MS-102 Identity Sync Flashcards
(35 cards)
cloud-only identity
Uses user accounts that exist only in Microsoft Entra ID. Small and medium-sized organizations that don’t have on-premises servers or don’t use AD DS to manage local identities typically use cloud-only identity.
Microsoft Entra ID authenticates user credentials based on its stored user accounts and passwords.
Hybrid identity
Hybrid identity uses accounts that originate in an on-premises AD DS and have a copy in the Microsoft Entra tenant of a Microsoft 365 subscription
Organizations can choose between Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync to provide the ongoing account synchronization.
Microsoft Entra Connect Sync
An on-premises solution that runs on an on-premises server, checks for changes in the AD DS, and forwards those changes to Microsoft Entra ID.
Features include password synchronization (known as password hash synchronization), device registration, and Active Directory Federation Services (AD FS) integration.
Microsoft Entra Cloud Sync
A cloud-based solution that Microsoft hosts and manages in the Azure cloud. It only synchronizes user accounts, groups, and contact objects from on-premises Active Directory to Microsoft Entra ID.
Intended for smaller organizations with simpler Active Directory environments.
Managed authentication
Microsoft Entra ID handles the authentication process. It either uses a locally stored hashed version of the password, or it sends the credentials to an on-premises software agent that authenticates them using the on-premises AD DS.
Federated authentication
Microsoft Entra ID redirects the client computer requesting authentication to another identity provider. Good for SSO.
Password hash synchronization (PHS)
Microsoft Entra ID performs the authentication itself. PHS enables users to use the same username and password that they use on-premises.
Pass-through authentication (PTA)
Microsoft Entra ID has AD DS perform the authentication. This option is similar to password hash sync, but provides a simple password validation using on-premises software agents for organizations with strong security and compliance policies.
Directory synchronization
The synchronization of identities or objects (users, groups, contacts, and computers) between two different directories. For Microsoft 365 deployments, synchronization is typically between an organization’s on-premises Active Directory environment and Microsoft Entra ID.
Microsoft 365 IdFix tool
Identifies and fixes most of the object synchronization errors in Active Directory forests.
Source of authority
Source of authority transfers from Microsoft 365 to an organization’s on-premises directory service after an object is synchronized.
Identity governance
Ensures that the right people have the right access to the right resources at the right time.
Microsoft Entra Connect Health
Provides robust health monitoring and a central location in the Microsoft Entra admin center to view this activity.
Microsoft Entra Connect Sync (provisioning)
The provisioning configuration is stored on the on-premises sync server. Provisioning also runs on the on-premises sync server.
Microsoft Entra Cloud Sync (provisioning)
The provisioning configuration is stored in the cloud. Provisioning also runs in the cloud.
Microsoft Entra Connect Sync must be installed on servers running Windows Server …
2016 or later. Microsoft recommends using Windows Server 2022.
Microsoft Entra Connect Sync in staging mode
A server set up in parallel to the active Microsoft Entra Connect Sync server. However, the staging server doesn’t perform any changes or synchronization to Microsoft Entra ID. It’s used for testing and validating configuration changes.
SQL Server used by Microsoft Entra Connect Sync
By default, a SQL Server 2019 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10-GB size limit that enables you to manage approximately 100,000 objects.
Microsoft Entra Connect Sync Express setup
When an organization runs Express setup, Microsoft Entra Connect Sync deploys synchronization with the password hash synchronization (PHS) option. This option is for a single forest only.
Organizations use the Entra Connect Customized Settings option for various reasons, including:
They have multiple forests.
They want to use single sign-on (password hash synchronization plus pass-through authentication), or just password hash synchronization, or AD FS (federation) for their sign-in option.
They use a non-Microsoft identity provider.
They have customized synchronization features, such as filtering or writeback.
Microsoft Entra Connect Health
Enables an organization to maintain a reliable connection to Microsoft 365 by using an agent that Microsoft Entra Connect Sync installs on the targeted servers.
It also sends email notifications for critical alerts.
Group managed service account (gMSA)
A gMSA is a managed domain account that provides:
automatic password management
simplified service principal name (SPN) management
the ability to delegate the management to other administrators.
Cloud Sync: Firewall and proxy requirements
Port 80: Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate.
Port 443: Handles all outbound communication with the service.
Cloud Sync: Verify the agent is installed
After finishing the prior task of installing the Microsoft Entra provisioning agent, you should still be on the Cloud sync | Agents page in the Microsoft Entra admin center.
Refresh this page by selecting the Refresh icon in your browser.
On the Cloud sync | Agents page, verify the agent you installed appears and that its Status is active.