Academic year: 2021

LAB 2: Identity Management

Contents

Lab 2: Identity Management ... 2

Exercise 1: install and configure prerequisites for configuring AD FS ... 3

Tasks ... 3

Exercise 2: adding and verifying a standard domain to Office 365 ... 4

Tasks ... 4

Exercise 3: download and install Windows Azure AD Synchronization ... 7

Tasks ... 7

Exercise 4: create a new organizational unit, users, contacts and distribution groups... 8

Tasks ... 8

Exercise 5: configure and review Windows Azure AD Password Sync... 9

Tasks ... 9

Exercise 6: adding a federated domain ...12


Lab 2: Identity Management

Before you begin...

This lab depends on the completion of the previous exercises, more specifically the registration of an Office 365 tenant.

What you will learn

After completing the exercises, you will be able to:

 Install the Microsoft Online Services module for Windows PowerShell

 Install the Microsoft Online Services Sign-in Assistant.

 Add and verify federated domains

 Connect to the Microsoft Online Services portal

Scenario


Exercise 1: install and configure prerequisites for configuring AD FS

In this exercise, you will install the Microsoft Online Services Module for Windows PowerShell as well as the Microsoft Online Services Sign-in Assistant.

Tasks

1. Install the Microsoft Online Services Sign-in Assistant.

User credentials are managed by Microsoft Online Services ID. To sign in to the services, users must install the Microsoft Online Services Sign-In Assistant. The Sign-In Assistant is also required by the Microsoft Online Services Module for Windows PowerShell.

a. Switch to HYBRID-DC01 and log on as ONPREM\Admin with a password of pass@word1.

b. Open the Start Menu and then click Internet Explorer.

c. In the Address box, type http://download.microsoft.com and then press Enter.

d. On the Download Center page, in the search box, type Online Services Sign-in Assistant and then press Enter.

e. On the results page, click Microsoft Online Services Sign-In Assistant for IT Professionals RTW (version of 02/17/2014)

f. Click Download.

g. On the Choose the download you want page, click en\msoidcli_64.msi and click Next.

h. Click Run.

Wait for the download to complete. The setup will start automatically when finished downloading.

i. In the Microsoft Online Services Sign-In Assistant setup, make sure that the checkbox next to I accept the terms in the License... is selected and then click Install.

j. If a User Account Control window pops up, click Yes.

k. After the installation completes, click Finish.

2. Install the Microsoft Online Services Module for Windows PowerShell

After you have deployed Active Directory Federation Services, the next step to set up single sign-on (also called identity federation) is to download, install, and configure the Microsoft Online Services Module for Windows PowerShell. This does not necessarily have to happen on the AD FS server, but doing so makes things a little easier.

a. Switch back to Internet Explorer.

b. Open the Start Menu and then click Internet Explorer.

c. In the Address box, type https://portal.microsoftonline.com and then press Enter.

d. On the Microsoft Online Services page, in the top input box ([email protected]),


e. In the Password box, type your password and verify that the Keep me signed in check box is selected, and then click Sign in.

f. Once signed in, click Admin > Office 365

g. On the Office 365 admin center page, in the left side navigation, click USERS and then click Active Users

h. On the Active Users page, click Set up next to Single Sign On at the top of the page.

i. On the Set up and manage single sign-on page, under step 3, click Windows 64-bit version and then click Download.

j. Click Run.

k. On the Welcome to the Windows Azure Active Directory Module for Windows PowerShell Setup page, click Next.

l. On the License Terms page, select the I accept the terms in the License Terms radio button and then click Next.

m. On the Install Location page, review the default values, and then click Next.

n. On the Ready to Install page, click Install.

o. If a User Account Control window pops up, click Yes.

p. On the Completing the Windows Azure Active Directory Module for Windows PowerShell Setup page, click Finish.

Exercise 2: adding and verifying a standard domain to Office 365

In this exercise, you will add a standard domain to Office 365. When using a standard domain, Windows Azure AD remains the identity provider for your cloud users. This means that your users will use a different set of credentials on-premises and in Office 365. In a later exercise, you will set up Password Synchronization, which should make the difference between both identities as transparent as possible.

Tasks

1. Add and verify a standard domain

a. On HYBRID-DC01, double-click the Windows Azure Active Directory Module for Windows PowerShell shortcut on the desktop.

b. At the PS prompt, type in the following command and then press Enter:

$cred = Get-Credential

c. In the Windows PowerShell Credential Request window, in the User name box, type the account name you use to sign in to Microsoft Online Services.

This is the user you created while registering for a trial account, earlier in the exercises.

d. In the Password box, type your password and click OK

e. At the PS prompt, type in the following command and then press Enter:

Connect-MSOLService -Credential $cred


Note: this step is only required if you run the Azure AD Module for PowerShell from a computer other than the AD FS server.

g. At the PS prompt, type in the following command and then press Enter:

New-MSOLDomain -Name studentprefix.hybridexchangeworkshop.com

The domain name you enter here should match the domain name that is also used as the UPN suffix in your on-premises Active Directory.

h. At the PS prompt, type in the following command and then press Enter:

Get-MSOLDomainVerificationDns -DomainName studentprefix.hybridexchangeworkshop.com

This command should return information similar to this:

CanonicalName : ps.microsoftonline.com
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
Capability    : None
IsOptional    :
Label         : ms23567999.std12.hybridexchangeworkshop.com
ObjectId      : fe8b277b-6665-477a-82a5-13d12093c912
Ttl           : 3600

The relevant portion of the output is the Label attribute.

i. Log on to the GoDaddy DNS panel as described in the first chapter of this workshop. Create a new TXT record in the public DNS zone of your child domain name. The value of the TXT record should be "MS=" followed by the first part of the Label attribute (everything before the first dot in the output above).

i. Click Quick Add (1).

ii. Enter your student prefix in the host field (2).

iii. Enter the value as described above (3).

iv. Click Save Zone File (black button).

To add a record to the public DNS zone, follow the instructions provided in the introduction of the lab guide. Note that the value shown in the text box is just an example; use the value returned after running the command above.

j. Once you have configured the DNS records in the public DNS zone, continue with the following steps.

k. At the PS prompt, type in the following command and then press Enter:


Get-MSOLDomain -DomainName studentprefix.hybridexchangeworkshop.com

Verify that the Status now shows Verified.

m. Close the Windows Azure Active Directory Module for Windows PowerShell.
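An added PowerShell check for steps h to k above (not part of the lab text): it computes the expected TXT value from the Label attribute, looks the record up in public DNS and only then asks Office 365 to verify the domain. It assumes the MSOnline module installed in Exercise 1, Resolve-DnsName (DnsClient module, Windows Server 2012 or later) and the module's Confirm-MsolDomain cmdlet, which the lab text does not show; replace the domain with your own student prefix.

```powershell
# Added example, not part of the lab text. Assumes the MSOnline module (Exercise 1),
# the DnsClient module for Resolve-DnsName, and a domain already added with New-MsolDomain.
$domain = 'studentprefix.hybridexchangeworkshop.com'   # replace with your student prefix

$cred = Get-Credential -Message 'Office 365 tenant administrator'
Connect-MsolService -Credential $cred

# Same call as step h; the Label attribute carries the verification token.
$dns   = Get-MsolDomainVerificationDns -DomainName $domain
$label = @($dns)[0].Label          # e.g. ms23567999.std12.hybridexchangeworkshop.com

# Step i: the TXT value is "MS=" followed by the first DNS label of that name.
$expected = 'MS=' + $label.Split('.')[0]
Write-Host "Expected TXT value for $domain : $expected"

# Query public DNS for the TXT record and compare. Resolve-DnsName returns one object
# per record; TXT data is exposed in the Strings property (a string array).
$txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'TXT' }
$found = $txt | Where-Object { $_.Strings -contains $expected }

if (-not $found) {
    Write-Warning "TXT record '$expected' is not yet visible in public DNS for $domain."
    Write-Warning 'Wait for propagation (see the Ttl in the output above) and run this again.'
    return
}

Write-Host 'TXT record found; asking Office 365 to verify the domain.'
# Confirm-MsolDomain is the MSOnline cmdlet that triggers the verification check
# (assumption: the lab text does not show this cmdlet).
Confirm-MsolDomain -DomainName $domain

# Step k: Status should now read Verified.
$status = (Get-MsolDomain -DomainName $domain).Status
if ($status -eq 'Verified') {
    Write-Host "$domain is Verified."
} else {
    Write-Warning "$domain status is '$status'; re-check the TXT record and retry."
}
```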


Exercise 3: download and install Windows Azure AD Synchronization

In this exercise, you will install the Windows Azure AD Synchronization tool which will be used to synchronize on-premises accounts to Windows Azure AD (and thus also Office 365).

Tasks

1. Download and install Windows Azure AD Sync

a. Switch to HYBRID-SRV01 and log on as ONPREM\Admin with a password of pass@word1.

b. Open the Start Menu and then click Internet Explorer.

c. In the Address box, type https://portal.microsoftonline.com and then press Enter.

d. On the Microsoft Online Services page, in the top input box ([email protected]), type your Microsoft Online Services ID. This should be the ID you used when signing up for the trial account.

e. In the Password box, type your password and verify that the Keep me signed in check box is selected, and then click Sign in.

f. Once signed in, click Admin > Office 365

g. On the Office 365 admin center page, in the left side navigation, click USERS and then Active Users

h. On the Active Users page, click Manage next to Active Directory synchronization at the top of the page.

i. Under step 4, Install and configure the Directory Sync tool, click Download.

j. Click Save.

k. After the download completes, navigate to the folder in which you stored the dirsync.exe program. Right-click the file and select Run as administrator.

l. As you will notice, the DirSync program requires .NET 3.5.1 to be installed. To do so, open PowerShell as Administrator and run the following command:

Install-WindowsFeature Net-Framework-Core

Wait for the process to complete (this might take a few moments) and then try running the DirSync setup again.

m. In the User Account Control windows, click Yes.

n. On the Windows Azure Active Directory Sync Setup Welcome page, click Next.

o. On the Microsoft Software License Terms page, select I accept and then click Next.

p. On the Select Installation Folder page, accept the default location and click Next.

Wait for the setup to complete. This might take a few moments.

q. After the setup completes, on the Installation page, click Next.

r. Un-check Start Configuration Wizard and click Finish.

s. Log-off from HYBRID-SRV01.

t. You should definitely log off from Hybrid-SRV01. Really. No kidding!


Exercise 4: create a new organizational unit, users, contacts and distribution groups

In this exercise, you will create a new Organization Unit and add new users and groups to Active Directory.

Tasks

1. Create a new contact and distribution group.

a. Switch to HYBRID-DC01 and log in as ONPREM\Admin with password pass@word1.

b. Open the Start Menu and then click Active Directory Users and Computers.

c. In Active Directory Users and Computers, in the Navigation pane, expand ONPREM.LOCAL and then click Accounts.

d. Right-click Accounts, click New and then click Organizational Unit.

e. In the New Object – Organizational Unit window, in the Name box, type Online and then click OK.

f. Right-click Online, click New, and then click User.

g. In the First name box, type Eli.

h. In the Last name box, type Bowen

i. In the User logon name box, type Ebowen.

j. Click the UPN suffix menu and then click @studentprefix.hybridexchangeworkshop.com.

k. Click Next.

l. In the Password and Confirm password boxes, type pass@word1.

m. Clear the User must change password at next logon check box, click Next, and then click Finish.

n. Perform steps f through m to create accounts for the following users, using the first name as the logon name.

First name Last name

Todd Rowe

Hao Chen

Wendy Wheeler

o. Highlight all user accounts in the Online organizational unit.

p. Right-click the selected accounts and then click Properties.

q. In the Properties of Multiple Items window, click the Organization tab.

r. Select the Job Title check box.

s. In the Job Title box, type Online and then click OK.

2. Create a new contact

a. Open the Start Menu and then click Internet Explorer.

b. In the Address box, type https://mail.studentprefix.hybridexchangeworkshop.com/ecp and then press Enter.

c. On the Exchange Admin Center logon page, in the Domain\User name box, enter your on-premises Administrator account credentials.

d. In the Password box, enter the password and then press Enter.

e. In the Exchange Admin Center, click recipients and then click contacts.

f. Click the plus-sign and then click Mail contact.


ii. Last name: Phillips

iii. Alias: JeffP

iv. External email address: [email protected]

h. Under Organizational unit, click browse.

i. In the select an organizational unit window, expand Accounts, click Online and then click OK.

j. Click save.

3. Create a new distribution group

a. In the Exchange Admin Center, click recipients and then click groups.

b. Click the plus-sign and then click Distribution group.

c. On the new distribution group page, enter the following details:

i. Display name: All Online Users

ii. Alias: AllOnlineUsers

d. Under Organizational unit, click browse.

e. In the select an organizational unit window, expand Accounts, click Online and then click OK.

f. Click save.

Exercise 5: configure and review Windows Azure AD Password Sync

In this exercise, you will configure the Windows Azure AD Synchronization tool installed in Exercise 3, enable Password Sync, and verify that directory synchronization and password synchronization work as expected.

Tasks

1. Configure Windows Azure AD Synchronization and enable Password Sync

a. Log on to HYBRID-SRV01 as ONPREM\Admin with a password of pass@word1.

Note: the log-off/log-on is required to reflect the changes in group membership made during the installation of DirSync.

b. Right-click the Directory Sync Configuration shortcut on the desktop and select Run as administrator.

c. In the User Account Control windows, click Yes.

d. On the Windows Azure Active Directory Sync tool Configuration Wizard Welcome page, click Next.

e. On the Windows Azure Active Directory Credentials page, in the User name box, enter the admin credentials of your Office 365 trial tenant.

f. In the Password box, enter the password and then click Next.

g. On the Active Directory Credentials page, in the User name box, enter the admin credentials of your on-premises Active Directory (ONPREM\Admin).

h. In the Password box, enter the password and then click Next.

i. On the Hybrid Deployment page, select Enable Hybrid Deployment and then click Next.

j. On the Password Synchronization page, select Enable Password Sync and then click Next.


l. On the Finished page, make sure Synchronize your directories now is selected and click Finish.

m. On the Windows Azure Active Directory Sync Tool Configuration Wizard popup window, click OK.

2. Verify DirSync synchronized successfully in the Office 365 portal

a. On HYBRID-SRV01, open Windows Explorer and navigate to C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

b. Double-click miisclient.exe

c. In the Synchronization Service Manager on HYBRID-SRV01 window, on the Operations tab, verify that the Directory Synchronization completed successfully. The Status of all three operations should state success.

d. Open the Start Menu and then click Internet Explorer.

e. In the Address box, type https://portal.microsoftonline.com and then press Enter.

f. On the Microsoft Online Services page, in the top input box ([email protected]), type your Microsoft Online Services ID. This should be the ID you used when signing up for the trial account.

g. In the Password box, type your password and verify that the Keep me signed in check box is selected, and then click Sign in.

h. Once signed in, click Admin > Office 365

i. On the Office 365 admin center page, in the left side navigation, click USERS and then Active Users.

j. In the users list, verify that the user name for Billy Weaver is set to [email protected]

3. Verify that Password Sync works as expected

a. Switch to HYBRID-SRV01 and log on as ONPREM\BWeaver with a password of pass@word1

b. Open the Start Menu and then click Internet Explorer.

c. In the Address box, type https://portal.microsoftonline.com and then press Enter.

d. On the Microsoft Online Services page, in the top input box ([email protected]), type [email protected]

e. In the password box, enter pass@word1.

f. Verify that Billy can log in successfully.

g. Log out from the portal.

h. Log off from HYBRID-SRV01.

i. Switch to HYBRID-DC01 and log on as ONPREM\Admin with a password of pass@word1.

j. Open the Start Menu and then click Active Directory Users and Computers.

k. In Active Directory Users and Computers, in the Navigation pane, expand ONPREM.LOCAL and then click Accounts.

l. Right-click Billy Weaver and then click Reset Password.

m. In the Reset Password window, in the New password box, enter pass@word2.

n. In the Confirm password box, enter pass@word2.

o. Click OK.

p. Switch to HYBRID-SRV01 and log on as ONPREM\BWeaver with a password of pass@word2

q. Open the Start Menu and then click Internet Explorer.


s. On the Microsoft Online Services page, in the top input box ([email protected]), type [email protected]

t. In the password box, enter pass@word2.

u. Verify that Billy can log in successfully.

v. Log out from the portal.

4. Change attributes and force a directory synchronization

a. Switch to HYBRID-DC01 and log on as ONPREM\Admin with a password of pass@word1.

b. Open the Start Menu and then click Active Directory Users and Computers.

c. In Active Directory Users and Computers, in the Navigation pane, expand ONPREM.LOCAL, click Accounts and then click Online.

d. Double-click Eli Bowen.

e. Click the Organization tab.

f. On the Organization tab, for the Job Title, type Online Manager and click OK.

g. Switch to HYBRID-SRV01 and log on as ONPREM\Admin with a password of pass@word1.

h. Open PowerShell as Administrator from the task bar and click Yes when prompted by UAC.

i. In PowerShell, type the following command:

cd "c:\Program Files\Windows Azure Active Directory Sync\DirSync"

j. After the command completes successfully, run the following command:

.\ImportModules.ps1

k. Next, run the following command:

Start-OnlineCoexistenceSync

l. Close Windows PowerShell.

5. Verify the updated information

a. Open HYBRID-SRV01 and log on as ONPREM\Admin with a password of pass@word1.

b. Open the Start Menu and then click Internet Explorer.

c. In the Address box, type https://portal.microsoftonline.com and then press Enter.

d. On the Microsoft Online Services page, in the top input box ([email protected]), type your Microsoft Online Services ID. This should be the ID you used when signing up for the trial account.

e. Once signed in, click Admin > Office 365

f. On the Office 365 admin center page, in the left side navigation, click USERS and then click Active Users
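An added PowerShell check for tasks 2, 4 and 5 of this exercise (not part of the lab text): it lists every user in the Online OU next to its Office 365 object, so you can see whether DirSync created the cloud object and whether attribute changes such as the Job Title have arrived after Start-OnlineCoexistenceSync. It assumes the ActiveDirectory module (run it on HYBRID-DC01 or with RSAT installed), the MSOnline module, and the OU path OU=Online,OU=Accounts,DC=ONPREM,DC=LOCAL derived from the lab's directory layout.

```powershell
# Added example, not part of the lab text. Assumes the ActiveDirectory and MSOnline modules.
# OU path is an assumption based on the lab layout: ONPREM.LOCAL -> Accounts -> Online.
$searchBase = 'OU=Online,OU=Accounts,DC=ONPREM,DC=LOCAL'

Import-Module ActiveDirectory
$cred = Get-Credential -Message 'Office 365 tenant administrator'
Connect-MsolService -Credential $cred

$onPremUsers = Get-ADUser -SearchBase $searchBase -Filter * -Properties Title, UserPrincipalName

$report = foreach ($u in $onPremUsers) {
    # Get-MsolUser errors when the UPN is unknown in the tenant; treat that as "not synced".
    $cloud = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        InCloud           = [bool]$cloud
        # A non-empty ImmutableId anchors the cloud object to the AD object, i.e. it was
        # created by DirSync rather than by hand in the portal.
        DirSynced         = [bool]($cloud -and $cloud.ImmutableId)
        TitleOnPrem       = $u.Title
        TitleInCloud      = $(if ($cloud) { $cloud.Title })
        TitleMatches      = [bool]($cloud -and $cloud.Title -eq $u.Title)
        LastDirSyncTime   = $(if ($cloud) { $cloud.LastDirSyncTime })
    }
}

$report | Format-Table -AutoSize

# Anything listed here has not synced yet, or still carries the old attribute value
# (for example 'Online' instead of 'Online Manager' for Eli Bowen after task 4).
$pending = $report | Where-Object { -not $_.DirSynced -or -not $_.TitleMatches }
if ($pending) {
    Write-Warning ("{0} user(s) not yet consistent; run Start-OnlineCoexistenceSync again " +
                   "and wait a few minutes before re-checking.") -f @($pending).Count
} else {
    Write-Host 'All users in the Online OU are synchronized and their Job Titles match.'
}
```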


Exercise 6: adding a federated domain

In this exercise, you will convert the domain that was previously added as a standard domain to a federated domain.

Tasks

1. Convert a standard domain to a federated domain

a. Switch to HYBRID-DC01 and log on as ONPREM\Admin with a password of pass@word1.

b. Right-click the Windows Azure Active Directory Module for Windows PowerShell shortcut on the desktop and select Run as Administrator. When prompted by UAC, click Yes.

c. At the PS prompt, type in the following command and then press Enter:

$cred = Get-Credential

d. In the Windows PowerShell Credential Request window, in the User name box, type the account name you use to sign in to Microsoft Online Services.

This is the user you created while registering for a trial account, earlier in the exercises.

e. In the Password box, type your password and click OK

f. At the PS prompt, type in the following command and then press Enter:

Connect-MSOLService -Credential $cred

g. At the PS prompt, type in the following command and then press Enter:

Set-MSOLADFSContext -Computer Hybrid-DC01

h. At the PS prompt, type in the following command and then press Enter:

Convert-MSOLDomainToFederated -DomainName studentprefix.hybridexchangeworkshop.com

i. At the PS prompt, type in the following command and then press Enter:

Get-MSOLDomain -DomainName studentprefix.hybridexchangeworkshop.com

Verify that the domain was successfully converted to a federated domain and that the domain Authentication now shows Federated.

j. At the PS prompt, type in the following command and then press Enter:

Get-MSOLDomainFederationSettings -DomainName studentprefix.hybridexchangeworkshop.com


2. Verify identity federation is working as expected

a. Switch to HYBRID-SRV01 and log on as ONPREM\Bweaver with a password of pass@word2

b. Open the Start Menu and then click Internet Explorer.

c. In the Address box, type https://portal.microsoftonline.com and then press Enter.

d. On the Microsoft Online Services page, in the top input box ([email protected]), type [email protected]

Note: your login request should now be redirected to adfs.studentprefix.hybridexchangeworkshop.com.

e. In the Windows Security basic authentication prompt, in User name, type [email protected]

f. In the Password box, type the password (pass@word2) and then click OK.

g. Verify that Billy can successfully sign in to the portal.

h. Log off from the portal.

i. In Internet Explorer, click the cog-wheel to open the options menu and select Internet options.

j. Click the Security tab and then click Local intranet.

k. Click Sites and, in the Local Intranet window, click Advanced.

l. In the Add this website to the zone box, type https://adfs.studentprefix.hybridexchangeworkshop.com, click Add and then click Close.

m. In the Local Intranet window, click OK.

n. In the Internet Options window, click OK.

o. Close Internet Explorer.

p. Repeat steps b. to h. Verify that now you are no longer required to enter your credentials manually.
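An added PowerShell check for steps i and j of task 1 above (not part of the lab text): it confirms the domain is Federated, checks that every federation endpoint Office 365 now trusts lives on adfs.studentprefix.hybridexchangeworkshop.com, and decodes the published token-signing certificate to show its subject and expiry. It assumes the MSOnline module and an existing Connect-MsolService session from steps c to f.

```powershell
# Added example, not part of the lab text. Assumes Connect-MsolService has already run.
$domain   = 'studentprefix.hybridexchangeworkshop.com'   # replace with your student prefix
$adfsFqdn = "adfs.$domain"   # host the lab redirects sign-ins to (task 2, step d)

$d = Get-MsolDomain -DomainName $domain
Write-Host "Domain $($d.Name): Status=$($d.Status) Authentication=$($d.Authentication)"
if ($d.Authentication -ne 'Federated') {
    Write-Warning 'Expected Authentication = Federated; re-run Convert-MsolDomainToFederated.'
    return
}

$fed = Get-MsolDomainFederationSettings -DomainName $domain

# Office 365 sends browser sign-ins, rich-client (WS-Trust) sign-ins and sign-outs to
# these URIs, so every one of them should point at the lab's AD FS server.
$endpoints = [ordered]@{
    PassiveLogOnUri     = $fed.PassiveLogOnUri
    ActiveLogOnUri      = $fed.ActiveLogOnUri
    LogOffUri           = $fed.LogOffUri
    MetadataExchangeUri = $fed.MetadataExchangeUri
}
foreach ($name in $endpoints.Keys) {
    $uri = $endpoints[$name]
    $ok  = $uri -and (([uri]$uri).Host -eq $adfsFqdn)
    $tag = if ($ok) { 'OK   ' } else { 'CHECK' }
    Write-Host ('{0} {1,-20} {2}' -f $tag, $name, $uri)
}
Write-Host ('      {0,-20} {1}' -f 'IssuerUri', $fed.IssuerUri)

# SigningCertificate is the base64-encoded DER of the AD FS token-signing certificate.
# Decode it so the subject and expiry can be compared with the certificate on HYBRID-DC01;
# an unexpected subject here means Office 365 trusts tokens from a different signer.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import([Convert]::FromBase64String($fed.SigningCertificate))
Write-Host "Token-signing cert subject : $($cert.Subject)"
Write-Host "Token-signing cert expires : $($cert.NotAfter)"
if ($fed.NextSigningCertificate) {
    Write-Host 'A NextSigningCertificate is also published (certificate rollover staged).'
}
```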
