Microsoft 365 | Planning and configuring identify federation




View Post: 148 người truy cập bài viết
Tags :

Lab: Planning and configuring identity federation

Exercise 1: Deploying Active Directory Federation Services (AD FS) and Web Application Proxy

Task 1: Add DNS records required for AD FS

  1. Sign in to the LON-DS1 virtual machine as ADATUM\Administrator with a password of Pa55w.rd.
  2. On LON-DS1, select Start and then select Windows PowerShell.
  3. Type IPConfig and press Enter.
  4. Record the IPv4 address assigned to the server.
  5. On LON-DC1, open Server Manager, select Tools, and then select DNS.
  6. Expand LON-DC1, expand Forward Lookup Zones, and then select Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum number.
  7. Right-click Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum number, and then select New Host (A or AAAA).
  8. In the New Host dialog box, leave the Name box empty, in the IP address box, type the External IP address provided by the hosting partner.
  9. Select Add Host, and then select OK.
  10. In the New Host dialog box, leave the Name box empty, in the IP address box, type the LON-DS1 IP address that you recorded in Step 3.
  11. Select Add Host, select OK, and then select Done.

Task 2: Create an Office 365 administrator account

  1. On LON-CL1, in the Microsoft 365 Admin center, select Users, then select Active users.
  2. Select Add a user.
  3. In the Display name field, enter Admin.
  4. In the Username field, enter admin and verify that Adatumyyxxxx.onmicrosoft.com, where yyxxxxx is your unique Adatum number, is selected as the Domain.
  5. Under Password, select Let me create the password, and enter the password you created on Module 1.
  6. Clear the Make this user change their password when they first sign in option.
  7. Under Roles, select Global administrator.
  8. Under Product licenses, enable the Create user without product license option, then select Add.
  9. Close the Admin user window.

Task 3: Configure and verify Azure AD Connect federation with AD FS

  1. Switch to LON-DS1.
  2. On the Desktop, double-click Azure AD connect.
  3. Select Configure.
  4. Select Change user sign-in and select Next.
  5. Sign in as [email protected], replacing yyxxxxx with your unique Adatum number, with password created in Module 1
  6. Select Federation with AD FS, then select Next.
  7. On the Domain Administrator credentials page, enter the USERNAME ADATUM\Administrator and PASSWORD Pa55w.rd, then select Next.
  8. Select Use a certificate installed on the federation servers and select Browse.
  9. In the Search box enter LON-DS1 and select the Search icon.
  10. Select LON-DS1.Adatum.com, then select OK.
  11. In the CERTIFICATE FILE drop-down, select the certificate provided by the lab provider.
  12. In the SUBJECT NAME drop-down, select the subject name that matches the certificate.
  13. In the SUBJECT NAME PREFIX box enter Adatumyyxxxxx, replacing yyxxxxx with your unique Adatum number, and select Next.
  14. On the AD FS servers page select Browse.
  15. In the Search box type LON-DS1 and select the Search icon.
  16. Select LON-DS1 then select OK.
  17. After the connection has been verified, select Next.
  18. On the Web Application Proxy servers page, select Browse.
  19. In the Search box type LON-WAP1 and select the Search icon.
  20. Select LON-WAP1, select OK, then select Next.
  21. On the AD FS service account page, select Create a group Managed Service Account, enter the following ENTERPRISE ADMIN USERNAME credentials, then select Next:
    • User name: ADATUM\Administrator
    • Password: Pa55w.rd
  22. On the Azure AD Domain page, in the drop-down select Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum number, and select Next.
  23. On the Ready to configure page, select Configure.
  24. On the Verify federation configuration page, select I have created DNS a records that allow clients to resolve my federation service
  25. Select Verify.

The wizard will verify the AD FS server resolves to both internal and external DNS. You may need to select Verify multiple times to verify external DNS.

  1. Select Exit.

Result: After completing this exercise, you should have deployed the AD FS server in a federation server farm, and deployed the Web Application Proxy server to support AD FS.

Exercise 2: Verifying single sign-on (SSO)

Task 1: Verify SSO for internal users

  1. Switch to LON-CL3.
  2. On LON-CL3, open Microsoft Edge, and then connect to https://portal.office.com.
  3. Type [email protected], replacing yyxxxxx with your unique Adatum number, as the user name, and then press Tab.
  4. Verify that you are redirected to the Adatum sign in page.
  5. Type Pa55w.rd as the password, and then press Enter.
  6. Verify that you are connected to Office 365.
  7. Close Microsoft Edge.

Task 2: Verify SSO for external users

  1. On your local computer, open a Web browser (use an InPrivate browsing window, if possible).
  2. In the Address bar, type https://portal.office.com, and then press Enter.
  3. Type [email protected], replacing yyxxxxx with your unique Adatum number, as the user name, and then press Tab.
  4. Verify that you are redirected to the Adatum sign in page.
  5. Type Pa55w.rd as the password, and then press Enter.
  6. Review the Office 365 page for Grover Chambliss, and then close the Web browser window.

Result: After completing this exercise, you should have verified SSO authentication to Office 365 for a user on your corporate network and for a user on your host computer that is connected to the Internet.

 

5 1 vote
Article Rating
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments