
Hybrid Cloud IT Camp Hands-On Labs

Contents
Lab Requirements ......................................................................................................................................... 2
Getting Set for Success ................................................................................................................................. 2
Concentrate on What You Need Most.......................................................................................................... 2
Lab 1: Building the Foundation ..................................................................................................................... 3
Login to the Azure Portal .......................................................................................................................... 4
Create a new virtual network and subnets for objects............................................................................. 4
Connect to Azure with PowerShell ........................................................................................................... 5
Create a new storage account using PowerShell ...................................................................................... 7
Alternatively - Create a new storage account from the Azure management portal ................................ 8
Create a new service with PowerShell ...................................................................................................... 8
Alternatively - Create a new service from the Microsoft Azure management portal .............................. 9
Lab 2: Building Workloads ............................................................................................................................ 9
Deploy domain controllers in Microsoft Azure ....................................................................................... 10
Preparing to Remotely Connect to Azure Virtual Machines ................................................................... 10
Create users in your Active Directory. .................................................................................................... 12
Explore the virtual machines and connect via RDP ................................................................................ 13
DC01 designated static IP – Using the New Preview Portal.................................................................... 14
Next you will deploy the 2nd domain controller for your forest. ............................................................ 16
Lab 3: Working with Identity....................................................................................................................... 17
Create a new Azure Active Directory environment ................................................................................ 17
Create an Azure Active Directory Administrator account ...................................................................... 18
Set a password for your admin account ................................................................................................. 19
Configure and test the AADSync Service ................................................................................................ 20
Implementing Multi-Factor Authentication............................................................................................ 23
Testing Multi-Factor Authentication....................................................................................................... 23
Lab 4: Automating Deployments of SQL and IIS ......................................................................................... 25
APPENDIX - Perform the following tasks in the Azure management portal to set up your Virtual Machines. ............ 26

Version 4.4 1
Lab Requirements
The following components are required to successfully complete this Hands-on Lab:
• A Microsoft Azure Account and Credentials
• A modern web browser with HTML5 and JavaScript enabled
• Remote Desktop Client connection software
• Internet connectivity
• Identification for building access
• 10” or larger screen recommended
• Your own wireless hotspot (if you have one)
• The ability to install software (admin rights) for the installation of the Azure PowerShell Module

In addition, this hands-on lab guide assumes that lab participants are comfortable with
performing the steps involved in implementing Windows Server 2012 and Active Directory in an
on-premises datacenter environment.
The goal of this lab is to set up an Active Directory environment in Azure using PowerShell,
PowerShell Remoting and, where necessary, the Azure portal.

Getting Set for Success


Throughout this lab you will be required to name items in a unique manner. Wherever you see
“XXX” or <ID> replace them with three letters of your choosing, like your initials.
Your Azure Region/Location for this IT Camp is: __________________
For your convenience, all the PowerShell code and commands you will need to complete this
lab can be found at http://bit.ly/AzureQ4Snippets. You can choose to type the commands
individually from the lab guide, copy each line from the file, or copy the entire file into the ISE
scripting window for ease of use.
Note: You may not have time to complete all labs today. Please finish at home or office if
needed. If you have questions or need additional support, email itcamp@microsoft.com, please
be as specific as possible and include screenshots of results. If at a camp, include city.

Concentrate on What You Need Most


Not all parts of the lab depend on the others, so you can adjust your lab experience to focus
on the tasks that interest you the most.
• If you are interested in seeing automation in action, do:
o Lab 4
• If you are interested in syncing traditional AD with Azure AD and/or using Multi-Factor
Authentication, do:
o Lab 1
o Lab 2 (deploy the 1st DC and configure AD, but skip deploying the 2nd DC)

o Lab 3
• If you are interested in using Availability Sets to take advantage of the Azure SLA and/or
to get hands-on with PowerShell, do:
o Lab 1
o Lab 2

Lab 1: Building the Foundation


In this first lab of building a core IaaS in Microsoft Azure, you will install the Azure Module for
PowerShell, connect to your subscription and create the core building blocks for your Azure
services:

• Virtual Network (using the Azure Portal)
• Storage (using PowerShell)
• Cloud Service (using PowerShell)

The services mentioned above are the core components that provide a foundation for your
applications, virtual machines and hybrid connectivity in Azure. Thinking them through up front
gives you a sound architecture for all of your cloud services. Here is a conceptual model of this
lab:

Login to the Azure Portal
In this task you will log in to the Azure Portal to ensure your subscription is ready to go. You
will find yourself returning to the portal to confirm your PowerShell actions and check your work.
Perform the following tasks:
1. Open a browser, and then navigate to http://manage.windowsazure.com.
2. Click PORTAL located at the top of the Microsoft Azure site.
3. Log in using your Microsoft Azure credentials for your Microsoft Azure subscription.
4. If this is your first time logging into your Azure management portal, close the WINDOWS
AZURE TOUR.

Create a new virtual network and subnets for objects

First, you will create a Microsoft Azure network object and corresponding subnet. Virtual
Network lets you provision and manage virtual networks in Azure and, optionally, link them via
secured VPN tunnels with your on-premises IT infrastructure to create hybrid and cross-
premises solutions. With virtual networks, IT administrators can control network topology,
including configuration of DNS and IP address ranges.

You can use a virtual network to:

• Create a dedicated private cloud-only virtual network
• Securely extend your data center
• Enable hybrid cloud scenarios

The virtual network you are creating will provide the IP addresses assigned to the objects and
virtual machines you create in later labs and associate with this virtual network. You will also
use subnets to organize those IP addresses.

Perform the following tasks in the Azure management portal.

1. In the Azure management portal (in the leftmost column), scroll to and click
NETWORKS.
2. Click NEW (Plus “+” Sign) located at the bottom of the Azure management portal
3. Click CUSTOM CREATE.
4. In NAME, type XXX-VNet and then in LOCATION, select your location, and then
click the Next arrow.
5. Set your DNS server to DNS-DC01 with an IP Address of 192.168.10.4. (This is the
IP Address of the domain controller you will be creating later in the lab, which will
also be handling the DNS for this virtual network.)
6. Click the Right Arrow.
7. In STARTING IP, type 192.168.0.0.
8. In CIDR (ADDRESS COUNT), select /16.

9. Under SUBNETS, highlight Subnet-1, and then replace it with Core-Subnet
10. Under STARTING IP, type 192.168.10.0.
11. Under CIDR (ADDRESS COUNT) select /24.
12. Under SUBNETS, click add subnet.
13. Replace Subnet-2 with App-Subnet
14. Set the STARTING IP to 192.168.11.0.
15. Set the CIDR (ADDRESS COUNT) to /24.
16. Click the Complete icon (Check Mark).

Connect to Azure with PowerShell


Before you can manage virtual machines from PowerShell on your local administration station
you need to download the tools.
1. In the Azure portal, click the arrow next to Azure in the upper right corner of the
portal, then click Downloads. You can also get to the downloads page directly by navigating to
http://azure.microsoft.com/en-us/downloads/
2. Scroll down to Command-line tools section and under Windows PowerShell, click Install

3. When prompted click run and follow the installation prompts. You may be prompted to
download and install additional components.
4. After installation is complete, on your Start Screen or Start Menu locate Microsoft Azure
PowerShell ISE and start it. You will want to run ISE as an Administrator.
5. In the scripting pane at the top you can either type the code from this manual or copy in
all the code from http://bit.ly/AzureQ4Snippets. Then run the various lines individually
or in small groups.
6. You will now need to connect Microsoft Azure PowerShell to your Azure subscription. In
your PowerShell session run:
Add-AzureAccount
Press Enter.

7. A small browser window will appear, prompting for your credentials. Enter your
Microsoft Account and password.
8. Next, you will need to set your default subscription. Your subscription will have a friendly
name like “Visual Studio Ultimate with MSDN” or “Free Trial”. Find your subscription
name with:

Get-AzureSubscription

9. Write the name of the Azure Subscription you will be using for the lab here:
_____________________________________________________________

10. Update your copy of the script with all the variables you will need to customize the lab for
your deployment. First, replace the words “Free Trial” in the value of $subscrName with the
correct name of your subscription. Then go through and make any necessary edits to include
your unique identifier. For reference, you will set the following variables:
• $subscrName = "Free Trial" # Replace with the friendly name of your subscription, if not using the free trial
• $storageAccountName = "xxxstore" # Storage name must be all lowercase. Replace xxx with your initials or some unique ID
• $domainCloudService = "XXXdomainservice" # Must be globally unique (used in a URL). Replace XXX with your initials or some unique ID
• $dcAvalSet = "XXX-DCSet" # Replace XXX with your initials or some unique ID
• $firstDC = "XXX-DC01" # Replace XXX with your initials or some unique ID
• $secondDC = "XXX-DC02" # Replace XXX with your initials or some unique ID

These variables must match what you configured for your network in Lab 1:

• $VnetName = "XXX-Vnet" # <-- Edit to match your virtual network name
• $locationName = "West US" # <-- Edit to match your network location choice
• $subnet = "Core-Subnet" # <-- Edit if your first subnet name is different from the one the lab manual suggested

These variables can be left as they are found in the script. If you edit them, be sure to take
note of the values for later.

• $serverImages = Get-AzureVMImage | Where {$_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } | Sort-Object -Descending -Property PublishedDate
• $image = $serverImages[0].ImageName
• $instancesize = "Small"
• $un = "SysAdmin" # Remember the username and password
• $pwd = "Passw0rd!" # You'll use these credentials to connect to and/or log in to your domain controllers

Note: $pwd becomes the local administrator password of both domain controllers and, once the
forest is created in Lab 2, the domain administrator password. The VMs are reachable from the
Internet through their cloud service endpoints (RDP and PowerShell remoting), so outside a
short-lived lab choose a long, unique password instead of the sample value and do not leave it
in a saved script.

11. Select ALL of the variables once they are correct and run those lines as a group.

12. Then select the correct subscription with:

Select-AzureSubscription -SubscriptionName $subscrName -Current

You are now ready to use Azure Cmdlets to manage your Azure subscription.

Create a new storage account using PowerShell

Microsoft Azure Storage is a massively scalable, highly available, and elastic cloud storage
solution that empowers developers and IT professionals to build large-scale modern
applications. Azure Storage is accessible from anywhere in the world, from any type of
application, whether it’s running in the cloud, on the desktop, on an on-premises server, or on a
mobile or tablet device. In this lab, you will create a storage account to contain all objects for
your Azure services. Your VHDs, which you will create in lab 2 for your Azure virtual machines,
will be stored in this storage account.

Perform this task from PowerShell ISE on your local workstation.

Create your new storage account:


New-AzureStorageAccount -StorageAccountName $storageAccountName -Location $locationName

Alternatively - Create a new storage account from the Azure management portal

1. In the leftmost column, scroll to and click STORAGE.


2. Click NEW (“+”), located at the bottom of the Azure management portal.
3. Make sure STORAGE is highlighted and click QUICK CREATE
4. In URL, type the value you chose for $storageAccountName (PLEASE NOTE: it has to be all lowercase)
5. In LOCATION/AFFINITY GROUP, select the same location you used for your network.
6. In REPLICATION, select Locally Redundant
7. Click CREATE STORAGE ACCOUNT.
(Image is an example only, adjust your entries to reflect your lab environment.)

Create a new service with PowerShell

By creating a cloud service, you are creating a boundary around a group of virtual machines
that share the same external IP address and external firewall. When deploying a multi-tier
application in Azure, you can define multiple roles to distribute processing and allow flexible
scaling of your application. A cloud service consists of one or more web roles and/or worker
roles, each with its own application files and configuration. Azure Websites and Virtual
Machines also enable web applications on Azure. The main advantage of cloud services is the
ability to support more complex multi-tier architectures.

In this section you will create a new cloud service to contain your domain controller virtual
machines. By assigning your new VMs to this service, they will be able to communicate
internally.

Perform the following tasks in PowerShell ISE.

1. Set-AzureSubscription -SubscriptionName $subscrName -CurrentStorageAccount $storageAccountName

2. New-AzureService -ServiceName $domainCloudService -Location $locationName
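The Lab 1 PowerShell steps gathered into one script, as an added example (this is not code from the lab guide or its snippet file). It assumes the lab variables from step 10 of the previous section are set in the session, and it adds the checks a practitioner would want before creating anything: storage names must be 3-24 lowercase letters or digits, cloud service names are DNS labels, and both must be unused across all of Azure, which Test-AzureName answers. The function names Test-LabNames and New-LabFoundation are this example's own.

```powershell
# Added example, not part of the lab guide: validate the Lab 1 names, then create the
# storage account and cloud service only if this subscription does not already own them.
# Assumes the Azure module is loaded, Add-AzureAccount has run, and $subscrName,
# $storageAccountName, $domainCloudService and $locationName are set.

function Test-LabNames {
    param(
        [Parameter(Mandatory = $true)][string]$StorageAccountName,
        [Parameter(Mandatory = $true)][string]$CloudServiceName
    )
    $problems = @()
    # Storage account names: 3-24 characters, lowercase letters and digits only
    # (-cnotmatch is case-sensitive, so "XXXstore" fails here rather than at creation time).
    if ($StorageAccountName -cnotmatch '^[a-z0-9]{3,24}$') {
        $problems += "Storage name '$StorageAccountName' must be 3-24 lowercase letters or digits."
    }
    # Cloud service names become <name>.cloudapp.net, so DNS label rules apply.
    if ($CloudServiceName -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{1,61}[A-Za-z0-9]$') {
        $problems += "Cloud service name '$CloudServiceName' is not a valid DNS label."
    }
    # Test-AzureName returns $true when a name is already taken by any Azure customer;
    # only ask about names this subscription does not already own.
    $ownStorage = Get-AzureStorageAccount -StorageAccountName $StorageAccountName -ErrorAction SilentlyContinue
    if (-not $ownStorage -and (Test-AzureName -Storage -Name $StorageAccountName)) {
        $problems += "Storage name '$StorageAccountName' is already in use elsewhere in Azure."
    }
    $ownService = Get-AzureService -ServiceName $CloudServiceName -ErrorAction SilentlyContinue
    if (-not $ownService -and (Test-AzureName -Service -Name $CloudServiceName)) {
        $problems += "Cloud service name '$CloudServiceName' is already in use elsewhere in Azure."
    }
    return $problems
}

function New-LabFoundation {
    param(
        [Parameter(Mandatory = $true)][string]$SubscriptionName,
        [Parameter(Mandatory = $true)][string]$StorageAccountName,
        [Parameter(Mandatory = $true)][string]$CloudServiceName,
        [Parameter(Mandatory = $true)][string]$Location
    )
    Select-AzureSubscription -SubscriptionName $SubscriptionName -Current

    $problems = Test-LabNames -StorageAccountName $StorageAccountName -CloudServiceName $CloudServiceName
    if ($problems) {
        $problems | ForEach-Object { Write-Warning $_ }
        throw 'Fix the names above, then run New-LabFoundation again.'
    }

    if (-not (Get-AzureStorageAccount -StorageAccountName $StorageAccountName -ErrorAction SilentlyContinue)) {
        New-AzureStorageAccount -StorageAccountName $StorageAccountName -Location $Location | Out-Null
    }
    # The VM disks created in Lab 2 go into this account, so make it the subscription's current one.
    Set-AzureSubscription -SubscriptionName $SubscriptionName -CurrentStorageAccountName $StorageAccountName

    if (-not (Get-AzureService -ServiceName $CloudServiceName -ErrorAction SilentlyContinue)) {
        New-AzureService -ServiceName $CloudServiceName -Location $Location | Out-Null
    }

    # Read everything back so the summary reflects what Azure actually has, not what was requested.
    $sa  = Get-AzureStorageAccount -StorageAccountName $StorageAccountName
    $svc = Get-AzureService -ServiceName $CloudServiceName
    [pscustomobject]@{
        Subscription    = $SubscriptionName
        StorageAccount  = $sa.StorageAccountName
        StorageLocation = $sa.Location
        CloudService    = $svc.ServiceName
        ServiceUrl      = $svc.Url
        ServiceLocation = $svc.Location
    }
}

New-LabFoundation -SubscriptionName $subscrName -StorageAccountName $storageAccountName `
    -CloudServiceName $domainCloudService -Location $locationName
```

Run it from the same ISE session that holds the lab variables. If it stops with a warning, change the offending value in the variable block, re-run that block, and call New-LabFoundation again; nothing is created until every name passes.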

Alternatively - Create a new service from the Microsoft Azure management portal

Perform the following tasks in the Azure management portal.

1. In the leftmost column, scroll to and click CLOUD SERVICES.


2. Click NEW (“+”) located at the bottom of the Azure management portal
3. Make sure CLOUD SERVICE is highlighted and click QUICK CREATE.
4. In URL, type the value you chose for $domainCloudService. NOTE: the unique ID part should be 3-6
alphanumeric characters, and the full name must be unique across all of Azure (all customers/all accounts).
5. In REGION OR AFFINITY GROUP, select the same region you used for your network and
storage account.
6. Click CREATE CLOUD SERVICE.

(Image is an example only, adjust your entries to reflect your lab environment.)

Lab 2: Building Workloads


Azure virtual machines give you the flexibility of virtualization without spending the time and
money to buy and maintain the hardware that hosts the virtual machine. However, you do
need to maintain the virtual machine -- configuring, patching, and maintaining the operating
system and any other software that runs on the virtual machine. In this lab you are going to
deploy 2 virtual machines into Azure, in the same availability set.

• Domain Controller with Full GUI (DC01)
• Domain Controller with Server Core (DC02)

Deploy domain controllers in Microsoft Azure

In this task, you will deploy two virtual machines (VMs) to function as domain controllers in
the virtual network you created in Lab 1. During the last portion of the lab you will also
configure the AD service as the DNS server for that virtual network, and you'll assign it a
static IP address (technically this is a DHCP reservation in the subnet, but it is referred to
as a static IP almost everywhere in the Azure documentation).

Perform the following tasks in PowerShell ISE.

Create your first VM in the domain

1. Setup your first VM:


$newVM = New-AzureVMConfig -Name $firstDC -InstanceSize $instancesize -Image $image |
    Add-AzureProvisioningConfig -Windows -Password $pwd -AdminUsername $un |
    Set-AzureSubnet -SubnetNames $subnet
2. Deploy your first VM:
New-AzureVM -VMs $newVM -ServiceName $domainCloudService -VNetName $VnetName

3. Move the VM into the Availability Set:


Get-AzureVm -ServiceName $domainCloudService -Name
$firstDC | Set-AzureAvailabilitySet -AvailabilitySetName
$dcAvalSet | Update-AzureVM

At this point you have created a single VM in Azure, running Windows Server 2012 R2. No
modifications have been made to the OS. Next, you will remotely connect to this VM to install
Active Directory and create the forest.

Preparing to Remotely Connect to Azure Virtual Machines


With the previous download, you installed the Azure Module to manage your Azure
subscription. In order to remotely connect to the Virtual Machines you create, you will need to
install a connection certificate for each machine you want to connect with. Download the
following script from TechNet (https://aka.ms/psremotingscript) and put it someplace easy to
access on your local machine. Open this file in another PowerShell ISE scripting tab. You will
need to call on this script later once your virtual machines are created.

4. To install the remote access certificate on your local machine, open the script saved
earlier in the lab into another tab in PowerShell ISE.

5. Add the variables for your environment at line 70 in the script.

$SubscriptionName = $SubscrName
$ServiceName = $domainCloudService
$Name = $firstDC

6. Run the entire script. It will be saved and you should get a confirmation that the
certificate has been imported to your local machine.

Now you will be able to remotely connect to your machine via PowerShell. For these next
steps, understand that you are using PowerShell to connect directly to a VM. This VM happens
to be in Azure, but the same PowerShell commands would work for on-premises machines as well.

Note: Make sure your VM has completed configuration and is in the “running” state at this
point.

7. Set the variables for your cloud service and server, then prompt for credentials:
$uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $firstDC
$cred = Get-Credential
8. Start a PS-Session with your remote machine. You will be prompted to enter the
username and password you set for the machine.

Enter-PSSession -ConnectionUri $uri -Credential $cred

You will see your PowerShell prompt change as you connect directly to a single machine instead
of your Azure subscription. Next you will install Active Directory and configure some users to
use in the next lab.
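The remote-connection steps above, with the checks a practitioner would add, as an added example (not code from the lab guide or from the TechNet script it links to): wait until Azure reports the VM as ReadyRole, trust the VM's WinRM certificate only if it is not already trusted and only if its thumbprint matches the one Azure recorded for that VM, then run a command with Invoke-Command instead of an interactive session. The function names and the polling/timeout logic are this example's own; the certificate import itself does what the linked script does. It assumes $domainCloudService and $firstDC are set.

```powershell
# Added example, not part of the lab guide. Assumes the Azure module is loaded and
# $domainCloudService and $firstDC are set as in Lab 1.

function Wait-AzureVMReady {
    param([string]$ServiceName, [string]$Name, [int]$TimeoutMinutes = 20)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $vm = Get-AzureVM -ServiceName $ServiceName -Name $Name
        if ($vm -and $vm.InstanceStatus -eq 'ReadyRole') { return $vm }
        Write-Host ("{0} is '{1}', waiting..." -f $Name, $vm.InstanceStatus)
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "$Name did not reach ReadyRole within $TimeoutMinutes minutes."
}

function Install-AzureVMWinRMCert {
    param([string]$ServiceName, [string]$Name)
    # Azure records the thumbprint of the self-signed certificate the VM's WinRM HTTPS listener uses.
    $thumb = (Get-AzureVM -ServiceName $ServiceName -Name $Name).VM.DefaultWinRmCertificateThumbprint
    if (-not $thumb) { throw "No WinRM certificate thumbprint recorded for $Name." }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        if ($store.Certificates.Find('FindByThumbprint', $thumb, $false).Count -gt 0) {
            Write-Host "WinRM certificate $thumb is already trusted."
            return $thumb
        }
        # Fetch the public certificate through the management API (.Data is base64 DER).
        $azCert = Get-AzureCertificate -ServiceName $ServiceName -Thumbprint $thumb -ThumbprintAlgorithm sha1
        $b64    = ($azCert.Data -replace '-----[^-]+-----', '') -replace '\s', ''
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                      -ArgumentList (,[Convert]::FromBase64String($b64))
        # Pin: only trust the certificate whose thumbprint Azure reported for this VM.
        if ($cert.Thumbprint -ne $thumb) {
            throw "Thumbprint mismatch ($($cert.Thumbprint) vs $thumb); not importing."
        }
        $store.Add($cert)
        Write-Host "Imported WinRM certificate $thumb into LocalMachine\Root."
        return $thumb
    } finally { $store.Close() }
}

function Remove-AzureVMWinRMCert {
    # Clean-up for after the lab: a certificate in Root is trusted like a root CA on this
    # workstation, so do not leave the VM's self-signed certificate behind.
    param([string]$Thumbprint)
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint } | Remove-Item
}

# Usage: wait, trust, then query the AD DS role state without an interactive session.
$null  = Wait-AzureVMReady -ServiceName $domainCloudService -Name $firstDC
$thumb = Install-AzureVMWinRMCert -ServiceName $domainCloudService -Name $firstDC
$uri   = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $firstDC
$cred  = Get-Credential -Message "Local administrator on $firstDC"
Invoke-Command -ConnectionUri $uri -Credential $cred -ScriptBlock {
    Get-WindowsFeature AD-Domain-Services | Select-Object Name, InstallState
}
```

Invoke-Command returns the result to your local session, which is what you want once you start scripting these steps; Enter-PSSession remains the right tool when you want to type commands on the VM interactively. When the lab is over, call Remove-AzureVMWinRMCert with the thumbprint that was returned.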

NOTE: Much of this process can be automated by leveraging a custom script extension as a part
of the provisioning process. Custom Script Extensions can automatically download scripts and
files from Azure Storage and launch a PowerShell script on the VM. These scripts can be used
to install additional software components in addition to Active Directory. Custom Script
Extensions can be added during VM creation or after the VM has been running. However, in
order for you to understand how you can remotely connect to VMs in Azure and perform
familiar tasks with PowerShell, you will be performing this process step-by-step.

9. Install Active Directory and configure the forest. You will be prompted to enter a
password for Active Directory Safe Mode (Directory Services Restore Mode). Enter the same
password you have been using for everything in this lab. For your reference, ForestMode 6 and
DomainMode 6 set the forest and domain to the Windows Server 2012 R2 functional level.

Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Install-ADDSForest -DomainName "contosoazure.com" -ForestMode 6 -DomainMode 6

The VM reboots when the promotion completes, which also ends your remote session. Once the VM
is back in the running state, DC01 should have the IP address 192.168.10.4 (the address you
configured as the DNS server for the virtual network in Lab 1). You can look in the Azure
management portal to confirm this.

Create users in your Active Directory.


Once your machine reboots after the installation of Active Directory, you will need to initiate a
new remote PowerShell session and add some components to your AD for use in Lab 3.

Note: When you are prompted for credentials be sure to enter sysadmin@contosoazure.com as
the username because your local Admin account has become a domain administrator for the
contosoazure.com domain.

1. Set the variables for your cloud service and server, then prompt for credentials:
$uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $firstDC
$cred = Get-Credential
2. Start a PS-Session with your remote machine. You will be prompted to enter the
username and password you set for the machine.

Enter-PSSession -ConnectionUri $uri -Credential $cred


3. Create OUs:
New-ADOrganizationalUnit -Name "FINANCE" -Path "DC=contosoazure,DC=com"
New-ADOrganizationalUnit -Name "IT" -Path "DC=contosoazure,DC=com"
New-ADOrganizationalUnit -Name "SALES" -Path "DC=contosoazure,DC=com"

4. Add users (all five share the password you enter at the prompt):
$newPassword = (Read-Host -Prompt "Provide New Password" -AsSecureString)

New-ADUser -Name "Matt Deen" -Path "OU=FINANCE,dc=contosoazure,dc=com" -AccountPassword $newPassword -Department "Finance" -SamAccountName "MattDeen" -Surname "Deen" -GivenName "Matt" -DisplayName "Matt Deen"

New-ADUser -Name "Bob Smith" -Path "OU=SALES,dc=contosoazure,dc=com" -SamAccountName "BobSmith" -GivenName "Bob" -Surname "Smith" -DisplayName "Bob Smith" -Department "Sales" -AccountPassword $newPassword

New-ADUser -Name "Pat Holden" -SamAccountName "PatHolden" -GivenName "Pat" -Surname "Holden" -DisplayName "Pat Holden" -Department "Finance" -AccountPassword $newPassword

New-ADUser -Name "Dan Chun" -SamAccountName "DanChun" -GivenName "Dan" -Surname "Chun" -DisplayName "Dan Chun" -Department "Finance" -AccountPassword $newPassword

New-ADUser -Name "Karen Vogue" -Path "OU=SALES,dc=contosoazure,dc=com" -SamAccountName "KarenVogue" -GivenName "Karen" -Surname "Vogue" -DisplayName "Karen Vogue" -Department "Sales" -AccountPassword $newPassword

Note: Pat Holden and Dan Chun are created without -Path, so they land in the default Users
container rather than in an OU.

5. Enable a user. New-ADUser creates accounts disabled unless you pass -Enabled $true, so the
other four accounts stay disabled until you enable them:

Enable-ADAccount -Identity KarenVogue
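The same user creation driven from a table, as an added example (not code from the lab guide); run it inside the remote session on DC01. Beyond the steps above it gives every account a user principal name, which is the sign-in name Azure AD uses once you sync in Lab 3 (the lab's New-ADUser calls leave it unset), puts each account in its department's OU, enables it, and forces a password change at first logon because all five start with the same password. The user list is constructed for this example, and the OU/UPN choices are this example's own.

```powershell
# Added example, not part of the lab guide. Run inside the remote session on DC01,
# after the forest exists. The $users table below is constructed for this example.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName   # e.g. DC=contosoazure,DC=com
$upnSuffix = $domain.DNSRoot             # e.g. contosoazure.com

$users = @(
    @{ Given = 'Matt';  Surname = 'Deen';   Department = 'Finance'; OU = 'FINANCE' },
    @{ Given = 'Bob';   Surname = 'Smith';  Department = 'Sales';   OU = 'SALES' },
    @{ Given = 'Pat';   Surname = 'Holden'; Department = 'Finance'; OU = 'FINANCE' },
    @{ Given = 'Dan';   Surname = 'Chun';   Department = 'Finance'; OU = 'FINANCE' },
    @{ Given = 'Karen'; Surname = 'Vogue';  Department = 'Sales';   OU = 'SALES' }
)

# Create each OU only if it is missing (the lab's step 3 may already have created it).
foreach ($ou in ($users | ForEach-Object { $_.OU } | Sort-Object -Unique)) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}

$initialPassword = Read-Host -Prompt 'Initial password for all lab users' -AsSecureString

function New-LabUser {
    param([hashtable]$U, [securestring]$Password)
    $sam = '{0}{1}' -f $U.Given, $U.Surname
    $cn  = '{0} {1}' -f $U.Given, $U.Surname
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Host "$sam already exists, skipping."
        return
    }
    New-ADUser -Name $cn -GivenName $U.Given -Surname $U.Surname -DisplayName $cn `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" -Department $U.Department `
        -Path "OU=$($U.OU),$domainDn" -AccountPassword $Password `
        -Enabled $true -ChangePasswordAtLogon $true
}

foreach ($u in $users) { New-LabUser -U $u -Password $initialPassword }

# Verify: every account is enabled, has a UPN, and sits in its department's OU.
Get-ADUser -Filter 'Department -like "*"' -Properties Department |
    Select-Object SamAccountName, UserPrincipalName, Enabled, Department,
        @{ n = 'OU'; e = { ($_.DistinguishedName -split ',')[1] -replace '^OU=' } } |
    Format-Table -AutoSize
```

If you already ran the lab's own New-ADUser commands, the existing accounts are skipped, so you can run this to fill in only what is missing; set their UPNs separately with Set-ADUser -UserPrincipalName if you want the whole set to sync consistently.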

Explore the virtual machines and connect via RDP

Now that the virtual machine is created, you want to log on and verify that it looks, feels, and
behaves just like any server on your network.

Perform the following tasks in the Azure management portal.

1. On the left menu of the Azure management portal, scroll to and click VIRTUAL
MACHINES.
2. On the end of the line containing <ID>-DC01, click the DNS Name to open the Cloud
Service dashboard.
3. Click on the DASHBOARD tab.
o You can review information about the running virtual machines, as well
as view the current health.
4. Click the MONITOR tab.
o You can view performance and data statistics.
5. Click the INSTANCES tab
o Here you can view the fault and update domains assigned to each VM in
your Availability Set.
6. Click DC01 to open the VM dashboard.

7. Click the DASHBOARD tab.
o You can review information about this specific virtual machine, as well as
view its current health.
8. Click the MONITOR tab.
o You can view performance and data statistics for this virtual machine.
9. Click the ENDPOINTS tab.
o You can configure published endpoints, which are similar to firewall rules,
to allow applications to access services running on the VM.
10. Click the CONFIGURE tab.
o You can modify the properties of the virtual machine. You can also
configure monitoring from multiple locations to ensure your endpoint is
operational.
11. Click the DASHBOARD tab.
12. To open a remote desktop connection to the virtual machine, at the bottom of the
screen click CONNECT, and then click Open.
13. Click Connect.
14. When prompted, log on as sysadmin@contosoazure.com using Passw0rd! as the
password. (Substitute the username and password you used during VM Creation if
different than the lab recommendations.)
15. Click Yes.
o You are now logged on to the desktop of your newly created virtual
machine.
16. Click No when prompted to enable discovery of devices.

Once connected, you can confirm the installation of the Active Directory service and the
creation of the domain if you desire.

DC01 designated static IP – Using the New Preview Portal

The new portal offers some great enhancements to managing Azure. It is still in preview, but
this task will give you a glimpse into the new portal. You’ll perform a task here that otherwise
you would have to use PowerShell for.

1. In the Azure management portal, click on your Account ID (e-mail address) in the
upper right hand corner and click on Switch to new portal. Notice a new browser
tab automatically opens

2. If prompted for your credentials, enter your ID and password to enter the new
portal
3. On the left hand toolbar in the portal click Browse and scroll to and select Virtual
machines

4. In the Virtual machine list select your <ID>-DC01


5. In the DC01 journey pane select SETTINGS

6. In the SETTINGS options select IP addresses


7. In the IP addresses journey, NOTE that the Private IP address is set to Dynamic.
Change it to STATIC and press Save. This reserves the IP address for this machine.

You may now close the new preview portal tab.
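The same reservation done from PowerShell, as an added example (not code from the lab guide): it checks that 192.168.10.4 is either already the VM's address or still free in the virtual network, reserves it with Set-AzureStaticVNetIP, and then reads the reservation back instead of trusting that the call succeeded. The function name Set-LabStaticIP is this example's own; it assumes $VnetName, $domainCloudService and $firstDC are set as in Lab 1.

```powershell
# Added example, not part of the lab guide. Assumes the Azure module is loaded and
# $VnetName, $domainCloudService and $firstDC are set.

function Set-LabStaticIP {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [Parameter(Mandatory = $true)][string]$VMName,
        [Parameter(Mandatory = $true)][string]$VNetName,
        [Parameter(Mandatory = $true)][string]$IPAddress
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM '$VMName' was not found in cloud service '$ServiceName'." }

    if ($vm.IpAddress -ne $IPAddress) {
        # Only reserve an address that is actually free in the VNet; Azure also
        # suggests alternatives when it is not.
        $probe = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $IPAddress
        if (-not $probe.IsAvailable) {
            throw "$IPAddress is in use in $VNetName. Available: $($probe.AvailableAddresses -join ', ')"
        }
        Write-Warning "$VMName currently has $($vm.IpAddress); changing it to $IPAddress may restart the VM."
    }

    # Set-AzureStaticVNetIP turns the DHCP lease into a reservation; Update-AzureVM applies it.
    $vm | Set-AzureStaticVNetIP -IPAddress $IPAddress | Update-AzureVM | Out-Null

    # Read the reservation back from Azure rather than assuming it took.
    $after    = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    $reserved = ($after | Get-AzureStaticVNetIP).IPAddress
    if ($reserved -ne $IPAddress) { throw "Reservation not applied (Azure reports '$reserved')." }

    [pscustomobject]@{
        VM         = $after.Name
        CurrentIP  = $after.IpAddress
        ReservedIP = $reserved
    }
}

Set-LabStaticIP -ServiceName $domainCloudService -VMName $firstDC -VNetName $VnetName -IPAddress '192.168.10.4'
```

Because DC01 already holds 192.168.10.4 from DHCP, the normal case is that the availability probe is skipped and only the reservation is written. The reservation matters for a domain controller: the VNet's DNS setting from Lab 1 points at this address, and a DC that came back from deallocation with a different lease would break name resolution for every other VM.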

Next you will deploy the 2nd domain controller for your forest.

First, exit your remote session to DC01 by typing “exit” at the PowerShell prompt for your
remote server. You will be returned to your local, Azure-connected session.

Create the second VM in the domain. This time you will automatically deploy the machine to
the correct Availability Set. Take note of the “AvailabilitySetName” parameter in the New-
AzureVMConfig command below:

1. Setup your second VM:


$newVM = New-AzureVMConfig -Name $secondDC -InstanceSize $instancesize -Image $image -AvailabilitySetName $dcAvalSet |
    Add-AzureProvisioningConfig -Windows -Password $pwd -AdminUsername $un |
    Set-AzureSubnet -SubnetNames $subnet

2. Deploy your second VM:


New-AzureVM -VMs $newVM -ServiceName $domainCloudService

Like the first VM, you will need to remotely connect to configure Active Directory and change
any roles or features.

3. To install the remote access certificate on your local machine, return to the script
saved in the other tab in PowerShell ISE. Edit the variables for your environment to
reflect the name of the second machine.

$subscriptionName = $subscrName
$ServiceName = $domainCloudService
$Name = $secondDC

4. Run the entire script. You should get a confirmation that the certificate has been
imported to your local machine.

5. Set the variables for your cloud service and server, then prompt for credentials:
$uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $secondDC
$cred = Get-Credential
6. Start a PS-Session with your remote machine. You will be prompted to enter the
username and password you set for the machine.

Enter-PSSession -ConnectionUri $uri -Credential $cred
7. Install Active Directory and join the existing domain. You will be prompted for
credentials to join the domain (use sysadmin@contosoazure.com) and to enter a
password for Safe Mode.

Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Install-ADDSDomainController -Credential (Get-Credential) -DatabasePath 'C:\Windows\NTDS' -DomainName 'contosoazure.com' -InstallDns:$true -LogPath 'C:\Windows\NTDS' -NoGlobalCatalog:$false -SiteName 'Default-First-Site-Name' -SysvolPath 'C:\Windows\SYSVOL' -NoRebootOnCompletion:$true -Force:$true -Verbose

Because -NoRebootOnCompletion:$true is used, the promotion is not finished until the VM restarts.
Step 8 restarts it; if you skip step 8, run Restart-Computer -Force before moving on.

8. (Optional) Change from Full GUI to Server Core. Be patient, this takes a while, and
Restart-Computer ends your remote session. Once the machine is back up and running,
connect to it via Remote Desktop to verify that it's just the core OS. You can continue
on to Lab 3 while this reconfiguration is taking place.
Remove-WindowsFeature -Name User-Interfaces-Infra
Restart-Computer -Force
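A post-promotion health check for DC02, as an added example (not code from the lab guide). It runs on DC02 itself over the WinRM URI from steps 3-6, which matters: everything it asks about is local to DC02, so the remote session's non-delegatable credentials are never used for a second hop to DC01. It checks that DC02 is registered as a domain controller and global catalog, that the DC services (including DNS, since -InstallDns:$true was used) are running, that SYSVOL is shared, and that inbound replication from DC01 has succeeded. It assumes $domainCloudService and $secondDC are set and that DC02 has finished restarting.

```powershell
# Added example, not part of the lab guide. Run from your local, Azure-connected session
# after DC02 has restarted. Assumes $domainCloudService and $secondDC are set.

$uri  = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $secondDC
$cred = Get-Credential -Message 'Domain admin, e.g. sysadmin@contosoazure.com'

$report = Invoke-Command -ConnectionUri $uri -Credential $cred -ScriptBlock {
    Import-Module ActiveDirectory
    $me = $env:COMPUTERNAME
    # Throws if this computer is not (yet) a domain controller.
    $dc = Get-ADDomainController -Identity $me

    # Services a DC must run; DNS is expected because the promotion installed it.
    $services = Get-Service NTDS, Netlogon, DNS, DFSR, Kdc -ErrorAction SilentlyContinue |
        Select-Object Name, Status
    $stopped = @($services | Where-Object { $_.Status -ne 'Running' })

    # Inbound replication metadata for this DC (queried locally, no second hop).
    $partners = @(Get-ADReplicationPartnerMetadata -Target $me -PartnerType Inbound |
        Select-Object @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
            Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures)
    $failing = @($partners | Where-Object {
        $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 })

    [pscustomobject]@{
        Computer        = $me
        IsGlobalCatalog = $dc.IsGlobalCatalog
        Site            = $dc.Site
        SysvolShared    = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)
        StoppedServices = ($stopped | ForEach-Object { $_.Name }) -join ', '
        ReplicationOK   = ($partners.Count -gt 0 -and $failing.Count -eq 0)
        Partners        = $partners
    }
}

$report | Select-Object Computer, IsGlobalCatalog, Site, SysvolShared, StoppedServices, ReplicationOK | Format-List
$report.Partners | Format-Table -AutoSize

if (-not $report.ReplicationOK -or $report.StoppedServices) {
    Write-Warning "$secondDC is not healthy yet. Initial replication can take a few minutes; re-run this check."
}
```

If you took the optional Server Core step, wait for that restart to finish as well before running the check; the remote session from step 6 no longer exists after either restart, which is why this example opens its own.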

Lab 3: Working with Identity


Azure Active Directory is a service that provides identity and access management capabilities in the cloud. In much
the same way that Active Directory is a service made available to customers through the Windows Server
operating system for on-premises identity management, Azure Active Directory (Azure AD) is a service that is made
available through Azure for cloud-based identity management. Azure AD can be used as a standalone cloud
directory for your organization, but you can also integrate existing on-premises Active Directory with Azure AD.
Some of the features of integration include directory sync, password sync and single sign-on, which further extend
the reach of your existing on-premises identities into the cloud for an improved admin and end user experience.

Create a new Azure Active Directory environment

In this task, you will create a new Azure Active Directory tenant.

Perform the following tasks in the Azure management portal.

1. In the Azure management portal, click ACTIVE DIRECTORY.


2. Click NEW, click APP SERVICES, click ACTIVE DIRECTORY, click DIRECTORY, and then click CUSTOM
CREATE.

3. In NAME, type Contoso-AZ-Directory.
4. In DOMAIN NAME, type AzureCONTOSO<ID> (where <ID> is your unique ID).
5. In COUNTRY OR REGION, select UNITED STATES, and then click the Complete icon.
o If you are not in the United States, select it anyway to ensure the consistency of the lab
steps.

Create an Azure Active Directory Administrator account


In this task, you will create a user account to serve as the administrator of your Azure Active Directory service.

Perform the following tasks in the Azure management portal.

1. In the Azure management portal, click ACTIVE DIRECTORY, and then click Contoso-AZ-Directory.
2. Under Contoso-AZ-Directory, click USERS, located on the top menu.
3. In the bottom bar, click ADD USER.
4. In USER NAME, type AADAdmin, and then click the Next arrow.

5. In FIRST NAME, type AAD, and then in Last Name, type Admin.
6. In DISPLAY NAME, type AADAdmin.
7. In ROLE, select Global Administrator.

8. In ALTERNATE EMAIL ADDRESS, type any valid e-mail address you have access to, and then click the
Next arrow.

9. Under Get temporary password, click create.

10. MAKE NOTE of this password as you will need it later.


11. Click the Complete icon.
12. Note the USER NAME value of the user; you will need this later.
o The USER NAME is the name you typed followed by the directory's default domain, i.e.
AADAdmin@AzureCONTOSO<ID>.onmicrosoft.com.

Set a password for your admin account

In this task, you will perform an initial logon to set the password for the admin account.

Perform the following tasks on your local workstation.

1. Close all web browser sessions, or open an “In-Private” browser session. Using Internet
Explorer, navigate to manage.windowsazure.com.
2. Log in as AADAdmin using the unique <ID> and the temporary password you noted previously, i.e.
AADAdmin@AzureContoso<ID>.onmicrosoft.com
o You will need to use the USER NAME value you noted earlier.
o You may need to sign out first.
3. When prompted, change the password to Passw0rd! and then click Update password and sign in.
o You will see the message “No subscriptions found.” This is expected: the user is not
permitted to manage subscription-level details.

4. Close Internet Explorer.

Configure and test the AADSync Service

In this task, you will configure Windows Server 2012 R2, enable DirSync for your Azure Active Directory, and then
perform an initial sync to populate your Azure Active Directory service with copies of your local user accounts, using
the users you created earlier to test the synchronization.

Connect using RDP to DC01:

1. Close all web browsing sessions then reopen Internet Explorer and navigate to
http://Manage.WindowsAzure.com.
2. Log in with your Microsoft account used in the previous labs, not the AD administrator account from
the previous section.
3. On the left menu of the Azure management portal, click VIRTUAL MACHINES.
4. Next to DC01, click the DC01 computer name to open the Virtual Machine Quick Start or Dashboard.
5. Click DASHBOARD.
6. On the bottom bar, click CONNECT, and then click Open.
7. Click Connect.
8. When prompted, log on as sysadmin@contosoazure.com using Passw0rd! as the password.
9. Click yes.
o You are now logged on to your virtual machine.

10. Open Server Manager and click Local Server in the left-hand navigation pane.
11. Next to IE Enhanced Security Configuration, click On.
12. In the Internet Explorer Enhanced Security Configuration screen, click Off for both Administrators and Users.
This is only for testing in this lab.
13. Click OK.

14. In Server Manager, click Tools and select Active Directory Users and Computers.

15. As you browse Active Directory Users and Computers, you should see the names of the users you created via
PowerShell.
16. Still on DC01, use Internet Explorer to navigate to http://Azure.Microsoft.com
17. Log in as your subscription user, not the user you just created.
18. In the Azure management portal, scroll to and click ACTIVE DIRECTORY.
19. Click Contoso-AZ-Directory, and then click Directory Integration.
20. Next to DIRECTORY SYNC, click Activated.
21. Click Save, and then click Yes.
o Wait for the job to complete before proceeding.

22. Open Internet Explorer on the domain controller and go to http://aka.ms/azureadsync to download
the Microsoft Azure Active Directory Sync Services.
23. Click Download.
24. Save the tool to the desktop of the domain controller.
25. On the DC’s desktop, right-click MicrosoftAzureADConnectionTool and select Run as
administrator. This will install and configure the tool.
26. Check I agree to the terms and click Install.

NOTE: DirSync may take about 10 minutes or longer to install.

27. In User name, type AADAdmin@AzureContoso<ID>.onmicrosoft.com, replacing <ID> with the
unique ID for your domain name.
28. In Password, type Passw0rd! and then click Next.
29. In Forest, type ContosoAzure.com.
30. In User name, type contosoazure\sysadmin.
31. In Password, type Passw0rd! and then click Add Forest.
32. Click Next.

33. On User Matching, leave the defaults and click Next.

34. On Optional features, select Password synchronization and click Next.
35. On the Configure screen, review the options and click Configure.
36. When configuration has completed, review the screen, verify Synchronize now is selected, and then
click Finish.

37. Switch to your Azure management portal, and then click ACTIVE DIRECTORY.
38. Click the domain that synchronized, and then click Users and look for the users you created earlier.
o You should eventually see the users you created in AD now synchronized to your Azure
Active Directory.
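The admin-account task above and the final sync check can both be done from PowerShell instead of the portal. The following is an added example written for this lab, not the lab's own script or a Microsoft sample; it assumes the Azure Active Directory (MSOnline) PowerShell module is installed, and the tenant domain is a placeholder in which you replace <ID> with your unique ID. The Global Administrator role shown in the portal is named 'Company Administrator' in this module.

```powershell
# Added example (not part of the lab): create the AADAdmin account with PowerShell
# instead of the portal, and check which users arrived via directory sync.
# Assumes the Azure Active Directory (MSOnline) module is installed; the tenant
# domain below is a placeholder you replace with your own <ID>.
Import-Module MSOnline

$tenantDomain = 'AzureContoso<ID>.onmicrosoft.com'   # placeholder: replace <ID>

# Sign in with the Microsoft account that manages the subscription. The prompt is
# interactive, so no password is stored in the script file.
Connect-MsolService -Credential (Get-Credential -Message 'Tenant admin credentials')

# Create the admin user. Omitting -Password makes the service generate a temporary
# password, returned in the Password property of the output object; the user must
# change it at first sign-in (ForceChangePassword), matching the portal flow.
$admin = New-MsolUser -UserPrincipalName "AADAdmin@$tenantDomain" `
                      -DisplayName 'AADAdmin' -FirstName 'AAD' -LastName 'Admin' `
                      -UsageLocation 'US' -ForceChangePassword $true
Write-Host "Temporary password for $($admin.UserPrincipalName): $($admin.Password) (note it now)"

# Portal role "Global Administrator" = MSOnline role 'Company Administrator'.
Add-MsolRoleMember -RoleName 'Company Administrator' `
                   -RoleMemberEmailAddress $admin.UserPrincipalName

# Confirm the role assignment actually landed before relying on the account.
$roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
Get-MsolRoleMember -RoleObjectId $roleId |
    Where-Object { $_.EmailAddress -eq $admin.UserPrincipalName }

# After the first DirSync run: list the users that came from on-premises AD.
# Synced objects carry a LastDirSyncTime; cloud-only users such as AADAdmin do not,
# so this separates the two populations cleanly.
Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime } |
    Select-Object UserPrincipalName, DisplayName, LastDirSyncTime |
    Sort-Object LastDirSyncTime -Descending
```

Run the last query again a few minutes after the sync tool reports Synchronize now as finished; an empty result means the synchronization cycle has not yet completed, not that the users are missing.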

Implementing Multi-Factor Authentication

Multi-factor or two-factor authentication is a method of authentication that requires the use of more than one
verification method and adds a critical second layer of security to user sign-ins and transactions. It works by
requiring any two or more of the following verification methods:

 Something you know (typically a password)
 Something you have (a trusted device that is not easily duplicated, like a phone)
 Something you are (biometrics)

The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication
factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is
useless without also having possession of the trusted device. Conversely, if the user happens to lose the device,
the finder of that device won't be able to use it unless he or she also knows the user's password. Azure
Multi-Factor Authentication is the multi-factor authentication service that requires users to also verify sign-ins using a
mobile app, phone call or text message. It is available to use with Azure Active Directory, to secure on-premises
resources with the Azure Multi-Factor Authentication Server, and with custom applications and directories using
the SDK.

In this task, you will configure Multi-Factor Authentication (MFA) with Microsoft Azure. To complete this module
fully, you need to have a phone which can send and receive text messages or calls. You will configure this lab to
use your phone as the second authentication factor; verification is done by replying to a system-generated text or
voice message.

We will start by enabling the MFA service.

1. Using Internet Explorer, navigate to manage.windowsazure.com.


2. Log on using your tenant account.
3. In Microsoft Azure, click ACTIVE DIRECTORY.
4. Click MULTI-FACTOR AUTH PROVIDERS, and then click CREATE A NEW MULTI-FACTOR
AUTHENTICATION PROVIDER.
5. In NAME, type Contoso-MFA, and ensure the correct subscription is selected (if you have multiple
subscriptions tied to your Live ID).
6. For DIRECTORY, select Contoso-AZ-Directory and then click CREATE.

Testing Multi-Factor Authentication

In this task, you will test multi-factor authentication. Ensure you have the phone readily available as you will have a
limited time to receive and reply to the text message generated by Microsoft Azure.

Perform this task on your local machine.

1. In the Microsoft Azure Active Directory portal, click Directory and then click Contoso-AZ-Directory.
2. On the top bar, click Configure.
3. Under the multi-factor authentication section, click Manage service settings.

4. If prompted enter your tenant credentials


5. In multi-factor authentication, click Users on the top navigation bar.
6. Select one of the users synchronized from Active Directory and click Enable under quick steps.

(Image is an example only; select a user that reflects your lab environment.)

7. On the information screen, review the message and click enable multi-factor auth.
8. Click Close.
9. Open a new tab in Internet Explorer and navigate to http://aka.ms/MFASetup. Note: if you are signed
in, sign out to continue.
10. On the Sign in screen, type the username and password you created earlier (such as
KarenVogue@AzureContoso<ID>.onmicrosoft.com and Passw0rd!) and click Sign in.
11. Since this is the first time the user has logged in, you will need to configure MFA; click Set it up now.
12. Fill in your contact information (the phone number of your mobile phone), select the Call me radio
button, and click Contact me.

13. Answer your phone when it rings, and listen to the instructions. Press # to finish the authentication
process. On the Additional security verification click Done.

Lab 4: Automating Deployments of SQL and IIS
This lab gives you an opportunity to experience using PowerShell to drive the automation of
deployments.

You can download the full script to run at: http://aka.ms/tiy or at http://aka.ms/lab4script

The script demonstrates automatic deployment of Microsoft Azure Infrastructure Services using
Azure PowerShell. This particular demo illustrates the concept from deploying a set of VMs
forming an application architecture (IaaS) to configure a target runtime environment (PaaS) and
create/start a two-tier application instance (SaaS). What it deploys are not just VMs, but a set
of VMs collectively delivering a data management application as shown below. The value
proposition of this exercise is an end-to-end highly automated deployment of a target
application instance on demand, i.e. application deployment as a service.
[Figure: an Azure Region containing a cloud service with an endpoint/load balancer (EP/LB) in front of WEBFE01,
which connects to SQL01 on port 1433.]

The requirements to run this script are:

1. Have Azure PowerShell installed locally
Ref: http://aka.ms/AzureCmdlets
2. Be able to log in with an Azure account

Here are the steps to run the script:

1. Access the script at http://aka.ms/TIY and click Lab4 Script.


2. Click RAW to open as text.
3. Ctrl-a to select all and Ctrl-c to copy.
4. Start a PowerShell ISE session as administrator on your local desktop.
5. If you do not see the script pane, press Ctrl-r to show it.
6. Click the white space of the script pane and Ctrl-v paste the script.
7. Save the script to your intended location.
8. Press F5 to run the script.
9. Follow the screen output and respond to the prompts.
10. Log in to the Contoso data management app with 12345 as the password and test the
application.
11. Answer yes or no in the ISE session to delete/keep the deployment upon finishing your
tests.

The coding style and the organization of this script are for clarity and readability, instead of
efficiency and optimization. Notice that in this script all credentials are provided and passed
as plain text for simplicity. There is very limited error handling. This script is for learning and
training, and not for production use.

APPENDIX - Perform the following tasks in the Azure management portal to
set up your Virtual Machines.
If you would rather use the portal to set up VMs in Azure without PowerShell, you can do so by following this
sample guide.

1. In the Azure management portal, click VIRTUAL MACHINES.


2. Click NEW (Plus “+” Sign) located at the bottom of the Azure management portal
3. Click COMPUTE, click VIRTUAL MACHINE, and then click FROM GALLERY.
4. In Choose an Image, click Windows Server 2012 R2 Datacenter, and then click the Next arrow.

5. Create a new virtual machine using the values in the following table. Please note: you can use your own
username and password, just make sure to remember them!

Property                      Value
VIRTUAL MACHINE NAME          ABC-DC01
TIER                          Standard
SIZE                          A1
USER NAME                     SysAdmin
NEW PASSWORD and CONFIRM      Passw0rd!

6. Then click the Next arrow.


7. On Virtual machine configuration page 3, in CLOUD SERVICE, select the correct cloud service or create a
new one based on your lab instructions.
o ABC-VNet will be selected automatically. If ABC-VNet is not available, you likely created it in a
different Location; go back and fix the location so that it is the same.
8. In STORAGE ACCOUNT, select <ID>storage (From Lab 1)
o If your storage account is not in the list, you may have to cancel out of this wizard, wait a few
minutes for it to finish building, and try again.
9. In REGION/AFFINITY GROUP/VIRTUAL NETWORK, verify that ABC-VNet is selected.
10. In VIRTUAL NETWORK SUBNETS, verify that the correct subnet is selected (either Core-Subnet or
App-Subnet), and then click the Next arrow.
11. Click the Complete icon.
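The same ABC-DC01 machine can be created with the classic (Service Management) Azure PowerShell cmdlets, which also shows how the credential-handling caveat from Lab 4 (credentials passed as plain text, very little error handling) can be avoided. This is an added example written for this guide, not the lab's downloadable Lab 4 script and not the portal wizard's output. It assumes the Azure PowerShell module from Lab 1 is installed; the cloud service name, the region and <ID> are placeholders taken from the lab's naming that you adjust to your own environment. The admin password is collected with Get-Credential at run time rather than embedded in the script.

```powershell
# Added example (not the lab's Lab 4 script): create the ABC-DC01 VM from the appendix
# table with the classic Azure PowerShell cmdlets, prompting for the admin password
# instead of hard-coding it. Names marked "placeholder" are assumptions, not lab values.
Import-Module Azure

$id             = '<ID>'                  # placeholder: your unique lab ID
$serviceName    = "$id-dc-service"        # placeholder: new cloud service for this VM
$location       = 'East US'               # placeholder: must match the region of ABC-VNet
$storageAccount = "${id}storage"          # storage account from Lab 1
$vnetName       = 'ABC-VNet'
$subnetName     = 'Core-Subnet'
$vmName         = 'ABC-DC01'
$vmSize         = 'Small'                 # portal size "A1" is 'Small' in Service Management

# Prompt for the local admin account: the password stays a SecureString until the
# provisioning cmdlet needs it, so it is never written into this file.
$cred = Get-Credential -UserName 'SysAdmin' -Message "Local administrator for $vmName"

# Point the current subscription at the lab storage account so the VHD lands there.
$subscription = (Get-AzureSubscription -Current).SubscriptionName
Set-AzureSubscription -SubscriptionName $subscription -CurrentStorageAccountName $storageAccount

# Pick the newest Windows Server 2012 R2 Datacenter gallery image, like "FROM GALLERY".
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq 'Windows Server 2012 R2 Datacenter' } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1

try {
    # Build the VM definition: size, image, Windows provisioning and the lab subnet.
    $vmConfig = New-AzureVMConfig -Name $vmName -InstanceSize $vmSize -ImageName $image.ImageName |
        Add-AzureProvisioningConfig -Windows -AdminUsername $cred.UserName `
                                    -Password $cred.GetNetworkCredential().Password |
        Set-AzureSubnet -SubnetNames $subnetName

    # Creates the cloud service inside ABC-VNet and starts provisioning the VM.
    New-AzureVM -ServiceName $serviceName -Location $location -VNetName $vnetName `
                -VMs $vmConfig -ErrorAction Stop
    Write-Host "Provisioning of $vmName requested in cloud service $serviceName"
}
catch {
    # The lab script has almost no error handling; surface the failure instead of
    # silently continuing with a half-built environment.
    Write-Error "Failed to create $vmName : $($_.Exception.Message)"
}
finally {
    # Drop the credential object as soon as provisioning has been requested.
    Remove-Variable cred -ErrorAction SilentlyContinue
}
```

Get-Credential is the only point where the password exists in the session, and the plain-text copy produced by GetNetworkCredential() lives only for the duration of the Add-AzureProvisioningConfig call; if the cloud service from Lab 1 already exists inside ABC-VNet, reuse its name and region instead of the placeholders.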
