Concepts to know about Microsoft Cloud Services
- Things are constantly changing
- You must be agile in utilising Microsoft’s cloud services
Basics of Using Azure AD Portal
All users and groups in Microsoft 365 are stored in Azure AD.
You can see users and groups in both the Azure and the Microsoft 365 admin portals. There are some crossover features in both places, but some features are only available in Azure AD and vice versa.
Understanding Azure AD Directory Roles
Role-based Access Control (RBAC):
- Roles provide a means of assigning privileges in the Azure/Microsoft 365 environment
- Roles allow you to see exactly what rights are assigned to a user or group
- Identities can be assigned multiple roles
Some roles are specific to Azure, some are specific to M365.
In the past, when you used groups and assigned permissions to those groups, it was hard to go back and see exactly what permissions were assigned to those groups (unless it was documented properly). With roles, the permissions are documented for you automatically, since each role definition is stored as JSON.
Principle of Least Privilege: give someone the least amount of rights that allows them to do their job.
PIM: Privileged Identity Management
This allows you to achieve "Just in Time" (JIT) administration using roles: you assign a role to an identity temporarily, on a schedule, rather than permanently.
Configuring and managing Azure AD directory Roles
Go to Azure AD -> Roles and Administrators
Here you can see the full list of roles Microsoft has created.
EXAM TIP: it is a good idea to get familiar with some of these roles. Go into the roles and have a look at the description and the permissions etc…
Assigning role to an identity
You can do it in several ways:
- Go to the role -> Add assignment and select the user
- Go to the user and add them to the role that way
- Go to the “Security & Compliance centre”
Custom Domains in Microsoft 365 / Azure AD
By default you get an "onmicrosoft.com" extension for your cloud domain. EG:
You can add your own domain. To do this you need to prove you own your domain. You can do this by:
- Adding a TXT record to your DNS for your domain
- Adding a file to your website
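The TXT-record proof above comes down to one check: does the domain apex publish the exact token Microsoft handed you? The following is an added example (not Microsoft's tooling) that performs that check; the DNS lookup is a pluggable function so the logic runs offline against constructed records, and `live_txt_lookup` shows how the same check would be wired to the dnspython package. The `MS=ms…` token value and the zone data are constructed placeholders, not real verification values.

```python
"""Added example, not Microsoft's tooling: check whether a domain publishes the
ownership-proof TXT record Microsoft 365 asks for (a value of the form
MS=msXXXXXXXX at the domain apex). The lookup is pluggable so the logic can be
exercised offline. All tokens and zone data below are constructed placeholders."""
from __future__ import annotations
from typing import Callable, Iterable

TxtLookup = Callable[[str], Iterable[str]]


def normalise_txt(record: str) -> str:
    """DNS tools return TXT data quoted and sometimes split into several
    quoted strings; join the pieces and drop the quotes and surrounding space."""
    pieces = [p.strip().strip('"') for p in record.strip().split('" "')]
    return "".join(pieces).strip()


def domain_verified(domain: str, expected_token: str, lookup_txt: TxtLookup) -> bool:
    """True only if a TXT record on `domain` equals the expected token
    (case-insensitive). A token embedded in some other record does not count."""
    expected = expected_token.strip().lower()
    for record in lookup_txt(domain.rstrip(".")):
        if normalise_txt(record).lower() == expected:
            return True
    return False


# Constructed zone data standing in for real DNS answers.
CONSTRUCTED_ZONE = {
    "contoso.example": ['"v=spf1 include:spf.protection.outlook.com -all"', '"MS=ms12345678"'],
    "fabrikam.example": ['"v=spf1 -all"', '"MS=ms99999999"'],  # a different tenant's token
}


def constructed_txt_lookup(name: str) -> list[str]:
    """Offline stand-in for a resolver; returns the constructed records."""
    return list(CONSTRUCTED_ZONE.get(name.rstrip("."), []))


def live_txt_lookup(name: str) -> list[str]:
    """Real resolver path (requires the dnspython package); not used by the demo."""
    import dns.resolver
    return [rdata.to_text() for rdata in dns.resolver.resolve(name, "TXT")]


if __name__ == "__main__":
    for d in ("contoso.example", "fabrikam.example", "unknown.example"):
        print(d, domain_verified(d, "MS=ms12345678", constructed_txt_lookup))
```

Swap `constructed_txt_lookup` for `live_txt_lookup` to run the check against public DNS; the comparison is deliberately an exact match on the normalised record so that a token left behind on another domain, or a typo in the record, shows up as "not verified" rather than passing by accident.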
Configuring and Managing Device Registration Options
In order to manage devices through Intune and Azure AD the devices have to be registered. There are different ways to do that. There are also settings which allow you to select who can register devices.
To see these settings go to: Azure AD -> Devices -> Device Settings
Here you can set:
- which users or groups can register devices.
- MFA options
- How many devices they can register
Register Vs Join Devices
Join devices: This is when you log in to a machine using a corporate or school account (on a Windows 10 device go to "Settings -> Accounts -> Access work or school"). The user must have local admin rights on the machine to do this.
Register Devices: This is when you log in to an app on a personal or BYOD device.
Hybrid Azure AD Joined: this is when you have an on-premises AD domain-joined device that is syncing to Azure AD using Azure AD Connect.
Understanding Administrative Units
- An Administrative Unit is a resource that can be a container for other Azure AD resources
- It can contain only users and groups
- It is slightly different to OUs in AD. In AD a user can only be in one OU; in Azure AD a user can be linked to multiple Administrative Units
- You can use Administrative Units to restrict the permissions of a role to any portion of your organisation
- You need an Azure Active Directory Premium licence for each administrative unit admin. But the members of the administrative units only need a free licence.
Configuring Delegation by Using Administrative Units
Create an Administrative Unit
- Go to Azure AD
- Click on “Administrative Units”
- Click on Add
- Give it a name
- Click Review and Create
- Click on the new Administrative Unit
- Click on Add Members and add the members
- You can also add groups
Add Role Assignment
This is where you specify who has certain admin permissions over the members of the Administrative Unit:
- Click on Role Assignment
- Select the Role. EG: User administrator
- Select the User that will have this role
- You can set a schedule for this role to be active
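The notes on directory roles and PIM above, and the AU role assignment with a schedule just described, all come down to how assignments combine when rights are evaluated. The following is an added illustration (not Microsoft's code and not the Graph API) of that logic: an identity's rights are the union of its active roles, an assignment scoped to an Administrative Unit only applies to that unit's members, a PIM-style assignment only counts inside its activation window, and a least-privilege helper picks the role that covers a set of actions with the fewest extras. The role names are real Azure AD roles; the permission strings, users, unit names and times are simplified, constructed placeholders.

```python
"""Added illustration, not Microsoft's code or the Graph API: a small model of
how Azure AD directory role assignments combine (multiple roles, AU scoping,
PIM-style activation windows). Permission strings, users, units and times are
constructed placeholders; real role definitions carry many more actions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Simplified role definitions (assumption: real roles list far more actions;
# see a role's permissions under Azure AD -> Roles and administrators).
ROLE_DEFINITIONS: dict[str, frozenset[str]] = {
    "User Administrator": frozenset({"users/read", "users/password/reset", "groups/update"}),
    "Helpdesk Administrator": frozenset({"users/read", "users/password/reset"}),
    "Global Reader": frozenset({"users/read", "groups/read", "roles/read"}),
}

# Constructed points in time used by the demo scenario below.
NOW_IN_WINDOW = datetime(2024, 1, 1, 10, 0)
NOW_AFTER_WINDOW = datetime(2024, 1, 1, 14, 0)


@dataclass
class RoleAssignment:
    role: str
    principal: str                          # identity receiving the role
    admin_unit: Optional[str] = None        # None = tenant-wide, else AU name
    active_from: Optional[datetime] = None  # PIM schedule; None = permanent
    active_until: Optional[datetime] = None


@dataclass
class Tenant:
    au_members: dict[str, set[str]] = field(default_factory=dict)  # AU name -> members
    assignments: list[RoleAssignment] = field(default_factory=list)

    def is_active(self, a: RoleAssignment, now: datetime) -> bool:
        """JIT check: an assignment only counts inside its activation window."""
        if a.active_from is not None and now < a.active_from:
            return False
        if a.active_until is not None and now >= a.active_until:
            return False
        return True

    def permissions_on(self, actor: str, target: str, now: datetime) -> set[str]:
        """Union of the permissions `actor` holds over `target` at time `now`."""
        perms: set[str] = set()
        for a in self.assignments:
            if a.principal != actor or not self.is_active(a, now):
                continue
            if a.admin_unit is not None and target not in self.au_members.get(a.admin_unit, set()):
                continue  # AU-scoped role: only members of that unit are in scope
            perms |= ROLE_DEFINITIONS[a.role]
        return perms

    def can(self, actor: str, target: str, action: str, now: datetime) -> bool:
        return action in self.permissions_on(actor, target, now)


def least_privileged_role(required: set[str]) -> Optional[str]:
    """Principle of least privilege: the role covering every required action
    while granting the fewest extra ones; None if no single role fits."""
    candidates = [(len(perms - required), name)
                  for name, perms in ROLE_DEFINITIONS.items() if required <= perms]
    return min(candidates)[1] if candidates else None


def build_demo_tenant() -> Tenant:
    """Constructed scenario: carol administers only the Sales AU; dave holds a
    Helpdesk role activated for a four-hour window on 2024-01-01."""
    t = Tenant(au_members={"Sales": {"alice", "bob"}})
    t.assignments.append(RoleAssignment("User Administrator", "carol", admin_unit="Sales"))
    t.assignments.append(RoleAssignment(
        "Helpdesk Administrator", "dave",
        active_from=datetime(2024, 1, 1, 9, 0), active_until=datetime(2024, 1, 1, 13, 0)))
    return t


if __name__ == "__main__":
    t = build_demo_tenant()
    print(t.can("carol", "alice", "users/password/reset", NOW_IN_WINDOW))   # alice is in Sales
    print(t.can("carol", "erin", "users/password/reset", NOW_IN_WINDOW))    # erin is outside the AU
    print(t.can("dave", "erin", "users/password/reset", NOW_AFTER_WINDOW))  # window has closed
    print(least_privileged_role({"users/password/reset"}))
```

The `least_privileged_role` helper is the part worth keeping in mind for the exam tip above: when a task only needs password resets, the answer is Helpdesk Administrator, not User Administrator, because the latter also grants group changes that the task never required.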
Configuring Tenant Wide Settings
Some of these are set in the Azure AD portal and some are set in the M365 portal.
Some tenant-wide settings here are:
- Company branding: company logos, Welcome banner etc…
- User Settings:
  - user rights to register applications
  - restrict access to admin portal
  - allow linking LinkedIn accounts
  - guest user access (External Collaboration Settings)
- Properties: Tenant name, language etc…
- Settings -> Org Settings: application-specific settings, Security & Privacy (password policies etc…), Org profile (more branding)