In Part 6 we securely published our Exchange Services using Microsoft Active Directory Federation Services (ADFS) and Web Application Proxy (WAP). In Part 7 we will be setting up an Office 365 Tenant and utilizing Azure AD Connect to sync our On-Premise users to this Tenant.
In order to start Part 7 of our Lab we will need access to an Office 365 Plan that includes at least Exchange. At the writing of Part 7 the most cost effective package for what we'll need is Office 365 Business Essentials. In order to Sign-up (Credit Card will be required), we will need to head to the following URL:
Follow the steps below to sign up for an Office 365 Business Essentials account:
1. Scroll down and find the Select a plan section then under Office 365 Business Essentials use the pull-down, select $6.00 user/month then click Buy now.
2. Under the set up your account section complete the fields shown below.
2. Under the create your new user ID section complete the fields shown below.
3. Under the Verify your phone number section select Call me, enter your valid Phone number then click Call me.
4. After the Call me button is pushed the Verification code section will appear. You will receive a call from Microsoft with a 6-Digit Code which should be entered under the Verification Code then click Continue.
5. At the Customize your order screen enter the amount of Users you would like for your tenant (In my case 2) then click Check out
6. At the Review your order click Next.
7. At the legal agreement screen check the Agreement then re-type the same name shown under Customer under the Full name section then click Next
8. At the Payment screen enter your payment information then click Place order.
9. At the order completed screen click on Continue.
10. At the Welcome screen you will notice that some things are still being setup. While this is taking place let's head over to our Admin console by click on Admin.
11. Under the Office 365 Business Essentials subscription setup is incomplete section click on Go to setup.
12. At the Add a domain screen under I already own a domain section enter it.dmgva.com then click Next.
!!!Note: Replace it.dmgva.com with your externally registered domain
13. At the Verify domain screen make note of the details provided for the DNS TXT Record. This record will need to be created within your Name Registrar before continuing then once completed click Verify.
14. At the Add users screen click on Exit and continue later.
Instead of using the wizard to create our first user, we will utilize the standard method of user creation by using our Admin Center Console. Follow the procedures below to create our first user:
1. In the Left-pane click on Users then select Active users.
2. In the Middle-Pane under Home> Active users click on + Add a user.
3. At the New user pop-up enter the information below
First name: Test
Last name: User2
User name: TUser2
Then make sure to use the Domain pull-down menu and select gelvade.onmicrosoft.com, use the Password drop-down and select Let me create the password, enter a password, and uncheck Make this user change their password when they first sign in then click Add.
4. At the User was added screen uncheck Send password in email then click Close.
As you can see we now have 2 users within our Office 365 Tenant. The first is our Admin Account which was created when we signed up and the second is the Test User2 Account that we just created. Now it is time to sync our On-Premise accounts to our Tenant as well. In order to do this we will be using a Tool called Azure AD Connect. This product is based on Microsoft Identity Manager (MIM) and will be used to sync our account to Office 365 as well as help us configure our existing ADFS Server for Single Sign-On. In a production environment, you will have dedicated servers responsible for Azure AD Connect, however for our lab we will be installing this product on our Azure Domain Controller (KHL-DC) so let's head over and get it installed and configured :
In preparation for our Azure AD Connect customization we will need to create a specific OU that will be used to determine users that will by synced to our Office 365 Tenant. Follow the steps below to create the OU:
1. Logon onto KHL-DC.
2. Open Server Manager then in the Upper-Right corner click on Tools and select Active Directory Users and Computers.
3. In the Left-Pane right-click killerhomelab.com and select New | Organizational Unit.
4. At the New Object - Organizational Unit pop-up enter Office 365 Users then click OK.
5. In the Left-pane click on Users and locate Test User1.
6. Right-click Test User1 and select Move.
7. At the Move pop-up select Office 365 Users then click OK.
From within Internet Explorer navigate to the following URL and download Azure AD Connect:
1. From your Downloads folder double-click AzureADConnect.msi.
2. At the Welcome to Azure AD Connect screen select I agree to the license terms and privacy notice then click Continue.
3. At the Express Settings screen click Customize.
4. At the Install required components screen click Install.
5. At the User sign-in screen select Federation with AD FS then click Next.
6. At the Connect to Azure AD screen enter the Admin Credentials you used during your Office 365 Sign Up then click Next.
7. At the Connect your directories screen enter the Domain Credentials for your killerhomelab.com Forest and click Add Directory then click Next.
8. At the Azure AD sign-in configuration screen make sure that <mydomainname>.com is showing as Verified then click Next.
9. At the Domain and OU filtering screen select Sync selected domains and OUs, expand killerhomelab.com and uncheck everything except Office 365 Users then click Next.
10. At the Uniquely identifying your users screen click Next.
11. At the Filter users and devices screen click Next.
12. At the Optional features screen select Exchange hybrid deployment then click Next.
13. At the AD FS Farm screen select Use an existing Windows Server 2012 R2 AD FS farm then click the Browse button.
14. At the Select Federation Servers screen enter KHL-ADFS in the Search field and hit Enter then select KHL-ADFS.killerhomelab.com and select OK, then click Next.
15. At the Domain Administrator credentials screen enter your KHL Domain Admin Credentials then click Next.
!!!Note: In the event that this connection fails, log onto KHL-ADFS and run the following command:
16. At the Azure AD Domain screen use the DOMAIN pull-down menu and select it.dmgva.com then click Next.
17. At the Ready to configure screen make sure Start the synchronization process when configuration completes is selected then click Install.
18. At the Installation complete screen make sure the I have created DNS records that allow clients to resolve my federation service (it.dmgva.com) from both the intranet and the extranet has been selected then click Verify.
(!!!Note: These records should have been created in Part 6 of this Series)
19. Once the ADFS Internal & External URL have been verified click Ext.
Now that we have completed our initial Azure AD Connect deployment, lets take a look at the changes it has made. We will start right here on KHL-DC which is our Azure AD Connect Server as well by taking a look at the Synchronization Service Manager. This tool can be launched form the following location:
C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe
Once we are inside of the Synchronization Service Manager we will want to click on Connectors as shown below:
As you can see their are 2 connectors that Azure AD Connect created. The first is to our actual Active Directory Domain which is killerhomelab.com and the second is to our Office 365 Tenant. Since Microsoft Identity Management (MIM) is beyond the scope of this blog I will not go into great detail on the inner workings of MIM Synchronization, but will note that the purpose of these two connectors is to pull/push data from their respective sources (Active Directory/Office 365). The default synchronization time is every 30 Minutes however if you would like to speed up this process you can follow the steps below to initiate an immediate Synchronization with Office 365:
1. Under Connectors in the Middle-Pane, right-click killerhomelab.com and select Run.
2. At the Run Connector windows under Run Profiles select Delta Import (Stage Only) then click on OK. (Wait for the connector to complete all of it's steps before moving on)
3. At the Run Connector windows under Run Profiles select Delta Sychronization then click on OK. (Wait for the connector to complete all of it's steps before moving on)
4. Under Connectors in the Middle-Pane, right-click gelvade.onmicrosoft.com and select Run.
5. At the Run Connector windows under Run Profiles select Export then click on OK. (Wait for the connector to complete all of it's steps before moving on)
Now we can head back over to Office 365 to verify that Test User1 which was an On-Premise user has synced successfully.
From a InPrivate Browsing session within Internet Explorer navigate to the following URL:
At the Sign-in Page enter your Office 365 Admin Credentials. Once logged in on the Left-Pane navigate to Users | Active Users. You will now see that our On-Premise User (Test User1) has now been synced up to Office 365.
Now it is time for us to test and review each users logon process. We will start with our On-Premise User, Test User1. Close your existing browser and the re-launch and InPrivate Browsing session for Internet Explorer and follow the steps below:
1. Navigate to https://portal.office365.com
2. Enter the Username for Test User1. (You will be redirected to your ADFS Logon page since this user is using a Federated Domain.
3. You will now notice that you have been redirected to your ADFS Logon page and your Username has been Auto populated. Click on Sign in using an X.509 certificate as shown below.
4. At the Certificate pop-up
5. As shown below, you have now successfully used your On-Premise account to logon to Office 365 using a Federated Logon.
Now we have confirmed that our On-Premise account has been synced to Office 365 and that we can use it to logon to Office 365. We know that the account was synced using Azure AD Connect. Now it is time to see what Azure AD Connect did to our ADFS Server to allow Federated Logon. Follow the steps below to review KHL-ADFS.
1. Logon to KHL-ADFS.
2. Open Server Manager then in the Top-right corner click Tools | AD FS Management.
3. In the Left-Pane expand Trust Relationships and select Relying Party Trusts.
In addition to our Device Registration, OWA and ECP Relying Party Trusts, you will see that Azure AD Connect has also added an Relying Party Trust called "Microsoft Office 365 Identity Platform". This Relying Party Trust is used to allow ADFS to trust logon requests redirected from the Office 365 Portal.
Now that we have our Synchronization and Authentication for User Accounts worked out, we are now finished with Part 7 of this Series. In Part 8 of our Series (Configuring Exchange Hybrid Configuration Wizard), we will be Configuring our On-Premise Exchange 2016 to work with our Office 365 Exchange Tenant. Have fun with the lab!!!