
Azure Active Directory

Modern Access
Demo Guide

Updated: June 12th, 2019

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site
references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and
use this document for your internal, reference purposes.

© 2019 Microsoft. All rights reserved.

Contents
Demo Overview: Azure Active Directory – Core Features
  Increase productivity and reduce helpdesk costs with self-service and single sign-on experiences
  Manage and control access to corporate resources
  Scenarios and Features
  Demo Prerequisites
  Demo Personas
  Intended Audience
Provide Seamless Access Demo Steps
  Cloud Connect Seamlessly Intro
  Single Sign-On
  Bring-Your-Own-Apps
  Demo Reset Steps
Facilitate Collaboration Demo
  Pre-Demo Steps
  Cross-Organization Collaboration
  Demo Reset Steps
Unlock IT Efficiencies Demo Steps
  Pre-Demo Steps
  Advanced User Lifecycle Management
  Ease of Use for End Users
  Low IT Overhead
  Demo Reset Steps
Appendix: Set up the Demo Tenant
  Send Welcome Email to Isaiah Langer to Join Group
  Configure BrowserStack SaaS Application with Azure AD
  Configure Salesforce Integration with Azure AD
  Install Access Panel Extension

Demo Overview: Azure Active Directory – Core Features
As employees bring their personal devices to work and adopt readily available SaaS applications,
maintaining control over their applications across corporate datacenters and public cloud
platforms has become a significant challenge.
Microsoft has proven experience in identity management through Windows Server Active
Directory and Microsoft Identity Manager. Now we have extended our offerings to provide you
with a powerful set of cloud-based identity and access management solutions on Azure Active
Directory.

Increase productivity and reduce helpdesk costs with self-service and single sign-on experiences
Employees are more productive when they have a single username and password to remember
and a consistent experience from every device. They also save time when they can perform
self-service tasks like resetting a forgotten password, or requesting access to an application,
without waiting for assistance from the helpdesk.

Manage and control access to corporate resources


Microsoft identity and access management solutions help IT protect access to applications and
resources across the corporate datacenter and into the cloud, enabling additional levels of
validation such as multi-factor authentication and conditional access policies. Monitoring
suspicious activity through advanced security reporting, auditing and alerting helps mitigate
potential security issues.

Scenarios and Features


The Azure Active Directory: Core demo guide covers the technical scenarios listed below.
Please note that some scenarios are available as PowerPoint click-through demos only, because
they require too much setup to perform live in a demo environment.
Scenario & Value Prop / Technical Scenario / This Guide's Location

Provide seamless access ("I want to provide my employees access to every app from any location
and any device")
 Cloud Connect Seamlessly: N/A
 Single Sign-On: Demo Guide
 Bring Your Own Apps: Demo Guide

Facilitate collaboration ("I want my customers and partners to access the apps they need")
 Cross-Organization Collaboration (B2B): Demo Guide

Unlock IT efficiencies ("I want to automate the user identity lifecycle and cut down on
helpdesk costs")
 Advanced User Lifecycle Management: Demo Guide
 Ease of Use for End Users: Demo Guide
 Low IT Overhead: Demo Guide

Demo Prerequisites
The following is required for the demo presentation:
 A Microsoft 365 Enterprise Demo Content demo environment provisioned through the
https://cdx.transform.microsoft.com portal.
 A Windows PC or Virtual Machine running Windows 10.
The demo tenant is pre-provisioned with a lot of content and settings that are ready to use.
However, some settings need to be configured manually. Please ensure the activities in
Appendix: Set up the Demo Tenant are performed against the tenant before the first demo.

Demo Personas
The recommended demo personas to use for performing demos in this guide, unless otherwise
stated, are:
 Administrator scenarios: admin@<tenant>.onmicrosoft.com
 End user scenarios (Hero User): Isaiah Langer, IsaiahL@<tenant>.onmicrosoft.com
The default password for both users can be found on your tenant's information card under My
Environments at https://cdx.transform.microsoft.com.

Intended Audience
IT Pros, Business Decision Makers

Provide Seamless Access Demo Steps
Pre-Demo Steps
1. Ensure all sign in information for all users/personas required for this demo is obtained.
2. Use multiple browser sessions (using a combination of regular and InPrivate sessions) or
Chrome browser with multiple identities to switch between identities in this demo.
3. Ensure the demo reset steps at the end of this demo have been performed (if this is a repeat
of the demo).
4. Prepare a browser session for administrator experience:
a. Launch Edge browser in In-Private mode, or in another browser, or using
DevEdge profiles.
b. Log in to the Azure Portal (https://portal.azure.com) as the Global Admin,
admin@<tenant>.onmicrosoft.com, using the tenant password from your
tenant card on https://cdx.transform.microsoft.com.
c. In the left-hand navigation, click Azure Active Directory.
5. Prepare a browser session for end user experience:
a. Launch Edge browser.
b. Log in to the My Apps Portal (https://myapps.microsoft.com) as the user Isaiah
Langer, IsaiahL@<tenant>.onmicrosoft.com using the tenant password from
your tenant card on https://cdx.transform.microsoft.com.

Cloud Connect Seamlessly Intro


Azure AD Connect integrates on-premises directories with Azure Active Directory. This provides
a common identity for users of Office 365, Azure, and SaaS applications integrated with Azure
AD. Integrating on-premises directories with Azure AD makes users more productive by
providing a common identity for accessing both cloud and on-premises resources.
 Users can use a single identity to access on-premises applications and cloud services
such as Office 365.
 A single tool provides an easy deployment experience for synchronization and sign-in.
 Azure AD Connect replaces older versions of identity integration tools such as DirSync
and Azure AD Sync. For more information, see Hybrid Identity directory integration tools
comparison.

Single Sign-On

Introduction

Speaker Script:
Azure AD integrates with thousands of today's popular SaaS applications (e.g., Concur,
SuccessFactors, WorkDay and so on), supporting single sign-on (SSO) authentication and identity,
and providing secure access management to applications.
Azure AD supports federated SSO through Microsoft Azure AD Single Sign-on and password SSO to
third-party apps and internal custom apps.

Click Steps:
No click steps.

Single sign-on authentication

Speaker Script:
Single sign-on allows users to access all the applications and resources they need to do
business by signing in only once, using a single user account. Once signed in, users can access
all the applications they need without being required to authenticate (e.g., type a password) a
second time.
Azure AD supports three types of single sign-on authentication:
 SAML-based Sign-on – This option uses federated sign-on to allow users to automatically sign
into a SaaS app using the user account information from Azure AD.
 Password Single Sign-On – This option enables users to be automatically signed into the
third-party application by Azure AD using a specific set of credentials.
 Linked Single Sign-on – This option supports single sign-on to the app using Active Directory
Federation Services (ADFS) or another third-party single sign-on provider.

Click Steps:
NOTE: This demo scenario assumes the Salesforce enterprise application is already configured
for SSO.
Open the browser with the Global Admin user signed in to the Azure Portal and opened to the
Azure Active Directory blade.
Under Manage, click Enterprise applications.
In All applications, click Salesforce.
Under Manage, click Single sign-on.
At the top, click Change single sign-on mode and point to the available authentication types.
Click SAML to return to the Salesforce – SAML-based sign-on blade.

Azure AD SSO (federated) with Salesforce

Speaker Script:
Contoso is onboarding the Salesforce application for availability to all employees, to provide
on-demand services that help with global customer communications. The admin has added the
Salesforce application to Azure AD from the Azure AD Application Gallery. To simplify access to
the application, the admin configured Salesforce with federated SSO. Let's review how it was
configured.
The Sign on URL points to the web-based sign-in page for this application. If the application
is configured to perform service provider-initiated single sign-on, then when a user navigates
to this URL, the service provider will do the necessary redirections to authenticate and log
the user in to the application.
The admin had to do some configuration within the Salesforce application. This included
uploading the certificate that was downloaded from here and configuring the Salesforce
authentication provider.
Beyond single sign-on, Azure AD also supports account provisioning, so when users from Azure AD
are assigned access to Salesforce, they find their user account in Salesforce automatically.

Click Steps:
Under Basic SAML Configuration, point to the Sign on URL field.
Point to the SAML Signing Certificate section and note the properties of the certificate.
In the Set up Salesforce section, click View step-by-step instructions.
Scroll down the Configure sign-on blade reviewing the instructions specific to this tenant,
then click X to close the blade and return to the Salesforce – SAML-based sign-on blade.
In the Salesforce – SAML-based sign-on blade, under Manage, click Provisioning.
Review the Settings:
 Click Admin Credentials to expand and review the section
 Click Mappings to expand and review the section
 Point to Settings configuration
 Point to Synchronization Details

Assign groups and users to Salesforce

Speaker Script:
The last step to enabling SSO integration is to assign the users and groups who can access the
app.
The admin has assigned the Sales and Marketing security group access to Salesforce, so every
member of this group has access to this app. Anyone who joins the Sales and Marketing group will
automatically have access to the Salesforce application.
The admin can add individual users as well. Because automated user provisioning is enabled, the
admin receives a prompt to define what type of Salesforce profile the user should have.
Newly provisioned users will have access to Salesforce via the Application Panel as soon as they
are granted access by the Administrator.

Click Steps:
Under Manage, click Users and groups.
Click to the left of sg-Sales and Marketing to check mark it.
At the top, click Edit.
Click Select Role and review the roles that are available.
Click the X to close the Select Role blade (without making any changes).
Click the X to close the Edit Assignment blade (without making any changes).
At the top right, click the X to close the Salesforce – Users and Groups blade (without making
any changes).

End user experience

Speaker Script:
The Azure AD access panel is a cross-device, cross-browser portal, supporting iOS, Android, Mac,
and Windows. To reach the Access Panel, users authenticate against Azure AD once; they can then
view or access any of the applications listed in the MyApps portal. If the application was
configured for SSO by the administrator, users don't need to re-authenticate to access the
application: single sign-on takes care of the authentication automatically.
Here, Isaiah Langer is logged into the Access Panel using his corporate credentials and can see
all the applications available to him. He has seamless access to various line-of-business and
custom applications, without having to remember multiple logins and passwords for each.

Click Steps:
Switch to the browser session for https://myapps.microsoft.com logged in as
IsaiahL@<tenant>.onmicrosoft.com.
Point to the various enterprise application icons on the page.
Click Salesforce. Salesforce will launch in a new browser tab.
NOTE: If prompted, enter the tenant password again to confirm.
NOTE: If the display message reading 'Access to Salesforce is Monitored' appears, click Continue
to Salesforce.
Point out the automated login to Salesforce.
Click the user icon in the top right corner of the page to see the name Isaiah Langer.
Close the Salesforce browser tab to return to Apps.
Sign out and close the Access Panel Application browser window.
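The assignment review and the signing-certificate check that the Salesforce walkthrough points at in the portal can also be run as a script. This is an added example, not part of the demo guide; it assumes the AzureAD PowerShell module, a Connect-AzureAD session as the Global Admin, the application display name "Salesforce" from the demo tenant, and a 30-day expiry warning threshold chosen here.

```powershell
# Added example, not part of the demo guide: audit an enterprise application's SSO exposure
# with the AzureAD PowerShell module. Assumes Connect-AzureAD has already been run as the
# Global Admin and that the application is named "Salesforce", as in the demo tenant.
param(
    [string]$AppDisplayName = "Salesforce",
    [int]$WarnDays = 30    # assumed threshold for flagging a certificate that expires soon
)

# Locate the enterprise application (its service principal) by display name.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found." }
Write-Host "Application         : $($sp.DisplayName) (ObjectId $($sp.ObjectId))"

# If assignment is not required, every user in the tenant can launch the app,
# regardless of the users and groups listed below.
Write-Host "Assignment required : $($sp.AppRoleAssignmentRequired)"

# 1. Who can reach the app. Group assignments (the demo's sg-Sales and Marketing) are the
#    ones to watch: anyone added to the group inherits access without a per-user decision.
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
foreach ($a in $assignments) {
    Write-Host ("  {0,-5} {1}" -f $a.PrincipalType, $a.PrincipalDisplayName)
    if ($a.PrincipalType -eq "Group") {
        $members = @(Get-AzureADGroupMember -ObjectId $a.PrincipalId -All $true)
        Write-Host ("        {0} member(s) inherit access through this group" -f $members.Count)
    }
}

# 2. The SAML signing certificate the demo points at in the portal. An expired certificate
#    breaks SSO for every assigned user, and a rolled certificate must also be uploaded to
#    Salesforce, so its expiry date belongs in a monitoring schedule.
$signingKeys = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId |
    Where-Object { $_.Usage -eq "Sign" }
foreach ($k in $signingKeys) {
    $daysLeft = [int]($k.EndDate - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { "EXPIRED" } elseif ($daysLeft -lt $WarnDays) { "EXPIRING" } else { "OK" }
    Write-Host ("Signing cert {0}: valid until {1:yyyy-MM-dd} ({2} days left) {3}" -f `
        $k.KeyId, $k.EndDate, $daysLeft, $state)
}
```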

Bring-Your-Own-Apps

Introduction

Speaker Script:
The Azure AD application gallery features thousands of applications that may be added to the
organization, but if a third-party application cannot be found, one may be added as a custom
app for the organization to use.
Azure Active Directory also has an Application Proxy that provides secure remote access to
on-premises web applications. After a single sign-on to Azure AD, users can access both cloud
and on-premises applications through an external URL or an internal application portal. For
example, Application Proxy can provide remote access and single sign-on to Remote Desktop,
SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications.

Click Steps:
No click steps.

SSO for third-party services

Speaker Script:
Contoso uses a third-party expense management and reporting solution. The solution is provided
as a SaaS application by a vendor called Woodgrove. The IT administrator would like everyone in
the Sales and Marketing organization to have access to this service in such a way that they
don't need to log in to access the service. Furthermore, Contoso uses only one login for the
entire group, so the admin doesn't want to share the password with everyone.
Although the Woodgrove Expense Manager application is not listed among the thousands of
applications in the Azure SaaS Application Gallery, Azure still gives the admin tools to onboard
it into the organization's application portfolio as a "Non-gallery Application".
Once added, the admin can assign single sign-on, so that once signed in to the Contoso network,
users can access the Expense Reporting Tool without being required to authenticate (e.g., type
a password) a second time.

Click Steps:
Open a new session of the browser with the My Apps Secure Sign In extension enabled, navigate
to the Azure Portal (https://portal.azure.com) and log in as admin@<tenant>.onmicrosoft.com
using the tenant password from your tenant card on https://cdx.transform.microsoft.com.
In the left-hand navigation, click Azure Active Directory, and then under Manage, click
Enterprise applications.
Click + New application at the top of the page.
Under the Add your own app section, click Non-gallery application.
In the Name field of the Add your own application blade, type Woodgrove Expense Manager, and
then at the bottom, click Add.

Password single sign-on

Speaker Script:
This function allows Azure AD to automatically sign users in to third-party SaaS applications,
like the Expense Reporting Tool, using the app's user account information.
The admin adds the URL of the Woodgrove Expense Report sign-in page.
The admin can now test drive the Expense Reporting App's sign-in page, which opens in a new tab.
A sign-in form was successfully detected at the provided URL, so the admin can now assign users
to the application or view and edit the sign-in field labels.
The admin assigns the Sales and Marketing security group access to the Woodgrove Expense
Reporting app, so all members of this group have access to the app. Also, anyone who joins the
Sales and Marketing group will automatically have access to the application.
OPTIONAL: Azure AD allows custom apps to be configured with custom icons to make it easy for
administrators to apply custom branding. It also allows for easy identification by end users.

Click Steps:
Under Manage, click Single sign-on.
Under Select a single sign-on method, select Password-based.
In the Sign-on URL textbox, copy/paste this URL:
https://woodgroveexpensemanager.azurewebsites.net
Click Save.
When the changes have successfully saved, click Configure Woodgrove Expense Manager Password
Single Sign-on Settings.
NOTE: This may take a minute or two to process.
In the Configure sign-on blade, select the Manually detect sign-in fields option.
Click the Capture sign-in fields link. A new browser tab will open the sign-in page for the
Expense Reporting app.
NOTE: Should you be prompted for a Microsoft login, use the admin@<tenant>.onmicrosoft.com
credentials from the tenant card.
NOTE: If you are not redirected to the Woodgrove login page, close all tabs and return to the
Azure Portal > Enterprise Applications > Woodgrove Expense Manager.
Fill in the sign-in form as follows:
 Email: achimm@woodgrove.com
 Password: pass@word1
Click Sign in.
In the browser message box "Save Captured login details?" click OK. The browser tab with the
Expense Reporting App will close automatically in a few seconds.
In the Configure sign-on blade, click the checkbox Ok, I was able to sign-in to the app
successfully.
NOTE: If the right-hand blade is no longer visible with Ok, I was able to sign-in…, close all
tabs, navigate back to the Azure Portal > Enterprise Applications > Woodgrove Expense Manager
and repeat the credential capture.
Click OK at the bottom of the blade to save.
Under Manage, click Users and groups.
Click + Add user.
Click Users and groups.
Type sg-s, and click the sg-Sales and Marketing security group.
At the bottom of the blade, click Select.
Click Assign credentials.
Set Assign credentials to be shared among all group members? to Yes.
Fill in the credentials form as follows:
 Account Name: achimm@woodgrove.com
 Password: pass@word1
At the bottom of the blade, click OK.
At the bottom of the blade, click Assign to save all changes.
OPTIONAL: Upload a logo for this application:
a. In a new browser tab, navigate to
http://emsassetspub.blob.core.windows.net/demoassets/WoodgroveBank.png
b. Save the image to a suitable location.
c. Return to the Azure Portal browser tab.
d. Under Manage, click Properties.
e. Under Logo, click Select a file.
f. Select the downloaded logo file, then click Open.
g. Click Save.
Close the browser window.

End user experience

Speaker Script:
Here, Isaiah Langer is logged into the Access Panel using his corporate credentials and can see
all the applications available to him. He has seamless access to various line-of-business and
custom applications, without having to remember multiple logins and passwords for each.

Click Steps:
Open a new browser session (either in another browser, in a different profile in DevEdge, or in
a new In-Private session) and sign in to the Access Panel Apps portal
(https://myapps.microsoft.com) as Isaiah Langer (IsaiahL@<tenant>.onmicrosoft.com).
NOTE: It may take up to 10 minutes for the application to appear in the Access Panel.
Click the Woodgrove Expense Manager tile.
If necessary, log in as IsaiahL@<tenant>.onmicrosoft.com.
The app will launch in a new browser tab. Point out the automated login to the app.
Close the browser window.

Demo Reset Steps
Perform these steps after each demo presentation, to keep the demo reusable, only if you will
redo this demo without continuing on. They are not required if you are continuing on.
1. Remove the custom application, Woodgrove Expense Manager, from the list of Azure
AD Enterprise applications. Remove any duplicates if they appear.

Facilitate Collaboration Demo

Pre-Demo Steps
Prior to each demo, follow these steps to ensure a smooth presentation:
1. Ensure all the sign in information for all users/personas required for this demo is
available.
2. Use multiple browser sessions (using a combination of regular and InPrivate sessions) or
Chrome browser with multiple identities to switch between identities in this demo.
3. Ensure demo reset steps have been performed (if this is a repeat of the demo).
4. Prepare a browser session for administrator experience:
a. Launch Edge browser.
b. Log in to the Azure Portal (https://portal.azure.com) as the Global Admin,
admin@<tenant>.onmicrosoft.com, using the tenant password from your
tenant card on https://cdx.transform.microsoft.com.
c. In the left-hand navigation, click Azure Active Directory.
5. Access to email for an external user experience:
a. You will either need to use your work email or create a "demo" email address
(this can be done with an @outlook.com address) that is not part of your demo tenant.
b. You will need to login to this to open an email.

Cross-Organization Collaboration

Introduction

Speaker Script:
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely
share your company's applications and services with guest users from any other organization,
while maintaining control over your own corporate data. Work safely and securely with external
partners, large or small, even if they don't have Azure AD or an IT department. A simple
invitation and redemption process lets partners use their own credentials to access your
company's resources.

Click Steps:
No click steps.

Users supported by Azure AD

Speaker Script:
Azure Active Directory B2B collaboration supports cross-company relationships by enabling
partners to selectively access corporate applications and data using self-managed identities.
Azure AD supports adding four types of users:
 New user in an organization
 User with an existing Microsoft account
 User in another Microsoft Azure AD directory
 Users in a partner company
The Contoso Bug Bashers group is Contoso's internal security user group, dedicated to
cross-platform testing and QA. Contoso has recently taken on a large project where the testing
needs to be performed in collaboration with a Partner firm. How can Contoso users and the
Partners work seamlessly on the same project and access the same assets online?
The Azure AD B2B capabilities allow Contoso to invite Partner users to their directory and
allow them access to only the resources they need.
The Contoso Bug Bashers security group owner or a Global Administrator can add new members to
the group. If the new members are not yet part of the Contoso directory, they can be invited to
join the directory via an automated email.
Here, the Partner receives an email to join the Contoso directory. The Partner need simply click
the link in the email and authenticate with their own existing credentials. Contoso need not
manage their passwords.
As soon as the Partner user accepts the invitation to join Contoso's directory and is added to
the Bug Bashers security group, they have access to the same apps and resources that the other
Contoso members of the group have access to. In this case, they are all able to access the
BrowserStack SaaS application and collaborate on their testing.
Access by external users to corporate applications can be gated by conditional access policies,
the same as for corporate users. Here Azure AD is requiring that multi-factor authentication is
performed to access the BrowserStack application. Other conditional access rules can also be
applied to internal or external users.
Our external user can now access the BrowserStack application, but first they must complete the
initial configuration of MFA.

Click Steps:
1. Switch to the Global Admin user's browser session, on the Azure Active Directory blade.
2. Under Manage, click Groups.
3. Search for and click ssg-Contoso Bug Bashers.
4. Under Manage, click Members.
5. Click + Add members.
6. In Select member or invite an external user, type the external user's email address (the
email address created or chosen in step 5 of the pre-demo steps).
NOTE: You can only invite an external user once. A different user must be used on subsequent
demos.
7. In Include a personal message with the invitation, type Access to Bug Basher group.
8. Click Invite.
9. Click Select.
10. Switch to the external user's email inbox (in a separate browser, client app or mobile).
11. Locate and open the new email from MOD Administrator.
12. Click Get Started in the email body. The link will open in a new browser tab.
13. If needed, follow the setup prompts.
14. On the Review permissions screen, click Accept.
15. In the Access Panel, click BrowserStack (BrowserStack will open in a new browser tab).
16. Close the BrowserStack tab.
17. Switch to the Global Admin user's browser session (Add Members blade).
18. In the left-hand navigation, click Azure Active Directory.
19. Under Manage, click Security.
20. Under Protect, click Conditional Access.
21. Click the Require two-factor authentication for BrowserStack policy.
22. Under Enable policy, click On.
23. Click Save.
24. Switch to the external user's browser session.
25. Refresh the Access Panel Apps page. The BrowserStack app icon should appear on the page.
26. Click BrowserStack.
27. Follow the prompts to configure multi-factor authentication.
28. Point out that the app launches and logs in the external user automatically.
29. Close the browser sessions.
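The invitation, group assignment and guest clean-up of this scenario, scripted with the AzureAD PowerShell module as an added example that is not part of the demo guide. It assumes a Connect-AzureAD session as the Global Admin; the partner address is a placeholder for the mailbox chosen in the pre-demo steps, and the guest report function is this example's own.

```powershell
# Added example, not part of the demo guide: B2B invitation and guest inventory with the
# AzureAD PowerShell module. Assumes Connect-AzureAD has been run as the Global Admin.
$PartnerEmail = "partner@example.com"            # placeholder for the pre-demo mailbox
$GroupName    = "ssg-Contoso Bug Bashers"
$RedirectUrl  = "https://myapps.microsoft.com"   # where the guest lands after redemption

# 1. Invite the partner. Azure AD mails the redemption link; the guest authenticates with
#    their own identity, so Contoso never holds or resets a password for them.
$msg = New-Object -TypeName Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$msg.CustomizedMessageBody = "Access to Bug Basher group"
$inv = New-AzureADMSInvitation -InvitedUserEmailAddress $PartnerEmail `
        -InviteRedirectUrl $RedirectUrl -InvitedUserMessageInfo $msg `
        -SendInvitationMessage $true
$guest = $inv.InvitedUser      # the guest user object created in the tenant
Write-Host "Invited $PartnerEmail as guest ObjectId $($guest.Id); status: $($inv.Status)"

# 2. Membership in the security group, not the invitation itself, is what grants BrowserStack.
$group = Get-AzureADGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found." }
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $guest.Id

# 3. Inventory every guest in the tenant with the groups (and so the apps) they inherit.
#    Guests whose invitation was never redeemed are a sign of an invite sent to a wrong or
#    stale address; guests in many groups are the ones worth a periodic access review.
function Get-GuestReport {
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | ForEach-Object {
        $groups = Get-AzureADUserMembership -ObjectId $_.ObjectId |
                  Where-Object { $_.ObjectType -eq "Group" } |
                  Select-Object -ExpandProperty DisplayName
        [pscustomobject]@{
            Guest    = $_.Mail
            Source   = $_.CreationType            # "Invitation" for B2B guests
            Redeemed = ($_.UserState -eq "Accepted")
            Groups   = ($groups -join "; ")
        }
    }
}
Get-GuestReport | Format-Table -AutoSize

# 4. Demo reset (the guide's "delete the External User account" step): removing the guest
#    also removes every group membership and application access it carried.
# Remove-AzureADUser -ObjectId $guest.Id
```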

Demo Reset Steps
Perform these steps after each demo presentation, to keep the demo reusable, only if you will
redo this demo without continuing on. They are not required if you are continuing on.
1. In the Global Admin user browser session (Add Members blade), delete the External
User account from the tenant’s Azure AD.

Unlock IT Efficiencies Demo Steps

Pre-Demo Steps
Prior to each demo, follow these steps to ensure a smooth presentation:
1. Prepare a browser session for end user Isaiah Langer:
a. Launch Edge browser.
b. Log in to https://outlook.office365.com as
IsaiahL@<tenant>.onmicrosoft.com using the tenant password from your
tenant card on https://cdx.transform.microsoft.com.
2. Prepare a browser session for administrator experience:
a. Launch Edge browser, in an In-Private Session.
b. Log in to the Azure Portal (https://portal.azure.com) as the Global Admin,
admin@<tenant>.onmicrosoft.com, using the tenant password from your
tenant card on https://cdx.transform.microsoft.com.
c. In the left-hand navigation, click Azure Active Directory.

Advanced User Lifecycle Management

Introduction

Speaker Script:
This demo shows how Microsoft Azure AD allows admins to easily add and manage users and groups,
including enabling dynamic group membership.

Click Steps:
No click steps.

Manage Users

Speaker Script:
Contoso is creating a new team to manage development needs for the Finance department. Troy Sun
was recently hired to lead the team. The Contoso admin will add Troy to Azure Active Directory,
then create a dynamic group that allows only Finance team members to join the group
automatically.
This is the directory of all users in the Contoso organization.
The SOURCE column indicates how Azure created each user account. If the source is local Active
Directory, Azure created the account by synchronizing with an on-premises Active Directory. (The
admin must manage these users in the on-premises directory.) If the source is Azure Active
Directory, Azure created the account in the cloud.
The admin must create an account for every user who will access a Microsoft online service, such
as Office 365.
Azure AD supports adding four types of users:
 New user in an organization
 User with an existing Microsoft account
 User in another Microsoft Azure AD directory
 Users in a partner company
The most basic role is User. There are other, elevated roles that can be assigned here.
Azure creates a temporary password for the user that must be changed at the user's first login.
Administrators can easily grant product licenses based on subscriptions already purchased by the
organization. Specifying each user's location (by country) is required before a product license
can be applied, since product service availability and experience may differ by country.
Administrators can track Troy's activities, including his sign-in attempts, application access,
and device usage.

Click Steps:
Start in the Azure Active Directory browser window.
Under Manage, click Users.
Click + New user.
Fill in the new User form as follows:
 Name: Troy Sun
 User name: troys@<tenant>.onmicrosoft.com
Click Directory role, then show the options available.
Click the Show Password checkbox.
Click Create.
In the Search by name or email textbox, type Troy.
NOTE: You may need to scroll up the page to view the Search textbox.
Click the name Troy Sun in the results list.
On the Profile page, point out the long list of properties available in the Azure AD user
profile.
In the Settings section, click Edit and set the Usage location drop-down to the desired country
(e.g., United States).
In the Job title property, type Marketing Analyst.
At the top, click Save.
Under Manage, click Licenses.
Click + Assign.
Click Products.
On the Products blade, click Enterprise Mobility + Security E5, and then click Select.
Click Assignment options.
Point out the list of services included in the Enterprise Mobility + Security E5 license, and
then click OK.
On the Assign license blade, click Assign.
Under Manage, click Devices, and review the information that can be collected.
Below Manage Items, under Activity, click Sign-ins, and review the information that can be
collected.
Under Activity, click Audit logs, and review the information that can be collected.
Manage Groups

Speaker Script:

When many users need to access the same application, organizations can use groups to assign the application to multiple users. Organizations can also use groups to configure access management of other online services that control access to resources (e.g., SharePoint Online).

If the organization is using Office 365, the distribution groups and mail-enabled security groups created and managed within the Exchange Admin Center display here. The source for these groups is Office 365, and the admin must continue managing them in Office 365.

Azure AD also allows dynamic group memberships. Dynamic groups run rules against user object attributes to automatically add and remove users from groups.

Any user that meets the membership requirements (as defined in the group membership query rule) will automatically become a member of the group and gain access to the appropriate resources and privileges.

Click Steps:

In the left navigation, click Azure Active Directory.
Under Manage, click Groups.
Scroll down the list of Groups and point out the GROUP TYPES:
• Distribution group
• Office group
• Security group
Click + New group.
Fill in the new group properties as follows:
• Group type: Office 365
• Name: Marketing Stars
• Membership type: Dynamic User
Click Add dynamic query.
Set the dynamic membership rule as follows:
• Select: Simple rule (default)
• Add users where: jobTitle
• In the next dropdown menu, select Contains
• In the text field, type marketing
Click Add query, and then click Create.
Close the Group blade to return to All groups.
In the Search groups text box, type marketing.
Click Marketing Stars from the results list.
Under Manage, click Members.
Point out the newly created group already has 3 members.
NOTE: It may take a few minutes to see members in the group due to latency in processing the dynamic group query.
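To make the "jobTitle Contains marketing" rule above concrete, here is an added Python illustration (not part of this demo guide and not Azure AD's own code) that evaluates a single-expression dynamic membership rule, written in the `(user.attribute -operator "value")` syntax Azure AD uses, against a constructed list of user objects. The user records, the operator subset, the case-insensitive comparison and the treatment of an unset attribute as an empty string are all assumptions made for this example; the case-insensitive comparison is what lets "marketing" match Troy's title "Marketing Analyst", as the demo expects. It goes slightly beyond the single rule in the text by also handling -eq, -ne, -startsWith and -notContains.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory objects (not exported from any tenant): a few
# users carrying the attribute the demo's rule reads, including one with no
# job title set at all.
USERS: List[Dict[str, Optional[str]]] = [
    {"userPrincipalName": "troys@contoso.example", "jobTitle": "Marketing Analyst"},
    {"userPrincipalName": "alexw@contoso.example", "jobTitle": "Marketing Manager"},
    {"userPrincipalName": "nestorw@contoso.example", "jobTitle": "Digital Marketing Lead"},
    {"userPrincipalName": "pattif@contoso.example", "jobTitle": "QA Manager"},
    {"userPrincipalName": "guest@partner.example", "jobTitle": None},
]

# One expression in the rule syntax Azure AD uses for dynamic groups, e.g.
#   (user.jobTitle -contains "marketing")
RULE_RE = re.compile(
    r'^\(?\s*user\.(?P<attr>\w+)\s+-(?P<op>\w+)\s+"(?P<value>[^"]*)"\s*\)?$'
)

# Operators this toy evaluator understands (a subset of the real rule language).
OPERATORS = {
    "eq": lambda actual, value: actual == value,
    "ne": lambda actual, value: actual != value,
    "contains": lambda actual, value: value in actual,
    "notContains": lambda actual, value: value not in actual,
    "startsWith": lambda actual, value: actual.startswith(value),
}


def parse_rule(rule: str) -> Tuple[str, str, str]:
    """Split a single-expression rule into (attribute, operator, value)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    attr, op, value = m.group("attr"), m.group("op"), m.group("value")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: -{op}")
    return attr, op, value


def evaluate_members(rule: str, users: List[Dict[str, Optional[str]]]) -> List[str]:
    """Return the userPrincipalNames the rule would place in the group.

    Assumptions made by this example: string comparison is case-insensitive
    (the demo expects "marketing" to match "Marketing Analyst") and an unset
    attribute behaves like an empty string rather than raising an error.
    """
    attr, op, value = parse_rule(rule)
    test = OPERATORS[op]
    members = []
    for user in users:
        actual = (user.get(attr) or "").lower()
        if test(actual, value.lower()):
            members.append(user["userPrincipalName"])
    return members


if __name__ == "__main__":
    # The demo's rule: Add users where jobTitle Contains "marketing".
    for upn in evaluate_members('(user.jobTitle -contains "marketing")', USERS):
        print(upn)
```

Running the demo's rule over the sample returns three members, mirroring the "already has 3 members" step. A substring rule such as Contains "marketing" also admits titles like "Digital Marketing Lead"; because membership grants whatever the group is assigned, review the resulting member list, as the demo does, before attaching sensitive resources to a dynamic group.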
Configure Self-service password reset

Speaker Script:

Self-service password reset provides your users the ability to reset their password, with no administrator intervention, when and where they need to.

Self-service password reset includes:
• Password change: I know my password but want to change it to something new.
• Password reset: I can't sign in and want to reset my password using one or more approved authentication methods.
• Account unlock: I can't sign in because my account is locked out and I want to unlock it using one or more approved authentication methods.

Click Steps:

In the left navigation, click Azure Active Directory.
Under Manage, select Password reset.
On the Properties blade, under Self Service Password Reset Enabled, click Selected.
Click Select group.
Type sg-s, then click sg-Sales and Marketing.
Click Select.
On the Properties blade, click Save.
Under Manage, click Authentication methods. Verify the following options:
• Number of methods required to reset: 1
• Methods available to users:
o Email
o Mobile phone
Under Manage, click Registration. Verify and set the following options:
• Require users to register when they sign in: Yes
• Number of days before users are asked to re-confirm their authentication information: 365
Click outside of the text field and click Save.

Ease of Use for End Users

Introduction

Speaker Script:

This scenario demonstrates the user-centered Access Panel, a one-stop shop to share applications and other resources through Azure AD. The demo shows how Azure AD allows an organization to use familiar, well-integrated applications so that users become productive quickly.

Click Steps:

No click steps.
Self-service Password Reset

Speaker Script:

If SSPR is enabled, you must select at least one of the following options for the authentication methods. Sometimes you hear these options referred to as "gates." We highly recommend that you choose two or more authentication methods so that your users have more flexibility in case they are unable to access one when they need it. Authentication methods:
• Mobile app notification (preview)
• Mobile app code (preview)
• Email
• Mobile phone
• Office phone
• Security questions

Users can only reset their password if they have data present in the authentication methods that the administrator has enabled.

Click Steps:

Open a new browser window in Private mode, and browse to https://aka.ms/ssprsetup.
Log in as IsaiahL@<tenant>.onmicrosoft.com using the tenant password from your tenant card on https://cdx.transform.microsoft.com.
On the don’t lose access to your account page, for Authentication Phone is not configured, click Set it up now.
Click Select your country or region and select your country.
Click in the text box and type in your (real) phone number.
Click text me.
Obtain the verification code from the phone and type it in the text box, then click Verify.
On the don’t lose access to your account page, for Authentication Email is not configured, click Set it up now.
Click in the text box and type in your Microsoft email address.
Click email me.
On the don’t lose access to your account page, click finish.

Accessing apps

Speaker Script:

Isaiah has volunteered to join Contoso’s Testing Team. The QA manager has sent an email invitation to join the Contoso Bug Bashers security group.

He clicks the link, which opens the Access Panel at http://myapps.microsoft.com. This is a web-based portal that Isaiah accesses as an end user with an organizational account in Azure Active Directory. The Azure AD administrator has granted Isaiah access to these cloud-based applications. Some are internal to Isaiah’s organization and some are external, such as Twitter and Salesforce. Some are SaaS apps, custom apps, and on-premises apps.

Click Steps:

Switch to the browser tab opened to Outlook, logged in as Isaiah Langer.
Click the email from Patti Fernandez.
Click the link embedded in the email.
In the Access Panel, point to the enterprise applications that Isaiah has access to:
• Microsoft Office 365 apps
• Third party SaaS apps (Salesforce, Twitter, etc.)
Self-Service Group Management

Speaker Script:

Isaiah can also utilize self-service group management capabilities through the Access Panel.

Patti, the QA manager, asked him to join the Bug Bashers security group, so he simply finds the group, then clicks to join it.

This group has been set up to automatically accept join requests. However, it can also be configured to accept requests manually, after the group owner has approved it.

Click Steps:

On the right-hand side, click Groups.
Under Groups I’m in, click + Join group.
Search for and click the ssg-Contoso Bug Bashers group.
Click Join group.
In the Business justification pop-up, type demo, then click Request. Point out the request is auto-approved.
Click OK on the approval message.
Click Groups.
Scroll down the list of Groups I’m in. Note ssg-Contoso Bug Bashers is in the list.
Accessing Single Sign-On Applications

Speaker Script:

In two easy steps, he joins the group and when he returns to the list of applications, he sees the new BrowserStack app. The admin has given the Contoso Bug Bashers security group access to this additional application, so just by joining the group Isaiah now has access to the applications his team is using. He doesn’t need to review a list and add them individually.

Click Steps:

Click on Isaiah’s user icon (user menu in the top-right corner), then click Apps.
Point out a new application appears on the list of applications: BrowserStack.
NOTE: It may take a few minutes and a page refresh to see BrowserStack appear in the list of apps.

Multi-factor Authentication

Speaker Script:

The BrowserStack application has been configured for Multi-Factor Authentication as an added security measure to verify the user.

The first time Isaiah encounters MFA, he’s required to verify his alternate contact info. Once set up, his phone or authenticator app will alert him to respond to the MFA challenge.

Click Steps:

Click BrowserStack.
Respond to the MFA request.
Point out that Isaiah is automatically logged in to the BrowserStack App using the shared account set up by the administrator.
Close the BrowserStack app browser tab to return to the Access Panel.

Accessing App Panel through Office 365

Speaker Script:

Contoso is using Office 365 applications and since Isaiah is licensed to use them, they display on his Access Panel.

When he clicks a tile for an Office 365 application, he is redirected to that application and automatically signed in.

The Office 365 and Azure Active Directory integration allows an organization to place the apps assigned to Isaiah on the launcher in Office 365.

Click Steps:

From the list of Apps, click SharePoint.
Dismiss the SharePoint guided tour pop-up, if prompted.
Click the App Launcher icon (also known as the “waffle” icon) in the top-left corner of the page.
Point out the list of apps under Apps. The list is currently populated with Microsoft Office 365 apps only.
Click All apps, then scroll to the bottom of the list, to Other apps.
Close all browser windows.

Low IT Overhead

Introduction

Speaker Script:

Azure AD Premium offers self-service for password reset, group management, and app management capabilities to empower IT and users’ productivity in an organization. There’s no need for users to make a helpdesk phone call and provide a lot of information to get a temporary password that’s sent in e-mail or shared during the call in an unsecured way.

Click Steps:

No click steps.

Self-Service Password Reset

Speaker Script:

Self-service password reset has numerous benefits:
• Reduce costs - support-assisted password reset is typically 20% of an organization's IT spend
• Improve user experiences - users don't want to call the helpdesk and spend an hour on the phone every time they forget their passwords
• Lower helpdesk volumes - password management is the single largest helpdesk driver for most organizations
• Enable mobility - users can reset their passwords from wherever they are

Isaiah can perform self-service on his Azure AD account, which really empowers him to get work done on the go, without having to depend on the IT help desk or an Administrator.

He can also reset and change his own password, so if he ever goes on vacation and his password expires he can reset it himself. Self-service is a very effective cost cutting method that reduces help desk calls.

Click Steps:

Open a new browser window in Private mode, and then navigate to https://portal.office.com.
In the user name field, type IsaiahL@<tenant>.onmicrosoft.com, then click Next.
On the Enter password window, click Forgot my password.
Note: If using a browser where you were previously signed in you might need to sign out.
Respond to the captcha challenge, then click Next.
Under verification step 1, click Text my mobile phone, type in the full phone number that was registered for Isaiah’s phone verification earlier, and click Text.
Respond to the MFA, and click Next.
Type in a new password, then click Finish.
NOTE: You can reuse your current password for IsaiahL@<tenant>.onmicrosoft.com.

Demo Reset Steps

Perform these steps after a demo presentation only if you are going to redo this demo without continuing on to the next scenario; they return the tenant to its starting state so the demo can be reused. They are not required if you are continuing on.
1. In https://portal.azure.com:
a. Log in as the Global Admin.
b. In Azure Active Directory > Users, right-click on Troy Sun and click Delete.
c. In Azure Active Directory > Groups, right-click on Marketing Stars and click Delete.
d. In Azure Active Directory > Conditional Access > Require two-factor authentication for BrowserStack policy, set Enable policy to Off.
2. In https://myapps.microsoft.com:
a. Log in as IsaiahL.
b. Leave the security group ssg-Contoso Bug Bashers.
c. Reset Isaiah Langer’s password, or note the new password for the next demo.

Appendix: Set up the Demo Tenant
When using a demo environment provisioned through https://cdx.transform.microsoft.com, the tenant is already equipped with appropriate trial licenses for the underlying products and populated with relevant content. Configuration or validation of policy settings is still required, as described below. These steps need to be performed only once per demo environment.

Send Welcome Email to Isaiah Langer to Join Group

You will need to send an email to Isaiah Langer with a link to join the ssg-Contoso Bug Bashers security group in Azure AD to enable access to the BrowserStack application when demonstrating the Ease of Use for End Users scenario.
1. Open a new InPrivate browser tab and log into Outlook on the Web (https://outlook.office365.com) as Patti Fernandez (PattiF@<tenant>.onmicrosoft.com).
2. Compose an email message like the following:
To: Isaiah Langer (isaiahL@<tenant>.onmicrosoft.com)
Subject: Welcome to the Bug Bashers Team
Message: Hello Isaiah,
Welcome to the Contoso Bug Bashers team! Please join our ssg-Contoso Bug Bashers security group so you can begin accessing all testing resources and applications.
Thank you,
Patti
3. Ensure the text in the message body "join our ssg-Contoso Bug Bashers security group" has a hyperlink pointing to https://myapps.microsoft.com.
4. Click Send.

Configure BrowserStack SaaS Application with Azure AD

Estimated Setup Time: 5 minutes
You will be using the BrowserStack app to demonstrate Self-Service Group Management in MyApps.
Sign up for a Demo BrowserStack Account
You will need to sign up for a new BrowserStack account, if you don’t have a demo BrowserStack account already.
1. In a new InPrivate browser session, navigate to https://browserStack.com/users/sign_up.
2. Complete the form with the following information:
• Full Name: Contoso Demo
• Email: admin@<Tenant>.onmicrosoft.com
• Password: <Tenant Password>
3. Click to agree to BrowserStack’s Terms of Service and Privacy Policy.
4. Click Sign me up, and verify your sign up.
Confirm email address for BrowserStack account
5. In a new browser tab, navigate to https://outlook.office365.com and log in as admin@<Tenant>.onmicrosoft.com.
6. Locate the email from BrowserStack, then click the Activate Account link in the email body.
7. If prompted, log in as admin@<tenant>.onmicrosoft.com.
Configure BrowserStack for Conditional Access with Azure AD
8. In a new browser tab, browse to the Azure Management Portal (https://portal.azure.com).
9. If necessary, log in as the tenant’s Global Admin user, admin@<Tenant>.onmicrosoft.com.
10. In the left-hand navigation, click Azure Active Directory.
11. Under Manage, click Enterprise applications.
Note: if BrowserStack isn’t in the list of applications, manually add BrowserStack from the Azure SaaS applications gallery by clicking + New application.
12. Under Security, click Conditional Access.
13. Click + New policy.
14. Type a name for the new rule, e.g. Require two-factor authentication for BrowserStack.
15. Complete the following settings (the remaining settings can remain at their defaults):
• Users and groups > Include > All users > Done
• Cloud apps or actions > Select apps / BrowserStack > Select > Done
• Grant > Grant access > Require multi-factor authentication > Select
• Enable policy > Off
16. Click Create to save the policy settings.
17. Click X to close the Conditional Access – Policies blade.
Configure SSO for BrowserStack
18. Under Manage, click All applications.
19. In the All applications list, click the BrowserStack title.
20. Under Manage, click Single sign-on.
21. Click Password-based, and then click Save.
22. Under Manage, click Users and groups.
23. Click to the left of ssg-Contoso Bug Bashers to check it.
24. Click Update Credentials.
25. Type in the BrowserStack account you configured earlier (admin@<TENANT>.onmicrosoft.com and password) in the text box, then click Save.
26. Click X to close the Update Credentials blade.

Configure Salesforce Integration with Azure AD

Estimated Setup Time: 40 minutes
The Salesforce application is added to your demo Azure AD, but not yet configured for SSO. Please follow the detailed guidance below to sign up for a Salesforce account for your demo tenant and configure SSO with your tenant’s Azure AD.
Sign up for a Salesforce Developer Account
1. In a new, InPrivate Edge browser session, navigate to https://developer.salesforce.com/signup. Complete the signup form as follows:
First Name: Contoso
Last Name: Admin
Email: admin@<Tenant>.onmicrosoft.com
Role: Administrator
Company: Contoso
Country/Postal Code: (as appropriate)
Username: admin@<Tenant>.onmicrosoft.com
2. Select the Master Subscription Agreement checkbox, then click Sign me up.
3. If necessary, click X to close the GDPR message.
4. When prompted to check email to confirm the account:
a. Open a new browser tab and navigate to https://outlook.office365.com.
b. If necessary, sign in as admin@<Tenant>.onmicrosoft.com.
c. Locate the email from Salesforce requesting account verification and click Verify Account. You’ll be directed to the Salesforce web site.
Note: The Welcome to Salesforce email used to verify your account could be in the Other tab. The window might also need to be refreshed to show the email.
5. Provide a password for Salesforce.
6. Pick a security question and answer it.
7. Click Change Password.
Note: You’ll be directed to the Salesforce Home page. Keep this Salesforce administration tab open.
8. Classic UI: In the left navigation pane, expand Domain Management, then click My Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings, then click My Domain.
Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to Salesforce.
9. Under Choose Your Domain Name, type your tenant name in the textbox (e.g. m365x123456).
10. Click Check Availability.
11. Wait for the availability to be verified.
Note: You may either refresh the page until it is verified or refresh Outlook until the email notification arrives.
12. Click Register Domain.
Note: Please wait 10 - 15 minutes before proceeding to the next step. The custom domain name you just registered requires some time to take effect.
13. In the left navigation, click My Domain, then refresh the page. The domain follows the pattern: https://{TENANT}-dev-ed.my.salesforce.com.
14. Click Log in. If prompted to Navigate to this page, click Open.
15. If prompted to register your mobile phone, click I Don’t Want to Register My Phone.
16. If prompted, log in with your Salesforce administrator user ID (admin@<Tenant>.onmicrosoft.com) and password.
Note: The My Domain page will re-load, and the URL for this page will be updated to the custom domain name containing your tenant name, https://<TENANT>-dev-ed.my.salesforce.com.
17. In the My Domain section, click Deploy to Users.
18. Click OK.
19. If the Classic Salesforce UI is displayed, in the upper right corner, click Switch to Lightning Experience.
20. If you switched to the Lightning Experience, you will need to click the gear in the upper right corner, and then click Setup.
Enable automatic account provisioning

1. In a new browser tab, browse to the Azure Management Portal (https://portal.azure.com).
2. If necessary, log in as the tenant’s Global Admin user, admin@<Tenant>.onmicrosoft.com.
3. In the left-hand navigation menu, click Azure Active Directory.
4. On the left, under Manage, click Enterprise Applications.
5. In the All applications list, click the Salesforce title.
6. Under Manage, click Users and groups.
7. Click + Add user.
8. Click Users and groups.
9. On the Users and groups blade, in the Search by name or email address box, type MOD, then click admin@<Tenant>.onmicrosoft.com from the user list, and then click Select.
10. Click Select Role, and then click System Administrator.
11. Click Select.
12. Click Assign.
13. On the Salesforce – Users and groups blade, click the check box for sg-Sales and Marketing, and then click Edit.
14. Click Select Role, and then click Chatter Free User.
15. Click Select.
16. Click Assign.
Enable automatic account provisioning
17. On the Salesforce blade, under Manage, click Provisioning.
18. On the Provisioning Mode drop-down list, click Automatic.
19. Under Admin Credentials, type in admin@<Tenant>.onmicrosoft.com and the Password for accessing Salesforce.
20. Obtain a Secret Token as follows:
a. Switch to the Salesforce administration browser tab. If the Salesforce tab was closed, go to https://{TENANT}-dev-ed.my.salesforce.com
b. Click the user menu (the avatar icon at the top-right corner of the page), then click Settings.
c. In the left navigation, click Reset My Security Token.
d. Click the Reset Security Token button.
e. Navigate back to the administrator’s inbox, and then copy the security token.
f. Switch back to the Azure portal, to the Salesforce – Provisioning blade.
21. In the Secret Token textbox, paste in the security token string.
22. Click Test Connection.
Note: You should see a notification saying “Testing connection to Salesforce. The supplied credentials are authorized to enable provisioning”.
23. Set Notification Email to admin@<Tenant>.onmicrosoft.com and check Send an email notification when a failure occurs.
24. At the top of the Salesforce – Provisioning blade, click Save.
25. Under Settings, scroll down if needed to Provisioning Status and set it to On.
26. At the top of the Salesforce – Provisioning blade, click Save to complete the account provisioning settings.
Configure SSO for Azure AD
27. Under Manage, click Single sign-on.
28. On the Select a single sign-on method page, click SAML to enable single sign-on.
29. In step 1 Basic SAML configuration, click the pen to edit the Sign on URL and Identifier:
o Identifier (Entity ID) (Required): https://{Tenant}-dev-ed.my.salesforce.com
o Reply URL (Assertion Consumer Service URL): https://{Tenant}-dev-ed.my.salesforce.com
o Sign-on URL (Required): https://{Tenant}-dev-ed.my.salesforce.com
Note: Verify that there is NO space after the URL https://{Tenant}-dev-ed.my.salesforce.com.
30. At the top of the Basic SAML Configuration pane, click Save. After the configuration is successfully saved, click X to close the Basic SAML Configuration blade.
31. If you are prompted to Test single sign-on with Salesforce, click No, I’ll validate later.
32. In step 3 SAML Signing Certificate, on the Federation Metadata XML option, click Download. Save this XML file to your local system; you will use it later in Salesforce.
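The Federation Metadata XML downloaded in step 32 carries the issuer (entityID), the sign-on and logout endpoints and the signing certificate that Salesforce will trust, and the "NO space after the URL" note in step 29 matters because SAML entity IDs and URLs are compared as exact strings, so a stray space or slash produces an assertion that Salesforce rejects. The following Python is an added example, not part of this demo guide and not code from Azure AD or Salesforce: it parses a constructed metadata document in the shape Azure AD publishes for an enterprise app (the all-zeros tenant id and the certificate body are placeholders, not real values) and checks the three Basic SAML Configuration values against the demo's expected `https://{tenant}-dev-ed.my.salesforce.com` pattern, flagging whitespace, non-https URLs and mismatches. The `check_sp_urls` function and its expected pattern are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed federation metadata in the shape Azure AD publishes for an
# enterprise application. The tenant id (all zeros) and the certificate
# body are placeholders for this example, not values from any real tenant.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIC0PLACEHOLDERCERTIFICATEBODY==</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract the values Salesforce needs from IdP federation metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    certs: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both uses.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Base64 bodies are often wrapped; strip all whitespace.
            certs.append("".join((cert.text or "").split()))
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "slo_url": slo.get("Location") if slo is not None else None,
        "signing_certs": certs,
    }


def check_sp_urls(tenant: str, identifier: str, reply_url: str, sign_on_url: str) -> List[str]:
    """Compare the Basic SAML Configuration values with the demo's expected
    https://{tenant}-dev-ed.my.salesforce.com. Returns a list of findings;
    an empty list means all three values are acceptable."""
    expected = f"https://{tenant}-dev-ed.my.salesforce.com"
    findings: List[str] = []
    for name, value in (("Identifier", identifier),
                        ("Reply URL", reply_url),
                        ("Sign-on URL", sign_on_url)):
        if value != value.strip():
            findings.append(f"{name}: leading or trailing whitespace")
        cleaned = value.strip()
        if not cleaned.startswith("https://"):
            findings.append(f"{name}: not an https URL")
        if cleaned != expected:
            findings.append(f"{name}: expected {expected!r}, got {cleaned!r}")
    return findings


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
    url = "https://m365x123456-dev-ed.my.salesforce.com"
    # The trailing space on the third value is the mistake step 29 warns about.
    print(check_sp_urls("m365x123456", url, url, url + " "))
```

When pasting the Identity Provider Login URL into Salesforce in the later steps, the `sso_url` extracted here is the value to compare against; the signing certificate is what Salesforce uses to verify assertions, so when the certificate is rotated in Azure AD the metadata must be re-uploaded on the Salesforce side.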
Set up Salesforce for SSO
1. Switch to the Salesforce administration browser tab. If the Salesforce tab was closed, go to https://{TENANT}-dev-ed.my.salesforce.com
2. In the upper right-hand corner, click the configuration cog, and then click Setup.
3. Classic UI: In the left navigation pane, expand Security Controls, then click Single Sign-On Settings.
Lightning UI: In the left navigation pane, scroll down under SETTINGS, expand Identity, then click Single Sign-On Settings.
Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to Salesforce.
4. Classic UI: On the Federated Single Sign-on Using SAML section, click Edit, click SAML Enabled and then click Save. On the Single Sign-on Settings section, click New from Metadata File to configure SAML sign-on settings.
Lightning UI: Above the Federated Single Sign-on Using SAML section, click Edit, click SAML Enabled and then click Save. On the Single Sign-On Settings section, click New from Metadata File to configure SAML sign-on settings.
5. Upload the Federation Metadata XML you downloaded from the Azure portal.
NOTE: This defaults to Salesforce.xml as the filename.
6. Click Create.
7. On the SAML Single Sign-On Settings configuration page, make the following updates or verify the information:
o Name: AzureSSO
o API Name: AzureSSO
o Entity ID: https://{Tenant}-dev-ed.my.salesforce.com (this may be prepopulated; double check to confirm it is correct)
o SAML Identity Type: Assertion contains the User's Salesforce username (this should be the default)
o Identity Provider Login URL: this may be prepopulated; however, copy/paste it from the Configure sign-on blade in the Azure window, which should look like: https://login.microsoftonline.com/851...
o Identity Provider Logout URL: this may be prepopulated; however, copy/paste it from the Configure sign-on blade in the Azure window, which should look like: https://login.microsoftonline.com/....
8. Click Save to apply your SAML single sign-on settings.
9. Classic UI: In the left navigation pane, expand Domain Management, then click My Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings, then click My Domain.
10. Scroll down to the Authentication Configuration section, and click the Edit button.
11. Under Authentication Service, uncheck Login Form, then select AzureSSO as the Authentication Service of your SAML SSO configuration, and then click Save.

Set up Salesforce for SSO

1. Switch back to the Azure portal; on the Salesforce - SAML-based sign-on blade, under Manage, click Single sign-on.
2. In step 5, Validate single sign-on with Salesforce, click Validate.
3. Click on Sign in as current user.
4. You will be redirected to the Salesforce Dashboards or Home Page.

Install Access Panel Extension
Some demos require access to the Azure AD access panel (https://myapps.microsoft.com). This
web site requires a browser extension.
To configure Microsoft Edge for the Access Panel Extension:
1. Launch Microsoft Edge and navigate to https://myapps.microsoft.com.
2. Log in as Isaiah Langer (IsaiahL@<tenant>.onmicrosoft.com and password).
3. Click the Twitter tile.
4. In the My Apps Secure Sign-in Extension window click Install Now.
5. Complete the installation wizard to install the My Apps Secure Sign-In Extension.
6. Switch back to the Edge browser session.
7. On the You have a new extension notification, click Turn it on.
8. Close all Edge browser windows.
9. Relaunch Microsoft Edge and navigate to https://myapps.microsoft.com.
10. Log in as Isaiah Langer (IsaiahL@<tenant>.onmicrosoft.com and password).
11. Test Salesforce SSO login by clicking on the Salesforce tile. This should log Isaiah into
the Salesforce Dashboard or Home Page.