
Cybersecurity Home Lab - Going hybrid using Azure AD connect

  • Writer: Jv Cyberguard
  • Feb 25, 2023
  • 4 min read

Updated: Jul 18, 2023




Part 4 - Going hybrid - Connecting your AD to Azure AD


In the previous part of our home lab series we completed our on-prem AD environment setup. Most businesses have services both in the cloud and on premises. Authenticating to and using cloud services requires an identity provider in the cloud, which for us is our Azure AD tenant.

We will connect our on-prem deployment to our Office 365 tenant using Azure AD Connect.

Prerequisites: you need a tenant with an E5 licence. Do you need to pay? No.

I won't walk through it here, but you can get a free Microsoft 365 developer subscription (which comes with E5 licences) through the Microsoft 365 Developer Program.



Use this guide as a reference. We will revisit it later, but I will leave the link here for now: 42. Install and Configure Azure AD Connect to Sync On Premises AD Users


Configuring Azure AD connect


On your DC, search for Azure AD Connect and download the installer from Microsoft's official download page. Only take it from Microsoft: this tool ends up holding highly privileged credentials for both your domain and your tenant.

Install Azure AD Connect


Double-click the installer and it should open the screen below.


On your host machine, navigate to portal.azure.com. If you created the account with the developer E5 subscription you should be able to log in.


Go to All Services > Azure AD.


In Overview, you should see the premium license that was assigned to the tenant.



At this point Azure AD Connect sync shows as not enabled, so that is what we will set up.


We pivot back to our DC in VMware. The Azure AD Connect application should be open at the screen below.

In my environment, I do not have a verified custom domain in Azure AD, and my AD domain uses a .local suffix, which is not internet-routable. Do not be thrown off by this; we can still complete the lab. The effect is that synced users keep their UPN prefix but get the tenant's default '.onmicrosoft.com' suffix in Azure AD instead of '.local'.


Next, click Customize.

The next page lists optional installation settings (for example using an existing SQL Server, an existing service account, or custom sync groups). Since the purpose of this part of the lab is simply to get a hybrid environment working, we leave everything on this page unselected. Click Install and the components will be installed.

After the install completes we can pick a sign-in method. We will choose Password Hash Synchronization and tick Enable single sign-on. Password hash synchronization never sends cleartext passwords to the cloud: the connector takes each user's NT hash, adds a per-user salt and runs it through PBKDF2-HMAC-SHA256 (1,000 iterations) before uploading the result.

On the next page, enter your Azure AD global admin credentials (in current versions the Hybrid Identity Administrator role is also sufficient). In the portal go to Users, find your account, copy its UserPrincipalName (UPN) into the username field and enter the password.

It will prompt you to sign in again as it connects to Microsoft Online to verify the username and password. You will likely be prompted for MFA.

Next, connect your directories. Click Add Directory to add our local AD forest.

We created an administrator account on our DC with Enterprise Admin privileges; enter it here so that Azure AD Connect can create a synchronization account (the AD DS Connector account, named MSOL_<id>) with the permissions it needs. The Enterprise Admin credentials are used only during this step and are not stored by the tool.

It is now added.

The next screen tells us that the AD UPN suffix should normally match a domain verified in Azure AD. Ours is not verified, but we can proceed by ticking 'Continue without matching all UPN suffixes to verified domains'. As mentioned earlier, any UPN in our non-routable domain will be synced with the tenant's '.onmicrosoft.com' suffix in Azure AD.

Click Next. Under Domain and OU filtering, select 'Sync selected domains and OUs' and untick everything except the OUs where your users, computers and groups live. Below is what I selected: Builtin, because that is where the built-in security groups are, and 'VictimNetworkUsers', the separate OU I created for my users. Feel free to leave the default 'Sync all domains and OUs' instead.

We can leave the defaults on this page.

On the Filtering page, leave the default.

We also leave the defaults here (Optional features). Later you can come back and enable options such as password writeback, which SSPR needs in order to write password resets back to on-prem AD.

Because we enabled single sign-on, we are asked for domain admin credentials again to approve it. This is the admin account for your DC, not Azure AD. Azure AD Connect uses it to create the AZUREADSSOACC computer account that Seamless SSO relies on; its Kerberos decryption key should be rolled over regularly (Microsoft recommends every 30 days).

It is now ready to install. Proceed; this will take some time.

And voilà, it's done. We can verify by checking the Azure portal.

Go back to Azure AD and scroll down to the Azure AD Connect section.

Here is how it works. The wizard created two service identities: an AD DS Connector account (MSOL_<id>) in on-prem AD that reads objects (and, with password hash sync enabled, password hashes) from your domain, and an Azure AD Connector account (Sync_<server>_<id>@<tenant>.onmicrosoft.com) that writes them into Azure AD. The sync engine on the Connect server uses these two accounts to sync AD objects from on-prem AD to Azure AD on a schedule, every 30 minutes by default. Because the MSOL_ account is granted directory replication rights and the server holds both sets of credentials, treat the Azure AD Connect server as a Tier 0 asset, like a domain controller.

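The following PowerShell, run elevated on the Connect server, is an added example and not part of the original post. It inspects the sync state the wizard just created and audits the AD DS Connector account it provisioned. It assumes Azure AD Connect is installed locally (so the ADSync module is present) and that the RSAT ActiveDirectory module is available; the MSOL_* naming and the replication-right GUIDs are Microsoft's, everything else is constructed for this lab.

```powershell
# Added example: verify Azure AD Connect sync state and audit the connector
# account. Assumes an elevated shell on the Connect server (here, the DC).
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Connectors: expect one for your AD forest and one for
#    <tenant>.onmicrosoft.com - AAD.
Get-ADSyncConnector | Select-Object Name

# 2. Scheduler: delta syncs run every 30 minutes by default.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC, StagingModeEnabled

# 3. Tenant-side features; PasswordHashSync should read True for this lab.
Get-ADSyncAADCompanyFeature

# 4. Trigger a delta sync instead of waiting for the scheduler.
Start-ADSyncSyncCycle -PolicyType Delta

# 5. Locate the AD DS Connector account(s) created with the Enterprise Admin
#    credentials supplied in the wizard (a reinstall can leave more than one).
$msolAccounts = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties Description
$msolAccounts | Select-Object SamAccountName, DistinguishedName, Description

# 6. Audit replication rights on the domain head. With password hash sync the
#    wizard grants the MSOL_ account these rights so it can read password
#    hashes; they are the same rights a DCSync-style attack needs, which is why
#    this server and account must be protected like a domain controller.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

foreach ($acct in $msolAccounts) {
    $acl.Access |
        Where-Object {
            $_.IdentityReference -like "*\$($acct.SamAccountName)" -and
            $replRights.ContainsKey($_.ObjectType.Guid)
        } |
        ForEach-Object {
            '{0} has {1} ({2})' -f $_.IdentityReference, $replRights[$_.ObjectType.Guid], $_.AccessControlType
        }
}
```

If step 6 prints nothing for an account, that account is not a replication-capable connector account (for example a stale one left by an earlier install) and is a candidate for cleanup; if it prints the Get-Changes-All right, make sure the Connect server is patched, has no local admins beyond your Tier 0 group, and is monitored like a DC.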

We can get further insight into the synchronization process via Start menu > Synchronization Service (run as administrator).


If we click one of the earlier exports to jvhomelab.onmicrosoft.com we see that 2 users were added, which are the 2 users in the VictimNetworkUsers OU. To see their names, double-click the Adds count to open the object details window, then click Properties on each distinguished name to identify the user.

You will notice the UPN has changed as expected.


I then logged on as one of my users (with their Azure AD UPN) to check whether sign-in logs appear and whether he can log on to portal.office.com with his account now that they're synced.
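The cloud-side check can also be done from PowerShell. The block below is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK to list the synced users, map each one back to its on-prem object through the sourceAnchor, show the UPN suffix rewrite, and pull the sign-in log for one of them. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Reports modules are installed, that it runs on a machine that can also query on-prem AD (the DC), and that the tenant uses the default sourceAnchor (ms-DS-ConsistencyGuid seeded from objectGUID, which is what a fresh install uses).

```powershell
# Added example: cloud-side verification of the sync with Microsoft Graph.
# Assumes Microsoft.Graph.* modules installed and RSAT ActiveDirectory present.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports
Import-Module ActiveDirectory

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

# 1. Every user that came from on-prem, with the anchor that ties it to AD.
$synced = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId, OnPremisesSecurityIdentifier |
    Where-Object { $_.OnPremisesSyncEnabled }
$synced | Select-Object UserPrincipalName, OnPremisesImmutableId, OnPremisesSecurityIdentifier

# 2. Map each cloud user back to its on-prem account. With the default
#    sourceAnchor, OnPremisesImmutableId is the base64 of the objectGUID.
foreach ($u in $synced) {
    $guid   = [guid]::new([Convert]::FromBase64String($u.OnPremisesImmutableId))
    $onPrem = Get-ADUser -Identity $guid -Properties UserPrincipalName
    # The UPN prefix survives; the unverified .local suffix is replaced by the
    # tenant's default .onmicrosoft.com domain.
    '{0}  <-  {1}' -f $u.UserPrincipalName, $onPrem.UserPrincipalName
}

# 3. Recent sign-ins for the first synced user (no names hard-coded).
$upn = $synced[0].UserPrincipalName
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10 |
    Select-Object CreatedDateTime, AppDisplayName, IpAddress,
        @{ Name = 'ErrorCode'; Expression = { $_.Status.ErrorCode } }
```

An ErrorCode of 0 is a successful sign-in; anything else is the failure reason Azure AD recorded. Sign-in log entries can lag a few minutes behind the actual logon, so re-run step 3 if the list is empty right after testing.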

That's it for now. Feel free to check out the MSFT WebCast videos for other things to do in your setup, such as finishing the SSO configuration.











©2025 by The SOC spot
