- Cloud or Synced (from local AD through AD Connect)
- Member or Guest
- Members are created within AD directory
- Guests are invited by administrator or one of other users of Azure AD.
- Usual attributes (e.g. department, phone number, contact, email)
- Setup password policy, expiration policy, flag users needing to reset their password
- Location is required if you want to assign license to a user within AD.
- Set usage location
- In portal: Active Directory → Users → Select User → Profile → Settings
- You can then assign license
- In Portal: Active Directory → Users → Select User → Licenses
- User Principal name: Combination of an user name + domain.
- AD → User → new User
- User name
- Required, e.g.
test@contoso.onmicrosoft.com
- Required, e.g.
- Properties: Optional information e.g. first name, last name, job title.
- You can add a user as an External User
- Good for B2B scenarios
- AD is not required on other business side.
- Scenarios
- Allows users to change their passwords
- If you cannot log in somehow
- Helps with account lockout
- Authentication methods
- Types:
- Text message/Phone call
- Secondary email
- Security questions
- Administrator requires one or more methods.
- Types:
- Manage in portal
- Steps: Active Directory → Password Reset
- Configurations
- Enable
- You can enable for all users or selected users.
- 💡 Good to first enable for a pilot group to see how it works.
- Registration
- Require users to register when signing in
- Prompts user to fill information for authentication methods.
- After how long user will be prompted to confirm authentication method information
- Require users to register when signing in
- Notifications
- Notify users on password resets
- Notifies all other admins when an admin resets his password
- Enable
- Enterprise applications
- Users can consent to apps accessing company data on their behalf (yes/no)
- Yes; users can consent to allow third party and multi-tenant applications to consent on their own behalf.
- Users can add gallery apps to their Access Panel
- No; as an administrator you have to manually integrate the applciations through Access Panel
- Users can consent to apps accessing company data on their behalf (yes/no)
- App registrations
- Users can register applications (yes/no)
- Yes; non administratiors can register applications to be used within the directory, no; only administrators can do it
- Users can register applications (yes/no)
- Types of groups
- Assigned or Dynamic
- Assigned: You assign users to groups manually
- Dynamic: You select various attributes to make users member of a group
- Dynamic query e.g.
deparment Equals marketing
- Dynamic query e.g.
- Security or Office 365
- Security groups are for assigning permissions.
- Assigned or Dynamic
- Owners and members
- Owners: Can add/remove users from the group.
- Members: cannot manage the group, normal permissions
- Expiration of groups
- Groups can automatically expire.
- You manage in "Azure Directory → Groups"
- You can assign licenses to a group where each member will get a license.
- Good for performing bulk user updates
- Self-service group management
- Owners manage groups instead of administrator that manage the group for the owners.
- Users can request to join in group with providing some business justification.
- Audits & alerts
- Everything is logged
- You can e.g. trigger alert on frequent activities in a group
- Company Branding
- In portal: Active Directory → Users and groups → Company branding
- Allows you to customize the pages with e.g. banner, sign-in page text, user name hint
- Enables more management
- Device settings show overview in Portal
- Intune + MDM offer much more control
- You can add work or school account to integrate
- Basic registration
- Bring your own device (BYOD) scenario
- For mobile devices and Windows 10
- Enable/disable and additional management (MDM) for mobile devices like intune.
- Enterprise State Roaming
- Users synchronizes their user settings and application settings data to the cloud.
- Supported in Windows 10
- Enchanced security, management and monitoring.
- Separation of corporate and consumer data in cloud.
- Corparate owned assets that you want to manage
- E.g. Windows 7 or Windows 10
- You get some benefits e.g. single sign on.
- You can enable automatic registration for your AD joined computers
- Join device in both local AD and Azure AD
- Grant device user access to apps that need traditional local AD (=on-prem AD) authentication.
- You get service principal for the device
- Actual management is done through Group Policy or System Center Configuration Manager.
- They're tied in to Azure AD but not part of core AD.
- Relies on AD Connect for synchronization
- If they're already joined to local AD, they're also registered in Azure AD automatically.
- Configuration
- Ensure access to external Azure AD URLs.
- Configure SCP (service connection point) internally.
- Configure ADFS if required
- Active Directory → Devices
- Configurations
- Users may join devices to Azure AD
- Additional administrators on Azure AD joined devices
- Default is none, you can select users
- Users may register their devices with Azure AD
- Require Multi-Factor Auth to join devices
- Maximum number ofdevices per device
- Users may sync settings and enterprise app data
- All, selected, None
- For more you need PowerShell.
- Control permissions
- Who's allowed to access join devices?
- Control sync
- Enabled/disabled
- Device management through Intune or other MDM
- Conditional access
- Whether or not device has access to resources within your organization
- Azure AD IDaaS (Identity Directory as a Service)
- Application types
- Third party or internal
- Pre-integrated or proxies
- Automated user provisioning through SCIM 2.0
- Use provisioning enables synchronization of user account.
- SCIM
- System for cross domain identity management.
- Defined by IETF
- Control users, groups and their relations
- Available on select SaaS apps
- In portal, you can assign access to applications
- AD → Applications → Select application → Users and groups