Previous Post in Series: Part 3: Deploy App Service as PaaS on Azure Stack
Welcome back folks! I wasn't really planning on doing this piece for a while, but as ever, priorities shift and work streams get completed quicker than expected (yeah right, that last part can't be true).
I have a really bad habit of saying a guide will be fairly short and then going on to write War and Peace with the -Verbose flag set. However, I'm not sure even I can beef this one up, as it really is pretty straightforward.
When putting out an Azure Stack POC, I've been setting up a VPN connection from the customer's site to the MAS-CON01 VM (using port forwarding from the Azure Stack host). I've also decided to create a separate Azure AD (AAD) directory for each POC tenant, and making that directory work as a guest tenant of Azure Stack is the purpose of this article, so let's get to it.
Prerequisites
Before we continue, this guide assumes you have control over both the tenant directory and the directory Azure Stack is installed in. If this is not the case, you'll have to work with the tenant's directory administrator to complete the consent step at the end.
NOTE: Your tenant will need VPN access to Azure Stack. In my testing, I set up a RAS server with NPS to control access policies.
We’ll be doing our configuration from the Azure Stack host, so if you’ve been following my Azure Stack POC deployment guide since the start, you can skip the next step.
Download and Import PowerShell for Azure Stack
We're going to use PowerShell to download the required files. Note that master.zip is the current tip of the AzureStack-Tools repository, not a fixed release, so what you get changes over time; for anything beyond a throwaway POC, pin to a specific release or commit and record what you deployed. With that in mind, launch an elevated PowerShell ISE console, paste in the following code and run it:

```powershell
# Change directory to the root directory
cd \
# Download the tools archive (master.zip tracks the latest commit; pin for production use)
Invoke-WebRequest `
    -Uri https://github.com/Azure/AzureStack-Tools/archive/master.zip `
    -OutFile master.zip
# Expand the downloaded files
Expand-Archive master.zip `
    -DestinationPath . `
    -Force
# Change to the tools directory
cd AzureStack-Tools-master
```
Now we're going to import the Azure Stack Connect and Identity modules. Within the same PowerShell ISE console, paste in the following code and run it:

```powershell
Import-Module .\Connect\AzureStack.Connect.psm1
Import-Module .\Identity\AzureStack.Identity.psm1
```
Create Azure Active Directory Applications
NOTE: The following step only needs to be completed once, and can be skipped when adding any guest tenant other than the first.
The following PowerShell code publishes the Azure AD applications that Azure Stack uses to Azure Resource Manager (ARM), which is what allows ARM to accept Azure AD identities at all.
Launch an elevated PowerShell ISE console, paste in the following code (modified to suit your environment) and run it.
The table below shows the expected values for the variables in the code below:
Variable | Expected Value |
---|---|
$AdminARMEndpoint | The admin ARM endpoint of your Azure Stack deployment; for the one-node POC this is https://adminmanagement.local.azurestack.external |
$AzureStackDirectoryTenant | The Azure Active Directory you installed Azure Stack into, e.g. company.onmicrosoft.com |

```powershell
$AdminARMEndpoint = "https://adminmanagement.local.azurestack.external"
$AzureStackDirectoryTenant = "company.onmicrosoft.com"
Publish-AzureStackApplicationsToARM `
    -AdminResourceManagerEndpoint $AdminARMEndpoint `
    -DirectoryTenantName $AzureStackDirectoryTenant
```
When prompted for login details, enter the credentials of a global admin of the Azure AD you installed Azure Stack into ($AzureStackDirectoryTenant), not of the guest directory.
With that done, we can move on to adding the guest tenant directory to our Azure Stack deployment, thereby telling Azure Resource Manager (ARM) to accept users and service principals from it.
Within the same PowerShell ISE console, paste the following PowerShell code, modify it for your environment and run it.
The table below shows the expected values for the variables in the code below:
Variable | Expected Value |
---|---|
$AdminARMEndpoint | The admin ARM endpoint of your Azure Stack deployment; for the one-node POC this is https://adminmanagement.local.azurestack.external |
$AzureStackDirectoryTenant | The Azure Active Directory you installed Azure Stack into, e.g. company.onmicrosoft.com |
$GuestDirectoryTenant | The tenant's Azure Active Directory name, e.g. customercompany.onmicrosoft.com |

```powershell
$AdminARMEndpoint = "https://adminmanagement.local.azurestack.external"
$AzureStackDirectoryTenant = "company.onmicrosoft.com"
$GuestDirectoryTenant = "customercompany.onmicrosoft.com"
Register-GuestDirectoryTenantToAzureStack `
    -AdminResourceManagerEndpoint $AdminARMEndpoint `
    -DirectoryTenantName $AzureStackDirectoryTenant `
    -GuestDirectoryTenantName $GuestDirectoryTenant
```
When prompted for login details, enter the credentials of a global admin of the Azure AD you installed Azure Stack into ($AzureStackDirectoryTenant) again; signing in here with a guest directory account will fail, because that account does not exist in the Azure Stack directory.
We're almost done. I said this would be a short one!
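The steps above, from importing the modules to registering the guest directory, as one script. This is an added example and not code from the original post or from AzureStack-Tools: the cmdlet names and parameters are the ones the post uses, while the $ToolsPath default (where master.zip was expanded), the -FirstTenant switch and the Resolve-AadTenantId helper are this example's own. It runs the two pre-flight checks I would want before typing global admin credentials into a prompt: that both directory names resolve to real, distinct Azure AD tenants (via the public OpenID Connect metadata, which needs no sign-in), and that the admin ARM endpoint is actually reachable from the box you are on.

```powershell
# Added example (not from the original post or AzureStack-Tools). Save as
# Register-GuestTenant.ps1 and run with -FirstTenant the first time only.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$AzureStackDirectoryTenant,   # e.g. company.onmicrosoft.com
    [Parameter(Mandatory)][string]$GuestDirectoryTenant,        # e.g. customercompany.onmicrosoft.com
    [string]$AdminARMEndpoint = "https://adminmanagement.local.azurestack.external",
    [string]$ToolsPath = "C:\AzureStack-Tools-master",          # assumption: where master.zip was expanded
    [switch]$FirstTenant                                        # Publish step is only needed once
)
$ErrorActionPreference = 'Stop'

# Resolve a directory name to its tenant GUID from Azure AD's public OpenID Connect
# metadata. The issuer has the form https://sts.windows.net/<tenant-guid>/, which is
# the same identifier AADSTS sign-in errors report as an account's "identity provider".
function Resolve-AadTenantId {
    param([Parameter(Mandatory)][string]$DirectoryName)
    $uri  = "https://login.microsoftonline.com/$DirectoryName/.well-known/openid-configuration"
    $meta = Invoke-RestMethod -Uri $uri -Method Get
    if ($meta.issuer -match '^https://sts\.windows\.net/([0-9a-f-]{36})/$') {
        return $Matches[1]
    }
    throw "Unexpected issuer '$($meta.issuer)' for directory '$DirectoryName'"
}

# 1. Both directory names must resolve, and must be two different directories.
$stackTenantId = Resolve-AadTenantId -DirectoryName $AzureStackDirectoryTenant
$guestTenantId = Resolve-AadTenantId -DirectoryName $GuestDirectoryTenant
if ($stackTenantId -eq $guestTenantId) {
    throw "'$AzureStackDirectoryTenant' and '$GuestDirectoryTenant' are the same directory ($stackTenantId)"
}
Write-Host "Azure Stack directory : $AzureStackDirectoryTenant ($stackTenantId)"
Write-Host "Guest directory       : $GuestDirectoryTenant ($guestTenantId)"

# 2. The admin ARM endpoint must be reachable (hosts file / DNS / VPN) before the
#    cmdlets ask for credentials. A TCP check sidesteps the self-signed certificate
#    errors an HTTPS probe would hit on a POC.
$armHost = ([uri]$AdminARMEndpoint).Host
if (-not (Test-NetConnection -ComputerName $armHost -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach ${armHost}:443 - check DNS/hosts entries and the VPN to the Azure Stack host"
}

# 3. Import the two modules from the expanded tools archive.
Import-Module (Join-Path $ToolsPath 'Connect\AzureStack.Connect.psm1')
Import-Module (Join-Path $ToolsPath 'Identity\AzureStack.Identity.psm1')

# 4. Run the cmdlets. Each one prompts for credentials: sign in as a global admin of
#    the Azure Stack directory ($AzureStackDirectoryTenant), not of the guest directory.
if ($FirstTenant) {
    Write-Host "Publishing Azure Stack applications to ARM (one-time step)..."
    Publish-AzureStackApplicationsToARM `
        -AdminResourceManagerEndpoint $AdminARMEndpoint `
        -DirectoryTenantName $AzureStackDirectoryTenant
}
Write-Host "Registering guest directory $GuestDirectoryTenant ..."
Register-GuestDirectoryTenantToAzureStack `
    -AdminResourceManagerEndpoint $AdminARMEndpoint `
    -DirectoryTenantName $AzureStackDirectoryTenant `
    -GuestDirectoryTenantName $GuestDirectoryTenant

# 5. What remains is the guest directory admin's consent, done in a browser.
Write-Host "Done. The guest directory's global admin must now consent at:"
Write-Host "  https://portal.local.azurestack.external/guest/signup/$GuestDirectoryTenant"
```

Run it from an elevated console on the Azure Stack host, e.g. `.\Register-GuestTenant.ps1 -AzureStackDirectoryTenant company.onmicrosoft.com -GuestDirectoryTenant customercompany.onmicrosoft.com -FirstTenant`. The tenant GUIDs it prints are worth keeping: they are what you will see in any AADSTS error if someone signs in with an account from the wrong directory.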
Configure Guest Directory
As mentioned earlier in the guide, I have control over both the Service Administrator AAD and the guest tenant AAD, so I can complete the setup without involving anyone else. In reality, it's likely that you'll need to have this step completed by the tenant's AAD administrator. Either way, the steps are the same:
From the Azure Stack host, or MAS-CON01, open a browser and navigate to the following URL, with the guest directory name appended:
https://portal.local.azurestack.external/guest/signup/<guest directory name>
e.g.
https://portal.local.azurestack.external/guest/signup/customercompany.onmicrosoft.com
When prompted, the tenant will need to sign in with the global admin credentials for their own AAD (the guest directory, this time) and click Accept on the consent prompt. This consent is what allows Azure Stack's applications to sign in users from the guest directory, so it has to be given by an administrator of that directory, not by you.

Check it out…totally logged into Azure Stack as a tenant

OK, I’m signing off now before I break my promise of this being a short guide…see you in the next one!
Where can I find the command "Publish-AzureStackApplicationsToARM"?
Hi there,
The process and PowerShell cmdlets have changed since TP3. You can find the most up-to-date instructions here:
https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-enable-multitenancy
Hi:
I tried this.
I ran this command, a window popped up, and I entered the login/password of the guest tenant directory admin. Then an error appeared in the pop-up window; it said:
Additional technical information: Correlation ID: 3c4b14a0-5569-467c-85d9-aa6c72fd9f44 Timestamp: 2017-12-14 05:09:22Z AADSTS50020: User account 'xxxx@xxxxx.onmicrosoft.com' from identity provider 'https://sts.windows.net/4c41cb64-9f6f-40ef-ab71-baf30b418d63/' does not exist in tenant 'xxxx.xxx' and cannot access the application '1950a258-227b-4e31-a9cf-717495945fc2' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Did I miss something?
Thanks!
We found the cause, and solved it. Thanks!
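An AADSTS50020 message like the one in the comment above tells you exactly which directory the signing-in account came from (the identity provider GUID) and which directory the application lives in (the "does not exist in tenant" value). The following is an added example, not part of the post or the comment thread, that pulls those identifiers out of the message and explains the mismatch against the two directories from the guide. The sample message is the already anonymised text from the comment; the Azure Stack tenant GUID in the usage at the bottom is made up for illustration, and the function names are this example's own.

```powershell
# Added example (not from the post or the comment thread): triage an AADSTS50020 error.
function Read-Aadsts50020 {
    param([Parameter(Mandatory)][string]$Message)

    # Accept straight or curly quotes: blog comments tend to smart-quote the original text.
    $q1 = "[‘']"; $q2 = "[’']"
    $pattern = "User account $q1(?<user>[^‘’']+)$q2 from identity provider " +
               "$q1https://sts\.windows\.net/(?<fromTenant>[0-9a-f-]{36})/$q2 " +
               "does not exist in tenant $q1(?<toTenant>[^‘’']+)$q2 " +
               "and cannot access the application $q1(?<app>[0-9a-f-]{36})$q2"
    if ($Message -notmatch $pattern) { return $null }
    $user = $Matches.user; $from = $Matches.fromTenant; $to = $Matches.toTenant; $app = $Matches.app
    $corr = if ($Message -match 'Correlation ID: ([0-9a-f-]{36})') { $Matches[1] } else { $null }
    [pscustomobject]@{
        User          = $user
        FromTenantId  = $from   # home directory of the account that signed in
        ToTenant      = $to     # directory that owns the application being signed in to
        ApplicationId = $app
        CorrelationId = $corr   # quote this if you open a support case
    }
}

# Map the identity-provider GUID onto the two directories from the guide.
# $StackTenantId / $GuestTenantId are the GUIDs of the Azure Stack directory and the
# guest directory respectively (visible in the Azure portal under the directory's properties).
function Test-SignInDirectory {
    param(
        [Parameter(Mandatory)]$Parsed,
        [Parameter(Mandatory)][string]$StackTenantId,
        [Parameter(Mandatory)][string]$GuestTenantId
    )
    $who = "$($Parsed.User) is an account from"
    if ($Parsed.FromTenantId -eq $GuestTenantId) {
        "$who the GUEST directory, but the prompt belonged to '$($Parsed.ToTenant)'. " +
        "The PowerShell cmdlets expect a global admin of the Azure Stack directory; " +
        "only the /guest/signup consent page expects a guest directory admin."
    } elseif ($Parsed.FromTenantId -eq $StackTenantId) {
        "$who the AZURE STACK directory, but the prompt belonged to '$($Parsed.ToTenant)'. " +
        "The /guest/signup consent page must be completed by a global admin of the guest directory."
    } else {
        "$who tenant $($Parsed.FromTenantId), which is neither the Azure Stack nor the guest directory."
    }
}

# Constructed sample: the anonymised message from the comment above.
$sample = @"
Additional technical information: Correlation ID: 3c4b14a0-5569-467c-85d9-aa6c72fd9f44 Timestamp: 2017-12-14 05:09:22Z AADSTS50020: User account 'xxxx@xxxxx.onmicrosoft.com' from identity provider 'https://sts.windows.net/4c41cb64-9f6f-40ef-ab71-baf30b418d63/' does not exist in tenant 'xxxx.xxx' and cannot access the application '1950a258-227b-4e31-a9cf-717495945fc2' in that tenant.
"@
$parsed = Read-Aadsts50020 -Message $sample
$parsed | Format-List

# Illustrative only: treat the comment's identity-provider GUID as the guest directory
# and an all-zero GUID as the Azure Stack directory.
Test-SignInDirectory -Parsed $parsed `
    -StackTenantId '00000000-0000-0000-0000-000000000000' `
    -GuestTenantId '4c41cb64-9f6f-40ef-ab71-baf30b418d63'
```

The point of the comparison is that AADSTS50020 is not a permissions problem to be fixed by adding the user as a guest of the other directory, which is what the error text suggests; in this guide it almost always means the wrong directory's admin answered a prompt, and the fix is to sign in again with an account from the directory the prompt belongs to.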