Azure AD/Office 365 seamless sign-inPart 6 – Understand and implement PHS and seamless SSO

Microsoft FrancePublished: January 2017Version: 1.0

Authors: Philippe Beraud (Microsoft France)Contributors/Reviewers: Daniel Pasquier, Jean-Yves Grasset (Microsoft France), Philippe Maurent (Microsoft Corporation)

For the latest information on Azure Active Directory, please see http://azure.microsoft.com/en-us/services/active-directory/

Copyright © 2017 Microsoft Corporation. All rights reserved.

Abstract: Password hash synchronization (PHS) is a feature to synchronize user passwords from an on-premises Active Directory to a cloud-based Azure AD tenant. This feature enables end-users to sign into Azure AD services, such as Office 365, Microsoft Intune, CRM Online, and Azure AD Domain Services, using the same password they’re using to sign in to their organization’s on-premises Active Directory.Moreover, the seamless single sign-on (SSO) feature allows end-users to only need to type their username and not their password to sign in to Azure AD/Office 365 or other cloud apps and services when they are on their corporate machines and connected on the organization’s corporate network.In addition to the first part, which is intended to provide a better understanding of the multiple seamless sign-in deployment options provided by Azure AD/Office 365, this document more specifically discusses how to enable PHS and seamless SSO using corporate Active Directory credentials to access Azure AD/Office 365, and the different configuration elements to be aware of for such a deployment. This document provides a complete end-to-end walkthrough to rollout a fully operational configuration in Azure.By following the steps outlined in this document you should be able to successfully configure your environment to deploy the PHS and seamless SSO features, and start

using it within your organization to provide a seamless sign-in experience for end-users accessing Azure AD/Office 365 resources.

Table of ContentsINTRODUCTION..................................................................................................

OBJECTIVES OF THIS PAPER................................................................................................NON-OBJECTIVES OF THIS PAPER.........................................................................................ORGANIZATION OF THIS PAPER............................................................................................ABOUT THE AUDIENCE.......................................................................................................

SETTING UP THE BASE CONFIGURATION TEST LAB...............................................DEPLOYING THE LAPTOP1 COMPUTER IN THE TEST LAB ENVIRONMENT.......................................JOINING THE LAPTOP1 COMPUTER TO THE LITWARE369 DOMAIN.........................................ACCESSING THE VARIOUS MACHINES OF THE TEST LAB ENVIRONMENT.......................................

SETTING UP PHS AND SEAMLESS SSO WITH THE AZURE AD/OFFICE 365 TENANT12DOWNLOADING AZURE AD CONNECT................................................................................EXECUTING AZURE AD CONNECT......................................................................................CONFIGURING ADDITIONAL TASKS......................................................................................VERIFYING THE SYNCHRONIZATION ON THE AZURE AD/OFFICE 365 TENANT..............................CONFIGURING THE SEAMLESS SINGLE SIGN-ON IN THE LITWARE369 DOMAIN...........................VERIFYING THE "SAME SIGN-ON" WITH THE AZURE AD/OFFICE 365 TENANT.............................VERIFYING THE SEAMLESS SINGLE SIGN-ON (SSO) WITH THE AZURE AD/OFFICE 365 TENANT......TROUBLESHOOTING THE CONFIGURATION............................................................................

UNDERSTANDING PHS AND SEAMLESS SSO.......................................................UNDERSTANDING PHS....................................................................................................UNDERSTANDING SEAMLESS SSO......................................................................................

MONITORING YOUR ON-PREMISES DEPLOYMENT (OPTIONAL).............................GETTING STARTED WITH THE AZURE AD CONNECT HEALTH SERVICE........................................CONFIGURING AZURE AD CONNECT HEALTH FOR SYNC.........................................................CONFIGURING AZURE AD CONNECT HEALTH FOR AD DS......................................................USING THE AZURE AD CONNECT HEALTH SERVICE...............................................................

IntroductionMicrosoft Office 3651 provides secure anywhere access to professional email, shared calendars, instant messaging (IM), video conferencing, document collaboration, etc. It represents the cloud version of the Microsoft communication and collaboration products with the latest version of the Microsoft desktop suite for businesses of all sizes.Azure Active Directory (Azure AD) is the directory behind Office 365 used to store user identities and other tenant properties. Just like the on-premises Active Directory stores the information for Exchange, SharePoint, Lync and your custom Line of Business (LOB) apps, Azure AD stores the information for Exchange Online, SharePoint Online, Skype for Business Online, etc., and any custom applications built in the Microsoft’s cloud.Through the password hash synchronization (PHS) feature, user passwords are synchronized from the organization’s on-premises Active Directory to the organization’s cloud-based Azure AD tenant. This feature enables end-users to sign into Azure AD services, such as Office 365, Dynamics 365, Intune, and Azure AD Domain Services, using the same password they’re using to sign in to their organization’s on-premises Active Directory. This is sometimes referred as to "same" sign-on.In addition, the seamless single sign-on (SSO) feature allows end-users to only need to type their username and not their password to sign in to Azure AD/Office 365 or other cloud apps and services when they are on their corporate machines and connected on the organization’s corporate network.

Note For more information, see blog post INTRODUCING #AZUREAD PASS-THROUGH AUTHENTICATION AND SEAMLESS SINGLE SIGN-ON 2.

Objectives of this paperThis document complements Part 1 and Part 2 of this whitepaper by providing an end-to-end walkthrough to rollout a working PHS and seamless SSO configuration for Azure AD/Office 365.

Non-objectives of this paperIt doesn’t provide an understanding of the different seamless sign-in deployment options with Azure AD/Office 365. This is specifically the intent of the aforementioned first part that covers all the key aspects the readers should understand to successfully achieve seamless sign-in with Azure AD/Office 365 for their organization.

Organization of this paperTo cover the aforementioned objectives, this document is organized in the following 4 sections:

SETTING UP THE BASE CONFIGURATION TEST LAB. SETTING UP PHS AND SEAMLESS SSO WITH THE AZURE AD/OFFICE 365 TENANT. UNDERSTANDING PHS AND SEAMLESS SSO. UNDERSTANDING PHS AND SEAMLESS SSO.

1 Microsoft Office 365: http://office.microsoft.com/en-us/business/2 INTRODUCING #AZUREAD PASS-THROUGH AUTHENTICATION AND SEAMLESS SINGLE SIGN-ON: https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/introducing-azuread-pass-through-authentication-and-seamless-single-sign-on/

Azure AD/Office 365 seamless sign-in 1

These sections provide the information details necessary to (hopefully) successfully build a working environment for the scenario. They must be followed in order.

About the audienceThis document is intended for system architects and IT professionals who are interested in understanding this capability of Azure AD/Office 365 from a hand-practice perspective.

2 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Setting up the base configuration test labBy following the instructions outlined hereafter, you should be able to successfully prepare your on-premises test lab environment based on virtual machines (VMs) running in Azure to later deploy and configure the test environment, install and configure it.In order to complete the document’s walkthrough, you need an environment that consists of the following components for the Azure-based test lab infrastructure:

Two computers running Windows Server 2012 R2 (named DC1 respectively DC2 by default) that will be configured as a domain controller with a test user and group accounts, and Domain Name System (DNS) servers. DC1 will host Azure AD Connect for the sync between the Azure-based test lab infrastructure and the Azure AD/Office 365 subscription.

One intranet computer running Windows 8.1 (named LAPTOP1).If you’ve already followed the walkthrough of Part 2, the DC1 and DC2 computers that pertain to the Azure-based test lab infrastructure should already be in place. If you haven’t yet conducted this rollout, this is the time to do so.The rest of this document makes the assumption that such an evaluation environment is in place. You don’t need the ADFS1, ADFS2, WAP1, and WAP2 computers that are part of this lab environment. You can leave them turned off for the rest of this document.The above Azure VMs will enable you to:

Connect to the Internet to install updates, and access Internet resources in real time.

Later configure them with Azure AD Connect to finally get a relevant Azure-based test infrastructure.

Remotely managed those using a Point-to-Site (P2S) connection and then Remote Desktop (RDP) connections by your computer that is connected to the Internet or your organization network.

Note You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

Create snapshots so that you can easily return to a desired configuration for further learning and experimentation.

For illustration purposes, we’ve opted to configure the domain litware369.com (LITWARE369). You will have to choose in lieu of a domain name of yours. For checking purpose, you can for instance use the domain search capability provided by several popular domain name registrars. Whenever a reference to litware369.com is made in a procedure, it has to be replaced by the DNS domain name of your choice to reflect accordingly the change in naming. Likewise, any reference to LITWARE369 should be substituted by the NETBIOS domain name of your choice.For the sake of simplicity, the same password "Pass@word1!?" is used throughout the procedures detailed in this document. This is neither mandatory nor recommended in a real-world scenario.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 3

To perform all the tasks in this guide, we will use the local administrator account AzureAdmin or alternatively the LITWARE369 domain administrator account AzureAdmin for each VM, unless instructed otherwise.

Deploying the LAPTOP1 computer in the test lab environmentTo illustrate the newly introduced seamless single sign-on (SSO) feature, a Windows 8.1 based client image needs to be added to the test lab environment built with Part 2.

Note For Windows 10 based clients, the recommendation is to use Azure AD join for the best experience with Azure AD. For more information, see article EXTENDING CLOUD CAPABILITIES TO WINDOWS 10 DEVICES THROUGH AZURE ACTIVE DIRECTORY JOIN 3.

As of this writing, the gallery of Microsoft Azure only provides Windows-based client images for MSDN and Visual Studio subscribers.

If you already benefit from such a subscription, this is the way to go to provision the LAPTOP1 computer and you can skip the rest of this section. Please, directly jump to the section § JOINING THE LAPTOP1 COMPUTER TO THELITWARE369 DOMAIN .However, since you aren’t necessarily such a subscriber, we will also illustrate hereafter an approach that allows you to upload your own custom VHD image.The requirements for a custom Windows 8.1 image that can be uploaded for use with Microsoft Azure are as follows:

The image size must be 1,023 GB or smaller. It must be on a VHD file. The VHDX format is not currently supported.

3 EXTENDING CLOUD CAPABILITIES TO WINDOWS 10 DEVICES THROUGH AZURE ACTIVE DIRECTORY JOIN: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-overview

4 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

The VHD file must be a generation 1 VM. Generation 2 VMs are currently not supported.

The VHD file must be fixed-size. The disk must be initialized using the Master Boot Record (MBR) partitioning style.

The GUID partition table (GPT) partition style is not supported. The VHD file must contain a single installation of Windows 8.1. It can contain

multiple volumes, but only one that contains an installation of Windows. The VHD image must be generalized by running the Sysprep.exe tool before

uploading the VHD for Azure. The parameters /oobe /generalize /shutdown must be used in lieu of the /mode:vm parameter.

Note A generalized VHD image has had all of your personal account information removed using the Sysprep.exe tool. For more information, see article GENERALIZE A WINDOWS VIRTUAL MACHINE USING SYSPREP 4.

Uploading a VHD file from a snapshot chain is not supported.The next sections depict how to build a custom Windows 8.1 image and deploy on that basis a LAPTOP1 VM in the test lab environment.

Important note For more information, see article GENERALIZE A WINDOWS VIRTUAL MACHINE USING SYSPREP 5.

Building your own custom VHD fileTo build your own custom VHD file, proceed with the following steps:

1. Download an evaluation copy of Windows 8.1 Enterprise from https://www.microsoft.com/en-gb/evalcenter/evaluate-windows-8-1-enterprise:

a. Click Sign in and then sign-in with your Microsoft Account credentials.

Note If you don’t have a Microsoft account yet, you can create one at http://signup.live.com.

b. Click Register to continue and fulfill the form with notably the version of Windows 8.1 Enterprise to download. Specify the 64-bit one. Click Continue.

c. Download the ISO file and save it to your local computer.2. Create a VHD file by using Disk Management (diskmgmt.msc).

a. Create a fixed size VHD. Click Action > Create VHD.b. Specify the location, for instance "C:\Users\Public\Documents\Hyper-V\

Virtual Hard Disks\win81-enterprise-eval.vhd" in our illustration, the size, e.g. 40 GB or more in size, and the VHD format. Select Fixed size (recommended), and then click OK.

4 GENERALIZE A WINDOWS VIRTUAL MACHINE USING SYSPREP: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-generalize-vhd5 GENERALIZE A WINDOWS VIRTUAL MACHINE USING SYSPREP: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-generalize-vhd

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 5

This may run for several minutes. When the VHD file creation is complete, you should see a new disk without any drive letter and in Not initialized state in the Disk Management console.

c. Right-click the disk (not the unallocated space), and then click Initialize Disk. Select MBR (Master Boot Record) as the partition style, and then click OK.

d. Create a new volume. Right-click the unallocated space, and then click New Simple Volume. You can accept the defaults in the wizard, but make sure you assign a drive letter to avoid potential problems when you upload the template image.

e. Right-click the disk, and then click Detach VHD.3. Create a new VM. Use the New Virtual Machine Wizard in Hyper-V Manager on

your local machine:

Note If Hyper-V is not already available on your local computer, please refer to the article INSTALL HYPER-V ON WINDOWS 10 6 to enable this feature.

a. On the Specify Generation page, choose Generation 1.b. On the Connect Virtual Hard Disk page, select Use an existing virtual

hard disk, and browse to the VHD file created in the above step 2.c. Choose other options in the wizard necessary to install Windows 8.1

Enterprise. Finish the wizard.d. After the wizard finishes, edit the settings of the virtual machine, select the

DVD Reader and under Media, point to the location of your Windows 8.1 Enterprise ISO file in Image File. Make any other changes necessary to install Windows 8.1 Enterprise, and then click OK.

e. Boot the VM, connect to it, and then proceed with the installation of Windows 8.1 Enterprise. Use express settings.

f. Follow all the steps outlined in the article PREPARE A WINDOWS VHD OR VHDX TO UPLOAD TO AZURE TO PREPARE THE RESULTING CUSTOM IMAGE FOR MICROSOFT AZURE 7, starting at section § SET WINDOWS CONFIGURATIONS FOR AZURE to prepare a suitable generalized VHD image for Azure.

Note A generalized VHD image has all of your personal account information removed using the Sysprep.exe tool. For more information, see article GENERALIZE A WINDOWS VIRTUAL MACHINE USING SYSPREP 8.

At this stage, you are now ready to upload the custom image to Azure.

Uploading the custom VHD file to AzureTo upload the generalized custom VHD to Azure, proceed with the following steps:

1. Connect to your Azure subscription: a. Open a Windows PowerShell or PowerShell Integrated Scripting

Environment (ISE) prompt, and then run the following command:

PS C:\> Add-AzureRmAccount

6 INSTALL HYPER-V ON WINDOWS 10: https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v7 PREPARE A WINDOWS VHD OR VHDX TO UPLOAD TO AZURE TO PREPARE THE RESULTING CUSTOM IMAGE FOR MICROSOFT AZURE: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-prepare-for-upload-vhd-image8 GENERALIZE A WINDOWS VIRTUAL MACHINE USING SYSPREP: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-generalize-vhd

6 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

b. Sign-in with your admin credentials.2. Get the storage account to store the uploaded VM image. You will use one of the

three existing storage accounts in the resource group of your test lab environment. Run the following command to show the available storage accounts:

PS C:\> Get-AzureRmStorageAccount –ResourceGroupName 'LITWARE369-RG'

This cmdlet outputs the followings:

ResourceGroupName : litware369-rgStorageAccountName : cmitpcd2yhw42sa1Id : /subscriptions/8848a529-9d69-4049-8469-8218547a61e2/resourceGroups/litware369-rg/pro viders/Microsoft.Storage/storageAccounts/cmitpcd2yhw42sa1Location : northeuropeSku : Microsoft.Azure.Management.Storage.Models.SkuKind : StorageEncryption :AccessTier :CreationTime : 05/01/2017 16:52:59CustomDomain :LastGeoFailoverTime :PrimaryEndpoints : Microsoft.Azure.Management.Storage.Models.EndpointsPrimaryLocation : northeuropeProvisioningState : SucceededSecondaryEndpoints :SecondaryLocation :StatusOfPrimary : AvailableStatusOfSecondary :Tags : {}Context : Microsoft.WindowsAzure.Commands.Common.Storage.LazyAzureStorageContext

ResourceGroupName : litware369-rgStorageAccountName : cmitpcd2yhw42sa2Id : /subscriptions/8848a529-9d69-4049-8469-8218547a61e2/resourceGroups/litware369-rg/pro viders/Microsoft.Storage/storageAccounts/cmitpcd2yhw42sa2Location : northeuropeSku : Microsoft.Azure.Management.Storage.Models.SkuKind : StorageEncryption :AccessTier :CreationTime : 05/01/2017 16:52:59CustomDomain :LastGeoFailoverTime :PrimaryEndpoints : Microsoft.Azure.Management.Storage.Models.EndpointsPrimaryLocation : northeuropeProvisioningState : SucceededSecondaryEndpoints :SecondaryLocation :StatusOfPrimary : AvailableStatusOfSecondary :Tags : {}Context : Microsoft.WindowsAzure.Commands.Common.Storage.LazyAzureStorageContext

ResourceGroupName : litware369-rgStorageAccountName : cmitpcd2yhw42sa3Id : /subscriptions/8848a529-9d69-4049-8469-8218547a61e2/resourceGroups/litware369-rg/pro viders/Microsoft.Storage/storageAccounts/cmitpcd2yhw42sa3Location : northeuropeSku : Microsoft.Azure.Management.Storage.Models.SkuKind : StorageEncryption :AccessTier :CreationTime : 05/01/2017 16:52:59CustomDomain :LastGeoFailoverTime :PrimaryEndpoints : Microsoft.Azure.Management.Storage.Models.EndpointsPrimaryLocation : northeuropeProvisioningState : SucceededSecondaryEndpoints :SecondaryLocation :StatusOfPrimary : AvailableStatusOfSecondary :Tags : {}Context : Microsoft.WindowsAzure.Commands.Common.Storage.LazyAzureStorageContext

3. Upload the VHD to a container in the selected storage account, for example cmitpcd2yhw42sa1 in our illustration. Run the following commands in order:

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 7

PS C:\> $rgName = "LITWARE369-RG"PS C:\> $urlUploadedImageVhd = "https://cmitpcd2yhw42sa1.blob.core.windows.net/customvhds/win81-enterprise-eval.vhd"PS C:\> $pathImageVhd2Upload = "C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\win81-enterprise-eval.vhd"PS C:\> Add-AzureRmVhd -ResourceGroupName $rgName -Destination $urlUploadedImageVhd ` -LocalFilePath $pathImageVhd2Upload

This command uploads the generalized VHD file win81-enterprise-eval.vhd from "C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\" to the cmitpcd2yhw42sa1 storage account in the LITWARE369-RG resource group. The file will be placed into the container named customvhds and the file will keep the win81-enterprise-eval.vhd filename.Depending on your network connection and the size of your VHD file, the Add-AzureRmVhd9 cmdlet may take a while to complete. it will begin to generate a MD5 hash of the generalized VHD image. This aims at ensuring that, once the image blob has been created, it's exactly the same as it was when it left your local computer. The hashing and upload takes a while.

Note If the upload process of the VHD image is taking too long, you can consider increasing the thread count by specifying the -NumberOfUploaderThreads parameter.

If successful, you finally get a response that looks similar to this:

MD5 hash is being calculated for the file C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\win81-enterprise-eval.vhd.MD5 hash calculation is completed.Elapsed time for the operation: 00:17:05Creating new page blob of size 42949673472...Detecting the empty data blocks in the local file.Detecting the empty data blocks completed.Elapsed time for upload: 00:13:28

LocalFilePath DestinationUri------------- --------------C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\win81-enterprise-eval.vhd https://cmitpcd2yhw42sa1.blob.core...

Note For more information, see article UPLOAD A WINDOWS VHD FROM AN ON-PREMISES VM TO AZURE 10.

To view and interact with your Azure Storage resources, you can use the free Microsoft Azure Storage Explorer tool. This tool can be freely downloaded at http://storageexplorer.com/.It’s now time to create the LAPTOP1 VM in the test lab environment from the uploaded generalized VHD image.

Creating the LAPTOP1 VM from the generalized VHD imageTo create the LAPTOP1 VM from the generalized VHD image, proceed with the following steps:

1. From the previous Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt, set some variables;

PS C:\> $rgName = "LITWARE369-RG"PS C:\> $location = "North Europe"PS C:\> $vmName = “LAPTOP1"

9 ADD-AZURERMVHD: https://docs.microsoft.com/en-us/powershell/resourcemanager/azurerm.compute/v1.3.4/add-azurermvhd10 UPLOAD A WINDOWS VHD FROM AN ON-PREMISES VM TO AZURE: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-upload-image

8 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

2. Get the existing virtual network (adfs-infra-subnet) in the test lab environment:

PS C:\> $vnetName = "adfs-infra-subnet"PS C:\> $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName

3. Create a network interface on the internal subnet (Internal-sn):

PS C:\> $nicName = '{0}-nic' -f $vmName.ToLower()PS C:\> $nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName -Location $location ` -SubnetId $vnet.Subnets[0].Id -IpConfigurationName "ipconfig1"

4. Set the name and the size of the virtual machine. We will create a "Standard_A0" sized VM.

Note For more information, see article SIZES FOR VIRTUAL MACHINES IN AZURE 11.

PS C:\> $vmSize = "Standard_A0"PS C:\> $vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize

5. Specify the credentials to use as the local administrator account for remotely accessing the VM. When prompted, specify "AzureAdmin" for the user name and "Pass@word1!?" for the password.

PS C:\> $cred = Get-Credential

6. Set the Windows operating system configuration and add the above created network interface.

PS C:\> $vm = Set-AzureRmVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmName ` -Credential $cred -ProvisionVMAgent -EnableAutoUpdatePS C:\> $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

7. Set the URI of the generalized VHD image, for example in our illustration:https://cmitpcd2yhw42sa1.blob.core.windows.net/customvhds/win81-enterprise-eval.vhd

PS C:\> $imageURI = "https://cmitpcd2yhw42sa1.blob.core.windows.net/customvhds/win81-enterprise-eval.vhd"

8. Get the storage account where this generalized VHD image is stored.

PS C:\> $storageAccName = "cmitpcd2yhw42sa1"PS C:\> $storageAcc = Get-AzureRmStorageAccount -ResourceGroupName $rgName -AccountName $storageAccName

9. Configure the OS disk to be created from the existing VHD image (-CreateOption fromImage).

PS C:\> $osDiskName = "osdisk"PS C:\> $osDiskUri = '{0}vhds/{1}-{2}.vhd' ` -f $storageAcc.PrimaryEndpoints.Blob.ToString(), $vmName.ToLower(), $osDiskNamePS C:\> $vm = Set-AzureRmVMOSDisk -VM $vm -Name $osDiskName -VhdUri $osDiskUri ` -CreateOption fromImage -SourceImageUri $imageURI -Windows

10. Create the new LAPTOP1 VM.

PS C:\> New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vm

11 SIZES FOR VIRTUAL MACHINES IN AZURE: https://azure.microsoft.com/documentation/articles/virtual-machines-windows-sizes/

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 9

This above PowerShell script sets up the LAPTOP1 VM configuration and use the uploaded generalized VHD image as the source for this new installation.

11. Verify that the LAPTOP1 VM has been created. When complete, you should see the newly created LAPTOP1 VM in the Azure portal under Browse > Virtual machines, or by running the following commands:

PS C:\> $vmList = Get-AzureRmVM -ResourceGroupName $rgNamePS C:\> $vmList.Name

Note For more information, see article CREATE A VM FROM A GENERALIZED VHD IMAGE 12 and/or video CREATE A CUSTOM VIRTUAL MACHINE IMAGE IN AZURE RESOURCE MANAGER WITH POWERSHELL 13.

Joining the LAPTOP1 computer to the LITWARE369 domainTo join the LAPTOP1 computer to the LITWARE369 domain, proceed with the following steps:

1. Open a remote desktop connection on the LAPTOP1 computer. Follow the instructions as per section ACCESSING THE VARIOUS MACHINES OF THE TEST LAB ENVIRONMENT in Part 2 of this whitepaper. Log on as the local account AzureAdmin with “Pass@word1!?” as password.

2. Open a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt, and the run the following commands in order.

PS C:\> $domain = "litware369.com"PS C:\> $password = "Pass@word1!?" | ConvertTo-SecureString -asPlainText -ForcePS C:\> $username = "$domain\AzureAdminPS C:\> $cred = New-Object System.Management.Automation.PSCredential($username,$password)PS C:\> Add-Computer -DomainName $domain -Credential $cred -Restart

Once completed, the LAPTOP1 computer will reboot.

Accessing the various machines of the test lab environmentSee eponym section in Part 2 of this whitepaper.

12 UPLOAD A WINDOWS VHD FROM AN ON-PREMISES VM TO AZURE: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-upload-image13 CREATE A CUSTOM VIRTUAL MACHINE IMAGE IN AZURE RESOURCE MANAGER WITH POWERSHELL: https://azure.microsoft.com/en-us/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/

10 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Setting up PHS and seamless SSO with the Azure AD/Office 365 tenantThis section provides a walkthrough on how to setup password hash synchronization and seamless single sign-on (SSO) between the on-premises Active Directory (e.g. litware369.com) and the Azure AD/Office 365 tenant (e.g. litware369.onmicrosoft.com) to offer a seamless user experience to access cloud resources, for example an Office 365 Enterprise E3 subscription in our configuration.For the sake of simplicity, and to set up the directory synchronization and the password hash synchronization between the on-premises infrastructure of our test lab environment in Azure and the litware369.onmicrosoft.com tenant in the cloud, we will leverage the single and unified wizard Azure Active Directory Connect (Azure AD Connect).Azure AD Connect indeed provides a single and unified wizard that streamlines the overall onboarding process for both directory synchronization (single or multiple directories) AND single sign-on if you want to, and thus that automatically performs the following steps: download and setup of all the pre-requisites, download, setup and guided configuration of the synchronization engine, activation of the synchronization in the Azure AD tenant, setup, and/or configuration of AD FS, etc.Azure AD Connect is the one stop shop for connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production.

Note For more information, see articles INTEGRATING YOUR ON-PREMISES IDENTITIES WITH AZURE ACTIVE DIRECTORY 14.

This section walks you through the use of the single wizard Azure AD Connect on the ADFS1 computer to fully configure the Azure-based infrastructure from an identity perspective and establish the identity bridge between it and your Azure AD/Office 365 subscription. It comprises the following seven steps:

1. Downloading Azure AD Connect.2. Executing Azure AD Connect.3. Configuring additional tasks.4. Configuring the seamless single sign-on in the LITWARE369 domain5. Error: Reference source not found.6. Verifying the "same sign-on" with the Azure AD/Office 365 tenant.7. Verifying the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant.

The following subsections describe each of these steps in the context of our test lab environment.

14 INTEGRATING YOUR ON-PREMISES IDENTITIES WITH AZURE ACTIVE DIRECTORY: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 11

Downloading Azure AD ConnectAzure AD Connect is a single wizard that performs all the steps you would otherwise have to do manually to connect your Active Directory (and local directories if any) to Azure AD. Azure AD Connect will:

Install pre-requisites like the Azure Active Directory Module for Windows PowerShell (64-bit version)15 and Microsoft Online Services Sign-In Assistant16.

Note The Azure Active Directory PowerShell Module is regularly updated with new features and functionality. The above link should always point to the most current version of the module. For more information, see article MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY 17.

Install and configure the sync engine, and enable directory synchronization in the customer's Azure tenant.

Configures either password sync (w/ optional seamless single sign-on), path-through authentication (w/ optional seamless single sign-on), or AD FS, depending on which sign-on option the customer prefers, and includes any required configuration in Azure.

Verifies everything is working.Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. Azure AD Connect is replacing DirSync and Azure AD Sync and these two older sync engines are deprecated from April 13, 2016 reaching end of support April 13,2017. 

Note For more information, see article UPGRADE WINDOWS AZURE ACTIVE DIRECTORY SYNC (“DIRSYNC”) AND Azure ACTIVE DIRECTORY SYNC (“AZURE AD SYNC”) 18.

To download the latest version of Azure AD Connect (e.g. version 1.1.380.0 at the time of this writing), proceed with the following steps:

1. Open a remote desktop connection on the DC1 computer. Follow the instructions as per section § ACCESSING THE VARIOUS MACHINES OF THE TEST LAB ENVIRONMENT and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with “Pass@word1!?” as password.

2. Open a browsing session and navigate to:http://www.microsoft.com/en-us/download/details.aspx?id=47594.

3. Click Download to download the Azure AD Connect MSI file (AzureADConnect.msi).

4. Click Save.

15 Azure Active Directory Module for Windows PowerShell (64-bit version): http://go.microsoft.com/fwlink/p/?linkid=23629716 Microsoft Online Services Sign-In Assistant for IT Professionals: http://go.microsoft.com/fwlink/?LinkId=28615217 MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY: http://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx18 UPGRADE WINDOWS AZURE ACTIVE DIRECTORY SYNC (“DIRSYNC”) AND AZURE ACTIVE DIRECTORY SYNC (“AZURE AD SYNC”): https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-deprecated

12 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Executing Azure AD ConnectBefore executing Azure AD Connect, you must know the credentials:

1. A domain account that is local administrator on the aforementioned computers.2. Active Directory enterprise administrator credentials.3. Azure AD tenant global administrator credentials.

If you’ve followed in order all the steps outlined before, all the above prerequisites should be enforced at this stage. So you should be good to go.To execute Azure AD Connect and configure your identity infrastructure, proceed with the following steps:

1. Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section § ACCESSING THE VARIOUS MACHINESOF THE TEST LAB ENVIRONMENT and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?” as password.

2. Run AzureADConnect.msi to launch the wizard.

3. On the Welcome to Azure AD Connect page, check I agree to the license terms and privacy notice and click Continue.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 13

4. On the Express Settings page, click Customize.

5. On the Install required components page, review the information, select any optional configuration that you require, although it’s okay to leave these unselected, and click Install.

14 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

6. On the User sign-in page, leave Password Synchronization selected, and select Enable single sign on.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 15

7. Click Next.

8. On the Connect to Azure AD page, enter your global admin Azure AD credentials when prompted.Username: admin@litware369.onmicrosoft.comPassword: Pass@word1!?Click Next.

16 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

9. On the Connect your directories page, select your local active directory and enter AD credentials.Username: LIWARE369\AzureAdminPassword: Pass@word1!?Click Add Directory.

10. Click Next.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 17

11. On the Azure AD sign-in configuration page, leave USER PRINCIPAL NAME as is, i.e. userPrincipalName selected, and click Next.

12. On the Domain and OU filtering page, leave Sync all domains and OUs selected, and click Next.

18 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

13. On the Uniquely identifying your users page, leave Users are represented only once across all directories selected, leave SOURCE ANCHOR as is, i.e. objectGUID selected, and click Next.

14. On the Filter users and devices page, leave Synchronize all users and devices selected, and then click Next.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 19

15. On the Optional features page, select any additional features that you need, although it’s okay to leave these unselected, and then click Next.

16. On the Enable single sign on page, click Enter domain administrator credentials. A Windows Security dialog pops up.

20 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

17. Enter AD credentials, and then click OK.Username: AzureAdminPassword: Pass@word1!?

,18. Click Next.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 21

19. On the Ready to configure page, leave checked Start the synchronization process as soon as the configuration completes for starting the synchronization process.

Note You may assume the synchronization process will automatically start at a later time if the check mark is removed. This is not correct as you will need to enable the task in Scheduled Tasks on the server where the synchronization tool is installed. After the task is enabled, synchronization occurs every 30 minutes by default.

20. Click Install. When installation completes, verify the installation and then exit.

Note Logs regarding the Azure AD Connect installation can be found in the %LocalAppData%\AADCONNECT folder.

Configuring additional tasksYou may wish to add scale or refine your options right away, or after some time has passed.

22 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

To configure additional task, proceed with the following steps:1. Whilst still being connected on the DC1 computer, launch the wizard again using

the Start page or the desktop icon called Azure AD Connect.

2. Click Configure.

3. The Additional tasks page lists the tasks that are relevant to your configuration. Select the relevant task to your configuration you’d like to conduct, click Next, and follow the instructions.Note that with the first task, you can validate your current configuration

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 23

4. Once completed, click Exit.Now let’s see how to verify the synchronization on the Azure AD/Office 365 tenant.

Verifying the synchronization on the Azure AD/Office 365 tenantTo verify the synchronization on the Azure AD tenant, proceed with the following steps:

1. Open a browsing session and navigate to the Azure portal at https://portal.azure.com.

2. Sign in with your administrative credentials to your Azure subscription.3. On the left pane of the Azure management portal, click Azure Active Directory.

A Litware369 blade opens up.

Note If Azure Active Directory is not listed, click More Services, type "Azure", and the select Azure Active Directory.

4. In the Quick tasks tile, click Find a user. A Users and groups – All Users blade appears.

5. Confirm that both Janet Schorr and Robert Hatley are listed.

24 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Note If the Active Directory users Janets and Roberth are not replicated in your Azure AD tenant, please refer to section § TROUBLESHOOTING PHS to see how you can force the replication using PowerShell commands.

Verifying the status of password sync settingsTo view the status of password sync setting, you can run the following command on the DC1 computer from a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt:

Import-Module ADSync$connectors = Get-ADSyncConnector$aadConnectors = $connectors | Where-Object {$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}$adConnectors = $connectors | Where-Object {$_.ConnectorTypeName -eq "AD"}if ($aadConnectors -ne $null -and $adConnectors -ne $null){ if ($aadConnectors.Count -eq 1) { $features = Get-ADSyncAADCompanyFeature -ConnectorName $aadConnectors[0].Name Write-Host Write-Host "Password sync feature enabled in your Azure AD directory: " $features.PasswordHashSync foreach ($adConnector in $adConnectors) { Write-Host Write-Host "Password sync channel status BEGIN ------------------------------------------------------- " Write-Host Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name Write-Host $pingEvents = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -After (Get-Date).AddHours(-3) | Where-Object { $_.Message.ToUpperInvariant().Contains($adConnector.Identifier.ToString("D").ToUpperInvariant()) } | Sort-Object { $_.Time } -Descending if ($pingEvents -ne $null) { Write-Host "Latest heart beat event (within last 3 hours). Time " $pingEvents[0].TimeWritten } else { Write-Warning "No ping event found within last 3 hours." } Write-Host Write-Host "Password sync channel status END ------------------------------------------------------- " Write-Host } } else { Write-Warning "More than one Azure AD Connectors found. Please update the script to use the appropriate Connector." }}Write-Hostif ($aadConnectors -eq $null){ Write-Warning "No Azure AD Connector was found."}if ($adConnectors -eq $null){ Write-Warning "No AD DS Connector was found."}Write-Host

Configuring the seamless single sign-on in the LITWARE369 domainSeamless single sign-on (SSO) is an option that can be enabled in Azure AD Connect with either password (hash of) hash synchronization (PHS) or pass-through authentication (PTA) (see Part 7 of this whitepaper). When enabled, users only need type their username

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 25

and do not need not to type their password to sign in to Azure AD or other cloud services when they are on their corporate machines and connected on the corporate network.For users to use seamless SSO in your environment, you need to ensure that they are:

1. On a domain joined computer.2. Have a direct connection to a domain controller, for example on the corporate

wired or wireless network or via a remote access connection such as a VPN connection. This role is played by the LAPTOP1 computer that you’ve previously provisioned on the test lab environment.

3. Define the Kerberos end-points in the cloud as part of the browsers’ Intranet zone.If any of the above items are not present, such as the computer is off the corporate network and Active Directory is not available, then users will simply be prompted to enter their password as they would without seamless SSO.

Note For more information, see article WHAT IS SINGLE SIGN ON (SSO) (PREVIEW) 19.

Ensuring clients sign-in automatically from the corporate networkBy default, browsers will not attempt to send credentials to web servers unless the URL is defined in the Intranet zone. In so far as the URLs used for seamless SSO in Azure AD contain a period because they are globally routable hostnames, they have to be explicitly added to the computer's Intranet zone, so that the browser will automatically send the currently logged in user's credentials in the form of a Kerberos ticket to Azure AD. The easiest way to add the required URLs to the Intranet zone is to simply create a group policy in Active Directory or use an existing one.Proceed with the following steps:

1. Whilst still being connected on the DC2 computer, open an elevated command prompt if none, and run the following command:

PS C:\> gpmc.msc

A Group Policy Management window brings up.

2. Double-click the name of the forest, double-click Domains, and double-click the name of the domain.

19 WHAT IS SINGLE SIGN ON (SSO) (PREVIEW): https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

26 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

3. Right-click Default Domain Policy, and then click Edit. A Group Policy Management Editor window brings up.

4. In the console tree, expand Group policy that will be applied to all users. For example, the Default Domain Policy.

5. Navigate to User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page and select Site to Zone Assignment List.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 27

6. Enable the policy by clicking on the Enabled radio button, then, in the Options part, click the Show… button.

7. Inside the dialog box, and enter the following values:o Value Name: https://autologon.microsoftazuread-sso.com Value: 1 o Value Name: https://aadg.windows.net.nsatc.net Value: 1

8. Click OK twice.9. Close the Groupe Policy Management Editor.10. Close the Group Policy Management console.

Verifying the "same sign-on" with the Azure AD/Office 365 tenantTo verify the “same” sign-on with the Azure AD/Office 365 tenant (e.g. litware369.onmicrosoft.com), proceed with the following steps:

28 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

1. Open a browsing session from your external local computer and navigate to the Office 365 portal at https://portal.office.com.

2. Type janets@litware369.com and specify your Active Directory password.If simple sign-on is correctly set up, you should have a seamless access to the signed in user settings in the Office 365 portal.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 29

No tiles are displayed for the online apps. This is expected for the test user as in fact you have not assigned a license to the test user.

Verifying the seamless single sign-on (SSO) with the Azure AD/Office 365 tenantTo verify the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant (e.g. litware369.onmicrosoft.com), proceed with the following steps:

1. Open a remote desktop connection on the LAPTOP1 computer. Follow the instructions as per section § ACCESSING THE VARIOUS MACHINES OF THE TEST LABENVIRONMENT and specify in step 2 the IP address for the LAPTOP1 computer20. Log on as the LITWARE369 user account JanetS with "Pass@word1!?” as password.

2. Open a browsing session from your external local computer and navigate to the Office 365 portal at https://portal.office.com.If seamless single sign-on (SSO) is correctly set up, you should have a seamless access to the signed in user settings in the Office 365 portal.No tiles are displayed for the online apps. This is expected for the test user as in fact you have not assigned a license to the test user.

Troubleshooting the configurationTroubleshooting PHSTroubleshooting the PHS feature consists in verifying the synchronization between the on-premises Active Directory environment and Azure AD.If you want to force Azure AD Connect to replicate:

1. Open a remote desktop connection on DC1.2. Open a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE)

prompt, and then run the following command to import the ADSync cmdlets:

PS C:\> Import-Module ADSync

4. Then force a delta synchronization

PS C:\> Start-ADSyncSyncCycle -PolicyType Delta

This cmdlet must output Result, Success.You can also verify the status of the password synchronization as per previous eponym section § ERROR: REFERENCE SOURCE NOT FOUND.

Note For more information, see article IMPLEMENTING PASSWORD SYNCHRONIZATION WITH AZURE AD CONNECT SYNC 21.

Troubleshooting seamless SSOIt is important to make sure the client is correctly configured for seamless SSO including the following:20 This address has been assigned dynamically and can be found using the Azure Portal when selecting the LAPTOP1 VM and the Network interfaces.21 IMPLEMENTING PASSWORD SYNCHRONIZATION WITH AZURE AD CONNECT SYNC: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization

30 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Note For more information, see article WHAT IS SINGLE SIGN ON (SSO) (PREVIEW) 22.

1. Both https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net are defined within the Intranet zone.

2. Ensure the computer is joined to the domain, for example the LITWARE369 domain in our configuration.

3. Ensure the user is logged on with a domain account.4. Ensure the computer is connected to the corporate network, for example on the

Internal-sn in our test lab configuration.5. Ensure that the computer's time is synchronized with the Active Directory and the

domain controllers time is within 5 minutes of the correct time.6. Purge the clients existing Kerberos tickets, for example by running the following

command from an elevated command prompt.

C:\> "klist purge"

7. Ensure the Kerberos SPNs are present and correct for the AzureADSSOAcc$ account in Active Directory.

If you have been able to confirm the above requirements, you can review the console logs of the browser for additional information. The console logs can be found under developer tools. This will help you determine the potential problem.Every time a user logs in with single sign on, an entry is recorded in the event log of the domain controller, if success auditing is enabled. To find these events, you can review the

22 WHAT IS SINGLE SIGN ON (SSO) (PREVIEW): https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 31

Event logs for the security Event 4769 associated with computer account AzureADSSOAcc$. The filter below finds all security events associated with the computer account:

<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[EventData[Data[@Name='ServiceName'] and (Data='AZUREADSSOACC$')]]</Select> </Query><QueryList>

You are now in a position to further test the environment.

32 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Understanding PHS and seamless SSOUnderstanding PHSAs introduced at the beginning of this document, the PHS (or Password Hash Synchronization) feature consists in retrieving by Azure AD Connect the user account password hashes from an on-premises Active Directory and replicating a digest of this hash to a cloud-based Azure AD/Office 365 tenant.From a security standpoint, the password information that is replicated in Azure AD is the result of a one-way function (SHA-256) applied to the user’s password hash stored in an encrypted form, which means that, even if this secret leaks, it cannot be used to access to any resource on your corporate internal network.

Note For a detailed description of the password synchronization mechanism, see blog post AAD PASSWORD SYNC, ENCRYPTION AND FIPS COMPLIANCE 23.

This feature then enables users to sign into Azure AD services, such as Office 365, Dynamics 365, Intune, and Azure AD Domain Services, using the same password they’re using to sign in to their organization’s on-premises Active Directory.

Note For more information, see article IMPLEMENTING PASSWORD SYNCHRONIZATION WITH AZURE AD CONNECT SYNC 24.

Such a feature provides a "same sign-on" experience, where users sign in to their corporate machine and Azure AD/Office 365 with the same credentials. To provide a better experience, a password change is replicated within 2 minutes. Moreover, after a successful authentication, the users can be optionally asked for a multifactor authentication (MFA) in the cloud.

Understanding seamless SSOSupported clientsThe seamless SSO feature is supported via web browser based clients and Office clients that support modern authentication25 on computers that are capable of Kerberos authentication, such as Windows.

23 AAD PASSWORD SYNC, ENCRYPTION AND FIPS COMPLIANCE: https://blogs.technet.microsoft.com/enterprisemobility/2014/06/28/aad-password-sync-encryption-and-fips-compliance/24 IMPLEMENTING PASSWORD SYNCHRONIZATION WITH AZURE AD CONNECT SYNC: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization25 Modern authentication: Ibid

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 33

The following table provides details of the browser based clients on various operating systems.

Table 1 Supported clients per OS/Browsers

Operating systems Internet Explorer

Chrome Firefox Edge

Windows 10 Yes Yes Yes* NoWindows 8.1 Yes Yes Yes* N/AWindows 8 Yes Yes Yes* N/AWindows 7 Yes Yes Yes* N/AMac OS/X N/A N/A N/A N/A

* Requires separate configuration

A word about modern authenticationModern authentication is an OAuth-based authentication stack used by Office 2013/2016 client applications against Office 365. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML 2.0-based third-party identity providers with Office 2013/2016 client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.From a technical implementation standpoint, the Active Directory Authentication Library (ADAL) replaces, for Windows clients, the Microsoft Online Sign-in Assistant (SIA).

Understanding seamless SSO flowsLet’s illustrate a typical seamless SSO flow.

LITWARE369 Customer Premises

On-premises directory

Office 365 Identity Platform

Azure Active Directory Sign-in Service

Directory Store

4. Returns Kerberos ticket

1. Challenge for Kerberos ticket2. Ticket request from

Active Directory3. DC returns

result

Figure 1 Seamless SSO flowFirst the user attempts to access a resource that trusts security tokens issued from Azure AD, such as SharePoint Online (SPO) for Office 365. SharePoint Online then redirects the user to authenticate against Azure AD. The user is then invited to provide their username so that Azure AD can establish if the seamless SSO feature is enabled for their organization. Assuming seamless SSO is enabled for the organization, the following occurs:

1. Azure AD challenges the client, via a 401 unauthorized response, to provide a Kerberos ticket.

2. The client requests a ticket from Active Directory for the Azure AD.3. Active Directory locates the computer account, created by Azure AD Connect and

returns a Kerberos ticket to the client, encrypted with the machine account's secret. The ticket includes the identity of the user currently signed in to the computer.

4. The client sends the Kerberos ticket it acquired from Active Directory to Azure AD.

34 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

5. Azure AD decrypts the Kerberos ticket using the previously shared key, and then either returns a token to the user or asks the user to provide additional proofs such as multi-factor authentication as required by the resource.

Seamless SSO is an opportunistic feature, which means that if it fails for some reason, the user simply need only enter their password on the sign-in page as usual.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 35

Monitoring your on-premises deployment (Optional)This last section of this document provides and introduction to Azure Active Directory Connect Health (Azure AD Connect Health). This cloud based service in the new Azure Portal26 helps you monitor and gain insight into health, performance and login activity of your on-premises identity infrastructure. It thus offers you the ability to view alerts, performance, usage patterns, configuration settings, enables you to maintain a reliable Azure AD connection, and much more. Azure AD Connect Health represents a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure.

Note For more information, see article MONITOR YOUR ON-PREMISES IDENTITY INFRASTRUCTURE AND SYNCHRONIZATION SERVICES IN THE CLOUD 27.

Note Azure AD Connect Health is a feature of the Azure AD Premium P1 edition. For a description of this edition below and a comparison table, see article AZURE ACTIVE DIRECTORY EDITIONS 28.

This section walks you through the process of configuring this service for your existing on-premises deployment as per this document. The process consists in the following five steps:

1. Getting started with the Azure AD Connect Health service.2. Configuring Azure AD Connect Health for Sync.3. Configuring Azure AD Connect Health for AD DS.4. Using the Azure AD Connect Health service.

The following subsections describe in the context of our test lab environment each of these steps.Like before, and unless noticed otherwise, all the instructions should be done on the DC1 computer.

Getting started with the Azure AD Connect Health serviceTo get started with and use the Azure AD Connect Health service, proceed with the following tasks:

1. Open a browsing session for your external personal computer and navigate to the Azure portal at https://portal.azure.com/.

2. Sign in when prompted with your Azure AD/Office 365 Enterprise global administrator account such as:Username: admin@litware369.onmicrosoft.comPassword: Pass@word1!?Click Next.

26 Azure Preview Portal: https://portal.azure.com/27 MONITOR YOUR ON-PREMISES IDENTITY INFRASTRUCTURE AND SYNCHRONIZATION SERVICES IN THE CLOUD: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health28 AZURE ACTIVE DIRECTORY EDITIONS: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-editions

36 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

3. Click the Marketplace tile, and then select Security + Identity, or search for it by typing “Identity”.

4. Under recommended, click Azure AD Connect Health. An introductory blade opens up.

5. Click Create. This will open another blade with your directory information.

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 37

6. Click Create.

Note If you do not have an Azure Active Directory Premium P1 license, you will need one to use Azure AD Connect Health as previously noticed. See article WHAT IS MICROSOFT AZURE ACTIVE DIRECTORY LICENSING? 29. You can sign-up for a trial at https://portal.office.com/Signup/Signup.aspx?OfferId=01824d11-5ad8-447f-8523-666b0848b381.

Once created, you can now access the Azure AD Connect Health Portal30 that allows you to view alerts, performance monitoring, and usage analytics. Upon first accessing Azure AD Connect Health, a first blade is presented.

In order to see any data in your instance of Azure AD Connect Health, you will need to install the Azure AD Connect Health agents on your targeted servers, for example the six computers in our configuration. This is the purpose of the next sections.

Configuring Azure AD Connect Health for SyncThe Azure AD Connect Health agent for Sync is installed as part of the Azure AD Connect installation (version 1.0.9125.0 or higher). So this is already completed with our prior installation and configuration of Azure AD Connect (version 1.1.380.0 in our configuration). See section § . To verify the agent has been installed, look for the following services on the DC1 computer. If you completed the configuration, they should already be running:

1. Azure AD Connect Health Sync Insights Service.2. Azure AD Connect Health Sync Monitoring Service.

29 WHAT IS MICROSOFT AZURE ACTIVE DIRECTORY LICENSING?: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-what-is30 Azure AD Connect Health Portal: https://aka.ms/aadconnecthealth

38 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Note For more information, see article AZURE AD CONNECT HEALTH AGENT INSTALLATION 31.

Configuring Azure AD Connect Health for AD DSDownloading the health agent for AD DSTo download the latest version of health agent for AD DS, proceed with the following steps:

1. Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section § ACCESSING THE VARIOUS MACHINESOF THE TEST LAB ENVIRONMENT and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.

2. Open a browsing session and navigate to the Azure AD Connect Health portal.3. Click the Quick Start tile. An eponym Quick Start blade opens up. 4. Under Get tools, click Download Azure AD Connect Health for AD DS to

download the health agent (AdHealthAddsAgentSetup.exe)

5. Click Save.6. Repeat above steps on the DC2 computer.

Installing and configuring the health agent for AD DSTo download the latest version of health agent for AD DS, proceed with the following steps:

1. Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section § ACCESSING THE VARIOUS MACHINESOF THE TEST LAB ENVIRONMENT and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.

2. Double-click the AdHealthAddsAgentSetup.exe file you’ve downloaded in the previous section. A dialog pops up.

3. The Azure Active Directory Connect Health Setup dialog shows up.

4. On the first screen, read the EULA, and then click Install. The install begins.

31 AZURE AD CONNECT HEALTH AGENT INSTALLATION: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-agent-install

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 39

5. Once the installation is finished, click Configure Now. A command prompt with elevated privileges opens up.

As stated, an elevated PowerShell command prompt is then launched to execute the following command while the initial command prompt closes:

Register-AzureADConnectHealthADDSAgent

6. A Sign in to your account dialog opens up.

40 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

7. Type "admin@litware369.onmicrosoft.com" for your Azure AD/Office 365 Enterprise global administrator and click Continue.

8. Enter the password of the admin@litware369.onmicrosoft.com user, e.g. “Pass@word1!?” in our configuration, and then click Sign in. The health agent registration process starts.

Executing Elevated PowerShell Command: Register-AzureADConnectHealthADDSAgent2017-01-05 10:37:00.735 ProductName: Microsoft Azure AD Connect Health agent for AD DS, FileVersion: UTC Time: 2017-01-05 10:37:00Z

2017-01-05 10:37:00.893 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADH/

2017-01-05 10:37:00.893 AdHybridHealthServiceUri: https://adds.aadconnecthealth.azure.com/

2017-01-05 10:37:03.098 AHealthServiceApiVersion: 2014-01-01

2017-01-05 10:43:28.828 Detecting AdDomainService roles...

2017-01-05 10:43:29.562 Detected the following role(s) for litware369.com:

2017-01-05 10:43:29.562 Active Directory Domain Services

2017-01-05 10:43:34.915 Aquiring Monitoring Service certificate using tenant.cert

2017-01-05 10:43:42.506 Successfully aquired and stored Monitoring Service certificate: Subject=CN=DCc-4be2-9b86-5b3513ecb22e, OU=Microsoft ADFS Agent, Issuer=CN=Microsoft PolicyKeyService Certificate Ant=25E0F7EE2D344DF31888B7E223795DFD29D4DFBF

2017-01-05 10:43:42.521 Fetched and stored agent credentials successfully...

2017-01-05 10:43:44.432 Started agent services successfully...

Test-AzureADConnectHealthConnectivity completed successfully...

2017-01-05 10:44:02.807 Agent registration completed successfully.

Detailed log file created in temporary directory:

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 41

C:\Users\AzureAdmin.LITWARE369\AppData\Local\Temp\2\AdHealthAddsAgentConfiguration.2017-01-05_10-37-00.logPS C:\Users\AzureAdmin.LITWARE369\Downloads>

9. To verify the agent has been successfully installed and configured, click Tools in Server Manager, and then select Services. An eponym window Services opens up.

10. Look for the following services: a. Azure AD Connect Health AD DS Insights Service.b. Azure AD Connect Health AD DS Monitoring Service.

These services should be started automatically and the agent will be now monitoring and gathering data.

11. Repeat above steps on the DC2 computer.

Note For more information, see article AZURE AD CONNECT HEALTH AGENT INSTALLATION 32.

At this stage, you should now be in position to monitor your on-premises deployment.

Using the Azure AD Connect Health serviceTo now use the Azure AD Connect Health service, proceed with the following tasks:

1. Open a browsing session and navigate to the Azure Preview Portal at https://portal.azure.com/.

2. Sign in when prompted with your Azure AD/Office 365 Enterprise global administrator account such as:Username: admin@litware369.onmicrosoft.comPassword: Pass@word1!?

3. Select Azure AD Connect Health. An introductory blade opens up.4. Click Azure Active Directory Connect (Sync). An eponym blade opens up.

Synchronization should appear as healthy.

5. Back to introductory blade of Azure AD Connect Health, finally click Active Directory Domain services. A new blade opens up for AD DS as you might expect.

32 AZURE AD CONNECT HEALTH AGENT INSTALLATION: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-agent-install

42 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO

Note For more information on the various health topics (alerts, performance monitoring, usage analytics, properties, etc.), see articles AZURE AD CONNECT HEALTH OPERATIONS 33, USING AZURE AD CONNECT HEALTH FOR SYNC 34, and USING AZURE AD CONNECT HEALTH WITH AD DS 35.

This concludes the sixth part of the whitepaper.

33 AZURE AD CONNECT HEALTH OPERATIONS: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-operations

Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO 43

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.© 2017 Microsoft Corporation. All rights reserved.The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

34 USING AZURE AD CONNECT HEALTH FOR SYNC: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-sync35 USING AZURE AD CONNECT HEALTH WITH AD DS: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-adds

44 Azure AD/Office 365 seamless sign-in - Part 6 – Understand and implement PHS and seamless SSO