Tag Archives: Azure Active Directory Domain Service

Manage Azure Active Directory with PowerShell – Part 01

In this series of articles, it which will explain how to use PowerShell to manage your Azure Active Directory instance. In Part 01, I am going to show how to connect with Azure AD using PowerShell and show actions of some day to day operation related commands.

In order to use PowerShell with Azure AD, first we need to install Azure Active Directory Module in local computer. there is two version of Azure active directory PowerShell module. One was made for the Public Preview and the latest one released after announces Azure AD GA. You can download module from http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

If you had the previous version installed, highly recommended to replace it with the new version.

Once installed let’s check its status.

Get-Module MSOnline

mson1

In order to list down all the commands associate cmdlets with the module we can use

Get-Command -Module MSOnline

mson2

Next step is to connect to Azure AD Instance. In order to do that we can use,

Connect-MsolService

It will prompt for the login details. Please use your Azure DC Admin account details. Please note login via Microsoft account not supported.

First, we can list down all the domain under the given subscription. To do that we can use,

Get-MsolDomain

mson3

As next steps I like to list down all the users in Azure AD Setup.

Get-MsolUser

mson4

It will list down all the Users in the Azure AD.

I also can search for a specific user based on text patterns. In below example I am searching users with Name which match text “Dishan”

Get-MsolUser -SearchString "Dishan"

Idea of my search is to find some object values for this user. I can combine above command to return all the object value.

Get-MsolUser -SearchString "Dishan" | Select-Object *

mson5

Now we know what are the objects been use and I can make more unique search.

Get-MsolUser | Select-Object DisplayName,whenCreated,LastPasswordChangeTimestamp

Above command will list me all the users with Display Name, Date and Time It was created, and Date and Time of Last Password Change Action.

mson6

Get-MsolUserRole another handy cmdlet. It can use to check the role of a user account.

Get-MsolUserRole -UserPrincipalName "dcadmin@REBELADMIN.onmicrosoft.com" | fl

The above command will find the role for the given user account.

mson7

Get-MsolGroup cmdlet can use to list, filter Groups in the Azure AD.

mson8

Using searchstring can search for the groups based on text patterns.

Get-MsolGroup -SearchString "AAD"

mson9

Get-MsolGroupMember can use to list down the members in the group.

Get-MsolGroupMember -GroupObjectId "77a76005-02df-48d5-af63-91a19ed55a82"

mson10

Remove-MsolUser cmdlet can use to remove the user object from the Azure AD. This can combine with searchstring to search for user and then remove the object same time.

Get-MsolUser -SearchString "user2" | Remove-MsolUser

Above command will search for the user object which have display name similar to user2 and then delete it.

mson11

In next post let’s dig further in to cmdlets which can use to manage Azure AD.

If there is any question, please feel free to contact me on rebeladm@live.com

Which azure active directory edition I should buy?

4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da

Azure active directory is responsible for providing identity service for Microsoft online service’s needs. When I talk to people about azure AD one of most common problem they ask is what version I should buy? my existing subscription will work for the features I looking for? The myth is, lot of people still thinks azure subscriptions and prices are complicated, but if you understand what each subscription can do it’s not that hard. I have seen people paying for Azure AD premium version when azure AD free version can give the features they needed for their environment and some people struggling to implement features only available for premium version using their free azure AD instance. In this blog post I am going to list down the features for each azure AD version and hope it will help you to decide the version you need for your setup.

There are 4 Azure AD editions,

1) Free

2) Basic

3) Premium P1

4) Premium P2

Free – if you subscribed to any Microsoft online service such as azure or office 365 you will get the free azure AD version. You do not need to pay for this. But it got limited features which I will explain later in this post.

Basic – Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions. With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.
 
Premium P1 – Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), identity protection and security in the cloud. It supports advanced administration and delegation resources like dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-service password reset for your on-premises users.
 
Premium P2 – Designed with advanced protection for all your users and administrators, this new offering includes all the capabilities in Azure AD Premium P1 as well as our new Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. We also help you manage and protect privileged accounts with Azure Active Directory Privileged Identity Management so you can discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.
 
azure ad version 1
azure ad version 2
azure ad version 3
 
You can find more info about the subscriptions from 
 
if you got any question feel free to contact me on rebeladm@live.com

 
Note : Image Source https://f.ch9.ms/thumbnail/4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da.png

Getting Started with Azure AD B2B collaboration

What is Azure AD B2B ?

By now I assume you have idea what is Azure AD and how it works. If you are new to my blog, please search for Azure AD on my blog and you will be able to find articles explaining about it and its capabilities. Azure AD manage identities for the company and it will allow to control access to resources such as applications. Sometime based on business requirements companies have to share their resources with partners, other companies in group etc. in such scenario Azure AD B2B collaboration supports to share resources with another party using their own identities.

Using Azure AD B2B partners can use Azure AD account they create using the invitation process. Then azure admins can control the access to the applications. Once the tasks are completed those accounts easily can remove from the azure AD and all the permissions to the resources will be revoked. The partner company do not need to have any azure subscription and it allow to provide quick access to the resource with minimum changes.  

How it works?

1) Administrator invites the partner users by uploading the user details using CSV file. This file need to create with specific fields and values and more details can find on https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2b-references-csv-file-format/

2) Azure portal sends invite emails to the users which is imported using CSV file

3) Users click on email link and sign in using their work credentials (if they have azure AD account) or sign up as an Azure AD B2B collaboration user

4) User log in and access the shared resources

Let’s see it in action 

To enable azure AD B2B collaboration for an Azure AD instance you need to have global administrator privileges. So before you start make sure you got the relevant permissions. 

As I said previously the user accounts details need to be uploaded via a CSV file. In here I have created a simple CSV file with test account.

b2b1

After that log in to azure portal and load the Azure AD instance you already have.

b2b2

Then go to users and click on Add

b2b3

From the wizard select the “Users in Partner Companies” as the type of the user

b2b4

then brows for the CSV file and import

b2b5

after few minutes the user got email with link

b2b6

once click on the link it will load up a page and click next to continue

b2b7

in next page provide a password and click next

b2b8

it will send code to verify email address and once you put it there click on finish

b2b9

once process finish, we can see the new user under the azure AD users

b2b10

now I have application under my directory and when I go to users I can see the new user we setup. I have assign the permission for the new user for the app.

b2b11

So when login to the azure portal as the new partner user now can see the applications which is assigned for the user.

b2b12

Hope this was helpful and if you have questions feel free to contact me on rebeladm@live.com 

Azure Rights Management (Azure RMS) – Part 1

Microsoft Right management service help organizations to protect organization’s sensitive data getting unauthorized access. This service been used on-premises active directory infrastructures in years and it’s also available in azure.

If you not familiar with RMS let me explain it in simpler way. Let’s say user A got a document which contain some sensitive data about company stock prices. User A sending it to User B. This we know should be a conversation between user A and B. and how we can verify these data not been to pass to another user? What if someone gets a printed copy of this document? What if the user B edit this and add some false information? Using RMS you can prevent those. RMS can use to encrypt, managed identities and apply authorization policies in to your files and emails. The files you can define to open only by the person who you wished to open it, set it to read-only and also prevent user from printing it.

Using Azure RMS you can integrate the above features with your cloud applications, office 365 to protect the confidential data.

azrms_elements

In order to enable the Azure RMS you need the following prerequisites.

1)    Valid Azure Subscription – You need to have valid azure subscription to start with. If you not have paid version you still can start with a trial.
2)    Azure AD – You must have Azure AD configured to have RMS. I have written articles about how to get Azure AD services enable and you can simply search the blog if you need help with it. Also you can integrate it with your on-premises Ad infrastructure.
3)    RMS Supported Devices – you need to have devices runs with RMS supported OS to use this features. The list is available at https://docs.microsoft.com/en-us/rights-management/get-started/requirements-client-devices
4)    RMS Supported Applications – to use RMS features its need to be used with RMS supported applications. The list is available here https://docs.microsoft.com/en-us/rights-management/get-started/requirements-client-devices

Once you are ready with above first step is to enable the Azure RMS Service.
1)    Log in to the Azure Portal with a privileged account
2)    Go to Brows and then type rms, then it will list the RMS service then click on it.

rms1

3)    It will load the classic portal. In here you can see all the azure Ad instance running and its RMS service status. In my demo I do not have any instance enable with RMS.

rms2

4)    To enable the RMS service, select the AD instance and the click on “Activate” button in the bottom of the page.

rms3

Once it’s activated we have RMS enabled. In next part of the article let’s see how to use its features.

If you have any questions feel free to get back to me on rebeladm@live.com

Step-by-Step Guide to create Organizational Unit (OU) in Azure AD Domain Service Managed Domain

Organizational unit in active directory is a container where you can place users, computers, groups and other organization units even. OU are helps to create logical structure of the AD. You can use it to assign group policies and manage the resources.  This is common procedure in in-house domain environment, but what about the Azure managed domain? Can engineers use same method?

Answer is YES, but with some limitations. It is managed domain so you do not have full control over the functions such as complex group policies etc. I will explain those in later article but for the Organizational units, we can create those and manage those in azure managed domain. There is no option in azure portal to create this, this need to be created using a PC, server which is connected to the Azure Ad managed domain.

I wrote an article about adding a VM to the Azure managed domain. It is good place to start with http://www.rebeladmin.com/2016/05/step-step-guide-manage-azure-active-directory-domain-service-aad-ds-managed-domain-using-virtual-server/ . To create OU, you must have this done before start.

You also need be a member of AAD DC Administrators group.

Let’s see how we can create OU.

In my demo I am using a windows 2016 TP5 server which is connected to managed domain. Also I logged in as a member of AAD DC Administrators group.

ou1

Also I have already installed AD DS and AD LDS Tools (Remote server administration tools > Role administration tools > AD DS and AD LDS Tools)

ou2

To start the process, go to Server Manager > Tools > Active Directory Administrative Center

ou3

In left hand side in the console click on the managed domain

ou4

In the right hand under the Tasks click on New > Organizational Unit

ou5

In next window we can provide the information about new OU and click OK to complete.

ou6

Then you can see the new OU added.

ou7

By default the user account I used for to create the OU got full permissions to control the OU.

ou8

Now you can create new users, groups under this OU. But keep in mind you CANNOT move any users, groups which is already under AADDC users OU. It’s the default OU for the users, groups added via azure portal.

ou13

Also the users and groups added under new OU will not be visible on azure portal. It’s only valid inside the managed domain environment.

Hope this article was helpful. If you got any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to enable Secure LDAP (Lightweight Directory Access Protocol) on Azure AD managed domain

In active directory environment, LDAP (Lightweight Directory Access Protocol) is responsible for read and write data from AD. By default LDAP traffic transmitted un-secure. You can make this secured transmit based on SSL. In security prospective even in more “local” network it’s important to make secure even though most of engineers not using it. But when you have hybrid or cloud only setup this is more important. Idea of this post is to demonstrate how to enable secure LDAP on Azure AD managed domain.

There is few prerequisite required to perform this task.

1)    Azure AD Domain Service – Azure AD domain service must be enabled and configured with all prerequisite. If you need any help over please refer to my last few posts which explain how to configure.
2)    SSL Certificate – It is need to have valid SSL certificate and it need to be from valid certificate authority such as public certificate authority, enterprise certificate authority. Also you can still use self-sign SSL certificate.

In my demo,
1)    I have already configured a Azure AD managed domain and running with active subscription

sldap1

2)    I got an Azure VM connected to Azure managed domain and I will be using it to demonstrate to enable Secure LDAP.
3)    I am going to use self-signed certificate to create the secure LDAP

Create self-signed certificate

1)    Log in to domain joined server, or PC and open windows power-shell session as administrator.
2)    Execute following

$validtill=Get-Date
New-SelfSignedCertificate -Subject *.rebeladmin.onmicrosoft.com -NotAfter $validtill.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.rebeladmin.onmicrosoft.com

In here you can replace rebeladmin.onmicrosoft.com with your managed domain name.

This will generate the self-sign certificate.

sldap2

Export the SSL Certificate

Now we have the certificate, but we need to export it to use to enable secure LDAP.
1)    Log in to the PC or Server which generated certificate as administrator
2)    Go to run > mmc

sldap3

3)    File > Add/remove Snap-in

sldap4

4)    Select Certificates and click on button Add

sldap5

5)    Then select the Computer Account and click next

sldap6

6)    Select local computer and click on finish

sldap7

7)    Click on OK to open the certificate mmc

sldap8

8)    Then in console go to Personal > Certificates and you can see the new self-signed certificate we just created in previous step

sldap9

9)    Right click on the certificate and click on All tasks > export

sldap10

10)    Then its start the certificate export wizard, click on next to start

sldap11

11)    In this window select option “Yes, export the private key” and click on next
12)    Leave the .pfx option selected and click next

sldap12

13)    In next window define a password and click on next

sldap13

14)    Then define the location to save the file and click on next

sldap14

15)    Click on finish to complete the export process

sldap15

Enable Secure LDAP

Now we got the SSL exported and ready. Now it’s time to enable the secure LDAP.
1)    Log in to the azure portal and load the Azure Domain Services configuration page for your relevant directory

sldap16

2)    Then to the domain service section and click on “configure certificate” button

sldap17

3)    Then brows for the .pfx file we just exported and provide the password, then click ok to proceed

sldap18

4)    After few minutes we can see the secure LDAP is enabled

sldap19

5)    The next step is to enable the secure LDAP connection over the internet for your managed domain. For that click on the “Yes” for the option “Enable secure LDAP access over the internet” and the click save

sldap20

sldap21

6)    After few minute we can see the feature is enabled and also displaying the public ip address which can use on this.

sldap22

7)    If you wish to use secure ldap over the internet you need to create DNS entry in your dns provider and create A record to point domain to the public ip address its given.

Hope this was helpful post and if you have any question on this feel free to contact me on rebeladm@live.com

Step-by-Step Guide to manage Azure Active Directory Domain Service (AAD-DS) managed domain using Virtual Server

In my last two blog post I explain how to enable Azure Active Directory Domain Service and how to configure it properly. If you still not read those you can find those in following links.

Step-by-Step Guide to enable Azure AD Domain Services

Step-by-Step Guide to enable password synchronization to Azure Active Directory Domain Services (AAD DS)

In this post I am going to demonstrate how to add a virtual server which is setup on azure in to the managed domain and how to use Active Directory administration tools to manage the AAD-DS managed domain.

One thing I need to make clear is since it’s a managed domain services you do not going to have same manageability as in house domain controller.

According to Microsoft

Administrative tasks you can perform on a managed domain

•    Join machines to the managed domain.
•    Configure the built-in GPO for the 'AADDC Computers' and 'AADDC Users' containers in the managed domain.
•    Administer DNS on the managed domain.
•    Create and administer custom Organizational Units (OUs) on the managed domain.
•    Gain administrative access to computers joined to the managed domain.

Administrative privileges you do not have on a managed domain

•    You are not granted Domain Administrator or Enterprise Administrator privileges for the managed domain.
•    You cannot extend the schema of the managed domain.
•    You cannot connect to domain controllers for the managed domain using Remote Desktop.
•    You cannot add domain controllers to the managed domain.

Create VM

As the first step I am going to setup new VM under the same virtual network as the managed domain.

1)    In order to join VM to the same virtual network, we have to use Azure classic portal to build the VM.
2)    Log in to the azure classic portal > New > Compute > Virtual Machine > From Gallery ( The reason is using this option can define the advanced options)

md1

3)    Then select the template from the list. I am going to use windows server 2016 TP 5. Click on arrow to proceed.

md2

4)    In next window provide the info for the new VM (such as name, resources and local admin account) and click proceed arrow.

md3

5)    In Next window select the Virtual network as same as the one you setup the AAD-DS managed domain. If you do not select correct virtual network you will not be able to connect this vm to the managed domain. Once done, click on button to proceed.

md4

6)    In next window can add the extensions you like and click to button to setup the vm.

md5

Connect VM to the Managed Domain

1)    Once New VM is up and running, click on connect to log in to the VM

md6

2)    Now the server is ready, next step is to join it to the domain.

md7

3)    In domain, type the managed domain name and type the credentials. The use account used for authentication should be member of AAD DC Administrators group ( I explain on my first article how to setup this group)

md8

md9

md10

4)    Once connected to the domain, reboot it to complete the process.

Manage domain using AD administration tools

In this step I am going to install AD admin tools using that we can manage the Azure managed domain.
Note – This also can do using desktop operating system as well. Ex- windows 10. To do it, need to install RSAT for windows 10. (https://www.microsoft.com/en-gb/download/details.aspx?id=45520)

1)    Log in to the server as member of AAD DC Administrators group
2)    Server Manager > Add Roles and Features

md11

3)    Click next in the wizard

md12

4)    In next window keep the default and click next

md13

5)    In next window keep the default and click next to proceed

md14

6)    On the roles page, keep default values and click next

md15

7)    In features select Remote server administration tools > Role administration tools > AD DS and AD LDS Tools and then click next to proceed.

md16

8)    In next window click on install to proceed with the installation

md17

9)    Once install done go to Server Manager > Tools > Active Directory Users and Computers
Here we can see the AD console which Admins familiar with.

md18

md19

md20

Hope this is helpful and if you have any question feel free to contact me on rebeladm@live.com