Master Microsoft Entra: A Guide for Students, Administrators and Security Experts (II)


I am continuing to learn about cloud-native Identity and Access Management, specifically with Microsoft Entra, but in the future, I’ll write about others as well.


So, let’s continue!


Previous article: https://www.dhirubhai.net/pulse/master-microsoft-entra-guide-students-administrators-i-daniel-m8atf?utm_source=share&utm_medium=member_ios&utm_campaign=share_via



1. User Creation, Configuration, and Management in Azure

User Access and Authentication

Every user who needs access to Azure resources requires an account in Microsoft Entra ID. This account stores the information needed to authenticate the user.

• Authentication: During sign-in, Microsoft Entra ID verifies the user's identity (password, MFA, and any Conditional Access requirements that apply).

• Authorization: Once authenticated, the user receives an access token. The token is issued for a specific resource and carries claims (identity, group memberships, roles); the resource, for example Azure RBAC, evaluates those claims to decide which actions the user can perform.

User Management in the Azure Portal

To manage users, open the Microsoft Entra ID blade in the Azure portal.

• Only one directory (tenant) can be managed at a time.

• To switch directories, use Directory + Subscription or the Switch directory button in the toolbar.

Viewing Users

• To see the list of users in Microsoft Entra ID, select Users under the Manage section.

• The All users view opens, allowing you to identify each user by type.

• In the User type column you can distinguish internal members from guest users.

Identity Types in Microsoft Entra ID

Microsoft Entra ID categorizes users into three main types:

1. Cloud Identities

• Users created directly in Microsoft Entra ID.

• Includes administrator accounts and managed users within the directory.

• Their source is Microsoft Entra ID or an external Microsoft Entra directory.

• When deleted from the directory they are removed for good once the 30-day soft-delete window described below has passed; there is no on-premises copy to rebuild them from.

2. Directory-Synchronized Identities

• Users that exist in an on-premises Active Directory (AD).

• Synchronized to Microsoft Entra ID via Microsoft Entra Connect.

• Their source is Windows Server AD, so most attributes must be changed on-premises and synchronized rather than edited in the cloud.

3. Guest Users

• External users who need access to Azure resources.

• Can include accounts from other cloud providers and Microsoft accounts (e.g., Xbox Live).

• Their source is Guest User (B2B collaboration).

• Ideal for external vendors or contractors.

• Can be easily removed when no longer needed. Review them periodically: guest accounts tend to outlive the engagement that created them.




2. Creating a New User in Microsoft Entra ID

1. Open the Microsoft Entra admin center and go to the Identity menu.

2. In the left navigation pane, select Users.

3. Click New user.

4. Fill in the following details:

• Username: XX

• Full name: XX

• First name: XX

• Last name: XX

• Password: Create a unique password, or let the portal auto-generate one. In both cases the user must change it at first sign-in, so hand it over out of band and never reuse it for another account.

5. Complete the process and verify that Chris Green's account appears in the All users list.


Creating a Security Group in Microsoft Entra ID

1. Open the Microsoft Entra admin center.

2. In the left navigation pane, go to Identity and select Groups.

3. Click New group.

4. Configure the group with the following settings:

• Group type: Security

• Group name: gg

• Membership type: Assigned

• Owner: Assign your admin account

• Members: xx

5. Confirm that the gg group appears in the All groups list.
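The two procedures above (creating a user, then a security group with an owner and a member), as an added example done with Microsoft Graph PowerShell instead of the portal. This is not code from the original article. It assumes the Microsoft.Graph module is installed, that the signed-in account holds roles able to create users and groups, and it uses a placeholder tenant domain plus the placeholder group name gg from the steps above.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# PowerShell module (Install-Module Microsoft.Graph) and an account holding the
# User Administrator and Groups Administrator roles (or equivalent).
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"

$tenantDomain = "contoso.onmicrosoft.com"   # assumption: use one of your verified domains

# Generate a one-time password rather than inventing one. The user must replace
# it at first sign-in (ForceChangePasswordNextSignIn), so it never stays valid.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes) + "9!"   # suffix guarantees a digit and a symbol

# --- "Creating a New User": the same fields as the New user form ---
$user = New-MgUser -DisplayName "Chris Green" `
    -GivenName "Chris" -Surname "Green" `
    -UserPrincipalName "chris.green@$tenantDomain" `
    -MailNickname "chris.green" `
    -UsageLocation "US" `
    -AccountEnabled `
    -PasswordProfile @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $true
    }
# UsageLocation is set now because license assignment (later in the article) fails without it.

# --- "Creating a Security Group": security group with Assigned membership ---
$group = New-MgGroup -DisplayName "gg" `
    -Description "Security group from the walkthrough" `
    -MailEnabled:$false -MailNickname "gg" `
    -SecurityEnabled
# No -GroupTypes means a plain security group whose members are added manually.

# Owner: the signed-in admin account. Member: the user created above.
$admin = Get-MgUser -UserId (Get-MgContext).Account
New-MgGroupOwnerByRef  -GroupId $group.Id -OdataId "https://graph.microsoft.com/v1.0/users/$($admin.Id)"
New-MgGroupMemberByRef -GroupId $group.Id -OdataId "https://graph.microsoft.com/v1.0/users/$($user.Id)"

# Verify, as you would in the All users / All groups views
Get-MgUser -UserId $user.Id -Property "displayName,userPrincipalName,userType,accountEnabled" |
    Format-List DisplayName, UserPrincipalName, UserType, AccountEnabled
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# Hand the initial password over out of band (not by email); it is shown once here.
$initialPassword
```

The scopes requested at Connect-MgGraph are delegated permissions; the calls still succeed only if the signed-in account's directory role allows the operation, which is why the comment names the roles.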


Assigning a License to a Group

1. In the All groups list, select the group to license (the example uses Marketing).

2. In the group pane, go to Manage and select Licenses.

3. Click Assignments.

4. In the Update license assignments screen:

• Under Select licenses, check the box for the desired license.

• Under Review license options, verify the service plans that will be enabled.

• If you selected multiple licenses, use the Review license options menu to view the specific plans for each one.

5. Click Save. Assignment runs asynchronously; revisit the group's Licenses pane afterwards to see members that could not be licensed (section 5 lists the reasons).


Restoring or Permanently Deleting a User in Microsoft Entra ID

When a user is deleted, the account is soft-deleted and retained for 30 days. During this period you can restore it together with its properties. After 30 days the account is purged automatically and the deletion becomes irreversible.

You can view, restore, or permanently delete users from the Microsoft Entra ID interface (Users > Deleted users).

Important:

Once an account is permanently deleted, neither you nor Microsoft Support can recover it.

Required Permissions:

To restore or permanently delete users, you must hold one of the following roles:

• Global Administrator

• Partner Tier1 Support

• Partner Tier2 Support

• User Administrator

The two Partner Tier roles are legacy roles intended for Microsoft partners and should not be assigned for general use. For day-to-day work, User Administrator is the least-privileged choice; do not hand out Global Administrator for this task.


Deleting a User

1. Open the Microsoft Entra admin center.

2. In the left navigation pane, go to Identity and select Users.

3. In the user list, check the box for the user you want to delete (e.g., Chris Green).

Tip: You can select multiple users at once. If you open a specific user's page, you will only manage that user.

4. With the user selected, click Delete user.

5. Confirm the action in the dialog box and click OK.


Restoring a Deleted User

Deleted users can be restored within 30 days of deletion.

1. On the Users page, select Deleted users from the left navigation pane.

2. Find and select the user you want to restore.

Important: Deleted accounts are permanently removed after 30 days.

3. Click Restore user.

4. Confirm the action in the dialog box and click OK.

5. Go to All users to verify that the user has been restored.
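The delete, inspect, restore and purge steps above, as an added example in Microsoft Graph PowerShell (not code from the original article). It assumes the Microsoft.Graph module, a signed-in account with the User Administrator role, and a placeholder UPN.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph and the
# User Administrator role; the UPN is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"

$upn  = "chris.green@contoso.onmicrosoft.com"   # assumption
$user = Get-MgUser -UserId $upn -Property "id,userPrincipalName"

# 1. Soft delete. The object moves to Deleted users; sign-in stops immediately,
#    but the id, properties and group memberships are kept for 30 days.
Remove-MgUser -UserId $user.Id

# 2. Inspect the recycle bin. The UPN of a deleted user is prefixed with its
#    object id, so match on Id rather than on the name.
$deleted = Get-MgDirectoryDeletedItemAsUser -All | Where-Object Id -eq $user.Id
if ($deleted) {
    "Deleted on {0:u}; automatic purge after {1:u}" -f $deleted.DeletedDateTime, $deleted.DeletedDateTime.AddDays(30)
}

# 3a. Restore: the account returns with the same id and UPN, so existing role
#     assignments and group memberships apply again.
Restore-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
Get-MgUser -UserId $user.Id -Property "displayName,userPrincipalName,accountEnabled" |
    Format-List DisplayName, UserPrincipalName, AccountEnabled

# 3b. Or purge permanently. Neither you nor Microsoft Support can undo this; it is
#     the same action as "Delete permanently" in the Deleted users pane.
# Remove-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
```

Because a restored user keeps its object id, anything that referenced the id (role assignments, Conditional Access exclusions, app role assignments) is live again the moment the restore completes; review those before restoring an account that was deleted for cause.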




3. Creating, Configuring, and Managing Groups in Microsoft Entra

What is a Group in Microsoft Entra?

A group in Microsoft Entra allows you to organize users and simplify permission management. Instead of assigning access rights individually, resource or directory owners grant permissions to the group once, and every member inherits them.

Benefits:

• Defines a security boundary for access.

• Adds or removes users with minimal effort.

• Supports dynamic membership based on rules such as department or job title.


Types of Groups in Microsoft Entra

1. Security Groups

• Used to manage access to shared resources within teams or departments.

• Allows security policies to be applied to all members simultaneously.

• Created by a Microsoft Entra administrator (users can create security groups only if the tenant setting "Users can create security groups" allows it).

2. Microsoft 365 Groups

• Facilitates collaboration by providing a shared mailbox, calendar, files, and SharePoint site.

• Allows external members (guests) to be included.

• Can be created by both administrators and users (by default).


Viewing and Managing Groups

All groups are listed under Groups in the Microsoft Entra Identity pane, within the Manage section.

Note: A new Microsoft Entra ID tenant does not include any predefined groups.

Group Membership Types

When creating a group, you must define the membership type, which determines how members are added:

• Assigned: Members are added and removed manually.

• Dynamic (user or device): Membership is computed from a rule over attributes such as department or job title, so users are added and removed automatically.


Dynamic Groups

A dynamic group automatically updates its membership based on a membership rule.

Key Features:

• Rules are evaluated against user (or device) attributes stored in Microsoft Entra ID; for synchronized users those attributes originate in on-premises Active Directory.

• Automatically adds users who meet the criteria.

• Removes members when their attributes no longer match.

• Requires a Microsoft Entra ID P1 (or Intune for Education) license.

Caution: If a user's attributes change, they may be added to or removed from the group, and with it gain or lose whatever access the group grants. That is the point (leavers and movers lose access without a ticket), but it also means a mistyped department value can grant access. Keep attribute provisioning tightly controlled and review rule changes the way you would review a permission change.
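The dynamic group described above, as an added example in Microsoft Graph PowerShell (not code from the original article): it creates a rule-based security group, then checks the materialised membership against what the rule should produce. It assumes the Microsoft.Graph module and a tenant with Microsoft Entra ID P1; the attribute values are placeholders.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph and a
# tenant with Microsoft Entra ID P1; the attribute values are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Membership rule syntax: user.<attribute> <operator> <value>, combined with -and / -or.
# Values are double-quoted inside the rule; -startsWith, -contains and -match also exist.
$rule = '(user.department -eq "Marketing") -and (user.jobTitle -startsWith "Manager") -and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "Dyn-Marketing-Managers" `
    -MailEnabled:$false -MailNickname "dyn-marketing-managers" `
    -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"   # "Paused" stops evaluation without dropping members

# Membership is materialised asynchronously. Compute what the rule should yield
# from the directory, then compare with what the service produced.
$expected = Get-MgUser -All -Filter "department eq 'Marketing' and accountEnabled eq true" `
    -Property "id,userPrincipalName,jobTitle" |
    Where-Object { $_.JobTitle -like "Manager*" }

Start-Sleep -Seconds 60   # small tenants finish within a minute; large ones take longer
$actual = Get-MgGroupMember -GroupId $group.Id -All

# "<=" rows: expected but not (yet) in the group. "=>" rows: in the group but not
# expected by our reading of the rule, which is the drift worth investigating.
Compare-Object -ReferenceObject @($expected | ForEach-Object Id) -DifferenceObject @($actual | ForEach-Object Id)

# The caution in the text in one line: change an attribute and the next cycle
# moves the user out of the group, and out of everything the group grants.
# Update-MgUser -UserId ($expected | Select-Object -First 1).Id -Department "Sales"
```

Running the comparison on a schedule is a cheap detection control: an unexpected "=>" row means either the rule was edited or someone's attributes were changed to satisfy it.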


4. Configuration and Management of Device Registration

With the increasing variety of devices and the rise of the Bring Your Own Device (BYOD) model, IT teams face two seemingly opposing challenges:

1. Enabling users to be productive anytime, anywhere, on any device.

2. Protecting the organization's critical resources.

The first step toward security is managing device identity: only a device that has an identity in the directory can be named in policy.

Tools like Microsoft Intune register and manage these identities, checking compliance with security policies and regulations.

Additionally, Microsoft Entra ID enables Single Sign-On (SSO) to devices, applications, and services from any location without compromising security.

• Users gain access to the resources they need.

• IT teams maintain control and security across the organization.


Microsoft Entra Registered Devices

Microsoft Entra registered devices are designed for BYOD and mobile scenarios, allowing users to access corporate resources from their personal devices.

Registered Device Features

  • Definition: Devices registered in Microsoft Entra ID without requiring an organizational account to sign in to the device.
  • Target Audience: Users with BYOD or mobile devices.
  • Device Ownership: User or organization.
  • Supported Operating Systems: Windows 10, Windows 11, iOS, Android, and macOS.
  • Sign-in Options: Local credentials, password, Windows Hello, biometrics, or PIN.
  • Device Management: Managed through Microsoft Intune or other MDM solutions.
  • Key Capabilities: Single Sign-On (SSO), Conditional Access to resources.

Microsoft Entra registered devices sign in with a local account (such as a Microsoft account) but are also linked to a Microsoft Entra ID account, which lets them access organizational resources.

Access can be restricted based on device identity and Conditional Access policies.

For greater control, administrators can use Mobile Device Management (MDM) tools like Microsoft Intune, which enable:

• Applying security configurations (encryption, password policies).

• Ensuring security software is up to date.

Registration in Microsoft Entra ID can happen automatically the first time a work application is accessed, or manually from Settings > Accounts > Access work or school > Connect on Windows 10/11.

Example Scenarios with Registered Devices

Scenario 1: An employee needs to access corporate email and reporting tools from their personal laptop. Their organization requires the device to comply with Microsoft Intune policies. To gain access, the user registers the device in Microsoft Entra ID, and the required security settings are applied.


Scenario 2: An employee attempts to access corporate email from a personal Android phone that has been rooted. Their company has an Intune compliance policy that blocks rooted devices, so the device is marked non-compliant and Conditional Access denies access to organizational resources.

Microsoft Entra Joined Devices

Microsoft Entra join is designed for organizations that want to be cloud-first or cloud-only.

Any company, regardless of size or industry, can deploy Microsoft Entra joined devices for secure access to applications and resources in both cloud and on-premises environments.

What Are Microsoft Entra Joined Devices?

• Definition: Devices joined only to Microsoft Entra ID; an organizational account is required to sign in.

• Target Audience: Cloud-only and hybrid organizations.

• Device Ownership: Owned and administered by the organization.

• Supported Operating Systems: Windows 10 and Windows 11 (except Home editions).

• Device Management: Managed through Microsoft Intune or other Mobile Device Management (MDM) solutions.

• Key Capabilities:

• Single Sign-On (SSO) to both on-premises and cloud resources.

• Conditional Access for enhanced security.

• Self-service password reset from the lock screen.

• Windows Hello for Business PIN reset from the lock screen.


Security and Management

Microsoft Entra joined devices gain access to organizational resources under Conditional Access policies that can evaluate both the device identity (compliant, hybrid joined, device filters) and the Microsoft Entra user account.

Management Tools:

• Microsoft Intune (MDM management).

• Microsoft Endpoint Configuration Manager (for co-management scenarios).


Benefits:

• Enforcement of security policies (encryption, password rules, etc.).

• Control over software installations and updates.

• Deployment of enterprise applications to managed devices.


Deployment Methods

Devices can join Microsoft Entra through:

• Out-of-Box Experience (OOBE): Quick and easy setup.

• Bulk Enrollment: For large-scale deployments, using a provisioning package.

• Windows Autopilot: Automated device provisioning.


Access to On-Premises Resources

Although Microsoft Entra joined devices are designed for cloud environments, they can still access on-premises resources when connected to the corporate network, provided the user account is synchronized from on-premises AD: Windows obtains a Kerberos ticket from an on-premises domain controller, so users can authenticate to file servers, printers, and enterprise applications.


Use Cases

Microsoft Entra joined devices are ideal for organizations that want to:

• Migrate to the cloud using Microsoft Entra ID and Intune.

• Manage devices such as tablets and phones that need MDM rather than a domain join.

• Access Microsoft 365 and SaaS applications integrated with Microsoft Entra ID.

• Manage temporary employees, contractors, or students without an Active Directory infrastructure.

• Support remote workers and branch offices with limited infrastructure.


Key Benefits

Adopting Microsoft Entra joined devices simplifies:

• Windows device deployment in corporate environments.

• Access to resources and applications from any Windows device.

• Centralized, cloud-based management.

• Sign-in with Microsoft Entra ID or synchronized Active Directory accounts.

Microsoft Entra joined devices can be deployed in different ways depending on the organization's needs.


Hybrid Microsoft Entra Joined Devices

For over a decade, organizations have relied on on-premises Active Directory (AD) domain join for:

• Centralized management: IT teams manage corporate devices from a single point.

• Secure access: Users sign in with their AD work or school accounts.

In on-premises environments, organizations typically use Configuration Manager or Group Policy (GPOs) to manage devices and deploy images.


If your organization has on-premises AD but wants to use Microsoft Entra ID as well, you can implement Hybrid Microsoft Entra joined devices.

These devices are joined to on-premises AD and registered in Microsoft Entra ID, combining both worlds.


What Are Hybrid Microsoft Entra Joined Devices?

• Definition: Devices joined to on-premises AD and registered in Microsoft Entra ID; an organizational account is required to sign in.

• Target Audience: Hybrid organizations with an Active Directory infrastructure.

• Ownership: Corporate (managed by the organization).

• Supported OS: Windows 11, 10, 8.1, 7; Windows Server 2008/R2, 2012/R2, 2016, 2019. Note that Windows 7, 8.1 and Server 2008/2012 have reached end of support; current Microsoft documentation lists Windows 10 or newer and Windows Server 2016 or newer.

• Sign-in Methods: Password or Windows Hello for Business.

• Management: Group Policy (GPO), standalone Configuration Manager, or co-management with Configuration Manager + Intune.

• Key Capabilities: Single Sign-On (SSO) to cloud and on-premises resources; Conditional Access; self-service password reset; Windows Hello PIN reset.


When to Implement Hybrid Microsoft Entra Joined Devices

Use them if your organization:

• Relies on Win32 applications that require machine authentication against Active Directory.

• Needs to manage devices with Group Policy (GPOs).

• Requires compatibility with older OS versions, such as Windows 7 and 8.1.

• Wants to continue using existing imaging tools for device configuration.


Device Writeback

• In a cloud-only environment, devices are registered only in Microsoft Entra ID and do not appear in on-premises AD.

• This enables Conditional Access in the cloud but leaves AD without visibility of those devices.

Solution:

Device Writeback (a Microsoft Entra Connect feature) replicates Microsoft Entra ID device objects into on-premises AD, storing them in the RegisteredDevices container.

Example Use Case:

• You want to restrict access to an application to users on registered devices.

• In the cloud: create a Conditional Access policy in Microsoft Entra ID.

• On-premises: without Device Writeback this isn't possible. If the application is federated through AD FS (Windows Server 2012 R2 or later), you can write claim rules that check the device object before granting access.

Windows Hello for Business (WHFB) requires Device Writeback in hybrid and federated environments.
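The three device identities described in this section (registered, joined, hybrid joined) are distinguished in the directory by the device object's trustType. As an added example (not code from the original article), this Microsoft Graph PowerShell script inventories a tenant by join type and flags the devices a Conditional Access policy should not be trusting: non-compliant ones, and stale ones with no recent sign-in. It assumes the Microsoft.Graph module with Device.Read.All; the 90-day threshold is my own choice.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph with
# Device.Read.All; the 90-day staleness threshold is an assumption.
Connect-MgGraph -Scopes "Device.Read.All"

# trustType is how the directory records the three device identities described above.
$joinType = @{
    Workplace = "Microsoft Entra registered"        # BYOD: personal account + work account added
    AzureAd   = "Microsoft Entra joined"            # cloud-only corporate device
    ServerAd  = "Hybrid Microsoft Entra joined"     # on-prem AD joined and registered in Entra
}
$staleBefore = (Get-Date).AddDays(-90)

$devices = Get-MgDevice -All -Property "id,displayName,trustType,isCompliant,isManaged,operatingSystem,operatingSystemVersion,approximateLastSignInDateTime,accountEnabled"

$report = foreach ($d in $devices) {
    $type = if ($d.TrustType) { $joinType[$d.TrustType] } else { "unknown" }
    # No sign-in recorded, or none in 90 days: the device identity is still valid
    # for Conditional Access but nobody is vouching for the box any more.
    $stale = ($null -eq $d.ApproximateLastSignInDateTime) -or ($d.ApproximateLastSignInDateTime -lt $staleBefore)
    [pscustomobject]@{
        Name       = $d.DisplayName
        JoinType   = $type
        OS         = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
        Enabled    = $d.AccountEnabled
        Managed    = $d.IsManaged
        Compliant  = $d.IsCompliant
        LastSignIn = $d.ApproximateLastSignInDateTime
        Stale      = $stale
    }
}

# How the estate splits across the three device types
$report | Group-Object JoinType | Select-Object Name, Count | Format-Table -AutoSize

# Devices a "require compliant device" policy would reject, or that should be
# disabled and cleaned up (stale registered devices are an easy foothold to keep)
$report | Where-Object { -not $_.Compliant -or $_.Stale } |
    Sort-Object LastSignIn |
    Format-Table Name, JoinType, OS, Managed, Compliant, LastSignIn, Stale -AutoSize
```

Registered (Workplace) devices that are neither managed nor compliant are the population Scenario 2 above is about; if the report shows many of them with recent sign-ins, a compliance requirement in Conditional Access is not actually being enforced for them.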



5. License Management in Microsoft Cloud Services

Introduction

Microsoft's paid cloud services, such as Microsoft 365, Enterprise Mobility + Security, and Dynamics 365, require a license for each user. To manage these, administrators use:

• Administration portals (Microsoft 365 admin center, Azure portal, Microsoft Entra admin center)

• PowerShell cmdlets (Microsoft Graph PowerShell) and the Microsoft Graph API

Microsoft Entra ID is the identity and access management infrastructure behind all Microsoft cloud services, and it stores each user's license assignment state.

Challenges in License Management

• Previously, licenses could only be assigned at the user level, which does not scale in large organizations.

• Adding or revoking licenses required administrators to run PowerShell scripts by hand.

• Organizational changes, such as new hires or departures, required constant manual adjustment.

Solution: Microsoft Entra ID supports group-based licensing, which makes administration faster and less error-prone.


How Group-Based Licensing Works

• Administrators assign one or more licenses to a group in Microsoft Entra ID.

• Automatic assignment: all group members receive the licenses without manual intervention.

• Dynamic management: when a user joins the group they get the license; when they leave, the license is removed automatically.


Requirements for Using Group-Based Licensing

To use this feature, the organization must have one of the following subscriptions:

• Microsoft Entra ID P1 or higher (paid or trial)

• Office 365 Enterprise E3, Office 365 A3, Office 365 GCC G3, Office 365 E3 for GCCH, or Office 365 E3 for DOD and above

Required Number of Licenses

Although licenses are no longer assigned to each user by hand, the organization must still own enough licenses to cover every group member.

Example:

If a group has 1,000 licensed users, the organization must have at least 1,000 licenses to comply with the usage agreement.


Key Features of Group-Based Licensing

Assignment to Security Groups

• Works with Microsoft Entra ID security groups, whether synced from on-premises AD with Microsoft Entra Connect or created in the cloud.

Disabling Specific Services

• Administrators can disable individual service plans within a product if the organization isn't ready to use them.

Example: Assign Microsoft 365 to a department but temporarily disable Yammer (now Viva Engage).

Compatibility with All Microsoft Services

• Works with Microsoft 365, Enterprise Mobility + Security, and Dynamics 365.

Availability

• Available in the Azure portal, in the Microsoft Entra admin center (Billing > Licenses), and through the Microsoft Graph API.

Automated Change Management

• Microsoft Entra ID adjusts licenses within minutes after a group membership change.

Support for Multiple License Sources

• A user can belong to multiple groups with different licenses, or also have directly assigned licenses.

• If the same license is inherited from multiple groups, it is consumed only once; no duplicate seats are used.

Cases Where a License Cannot Be Assigned

• Not enough available licenses.

• Conflicting service plans have been assigned to the same user (for example, two plans that cannot coexist, such as Exchange Online Plan 1 and Plan 2 from different SKUs).

• The user's usage location does not permit the service.

• Administrators can review the errors on the group's Licenses pane and take corrective action; until they do, the affected users remain unlicensed.

Location and Geographic Restrictions

• Some Microsoft services are not available in all regions.

• Before assigning a license, the administrator must ensure that each user's usage location is set in their profile.

• If a user has no usage location, they inherit the directory's default location.

• Best practice: set the usage location as part of user creation, for example in the Microsoft Entra Connect attribute flow for synchronized users, so that assignment does not fail later.
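The portal procedure "Assigning a License to a Group" earlier in the article and the checks this section describes (enough seats, usage location, disabled service plans, assignment errors), as one added example in Microsoft Graph PowerShell. This is not code from the original article. It assumes the Microsoft.Graph module, a qualifying subscription, a group named Marketing, and that the SKU part number and service plan name used here exist in your tenant; both are placeholders you should replace after listing your own with Get-MgSubscribedSku.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph, a
# qualifying subscription, a group named Marketing, and that the SKU part number
# and service plan name below exist in your tenant (placeholders).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All", "User.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Marketing'"
$sku   = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "SPE_E3"   # Microsoft 365 E3 (assumption)

# Usage agreement: you need at least as many seats as members, or some assignments fail.
$members = Get-MgGroupMember -GroupId $group.Id -All
$free    = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -lt $members.Count) {
    Write-Warning "$($members.Count) members but only $free free seats of $($sku.SkuPartNumber)"
}

# Usage location check up front: a user without one inherits the tenant default,
# which may not permit every service.
$members | ForEach-Object { Get-MgUser -UserId $_.Id -Property "userPrincipalName,usageLocation" } |
    Where-Object { -not $_.UsageLocation } |
    ForEach-Object { Write-Warning "$($_.UserPrincipalName) has no usage location" }

# Disable one service plan for the group (the article's "disable Yammer" case).
# The plan name YAMMER_ENTERPRISE is an assumption; read yours from $sku.ServicePlans.
$disabled = $sku.ServicePlans |
    Where-Object ServicePlanName -eq "YAMMER_ENTERPRISE" |
    Select-Object -ExpandProperty ServicePlanId

Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @($disabled) }) `
    -RemoveLicenses @()

# Assignment is asynchronous. The group reports its processing state, and members
# the service could not license (no seats, conflicting plans, location) are listed
# with the error, mirroring the Licenses pane in the portal.
(Get-MgGroup -GroupId $group.Id -Property "id,licenseProcessingState").LicenseProcessingState.State

Get-MgGroupMemberWithLicenseError -GroupId $group.Id -All | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property "userPrincipalName,usageLocation,licenseAssignmentStates"
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        UsageLocation = $u.UsageLocation
        Error         = ($u.LicenseAssignmentStates | Where-Object AssignedByGroup -eq $group.Id).Error
    }
}
```

A user's licenseAssignmentStates entries record whether each license came from a group (AssignedByGroup holds the group id) or was assigned directly, which is how the "only consumed once" rule from this section can be verified for a specific user.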



6. Creating Custom Security Attributes in Microsoft Entra ID

What Is a Custom Security Attribute?

Custom security attributes in Microsoft Entra ID are business-specific key-value pairs defined by the organization. They can be assigned to directory objects and are useful for:

• Storing business-specific information.

• Classifying and organizing objects.

• Applying attribute-based access control (ABAC) to Azure resources.

Why Use Custom Security Attributes?

• User profile extensions: store information such as hire date or hourly wage.

• Controlled access to sensitive data: unlike ordinary directory extension attributes, custom security attributes can be read only by principals holding the Attribute Assignment Reader or Attribute Assignment Administrator role (not even a Global Administrator sees them by default), so a value such as a salary band is not exposed to every account with directory read access.

• Application classification: build a filterable inventory for easier audits.

• Granular resource access: grant permissions based on attributes, such as Azure Storage blob access by project, through ABAC conditions on Azure role assignments.


What Can You Do with Custom Security Attributes?

• Define custom attributes tailored to business needs.

• Assign attributes to users, Microsoft Entra enterprise applications (service principals), and managed identities.

• Manage objects using filters and queries based on attribute values.

• Govern access by letting attribute values decide who can access which resources.


Key Features

• Available across the entire tenant.

• Supports attribute descriptions.

• Supports multiple data types: Boolean, integer, string.

• Allows single or multiple values.

• Supports free-form or predefined values.

• Can be assigned to users synchronized from on-premises Active Directory (the attribute values themselves live in Microsoft Entra ID and are not synchronized).

Plan attribute sets and definitions carefully: once created they cannot be deleted, only deactivated.
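The lifecycle this section describes (define an attribute set and an attribute with predefined values, assign it to a user, then query on it), as an added example in Microsoft Graph PowerShell; not code from the original article. It assumes the Microsoft.Graph module and a signed-in account holding the Attribute Definition Administrator and Attribute Assignment Administrator roles. The set name Engineering, the attribute Project, its values and the user UPN are placeholders.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph and the
# Attribute Definition Administrator + Attribute Assignment Administrator roles
# (a Global Administrator does not get these by default). Names are placeholders.
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All", "CustomSecAttributeAssignment.ReadWrite.All", "User.Read.All"

# 1. Attribute set: a namespace for related attributes. It cannot be renamed or deleted later.
New-MgDirectoryAttributeSet -Id "Engineering" -Description "Attributes for engineering projects" -MaxAttributesPerSet 25

# 2. Definition: multi-valued string, restricted to predefined values, searchable so it can be filtered on.
New-MgDirectoryCustomSecurityAttributeDefinition `
    -AttributeSet "Engineering" -Name "Project" `
    -Description "Projects the principal is cleared for" `
    -Type "String" -Status "Available" `
    -IsCollection:$true -IsSearchable:$true -UsePreDefinedValuesOnly:$true

# Allowed values; the definition id is "<set>_<name>".
foreach ($v in "Alpine", "Baker", "Cascade") {
    New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue `
        -CustomSecurityAttributeDefinitionId "Engineering_Project" -Id $v -IsActive:$true
}

# 3. Assign to a user. A multi-valued attribute needs its own @odata.type annotation.
$userId = (Get-MgUser -UserId "chris.green@contoso.onmicrosoft.com").Id   # assumption
Update-MgUser -UserId $userId -CustomSecurityAttributes @{
    Engineering = @{
        "@odata.type"        = "#Microsoft.Graph.customSecurityAttributeValue"
        "Project@odata.type" = "#Collection(String)"
        Project              = @("Baker", "Cascade")
    }
}

# 4. Query: who is cleared for Baker? This is an advanced query, hence
#    ConsistencyLevel eventual and a $count variable.
Get-MgUser -Filter "customSecurityAttributes/Engineering/Project eq 'Baker'" `
    -ConsistencyLevel eventual -CountVariable n `
    -Property "id,displayName,customSecurityAttributes" |
    ForEach-Object {
        "{0}: {1}" -f $_.DisplayName, ($_.CustomSecurityAttributes.AdditionalProperties | ConvertTo-Json -Compress -Depth 5)
    }
```

Because only the attribute roles can read these values, the same query run by an account that merely has User.Read.All returns users without the customSecurityAttributes property populated; that is the access-control property the section is describing, and it is worth testing with a non-attribute-role account before relying on it.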




7. Exploring Automatic User Provisioning

SCIM System Components (System for Cross-domain Identity Management)

HCM System (Human Capital Management)

• Applications that manage and automate HR processes throughout the employee lifecycle; the authoritative source of who works for the organization.

Microsoft Entra Provisioning Service

• Uses the SCIM 2.0 protocol for automatic provisioning.

• Connects to the application's SCIM endpoint using the bearer token configured on the enterprise application.

• Uses the SCIM object schema and REST API to create, update, and disable (or delete) users and groups automatically.

Microsoft Entra ID

• Central identity repository, responsible for managing the user lifecycle and permissions.

Target System

• An application or system that exposes a SCIM endpoint, which the Microsoft Entra provisioning service calls to keep users and groups in sync.


Why Use SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard (RFC 7643 and RFC 7644) that automates identity management across IT systems and identity domains.

Key Benefits

• Automatic account creation in Microsoft Entra ID or Windows Server Active Directory when employees are added to the HCM system.

• Near real-time synchronization of user attributes and profiles across systems (the Entra provisioning cycle runs roughly every 40 minutes; on-demand provisioning is available for individual users).

• Automated user deactivation and updates based on status or role changes.

• Enhanced security: when a user is removed from the HR system and deprovisioned in Microsoft Entra ID, their downstream application accounts are disabled as well, closing the gap in which orphaned accounts stay usable.

With SCIM, user identities stay up to date and every leaver is handled by the same automated path.
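The protocol exchange this section describes, as an added example that is not part of the original article: the SCIM 2.0 calls the Microsoft Entra provisioning service makes against a target application (lookup by userName, create, disable), replayed by hand with Invoke-RestMethod so a SCIM endpoint can be tested before it is wired to Entra. The base URL, bearer token and user data are placeholders constructed for the example.

```powershell
# Added example, not from the original article. The endpoint and token are
# placeholders; the user record is constructed for the example.
$base    = "https://app.example.com/scim/v2"              # assumption: the app's SCIM endpoint
$token   = "<long-lived bearer token issued by the app>"  # assumption; Entra stores this on the enterprise app
$headers = @{ Authorization = "Bearer $token"; Accept = "application/scim+json" }
$upn     = "chris.green@contoso.onmicrosoft.com"          # constructed

# 1. Entra first asks whether the user already exists, filtering on the matching attribute (userName by default).
$filter = [uri]::EscapeDataString("userName eq `"$upn`"")
$found  = Invoke-RestMethod -Method Get -Uri "$base/Users?filter=$filter" -Headers $headers

if ($found.totalResults -eq 0) {
    # 2. Create. The body follows the core User schema; Entra's attribute mappings
    #    fill these fields, with the Entra object id carried as externalId.
    $create = @{
        schemas     = @("urn:ietf:params:scim:schemas:core:2.0:User")
        userName    = $upn
        externalId  = "11111111-2222-3333-4444-555555555555"   # constructed object id
        name        = @{ givenName = "Chris"; familyName = "Green" }
        displayName = "Chris Green"
        emails      = @(@{ primary = $true; type = "work"; value = $upn })
        active      = $true
    } | ConvertTo-Json -Depth 4
    $user = Invoke-RestMethod -Method Post -Uri "$base/Users" -Headers $headers `
        -ContentType "application/scim+json" -Body $create
} else {
    $user = $found.Resources[0]
}
"SCIM id for $upn is $($user.id)"

# 3. Deprovision. When the user leaves scope or is soft-deleted in Entra, the
#    service sends a PATCH setting active=false rather than a DELETE, so the app
#    keeps the data and can re-enable the account if the person returns.
#    (Entra has been seen sending the op as "Replace"; a server should accept either case.)
$patch = @{
    schemas    = @("urn:ietf:params:scim:api:messages:2.0:PatchOp")
    Operations = @(@{ op = "replace"; path = "active"; value = $false })
} | ConvertTo-Json -Depth 4
Invoke-RestMethod -Method Patch -Uri "$base/Users/$($user.id)" -Headers $headers `
    -ContentType "application/scim+json" -Body $patch

# 4. Verify the app honoured it: an inactive user must no longer be able to sign in.
$after = Invoke-RestMethod -Method Get -Uri "$base/Users/$($user.id)" -Headers $headers
if ($after.active) { Write-Warning "Endpoint ignored active=false; deprovisioning will not disable access" }
```

Step 4 is the check that matters for the security benefit described above: a SCIM server that accepts the PATCH but does not actually block sign-in for inactive users gives the provisioning dashboard a green status while the leaver keeps access.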




Source: learn.microsoft.com

Daniel álvarez García

#iam #DigitalIdentity #microsoft #DigitalTransformation #DigitalIdentityFuture
