Skip to content

Latest commit

 

History

History
148 lines (139 loc) · 6.47 KB

2.2.1. Governence - Azure AD - Entities.md

File metadata and controls

148 lines (139 loc) · 6.47 KB

Azure AD Entities

Users

  • Types of users
    • Cloud or Synced (from local AD through AD Connect)
    • Member or Guest
      • Members are created within AD directory
      • Guests are invited by administrator or one of other users of Azure AD.
  • Common settings
    • Usual attributes (e.g. department, phone number, contact, email)
    • Setup password policy, expiration policy, flag users needing to reset their password
    • Usage Location: Location is required if you want to assign license to a user within AD.
      • Set usage location: AD -> Users -> Select User -> Profile -> Settings
      • You can then assign license in AD -> Users -> Select User -> Licenses
    • User Principal name: Combination of an user name + domain.
  • Create new user
    • AD -> User -> new User
    • User name
    • Properties: Optional information e.g. first name, last name, job title.
  • External access
    • You can add a user as an External User
    • Good for B2B scenerios
      • AD is not required on other business side.
  • Self-service password reset
    • Scenarios
      • Allows users to change their passwords
      • If you cannot log in somehow
      • Helpws with account lockout
    • Authentication methods
      • Types:
        • Text message/Phoen call
        • Secondary email
        • Security questions
      • Administrator requires one or more.
    • Manage in: Portal -> AD -> Password Reset
      • Enable
        • You can enable for all users or selected users.
        • 💡 Good to first enable for a pilot group to see how it works.
      • Registration
        • Require users to register when signin in
          • Prompts user to fill information for authentication methods.
        • After how long user will be prompted to confirm authentication method information
      • Notifications
        • Notify users on password resets
        • Notify all admins when other admins reset their password
  • User settings
    • Enterprise applications
      • Users can consent to apps accessing company data on their behalf (yes/no)
        • Yes; users can consent to allow third party and multi-tenant applications to consent on their own behalf.
      • Users can add galery apps to theri Access Panel
        • No; as an administrator you have to manually integrate the applciations through Access Panel
    • App registrations
      • Users can register applications (yes/no)
        • Yes; non administrations can register applications to be used within the directory, no; only administrators can do it

Groups

  • Types of groups
    • Assigned or Dynamic
      • Assigned: You assign users to groups manually
      • Dynamic: You select various attributes to make users member of a group
        • Dynamic query e.g. deparment Equals marketing
    • Security or Office 365
      • Security groups are for assigning permissions.
  • Owners and members
    • Owners: Can add/remove users from the group.
    • Members: cannot manage the group, normal permissions
  • Expiration of groups: Groups can automatically expire.
  • You manage in AD -> Groups
    • You can assign licenses to a group where each member will get a license.
  • Good for performing bulk user updates
  • Self-service group management
    • Owners manage groups instead of administrator that manage the group for the owners.
    • Users can request to join in group with providing some business justification.
    • Audits & alerts
      • Everything is logged
      • You can e.g. trigger alert on frequent activities in a group
  • Company Branding
    • In portal: AD -> Users and groups -> Company branding
    • Allows you to customize the pages with e.g. banner, sign-in page text, user name hint

Devices

  • Enables more management

  • Device settings show overview in Portal

    • Intune + MDM offer much more control

  • You can add work or school account to integrate

  • Registration types:

    • Register Device
      • Basic registration
      • Bring your own device (BYOD) scenario
      • For mobile devices and Windows 10
        • Enable/disable and additional management (MDM) for mobile devices like intune.
      • Enterprise State Roaming
        • Users synchronizes their user settings and application settings data to the cloud.
        • Supported in Windows 10
        • Enchanced security, management and monitoring.
        • Separation of corporate and consumer data in cloud.
    • Join Device
      • Corparate owned assets that you want to manage
      • E.g. Windows 7 or Windows 10
      • You get some benefits e.g. single sign on.
    • Hybrid Join
      • You can enable automatic registration for your AD joined computers
      • Join device in both local AD and Azure AD
      • Grant device user access to apps that need traditional local AD (=on-prem AD) authentication.
      • You get service principal for the device
      • Actual management is done through Group Policy or System Center Configuration Manager.
        • They're tied in to Azure AD but not part of core AD.
      • Relies on AD Connect for synchronization.
        • If they're already joined to local AD, they're also registered in Azure AD automatically.
      • Configuration:
        • Ensure access to external Azure AD URLs.
        • Configure SCP (service connection point) internally.
        • Configure ADFS if required

  • Manage in Portal -> AD -> Devices

    • Users may join devices to Azure AD
    • Additional administrators on Azure AD joined devices
      • Default is none, you can select users
    • Users may register their devices with Azure AD
    • Require Multi-Factor Auth to join devices
    • Maximum number ofdevices per device
    • Users may sync settings and enterprise app data
      • All, selected, None
    • For more you need PowerShell.

  • Azure AD Device Settings/Policies

    • Control permissions: Who's allowed to access join devices?
    • Control sync (enabled or disabled)
    • Device management through Intune or other MDM
    • Conditional access: Whether or not device has access to resources within your organization

Applications

  • Azure AD IDaaS (Identity Directory as a Service)
  • Application types
    • Third party or internal
    • Pre-integrated or proxies
  • Automated user provisioning through SCIM 2.0
    • Use provisioning enables synchronization of user account.
    • SCIM
      • System for cross domain identity management.
      • Defined by IETF
      • Control users, groups and their relations
    • Available on select SaaS apps
  • You can assign access to applications in AD -> Applications -> Select application -> Users and groups