by Contributed | Apr 15, 2021 | Technology
This article is contributed. See the original author and article here.
Hey folks, Eric Woodruff here – Customer Engineer still living and breathing in the world of Azure Active Directory.
Today we are going to dive into the specifics of how user accounts in Active Directory are matched to user accounts in Azure Active Directory.
For organizations that started their Azure AD journey with services such as Office 365, the implementation of Azure AD Connect (now including Azure AD Connect Cloud Sync) is relatively low effort when there is not an existing stake in the cloud.
On the flip side, when working with organizations that have already been on their cloud journey, but never synchronized their Azure AD (AAD) tenant with Active Directory (AD), there is more concern about how this process works when the same user exists in both directories.
And with this concern comes some common questions, which I hope to bring some clarity to here.
Before we jump into things, note that we have some excellent documentation that covers a lot of the details of this as well, which can be found here:
Azure AD Connect: When you already have Azure AD | Microsoft Docs
Is configuring Azure AD Connect “destructive”?
While the term destructive can be interpreted a few ways, the sum of the question is whether existing user accounts in the Azure AD tenant will be deleted or overwritten by Azure AD Connect.
One of the main reasons behind this question, is the concern that users already have group membership, RBAC roles assigned, applications they are accessing, and so on; losing this would require having to reconfigure these assignments.
The answer is no – Azure AD Connect synchronizes in a way such that any existing AAD users (referred to as cloud-mastered, but also informally as “cloud-only” or “cloud-sourced”) will remain in the directory, and new user objects from Active Directory will be created in the cloud.
What about when the same user already exists in both places?
Before we talk about how user account matching happens, let’s get a quick background on what defines object uniqueness within directories.
Object Uniqueness
In both AD and AAD, every object has an immutable ID – a unique attribute that persists for the lifetime of the user object. The immutable ID attribute in AAD is ObjectId; in AD it is objectGUID. And while many times we are used to referring to on-premises user objects in terms of their SID (security Identifier), from a directory perspective the immutable ID is what represents object uniqueness.
Because these values are what represent a unique user object, it’s what allows you to change the User Principal Name (UPN), or on-premises samAccountName, and all the groups, ACL’s, and everything assigned to that user object remain.
How Azure AD aligns user objects
If you inspect ObjectId and objectGUID, you will notice these attributes are not the same, both in format as well as value. It is up to AAD and/or Azure AD Connect to align existing user objects, which is based on sourceAnchor. Technically the attribute name is ImmutableId in AAD, sourceAnchor in the metaverse in Azure AD Connect, and usually (but not always) mS-DS-ConsistencyGuid in Active Directory. Logically immutable ID and sourceAnchor terminology can be used interchangeably when discussing the attribute that represents the tie between the AAD and AD user object.
If the user object is new, then by default Azure AD Connect will take the objectGUID of the user object, calculate the Base64 of the value, and then write it to the user object mS-DS-ConsistencyGuid attribute in AD.
Certain customer scenarios may call for using a different attribute as the data source for sourceAnchor from Active Directory, but generally customers should allow Azure AD Connect to manage this for their environment.
You can read further about sourceAnchor within Azure AD Connect here:
Azure AD Connect: Design concepts | Microsoft Docs
Handling the duality issue
The background on sourceAnchor helps paint the picture when we start to talk about user matching. We have two types of object matching within Azure AD – soft-matching and hard-matching.
Soft-matching
Soft-matching is the case where we attempt to match two disparate user objects without existing sourceAnchor information; Azure AD will attempt to match user objects based on either UPN or email address.
Soft-match by UPN
Here we are going to look at soft-matching based on the UPN. We have our user, Lee Gu, existing as a cloud-mastered user – Lee has no ImmutableId, and Directory synced is no (keyed off the hidden attribute cloudMastered being true).
To synchronize Lee, we will need to move the user object into an OU that is scoped for synchronization by Azure AD Connect, but first let’s look at the user data – note that mS-DS-ConsistencyGuid is empty.
While not required for the match itself, if we want to see what the sourceAnchor of Lee is going to be, we can leverage a quick PowerShell command:
[system.convert]::ToBase64String(([guid](get-aduser -identity $_).objectguid).ToByteArray())
Because we are impatient, we force a delta sync of Azure AD Connect, and check out the results of the UPN soft-match.
Key Takeaways:
- The user object has been changed to a directory synchronized user account; cloudMastered has been changed from true to false.
- User attributes from AD have flown through and updated on the user object in AAD; this is because AD is the authoritative directory.
- The ImmutableId/sourceAnchor we calculated matches what was calculated by Azure AD Connect and written to AAD, as well as populated in AD for mS-DS-ConsistencyGuid.
- The ObjectId in AAD has not changed. This is one is critical in showing that, whatever Lee had access to prior, that access will persist.
Soft-match by mail
This time we are going to look at soft-matching by the email address. We have our user, Foster Caleb, existing as a cloud-mastered user – Foster has no ImmutableId, and Directory synced is no.
Before we move Foster into scope for synchronization, let’s look at the user account in AD. Note that the UPN does not match between the directories, but the mail attribute does.
After our Azure AD Connect delta sync, let’s examine the results of the soft-match by mail. Because the UPN has changed, in AAD we must either query by the ObjectId or the updated UPN for our results.
Key Takeaways:
- The user object has been changed to a directory synchronized user account; cloudMastered has been changed from true to false.
- User attributes from AD have flown through and updated on the user object in AAD, including the UPN; this is because AD is the authoritative directory.
- The ImmutableId/sourceAnchor has been calculated and populated in AAD and AD.
- The ObjectId in AAD has not changed. This is one is critical in showing that, whatever Foster had access to prior, that access will persist.
Hard-matching
Unlike soft-matching, hard-matching is more common when we are discussing DR scenarios for Azure AD Connect, or cross-forest user migrations. In our example, however, we are going to show how hard-matching can effectively match two user objects that have neither a matching UPN nor email address.
A word of caution – incorrectly setting the wrong ImmutableId can cause cascading negative impact on users, which can flow into not just AAD, but also Exchange Online, as well as other services and applications that consume and key off UPN or email address.
We have our user, Lidia Holloway, existing as a cloud-mastered user – Lidia has no ImmutableId, and Directory synced is no. Note that the user object in AAD has no matching UPN nor email address in AD.
Before moving Lidia under scope for synchronization, we need to generate the ImmutableId and write it to AAD; it’s important to do this prior to scoping the user object for sync, otherwise it will just be created as a new user in AAD. Keying off the objectGUID in AD, we calculate and write the value for ImmutableId in AAD.
We run our Azure AD Connect delta sync and examine the results of the match.
Key Takeaways:
- The user object has been changed to a directory synchronized user account; cloudMastered has been changed from true to false.
- User attributes from AD have flown through and updated on the user object in AAD, including the UPN and mail; this is because AD is the authoritative directory.
- The ObjectId in AAD has not changed. This is one is critical in showing that, whatever Lidia had access to prior, that access will persist.
What else is important to know about matching?
Be careful with email address matching.
Email address matching has potentially higher ramifications on the user object. Many Enterprise Applications consume the UPN as the Name ID claim, which defines the uniqueness of the user object; if this has changed the application may see the user as a new user. If Azure AD Provisioning handles user object synchronization to the application, it can usually manage these changes, but manual user provisioning or just-in-time (JIT) may see the user as a different object.
Users with administrative roles in Azure AD will bypass matching.
To prevent unaccounted for account takeover of roles with privilege assignment, any user object that has an admin role assigned in AAD will be bypassed for matching.
Speaking of administrative roles and synchronization in general, highly privileged user accounts should be separated out from regular user accounts. Further, privileged accounts should be cloud-mastered, to prevent account takeover, as well as bypass dependencies on federated identity providers. For more information about protecting Azure AD from on-premises attack vectors, refer to this blog post by our Alex Weinert:
Protecting Microsoft 365 from on-premises attacks – Microsoft Tech Community
Groups and Contact objects work too.
If the group or contact has a mail address populated, they can be soft-matched based on this attribute. We can’t set the ImmutableId on these objects, so we don’t have a method of providing for hard-matching.
Understanding where matches are evaluated.
Soft-matching happens in Azure AD, which is why a user will show as an add in Azure AD Connect instead of an update. Hard-matching can be performed by Azure AD Connect, which helps expedite directory re-synchronization in the event of a disaster; this also helps accelerate the process of standing up a staging server for Azure AD Connect and having existing users matched.
Happy Matching!
For those that are either starting their cloud journey, apprehensive about connecting their directories, or just curious about how things work under the hood, I hope this post helps shed some light.
by Contributed | Apr 15, 2021 | Technology
This article is contributed. See the original author and article here.
Last month many of you joined our Ask The Experts (ATE) sessions at Microsoft Ignite, specifically ATE-FS191 – Ask the Expert: Microsoft Teams Manageability and ATE-FS191-R1 – Ask the Expert: Microsoft Teams Security and Compliance. We promised that we would pull together the questions and answers and post them in a blog post, so here we are making good on that promise.
1. How easy is it to retrospectively apply data sensitivity labels at the Teams or channel level?
a. Once you get sensitivity labels enabled and set up to apply to Microsoft 365 groups/sites/teams, you’ll be able to edit a team to apply a label published. See: https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide
2. Are shared private channels available to all tenants now?
a. Private channels have been around for a while, but shared channels are not yet available.
3. Are there any plans to allow real-time reporting out of the management solution? Right now, reports are delayed until, at the very least, the meeting or call is over.
a. We will introduce this capability to Private Preview in April 2021.
4. How can an admin retrieve Teams chats if a user leaves the company and/or does a forensic audit must be done?
a. You will need to use content search and eDiscovery investigation. Note that with E5 compliance license, you can put conversations together; with basic eDiscovery, you will get the single chat messages. See: https://docs.microsoft.com/microsoftteams/ediscovery-investigation
5. Will there be a way to find which apps are being used by a team?
a. Yes, use the app usage reports by using a Graph call to enumerate apps installed per team. See: https://docs.microsoft.com/graph/api/team-list-installedapps?view=graph-rest-1.0&tabs=http
6. Will the Teams client installer change from being profile-based to computer-based? Customers mentioned that they had shared devices in learning spaces that they want to update, so users don’t have to wait or, in some cases, quit Teams and re-launch before class.
a. Yes, you can install per machine. See: https://docs.microsoft.com/microsoftteams/teams-for-vdi
7. Will we ever get the ability to delete Teams chats? Customers have mentioned that chats are really cluttered right now without this function.
a. Yes, you can do this with Retention Policies at compliance.microsoft.com. You can age conversations that are greater than a specific number of days.
8. Does Microsoft have a recommended Teams naming taxonomy/naming convention?
a. No, best practice is to follow your organization’s guidelines/requirements and take advantage of custom dictionary/taxonomy controls like preventing names. My personal recommendation is always leave room for organizational growth/expansion when creating your taxonomy.
9. Is there a way to report on activity outside the 90 days? Customers have mentioned that extended unused Teams that need to be cleaned, but identifying them might be problematic?
a. You can use the Graph API for that purpose. It can access historical data up to a year.
10. Are there any good resources for managing Teams sprawl, guest users, and general Teams hygiene?
a. You can restrict the creation of Teams and put a gating process in front of it. You can get creative with Forms and Flows via Power Automate to have users submit requests and then the helpdesk can create the team.
11. Can you manage Teams membership via a domain security group?
a. Currently, you cannot manage Teams membership using an AD security group. The Office 365 Group membership drives Teams membership, and as of right now, you cannot add nested groups to an Office 365 Group.
12. When will real-time/live analytics be available for Teams Live Events and traditional Teams meetings? It is challenging right now as an admin to troubleshoot exec calls for townhall-type sessions.
a. This feature is coming in April 2021.
13. Could someone give a basic overview of the purpose of the Network Planner in the Teams Admin Center?
a. The Network Planner is meant to give you an idea of what the impact of Teams will be on your network. It allows you to define all your network subnets and user personas so that you can pre-determine the network impact of Teams.
14. Can you talk about the controls or policies for Teams Connect regarding adding external people to channels? How are the permissions different than that for external guests today?
a. Guest access uses guest accounts that are created in the source Azure AD hosting the guest access. Teams Connect, or shared channels, does not use this method; it works by allowing federated Teams users to have access to the shared channel. Expect to have more published on this in the coming weeks.
15. Is there a Microsoft recommended solution or app to install in Teams to manage user requests for creating new Teams?
a. There is no Microsoft recommended solution I’m aware of for this. However, approaches I have seen work well involve using PowerApps that have users submit their Team request and then have the back-end helpdesk review the request and approve/reject the request. You can create some pre-checks in the flow to see if the team already exists, for example.
16. With the coming enhancements to Teams meetings recordings around captioning/speech to text, will this be discoverable with core and/or advanced eDiscovery?
a. Yes, the plan after the Stream migration of the recordings to OneDrive and SharePoint will have this functionality to retain and search with eDiscovery.
17. I have not seen wherein Teams policy in Admin Centre changed to OneDrive from Stream, is it global or group based?
a. It has been rolled out globally to most tenants, and you can delay it through PowerShell. The change is done via PowerShell today, it can be set on meeting policy level, and if it is not available yet in your tenant, you can follow this guide: https://docs.microsoft.com/microsoftteams/tmr-meeting-recording-change. It should, however, be default for all tenants.
18. We have a ton of distribution groups created on-prem and maintained with scripts. How can we use these existing groups to create and maintain Teams?
a. There are few steps you may need to consider for this: (1) Clean up the distribution groups; (2) Sync your on-prem AD with Azure AD; convert your distribution group to a Microsoft 365 group; create a team from the Microsoft 365 group. Keep in mind when you do so, the membership management will be within the converted Microsoft 365 Group after you upgrade the distribution list.
19. Will it be possible at some point to specify policies for a user group to block them completely from all external communication?
a. You can create an ExternalAccessPolicy and use New-CsBatchPolicyAssignmentOperation to assign it to multiple users at a time, based on a group in AAD regularly, though, it will not automatically add it to new users in the group.
20. We need to record all calls for our call center associates. Is there a way to make this based on group membership?
a. Compliant call recording is possible through third parties such as Verint and Numonix. I would reach out to them to check for this functionality. It should be possible in a direct routing configuration.
21. Is it possible to enable guest access per Team like you can in SharePoint, or is it all or nothing?
a. Yes, you can restrict guest access for certain Teams (Office 365 groups). The configuration is only performed via PowerShell. See: https://docs.microsoft.com/microsoft-365/solutions/per-group-guest-access?view=o365-worldwide
22. Any plans to consolidate Guest and External entities for 1:1 chat (not switching organization and minimizing end-user confusion)? Also, group chat with External entities without having to switch organizations.
a. Guest access and External access will continue to function as they are, as they each have their own use cases. However, with the new Teams Connect, you will have channels shared outside of your tenant into an external user tenant.
23. How come policies take forever to roll out – up to days??
a. It can take time, usually 2 – 4 hours. I would recommend periodically logging out and clearing cache, and logging back in. If it persists for more than a day, I recommend raising a ticket to Microsoft support. That seems like a very long time.
24. Is it possible for end-users to create a team in a different domain than the default? We would want them to be able to pick the domain; for example, teams.company.com.
a. Yes! See: https://docs.microsoft.com/microsoft-365/solutions/choose-domain-to-create-groups?view=o365-worldwide
25. Are there any licensing requirements to be able to add members of a group to a private team?
a. There are no specific license requirements.
26. Is there a way to list all applications in Teams and which are enabled or disabled?
a. Yes, in admin.teams.microsoft.com you can see all apps and enable/disable them.
27. Hello, I work at a school with children from 4 till 18 years old. In the last couple of weeks, we have some students who like to start big group chats and add a lot of (younger) students. In these chats, there is a lot of swearing and cursing. We want to protect our younger students from this, and I am wondering if there is an option that can block being added to a group chat or at least give them a choice of being added. I know it is possible to disable the chat for these users, but that has a lot of impact on their schoolwork. I know it is not a specific security question, but it is a safety question to protect our (younger) students, but this can be a security question too if there is a breached account.
a. Have a look at Communication Compliance: https://docs.microsoft.com/microsoft-365/compliance/communication-compliance?view=o365-worldwide
28. I want to enforce MFA for all guest accounts to create secure Teams channels. Should the guest accounts have any Microsoft licenses to use MFA with their respective domain accounts?
a. You can use Conditional Access for this. The license model here is based on the licenses you have in your tenant.
29. SafeLinks are coming to Teams (which is good). Will the SafeLinks wrapper be visible to Teams participants? If so, some may read “protection.outlook.com” and assume the link to Microsoft.
a. SafeLinks act the same as they do in Outlook.
30. How can we ensure the coherence/governance of all the controls/labels we put in place? Any tool/method to use before diving into Teams configuration?
a. This is all controlled from the Compliance Center under Information Protection, where you can implement your labels and label policies.
31. Can we use the OCR example to check that sent pictures in Teams don’t contain privileged info?
a. You can use Advanced eDiscovery to check this.
32. Is it possible to prevent your users from joining Teams meetings hosted by external orgs? Currently, everyone can click on a Teams meeting link someone sent to them, and that will either load their Teams client, and they will join as authenticated or via browser as anonymous?
a. No, if the meeting or Live Event is available to “everyone”.
33. How is end-to-end encryption 1:1 different compared to an average Teams meeting?
a. E2EE is encrypted same “key” from start to endpoint, with no interception. Teams standard is encryption in transit and at rest so customers can access content as needed.
34. Is there a possibility to invite external users within channels and manage permissions on a per folder basis within the channel so that R/RW is possible within a channel and subfolders?
a. You can use granular SharePoint permissions for this.
35. Who can follow up on GDPR requests from attendees of a meeting held a while ago and provide them information on what data has been collected from them?
a. You can use the Data Subject Request (DSR) case tool by the compliance administrator. See: https://docs.microsoft.com/compliance/regulatory/gdpr-manage-gdpr-data-subject-requests-with-the-dsr-case-tool
36. What levels of staff will be able to turn on E2E encryption? IT staff generally do not lose passwords.
a. IT will have full control over what users/user groups can opt into E2EE.
37. Can you use a retention policy to prevent team owners from deleting a team?
a. Not at this time, but a retention policy will ensure all the files are saved for compliance purposes. Be mindful that Teams retention policies must exist on their own, independent of other Teams workloads. So, you need to have EOL policy for 1:1 chats, Microsoft 365 groups for group chat, and SPO policy for files held in teams
38. Is there any way to stop anyone from sharing files in Teams? We have certain locations where they don’t want to use it for file sharing.
a. Those policies are the ones set in OneDrive and SharePoint. You would need to adjust those there.
39. Is it possible having a person out of the company, out of my network become part of the Organizer Team in a Teams Live Event and so actively contribute?
a. Yes, that’s possible. Either as a Guest in your org, or they have an AAD account in their own org. There will also be improvements coming to this to make it easier.
Thank you again if you attended these sessions. We hope this recap helps you as you continue to support Teams for your customers and organizations.
For more information about all the exciting announcements around Microsoft Ignite, be sure to check out the recap episode on Inside Microsoft Teams. We have special guests Mary Jo Foley, Paul Thurrott, and Brad Sams in this episode that you don’t want to miss out.
Recent Comments