Setting up Azure AD Connect - brian-anderson01/Capstone GitHub Wiki

Prerequisites

  • To start off, you are going to need a Windows server with ADDS and DNS roles installed
  • Once the server has the required setup, continue on to implement Azure AD Connect

Implementation

  • Making the server a DC
    • Open Server Manager and select "Promote this server to a domain controller"
    • Create a new forest and name it
    • Input a password for the DSRM on the next page then leave the rest default and install
    • The server will reboot; once it is back up, log back in
    • Set a static IP address on the server and make sure the DNS is set to the server itself
  • Setting up Azure AD Connect
    • Start off by adding the Azure DNS server as a forwarder in DNS Manager
      • Open DNS Manager and click on your server
      • Right-click it and choose Properties, then the Forwarders tab
      • Edit or add the forwarder and put in 168.63.129.16
    • Now open Active Directory Domains and Trusts
      • Right-click on the top left where it says Active Directory Domains and Trusts and choose Properties
      • Now add your Azure AD domain name as an alternative UPN suffix
    • Open Active Directory Users and Computers
      • Create a new user named adadmin and make sure to set the logon domain as your Azure domain when setting the user logon name
      • Add the new user to the Enterprise Admins group and close that out
  • Install and configure AD Connect
    • Download the AD Connect installer from Microsoft
    • Run the MSI; it installs AD Connect and then launches it
    • Agree to the terms
    • Click "Use express settings", then log in with the Azure admin account
    • Once logged in with the Azure admin account, log in with the local Enterprise Admin account you just created
    • Now, click next and the configuration will load. Leave the box checked to start syncing when the configuration completes
    • Click install and wait while it configures
    • Now if we go to Azure AD in a web browser and choose Azure AD Connect we can see the connection status
    • We can also see local synced users by going to the users page
    • Now to test it is syncing, create a new user on the server and check in Azure to see if it appears
    • Once you have created the user, run the following in PowerShell: Start-ADSyncSyncCycle -PolicyType Delta
    • This syncs any changes that have not already been pushed to Azure
    • To run a full sync you can run Start-ADSyncSyncCycle -PolicyType Initial; this isn't necessary for every sync
    • Once the sync is complete the user should show up in the Azure users page, and the user should be able to log in to the Azure portal themselves. If they can, Azure AD Connect is working!
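The sync test above can be scripted end to end. This is an added example, not part of the original wiki: it creates a constructed, disabled test user, waits for the scheduler, requests a delta cycle, then confirms through Microsoft Graph that the object arrived as a synced (not cloud-only) user. It assumes you run it on the AD Connect server as a domain admin with the Microsoft.Graph module installed; the tenant domain and account name are placeholders.

```powershell
# Added example (not the wiki's own script): verify that a new on-prem user reaches Azure AD
# via a delta sync. Assumes the ActiveDirectory, ADSync and Microsoft.Graph modules are present.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module Microsoft.Graph.Users

$TenantDomain = "example.onmicrosoft.com"   # placeholder: your Azure AD UPN suffix
$Sam          = "synctest01"                # constructed test account name
$Upn          = "$Sam@$TenantDomain"

# 1. Create the test user disabled, with a random password, so the constructed account
#    cannot be used to sign in while it exists.
New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn -Enabled $false `
    -AccountPassword (ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force)

# 2. Wait for any running cycle to finish, then request a delta sync (the same command the
#    wiki runs by hand). Start-ADSyncSyncCycle errors if a cycle is already in progress.
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 3. Poll the scheduler until the delta cycle completes
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 4. Check in Azure AD that the user is present and flagged as synced from on-prem
Connect-MgGraph -Scopes "User.Read.All"
$cloudUser = Get-MgUser -Filter "userPrincipalName eq '$Upn'" `
    -Property UserPrincipalName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime
if ($cloudUser -and $cloudUser.OnPremisesSyncEnabled) {
    "OK: $Upn synced at $($cloudUser.OnPremisesLastSyncDateTime)"
} else {
    "FAIL: $Upn not visible in Azure AD yet; check Get-ADSyncConnectorRunStatus and Synchronization Service Manager"
}

# 5. Remove the constructed account so it is not left behind on the domain
#    (the deletion will be pushed to Azure AD on the next cycle).
Remove-ADUser -Identity $Sam -Confirm:$false
```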

Configuring Azure AD Connect to join new devices to the local domain and Azure AD (hybrid join)

  • On your on-premises DC, open Azure AD Connect
  • Click tasks on the left, and choose configure device options
  • Click next and next again
  • Log in with your Azure admin account
  • Now choose "Configure Hybrid Azure AD join" and click next
    • Choose "Windows 10 or later domain-joined devices", as we only have Windows 10 or later computers on the domain
    • Check the box next to your local domain forest and choose Azure Active Directory in the drop-down, then click add
    • A pop-up will appear; log in with an Enterprise Admin account. The Enterprise Admin should then appear in the list, as in the screenshot below
    • Click next then wait for the program to load, then click configure
    • If everything worked properly, you should see "Configuration complete"

Configuring SSO and Pass-through authentication

  • Open Azure AD Connect on the on-premises server
  • Click tasks on the left, and choose "Change user sign-in"
  • Log in as the Azure admin to proceed
  • On the next page choose "Pass-through authentication" and check the box to enable single sign-on then click next
    • Now click "Enter credentials" and log in with the domain admin account to enable SSO; once signed in, click next
    • Wait for the application to check everything, then click configure
    • Once that loads, you should see "Configuration Complete"; if so, SSO and pass-through authentication are now enabled

Implementing seamless SSO

  • With everything above done, SSO should now be enabled
  • To check the status go to the Azure portal, then to Azure AD, and click Azure AD Connect on the left
  • Under User sign-in, Seamless single sign-on should say Enabled
  • Now back on the server, open Group Policy Management
    • Right-click the Default Domain Policy and go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.
    • Enable the policy, then click "Show" next to "Enter the zone assignments here"
    • For Value Name input https://autologon.microsoftazuread-sso.com
    • For Value input 1
    • Next, browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
    • Right-click "Allow updates to status bar via script"
    • Enable the policy and click ok
    • Now you can close Group Policy Management and SSO should be enabled
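To confirm the policy above actually landed on a client, and that the hybrid join from the earlier section is in place, the checks can be scripted. This is an added example, not part of the original wiki: it reads the registry values the Site to Zone Assignment List and Intranet Zone policies write, parses dsregcmd /status for the join state, and checks the AZUREADSSOACC computer account that seamless SSO creates in the domain. It assumes it runs as the signed-in user on a domain-joined Windows 10+ client with RSAT installed; the mapping of "Allow updates to status bar via script" to value 2103 under the Intranet zone key is an assumption.

```powershell
# Added example (not the wiki's own script): audit seamless SSO prerequisites on a client.
$AutologonUrl = "https://autologon.microsoftazuread-sso.com"
$PolicyBase   = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
$results      = [ordered]@{}

# 1. Site to Zone Assignment List writes one value per URL under ZoneMapKey;
#    the autologon URL must map to zone 1 (Local intranet), as set in the GPO above.
$zoneMap = Get-ItemProperty -Path "$PolicyBase\ZoneMapKey" -ErrorAction SilentlyContinue
$results["AutologonInIntranetZone"] = ($zoneMap.$AutologonUrl -eq "1")

# 2. Intranet zone: "Allow updates to status bar via script" enabled.
#    Assumption: this policy is stored as DWORD 2103 = 0 under Zones\1.
$zone1 = Get-ItemProperty -Path "$PolicyBase\Zones\1" -ErrorAction SilentlyContinue
$results["StatusBarScriptAllowed"] = ($zone1.'2103' -eq 0)

# 3. Device state from dsregcmd: a hybrid-joined device reports both flags as YES.
$dsreg = dsregcmd /status
$results["HybridJoined"] = [bool](($dsreg -match '^\s*AzureAdJoined\s*:\s*YES') -and
                                  ($dsreg -match '^\s*DomainJoined\s*:\s*YES'))

# 4. Domain side: seamless SSO relies on the AZUREADSSOACC computer account. Microsoft
#    recommends rolling its Kerberos decryption key at least every 30 days, so a
#    PasswordLastSet older than that is flagged for the admin to act on.
Import-Module ActiveDirectory
$ssoAcc = Get-ADComputer -Identity "AZUREADSSOACC" -Properties PasswordLastSet -ErrorAction SilentlyContinue
$results["SsoAccountExists"]      = [bool]$ssoAcc
$results["SsoKeyRolledWithin30d"] = [bool]($ssoAcc -and ($ssoAcc.PasswordLastSet -gt (Get-Date).AddDays(-30)))

# Simple pass/fail report
$results.GetEnumerator() | ForEach-Object {
    "{0,-26} {1}" -f $_.Key, $(if ($_.Value) { "PASS" } else { "FAIL" })
}
```

Run it after gpupdate /force and a sign-out/sign-in, since the policy lives under User Configuration and only applies at user logon.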