Salaam, Namaste, Ola and Hello!
I have done a lot of project recently for customers where they are starting there cloud journey, and rather than going ‘all or nothing’, they are taking a hybrid approach and using on-premises services along side cloud services.
In this blog I am going to go discuss Azure Hybrid options available from a SaaS (Software as a Service) perspective and how best to configure them. The three main areas I touch on will be:
- Hybrid Identity (Azure AD and Active Directory on-premises)
- Hybrid Device (Intune and Group Policy)
- Hybrid Exchange (Exchange Online and Exchange on-premises)
Hybrid Identity: Hybrid Identity is where the user objects are stored and managed in Active Directory on-premises and synchronised to Azure AD. To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:
- Password Hash Synchronisation
- Pass-through Authentication
All three methods are configured using Azure AD Connect tool which is traditionally installed on a domain controller within the on-premises Infrastructure. Password Hash Synchronisation is an extension to the directory synchronisation feature implemented by Azure AD Connect sync. You can use this feature to sign in to Azure AD services like Office 365.
Azure Active Directory Pass through Authentication provides the same benefit to Password Hash Synchronisation, however you would use pass through authentication if you want to enforce your Active Directory on-premises (Group Policy) password policy onto your users. There are some key benefits to using pass through authentication:
- Great user experience
- Easy to deploy and administer for the IT team
- Secure as no passwords are stored in the cloud, only on-premises
- Can be highly available by installing multiple agents on premises
Federation is where two or more domains have established trust between them. The level of trust can vary but typically includes authentication and authorisation.
You can federate your on-premises environment with Azure AD and use this federation for authentication and authorisation. This sign-in method ensures that all user authentication occurs on-premises. This method allows administrators to implement more rigorous levels of access control. As you can see, all three methods share a common theme, which is that the identity details and authentication process is controlled by the on-premises part of the hybrid setup
Hybrid Device: I have found recently that a lot of businesses want to start their journey into the cloud by utilising the MDM service available in Azure, which is Intune. The main issue with this has been that traditionally Group Policy is embedded for a lot of businesses and they use this to ensure all corporate Windows based machines follow the same security guidelines.
Since Intune has come into the picture as a Cloud MDM platform, it has slowly started to develop features that are also available in Group policy, but unfortunately no where enough for Intune to replace it. This is where having Hybrid device management allows you to have the best of both worlds. You can continue to manage devices with Group policy but also take advantage of some of the great features in Intune.
This specific feature is known as ‘Hybrid Azure AD Join’. User Azure AD Hybrid joined devices if:
- You have Win32 apps deployed to these devices that rely on Active Directory machine authentication
- You want to continue to use Group Policy to manage device configuration
- You want to continue to use existing imaging solutions to deploy and configure devices.
- You must support down-level Windows 7 and 8.1 devices in addition to Windows 10
When setting up your Infrastructure for Hybrid Azure AD join you need to ensure you have configured Azure AD connect for Hybrid devices as well as configuring Group policies to add specific URLs to Intranet Zone assignments and a Group policy to enable automatic enrolment. You then need to ensure that the machines you wish to be Hybrid Azure AD Joined reside in the Organisational Unit you link the various Group policies to. For a full list of prerequisites, have a read of this link: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
Hybrid Exchange: In its standard default configuration there is no link between Exchange on premises and Exchange online. You cannot have mailboxes in both platforms using the same domain without some sort of Hybrid configuration.
A hybrid deployment enables the following features:
- Secure mail routing between on-premises and Exchange Online organisations.
- A unified global address list (GAL), also called a “shared address book.”
- A single Outlook on the web URL for both the on-premises and Exchange Online organisations.
- Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organisations use the @yourdomain.com SMTP domain.
- Centralised mailbox management using the on-premises Exchange admin centre.
Some companies implement Exchange Hybrid when they are planning on migrating to Exchange Online from on premises Exchange via either a staged or cut-over migration method. A hybrid deployment involves several different services and components:
- Exchange Servers
- Office 365 subscription that includes Exchange online
- Hybrid Exchange configuration wizard installed on-premises
- Azure AD Authentication
- Azure AD connect Synchronisation
A common mistake made when implementing Hybrid Exchange for migration purposes is that once the migration is completed you should decommission Exchange on premises. The reason this is a mistake is due to the fact that within this implementation you will have configured Azure AD synchronisation between Active Directory on premises and Azure AD, where the user objects stored in Active Directory are synchronised to the cloud.
In an on premises Exchange environment, Active Directory objects get a lot of information from Exchange servers, and in turn with the AD synchronisation process this is then sent to the identity objects in the cloud. If you decommission all your Exchange servers on premises, this automatically removes all Exchange attributes from the Active Directory account, which in turn will synchronise with Azure AD accounts which will have a massive impact on your email service. Therefore Microsoft recommend you should have at least one Exchange Server that stays on premises in a Hybrid setup.
The reason i have written this post is that i have been doing a lot of work recently with various customers around different Hybrid deployments (all three in this post), and have learnt a lot whilst doing this so just wanted to share some of my thoughts.
Hope you find this helpful, if you would like any more information feel free to tweet me @shabazdarr or ask a question in the comments section below! Until next time, ‘IamITGeek’ over and out!