Essential Azure AD Configuration

Introduction

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.

More in-depth detail about Azure AD can be found here.

a fresh Azure AD installation will have the following constraints:

  1. Usernames at this stage will be <username>@<AzureADName>.onmicrosoft.com;

    Users will be required to remember usernames. (Most users find it difficult remember their passwords);

  2. Manual process is required for creating user accounts (GUI, PowerShell or CSV import);
  3. User passwords will not be in-sync with their network password;

This article will only focus in addressing the constraints above, with the least possible effort. More complex options are available and will depend on security & business requirements.

Configuration / Installation

Each optional tasks below should be followed chronological order to address the constraints above.

1. Add Email Domain (Optional)

This step should be done first before proceeding with step 2.

Only one Azure AD can own the organization email domain and Microsoft will not allow registering the email domain into another Azure AD Subscriptions.

Follow these steps to allow usernames to be the same as the organization email address:

  1. Go to https://manage.windowsazure.com
  2. On the left menu click “Active Directory”
  3. Open your new create Azure AD, you should see the following screen:
  4. AzureADFree-ScreenShot3
  5. Click “Domain” Tab
  6. Click “ADD A CUSTOM DOMAIN”, the following wizard will appear:
  7. AzureADFree-ScreenShot4
  8. Enter company domain name, example: “schmarr.com”, click “add”
  9. On Page 2, will have the TXT record that should be created in the company domain external DNS service. Please see example:
  10. AzureADFree-ScreenShot5
  11. Once the DNS TXT record is created, Click “verify” (Please allow DNS replication to complete up to 48 hours)
  12. Change the user accounts manually to reflect user emails addresses

    For automating user creation and password sync, please proceed to step 2.

2. Automate Account creation in Azure AD (Optional)

It is recommended that step 1 should be completed first, otherwise all users account will be created with system created domain name e.g. “<username>@<AzureADName>.onmicrosoft.com”

Assumptions / Requirements

The following assumptions are made in this section:

  • Internal Active Directory up and running
  • Windows 2012 R2 Member server of the Active Directory, ready to install Azure AD Connect
  • The member server has internet access
  • Active Directory userPrincipalName(UPN) reflects the user’s mail address
    • This assumption is in most cases are a challenge for most organizations and the following options are available:
      • Run the Azure AD Connect (Steps below is expert install) in advanced mode and choose “mail” attribute instead of userPrincipalName(UPN) – Easy fix;
      • Fix the UPN to be the same as email address, here is a microsoft tool that can assist;
  • Azure AD
  • A Active Directory enterprise administrator account
  • global admin account is created with default domain context e.g. admin@<AzureADName>.onmicrosoft.com

Azure AD Configuration

  1. Go to https://manage.windowsazure.com
  2. On the left menu click “Active Directory”
  3. Open your new create Azure AD, you should see the following screen:
  4. AzureADFree-ScreenShot3
  5. Click “DIRECTORY INTEGRATION” Tab
  6. Click “ATIVATED”, then click “SAVE”

Azure AD Connect Installation

The following tasks will be completed on the domain member server.

  1. Download Azure AD Connect from Here
  2. Run the downloaded setup file on the Windows 2012 R2 member server
  3. Click “Continue”
  4. Click “Use express settings”
  5. Enter your Azure AD Admin username e.g. admin@<AzureADName>.onmicrosoft.com and password
  6. Click “Next”
  7. Enter the Active Directory Enterprise Admin account and password
  8. Click “Next”
  9. Click “Install”
  10. AzureADFree-ScreenShot6

Once the installation is complete all user accounts will be created in Azure AD automatically with the current user email address. Password synchronization will also be automatically enabled.

Advanced installation will allow disabling password sync if not required.

Conclusion

User will be now be able to login into Azure AD using exiting email address and network password.

 

 

 

Advertisements

One thought on “Essential Azure AD Configuration

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s