Transcript for:
Overview of Azure Active Directory Features

Azure Active Directory is a very important infrastructure topic. We are going to deal with all the basics: we're going to see how we can create users, groups and devices, how we can implement role based security in Azure, how we can have applications use those Azure Active Directory credentials for allowing users or maybe denying users, the single sign on feature, and so on. So let's first begin with the basic introduction, as usual. See, we all know Windows Active Directory, but remember this is not Windows Active Directory; this is Microsoft Azure Active Directory. In short we call it Azure AD; that's the short name given to it. Now, it is a multi-tenant cloud-based identity and access management solution for the resources that exist in cloud. The rest is all okay, but this is important: identity and access management. So basically, for identifying users we will create their account and provide some password in Azure AD. Azure AD will be responsible for authenticating the users and accordingly assigning permissions to various other resources which are part of our Azure cloud. And it is multi-tenant, which implies what? Yes, the same Active Directory can be used with multiple clients, and in Azure we can have multiple Active Directory tenants created. In the Azure AD service multiple Active Directory tenants can be created, and each tenant can have a different set of users. So basically the complete user management infrastructure which otherwise a developer is supposed to take care of at the time of coding applications (we have to create tables for managing users, adding users, editing users, deleting users, providing features for recovery of password, ensuring that people are not accessing our site or web application by trying to hack it): there are lots of features which are built in in Azure Active Directory which otherwise a developer is supposed to take care of. So yes, moving from the traditional programming of applications to Azure Active Directory will reduce lots of programming effort which otherwise a developer is
supposed to take care of. It provides single sign on features, wherein once we log into one application, automatically we will be approved, or we will be treated as logged in, in other applications also; you don't have to provide the same credentials again and again. So what is the benefit now for IT admins? What is the benefit? Azure AD provides an affordable (affordable, so not expensive), easy to use solution to give employees and business partners single sign on to thousands of cloud SaaS applications. See, Microsoft has provided a gallery of SaaS applications which are already supporting Azure AD, so if I want to make use of those applications in my organization, I can have a user account created in Azure AD and the same account can then be used for accessing all those applications. The user doesn't have to use a different ID for each one of them; an organization level ID can be created and the same ID can be granted permissions to the various applications the organization is trying to make use of. So that is the kind of benefit the admins are going to get. Now what are the benefits for the developers? Azure AD lets you focus on building your application. As I said, you will focus on the logic required for your application. Obviously it's going to be fast and simple to integrate with a world-class identity management solution used by millions of organizations across the world. That means complete user management will be moved away from our application; Microsoft will make you do everything from their portal. You can create users from the portal, you can assign roles to the users from the portal, or if required, of course, a custom interface can be done, but that is again only going to be calls to simple API methods. A lot of programming in the background is already done for us, which is hidden from us, which remains transparent to us. Organizations can use Azure AD to improve employee productivity. How? Because he doesn't have to login again and again, so
automatically his productivity will get improved. Streamline IT processes and improve security for adopting various cloud services: so we can basically categorize, this set of users will have this much access, that set of users will have that much access; like that, complete streamlining is possible because of Azure AD, specifically in the cloud setup services. Employees can access online applications by using a single user account; the SSO feature, we call it. Azure AD is highly scalable. That means if your organization has only 10 users you can use it, if your organization has 1000 users you can use it, if your organization has 10,000 or even a lakh of users, still you can make use of Azure AD without any problem; the scalability is all built in. And highly available. Now how is it highly available? Because the data is maintained at multiple data centers. The infrastructure which Azure AD takes care of will help you even overcome disaster problems at one particular data center. See, it is running around 28 data centers across the world, so if by chance something goes wrong at one data center, you'll still have everything available from some other data center. That's the kind of assurance which Microsoft gives you when you are making use of Azure AD. It's highly reliable, and even if the data center goes down, copies of your data are live in at least two or more regionally dispersed data centers. That means at a good distance the data centers are available; it's not like a flood has come and two data centers have gone away. That kind of thing would not happen; there'll be around at least 250 miles of distance between the two data centers which Microsoft maintains. So because of a flood, or because of a war, or because of any other reason, if one data center goes down, even then your Azure AD information will be taken up automatically from another data center. The switch over is going to happen without even our knowledge. Many applications
built on the platform such as... yeah, this is the beautiful thing: if you are a .NET developer, if you are a Java developer, if you are a Node.js developer, if you are a PHP developer, and the list is growing, Microsoft is adding more and more languages to their cover, but yes, all these are pretty well going to integrate with Azure AD. You can use protocols like SAML, WS-Federation, OpenID Connect; of course OpenID Connect is the most popular one used nowadays. All these things can be used by the applications developed in different languages to make use of the Azure AD advantage. Through the support of OAuth 2.0 (remember, Azure is now upgraded to OAuth 2.0, not OAuth 1.0), developers can develop mobile and web service applications that integrate with the Microsoft identity platform for cloud authentication and access management. That means your mobile applications, your desktop applications, your web services (that means web APIs), all the types of applications, there is a scope for integrating with Azure AD. Yes, if you want to programmatically control Azure AD, you want to programmatically create users, you want to create roles and groups, you want to bind users and groups, there is something called the Graph API which is available for doing this. So we don't use something which was earlier used, LDAP, but instead we use the Graph API today, and the Graph API is REST based. When I say it is REST based, I can use it in almost every language which is going to provide support for REST; that's the beauty of it. That means if you want to build your own interface for managing users, you can do that by making use of the Graph API in the background. So these are the major reasons why Azure AD is getting popular day by day; people are moving away from their in-house Active Directory to Azure AD. Also, now you can use Azure AD to do what? Yes, you can use it for managing users and groups; you can provision new users (basically it's a repetition); enable federation between organizations: you can make use of applications of another
organization with your ID, or vice versa, to users of other organizations you can provide access to certain applications in your organization. Yes indeed, it's an identity management solution; rather, it's the first step. It identifies irregular sign-in activity: there is a lot of machine learning which is happening in the background which takes care of identifying the irregular sign-in activity. For example, there is some IP from which lots of login requests are coming; automatically that IP will be blacklisted by Azure AD. Or let's say I am in India, on a regular basis I'm logging in from my country, my location; suddenly, with my ID, if somebody logs in from another location, Azure AD will not let them in; it will ask me to confirm that I've changed my location. So yes, that kind of irregular sign-in activity is all built in without us doing even a single line of code. You can use single sign on on cloud-based, on premise and Azure based applications, all of them. If an application is in cloud, which we have hosted (custom applications), or any application which was picked up from the gallery, all these applications which can be picked up from the gallery, or even if your application is in an on premise environment, that means it is not even in Azure, then also you can make use of Azure AD. Yes, it provides multi-factor authentication; that means in addition to username and password you have to further verify your identity by using maybe email or SMS; additional multi-factor authentication, that is called. Extend existing on premise Active Directory implementations to Azure AD: it extends basically whatever we were earlier doing in Windows Active Directory; all that can now be extended to Azure AD. It integrates pretty well with it; how, we will see that. Coming now to the editions: yes, there is a Free edition which we people can try. We can move on to Basic. The only difference between Free edition and Basic edition, majorly, is in Basic edition we can
promise 99.9% SLA; in multiple data centers it will be replicated only if it is Basic edition. Free edition, they don't promise any kind of SLA; we take a chance. If the data center goes down, our users will not be able to login if you are making use of the Free edition, pretty obvious. But yes, simple user management, change password, synchronization: the core features are all supported here. Almost the same set, I mean all these features, and a little extra: group based access management. Groups can basically be given permissions here; there, there is no provision to provide permissions to the groups, but here you can have group based access management, role based access management. You can have the self-service password reset feature: if enabled, users can reset their own password, or if there are services which are running in the background, they can reset their own password. Yeah, here we can get company branding; otherwise we'll get the default page of Microsoft when we are using the Free edition whenever we login, but here company branding can be done by changing the logo, the access panel (there is something called the access panel which we are going to discuss); all that can be changed. So then you have got Premium edition. Now Premium is really premium, pretty expensive, but it also gives you really wonderful features for your organization. Like, multi-factor authentication is supported only in Premium edition. The self-service identity and access management feature is supported only in Premium edition; that means users can put in their request to join and then later the approver has to approve it, and they will be accepted into the system. Advanced reports: I told you earlier we have this feature where irregularity can be identified, but that has to be fetched through reports. Basic reports are available, but advanced reports are available only in Premium edition: the usage reports, from which part of the world we have got how much traffic, all those reports are available. Dynamic
groups and self-service group management: again, basically, dynamic group is a feature which is available in Premium edition. Identity Manager: Microsoft Identity Manager, an on premise identity and access management suite. Self-service password reset and password write-back for an on premise user: that means if the password is updated on premise it will get updated in Azure also, so that kind of feature; there is something to be discussed before that, before you understand it. So these, and then further more advanced features, are available here. So we will not be able to get into a lot of Premium features; just theoretically I can explain, but yes, you'll understand most of the Active Directory features by the end of this particular session. So let's see Active Directory in action now. Now, directories provide a simple and logical way to group related identities. Very simple point actually: "directories provide" implies we can have multiple directories; we have multiple directories implies we have multiple logical ways of grouping users. Three different directories can have three different sets of users. Now why we need multiple directories we will see. A directory can consist of the following three types of identities. Users added manually to the directory: if I'm a directory administrator, I'm going to add users of my organization into the directory; that is one way of getting users into the directory, and that's most common. Users synced from an existing Active Directory installation which is on premise: you are already using Windows Active Directory, you want to get all those Windows Active Directory users synced into the Azure Active Directory, because Windows Active Directory users cannot access applications which are in Azure. For applications which are in Azure, for the users' identity they will refer to Azure AD. I repeat: on premise identity, that is Windows identity provided by Windows Active Directory, cannot be used by users within the organization to access those applications
which are in Azure cloud. But vice versa is true: if you have already provided your identity with Azure AD, the applications on premise can access them. But for this what we will have to do is sync all those users which are there on premise into Azure AD; that step we will have to perform as an administrator. I can also have third party accounts in my Azure Active Directory. I can add your account if you are a user from some other organization, if you are present in some other Active Directory, or even if you only have a simple Microsoft account; I can put you into Azure Active Directory. Yes, the basic criterion is you should have a Microsoft account. Any user who has a Microsoft account outside my organization, I can invite them into my Azure Active Directory as a guest. How it is done we will see. Access control in Azure starts from a billing perspective. This is important. The actual owner of the Azure account, accessed by visiting the Azure Account Center, is the account administrator. Remember this role, account administrator: like for my account, when I created the Azure account I became an account administrator, and I am going to be billed for anything under my account. Let me show you. See here, I have a directory, and now I have created multiple other subscriptions. If I go to subscriptions (All services, Subscriptions), it will show me multiple subscriptions. These are multiple subscriptions, right? So I'm actually the owner of this, I'm the owner of this, but these two subscriptions, I'm not the owner, I'm only the reader, but I'm going to pay for these particular subscriptions because I am the account administrator even for these two subscriptions. At the organization level these two accounts are created: this is used by one associate of ours, this is used by another associate of ours; whatever services they make use of, Deccansoft as an organization is going to pay for it. And I myself have these two subscriptions. I repeat: I'm being billed for multiple subscriptions, though I own only
two subscriptions. Why? Because these are under my purview, under my organization's purview, but the owner of them is somebody else. So I'm the actual account owner. Subscriptions are containers for billing, but they also act as a security boundary. Very important: billing is always, as you can see here, billing is always at the level of subscription. If you have a subscription activated, for that subscription you'll have to pay. So when you use an Azure Pass you get a Microsoft Azure Pass subscription; when you create your account by providing your credentials and credit card number you get a Free Trial subscription; like that, you have a Pay-As-You-Go subscription, you have got a Microsoft Enterprise subscription; I have something called a Microsoft Azure Sponsorship subscription, extra privileges given to me because of the Microsoft partnership and certifications I have. So like that, there are different types of subscriptions, and each subscription will have separate billing, but all the subscriptions can be attached to the same account administrator. Remember this. Your account, your Azure subscription, has a trust with Azure AD, which means that it trusts the directory to authenticate users, services and devices. So Azure AD has actually nothing to do with subscription; you can have an Azure AD account even without a subscription. But Azure AD and subscriptions are generally connected with each other so that there can be a trust relationship, so that in the subscription the resources which are created are given access to the users in the corresponding Azure AD. A user should exist in Azure AD so that the user would then have access to the services which are provided by Azure. I repeat this point: a user should be existing in Azure AD, and Azure AD then should be connected to the subscription, so that the resources of the subscription are accessible to that particular user whose account is existing in Azure AD. Yeah, I forgot to mention that this is a security
boundary. When I say there is a security boundary, it basically implies that yes, within this particular subscription so and so user has complete privilege, or reader privilege, or managing privilege, things like that. So I repeat once again, in summary, how does it all happen? First I create an Azure account, so at that time I'm called the Azure account administrator. The moment I create an Azure account I am the Azure account administrator. This also creates an Azure AD for me, an Azure AD tenant; one tenant is created, we can say that. Then next what happens is we login as that account administrator and we add subscriptions to our account, or somebody else will give me access to their subscription; even that is possible. For example, I can invite you to have access to this particular subscription. I can invite you like these people have made me reader; they can also make me owner of this subscription. Uh, not owner, sorry, they can make me, let us say, a permission where I can have read and write access rather than only reader access; so that kind of permission also can be given. I can invite you to a subscription. So one account, one account of a user, can have multiple subscriptions; that is the point. Within the subscription only, all the resources will be present: resources are created in a subscription, and the charges of these resources are put onto the subscription, so subscription becomes the criterion for billing. But who will be billed? The administrator who owns that subscription is going to be billed for every... for every subscription there is only one account administrator, remember this. So any kind of resources which are created in the subscription: resources are created, where are the charges accumulated? In the subscription. From whose credit card or debit card, whatever you have provided, who will be billed for all those charges? The account admin will be billed. So can an account admin have multiple subscriptions? Yes. Can one subscription have multiple resources? Yes. One
admin can have multiple subscriptions and one subscription can have multiple resources. This point you have to keep in mind, and the best example is my account here: I am the owner of these two subscriptions; though they are created by somebody else, I am the owner because they are created at the organization level. Multiple subscriptions can trust the same directory, but each subscription can trust only one directory. As I said, multiple subscriptions can trust the same directory; that means one AD can have multiple... sorry, one AD will have, uh, each subscription... okay, one subscription will be attached to one AD only, but one AD can have multiple subscriptions. Remember this: between subscription and AD it is a many to one relationship, or AD and subscription, it is a one to many relationship. Now we'll do all this practically; we are going to look at all these things. Manage multiple Azure AD tenants: you can sign up to Azure, Office 365, Microsoft Dynamics, Microsoft Intune; all these are different services which need identity, and for all these products of Microsoft (all these are products of Microsoft) a single Azure AD is sufficient. So if you are already using Office 365, you're actually already having an Azure AD directory, or if you are using Dynamics, guaranteed for sure you have Azure AD. Any one of these services, if you are using it in your organization, for sure there is an Azure Active Directory existing, and that is the directory which is going to be used for authenticating the users; all their sign-in attempts will be authenticated by the Azure Active Directory. So it is not necessary that for Office 365 you should have a separate AD and for Azure you should have a separate AD; no, a common Azure AD can be used for all of them. That's the beautiful thing about it. Now what does multiple directory support mean? Within the organization, why would I have multiple Azure Active Directories created? So if I go now to Azure AD, Azure Active
Directory, this is the directory I have, and I can have multiple directories actually, and to switch from one directory to another directory I'll have to use this option. So this is one directory I have, this is another directory I have. I am managing the directory of one of my customers; this is not owned by me, I'm not the account administrator of this, but I can manage this because I've been given rights to do that. So for one client, he has a directory here. This one, somebody made me owner, I don't even know who that is; I'm not able to get rid of it. Microsoft had this bug: if you make me an owner of an Active Directory it will get listed in my account. But this was created much before that bug was resolved; now Microsoft will not make me owner of a directory unless I accept it. Earlier it was not like that; in the beginning, you make me owner, immediately I'll become the owner, I don't even get a confirmation that I want to become one. But now they have resolved it. So this problem is there; we are not able to get rid of it; it's like a permanent thing there, sitting without use, because when I choose this I have no permission in that account. It's an AD without a subscription and I can't do anything in that. See, I'm switching; actually now I'm using that directory, a complete switch. The resource set here will be different; I cannot create any resource in this directory; even if I try to, it will say you don't have permissions. Just trying to show you some... today it may not happen because my account is pretty old; this problem is existing. Let me go back; irrelevant content. Now I go back to my main directory. So why is multiple directory support needed? That's a very important question. Add a new directory for testing or for other non production usage: I can have certain applications which are in testing phase; I don't want those applications to be available to all the users of my organization, so yes, I'll create a separate directory, and in that directory I'm going to provide access to the resources, access to the testing,
test applications. But of course for production I may have a separate directory altogether; the applications which are live are accessible to more users, so they might be in a different directory altogether. Or for managing data synchronized from another AD forest: multiple directories can be existing in the forest. Managing all existing Azure directories, such as Azure, Office 365, Microsoft Intune, by using the same account, if at all multiple directories are used. Like for my organization, I have a separate Azure AD created for Office 365, sorry, a separate AD created for Office 365, an Azure AD, and I have a separate Azure AD for my Azure account. I mean, it just happened by mistake actually; it is not required, but if I want to manage Office 365 users from the Azure portal I can do that by just creating multiple Active Directories, management in the portal; of course for both of them I should be a global administrator. I'll show you how to do this practically now itself; I'll show you. Add users to a new Azure AD from an existing directory, such as take users from the production directory and use them in the test environment without requiring... actually this is the first one only; it's just a repetition. So how to do this: how do I link two different directories and manage them at one place? That's what I want to see now. What I want to do is, I have two accounts, so let's say in Chrome I'm logging onto another account; it's a different account managed by dcns@hotmail.com. So there are two account owners; remember, this is as good as a situation where there are two account owners. One account owner is basically the account administrator, we can call it; one account admin is, let's say, Sandeep Soni, and there is another account admin which is Deccansoft. Here I login with my identity, here I login with another identity, so there are two account admins. Now what I want to do is, I want to manage this Azure directory from my account; that's my requirement. I want this to be managed from here, precisely; that is needed. So how to do that? Uh,
the subscription amount has ended in that. Okay, let me switch. I may not be able to demonstrate because the account got locked, because there is no subscription amount in that. It's going to a wrong directory; let me go to incognito. Let's try this once; I'm just trying once because that's the safest thing for me. Damn it, this is too much; it's not giving me the opportunity to switch this. I am the owner of this account, dcns.onmicrosoft.com; this is one Azure AD tenant. This is an account created by some other organization where they wanted me to be a consultant on Azure; they had some queries on Azure, so they gave me access to these accounts. So what I did, I came here and for managing them I changed it to this. What happens is, every time it will take me to that account only; next time also when I login. But now they have removed permission for me in that account, and now Microsoft is toggling; you see this problem is coming. I'm not interested in going to that account now, but it is still by default taking me into that account only. So somewhere on Microsoft's server it is remembering which was my last active Azure tenant, and it is trying to take me to that account where I do not have permission. Because I do not have permission it is asking me to log in to another identity, and it's automatically happening; I'm doing nothing; all this drama is automatically happening. So what I did now, explicitly I have to navigate to my account; this is the URL, so I paste that and I go there; it takes me there. But the issue now is I'm still listed; these people only removed my permission but I'm still listed in their account; that has become a problem now, so I cannot switch to this. I'll have to talk to them and ask them to remove me from their account; then I'll get rid of this. Anyways, now you see what I'm going to do; coming now to our actual demo. There are two accounts, I was saying: one account admin is Sandeep Soni, another account admin is Deccansoft. This is the
email ID. Now for the first account admin the tenant ID is this; for the second one the tenant ID is this. There are two different tenant IDs; Azure AD tenant ID, we call it. Let me show you this thing: dcnsf.onmicrosoft.com, soft.onmicrosoft.com. So every Azure account is created with one tenant; that's what this tenant is. Now what I want: I want to manage this account from my ID; that's my requirement. So right now Sandeep Soni is not getting Deccansoft listed here, correct? I want Deccansoft to be listed here. So for that, what to do? I now go to the Deccansoft account; this is Chrome, in which I have logged in with the Deccansoft account, and I go to Azure AD. Yeah, I just closed the browser and logged in again; it's all fine; some bug in Microsoft's system, that's not our problem, leave it. So here you see I'm in the Deccansoft account. So what I'll do now is, I went to the Deccansoft account Active Directory, I go to Users, right, there are two users; I will now add a third user. Now, because Sandeep Soni has a different domain, I cannot directly use the option of Add user; I can use the Add user option only if I want to add a user with something @decnsofmail.onmicrosoft.com. I'll explain it here: into this directory I can have users like this, user one, user two, like this we can have, whereas in this directory by default we can have users like user one @ this part. So these users I can simply directly add into the Active Directory, but now what is my requirement? My requirement is this user should be added to this Active Directory, so this is supposed to be a guest user; remember this point. So I now go to Add guest user, say Invite. Now, once I'm added here as a guest user, now login with the account, and here we are now going to have... you see, Deccansoft Hotmail. Oh, now what I want to do is, Sandeep Soni is there. Now I'm back into the Deccansoft account; I go to Sandeep Soni at the deccansoft.com domain, see. I'll go to Directory roles and I'll make this fellow a Global administrator. Now Sandeep Soni has become Global administrator of the Deccansoft Active Directory; Sandeep Soni now has become Global administrator of the Deccansoft Azure AD. So now if I go back to the Sandeep Soni account, there I can manage the Deccansoft AD exactly the way I would manage my AD now. I have now become not guest, I have now become Global admin. Who gave me this Global admin right? This user has given me. Being a global admin, under the Sandeep Soni account there will be two identities, I mean two Azure ADs; this will be there and this also will be there, and in this also I will be able to create users. I'll be able to create users here, I will be able to create users here, when I'm logged in with this ID. So let's go back to our notes. So what is it that we achieved? Successfully I demonstrated how we can actually have ownership of another Active Directory. But what is important is... I'm just logging in again. I can have multiple Active Directories. Let me first remove this user once again; I don't want this user to be there, and just to avoid confusion, don't keep the user permanently. I can always go to that user and delete it. It's showing guest because I did not click on OK for global... user gone. So now if I refresh, a full page
refresh you have to do; you should not see Deccansoft in the list now because you're no more owner of it. Now what we can do is, I can myself, forget about the other Active Directory from outside; here itself I can create a new Active Directory, an Azure Active Directory. I'm creating a new one; remember, directly you have to click on Create a resource, search Azure Active Directory and create a new directory. You have to give a name, so we have now organization name as Sandeep Soni, initial domain name as sandeepsoni.onmicrosoft.com; so here there is a small addition. So what is happening now: the email ID Sandeep Soni, when I log in, I am now going to have two directories. I would say this is Azure AD tenant 1 and this is now Azure AD tenant 2, which is sandeepsoni2.onmicrosoft.com. So two ADs, I am the owner. Now what is the benefit? This I can use probably for production and this I'll use for my testing; that is the kind of benefit: this is for production and this is for testing. So like that, multiple ADs can be created, directories created. Now to switch to that directory I have to refresh the full page, and then it will be listed here, sandeepsoni2.onmicrosoft.com, and in this I can start creating users. So the conclusion is, here also all the things will be there, Azure AD; we can create users. So user one, demouser@sandeepsoni2.on..., see, no invitation needed, nothing, nothing, nothing; direct. I've logged in with Sandeep Soni at deccansoft.com, I switched into a different directory, and that directory I'm managing from here. But into this directory try to add a resource, let's say App Service; something randomly I'm doing; I try to add an App Service; don't worry about all this. What? See, finish: you're currently signed in to Sandeep Soni which does not have any subscription. So unless there is a subscription assigned to this we cannot manage this, I mean we cannot add resources. We can add users but we cannot add resources into this directory; very important. So users can be added to this. Now why are we going to do this then? What I'll do, I'll tell you practically: I'm going to add users here, like I'll add here demouser1@sandeepsoni2.onmicrosoft.com; like that, multiple users I'll add to this domain, and these users, if needed, we can add here also, because they are already existing in one AD we can always add that user to another AD. Now here one very important point you have to understand, that is, though I am not able to access resources in that, uh, I'm not able to create resources in that particular subscription, I can still create applications and give permissions to these users; remember that typical point. There are two ways of looking at the Azure portal: one is through the portal we are trying to manage these resources; I'm not able to access that for this particular account because there is no subscription, there is no subscription assigned, so resources cannot be created under Sandeep Soni 2; under this, resources cannot be created. But I can always have applications which can access these users. I mean, the applications can be created, not, uh, I would say Office 365 can be added, or maybe my custom application can be
added towards the end of a you ready topic I'm going to teach you that those applications can have access to this users rather this users I can give access to the applications which are part of this tenant that is the main advantage of it even without having subscription I repeat there is no subscription and subscription is not needed why I'm only going to create aure ad applications and into this applications I'm going to add users and these users will be authenticated using this usern password when we login these users will be authenticated by this directory and given access to these applications so developers can still use this aure ad but we cannot use of we cannot make use of this tenant or this aure ad account for creating new resources as there is no subscription Associated for it so now what is the conclusion one administ rator one active directory uh one account administrator can have multiple active directories we can either create a new directory or we can use an existing directory all the subscriptions will be listed let's say Visual Studio Enterprise subscription here we'll have manage click on the manage it will take you to the management portal subscription management portal it's a different portal for managing subscription here it is so there will be an option transfer subscription and I can transfer subscription to somebody else so it's not safe to do that I have to login with the new account where I am the owner and I have to transfer it so subscriptions can be transferred from one account to the other account I never completed this step always I came till here and I stopped yeah the classic portal it was little easy you could directly see but the classic portal is almost dead now I don't even visit to that so to add an existing subscription to your aure ad perform these steps this is copied from documentation though I stopped here you can continue and finish it off in case it is real time requirement I just try I'm just trying to avoid because 
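As an added example (not from the lecture), the two checks the demo above does by hand: which of the signed-in account's tenants actually carry a subscription, and who holds Global Administrator in the current tenant, flagging invited guests. It assumes the Az and Microsoft.Graph PowerShell modules are installed.

```powershell
# Added example, not the lecture's code. Assumes the Az and Microsoft.Graph
# PowerShell modules and an account allowed to read the directory.
Connect-AzAccount | Out-Null

# Every tenant the account can reach is a separate Azure AD directory.
# A tenant with no subscription can hold users, groups and app registrations
# but cannot host resources such as an App Service (the error in the demo).
foreach ($tenant in Get-AzTenant) {
    $subs = @(Get-AzSubscription -TenantId $tenant.Id -ErrorAction SilentlyContinue)
    if ($subs.Count -gt 0) {
        "{0}: {1} subscription(s), resources can be created" -f $tenant.Id, $subs.Count
    } else {
        "{0}: no subscription, identity and applications only" -f $tenant.Id
    }
}

# Defender's check: who holds Global Administrator in the current tenant,
# and are any of them guests? The demo made a guest Global Admin, which is
# exactly the kind of assignment an audit should surface.
Connect-MgGraph -Scopes "Directory.Read.All" | Out-Null
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq "Global Administrator"
if (-not $role) { throw "Global Administrator role is not activated in this tenant" }

foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    # Service principals in the role are skipped here; only user accounts are listed.
    $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,UserType -ErrorAction SilentlyContinue
    if ($user) {
        $flag = if ($user.UserType -eq "Guest") { "  <-- guest with Global Admin" } else { "" }
        "{0} ({1}){2}" -f $user.UserPrincipalName, $user.UserType, $flag
    }
}
```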
There are a lot of free credits which I get in my subscriptions and I cannot take the risk for the mistakes which Microsoft has done. I've already shown you how you can change the directory role of a given user, and if you want to learn about each role you can go to this link and read there about the multiple roles. And when we are done we can always delete a directory. When we don't need the directory, you can just go to the directory and there will be an option Delete. Go to Azure AD; first you have to switch, and after switching go to AD and Delete directory. Remember, you can delete this directory only under certain conditions. You see, I cannot delete the directory because there are users in that directory, but now they have given a shortcut (this option was not there earlier): I can simply click Delete all users. Now back to the delete option; all fine. So it will take a couple of minutes and then this will be enabled; once it is enabled we can delete. That's it, this will go away.

Adding a custom domain to an Azure AD. See, right now when I go to the portal, the domain name we have is not good enough; something like user1@sandeepsonideccansoft.onmicrosoft.com may not be acceptable. We want a more friendly domain name, so how we can achieve that is what we'll have to look at now. So the first thing, we'll have to learn how to add a custom domain name. Go to the Active Directory, and there is a direct provision for adding a domain name. You can take some domain name for which you have the ownership, which probably you should have purchased from somebody like GoDaddy or any other registrar. So here is the option Custom domain names. I have bestazuretraining.com actually already added here, you see. But how did I add it? That's what I can show you. First and most important thing: you are supposed to be the owner of that domain name. Unless you are the owner of that domain name you cannot add it here. I simply cannot add microsoft.com here; because I'm the owner of bestazuretraining.com I could add it. So how does it work? Let's say I go to Custom domain name and I provide some name, something like mydemos.com. Imagine; I'm actually not the owner of it, but I'm just giving you the procedure. So now once I have put my domain mydemos.com here, it will ask me to put a TXT record, and I have to put the TXT record at the registrar, I mean I have to go to the DNS settings of mydemos.com and there I should add this TXT record. Now once I add this TXT record and say Verify, Azure will communicate with the DNS server, check if the TXT record is there, and if it is there it will make you the owner of that domain. It is as simple as this, and I have precisely done that for bestazuretraining.com. This one remains unverified because I don't have ownership of it, so I cannot actually use this domain name for adding users, but I can use this domain name, bestazuretraining.com, for adding users. Let me show you that. I go to Users, say Add new user; I can give here maybe user1, or let's call it bstuser1, bstuser1@bestazuretraining.com. This will be validated, but if I give here mydemos.com, it's going to clearly give the message "is not a verified domain in this directory". So once we have a custom domain name, the advantage is we can create users with those custom domain names, and most importantly this becomes an active email ID also if you connect it with Office 365, I mean an Office 365 account. Say user1 for demo; I'll just keep it as it is. I'll need this password so I will put this in Notepad for later usage. OK, Create.

Now enter the name of your custom domain (I mean I gave something else here but that's okay; whatever name you have, you give that). In the cloud service portal a DNS record that needs to be created in your domain will be provided. You have to go to the domain registrar and create a DNS record. That's the procedure generally; this is what you'll have to do. You can also do custom branding. How to do custom branding: here only, Company branding. It will not be available to me; that feature is available only in the Premium edition, rather the Standard edition. So I have to upgrade this to the Standard edition, then this particular feature will be available where the branding will be done. But branding of what? So when we try to log in to something like, I'll now go in private mode and if I say portal.azure.com, it will ask me to log in. This whole page where it is going to ask me to log in can be branded; we can replace this logo and put our logo there. So that is the advantage of the branding feature, but it's not a free account; you'll have to get a paid account for that, and once you have a paid account it's as simple as uploading a logo. That's it, nothing more than that. So that is this feature.

Once you have used a custom domain, when you don't need it you can always go to that domain and delete it; I mean you can create it, use it, delete it, all the features are there. But of course the custom domain can be deleted only when all the users in that custom domain are deleted. They have changed Custom domain names now; the second part is pretty simple, straightforward. How to add a custom domain name to your Azure AD: why do we add a custom domain name? We want a friendly name for our users; we don't want the onmicrosoft.com feature. Once we have a custom domain name, as we have already seen, we can add users based on either the default tenant ID name or the custom domain name for adding users to the Azure AD. So this is important: what are the types of users we can add? One, we can add a new user within the organization, where we can make use of the custom domain name or the default tenant ID in the domain name. Two, we can also use an existing Microsoft account. Suppose you already have some Hotmail ID; I can add that to the list here. How do I add it? For that I have to use the option Add guest user. I say Add users and I should use the option Add new guest user. And what will happen when we add it as a guest user? The guest user is going to get an invitation. Click on Invite. Once you do the invite you can now log in with that ID to Hotmail and check. Basically the whole idea is we have to create our proper user database, who should be given an invitation, and once we have a complete database of all the users, then comes giving permissions to the various applications.
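The TXT-record verification described above, scripted as an added example (not the lecture's code): register the domain, read back the record Azure expects, confirm it is actually visible in public DNS, and only then ask Azure to verify. It assumes the Microsoft.Graph PowerShell module, Windows (for Resolve-DnsName), and uses the lecture's placeholder domain mydemos.com.

```powershell
# Added example, not the lecture's code. Assumes Microsoft.Graph PowerShell and
# a Windows host. "mydemos.com" is the lecture's placeholder domain.
Connect-MgGraph -Scopes "Domain.ReadWrite.All" | Out-Null
$domainName = "mydemos.com"

# 1. Register the domain; it appears in the tenant as Unverified.
$null = New-MgDomain -BodyParameter @{ Id = $domainName }

# 2. Azure hands back the DNS record that proves ownership. For the TXT record
#    the token is in the 'text' property (assumed shape: MS=ms...).
$txt = Get-MgDomainVerificationDnsRecord -DomainId $domainName |
    Where-Object RecordType -eq "Txt"
$token = [string]$txt.AdditionalProperties["text"]
"Add this TXT record at the registrar for $domainName (host @): $token"

# 3. Before pressing Verify, check that the record is already visible in
#    public DNS; Azure's verification fails until the registrar has published it.
$published = Resolve-DnsName -Name $domainName -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings }

if ($published -contains $token) {
    Confirm-MgDomain -DomainId $domainName      # same as clicking Verify in the portal
    "Verified: users such as bstuser1@$domainName can now be created"
} else {
    "TXT record not visible yet; wait for DNS propagation and run the check again"
}
```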
Understand clearly what we are trying to do. First step: we created an Azure AD, an Active Directory. Of course one is automatically created for you by default, but if you want you can add more ADs, more tenants as we call them. Then under Azure AD what did we do? We added a custom domain name. Why do we add a custom domain name? Very clearly I said, only to get a user-friendly domain name in the user ID for the organization. I don't want everybody to remember sandeepsoni.onmicrosoft.com; instead I would now be able to give them something@bestazuretraining.com. Three, then we are going to add users. Users can be either direct users or guests. Now what is the condition for a guest? Every user who is a guest compulsorily should already have a Microsoft account; guests are those who have a Microsoft ID. So you can take any of your IDs and make it a Microsoft ID; even a Gmail ID can be converted to a Microsoft ID, remember that. You only have to register with Microsoft and claim the ownership of that email ID. So once you have these users, you may probably add groups; then you will add users to groups, or you'll do group-to-user mapping, whatever: for a given user you'll select a group, or in a group you'll add users. Now once you do this, now comes the role of applications. I'm trying to tell you how the flow is, and applications are going to be configured in such a way that permissions will be given to users in Azure AD; they will be either allowed or they will be denied. So this is actually the main purpose. Of course the other purpose we have already seen: we can also provide access to Azure; this can be restricted, and how, we are going to see later. But either way, to the applications which we are developing: again there are two types of applications, gallery applications or line-of-business applications, the applications which our organization is developing and will host on Azure or on premises. So this is the whole flow. What I'm trying to teach you is this flow; we are still here, and step by step we'll have to go next, next, next, like that we'll have to move forward.

So, "Welcome to Sandeep Soni directory"; I say Next. So now this particular user, because he has accepted the invitation, will now be able to log in to my Azure AD. Of course I have added him to my Azure AD here. Once I refresh this page his ID will automatically be reflected; let's do a full page refresh. We should have here Deccansoft added as a guest user. After this, if you want to go there and make the guest user Global Admin it's your choice, but that's not my requirement right now. I don't want deccansoft@hotmail.com to maintain this AD; I just want him to log in to different applications, so keep him as guest only, it is okay. So many users are already there now. This is all over. Yes, you can also add groups and users: I can go to Azure AD, All users, Add user; likewise we also have Groups. Close this; groups will be there. Groups: you can add a new group. Oh, I should have selected members; so I've added a group without members. After this I can add members. The advantage is, later in the application we can give permission to the group rather than giving permission to a user; we can give permission to the group, so obviously if I give permission to the group automatically all the users are going to enjoy that permission. So that is the advantage. You can simply select the users here, that's it, a simple step. Not only that, you can even add devices directly: devices can be added to the Azure Active Directory, especially Windows 10 devices, to Azure AD by themselves using the first-run experience or from System Settings. The first-run experience is when you start your operating system for the first time after installation; it will ask you for the steps, provide those steps and it can get added, or else you can go to System Settings and do it from there. So what is the advantage? If the user is going to sign in to Windows 10, that's it: the same ID will be used by Azure AD for authenticating that user; it will not ask you for the username and password once again. They can experience the single sign-on feature. There is something called the Access Panel which I have to explain to you, a very beautiful feature actually, which I have to explain to you in Azure AD. You need to enable the option first; you have to go to Groups, and all this you'll have to do manually. I'm not demonstrating this step, but these are the steps you'll have to do in Azure AD: you have to allow users who are using devices, you may want to register the devices; these two you have to enable, and then in the Windows 10 operating system you'll have to follow these steps. I'm skipping this demo; please do it in case you have a Windows 10 ID already. Generally we do this for an organization: when I'm using an organization laptop I'm always going to log into the organization laptop with some ID, and that I want to directly use for logging into my Azure AD, so at that time this is the most preferred option. The big advantage of this is this one: after a device is registered in Azure AD you can control its usage. That's the beautiful aspect of it. For example, if you determine that the device has been lost or compromised, you can delete or disable its Azure AD object from the portal. You can do this using Microsoft Intune, supposing Microsoft Intune is managing the device. I mean, Microsoft Intune is a wonderful feature where from one location you can manage multiple devices of a user, so that benefit we are going to get if you enable this feature. So devices can be added. Third thing: users can be added, groups can be added and devices can be added.

Now something very, very important: how to configure role-based security. But this is changing the route actually; I'll do this, but a little later. First I'm trying to show this to you people. So now I am the owner of this particular account. I also added users. Now to these users I would like to give access.
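Two of the steps above in script form, as an added example that is not the lecture's code: creating a security group with members (so that permissions can later be granted once, to the group), and the defender's action the text describes for a registered device that is reported lost or compromised. It assumes the Microsoft.Graph PowerShell module; the group name, UPNs and device name are placeholders in the lecture's naming style.

```powershell
# Added example, not the lecture's code. Assumes Microsoft.Graph PowerShell;
# group name, UPNs and device name are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Device.ReadWrite.All","User.Read.All" | Out-Null

# Security group with members. The lecture creates the group first and adds
# members afterwards; this does both. Permissions granted to the group later
# apply to every member automatically.
$group = New-MgGroup -DisplayName "App Service Contributors" -MailEnabled:$false `
    -MailNickname "appsvc-contributors" -SecurityEnabled:$true

foreach ($upn in "bstuser1@bestazuretraining.com", "demouser1@sandeepsoni2.onmicrosoft.com") {
    $user = Get-MgUser -UserId $upn          # resolve the UPN to the user's object id
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# Device reported lost or compromised: disable its Azure AD object rather than
# deleting it, so the device can no longer sign in but the record and its
# history remain for investigation.
$deviceName = "LAPTOP-LOST-01"               # placeholder display name
$device = Get-MgDevice -Filter "displayName eq '$deviceName'" | Select-Object -First 1

if ($device) {
    Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
    "Disabled device {0} (Azure AD object {1})" -f $device.DisplayName, $device.Id
} else {
    "No device named $deviceName is registered in this tenant"
}
```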
I want to give them access to create different resources in my Azure subscription. See, I cannot always go and create resources. Let us say my development people want to create one new App Service; I don't want them to come to me so that I create an App Service for them. So I would probably have one person whom I'm going to authorize for creation of the App Service. So how does this work? Now what I'll do is I'll go to, let us say, Azure Active Directory; no, not even Azure Active Directory. What kind of permission I want to give, first I have to decide that. Now I can give permission to the complete subscription, I can give permission to a resource group, or I can give some kind of permission only for a given resource. So what I'm trying to do now is, let us say, I'll give permission at the subscription level. So I go to All services, Subscriptions. Once I'm in Subscriptions I have to choose which subscription, let's say Visual Studio Enterprise subscription, and here we have Access control. Go to Access control; now choose the user to whom you want to give permission. So first click on Add user. What kind of permission? There are different roles which are predefined; right now these are different predefined roles. There is a provision to even create custom roles if needed; how to create custom roles and all that I'll show you later. But right now I want to make that Reader a Contributor. The role Contributor will be allowed to manage the complete resource except other users; a Contributor cannot manage users, but he would be able to manage everything else. Assign access to: right now we are giving access to an Azure AD user, but you can also give access to a particular virtual machine or App Service or function or scale set. But right now we are not giving access to these resources; we are giving access to the user. So here we have to select the username, let's say Deccansoft, select it. It's added; just say Save. So here we got Deccansoft also, who is now a user and is a Contributor.

Now because Deccansoft is a Contributor, how do things look for Deccansoft? So let me now log in to the portal. The Deccansoft user was given permission at the subscription level. So see here, @deccansoft hotmail. Now the first thing we will have to do is, because I don't want the Deccansoft account to be managed here, I want to create a resource under the Sandeep Soni account, so I switch first to Sandeep Soni. After I switch to Sandeep Soni you see here @sandeepsoni.onmicrosoft.com. After I switch to Sandeep Soni I should now be able to, because I am the subscription owner, contribute to the subscription in any way; I can create new resources here. I can now create an App Service; it will not stop me from creating an App Service. Now select App Service and say Create; I can choose an existing resource group also. It will take a while, and once the App Service is created I can now go to the Sandeep Soni account. Remember I'm switching to this Sandeep Soni account. Now once I'm in the Sandeep Soni account, you can actually note from here, I can look at the App Service and I will see the App Service here.

So let me revise once again what I did. I created the user and added him to my Active Directory. Which user have I added? I have added the user, let us say, deccansoft@hotmail.com. When I added this user as a guest he got an invitation; once he gets the invitation he will have the ability to use my Active Directory. But does he have any permission on Azure resources? No, this user still does not have any permission on Azure resources. So when I want to allow this user to access Azure resources, I have to make him Contributor for the subscription, or I can also make him Reader. And likewise, under subscription comes resource group, and under resource group come resources. So sometimes what happens is we have given permission at the subscription level; once you give permission at the subscription level, automatically all the resource groups and resources will have that permission. But it is not necessary that we give it at the subscription level; we may add the user at the next level, that is only for a given resource group. Remember, one subscription can have multiple resource groups and these resource groups can have multiple resources, so a hierarchy is maintained for permission. So under resource group we will again have a similar option: I go to a particular resource group, and in this resource group also we will see Access control; rather, this property Access control will be there in every property window, in every property blade of a resource group or a resource. So I can see these are all inherited. I can't do anything with these inherited ones; if I want to remove permissions from these users I have to go to their parent and remove from there; from here I cannot remove. But the advantage is with those which are not inherited: for example, some other user is there who is not inherited here, and to that user you would like to add permission; just go to Add and here again choose a permission, basically a role. Remember so many roles are there; these are general ones, these are service-specific ones, Billing Reader, Backup Reader, these are all service-specific roles. So once you have all these you can select any role, let's say the read-only role, and I can give here the username user1@bestazuretraining.com. So when somebody logs in with user1@bestazuretraining.com they can only manage resources which are under this resource group. Remember they cannot manage resources above the resource group; that means in any other resource group they cannot do anything; rather they will see only this resource group, they will not even see other resources or their resource groups; those will not be visible to them.

So this is precisely what role-based access control is: it enables fine-grained access management for the resources that exist in Azure. The service allows organizations to set up access to Azure resources based on permissions and privileges that can be granted to users, groups and other applications also, which we haven't covered yet. Sometimes we can give access to applications. Let us say I want to write a .NET application, and through the .NET application I would like to create an App Service programmatically. So I should have permission for that application, and hence we have to do all that same configuration; rather than giving permission to the user you'll have to give permission to the app. See, something is already there here; majorly these are the commonly used roles, but I showed you there is a bigger list through which you can choose any one of the roles for giving access, such as creating a SQL Server database; like that restricted access can be given. I've already demonstrated all this to you.

Integrating on-premises AD with Azure AD. I mean the identities which are there on premises, I would like to integrate them into Azure AD. It's a long demo, so first what I need is a virtual machine for doing all this. So let me first start with creating a virtual machine, and as the virtual machine is getting created I'll come back and explain the concept to you. So I need to create a virtual machine, let's say my domain controller; I'm going to make this the domain controller actually, the bestazuretraining domain controller. I'll leave all these default settings as they are; I don't want to put boot diagnostics either; just say OK. All the summary we can read here; click on Create. It is now going to create a virtual machine. As the virtual machine is getting created, let's understand what this is. See, the situation is we have an AD within our organization. Now because I don't have that organization set up, I'm going to create this kind of setup in the cloud only. So let us say one of these machines I have called the domain controller, on which I'm going to have Windows Server Active Directory, and that Windows Server Active Directory I want to sync with my Azure Active Directory.
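The subscription-versus-resource-group assignments from the demo above, scripted as an added example (not the lecture's code), together with the check that shows which assignments at a resource group are inherited and therefore can only be removed at the parent scope. It assumes the Az PowerShell module; the subscription name and UPNs follow the lecture's demo, and "DemoRG" is a placeholder resource group.

```powershell
# Added example, not the lecture's code. Assumes the Az PowerShell module
# (Az.Accounts, Az.Resources). "DemoRG" is a placeholder resource group.
Connect-AzAccount | Out-Null
$sub = Get-AzSubscription -SubscriptionName "Visual Studio Enterprise"
Set-AzContext -SubscriptionId $sub.Id | Out-Null
$subScope = "/subscriptions/$($sub.Id)"
$rg       = "DemoRG"

# Subscription-level Contributor for the guest: manages every resource group
# and resource underneath (inherited), but cannot manage users.
# A guest's sign-in name differs from its mail, so resolve it by mail first.
$guest = Get-AzADUser -Mail "deccansoft@hotmail.com"
New-AzRoleAssignment -ObjectId $guest.Id -RoleDefinitionName "Contributor" `
    -Scope $subScope | Out-Null

# Resource-group-level Reader for the custom-domain user: sees only DemoRG,
# nothing above it and nothing in other resource groups.
New-AzRoleAssignment -SignInName "user1@bestazuretraining.com" `
    -RoleDefinitionName "Reader" -ResourceGroupName $rg | Out-Null

# Defender's check: what is effective at the resource group and where does each
# assignment come from? Scope shows the level it was granted at; entries whose
# Scope is the subscription are inherited and cannot be removed from DemoRG.
Get-AzRoleAssignment -ResourceGroupName $rg |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Removing the inherited assignment therefore targets its own scope, the
# subscription; asking for it at the resource group level is refused because
# no assignment exists there.
Remove-AzRoleAssignment -ObjectId $guest.Id -RoleDefinitionName "Contributor" -Scope $subScope
```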
For that we are going to make use of a tool called AD Connect. AD Connect is the software using which we can sync these two things. Now what is the advantage of syncing? The advantage is that if the users within the organization log on to this Azure AD, they can access all the applications of this organization and they can also access applications in the cloud, as well as the third-party applications which are authenticating with Azure. So all the applications within the premises, within the cloud and also the third-party applications can make use of a single identity of the user. So we want to take the benefit of the single sign-on feature. Suppose these users are different and these users are different; when the organization user goes here he will have to provide different credentials. We don't want that; we want him to use the same credential for accessing the applications in Azure as well as the third-party applications. Everything should be accessible with a single ID; that is actually the target, that is the purpose of doing this particular exercise. So: integrate your on-premises directories with Azure. This allows you to provide common identities for users of Office 365, Azure and SaaS applications integrated with Azure AD. Integrating on-premises directories with Azure AD makes users more productive. Why more productive? Because they don't have to remember a different username and password for the local Active Directory and the Azure Active Directory. The beauty of this approach is that any time your organization adds or deletes a user, or a user changes password, you use the same process that you use today in your on-premises environment. That means any kind of password change here will automatically reflect here; yeah, that is the way AD Connect is going to connect both of them. AD Connect is going to do that for us. So Azure Active Directory Connect is made up of three primary components: synchronization, federation and health monitoring. I can only demonstrate synchronization because the other features are not supported in the basic version; you need a really expensive premium version for federation and health monitoring. And there are two types of synchronization again: one is called Express settings, the other is Custom settings. I'm demonstrating Express settings, but in case you want, you can always read a little more about it through Custom settings.

So my demo starts here actually. I created a new virtual machine which I want to make a domain controller and DNS server; both I want to use. Change the private IP to static; that is the first requirement. I have to wait for this virtual machine to get created; rather, before that, we can go to the IP address which was given to the virtual machine and I'll convert this IP to static. If it is dynamic, change it to static; domain controllers should have a static IP, that is the whole idea. Save it. Maybe here, if you want, you can also give some name to this domain controller; it's your choice, DNS name. Now you will need this IP later, so let us record it, because we are going to use this machine as the DNS server. I'll need this IP somewhere; I'll save it for the time being. Now let's get into the virtual machine and promote that virtual machine to a domain controller. I'm demonstrating these steps assuming that most of you do not know anything about Windows networking. You're actually not going to do this in your organization; this setup is expected to be already there. Your organization already has a domain controller, already has an Active Directory, and you are already using that Active Directory for accessing your resources within the organization. After that actually the Azure steps start, but I'm teaching you this assuming that you may not have done something like this in the past. So it's pure networking; it has nothing to do with Azure. Windows will load and do some initialization; in the meantime we'll quickly have to go back to the virtual network, where we'll have an option for setting the DNS server. We'll change the DNS server; by default the default DNS server of Azure is going to be used. We want to change that to our DNS server now, the one we have created. So as the virtual machine is initializing we'll go back to the portal; we go to the virtual network which was created for our virtual machine (that virtual network is created automatically, remember that), and here we have DNS server. By default it is the Azure-provided DNS server; that I have to change now to use a custom DNS server. I have to tell Azure: hello Azure, please do not use your own DNS server; any kind of DNS query please send to this machine. Of course this machine is not yet a DNS server, but we want it to eventually become a DNS server; that's the target. So that's what this step is.

Now we have to promote the virtual machine to become a domain controller. Go to Add roles and features; we have to wait a while. Yeah, now it's ready: Add roles and features, Next, Next; here you have to choose the options Active Directory Domain Services and DNS Server. "No static IP addresses were found; the IP address changes": that's okay, some warning, just ignore it. But actually I've already given a static IP; maybe I did not save it after giving it, I don't remember, but it doesn't matter. I'm not going to restart, so as long as I do not restart the whole setup will work fine. Just say Next, Next and Install; it will restart your machine once it is all set up, so we'll have to wait for all this. So this is done. Once this is done, close it, and here you'll have the option in Notifications: Promote this server to a domain controller. So we are going to make this machine a domain controller now, for which I should add a new forest, and we have to give some domain name. Ideally we should give the same domain name for which we are the owner; within our organization we'll always create users based on that only. But because you may not have this, I'm skipping that, and I'll say mydemoorg.local. So users will be user1@mydemoorg.local, user2@mydemoorg.local, like that users will be created. We'll do that. This is not the right step in production; you'll not do this in production, you are going to use the domain name which you have already verified as a custom domain name in Azure. Give some password; just use the default options; I don't want to go into the details of these options. NetBIOS is used if somebody is trying to connect from legacy systems; only then is NetBIOS used. And finally some warnings will come; you can just ignore them and say Finish, I mean Install. So click on Install and it's going to take some time, and of course it will also ask for a restart of your machine. We should have put a check mark so it would have restarted automatically, but it will not restart the machine until all the tasks of promoting it to a domain controller are done; then the restart of the machine would happen.

Now what I would also like to show you is that I can have one more virtual machine which can join the same network. So for this I have to create another virtual machine in the same virtual network. So I go to Virtual machines, Add; the same, I'll take Windows Server only; you can take Windows 10 also actually, it doesn't matter; any machine which has to join the network. VM demo, something; all the same routine steps. Yeah, in the meantime let's go back now and check if that virtual machine has started. Where is that... no, actually it has restarted; we have to connect again. It's already restarted, so we'll have to connect to this again. Let's connect; because it restarted, my RDP session expired. Administrative Tools, DNS, Forwarders: just remove this, because this is not there. Basically we should connect this DNS to another DNS which is in turn connected to the internet; I'm not doing that now, this is fine. Let's go to the other virtual machine now, the demo VM. I'm actually clubbing two demos: one, I'm showing you how a private network can be created in the cloud like an on-premises setup, how we can do all this in the cloud. Server Manager has to load; Local Server; here by default it is WORKGROUP. Change that and say "To rename this computer or change its domain, use this option". Now we have to give the domain name mydemoorg.local; click on OK. It will now try to contact the domain controller; remember this step will not work if the DNS IP was not given in the virtual network. Something has gone wrong. mydemoorg.local, I believe that's what I gave; let me reconfirm it: mydemoorg.local, good enough. Now what is the IP of this machine? 10., yeah, it is 10.0.0.4. We basically need the private IP; we don't need the public IP. By mistake I gave the public IP; that was my mistake. So I go to the portal again, and in the portal, Virtual network, and here DNS server: this should not be this; this is what I have to use. Sorry, it was my mistake. And also we should have done this: virtual machine, domain controller, Networking; here we have the network interface's public and private IP configuration; you have to change the private IP to static. That's why we got the error there; remember it was the private IP which was used and we got that warning; it was because of this. That's fine, now I have set it up. So how did I come here? I selected the virtual machine, Networking; here I have to choose the network interface card, IP configurations, select the IP configuration, and there it will show both the public and the private IP. The private IP should be static because it is an internal network. Now we are talking about an internal network; it's all private IP, we don't use public IP. So I'm not sure now whether it will work, but we can give it a try; otherwise we have to restart both the machines. I'll have to restart so that it takes the latest configuration, the latest DNS server from the networking properties. It's not working; we have to restart this machine. Let me quickly restart this machine; I'll do it. Okay, let's do it from here only. When you restart this machine it will automatically pick up the latest settings, so the same should be the case for this one. So I'm restarting my domain controller and I'm restarting my client so that they can take the latest configuration settings.
of the virtual Network the DNS entry actually because when I say My Demo org. local where is this my demo org. loal it has to be mapped to some IP right that will be done through the DNS server so DNS server configuration in Virtual virtual network is very very very important compulsory you have to take care of it the domain controller I address should be given as the DNS IP in Virtual networks all good now now it's time to restart the second one only we'll talk about let us say for a while it will take time I know that in background so generally what people do in on premise I'm teaching you how to do that in Azure instead of physical machines which are used in on premise we have virtual machines created in Azure infrastructure that is the only difference so we are basically simulating on premise environment in AUM not simulating we are we are creating it is not even a simulation it's a creation proper creation I actually it might take some time because okay see now it is asking the administrator login what is this admin this admin is the domain controller admin remember that so what should I do here my demo o do local SL DSS admin actually not required not required because we already have domain name mentioned here my demo org. loal so under that domain this name will be verified with this password and on completion finish this machine is also part of the same domain controller you should restart it fantastic so what did we conclude here these are the steps required for creating a local network I mean uh virtual network with infrastructure as in on premise where we can have multiple machines every machine will log in now what I can do I can go to the domain controller and in domain controller I can create users because we have active directory there Windows administrative tools and here we have ADD directory users and computers so here users right click add a user maybe let's call it as demo user one so my demoor g/ demo user one or demo user 1 at the My Demo org. 
loal that's how the id id will be created password never expires like that you may create multiple users if you want demo user to password doesn't expire now what is the advantage like this yes you can also create groups add users to groups complete active directory of your or organization the way you manage everything precisely like that you'll manage here everything now can this ID be used by the user to connect onto the second machine yes you can do that because it is already joined a domain controller I can use any machine and connect but does the user have permission to remote desktop or not is the question actually I in no the user does not have permission we'll have to give that permission let us not get into those details act remote login permissions have to be given to that particular user then he can get into this system so this is how we have successfully completed a network which has domain controller active directory DNS and we are able to even join other machines within the same network as a part of that domain controller yeah if you want you can create a forest which can have one more domain controller which will have a different domain name it's your choice how you want to proceed from here but this is one part of it now that we have a domain controller and we are also able to join a virtual machine to a domain let us see actually the main step how to make use of the ad connect for synchronizing the active directory users and groups into Azure ad on premise to Azure ad that is the requirement now so what we'll have to do is go back to the controller machine the primary machine first do this step you'll have server manager go to local server and change here I enhanced security configuration change it to off otherwise it will give you a lot of trouble when you are browsing from this machine now go here and search for ad connect you have to search for ad connect in Google remember every Virtual Machine by default has internet connectivity through 
the virtual machine you can access the internet. Not going to work, because the DNS is not forwarding it, so we have to go to DNS; it's not opening from there. So basically I forwarded, I mean the DNS entries I have forwarded to the Google server; 8.8.8.8 is the Google DNS server. Now I go to the browser and search here: Azure AD Connect. Download this; I'm doing it on the domain controller machine, that is very, very important. So it's installing AD Connect now; it will just take a couple of... just a minute, that's it, less than that actually. Now this is AD Connect, it has automatically launched. You can go to "I agree", there's no choice, Continue. "mydemoorg is not a routable domain": some configuration problem, because I told you this is not a domain which is verified. Now you have the choice of either using Express settings or using Custom settings. Now just to keep it simple, first I would like to use Express settings; maybe later when you are done you can come back and click on Customize and you can do customization of all these things. As you put a check mark here you can do some kind of customization. So anyhow we want to go back and use Express settings. Now the most important thing: we'll need an account with Azure AD Global Administrator credentials. So now I have to go back to the Azure portal and see if there is an account which is a Global Administrator, and that too we want with an onmicrosoft.com ID only. I cannot make use of the user which has the verified domain name in the ID; that account will not be useful. So I have one user here, Global admin, but that is bestazuretraining, and I'm telling you this ID cannot be used. That's the most important thing: we'll compulsorily need a user which has sandep Sony Deens soft.
onmicrosoft.com; that is precisely the requirement now. And I don't have any, I have to create... yeah, rather, this is there, right: admin, admin@sandep Sony Deens soft. Yeah, but I don't remember the password of this user. Reset the password, copy. Now how is this actually Global admin? You should know that the user which is created, under Directory role, should have Global admin; that is important. This should be a Global Administrator of this Azure Active Directory, compulsorily. Now one more problem is there: when this user logs in for the first time (let's go to any website, or let's use Incognito) it will ask me to change the password, because I've changed the password; that's the policy actually, once the admin has changed the password. See, no, this will not be allowed; there are a lot of policies. I doubt even what I'm giving now will be taken: "we have seen that password too many times". See, these are all built-in features which we don't have to implement as a developer. So you have to log in once: after you reset the password or create the user in Azure Active Directory you'll have to log in once, and you can close it, we don't need this. I changed it to sandep@123 actually. Now I take this identity and I use it in my AD Connect; click on Next. This is a very important step. Verified. Now we have to give the credentials of the local Azure Active Directory administrator, and that also in the format mydemoorg.local\dsadmin. "Username format is incorrect", okay, so dsadmin@mydemoorg.local; even this should be fine, and the password, Next. "Users will not be able to sign in to Azure AD using their on-premises credentials": why? Because this is not a verified domain, that is the problem actually. Sync will happen, everything will succeed, but the user will not be able to use it because this domain is not verified. I told you in the beginning: in production, whatever domain name you have ownership of, that domain name you should have added as a custom domain in the portal for your Azure AD, and the same
domain name is supposed to be used here. Click on Next and Install. It will take a while, maybe 5 minutes or so, and on completion what we will notice is the users which I created, demouser1, demouser2, and some group I created in the local Azure AD here; those users will be reflected in my Azure AD. From the local AD, Windows AD, it will sync into Azure AD; that's the outcome of this particular demo. So we'll have to go and watch now in my Azure AD the list of users; right now we have so many. On completion of this activity here I will do a refresh there, so let's wait for a while for this to complete. So it's done, the configuration is complete, blah blah blah. Go back to the Azure portal, refresh the login, refresh the page, and we should have the demo user... and we should have the demo user... no. Okay, do a full page refresh, compulsorily; we should have the demo user there. Azure AD, Users, and demo user. But you see demouser@... it has automatically changed, because my domain, mydemoorg, is.
local, that is not verified. If my verified domain was used then this problem will not come; then automatically the users will sync, like in the last class I gave bestazuretraining and it automatically synced. No, no, sorry, no, even this was not the case, because it will give here "Windows Server AD" clearly as the Source, it will give here. So this is how AD Connect is able to synchronize whatever users are created in on-premise AD with Azure AD. I mean, just for your reference, I go to the demo user who has been created in Azure AD and try to reset the password, and it will not allow me... no, sorry, it's allowing. For this to work we have to actually do a federation, but maybe because I don't have the same domain name it's allowing that. Because though we have synced it, even if you change the password here it may not change the password of the Azure AD ID, sorry, Windows AD ID, because of this desynchronization of the domain names between Windows AD and Azure AD. So all these steps you'll have to perform, and the most important thing: once you are done you would want to delete all that synchronization, because I'm not going to keep these resources. All these resources which I created now, the virtual machine, the users which are created, I want to delete them, because otherwise every day it will try to sync and it will give you an email saying that the sync has a failure, the health of your AD sync is not stable and so on. "Azure AD Connect seamless single sign-on has been enabled", and unfortunately there's no provision here to disconnect. See, there are two things here, pass-through authentication and federation; all these things we'll have to discuss more. Right now only seamless single sign-on is enabled. So suppose you delete your virtual machine and all the resources, how to disconnect both of them? Go to PowerShell and execute this command, that's it: specify credentials for Azure AD Connect, it will disable it. Create an Azure AD Global Administrator credential, that is important; again the Global Administrator account should be provided here
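The lab built in the lines above, expressed as PowerShell rather than portal clicks. This is an added example and not the instructor's own commands: the resource group, VNet and NIC names, the group name and the dsadmin account spelling are assumed placeholders; the 10.0.0.4 private IP, the mydemoorg.local forest and the 8.8.8.8 forwarder are the values used in the demo, and the last phase uses the AzureADSSO module that the Azure AD Connect installer puts on the server.

```powershell
# Added example (not the instructor's commands). Names marked "assumed" are placeholders.

# ---- Phase 1: from an admin workstation with the Az module, after Connect-AzAccount.
# Point the VNet at the future DC and pin its private IP (the two mistakes in the demo:
# the public IP was entered as the DNS server, and the private IP was left dynamic).
$rg   = 'demo-rg'                                                      # assumed
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'demo-vnet'  # assumed
$vnet.DhcpOptions.DnsServers = @('10.0.0.4')   # DC private IP from the demo, never the public IP
$vnet | Set-AzVirtualNetwork | Out-Null

$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'dc-vm-nic'  # assumed
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$nic.IpConfigurations[0].PrivateIpAddress = '10.0.0.4'
$nic | Set-AzNetworkInterface | Out-Null
# VMs pick up the new DNS setting on restart, exactly as happened in the demo.

# ---- Phase 2: on the DC VM, elevated. Install AD DS + DNS and promote to a new forest.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM (safe mode) password'
Install-ADDSForest -DomainName 'mydemoorg.local' -DomainNetbiosName 'MYDEMOORG' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force       # reboots when finished
# After the reboot: forward names the DC does not own, otherwise nothing outside resolves.
Add-DnsServerForwarder -IPAddress 8.8.8.8
Resolve-DnsName mydemoorg.local -Type A | Select-Object Name, IPAddress   # expect 10.0.0.4

# ---- Phase 3: on the second VM. Works only once the VNet DNS answers for the domain.
nltest /dsgetdc:mydemoorg.local                      # DC locator via DNS SRV records
$joinCred = Get-Credential -UserName 'MYDEMOORG\dsadmin' -Message 'Domain admin'   # assumed name
Add-Computer -DomainName 'mydemoorg.local' -Credential $joinCred -Restart

# ---- Phase 4: on the DC. The users and group that AD Connect will later sync.
Import-Module ActiveDirectory
foreach ($name in 'demouser1', 'demouser2') {
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@mydemoorg.local" `
        -AccountPassword (Read-Host -AsSecureString "Password for $name") `
        -Enabled $true -PasswordNeverExpires $true
}
New-ADGroup -Name 'demogroup' -GroupScope Global     # assumed group name
Add-ADGroupMember -Identity 'demogroup' -Members 'demouser1', 'demouser2'
# RDP is not granted by domain membership; give it explicitly on the target VM:
#   Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'MYDEMOORG\demouser1'

# ---- Phase 5: on the DC (the AD Connect server), before deleting the lab. Turn seamless
# SSO off so the tenant stops expecting a sync partner; the portal has no button for this.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext         # prompts for the tenant Global Administrator
Get-AzureADSSOStatus | ConvertFrom-Json     # lists forests where seamless SSO is enabled
$onPrem = Get-Credential -UserName 'MYDEMOORG\dsadmin' -Message 'On-prem domain admin'
Disable-AzureADSSOForest -OnPremCredentials $onPrem   # removes the AZUREADSSOACC computer account
Enable-AzureADSSO -Enable $false                       # disables the feature tenant-wide
```

The Global Administrator prompted for in phase 5 must be the onmicrosoft.com account the instructor insists on; a user in an unverified domain fails with the same "bad username or password" seen in the demo.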
Let me execute. Go to PowerShell, you have to log in, and now execute the command. Here you have to give this account which we have created... oh, it should be sandep Sony... no, let me try. "Continue with this operation?" Say yes. "Supply values for the following parameters." Something is going wrong, and I know the reason is the ID only: I'm not having the proper ID. Users, admin, admin@... I didn't save this; I remember saving it. Sorry, admin@ so-and-so. Something went wrong, I don't remember what that is. Let's anyhow see if AD Connect is disconnected. No, no, it's still not disconnected. But this command works, just execute it with the proper password. I don't know what actually; I remember that as the password which I gave, but the name which I saved in Notepad, I don't know what mistake I have done, but it works for sure, it works. Please try later: just set the right password for the user and then use that. It's giving me "invalid credentials, bad username or password"; it's giving me soft.
onmicrosoft.com. Let's try once again. No. Yeah, it's just a matter of giving the correct credentials and this query will execute; once the commands are executed, AD Connect will disconnect the Azure Active Directory and the Windows Active Directory; the disconnection will happen. That's all, that's all for today.

So in the last session we have seen how we can make use of Azure AD Connect and synchronize all Active Directory users of on premise into Azure Active Directory. What actually is the purpose of doing that? Why should I have the users of on-premise Windows Active Directory in Azure AD? Obviously single sign-on: we want to use the same identity for authenticating users in the on-premise environment, for authenticating users in Azure applications which are installed in Azure, and also for authenticating users in third-party applications which have integrated themselves with Azure Active Directory. So basically the single sign-on feature is what we want to implement here. For that there are multiple options in single sign-on. We have got password synchronization with single sign-on. Now in password synchronization with single sign-on, what happens is whatever Active Directory accounts are here, they are going to be synchronized with Azure also, along with the password; the password which is here will be stored in hash format over here. So the user will have the option of signing into the on premise or signing into the cloud also. Of course, if suppose password writeback is enabled, for which you'll have to use the custom installation of AD Connect (we have used the Express installation), but if suppose you go for the custom installation and enable password writeback, if the user changes the password here, the password will write back to the on-premise AD; through the AD Connect software it will take care of updating the password here also. By
default it does not; remember this. So yes, there is something called password synchronization using SSO. The second option we have is pass-through authentication. Now in pass-through authentication the user is always going to sign in to Azure AD, but Azure AD does not have any password stored here; for the password it will securely connect to the on-premise Active Directory. So I submit my credentials here, this will use AD Connect to connect to the on premise, and on premise will verify the username and password. That means there is no password saved here at all, so there cannot be any security breaches. Here also there cannot be any security breaches, because the password will be stored in hash format; it is stored, let us say, in encrypted form here. Here the password is not stored at all. And the third option is federated SSO. In federated SSO a user can sign in with Azure Active Directory or with the Windows on-premise Active Directory; we have the option. So I as a user through the internet or intranet would sign into this or sign into this, and if I'm already within the organization I can again sign into this or sign into this; my federation will take care of the communication between the on premise and the Azure Active Directory. But remember, for the federation SSO you will need a premium AD account, one requirement, and second is you have to install an additional service between the Azure AD and the on premise, that is Web Application Proxy. This additional service has to be enabled; rather, it's part of Active Directory only, but you have to enable Web Application Proxy. Web Application Proxy is enabled for authenticating users in on-premise applications as well as Azure applications when there is a federated SSO. Federation has to be established between these two. Rather, if a user is already logged in, imagine a user is already logged in within the organization, let's say this fellow is already logged in within the intranet of the organization, he doesn't even need to log in to Azure
AD. Rather, if his device is already logged in into on premise he doesn't even need to provide the password; also, if he is logged in into the corporate network he will automatically get logged in into the Azure AD as well. But of course a user from the extranet, outside, the internet, will have to log in through the Web Application Proxy. So I repeat once again, this is a little different from the other two cases. So we have the extranet user and the intranet user. The intranet user is the organization user, using the organization network, who has already logged in into the organization; hence that same credential is going to be used by the on-premise AD as well as the Azure AD. The on-premise user, the intranet user, is not even going to be asked for entering the password, not even for the first time, because it's already logged in into the corporate network. Extranet user means a user who is trying to log on to the intranet from the internet; a user trying to log on to the intranet from the internet is an extranet user. So when the extranet user has to access, he can log in to Azure AD like any other user and use those credentials for accessing the applications in Azure, but at the same time the same credentials can also be used by this user for accessing on-premise applications; for that we will have to use a Web Application Proxy, that setup has to be established, and of course we will also create a federation trust between the on premise and the Azure AD. So in a very large organization this kind of setup is more common, but in routine this kind of setup is more common. So let us see all three, but a little note before that: single sign-on means being able to access all applications that you need to do business by signing in only once. We sign in only once and we use the same account for accessing all the applications you need, without being required to authenticate again and again. Azure AD enables easy integration with many of today's popular SaaS applications. Now what are the SaaS applications? Skype is a
SaaS application, Skype for Business is a SaaS application, MSN is a SaaS application, Hotmail, Office 365 account: so these are all SaaS applications in the context of Microsoft. Like that, Facebook is also a SaaS application, we can say. So a lot of SaaS applications are there which can be simply enabled with Azure Active Directory, and into those applications we can simply log in by using the same AD account. Now what an organization does, what is seen commonly, is every organization wants to provide to its users a set of applications which they can make use of; an organization, for all their employees, would like to provide a set of applications which they should make use of. All these applications they will make available to the users through the Azure AD access panel. I'm going to demonstrate this thing to you. What is the Azure AD access panel we will have to learn, but there is something called the Azure AD access panel through which all the organization users will have access to the various applications which the organization has enabled for their employees. Connecting an application to Azure AD typically consists of three steps, yes: setting up the single sign-on, you have to set up the single sign-on; after you set up the single sign-on you have to provision the user accounts in the application, that means which user account is allowed and which user is not allowed; assign users to the application in the Azure Active Directory; and finally deploy single sign-on to end users. These four steps we have to perform. Now I'll show you, as I told you, you may have Application Proxy, you may have Conditional Access, and there can be self-service application access: users can manage and request access to the application. I mean, I'm an outsider, so right now I may not have permission to the application; now when I do not have permission to the application I can request permission, and somebody who is the approver will then get a mail saying that this particular request has come, do you want to approve
or reject. So that is self-service application access. Conditional Access: decide when it is appropriate to prompt the user for multi-factor authentication. Multi-factor is like, once you provide username and password you need to additionally also provide email verification or SMS verification; that's what multi-factor authentication is. I already told you about Application Proxy: an on-premise application that needs to be published to the cloud for Azure AD users uses Application Proxy. I repeat, for extranet users who have logged in into Azure AD, if you want to access on-premise applications you need to set up Azure AD Application Proxy. Azure AD supports three different ways to sign in to the application: federated sign-in, password-based sign-in, or there is something also called existing single sign-on or linked sign-on. What is this federated? Between organizations... I mean, it enables applications to redirect to Azure AD for user authentication instead of prompting for their own password. I think this is better: I demonstrate this feature and then I come back and explain this to you. So let us go here; now we'll get into Azure. First verify that you are in the correct directory: yes, I'm in soft.
onmicrosoft.com, which is good enough for me. Now what I'll do is go to Azure Active Directory; here we have got Enterprise applications. We want to basically add here an application which users can use by using the credentials in Azure. So now we need to add applications here; let's go to New application and search for some application, let's say Facebook, the Facebook app. And here you see Facebook supports password-based sign-on; that's what is supported by Facebook: federation and password. Federated SSO will allow users to access apps using their organizational account hosted in the identity provider; password-based allows the administrator to securely store passwords in the cloud and assign those passwords to the users or groups. I'll explain it to you. Click on Add, so now it will be added to my list of applications. Once this step is completed you see I'm already navigated to Facebook; so these are the properties of Facebook, Quick start. I'll close this and again come back to this: close, close, close, refresh, here we should have our Facebook. There's no refresh icon, so I just changed and came back. Now go to Facebook; now here are the various options, or you can simply go to Quick start and do everything from here. "Learn about steps and concepts required to integrate Facebook app with Azure AD", it is recommended you do that later. "Assign a user for testing": I have to assign a user. How to assign a user? Actually I can click here and assign, but Quick start will help me to navigate there. I can add a user for testing. Groups are not available; why are groups not available? Because I'm using the Free edition; groups are available in the Basic edition and Premium edition. Select the user: I'll need some user, so I'll assign myself right now, click on Assign. So this step is completed. Configure single sign-on: password single sign-on mode. So here only one option will be available, I believe. Single sign-on is disabled, which I'm changing now to password-based sign-on. There is also, remember, linked sign-on, which
I'll discuss later, but right now I'm using password-based sign-on. The URL where the user is going to enter username and password: actually if I save this, this is going to automatically populate as www.facebook.com. Anyhow it is disabled, you cannot do anything, but Facebook is providing the login page to which we will be redirected when we want to log in. So this is done, we have configured single sign-on; the same thing I can do from here. Now we have to set up Conditional Access; of course this will not work. Conditional Access is basically the multi-factor authentication I told you about earlier, but that will not work because I don't have the Premium account; but if that is there you have to simply enable it. Configure self-service: people can request access. So it will take me to user management properties: "allow users to request access to this application". So right now users cannot even request access if they don't have permission, but if you want to allow users to request access, enable this. To which group should the user be added? We can choose some group which probably we created last week, let's say demo group, something; so new users will automatically belong to this group. Now, should the new user require approval? "Requires approval before granting access": by default No, that means if they request they will get access, but I don't want to give that, I want approval. "Allow approvers to set users' passwords for this application": I mean, you have a choice; no, I don't want to set the password. Who is allowed to approve? Basically the list of approvers you'll have to provide; now I'm again putting myself as the approver. Now save it. Deploy single sign-on: Users and groups. Now here you can add more users; all the users who have permissions you can add here from the list, Assign, so users are now assigned here. Now here there is one very, very, very important feature: I select a particular user and I say Update credentials. What is this Update credentials? "This action will allow users only to
authenticate to the application from within the access panel." Now what is going to happen is Facebook is going to get listed on the access panel of the application, so when I use Facebook from my login, automatically it will get me into Facebook with this login. I have an account, some ID which I generally don't use, but let's say something is there. Now click on Save. So basically what is going to happen is on the access panel we will have Facebook listed. Once I click on the access panel... I mean, how do I get the access panel? To access the access panel I'll use my ID, which is my email ID. Now once I'm in I will see there Facebook. Now if I double click on Facebook, that means I want to go to Facebook, what will happen? It will take me to Facebook, it will navigate to Facebook, which is the login page, and it will automatically log in using the ...@hotmail.com account. So the advantage is what? Let's say in Deensoft I am managing the Facebook account; there might be two or three more marketing people who should be managing the Facebook account, and I don't want to share this account's username and password with these people who are managing the Facebook account of my organization. I repeat: people will log in into the organization network using their ID, so let us say I log in with sandep Sony, or maybe I would log in with ABC at Deensoft. Now the requirement is all these people are moderators of Facebook, so everybody will have in their access panel the Facebook icon. So when we click on this Facebook icon we will navigate to Facebook, but we will not be using our own credentials; instead we will be using the organization credentials. Why? Because the organization credentials are already provided for those accounts, like I'm doing it for sandep Sony, Update credentials; like that the admin is going to do for these people also, Update credentials. So this is the major advantage of the Update credentials feature. So we are done, all the features completed, all the options completed; and mind you, this is only a shortcut for visiting
each one of them; otherwise they are all here. You have Users and groups, Single sign-on, Provisioning of users, Self-service; all the features are over here. Of course Conditional Access, you can see; password will be selected, password-based sign-on. Provisioning, remember, for Facebook I said "use the tools and administration interface provided by Facebook app to provision and deprovision user accounts stored in Facebook app"; okay, there's no option here. Self-service, I showed you all this. These are all not supported. Users who have signed in into this particular application will be listed here; right now we don't have any sign-ins, and so on. Now let me add one more application actually. I will add, Enterprise applications, New application, we will add something like Microsoft account, Microsoft Live account, Windows Live account; I'll leave everything as it is, live.com. Same story, we can assign users, Assign; so I have not assigned myself here, so will I be able to log into this application? Actually it depends, but before that let's finish this; I'll show you how to restrict login. Single sign-on mode: password-based. You see we do not have the option of federated single sign-on; federated single sign-on will not be there for all applications, it may not be supported by all the applications. Dropbox kind of thing we'll have: if you have a corporate Dropbox, there you can have the federated single sign-on feature; I'm not talking about individual Dropbox, a corporate Dropbox paid account. Set up Conditional Access, anyhow that's not supported. Configure self-service, not required. Now after this you can actually go to Properties, and here you'll have an extra... yeah, "visible to users"; there should be one more option actually, "user assignment required". It takes a while generally, let's wait; actually it should come here, it's not coming. Okay, so there should be some global option, Users, User settings... okay, actually there should be an option here called "user assignment required"; when that option is check marked,
right, only those users who are assigned here will be able to log in; all users will not be able to log in. So that option is not coming there; maybe it is not supported for all the applications, I'll have to check up, but anyhow first let us finish this demo. So I have two now, Facebook and Microsoft Windows account, and I will add myself here also, but for Microsoft Windows account I'll not update credentials. Perfect. So what I have done: I logged in into my Azure AD, I've gone to Enterprise applications, added two enterprise applications, Facebook and Microsoft Windows account (Microsoft account, which is the Windows Live account); these two are now going to become available in the access panel. So now I go to InPrivate mode, and here myapps, that's the URL, myapps.microsoft.com; we log in, so all the applications which are accessible to me are going to be listed here. Looks like there's a problem with my account, because my account is both an organizational account as well as a business account. Let me just give it a try here; if not, I'll have to repeat the exercise by creating a new account. If it works, fine... yep, there is a problem, yeah. So what I have to do now: I go to Active Directory, I'll create one new user, let's say JJ (J of John), jj@sandep Sony Deens soft.onmicrosoft.com; all I have to remember is the password. Create. I actually will not even assign applications to that user. Now I go to myapps.
microsoft.com, login. I'm logging in for the first time, so it will ask me to change the password, and we will be on the access panel. So we don't have the applications on the access panel. Facebook: see, I'm able to request Facebook, because I'm not given access in Facebook I'm able to request it; that's very important. I can say Add; a mail will go to the sandep Sony account, who will have to verify and approve it, and then that will get listed there. Otherwise I will go now again to Enterprise applications, and in Enterprise applications I'll select Facebook, Users, add user jj@..., Assign. Once the user is assigned, now the user can go back and refresh; it will take a while actually, Facebook should get listed here. Let's log in again, okay, myapps.microsoft.com; just step by step I'm taking you. Now I log in with the same ID and password; now we should have Facebook, not listed till now; actually it should have it... yes, it has come, it just took some time, and it takes time. I did not invite or I did not approve anywhere, I mean I just got it here after some time, so you'll have to wait. Now I click on Facebook. The basic problem, not a problem actually, it's a requirement for the Azure AD access panel: you'll have to install a plug-in, it's a one-time feature actually. Just say Install now: My Apps Secure Sign-in Extension, and you can read here, "this extension is required to access specific applications from myapps.microsoft.com which provides single sign-on to the cloud applications within your organization". It's a small file. What is this, Microsoft... it's already installed; the problem is I'm using InPrivate mode, not working here; let's move to... so many issues. These issues are only coming because we are not on a corporate network; these problems will not come if we were really sitting on a corporate network. From one machine I'm logging in with different IDs, that's also not recommended. Oh, so you see here, when I selected Facebook it is now asking me to provide the credentials which I'm supposed to use for
logging onto the Facebook account now white is asking me for for this credentials I'll cancel this I'm not proceeding because in my Azure ad when I did configuration so let's go to now the same user and this time provide update credentials what is the advantage of doing this after this it might take some time but let me try immediately after this if I actually click on Facebook it should not ask me for username and password it should directly use use those credentials which I provided and redirect me to Facebook you see and that's happening it's no more asking me to provide username and password see on top it has automatically come and it will take me in I don't even have to press enter or anything that's it I'm in got it I click on access panel Facebook do Facebook app and I don't even have to provide usern and password because the administrator has already provided username and password on my behalf through update credential options that is the beauty of this but if this is not provided then you will be asked to provide username and password because that will be then considered as your personal account so you'll be asked to enter usern password but once you entered username and password remember those things will be remembered for subsequent login you don't have to again provide username and password thereafter in your access panel it will be remembered through that plug-in one time only you'll have to provide username and password to visit your personal account likewise I can also add to Microsoft account I can add users once you understand what is Happ happening it's all very easy setup I'll repeat and summarize everything because lot of options are happening I'll give you all the steps once again I can add now the new user which I created again go back to access panel remember access panel is not working in Incognito or private mode so it will take some time and after some time it will get listed here and once it is listed here the same story repeats we'll 
just keep it and come back after some time and check so what is that we have learned let's once again see all this we created aure ad or why not refer to my nodes aure ad Enterprise application I added a new application and let's say I searched for Facebook and I added that go to Facebook settings I mean here I have demonstrated how to give individually but you can do all this through quick start remember that quick start is an alternative single sign on mode password based single sign on sign on URL so and so users and groups add users and groups who can access the application that's what we have done users and group update credential why we should use this following action will allow user to authenticate to the application from within access panel without explicitly asking for username and password or with preconfigured identity if you want to perform this step the pre-configured identity username and password is going to be used for authenticating the user then self service if you want to allow all these things user settings users can add gallery application to their access panel for self-service you'll have to enable this that is here actually that's not under that's under active directory directly user settings by default in your configuration it will be disabled users can add gallery applications to their access panel by default it will be disabled sometime earlier I have enabled it user assignment required you see this is the Y this option is only enabled when the application is configured for single sign on modes SLE based SSO and wiia with Windows aure ad authentication okay so this is not available for Facebook and Microsoft account live maybe some other application it will be there user assignment required right now it is default enabled but in certain cases only by adding the application to the access panel automatically it becomes available to every everybody but you can control that user assignment required otherwise and then you'll have to go to my 
apps and the story access panel approver will receive the request or reject in case you want to have drop Dropbox supports Federated single sign on I told you earlier Dropbox which is corporate account Dropbox as your a directory application proxy helps you to improve productivity by publishing on premise application so that remote employees can securely access them also just remember this as a feature what is aure AD application proxy because this is going to be a certification question or probably interview question the importance of application proxy as you ready application proxy it is the one which will help us to give access to Extranet user to the on premise applications remember that ideally start with new users added to the application purpose here add few user accounts and then proceed based on the verified domain name and that's it that will make things easy for you or the default tenant ID verifi domain name or you can use the default tenant ID what will be your default NN ID something like XXXX dot on microsoft.com that's your default tenant ID pretty simple and very useful feature for corporates to provide at one place access to all their applications and not require requiring them to relogin again and again integrating line of business applications with Azure ad basically B2B applications we can call it the applications which we want to make use of in our organization the custom applications the developer applications the applications which the developers are developing for their own organization so to those applications how we can uh integrate aure ad so aure organization that develop their own line of business applications can protect access to the applications by using Azure ad developers can enable their own custom applications to use Azure ad and obtain features that are available to Ed gallery application so basically we'll have to use something called as oven middleware here so first these are the steps actually generalized steps you have to 
register an application with aure you have to set up the application to use oven authentication Pipeline and use oven to sign in and sign out request to a your so all this we have to do it one by one so now I go to aure ready and in aure ad we we will this time use the option application registrations earlier we have used Enterprise application now we are using application registrations new application registration and let's give some name to the application let's say my demo app now is it a web application or a native application native application is like your mobile application actually or Windows application or a console application but is web give signin URL at this point of time we don't know what can be the signin so just give something which we are going to change later and we'll have to change it click on create so what this has created is an active directory application mind you what I've created is a active directory application it's not getting listed here you have to change this filter all apps lot of apps what what I created now was my demo app this is what I just now created now click on settings and here in settings we are going to have properties from which we are going to use application ID there is an application ID login URL I'm going to come back and change later here so now let's see what a developer is going to do I'll take a shortcut and I'll show you the long route you can go through it in case you are interested into Studio you have to login with your Azure account first create a new project let's say an asp.net web application choose whatever is relevant MVC let us say in my case and click on change authentication and select this option work or school accounts that's what we want actually so here when you're logged in automatically it is supposed to populate the domain name it will take a while and the domain name will come s Sony do soft. 
onmicrosoft.com if not I'll type there click on more options see actually what happens is if I do not put a check mark here this step is going to create an aure ad application for me I repeat in our case we have created aure ad we'll take this application ID copy and use that here but if suppose copy paste yeah so we have copied from Azure the application ID and that we are using here as client ID but if I do not do that if I do not put a check mark here automatically studio is going to create an Azure active directory application for you you have the choice click on okay studio will take care of generating all the oven related code oven Pipeline and everything will be created for you now and actually speaking application is ready that's it you are done you don't need to do anything more for authentication and only take care of the authorization within your code that's it you see now lot of code is autogenerated for us you have account controller in content you'll have startup class app start app start you'll have startup class so all this is extra which is generated now you'll have reference to Identity system. 
identity model Microsoft oven all this is extra added now to support authentication with Azure ad I'll show you the code also but go to web.config and everything is actually there in web.config we have client ID we have ad instance this is the login URL which is going to be used for logging into the user account the domain which is your tenant ID I mean this can be used or this can be used both are fine post log out redirect to this page so I'll use this page only for login URL also so I go back now to portal just close this and come back to properties you'll see homepage URL is automatically updated I didn't even do that homepage URL is automatically set by Studio whatever is the URL here but of course once the go application goes into product you'll have to manually come and change the url here to the URL of your live website that's very important you don't have to do anything because you did not change anything click on okay now run this let's check if the controller account controller is authorized or not no it's not authorized one of these Pages maybe contact I'll change it to authorize now run this so by default it will let me in I'll get the homepage because that's not authorized Anonymous users can access it most important web application 2 is trying to access credentials of Microsoft do you want to accept say yes so our application basically contacted Microsoft and on behalf of the user it took permission to access the Aur ready go to contact oh sorry authorize is already there here I did not see this because authorize is already there at the controller level for homepage itself it asked me for username and password so this is not at all required but you can delete this so now if I login again I'll close this window run the whole application again this time I'll get into the homepage it will not ask me for credentials but when I click on contact it will ask me for credentials see I did not sign in now click on sign in just redirect me to login page I pick 
up my username and password login and I'm there so so simple developer doesn't have to now manage username password at all the whole login module is delegated to azur just I would like you to go through this if you are a net developer you should be able to understand what is there in sign in it's all oven pipeline integration actually sign out but then there is something very important which is startup and in startup all those values which are there in the config file are used from the app do from the web. config and all this configuration is done Owen pipeline options are created so like this developers within the organization will be able to let the users use active directory for authentication for their application without managing a separate uh database for identity management see an important feature my demo app go to properties and here you have the option it is not there right now you see if you wait it will come user assignment required right now user assignment is not required anybody is able to login that means even if I use the account of sandep Sony I will be able to log to this application but if you want to restrict only to few users then you'll have to say user assignment required and then save this after that go to users and groups and only those users who are here will now be able to access others will not be able to access like I try to now login with sandip Soni account have to close this go to contact I try to use let's say sand Sony at Deans soft.com provide my username and password it will not let me in very important the account needs to be added as an external user in the tenant first whatever I mean sorry and cannot access the application some error but I'm not able to access the application I think it was trying to use my work account earlier this also will not be given permission anyhow access Deni because I'm using Local Host it's directly showing the error message if not it will take me to the appropriate P so very very very important 
what is that for a given application come to manage application in local directory and properties basically this is called as a service principal application this application is a service principal application for my custom application which I have developed that's all in this thank you so implementing aure ad b2c collaboration see what we have seen is how we can make use of azure ad for developing applications which integrate for users within the organization as well as we know how we can invite people from other organization and have access to those applications but now we are talking about a major crowd let's say everybody in the world is our customer not a specific set of users so in those kind of cases we will have to go for business to Consumer now what would be the difference in business to Consumer any user will be able to register themselves on our website they would be able to use anything like soci uh any social media account maybe Facebook account or Google account or Twitter account or LinkedIn account these kind of accounts they can make use of and using those identities they can login into our system so basically those applications which are public available to the masses the implementation has to be aure ad business to Consumer b2c we call it so aure ad b2c provides identity as a service for your application for for supporting two industry standard protocols open ID connect and oath 2 those are the protocols which are supported here aure ad b2c eliminates the requirement for developers to write code for identity management and storing identities in on premise database or system that means complete user management is delegated to Azure now and as I said it simplifies and standardizes consumer identity management by allowing your consumers to sign in for your application by using their social accounts which can be Google Twitter Facebook LinkedIn and so on so how do we begin here for this the first thing we'll have to do is create a Azure ad b2c 
directory I repeat we'll have to start with creating an aure ad b2c directory what we have here aure ad directory is different but this is not going to be useful for B Toc for B Toc we have to create a separate directory Al together so I'll create a new resource search here b2c aure ad b2c create you're currently signed in as okay first let me switch to my actual directory and same procedure now create a resource aure ad B to C create create a new Azure ad tenant of course it's a b2c tenant give a name same name I'll use here also and that becomes do onmicrosoft.com you have to choose the country it's not supported in all the countries b2c is actually not supported in India itself actually there's no India here United States is good enough and it's going to take almost a minute for creating a directory now once the directory is created what's next obviously we would like to add users to that directory so now I mean the rest of the things what we have learned in Regular aure Ad the same things will apply here that directory is going to get listed here I would then switch to that directory create users create applications register applications assign Purp missions and of course finally integrate the directory with our application the custom application which we are going to develop something in like net where we would use open ID connect or o for communicating with the a your ad so directory is created now click on link existing directory to my aure subscription choose the directory from here we created this one now we'll create a new Resource Group b2c demo RT create so we created a new directory and linked to an existing I mean linked the directory to the existing subscription after this step is completed I'll have to switch to that directory now it's not listed here yet go to the resource and you'll see here it changes no it's not changed so what we'll do is refresh the whole page and switch we are switching to the directory and now from the left hand side panel 
we are not going to use Azure active directory all the time till now we have been using Azure active directory but this is a b2c directory that is very important point you have to understand done we will not use this option anymore so I'll say all services B to C Book Market click here we can actually move this up we'll be using it frequently so this is my aure ad so click here get started and it does all the initialization required p2c service has an internal error that is fine again it's asking me to take a while and come back again for preparation actually it's preparing the directory in background perfect we have the directory ready and this is the domain name DSS demo b2c do onmicrosoft.com so as I said the first thing we are going to do here is ADD users if I want to I can add users directly or I can let users to directly register into this both the options are available I can add a new user let's say whatever was there same thing I'm using and the domain name which we gave and other stuff you can create TSS demo B2 c. 
onmicrosoft.com space it's validating the domain name so I'll copy this username which I may need it at later point of time and the password create it so like this like we could do in a regular active directory here also we are able to create users and we will see that the users from external Source are also getting added to the same list now I go to the most important thing here which is policies because it is through these policies only we will allow the user to register so what we have completed in the handout is this part we have compl completed all together yeah you can either create policies first or you can create your web application it's your choice so in my case I would like to create policy first in providing access to the application integrated with B2B is b2c is defining the policies now what are these policies policies Define consumer identity experience such as there are options sign in sign up profile editing change password all these options are there these policies can be defined in Portal by using a special query parameter in HTTP authentication request for a signup policy or application can use identities from social accounts this is most important social accounts such as Google or Facebook or locally created account with email addresses we can use social accounts or we can also have accounts created within b2c using their email address and of course also including user uh including email address username and password so now this is the most important step so I go to sign up policies and I'll add a new policy sign up sign in single policy you want for both or you want separate policy for sign up separate policy is sign in it's your choice let's say I I would use a single policy there are no policies right now I will add a new one give some name b2c underscore sign up sign in identity providers now when the user is getting created or if the user is getting authenticated what are the identity providers we would like to support so right now there 
is only one option here email sign up that means user is going to register by his email ID so right now you do not see here any list like Facebook Google or stuff click on okay now when the user is supposed to sign in sign up what are the attributes we would like to capture we would like to capture the email address the display name and uh maybe the street address and the country it's our choice what we want to capture here we may not want to capture everything or let's say postal code or this is good enough click on okay then application claims this is the input which we would like to get from the external provider in case we have an external provider so same email address display name street address and what else I to took there that's it what are the four attributes I have used here we'll try to map the same things country display name email address and street so country I did not choose here let me choose that also in case you want to support multiactor authentication but that's supported only in Pre Premium Edition uh okay I think they have enabled now in this but I don't want multiactor authentication it's just one extra step for verification you can provide your email ID or phone number and then validate a token will be sent to you and if you want to do a page UI customization sign in sign up page if you want to change the image in the background and stuff like that right we don't want any kind of this customization need basis you can do it so now we have created a new policy like that this is for sign up sign in like that for edit profile also I can create same stuff everything is same for so two policies are created now you can see all the policies here you can go to particular policy and actually test how the login or register page would look like run now endpoint okay we don't have any application created yet that's why it's not coming up so let's create now the applications right now we are creating an Azure ad b2c application which I'm going to later 
link it with my net application name of my application b2c demo app is it going to support web API and web applications or is it the mobile application you can choose that reply URL this is very important once the authentication has succeeded to which URL should the user come back to that we will have to give here so for the time being I'll just give randomly something which I'll have to come back and change it and give Here app ID URI demo app b2c demo app preferably the same name we can give anything is okay two applications should not have same URI that's it and moreover that is optional app ID URI is optional app ID will be created that is what we will need so application is created that will get listed here switch and come back yeah that's the application and it's app ID so there are two things which we are going to need now one is the application ID and the other is is the secret basically we call it as key so app ID I'll need app ID and app secret here keys we'll have to generate a key click on generate key now just save it and key will be automatically generated what is important is ensure that this key does not have symbol like less than greater than because we are going to use this in programming in our configuration file we are going to make use of this so ensure that we do not have some special symbols which are going to collide with our HTML stuff so speci especially less than greater than Ampersand also see that it's not there if it is there you'll have to regenerate it you can delete this and regenerate a new one and you'll have have to copy because once you go out of this page it's gone you cannot come back and restore this you cannot see this again later so it's visible to you only one time and that's it we are done with this application creation we are done with the policy creation now let's go back to all policies we'll choose a policy here let's say B2 C sign up sign in we have to choose the application and this is the endpoint URL I'll say copy 
I would like to show you also see this is the URL now and important thing is in the URL we have got the policy name okay I added b2c internally it also added B2 C1 it automatically added this that's fine client ID and so on so this is the login URL actually and I take this let's say I go to Chrome paste here and this is the login URL which my application is going to use and the same URL will be used for even signing in sign up sign in both the features can be accommodated in single URL because of the policy which we have in the URL you see you can sign up if you have an account sign in if not sign up remember this can be changed through branding this can be changed so your application gets a rimed login page registration and everything for authentication we are using b2c where is Facebook right now we haven't added them as identity providers Facebook Google Twitter LinkedIn all these are referred as identity providers and they're not yet added to my b2c once those are added they will get listed here as an option for logging in that we'll see little later but now first we'll try to develop an application now you have two choices here either you write all the code if you want or else there is a sample application you can download this as the base and edit this code I'll download down load it we'll save it in our local directory here let's say I create some directory and I go to the directory extract practice we'll have to open the solution file and of course the changes which I'm going to make will be only in web.config so this particular application has two projects okay one is the web project and the other is web API project we are not interested in the web API project if we can Implement for web project we are fine yeah so there is a service which is a web API project and there is a web app we want to implement in web app so go to web app web.config and here we'll have to provide the required details so first thing I'll need is a tenant ID how do we get the tenant 
ID whatever active directory we have created p2c that name will be the tenant ID DSS demo b2c do onmicrosoft.com DSS demo b2c then we need this client ID which is nothing but the CL app ID which we have here the app ID and followed by that the app secret remember the URL this URL and the URL I showed you is same and then we need the policy names that is sign up sign in policy and likewise here the edit profile policy perfect in case you have created a reset policy password reset policy that you'll have to give here so you can create policies and simply mention here now if your service is talking to I mean if your web application is talking to the background web API these details will be required now task service URI of course first what I'll do is comment this line and uncomment this line no wait this is Task service I'm not so interested in task service I'm interested in return URI this one so the port number which is used by my application right now is 44316 so I'll copy this and this I'll configure in my portal under properties of a given application reply URL so if our page can probably come back to uh I mean what happens is from our website we go to Microsoft for login and then it comes back to our site so there are Chan that in some situations we'll have multiple return URLs so whichever is the reply URL that means which your url you want to come back to that URL should be present here compulsory if not we are going to get an error so right now we have only one but in case you do little Advanced coding this can change but remember at the same time when you go live into production you're going to change this at the same time you'll have to change here also that is important save it so now we our complete application setup is done we are ready to run I'm just telling you again I'm not so Keen about this part this also we can actually change but uh we're not using that scopes we're not getting into tasks and all that so we will get into the application right now 
and we'll notice that we are logged in by default. Oh sorry, we are not logged in by default, but we can log in. So yes, here also, in the meantime, as it is loading in the background, here also we have got the authentication controller, sorry, the account controller, which is responsible for authentication. Here also we will see Startup, but the code is a little different: we'll have the policy included in the URLs now. For B2C the code is different; we are still using OWIN only, but the code is different, so later if you want you can try to understand that. I'm not so keen about explaining all that. And we should be there, not logged in, so let's try to log in. The beautiful thing is, when we try to log in here it need not even be a Microsoft account; you can use your Gmail ID, you can use any ID here. For example, let me use my Gmail ID and some password. Right now it is not there, so I'm going to get an error: the account is not there. So I'll sign up. When I click on sign up, the first thing it will ask me is to verify my email address. I'm going to get an email with a verification code that I'm supposed to enter. I'm checking the email on my mobile. Yes, my verification code is 32581. Verified. Once I have verified, now I can provide the new password, street address (these are the fields I have checked, if you remember), city, I mean country, display name. Create, and the account is created. We can use this to log in. I'm logged in; I can click on Claims and see my details. So there's a claims API using which we will be able to get all these details programmatically. So Azure AD B2C is holding this information and our application, the .NET application, is able to read this information. That's the point: this data is with Azure AD and our .NET application is able to read this information. You have the claims code, ClaimsPrincipal.Current.Claims; that's the API call. ClaimsPrincipal.Current.Claims gives you all the claim objects, and each claim object has a type and a value. That's what we are seeing in the browser actually: this is the type and the value, basically a key-value pair. That's it. Our application is up and running; no identity programming has to be done. Yeah, you want to give permission to a few users, you don't want to give permission to a few users, that you can always code based on this extra data which we are getting from here. I'll check if name is equal to Sanson, I will do something, or else I'll not do something; things like that we will have to take care of in our code. Authentication is taken care of, whereas the authorization stuff, user-based stuff, all that is our application logic that we will have to code in our application. So all this is there in our handout; all the steps are given. If you download, edit the web.config. In case you want, you can edit for the web app and web API both. I've not edited the web API, so my web API will crash. The web API is basically to create a to-do list, so right now it will crash; just forget it. I've not programmed the web API nor have I configured its web.config, so this will not be able to authenticate the user. That's okay, we are not interested. Run and test the application, and we can directly jump to step 36. But otherwise, if you are a developer and if you want to do everything manually, you don't want to use the sample application, if you're a hardcore developer and if you want to yourself write everything so that you understand stuff, I would propose you to follow these steps: you have to add the OWIN class manually, you have to write the Startup, OpenID Connect authentication, redirect to identity provider, sign up, sign in, your account controller, all this you'll have to take care of, and this is how you can get the claims: ClaimsPrincipal.Current. Yeah, you have to ensure that you get the NuGet package. Now I want to make use of Facebook, so the first thing we'll have to do... let's do this in the next video.

So now that we have got email authentication, we would like to add now the Facebook authentication to our site. How to do this? Basically we want users to make use of their Facebook account and get into our website. Let us now visit Facebook dot... I mean developers.facebook.com. You should have a developer account enabled; by chance it is not enabled, you'll have to do that. Here you are going to see all the applications and add a new application. Now, like we did in Azure B2C, new application, like that now we are adding a B2C application in Facebook. Display name: DSS b2c demo app; contact email ID; create an app ID. Here also we'll get an app ID. Yep. So we basically want Facebook Login; let's say set up this. Ours is a web application, let's choose that. The site URL, what will be that? The URL from here, whatever is our site URL, that we'll have to give here. Save it. And we don't need, in case you are doing JavaScript and stuff, Facebook is giving you ready-made code for integration; we don't need all this, login status and all we don't need. This also, the Facebook button, in case you want it on your site you can use this; that also we don't need, and all this also we are not worried about. So what is important is, here we created a Facebook Login, see the product added here. So go to Settings. The most important thing we'll have to provide is the OAuth redirect URI. So how to frame that? This is how the format is supposed to be; this you have to copy. Like I showed you earlier, for Azure B2C this was used; now we are using this for Facebook. So like that, when we do Google, for that also it will have some URL like this. You'll have to find out this from the documentation: what should be the format of the URL for Facebook, the URL for Google; like that, everybody will give their URL. So OAuth redirect URI, and here, redirect URI to check: when we come back, this URI, the redirect URI, after authentication it will come back to this. Why is it not running? I have the Express edition, 44316; it's fine actually. Anyways, let's leave that; we know it's correct only. So this is the very important step we have to provide, and we are done. Now we go back to the dashboard. Settings actually; the dashboard also they changed. Okay, I need the app ID and app secret, these two things I need. Now click on Basic: app ID and the app secret.

So where do we need this now? I'll go again to B2C, and in B2C, this is the Azure AD B2C application, but we want to go to the B2C directory, as you... yeah, sorry, that's correct only, B2C directory. And here I should add an identity provider. So right now we have only one actually, email; see, email is already there. I would like to add more, which are social identity providers. So this I want is Facebook. There are so many identity providers; we can choose one. So many are there, and the list is growing. So right now Facebook is what I'm interested in. Set up this identity provider. So here we need the client ID, which is this ID; paste it here. And we'll need the secret; we'll have to click Show, we are asked again for the password; copy and you can paste here. So basically we are creating a setup between Azure B2C and Facebook by adding a provider. Okay, create. Like this, multiple providers can be created. Now we'll have to go to the policy. The policy right now supports only email. Select the policy; in the provider section we'll have to enable Facebook also. Now edit identity providers: Facebook also should be checked. So later, if you add Google, you'll have to come back and check Google also, for each policy. Save it. Once you save, you can actually check with this URL itself; you don't even need to go to the application. First thing, it should work. Look here, the policy is saved, so I copy this, let's try to paste this. You might get an error. Click on Facebook. We might get an error. See, I'm now on to Facebook and it's asking me to provide permission. So in Facebook I'm already logged in; that user is being given permission into this application. So once I say Continue, this user will have permission to access this particular application, rather, this application will have access to some of the data: my public profile and my email address. Now, I don't want to give access to something, I can uncheck and give limited access. So this user also now is granted access. So whichever Facebook ID you use, with that ID the user will be able to log in. And now the additional data we have to provide, remember the check marks we have put in at the time of creating the policy; name and email ID have automatically come from, where? Facebook. All this is outside our application, mind you; the user is still not in our application. Now he has come back. I mean, of course I didn't visit from here, that's why all this problem; I did not come from here, I directly copied the URL from the application. From here I copied; ideally we should have gone to our application, but because the reply URL is given as our application, it came back there. facebook.com is the provider. So like this, Facebook integration is performed. Remember, once you go live, ensure that you put a check mark here. I thought this would be required: choose a category, save it, and you must provide a valid privacy policy URL. This is a new thing which they have introduced, privacy policy URL: you're supposed to make a privacy policy page and provide that. Now there is a lot of data problem, so all these precautions they are taking. Terms of service URL: basically every organization has their own privacy policy and terms of service when they capture the user details; some privacy file they need. I took the URL from here, that's it. Now switch on this; it will again ask you to log in for verification, and your application is going to go public. Of course, this URL will be replaced with the more appropriate URL, the production URL. When this is unchecked, with localhost alone it would work. So this is how the Facebook integration is done. Similarly you'll have steps to be followed for Google integration. I don't have it in the handout, but yes, you can follow the Google integration also, similar kind of steps. In Google you'll have to create a Google app; the Google app also will give you an app ID and app secret, which you're going to use in your Azure B2C: go to the Azure B2C directory, add one more identity provider and provide the app ID and app secret for Google; come here in policies, select the provider and add it.

So what is the advantage now? Now if I run my application, I already showed you actually, and I run my application and if the user wants to sign in, we'll have the option of Facebook. I'm already signed in; let me sign out. I now sign in and I have the option of Facebook. So this list will grow without us doing even a single line of programming; we are getting all these extra benefits. That's it. I mean, I did not click on OK there, so the sign-in process did not complete; let me finish it off. See, these details have come now from Facebook. Fantastic, we are inside. So basically the advantage is our application would be able to use any account, provided our application is enabled with Azure AD B2C in which providers are added and attached to the corresponding policies which we are using in our code. So that's all in this particular Facebook integration.
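The claims API the speaker points at (ClaimsPrincipal.Current.Claims) and the user-based authorization logic he says the application itself has to code, as an added C# example. This is not code from the video's sample project or handout. It assumes an ASP.NET MVC controller running behind the OWIN OpenID Connect middleware the sample configures, so that B2C has already authenticated the user; the claim type names "name" and "emails" are assumptions to be checked against the Claims page of your own app, and the allow-list and the address in it are placeholders.

```csharp
// Added example: read the claims Azure AD B2C returned and use one of them
// for an application-level authorization decision. Authentication is done
// by B2C (OWIN OpenID Connect middleware); what follows is the application's
// own logic, which B2C does not do for you.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;

public class ClaimsController : Controller
{
    // Assumed claim types; B2C emits whatever attributes the sign-up/sign-in
    // policy was configured to return, so verify these on the Claims page.
    private const string DisplayNameClaim = "name";
    private const string EmailClaim = "emails";

    // Placeholder allow-list; in a real app this comes from configuration
    // or a store, never from a value the user can supply.
    private static readonly HashSet<string> AllowedEmails =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "admin@example.com" // placeholder
        };

    // Equivalent of the sample's Claims page: every claim as a type/value pair.
    [Authorize]
    public ActionResult Index()
    {
        List<KeyValuePair<string, string>> claims = ClaimsPrincipal.Current.Claims
            .Select(c => new KeyValuePair<string, string>(c.Type, c.Value))
            .ToList();
        return View(claims);
    }

    // The "if name is equal to ... do something" check from the transcript,
    // done on a claim the identity provider asserted rather than on free text.
    [Authorize]
    public ActionResult AdminOnly()
    {
        ClaimsPrincipal principal = ClaimsPrincipal.Current;
        string displayName = principal.FindFirst(DisplayNameClaim)?.Value;
        string email = principal.FindFirst(EmailClaim)?.Value;

        if (!IsAllowed(email))
        {
            // Authenticated but not authorized: 403, not a redirect to sign-in.
            return new HttpStatusCodeResult(403, "Not permitted");
        }

        ViewBag.Message = "Welcome, " + (displayName ?? "user");
        return View();
    }

    // Pure decision function so it can be unit-tested without a request.
    internal static bool IsAllowed(string email)
    {
        return email != null && AllowedEmails.Contains(email);
    }
}
```

Note that [Authorize] only guarantees the user signed in through one of the providers attached to the policy; it says nothing about who they are. The social-login story in the transcript (Facebook, Google) means any holder of such an account can reach an [Authorize]-only action, so per-user decisions like the one in AdminOnly belong in application code, keyed on claims the provider asserted.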