AZ-104 Microsoft Azure Administrator Associate – Manage Azure Active Directory
January 27, 2023

1. Azure AD – Basic vs Premium

So I’ve created a second virtual machine using the portal, and we can see in the resource group that there are now two network security groups. So Azure creates a network security group for you when you create VMs using the portal; it doesn’t even ask you or let you opt out of that, it will create one for you. But it is best practice to create network security groups that serve specific roles. If you have 100 virtual machines in your production environment, you definitely do not want 100 network security groups. Not only does that create extra clutter in your interface, it adds a security risk, because how are you going to keep track of 100 different network security groups and what is allowed and what is not allowed? So, best practice is to create role-specific network security groups.

And by that I mean, if you have servers that serve as front-end servers, you might need one set of network security group rules, like RDP, HTTPS traffic, et cetera. If you have back-end servers, you might need different network security group rules, et cetera. So create network security groups that are specific to the role that the server is playing. Let’s go into network interfaces here, and we can see that this default network security group is only pointing to one virtual machine. What I want to do is connect the other network interface card that we just created.

So let’s go back up to the resource group. We can see that we’ve got the virtual machines that were created and the network interfaces; one name ends in 773 and one in 768. We want this network interface to be connected to the other network security group, and then we’ll delete the one that Microsoft created. Go into the network interface itself. And we can see here that we’ve got a network security group set up.

If we go down to effective security rules, we can see that Azure calculates, based on the NSG settings, which security rules actually apply, right? So we can see the defaults here. What we want to do is associate this device with another network security group. So I’m going to go over to Network security group on the left, say Edit, and instead of this network security group, switch over to the other one which we just customized. So you’ll see that I was able to switch and say Save; it’s going to do some work to get that network interface card switched over to the new network security group. That seems to have worked.

And if I go back down to effective security rules, it’ll calculate them again. This time it should show me the RDP, HTTPS and HTTP rules, because we’ve changed the rules on the other network security group. And so we can see that the active rules have been updated to include these additional rules. So now we have two VMs that are pointing to a single network security group. And the network security group that was created for us should have no devices connected to it. So let’s go over to network interfaces: no results. Subnets: no results. So this is an orphan and we should be able to delete it. So that’s how you should be setting up your network security groups. Make one network security group for each individual role. That makes it easier for you to manage the security, because confusion is the enemy of security.
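The same role-based NSG setup the lesson clicks through in the portal, scripted in Azure PowerShell so it can be repeated for every front-end NIC and audited. This is an added example, not code from the course; it assumes the Az.Network module and a prior Connect-AzAccount, and the resource group, NSG and NIC names and the 10.0.100.0/24 management prefix are placeholders.

```powershell
# Added example, not from the course. Requires the Az.Network module and a prior
# Connect-AzAccount. All names and the 10.0.100.0/24 management prefix are placeholders.
$rg       = 'rg-demo'
$location = 'eastus'

# One NSG per server role, not one per VM. Front-end servers need HTTP/HTTPS from
# anywhere, but RDP should only be reachable from a management network, not from '*'.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-frontend'
$rules = @(
    @{ Name = 'Allow-HTTPS'; Priority = 100; Port = 443;  Source = '*' }
    @{ Name = 'Allow-HTTP';  Priority = 110; Port = 80;   Source = '*' }
    @{ Name = 'Allow-RDP';   Priority = 120; Port = 3389; Source = '10.0.100.0/24' }
)
foreach ($r in $rules) {
    $nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name -Priority $r.Priority `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $r.Source -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $r.Port
}
$nsg = $nsg | Set-AzNetworkSecurityGroup     # commit the rule set to Azure

# Point every front-end NIC at the shared role NSG (the portal's Edit on the NIC's
# Network security group blade does the same thing, one NIC at a time).
$frontEndNics = @('vm-web-1-nic', 'vm-web-2-nic')
foreach ($nicName in $frontEndNics) {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic.NetworkSecurityGroup = $nsg
    $nic | Set-AzNetworkInterface | Out-Null
}

# Effective security rules are what Azure actually enforces on the NIC once NIC-level and
# subnet-level NSGs are combined; verify those rather than trusting the NSG you edited.
foreach ($nicName in $frontEndNics) {
    "== effective inbound rules on $nicName =="
    (Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg).EffectiveSecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Sort-Object Priority |
        Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
}

# The per-VM NSGs the portal generated are now orphans: attached to no NIC and no subnet.
# Delete only those; an NSG that is still referenced is never touched by this filter.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg |
    Where-Object { $_.NetworkInterfaces.Count -eq 0 -and $_.Subnets.Count -eq 0 } |
    ForEach-Object {
        "Removing orphaned NSG $($_.Name)"
        Remove-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $_.Name -Force
    }
```

The orphan filter is the scripted form of the "Network interfaces: no results, Subnets: no results" check in the lesson; run the effective-rules loop again after the deletion to confirm nothing changed on the NICs.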

2. Create Azure AD

Now, if you don’t have Azure Active Directory, it’s as simple as going into the Marketplace. So you click the green plus sign, search for Active Directory, and you’ll see Azure Active Directory listed among the results; we say Create. Then it’s very simple to create an Active Directory. You give it a name, and then you basically have to create a domain name under onmicrosoft.com. You give an initial domain name and your organization name, pick your region, and then click Create. Microsoft will create for you an empty, free Azure Active Directory. Now, I’m just going to use the Active Directory that I’ve previously created. You can see that my organization name is Scott’s Course Outlook, and the domain name is scottscourseoutlook.onmicrosoft.com. This is an Azure free account. And the basic concept with Azure Active Directory, the core of it, is going to be around users and roles.

Okay? Now you add applications to your Active Directory, and users can be assigned roles and permissions based on that. So if I go into the Users section, I can see that I’ve previously created three users, two of them being members of my Active Directory and one being an external guest user. And I can very easily add more users manually, up to 500,000 in my free account, simply by adding a new user here. Now those users can then be grouped, perhaps by their roles. So if you have customers in your application, then you can create a Customers group, have members of that group, and based on the membership of the group, they might have certain permissions within your application. Employees, supervisors, accounting department, IT department, developers: you can create groups of similar people and then assign users to that group.

3. Add Custom Domains

Now we said before that Active Directory is for managing user identity as a service. And so theoretically you can go into your Active Directory and say, I want a new user. Let’s add Joe Smith as a user. Now, Joe Smith’s email is joesmith@gmail.com. Okay, we’re going to add Joe Smith. But we’ll see right away that we cannot add Joe Smith as a full member user, because gmail.com is not our domain name, and of course it’s a Google domain and will never be our domain name. So we have to use a domain for Joe Smith, and say it’s company.com. But even company.com is not a managed, verified domain name in this Active Directory. So the first thing that we’re going to need to do is add a custom domain name. Now, something will work, and I’ll show you what will work, because we created this directory as scottscourseoutlook.onmicrosoft.com. So if I put joesmith@scottscourseoutlook.onmicrosoft.com as the email address, that will work, because this domain is managed by this Active Directory.

Even though this isn’t a real email account, we could create a user with this account and it would be a valid user to log into our applications. But many of us want single sign-on. We want users to be able to use the same user ID and password they have in the Active Directory in their company, as well as when using our applications that connect to Azure Active Directory. So to do that, we’re going to need to add a custom domain name. So I’m going to close that, go up to the top level, and under Settings we see Custom domain names; go in there. And right now we’ve got the default, which was created with the directory: scottscourseoutlook.onmicrosoft.com.

This one I added a long time ago, Cafe Co; it is a verified domain. But what we want to do is add another verified domain. What this means is we’ll be able to add our company domain to this Azure Active Directory, and if we can verify that we own it, users can use that domain name to create accounts and to log in. Now, I happen to own a number of domain names, and so we’re going to use one of my domain names, herocourses.net. So we’re going to tell Azure Active Directory that we use this domain, and then we should be able to manage users that have this domain name. So I’m going to say Add domain. Now, we do need to prove that we own it. This is very similar to the way that Microsoft requires proof through DNS records when you set up other managed services. So we need to prove that we own it.

In order to prove that, we need to add the following information into our domain name service. So this is a TXT record with this host name and this text value, basically. And so we’re going to have to go to our registrar, modify the DNS to add a TXT record, and prove that we own this. Now, my registrar happens to be Namecheap, and so I’m going to have to go into the DNS section. So I’ll go down here, go into DNS, and we’re going to have to add, like it says, a TXT record. Now there already is one TXT record, so we’re going to have to add a new record. This is a TXT record; the host is an @ symbol, with the value given here. And they want the TTL to be one hour, which is 3600 seconds. And so I’m going to say Save. So this is saved. And if we go back to the Azure website, we can click the Verify button.

But for now it’s not going to find the TXT record that it’s looking for. We’ll give DNS, let’s say, a day to update. So to add a custom domain, you just have to add it, very simply, but then you have to prove that you own it. And you prove that you own it by making changes to the DNS records. So it’s the next morning, and I go into the herocourses.net domain. I click Verify, and it says domain name verified; so it was successfully verified, and I close this out. And we can see that now herocourses.net is a valid domain, along with its subdomains. If I go over to the Users section and create a new user, I can create a test user. And if I use the herocourses.net domain, then you see that Microsoft puts a green check mark next to it, which means it’s a valid domain. So in this video we’ve added a custom domain to Active Directory, which we can start using for users and systems.
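The whole flow of the last two lessons (register a custom domain, publish the TXT proof, verify, then create a user on the verified domain and put them in a role group) as an added Microsoft Graph PowerShell example. This is not code from the course: it assumes the Microsoft.Graph module is installed, herocourses.net stands in for any domain you control, and the user, group and DNS values are placeholders. The DNS lookup before Confirm-MgDomain is the step the lesson waits overnight for; checking public DNS yourself tells you whether a failed verification is propagation delay or a typo in the record.

```powershell
# Added example, not from the course. Uses the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). herocourses.net stands in for a domain you control;
# user, group and DNS values are placeholders.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.ReadWrite.All', 'Group.ReadWrite.All'
$domain = 'herocourses.net'

# 1. Register the domain. It is created unverified; no member user can be created on it yet.
if (-not (Get-MgDomain -DomainId $domain -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $domain | Out-Null
}

# 2. Azure AD issues the TXT value you must publish at the apex (host "@") of the zone.
$txt      = Get-MgDomainVerificationDnsRecord -DomainId $domain | Where-Object RecordType -eq 'Txt'
$expected = $txt.AdditionalProperties['text']
"Add at your registrar:  TXT  host=@  value=$expected  TTL=$($txt.Ttl)"

# 3. Look the record up in public DNS before pressing Verify. Only the token has to match;
#    any other TXT records already on the zone (SPF etc.) are left alone.
$published = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings
if ($published -contains $expected) {
    Confirm-MgDomain -DomainId $domain
} else {
    "TXT record not visible in DNS yet (seen: $($published -join ', ')); retry later."
}

# 4. Only a verified domain is accepted in a UPN. A consumer domain such as gmail.com can
#    never be verified here, which is why Joe Smith could only be a guest, not a member.
if (-not (Get-MgDomain -DomainId $domain).IsVerified) { throw "$domain is still unverified" }

# Temporary password from random letters and digits; the user must change it at first sign-in.
$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
$user = New-MgUser -DisplayName 'Test User' -UserPrincipalName "testuser@$domain" `
    -MailNickname 'testuser' -AccountEnabled `
    -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# 5. Role-based grouping: application permissions hang off the group, not the individual user.
$group = New-MgGroup -DisplayName 'Customers' -MailNickname 'customers' -MailEnabled:$false -SecurityEnabled
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
"Created $($user.UserPrincipalName) as a member of $($group.DisplayName)"
```

Step 3 can be rerun on its own until the record shows up; nothing before it needs to be repeated, and Confirm-MgDomain is idempotent once the domain is verified.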

4. Trial Upgrade to Premium P2

So I want to keep playing with the Azure Active Directory features. But to do that, I think I want to get up to the Azure AD Premium P2 level. So I’m going to go into my Azure Active Directory. This is a test account that I can play with and eventually delete when I need to. And I’m going to basically start the free trial. Because I want Identity Protection, I want to start the Premium P2 free trial. So the trial includes 100 licenses. It will be active for a limited number of days, and if I wish to keep it after that, I’ll need to purchase it. Okay, so I’m going to say Activate. So we’re going to let this activate. Successfully activated. So coming up, we can start playing with the Premium P2 features.

5. Azure AD Join

So back when I first started teaching Azure, there was an exam, 75 three three, a few years ago. I used to say that Azure Active Directory was not meant to be a replacement for on-premises Active Directory: you had your on-premises Active Directory acting as the directory for all of the users, the registrations, all of the objects of your corporation, and Azure Active Directory was a synchronized extension of that, which you only used for your cloud-based applications, so you could enable single sign-on, for instance. Well, that advice has changed a little bit over the years. There are now capabilities for Azure Active Directory to be the sign-in authentication service for Windows 10 devices. And so this is for what they call a cloud-only Active Directory.

That’s one of the intended use cases, where you don’t even have an on-premises Active Directory, and all of your devices effectively log into the cloud when the users put their username and password into the Windows 10 login screen. Now, maybe you do have an Active Directory and you’re synchronizing it to Azure Active Directory with Azure AD Connect, and you don’t want to pollute your local directory with a lot of temporary users. So maybe you’ve got students, partners, interns, other corporations that need access to your applications, and you don’t want to put them into your on-prem directory. And so you have this mixture of users, where your company employees are in your on-prem Active Directory and your temporary users and your other external users are in your Azure Active Directory. Now, this was B2B: the purpose of Azure AD B2B was to handle this, but you could have those users actually primarily managed within your Azure Active Directory.

This could also be for your own locations where you have AD infrastructure installed, but not everywhere. So you have a main office with the AD server running on the local network, but you have some remote office with only two or three users, and you can’t justify installing an Active Directory server in that location and setting up the whole forest and so on. And so what you do is have those remote users log into the Azure Active Directory as their primary directory, while the rest of the employees use the on-prem one. So there are lots of different use cases, but this is called Azure AD Join. I took this diagram from the Microsoft website. You see that you do have a laptop, and it points to Azure Active Directory as its authentication service, not the on-prem Active Directory Domain Services. And so that’s a hybrid setup; it’s perfectly fine as well.

I’m not going to get into how to set that up. Basically, the devices themselves obviously have to be configured. And so you either use what’s called Windows Autopilot when you’re setting up a device for the first time: as you’re installing your version of Windows and all your software, you set up the Azure AD join. You can also use a bulk deployment model, where maybe you’re managing your Windows devices using something like Intune, or Windows Configuration Designer, and you push out that configuration to those devices. And finally there is a way called the self-service experience, where you can go into a device, customize it manually, and then sign into Azure AD instead of your company AD. So those are the three options for Azure AD join.
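Whichever of the three join paths a device took, the check that it really authenticates against Azure AD (and not, or not only, the on-prem domain) is the built-in `dsregcmd /status` tool. The function below, an added example that is not part of the course, parses its output into the join types described above; it takes the text as a parameter so it can also be run over output collected from another machine, and the sample lines at the end are constructed, not a real capture.

```powershell
# Added example, not from the course. Classifies a Windows device's join state from the
# output of the built-in `dsregcmd /status` tool, the check to run after an Autopilot,
# bulk (Intune / Windows Configuration Designer) or self-service join.
function Get-DeviceJoinState {
    param(
        # Defaults to the live tool; pass captured text to analyse output from another machine.
        [string[]]$StatusText = (& dsregcmd /status)
    )
    $flags = @{ AzureAdJoined = $false; DomainJoined = $false; WorkplaceJoined = $false }
    foreach ($line in $StatusText) {
        # dsregcmd prints e.g. "             AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\b') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $joinType =
        if ($flags.AzureAdJoined -and $flags.DomainJoined) { 'Hybrid Azure AD joined (on-prem AD + Azure AD)' }
        elseif ($flags.AzureAdJoined)                        { 'Azure AD joined (cloud-only sign-in)' }
        elseif ($flags.DomainJoined)                         { 'On-premises domain joined only' }
        elseif ($flags.WorkplaceJoined)                      { 'Azure AD registered (personal device)' }
        else                                                 { 'Not joined' }
    [pscustomobject]@{
        JoinType        = $joinType
        AzureAdJoined   = $flags.AzureAdJoined
        DomainJoined    = $flags.DomainJoined
        WorkplaceJoined = $flags.WorkplaceJoined
    }
}

# Constructed sample of the relevant dsregcmd lines (real output has many more fields).
$sample = @(
    '+----------------------------------------------------------------------+'
    '| Device State                                                         |'
    '+----------------------------------------------------------------------+'
    '             AzureAdJoined : YES'
    '          EnterpriseJoined : NO'
    '              DomainJoined : NO'
    '| User State                                                           |'
    '           WorkplaceJoined : NO'
)
Get-DeviceJoinState -StatusText $sample   # the constructed cloud-only device
Get-DeviceJoinState                       # the machine you are running on
```

A device that reports DomainJoined : YES with AzureAdJoined : NO after an Autopilot or self-service join has not actually moved to cloud sign-in, which is the condition this check is meant to catch.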
