CDP-H210 Introduction to Azure Active Directory

This is an infrastructure lab, useful to both ITPros and Developers to learn the basics of Azure Active Directory. The main focus is on understanding the basics of the directory itself: how to create one, users and groups, and one of the key scenarios for the ITPro, which is connecting and synchronizing the directory with on-premise Active Directory. You will create a domain controller using an Azure Virtual Machine as a proxy for your on-premise domain controller. You will install the Azure AD Connect tool on this DC to synchronize user names and passwords. The lab will also enable Multi-factor authentication.

Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core directory services, advanced identity governance, security, and application access management. Azure AD also offers developers an identity management platform to deliver access control to their applications, based on centralized policy and rules. You can use Azure AD to secure and manage access to both Microsoft cloud applications like Office 365 as well as hundreds of non-Microsoft applications.

1. Login to the Azure Management Portal

The first task is to get you signed into the Azure Management Portal, and to do that you need a valid subscription for Azure. You can:
- Use your own subscription
- Sign up for a free trial (http://azure.microsoft.com/en-us/pricing/free-trial)
- Get a subscription from one of the lab proctors

On your lab computer, fire up Internet Explorer and browse to http://manage.windowsazure.com and login using the user ID and password from one of the above methods.

2. Core Setup

You are going to be doing a number of things with Azure AD. One of the more complex things you will do is synchronize Azure AD with your on-premise Windows Server Active Directory.
Well, since you can't lift and shift your AD to this lab, you will actually create your own test on-premise network and AD infrastructure, and you will do this on Azure using Azure Virtual Networks and Virtual Machines. To save some time, and also to show you how to upload and create your own VM on Azure, you will be copying an existing virtual hard disk file (.VHD) from an existing domain controller (the author's) and then spinning up a Virtual Machine from this .vhd file.

The very first thing to do then is to copy the .vhd file to your subscription, as this can take some time. For this lab, a virtual disk has already been copied to a set of storage accounts in Azure. Appendix 2 (as a reference) will explain how you would do this if you want to try when you get back to the office. You just need to copy the .vhd file to your own storage account. So first, you need a storage account.

Click the + NEW icon at the bottom left and select DATA SERVICES -> STORAGE -> QUICK CREATE.

In the URL box, enter a name for your storage service: use <youralias>vhdstore. For example, if your name is Ann Green and your work email alias is agreen@contoso.com, use agreenvhdstore as the storage account name (there can be NO UPPERCASE letters or symbols). You will get a red tick next to the URL name if it is OK.

Choose a location: this is which data center in the world you want to place your storage account in. You MUST select North Europe (your copy of the .vhd file will be very slow if you do not).

Select Locally Redundant replication. This means data in your storage account is NOT replicated to another Azure data center (we don't need it for this lab; it's also cheaper and faster).

Click on CREATE STORAGE ACCOUNT. It will take around 30 seconds for the account to get created (status: ONLINE).

Now you can copy the .vhd file. You will do this using PowerShell, and specifically using the PowerShell commands for Azure. First you need to install these commands. On your lab machine, open another browser tab and go to this URL: https://github.com/azure/azure-sdk-tools/releases

Click on the Windows Standalone link, RUN the .msi file and follow all the prompts to get PowerShell installed. After install, click the Window button and type Powershell ISE. Right-click the Powershell ISE application and select Run as Administrator. Click the Script button (as shown opposite) to show the script window. At the command prompt, enter:

Add-AzureAccount
This will launch a login window. Login using the credentials you used earlier. PowerShell is now connected to your Azure subscription and you can now interact with it. For example, type the following to get details about all your subscriptions:

Get-AzureSubscription

To copy the .vhd file, you will use a script which will prompt you for the subscription and storage account to use (if you have more than one), then it will randomly select one of the 5 storage accounts the .vhd file is stored in, then finally it will initiate the copy. From Appendix 1 in this lab guide, copy the entire script and paste it into your script window in PowerShell (the top section with a tab called untitled1.ps1). Press RUN. The script will run and keep checking the status of the copy operation. It can take just a few seconds or 10-15 minutes to copy the 20GB .vhd file; it depends on other activity at the time. You will come back to this later in the lab when you need your on-premise domain controller.

One other thing you will need when you create your Virtual Machine/Domain Controller from the .vhd file you are copying is a Virtual Network. This will allow you later to add your Domain Controller to this network, as well as put other VMs in the network and have network connectivity and name resolution between them.

On the Management Portal, select + NEW -> NETWORK SERVICES -> VIRTUAL NETWORK -> QUICK CREATE.

Enter a NAME (which must be unique). We suggest <alias>-vnet, for example agreen-vnet, as per the naming of your storage account (you can have symbols for most other services in your name, just not storage).

LOCATION: select the same location as your storage account, preferably North Europe. Leave the other values alone and then click OK. Your network will get created.

Once created (it will take just 20-30 seconds), click on the network and then click on the CONFIGURE tab. In the DNS Servers section, enter the name of your domain controller VM (yes, you have not actually created this yet). Use <alias>-dcvm, for example agreen-dcvm. Since the VM will be the first VM in your network, and the default IP address scheme for your network is a 10.0.0.0 scheme, we know that the IP address given to the first machine will be 10.0.0.4. Enter this value in the IP address and click SAVE and YES to the warning. You are doing this step now in the lab to save you a little time and not have to do a reboot of your domain controller to pick up the DNS value.

That's all you need to do right now. Let's get started actually learning Azure Active Directory itself.

3. First Steps with Azure AD

3.1 Setting Up

Your first step with Azure AD is the easy part: just creating the directory itself. On the Azure Portal, click + NEW, select APP SERVICES, select Active Directory and then Directory and Custom Create.

Enter a name for the directory, whatever you want, e.g. <alias> Azure AD. Then a DOMAIN NAME: use <alias>aad and make sure the domain is valid/not taken; change it if it is. Select the Country/Region: pick a country in the same region that you chose when you created your Network/Storage Account.
3.2 Changing your Directory-Subscription Mapping

Now there is a relationship between Azure subscriptions and Azure Active Directory. Each subscription has to be associated with a single directory, but a directory can apply to multiple subscriptions. There is a default hidden directory with the domain microsoft.onmicrosoft.com. When you created your directory above, the subscription you are using is not associated with this new directory; it's actually associated with the hidden default directory (or it might even be some other directory depending on your subscription). You can see this initial directory and you can also change it so that your subscription is mapped to your new directory (although you cannot change this back currently).

IF you are a service administrator on the subscription you are using for this lab, you will be able to do the change below to your directory.

Click on Settings (the last icon on the left nav). The list of subscriptions shows, for each subscription, what the associated directory is. As you can see, for your subscription, the default directory is NOT the directory you just created. Select the subscription and click Edit Directory at the bottom of the portal. The new directory you created will get populated as the only choice. If you do not see this new directory, close the Edit Directory dialog, refresh your browser and try again. Click Next and OK. You will get a message about re-loading the portal. Click OK. Now the subscription will show it is associated with your new directory.

This means that you can create new users in your new directory and use the directory for your Azure subscription management. For example, you can create a new user and make them a co-admin on your subscription. You will do this next.

Go back to your Azure AD in the Management Portal. Click YOUR directory, and click the users tab. You will see your current Microsoft account listed. Click on ADD USER. You want a New User in Your Organization.

Enter AzureCoAdmin as the username. Click NEXT. Enter the First name (Azure), Last name (Coadmin) and Display name (Azure CoAdmin). For Role, select Global Administrator and then enter any alternate email address (this is not validated, so it can be any well-formed address, e.g. foo@foo.com). DO NOT check enable MFA; you will do this in a later step.
On the Get Temporary Password screen, click the create button and then click the clipboard icon to copy the temporary password to the clipboard (you will change this password to something you can remember next). Click OK.

Now you have a user in your directory. The user has global admin permission on the directory itself, but the user is not yet a co-admin on the subscription. On the Portal, on the left nav, click on Settings, select the Administrators tab and click ADD. Enter the name of your coadmin, which would be azurecoadmin@<alias>aad.onmicrosoft.com. If you do this correctly, your user will be validated in the Azure AD. Check the subscription you want to add the user as a co-admin to and click OK.

Now open up a new In-Private browser session (this is so that you can be logged into two Azure Portal sessions using two different accounts at the same time) and go to the Azure Management Portal: http://manage.windowsazure.com

Login with your full azurecoadmin@<alias>aad.onmicrosoft.com account and paste the password in from the clipboard (Ctrl-V). After login, you will be prompted to change your password; use 1stAzure as the new password.

NOTE: if you lose the password, you can reset it: go to the users tab on your directory, select the azurecoadmin user and click the reset password button at the bottom.

After login, you will now see all the same services as your Microsoft account login. Click through the getting started tour.

So you have your first user, and you actually have an application (the Azure Management Portal) that uses Azure AD to authenticate against and get user information from the directory. Of course you can build your own applications that do this as well. Other commercial applications such as Office 365, Dynamics CRM and Visual Studio Online use Azure AD.
4. Back to AD: More stuff - Branding

So the basic capability of Azure AD is users and groups, and using Azure AD as a directory and user account store for your applications. Azure itself uses AD, as you just saw when you created your coadmin.

One of the first things that organizations want to do with their directory, and as an added precaution to give their users more certainty that they are visiting an approved place, is to brand their directory/sign-in experience. For this, you need to turn on the Azure AD Premium feature set.

Select your Directory again from the Active Directory node on the portal (you can use either the initial login or the co-admin account). Click on Licenses and click the link to Try AD Premium and accept the trial message; this will take 10-20 seconds to set up. Click the REFRESH link. When completed, click on Assign on the bottom of the Portal. Click BOTH the two users you see to assign licenses to them. Now these users can access premium features.

Now click the CONFIGURE tab and you will see a Customize Branding button. However, before you can use it, you need to download some branding assets (images, icons etc. that have already been created for you). Get the set of assets for this lab from the lab download folder here: http://1drv.ms/1dcueni

Check the Azure_Intro_to_ActiveDirectory folder and select DOWNLOAD in the header. Save the file to your desktop, right-click the file on your desktop and select EXTRACT ALL.

Go back to the Azure Portal and click the Customize Branding button.
a. For the Banner Logo select: Contoso_BannerLogo_default.png from your downloaded folder
b. For the Tile Logo select: Contoso_Tilelogo_default
c. For the Sign in Page text, enter some text such as: Need help? Contact Contoso Help Desk at (206) 555-1234. This site is operated by Microsoft on behalf of Contoso Inc and is for the exclusive use of Contoso employees and partners. Visit www.contoso.com/terms for details.
d. For the Sign-In Page Illustration, select: Contoso_Illustration_default.jpg
Click OK.

Then in your in-private session, where you are logged in as your azurecoadmin, click on your username on the top right and select Sign Out. On the You have been Signed Out page, click sign in. You will see your branding updates as soon as Azure detects you want to use a login from the AD domain that you have applied your branding updates to, i.e. your azurecoadmin@<alias>aad.onmicrosoft.com account.
5. Continue with Active Directory Test Lab

By now, your copy of the virtual hard disk should have completed. Switch to your PowerShell session to make sure it has. If it has not, you can continue with the Multi-Factor Authentication section.

Let's first make sure you actually have a .vhd file in your storage account. Remember, this .vhd file is the virtual disk on which Windows Server 2012 R2 is installed; it has AD installed and configured as a single forest (contoso.com) domain controller. There are a bunch of users and groups in the directory. DNS is configured.

5.1 Creating your Domain Controller VM

So you have a VHD file which sits in Azure storage, but you need a VM. The basic way you do this is to create a virtual disk in Azure, pointing at your .vhd file. You then create a VM using this virtual disk. Let's do this.

In Azure, click on STORAGE, click your storage account (<alias>vhdstore), click the CONTAINERS tab and click the vhdimages container (this was created for you by the script). You should have a 20GB file in this container called teazuredisk.vhd.

Click on the Virtual Machines category in the left nav bar of the portal. Click on the DISKS tab and click the + CREATE button at the bottom. Enter the details as you see opposite, pointing at the .vhd file in your storage account (click the folder icon to browse for the file), making sure to check the VHD contains OS box and the OS Family. Click OK. This action creates a logical disk that you can then use to spin up a virtual machine from. This should take around 20-30 seconds and you will see the disk in the portal when it is completed.

Now in the portal click the bottom left + NEW button and select COMPUTE -> VIRTUAL MACHINE -> FROM GALLERY. On the first page of the gallery wizard, click on the MY DISKS option on the lower left side. You will see your teazuredc disk. Select it and click NEXT. Choose a name for your VM such as <alias>-dcvm, e.g. agreen-dcvm. Choose BASIC tier and A2 Size.
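The same disk-and-VM creation, including the cloud service and virtual network choices made on the wizard's next screen, as an Azure PowerShell script; this is an added example, not part of the lab guide. It assumes the lab's agreen naming and a quick-create subnet called Subnet-1, and it goes one step beyond the portal flow by reserving 10.0.0.4 for the DC so the VNet's DNS entry cannot drift.

```powershell
# Added example, not from the lab guide: section 5.1 done with the Azure (service management)
# cmdlets the lab installed earlier. Run in the same PowerShell ISE session after Add-AzureAccount.
# Assumptions: alias "agreen", storage account agreenvhdstore, VNet agreen-vnet with the
# quick-create default subnet "Subnet-1"; change these to match your own names.
$alias    = "agreen"
$storage  = "${alias}vhdstore"
$vnet     = "${alias}-vnet"
$vmName   = "${alias}-dcvm"     # also used as the cloud service (DNS) name
$diskName = "teazuredc"
$vhdUri   = "https://${storage}.blob.core.windows.net/vhdimages/teazuredisk.vhd"
$dcIp     = "10.0.0.4"          # the address entered under DNS Servers at the start of the lab

# 1. DISKS -> CREATE: register the copied .vhd as a bootable Windows OS disk.
Add-AzureDisk -DiskName $diskName -MediaLocation $vhdUri -OS Windows | Out-Null

# 2. The gallery wizard: MY DISKS -> teazuredc, BASIC tier, A2 size, on the lab's VNet.
#    Set-AzureStaticVNetIP goes beyond the portal flow: it reserves 10.0.0.4 for the DC
#    instead of relying on it being the first VM in the network.
#    A VM built from a disk gets no endpoints by default, so add RDP for the Connect step
#    (Azure assigns the public port, as the portal does).
$vm = New-AzureVMConfig -Name $vmName -InstanceSize Basic_A2 -DiskName $diskName |
      Set-AzureSubnet -SubnetNames "Subnet-1" |
      Set-AzureStaticVNetIP -IPAddress $dcIp |
      Add-AzureEndpoint -Name "RDP" -Protocol tcp -LocalPort 3389

# 3. Create the cloud service and the VM in one call (the region must match the VNet's).
New-AzureVM -ServiceName $vmName -Location "North Europe" -VNetName $vnet -VMs $vm

# 4. The check the lab does on the NETWORKS dashboard: does the DC's address match the DNS entry?
$actualIp = (Get-AzureVM -ServiceName $vmName -Name $vmName).IpAddress
if ($actualIp -ne $dcIp) {
    Write-Warning "DC received $actualIp, not $dcIp. Fix the VNet DNS Servers entry, then restart the VM."
} else {
    "DC is at $dcIp and matches the VNet DNS server entry."
}
```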
On the next screen, there are TWO important values: the CLOUD SERVICE DNS NAME and the REGION/AFFINITY GROUP/VIRTUAL NETWORK selection. The DNS Name will default to your VM name; make sure this resolves to a valid/unique value and change it if it does not. Make sure to select the Virtual Network you created earlier. Click Next and then FINISH. Your VM will go through the process of getting created and booting up. It will take around 3-5 minutes for this to complete.

While it is doing this, click on the NETWORKS section in the portal, click on your network and click on DASHBOARD. Locate the IP address that your VM gets on the network. Then click the CONFIGURE tab and look in the DNS Servers section. Make sure the IP address your VM received is the same as the IP address you entered there at the very start of the lab. If it's different, change it here, and after your VM has been created you will need to restart it so it picks up the correct DNS server IP address (which of course is itself).

Once your VM is ready, you can select it in the Portal and click on Connect. When you get to the login screen for the VM, enter contoso\azureadmin as the username and 1stAzure as the password (remember this is a Domain Controller, so you need to login as the uber admin to the Domain). Enter something on the shutdown warning and click OK.

Now on your Domain Controller, open Active Directory Users and Computers (Server Manager -> Tools). You will see two Organisational Units, Marketing and IT Group. Both have users in them. The passwords for all the users are the same: 1stAzure. At the contoso.com level, there are also three groups, AzureAdmins, Contoso_FTE and Managers, and each has some members from the 5 users in the directory.

5.2 Connecting your DC to your Azure AD

You have an Azure Active Directory and now you have a Domain Controller. You now need to install the directory synchronization tool on your DC and set up your Azure AD to integrate with this domain controller.
From your Virtual Machine/DC, open a browser and go to this download link: http://www.microsoft.com/en-us/download/details.aspx?id=44225

On the Microsoft Azure Active Directory Sync Services page, click the download button and click on RUN to start the install after download. Accept the license terms and click on install. After install, the tool will start the configuration wizard. The first thing it needs is an Azure credential that has global admin access to your directory.

Go to the Azure Portal. You are going to create a new user in your Azure AD that you will use for the dirsync operation. Go to the users tab in Azure AD and create a new user with aadsyncadmin as the username, and make this user a global admin also. Copy the temporary password to the clipboard. Go to either of your open Azure Portal browser sessions (the supplied admin account or your azurecoadmin account), sign out and then sign in using the new aadsyncadmin account (which will be aadsyncadmin@<alias>aad.onmicrosoft.com). Paste (CTRL-V) the temporary password into the password field. On the change password screen, change the temporary password to 1stAzure. You won't be able to access the Azure portal with this account, as it is not a coadmin on the subscription. Sign out. Close the browser and switch to your other Azure Portal browser session.

Select your Azure AD and then click the DIRECTORY INTEGRATION tab. Click the ACTIVATED link as shown opposite to ACTIVATE your directory for synchronization and then click SAVE.

Now, switch back to your domain controller and the AD Sync Wizard. Enter the credentials you created for the aadsyncadmin user (aadsyncadmin@<alias>aad.onmicrosoft.com and 1stAzure).
After validating, you need to enter the forest name and an admin username\password for your domain controller VM. This will be contoso.com, contoso\azureadmin and 1stAzure. After entering these values, click Add Forest and click NEXT. Click past the user matching screen and on the Optional Features screen, check the Password Sync and Password Write-Back options. Click NEXT and CONFIGURE. Once complete, click FINISH and the synchronization will happen.

It will take a couple of minutes for the users and groups to show up in your Azure AD. You will see new users in the directory and the users will show they have been sourced from a Local Active Directory. If you open up any of these users, their properties will not be available for editing, as the single master for these properties is your on-premise Active Directory.

Click on Groups. There were three groups back in your DC: Managers, Contoso-FTE and Azure-Admins. None of these groups are showing up in Azure AD. This is because these were set as distribution groups. You need to change them to security groups. Go back to your DC, open AD users/computers and click on the top level contoso.com object. You will see the three groups in there. Click on each one and change the group type to security group.

Now you will manually run the sync tool, which is simply a scheduled task on your DC. Click on Window and type Task Scheduler and launch it. Click on the Task Scheduler Library folder, select the Azure AD Sync Scheduler and click the RUN button. Go back to your Azure AD and the groups tab. Refresh until you see the new groups appear.

So you have the core skills now and the infrastructure set up to play around some more. Some things to try:
- Set a user from your local AD to be a co-admin on the Azure Subscription and make sure that the user can login (their password is synced with AD; all the user passwords are 1stAzure on the DC).
- Disable the user in your local AD and make sure the user can no longer login to the Azure subscription.

THE END
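The group-type fix and manual sync run from section 5.2, together with the "disable the user" check from the things to try, as a script run on the domain controller; this is an added example, not part of the lab guide. It assumes the three groups sit directly under the domain root, the task name Azure AD Sync Scheduler from the lab, and a placeholder $testUser for one of the five lab users.

```powershell
# Added example, not from the lab guide: run in an elevated PowerShell on the contoso.com DC.
# It does the section 5.2 group fix and the "things to try" checks from the AD side.
# Assumptions: the three groups sit directly under the domain root (as the lab states), the
# sync task is "Azure AD Sync Scheduler" in the Task Scheduler Library root (from the lab),
# and $testUser is a placeholder for one of the five lab users.
Import-Module ActiveDirectory

$domainRoot = "DC=contoso,DC=com"
$syncTask   = "Azure AD Sync Scheduler"

function Invoke-LabSync {
    # Starts the scheduled sync task and waits for it to finish, like clicking RUN in Task Scheduler.
    Start-ScheduledTask -TaskName $syncTask -TaskPath "\"
    do {
        Start-Sleep -Seconds 5
    } while ((Get-ScheduledTask -TaskName $syncTask -TaskPath "\").State -eq "Running")
    $info = Get-ScheduledTask -TaskName $syncTask -TaskPath "\" | Get-ScheduledTaskInfo
    "Sync task finished at $($info.LastRunTime) with result $($info.LastTaskResult)"
}

# 1. Distribution groups are not synchronized; find the ones at the domain root and make
#    them security groups (the same change as the Group type radio button in ADUC).
$distGroups = Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -SearchBase $domainRoot -SearchScope OneLevel
foreach ($g in $distGroups) {
    Set-ADGroup -Identity $g -GroupCategory Security
    "Converted $($g.Name) to a security group"
}
Invoke-LabSync

# 2. "Things to try": disable a synced user on-premise, push the change, then confirm in the
#    Azure portal that the account can no longer sign in.
$testUser = "<sAMAccountName of a lab user>"   # placeholder, e.g. someone from the Marketing OU
Disable-ADAccount -Identity $testUser
Get-ADUser -Identity $testUser | Select-Object SamAccountName, Enabled
Invoke-LabSync
```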
Appendix 1: Copy .VHD File Script

"=================================================================================="
"==> Running - Getting all subscription details..."
$mysubs = Get-AzureSubscription
"==> List of Subscriptions..."
# Prompt only if the account has more than one subscription ($input is a reserved
# PowerShell variable, so the selection is held in $subselect instead).
If ($mysubs.count -gt 1) {
    for ($i = 0; $i -le $mysubs.count - 1; $i++) {
        $adname = $mysubs[$i].defaultaccount
        $output = "==> " + $i.tostring() + ": " + $adname + ":" + $mysubs[$i].subscriptionname
        $output
    }
    $subselect = [int](read-host "==> Enter the Number of the subscription to select: ")
} else { $subselect = 0 }
$mysubscription = $mysubs[$subselect].subscriptionname
Select-AzureSubscription -SubscriptionName $mysubscription
"==> Running - Getting all storage accounts for subscription: " + $mysubscription
$staccounts = Get-AzureStorageAccount -WarningAction SilentlyContinue
"==> List of Storage Accounts..."
if ($staccounts.count -eq 0) { "ERROR: No Storage Accounts"; return }
if ($staccounts.count -gt 1) {
    for ($i = 0; $i -le $staccounts.count - 1; $i++) {
        $output = "==> " + $i.tostring() + ": " + $staccounts[$i].storageaccountname
        $output
    }
    $stselect = [int](read-host "==> Enter Number to select: ")
} else { $stselect = 0 }
"==> Copying VHD File to your storage account..."
$mystorage = $staccounts[$stselect].storageaccountname
Set-AzureSubscription -SubscriptionName $mysubscription -CurrentStorageAccountName $mystorage | Out-Null
Select-AzureSubscription $mysubscription | Out-Null
# Destination context built from the primary key of the chosen storage account.
$deststoragekey = (Get-AzureStorageKey -StorageAccountName $mystorage).primary
$deststoragecontext = New-AzureStorageContext -StorageAccountName $mystorage -StorageAccountKey $deststoragekey -Protocol Http
# The lab .vhd is staged in five source accounts, teazurestore1 to teazurestore5; pick one at random.
$selectsa = Get-Random -Minimum 1 -Maximum 6
$vhdcopyname = "teazuredisk.vhd"
New-AzureStorageContainer -Name "vhdimages" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Out-Null
$destcontainer = "vhdimages"
$loc = "https://teazurestore" + $selectsa + ".blob.core.windows.net/vhdimages/teazuredisk.vhd"
$Time = [System.Diagnostics.Stopwatch]::StartNew()
# Server-side (asynchronous) copy; poll the copy state every 10 seconds until it leaves Pending.
$blob1 = Start-AzureStorageBlobCopy -AbsoluteUri $loc -DestContainer $destcontainer -DestBlob $vhdcopyname -DestContext $deststoragecontext -ErrorAction Stop
$status = $blob1 | Get-AzureStorageBlobCopyState
$status
While ($status.Status -eq "Pending") {
    $status = $blob1 | Get-AzureStorageBlobCopyState
    Start-Sleep 10
    ### Print out status ###
    $status
}
"Copy Time: " + $Time.Elapsed.Minutes + ":" + $Time.Elapsed.Seconds
Appendix 2: Creating/Uploading Your VMs

If you want to create your own VMs for use in Microsoft Azure from your local machine using Hyper-V, there are just a few critical things that you must do, as follows:
- Create a new Virtual Disk FIRST: make it a fixed disk and use the VHD format.
- Create your VM using the Virtual Disk and make sure to select Generation 1.
- Then do everything as normal to get your VM OS installed and all the software you need installed and configured. For this lab, the .iso image for a trial edition of Windows Server 2012 R2 was downloaded and used to boot the OS, and then the Domain Services role was installed and the machine promoted to a Domain Controller.

There are TWO special things you have to do in your VM BEFORE you upload it to Azure. The first is to TURN ON/allow remote desktop connection (Control Panel -> System). The second is to check the Public option for the Remote Desktop firewall rules on the Windows Firewall (Window -> type Firewall).

Then you need to install the latest version of the Azure PowerShell commands on the machine you will do the upload from. Then you can shut down your VM and copy just the .vhd file up to Azure using the following PowerShell script:

Add-AzureAccount
Select-AzureSubscription -SubscriptionName "<your subscription>"
$sourcevhd = "<path to .vhd file, e.g. c:\myvhdfiles\myazurevm.vhd>"
$destinationvhd = "https://<your storage account>.blob.core.windows.net/<your container>/<your uploaded vhd, e.g. myazurevm.vhd>"
Add-AzureVhd -LocalFilePath $sourcevhd -Destination $destinationvhd -NumberOfUploaderThreads 5

If you already have a VM but it is not a fixed disk, the Add-AzureVhd command will actually do a conversion to a fixed disk for you. The VHD file though must be in VHD format, NOT VHDX. The resulting .vhd file will be in your Azure storage account; you can then create a disk from this file and then create a Virtual Machine using the disk, putting your VM in a Virtual Network (as per the lab steps).

The VM used in this lab was also configured to be a domain controller and prepped for the Azure AD Sync tool install. The core steps are:
1. Run Windows Update and install all the latest critical patches.
2. Add the Domain Services Role and also install .NET Framework 3.5 (you will need this for the Azure AD Sync tool).
3. Configure DNS to remove the default forwarder.
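The Appendix 2 preparation steps (fixed VHD, Generation 1 VM, the two pre-upload settings, and the DC prep list) as commands; this is an added example, not part of the lab guide. It assumes the VM name myazurevm, the disk path C:\myvhdfiles\myazurevm.vhd, an ISO at C:\isos\WinServer2012R2.iso, and that the ISO is mounted as D: inside the guest.

```powershell
# Added example, not from the lab guide: the Appendix 2 preparation steps as commands.
# Part 1 runs on your Hyper-V host (Hyper-V PowerShell module); part 2 runs inside the guest
# before you shut it down and upload the .vhd. Assumed names: VM "myazurevm",
# disk C:\myvhdfiles\myazurevm.vhd, install media C:\isos\WinServer2012R2.iso (D: in the guest).

# --- Part 1: Hyper-V host ---------------------------------------------------------------
$vmName  = "myazurevm"
$vhdPath = "C:\myvhdfiles\myazurevm.vhd"
# Fixed-size disk in VHD format (the .vhd extension selects VHD; Azure does not take VHDX).
New-VHD -Path $vhdPath -SizeBytes 40GB -Fixed | Out-Null
# Generation 1 VM booting from that disk, with the OS ISO attached to install from.
New-VM -Name $vmName -MemoryStartupBytes 4GB -Generation 1 -VHDPath $vhdPath | Out-Null
Add-VMDvdDrive -VMName $vmName -Path "C:\isos\WinServer2012R2.iso"
# Sanity check before upload: the disk must report VHD format and Fixed type.
Get-VHD -Path $vhdPath | Select-Object VhdFormat, VhdType, Size

# --- Part 2: inside the guest (elevated PowerShell) -------------------------------------
# Special thing one: allow Remote Desktop connections (Control Panel -> System).
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -Value 0
# Special thing two: the Remote Desktop firewall rules must be enabled for the Public profile too.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -Profile Domain, Private, Public -Enabled True
# Core DC prep steps: AD DS role and .NET Framework 3.5 (needed by the Azure AD Sync tool).
# NET-Framework-Core is not staged on 2012 R2, so point -Source at the sources\sxs folder of the ISO.
Install-WindowsFeature -Name AD-Domain-Services, NET-Framework-Core -IncludeManagementTools -Source "D:\sources\sxs"
# Remove the default DNS forwarder(s) once the DNS role is in place.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress | ForEach-Object {
    Remove-DnsServerForwarder -IPAddress $_ -Force
}
```

Promoting the machine to a domain controller (Install-ADDSForest) and running Windows Update are left as the interactive steps the lab describes.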