Archives October 2021

Preparing for Identity Synchronization by Using IdFix – Implementing and Managing Identity Synchronization with Azure AD

Since the purpose of Azure AD Connect and Azure AD Connect Cloud Sync is to synchronize user, group, contact, and device objects to Azure AD, you’ll need to make sure your objects meet the minimum requirements.

Microsoft has guidance surrounding the preparation of user objects for synchronization. Some attributes (specifically those that are used to identify the user throughout the system) must be unique throughout the organization. For example, you cannot have two users that have the same userPrincipalName value.

The following attributes should be prepared before synchronizing the directory to Azure AD:

Attribute           Constraints                                                Must be unique   Required
------------------  ---------------------------------------------------------  ---------------  --------
displayName         ≤ 256 characters                                                            X
givenName           ≤ 64 characters
mail                ≤ 113 characters; ≤ 64 characters before the @ symbol;     X
                    adheres to the RFC 822/2822/5322 standards
mailNickname        ≤ 64 characters; cannot start with a .; cannot contain     X
                    certain characters such as &
proxyAddresses      ≤ 256 characters per value; no spaces; diacritical marks   X
                    are prohibited
sAMAccountName      ≤ 20 characters                                            X                X
sn                  ≤ 64 characters
targetAddress       ≤ 256 characters; no spaces; includes a prefix (such as    X
                    SMTP:); value after prefix adheres to the RFC
                    822/2822/5322 standards
userPrincipalName   ≤ 113 characters; must use a routable domain name;         X                X
                    Unicode characters are converted to underscores

Table 4.1 – Azure AD Connect attributes

As you can see, very few attributes are actually required for an object to synchronize. Each attribute that is synchronized has some core requirements around formatting, including length and allowed characters. Several attributes (such as mailNickname, userPrincipalName, mail, sAMAccountName, and proxyAddresses) must contain unique values—that is, no other object in the directory of any type can share the value.
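As an added example (it is not part of the book, the IdFix tool, or any Microsoft code), the following Python script applies the Table 4.1 rules to a CSV export of user objects, such as the one IdFix can produce, and reports the same kinds of findings that appear in the IdFix ERROR column (length, invalid character, duplicate value) so they can be reviewed offline before a sync. It assumes a ROUTABLE_DOMAINS set that stands in for your tenant's verified domains (contoso.com is a placeholder), uses a simplified local@domain shape instead of a full RFC 5322 parser, and the sample CSV rows are constructed for the demonstration.

```python
import csv
import io
import re
import unicodedata
from collections import defaultdict

# Length limits in characters from Table 4.1 (proxyAddresses is per value).
MAX_LEN = {
    "displayName": 256, "givenName": 64, "mail": 113, "mailNickname": 64,
    "proxyAddresses": 256, "sAMAccountName": 20, "sn": 64,
    "targetAddress": 256, "userPrincipalName": 113,
}
REQUIRED = ("displayName", "sAMAccountName", "userPrincipalName")
UNIQUE = ("mail", "mailNickname", "proxyAddresses", "sAMAccountName",
          "targetAddress", "userPrincipalName")
# Minimal local@domain shape with no whitespace (not a full RFC 5322 parser).
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: the tenant's verified (routable) domains; contoso.com is a placeholder.
ROUTABLE_DOMAINS = {"contoso.com"}


def check_value(attr, value):
    """Return the list of rule violations for one attribute value."""
    errors = []
    if len(value) > MAX_LEN[attr]:
        errors.append("length")
    if attr == "mail":
        if not ADDR_RE.match(value):
            errors.append("format")
        elif len(value.split("@", 1)[0]) > 64:
            errors.append("local part length")
    elif attr == "mailNickname":
        if value.startswith("."):
            errors.append("leading period")
        if "&" in value:  # one of the characters the table calls out
            errors.append("character")
    elif attr == "proxyAddresses":
        if " " in value:
            errors.append("space")
        # NFD decomposition exposes accents as combining marks.
        if any(unicodedata.combining(c) for c in unicodedata.normalize("NFD", value)):
            errors.append("diacritic")
    elif attr == "targetAddress":
        if " " in value:
            errors.append("space")
        prefix, sep, addr = value.partition(":")
        if not sep or not prefix.isalnum():
            errors.append("prefix")
        elif not ADDR_RE.match(addr):
            errors.append("format")
    elif attr == "userPrincipalName":
        if not ADDR_RE.match(value):
            errors.append("format")
        elif value.rsplit("@", 1)[1].lower() not in ROUTABLE_DOMAINS:
            errors.append("non-routable domain")
        if any(ord(c) > 127 for c in value):
            errors.append("unicode")  # sync would rewrite these to underscores
    return errors


def check_records(records):
    """Check dicts keyed by attribute name (proxyAddresses ';'-joined, as in a CSV
    export). Returns (dn, attribute, error, value) tuples, one per violation."""
    findings = []
    seen = defaultdict(list)  # (attribute, lower-cased value) -> [dn, ...]
    for rec in records:
        dn = rec["distinguishedName"]
        for attr in REQUIRED:
            if not rec.get(attr):
                findings.append((dn, attr, "blank", ""))
        for attr in MAX_LEN:
            raw = rec.get(attr) or ""
            values = raw.split(";") if attr == "proxyAddresses" else [raw]
            for value in filter(None, values):
                for err in check_value(attr, value):
                    findings.append((dn, attr, err, value))
                if attr in UNIQUE:
                    seen[(attr, value.lower())].append(dn)
    # Uniqueness is checked across all objects: every sharer gets a finding.
    for (attr, value), dns in seen.items():
        if len(dns) > 1:
            findings.extend((dn, attr, "duplicate", value) for dn in dns)
    return findings


def check_csv(text):
    """Parse CSV text with a header row and run check_records over it."""
    return check_records(csv.DictReader(io.StringIO(text)))


# Constructed sample export: three users with deliberately planted problems.
SAMPLE_CSV = """\
distinguishedName,displayName,givenName,sn,mail,mailNickname,proxyAddresses,sAMAccountName,targetAddress,userPrincipalName
"CN=Alice Adams,OU=Users,DC=contoso,DC=com",Alice Adams,Alice,Adams,alice@contoso.com,alice,SMTP:alice@contoso.com,alice,,alice@contoso.com
"CN=Bob Baker,OU=Users,DC=contoso,DC=com",Bob Baker,Bob,Baker,bob@contoso.com,.bob,SMTP:bob @contoso.com;smtp:bob@contoso.com,bob,,bob@contoso.local
"CN=Carol Chen,OU=Users,DC=contoso,DC=com",Carol Chen,Carol,Chen,alice@contoso.com,carol&co,SMTP:carol@contoso.com,carolchen_sales_team_a,SMTP:carol@contoso.com,carol@contoso.com
"""

if __name__ == "__main__":
    for dn, attr, err, value in check_csv(SAMPLE_CSV):
        print(f"{dn}\t{attr}\t{err}\t{value}")
```

Run against a real export by reading the file into check_csv; the tab-separated output maps directly onto the DISTINGUISHEDNAME, ATTRIBUTE, ERROR and VALUE columns of the IdFix grid. Duplicate checking is done per attribute and case-insensitively, which is why both Alice and Carol are reported when they share a mail value.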

Further Reading

You can learn more about the required and supported values for attributes at https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailbox and https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-for-directory-synchronization.

IdFix is Microsoft’s tool for detecting common issues with on-premises AD identity data. While it doesn’t fix all possible errors, it is able to identify and remediate data formatting errors so that objects have valid data to synchronize.

IdFix supports the following features:

  • Transaction rollback
  • Verbose logging
  • Exporting data to CSV and LDF formats for offline review and editing

To get started with the tool, follow these steps:

1. Navigate to https://aka.ms/idfix.

2. Scroll to the bottom of the page and click Next.

3. Review the prerequisites for the tool. Scroll to the bottom of the page and click Next.

4. Click setup.exe to download the file and start the installation.

5. After the installation wizard starts, click Install.

6. Acknowledge the IdFix privacy statement by clicking OK.

7. IdFix, by default, targets the entire directory. You can select Settings (the gear icon) to change the options for IdFix. You can edit the Filter option to scope to certain object types. You can also select Search Base to specify a starting point for IdFix to begin its query. After modifying any settings, click OK, as shown in Figure 4.1:

Figure 4.1 – IdFix Settings

8. Click Query to connect to Active Directory and begin the analysis.

Schema Warning

If you receive a schema warning, such as the one in Figure 4.2, you can click Yes to proceed or No to return to the IdFix tool. The schema warning is generally presented when attributes are present in the AD schema but have not been marked for replication (usually because Exchange Server has not been installed or replication hasn’t been completed successfully in your organization for an extended period of time). If you receive this error, you should check to ensure that you have at least run the Exchange Server setup with the /PrepareSchema and /PrepareAD switches and have validated that AD replication is working correctly.

Figure 4.2 – IdFix schema warning

After IdFix has analyzed the environment, results are returned to the data grid, shown in Figure 4.3.

The DISTINGUISHEDNAME column shows the full path to the object in question, while the ATTRIBUTE column shows the attribute or property impacted. The ERROR column shows what type of error was encountered (such as an invalid character or duplicate object value). The VALUE column shows the existing value and the UPDATE column shows any suggested value.

Figure 4.3 – IdFix data grid

After you have investigated an object, you can choose to accept the suggested value in the UPDATE column (if one exists). You can also choose to either enter or edit a new value in the UPDATE column.

Once you’re done investigating or updating an object, you can use the dropdown in the ACTION column to mark an object:

• Selecting EDIT indicates you want to configure the object attribute with the value in the UPDATE column
• Selecting COMPLETE indicates you want to leave the object as it is
• Selecting REMOVE instructs IdFix to clear the offending attribute

In addition, you can select Accept to accept any suggested values in the UPDATE column. Choosing this option will configure all objects with a value in the UPDATE column to EDIT, indicating that the changes are ready to be processed.

Once you have configured an action for each object, select Apply to instruct IdFix to make the changes.

IdFix will process the changes. Transactions are written to a log that can be imported and used to roll back any mistakes.

Once you have ensured that your on-premises directory data is ready to synchronize to Azure AD, you can deploy and configure one of the Azure AD Connect synchronization products.

Alerting – Managing Roles in Microsoft 365

PIM also has built-in alerting functions. The alerts are designed to provide notifications if certain risk conditions are detected. Several of the role alerts have sliders for notifications that can be used to tune them for your organization. Alerts are accessed through the Azure portal by going to the Identity Governance | Microsoft Entra roles | Alerts page. By clicking on the gear icon, you can see all of the pre-configured alerts and edit them to your needs, as shown in Figure 3.27:

Figure 3.27 – Viewing PIM Alert settings

Note

Users can only edit and manage pre-configured alerts; creating new alerts is not an option.

PIM is a tool to help reduce the attack surface of your organization. By reducing the number of accounts with standing privileges, you can greatly reduce the risks presented by compromised administration accounts.

Summary

In this chapter, you learned about what it means to manage Azure AD from a least-privilege perspective. Reducing the scope and privileges used to administer an environment can greatly reduce the possible impacts of administrative actions—whether they are unintentional or targeted attacks by malicious users.

The next chapter will explore authentication options and configurations in the Microsoft 365 platform.

Exam Readiness Drill – Chapter Review Questions

Benchmark Score: 75%

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why working on these skills early in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and, at the same time, review your understanding of key concepts in the chapter. You’ll find these at the end of each chapter.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal, in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:

https://packt.link/MS102E1_CH03. Or, you can scan the following QR code:

Figure 3.28 – QR code that opens Chapter Review Questions for logged-in users

Once you log in, you’ll see a page similar to what is shown in Figure 3.29:

Figure 3.29 – Chapter Review Questions for Chapter 3

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill

For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1

The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2

The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3

The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip

You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look:

Table 3.3 – Sample timing practice drills on the online platform

Note

The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while the time you take to complete it should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.