Modern Access
Demo Guide
This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site
references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and
use this document for your internal, reference purposes.
Contents
Demo Overview: Azure Active Directory – Core Features (page 3)
  Increase productivity and reduce helpdesk costs with self-service and single sign-on experiences (page 3)
  Manage and control access to corporate resources (page 3)
  Scenarios and Features (page 3)
  Demo Prerequisites (page 4)
  Demo Personas (page 4)
  Intended Audience (page 4)
Provide Seamless Access Demo Steps (page 5)
  Cloud Connect Seamlessly Intro (page 5)
  Single Sign-On (page 6)
  Bring-Your-Own-Apps (page 8)
  Demo Reset Steps (page 12)
Facilitate Collaboration Demo (page 13)
  Pre-Demo Steps (page 13)
  Cross-Organization Collaboration (page 13)
  Demo Reset Steps (page 16)
Unlock IT Efficiencies Demo Steps (page 17)
  Pre-Demo Steps (page 17)
  Advanced User Lifecycle Management (page 17)
  Ease of Use for End Users (page 20)
  Low IT Overhead (page 22)
  Demo Reset Steps (page 23)
Appendix: Set up the Demo Tenant (page 25)
  Send Welcome Email to Isaiah Langer to Join Group (page 25)
  Configure BrowserStack SaaS Application with Azure AD (page 25)
  Configure Salesforce Integration with Azure AD (page 27)
  Install Access Panel Extension (page 32)
Demo Overview: Azure Active Directory – Core Features
As employees bring their personal devices to work and adopt readily available SaaS applications,
maintaining control over their applications across corporate datacenters and public cloud
platforms has become a significant challenge.
Microsoft has proven experience in identity management through Windows Server Active
Directory and Microsoft Identity Manager. Now we have extended our offerings to provide you
with a powerful set of cloud-based identity and access management solutions on Azure Active
Directory.
Increase productivity and reduce helpdesk costs with self-service and single sign-on experiences
Employees are more productive when they have a single username and password to remember and a consistent experience from every device. They also save time when they can perform self-service tasks like resetting a forgotten password, or requesting access to an application, without waiting for assistance from the helpdesk.
Demo Prerequisites
The following is required for the demo presentation:
• A Microsoft 365 Enterprise Demo Content demo environment provisioned through the https://cdx.transform.microsoft.com portal.
• A Windows PC or Virtual Machine running Windows 10.
The demo tenant is pre-provisioned with a lot of content and settings that can be used immediately. However, some settings need to be manually configured. Please ensure the following activities are performed against the tenant prior to the first demo:
• Appendix: Set up the Demo Tenant
Demo Personas
The recommended demo personas to use for performing demos in this guide, unless otherwise stated, are:
• Administrator scenarios: admin@<tenant>.onmicrosoft.com
• End user scenarios (Hero User): Isaiah Langer, IsaiahL@<tenant>.onmicrosoft.com
The default password for both users can be found on your tenant’s information card under My Environments at https://cdx.transform.microsoft.com.
Intended Audience
IT Pros, Business Decision Makers
Provide Seamless Access Demo Steps
Pre-Demo Steps
1. Ensure all sign-in information for all users/personas required for this demo is obtained.
2. Use multiple browser sessions (using a combination of regular and InPrivate sessions) or the Chrome browser with multiple identities to switch between identities in this demo.
3. Ensure the demo reset steps at the end of this demo have been performed (if this is a repeat of the demo).
4. Prepare a browser session for the administrator experience:
   a. Launch the Edge browser in In-Private mode, or use another browser, or use DevEdge profiles.
   b. Log in to the Azure Portal (https://portal.azure.com) as the Global Admin, admin@<tenant>.onmicrosoft.com, using the tenant password from your tenant card on https://cdx.transform.microsoft.com.
   c. In the left-hand navigation, click Azure Active Directory.
5. Prepare a browser session for the end user experience:
   a. Launch the Edge browser.
   b. Log in to the My Apps Portal (https://myapps.microsoft.com) as the user Isaiah Langer, IsaiahL@<tenant>.onmicrosoft.com, using the tenant password from your tenant card on https://cdx.transform.microsoft.com.
Single Sign-On
Introduction
Speaker script:
Azure AD integrates with thousands of today’s popular SaaS applications (e.g., Concur, SuccessFactors, WorkDay and so on), supporting single sign-on (SSO) authentication and identity, and providing secure access management to applications.
Azure AD supports federated SSO through Microsoft Azure AD Single Sign-on and password SSO to third party apps and internal custom apps.
Click steps: No click steps.

Single sign on authentication
Speaker script:
Single sign-on allows users to access all the applications and resources they need to do business, by signing in only once using a single user account. Once signed in, users can access all the applications they need without being required to authenticate (e.g. type a password) a second time.
Azure AD supports three types of single sign-on authentication:
Click steps:
NOTE: This demo scenario assumes the Salesforce enterprise application is already configured for SSO.
• Open the browser with the Global Admin user signed in to the Azure Portal and opened to the Azure Active Directory blade.
• Under Manage, click Enterprise applications.
Azure AD SSO (federated) with Salesforce
Speaker script:
Contoso is onboarding the Salesforce application for availability to all employees to provide on-demand services that help with global customer communications. The admin has added the Salesforce application to Azure AD from the Azure AD Application Gallery. To simplify access to the application, the admin configured Salesforce with federated SSO. Let’s review how it was configured.
The Sign on URL points to the web-based sign-in page for this application. If the application is configured to perform service provider-initiated single sign on, then when a user navigates to this URL, the service provider will do the necessary redirections to authenticate and log the user in to the application.
The admin had to do some configurations within the Salesforce application. This included uploading the certificate that was downloaded from here and configuring the Salesforce authentication provider.
Beyond single sign-on, Azure AD also supports account provisioning, so when users from Azure AD are assigned access to Salesforce, they find their user account in Salesforce automatically.
Click steps:
• Under Basic SAML Configuration, point to the Sign on URL field.
• Point to the SAML Signing Certificate section and note the properties of the certificate.
• In the Set up Salesforce section, click View step-by-step instructions.
• Scroll down the Configure sign-on blade reviewing the instructions specific to this tenant, then click X to close the blade and return to the Salesforce – SAML-based sign-on blade.
• In the Salesforce – SAML-based sign-on blade, under Manage, click Provisioning.
• Review the Settings:
  o Click Admin Credentials to expand and review the section.
  o Click Mappings to expand and review the section.
  o Point to Settings configuration.
  o Point to Synchronization Details.

Assign groups and users to Salesforce
Speaker script:
The last step to enabling SSO integration is to assign the users and groups who can access the app.
The admin has assigned the Sales and Marketing security group access to Salesforce, so any member of this group has access to this app.
Anyone who joins the Sales and Marketing group will automatically have access to the Salesforce application.
The admin can add individual users also. Because automated user provisioning is enabled, the admin receives a prompt to define what type of Salesforce profile the user should have.
Newly provisioned users will have access to Salesforce via the Application Panel as soon as they are granted access by the Administrator.
Click steps:
• Under Manage, click Users and groups.
• Click to the left of sg-Sales and Marketing to check mark it.
• At the top, click Edit.
• Click Select Role and review the roles that are available.
• Click the X to close the Select Role blade (without making any changes).
• Click the X to close the Edit Assignment blade (without making any changes).
• At the top right, click the X to close the Salesforce – Users and Groups blade (without making any changes).
End user experience
Speaker script:
The Azure AD access panel is a cross-device/cross-browser portal, supporting iOS, Android, Mac, and Windows.
To reach the Access Panel, users authenticate against Azure AD once; they can then view or access any of the applications listed in the MyApps portal. If the application was configured for SSO by the administrator, the users don’t need to re-authenticate to access the application: single sign-on will take care of the authentication automatically.
Here, Isaiah Langer is logged into the Access Panel using his corporate credentials and can see all the applications available to him. He has seamless access to various line-of-business and custom applications, without having to remember multiple logins and passwords for each.
Click steps:
• Switch to the browser session for https://myapps.microsoft.com logged in as IsaiahL@<tenant>.onmicrosoft.com.
• Point to the various enterprise application icons on the page.
• Click Salesforce. Salesforce will launch in a new browser tab.
  NOTE: If prompted, enter the tenant password again to confirm.
  NOTE: If the display message reading ‘Access to Salesforce is Monitored’ appears, click Continue to Salesforce.
• Point out the automated login to Salesforce.
• Click the user icon, in the top right corner of the page, to see the name Isaiah Langer.
• Close the Salesforce browser tab to return to Apps.
• Sign out and close the Access Panel Application browser window.
Bring-Your-Own-Apps

Introduction
Speaker script:
The Azure AD application gallery features thousands of applications that may be added to the organization, but if a third-party application cannot be found, one may be added as a custom app for the organization to use.
Azure Active Directory also has an Application Proxy that provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications.
Click steps: No click steps.
Speaker script:
The admin adds the URL to the Woodgrove Expense Report sign-in page.
The admin can now test drive the Expense Reporting App’s sign-in page, which opens in a new tab.
Click steps:
• In the Sign-on URL textbox, copy/paste this URL: https://woodgroveexpensemanager.azurewebsites.net
• Click Save.
• When the changes have successfully saved, click Configure Woodgrove Expense Manager Password Single Sign-on Settings.
  NOTE: This may take a minute or two to process.
• In the Configure sign-on blade, select the Manually detect sign-in fields option.
• Type sg-s, and click the sg-Sales and Marketing security group.
Demo Reset Steps
Perform these steps after each demo presentation so that the demo can be repeated, but only if you are redoing this demo without continuing on to the next one. They are not required if continuing on.
1. Remove the custom application, Woodgrove Expense Manager, from the list of Azure AD Enterprise applications. Remove any duplicates if they appear.
Facilitate Collaboration Demo
Pre-Demo Steps
Prior to each demo, follow these steps to ensure a smooth presentation:
1. Ensure all the sign-in information for all users/personas required for this demo is available.
2. Use multiple browser sessions (using a combination of regular and InPrivate sessions) or the Chrome browser with multiple identities to switch between identities in this demo.
3. Ensure the demo reset steps have been performed (if this is a repeat of the demo).
4. Prepare a browser session for the administrator experience:
   a. Launch the Edge browser.
   b. Log in to the Azure Portal (https://portal.azure.com) as the Global Admin, admin@<tenant>.onmicrosoft.com, using the tenant password from your tenant card on https://cdx.transform.microsoft.com.
   c. In the left-hand navigation, click Azure Active Directory.
5. Access to email for an external user experience:
   a. You will either need to use your work email or create a “demo” email address (can be done with an @outlook.com email) that is not part of your demo tenant.
   b. You will need to log in to this mailbox to open an email.
Cross-Organization Collaboration
Introduction
Speaker script:
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources.
Click steps: No click steps.
Users supported by Azure AD
Speaker script:
Azure Active Directory B2B collaboration supports cross-company relationships by enabling partners to selectively access corporate applications and data using self-managed identities.
Azure AD supports adding four types of users:
Click steps:
1. Switch to the Global Admin user’s browser session, on the Azure Active Directory blade.
2. Under Manage, click Groups.
Speaker script:
As soon as the Partner user accepts the invitation to join Contoso’s directory, and is added to the Bug Bashers security group, they have access to the same apps and resources that other Contoso members of the group have access to. In this case, they are all able to access the BrowserStack SaaS application, and collaborate on their testing.
Click steps:
12.
13. Click Get Started in the email body. The link will open in a new browser tab.
14. If needed, follow the set up prompts.
15. On the Review permissions screen, click Accept.
16. In the Access Panel, click BrowserStack (BrowserStack will open in a new browser tab).
17. Close the BrowserStack tab.

Speaker script:
Access by external users to corporate applications can be gated by conditional access policies, the same as for corporate users. Here Azure AD is requiring that multi-factor authentication is performed to access the BrowserStack application. Other conditional access rules can also be applied to internal or external users.
Click steps:
18. Switch to the Global Admin user browser session (Add Members blade).
19. In the left-hand navigation, click Azure Active Directory.
20. Under Manage, click Security.
21. Under Protect, click Conditional Access.
22. Click the Require two-factor authentication for BrowserStack policy.
23. Under Enable policy, click On.
24. Click Save.

Speaker script:
Our external user can now access the BrowserStack application, but first they must complete the initial configuration of MFA.
Click steps:
25. Switch to the external user browser session.
26. Refresh the Access Panel Apps page. The BrowserStack app icon should appear on the page.
27. Click BrowserStack.
28. Follow the prompts to configure multi-factor authentication.
29. Point out that the app launches and logs in the external user automatically.
30. Close the browser sessions.
Demo Reset Steps
Perform these steps after each demo presentation so that the demo can be repeated, but only if you are redoing this demo without continuing on to the next one. They are not required if continuing on.
1. In the Global Admin user browser session (Add Members blade), delete the External User account from the tenant’s Azure AD.
Unlock IT Efficiencies Demo Steps
Pre-Demo Steps
Prior to each demo, follow these steps to ensure a smooth presentation:
1. Prepare a browser session for end user Isaiah Langer:
   a. Launch the Edge browser.
   b. Log in to https://outlook.office365.com as IsaiahL@<tenant>.onmicrosoft.com using the tenant password from your tenant card on https://cdx.transform.microsoft.com.
2. Prepare a browser session for the administrator experience:
   a. Launch the Edge browser in an In-Private session.
   b. Log in to the Azure Portal (https://portal.azure.com) as the Global Admin, admin@<tenant>.onmicrosoft.com, using the tenant password from your tenant card on https://cdx.transform.microsoft.com.
   c. In the left-hand navigation, click Azure Active Directory.
Speaker script:
The SOURCE column indicates how Azure created each user account. If the source is local Active Directory, Azure created the account by synchronizing with an on-premises Active Directory. (The admin must manage these users in the on-premises directory.) If the source is Azure Active Directory, Azure created the account in the cloud.
The admin must create an account for every user who will access a Microsoft online service, such as Office 365.
Azure AD supports adding four types of users:
• New user in an organization
• User with an existing Microsoft account
• User in another Microsoft Azure AD directory
• Users in a partner company
The most basic role is User. There are other elevated roles that can be assigned here.
Azure creates a temporary password for the user that must be changed at the user’s first login.
Click steps:
• In the Search by name or email textbox, type Troy.
• Click the name Troy Sun in the results list.
  NOTE: You may need to scroll up the page to view the Search textbox.
• On the Profile page, point out the long list of properties available in the Azure AD user profile.
• In the Settings section, click edit and set the Usage location drop-down to the desired country (e.g. United States).
• In the Job title property, type Marketing Analyst.
• At the top, click Save.

Speaker script:
Administrators can easily grant product licenses based on subscriptions already purchased by the organization. Specifying each user’s location (by country) is required before a product license can be applied, since product service availability and experience may differ by country.
Click steps:
• Under Manage, click Licenses.
• Click + Assign.
• Click Products.
• On the Products blade, click Enterprise Mobility + Security E5, and then click Select.
• Click Assignment options.
• Point out the list of services included in the Enterprise Mobility + Security E5 license, and then click OK.
• On the Assign license blade, click Assign.

Speaker script:
Administrators can track Troy’s activities, including his sign-in attempts, application access, and device usage.
Click steps:
• Under Manage, click Devices, and review the information that can be collected.
• Below Manage Items, under Activity, click Sign-ins, and review the information that can be collected.
• Under Activity, click Audit logs, and review the information that can be collected.
Manage Groups
Speaker script:
When many users need to access the same application, organizations can use groups to assign the application to multiple users.
Organizations can also use groups to configure access management of other online services that control access to resources (e.g., SharePoint Online).
If the organization is using Office 365, the distribution groups and mail-enabled security groups created and managed within the Exchange Admin Center display here. The source for these groups is Office 365, and the admin must continue managing them in Office 365.
Click steps:
• In the left navigation, click Azure Active Directory.
• Under Manage, click Groups.
• Scroll down the list of Groups and point out the GROUP TYPES:
  o Distribution group
  o Office group
  o Security group

Speaker script:
Azure AD also allows dynamic group memberships. Dynamic groups run rules against user object attributes to automatically add and remove users from groups.
Any user that meets the membership requirements (as defined in the group membership query rule) will automatically become a member of the group and gain access to the appropriate resources and privileges.
Click steps:
• Click + New group.
• Fill in the new group properties as follows:
  o Group type: Office 365
  o Name: Marketing Stars
  o Membership type: Dynamic User
• Click Add dynamic query.
• Set the dynamic membership rule as follows:
  o Select: Simple rule (default)
  o Add users where: jobTitle
  o In the next dropdown menu, select Contains
  o In the text field, type marketing
• Click Add query, and then click Create.
• Close the Group blade to return to All groups.
• In the Search groups text box, type marketing.
• Click Marketing Stars from the results list.
• Under Manage, click Members.
• Point out the newly created group already has 3 members.
  NOTE: It may take a few minutes to see members in the group due to latency in processing the dynamic group query.
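As an added example that is not part of the demo guide, the same Marketing Stars dynamic group can be created with the Microsoft Graph PowerShell SDK, with a preview of which users the rule will pull in before the group is bound to any application. It assumes the Microsoft.Graph modules are installed and you sign in as the tenant's Global Admin; the mail nickname marketingstars is a constructed value.

```powershell
# Added example (not from the demo guide): recreate the "Marketing Stars"
# dynamic Office 365 group from the Manage Groups section via Microsoft Graph,
# previewing the users the rule will match before creating it.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Rule text that the portal's Simple rule "jobTitle Contains marketing" generates.
$rule = '(user.jobTitle -contains "marketing")'

# 1. Preview who the rule will match. Graph $filter has no substring operator
#    for jobTitle, so filter client-side. PowerShell's -match is case-insensitive;
#    treat this as a preview, the service's own evaluation is authoritative.
$candidates = @(Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,JobTitle |
    Where-Object { $_.JobTitle -and $_.JobTitle -match 'marketing' })
Write-Host "Rule would currently match $($candidates.Count) user(s):"
$candidates | Format-Table DisplayName, UserPrincipalName, JobTitle -AutoSize

# 2. Create the group. Group type Office 365 = Unified, mail-enabled, not
#    security-enabled; "DynamicMembership" plus a rule = Membership type Dynamic User.
#    (Dynamic groups need an Azure AD Premium P1 license, included in EMS E5.)
$groupParams = @{
    DisplayName                   = "Marketing Stars"
    MailEnabled                   = $true
    SecurityEnabled               = $false
    MailNickname                  = "marketingstars"   # constructed value
    GroupTypes                    = @("Unified", "DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @groupParams
Write-Host "Created group $($group.Id) with rule $($group.MembershipRule)"

# 3. Membership is computed asynchronously (the guide notes a few minutes of
#    latency); poll until the member count catches up or a timeout passes.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    Write-Host "$(Get-Date -Format T): $($members.Count) member(s) so far"
} while ($members.Count -lt $candidates.Count -and (Get-Date) -lt $deadline)

# 4. Reconcile. Anyone the group contains that the preview did not expect is
#    worth a look before the group is used to grant application access.
$unexpected = @($members    | Where-Object { $_.Id -notin $candidates.Id })
$missing    = @($candidates | Where-Object { $_.Id -notin $members.Id })
Write-Host "Unexpected members: $($unexpected.Count); expected but not yet present: $($missing.Count)"
```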
Configure Self-service password reset
Speaker script:
Self-service password reset provides your users the ability to reset their password, with no administrator intervention, when and where they need to.
Self-service password reset includes:
• Password reset: I can't sign in and want to reset my password using one or more approved authentication methods.
• Account unlock: I can't sign in because my account is locked out and I want to unlock using one or more approved authentication methods.
Authentication methods:
• Mobile app code (preview)
• Email
• Mobile phone
• Office phone
• Security questions
Users can only reset their password if they have data present in the authentication methods that the administrator has enabled.
Click steps:
• In the left navigation, click Azure Active Directory.
• Under Manage, select Password reset.
• On the Properties blade, under Self Service Password Reset Enabled, click Selected.
• Click Select.
• On the Properties blade, click Save.
• Under Manage, click Authentication methods. Verify the following options:
  o Number of methods required to reset: 1
  o Methods available to users: Email, Mobile phone
• Under Manage, click Registration. Verify and set the following options:
• Click Select your country or region and select your country.
• Click in the text box and type in your (real) phone number.
• Click text me.
• Obtain the verification code from the phone and type it in the text box, then click Verify.
• On the don’t lose access to your account page, for Authentication Email is not configured, click Set it up now.
Accessing apps
Speaker script:
Isaiah has volunteered to join Contoso’s Testing Team. The QA manager has sent an email invitation to join the Contoso Bug Bashers security group.
He clicks the link, which opens the Access Panel at http://myapps.microsoft.com. This is a web-based portal that Isaiah accesses as an end user with an organizational account in Azure Active Directory. The Azure AD administrator has granted Isaiah access to these cloud-based applications. Some are internal to Isaiah’s organization and some are external, such as Twitter and Salesforce. Some are SaaS apps, custom apps, and on-premises apps.
Click steps:
• Switch to the browser tab opened to Outlook, logged in as Isaiah Langer.
• Click the email from Patti Fernandez.
• Click the link embedded in the email.
• In the Access Panel, point to the enterprise applications that Isaiah has access to:
  o Microsoft Office 365 apps
  o Third party SaaS apps (Salesforce, Twitter, etc.)
Self-Service Group Management
Speaker script:
Isaiah can also utilize self-service group management capabilities through the Access Panel.
Patti, the QA manager, asked him to join the Bug Bashers security group, so he simply finds the group, then clicks to join it.
This group has been set up to automatically accept join requests. However, it can also be configured to accept requests manually, after the group owner has approved it.
Click steps:
• On the right-hand side, click Groups.
• Under Groups I’m in, click + Join group.
• Search for and click the ssg-Contoso Bug Bashers group.
• Click Join group.
• In the Business justification pop-up, type demo, then click Request. Point out the request is auto-approved.
• Click OK on the approval message.
• Click Groups.
• Scroll down the list of Groups I’m in. Note ssg-Contoso Bug Bashers is in the list.
Accessing Single Sign-On Applications
Speaker script:
In two easy steps, he joins the group and when he returns to the list of applications, he sees the new BrowserStack app. The admin has given the Contoso Bug Bashers security group access to this additional application, so just by joining the group Isaiah now has access to the applications his team is using. He doesn’t need to review a list and add them individually.
Click steps:
• Click on Isaiah’s user icon (user menu on top-right corner), then click Apps.
• Point out a new application appears on the list of applications, BrowserStack.
  NOTE: It may take a few minutes and a page refresh to see BrowserStack appear in the list of apps.
Multi-factor Authentication
Speaker script:
The BrowserStack application has been configured for Multi-Factor Authentication as an added security measure to verify the user.
The first time Isaiah encounters MFA, he’s required to verify his alternate contact info. Once set up, his phone or authenticator app will alert him to respond to the MFA challenge.
Click steps:
• Click BrowserStack.
• Respond to the MFA request.
• Point out that Isaiah is automatically logged in to the BrowserStack App using the shared account set up by the administrator.
• Close the BrowserStack app browser tab to return to the Access Panel.
Low IT Overhead

Introduction
Click steps: No click steps.

no need for users to make a helpdesk phone call and provide a lot of information to get a temporary password that’s sent in e-mail or shared during the call in an unsecured way.
   c. In Azure Active Directory > Groups, right-click on Marketing Stars and click Delete.
   d. In Azure Active Directory > Conditional Access > Require two-factor authentication for BrowserStack policy, set Enable policy to Off.
2. In https://myapps.microsoft.com:
   a. Log in as IsaiahL.
   b. Leave the security group ssg-Contoso Bug Bashers.
   c. Reset Isaiah Langer’s password, or note the new password for the next demo.
Appendix: Set up the Demo Tenant
When using a demo environment provisioned through https://cdx.transform.microsoft.com, the
tenant is already equipped with appropriate trial licenses for the underlying products and
populated with relevant content. Configuration or validation of policy settings is still required, as
described below. These steps need to be performed only once per demo environment.
1. In a new InPrivate browser session, navigate to https://browserStack.com/users/sign_up.
2. Complete the form with the following information:
   Full Name: Contoso Demo
   Email: admin@<Tenant>.onmicrosoft.com
   Password: <Tenant Password>
3. Click to agree to BrowserStack’s Terms of Service and Privacy Policy.
4. Click Sign me up, and verify your sign up.
Confirm email address for BrowserStack account
5. In a new browser tab, navigate to https://outlook.office365.com and log in as admin@<Tenant>.onmicrosoft.com.
6. Locate the email from BrowserStack, then click the Activate Account link in the email body.
7. If prompted, log in as admin@<tenant>.onmicrosoft.com.
Configure BrowserStack for Conditional Access with Azure AD
8. In a new browser tab, browse to the Azure Management Portal (https://portal.azure.com).
9. If necessary, log in as the tenant’s Global Admin user, admin@<Tenant>.onmicrosoft.com.
10. In the left-hand navigation, click Azure Active Directory.
11. Under Manage, click Enterprise applications.
Note: if BrowserStack isn’t in the list of applications, manually add BrowserStack from the Azure SaaS applications gallery by clicking + New application.
12. Under Security, click Conditional Access.
13. Click + New policy.
14. Type a name for the new rule, e.g. Require two-factor authentication for BrowserStack.
15. Complete the following settings (the remaining settings can remain at their defaults):
    Users and groups > Include > All users > Done
    Cloud apps or actions > Select apps / BrowserStack > Select > Done
    Grant > Grant access > Require multi-factor authentication > Select
    Enable policy > Off
16. Click Create to save the policy settings.
17. Click X to close the Conditional Access – Policies blade.
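As an added example that is not part of the demo guide, steps 12 through 17 can also be performed with the Microsoft Graph PowerShell SDK, which makes the policy's scope (all users, one application, MFA grant, policy off) explicit and guards against the duplicate policies that repeated demos tend to leave behind. It assumes the Microsoft.Graph modules are installed, a Global Admin sign-in, and that BrowserStack is already present under Enterprise applications.

```powershell
# Added example (not from the demo guide): create the "Require two-factor
# authentication for BrowserStack" Conditional Access policy via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Conditional Access targets applications by appId (the application's client id),
# not by the service principal's object id, so look BrowserStack up by name.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'BrowserStack'"
if (-not $sp) {
    throw "BrowserStack is not in Enterprise applications; add it from the gallery first (step 11 note)."
}

$policyName = "Require two-factor authentication for BrowserStack"

# The service happily accepts two policies with the same display name; a
# leftover duplicate from an earlier demo would silently enforce MFA even
# after the reset steps turn the visible one Off.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $policyName }
if ($existing) {
    throw "Policy '$policyName' already exists (id $($existing.Id)); reuse or delete it instead."
}

$params = @{
    displayName   = $policyName
    # Enable policy > Off, as in step 15. For production roll-outs the staged
    # state "enabledForReportingButNotEnforced" (report-only) lets you see
    # which sign-ins would be affected before enforcing.
    state         = "disabled"
    conditions    = @{
        users        = @{ includeUsers = @("All") }              # Users and groups > Include > All users
        applications = @{ includeApplications = @($sp.AppId) }   # Cloud apps > Select apps > BrowserStack
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                               # Grant access > Require multi-factor authentication
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Host "Created policy $($policy.Id) in state '$($policy.State)'"

# Later, the Facilitate Collaboration demo (step 23) switches the policy On;
# the equivalent call is:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```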
Configure SSO for BrowserStack
18. Under Manage, click All applications.
19. In the All applications list, click the BrowserStack title.
20. Under Manage, click Single sign-on.
21. Click Password-based, and then click Save.
22. Under Manage, click Users and groups.
23. Click to the left of ssg-Contoso Bug Bashers to check it.
24. Click Update Credentials.
25. Type in the BrowserStack account you configured earlier (admin@<TENANT>.onmicrosoft.com and password) in the text box, then click Save.
26. Click X to close the Update Credentials blade.
Note: The Welcome to Salesforce email used to verify your account, could be in the Other tab. The
window might also need refreshed to show the email.
8. Classic UI: In the left navigation pane, expand Domain Management, then click My
Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings,
then click My Domain.
Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to
Salesforce.
9. Under Choose Your Domain Name, type your tenant name in the textbox (e.g.
m365x123456).
10. Click Check Availability.
11. Wait for the availability to be verified.
Note: You may either refresh the page until it is verified or refresh Outlook until the email notification
arrives.
12. Click Register Domain.
Note: Please wait 10 - 15 minutes before proceeding to the next step. The custom domain name you
just registered requires some time to take effect.
13. In the left navigation, click My Domain, then refresh the page. The domain follows the
pattern: https://{TENANT}-dev-ed.my.salesforce.com.
14. Click Log in. If prompted to Navigate to this page, click Open.
15. If prompted to register your mobile phone, click I Don’t Want to Register My Phone.
16. If prompted, log in with your Salesforce administrator user ID
(admin@<Tenant>.onmicrosoft.com) and password.
Note: The My Domain page will reload, and the URL for this page will be updated to the custom
domain name containing your tenant name, https://<TENANT>-dev-ed.my.salesforce.com.
17. In the My Domain section, click Deploy to Users.
18. Click OK.
19. If the Classic Salesforce UI is displayed, in the upper right corner, click Switch to
Lightning Experience.
20. If you switched to the Lightning Experience, you will need to click the gear in the upper
right corner, and then click Setup.
Enable automatic account provisioning
1. In a new browser tab, browse to the Azure Management Portal
(https://portal.azure.com).
2. If necessary, log in as the tenant’s Global Admin user,
admin@<Tenant>.onmicrosoft.com.
3. In the left-hand navigation menu, click Azure Active Directory.
4. On the left, under Manage, click Enterprise Applications.
5. In the All applications list, click the Salesforce title.
6. Under Manage, click Users and groups.
7. Click + Add user.
8. Click Users and groups.
9. On the Users and groups blade, in the Search by name or email address box, type MOD, and
then click admin@<Tenant>.onmicrosoft.com from the user list, and then click Select.
10. Click Select Role, and then click System Administrator.
11. Click Select.
12. Click Assign.
13. On the Salesforce – Users and groups blade, click the check box for sg-Sales and
Marketing, and then click Edit.
14. Click Select Role, and then click Chatter Free User.
15. Click Select.
16. Click Assign.
Enable automatic account provisioning
17. On the Salesforce blade, under Manage, click Provisioning.
18. On the Provisioning Mode drop-down list, click Automatic.
19. Under Admin Credentials, type in the admin@<Tenant>.onmicrosoft.com and
Password for accessing Salesforce.
20. Obtain a Secret Token as follows:
a. Switch to the Salesforce administration browser tab.
If the Salesforce tab was closed, go to https://{TENANT}-dev-ed.my.salesforce.com
b. Click the user menu (the character icon at the top-right corner of the page), then
click Settings.
c. In the left navigation, click Reset My Security Token.
d. Click Reset Security Token button.
e. Navigate back to the administrator’s inbox, and then copy the security token.
f. Switch back to the Azure portal, the Salesforce – Provisioning blade.
21. In the Secret Token textbox, paste in the security token string.
22. Click Test Connection.
Note: You should see a notification saying “Testing connection to Salesforce. The supplied
credentials are authorized to enable provisioning”.
23. Set Notification Email to admin@<Tenant>.onmicrosoft.com and check Send an
email notification when a failure occurs.
24. At the top of the Salesforce – Provisioning blade, click Save.
25. Under Settings, scroll down if needed to Provisioning Status and set to On.
26. At the top of the Salesforce – Provisioning blade, click Save to complete account
provisioning settings.
Configure SSO for Azure AD
27. Under Manage, click Single sign-on.
28. On the Select a single sign-on method page, click SAML to enable single sign-on.
29. In step 1 Basic SAML configuration, click the pen to edit the Sign on URL and Identifier:
o Identifier (Entity ID) (Required): https://{Tenant}-dev-ed.my.salesforce.com
o Reply URL (Assertion Consumer Service URL): https://{Tenant}-dev-ed.my.salesforce.com
o Sign-on URL (Required): https://{Tenant}-dev-ed.my.salesforce.com
Note: Verify that there is NO space after the URL https://{Tenant}-dev-ed.my.salesforce.com.
30. At the top of the Basic SAML Configuration pane, click Save. After the configuration is
successfully saved, click X to close the Basic SAML Configuration blade.
31. If you are prompted to Test single sign-on with Salesforce, click No, I’ll validate later.
32. In step 3 SAML Signing Certificate, on the Federation Metadata XML option, click
Download. Save this XML file to your local system; you will use it later in Salesforce.
Set up Salesforce for SSO
1. Switch to the Salesforce administration browser tab.
If the Salesforce tab was closed, go to https://{TENANT}-dev-ed.my.salesforce.com
2. In the upper right-hand corner, click the configuration cog, and then click Setup.
3. Classic UI: In the left navigation pane, expand Security Controls, then click Single Sign-
On Settings.
Lightning UI: In the left navigation pane, scroll down under SETTINGS, expand Identity,
then click Single Sign-On Settings.
Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to
Salesforce.
4. Classic UI: On the Federated Single Sign-on Using SAML section, click Edit, click SAML
Enabled and then click Save. On the Single Sign-on Settings section, click New from
Metadata File to configure SAML sign-on settings.
Lightning UI: Above the Federated Single Sign-on Using SAML section, click Edit, click
SAML Enabled and then click Save. On the Single Sign-On Settings section, click New
from Metadata File to configure SAML sign-on settings.
5. Upload the Federation Metadata XML you downloaded from Azure portal.
6. Click Create.
7. On the SAML Single Sign-On Settings configuration page, make the following updates
or verify the information:
o Name: AzureSSO
o API Name: AzureSSO
o Entity ID: https://{Tenant}-dev-ed.my.salesforce.com (this may be
prepopulated, double check to confirm it is correct)
o SAML Identity Type: Assertion contains the User's Salesforce username (this
should be default)
o Identity Provider Login URL: this may be prepopulated, however copy/paste from
the Configure sign-on blade in the Azure window, which should look like:
https://login.microsoftonline.com/851...
o Identity Provider Logout URL: this may be prepopulated, however copy/paste
from the Configure sign-on blade in the Azure window, which should look like:
https://login.microsoftonline.com/....
8. Click Save to apply your SAML single sign-on settings.
9. Classic UI: In the left navigation pane, expand Domain Management, then click My
Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings,
then click My Domain.
10. Scroll down to the Authentication Configuration section, and click the Edit button.
11. Under Authentication Service, uncheck Login Form, then select AzureSSO as
Authentication Service of your SAML SSO configuration, and then click Save.
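The Federation Metadata XML downloaded in step 32 of the Azure AD section carries the same values Salesforce asks for in step 7 above (Entity ID, Identity Provider Login URL, Logout URL and the signing certificate). As an added example that is not part of the demo guide, this parser pulls them out of the file so the prepopulated fields can be compared against it instead of trusted blindly; SAMPLE_METADATA is a constructed document in the shape Azure AD emits, with a placeholder tenant id and fake certificate bytes.

```python
# Added example (not from the demo guide): extract the SAML IdP values Salesforce
# needs from an Azure AD Federation Metadata XML file. SAMPLE_METADATA is a
# constructed document; the tenant id and certificate bytes are placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT_ID = "00000000-1111-2222-3333-444444444444"  # placeholder, not a real tenant

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>AAECAwQFBgcICQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, HTTP-Redirect login/logout URLs and the SHA-1 fingerprint
    of the signing certificate from an IdP metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)

    def redirect_location(tag: str):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None  # service not advertised with the redirect binding

    signing = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert_b64 = signing.find(".//ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))  # drop line wrapping
    return {
        "entity_id": root.get("entityID"),
        "login_url": redirect_location("SingleSignOnService"),
        "logout_url": redirect_location("SingleLogoutService"),
        "signing_cert_sha1": hashlib.sha1(der).hexdigest(),
    }
```

Compare login_url and logout_url with what the Salesforce page prepopulated, and signing_cert_sha1 with the certificate fingerprint Salesforce shows after the upload.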
Install Access Panel Extension
Some demos require access to the Azure AD access panel (https://myapps.microsoft.com). This
web site requires a browser extension.
To configure Microsoft Edge for the Access Panel Extension:
1. Launch Microsoft Edge and navigate to https://myapps.microsoft.com.
2. Log in as Isaiah Langer (IsaiahL@<tenant>.onmicrosoft.com and password).
3. Click the Twitter tile.
4. In the My Apps Secure Sign-in Extension window click Install Now.
5. Complete the installation wizard to install the My Apps Secure Sign-In Extension.
6. Switch back to the Edge browser session.
7. On the You have a new extension notification, click Turn it on.
8. Close all Edge browser windows.
9. Relaunch Microsoft Edge and navigate to https://myapps.microsoft.com.
10. Log in as Isaiah Langer (IsaiahL@<tenant>.onmicrosoft.com and password).
11. Test Salesforce SSO login by clicking on the Salesforce tile. This should log Isaiah into
the Salesforce Dashboard or Home Page.