Student Lab Manual

MS500.1x: Implementing Identity

Synchronization

Lab Scenario
You are the security administrator for Adatum Corporation, and you have Microsoft 365 deployed in a
virtualized lab environment. In this lab, you will implement identity synchronization between your
Microsoft 365 tenant accounts and your local active directory accounts.

Important note: This lab must be performed after the earlier lab
Managing your Microsoft 365 Identity environment is completed.

Exercise 1: Implement Identity Synchronization

 Task 1 – Configure your UPN suffix
 Task 2 – Enable Directory Synchronization
 Task 3 – Set up Azure AD Connect
 Task 4 – Validate the results of directory synchronization and license user

WARNING – Be prepared for UI changes

Given the dynamic nature of Microsoft cloud tools, you may experience user interface (UI) changes that
were made following the development of this training content that do not match up with lab
instructions presented in this lab manual.

The Microsoft Learning team will update this training course as soon as any such changes are brought to
our attention. However, given the dynamic nature of cloud updates, you may run into UI changes before
this training content is updated. If this occurs, you will have to adapt to the changes and work through
them in the labs as needed.

Page 1
Lab: Implementing Identity Synchronization
You are now ready to start the directory synchronization process. In this lab exercise you to first make
sure your local Active Directory is ready to start the directory synchronization process.

Exercise 1: Setting up your organization for identity

synchronization
Task 1: Configure your UPN suffix
1. On LON-DC1, log on as ADATUM\Administrator and password Pa55w.rd.
2. Using Windows PowerShell as administrator, update the UPN suffix for the domain and on the
UPN on every user in AD DS with “@xxyyzza.onmicrosoft.com” (where xxyyzza is your unique UPN
name) for the domain name. To do this, run the following command (remember to change xxyyzza
to your unique UPN name):
Set-ADForest -identity "adatum.com" -UPNSuffixes
@{replace="xxyyzza.onmicrosoft.com"}

3. Next type the follow command (remember to change xxyyzza to your unique UPN name):
Get-ADUser –Filter * -Properties SamAccountName | ForEach-Object { Set-
ADUser $_ -UserPrincipalName ($_.SamAccountName + "@xxyyzza.onmicrosoft.com"
)}

4. At the Windows PowerShell prompt, type the following command, and then press Enter:
Set-ExecutionPolicy Unrestricted

5. To confirm the execution policy change, press Enter.

Task 2: Enable Directory Synchronization

1. On LON-DS1, if necessary, log on as ADATUM\Administrator and password Pa55w.rd.
2. Open Internet Explorer. Navigate to Tools > Internet Options > Security tab.
3. In the Internet zone, click Custom Level. Scroll down and under the Downloads section, you must
enable the File download setting.
4. Then in the Trusted Sites zone, you need to add the following sites:
• https://outlook.office365.com/
• https://outlook.office.com/
• https://portal.office.com/

Page 2
5. Browse to https://portal.office.com/.
6. Sign in as holly2@<your tenant here>.onmicrosoft.com with the password Pa55w.rd .
7. Click Admin.
8. If asked about update your admin contact information click on the Cancel button to skip this
request.
9. Navigate to the Active Users.
Note: If you see the Active Directory synchronization is being activated warning, you can ignore it
at this time, but you will not be able to run directory synchronization later in this exercise. You
must wait until directory synchronization is activated. However, you can complete the following
steps, even if you do see the warning message.

10. Select Holly Dickson.

11. Edit Holly’s alias by changing it to Holly and ensure that <your tenant here> domain is selected.
Click Add.
12. Click Set as primary and then read the warning and save your change. Click Save.
13. You should be signed out automatically, but if not click on the top right corner of Holly Dickson’s
profile icon and click Sign Out.
14. Close Internet Explorer.
15. Open Internet Explorer.
16. Sign in as Holly2@<your tenant here> with the password Pa55w.rd.
17. Click Admin.
18. If asked about update your admin contact information click on the Cancel button to skip this
request.

19. In the left-hand navigation, select the user’s icon ( ) and select Active users, click on More on
the top menu and choose Directory Synchronization.
20. Click on the Download Microsoft Azure Active Directory Connect tool. Run the download once
complete.

Task 3: Set up Azure AD Connect

1. On the Azure AD Connect setup wizard, proceed through the wizard.
2. Click on Use express settings.
3. On the Connect to Azure AD screen enter your Office 365 admin username of
Holly2@<your tenant here>.onmicrosoft.com with password Pa55w.rd and click Next.

4. On the Connect to AD DS screen enter your domain administrator ADATUM\Administrator and

password Pa55w.rd and click Next.
5. Select Continue without matching all UPN suffixes to verified domains. Click Next on the Azure
AD sign-in configuration screen.

Page 3
6. On the Ready to configure screen click the check box for Start the synchronization process when
configuration completes and click on Install.
7. Wait for the installation to complete.
8. Click on Exit.

Task 4: Validate the results of directory synchronization and

license user.
1. To verify the new user you created, on LON-CL1, open the Office 365 Admin Center in the browser
by typing https://portal.office.com/admin/default.aspx in the address bar.
2. Sign in using the following credentials: User name: holly2@<your tenant here>.onmicrosoft.com,
Password: Pa55w.rd
3. If you are connected to the previous Office 365 admin center, click that banner at the top of the
page to connect to the new Office 365 admin center.
4. Navigate to the Active Users.
5. You should now see many users that have become synced from the local Active Directory. Select
Ada Russell.
6. Edit Ada’s Product licenses as follows:
• Location = United Kingdom
• Product License = Enterprise Mobility + E5

7. Click Save. Click Close.

8. Navigate to Groups.
9. In the Groups list, select the Accounts group.
10. Click Edit to add members to the group.
11. Add Ada Russell to the Accounts group. Click Save. Click Close.

You have successfully synced local ADATUM users into Office 365, licensed the synced user Ada
Russell and joined her to the Accounts security group in Office 365.

End of lab

Page 4