https://github.com/epomatti/azure-directory-security
Azure directory cloud sync with Entra ID and Active Directory.
- Host: GitHub
- URL: https://github.com/epomatti/azure-directory-security
- Owner: epomatti
- License: mit
- Created: 2023-12-02T04:07:14.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-01-06T02:12:03.000Z (almost 2 years ago)
- Last Synced: 2025-01-17T18:34:52.279Z (9 months ago)
- Topics: active-directory, azure, azure-ad, azure-security, entra, entra-id, powershell, terraform
- Language: HCL
- Homepage:
- Size: 36.1 KB
- Stars: 1
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Azure Directory Security
Implementation for Active Directory integrations with Entra ID.
Copy the template for the `.auto.tfvars`:
```sh
cp config/template.tfvars .auto.tfvars
```
Set your public IP to be allowed in the firewalls:
```sh
dig +short myip.opendns.com @resolver1.opendns.com
```
Create the infrastructure:
```sh
terraform init
terraform apply -auto-approve
```
Terraform will install `AD-Domain-Services` via the Custom Script Extension.
Install the AD Domain Services package:
> If possible, set the domain name to be the same as the Entra tenant's. It must be <= 15 characters because Active Directory depends on NetBIOS.
```sh
# You'll need to type in the password and select "A" for all
Install-ADDSForest -DomainName contoso.local -InstallDNS
```
🔴🟢 The server will be restarted.
Management of the forest can be implemented
Synchronization is configured in the agent. There are two offerings for sync:
- Entra Connect Cloud Sync
- Entra Connect V2

Terraform will also have created an `administrator` account with the `Hybrid Identity Administrator` role, to be used during Entra sync setup. Use it to configure synchronization.
These authentication types can be configured in Entra ID:
- Password Hash Synchronization
- Pass-through Authentication
- Federated Authentication

## Cloud Sync
Follow the [instructions][4] to install the Cloud Sync agent.
> Advanced features will need to be enabled in Active Directory.
For example, an Organizational Unit named `Cloud` has the following Distinguished Name:
```
OU=Cloud,DC=contoso,DC=local
```
It might be required to set this [KDS Root key][3]:
```powershell
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
```
## Entra Connect V2
Download and install the agent.
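The Active Directory preparation steps above (NetBIOS length limit, KDS root key, scoping OU) collected into one script, as an added example that is not part of the epomatti/azure-directory-security repository. It assumes an elevated PowerShell session on the promoted domain controller with the RSAT `ActiveDirectory` module and the `KDS` cmdlets that ship with a DC; the function names `Test-NetbiosName` and `Initialize-CloudSyncScope` are the example's own.

```powershell
# Added example, not part of the epomatti/azure-directory-security repository.
# Run in an elevated PowerShell session on the domain controller after the
# Install-ADDSForest restart. Assumes the RSAT ActiveDirectory module and the
# KDS cmdlets that ship with a domain controller.
Import-Module ActiveDirectory

function Test-NetbiosName {
    # The first DNS label becomes the default NetBIOS name and is limited to
    # 15 characters; run this against the planned name before promoting.
    param([Parameter(Mandatory)][string]$DnsDomainName)
    $netbios = ($DnsDomainName -split '\.')[0].ToUpper()
    if ($netbios.Length -gt 15) {
        throw "NetBIOS name '$netbios' has $($netbios.Length) characters; the limit is 15."
    }
    return $netbios
}

function Initialize-CloudSyncScope {
    # Creates the OU that synchronization is scoped to and makes sure a KDS
    # root key exists (group managed service accounts depend on it).
    param(
        [string]$OuName = 'Cloud',
        [switch]$LabBackdateKdsKey   # only for throwaway test forests
    )
    $domain = Get-ADDomain
    $base   = $domain.DistinguishedName            # e.g. DC=contoso,DC=local

    if (-not (Get-KdsRootKey)) {
        if ($LabBackdateKdsKey) {
            # Backdating (as in the README) makes the key usable at once; a
            # production forest should instead wait out the default delay so
            # the key replicates to every DC before any gMSA uses it.
            Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
        } else {
            Add-KdsRootKey | Out-Null
        }
    }

    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" `
        -SearchBase $base -SearchScope OneLevel
    if (-not $existing) {
        # Protect the scoping OU: deleting it takes every synchronized
        # object out of scope in one step.
        New-ADOrganizationalUnit -Name $OuName -Path $base `
            -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$OuName,$base"   # paste this DN into the agent's scoping filter
}
```

Call `Test-NetbiosName contoso.local` before promotion and `Initialize-CloudSyncScope -LabBackdateKdsKey` after the restart; the latter returns `OU=Cloud,DC=contoso,DC=local`, the DN to scope the sync agent to.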
[1]: https://www.dell.com/support/kbdoc/en-us/000121955/installing-active-directory-domain-services-and-promoting-the-server-to-a-domain-controller
[2]: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync
[3]: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key#to-create-the-kds-root-key-in-a-test-environment-for-immediate-effectiveness
[4]: https://learn.microsoft.com/en-us/entra/identity/hybrid/install