2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

Scenario
Lab: Implementing integration between AD DS
Objectives and Microsoft Entra ID
Estimated time:
60 minutes Scenario
Lab setup To address concerns regarding management and monitoring overhead resulting from using Microsoft Entra ID to
authenticate and authorize access to Azure resources, you decide to test integration between on-premises Active
Exercise 1:
Preparing Directory Domain Services (AD DS) and Microsoft Entra ID to verify that this will address business concerns about
Microsoft Entra managing multiple user accounts by using a mix of on-premises and cloud resources.
ID for AD DS
integration
Additionally, you want to make sure that your approach addresses the Information Security team’s concerns and
Exercise 2: preserves existing controls applied to Active Directory users, such as sign-in hours and password policies. Finally,
Preparing on- you want to identify Microsoft Entra ID integration features that allow you to further enhance on-premises Active
premises AD DS
Directory security and minimize its management overhead, including Microsoft Entra ID Password Protection for
for Microsoft
Entra ID Windows Server Active Directory and Self-Service Password Reset (SSPR) with password writeback.
integration
Your goal is to implement pass-through authentication between on-premises AD DS and Microsoft Entra ID.
Exercise 3:
Downloading, Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You
installing, and
may find slight differences between the interactive simulation and the hosted lab, but the core concepts and
configuring
Microsoft Entra ideas being demonstrated are the same.
Connect

Exercise 4:
Verifying
Objectives
integration
between AD DS After completing this lab, you’ll be able to:
and Microsoft
Entra ID Prepare Microsoft Entra ID for integration with on-premises AD DS, including adding and verifying a
custom domain.
Exercise 5:
Prepare on-premises AD DS for integration with Microsoft Entra ID, including running IdFix DirSync Error
Implementing
Microsoft Entra Remediation Tool.
ID integration Install and configure Microsoft Entra Connect.
features in AD
DS Verify integration between AD DS and Microsoft Entra ID by testing the synchronization process.
Implementing Microsoft Entra ID integration features in Active Directory, including Microsoft Entra ID
Exercise 6: Password Protection for Windows Server Active Directory and SSPR with password writeback.
Cleaning up

Estimated time: 60 minutes

Lab setup
Virtual machines: AZ-800T00A-SEA-DC1, AZ-800T00A-SEA-SVR1, and AZ-800T00A-ADM1 must be running.
Other VMs can be running, but they aren’t required for this lab.

❕ Note: AZ-800T00A-SEA-DC1, AZ-800T00A-SEA-SVR1, and AZ-800T00A-SEA-ADM1 virtual machines are hosting the
installation of SEA-DC1, SEA-SVR1, and SEA-ADM1

1. Select SEA-ADM1.

2. Sign in using the following credentials:

Username: Administrator
Password: Pa55w.rd
Domain: CONTOSO

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 1/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

For this lab, you’ll use the available VM environment and an Microsoft Entra tenant. Before you begin the lab,
ensure that you have an Microsoft Entra tenant and a user account with the Global Administrator role in that
tenant.

Exercise 1: Preparing Microsoft Entra ID for AD DS integration

Scenario

You need to ensure that your Microsoft Entra ID environment is ready for integration with your on-premises AD
DS. Therefore, you’ll create and verify a custom Microsoft Entra ID domain name and an account with the Global
Administrator role.

The main tasks for this exercise are:

1. Create a custom domain name in Azure.

2. Create a user with the Global Administrator role.
3. Change the password for the user with the Global Administrator role.

Task 1: Create a custom domain name in Azure

1. On SEA-ADM1, start Microsoft Edge, and then go to the Azure portal.

2. Use the credentials that you instructor provides to sign in to the Azure portal.
3. In the Azure portal, browse to Microsoft Entra ID.
4. On the Microsoft Entra ID page, select Custom domain names, and then add contoso.com .

5. Review the DNS record types that you would use to verify the domain, and then close the pane without
verifying the domain name.

❕ Note: While, in general, you would use DNS records to verify a domain, this lab doesn’t require the use of a verified
domain.

Task 2: Create a user with the Global Administrator role

1. On SEA-ADM1, in the Microsoft Edge window displaying the Microsoft Entra ID page, browse to the All
Users page and create a user account with the following properties:

Username: admin

❕ Note: Ensure the domain name drop-down menu for the User name lists the default domain name ending with
onmicrosoft.com .

Name: admin
Role: Global administrator
Password: use autogenerated password

❕ Note: Use the Show Password option to display the autogenerated password and record it as you’ll use it later in
this lab.

Task 3: Change the password for the user with the Global Administrator role

1. Sign out from the Azure portal and sign in with the user account you created in the previous task.

2. When prompted, change the password.

❕ Note: Record the complex password you used as you’ll use it later in this lab.

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 2/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

Exercise 2: Preparing on-premises AD DS for Microsoft Entra ID

integration

Scenario

You need to ensure that your existing Active Directory environment is ready for Microsoft Entra ID integration.
Therefore, you’ll run the IdFix tool, and then ensure that the UPNs of the Active Directory users match the
Microsoft Entra tenant’s custom domain name.

The main tasks for this exercise are:

1. Install IdFix.
2. Run IdFix.

Task 1: Install IdFix

1. On SEA-ADM1, open Microsoft Edge, and then go to https://github.com/microsoft/idfix .

2. On the Github page, under ClickOnce Launch, select launch.
3. In the IdFix Privacy Statement dialog box, review the disclaimer, and then select OK.

Task 2: Run IdFix

1. In the IdFix window, select Query.

2. Review the list of objects from the on-premises Active Directory, and review the ERROR and ATTRIBUTE
columns. In this scenario, the value of displayName for ContosoAdmin is blank, and the tool’s
recommended new value appears in the UPDATE column.
3. In the IdFix window, in the ACTION drop-down menu, select Edit, and then select Apply to automatically
implement the recommended changes.
4. In the Apply Pending dialog box, select Yes, and then close the IdFix tool.

Exercise 3: Downloading, installing, and configuring Microsoft Entra

Connect

Scenario

Exercise scenario: You’re now ready to implement the integration by downloading Microsoft Entra Connect,
installing it on SEA-ADM1, and configuring its settings to match the integration objective.

The main task for this exercise is:

1. Install and configure Microsoft Entra Connect.

Task 1: Install and configure Microsoft Entra Connect

1. On SEA-ADM1, in the Microsoft Edge window displaying the Azure portal, from the Microsoft Entra ID
page, browse to the Microsoft Entra Connect page.
2. From the Microsoft Entra Connect page, select Download.
3. Download Microsoft Entra Connect installation binaries and start the installation.
4. On the Microsoft Entra Connect page, select the I agree to the license terms and privacy notice
checkbox, and then select Continue.
5. On the Express Settings page, select Use express settings.
6. On the Connect to Microsoft Entra ID page, enter the username and password of the Microsoft Entra ID
Global Administrator user account you created in exercise 1.

7. On the Connect to AD DS page, enter the following credentials:

Username: CONTOSO\\Administrator
Password: Pa55w.rd

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 3/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

8. On the Microsoft Entra ID sign-in configuration page, verify that the new domain you added is in the list
of Active Directory UPN Suffixes.

❕ Note: The domain name provided does not have to be a verified domain. While you typically would verify a domain
prior to installing Microsoft Entra Connect, this lab doesn’t require that verification step.

9. Select the Continue without matching all UPN suffixes to verified domains checkbox.
10. After you reach the Ready to configure page, review the list of actions, and then start the installation.

Exercise 4: Verifying integration between AD DS and Microsoft Entra

ID

Scenario

Now that you have installed and configured Microsoft Entra Connect, you must verify its synchronization
mechanism. You plan to make changes to an on-premises user account, which will trigger synchronization. Then,
you’ll verify that the change is replicated to the corresponding Microsoft Entra ID user object.

The main tasks for this exercise are:

1. Verify synchronization in the Azure portal.

2. Verify synchronization in the Synchronization Service Manager.
3. Update a user account in Active Directory.
4. Create a user account in Active Directory.
5. Sync changes to Microsoft Entra ID.
6. Verify changes in Microsoft Entra ID.

Task 1: Verify synchronization in the Azure portal

1. On SEA-ADM1, switch to the Microsoft Edge window displaying the Azure portal.
2. Refresh the Microsoft Entra Connect page and review the information under Provision from Active
Directory.
3. From the Microsoft Entra ID page, browse to the Users page.

4. Observe the list of users synced from Active Directory.

❕ Note: After the directory synchronization starts, it can take 15 minutes for Active Directory objects to appear in the
Microsoft Entra ID portal.

5. From the Users page, browse to the Groups page.

6. Review the list of groups synced from Active Directory.

Task 2: Verify synchronization in the Synchronization Service Manager

1. On SEA-ADM1, on the Start menu, expand Microsoft Entra Connect, and then select Synchronization
Service.
2. In the Synchronization Service Manager window, under the Operations tab, review the tasks that were
performed to sync the Active Directory objects.

3. Select the Connectors tab, and note the two connectors.

❕ Note: One connector is for AD DS and the other is for the Microsoft Entra tenant.

4. Close the Synchronization Service Manager window.

Task 3: Update a user account in Active Directory

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 4/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

1. On SEA-ADM1, in Server Manager, open Active Directory Users and Computers.

2. In Active Directory Users and Computers, expand the Sales organizational unit (OU), and then open the
properties for Sumesh Rajan.
3. In the properties of the user, select the Organization tab.
4. In the Job Title text box, enter Manager, and then select OK.

Task 4: Create a user account in Active Directory

Create the following user in the Sales OU:

First name: Jordan

Last name: Mitchell
User logon name: Jordan
Password: Pa55w.rd

Task 5: Sync changes to Microsoft Entra ID

1. On SEA-ADM1, start Windows PowerShell as Administrator.

2. In the Windows PowerShell console, run the following command to trigger synchronization:

Code  Copy

Start-ADSyncSyncCycle

❕ Note: After the synchronization cycle starts, it can take 15 minutes for Active Directory objects to appear in the
Microsoft Entra ID portal.

Task 6: Verify changes in Microsoft Entra ID

1. On SEA-ADM1, switch to the Microsoft Edge window displaying the Azure portal and go back to the
Microsoft Entra ID page.
2. From the Microsoft Entra ID page, browse to the Users page.
3. On the All Users page, search for the user Sumesh.
4. Open the properties page of the user Sumesh Rajan, and then verify that the Job title attribute has been
synced from Active Directory.
5. In Microsoft Edge, go back to the All Users page.
6. On the All Users page, search for the user Jordan.
7. Open the properties page of the user Jordan Mitchell, and then review the attributes of the user account
that have been synced from Active Directory.

Exercise 5: Implementing Microsoft Entra ID integration features in

AD DS

Scenario

You want to identify Microsoft Entra ID integration features that will allow you to further enhance your on-
premises Active Directory security and minimize its management overhead. You also want to implement
Microsoft Entra ID Password Protection for Windows Server Active Directory and self-service password reset with
password writeback.

The main tasks for this exercise are:

1. Enable self-service password reset in Azure.

2. Enable password writeback in Microsoft Entra Connect.
3. Enable pass-through authentication in Microsoft Entra Connect.
4. Verify pass-through authentication in Azure.
5. Install and register the Microsoft Entra ID Password Protection proxy service and DC agent.

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 5/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

6. Enable password protection in Azure.

Task 1: Enable self-service password reset in Azure

1. On SEA-ADM1, in the Microsoft Edge window displaying the Azure portal, browse to the Microsoft Entra
ID Licenses page and activate the Microsoft Entra ID P2 free trial.
2. Assign an Microsoft Entra ID P2 license to the Microsoft Entra ID Global Administrator user account you
created in exercise 1.
3. In the Azure portal, browse to the Microsoft Entra ID Password reset page.

4. On the Password reset page, note that you can select the scope of users to which to apply the
configuration.

❕ Note: Don’t enable the password reset feature because it will break the configuration steps that are required later in
this lab.

Task 2: Enable password writeback in Microsoft Entra Connect

1. On SEA-ADM1, open Microsoft Entra Connect.

2. In the Microsoft Entra Connect window, select Configure.
3. On the Additional tasks page, select Customize synchronization options.
4. On the Connect to Microsoft Entra ID page, enter the username and password of the Microsoft Entra ID
Global Administrator user account you created in exercise 1.

5. On the Optional features page, select Password writeback.

❕ Note: Password writeback is required for self-service password reset of Active Directory users. This allows passwords
changed by users in Microsoft Entra ID to sync to the Active Directory.

6. On the Ready to configure page, review the list of actions to be performed, and then select Configure.
7. After the configuration completes, close the Microsoft Entra Connect window.

Task 3: Enable pass-through authentication in Microsoft Entra Connect

1. On SEA-ADM1, on the Start menu, expand Microsoft Entra Connect, and then select Microsoft Entra
Connect.
2. In the Microsoft Entra Connect window, select Configure.
3. On the Additional tasks page, select Change user sign-in.
4. On the Connect to Microsoft Entra ID page, enter the username and password of the Microsoft Entra ID
Global Administrator user account you created in exercise 1.
5. On the User sign-in page, select Pass-through authentication.
6. Verify that the Enable single sign-on checkbox is selected.
7. On the Enable single sign-on page, select Enter credentials.

8. In the Forest credentials dialog box, authenticate using the following credentials:

Username: Administrator
Password: Pa55w.rd
9. On the Enable single sign-on page, verify that there’s a green check mark next to Enter credentials.
10. On the Ready to configure page, review the list of actions to be performed, and then select Configure.
11. After the configuration completes, close the Microsoft Entra Connect window.

Task 4: Verify pass-through authentication in Azure

1. On SEA-ADM1, from the Microsoft Entra ID page in the Azure portal, browse to the Microsoft Entra
Connect page.
2. On the Microsoft Entra Connect page, review the information under User Sign-In.
3. Under User Sign-In, select Seamless single sign-on.

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 6/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

4. On the Seamless single sign-on page, review the on-premises domain name.
5. From the Seamless single sign-on page, browse to the Passthrough Authentication page.

6. On the Passthrough Authentication page, review the list of servers under Authentication Agent.

❕ Note: To install the Microsoft Entra ID Authentication Agent on multiple servers in your environment, you can
download its binaries from the Pass-through authentication page in the Azure portal.

Task 5: Install and register the Microsoft Entra ID Password Protection proxy service and DC agent

1. On SEA-ADM1, start Microsoft Edge, browse to the Microsoft Downloads website, browse to the
Microsoft Entra ID Password Protection for Windows Server Active Directory page where you can
download installers, and then select Download.

2. Download AzureADPasswordProtectionProxySetup.exe and

AzureADPasswordProtectionDCAgentSetup.msi to SEA-ADM1.

❕ Note: We recommend installing the proxy service on a server that isn’t a domain controller. In addition, the proxy
service should not be installed on the same server as the Microsoft Entra Connect agent. You will install the proxy
service on SEA-SVR1 and the Password Protection DC Agent on SEA-DC1.

3. On SEA-ADM1, in the Windows PowerShell console, run the following command to remove the
Zone.Identifier alternate data stream indicating that files have been downloaded from internet:

Code  Copy

Get-ChildItem -Path "$env:USERPROFILE\Downloads -File | Unblock-File

4. Run the following commands to create the C:\Temp directory on SEA-SVR1, copy the
AzureADPasswordProtectionProxySetup.exe installer to that directory, and invoke the installation:

Code  Copy

New-Item -Type Directory -Path '\\SEA-SVR1.contoso.com\C$\Temp' -Force

Copy-Item -Path "$env:USERPROFILE\Downloads\AzureADPasswordProtectionProxySetup.exe" -
Destination '\\SEA-SVR1.contoso.com\C$\Temp\'
Invoke-Command -ComputerName SEA-SVR1.contoso.com -ScriptBlock { Start-Process -FilePath
C:\Temp\AzureADPasswordProtectionProxySetup.exe -ArgumentList `/quiet /log
C:\Temp\AzureADPPProxyInstall.log` -Wait }

5. Run the following commands to create the C:\Temp directory on SEA-DC1, copy the
AzureADPasswordProtectionDCAgentSetup.msi installer to that directory, invoke the installation, and
restart the domain controller after the installation completes:

Code  Copy

New-Item -Type Directory -Path '\\SEA-DC1.contoso.com\C$\Temp' -Force

Copy-Item -Path "$env:USERPROFILE\Downloads\AzureADPasswordProtectionDCAgentSetup.msi" -
Destination '\\SEA-DC1.contoso.com\C$\Temp\'
Invoke-Command -ComputerName SEA-DC1.contoso.com -ScriptBlock { Start-Process msiexec.exe -
ArgumentList '/i C:\Temp\AzureADPasswordProtectionDCAgentSetup.msi /quiet /qn /norestart /log
C:\Temp\AzureADPPInstall.log' -Wait }
Restart-Computer -ComputerName SEA-DC1.contoso.com -Force

6. Run the following commands to validate that the installations resulted in the creation of services necessary
to implement Microsoft Entra ID Password Protection:

Code  Copy

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 7/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

Get-Service -Computer SEA-SVR1 -Name AzureADPasswordProtectionProxy | fl

Get-Service -Computer SEA-DC1 -Name AzureADPasswordProtectionDCAgent | fl

❕ Note: Verify that each service has the Running status.

7. Run the following command to start a PowerShell Remoting session to SEA-SVR1:

Code  Copy

Enter-PSSession -ComputerName SEA-SVR1

8. Within the PowerShell Remoting session, run the following command to register the proxy service with
Active Directory (replace the <Azure_AD_Global_Admin> placeholder with the fully-qualified user principal
name of the Microsoft Entra ID Global Administrator user account you created in exercise 1):

Code  Copy

Register-AzureADPasswordProtectionProxy -AccountUpn <Azure_AD_Global_Admin> -

AuthenticateUsingDeviceCode

9. Follow the prompts to authenticate by using the Microsoft Entra ID Global Administrator user account you
created in exercise 1.
10. Exit the PowerShell Remoting session.

11. In the Windows PowerShell console, enter the following command, and then press Enter to start a
PowerShell Remoting session to SEA-DC1:

Code  Copy

Enter-PSSession -ComputerName SEA-DC1

12. Within the PowerShell Remoting session, run the following command to register the proxy service with
Active Directory (replace the <Azure_AD_Global_Admin> placeholder with the fully-qualified user principal
name of the Microsoft Entra ID Global Administrator user account you created in exercise 1):

Code  Copy

Register-AzureADPasswordProtectionForest -AccountUpn <Azure_AD_Global_Admin> -

AuthenticateUsingDeviceCode

13. Follow the prompts to authenticate by using the Microsoft Entra ID Global Administrator user account you
created in exercise 1.
14. Exit the PowerShell Remoting session.

Task 6: Enable password protection in Azure

1. On SEA-ADM1, switch to the Microsoft Edge window displaying the Azure portal, go back to the
Microsoft Entra ID page, and then browse to its Security page.
2. On the Security page, select Authentication methods.
3. On the Authentication methods page, select Password protection.
4. On the Password protection page, enable Enforce custom list.

5. In the Custom banned password list text box, enter the following words (one per line):

Contoso
London

❕ Note: The list of banned passwords should be words that are relevant to your organization.

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 8/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

6. Verify that the Enable password protection on Windows Server Active Directory setting is enabled.
7. Verify that the Mode is set to Audit and save your changes.

Exercise 6: Cleaning up

Scenario

You want to disable synchronization from the on-premises Active Directory to Azure. This will involve removing
Microsoft Entra Connect and disabling synchronization with Azure.

The main tasks for this exercise are:

1. Uninstall Microsoft Entra Connect.

2. Disable directory synchronization in Azure.

Task 1: Uninstall Microsoft Entra Connect

1. On SEA-ADM1, open Control Panel.

2. Use the Uninstall or change a program functionality to uninstall Microsoft Entra Connect.

Task 2: Disable directory synchronization in Azure

1. On SEA-ADM1, switch to the Windows PowerShell window.

2. In the Windows PowerShell console, run the following command to install the Microsoft Online module
for Microsoft Entra ID:

Code  Copy

Install-Module -Name MSOnline

3. Run the following command to provide the credentials to Azure:

Code  Copy

$msolcred=Get-Credential

4. When prompted, in the Windows PowerShell credential request dialog box, enter the credentials of the
user account you created in exercise 1.

5. Run the following command to connect to Azure:

Code  Copy

Connect-MsolService -Credential $msolcred

6. Run the following command to disable directory synchronization in Azure:

Code  Copy

Set-MsolDirSyncEnabled -EnableDirSync $false

Prepare for the next module

End the lab when you’re finished in preparation for the next module.

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 9/10

2/12/25, 11:38 AM AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure

https://microsoftlearning.github.io/AZ-800-Administering-Windows-Server-Hybrid-Core-Infrastructure/Instructions/Labs/LAB_02_Implementing_integration_between_AD DS_and_Azure_AD.html 10/10