Convert Synced User to In-Cloud User

Here is the scenario:

Synced ID: Specifies the immutable ID of the federated identity of the user. This should be omitted for users with standard identities.

You have local Active Directory with AAD Connect installed, which sync users and password hash to Office 365. Now you have decided to migrate the authentication from local Active Directory to Office 365 and decommission on-premises Active Directory. The purpose of this exercise to demote on-premises AD, use Office 365 as office productivity tools and Azure AD as the IDaaS.

The following are the steps to transition from on-premises “Synced Identity” to “In Cloud Identity”.

Step1: Sign into the AAD Connect Server and Sync the Delta

Start-ADSyncSyncCycle -PolicyType Delta

Step2: Turn off AAD Connect Sync

Set-MsolDirSyncEnabled -EnableDirSync $false

Step3: Transition a Single Test User from on-premises “Synced Identity” to “In Cloud Identity”.

Get-MsolUser -UserPrincipalName john.doe@domain.com | Set-MsolUser -ImmutableId $null

Step4: Remove Immutable ID of all users

Get-MsolUser | Set-MsolUser -ImmutableId $null

Step5 (Optional): Alternative Scripts

$users=Get-MSOLUser

$immutableID=$null

Foreach($user in $users)

{Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableID $immutableID}

Step5: Turn o AAD Connect Sync

Now go to local Active Directory, move user out of sync scope. In best practice when you have configured sync, you target a specific OU in active directory to sync users from, moving user to different OU will take user out of sync scope. If you have targeted the sync to all users then you have delete user from your local active directory.

Step6: Turn on AAD Connect Sync

Set-MsolDirSyncEnabled -EnableDirSync $true

Step7: Enable Force Sync if the Sync didn’t work

Import-Module ADSyn
Start-ADSyncSyncCycle -PolicyType Initial

Step8: Change the Federated Domain to Standard Domain if you have ADFS Server

Convert-MsolDomainToStandard -DomainName domain.com -WhatIf
Convert-MsolDomainToStandard -DomainName domain.com -Confim

Step9: Test SSO using Azure AD

Now, last step is to login into Office365 with the same password, it should work.
Also, you will see that in Office365 the user sync status will be shown as Incloud instead of Synced with local AD.

 

Decide on Office 365 Migration Path

Deciding on the best migration path of your users’ email to Office 365 can be difficult. Your migration performance will vary based on your network, existing messaging systems design, mailbox size, migration speed, and so on.

Office365

For migrations from an existing on-premises Exchange Server environment, you can migrate all email, calendar items, tasks and contacts from user mailboxes to Office 365. The available methods are cutover, staged, and Exchange Hybrid migrations.

For migrating third-party email to Office 365, you can configure mail flow coexistence if the third-party email provider permits then migrate the mailboxes using IMAP or cutover migration options.

Migrating from Exchange 2003 or Exchange 2007

Number of mailboxes How quickly do you want to migrate? Use
Fewer than 150 Over a weekend or a few days. Cutover
Fewer than 150 Slowly, by migrating a few users at a time. Staged
Over 150 Over a weekend or a few days. Staged
Over 150 Slowly, by migrating a few users at a time. Staged

Migrating from Exchange 2010 or Exchange 2013 or Exchange 2016 or Exchange 2019

Number of mailboxes How quickly do you want to migrate? Use
Fewer than 150 Over a weekend or a few days. Cutover
Fewer than 150 Slowly, by migrating a few users at a time. Exchange Hybrid
Over 150 Over a weekend or a few days. Exchange Hybrid
Over 150 Slowly, by migrating a few users at a time. Exchange Hybrid

Migrating from third-party email system to Office 365

Number of mailboxes How quickly do you want to migrate? Use
Fewer than 150 Over a weekend or a few days. Cutover
more than 150 Slowly, by migrating a few users at a time. IMAP with mail flow coexistence

If the mailboxes you’re migrating contain a large amount of data, you can also use Office 365 Import Service to import PST files to Office 365.

Azure AD B2B Collaboration With SharePoint Online

Azure AD B2B collaboration capabilities to invite guest users into your Azure AD tenant to allow them to access Azure AD service Azure AD B2B collaboration invited users can be picked from OneDrive/SharePoint Online sharing dialog boxes. OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their invitations and other resources such OneDrive for Business, SharePoint Online in your organization.

Azure B2B
Azure AD B2B Collaboration (Source Microsoft Corp)

Licensing Requirements for Paid Features:

The customer who owns the inviting tenant must be the one to determine how many B2B collaboration users need paid Azure AD capabilities. Depending on the paid Azure AD features you want for your guest users, you must have enough Azure AD paid licenses to cover B2B collaboration users in the same 5:1 ratio.

Extranet Collaboration.png
Contoso Corp B2B Collaboration with partners (Source Microsoft Corp)

The below guides articulate how to deploy Azure B2B functionality for SharePoint Online.

Turning on Azure AD Integrated App for Office 365

  1. Log on to Office 365 portal.office.com using your work or school account.
  2. Go to the Office 365 admin center, and from the left navigation bar, click Settings> Services & add-ins
  3. On the Integrated apps page, use the toggle to turn Integrated Apps on or off.

Add a B2B User

  1. Sign in to the Azure portal as an Azure AD administrator.
  2. In the navigation pane, select Azure Active Directory.
  3. Under Manage, select Users. Select New guest user.
  4. Under User name, enter the email address of the external user. Optionally, include a welcome message.
  5. Select Invite to automatically send the invitation to the guest user.
  6. To assign Group Permission, Under Manage, select Groups.
  7. Select a group (or click New group to create a new one). It’s a good idea to include in the group description that the group contains B2B guest users.
  8. Select Members. Add the Guest User.

Add Azure AD B2B Licenses

  1. Log on to Azure Portal.Azure.com, Navigate to Azure Active Directory
  2. To assign a license, under Azure Active Directory > Licenses > All Products, select one or more products, and then select Assign on the command bar.
  3. You can use the Users and groups blade to choose multiple users or groups or to disable service plans in the product. Use the search box on top to search for user and group names.
  4. When you assign licenses to a group, it can take some time before all users inherit the license depending on the size of the group. You can check the processing status on the Group blade, under the Licenses

Add guest users to a SharePoint Online App

  1. Sign in to the Azure portal as an Azure AD administrator. In the navigation pane, select Azure Active Directory.
  2. Under Manage, select Enterprise applications > All applications. Select the application to which you want to add guest users.
  3. On the application’s dashboard, select Total Users to open the Users and groups pane.
  4. Select Add user. Under Add Assignment, select User and groups.
  5. If the guest user already exists in the directory, search for the B2B user. Select the user, click Select, and then click Assign to add the user to the app.
  6. The guest user appears in the application’s Users and groups list with the assigned role of Default Access or Under Edit Assignment, click Select Role, and select the role you want to assign to the selected user. Click Select. Click Assign.

Turn on External Sharing for SharePoint Online

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon The app launcher icon in Office 365 in the upper-left and choose Admin to open the Office 365 admin center. (If you don’t see the Admin tile, you don’t have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. In the left pane, click sharing.
  5. Select “Allow sharing only with the external users that already exist in your organization’s directory.”
  6. You can setup additional settings such as Limits external sharing using domains, prevent external users from sharing files, External User must accept sharing invitations.

Turn on External Sharing for Specific Site Collection

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon The app launcher icon in Office 365 in the upper-left and choose Admin to open the Office 365 admin center. (If you don’t see the Admin tile, you don’t have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. Click Try the preview to open the new SharePoint admin center.
  5. In the left pane, click Site management.
  6. Locate the site that you want to update, and click the site name.
  7. In the right pane, under Sharing status, click Change.
  8. Select your option (see the following table) and click Save.

Redemption through the invitation email

If invited through a method that sends an invitation email, users can also redeem an invitation through the invitation email. An invited user can click the redemption URL in the email, and then review and accept the privacy terms.

  1. After being invited, the invitee receives an invitation through email that’s sent from Microsoft Invitations.
  2. The invitee selects Get Started in the email.
  3. If the invitee doesn’t have an Azure AD account or an MSA, they’re prompted to create an MSA.
  4. The invitee is redirected to the Review permissions screen, where they can review the inviting organization’s privacy statement and accept the terms.

Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenario to delivered email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam filter and Maiflow of your organisation. However, you may have already invested your infrastructure handle mail flow. Microsoft also accepts this situation and allow you to use your own spam filter.

The below scenario and use cases will allow you to determine how you can configure MailFlow of your organisation.

Mailbox Location MailFlow Entry Point Scenario & Usecases Recommended MailFlow Configuration  and Example MX record
Office 365 Office 365 Use Microsoft EOP

Demote or migrate all mailboxes to office 365

Use Office 365 mailboxes

MX record Pointed to Office 365

MX: domain-com.mail.protection.outlook.com

SPF:  v=spf1 include:spf.protection.outlook.com -all

 

On-premises On-prem Prepare the on-prem to be cloud ready

Build and Sync AAD Connect

Built ADFS Farm

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Third-party cloud, for example, G-Suite Both third-party and office 365 Prepare to migrate to Office 365

Stage mailbox data

MailFlow co-existance

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com include: ASPMX.L.GOOGLE.COM -all

Combination of On-premises and Office 365 On-premises Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to On-prem spam filter

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Combination of On-premises and Office 365 Third-party cloud spam filter Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to third-party cloud spam filter

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com -all

MailFlow Configuration Prerequisites:

  1. Make sure that your email server (also called “on-premises mail server”) is set up and capable of sending and receiving mail to and from the Internet.
  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid public certification authority-signed (CA-signed) certificate.
  3. Make a note of the name or IP address of your external-facing email server. If you’re using Exchange, this will be the Fully Qualified Domain Name (FQDN) of your Edge Transport server or CAS that will receive an email from Office 365.
  4. Open port 25 on your firewall so that Office 365 can connect to your email servers.
  5. Make sure your firewall accepts connections from all Office 365 IP addresses. See Exchange Online Protection IP addresses for the published IP address range.
  6. Make a note of an email address for each domain in your organisation. You’ll need this later to test that your connector is working correctly.
  7. Make sure you add all datacenter IP addresses of Office 365 into your receive connector of on-premises Exchange server

Configure mail to flow from Office 365 to your email server and vice-versa. There are three steps for this:

  1. Configure your Office 365 environment.
  2. Set up a connector from Office 365 to your email server.
  3. Change your MX record to redirect your mail flow from the Internet to Office 365.

Note: For Exchange Hybrid Configuration wizard, connectors that deliver mail between Office 365 and Exchange Server will be set up already and listed here. You don’t need to set them up again, but you can edit them here if you need to.

  1. To create a connectorExchange in Office 365, click Admin, and then click to go to the Exchange admin center. Next, click mail flow click mail flow, and click connectors.
  2. To start the wizard, click the plus symbol +. On the first screen, choose the appropriate options when creating MailFlow from Office 365 to On-premises Server
  3. Click Next, and follow the instructions in the wizard.
  4. Repeat the step to create MailFlow between On-premises to Office 365.
  5. To redirect email flow to Office 365, change the MX (mail exchange) record for your domain to Microsoft EOP, i.e. domain-com.mail.protection.outlook.com

Relevant Articles:

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Centralized MailFlow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

Migrate Office 365 Relying Party Trust to Different ADFS Farm

To migrate Office 365 Relying Party Trust from an existing ADFS Farm to new ADFS Farm, follow the step by step guide. Migrating Office 365 Relying Party Trust will incur a minor disruption to SSO environment.

Prerequisites:

  • Existing ADFS Farm with FQDN sts.domain.com
  • New ADFS Farm with FQDN sts1.domain.com
  • Existing Certificate CN=sts.domain.com or a wildcard certificate
  • New certificate with CN=sts1.domain.com
  • New public IP address for the public CNAME sts1.domain.com
  • A public CNAME record sts1.domain.com
  • An internal CNAME record sts1.domain.com

Note: keep the existing AAD Connect unless you have a requirement to build a new one.

Here are the steps:

Step1: Verify AAD Connect Configuration

  • Open AAD Connect, View Sign-in Option.
  • Check AAD Connect Wizard to make sure you did not configure “Federation with ADFS” Sign-in option. If you have done so then run AAD Connect Wizard again and replace the certificate and ADFS farm details to new ADFS server sts1.domain.com

Step2: Build ADFS and WAP Servers

Build a new ADFS farm side by side with an existing ADFS farm. It would be redundant effort to write another blog. Please follow my previous blog to deploy ADFS and WAP.

Building Multiple ADFS Farms in a Single Forest

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Branding and Customizing the ADFS Sign-in Pages

Step3: Test SSO

Log on to the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx using on-premises credentials to make sure you can single sign-on.

Step4: Gather list of existing federated domains from existing ADFS Farm

Log on to the existing primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Get-MsolDomain

Record a list of Federated Domains.

Step5: Update Office 365 RP within the new ADFS Farm

Log on to the new primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Update-MsolFederatedDomain –DomaiName “Domain.com” –SupportMultipleDomain –Confirm  Execute Update-MsolFederatedDomain Cmdlets if you have additional federated domains such as DomainB.com

GetMsolDomain

Open ADFS Management Console, Make sure Office 365 RP has been created with necessary tokens and permissions. If necessary, clone all incoming and outgoing claims and permission from previous ADFS farm to new ADFS Farm and apply to the newly created Office 365 RP.

Step6: Test SSOOnce you have completed the Step5, wait for Microsoft to update their backend Identity and Federation systems. In my previous implementation work, it took 30 minutes the change to take effect.  Sign on to portal.office.com; you will be redirected to https://sts1.domain.com to authenticate. Once you have sign-in successfully, you have completed the migration work.

Step7: New AAD Connect Server (Optional)Check step1 before running AAD Connect Wizard and reconfigure sign-in options. If you need to change sign-in options, please follow the guide to change Sign-in Option.

Relevant Articles:

Upgrading AD FS to Windows Server 2016 FBL

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Office 365 Hybrid Deployment with Multiple Active Directory Forests

This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory Forest. An organisation that utilizes an account forest and a resource forest to separate Active Directory accounts and Exchange servers in a single forest, aren’t considered as multiple AD Forest. Let’s say Company A (DomainA.com) bought Company B (DomainB.com). Company A has an Office 365 tenant with default domain domainA.onmicrosoft.com. Now Company A wishes to migrate Company B mailboxes into the Office 365 tenant but maintains the hybrid environment.

Here is the infrastructure you should consider.

AD Forest 1 AD Forest 2
On-prem Forest Corp.DomainA.com Corp.DomainB.com
Email Domain or Externally Routable NameSpace DomainA.com DomainB.com
Externally Routable Autodiscover CNAME Autodiscover.DomainA.com Autodiscover.DomainB.com
Default Domain in Office 365 Tenant domainA.onmicrosoft.com domainA.onmicrosoft.com
On-Prem Exchange Server Version Exchange 2013 SP1 or later Exchange 2013 SP1 or later
On-prem Certificate Issued by Public CA

CN= mail.DomainA.com

SAN=Autodiscover.DomainA.com

Issued by Public CA

CN= mail.DomainB.com

SAN=Autodiscover.DomainB.com

To configure a hybrid environment for a multi-forest organization, you’ll need to complete the basic steps below:

  1. Create Two-Way Trust Relationship between on-premises Corp.DomainA.com and On-premises Corp.DomainB.com if Trust relationship is not already established.
  2. Make sure you have correct public certificates for both Exchange Organisation.
  3. Build AAD Connect Server in Corp.DomainA.com Domain. AD Synchronisation occurs Corp.DomainA.com domain. you do not need to add another AAD Connect server in domainB.com domain. Run custom AAD Connect wizard and use domain filter and select both domains to sync to Azure AD.
  4. Build ADFS Farm in Corp.DomainA.com Domain. You use either AD FS or password sync to allow for a seamless user authentication experience for both domains.
  5. Add domain and verify both domains in Office 365 tenant. Setup both domain in Office tenant as an Internal Relay Domain
  6. Run Hybrid Configuration wizard in both Forest. Select both domains whilst running HCW.  For Centralized MailFlow Configuration of both domains, you must retain your existing MX record. Add EOP in your SPF record for the both domains. If you do not wish to configure Centralized MailFlow then point MX record to the EOP record of Exchange Online.

AAD Connect Recommendations:

  • Separate Topology – This topology might be the situation after a merger/acquisition or in an organization where each business unit operates independently. These forests are in the same organization in Azure AD and appear with a unified GAL.

In AAD Connect Wizard Select “Users are only once across all forests” and Mail Attribute.

  • Full Mesh- A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts between the forests.

In AAD Connect Wizard Select “Users identities exist across multiple forests” and Mail Attribute.

Hybrid with Multiple Forest  Recomendations:

  • Having a single tenant in Azure AD for an organization
  • Having a single ADD connect server for an organisation
  • Having a unique Active Directory object for an organisation. Each unique object is synced into the Azure AD for once only.
  • Having a single on-prem namespace (UPN: domainA.com, domainB.com) to match the registered domain in Azure AD.
  • Having a single namespace associated with an user or an object
  • Having all email domains registered in a single tenant
  • Having a single AAD Connect and ADFS Farm in a same forest if “Federation with ADFS” is selected in AAD Connect custom installation Wizard

Relevant Article:

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Configuring Azure ExpressRoute using PowerShell

Microsoft Azure ExpressRoute is a private connection from on-premises networks to the Microsoft cloud over a private peering facilitated by a network service provider. With ExpressRoute, you can establish a faster, low latencies and reliable connection to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. ExpressRoute is available to all continent and in all geopolitical boundaries.

ExpressRoute Circuit Connectivity Model

  • Co-located at a cloud exchange- The on-premises infrastructure is co-located in a facility with Microsoft Azure Cloud, you can order virtual cross-connections to the Microsoft cloud through the co-location provider’s Ethernet exchange. Data center providers can offer either Layer 2 cross-connections, or managed Layer 3 cross-connections between your infrastructure in the colocation facility and the Microsoft cloud.
  • Point-to-point Ethernet connections- You can connect your on-premises infrastructure to the Microsoft cloud through point-to-point Ethernet links. Point-to-point Ethernet providers can offer Layer 2 connections, or managed Layer 3 connections between your site and the Microsoft cloud.
  • Any-to-any (IPVPN) networks- You can integrate company WAN with the Microsoft cloud. IPVPN providers are typically MPLS connection between your branch offices and data centers. The Microsoft cloud can be interconnected to company WAN to make it look just like another branch office.

Key Features:

  • Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider.
  • Connectivity to Microsoft cloud services across all regions in the geopolitical region.
  • Global connectivity to Microsoft services across all regions with an ExpressRoute premium add-on.
  • Dynamic routing between your network and Microsoft over industry standard protocols (BGP).
  • Built-in redundancy in every peering location for higher reliability.
  • QoS support for Skype for Business.
  • Bandwidth starting from 50Mbps to 10Gbps

Subscription requirements:

  • A valid and active Microsoft Azure account or an active Office 365 subscription. This account is required to set up the ExpressRoute circuit. ExpressRoute circuits are resources within Azure subscriptions.

Partners Requirements:

Network requirements:

  • Redundant connectivity-Microsoft requires redundant BGP sessions to be set up between Microsoft’s routers and the peering routers, even when you have just one physical connection to a cloud exchange.
  • Routing-ExpressRoute provider needs to set up and manage the BGP sessions for routing domains. Some Ethernet connectivity provider or cloud exchange provider may offer BGP management as a value-add service.
  • NAT-Microsoft only accepts public IP addresses through Microsoft peering. If you are using private IP addresses in your on-premises network, you or your provider need to translate the private IP addresses to the public IP addresses using the NAT.
  • QoS-Skype for Business has various services (for example; voice, video, text) that require differentiated QoS treatment. You and your provider should follow the QoS requirements.
  • Network Security- consider network security when connecting to the Microsoft Cloud via ExpressRoute.

ExpressRoute Peering

  • Private peering- The private peering domain is considered to be a trusted extension of on-premises core network into Microsoft Azure. You can set up bi-directional connectivity between your core network and Azure virtual networks.
  • Public peering- In a simple terminology, the public peering is a network peering between public domain to on-premises DMZ and connect to all Azure services on their public IP addresses from company WAN without having to connect to the internet.
  • Microsoft peering- ExpressRoute provides private network connectivity to Microsoft cloud services. Infrastructure and platform services running in Azure often benefit by addressing network architecture and performance considerations. Therefore, we recommend enterprises use ExpressRoute for Azure.
  • Microsoft peering is used specifically for SaaS like Office 365 and Dynamics 365, were created to be accessed securely and reliably via the Internet. Therefore, we only recommend ExpressRoute for these applications in specific scenarios.

 Provisioning an ExpressRoute

Step1: Login and Select the subscription

Login-AzureRmAccount

Get-AzureRmSubscription

Copy the name of the subscription to be used for next command.

Select-AzureRmSubscription -SubscriptionId “Company Default”

Step2: Copy the name of the ExpressRoute Provider information to be used for next command.

Name, PeeringLocations, BandwidthsOffered, Sku

Get-AzureRmExpressRouteServiceProvider

Step3: Create new ExpressRoute

New-AzureRmExpressRouteCircuit -Name “On-premtoAzureCloud” -ResourceGroupName “ExpressRouteRG” -Location “Australia East” -SkuTier Standard -SkuFamily MeteredData -ServiceProviderName “Equinix” -PeeringLocation “Sydney” -BandwidthInMbps 200

Once you have created new ExpressRoute, you will see the below status of ExpressRoute.

NotProvisioned & Enabled, Provisioning & Enabled, Provisioned & Enabled

Step4: Record Subscription ID, service Key, Location and send this information to your ExpressRoute circuit provider to provision and activate services.

get-help New-AzureRmExpressRouteCircuit –detailed

Step5: List of All ExpressRoute and record the information for next command

Get-AzureRmExpressRouteCircuit -Name “ExpressRouteARMCircuit” -ResourceGroupName “ExpressRouteResourceGroup”

Step5: Connect a virtual network in the same subscription to a circuit

$circuit = Get-AzureRmExpressRouteCircuit -Name “MyCircuit” -ResourceGroupName “MyRG”

$gw = Get-AzureRmVirtualNetworkGateway -Name “ExpressRouteGw” -ResourceGroupName “MyRG”

$connection = New-AzureRmVirtualNetworkGatewayConnection -Name “ERConnection” -ResourceGroupName “MyRG” -Location “East US” -VirtualNetworkGateway1 $gw -PeerId $circuit.Id -ConnectionType ExpressRoute

Step6: Create Azure private peering for Azure Services

Make sure that you have the following items before you proceed with the next steps:

  • A /30 subnet for the primary and secondary link. This must not be part of any address space reserved for virtual networks.
  • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
  • AS number for peering. You can use both 2-byte and 4-byte AS numbers. You can use a private AS number for this peering. Ensure that you are not using 65515.

$ckt = Get-AzureRmExpressRouteCircuit -Name “ExpressRouteARMCircuit” -ResourceGroupName “ExpressRouteResourceGroup”

Add-AzureRmExpressRouteCircuitPeeringConfig -Name “AzurePrivatePeering” -ExpressRouteCircuit $ckt -PeeringType AzurePrivatePeering -PeerASN 100 -PrimaryPeerAddressPrefix “10.0.0.0/30” -SecondaryPeerAddressPrefix “10.0.0.4/30” -VlanId 200

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt

Get-AzureRmExpressRouteCircuitPeeringConfig -Name “AzurePrivatePeering” -Circuit $ckt

Step7: Configure Azure public peering for the circuit if you require a public peering refer to the explanation section.

  • Make sure that you have the following information before you proceed further:
  • A /30 subnet for the primary and secondary link. This must be a valid public IPv4 prefix.
  • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
  • AS number for peering. You can use both 2-byte and 4-byte AS numbers.

Add-AzureRmExpressRouteCircuitPeeringConfig -Name “AzurePublicPeering” -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix “12.0.0.0/30” -SecondaryPeerAddressPrefix “12.0.0.4/30” -VlanId 100

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt

Step8: Configure Microsoft peering for the circuit if you require a public peering refer to the explanation section.

  • Make sure that you have the following information before you proceed:
  • A /30 subnet for the primary and secondaary link. This must be a valid public IPv4 prefix owned by you and registered in an RIR / IRR.
  • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
  • AS number for peering. You can use both 2-byte and 4-byte AS numbers.
  • Advertised prefixes: You must provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. You can send a comma separated list if you plan to send a set of prefixes. These prefixes must be registered to you in an RIR / IRR.
  • Customer ASN: If you are advertising prefixes that are not registered to the peering AS number, you can specify the AS number to which they are registered. This is optional.
  • Routing Registry Name: You can specify the RIR / IRR against which the AS number and prefixes are registered.

Add-AzureRmExpressRouteCircuitPeeringConfig -Name “MicrosoftPeering” -ExpressRouteCircuit $ckt -PeeringType MicrosoftPeering -PeerASN 100 -PrimaryPeerAddressPrefix “123.0.0.0/30” -SecondaryPeerAddressPrefix “123.0.0.4/30” -VlanId 300 -MicrosoftConfigAdvertisedPublicPrefixes “123.1.0.0/24” -MicrosoftConfigCustomerAsn 23 -MicrosoftConfigRoutingRegistryName “ARIN”

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt

To Upgrade the SKU from metered to unlimited. Implement the below command to upgrade ExpressRoute SKU

$ckt = Get-AzureRmExpressRouteCircuit -Name “ExpressRouteARMCircuit” -ResourceGroupName “ExpressRouteResourceGroup”

$ckt.Sku.Family = “UnlimitedData”

$ckt.sku.Name = “Premium_UnlimitedData”

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt