This course is available as a public or private course, live instructor-led via Teams.

Delegates on this highly practical course will get a solid foundation in the key identity and security features in Azure AD which are central to Microsoft’s Zero Trust “never assume trust, always verify” access control strategy. You will learn though lectures, discussions, and detailed hands-on labs exercises.

We provide detailed step-by-step lab instructions, and we also keep our class sizes small – so your instructor will have plenty of time to assist with any issues you might encounter in the labs, and answer any questions.

The hands-on labs are crucial to a proper understanding of the topics covered and have been designed to be as realistic as possible. With this in mind students will fully implement their own Azure/O365 environment, buying a real domain, with public email, and a real certificate for Single Sign-On (SSO).

Over four full and busy days, you will gain a deep and practical understanding of:

Module 1: Azure cloud computing
In this module, we introduce cloud computing and look at how it can be implemented in Azure through the use of various technologies such as Virtual Machines, cloud services, cloud licenses, and the Azure AD identity platform.

Module 2: AD and Azure AD
In this module, we look at (on-premises) Active Directory and (cloud) Azure Active Directory, and examine some of the key similarities and differences between them.

In the lab, we walk you through setting up an Azure AD tenant with a custom domain name. Following our step-by-step guides, you will buy a domain name, set up an Azure trial subscription, create an Azure AD tenant and add your custom domain name to it. Having set up your custom Azure AD tenant, we then walk you through the creation of Azure Virtual Machines which will be used to simulate various on-premises machines (a domain controller, an IIS server and a proxy server) in later labs.

Module 3: Integrating AD and AAD
Here we look at the need for synchronization and how Azure AD Connect can be used to synchronize users and groups between AD and Azure AD, in simple and more complex multi-forest scenarios. We cover numerous advanced topics including installation options, the various password synchronization options, the purpose of synchronization rules and why they might need to be modified, and how to monitor Azure AD Connect.

In the lab, you will populate your on-premises AD with users, and synchronize them with your Azure AD instance. You will examine various Azure AD connect features such as OU filtering, rules editing, password writeback, and SSO along the way. You will also setup and configure Azure AD Connect Health monitoring and alerts.

There is also an optional lab that walks you through the installation and configuration of both an AD FS server and a Web Application Proxy server. Having set them up, you will then configure Azure/O365 to use AD FS for authentication and examine the end user experience.

Module 4: Basic AADP Administration
In this module we focus on some of the features included with an Azure Active Directory Premium license. We start by discussing licence assignment (directly to individuals and indirectly via groups) and the various administrative and user interfaces. We also cover customizing your Azure AD branding, user and group management, and integrating SaaS apps (and the various levels of integration such as password vaulting, federation and inbound or outbound user provisioning). Finally, we examine the options for audit logs, sign-in reports, and security reports, and discuss how to analyse them.

In the lab, you will customize your Azure AD sign-in page and experiment with assigning licenses directly and indirectly (to groups synchronized from your on-premises AD). You will explore basic UI management and add SaaS apps: one with SSO configured, another with password-vaulting enabled, and optionally, a third SAML compliant SaaS app with provisioning enabled. In the final lab, you will review some of the pre-build reports in Azure.

Module 5: Self-service
This module is all about self-service: the self-service group management options for creating and joining groups (with or without owner approval); the self-service capabilities for providing application access; and self-service password registration and reset.
In the lab, you will explore all aspects of self-service group management both as an admin (enabling it) and as a user (creating groups and requesting to join groups and as a group owner approving membership requests). You will then implement self-service application management as an admin, and request access (as a user). Finally, you will implement and test self-service password reset both as an admin and a user.

Module 6: Other AADP Features
This module is all about cloud MFA and the Azure AD application proxy (both Azure Active Directory Premium features). We cover the different ways to purchase MFA, and the various configuration options for implementing cloud MFA and how it can be utilized to provide strong authentication for sign-in to modern office clients. We also take a detailed look at how the Azure Application proxy can be used to enable secure access to on-premises applications, from anywhere in the world without the need for traditional VPN technology.

In the labs, you will configure cloud MFA and enforce multi-factor authentication for some of the users, and test and contrast the end user experiences. In the Azure AD Application Proxy lab, you will publish an application hosted on your on-premises web server (one of your Azure VMs) and test access to it from both within your corporate network, and from outside. Further configuration involves enabling SSO, making it accessible for selection from the Office 365 app launcher and enabling self-service access. Finally, you will implement a custom name for the application.

There is also an optional lab which covers deploying the Azure Multi-Factor Authentication Server, integrating it with your on-premises Active Directory and configuring AD FS to utilize it for active client authentication requests.

Module 7: Implementing Conditional Access
In this module is all about Conditional Access which is fundamental to a Zero Trust access control strategy. We cover what it is and what it can be used for; how to configure conditional access policies to control application access, and invoke MFA if desired.

In the lab, you will set up and test identity-based (group membership) conditional access, and location-based (trusted and untrusted networks) conditional access for Exchange Online.

Module 8: Implementing Privileged Identity Management (PIM)
In this module, we discuss PIM (part of a Zero Trust least privilege approach) and how it can be used to control, monitor, alert, and review administrative access roles in Azure AD.

In the lab, you will assign various users Azure AD administrative roles and setup and configure PIM. Once enabled, you will test PIM role activation and deactivation. You will also set PIM alerts for administrative roles both for overuse and underuse, and you will perform a review of a user’s privileged access assignments.

Module 9: Implementing Identity Protection
In this module, we discuss Identity Protection, another central feature for any Zero Trust implementation. We cover what it can do, risk events, risk levels, user risk security policies, sign-in risk security policies, and how to remediate risks.

In the labs, you will setup Azure AD Identity protection. You will install an anonymity browser, and use it to visit the Azure portal – this generates anonymous IP address Identity Protection risk events, which you will then review and resolve. Finally, you will configure the Identity Protection sign-in policy and the user risk policy so that certain events can be automatically mitigated (you will make use of both MFA and password changes) and you will test both the policies.

Keeping your lab environment: Trial subscriptions and licenses for Azure AD, Enterprise Mobility + Security, and Microsoft 365 (formally Office 365) are used during the course, with the ‘on premises’ aspect of the environment implemented using Azure VMs within the Azure trial subscription. If delegates wish to keep the environment as their own sandbox for future use (and we think they should!), then the trial subscription can be made into a Pay-As-You-Go subscription after the class. Students will be expected to provide a credit card to secure the domain, certificates, and trial subscription – but this will only involve minor charges (about $30).