimizes costs and complexity. What should you recommend?
    1. Cloud-only identity
    2. Pass-through authentication
    3. Active Directory Federation Services
    4. Password hash synchronization
  3. True or false? Azure AD Connect Cloud sync includes support for Exchange hybrid writeback.
    1. True
    2. False
  4. Which of the following Microsoft 365 licenses allows users to use SSPR (choose two)?
    1. Azure AD Premium P2
    2. Intune
    3. Azure Information Protection P1
    4. Azure AD Premium P1
  5. Which of the following PowerShell commands could you use to run a full Azure AD Connect sync manually?
    1. Start-ADSyncSyncCycle -PolicyType Initial
    2. Start-ADSyncSyncCycle -PolicyType Delta
    3. Start-ADSyncSyncCycle -PolicyType Full
    4. Start-ADSyncSyncCycle -PolicyType Immediate
  6. True or false? Self-service password reset is automatically enabled for Global Administrator accounts in Microsoft 365.
    1. True
    2. False
  7. What is the maximum number of authentication agents that can be configured in Azure AD for pass-through authentication?
    1. 5
    2. 10
    3. 30
    4. 40
  8. How frequently (by default) does Azure AD Connect automatically synchronize on-premises AD changes to Azure AD?
    1. Every 20 minutes
    2. Once an hour
    3. Every 30 minutes
    4. Every 15 minutes
  9. Which of the following could be a possible cause for Azure AD Connect synchronization issues or errors?
    1. A duplicate proxy address is detected.
    2. SSPR has been incorrectly configured.
    3. You are using password hash sync rather than pass-through authentication.
    4. The AD Connect wizard was run with express installation settings rather than a customized installation.
  10. When deploying federation with AD FS, what is the minimum number of web application proxy servers you should configure on your perimeter network?
    1. 5
    2. 2
    3. 3
    4. 7

Further reading

Please refer to the following links for more information:

Left arrow icon Right arrow icon

Key benefits

  • Discover techniques to reap the full potential of Microsoft security and compliance suite
  • Explore a range of strategies for effective security and compliance
  • Gain practical knowledge to resolve real-world challenges

Description

The Microsoft 365 Security, Compliance, and Identity Administration is designed to help you manage, implement, and monitor security and compliance solutions for Microsoft 365 environments. With this book, you’ll first configure, administer identity and access within Microsoft 365. You’ll learn about hybrid identity, authentication methods, and conditional access policies with Microsoft Intune. Next, you’ll discover how RBAC and Azure AD Identity Protection can be used to detect risks and secure information in your organization. You’ll also explore concepts such as Microsoft Defender for endpoint and identity, along with threat intelligence. As you progress, you’ll uncover additional tools and techniques to configure and manage Microsoft 365, including Azure Information Protection, Data Loss Prevention (DLP), and Microsoft Defender for Cloud Apps. By the end of this book, you’ll be well-equipped to manage and implement security measures within your Microsoft 365 suite successfully.

Who is this book for?

This book is for IT professionals, administrators, or anyone looking to pursue a career in security administration and wants to enhance their skills in utilizing Microsoft 365 Security Administration. A basic understanding of administration principles of Microsoft 365 and Azure Active Directory is a must. A good grip of on-premises Active Directory will be beneficial.

What you will learn

  • Get up to speed with implementing and managing identity and access
  • Understand how to employ and manage threat protection
  • Manage Microsoft 365's governance and compliance features
  • Implement and manage information protection techniques
  • Explore best practices for effective configuration and deployment
  • Ensure security and compliance at all levels of Microsoft 365

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Aug 18, 2023
Length: 630 pages
Edition : 1st
Language : English
ISBN-13 : 9781804611920

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Aug 18, 2023
Length: 630 pages
Edition : 1st
Language : English
ISBN-13 : 9781804611920

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 119.96 134.97 15.01 saved
Mastering Microsoft 365 Defender
$34.98 $49.99
Azure Security Cookbook
$39.99
Microsoft 365 Security, Compliance, and Identity Administration
$44.99
Total $ 119.96 134.97 15.01 saved Stars icon
Banner background image

Table of Contents

24 Chapters
Part 1: Implementing and Managing Identity and Access Chevron down icon Chevron up icon
Chapter 1: Planning for Hybrid Identity Chevron down icon Chevron up icon
Chapter 2: Authentication and Security Chevron down icon Chevron up icon
Chapter 3: Implementing Conditional Access Policies Chevron down icon Chevron up icon
Chapter 4: Managing Roles and Identity Governance Chevron down icon Chevron up icon
Chapter 5: Azure AD Identity Protection Chevron down icon Chevron up icon
Part 2: Implementing and Managing Threat Protection Chevron down icon Chevron up icon
Chapter 6: Configuring a Microsoft Defender for Identity Solution Chevron down icon Chevron up icon
Chapter 7: Configuring Device Threat Protection with Microsoft Defender for Endpoint and Intune Chevron down icon Chevron up icon
Chapter 8: Configuring Microsoft Defender for Office 365 Chevron down icon Chevron up icon
Chapter 9: Using Microsoft Sentinel to Monitor Microsoft 365 Security Chevron down icon Chevron up icon
Chapter 10: Configuring Microsoft Defender for Cloud Apps Chevron down icon Chevron up icon
Part 3: Implementing and Managing Information Protection Chevron down icon Chevron up icon
Chapter 11: Managing Sensitive Information Chevron down icon Chevron up icon
Chapter 12: Managing Microsoft Purview Data Loss Prevention Chevron down icon Chevron up icon
Chapter 13: Managing Microsoft Purview Data Lifecycle Management Chevron down icon Chevron up icon
Part 4: Managing Compliance Features in Microsoft 365 Chevron down icon Chevron up icon
Chapter 14: Monitoring and Analyzing Audit Logs and Reports in Microsoft Purview Chevron down icon Chevron up icon
Chapter 15: Planning For, Conducting, and Managing eDiscovery Cases Chevron down icon Chevron up icon
Chapter 16: Managing Regulatory and Privacy Requirements Chevron down icon Chevron up icon
Chapter 17: Managing Insider Risk Solutions in Microsoft 365 Chevron down icon Chevron up icon
Answers Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.9
(17 Ratings)
5 star 94.1%
4 star 5.9%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




N/A Feb 21, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Pubblicazioni interessanti scritti con il giusto livello tecnico ma soprattutto in modo chiaro.
Feefo Verified review Feefo
Seth Keyser Feb 06, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book lays out the foundational knowledge for any level of IT Professionals wanting to be successful in securing, being in compliance, and administering Microsoft's suite of applications. A must have resource! I highly recommend this great read!
Amazon Verified review Amazon
Nathan Aug 26, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book provides all of the foundational knowledge and information needed to take on the role of an M365 administrator.The M365 SCI stack is broad and Peter does a fantastic job of thoroughly explaining the technical configuration elements across the main product set of this side of M365.I especially like the notes dotted throughout the book, these have some tid-bits of information that are worth remembering, such as Microsoft best practices and recommendations.A must read book for entry level and experienced M365 administrators alike.
Amazon Verified review Amazon
Dwayne Natwick Sep 04, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
There is no one that I would trust more to teach me about Microsoft 365 Security, Compliance, and Identity than Peter Rising. Peter does not disappoint in the Packt Publishing book that he has authored on these topics. Peter provides an in-depth guide to administration of Microsoft 365 with easy to follow examples and step-by-step exercises. This book is a great addition to your bookshelf and can assist you in preparing for Microsoft 365 administration.
Amazon Verified review Amazon
Terence Hamilton Sep 04, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is a great guide and deep dive reference. If you need to setup, configure and/or administer Microsoft 365 Applications for your employer, client or personal organization it is all here. Everything you need is in here from the history, architectures, configuration options, compatibility and implementations.I highly recommend this! I will be using this book often!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.