1/25/2021 AZ-103-MicrosoftAzureAdministrator

Scenario
Lab: Azure AD Identity Protection
All tasks in this lab are performed from the Azure portal, except for steps in Exercise 2 performed within a
Objectives
Remote Desktop session to an Azure VM.
Exercise 0:
Prepare the lab Lab files:
environment
Labfiles\Module_10\Azure_AD_Identity_Protection\az-101-04b_azuredeploy.json
Exercise 1:
Implement Labfiles\Module_10\Azure_AD_Identity_Protection\az-101-04b_azuredeploy.parameters.json
Azure MFA

Exercise 2: Scenario
Implement
Azure AD Adatum Corporation wants to take advantage of Azure AD Premium features for Identity Protection.
Identity
Protection:
Objectives

After completing this lab, you will be able to:

Deploy an Azure VM by using an Azure Resource Manager template

Implement Azure MFA

Implement Azure AD Identity Protection

Exercise 0: Prepare the lab environment

The main tasks for this exercise are as follows:

1. Deploy an Azure VM by using an Azure Resource Manager template

Task 1: Deploy an Azure VM by using an Azure Resource Manager template

1. From the lab virtual machine, start Microsoft Edge, browse to the Azure portal at http://portal.azure.com
and sign in by using a Microsoft account that has the Owner role in the Azure subscription you intend to
use in this lab.

2. In the Azure portal, navigate to the New blade.

3. From the New blade, search Azure Marketplace for Template deployment.

4. Use the list of search results to navigate to the Custom deployment blade.

5. On the Custom deployment blade, select the Build your own template in the editor.

6. From the Edit template blade, load the template file

Labfiles\Module_10\Azure_AD_Identity_Protection\az-101-04b_azuredeploy.json.

❕ Note: Review the content of the template and note that it defines deployment of an Azure VM hosting Windows
Server 2016 Datacenter.

7. Save the template and return to the Custom deployment blade.

8. From the Custom deployment blade, navigate to the Edit parameters blade.

9. From the Edit parameters blade, load the parameters file

Labfiles\Module_10\Azure_AD_Identity_Protection\az-101-04b_azuredeploy.parameters.json.

10. Save the parameters and return to the Custom deployment blade.

11. From the Custom deployment blade, initiate a template deployment with the following settings:

Subscription: the name of the subscription you are using in this lab

Resource group: the name of a new resource group az1010401b-RG

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 1/8
1/25/2021 AZ-103-MicrosoftAzureAdministrator

Location: the name of the Azure region which is closest to the lab location and where you can
provision Azure VMs

Vm Size: Standard_DS1_v2

Vm Name: az1010401b-vm1

Admin Username: Student

Admin Password: Pa55w.rd1234

Virtual Network Name: az1010401b-vnet1

❕ Note: To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-
us/regions/offers/

❕ Note: Do not wait for the deployment to complete but proceed to the next exercise. You will use the virtual machine included
in this deployment in the last exercise of this lab.

❕ Result: After you completed this exercise, you have initiated a template deployment of an Azure VM az1010401b-vm1 that
you will use in the next exercise of this lab.

Exercise 1: Implement Azure MFA

The main tasks for this exercise are as follows:

1. Create a new Azure AD tenant

2. Activate Azure AD Premium v2 trial

3. Create Azure AD users and groups

4. Assign Azure AD Premium v2 licenses to Azure AD users

5. Configure Azure MFA settings, including fraud alert, trusted IPs, and app passwords

6. Validate MFA configuration

Task 1: Create a new Azure AD tenant

1. In the Azure portal, navigate to the New blade.

2. From the New blade, search Azure Marketplace for Azure Active Directory.

3. Use the list of search results to navigate to the Create directory blade.

4. From the Create directory blade, create a new Azure AD tenant with the following settings:

Organization name: AdatumLab101-4b

Initial domain name: a unique name consisting of a combination of letters and digits.

Country or region: United States

❕ Note: Take a note of the initial domain name. You will need it later in this lab.

Task 2: Activate Azure AD Premium v2 trial

1. In the Azure portal, set the Directory + subscription filter to AdatumLab101-4b (the newly created Azure
AD tenant.)

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 2/8

1/25/2021 AZ-103-MicrosoftAzureAdministrator

❕ Note: The Directory + subscription filter is located to the right of the Cloud Shell icon in the toolbar of the Azure
portal

❕ Note: You might need to refresh the browser window if the AdatumLab101-4b entry does not appear in the
Directory + subscription filter list.

2. In the Azure portal, navigate to the AdatumLab101-4b - Overview blade.

3. From the AdatumLab101-4b - Overview blade, navigate to the Licenses - Overview blade.

4. From the Licenses - Overview blade, navigate to the Licenses - All products blade.

5. From the Licenses - All products blade, click + Try / Buy, click Free Trial under Azure AD Premium P2,
and then click Activate.

Task 3: Create Azure AD users and groups.

1. In the Azure portal, navigate to the Users - All users blade of the AdatumLab101-4b Azure AD tenant.

2. From the Users - All users blade, create a new user with the following settings:

User name: aaduser1@<DNS-domain-name>.onmicrosoft.com where <DNS-domain-name>

represents the initial domain name you specified in the first task of this exercise.

❕ Note: Take a note of this user name. You will need it later in this lab.

Name: aaduser1

Password: ensure that the option Auto-generate password is selected, check the checkbox Show
Password and note the string appearing in the Password text box. You will need it later in this lab.

Groups: 0 groups selected

Directory role: Global administrator

3. From the Users - All users blade, create a new user with the following settings:

User name: aaduser2@<DNS-domain-name>.onmicrosoft.com where <DNS-domain-name>

represents the initial domain name you specified in the first task of this exercise.

❕ Note: Take a note of this user name. You will need it later in this lab.

Name: aaduser2

Password: ensure that the option Auto-generate password is selected, check the checkbox Show
Password and note the string appearing in the Password text box. You will need it later in this lab.

Groups: 0 groups selected

Directory role: User

Task 4: Assign Azure AD Premium v2 licenses to Azure AD users

❕ Note: In order to assign Azure AD Premium v2 licenses to Azure AD users, you first have to set their location attribute.

1. From the Users - All users blade, navigate to the aaduser1 - Profile blade and set the Usage location to
United States.

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 3/8

1/25/2021 AZ-103-MicrosoftAzureAdministrator

2. From the aaduser1 - Profile blade, navigate to the aaduser1 - Licenses blade and assign to the user an
Azure Active Directory Premium P2 license with all licensing options enabled.

3. Return to the Users - All users blade, navigate to the aaduser2 - Profile blade, and set the Usage
location to United States.

4. From the aaduser2 - Profile blade, navigate to the aaduser2 - Licenses blade and assign to the user an
Azure Active Directory Premium P2 license with all licensing options enabled.

5. Return to the Users - All users blade, navigate to the Profile entry of your user account and set the Usage
location to United States.

6. Navigate to Licenses blade of your user account and assign to it an Azure Active Directory Premium P2
license with all licensing options enabled.

7. Sign out from the portal and sign back in using the same account you are using for this lab.

❕ Note: This step is necessary in order for the license assignment to take effect.

Task 5: Configure Azure MFA settings.

1. In the Azure portal, navigate to the Users - All users blade of the AdatumLab101-4b Azure AD tenant.

2. From the Users - All users blade of the AdatumLab101-4b Azure AD tenant, use the Multi-Factor
Authentication link to open the multi-factor authentication portal.

3. On the multi-factor authentication portal, display to the service settings tab, review its settings, and the
verification options, including Text message to phone, Notification through mobile app, and
Verification code from mobile app or hardware token are enabled.

4. On the multi-factor authentication portal, switch to the users tab, select aaduser1 entry, and enable its
multi-factor authentication status.

5. On the multi-factor authentication portal, note that the multi-factor authentication status of aaduser1
changed to Enabled and that, once you select the user entry again, you have the option of changing it to
Enforced.

❕ Note: Changing the user status from enabled to enforced impacts only legacy, Azure AD integrated apps which do not
support Azure MFA and, once the status changes to enforced, require the use of app passwords.

6. On the multi-factor authentication portal, with the aaduser1 entry selected, display the Manage user
settings window and review its options, including:

Require selected users to provide contact methods again

Delete all existing app passwords generated by the selected users

Restore multi-factor authentication on all remembered devices

7. Click Cancel and switch back to the Azure portal, without making any changes.

8. From the Users - All users blade of the AdatumLab101-4b Azure AD tenant, navigate to the
AdatumLab101-4b - Overview blade.

9. From the AdatumLab101-4b - Overview blade, navigate to the Security blade, then MFA blade.

❕ Note: You might need to first click the Security entry in the vertical menu of the Azure Active Directory tenant blade.

10. From the Multi-Factor Authentication blade, navigate to the Multi-Factor Authentication - Fraud alert
blade and configure the following settings:

Allow users to submit fraud alerts: On

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 4/8

1/25/2021 AZ-103-MicrosoftAzureAdministrator

Automatically block users who report fraud: On

Code to report fraud during initial greeting: 0

Task 6: Validate MFA configuration

1. Open an InPrivate Microsoft Edge window.

2. In the new browser window, navigate to the Azure portal and sign in using the aaduser1 user account.
When prompted, change the password to a new value.

❕ Note: You will need to provide a fully qualified name of the aaduser1 user account, including the Azure AD tenant
DNS domain name, as noted earlier in this lab.

3. When prompted with the More information required message, continue to the Additional security
verification page.

4. On the How should we contact you? page, note that you need to set up one of the following options:

Authentication phone

Mobile app

5. Select the Authentication phone option with the Send me a code by text message method.

6. Complete the verification and note the automatically generated app password.

7. When prompted, change the password from the one generated when you created the aaduser1 account.

8. Verify that you successfully signed in to the Azure portal.

9. Sign out as aaduser1 and close the InPrivate browser window.

Exercise 2: Implement Azure AD Identity Protection:

The main tasks for this exercise are as follows:

1. Enable Azure AD Identity Protection

2. Configure user risk policy

3. Configure sign-in risk policy

4. Validate Azure AD Identity Protection configuration by simulating risk events

Task 1: Enable Azure AD Identity Protection

1. From the lab virtual machine, start Microsoft Edge, browse to the Azure portal at http://portal.azure.com
and sign in by using the Microsoft account you used to create the AdatumLab101-4b Azure AD tenant.

❕ Note: Ensure that you are signed-in to the AdatumLab101-4b Azure AD tenant. You can use the Directory +
subscription filter to switch between Azure AD tenants.

2. In the Azure portal, navigate to the New blade.

3. From the New blade, search Azure Marketplace for Azure AD Identity Protection.

4. Select the Azure AD Identity Protection in the list of search results and proceed to create an instance of
Azure AD Identity Protection associated with the AdatumLab101-4b Azure AD tenant.

5. In the Azure portal, navigate to the All services blade and use the search filter to display the Azure AD
Identity Protection blade.

Task 2: Configure user risk policy

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 5/8

1/25/2021 AZ-103-MicrosoftAzureAdministrator

1. From the Azure AD Identity Protection blade, navigate to the Azure AD Identity Protection - User risk
policy blade

2. On the Azure AD Identity Protection - User risk policy blade, configure the User risk remediation
policy with the following settings:

Assignments:

Users: All users (be sure to exclude the current admin account to avoid getting locked out of
the tenant)

Conditions:

User risk: Low and above

Controls:

Access: Allow access

Require password change

Enforce Policy: On

Task 3: Configure sign-in risk policy

1. From the Azure AD Identity Protection - User risk policy blade, navigate to the Azure AD Identity
Protection - Sign-in risk policy blade

2. On the Azure AD Identity Protection - Sign-in risk policy blade, configure the Sign-in risk remediation
policy with the following settings:

Assignments:

Users: All users

Conditions:

User risk: Medium and above

Controls:

Access: Allow access

Require multi-factor authentication

Enforce Policy: On

Task 4: Validate Azure AD Identity Protection configuration by simulating risk events

❕ Note: Before you start this task, ensure that the template deployment you started in Exercise 0 has completed.

1. In the Azure portal, set the Directory + subscription filter to the Default Directory (the original Azure AD
tenant.)

2. In the Azure portal, navigate to the az1010401b-vm1 blade.

3. From the az1010401b-vm1 blade, connect to the Azure VM via Remote Desktop session and, when
prompted to sign in, provide the following credentials:

Admin Username: Student

Admin Password: Pa55w.rd1234

4. Within the Remote Desktop session, in Server Manager, click Local Server and then click IE Enhanced
Security Configuration.

5. In the Internet Explorer Enhanced Security Configuration dialog box, set both options to Off and click
OK.
https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 6/8
1/25/2021 AZ-103-MicrosoftAzureAdministrator

6. Within the Remote Desktop session, open an InPrivate Internet Explorer window.

7. In the new browser window, navigate to the ToR Browser Project at

https://www.torproject.org/projects/torbrowser.html.en, download the ToR Browser, and install it with
the default options.

8. Once the installation completes, start the ToR Browser, use the Connect option on the initial page, and
navigate to the Application Access Panel at https://myapps.microsoft.com

9. When prompted, sign in with the aaduser2 account you created in the previous exercise.

10. You will be presented with the message Your sign-in was blocked. This is expected, since this account is
not configured with multi-factor authentiation, which is required due to increased sign-in risk associated
with the use of ToR Browser.

11. Use the Sign out and sign in with a different account option to sign in as aaduser1 account you
created and configured for multi-factor authentication in the previous exercise.

12. This time, you will be presented with the Suspicious activity detected message. Again, this is expected,
since this account is configured with multi-factor authentiation. Considering the increased sign-in risk
associated with the use of ToR Browser, you will have to use multi-factor authentication, according to the
sign-in risk policy you configured in the previous task.

13. Use the Verify option and specify whether you want to verify your identity via text or a call.

14. Complete the verification and ensure that you successfully signed in to the Application Access Panel.

15. Sign out as aaduser1 and close the ToR Browser window.

16. Start Internet Explorer, browse to the Azure portal at http://portal.azure.com and sign in by using the
Microsoft account you used to create the AdatumLab101-4b Azure AD tenant.

17. In the Azure portal, set the Directory + subscription filter to AdatumLab101-4b (the newly created Azure
AD tenant.)

❕ Note: The Directory + subscription filter is located to the right of the Cloud Shell icon in the toolbar of the Azure
portal

18. In the Azure portal, navigate to the Azure AD Identity Protection - Risk Detections blade and note that
the entry representing Sign-in from anonymous IP address.

19. From the Azure AD Identity Protection - Risk Detections blade, navigate to the Azure AD Identity
Protection - Risky users blade and note the entry representing aaduser2.

20. From the Azure AD Identity Protection - Risky users blade, navigate to the Azure AD Identity
Protection - Risky sign-ins blade and note the entry representing aaduser2.

❕ Result: After you completed this exercise, you have enabled Azure AD Identity Protection, configured user risk policy and
sign-in risk policy, as well as validated Azure AD Identity Protection configuration by simulating risk events

Exercise 3: Remove lab resources

Task 1: Open Cloud Shell

1. At the top of the portal, click the Cloud Shell icon to open the Cloud Shell pane.

2. At the Cloud Shell interface, select Bash.

3. At the Cloud Shell command prompt, type in the following command and press Enter to list all resource
groups you created in this lab:

Shell  Copy

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 7/8

1/25/2021 AZ-103-MicrosoftAzureAdministrator

az group list --query "[?starts_with(name,'az1010')].name" --output tsv

4. Verify that the output contains only the resource groups you created in this lab. These groups will be
deleted in the next task.

Task 2: Delete resource groups

1. At the Cloud Shell command prompt, type in the following command and press Enter to delete the
resource groups you created in this lab

Shell  Copy

az group list --query "[?starts_with(name,'az1010')].name" --output tsv | xargs -L1 bash -c

'az group delete --name $0 --no-wait --yes'

2. Close the Cloud Shell prompt at the bottom of the portal.

❕ Note: To remove the Azure AD tenant you created in this lab, follow https://docs.microsoft.com/en-us/azure/active-
directory/users-groups-roles/directory-delete-howto

❕ Result: In this exercise, you removed the resources used in this lab.

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/10a - Azure AD Identity Protection (az-101-04b).html 8/8