Uploaded by ngokiet, 08-Jul-2018

Page 1 | 13

CDP-H210 Introduction to Azure Active Directory

This is an infrastructure lab, useful to both ITPros and developers who want to learn the basics of Azure Active Directory. The main focus is on understanding the basics of the directory itself: how to create one, users and groups, and one of the key scenarios for the ITPro, which is connecting and synchronizing the directory with on-premise Active Directory. You will create a domain controller using an Azure Virtual Machine as a proxy for your on-premise domain controller. You will install the Azure AD Connect tool on this DC to synchronize user names and passwords. The lab will also enable Multi-factor authentication.

Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core directory services, advanced identity governance, security, and application access management. Azure AD also offers developers an identity management platform to deliver access control to their applications, based on centralized policy and rules. You can use Azure AD to secure and manage access to both Microsoft cloud applications like Office 365 and hundreds of non-Microsoft applications.

1. Login to the Azure Management Portal

The first task is to get you signed into the Azure Management Portal, and to do that you need a valid subscription for Azure. You can:

- Use your own subscription
- Sign up for a free trial (http://azure.microsoft.com/en-us/pricing/free-trial)
- Get a subscription from one of the lab proctors

On your lab computer, fire up Internet Explorer and browse to http://manage.windowsazure.com and login using the user ID and password from one of the above methods.

2. Core Setup

You are going to be doing a number of things with Azure AD. One of the more complex things you will do is synchronize Azure AD with your on-premise Windows Server Active Directory. Since you can't lift and shift your AD to this lab, you will actually create your own test on-premise network and AD infrastructure, and you will do this on Azure using Azure Virtual Networks and Virtual Machines. To save some time, and also to show you how to upload and create your own VM on Azure, you will be copying an existing virtual hard disk file (.VHD) from an existing domain controller (the author's) and then spinning up a Virtual Machine from this .VHD file.

The very first thing to do, then, is to copy the .VHD file to your subscription, as this can take some time. For this lab, a virtual disk has already been copied to a set of storage accounts in Azure. Appendix 2 (as a reference) will explain how you would do this if you want to try when you get back to the office. You just need to copy the .VHD file to your own storage account. So first, you need a storage account.

- Click the "+ NEW" icon at the bottom left and select DATA SERVICES, STORAGE and QUICK CREATE.
- In the URL box, enter a name for your storage service: use <youralias>vhdstore. For example, if your name is Ann Green and your work email alias is [email protected], use agreenvhdstore as the storage account name (there can be NO UPPERCASE letters or symbols). You will get a red "tick" next to the URL name if it is OK.
- Choose a location: this is which data center in the world you want to place your storage account in. You MUST select North Europe (your copy of the .VHD file will be very slow if you do not).
- Select Locally Redundant replication. This means data in your storage account is NOT replicated to another Azure data center (we don't need it for this lab; it's also cheaper and faster).
- Click on CREATE STORAGE ACCOUNT. It will take around 30 seconds for the account to get created (status: ONLINE).
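The storage account naming rule and the replication/location choices above can be scripted with the same Azure (service management) PowerShell module the lab installs in the next step. The following is an added example, not part of the lab guide: it checks the name against the lowercase-alphanumeric rule, confirms the name is still available, and creates the account with Standard_LRS (Locally Redundant) replication. The alias value and the function name New-LabVhdStore are placeholders.

```powershell
# Added example (not from the lab guide). Requires the Azure service-management
# module from the lab; Add-AzureAccount must already have been run.
function New-LabVhdStore {
    param(
        [Parameter(Mandatory)] [string] $Alias,     # e.g. "agreen"
        [string] $Location = "North Europe"         # same region as the lab's VHD sources
    )
    $name = ($Alias + "vhdstore").ToLowerInvariant()

    # Storage account names: 3-24 characters, lowercase letters and digits only.
    if ($name -notmatch '^[a-z0-9]{3,24}$') {
        throw "Invalid storage account name '$name': use 3-24 lowercase letters or digits, no symbols."
    }

    # Names are global across Azure; Test-AzureName -Storage returns $true when the name is taken.
    if (Test-AzureName -Storage -Name $name) {
        throw "Storage account name '$name' is already in use. Pick another alias."
    }

    # Standard_LRS = Locally Redundant: no cross-datacenter replication, the cheapest
    # and fastest option, which is all a throwaway lab VHD copy needs.
    New-AzureStorageAccount -StorageAccountName $name -Location $Location -Type Standard_LRS | Out-Null

    # Return the account object so the caller can confirm status and location.
    Get-AzureStorageAccount -StorageAccountName $name
}

# Usage: creates <alias>vhdstore in North Europe and shows its status.
$account = New-LabVhdStore -Alias "agreen"
$account | Select-Object StorageAccountName, Location, AccountType, StorageAccountStatus
```

The regular expression enforces the same constraint the portal reports as a red tick; checking availability first avoids a failed create call against a name someone else already owns.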

Now you can copy the .vhd file. You will do this using PowerShell, and specifically the PowerShell commands for Azure. First you need to install these commands.

- On your lab machine, open another browser tab and go to this URL: https://github.com/Azure/azure-sdk-tools/releases
- Click on the Windows Standalone link, RUN the .msi file and follow all the prompts to get PowerShell installed.
- After install, click the Windows button and type "PowerShell ISE". Right-click the PowerShell ISE application and select Run as Administrator.
- Click the Script button (as shown opposite) to show the script window.
- At the command prompt, enter:

```powershell
Add-AzureAccount
```

This will launch a login window. Login using the credentials you used earlier. PowerShell is now "connected" to your Azure subscription and you can now interact with it. For example, type the following to get details about all your subscriptions:

```powershell
Get-AzureSubscription
```

To copy the .VHD file, you will use a script which will prompt you for the subscription and storage account to use (if you have more than one), then randomly select one of the 5 storage accounts the .VHD file is stored in, and finally initiate the copy.

- In Appendix 1 of this lab guide, copy the entire script and paste it into your script window in PowerShell (the top section, with a tab called untitled1.ps1).
- Press RUN.

The script will run and keep checking the status of the copy operation. It can take just a few seconds or 10-15 minutes to copy the 20GB .vhd file, depending on other activity at the time.

You will come back to this later in the lab when you need your "on-premise" domain controller.

One other thing you will need when you create your Virtual Machine/Domain Controller from the .vhd file you are copying is a Virtual Network. This will allow you later to add your Domain Controller to this network, as well as put other VMs in the network and have network connectivity and name resolution between them.

- On the Management Portal, select "+ NEW" -> NETWORK SERVICES -> VIRTUAL NETWORK -> QUICK CREATE.
- Enter a NAME (which must be unique; suggest <alias>-vnet, for example agreen-vnet, as per the naming of your storage account. You can have symbols for most other services in your name, just not storage.)
- LOCATION: select the same location as your storage account, preferably North Europe.
- Leave the other values alone and then click OK. Your network will get created.
- Once created (it will take just 20-30 seconds), click on the network and then click on the CONFIGURE tab.
- In the DNS Servers section, enter the name of your domain controller VM (yes, you have not actually created this yet). Use <alias>-DCVM, for example agreen-DCVM.
- Since the VM will be the first VM in your network, and the default IP address scheme for your network is a 10.0.0.0 scheme, we know that the IP address given to the first machine will be 10.0.0.4. Enter this value in the IP address field and click SAVE and YES to the warning. You are doing this step now in the lab to save you a little time and avoid having to reboot your domain controller to pick up the DNS value.

That's all you need to do right now. Let's get started actually learning Azure Active Directory itself...

3. First Steps with Azure AD

3.1 Setting Up

Your first step with Azure AD is the easy part: just creating the directory itself.

- On the Azure Portal, click "+ NEW", select APP SERVICES, select Active Directory and then Directory and Custom Create.
- Enter a name for the directory, whatever you want, e.g. <alias> Azure AD.
- Then a DOMAIN NAME: use <alias>AAD and make sure the domain is valid/not taken; change it if it is.
- Select the Country/Region: pick a country in the same region that you chose when you created your Network/Storage Account.

3.2 Changing your Directory-Subscription Mapping

There is a relationship between Azure subscriptions and Azure Active Directory. Each subscription has to be associated with a single directory; a directory can apply to multiple subscriptions.

There is a default "hidden" directory, with the domain microsoft.onmicrosoft.com. When you created your directory above, the subscription you are using was not associated with this new directory; it is actually associated with the "hidden" default directory (or it might even be some other directory, depending on your subscription). You can see this initial directory, and you can also change it so that your subscription is mapped to your new directory (although you cannot change this back currently).

IF you are a service administrator on the subscription you are using for this lab, you will be able to make the change below to your directory.

- Click on Settings (the last icon on the left nav).
- The list of subscriptions shows, for each subscription, what the associated directory is. As you can see, for your subscription, the default directory is NOT the directory you just created.
- Select the subscription and click Edit Directory at the bottom of the portal. The new directory you created will be populated as the only choice. If you do not see this new directory, close the Edit Directory dialog, refresh your browser and try again.
- Click Next and OK. You will get a message about re-loading the portal. Click OK.

Now the subscription will show it is associated with your new directory. This means that you can create new users in your new directory and use the directory for your Azure subscription management. For example, you can create a new user and make them a co-admin on your subscription. You will do this next.

- Go back to your Azure AD in the Management Portal.
- Click YOUR directory, and click the Users tab. You will see your current Microsoft account listed.
- Click on ADD USER. You want a New User in Your Organization.
- Enter AzureCoAdmin as the username. Click NEXT.
- Enter the First name (Azure), Last name (Coadmin) and Display name (Azure CoAdmin).
- For Role, select Global Administrator and then enter any alternate email address (this is not validated, so it can be any well-formed address, e.g. [email protected]).
- DO NOT check Enable MFA; you will do this in a later step.
- On the Get Temporary Password screen, click the Create button and then click the clipboard icon to copy the temporary password to the clipboard (you will change this password to something you can remember next).
- Click OK.

Now you have a user in your directory. The user has global admin permission on the directory itself, but the user is not yet a co-admin on the subscription.

- On the Portal, on the left nav, click on Settings, select the Administrators tab and click ADD.
- Enter the name of your co-admin, which would be azurecoadmin@<alias>aad.onmicrosoft.com. If you do this correctly, your user will be validated in Azure AD.
- Check the subscription you want to add the user to as a co-admin and click OK.
- Now open up a new In-Private browser session (this is so that you can be logged into two Azure Portal sessions using two different accounts at the same time) and go to the Azure Management Portal: http://manage.windowsazure.com
- Login with your full azurecoadmin@<alias>aad.onmicrosoft.com account and paste the password in from the clipboard (Ctrl-V). After login, you will be prompted to change your password; use 1stAzure as the new password.

NOTE: if you lose the password, you can reset it. Go to the Users tab on your directory, select the azurecoadmin user and click the Reset Password button at the bottom.

After login, you will now see all the same services as your Microsoft account login. Click through the Getting Started tour.

So you have your first user, and you actually have an application (the Azure Management Portal) that uses Azure AD to authenticate against and get user information from the directory. Of course, you can build your own applications that do this as well. Other commercial applications such as Office 365, Dynamics CRM and Visual Studio Online use Azure AD.
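The lab now has a Global Administrator (AzureCoAdmin) that is also a subscription co-admin, and it will add a second one for directory sync later. A practitioner would want a repeatable way to enumerate who holds that role in the directory, whether each holder is cloud-only or sourced from the on-premise AD, and whether per-user MFA is set on them. The added example below does that with the MSOnline PowerShell module (Connect-MsolService); it is not part of the lab guide, the lab does not install that module, and the function name Get-LabGlobalAdminReport is a placeholder.

```powershell
# Added example (not from the lab guide). Requires the MSOnline module:
#   Install-Module MSOnline ; Connect-MsolService   (sign in with a directory admin)
function Get-LabGlobalAdminReport {
    # In MSOnline the Global Administrator role is named "Company Administrator".
    $role    = Get-MsolRole -RoleName "Company Administrator"
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

    foreach ($m in $members) {
        # Role members can be users, groups or service principals; only users carry MFA state.
        if ($m.RoleMemberType -ne "User") {
            [pscustomobject]@{ Principal = $m.DisplayName; Type = $m.RoleMemberType; Source = "n/a"; MfaState = "n/a" }
            continue
        }
        $u = Get-MsolUser -ObjectId $m.ObjectId
        # LastDirSyncTime is populated only for accounts synced from the on-premise AD.
        $source = if ($u.LastDirSyncTime) { "Local Active Directory" } else { "Cloud" }
        # StrongAuthenticationRequirements stays empty until per-user MFA is Enabled or Enforced.
        $mfa = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
                   $u.StrongAuthenticationRequirements[0].State
               } else { "Disabled" }
        [pscustomobject]@{
            Principal = $u.UserPrincipalName
            Type      = "User"
            Source    = $source
            MfaState  = $mfa
        }
    }
}

# Usage: after the steps above, expect the initial account and
# azurecoadmin@<alias>aad.onmicrosoft.com, both Cloud-sourced, with MfaState
# "Disabled" until the MFA section of the lab has been completed.
Get-LabGlobalAdminReport | Format-Table -AutoSize
```

Running the report again after section 5.2 shows the aadsyncadmin account appear as a third holder, which makes the role membership an easy thing to review once the lab is finished.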

4. Back to AD - More Stuff - Branding

So the basic capability of Azure AD is users and groups, and using Azure AD as a directory and user account store for your applications. Azure itself uses AD, as you just saw when you created your co-admin. One of the first things that organizations want to do with their directory, and as an added precaution to give their users more certainty that they are visiting an approved place, is to brand their directory/sign-in experience. For this, you need to turn on the Azure AD Premium feature set.

- Select your Directory again from the Active Directory node on the portal (you can use either the initial login or the co-admin account). Click on Licenses and click the link to Try AD Premium and accept the trial message; this will take 10-20 seconds to set up. Click the REFRESH link.
- When completed, click on Assign at the bottom of the Portal. Check BOTH of the two users you see to assign licenses to them. Now these users can access premium features.
- Now click the CONFIGURE tab and you will see a Customize Branding button. However, before you can use it, you need to download some branding assets (images, icons etc. that have already been created for you).
- Get the set of assets for this lab from the lab download folder here: http://1drv.ms/1DcUEnI
- Check the "Azure_Intro_to_ActiveDirectory" folder and select DOWNLOAD in the header. Save the file to your desktop, right-click the file on your desktop and select EXTRACT ALL...
- Go back to the Azure Portal and click the Customize Branding button.
  a. For the Banner Logo, select Contoso_BannerLogo_default.png from your downloaded folder.
  b. For the Tile Logo, select Contoso_Tilelogo_default.
  c. For the Sign-in Page text, enter some text such as: "Need help? Contact Contoso Help Desk at (206) 555-1234. This site is operated by Microsoft on behalf of Contoso Inc and is for the exclusive use of Contoso employees and partners. Visit www.contoso.com/terms for details."
  d. For the Sign-In Page Illustration, select Contoso_Illustration_default.jpg.
- Click OK. Then, in your In-Private session, where you are logged in as your azurecoadmin, click on your username on the top right and select Sign Out. On the "You have been Signed Out" page, click Sign In.

You will see your branding updates as soon as Azure detects you want to use a login from the AD domain that you have applied your branding updates to, i.e. your azurecoadmin@<alias>aad.onmicrosoft.com account.

5. Continue with Active Directory "Test Lab"

By now, your copy of the virtual hard disk should have completed. Switch to your PowerShell session to make sure it has. If it has not, you can continue with the Multi-Factor Authentication section. Let's first make sure you actually have a .vhd file in your storage account. Remember, this .vhd file is the virtual disk on which Windows Server 2012 R2 is installed; it has AD installed and configured as a single-forest (contoso.com) domain controller. There are a bunch of users and groups in the directory. DNS is configured.

5.1 Creating your Domain Controller VM

So you have a VHD file which sits in Azure storage, but you need a VM. The basic way you do this is to create a virtual disk in Azure, pointing at your .VHD file. You then create a VM using this virtual disk. Let's do this...

- In Azure, click on STORAGE, click your storage account, <alias>vhdstore, click the CONTAINERS tab and click the vhdimages container (this was created for you by the script). You should have a 20GB file in this container called teazuredisk.vhd.
- Click on the Virtual Machines category in the left nav bar of the portal. Click on the DISKS tab and click the "+ CREATE" button at the bottom.
- Enter the details as you see opposite, pointing at the .vhd file in your storage account (click the folder icon to browse for the file) and making sure to check the "VHD contains OS" box and the OS Family.
- Click OK. This action creates a logical disk that you can then use to spin up a virtual machine from. This should take around 20-30 seconds and you will see the disk in the portal when it is completed.
- Now in the portal click the bottom left "+ NEW" button and select COMPUTE -> VIRTUAL MACHINE -> FROM GALLERY.
- On the first page of the gallery wizard, click on the MY DISKS option on the lower left side. You will see your teazureDC disk. Select it and click NEXT.
- Choose a name for your VM such as <alias>-DCVM, e.g. agreen-DCVM. Choose the BASIC tier and A2 size.

- On the next screen, there are TWO important values: the CLOUD SERVICE DNS NAME and the REGION/AFFINITY GROUP/VIRTUAL NETWORK selection. The DNS name will default to your VM name; make sure this resolves to a valid/unique value, and change it if it does not. Make sure to select the Virtual Network you created earlier.
- Click Next and then FINISH. Your VM will go through the process of getting created and booting up. It will take around 3-5 minutes for this to complete.
- While it is doing this, click on the NETWORKS section in the portal, click on your network and click on DASHBOARD. Locate the IP address that your VM gets on the network.
- Then click the CONFIGURE tab and look at the DNS Servers section. Make sure the IP address you entered here is the same as the IP address you entered at the very start of the lab. If it's different, change it here, and after your VM has been created you will need to restart it so it picks up the correct DNS server IP address (which of course is itself).
- Once your VM is ready, you can select it in the Portal and click on Connect.
- When you get to the login screen for the VM, enter contoso\azureadmin as the username and 1stAzure as the password (remember this is a Domain Controller, so you need to login as the uber admin of the domain). Enter something on the shutdown warning and click OK.
- Now on your Domain Controller, open Active Directory Users and Computers (Server Manager -> Tools).

You will see two Organisational Units, Marketing and IT Group. Both have users in them. The passwords for all the users are the same: "1stAzure". At the contoso.com level, there are also three groups, AzureAdmins, Contoso_FTE and Managers, and each has some members from the 5 users in the directory.
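The disk-and-VM steps of section 5.1, together with the DNS server check, can be done from the same Azure PowerShell session the lab already has open. The block below is an added example, not code from the lab guide: it registers the copied .vhd as an OS disk, builds a Basic A2 VM from it inside the lab's virtual network, and then compares the address the VM received with the 10.0.0.4 entry made on the network in section 2. The alias, subscription name and the assumption that the cloud service name equals the VM name are placeholders.

```powershell
# Added example (not from the lab guide): section 5.1 as Azure service-management cmdlets.
$alias        = "agreen"                      # placeholder
$subscription = "<your subscription>"         # placeholder
$storage      = "${alias}vhdstore"
$vhdUri       = "https://$storage.blob.core.windows.net/vhdimages/teazuredisk.vhd"
$diskName     = "teazureDC"
$vmName       = "$alias-DCVM"
$serviceName  = "$alias-DCVM"                 # cloud service DNS name; must be globally unique
$vnetName     = "$alias-vnet"
$expectedIp   = "10.0.0.4"                    # DNS server address entered on the vnet in section 2

Select-AzureSubscription -SubscriptionName $subscription
Set-AzureSubscription -SubscriptionName $subscription -CurrentStorageAccountName $storage

# 1. Register the copied .vhd as an OS disk ("VHD contains OS", OS Family = Windows).
Add-AzureDisk -DiskName $diskName -MediaLocation $vhdUri -OS Windows | Out-Null

# 2. Build the VM configuration from that disk and place it in the lab's virtual network.
#    No provisioning config is added: the disk already carries a configured Windows install.
$vm = New-AzureVMConfig -Name $vmName -InstanceSize Basic_A2 -DiskName $diskName
New-AzureVM -ServiceName $serviceName -VMs $vm -VNetName $vnetName -Location "North Europe" -WaitForBoot

# 3. Compare the address the VM actually received with the vnet DNS server entry.
#    A mismatch means the DC will not be its own DNS server until the entry is fixed
#    and the VM restarted, which is exactly the condition the lab text warns about.
$ip = (Get-AzureVM -ServiceName $serviceName -Name $vmName).IpAddress
if ($ip -ne $expectedIp) {
    Write-Warning "VM got $ip, not $expectedIp. Update the vnet DNS server entry and restart the VM."
} else {
    "VM $vmName is at $ip, matching the vnet DNS server entry."
}
```

Because the first VM in a fresh 10.0.0.0 network gets 10.0.0.4, the check passes on a clean run; it is there to catch the case where something else was placed in the network first.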

5.2 Connecting your DC to your Azure AD

You have an Azure Active Directory and now you have a Domain Controller. You now need to install the directory synchronization tool on your DC and set up your Azure AD to integrate with this domain controller.

- From your Virtual Machine/DC, open a browser and go to this download link: http://www.microsoft.com/en-us/download/details.aspx?id=44225

- On the Microsoft Azure Active Directory Sync Services page, click the download button and click on RUN to start the install after download.
- Accept the license terms and click on Install.
- After install, the tool will start the configuration wizard. The first thing it needs is an Azure credential that has global admin access to your directory.
- Go to the Azure Portal. You are going to create a new user in your Azure AD that you will use for the dirsync operation.
- Go to the Users tab in Azure AD and create a new user with aadsyncadmin as the username, and make this user a global admin also. Copy the temporary password to the clipboard.
- Go to either of your open Azure Portal browser sessions (the supplied admin account or your azurecoadmin account), sign out and then sign in using the new aadsyncadmin account (which will be aadsyncadmin@<alias>AAD.onmicrosoft.com). Paste (CTRL-V) the temporary password into the password field. On the change password screen, change the temporary password to 1stAzure.
- You won't be able to access the Azure portal with this account, as it is not a co-admin on the subscription. Sign out. Close the browser and switch to your other Azure Portal browser session.
- Select your Azure AD and then click the DIRECTORY INTEGRATION tab.
- Click the ACTIVATED link as shown opposite to ACTIVATE your directory for synchronization and then click SAVE.
- Now, switch back to your domain controller and the AD Sync Wizard. Enter the credentials you created for the aadsyncadmin user (aadsyncadmin@<alias>AAD.onmicrosoft.com and 1stAzure).

- After validating, you need to enter the forest name and an admin username\password for your domain controller VM. This will be contoso.com, contoso\azureadmin and 1stAzure. After entering these values, click Add Forest and click NEXT.
- Click past the user matching screen and, on the Optional Features screen, check the Password Sync and Password Write-Back options. Click NEXT and CONFIGURE.
- Once complete, click FINISH and the synchronization will happen. It will take a couple of minutes for the users and groups to show up in your Azure AD. You will see new users in the directory, and the users will show they have been sourced from a "Local Active Directory".
- If you open up any of these users, their properties will not be available for editing, as the single master for these properties is your on-premise Active Directory.
- Click on Groups. There were three groups back in your DC: Managers, Contoso-FTE and Azure-Admins. None of these groups are showing up in Azure AD. This is because these were set as distribution groups. You need to change them to security groups.
- Go back to your DC, open AD Users and Computers and click on the top-level contoso.com object. You will see the three groups in there. Click on each one and change the group type to Security Group.
- Now you will manually run the sync tool, which is simply a scheduled task on your DC. Click on Windows, type "Task Scheduler" and launch it.
- Click on the Task Scheduler Library folder, select the Azure AD Sync Scheduler and click the RUN button.
- Go back to your Azure AD and the Groups tab. Refresh until you see the new groups appear.

So you have the core skills now and the infrastructure set up to play around some more. Some things to try:

- Set a user from your local AD to be a co-admin on the Azure Subscription. Make sure that the user can login (their password is synced with AD; all the user passwords are "1stAzure" on the DC).
- Disable the user in your local AD and make sure the user can no longer login to the Azure subscription.
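The group-type fix, the manual run of the sync task, and the "disable the user and confirm they can no longer sign in" exercise above can all be driven from PowerShell and verified on the Azure AD side rather than by refreshing the portal. The block below is an added example, not part of the lab guide. Part 1 runs on the domain controller (ActiveDirectory module and Task Scheduler); part 2 runs wherever the MSOnline module is installed and Connect-MsolService has been run. Group names use the spelling from section 5.1 (AzureAdmins, Contoso_FTE, Managers); the user account and the tenant domain are placeholders, and the task name is the one shown in Task Scheduler.

```powershell
# Added example (not from the lab guide).
# ---- Part 1: on the DC (run as the domain admin) ----
Import-Module ActiveDirectory

# Distribution groups are not synchronized; switch the lab's three groups to Security.
$groups = "Managers", "Contoso_FTE", "AzureAdmins"
foreach ($g in $groups) {
    $grp = Get-ADGroup -Identity $g -Properties GroupCategory
    if ($grp.GroupCategory -ne "Security") {
        Set-ADGroup -Identity $g -GroupCategory Security
        "Changed $g from $($grp.GroupCategory) to Security"
    }
}

# The "try this" step: disable one synced user on-premise.
$testUser = "<sAMAccountName of a Marketing user>"     # placeholder
Disable-ADAccount -Identity $testUser

# Kick off the sync now instead of waiting for the next scheduled run.
Start-ScheduledTask -TaskName "Azure AD Sync Scheduler"
Start-Sleep -Seconds 120   # give the delta sync time to finish before checking the cloud side

# ---- Part 2: against Azure AD (MSOnline module, Connect-MsolService already run) ----
# Security groups sourced from the DC should now exist in the directory.
$cloudGroups = Get-MsolGroup -GroupType Security | Where-Object { $_.LastDirSyncTime }
$missing = $groups | Where-Object { $_ -notin $cloudGroups.DisplayName }
if ($missing) { Write-Warning "Not yet synced: $($missing -join ', ')" } else { "All three groups synced." }

# A user disabled on-premise is synced with sign-in blocked, so the lab's login test fails.
# contoso.com is not a verified domain in the lab tenant, so the synced UPN suffix is the
# tenant's default <alias>aad.onmicrosoft.com domain rather than contoso.com.
$u = Get-MsolUser -UserPrincipalName "$testUser@<alias>aad.onmicrosoft.com"
if ($u.BlockCredential) { "$($u.UserPrincipalName): sign-in blocked (disabled on-premise)" }
else { Write-Warning "$($u.UserPrincipalName) is still enabled in Azure AD; the sync may not have run yet." }
```

The BlockCredential check is the cloud-side evidence for the last exercise: once the on-premise account is disabled and a sync has run, the account is refused at sign-in even though the synced password is unchanged.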

THE END

Appendix 1: Copy .VHD File Script

```powershell
"=================================================================================="
"==> Running - Getting all subscription details..."
"==>"
$mysubs = Get-AzureSubscription
"==> List of Subscriptions..."
# Let the user pick a subscription when the account has more than one.
If ($mysubs.Count -gt 1) {
    for ($i = 0; $i -le $mysubs.Count - 1; $i++) {
        $adname = $mysubs[$i].DefaultAccount
        $output = "==> " + $i.ToString() + ": " + $adname + ":" + $mysubs[$i].SubscriptionName
        $output
    }
    "==>"
    # $subselect replaces the original's $input, which is a reserved automatic variable in PowerShell.
    $subselect = [int](Read-Host "==> Enter the Number of the subscription to select: ")
}
else { $subselect = 0 }
$mysubscription = $mysubs[$subselect].SubscriptionName
Select-AzureSubscription -SubscriptionName $mysubscription
"==>"
"==> Running - Getting all storage accounts for subscription: " + $mysubscription
"==>"
$staccounts = Get-AzureStorageAccount -WarningAction SilentlyContinue
"==> List of Storage Accounts..."
if ($staccounts.count -eq 0) {
    "ERROR: No Storage Accounts"
    exit    # the original used 'stop', which is not a PowerShell command
}
# Let the user pick the destination storage account when there is more than one.
if ($staccounts.count -gt 1) {
    for ($i = 0; $i -le $staccounts.Count - 1; $i++) {
        $output = "==> " + $i.ToString() + ": " + $staccounts[$i].StorageAccountName
        $output
    }
    "==>"
    $stselect = [int](Read-Host "==> Enter Number to select: ")
}
else { $stselect = 0 }
"==>"
"==> Copying VHD File to your storage account..."
"==>"
$mystorage = $staccounts[$stselect].StorageAccountName
Set-AzureSubscription -SubscriptionName $mysubscription -CurrentStorageAccountName $mystorage | Out-Null
Select-AzureSubscription $mysubscription | Out-Null
# Build a storage context for the destination account from its primary key.
$deststoragekey = (Get-AzureStorageKey -StorageAccountName $mystorage).Primary
$deststoragecontext = New-AzureStorageContext -StorageAccountName $mystorage -StorageAccountKey $deststoragekey -Protocol Http
# Pick one of the five lab source accounts (teazurestore1 .. teazurestore5) at random to spread the load.
$selectSA = Get-Random -minimum 1 -maximum 6
$vhdcopyname = "teazuredisk.vhd"
New-AzureStorageContainer -Name "vhdimages" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Out-Null
$destcontainer = "vhdimages"
$loc = "https://teazurestore" + $selectSA + ".blob.core.windows.net/vhdimages/teazuredisk.vhd"
$Time = [System.Diagnostics.Stopwatch]::StartNew()
# Server-side (asynchronous) blob copy; nothing is downloaded to the lab machine.
$blob1 = Start-AzureStorageBlobCopy -AbsoluteUri $loc -DestContainer $destcontainer -DestBlob $vhdcopyname -DestContext $deststoragecontext -ErrorAction Stop
$status = $blob1 | Get-AzureStorageBlobCopyState
$status
# Poll until the copy leaves the Pending state.
While ($status.Status -eq "Pending") {
    $status = $blob1 | Get-AzureStorageBlobCopyState
    Start-Sleep 10
    ### Print out status ###
    $status
}
"Copy Time: " + $Time.Elapsed.Minutes + ":" + $Time.Elapsed.Seconds
```

Appendix 2: Creating/Uploading Your VMs

If you want to create your own VMs for use in Microsoft Azure from your local machine using Hyper-V, there are just a few critical things that you must do, as follows:

- Create a new Virtual Disk FIRST; make it a fixed disk and use the VHD format.
- Create your VM using the Virtual Disk, and make sure to select Generation 1.
- Then do everything as normal to get your VM OS installed and all the software you need installed and configured. For this lab, the .ISO image for a trial edition of Windows Server 2012 R2 was downloaded and used to boot the OS, and then the Domain Services role was installed and the machine promoted to a Domain Controller.

There are TWO special things you have to do in your VM BEFORE you upload it to Azure:

- TURN ON/allow remote desktop connection (Control Panel -> System).
- The second is to check the Public option for the Remote Desktop firewall rules on the Windows Firewall (Windows -> type Firewall).

Then you need to install the latest version of the Azure PowerShell commands on the machine you will do the upload from.

Then you can shut down your VM and copy just the .vhd file up to Azure using the following PowerShell script:

```powershell
Add-AzureAccount
Select-AzureSubscription -SubscriptionName "<your subscription>"
# Local path of the fixed-size .vhd exported from Hyper-V.
$sourceVHD = "<Path to .vhd file e.g. c:\myvhdfiles\myazurevm.vhd>"
# Page-blob URI in your own storage account where the disk will land.
$destinationVHD = "https://<your storage account>.blob.core.windows.net/<your container>/<your uploaded vhd e.g. myazurevm.vhd>"
Add-AzureVhd -LocalFilePath $sourceVHD -Destination $destinationVHD -NumberOfUploaderThreads 5
```

If you already have a VM but it is not a fixed disk, the Add-AzureVhd command will actually do a conversion to a fixed disk for you. The VHD file, though, must be in VHD format, NOT VHDX.
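The two constraints just stated (VHD rather than VHDX, and fixed rather than dynamic, with Add-AzureVhd able to convert the latter) are worth checking before a multi-gigabyte upload starts. The function below is an added example, not part of the lab guide: it uses the Hyper-V module's Get-VHD to inspect the disk and reports whether it is ready, and it also applies the MiB-aligned virtual size requirement that Azure enforces on uploaded VHDs. The path and the function name Test-AzureVhdReady are placeholders.

```powershell
# Added example (not from the lab guide). Requires the Hyper-V PowerShell module
# on the machine that holds the disk.
function Test-AzureVhdReady {
    param([Parameter(Mandatory)] [string] $Path)

    $info = Get-VHD -Path $Path

    # Azure service-management VMs accept the VHD format only; VHDX cannot be uploaded.
    if ($info.VhdFormat -ne "VHD") {
        return [pscustomobject]@{ Path = $Path; Ready = $false
            Reason = "Format is $($info.VhdFormat); run Convert-VHD -VHDFormat VHD first." }
    }
    # Add-AzureVhd converts dynamic disks on the fly, but converting locally lets you
    # see the final fixed size (and the upload volume) before you start.
    if ($info.VhdType -ne "Fixed") {
        return [pscustomobject]@{ Path = $Path; Ready = $false
            Reason = "Disk is $($info.VhdType); Add-AzureVhd will convert it, or run Convert-VHD -VHDType Fixed." }
    }
    # Azure requires the virtual size to be a whole number of MiB.
    if ($info.Size % 1MB -ne 0) {
        return [pscustomobject]@{ Path = $Path; Ready = $false
            Reason = "Virtual size $($info.Size) bytes is not MiB-aligned; resize before upload." }
    }
    [pscustomobject]@{ Path = $Path; Ready = $true; Reason = "Fixed VHD, $([int]($info.Size / 1GB)) GB" }
}

# Usage. To turn a VHDX into a fixed VHD before checking it:
#   Convert-VHD -Path C:\myvhdfiles\myazurevm.vhdx -DestinationPath C:\myvhdfiles\myazurevm.vhd -VHDType Fixed
Test-AzureVhdReady -Path "<Path to .vhd file e.g. c:\myvhdfiles\myazurevm.vhd>"
```

Run it against the shut-down VM's disk; a Ready = $true result means Add-AzureVhd can upload the file as-is, and the Reason field tells you which of the three rules failed otherwise.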

The resulting .VHD file will be in your Azure storage account; you can then create a disk from this file and then create a Virtual Machine using the disk, putting your VM in a Virtual Network (as per the lab steps).

The VM used in this lab was also configured to be a domain controller and prepped for the Azure AD Sync tool install. The core steps are:

1. Run Windows Update and install all the latest critical patches.
2. Add the Domain Services Role and also install .NET Framework 3.5 (you will need this for the Azure AD Sync tool).
3. Configure DNS to remove the default forwarder.