Master Microsoft Entra: A Guide for Students, Administrators and Security Experts (I)
Daniel Álvarez García
Senior Manager at PwC | Digital Identity and Cybersecurity Expert | Building the Digital Identity community
1. Roles in Microsoft Entra
What is Microsoft Entra ID?
Microsoft Entra ID is a cloud service that manages identities and access. It facilitates employee sign-ins to:
- External resources: Microsoft 365, Azure Portal, and SaaS applications.
- Internal resources: Corporate applications, intranet, and cloud solutions.
Who Uses Microsoft Entra ID?
IT Administrators
- Control access to applications and resources.
- Implement multi-factor authentication.
- Automate user provisioning.
- Protect credentials and comply with access regulations.
Application Developers
- Integrate Single Sign-On (SSO).
- Use Microsoft Entra APIs for customized experiences.
Microsoft 365, Office 365, Azure, and Dynamics CRM Subscribers
- Already have access to Microsoft Entra ID.
- Manage access from day one.
Role Management in Microsoft Entra ID
If a user needs permissions to manage resources in Microsoft Entra, they must be assigned a role with the appropriate permissions.
Types of Roles
1. Classic subscription administrator roles
2. Azure roles
3. Microsoft Entra roles
Microsoft Entra Roles
These roles are used to manage resources within the Microsoft Entra directory.
- Global Administrator: Full access to Microsoft Entra ID and federated services. The first Global Administrator is the user who creates the tenant. They can assign roles and reset passwords.
- User Administrator: Manages users, groups, and technical support. They can reset passwords for users and other administrators.
- Billing Administrator: Makes purchases and manages subscriptions. They oversee service maintenance.
Differences Between Azure Roles and Microsoft Entra Roles
Azure Roles
- Control access to Azure resources.
- Allow defining permissions at different levels (subscription, resource, management group).
- Managed in the Azure Portal, Azure CLI, PowerShell, and REST API.
Microsoft Entra Roles
- Control access to Microsoft Entra resources.
- Applied at the tenant or administrative unit level.
- Managed in the Azure Portal, Microsoft 365, Microsoft Graph, and PowerShell.
Do they overlap?
- By default, no. However, a Global Administrator can elevate their access in the Azure Portal to obtain the User Access Administrator role and manage Azure resources.
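To make the distinction between roles and their scope concrete, here is an added example (not code from the original article) that lists who holds two of the Entra roles discussed above and at which scope. It uses the Microsoft Graph PowerShell SDK and assumes that module is installed and the signed-in account can read role management data; the two role template IDs are Microsoft's well-known built-in IDs for Global Administrator and User Administrator.

```powershell
# Added example, not from the original article: list who holds a given
# Microsoft Entra role and at which scope. Assumes the Microsoft.Graph
# PowerShell SDK and an account allowed to read role management data.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Well-known template IDs of two built-in Entra roles discussed above.
$watchedRoles = @{
    "62e90394-69f5-4237-9190-012177145e10" = "Global Administrator"
    "fe930be7-5e62-47db-91af-98c3a49a38b1" = "User Administrator"
}

$report = foreach ($roleId in $watchedRoles.Keys) {
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$roleId'" -ExpandProperty Principal
    foreach ($a in $assignments) {
        $p = $a.Principal.AdditionalProperties
        [pscustomobject]@{
            Role      = $watchedRoles[$roleId]
            Principal = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
            Type      = $p['@odata.type']   # #microsoft.graph.user, .group or .servicePrincipal
            # "/" = whole tenant; "/administrativeUnits/<id>" = one administrative unit
            Scope     = $a.DirectoryScopeId
        }
    }
}

$report | Sort-Object Role, Scope, Principal | Format-Table -AutoSize

# Tenant-wide Global Administrators are the highest-impact assignments;
# keep that list short and review every entry that is not a person.
$tenantWideGA = @($report | Where-Object { $_.Role -eq "Global Administrator" -and $_.Scope -eq "/" })
"Tenant-wide Global Administrators: $($tenantWideGA.Count)"
```

The Scope column is what separates a tenant-wide Entra role from one delegated to a single administrative unit (covered in the next section); Azure resource roles do not appear here at all, because they live in Azure RBAC rather than in the Entra directory.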
2. Administrative Units in Microsoft Entra ID
What Are Administrative Units?
Administrative Units in Microsoft Entra ID are containers that group users, groups, and devices, allowing permissions to be restricted to a specific part of the organization.
Example of use:
A regional support administrator can manage users only in their designated area without affecting the rest of the organization.
Principle of Least Privilege
In a single-tenant environment, an administrator role grants access to all users. To restrict this and enhance security:
- Administrative Units with specific permissions are created.
- A User Administrator can only manage specific users and groups (e.g., the research team in a hospital).
- This prevents administrators from having unnecessary access to the entire tenant.
Available Administrator Roles in an Administrative Unit
Each Administrative Unit can be managed by users with the following specific roles:
- Authentication Administrator
- Groups Administrator
- Helpdesk Administrator
- License Administrator
- Password Administrator
- User Administrator
Note: In on-premises environments, this was managed through Organizational Units (OUs) in Active Directory.
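The regional-support scenario above, as an added example (not the article's own code): create an administrative unit, add a user to it, and give a helpdesk account the User Administrator role scoped to that unit only. It uses the Microsoft Graph PowerShell SDK; the unit name and the two UPNs are constructed placeholders, and the User Administrator role definition ID is Microsoft's well-known built-in ID.

```powershell
# Added example, not from the original article. Names and UPNs are
# constructed placeholders; adjust them for your tenant.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", `
    "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

# 1. Create the container for the region.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Region - Iberia" `
        -Description "Users supported by the Iberia helpdesk"

# 2. Put a user in the unit (placeholder UPN).
$member = Get-MgUser -UserId "alice@contoso.example"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($member.Id)" }

# 3. Assign User Administrator to the helpdesk account, scoped to the unit
#    rather than to the whole tenant ("/").
$userAdminRoleId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
$helpdesk = Get-MgUser -UserId "bob.support@contoso.example"
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $userAdminRoleId `
    -PrincipalId $helpdesk.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify: every assignment for this account should carry an AU scope.
#    A "/" here would mean the role applies to the entire tenant.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($helpdesk.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Because the assignment carries the administrative unit as its directory scope, the helpdesk account can reset passwords or edit profiles only for members of "Region - Iberia"; the same role assigned with scope "/" would cover every user in the tenant.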
Planning Administrative Units
Administrative Units allow logical organization of resources in Microsoft Entra ID and Microsoft 365.
Implementation Examples:
- By Geographic Location → Global IT organizations can define units by region.
- By Suborganization → Multinational companies can segment by semi-autonomous subsidiaries.
Phases in Creating Administrative Units:
1. Initial Adoption → Units are created based on basic needs.
2. Optimization → Unnecessary units are removed.
3. Stabilization → The final structure is defined without frequent changes.
Delegation of Administration in Microsoft Entra ID
- As an organization grows, centralized administration becomes more complex.
- To ease this burden, administrator roles in Microsoft Entra can be delegated.
Benefits of Delegation:
- Reduces the workload of the Global Administrator
- Minimizes security risks
- Distributes responsibilities more effectively
Methods for Delegating Permissions in Applications
Options for managing applications in Microsoft Entra ID:
1. Restricting Application Creation and Management
- By default, all users can register applications.
- This can be restricted so only specific users can do so.
2. Assigning Application Owners
- Allows a specific user to manage all aspects of an application without access to others.
3. Assigning Administrative Roles
- Grants permissions for all applications without affecting other Entra ID areas.
4. Creating Custom Roles
- Defines specific permissions for users in a particular application.
Advantages:
- Reduces the workload of the Global Administrator
- Improves security by restricting permissions
Delegation Plan
For effective delegation, follow these steps:
- Define the necessary roles
- Delegate application administration
- Grant permissions for application registration
- Assign application ownership
- Develop a security plan
- Establish emergency accounts
- Protect administrator roles
- Implement temporary privilege elevation
Delegation of Application Administration
If application management falls to the Global Administrator, it is recommended to delegate it with specific roles:
Application Administrator
- Manages all applications in Microsoft Entra ID.
- Controls registrations, single sign-on (SSO), assignments, and licenses.
- Cannot manage Conditional Access.
Cloud Application Administrator
- Same as the Application Administrator but without access to on-premises proxies.
Delegating Application Registration
By default, all users can create application registrations.
To restrict this:
- Disable the option “Users can register applications” in settings.
- Assign the Application Developer role only to authorized users.
To control application consent:
- Disable the option “Users can allow applications to access company data.”
- Assign the Application Developer role to specific users.
Note: When an Application Developer creates a new registration, they are automatically added as an owner.
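The two restrictions just described (app registration and user consent), followed by the targeted Application Developer assignment, as an added example that is not the article's own code. It uses the Microsoft Graph PowerShell SDK and follows the documented pattern of updating the tenant authorization policy; the developer UPNs are constructed placeholders, and the role is looked up by display name rather than by a hard-coded ID.

```powershell
# Added example, not from the original article. UPNs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", `
    "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

# "Users can register applications" = No
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }

# Remove the permission-grant policies that let ordinary users consent on
# their own; admin consent is unaffected.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Look the role up by name instead of hard-coding its template ID.
$appDev = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Developer'"

# Only these accounts may now create app registrations (placeholder UPNs).
$developers = @("dev1@contoso.example", "dev2@contoso.example")
foreach ($upn in $developers) {
    $u = Get-MgUser -UserId $upn
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $appDev.Id `
        -PrincipalId $u.Id -DirectoryScopeId "/"
}

# Confirm the policy switch and the resulting role membership.
$policy = Get-MgPolicyAuthorizationPolicy | Select-Object -First 1
"AllowedToCreateApps: $($policy.DefaultUserRolePermissions.AllowedToCreateApps)"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($appDev.Id)'" -ExpandProperty Principal |
    ForEach-Object { $_.Principal.AdditionalProperties['userPrincipalName'] }
```

The final query is the check worth re-running periodically: the role list is the complete set of non-admin accounts that can still create registrations, so any name you do not recognise is a delegation to revisit.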
Delegation of Application Ownership
Application ownership can be assigned to specific enterprise applications.
Example: A user can be the owner of the Salesforce application, managing only its access and configuration.
Available Roles:
- Enterprise Application Owner: Manages single sign-on settings, assignments, and users.
  Cannot modify Conditional Access or application proxy settings.
- Application Registration Owner: Manages the application registration, manifest, and assignment of owners.
Developing a Security Plan
Microsoft Entra ID recommends a security strategy to protect administrative roles.
Key Measures:
- Emergency Accounts → Maintain backup administrative access.
- Administrator Role Protection → Prioritize security for privileged accounts.
- Temporary Privilege Elevation → Assign permissions only when necessary.
- Enable Multi-Factor Authentication (MFA) for all administrative accounts.
3. Permissions in Microsoft Entra
What is a Permission?
A permission is the authorization to perform a specific action. In Microsoft Entra ID, each operation requires permissions, which can range from viewing settings to modifying configurations or managing users.
Permissions can be assigned at two levels:
- User
- Group
However, all permissions ultimately affect users directly.
Types of Users and Default Permissions
- Member Users → Have more default permissions.
- Guest Users → Have additional restrictions.
Permission Control: Adding and Restricting
Principle of Least Privilege
Assign only the necessary permissions to each user, avoiding unnecessary access.
From User Settings, you can restrict:
- Application registration
- Access to the Azure Portal
- LinkedIn account connections
- External collaboration
Role Assignment
When a role is assigned to a user or group, they receive specific permissions, whether they are:
- Member Users
- Guest Users
- Service Principals
Roles are designed to limit actions, ensuring minimal privileges.
Exploring Available Permissions
To prevent unnecessary access, review the permissions granted by each role before assigning it.
There are two main categories:
- Role-based permissions
- Basic read permissions (for guest users and service principals)
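Reviewing what a role grants before assigning it, as an added example (not the article's own code): the Microsoft Graph PowerShell SDK exposes each built-in role's allowed resource actions, so two candidate roles can be compared and any role granting one sensitive action can be found. It assumes the SDK is installed; the action string used at the end is a real Entra resource action, and the two role names are the built-in ones discussed above.

```powershell
# Added example, not from the original article: inspect the actions a
# built-in Entra role allows, and compare two roles before choosing one.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

function Get-RoleActions {
    # Returns the de-duplicated list of allowed resource actions for a role,
    # e.g. "microsoft.directory/users/password/update".
    param([string]$DisplayName)
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    $def.RolePermissions | ForEach-Object { $_.AllowedResourceActions } | Sort-Object -Unique
}

$helpdesk  = @(Get-RoleActions "Helpdesk Administrator")
$userAdmin = @(Get-RoleActions "User Administrator")

"Helpdesk Administrator: $($helpdesk.Count) actions"
"User Administrator:     $($userAdmin.Count) actions"

# Actions User Administrator has that Helpdesk Administrator lacks: this is
# exactly the extra privilege you hand out by choosing the broader role.
Compare-Object -ReferenceObject $helpdesk -DifferenceObject $userAdmin |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject

# Reverse question: which roles (built-in or custom) grant one sensitive action?
$action = "microsoft.directory/users/password/update"
Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.RolePermissions.AllowedResourceActions -contains $action } |
    Select-Object DisplayName, IsBuiltIn
```

Running the comparison before an assignment turns "least privilege" from a principle into a concrete diff: if the only actions the requester needs are in the smaller list, the smaller role is the right one.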
Default User Permissions in Microsoft Entra ID
In Microsoft Entra ID, all users receive a set of default permissions based on their user type, assigned roles, and ownership of objects within the directory.
This article details the default permissions for member and guest users, including a clear comparison.
These permissions can only be modified in the user settings within Microsoft Entra ID.
Member and Guest Users
The default permissions vary depending on whether the user is a native tenant member (member user) or an external guest added via B2B collaboration.
General Permissions - Member Users
Users & Contacts
- View all users and contacts.
- Invite users.
- Manage their own password.
- Manage their own photo and mobile phone.
Groups
- Create security and Microsoft 365 groups.
- View all groups.
- Manage groups they own.
- Add guests to their groups.
Applications
- Register new applications.
- View all applications.
- Manage and delete their own applications.
- View granted app permissions.
Devices
- View and manage devices they own.
Organization
- Read company and domain information.
- View authentication settings.
- View tenant contracts and details.
Roles & Scopes
- View roles and administrative units.
Subscriptions
- View all subscriptions and service plans.
Policies
- View and manage policies they own.
Terms of Use
- View accepted terms of use.
General Permissions - Guest Users
Users & Contacts
- Read name, email, photo, and user type.
- Search for users (if allowed).
- View manager and direct-report details.
Groups
- View public group information.
- View groups they belong to in some Microsoft 365 apps.
Applications
- View registered and enterprise app properties.
- View granted app permissions.
Devices
- No permissions.
Organization
- View company name and domains.
- View authentication settings.
Roles & Scopes / Subscriptions / Policies
- No permissions.
Restricting Default Permissions for Member Users
It is possible to restrict default user permissions in Microsoft Entra in several ways.
Register Applications
- Option “Yes” → Users can register applications.
- Option “No” → Users are prevented from creating application registrations.
- To allow this only for specific users, assign them the Application Developer role.
Connect Work or School Account with LinkedIn
- Option “Yes” → Users can link their accounts.
- Option “No” → Blocks connecting work or school accounts with LinkedIn.
Create Security Groups
- Option “Yes” → Users can create security groups.
- Option “No” → Only users with the User Administrator role can create security groups.
More information: Microsoft Entra cmdlets for configuring groups.
Access to the Microsoft Entra Admin Portal
What Does This Option Do?
- Prevents non-administrators from accessing the admin portal.
- Stops group or application owners from managing their resources via the Azure Portal.
What This Option Does NOT Do
- Does not restrict access to Microsoft Entra data via PowerShell, the Microsoft Graph API, or other clients such as Visual Studio.
- Does not prevent access if the user has an assigned role.
When to Use This Option
- To prevent misconfigurations in user-owned resources.
When NOT to Use This Option
- It should not be used as a security measure.
- Instead, create a Conditional Access policy to block non-admin access to the Windows Azure Service Management API.
How to Allow a Non-Administrator to Access the Admin Portal
- Set the option to “Yes” and assign them the Global Reader role.
Restricting Non-Administrator Users from Creating Tenants
- Users can create tenants in Microsoft Entra ID and in the admin portal.
- Tenant creation is logged in the audit log under the DirectoryManagement category.
- The user who creates a tenant automatically becomes its Global Administrator.
What Does This Option Do?
- Option “Yes” → Only users with the Tenant Creator role can create tenants.
- Option “No” → Any user can create tenants.
How to Allow Only Certain Non-Administrators to Create Tenants
- Set the option to “Yes” and assign them the Tenant Creator role.
Restricting BitLocker Key Recovery
- Setting available in the Microsoft Entra Admin Center (Device Settings section).
- Option “Yes” → Users cannot recover their BitLocker keys and must contact support.
- Option “No” → Users can recover their keys themselves.
Restricting Access to Other Users’ Information
- Setting available only via Microsoft Graph and PowerShell.
- Option “$true” → Users can read information about other users in the directory.
- Option “$false” → Reading other users’ information is blocked.
Important Note:
- This setting may impact other Microsoft services, including Microsoft Teams.
- It is not recommended to set this option to $false except under special circumstances.
Restricting Default Permissions for Guest Users
Guest users’ default permissions can be restricted in the following ways:
Note: The Guest User Access Restrictions setting has replaced Guest User Permissions are Limited.
Guest User Access Restrictions
- Option: “Guest users have the same access as members”
  Grants guests the same default permissions as member users.
- Option: “Guest user access is restricted to their own directory objects”
  Restricts guests to their own profile only.
  They cannot view other users or search for them by principal name, object ID, or display name.
  They cannot access group information, including memberships.
Important: This setting does NOT prevent access to groups in other Microsoft 365 services, such as Microsoft Teams.
Guests can still be assigned administrator roles, regardless of this restriction.
Guests Can Invite
- Option: “Yes” → Allows guests to invite other users.
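All of the member and guest switches above (security group creation, tenant creation, BitLocker key recovery, reading other users, the guest access level and who may invite) live on one tenant object, the authorization policy. The following added example (not the article's own code) reads the current values, prints them, and then applies the restrictive settings discussed above. It uses the Microsoft Graph PowerShell SDK; the three guest-level role IDs are Microsoft's documented well-known values. It re-sends the whole default-permissions object so that untouched switches keep their current value, and it deliberately leaves AllowedToReadOtherUsers at $true for the Teams reason given above.

```powershell
# Added example, not from the original article: review and harden the
# tenant authorization policy that holds the default-permission switches.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy | Select-Object -First 1
$perm   = $policy.DefaultUserRolePermissions

# Documented well-known IDs for the three guest access levels.
$guestLevels = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "same access as members"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "restricted to own directory objects"
}

# Current posture, one line per switch.
[pscustomobject]@{
    AllowedToCreateApps           = $perm.AllowedToCreateApps
    AllowedToCreateSecurityGroups = $perm.AllowedToCreateSecurityGroups
    AllowedToCreateTenants        = $perm.AllowedToCreateTenants
    AllowedToReadBitlockerKeys    = $perm.AllowedToReadBitlockerKeysForOwnedDevice
    AllowedToReadOtherUsers       = $perm.AllowedToReadOtherUsers
    GuestAccessLevel              = $guestLevels[$policy.GuestUserRoleId]
    AllowInvitesFrom              = $policy.AllowInvitesFrom
} | Format-List

# Harden. Every property is sent, copying the ones we are not changing, so the
# update cannot silently reset a switch we did not intend to touch.
$newPerms = @{
    AllowedToCreateApps                      = $perm.AllowedToCreateApps
    AllowedToCreateSecurityGroups            = $false   # only User Administrators
    AllowedToCreateTenants                   = $false   # only Tenant Creators
    AllowedToReadBitlockerKeysForOwnedDevice = $perm.AllowedToReadBitlockerKeysForOwnedDevice
    AllowedToReadOtherUsers                  = $true    # $false breaks Teams and more
    PermissionGrantPoliciesAssigned          = $perm.PermissionGrantPoliciesAssigned
}
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $newPerms `
    -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b" `
    -AllowInvitesFrom "adminsAndGuestInviters"

# Re-read to confirm the change landed.
$after = Get-MgPolicyAuthorizationPolicy | Select-Object -First 1
"Guest level now: $($guestLevels[$after.GuestUserRoleId]); invites from: $($after.AllowInvitesFrom)"
```

The valid values for AllowInvitesFrom are none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers and everyone; the one chosen here matches the "only administrators and guest inviters" position, which removes the ability of ordinary guests to invite further guests.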
Object Ownership in Microsoft Entra ID
Owner Permissions for Different Object Types
1. Application Registration
When a user registers an application, they are automatically assigned as an Owner, which allows them to:
- Manage metadata (name, requested permissions).
- Administer tenant settings such as SSO and user assignments.
- Add or remove other owners.
Key Difference: Unlike an Application Administrator, owners can only manage their own applications.
2. Enterprise Applications
When a user adds an Enterprise Application, they are automatically assigned as an Owner, which allows them to:
- Manage specific settings, such as SSO, provisioning, and user assignments.
- Add or remove other owners.
Key Difference: Unlike an Application Administrator, owners cannot manage applications they do not own.
3. Groups
When a user creates a Group, they are assigned as an Owner, which allows them to:
- Manage group properties (name, settings).
- Manage group membership.
- Add or remove other owners.
Limitations: They can only modify membership according to the group’s membership type.
Optional: To manage group owners, refer to Managing Group Ownership.
For role assignments with Privileged Identity Management (PIM), refer to Using Microsoft Entra Groups.
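Ownership is both a delegation tool (the Salesforce example in the application-ownership section earlier) and an accountability gap when nobody holds it. This added example (not the article's own code) serves both passages: it builds an owner inventory for app registrations, enterprise applications and groups, flags objects with no owner, and then delegates one app registration to a named owner. It uses the Microsoft Graph PowerShell SDK; the app name and the owner's UPN are constructed placeholders.

```powershell
# Added example, not from the original article. App name and UPN are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Group.Read.All", "User.Read.All" -NoWelcome

function Get-OwnerReport {
    # One row per object: its kind, name, id, owners (joined by ';') and
    # whether it has no owner at all.
    param([string]$Kind, $Objects, [scriptblock]$OwnerLookup)
    foreach ($o in $Objects) {
        $owners = @(& $OwnerLookup $o.Id)
        $names = $owners | ForEach-Object {
            $ap = $_.AdditionalProperties
            if ($ap['userPrincipalName']) { $ap['userPrincipalName'] } else { $ap['displayName'] }
        }
        [pscustomobject]@{
            Kind      = $Kind
            Name      = $o.DisplayName
            Id        = $o.Id
            Owners    = ($names -join ';')
            Ownerless = ($owners.Count -eq 0)
        }
    }
}

$report = @(
    Get-OwnerReport -Kind "AppRegistration" -Objects (Get-MgApplication -All) `
        -OwnerLookup { param($id) Get-MgApplicationOwner -ApplicationId $id -All }
    Get-OwnerReport -Kind "EnterpriseApp" `
        -Objects (Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") `
        -OwnerLookup { param($id) Get-MgServicePrincipalOwner -ServicePrincipalId $id -All }
    Get-OwnerReport -Kind "Group" -Objects (Get-MgGroup -All) `
        -OwnerLookup { param($id) Get-MgGroupOwner -GroupId $id -All }
)

# Ownerless objects have nobody accountable for their settings or membership;
# they are the first candidates for clean-up or for assigning an owner.
$report | Where-Object Ownerless | Format-Table Kind, Name, Id -AutoSize

# Delegate a single app registration to a named user (placeholder values).
$app   = Get-MgApplication -Filter "displayName eq 'Salesforce'" | Select-Object -First 1
$owner = Get-MgUser -UserId "salesforce.admin@contoso.example"
New-MgApplicationOwnerByRef -ApplicationId $app.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($owner.Id)" }
```

Owners of an app registration can add further owners, so the inventory is also the place to spot registrations whose owner list has grown beyond the people who should be able to change its credentials and requested permissions.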
4. Domains in Microsoft Entra ID
Domain Name Concept in Microsoft Entra ID
A domain name is a key identifier in Microsoft Entra ID and is used in:
- Usernames and email addresses
- Group addresses
- Application identifier URIs
An organization in Microsoft Entra ID can include its own domain.
Only Global Administrators can manage domain names.
Setting the Primary Domain Name
When an organization is created in Microsoft Entra, an initial domain is automatically assigned and set as the primary domain.
Important:
- The user who creates the tenant becomes the Global Administrator and can add more administrators.
- The primary domain is used as the default when creating new users.
- Changing the primary domain does not affect existing usernames.
Steps to Change the Primary Domain:
1. Sign in to the Azure Portal with a Global Administrator account.
2. Select Microsoft Entra ID.
3. Go to Custom Domain Names.
4. Choose the domain to set as primary.
5. Click Make Primary and confirm the action.
Adding Custom Domain Names
An organization can add up to 900 managed domains.
If the domains are configured with Windows Server Active Directory, the limit is 450 domains per organization.
Adding Subdomains
If adding a subdomain (e.g., europe.contoso.com), the root domain (contoso.com) must be added and verified first.
- Microsoft Entra ID automatically verifies the subdomain once added.
- If the subdomain is added in another organization, a TXT record must be added at the DNS provider.
Changing the DNS Registrar
If switching to a new DNS registrar, no additional configuration is required in Microsoft Entra ID.
- The domain remains functional without interruption.
- If the domain is linked to Microsoft 365 or Intune, refer to the specific documentation.
Deleting a Custom Domain Name
A custom domain can be deleted if it is no longer in use or needs to be associated with another organization.
Conditions for Deletion
A domain cannot be deleted if:
- A user has a username, email, or proxy address linked to the domain.
- A group has an email or proxy address associated with the domain.
- An application has an identifier URI containing the domain.
To delete the domain, these resources must be modified or removed first.
ForceDelete Option for Domain Removal
ForceDelete allows removing a custom domain using the Microsoft Entra Admin Center or the Microsoft Graph API.
It is an asynchronous operation that replaces all references to the custom domain with the default domain ([email protected]).
Requirements to Use ForceDelete in the Azure Portal:
- The domain must have fewer than 1000 references.
- References managed by Exchange (such as mail-enabled security groups and distribution lists) must be removed or updated in the Exchange Admin Center.
ForceDelete Limitations:
It cannot be executed if:
- The domain was purchased through Microsoft 365.
- It is managed by a delegated admin on behalf of another organization.
Actions Performed by ForceDelete:
- Updates UPNs, email addresses, and proxy addresses to the default domain.
- Modifies identifier URIs for users and applications.
Errors That Prevent ForceDelete:
- More than 1000 objects need to be modified.
- An affected application is multi-tenant.
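The domain lifecycle described in this section, as an added example (not the article's own code): add a custom domain, read the TXT record the registrar must publish, verify it, and, before a deletion, count the user, group and application references that would block it. It uses the Microsoft Graph PowerShell SDK; "contoso.example" is a constructed placeholder domain.

```powershell
# Added example, not from the original article. The domain is a placeholder.
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.Read.All", `
    "Group.Read.All", "Application.Read.All" -NoWelcome

$domain = "contoso.example"

# 1. Add the domain and print the TXT record the DNS registrar must publish.
New-MgDomain -Id $domain | Out-Null
Get-MgDomainVerificationDnsRecord -DomainId $domain |
    Where-Object RecordType -eq 'Txt' |
    ForEach-Object { "TXT  $($_.Label)  $($_.AdditionalProperties['text'])  (TTL $($_.Ttl))" }

# 2. Once the record has propagated, verify. A root domain must be verified
#    before a subdomain such as europe.contoso.example can be added.
Confirm-MgDomain -DomainId $domain | Out-Null
"Verified: $((Get-MgDomain -DomainId $domain).IsVerified)"

# 3. Before deleting: find every object that still references the domain.
function Get-DomainReferences {
    param([string]$Domain)
    $pattern = [regex]::Escape($Domain)
    # endsWith needs an advanced query: ConsistencyLevel eventual + $count.
    $users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable c `
        -Filter "endsWith(userPrincipalName,'@$Domain')" -Property userPrincipalName
    $groups = Get-MgGroup -All -Property displayName, proxyAddresses |
        Where-Object { $_.ProxyAddresses -match "@$pattern$" }
    $apps = Get-MgApplication -All -Property displayName, identifierUris |
        Where-Object { $_.IdentifierUris -match $pattern }
    [pscustomobject]@{
        Users  = @($users).Count
        Groups = @($groups).Count
        Apps   = @($apps).Count
    }
}
$refs = Get-DomainReferences -Domain $domain
$refs | Format-List

# 4. A normal delete only succeeds when nothing references the domain; fix
#    the references first rather than reaching for ForceDelete, which would
#    rewrite them to the default domain instead.
if (($refs.Users + $refs.Groups + $refs.Apps) -eq 0) {
    Remove-MgDomain -DomainId $domain
} else {
    Write-Warning "Domain still referenced; update UPNs, proxy addresses and identifier URIs first."
}
```

The reference count is the same check the portal performs when it refuses a deletion; running it yourself shows which of the three object kinds is holding the domain, which the portal error does not.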
5. Tenant-Wide Settings
The tenant settings in Microsoft Entra ID encompass global options that affect all resources and users within the directory.
These settings are managed from the Microsoft Entra Admin Center and allow control over security, permissions, collaboration, and more.
General Options for the Entire Tenant
1. Tenant Properties
Key Settings:
- Directory name
- Primary contact
- Other basic tenant values
2. User Settings
Defines global user rights, including:
- Application registration
- Profile management
3. External Collaboration Settings
Defines what guest users can do:
- Invite other external users
- Access specific resources
User Permissions Management
In Microsoft Entra ID, permissions depend on the user type and their assigned roles.
Member Users
Can:
- Register applications
- Manage their mobile number and profile picture
- Change their password
- Invite B2B users
- Read most directory information
Guest Users
Have restricted permissions:
- Manage their own profile
- Change their password
- Access limited information about other users, groups, and applications
- Cannot list all users and groups in the directory
- Can be assigned administrative roles for additional permissions
Default Permission Restrictions
- Application Registration: Members can register apps by default. To restrict this, disable it and assign the Application Developer role only to the users who need it.
- Admin Portal Access: If set to “No”, non-administrator users cannot access the Microsoft Entra Admin Portal.
- Sign in with LinkedIn: Allows users to sign in with LinkedIn for easier registration and personalization.
Security Management
To protect identities and mitigate attacks, Microsoft Entra ID includes predefined security settings:
- Mandatory enrollment in Multi-Factor Authentication (MFA)
- MFA required for administrators
- Blocking of legacy authentication
- Context-based MFA enforcement
- Protection of privileged access (e.g., Azure Portal access)
Availability:
- These settings are available to all tenants at no additional cost.
Managing External Users
Controls what guest users can do within the tenant.
Available Options:
- Guest User Access → Guests operate similarly to regular users but can only see their own content.
- Guest Invitation → Controls who can invite new users (administrators, all users, or only guests themselves).
- Guest Self-Service → Allows guests to access self-service options.
Tenant Property Configuration
Defines key information about the tenant’s appearance and management in Microsoft Entra ID.
- Name: The tenant name visible in the Azure Portal.
- Country or Region: The location of the main company and the Azure data centers used.
- Notification Language: The language used for alerts and notifications.
- Tenant ID: The unique identifier of the tenant, used in development.
- Technical Contact: The primary contact person or team for the tenant (default: tenant creator).
- Privacy Contact: The person or alias responsible for privacy-related inquiries.
- Privacy Statement URL: A link to the organization’s privacy policy.
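The tenant properties just listed, together with the predefined security settings from the Security Management section (exposed in Microsoft Graph as the security defaults enforcement policy), can be read in one pass. This added example (not the article's own code) prints the tenant's identity and contact properties, reports whether security defaults are on, and counts Conditional Access policies, since the two mechanisms are mutually exclusive and a tenant with neither has no tenant-wide MFA enforcement. It uses the Microsoft Graph PowerShell SDK and only reads; it assumes an account with the listed read permissions.

```powershell
# Added example, not from the original article: read-only tenant posture check.
Connect-MgGraph -Scopes "Organization.Read.All", "Policy.Read.All" -NoWelcome

$org = Get-MgOrganization | Select-Object -First 1
[pscustomobject]@{
    Name                 = $org.DisplayName
    TenantId             = $org.Id
    CountryOrRegion      = $org.CountryLetterCode
    NotificationLanguage = $org.PreferredLanguage
    TechnicalContacts    = ($org.TechnicalNotificationMails -join ';')
    PrivacyContact       = $org.PrivacyProfile.ContactEmail
    PrivacyStatementUrl  = $org.PrivacyProfile.StatementUrl
    DefaultDomain        = ($org.VerifiedDomains | Where-Object IsDefault).Name
} | Format-List

# Security defaults (mandatory MFA registration, admin MFA, legacy auth
# blocked) versus Conditional Access: enabling one requires the other to be
# absent, so both are reported side by side.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$ca = @(Get-MgIdentityConditionalAccessPolicy -All)
$caEnabled = @($ca | Where-Object State -eq 'enabled')

"Security defaults enabled  : $($sd.IsEnabled)"
"Conditional Access policies: $($ca.Count) total, $($caEnabled.Count) enabled"

if (-not $sd.IsEnabled -and $caEnabled.Count -eq 0) {
    Write-Warning "Neither security defaults nor an enabled Conditional Access policy is enforcing MFA."
}
if (-not $org.TechnicalNotificationMails) {
    Write-Warning "No technical contact is set; service notifications have nowhere to go."
}
```

Technical contact and privacy contact are worth including in such a check because they are where Microsoft sends service and security notifications; a tenant whose contact is the long-departed person who created it is a common finding.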