Chapter 9 Implementing and Managing Azure AD

This chapter covers the following topics

  1. Azure AD Introduction
  2. Default Azure AD Domain
  3. Azure AD Basic & Premium License upgrade options
  4. Azure AD Users
  5. Azure AD Groups
  6. Custom Domains
  7. Self Service Password Reset (SSPR)
  8. Device Management in Azure AD
  9. Azure AD Join
  10. Enterprise State Roaming
  11. Managing Multiple Azure AD Directory Tenant

This chapter covers the following lab exercises

  1. Exploring Dashboard of Default Azure AD
  2. Activating Premium P2 Free Trial Licenses
  3. Create User (User1 with Global Administrator Role)
  4. Create User (User2 with Limited Administrator Role)
  5. Create User (User3 with Directory Role User)
  6. Exploring Dashboard of User
  7. Checking User3 Access level
  8. Create Group and add users manually
  9. Assigning Azure AD Premium P2 License to Users
  10. Add Custom Domain
  11. Create TXT record in Domain Name Registrar
  12. Verify the Custom Domain in Azure AD
  13. Change Azure AD Login names to custom domain for User2
  14. Enabling SSPR for Cloud Users
  15. Setup SSPR Authentications for User3
  16. Test SSPR for User3
  17. Checking Device Settings for Azure AD Users
  18. Joining Windows 10 PC to Azure AD using Azure AD Join
  19. Log on to Windows 10 PC with User2
  20. Enabling Enterprise State Roaming for Users
  21. Creating New Azure AD Tenant
  22. Associating Azure AD Tenant with the Subscription

Chapter Topology

In this chapter we will configure Default Azure AD Tenant. We will also create a new Azure AD Tenant.

Screenshot_383

Azure AD Introduction

Microsoft Azure Active Directory (Azure AD) is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management and identity protection in a single solution.

Azure AD also provides enterprise services such as Multi-Factor Authentication, a centralized access panel for SaaS applications, Application Proxy (which publishes on-premises web applications for remote access without a VPN) and the Graph API, which lets you interact directly with Azure AD objects.

One advantage of Azure AD is that application developers can integrate identity management into their applications without writing complex authentication code of their own.

Azure AD can also act as an identity provider. It provides identity and authentication services to applications using the SAML 2.0, WS-Federation and OpenID Connect protocols.

Azure Active Directory editions

Azure AD is offered in 4 Tiers: Free, Basic, Premium P1 and Premium P2.

Azure Active Directory Free edition can manage users and groups, synchronize with on-premises directories, get single sign-on across Azure, Office 365, and thousands of popular SaaS applications.

Azure AD Basic edition adds features such as group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy.

Azure Active Directory Premium P1 edition adds enterprise-class features such as enhanced monitoring and security reporting, Multi-Factor Authentication (MFA), Conditional Access and secure access for your mobile workforce.

Azure Active Directory Premium P2 edition adds Identity Protection and Privileged Identity Management features.

Comparing Azure AD Editions

Screenshot_384

Note: A default Azure AD tenant (Free edition) is created automatically when you sign up for an Azure subscription.

Azure AD Identity Management Features

Connect on-premises Active Directory with Azure AD: Most organizations already have a large number of users in on-premises Active Directory. Azure AD Connect synchronizes on-premises directory objects (users and groups) with Azure AD. This makes users more productive by giving them a common identity for accessing resources regardless of location. Users and organizations can then use single sign-on (SSO) to access both on-premises resources and Azure cloud services.

Screenshot_385

Manage and control access to corporate resources: Enforce application access security by requiring Multi-Factor Authentication for both on-premises and cloud applications.

Improve user productivity with self-service password reset (SSPR).

Protecting Administrative Accounts: Using Azure AD Privileged Identity Management you can restrict and monitor administrators and their access to resources and provide just-in-time access when needed.

Provide secure remote access to on-premises application using Application Proxy without configuring VPN.

Default Azure AD Domain

A default Azure AD tenant (Free edition) is created automatically with the subscription. You can upgrade it to Basic or Premium edition by purchasing and assigning licenses.

Domain name of the default Azure AD is in the following format: <System generated Name>.onmicrosoft.com

The system-generated name is derived from the name and e-mail address used to create the subscription. To see your default tenant, open the Azure portal and click Azure Active Directory in the left pane.

Figure below shows dashboard of default Azure AD Tenant mikescottoutlook.onmicrosoft.com which I am using for this book.

Screenshot_386

Note 1: A user name must be in e-mail format with a verified domain as the suffix. The verified domain can be the default domain or a custom domain. A user login name for the above tenant will therefore be xyzxyz@mikescottoutlook.onmicrosoft.com.

Note 2: You can assign a custom domain to your default Azure AD tenant. For example, if you assign test.com, user login names will then be xyzxyz@test.com.

Exercise 84: Exploring Dashboard of Default Azure AD

Login to Azure Portal @ https://portal.azure.com> Click Azure Active Directory in left Pane> Default Azure AD Tenant Dashboard Opens.

Screenshot_387

With Users and Groups option you can create user and Groups and Add users to groups.

With Enterprise application option you can provide single sign-on to SaaS and custom application.

With Licenses option you can assign Basic or Premium licenses to Users.

With Custom domain Name option you can assign custom Domain Names to Default Azure AD.

With Application Proxy option you can provide secure remote access to on-premises application.

With AD Connect option you can synchronize on-premises users to Azure AD.

Azure AD Basic & Premium License upgrade options

The Basic and Premium editions Licenses are available for purchase through following options:

  • Microsoft Enterprise Agreement.
  • Open Volume License Program.
  • Cloud Solution Providers.
  • Online using credit card (Azure Subscribers only).
  • Premium P2 Free Trial licenses.

After you have purchased licenses through one of the above methods, the licenses become available in the Azure portal after activation. You can then assign them to Azure AD users or groups.

Exercise 85: Activating Premium P2 Free Trial Licenses

In Azure Portal you get 2 options to activate Premium P2 Free Trial Licenses.

One option is Enterprise Mobility + Security E5 option which includes Azure Active Directory Premium P2, Microsoft Intune and Azure Rights Management Trial Licenses for 250 users for 90 days.

Second Option is Azure AD Premium P2 trial licenses for 100 users for 30 days.

  1. Go to Default Azure AD dashboard> In the middle pane click start a free trial> Activate Blade opens> For this book I selected Azure AD Premium P2 license>Click Free trial Under Azure AD Premium P2>Activate Premium P2 trial blade opens> Click Activate> Close the activate pane.

    Screenshot_388
  2. Refresh the Azure AD dashboard (F5) a couple of times. It takes a few minutes for the Azure AD Premium P2 option to appear on the dashboard.

  3. Click licenses in left pane> You can see 100 licenses. None of the license is assigned.

    Screenshot_389

Azure AD Users

A user name in Azure AD must be in e-mail format with a verified domain as the suffix. The verified domain can be the default domain or a custom domain.

Directory Role for User

A directory role is assigned to a user at creation time and can be changed later. A user holds one of the following three directory roles:

User: Can sign in to the Azure portal but, by default, cannot create, manage or view any Azure resource. For a user to create, view or manage resources in a subscription it must be granted permissions through Role-Based Access Control (RBAC). Directory roles and RBAC roles are separate permission systems: a directory role governs Azure AD objects, an RBAC role governs Azure resources.

Global Administrator: Has full control over all directory (Azure AD) objects. This is the most powerful role in the tenant; keep the number of Global Administrators small and protect each of them with Multi-Factor Authentication.

Limited Administrator: Has full access to one particular Azure AD feature area. The following limited administrative roles are available in Azure.

Screenshot_390

Note : You can change user Directory role from Azure AD Dashboard.
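The portal shows one user's role at a time. The script below is an added example (it is not part of the book) that lists every activated directory role with its members using the Azure AD PowerShell module, and warns when the Global Administrator count exceeds a threshold. The threshold of 4 and the cmdlet-based approach are assumptions; set the limit that suits your tenant.

```powershell
# Added example (not from the book): audit directory role membership with the AzureAD module.
# Run after Install-Module AzureAD; the account used must be able to read directory roles.
Connect-AzureAD

$maxGlobalAdmins = 4   # assumed threshold; Microsoft suggests keeping this number small

# Get-AzureADDirectoryRole returns only roles that have been activated in the tenant.
$assignments = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Service principals and groups have no UPN, so fall back to the display name.
        $name = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
        [pscustomobject]@{
            Role    = $role.DisplayName
            Member  = $name
            Type    = $m.ObjectType       # User, Group or ServicePrincipal
            Enabled = $m.AccountEnabled   # disabled accounts that still hold roles deserve a look
        }
    }
}
$assignments | Sort-Object Role, Member | Format-Table -AutoSize

# The AzureAD module still reports Global Administrator under its legacy name "Company Administrator".
$ga = @($assignments | Where-Object { $_.Role -in 'Company Administrator', 'Global Administrator' })
if ($ga.Count -gt $maxGlobalAdmins) {
    Write-Warning "$($ga.Count) Global Administrators found; move the excess to scoped roles or to PIM eligible assignments"
}
```

Run it before and after the user-creation exercises in this chapter to confirm that only User1 (and the subscription owner) ended up as Global Administrator.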

Azure AD Password Policies for Cloud Users

The following table describes the available password policy settings that can be applied to user accounts that are created and managed in Azure AD:

Screenshot_391

Exercise 86: Create User (User1 with Global Administrator Role)

  1. In Azure AD Dashboard>Click Users in left pane> All Users blade open>+New User> Add user blade opens> Enter name User1 and User name as user1@mikescottoutlook.onmicrosoft.com>Assign Directory role of Global Administrator to user1> Click Ok>Click Show Password>Click create.

    Screenshot_392
  2. Note down the system-generated password. Open Firefox (use a different browser from the one holding your administrator session, so the two sessions do not share cookies), go to https://portal.azure.com, log on with User1's credentials and change the password. Log out of the Azure portal. Please do this step.

Exercise 87: Create User (User2 with Limited Administrator Role)

  1. In Azure AD Dashboard>Click Users in left pane> All Users blade open>+New User> Add user blade opens> Enter name User2 and User name as user2@mikescottoutlook.onmicrosoft.com>Assign Directory role of Limited Administrator to user2 and Choose Billing Administrator Role> Click Ok>Click Show Password>Click create.

    Screenshot_393
  2. Note down the system-generated password. Open Firefox, go to https://portal.azure.com, log on with User2's credentials and change the password.

Exercise 88: Create User (User3 with Directory Role User)

  1. In Azure AD Dashboard>Click Users in left pane> All Users blade open>+New User> Add user blade opens> Enter name User3 and User name as user3@mikescottoutlook.onmicrosoft.com>Assign Directory role of User to user3> Click Ok>Click Show Password>Click create.

    Screenshot_394
  2. Note down the system-generated password. Open Firefox, go to https://portal.azure.com, log on with User3's credentials and change the password.

Exercise 89: Exploring Dashboard of User

  1. In Azure AD Dashboard>Click Users in left pane>All Users blade open> Dashboard shows Subscription administrator and 3 users (User1, User2 & User3) we created in previous exercises.

    Screenshot_395
  2. Select User3>user3 blade opens>From here you can assign Azure AD license, Change Directory role, Reset Password or delete the User etc.

    Screenshot_396

Exercise 90: Checking User3 Access level

In this exercise we will check User3 Access level in Azure Portal.

Log on to the Azure portal at https://portal.azure.com with User3's credentials (user3@mikescottoutlook.onmicrosoft.com) and password. You can see there are no resources to display: User3 has no access to existing resources and cannot create any, because no RBAC role has been assigned to this user.

Screenshot_397

Note: In Chapter 16 Directory Role and RBAC we will discuss how we can assign Administrative permissions and Roles to Users.

Azure AD Groups

A group is a collection of users. Groups lower the administrative overhead of managing users: for example, instead of assigning Azure AD Basic or Premium licenses to individual users, assign them to a group and every member inherits the license.

Adding users to a group: Users can be added to a group by manual selection or by dynamic membership rules. Dynamic membership rules require an Azure AD Premium P1 or P2 license for each user who becomes a member through a rule.

Creating Group and Adding members manually: In Azure AD Dashboard>Click Users and Groups >All Groups>+ New Group> Add Group Blade opens>Select Membership type assigned.

Screenshot_398

Adding members by Dynamic rules: Select membership type Dynamic user.

Screenshot_399

Exercise 91: Create Group and add users manually

In this exercise we will create Group AZ-103 and add 4 users (Mike Scott, User1, User2 and User3) to the group.

  1. In Azure AD Dashboard>Click Groups >All Groups Blade open>Click + New Group> Add Group Blade opens>Select Group type as Security>For name I entered AZ-103>Select Membership type assigned>In Members Select Mike Scott, User1, User2 and User3 and click select and then create.

    Note: You need to scroll the right pane to see the Users- Mike Scott, User1, User2, User3. If you don’t see your User then enter name of User in search pane, click enter and then select the User in the pane.

    Screenshot_400
  2. Figure below shows AZ-103 Group.

    Screenshot_401
  3. Click on AZ-103 Group and AZ-103 group dashboard opens.

    Screenshot_402

    Note the Licenses option in left pane. We will use this option to assign Azure AD Premium P2 License to AZ-103 Group.

Exercise 92: Assigning Azure AD Premium P2 License to Users

In this exercise we will assign Premium P2 license to users. Instead of assigning Licenses to users individually we will assign to AZ-103 group created in previous exercise.

  1. In Azure AD Dashboard>Click Groups in left pane>All Groups Blade open>Click AZ-103 Group Created in previous exercise>AZ-103 Group dashboard opens>Click licenses in left pane> License blade opens.

    Screenshot_403
  2. Click + Assign>Assign License blade opens>Click Products>In Right pane select Premium P2 >Click select (Not shown)> Click Assign (Not shown).

    Screenshot_404
  3. In the AZ-103 group license blade, refresh the screen (F5) a couple of times and you will see the licenses. It takes 3-4 minutes for licenses to appear in the Azure AD license blade.

    Screenshot_405

Note 1: When I tried to assign licenses to individual users it gave an error. It wants a location to be specified in the user profile for a license to be assigned on a per-user basis.

Note 2: If you want to assign a license per user, first specify Usage location in the user profile. Azure AD requires it because some licensed services are not available in every country.
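The failure described in the notes above can be avoided in a script by setting Usage location before assigning the license. The following is an added example (not from the book) that assigns Azure AD Premium P2 to a list of users with the Azure AD PowerShell module, checks the free license count first and skips users who already hold the SKU. The default usage location 'IN' and the target user list are assumptions.

```powershell
# Added example (not from the book): per-user license assignment with the UsageLocation check
# that the portal error in Note 1 complains about.
Connect-AzureAD

# 'AAD_PREMIUM_P2' is the SKU part number Azure AD uses for Azure AD Premium P2.
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'AAD_PREMIUM_P2' }
if (-not $sku) { throw 'No Azure AD Premium P2 SKU is available in this tenant' }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "P2 licenses: $($sku.ConsumedUnits) used of $($sku.PrepaidUnits.Enabled) ($free free)"

# Build the AssignedLicenses object the cmdlet expects (add this SKU, remove nothing).
$license  = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $sku.SkuId
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license

# Assumed target users; in practice read them from a CSV or a group.
$targets = 'user1@mikescottoutlook.onmicrosoft.com', 'user2@mikescottoutlook.onmicrosoft.com'

foreach ($upn in $targets) {
    $user = Get-AzureADUser -ObjectId $upn

    # A license cannot be assigned until UsageLocation (ISO 3166-1 alpha-2) is set.
    if (-not $user.UsageLocation) {
        Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation 'IN'   # assumed default location
    }

    # Skip users that already have the SKU; re-assigning is an error, not a no-op.
    $held = (Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).SkuId
    if ($held -contains $sku.SkuId) { Write-Host "$upn already licensed"; continue }

    if ($free -le 0) { Write-Warning "No free P2 licenses left; skipping $upn"; continue }

    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
    $free--
    Write-Host "Assigned Azure AD Premium P2 to $upn"
}
```

Group-based licensing, as used in Exercise 92, is configured in the portal; the per-user path above is what you need when a script or a help-desk tool has to license a single account.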

Create Bulk Users using CSV files and PowerShell

You can create users in bulk by importing a list of users from a CSV file; a PowerShell script then creates the corresponding users in Azure Active Directory.

Step by Step Creating Bulk Users

  1. Make sure the Azure AD PowerShell module is installed on your desktop.
  2. Create a CSV file with the required user details, one row per user.
  3. Create a PowerShell script (*.ps1) for user creation. The script reads the CSV file on your system. Alternatively, you can download and edit the sample script from the link below. https://gallery.technet.microsoft.com/scriptcenter/Update-ActiveDirectory-cd5c5513/file/168800/1/UpdateUsersCsv.ps1
  4. Run the PowerShell script created in step 3 with the new user information.
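The following script is an added example (it is not the book's script and not the one at the link above) that performs steps 2 to 4 with the Azure AD PowerShell module. The CSV path, the column layout and the directory-role column are assumptions; adapt them to your file. Each user gets a random initial password that must be changed at first sign-in, which is the check most bulk scripts skip.

```powershell
# Added example (not from the book): bulk-create cloud users from a CSV with the AzureAD module.
# Install-Module AzureAD    # once, if the module is not yet installed
Connect-AzureAD             # sign in as Global Administrator or User Administrator

# Assumed CSV path and layout (the header line and two sample rows are shown for reference):
# DisplayName,UserPrincipalName,MailNickName,UsageLocation,DirectoryRole
# User4,user4@mikescottoutlook.onmicrosoft.com,user4,IN,
# User5,user5@mikescottoutlook.onmicrosoft.com,user5,IN,Billing Administrator
$csvPath = 'C:\temp\NewUsers.csv'

function New-RandomPassword {
    # 16 characters drawn from a cryptographic RNG instead of a shared "Welcome123"-style value.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Get-OrEnableDirectoryRole([string]$DisplayName) {
    # Get-AzureADDirectoryRole lists only roles already activated in the tenant; a role that has
    # never been used must be enabled from its template before members can be added.
    # Note: the module names Global Administrator "Company Administrator".
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $DisplayName }
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    return $role
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $pwdProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwdProfile.Password = New-RandomPassword
    $pwdProfile.ForceChangePasswordNextLogin = $true   # user must rotate it at first sign-in

    $params = @{
        DisplayName       = $row.DisplayName
        UserPrincipalName = $row.UserPrincipalName   # suffix must be a verified domain
        MailNickName      = $row.MailNickName
        PasswordProfile   = $pwdProfile
        AccountEnabled    = $true
    }
    # UsageLocation must be present before any license can be assigned to the user.
    if ($row.UsageLocation) { $params.UsageLocation = $row.UsageLocation }

    $user = New-AzureADUser @params

    # Optional directory role (e.g. "Billing Administrator"); blank means a plain User.
    if ($row.DirectoryRole) {
        $role = Get-OrEnableDirectoryRole $row.DirectoryRole
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    }

    # Emit the initial password once for out-of-band delivery; do not write it to a log file.
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.ObjectId
        InitialPassword   = $pwdProfile.Password
        DirectoryRole     = $row.DirectoryRole
    }
}
$results | Format-Table -AutoSize
```

The same three settings the portal wizard asks for (name, user name, directory role) are the columns of the CSV, so the script reproduces Exercises 86 to 88 for any number of users.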

Add Custom Domains

Every Azure AD directory comes with an initial domain name in the form <System generated Name>.onmicrosoft.com, where the system-generated name is derived from the name and e-mail address used to create the subscription.

It is difficult for users to remember a default Azure AD domain name in this format. Adding a custom domain name to Azure AD lets you assign user names such as mike@fabrikam.com instead of mike@<System generated Name>.onmicrosoft.com.

Pre-Requisite for Adding Custom domain

You own a domain name and have sign-in rights to update DNS records with the Domain Name Registrar.

Note about Adding Custom Domain lab Exercise

In next page we will add Custom Domain mykloud.in to Azure AD Tenant.

I did this exercise at the end of the book. I suggest that readers also do this exercise at the end of the book, as it might create problems in succeeding exercises.

Readers are requested to do Exercises 93-96 at the end of the book.

Exercise 93: Add Custom Domain

In this exercise we will add the domain mykloud.in. Recall that in Chapter 1, Exercise 13, we delegated administration of the mykloud.in domain from the registrar GoDaddy to Azure DNS.

Step 1: Add domain mykloud.in to Azure AD

In Azure AD dashboard click Custom domain names in left pane>In right pane click + Add Custom Domain> Add Custom Domain pane opens>Enter domain name mykloud.in and click Add Domain (Not shown).

Screenshot_406

Step 2: Copy TXT Record Information from Custom Domain name pane.

Click Custom Domain created >Copy TXT Record information.

Screenshot_407

Exercise 94: Create TXT record in Domain Name Registrar

Recall that in Chapter 1, Exercise 13, we delegated administration of the mykloud.in domain from the registrar GoDaddy to Azure DNS. In Azure DNS we will create a TXT record with the TXT record information copied in the previous exercise.

  1. In Azure Portal Click All Services in left pane> In Right pane under Networking click DNS Zones>DNS Zones pane opens>Click DNS Zone mykloud.in> DNS Zone dashboard opens as shown below.

    Screenshot_408
  2. Click + Record set in the right pane> Add record set blade opens> In Name enter @ (the zone apex)> Select TXT from the Type dropdown> In Value enter the "Destination or points to address" value copied in Step 2 of the previous exercise> Click OK (not shown).

    Screenshot_409
  3. The TXT record is created and is visible in the DNS zone dashboard.

Exercise 95: Verify the Custom Domain in Azure AD

In Azure AD dashboard click Custom domain names in left pane>In Right pane click the custom domain mykloud.in>Custom Domain pane opens>Click verify.

Screenshot_410

A new pane opens showing that verification is successful, or you receive a notification that verification is successful. Until verification succeeds the domain cannot be used as a user name suffix.

Screenshot_411
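Exercises 93 to 95 can be done end to end from PowerShell. The script below is an added example (not from the book) that uses the Azure AD module for the tenant side and the Az.Dns module for the zone that was delegated to Azure DNS, and, the step the portal flow skips, confirms the TXT record is actually answered by the zone's name server before asking Azure AD to verify. The resource group name DNS-RG is an assumption.

```powershell
# Added example (not from the book): add a custom domain, publish its TXT proof in Azure DNS,
# check public resolution, then verify ownership in Azure AD.
Connect-AzureAD
Connect-AzAccount

$domain        = 'mykloud.in'
$zoneName      = 'mykloud.in'
$resourceGroup = 'DNS-RG'        # assumed: resource group that holds the Azure DNS zone

# 1. Register the domain with the tenant (it stays unverified until step 5).
if (-not (Get-AzureADDomain | Where-Object { $_.Name -eq $domain })) {
    New-AzureADDomain -Name $domain | Out-Null
}

# 2. Read the TXT value Azure AD expects to find at the zone apex.
$txt = Get-AzureADDomainVerificationDnsRecord -Name $domain |
       Where-Object { $_.RecordType -eq 'Txt' }
Write-Host "Verification record: $($txt.Label) TXT $($txt.Text)"

# 3. Publish it at '@'. Append to an existing apex TXT set (e.g. SPF) rather than overwrite it.
$existing = Get-AzDnsRecordSet -ZoneName $zoneName -ResourceGroupName $resourceGroup `
                -Name '@' -RecordType TXT -ErrorAction SilentlyContinue
if ($existing) {
    if (-not ($existing.Records.Value -contains $txt.Text)) {
        Add-AzDnsRecordConfig -RecordSet $existing -Value $txt.Text | Out-Null
        Set-AzDnsRecordSet -RecordSet $existing | Out-Null
    }
} else {
    New-AzDnsRecordSet -Name '@' -RecordType TXT -ZoneName $zoneName `
        -ResourceGroupName $resourceGroup -Ttl 3600 `
        -DnsRecords (New-AzDnsRecordConfig -Value $txt.Text) | Out-Null
}

# 4. Ask the zone's own authoritative name server (bypassing caches) before verifying.
$ns   = (Get-AzDnsZone -Name $zoneName -ResourceGroupName $resourceGroup).NameServers[0]
$seen = Resolve-DnsName -Name $domain -Type TXT -Server $ns -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings -contains $txt.Text }
if (-not $seen) { throw "TXT record not yet served by $ns; wait for propagation and retry" }

# 5. Verify. Until this succeeds the domain cannot be used as a user name suffix.
Confirm-AzureADDomain -Name $domain
(Get-AzureADDomain | Where-Object { $_.Name -eq $domain }).IsVerified   # $true once ownership is proven
```

Resolve-DnsName is the Windows DnsClient cmdlet; on a non-Windows host replace step 4 with an equivalent dig or nslookup query against the same name server.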

Exercise 96: Change Azure AD Login names to custom domain for User2

  1. In Azure AD dashboard click Users in left pane>All Users pane opens>Click User2>User2 Profile opens>Click Edit> In user name box change user2@mikescottoutlook.onmicrosoft.com to user2@mykloud.in> Click save.

    Screenshot_412
  2. Open Firefox Browser and log on to Azure portal with user2@mykloud.in> Login was successful. In top right you can see user2@mykloud.in.

    Screenshot_413

Self Service Password Reset (SSPR)

SSPR allows users to change, reset and unlock their own Azure AD login passwords.

SSPR frees the help desk from password service requests and lets it concentrate on more pressing issues. The help desk is an expensive resource, so SSPR reduces help-desk cost.

Azure AD license requirement for SSPR

Self-Service Password Reset for cloud-only users: requires Azure AD Basic, Premium P1 or Premium P2 edition.

Self-Service Password Reset/Change/Unlock with on-premises password writeback for hybrid users: requires Azure AD Premium P1 or Premium P2 edition.

Number of authentication methods required

This setting determines the minimum number of the available authentication methods a user must complete to reset or unlock their password. It can be set to either one or two. Two is the safer choice: an attacker who takes over a single channel (for example a SIM-swapped mobile number) then still cannot reset the password.

Authentication methods available for Self-Service Password Reset

If SSPR is enabled, you must select at least as many of the following authentication methods as the number required above (one or two).

Mobile app notification (preview)
Mobile app code (preview)
Email
Mobile phone
Office phone
Security questions

Figure below shows Authentication methods available for password reset.

Screenshot_414

Exercise 97: Enabling SSPR for Cloud Users

  1. In Azure AD Dashboard Click Password reset in left pane>Password Reset Blade opens> select either Selected or All. For this exercise I selected All > Click save .

    Screenshot_415
  2. In the Password reset blade click Authentication methods> Select 1 and select Mobile phone> Click save. A single SMS-based method is the weakest acceptable configuration; for a production tenant require two methods and avoid security questions, whose answers are often guessable or public.

    Screenshot_416
  3. In the Password reset blade click Registration> Select Yes. Note that the save option is not highlighted, as Yes is the default. You also have the option to change the number of days after which users are asked to reconfirm their authentication information.

    Screenshot_417

    Note 1: After these steps are enabled, users are asked to register their mobile number the next time they sign in.

    Note 2: If we had selected No, the administrator would have to enter the mobile number in each user's profile dashboard instead.

Exercise 98: Setup SSPR Authentications for User3

Open a different Browser than what is used for Administrator. I am using Chrome for Administrator. I will use Firefox for users.

  1. Open Firefox and log on with user3@mikescottoutlook.onmicrosoft.com> The system asks you to update your authentication phone number.

  2. Note : Admin can also update phone from User Profile dashboard

  3. Click the link set it up now in browser to update User3 Phone number> Select your country and enter your mobile number and click text me>enter the verification code sent to your mobile>Click verify.

  4. Log out of User3 account.

Exercise 99: Test SSPR for User3

  1. In Firefox open https://portal.azure.com and enter the user name user3@mikescottoutlook.onmicrosoft.com, but do not enter the password.

  2. In the browser window click Forgot my password> Get back into your account pane opens> Enter User3's user ID and the captcha and click Next.

    Screenshot_420
  3. Enter Your Mobile Number and click text.

    Screenshot_421
  4. Enter Verification code sent to your number and click next.

    Screenshot_422
  5. Password change pane opens> Enter your new password and click finish.

    Screenshot_423
  6. You can now log on with your new password.

You can see from above that User3 Reset its password without involving helpdesk.

Exercise 100: Disabling Self Service Password Reset (SSPR)

  1. In Azure AD Dashboard Click Password reset in left pane>Password Reset Blade opens> select none >Click save .

    Screenshot_424

Device Management in Azure AD

Today users access corporate applications not only from on-premises networks but also from home, using corporate-owned or personal devices.

In a security-conscious organization, IT administrators want to make sure that devices accessing corporate resources meet their standards for security and compliance.

Device management in Azure AD is the foundation for device-based Conditional Access. With device-based Conditional Access you can ensure that resources in your environment are reachable only from trusted (registered or joined, and optionally compliant) devices.

To manage devices using Azure AD you have 2 options:

  1. Registering
  2. Joining (AD Join or Hybrid AD Join).

In this Chapter we will focus on Azure AD Join only.

Azure AD Join

With Azure AD Join you join a Windows 10 (Professional or Enterprise) computer to Azure AD using the user's Azure AD identity. Joining the device to Azure AD gives the device its own identity in the directory, which can then be managed and used in Conditional Access decisions. With Azure AD Join you sign in to the device using an organizational work or school account instead of a personal account.

Azure AD Join is intended for organizations that are cloud-first or cloud-only. These are typically small and medium-sized businesses that do not have an on-premises Windows Server Active Directory infrastructure.

Benefits of Azure AD Join

  1. With Azure AD Join you can separate the personal and official work on Windows 10 Computer as you get separate screen for official work when you logon with your Azure AD Identity.
  2. With Azure AD Join you can provide Single-Sign-On (SSO) to Azure managed SaaS apps and services.
  3. With Azure AD Join you can restrict access to apps from devices that meet compliance policy.
  4. Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect a Microsoft account (for example, Hotmail) to see settings across devices.
  5. Access to Windows Store for Business using an Azure AD account. Your users can choose from an inventory of applications pre-selected by the organization.
  6. Windows Hello support for secure and convenient access to work resources.
  7. Seamless access to on-premises resources when the device has line of sight to the on-premises domain controller.

Exercise 101: Checking Device Settings for Azure AD Users

By default, all users can join devices to Azure AD. Review this setting: in a managed environment you may want to restrict joining to selected users, and the related setting that requires Multi-Factor Authentication to join a device is worth enabling, since a joined device becomes a trusted object in the directory.

In the Azure AD dashboard click Devices in the left pane> Devices pane opens> Click Device settings in the left pane> In the right pane you can see "Users may join devices to Azure AD" set to All (first row).

Screenshot_425

Word of Caution for Next Exercise: I joined my Windows 10 device to Azure AD using Azure AD Join and User2's credentials. It worked perfectly well. But after a recent Windows update a serious problem arose. I logged in using User2's credentials. When I logged out of the system I could not get any option to log on to my local desktop with my local user account. It took me 4-5 hours of R&D to get back to my local desktop.

I would suggest avoiding this exercise.

Exercise 102: Joining Windows 10 PC to Azure AD using Azure AD Join

  1. On your Windows 10 Pro Laptop>Click start>Settings Icon>Accounts>Access Work or School>+Connect> In bottom click join this device to Azure Active Directory> In Sign-in page enter User-id of User2 and click next.

    Screenshot_426
  2. Enter your password and click sign-in

    Screenshot_427
  3. After Sign-in you get following message>Click Done (not Shown).

    Screenshot_428
  4. Setting Pane now shows User2 Connected to Default AD>Close the Pane.

    Screenshot_429
  5. Devices Blade now shows Windows 10 AD Joined.

    Screenshot_430
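The Devices blade shows the newly joined PC, but a tenant soon accumulates devices nobody signs in to any more, and each one still satisfies a device-based Conditional Access policy. The script below is an added example (not from the book) that inventories devices with the Azure AD PowerShell module, shows how each one is trusted, and disables, rather than deletes, any that have not signed in for 90 days. The 90-day threshold is an assumption.

```powershell
# Added example (not from the book): device inventory and stale-device clean-up with the AzureAD module.
Connect-AzureAD
$cutoff = (Get-Date).AddDays(-90)   # assumed staleness threshold

$devices = Get-AzureADDevice -All $true | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        # AzureAd = Azure AD joined (this exercise), Workplace = registered, ServerAd = hybrid joined
        TrustType   = $_.DeviceTrustType
        OS          = "$($_.DeviceOSType) $($_.DeviceOSVersion)"
        Enabled     = $_.AccountEnabled
        LastLogon   = $_.ApproximateLastLogonTimeStamp
        Owner       = (Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectId).UserPrincipalName -join ','
        ObjectId    = $_.ObjectId
    }
}
$devices | Sort-Object LastLogon | Format-Table DisplayName, TrustType, OS, Enabled, LastLogon, Owner -AutoSize

# Disable devices that have not signed in since the cutoff. A disabled device can no longer pass
# a device-based Conditional Access check, but it can be re-enabled if the owner returns.
# Devices with no recorded logon are left alone so a freshly joined PC is not disabled by mistake.
$stale = $devices | Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt $cutoff }
foreach ($d in $stale) {
    Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false
    Write-Host "Disabled stale device $($d.DisplayName) (last logon $($d.LastLogon))"
}
```

Run the inventory part alone first; the Windows 10 PC from this exercise should appear with TrustType AzureAd and User2 as its registered owner.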

Exercise 103: Log on to Windows 10 PC with User2

  1. On your Windows 10 laptop Logout of your personal account.
  2. Log on with User2-id - user2@mikescottoutlook.onmicrosoft.com.
  3. The system asks you to verify your account. Use the text-message option to verify it.
  4. System will ask you to generate a Pin.
  5. You are now logged on to the system.

The laptop screen will now show your work account with no files or folders from your personal Account.

If you are logging from multiple devices then you can sync settings and app data from work account using Enterprise State Roaming.

Enterprise State Roaming

With Enterprise State Roaming Users can sync settings and app data across devices.

By default users are not enabled for Enterprise State Roaming. You can enable Enterprise State Roaming for all the users or for Selected Users.

Exercise 104: Enabling Enterprise State Roaming for Users

  1. In Azure AD Dashboard Click Devices in left pane>Devices pane opens>Click Enterprise State Roaming in left pane> ESR pane opens.

    Screenshot_431
  2. In Right Pane you can select Selected or All. For this exercise we will select All. >Click save.

Enterprise State Roaming data

Enterprise State Roaming data is hosted in one or more Azure regions that best align with the country/region value set in the Azure Active Directory instance.

Data synced to the Microsoft cloud using Enterprise State Roaming is retained until it is manually deleted or until the data in question is determined to be stale.

Managing Multiple Azure AD Directory Tenant

A subscription trusts exactly one Azure AD tenant, but one Azure AD tenant can be trusted by many subscriptions.

Instead of the default Azure AD tenant you can associate a new Azure AD tenant with the subscription. Note that changing a subscription's directory removes all existing RBAC role assignments on that subscription, so record them before you move it.

Exercise 105: Creating New Azure AD Tenant

  1. In the Azure portal click +Create a resource in the left pane> Identity> Azure Active Directory> Create Azure Active Directory blade opens> Enter a name, enter aadncloud as the initial domain name, select a country and click Create.

    Screenshot_432

Exercise 106: Associating Azure AD Tenant with the Subscription

In this exercise we only demonstrate how to associate our subscription with the Azure AD tenant created in the previous exercise. The actual association will not be made, because we still have to do more exercises with the default tenant.

  1. In Azure Portal Click Cost Management + Billing in left pane> Cost Management + Billing Dashboard opens>Click Subscriptions in left pane> In right pane click your subscription>Subscription Dashboard opens> You can see Subscription is associated with Default Azure AD Tenant.

    Screenshot_433
  2. Click Change directory in the right pane> Change directory blade opens> From the dropdown box select the MyKloud Azure AD tenant created in the previous exercise. Do not proceed further, as we need to do more exercises with the default tenant. Close the Change directory blade.

    Screenshot_434
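The one-tenant-per-subscription rule is easy to see from the Az PowerShell module. This is an added example (not from the book) that lists every tenant the signed-in account can reach with the subscriptions each one holds, and then switches the working context to a chosen tenant and subscription. It makes no change to any subscription's directory; the two GUIDs are placeholders you replace with your own.

```powershell
# Added example (not from the book): enumerate tenants and their subscriptions, then pick a context.
Connect-AzAccount

foreach ($tenant in Get-AzTenant) {
    Write-Host "Tenant $($tenant.Id)  $($tenant.Name)"
    # Each subscription below is trusted by this tenant only; a tenant may hold many subscriptions.
    Get-AzSubscription -TenantId $tenant.Id -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "   Subscription $($_.Id)  $($_.Name)  state=$($_.State)" }
}

# Assumed placeholder IDs: the default tenant and the subscription used throughout this book.
$targetTenant = '00000000-0000-0000-0000-000000000000'
$targetSub    = '11111111-1111-1111-1111-111111111111'

# Scope all further Az cmdlets in this session to that tenant and subscription.
Set-AzContext -Tenant $targetTenant -Subscription $targetSub | Out-Null
Get-AzContext | Format-List Account, Tenant, Subscription
```

After creating the aadncloud tenant in Exercise 105 it appears in the first loop with no subscriptions underneath it, which is exactly the state the portal shows before any Change directory operation.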