Azure AD Entities
Users
- Types of users
- Cloud or Synced (from local AD through AD Connect)
- Member or Guest
- Members are created within AD directory
- Guests are invited by administrator or one of other users of Azure AD.
- Common settings
- Usual attributes (e.g. department, phone number, contact, email)
- Setup password policy, expiration policy, flag users needing to reset their password
- Usage Location: Location is required if you want to assign license to a user within AD.
- Set usage location: AD -> Users -> Select User -> Profile -> Settings
- You can then assign license in AD -> Users -> Select User -> Licenses
- User Principal name: Combination of an user name + domain.
- Create new user
- AD -> User -> new User
- User name
- Required, e.g. test@contoso.onmicrosoft.com
- Properties: Optional information e.g. first name, last name, job title.
- External access
- You can add a user as an External User
- Good for B2B scenerios
- AD is not required on other business side.
- Self-service password reset
- Scenarios
- Allows users to change their passwords
- If you cannot log in somehow
- Helpws with account lockout
- Authentication methods
- Types:
- Text message/Phoen call
- Secondary email
- Security questions
- Administrator requires one or more.
- Manage in: Portal -> AD -> Password Reset
- Enable
- You can enable for all users or selected users.
- 💡 Good to first enable for a pilot group to see how it works.
- Registration
- Require users to register when signin in
- Prompts user to fill information for authentication methods.
- After how long user will be prompted to confirm authentication method information
- Notifications
- Notify users on password resets
- Notify all admins when other admins reset their password
- User settings
- Enterprise applications
- Users can consent to apps accessing company data on their behalf (yes/no)
- Yes; users can consent to allow third party and multi-tenant applications to consent on their own behalf.
- Users can add galery apps to theri Access Panel
- No; as an administrator you have to manually integrate the applciations through Access Panel
- App registrations
- Users can register applications (yes/no)
- Yes; non administrations can register applications to be used within the directory, no; only administrators can do it
Groups
- Types of groups
- Assigned or Dynamic
- Assigned: You assign users to groups manually
- Dynamic: You select various attributes to make users member of a group
- Dynamic query e.g.
deparment Equals marketing
- Security or Office 365
- Security groups are for assigning permissions.
- Owners and members
- Owners: Can add/remove users from the group.
- Members: cannot manage the group, normal permissions
- Expiration of groups: Groups can automatically expire.
- You manage in AD -> Groups
- You can assign licenses to a group where each member will get a license.
- Good for performing bulk user updates
- Self-service group management
- Owners manage groups instead of administrator that manage the group for the owners.
- Users can request to join in group with providing some business justification.
- Audits & alerts
- Everything is logged
- You can e.g. trigger alert on frequent activities in a group
- Company Branding
- In portal: AD -> Users and groups -> Company branding
- Allows you to customize the pages with e.g. banner, sign-in page text, user name hint
Devices
- Enables more management
- Device settings show overview in Portal
- Intune + MDM offer much more control
- You can add work or school account to integrate
- Registration types:
- Register Device
- Basic registration
- Bring your own device (BYOD) scenario
- For mobile devices and Windows 10
- Enable/disable and additional management (MDM) for mobile devices like intune.
- Enterprise State Roaming
- Users synchronizes their user settings and application settings data to the cloud.
- Supported in Windows 10
- Enchanced security, management and monitoring.
- Separation of corporate and consumer data in cloud.
- Join Device
- Corparate owned assets that you want to manage
- E.g. Windows 7 or Windows 10
- You get some benefits e.g. single sign on.
- Hybrid Join
- You can enable automatic registration for your AD joined computers
- Join device in both local AD and Azure AD
- Grant device user access to apps that need traditional local AD (=on-prem AD) authentication.
- You get service principal for the device
- Actual management is done through Group Policy or System Center Configuration Manager.
- They’re tied in to Azure AD but not part of core AD.
- Relies on AD Connect for synchronization.
- If they’re already joined to local AD, they’re also registered in Azure AD automatically.
- Configuration:
- Ensure access to external Azure AD URLs.
- Configure SCP (service connection point) internally.
- Configure ADFS if required
- Manage in Portal -> AD -> Devices
- Users may join devices to Azure AD
- Additional administrators on Azure AD joined devices
- Default is none, you can select users
- Users may register their devices with Azure AD
- Require Multi-Factor Auth to join devices
- Maximum number ofdevices per device
- Users may sync settings and enterprise app data
- For more you need PowerShell.
- Azure AD Device Settings/Policies
- Control permissions: Who’s allowed to access join devices?
- Control sync (enabled or disabled)
- Device management through Intune or other MDM
- Conditional access: Whether or not device has access to resources within your organization
Applications
- Azure AD IDaaS (Identity Directory as a Service)
- Application types
- Third party or internal
- Pre-integrated or proxies
- Automated user provisioning through SCIM 2.0
- Use provisioning enables synchronization of user account.
- SCIM
- System for cross domain identity management.
- Defined by IETF
- Control users, groups and their relations
- Available on select SaaS apps
- You can assign access to applications in AD -> Applications -> Select application -> Users and groups