Azure AD/Office 365 seamless sign-in – Understand and implement PHS and seamless SSO

Introduction

Microsoft Office 365 provides secure anywhere access to professional email, shared calendars, instant messaging (IM), video conferencing, document collaboration, etc. It represents the cloud version of the Microsoft communication and collaboration products with the latest version of the Microsoft desktop suite for businesses of all sizes.

Azure Active Directory (Azure AD) is the directory behind Office 365 used to store user identities and other tenant properties. Just like the on-premises Active Directory stores the information for Exchange, SharePoint, Lync and your custom Line of Business (LOB) apps, Azure AD stores the information for Exchange Online, SharePoint Online, Skype for Business Online, etc., and any custom applications built in the Microsoft's cloud.

Through the password hash synchronization (PHS) feature, user passwords are synchronized from the organization's on-premises Active Directory to the organization's cloud-based Azure AD tenant. This feature enables end-users to sign into Azure AD services, such as Office 365, Dynamics 365, Intune, and Azure AD Domain Services, using the same password they're using to sign in to their organization's on-premises Active Directory. This is sometimes referred as to "same" sign-on.

In addition, the seamless single sign-on (SSO) feature allows end-users to only need to type their username and not their password to sign in to Azure AD/Office 365 or other cloud apps and services when they are on their corporate machines and connected on the organization's corporate network.

Note For more information, see blog post Introducing #AzureAD Pass-Through Authentication and Seamless Single Sign-on.

Objectives of this paper

This document complements Part 1 and Part 2 of this whitepaper by providing an end-to-end walkthrough to rollout a working PHS and seamless SSO configuration for Azure AD/Office 365.

Non-objectives of this paper

It doesn't provide an understanding of the different seamless sign-in deployment options with Azure AD/Office 365. This is specifically the intent of the aforementioned first part that covers all the key aspects the readers should understand to successfully achieve seamless sign-in with Azure AD/Office 365 for their organization.

Organization of this paper

To cover the aforementioned objectives, this document is organized in the following 4 sections:

Setting up the base configuration test lab.
Setting up PHS and seamless SSO with the Azure AD/Office 365 tenant.
Understanding PHS and seamless SSO.
Monitoring your on-premises deployment (Optional).

These sections provide the information details necessary to (hopefully) successfully build a working environment for the scenario. They must be followed in order.

About the audience

This document is intended for system architects and IT professionals who are interested in understanding this capability of Azure AD/Office 365 from a hand-practice perspective.

Setting up the base configuration test lab

By following the instructions outlined hereafter, you should be able to successfully prepare your on-premises test lab environment based on virtual machines (VMs) running in Azure to later deploy and configure the test environment, install and configure it.

In order to complete the document's walkthrough, you need an environment that consists of the following components for the Azure-based test lab infrastructure:

Two computers running Windows Server 2012 R2 (named DC1 respectively DC2 by default) that will be configured as a domain controller with a test user and group accounts, and Domain Name System (DNS) servers. DC1 will host Azure AD Connect for the sync between the Azure-based test lab infrastructure and the Azure AD/Office 365 subscription.
One intranet computer running Windows 8.1 (named LAPTOP1).

If you've already followed the walkthrough of Part 2, the DC1 and DC2 computers that pertain to the Azure-based test lab infrastructure should already be in place. If you haven't yet conducted this rollout, this is the time to do so.

The rest of this document makes the assumption that such an evaluation environment is in place. You don't need the ADFS1, ADFS2, WAP1, and WAP2 computers that are part of this lab environment. You can leave them turned off for the rest of this document.

The above Azure VMs will enable you to:

Connect to the Internet to install updates, and access Internet resources in real time.
Later configure them with Azure AD Connect to finally get a relevant Azure-based test infrastructure.
Remotely managed those using a Point-to-Site (P2S) connection and then Remote Desktop (RDP) connections by your computer that is connected to the Internet or your organization network.

Note You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

Create snapshots so that you can easily return to a desired configuration for further learning and experimentation.

For illustration purposes, we've opted to configure the domain litware369.com (LITWARE369). You will have to choose in lieu of a domain name of yours. For checking purpose, you can for instance use the domain search capability provided by several popular domain name registrars.

Whenever a reference to litware369.com is made in a procedure, it has to be replaced by the DNS domain name of your choice to reflect accordingly the change in naming. Likewise, any reference to LITWARE369 should be substituted by the NETBIOS domain name of your choice.

For the sake of simplicity, the same password "Pass@word1!?" is used throughout the procedures detailed in this document. This is neither mandatory nor recommended in a real-world scenario.

To perform all the tasks in this guide, we will use the local administrator account AzureAdmin or alternatively the LITWARE369 domain administrator account AzureAdmin for each VM, unless instructed otherwise.

Deploying the LAPTOP1 computer in the test lab environment

To illustrate the newly introduced seamless single sign-on (SSO) feature, a Windows 8.1 based client image needs to be added to the test lab environment built with Part 2.

Note For Windows 10 based clients, the recommendation is to use Azure AD join for the best experience with Azure AD. For more information, see article Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join.

As of this writing, the gallery of Microsoft Azure only provides Windows-based client images for MSDN and Visual Studio subscribers.

If you already benefit from such a subscription, this is the way to go to provision the LAPTOP1 computer and you can skip the rest of this section. Please, directly jump to the section Joining the LAPTOP1 computer to the LITWARE369 domain.

However, since you aren't necessarily such a subscriber, we will also illustrate hereafter an approach that allows you to upload your own custom VHD image.

The requirements for a custom Windows 8.1 image that can be uploaded for use with Microsoft Azure are as follows:

The image size must be 1,023 GB or smaller.
It must be on a VHD file. The VHDX format is not currently supported.
The VHD file must be a generation 1 VM. Generation 2 VMs are currently not supported.
The VHD file must be fixed-size.
The disk must be initialized using the Master Boot Record (MBR) partitioning style. The GUID partition table (GPT) partition style is not supported.
The VHD file must contain a single installation of Windows 8.1. It can contain multiple volumes, but only one that contains an installation of Windows.
The VHD image must be generalized by running the Sysprep.exe tool before uploading the VHD for Azure. The parameters /oobe /generalize /shutdown must be used in lieu of the /mode:vm parameter.

Note A generalized VHD image has had all of your personal account information removed using the Sysprep.exe tool. For more information, see article Generalize a Windows virtual machine using Sysprep.

Uploading a VHD file from a snapshot chain is not supported.

The next sections depict how to build a custom Windows 8.1 image and deploy on that basis a LAPTOP1 VM in the test lab environment.

Important note For more information, see article Generalize a Windows virtual machine using Sysprep.

Building your own custom VHD file

To build your own custom VHD file, proceed with the following steps:

Download an evaluation copy of Windows 8.1 Enterprise from https://www.microsoft.com/en-gb/evalcenter/evaluate-windows-8-1-enterprise:
1. Click Sign in and then sign-in with your Microsoft Account credentials.

Note If you don't have a Microsoft account yet, you can create one at http://signup.live.com.

Click Register to continue and fulfill the form with notably the version of Windows 8.1 Enterprise to download. Specify the 64-bit one. Click Continue.

Download the ISO file and save it to your local computer.

Create a VHD file by using Disk Management (diskmgmt.msc).
1. Create a fixed size VHD. Click Action > Create VHD.
2. Specify the location, for instance "C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\win81-enterprise-eval.vhd" in our illustration, the size, e.g. 40 GB or more in size, and the VHD format. Select Fixed size (recommended), and then click OK.
  
  This may run for several minutes. When the VHD file creation is complete, you should see a new disk without any drive letter and in Not initialized state in the Disk Management console.
3. Right-click the disk (not the unallocated space), and then click Initialize Disk. Select MBR (Master Boot Record) as the partition style, and then click OK.
4. Create a new volume. Right-click the unallocated space, and then click New Simple Volume. You can accept the defaults in the wizard, but make sure you assign a drive letter to avoid potential problems when you upload the template image.
5. Right-click the disk, and then click Detach VHD.
Create a new VM. Use the New Virtual Machine Wizard in Hyper-V Manager on your local machine:

Note If Hyper-V is not already available on your local computer, please refer to the article Install Hyper-V on Windows 10 to enable this feature.
1. On the Specify Generation page, choose Generation 1.
2. On the Connect Virtual Hard Disk page, select Use an existing virtual hard disk, and browse to the VHD file created in the above step 2.
3. Choose other options in the wizard necessary to install Windows 8.1 Enterprise. Finish the wizard.
4. After the wizard finishes, edit the settings of the virtual machine, select the DVD Reader and under Media, point to the location of your Windows 8.1 Enterprise ISO file in Image File. Make any other changes necessary to install Windows 8.1 Enterprise, and then click OK.
5. Boot the VM, connect to it, and then proceed with the installation of Windows 8.1 Enterprise. Use express settings.
6. Follow all the steps outlined in the article Prepare a Windows VHD or VHDX to upload to Azure to prepare the resulting custom image for Microsoft Azure, starting at section Set Windows configurations for Azure to prepare a suitable generalized VHD image for Azure.
Note A generalized VHD image has all of your personal account information removed using the Sysprep.exe tool. For more information, see article Generalize a Windows virtual machine using Sysprep.

At this stage, you are now ready to upload the custom image to Azure.

Uploading the custom VHD file to Azure

To upload the generalized custom VHD to Azure, proceed with the following steps:

Connect to your Azure subscription:
- Open a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt, and then run the following command:

PS C:\> Add-AzureRmAccount

Sign-in with your admin credentials.

Get the storage account to store the uploaded VM image. You will use one of the three existing storage accounts in the resource group of your test lab environment. Run the following command to show the available storage accounts:

PS C:\> Get-AzureRmStorageAccount –ResourceGroupName 'LITWARE369-RG'

This cmdlet outputs the followings:

ResourceGroupName : litware369-rg StorageAccountName : cmitpcd2yhw42sa1 Id : /subscriptions/8848a529-9d69-4049-8469-8218547a61e2/resourceGroups/litware369-rg/pro viders/Microsoft.Storage/storageAccounts/cmitpcd2yhw42sa1 Location : northeurope Sku : Microsoft.Azure.Management.Storage.Models.Sku Kind : Storage Encryption : AccessTier : CreationTime : 05/01/2017 16:52:59 CustomDomain : LastGeoFailoverTime : PrimaryEndpoints : Microsoft.Azure.Management.Storage.Models.Endpoints PrimaryLocation : northeurope ProvisioningState : Succeeded SecondaryEndpoints : SecondaryLocation : StatusOfPrimary : Available StatusOfSecondary : Tags : {} Context : Microsoft.WindowsAzure.Commands.Common.Storage.LazyAzureStorageContext ResourceGroupName : litware369-rg StorageAccountName : cmitpcd2yhw42sa2 Id : /subscriptions/8848a529-9d69-4049-8469-8218547a61e2/resourceGroups/litware369-rg/pro viders/Microsoft.Storage/storageAccounts/cmitpcd2yhw42sa2 Location : northeurope Sku : Microsoft.Azure.Management.Storage.Models.Sku Kind : Storage Encryption : AccessTier : CreationTime : 05/01/2017 16:52:59 CustomDomain : LastGeoFailoverTime : PrimaryEndpoints : Microsoft.Azure.Management.Storage.Models.Endpoints PrimaryLocation : northeurope ProvisioningState : Succeeded SecondaryEndpoints : SecondaryLocation : StatusOfPrimary : Available StatusOfSecondary : Tags : {} Context : Microsoft.WindowsAzure.Commands.Common.Storage.LazyAzureStorageContext

ResourceGroupName : litware369-rg StorageAccountName : cmitpcd2yhw42sa3 Id : /subscriptions/8848a529-9d69-4049-8469-8218547a61e2/resourceGroups/litware369-rg/pro viders/Microsoft.Storage/storageAccounts/cmitpcd2yhw42sa3 Location : northeurope Sku : Microsoft.Azure.Management.Storage.Models.Sku Kind : Storage Encryption : AccessTier : CreationTime : 05/01/2017 16:52:59 CustomDomain : LastGeoFailoverTime : PrimaryEndpoints : Microsoft.Azure.Management.Storage.Models.Endpoints PrimaryLocation : northeurope ProvisioningState : Succeeded SecondaryEndpoints : SecondaryLocation : StatusOfPrimary : Available StatusOfSecondary : Tags : {} Context : Microsoft.WindowsAzure.Commands.Common.Storage.LazyAzureStorageContext Upload the VHD to a container in the selected storage account, for example cmitpcd2yhw42sa1 in our illustration. Run the following commands in order: PS C:\> $rgName = "LITWARE369-RG" PS C:\> $urlUploadedImageVhd = https://cmitpcd2yhw42sa1.blob.core.windows.net/customvhds/win81-enterprise-eval.vhd PS C:\> $pathImageVhd2Upload = "C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\win81-enterprise-eval.vhd" PS C:\> Add-AzureRmVhd -ResourceGroupName $rgName -Destination $urlUploadedImageVhd ` -LocalFilePath $pathImageVhd2Upload

This command uploads the generalized VHD file win81-enterprise-eval.vhd from "C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\" to the cmitpcd2yhw42sa1 storage account in the LITWARE369-RG resource group. The file will be placed into the container named customvhds and the file will keep the win81-enterprise-eval.vhd filename.

Depending on your network connection and the size of your VHD file, the Add-AzureRmVhd cmdlet may take a while to complete. it will begin to generate a MD5 hash of the generalized VHD image. This aims at ensuring that, once the image blob has been created, it's exactly the same as it was when it left your local computer. The hashing and upload takes a while.

Note If the upload process of the VHD image is taking too long, you can consider increasing the thread count by specifying the -NumberOfUploaderThreads parameter.

If successful, you finally get a response that looks similar to this:

MD5 hash is being calculated for the file  C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\win81-enterprise-eval.vhd.
MD5 hash calculation is completed.
Elapsed time for the operation: 00:17:05
Creating new page blob of size 42949673472...
Detecting the empty data blocks in the local file.
Detecting the empty data blocks completed.
Elapsed time for upload: 00:13:28
LocalFilePath                                                                   DestinationUri
-------------                                                                   --------------
C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\win81-enterprise-eval.vhd  https://cmitpcd2yhw42sa1.blob.core...

Note For more information, see article Upload a Windows VHD from an on-premises VM to Azure.

To view and interact with your Azure Storage resources, you can use the free Microsoft Azure Storage Explorer tool. This tool can be freely downloaded at http://storageexplorer.com/.

It's now time to create the LAPTOP1 VM in the test lab environment from the uploaded generalized VHD image.

Creating the LAPTOP1 VM from the generalized VHD image

To create the LAPTOP1 VM from the generalized VHD image, proceed with the following steps:

From the previous Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt, set some variables;

PS C:\> $rgName = "LITWARE369-RG"
PS C:\> $location = "North Europe"
PS C:\> $vmName = "LAPTOP1"

Get the existing virtual network (adfs-infra-subnet) in the test lab environment:

PS C:\> $vnetName = "adfs-infra-subnet"
PS C:\> $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName

Create a network interface on the internal subnet (Internal-sn):

PS C:\> $nicName = '{0}-nic' -f $vmName.ToLower()
PS C:\> $nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName -Location $location `
     -SubnetId $vnet.Subnets[0].Id -IpConfigurationName "ipconfig1"

Set the name and the size of the virtual machine. We will create a "Standard_A0" sized VM.

Note For more information, see article Sizes for virtual machines in Azure.

PS C:\> $vmSize = "Standard_A0"
PS C:\> $vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize

Specify the credentials to use as the local administrator account for remotely accessing the VM. When prompted, specify "AzureAdmin" for the user name and "Pass@word1!?" for the password.

PS C:\> $cred = Get-Credential

Set the Windows operating system configuration and add the above created network interface.

PS C:\> $vm = Set-AzureRmVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmName `
        -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
PS C:\> $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

Set the URI of the generalized VHD image, for example in our illustration:

https://cmitpcd2yhw42sa1.blob.core.windows.net/customvhds/win81-enterprise-eval.vhd

PS C:\> $imageURI = "https://cmitpcd2yhw42sa1.blob.core.windows.net/customvhds/win81-enterprise-eval.vhd"

Get the storage account where this generalized VHD image is stored.

PS C:\> $storageAccName = "cmitpcd2yhw42sa1"
PS C:\> $storageAcc = Get-AzureRmStorageAccount -ResourceGroupName $rgName -AccountName $storageAccName

Configure the OS disk to be created from the existing VHD image (-CreateOption fromImage).

PS C:\> $osDiskName = "osdisk"
PS C:\> $osDiskUri = '{0}vhds/{1}-{2}.vhd' `
    -f $storageAcc.PrimaryEndpoints.Blob.ToString(), $vmName.ToLower(), $osDiskName
PS C:\> $vm = Set-AzureRmVMOSDisk -VM $vm -Name $osDiskName -VhdUri $osDiskUri `
    -CreateOption fromImage -SourceImageUri $imageURI -Windows

Create the new LAPTOP1 VM.

PS C:\> New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vm

This above PowerShell script sets up the LAPTOP1 VM configuration and use the uploaded generalized VHD image as the source for this new installation.

Verify that the LAPTOP1 VM has been created. When complete, you should see the newly created LAPTOP1 VM in the Azure portal under Browse > Virtual machines, or by running the following commands:

PS C:\> $vmList = Get-AzureRmVM -ResourceGroupName $rgName
PS C:\> $vmList.Name

Note For more information, see article Create a VM from a generalized VHD image and/or video Create a Custom Virtual Machine Image in Azure Resource Manager with PowerShell.

Joining the LAPTOP1 computer to the LITWARE369 domain

To join the LAPTOP1 computer to the LITWARE369 domain, proceed with the following steps:

Open a remote desktop connection on the LAPTOP1 computer. Follow the instructions as per section Accessing the various machines of the test lab environment in Part 2 of this whitepaper. Log on as the local account AzureAdmin with "Pass@word1!?" as password.
Open a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt, and the run the following commands in order.

PS C:\> $domain = "litware369.com"
PS C:\> $password = "Pass@word1!?" | ConvertTo-SecureString -asPlainText -Force
PS C:\> $username = "$domain\AzureAdmin
PS C:\> $cred = New-Object System.Management.Automation.PSCredential($username,$password)
PS C:\> Add-Computer -DomainName $domain -Credential $cred -Restart

Once completed, the LAPTOP1 computer will reboot.

Accessing the various machines of the test lab environment

See eponym section in Part 2 of this whitepaper.

Setting up PHS and seamless SSO with the Azure AD/Office 365 tenant

This section provides a walkthrough on how to setup password hash synchronization and seamless single sign-on (SSO) between the on-premises Active Directory (e.g. litware369.com) and the Azure AD/Office 365 tenant (e.g. litware369.onmicrosoft.com) to offer a seamless user experience to access cloud resources, for example an Office 365 Enterprise E3 subscription in our configuration.

For the sake of simplicity, and to set up the directory synchronization and the password hash synchronization between the on-premises infrastructure of our test lab environment in Azure and the litware369.onmicrosoft.com tenant in the cloud, we will leverage the single and unified wizard Azure Active Directory Connect (Azure AD Connect).

Azure AD Connect indeed provides a single and unified wizard that streamlines the overall onboarding process for both directory synchronization (single or multiple directories) AND single sign-on if you want to, and thus that automatically performs the following steps: download and setup of all the pre-requisites, download, setup and guided configuration of the synchronization engine, activation of the synchronization in the Azure AD tenant, setup, and/or configuration of AD FS, etc.

Azure AD Connect is the one stop shop for connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production.

Note For more information, see articles Integrating your on-premises identities with Azure Active Directory.

This section walks you through the use of the single wizard Azure AD Connect on the ADFS1 computer to fully configure the Azure-based infrastructure from an identity perspective and establish the identity bridge between it and your Azure AD/Office 365 subscription.

It comprises the following seven steps:

Downloading Azure AD Connect.
Executing Azure AD Connect.
Configuring additional tasks.
Configuring the seamless single sign-on in the LITWARE369 domain
Verifying the synchronization on the Azure AD/Office 365 tenant.
Verifying the simple sign-on with the Azure AD/Office 365 tenant.
Verifying the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant.

The following subsections describe each of these steps in the context of our test lab environment.

Downloading Azure AD Connect

Azure AD Connect is a single wizard that performs all the steps you would otherwise have to do manually to connect your Active Directory (and local directories if any) to Azure AD.

Azure AD Connect will:

Install pre-requisites like the Azure Active Directory Module for Windows PowerShell (64-bit version) and Microsoft Online Services Sign-In Assistant.

Note The Azure Active Directory PowerShell Module is regularly updated with new features and functionality. The above link should always point to the most current version of the module. For more information, see article Microsoft Azure Active Directory PowerShell Module Version Release History.

Install and configure the sync engine, and enable directory synchronization in the customer's Azure tenant.
Configures either password sync (w/ optional seamless single sign-on), path-through authentication (w/ optional seamless single sign-on), or AD FS, depending on which sign-on option the customer prefers, and includes any required configuration in Azure.
Verifies everything is working.

Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. Azure AD Connect is replacing DirSync and Azure AD Sync and these two older sync engines are deprecated from April 13, 2016 reaching end of support April 13,2017.

Note For more information, see article Upgrade Windows Azure Active Directory Sync ("DirSync") and Azure Active Directory Sync ("Azure AD Sync").

To download the latest version of Azure AD Connect (e.g. version 1.1.380.0 at the time of this writing), proceed with the following steps:

Open a remote desktop connection on the DC1 computer. Follow the instructions as per section Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.
Open a browsing session and navigate to:

http://www.microsoft.com/en-us/download/details.aspx?id=47594.
Click Download to download the Azure AD Connect MSI file (AzureADConnect.msi).

Click Save.

Executing Azure AD Connect

Before executing Azure AD Connect, you must know the credentials:

A domain account that is local administrator on the aforementioned computers.
Active Directory enterprise administrator credentials.
Azure AD tenant global administrator credentials.

If you've followed in order all the steps outlined before, all the above prerequisites should be enforced at this stage. So you should be good to go.

To execute Azure AD Connect and configure your identity infrastructure, proceed with the following steps:

Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.
Run AzureADConnect.msi to launch the wizard.

On the Welcome to Azure AD Connect page, check I agree to the license terms and privacy notice and click Continue.

On the Express Settings page, click Customize.

On the Install required components page, review the information, select any optional configuration that you require, although it's okay to leave these unselected, and click Install.

On the User sign-in page, leave Password Synchronization selected, and select Enable single sign on.

Click Next.

On the Connect to Azure AD page, enter your global admin Azure AD credentials when prompted.

Username: admin@litware369.onmicrosoft.com

Password: Pass@word1!?

Click Next.

On the Connect your directories page, select your local active directory and enter AD credentials.

Username: LIWARE369\AzureAdmin

Password: Pass@word1!?

Click Add Directory.

Click Next.

On the Azure AD sign-in configuration page, leave USER PRINCIPAL NAME as is, i.e. userPrincipalName selected, and click Next.

On the Domain and OU filtering page, leave Sync all domains and OUs selected, and click Next.

On the Uniquely identifying your users page, leave Users are represented only once across all directories selected, leave SOURCE ANCHOR as is, i.e. objectGUID selected, and click Next.

On the Filter users and devices page, leave Synchronize all users and devices selected, and then click Next.

On the Optional features page, select any additional features that you need, although it's okay to leave these unselected, and then click Next.

On the Enable single sign on page, click Enter domain administrator credentials. A Windows Security dialog pops up.

Enter AD credentials, and then click OK.

Username: AzureAdmin

Password: Pass@word1!?

Click Next.

On the Ready to configure page, leave checked Start the synchronization process as soon as the configuration completes for starting the synchronization process.

Note You may assume the synchronization process will automatically start at a later time if the check mark is removed. This is not correct as you will need to enable the task in Scheduled Tasks on the server where the synchronization tool is installed. After the task is enabled, synchronization occurs every 30 minutes by default.

Click Install. When installation completes, verify the installation and then exit.

Note Logs regarding the Azure AD Connect installation can be found in the %LocalAppData%\AADCONNECT folder.

Configuring additional tasks

You may wish to add scale or refine your options right away, or after some time has passed.

To configure additional task, proceed with the following steps:

Whilst still being connected on the DC1 computer, launch the wizard again using the Start page or the desktop icon called Azure AD Connect.

Click Configure.

The Additional tasks page lists the tasks that are relevant to your configuration. Select the relevant task to your configuration you'd like to conduct, click Next, and follow the instructions.

Note that with the first task, you can validate your current configuration

Once completed, click Exit.

Now let's see how to verify the synchronization on the Azure AD/Office 365 tenant.

Verifying the synchronization on the Azure AD/Office 365 tenant

To verify the synchronization on the Azure AD tenant, proceed with the following steps:

Open a browsing session and navigate to the Azure portal at https://portal.azure.com.
Sign in with your administrative credentials to your Azure subscription.
On the left pane of the Azure management portal, click Azure Active Directory. A Litware369 blade opens up.

Note If Azure Active Directory is not listed, click More Services, type "Azure", and the select Azure Active Directory.

In the Quick tasks tile, click Find a user. A Users and groups – All Users blade appears.
Confirm that both Janet Schorr and Robert Hatley are listed.

Note If the Active Directory users Janets and Roberth are not replicated in your Azure AD tenant, please refer to section Troubleshooting PHS to see how you can force the replication using PowerShell commands.

Verifying the status of password sync settings

To view the status of password sync setting, you can run the following command on the DC1 computer from a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt:

Import-Module ADSync
$connectors = Get-ADSyncConnector
$aadConnectors = $connectors | Where-Object {$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}
$adConnectors = $connectors | Where-Object {$_.ConnectorTypeName -eq "AD"}
if ($aadConnectors -ne $null -and $adConnectors -ne $null)
{
    if ($aadConnectors.Count -eq 1)
    {
        $features = Get-ADSyncAADCompanyFeature -ConnectorName $aadConnectors[0].Name
        Write-Host
        Write-Host "Password sync feature enabled in your Azure AD directory: "  $features.PasswordHashSync
        foreach ($adConnector in $adConnectors)
        {
            Write-Host
            Write-Host "Password sync channel status BEGIN ------------------------------------------------------- "
            Write-Host
            Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
            Write-Host
            $pingEvents =
                Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654  -After (Get-Date).AddHours(-3) |
                    Where-Object { $_.Message.ToUpperInvariant().Contains($adConnector.Identifier.ToString("D").ToUpperInvariant()) } |
                    Sort-Object { $_.Time } -Descending
            if ($pingEvents -ne $null)
            {
                Write-Host "Latest heart beat event (within last 3 hours). Time " $pingEvents[0].TimeWritten
            }
            else
            {
                Write-Warning "No ping event found within last 3 hours."
            }
            Write-Host
            Write-Host "Password sync channel status END ------------------------------------------------------- "
            Write-Host
        }
    }
    else
    {
        Write-Warning "More than one Azure AD Connectors found. Please update the script to use the appropriate Connector."
    }
}
Write-Host
if ($aadConnectors -eq $null)
{
    Write-Warning "No Azure AD Connector was found."
}
if ($adConnectors -eq $null)
{
    Write-Warning "No AD DS Connector was found."
}
Write-Host

Configuring the seamless single sign-on in the LITWARE369 domain

Seamless single sign-on (SSO) is an option that can be enabled in Azure AD Connect with either password (hash of) hash synchronization (PHS) or pass-through authentication (PTA) (see Part 7 of this whitepaper). When enabled, users only need type their username and do not need not to type their password to sign in to Azure AD or other cloud services when they are on their corporate machines and connected on the corporate network.

For users to use seamless SSO in your environment, you need to ensure that they are:

On a domain joined computer.
Have a direct connection to a domain controller, for example on the corporate wired or wireless network or via a remote access connection such as a VPN connection. This role is played by the LAPTOP1 computer that you've previously provisioned on the test lab environment.
Define the Kerberos end-points in the cloud as part of the browsers' Intranet zone.

If any of the above items are not present, such as the computer is off the corporate network and Active Directory is not available, then users will simply be prompted to enter their password as they would without seamless SSO.

Note For more information, see article What is Single Sign On (SSO) (preview).

Ensuring clients sign-in automatically from the corporate network

By default, browsers will not attempt to send credentials to web servers unless the URL is defined in the Intranet zone. In so far as the URLs used for seamless SSO in Azure AD contain a period because they are globally routable hostnames, they have to be explicitly added to the computer's Intranet zone, so that the browser will automatically send the currently logged in user's credentials in the form of a Kerberos ticket to Azure AD.

The easiest way to add the required URLs to the Intranet zone is to simply create a group policy in Active Directory or use an existing one.

Proceed with the following steps:

Whilst still being connected on the DC2 computer, open an elevated command prompt if none, and run the following command:

PS C:\> gpmc.msc

A Group Policy Management window brings up.

Double-click the name of the forest, double-click Domains, and double-click the name of the domain.

Right-click Default Domain Policy, and then click Edit. A Group Policy Management Editor window brings up.

In the console tree, expand Group policy that will be applied to all users. For example, the Default Domain Policy.
Navigate to User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page and select Site to Zone Assignment List.

Enable the policy by clicking on the Enabled radio button, then, in the Options part, click the Show… button.
Inside the dialog box, and enter the following values:
- Value Name: https://autologon.microsoftazuread-sso.com Value: 1
- Value Name: https://aadg.windows.net.nsatc.net Value: 1

Click OK twice.
Close the Groupe Policy Management Editor.
Close the Group Policy Management console.

Verifying the "same sign-on" with the Azure AD/Office 365 tenant

To verify the "same" sign-on with the Azure AD/Office 365 tenant (e.g. litware369.onmicrosoft.com), proceed with the following steps:

Open a browsing session from your external local computer and navigate to the Office 365 portal at https://portal.office.com .

Type janets@litware369.com and specify your Active Directory password.

If simple sign-on is correctly set up, you should have a seamless access to the signed in user settings in the Office 365 portal.

No tiles are displayed for the online apps. This is expected for the test user as in fact you have not assigned a license to the test user.

Verifying the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant

To verify the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant (e.g. litware369.onmicrosoft.com), proceed with the following steps:

Open a remote desktop connection on the LAPTOP1 computer. Follow the instructions as per section Accessing the various machines of the test lab environment and specify in step 2 the IP address for the LAPTOP1 computer. Log on as the LITWARE369 user account JanetS with "Pass@word1!?" as password.
Open a browsing session from your external local computer and navigate to the Office 365 portal at https://portal.office.com.

If seamless single sign-on (SSO) is correctly set up, you should have a seamless access to the signed in user settings in the Office 365 portal.

No tiles are displayed for the online apps. This is expected for the test user as in fact you have not assigned a license to the test user.

Troubleshooting the configuration

Troubleshooting PHS

Troubleshooting the PHS feature consists in verifying the synchronization between the on-premises Active Directory environment and Azure AD.

If you want to force Azure AD Connect to replicate:

Open a remote desktop connection on DC1.
Open a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt, and then run the following command to import the ADSync cmdlets:

PS C:\> Import-Module ADSync

Then force a delta synchronization

PS C:\> Start-ADSyncSyncCycle -PolicyType Delta

This cmdlet must output Result, Success.

You can also verify the status of the password synchronization as per previous eponym section Verifying the status of password sync settings.

Note For more information, see article Implementing password synchronization with Azure AD Connect sync.

Troubleshooting seamless SSO

It is important to make sure the client is correctly configured for seamless SSO including the following:

Note For more information, see article What is Single Sign On (SSO) (preview).

Both https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net are defined within the Intranet zone.
Ensure the computer is joined to the domain, for example the LITWARE369 domain in our configuration.
Ensure the user is logged on with a domain account.
Ensure the computer is connected to the corporate network, for example on the Internal-sn in our test lab configuration.
Ensure that the computer's time is synchronized with the Active Directory and the domain controllers time is within 5 minutes of the correct time.
Purge the clients existing Kerberos tickets, for example by running the following command from an elevated command prompt.

C:\> "klist purge"

Ensure the Kerberos SPNs are present and correct for the AzureADSSOAcc$ account in Active Directory.

If you have been able to confirm the above requirements, you can review the console logs of the browser for additional information. The console logs can be found under developer tools. This will help you determine the potential problem.

Every time a user logs in with single sign on, an entry is recorded in the event log of the domain controller, if success auditing is enabled. To find these events, you can review the Event logs for the security Event 4769 associated with computer account AzureADSSOAcc$.

The filter below finds all security events associated with the computer account:

<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[EventData[Data[@Name='ServiceName'] and (Data='AZUREADSSOACC$')]]</Select> </Query> <QueryList>

You are now in a position to further test the environment.

Understanding PHS and seamless SSO

Understanding PHS

As introduced at the beginning of this document, the PHS (or Password Hash Synchronization) feature consists in retrieving by Azure AD Connect the user account password hashes from an on-premises Active Directory and replicating a digest of this hash to a cloud-based Azure AD/Office 365 tenant.

From a security standpoint, the password information that is replicated in Azure AD is the result of a one-way function (SHA-256) applied to the user's password hash stored in an encrypted form, which means that, even if this secret leaks, it cannot be used to access to any resource on your corporate internal network.

Note For a detailed description of the password synchronization mechanism, see blog post AAD Password Sync, Encryption and FIPS compliance.

This feature then enables users to sign into Azure AD services, such as Office 365, Dynamics 365, Intune, and Azure AD Domain Services, using the same password they're using to sign in to their organization's on-premises Active Directory.

Note For more information, see article Implementing password synchronization with Azure AD Connect sync.

Such a feature provides a "same sign-on" experience, where users sign in to their corporate machine and Azure AD/Office 365 with the same credentials.

To provide a better experience, a password change is replicated within 2 minutes. Moreover, after a successful authentication, the users can be optionally asked for a multifactor authentication (MFA) in the cloud.

Understanding seamless SSO

Supported clients

The seamless SSO feature is supported via web browser based clients and Office clients that support modern authentication on computers that are capable of Kerberos authentication, such as Windows.

The following table provides details of the browser based clients on various operating systems.

Table 1 Supported clients per OS/Browsers

Operating systems	Internet Explorer	Chrome	Firefox	Edge
Windows 10	Yes	Yes	Yes*	No
Windows 8.1	Yes	Yes	Yes*	N/A
Windows 8	Yes	Yes	Yes*	N/A
Windows 7	Yes	Yes	Yes*	N/A
Mac OS/X	N/A	N/A	N/A	N/A

* Requires separate configuration

A word about modern authentication

Modern authentication is an OAuth-based authentication stack used by Office 2013/2016 client applications against Office 365. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML 2.0-based third-party identity providers with Office 2013/2016 client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

From a technical implementation standpoint, the Active Directory Authentication Library (ADAL) replaces, for Windows clients, the Microsoft Online Sign-in Assistant (SIA).

Understanding seamless SSO flows

Let's illustrate a typical seamless SSO flow.

Figure 1 Seamless SSO flow

First the user attempts to access a resource that trusts security tokens issued from Azure AD, such as SharePoint Online (SPO) for Office 365. SharePoint Online then redirects the user to authenticate against Azure AD. The user is then invited to provide their username so that Azure AD can establish if the seamless SSO feature is enabled for their organization. Assuming seamless SSO is enabled for the organization, the following occurs:

Azure AD challenges the client, via a 401 unauthorized response, to provide a Kerberos ticket.
The client requests a ticket from Active Directory for the Azure AD.
Active Directory locates the computer account, created by Azure AD Connect and returns a Kerberos ticket to the client, encrypted with the machine account's secret. The ticket includes the identity of the user currently signed in to the computer.
The client sends the Kerberos ticket it acquired from Active Directory to Azure AD.
Azure AD decrypts the Kerberos ticket using the previously shared key, and then either returns a token to the user or asks the user to provide additional proofs such as multi-factor authentication as required by the resource.

Seamless SSO is an opportunistic feature, which means that if it fails for some reason, the user simply need only enter their password on the sign-in page as usual.

Monitoring your on-premises deployment (Optional)

This last section of this document provides and introduction to Azure Active Directory Connect Health (Azure AD Connect Health). This cloud based service in the new Azure Portal helps you monitor and gain insight into health, performance and login activity of your on-premises identity infrastructure. It thus offers you the ability to view alerts, performance, usage patterns, configuration settings, enables you to maintain a reliable Azure AD connection, and much more.

Azure AD Connect Health represents a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure.

Note For more information, see article Monitor your on-premises identity infrastructure and synchronization services in the cloud.

Note Azure AD Connect Health is a feature of the Azure AD Premium P1 edition. For a description of this edition below and a comparison table, see article Azure Active Directory editions.

This section walks you through the process of configuring this service for your existing on-premises deployment as per this document. The process consists in the following five steps:

Getting started with the Azure AD Connect Health service.
Configuring Azure AD Connect Health for Sync.
Configuring Azure AD Connect Health for AD DS.
Using the Azure AD Connect Health service.

The following subsections describe in the context of our test lab environment each of these steps.

Like before, and unless noticed otherwise, all the instructions should be done on the DC1 computer.

Getting started with the Azure AD Connect Health service

To get started with and use the Azure AD Connect Health service, proceed with the following tasks:

Open a browsing session for your external personal computer and navigate to the Azure portal at https://portal.azure.com/.

Username: admin@litware369.onmicrosoft.com

Password: Pass@word1!?

Click Next.

Click the Marketplace tile, and then select Security + Identity, or search for it by typing "Identity".

Under recommended, click Azure AD Connect Health. An introductory blade opens up.

Click Create. This will open another blade with your directory information.

Click Create.

Note If you do not have an Azure Active Directory Premium P1 license, you will need one to use Azure AD Connect Health as previously noticed. See article What is Microsoft Azure Active Directory licensing?. You can sign-up for a trial at https://portal.office.com/Signup/Signup.aspx?OfferId=01824d11-5ad8-447f-8523-666b0848b381.

Once created, you can now access the Azure AD Connect Health Portal that allows you to view alerts, performance monitoring, and usage analytics. Upon first accessing Azure AD Connect Health, a first blade is presented.

In order to see any data in your instance of Azure AD Connect Health, you will need to install the Azure AD Connect Health agents on your targeted servers, for example the six computers in our configuration. This is the purpose of the next sections.

Configuring Azure AD Connect Health for Sync

The Azure AD Connect Health agent for Sync is installed as part of the Azure AD Connect installation (version 1.0.9125.0 or higher). So this is already completed with our prior installation and configuration of Azure AD Connect (version 1.1.380.0 in our configuration). See section Integrating your on-premises AD forest(s) with your Azure AD/Office 365 tenant.

To verify the agent has been installed, look for the following services on the DC1 computer. If you completed the configuration, they should already be running:

Azure AD Connect Health Sync Insights Service.
Azure AD Connect Health Sync Monitoring Service.

Note For more information, see article Azure AD Connect Health Agent Installation.

Configuring Azure AD Connect Health for AD DS

Downloading the health agent for AD DS

To download the latest version of health agent for AD DS, proceed with the following steps:

Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.
Open a browsing session and navigate to the Azure AD Connect Health portal.
Click the Quick Start tile. An eponym Quick Start blade opens up.
Under Get tools, click Download Azure AD Connect Health for AD DS to download the health agent (AdHealthAddsAgentSetup.exe)

Click Save.
Repeat above steps on the DC2 computer.

Installing and configuring the health agent for AD DS

To download the latest version of health agent for AD DS, proceed with the following steps:

Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.
Double-click the AdHealthAddsAgentSetup.exe file you've downloaded in the previous section. A dialog pops up.
The Azure Active Directory Connect Health Setup dialog shows up.

On the first screen, read the EULA, and then click Install. The install begins.

Once the installation is finished, click Configure Now. A command prompt with elevated privileges opens up.

As stated, an elevated PowerShell command prompt is then launched to execute the following command while the initial command prompt closes:

Register-AzureADConnectHealthADDSAgent

A Sign in to your account dialog opens up.

Type "admin@litware369.onmicrosoft.com" for your Azure AD/Office 365 Enterprise global administrator and click Continue.

Enter the password of the admin@litware369.onmicrosoft.com user, e.g. "Pass@word1!?" in our configuration, and then click Sign in. The health agent registration process starts.

Executing Elevated PowerShell Command: Register-AzureADConnectHealthADDSAgent
2017-01-05 10:37:00.735 ProductName: Microsoft Azure AD Connect Health agent for AD DS, FileVersion:
 UTC Time: 2017-01-05 10:37:00Z
2017-01-05 10:37:00.893 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADH/
2017-01-05 10:37:00.893 AdHybridHealthServiceUri: https://adds.aadconnecthealth.azure.com/
2017-01-05 10:37:03.098 AHealthServiceApiVersion: 2014-01-01
2017-01-05 10:43:28.828 Detecting AdDomainService roles...
2017-01-05 10:43:29.562 Detected the following role(s) for litware369.com:
2017-01-05 10:43:29.562         Active Directory Domain Services
2017-01-05 10:43:34.915 Aquiring Monitoring Service certificate using tenant.cert
2017-01-05 10:43:42.506 Successfully aquired and stored Monitoring Service certificate: Subject=CN=DC
c-4be2-9b86-5b3513ecb22e, OU=Microsoft ADFS Agent, Issuer=CN=Microsoft PolicyKeyService Certificate A
nt=25E0F7EE2D344DF31888B7E223795DFD29D4DFBF
2017-01-05 10:43:42.521 Fetched and stored agent credentials successfully...
2017-01-05 10:43:44.432 Started agent services successfully...
Test-AzureADConnectHealthConnectivity completed successfully...
2017-01-05 10:44:02.807 Agent registration completed successfully.
Detailed log file created in temporary directory:
C:\Users\AzureAdmin.LITWARE369\AppData\Local\Temp\2\AdHealthAddsAgentConfiguration.2017-01-05_10-37-00.log
PS C:\Users\AzureAdmin.LITWARE369\Downloads>

To verify the agent has been successfully installed and configured, click Tools in Server Manager, and then select Services. An eponym window Services opens up.
Look for the following services:

Azure AD Connect Health AD DS Insights Service.
Azure AD Connect Health AD DS Monitoring Service.

These services should be started automatically and the agent will be now monitoring and gathering data.

Repeat above steps on the DC2 computer.

Note For more information, see article Azure AD Connect Health Agent Installation.

At this stage, you should now be in position to monitor your on-premises deployment.

Using the Azure AD Connect Health service

To now use the Azure AD Connect Health service, proceed with the following tasks:

Open a browsing session and navigate to the Azure Preview Portal at https://portal.azure.com/.

Username: admin@litware369.onmicrosoft.com

Password: Pass@word1!?

Select Azure AD Connect Health. An introductory blade opens up.
Click Azure Active Directory Connect (Sync). An eponym blade opens up. Synchronization should appear as healthy.

Back to introductory blade of Azure AD Connect Health, finally click Active Directory Domain services. A new blade opens up for AD DS as you might expect.

Note For more information on the various health topics (alerts, performance monitoring, usage analytics, properties, etc.), see articles Azure AD Connect Health Operations, Using Azure AD Connect Health for sync, and Using Azure AD Connect Health with AD DS.