How to Setup Azure AD Hybrid Identity

Have you ever wondered how Azure AD Hybrid Identity works?

In my latest YouTube video I show you how to setup Azure AD Hybrid Identity from scratch. You’ll see how to register a custom domain with your Azure AD tenant and how to deploy and configure Azure AD Connect.

If you’re studying for the AZ-104 or AZ-30* exams this may help you answer some related questions.

Resources from this episode:

Full Transcript:

Mike Pfeiffer:
Hey, what’s up everyone. This is Mike Pfeiffer. And in this hands on lab, I’m going to walk you through architecting and implementing Azure AD Hybrid Identity. The goal with this is just to have a single set of credentials for your users and administrators that they can use, regardless of whether they’re working on premises or in the Azure cloud. Single set of credentials, no matter what.

Mike Pfeiffer:
Let’s jump over to the Azure documentation, specifically, the Azure Architecture Center. I’m in the reference architectures. This is the document called Integrate on-prem Active Directory domains with Azure Active Directory. And this reference architecture has got a ton of awesome information in it, just for real world stuff, certification in general, but also it has a nice diagram. And it’s a nice way to visualize what we’re going to work on. We’re not going to be spinning up a ton of infrastructure in Azure, but looking at the on premises architecture, we can see that we’re going to need a domain controller. In a real on-prem environment, we’ve got one or more domain controllers typically in an IT enterprise. And what we need to do is we need to deploy Azure AD Connect Sync.

Mike Pfeiffer:
And this is a service that will look at our active directory domain controllers, our active directory forest, and synchronize any content that we tell it to into the Azure active directory tenant. We can synchronize our users and groups to make sure that those identities exist in the Azure cloud and we can continue to keep those up to date as changes are made over time. Because we’re continuously keeping everything up to date with Azure AD Connect Sync, this enables us of course to sign in on prem with our credentials, sign into the Azure environment with the same set of credentials. And of course, when it comes to Azure, once we’ve got these identities synchronized, we can do things like role based access control assignments, app registrations and publication of apps to users. And it makes for a really nice hybrid identity story. There are some dependencies. We need domain controller infrastructure. We’re going to need actual domains themselves. Let’s go to the next video and I’ll explain some of the dependencies that we’re going to have to think about.

Mike Pfeiffer:
Okay. Here we are inside my Azure account, very basic setup here. Single pay as you go subscription and a single basic Azure Active Directory tenant. Over on the left hand side, just going to go over to Azure Active Directory. I’m actually on the Azure AD free version right now so I don’t need any premium licenses for what I’m going to be doing. This synchronization process, when we do Azure AD Connect, once we set this up, we just have to have Azure AD free. And then going over to my users, you can see that right now I’ve just got some cloud only users. These users were basically created, number one, this guy here was created inside my Azure AD tenant, inside Azure Active Directory. And then this was my Microsoft account that I used to create the Azure subscription and the Azure AD tenant. Ultimately, we’re going to want all of our on prem users and the on premises active directory environment to show up in here as well. That’s one consideration.

Mike Pfeiffer:
And so let’s scroll down here on the left hand side, go to custom domain names and you can see that the default namespace for this Azure AD tenant is mikepfeiffercloudskills.onmicrosoft.com. That is the pattern for brand new Azure AD tenants. It’s always something .onmicrosoft.com. Now, obviously our end users are going to be using something different because we’re talking about synchronizing on premises users into the cloud and their user principal name or their UPN suffix, I should say, the domain after the @ sign in their user principal name is going to need to be something else. It can’t be this domain. We’re going to have to create a custom domain and we’re going to want that to match what we’re using in the on premises world. This will need to be a verified, publicly routable domain that we can use both on premises and in the Azure cloud.

Mike Pfeiffer:
And so let me show you what I’m going to do for this. Let me go to my resource groups. Let me go into this resource group I’ve got called Global Resource Group or global-rg. And you can see right here that I’ve got an app service demo domain already registered. You can register a domain here in Azure. And when you do that, if you use the app service domain resource type and register a domain, it’ll give you a public DNS zone. We’re going to need a public domain that actually works for this hands on lab. If you don’t want to register your domains here in Azure, that’s fine. You can use any other public domain name service like GoDaddy or Namecheap or any of those. Let me show you the process here if you were doing this in Azure.

Mike Pfeiffer:
When you click on create a resource, search the marketplace for app service domains and then you can create an app service domain from here. Registration costs are pretty typical, usually about 10 or 12 bucks for a .com domain. And again, when you create this domain resource, this is just one way to do it here in Azure. And I’m going to go ahead and use the one that I’ve already got called appservicedemo. In addition to that, over here, back in the reference architecture, remember we’re going to need a domain controller and Azure AD Connect Sync running in the on premises network. But the big question is, how do we simulate the on premises network? Well, we’re going to use Azure virtual machines to do that. Let’s go ahead and go to the next video. I’ll show you how to set up a domain controller running on an Azure virtual machine.

Mike Pfeiffer:
One of the fastest ways to set up a domain controller on an Azure virtual machine is to use a resource manager template. Head over to github.com/mikepfeiffer, go to repositories and then just search for domains or domain. And you’ll see a repo here called Azure domain controller. And this is just a resource manager template with some PowerShell DSC automation. And this will allow us to spin up an active directory domain controller in one shot just by clicking on deploy to Azure and then filling out the information here. Once we get to the portal, I’ll go ahead and deploy this into a brand new resource group. And for the name, I’ll just call this ADDS, or active directory domain services.

Mike Pfeiffer:
And then I’m going to put it in a region close to myself. You’re going to see me using West US 2 quite a bit. That region is actually located in Washington here in the United States. It’s close to where folks are that work in Microsoft. And as you could imagine, that region gets a lot of attention from Microsoft and it tends to be pretty consistent when I’m working through these labs. I’m going to use that one. If you have any issues launching this template, you may want to switch your region to West US 2, if you’re running into any major issues. But let’s scroll down here. What we’re going to do is set the admin username and password. This will be our active directory username and password. I’m just going to do sysadmin for the username. And then for the password I’m going to put in a complex password and then we need to set the domain name for active directory.

Mike Pfeiffer:
The FQDN, the fully qualified domain name of the active directory forest. Now, if you remember, let me go back over to this other tab here. I have a domain in Azure called app service demo or appsvcdemo. I’m going to use that same domain in my on premises active directory environment. That way when we’re signing in on prem or we’re signing into the cloud, our domain is always going to be app service demo. Back over here, that’s what we’re going to plug in right here, appsvcdemo.com. And then this resource manager template does spin up a load balancer sitting in front of the domain controller as well. And we need to have a DNS prefix for the public IP address that’s going to be on that load balancer. To be honest, a load balancer is not really required for this particular set of infrastructure, but what I’m going to do here is just use my initials and then we’ll put in a random number here.

Mike Pfeiffer:
We’ll go ahead and stick with 2016 Datacenter for Windows server. Artifacts location is just referencing the GitHub repo to go download the DSC automation once the server comes online and we’ll go and agree to this and click on purchase. Let’s make sure this template kicks off correctly and I’ll show you kind of how to monitor this to make sure it’s going to work properly because there is a chance that a few things could go wrong depending on the scenario. Let me let this spin up just a bit and we’ll proceed in just a second.

Mike Pfeiffer:
All right. And a couple of minutes later, you can see that it started to build all the resources, all the dependencies, the virtual network and the availability set, the storage, all that kind of stuff. Even the VM came up and is running. And now we can see that we’ve got this thing spinning up called CreateADForest. Let me show you what’s going on here. Basically you want to make sure that you get to this point when you’re launching the template. If you’re looking at your deployment while it’s underway and any of these things broke, you’re going to need to start over by deleting the resource group, troubleshooting the issue and proceeding from there. But let me show you what I got here. Let me go to resource groups. This is what you’re looking for. Go into the resource group, go to the virtual machine itself. In this case, adVM. And then on the left side, go to extensions. You should see this thing here, CreateADForest, Microsoft PowerShell DSC extension and a transitioning status.

Mike Pfeiffer:
And then basically this virtual machine is not going to be ready until this says, “Succeeded.” That could take about a half hour. You’re going to want to let this thing run, give it plenty of time to spin up. And so let’s give this thing a little bit longer and I’ll show you what happens when the implementation is complete.

Mike Pfeiffer:
All right, so we can see a while later here, it says, “Provisioning succeeded.” This complete build is done. I want to point out a couple more things. We go back to overview and actually let me go to the resource group itself, we’ll head over to deployments. And the one thing that I want to show you here, once this loads up, you can see here, there were basically three things along the way to build the infrastructure. We had to lay down basically the template and then the virtual network, do some other things. But notice overall, we’re looking at about a half hour here. Give yourself anywhere from 30 minutes to 45 minutes. And if you get any red errors along the way, obviously you got to delete the resource group and start over because something went wrong. But hopefully that makes sense. Let’s go to the next video and I’ll show you how to log in and start configuring this domain controller.

Mike Pfeiffer:
We’ve spun up this domain controller template, everything’s running, but we got to make sure it’s actually working. And what we want to do here is RDP to the public IP address of this virtual machine. One way you can do that, just go to connect here, download the RDP file, or at least get the RDP information. And then of course on this screen, you want to change this to being the load balancer’s public IP address, download the RDP file. I’m actually on a Mac so what I’m going to do here is use jump desktop. This is the IP address that we’re looking at in the portal. Let me jump over to this guy and then let me maximize the screen here a little bit so we can see what is going on.

Mike Pfeiffer:
And once everything starts loading up here, I’m going to go ahead and click a no on this. And then one thing I’ll do here in server manager on Windows server, even though we probably won’t be surfing the internet from our servers in real life, I’m going to come over here under local server, come over to this setting, IE enhanced security configuration. Just going to turn this off. And the reason I’m turning this off is just in case I need to open a web browser. I want to make sure that I can get to what I want to get to. The biggest thing that we need to do here to verify that this machine is set up and ready to go is we need to open PowerShell and then install the active directory management tools. This machine has been built as a domain controller, according to the automation, but we don’t know yet because we can’t really work with the active directory tools. They’re not installed yet. Let me clean up the screen here, just a little bit.

Mike Pfeiffer:
And then what I’m going to do here is simply run Install-WindowsFeature and then it’s going to be RSAT-ADDS, Remote Server Administration Tools for Active Directory Domain Services. There shouldn’t be any dependencies for this tool, but you could even say -IncludeAllSubFeature and hit enter here. That’ll go ahead and install the components that we’re going to need to manage active directory. Let’s go ahead and let this run.

Mike Pfeiffer:
And we can see that that was installed successfully. And what you could do here is there’s a couple of ways to get to the tools for active directory. You can go to the start menu. You could go into Windows administrative tools, and when this comes up, you could run active directory users and computers, all the different active directory tools. You could also from the command line, you can just type dsa.msc. This will bring up active directory users and computers. As we can see, appsvcdemo.com is the DNS name for our active directory forest. And then we go to users here, we’ll see on the list, scrolling down. We only have really one user at this point, but under account, we can see that sysadmin basically uses the app service demo domain; appsvcdemo.com is the UPN suffix.

Mike Pfeiffer:
People are going to be signing in on premises with a UPN of [email protected]. And then when they sign into resources in the cloud, they’ll use the same username and ultimately the same password. I’m not going to save this configuration because later I’m going to show you how to generate some realistic user accounts that we can synchronize to the Azure AD tenant. But for now, let’s move to the next video and we’ll register our custom domain with Azure Active Directory.

Mike Pfeiffer:
Back in the Azure portal, you can see that I’ve got all my resource groups here. I want to remind you about this resource group that had my custom domain in here. I registered this as an app service domain resource. Also keep in mind that you could follow these steps that I’m going to show you using a domain you registered somewhere else like GoDaddy or Namecheap or any other public domain registrar. Ultimately, you’re going to need to be able to get into the public DNS zone and make changes to that, to verify that you own the domain. Here is the public DNS zone that Azure created for me when I registered this domain in Azure. But again, if you’re using another provider, you’re just going to go into the public DNS zone for your domain. Let’s go ahead and set this up.

Mike Pfeiffer:
I’m going to open another tab and go back to Azure portal because I want to be able to do two things at once. I’m going to navigate away from this screen for now. We’ll go to active directory, Azure Active Directory and then I’m going to scroll down to where it says, “Custom domain names.” And then we’re going to add a custom domain. And then we’re going to say, “appsvcdemo.com.” And so when we go into add this domain, this is the important part. In here, they’re saying, “Okay, if you want to use this domain with Azure, you need to either add a TXT record in DNS or an MX record.” And they’re pretty much saying here’s the value for the record that you need to put in public DNS. We’ll do the TXT record type. Either way, doesn’t matter what you do. I’m going to copy this value. I’m going to leave this screen up here. And then in the Azure portal in the other tab, I’m going to go to the DNS zone for my domain.

Mike Pfeiffer:
At this point, you might have to do this portion in your own DNS console. I’m going to add a record here, just on the root of the appsvcdemo domain. This will be a TXT record and then here’s the value straight from the Azure portal. This looks good. Let’s go ahead and click okay. We created that DNS record and it’s showing up in the list here. We can see that there is a TXT record without a value. Now that that’s available in public DNS, just heading back over to this tab, we should be able to click on verify here and we can see the verification succeeded and I’m going to go ahead and make this domain primary. And now we’re all set.

Mike Pfeiffer:
The next step here, just want to show you this. Let’s go to Azure Active Directory again. We’ll go to users. Let’s create a new user. And then notice as we’re creating new users, we can create them under appsvcdemo.com. But if I create a user here in the cloud, if we take a look, that’s going to mean we’re creating users with a source of Azure Active Directory. But the whole point of this lab is to actually let people sign into Azure resources and authenticate to the Azure platform using their on premises identity. Let’s go to the next video and I’ll show you how to add some users to your on premises domain controller.

Mike Pfeiffer:
At this point, we’re ready to set up some users in the on premises active directory environment. We’re going to have to RDP back into the domain controller to do this. And I’m going to give you a script to do this. There’s a script I’ve got right here called New-LabUser.ps1 and this is a Gist out in GitHub and I’ll put a link to this Gist on the page where you’re watching this video. But this is going to let us spin up a bunch of realistic looking users. What I’m going to do here is just right click on the raw link, copy the link address to the raw version of this script, and then go back over to jump desktop. Let’s maximize the screen on this domain controller and then back in our PowerShell window, let me clear the screen. We’re going to do a bits transfer. We’ll start a bits transfer. The source will be the URL, the Gist that I was just talking about out on GitHub. And then we’ll say the destination is going to be C:\ or just the C drive.

Mike Pfeiffer:
And after running that command, if we do a directory listing here, we can see that on the file system, we’ve got New-LabUser.ps1. Let’s clear the screen and then we’ll just kick off New-LabUser.ps1 and we’re going to say here is the count of users. Let’s create five users and then we’ll say that UPN suffix is appsvcdemo.com. We’ll just put in some kind of secure random password here. Let’s go and run this, see if this creates the users that we want. And there we go, we get the output back of realistic usernames and these are just randomized usernames coming out of the US Census Bureau database. Let’s create a few more. Let’s rerun the command. I’m just going to change this to 50 users because I want to have a lot of users to synchronize so we’re going to create a bunch here.

Mike Pfeiffer:
And then while that’s running, let’s just go back into Azure Active Directory or sorry, active directory users and computers. And we’ll do a refresh right here and then boom, we see a bunch of users out there. This is a good simulation of an on premises environment. Obviously we still have to set up Azure AD Connect, which is going to look at our directory here, grab these users and groups and all those definitions and then synchronize those into Azure. Let’s go and head to the next video and we’ll take a look at how to do that.

Mike Pfeiffer:
We’re now at the point where we can set up Azure AD Connect sync and I wanted to bring you back to this reference architecture for integrating active directory with Azure AD. Remember we’re going to need Azure AD Connect sync, the software component, to run on a physical or virtual machine in the on premises network, where it has direct line of sight connectivity to your domain controllers. We already have a domain controller in our lab. We’re running a domain controller on an Azure virtual machine. I could spin up another virtual machine and install the software, but I think that that’s overkill for spending too much money and just really kind of practicing this and setting it up. We don’t really need to go that far.

Mike Pfeiffer:
What I’m going to do is I’m going to install Azure AD Connect sync on the domain controller, just for this demonstration to minimize the amount of infrastructure that we’re going to use. Just remember in real life you’re going to put Azure AD Connect sync on its own dedicated machine. Now let’s jump back over to the portal. And then over here on the left, we’ll scroll down to Azure Active Directory. Want to point out, Azure AD Connect is not set up. It’s never been synchronized and this is one area of the portal you can come in here and start checking the system. How’s it set up? Download the components and you can also just download Azure AD Connect straight off of the internet. It’s a free download. It’s an MSI package.

Mike Pfeiffer:
Let me head back over to my lab-based on premises infrastructure, so my domain controller. Let me maximize this screen here and let me go to a browser on Google. We’re just going to search for Azure AD Connect and taking a look at the download information here. The first link on the list, download Active Directory Connect or Azure AD Connect from Microsoft. Let’s click on that. And then when we get to the screen with a bunch of ads on it and stuff, we basically want to scroll down and we’re looking for this. We want to download this package here, and then we’ll just say, we’ll go ahead and save this, do a save as, and we’ll go ahead and save it just in the downloads folder. That works.

Mike Pfeiffer:
And with that download complete, let’s just go ahead and open the folder. We can see the MSI package in there. Let’s get out of Internet Explorer. It’s insanely slow on this virtual machine and let’s just run this MSI package here. Go ahead and run it. Close out of all this other stuff that we’ve got open right now. And this takes us into the setup wizard for Azure AD Connect. And there’s going to be some important settings that you want to remember. I’m going to walk you through a couple of things that are important to keep in mind.

Mike Pfeiffer:
Here we are in the wizard and by default, this thing wants to do, what’s called an express setup, meaning it’s just going to kind of shotgun things out without asking you too much information. And so what I’m going to do instead of using express settings, I’m going to use custom settings so you can understand some of the things that this wants to do. There is a database component involved in keeping up with what’s on premises versus what’s in Azure in synchronizing the changes. You can use your own existing SQL implementation by enabling this option here. If you don’t use an existing SQL server, it’s going to install SQL Express on the local machine. For this demonstration that works. Let’s go ahead and click install. It’s going to go ahead and install a couple of components that are required.

Mike Pfeiffer:
Okay. And a minute later here, we can see that we’re now on the user sign in configuration screen, the required components are installed and we’ve got our option for configuring the sign in method. Are we going to use password hash synchronization? Which is pretty much the default and easiest way to go. Pass through authentication? Federation with ADFS? Well, in this case, we’re going to use password hash synchronization because again, it’s the easiest way to go. And so that’s what we’re going to pick here. We’re not going to enable single sign on right now. Let’s go ahead and just hit next. And then one of the things we have to do here and this is tricky, is we have to enter Azure AD global administrator credentials. And so this is kind of difficult because we got to make sure that we’re using the right kind of global administrator account.

Mike Pfeiffer:
Let’s go back over to the Azure portal here. Let’s go back over to users and pretty much what they’re asking us for right now is they’re looking for a global administrator in Azure AD. Right now I’ve only got one. [email protected]. The problem with that though is I’m a Microsoft account. You’re going to need a global administrator that is sourced as an Azure Active Directory account. What we’ll do here is we’ll create a new user. We’ll call this guy [email protected]. We’ll just say the name is AAD Sync. First name AAD, last name Sync. And then let me create the password here. This will be our initial password. And scrolling down we’ll just go ahead and click on create. That’s step one, getting the user created.

Mike Pfeiffer:
Let’s head over to the user account and what we need to make sure we also do is assign an Azure AD role to this service account. This needs to be a global administrator so we’re going to click on add assignments, we’re going to look for global admin. And this is the one we want here, global administrator. One of the things we’re going to need to do since this is a brand new account and since I created it graphically in the portal, is we’re going to need to sign in the first time because right now the initial password is only a temporary password. Let me go and open a new incognito window so we can sign into the portal as this user.

Mike Pfeiffer:
It’s AAD. [email protected]. Let’s go ahead and log in with that. And then it’s going to ask us our initial password and then it’s going to want the current password again. And then we’re going to have to put a new one in here. I’m going to go and try that. Click on yes, just to confirm and there we go. We know that this service account works. Let’s jump back over to the domain controller and right here, we’re going to put [email protected]. Let me go ahead and put in this new password here. And I click on next. This is actually going to validate these credentials against Azure AD and this is the service account credentials that the on premises AAD Connect sync machine is going to use to populate Azure AD with our on premises users. This looks good. And then we’re going to take our local forest here, click on add directory. And then we’re going to use this UI here to create a service account on premises.

Mike Pfeiffer:
Just like we had to have authentication and a strategy for getting into Azure AD, we need to be able to have the service look at the on prem environment as well. We need to enter enterprise admin credentials here to create a new service account. This is just going to be APPSVCDEMO\sysadmin. This is my local domain administrator. This is the same username and password I used to create the domain controller. Let’s go ahead and click okay there. Then we got a green check so everything is good. We’ll click on next here. Let me go and maximize this window while I’m thinking about it. And then on the sign in configuration screen, they’re pretty much asking, “What’s the on prem attribute to use as the Azure AD username?”

Mike Pfeiffer:
And we’re going to use the user principal name. It will be [email protected]. Let’s go and hit next. Here on domain and OU filtering, we’re just going to synchronize everything in the directory here. We’re not going to do any filtering. We’re just going to take all the OUs, everything that we got and we’ll send all of our users and groups into Azure AD. We’re going to click on next here and then the rest of the settings for this demonstration we’re just going to keep on the defaults and you can always come back in here and reconfigure the application later on, the Azure AD Connect sync service. Notice that once we hit the install here, it’s going to configure synchronization services and then it’s going to start our first synchronization when this completes. Let’s go ahead and click on install here. And then finally the configuration is now complete.

Mike Pfeiffer:
We’ll go ahead and exit out of the wizard and we should expect to see all of these random users that we created showing up inside our Azure AD tenant. Let’s go ahead and minimize this. We’ll jump back over to the Azure portal and let’s see, right here in Azure AD we’ll go to all users. Hit the little context menu here, refresh. And there we go. Boom. We can see all the users from the on prem environment and notice that their source is listed as Windows server AD. Let’s go out and validate this configuration by moving to the next video and we’ll see if we can sign in as one of these users.

Mike Pfeiffer:
The last step in this hands on lab is to validate everything that we’ve done actually works. And we’re going to take one of these users sourced on premises. We’re going to make sure we can sign into Azure using the same credentials sourced on prem. To simulate this, what I’ll do here is I’m just going to open Chrome in an incognito window. We’ll go to portal.azure.com. And I’m going to sign in with that user that we were looking at, so [email protected]. Click on next here. And then it’s asking for a password, which is a good sign. I’m going to enter the on premises password. This is the password I assigned to all the users when I created the user accounts on premises. Let’s click on sign in and you can see, hey, it’s like, you want to stay signed in? Clearly that works. And clicking on, yes, that just redirects us into the portal. This person does not have any permissions to anything. He can sign in, he just doesn’t have access to do anything, but we validated the credentials are working. These are the on premises credentials that we just signed in with.

Mike Pfeiffer:
That brings us to the end of this hands on lab. The last thing you probably want to do to clean up this environment is delete the resource group with your domain controller. But before you do that, what you’ll want to do is check out this document, this article in Microsoft documentation, to turn off directory synchronization. On your machine running Azure AD Connect sync, you just run this command Set-MsolDirSyncEnabled -EnableDirSync $false. And then at that point you could come in here, delete this resource group by simply clicking the delete resource group button, putting the name of the resource group in. And then of course you could go into Azure Active Directory, clean up your users from there. Delete anybody that you don’t want in the directory. That brings us to the end of this hands on lab. I hope you enjoyed it. I’ll see you in the next one.
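As an added example (not code from the video, nor from Mike's GitHub repo or Gist), here is a PowerShell readiness check to run on the lab domain controller before launching the Azure AD Connect wizard. It automates the things the walkthrough verifies by hand: RSAT-ADDS installed, the forest carrying the verified custom domain as a UPN suffix, every enabled user's UPN ending in that domain, and the verification TXT record visible in public DNS. The function name, the `$VerifiedDomain` parameter and the check for a TXT value starting with `MS=` are my assumptions, not something the video states.

```powershell
# Added example, not code from the video or from the author's repo/Gist.
# Run in an elevated PowerShell session on the lab domain controller before
# starting the Azure AD Connect wizard. Assumes $VerifiedDomain is the custom
# domain you verified under Azure Active Directory > Custom domain names.
param(
    [string]$VerifiedDomain = 'appsvcdemo.com'   # domain used in the lab; change to yours
)

function Test-HybridIdentityReadiness {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{
        RsatInstalled      = $false
        ForestHasSuffix    = $false
        UsersWithBadSuffix = @()
        TxtRecordPublished = $false
    }

    # 1. RSAT-ADDS provides the ActiveDirectory module the checks below depend on.
    $result.RsatInstalled = (Get-WindowsFeature -Name RSAT-ADDS).Installed
    if (-not $result.RsatInstalled) {
        Write-Warning 'RSAT-ADDS missing; run: Install-WindowsFeature RSAT-ADDS -IncludeAllSubFeature'
        return [pscustomobject]$result
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    # 2. The forest must carry the routable domain as a UPN suffix: either it is the
    #    forest root name (as in the lab) or it was added as an alternative suffix.
    $forest   = Get-ADForest
    $suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
    $result.ForestHasSuffix = $suffixes -contains $Domain
    if (-not $result.ForestHasSuffix) {
        Write-Warning "Forest UPN suffixes ($($suffixes -join ', ')) do not include $Domain"
    }

    # 3. Every enabled user that will sync should have a UPN ending in the verified
    #    domain. A different or missing suffix means the cloud sign-in name will not
    #    match the on-prem one, which defeats the single-credential goal of the lab.
    $result.UsersWithBadSuffix = @(
        Get-ADUser -Filter 'Enabled -eq $true' |
            Where-Object { $_.UserPrincipalName -notlike "*@$Domain" } |
            ForEach-Object {
                $upn = if ($_.UserPrincipalName) { $_.UserPrincipalName } else { '(none)' }
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    UserPrincipalName = $upn
                }
            }
    )

    # 4. The TXT record the portal asked for must be visible in public DNS before
    #    'Verify' succeeds. Assumption: the verification value starts with 'MS='.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $result.TxtRecordPublished = [bool]($txt | Where-Object { $_.Strings -like 'MS=*' })

    return [pscustomobject]$result
}

$report = Test-HybridIdentityReadiness -Domain $VerifiedDomain
$report | Format-List
$report.UsersWithBadSuffix | Format-Table -AutoSize
```

Users listed under UsersWithBadSuffix (the built-in Administrator account usually appears, since it has no UPN) should be fixed or filtered out by OU before the first synchronization run.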
