Azure Active Directory Labs Series – Graph API

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them with the general public.  The labs follow each other and build on each other.

You can find the exhaustive list on the Cloud Identity & Azure Active Directory page.  This is the seventh lab.

In the current lab we will explore the Microsoft Graph API, which is a superset of the Azure AD Graph API, including Office 365 entities.

Log in

  1. Open an InPrivate browser session
  2. Go to https://graph.microsoft.io/en-us/graph-explorer
  3. Sign in with the full user name of the SyncAdmin account, e.g. SyncAdmin@vpllab.onmicrosoft.com
    That account is a Global admin on the tenant and can therefore see more than a plain user can

Explore

  1. Next to the “GET” verb, type https://graph.microsoft.com/v1.0/me
  2. Press Enter
  3. You should get a JSON / OData payload describing the user
  4. Type https://graph.microsoft.com/v1.0/users
  5. You should get all the users in the tenant
  6. Scroll to the Alan Scott user
  7. With your mouse, click its ID
  8. This should open the link https://graph.microsoft.com/v1.0/users/<UID of the user>
  9. Append /memberOf to that link
  10. You should see the groups Alan Scott is in
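
The exploration above, as an added Python example that is not part of the original lab: it walks the same Graph endpoints (/users, /users/{id}, /users/{id}/memberOf) and, beyond what Graph Explorer shows on screen, follows the @odata.nextLink paging that larger tenants return. The HTTP call is injected so the sample runs offline against constructed responses; the tenant name, object IDs and group names are constructed, and bearer_fetch() is a helper added here for running the same code against the live API with an access token you obtain separately.

```python
"""Page through Microsoft Graph collections and resolve a user's group membership.

Added example, not part of the original lab. The HTTP layer is an injected
`fetch(url) -> dict` callable: offline_fetch() serves constructed pages so the
script runs without network access; bearer_fetch() builds a live fetcher from
an access token obtained elsewhere. Tenant, ids and names are constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
ALAN_ID = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed object id

# Constructed responses keyed by URL, shaped like real Graph/OData payloads.
# /users is split over two pages so the paging logic is exercised; memberOf
# mixes a group with another kind of directoryObject to show the type filter.
SAMPLE_RESPONSES: Dict[str, dict] = {
    f"{GRAPH}/users": {
        "@odata.context": f"{GRAPH}/$metadata#users",
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=constructed-page-2",
        "value": [
            {"id": ALAN_ID, "displayName": "Alan Scott",
             "userPrincipalName": "ascott@vpllab.onmicrosoft.com"},
            {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "displayName": "Barry Allen",
             "userPrincipalName": "ballen@vpllab.onmicrosoft.com"},
        ],
    },
    f"{GRAPH}/users?$skiptoken=constructed-page-2": {
        "@odata.context": f"{GRAPH}/$metadata#users",
        "value": [
            {"id": "11111111-aaaa-4bbb-8ccc-000000000003", "displayName": "Harley Quinn",
             "userPrincipalName": "hquinn@vpllab.onmicrosoft.com"},
        ],
    },
    f"{GRAPH}/users/{ALAN_ID}/memberOf": {
        "@odata.context": f"{GRAPH}/$metadata#directoryObjects",
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "22222222-aaaa-4bbb-8ccc-000000000001",
             "displayName": "SuperHeroes", "securityEnabled": True},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "33333333-aaaa-4bbb-8ccc-000000000001",
             "displayName": "Directory Readers"},
        ],
    },
}


def offline_fetch(url: str) -> dict:
    """Stand-in for an HTTP GET: serve the constructed payload for `url`."""
    return SAMPLE_RESPONSES[url]


def bearer_fetch(access_token: str) -> Callable[[str], dict]:
    """Build a live fetcher that presents the token as a bearer credential."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_collection(url: str, fetch: Callable[[str], dict] = offline_fetch) -> Iterator[dict]:
    """Yield every item of an OData collection, following @odata.nextLink to the end."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def list_users(fetch: Callable[[str], dict] = offline_fetch) -> List[str]:
    """userPrincipalName of every user in the tenant (lab steps 4-5), all pages."""
    return [u["userPrincipalName"] for u in iter_collection(f"{GRAPH}/users", fetch)]


def find_user_id(display_name: str, fetch: Callable[[str], dict] = offline_fetch) -> str:
    """Object id of the user with this display name (the ID you click in step 7)."""
    for user in iter_collection(f"{GRAPH}/users", fetch):
        if user.get("displayName") == display_name:
            return user["id"]
    raise LookupError(f"no user named {display_name!r}")


def group_names(user_id: str, fetch: Callable[[str], dict] = offline_fetch) -> List[str]:
    """Groups the user belongs to (steps 9-10). memberOf returns directoryObjects
    of several types, so keep only the entries whose @odata.type is a group."""
    members = iter_collection(f"{GRAPH}/users/{user_id}/memberOf", fetch)
    return sorted(o["displayName"] for o in members
                  if o.get("@odata.type") == "#microsoft.graph.group")


if __name__ == "__main__":
    print(list_users())
    uid = find_user_id("Alan Scott")
    print(uid, group_names(uid))
```

Two things worth noticing: collection endpoints never promise a single page, so code that reads only the first `value` array silently misses users; and memberOf returns directoryObjects of several types, so the filter on @odata.type matters whenever the result feeds an authorization decision.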

Post Lab

Open https://graph.microsoft.io/en-us/docs and try different queries.

Azure Active Directory Labs Series – AD Connect

You can find the exhaustive list on the Cloud Identity & Azure Active Directory page.  This is the sixth lab.

In the current lab we configure AD Connect to synchronize the on-premise AD with Azure AD.  We will install AD Connect on one of the Domain Controllers created in an earlier lab. In a more realistic environment you would install AD Connect on a separate VM joined to the Domain Controller’s domain; the configuration would be very similar.

Configure Azure AD

  1. Go to the legacy portal @ https://manage.windowsazure.com
  2. Scroll down the left menu to the bottom and select Active Directory
  3. You should see the list of directories
  4. Select the tenant you created for this lab & enter it
  5. Select the Users menu
  6. At the bottom of the screen, click the Add User button
  7. An Add User dialog should appear
  8. For User Name, type SyncAdmin
  9. Click the next arrow at the bottom of the pop-up
  10. Fill in the User Profile form
    • First Name: Sync
    • Last Name: Admin
    • Display Name: Sync Admin
    • Role: Global Admin
    • Alternate email address: type your corporate email here
  11. Click the next arrow at the bottom of the pop-up
  12. Click the Create button
  13. Copy the temporary password
  14. Create a permanent password for the newly created account
    1. Open an InPrivate browser window
    2. Navigate to https://portal.azure.com
    3. In the Email or Phone box, type the full name of the account
      You can find the full name in the last Add User screen (of course, you need to remove the single quotes)
    4. In the password box, paste the temporary password you copied previously
    5. Click Sign In
    6. You’ll be prompted to update the password; do so & remember the new password
    7. Close the InPrivate browser
  15. Back in the classic Azure portal, select the Directory Integration menu
  16. Next to Directory Sync, select the Activated option
  17. At the bottom of the screen, click the Save button

Installing AD Connect

  1. Go to the Azure portal @ https://portal.azure.com
  2. In the left column menu, select Resource Groups
  3. Select DCGroup
  4. Select the adBDC Virtual machine
  5. RDP into it
  6. Go to http://go.microsoft.com/fwlink/?LinkId=615771
  7. Download the AD Connect tool
  8. Install it
  9. Agree to the terms & conditions
  10. Given the simplicity of the setup (one forest, same VM as the DC), we can use the express settings: select Use express settings
  11. The tool will install components as part of the Synchronisation Service install; click Install
  12. Fill in the Connect to Azure AD form
    1. In the User name box, type the full name of the SyncAdmin account you created
    2. In the password box, type the password you set when you updated the password of the account
  13. Click the Next button
  14. Fill in the Connect to AD DS form
    1. In the user name box, type dm.demo.com\syncaccount
    2. Enter the password you gave that account (likely Abc123!@#)
  15. Click the Next button
  16. Select Continue without any verified domains and click Next
  17. You are ready to start synchronization; click Install
  18. The installation & synchronization take a few minutes
  19. Configuration should complete

Validate synchronization

Here we’ll validate that the synchronization occurs.

  1. Back in the Azure AD tenant, select the Users menu
  2. You should now see more users
  3. Moreover, the users synchronized from on-premise should be sourced from Local Active Directory (Sourced From column)
  4. Select Max Eisenhardt (one of the synchronized accounts)
  5. You should see that the fields are grayed out: you can’t modify synchronized objects since Azure AD isn’t the master of record for those objects
  6. Open an InPrivate browser window
  7. Navigate to https://portal.azure.com
  8. In the email box, type meisenhardt followed by @ & the name of your Azure AD (e.g. meisenhardt@vpllab.onmicrosoft.com)
  9. In the password box, type the password you gave to the on-premise accounts (likely Abc123!@#)
  10. You should be logged in to the portal with Max Eisenhardt’s credentials

Refine configuration

Here we’ll look at how we could refine the configuration of AD Connect.

  1. In the Active Directory VM, press the Windows key
  2. Press the down key
  3. Click the Azure AD Connect app
  4. In the tasks view, select Customize synchronization options
  5. Click Next
  6. Fill in the Connect to Azure AD form
    1. In the User name box, type the full name of the SyncAdmin account (Azure AD)
    2. In the password box, type the password you set when you updated the password of the account
  7. Click Next
  8. Fill in the Connect Directories form
    1. In the user name box, type dm.demo.com\syncaccount
    2. Enter the password you gave that account (likely Abc123!@#)
  9. Click the Next button
  10. Here we could filter which domains / OUs we synchronize
  11. Click the Next button
  12. Here we could configure other features, e.g. password writeback

Post Lab

None.

Azure Active Directory Labs Series – Creating an AD Forest

You can find the exhaustive list on the Cloud Identity & Azure Active Directory page.  This is the fifth lab.

In the current lab we configure a Virtual Machine (VM) with an Active Directory forest (on-premise AD).  This lab is a preparation for the next lab, where we’ll synchronize that forest with the Azure AD tenant we created before.

Run Template

  1. Go to https://azure.microsoft.com/en-us/documentation/templates/active-directory-new-domain-ha-2-dc/
    This is a community-based ARM template for creating an AD forest on Azure VMs.
  2. Fill in the template parameters
    • NEWSTORAGEACCOUNTNAME should be a unique name (storage account name)
    • ADMINUSERNAME can be changed to your favorite admin name; that’s the name of the admin on the VM
    • ADMINPASSWORD should be a secret password
    • ADVMSIZE should be Standard_A1
    • DOMAINNAME should be dm.demo.com
    • DNSPREFIX should be unique, for instance demo-42
  3. Accept the parameters
  4. Create a new resource group named DCs
  5. Choose the East US 2 location
  6. Read & agree to the legal terms (you do this by clicking Purchase, but the template itself is free; you only pay for the Azure resources it creates)
  7. Click Create

Install AD DS MMC snap in

  1. RDP into the adBDC VM
  2. Check that for that VM RDP is on port 13389; the load balancer NATs the RDP of the 2 VMs onto the same IP
  3. The Server Manager application should open
  4. Right-click on ADBDC and select Add Roles and Features
  5. Click Next on each tab until Features
  6. Scroll down to Remote Server Administration Tools
  7. Open the node and dig until you find AD DS Tools; make sure you have it selected
  8. Click Next
  9. Click Install
  10. You’ll need to reboot

Add a few users

  1. The Server Manager application should open
  2. Right-click on ADBDC; Active Directory Users and Computers should now be available; select it
  3. Under the dm.demo.com domain, select the Users folder
  4. Right-click the Users folder
  5. Select the New contextual menu option and the User sub-menu option
  6. Fill in the form with the following fields
    • First Name: Pietro
    • Initials: D
    • Last Name: Maximoff
    • Full Name: Pietro D. Maximoff (should be filled automatically)
    • User logon name: pmaximoff
  7. Click Next
  8. Enter the following password and repeat it in the Confirm password field: Abc123!@#
  9. Unselect User must change password at next logon
  10. Select Password never expires
  11. Click Next
  12. Click Finish
  13. Repeat the steps for another user (use the same password):
    • First Name: Max
    • Initials: (none)
    • Last Name: Eisenhardt
    • Full Name: Max Eisenhardt (should be filled automatically)
    • User logon name: meisenhardt
  14. Repeat the steps for another user (use the same password):
    • First Name: Steve
    • Initials: (none)
    • Last Name: Rogers
    • Full Name: Steve Rogers (should be filled automatically)
    • User logon name: srogers
  15. You should see the users you created in the object list

Add a few groups

  1. Right-click the Users folder
  2. Select the New contextual menu option and the Group sub menu option
  3. Enter Goodies in the Group name box
  4. Click Ok
  5. Perform the same sequence for a group named Baddies

Add a Sync User

We will add a user that AD Connect will use to connect to the directory for syncing with Azure AD.

  1. Right-click the Users folder
  2. Select the New contextual menu option and the User sub-menu option
  3. Fill in the form with the following fields
    • First Name: Sync
    • Initials: (None)
    • Last Name: Account
    • Full Name: Sync Account (should be filled automatically)
    • User logon name: syncaccount
  4. Click Next
  5. Enter the following password and repeat it in the Confirm password field: Abc123!@#
  6. Unselect User must change password at next logon
  7. Select Password never expires
  8. Click Next
  9. Click Finish
  10. In the object list, find Enterprise Admins & double-click on it
  11. Select the Members tab
  12. Click the Add button
  13. Type Sync Account in the text box & click the Check Names button; the user account you just created should be resolved
  14. Click OK to accept the account
  15. Click OK to accept the modification to the members
  16. The Sync Account is now a member of Enterprise Admins, which is a prerequisite for AD Connect

Post Lab

Make sure you find all the objects you created in the object list.

Azure Active Directory Labs Series – Adding Claims

You can find the exhaustive list on the Cloud Identity & Azure Active Directory page.  This is the fourth lab.

In the current lab we configure the Azure AD application to emit more claims in the authentication token.

Download the application manifest

  1. Go to the legacy portal @ https://manage.windowsazure.com
  2. Scroll down the left menu to the bottom and select Active Directory
  3. You should see the list of directories
  4. Select the tenant you created for this lab & enter it
  5. Select the Applications sub-menu
  6. Select the application you created in a previous lab (i.e. WebDemo)
  7. At the bottom of the screen, click the Manage Manifest button
  8. In the sub-menu, click Download Manifest
  9. In the dialog box, click Download Manifest
  10. Look for the downloaded file in your download folder; it should have the file name <application’s client ID>.json

Modify the manifest

  1. Open the manifest JSON file in an editor (e.g. Visual Studio)
  2. Find the property “groupMembershipClaims” (around line 7)
  3. Replace null with “SecurityGroup” (double quotes included: the value is a JSON string)
  4. Save the file
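
The same edit done programmatically, as an added Python example that is not code from the original lab. It assumes the downloaded <client ID>.json layout shown in the constructed SAMPLE_MANIFEST excerpt (a real manifest has many more properties; the appId is a placeholder), rejects values Azure AD does not accept for groupMembershipClaims, checks the displayName before touching the file (the file is named after the client ID, so it is easy to edit the wrong application’s manifest) and keeps a .bak copy of the original for the upload step to fall back on.

```python
"""Set groupMembershipClaims in a downloaded Azure AD application manifest.

Added example, not part of the original lab. Makes the lab's manual edit
(null -> "SecurityGroup") programmatically, leaves every other property as it
was, and rejects values the manifest does not accept. SAMPLE_MANIFEST is a
constructed excerpt; its appId is a placeholder.
"""
import json
import shutil
from pathlib import Path
from typing import Dict, Optional

# Values Azure AD accepts for groupMembershipClaims; null means no groups claim.
ALLOWED_VALUES = {None, "None", "SecurityGroup", "All"}

SAMPLE_MANIFEST = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "availableToOtherTenants": false,
  "displayName": "WebDemo",
  "groupMembershipClaims": null,
  "identifierUris": ["uri://webdemo.mydemos"],
  "replyUrls": ["https://webdemovpl.azurewebsites.net/.auth/login/aad/callback"]
}"""


def is_allowed(value: Optional[str]) -> bool:
    """True if Azure AD would accept `value` for groupMembershipClaims."""
    return value in ALLOWED_VALUES


def with_group_claims(manifest_text: str, value: Optional[str] = "SecurityGroup",
                      expected_app: Optional[str] = None) -> Dict:
    """Parse a manifest, set groupMembershipClaims and return the updated dict.

    `expected_app` guards against editing (and later uploading) the wrong
    application's manifest: the file is named after the client id, not the app.
    """
    if not is_allowed(value):
        choices = sorted(v for v in ALLOWED_VALUES if v is not None)
        raise ValueError(f"groupMembershipClaims must be null or one of {choices}")
    manifest = json.loads(manifest_text)
    if expected_app is not None and manifest.get("displayName") != expected_app:
        raise ValueError(f"manifest is for {manifest.get('displayName')!r}, not {expected_app!r}")
    manifest["groupMembershipClaims"] = value   # every other property is left untouched
    return manifest


def update_manifest_file(path: str, value: Optional[str] = "SecurityGroup",
                         expected_app: Optional[str] = None) -> Dict:
    """Rewrite <client ID>.json in place, keeping a .bak copy of the original."""
    src = Path(path)
    shutil.copyfile(src, src.with_suffix(src.suffix + ".bak"))
    manifest = with_group_claims(src.read_text(encoding="utf-8"), value, expected_app)
    src.write_text(json.dumps(manifest, indent=2) + "\n", encoding="utf-8")
    return manifest


if __name__ == "__main__":
    print(json.dumps(with_group_claims(SAMPLE_MANIFEST, expected_app="WebDemo"), indent=2))
```

Run it as update_manifest_file("<client ID>.json", expected_app="WebDemo") before the upload step. One caveat the lab does not mention: a user who belongs to more groups than a token can carry (200 for a JWT) gets an overage indication instead of the group list, so an application that relies on the groups claim has to handle that case, typically by querying the Graph API for the user’s groups instead.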

Upload the manifest

  1. Back in the portal, click the Manage Manifest button again
  2. In the sub-menu, click Upload Manifest
  3. Browse for the file on your disk
  4. Click the check button

Test Web App

If you test the Web App (deployed in a previous lab), you should see new claims of type “groups”, whose values are the unique identifiers of the groups the user is a member of.

Post Lab

None

Azure Active Directory Labs Series – Protect Web App

You can find the exhaustive list on the Cloud Identity & Azure Active Directory page.

In the current lab we create an Azure Web App and force authentication against an Azure AD application (created in a previous lab) in order to access it.  You can read Securing REST API using Azure Active Directory for something similar but with a REST API as opposed to a Web App.

Create Resource Group

  1. Go to the Azure portal @ https://portal.azure.com
  2. In the left column menu, select Resource Groups
  3. Select Add
  4. In Resource Group name, type AAD-Web-App and in Location, select East US 2
  5. Press the Create button
  6. In the resource group pane, click Refresh until you can see your newly created group

Create App Service Plan

  1. Select the newly created group
  2. In the top menu of the resource group pane, select +ADD
  3. In the search box, type App Service Plan
  4. In the results, select the one published by Microsoft with the name App Service Plan
  5. Click Create
  6. For the name of your app service plan, type MyAppPlan, use the existing resource group you just created and select East US 2 as the location
  7. Select Pricing Tier
  8. Select View all in the top right corner to show all pricing tiers
  9. Scroll down until you find F1 Free
  10. Select the free tier and click the Select button at the bottom of the pane
  11. Press the Create button in the App Service Plan pane

Create Web App

  1. In the left column menu, select Resource Groups
  2. Select the resource group you created, i.e. AAD-Web-App
  3. In the top menu of the resource group pane, select +ADD
  4. In the search box, type Web App
  5. In the results, select the one published by Microsoft with the name Web App
  6. Click the Create button
  7. For the App name, you’ll need something unique as it is mapped to a domain name, e.g. webdemovpl
  8. Use the existing resource group AAD-Web-App
  9. Select the existing App Service Plan you created in the previous section, i.e. MyAppPlan
  10. Press the Create button

Configure Web App

  1. In the left column menu, select Resource Groups
  2. Select the resource group you created, i.e. AAD-Web-App
  3. Select the web app you just created
  4. You should see the Web App pane
  5. Make sure the settings are open (otherwise, click the Settings option in the menu)
  6. In the settings pane, scroll down to the Features section (towards the bottom)
  7. Click Authentication / Authorization
  8. Turn App Service Authentication on
  9. Leave the default action as it is
    This will force users to authenticate against Azure AD when they hit your site for the first time
  10. In Authentication Providers, select the first provider, i.e. Azure AD
  11. Select the Advanced option
  12. The client ID can be found in the Azure AD application
    1. In order to get your client ID, go to the legacy portal @ https://manage.windowsazure.com
    2. Scroll down the left menu to the bottom and select Active Directory
    3. You should see the list of directories
    4. Select the tenant you created for this lab & enter it
    5. Select the Applications sub-menu
    6. Select the application you created in a previous lab (i.e. WebDemo)
    7. Select the Configure menu within the application
    8. Scroll down until you find the client ID
  13. The issuer ID will be the concatenation of https://sts.windows.net/ & your tenant ID
    1. In order to get your tenant ID, go to the legacy portal @ https://manage.windowsazure.com
    2. Scroll down the left menu to the bottom and select Active Directory
    3. You should see the list of directories
    4. Select the tenant you created for this lab & enter it
    5. Select the Applications sub-menu
    6. Select the application you created in a previous lab (i.e. WebDemo)
    7. At the bottom of the screen, select View Endpoints
    8. In any of the text boxes, extract the GUID; this is your tenant ID
  14. You should now have both fields filled in (client ID and issuer URL)
  15. Click OK
  16. Click Save in the Authentication / Authorization pane

Configure Reply URL

We need to match the application’s reply URL with the web app we just created.

When we created the AAD application we did enter http://nowhere.com because we didn’t know the web application URL.

The Reply URL will be <your web app root URL>/.auth/login/aad/callback (for instance https://webdemovpl.azurewebsites.net/.auth/login/aad/callback). The App Service gateway handles the authentication for the Web App.

  1. Go to the legacy portal @ https://manage.windowsazure.com
  2. Scroll down the left menu to the bottom and select Active Directory
  3. You should see the list of directories
  4. Select the tenant you created for this lab & enter it
  5. Select the Applications sub-menu
  6. Select the application you created in a previous lab (i.e. WebDemo)
  7. Select the Configure menu within the application
  8. Scroll down until you find the Reply URL list
  9. Remove http://nowhere.com
  10. Add <your web app root URL>/.auth/login/aad/callback (for instance https://webdemovpl.azurewebsites.net/.auth/login/aad/callback)

Deploy Web App

We could test the authentication at this point; it would land us on an empty Web App page.

But instead, we’ll deploy an ASP.NET web app to have some web content.

  1. Open Visual Studio 2015
  2. Create a web application named DemoWebApp
  3. There are two modifications to make to the vanilla template:
    1. Open Global.asax.cs. In the Application_Start method, add the line AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier; (AntiForgeryConfig comes from the System.Web.Helpers namespace and ClaimTypes from System.Security.Claims, so add the corresponding using directives)
      This ensures only that claim is looked up when testing for forgery (see https://brockallen.com/2012/07/08/mvc-4-antiforgerytoken-and-claims/ for details).
    2. Open \Views\Home\Index.cshtml.  Add @using System.Security.Claims at the top of the view (the ClaimsIdentity cast needs it), then, in order to output the claims, add the following HTML after <h1>ASP.NET</h1>

      <h2>Claims</h2>
      <table border="1">
          <thead>
              <tr>
                  <th>Issuer</th>
                  <th>Type</th>
                  <th>Value</th>
              </tr>
          </thead>
          <tbody>
              @* One row per claim, sorted by claim type so related claims sit together *@
              @foreach (var c in ((ClaimsIdentity)User.Identity).Claims.OrderBy(x => x.Type))
              {
                  <tr>
                      <td>@c.Issuer</td>
                      <td>@c.Type</td>
                      <td>@c.Value</td>
                  </tr>
              }
          </tbody>
      </table>

  4. Right-click on the web project and click Publish
  5. Select Microsoft Azure App Service
  6. Make sure to select your subscription and find the web app under the AAD-Web-App resource group
  7. Select the web app
  8. Click OK
  9. On the Connection tab, click Publish
  10. The project should deploy to Azure in your web app
  11. Your web app should open in your browser
  12. If you aren’t logged in yet, you should be invited to
  13. You should see your user name in the top right corner
  14. You can see the claims Azure AD provided to your web app

Test Web App

  1. Open an in-private session in your browser
    This will allow you to start a session afresh without Azure AD remembering your account
  2. Navigate to your web app
  3. You’ll be redirected to https://login.microsoftonline.com/
  4. In Email or Phone, type the full user name as it appears in the Azure AD console (Users tab)
    The user name should be suffixed by @<name of your tenant>.onmicrosoft.com
  5. You’ll notice that when you tab away from the email text box, the browser does an online validation. This is because Azure AD now knows in which tenant you want to log in (which could be different from the tenant your application is using, since you can bring users from other tenants) and it can apply the policies of that tenant, e.g. requiring a PIN.
  6. In Password, type the password of the user you copied when you created it
    (If you didn’t note the password, you can reset it)
  7. Click the Sign in button
  8. You’ll be prompted to change your password; do so
  9. You’ll be redirected to your web app
  10. You’ll see that Alan Scott is logged in & you can see his claims
  11. Repeat the same process (starting by opening a new in-private session) with the Harley Quinn user, whom we didn’t assign to the application
  12. You should be denied access

Post Lab

Let’s look at a few claims sent by AAD:

Name              Claim type      Value
Audience          aud             The client ID of the application
Issuer            iss             The issuer URL you configured for the web app
Issued at         iat             The time at which the token was issued, in JSON time notation (i.e. integer number of seconds since January 1st 1970)
Not before        nbf             Time the token was issued (in JSON time notation)
Not on or after   exp             Time at which the token expires (in JSON time notation)
Name              http:/…/name    Full name of the account (with @<directory name>)

See https://azure.microsoft.com/en-us/documentation/articles/active-directory-token-and-claims/ for details.
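
The claims in the table above, checked the way a relying party should check them, as an added Python example (not code from the original post). It decodes the payload of a compact JWT and verifies aud against the client ID, iss against the tenant’s STS issuer, iat/nbf/exp against the current time with a clock-skew tolerance, and that a name claim is present, looking for it both under the long claim-type URI the table abbreviates (what the ASP.NET claims view shows) and under the short unique_name / upn keys a raw token carries. Signature verification is deliberately not part of it: the App Service gateway, or a JWT library fed the tenant’s signing keys, must do that before any claim can be trusted. CLIENT_ID, TENANT_ID and both sample tokens are constructed placeholders.

```python
"""Decode an Azure AD token's payload and check the claims a relying party must verify.

Added example, not part of the original post. Signature verification is out of
scope (done by the App Service gateway or a JWT library with the tenant's keys);
this only covers the claim checks. CLIENT_ID, TENANT_ID and the sample tokens
are constructed placeholders.
"""
import base64
import json
import time
from typing import Dict, List, Optional

CLIENT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder: the app's client ID
TENANT_ID = "00000000-0000-0000-0000-000000000002"  # placeholder: your tenant ID
ISSUER = "https://sts.windows.net/" + TENANT_ID       # the issuer URL configured for the web app
# Where the account name may live: the mapped claim type (as the web app sees it)
# or the short keys a raw Azure AD token carries.
NAME_CLAIMS = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
               "unique_name", "upn")
NOW = 1_700_000_000  # fixed "current time" so the samples are reproducible


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(payload: Dict) -> str:
    """Constructed sample input: an unsigned compact JWT with an empty signature part."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


def decode_claims(token: str) -> Dict:
    """Return the payload (second segment) of a compact JWT as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def account_name(claims: Dict) -> Optional[str]:
    """The account's name, whichever key carries it."""
    return next((claims[k] for k in NAME_CLAIMS if k in claims), None)


def claim_problems(claims: Dict, now: Optional[float] = None, skew: int = 300) -> List[str]:
    """Names of the checks that fail; an empty list means the claims are acceptable.

    `skew` (seconds) tolerates clock drift between the STS and this machine."""
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud")             # token minted for another application
    # Real tokens carry the issuer with a trailing slash; compare without it.
    if str(claims.get("iss", "")).rstrip("/") != ISSUER.rstrip("/"):
        problems.append("iss")             # token from another tenant or STS
    times = {k: claims.get(k) for k in ("iat", "nbf", "exp")}
    for name, value in times.items():
        if not isinstance(value, int):
            problems.append(name)          # missing or not JSON time notation
    if isinstance(times["iat"], int) and times["iat"] > now + skew:
        problems.append("iat")             # issued in the future
    if isinstance(times["nbf"], int) and times["nbf"] > now + skew:
        problems.append("nbf")             # not yet valid
    if isinstance(times["exp"], int) and times["exp"] <= now - skew:
        problems.append("exp")             # expired
    if account_name(claims) is None:
        problems.append("name")
    return problems


def sample_good_token() -> str:
    return make_sample_token({"aud": CLIENT_ID, "iss": ISSUER + "/",
                              "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
                              "unique_name": "ascott@vpllab.onmicrosoft.com"})


def sample_bad_token() -> str:
    # Right issuer, but minted for another application and expired an hour ago.
    return make_sample_token({"aud": "another-app", "iss": ISSUER + "/",
                              "iat": NOW - 7200, "nbf": NOW - 7200, "exp": NOW - 3600,
                              "unique_name": "ascott@vpllab.onmicrosoft.com"})


if __name__ == "__main__":
    for tok in (sample_good_token(), sample_bad_token()):
        print(account_name(decode_claims(tok)), claim_problems(decode_claims(tok), now=NOW))
```

The order of the checks mirrors the table: audience and issuer first (a perfectly fresh token for the wrong application or tenant is still worthless), then the three time claims, each reported separately so a log line says which one failed.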

Azure Active Directory Labs Series – Create Application

You can find the exhaustive list on the Cloud Identity & Azure Active Directory page.

In the current lab we create an Azure AD application that will be useful in future labs.  You can also read Azure Active Directory Application to learn more about the conceptual side of applications in AAD.

Lab objectives

Create a new application in an Azure Active Directory tenant.

We will use this application in another lab to protect an Azure Web App.

Create Application

  1. Go to the legacy portal @ https://manage.windowsazure.com
  2. Scroll down the left menu to the bottom and select Active Directory
  3. You should see the list of directories
  4. Select the tenant you created for this lab & enter it
  5. Select the Applications sub-menu
  6. In the middle-bottom of the screen, click ADD
  7. In the pop-up window, select the first option
  8. For the name of the application, type WebDemo
  9. Leave the type of application as Web Application and / or Web API
  10. Click the next button at the bottom of the dialog
  11. For the sign-on URL, at the moment it is unimportant, so type http://nowhere.com
  12. For App ID URI, type uri://webdemo.mydemos
    The App ID URI is a unique identifier for the application within your tenant; it doesn’t need to be a URL (i.e. have a valid protocol), which is why we can prefix it with uri:// as we do here
  13. Click the check mark to create the application

Limit Access to application

We will limit access to this application to a selected group of users.

  1. Select the Configure menu on the application
  2. Scroll down until you find User Assignment Required to access App and select Yes
  3. Click the Save button at the bottom of the screen
  4. Wait for it to finish saving
  5. Select the Users menu on the application
  6. Select the first user, i.e. Alan Scott
  7. Click the Assign button at the bottom of the screen
  8. Answer Yes (you want to enable access for the user)
  9. Repeat the step for the second user, i.e. Barry Allen
  10. Note: with Azure AD Premium, you can assign groups as well as users

Post Lab

  1. Select the Configure menu on the application and look at the configuration

Azure Active Directory Labs Series – Creating a tenant

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them with the general public; here they are.  This is the first of the series.

The labs follow each other and build on each other.  For instance, in the current lab we create users that will be useful in future labs.

UPDATE (30-08-2016):  All labs will be available from the Cloud Identity / Azure Active Directory page.

Lab objectives

Create a new Azure Active Directory tenant and populate it with a few users and groups.

Creating an AAD tenant

  1. Go to the legacy portal @ https://manage.windowsazure.com
  2. Scroll down the left menu to the bottom and select Active Directory
  3. You should see the list of directories
  4. At the bottom left, click +NEW
  5. Select Directory
  6. Select Custom Create
  7. You should get a web pop-up
    1. Under Name, type a display name for the directory
    2. Under Domain Name, enter a unique name
      1. The domain name doesn’t need to be the same as the display name, but of course it does help for management purposes when they are
      2. The domain name needs to be unique throughout all Azure Active Directories of all customers, since it is used in DNS resolution
      3. The domain name can only contain letters and numbers
    3. Under Country or region, select your country (e.g. Canada)
    4. Do not select the B2C feature
  8. Your newly created directory should appear in the list (vpl-2 in the example)

Creating users

  1. Select the tenant you just created & enter it
  2. In the top menu, select Users
  3. You should already be a user of the tenant: your name should appear in the user list
  4. At the bottom of the screen, click Add User
  5. In the dialog box, leave “New user in your organization” & type “ballen” as the user name
  6. Click through to the next screen, then for the first name type “Barry”, last name “Allen”, full name “Barry Allen”, leave the role as User and do not select multi-factor authentication
  7. You should get to the summary screen; click Create
  8. Copy the password somewhere: you’ll need it to log in in a later lab
  9. Repeat the same steps for 2 more users (keep the passwords too):
    1. ascott, Alan Scott
    2. hquinn, Harley Quinn

Creating groups

  1. In the top menu, select Groups
  2. There should be no group in your tenant
  3. At the bottom of the screen, click Add Group
  4. In the dialog box, enter SuperHeroes for Name and leave the group type as Security; you can leave Description blank
  5. Create another group named SuperVillains

Assign users to groups

  1. Select the SuperHeroes group & enter it
  2. Select Add Members
  3. For Alan Scott, select the plus sign
  4. Do the same for Barry Allen
  5. You should have both users in the Selected column
  6. Accept the selection by clicking the check mark at the bottom right of the dialog box
  7. Click the back button to go back to the group list
  8. Repeat the same sequence of steps, selecting the SuperVillains group and adding Harley Quinn as a member

Post Lab

You can enter inside your directory and explore each menu in the portal.
