Organizations that use Microsoft cloud services such as Microsoft 365, Teams, SharePoint Online and OneDrive for Business may also need to maintain an on-premises Active Directory environment.
Perhaps they are still using legacy software, and migrating to a different platform would take too long and require too many resources.
Alternatively, they might not feel comfortable storing large amounts of classified information in the cloud. Whatever the reason, it’s not really practical for them to ask their users to maintain two separate identities.
This is where Azure AD Connect comes in. Essentially, Azure AD Connect provides single sign-on by automatically syncing your on-premises AD identities with your Microsoft cloud tenant, so users keep one set of credentials for both environments. Below are some guidelines to follow when using Azure AD Connect.
Best Practices for Using Azure AD Connect
1. Protect the Server Running Azure AD Connect
Make sure that the server running the Azure AD Connect agent is properly secured. Limit which accounts are able to log on to the server, especially those with local administrative rights. You will also need to control physical access to the server and enforce a strong password policy. If you need to allow other users to access the Azure AD Connect Sync tool, you can add them to the ADSyncAdmins group on the local server. As always, check that they really need access to the tool before doing so.
2. Determine Which User and Group Objects Can Sync to Azure AD
By default, all user and group objects will be synced to Azure AD. However, many on-premises groups don’t actually need to be synced to the cloud. In fact, many of them may no longer be required at all. It’s a good idea to remove any redundant groups from your on-premises AD, regardless of whether or not you are using Azure AD Connect. You can also use the sync engine’s filtering capabilities to exclude any groups that are not relevant. It’s also a good idea to temporarily disable the scheduled sync task before making any important changes, as this will prevent any mistakes from being automatically synced between Azure AD and your on-premises environment.
3. Don’t Sync On-Premises Admin Groups to Azure AD
There’s no reason to sync admin groups to Azure AD: they are specific to your on-premises environment and are thus not relevant to your cloud environment. In fact, doing so only introduces unnecessary risk, because anyone who can read the synced directory will know which groups (and thus which administrators) to target.
4. Ensure that the Synchronization Cycle is Run at Least Once Every 7 Days
By default, a synchronization cycle is run every 30 minutes. Microsoft recommends that if you choose to modify the synchronization cycle, for whatever reason, you make sure that it still runs at least once every 7 days. A failure to do so might lead to issues that can only be resolved by running a full synchronization, which can take a long time to complete.
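The following PowerShell is an added example, not code from the original article, showing how best practices #2 and #4 fit together on the Azure AD Connect server: pause the scheduler before making filtering changes, then confirm the effective interval is within the 7-day limit before re-enabling it. It assumes an elevated session on the server where the ADSync module that ships with Azure AD Connect is installed.

```powershell
# Added example (not part of the original article). Assumes an elevated
# PowerShell session on the Azure AD Connect server with the ADSync module.
Import-Module ADSync

# 1. Record the scheduler state before touching anything.
$before = Get-ADSyncScheduler
"Sync cycle enabled: {0}; effective interval: {1}; staging mode: {2}" -f `
    $before.SyncCycleEnabled, $before.CurrentlyEffectiveSyncCycleInterval, $before.StagingModeEnabled

# 2. Stop the scheduled cycle so a mistake in an OU or attribute filter is not
#    exported to Azure AD automatically while you work (best practice #2).
Set-ADSyncScheduler -SyncCycleEnabled $false

# ... make and review your filtering changes here ...

# 3. Re-enable the cycle only if the effective interval is still within the
#    7-day limit Microsoft recommends (best practice #4).
$maxInterval = New-TimeSpan -Days 7
$after = Get-ADSyncScheduler
if ($after.CurrentlyEffectiveSyncCycleInterval -gt $maxInterval) {
    $msg = "Effective sync interval {0} exceeds 7 days; a full sync may be required. " +
           "Shorten it with Set-ADSyncScheduler -CustomizedSyncCycleInterval before enabling."
    Write-Warning ($msg -f $after.CurrentlyEffectiveSyncCycleInterval)
}
else {
    Set-ADSyncScheduler -SyncCycleEnabled $true
    # Run a delta cycle now instead of waiting for the next scheduled slot,
    # so the reviewed changes are applied while you are still watching.
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Check the Synchronization Service Manager's export run for the connector after the delta cycle to confirm only the intended objects were added or deleted.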
5. Don’t Assume that AD Connect Will Serve as a Reliable Backup & Recovery Solution
While it is true that Azure AD Connect will sync your cloud data with your on-premises AD environment, it should not be seen as a reliable backup and recovery solution. The issue is that Azure AD objects contain certain attributes which are specific to the cloud services that use them.
Were you to accidentally delete an object in Azure AD and then try to restore it from your on-premises environment, those cloud-specific attributes would be lost. In that case, the restored objects would not be accessible to Microsoft 365, Teams, SharePoint Online, OneDrive, and other cloud-based services. The same problem arises when you delete an object’s attributes rather than the object itself. As such, it is crucially important that you use an enterprise-grade backup and recovery solution rather than relying on Azure AD Connect.
6. Protect Azure AD Accounts with Admin-Level Privileges
Ensure that all admin accounts are assigned to pre-defined roles. Since a Global Administrator account will have access to all administrative settings in your Azure AD environment, ensure that no more than five people are assigned to this role. Use multi-factor authentication (MFA), identity and access management (IAM) controls, and a real-time change auditing solution to protect the Global Administrator accounts and any other accounts with admin-level privileges.