1. Implementing the initial configuration of Azure Active Directory


Concepts to know about Microsoft Cloud Services

  • Things are constantly changing
  • You must be agile in utilising Microsoft’s cloud services


Basics of Using Azure AD Portal

Login: portal.azure.com

All users and groups in Microsoft 365 are stored in Azure AD.

Azure and Microsoft 365 share the Azure AD Services

You can see users and groups in both the Azure portal and the Microsoft 365 admin portal. Many features overlap, but some are only available in Azure AD and some only in the Microsoft 365 admin portal, and vice versa.


Understanding Azure AD Directory Roles

Role based Access Control:

  • Roles provide a means of assigning privileges in the Azure/Microsoft 365 environment
  • Roles allow you to see exactly what rights are assigned to a user or group
  • Identities can be assigned multiple roles

Some roles are specific to Azure, some are specific to M365

In the past, when you used groups and assigned permissions to those groups, it was hard to go back and see exactly what permissions a group had (unless it was documented properly). With roles, each role's permissions are documented for you automatically: every built-in role has a definition, expressed in JSON, that lists the exact actions it allows.

Principle of Least Privilege: give someone the least amount of rights that allows them to do their job, and no more.

PIM: Privileged Identity Management (requires an Azure AD Premium P2 licence)

This allows you to achieve “Just in Time” (JIT) administration using roles. Instead of holding a role permanently, an identity is made eligible for it and activates it only when needed, and the eligibility or active assignment can be put on a schedule with an expiry date.


Configuring and managing Azure AD directory Roles

Go to Azure AD -> Roles and Administrators

Here you can see the full list of roles Microsoft has created.

EXAM TIP: it is a good idea to get familiar with some of these roles. Go into the roles and have a look at the description and the permissions etc…

Assigning role to an identity

You can do it in three ways:

  1. Go to the role -> Add assignment and select the user
  2. Go to the user -> Assigned roles and add the role that way
  3. Go to the “Security & Compliance centre” (or the Microsoft 365 admin centre) and assign the role there
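The same three operations from the shell, as an added example that is not part of the original notes: look at what a role really grants (the JSON action list), see exactly which roles an identity already holds, then assign the role either permanently (as in “Add assignment”) or, the least-privilege way, as a time-bound PIM eligibility. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module), an admin account that can consent to the listed scopes, Azure AD Premium P2 for the PIM step, and placeholder user names.

```powershell
# Added example, not from the original notes. Assumes the Microsoft.Graph module
# and an account allowed to read and write directory role assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All"

$upn  = "alice@contoso.onmicrosoft.com"        # placeholder identity
$user = Get-MgUser -UserId $upn

# 1. What does the role actually allow? The definition carries the permitted
#    actions as strings (the JSON the portal shows under "Permissions").
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$role.RolePermissions.AllowedResourceActions

# 2. Which roles does this identity hold right now, and at what scope?
#    "/" means the whole tenant; "/administrativeUnits/<id>" means an AU.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -ExpandProperty RoleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId

# 3a. Permanent, tenant-wide assignment: the same thing as
#     Roles and administrators -> User Administrator -> Add assignment.
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
}

# 3b. Least-privilege alternative with PIM: make the user *eligible* instead.
#     The role is inactive until activated (JIT), and the eligibility itself
#     expires after 90 days, so nothing is left behind when the task is over.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "JIT helpdesk administration"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
```

Step 2 is the check to run before granting anything: a user who already holds Global Administrator does not need User Administrator as well, and a scoped assignment that shows up here tells you the AU-based delegation described later in these notes is in force.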


Custom Domains in Microsoft 365 / Azure AD

By default you get an “onmicrosoft.com” domain for your tenant, in the form <tenantname>.onmicrosoft.com.


You can add your own domain. To do this you need to prove you own the domain, and the proof is a DNS record rather than anything on your website:

  • Add the TXT record Microsoft gives you to your domain’s DNS zone (this is the normal method).
  • If your DNS host cannot create TXT records, Microsoft offers an MX record with a specific value as the fallback.

Until the record is found and the domain is verified, it stays listed as unverified and cannot be used for user names or email.
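The whole add-and-verify flow from the shell, as an added example that is not part of the original notes: add the domain, read back the TXT record Microsoft expects, check that the record is actually visible in public DNS, and only then ask Azure AD to verify it (a verification attempt before the record has propagated just fails). It assumes the Microsoft.Graph module with Domain.ReadWrite.All consent, a Windows host for Resolve-DnsName, and that example.com stands in for your own domain.

```powershell
# Added example, not from the original notes. Assumes the Microsoft.Graph module
# and the Windows DnsClient module (Resolve-DnsName). "example.com" is a placeholder.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
$domain = "example.com"

# 1. Add the domain to the tenant; it starts out unverified.
New-MgDomain -BodyParameter @{ id = $domain } | Select-Object Id, IsVerified

# 2. Ask the tenant which DNS record proves ownership. Microsoft offers a TXT
#    record and, for DNS hosts that cannot do TXT, an MX record; we want TXT.
$records = Get-MgDomainVerificationDnsRecord -DomainId $domain
$txt     = $records | Where-Object RecordType -eq 'Txt'
$expect  = $txt.AdditionalProperties.text            # the "MS=..." value
"Create a TXT record at your DNS host: name '$($txt.Label)', value '$expect'"

# 3. Check public DNS before asking Microsoft to verify. Ownership is only
#    proven if the record is served by the zone's authoritative servers.
$published = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings
if ($published -contains $expect) {
    Confirm-MgDomain -DomainId $domain
    "Verified: $((Get-MgDomain -DomainId $domain).IsVerified)"
} else {
    "TXT record '$expect' is not visible in DNS yet; wait for propagation and re-run step 3."
}
```

The propagation check matters because DNS TTLs can be hours long; checking with Resolve-DnsName against public resolvers tells you whether Microsoft's verification will see the record, and it also catches the common mistake of creating the record under the wrong name (the label is the bare domain, not a subdomain).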


Configuring and Managing Device Registration Options

In order to manage devices through Intune and Azure AD, the devices have to be registered in Azure AD. There are different ways to do that, and there are settings that control who is allowed to register or join devices.

To see these settings go to: Azure AD -> Devices -> Device settings

Here you can set:

  • which users or groups can join devices to Azure AD, and which can register devices
  • whether Multi-Factor Authentication is required to register or join a device
  • the maximum number of devices a user can have in Azure AD

Register Vs Join Devices

Join devices: this is when the device itself is owned by the organisation and you sign in to Windows with a work or school account (on a Windows 10 device go to “Settings -> Accounts -> Access work or school”). The user performing the join must have local admin rights on the machine.

Register devices: this is when a personal (BYOD) device is linked to Azure AD by adding a work account to an app such as Outlook or Teams. The user still signs in to the device with a local or personal account; only the work account and the device identity are known to Azure AD.

Hybrid Azure AD joined: this is when you have an on-premises AD domain-joined device that is also joined to Azure AD because the domain is syncing to Azure AD using Azure AD Connect. The device ends up with both identities.
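To tell which of these three states a given Windows device is actually in, read the output of the built-in `dsregcmd /status` tool. The classifier below is an added example, not part of the original notes; the sample output is constructed for offline use, but the field names it looks for (AzureAdJoined, DomainJoined, WorkplaceJoined) are the ones dsregcmd prints, and the decision table follows the three definitions above.

```powershell
# Added example, not from the original notes. Classifies a Windows device's
# relationship to Azure AD from `dsregcmd /status` output.
function Get-AadJoinState {
    param([string[]]$StatusLines)

    $state = @{}
    foreach ($line in $StatusLines) {
        # Lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)') {
            $state[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }

    # Decision table matching the Join / Register / Hybrid definitions:
    if ($state['AzureAdJoined'] -and $state['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($state['AzureAdJoined'])                              { return 'Azure AD joined' }
    if ($state['WorkplaceJoined'])                            { return 'Azure AD registered (BYOD)' }
    if ($state['DomainJoined'])                               { return 'On-premises AD joined only (not synced)' }
    return 'Not joined or registered'
}

# Constructed sample: a domain-joined PC that Azure AD Connect has also joined to Azure AD.
$sample = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
"@ -split "`r?`n"

Get-AadJoinState $sample            # -> Hybrid Azure AD joined

# On a real machine, feed the live output in instead:
# Get-AadJoinState (dsregcmd /status)
```

The fourth branch is the one worth noticing during troubleshooting: a machine that is domain joined but shows AzureAdJoined : NO has not been synced or registered by Azure AD Connect yet, so Conditional Access and Intune will not see it as a managed device.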


Understanding Administrative Units

  • An Administrative Unit is a resource that acts as a container for other Azure AD resources
  • It can contain users and groups (newer tenants can also add devices); it cannot contain other administrative units
  • It is slightly different to OUs in AD. In AD a user can only be in one OU; in Azure AD a user can be a member of multiple Administrative Units
  • You can use Administrative Units to restrict the permissions of a role to one portion of your organisation: the admin gets the role only over the members of the AU, not tenant-wide
  • You need an Azure Active Directory Premium P1 licence for each administrative unit admin. The members of the administrative units only need a free licence.


Configuring Delegation by Using Administrative Units

Create an Administrative Unit

  1. Go to Azure AD
  2. Click on “Administrative Units”
  3. Click on Add
  4. Give it a name
  5. Click Review and Create

Adding Members:

  • Click on the new Administrative Unit
  • Click on Add Members and add the members
  • You can also add groups

Add Role Assignment

This is where you can add who has certain admin permissions on the members of the Administrative Unit:

  • Click on Role Assignment
  • Select the Role. EG: User administrator
  • Select the User that will have this role
  • You can set a schedule for this role to be active
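The three steps above (create the AU, add members, assign a scoped role) as one script, an added example that is not part of the original notes. The point it makes that the portal clicks hide is that an AU-scoped assignment is the ordinary User Administrator role with a different `directoryScopeId`, so the final check shows exactly where the delegated admin's rights stop. It assumes the Microsoft.Graph module, an account able to consent to the listed scopes, and placeholder names for the AU, the group, the city attribute and the helpdesk user.

```powershell
# Added example, not from the original notes. Assumes the Microsoft.Graph module;
# names, the "city" attribute and the helpdesk account are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory",
                        "User.Read.All","Group.Read.All"

# 1. Create the administrative unit (portal: Administrative units -> Add).
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName = "Sydney Office"
    description = "Users and groups managed by the Sydney helpdesk"
}

# 2. Add members: individual users selected by an attribute, plus a whole group.
$members = @(Get-MgUser  -Filter "city eq 'Sydney'" -All) +
           @(Get-MgGroup -Filter "displayName eq 'Sydney Staff'")
foreach ($m in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($m.Id)"
    }
}

# 3. Delegate: the same User Administrator role, but scoped to the AU instead of "/".
#    The helpdesk user can reset passwords and edit users inside the AU only.
$helpdesk = Get-MgUser -UserId "bob@contoso.onmicrosoft.com"
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $helpdesk.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# 4. Verify the scope. A correct delegation shows the AU path, never "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($helpdesk.Id)'" -ExpandProperty RoleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId
```

If step 4 ever shows the helpdesk account with DirectoryScopeId "/", someone has added a tenant-wide assignment on top of the scoped one, which silently defeats the delegation; that is the check to put in a periodic access review.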


Configuring Tenant Wide Settings

Some of these are set in the Azure AD portal and some are set in the M365 portal.

Azure AD

Some Tenant wide settings here are

  1. Licences
  2. Company branding: company logos, Welcome banner etc…
  3. User Settings:
    – user rights to register applications
    – restrict access to admin portal
    – allow linking LinkedIn accounts
    – guest user access (External Collaboration Settings)
  4. Properties: Tenant name, language etc…
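Several of the “User settings” above are properties of one object, the tenant’s authorization policy, which makes them easy to audit and tighten from a script. The block below is an added example, not from the original notes: it reads the policy, reports the settings that map to the portal switches named above, and then turns off the two that most commonly grant ordinary users more than they need. It assumes the Microsoft.Graph module with Policy.ReadWrite.Authorization consent; the mapping of property names to portal switches is stated in the comments.

```powershell
# Added example, not from the original notes. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# One object backs the portal's "User settings" and part of "External collaboration settings".
$policy = Get-MgPolicyAuthorizationPolicy
$perm   = $policy.DefaultUserRolePermissions

[pscustomobject]@{
    UsersCanRegisterApplications = $perm.AllowedToCreateApps          # "Users can register applications"
    UsersCanCreateSecurityGroups = $perm.AllowedToCreateSecurityGroups
    UsersCanReadOtherUsers       = $perm.AllowedToReadOtherUsers
    WhoCanInviteGuests           = $policy.AllowInvitesFrom           # "Guest invite settings"
    GuestUserRoleId              = $policy.GuestUserRoleId            # "Guest user access restrictions"
}

# Tighten the defaults. Every app an ordinary user registers is an OAuth client
# that can request consent to tenant data, and open guest invitation is the
# usual way unknown identities get into a tenant, so both are turned off here.
Update-MgPolicyAuthorizationPolicy `
    -DefaultUserRolePermissions @{ AllowedToCreateApps = $false } `
    -AllowInvitesFrom "adminsAndGuestInviters"

# Re-read to confirm the change took effect.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps   # False
```

“Restrict access to Azure AD administration portal” is not part of this object; it remains a portal-only switch, and it only hides the blades, so it is not a substitute for role assignments (Graph and PowerShell still honour the user's real roles).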

M365 Portal

  1. Settings -> Org Settings: Application specific settings, Security & Privacy (password policies etc…). Org profile (more branding)
