Course Slides


Azure Active Directory

Master Class
Kevin Brown
MCT (Microsoft Certified Trainer) since 2000
Azure Security Engineer
Azure Solutions Architect
Azure Administrator
M365 Enterprise Administrator
Microsoft Identity and Access Administrator
CISSP
and more….

1
What is a Master Class?

A Master Class is a course that focuses on one technology, and delivers depth into that topic.
A Master Class goes beyond what is required for certifications.
Intended for those that will become subject matter experts (SME).
This Azure Active Directory Master Class is designed for those that want a deep and immersive knowledge
of Azure Active Directory, which is at the core of Azure, Microsoft 365, Microsoft Dynamics, and other
Services.

2
Azure Active
Directory
(Azure AD)

3
Understanding Azure Active Directory
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps
your employees sign in and access resources in:

8
Who uses Azure Active Directory?

Azure AD is intended for:

IT admins: As an IT admin, use Azure AD to control access to your apps, based on your business
requirements. For example, you can use Azure AD to require multi-factor authentication when accessing
important organizational resources. Azure AD gives you powerful tools to automatically help protect user
identities and credentials and to meet your access governance requirements.
App developers: As an app developer, you can use Azure AD to add single sign-on (SSO) to your app,
allowing it to work with a user's pre-existing credentials. Azure AD also provides APIs that can help you build
personalized app experiences using existing organizational data.
Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers: As a subscriber, you're already
using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an
Azure AD tenant. You can immediately start to manage access to your integrated cloud apps.

9
Custom Domain Name

Every new Azure AD tenant comes with an initial domain name, <domainname>.onmicrosoft.com. You can't
change or delete the initial domain name, but you can add your organization's names. Adding custom
domain names helps you to create user names that are familiar to your users, such as [email protected].

Before you can add a custom domain name, create your domain name with a domain registrar.

10
A tenant represents an organization. It's a dedicated instance of Azure AD that an organization receives at
the beginning of a relationship with Microsoft. That relationship could start with signing up for Azure,
Microsoft Intune, or Microsoft 365, for example.

Each Azure AD tenant is distinct and separate from other Azure AD tenants.

11
Azure AD Licensing

•Azure Active Directory Free/ Office 365. Provides user and group management, on-premises directory
synchronization, basic reports, self-service password change for cloud users, and single sign-on across
Azure, Microsoft 365, and many popular SaaS apps.
•Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users access
both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups,
self-service group management, Microsoft Identity Manager (an on-premises identity and access
management suite) and cloud write-back capabilities, which allow self-service password reset for your on-
premises users.
•Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active
Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical
company data and Privileged Identity Management to help discover, restrict, and monitor administrators
and their access to resources and to provide just-in-time access when needed.
https://azure.microsoft.com/en-in/pricing/calculator/?service=active-directory
https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing

12
All users must have an account
The account is used for authentication and authorization
Types of users: Azure AD, Active Directory and Guest

13
Set-ExecutionPolicy RemoteSigned

Install-Module Az

Install-Module AzureAD

Connect-AzAccount

Much of the Azure Active Directory PowerShell for Graph module (AzureAD) functionality has been rolled
into the new Azure PowerShell Az module (Az), but Az is not currently (and might never be) a replacement for
the full power of what you can achieve with AzureAD.

https://docs.microsoft.com/en-us/powershell/azure/?view=azps-7.2.0
https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0

14
15
Group Types
• Security groups
• Microsoft 365 groups

Assignment Types
• Assigned
• Dynamic User
• Dynamic Device (Security groups only)

16
Self-Service Password Reset

Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or
reset their password, with no administrator or help desk involvement.

If Azure AD locks a user's account or they forget their password, they can follow prompts to unblock
themselves and get back to work.

This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an
application.

17
How do I connect devices to Azure AD?

Choice depends on who owns the data, who gets to manage the device, and what type of user identity is
being used to authenticate.

Azure AD Registered Device is for:
Personally owned, corporate enabled
Authentication to the device is with an on-prem id or personal cloud id
Authentication to corporate resources using a user id on AAD.

Azure AD Joined is for:
Corporate owned and managed devices
Authenticated using a corporate id that exists on Azure AD
Authentication is only through AAD.

Hybrid Azure AD Joined is for:
Corporate owned and managed devices
Authenticated using a corporate user id that exists at On-Prem AD & on Azure AD.
Authentication can be done using both: On-Prem AD & Azure AD.

18
Azure AD registered devices are signed in to using a local account like a Microsoft account on a Windows 10
or newer device. These devices have an Azure AD account for access to organizational resources. Access to
resources in the organization can be limited based on that Azure AD account and Conditional Access policies
applied to the device identity.

Administrators can secure and control these Azure AD registered devices using tools like Microsoft
Intune/Endpoint Manager.

*Microsoft Intune, which is a part of Microsoft Endpoint Manager, provides the cloud infrastructure, the
cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and
cloud-based PC management for your organization.

19
Azure AD Registered
Definition: Registered to Azure AD without requiring an organizational account to sign in to the device
Primary audience: Applicable to all users with the following criteria: bring your own device; mobile devices
Device ownership: User or Organization
Operating systems: Windows 10 or newer, iOS, Android, and macOS
Provisioning: Windows 10 or newer – Settings; iOS/Android – Company Portal or Microsoft Authenticator app;
macOS – Company Portal

20
Azure AD Registered
Device sign in options: End-user local credentials: Password; Windows Hello; PIN; Biometrics or pattern for
other devices
Device management: Mobile Device Management (example: Microsoft Intune); Mobile Application Management
Key capabilities: SSO to cloud resources; Conditional Access when enrolled into Intune; Conditional Access
via App protection policy; Enables Phone sign in with Microsoft Authenticator app

21
A user in your organization wants to access your benefits enrollment tool from their home PC.
Your organization requires that anyone accesses this tool from an Intune compliant device. The
user registers their home PC with Azure AD and the required Intune policies are enforced giving
the user access to their resources.

Another user wants to access their organizational email on their personal Android phone that
has been rooted. Your company requires a compliant device and has created an Intune
compliance policy to block any rooted devices. The employee is stopped from accessing
organizational resources on this device.

22
Azure AD joined devices are signed in to using an organizational Azure AD account.

Access to resources can be controlled based on Azure AD account and Conditional Access policies applied to
the device.

Administrators can secure and control Azure AD joined devices using Intune/ Microsoft Endpoint
Configuration Manager. These tools provide a means to enforce organization-required configurations like:
•Requiring storage to be encrypted
•Password complexity
•Software installation
•Software updates

*Microsoft Intune, which is a part of Microsoft Endpoint Manager, provides the cloud infrastructure, the
cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and
cloud-based PC management for your organization.

23
Azure AD Join
Definition: Joined only to Azure AD, requiring an organizational account to sign in to the device
Primary audience: Suitable for both cloud-only and hybrid organizations. Applicable to all users in an
organization
Device ownership: Organization
Operating systems: All Windows 11 and Windows 10 devices except Home editions; Windows Server 2019
Virtual Machines running in Azure (Server core isn't supported)
Provisioning: Self-service: Windows Out of Box Experience (OOBE) or Settings; Bulk enrollment; Windows
Autopilot

24
Azure AD Join
Device sign in options: Organizational accounts using: Password; Windows Hello for Business; FIDO2.0
security keys (preview)
Device management: Mobile Device Management (example: Microsoft Intune); Configuration Manager
standalone or co-management with Microsoft Intune
Key capabilities: SSO to both cloud and on-premises resources; Conditional Access through MDM enrollment
and MDM compliance evaluation; Self-service Password Reset and Windows Hello PIN reset on lock screen

25
Azure AD join can be used in various scenarios like:
•You want to transition to cloud-based infrastructure using Azure AD.
•You can’t use an on-premises domain join, for example, if you need to get mobile devices such
as tablets and phones under control.
•Your users primarily need to access Microsoft 365 or other SaaS apps integrated with Azure AD.
•You want to manage a group of users in Azure AD instead of in Active Directory. This scenario
can apply, for example, to seasonal workers, contractors, or students.
•You want to provide joining capabilities to workers who work from home or are in remote
branch offices with limited on-premises infrastructure.

26
Organizations with existing Active Directory implementations can benefit from some of the functionality
provided by Azure Active Directory (Azure AD) by implementing hybrid Azure AD joined devices.

These devices are joined to your on-premises Active Directory and registered with Azure Active Directory.

Hybrid Azure AD joined devices require network line of sight to your on-premises domain controllers
periodically. Without this connection, devices become unusable. If this requirement is a concern, consider
Azure AD joining your devices.

27
Hybrid Azure AD Join
Definition: Joined to on-premises AD and Azure AD, requiring an organizational account to sign in to the
device
Primary audience: Suitable for hybrid organizations with existing on-premises AD infrastructure. Applicable
to all users in an organization
Device ownership: Organization
Operating systems: Windows 10 or newer, 8.1 and 7; Windows Server 2008/R2, 2012/R2, 2016 and 2019

28
Hybrid Azure AD Join
Provisioning: Windows 10 or newer, Windows Server 2016 or newer – Domain join by IT and autojoin via
Azure AD Connect, or Domain join by Windows Autopilot and autojoin via Azure AD; Windows 8.1, Windows 7,
Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 – Require MSI
Device sign in options: Organizational accounts using: Password; Windows Hello for Business for Win10 and
above
Device management: Group Policy; Configuration Manager standalone or co-management with Microsoft Intune

29
Hybrid Azure AD Join
Key capabilities: SSO to both cloud and on-premises resources; Conditional Access through Domain join or
through Intune if co-managed

30
Use Azure AD hybrid joined devices if:
•You support down-level devices running Windows 7 and 8.1 (does support newer operating systems).
•You want to continue to use Group Policy to manage device configuration.
•You want to continue to use existing imaging solutions to deploy and configure devices.
•You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.

31
Choice depends on who owns the data, who gets to manage the device, and what type of user id is used to
authenticate.

Hybrid Azure AD Joined is for:
Corporate owned and managed devices
Authenticated using a corporate user id that exists at local AD & on AAD
Authentication can be done using both: On-Prem AD & Azure AD

Azure AD Joined is for:
Corporate owned and managed devices
Authenticated using a corporate id that exists on Azure AD
Authentication is only through AAD

AAD Registered Device is for:
Personally owned, corporate enabled
Authentication to the device is with a local id or personal cloud id
Authentication to corporate resources using a user id on AAD

32
Built-in Role – Description
Global Administrator: Users with this role have access to all administrative features in Azure Active
Directory
Security Administrator: Users with this role have permissions to manage security-related features in the
Microsoft 365 Security Center, Security Center, Azure Active Directory Identity Protection, Azure Information
Protection, and Office 365 Security & Compliance Center
Billing Administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors
service health
Global Reader: Users in this role can read settings and administrative information across Microsoft 365
services but can't take management actions.

33
Built-in Role – Description
Owner: Allows you to manage everything including access to resources
Contributor: Allows you to manage everything except managing access to resources
Reader: Allows you to view everything but not make any changes
User Access Administrator: Allows you to manage user access to Azure resources

34
Management groups provide a level to manage multiple subscriptions

Subscriptions provision products and services for an account

Resource groups are containers for resources that share the same life cycle

35
Admin Unit Members: Users; Groups
Usage: Delegate administration of AD resources to a specific person or role

36
The security of MFA two-step verification lies in its layered approach

Authentication methods include:
• Something you know (typically a password)
• Something you have (a trusted device that is not easily duplicated, like a phone)
• Something you are (biometrics)

37
Account Lockout – temporarily lock accounts if too many denied authentication attempts occur.

Block/Unblock Users – block specific users from being able to receive MFA requests.

Fraud Alerts – Users can report fraudulent attempts to access their resources

38
Select the users that you want to modify and enable for MFA

User states can be Enabled, Enforced, or Disabled

On first-time sign-in, after MFA has been enabled, users are prompted to configure their MFA settings

Azure MFA is included free of charge for global administrator security

39
40
Authentication methods in Azure Active Directory - OATH tokens

OATH software tokens

Software OATH tokens are typically applications such as the Microsoft Authenticator app and other
authenticator apps. Azure AD generates the secret key, or seed, that's input into the app and used to
generate each OTP.
The Authenticator app automatically generates codes when set up to do push notifications. Third-party
applications that use OATH TOTP to generate codes can also be used.

OATH hardware tokens

Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds.
Customers can purchase these tokens from the vendor of their choice.
OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token. These
keys must be input into Azure AD. Secret keys are limited to 128 characters, which may not be compatible
with all tokens. The secret key can only contain the characters a-z or A-Z and digits 2-7, and must be
encoded in Base32.
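As an added illustration (not part of the course slides), the following Python code implements the two seed rules on this slide and the OATH-TOTP algorithm behind them: it checks a vendor-supplied seed against the Base32 alphabet and the 128-character cap, then derives HMAC-SHA1 codes for the 30- or 60-second refresh periods Azure AD supports, with a drift-tolerant verifier. The sample seed is the RFC 6238 reference secret and the helper names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constraints stated on the slide for seeds uploaded to Azure AD:
# Base32 alphabet (a-z / A-Z and digits 2-7), at most 128 characters.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
MAX_SEED_CHARS = 128


def validate_seed(seed: str) -> str:
    """Return the normalised (upper-case, unpadded) seed, or raise ValueError.

    Mirrors the two rules on the slide: the character set and the 128-character cap.
    """
    cleaned = seed.strip().rstrip("=").upper()
    if not cleaned:
        raise ValueError("seed is empty")
    if len(cleaned) > MAX_SEED_CHARS:
        raise ValueError(f"seed is {len(cleaned)} characters; Azure AD accepts at most {MAX_SEED_CHARS}")
    bad = sorted({c for c in cleaned if c not in BASE32_ALPHABET})
    if bad:
        raise ValueError(f"seed contains characters outside the Base32 alphabet: {bad}")
    return cleaned


def decode_seed(seed: str) -> bytes:
    """Base32-decode a validated seed, restoring the '=' padding a vendor may have stripped."""
    cleaned = validate_seed(seed)
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 (the hash the slide says Azure AD hardware tokens use)."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: str, timestamp: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole periods since the Unix epoch.

    period=30 or period=60 matches the two refresh intervals the slide lists.
    """
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(decode_seed(seed), timestamp // period, digits)


def verify(seed: str, submitted: str, timestamp: int, period: int = 30,
           digits: int = 6, skew: int = 1) -> bool:
    """Accept a code from the current step or up to `skew` steps either side (clock drift).

    The comparison is constant-time so the verifier does not leak how many digits matched.
    """
    for step in range(-skew, skew + 1):
        expected = totp(seed, timestamp + step * period, period, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference secret "12345678901234567890", Base32-encoded,
    # the way a vendor might print a seed on a token's packing slip.
    SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("30 s code at T=59:", totp(SAMPLE_SEED, 59))
    print("60 s code at T=59:", totp(SAMPLE_SEED, 59, period=60))
    print("accepts code one step old:", verify(SAMPLE_SEED, totp(SAMPLE_SEED, 59), 59 + 30))
    try:
        validate_seed("GEZDGNBV0189")  # 0, 1, 8 and 9 are not Base32 characters
    except ValueError as err:
        print("rejected:", err)
```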

41
Authentication methods in Azure Active Directory - OATH tokens

OATH TOTP (Time-based One Time Password) is an open standard that specifies how one-time
password (OTP) codes are generated. OATH TOTP can be implemented using either software or
hardware to generate the codes. Azure AD doesn't support OATH HOTP, a different code generation
standard.

42
Microsoft Authenticator App

43
Time-based and approval-based role activation for privileged users

Just-in-time privileged access to Azure
Time-bound access to resources
Approval to activate privileged roles
Multi-factor authentication to activate any role
Justification to understand why users activate
Notifications when privileged roles are activated
Access reviews to ensure users still need roles
Audit history for internal or external audit

44
45
Azure AD Roles
Assign users to a role – users must elevate to use the privileges granted by the role
Prioritize protecting Azure AD roles that have the greatest number of permissions

Azure resources
Identify the management groups and subscriptions
Resources most vital for your organization or that host the most sensitive data

Which Azure AD roles and resources should be protected with PIM?

46
Assume breach and verify each request as though it originates from an open network

47
Each detected suspicious action is stored in a record called a risk event:

Leaked credentials
Sign in from anonymous IP addresses
Impossible travel to atypical locations
Sign in from unfamiliar locations
Sign in from infected devices
Sign in from IP addresses with suspicious activity

48
Applied to user sign-ins
Automatically respond based on a specific user’s risk level
Provide the condition (risk level) and action (block or allow)

49
Applied to all browser traffic and sign-ins using modern authentication
Automatically respond to a specific risk level
Provide the condition (risk level) and action (block or allow)
Target all policies to specific users – omit certain types of users

50
Identity management is the new control plane

Use signals to make an informed decision

Base the decision on organizational policy

Enforce the decision across resources

51
Enable organizations to recertify group memberships, application access, and privileged role assignments

Evaluate guest user access
Evaluate employee access to applications and group membership
Track reviews for compliance or risk-sensitive applications
Evaluate the role assignment of administrative users (PIM)
Premium P2 license – Global admins or User Admins

52
53
Create Emergency Accounts
Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the
*.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.

Exclude Multi-factor authentication
At least one of your emergency access accounts should not have the same multi-factor authentication
mechanism as your other non-emergency accounts.

Exclude from Conditional Access
During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one
emergency access account should be excluded from all Conditional Access policies.

54
55
As an IT administrator, you want to know how your IT environment is doing. The information about your
system’s health enables you to assess whether and how you need to respond to potential issues.
To support you with this goal, the Azure Active Directory portal gives you access to three activity logs:

•Sign-ins – Information about sign-ins and how your resources are used by your users.

•Audit – Information about changes applied to your tenant such as users and group management or updates
applied to your tenant’s resources.

•Provisioning – Activities performed by the provisioning service, such as the creation of a group in
ServiceNow or a user imported from Workday.

56
What license do I need?
The audit activity report is available in all editions of Azure AD.

Who can access it?
To access the audit logs, you need to be in one of the following roles:
•Security Administrator
•Security Reader
•Report Reader
•Global Reader
•Global Administrator

57
With the audit logs in Azure AD, you get access to records of system activities for compliance. The most
common views of this log are based on the following categories:

•User management
•Group management
•Application management

With a user-centric view, you can get answers to questions such as:
•What types of updates have been applied to users?
•How many users were changed?
•How many passwords were changed?
•What has an administrator done in a directory?

With a group-centric view, you can get answers to questions such as:
•What are the groups that have been added?
•Are there groups with membership changes?
•Have the owners of a group been changed?
•What licenses have been assigned to a group or a user?

58
The identity secure score is a percentage that functions as an indicator for how aligned you are with
Microsoft's best practice recommendations for security. Each improvement action in identity
secure score is tailored to your specific configuration.

The score helps you to:
•Objectively measure your identity security posture
•Plan identity security improvements
•Review the success of your improvements

You can access the score and related information on the identity secure score dashboard. On this dashboard,
you find:
•Your identity secure score
•A comparison graph showing how your Identity secure score compares to other tenants in the same industry
and similar size
•A trend graph showing how your Identity secure score has changed over time
•A list of possible improvements

59
Every 48 hours, Azure looks at your security configuration and compares your settings with the
recommended best practices. Based on the outcome of this evaluation, a new score is calculated for your
directory. It’s possible that your security configuration isn’t fully aligned with the best practice guidance
and the improvement actions are only partially met. In these scenarios, you will only be awarded a portion
of the max score available for the control.

Each recommendation is measured based on your Azure AD configuration. If you are using third-party
products to enable a best practice recommendation, you can indicate this configuration in the settings of
an improvement action. You also have the option to set recommendations to be ignored if they don't
apply to your environment. An ignored recommendation does not contribute to the calculation of your
score.

60
To address - You recognize that the improvement action is necessary and plan to address it at some point in
the future. This state also applies to actions that are detected as partially, but not fully completed.

Planned - There are plans in place to complete the improvement action.

Risk accepted - Security should always be balanced with usability, and not every recommendation will work
for your environment. When that is the case, you can choose to accept the risk, or the remaining risk, and
not enact the improvement action. You won't be given any points, but the action will no longer be visible in
the list of improvement actions. You can view this action in history or undo it at any time.

Resolved through third party and Resolved through alternate mitigation - The improvement action has
already been addressed by a third-party solution. You'll gain the points that the action is worth, so your
score better reflects your overall security posture. Keep in mind, Microsoft will have no visibility into the
completeness of implementation if the improvement action is marked as either of these statuses.

61
Application management in Azure Active Directory (Azure AD) is the process of creating, configuring,
managing, and monitoring applications in the cloud. When an application is registered in an Azure AD tenant,
users who have been assigned to it can securely access it. Many types of applications can be registered in
Azure AD.

Develop, add, or connect – You take different paths depending on whether you're developing your own
application, using a pre-integrated application, or connecting to an on-premises application.

Manage access – Access can be managed by using single sign-on (SSO), assigning resources, defining the
way access is granted and consented to, and using automated provisioning.

Secure the application – Manage configuration of permissions, multifactor authentication (MFA), conditional
access, tokens, and certificates.

Govern and monitor – Manage interaction and review activity using entitlement management and reporting
and monitoring resources.

62
Develop, add, or connect
There are several ways that you might manage applications in Azure AD. The easiest way to start managing
an application is to use a pre-integrated application from the Azure AD gallery. Developing your own
application and registering it in Azure AD is an option, or you can continue to use an on-premises application.

63
Pre-integrated applications
Many applications are already pre-integrated (shown as “Cloud applications” in the image above) and can be
set up with minimal effort. Each application in the Azure AD gallery has an article available that shows you
the steps required to configure the application.

Your own applications
If you develop your own business application, you can register it with Azure AD to take advantage of the
security features that the tenant provides.

On-premises applications
If you want to continue using an on-premises application, but take advantage of what Azure AD offers,
connect it with Azure AD using Azure AD Application Proxy. Application Proxy can be implemented when you
want to publish on-premises applications externally. Remote users who need access to internal applications
can then access them in a secure manner.

64
Manage access
To manage access for an application, you want to answer the following questions:

How is access granted and consented for the application?
Does the application support SSO?
Which users, groups, and owners should be assigned to the application?
Are there other identity providers that support the application?
Will it be helpful to automate the provisioning of user identities and roles?

65
1. Add the application
2. Assign the user
3. Enable single sign-on
4. Register the application
5. Configure SAML settings

66
67
68
69
An access package is a list of resources like Groups, Apps, and Sites, along with the roles a user needs for
those resources.
There is a policy included in the access package with rules for who can access the package.

70
Time-limited access
Manager approval -or- Delegated Role / Identity
Manage access without IT
Cross organization collaboration

71
72
73
74
75
Understanding the types of Active Directory Services

76
Service: Azure Active Directory
Authentication: Includes SAML, OpenID Connect (based on OAuth), WS-Federation
Structure: Tenants
What it's used for: Internet-based services and applications like Office 365, Azure services, and third-party
SaaS applications

Service: Active Directory Domain Services
Authentication: Kerberos, NTLM
Structure: Forests, domains, organizational units
What it's used for: Authentication and authorization for on-premises printers, applications, file services,
and more

77
Use your corporate credentials and passwords
High availability and simple deployment experience
Integrated with Azure AD
NTLM and Kerberos authentication

78
Integrate your on-premises directories with Azure Active Directory

Provides a common identity for your users for Office 365, Azure, and SaaS applications integrated with
Azure AD

There are several authentication options to enable hybrid identity

79
Password Hash Synchronization (PHS) can synchronize an encrypted version of the password hash for user
accounts

Pass-through authentication (PTA) authenticates the username and password with the on-premises domain
controllers

AD FS is the Microsoft implementation of an identity federation solution that uses claims-based
authentication

80
Password hash synchronizes user passwords from on-premises Active Directory to cloud-based Azure AD

Sign into Azure AD services using the on-premises password

Improve the productivity of your users and reduce your helpdesk costs

81
Supports user sign-in into all web browser-based applications and into Microsoft Office client applications
Is a free feature and can be enabled via Azure AD Connect
Is not only for user sign-in but allows an organization to use other Azure AD features – MFA and
Self-Service Password Reset

82
Use Password Writeback to configure Azure AD to write passwords back to your on-premises Active Directory

A component of Azure AD Connect

Available to subscribers of Premium Azure Active Directory editions

Removes the need to set up and manage an on-premises SSPR solution

83
Alternate method to integrate your on-premises directories with Azure Active Directory

Uses the Azure AD cloud provisioning agent

Runs stand-alone or along-side Azure AD Connect

84
