
Azure Active Directory Proof of Concept Playbook
Explore and quickly implement Identity and Access Management scenarios

Executive Summary
This document provides guidelines for exploring different Azure AD capabilities in a proof of concept (PoC). The intended
audience of this document is identity architects, IT professionals, and system integrators.
Azure AD Proof of Concept Playbook

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed
as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted
to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented
after the date of publication.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS


DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright,
no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.

The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any
such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their
accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their
respective manufacturers.

© 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization
of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States and/or other
countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents
Executive Summary
Contents
How to use this Playbook
PoC Ingredients
  Theme
  Environment
  Target Users
PoC Implementation
  Foundation - Syncing AD to Azure AD
  Theme: Lots of apps, one identity
  Theme: Increase your security
  Theme: Scale with Self Service
PoC Building Blocks
  Catalog of Actors
  Common Prerequisites for all building blocks
  Directory Synchronization - Password Hash Sync (PHS) - New Installation
  Branding
  Group based licensing
  SaaS Federated SSO Configuration
  SaaS Password SSO Configuration
  SaaS Shared Accounts Configuration
  Groups - Delegated Ownership
  SaaS and Identity Lifecycle
  Self Service Password Reset
  Self Service Access to Application Management
  Azure Multi-Factor Authentication with Phone Calls
  MFA Conditional Access for SaaS applications
  Privileged Identity Management (PIM)
  Discovering Risk Events
  Deploying Sign-in risk policies


How to use this Playbook

1. Use the Theme section and pick the area(s) of interest based on your needs.
2. Scope the PoC by choosing the scenarios that align with your business goals. The shorter the better: we
recommend keeping it as short and concise as possible to convey the value to the stakeholders while minimizing
the complexity of realizing it.
3. Use the PoC Implementation section to understand the scenarios and what they would mean for your
environment. In each scenario, we describe how to set it up (what we call building blocks) and how to navigate
the scenarios.
4. Each building block explains the prerequisites needed, as well as an approximate time to complete. This can
help you during the planning process.
5. Based on 1-3 above, define the environment in which to execute. We encourage you to strive for a production
environment to get a good feel of the experience for your users.
6. When you have conflicting requirements, use this helpful tradeoff matrix:
   a. Theme-centric showing of value
   b. Smoothness to prepare, to set up, and to execute the scenarios
   c. Minimal time to execute the target scenarios
   d. As close to production as feasible within your constraints

Note: Throughout this document, you will see some specific third-party applications and products mentioned as examples
for convenience. Azure AD supports thousands of applications in our application gallery that you can use based on your
needs and environment.

PoC Ingredients
Theme
Azure AD provides identity and access solutions across multiple areas in the enterprise. We classify the scenarios in the
following areas:

- Lots of apps, one identity
- Increase your security
- Scale with Self Service

Defining a theme to frame the PoC helps focus the effort on what resonates with business goals, which oftentimes are
the triggers of the interest in a proof of concept in the first place.

Environment
It is important to determine the details of the environment where you will deliver the PoC. Ideally you can build upon it
after the PoC is completed. The target environment is crucial and you should find the right balance between making it as
real as possible and the overhead of constraints or extra considerations. The typical environments for PoCs are:

- Production: The scenarios will be implemented in your live environment and already deployed Microsoft Cloud
  services (production AD, Office 365, Azure AD tenant/SSO solution).
- User Acceptance Test (UAT)/Dev environment: You have test infrastructure (parallel AD and potentially Azure
  AD tenant/SSO solution) with test data that resembles production. Typically, the test environment is shared
  across multiple projects in the enterprise.


Most scenarios in this guide are additive in nature. As a result, they can be deployed in the production tenant without
affecting users outside the PoC. Throughout this document, we will be calling out which scenarios would have a
tenant-wide effect. In those cases, you might want to consider a non-production environment.

Target Users
It is important to determine the target set of users that will exercise the scenarios, especially when the environment is
production or test. The categories of target users for a PoC are:

- Pilot Users: Real users in the environment that will be using the solution with the account they use for their day
  to day job functions
- Test Users: Test accounts created in the environment

Most scenarios in this guide can be exercised by pilot users. Throughout this document, we will be calling out target user
considerations if needed.

PoC Implementation
Foundation - Syncing AD to Azure AD
A hybrid identity is the foundation for most enterprise customers who already have an on-premises directory. The
goal here is to intentionally spend as little time as possible on this step, so that the PoC can show the value of the actual identity and access
scenarios.

Scenario: Extending your on-premises identity to the cloud
  Building blocks: Directory Synchronization - Password Hash Sync; Branding
  Note: If you already have DirSync/ADSync or earlier versions of Azure AD Connect, this step is optional. Some
  scenarios in this guide might require a newer version of Azure AD Connect.
Scenario: Assigning Azure AD licenses using groups
  Building blocks: Group based licensing

Extending your on-premises identity to the cloud

1. Bob is the Active Directory administrator at Contoso. He gets the requirement to enable identity as a service for
a set of users. After running the Azure AD Connect wizard, the identities of the target users are available in the cloud.
2. Bob asks Susie, one of the target users, to access the Azure Active Directory access panel and confirm that she
can authenticate. Susie sees a branded login page and an empty access panel which is ready for enabling future
application access.

Assigning Azure AD licenses using Groups

1. Bob is the Azure AD Global Admin and wants to allocate Azure AD licenses to a specific set of users as part of the
initial rollout of Azure AD.
2. Bob creates a group for the pilot users.
3. Bob assigns the licenses to the group.
4. Susie, one of the information workers, is added to the security group as part of her job functions.
5. After some time, Susie has access to the Azure AD Premium license. This will enable more of the PoC scenarios
later on.


Theme: Lots of apps, one identity


Scenario: Integrate SaaS Applications - Federated SSO
  Building blocks: SaaS Federated SSO Configuration; Groups - Delegated Ownership
Scenario: Integrate SaaS Applications - Password SSO
  Building blocks: SaaS Password SSO Configuration
Scenario: SSO and Identity Lifecycle Events
  Building blocks: SaaS and Identity Lifecycle
Scenario: Secure Access to Shared Accounts
  Building blocks: SaaS Shared Accounts Configuration

Integrate SaaS Applications - Federated SSO

1. Bob is the Azure AD Global Admin and receives a request from the Marketing department to enable access to
their ServiceNow instance. Bob finds the step-by-step tutorial in the Azure AD documentation and follows it, and
delegates the assignment of users to the app to Kevin, the head of the Marketing team.
2. Kevin logs in as the owner of the ServiceNow entitlements and assigns Susie to the app. Kevin also notices that
Susie's profile was created in ServiceNow automatically.
3. Susie is an information worker in the Marketing department. She logs in to Azure AD and finds all SaaS
applications she is assigned to in the MyApps portal. From there, she seamlessly gets access to ServiceNow.
4. The Marketing department wants to audit who accessed ServiceNow. Bob downloads an activity report and
shares it with Kevin over email.

SSO and Identity Lifecycle Events

1. Susie takes a leave of absence, and by corporate policy the on-premises AD account is temporarily disabled. Susie
now can't log in to Azure AD and therefore can't access ServiceNow.
2. Susie makes a lateral move from Marketing to Sales. Kevin removes her access from ServiceNow. Susie logs in to
the Azure AD MyApps portal and she no longer sees the ServiceNow tile. After 10 minutes, Kevin confirms that Susie's
account was disabled from the ServiceNow management console.

Integrate SaaS Applications - Password SSO

1. Bob configures access to Atlassian HipChat. HipChat has a Password SSO integration, and Bob grants access to Susie.
2. Susie logs in to the MyApps portal and sees a link to download the Azure AD IE browser extension, which she
downloads.
3. Upon clicking the HipChat tile, she gets prompted for her HipChat username and password credentials. This is a one-time
operation, and after completing it she has access to HipChat.
4. A few days later, Susie opens the MyApps portal and clicks HipChat again. This time around, she gets seamless access.
5. Kevin, the HipChat app owner, wants to audit who accessed the application. Bob downloads an audit report and
shares it with Kevin over email.

Secure Access to Shared Accounts

1. Bob is tasked to secure the shared Twitter handle for members of the Sales team. He adds Twitter as an SSO
application and assigns it to the security group of the Sales team. He was given the credentials to the shared
account and he supplies them in the system.
2. Sharing the Twitter credentials is no longer trusted because multiple people know them. Bob enables automatic
rollover of the Twitter password.
3. Susie, a member of the Sales team, logs in to the MyApps portal and sees a link to download the Azure AD IE
browser extension. She installs it.
4. Upon clicking the tile she gets access directly to Twitter. She does not know the password.
5. Arnold is also part of the Sales team. He has the same experience as Susie in steps 3-4.

6. The Sales department wants to audit who accessed Twitter. Bob downloads an activity report and shares it with
Kevin over email.

Theme: Increase your security


Scenario: Secure administrator account access
  Building blocks: Azure MFA with Phone Calls
Scenario: Secure access for applications
  Building blocks: Conditional Access for SaaS applications
Scenario: Enable Just In Time administration
  Building blocks: Privileged Identity Management
Scenario: Protect identities based on risk
  Building blocks: Discovering risk events; Deploying Sign-in risk policies

Secure administrator account access

1. Bob is the Azure AD Global Administrator. He has identified Stuart as a co-administrator of the service.
2. Bob configures Stuart's account to always require MFA to improve the security posture.
3. Stuart logs in to the Azure management portal and notices that he needs to register his phone number to
continue the login.
4. Subsequent logins from Stuart are now protected with Multi-Factor Authentication, and he now gets a phone
call to verify his identity.

Secure access to applications

1. Kevin is the business owner of ServiceNow. The company now wants those users to log in with MFA when
accessing it from outside the corporate network.
2. Bob, our Azure AD Global Admin, adds a conditional access policy to the ServiceNow application to enable MFA
for outside access.
3. Susie, our information worker, logs in to the MyApps portal and clicks the ServiceNow tile. She is now challenged with
MFA.

Enable Just in time (JIT) administration

1. Bob and Stuart are Azure AD Global Admins. They want to enable JIT access to the management roles and also
to keep records on the usage of the privileged roles.
2. Bob enables PIM in the Azure AD tenant and becomes the security administrator. He changes both his own and
Stuart's global admin role membership from permanent to eligible.
3. Bob and Stuart now have to activate their role through the Azure Portal before making any changes to the Azure
AD configuration.

Protect Identities based on risk

1. Susie, an information worker, attempts to log in from a Tor browser.
2. Bob checks the Azure AD Identity Protection dashboard and sees Susie's login from an anonymous IP address.
The security team wants to challenge such accesses with MFA.
3. Bob enables an Azure AD Identity Protection policy to require MFA for medium or higher risk events.
4. Time goes by, and Susie logs in from a Tor browser again. This time, she will see the MFA challenge.

Theme: Scale with Self Service


Scenario: Self Service Password Reset
  Building blocks: Self Service Password Reset
Scenario: Self Service Access to Applications
  Building blocks: Self Service Access to Applications


Self Service Password Reset

1. Bob is the Azure AD Global Admin and enables Self Service Password Management for a subset of users, including
Susie.
2. Susie logs in to the MyApps portal and sees a message to register her security information for future password reset
events.
3. Fast forward a few days: Susie forgets her password, and resets it through the Azure AD portal.

Self Service Access to Applications

1. Kevin is the business owner of ServiceNow. He wants users to sign up for it on demand, instead of adding
them all at once.
2. Bob, our Azure AD Global Admin, modifies the ServiceNow application to enable self service requests.
3. Susie, our information worker, logs in to the MyApps portal, clicks the "Add more applications" button and sees
ServiceNow as one of the recommended applications. Then she navigates back to the MyApps portal and sees the
ServiceNow application.

PoC Building Blocks


Catalog of Actors
Identity Architecture / development team
  Description: This team is usually the one that designs the solution, implements prototypes, drives approvals
  and finally hands off to operations.
  PoC Responsibility: They provide the environments and are the ones evaluating the different scenarios from
  the manageability perspective.

On-Premises Identity Operations team
  Description: Manages the different identity sources on-premises: Active Directory forests, LDAP directories,
  HR systems, and federation identity providers.
  PoC Responsibility: Provide access to on-premises resources needed for the PoC scenarios. They should be
  involved as little as possible.

Application Technical Owners
  Description: Technical owners of the different cloud apps and services that will integrate with Azure AD.
  PoC Responsibility: Provide details on SaaS applications (potentially instances for testing).

Azure AD Global Admin
  Description: Manages the Azure AD configuration.
  PoC Responsibility: Provide credentials to configure the synchronization service. Usually the same team as
  Identity Architecture during the PoC but separate during the operations phase.

Database team
  Description: Owners of the database infrastructure.
  PoC Responsibility: Provide access to the SQL environment (AD FS or Azure AD Connect) for specific scenario
  preparations. They should be involved as little as possible.

Network team
  Description: Owners of the network infrastructure.
  PoC Responsibility: Provide required access at the network level for the synchronization servers to properly
  access the data sources and cloud services (firewall rules, ports opened, IPsec rules, etc.).

Security team
  Description: Defines the security strategy, analyzes security reports from various sources and follows
  through on findings.
  PoC Responsibility: Provide target security evaluation scenarios.

Common Prerequisites for all building blocks


Below are some prerequisites needed for any PoC with Azure AD Premium.

1. Azure AD tenant defined with a valid Azure subscription.
   Resources: https://azure.microsoft.com/en-us/documentation/articles/active-directory-howto-tenant/
   Note: If you already have an environment with Azure AD Premium licenses, you can get a zero cap
   subscription by navigating to https://aka.ms/accessaad
   Learn more at: https://blogs.technet.microsoft.com/enterprisemobility/2016/02/26/azure-ad-mailbag-azure-subscriptions-and-azure-ad-2/
   and https://technet.microsoft.com/en-us/library/dn832618.aspx
2. Domains defined and verified.
   Resources: https://azure.microsoft.com/en-us/documentation/articles/active-directory-add-domain/
   Note: Some workloads such as Power BI could have provisioned an Azure AD tenant under the covers.
   To check if a given domain is associated with a tenant, navigate to
   https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration. If you get a
   successful response, then the domain is already assigned to a tenant and a takeover might be needed.
   If this is the case, please contact Microsoft for further guidance. Learn more about the takeover
   options at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-self-service-signup/
3. Azure AD Premium or EMS trial enabled.
   Resources: https://azure.microsoft.com/en-us/trial/get-started-active-directory/
4. You have assigned Azure AD Premium or EMS licenses to PoC users.
   Resources: https://azure.microsoft.com/en-us/documentation/articles/active-directory-licensing-what-is/
5. Azure AD Global Admin credentials.
   Resources: Assigning administrator roles in Azure Active Directory
6. Optional but strongly recommended: Parallel lab environment as a fallback.
   Resources: Azure AD Connect: Prerequisites and hardware
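The tenant-assignment check from prerequisite 2, as an added Python example that is not part of the playbook: it builds the discovery URL for a domain and interprets the response, extracting the tenant id from the issuer when the domain is already taken. It assumes, as the endpoint behaves today, that an unknown domain answers HTTP 400 with a JSON error body; the sample responses and the tenant id in them are constructed.

```python
"""Check whether a DNS domain is already attached to an Azure AD tenant."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

DISCOVERY_URL = "https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration"


def is_bare_domain(domain: str) -> bool:
    """True for a plain DNS name (no scheme, path or whitespace)."""
    d = domain.strip().lower().rstrip(".")
    return bool(d) and "/" not in d and ":" not in d and " " not in d


def discovery_url(domain: str) -> str:
    """Build the OpenID discovery URL the playbook tells you to open in a browser."""
    if not is_bare_domain(domain):
        raise ValueError(f"not a bare DNS name: {domain!r}")
    return DISCOVERY_URL.format(domain=domain.strip().lower().rstrip("."))


def parse_discovery(status: int, body: str) -> dict:
    """Interpret one discovery response.

    200 with a JSON document whose issuer is
    https://login.microsoftonline.com/<tenant-id>/v2.0 means the domain already
    belongs to a tenant (takeover may be needed); 400 with an error body means
    the domain is still free. Anything else is reported as unexpected.
    """
    if status == 200:
        doc = json.loads(body)
        issuer = doc.get("issuer", "")
        segments = urlparse(issuer).path.strip("/").split("/")
        tenant_id = segments[0] if segments and segments[0] else None
        return {"assigned": True, "tenant_id": tenant_id, "issuer": issuer}
    if status == 400:
        try:
            err = json.loads(body).get("error", "")
        except ValueError:
            err = ""
        return {"assigned": False, "tenant_id": None, "error": err or "bad request"}
    raise RuntimeError(f"unexpected HTTP status {status}")


def check_domain(domain: str, timeout: float = 10.0) -> dict:
    """Live check against login.microsoftonline.com (needs network access)."""
    req = urllib.request.Request(discovery_url(domain), headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_discovery(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        # A 400 for an unknown tenant arrives as an HTTPError; still parse its body.
        return parse_discovery(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real tenant).
CONSTRUCTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ASSIGNED = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{CONSTRUCTED_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{CONSTRUCTED_TENANT_ID}/oauth2/v2.0/authorize",
})
SAMPLE_UNASSIGNED = json.dumps({
    "error": "invalid_tenant",
    "error_description": "Tenant 'contoso.example' not found (constructed sample)",
})

if __name__ == "__main__":
    print(discovery_url("contoso.example"))
    print(parse_discovery(200, SAMPLE_ASSIGNED))
    print(parse_discovery(400, SAMPLE_UNASSIGNED))
```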

Directory Synchronization - Password Hash Sync (PHS) - New Installation


Approximate time to Complete: 1 hour for less than 1,000 PoC users

Prerequisites
1. Server to run Azure AD Connect.
   Resources: Azure AD Connect: Prerequisites and hardware
2. Target PoC users, in the same domain and part of a security group and OU.
   Resources: Azure AD Connect: Custom installation
3. Azure AD Connect features needed for the PoC are identified.
   Resources: Azure AD Connect: Integrating your on-premises identities with Azure Active Directory -- Configure Sync Features
4. You have the needed credentials for the on-premises and cloud environments.
   Resources: Azure AD Connect: Accounts and permissions

Steps
1. Download the latest version of Azure AD Connect.
   Resources: Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center
2. Install Azure AD Connect with the simplest path (Express):
   a. Filter to the target OU to minimize the sync cycle time.
   b. Choose the target set of users in the on-premises group.
   c. Deploy the features needed by the other PoC themes.
   Resources: Azure AD Connect: Custom installation: Domain and OU filtering; Azure AD Connect: Custom
   installation: Group based filtering; Azure AD Connect: Integrating your on-premises identities with Azure Active
   Directory -- Configure Sync Features
3. Open the Azure AD Connect UI and see that the running profiles completed (import, sync, and export).
   Resources: Azure AD Connect sync: Scheduler
4. Open the Azure management portal, go to the Users tab and see that the users appear, marked properly as
   coming from the on-premises directory.
   Resources: Administer your Azure AD directory; Azure classic portal

Considerations
1. Please look at the security considerations of password hash sync here. If password hash sync for pilot
production users is definitively not an option, then consider the following alternatives:
   a. Create test users in the production domain. Make sure you don't synchronize any other account.
   b. Move to a UAT environment.
2. If you want to pursue federation, it is worthwhile to understand the costs associated with a federated solution with
an on-premises identity provider beyond the PoC and measure them against the benefits you are looking for:
   a. It is in the critical path, so you have to design for high availability.
   b. It is an on-premises service you need to capacity plan.
   c. It is an on-premises service you need to monitor/maintain/patch.
Learn more:
   a. Understanding Office 365 identity and Azure Active Directory - Federated Identity

Branding
Approximate time to Complete: 15 minutes


Prerequisites
1. Assets (images, logos, etc.); for best visualization make sure the assets have the recommended sizes.
   Resources: Add company branding to your sign-in and Access Panel pages | What elements can I customize?
2. Optional: If the environment has an AD FS server, access to the server to customize the web theme.
   Resources: Customizing the AD FS Sign-in Pages
3. Optional: If the environment has an AD FS server, credentials to manage the AD FS server are required.
   Resources: AD FS Requirements
4. Client computer to perform the end user login experience.
5. Optional: Mobile devices to validate the experience.
6. Optional: access to a PC and the target mobile devices.

Steps
1. Go to the Azure management portal and select your directory.
   Resources: Azure classic portal
2. Navigate the customization experience.
   Resources: Add company branding to your sign-in and Access Panel pages - Configure your directory with company branding
3. Upload the assets for the login page (hero logo, small logo, labels, etc.). Optionally, if you have AD FS, align the
   same assets with the AD FS login pages.
   Resources: Add company branding to your sign-in and Access Panel pages - Customizable Elements
4. Wait a couple of minutes for the change to fully take effect.
5. Log in with the PoC user credential to https://myapps.microsoft.com/<yourdomain>
6. Confirm the look and feel in the browser.
   Resources: Add company branding to your sign-in and Access Panel pages - Access Panel Page customization;
   Add company branding to your sign-in and Access Panel pages - Testing and examples
7. Optionally, confirm the look and feel on other devices.

Considerations
If the old look and feel remains after the customization then flush the browser client cache, and retry the
operation.


Group based licensing


Approximate time to Complete: 10 minutes

Prerequisites
2. All PoC users are part of a security group (either cloud or on-premises).
   Resources: Managing groups in Azure Active Directory

Steps
1. Log in as a global admin in the Azure management portal.
   Resources: Azure classic portal
2. Assign the licenses to the security group with PoC users.
   Resources: Simplified License Assignment with Azure AD and EMS, Enterprise Mobility and Security Blog

Considerations
Since the PoC will potentially have more scenarios, it is good to have all of the PoC users in a security group and assign the
license to that group.
The current functionality assigns all service plans within the license. For EMS licenses, this means access to all
components in the suite (i.e., Azure AD Premium, Intune and Azure RMS).

SaaS Federated SSO Configuration


Approximate time to Complete: 20 minutes

Prerequisites
1. Test environment of the SaaS application available. In this guide, we use ServiceNow as an example. We
   strongly recommend using a test instance to minimize friction in navigating existing data quality and mappings.
   Resources: Go to https://developer.servicenow.com/app.do#!/home to start the process of getting a test instance
2. Admin access to the ServiceNow management console.
   Resources: Tutorial: Azure Active Directory integration with ServiceNow
3. Target set of users to assign the application to. A security group containing the PoC users is recommended.
   If creating the group is not feasible, then assign the users directly to the application for the PoC.
   Resources: Azure AD and Applications: Assigning Users to an Application


Steps
1. Share the tutorial from the Microsoft documentation with all actors.
   Resources: Tutorial: Azure Active Directory integration with ServiceNow
2. Set a working meeting and follow the tutorial steps with each actor.
   Resources: Tutorial: Azure Active Directory integration with ServiceNow
3. Assign the app to the group identified in the Prerequisites. If the PoC has conditional access in scope, you can
   revisit that later and add MFA, and similar. Note this will kick in the provisioning process (if configured).
   Resources: Azure AD and Applications: Assigning Users to an Application; Managing groups in Azure Active Directory
4. Wait for a few minutes while provisioning completes. In the meantime, you can check on the provisioning reports.
   Resources: How can I track the progress of the current provisioning Job?
5. Log in to https://myapps.microsoft.com/<yourdomain> as a test user that has access.
   Resources: Introduction to the Access Panel
6. Click on the tile for the application that was just created. Confirm access.
   Resources: Launching Applications
7. Optionally, you can check the application usage reports. Note there is some latency, so you need to wait some
   time to see the traffic in the reports.
   Resources: View your access and usage reports; Azure Active Directory Reporting Latencies

Considerations
1. If the target application is not present in the gallery, then you can use bring your own app. Learn more:
Configuring single sign-on to applications that are not in the Azure Active Directory application gallery

SaaS Password SSO Configuration


Approximate time to Complete: 15 minutes

Prerequisites
1. Test environment for SaaS applications. Examples of Password SSO applications are HipChat and Twitter.
   For any other application, you need the exact URL of the page with the HTML sign-in form.
   Resources: HipChat on Microsoft Azure Marketplace; Twitter on Microsoft Azure Marketplace
2. Test accounts for the applications.
   Resources: Sign up for Twitter; Sign Up for Free | HipChat
3. Target set of users to assign the application to. A security group containing the users is recommended.
   Resources: Azure AD and Applications: Assigning Users to an Application; Managing groups in Azure Active Directory
4. Local administrator access to a computer to deploy the Access Panel Extension for IE/Chrome or Firefox.
   Resources: Access Panel Extension for IE; Access Panel Extension for Chrome; Access Panel Extension for Firefox

Steps
1. Sign up for a test account.
   Resources: Sign up for Twitter; Sign Up for Free | HipChat
2. Configure the application in Azure AD.
3. Assign the app to the group identified in the Prerequisites.
   Resources: Azure AD and Applications: Assigning Users to an Application
4. Log in to https://myapps.microsoft.com/<yourdomain> as a test user that has access.
   Resources: Introduction to the Access Panel
5. Install the browser extension.
   Resources: Access Panel Extension for IE; Access Panel Extension for Chrome; Access Panel Extension for Firefox
6. Supply the application credential.
   Resources: Introduction to the Access Panel - Launching Applications
7. Click on the tile for the application that was just created.
   Resources: Introduction to the Access Panel - Launching Applications
8. Close the browser and repeat the login. This time around the user should see seamless access to the application.
   Resources: Introduction to the Access Panel - Launching Applications
9. Optionally, you can check the application usage reports. Note there is some latency, so you need to wait some
   time to see the traffic in the reports.
   Resources: View your access and usage reports; Azure Active Directory Reporting Latencies

Considerations
1. If the target application is not present in the gallery, you can add it as a custom (bring your own) application. Learn more:
   a. Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
   Keep in mind the following requirements:
   - The application must have a known login URL.
   - The sign-in page must contain an HTML form with one or more text fields that the browser extension can auto-populate. At a minimum, it must contain a username field and a password field.
2. The IE extension can be deployed at scale via Group Policy: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-ie-group-policy/
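To check a candidate application against those two requirements before spending POC time on it, the following Python script parses a saved copy of the sign-in page and reports whether it has a form with a username text field and a password field, and where that form submits to. It is an added example written for this playbook, not code from Microsoft or from the Access Panel extension. The three sample pages embedded at the bottom are constructed for the example and are not any vendor's real markup; the page URL and field names are illustrative.

```python
"""Check a sign-in page against the Password SSO requirements above:
the page must contain an HTML form with at least a username text field
and a password field that the Access Panel extension could auto-populate.

Added example, not code from the playbook or the extension. It scans
saved HTML offline; the three sample pages at the bottom are constructed
for this example and are not any vendor's real markup.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

USERNAME_TYPES = {"text", "email"}   # input types a username field usually has


class _FormScanner(HTMLParser):
    """Collect every <form> on the page together with its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_login_form(page_url, html):
    """Return (ok, detail).

    ok is True when some form has both a username and a password field;
    detail is then a dict with the absolute submit URL, method and field
    names. Otherwise detail is a string explaining why the page will not
    work with the extension (no form, two-step login page, ...)."""
    scanner = _FormScanner()
    scanner.feed(html)
    if not scanner.forms:
        return False, "no <form> on the page"
    problems = []
    for form in scanner.forms:
        users = [i["name"] for i in form["inputs"] if i["type"] in USERNAME_TYPES]
        pwds = [i["name"] for i in form["inputs"] if i["type"] == "password"]
        if users and pwds:
            detail = {"action": urljoin(page_url, form["action"]),
                      "method": form["method"],
                      "username_field": users[0],
                      "password_field": pwds[0]}
            if form["method"] != "post":
                detail["warning"] = "form submits credentials with GET"
            return True, detail
        if users:
            problems.append("form has a username field but no password field "
                            "(two-step login page?)")
        elif pwds:
            problems.append("form has a password field but no username field")
        else:
            problems.append("form has neither a username nor a password field")
    return False, "; ".join(problems)


# Constructed sample pages for the example (not real vendor sign-in pages).
SAMPLE_OK = """<html><body><form method="post" action="/session">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Sign in"></form></body></html>"""

SAMPLE_TWO_STEP = """<html><body><form method="post" action="/identify">
<input type="email" name="login_email"><input type="submit" value="Next">
</form></body></html>"""

SAMPLE_SPA = "<html><body><div id='app'></div><script src='/app.js'></script></body></html>"

if __name__ == "__main__":
    for name, page in (("ok", SAMPLE_OK), ("two-step", SAMPLE_TWO_STEP), ("spa", SAMPLE_SPA)):
        print(name, find_login_form("https://app.example.com/login", page))
```

The two failing samples are the cases that most often break Password SSO in practice: a page that asks for the username first and shows the password field on a second page, and a single-page application that renders its form from JavaScript, so the saved HTML has no form at all. Both need a different login URL (or are not candidates) rather than more configuration in Azure AD.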

SaaS Shared Accounts Configuration


Approximate time to Complete: 30 minutes

Prerequisites
1. The list of target applications and their exact sign-in URLs, prepared ahead of time. As an example, you can use Twitter.
   Resources: Sign up for Twitter
2. Shared credentials for the SaaS applications.
   Resources: Sharing accounts using Azure AD; Azure AD automated password roll-over for Facebook, Twitter and LinkedIn now in preview! (Enterprise Mobility and Security Blog)
3. Credentials for at least two team members who will access the same account. They must be part of a security group.
   Resources: Azure AD and Applications: Assigning Users to an Application
4. Local administrator access to a computer to deploy the Access Panel Extension for IE, Chrome or Firefox.
   Resources: Access Panel Extension for IE; Access Panel Extension for Chrome; Access Panel Extension for Firefox

Steps
1. Add and configure the SaaS application.
   Resources: What is application access and single sign-on with Azure Active Directory?
2. Assign access to the security group and map it to the shared account.
   Resources: Sharing accounts using Azure AD
3. If using Twitter, Facebook or LinkedIn, set up and discuss the password rollover capabilities.
   Resources: Azure AD automated password roll-over for Facebook, Twitter and LinkedIn now in preview! (Enterprise Mobility and Security Blog)
4. Log in as different users and confirm that each of them lands in the same shared account.
   Resources: Introduction to the Access Panel; Launching Applications; View your access and usage reports
5. Optionally, check the application usage reports. Note that there is some latency, so you need to wait some time before the traffic appears in the reports.
   Resources: View your access and usage reports; Azure Active Directory Reporting Latencies

Considerations
1. If the target application is not present in the gallery, you can add it as a custom (bring your own) application. Learn more:
   a. Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
   Keep in mind the following requirements:
   - The application must have a known login URL.
   - The sign-in page must contain an HTML form with one or more text fields that the browser extension can auto-populate. At a minimum, it must contain a username field and a password field.

Groups Delegated Ownership


Approximate time to Complete: 10 minutes

Prerequisites
1. A SaaS application (Federated SSO or Password SSO) has already been configured.
   Resources: Building block: SaaS Federated SSO Configuration
2. The cloud group that is assigned access to the application in #1 is identified.
   Resources: Building block: SaaS Federated SSO Configuration
3. Credentials for the group owner are available.
   Resources: Managing access to resources with Azure Active Directory groups
4. Credentials for the information worker accessing the app have been identified.
   Resources: Introduction to the Access Panel; Launching Applications

Steps
1. Identify the group that has been granted access to the application, and configure its owner.
   Resources: Managing owners for a group
2. Log in as the group owner and view the group membership.
   Resources: Introduction to the Access Panel; Manage your groups
3. Add the information worker you want to test with.
   Resources: Managing groups in Azure Active Directory: How do I add or remove individual users in a security group?
4. Log in as the information worker and confirm the tile is available.
   Resources: Introduction to the Access Panel; Launching Applications

Considerations
1. If the application has provisioning enabled, you might need to wait a few minutes for the provisioning to
complete before accessing the application as the information worker.

SaaS and Identity Lifecycle


Approximate time to Complete: 15 minutes

Prerequisites
1. A SaaS application has already been configured.
   Resources: Building block: SaaS Federated SSO Configuration
2. The group that is assigned access to the application in #1 is identified.
   Resources: Building block: SaaS Federated SSO Configuration
3. Credentials for the information worker accessing the app have been identified.

Steps
1. Remove the user from the group the app is assigned to.
   Resources: Managing groups in Azure Active Directory: How do I add or remove individual users in a security group?
2. Wait a few minutes for de-provisioning.
   Resources: Automated SaaS App User Provisioning in Azure AD: How does automated provisioning work?
3. In a separate browser session, log in as the information worker to the My Apps portal and confirm that the tile is missing.
   Resources: Accessing the Access Panel
4. Check the provisioning reports to confirm that the de-provisioning happened. Also check the management console of the SaaS app to see the status update for the user.
   Resources: Automated SaaS App User Provisioning in Azure AD: How can I track the progress of the current provisioning job?

Considerations
1. Extrapolate the POC scenario to leaver and leave-of-absence scenarios. If the user is disabled or removed in on-premises AD, there is no longer a way to log in to the SaaS application through Azure AD. Note that this closes access end to end only for Federated SSO, or where provisioning disables the user in the SaaS application; with Password SSO the application's own account and password stay valid until they are changed or the account is removed in the application itself.

Self Service Password Reset


Approximate time to Complete: 15 minutes

Prerequisites
1. Enable self-service password management in your tenant.
   Resources: Enable users to reset or change their AD Passwords
2. Enable password writeback to manage passwords from on-premises. Note that this requires specific Azure AD Connect versions.
   Resources: Password Writeback prerequisites
3. Identify the POC users that will use this functionality, and make sure they are members of a security group. The users must be non-admins to fully showcase the capability.
   Resources: Customize: Azure AD Password Management: Restrict Access to password reset
Steps
1. Log in as a global admin.
   Resources: Azure classic portal
2. Determine the password reset policy. For POC purposes, you can use phone call and security questions (Q & A). It is recommended to require registration on login to the Access Panel.
   Resources: Getting Started: Azure AD Password Management: Configure Password Reset Policy
3. Log out and log in as an information worker.
   Resources: Accessing the Access Panel
4. Supply the self-service password reset registration data as configured in step 2.
   Resources: http://aka.ms/ssprsetup
5. Close the browser.
6. Start the login process again as the information worker you used in step 4.
   Resources: Accessing the Access Panel
7. Reset the password.
   Resources: How to update your own password using Azure Active Directory
8. Try logging in with your new password to Azure AD as well as to on-premises resources.

Considerations
1. If upgrading Azure AD Connect is going to cause friction, consider running the POC against cloud-only accounts, or demo it in a separate environment.
2. Administrators are subject to a different password reset policy, and using an admin account to reset the password might taint the POC and cause confusion. Make sure you use a regular user account to test the reset operations.

Self Service Access to Application Management


Approximate time to Complete: 10 minutes

Prerequisites
1. Identify the POC users that will request access to the applications; they must be part of the security group.
   Resources: Building block: SaaS Federated SSO Configuration
2. Target application deployed.
   Resources: Building block: SaaS Federated SSO Configuration

Steps
1. Log in as a global admin.
   Resources: Azure classic portal
2. Turn on delegated group management.
   Resources: Making a group available for end user self-service
3. Set the group with the POC users in the setting "Users who can self-service for security groups".
   Resources: Making a group available for end user self-service
4. Locate the target application and turn on self-service application access.
   Resources: Configuring Self-Service application access
5. Log in as the information worker to the My Apps portal.
   Resources: Accessing the Access Panel
6. Notice the "Add applications" tile, click it, and notice that the target application appears.
   Resources: Accessing the Access Panel

Considerations
1. The applications chosen might have provisioning requirements, so going immediately to the app might cause some errors. If the application chosen supports provisioning with Azure AD and it is configured, you can use this as an opportunity to show the whole flow working end to end. See the building block for federated SSO applications for further recommendations.

Azure Multi-Factor Authentication with Phone Calls


Approximate time to Complete: 10 minutes

Prerequisites
1. Identify the POC users that will use MFA.
2. A phone with good reception for the MFA challenge.
   Resources: Methods available for multi-factor authentication

Steps
1. Log in as a global admin.
   Resources: Azure classic portal
2. Navigate to the MFA portal.
   Resources: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
3. In Service Settings, select "Call to phone" as one of the available methods.
   Resources: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
4. In the user settings, select the POC users.
   Resources: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
5. Log in as the POC user and walk through the proof-up (registration) process.
   Resources: Accessing the Access Panel

Considerations
1. The POC steps in this building block explicitly enforce MFA for a user on all logins. Other tools such as Conditional Access and Identity Protection engage MFA in more targeted scenarios. Consider this when moving from POC to production.
2. The POC steps in this building block explicitly use phone calls as the MFA method for expedience. As you transition from POC to production, we recommend using an authenticator application such as the Microsoft Authenticator as your second factor whenever possible; the draft NIST guidance classifies out-of-band authentication over the public telephone network (voice calls and SMS) as a restricted authenticator.
   Learn more: DRAFT NIST Special Publication 800-63B

MFA Conditional Access for SaaS applications


Approximate time to Complete: 10 minutes

Prerequisites
1. Identify the POC users to target with the policy. These users should be in a security group to scope the conditional access policy.
   Resources: Building block: SaaS Federated SSO Configuration
2. A SaaS application has already been configured.
   Resources: Building block: SaaS Federated SSO Configuration
3. POC users are already assigned to the application.
   Resources: Building block: SaaS Federated SSO Configuration
4. Credentials for the POC user are available.
   Resources: Building block: SaaS Federated SSO Configuration
5. The POC user is registered for MFA, using a phone with good reception.
   Resources: http://aka.ms/ssprsetup
6. A device in the internal network, with an IP address in the internal address range.
   Resources: Find your IP address: https://www.bing.com/search?q=what%27s+my+ip
7. A device in the external network (this can be a phone using the carrier's mobile network).

Steps
1. Log in as a global admin.
   Resources: Azure classic portal
2. Navigate to the SaaS application configuration.
   Resources: Azure Conditional Access for SaaS Apps
3. Deploy the conditional access policy to require MFA for access from the external network. It is recommended to scope this policy to the security group that contains the POC users.
   Resources: Azure Conditional Access for SaaS Apps
4. On the internal network device, log in to https://myapps.microsoft.com/<domain>. Notice that no MFA challenge happened.
   Resources: Accessing the Access Panel
5. On the external network device, log in to https://myapps.microsoft.com/<domain>. Notice that the MFA challenge happened.
   Resources: Accessing the Access Panel

Considerations
1. If you are using federation, you can use the on-premises Identity Provider (IdP) to communicate the inside/outside corporate network state with claims. With this technique you do not have to manage the list of IP addresses, which can be complex to assess and maintain in large organizations. In that setup, you need to account for the network roaming scenario (a user logs in from the internal network and, while logged in, switches location, for example to a coffee shop): the network state is captured when the IdP issues the token, so the user is not re-challenged until a new token is requested. Make sure you understand the implications.
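To reason through the two outcomes in steps 4 and 5, and the roaming case from the consideration above, before touching the tenant, the following Python script evaluates the same policy offline: a sign-in by a user in the POC group is allowed when it comes from the internal address range and requires MFA otherwise. It is an added example, not Microsoft's policy engine. The trusted ranges, group and sign-in records are constructed (RFC 5737 test addresses); the federated variant is modelled with the AD FS insidecorporatenetwork claim type, which is an assumption about your IdP since the playbook does not name the claim; and the policy is assumed to run only when a token is issued, which is what makes the roaming gap visible.

```python
"""Offline evaluation of the location-based policy from the steps above:
require MFA when a sign-in by a user in the POC group does not come from
the internal address range, and allow it otherwise.

Added example, not Microsoft's policy engine. Assumptions: the trusted
ranges, group and sign-in records are constructed (RFC 5737 test
addresses); the federated variant from the Considerations is modelled
with the AD FS insidecorporatenetwork claim type, which the playbook does
not name; and the policy is evaluated only when a token is issued, which
is what makes the roaming gap visible.
"""
import ipaddress

# Claim an AD FS IdP can emit to say the request came from the corporate network (assumed IdP setup).
INSIDE_CORPNET_CLAIM = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"

# Constructed: the "internal address range" of the POC tenant.
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
# Constructed: the security group the policy is scoped to.
POC_GROUP = {"alice@contoso.example", "bob@contoso.example"}


def is_trusted_location(ip):
    """True when ip falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def evaluate(signin, use_idp_claim=False):
    """Decide one token issuance: "mfa", "allow" or "not in scope".

    With use_idp_claim=True the inside/outside state is taken from the
    IdP claim instead of the source IP, as in the federated variant."""
    if signin["user"] not in POC_GROUP:
        return "not in scope"
    if use_idp_claim:
        inside = signin.get("claims", {}).get(INSIDE_CORPNET_CLAIM) == "true"
    else:
        inside = is_trusted_location(signin["ip"])
    return "allow" if inside else "mfa"


def evaluate_session(user, events):
    """Walk a roaming session made of ("auth", ip) and ("use", ip) events.

    The policy runs only on "auth" events (a token is issued); a "use"
    event presents the token already held and is not re-evaluated, so a
    move from the office to a coffee shop goes unchallenged until the
    next token request. Returns the decisions for the auth events."""
    return [evaluate({"user": user, "ip": ip}) for kind, ip in events if kind == "auth"]


# Constructed sign-in records matching steps 4 and 5 and the Considerations.
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.example", "ip": "203.0.113.42"},   # step 4: internal device
    {"user": "alice@contoso.example", "ip": "192.0.2.7"},      # step 5: phone on carrier network
    {"user": "carol@contoso.example", "ip": "192.0.2.7"},      # external, but not in the POC group
    {"user": "bob@contoso.example", "ip": "192.0.2.9",         # federated IdP vouches for "inside"
     "claims": {INSIDE_CORPNET_CLAIM: "true"}},
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s["user"], s["ip"], "ip policy:", evaluate(s), "claim policy:", evaluate(s, use_idp_claim=True))
    roaming = [("auth", "203.0.113.42"), ("use", "192.0.2.7"), ("auth", "192.0.2.7")]
    print("roaming session:", evaluate_session("alice@contoso.example", roaming))
```

The roaming session in the usage block is the point of the consideration: the first token is issued inside and allowed, the later use from the coffee shop rides on that token, and only the next token request triggers the MFA challenge. The same holds whether the inside/outside state comes from the IP list or from the IdP claim.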

Privileged Identity Management (PIM)


Approximate time to Complete: 15 minutes

Prerequisites
1. Identify the global admin that will be part of the POC for PIM.
   Resources: The Azure AD Privileged Identity Management security wizard
2. Identify the global admin that will become the Security Administrator.
   Resources: The Azure AD Privileged Identity Management security wizard; Roles in PIM
3. Register the global admins with MFA. Make sure to use a phone with good reception.
   Resources: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud
4. Optional: confirm that the global admins have email access, to exercise email notifications in PIM.
   Resources: Configure the role activation settings
Steps
1. Log in to https://portal.azure.com as a global admin (GA) and bootstrap the PIM blade. The global admin that performs this step is seeded as the security administrator. Let's call this actor GA1.
   Resources: The Azure AD Privileged Identity Management security wizard
2. Identify the global admin and move them from permanent to eligible. For clarity, this should be a separate admin from the one used in step 1. Let's call this actor GA2.
   Resources: How to add or remove a user role; How to manage role activation settings
3. Now log in as GA2 to https://manage.windowsazure.com. Navigate to the Users tab and notice the message about not having permissions. This corresponds to the non-activated role state.
4. In a new tab and in the same session as step 3, navigate to https://portal.azure.com and add the PIM blade to the dashboard.
   Resources: Add the Privileged Identity Management application
5. Request activation of the Global Administrator role.
   Resources: Activate a role
6. Go back to the original tab from step 3 and click the refresh button in the browser. Note that you now have access to the management console when clicking the Users tab.
7. Optionally, if your global administrators have email enabled, check GA1's and GA2's inboxes and see the notification of the role being activated.
8. Check the audit history and observe that the report shows the elevation of GA2.
   Resources: Review role activity

Considerations
1. This capability is part of Azure AD Premium P2 and/or EMS E5.

Discovering Risk Events


Approximate time to Complete: 20 minutes

Prerequisites
1. A device with the Tor Browser downloaded and installed.
   Resources: Download Tor Browser
2. Access to the POC user to do the login.
   Resources: Azure Active Directory Identity Protection playbook

Steps
1. Open the Tor Browser.
   Resources: Download Tor
2. Log in to https://myapps.microsoft.com with the POC user account.
   Resources: Simulating Risk Events
3. Wait 5-7 minutes.
   Resources: Simulating Risk Events
4. Log in as a global admin to https://portal.azure.com and open the Identity Protection blade.
   Resources: https://aka.ms/aadipgetstarted
5. Open the risk events blade. You should see an entry under "Sign-ins from anonymous IP addresses".
   Resources: Simulating Risk Events

Considerations
1. This capability is part of Azure AD Premium P2 and/or EMS E5.
2. You can discuss other risk events as well.

Deploying Sign-in risk policies


Approximate time to Complete: 10 minutes

Prerequisites
1. A device with the Tor Browser downloaded and installed.
   Resources: Download Tor
2. Access as a POC user to do the login testing.
   Resources: Sign-in risk
3. The POC user is registered with MFA. Make sure to use a phone with good reception.
   Resources: Building Block: Azure Multi-Factor Authentication with Phone Calls

Steps
1. Log in as a global admin to https://portal.azure.com and open the Identity Protection blade.
   Resources: https://aka.ms/aadipgetstarted
2. Enable a sign-in risk policy as follows:
   - Assigned to: POC user
   - Conditions: sign-in risk medium or higher (a sign-in from an anonymous location is deemed medium risk)
   - Controls: require MFA
   Resources: Sign-in risk
3. Open the Tor Browser.
   Resources: Download Tor
4. Log in to https://myapps.microsoft.com with the POC user account.
   Resources: Accessing the Access Panel
5. Notice the MFA challenge.
   Resources: Risky sign-in recovery
Considerations
1. This capability is part of Azure AD Premium P2 and/or EMS E5.
2. You can discuss other risk events as well. Learn more: Types of risk events detected by Azure Active Directory Identity Protection
3. For more step-by-step guidance on other Azure AD Identity Protection scenarios, check the Azure Active Directory Identity Protection playbook.
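The two Identity Protection building blocks above (Discovering Risk Events and Deploying Sign-in risk policies) can be walked through offline with the following Python script: it runs two simple detectors over a handful of sign-in records, flags the Tor Browser sign-in as "Sign-ins from anonymous IP addresses", and then applies the policy from step 2 (assigned to the POC user, medium or higher, require MFA) to each sign-in. It is an added example, not Identity Protection's detection code. The sign-in records, the anonymizer exit list and the IP-to-location table are constructed (RFC 5737 test addresses); the medium level for an anonymous IP is the one the playbook states, while the impossible-travel detector (named after the Identity Protection event type of that name) and its medium level are this example's own simplification.

```python
"""Offline sketch of the two Identity Protection building blocks above:
flag an anonymous-IP sign-in like the one step 5 of "Discovering Risk
Events" expects, then apply the sign-in risk policy from "Deploying
Sign-in risk policies" (assigned to the POC user, medium or higher,
require MFA).

Added example, not Identity Protection's detection code. Assumptions:
the sign-in records, the anonymizer exit list and the IP-to-location
table are constructed (RFC 5737 test addresses); the medium level for an
anonymous IP is the one the playbook states, while the impossible-travel
detector (named after the Identity Protection event type) and its medium
level are this example's own simplification.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

ANONYMIZER_EXITS = {"192.0.2.50", "192.0.2.51"}      # constructed, not a real Tor exit list
GEO = {                                              # constructed ip -> (place, lat, lon)
    "203.0.113.42": ("office", 47.67, -122.12),
    "198.51.100.9": ("Sydney", -33.87, 151.21),
    "192.0.2.50": ("exit node", 52.52, 13.41),
}
POLICY = {"users": {"poc.user@contoso.example"}, "min_level": "medium", "control": "mfa"}


def _km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def detect_risk_events(signins, max_kmh=900):
    """Return (user, time, event_type, level) tuples for the sign-ins.

    Two detectors: source IP on the anonymizer list, and a move between
    two located sign-ins of the same user faster than max_kmh."""
    events, last_by_user = [], {}
    for s in sorted(signins, key=lambda r: r["time"]):
        if s["ip"] in ANONYMIZER_EXITS:
            events.append((s["user"], s["time"], "Sign-ins from anonymous IP addresses", "medium"))
        prev = last_by_user.get(s["user"])
        if prev and s["ip"] in GEO and prev["ip"] in GEO:
            hours = (s["time"] - prev["time"]).total_seconds() / 3600
            if hours > 0 and _km(GEO[prev["ip"]][1:], GEO[s["ip"]][1:]) / hours > max_kmh:
                events.append((s["user"], s["time"], "Impossible travel to atypical locations", "medium"))
        last_by_user[s["user"]] = s
    return events


def sign_in_risk_level(events_for_signin):
    """A sign-in's risk level is the highest level among its events."""
    return max((e[3] for e in events_for_signin), key=RISK_ORDER.get, default="none")


def apply_signin_risk_policy(signin, events, policy=POLICY):
    """Return "mfa", "allow" or "not in scope" for one sign-in."""
    if signin["user"] not in policy["users"]:
        return "not in scope"
    mine = [e for e in events if e[0] == signin["user"] and e[1] == signin["time"]]
    if RISK_ORDER[sign_in_risk_level(mine)] >= RISK_ORDER[policy["min_level"]]:
        return policy["control"]
    return "allow"


# Constructed sign-in records: an office sign-in, the Tor Browser sign-in
# from the steps, a Tor sign-in by a user outside the policy, and a later
# sign-in from far away.
T0 = datetime(2017, 3, 1, 9, 0)
SAMPLE_SIGNINS = [
    {"user": "poc.user@contoso.example", "ip": "203.0.113.42", "time": T0},
    {"user": "poc.user@contoso.example", "ip": "192.0.2.50", "time": T0 + timedelta(minutes=40)},
    {"user": "other@contoso.example", "ip": "192.0.2.51", "time": T0 + timedelta(hours=1)},
    {"user": "poc.user@contoso.example", "ip": "198.51.100.9", "time": T0 + timedelta(hours=2)},
]

if __name__ == "__main__":
    found = detect_risk_events(SAMPLE_SIGNINS)
    for e in found:
        print(e)
    for s in SAMPLE_SIGNINS:
        print(s["user"], s["ip"], "->", apply_signin_risk_policy(s, found))
```

Two things worth noticing when you run it: the user outside the policy assignment also produces an anonymous-IP event but gets no MFA challenge, which is why step 2 scopes the policy to the POC user, and the risk level of a sign-in is the maximum of its events, so a sign-in that trips several medium detectors still evaluates as medium rather than high.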
