Friday, March 17, 2017

Configure Identity Federation with Microsoft Office 365

Objective

During this lab, you will configure identity federation with Microsoft® Office 365™. You will perform the necessary steps to synchronize your organization’s on-premises directory with your Office 365 tenant. You will use both express and custom installations of the Azure™ Active Directory® Connect (Azure AD Connect) tool.
Estimated time to complete: 60 minutes
Before You Begin
To complete this lab, you need to have already signed up for a Microsoft Office 365 Enterprise E3 or E5 trial tenant.
You can sign up for a free trial tenant at one of the following URLs:
https://products.office.com/en-us/business/office-365-enterprise-e3-business-software
https://products.office.com/en-us/business/office-365-enterprise-e5-business-software
What You Will Learn
After completing the exercises, you will be able to:
  • Add and verify a custom domain in Office 365.
  • Activate directory synchronization in Office 365.
  • Install and configure the Azure AD Connect tool using express settings.
  • Install and configure the Azure AD Connect tool using a custom installation.

Scenario

You are tasked with federating and synchronizing your on-premises directory with your Office 365 tenant. You want to first set up synchronization with your tenant and then later you want to use single sign-on to make your on-premises directory the source for all your users’ authentication. You want to complete this installation using the Azure AD Connect tool.

Virtual Machines

  1. AAD-DC1
  2. AAD-SRV1
  3. AAD-SRV2

Exercise 1: Configuring the On-Premises Organization

In this exercise, you will configure the virtual machine lab environment that will be used throughout the lab. Scripts will be used to configure aspects of the on-premises organization to facilitate the objectives of this lab.
The second-level domain, O365Ready.com, is being managed by the organization delivering this course. Records that point to your on-premises organization have been created to route name record lookups for your lab domain to your gateway virtual machine’s DNS server.
You must already have an Office 365 E3 or E5 tenant in order to complete this lab. Due to configuration changes made by this lab to the Office 365 tenant, it is recommended to use a new trial tenant to ensure your production tenant is not impacted.
  1. Sign up for a new Office 365 Trial tenant
    If you have not been provided a tenant for use in this lab, you can sign up for a new Office 365 E5 trial tenant from here: https://products.office.com/en-us/business/office-365-enterprise-e5-business-software
    Or, an Office 365 E3 trial tenant from here:
    https://products.office.com/en-us/business/office-365-enterprise-e3-business-software
  2. Complete the Office 365 trial registration
    On the Office 365 Enterprise page, click Free trial and then complete the questionnaire. Write down your tenant administrator username and password, because they will be used throughout the lab.
  3. Sign in to new Office 365 trial tenant
    Once you have signed up for a tenant, sign in to your tenant and verify that it has finished provisioning.
  4. Switch to DC1
    Switch to the DC1 virtual machine.
  5. Click Yes to allow network discovery
    For any virtual machine, if you see a Networks notification, click Yes to allow network discovery.
  6. Open Internet Explorer
    On DC1, open Internet Explorer®.
  7. Browse to http://www.bing.com
    Browse to www.bing.com, and verify that you can access the website.
  8. Close Internet Explorer
    After you have verified that Internet access is available, close Internet Explorer.
    Internet access is required to complete this lab. 
  9. Switch to SRV2
    Switch to SRV2.
  10. Open Internet Explorer
    Open Internet Explorer.
  11. Browse to http://www.bing.com
    Browse to www.bing.com and verify that you can access the website. 
  12. Search What is My IP
    In Bing, in the Search box, type What is My IP and then press Enter.
    Write down the IP address displayed in the Your IP Address box. The IP address displayed is your organization’s public IP address.
  13. Browse to http://www.O365Ready.com
    Switch to Internet Explorer and browse to http://www.O365Ready.com.
  14. Click the Generate Student Lab Number tab
    On the Welcome page, click the Generate Student Lab Number tab.
    The DNS server that hosts the O365Ready.com domain also hosts delegated DNS zones that point to the name server on SRV2 in your lab environment. Each lab environment needs a unique lab number that becomes part of the on-premises domain. When this task is completed, you will be assigned a lab number and a delegated DNS zone for your lab number will be created, which will enable you to use the DNS server on SRV2 to respond to name record lookup requests from public queries.
  15. Type your public IP address and click Submit
    In the Please type your public IP address box, type your public IP address and then click Submit.
  16. Write down the five-digit lab number
    Write down the five-digit lab number that is assigned to you. You will refer to this five-digit number throughout the labs.
    You will be using all five digits as part of your organization’s on-premises domain. 
  17. Close Internet Explorer
    Close Internet Explorer.
  18. Switch to DC1
    Switch to DC1, signed in as Contoso\Administrator with a password of Pa$$w0rd.
  19. Open File Explorer and browse to C:\Scripts
    Open File Explorer and browse to C:\Scripts.
  20. Run ConfigureAADConnectLab as administrator
    Right-click ConfigureAADConnectLab.exe and then click Run as administrator.
    The script in this task will add your DNS zone and UPN suffix that will be used for the remainder of this lab. The script will also create several user accounts that are referenced throughout the labs.
  21. Type your lab number and then click OK
    In the Lab Number window, type your five-digit student lab number and then click OK.
    The student lab number will become part of your lab domain’s fully qualified domain name (FQDN) used throughout the labs.
  22. Click OK
    Review the information in the On-premises Domain Name dialog box and then click OK.
    Your on-premises domain name will be in the form of LabXXXXX.O365Ready.com where XXXXX represents your five-digit lab number. For example, if your lab number is 00102, your lab domain name will be Lab00102.O365Ready.com.
    Wait for the script to complete.
    Throughout these labs, your unique LabXXXXX.O365Ready.com domain name may be referred to as "your lab domain name." The full lab domain name format may be used to help clarify a step.
  23. In the Script Complete dialog box, click OK
    In the Script Complete dialog box, click OK.
  24. In File Explorer, browse to C:\LabFiles
    On DC1, in File Explorer, browse to C:\LabFiles.
  25. Double-click CertReq-yourlabdomainname.txt
    Double-click CertReq-yourlabdomainname.txt.
    This certificate request was created by the configuration script.
  26. Copy the certificate request to the clipboard
    In Notepad, select all of the text in the file and then press Ctrl+C to copy the contents to the clipboard.
  27. Browse to the MS Event CSR Submission page
    Open Internet Explorer and then browse to https://www.digicert.com/friends/exchange.php.
  28. Paste the CSR text in the Paste CSR box
    On the Microsoft Event CSR Submission page, in the Paste CSR box, right-click inside the box, and then click Paste.
    Verify that you have pasted the contents of your certificate request.
  29. Verify the common name
    Under Certificate Details, in the Common Name box, verify that the common name is fs.LabXXXXX.O365Ready.com where XXXXX is your lab number.
    You may have to click in the Common Name box to verify this information.
    Review the Subject Alternative Names information that will be assigned to the certificate.
  30. Type an accessible email address
    Under Certificate Delivery, in the Email Address and Email Address (again) boxes, type an email address you have access to that can receive compressed files (.zip file format). This email account should also be accessible via web browser.
  31. Agree to the terms of service
    Select the I agree to the Terms of Service above check box.
  32. Click Submit
    Click Submit.
  33. Close Notepad
    Close Notepad.
  34. In Internet Explorer, browse to your email
    In Internet Explorer, browse to the address of your web accessible email and sign in.
    For example, Outlook.com.
  35. Open the email from DigiCert
    In the message list, locate and open the email from DigiCert with the zip file attachment. 
  36. Download the DigiCert_cert.zip file attachment
    Download the DigiCert_certs.zip file attachment to C:\LabFiles.
    You may have to wait for the message to arrive.
    Do not open or extract the zip file. The script will do this in the next task.
  37. In File Explorer, browse to C:\Scripts
    On DC1, in File Explorer, browse to C:\Scripts.
  38. Run ImportExportLabCert.exe as administrator
    Right-click ImportExportLabCert.exe and then click Run as administrator.
    The script used in this task will extract the public certificate file, import the certificate into DC1 and SRV2, and export the certificate to PFX.
  39. In the Script Complete dialog box, click OK
    In the Script Complete dialog box, click OK.
  40. Close Internet Explorer and File Explorer
    Close Internet Explorer and close File Explorer.

Exercise 2: Adding a Custom Domain to Office 365

In this exercise, you will add your lab domain to your Office 365 tenant.
  1. Switch to SRV2
    Switch to SRV2.
  2. Browse to http://portal.office.com
    Open Internet Explorer and browse to http://portal.office.com.
  3. Sign in to Office 365 as administrator
    Sign in to Office 365 using your tenant administrator account name and password.
  4. Scroll down and then click Admin
    On the Office 365 page, scroll down and then click Admin.
    If your tenant administrator has not been assigned a license, in the top navigation, click the app launcher icon, and then click Admin. 
  5. In the navigation menu, click DOMAINS
    Close the Tour prompt. Optionally, you can click Next and take the tour of the new Admin center. In the navigation menu, click Settings (cog). You can also expand the navigation menu by clicking the right-facing arrow near the top. Under Settings, click Domains.
  6. Click Add domain
    Click Add domain.
  7. Type your lab domain name and then click Next
    In the Enter a domain you own box, type your lab domain name, and then click Next.
    For example, LabXXXXX.O365Ready.com where XXXXX is your lab number. 
  8. Write down the TXT value column information
    On the Verify domain page, in the TXT records table, write down the information from the TXT value column.
    This information will be similar to MS=ms54802849.
  9. On SRV2, switch to Server Manager
    On SRV2, switch to Server Manager.
  10. Click Tools and then click DNS
    On the menu, click Tools, and then click DNS.
  11. Expand SRV2
    In DNS Manager, expand SRV2.
  12. Expand Forward Lookup Zones
    Expand Forward Lookup Zones.
  13. Click your lab domain name DNS zone
    In the console tree, click your lab domain name DNS zone.
  14. Right-click your lab domain name DNS zone
    Right-click your lab domain name DNS zone.
  15. Click Other New Records
    Click Other New Records.
  16. Click Text (TXT)
    In the Resource Record Type window, in the Select a resource record type list, scroll down, click Text (TXT).
  17. Click Create Record
    Click Create Record.
  18. Type the text record data and then click OK
    In the New Resource Record window, in the Text box, type the text record data that you wrote down earlier, and then click OK.
    Do not type any information in the Record name box.
  19. In the Resource Record Type window, click Done
    In the Resource Record Type window, click Done.
    Leave the DNS Manager open.
  20. Switch to Internet Explorer
    Switch to Internet Explorer.
  21. Click Verify
    On the Verify domain page, click Verify.
  22. Close the Update DNS Settings window or Exit
    At the top of the Update DNS Settings page, ensure that there is a green check mark visible indicating that your domain has been verified, scroll down and click Exit.
    If the domain was not able to be verified, review the DNS record creation and verify that you have entered the correct TXT record in your lab domain name DNS zone. Try to verify your domain again. You may need to contact a lab proctor if your domain cannot be verified. 
    DNS for your lab domain is being hosted on premises. There is no need in this lab to create the additional DNS records on the Update DNS settings page. 
  23. Notice the Setup in progress
    On Home > Domains page, note that the lab domain name is listed as (Default) Setup in progress. Setup in progress is expected.
  24. Close Internet Explorer
    Close Internet Explorer.
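    The TXT record you created in this exercise is what proves to Office 365 that you control the lab domain, so it is worth confirming that it is visible from the public Internet (through the O365Ready.com delegation to SRV2) before clicking Verify. The following PowerShell is an added example, not part of the lab, and uses placeholders for the lab number and the MS= verification value; it is meant to be run on SRV2.

```powershell
# Added example (not part of the lab): publish the Office 365 domain-verification
# TXT record on SRV2's DNS zone and confirm a public resolver can see it.
# Placeholders: XXXXX is your lab number, MS=msXXXXXXXX is the TXT value column value.
$LabDomain   = 'LabXXXXX.O365Ready.com'
$VerifyValue = 'MS=msXXXXXXXX'

# The DnsServer module ships with the DNS Server role installed on SRV2.
Import-Module DnsServer

# Name '@' publishes the TXT at the zone apex, which is what leaving the
# Record name box empty in step 18 does in DNS Manager.
Add-DnsServerResourceRecord -ZoneName $LabDomain -Name '@' -Txt -DescriptiveText $VerifyValue

function Test-DomainVerificationRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Expected,
        [string] $Resolver = '8.8.8.8'   # any public resolver; Office 365 queries from the Internet
    )
    # Query a public resolver rather than SRV2 itself, so the check exercises the
    # delegation from O365Ready.com down to SRV2 and not only the local zone.
    $records = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -DnsOnly -ErrorAction Stop
    $values  = $records | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }

    $match = @($values | Where-Object { $_ -eq $Expected })
    if ($match.Count -eq 0) {
        Write-Warning "No TXT record '$Expected' for $Domain via $Resolver. Published values: $($values -join '; ')"
        return $false
    }
    # Exactly one copy is expected; duplicates usually mean the record was created twice.
    if ($match.Count -gt 1) {
        Write-Warning "TXT record '$Expected' is published $($match.Count) times for $Domain."
    }
    Write-Host "Verification record for $Domain is publicly visible; Office 365 Verify should succeed."
    return $true
}

Test-DomainVerificationRecord -Domain $LabDomain -Expected $VerifyValue
```

If the function returns False a few minutes after the record was added, the delegation from O365Ready.com to SRV2 (Exercise 1, step 14) is the first thing to re-check.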

Exercise 3: Performing Directory Synchronization

In this exercise, you will configure directory synchronization between your on-premises environment and your Office 365 tenant.
  1. Switch to SRV1
    Switch to SRV1.
  2. Open Internet Explorer
    Open Internet Explorer.
  3. Browse to http://portal.office.com
    Browse to http://portal.office.com.
  4. Sign in to Office 365 as administrator
    Sign in to Office 365 using your tenant administrator account name and password.
  5. Click Admin
    On the Office 365 page, scroll down and then click Admin or click the app launcher icon, and then click Admin.
  6. Click Users and then click Active users
    In the feature pane, click the User icon, and then click Active users.
  7. Click More
    Click More.
  8. Click Directory synchronization
    Click Directory synchronization.
  9. Click Go to the DirSync readiness wizard
    Click Go to the DirSync readiness wizard.
  10. Select 51-250 and click Next
    On the Is directory sync right for you page, select 51-250, scroll down, and then click Next.
  11. Click Next
    On the Sync your local directory with the cloud page, read the information and then click Next.
  12. Click Next
    On the Let’s check your directory page, click Next.
  13. Click Start scan
    On the Let’s check your directory page, click Start scan.
  14. Click Run checks
    On the Evaluating directory synchronization setup page, click Run checks.
    If the page fails to load, perform the following steps:
    a.  Close the tab.
    b.  On the Let’s check your directory page, click Back, and then click Continue manually.
    c.  On the Find your on-premises domains page, click Next.
    d.  On the Get your domains ready page, review the information and then click Ok, I’ve added and verified all my domains.
    e.  On the Clean up your environment page, review the information and then click Next.
    f.  Skip to the next task.
  15. Click Run
    In the Application Run – Security Warning dialog box, review the information and then click Run.
  16. Click Run
    In the Open File – Security Warning dialog box, click Run.
    Wait for the app to install.
  17. Return to the Let’s check your directory page
    On the Evaluation scan completed successfully page, close the Internet Explorer tab and return to the Let’s check your directory page.
  18. Verify the scan is complete and click Next
    On the Let’s check your directory page, verify that Scan complete is shown and then click Next.
  19. Scroll down and then click Next
    On the Here’s what we found page, review the information, scroll down, and then click Next. You may need to close the tab.
  20. Click Next
    On the Get your domains ready page, review the information and then click Next.
  21. Click Next
    On the Verify ownership of your domains page, review the information, scroll down, and then click Next.
  22. Click Next
    On the Your Domains are ready page, click Next. 
  23. Click Next
    On the Clean up your environment page, click Next.
  24. Click Download
    On SRV1, on the Run Azure Active Directory Connect page, click Download.
  25. Click Download
    On the Microsoft Azure Active Directory Connect page, click Download.
  26. In the Internet Explorer banner, click Run
    In the Internet Explorer banner, click Run.
    Wait for the download to complete and the installation to start.
    The installation wizard may open behind the Internet Explorer window. 
  27. Select the I agree to license terms check box
    In the Microsoft Azure Active Directory Connect window, on the Welcome to Azure AD Connect page, review the information, and then select the I agree to the license terms and privacy notice check box.
  28. Click Continue
    Click Continue.
  29. Click Use express settings
    On the Express Settings page, review the information and then click Use express settings.
  30. Type your Office 365 administrator credentials
    On the Connect to Azure AD page, type your Office 365 tenant administrator username and password, and then click Next.
  31. On the AD DS page, type Contoso\Administrator
    On the Connect to AD DS page, in the USERNAME box, type Contoso\Administrator.
  32. Type Pa$$w0rd and then click Next
    In the PASSWORD box, type Pa$$w0rd, and then click Next.
  33. Click Next
    On the Azure AD sign-in configuration page, review the information and click Next.
  34. Clear the Start synchronization check box
    On the Ready to configure page, clear the Start the synchronization process as soon as the configuration completes check box.
    When the Start the synchronization process as soon as the configuration completes check box is selected, the Azure AD Sync Scheduler task in Task Scheduler is enabled and will synchronize the directory automatically every three hours. For this lab, the Azure AD Sync Scheduler task will be enabled later.
  35. On the Ready to configure page, click Install
    On the Ready to configure page, click Install. Wait as the connector is installed and configured.
  36. On the Configuration complete page, click Exit
    On the Configuration complete page, click Exit.
  37. Open Azure AD Connect
    On SRV1, on the desktop, double-click Azure AD Connect.
  38. On the Welcome page, click Configure
    In the Microsoft Azure Active Directory Connect window, click Configure.
  39. Click Customize synchronization options
    In the Microsoft Azure Active Directory Connect window, click Customize synchronization options and then click Next.
  40. Type your Office 365 administrator credentials
    On the Connect to Azure AD page, type your Office 365 tenant administrator username and password, and then click Next.
  41. Type your local credentials
    In the USERNAME box, type CONTOSO\Administrator.
  42. Type your password
    In the PASSWORD box, type Pa$$w0rd.
  43. Verify that Contoso.local is shown
    On the Connect your directories page, under Forest, verify that Contoso.local is shown.
  44. Click Next
    Click Next.
  45. Select Sync selected domains and OUs
    On the Domain and OU filtering page, select Sync selected domains and OUs.
  46. Expand Contoso.local
    Expand Contoso.local.
  47. Review the currently selected OUs
    Review the currently selected OUs.
  48. Clear the check boxes from the selected OUs
    Clear the check boxes from all of the selected OUs.
  49. Select specific OUs to sync
    Select only the AccountsManagers, and Online check boxes and then click Next.
  50. Review the selected items then click Next
    On the Optional features page, review the selected items and then click Next.
  51. Select the Start the synchronization check box
    On the Ready to configure page, select the Start the synchronization process as soon as the configuration completes check box.
  52. Click Configure
    Click Configure.
  53. On the Configuration complete page, click Exit
    On the Configuration complete page, click Exit.
  54. On SRV1, switch to Internet Explorer
    On SRV1, switch to Internet Explorer.
  55. Close the Download tab
    Close the Download tab.
  56. Complete directory synchronization setup
    On the portal.office.com tab, if you are on the Run Azure Active Directory Connect page, complete the following sub-steps; otherwise, continue to the next step.
     1.  On the Run Azure Active Directory Connect page, scroll down and then click Next.
     2.  On the Make sure sync worked as expected page, verify that the page reads Directory synchronization is enabled and then click Next. Note: If you see Directory synchronization isn’t enabled yet, you may not be able to configure Skype for Business hybrid later in this lab. This message may also appear when directory synchronization has been activated but the wizard did not update properly.
     3.  On the Activate users page, in the upper right corner, click the X. Users will not be activated at this time.
     4.  In the Do you want to save your spot dialog box, click Yes, save my spot.
  57. In the top navigation, click Admin
    In the top navigation, click Admin.
  58. Click Users and then click Active Users
    In the features pane, click Users and then click Active Users.
  59. Review the list of synchronized users
    On the Home > Active users page, review the list of synchronized users. Notice that the Status column shows the synchronized users as Unlicensed.
    If the users are not listed, you may need to click Refresh in the toolbar. If the users’ status is listed as In cloud, sign out of the Office 365 admin center and then sign back in. In the feature pane, click USERS and then click Active Users. 
  60. Sign out of the Office 365 admin center
    Sign out of the Office 365 admin center. 
  61. Close Internet Explorer
    Close Internet Explorer.
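    The express install in this exercise left the scheduler disabled, and the custom run (step 51) turned it back on. The following PowerShell is an added example, not part of the lab, for confirming that end state on SRV1, forcing a delta cycle instead of waiting for the next scheduled one, and then checking from the tenant side that the users from the AccountsManagers and Online OUs arrived as synchronized, unlicensed objects (step 59). It assumes an Azure AD Connect build that exposes the built-in scheduler through the ADSync module cmdlets, and that the MSOnline module is installed on SRV1.

```powershell
# Added example (not part of the lab): verify the Azure AD Connect scheduler state on
# SRV1, run a delta synchronization on demand, and confirm the result in the tenant.
# Assumes the ADSync module's scheduler cmdlets and the MSOnline module are available.
Import-Module ADSync

function Get-SyncState {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Enabled  = $s.SyncCycleEnabled                    # set by the step 51 check box
        Interval = $s.CurrentlyEffectiveSyncCycleInterval  # how often the scheduler runs
        NextRun  = $s.NextSyncCycleStartTimeInUTC
        Running  = $s.SyncCycleInProgress
    }
}

function Invoke-DeltaSync {
    # Refuse to stack a second cycle on top of one that is already running.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is already running; wait for it to finish.'
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

$state = Get-SyncState
$state | Format-List
if (-not $state.Enabled) {
    Write-Warning 'Scheduler is disabled; enabling it as step 51 intended.'
    Set-ADSyncScheduler -SyncCycleEnabled $true
}
Invoke-DeltaSync

# Tenant-side check. Connect-MsolService prompts for the tenant administrator credentials.
Import-Module MSOnline
Connect-MsolService
$synced = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -ne $null }
$synced | Select-Object UserPrincipalName, IsLicensed, LastDirSyncTime | Format-Table -AutoSize

# At this point in the lab every synchronized user should still be unlicensed (step 59).
$licensed = @($synced | Where-Object { $_.IsLicensed })
if ($licensed.Count -gt 0) {
    Write-Warning "Unexpected licensed synchronized users: $($licensed.UserPrincipalName -join ', ')"
}
# Users whose UPN suffix is not your lab domain would sign in with the tenant's
# onmicrosoft.com suffix after federation; flag them now rather than in Exercise 4.
$wrongSuffix = @($synced | Where-Object { $_.UserPrincipalName -notmatch '\.O365Ready\.com$' })
if ($wrongSuffix.Count -gt 0) {
    Write-Warning "Synchronized users without the lab UPN suffix: $($wrongSuffix.UserPrincipalName -join ', ')"
}
```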

Exercise 4: Customizing Azure AD Connect

In this exercise, you will change the user sign-in option. You will also configure single sign-on and Active Directory Federation Services (AD FS) and the AD FS Proxy using the Azure AD Connect installation wizard.
  1. Open Azure AD Connect
    On SRV1, on the desktop, click Start, and then on the Start screen, click the down arrow icon to view all applications.
    Scroll right, and then click Azure AD Connect.
  2. Click Change user sign-in and then click Next
    In the Microsoft Azure Active Directory Connect window, click Change user sign-in and then click Next.
  3. Type your Office 365 administrator credentials
    On the Connect to Azure AD page, type your Office 365 tenant administrator username and password, and then click Next.
  4. Click Federation with AD FS
    On the User sign-in page, click Federation with AD FS.
  5. Click Next
    Review the information and then click Next.
  6. Under CERTIFICATE FILE, click Browse
    In the Microsoft Azure Active Directory Connect window, on the AD FS Farm page, under CERTIFICATE FILE, click Browse.
  7. Browse to C:\LabFiles
    Browse to C:\LabFiles.
  8. Click Labcert.pfx
    Click Labcert.pfx.
  9. Click Open
    Click Open.
  10. In the PASSWORD box, type Pa$$w0rd
    In the Certificate password window, in the PASSWORD box, type Pa$$w0rd.
  11. Click OK
    Click OK.
  12. Under SUBJECT NAME click the menu
    Under SUBJECT NAME click the menu.
  13. Click fs.yourlabdomainname
    Click fs.yourlabdomainname.
  14. On the AD FS Farm page, click Next
    On the AD FS Farm page, click Next.
  15. Add SRV1.Contoso.local
    On the AD FS Servers page, in the SERVER box, type SRV1.Contoso.local and then click Add.
  16. In the User name box type Administrator
    In the Windows Security dialog box, in the User name box, type Administrator.
  17. In the Password box, type Pa$$w0rd
    In the Password box, type Pa$$w0rd.
  18. Click OK
    Click OK.
  19. Click Next
    Verify that SRV1.Contoso.local has been added and then click Next.
  20. Add SRV2.Contoso.local
    On the Web application proxy servers page, in the SERVER box, type SRV2.Contoso.local, and then click Add.
  21. In the User name box type Administrator
    In the Windows Security dialog box, in the User name box, type Administrator.
  22. In the Password box, type Pa$$w0rd
    In the Password box, type Pa$$w0rd.
    SRV2 is not a domain-joined server. The server has already been configured for remote Windows PowerShell and additional settings for remote management.
  23. Click OK
    Click OK.
  24. Click Next
    Verify that SRV2.Contoso.local has been added and then click Next.
  25. Type Contoso\Administrator
    On the Domain Administrator credentials page, in the USERNAME box, type Contoso\Administrator.
  26. Type Pa$$w0rd and then click Next
    In the PASSWORD box, type Pa$$w0rd and then click Next.
  27. Type Contoso\Administrator
    On the AD FS service account page, in the DOMAIN USERNAME box, type Contoso\Administrator.
  28. Type Pa$$w0rd and then click Next
    In the DOMAIN USERNAME PASSWORD box, type Pa$$w0rd and then click Next.
  29. Click the DOMAIN menu
    On the Azure AD Domain page, click the DOMAIN menu.
  30. Click your lab domain name
    Click your lab domain name.
  31. Click Next
    Click Next.
  32. On the Ready to configure page, click Install
    On the Ready to configure page, review the information and then click Install.
    Wait for the installation to complete. 
  33. Switch to DC1
    Switch to DC1.
  34. Switch to Server Manager
    Switch to Server Manager.
  35. Click Tools and then click DNS
    In Server Manager, on the menu, click Tools, and then click DNS.
  36. Expand DC1 and expand Forward Lookup Zones
    In DNS Manager, expand DC1, and then expand Forward Lookup Zones.
  37. Click your lab domain DNS zone
    In the console tree, click your lab domain DNS zone.
  38. Verify the IP address
    Verify that the fs host is present with the 192.168.0.180 IP address assigned.
    This host was created by the configuration script run at the beginning of this lab and will direct internal users to the AD FS server on SRV1.
  39. Switch to SRV2 and DNS Manager
    Switch to SRV2 and DNS Manager.
  40. Right-click your lab domain DNS zone
    Right-click your lab domain DNS zone. 
  41. Click New Host (A or AAAA)
    Click New Host (A or AAAA).
  42. In the Name box, type fs
    In the New Host window, in the Name box, type fs.
  43. Type your public IP address
    In the IP address box, type your public IP address. This is the address you can find using the What is my IP tool on the desktop.
  44. Click Add Host
    Click Add Host.
  45. In the DNS dialog box, click OK
    In the DNS dialog box, click OK.
  46. In the New Host window, click Done
    In the New Host window, click Done.
  47. Switch to SRV1 and the Azure AD Connect window
    Switch to SRV1 and the Microsoft Azure Active Directory Connect window.
  48. On the Installation complete page, click Verify
    On the Installation complete page, review the information and then click Verify.
  49. Click Exit
    Review the reported name to IP resolution information and then click Exit.
  50. Open Internet Explorer
    On SRV1, open Internet Explorer.
  51. Browse to the AD FS sign in page
    Browse to https://fs.LabXXXXX.O365Ready.com/adfs/ls/idpInitiatedSignon.aspx where XXXXX is your lab number.
  52. Verify the Sign-in page is displayed
    Verify that you are able to browse to the Sign-in page.
  53. Close Internet Explorer
    Close Internet Explorer.
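    Steps 38 to 46 deliberately give fs.LabXXXXX.O365Ready.com two answers: the internal zone on DC1 points at SRV1 (192.168.0.180) and the public zone on SRV2 points at your public IP, where the Web Application Proxy on SRV2 accepts the connection. The following PowerShell is an added example, not part of the lab, to be run from SRV1 after step 49: it queries each DNS view directly, then inspects the certificate the federation service presents so you can confirm it is the DigiCert certificate from Exercise 1 and not a default self-signed one, and finally requests the sign-in page from step 51. The public IP is a placeholder; DC1.Contoso.local and SRV2.Contoso.local are used as the names of the two DNS servers.

```powershell
# Added example (not part of the lab): check the split-brain DNS answers for the AD FS
# name and inspect the TLS certificate the federation service presents.
# Placeholders: XXXXX (lab number) and the public IP you recorded in Exercise 1.
$FsHost     = 'fs.LabXXXXX.O365Ready.com'
$InternalIp = '192.168.0.180'     # A record created by the lab script in DC1's zone (step 38)
$PublicIp   = '203.0.113.10'      # placeholder: the A record you added in SRV2's zone (step 43)

function Test-SplitBrainRecord {
    param([string]$Name, [string]$Server, [string]$ExpectedIp)
    # -DnsOnly bypasses the local cache and hosts file so each DNS view is queried directly.
    $answers = @(Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    $ok = ($answers.Count -eq 1) -and ($answers -contains $ExpectedIp)
    if (-not $ok) { Write-Warning "$Server resolves $Name to [$($answers -join ', ')], expected $ExpectedIp" }
    return $ok
}

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented here: the goal is to inspect the certificate, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-FederationCertificate {
    param([string]$HostName)
    $cert    = Get-RemoteCertificate -HostName $HostName
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $subject = $cert.GetNameInfo($dnsType, $false)
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sans    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    $chainOk = $cert.Verify()   # builds the chain against SRV1's local trust store

    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Subject : $subject"
    Write-Host "SANs    : $sans"
    Write-Host "Expires : $($cert.NotAfter.ToUniversalTime()) UTC"
    Write-Host "Chain OK: $chainOk"
    # The name chosen under SUBJECT NAME in step 13 must be the one clients actually see.
    $nameOk = ($subject -eq $HostName) -or ($sans -match [regex]::Escape($HostName))
    return $nameOk -and $chainOk
}

$results = [ordered]@{
    InternalDns = Test-SplitBrainRecord -Name $FsHost -Server 'DC1.Contoso.local' -ExpectedIp $InternalIp
    ExternalDns = Test-SplitBrainRecord -Name $FsHost -Server 'SRV2.Contoso.local' -ExpectedIp $PublicIp
    Certificate = Test-FederationCertificate -HostName $FsHost
    SignOnPage  = (Invoke-WebRequest -Uri "https://$FsHost/adfs/ls/idpInitiatedSignon.aspx" -UseBasicParsing).StatusCode -eq 200
}
$results
```

All four values should be True; a False for ExternalDns with a True for InternalDns is the usual sign that step 43 was completed with the wrong address.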
