After completing the next configuration tasks, you will see the rich functionality of Microsoft Azure in the field of identity and access management, starting with cloud identities. You can demonstrate the different capabilities in your own Microsoft Azure environment. The guidance will focus on the most essential feature sets to give you an idea about their capabilities. We will start to use the default directory, which we call domain.onmicrosoft.com for now, and will change it later to a custom domain name. Domain stands for your desired name like example.com , this is also used for the userPrincipalName of the users in this chapter, e.g. don.hall@doamin.onmicrosoft.com is represented in the chapter by my example domain called inovitcloudlabs. Be aware that this name will be visible in different applications, such as SharePoint Online and...

The first step we need to take is to get an Azure AD tenant. There are many ways to do this. You can start with an Azure subscription or use any other service from the Microsoft SaaS portfolio. The easiest way to get your solution to a working state is to start with an Office 365 trial subscription.

Open your browser and navigate to http://bit.ly/1RVpFXe. Subscribe to a free Office 365 Enterprise E5 plan:

Follow the registration process and define your user ID, such as admin@domain.onmicrosoft.com. We recommend using a nonpersonal ID, as shown in the next screenshot. Enter your new user ID and password. Your default directory will get the name you define behind the @:

Afterward, you need to prove your identity with a text message or a phone call and enter...

In the next steps, we connect to our Azure AD and generate the test users and groups.

Start the Azure AD PowerShell console and connect to Azure AD by executing the following cmdlets and scripts:

$msolcred = get-credential
# Enter your global administrator credentials
connect-msolservice -credential $msolcred
C:\Configuration\HRExports\HRImportToAAD.ps1

After starting the script, go directly to https://portal.azure.com with your admin@domain.onmicrosoft.com credentials. Select the users' section under your Azure AD. You should find the users from the HireUsers.csv file under the All users tab:

Open https://portal.office.com | Admin | Active Users, and you can see your users with active licenses in Office...

To delegate tasks, we use the creation of administrative units (AUs) and assign roles for specific tasks. In this configuration, we generate an HR [AU] , and we assign the manager of the HR department with the role to manage user accounts in this scope.

First of all, we need to connect to our Azure AD with the PowerShell cmdlet Connect-AzureAD for the admin@domain.onmicrosoft.com user.

Use the following cmdlets to create the HR [AU]:

New-AzureADAdministrativeUnit -Description "Human Resources Users" -DisplayName "HR"

View the expected output:

Next, we will add the related users.

In this section, we will use Azure AD Premium P2 PIM to protect an administrative account in a quick intro.

Open https://portal.azure.com as admin@domain.onmicrosoft.com to start the configuration.

Click All Services and choose the Azure AD Privileged Identity Management.

Now, we need to Consent to PIM to use the service:

You will need to verify your identity and provide your preferred security verification option, as you can see in the following screenshot:

Finish the verification process and click Consent—proceed:

Next, we sign up under Azure AD Roles, so that users can enable Azure AD roles. Click Sign up PIM for...

In this section, we configure a typical workplace, which a user can access under the Access Panel UI (https://myapps.microsoft.com). We assign applications to users and groups to see the different capabilities. The steps don't contain all single sign-on or provisioning options. We will discuss these feature sets later in specific chapters.

In this section, we configure the password reset capabilities of Azure AD to reduce support costs and 24/7 availability. We use no restrictions on the service and we require just one verification option to reset the password:

To verify the reset, we use several methods:

The next option we activate forces the user to register:

Next, we configure the related notifications.

In this section, we configure the notifications options so that the administrator will be notified if anomalous...

In this section, we will configure and simulate some typical events that get reported in the Azure AD Monitoring section.

First, we configure a Password protection feature, Custom smart lockout. We set the value to 10 incorrect logins:

You should receive the following message if you provide a wrong password 10 times:

You can see the activity under Monitoring | Sign-In:

You can also test Sign-ins from multiple geographies with simulation software such as CyberGhost (http://www.cyberghostvpn.com/en_us). Another option would be to use an Azure Virtual Machine.

Log in with an account between geographic regions that are far apart, such as Europe and Asia. This requires a remote machine from your location and in a different time...

In this section, we will configure the Azure AD Join functionality and join our first Windows 10 client to Azure AD.

We configure a maximum of five devices per user and leave the other default values:

In the next section, we will join our client to Azure AD.

Log in to your freshly installed Windows 10 client machine and go to Settings. Choose Connect in the Access work or school section:

We sign in with don.hall@domain.onmicrosoft.com and join the Windows 10 client to Azure AD:

Click through the Next sections and finish joining the client. Afterwards, we will...

Under the Azure Active Directory | Custom domain section, click Add custom domain and complete the verification process to prove that you are the owner of the domain:

Add the TXT entry shown to your DNS zone to verify the domain:

Click the Verify button on your Azure portal, and after successful verification, the new DOMAIN NAME will appear under DOMAINS. Choose the Make primary option:

Open https://portal.office.com to complete the domain setup process under the admin section:

Choose the custom domain to be used for email addresses:

The last step we need to take is to set the new UserPrincipalNames to the existing users. We do...

To integrate a legacy application based on Kerberos authentication in an Azure infrastructure as a service (IaaS) scenario, we configure Azure AD Domain Services. In this section, we configure the basic service and integrate an active example application:

To start the configuration, we need to specify the DNS domain name, the Azure Subscription we want to use, and the name of the Resource group:

When enabling Azure AD Domain Services, you will need to specify which Azure virtual network to use. We use a range 192.168.x.x/20 to configure the network:

Add the admin account and your test user as a member of the Azure AD Domain Services Administrator group:

The summary should look like the...

After working through this implementation scenario, you will be able to configure and manage a suitable Azure AD tenant for the most important tasks. You will also be able to integrate Windows 10 and Office 365 to build a productive workforce for your users without an on-premises infrastructure. Don't worry if you missed some functionality. This was just a warm-up.

In the next chapter, we will discuss the identity synchronization needed to start with your hybrid integration and to provide the correct identity synchronization scenario for your requirements.