The journey to Azure Administrator - AZ 104: Manage Identity & Governance in Azure

The AZ-104 study course and examination represent an advanced and comprehensive exploration of Azure, offering complex and broad content.

In this week's session, I will delve into the first module of this course, "Managing Identity & Governance in Azure."

This module covers the configuration of MS Entra ID, user and group accounts, subscriptions, Azure Policy, RBAC (Role-Based Access Control), and more.

Our discussion will cover the initial details of these components, providing a solid foundation for mastering identity management and governance within the Azure environment.


1. MS Entra ID configuration
Microsoft Entra ID: Microsoft's multitenant cloud-based directory and identity management service. It provides:

- Access to internal resources & apps on your corporate network.
- Access to external resources like M365, Azure portal & SaaS apps.
- Cloud apps developed for your organization.

Features of MS Entra ID

  1. Single sign-on: an authentication method that lets users sign in to multiple applications and websites with a single set of credentials.
  2. Universal device support: through an MDM solution such as Intune, you can manage and support devices running macOS, Android, iOS and Windows.
  3. Secure remote access: MFA (multi-factor authentication) is the key feature. Combined with Conditional Access, it provides a secure environment for your identities and devices.
  4. Cloud extensibility: cloud features extend across environments, including on-premises, AWS and GCP, so you can manage and monitor your organization's entire estate from one place.
  5. Sensitive data protection: capabilities to protect your identities.
  6. SSPR: self-service password reset.

2. User & Group accounts configuration
You can manage user and group accounts using the Azure Portal, M365 Admin Center, Azure CLI, Azure PowerShell or Azure CloudShell.

Tip: 

- For one-time actions, use the Azure Portal.
- For bulk actions and automation, use scripts with Azure CLI, PowerShell or Cloud Shell.

User Accounts

  1. Cloud identity: the admin and user accounts of your organization that are created and managed directly in MS Entra ID.
  2. Directory-synced identity: using MS Entra Connect, you synchronize your on-premises Active Directory to MS Entra ID. This is a one-way sync with Active Directory as the source of your identities. If you want to synchronize bidirectionally, you'll need to use MS Entra Cloud Sync.
  3. Guest users: external individuals invited to collaborate in your organization's tenant. On invitation they are granted permissions to specific organizational resources only; their access is restricted and limited, keeping their engagement with your assets controlled. This maintains security while enabling collaboration with external partners, vendors or contributors.

Group accounts

Group Types

  • Security groups: manage user and device access to shared resources for a set of users.
  • M365 groups: groups built for collaboration, providing shared mailboxes, calendars, SharePoint sites and more.

Membership Types

  • Assigned: add specific users manually.
  • Dynamic user: a membership rule, written as a query on user attributes, adds users to the group automatically when their attributes match.
  • Dynamic device (security groups only): rules that automatically add devices to security groups.
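The bulk-action tip and the membership types above, as an added example that is not the article's own code: it creates users from a constructed CSV with Azure CLI, sets their department through Microsoft Graph, and creates a dynamic security group keyed on that attribute. The tenant domain, names and group are placeholders, and it assumes an `az login` session with rights to create users and groups.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): bulk user creation from a CSV and a
# dynamic security group, via Azure CLI. Domain and CSV rows are placeholders.
TENANT_DOMAIN="contoso.example"
USERS_CSV='displayName,mailNickname,department
Alice Example,alice,Finance
Bob Example,bob,Finance
Carol Example,carol,Engineering'
# Users whose department attribute is Finance join the group automatically.
FINANCE_RULE='(user.department -eq "Finance") and (user.accountEnabled -eq true)'

# Build a UPN from a mail nickname; reject characters that would make the
# UPN invalid so a bad CSV row fails before any API call is made.
make_upn() {
  case "$1" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s@%s\n' "$1" "$TENANT_DOMAIN"
}

create_users() {
  # Skip the CSV header; one account per row with a random per-user
  # password that must be changed at first sign-in.
  printf '%s\n' "$USERS_CSV" | tail -n +2 | while IFS=, read -r name nick dept; do
    upn=$(make_upn "$nick") || { echo "skipping invalid nickname: $nick" >&2; continue; }
    pw=$(openssl rand -base64 18)
    az ad user create --display-name "$name" --user-principal-name "$upn" \
      --mail-nickname "$nick" --password "$pw" \
      --force-change-password-next-sign-in true >/dev/null
    # 'department' is not an 'az ad user create' option; set it via Microsoft Graph.
    uid=$(az ad user show --id "$upn" --query id -o tsv)
    az rest --method patch --url "https://graph.microsoft.com/v1.0/users/$uid" \
      --body "{\"department\":\"$dept\"}"
    echo "created $upn"
  done
}

create_dynamic_group() {
  # Security group whose membership is computed from FINANCE_RULE.
  local rule; rule=$(printf '%s' "$FINANCE_RULE" | sed 's/"/\\"/g')
  az rest --method post --url "https://graph.microsoft.com/v1.0/groups" --body "{
    \"displayName\": \"Finance-Dynamic\", \"mailNickname\": \"finance-dynamic\",
    \"mailEnabled\": false, \"securityEnabled\": true,
    \"groupTypes\": [\"DynamicMembership\"], \"membershipRule\": \"$rule\",
    \"membershipRuleProcessingState\": \"On\" }"
}

# Only talk to the tenant when the CLI is present (and signed in).
if command -v az >/dev/null 2>&1; then create_users; create_dynamic_group; fi
```

The generated passwords are never written to disk; the forced change at first sign-in means they only have to be handed over once.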

3. Subscription configuration
A logical unit of Azure services linked to an Azure account.
Your organization can have multiple subscriptions.
Example: one subscription per environment in your organization.

The cost of your subscriptions depends on several factors. The following factors have an impact on your cost:

  • Reservations: if you know you will use certain services for 1 or 3 years, you can request a reservation. This costs less than pay-as-you-go.
  • Azure Hybrid Benefit: if you already own licenses (e.g. Windows 10 licenses), you don't have to buy additional licenses when purchasing Azure services, which decreases your cost.
  • Azure credits: use credits to test and develop on a monthly basis with no extra charges.
  • Azure regions: prices vary from region to region. Always consider deploying resources to the region closest to your customers.
  • Budgets: monitor spending over time and set a budget for your subscription(s) to avoid overspending.
  • Pricing Calculator: estimate the cost of any Azure service before you buy anything (Azure Pricing Calculator).

4. Azure Policy configuration
Create policies that enforce corporate standards at a specific scope.

Management groups

A level of scope and control above your subscriptions.

Azure Policies implementation

  • Enforce rules & compliance
  • Apply policies at scale
  • Perform remediation
  • Exercise governance

Azure Policies creation

  • Create a policy definition: describe the compliance conditions of a resource and the action to take when the conditions are met.
  • Create an initiative definition: a set of policies that helps you track resource compliance state towards a larger goal.
  • Scope the initiative definition: assign it at a certain level (management group, subscription or resource group).
  • Determine compliance: evaluate the compliance state of all resources, resource groups and subscriptions.
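The four creation steps above carried through with Azure CLI, as an added example rather than the article's own code: a definition that denies storage accounts with secure transfer disabled, an initiative wrapping it, an assignment at resource-group scope, and a compliance query. The resource group and names are placeholders; it assumes an `az login` session with Resource Policy Contributor rights.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): define a policy, group it in an
# initiative, assign it to a resource group and query compliance with Azure CLI.
# Names and the resource group are constructed placeholders.
RG="rg-governance-demo"

# Rule: deny any storage account whose secure-transfer setting is false.
POLICY_RULE='{
  "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
    { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
      "equals": "false" }
  ] },
  "then": { "effect": "deny" }
}'

# Resource-group scope in the form Azure expects; pure so it can be checked offline.
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s\n' "$1" "$2"; }

apply_policy() {
  local sub scope def_id
  sub=$(az account show --query id -o tsv)
  scope=$(rg_scope "$sub" "$RG")

  # 1. Policy definition (Indexed mode evaluates only resources that support tags and location).
  az policy definition create --name deny-storage-http --mode Indexed \
    --display-name "Storage accounts must use HTTPS only" --rules "$POLICY_RULE" >/dev/null
  def_id=$(az policy definition show --name deny-storage-http --query id -o tsv)

  # 2. Initiative (policy set) that groups one or more definitions.
  az policy set-definition create --name baseline-storage \
    --definitions "[{\"policyDefinitionId\": \"$def_id\"}]" >/dev/null

  # 3. Assignment at resource-group scope; resources outside it are unaffected.
  az policy assignment create --name baseline-storage-rg \
    --policy-set-definition baseline-storage --scope "$scope" >/dev/null

  # 4. Compliance: existing resources in the group that violate the rule.
  az policy state list --resource-group "$RG" \
    --filter "complianceState eq 'NonCompliant'" \
    --query "[].{resource:resourceId, policy:policyDefinitionName}" -o table
}

if command -v az >/dev/null 2>&1; then apply_policy; fi
```

A deny effect blocks new or updated non-compliant resources; existing ones are only reported, so the compliance query in step 4 is what shows the remediation backlog.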

5. Role-based Access Control (RBAC)
A mechanism that helps you manage who can access Azure resources. It is the built-in authorization system of Azure Resource Manager.

Azure RBAC concepts

  • Security principal (Who): an object representing something (user, group, application) that requests access to resources.
  • Role definition (What): a set of permissions listing the allowed operations (built-in or custom).
  • Scope (Where): the level at which access applies: management group, subscription or resource group.
  • Role assignment: attaches a role definition to a security principal at a particular scope.
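The four concepts above put together with Azure CLI, as an added example rather than the article's own code: a security group (who) receives the built-in Reader role and a custom role (what) at resource-group scope (where) through role assignments. The group, resource group and role names are placeholders; it assumes an `az login` session with User Access Administrator rights.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): a least-privilege Azure RBAC setup
# with Azure CLI. Who = a security group, What = a built-in and a custom role,
# Where = a resource-group scope. Group and resource-group names are placeholders.
GROUP="sg-ops-readers"
RG="rg-app-prod"

# Scope string for each level the concepts above list; pure so the
# format can be checked offline.
scope_for() {
  case "$1" in
    mg)  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    sub) printf '/subscriptions/%s\n' "$2" ;;
    rg)  printf '/subscriptions/%s/resourceGroups/%s\n' "$2" "$3" ;;
    *)   return 1 ;;
  esac
}

# Custom role: read and restart VMs, nothing else. AssignableScopes caps
# where the role can be assigned (here: one subscription, passed as $1).
custom_role_json() {
  printf '{ "Name": "VM Restarter", "IsCustom": true,
  "Description": "Read and restart virtual machines only",
  "Actions": [ "Microsoft.Compute/virtualMachines/read",
               "Microsoft.Compute/virtualMachines/restart/action" ],
  "NotActions": [], "AssignableScopes": [ "%s" ] }\n' "$1"
}

assign_roles() {
  local sub scope gid
  sub=$(az account show --query id -o tsv)
  scope=$(scope_for rg "$sub" "$RG")
  gid=$(az ad group show --group "$GROUP" --query id -o tsv)

  # Built-in Reader at the narrowest scope that fits the need.
  az role assignment create --assignee-object-id "$gid" \
    --assignee-principal-type Group --role Reader --scope "$scope" >/dev/null
  # Custom role definition, then its assignment at the same scope.
  az role definition create \
    --role-definition "$(custom_role_json "$(scope_for sub "$sub")")" >/dev/null
  az role assignment create --assignee-object-id "$gid" \
    --assignee-principal-type Group --role "VM Restarter" --scope "$scope" >/dev/null

  # Audit what the group now holds, including assignments inherited from above.
  az role assignment list --assignee "$gid" --all --include-inherited \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

if command -v az >/dev/null 2>&1; then assign_roles; fi
```

Assigning to a group rather than individual users keeps the assignment list short and reviewable, and the final listing shows inherited grants that a resource-group view alone would hide.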

Azure Roles versus MS Entra Roles

Azure RBAC roles

  • Manage access to Azure resources
  • Scope at multiple levels
  • Roles can be defined via the Azure Portal, CLI or PowerShell

MS Entra roles

  • Manage access to MS Entra resources
  • Scope defined at tenant level
  • Roles can be defined via the Azure Admin Portal, M365 Admin Portal and MS Graph PowerShell

6. MS Entra self-service password reset
SSPR (self-service password reset): to reduce the workload on administrators and cut helpdesk costs, you can let users reset their own password with SSPR.

How does SSPR work?

  • Localization: SSPR reads the browser's locale settings and renders the page in the appropriate language.
  • Verification: the user enters their username and passes a captcha to prove they are not a bot.
  • Authentication: the user supplies the data required to prove their identity; a code or security questions are commonly used.
  • Password reset: once authentication passes, the user enters and confirms a new password.
  • Notification: a message confirming the reset is sent to the user, to administrators, or to both.

Authentication methods

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security questions

Implementation of MS Entra SSPR

1. Prerequisites before implementation

  • MS Entra organization: at least a trial license must be enabled to use SSPR.
  • MS Entra account with Global Administrator privileges: this account is used to set up SSPR.
  • Non-admin user account: a valid user account is needed to test SSPR.
  • Security group: used to limit the roll-out of SSPR and test the configuration thoroughly.

2. Scope of SSPR

  • Disabled: the default; no users can use SSPR.
  • Enabled: all users can use SSPR.
  • Selected: only members of the chosen security group can use SSPR. This is ideal for testing or for phased roll-outs.

3. SSPR configuration

  • Enable SSPR for all users or for selected users.
  • Choose which authentication methods users can use and how many are required to complete a successful reset.
  • Registration: whether users are required to register for SSPR, and how often they are asked to reconfirm their information.
  • Notifications: choose whether to notify users, administrators or both of password resets.
  • Customization: an email address or web page URL where users can get help.
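A readiness check for the phased roll-out described in the scope and configuration steps above, as an added example that is not the article's own code: it lists pilot-group members who have not yet registered SSPR methods, so the scope is widened from "Selected" to "Enabled" only once registration is complete. It assumes an `az login` session allowed to read the Microsoft Graph authentication-method registration report (an Entra ID P1/P2 tenant); the group name and sample data are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): before widening SSPR from "Selected"
# to "Enabled", list pilot-group members who have not yet registered their SSPR
# methods. Assumes Azure CLI signed in with rights to read authentication-method
# reports (Entra ID P1/P2); the group name and sample data are placeholders.
PILOT_GROUP="sg-sspr-pilot"
GRAPH="https://graph.microsoft.com/v1.0"

# Constructed sample data standing in for the two live queries below.
SAMPLE_PILOT='alice@contoso.example
bob@contoso.example
carol@contoso.example'
SAMPLE_UNREGISTERED='bob@contoso.example
dave@contoso.example'

# Pure helper: print every UPN that appears in both newline-separated lists,
# i.e. pilot members still to chase before the scope is widened.
unregistered_in_pilot() {
  local pilot="$1" unregistered="$2" upn
  printf '%s\n' "$pilot" | while IFS= read -r upn; do
    [ -n "$upn" ] || continue
    if printf '%s\n' "$unregistered" | grep -Fxq -- "$upn"; then
      printf '%s\n' "$upn"
    fi
  done
}

report_pilot_gaps() {
  local pilot unregistered
  # Members of the pilot security group, by UPN.
  pilot=$(az ad group member list --group "$PILOT_GROUP" \
    --query "[].userPrincipalName" -o tsv)
  # Tenant-wide registration report, filtered to users not registered for SSPR.
  unregistered=$(az rest --method get \
    --url "$GRAPH/reports/authenticationMethods/userRegistrationDetails?\$filter=isSsprRegistered%20eq%20false" \
    --query "value[].userPrincipalName" -o tsv)
  unregistered_in_pilot "$pilot" "$unregistered"
}

if command -v az >/dev/null 2>&1; then report_pilot_gaps; fi
```

The Graph report is paged, so in a large tenant follow `@odata.nextLink` before trusting an empty result.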


For a complete and comprehensive overview of the learning path and examination details for AZ-104 Azure Administrator - Manage Identity and Governance in Azure, the Microsoft Learn platform offers an extensive resource. You can explore the specifics via the following link: AZ-104 Manage Identity & Governance in Azure

Nolan Lemuel Augustine

Cloud Engineering | Microsoft Certified Azure Associate AZ104 | AZ900 - SC900 MS-Certified | MD102 - DP900 - DP600 in progress | Experienced Ops Manager | Seeker of Knowledge | "Fortuna Favet Fortibus" | Cloud Explorer

10 months

This is super cool Glenn, how about adding a short exercise for readers to try on the portal to the end of your articles?
