Mastering Identity and Access Management with Microsoft Azure

Configuring your administrative workstation

First of all, we need to set a functional administrative workstation to work through this guide. You need to have a Windows 10 Enterprise client machine in a work group configuration. We recommend using a freshly installed Windows 10 Enterprise virtual machine. We need a Windows 10 device to use the Azure AD Join later in the book. If you are not able to access the Volume Licensed or MSDN version, you can use the Enterprise Evaluation version at https://www.microsoft.com/en-gb/evalcenter/evaluate-windows-10-enterprise.

In the code section of this chapter, you will find the following cmdlets to install the needed administrative tools on your client machine, namely the Azure AD, MSOnline and Azure Resource Manager PowerShell modules:

  1. Install the Azure Active Directory PowerShell module:
     Install-Module -Name AzureADPreview
  2. Install the MSOnline PowerShell module:
     Install-Module -Name MSOnline
  3. Install the Azure Resource Manager PowerShell module:
     Install-Module -Name AzureRM
  4. Connect to the MSOnline interface with PowerShell:
     Connect-MsolService
     # Provide your global administrator credentials
     # View your assigned subscriptions
     Get-MsolAccountSku
     # View all current users
     Get-MsolUser
  5. Create your first test user to prove the Azure AD administrative connection (the license SKU prefix is the tenant name, so it must match the tenant used in the UPN):
     New-MsolUser -UserPrincipalName "jochen.nickel@inovitcloudlabs.onmicrosoft.com" -DisplayName "Jochen Nickel" -FirstName "Jochen" -LastName "Nickel" -UsageLocation "CH" -LicenseAssignment "inovitcloudlabs:ENTERPRISEPREMIUM","inovitcloudlabs:EMSPREMIUM"

     Get-MsolUser -UserPrincipalName jochen.nickel@inovitcloudlabs.onmicrosoft.com | fl
  6. Connect directly to the Azure AD interface to compare the output and capabilities with the MSOnline PowerShell module:
     Connect-AzureAD
     Get-AzureADUser -All $true | where UserPrincipalName -eq jochen.nickel@inovitcloudlabs.onmicrosoft.com | fl
  7. Unpack the deployment package from the code package. The C:\Configuration\HRExports directory contains the needed HR import and group creation scripts to configure your Azure AD tenant with some test data:
Example script set

In the HRImportToAAD.ps1 script, the following important variables will be used:

$domain = Get-MsolDomain | where {$_.Name -notlike "*mail*"}
$dir = "C:\Configuration\HRExports"

# Also configure your PowerShell Execution Policy to RemoteSigned with the following cmdlet
# More information about this topic can be found under http://bit.ly/1EWLG03
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

The domain variable will contain the domain.onmicrosoft.com name of your Azure AD default directory. We use this directory, and not a registered domain name, for several of the following steps. At the end of the chapter, we will switch to a custom domain so that you can explore the tasks that requires. As you can see, the dir variable contains the path to the scripts and to the simple HR export file called NewHire.csv. The contoso.com domain in that file will be replaced with your domain name, stored in the domain variable.

The NewHire.csv file contains the following demo user set, which will be used in future configurations to demonstrate the different functionalities:

userPrincipalName,DisplayName,FirstName,LastName,password
Don.Hall@contoso.com,Don Hall,Don,Hall,Pass@word1
Ellen.Adams@contoso.com,Ellen Adams,Ellen,Adams,Pass@word1
Jeff.Simpson@contoso.com,Jeff Simpson,Jeff,Simpson,Pass@word1
Brian.Cox@contoso.com,Brian Cox,Brian,Cox,Pass@word1
Doris.Sutton@contoso.com,Doris Sutton,Doris,Sutton,Pass@word1
Petro.Mitchell@contoso.com,Petro Mitchell,Petro,Mitchell,Pass@word1
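To make the import behaviour described above concrete, here is an added example of how the CSV-to-tenant rewrite and the user creation can be done with the MSOnline module. It is not the book's HRImportToAAD.ps1 script; it assumes Connect-MsolService has already been run, reuses the book's $dir and $domain definitions, and adds an existence check and a forced password change that the original variables do not mention.

```powershell
# Added example, not the book's HRImportToAAD.ps1. Assumes Connect-MsolService
# has already been run with global administrator credentials.
$dir    = "C:\Configuration\HRExports"
# Same filter as the book; -First 1 guards against tenants with several matching domains
$domain = Get-MsolDomain | Where-Object { $_.Name -notlike "*mail*" } | Select-Object -First 1

$newHires = Import-Csv -Path (Join-Path $dir "NewHire.csv")

foreach ($hire in $newHires) {
    # Replace the contoso.com placeholder with the tenant's default domain name
    $upn = $hire.userPrincipalName -replace 'contoso\.com$', $domain.Name

    # Skip accounts that already exist so the script can be re-run safely
    if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        Write-Host "Skipping existing user $upn"
        continue
    }

    # The demo password is shared by every row of the CSV, so force a change at first sign-in
    New-MsolUser -UserPrincipalName $upn `
                 -DisplayName $hire.DisplayName `
                 -FirstName $hire.FirstName `
                 -LastName $hire.LastName `
                 -Password $hire.password `
                 -ForceChangePassword $true `
                 -UsageLocation "CH" | Out-Null
    Write-Host "Created $upn"
}
```

UsageLocation is set to CH to match the test user created earlier in the chapter; adjust it to your tenant's location before assigning licenses.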

With the next step, we will assign an EMS E5 plan license to our global administrator, admin@domain.onmicrosoft.com. The Office 365 E5 was already assigned through the creation process. Later in the chapter, we will assign licenses through dynamic group membership, which is an Azure AD Premium P2 license feature:

License assignment operation

Click Assign and add the EMS E5 plan license to your global administrator. The expected result will be as follows:

Assigned license overview

We will see the expected message that no active Azure subscription is assigned to this user ID yet. Next, sign up for a Microsoft Azure subscription.