
AZ-104

Azure Administrator

Instructor: Sharif Khairy 2



Module 1 Identity
AZ-900

Contents
Module 1 Identity
Azure Active Directory
Users and Groups
Module 01 Lab and Review


Active Directory Overview


Active Directory (AD) is a directory service developed by Microsoft that
provides centralized management and authentication of network resources
in a Windows domain environment.
It is commonly used in enterprise-level networks to manage and organize
users, computers, groups, and other network resources.

Module 1 Identity (Azure Active Directory) 5




Active Directory is a database that stores information about network objects
and their attributes.
These objects can include users, computers, printers, shared folders, security
groups, and more.


Azure Active Directory


Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based
directory and identity management service.
Azure AD provides an affordable, easy-to-use solution that gives employees and
business partners single sign-on (SSO) access to thousands of cloud SaaS
applications such as Office 365, Salesforce, Dropbox, and Concur.


Benefits and features


● Single sign-on to any cloud or on-premises web app.
● Works with iOS, Mac OS X, Android, and Windows devices.
● Protect on-premises web applications with secure remote access.
● Easily extend Active Directory to the cloud.
● Protect sensitive data and applications.
● Reduce costs and enhance security with self-service capabilities.


Azure AD Concepts
Identity. A thing that can get authenticated.
An identity can be a user with a username and password.
Identities also include secret keys or certificates.
Account. An identity that has data associated with it.
You cannot have an account without an identity.

Azure subscription. Used to pay for Azure cloud services.
You can have many subscriptions and they're linked to a credit card.
Azure tenant. A dedicated and trusted instance of Azure AD that's automatically
created when your organization signs up for a Microsoft cloud service subscription,
such as Microsoft Azure, Microsoft Intune, or Office 365.
An Azure tenant represents a single organization.

Azure AD directory. Each Azure tenant has a dedicated and trusted Azure AD
directory.
The Azure AD directory includes the tenant's users, groups, and apps and is used
to perform identity and access management functions for tenant resources.


AD DS vs Azure Active Directory


AD DS is the traditional deployment of Windows Server-based Active Directory on
a physical or virtual server.
Although AD DS is commonly considered to be primarily a directory service, it is
only one of the Active Directory server roles, which also include:
• Active Directory Certificate Services (AD CS)
• Active Directory Lightweight Directory Services (AD LDS)
• Active Directory Federation Services (AD FS)
• Active Directory Rights Management Services (AD RMS).



Although you can deploy and manage AD DS in Azure virtual machines, it’s
recommended that you use Azure AD instead.


Azure AD is different from AD DS


Although Azure AD has many similarities to AD DS, there are also many
differences.
It is important to realize that using Azure AD is different from deploying an
Active Directory domain controller on an Azure virtual machine and adding it
to your on-premises domain.



Here are some characteristics of Azure AD that make it different.
Identity solution. Azure AD is primarily an identity solution, and it is designed for
Internet-based applications by using HTTP and HTTPS communications.
REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried
through LDAP. Instead, Azure AD uses the REST API over HTTP and HTTPS.
Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not
use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as
SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for
authorization).
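Because Azure AD authenticates over HTTPS with OpenID Connect and OAuth rather than Kerberos, what a protected API actually receives is a signed token whose claims the API must validate itself. The following Python is an added example (it is not from this deck or from Microsoft) of the checks a resource server performs: signature, pinned algorithm, issuer, audience and validity window. To run offline it mints an HS256 token with a shared secret; real Microsoft Entra ID tokens are RS256-signed and must be verified against the tenant's published signing keys. The tenant id, audience and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a placeholder tenant id in the Entra ID v2.0 issuer
# format, a made-up audience and a shared secret for the offline demo.
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
AUDIENCE = "api://constructed-demo-api"
KEY = b"constructed-demo-shared-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (offline stand-in for the RS256 tokens Entra ID issues)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str, now=None):
    """Return (True, claims) for an acceptable token, else (False, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "malformed header"
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:       # token must come from our tenant
        return False, "wrong issuer"
    if claims.get("aud") != audience:     # and must have been issued for this API
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    return True, claims


def demo():
    """Valid token, forged payload with the original signature, and an expired token."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "nbf": 1000, "exp": 2000,
              "preferred_username": "alice@contoso.example"}  # constructed user
    good = make_token(claims, KEY)
    h, _, s = good.split(".")
    forged = ".".join([h, b64url_encode(json.dumps(dict(claims, exp=9999999999)).encode()), s])
    return {
        "valid": validate_token(good, KEY, ISSUER, AUDIENCE, now=1500)[0],
        "forged": validate_token(forged, KEY, ISSUER, AUDIENCE, now=1500),
        "expired": validate_token(good, KEY, ISSUER, AUDIENCE, now=2500),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, so an unsigned or re-signed payload is rejected before its contents can influence anything.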



Federation Services. Azure AD includes federation services and can federate with
many third-party identity providers (such as Facebook).
Flat structure. Azure AD users and groups are created in a flat structure, and
there are no Organizational Units (OUs) or Group Policy Objects (GPOs).


Azure Active Directory Editions


Azure Active Directory comes in four editions—Free, Office 365 Apps, Premium
P1, and Premium P2.
The Free edition is included with an Azure subscription.
The Premium editions are available through a Microsoft Enterprise Agreement,
the Open Volume License Program, and the Cloud Solution Providers program.
Azure and Office 365 subscribers can also buy Azure Active Directory Premium P1
and P2 online.


Azure Active Directory Editions


Azure Active Directory Free. Provides user and group management, on-
premises directory synchronization, basic reports, and single sign-on across
Azure, Office 365, and many popular SaaS apps.
Azure Active Directory Office 365 Apps. This edition is included with O365.
In addition to the Free features, this edition provides Identity & Access
Management for Office 365 apps including branding, MFA, group access
management, and self-service password reset for cloud users.



Azure Active Directory Premium P1.
In addition to the Free features, P1 also lets your hybrid users access both on-
premises and cloud resources.
It also supports advanced administration, such as dynamic groups, self-service
group management, Microsoft Identity Manager (an on-premises identity and
access management suite) and cloud write-back capabilities, which allow self-
service password reset for your on-premises users.



Azure Active Directory Premium P2.
In addition to the Free and P1 features, P2 also offers Azure Active Directory
Identity Protection to help provide risk-based Conditional Access to your apps
and critical company data and Privileged Identity Management to help discover,
restrict, and monitor administrators and their access to resources and to provide
just-in-time access when needed.



The Azure Active Directory Pricing page has detailed information on what is
included in each of the editions.
Based on the feature list which edition does your organization need?
https://azure.microsoft.com/en-us/pricing/details/active-directory


New name for Azure Active Directory


Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID to
communicate the multicloud, multiplatform functionality of the products.
No interruptions to usage or service.
https://learn.microsoft.com/en-gb/entra/fundamentals/new-name


Azure AD Join
Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and
services from anywhere.
Azure AD Join is designed to provide access to organizational apps and resources
and to simplify Windows deployments of work-owned devices.


Azure AD Join
Azure AD Join has these benefits.
● Single-Sign-On (SSO) to your Azure managed SaaS apps and services.
Your users will not have additional authentication prompts when accessing work
resources.
The SSO functionality is available even when users are not connected to the
domain network.

● Enterprise compliant roaming of user settings across joined devices.
Users don’t need to connect to a Microsoft account (for example, Hotmail) to
observe settings across devices.
● Access to Microsoft Store for Business using an Azure AD account. Your users
can choose from an inventory of applications pre-selected by the organization.

● Windows Hello support for secure and convenient access to work resources.
● Restriction of access to apps from only devices that meet compliance policy.


Connection options
To get a device under the control of Azure AD, you have two options:
● Registering a device to Azure AD enables you to manage a device’s identity.
When a device is registered, Azure AD device registration provides the device with
an identity that is used to authenticate the device when a user signs in to Azure
AD.
You can use the identity to enable or disable a device.

● Joining a device is an extension to registering a device.
This means it provides all the benefits of registering a device and, in addition,
it also changes the local state of the device.
Changing the local state enables your users to sign in to the device using an
organizational work or school account instead of a personal account.


Azure Multi-Factor Authentication


Azure Multi-Factor Authentication (MFA) helps safeguard access to data and
applications while maintaining simplicity for users.
It provides additional security by requiring a second form of authentication and
delivers strong authentication through a range of easy to use authentication
methods.



Even if an attacker manages to learn the user's password, it is useless without also
having possession of the additional authentication method.
Authentication methods include:
● Something you know (typically a password)
● Something you have (a trusted device that is not easily duplicated, like a phone)
● Something you are (biometrics)


MFA Features
• Get more security with less complexity.
• Mitigate threats with real-time monitoring and alerts.
• Use with Office 365, Salesforce, and more.
• Add protection for Azure administrator accounts. MFA adds a layer of security
to your Azure administrator account at no additional cost.
When it's turned on, you need to confirm your identity to create a virtual
machine, manage storage, or use other Azure services.

Authentication Methods

Self-Service Password Reset


The large majority of helpdesk calls in most companies are requests to reset
passwords for users.
Enabling Self-service password reset (SSPR) gives the users the ability to bypass the
helpdesk and reset their own passwords.
To configure Self-Service Password Reset, you first determine who will be enabled to
use self-service password reset.
From your existing Azure AD tenant, on the Azure Portal under Azure Active Directory
select Password reset.



In the Password reset properties there are three options: None, Selected, and All.


Authentication methods
After enabling password reset for users and groups, you pick the number of
authentication methods required to reset a password and the number of
authentication methods available to users.
At least one authentication method is required to reset a password.


Users and Groups


Typically, Azure AD defines users in three ways:
● Cloud identities
● Directory-synchronized identities
● Guest users



Cloud identities. These users exist only in Azure AD.
Examples are administrator accounts and users that you manage yourself.
Their source is Azure Active Directory or External Azure Active Directory if the user is
defined in another Azure AD instance but needs access to subscription resources
controlled by this directory.
When these accounts are removed from the primary directory, they are deleted.



Directory-synchronized identities.
These users exist in an on-premises Active Directory.
A synchronization activity that occurs via Azure AD Connect brings these users into
Azure AD.
Their source is Windows Server AD.



Guest users. These users exist outside Azure.
Examples are accounts from other cloud providers and Microsoft accounts such as
an Xbox LIVE account.
Their source is Invited user.
This type of account is useful when external vendors or contractors need access to
your Azure resources.
Once their help is no longer necessary, you can remove the account and all of their
access.


Managing User Accounts


There are multiple ways to add cloud identities to Azure AD.
Azure Portal
You can add new users through the Azure Portal.
In addition to Name and User name, there is profile information like Job Title and
Department.


Group Accounts
Azure AD allows you to define two different types of groups.
Security groups.
These are the most common and are used to manage member and computer access
to shared resources for a group of users.
For example, you can create a security group for a specific security policy.
By doing it this way, you can give a set of permissions to all the members at once,

Office 365 groups.
These groups provide collaboration opportunities by giving members access to a
shared mailbox, calendar, files, SharePoint site, and more.
This option also lets you give people outside of your organization access to the
group.
This option is available to users as well as admins.


Adding Members to Groups


There are different ways you can assign access rights:
● Assigned. Lets you add specific users to be members of this group and to have
unique permissions.
● Dynamic User. Lets you use dynamic membership rules to automatically add and
remove members.
● Dynamic Device (Security groups only). Lets you use dynamic group rules to
automatically add and remove devices.
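The two ideas in the Group Accounts and Adding Members to Groups slides, granting a set of permissions to every member of a security group at once and deciding membership either by assignment or by a dynamic rule over user attributes, fit together in one small model. The Python below is an added example (not from this deck, and not Microsoft's rule engine) that parses a subset of the dynamic membership rule syntax (`-eq`, `-ne`, `-contains`, `-notContains`, `-startsWith` on `user.<attribute>`, combined with `-and`, `-or`, `-not` and parentheses), evaluates it against constructed user records, and computes a user's effective permissions as the union of their groups. The `Group.permissions` set, the case-insensitive string comparison and the treatment of a missing attribute as empty are my simplifications; in Entra ID, access is granted to groups through role and application assignments, not a permissions field on the group.

```python
import re
from dataclasses import dataclass
from typing import Optional

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z_][\w.]*')
OPERATORS = {  # assumed subset of the rule syntax, compared case-insensitively
    "-eq": lambda a, b: a == b,
    "-ne": lambda a, b: a != b,
    "-contains": lambda a, b: b in a,
    "-notContains": lambda a, b: b not in a,
    "-startsWith": lambda a, b: a.startswith(b),
}


class RuleParser:
    """Recursive-descent parser: -or < -and < -not < (comparison | parenthesised)."""

    def __init__(self, rule: str):
        self.tokens, self.pos = TOKEN_RE.findall(rule), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "-or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "-and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "-not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        op, value = self.take(), self.take()
        if not (tok and tok.startswith("user.") and op in OPERATORS and value and value.startswith('"')):
            raise ValueError(f"bad comparison near {tok!r}")
        return ("cmp", tok[len("user."):], op, value.strip('"'))


def evaluate(node, user: dict) -> bool:
    kind = node[0]
    if kind == "cmp":
        _, attr, op, expected = node
        actual = user.get(attr)
        actual = "" if actual is None else str(actual)  # missing attribute -> empty string
        return OPERATORS[op](actual.lower(), expected.lower())
    if kind == "not":
        return not evaluate(node[1], user)
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    return evaluate(node[1], user) or evaluate(node[2], user)


@dataclass
class Group:
    name: str
    permissions: frozenset                 # stand-in for what the group is granted
    assigned: frozenset = frozenset()      # Assigned membership, by UPN
    rule: Optional[str] = None             # Dynamic User membership rule

    def is_member(self, user: dict) -> bool:
        if user["userPrincipalName"] in self.assigned:
            return True
        return self.rule is not None and evaluate(RuleParser(self.rule).parse(), user)


def effective_permissions(user: dict, groups) -> frozenset:
    """Union of everything granted through each group the user belongs to."""
    perms = frozenset()
    for g in groups:
        if g.is_member(user):
            perms |= g.permissions
    return perms


USERS = {  # constructed accounts for the demo
    "alice": {"userPrincipalName": "alice@contoso.example", "department": "Sales", "country": "US", "userType": "Member"},
    "bob": {"userPrincipalName": "bob@contoso.example", "department": "Finance", "country": "US", "userType": "Member"},
    "carol": {"userPrincipalName": "carol@contoso.example", "department": "Sales", "country": "UK", "userType": "Member"},
    "dan": {"userPrincipalName": "dan_vendor.example#EXT#@contoso.example", "userType": "Guest"},
}
GROUPS = [  # constructed groups: two dynamic, one assigned
    Group("Sales-US", frozenset({"crm.read"}), rule='(user.department -eq "Sales") -and (user.country -eq "US")'),
    Group("Billing-Admins", frozenset({"billing.write"}), assigned=frozenset({"bob@contoso.example"})),
    Group("External-Collab", frozenset({"sharepoint.guest"}), rule='user.userType -eq "Guest"'),
]

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, sorted(effective_permissions(user, GROUPS)))
```

Because the dynamic rule, not an administrator, decides membership, changing an attribute such as `department` silently changes what a user can reach; reviewing who can write those attributes is part of reviewing the group's permissions.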


Azure AD Connect
Azure AD Connect will integrate your on-premises directories with Azure Active
Directory.
This allows you to provide a common identity for your users for Office 365, Azure,
and SaaS applications integrated with Azure AD.


Module 01 Lab
Lab 01 - Manage Azure Active Directory Identities.
Objectives
In this lab, you will:
● Task 1: Create and configure Azure AD users.
● Task 2: Create Azure AD groups with assigned and dynamic membership.
● Task 3: Create an Azure Active Directory (AD) tenant.
● Task 4: Manage Azure AD guest users.


Thanks!
Any questions?
You can find me at:
[email protected]
+93 784670845
