
Module 1 - Manage Identity and Access - Azure AD


Azure Active Directory (Azure AD) 28/04/2021, 5:09 PM

Azure Active Directory (Azure AD)

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management
service. For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business
partners single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365, Salesforce, DropBox,
and Concur.

For application developers, Azure AD lets you focus on building your application by making it fast and simple to
integrate with a world class identity management solution used by millions of organizations around the world.

Identity management capabilities and integration

Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device
registration, self-service password management, self-service group management, privileged account management,
role-based access control, application usage monitoring, rich auditing and security monitoring, and alerting. These
capabilities can help secure cloud-based applications, streamline IT processes, cut costs, and help assure corporate
compliance goals are met.

Additionally, Azure AD can be integrated with an existing Windows Server Active Directory, giving organizations the
ability to leverage their existing on-premises identity investments to manage access to cloud based SaaS
applications.

Azure AD Editions
Azure Active Directory comes in four editions—Free, Microsoft 365 Apps, Premium P1, and Premium P2. The Free
edition is included with an Azure subscription. The Premium editions are available through a Microsoft Enterprise
Agreement, the Open Volume License Program, and the Cloud Solution Providers program. Azure and Microsoft 365
subscribers can also buy Azure Active Directory Premium P1 and P2 online.

Feature                                               Free        Microsoft 365 Apps   Premium P1   Premium P2
Directory Objects                                     500,000     Unlimited            Unlimited    Unlimited
Single Sign-On                                        Unlimited   Unlimited            Unlimited    Unlimited
Core Identity and Access Management                   X           X                    X            X
Business to Business Collaboration                    X           X                    X            X
Identity & Access Management for Microsoft 365 apps               X                    X            X
Premium Features                                                                       X            X
Hybrid Identities                                                                      X            X
Advanced Group Access Management                                                       X            X
Conditional Access                                                                     X            X
Identity Protection                                                                                 X
Identity Governance                                                                                 X

https://www.skillpipe.com/api/2.1/content/urn:uuid:a8812c50-6d9…806a-0305dc39651f@2021-04-09T06:15:29Z/OEBPS/Text/1463755.xhtml Page 1 of 2
cu cu
me me
da n t da n t
No
Azure Active nc belo
un Directory
No nc belo
un on-premises
au ch82 nFree gs – Provides user and group management, au ch82 ngsdirectory synchronization,
tho single to
@ sign-on t o to apps.
basic reports, and riz g D across Azure, Microsoft 365, and many hpopular riz
@ SaaS
g D
ed mai anie ed mai anie
co l.c l Ch c l .co l
Azure Active DirectorypMicrosofties om 365 onApps - This edition is included with O365.pIn
o
iesaddition m C tohothe
ng Free
all g . a .
features, this edition provides oIdentity
we & Access Management for Microsoft 365 apps including l l ow branding, MFA,
d! ed
!
group access management, and self-service password reset for cloud users.

Azure Active Directory Premium P1 - In addition to the Free features, P1 also lets your hybrid users access
both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-
service group management, Microsoft Identity Manager (an on-premises identity and access management suite)
and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

Azure Active Directory Premium P2 - In addition to the Free and P1 features, P2 also offers Azure Active
Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company
data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access
to resources and to provide just-in-time access when needed.

The Azure Active Directory Pricing page has detailed information on what is included in each of the editions.

Based on the feature list, which edition does your organization need?
Note: If you are a Microsoft 365, Azure or Dynamics CRM Online customer, you might not realize that you are
already using Azure AD. Every Microsoft 365, Azure and Dynamics CRM tenant is already an Azure AD tenant.
Whenever you want, you can start using that tenant to manage access to the thousands of other cloud applications
Azure AD integrates with.

There is an Azure Active Directory Admin Center.



Azure AD vs AD DS

Azure AD is different from AD DS

Although Azure AD has many similarities to AD DS, there are also many differences. It is important to realize that
using Azure AD is different from deploying an Active Directory domain controller on an Azure virtual machine and
adding it to your on-premises domain. Here are some characteristics of Azure AD that make it different.

Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based applications by
using HTTP and HTTPS communications.

REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead,
Azure AD uses the REST API over HTTP and HTTPS.

Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication.
Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for
authentication (and OAuth for authorization).

Authentication Services. Include SAML, WS-Federation, or OpenID.

Authorization Service. Uses OAuth.

Federation Services. Azure AD includes federation services, and many third-party services (such as Facebook).

Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organizational Units
(OUs) or Group Policy Objects (GPOs).

The following table summarizes the differences:

Azure Active Directory                                    Active Directory Domain Services
Cloud                                                     On-Premises
Designed for HTTP & HTTPS                                 Query via LDAP
Queried via REST APIs                                     Uses Kerberos for authentication
Uses SAML, WS-Federation, or OpenID for authentication    Federated Services
Uses OAuth for authorization                              Organizational Units (OUs)
Includes federation services                              Group Policy (GPOs)
Flat structure

Azure AD is a managed service. You only manage the users, groups, and policies. Deploying AD DS with virtual
machines using Azure is an IaaS deployment, meaning that you manage the deployment, configuration, virtual
machines, patching, and other backend tasks.


Azure AD Administrator Roles

Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-
privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning
administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default
user permissions can be changed only in user settings in Azure AD.

Limit use of Global administrators

Users who are assigned to the Global administrator role can read and modify every administrative setting in your
Azure AD organization. By default, the person who signs up for an Azure subscription is assigned the Global
administrator role for the Azure AD organization. Only Global administrators and Privileged Role administrators can
delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the
fewest possible people in your organization.
! !
As a best practice, we recommend that you assign this role to fewer than five people in your organization. If
you have more than five admins assigned to the Global Administrator role in your organization, here are some ways
to reduce its use.
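The "fewer than five" guidance above is easy to check automatically. The Python script below is an added example (not part of the course material): it reads a Microsoft Graph response for `GET /directoryRoles?$expand=members`, counts the Global Administrator holders, and flags guests and non-user principals in that role. The payload, names and addresses are constructed.

```python
"""Report on Global Administrator role holders.

Added example, not part of the course material. It parses a JSON payload
in the shape Microsoft Graph returns for GET /directoryRoles?$expand=members
and applies the guidance in the text: fewer than five Global Administrators.
"""
import json

# Well-known Azure AD role template id for Global Administrator.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# The text recommends fewer than five holders, so five or more is a finding.
MAX_RECOMMENDED = 5

# Constructed sample payload: every name, id and address below is made up.
SAMPLE_PAYLOAD = json.dumps({
    "value": [
        {
            "displayName": "Global Administrator",
            "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
            "members": [
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "alice@contoso.example", "userType": "Member"},
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "bob@contoso.example", "userType": "Member"},
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "carol@contoso.example", "userType": "Member"},
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "dave@contoso.example", "userType": "Member"},
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "partner@fabrikam.example", "userType": "Guest"},
                {"@odata.type": "#microsoft.graph.servicePrincipal",
                 "displayName": "legacy-automation-sp"},
            ],
        },
        {
            "displayName": "Helpdesk Administrator",
            "roleTemplateId": "00000000-0000-0000-0000-000000000000",  # placeholder id
            "members": [
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "erin@contoso.example", "userType": "Member"},
            ],
        },
    ]
})


def global_admin_report(payload: str, max_recommended: int = MAX_RECOMMENDED) -> dict:
    """Summarise who holds Global Administrator and whether the count is too high."""
    data = json.loads(payload)
    role = next((r for r in data.get("value", [])
                 if r.get("roleTemplateId") == GLOBAL_ADMIN_TEMPLATE_ID), None)
    users, guests, non_users = [], [], []
    for member in (role or {}).get("members", []):
        if member.get("@odata.type") == "#microsoft.graph.user":
            upn = member.get("userPrincipalName", "<no UPN>")
            users.append(upn)
            # A guest holding the top role is outside the tenant's own control.
            if member.get("userType") == "Guest":
                guests.append(upn)
        else:
            # Groups or service principals widen the blast radius of the role.
            non_users.append(member.get("displayName") or member.get("id", "<unknown>"))
    count = len(users) + len(non_users)
    return {
        "count": count,
        "users": sorted(users),
        "guests": sorted(guests),
        "non_users": sorted(non_users),
        "exceeds_guidance": count >= max_recommended,
    }


if __name__ == "__main__":
    report = global_admin_report(SAMPLE_PAYLOAD)
    print(f"Global Administrators: {report['count']} (guidance: fewer than {MAX_RECOMMENDED})")
    for finding in ("guests", "non_users"):
        if report[finding]:
            print(f"  review {finding}: {', '.join(report[finding])}")
    if report["exceeds_guidance"]:
        print("  FINDING: reduce the number of Global Administrators")
```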

Available roles
Application Administrator - Users in this role can create and manage all aspects of enterprise applications,
application registrations, and application proxy settings.

Application Developer - Users in this role can create application registrations when the “Users can register
applications” setting is set to No.

Authentication Administrator - Users with this role can set or reset non-password credentials for some users
and can update passwords for all users.

Azure DevOps Administrator - Users with this role can manage the Azure DevOps policy to restrict new Azure
DevOps organization creation to a set of configurable users or groups.

Azure Information Protection Administrator - Users with this role have all permissions in the Azure Information
Protection service.
B2C User Flow Administrator - Users with this role can create and manage B2C User Flows (also called “built-in”
policies) in the Azure portal.

B2C User Flow Attribute Administrator - Users with this role add or delete custom attributes available to all
user flows in the tenant.

B2C IEF Keyset Administrator - Users can create and manage policy keys and secrets for token encryption,
token signatures, and claim encryption/decryption.

B2C IEF Policy Administrator - Users in this role can create, read, update, and delete all custom policies in
Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD
B2C tenant.

Billing Administrator - Makes purchases, manages subscriptions, manages support tickets, and monitors
service health.

Cloud Application Administrator - Users in this role have the same permissions as the Application
Administrator role, excluding the ability to manage application proxy.

Cloud Device Administrator - Users in this role can enable, disable, and delete devices in Azure AD and read
Windows 10 BitLocker keys (if present) in the Azure portal.

Compliance Administrator - Users with this role have permissions to manage compliance-related features in
the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Microsoft 365 Security &
Compliance Center.

Compliance Data Administrator - Users with this role have permissions to track data in the Microsoft 365
compliance center, Microsoft 365 admin center, and Azure. Users can also track compliance data within the
Exchange admin center.

Conditional Access Administrator - Users with this role have the ability to manage Azure Active Directory
Conditional Access settings.

Exchange Administrator - Users with this role have global permissions within Microsoft Exchange Online, when
the service is present.

Directory Readers - Users in this role can read basic directory information.
Global Administrator / Company Administrator - Users with this role have access to all administrative features
in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security
center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online.

Groups Administrator - Users in this role can create/manage groups and their settings like naming and expiration
policies.

Security Administrator - Users with this role have permissions to manage security-related features in the
Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Information Protection, and
Microsoft 365 Security & Compliance Center.

For most organizations, the security of business assets depends on the integrity of the privileged accounts that
administer and manage IT systems. Cyber-attackers focus on privileged access to infrastructure systems (such as
Active Directory and Azure Active Directory) to gain access to an organization’s sensitive data.

Traditional approaches that focus on securing the entrance and exit points of a network as the primary security
perimeter are less effective due to the rise in the use of SaaS apps and personal devices on the Internet. The natural
replacement for the network security perimeter in a complex modern enterprise is the authentication and
authorization controls in an organization's identity layer.

Privileged administrative accounts are effectively in control of this new security perimeter. It's critical to protect
privileged access, regardless of whether the environment is on-premises, cloud, or hybrid on-premises and cloud
hosted services. Protecting administrative access against determined adversaries requires you to take a complete
and thoughtful approach to isolating your organization’s systems from risks.


Azure Active Directory Domain Services

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join,
group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication that is fully
compatible with Windows Server Active Directory. You use these domain services without the need to deploy,
manage, and patch domain controllers in the cloud. Azure AD DS integrates with your existing Azure AD tenant,
which makes it possible for users to sign in using their existing credentials. You can also use existing groups and
user accounts to secure access to resources, which provides a smoother lift-and-shift of on-premises resources to
Azure.

Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only, or
synchronized with an on-premises Active Directory Domain Services (AD DS) environment. The same set of Azure AD
DS features exist for both environments.

If you have an existing on-premises AD DS environment, you can synchronize user account information to
provide a consistent identity for users.

For cloud-only environments, you don't need a traditional on-premises AD DS environment to use the
centralized identity services of Azure AD DS.

Azure AD DS features and benefits


To provide identity services to applications and VMs in the cloud, Azure AD DS is fully compatible with a traditional
AD DS environment for operations such as domain-join, secure LDAP (LDAPS), Group Policy and DNS management,
and LDAP bind and read support. LDAP write support is available for objects created in the Azure AD DS managed
domain, but not resources synchronized from Azure AD. The following features of Azure AD DS simplify deployment
and management operations:

Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in
the Azure portal.

Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from
your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-
premises AD DS environment are automatically synchronized to Azure AD DS.

Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your
Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over
remote desktop, and authenticate against the Azure AD DS managed domain.

NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy
applications that rely on Windows-integrated authentication.

High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your
managed domain. This high availability guarantees service uptime and resilience to failures.

In regions that support Azure Availability Zones, these domain controllers are also distributed across zones for
additional resiliency.


Azure AD DS integrates with Azure AD, which itself can synchronize with an on-premises AD DS environment.
This ability extends central identity use cases to traditional web applications that run in Azure as part of a lift-and-
shift strategy.


Azure AD User Accounts

In Azure AD, every user who needs access to resources needs a user account. A user account is a synced Active
Directory Domain Services (AD DS) object or an Azure AD user object that contains all the information needed to
authenticate and authorize the user during the sign-on process and to build the user's access token.

To view the Azure AD users, access the All users blade. Take a minute to access the portal and view your users.
Notice the USER TYPE and SOURCE columns, as the following figure depicts.

Typically, Azure AD defines users in three ways:

Cloud identities - These users exist only in Azure AD. Examples are administrator accounts and users that you
manage yourself. Their source is Azure AD.

Directory-synchronized identities - These users exist in on-premises Active Directory. A synchronization
activity that occurs via Azure AD Connect brings these users into Azure.
Guest users - These users exist outside Azure. Examples are accounts from other cloud providers and
Microsoft accounts.

What types of users will you need?


Azure AD Group Accounts

Azure AD allows you to define two different types of groups.

Security groups. These are the most common and are used to manage member and computer access to
shared resources for a group of users. For example, you can create a security group for a specific security
policy. By doing it this way, you can give a set of permissions to all the members at once, instead of having to
add permissions to each member individually. This option requires an Azure AD administrator.

Microsoft 365 groups. These groups provide collaboration opportunities by giving members access to a shared
mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your
organization access to the group. This option is available to users as well as admins.


There are different ways you can assign group access rights:

Assigned. Lets you add specific users to be members of this group and to have unique permissions.

Dynamic User. Lets you use dynamic membership rules to automatically add and remove members. If a
member's attributes change, the system reviews your dynamic group rules for the directory to determine if the
member meets the rule requirements (is added) or no longer meets the rules requirements (is removed).

Dynamic Device (Security groups only). Lets you use dynamic group rules to automatically add and remove
devices. If a device's attributes change, the system reviews your dynamic group rules for the directory to
determine if the device meets the rule requirements (is added) or no longer meets the rules requirements (is
removed).

Have you given any thought to which groups you need to create? Would you directly assign or dynamically assign
membership?
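The re-evaluation described above can be traced offline. The Python evaluator below is an added example (not Azure AD's implementation): it parses a subset of the dynamic membership rule syntax and reports which users a rule adds or removes after a constructed attribute update. The user records, the rule and the HR change are constructed; case-insensitive string matching and treating a missing attribute as empty are assumptions of this evaluator.

```python
"""Offline evaluator for a subset of Azure AD dynamic membership rules.

Added example, not Azure AD's own code. Supports (object.property -op value) with
-eq, -ne, -startsWith and -contains, combined by and/or/not and parentheses.
Assumptions: string matching is case-insensitive; a missing attribute compares as "".
"""
import re

# Tokens: parentheses, "quoted strings", -operators, bare words (paths, true/false, and/or/not).
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z_][\w.]*')


def parse_rule(rule: str) -> tuple:
    """Recursive-descent parser; precedence: not binds tightest, then and, then or."""
    toks = TOKEN_RE.findall(rule)
    # Anything the tokenizer skipped is syntax this evaluator does not support (e.g. -in [...]).
    if re.sub(r"\s+", "", "".join(toks)) != re.sub(r"\s+", "", rule):
        raise ValueError("rule uses syntax this evaluator does not support")

    def peek():
        return toks[0] if toks else ""
    def take():
        return toks.pop(0) if toks else ""
    def or_expr():
        left = and_expr()
        while peek().lower() == "or":
            take()
            left = ("or", left, and_expr())
        return left
    def and_expr():
        left = unary()
        while peek().lower() == "and":
            take()
            left = ("and", left, unary())
        return left
    def unary():
        if peek().lower() == "not":
            take()
            return ("not", unary())
        if peek() != "(":
            return comparison()
        take()
        node = or_expr()
        if take() != ")":
            raise ValueError("missing ')'")
        return node
    def comparison():
        prop, op, raw = take(), take(), take()
        if "." not in prop or not op.startswith("-"):
            raise ValueError(f"expected object.property -operator value near {prop!r}")
        if raw.startswith('"'):
            value = raw[1:-1]
        elif raw.lower() in ("true", "false"):
            value = raw.lower() == "true"
        else:
            raise ValueError(f"expected a quoted string or true/false after {op}")
        return ("cmp", prop.split(".", 1)[1].lower(), op.lower(), value)

    tree = or_expr()
    if toks:
        raise ValueError(f"unexpected trailing tokens: {toks}")
    return tree


def evaluate(node: tuple, attrs: dict) -> bool:
    """Evaluate a parsed rule against one object's attribute dictionary."""
    if node[0] == "and":
        return evaluate(node[1], attrs) and evaluate(node[2], attrs)
    if node[0] == "or":
        return evaluate(node[1], attrs) or evaluate(node[2], attrs)
    if node[0] == "not":
        return not evaluate(node[1], attrs)
    _, prop, op, expected = node
    actual = {k.lower(): v for k, v in attrs.items()}.get(prop)
    if isinstance(expected, bool):  # boolean attributes support only -eq / -ne
        results = {"-eq": actual == expected, "-ne": actual != expected}
    else:  # assumption: case-insensitive, missing attribute compares as ""
        a, e = ("" if actual is None else str(actual)).lower(), expected.lower()
        results = {"-eq": a == e, "-ne": a != e, "-startswith": a.startswith(e), "-contains": e in a}
    if op not in results:
        raise ValueError(f"operator {op} is not supported for this value type")
    return results[op]


def members(rule: str, objects: list) -> set:
    tree = parse_rule(rule)
    return {obj["id"] for obj in objects if evaluate(tree, obj)}


def membership_changes(rule: str, before: list, after: list) -> tuple:
    # (added, removed) once the directory re-evaluates the rule after attribute changes.
    old, new = members(rule, before), members(rule, after)
    return sorted(new - old), sorted(old - new)


# Constructed sample users (ids and values are made up), then the same users after
# an HR update: u1 leaves Sales, u3 joins it, u4's account is re-enabled.
BEFORE = [
    {"id": "u1", "department": "Sales", "accountEnabled": True, "jobTitle": "Account Executive"},
    {"id": "u2", "department": "Sales", "accountEnabled": True, "jobTitle": "Sales Contractor"},
    {"id": "u3", "department": "Finance", "accountEnabled": True, "jobTitle": "Analyst"},
    {"id": "u4", "department": "Sales", "accountEnabled": False, "jobTitle": "Sales Rep"},
]
UPDATES = {"u1": {"department": "Finance"}, "u3": {"department": "Sales"}, "u4": {"accountEnabled": True}}
AFTER = [{**u, **UPDATES.get(u["id"], {})} for u in BEFORE]
RULE = '(user.department -eq "Sales") and (user.accountEnabled -eq true) and not (user.jobTitle -contains "contractor")'
```

Calling `membership_changes(RULE, BEFORE, AFTER)` returns the ids the directory would add and remove for the constructed update.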


Administrative Units in Azure Administrative

An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An
administrative unit can contain only users and groups. Administrative units restrict permissions in a role to any
portion of your organization that you define. You could, for example, use administrative units to delegate the
Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they
support.
Note - To use administrative units, you need an Azure Active Directory Premium license for each administrative unit
admin, and Azure Active Directory Free licenses for administrative unit members.

Available roles

Role                            Description
Authentication Administrator    Has access to view, set, and reset authentication method information for any
                                non-admin user in the assigned administrative unit only.
Groups Administrator            Can manage all aspects of groups and groups settings, such as naming and
                                expiration policies, in the assigned administrative unit only.
Helpdesk Administrator          Can reset passwords for non-administrators and Helpdesk administrators in the
                                assigned administrative unit only.
License Administrator           Can assign, remove, and update license assignments within the administrative
                                unit only.
Password Administrator          Can reset passwords for non-administrators and Password Administrators within
                                the assigned administrative unit only.
User Administrator              Can manage all aspects of users and groups, including resetting passwords for
                                limited admins within the assigned administrative unit only.
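The scoping in the table above can be written down as an authorization check. The Python model below is an added example (not Azure AD's own authorization code): it holds a constructed tenant with two administrative units and scoped role assignments and decides who may reset whose password. The principal ids and AU names are made up, and the set of "limited admins" a User Administrator may reset is an assumption.

```python
"""Who may reset whose password under administrative-unit (AU) scoping.

Added example, not Azure AD's own authorization code. It models the table
above: a Helpdesk, Password or User Administrator scoped to an AU may reset
passwords only for principals that are members of that AU, and only for
non-admins or the admin roles the table allows.
"""
TENANT = "/"  # scope marker for a tenant-wide (unscoped) role assignment

# Admin roles each role may reset besides non-admins. The set for User
# Administrator is an assumption standing in for the table's "limited admins".
RESETTABLE = {
    "Helpdesk Administrator": {"Helpdesk Administrator"},
    "Password Administrator": {"Password Administrator"},
    "User Administrator": {"Helpdesk Administrator", "Password Administrator", "User Administrator"},
}

# Constructed sample tenant: principal ids and AU names are made up.
USERS = {
    "ga": {"aus": {"au-west"}},
    "helpdesk-west": {"aus": {"au-west"}},
    "helpdesk-east": {"aus": {"au-west", "au-east"}},
    "pwadmin": {"aus": set()},
    "user-west": {"aus": {"au-west"}},
    "user-east": {"aus": {"au-east"}},
}
ASSIGNMENTS = [
    {"principal": "ga", "role": "Global Administrator", "scope": TENANT},
    {"principal": "helpdesk-west", "role": "Helpdesk Administrator", "scope": "au-west"},
    {"principal": "helpdesk-east", "role": "Helpdesk Administrator", "scope": "au-east"},
    {"principal": "pwadmin", "role": "Password Administrator", "scope": TENANT},
]


def roles_held(principal: str, assignments: list) -> set:
    """Every directory role a principal holds, whatever the scope; empty for non-admins."""
    return {a["role"] for a in assignments if a["principal"] == principal}


def can_reset_password(actor: str, target: str, users: dict, assignments: list) -> bool:
    """Least-privilege decision: True only if some assignment of the actor covers the target."""
    if "Global Administrator" in roles_held(actor, assignments):
        return True  # the text: access to all administrative features
    target_roles = roles_held(target, assignments)
    for a in assignments:
        if a["principal"] != actor or a["role"] not in RESETTABLE:
            continue
        # AU scoping: a scoped assignment only reaches members of that AU.
        if a["scope"] != TENANT and a["scope"] not in users[target]["aus"]:
            continue
        # Target must be a non-admin (no roles) or hold only roles this role may reset.
        if target_roles <= RESETTABLE[a["role"]]:
            return True
    return False


def password_reset_matrix(users: dict, assignments: list) -> dict:
    """Decision for every actor/target pair, handy for reviewing delegated scope."""
    return {(actor, target): can_reset_password(actor, target, users, assignments)
            for actor in users for target in users if actor != target}


if __name__ == "__main__":
    for (actor, target), allowed in sorted(password_reset_matrix(USERS, ASSIGNMENTS).items()):
        if allowed:
            print(f"{actor} may reset the password of {target}")
```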


Azure Multi-Factor Authentication

Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity
for users. It provides additional security by requiring a second form of authentication and delivers strong
authentication through a range of easy to use authentication methods.

For organizations that need to be compliant with industry standards, such as the Payment Card Industry (PCI) Data
Security Standard (DSS) version 3.2, MFA is a must have capability to authenticate users. Beyond being compliant
with industry standards, enforcing MFA to authenticate users can also help organizations to mitigate credential theft
attacks.

Th Th
is is
do do
cu cu
me me
d n t d nt
No an be No a nc belo
un cc lon u c n
h g na
au
tho 82@ s to uth h82@ gs to
Da ori
riz
ed
gm
ail n ze g ma Dan
co .co iel C dc il. iel
p m ho o pie com Cho
The security of MFA two-stepieverification
sa ngin its layered approach. Compromising multiple
lies . s all ng
authentication
. factors
llo ow
presents a significant challenge for attackers. we Even if an attacker manages to learn the user's password,
e it is useless
d! d!
without also having possession of the additional authentication method. Authentication methods include:

Something you know (typically a password)

Something you have (a trusted device that is not easily duplicated, like a phone)

Something you are (biometrics)


Th Th
is is
d do
MFA Features ocu cu
me me
d n t d nt
No a n b e N o a nc bto e
Get more usecurity lonless complexity. Azure MFA helps safeguard ch lodata
na cch8with g s
un access
a 8
ng and applications and
st
u tho
helps to meet customer 2 @ demand to for a simple sign-in process. Get strong u 2
thauthentication
@ o Dwith a range of easy
riz gm Da ori gm an
e a n z e
iel message, or mobile app notification—andd callowailcustomers ie
verification options—phone dc ilcall,
. text to choose the
op co
m Ch op .com l Ch
method they prefer. i es o n i es on
all g . all g.
ow ow
ed ed
!
Mitigate threats with real-time monitoring and alerts. MFA helps protect your business with security !
monitoring and machine-learning-based reports that identify inconsistent sign-in patterns. To help mitigate
potential threats, real-time alerts notify your IT department of suspicious account credentials.

Deploy on-premises or on Azure. Use MFA Server on your premises to help secure VPNs, Active Directory
Federation Services, IIS web applications, Remote Desktop, and other remote access applications using
RADIUS and LDAP authentication. Add an extra verification step to your cloud-based applications and services
Th T
by turningis on Multi-Factor Authentication in Azure Active Directory.his
do do
cu cu
me me
Use with Microsoft
da n t 365, Salesforce, and more. MFA for Microsoft 365 d helpsnt secure access to Microsoft 365
No nc b e N ou a nc belo
applicationsun at no lon
additional cost. Multi-Factor Authentication is also available
au c h g n au c h with ngAzure Active Directory
tho 82@ s to tho 82@ s to
Premium and thousandsriz gmof software-as-a-service
Da (SaaS) applications, including
r ize Salesforce,
g ma Dan Dropbox, and other
ed ail n
popular services. co .co iel C dc il. iel
pie m ho o pie com Cho
sa ng s ng
llo . all .
Add protection for Azure administrator we accounts. MFA adds a layer of security to your owAzure administrator
d! e d!
account at no additional cost. When it's turned on, you need to confirm your identity to create a virtual machine,
manage storage, or use other Azure services.


MFA Authentication Options

Method: Description

Call to phone: Places an automated voice call. The user answers the call and presses # on the phone keypad to authenticate. The phone number is not synchronized to on-premises Active Directory. A voice call to phone is important because it persists through a phone handset upgrade, allowing the user to register the mobile app on the new device.

Text message to phone: Sends a text message that contains a verification code. The user is prompted to enter the verification code into the sign-in interface. This process is called one-way SMS. Two-way SMS means that the user must text back a particular code. Two-way SMS is deprecated and not supported after November 14, 2018. Users who are configured for two-way SMS are automatically switched to call to phone verification at that time.

Notification through mobile app: Sends a push notification to your phone or registered device. The user views the notification and selects Approve to complete verification. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS. Push notifications through the mobile app provide the best user experience.

Verification code from mobile app: The Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS. Verification code from mobile app can be used when the phone has no data connection or cellular signal.

Of these, voice call and SMS are the weakest choices: both are exposed to SIM-swap attacks and to real-time phishing of the code, so prefer the app (or a passwordless method) wherever users have it.

There is also a "remember multi-factor authentication on trusted devices" option, so that users are not prompted for MFA again on a device they have marked as trusted. The number of days before a user must re-authenticate on trusted devices can be configured with a value from 1 to 60 days. The default is 14 days.


MFA Settings

Account lockout

To prevent repeated MFA attempts as part of an attack, the account lockout settings let you specify how many failed attempts to allow before the account becomes locked out for a period of time. The account lockout settings are only applied when a PIN code is entered for the MFA prompt. The following settings are available:

Number of MFA denials to trigger account lockout

Minutes until account lockout counter is reset

Minutes until account is automatically unblocked
p i e co m C h o pie om Cho
Block and unblock users
If a user's device has been lost or stolen, you can block authentication attempts for the associated account.

Fraud Alerts

Block user when fraud is reported - Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources. Users can report fraud attempts by using the mobile app or through their phone. If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report and take appropriate action to prevent future fraud. An administrator can then unblock the user's account.

Code to report fraud during initial greeting - When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.

Notifications


Email notifications can be configured when users report fraud alerts. These notifications are typically sent to identity
administrators, as the user's account credentials are likely compromised.

OATH tokens

Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can
purchase these tokens from the vendor of their choice.

Trusted IPs

Trusted IPs is a feature to allow federated users or IP address ranges to bypass two-step authentication. Notice there are two selections in this screenshot.

Which selections you can make depends on whether you have managed or federated tenants.

Managed tenants. For managed tenants, you can specify IP ranges that can skip MFA.

Federated tenants. For federated tenants, you can specify IP ranges and you can also exempt AD FS claims users.

The Trusted IPs bypass works only from inside of the company intranet. If you select the All Federated Users option and a user signs in from outside the company intranet, the user must authenticate by using two-step verification. The process is the same even if the user presents an AD FS claim.
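The two bypass rules above (trusted IP ranges for any tenant, and AD FS claims for federated users only when the sign-in comes from the intranet) can be written as a small policy function. The Python below is an added example, not code from the course or from Azure: it decides whether MFA is still required for a sign-in given the configured ranges and, for federated tenants, whether the user presented the AD FS claim from inside the intranet. It also lints the ranges, because Azure AD matches against the public egress address a sign-in arrives from, so RFC 1918 private ranges never match, and a very wide prefix silently exempts far more than intended. The ranges and addresses are constructed RFC 5737 documentation values; the /16 width threshold is an assumption for the lint, not a Microsoft limit.

```python
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# RFC 1918 space. Azure AD sees the client's public egress address, so these can never match.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WIDEST_SENSIBLE_PREFIX = 16   # assumption for the lint below, not a Microsoft limit


def parse_ranges(ranges: Iterable[str]) -> List[IPNetwork]:
    """Parse the CIDR strings from the Trusted IPs setting; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(r.strip(), strict=False) for r in ranges]


def lint_ranges(ranges: Iterable[str]) -> List[str]:
    """Return warnings about ranges that cannot work or that exempt far more than one office."""
    warnings = []
    for net in parse_ranges(ranges):
        if any(net.subnet_of(p) for p in PRIVATE_NETWORKS if p.version == net.version):
            warnings.append(f"{net}: private address space never matches a public egress IP")
        elif net.version == 4 and net.prefixlen < WIDEST_SENSIBLE_PREFIX:
            warnings.append(f"{net}: wider than /{WIDEST_SENSIBLE_PREFIX}, exempts {net.num_addresses} addresses")
    return warnings


def mfa_required(source_ip: str, trusted_ranges: Iterable[str],
                 federated_tenant: bool = False, has_adfs_claim: bool = False,
                 from_intranet: bool = False) -> bool:
    """Apply the Trusted IPs bypass rules from the text.

    1. A sign-in from a configured range skips MFA in managed and federated tenants alike.
    2. In a federated tenant with 'All Federated Users' selected, an AD FS claim skips MFA only
       when the sign-in originates inside the company intranet; from outside, MFA is still required.
    """
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in parse_ranges(trusted_ranges)):
        return False
    if federated_tenant and has_adfs_claim and from_intranet:
        return False
    return True


# Constructed example ranges (RFC 5737 documentation space standing in for corporate egress IPs).
TRUSTED = ["203.0.113.0/24", "198.51.100.0/25"]

if __name__ == "__main__":
    for ip in ("203.0.113.40", "198.51.100.200"):
        print(ip, "MFA required:", mfa_required(ip, TRUSTED))
    for warning in lint_ranges(["10.0.0.0/8", "203.0.0.0/8"] + TRUSTED):
        print("warning:", warning)
```

Trusted IPs is a tenant-wide exemption in the legacy per-user MFA service settings; for new designs the same idea is expressed as a Conditional Access named location, which can be scoped to specific users and applications rather than the whole tenant.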

Enabling MFA

To enable MFA, go to the User Properties in Azure Active Directory, and then the Multi-Factor Authentication option. From there, you can select the users that you want to modify and enable for MFA. You can also bulk enable groups of users with PowerShell. User states can be Enabled, Enforced, or Disabled. Enabled means the user has been enrolled and will be asked to register at their next interactive sign-in; the state changes to Enforced automatically once registration is complete.


On first-time sign-in, after MFA has been enabled, users are prompted to configure their MFA settings. For example, if you enable MFA so that users must use a mobile device, users will be prompted to configure their mobile device for MFA. Users must complete those steps; until they have registered and validated their mobile device for MFA, they will not be permitted to sign in.
Enabling MFA for Global Admins

Azure MFA is included free of charge for global administrator security. Enabling MFA for global administrators provides an added level of security when managing and creating Azure resources like virtual machines, managing storage, or using other Azure services. Secondary authentication includes phone call, text message, and the authenticator app.

Remember you can only enable MFA for organizational accounts stored in Azure Active Directory. These are also called work or school accounts.


Passwordless

Sign-in without ever using a password. With passwordless, the password is replaced with something you have plus
something you are or something you know. For example, Windows Hello for Business can use a biometric gesture
like a face or fingerprint, or a device-specific PIN that isn't transmitted over a network.

Passwordless Authentication Methods

Windows Hello for Business - biometric and PIN credentials are directly tied to the user's PC, which prevents access from anyone other than the owner.

FIDO2 Security Keys - generally stored on a USB stick, FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor.

Microsoft Authenticator App - the Authenticator app turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm.

FIDO2 Smartcards (preview) - new method to use FIDO2 keys for passwordless login via a smartcard.

Temporary Access Pass (preview) - time-limited passcode that allows you to set up security keys and the Microsoft Authenticator app without ever needing to use, much less know, your password.

Benefits of passwordless authentication
Increased security - Reduce the risk of phishing and password spray attacks by removing passwords as an
attack surface.

Better user experience - Give users a convenient way to access data from anywhere. Provide easy access to
applications and services such as Outlook, OneDrive, or Office while mobile.

Robust insights - Gain insights into users' passwordless activity with robust logging and auditing.

Demonstrations – Azure Active Directory

Task 1: Review Azure AD

In this task, we will review Azure Active Directory licensing and tenants.

1. In the Portal, search for and select Azure Active Directory.


2. On the Overview page, locate the license information.

3. Go to the Azure AD pricing page and review the features and pricing for each edition.

4. On the Overview page, discuss creating directories and how to switch between directories.

5. Review the Licenses blade information.
Task 2: Manage Users and Groups

Note: This task requires some users and groups to be populated. Dynamic groups requires a Premium P1 license.

In this task, we will create users and groups.

1. Under Manage click Users.

2. Review the different Sources such as Windows Server AD, Invited User, Microsoft Account, and External Azure Active Directory.

3. Notice the choice for New guest user.

4. Click New user.

5. Review the two ways to create a user: Create user and Invite user.

6. Create a new user. Review Identity, Groups and roles, Settings, and Job Info.

7. Going back to Azure AD, under Manage click Groups.

8. Review the Group types: Security and Office 365.

9. Create a new group by clicking New Group with the Membership type as Assigned.

10. Add a user to the same group.

11. Create another new group with the Membership type as Dynamic user.

12. Review the details to construct dynamic group membership rules.

Task 3 - Multi-Factor Authentication
Task 3 - Multi-Factor Authentication ! !

Note: This task requires a user account, AZ500User1.

In this demonstration, we will configure and test MFA.

Configure MFA
In this task, we will enable MFA for a user.

1. In the Portal, search for and select Azure Active Directory.

2. Under Manage select Security.

3. Under Manage select MFA.

4. In the center pane, under Configure select Additional cloud-based MFA settings.

5. Select the Users tab.

6. Select AZ500User1. Make a note of their user name in the form [email protected].


7. On the far right click Enable.

8. Read the information about enabling multi-factor authentication.

9. Click enable multi-factor auth.

10. Wait for the update. AZ500User1 will now be required to provide two-factor authentication.

Test MFA

Note: To test MFA a phone number is required.

In this task, we will test the MFA requirement.

1. Sign in to the Portal as AZ500User1. Use their user name from a previous step.

2. Provide the password, click Next.

3. Note that more information is required. Click Next.
3. Note that more information is required. d! Click Next. e d!

4. Review the Additional security verification page.

5. In Step 1, enter your phone number and ensure the send me a code by text message is selected.

6. Click Next.

7. In Step 2, enter the verification code from the text message.


8. Click Verify.

9. In Step 3, read about how to keep your existing applications working.

10. Click Get started with this app password.

11. If prompted, Allow access.

12. Click Done.
12. Click Done.

13. On the Update password screen provide and confirm a new password.

14. Click Sign-in.

15. Confirm that you can now access the Portal.

