Hands-on-Lab

Create and Manage a Microsoft Azure Active Directory

August 2014


Contents

Create and Manage a Microsoft Azure Active Directory

Overview

Objectives

Exercise 1: Create an Azure Active Directory using the Microsoft Azure Management Portal

Task 1 – Login to the Azure Management Portal

Task 2 – Create a new Active Directory

Task 3 - Associate the Active Directory with your Azure subscription

Exercise 2: Add Users to Active Directory

Task 1 – Add a Global Administrator to the Active Directory

Task 2 – Add a User to the Active Directory

Task 3 – Add a Co-Administrator for the Microsoft Azure Subscription

Exercise 3: Create a Security Group and add Users to the Group

Task 1 – Sign-in to the Azure Management Portal as the Global Administrator

Task 2 – Create a Security Group

Task 3 – Add a User to the Security Group

Exercise 4: Sign-in to the Azure Management Portal as a User

Overview

In this lab, you will learn how to create an Azure Active Directory and associate it with your Azure Subscription. Next, you will create users as regular users in the directory as well as global administrators in the directory. Signed in as a global administrator, you will create a security group and add users to the group.

Objectives

This demo will walk you through how to:

  • Create a Microsoft Azure Active Directory using the Azure Management Portal
  • Associate the Active Directory with your Azure subscription
  • Add Users to the Active Directory
  • Show Capabilities of the Global Administrator Role
  • Show Capabilities of the User Role

Estimated time to complete this lab: 15 Minutes

Exercise 1: Create an Azure Active Directory using the Microsoft Azure Management Portal

Task 1 – Login to the Azure Management Portal

  1. Launch a browser and navigate to the Azure Management Portal. When prompted, sign in with your credentials to access your Azure Subscription.

Note: You may need to launch an "in-private" session in your browser if you have multiple Windows Accounts.

Task 2 – Create a new Active Directory

  1. In the Windows Azure Management Portal, select +NEW -> APP SERVICES -> ACTIVE DIRECTORY -> DIRECTORY -> CUSTOM CREATE.
  2. In the Add directory window specify the new directory settings.
  3. Set Directory to Create new directory.
  4. Set Name to a name of PPE Labs AD.
  5. Set Domain Name to a globally unique name of your choice.
  6. Set Country to your country.

Task 3 - Associate the Active Directory with your Azure subscription

Now that your Active Directory for your organization exists, the next thing you need to do is associate this directory with the Windows Azure subscription. What this means is that when you log in to the Azure Management Portal for this subscription, you will be doing so in the realm of your new Active Directory.

  1. Click on SETTINGS on the left of the screen.
  2. Click on SUBSCRIPTIONS at the top of the screen.
  3. Highlight your Windows Azure Subscription and click on the EDIT DIRECTORY button at the bottom of the screen.
  4. Select the new Active Directory you created in the previous task.
  5. Click the right arrow to go to the next screen.
  6. Click the check mark to save the change.
  7. The Windows Azure Management Portal will reload as a result of this change. Notice the change in the URL with respect to the realm. It will show the new Active Directory as the realm in the URL.

Exercise 2: Add Users to Active Directory

Task 1 – Add a Global Administrator to the Active Directory

  1. In the Azure Management Portal, click on the ACTIVE DIRECTORY link on the left of the screen.
  2. Click on the name of the directory you created previously.
  3. Click on the USERS tab at the top of the screen.
  4. At the bottom of the screen, click the ADD USER link to add a new user.
  5. In the Add User window specify the new user settings.
  6. Set Type of User to New user in your organization.
  7. Set User Name to a name of johndoe.
  8. In the user profile window, specify properties for this user as a Global Administrator.
  9. Set FIRST NAME to John.
  10. Set LAST NAME to Doe.
  11. Set DISPLAY NAME to John Doe (Global Admin).
  12. Set ROLE to Global Administrator.
  13. Set Alternate Email Address to an email address of your choice. We recommend using the Microsoft Account email address for the subscription, that is, the Account Administrator.
  14. Click the right arrow to continue.
  15. In the Get temporary password window, click the green create button to generate a temporary password for the user.
  16. In the New Password field, click the Copy icon to copy the password to your clipboard. Save this to notepad along with the user name for this user. You will need this information shortly.
  17. Click the check mark button to create the user in the directory.

This user will be able to administer the Active Directory only. This user will not be able to log in to the Windows Azure Management Portal or provision services in the Subscription (Virtual Machines, Networks, etc.) because this user is not a Co-Administrator for the Microsoft Azure Subscription.

Task 2 – Add a User to the Active Directory

  1. Repeat Task 1 to add a user as Jane Smith.
  2. Set USER NAME to janesmith.
  3. Set ROLE to User.

This user is a user in the directory right now. This user cannot administer the Active Directory, nor can this user log in to the Azure Management Portal and provision services.

Task 3 – Add a Co-Administrator for the Microsoft Azure Subscription

  1. Click on the SETTINGS link on the left of the screen.
  2. Click on the ADMINISTRATORS tab at the top of the screen.
  3. Click on the ADD button at the bottom of the screen.
  4. Enter the email address for John Doe. When you do this, the portal will verify the user name and show a green check mark. Notice that the user account is an Organizational Account, identified by the organizational account icon (the badge) next to the user.

  5. Click on the check box next to the Azure Subscription.
  6. Click the check mark to add the user as a Co-Administrator of the Azure Subscription.

This user, now being a Co-Administrator for the Azure Subscription, will be able to log in to the portal and provision services on the Subscription. This user is also a Global Administrator so this user can also administer the Active Directory.

  7. Sign out of the Azure Management Portal.

Exercise 3: Create a Security Group and add Users to the Group

Task 1 – Sign-in to the Azure Management Portal as the Global Administrator

  1. Sign in to the portal as the John Doe user. Since this is the first time you sign in as this user, you will need to enter the temporary password (copy from notepad).
  2. Enter the temporary password and then provide a new permanent password as demo@pass1. Press the submit button.
  3. Click through the new user tour dialogs for user John Doe. In the Azure Management Portal, you will see user John Doe signed in as an Organizational User in the upper-right corner of the screen.

Task 2 – Create a Security Group

  1. Click on ACTIVE DIRECTORY on the left navigation.
  2. Click on the PPE Labs AD directory name.
  3. Click the ADD GROUP button at the bottom of the screen.
  4. Set the NAME to Help Desk.
  5. Set the DESCRIPTION to Users staffing the help desk.
  6. Click the checkmark button to create the group.

Task 3 – Add a User to the Security Group

  1. Click on the Help Desk group.
  2. Click on the ADD MEMBERS link at the bottom of the screen.
  3. Click on Jane Smith, which will result in Jane Smith appearing in the SELECTED section, and then click the checkmark button.
  4. Jane Smith is now a member of the Help Desk security group.

Exercise 4: Sign-in to the Azure Management Portal as a User

  1. From the Internet Explorer main menu, select Tools -> InPrivate Browsing.
  2. In the new browser window, sign in to the portal as the Jane Smith user. Since this is the first time you sign in as this user, you will need to enter the temporary password (copy from notepad).
  3. Enter the temporary password and then provide a new permanent password as demo@pass1. Press the submit button.
  4. As the portal starts to load, you will get a message indicating that there were no subscriptions found for the Jane Smith user. This is expected. Recall, Jane Smith is not a Co-Administrator on the Azure Subscription. Therefore, Jane is not able to sign in to the Azure Portal and provision services.
  5. Close the Internet Explorer window that is in InPrivate Browsing mode.

Summary

In this lab, you learned how to create an Azure Active Directory and associate it with your Azure Subscription. You then learned how to create users as regular users in the directory as well as global administrators in the directory. Signed in as a global administrator, you created a security group and added users to the group. Finally, you observed that users that are not co-administrators on the Azure subscription are not able to sign-in to the Azure Management Portal.
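
The following is an added example, not part of the original lab: a PowerShell audit that compares who actually holds the Global Administrator role and who is in the Help Desk group against the accounts this lab creates. It assumes the Microsoft Graph PowerShell SDK is installed (the lab itself uses only the portal), the domain value is a placeholder for the name you chose in Exercise 1, and the helper function names are hypothetical. Subscription Co-Administrator assignments are not covered by this check.

```powershell
# Added example: audit the directory state this lab produces (not the lab's own code).
# Assumes the Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph
$Domain         = '<yourdomain>.onmicrosoft.com'   # placeholder: domain from Exercise 1
$ExpectedAdmins = @("johndoe@$Domain")             # Exercise 2, Task 1
$ExpectedGroup  = @("janesmith@$Domain")           # Exercise 3, Task 3

Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

# Hypothetical helper: turn directory objects into lower-case UPNs.
# Members that are not users (no UPN) are reported by object id instead.
function Get-MemberUpn {
    param($Members)
    foreach ($m in $Members) {
        $upn = $m.AdditionalProperties['userPrincipalName']
        if ($upn) { $upn.ToLower() } else { "non-user:$($m.Id)" }
    }
}

# Hypothetical helper: report principals that are present but not expected,
# and principals that are expected but absent.
function Compare-Membership {
    param([string]$Label, [string[]]$Actual, [string[]]$Expected)
    $exp = @($Expected | ForEach-Object { $_.ToLower() })
    [pscustomobject]@{
        Scope      = $Label
        Unexpected = @($Actual | Where-Object { $_ -notin $exp })
        Missing    = @($exp | Where-Object { $_ -notin $Actual })
    }
}

# Holders of the Global Administrator directory role
$role   = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$admins = @(Get-MemberUpn (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All))

# Members of the security group created in Exercise 3
$group    = Get-MgGroup -Filter "displayName eq 'Help Desk'"
$helpDesk = @(Get-MemberUpn (Get-MgGroupMember -GroupId $group.Id -All))

Compare-Membership 'Global Administrator role' $admins   $ExpectedAdmins
Compare-Membership 'Help Desk group'           $helpDesk $ExpectedGroup
```

The account that created the directory is also a Global Administrator, so it appears under Unexpected until you add it to `$ExpectedAdmins`. Any other entry there is a privileged account the lab did not create.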
