The first step we need to take is to get an Azure AD tenant. There are many ways to do this. You can start with an Azure subscription or use any other service from the Microsoft SaaS portfolio. The easiest way to get your solution to a working state is to start with an Office 365 trial subscription.
Open your browser and navigate to http://bit.ly/1RVpFXe. Subscribe to a free Office 365 Enterprise E5 plan:
Office 365 E5 trial request
Follow the registration process and define your user ID, such as [email protected]. We recommend using a nonpersonal ID, as shown in the next screenshot. Enter your new user ID and password. Your default directory will get the name you define behind the @:
First Global Administrator creation
Afterward, you need to prove your identity with a text message or a phone call and enter the received code. Next, you need to click Create my account. Keep in mind that the provisioning process takes a few minutes and should end with a success message.
After the successful creation of your brand new Azure AD with an associated Office 365 E5 plan, you should be able to log on with your administrative credentials and see the following screen:
Office 365 management portal
In the next step, we will assign an Enterprise Mobility Suite (EMS) E5 plan to the freshly created Azure AD tenant.
Click on the Admin icon on the right, and you should see your current assigned Subscriptions under the Billing tab:
Office 365 subscription management
Click Add subscriptions to add the EMS E5 trial plan to your Azure AD tenant:
EM+S E5 trial request
Choose the EMS E5 plan and click Start free trial and follow the subscription process. After a successful subscription process, you can see the assigned Office 365 E5 and the EMS E5 plan in your Azure AD tenant.
Now that we have created our Azure AD tenant, we need to subscribe for an Azure free trial subscription. This step is necessary to use Azure resources such as the Azure AD Domain Services or other functionality we will discuss in the next chapters.
You can also use the following ways to get an Azure subscription:
- Use an Azure subscription from scratch (https://account.azure.com/organization)
- Use an agreement-based Azure subscription
- Use an MSDN Azure subscription, as shown in the following figure:
Visual Studio subscription benefits
Let's go to configure your administrative workstation and your personal Azure AD tenant.
First of all, we need to set a functional administrative workstation to work through this guide. You need to have a Windows 10 Enterprise client machine in a work group configuration. We recommend using a freshly installed Windows 10 Enterprise virtual machine. We need a Windows 10 device to use the Azure AD Join later in the book. If you are not able to access the Volume Licensed or MSDN version, you can use the Enterprise Evaluation version at https://www.microsoft.com/en-gb/evalcenter/evaluate-windows-10-enterprise.
In the code section of this chapter, you will find the following cmdlets to install the needed administrative tools on your client machine, basically, the Azure AD, MSOnline and the Azure Resource Manager PowerShell modules:
- Install the Azure Active Directory PowerShell module:
Install-Module -Name AzureADPreview- Install the
MSOnlinePowerShell module:
Install-Module -Name MSOnline- Install the Azure Resource Manager PowerShell module:
Install-Module AzureRM- Connect to the
MSOnlineinterface with PowerShell:
Connect-MsolService # Provide your global administrator credentials # View your assigned subscriptions Get-MsolAccountSku # View all actual users Get-MsolUser
- Create your first test user to prove the Azure AD administrative connection:
New-MsolUser -UserPrincipalName "[email protected]" -DisplayName "Jochen Nickel" -FirstName "Jochen" -LastName "Nickel" -UsageLocation "CH" -LicenseAssignment "inovitlabs:ENTERPRISEPREMIUM","inovitcloudlabs:EMSPREMIUM"
Get-MsolUser -UserPrincipalName [email protected] | fl- Connect directly to the Azure AD interface to compare the output and capabilities with the
MSOnlinePowerShell module:
Connect-AzureAD Get-AzureADUser -all $true | where userprincipalname -eq [email protected] | fl
- Unpack the deployment package from the code package. The
C:\Configuration\HRExportsdirectory contains the needed HR import and group creation scripts to configure your Azure AD tenant with some test data:
Example script set
In the HRImportToAAD.ps1 script, the following important variables will be used:
$domain = Get-MsolDomain | where {$_.Name -notlike "*mail*"} $dir = "C:\Configuration\HRExports" # Also configure your PowerShell Execution Policy to RemoteSigned with the following cmdlet # More information about this topic can be found under http://bit.ly/1EWLG03 Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
The domain variable will contain the domain.onmicrosoft.com name of your Azure AD default directory. We use this directory and not a registered domain name for different steps. At the end of the chapter, we will change to a custom domain so that you can explore the needed tasks. As you can see, the dir variable contains the path to the scripts and the simple HR export file called NewHire.csv. The contoso.com domain in the file will be replaced with your domain name, stored in the domain variable.
The NewHire.csv file contains the following demo user set, which will be used in future configurations to demonstrate the different functionalities:
userPrincipalName,DisplayName,FirstName,LastName,password [email protected],Don Hall,Don,Hall,Pass@word1 [email protected],Ellen Adams,Ellen,Adams,Pass@word1 [email protected],Jeff Simpson,Jeff,Simpson,Pass@word1 [email protected],Brian Cox,Brian,Cox,Pass@word1 [email protected],Doris Sutton,Doris,Sutton,Pass@word1 [email protected],Petro Mitchell,Petro,Mitchell,Pass@word1
With the next step, we will assign an EMS E5 plan license to our global administrator, [email protected]. The Office 365 E5 was already assigned through the creation process. Later in the chapter, we will assign licenses through dynamic group membership, which is an Azure AD Premium P2 license feature:
License assignment operation
Click Assign and add the EMS E5 plan license to your global administrator. The expected result will be as follows:
Assigned license overview
We will get the correct message that we have no active subscription assigned to this user ID. Next, sign up for a Microsoft Azure subscription.
Most companies like to see how they can apply their corporate identity to Azure services. With a few easy steps, you can show the most important capabilities. To add custom branding, you need to use an Azure Active Directory Premium 1, Premium 2, Basic, or Office 365 license. With the following simple example, you can see what you can customize. You can provide the customizing in different languages to address your own or your customers' needs. These configuration tasks are always a good starting point in a demo or a proof of concept. You are free to use your pictures and designs for this setup:
Customized portal example
The first thing we are going to change is the Name of the directory in the properties section. Just enter your desired name. We used INOVITCLOUDLABS by inovit GmbH. You can also provide your own technical and privacy contacts and links on the login page:
Azure AD tenant properties
Click Customize Branding, and you will see the following options. So that you can prepare your pictures and brands, we summarized the help information provided in Microsoft TechNet:
Azure AD portal-customizing options
Next, you will see a configuration summary.
The following section provides you with several capabilities and summarizes the most important corporate identity features to customize your environment:
- Banner logo: Choose between the following options:
- Sign-in page text body: Choose between the following options:
- Appears at the bottom of the Azure AD sign-in page
- Unicode text only with a maximum length of 256 characters
- Use to communicate the phone number to your help desk or include a legal statement
- Recommendation—don't add links or HTML tags
- Sign-in page background image: Choose from the following options:
- Displayed on the side of the Azure AD sign-in page
- PNG or JPEG
- Recommended 1420 x 1200 with a supported file size of 300 KB (max. 500 KB)
- Keep the exciting part in the top-left corner (image gets resized and cropped)
- Username hint: Hint text that appears to users if they forget their username:
- Unicode, without links or code
- Maximum 64 characters
- Show option to remain signed in: Let your users remain signed in to Azure AD until explicitly signing out:
Login experience
Note
You are also able to do some extensive customization with the help of the following article https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding.
Your expected result should be this:
Portal-customizing effect
Now that we have provided an essential company branding, we can start to create and manage users and groups.