Azure Hybrid IAM

May 20, 2020

Quite often when I am giving tech briefing sessions on Azure IAM, I feel the need for a live LAB that my audience can simply follow, via a few high-level steps, to better visualise the true power of Azure hybrid identity and management. I would like to keep this intro short and crack on with the LAB build, simply because there are tonnes of material available on MS DOCS, such as:

  • AAD: and
  • AAD Connect:

LAB Module 1: Leveraging the power of AAD Connect to synchronize AD to Azure AD. This Lab consists of 3 fundamental steps:

  • We will start with creating an Azure Virtual Machine to mirror an on-prem Domain Controller. 

  • Then we will create an Azure AD Tenant and

  • At last we will leverage the power of AAD Connect to sync accounts from onprem AD to Azure AD.

NOTE: For simplicity on this temporary LAB build, please try to keep all the passwords the same to avoid any confusion.

STEP1: Create a VM to mirror onprem DC server

  • Create RG for your Domain Controller:

    • az group create --name RG-ADLAB --location uksouth

  • Create a Network Security Group and an NSG rule to allow port 3389:

    • az network nsg create --name NSG-ADLAB --resource-group RG-ADLAB --location uksouth

    • az network nsg rule create --name AllowRDP --nsg-name NSG-ADLAB --priority 100 --resource-group RG-ADLAB --access Allow --source-address-prefixes "*" --source-port-ranges "*" --direction Inbound --destination-port-ranges 3389

  • Create a VNET and a SUBNET:

    • az network vnet create --name VNet-ADLAB --resource-group RG-ADLAB --address-prefixes --location uksouth

    • az network vnet subnet create --address-prefix --name Subnet-ADLAB --resource-group RG-ADLAB --vnet-name VNet-ADLAB --network-security-group NSG-ADLAB

  • Create the VM to mirror onprem DC Server:

    • az vm create --resource-group RG-ADLAB --name ONPREMDC --size Standard_DS1_v2 --image Win2019Datacenter --admin-username ADLABadmin --admin-password <ChoosePassword> --nsg NSG-ADLAB --private-ip-address
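The AllowRDP rule above accepts port 3389 from any source address ("*"). As an added example that is not part of the original post, the following tightens that rule to the admin workstation's own public IP and then queries the NSG for any rule that still exposes 3389 to the world. It assumes the same az CLI login as the commands above, run from a PowerShell prompt, and that api.ipify.org is reachable to discover your public IP.

```powershell
# Added example (not from the original post): restrict the lab's RDP rule from "*"
# to a single source address, then verify nothing in the NSG still exposes 3389 to any source.
# Assumes: az CLI already logged in (as for the commands above) and outbound HTTPS to api.ipify.org.

# Discover this workstation's public IP (assumption: api.ipify.org is reachable).
$adminIp = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()

# Same rule name, NSG and resource group as created in STEP1; only the source changes.
az network nsg rule update `
    --name AllowRDP `
    --nsg-name NSG-ADLAB `
    --resource-group RG-ADLAB `
    --source-address-prefixes "$adminIp/32" `
    --output none

# Check: list any inbound Allow rule on 3389 whose source is still the wildcard.
$open = az network nsg rule list `
    --nsg-name NSG-ADLAB `
    --resource-group RG-ADLAB `
    --query "[?direction=='Inbound' && access=='Allow' && destinationPortRange=='3389' && sourceAddressPrefix=='*'].name" `
    --output tsv

if ($open) {
    Write-Warning "RDP is still reachable from any address via rule(s): $open"
} else {
    "AllowRDP now limited to $adminIp/32; no wildcard 3389 rule remains in NSG-ADLAB."
}
```

Re-run the update if your public IP changes, otherwise the RDP sessions in the later steps will be refused.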

STEP2: Installation and Configuration of AD

  • RDP to the ONPREMDC created under STEP1 above. 

  • Now launch a PowerShell prompt and run the following cmdlets:

    • Install the AD DS role: Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

    • Import the deployment module: Import-Module ADDSDeployment

    • Promote the ONPREMDC server to a domain controller: Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2012R2" -DomainName "onpremADdomain.TLD" -DomainNetbiosName "<onpremADdomain>" -ForestMode "Win2012R2" -InstallDns:$true -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -Force:$true

    • Enter and reconfirm your previously selected Password from STEP1 <ChoosePassword>. This will be used for Directory Services Restore Mode (DSRM). IGNORE the warnings. The ONPREMDC VM will restart automatically at this point.

STEP3: Configure the DNS for your ONPREMDC VM

  • The ONPREMDC VM (simulating an onprem Domain Controller) uses the Azure-provided DNS by default. We need to repoint the virtual network to the DNS of the Domain Controller.

  • On Azure Portal > Click on ONPREMDC VM and make a note of its private IP (

  • Now under the virtual network VNet-ADLAB > Settings > DNS Servers > Custom > enter the ONPREMDC VM's private IP, which is > Save.

STEP4: Create some Domain Accounts on your ONPREMDC VM

  • RDP to the ONPREMDC VM using the domain credentials created earlier, such as ADLABadmin@onpremADdomain.tld and <Password>.

  • Open AD Users and Computers and create 2 new dummy users under the Users container:

    • onpremad.acct1

    • onpremad.acct2

    • Choose a password for both > Set password to never expire and untick User must change password at next logon.

STEP5: Create a VM to host AAD Connect

  • From > Create a new VM:

    • az vm create --resource-group RG-ADLAB --name ADConnect --size Standard_DS1_v2 --image Win2019Datacenter --admin-username ADConnectAdmin --admin-password <ChoosePassword> --nsg NSG-ADLAB --private-ip-address

STEP6: Create the Azure AD Tenant

  • From within Azure Portal > Create a resource > Identity > Azure Active Directory > Create directory:

    • Org Name: azureADLab

    • Domain Name: testazureADLab

    • Create.

STEP7: Create the SYNC Account

  • This sync account is used by AAD Connect to synchronize objects between the onprem domain controller (ONPREMDC VM) and Azure AD (testazureADLab).

  • Under AAD > Click +New User > Put AADSync as Username and Name > Click Let me create the password > <ChoosePassword>

  • Under Groups and roles click on User > Select Global Administrator > Select > United Kingdom as location > Click Create.

  • Now test by opening and logging in with and Password.

STEP8: Join the ADConnect VM to the Domain

  • RDP to the ADConnect VM using ADConnectAdmin.

  • Change the domain (under Local Server) by entering the FQDN onpremADdomain.tld > OK > Enter ADLABadmin and the Password chosen earlier in STEP1 > Restart the VM.

STEP9: Install AAD Connect

  • Now we need to install the AAD Connect tool on the ADConnect VM.

  • RDP to the ADConnect VM using onpremADdomain\ADLABadmin (do not use the local account ADConnectAdmin).

  • Under Server Manager > turn off IE Enhanced Security Configuration for administrators.

  • Open IE > Browse to > Download and run the tool.

STEP10: Configure AAD Connect on the ADConnect VM

  • Double click and open the AAD Connect tool from the desktop > Select I agree > Continue > Use Express Settings.

  • On the Connect to Azure AD screen, enter your Azure AD details:

    • and Password from STEP7 > Next > Confirm.

  • On the Connect to AD DS screen, enter the AD DS domain admin details:

    • onpremADdomain\ADLABadmin from STEP2.

  • On the Azure AD sign-in configuration screen, tick Continue without any verified domain (as this is a temporary lab setup) > Next.

  • On the Ready to Configure screen, click Install > Once completed click Exit and close the RDP session.

STEP11: Final Verification 🙂

  • Go to Azure Portal and check your AAD under your directory > Click on Manage > Users > Here you should now see the 2 dummy accounts we created earlier in STEP4:

    • onpremad.acct1

    • onpremad.acct2

    • Also note their source shows as Windows Server AD. This proves that these are the accounts sync'd from onprem AD to Azure AD.

Now relax and take a cuppa! You have completed a full LAB of sync’ing onprem accounts to Azure AD.

NOTE: Please remember to clear down the LAB once you are done with it. As we have users synchronized from on-premises, the sync must first be turned off, and then the users must be deleted from the cloud directory using the Azure portal. If for any reason you have already deleted the entire resource group, you will have to forcefully get rid of those sync'd users via PowerShell:

Open PowerShell as admin and install the AAD module:

Install-Module -Name MSOnline

Answer Y to both prompts.

Then enter your O365 admin credentials and connect to AAD: Connect-MsolService

Get the list of users and make a note of principal name: Get-MsolUser

Now finally remove them: Remove-MsolUser -UserPrincipalName <userprincipalname>

For example:

PS C:\> Install-Module -Name MSOnline
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion -Force'. Do you want PowerShellGet to install and
import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y

PS C:\> Get-MsolGroup
PS C:\>
PS C:\> Get-MsolUser
UserPrincipalName DisplayName                                           isLicensed
----------------- -----------                                           ----------
                  On-Premises Directory Synchronization Service Account False
                  admin                                                 False

PS C:\>
PS C:\> Remove-MsolUser -UserPrincipalName ""
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\>
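The following script, added here and not part of the original post, does the STEP11 check and the teardown from the note above in one go: it lists the users that carry a LastDirSyncTime (i.e. those AAD Connect synced from ONPREMDC) and, when run with a -Remove switch of its own, disables directory sync and deletes only those users. It assumes Install-Module -Name MSOnline and Connect-MsolService have already been run as shown above.

```powershell
# Added example (not from the original post): list the users that AAD Connect synced
# from ONPREMDC (the STEP11 check) and, with -Remove, tear them down the way the note
# above describes: disable directory sync first, then delete the synced users only.
# Assumes: Install-Module -Name MSOnline and Connect-MsolService have already been run.
# MSOnline is the legacy module the post uses; Microsoft Graph PowerShell is its successor.
param(
    [switch]$Remove    # omit for a dry run that only reports
)

# A synced user carries LastDirSyncTime and an ImmutableId (base64 of the on-prem objectGUID).
# Cloud-only users such as AADSync and the sync service account have neither.
$synced = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime })

$company = Get-MsolCompanyInformation
"Directory sync enabled : {0}" -f $company.DirectorySynchronizationEnabled
"Last sync time         : {0}" -f $company.LastDirSyncTime
"Synced users           : {0}" -f $synced.Count
$synced | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime, ImmutableId | Format-Table -AutoSize

if (-not $Remove) {
    "Dry run. Re-run with -Remove to turn off sync and delete the users listed above."
    return
}

# Turn off sync first; otherwise the next AAD Connect cycle simply recreates the users.
# The change can take a while to be reflected by the tenant, so poll with a bound.
if ($company.DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
    $deadline = (Get-Date).AddMinutes(15)
    while ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
        if ((Get-Date) -gt $deadline) { throw "Directory sync still reports enabled; retry later." }
        Start-Sleep -Seconds 30
    }
}

foreach ($u in $synced) {
    # -Force skips the per-user "Continue with this operation?" prompt seen in the transcript.
    Remove-MsolUser -UserPrincipalName $u.UserPrincipalName -Force
    "Removed {0}" -f $u.UserPrincipalName
}

# Deleted users sit in the recycle bin for 30 days; purge them so the UPNs can be reused.
Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.LastDirSyncTime } |
    ForEach-Object { Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }
```

Run it once without -Remove and compare the listed UPNs against onpremad.acct1 and onpremad.acct2 before running it again with -Remove.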
