Are You Winning? Finding the Middle Ground for a Healthy Work–Life Balance in IT Consulting

Posted on January 15, 2026 by Alan Schmarr

If you’ve spent any time working in IT consulting, you already know this industry demands a lot from you—your time, your focus, your expertise, and sometimes your sanity. After several years working across different service companies, I’ve learned that one of the hardest skills isn’t configuring a system or solving a complex security issue… It’s learning how to say no.

We don’t like disappointing others. So instead of saying “no,” many of us default to:
“Happy to help… but can I get back to you later?”

It feels polite. It buys time.
But it still creates an expectation—and that expectation becomes your burden.

In this blog post, I want to explore the hidden cost behind the words yes, no, and maybe, especially for IT consultants. More importantly, I want to help you find a sustainable middle ground that protects your health, your relationships, and your long‑term career value.

Why Saying “Yes” Feels Natural—But Isn’t Always Healthy

As consultants, we’re conditioned to deliver. We want to grow experience, increase our market value, and be recognised as the person who gets things done. But companies also notice this… and some will happily take advantage of it.

👍 Pros of Saying Yes

Clients and colleagues love working with you.
You avoid negative perceptions or conflict.
The company saves money—no extra resources required.
If you work on commission, more work often means more income.
You may gain valuable experience, leading to future opportunities and higher salary potential.

👎 Cons of Saying Yes

Long hours become the norm.
Family time disappears—impacting relationships and even marriages.
If you’re not earning commission, you’re effectively doing unpaid work.
Quality drops when you’re stretched thin, harming your personal brand.
You prevent others (who may be underutilised) from getting work.
You lose time to upskill or stay current.
Your health suffers—stress, burnout, or worse.
Unrealistic expectations become “standard.”
Projects fail, customer relationships suffer, and it reflects on you.

When “No” Is the Healthiest Answer

Saying no doesn’t make you unhelpful—it makes you human. It sets boundaries and protects the quality of the work you do take on.

👍 Pros of Saying No

More time for family and personal life.
Higher quality deliverables.
Time to learn, grow, and improve skills.
A healthier lifestyle and stronger mental health.
More realistic expectations from employers and clients.
Better project outcomes and repeat customers.

👎 Cons of Saying No

Some people won’t like your response.
It may strain relationships with those who expect constant availability.
You might be passed over for future work by those who can’t handle boundaries.

The Trap of “Maybe”

Saying “maybe” feels safer than a direct no. But it often creates ambiguity that leads to stress on both sides.

👍 Pros of Saying Maybe

Everything is a “maybe” benefit:

Maybe you keep family time.
Maybe your work stays high quality.
Maybe you maintain reasonable expectations.
Maybe your project succeeds.

And that uncertainty is exactly the problem.

👎 Cons of Saying Maybe

Stress of giving an answer that isn’t really an answer.
Customers hear “not now” but expect “next week.”
You still end up working extra hours.
Family time still gets sacrificed.
The quality of your work still drops.
You still do unpaid work if you’re not on commission.
It still takes work away from others.
You still lose upskilling time.
Your health still suffers.
“Maybe” becomes the new expectation… also unrealistic.
Projects still fail, customers still leave.

If you look closely, the “maybe” list has nearly all the same cons as saying yes, minus the clarity.

Conclusion: How to Protect Your Career and Your Life

Achieving work–life balance as an IT consultant isn’t about choosing between yes, no, or maybe. It’s about strategic control—saying yes to the right things, no to the wrong things, and rarely using maybe at all.

Here’s how you can build a sustainable balance:

1. Set Clear Boundaries Early

People treat you based on what you allow. Set realistic expectations at the start of every project. Reinforce them.

2. Prioritise High‑Value Work

Not everything deserves your attention. Focus on tasks that grow your skills, enhance your market value, or meaningfully contribute to the project’s success.

3. Learn to Say “No, but…”

A powerful technique:

“No, I can’t take that on right now—but here’s what I can do.”

Offer alternatives: suggest timelines, other team members, or phased approaches.

4. Protect Your Non‑Work Time

Your health, family, and personal interests matter more than any project. Block out personal time the same way you block meetings.

5. Track your workload honestly

If you’re consistently overworked, it’s not a badge of honour—it’s a system that needs fixing.

6. Communicate openly

Clients and colleagues appreciate transparency. Clear communication avoids misunderstandings and prevents impossible workloads.

7. Remember: Your Career Is Yours—Not the Company’s

Companies benefit when you say yes. You benefit when you manage your yes carefully.

Okta AD Integration with Azure AD Domain Services

Posted on February 22, 2016 by Alan Schmarr

1. Introduction

This is a experimental article, using a existing Azure Active Directory (AD) and Azure Active Directory (AD) Domain Services deployment and integrating it with a Okta solution.

2. Preparation tasks

Azure AD
- Related Article – Getting started with Azure Active Directory Free Edition
Azure AD Domain Services
- Related Article – Azure AD Domain Services Quick Install
Azure VM domain Joined to Azure AD Domain Services
Okta Free 30 day trail
Create a Service Account in Azure AD (Okta AD agent will run under this account)

3. Assumptions

The following assumptions are made in following this article:

Windows 2012 R2 Member server of the Azure AD Domain Services
The member server has internet access
Okta free trail without any modifications made

4. Installation

4.1 Create Service Account in Azure AD

Log into Azure AD, Go to Users and Click “ADD USER“
In “Type of user“, Choose “New user in your organization“
In “User Name”, Use company Service Account Name convention e.g. okta
In “First Name“, “Last Name” and “Display Name“, Enter Okta
In “Role”, Choose “User”
Create a temporary password, and document the password for next step.
Go to http://portal.office.com, Login as the new user and set the password.
The default password expiry is set on the account and should be disabled by using Azure AD PowerShell.

4.2 Okta AD Agent Install

Please follow theses steps for integrating Azure AD Domain services with Okta:

Log onto the Domain joined Server that will run the Okta Agent
Go to your okta administrator url e.g. https://<Company>-admin.okta.com/admin/dashboard
On the top navigation bar, go to Security, Authentication
Click “Configure Active Directory“
Click, “Set Up Active Directory“
Click, “Download Agent“
Once the agent is finished downloading, run the installation.
In the Welcome screen, Click “Next“
Choose the path for the installation and click “Install“
In The Domain field, enter company domain and click “Next” e.g. schmarr.com
Choose “Use an alternate account that I specify“
Enter username and password and click “Next“
At Okta AD agent Proxy Configuration, Click “Next“
At Register Okta AD Agent, Choose Production and in “Enter Subdomain” add company name.
Click “Next“
Sign in with your Okta Admin Account
Click “Allow Access“
Agent Installed, Click “Next”
As an Example choose the following in “Basic Setting“
Click “Next“
Click “Next“
In “Select the attributes to build your Okta User profile“, Click “Next“
Done

Conclusion

The ability to add SaaS applications in Azure AD and Okta, Azure AD being the Identity store for both.

Integrate SharePoint with Azure AD

Posted on February 17, 2016 by Alan Schmarr

1. Introduction

This article will show the quick configuration tasks, that are required to make Azure AD a trusted identity provider for a SharePoint 2013 installation.

2. Assumptions

The following assumptions are made during this article:

General knowledge of the technologies discussed in this article
A SharePoint 2013 instance is available
- Related article: Quick install guide for SharePoint foundation 2013
SharePoint Instance is using SSL
- Related article: AD CS install guide for Azure AD Domain services
A Azure AD instance is available
- Related article: Getting started with Azure active directory free edition
All tasks will be done from the SharePoint Server
The SharePoint Server have unlimited internet access
Permissions required:
- securityadmin on the SQL instance
- db_owner on the SQL instance
- Administrators group on the server
- Global Administrator for Azure AD
In this example the following will be used in the article (Please change to reflect own implementation):
- Namespace name: “Company”
- SharePoint 2013 Url: “https://sharepoint.company.com”

3. Preparation

Before starting with the article the following needs to be in place:

Azure AD PowerShell tools installed, look here for more details.

4. Configuration

The configuration will be broken into the following sections:

Azure AD configuration
SharePoint configuration
Assigning Users

4.1 Azure AD Configuration

Follow these tasks to document the Azure AD WS-Federation metadata URL for later use:

In the Azure Management Portal (Classic), Click Active Directory.
Click on the Azure AD that will be integrated with SharePoint 2013
Click Applications
On the bottom bar, Click View Endpoints
Document the Federation metadata document url for later use

Follow these tasks to create / configure the namespace in Azure AD :

In the Azure Management Portal (Classic), Click Active Directory.
Click Access Control Namespaces, and create a new namespace and called it “Company”
Click Manage on the bottom bar. This should open https://company.accesscontrol.windows.net/v2/mgmt/web.
Click Identity Providers, Click Add
Click WS-Federation identity provider, click Next.
In Displayname enter, “Company”
In Login link Text enter, “Company”
In WS-Federation metadata, choose URL and enter the URL that was documented in tasks above Example: https://accounts.accesscontrol.windows.net/company.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
Click Save
Click Relying party applications, then click Add
Enter the following in each field:
1. Name: “Company SharePoint”
2. Realm: “urn:sharepoint:company”
3. Token format: SAML 1.1
4. Token lifetime (secs) default is 600: Recommended value is 2 hours
Click Save
Click Rule Groups, and then Add
Click Generate
Click Add
Fill in all the fields as illustrated below:
Click Save
Delete the existing claim rule named upn

Extract the X.509 certificate from Azure Access Control for later use

In the Access Control Service pane, under Development, click Application integration.
In Endpoint Reference, locate the Federation.xml that is associated with your Azure tenant, and then copy the location in the address bar of a browser.
In the Federation.xml file, locate the RoleDescriptor section, and copy the information from the <X509Certificate> element, as illustrated in the following figure.
from the root of drive C:\, create folder named Certs
Save the X509Certificate information using notepad to the folder C:\Certs and name the file ACS.cer
Run the following PowerShell commands:
1. “Connect-MsolService”
2. “Import-Module MSOnlineExtended -Force”
3. $replyUrl = New-MsolServicePrincipalAddresses -Address “https://company.accesscontrol.windows.net”
4. “New-MsolServicePrincipal -ServicePrincipalNames @(“https://company.accesscontrol.windows.net”) -DisplayName “Company ACS Namespace” -Addresses $replyUrl”

4.2 SharePoint 2013 Configuration

Follow these steps to configure Azure AD as the identity provider for SharePoint 2013:

From the Start menu, click All Programs.
Click Microsoft SharePoint 2013 Products.
Click SharePoint 2013 Management Shell
Run the following PowerShell commands:
1. $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\Certs\ACS.cer”)
2. New-SPTrustedRootAuthority -Name “Token Signing Cert Parent” -Certificate $root
3. $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\Certs\ACS.cer”)
4. New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert
5. $map1 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming
6. $map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname” -IncomingClaimTypeDisplayName “GivenName” -SameAsIncoming
7. $map3 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname” -IncomingClaimTypeDisplayName “SurName” -SameAsIncoming
8. $map4 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming
9. $realm = “urn:sharepoint:company”
10. $signInURL = “https://company.accesscontrol.windows.net/v2/wsfederation”
11. $ap = New-SPTrustedIdentityTokenIssuer -Name “ACS Provider” -Description “SharePoint secured by SAML in ACS” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 -SignInUrl $signInURL -IdentifierClaim “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”
Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

In Central Administration, on the home page, click Application Management.
On the Application Management page, in the Web Applications section, click Manage web applications.
Click the appropriate web application.
From the ribbon, click Authentication Providers.
Under Zone, click the name of the zone. For example, Default.
On the Edit Authentication page, in the Claims Authentication Types section, select Trusted Identity provider, and then click the name of your provider, which for purposes of this article is ACS Provider. Click OK.
The following figure illustrates the Trusted Provider setting.

The Trusted Provider setting in a web app

4.3 Assigning Users

Use the following steps to set the permissions to access the web application.

In Central Administration, on the home page, click Application Management.
On the Application Management page, in the Web Applications section, click Manage web applications.
Click the appropriate web application, and then click User Policy.
In Policy for Web Application, click Add Users.
In the Add Users dialog box, click the appropriate zone in Zones, and then click Next.
In the Add Users dialog box, type user2@company.onmicrosoft.com (ACS Provider).
In Permissions, click Full Control.
Click Finish, and then click OK.

Conclusion

Azure AD is the trusted identity provider for SharePoint 2013, and Azure AD users will be able to authenticate and use SharePoint 2013 resources.

External Links

Some good extra reading articles:

Quick Install Guide For SharePoint Foundation 2013

Posted on February 15, 2016 by Alan Schmarr

1. Introduction

This quick install guide will assist in installing SharePoint foundation 2013 server to address certain technical / business requirements. This type of installation will have some limitations and might not be fit for production deployments.

2. Preparation Tasks

The following preparation tasks will be required before starting the SharePoint 2013 Foundation installation:

Download SharePoint 2013 Foundation
Document SharePoint URL that users will use e.g. https://sharepoint.company.com
Acquire / Install Certificate with correct URL, example “AD CS Install Guide for Azure AD Domain Services“

3. Assumptions

The following assumptions are made during the creation of this article:

Active Directory or Azure AD Domain Services is up and running
Active Directory Member server, running windows 2012 R2
Unrestricted internet access
SSL Certificate is available for site.
Experience in SSL certificates
Access to DNS Server to create records

If using Azure AD Domain Services, changing DNS record will not be allowed.

2. Installation

The installation is broken up into two parts:

Framework installation
Configuration

2.1. Framework installation

Run the “sharepoint.exe” that was downloaded in the preparation tasks
Click “Install software prerequisites“
Click “Next“
Check “I accept the terms of the License Agreement(s)“
Click “Next”

The process will install all required roles and software, during the installation the server will be reboot twice, logon with the same user account that was used to continue installation.
Run the “sharepoint.exe” that was downloaded in the preparation tasks
Click “Install SharePoint Foundation“
Choose “Stand-alone” installation
Click “Install Now“
Check “Run the SharePoint Products Configuration Wizard now.“
On the Welcome Screen, Click “Next“
On warning dialog, Click “Yes“
Click “Finish“

2.2 Configuration

Once the steps above have completed, SharePoint foundation will be installed and running. Users will be able to connect to the default SharePoint Team Site, by using http://<servername> URL.

To change the default URL to the required URL, follow these steps:

Import SSL certificate into local computer store
Open “SharePoint 2013 Central Administration“
Under “System Settings“, Click “Configure alternate access mappings“
Click “Edit Public URLs“
In “Alternate Access Mapping Collection:” list, choose “SharePoint – 80“
In “Default“, Change http://<servername> to https://<newURL> e.g. https://sharepoint.company.com

IIS Manager Configuration

The following task should be done on IIS Manager to allow the configuration changes:

Open “Internet Information Services (IIS) Manager” console
Go to <SERVERNAME>\Sites\, click “SharePoint – 80“
On the right hand site, click “Bindings…“
Click “Add…“
In Type, choose “HTTPS“
In Host name, enter the new dns address e.g. sharepoint.company.com
In SSL certificate, choose the imported SSL certificate
Click “OK“
Remove “http” binding
Click “Close“

User’s should be able to use the new secure URL to access the SharePoint team site. e.g. https://sharepoint.company.com

P.S. Make sure to include the new URL into user Internet Explorer local intranet zones

Conclusion

Basic SharePoint 2013 foundation team site will be running and available for business, the solution will be using windows internal database and have some limitations.

AD CS Install Guide For Azure AD Domain Services

Posted on February 15, 2016 by Alan Schmarr

1. Introduction

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

Azure AD domain Services allows limited access to the Active Directory instance for administrators, only a standalone Certificate Authority (CA) deployment will be possible.

More information about AD CS can be found here.

2. Assumptions

The following assumptions are made during the creation of this article:

Azure AD Domain Services is up and running
Active Directory Member sever, running windows 2012 R2
Experienced in Microsoft Certificate Authority
Experienced in Active Directory

3. Installation

Please follow the instruction below to install a Standalone CA:

Disclaimer:

This is a quick and basic installation and should be evaluated if it meet business and security requirements.

Run the following PowerShell Command as Administrator
1. “Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment -IncludeManagementTools“
Run the following PowerShell command as Administrator
1. “Install-AdcsCertificationAuthority -CAType StandaloneRootCa“
Run the following Powershell command as Administrator
1. “Install-AdcsWebEnrollment“

4. Configuration

After the completion of section 3, the AD CS service should be up and running with default configuration. Here is some recommendation for making the AD CS more secure and a production ready service.

Steps to import the Root CA as trusted authority for all domain joined Servers/ machines.

Download Root CA:
1. Go to http://<Servername>/certsrv
2. Click “Download a CA certificate, Certificate chain, or CRL”
3. Click “Download CA certificate”
4. Save the file for next steps
Open Group Policy Management (Follow below to install Group Policy Management on a Member Server)
1. Run the following PowerShell Command as Administrator
  1. “Install-WindowsFeature GPMC“
Edit “AADDC Computers GPO“
Go to “Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities” section
Import the Root CA into the section above
Close the Group Policy
To allow the group policy to take affect:
1. reboot member servers, or
2. run “gpudpate /force” as administrator

5. Conclusion

Azure AD domain Services domain joined servers will be able to install and trusted the new standalone CA Certificates.

Azure AD Domain Services Quick Install

Posted on February 12, 2016February 12, 2016 by Alan Schmarr

Introduction

Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy domain controllers, more detail can be found here.

This article show quick way to install and configure Azure AD Domain Services, other options might be required for a production deployment and not highlighted in this article.

At the time of writing this article most of the configuration will be done in Azure Portal (Classic), Microsoft is planning to move everything to the new Azure portal.

Assumptions

The following assumptions are made in this article:

Functional Azure AD – A quick guide can found here
Access to Azure Subscription

Preparation Tasks

The following preparation tasks will be required before starting the installation process below:

Document the Azure Virtual Network address range (default address range is 10.0.0.0/16)

Installation

This section will be divided into the following sections:

Create Azure Resources
1. Azure Virtual Network
2. Create “AAD DC Administrators Group“
3. Azure AD Domain Service
4. Configure Azure Virtual Network DNS Servers

To create all the required Azure resources, please follow the steps below:

1. Azure Virtual Network

Go to https://manage.windowsazure.com
Click “+ NEW”
Click “Network Services“, “Virtual Network” and then click “Custom Create“
In Name, enter required network name
Choose correct Location
On Page 2, leave DNS servers empty for now
On Page 3, enter the required Address space range and Subnets for the network
Click check mark to create network

2. Create ‘AAD DC Administrators’ Group

To allow users to manage Azure AD Domain Services, you’ll first need to create a group in Azure AD called ‘AAD DC Administrators’ and add all the users that should have admin rights.

For more detailed tasks, please have a look here.

3. Azure AD Domain Services

Go to https://manage.windowsazure.com/
On the left Menu find, “ACTIVE DIRECTORY“
Click on the required Azure AD in the list provided
Click “CONFIGURE” tab
Scroll down and find “domain services” section
Change “ENABLE DOMAIN SERVICES FOR THIS DIRECTORY” to “YES“
Change “DNS DOMAIN NAME OF DOMAIN SERVICES” to required suffix
Choose the network that was create in steps above for “CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK“
Click “Save“
The creation might take a bit of time to complete, once completed DNS server IP addresses will be provided for use in the created Virtual Network. (Please follow steps below to finish Virtual Network configuration)

3. Configure Azure Virtual Network DNS Servers

Go to https://manage.windowsazure.com/
On the left Menu find, “ACTIVE DIRECTORY“
Click on the required Azure AD in the list provided
Click “CONFIGURE” tab
Scroll down and find “domain services” section
Document the IP Addresses in “IP ADDRESS” section for next steps
On Left hand menu, Choose “NETWORKS“
Open the network that was created and have been enabled for Azure Domain Services
Click “CONFIGURE“
In the “dns servers” section, enter the two dns servers documented in previous step
Click “SAVE“

Before using Azure AD domain services, please follow this guide to enable password synchronization.

Conclusion

By the end of this guide Azure AD domain services will be functional with the ability to domain join Azure Virtual machines.

Filtering on Azure AD Connect

Posted on February 11, 2016 by Alan Schmarr

Introduction

This article will add a filter for Azure AD Connect for only syncing user accounts that have a valid email address. Additional options may be required by the organization and more detail can be found here.

Preparation Tasks

The following tasks should be completed before starting the process:

Azure AD Connect is installed and configured – see “Getting Started with Azure AD Free Edtion“
Administrator Access for Azure AD Connect Server

Adding the Filter

The following tasks should be preformed on the Azure AD Connect Server:

Disable scheduled task

To disable the scheduled task which will trigger a synchronization cycle every 3 hours, follow these steps:

Start Task Scheduler from the start menu.
Directly under Task Scheduler Library find the task named Azure AD Sync Scheduler, right-click and select Disable.
You can now make configuration changes and run the sync engine manually from the synchronization service manager console.

After you have completed all your filtering changes, don’t forget to come back and Enable the task again.

Open “Synchronization Rules Editor“
Click “Inbound“
Find “In From AD – User Join” rule, click “Edit“
Click “Yes“
In “Precedence“, enter “500“
Click “Next“
Only include user that a have email address
1. Click “Add clause“
2. Attribute Field choose “mail“
3. Operator field choose “ISNOTNULL“
Add Company email domain (Optional – checking if user have a email address solves most cases)
1. This rule assumes you only have one email domain, will not work for multi-domain
2. Click “Add clause“
3. Attribute Field choose “mail“
4. Operator field choose “ENDSWITH“
5. Value enter “<email>.<domain-name>”
Apply and Verify changes
Enable Scheduled task

Conclusion

Completion of this article, the organization will only sync user accounts that have a valid email address into Azure AD.

Getting Started with Azure Active Directory Free Edition

Posted on February 9, 2016 by Alan Schmarr

Introduction

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.

More in-depth detail about Azure AD can be found here.

The article illustrate the registration process and the essential configuration tasks for Azure AD free edition for use of organization internal users. (Future posts will look at other scenarios)

Preparation tasks

The follow preparation tasks will be required:

Have a Microsoft account ready to use for sign-up;
1. Generate a Microsoft account by going here;
2. Follow the on-screen wizard and complete sign-up;
A credit Card – This will only be used for verification and not be charged unless you explicitly upgrade to a paid offer;
Optional – External Domain Name e.g. schmarr.com to integrate into Azure AD;
1. P.S. You’ll need to be able to create TXT records in the external domain.

Installation

Registration

Please follow theses steps in registering your free Azure subscription that will host Azure AD:

Go to the following url: https://azure.microsoft.com/en-us/trial/get-started-active-directory/;
Click on “Create a free Azure Account”;
Click “Start Now”;
Fill in the form and submit;
The subscription will take up to 4 minutes to be created.
Once the process is complete you should see the following screen:

AzureADFree-ScreenShot1

By now a default Azure AD is already created, skip “Create Azure AD” section if default instance shouldn’t be used.

Create Azure AD (Optional)

Follow the these steps to create a new Azure AD:

In the left corner click on the “+ New” icon
Click “Security + Identity”
Click “Active Directory”
It will re-direct to the Azure Classic portal (This might change in the future)
You will get the following Wizard
Fill in the form and click the check to create the Azure AD

Essential Azure AD Configuration

At this point Azure AD is fully functional, with the following constraints:

Manual process is required for creating user accounts (GUI, PowerShell or CSV import);
User passwords will not be in-sync with their network passwords;
Usernames at this stage will be <username>@<AzureADName>.onmicrosoft.com;
- Users will be required to remember their usernames. (Most users find it difficult remember their password);

Follow my Essential Azure Configuration guide here if you want to address the constraints mentioned above.

Conclusion

After completion of this guide, Azure AD free edition will available and be functional with available features.

Essential Azure AD Configuration

Posted on February 9, 2016 by Alan Schmarr

Introduction

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.

More in-depth detail about Azure AD can be found here.

a fresh Azure AD installation will have the following constraints:

Usernames at this stage will be <username>@<AzureADName>.onmicrosoft.com;

Users will be required to remember usernames. (Most users find it difficult remember their passwords);
Manual process is required for creating user accounts (GUI, PowerShell or CSV import);
User passwords will not be in-sync with their network password;

This article will only focus in addressing the constraints above, with the least possible effort. More complex options are available and will depend on security & business requirements.

Configuration / Installation

Each optional tasks below should be followed chronological order to address the constraints above.

1. Add Email Domain (Optional)

This step should be done first before proceeding with step 2.

Only one Azure AD can own the organization email domain and Microsoft will not allow registering the email domain into another Azure AD Subscriptions.

Follow these steps to allow usernames to be the same as the organization email address:

Go to https://manage.windowsazure.com
On the left menu click “Active Directory”
Open your new create Azure AD, you should see the following screen:
Click “Domain” Tab
Click “ADD A CUSTOM DOMAIN”, the following wizard will appear:
Enter company domain name, example: “schmarr.com”, click “add”
On Page 2, will have the TXT record that should be created in the company domain external DNS service. Please see example:
Once the DNS TXT record is created, Click “verify” (Please allow DNS replication to complete up to 48 hours)
Change the user accounts manually to reflect user emails addresses

For automating user creation and password sync, please proceed to step 2.

2. Automate Account creation in Azure AD (Optional)

It is recommended that step 1 should be completed first, otherwise all users account will be created with system created domain name e.g. “<username>@<AzureADName>.onmicrosoft.com”

Assumptions / Requirements

The following assumptions are made in this section:

Internal Active Directory up and running
Windows 2012 R2 Member server of the Active Directory, ready to install Azure AD Connect
The member server has internet access
Active Directory userPrincipalName(UPN) reflects the user’s mail address
- This assumption is in most cases are a challenge for most organizations and the following options are available:
  - Run the Azure AD Connect (Steps below is expert install) in advanced mode and choose “mail” attribute instead of userPrincipalName(UPN) – Easy fix;
  - Fix the UPN to be the same as email address, here is a microsoft tool that can assist;
Azure AD
A Active Directory enterprise administrator account
global admin account is created with default domain context e.g. admin@<AzureADName>.onmicrosoft.com

Azure AD Configuration

Go to https://manage.windowsazure.com
On the left menu click “Active Directory”
Open your new create Azure AD, you should see the following screen:
Click “DIRECTORY INTEGRATION” Tab
Click “ATIVATED”, then click “SAVE”

Azure AD Connect Installation

The following tasks will be completed on the domain member server.

Download Azure AD Connect from Here
Run the downloaded setup file on the Windows 2012 R2 member server
Click “Continue”
Click “Use express settings”
Enter your Azure AD Admin username e.g. admin@<AzureADName>.onmicrosoft.com and password
Click “Next”
Enter the Active Directory Enterprise Admin account and password
Click “Next”
Click “Install”

Once the installation is complete all user accounts will be created in Azure AD automatically with the current user email address. Password synchronization will also be automatically enabled.

Advanced installation will allow disabling password sync if not required.

Conclusion

User will be now be able to login into Azure AD using exiting email address and network password.

ADFS 2016 Technical Preview 4 Install Guide

Posted on February 1, 2016 by Alan Schmarr

Introduction

Microsoft is in the process of releasing a new version of Windows Server 2016, with this new release it will include and new version of ADFS.

In this article I will be only focusing on the installation process of ADFS 2016 preview (The easy bit), future guides will have more focus on integration.

Here is also some related reading material from my previous posts:

Group Managed Service Accounts – This is highly recommended for all ADFS implementations. This article was written on 2012 but still relevant for 2016.

My Lab

The lab is running in Microsoft Azure, the following relevant services for ADFS 2016 is running in this lab:

Active Directory – Single Forest, Single Domain
- OS – Windows 2012 R2
- Server Name – DC2012R2
PKI Certificate Server running on the domain controller (Not a recommended for production)
ADFS 2016 Backend Server
- OS – Windows 2016 Technical Preview 4
- Server Name – S2016PR4ADFS01
ADFS 2016 Web Applications Proxy Server
- OS – Windows 2016 Technical Preview 4
- Server Name – S2016PR4PRX01

Preparation

All ADFS implementation will require the following high-level preparation tasks before starting with the installation: (Microsoft has a well documented checklist that should be follow)

Split Brain DNS – This allows internal users to resolved the ADFS URL to the Internal ADFS backend servers. Info can be found here.
DNS records
- External DNS
  - A Record – adfs2016.schmarr.com
    - Point to Web Application Proxy Server external IP
  - A Record – enterpriseregistration.schmarr.com
    - Point to Web Application Proxy Server external IP
  - A Record – certauth.adfs2016.schmarr.com
    - Point to Web Application Proxy Server external IP
- Internal DNS
  - A record – adfs2016.schmarr.com
    - Point to ADFS 2016 backend server internal IP
  - A Record – enterpriseregistration.schmarr.com
    - Point to ADFS 2016 backend server internal IP
  - A Record – certauth.adfs2016.schmarr.com
    - Point to ADFS 2016 backend Server internal IP
ADFS features – ADFS has additional feature which needs to be consider before proceeding in acquiring the required certificate for encryption. e.g. workplace join have some additional requirements for the certificate, Read more about workplace join here.
Certificate – All ADFS communication between the client and ADFS is encrypted, so the certificate should be trusted by all parties. A External Certificate is advised.
- In this article a internal certificate was used.
- Lab SSL Certificate attributes:
  - Subject Name (CN): adfs2016.schmarr.com
  - Subject Alternative Name (DNS): adfs2016.schmarr.com
  - Subject Alternative Name (DNS): enterpriseregistration.schmarr.com
Group Managed Service Account – how-to
- Enable Managed Service Accounts (On Domain Controller running 2012 R2 or higher)
- ADFSGmsa
  - Powershell command – “New-ADServiceAccount ADFSGmsa -DNSHostName adfs2016.schmarr.com -ServicePrincipalNames http/adfs2016.schmarr.com”
Topology – Choose the correct topology to fit business requirements. More information about topologies can be found here.
- Stand-Alone Federation Server using WID (Windows Internal Database) will be used in this article.
  - Gotcha – Limit memory usage for WID

Installation

ADFS 2016 backend server installation

Install the required SSL certificate.
1. Here is a guide for requesting a SAN certificate for internal PKI or External certificate provider.
3. Additional information for the “certauth” url can be found here
Install Active Directory Federation Services role on server
1. Powershell command – “Install-windowsfeature adfs-federation –IncludeManagementTools“
2. Get the 2012 R2 wizard options from here
Configure Active Directory Federation Services
1. Powershell command – “Install-AdfsFarm -CertificateThumbprint ff236398ad5b51b9dd427cf819e6586b43d2009b -FederationServiceName adfs2016.schmarr.com -GroupServiceAccountIdentifier AS\ADFSGmsa$“
2. Get the 2012 R2 wizard options from here
Limit WID memory usage
1. Install SQL Management Studio Express – Download from here
2. Open admin Command prompt – “osql -E -S \.pipeMICROSOFT##WID“
3. Enter the following commands
  1. exec sp_configure ‘show advanced option’, ‘1’;
  2. reconfigure;
4. To check current config:
  1. exec sp_configure;
  2. go
5. Reconfigure to use 2GB
  1. exec sp_configure ‘max server memory’, 2048;
  2. reconfigure with override;
  3. go
  4. quit
6. Restart the Windows Internal Database service
7. Optional – Uninstall SQL Management Studio Express
Testing Installation
1. Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $true“
2. Go to the following url https://adfs2016.schmarr.com/adfs/ls/IdpInitiatedSignOn
  1. User should be able to sign-in from domain joined machine on the internal network
  2. User should be able to sign-in from non domain joined machine on the internal network
3. Optional – Disabled IdPInitiatedSignonPage
  1. Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $false“

ADFS 2016 Web Application Proxy Server installation

Export the certificate from the ADFS backend server with private key
Import into computer store of Web Application proxy server
Install Web Application Proxy Role
1. Powershell Command – “Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools“
2. Get the 2012 R2 wizard options from here
Configure Web Application Proxy Role
1. Powershell Command – “Install-WebApplicationProxy –CertificateThumbprint ‘‎ff236398ad5b51b9dd427cf819e6586b43d2009b’ -FederationServiceName adfs2016.schmarr.com“
2. Get the 2012 R2 wizard options from here
Testing Installation
1. On ADFS backend Server run Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $true“
2. Go to the following url https://adfs2016.schmarr.com/adfs/ls/IdpInitiatedSignOn
  1. User should be able to sign-in from domain joined machine on the external network
  2. User should be able to sign-in from non domain joined machine on the internal network
3. Optional – Disabled IdPInitiatedSignonPage
  1. Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $false“

Conclusion

This article demonstrated installing ADFS 2016 preview 4 in a Stand-Alone Federation Server using WID topology.

	Alan Schmarr on Okta AD Integration with Azure…
	Randi on Okta AD Integration with Azure…
	Christian Oyson on Okta AD Integration with Azure…
	Alan Schmarr on Okta AD Integration with Azure…
	cl4ms on Okta AD Integration with Azure…

	Alan Schmarr on Okta AD Integration with Azure…
	Randi on Okta AD Integration with Azure…
	Christian Oyson on Okta AD Integration with Azure…
	Alan Schmarr on Okta AD Integration with Azure…
	cl4ms on Okta AD Integration with Azure…