👍

Thanks Richard! Please share The Azure Academy with others, and let me know what other videos we can make for you!

Thanks @Andrew that is what we do here ☺️ Engaging videos that are to the point and hopefully worth passing on to others 👍 Let me know what other videos I can make for you!

Glad to help!

WOW, Thanks Mahmoud, I appreciate that...please keep sharing The Azure Academy with others so they can learn learn too!

WOW...thanks Clint, that is quite the compliment. Let me know what other videos or topics you are interested in me creating.

Awesome, let me know what else you are interested in!

Wow…that is a great compliment, THANKS!!! ☺️

Thanks Ahmed 👍👍

Awesome...thanks! Let me know what other videos you want me to create.

You're very welcome!

Thanks for the feedback...happy to help!

Thanks for letting me know!

👍👍

Happy to help! Let me know what else you are interested in so I can create it.

Thanks Blaze!

Thanks!

👍 Thanks 👍

Thank you Sas Kn The Azure Academy is not an official Microsoft or a partner channel at this time. Azure Academy is privately owned and operated by myself...Dean Cefola. I do work for Microsoft in the FastTrack for Azure engineering group but my comments and opinions are my own. With that said I always respect the Microsoft brand and remain professional, keeping this channel focused on empowering everyone on the Azure cloud and not on myself. #HappyLearning

Happy to help!

Thank you, you should check out the next gen version of this tool Cloud Sync 👉 kzfaq.info/get/bejne/Y95hjNamq668iGw.html

Glad you enjoy it!

Thanks for helping to clarify it Parvez!

What other videos are you interested in?

Metaverse search, export, sync and import, disconnected since... More off reviewing the changes done on prem that get synced to cloud

Thanks for the feedback!

LOL...thanks! I have been offered courses on Udeny and Pluralsight...and if I did that I could make a lot of money. But then how would people who can’t pay to get access to those sites have high quality videos to help them learn about Azure?

@@AzureAcademy thanks for your ...quick question...I configured AD connect and it was successful, but I noticed it was already configured, how do I get rid of that...shall I stop AD connect service because there are two running.

not sure what you mean here...are you saying that Azure AD Connect was somehow already installed in your environment? Was it installed on the same computer you set it up on, or a different one?

@@AzureAcademy yes it was already set up, and it is running two AD connect services on the domain controller

if they ware both running in the same domain...you only need 1 to make everything work. You can uninstall the AzureAD Connect application...just make sure the other server is still working first.

👍👍

Thanks for the feedback Graham! I use OBS to record the screen and Audacity to record the audio Then I edit in Adobe Premiere

Thanks Len! As to your question...Azure AD Connect will sync with Azure AD over the internet, encrypted. Express Route is not encrypted, unless you build a VPN inside the ER, and works by peerings. Today there are 2 options. Private Peering - private network traffic to your Azure Virtual Network Microsoft Peering - PaaS & SaaS traffic for Azure services like Storage, SQL and Office 365 ExpressRoute for Azure Active Directory on Microsoft peering is not supported unless there is Office 365 and there will still be parts of AAD related services that are not supported over ER...AAD Connect is one of them however once the identities are synced to AzureAD, the logins will process over ER docs.microsoft.com/en-us/office365/enterprise/azure-expressroute?redirectSourcePath=%252farticle%252f6d2534a2-c19c-4a99-be5e-33a0cee5d3bd#what-office-365-services-are-included The 2nd part of your question for SQL MI I am not sure I am getting your question here? Are you asking if logins to SQL Admin studio to connect to SQL MI instances can use Azure AD Connect? Or can it they use Azure AD Based logins?

Thanks for the feedback!

This was a VM in my home lab, but you could just as easily do it in Azure

You're welcome!

Thanks for the feedback! It will be soon, I have 2 others in the pipeline before it but it is in progress...stay tuned

@@AzureAcademy thanks for reply... Ur videos are far better than entire youTube and online trainings.... You rock Dean

Thanks for the feedback...glad to help!

The wizard, check the box for the new OU and you’re done. Of course if the new OU is a sub OU to one that is already checked, you don’t need to do anything

Good question Mark. Azure AD Connect works by either syncing all AD data or only specific data. So first you need to decide on the sync strategy. Btw if you do sync all, this will NOT sync the admins groups. If only syncing specific stuff then I would treat AD as your “source of truth” and make your groups in AD and put users in them. Let them sync to Azure AD then use them in Azure.

That is one of my enterprise admin accounts You can search ADUC for the enterprise admins group. And use one of those users

👍👍

LOL...actually I put them in the same OU...can't we all just get along 😁🐱‍🏍🐱‍👤

@@AzureAcademy Hahaha well we should :D

😉😎

hey Craig...do you want to use your Azure AD user to log into stuff or do you want to JOIN your Mac to Azure AD as a device?

@@AzureAcademy I would like to have all our mac users have to log in and provide a username and password that gets authenticated in Azure AD. We will also have app services within azure that the users will need to have access to as well. Does that make sense?

YES. The user logins will user Azure AD...if you are logging into an Azure AD registered app. for example, the Azure Portal. If you have a 3rd party app, that app needs to be registered in the Azure AD tenant first, then you can authenticate to it with Azure AD credentials

agreed...some buttons get renamed over time and it is always a question of how much does the platform change impact the usability of the video...it is an ongoing process 🤔

Thanks for sharing with the community Andrew!

Cloud Pachehra You cannot connect your external identity solution directly with Azure AD domain services. Azure ADDS speaks or relies on Azure AD for the source of identities and using Azure ADDS has a special use case like if you have any legacy app that still uses the legacy protocol like Kerberos then using Azure ADDS makes sense. But definitely would love to see a video from Dean to learn more about it.

So in short...No. AADDS is a world unto itself. It is an isolated forest that you cannot trust and it cannot trust you so the only thing you can do is have a domain name that is the same across them both. However the UPNs of your users will not be the same, even if they look the same. The immutable ID will be different. After some updates to AADDS maybe it will be different

Good question Ravi! DNS access is required in order to validate that you own a domain name. For example my environment is configured like this. 1. bought the MSAzureAcademy.com domain name from a provider 2. created Azure DNS Public Zone 3. added domain information that Azure AD told me to add for a TXT record or MX record. 4. added the Azure DNS servers in my Azure DNS Public Zone into my Domain providers DNS records. Now when you validate my DNS Name it is directed across the world to my DNS provider then bounced to Azure DNS and you find my record and validate that the TXT / MS record exists with the correct information and you are done. I hope this helps...but if you need more info check out this link docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

@@AzureAcademy thank you. I wanted to lab on this with my own custom domain. Are there any free site available for domain name creation and DNS access. Please help me!!

ravi kumar go for freenom.com to create free domain which will also give access to the dns

Thanks for jumping in Ganesh!

The "just enough permissions" that you need are enterprise admin and global admin...Here is the official doc on Azure AD Connect Permissions - docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

@@AzureAcademy Thank's for your reactivity and for the doc I've noticed that the entreprise admin account is used optionally to create an AD Connector account. Thank's again

@@nazimmatoub9564 Anytime!

kinda both...sort of. If you are making changes to a user account that already exists in your Active Directory then you can make changes and edits to users and groups. However If you want to create Azure AD cloud users accounts and then hope to have them sync to Active Directory...this isn't supported today

Not sure on this one...I don’t have much of the Office 365 knowledge... Does someone else in our community know the answer?

I haven’t run into this issue...what is the error message?

That depends on HOW the office 365 accounts were setup. I am assuming that they are “cloud only” accounts in office...correct? Then since they already exist in Azure you will not be able to reverse sync them to AD. You may be able to sync the user from on prem into Azure...but you would need to read socials mailboxes and other resources to your users. I have not had to do this process before...sorry don’t have more info on this.

@@AzureAcademy Hi thank you for the response! They are cloud only accounts yes. What do you mean by I "would need to read socials mailboxes and other resources to your users" ? And no problem, I understand.

👍👍

Unless you are decommissioning active directory…then you need to keep it around However if you are ready to go all cloud…then you can. When you stop dirsync the users in azure will convert to cloud accounts After you use it for a bit then you can decommission

@@AzureAcademy thank you so much Dean for your prompt response.

👍👍

Since your m365 account is linked to Azure AD, you are probably already using Azure AD Connect. But if not, as long as you sign in with a global admin from that same Azure AD Tenant it will use the same Azure AD

No. Azure AD Connect does not sync cloud users to on prem

Sure...can you identify for me what you mean by multi cloud identity

@@AzureAcademy i meant identity federation between on prem, azure aws, google etc where we can design a solution for multiple clouds to use centralized IAM or utilize onprem. Something like that :)

I suggest for multi cloud, google and other 3rd parties that you look into the next video in my Azure AD series on ADFS. - kzfaq.info/get/bejne/gp6apLl0vNCUeZc.html There is another possible way to do this with Azure B2B and external identities...but it depends on exactly what you need

@@AzureAcademy thank you. Appreciate it

anytime!

So are you saying that you had to build a NEW Active Directory and you created the same user names and now you want to connect it together with you Office 365 users and data from the cloud??? If so...that would be something I would recommend going through Microsoft support with. There could be dozens of issues in doing this. If the problem is something else...let me know more.

M365 AzureAD is the same Azure Active directory as Azure Subscriptions Unless you have more then 1 Azure AD in your environment. So if it is the same you shouldn’t have to do anything to a user you are already syncing With that said, if your users have multiple UPNs in Active Directory Then you can modify the sync rules to have the users show up in Azure AD with the UPN you want

As far as I know we don't create groups, but we do create a computer object in the Computers container. This computer account is used by AzureAD Connect for authentication to your Active Directory

@@AzureAcademy This is what i was referring to gotoguy.blog/2016/04/13/missing-groups-prevents-upgrade-of-azure-ad-connect/

ah...now I understand what you mean...YES those groups are: ADSyncAdmins ADSyncBrowse ADSyncOperators ADSyncPasswordSet and they are created by installing AzureAD Connect Those groups have been around a long time...perhaps your version of AD Connect is very old but yes you need them to upgrade to a new version today. here is a link on what each group does. blogs.technet.microsoft.com/iamsupport/2017/03/21/support-info-azure-ad-connect-sync-security-groups/

nope...writeback is a function that you can enable inside AzureAD Connect

this is a great question...I love the amount of detail in your process and conceptually it looks like you are hitting all the right points in order. Funny enough however...I don't do much on the Office 365 side of things...so I can't speak to some of the specifics 😢

@@AzureAcademy ah okay, no problem! Thank you for taking a look at my question and answering though!

Sure...if you need anything on the Azure side...let me know 😉

@@AzureAcademy Will do!!

😁👍👌

Thanks for watching! Interesting question...let me see if I understand. You want to know if you have a P1 license can you "Migrate" your domain to Azure, but specifically the FSMO roles. The answer is NO. The FSMO roles are related to Active Directory, which is NOT the same thing as Azure Active Directory. Active Directory Services use NTML / Kerberos with a directory, Forests, Domains, Trusts, OU structure FSMO roles and much more. Azure Active Directory uses OAuth. and is not really a directory, and does not have the structure and no FSMO roles. You CAN however build a new Domain Controller in the cloud in the same Forest and same domain, then migrate your FSMO roles to the new VM in the cloud running Active Directory Services. Then if you want you can run the DCPROMO command to decommission your on prem domain controllers. This is not normally recommended because you want to shorten log on times as much as possible and that means having a DC Near by. I would suggest you speak with your Microsoft account team on the technical problem you are trying to solve with this scenario to make sure you are not missing anything before proceeding. You also asked about Office 365 and Exchange. These solutions can be run on prem or part of the Azure SaaS Services. There are a lot of questions that need to be answered before a recommendation can be made here...talk to your Microsoft account team about Exchange Online and Office 365 SaaS solutions and what a migration path would look like. If I have misunderstood your questions please let me know and I will try to help you further.

Thank you so much for your quick reply. You understood very well and I'm so sorry my terrible English. Well, if we need to migrate our resources to azure we will have short journey. Our exchange it was migrate to exchange online all mailboxes and all users has the office 365. Just I want to know how to decommission our exchange on premises because the attributes keep in the local exchange and when we need to edit some attributes we need the on premises exchange

Decommissioning Exchange on prem can involve a lot of different things so I suggest you speak with your Microsoft account team to have a technical resource take a look and see where things are at and what it will take to finish the process. Or if you are working with another partner, ISV or system integrator I am sure they will be able to help you complete this as well.

Start you will have your domainname.onmicrosoft.com You have to verify your domain name first. This is generally done with DNS records. This is done on the left under custom domain name. If you want multiple UPNs then you should add them all first

@@AzureAcademy Thank you very much, I got it working!

thats great @@adamkorba3915

Do your users have multiple UPNs in Active Directory... The .local and the .com?

@@AzureAcademy Thank you, No I did not do that. Today, I disabled ad sync, removed users on Azure, removed ad connect on local server, then add UPN .com to on-prem, changed UPN for all user to .com, run ad connect again using UPN match. then I still can not log in azure with those accounts. it said incorrect password. I don't know what is the problem.

Are you using password hash sync by itself or ADFS

@@AzureAcademy I chose hash sync and single sign-on. I run ad connect on DC server. I saw in the Synchronization Service Manager, I see the operation: export: completed-export-errors. clicked on that, I see error 8344: insufficient access rights to perform the operation. Then I add permission for ad account sync: replication directory change and replication directory changes all. Checked all users are permission inheritance. but it's still fail.

sounds like you setup your own service account and didn't get all the right permissions granted... docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions AD DS Connector account required permissions for express settings The AD DS Connector account is created for reading and writing to Windows Server AD and has the following permissions when created by express settings: Permission Used for • Replicate Directory Changes • Replicate Directory Changes All Password hash sync Read/Write all properties User Import and Exchange hybrid Read/Write all properties iNetOrgPerson Import and Exchange hybrid Read/Write all properties Group Import and Exchange hybrid Read/Write all properties Contact Import and Exchange hybrid Reset password Preparation for enabling password writeback Create the AD DS Connector account Important A new PowerShell Module named ADSyncConfig.psm1 was introduced with build 1.1.880.0 (released in August 2018) that includes a collection of cmdlets to help you configure the correct Active Directory permissions for the Azure AD DS Connector account. For more information see Azure AD Connect: Configure AD DS Connector Account Permission The account you specify on the Connect your directories page must be present in Active Directory prior to installation. Azure AD Connect version 1.1.524.0 and later has the option to let the Azure AD Connect wizard create the AD DS Connector account used to connect to Active Directory. It must also have the required permissions granted. The installation wizard does not verify the permissions and any issues are only found during synchronization. Which permissions you require depends on the optional features you enable. If you have multiple domains, the permissions must be granted for all domains in the forest. If you do not enable any of these features, the default Domain User permissions are sufficient. Feature Permissions ms-DS-ConsistencyGuid feature Write permissions to the ms-DS-ConsistencyGuid attribute documented in Design Concepts - Using ms-DS-ConsistencyGuid as sourceAnchor. Password hash sync • Replicate Directory Changes • Replicate Directory Changes All Exchange hybrid deployment Write permissions to the attributes documented in Exchange hybrid writeback for users, groups, and contacts. Exchange Mail Public Folder Read permissions to the attributes documented in Exchange Mail Public Folder for public folders. Password writeback Write permissions to the attributes documented in Getting started with password management for users. Device writeback Permissions granted with a PowerShell script as described in device writeback. Group writeback Allows you to writeback Office 365 Groups to a forest with Exchange installed.

Yes users and groups sync from on prem to Azure. Just be aware that if you created groups or users in Azure…those do not sync back to on prem

@@AzureAcademy Thank you

Anytime

can you clarify...Azure AD Connect is not a migration tool, it is a sync tool...not sure what you mean by migrate here?

@@AzureAcademy i mean when we select domain to sync in ad connect can we select multiple domain objects to sync?

yes you can...it is in the setup wizard

when do you get the error?

@@AzureAcademy In the beginning when it asks me to login into my azure ad account

nevermind, i was able to fix it, but thanks for answering so fast.

🤷‍♂️ are you signing in with an Azure AD Global Admin account? 🤷‍♂️

cool...what was the issue?

do you get ANY users sync over? Do you have a firewall that could be blocking traffic?

@@AzureAcademy Yes, i have many users on azure ad and one on ad. And when i go to users and computers on local domain, there is only one user from local ad

I dont think that firewall causes the trouble. Internet runs without a problem

@@Eines88 here is a doc with the network and port requirements for Azure AD Connect - docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports

@@AzureAcademy thank you!

WVD can only user users that are synced to Azure AD. So out of the 3 domains you have are all those users synced to Azure AD? Secondly is the users must be part of the same domain as the session hosts.

@@AzureAcademy yes all the 3 domain users are sync to azure and all users UPN is different on azure as there are from different domain but under same forest

right...ok. The users of WVD can only sign in to the domain that the session hosts are joined to. I am not sure if they can use domain trusts across your domains...or if you even have trusts

@@AzureAcademy yes all the 3 domains are Trusted domains..how can we achieve the users from 3 domains can use same hostpoll?..or else i should deploy different hostpools with individual service account from that domain and add that domain use to hostpoll for wvd access?

I have never tried this and do not know if it is officially supported with WVD. Domain trusts are not something Microsoft can give a blanket statement on because there are so many ways to configure them. I suggest you try the following. 1. get WVD working with 1 domain so we know WVD is working 2. Setup a new Host Pool and try to join VMs from domain 2 into that hostpool If the VMs can't join the domain then you can try it the other way around 3. from the Host Pool and domain from the first step that is working...try to take a user from domain 2 and add them to the application group. If the user can't be added then crossing trusts is not working

Thanks M G. If I understand what you are asking...you have multiple untrusted domains that all sync to 1 Azure AD and want to "reverse sync" from Azure AD your "super user" account to all the domains so you can centrally manage everything...no can do my friend. 😒 Sounds like you need more "traditional" Trusts between the domains. See, Even though it is called Azure AD it is NOT Active Directory. Azure AD is an identity management system...2 very different things. The only account that can sync within a domain are accounts from that domain...also Azure AD Connect cannot "reverse sync" in this way. You can sync data and attributes but not an entire account from cloud down to domain...maybe in the future, but Not sure if it will ever happen.

not sure what you mean Jawahar. Do you mean what do you have to give up to enable password hash sync? In my opinion...nothing. PHS enables you to use your Azure AD account with the same password as your AD account...I don't think there is a downside...what do you think?

@@AzureAcademy I believe that we need to generate hash value for all the user accounts while we configure azure adds

The hash values are what allow the users to log in with the same passwords without needing to copy the passwords out of your AD. This is a great security feature, and one of the reasons why PHS is strongly recommended.

Can you help me understand more. Do you have an example of what you want?

@@AzureAcademy Thanks for reply, how to install and develop on prem like tht

@@sangeethapriyau3293 so you want to have Azure DevOps on prem...? but not team foundation server...?

Thanks for the feedback. I hear you on the dark theme. I stare at my screen for up to 16 hours a day...so the dark saves my eyes. But I do understand how you feel so when I need you to read something I zoom in more. If you have another idea I am open to it

I like the Dark Mode

Thank you Ivan ☺️

Every Azure Subscription is connected to an Azure AD Tenant

you are correct! All my users are Marvel / DC characters...enjoy!

great question Moayad! Are the O365 accounts or the AzureAD accounts cloud only accounts or are they synced using AzureAD Connect?

@@AzureAcademy they are cloud accounts only as of now. The plan is to start the sync from the on-premise AD and link the synced accounts with the cloud mailboxes.

ok, last question, are the AzureAD and the O365 AzureAD, the ONLY Azure Active Directory you have? or are your AzureAD cloud accounts spread across multiple AzureAD tenants?

@@AzureAcademy to clarify things. If AzureAD is something different than O365 users. Then I don't have AzureAD. I have on-premise AD (3 DCs) and Office365. No sync between them and I don't have cloud services other than O365 E1 and E3

Azure AD and O365 are 2 different things, however if you have users in O365, then you MUST have at least 1 AzureAD. the reason for the question is that having Azure AD does NOT mean you have an Azure Subscription. Azure AD is for identities and Azure Subscription is for resources like VMs, WVD, networking etc. Do you know if you have an Azure Subscription connected with your Azure AD...and is that the same Azure AD that is connected to your O365 users?

Ya think so Robert? How many bouncing bunnies did I chase?

Thanks Rahul