ASD's Blueprint for Secure Cloud

Identity Synchronisation

This section describes the design decisions associated with on-premises identity synchronisation for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 5 minutes

Entra Connect, previously known as Azure Active Directory Connect, is a product designed to synchronise directory objects and changes between Active Directory and Entra ID. Entra Connect enables the on-premises directory service to be the source of truth for identities within the environment and ensures that changes are replicated to Entra ID.

Entra Connect can be deployed in several patterns. These patterns follow the guiding principles of:

  • Only one Entra Connect instance can be actively synchronising to an Entra tenant
  • On-premises AD can only be synchronised to one Entra tenant unless directory synchronisation and Microsoft Identity Manager (MIM) are leveraged

As only one Entra Connect instance can be actively synchronising at a time, high availability is not possible. A warm standby can be configured using a second Entra Connect server in Staging Mode.

Within the Entra Connect client the synchronisation process can be customised in several ways including:

  • Group Filtering - Group filtering limits the scope of the synchronisation to the members of a group within the on-premises directory
  • Organisational Unit (OU) Filtering - OU filtering limits the scope of the synchronisation to the objects in one or more OUs within the directory
  • Attribute Filtering - Attribute filtering controls which attributes from an object are synchronised to the cloud
  • Entra ID App Filtering - Entra ID app filtering assists in limiting the number of attributes synchronised to the cloud based on which Microsoft 365 services are in use

Each of the above customisations provide control over what directory information is synchronised to the cloud from the on-premises directory service. The Entra Connect client can also be leveraged to configure Single Sign-On (SSO) and Exchange Hybrid. Entra Connect must run on a domain joined server running Windows Server 2016 or later. It will likely synchronise many Active Directory objects to Entra ID and hence there is a range of hardware requirements to consider based on the number of objects in Active Directory that will be synchronised, see Entra ID Connect Prerequisites for further information.

When Entra Connect is leveraged, an object or identity created within the on-premises directory service (Active Directory) is synchronised via the Entra Connect client into Entra ID (the cloud-based directory service). Organisations must implement specific firewall rules needed in order for Entra Connect to connect to Active Directory and Entra ID. Further details on firewall configuration can be found within the Network Configuration section.

Configuration

The below is the Entra Connect configuration applicable to organisations leveraging a hybrid implementation.

ConfigurationValueDescription
Installation ModeCustomThe type of installation - Default or Custom. The Default install does not allow customisation of the filtering.
SQL ModeLocal DBThe location of the Entra Connect database. Local DB is the default configuration and the simplest to manage.
Directory to Connect to<organisation.gov.au>Entra ID Tenant of the organisation.
On-premises attribute to use for Entra ID (used for logging in to Entra ID)User IDThis attribute is commonly used for logins as it will ensure that the same credentials are maintained for on-premises and in-cloud authentication.
Alternate IDNot requiredThis is required in scenarios where primary ID may be duplicated between users in the organisation.
OU FilteringEnabled
{organisation to determine}
OU filtering should be used to ensure that specific OUs containing entities such as service accounts are not synchronised with Entra ID. OU filtering should be finalised during deployment and documented in As-Built-As-Configured documentation.
Uniquely Identifying UsersUsers are represented only once across all directories.
Let Azure manage the source anchor (ms-DS-ConsistencyGuid)
Default configuration. As users are not duplicated within the environment, this setting meets the solution requirements. The ms-DS-ConsistencyGuid is used when Azure manages the source anchor.
Entra ID AttributesDefault – All attributesDefault configuration. All attributes to be synchronised.
Synchronisation Interval30 minutesDefault synchronisation interval.
Note: Password resets and new accounts are synchronised immediately.

Security & Governance

  • None identified

Design

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra