TL;DR how to take an existing ‘on prem’ AD lab and turn it into a hybrid AD lab, complete with Seamless Single Sign-On. This lab is free for at least the first month.
Background
We originally setup the ‘on prem’ test.local while studying for a Microsoft exam, so it was fitting to make it into a hybrid AD lab while studying for another Microsoft exam. The focus of the exam was not entirely setting up hybrid AD, however it was part of it. We always prefer to get some hands on and learn better from VMs and Google.
This is just about setup. We touched on some of the security related concerns following setup here.
None of this is original. I simply pieced together information from various sources on Google to create a step by step:
- Setup Azure AD Connect
- Make sure the computer account it creates (AZUREADSSOACC) is in the right OU
- Set a pair of GPOs
- Set an alternative UPN in AD [if needed]
Pre-existing Setup
Test.local was already up and running with 3 DCs, 2 member servers, and 2 client workstations. My kindergartener already had an administrator account and a separate Domain User account. We had made a user account for her twinsey and there were a couple random user accounts from previous labs such as ‘test dummy’.
We have the default OU for Domain Controllers naturally. In addition we created OUs for administrators, ‘privileged users’ [aka those who have been delegated rights], normal users, workstations, and member servers.
The ‘Computer Staging’ OU was created and used for a lab awhile back. Any computer accounts that are created by adding a system to the domain without creating the name in AD first will land in there. Group Policy prohibits anything in that OU from logging in and displays a banner letting the user know that the helpdesk needs to move the computer account.
I have always thought that many of Microsoft’s error messages leave something to be desired. They are meaningless to the end user and even the helpdesk has to Google them. Hence I try to make mine a bit more descriptive.
This caused an issue with Azure SSO later, which was a quick fix once I noticed what Microsoft’s installer had done.
Microsoft gives out free Azure trials which of course includes Azure AD (AAD). The user who first sets up AAD becomes a global administrator by default; my account in this case. My kindergartner became the other global administrator and setup 2FA with the Microsoft Authenticator app on the phone.
We downloaded the setup program for Azure AD Connect and put it on the lab’s share drive, which uses DFS and Group Policy to auto-map on the VMs. Microsoft does not recommend putting Azure AD Connect on a DC. Hence we used one of the member servers.
Setting up Azure AD Connect
Microsoft’s setup wizard is quite straightforward. We went with ‘password hash synchronization’ and default settings. We synced the User Accounts OU. We did not sync the Administrators OU as she already has a cloud only Global Admin account and a Domain Admin account and I would prefer to keep them separate. Her user account is the main one that we will sync and work with.
Microsoft’s wizard warns that the User Principal Name (UPN) suffixes do not match. Don’t worry about that part and just continue. There’s a workaround.
Please note that many of these screenshots have been redacted IOT omit Internet accessible FQDNs.
First issue to be aware of
In order to authenticate Azure AD Connect and start the process of setting up hybrid AD you need to use an account that has the same @<FQDN> address as your Azure tenant. This meant I could not use my global admin account. We had already created hers and just used it, but this is something to be aware of.
Confirming
Once AD Connect is done and syncs you will see the users in AAD. AAD will also show the sync status and settings.
Seamless SSO
In order to get SSO working we just had to knock out a few more things. There are two GPOs that need to be set. The first is under
User Configuration \ Policies \ Administrative Templates \ Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page \ Site to Zone Assignment List
Make the value name ‘https://autologon.microsoftazuread-sso.com’ with a value data of 1. It’s easier to see what that looks like below:
Next navigate to
User Configuration \ Policies \ Administrative Templates \ Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page \ Intranet Zone
And set ‘Allow updates to status bar via script’ to Enabled.
Make sure the computer account AZUREADSSOACC did not go in the Computer Staging OU. This happened in my lab since AD Connect added it to the domain automatically during setup and there was no account created first. Once I noticed it had done that I moved it to the Computers container, which is where AD Connect meant for it to go.
If your UPN suffixes do not match then you can make SSO work via a workaround. Add your AAD’s UPN suffix as an alternative UPN suffix in AD. You can do this either via PowerShell
Get-ADForest | Set-ADForest -UPNSuffixes @{add=”<your domain>.onmicrosoft.com”}Or in the GUI by running Active Directory Domains and Trusts, right clicking on AD Domains & Trusts, hit Properties, and add it.
We set my kindergartner’s user account’s UPN to AAD’s UPN and left the SamAccountName on test\mishka. This allows her to login ‘on prem’ with the same domain\username she has always used but access Azure apps via SSO. Of course she still has her separate ‘on prem’ only administrator account.
Wrapping up
We now have hybrid AD with Seamless SSO configured. This was all done completely free using the free version of ESXi to run the ‘on prem’ environment, free evaluation copies of Microsoft OSs, and a free trial of Azure AD. Right now I am leaning towards keeping this tenant even if I have to pay a few bucks a month going forward. I like the unique domain name I have currently, and I want to eventually stand all this up like it is a small business with M365 licenses, email [synced with ‘on prem’ Exchange via an eval copy if possible], and co-management of domain workstations via Intune.
References:
MS docs, hybrid AD: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
Lazy Admin on SSO: https://lazyadmin.nl/it/setting-up-single-sign-on-sso-with-azure-ad-connect/
MS docs on alt ID: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id
Alt UPNs in AD: https://www.stephenwagner.com/2018/10/16/how-to-add-an-alternative-upn-suffix-to-an-active-directory-domain/
GPOs for SSO: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
MS docs on SSO deep dive: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-how-it-works
Adding alt UPN to AD: https://www.alitajran.com/add-upn-suffix-in-active-directory/
