Imagine a situation where a customer wants to do a Proof of Concept (POC) with on premise Azure Multi Factor Authentication (Azure MFA server) and on premise Self Service Password Reset (SSPR). These services are included in the Azure Active Directory (AAD) Premium license. This customer currently does not have any form of Microsoft Online subscription like an Azure Subscription, Office365, Intune, etc. On top of that, the customer has no possibility to use a company credit card to set up the POC. In this blog I’d like to show you how I set this up for this customer recently. Please note, you need to be a Microsoft Partner of Record to set this up. I’m happy to work for a Microsoft partner and thus able to show you how I was able to achieve this goal.
First something about the many management portals Microsoft uses for its Cloud Services. As you may know, there are quite a few, each covering a part of the Online Services provided. A short overview of the services related to Azure AD:
Office 365 Portal:
The Office365 Portal (portal.office.com) is used for Office365 and the related services like Exchange Online, SharePoint Online, etc. In relation to Azure AD it offers a way to configure some of the features that are included in Azure AD Premium, but not all. For instance, you can’t configure Self Service Password Reset from this portal, and that’s a feature we’d like to use in this trial. The only way to gain access to the Office 365 Portal is having a valid Office 365 subscription.
Azure Management portal:
The Azure Management portal (manage.windowsazure.com) is where you can administer most of the current Azure services provided. Here you are able to manage the Azure AD Premium features like on premise SSPR and Azure MFA, both online and on premise. These features are also accessible from the Office 365 Portal, but that just redirects you to the Azure Management portal. Unfortunately, you are only eligible to access the Azure Management portal if you have a valid Azure subscription or a “zero-dollar” Azure subscription that comes with a paid Office 365 subscription. If you don’t have this, you will see the page shown below. So you can’t fully set up SSPR and MFA without some sort of Azure subscription.
Azure Portal:
The Azure Portal (portal.azure.com) is the new administration portal which is intended to replace the old Azure Management portal. It looks great, but, as it is still in Preview, it does not offer most of the Azure AD management options that are needed. Luckily, you have access to this portal if you only have an Office 365 and an Azure AD Premium subscription, but as said it cannot be used to configure MFA and SSPR.
As with almost every Microsoft Cloud Service there are a lot more portals like Intune, PowerBI, etc., but these are not focused on Azure AD so I will not zoom in on these any further.
For this Proof of Concept, I need to achieve the following goals:
- Have access to the Azure Management portal to setup Azure MFA server and on-premise SSPR;
- Every enabled service must be “bound” to the customer’s tenant;
- Have no dependency on some sort of credit card for activation.
With these goals in mind I’d like to show you which steps I’ve executed to achieve this.
Step 1: Create a Partner invite for a 30-day Office 365 trial
Although we will not use any Office 365 service for this Proof of Concept, we do need the Azure AD that is included with Office365. Microsoft offers a free Azure AD, but as far as I know it’s not possible to just have this Azure AD on its own. Yes, I know that you can do an implicit create using a free PowerBI subscription, which creates an Azure AD in the background, but there I’m not able to choose the tenant name, so that is no option for this situation.
From the Office365 Partner Portal you create a partner invite for one of the many trial forms that are offered. In this example we’ve used the Office 365 Enterprise E3 trial.
Step 2: Setup the tenant
Using the invitation link the tenant is set up and you have your Azure AD available. From that point you can set up services like Active Directory Synchronization and Single Sign On using ADFS. Active Directory Synchronization in particular is needed because we want to use on premise SSPR.
Step 3: Apply for a 30-day Azure Active Directory Premium trial
This trial activation can be executed from the Office 365 Portal. Unfortunately, even if you have an Azure Active Directory Premium trial license you will not be able to sign in to the Azure Management portal to set up MFA and SSPR. You need an Azure Subscription for this. So, more steps are needed to get to our goal.
Step 4: Gain Access to the customer’s Azure Active Directory
This step is the interesting part: accessing the Azure Management portal using a native Global Admin account within that directory gives you the “No Subscriptions Available” message shown earlier in this post and prevents us from setting up SSPR and MFA. But there is good news: this is where you as a partner have an advantage. Let me show the steps to get full access to the customer’s Azure AD within Azure in more detail:
- First access your own Azure Management portal using a Microsoft Account that is a co-admin in that subscription;
- Click on the + sign at the bottom of the page;
- Choose App Services -> Active Directory -> Directory -> Custom Create;
- The Add Directory page is shown. Choose “Use existing directory”, check the “I am ready to be signed out now” checkbox and continue.
- You will be signed out and you will be asked to sign in using a native Global Admin in the customer’s Azure AD. After sign-in you are requested to approve access;
- After that you can sign out and sign in again using your Microsoft Account. From that point you have the customer’s Azure AD listed within your subscription;
- You need an Azure AD Premium license assigned from the customer’s directory, so assign a license to your Microsoft Account within that directory. Afterwards you can see all Azure AD Premium options in the Azure Management portal for this customer.
How about Azure Multi-Factor Authentication server?
You may say, “but I’m not able to set up on-premise Azure MFA server because the Azure MFA Management portal is not part of the Directory itself”. That’s right, normally you’ll find Multi-Factor Auth providers as a tab under Active Directory in the Azure Management Portal. The Azure Multi-Factor Authentication providers shown there are bound to your subscription and not to the customer. Thus, if you don’t want to pay for the authentication requests made by your customer, you have to find another way to set this up. As described in the article Getting started with the Azure Multi-Factor Authentication Server (https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server/) there is another way to get to the on premise Azure Multi-Factor Authentication page:
- Open the customer’s Azure AD;
- Open the Configure tab;
- Under multi-factor authentication select Manage service settings;
- On the services settings page, at the bottom of the screen click Go to the portal;
- This will open a new page. The name of the customer is shown on the Welcome Page, so you indeed have access to on premise Azure MFA on behalf of the customer.
As you see, partners have an advantage in helping customers try out the great services that Microsoft has to offer from the Cloud. I hope this article helps you a bit in understanding the possibilities to set up many of those services.