Microsoft Azure Administrator: Azure Identities (With Step By Step Demo)
Fakhar ul Hassan
Cloud Infrastructure | Azure, Azure AD/Entra ID, AWS, DevOps, Automation, Infrastructure as Code (IaC), GitHub, GitLab CICD, Ansible, Terraform, Python, PowerShell, Bash
Introduction:
Before creating, deploying, migrating or using resources and services in the Azure cloud, it is very important to understand the Azure identity service (i.e. Azure AD).
In this article, I have tried to explain different Azure identity features and concepts, with demo screenshots of the step-by-step procedure for the relevant tasks and activities.
Following are the agenda items which have been covered in this article:
1- Azure Active Directory
2- Azure AD: Types of Identities
3- Azure AD: Users & Groups
4- Azure AD Group Types
5- Azure AD Group Membership Type
6- Azure AD Administrative Units (AUs)
7- Azure Device Management: Azure AD Registered & Azure AD Join
8- Self Service Password Reset (SSPR)
9- Conditional Access
1- Azure Active Directory (AD):
The following types of accounts are managed in Azure AD:
Azure AD: Types of Identities
To manage the above-mentioned types of accounts in Azure AD, one of the following user roles is required:
2- Azure AD: Users & Groups
To see how users and groups can be created in Azure AD using PowerShell, see my following article on LinkedIn:
3- Azure AD Group Types
There are two types of groups in Azure AD:
i) Security
These are similar to the security groups managed in on-premises AD and are used to control access / permissions for users, applications, etc.
ii) Microsoft 365
This type applies when we have Microsoft 365 licenses and want to create Microsoft 365 groups for SharePoint Online, Exchange Online, etc.
4- Azure AD Group Membership Types:
There are two membership types for groups in Azure AD:
i) Assigned
In this type of membership, group owners add or remove users from the group manually.
ii) Dynamic
In this type of membership, users are added to the group dynamically based on Azure AD user properties. The owner of this group can add / remove licenses and update the dynamic membership rules.
Note: Under the dynamic membership type, license distribution and role assignment can be automated: whenever a user becomes a member of the dynamic group, the appropriate licenses are allocated and the pre-defined Azure AD RBAC (role-based access control) role(s) are assigned to him/her.
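As an added example (not from the article), the dynamic security group described above created with the Microsoft Graph PowerShell SDK instead of the portal; the group name, mail nickname and the Sales department value are assumptions, and an interactive Connect-MgGraph sign-in with the Group.ReadWrite.All scope is required.

```powershell
# Added example: create a dynamic security group whose membership follows user properties.
# Requires the Microsoft.Graph.Groups module; group name and rule values are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Membership rule in Azure AD dynamic-group syntax: enabled accounts in the Sales department.
# Keeping accountEnabled in the rule means a disabled account drops out of the group, and so
# loses any licenses or roles tied to the group, without an owner touching the membership.
$rule = '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'

$group = New-MgGroup `
    -DisplayName "Sales-Dynamic" `
    -Description "Dynamic membership: enabled users in Sales" `
    -MailEnabled:$false `
    -MailNickname "sales-dynamic" `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"   # "Paused" creates the group but never evaluates the rule

# Membership is evaluated asynchronously, so members appear a short while after creation.
# Review the selected members before assigning licenses or an RBAC role to the group.
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, Department, AccountEnabled } |
    Select-Object DisplayName, Department, AccountEnabled
```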
5- Azure AD Administrative Units (AUs):
These are similar to the organizational units (OUs) used in on-premises AD. AUs are used to organize Azure AD users and to delegate administrative permissions. This reduces organizational complexity by logically segregating users, so that the administrative tasks performed on different sets of users can be better managed and controlled.
Note: Administrative Units (AUs) can be created / managed / removed by either a 'Global Administrator' or a 'Privileged Role Administrator'.
6- How to create an Administrative Unit (AU)?:
Step-1: Sign in to the Azure portal, i.e. portal.azure.com
Step-2: Go to the default tenant of your Azure AD
Step-3: Click "Administrative units" [See below image for reference]
Step-4: Type the name and description of the AU. Then click "Next". [See below image for reference]
Step-5: Then select the appropriate administrative role for this AU, to be assigned to any user of your choice. Then click "Next". [See below image for reference]
Step-6: Assign the selected role in previous step to any user of your choice. Then click "Next". [See below image for reference]
Step-7: Click "Review + create". [See below image for reference]
Step-8: Click "Create". [See below image for reference]
Note: It will take some time for the newly created AU to show up. Then you can add users and / or groups to that AU.
7- Azure Device Management
Here we are discussing the devices / systems which can be joined to Azure AD and managed using Azure MDM (Mobile Device Management) tools. A user with either of the following roles can enable and disable devices in Azure AD:
There are two types of Azure AD join:
i) Azure AD Registered (For Personal Devices)
ii) Azure AD Join (For Organization Owned Devices)
Azure AD Registered:
The Microsoft Authenticator app can be used to register BYOD (Bring Your Own Device) devices, i.e. iOS and Android devices. Personal computers (not owned by the organization) running Windows operating systems can be registered with Azure AD using either a Microsoft Account (MSA) or a local Azure AD account.
So, by registering personal systems or devices with either an MSA or a local Azure AD account, users can access corporate data on their own devices / systems.
Azure AD Join:
In this case, organization-owned devices (e.g. a Windows 10 device, a Windows Server 2022 device, etc.) are joined to Azure AD and the user signs in using an Azure AD account. The user then has access to the organization's corporate data.
On the other hand, for organizations maintaining a local on-premises AD synchronized with Azure AD using Azure AD Connect, users with organization-owned devices can sign in with AD DS credentials, which are also maintained in Azure AD. This is called Hybrid Azure AD Join.
Note:
i) An Azure VM extension can be enabled during Windows virtual machine creation to join the VM to Azure AD.
ii) The user who wants to log in to this new Windows VM:
8- Self Service Password Reset (SSPR):
As the name implies, when this setting is enabled in Azure, users do not have to ask the AD administrators for a password reset. Instead, they can reset their password by themselves.
How to Enable SSPR?
Step-1: Open the Azure portal (i.e. portal.azure.com) and sign in.
Step-2: Go to the default Azure tenant directory.
Step-3: Go to the "Password reset" option. [See below image for reference]
Step-4: Select a suitable option from "None", "Selected" or "All". The description of each option is given in the below image for reference:
Step-5: Select the appropriate group from the right pane, for which you want to enable the SSPR settings. Then click the "Save" button. [See below image for reference]
Step-6: Click "Save", to save and apply the SSPR settings. [See below image for reference]
Now the SSPR settings have been enabled for the selected group, i.e. "Team Group 1".
There are some additional SSPR settings; some are mentioned below:
i) Authentication methods: Specifies which authentication methods are made available to users so that they can reset their password, for example Email, SMS, Security questions, etc. [See below image for reference]
ii) Registration: Under this setting we can specify the number of days after which users are asked to re-confirm their authentication information. [See below image for reference]
iii) Notifications: Under this setting, we can configure the notification settings. [See below image for reference]
iv) Customization: Under this setting, we can customize / configure the helpdesk URL or email. [See below image for reference]
9- Conditional Access:
Conditional access is a feature of Azure AD which allows administrators to implement conditional access policies for granular control and a secure user experience. These policies rely on many signals to control who can access what data and from where. This feature is available only in paid editions of Azure AD.
Using this Azure AD feature, user access can be controlled based on the following criteria:
i) User Location: This setting validates whether the user's access request is coming from the expected location / IP range.
ii) User Device: This setting confirms whether the device from which the user's access request is coming is a trusted / compliant device.
iii) User Attributes: This setting validates whether the user requesting access belongs to the allowed user groups.
iv) User Application Specific Policy: This setting checks whether the user's access request is coming from a trusted application.
How to enable conditional access?
Step-1: Open the Azure portal (i.e. portal.azure.com) and sign in.
Step-2: Go to the default Azure tenant directory.
Step-3: Select "Security" [See below image]
Step-4: Select "Conditional access" [See below image]
Step-5: Select "New policy" [See below image]
Step-6: Select "Create new policy" [See below image]
Step-7: Write the name of this policy and select the user / workload where you want to assign the policy [See below image]
Step-8: In the right pane, select the user to whom you want to assign this new policy [See below image]
Step-9: Click under "Cloud apps or actions" and select the user / group on which you want to apply this policy.
Step-10: Under "Cloud apps or actions", specify the application on which you want to apply the policy: click "Select apps", then in the right pane click on the application which you want to select.
Then click the "Select" button at the bottom of the right pane.
Step-11: Under the "Access controls" section, select "0 controls", then in the right pane, select "Grant access", then select "Require multi-factor authentication" (you may select as many controls as you want), then click "Select".
Step-12: At the bottom of this page, under the "Enable policy" section, click "On".
v) Session Risk
Once the aforementioned criteria have been applied, users are either allowed access, blocked, or routed to MFA for another layer of authentication. After successfully passing through all these security layers, users are allowed access to the organization's corporate applications / data.
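As an added example (not from the article), the policy that Steps 7 to 12 build in the portal, created with the Microsoft Graph PowerShell SDK; the group, application and emergency-access account IDs are placeholders, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is switched "On".

```powershell
# Added example: "Require multi-factor authentication" for one group on one application.
# Requires the Microsoft.Graph.Identity.SignIns module; the IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$targetGroupId    = "<object id of the group to protect>"
$targetAppId      = "<application id selected under Cloud apps or actions>"
$breakGlassUserId = "<object id of the emergency-access account>"

$policy = @{
    displayName = "CA01 - Require MFA for selected app"
    # Report-only: the sign-in logs show what the policy WOULD do without enforcing it.
    # Change to "enabled" (Step-12's "On") only after reviewing those results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Every conditional access policy must state which client app types it covers.
        clientAppTypes = @("all")
        users = @{
            includeGroups = @($targetGroupId)
            # Exclude at least one emergency-access account so a mis-scoped MFA
            # requirement cannot lock every administrator out of the tenant.
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @($targetAppId)
        }
    }
    grantControls = @{
        operator        = "OR"      # how several controls combine; irrelevant with a single control
        builtInControls = @("mfa")  # the portal's "Require multi-factor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm it is still report-only before anyone enables it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```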
Thank you.
wonderful
IT Support Specialist
2 years
Thank you for sharing.