Module 1

Administer Identity
 Configure Azure Active Directory

Configure User and Group Accounts

Administer
Identity
Introduction
Configure Azure Active Directory
 Describe Azure Active Directory Benefits and Features

Describe Azure AD Concepts

Compare AD DS to Azure Active Directory

Configure Select Azure AD Editions

Azure Active
Directory Implement Azure AD Device Identities
Introduction
Implement Self-Service Password Reset
Describe Azure Active Directory Benefits and Features

A cloud-based suite of
identity management
capabilities that enables you
to securely manage access to
Azure services and resources
for your users

Provides application
management, authentication,
device management, and
hybrid identity
Benefits and features

• Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single sign-on to cloud and
on-premises applications. SSO includes Microsoft 365 and thousands of SaaS applications such as Salesforce, Workday,
DocuSign, ServiceNow, and Box.

• Works with iOS, macOS, Android, and Windows devices. Users can launch applications from a personalized web-based
access panel, mobile app, Microsoft 365, or custom company portals using their existing work credentials. The experience is
the same on iOS, macOS, Android, and Windows devices.

• Protect on-premises web applications with secure remote access. Access your on-premises web applications from
everywhere and protect with multifactor authentication, conditional access policies, and group-based access management.
Users can access SaaS and on-premises web apps from the same portal.

• Easily extend Active Directory to the cloud. You can connect Active Directory and other on-premises directories to Azure
Active Directory in just a few steps. This connection means a consistent set of users, groups, passwords, and devices across
both environments.

• Protect sensitive data and applications. You can enhance application access security with unique
identity protection capabilities. This includes a consolidated view into suspicious sign-in activities and
potential vulnerabilities. You can also take advantage of advanced security reports, notifications,
remediation recommendations, and risk-based policies.

• Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as
resetting passwords and the creation and management of groups to your employees. Providing
self-service application access and password management through verification steps can reduce
helpdesk calls and enhance security.
Describe Azure AD Concepts
Concept Description

Identity An object that can be authenticated

Account An identity that has data associated with it

Azure AD account An identity created through Azure AD or another Microsoft cloud service
A dedicated and trusted instance of Azure AD, a Tenant is automatically created when
your organization signs up for a Microsoft cloud service subscription

Azure AD • Additional instances of Azure AD can be created

tenant/directory • Azure AD is the underlying product providing the identity service
• The term Tenant means a single instance of Azure AD representing a single
organization
• The terms Tenant and Directory are often used interchangeably

Azure subscription Used to pay for Azure cloud services

Compare AD DS to Azure Active Directory
Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-
based applications by using HTTP and HTTPS communications.

REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through
LDAP. Instead, Azure AD uses the REST API over HTTP and HTTPS.

Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use

Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-
Federation, and OpenID Connect for authentication (and OAuth for authorization).

Federation Services. Azure AD includes federation services, and many third-party services
(such as Facebook).

Flat structure. Azure AD users and groups are created in a flat structure, and there are no
Organizational Units (OUs) or Group Policy Objects (GPOs).
Select Azure Active Directory Editions
Feature Free Microsoft 365 Apps Premium P1 Premium P2
Directory Objects 500,000 objects No object limit No object limit No object limit
Single Sign-On Unlimited Unlimited Unlimited Unlimited
Core Identity and Access X X X X
B2B Collaboration X X X X

Identity & Access for O365 X X X

Premium Features X X
Hybrid Identities X X
Advanced Group Access X X
Conditional Access X X
Identity Protection X
Identity Governance X
Azure Active Directory Free. Provides user and group management, on-premises directory
synchronization, basic reports, and single sign-on across Azure, Microsoft 365, and many popular
SaaS apps.

Azure Active Directory Microsoft 365 Apps. This edition is included with O365. In addition to the
Free features, this edition provides Identity & Access Management for Microsoft 365 apps including
branding, MFA, group access management, and self-service password reset for cloud users.

Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users
access both on-premises and cloud resources. It also supports advanced administration, such as
dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises
identity and access management suite) and cloud write-back capabilities, which allow self-service
password reset for your on-premises users.

Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure
Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and
critical company data. Privileged Identity Management is included to help discover, restrict, and
monitor administrators and their access to resources and to provide just-in-time access when needed.
Configure Azure AD Device Identities
Azure AD registered devices
• Supports Bring Your Own Device
• Registered devices sign-in using a
Microsoft account
• Attached to an Azure AD account
granting access to resources
• Control using Mobile Device
Management (MDM) tools like
Microsoft Intune
• OS – Windows 10+, iOS, Android,
and MacOS
Azure AD joined devices
• Intended for cloud-first or cloud-
only organizations
• Organization-owned devices
• Joined only to Azure AD -
organizational account required
• Can use Conditional Access policies
• OS – Windows 10+ devices
Hybrid Azure AD joined devices
• You have Win32 apps deployed to
these devices using Active Directory
machine authentication
• You want to continue to use Group
Policy to manage the device
• You want to use existing image
solutions to deploy devices
• OS - Windows 7+ devices
Implement Self-Service Password Reset

1. Determine who can use self-service

password reset
1
2
3

2. Choose the number of authentication

methods required and the methods
available (email, phone, questions)

3. You can require users to register for

SSPR (same process as MFA)
Configure User and Group Accounts
 Create User Accounts

Manage User Accounts

Create Bulk Accounts

Configure User Create Group Accounts

and Group
Accounts Assign Licenses to Users and Groups (extra topic)
Introduction
Create Administrative Units

Summary and Resources

Create User Accounts

All users must The account is used for Each user account has additional
have an account authentication and authorization properties
Typically, Azure AD defines users in three ways:

Cloud identities. These users exist only in Azure AD. Examples are administrator accounts and
users that you manage yourself. Cloud identities can be in Azure Active Directory or an external
Azure Active Directory, if the user is defined in another Azure AD instance. When these accounts
are removed from the primary directory, they are deleted.

Directory-synchronized identities. These users exist in an on-premises Active Directory. A

synchronization activity that occurs via Azure AD Connect brings these users in to Azure. Their
source is Windows Server AD.

Guest users. These users exist outside Azure. Examples are accounts from other cloud providers
and Microsoft accounts such as an Xbox LIVE account. Their source is Invited user. This type of
account is useful when external vendors or contractors need access to your Azure resources.
Once their help is no longer necessary, you can remove the account and all of their access.
 Note: Users can also be added to Azure AD through
Microsoft 365 Admin Center, Microsoft Intune
Manage User Accounts admin console, and the CLI.

Must be Global
User profile Deleted users Sign in and audit
Administrator or User
(picture, job, contact can be restored log information
Administrator to
info) is optional for 30 days is available
manage users
Perform bulk account updates

Create the comma-separated Must be signed in as a Global

Azure AD supports bulk user
values (CSV) template you administrator or User
and group member updates
can download from the Portal administrator
Things to consider when using the template
Naming conventions. Establish or implement a naming convention for usernames, display names,
and aliases. For example, a user name could consist of last name, period, first name: ‘Smith.John@
contoso.com’.

Passwords. Implement a convention for the initial password of the newly created user. Figure out
a way for the new users to receive their password in a secure way. Methods commonly used
include generating a random password and emailing it to the new user or their manager.

Note: PowerShell is also available for bulk user uploads.

Create Group Accounts

Group Types Assignment Types

• Security groups • Assigned
• Microsoft 365 groups • Dynamic User
• Dynamic Device (Security groups only)
Create Group Accounts
Azure AD allows you to define two different types of
groups.
Security groups. Security groups are used to
manage member and computer access to shared
resources for a group of users. For example, you
can create a security group for a specific security
policy. By doing it this way, you can give a set of
permissions to all the members at once, instead
of having to add permissions to each member
individually. This option requires an Azure AD
administrator.
Microsoft 365 groups. Microsoft 365 groups
provide collaboration opportunities by giving
members access to a shared mailbox, calendar,
files, SharePoint site, and more. You can give
people outside of your organization access to
the group. Both users and admins can use
Microsoft 365 groups.
Adding members to groups
There are different ways you can assign access rights:
Assigned. Lets you add specific users to be members
of this group and to have unique permissions.
Dynamic User. Lets you use dynamic membership
rules to automatically add and remove members.
When a member's attributes change, Azure reviews
the dynamic group rules for the directory. If the
member meets the rule requirements, they're added. If
the member no longer meets the rules requirements,
they're removed.
Dynamic Device (Security groups only). Lets you
use dynamic group rules to automatically add and
remove devices. If a device's attributes change, Azure
reviews the dynamic group rules for the directory. If
the device meets the rule requirements, they're added.
If the device no longer meets the rules requirements,
they're removed.
Assign Licenses to Users and Groups

Microsoft Azure is a cloud service that provides many built-in

services for free.
• Azure AD comes as a free service
• Gain additional Azure AD functionality with a P1 or P2 license

Additional Services (like O365 are paid cloud services)

• Microsoft paid cloud services require licenses
• Licenses are assigned to those who need access to the
services
• Each user or group requires a separate paid license
• Administrators use management portals and PowerShell
cmdlets to manage licenses
Create Administrative Units

Create an administrative unit

Populate the administrative unit with Azure AD

users or groups

Create a role with appropriate permissions scoped

to the administrative unit

Azure AD Premium P1 or P2 for

Add IT members to the role each Privileged Role Administrator
or Global Administrator