MS-100 Manage Azure AD identities

May 31st, 2019 | Posted by admin in Exchange

Plan Azure AD identities

Microsoft 365 supports three identity models: cloud identity (accounts exist only in Azure AD), synchronized identity (accounts mastered in on-premises AD and synced by Azure AD Connect, with Password Hash Sync or Pass-through Authentication) and federated identity (sign-in handed off to AD FS or another federation provider). Planning Azure AD identity includes:

  • Plan to enable SSO for the cloud applications.
  • If you have federated identity, evaluate moving to a managed (synchronized) identity by implementing Password Hash Sync and Seamless SSO, which removes the AD FS dependency from sign-in.
  • Plan for Self-Service Password Reset; with cloud identity it needs no on-premises component.
  • Plan for on-premises application authentication through the cloud using Application Proxy.
  • Plan for providing access to all the cloud applications via the Access Panel.

Implement and manage Azure AD self-service password reset

Azure AD Self-Service Password Reset (SSPR) lets end users reset their own passwords, which reduces help desk cost. With cloud identity it works as-is; for synchronized users the new password must also reach on-premises AD, which is what password writeback is for.

To implement and manage Azure AD SSPR:

  1. Enable SSPR

Azure AD Portal -> Azure AD -> Password Reset -> Properties -> select All, or Selected to scope it to a pilot group -> Authentication methods -> set the number of methods required and the allowed methods (mobile app, email, mobile phone, office phone, security questions)

  2. Enable password writeback (hybrid identity only; requires Azure AD Premium P1 or P2)

Step 1: On the Azure AD Connect server, run the configuration wizard -> Configure -> Customize synchronization options -> Optional features -> tick Password writeback

Step 2: Azure Portal -> Azure AD -> Password Reset -> On-premises integration -> set "Write back passwords to your on-premises directory" to Yes
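Before handing SSPR to users it is worth confirming, from PowerShell rather than by eye in the portal, that the tenant flag and the Azure AD Connect feature actually agree. The script below is an added example and is not part of the original post; it assumes the MSOnline module on an admin workstation and the ADSync module on the Azure AD Connect server, and the property names are the ones those cmdlets return today.

```powershell
# Added example (not from the original post): verify the SSPR and password
# writeback prerequisites. Assumes the MSOnline module on an admin host and
# the ADSync module on the Azure AD Connect server; run each half where it applies.
Import-Module MSOnline
Connect-MsolService          # interactive sign-in as a Global Administrator

# Tenant side: is SSPR switched on, and is this a hybrid tenant with password hash sync?
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    SelfServicePasswordReset = $company.SelfServePasswordResetEnabled
    DirectorySyncEnabled     = $company.DirectorySynchronizationEnabled
    PasswordHashSync         = $company.PasswordSynchronizationEnabled
    LastDirSync              = $company.LastDirSyncTime
}

# Connector side (run on the Azure AD Connect server): the portal toggle only
# matters if the sync engine itself has the writeback feature enabled.
Import-Module ADSync
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordWriteback) {
    Write-Warning 'Password writeback is off in Azure AD Connect; cloud resets will not reach on-premises AD.'
}
$features | Format-List PasswordHashSync, PasswordWriteback, ForcePasswordResetOnLogonFeature
```

If the tenant reports SSPR enabled and directory sync enabled but the connector reports writeback off, synchronized users will get a successful reset in the cloud and then be unable to log on to domain-joined machines, which is the support call this check is meant to prevent.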

Manage access reviews

Azure AD Access Reviews let organizations periodically recertify group memberships, access to enterprise applications and role assignments. Access is reviewed on a regular basis so that only the right people keep it, and access that is not confirmed can be removed automatically when the review ends.

To Onboard or Enable Access Reviews in Azure AD:

Azure Portal -> All services -> search for Access Reviews -> Onboard -> Create -> New access review for the resource you want reviewed (a group membership, a role membership or an application's assigned users) -> set the reviewers (the users themselves, the group or resource owners, or selected reviewers), the frequency and what happens on completion.

Tips: An Azure AD Premium P2 license (included in EMS E5 and Microsoft 365 E5) is required to use this feature.

Reviewers complete their reviews from the Access Panel (for groups and applications) or the Azure AD PIM portal (for privileged role assignments); administrators manage and apply the results from the PIM portal.

Manage groups

Two types of groups, Security and Office 365, can be created in Azure AD. To create a group: Azure Portal -> Azure AD -> Groups -> New group.

Group types:

Security: Used to manage member and device access to shared resources, and to assign licenses, application access and Conditional Access scope to a set of users.

Office 365: Provides collaboration by giving members a shared mailbox, calendar, files, SharePoint site, Planner and Teams. Guest users from external organizations can be members of Office 365 groups.

Membership types in Azure AD groups:

Assigned: Members are added and removed manually by an owner or administrator.

Dynamic User: Uses dynamic membership rules to automatically add and remove users based on user attributes (department, country, extension attributes and so on).

Dynamic Device: Uses dynamic membership rules to automatically add and remove devices based on device attributes (OS type, OS version, device ownership and so on).

Group owners can manage the members of the group; if no owner is set, only administrators holding the appropriate directory role can change membership.

Tips: Group management (creation, deletion, adding and removing members, assigning and removing owners) is done from Azure Portal -> Azure AD -> Groups. Dynamic membership requires an Azure AD Premium P1 license for the users in scope.

Groups synchronized from on-premises AD (security groups, distribution groups and mail-enabled security groups) are mastered on-premises: their membership and attributes can only be changed in on-premises AD, and the change reaches Azure AD on the next sync cycle.
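The same three membership types, an owner assignment and the "is this group mastered on-premises" check can be scripted with the AzureADPreview module. This is an added example, not code from the original post; the group names, the Finance department value, the device rule and the owner UPN are illustrative assumptions.

```powershell
# Added example (not from the original post): create assigned, dynamic-user and
# dynamic-device groups, assign an owner, and list groups that are synced from
# on-premises AD. Names, rule values and the owner UPN are assumptions.
Import-Module AzureADPreview
Connect-AzureAD

# Assigned membership: a plain security group whose members are added by hand.
$assigned = New-AzureADMSGroup -DisplayName 'SG-VPN-Users' -MailEnabled $false `
    -SecurityEnabled $true -MailNickname 'sg-vpn-users' -Description 'Assigned security group'

# Dynamic user membership: the rule owns the membership, nobody adds members directly.
$dynUsers = New-AzureADMSGroup -DisplayName 'SG-Finance-Dynamic' -MailEnabled $false `
    -SecurityEnabled $true -MailNickname 'sg-finance-dynamic' -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Finance") -and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'

# Dynamic device membership: same mechanism, device attributes instead of user attributes.
$dynDevices = New-AzureADMSGroup -DisplayName 'SG-Win10-Devices' -MailEnabled $false `
    -SecurityEnabled $true -MailNickname 'sg-win10-devices' -GroupTypes 'DynamicMembership' `
    -MembershipRule '(device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -startsWith "10.0")' `
    -MembershipRuleProcessingState 'On'

# Give the assigned group an explicit owner so routine membership changes do not
# have to go through a directory administrator.
$owner = Get-AzureADUser -ObjectId 'finance.lead@contoso.com'   # assumed UPN
Add-AzureADGroupOwner -ObjectId $assigned.Id -RefObjectId $owner.ObjectId

# Groups synchronized from on-premises AD carry DirSyncEnabled = True; any change
# to those must be made in on-premises AD and will arrive with the next sync cycle.
Get-AzureADGroup -All $true | Where-Object { $_.DirSyncEnabled -eq $true } |
    Select-Object DisplayName, ObjectId, SecurityEnabled, MailEnabled
```

The `-and (user.accountEnabled -eq true)` clause in the user rule is the part most people forget: without it a disabled account keeps its group-based access (licenses, app assignments, Conditional Access exclusions) until someone notices.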

Manage Passwords

Controlling passwords:

Organizations using pure cloud identity can use Azure AD Password Protection to block weak passwords: every password set or changed in Azure AD is checked against the Microsoft global banned password list and, optionally, a custom banned password list of organization-specific terms (company name, product names, local landmarks). Matching normalizes case and common character substitutions, so "P@ssw0rd" is still caught.

Organizations using hybrid identity can extend the same checks to on-premises AD by installing the Azure AD Password Protection proxy service on member servers and the DC agent on every domain controller; the DC agent enforces the global and custom banned password lists at password change time. Start in Audit mode to see what would be rejected, then switch to Enforce.

Managing password resets:

The SSPR policy defines which authentication methods users can use and how many are required. Administrator accounts do not use this policy: they are always held to a fixed two-method policy and cannot use security questions.

If SSPR is enabled on hybrid identity with Password Hash Sync, set the authentication methods and have users register them in advance so a reset is possible when they actually need one.

Enabling "Require users to register when signing in" forces users to register the methods selected by the administrator at their next interactive sign-in.

Tips: The global banned password list applies to cloud accounts in every tenant at no extra cost; the custom banned password list and Password Protection for on-premises AD (hybrid identity) require Azure AD Premium P1 or P2.

To set a custom banned password list: Azure Portal -> Azure AD -> Authentication methods -> Password protection -> Enforce custom list: Yes -> enter the terms -> Save.
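In a hybrid deployment the weak point is a domain controller that never got the DC agent, because it will happily accept a banned password while every other DC rejects it. The script below is an added example, not from the original post; it assumes the AzureADPasswordProtection module that ships with the proxy service and the ActiveDirectory RSAT module, run from a domain-joined admin host.

```powershell
# Added example (not from the original post): audit an on-premises Azure AD
# Password Protection deployment for coverage gaps. Assumes the
# AzureADPasswordProtection module (installed with the proxy service) and the
# ActiveDirectory RSAT module on a domain-joined admin host.
Import-Module AzureADPasswordProtection
Import-Module ActiveDirectory

# Every DC validates password changes locally, so a DC without the agent is a
# hole through which banned passwords can still be set.
$dcs     = (Get-ADDomainController -Filter *).HostName
$agents  = Get-AzureADPasswordProtectionDCAgent
$covered = $agents.ServerFQDN
$missing = $dcs | Where-Object { $covered -notcontains $_ }
if ($missing) {
    Write-Warning ('DCs without the password protection agent: ' + ($missing -join ', '))
}

# Agent inventory: a stale PasswordPolicyDateUTC or HeartbeatUTC means the DC is
# enforcing an old policy (or none) because it cannot reach a proxy.
$agents | Select-Object ServerFQDN, SoftwareVersion, Domain, PasswordPolicyDateUTC, HeartbeatUTC

# The proxies are how DC agents download the policy; at least one must be registered and alive.
Get-AzureADPasswordProtectionProxy | Select-Object ServerFQDN, SoftwareVersion, HeartbeatUTC

# Counts of validated, rejected and audit-only password events from the agent event logs,
# which is what tells you whether Audit mode has done its job and Enforce is safe to turn on.
Get-AzureADPasswordProtectionSummaryReport -DomainController ($dcs | Select-Object -First 1)
```

Run the coverage check again after every DC promotion; a freshly promoted DC is the most common way an unprotected DC appears in an otherwise enforced forest.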

Manage product licenses

Microsoft 365 bundles Windows 10 Enterprise, Office 365 E3 / E5 and EMS E3 / E5, so the tenant needs those subscriptions (or the Microsoft 365 E3 / E5 SKU that contains them). To view the status of the individual services inside a subscription, for example Office 365 E3 (AccountSkuId ENTERPRISEPACK; SuperHybridCloud is this tenant's prefix, substitute your own):

(Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq "SuperHybridCloud:ENTERPRISEPACK" }).ServiceStatus

Manage users

You know how to manage Users

Perform bulk user management

No additional information is required, I believe, as this is familiar to you all.
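For completeness, here is the bulk pattern that ties the previous two sections together: create cloud users from a CSV and license them in the same pass, checking seat availability first. This is an added example and not code from the original post; the CSV columns are an assumption, the SuperHybridCloud tenant prefix is the one used earlier in the post, and the cmdlets are the same MSOnline module the post already relies on.

```powershell
# Added example (not from the original post): bulk-create cloud users from a CSV
# and assign a license in one pass. The CSV layout and the file name are
# assumptions; the tenant prefix is the one used earlier in the post.
Import-Module MSOnline
Connect-MsolService

$sku = 'SuperHybridCloud:ENTERPRISEPACK'    # replace with your own tenant prefix

# Assumed CSV layout (one user per row):
# UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation,Department
$users = @(Import-Csv -Path .\newusers.csv)

# Check remaining seats once, up front, rather than failing halfway through the list.
$skuInfo = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $sku }
if (-not $skuInfo) { throw "SKU $sku not found in this tenant." }
$free = $skuInfo.ActiveUnits - $skuInfo.ConsumedUnits
if ($users.Count -gt $free) {
    throw "Need $($users.Count) seats of $sku but only $free are free."
}

$results = foreach ($u in $users) {
    # UsageLocation is mandatory before any license can be assigned, so it is set
    # at creation time; ForceChangePassword makes the generated password single-use.
    $new = New-MsolUser -UserPrincipalName $u.UserPrincipalName -DisplayName $u.DisplayName `
        -FirstName $u.FirstName -LastName $u.LastName -UsageLocation $u.UsageLocation `
        -Department $u.Department -ForceChangePassword $true
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku

    # The temporary password comes back on the returned object; deliver it out of band,
    # never by mailing the CSV back to whoever requested the accounts.
    [pscustomobject]@{ UPN = $u.UserPrincipalName; TempPassword = $new.Password }
}
$results
```

If the users should receive only some services of the SKU (for example E3 without Exchange because mailboxes stay on-premises), build a `New-MsolLicenseOptions -AccountSkuId $sku -DisabledPlans @('EXCHANGE_S_ENTERPRISE')` object and pass it to `Set-MsolUserLicense -LicenseOptions`; the plan names are the ones listed by the ServiceStatus query above.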
