Azure AD Subscription and Synchronization
 

Overview

Microsoft Azure is a collection of integrated cloud services. With Azure Active Directory (AD), you can manage your practice’s Azure AD users from your on-premises Active Directory.

To prepare your organization for g4 Studio Cloud, you must integrate your on-premises AD with Azure AD. This document guides you through the process with links to Microsoft instructions and resources. Because this process requires technical expertise, we recommend that it be performed by a system administrator in your IT department or an equivalent person in your organization.

In this process, you will:

  • Sign up for an Azure subscription.
  • Add and verify your organization’s domain.
  • Prepare your on-premises environment and data.
  • Download and run the Azure AD Connect tool.
  • Verify your local AD is synchronized with Azure AD.
  • Add a global administrator account and assign it as your co-administrator.
  • Configure your Azure integrated applications settings.

This process typically takes at least 2 hours. You might need additional time depending on how long it takes you to prepare your on-premises environment.

Note: These guidelines are for Unlimited Systems customers with common AD configurations. If your organization has an advanced AD configuration (for example, Active Directory Federation Services), research Microsoft’s documentation for possible extra steps you might need to take.

Integrating your on-premises directories with Azure AD


Step 1: Sign up your organization for a free Azure subscription.

Note: Azure AD services are free. Microsoft requires a valid credit card to sign up for an Azure AD subscription, but your credit card isn’t charged unless you sign up for other services that require payment (for example, Office 365, Azure Virtual Machines, Azure App Service). The Azure pay-as-you-go model is similar to consumer-oriented stores like Apple iTunes.

  1. Go to https://account.windowsazure.com/organization
  2. In the required fields, enter your organization’s information, then click Continue. The Microsoft Azure login page opens.
  3. Sign in with the account you created in step 2 of this procedure.
  4. In the About You section, enter your personal information.
  5. In the Verifications by Phone section, enter a phone number to receive a verification code.
  6. After you receive the verification code on your phone, in the Verifications by Phone section, enter the verification code, then click Verify Code.
  7. In the Verification by Card section, enter the information for a valid credit card.
    Note: Microsoft requires this credit card number to verify your account.
  8. In the Agreement section, select the checkbox to agree to the subscription agreement, offer details, and privacy statement.
  9. Click Sign Up. Microsoft activates your subscription.
  10. After your subscription is activated, click Start Managing My Service.
  11. Open this article: How to sign up, purchase, upgrade, or activate Azure.
  12. In the section “Sign up for an Azure Free Trial subscription,” complete steps 2-7.
  13. In the section “Upgrade Azure Free Trial to Pay-As-You-Go,” complete steps 1-3.
  14. Open this article: Upgrade your Free Trial or Microsoft Imagine Azure subscription to Pay-As-You-Go.
  15. Complete all the steps in the article.
  16. Test your subscription:
    a. Sign in to the new Azure portal at https://portal.azure.com/.
    b. Sign in to the classic Azure portal at https://manage.windowsazure.com/.
    Note: To manage Azure AD, use the classic Azure portal. Almost all Azure AD features are currently managed through the classic portal.

Step 2: Add and verify your organization’s domain name.

  1. Open this article: Add a custom domain name to Azure AD.
  2. In these sections, complete all steps:
    a. “Add a custom domain name to your directory”
    b. “Add the DNS entry at the domain name registrar for the domain”
    c. “Verify the domain name with Azure AD”
    Note: This step requires a global administrator account. You can use your Azure subscription account, which is created as a global administrator account by default.
  3. If your on-premises domain is non-routable (for example, organization.local), to enable your users to use their existing credentials to log in to g4 Studio Cloud, follow this additional directory synchronization procedure.

Step 3: Prepare your organization’s on-premises environment and data for integration with Azure AD Connect.

  1. Open this article: Prerequisites for Azure AD Connect.
  2. In the section “Before you install Azure AD Connect,” in these subsections, review all steps and complete steps as necessary:
    a. “Prepare your on-premises data”
    b. “On-premises Active Directory”
    c. “Azure AD Connect server”
    d. “Accounts”
    e. “Connectivity”
    f. “Other”
  3. In the section “Component prerequisites,” in the subsection “PowerShell and .Net Framework,” complete all steps for PowerShell and .NET requirements.
  4. In the section “Hardware requirements for Azure AD Connect,” verify that your server meets the minimum requirements.
  5. In Active Directory, create an Unlimited Systems user account:
    a. First name: g4
    b. Last name: User
    c. Full name: g4 User
    d. User logon name: g4user
    e. Password:
        - Create a password with at least 6 characters, including 1 number and 1 capital letter.
        - Select the checkbox Password never expires.
        - Don't select any other options.

    Note: If your organization already has an Unlimited Systems vendor account in your local Active Directory, you can use the existing account and don't need to create a new one. Send the existing account's user name and password to Unlimited Systems so we can use the account for support and troubleshooting.

  6. In Active Directory, in the appropriate Organizational Unit (OU), create two security groups: g4 Cloud Admins and g4 Cloud Users.
    Note: When Unlimited Systems registers g4 Studio Cloud into your Azure directory, we use these groups to assign permissions and roles to g4 Studio Cloud application users. If you name and organize these groups using your on-premises naming conventions, you must notify Unlimited Systems of the group names to use. These groups don’t affect the synchronization process.
  7. In Active Directory, in the g4 Cloud Admins security group, add these members:
    a. The g4user account
    b. A local user account (typically a local domain administrator)
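The account and group work in steps 5 through 7 can also be done from PowerShell. The following script is an added example and is not part of this guide or of Unlimited Systems' tooling; it assumes the ActiveDirectory module (RSAT) is available, that it runs as a domain administrator, and that the OU path and the local administrator name are placeholders you replace with your own.

```powershell
# Added example (not part of the Unlimited Systems guide): creates the g4user
# account and the two g4 Cloud security groups from Step 3 with the
# ActiveDirectory module. ASSUMPTIONS: the OU path and local admin name below
# are placeholders; the script runs as a domain admin on a domain-joined machine.
Import-Module ActiveDirectory

$OuPath     = 'OU=Cloud,DC=organization,DC=local'   # ASSUMPTION: replace with your OU
$Domain     = (Get-ADDomain).DNSRoot
$LocalAdmin = 'jdoe'                                # ASSUMPTION: your local domain administrator

# Prompt for the password rather than embedding it, so it never lands in a
# script file, a shell history or a support ticket.
$Password = Read-Host -Prompt 'Password for g4user (min. 6 chars, 1 number, 1 capital)' -AsSecureString

# Step 5: the g4user account. PasswordNeverExpires is the only option the
# guide asks for; no other account flags are set.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'g4user'")) {
    New-ADUser -Name 'g4 User' -GivenName 'g4' -Surname 'User' `
        -SamAccountName 'g4user' -UserPrincipalName "g4user@$Domain" `
        -Path $OuPath -AccountPassword $Password `
        -PasswordNeverExpires $true -Enabled $true
}

# Step 6: the two security groups, created only if they do not already exist.
foreach ($GroupName in 'g4 Cloud Admins', 'g4 Cloud Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath
    }
}

# Step 7: g4user and the local administrator become members of g4 Cloud Admins.
# This is the only group membership the guide calls for.
Add-ADGroupMember -Identity 'g4 Cloud Admins' -Members 'g4user', $LocalAdmin

# Verify the result: account state, the password flag, and group membership.
Get-ADUser g4user -Properties PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, MemberOf
```

If your local domain is non-routable (for example, organization.local), the user principal name written here will carry that suffix; the additional directory synchronization procedure referenced in Step 2 covers changing the UPN suffix to the domain you verified in Azure AD so users can sign in with their existing credentials.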

Step 4: Download and install Azure AD Connect.

  1. On the server you want to be the sync server, from the Microsoft Download Center, download Azure AD Connect.
  2. Install Azure AD Connect using express settings:
    a. Open this article: Getting started with Azure AD Connect using express settings.
    b. In the section “Express installation of Azure AD Connect,” complete all steps.

Step 5: Verify that your local AD is synchronized with Azure AD.

  1. In the classic Azure portal, navigate to your directory, then click the Users tab.
  2. Verify that you see a list of all users who have been synchronized.
    Note: The Sourced From column should display "Local Active Directory."
  3. In the new Azure portal, log in with the user name and password of any user synchronized in step 4 (Download and install Azure AD Connect). If the login works, the ADs are synchronized.
    Note: Azure AD user names have this format: user@organization.topleveldomain, where organization.topleveldomain is the custom domain verified in step 2 (Add and verify your organization’s domain name). Often, the Azure AD user name is the same as the user's email address.
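The portal checks above can be repeated from PowerShell, which also shows the two things that most often make a sign-in in step 3 fail: a user that has not synchronized yet, and a user whose UPN suffix is not one of the domains verified in Step 2. The script is an added example, not part of this guide; it assumes the MSOnline module is installed (Install-Module MSOnline), that the ActiveDirectory module is available on the machine it runs on, and that Connect-MsolService is answered with a global administrator account.

```powershell
# Added example (not part of the Unlimited Systems guide): verifies the Step 5
# synchronization result from PowerShell. ASSUMPTIONS: MSOnline and
# ActiveDirectory modules are installed; you sign in as a global administrator.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService    # interactive sign-in with the global administrator account

# 1. Tenant-level status: is directory sync enabled, and when did it last run?
$Company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled   = $Company.DirectorySynchronizationEnabled
    LastDirSync      = $Company.LastDirSyncTime
    LastPasswordSync = $Company.LastPasswordSyncTime
}

# 2. Per-user status: a synced user carries a LastDirSyncTime (this is what the
# portal shows as Sourced From = "Local Active Directory"); cloud-only users do not.
$CloudUsers  = Get-MsolUser -All
$SyncedUsers = $CloudUsers | Where-Object { $null -ne $_.LastDirSyncTime }
$OnPremUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName

"{0} enabled on-premises users, {1} synced users in Azure AD" -f $OnPremUsers.Count, $SyncedUsers.Count

# 3. UPN suffix check: a user whose UPN suffix is not a verified domain (for
# example a non-routable organization.local) is given a tenant.onmicrosoft.com
# name in Azure AD and cannot sign in as user@organization.topleveldomain.
$VerifiedDomains = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
$OnPremUsers |
    Where-Object { $_.UserPrincipalName -and
                   ($_.UserPrincipalName.Split('@')[1] -notin $VerifiedDomains) } |
    Select-Object SamAccountName, UserPrincipalName

# 4. On-premises users that have no matching synced user in Azure AD yet.
$SyncedUpns = $SyncedUsers.UserPrincipalName
$OnPremUsers | Where-Object { $_.UserPrincipalName -notin $SyncedUpns } |
    Select-Object SamAccountName, UserPrincipalName
```

The two counts in check 2 do not have to match exactly: Azure AD Connect excludes some built-in and service accounts from synchronization, so a small difference is normal, while a large one points at an OU or attribute filter that is excluding real users. Users listed by check 3 will also appear in check 4, because their cloud UPN differs from their on-premises one.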

Step 6: Add a global administrator and assign a co-administrator.

Note: In this process, you create a global administrator account, then assign it as the co-administrator for your Azure subscription account. Although this step is optional, we recommend performing it so you keep full access if your account administrator or service administrator accounts become lost.

  1. Open this article: Add new users or users with Microsoft accounts to Azure Active Directory.
  2. In the section “Add a user,” complete all steps.
    Note: In step 4, in the Types of User field, select New User in Your Organization.
    Note: In step 6, in the Roles list, select Global Administrator.
  3. In either the new or classic Azure portal, log in to Azure using the new Global Administrator account, then update the password.
    Note: A successful login verifies the new account.
  4. Open this article: How to add or change Azure administrator roles.
  5. In the section “Add an admin for a subscription,” in the subsection “Azure classic portal,” complete all steps.
    Note: Because the global administrator account you create in this step is not affected by the Azure AD synchronization, the account acts as a safety net in case you experience synchronization issues with your on-premises accounts. After you complete the Azure AD synchronization process, you can assign the global administrator role to your on-premises administrator account as well.
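The safety-net property described in the note is something you can check rather than assume: the account must be cloud-only, so no synchronization failure can disable or overwrite it. The following script creates the global administrator from steps 1 and 2 with the MSOnline module and then verifies both the role and the cloud-only state. It is an added example, not part of this guide; it assumes the MSOnline module is installed, that the UPN is replaced with a name in your verified domain, and that you sign in as an existing global administrator. The co-administrator assignment for the subscription (steps 4 and 5) is done in the classic portal as described and is not covered here.

```powershell
# Added example (not part of the Unlimited Systems guide): creates the cloud-only
# global administrator from Step 6 and confirms it is not a synchronized account.
# ASSUMPTIONS: MSOnline module installed; $AdminUpn is a placeholder you replace
# with a name in your verified domain; you sign in as an existing global admin.
Import-Module MSOnline
Connect-MsolService

$AdminUpn = 'cloudadmin@organization.com'   # ASSUMPTION: replace with your verified domain
$Secure   = Read-Host -Prompt "Initial password for $AdminUpn" -AsSecureString
# New-MsolUser takes a plain string; convert only for the call and discard it afterwards.
$Plain    = (New-Object System.Net.NetworkCredential('', $Secure)).Password

# ForceChangePassword makes the first sign-in (step 3 above) set a new password.
New-MsolUser -UserPrincipalName $AdminUpn -DisplayName 'Cloud Admin' `
    -FirstName 'Cloud' -LastName 'Admin' -Password $Plain -ForceChangePassword $true | Out-Null
Remove-Variable Plain

# The Global Administrator role is named "Company Administrator" in the MSOnline module.
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $AdminUpn

# Verify: cloud-only means no LastDirSyncTime and no ImmutableId, so a broken
# synchronization cannot lock this account out; and it must hold the role.
$Check = Get-MsolUser -UserPrincipalName $AdminUpn
$Role  = Get-MsolRole -RoleName 'Company Administrator'
$IsGa  = (Get-MsolRoleMember -RoleObjectId $Role.ObjectId).EmailAddress -contains $AdminUpn
[pscustomobject]@{
    User        = $Check.UserPrincipalName
    CloudOnly   = ($null -eq $Check.LastDirSyncTime) -and ($null -eq $Check.ImmutableId)
    GlobalAdmin = $IsGa
}
```

Keep the initial password out of scripts and tickets; the first interactive sign-in replaces it, which is the verification the guide describes in step 3.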

Step 7: Configure your Azure integrated applications settings.

Note: For screen samples, open the article Apps, permissions, and consent in Azure Active Directory, then see the section “Controls.”

  1. Sign in to the classic Azure portal at https://manage.windowsazure.com/.
  2. In Azure, go to your directory.
  3. In the top menu, click Configure.
  4. In the Integrated Applications section, in the field "Users may give applications permission to access their data," select Yes.
    Note: With this option, when your global administrator adds new applications to your Azure AD portal, users can sign in to the applications.

Helpful Microsoft links

New Azure portal: https://portal.azure.com/

Classic Azure portal: https://manage.windowsazure.com/

Azure AD Connect download site: https://www.microsoft.com/en-us/download/details.aspx?id=47594

Videos:

Help articles: