How to Provide Access to Azure Resources with Azure AD

Once you have verified the domain, create an administrator account for it, name it BWCAdmin@bluewidgetcoXXXX.com, and assign it the Global Administrator role. Log in to the portal with that account once so you can replace the temporary password you are given; you will need it again when Azure AD Connect asks for Azure AD credentials.

Again, if you would like to follow along, click here to register a domain at Register.com and complete the steps above.

Synchronize Local AD to Azure Active Directory

Now that you have a running on-prem Active Directory and a custom domain added to Azure Active Directory, download Azure AD Connect to the DC01 server in your on-prem AD. Do not install it yet. You will install it shortly and use it to synchronize your local AD users to your Azure AD. Before synchronizing, make sure your users carry a UPN suffix that matches a verified, internet-routable domain in Azure AD. Users whose UPN suffix is not a verified domain are still synchronized, but Azure AD assigns them a UPN under the tenant's default onmicrosoft.com domain instead of the name you expect. If you are following along with this tutorial, your on-prem AD domain is not routable (it is a .local domain), so you need to add a routable suffix before you install.

If your local AD domain is non-internet-routable (a .local domain, for example), open Active Directory Domains and Trusts on your on-prem DC and add BlueWidgetCoXXXX.com as an alternative UPN suffix for the forest. After adding the suffix, open Active Directory Users and Computers and change the UPN suffix for User01 to BlueWidgetCoXXXX.com so the account reads User01@BlueWidgetCoXXXX.com.
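The same preparation done from PowerShell on DC01, as an added example that is not part of the original post. It assumes the tutorial's names (forest BlueWidgetCo.local, verified domain BlueWidgetCoXXXX.com, user User01) and the ActiveDirectory RSAT module; the final step is the check a practitioner wants before the first sync, listing every enabled user who would still land in Azure AD with an onmicrosoft.com UPN.

```powershell
# Added example (not from the original post): prepare a .local forest for Azure AD sync.
# Assumed names: forest BlueWidgetCo.local, verified Azure AD domain BlueWidgetCoXXXX.com,
# user User01. Run on DC01 as a Domain Admin with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$RoutableSuffix = 'BlueWidgetCoXXXX.com'   # replace XXXX with your registered domain

# 1. Add the routable domain as an alternative UPN suffix on the forest.
#    Same effect as the Active Directory Domains and Trusts dialog.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $RoutableSuffix }
}

# 2. Give User01 a UPN under the verified domain. Azure AD uses this value
#    as the sign-in name once the object is synchronized.
$user   = Get-ADUser -Identity 'User01'
$newUpn = '{0}@{1}' -f $user.SamAccountName, $RoutableSuffix
Set-ADUser -Identity $user -UserPrincipalName $newUpn

# 3. Pre-sync check: enabled users whose UPN suffix is not a verified domain.
#    Each of these would be created in Azure AD as <user>@<tenant>.onmicrosoft.com.
$verifiedSuffixes = @($RoutableSuffix)
Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        -not $_.UserPrincipalName -or
        ($verifiedSuffixes -notcontains ($_.UserPrincipalName -split '@')[-1])
    } |
    Select-Object SamAccountName, UserPrincipalName |
    Format-Table -AutoSize
```

Run step 3 again after fixing any accounts it lists; an empty result means every enabled user will synchronize with the UPN you intend.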

Synchronize Local AD to Azure AD

Once you have your local AD prepared, you can install Azure AD Connect. Log in to your DC01 virtual machine and launch the Azure AD Connect installer. Perform a custom install (leave all 4 optional configuration checkboxes unchecked) and click Install. When prompted for Azure AD credentials, use the BWCAdmin Global Administrator account you created earlier. Configure it to synchronize the BlueWidgetCo.local forest to Azure Active Directory and choose Password Hash Synchronization as the sign-in method; this sends a salted, re-hashed form of each user's password hash to Azure AD so users keep the same password in the cloud. Leave everything else unchecked. On the Azure AD sign-in configuration page you may see BlueWidgetCo.local listed as a UPN suffix that is not added or verified in Azure AD. That is fine; you do not want to sign in with that suffix anyway. BlueWidgetCoXXXX.com will be listed as verified, and User01 will synchronize under it. Note that installing Azure AD Connect directly on a domain controller, as this tutorial does for simplicity, is supported but not what Microsoft recommends for production; the server holding the sync service also holds credentials to both directories, so in a real environment put it on a dedicated, hardened member server.
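After the wizard finishes, the first full sync runs automatically and later changes are picked up on a 30-minute schedule. The following added example (not part of the original post) forces a delta sync from DC01 and then confirms from the cloud side that User01 arrived as a synced object with the expected UPN. It assumes the ADSync module that the Azure AD Connect installer adds, the Microsoft.Graph PowerShell module, and a Global Administrator sign-in; the user name and domain are the tutorial's.

```powershell
# Added example (not from the original post): trigger a delta sync and verify the result.
# Assumes the ADSync module (installed with Azure AD Connect) on DC01 and the
# Microsoft.Graph module for the cloud-side check. Names follow the tutorial.
Import-Module ADSync

# 1. Confirm the scheduler is enabled and kick off a delta run now instead of waiting.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta

# 2. Wait until no connector run is in progress (the cmdlet returns nothing when idle).
while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }

# 3. Cloud-side check: the user must exist, carry the routable UPN, and be flagged
#    as synchronized from on-prem rather than created as a cloud-only account.
Connect-MgGraph -Scopes 'User.Read.All'
$expectedUpn = 'User01@BlueWidgetCoXXXX.com'   # replace XXXX with your domain
$cloudUser = Get-MgUser -UserId $expectedUpn `
    -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesSamAccountName `
    -ErrorAction SilentlyContinue

if (-not $cloudUser) {
    Write-Warning "$expectedUpn not found in Azure AD; re-check the on-prem UPN suffix and the sync run."
}
elseif (-not $cloudUser.OnPremisesSyncEnabled) {
    Write-Warning "$expectedUpn exists but is cloud-only; it was not matched to the on-prem object."
}
else {
    'OK: {0} synchronized from on-prem account {1}' -f `
        $cloudUser.UserPrincipalName, $cloudUser.OnPremisesSamAccountName
}
```

If the user shows up with an onmicrosoft.com UPN instead, the UPN suffix change on-prem did not take effect before the run; fix the attribute and run the delta sync again.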

Click here to join the Understanding Azure Facebook group or here for the latest Azure practice questions, answers, explanations, and reference materials.

Thomas Mitchell

Tom is a 20+ year veteran of the IT industry and carries numerous Microsoft certifications, including the MCSE: Cloud Platform and Infrastructure certification. A Subject Matter Expert in Active Directory and Microsoft Exchange, Tom also possesses expert-level knowledge in several other IT disciplines, including Azure, Storage, and O365/Exchange Online. You can find Tom at his website, on LinkedIn, or on Facebook. Need to reach him by phone? Call 484-334-2790.