Hybrid identity considerations for the Azure Government cloud
This article describes considerations for integrating a hybrid environment with the Microsoft Azure Government cloud. This information is provided as a reference for administrators and architects who work with the Azure Government cloud.
Note
To integrate a Microsoft Active Directory environment (either on-premises or hosted in an IaaS that is part of the same cloud instance) with the Azure Government cloud, you need to upgrade to the latest release of Microsoft Entra Connect.
For a full list of United States government Department of Defense endpoints, refer to the documentation.
Microsoft Entra pass-through authentication
The following information describes implementation of Pass-through Authentication and the Azure Government cloud.
Allow access to URLs
Before you deploy the Pass-through Authentication agent, verify whether a firewall exists between your servers and Microsoft Entra ID. If your firewall or proxy allows Domain Name System (DNS) blocked or safe programs, add the following connections.
Important
The following guidance applies only to the following:
- the pass-through authentication agent
- Microsoft Entra private network connector
For information on URLS for the Microsoft Entra provisioning agent see the installation pre-requisites for cloud sync.
| URL | How it's used |
|---|---|
| *.msappproxy.us*.servicebus.usgovcloudapi.net | The agent uses these URLs to communicate with the Microsoft Entra cloud service. |
mscrl.microsoft.us:80 crl.microsoft.us:80 ocsp.msocsp.us:80 www.microsoft.us:80 |
The agent uses these URLs to verify certificates. |
| login.windows.us secure.aadcdn.microsoftonline-p.com *.microsoftonline.us *.microsoftonline-p.us *.msauth.net *.msauthimages.net *.msecnd.net*.msftauth.net *.msftauthimages.net*.phonefactor.net enterpriseregistration.windows.netmanagement.azure.com policykeyservice.dc.ad.msft.netctldl.windowsupdate.us:80 | The agent uses these URLs during the registration process. |
Install the agent for the Azure Government cloud
Follow these steps to install the agent for the Azure Government cloud:
In the command-line terminal, go to the folder that contains the executable file that installs the agent.
Run the following commands, which specify that the installation is for Azure Government.
For Pass-through Authentication:
AADConnectAuthAgentSetup.exe ENVIRONMENTNAME="AzureUSGovernment"For Application Proxy:
MicrosoftEntraPrivateNetworkConnectorInstaller.exe ENVIRONMENTNAME="AzureUSGovernment"
Single sign-on
Set up your Microsoft Entra Connect server
If you use Pass-through Authentication as your sign-on method, no additional prerequisite check is required. If you use password hash synchronization as your sign-on method and there is a firewall between Microsoft Entra Connect and Microsoft Entra ID, ensure that:
You use Microsoft Entra Connect version 1.1.644.0 or later.
If your firewall or proxy allows DNS blocked or safe programs, add the connections to the *.msappproxy.us URLs over port 443.
If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite applies only when you enable the feature. It isn't required for actual user sign-ons.
Roll out Seamless Single Sign-On
You can gradually roll out Microsoft Entra seamless single sign-on to your users by using the following instructions. You start by adding the Microsoft Entra URL https://autologon.microsoft.us to all or selected users' Intranet zone settings by using Group Policy in Active Directory.
You also need to enable the intranet zone policy setting Allow updates to status bar via script through Group Policy.
Browser considerations
Mozilla Firefox (all platforms)
Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Microsoft Entra URL to their Firefox settings by following these steps:
- Run Firefox and enter about:config in the address bar. Dismiss any notifications that you might see.
- Search for the network.negotiate-auth.trusted-uris preference. This preference lists the sites trusted by Firefox for Kerberos authentication.
- Right-click the preference name and then select Modify.
- Enter
https://autologon.microsoft.usin the box. - Select OK and then reopen the browser.
Microsoft Edge based on Chromium (all platforms)
If you have overridden the AuthNegotiateDelegateAllowlist or AuthServerAllowlist policy settings in your environment, ensure that you add the Microsoft Entra URL https://autologon.microsoft.us to them.
Google Chrome (all platforms)
If you have overridden the AuthNegotiateDelegateWhitelist or AuthServerWhitelist policy settings in your environment, ensure that you add the Microsoft Entra URL https://autologon.microsoft.us to them.
Next steps
Tilbakemeldinger
Kommer snart: Gjennom 2024 faser vi ut GitHub Issues som tilbakemeldingsmekanisme for innhold, og erstatter det med et nytt system for tilbakemeldinger. Hvis du vil ha mer informasjon, kan du se: https://aka.ms/ContentUserFeedback.
Send inn og vis tilbakemelding for