On Saturday, February 29th, 2020, I presented at Azure Saturday Belgrade on Hybrid Identity.
The First Session of Its Kind
I have presented and co-presented a lot of sessions telling and showing people how to set up and manage Hybrid Identity. In more recent years, you might have witnessed me present on the most common mistakes when implementing and managing Hybrid Identity. However, as my experience grew, so did the complexity of my implementations.
The news got around and I was called into a couple of horror stories regarding Hybrid Identity. My ‘six horror stories of Hybrid Identity mismanagement’ session showcases these stories. For me, this was the first time I presented this session and it resonated with the audience.
About Hybrid Identity
Hybrid Identity emerges when you extend the on-premises Active Directory to Azure Active Directory. The easiest way to achieve it is to deploy Azure AD Connect, Microsoft’s free synchronization solution. Objects and their attributes are automatically synchronized from AD to Azure AD. Azure AD knows how to authenticate these users and will act according to the sign-in method specified in Azure AD Connect.
Benefits of Hybrid Identity include:
My Recommendations for Hybrid Identity Management
For those not able to attend my session, of course, I’ll share my conclusion below. It’s a simple three-point approach:
• Keep current
• Implement multi-factor authentication
• Keep thinking
Organizations have grown used to implementing IT resources and writing them off in four or five years. That approach no longer works. Windows Server releases may still be every three years, but other Hybrid Identity components are updated much faster: Azure AD Connect has a new major release every 6 months. Azure AD appears to change daily.
These different release cycles require continuous integration and an attention to detail on-premises.
You can’t use many features of Hybrid Identity in the following scenarios:
• when your Domain Controllers still run Windows Server 2008
• when your Active Directory still operates at the Windows Server 2003 functional levels
• when your Azure AD Connect server runs Windows Server 2012
Your Hybrid Identity project wouldn’t be the first to go 300% over budget because of everything you need to do to get Active Directory in shape for Hybrid Identity…
You have to keep within the boundaries of support. Microsoft intends to layout these boundaries more sharply starting November 2020 with an 18-month support period by default for Azure AD Connect releases. You have been warned…
Implement Multi-factor Authentication
Multi-factor authentication (or MFA for short) is a method to allow additional verification when people authenticate with their combination of username and password. It extends beyond the things people know (and can convey or leak to an attacker) by requiring proof of something they own (a phone number, or an Authenticator App installation) or requiring proof of something they are (a fingerprint, a face scan, etc.).
Today, requiring multi-factor authentication is the best way to ensure information security. It’s not perfect, but it’s the best thing we’ve got.
Microsoft has been fumbling around in the MFA space the past couple of years but has now finally found its MFA mojo with Conditional Access and Azure AD Identity Protection.
If you’re using Azure MFA Server, then it’s time to say goodbye to it, because it’s getting deprecated; You can’t perform new installs of MFA Servers at the moment, so the deprecation is in its final stages already. Migrate MFA Server to Azure MFA using the built-in Azure MFA Adapter in AD FS on Windows Server 2016, or use the Azure MFA NPS Extension to integrate RADIUS-based resources.
Don’t hesitate because of the price. When you use the new Security Defaults feature in Azure AD, you can require multi-factor authentication for free, and your people can use the free Microsoft Authenticator App to authenticate themselves.
My last horror story focused on an organization hat followed every information security manual from Microsoft and had a perfect Secure Score. Unfortunately, a fire burned down one of their central offices and they got locked out of their Azure tenant.
There’s a lot of good information out there and Microsoft’s own Docs pages are the best. However, as an admin, you still have to apply your own common sense. Think about your Identity Single Points of Failure (SPoFs), and mitigate them, before they snag your environment.
I hope you liked my session or at least find my recommendations useful. Until we meet again at an event near you, in a webinar of your interest or on dirteam.com.
About the author – Sander Berkouwer
Sander Berkouwer is a Dutch IT Professional and has been a Microsoft Most Valuable Professional (MVP) in Directory Services for the past ten years.
He works as senior identity consultant at SCCT in the Netherlands, where he helps colleagues and customers make the most out of Microsoft products, strategies and technologies. Sander is blogging almost daily about Active Directory, his favourite Microsoft technology, on DirTeam.com. He regularly gets invited as a speaker for his enthusiastic approach, his in-depth real-world knowledge and of course as the author of the much-appraised Active Directory Cookbook.