Guest accounts are used to provide controlled access to corporate resources for temporary or external users. These accounts are often created for partners, consultants, or temporary employees and provide an isolated environment that restricts access to specific, necessary resources. Guest accounts are separate from regular user accounts and are subject to stricter policies to meet the company’s security requirements.
The management of these accounts is done through central policies that define which resources are accessible and how long access is permitted. This helps protect the integrity of the network and prevents the misuse of access rights. Additionally, using guest accounts allows for better implementation of audit and compliance requirements, as access logs and user activities can be accurately tracked.
Synchronizing Guest Accounts from Active Directory with Entra ID: Is it Worthwhile?
Guest accounts from Active Directory can be synchronized to Entra ID. The tool Entra Connect V2 is used for this, enabling directory synchronization between on-premises Active Directory and Entra ID. It is important that the guest accounts in the local Active Directory are appropriately configured to ensure smooth synchronization. Even better is synchronization with Entra Cloud Sync, which we will also discuss in this article.
Synchronization between AD and Entra ID typically occurs through one-way replication, where data from the local AD is transferred to Entra ID. After synchronization, the guest accounts in Entra ID can be used to access cloud-based resources and services. They retain their specific access rights and restrictions defined in the local Active Directory. Accordingly, users can access resources locally and simultaneously access resources in the cloud. This works for Azure and resources from Microsoft 365, such as SharePoint or Teams.
Synchronizing Guest Accounts with Entra ID
In general, the best way to synchronize accounts from AD with Entra ID is to use Entra Cloud Sync. Here, multiple agents can be installed in the network simultaneously, providing high availability. Additionally, Entra Cloud Sync allows for the parallel synchronization of multiple domains and AD forests with a single Entra ID directory. Management is done through the Entra Admin Center, not through the locally installed agent.
The settings can be quickly found by searching for “Entra Connect” in the Entra Admin Center (entra.microsoft.com). Central management is done through “Manage Microsoft Entra Cloud Synchronization.”
The window displays the existing synchronization partnerships. Here, additional agents can be deployed in parallel with “New Configuration,” or the already existing synchronizations can be adjusted.
For synchronization, an agent is required on the respective server in the local network. It can be downloaded during the configuration setup or by clicking on an existing connection. The setup is done via the file “AADConnectProvisioningAgentSetup.exe.” Existing configurations can be viewed by clicking on the corresponding domain. The download is done via “Download Local Agent.”
Under “Agents,” the locally connected servers and their external IP addresses can be seen. It is also indicated whether the corresponding agent is active. This allows for the operation of multiple agents in the network and the addition of new agents at any time.
By selecting “New Configuration” and choosing “AD to Microsoft Entra ID Synchronization,” the configuration for the synchronization from Active Directory to Entra ID is carried out.
Once the first agent is installed and configured, it will appear under “Agents” in the Entra Admin Center under “Cloud Synchronization.” The synchronization is then set up through “Configuration -> New Configuration -> AD to Microsoft Entra ID Synchronization.” Here, the domains registered with Entra ID via the agents can be seen.
By clicking “Create,” Entra ID binds the domain. Management is then also done in the Entra Admin Center. By clicking on “Disabled” under “Status,” information can be retrieved. By clicking on the domain, the synchronization can be activated by selecting “Check and Enable” and then “Activate Configuration.”
After this, the status for the domain should show “Error-Free.” The synchronization of user accounts and their password hashes from the respective domain/forest to Entra ID will now take place. This also applies to the guest accounts present in the domain.
By using the menu item with the three dots on the right side, all installed agents can be displayed in the web interface with “View Agents.” It is also possible to download the agent, for example, for other servers in the network. This allows for a highly available deployment. It is important that in the Entra Admin Center, in the settings of the respective domain, the value “Enabled” is displayed for “Configuration Status” and the number of agents used is shown under “Agents.”
If only certain accounts are to be synchronized, filters can be defined in the settings under “Scope Filter,” “Attribute Mapping,” or “Expression Generator” to filter the guest accounts or other accounts.
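Before enabling synchronization, it pays to audit the guest accounts that the scope filter will pick up. The following PowerShell script is an added example, not code from the article or from FirstAttribute; it assumes the ActiveDirectory module, that guest accounts live in OU=Guests,DC=example,DC=com (the OU used as the Cloud Sync scope filter), that example.com is a UPN suffix verified in Entra ID, and a 90-day guest expiry policy.

```powershell
# Added example: pre-sync audit of AD guest accounts that Cloud Sync would pick up.
# Assumptions (not from the article): guests live in OU=Guests,DC=example,DC=com,
# the Cloud Sync scope filter is set to that OU, and the UPN suffix example.com
# is a verified domain in Entra ID.
Import-Module ActiveDirectory

$GuestOU        = 'OU=Guests,DC=example,DC=com'
$VerifiedSuffix = '@example.com'
$MaxDays        = 90   # policy: guest access must expire within 90 days

$now = Get-Date
$findings = foreach ($u in Get-ADUser -SearchBase $GuestOU -Filter * `
        -Properties accountExpires, mail, userPrincipalName, Enabled, LastLogonDate) {

    $issues = @()

    # Cloud Sync needs a UPN suffix that is verified in Entra ID; a non-verified
    # suffix is replaced by the tenant's .onmicrosoft.com domain, which breaks
    # the expected sign-in name for the guest.
    if (-not $u.userPrincipalName -or -not $u.userPrincipalName.EndsWith($VerifiedSuffix)) {
        $issues += 'UPN suffix not verified in Entra ID'
    }

    # accountExpires is 0 or Int64.MaxValue when the account never expires.
    $neverExpires = ($u.accountExpires -eq 0 -or $u.accountExpires -eq [Int64]::MaxValue)
    if ($neverExpires) {
        $issues += 'no expiry set (guest should be time-limited)'
    } else {
        $expiry = [DateTime]::FromFileTime($u.accountExpires)
        if ($expiry -lt $now -and $u.Enabled) { $issues += 'expired but still enabled' }
        elseif (($expiry - $now).TotalDays -gt $MaxDays) { $issues += "expiry beyond $MaxDays-day policy" }
    }

    # mail is needed for Teams/SharePoint sharing once the account is in Entra ID.
    if (-not $u.mail) { $issues += 'mail attribute empty' }

    if ($issues.Count -gt 0) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.userPrincipalName
            Enabled        = $u.Enabled
            LastLogon      = $u.LastLogonDate
            Issues         = ($issues -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from a workstation with RSAT before activating the configuration, and again as a periodic access review: every row is an account that would be replicated to the cloud with a weaker lifecycle than the policy on the first page intends.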
What Companies Should Consider When Synchronizing Guest Accounts
The synchronization of guest accounts from Active Directory with Entra ID via Entra Cloud Sync presents several challenges. One of the main difficulties lies in the correct configuration and management of the synchronization settings to ensure that the guest accounts receive the correct permissions and access rights. Different policies and attributes between the local AD and Entra ID can lead to inconsistencies and synchronization issues.
The scalability and performance of the synchronization can also be challenging, especially with large and complex directory structures. Network bandwidth and latency can affect the efficiency of the synchronization. Additionally, regular monitoring and maintenance of the synchronization tools require additional resources and expertise to detect and resolve potential errors and interruptions early.
Alternatives to Synchronization
There are alternatives for synchronizing guest accounts from Active Directory (AD) with Entra ID, depending on the specific requirements and infrastructure of a company.
Direct Federation
One option is Direct Federation, where external users from a partner directory are authenticated directly in Entra ID without the need for a full synchronization of accounts. A trust relationship is established between the partner’s local AD and Entra ID.
Azure B2B Collaboration
Another alternative is Azure B2B Collaboration. With this method, guest users from other directory services or with other email domains can be invited to access resources in Entra ID. This does not require synchronization of accounts while still allowing secure and controlled access.
Identity Provisioning Tools
Moreover, companies can also turn to third-party Identity Provisioning Tools. These tools offer advanced features for managing and synchronizing identities across different directory services and cloud platforms. They can provide tailored solutions for specific requirements and help simplify complex synchronization scenarios.
Local Authentication Services
Finally, there is the option to rely on local authentication services that bridge the local AD and Entra ID. These services allow for local verification of user logins and issuing tokens for accessing Azure resources without the need to directly synchronize the accounts.
Azure AD Application Proxy: Remote Access to Web Applications
The Azure AD Application Proxy enables remote access to internal web applications. The proxy service acts as a bridge between local applications and external users who are authenticated via Entra ID.
By using the Application Proxy, guest users can access internal applications securely without having to provide full access to the local network. The guest accounts created in Entra ID can be used here as well. This makes it possible to offer an isolated access solution for external users while ensuring that sensitive data remains protected.
Best Alternative: Manage AD Guest Accounts with an IAM System (IDM Portal)
If numerous guest accounts are actively used in local environments and in Entra ID, IAM solutions can help. IAM systems (Identity and Access Management), such as the FirstWare IDM Portal from FirstAttribute, can play a crucial role in the management of guest accounts in Active Directory, especially in conjunction with the use of Entra ID. Such systems provide a central platform for managing user identities and access rights from AD and Entra ID, including the creation, updating, and deactivation of guest accounts. The IDM Portal enables administrators to manage guest accounts centrally while adhering to corporate policies and security standards.
In the IDM Portal, you can centrally manage the AD and Entra ID permissions (groups) of your guest accounts. More information about the Central Management of Guest Accounts in Hybrid Environments – AD and Entra ID can be found here.
IAM systems also support the automation of workflows and approval processes, simplifying and speeding up the management of guest accounts. By integrating IAM systems with Entra ID, companies can ensure that only authorized guests have access to the necessary resources while maintaining compliance and security requirements.
FirstAttribute AG – Identity Management & IAM Cloud Services