This is so timely for me. Thank you so much for this video. Good job!
You're so welcome!
Great content, as always! I'm really grateful for your channel! Thanks a lot, Andy. Wishing you the best for 2023.
Aw thanks so much I really appreciate that😀
Great video Andy. I did find the magnifying glass a bit difficult in this video since it hides some of the text around the magnifying circle. I prefer your large arrow and the yellow highlight circle instead because it doesn’t hide any of the surrounding text or menu items.
So noted. I’ll return to that with the next video 👍
Andy, one of the best videos to get a clear understanding of this new feature, thanks a ton.
Thanks so much. I really appreciate that.
Thank you Andy, this was very timely for me. Nice use of the magnifying glass tool, it helped me focus on where I should be looking. Also, nice update on the music settings. Appreciate the effort put in to step through the process methodically, and looking forward to the content in 2023 - Happy New Year.
You're very welcome
Great video Andy as per usual. I've been reading up on Azure AD Connect Cloud Sync, so nice to see a live demo of it in action so to speak 👍
Glad it was helpful!
great video. Nice that there now is a provisioning agent for Azure AD connect
Thank you, Andy, although I have never been an admin, (except for software deployment on Corporate machines), I learned so much from your videos!
Thank you most kindly I appreciate that👍😊
@@AndyMaloneMVP Hello Andy, I have 2 questions: can you show a video with PowerShell? It is not very clear to me. I have just attended training on Microsoft Teams admin center functions; the one that struck me the most was how to assign, allow and call settings using Teams.
Thank you Andy, great content as always and a happy New year.
You’re very welcome, and thank you very much
Amazing Video ! Mr.Andy thanks a lot for your time and effort for making all amazing videos for free . God bless you :)
Glad you like them! Many thanks😊
WOW, your intro, mind blowing 🥰😀
Thank you 😊
Happy New Year to you and your family Andy, Good wishes from Kolkata, West Bengal, India 🇮🇳
Why thank you, and greetings from Stirling in Scotland to you and yours. I hope that 2023 will be a great year for you 👍 😊
Waited for this !!
Thanks for this Post Malone
many blessings to you, thank you.
Thanks Andy. How do you deal with multiple identities when you connect a local domain to Azure with user accounts? All users end up with their custom domain email plus their Active Directory user account in Azure. Thanks.
With a hybrid identity your on-premises AD accounts are synced into Azure AD and essentially become connected. When you make changes on premises, for example adding a new attribute etc., this would then sync to the cloud. As I mentioned in many videos, your user accounts and computer accounts have to be authenticated either by Active Directory on premises, or Azure AD in the cloud. If you had purely cloud-based users and devices they would live simply in the cloud and there would be no need for any synchronisation. I hope this helps and makes some sense to you. Thanks again Rich, for the question, all the best, Andy
Thanks very much Andy...!!!
You’re very welcome thanks
Thanks Andy, another useful video.
One thing to watch out for: Azure AD Cloud Sync isn't compatible with Hybrid Exchange (or at least it wasn't a few months back).
Hopefully, Microsoft will address this as most AD Hybrid organisations also have an on-prem Exchange server.
You are indeed correct, although I know this is currently inbound and you should see it soon. :-)
@18:12 - How do you enable single sign-on?
In this video I see it's disabled, but when you select it we don't see an option to enable it.
At the moment this can only be accomplished in PowerShell. This will be available in the product shortly though. Watch out for more details soon. Here is an article that'll help you. learn.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-sso
Thank you! Is it possible to manage on premise AD security group membership via Azure administrative units using MS Graph for unlicensed accounts created in AD on premise?
No I’m afraid not
@@AndyMaloneMVP - thanks Andy for your reply - most appreciated. What about via the hybrid connection manager? Is it not possible to manage on premise AD user objects via running PowerShell commands?
Awesome video. One quick question. What if you have existing users on both systems?
You can manually link them but it's VERY difficult. Best to delete the cloud accounts and re-sync the accounts.
Hi Andy. Great video. One thing I don't understand, and I watched your video on joining Windows 11 to Azure AD hoping to find the answer, but I'm still struggling: if you have existing PCs joined to your ADDS domain, and then you use AAD Connect or Cloud Sync, do these devices automatically become AAD domain joined, or do you have to do this manually, or can you not do this? If it needs to be done manually, do you have to remove the ADDS domain first? Do you need hybrid join here or is that just a Group Policy vs Intune decision? Hope that makes sense!
If your PC is joined to ADDS, you will need to reset it before you can join Entra ID.
Thanks @@AndyMaloneMVP. Do you mean reboot, or a full windows reset/refresh, i.e. reinstalling Windows, or something in between the two?
@@JoeNewton99 I mean reset as it has to come out of AD. Visit Learn.Microsoft.com for more
That was great. Kindly make a video that starts from zero to end, creating AD for a group of companies and connecting it with AAD Hybrid, like a complete project. It will be awesome for beginners who are new to AD.
Hello, I used Cloud Sync, but cannot join computers as Azure Hybrid. Running dsregcmd /status, it shows not provisioned and not Azure hybrid joined. Since I did not use AD Connect Sync, there is no SCP setting that I could find in ADSI Edit. What would you recommend I look at? Thank you.
Install Entra ID Connect Sync on a DC beforehand; ensure that you've correctly followed the Microsoft instructions from the learn.microsoft.com site and any prerequisites.
@@AndyMaloneMVP Thank you very much.
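The thread above is diagnosing a device that reports "not provisioned" from dsregcmd /status while no Service Connection Point (SCP) exists in AD. The script below is an added example, not code from the video or from any commenter: it parses the dsregcmd /status output into a structured object and then looks for the hybrid-join SCP under the well-known Device Registration Configuration container documented by Microsoft, so an admin can tell the two failure modes apart (device not registered vs. tenant discovery information missing from AD). It assumes an elevated PowerShell session on a domain-joined Windows client with the RSAT ActiveDirectory module installed; the threshold-free logic and the property names in the returned objects are this example's own choices.

```powershell
# Added example for the dsregcmd / SCP question above; not from the video or the thread.
# Assumes: elevated PowerShell on a domain-joined Windows client, RSAT ActiveDirectory module
# available. The container DN below is the well-known hybrid-join SCP location from Microsoft's
# hybrid join documentation; everything else (function and property names) is this example's own.

function Get-DeviceRegistrationState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable and
    # summarise the join state. Section banners (no colon) are skipped.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    $domainJoined  = $state['DomainJoined']  -eq 'YES'
    $azureAdJoined = $state['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        HybridJoined  = $domainJoined -and $azureAdJoined   # hybrid join = both at once
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

function Get-HybridJoinScp {
    # Read the device registration SCP from the forest configuration partition.
    # Returns $null when the object does not exist, which is exactly the symptom in the thread.
    param([string]$ConfigurationNC = (Get-ADRootDSE).configurationNamingContext)
    $dn = "CN=62a0ff2e-97b9-4ae1-ba3d-6ffa0d8ca06d,CN=Device Registration Configuration,CN=Services,$ConfigurationNC"
    try {
        $scp = Get-ADObject -Identity $dn -Properties keywords -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $null
    }
    # keywords carries "azureADName:<verified domain>" and "azureADId:<tenant id>"
    $kw = @{}
    foreach ($entry in $scp.keywords) {
        $name, $value = $entry -split ':', 2
        $kw[$name] = $value
    }
    [pscustomobject]@{ TenantName = $kw['azureADName']; TenantId = $kw['azureADId'] }
}

# Usage: run both checks and report which prerequisite is missing.
$device = Get-DeviceRegistrationState
$scp    = Get-HybridJoinScp

if (-not $device.DomainJoined) {
    Write-Warning 'Device is not joined to on-premises AD, so hybrid join does not apply.'
} elseif ($null -eq $scp) {
    Write-Warning 'No Device Registration SCP in the configuration partition. The Azure AD Connect wizard creates it, or it can be created manually per the Microsoft hybrid join documentation.'
} elseif (-not $device.AzureAdJoined) {
    Write-Warning "SCP points at tenant '$($scp.TenantName)' ($($scp.TenantId)) but this device has not registered yet; check the Diagnostic Data section of dsregcmd /status and whether the computer object is in the sync scope."
} else {
    "Hybrid joined to $($device.TenantName), device id $($device.DeviceId)."
}
```

The SCP check only needs read access to the configuration partition, so it can be run by a standard domain user for troubleshooting; creating the SCP, by contrast, requires Enterprise Admin rights, which is one reason to keep that step on a DC with the documented prerequisites rather than improvising it on a client.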
Andy, how do we move from the old Azure Connect to the new Cloud Sync? Anything we need to do in particular?
If you're using single sign-on, then I'd leave it alone. Other than that you can use Azure AD Connect, and then just reinstall Azure AD Connect cloud sync on top. But in all cases ensure that you read the Microsoft documentation that can be found at docs.microsoft.com
How do I synchronize devices with cloud sync? Do I have to install something else?
Honestly, I've not tried it. Take a look at my Intune deployment videos, they cover this.
Hello Andy, great channel. Question: do you have a video on how to set up Archive Policy and Tags, and PS commands to run the setup quickly? Thanks
Archiving yes, specific to PowerShell, no. Check out the playlist and thanks for the visit. Probably under compliance / Purview.
Great video Andy! I would be grateful if you could create a video on Azure back up. Many thanks!
Great suggestion!
Great learning video again.
Great video Andy. I would like to know if you already have Azure AD Connect installed, how do you change it to the Azure Cloud Sync?
Yes, you can. You first need to stop the directory sync service on your current server: Set-MsolDirSyncEnabled -EnableDirSync $false. Once stopped, install the Azure AD Cloud Sync agent, configure it, and uninstall Azure AD Connect. If you Google search your question, it will take you to a docs.microsoft.com article which shows you the step-by-step guide. Just be aware that it does not support PTA, only password hash sync with SSO.
Hi Andy, great video! Does Azure AD cloud sync support user matching between on-prem and Azure AD, with the matched users then taken over by the on-premises users (like Azure AD Connect), or can it only create new users in Azure AD when users from on-prem are matched with a user in Azure AD?
There is a certain number of attributes that you can match. But it is limited. Personally, I would play around with the software first before I put this into production.
@@AndyMaloneMVP maybe I wasn't the clearest; what I really want to know is if I can link an AD user to an already existing user in Azure AD when they have the same UserPrincipalName? It is quite a common scenario where you want to connect AD users with already existing Azure AD users, so that they use the same login data to log in to on-prem and Microsoft 365 resources. Nowhere in the documentation did I find it written whether this is supported or not, and when I tested the synchronization of AD users with the same UserPrincipalName as the user in Azure AD with AD cloud sync, it always created a new one in Azure AD with some numbers in the name instead of connecting them (as is the case with Azure AD Connect).
@@denisdebijadji9963 hi Dennis, thanks for your question. The problem with duplicate UPNs is that technically they have to be unique in Azure Active Directory. You can match them up, so, for example, you can sync them in from Windows Active Directory to Azure Active Directory, and this will link the accounts together. As I've said, AD would remain the source of authority in this case, so any changes to the account would be replicated into Azure. Although we use a UPN to identify users, the directory uses an object ID to identify every object, which must be unique. You can to a point match certain attributes up, but it's very hard work and wouldn't require a considerable amount of consultancy. I'm sure that this is not the answer you were looking for in this case, however that's it I'm afraid. I would check out the documentation on learn.microsoft.com and I wish you all the best, Andy.
Does this tool automatically upgrade Azure AD Connect? What happens if both Azure AD Connect and this tool run concurrently?
Generally you would do it the other way around, i.e. cloud sync to Azure AD Connect.
@@AndyMaloneMVP Hi
Does it mean that if we already use Azure AD Connect we should not replace it with this agent?
@@elmsroth8850 correct
Hi Andy, very insightful video here. Please, I get the below error on the "Agent configuration" page after inputting the Domain Admin credentials: "Error while creating group managed service account (gMSA). Error: There is no such object on the server." Any suggestions on getting past this error?
Hmm sounds like you're trying to use an account that does not have the correct privileges. Here's an article that may help learn.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-cloud-sync-faq
Great video
I appreciate the fantastic video. How do I perform a hybrid join to an Office 365 account after changing the motherboard on the system? Is there any way I can activate the user account using PowerShell? Thanks
I'm sure there will be. Check out the Microsoft Tech community or learn.microsoft.com for more details.
Hi Andy, great video.
I would like to ask you: when syncing devices with the Azure AD Connect tool, we had to configure it. If I'm correct you have covered user and group sync with the new tool; what would be the process to make devices hybrid? Thanks in advance and also happy new year to you. 🙂
I believe this one is what you need th-cam.com/video/gcH0AEzyJ4g/w-d-xo.html
Love it, thank you!
You are so welcome!
Please add license requirement info. Is entra an additional purchase? Included w e5 or what, P2? Thanks.
Min E3 licence for this. I’m using an E5
Good stuff!
Thanks!
As a traditional AD person I am still confused as to whether you can have a hybrid environment, non-joined Windows laptops managed with Intune but the devices able to access resources like on-prem shared drives, etc. Great channel by the way.
With Entra ID (Azure AD) joined devices in Intune and hybrid users authenticating in AD, there are connectors to allow shared data. But if I were you I'd migrate the data to 365. It's more secure.
@@AndyMaloneMVP Thanks - think everything is needed yesterday and that is back of the queue.🤣
Ironic I've been having a bunch of password hash encryption errors on our hybrid AD sync finally fixed today.
Awesome vid thank you
No problem 👍
Great Video Andy.
Is Windows Hybrid Join supported with Azure AD Connect yet? Or is that something we are still waiting for?
It can be activated in PowerShell, but will soon find its way into the client. Here's a doc that you may find useful. learn.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-cloud-sync-faq
This won't sync computers between AD and Azure, or when you use Intune to deploy a new computer in Hybrid mode.
You need to view my Intune video that will demo how to sync devices 😃 and more
@@AndyMaloneMVP oops, my bad, I will watch it.
Hello Andy! I have been enjoying your videos thank you so much for the time taken to do a good explanation. Over the last weekend, I saw a flash of your post about the nomination for Microsoft MVP, and I missed it. I will appreciate it if you could send me the link here privately. I also have a question: Is it the same process of migrating from on-premises to Azure that is also required for Hybrid to Azure-only infrastructure?
Great suggestion!
seems much easier to manage the Azure AD sync settings from the Entra portal
I agree but it’s not entirely at 100% yet. But it’s getting better 😊
Hello Andy,
Greetings, hope you are doing great.
Loving all your tutorials, which will be benefiting me a lot; thanks for making these. I have one question: how do we set up corporate email on personal devices? I mean, what is the requirement to achieve this? Please note that the environment is hybrid; of course the devices should be managed through MDM.
Looking forward to hear from you and thanks in advance 😊
Regards,
Hi Mohammed great to have you on board and for the question. I'm actually planning a session on this in the not too distant future so watch out for it :-) In the meantime here is an article that will help. Thanks again and all the best, Andy learn.microsoft.com/en-us/microsoft-365/admin/setup/set-up-mobile-devices?view=o365-worldwide&tabs=iPhone
@@AndyMaloneMVP thanks for your prompt reply, much appreciated 👍🏼 🙏 Actually I am looking for setting up email access on corporate devices with on-prem Exchange with an AD setup (AAD already set up), but Exchange is still on-prem. Do I need to make Exchange hybrid as well to use email on mobile devices?
I have AAD + AADDS = (Hybrid)
I have a custom domain
I created a VM in Azure (F16s_v2) with Windows 11 Enterprise multi-session.
The VM is domain joined
I have 10 users that RDP to this VM
- Question-1:
Why can't I get single sign-on to work on first sign-on? Once the user signs in using their M365 account, they still have to manually sign in to Teams, OneDrive, Edge and Outlook. If they now sign out, will it remember their sign-on afterwards?
Install Azure AD Connect (if you have not already done so). Open up and re-run the configuration tool. Then select PHS with SSO. I would also use Azure Bastion rather than plain RDP for security reasons. If you still can't connect I'd check firewall settings. Or give support a call. Good luck :-)
@@AndyMaloneMVP I also have a Site-2-Site VPN to Azure.
I have no Server on-prem, just a very good firewall with 2 ISP. AAD & AADDS are Azure services.
I have 1 VM in Azure.
- Are you saying to let the 10 users connect to the VM via Azure Bastion?
- AAD & AADDS sync automatically, unless I'm missing something. So, are you saying I still need AAD Connect?
Hi, maybe add a GPO link to users in User SSO?
Hi sir, I'm interested in AADDS extended via VNET to an on-premise S2S VPN. My question:
1. Can a client hosted on-premise join AADDS, with authentication by AADDS?
✌
Has MS effectively compromised itself by not wishing to decimate its sales of Win Server, and thus not providing a cloud-only directory that can replace the directory side of Win Server? If Jumpcloud can do it, surely so can they. On premise is and should be history by now except for some really edge cases. Or am I missing the point? For all my small biz customers on prem AD is simply a massive white elephant.
Windows Server income currently only represents about 8% of Microsoft income compared to its cloud sales. So no, I'm afraid it's just progress.
@@AndyMaloneMVP So is cloud-only AD of some style a thing? Something that requires no on-prem services?
@@nickharvey5149 All users and computer accounts are managed by the cloud using Azure AD.
I'd love to pick your brains further, as this all-cloud seems to be shrouded in mystery! Or maybe you could do a clarification video? I have never managed to get a straight answer out of anyone on the topic, hence why I have just migrated a Win2012r2 customer to JumpCloud.
@@nickharvey5149 sure I can do that for you. FYI, you should know that 95% of my videos are cloud based and I’m not using any of the premises kit whatsoever.
10-Q can't stay & play
Respectfully, NHG