Microsoft Partner Practice Enablement Boot Camp Lab

Guide

Contents
Lab 1: Create a Virtual Machine in Microsoft Azure....................................................5
Overview.................................................................................................................... 5
Objectives............................................................................................................... 5
System requirements.............................................................................................. 5
Exercise 1: Create a Virtual Machine using the Management Portal........................5
Task 1 Login....................................................................................................... 5
Task 2 Create a storage account to contain VHDs for the virtual machines.......6
Task 3 Show the QUICK CREATE virtual machine creation option......................7
Task 4 Create a virtual machine with the GALLERY virtual machine creation
option................................................................................................................... 8
Lab 1: Summary.................................................................................................... 11
Lab 2: Connecting Virtual Machines........................................................................11
Overview.................................................................................................................. 11
Objectives............................................................................................................. 11
System requirements............................................................................................ 11
Exercise 1: Create a virtual machine in an existing cloud service.........................11
Task 1 Create an Availability set for High availability......................................11
Exercise 2: Create a virtual machine in an existing cloud service.........................13
Task 1 Create virtual machine using the FROM GALLERY OPTION....................13
Exercise 3: Test network connectivity with Ping....................................................15
Task 1 Enable ICMP on demovm2 to validate connectivity...............................15
Lab 2: Summary.................................................................................................... 17
Lab 3: Configuring the Azure Load Balancer.............................................................17
Overview............................................................................................................... 17
Objectives............................................................................................................. 17
System requirements............................................................................................ 17
Exercise 1: Configure Web Servers........................................................................18
Task 1 Install and Configure IIS........................................................................18
Exercise 2: Configuring the Load Balancer...........................................................20
Task 1- Creating a Load Balanced Set................................................................20

Exercise 3: Verify Load Balancing .........................................................................24

Task 1- Verify Load Balancing............................................................................. 24
Task 2- View Web Logs to See the Load Balancer HTTP Probes..........................25
Lab 3: Summary.................................................................................................... 27
Lab 4: Configuring Access Control Lists....................................................................28
Exercise 1: Secure Remote Desktop Access Only to the Local Network................28
Task 1 Save the .RDP file for demovm2 and Validate Connectivity...................28
Task 2 Enable an Access Control List................................................................29
Task 3 Validate the Access Control List.............................................................31
Lab 4: Summary................................................................................................... 31
Lab 5: Configuring Point-to-Site................................................................................ 31
Exercise 1: Create a Virtual Network.....................................................................31
Task 1 Create a Virtual Network.......................................................................31
Exercise 2: Deploy a Virtual Machine into the Virtual Network..............................32
Task 1 Deploy a Virtual Machine into the Virtual Network...............................32
Exercise 3: Configure Point-To-Site Connectivity for the Virtual Network...............34
Task 1 Enable Point-To-Site Connectivity..........................................................34
Task 2 Create a Network Gateway...................................................................34
Task 3 Create a Virtual Network Authentication Certificate.............................34
Task 4 Upload Client Authentication Certificate to Microsoft Azure.................35
Exercise 3: Configure Client Machine to Connect to Virtual Network.....................36
Task 1 Install client certificate (.PFX) to authenticate to the Virtual Network. .36
Task 2 Install the Client VPN Package..............................................................37
Exercise 3: Connect to the Virtual Machine using Point-To-Site VPN Connectivity. 38
Task 1 Get IP Address of Virtual Machine in the Virtual Network......................38
Task 2 Connect to Virtual Network through the VPN Client..............................38
Task 3 Connect to Virtual Machine using Internal IP Address...........................40
Task 4 Remove Public Endpoints for Virtual Machine.......................................41
Lab 5: Summary.................................................................................................... 42
Lab 6: Create and Configure an Azure Active Directory............................................42
Overview.................................................................................................................. 42
Objectives............................................................................................................. 42
Exercise 1: Create an Azure Active Directory using the Microsoft Azure
Management Portal............................................................................................... 42
Task 1 Login to the Azure Management Portal.................................................42

Task 2 Create a new Active Directory..............................................................43

Task 3 - Associate the Active Directory with your Azure subscription.................43
Exercise 2: Add Users to Active Directory..............................................................44
Task 1 Add a Global Administrator to the Active Directory..............................44
Task 2 Add a User to the Active Directory........................................................47
Task 3 Add a Co-Administrator for the Microsoft Azure Subscription...............48
Exercise 3: Create a Security Group and add Users to the Group.........................49
Task 1 Sign-in to the Azure Management Portal as the Global Administrator. .49
Task 2 Create a Security Group........................................................................50
Task 3 Add a User to the Security Group.........................................................51
Exercise 4: Sign-in to the Azure Management Portal as a User.............................52
Lab 6: Summary.................................................................................................... 54
Lab 7: Application Access......................................................................................... 54
Overview............................................................................................................... 54
Objectives............................................................................................................. 55
Prerequisites.......................................................................................................... 55
Exercise 1: Add a SaaS Application from the Azure Application Gallery to your
Azure Active Directory........................................................................................... 55
Task 1 Add the Microsoft OneDrive Application................................................55
Task 2 Assign user access to the Microsoft OneDrive application....................57
Task 3 Use the Access Panel to see and launch Microsoft OneDrive................58
Lab 7: Summary.................................................................................................... 61
Lab 8: Multi-Factor Authentication............................................................................62
Overview.................................................................................................................. 62
Objectives............................................................................................................. 62
Prerequisites.......................................................................................................... 62
Exercise 1: Create a Multi-Factor Authentication Provider.....................................62
Task 1 Sign-in to Azure Management Portal.....................................................62
Task 2 Create a Multi-Factor Authentication Provider.......................................63
Exercise 2: Mange Multi-Factor Authentication for a User in the Active Directory. 64
Task 1 Enable Multi-Factor Authentication for User..........................................64
Task 2 Setup Additional Security Verification for User.....................................66
Exercise 3: View Multi-Factor Authentication Report.............................................69
Task 1 Run a Multi-Factor Authentication Report..............................................69
Task 2 View a Multi-Factor Authentication Report............................................71

Lab 8: Summary................................................................................................... 72
Lab 9: Websites with a SQL Backend........................................................................72
Overview.................................................................................................................. 72
Objectives............................................................................................................. 72
System requirements............................................................................................ 73
Exercise 1: Configure the Database..........................................................................73
Task 1 Create a SQL Server Virtual Machine....................................................73
Task 2 Create Orchard Database.....................................................................78
Exercise 2: Create a Microsoft Azure Website using Orchard CMS.........................82
Task 1 Create the Orchard Website..................................................................82
Lab 9: Summary................................................................................................... 85

Lab 1: Create a Virtual Machine in Microsoft Azure

Overview
In this lab you will learn how to use the Microsoft Azure Management Portal options
for creating a virtual machine.

Objectives
This lab will show how to:
Login to the Management Portal
Create a Virtual Machine

System requirements
You must have the following to complete this demo:
A reliable Internet connection
An active Microsoft Azure subscription

Estimated time to complete this demo: 10 Minutes

Exercise 1: Create a Virtual Machine using the Management

Portal
Task 1 Login
1.

Launch a browser and navigate to https://manage.windowsazure.com.

Once prompted login with your Microsoft Azure credentials.
Note: You may need to launch an "in-private" session in your browser if you
have multiple Microsoft Accounts.

2.

After you enter your email, select whether this is a Microsoft or

Organization account.

3. From there you will be directed to the correct provider to login with your
password.

Task 2 Create a storage account to contain VHDs for the virtual machines.
1. Click on the +NEW link at the bottom-left corner of the screen.

2. Select DATA SERVICES -> STORAGE -> QUICK CREATE

3. Specify the storage account properties.

a. A unique name(Should be all lowercase) for the storage account URL
b. The Microsoft Azure Location to create the storage account in.
c. Select Locally Redundant for Replication field.

4. Press the checkmark next to CREATE STORAGE ACCOUNT to provision the

storage account.

5. Before proceeding wait for the storage account creation to complete. (as
seen below)

Task 3 Show the QUICK CREATE virtual machine creation option.

1

Click the NEW button at the bottom left of the management portal.

Click COMPUTE, VIRTUAL MACHINE and then QUICK CREATEto

Review the options on the screen for Windows Server or Linux based
virtual machine in this view but do not actually create the virtual
machine.
a

DNS NAME: Unique host name. This value is also the name of the
cloud service container for the virtual machine. The virtual machine
created here will also be named the same as the cloud service.

USER NAME: local administrator account name (cannot be

administrator)

REGION/AFFINITY GROUP: the data center location to create the

virtual machine in.

Task 4 Create a virtual machine with the GALLERY virtual machine creation
option.
1

Click the NEW button at the bottom left of the management portal.

Click COMPUTE, VIRTUAL MACHINE and then FROM GALLERY

Highlight the virtual machine gallery option available. Select Windows Server 2012
R2 Datacenter and click the 'next arrow' button at the bottom right.

Enter the configuration for the virtual machine.

a

VIRTUAL MACHINE NAME: This is the computer name:

demovm1. This value must be unique within the same cloud
service.

SIZE: Small

NEW USER NAME: demouser

PASSWORD: demo@pass1

On the next screen, specify a unique name for your cloud service. Select
the same Microsoft Azure region that you created the storage account in in
task two. For now, keep availability set as none.

On the final page place a checkmark by Microsoft Antimalware and press

the Checkmark to Complete.

Lab 1: Summary
In this lab you have learned how to provision a Microsoft Azure Storage Account to
act as the underlying storage for Microsoft Azure Virtual Machines. You have also
walked through both the QUICK CREATE and GALLERY creation options of the
Microsoft Azure Management portal and created a virtual machine with Microsoft
Antimalware enabled.

Lab 2: Connecting Virtual Machines

Overview
In this lab, you will use the Microsoft Azure Management Portal to create a second
virtual machine in the cloud service created in the previous lab. You will then
demonstrate network connectivity, including name resolution and enabling ICMP for
ping validation.

Objectives
This demo will show how to:
Configure Availability Sets
Create a virtual machine in an existing cloud service
Enable ICMP on the virtual machines firewalls and demonstrate name resolution
and ping.

System requirements
You must have the following to complete this demo:
A reliable Internet connection
An active Microsoft Azure subscription
Completed Lab 1 Creating a Virtual Machine

Estimated time to complete this demo: 20 Minutes

Exercise 1: Create a virtual machine in an existing cloud

service
Task 1 Create an Availability set for High availability
1. Open the configuration for demovm1 that was created in the previous lab by
clicking on the name column of the virtual machine list.

2. Once open click on the CONFIGURE tab.

3. In the settings section, Choose Create an Availability Set in the

AVAILABILITY SET dropdown and specify: DemoAVset for the availability set
name.

4. Click on the SAVE button.

5. When prompted to restarted click YES.

6. Wait for the Availability set to be created before moving to the next exercise.

Exercise 2: Create a virtual machine in an existing cloud

service
Task 1 Create virtual machine using the FROM GALLERY OPTION
4. Click the NEW button at the bottom left of the management portal.

5. Click COMPUTE, VIRTUAL MACHINE and then FROM GALLERY.

6. Highlight the virtual machine gallery option available. Select Windows

Server 2012 R2 Datacenter and click the right arrow button at the
bottom right corner.

7. Enter the configuration for the virtual machine and click the next arrow to
continue.
a

VIRTUAL MACHINE NAME: demovm2

SIZE: Small

NEW USER NAME: demouser

PASSWORD: demo@pass1

8. Select the previously created cloud service from the CLOUD SERVICE
drop down. Select the same storage account and the availability set
created in the first exercise.

9. Accept the defaults on the endpoint configuration page.

10.Click the Checkmark at the bottom of the screen to complete the virtual
machine creation. This will take some time.

Exercise 3: Test network connectivity with Ping

Task 1 Enable ICMP on demovm2 to validate connectivity.
1

Log into the first virtual machine demovm1 by highlighting the virtual
machine and clicking the CONNECT button.

11.Once prompted login with the credentials specified in the creation wizard.
12.Open a command prompt in demovm1, by pressing <Windows Key + R>
and typing in CMD then <enter>.
13.Type in ping demovm2. You should resolve an IP address, but there will
be no response from the server.

14.Log into the second virtual machine demovm2, by highlighting the virtual
machine and clicking the CONNECT button.
15.Once prompted, login with the credentials that you specified in this lab.
16.Once logged in, using Server Manager, click on Tools, Windows
Firewall with Advanced Security.

17.Click Inbound Rules

18.Find the File and Printer Sharing (Echo Request ICMPv4-In) rule,
right click on it and select Enable Rule.

19.Switch back to demovm1 and in the same command prompt execute

ping demovm2 again. This time you should see a response from
demovm2.

Lab 2: Summary
In this lab you learned how to provision a second virtual machine in an existing
cloud service and join it to an existing availability set. From there you learned how
to enable ICMP connectivity (which would apply to any other protocol) to allow
connectivity between the two virtual machines.

Lab 3: Configuring the Azure Load Balancer

Overview
In this lab, you will install IIS and configure load balanced HTTP endpoints on
demovm1 and demovm2. You will also learn how to use the IIS Web Logs to
troubleshoot the Microsoft Azure HTTP Load Balancer probe.

Objectives
This demo will show how to:
Configure load balancing between multiple virtual machines.
Testing and troubleshoot the load balancing probe using web logs.

System requirements
You must have the following to complete this demo:
A reliable Internet connection
An active Microsoft Azure subscription
Completed the labs in Module 1.

Estimated time to complete this demo: 25 Minutes

Exercise 1: Configure Web Servers

In this exercise, you will see how to configure the default iisstart.htm file to see
which server is servicing the Load balancer.

Task 1 Install and Configure IIS

1. Select the demovm1 that you created earlier.

2. Click on the CONNECT button at the bottom.

3. You will see a pop up for the download of RDP file at the bottom of the page,
click on the OPEN button.

4. Enter the credentials for the virtual machine Demovm1 and click ok.

5. Once logged in click the PowerShell Icon on the task bar then execute the
following PowerShell command.
Install-WindowsFeature "Web-Server" -IncludeAllSubFeature
IncludeManagementTools
6. While IIS is installing repeat steps 1-5 on demovm2.
7. Once IIS is installed on the servers navigate to the file iisstart.htm under the
folder c:\inetpub\wwwroot. This folder is automatically created when the
web-server role is installed.

8. Now you have to edit the default iisstart.htm file by right clicking then
select open with notepad.

9. Once notepad is open, add the server name (demovm1) followed by the
<br> tag, as shown in the below screenshot and save it. This change will
allow you to see which server the request is currently being served from.

10.Repeat Steps 7-9 on the demovm2 virtual machine as well. Make sure you
specify demovm2 as the server name in step 9.

Exercise 2: Configuring the Load Balancer

Task 1- Creating a Load Balanced Set
1. Click on the demovm1 virtual machine that was created earlier.

2. Click on the ENDPOINTS tab.

3. Click on ADD button at the bottom of the page.

4. Select ADD A STAND-ALONE ENDPOINT and click the next arrow.

5. In the next screen select HTTP under name field drop down menu.

6. Check the check box for CREATE A LOAD-BALANCED SET. Then click on
the right arrow button to continue to next screen.

7. Specify LBHTTP for the LOAD-BALANCED SET NAME, select HTTP in the
PROBE PROTOCOL dropdown and in the PROBE PATH field specify
/iisstart.htm. Click the check mark to continue.

8. Wait until the update is complete before proceeding.

9. Within the Microsoft Azure Management Portal open the demovm2
configuration and click ENDPOINTS.
10.Click ADD to launch the add endpoint wizard.

11.In the Add ENDPOINT screen, select the radio button option ADD AN
ENDPOINT TO AN EXISTING LOAD-BALANCED SET. Select as LBHTTP
load balancer. Then click on the arrow mark at the bottom right corner to
continue.

12.Specify HTTP in the NAME field and click the check mark to complete the
endpoint addition.

13.Wait until the update is complete before proceeding.

Exercise 3: Verify Load Balancing

Task 1- Verify Load Balancing
1. Select demovm1 virtual machine and click on the dashboard.

2. Scroll down and copy the cloud services DNS NAME URL under quick
glance section.

3. Click on new tab in internet explorer and paste the URL in the address bar.

4. This will serve up the modified content from iisstart.htm. Note the server
name (could be demovm1 or demovm2).

5. Now keep pressing the F5 button in your browser until you see the server
name change to the second server in the load balanced set.

Task 2- View Web Logs to See the Load Balancer HTTP Probes
1. Select the demovm2 virtual machine that was created earlier.

2. Click on the connect button at the bottom and when prompted login with the
demouser and demo@pass1 credentials.

3. Launch Windows Explorer and browse to the path

C:\inetpub\logs\LogFiles\W3SVC1\. Open up the web log file in notepad
by double clicking the file.

4. You can see the requests from the Microsoft Azure Load Balancer by finding
the requests with the user agent Load+Balancer+Agent. Note the
response code is HTTP 200.

5. Close the log file by closing notepad.

6. To see what happens when the probe encounters a response code other than
HTTP 200 delete the iisstart.htm file by navigating to C:\Inetpub\wwwroot,
right click on the file and click delete.

7. Wait for the load balancer to detect the file specified in the health probe is
gone (1-2 minutes) then re-open the log file in
C:\inetpub\logs\LogFiles\W3SVC1. You should see HTTP 404s status to the
load balancer probe check.

8. Go back to your browser session and refresh the page multiple times using
the F5 button. You should only see demovm1 is now in the load balanced
set.

9. Open recycle bin and Restore the deleted iisstart.htm.

10.Wait for 1-2 minutes and refresh the page again (it may take multiple times).
You should see that demovm2 is back in the load balanced set.

Lab 3: Summary
In this lab, you learned how to configure load balanced HTTP endpoints. You will
also have learned how to configure an HTTP Health Probe and to use the IIS Web
Logs to troubleshoot the Microsoft Azure HTTP Load Balancer probe.

Lab 4: Configuring Access Control Lists

Exercise 1: Secure Remote Desktop Access Only to the Local
Network

Task 1 Save the .RDP file for demovm2 and Validate Connectivity
1. Select the demovm2 virtual machine that was created earlier.

2. Click on the connect button at the bottom.

3. Click the arrow by the Save button and click Save as.

4. In the Save as dialog box select desktop in the left pane and click save.

5. Double click on the demovm2.rdp. If you are prompted for credentials this
validates that a connection can occur (do not complete the login).

6. Switch to the Microsoft Azure Management Portal and select the demovm1
virtual machine.
7. Click on the connect button at the bottom and fully login with the demouser and
demo@pass1 credentials.

8. Copy the demovm2.rdp file from your local desktop and paste it in the desktop
of demovm1 over the remote desktop session (CTRL-C local then CTRL-V in
Remote Desktop).
9. From within demovm1 double click on the demovm2.rdp. If you are prompted
for credentials this shows that you have connectivity to demovm2 from
demovm1 (do not complete the login).

Task 2 Enable an Access Control List

1. Open the Virtual Machine dashboard for demovm1 and copy the PUBLIC
VIRTUAL IP (VIP) ADDRESS.

2. Open the endpoint configuration for demovm2.

3. Click on ENDPOINTS.

4. Select Remote Desktop endpoint.

5. In the bottom of the page click on MANAGE ACL button.

6. Specify the following properties in the Specify ACL details for the Remote
Desktop endpoint screen. The IP address should be the VIP you copied earlier.
a. Rule Order 1

i. Description: Allow Local Access

ii. ACTION: Permit
iii. Remote Subnet: 23.99.83.189/32

Note: By default, a Permit rule will deny access to all IPs not specified in the
remote subnet and the public IP for the virtual machines (VIP).
7. Press the check mark at the bottom of the screen and wait for the update to
complete before proceeding.

Task 3 Validate the Access Control List

1. Double click the demovm2.rdp file from your local desktop to validate that you
can no longer connect.
2. From within demovm1 double click the demovm2.rdp file. At this point if the
access control list was applied successfully you should be able to connect
directly since you are coming from the allowed IP address in the access control
list.

Lab 4: Summary
In this lab, you should have learned how to use access control lists to limit access to
a public endpoint on a Microsoft Azure Virtual Machine.

Lab 5: Configuring Point-to-Site

Exercise 1: Create a Virtual Network
Task 1 Create a Virtual Network
1. Launch a browser and navigate to https://manage.windowsazure.com.

2. Click on the NEW, NETWORK SERVICES, VIRTUAL NETWORK, CUSTOM

CREATE

3. Specify ppe-vnet as the name of the virtual network and select the region
you are working closest to and click the next arrow to continue.

4. Accept the defaults on the DNS Servers and VPN Connectivity page and
click the next arrow to continue.
5. Change the STARTING IP to 10.0.16.0 and CIDR /24. Then press the
checkmark to create the virtual network.

Exercise 2: Deploy a Virtual Machine into the Virtual Network

Task 1 Deploy a Virtual Machine into the Virtual Network
1. Click on NEW, COMPUTE, VIRTUAL MACHINE, FROM GALLERY

2. Select Windows Server 2012 R2 Datacenter

3. Specify the name of the virtual machine and a username and password.

4. Specify a unique name for the CLOUD SERVICE DNS NAME and for the
REGION/AFFINITY GROUP/VIRTUAL NETWORK specify the virtual network
created in the first exercise.

5. Click the next arrow and on the last page click the check mark to create the
virtual machine.

Exercise 3: Configure Point-To-Site Connectivity for the Virtual

Network
Task 1 Enable Point-To-Site Connectivity
1. Click on NETWORKS on the left of the screen.
2. Click on the PPE-VNET network.
3. Click on the CONFIGURE tab at the top.
4. Click the Configure pont-to-site connectivity check mark.

5. Click the SAVE button at the bottom of the screen.

6. When prompted to continue, click YES.

Task 2 Create a Network Gateway

1. Click on the DASHBOARD tab at the top of the screen. Notice the message
about the gateway not being created. This is necessary for point-to-site
connectivity to function.

2. Click on the CREATE GATEWAY button at the bottom of the screen.

This will take a few minutes to create so proceed to the next task while this is
working.

Task 3 Create a Virtual Network Authentication Certificate

1. Start a command prompt on your local machine and change directories to
the following path.
CD C:\PPEContent\makecert

2. Execute the following command to create a self-signed root certificate.

makecert -sky exchange -r -n "CN=PPEP2SRoot" -pe -a sha1 -len 2048 -ss
My .\PPEP2SRoot.cer

3. Execute the following command to create a self-signed client certificate

using the previously created root certificate.
makecert.exe -n "CN=PPEP2SClient" -pe -sky exchange -m 96 -ss My -in
"PPEP2SRoot" -is my -a sha1

4. Launch certmgr.msc by typing <Windows Key + R> and type certmgr.msc

then press <enter>.
5. Select Personal -> Certificates and scroll down until you see a certificate
Issued By PPEP2SClient.

6. Export the PPEP2SClient certificate.

a. Right-click on the PPEP2SClient certificate and select All Tasks ->
Export.
b. Click Next on the first dialog
c. Select Yes, export the private key and click Next.
d. Accept the default selection of Personal Information Exchange
PKCS #12 (.PFX) and click Next.
e. Click the checkbox next to Password and enter a password. Click
Next.
f. For the folder and path enter C:\PPEContent. Click Next.
g. Click Finish.
h. Click OK on the dialog indicating the export was successful.
i. Close MMC.

Task 4 Upload Client Authentication Certificate to Microsoft Azure

1. Upload the root authority certificate to Microsoft Azure.
a. Open the Microsoft Azure Management Portal.
b. Click on NETWORKS on the left navigation.
c. Click on the PPE-VNET network you created previously.
d. Click on the CERTIFICATES tab at the top of the screen.

e. Click the UPLOAD A ROOT CERTIFICATE link.

f. In the browser dialog, navigate to the location of the PPEP2SRoot.cer
file and select it. This file should be in this folder:
C:\PPEContent

g. Click he check mark to upload the certificate.

Exercise 3: Configure Client Machine to Connect to Virtual

Network
Task 1 Install client certificate (.PFX) to authenticate to the Virtual Network
1. Open Windows Explorer and navigate to the C:\PPEContent folder.
2. Right-click on the PPEP2SClient.pfx certificate file and select Install PFX.
3. Accept all defaults when stepping through the certificate import wizard and
enter the password when prompted. The password is the password you
entered when you exported the certificate from your certificate store.
4. When prompted to install the certificate, select Yes.

5. Click the OK button on the dialog indicating the import was successful.

Task 2 Install the Client VPN Package

1. In the Microsoft Azure Management Portal, click on the DASHBOARD tab for
the virtual network.

2. Install the Client VPN Package by clicking on the appropriate option in the
quick glance section.

3. When prompted to run or save the package, select Save to save the file to
your C:\PPEContent folder.

4. You will see a warning message because the package is not signed. You can
ignore this message for the purposes of this lab. However, for future client
machines you want to connect to his network, you may want to sign this file
using your organizations signing service or sign it yourself using SignTool.
5. Open Windows Explorer and navigate to %UserProfile%\Downloads.
a. Right-click on the .exe and select Properties -> Unblock.

b. Click OK.
c. Double-click on the .EXE to install the Client VPN Package. When
prompted to install select Yes.

Exercise 3: Connect to the Virtual Machine using Point-To-Site

VPN Connectivity
Task 1 Get IP Address of Virtual Machine in the Virtual Network
1. In the Microsoft Azure Management Portal, click on the DASHBOARD tab for
your Virtual Network.
2. In the resources section, locate the IP ADDRESS of the virtual machine you
created in the previous lab. Make a note of this IP Adress.

Task 2 Connect to Virtual Network through the VPN Client

1. Click on the Internet Connection icon in the system tray (right side of your
task bar).
2. Select the PPE-VNET client connection and click the Connect button.

3. When the VPN Client opens, click on the Connect button.

4. Click the Continue button to elevate Connect Managers privileges.

5. (Optional) Go back to the Microsoft Azure Management Portal and you can
see the DASHBOARD updated to show 1 Client connection.

Task 3 Connect to Virtual Machine using Internal IP Address

1. Press <Windows Key + R>, type mstsc and press <Enter>.
2. Type in the IP Address for the virtual machine that you noted in the previous
step and click the Connect buton.

3. Login with the credentials you provided when you created the virtual
machine.
4. Click the Yes button on the Remote Desktop Connection warning dialog.

You are now connect to the Virtual Machine using the VPN Client and its
internal IP Address.

Task 4 Remove Public Endpoints for Virtual Machine

1. In the Microsoft Azure Management Portal, click on VIRTUAL MACHINES on
the left navigation.
2. Click on the Virtual Machine that is in the PPE-VNET Virtual Network.

3. Click on the ENDPOINTS tab at the top of the screen.

These public endpoints are no longer needed now that you have point-to-site
connectivity to the virtual network this machine is in.
4. Click on the PowerShell endpoint to select it and then click the DELETE
button at the bottom of the screen.

5. Click on the Remote Desktop endpoint to select it and then click the
DELETE button at the bottom of the screen.

Lab 5: Summary
In this lab you learned how to configure point-to-site connectivity for a virtual
network and then use the VPN Client to connect to the Virtual Network. You learned
what is required to authenticate clients to the virtual network. Finally, you observed
that the default public endpoints are not necessary when point-to-site connectivity
is configured for your network.

Lab 6: Create and Configure an Azure Active Directory

Overview
In this lab, you will learn how to create an Azure Active Directory and associate it
with your Azure Subscription. Next, you will create users as regular users in the
directory as well as global administrators in the directory. Signed in as a global
administrator, you will create a security group and added users to the group.

Objectives
This demo will walk you through how to:
Create a Microsoft Azure Active Directory using the Azure Management Portal
Associate the Active Directory with your Azure subscription
Add Users to the Active Directory
Show Capabilities of the Global Administrator Role
Show Capabilities of the User Role

Estimated time to complete this lab: 15 Minutes

Exercise 1: Create an Azure Active Directory using the

Microsoft Azure Management Portal
Task 1 Login to the Azure Management Portal
20.Launch a browser and navigate to https://manage.windowsazure.com.
When prompted, sign-in with your credentials to access your Azure
Subscription.
Note: You may need to launch an "in-private" session in your browser if
you have multiple Windows Accounts.

Task 2 Create a new Active Directory

1. In the Windows Azure Management Portal, select +NEW -> APP
SERVICES -> ACTIVE DIRECTORY -> DIRECTORY -> CUSTOM
CREATE.
2. In the Add directory window specify the new directory settings.
a. Set Directory to Create new directory.
b. Set Name to a name of PPE Labs AD.
c. Set Domain Name to a globally unique name of your choice.
d. Set Country to your country.

Task 3 - Associate the Active Directory with your Azure subscription

1

Now that your Active Directory for your organization exists, the next thing
you need to do is associate this directory with the Windows Azure
subscription. What this means is that when you login to the Azure
Management Portal for this subscription, you will be doing so in the realm
of your new Active Directory.

21.Click on SETTINGS on the left of the screen.

22.Click on SUBSCRIPTIONS at the top of the screen.
23.Highlight your Windows Azure Subscription and click on the EDIT
DIRECTORY button at the bottom of the screen.
24.Select the new Active Directory you created in the previous task.

25.Click the right arrow to go to the next screen.

26.Click the check mark to save the change.
27.The Windows Azure Management Portal will reload as result of this change.
Notice the change in the URL with respect to the realm. It will show the
new Active Directory as the realm in the URL.

Exercise 2: Add Users to Active Directory

Task 1 Add a Global Administrator to the Active Directory
1. In the Azure Management Portal, click on the ACTIVE DIRECTORY link on
the left of the screen.

2. Click on the name of the directory you created previously.

3. Click on the USERS tab at the top of the screen.

4. At the bottom of the screen, click the ADD USER link to add a new user.

5. In the Add User window specify the new user settings.

a. Set Type of User to New user in your organization.
b. Set User Name to a name of johndoe.

6. In the user profile window, specify properties for this user as a Global
Administrator.
a. Set FIRST NAME to John.
b. Set LAST NAME to Doe.
c. Set DISPLAY NAME to John Doe (Global Admin).
d. Set ROLE to Global Administrator.

e. Set Alternate Email Address to an email address of your choices.

Recommend using the Microsoft Account email address for the
subscription. That is, the Account Administrator.
f. Click the right arrow to continue

7. In the Get temporary password window, click the green create button to
generate a temporary password for the user.
8. In the New Password field, click the Copy icon to copy the password to
your clipboard. Save this to notepad along with the user name for this
user. You will need this information shortly.
9. Click the check mark button to create the user in the directory.
This user will be able to administer the active directory only. This user will
not be able to login to the Windows Azure Management Portal or provision
services in the Subscription (Virtual Machines, Networks, etc.) because
this user is not a Co-Administrator for the Microsoft Azure Subscription.

Task 2 Add a User to the Active Directory

1. Repeat Task 1 to add a user as Jane Smith.
a. Set USER NAME to janesmith.
b. Set ROLE to User.

This user is a user in the directory right now. This user cannot administer
the Active Directory nor can this user login to the Azure Management
Portal and provision services.

Task 3 Add a Co-Administrator for the Microsoft Azure Subscription

1.
2.
3.
4.

Click on the SETTINGS link on the left of the screen.

Click on the ADMINISTRATORS tab at the top of the screen.
Click on the ADD button at the bottom of the screen.
Enter the email address for John Doe. When you do this, the portal will
verify the user name and show a green check mark. Notice that the user
account is an Organizational Account, identified by the organizational
account icon (the badge) next to the user.

5. Click on the check box next to the Azure Subscription.

6. Click the check mark to add the user as a Co-Administrator of the Azure
Subscription.

This user, now being a Co-Administrator for the Azure Subscription, will be
able to login to the portal and provision services on the Subscription. This
user is also a Global Administrator so this user can also administer the
Active Directory.
7. Sign-out of the Azure Management Portal.

Exercise 3: Create a Security Group and add Users to the Group

Task 1 Sign-in to the Azure Management Portal as the Global Administrator
1

Sign-in to the portal at https://manage.windowsazure.com as the John

Doe user. Since this is the first time to sign-in as this user, you will need
to enter the temporary password (copy from notepad).

28.Enter the temporary password and then provide a new permanent

password as demo@pass1. Press the submit button.

29.Click through the new user tour dialogs for user John Doe. In the Azure
Management Portal, you will see user John Doe signed-in as an
Organizational User in the upper-right corner of the screen.

Task 2 Create a Security Group

1

Click on ACTIVE DIRECTORY on the left navigation.

30.Click on the PPE Labs AD directory name.

31.Click the ADD GROUP button at the bottom of the screen.
a

Set the NAME to Help Desk.

Set the DESCRIPTION to Users staffing the help desk.

Click the checkmark button to create the group.

Task 3 Add a User to the Security Group

1

Click on the Help Desk group.

32.Click on the ADD MEMBERS link at the bottom of the screen.

33.Click on Jane Smith, which will result in Jane Smith appearing in the
SELECTED section and then click the checkmark button.

34.Jane Smith is now a member of the Help Desk security group.

Exercise 4: Sign-in to the Azure Management Portal as a User

1

From the Internet Explorer main menu, select Tools -> InPrivate
Browsing.

35.In the new browser window, sign-in to the portal at

https://manage.windowsazure.com as the Jane Smithr. Since this is the
first time to sign-in as this user, you will need to enter the temporary
password (copy from notepad).

36.Enter the temporary password and then provide a new permanent

password as demo@pass1. Press the submit button.

37.As the portal starts to load, you will get a message indicating that there
were no subscriptions found for the Jane Smith user. This is expected.
Recall, Jane Smith is not a Co-Administrator on the Azure Subscription.
Therefore, Jane is not able to sign-in to the Azure Portal and provision
services.

38.Close the Internet Explorer window that is in InPrivate Browsing mode.

Lab 6: Summary
In this lab, you learned how to create an Azure Active Directory and associate it with
your Azure Subscription. You then learned how to create users as regular users in
the directory as well as global administrators in the directory. Signed in as a global
administrator, you created a security group and added users to the group. Finally,
you observed that users that are not co-administrators on the Azure subscription
are not able to sign-in to the Azure Management Portal.

Lab 7: Application Access

Overview
In this lab, you will learn how to add a Software-as-a-Service (SaaS) application for
Password-based Single Sign-on to your Azure Active Directory. The SaaS Application
you will configure will be Microsoft OneDrive. After adding the application to your
Azure Active Directory, you will then learn how to assign user access to the

application. Finally, you will sign-in to the Access Panel as a user of the directory to
see and launch the Microsoft OneDrive application.

Objectives
This demo will show how to:
Add a SaaS application (Microsoft OneDrive) from the Azure Application Gallery to
your Azure Active Directory
Configure the application for Password-based Single Sign-On
Assign permissions for users to access the application
Use the Access Panel to see and launch the application

Prerequisites
1. This hands-on-lab assumes you already completed the Azure AD
Introduction lab.
2. A Microsoft Account.

Estimated time to complete this demo: 15 Minutes

Exercise 1: Add a SaaS Application from the Azure Application

Gallery to your Azure Active Directory
Task 1 Add the Microsoft OneDrive Application
1. Launch a browser and navigate to https://manage.windowsazure.com.
2. Sign-in as the John Doe user.
3. Click on the ACTIVE DIRECTORY tab
4. Click on the PPE Labs AD directory.
5. Click on the APPLICATIONS link at the top of your screen.
6. Click on the ADD button at the bottom of the screen.

7. Click on the option to Add an application from the gallery.

8. In the Application Gallery, search for OneDrive. Click on Microsoft

OneDrive and then click the checkmark button.

Task 2 Assign user access to the Microsoft OneDrive application

1. Click on the green Assign users button.

2. Click on the user Jane Smith.

3. Click the ASSIGN button at the bottom of the screen.
4. In the Assign Users window, click the checkmark button. Do not check the
checkbox to enter Microsoft OneDrive credentials on behalf of the user.

Task 3 Use the Access Panel to see and launch Microsoft OneDrive
1. At the Internet Explorer main menu, select File -> New session to open a
new browser session.
2. In the new browser session, navigate to http://myapps.microsoft.com.
3. Sign-in as Jane Smith.
a. Username: janesmith@<yourdirectory>.onmicrosoft.com
b. Password: demo@pass1

4. In the Access Panel, click on the Microsoft OneDrive Application.

5. The first time you launch this application for this user (on your computer),
you will be prompted to install software. Click the green Install Now button.

6. After installing the Access Panel extension, restart the browser and navigate
back to the Access Panel http://myapps.microsoft.com.
7. Click on the Microsoft OneDrive application. Since this is the first time you
are accessing Microsoft OneDrive as Jane Smith, you are challenged to enter
your personal credentials to your personal OneDrive. Enter your Microsoft
Account credentials.

8. Your OneDrive will open in the browser.

In the future, when you launch Microsoft OneDrive from the Access Panel as the
Jane Smith user, you will not be challenged for credentials. Azure AD has
securely stored your credentials and will authenticate you automatically for
your OneDrive account.

Lab 7: Summary
In this lab, you learned how to add the Microsoft OneDrive application to your Azure
Active Directory. You configured the application for Password-based Single Sign-On
and then assigned user access to the application. Finally, you used the Access
Panel to see and launch the application when signed in as a user in the Azure Active
Directory.

Lab 8: Multi-Factor Authentication

Overview
In this lab, you will learn how to create and configure a multi-factor authentication
provider in Microsoft Azure and how to enable multi-factor authentication for users
in your Azure Active Directory.

Objectives
This lab will show how to:
Create a multi-factor authentication provider using the Azure Management Portal.
Enable multi-factor authentication for users in your Azure Active Directory.

Prerequisites
3. This hands-on-lab assumes you already completed the Application AccessPassword-Based lab.

Estimated time to complete this demo: 15 Minutes

Exercise 1: Create a Multi-Factor Authentication Provider

Task 1 Sign-in to Azure Management Portal
1. Launch a browser and navigate to https://manage.windowsazure.com.
2. Sign-in as the John Doe user.
a. Username: johndoe@<yourdirectory>.onmicrosoft.com
b. Password: demo@pass1

Task 2 Create a Multi-Factor Authentication Provider

1. Click on +NEW -> APP SERVICES -> ACTIVE DIRECTORY -> MULTIFACTOR AUTHENTICATION -> QUICK CREATE.
a. Set the NAME to PPE Labs.
b. Set USAGE MODEL to Per Enabled User.
c. Set DIRECTORY to PPE Labs AD.
d. Click the CREATE link in the bottom-right corner.

Exercise 2: Mange Multi-Factor Authentication for a User in the

Active Directory
Task 1 Enable Multi-Factor Authentication for User
1.
2.
3.
4.

Click on the ACTIVE DIRECTORY section on the left of your screen.

Click on PPE Labs AD in the NAME column.
Click on the USERS tab at the top of the screen.
Highlight (dont click on) the Jane Smith user and click on the MANAGE
MULTI-FACTOR AUTH button at the bottom of the screen.

5. Change the View to Sign-in allowed users.

6. Click on the check box next to Jane Smith.

7. Click on the Enable link for the user.

8. Click on the enable multi-factor auth button in the dialog window.

9. Click on the close button.

10.The Jane Smith user will now show Enabled in the Mult-Factor Auth
Status column.

Task 2 Setup Additional Security Verification for User

1. At the Internet Explorer main menu, select Tools -> InPrivate Browsing.
2. In the new InPrivate Browsing windo, sign-in to the Access Panel at
http://myapps.microsoft.com as Jane Smith.
a. Username: janesmith@<yourdirectory>.onmicrosoft.com
b. Password: demo@pass1
3. Point out the message about needing to verify the account and then click on
the Set it up now button.

4. In the additional security verification screen, provide the contact method

details.

a. Set the first field to Mobile phone.

b. Specify your country code and cell phone number.
c. Set Mode to Send me a code by text message.
d. Click on the next button.

5. Click on the verify now button.

6. Retrieve the verification code from the text message sent to your phone.
7. Enter the verification code in step 2 and click on the verify button.

8. Click the next button.

9. Click on the I dont use this account with these apps button.

10.To finish signing in to the Access Panel, you will be challenged again to enter
another security code that will be sent to your phone. As soon as you get the
security code, enter it in the sign-in screen. After successfully authenticating,
you will be directed to the Access Panel.

11.Close the InPrivate Browsing browser window.

Exercise 3: View Multi-Factor Authentication Report

Task 1 Run a Multi-Factor Authentication Report
1. In the Azure Management Portal, sign-in as the John Doe user if youre not
already.
2. Click on ACTIVE DIRECTORY on the left of the screen.
3. Click on MULTI-FACTOR AUTH PROVIDERS at the top of the screen.

4. Click on the MANAGE button at the bottom of the screen.

5. Click on the VIEW A REPORT link.

6. Click on Summary.

7. Keep the defaults values and click on the Run button.

Task 2 View a Multi-Factor Authentication Report

1. Click on the Queued link on the left of the screen.

2. Click on the View link for the report you ran in the previous exercise.

3. You should see the two authentications for user Jane Smith.

4. (optional) Run a detailed report to see the details for each user that are
available.

Lab 8: Summary
In this lab, you learned how to create and configure a multi-factor authentication
provider in Microsoft Azure. You also saw how to enable multi-factor authentication
for users in your Azure Active Directory and you learned how to run a multi-factor
authentication usage report.

Lab 9: Websites with a SQL Backend

Overview
In this lab, you will learn how to create and configure a SQL Server virtual machine
and then create a Microsoft Azure Website using the gallery experience to connect
to it.

Objectives
This demo will show how to:
Create a SQL Server Virtual Machine
Create a Microsoft Azure Website from the Gallery
Establish a connection to the SQL Server using public endpoints.

System requirements
You must have the following to complete this demo:
A reliable Internet connection
An active Microsoft Azure subscription

Estimated time to complete this demo: 30 Minutes

Exercise 1: Configure the Database

Task 1 Create a SQL Server Virtual Machine
39.Click the NEW button at the bottom left of the management portal.

40.Click COMPUTE, VIRTUAL MACHINE and then FROM GALLERY

41.Select SQL SERVER on the image gallery options below MICROSOFT.

Once selected choose SQL Server 2012 SP1 Enterprise (Windows
Server 2012) from the options and click the Arrow to continue.

42.Enter the configuration for the virtual machine.

a

VIRTUAL MACHINE NAME: this is the computer name. This value

must be unique within the same cloud service. Specify
OrchardSQL.

SIZE: the virtual machine size. Specify Small.

NEW USER NAME: the local administrator account (cannot be

administrator). Specify: demouser and a strong password.

43.On the next screen, specify a unique name for your cloud service, the data
center location and storage account that you created as part of the
setup. .

44.On the endpoint configuration page select the drop down and select
MSSQL for the endpoint to allow traffic on 1433.

45.Click the Checkmark at the bottom of the screen to complete the virtual
machine creation.
46.Connect to the virtual machine by clicking the CONNECT button on the
toolbar and logging in with the credentials specified during creation.
47.Using Server Manager Enable SQL Server connectivity through the
firewall by using and clicking on in Tools, Windows Firewall with
Advanced Security.

48.

Select the Inbound Rule Node, right click and click New Rule

49.

In the new rule wizard select Port and click next.

50.
In the Protocols and Ports dialog, specify 1433 for the local
ports.

51.
Accept the default settings for remaining screens except the last
one. Name the rule SQLServerRule and complete the wizard.

Task 2 Create Orchard Database

1

Launch SQL Management Studio by clicking to the far left bottom corner
of the screen to bring up the Windows 8 UI. Type SQL and the search will
automatically find the link to click.

52.Once started click Connect to login to the SQL Server

53.Right click the server name and click Properties.

54.Click on Security and Change Server Authentication to SQL Server

and Windows Authentication mode.

55.Press OK to continue.

56.Right click on the server and choose Restart to have the settings take
effect.

57.Right click Databases and click New Database.

58.Name the new database OrchardDB and press OK to create the database.

59.Next create a new user for the SQL Server by expanding Security and right
clicking on Logins then choose New Login.

60.Create the login

a. Change the login type to SQL Server Authentication

b. Specify the user name and password: demouser and use the same
password you specified creating the virtual machine.
c. Specify OrchardDB as the default database.
d. Uncheck Enforce Password Policy

61.Add the user to the Orchard Database by expanding OrchardDB,

Security and right clicking on users and clicking New User.

62.Enter demouser for the user name and demouser for the login name.

63.Then select Membership and check db_owner.

Exercise 2: Create a Microsoft Azure Website using Orchard

CMS
Task 1 Create the Orchard Website
2

Open the Azure Management Portal and click COMPUTE, WEB SITE,
FROM GALLERY

64.On the left select CMS, Orchard CMS and click the next arrow.

65.Enter a unique name for the website and select the region you are working
in. Then click the checkbox to create the website.

66.Open the dashboard of the newly created site. On the right side of the
page under quick glance copy the SITE URL and open it in a new tab in
your browser.

67.Configure the Orchard Site. Specify a name for the site, demouser for the
user name and the password you have been using up to this point.
Ensure you change the dropdown to Use an existing SQL Server, SQL
Express Database.

.
68.Specify the connection string.
Retrieve the cloud service of your SQL Server by opening the dashboard of
the SQL virtual machine and noting the DNS name.

Use the example below the textbox to populate the values.

Here is a full example:

Data Source=orchardsqlsvc.cloudapp.net;Initial
Catalog=OrchardDb;Persist Security Info=True;User
ID=demouser;Password=demo@pass1
69.Press Finish Setup to Complete

Lab 9: Summary
In this hands on lab you learned how to configure SQL Server in a Microsoft Azure
Virtual Machine and allow connectivity from a Microsoft Azure Website.