IT-Camp Azure Labs
Lab 3 Working with Identity
Azure Active Directory is a service that provides identity and access management capabilities in the cloud. In much the same way that Active Directory is a service made available to customers through the Windows Server operating system for on-premises identity management, Azure Active Directory (Azure AD) is a service that is made available through Azure for cloud-based identity management. Azure AD can be used as a standalone cloud directory for your organization, but you can also integrate existing on-premises Active Directory with Azure AD. Some of the features of integration include directory sync, password sync and single sign-on, which further extend the reach of your existing on-premises identities into the cloud for an improved admin and end user experience.
Create a new Azure Active Directory environment
In this task, you will create a new Azure Active Directory tenant.
Perform the following tasks in the Azure management portal.
- In the Azure management portal, click ACTIVE DIRECTORY.
- Click NEW, click APP SERVICES, click ACTIVE DIRECTORY, click DIRECTORY, and then click CUSTOM CREATE.
- In NAME, type Contoso-AZ-Directory.
- In DOMAIN NAME, type AzureContoso<ID> (where <ID> is your unique ID). The tenant's sign-in domain becomes AzureContoso<ID>.onmicrosoft.com, and every account you create in this directory uses that suffix.
- In COUNTRY OR REGION, select UNITED STATES, and then click the Complete icon.
- If you are not in the United States, select it anyway to ensure the consistency of the lab steps.
Create an Azure Active Directory Administrator account
In this task, you will create a user account to serve as the administrator of your Azure Active Directory service.
Perform the following tasks in the Azure management portal.
- In the Azure management portal, click ACTIVE DIRECTORY, and then click Contoso-AZ-Directory.
- Under Contoso-AZ-Directory, click USERS, located on the top menu.
- In the bottom bar, click ADD USER.
- In USER NAME, type AADAdmin, and then click the Next arrow.
- In FIRST NAME, type AAD, and then in Last Name, type Admin.
- In DISPLAY NAME, type AADAdmin.
- In ROLE, select Global Administrator.
- In ALTERNATE EMAIL ADDRESS, type any valid e-mail address you have access to, and then click the Next arrow.
- Under Get temporary password, click create.
- MAKE NOTE of this password as you will need it later.
- Click the Complete icon.
- Note the USER NAME value of the user; you will need this later. It is AADAdmin@AzureContoso<ID>.onmicrosoft.com, where the domain is the one you chose when you created the directory, not the account you used to sign in to Azure.
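The same task scripted, as an added example that is not part of the original lab. It uses the MSOnline (Azure AD PowerShell v1) module, which is the module contemporary with this portal; it assumes MSOnline is installed, that you replace <ID> with your unique ID, and that "you@example.com" stands in for a mailbox you control. The last command is the check a practitioner wants after handing out the tenant's highest privilege: who else holds it.

```powershell
# Added example, not part of the original lab: create the AADAdmin account and grant
# it the Global Administrator role with the MSOnline module.
# Assumptions: MSOnline is installed; <ID> is your unique ID; you@example.com is a
# placeholder for a mailbox you control.
Import-Module MSOnline
Connect-MsolService   # sign in with the account that owns the subscription, not AADAdmin

$domain = "AzureContoso<ID>.onmicrosoft.com"
$upn    = "AADAdmin@$domain"

# Omitting -Password makes the service generate a temporary one and return it in the
# Password property (the portal's "Get temporary password" step). -ForceChangePassword
# makes the user replace it at first sign-in, which is the next task in the lab.
$user = New-MsolUser -UserPrincipalName $upn -DisplayName "AADAdmin" `
            -FirstName "AAD" -LastName "Admin" `
            -AlternateEmailAddresses @("you@example.com") `
            -ForceChangePassword $true -UsageLocation "US"
"Temporary password for ${upn}: $($user.Password)"   # shown once; record it securely

# The portal's "Global Administrator" role is named "Company Administrator" in MSOnline.
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress $upn

# Check: enumerate every holder of the role. This is the tenant's highest privilege, so
# the list should be short and every member should be an account you expect to see.
$roleId = (Get-MsolRole -RoleName "Company Administrator").ObjectId
Get-MsolRoleMember -RoleObjectId $roleId |
    Select-Object DisplayName, EmailAddress, RoleMemberType
```

Run the script from a workstation where you are already signed in as the subscription owner; the role-member listing should show the owner account plus AADAdmin and nothing else. Newer tenants use the Microsoft Graph PowerShell module for the same operations, but the portal described in this lab predates it.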
Set a password for your admin account
In this task, you will perform an initial logon to set the password for the admin account.
Perform the following tasks on your local workstation.
- Close out of all web browser sessions. Using Internet Explorer, navigate to manage.windowsazure.com.
- Log in as AADAdmin, using the USER NAME you noted earlier (AADAdmin@AzureContoso<ID>.onmicrosoft.com, with your unique <ID>) and the temporary password. If the browser is still signed in with another account, sign out first.
- When prompted, change the password to Passw0rd! and then click Update password and sign in. This shared, predictable password is a lab convenience only; never use it for a real Global Administrator account.
- You will see a message “No subscriptions found.” This is expected. The user is not permitted to manage subscription level details.
- Close Internet Explorer.
Configure and test the AADSync Service
In this task, you will prepare DC01 (Windows Server 2012 R2), create a test user in the on-premises Active Directory, enable directory synchronization for the tenant, install Azure Active Directory Sync Services (AADSync), and then perform an initial sync to populate your Azure Active Directory with copies of your local user accounts.
Connect using RDP to DC01:
- Close all web browsing sessions then reopen Internet Explorer and navigate to http://manage.windowsazure.com
- Log in with your Microsoft account used in the previous labs, not the AD administrator account from the previous section.
- On the left menu of the Azure management portal, click VIRTUAL MACHINES.
- Next to DC01, click the DNS Name to open the Service dashboard.
- Click DASHBOARD.
- On the bottom bar, click CONNECT, and then click Open.
- Click Connect.
- When prompted, log on as sysadmin using Passw0rd! as the password.
- Click Yes.
- You are now logged on to your virtual machine.
- Open Server Manager and click Local Server in the left-hand navigation pane.
- Next to IE Enhanced Security Configuration, click On.
- In the Internet Explorer Enhanced Security Configuration dialog, select Off for both Administrators and Users, and then click OK. This removes a browser hardening control and is acceptable only because this is a disposable lab VM; on a real domain controller leave it on and do your browsing from another machine.
- In Server Manager click tools and select Active Directory Users and Computers
- Right click on ContosoAzure.com and select New -> Organizational Unit
- In the name type AADUsers and click OK
- Right click on AADUsers and select New User
- In Full name and User logon name, type your unique <ID> from earlier followed by Sync, for example MHSync. Click Next.
- On the password screen, type Passw0rd! and check Password never expires. Click Next. Both choices are lab shortcuts; a real account should get a unique password and the normal expiry policy.
- Review the new user and click Finish.
- Using Internet Explorer, navigate to http://manage.windowsazure.com.
- Log in as your subscription user, not the user you just created
- In the Azure management portal, scroll to and click on ACTIVE DIRECTORY.
- Click Contoso-AZ-Directory, and then click Directory Integration.
- Next to DIRECTORY SYNC, click Activated.
- Click Save, and then click Yes
- Wait for the job to complete before proceeding.
- Open Internet Explorer and go to http://aka.ms/azureadsync to download the Microsoft Azure Active Directory Sync Services
- Click download
- Save the tool to your desktop.
- On the desktop, right click on the MicrosoftAzureADConnectionTool and select Run As Administrator. This will install and configure the tool.
- Check the I agree to the terms and click Install
- In User name, type AADAdmin@AzureContoso<ID>.onmicrosoft.com, replacing <ID> with the unique ID for your domain name.
- In Password, type Passw0rd! and then click Next.
- In Forest, type ContosoAzure.com.
- In User name, type contosoazure\sysadmin (the DOMAIN\username form).
- In Password, type Passw0rd! and then click Add Forest. The lab reuses the same administrative account for the sync connector; outside a lab, give AADSync its own account holding only the read access and, for password synchronization, the Replicating Directory Changes permissions it needs, so that compromise of the sync server does not hand an attacker a full administrative credential.
- Click Next.
- On User Matching, leave the defaults and click Next
- On optional features select Password synchronization and click Next
- On the Configure screen, review the options and click Configure.
- When configuration has completed review the screen, verify Synchronize now is selected and then click Finish.
- Switch to your Azure management portal, and then click ACTIVE DIRECTORY.
- Click Contoso-AZ-Directory, click Users, and look for the user you created earlier.
- You should eventually see the user you created in Active Directory on DC01 synchronized into your Azure Active Directory. The first sync can take a few minutes; refresh the list if it is not there yet.
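The same procedure's on-premises steps scripted, followed by the cloud-side checks that prove the account actually synchronized, as an added example that is not part of the original lab. It assumes it is run on DC01 after directory sync has been activated and AADSync has finished its initial run, that the MSOnline module is installed there, and that $id is your unique ID (the lab's own example is MH). The final comparison of ImmutableId against the on-premises objectGUID is the check that tells you the cloud object is anchored to the account you just created rather than to some other object.

```powershell
# Added example, not part of the original lab: create the AADUsers OU and the test user
# with the ActiveDirectory module, then verify synchronization with the MSOnline module.
# Assumptions: run on DC01; directory sync is activated and AADSync has run once;
# MSOnline is installed; $id is your unique ID (MH is the lab's example).
Import-Module ActiveDirectory
$id       = "MH"
$sam      = "${id}Sync"
$domainDn = (Get-ADDomain -Identity "ContosoAzure.com").DistinguishedName
$ouDn     = "OU=AADUsers,$domainDn"

# Create the OU only if it is missing, so the script can be rerun safely.
try   { Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction Stop | Out-Null }
catch { New-ADOrganizationalUnit -Name "AADUsers" -Path $domainDn }

# Prompt for the password instead of embedding it; the lab's Passw0rd! is for the lab only.
$pass = Read-Host -AsSecureString "Password for $sam"
New-ADUser -Name $sam -SamAccountName $sam -DisplayName $sam `
           -UserPrincipalName "$sam@ContosoAzure.com" -Path $ouDn `
           -AccountPassword $pass -Enabled $true -PasswordNeverExpires $true
# -PasswordNeverExpires mirrors the lab step; for real accounts leave it off.

# Cloud side: confirm sync is on and when it last ran, then locate the synchronized object.
Import-Module MSOnline
Connect-MsolService   # the subscription owner or AADAdmin@AzureContoso<ID>.onmicrosoft.com
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# ContosoAzure.com is not a verified domain in the tenant, so expect the cloud UPN to
# carry the tenant's .onmicrosoft.com suffix instead; match on DisplayName, not UPN.
$cloud = Get-MsolUser -All | Where-Object { $_.DisplayName -eq $sam -and $_.LastDirSyncTime }
$cloud | Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId

# Check: a synced object's ImmutableId is the base64 form of the on-premises objectGUID.
# A mismatch means the cloud user is not anchored to the account you just created, which
# you want to know before you attach MFA or other policy to it.
$expected = [Convert]::ToBase64String((Get-ADUser -Identity $sam).ObjectGUID.ToByteArray())
if ($cloud.ImmutableId -eq $expected) { "ImmutableId matches on-premises objectGUID for $sam" }
else { "ImmutableId mismatch for ${sam}: cloud=$($cloud.ImmutableId) expected=$expected" }
```

If LastDirSyncTime is empty or older than the user you created, the sync has not picked the account up yet; wait for the next scheduled cycle or run a manual sync on the AADSync server before treating the mismatch as a problem.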
Implementing Multi-Factor Authentication
Multi-factor or two-factor authentication is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device. Conversely, if the user happens to lose the device, whoever finds it cannot use it without also knowing the user's password. Azure Multi-Factor Authentication is the service that requires users to also verify sign-ins using a mobile app, phone call or text message. It is available for use with Azure Active Directory, for securing on-premises resources with the Azure Multi-Factor Authentication Server, and for custom applications and directories through the SDK.
In this task, you will configure Multi-Factor Authentication (MFA) with Microsoft Azure. To complete this module fully, you need a phone that can receive text messages or calls. You will configure the lab to use your phone as the second authentication factor; verification is done by replying to a system-generated text or voice message.
We will start by enabling the MFA service
- Using Internet Explorer, navigate to manage.windowsazure.com.
- Log on using your tenant account.
- In Microsoft Azure, click ACTIVE DIRECTORY.
- Click MULTI-FACTOR AUTH PROVIDERS, and then click CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.
- In NAME, type Contoso-MFA, ensure the correct subscription is selected (If you have multiple subscriptions tied to your live ID).
- For directory select Contoso-AZ-Directory and then click CREATE.
Testing Multi-Factor Authentication
In this task, you will test multi-factor authentication. Ensure you have the phone readily available as you will have a limited time to receive and reply to the text message generated by Microsoft Azure.
Perform this task on your local machine.
- In the Azure management portal, click ACTIVE DIRECTORY, and then click Contoso-AZ-Directory.
- On the top bar click Configure
- Under the multi-factor authentication section click Manage Service Settings
- If prompted enter your tenant credentials
- In multi-factor authentication click users on the top navigation bar.
- Select the synchronized user you created on DC01 earlier (for example MHSync) and click Enable under quick steps.
- On the information screen, review the message and click enable multi-factor auth.
- Click Close
- Open a new tab in Internet Explorer and navigate to http://aka.ms/MFASetup. If you are still signed in as the administrator, sign out first.
- On the Sign in screen, type the user name and password of the synchronized user (for example MHSync) and click Sign in. Because you selected Password synchronization, the password you set on DC01 is accepted here.
- Since this is the first time the user has signed in after MFA was enabled, you must register a second factor: click Set it up now.
- Fill in your contact information (the number of your mobile phone), select the Call me radio button, and click Contact me.
- Answer your phone when it rings and listen to the instructions. Press # to finish the verification. On the Additional security verification page, click Done.
- The sign-in process continues and you will be called again; answer the call and press # to complete the logon. From now on, this user's sign-ins require both the password and the phone.
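The per-user MFA enablement and the check that follows it, scripted, as an added example that is not part of the original lab. It uses the MSOnline module's StrongAuthenticationRequirement object, which is what the portal's Enable button sets behind the scenes; it assumes MSOnline is installed, that $upn is the cloud user principal name of the synchronized test user (the suffix below is an assumption, since ContosoAzure.com is not verified in the tenant), and that you run it as a tenant administrator. The closing audit goes slightly beyond the lab: it lists every account with no MFA requirement at all, which is how you notice that the Global Administrator created earlier is still protected by nothing but Passw0rd!.

```powershell
# Added example, not part of the original lab: enable per-user MFA for the synchronized
# test user with the MSOnline module, read the state back, then audit the tenant.
# Assumptions: MSOnline is installed; $upn is the cloud UPN of the synced user
# (the .onmicrosoft.com suffix is assumed); you are signed in as a tenant administrator.
Import-Module MSOnline
Connect-MsolService

$upn = "MHSync@AzureContoso<ID>.onmicrosoft.com"   # replace MH and <ID> with your own values

# "Enabled" prompts the user to register a second factor at next sign-in (the "Set it up
# now" screen). Once registration completes, the service moves the state to "Enforced".
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# Check: read the requirement back, and list which methods the user has registered.
# The methods list stays empty until the user completes the phone verification.
$u = Get-MsolUser -UserPrincipalName $upn
$u.StrongAuthenticationRequirements | Select-Object RelyingParty, State
$u.StrongAuthenticationMethods     | Select-Object MethodType, IsDefault

# Audit: every account in the tenant with no MFA requirement. Privileged accounts such as
# AADAdmin should not appear here; if they do, enable MFA on them the same way.
Get-MsolUser -All |
    Where-Object { -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName, DisplayName

# To remove the requirement again, pass an empty list. Clean up test-only settings
# deliberately rather than leaving exemptions behind:
# Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
```

Run the enable step before the user's first sign-in at http://aka.ms/MFASetup, then rerun the two check lines after the phone verification: the state should read Enforced and the methods list should contain the phone-call method you registered.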