CDP-H210 Introduction to Azure Active Directory

This is an infrastructure lab, useful to both ITPros and Developers to learn the basics of Azure Active Directory. The main focus is on understanding the basics of the directory itself, how to create one, users and groups, and one of the key scenarios for the ITPro, which is connecting and synchronizing the directory with on-premise Active Directory. You will create a domain controller using an Azure Virtual Machine as a proxy for your on-premise domain controller. You will install the Azure AD Connect tool on this DC to synchronize user names and passwords. The lab will also enable Multi-factor authentication.
Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core
directory services, advanced identity governance, security, and application access management. Azure AD also
offers developers an identity management platform to deliver access control to their applications, based on
centralized policy and rules. You can use Azure AD to secure and manage access to both Microsoft cloud
applications like Office365 as well as hundreds of non-Microsoft applications.

1. Login to the Azure Management Portal

The first task is to get you signed into the Azure Management Portal – and to do that you need a valid subscription for Azure. You can:
Use your own subscription,
Sign up for a free trial (http://azure.microsoft.com/en-us/pricing/free-trial)
Get a subscription from one of the lab proctors.
On your lab computer, fire up Internet Explorer and browse to http://manage.windowsazure.com and login using the user ID and password from one of the above methods.

2. Core Setup

You are going to be doing a number of things with Azure AD. One of the more complex things you will do is synchronize Azure AD with your on-premise Windows Server Active Directory. Well, since you can’t lift and shift your AD to this lab, you will actually create your own test on-premise network and AD infrastructure – and you will do this on Azure using Azure Virtual Networks and Virtual Machines. To save some time and also to show you how to upload and create your own VM on Azure, you will be copying an existing virtual hard disk file (.VHD) from an existing domain controller (the author’s) and then spinning up a Virtual Machine from this .VHD file.
The very first thing to do then is to copy the .VHD file to your subscription as this can take some time. For this lab, a virtual disk has already been copied to a set of storage accounts in Azure. Appendix 2 (as a reference) will explain how you would do this if you want to try when you get back to the office. You just need to copy the .VHD file to your own storage account. So first, you need a storage account.
Click the “+ NEW” icon at the bottom left and select DATA SERVICES and STORAGE and QUICK CREATE.
In the URL box, enter a name for your storage service… use <youralias>vhdstore… For example, if your name is Ann Green, your work email alias is [email protected], use agreenvhdstore as the storage account name (there can be NO UPPERCASE letters or symbols). You will get a red “tick” next to the URL name if it is OK.
Choose a location – this is which DataCenter in the world you want to place your storage account… You MUST select North Europe (your copy of the .VHD file will be very slow if you do not).
Select Locally Redundant replication – this means data in your storage account is NOT replicated to another Azure data center (we don’t need it for this lab, it’s also cheaper and faster).
Click on CREATE STORAGE ACCOUNT. It will take around 30 seconds for the account to get created (status: ONLINE).
Now you can copy the .vhd file. You will do this using PowerShell and specifically using the PowerShell commands for Azure. First you need to install these commands. On your lab machine, open another browser tab and go to this url:
https://github.com/Azure/azure-sdk-tools/releases
Click on the Windows Standalone link, RUN the .msi file and follow all the prompts to get PowerShell installed.
After install, click the Window button and type “Powershell ISE”. Right-click the Powershell ISE application and select Run as Administrator.
Click the Script button (as shown opposite) to show the script window.
At the command prompt, enter:
Add-AzureAccount
This will launch a login Window. Login using the credentials you used earlier. PowerShell is now “connected” to your Azure subscription and you can now interact with it. For example, type the following to get details about all your subscriptions:
Get-AzureSubscription
To copy the .VHD file, you will use a script which will prompt you for the subscription and storage account to use (if you have more than one), then it will randomly select from one of 5 storage accounts the .VHD file is stored in, then finally it will initiate the copy.
In Appendix 1 in this lab guide – copy the entire script and paste it into your script window in PowerShell (the top section with a tab called untitled1.ps1). Press RUN.
The script will run and keep checking the status of the copy operation. It can take just a few seconds or 10-15 minutes to copy the 20GB .vhd file – it depends on other activity at the time.
You will come back to this later in the lab when you need your “on-premise” domain controller.
One other thing you will need when you create your Virtual Machine/Domain Controller from the .vhd file you are copying is a Virtual Network. This will allow you later to add your Domain Controller to this network, as well as put other VMs in the network and have network connectivity and name resolution between them.
On the Management Portal, select “+ NEW” -> NETWORK SERVICES -> VIRTUAL NETWORK -> QUICK CREATE
Enter a NAME (which must be unique – suggest <alias>-vnet, for example agreen-vnet, as per the naming of your storage account; you can have symbols for most other services in your name, just not storage).
LOCATION - Select the same location as your storage account – preferably North Europe.
Leave the other values alone and then click OK. Your network will get created.
Once created (it will take just 20-30 seconds), click on the network and then click on the CONFIGURE tab.
In the DNS Servers section, enter the name of your domain controller VM – yes – you have not actually created this yet. Use <alias>-DCVM – for example agreen-DCVM.
Since the VM will be the first VM in your network, and the default IP address scheme for your network is a 10.0.0.0 scheme, we know that the IP address given to the first machine will be 10.0.0.4.
Enter this value in the IP address and click SAVE and YES to the warning. You are doing this step now in the lab to save you a little time and not have to do a reboot of your domain controller to pick up the DNS value.
That’s all you need to do right now. Let’s get started actually learning Azure Active Directory itself…

3. First Steps with Azure AD

3.1 Setting Up

Your first step with Azure AD is the easy part – just creating the directory itself.
On the Azure Portal, click “+ NEW”, select APP SERVICES, select Active Directory and then Directory and Custom Create.
Enter a name for the directory – whatever you want e.g. <alias> Azure AD
Then a DOMAIN NAME – use <alias>AAD and make sure the domain is valid/not taken – change it if it is.
Select the Country/Region – pick a country in the same region that you chose when you created your Network/Storage Account.
3.2 Changing your Directory-Subscription Mapping
Now there is a relationship between Azure subscriptions and Azure Active Directory. Each subscription has to be
associated with a single directory – a directory can apply to multiple subscriptions.
There is a default “hidden” directory – with the domain microsoft.onmicrosoft.com. When you created your
directory above, the subscription you are using is not associated with this new directory – it’s actually associated
with the “hidden” default directory (or it might even be some other directory depending on your subscription).
You can see this initial directory and you can also change it so that your subscription is mapped to your new
directory (although you cannot change this back currently).
IF you are a service administrator on the subscription you are using for this lab, you will be able to do the change
below to your directory.
Click on Settings (the last icon on the left nav).
The list of subscriptions shows for each subscription what the associated directory
is. As you can see, for your subscription, the default directory is NOT the directory
you just created.
Select the subscription and Click Edit Directory at the bottom of the portal. The
new directory you created will get populated as the only choice. If you do not see
this new directory, close the Edit Directory dialog and refresh your browser and try
again.
Click Next and OK. You will get a message about re-loading the portal. Click OK.
Now the subscription will show it is associated with your new directory. This means that you can create new users
in your new directory and use the directory for your Azure subscription management. For example you can create
a new user and make them a co-admin on your subscription. You will do this next.
Go back to your Azure AD in the Management Portal.
Click YOUR directory, and click the users tab. You will see your current Microsoft account listed.
Click on ADD USER. You want a New User in Your Organization.
Enter AzureCoAdmin as the username. Click NEXT.
Enter the Firstname (Azure)
Lastname (Coadmin)
Displayname (Azure CoAdmin)
For Role, select Global Administrator and then enter any alternate email address (this is not validated so
it can be any well formed address e.g. [email protected]).
DO NOT check enable MFA – you will do this in a later step.
On the Get Temporary Password screen, click the create button and then click the clipboard icon to copy the temporary password to the clipboard (you will change this password to something you can remember next).
Click OK
Now you have a user in your directory, the user has global admin permission on the directory itself, but the user is not yet a co-admin on the subscription.
On the Portal on the left nav, click on Settings and select the Administrators tab and click ADD
Enter the name of your coadmin – which would be azurecoadmin@<alias>aad.onmicrosoft.com. If you do this correctly, your user will be validated in the Azure AD.
Check the subscription you want to add the user as a co-admin to and click OK.
Now open up a new In-Private browser session (this is so that you can be logged into two Azure Portal Sessions using two different accounts at the same time) and go to the Azure Management Portal http://manage.windowsazure.com
Login with your full azurecoadmin@<alias>aad.onmicrosoft.com account and paste the password in from the clipboard (Ctrl-V). After login, you will be prompted to change your password, use 1stAzure as the new password.
NOTE: if you lose the password, you can reset it – go to the users tab on your directory, select the azurecoadmin user and click the reset password button at the bottom.
After login, you will now see all the same services as your Microsoft account login. Click through the getting started tour.
So you have your first user, and you actually have an application (the Azure Management Portal) that uses Azure
AD to authenticate against and get user information from the directory. Of course you can build your own
applications that do this as well. Other commercial applications such as Office 365, Dynamics CRM and Visual
Studio Online use Azure AD.

4. Back to AD – More stuff - Branding

So the basic capability of Azure AD is users and groups and using Azure AD as a directory and user account store for your applications. Azure itself uses AD as you just saw when you created your coadmin. One of the first things that Organizations want to do with their directory, and as an added precaution to give their users more certainty that they are visiting an approved place, is to brand their directory/sign-in experience. For this, you need to turn on the Azure AD Premium feature set.
Select your Directory again from the Active Directory node on the portal (you can use either the initial login or the co-admin account). Click on Licenses and click the link to Try AD Premium and accept the trial message - this will take 10-20 seconds to setup. Click the REFRESH link.
When completed, click on Assign on the bottom of the Portal. Click BOTH the two users you see to assign licenses to them. Now these users can access premium features.
Now click the CONFIGURE tab and you will see a Customize Branding button. However, before you can use it, you need to download some branding assets (images, icons etc. that have already been created for you).
Get the set of assets for this lab from the lab download folder here: http://1drv.ms/1DcUEnI
Check the “Azure_Intro_to_ActiveDirectory” folder and select DOWNLOAD in the header. Save the file to your desktop, right click the file on your desktop and select EXTRACT ALL…
Go back to the Azure Portal and click the Customize Branding button.
a. For the Banner Logo – select: Contoso_BannerLogo_default.png from your downloaded folder
b. For the Tile Logo – select: Contoso_Tilelogo_default
c. For the Sign in Page text: enter some text such as…
Need help? Contact Contoso Help Desk at (206) 555-1234. This site is operated by Microsoft on behalf of Contoso Inc and is for the exclusive use of Contoso employees and partners. Visit www.contoso.com/terms for details.
d. For the Sign-In Page Illustration, select: Contoso_Illustration_default.jpg
Click OK. Then in your in-private session, where you are logged in as your azurecoadmin, click on your username on the top right and select Sign Out. On the “You have been Signed Out” page, click sign-in.
You will see your branding updates as soon as Azure detects you want to use a login from the AD Domain that you have applied your branding updates to – i.e. your azurecoadmin@<alias>aad.onmicrosoft.com account.

5. Continue with Active Directory “Test Lab”

By now, your copy of the virtual hard disk should have completed. Switch to your PowerShell session to make sure it has. If it has not, you can continue with the Multi-Factor Authentication section. Let’s first make sure you actually have a .vhd file in your storage account – remember this .vhd file is the virtual disk on which Windows Server 2012 R2 is installed; it has AD installed and configured as a single forest (contoso.com) domain controller. There are a bunch of users and groups in the directory. DNS is configured.
5.1 Creating your Domain Controller VM

So you have a VHD file which sits in Azure storage, but you need a VM. The basic way you do this is to create a virtual disk in Azure, pointing at your .VHD file. You then create a VM using this virtual disk. Let’s do this…
In Azure, click on STORAGE, click your storage account - <alias>vhdstore, click the CONTAINERS tab and click the vhdimages container (this was created for you by the script). You should have a 20GB file in this container called teazuredisk.vhd
Click on the Virtual Machines category in the left nav bar of the portal. Click on the DISKS tab and click the “+ CREATE” button at the bottom.
Enter the details as you see opposite, pointing at the .vhd file in your storage account (click the folder icon to browse for the file) and making sure to check the VHD contains OS box and the OS Family.
Click OK. This action creates a logical disk that you can then use to spin up a virtual machine from. This should take around 20-30 seconds and you will see the disk in the portal when it is completed.
Now in the portal click the bottom left “+ NEW” button and select COMPUTE -> VIRTUAL MACHINE -> FROM GALLERY.
On the first page of the gallery wizard, click on the MY DISKS option on the lower left side. You will see your teazureDC disk. Select it and click NEXT.
Choose a name for your VM such as <alias>-DCVM – e.g. agreen-DCVM. Choose BASIC tier and A2 Size.
On the next screen, there are TWO important values: the CLOUD SERVICE DNS NAME and the REGION/AFFINITY GROUP/VIRTUAL NETWORK selection. The DNS Name will default to your VM name – make sure this resolves to a valid/unique value – change it if it does not. Make sure to select the Virtual Network you created earlier.
Click Next and then FINISH. Your VM will go through the process of getting created and booting up. It will take around 3-5 minutes for this to complete.
While it is doing this, click on the NETWORKS section in the portal, click on your network and click on DASHBOARD. Locate the IP address that your VM gets on the network.
Then click the CONFIGURE tab and look in the DNS Servers section. Make sure the IP address you entered here at the very start of the lab is the same as the IP address your VM got on the network. If it’s different, change it here, and after your VM has been created you will need to restart it so it picks up the correct DNS server IP address (which of course is itself).
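The disk and VM creation steps of 5.1, and the DNS address check just described, as one PowerShell sequence. This is an added example, not part of the lab guide: it assumes the Azure (service management) PowerShell module is installed and already signed in with Add-AzureAccount, that the VNet was Quick-Created with its default subnet name Subnet-1, and that $alias, the disk name and the cloud service name are placeholders you replace with your own.

```powershell
# Added example (not lab code): register the copied VHD as an OS disk, build the DC VM
# from it inside the lab VNet, then confirm the VM got the address set as the VNet DNS server.
$alias       = "agreen"                      # placeholder: replace with your own alias
$storageName = "${alias}vhdstore"            # storage account created in section 2
$vhdUri      = "https://$storageName.blob.core.windows.net/vhdimages/teazuredisk.vhd"
$diskName    = "teazureDC"                   # logical disk name shown under MY DISKS
$vmName      = "$alias-DCVM"
$serviceName = "$alias-DCVM"                 # cloud service DNS name; must be globally unique
$vnetName    = "$alias-vnet"                 # VNet created in section 2
$subnetName  = "Subnet-1"                    # assumption: Quick Create's default subnet name
$expectedDns = "10.0.0.4"                    # DNS server address entered on the VNet earlier

# 1. Same as DISKS -> + CREATE with "VHD contains OS" checked and OS Family = Windows
Add-AzureDisk -DiskName $diskName -MediaLocation $vhdUri -OS Windows | Out-Null

# 2. VM from the existing OS disk: no provisioning config, the OS and AD are already installed
$vm = New-AzureVMConfig -Name $vmName -InstanceSize Basic_A2 -DiskName $diskName |
      Set-AzureSubnet -SubnetNames $subnetName

# 3. Create the cloud service and the VM in the lab VNet (same location as the VNet)
New-AzureVM -ServiceName $serviceName -VNetName $vnetName -Location "North Europe" -VMs $vm

# 4. The DC must sit at the address the VNet hands out as its DNS server, otherwise
#    name resolution for every VM joined later breaks. Report a mismatch instead of guessing.
$ip = (Get-AzureVM -ServiceName $serviceName -Name $vmName).IpAddress
if ($ip -eq $expectedDns) {
    "DC $vmName is at $ip, matching the VNet DNS server entry"
} else {
    Write-Warning "DC $vmName is at $ip but the VNet DNS server entry is $expectedDns; update the DNS entry on the VNet and restart the VM"
}
```

The IpAddress is populated once the deployment exists; if it is empty, wait for the VM to finish provisioning and re-run step 4.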
Once your VM is ready, you can select it in the Portal and click on Connect.
When you get to the login screen for the VM, enter contoso\azureadmin as the username and 1stAzure as the password (remember this is a Domain Controller, so you need to login as the uber admin to the Domain). Enter something on the shutdown warning and click OK.
Now on your Domain Controller, open Active Directory Users and Computers (Server Manager -> Tools).
You will see two Organizational Units – Marketing and IT Group. Both have users in them. The passwords for all the users are the same – “1stAzure”. At the Contoso.com level, there are also three groups – AzureAdmins, Contoso_FTE and Managers and each has some members from the 5 users in the directory.

5.2 Connecting your DC to your Azure AD

You have an Azure Active Directory and now you have a Domain Controller… You now need to install the directory synchronization tool on your DC and setup your Azure AD to integrate with this domain controller.
From your Virtual Machine/DC, open a browser and go to this download link:
http://www.microsoft.com/en-us/download/details.aspx?id=44225
On the Microsoft Azure Active Directory Sync Services page, click the download button and click on RUN to start the install after download.
Accept the license terms and click on install
After install, the tool will start the configuration wizard. The first thing it needs is an Azure credential that has global admin access to your directory.
Go to the Azure Portal. You are going to create a new user in your Azure AD that you will use for the dirsync operation.
Go to the users tab in Azure AD and create a new user with aadsyncadmin as the username and make this user a global admin also. Copy the temporary password to the clipboard.
Go to either of your open Azure Portal browser sessions (the supplied admin account or your azurecoadmin account) – sign out and then Sign-In using the new aadsyncadmin account (which will be aadsyncadmin@<alias>AAD.onmicrosoft.com). Paste (CTRL-V) the temporary password into the password field. On the change password screen, change the temporary password to 1stAzure.
You won’t be able to access the Azure portal with this account, as it is not a coadmin on the subscription. Sign Out. Close the browser and switch to your other Azure Portal browser session.
Select your Azure AD and then click the DIRECTORY INTEGRATION tab.
Click the ACTIVATED link as shown opposite to ACTIVATE your directory for synchronization and then click SAVE.
Now, switch back to your domain controller and the AD Sync Wizard.
Enter the credentials you created for the aadsyncadmin user (aadsyncadmin@<alias>AAD.onmicrosoft.com and 1stAzure).
After validating, you need to enter the forest name and an admin username\password for your domain controller VM. This will be contoso.com, contoso\azureadmin and 1stAzure. After entering these values, click Add Forest and click NEXT.
Click past the user matching screen and on the Optional Features screen, check the Password Sync and Password Write-Back options. Click NEXT and CONFIGURE.
Once complete, click FINISH and the synchronization will happen. It will take a couple of minutes for the users and groups to show up in your Azure AD. You will see new users in the directory and the users will show they have been sourced from a “Local Active Directory”.
If you open up any of these users, their properties will not be available for editing as the single master for these properties is your on-premise Active Directory.
Click on Groups. There were three groups back in your DC – Managers, Contoso-FTE and Azure-Admins. None of these groups are showing up in Azure AD. This is because these were set as distribution groups. You need to change them to security groups.
Go back to your DC, open AD Users/Computers and click on the top level contoso.com object. You will see the three groups in there. Click on each one and change the group type to security group.
Now you will manually run the sync tool – which is simply a scheduled task on your DC. Click on Window and type “Task Scheduler” and launch it.
Click on the Task Scheduler Library folder, select the Azure AD Sync Scheduler and click the RUN button.
Go back to your Azure AD and the groups tab. Refresh until you see the new groups appear.
So you have the core skills now and the infrastructure setup to play around some more. Some things to try:
Set a user from your local AD to be a co-admin on the Azure Subscription – make sure that the user can login (their password is synced with AD – all the user passwords are “1stAzure” on the DC).
Disable the user in your local AD and make sure the user can no longer login to the Azure subscription.
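A way to verify the synchronization state and the "disable the user" experiment from the cloud side, as an added example that is not part of the lab guide. It assumes the Azure AD (MSOnline) PowerShell module is installed on the lab machine and that you sign in to Connect-MsolService with a directory global admin such as the azurecoadmin account; the role name "Company Administrator" is the internal name of the Global Administrator role.

```powershell
# Added example (not lab code): inspect directory sync state, list synced accounts,
# confirm on-premise disables propagate, and review which global admins come from on-premise AD.
Import-Module MSOnline
Connect-MsolService                      # prompts for the directory global admin credentials

# 1. Is sync activated, when did it last run, and is password sync on? (Mirrors the
#    DIRECTORY INTEGRATION tab and the Password Sync option chosen in the wizard.)
$info = Get-MsolCompanyInformation
"DirSync enabled : " + $info.DirectorySynchronizationEnabled
"Last sync       : " + $info.LastDirSyncTime
"Password sync   : " + $info.PasswordSynchronizationEnabled

# 2. Accounts sourced from "Local Active Directory" carry a LastDirSyncTime and an ImmutableId;
#    cloud-only accounts such as azurecoadmin and aadsyncadmin have neither.
$synced = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -ne $null }
$synced |
    Select-Object UserPrincipalName, DisplayName, LastDirSyncTime, BlockCredential |
    Format-Table -AutoSize

# 3. After disabling a user on the DC and running the Azure AD Sync Scheduler task,
#    that account should show BlockCredential = True here. Anything still False has not
#    propagated yet (or the scheduled sync has not run), so the user can still sign in.
$stillEnabled = $synced |
    Where-Object { -not $_.BlockCredential } |
    Select-Object -ExpandProperty UserPrincipalName
"Synced accounts still allowed to sign in: " + ($stillEnabled -join ", ")

# 4. Least-privilege check: which directory global admins are synced from on-premise AD?
#    A synced admin is only as protected as the on-premise account it mirrors.
$gaRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
    Select-Object UserPrincipalName,
                  @{ n = "SyncedFromOnPrem"; e = { $_.LastDirSyncTime -ne $null } } |
    Format-Table -AutoSize
```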
THE END

Appendix 1: Copy .VHD File Script

"=================================================================================="
"==> Running - Getting all subscription details..."
"==>"
# Wrap in @() so .Count also works when only one subscription is returned
$mysubs = @(Get-AzureSubscription)
"==> List of Subscriptions..."
If ($mysubs.Count -gt 1) {
    for ($i = 0; $i -le $mysubs.Count - 1; $i++) {
        $adname = $mysubs[$i].DefaultAccount
        $output = "==> " + $i.ToString() + ": " + $adname + ":" + $mysubs[$i].SubscriptionName
        $output
    }
    "==>"
    # $input is a PowerShell automatic variable, so a different name is used for the choice
    $subselect = [int](Read-Host "==> Enter the Number of the subscription to select: ")
}
else { $subselect = 0 }
$mysubscription = $mysubs[$subselect].SubscriptionName
Select-AzureSubscription -SubscriptionName $mysubscription
"==>"
"==> Running - Getting all storage accounts for subscription: " + $mysubscription
"==>"
$staccounts = @(Get-AzureStorageAccount -WarningAction SilentlyContinue)
"==> List of Storage Accounts..."
if ($staccounts.Count -eq 0) {
    "ERROR: No Storage Accounts"
    exit 1    # 'stop' is not a PowerShell command; leave the script with a non-zero exit code
}
if ($staccounts.Count -gt 1) {
    for ($i = 0; $i -le $staccounts.Count - 1; $i++) {
        $output = "==> " + $i.ToString() + ": " + $staccounts[$i].StorageAccountName
        $output
    }
    "==>"
    $stselect = [int](Read-Host "==> Enter Number to select: ")
}
else { $stselect = 0 }
"==>"
"==> Copying VHD File to your storage account..."
"==>"
$mystorage = $staccounts[$stselect].StorageAccountName
Set-AzureSubscription -SubscriptionName $mysubscription -CurrentStorageAccountName $mystorage | Out-Null
Select-AzureSubscription -SubscriptionName $mysubscription | Out-Null
# The primary storage key is used only to build the destination context (request signing); it is never printed
$deststoragekey = (Get-AzureStorageKey -StorageAccountName $mystorage).Primary
# -Protocol Http drives the copy over plain HTTP; outside a lab, prefer the default (Https)
$deststoragecontext = New-AzureStorageContext -StorageAccountName $mystorage -StorageAccountKey $deststoragekey -Protocol Http
# The source .vhd is mirrored in five storage accounts (teazurestore1 to teazurestore5); pick one at random
$selectSA = Get-Random -Minimum 1 -Maximum 6
$vhdcopyname = "teazuredisk.vhd"
New-AzureStorageContainer -Name "vhdimages" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Out-Null
$destcontainer = "vhdimages"
$loc = "https://teazurestore" + $selectSA + ".blob.core.windows.net/vhdimages/teazuredisk.vhd"
$Time = [System.Diagnostics.Stopwatch]::StartNew()
# Asynchronous server-side blob copy: the data moves between storage accounts, not through your machine
$blob1 = Start-AzureStorageBlobCopy -AbsoluteUri $loc -DestContainer $destcontainer -DestBlob $vhdcopyname -DestContext $deststoragecontext -ErrorAction Stop
$status = $blob1 | Get-AzureStorageBlobCopyState
$status
While ($status.Status -eq "Pending") {
    Start-Sleep 10
    $status = $blob1 | Get-AzureStorageBlobCopyState
    ### Print out status ###
    $status
}
"Copy Time: " + $Time.Elapsed.Minutes + ":" + $Time.Elapsed.Seconds

Appendix 2 – Creating/Uploading Your VMs

If you want to create your own VMs for use in Microsoft Azure from your local machine using Hyper-V, there are just a few critical things that you must do as follows:-
Create a new Virtual Disk FIRST – make it a fixed disk and use the VHD format
Create your VM, using the Virtual Disk and make sure to select Generation 1
Then do everything as normal to get your VM OS installed and all the software you need installed and configured. For this lab, the .ISO image for a trial edition of Windows Server 2012 R2 was downloaded and used to boot the OS and then the Domain Services role was installed and the machine promoted to a Domain Controller.
There are TWO special things you have to do in your VM BEFORE you upload it to Azure.
The first is to TURN ON/Allow remote desktop connection (Control Panel->System).
The second is to check the Public option for the Remote Desktop firewall rules on the Windows Firewall (Window->Type Firewall)
Then you need to install the latest version of the Azure PowerShell Commands on the machine you will do the upload from.
Then you can shut down your VM and copy just the .vhd file up to Azure using the following PowerShell script:
Add-AzureAccount
Select-AzureSubscription -SubscriptionName "<your subscription>"
$sourceVHD = "<Path to .vhd file e.g. c:\myvhdfiles\myazurevm.vhd>"
$destinationVHD = "https://<your storage account>.blob.core.windows.net/<your container>/<your uploaded vhd e.g. myazurevm.vhd>"
Add-AzureVhd -LocalFilePath $sourceVHD -Destination $destinationVHD -NumberOfUploaderThreads 5
If you already have a VM but it is not a fixed disk, the Add-AzureVhd command will actually do a conversion to a fixed disk for you. The VHD file though must be in VHD format, NOT VHDX.
The resulting .VHD file will be in your Azure storage account – you can then create a disk from this file and then create a Virtual Machine using the disk, putting your VM in a Virtual Network (as per the lab steps).
The VM used in this lab was also configured to be a domain controller and prepped for the Azure AD Sync tool install. The core steps are:-
1. Run Windows Update and install all the latest critical patches
2. Add the Domain Services Role and also install .NET Framework 3.5 (you will need this for the Azure AD Sync tool).
3. Configure DNS to remove the default forwarder.