AzureCon Challenge

Azure AD Branding and MFA


Overview
Azure Active Directory is a very important service in Azure and is becoming a central component of enterprise IT, as identity across many internal and
external applications and services needs to be unified and resources need to be secured and protected. You can connect Azure AD to your on-premises
Active Directory, and it is the directory used by Azure itself and by other online services such as Office 365.
Every Azure subscription has a default directory that initially contains only your subscription login account. In this challenge you will create other accounts,
brand the login experience and enable multi-factor authentication.

1. Login to Azure
For this challenge, you have either elected to use your own subscription or have created a new Azure
subscription using the provided Azure Pass (or Free Trial). If you want to switch to use the provided
Azure Pass the promotion code is displayed on the My Account page on the
http://challenge.azurecon.com web site. If there is no promo code displayed, you will need to use the
free trial - http://azure.microsoft.com/pricing/free-trial.
Azure has TWO management portals - the classic portal (http://manage.windowsazure.com) and a new
portal that is in Preview at http://portal.azure.com. You will use the classic portal in this challenge.
1. Open a browser and go to http://manage.windowsazure.com
2. Enter your Microsoft Account email address and password for the Microsoft Account you associated with your Azure Pass or your own subscription.
3. You will now be in your Azure subscription (see opposite) and from here you can create and manage Azure services.

2. Set up a Co-Admin Account in your Active Directory

The first thing you will do is create a user account in your Azure Active Directory for your subscription. In the Azure Portal, select ACTIVE DIRECTORY in
the left navigation bar and click on the DEFAULT DIRECTORY that you will see listed.

1. Click the USERS tab.

If you have already completed the challenge Automate Resource Shutdown this section will be familiar to you. You cannot, though, use the same
coadmin account, because you will be enabling multi-factor authentication on this account, which won't work with Azure Automation.

2. Click Add User (bottom of the Portal).
3. Leave Type at the default (New User in Your Organization).
4. Enter coadminMFA for the user name and click NEXT.
5. Leave first name and last name blank and enter CoAdmin MFA as the Display Name.
6. For ROLE, select Global Administrator. Enter foo@bar.com in the alternate email address (it is not validated).
7. DO NOT check Enable Multi-Factor Authentication (you will do this later).
8. Click NEXT and then click the CREATE button to generate the temporary password.
9. Don't close this dialog! Copy the user name value, which will be something like coadminMFA@<your email address>.onmicrosoft.com.
10. You have to reset the password for this account. To do that, OPEN a new In-Private browser session. Then go to this URL:
https://login.microsoftonline.com
11. Paste in your username from the clipboard.
12. Switch back to the Azure portal and copy the temporary password. Switch back to the login, paste the password in there and click Sign in.
13. Paste the temporary password in again and enter your NEW password (remember this!). Click Update Password and Sign In.
14. Close the in-private browser; you now have a new user with a new password!
15. Switch back to the Temporary Password dialog.
16. Copy the username again to the clipboard and click OK (the tick) on the dialog.
17. Hover over the left navigation bar, scroll all the way to the bottom and click the settings icon (opposite).
18. Click the Administrators tab and click the ADD button at the bottom. Paste in your coadminMFA username from
above and check the Azure Pass subscription (or your own subscription name). It should look like the screenshot below (after Azure
successfully validates your account in Azure AD).
19. Click OK.

3. Activate AD Premium and Set up the Custom Branding

1. Go to the ACTIVE DIRECTORY category in the portal and click on your Default Directory.
2. Click the LICENCES tab.
3. Click the Try Azure Active Directory Premium now link and click OK on the message.
4. After 10-20 seconds, click the refresh link and you should see your trial activated. You will see something like this:
5. At the bottom of the portal, click the ASSIGN button (you may have to refresh the portal). You will see a dialog with your coadminMFA account
listed. Click that account and this will add a value to the Assign column on the dialog. Click OK. You will see 1 assigned user on the AD Premium
Licences screen.
6. Click on the CONFIGURE tab. You should see a Customize Branding button (only assigned users will see this). Click the button.
7. You need some images and content to customize your login page. Download the .zip file from this URL:
http://az809253.vo.msecnd.net/docs/assets/AzureActiveDirectoryFiles.zip
8. Extract the three images in the file.
9. For the Banner Logo select Contoso_BannerLogo_default.png from your downloaded folder.
10. For the Square Logo select Contoso_Tilelogo_default.png.
11. Leave the Square Logo, Dark Theme blank.
12. For the Sign-in Page text, copy/paste in the following text:

Need help? Contact Contoso Help Desk at (206) 555-1234. This site is for the exclusive use of Contoso
employees and partners. Visit www.contoso.com/terms for details.

13. Click the Next button.
14. For the Sign-In Page Illustration, select Contoso_Illustration_default.jpg.
15. Leave the background color blank and the rest at the default values. Click OK.

16. Now you are going to see this change on login. Just so you remember your login, click the Users tab.
17. Copy the User Name from the username column for your CoAdminMFA account.
18. To CHECK that this is working, open a new in-private browser session. You are going to sign in to the new Preview Portal, so go to
http://portal.azure.com
19. Paste in your username (Ctrl-V) in the Email or Phone field. When you tab to the password field, that is the moment Azure recognizes which
directory you want to log in to and whether that directory has any custom branding to apply. If you don't see your custom branding, it just has not been
propagated yet; it can take up to an hour for this to happen.
20. You are now in the NEW Azure Preview Portal. This new experience will be the new way you create and manage your Azure resources. Not all
services (including Active Directory) have been moved over to the preview portal yet; this will happen over the next several months. In the meantime
you will likely have to switch between the current and preview portals during the transition.
21. Sign out and close the In-Private browser session.

4. Enable Multi-Factor Authentication for your co-admin Account

Now you will set up the final part of the login, which is to enable multi-factor authentication for your coadminMFA user.

1. Back in the Azure Classic Portal, on your Default Directory, click on the Configure tab.
2. Scroll down and you will see a MULTI-FACTOR AUTHENTICATION section; click the Manage Service Settings link.
3. You might have to sign in again; use your normal Azure subscription login.
4. Click the USERS tab (see below).
5. Click the check box next to the coadminMFA account and, in the Quick Steps box on the right, click Enable.
6. Click the Enable Multi-Factor Auth button in the warning dialog and then click CLOSE after completion.
The user now has to configure HOW they want to participate in multi-factor auth; you will do that next.
7. In the Portal, click on your username (top right) and click Sign Out, and then on the next screen click Sign In.
8. Sign in with your coadmin account (it should still be on the clipboard if you need it).
9. If you set up MFA correctly, you will get this message on the login screen.
10. Click Set it up now. You might also get the customized branding at this point as well.
11. The BEST method to use is the Authentication Phone (you have Office Phone or Mobile App choices as well).
12. Enter your own CELL PHONE number and select the Send Me a Code by Text Message option. Click CONTACT ME.
13. When you receive the SMS code, enter it, click VERIFY and then click DONE. You will be logged into Azure now.
14. Let's finish by going through the actual login workflow. Click on your login name, click Sign Out and then click Sign In.
15. Enter your coadmin credentials.
16. Now you will get a box to enter an SMS code, and a code will be sent to your phone. Enter that code and you will be logged in.
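As an added example that is not part of the lab, the same user-creation and role steps from section 2 and the MFA enablement from section 4 can be scripted with the MSOnline PowerShell module instead of clicking through the classic portal, followed by the check a defender actually wants: that no Global Administrator is left without MFA. It assumes the MSOnline module is installed and that YOUR-TENANT is a placeholder for your directory's .onmicrosoft.com name; the subscription co-administrator assignment (section 2, step 18) and the user's own phone registration (section 4, steps 10-13) are still done in the portal.

```powershell
# Added example (not from the lab). Assumes the MSOnline module is installed and
# that you sign in with your normal Azure subscription login at the prompt.
Import-Module MSOnline
Connect-MsolService

$Tenant = 'YOUR-TENANT.onmicrosoft.com'   # placeholder: your default directory domain
$Upn    = "coadminMFA@$Tenant"

# Section 2, steps 2-8: create the user. New-MsolUser returns the generated
# temporary password; ForceChangePassword makes the first sign-in reset it (step 13).
$NewUser = New-MsolUser -UserPrincipalName $Upn -DisplayName 'CoAdmin MFA' `
    -AlternateEmailAddresses @('foo@bar.com') -ForceChangePassword $true
Write-Host "Temporary password (copy it now, as in step 9): $($NewUser.Password)"

# Section 2, step 6: ROLE = Global Administrator. In MSOnline that role is
# named 'Company Administrator'.
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $Upn

# Section 4, steps 5-6: enable per-user MFA. RelyingParty '*' applies it to all
# applications; the state moves to 'Enforced' once the user registers a method.
$Mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$Mfa.RelyingParty = '*'
$Mfa.State        = 'Enabled'
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($Mfa)

# Verification: list every Global Administrator whose per-user MFA state is
# neither Enabled nor Enforced. An empty result means all admins are covered.
$RoleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
Get-MsolRoleMember -RoleObjectId $RoleId |
    ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
    Where-Object {
        $State = ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
        $State -ne 'Enabled' -and $State -ne 'Enforced'
    } |
    Select-Object UserPrincipalName, DisplayName
```

Run the verification block on its own afterwards; the original subscription login account will show up in it, since the lab only enables MFA for coadminMFA.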

--- END OF LAB ---
Go back to the AzureCon Challenge web site (http://challenge.azurecon.com) and complete the challenge question to get your points.
REMEMBER: You only have one chance at the question, so make sure you really know the answer!
