Azure AD instance set up basic walkthrough

Posted by Mikhail Rodionov on September 14, 2017
No ratings yet.

Probably we are still a bit far away from moving to the cloud completely, yet all sorts of hybrid topologies prompt us to be more and more knowledgeable about Microsoft Azure. Requirements to depth of this knowledge may vary depending on your line of work, but some Azure stack knowledge becomes a must-have almost for any IT professional these days. This article intended to give basic walkthrough on how to set up an Azure Active Directory instance and demonstrate some simple example of what you can do with it once it has been set up – sort of AAD “show and tell”. I believe a lot of people prefer hands on approach, where you trying to use technology right off the bat, throwing glances at documentation as necessary. This blogpost can be a good starting point for such type of learning journey.

There is much confusion about what is AAD and how it compares against on-premise AD and covering this is bit out of scope for the goal of the blogpost declared above. In a nutshell, we can define AAD as a central identity integrated with on-premises and cloud services. And if you want more details there is a ton of theoretical information available in the internet on what it is and how it stacks up against battletested and beloved by many on-premise AD DS. Yet, what I want to do in this article is just to give you a bit of AAD overview from the practical side of things – how we can set it up and use. Let’s begin with this task without further ado.

Process of AAD set up starts from logging-on to portal.azure.com site, clicking New and doing a search for Azure Active Directory. Once you found it you initiate the process by clicking Create (there is only one button available to in the bottom part of the the screen, so no questions here I think 😀 ):

Microsoft Azure Active Directory - Main Menu

On the next step you have to specify Organization Name and Initial domain name (which will be appended by .onmicrosoft.com domain suffix) and select Country or region from corresponding dropdown:

Microsoft Azure Active Directory - Create Directory

I will be covering adding additional public domain name to our AAD service later in this blogpost. For now, we just clicking Create and observing message “Directory is being created now” for a while:

Microsoft Azure Active Directory - Create Directory - in progress

Once this process completes you should get a notification similar to one which shown below:

Microsoft Azure Active Directory - Create Directory - Notification

In case you already have AAD instances prior to provisioning this one while going through these steps, you may need to switch from your current Azure directory to newly created one by clicking on your user name in top right corner of Azure Portal page and selecting it:

Microsoft Azure Active Directory - Sign out

Once you switched to it, you can click on Azure Active Directory on the left side of Azure Portal page to manage it:

Microsoft Azure Active Directory - Azure Portal page

Before we move on to creating our first test user we can add a trial subscription to have full feature set available to us (note that you don’t need this subscription for anything described in this tutorial). For adding a new subscription, you just access Subscriptions area as shown below:

Microsoft Azure Active Directory - Subscriptions

Be sure to click/highlight “Star” icon on the left to enable quick access to Subscriptions.

Once you are in Subscriptions area, click on Add button:

Microsoft Azure Active Directory - Subscriptions - Add

It will open new tab/window and navigate to account.azure.com where you will be presented with an option to set up Free Trial subscription:

Microsoft Azure Active Directory - Add Subscriptions - Select An Offer

I won’t be adding screenshots of Trial Subscription activation but essentially there you have to provide your contact data and do a phone/text message confirmation. Once it was added you will see your subscription in Subscriptions console:

Microsoft Azure Active Directory - Subscriptions Console

As I already mentioned it is quite handy to pin a shortcut for Subscriptions console on the left panel with icons by clicking on “>” aka “More Services” button on the left, searching for “Subscriptions” and clicking on “Star” icon to make it yellow as shown below:

Microsoft Azure Active Directory - Subscriptions - Star icon

Let’s now create our test user and test AAD logon. For that we have a handy “Add a user” link in Quick tasks area which allows you to perform create user operation:

Microsoft Azure Active Directory - Users and Groups - Add a User

Once you clicked on “Add a user” link you presented with create user dialog which looks as follows:

Microsoft Azure Active Directory - Users and Groups - User

Here you need to fill in mandatory fields (Name and User name) and click Create. Pay attention that for the domain part of user name we have to use domain name we selected during AAD creation appended with onmicrosoft.com suffix (this is something we will change later after adding our own domain). I also ticked Show Password check box to grab autogenerated user’s first logon password which we will use upon first logon. We can see our Don Quixote user under Users and groups:

Microsoft Azure Active Directory - Users and Groups - Users and Groups

The way AAD user provisioned on the portal is with autogenerated password which we have to change upon first logon. Let’s try to do a log on? For a simple test we will just do our first logon on https://login.microsoftonline.com:

Microsoft Azure Active Directory - First logon

Once credentials typed we hit Sign in and getting expected password change prompt:

Microsoft Azure Active Directory - First logon - Update your Password

Typing in current password and new one twice and hitting “Update password and sign in” button next. And voila, we logged in to our AAD account page and can check out our user profile or perform password change if necessary:

Microsoft Azure Active Directory - User Profile

As you can see our full user name is quixote@zlatagroup.onmicrosoft.com. Now we are going make things look a bit better by adding custom public domain to our AAD application and making our user name shorter. In order to do this we have to navigate to AAD > Domain names and click on Add a domain name button:

Microsoft Azure Active Directory - Domain Names

Next, we need to type in some domain name we own, I used one of domains I have available to me named zlatagroup.com:

Microsoft Azure Active Directory - Domain Names

Once we clicked on Add Domain we proceed to domain ownership verification step which requires you to add a specified TXT or MX record into DNS zone of your domain. I had some issue using TXT record, so ended up doing verification with MX one:

Microsoft Azure Active Directory - Domain Ownership Verification

Steps for adding TXT/MX record may vary depending on your DNS server/provider. As I host my domain on gandi.net, specialized DNS service provider which recently redesigned their side and introduced so called “live DNS”, all that was necessary for me was to log in into my gandi.net dashboard, select domain, then DNS records and click on Add button:

DNS Records

Once you clicked Add button you just need to fill in record properties as required by Microsoft:

Record Properties

Note that it may take some time for DNZ zone update to be properly applied. I was creating this record late in the evening so as I was not able to get through this test within 10 minutes after DNS record creation I’ve just get back to it later in the morning and it worked out just fine so that I got the following confirmation:

Microsoft Azure Active Directory - Domain Names - Confirmation

After this test completed, our new domain is listed in Domains list, allowing us to set it as a primary domain:

Microsoft Azure Active Directory - Domain

To set new domain as primary we just clicking on it to open its properties and click on “Make primary”:

Microsoft Azure Active Directory - Domain - Primary

Let’s now see if we can benefit from it immediately using nicer and shorter logon name for a user we created earlier. For that we once again launch web browser and open https://login.microsoftonline.com and trying to logon as quixote@zlatagroup.com:

Microsoft Azure Active Directory - LogOn menu

As you can see from screenshot above this attempt fails, and it happened just because we have not updated user name. For existing users which have been created before adding custom domain we need to change domain part of their username property, i.e. the part on the right from @ sign, like this:

Microsoft Azure Active Directory - Users Profile

Once that change has been done we can try our logon one more time and it should work out well this time:

Microsoft Azure Active Directory - Users Profile - My Accounts

Now we have users and nice custom domain name added but just logging in to different Microsoft portals and services is not very practical unless you are doing everything using cloud services.

Let’s try something more practical for on-premise side of things, like joining Windows 10 machine to AAD. In order to do that we first need to make sure that relevant Device settings are set in our AAD instance to allow this. Settings in question reside in Device Settings section under Users and Groups options of your Azure Active Directory and entitled “Users may join devices to Azure AD” and “Users may register their devices with Azure AD” respectfully:

Microsoft Azure Active Directory - Users and Groups - Device Settings

As we can see all users are allowed to join/register devices with AAD and we can proceed and test this functionality. But in case you wonder what is the difference between “Users may join devices to Azure AD” and “Users may register their devices with Azure AD”, last option allows users to register their devices with Azure AD by means of Workplace Join and required for MDM for Office 365. Anyhow we are doing basic demo here so let’s try to join Windows 10 machine to AAD now.

First we need to logon to Windows 10 machine and invoke Windows Settings app either by means of searching for “Settings” in Start menu or by clicking on “All settings” tile in Action Center, once there click on Accounts:

Windows Settings - Accounts

Once there, click on “Other people” option, and then “Add a work or school user”:

Windows Settings - Accounts - Add user

Note that screenshots here has been taken on machine not joined to domain, as options available to you will look a bit different on domain-joined machine. Domain joined machines can automatically register to Azure AD providing special group policy was configured and latest version of Azure AD connect has been set up. Here we just going to use stand-alone Windows 10 machine.

Clicking on Connect button will invoke the following dialogue where we just need to specify our AAD user name and click Next:

Windors Settings - Accounts - Set up a Work or School Account

After clicking Next, we can type in user’s password and click on Sign in:

Windors Settings - Accounts - Set up a Work or School Account - Password

If password was typed in correctly you will be presented with the following dialogue:

Windors Settings - Accounts - Set up a Work or School Account - Password - In progress

And after a bit of waiting you should see this:

Windors Settings - Accounts - Set up a Work or School Account - Password - Done

Once you click on Done to close this window you will see your newly added account in “Connect to work or school” section of Accounts Settings:

Windors Settings - Accounts - Connect to Work or School

These steps will enable access to your organization’s apps and services using this AAD user account from this machine but won’t enable login to machine using AAD account. So, at this stage you are unable to use this account for logon to this machine, at least I was not able to do so, so I’ve decided to perform AAD device join. For that we just once again clicking on the same Connect button:

Windors Settings - Accounts - Connect to Work or School - Connect

But, once we are in “Set up a work or school account” window instead of typing in our AAD user name and clicking Next, we are clicking on “Join this device to Azure Active Directory” under Alternate actions:

Join the device to Azure Active Directory

If you are an old school IT professional you may also notice that next to “Join this device to Azure Active Directory” link there is “Join this device to local Active Directory domain”, which is a new way of performing domain join in addition to one familiar to you from old versions of Windows. So once again we are typing our AAD user account and click on Next button:

Join the device to Azure Active Directory - Signed in

Next, we typing in password and click on Sign In button:

Join the device to Azure Active Directory - Password

If password was typed correctly you will receive “Make sure this is your organization” pop up, where you can finally click on Join button:

Microsoft Azure Active Directory - Verification

And after a bit of waiting we are getting confirmation that device has been connected to our AAD domain:

Microsoft Azure Active Directory - Confirmation

Machine still looks as stand-alone/workgroup joined in System properties but as previous message explains you can now sign in to machine with AAD account, by means of logging off and logging with ADD account. Once logged off, you can click on other user icon and type in your AAD credentials as shown below (note that system indicates that you will be performing sign in to your work or school account).

Other user

We are doing this with default settings/newly created AAD instance, so after typing in users’ password we are receiving “Your organization requires Windows Hello” dialogue which asks us to set up PIN.

PIN set up

Once you click on Set up PIN series of PIN setup wizard windows will be presented to you as shown below:

Security Verification

We click on Set it up now.

Verify your identity

Assuming we’ve opted out for text message verification method we next need to type in code from SMS and hit Next:

Verification Code requirement

If code has been typed in correctly you’ll be presented with Set up a PIN dialog box where you just need to type in PIN code of your choice twice:

Windows Security - Set up a PIN

After clicking OK here, we receive confirmation that all was set up correctly:

Windows Security - Confirmation

And we finally can sign in using either PIN code or password:

Windows Sign In - PIN

We can confirm that log on was performed with AAD users in a couple of ways shown below. First, by navigating to Settings > Accounts > Your info:

Windows Settings - Accounts - Info

Or using something as old-fashioned as whoami command:

Windows Settings - Whoami Command

We can also try to login to http://portal.office.com to see that we have transparent SSO to this resource with our AAD account with no extra prompts for authentication (you sometimes still need to click on sign in button though):

Microsoft Office 365 - Sign In - Connected to Windows

With this type of set up Windows 10 Mail application automatically recognizes the signed in user and opens the Office 365 hosted inbox (if user has it) and any application written to use the Web Account Manager will automatically recognize the signed in user. AAD user can also get SSO to applications published in the Azure AD Access Panel. And as I already mentioned above, when user access web applications like http://portal.office.com, Outlook Web Access and SharePoint Online in the Edge browser he gets no extra prompts for authentication. And obviously manage your account page of windowsazure.com won’t ask you for any passwords too:

Microsoft Access - Profile

You can also see AAD user’s devices on portal.azure.com listed under Devices for each user along with Trust type info:

Microsoft Azure - Devices

After going through all these steps, we have an AAD instance, AAD user and even Windows 10 machine to which we can log on with our AAD user account which I think quite good thing to have when you just beginning familiarizing yourself with AAD and from this starting point it is possible to move on to more complex and interesting things you can do with AAD. I hope this “screenshot heavy” tutorial has been useful for you and as usual you can post your follow up questions in comments below this blog post.

 

Related materials:

Views All Time
7
Views Today
12
Return to all posts

Microsoft Introduces Azure Confidential Computing, Always Encrypted Data
The release of vSphere 6.5 Update 1 and some updates of other products. The review to keep you updated.

Please rate this

The following two tabs change content below.
Mikhail Rodionov
Mikhail is IT engineer focusing on applications and infrastructure support domains. He works closely with K2 platform and Microsoft technology stack and holds number of certifications from these software vendors.

Latest posts by Mikhail Rodionov (see all)

Leave a Reply

You must be logged in to post a comment.