Category On-premises integration

In this chapter, you learned how to evaluate passwordless sign-in options for your organization and deploy the ones that best suit your needs. Some passwordless options, such as Windows Hello or FIDO2 keys, may require specialized hardware such as cameras, USB devices, or fingerprint readers, while the Microsoft Authenticator app method requires only the Microsoft Authenticator app on any supported Android or iOS-based device.

You also learned about deploying features such as self-service password reset and Azure AD password protection to further reduce administrative overhead, helping your organization comply with security policies.

In the next chapter, you’ll learn about implementing secure access in the context of Microsoft 365.

Exam Readiness Drill – Chapter Review Questions Benchmark Score: 75%

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why, working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:

https://packt.link/MS102E1_Ch05. Or, you can scan the following QR code:

Figure 5.34 – QR code that opens Chapter Review Questions for logged-in users

Once you login, you’ll see a page similar to what is shown in Figure 5.35:

Figure 5.35 – Chapter Review Questions for Chapter 5

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill
For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1
The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2
The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3 The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look like:

Table 5.4 – Sample timing practice drills on the online platform

Note
The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

Enabling SSPR is a straightforward task. Like many other features in Azure AD, it can be scoped to a group of users.

To enable SSPR, follow these steps:

1. Navigate to the Azure portal (https://portal.azure.com) and select Azure Active Directory.
2. Under Manage, select Password reset.
3. On the Properties page, as shown in Figure 5.21, click Selected if you want to be able to select one or more groups to enable SSPR. Click All if you want to enable all users for SSPR:

Figure 5.21 – Enabling self-service password reset

4. Click Save.

Now that SSPR has been enabled, you can manage and configure the features.

Managing SSPR

The SSPR service has a number of configuration options, including Authentication methods, Registration settings, Notifications options, Customization portal, and On-premises integration.
Each of those options can be configured on the Password reset configuration blade of the Azure portal.

Authentication Methods
Authentication methods are used to define how a user proves their identity, such as multifactor authentication or answering security questions. The Authentication methods page lets you select which options a user can register, as well as the number of methods needed to perform a reset. See Figure 5.22:

Figure 5.22 – Authentication methods

If you choose Security questions, additional options are configurable:

• The number of questions a user must supply when they select that option
• The number of security questions they must answer to prove their identity

You can choose up to 20 security questions from a list of predefined options or create your own security questions. Administrators are unable to pre-populate or retrieve answers to end user security
questions; users must select their own questions.

Exam Tip
Using the Office phone registration option requires an Azure AD Premium license (either P1 or P2) and can be pre-populated with a phone number in Active Directory under the telephoneNumber attribute (if using Azure AD Connect to synchronize data). Other fields that can be pre-populated for SSPR include a user’s alternate email address and mobile phone number. Alternate email does not synchronize from the on-premises Active Directory and must be set using Set-AzureADUser -OtherMails, Set-MsolUser -AlternateEmailAddresses, or Set-MgUser -OtherMails.

Registration
Options on this page allow you to configure a workflow to force users to register for SSPR the first time they log in to the Microsoft 365 portal (or any other Azure AD-backed service), as well as the interval in days in which users are asked to reconfirm their details.

Notifications
The Notifications page allows you to configure options for alerting on password changes. You can select Notify users on password resets, which sends users an email when their own password is reset via SSPR. The Notify all admins when other admins reset their password setting determines whether all Global Administrators receive a notification when any Global Administrator resets their password via SSPR.

Note
SSPR can be disabled on a per-user basis. In addition, SSPR can be disabled for administrator accounts using the Update-MgPolicyAuthorizationPolicy cmdlet. For more information, see https://learn.microsoft.com/en-us/ powershell/module/microsoft.graph.identity.signins/update-mgpolicyauthorizationpolicy.

Customization
The Customization page allows you to display a custom URL or email address for support-related requests.

Physical tokens, such as the Fast Identity Online 2 (FIDO2)-based token or security key, are another passwordless option that can be used. While the Microsoft Authenticator app is a soft token, FIDO2 tokens are physical pieces of hardware that are typically either connected to the computer (in the form of a USB device) or that communicate wirelessly (via Bluetooth or NFC).

You can access the security key logon process during a browser session by selecting the Sign in with

Windows Hello or a security key option from the sign-in page, as shown in Figure 5.5:

Figure 5.5 – Passwordless authentication dialog with a FIDO2 security token

The data flow for a FIDO2-based logon follows a similar pattern as both WHFB and the Microsoft Authenticator app. For example, to log in to a device using FIDO2, this process outlined in Figure 5.6 is followed:

Figure 5.6 – FIDO2 authentication sequence

1. The user plugs in a FIDO2 security key.
2. Windows detects the security key.
3. Windows sends an authentication request to Azure AD.
4. Azure AD responds by sending a nonce back to the logon device.
5. The user authenticates to the FIDO2 key, unlocking the secure storage area containing the private key.
6. The FIDO2 key signs the nonce with the private key and sends it to Windows.
7. Windows generates a PRT request and sends it with the signed nonce to Azure AD.
8. Azure AD verifies the signed nonce with the FIDO2 device’s public key.
9. Azure AD returns the PRT to the logon device.

FIDO2, like Windows Hello, has specific requirements for supported hardware.

Supported FIDO2 Security Tokens

You can see an up-to-date list of supported FIDO2 security keys or tokens here: https:// learn.microsoft.com/en-us/azure/active-directory/authentication/ concept-authentication-passwordless#fido2-security-key-providers.

As you’ve seen from the diagrams, each of the passwordless options (Windows Hello, Microsoft Authenticator App, and FIDO2) follows a similar authentication workflow, based on public key infrastructure.

Comparison

Now that you have explored the different passwordless options available for Microsoft 365, let’s look at some information that will help you choose the appropriate solution. Table 5.1 describes some basic features and requirements for each authentication scheme.

Table 5.1 – Authentication method comparison table

It’s also important to consider the various end user scenarios that your organization utilizes to ensure you’re recommending an appropriate mechanism based on your real-world use cases. Table 5.2 describes a few example scenarios:

Table 5.2 – Passwordless logon scenarios

With that information in hand, it’s time to look at the implementation aspects.

In addition to gathering and reporting information for your on-premises AD and synchronization services, Azure AD Connect Health also supports AD FS.

To get the most out of Azure AD Connect Health for AD FS, you’ll need to enable auditing, which involves three steps:

1.Ensure the AD FS farm service account has been granted the Generate security audits right in the security policy (Local Policies | User Rights Assignment | Generate security audits).

2. From an elevated command prompt, run the following command: auditpol.exe /set / subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable.

3. On the AD FS primary farm server, open an elevated PowerShell prompt and run the following command: Set-AdfsProperties -AuditLevel Verbose.

Then, you can deploy the agents to your servers.

After deploying the agents to your federation and proxy servers, you will see information reported in the Azure AD Connect Health portal by selecting AD FS services under the Active Directory Federation Services section, as shown in Figure 4.21:

Figure 4.21 – Azure AD Connect Health for AD FS

In addition to diagnostic information, the health services for AD FS can also provide usage analytics and performance monitoring, as well as failed logins and information regarding risky sign-ins. See Figure 4.22:

Figure 4.22 – Azure AD Connect Health for AD FS overview

Azure AD Connect Health is a valuable premium service that can help you keep on top of the health and performance aspects of your hybrid identity deployment.

Troubleshooting Azure AD Connect Synchronization

While things normally operate smoothly, there may be times when objects become misconfigured, or services go offline unexpectedly. You can troubleshoot common issues with Azure AD Connect’s built-in troubleshooting tool.

To launch the troubleshooting tool, follow these steps:

1.Launch the Azure AD Connect configuration tool on the desktop of the server where Azure AD Connect is installed.

2. Click Configure.

3. On the Additional tasks page, select Troubleshoot and then click Next.

4. On the Welcome to AADConnect Troubleshooting page, select Launch, as shown in Figure 4.23:

Figure 4.23 – Launching the AADConnect Troubleshooting tool

5. Select the appropriate troubleshooting option from the menu shown in Figure 4.24:

Figure 4.24 – AADConnect Troubleshooting menu

The AADConnect Troubleshooting tool provides several specific troubleshooters, such as diagnosing attribute or group membership synchronization, password hash synchronization, as well as service account permissions.

Most object or attribute troubleshooting routines will require the errored object’s distinguished name to continue.

Further Reading

For more information on the tests that can be performed by the AADConnect Troubleshooting tool, see https://learn.microsoft.com/en-us/azure/active-directory/ hybrid/tshoot-connect-objectsync.

Configuring and Managing Directory Synchronization by Using Azure AD Connect Cloud Sync

Azure AD Connect Cloud Sync (rebranded as Microsoft Entra Cloud Sync) is a new synchronization platform that allows you to manage directory synchronization from the Azure portal. Depending on your organization’s goals and environments, Azure AD Connect Cloud Sync can be a lightweight, flexible option that allows you to begin directory synchronization quickly.

Exam Tip

To perform the installation, you’ll need either Domain Admin or Enterprise Admin credentials to the on-premises Active Directory forest so that the installer can create the group Managed Service Account (gMSA). You’ll also need an account that has either the Global Administratoror Hybrid Identity Administrator roles in Azure AD.

Microsoft recommends configuring a unique identity in Azure AD with the Hybrid Identity Administrator role for Azure AD Connect Cloud Sync.

Another way to prevent objects from being synchronized to Azure AD is using an attribute filter. This advanced method requires creating a custom synchronization rule in the Azure AD Connect Synchronization Rules Editor.

To create an attribute-based filtering rule, select an attribute that isn’t currently being used by your organization for another purpose. You can use this attribute as a scoping filter to exclude objects. The following procedure can be used to create a simple filtering rule:

1.On the server running Azure AD Connect, launch the Synchronization Rules Editor.

2. Under Direction, select Inbound and then click Add new rule. See Figure 4.11:

Figure 4.11 – Synchronization rules editor

3. Provide a name and description for the rule.

4. Under Connected System, select the object that represents your on-premises Active Directory forest.

5. Under Connected System Object Type, select user.

6. Under Metaverse Object Type, select person.

7. Under Link Type, select Join.

8. In the Precedence text field, enter an unused number (such as 50) , as shown in Figure 4.12. Click Next.

Figure 4.12 – Creating a new inbound synchronization rule

9. On the Scoping filter page, click Add group and then click Add clause.

10. Under Attribute, select extensionAttribute1 (or whichever unused attribute you have selected).

11. Under Operator, select EQUAL.

12. In the Value text field, enter NOSYNC, as shown in Figure 4.13 and then click Next.

Figure 4.13 – Configuring a scoping filter for extensionAttribute1

13. On the Join rules page, click Next without adding any parameters.

14. On the Transformations page, click Add transformation.

15. Under FlowType, select Constant.

16. Under Target Attribute, select cloudFiltered.

17. In the Source text field, enter the value True. Click Add.

Figure 4.14 – Adding a transformation for the cloudFiltered attribute

18. Acknowledge the warning that a full import and synchronization cycle will be required by clicking OK. See Figure 4.15:

Figure 4.15 – Warning for full import and synchronization

After modifying the synchronization rule, a full import and full synchronization is required. You don’t have to perform any special steps, however; Azure AD Connect is aware of the update and will automatically perform the necessary full imports and synchronizations.

Monitoring Synchronization by Using Azure AD Connect Health

Azure AD Connect Health is a premium feature of the Azure AD license. Azure AD Connect Health has separate agent features for Azure AD Connect, Azure AD Health for Directory Services (DS), and Azure AD Health for AD FS.

In this chapter, you learned how to deploy identity synchronization and authentication solutions. You learned how to configure filtering for both Azure AD Connect and Azure AD Connect Cloud Sync, as well as deploying and managing the health agents for diagnostic and troubleshooting.

The next chapter will discuss methods to manage authentication.

Exam Readiness Drill – Chapter Review Questions

Benchmark Score: 75%

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why, working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to thestart of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:

https://packt.link/MS102E1_CH04. Or, you can scan the following QR code:

Figure 4.35 – QR code that opens Chapter Review Questions for logged-in users

Once you login, you’ll see a page similar to what is shown in Figure 4.36:

Figure 4.36 – Chapter Review Questions for Chapter 4

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill

For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1

The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2

The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3

The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip

You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look like:

Table 4.4 – Sample timing practice drills on the online platform

Note

The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

If you need to exclude objects from Azure AD Connect’s synchronization scope, you can do that through a number of different methods:

• Domain and organizational unit-based filtering

• Group-based filtering

• Attribute-based filtering

Let’s quickly examine these.

Domain and Organizational Unit-Based Filtering

With this method, you can deselect large portions of your directory by modifying the list of domains or organizational units that are selected for synchronization. While there are several ways to do this, the easiest way is through the Azure AD Connect setup and configuration tool:

1.To launch the Azure AD Connect configuration tool, double-click the Azure AD Connect icon on the desktop of the server where Azure AD Connect is installed. After it launches, click Configure.

2. On the Additional tasks page, as shown in Figure 4.8, select Customize synchronization options and then click Next.

Figure 4.8 – Additional tasks page

3. On the Connect to Azure AD page, enter credentials for either the Global Administrator or Hybrid Identity Administrator role and click Next.

4. On the Connect your directories page, click Next.

5. On the Domain and OU filtering page, as shown in Figure 4.9, select the Sync selected domains and OUs radio button and then select or clear objects to include or exclude from synchronization.

Figure 4.9 – Azure AD Connect Domain and OU filtering page

6. Click Next.

7. On the Optional features page, click Next.

8. On the Ready to configure page, click Configure.

After synchronization is completed, verify that only objects from in-scope organizational units or domains are present in Azure Active Directory.

Group-Based Filtering

Azure AD Connect only supports the configuration of group-based filtering if you choose to customize the Azure AD Connect setup. Group-based filtering is not available if you perform an express installation.

If you’ve chosen a custom installation, you can choose to limit the synchronization scope to a single group. On the Filter users and devices page of the configuration wizard, select the default radio button, Synchronize all users and devices, to continue without group filtering. You can also choose the Synchronize selected radio button and then enter the name or distinguishedName (DN) of a group that contains the users and devices to be synchronized.

Figure 4.10 – Filter users and devices page

With group-based filtering, only direct members of the group are synchronized. Users, groups, contacts, or devices nested inside other groups are not resolved or synchronized.

Note

Microsoft recommends group-based filtering for piloting purposes only.

You can browse the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth. From there, you will be able to view basic details about your environment as well as obtain agent installation packages. See Figure 4.16:

Figure 4.16 – Azure Active Directory Connect Health

While Azure AD Connect Health Agent for Sync is included in the Azure AD Connect installation, the health agents for DS and AD FS are separate installations and must be downloaded separately:

• Azure AD Connect Health Agent for DS: https://go.microsoft.com/fwlink/?LinkID=820540

• Azure AD Connect Health Agent for AD FS: https://go.microsoft.com/fwlink/?LinkID=518973

If you do not have AD FS deployed in your environment, you do not need to deploy the AD FS agents.

Azure AD Connect Health for Sync

The core health product, Azure AD Connect Health for Sync, shows the current health of your synchronization environment, including object synchronization problems and data-related errors.

You can view the health status and identified errors by selecting Sync errors under Azure Active Directory Connect (Sync) in the Azure AD Connect Health portal (https://aka.ms/aadconnecthealth), as shown in Figure 4.17:

Figure 4.17 – Azure AD Connect Health Sync errors

Selecting an error type will allow you to drill down into individual errors. Figure 4.18 shows an example where Azure AD Connect Health has detected two objects with the same address:

Figure 4.18 – Azure AD Connect Health error details

You can use this information to identify and troubleshoot on-premises objects.

Azure AD Connect Health for Directory Services

Microsoft recommends deploying Azure AD Connect Health for DS agents on all domain controllers you want to monitor, or at least one for each domain.

The Azure AD Connect Health agent deployment is relatively straightforward, asking only for credentials to complete the installation. Once the installation is complete, you can review details about your domain controller’s health in the Azure AD Connect Health portal at https://aka. ms/aadconnecthealth.

From the Azure AD Connect Health page, under Active Directory Domain Services, select AD DS services, as shown in Figure 4.19, and then select a domain to view its details:

Figure 4.19 – Azure AD Connect Health AD DS services

The health services agents display a variety of details about the environment, including replication errors, LDAP bind operations, NTLM authentication operations, and Kerberos authentication operations. See Figure 4.20:

Figure 4.20 – Azure AD Connect Health for DS detail page

Errors that are detected here should be resolved in your on-premises AD environment.

In order to complete the Azure AD Connect Cloud Sync deployment, you’ll need to set up a new configuration in the Azure portal:

1.Navigate to the Azure portal (https://portal.azure.com) and select Active Directory | Azure AD Connect.

2. Select Cloud sync from the navigation menu, and then on the Configurations tab, select New configuration.

3. On the New cloud sync configuration page, select which domains you would like to synchronize to Azure AD. If desired, select the Enable password hash sync checkbox. The password hash sync checkbox on this page only enables the feature—it does not configure password hash sync as a sign-in method. See Figure 4.30.

Exam Tip

Azure AD Connect Cloud Sync does not support using password hash sync for

InetOrgPerson objects.

Figure 4.30 – Creating a new Azure AD Connect Cloud Sync configuration

4. Scroll to the bottom of the page and click Create to complete the basic configuration.

The Azure AD Connect Cloud Sync configuration has been completed but it is not yet enabled and ready to start provisioning users. In the next series of steps, you can customize the service before fully enabling it.

Customizing the Provisioning Service

Like the on-premises Azure AD Connect service, Azure AD Connect Cloud Sync features the ability to perform scoping (including or excluding objects from synchronization) as well as attribute mapping.

After creating a new configuration, you should be redirected to the properties of the configuration, as shown in Figure 4.31:

Figure 4.31 – Provisioning agent overview page

From this page, you can set up the scoping filters and attribute mappings for customizing your environment. By default, Azure AD Connect Cloud Sync will include all objects in the connected forest and domains for synchronization.

Scoping Filters

By selecting Scoping filters under Manage, you can configure which objects should be synchronized to Azure AD. You can specify a list of security groups or select organizational units, but not both. See Figure 4.32:

Figure 4.32 – Azure AD Connect Cloud Sync scoping filters

There are a few important caveats when using scoping filters with Azure AD Connect Cloud Sync:

• When using group-based scoping, nested objects beyond the first level will not be included in the scope

• You can only include 59 separate OUs or security groups as scoping filters

It’s also important to note that using security groups to perform scoping is only recommended for piloting scenarios.

Before you begin the installation, you should make sure that the server where the provisioning agent will be installed can communicate with the various Azure AD services. Table 4.3 highlights ports and URLs that are required for the cloud sync agent to function correctly:

Endpoint	Port/Protocol	Description
*.msappproxy.net	443/HTTPS	Azure Application Proxy cloud
*.servicebus.windows.net		service endpoints
crl3.digicert.com	80/HTTP	Certificate Revocation List
crl4.digicert.com		(CRL) endpoints
ocsp.digicert.com
crl.microsoft.com
oneocsp.microsoft.com
ocsp.msocsp.com

Endpoint	Port/Protocol	Description
login.windows.net	443/HTTPS	Agent configuration and registration
secure.aadcdn.
microsoftonline-p.com
*.microsoftonline.com
*.microsoftonline-p.com
*.msauth.net
*.msauthimages.net
*.msecnd.net
*.msftauth.net
*.msftauthimages.net
*.phonefactor.net
enterpriseregistration.
windows.net
management.azure.com
policykeyservice.dc.ad.
msft.net
ctldl.windowsupdate.com
www.microsoft.com/pkiops
ctldl.windowsupdate.com	80/HTTP	Agent configuration and registration

Table 4.3 – Required endpoints for Azure AD Connect Cloud Sync service

To begin configuring Azure AD Connect Cloud Sync, follow these steps:

1.Log on to a server where you wish to install the Azure AD Connect Cloud Sync provisioning agent.

2. Navigate to the Azure portal (https://portal.azure.com) and select Active Directory | Azure AD Connect.

Figure 4.25 – Azure AD Connect in the Azure portal

3. From the navigation menu, select Cloud Sync.

4. Under Monitor, select Agents.

5. Select Download on-premises agent.

Figure 4.26 – Download on-premises agent for Azure AD Connect Cloud Sync

6. On the Azure AD Provisioning Agent flyout, select Accept terms & download to begin the download.

7. Open the AADConnectProvisioningAgentSetup.exe file to begin the installation.

8. Agree to the licensing terms and click Install to deploy the Microsoft Azure AD Connect provisioning package.

9. After the software installation is complete, the configuration wizard will launch. Click Next on the splash page to begin the configuration.

10. On the Select Extension page, choose the HR-driven provisioning (Workday and SuccessFactors) / Azure AD Connect Cloud Sync radio button and click Next. See Figure 4.27:

Figure 4.27 – Azure AD Connect Cloud Sync Select Extension page

11. On the Connect Azure AD page, click Authenticate to sign in to Azure AD.

12. On the Configure Service Account page, select the Create gMSA radio button to instruct the setup process to provision a new gMSA. Enter either Domain Admin or Enterprise Admin credentials and click Next. See Figure 4.28:

Figure 4.28 – Configure Azure AD Connect Cloud Sync service account

13. On the Connect Active Directory page, click Add Directory and provide the domain credentials to add the directory to the configuration. When finished, click Next. See Figure 4.29:

Figure 4.29 – Adding a directory to Azure AD Connect Cloud Sync

14. Review the details on the Agent configuration page and click Confirm to deploy the provisioning agent. When finished, click Exit.

After the agent has been deployed, you will need to continue the configuration in the Azure AD portal.