Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public.  The labs follow each other and build on each other.

You can find the exhaustive list in Cloud Identity & Azure Active Directory page.  This is the seventh lab.

In the current lab we will explore the Microsoft Graph API, which is a superset of the Azure AD Graph API, including Office 365 entities.

Log in

1. Open an in private browser session
2. Go to https://graph.microsoft.io/en-us/graph-explorer
3. Sign in with SyncAdmin full name, e.g. SyncAdmin@vpllab.onmicrosoft.com
   That account is Global admin on the tenant and can therefore see more things than a simple user

Explore

1. Next to the “GET” verb type https://graph.microsoft.com/v1.0/me
   
2. Type Enter
3. You should get a JSON / OData payload describing the user
4. Type https://graph.microsoft.com/v1.0/users
5. You should get all the user in the tenant
6. Scroll to Alan Scott user
7. With your mouse, click its ID
8. This should open the link https://graph.microsoft.com/v1.0/users/<UID of the user>
9. Append /memberof to that link
10. You should see the groups Alan Scott is in

Post Lab

Open https://graph.microsoft.io/en-us/docs and try different queries.

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public.  The labs follow each other and build on each other.

You can find the exhaustive list in Cloud Identity & Azure Active Directory page.  This is the sixth lab.

In the current lab we configure AD Connect to synchronize on premise AD with Azure AD.  We will install AD Connect on one of the Domain Controller created in an earlier lab. In a more realistic environment you would install AD Connect on a separate VM joined to the Domain Controller’s domain. The configuration would be very similar.

Configure Azure AD

1. Go to the legacy portal @ https://manage.windowsazure.com
2. Scroll down the left menu to the bottom and select Active Directory
   
3. You should see the following screen
   
4. Select a tenant you created for this lab & enter it
   
5. Select the Users menu
6. At the screen bottom, click the Add User button
7. An Add User dialog should appear
8. For User Name, type SyncAdmin
9. Click the next arrow at the bottom of the pop up
10. Fill the User Profile form
    • First Name: Sync
    • Last Name: Admin
    • Display Name: Sync Admin
    • Role: Global Admin
    • Alternate email address: type your corporate email here
11. Click the next arrow at the bottom of the pop up
12. Click the Create button
13. Copy the temporary password
14. Create a permanent password for the newly created account
    1. Open an In private Browser Window
    2. Navigate to https://portal.azure.com
    3. In the Email or Phone, type the full name of the account
       You can find the name in the full name of your account in the last Add User screen (of course, you need to remove the single quotes)
       
    4. In the password text box, paste the new password you copied previously
    5. Click Sign In
    6. You’ll be prompted to update the password ; do so & remember the new password
    7. Close the In private browser
15. Back in the classic Azure portal, select the Directory Integration menu
    
16. Next to the Directory Sync select Activated option
    
17. At the bottom of the screen, click the Save button

Installing AD Connect

1. Go to the Azure portal @ https://portal.azure.com
2. In the left column menu, select Resource Groups
   
3. Select DCGroup
4. Select adBDC Virtual machine
5. RDP into it
6. Go to http://go.microsoft.com/fwlink/?LinkId=615771
7. Download the AD Connect tool
8. Install it
9. Agree on terms & conditions
10. Given the simplicity of the setup (one forest, same VM as the DC), we can use the express settings
    Select Use express settings
    
11. The tool will install components as part of Synchronisation Service install, click Install
12. Fill the Connect to Azure AD form
    
    1. In the User name box, type the full name of the SyncAdmin account you created
    2. In the password box, type the password you typed when you updated the password of the account
13. Click the Next button
14. Fill Connect to AD DS form
    
    1. In user name box, type dm.demo.com\syncaccount
    2. Enter the password you gave that account (likely Abc123!@#)
15. Click the Next button
16. Select Continue without any verified domains and click Next
    
17. You are ready to start synchronization, click Install
    
18. The installation & synchronization takes a few minutes
19. Configuration should complete
    

Validate synchronization

Here we’ll validate that the synchronization occurs.

1. Back in the Azure AD tenant, select the Users menu
2. You should now see more users
3. Moreover, the users synchronized from on premise should be sourced from Local Active Directory (Sourced From column)
   
4. Select Max Eisenhardt (one of the synchronized account)
5. You should see that fields are grayed out: you can’t modified synchronized objects since Azure AD isn’t the master of record of those objects
   
6. Open an In Private browser window
7. Navigate to https://portal.azure.com
8. In email box, type meisenhardt followed by @ & the name of your Azure AD (e.g. meisenhardt@vpllab.onmicrosoft.com)
9. In password box, type the password you gave to on premise accounts (likely Abc123!@#)
10. You should login to the portal with Max Eisenhardt credentials

Refine configuration

Here we’ll look at how we could refine the configuration of AD Connect.

1. In the Active Directory VM, press the Windows key
2. Press the down key
   
3. Click the Azure AD Connect App
   
4. In the tasks view, select Customize synchronization options
   
5. Click Next
6. Fill the Connect to Azure AD form
   
   1. In the User name box, type the full name of the SyncAdmin account (Azure AD)
   2. In the password box, type the password you typed when you updated the password of the account
7. Click Next
8. Fill Connect Directories form
   
   1. In user name box, type dm.demo.com\syncaccount
   2. Enter the password you gave that account (likely Abc123!@#)
9. Click the Next button
10. Here we could filter on which domains / OUs we synchronize
    
11. Click the Next button
12. Here we could configure other features, e.g. password writeback
    

Post Lab

None.

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public.  The labs follow each other and build on each other.

You can find the exhaustive list in Cloud Identity & Azure Active Directory page.  This is the fifth lab.

In the current lab we configure a Virtual Machine (VM) with an Active Directory forest (on premise AD).  This lab is a preparation to the next lab where we’ll synchronize that forest with the Azure AD tenant we’ve created before.

Run Template

1. Go to https://azure.microsoft.com/en-us/documentation/templates/active-directory-new-domain-ha-2-dc/
   This is a community based ARM template for creating an AD forest on Azure VMs.
2. Fill in the template parameters
   • NEWSTORAGEACCOUNTNAME should be a unique name (storage account name)
   • ADMINUSERNAME can be changed to your favorite admin name ; that’s the name of the admin on the VM
   • ADMINPASSWORD should be a secret password
   • ADVMSIZE should be Standard_A1
   • DOMAINNAME should be dm.demo.com
   • DNSPREFIX should be unique, for instance demo-42
3. Accept the parameters
4. Create a new resource group named DCs
5. Chose the East-US 2 location
6. Read & agree to legal terms (you do this by clicking Purchase but the template itself is free, you only pay for the Azure resources it creates)
7. Click Create

Install AD DS MMC snap in

1. RDP into the adBDC VM
2. Validate that for that VM the RDP should be on port 13389 ; this is done by the load balancer NATing 2 VMs RDP on the same IP
3. Server Manager application should be opened
4. Right click on ADBDC and select Add Roles and Features
   
5. Click next on each tab until Features
6. Scroll down to Remote Server Administration Tools
7. Open the node and dig until you find AD DS Tools ; make sure you have it selected
   
8. Click Next
9. Click install
10. You’ll need to reboot

Add a few users

1. Server Manager application should be opened
2. Right click on ADBDC and Active Directory Users and Computers should now be available ; select it
   
3. Under the dm.demo.com domain, select the Users folder
4. Right-click the Users folder
5. Select the New contextual menu option and the User sub menu option
   
6. Fill the form with the following fields
   First Name: Pietro
   Initials: D
   Last Name: Maximoff
   Full Name: Pietro D. Maximoff (should be filled automatically)
   User logon name: pmaximoff
   
7. Click Next
8. Enter the following password and repeat it in the Confirm password field: Abc123!@#
9. Unselect User must change password at next logon
10. Select Password never expires
    
11. Click Next
12. Click Finish
13. Repeat the steps for another user (use the same password):
    First Name: Max
    Initials: (none)
    Last Name: Eisenhardt
    Full Name: Max Eisenhardt (should be filled automatically)
    User logon name: meisenhardt
14. Repeat the steps for another user (use the same password):
    First Name: Steve
    Initials: (none)
    Last Name: Rogers
    Full Name: Steve Rogers (should be filled automatically)
    User logon name: srogers
15. You should see the users you created in the object list
    

Add a few groups

1. Right-click the Users folder
2. Select the New contextual menu option and the Group sub menu option
   
3. Enter Goodies in the Group name box
4. Click Ok
5. Perform the same sequence for a group named Baddies

Add a Sync User

We will add a user to connect to the directory for syncing with Azure AD

1. Right-click the Users folder
2. Select the New contextual menu option and the User sub menu option
   
3. Fill the form with the following fields
   
   • First Name: Sync
   • Initials: (None)
   • Last Name: Account
   • Full Name: Sync Account (should be filled automatically)
   • User logon name: syncaccount
4. Click Next
5. Enter the following password and repeat it in the Confirm password field: Abc123!@#
6. Unselect User must change password at next logon
7. Select Password never expires
   
8. Click Next
9. Click Finish
10. In the object list, find Enterprise Admins & double-click on it
11. Select the Members tab
12. Click the Add button
    
13. Type Sync Account in the text box & click the Check Names button ; the user account you just created should be resolved
    
14. Click OK to accept the account
15. Click OK to accept the modification to members
16. The Sync Account now is a member of the Enterprise Admins, which is a prerequisite for AD Connect

Post Lab

Make sure you find all the objects you created in the object list.

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public.  The labs follow each other and build on each other.

You can find the exhaustive list in Cloud Identity & Azure Active Directory page.  This is the fourth lab.

In the current lab we configure Azure AD application to emit more claims in the authentication token.

Download the application manifest

1. Go to the legacy portal @ https://manage.windowsazure.com
2. Scroll down the left menu to the bottom and select Active Directory
   
3. You should see the following screen
   
4. Select a tenant you created for this lab & enter it
   
5. Select the Applications sub menu
   
6. Select the application you’ve created in a previous lab (i.e. WebDemo)
7. At the bottom of the screen, click the Manage Manifest button
   
8. In the sub menu, click Download Manifest
9. In the dialog box, click Download Manifest
10. Look for the downloaded file, in your download folder, it should have the file name <application’s client ID>.json

Modify the manifest

1. Open the manifest json file into an editor (e.g. Visual Studio)
2. Find the property “groupMembershipClaims” (around line 7^th)
3. Replace null by “SecurityGroup”
4. Save the file

Upload the manifest

1. Back in the portal click again on the Manage Manifest button
   
2. In the sub menu, click Upload Manifest
3. Browse for the file on your disk
4. Click the check button

Test Web App

If you test the Web App (deployed in a previous lab), you should see that you have new claims of type “groups” with the unique identifier of the groups the user is member of as value.

Post Lab

None

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public.  The labs follow each other and build on each other.

You can find the exhaustive list in Cloud Identity & Azure Active Directory page.

In the current lab we create an Azure Web App and force authentication against an Azure AD application (created in a previous lab) in order to access it.  You can read Securing REST API using Azure Active Directory for something similar but with a REST API as opposed to a Web App.

Create Resource Group

1. Go to the Azure portal @ https://portal.azure.com
2. In the left column menu, select Resource Groups
   
3. Select Add
   
4. In Resource Group name, type AAD-Web-App and in location, select East US 2
   
5. Press the create button
6. In the resource group pane, click refresh until you can see your newly created group

Create App Service Plan

1. Select the newly create group
2. In the top menu of the resource group pane, select +ADD
   
3. In the search box, type App Service Plan
   
4. In the results, select the one published by Microsoft with the name App Service Plan
   
5. Click Create
6. For the name of your app service plan, type MyAppPlan, use the existing resource group you just created and select East US 2 as a location
   
7. Select Pricing Tier
8. Select view all in the top right corner to show all pricing tier
   
9. Scroll down until you find F1 Free
   
10. Select the free tier and click the select button down the pane
11. Press the create button in the App Service Plan pane

Create Web App

1. In the left column menu, select Resource Groups
   
2. Select the resource group you created, i.e. AAD-Web-App
3. In the top menu of the resource group pane, select +ADD
   
4. In the search box type Web App
5. In the results, select the one published by Microsoft with name Web App
6. Click the create button
7. For the App name, you’ll need something unique as it is mapped to a domain name, e.g. webdemovpl
8. Use the existing resource AAD-Web-App
9. Select the existing App Plan you created in the previous section, i.e. MyAppPlan
10. Press the Create button

Configure Web App

1. In the left column menu, select Resource Groups
   
2. Select the resource group you created, i.e. AAD-Web-App
3. Select the web app you just created
   
4. You should see the Web App pane
   
5. Make sure the settings are open (otherwise, click the Settings option in the menu)
6. In the settings pane, scroll down until the Features section (towards the bottom)
7. Click Authentication / Authorization
   
8. Turn the App Service Authentication on
   
9. Leave the default action there
   
   This will force user to authenticate against Azure AD when they hit you site the first time
10. In Authentication Providers, select the first provider, i.e. Azure AD
    
11. Select the Advanced option
    
12. The client id can be found in the Azure AD application
    1. In order to get your client ID, Go to the legacy portal @ https://manage.windowsazure.com
    2. Scroll down the left menu to the bottom and select Active Directory
       
    3. You should see the following screen
       
    4. Select a tenant you created for this lab & enter it
       
    5. Select the Applications sub menu
       
    6. Select the application you’ve created in a previous lab (i.e. WebDemo)
    7. Select the configure menu within the application
       
    8. Scroll down until you find the client ID
       
13. The issuer id will be the concatenation of https://sts.windows.net/ & your tenant ID
    1. In order to get your tenant ID, Go to the legacy portal @ https://manage.windowsazure.com
    2. Scroll down the left menu to the bottom and select Active Directory
       
    3. You should see the following screen
       
    4. Select a tenant you created for this lab & enter it
       
    5. Select the Applications sub menu
       
    6. Select the application you’ve created in a previous lab (i.e. WebDemo)
    7. At the bottom of the screen select View Endpoints
       
    8. In any of the text box, extract the GUID ; this is your tenant ID
       
14. You should have filled the fields like this
    
15. Click OK
16. Click Save in the Authentication / Authorization pane

Configure Reply URL

We need to match the application’s reply URL with the web app we just created.

When we created the AAD application we did enter http://nowhere.com because we didn’t know the web application URL.

The Reply URL will be <your web app root URL>/.auth/login/aad/callback (for instance https://webdemovpl.azurewebsites.net/.auth/login/aad/callback). The App Service gateway handles the authentication for the Web App.

1. Go to the legacy portal @ https://manage.windowsazure.com
2. Scroll down the left menu to the bottom and select Active Directory
   
3. You should see the following screen
   
4. Select a tenant you created for this lab & enter it
   
5. Select the Applications sub menu
   
6. Select the application you’ve created in a previous lab (i.e. WebDemo)
7. Select the configure menu within the application
   
8. Scroll down until you find the reply url list
   
9. Remove http://nowhere.com
10. Add <your web app root URL>/.auth/login/aad/callback (for instance https://webdemovpl.azurewebsites.net/.auth/login/aad/callback)

Deploy Web App

We could test the authentication at this point. It would land us to an empty Web app page.

But instead, we’ll deploy an ASP.NET web app to have some web content.

1. Open Visual Studio 2015
2. Create a web application named DemoWebApp
3. There are two modifications to do from the vanilla template:
   1. Open Global.asax.cs. In method Application_Start, add the line AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier
      This ensures only that claim is looked up for when testing for forgery (see https://brockallen.com/2012/07/08/mvc-4-antiforgerytoken-and-claims/ for details).
   2. Open \Views\Home\Index.cshtml.  In order to output the claims, add the following HTML after <h1>ASP.NET</h1>

      
      <h2>Claims</h2>
      
      
      <table border=”1″>
      
      <thead>
      
      <tr>
      
      <th>Issuer</th>
      
      
      <th>Type</th>
      
      
      <th>Value</th>
      
              </tr>
      
          </thead>
      
      
      <tbody>
              @foreach (var c in ((ClaimsIdentity)User.Identity).Claims.OrderBy(c => c.Type))
              {
      
      <tr>
      
      <td>@c.Issuer</td>
      
      
      <td>@c.Type</td>
      
      
      <td>@c.Value</td>
      
                  </tr>
      
              }
          </tbody>
      
      </table>
      
      

4. Right click on the web project and click Publish…
   
5. Select Microsoft Azure App Service
   
6. Make sure to select your subscription and find the web app under the AAD-Web-App resource group
   
7. Select the web app
8. Click OK
9. On the connection tab, click Publish
10. The project should deploy to Azure in your web app
11. Your web app should open in your browser
12. If you aren’t logged in yet, you should be invited to
13. You should see your user name in the top right corner
14. You can see the claims Azure AD provided to your web app

Test Web App

1. Open an in-private session on your browser
   This will allow you to start a session afresh without Azure AD remembering your account
2. Navigate to your web app
3. You’ll be redirected to https://login.microsoftonline.com/
4. In Email or Phone, type the full user name as it appear in the Azure AD console (users tab)
   
   The user name should be suffixed by @<name of your tenant>.onmicrosoft.com
5. You’ll notice that when you tab away from the email textbox, the browser does an online validation. This is because Azure AD now knows in which tenant you want to login (which could be different than then tenant your application is using since you can bring users from other tenants) and it could apply policies of that tenant, e.g. requiring a PIN.
6. In password, type the password of the user you’ve copied when you created it
   (If you didn’t note the password, you can reset it)
7. Click the sign in button
   
8. You’ll be prompted to change your password ; do so
9. You’ll be redirected to your web app
10. You’ll see that Alan Scott is logged in & you can see its claims
11. Repeat the same process (starting by opening a new in-private session) with the Harley Quinn user, which we didn’t assign to the application
12. You should be denied access
    

Post Lab

Let’s look at a few claims sent by AAD

See https://azure.microsoft.com/en-us/documentation/articles/active-directory-token-and-claims/ for details.

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public.  The labs follow each other and build on each other.

You can find the exhaustive list in Cloud Identity & Azure Active Directory page.

In the current lab we create an Azure AD application that will be useful in future labs.  You can also read Azure Active Directory Application to learn more about the conceptual side of applications in AAD.

Lab objectives

Create a new application in an Azure Active Directory tenant.

We will use this application in another lab to protect an Azure Web App.

Create Application

1. Go to the legacy portal @ https://manage.windowsazure.com
2. Scroll down the left menu to the bottom and select Active Directory
   
3. You should see the following screen
   
4. Select a tenant you created for this lab & enter it
   
5. Select the Applications sub menu
   
6. In the middle-bottom of the screen, click ADD
   
7. In the pop up window, select the first option
   
8. For the name of the application, type WebDemo
   
9. Leave the type of application to Web Application and / or Web API
10. Click the next button at the bottom of the dialog
11. For sign-on URL, at the moment it is unimportant, so type http://nowhere.com
12. For App ID URI, type uri://webdemo.mydemos
    Type URI is a unique identifier within your tenant for the application ; it doesn’t need to be a URL (i.e. having a valid protocol), as we do here we prefix it with uri://
13. Click the check box to create the application

Limit Access to application

We will limit the access of this application to a selected group of users

1. Select the configure menu on the application
   
2. Scroll down until you find User Assignment Requied to access App and select Yes
   
3. Click the save button at the bottom of the screen
4. Wait for it to finish saving
5. Select the Users menu on the application
   
6. Select the first user, i.e. Alan Scott
7. Click the assign button at the bottom of the screen
   
8. Answer yes (you want to enable access for the user)
9. Repeat the step for the second user, i.e. Barry Allen
10. Note: with Azure AD Premium, you can assign groups and users

Post Lab

1. Select the configure menu on the application and look at the configuration
   

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public, here they are.  This is the first of the series.

The labs follow each other and build on each other.  For instance, in the current lab we create users that will be useful in future labs.

UPDATE (30-08-2016):  All labs will be available from the Cloud Identity / Azure Active Directory page.

Lab objectives

Create a new Azure Active Directory tenant and populates it with a few users and groups.

Creating an AAD tenant

1. Go to the legacy portal @ https://manage.windowsazure.com
2. Scroll down the left menu to the bottom and select Active Directory
   
3. You should see the following screen
   
4. At the bottom left, click the +NEW
   
5. Select Directory
   
6. Select Custom Create
   
7. You should have the follow web pop up
   
   1. Under Name, type a display name for the directory
   2. Under Domain Name, enter a unique name
      1. The domain name doesn’t need to be the same as the display name, but of course it does help for management purposes when they are
      2. The domain name needs to be unique throughout all Azure Active Directories of all customers since it is used in a DNS resolution
      3. The domain name can only contain letters and numbers
   3. Under country or region, select your country (e.g. Canada)
   4. Do not select B2C feature
8. Your newly created directory should appear in the list as follow (vpl-2 in the example)
   

Creating users

1. Select the tenant you just created & enter it
   
2. In the top menu, select users
   
3. You should already be a user of the tenant: your name should appear in the user list
4. At the bottom of the screen, click Add User
   
5. In the dialog box, leave “New user in your organization” & type “ballen” as the user name
   
6. Click for the next screen then for the first name type “Barry”, last name “Allen”, full name “Barry Allen”, leave the role as user and do not select multi-factor
   
7. You should get to this screen ; click create
   
8. Copy the password somewhere: you’ll need it to log in in a later lab
9. Repeat the same steps for 2 more users (keep the passwords too):
   1. ascott, Alan Scott
   2. hquinn, Harley Quinn

Creating groups

1. In the top menu, select groups
   
2. There should be no group in your tenant
3. At the bottom of the screen, click Add Group
   
4. In the dialog box, enter SuperHeroes for Name and leave the group type as Security ; you can leave Description blank
   
5. Create another group named SuperVillains

Assign users to groups

1. Select the SuperHeroes group & enter it
   
2. Select Add Members
   
3. For Alan Scott, select the plus sign
   
4. Do the same for Barry Allen
5. You should have both users in the Selected column
   
6. Accept the selection by clicking the check box at the bottom right of the dialog box
7. Click the back button to go back the group list
   
8. Repeat the same sequence of steps, selecting the SuperVillains group and adding Harley Quinn as a member

Post Lab

You can enter inside your directory and explore each menu in the portal.