Azure AD Proof of Concept Playbook
Explore and quickly implement Identity and Access Management scenarios
Executive Summary
This document provides guidelines to explore different Azure AD capabilities in a Proof of concept (POC). The intended
audience of this document is Identity Architects, IT Professionals, and System Integrators.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed
as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted
to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented
after the date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright,
no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any
such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their
accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their
respective manufacturers.
© 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization
of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Executive Summary
Contents
How to use this Playbook
PoC Ingredients
    Theme
    Environment
    Target Users
PoC Implementation
    Foundation - Syncing AD to Azure AD
    Theme - Lots of apps, one identity
    Theme - Increase your security
    Theme - Scale with Self Service
PoC Building Blocks
    Catalog of Actors
    Common Prerequisites for all building blocks
    Directory Synchronization - Password Hash Sync (PHS) - New Installation
    Branding
    Group based licensing
    SaaS Federated SSO Configuration
    SaaS Password SSO Configuration
    SaaS Shared Accounts Configuration
    Groups - Delegated Ownership
    SaaS and Identity Lifecycle
    Self Service Password Reset
    Self Service Access to Application Management
    Azure Multi-Factor Authentication with Phone Calls
    MFA Conditional Access for SaaS applications
    Privileged Identity Management (PIM)
    Discovering Risk Events
    Deploying Sign-in risk policies
Note: Throughout this document, you will see some specific third party applications and products mentioned as examples
for convenience. Azure AD supports thousands of applications in our application gallery that you can use based on your
needs and environment.
PoC Ingredients
Theme
Azure AD provides identity and access solutions across multiple areas in the enterprise. We classify the scenarios in the
following areas:
Defining a theme to frame the PoC helps focus the effort on what resonates with business goals, which oftentimes are
the triggers of the interest in a proof of concept in the first place.
Environment
It is important to determine the details of the environment where you will deliver the PoC. Ideally you can build upon it
after the PoC is completed. The target environment is crucial and you should find the right balance between making it as
real as possible and the overhead of constraints or extra considerations. The typical environments for PoCs are:
Production: The scenarios will be implemented in your live environment and already deployed Microsoft Cloud
services (production AD, Office 365, Azure AD tenant/SSO solution).
User Acceptance Test (UAT)/Dev environment: You have test infrastructure (parallel AD and potentially Azure
AD tenant/SSO solution) with test data that resembles production. Typically, the test environment is shared
across multiple projects in the enterprise.
Most scenarios in this guide are additive in nature. As a result, they can be deployed in the production tenant without
affecting users outside the PoC. Throughout this document, we will be calling out which scenarios would have a
tenant-wide effect. In those cases, you might want to consider a non-production environment.
Target Users
It is important to determine the target set of users that will exercise the scenarios, especially when the environment is
production or test. The categories of target users for PoC are:
Pilot Users: Real users in the environment that will be using the solution with the account they use for their day
to day job functions
Test Users: Test accounts created in the environment
Most scenarios in this guide can be exercised by pilot users. Throughout this document, we will be calling out target user
considerations if needed.
PoC Implementation
Foundation - Syncing AD to Azure AD
A hybrid identity is the foundation for most enterprise customers who already have an on-premises directory. The
goal here is to intentionally spend as little time on this step as possible, so that the actual identity and access
scenarios can show their value.
6. The Sales department wants to audit who accessed Twitter. Bob downloads an activity report and shares it with
Kevin over email.
Database team | Owners of the database infrastructure | Provide access to the SQL environment (AD FS or Azure AD Connect) for specific scenario preparations. They should be involved as little as possible
Network team | Owners of the network infrastructure | Provide required access at the network level for the synchronization servers to properly access the data sources and cloud services (firewall rules, ports opened, IPsec rules, etc.)
Security team | Defines the security strategy, analyzes security reports from
Common Prerequisites for all building blocks
Id | Pre-requisite | Resources
1 | Azure AD tenant defined with a valid Azure subscription | https://azure.microsoft.com/en-us/documentation/articles/active-directory-howto-tenant/
Note: If you already have an environment with Azure AD Premium licenses, you can get a zero cap subscription by navigating to https://aka.ms/accessaad
Note: Some workloads such as Power BI could have provisioned an Azure AD tenant under the covers. To check if a given domain is associated to a tenant, navigate to https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration. If you get a successful response, then the domain is already assigned to a tenant and a takeover might be needed. If this is the case, please contact Microsoft for further guidance. Learn more about the takeover options at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-self-service-signup/
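The discovery check in the note above can be scripted so that every candidate domain is tested before the PoC starts. The following is an added example, not part of the playbook: it interprets the OpenID Connect discovery reply (a 200 with an "issuer" means the domain is already bound to a tenant; an invalid_tenant error means it is free). The sample replies, the tenant GUID and the domain names are constructed for offline use.

```python
"""Check whether a DNS domain is already bound to an Azure AD tenant.

Added example (not from the playbook). The live lookup hits the OpenID
discovery URL the playbook names; classify_response() turns the reply into
a PoC decision. Sample replies below are constructed, not captured.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple

DISCOVERY_URL = "https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration"


@dataclass
class TenantCheck:
    domain: str
    assigned: bool            # True when the domain already belongs to a tenant
    tenant_id: Optional[str]  # GUID parsed from the issuer when assigned
    detail: str               # short explanation for the PoC notes


def classify_response(domain: str, status: int, body: str) -> TenantCheck:
    """Interpret an HTTP status and JSON body from the discovery endpoint."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return TenantCheck(domain, False, None, f"unparseable response (HTTP {status})")

    if status == 200 and isinstance(doc.get("issuer"), str):
        # Issuer has the form https://login.microsoftonline.com/<tenant-guid>/v2.0
        parts = doc["issuer"].rstrip("/").split("/")
        tenant_id = parts[-2] if len(parts) >= 2 else None
        return TenantCheck(domain, True, tenant_id,
                           "domain already assigned to a tenant; takeover may be needed")

    if status == 400 and doc.get("error") == "invalid_tenant":
        return TenantCheck(domain, False, None,
                           "no tenant bound to this domain; a new tenant can be created")

    # Anything else (throttling, HTML error page, missing issuer) is inconclusive.
    return TenantCheck(domain, False, None,
                       f"unexpected reply (HTTP {status}); re-check manually")


def fetch_discovery(domain: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Perform the live lookup and return (status, body). Needs network access."""
    req = urllib.request.Request(DISCOVERY_URL.format(domain=domain),
                                 headers={"User-Agent": "poc-tenant-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # Azure AD answers an unknown domain with a 400 and a JSON error body.
        return err.code, err.read().decode("utf-8", errors="replace")


def check_domain(domain: str) -> TenantCheck:
    status, body = fetch_discovery(domain)
    return classify_response(domain, status, body)


# Constructed sample replies shaped like the endpoint's real output (placeholder GUID).
SAMPLE_ASSIGNED = (200, json.dumps({
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
}))
SAMPLE_FREE = (400, json.dumps({
    "error": "invalid_tenant",
    "error_description": "Tenant 'fabrikam.example' not found (constructed sample).",
}))

if __name__ == "__main__":
    for dom, (status, body) in (("contoso.example", SAMPLE_ASSIGNED),
                                ("fabrikam.example", SAMPLE_FREE)):
        print(classify_response(dom, status, body))
```

Run check_domain("yourdomain.example") for a live answer; the offline samples only exercise the decision logic.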
Directory Synchronization - Password Hash Sync (PHS) - New Installation
Prerequisites
Id | Pre-requisite | Resources
1 | Server to run Azure AD Connect | Azure AD Connect: Prerequisites and hardware
2 | Target POC users, in the same domain and part of a security group, and OU | Azure AD Connect: Custom installation
3 | Azure AD Connect features needed for the POC are identified | Azure AD Connect: Integrating your on-premises identities with Azure Active Directory -- Configure Sync Features
4 | You have the needed credentials for the on-premises and cloud environments | Azure AD Connect: Accounts and permissions
Steps
Step | Resources
1. Download the latest version of Azure AD Connect | Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center
2. Install Azure AD Connect with the simplest path (Express): | Azure AD Connect: Custom installation: Domain and OU filtering; Azure AD Connect: Custom installation: Group based filtering; Azure AD Connect: Integrating your on-premises identities with Azure Active Directory -- Configure Sync Features
   a. Filter to the target OU to minimize the sync cycle time
   b. Choose the target set of users in the on-premises group
   c. Deploy the features needed by the other POC themes
Considerations
1. Please look at the security considerations of password hash sync here. If password hash sync for pilot
production users is definitively not an option, then consider the following alternatives:
a. Create test users in the production domain. Make sure you don't synchronize any other account.
b. Move to a UAT environment.
2. If you want to pursue federation, it is worthwhile to understand the costs associated with a federated solution with
an on-premises Identity Provider beyond the POC, and to measure them against the benefits you are looking for:
a. It is in the critical path, so you have to design for high availability.
b. It is an on-premises service you need to capacity plan.
c. It is an on-premises service you need to monitor/maintain/patch.
Learn more:
a. Understanding Office 365 identity and Azure Active Directory - Federated Identity
Branding
Approximate time to Complete: 15 minutes
Prerequisites
Id | Pre-requisite | Resources
1 | Assets (images, logos, etc.); for best visualization make sure the assets have the recommended sizes | Add company branding to your sign-in and Access Panel pages - What elements can I customize?
2 | Optional: If the environment has an AD FS server, access to the server to customize the web theme | Customizing the AD FS Sign-in Pages
3 | Optional: If the environment has an AD FS server, credentials to manage the AD FS server are required | AD FS Requirements
4 | Client computer to perform the end user login experience |
5 | Optional: Mobile devices to validate the experience |
6 | Optional: access to a PC, and target mobile devices |
Steps
Step | Resources
1. Go to the Azure management portal and select your directory | Azure classic portal
2. Navigate the customization experience | Add company branding to your sign-in and Access Panel pages - Configure your directory with company branding
3. Upload the assets for the login page (hero logo, small logo, labels, etc.). Optionally, if you have AD FS, align the same assets with the AD FS login pages | Add company branding to your sign-in and Access Panel pages - Customizable Elements
Considerations
If the old look and feel remains after the customization, flush the browser client cache and retry the operation.
Group based licensing
Prerequisites
Id | Pre-requisite | Resources
2 | All POC users are part of a security group (either cloud or on-premises) | Managing groups in Azure Active Directory
Steps
Step | Resources
1. Log in as a global admin in the Azure management portal | Azure classic portal
2. Assign the licenses to the security group with the POC users | Simplified License Assignment with Azure AD and EMS (Enterprise Mobility and Security Blog)
Considerations
Since the POC will potentially cover more scenarios, it is good to have all POC users in one security group and
assign the license to that group.
The current functionality assigns all service plans within the license. For EMS licenses, this means access to all
components in the suite (i.e. Azure AD Premium, Intune and Azure RMS).
SaaS Federated SSO Configuration
Prerequisites
Id | Pre-requisite | Resources
1 | Test environment of the SaaS application available. In this guide, we use ServiceNow as an example. We strongly recommend using a test instance to minimize friction in navigating existing data quality and mappings. | Go to https://developer.servicenow.com/app.do#!/home to start the process of getting a test instance
2 | Admin access to the ServiceNow management console | Tutorial: Azure Active Directory integration with ServiceNow
3 | Target set of users to assign the application to. A security group containing the POC users is recommended. | Azure AD and Applications: Assigning Users to an Application
Steps
Step | Resources
1. Share the tutorial from the Microsoft documentation with all actors | Tutorial: Azure Active Directory integration with ServiceNow
2. Set up a working meeting and follow the tutorial steps with each actor | Tutorial: Azure Active Directory integration with ServiceNow
3. Assign the app to the group identified in the Prerequisites. If the POC has conditional access in scope, you can revisit that later and add MFA and similar controls. Note this will kick off the provisioning process (if configured) | Azure AD and Applications: Assigning Users to an Application; Managing groups in Azure Active Directory
4. Wait a few minutes while provisioning completes. In the meantime, you can check on the provisioning reports | How can I track the progress of the current provisioning Job?
6. Click on the tile for the application that was just created. Confirm access | Launching Applications
7. Optionally, you can check the application usage reports. Note there is some latency, so you need to wait some time to see the traffic in the reports | View your access and usage reports; Azure Active Directory Reporting Latencies
Considerations
1. If the target application is not present in the gallery, then you can use bring your own app. Learn more:
Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
SaaS Password SSO Configuration
Prerequisites
Id | Pre-requisite | Resources
1 | Test environment for SaaS applications. Examples of Password SSO applications are HipChat and Twitter. For any other application, you need the exact URL of the page with the HTML sign-in form. | HipChat on Microsoft Azure Marketplace; Twitter on Microsoft Azure Marketplace
2 | Test accounts for the applications | Sign up for Twitter
Steps
Step | Resources
1. Sign up for a test account | Sign up for Twitter; Sign Up for Free - HipChat
2. Configure the application in Azure AD |
3. Assign the app to the group identified in the Prerequisites | Azure AD and Applications: Assigning Users to an Application
Considerations
1. If the target application is not present in the gallery, then you can use bring your own app. Learn more:
a. Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
Keep in mind the following requirements:
The application should have a known login URL.
The sign-in page should contain an HTML form with one or more text fields that the browser extensions can
auto-populate. At a minimum, it should contain username and password.
2. The IE extension can be deployed at scale via group policy; see: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-ie-group-policy/
SaaS Shared Accounts Configuration
Prerequisites
Id | Pre-requisite | Resources
1 | The list of target applications and the exact sign-in URLs ahead of time. As an example, you can use Twitter. | Sign up for Twitter
2 | Shared credential for this SaaS application | Sharing accounts using Azure AD; Azure AD automated password roll-over for Facebook, Twitter and LinkedIn now in preview! (Enterprise Mobility and Security Blog)
3 | Credentials for at least two team members who will access the same account. They must be part of a security group | Azure AD and Applications: Assigning Users to an Application
4 | Local administrator access to a computer to deploy the Access Panel Extension for IE/Chrome | Access Panel Extension for IE; Access Panel Extension for Chrome; Access Panel Extension for Firefox
Steps
Step | Resources
1. Configure the SaaS application adding | What is application access and single sign-on with Azure Active Directory?
2. Set up the access to a security group and map it to a shared account | Sharing accounts using Azure AD
3. If using Twitter, Facebook or LinkedIn, set up and discuss the password rollover capabilities | Azure AD automated password roll-over for Facebook, Twitter and LinkedIn now in preview! (Enterprise Mobility and Security Blog)
4. Log in as different users that log in as the same shared account | Introduction to the Access Panel - Launching Applications; View your access and usage reports
5. Optionally, you can check the application usage reports. Note there is some latency, so you need to wait some time to see the traffic in the reports | View your access and usage reports; Azure Active Directory Reporting Latencies
Considerations
1. If the target application is not present in the gallery, then you can use bring your own app. Learn more:
a. Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
Keep in mind the following requirements:
The application should have a known login URL.
The sign-in page should contain an HTML form with one or more text fields that the browser extensions can
auto-populate. At a minimum, it should contain username and password.
Groups - Delegated Ownership
Prerequisites
Id | Pre-requisite | Resources
1 | SaaS application (Federated SSO or Password SSO) has already been configured | Building block: SaaS Federated SSO Configuration
2 | Cloud group that is assigned access to the application in #1 is identified | Building block: SaaS Federated SSO Configuration
3 | Credentials for the group owner are available | Managing access to resources with Azure Active Directory groups
4 | Credentials for the information worker accessing the apps have been identified | Introduction to the Access Panel - Launching Applications
Steps
Step | Resources
1. Identify the group that has been granted access to the application, and configure the owner | Managing owners for a group
2. Log in as the group owner and view the group membership | Introduction to the Access Panel - Manage your groups
3. Add the information worker you want to test | Managing groups in Azure Active Directory - How do I add or remove individual users in a security group?
4. Log in as the information worker and confirm the tile is available | Introduction to the Access Panel - Launching Applications
Considerations
1. If the application has provisioning enabled, you might need to wait a few minutes for the provisioning to
complete before accessing the application as the information worker.
SaaS and Identity Lifecycle
Prerequisites
Id | Pre-requisite | Resources
1 | SaaS application has already been configured | Building block: SaaS Federated SSO Configuration
2 | Group that is assigned access to the application in #1 is identified | Building block: SaaS Federated SSO Configuration
Steps
Step | Resources
1. Remove the user from the group the app is assigned to | Managing groups in Azure Active Directory - How do I add or remove individual users in a security group?
2. Wait a few minutes for de-provisioning | Automated SaaS App User Provisioning in Azure AD - How does automated provisioning work?
4. Check the provisioning reports to show that the de-provisioning happened. Also, check the management console of the SaaS app to see the status update of the user | Automated SaaS App User Provisioning in Azure AD - How can I track the progress of the current provisioning Job?
Considerations
1. Extrapolate the POC scenario to leavers and/or leave of absence scenarios. If the user gets disabled in
on-premises AD or removed, there is no longer a way to log in to the SaaS application.
Self Service Password Reset
Prerequisites
Id | Pre-requisite | Resources
1 | Enable self service password management in your tenant | Enable users to reset or change their AD Passwords
2 | Enable password write-back to manage passwords from on-premises. Note this requires specific Azure AD Connect versions | Password Writeback prerequisites
3 | Identify the POC users that will use this functionality, and make sure they are members of a security group. The users must be non- | Customize: Azure AD Password Management - Restrict Access to password reset
Steps
Step | Resources
2. Determine the password reset policy. For POC purposes, you can use phone call and Q & A. It is recommended to require registration on login to the access panel | Getting Started: Azure AD Password Management - Configure Password Reset Policy
Considerations
1. If upgrading the Azure AD Connect is going to cause friction, then consider using it against cloud accounts or
make it a demo against a separate environment
2. The administrators have a different policy and using the admin account to reset the password might taint the
POC and cause confusion. Make sure you use a regular user account to test the reset operations
Self Service Access to Application Management
Prerequisites
Id | Pre-requisite | Resources
1 | Identify POC users that will request access to the applications, as part of the security group | Building block: SaaS Federated SSO Configuration
2 | Target application deployed | Building block: SaaS Federated SSO Configuration
Steps
Step | Resources
1. Log in as a global admin | Azure classic portal
2. Turn on delegated group management | Making a group available for end user self-service
3. Set the group with the POC users in the setting "Users who can self-service for security groups" | Making a group available for end user self-service
4. Locate the target application, and turn on self-service application access | Configuring Self-Service application access
5. Log in as the information worker to the My Apps portal | Accessing the Access Panel
6. Notice the "Add applications" tile and click on it; notice that the target application appears | Accessing the Access Panel
Considerations
1. The applications chosen might have provisioning requirements, so going immediately to the app might cause
some errors. If the application chosen supports provisioning with Azure AD and it is configured, you might use
this as an opportunity to show the whole flow working end to end. See the building block for federated SSO
applications for further recommendations.
Azure Multi-Factor Authentication with Phone Calls
Prerequisites
Id | Pre-requisite | Resources
1 | Identify POC users that will use MFA |
2 | Phone with good reception for the MFA challenge | Methods available for multi-factor authentication
Steps
Step | Resources
1. Log in as a global admin | Azure classic portal
2. Navigate to the MFA portal | Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
3. In the Service Settings, select "call to phone" as one of the chosen methods | Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
4. In the User settings, select the POC users | Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
5. Log in as the POC user, and walk through the proof-up process | Accessing the Access Panel
Considerations
1. The POC steps in this building block explicitly set MFA for a user on all logins. There are other tools, such as
Conditional Access and Identity Protection, that engage MFA in more targeted scenarios. This will be something
to consider when moving from POC to production.
2. The POC steps in this building block explicitly use phone calls as the MFA method for expedience. As you
transition from POC to production, we recommend using applications such as the Microsoft Authenticator as
your second factor whenever possible.
Learn more: DRAFT NIST Special Publication 800-63B
MFA Conditional Access for SaaS applications
Prerequisites
Id | Pre-requisite | Resources
1 | Identify POC users to target the policy. These users should be in a security group to scope the conditional access policy | Building block: SaaS Federated SSO Configuration
2 | SaaS application has already been configured | Building block: SaaS Federated SSO Configuration
3 | POC users are already assigned to the application | Building block: SaaS Federated SSO Configuration
4 | Credentials for the POC user are available | Building block: SaaS Federated SSO Configuration
5 | POC user is registered for MFA, using a phone with good reception | http://aka.ms/ssprsetup
6 | Device in the internal network, with an IP address configured in the internal address range | Find your IP address: https://www.bing.com/search?q=what%27s+my+ip
7 | Device in the external network (can be a phone using the carrier's mobile network) |
Steps
Step | Resources
1. Log in as a global admin | Azure classic portal
2. Navigate to the SaaS application configuration | Azure Conditional Access for SaaS Apps
3. Deploy the conditional access policy to require MFA for access from the external network. It is recommended to scope this policy to the security group that contains the POC users | Azure Conditional Access for SaaS Apps
4. On the internal network device, log in to https://myapps.microsoft.com/<domain>. Notice that no MFA challenge happened | Accessing the Access Panel
Considerations
1. If you are using federation, you can use the on-premises Identity Provider (IdP) to communicate the inside/outside
corporate network state with claims. You can use this technique without having to manage the list of IP addresses,
which might be complex to assess and manage in large organizations. In that setup, you need to account for the
network roaming scenario (a user logging in from the internal network and, while logged in, switching locations,
such as to a coffee shop) and make sure you understand the implications.
Privileged Identity Management (PIM)
Prerequisites
Id | Pre-requisite | Resources
1 | Identify the global admin that will be part of the POC for PIM | The Azure AD Privileged Identity Management security wizard
2 | Identify the global admin that will become the Security Administrator | The Azure AD Privileged Identity Management security wizard; Roles in PIM
3 | Register the global admins with MFA. Make sure to use a phone with good reception | Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
4 | Optional: Confirm that the global admins have email access to exercise email notifications in PIM | Configure the role activation settings
Steps
Step | Resources
1. Log in to https://portal.azure.com as a global admin (GA) and bootstrap the PIM blade. The Global Admin that performs this step is seeded as the security administrator. Let's call this actor GA1 | The Azure AD Privileged Identity Management security wizard
2. Identify the global admin and move them from permanent to eligible. This should be a separate admin from the one used in step 1 for clarity. Let's call this actor GA2 | How to add or remove a user role; How to manage role activation settings
4. In a new tab and in the same session as step 3, navigate now to https://portal.azure.com and add the PIM blade to the dashboard | Add the Privileged Identity Management application
5. Request activation of the Global Administrator role | Activate a role
Considerations
3. This capability is part of Azure AD Premium Level 2 and/or EMS E5
Discovering Risk Events
Prerequisites
Id | Pre-requisite | Resources
1 | Device with Tor browser downloaded and installed | Download Tor Browser
2 | Access to a POC user to do the login | Azure Active Directory Identity Protection playbook
Steps
Step | Resources
1. Open the Tor browser | Download Tor
2. Log in to https://myapps.microsoft.com with the POC user account | Simulating Risk Events
Considerations
1. This capability is part of Azure AD Premium Level 2 and/or EMS E5
2. You can discuss other risk events as well
Deploying Sign-in risk policies
Prerequisites
Id | Pre-requisite | Resources
1 | Device with Tor browser downloaded and installed | Download Tor
2 | Access as a POC user to do the login testing | Sign-in risk
3 | POC user is registered with MFA. Make sure to use a phone with good reception | Building Block: Azure Multi-Factor Authentication with Phone Calls
Steps
Time to complete: 10 minutes
Step | Resources
1. Log in as a global admin to https://portal.azure.com and open up the Identity Protection blade | https://aka.ms/aadipgetstarted
2. Enable a sign-in risk policy as follows: | Sign-in risk
   - Assigned to: POC user
   - Conditions: Sign-in risk medium or higher (a sign-in from an anonymous location is deemed a medium risk level)
   - Controls: Require MFA
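To show how the sign-in risk policy above and the network-scoped MFA policy from the "MFA Conditional Access for SaaS applications" building block combine, here is an added offline model (not from the playbook or from Azure AD itself). It evaluates both policies over constructed sign-in events; the group name, app name, IP ranges and the "anonymous" address are assumptions.

```python
"""Offline model of the two PoC MFA policies (added example, not Azure AD code).

- ConditionalAccessPolicy: require MFA for one SaaS app when the sign-in comes
  from outside the trusted (internal) ranges, scoped to the POC security group.
- SignInRiskPolicy: require MFA when Identity Protection rates the sign-in
  medium or higher, scoped to the same group.
All names, ranges and events below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    groups: Set[str]          # security groups the user belongs to
    source_ip: str            # client IP as seen by Azure AD
    app: str                  # application being accessed
    risk_level: str = "none"  # sign-in risk reported by Identity Protection


@dataclass
class ConditionalAccessPolicy:
    """MFA when the scoped group accesses the app from outside trusted_ranges."""
    name: str
    scope_group: str
    app: str
    trusted_ranges: List[str]  # CIDR strings standing in for the internal address range

    def requires_mfa(self, s: SignIn) -> bool:
        if self.scope_group not in s.groups or s.app != self.app:
            return False  # out of scope: this policy does not apply
        addr = ipaddress.ip_address(s.source_ip)
        inside = any(addr in ipaddress.ip_network(r) for r in self.trusted_ranges)
        return not inside


@dataclass
class SignInRiskPolicy:
    """MFA when the sign-in risk is at or above min_level (default: medium)."""
    name: str
    scope_group: str
    min_level: str = "medium"

    def requires_mfa(self, s: SignIn) -> bool:
        if self.scope_group not in s.groups:
            return False
        return RISK_ORDER.get(s.risk_level, 0) >= RISK_ORDER[self.min_level]


def evaluate(sign_in: SignIn, policies) -> List[str]:
    """Names of the policies demanding an MFA challenge; empty means no challenge."""
    return [p.name for p in policies if p.requires_mfa(sign_in)]


# Constructed PoC configuration (assumed group, app and internal ranges).
POC_GROUP = "sg-poc-users"
POLICIES = [
    ConditionalAccessPolicy("mfa-outside-corpnet-servicenow", POC_GROUP, "ServiceNow",
                            ["10.0.0.0/8", "192.168.0.0/16"]),
    SignInRiskPolicy("mfa-on-medium-risk", POC_GROUP, "medium"),
]

# Constructed sign-in events mirroring the playbook's test steps.
EVENTS = {
    "internal-device": SignIn("alice", {POC_GROUP}, "10.1.2.3", "ServiceNow"),
    "external-device": SignIn("alice", {POC_GROUP}, "203.0.113.7", "ServiceNow"),
    # Anonymous network (e.g. the Tor test) rated medium by Identity Protection.
    "anonymous-network": SignIn("alice", {POC_GROUP}, "198.51.100.9", "myapps",
                                risk_level="medium"),
    "out-of-scope-user": SignIn("bob", {"sg-everyone"}, "203.0.113.7", "ServiceNow",
                                risk_level="high"),
    "risky-but-internal": SignIn("alice", {POC_GROUP}, "192.168.5.5", "ServiceNow",
                                 risk_level="high"),
}


def run_demo() -> Dict[str, List[str]]:
    """Evaluate every constructed event against both policies."""
    return {label: evaluate(ev, POLICIES) for label, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, hits in run_demo().items():
        verdict = "MFA required by " + ", ".join(hits) if hits else "no MFA challenge"
        print(f"{label:20s} -> {verdict}")
```

The "risky-but-internal" case is the point of the second policy: a trusted IP alone does not suppress the challenge when the risk score is high, while the out-of-scope user is never challenged by either policy.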
Considerations
1. This capability is part of Azure AD Premium Level 2 and/or EMS E5
2. You can discuss other risk events as well. Learn more:
Types of risk events detected by Azure Active Directory Identity Protection
3. For more step by step guidance on other Azure AD Identity Protection Scenarios, check Azure Active Directory
Identity Protection playbook