How to Govern both your On-premises infrastructure & Azure Cloud services using Microsoft Entra ID & AD-Connect

Mahad Said | Cloudy Thoughts

10 min read · Nov 21, 2023


Microsoft Entra ID, formerly known as Azure Active Directory (AAD), enables organizations to manage and safeguard identities, giving employees, partners, and customers seamless access to the applications and services they need. This identity solution from Microsoft integrates across a wide spectrum, from on-premises legacy applications to a multitude of leading software-as-a-service (SaaS) applications. This integration improves the end-user experience while providing better visibility and control. A little fun fact: "Entra" derives from the Latin word "intrare", meaning "to enter". Azure Active Directory (now Entra ID) came about because companies needed an internet-friendly way to authenticate remote workers and mobile apps: Windows Active Directory relies on internal-network protocols such as LDAP and Kerberos, which are not ideal for, and may not work at all over, the public internet. Azure Active Directory lets organizations authenticate securely over the internet using standard internet protocols (HTTPS over TCP).

Key terms:

Governance: in the context of IT security, governance refers to the overall framework, policies, processes, and controls that organizations establish and adhere to in order to manage and protect their information technology resources and data. IT security governance is an integral part of overall corporate governance, focusing specifically on the protection of digital assets and information.

Active Directory Domain Services (AD DS)

Reference: Active Directory Users and Computers | Microsoft Learn

Tenant: a tenant is a logical and isolated instance of the directory service that is dedicated to a specific organization. Active Directory is a directory service developed by Microsoft for Windows domain networks, and it provides a centralized and standardized way of managing and organizing information about network resources, including users, computers, and other devices.

Accounts

Identities

Subscriptions

Access Control: implementing controls to manage and restrict access to sensitive information and IT systems. This includes user authentication, authorization processes, and the principle of least privilege, which ensures that individuals have access only to the resources necessary for their role.

Role-based access control (RBAC): a method of managing and controlling access to computer systems or networks based on the roles or responsibilities of individual users within an organization. In an RBAC system, access permissions are associated with specific roles, and users are assigned to these roles based on their job functions or responsibilities.

In this lab I will do a proof of concept of what it looks like to integrate an on-premises infrastructure with an Azure service, i.e. O365, and use Entra ID Connect to synchronize between the workloads. I will build a virtualized on-premises infrastructure using Windows Hyper-V Manager.

  1. Build a server and client integration using Windows Server 2019 and a Windows 10 client.
  2. Enable and start these services from within the Windows Server 2016: Active Directory, DHCP and DNS.
  3. Create a tenant in Azure with its own subscription and O365 licensing.
  4. Synchronize my on-premises directory with my Azure tenant using AD Connect.

Prerequisites:

  • A host machine with Windows 8 or later
  • Hyper-V enabled as a Windows feature and installed
  • A free-tier account with Microsoft Azure

1. Install the Hyper-V role on your computer.

To install Hyper-V on a client computer running Windows 8 (or later):

a. In Control Panel, open Programs and Features.

b. Click Turn Windows features on or off.

c. Select Hyper-V.

d. Click OK and restart.

2. Reboot your computer EVEN IF NOT PROMPTED.

Hyper-V enabled.

Let's build our virtual network and "on-premises" infrastructure.

Next, you will create your first Windows Server 2019 virtual machine.

1. On your host machine, on the root of the C:\ drive, create a folder named VMs.

2. In Hyper-V Manager, create a new virtual machine with the following settings.

  • Name: ADDS Server
  • Location: C:\VMs (Store all virtual machines in this location)
  • Generation: Generation 1
  • Startup memory: 1024 MB
  • Use Dynamic Memory for this virtual machine: Yes
  • Connection: External
  • Virtual hard disk name: Server1.vhdx
  • Size: Default (127 GB)
  • Installation options: Install an operating system from a bootable CD/DVD-ROM

Browse to https://www.microsoft.com/en-us/evalcenter/download-windows-server-2019 to download the ISO image of the server. The site may prompt you to register to obtain the free trial of Windows Server 2019.
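The same VM can be built from the host's PowerShell prompt instead of the New Virtual Machine wizard. This is an added example, not part of the original post; it assumes the external virtual switch is named "External" and that the downloaded ISO was saved as C:\VMs\ISO\WinServer2019.iso (both are assumptions, not stated in the post).

```powershell
# Added example: create the "ADDS Server" VM with the settings listed above,
# using the Hyper-V PowerShell module. Run in an elevated PowerShell on the host.
$VmName     = 'ADDS Server'
$VmRoot     = 'C:\VMs'
$SwitchName = 'External'                         # assumption: name of your external switch
$IsoPath    = 'C:\VMs\ISO\WinServer2019.iso'     # assumption: where the ISO was saved

New-Item -Path $VmRoot -ItemType Directory -Force | Out-Null

# Generation 1, 1024 MB startup memory, new 127 GB VHDX, connected to the external switch
New-VM -Name $VmName -Path $VmRoot -Generation 1 -MemoryStartupBytes 1GB `
       -NewVHDPath (Join-Path $VmRoot 'Server1.vhdx') -NewVHDSizeBytes 127GB `
       -SwitchName $SwitchName | Out-Null

# "Use Dynamic Memory for this virtual machine: Yes"
Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $true

# "Install an operating system from a bootable CD/DVD-ROM": attach the ISO and boot from it first
Add-VMDvdDrive -VMName $VmName -Path $IsoPath
Set-VMBios -VMName $VmName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Start the VM and confirm the settings took effect
Start-VM -Name $VmName
Get-VM -Name $VmName | Select-Object Name, State, Generation, MemoryStartup, DynamicMemoryEnabled
```

Open the VM with Connect in Hyper-V Manager afterwards to walk through Windows Setup exactly as in step 3 below.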

3. In Hyper-V Manager, connect to and start the virtual machine and complete Windows Server 2019 setup with the following settings:

When I attempted to start up the ADDS server, I got an error about not having enough memory.

Finally got my memory upgraded, and got a great Black Friday deal out of it.

  • Language, Time and currency format, and Keyboard: Defaults
  • Operating system: Windows Server 2019 Datacenter Evaluation (Desktop Experience)
  • Installation type: Custom

When your VM reboots during the installation process, don’t press any keys when it reboots. You’ll be tempted. It actually tells you to press any key to boot from CD. That’s not what you want to do. Don’t listen to the voices. Stay strong. Don’t press any key. #donottouchyourcomputer

This step takes several minutes. While we wait let's go ahead and install the client VM.

4. Set the Administrator password to Pa$$w0rd.

Use Pa$$w0rd for all account passwords.

Login to the virtual machine by selecting Action > Ctrl+Alt+Del from the top of the virtual machine window.

Now you will create a Windows 10 client virtual machine.

1. Create the Windows 10 virtual machine. You will use the ISO file that you downloaded.

a. Create a new virtual machine with the following settings.

  • Name: Client PC 1
  • Location: the same location as your other VMs and disks
  • Startup memory: 1024 MB
  • Use Dynamic Memory for this virtual machine: Yes
  • Connection: External
  • ISO: Windows 10 Enterprise Evaluation (download: Windows 11 Enterprise | Microsoft Evaluation Center)

IMPORTANT. At the end of setup you are prompted to "Sign in with Microsoft". Do NOT log in to the client machine with your Microsoft corporate credentials or your personal Microsoft Live account. Select "Domain join instead" at the bottom left of the screen and proceed by creating a local user with the password Pa$$w0rd.

b. Start the virtual machine and complete installation.

Client PC 1 and ADDS Server virtual machines in Hyper-V Manager

Now that you have created the virtual machines, it’s time to prepare the virtual machines to communicate on a private network by configuring the computer name and network for each virtual machine.

1. Change the computer name for each virtual machine.

a. Change the computer name for each virtual machine to match the virtual machine name. For example:

  • Virtual machine: ADDS-Server
  • Computer name: ADDS-Server

b. When prompted, restart the virtual machine.

c. Identify your external adapter and rename it to External Adapter.

To locate your adapter settings

  • Server: Connect and log into the virtual machine. In the Server Manager console, click the address next to the network adapter to open the Network Connections window.
  • Client: Connect and log into the virtual machine. Go to Settings and click Network & Internet.

d. Repeat until you have renamed each virtual machine and its network interface.

2. Shut down all of the virtual machines.

3. Add the Private network adapter to each virtual machine

a. In Hyper-V Manager, click ADDS-Server and then click Settings.

b. Under Hardware, click Add Hardware.

c. Click Network Adapter and then click Add.

d. Under Virtual Switch, select Private.

e. Repeat this process for each virtual machine.

4. Configure network settings

Before you configure each network adapter, use the ipconfig command to validate that you are configuring the right adapter.

a. Start each virtual machine.

b. On each of the virtual machines, open a command prompt, run the following command, and answer these questions:

ipconfig /all

As shown, we have two separate adapters.

This is the virtual IP address handed out to the virtual machine via the Hyper-V network adapter.

If this virtual machine defaults to Enhanced Session Mode and does not allow you to log in remotely, go to the Hyper-V settings and uncheck Allow enhanced session mode.

c. Identify your private adapter and rename it to Private Adapter.

To locate your adapter settings

  • Server: Connect and log into the virtual machine. In the Server Manager console, click the address next to the network adapter to open the Network Connections window.
  • Client: Connect and log into the virtual machine. Go to Settings and click Network & Internet.

d. Configure the Private network adapter network settings for each virtual machine as follows:

Manually configure IP address information for your virtual machines by performing the following steps:

  • Server: Connect and log into the virtual machine. In the Server Manager console, click the address next to the network adapter that you want to configure. In the Network Connections window, right-click the network adapter for which you want to configure an address, and then click Properties. In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. Enter the following IPv4 address information, and then click OK twice:

  • IP address:
  • Subnet mask:
  • Preferred DNS server:

  • Client: Connect and log into the virtual machine. Go to Settings and click Network & Internet. Then click Ethernet in the left pane. Click Change adapter options. Enter the IPv4 address information.

e. Open the Network Connections control panel

f. Disable the External Adapter on the client.

The reason you are disabling the External adapter on the client is to make sure you have properly configured the Private network, and the client is able to reach the server on that Private network only.

Disabled External Adapters for both VMs

g. Now, let’s check the network settings using the ipconfig command again. On each of the virtual machines, open a command prompt, run the ipconfig command.

h. Finally, test that your network configuration is working. On the client (Client PC 1), attempt to ping the ADDS server with the command ping 192.168.0.1.

Successful pings between Client & Server
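Steps d through h can also be done from an elevated PowerShell prompt inside each VM, which avoids configuring the wrong adapter by mistake. This is an added example, not from the original post. It assumes the adapters were already renamed as in step c, a /24 subnet (255.255.255.0), a client address of 192.168.0.2, and that both VMs use the ADDS server (192.168.0.1) as their preferred DNS server, which is where DNS will run once the server is promoted; only 192.168.0.1 comes from the post.

```powershell
# Added example: configure the Private Adapter on a VM and verify connectivity.
# Run as: .\Set-PrivateNet.ps1 -Role Server   (on ADDS-Server)
#         .\Set-PrivateNet.ps1 -Role Client   (on Client PC 1)
param(
    [ValidateSet('Server', 'Client')] [string] $Role = 'Server'
)

$ServerIp = '192.168.0.1'                  # from the ping test in the post
$ClientIp = '192.168.0.2'                  # assumption: client address on the private network
$MyIp     = if ($Role -eq 'Server') { $ServerIp } else { $ClientIp }

# Work only on the adapter attached to the Private switch (renamed in step c)
$adapter = Get-NetAdapter -Name 'Private Adapter'

# Drop any DHCP/APIPA address and switch the interface to static addressing
Remove-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
                    -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -Dhcp Disabled

# Step d: IP address, subnet mask (/24) and preferred DNS server
New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $MyIp -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ServerIp

if ($Role -eq 'Client') {
    # Step f: disable the External Adapter so the client can only reach the server privately
    Disable-NetAdapter -Name 'External Adapter' -Confirm:$false
}

# Step g: show what was applied
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
    Format-Table InterfaceAlias, IPAddress, PrefixLength

# Step h: from the client, confirm the server answers on the private network
if ($Role -eq 'Client') {
    if (Test-Connection -ComputerName $ServerIp -Count 2 -Quiet) {
        'Client can reach ADDS Server on the private network'
    } else {
        'Ping failed: check that both VMs use the Private switch and the server firewall allows ICMP'
    }
}
```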

In this task, your objective is to set up the ADDS server as a domain controller by adding the AD DS role.

  1. Install the AD DS role on Server1 (the ADDS-Server VM).
     a. If Server1 is not already running, start it and log in as an administrator.
     b. Use the Add Roles and Features wizard to add the Active Directory Domain Services role.

The subsequent exercise will guide you through the configuration steps for the domain controller.

After successfully installing Active Directory Domain Services on Server1, the next step is to establish your initial domain controller. Follow these steps for the AD DS post-deployment configuration:

  1. Promote Server1 to a domain controller with the specified settings:

a. Choose to add a new forest.

b. Set the root domain name to cloudythoughts.com.

c. Assign the DSRM password as Pa$$w0rd.

2. For the remaining configuration options, carefully review any notifications, accept the default settings, and proceed with the installation.

3. It’s possible that a few yellow warnings may appear during the process, but these should not obstruct the installation, and it should conclude successfully.

Promoted to a Domain Controller

Use either the Active Directory Administrative Center or Active Directory Users and Computers to create these accounts.

1. Create user accounts, OUs, and security groups.

a. Create the user accounts with the following settings:

  i. Password: Pa$$w0rd
  ii. Password options: Password never expires.
  iii. Create the specified Active Directory objects.

There are a few ways to create these user objects, the OUs, and the group memberships they belong to, but I will be using PowerShell to speed up the process.

Reference: New-ADUser (ActiveDirectory) | Microsoft Learn
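One way to script the OUs, security groups and users from the domain controller, as an added example that is not the post's own script. Only the domain (cloudythoughts.com), the password settings and the user Jimmy Danger come from the post; the OU names, group names and the other user names are constructed sample data.

```powershell
# Added example: create OUs, security groups and users with the ActiveDirectory module.
# Run on the domain controller as a domain administrator.
Import-Module ActiveDirectory

$DomainDn = 'DC=cloudythoughts,DC=com'
# Lab-only password from the post (i.). In a real directory, generate a unique password per
# user and require a change at first logon instead of "never expires".
$Password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Constructed sample layout: one OU and one global security group per department
$Layout = @(
    @{ Ou = 'IT';      Group = 'IT Staff';      Users = @('Jimmy Danger', 'Ann Example') },
    @{ Ou = 'Finance'; Group = 'Finance Staff'; Users = @('Bob Sample') }
)

foreach ($entry in $Layout) {
    $ouDn = "OU=$($entry.Ou),$DomainDn"
    # Create the OU and group only if they do not already exist (script can be re-run safely)
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$($entry.Ou))" -SearchBase $DomainDn)) {
        New-ADOrganizationalUnit -Name $entry.Ou -Path $DomainDn
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$($entry.Group)'")) {
        New-ADGroup -Name $entry.Group -GroupScope Global -GroupCategory Security -Path $ouDn
    }
    foreach ($full in $entry.Users) {
        $first, $last = $full -split ' ', 2
        $sam = ($first.Substring(0, 1) + $last).ToLower()      # e.g. jdanger
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }
        New-ADUser -Name $full -GivenName $first -Surname $last -SamAccountName $sam `
            -UserPrincipalName "$sam@cloudythoughts.com" -Path $ouDn `
            -AccountPassword $Password -Enabled $true `
            -PasswordNeverExpires $true -ChangePasswordAtLogon $false   # ii. in the post
        Add-ADGroupMember -Identity $entry.Group -Members $sam
    }
}

# Verify: list each group's members
foreach ($entry in $Layout) {
    $members = Get-ADGroupMember -Identity $entry.Group | Select-Object -ExpandProperty SamAccountName
    "$($entry.Group): $($members -join ', ')"
}
```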

Now that you have a domain controller and AD with all your users, it’s time to add the client virtual machines to the domain.

1. Add virtual machine to the domain

a. Log on to client virtual machine and join it to the cloudythoughts.com domain using cloudythoughts\Administrator credentials.

b. Reboot the client when prompted.

2. Login to the client VM with Jimmy Danger’s account

If you encounter an error that prevents you from logging on remotely using the designated account, go to View at the top of the VM window and uncheck Allow enhanced session mode.


Mahad Said | Cloudy Thoughts

DevOps Engineer | Cloud Migrations Delivery Engineer | 2x Azure 2x AWS and Oracle certified