Dec 14, 2022

Set up a hybrid Azure AD lab

General steps

  1. Set up an on-premises AD with the forest name johnfoo.tk
  2. Get a free domain from Freenom (johnfoo.tk)
  3. In Freenom, configure the domain to use your own DNS server, pointing at the on-prem DC IP
  4. Set up Azure AD
  5. Create an Azure AD account for AAD Connect and make it Global Admin
  6. Create an on-prem AD service account for AD Connect and give it DC Sync (directory replication) permission, or let AD Connect create the account for you
  7. Add and verify the custom domain in AAD. Create the TXT record on your AD DNS. The record named "@" that Azure asks for is the equivalent of the "(same as parent)" record in Windows DNS: just leave the record name blank when creating the TXT record.
  8. Install AD Connect and enable:
    1. Password hash sync (PHS; recommended for authentication fault tolerance) or PTA. Federation is of course also possible, depending on whether you already use ADFS on prem
    2. Seamless SSO (so on-prem users get SSO into Azure)
    3. Be careful which attribute you use for the join (matching) rule. UPN is a good candidate. Using mail for the linkage will not work unless on-prem users already have an email address
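The two parts of this procedure that are easy to get wrong are the zone-apex TXT record in step 7 and the matching attribute in step 8.3. The following PowerShell is an added example (not from the original post) that does both checks from the on-prem DC: it creates the TXT record at the apex of the johnfoo.tk zone, confirms the DC actually answers for it before you press "Verify" in Azure AD, and lists enabled users whose UPN does not end in the verified suffix (and whether they have a mail attribute). It assumes the DC hosts the DNS zone and has the DnsServer and ActiveDirectory modules; the MS= value is a placeholder for whatever the Azure AD custom domain blade shows you.

```powershell
# Added example, not part of the original post. Run on the DC as a domain admin.
Import-Module DnsServer
Import-Module ActiveDirectory

$zone    = 'johnfoo.tk'
$txtData = 'MS=msXXXXXXXX'   # PLACEHOLDER: paste the verification value Azure AD gives you

# Step 7: the "@" record Azure asks for is the zone apex, shown as
# "(same as parent folder)" in the DNS console. -Name '@' targets the apex.
Add-DnsServerResourceRecord -ZoneName $zone -Name '@' -Txt `
    -DescriptiveText $txtData -TimeToLive '01:00:00'

# Ask the DC itself (not an upstream resolver) whether the record is visible yet.
$answer = Resolve-DnsName -Name $zone -Type TXT -Server 127.0.0.1 -ErrorAction Stop
if ($answer.Strings -contains $txtData) {
    Write-Host "TXT record for $zone is served by this DC; Azure AD verification can proceed."
} else {
    throw "TXT record for $zone not visible on the DC yet; check the zone and try again."
}

# Step 8.3: if AD Connect matches on UPN, every synced user needs the verified suffix.
# Report enabled users that would not match, plus whether they even have a mail value
# (the reason "mail" is a poor matching attribute in a lab like this one).
$suffix = "@$zone"
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
    Where-Object { $_.UserPrincipalName -notlike "*$suffix" } |
    Select-Object SamAccountName, UserPrincipalName,
        @{ Name = 'HasMail'; Expression = { [bool]$_.mail } }

if ($mismatched) {
    Write-Warning "Users without the $suffix UPN suffix (will not match on UPN):"
    $mismatched | Format-Table -AutoSize
} else {
    Write-Host "All enabled users carry the $suffix UPN suffix."
}
```

If any users show up in the last table, fix their UPN suffix before the first sync; otherwise AD Connect will create duplicate cloud users instead of linking to the ones you expect.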

Manually join Windows clients into Azure AD

  1. Enable the join/register option for regular users: AAD | Devices | Device Settings | Users may join devices to Azure AD
  2. On the Windows client, open Accounts, choose connect to work, then select "Join this device to Azure AD" and follow the on-screen instructions
  3. Use "AzureAD\azureUPN" to log into the newly joined machine (e.g. AzureAD\jlan@johnfoo.tk)

Manually register Windows clients into Azure AD

  1. Same steps as above, but in step 2 do not select "Join this device to Azure AD"; instead, just click the "Next" button

Create a B2C Tenant

  1. Run "az provider register --namespace Microsoft.AzureActiveDirectory"
  2. Follow the on-screen instructions

Grant Admin access to an Azure-joined machine

  1. Tenant-wide permission
    1. Azure AD has a "Device administrators" role for this purpose
    2. Go to Devices | Device Settings | Manage Additional local administrators on all Azure AD Joined devices | +assignment
  2. Individual machine
    1. Locally on the machine, use Account Settings to elevate a user
    2. net localgroup administrators "Contoso\username" /add   (for adding an on-prem user)
    3. net localgroup administrators "AzureAD\UserUpn" /add   (for adding an Azure AD user)
    4. Use an MDM solution
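Whichever of the routes above you use, the thing to keep an eye on afterwards is who actually sits in the local Administrators group, because tenant-wide role members, on-prem accounts and per-machine additions all end up there. The following PowerShell is an added example (not from the original post) that audits the group on a joined client and flags members outside an allow list. It assumes the built-in LocalAccounts module on the client; the allow list is constructed for the lab and reuses the AzureAD\jlan@johnfoo.tk account from the post.

```powershell
# Added example, not part of the original post. Run elevated on the Azure AD joined client.
# Azure AD principals show up with SIDs of the form S-1-12-1-..., and the PrincipalSource
# column tells you whether a member came from Local, ActiveDirectory, AzureAD or MicrosoftAccount.

# Constructed allow list for the lab: the Azure AD user from the post plus the built-in account.
$allowed = @(
    'AzureAD\jlan@johnfoo.tk',
    "$env:COMPUTERNAME\Administrator"
)

function Get-LocalAdminReport {
    param([string[]]$AllowList = $allowed)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Source    = $_.PrincipalSource
            Class     = $_.ObjectClass
            SID       = $_.SID.Value
            IsAzureAD = $_.SID.Value -like 'S-1-12-1-*'
            Expected  = $AllowList -contains $_.Name
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

$unexpected = $report | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning ("Local administrators not on the allow list: " + ($unexpected.Name -join ', '))
}

# Equivalent of step 2.3 above in the PowerShell module, if you want to add a member here:
# Add-LocalGroupMember -Group 'Administrators' -Member 'AzureAD\jlan@johnfoo.tk'
```

On some builds Get-LocalGroupMember errors out on an Azure AD SID it cannot resolve to a name; if that happens, `net localgroup administrators` still lists the raw members and you can diff that output against the same allow list.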

Enable Hybrid AD join

  1. Run ADC (Azure AD Connect), select Configure | Additional tasks | Configure device options
  2. Follow the on-screen instructions
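After the AD Connect wizard finishes, the client does not become hybrid joined until it has picked up the configuration and registered with Azure AD, and the way to confirm that is `dsregcmd /status`. The following PowerShell is an added example (not from the original post) that parses the tool's "key : value" lines and reports the fields that distinguish a hybrid join (AzureAdJoined and DomainJoined both YES) from a plain Azure AD join or a mere registration. It assumes dsregcmd is present on the client; the sample output is constructed so the parser can be exercised offline, and the device and tenant identifiers in it are placeholders.

```powershell
# Added example, not part of the original post.

# Turn the "   Key : Value" lines of dsregcmd /status into a hashtable; banner
# and separator lines have no colon and are skipped.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:|+-][^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

# -Live runs the real tool; otherwise the supplied sample lines are parsed.
function Test-HybridJoin {
    param([switch]$Live, [string[]]$SampleLines)
    $lines = if ($Live) { & dsregcmd /status } else { $SampleLines }
    $s = ConvertFrom-DsregStatus -Lines $lines
    [pscustomobject]@{
        AzureAdJoined    = $s['AzureAdJoined']
        DomainJoined     = $s['DomainJoined']
        WorkplaceJoined  = $s['WorkplaceJoined']   # YES means "registered", not joined
        TenantName       = $s['TenantName']
        DeviceId         = $s['DeviceId']
        HasPrt           = $s['AzureAdPrt']        # YES once the user has a Primary Refresh Token
        HybridJoined     = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
    }
}

# Constructed sample resembling the output on a hybrid-joined lab client (identifiers are placeholders).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : JOHNFOO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : johnfoo
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

Test-HybridJoin -SampleLines $sample | Format-List
# On a real client:  Test-HybridJoin -Live | Format-List
```

Reading the result: AzureAdJoined YES with DomainJoined NO is the manual Azure AD join from the earlier section, WorkplaceJoined YES with both of those NO is the manual registration, and a hybrid join that shows AzureAdPrt NO after the user has logged in usually means the device joined but Seamless SSO or the user's UPN suffix is still wrong.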