AZ 100T05A ENU TrainerHandbook

MCT USE ONLY. STUDENT USE PROHIBITED


Microsoft Official Course

AZ-100T05
Manage Identities
Contents

Module 0 Welcome
    Start Here
Module 1 Managing Azure Active Directory
    Azure Active Directory Overview
    Self-Service Password Reset
    Azure AD Identity Protection
    Integrating SaaS Applications with Azure AD
    Module 1 Review Questions
Module 2 Managing Azure Active Directory Objects
    Azure Domains and Tenants
    Azure Users and Groups
    Azure Roles
    Managing Devices
    Module 2 Review Questions
Module 3 Implementing and Managing Hybrid Identities
    Azure Active Directory Integration Options
    Azure AD Application Proxy
    Module 3 Review Questions
Module 4 Lab - Implement and Manage Hybrid Identities
    Lab
Module 0 Welcome

Start Here
Azure Administrator Curriculum
This course is part of a series of courses to help you prepare for Microsoft’s Azure Administrator certifica-
tion tests. There are two exams:
●● AZ-100, Microsoft Azure Infrastructure and Deployment1, and
●● AZ-101, Microsoft Azure Integration and Security2.
Each exam measures your ability to accomplish certain technical tasks. For example, AZ-100 includes five
study areas, as shown in the table. The percentages indicate the relative weight of each area on the exam.
The higher the percentage, the more questions you are likely to see in that area.

AZ-100 Study Areas                           Weight

Manage Azure subscriptions and resources     15-20%
Implement and manage storage                 20-25%
Deploy and manage virtual machines           20-25%
Configure and manage virtual networks        20-25%
Manage identities                            15-20%
✔️ This course will focus on preparing you for the Manage Identities area of the AZ-100 certification
exam.

About This Course


Course Description
This course teaches IT Professionals how to use Azure Active Directory (AD) to provide employees and
customers with a multi-tenant cloud-based directory and identity management system. Students will
learn the differences between Azure AD and Active Directory Domain Services (AD DS), as well as the

1 https://www.microsoft.com/en-us/learning/exam-az-100.aspx
2 https://www.microsoft.com/en-us/learning/exam-az-101.aspx

differences in functionality offered by the different editions of Azure AD. Students also learn how to
configure self-service password reset and how to use password writeback so that users can reset their
on-premises passwords regardless of their location. Students are then introduced to Azure AD Identity
Protection and learn how they can use it to protect their organizations from compromised accounts,
identity attacks, and configuration issues. Students also learn how to integrate Azure AD with the many
Software as a Service (SaaS) applications in use, in order to secure user access to those applications.
Next, the concepts of Azure domains and tenants, and users and groups, are explained, and students learn
how to work with the various Azure AD objects. Students are introduced to Azure role-based access
control, which provides more granular access based on the principle of least privilege: an administrator,
or user, can do exactly the task they need to accomplish, no more and no less. Students also learn how to
work with Azure AD joined devices and hybrid Azure AD joined devices, enabling their users to be
productive wherever and whenever they work while ensuring that corporate assets are protected and that
devices meet security and compliance standards.
Students learn how to use Azure AD Connect to integrate their on-premises directories with Azure AD,
providing a common identity for their users of Office 365, Azure, and SaaS applications integrated with
Azure AD. Lastly, students learn how to use Azure AD Application Proxy to provide their users with
remote access to web applications that are published on-premises, such as SharePoint sites, Outlook Web
Access, or any other line of business (LOB) applications the organization has.
Level: Intermediate
Audience
This course is for Azure Administrators. Azure Administrators manage the cloud services that span
storage, networking, and compute cloud capabilities, with a deep understanding of each service across
the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations
on services to use for optimal performance and scale, as well as provision, size, monitor and adjust as
appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use
the Azure Portal and as they become more proficient they use PowerShell and the Command Line
Interface.
Prerequisites
Successful Azure Administrators start this role with experience on operating systems, virtualization, cloud
infrastructure, storage structures, and networking.
Expected learning
●● Implement Azure Active Directory, Self-Service Password Reset, Azure AD Identity Protection, and
integrated SaaS applications.
●● Configure domains and tenants, users and groups, roles, and devices.
●● Implement and manage Azure Active Directory integration options and Azure AD Application Proxy.

Syllabus
This course includes content that will help you prepare for the certification exam. Other content is
included to ensure you have a complete picture of Azure identity. The course content includes a mix of
videos, graphics, reference links, module review questions, and practice labs.
Module 1 – Managing Azure Active Directory
In this module, you will be introduced to Azure Active Directory. What is Azure Active Directory and
how is it different from Active Directory Domain Services? What is Self-Service Password Reset and how is
it configured? How can Azure AD Identity Protection improve your security posture? How do you
integrate SaaS applications with Azure AD? Lessons include:
●● Azure Active Directory Overview
●● Self-Service Password Reset
●● Azure AD Identity Protection
●● Integrating SaaS Applications with Azure AD
Module 2 – Managing Azure Active Directory Objects
In this module, you will learn the basics of implementing Azure AD objects. These objects include do-
mains and tenants, users and groups, roles, and devices. In each lesson you will practice how to configure
these objects through the portal and with Azure PowerShell. The Azure roles lesson will be your introduc-
tion to role-based access control. Lessons include:
●● Azure Domains and Tenants
●● Azure Users and Groups
●● Azure Roles
●● Managing Devices
✔️ More complete coverage of Role-based Access Control is provided in the Securing Identities course.
Module 3 – Implementing and Managing Hybrid Identities
In this module, you will learn how to integrate Azure AD with your existing on-premises Active Directory
infrastructure. You will learn about Azure AD Connect and the sign-in options it supports, such as
password synchronization, pass-through authentication, federation, and single sign-on. You will also
learn how to configure Azure AD Application Proxy and how it is used. Lessons include:
●● Azure Active Directory Integration Options
●● Azure AD Application Proxy

Study Guide
The Manage identities objective of the AZ-100 exam consists of three main areas of study: Manage
Azure Active Directory, Manage Azure AD objects, and Implement and manage hybrid identities. These
tables show you what may be included in each test area and where it is covered in this course.
✔️ We recommend you use these tables as a checklist to ensure you are prepared in each area.
✔️ We recommend supplementing your study with a practice test.3 Also, hands-on practice is critical to
understanding these concepts and passing the certification exams. There are several ways to get an
Azure subscription4.
Manage Azure Active Directory

Testing May Include                             Course Content
Add custom domains                              Module 2 - Azure Domains and Tenants
Configure Azure AD Identity Protection          Module 1 - Azure AD Identity Protection
Configure Azure AD Join                         Module 2 - Managing Devices
Configure self-service password reset           Module 1 - Self-Service Password Reset
Implement conditional access policies           Module 1 - Integrating SaaS Applications with Azure AD
Manage multiple directories                     Module 2 - Azure Domains and Tenants
Perform access review                           Module 1 - Azure Active Directory Overview

Manage Azure AD objects (users, groups, and devices)

Testing May Include                             Course Content
Create users and groups                         Module 2 - Azure Users and Groups
Manage user and group properties                Module 2 - Azure Users and Groups
Manage device settings                          Module 2 - Managing Devices
Perform bulk user updates                       Module 2 - Azure Users and Groups

Implement and manage hybrid identities

Testing May Include                             Course Content
Install and configure Azure AD Connect          Module 3 - Azure Active Directory Integration Options
Configure federation                            Module 3 - Azure Active Directory Integration Options
Configure single sign-on                        Module 3 - Azure Active Directory Integration Options
Manage and troubleshoot Azure AD Connect        Module 3 - Azure Active Directory Integration Options
Troubleshoot password sync and writeback        Module 1 - Self-Service Password Reset; Module 3 - Azure Active Directory Integration Options

3 https://us.mindhub.com/az-100-microsoft-azure-infrastructure-deployment-microsoft-official-practice-test/p/MU-AZ-100
4 https://azure.microsoft.com/en-us/offers/ms-azr-0044p/
Module 1 Managing Azure Active Directory

Azure Active Directory Overview


Video: Course Introduction

Azure Active Directory


For both IT Admins and Developers
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity manage-
ment service. For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and
business partners single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365,
Salesforce.com, DropBox, and Concur.
For application developers, Azure AD lets you focus on building your application by making it fast and
simple to integrate with a world class identity management solution used by millions of organizations
around the world.

Identity management capabilities and integration


Azure AD also includes a full suite of identity management capabilities including multi-factor authentica-
tion, device registration, self-service password management, self-service group management, privileged
account management, role-based access control, application usage monitoring, rich auditing and security
monitoring, and alerting. These capabilities can help secure cloud-based applications, streamline IT
processes, cut costs, and help assure corporate compliance goals are met.
Additionally, Azure AD can be integrated with an existing Windows Server Active Directory, giving
organizations the ability to leverage their existing on-premises identity investments to manage access to
cloud based SaaS applications.
✔️ If you are an Office365, Azure or Dynamics CRM Online customer, you might not realize that you are
already using Azure AD. Every Office365, Azure and Dynamics CRM tenant is already an Azure AD tenant.
Whenever you want you can start using that tenant to manage access to thousands of other cloud
applications Azure AD integrates with.
For more information, you can see:
What is Azure Active Directory? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

Azure Active Directory Benefits


Azure AD has many benefits

●● Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single
sign-on to cloud and on-premises applications including Microsoft Office 365 and thousands of SaaS
applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box.
●● Works with iOS, Mac OS X, Android, and Windows devices. Users can launch applications from a
personalized web-based access panel, mobile app, Office 365, or custom company portals using their
existing work credentials, and have the same experience whether they're working on iOS, Mac OS X,
Android, or Windows devices.
●● Protect on-premises web applications with secure remote access. Access your on-premises web
applications from everywhere and protect with multi-factor authentication, conditional access policies,
and group-based access management. Users can access SaaS and on-premises web apps from the
same portal.
●● Easily extend Active Directory to the cloud. Connect Active Directory and other on-premises
directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups,
passwords, and devices across both environments.
●● Protect sensitive data and applications. Enhance application access security with unique identity
protection capabilities that provide a consolidated view into suspicious sign-in activities and potential
vulnerabilities. Take advantage of advanced security reports, notifications, remediation recommenda-
tions and risk-based policies to protect your business from current and future threats.
●● Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as
resetting passwords and the creation and management of groups to your employees. Providing
self-service application access and password management through verification steps can reduce
helpdesk calls and enhance security.
✔️ What reasons do you have for considering Azure Active Directory?
For more information, you can see:
The power of common identity across any cloud - https://myignite.microsoft.com/videos/54694

Active Directory Domain Services (AD DS)


AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual
server. Although AD DS is commonly considered to be primarily a directory service, it is only one compo-
nent of the Windows Active Directory suite of technologies, which also includes Active Directory Certifi-
cate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federa-
tion Services (AD FS), and Active Directory Rights Management Services (AD RMS). Although you can
deploy and manage AD DS in Azure virtual machines it’s recommended you use Azure AD instead, unless
you are targeting IaaS workloads that depend on AD DS specifically.
Azure AD is different from AD DS
Although Azure AD has many similarities to AD DS, there are also many differences. It is important to
realize that using Azure AD is different from deploying an Active Directory domain controller on an Azure
virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD
that make it different.
●● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based
applications that communicate over HTTP and HTTPS.
●● REST API querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP.
Instead, Azure AD is queried through its REST API over HTTPS.
●● Communication protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos
authentication. Instead, it uses web protocols such as SAML, WS-Federation, and OpenID Connect for
authentication (and OAuth 2.0 for authorization).
●● Federation services. Azure AD includes federation services and can federate with many third-party
identity providers (such as Facebook).
●● Flat structure. Azure AD users and groups are created in a flat structure; there are no Organizational
Units (OUs) or Group Policy Objects (GPOs).
✔️ Azure AD is a managed service: you only manage the users, groups, and policies. Deploying AD DS on
virtual machines in Azure means that you manage the deployment, configuration, virtual machines,
patching, and other backend tasks. Do you see the difference?
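The LDAP-versus-REST difference is easiest to see in code. The following PowerShell is an added example and is not part of the course materials: it looks up the same user against AD DS with the ActiveDirectory module (an LDAP query to a domain controller, authenticated with your Kerberos ticket) and against Azure AD with a plain HTTPS call to a REST endpoint, authorized with an OAuth 2.0 bearer token. The Az.Accounts module, the Microsoft Graph endpoint, and the contoso.com user names are assumptions; the course itself works in the portal.

```powershell
# Added example, not from the course. Same lookup, two directories:
#   AD DS    -> ActiveDirectory module, LDAP query authenticated with the caller's Kerberos ticket
#   Azure AD -> REST call over HTTPS, authorized with an OAuth 2.0 bearer token
# Assumptions: RSAT ActiveDirectory module on a domain-joined host; Az.Accounts installed and
# Connect-AzAccount already run for the Azure AD half; Microsoft Graph as the REST endpoint.

function Get-AdDsUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Pass the value as a variable inside the filter block instead of splicing it into a string,
    # so a UPN containing quotes cannot change the shape of the LDAP filter that is sent.
    Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } `
               -Properties DisplayName, Enabled |
        Select-Object DisplayName, UserPrincipalName, Enabled
}

function Get-AzureAdUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Request a token scoped to the Graph resource. Older Az.Accounts returns .Token as a string,
    # newer versions as a SecureString; handle both and never write the token to the transcript.
    $raw   = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
    $token = if ($raw -is [securestring]) {
        [System.Net.NetworkCredential]::new('', $raw).Password
    } else {
        $raw
    }

    # URL-encode the UPN; single-quote the query string so PowerShell leaves $select untouched.
    $upn = [uri]::EscapeDataString($UserPrincipalName)
    $uri = "https://graph.microsoft.com/v1.0/users/$upn" +
           '?$select=displayName,userPrincipalName,accountEnabled'

    # No LDAP, no Kerberos: an ordinary HTTPS GET with the bearer token in the Authorization header.
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $token" } |
        Select-Object displayName, userPrincipalName, accountEnabled
}

# Usage (names are placeholders):
#   Get-AdDsUser    -UserPrincipalName 'alice@contoso.com'
#   Connect-AzAccount
#   Get-AzureAdUser -UserPrincipalName 'alice@contoso.com'
```

The Azure AD half carries the bearer token in an HTTP header. Treat that token like a password for as long as it is valid: do not echo the variable, do not paste it into a ticket, and do not log the request headers.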

Video: Azure Active Directory Overview

Azure Active Directory Editions


Azure Active Directory comes in four editions—Free, Basic, Premium P1, and Premium P2. The Free
edition is included with an Azure subscription. The Azure Active Directory Basic, Premium P1, and
Premium P2 editions are built on top of your existing free directory, providing enterprise class capabilities
spanning self-service, enhanced monitoring, security reporting, Multi-Factor Authentication (MFA), and
secure access for your mobile workforce.

The Azure Active Directory Pricing1 page has detailed information on what is included in each of the
editions.
●● Azure Active Directory Free – Designed to introduce system administrators to Azure Active Directo-
ry. This version includes common features such as directory objects, user/group management, single
sign-on, self-service password change, on-premises connect, and security/usage reports.

1 https://azure.microsoft.com/en-us/pricing/details/active-directory/?wt.mc_id=DXLEX_EDX_AZURE204X

●● Azure Active Directory Basic - Designed for task workers with cloud-first needs, this edition provides
cloud centric application access and self-service identity management solutions. With the Basic
edition of Azure Active Directory, you get productivity enhancing and cost reducing features like
group-based access management, self-service password reset for cloud applications, and Azure Active
Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all
backed by an enterprise-level SLA of 99.9 percent uptime.
●● Azure Active Directory Premium P1 - Designed to empower organizations with more demanding
identity and access management needs, Azure Active Directory Premium edition adds feature-rich
enterprise-level identity management capabilities and enables hybrid users to seamlessly access
on-premises and cloud capabilities. This edition includes everything you need for information worker
and identity administrators in hybrid environments across application access, self-service identity and
access management (IAM), and security in the cloud.
●● Azure Active Directory Premium P2 - Azure Active Directory Premium P2 includes every feature of
all other Azure Active Directory editions enhanced with advanced identity protection and privileged
identity management capabilities.
✔️ Did you look through the pricing list to determine which features your organization needs?

Choosing Between Azure AD and Azure AD DS


One of the main differences between Azure AD and Azure AD DS is the way devices are registered and
joined.
Azure AD Domain Services provides a managed AD domain in an Azure virtual network. You can join
machines to this managed domain using traditional domain-join mechanisms. Azure AD also enables you
to manage the identity of devices used by your organization and control access to corporate resources
from these devices. Azure AD joined devices give you the following benefits:
●● Single-sign-on (SSO) to applications secured by Azure AD
●● Enterprise policy-compliant roaming of user settings across devices.
●● Access to the Windows Store for Business using your corporate credentials.
●● Windows Hello for Business
●● Restricted access to apps and resources from devices compliant with corporate policy.

Aspect                           Azure AD join                                         Azure AD Domain Services

Device controlled by             Azure AD                                              Azure AD Domain Services managed domain
Representation in the directory  Device objects in the Azure AD directory              Computer objects in the Azure AD DS managed domain
Authentication                   OAuth/OpenID Connect based protocols                  Kerberos, NTLM protocols
Management                       Mobile Device Management (MDM) software like Intune   Group Policy
Networking                       Works over the internet                               Requires machines to be on the same virtual network as the managed domain
Great for ...                    End-user mobile or desktop devices                    Server virtual machines deployed in Azure
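The join type decides which column of the table applies to a given device. The following PowerShell is an added example and is not part of the course: it parses the output of dsregcmd /status, the built-in Windows 10 tool that reports Azure AD and AD DS join state side by side, and classifies the device as Azure AD joined, hybrid Azure AD joined, domain joined only, or registered. The sample output is constructed for illustration; on a real device run dsregcmd /status and pass its lines to the function.

```powershell
# Added example, not from the course. Classify a Windows 10 device's join type from the
# output of `dsregcmd /status`, which reports Azure AD and AD DS join state side by side.
# The sample text below is constructed from the shape of that tool's "Device State" section.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "    AzureAdJoined : YES"; box-drawing and blank lines are skipped.
        if ($line -match '^\s*(?<key>[A-Za-z]+)\s*:\s*(?<value>.+?)\s*$') {
            $state[$Matches.key] = $Matches.value
        }
    }
    return $state
}

function Get-DeviceJoinType {
    param([Parameter(Mandatory)][hashtable]$State)
    $aad    = $State['AzureAdJoined']   -eq 'YES'   # device object in Azure AD, OAuth/OIDC auth
    $domain = $State['DomainJoined']    -eq 'YES'   # computer object in AD DS / Azure AD DS, Kerberos/NTLM
    $wpj    = $State['WorkplaceJoined'] -eq 'YES'   # registered only (BYOD), not joined

    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($domain)           { return 'Domain joined only (AD DS or Azure AD DS managed domain)' }
    if ($wpj)              { return 'Azure AD registered' }
    return 'Not joined'
}

# Constructed sample. On a real device replace this with:  $sample = dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

Get-DeviceJoinType -State (ConvertFrom-DsregStatus -Lines $sample)
```

A device that reports both AzureAdJoined and DomainJoined is the hybrid case described earlier in the course: it has a computer object in AD DS and a device object in Azure AD, authenticates to on-premises resources with Kerberos, and to Azure AD protected applications with OAuth/OpenID Connect.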

For more information, you can see:

Choose between Azure Active Directory join and Azure Active Directory Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-compare-with-azure-ad-join

Video: Azure Active Directory Editions



Self-Service Password Reset


Video: Self-Service Password Reset (SSPR)

Configuring Self-Service Password Reset


To configure self-service password reset, you first determine who will be enabled to use self-service
password reset. From your existing Azure AD tenant, on the Azure Portal under Azure Active Directory
select Password reset.
In the Password reset properties there are three options: None, Selected, and All.

The Selected option is useful for enabling self-service password reset for specific groups. The Azure
documentation recommends creating a specific group for testing or proof of concept before deploying
to a larger group within the Azure AD tenant. Once you are ready to deploy this functionality to all users
with accounts in your Azure AD tenant, you can change the setting to All.
Important! Azure Administrator accounts will always be able to reset their passwords no matter what
this option is set to.

Authentication Methods for Password Reset


After enabling password reset for users and groups, you pick the number of authentication methods
required to reset a password and the set of authentication methods available to users.
At least one authentication method is required to reset a password, but it is a good idea to make
additional methods available. You can choose from email notification, a text message or call to the user's
mobile phone, a call to the user's office phone, or a set of security questions.
For security questions, you configure how many questions users in your Azure AD tenant must register.
In addition, you must configure the number of correctly answered security questions that are required
for a successful password reset.
In the next demonstration, Corey walks through the process of self-service password reset.

Password Writeback
With password writeback, you can configure Azure Active Directory (Azure AD) to write passwords back
to your on-premises Active Directory. Password writeback removes the need to set up and manage a
complicated on-premises self-service password reset (SSPR) solution, and it provides a convenient
cloud-based way for your users to reset their on-premises passwords wherever they are.
Password writeback is a component of Azure Active Directory Connect that can be enabled and used by
current subscribers of Premium Azure Active Directory editions.
It’s recommended that you use the auto-update feature of Azure AD Connect.
The following steps assume you have already configured Azure AD Connect in your environment by using
the Express2 or Custom3 settings.
1. To configure and enable password writeback, sign in to your Azure AD Connect server and start the
Azure AD Connect configuration wizard.
2. On the Welcome page, select Configure.
3. On the Additional tasks page, select Customize synchronization options, and then select Next.
4. On the Connect to Azure AD page, enter a global administrator credential, and then select Next.
5. On the Connect directories and Domain/OU filtering pages, select Next.
6. On the Optional features page, select the box next to Password writeback and select Next.

2 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express
3 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom

7. On the Ready to configure page, select Configure and wait for the process to finish.
8. When you see the configuration finish, select Exit.
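After the wizard exits, confirm on the Azure AD Connect server that writeback actually took effect. The following PowerShell is an added example and is not part of the course: it uses the ADSync module that ships with Azure AD Connect to check that the synchronization service is running, find the Azure AD connector, read the stored writeback setting, and look for recent writeback errors. The connector-name pattern, the Enabled property on the configuration object, and the PasswordResetService event source are assumptions based on Azure AD Connect's defaults.

```powershell
# Added example, not from the course. Run on the Azure AD Connect server after the wizard
# finishes to confirm password writeback is enabled and healthy.
# Assumptions: the ADSync module installed by Azure AD Connect; the Azure AD connector is
# named "<tenant>.onmicrosoft.com - AAD" (the default); Get-ADSyncAADPasswordResetConfiguration
# exposes an Enabled property; writeback logs under the PasswordResetService event source.

function Test-PasswordWriteback {
    Import-Module ADSync -ErrorAction Stop

    # 1. Writeback rides on the synchronization service, so it must be running.
    $svc = Get-Service -Name ADSync -ErrorAction Stop

    # 2. Locate the Azure AD connector (not the on-premises AD connector).
    $aadConnector = Get-ADSyncConnector |
        Where-Object { $_.Name -like '* - AAD' } |
        Select-Object -First 1
    if (-not $aadConnector) { throw 'No Azure AD connector found on this server.' }

    # 3. Read back the setting the wizard's Optional features page wrote.
    $cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

    # 4. Recent writeback activity and failures land in the Application log.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PasswordResetService' } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SyncServiceStatus = $svc.Status
        Connector         = $aadConnector.Name
        WritebackEnabled  = [bool]$cfg.Enabled
        RecentErrors      = @($events | Where-Object { $_.Level -le 2 }).Count   # 1 = Critical, 2 = Error
        Healthy           = ($svc.Status -eq 'Running') -and [bool]$cfg.Enabled
    }
}

Test-PasswordWriteback
```

If WritebackEnabled comes back false, re-run the wizard and re-check; Set-ADSyncAADPasswordResetConfiguration -Connector <name> -Enable $true toggles the same setting from PowerShell. A non-zero RecentErrors count with writeback enabled usually means the connector account lacks rights on the target users, which the writeback overview linked below describes.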
✔️ Use the link below to read about the password writeback features. Which of the features are you most
interested in?
For more information, you can see:
Password writeback overview - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

Demonstration: Configuring Self-Service Password Reset

Demonstration: Configuring Self-Service Group Creation

Configuring Self-Service Group Creation
Although not part of self-service password reset, self-service group creation is another feature in Azure
Active Directory Premium that allows users to create and manage their own security groups or Office 365
groups in Azure Active Directory (Azure AD).
For more information about setting up Azure Active Directory for self-service group management, see:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management

Additional Practice - Self-Service Password Reset (SSPR)
Access the Azure AD self-service password reset rapid deployment4 page. Take a minute to review the
video and walk-through the configuration steps.
To finish your study, read the FAQ at the reference link.
✔️ Always test SSPR with a user rather than an administrator because Microsoft enforces strong authenti-
cation requirements for Azure administrator accounts.
For more information, you can see:
Password management frequently asked questions - https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

4 https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

Azure AD Identity Protection


Video: Azure Identity Protection
Azure Identity Protection
Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables
you to:
●● Detect potential vulnerabilities affecting your organization’s identities.
●● Configure automated responses to detected suspicious actions that are related to your organization’s
identities.
●● Investigate suspicious incidents and take appropriate action to resolve them.


With Azure AD Identity Protection, you can protect your organization from compromised accounts,
identity attacks, and configuration issues. Identity Protection provides a consolidated view of identity
threats and vulnerabilities. You can receive detailed notifications of new identity risks, perform recom-
mended remediation, and automate future response with Conditional Access policies.
Using Azure AD Identity Protection, you can:
●● Get a consolidated view to examine suspicious user activities detected using Identity Protection
machine learning algorithms with signals like brute force attacks, leaked credentials, and sign-ins from
unfamiliar locations.
●● Improve the security posture of your organization by acting on a customized list of configuration
vulnerabilities that could lead to an elevated risk of account compromise in your organization.
●● Set risk-based Conditional Access policies to automatically protect your users.

✔️ Take a minute to enable Azure AD Identity Protection5 and explore the different capabilities you
saw in the previous video.
For more information, you can see:
Azure Active Directory Identity Protection FAQ - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identity-protection-faqs

Vulnerabilities Detected
Vulnerabilities are weaknesses in your environment that can be exploited by an attacker. We recommend
that you address these vulnerabilities to improve the security posture of your organization and prevent
attackers from exploiting them. On the Vulnerabilities page the Risk Level, Count, and Vulnerability
description are shown.

Identity Protection can report several vulnerabilities. Here are two examples:

●● Users without multi-factor authentication registration. We recommend that you require Azure
Multi-Factor Authentication for user sign-ins. Multi-factor authentication plays a key role in risk-based
conditional access policies available through Identity Protection.
●● Unmanaged apps discovered in last 7 days. In modern enterprises, IT departments are often
unaware of all the cloud applications that users in their organization are using to do their work. We
recommend deploying Cloud App Discovery to discover unmanaged cloud applications, and to
manage these applications using Azure Active Directory.
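The first vulnerability above, users without MFA registration, can be enumerated rather than only read off the portal. The following PowerShell is an added example and is not part of the course: Get-UsersWithoutMfa filters Get-MsolUser output from the MSOnline module for enabled accounts with no registered strong authentication method and reports each one's per-user MFA state. The sample objects are constructed to match the shape of Get-MsolUser output so the filter runs without a tenant; the property names follow the MSOnline module.

```powershell
# Added example, not from the course. Enumerate enabled users with no registered MFA method,
# the first vulnerability Identity Protection lists. Property names follow the MSOnline module's
# Get-MsolUser output (StrongAuthenticationMethods, StrongAuthenticationRequirements,
# BlockCredential, IsLicensed); the sample objects below are constructed so the filter runs offline.

function Get-UsersWithoutMfa {
    param([Parameter(Mandatory)][object[]]$Users)
    foreach ($u in $Users) {
        # Sign-in-blocked accounts cannot register; report them separately rather than as MFA gaps.
        if ($u.BlockCredential) { continue }

        # StrongAuthenticationMethods stays empty until the user completes MFA registration.
        $methodCount = @($u.StrongAuthenticationMethods).Count
        if ($methodCount -gt 0) { continue }

        # Per-user MFA state (Disabled / Enabled / Enforced). "Enforced" with no methods means the
        # user will be made to register at next sign-in; "Disabled" means nothing requires it yet.
        $req   = @($u.StrongAuthenticationRequirements)
        $state = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            IsLicensed        = $u.IsLicensed
            PerUserMfaState   = $state
        }
    }
}

# Constructed sample shaped like Get-MsolUser output.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.onmicrosoft.com'; IsLicensed = $true; BlockCredential = $false
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true })
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
    }
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.onmicrosoft.com'; IsLicensed = $true; BlockCredential = $false
        StrongAuthenticationMethods      = @()
        StrongAuthenticationRequirements = @()
    }
    [pscustomobject]@{
        UserPrincipalName = 'svc-legacy@contoso.onmicrosoft.com'; IsLicensed = $false; BlockCredential = $true
        StrongAuthenticationMethods      = @()
        StrongAuthenticationRequirements = @()
    }
)

Get-UsersWithoutMfa -Users $sample | Format-Table -AutoSize

# Against a live tenant:
#   Connect-MsolService
#   Get-UsersWithoutMfa -Users (Get-MsolUser -All) | Export-Csv .\users-without-mfa.csv -NoTypeInformation
```

Licensed, enabled users with PerUserMfaState of Disabled are the ones a risk-based Conditional Access policy cannot yet protect with MFA, because there is no registered method to challenge; they are the first group to drive through registration.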
For more information, you can see:

Vulnerabilities detected by Azure Active Directory Identity Protection - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-vulnerabilities
What is Azure Multi-Factor Authentication? - https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication

5 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-enable

Set up Cloud App Discovery in Azure AD - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/cloud-app-discovery

Demonstration: Enabling Multi-Factor Authentication

Risky Sign-Ins
With the security reports in Azure Active Directory (Azure AD) you can gain insights into the probability
of compromised user accounts in your environment. Azure AD detects suspicious actions that are related
to your user accounts. For each detected action, a record called risk event (next topic) is created.

Risk events are used to calculate:


●● Risky sign-ins. A risky sign-in is an indicator for a sign-in attempt that might have been performed by
someone who is not the legitimate owner of a user account. A sign-in risk level is an indication (High,
Medium, or Low) of the likelihood that a sign-in attempt was made by someone other than the
legitimate owner of the user account.
●● Users flagged for risk. A risky user is an indicator for a user account that might have been compromised.
✔️ Azure AD Identity Protection sends two types of automated notification emails to help you manage
user risk and risk events: users at risk detected email, and a weekly digest email.
For more information, you can see:
Risky sign-ins - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection#risky-sign-ins
Azure Active Directory Identity Protection notifications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-notifications

Risks Detected
Most security breaches take place when attackers gain access to an environment by stealing a user’s
identity. Discovering compromised identities is no easy task. Azure Active Directory uses adaptive
machine learning algorithms and heuristics to detect suspicious actions that are related to your user
accounts. Each detected suspicious action is stored in a record called risk event.

Currently, Azure Active Directory detects six types of risk events:


●● Users with leaked credentials6
●● Sign-ins from anonymous IP addresses7
●● Impossible travel to atypical locations8
●● Sign-ins from infected devices9
●● Sign-ins from IP addresses with suspicious activity10
●● Sign-ins from unfamiliar locations11
✔️ The insight you get for a detected risk event is tied to your Azure AD subscription. With the Azure AD
Premium P2 edition, you get the most detailed information about all underlying detections. With the
Azure AD Premium P1 edition, detections that are not covered by your license appear as the risk event
Sign-in with additional risk detected.
✔️ If you have time, check out the following presentation given at the Ignite 2017 conference. It provides
a broad overview of the Azure AD Identity Protection capabilities covered in this lesson. The session is
entitled “Shut the door to cybercrime with Azure Active Directory risk-based identity protection.”
For more information, you can see:
Azure Active Directory risk events - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events

6 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#leaked-credentials
7 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-ins-from-anonymous-ip-addresses
8 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#impossible-travel-to-atypical-locations
9 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-ins-from-infected-devices
10 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-ins-from-ip-addresses-with-suspicious-activity
11 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-in-from-unfamiliar-locations

Video: Enabling Azure Active Directory Protection
This video is from the Enterprise Mobility + Security series on Microsoft’s Channel 9 platform. It discusses
the process to enable Azure AD Identity Protection. You’ll learn how this feature can help corporations
understand the risk levels of authentication, mitigating them through things such as Azure MFA. Additionally, Azure AD Identity Protection also benefits corporations proactively by searching for compromised credentials and then alerting administrators of the compromise while locking the user account.

Integrating SaaS Applications with Azure AD


Software as a Service
Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet.
Common examples are email, calendaring, and office tools (such as Microsoft Office 365).
For organizational use, you can “rent” productivity apps, such as email, collaboration, and calendaring;
and sophisticated business applications such as customer relationship management (CRM), enterprise
resource planning (ERP), and document management. You pay for the use of these apps by subscription
or according to the level of use. SaaS allows your organization to get quickly up and running with an app
at minimal upfront cost.
Common SaaS scenarios
If you’ve used a web-based email service such as Outlook, Hotmail, or Yahoo! Mail, then you’ve already
used a form of SaaS. With these services, you log into your account over the Internet, often from a web
browser. The email software is located on the service provider’s network, and your messages are stored
there as well. You can access your email and stored messages from a web browser on any computer or
Internet-connected device. In the following image, which SaaS applications do you see that you are
interested in?

✔️ Begin to think about how users will login to your SaaS applications. Will you be able to implement a
single sign-on experience?
For more information, you can see:
What is SaaS? - https://azure.microsoft.com/en-us/overview/what-is-saas/

SaaS Advantages
Generally, you can group SaaS advantages into: unified user experience, security, centralized application
access management, and unified reporting and monitoring.

Gain access to sophisticated applications. To provide SaaS apps to users, you don’t need to purchase,
install, update, or maintain any hardware, middleware, or software. SaaS makes even sophisticated
enterprise applications, such as ERP and CRM, affordable for organizations that lack the resources to buy,
deploy, and manage the required infrastructure and software themselves.
Pay only for what you use. You also save money because the SaaS service automatically scales up and
down according to the level of usage.
Use free client software. Users can run most SaaS apps directly from their web browser without needing
to download and install any software, although some apps require plugins. This means that you don’t
need to purchase and install special software for your users.
Mobilize your workforce easily. SaaS makes it easy to “mobilize” your workforce because users can
access SaaS apps and data from any Internet-connected computer or mobile device. You don’t need to
worry about developing apps to run on different types of computers and devices because the service
provider has already done so. In addition, you don’t need to bring special expertise onboard to manage
the security issues inherent in mobile computing. A carefully chosen service provider will ensure the
security of your data, regardless of the type of device consuming it.
Access app data from anywhere. With data stored in the cloud, users can access their information from
any Internet-connected computer or mobile device. And when app data is stored in the cloud, no data is
lost if a user’s computer or device fails.
✔️ Can you think of any other advantages specific to your organization’s needs?
For more information, you can see:
What is SaaS? - https://azure.microsoft.com/en-us/overview/what-is-saas/

Video: Integrating SaaS Applications

Azure AD Application Gallery


If you are going to deploy SaaS applications, then you will want your users to be able to use single-sign
on (SSO). The Azure AD Application Gallery provides a listing of applications that are known to support a
form of SSO with Azure AD.

Here are some tips for finding apps by what capabilities they support:
●● Featured applications support automatic provisioning and de-provisioning in Azure AD.
●● Gallery applications support federated single sign-on using a protocol such as SAML, WS-Federation,
or OpenID Connect.
●● Each application in the gallery provides step-by-step instructions on how to enable single sign-on.
Automatic provisioning includes all the following:
●● Automatically create new accounts in the right systems for new people when they join your team or
organization.
●● Automatically deactivate accounts in the right systems when people leave the team or organization.
●● Ensure that the identities in your apps and systems are kept up-to-date based on changes in the
directory, or your human resources system.
●● Provision non-user objects, such as groups, to applications that support them.
✔️ Automatic provisioning is a very good thing. Take a minute to read more in the next link.
For more information, you can see:
Azure Active Directory integrated with applications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enable-sso-scenario#azure-active-directory-integrated-with-applications

Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory -
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-app-provisioning

Demonstration: Integrating SaaS Applications

Other Integration Options


What if you need to implement an application that is not yet listed in the application gallery? While this is
a bit more time-consuming than configuring SSO for applications from the application gallery, Azure AD
provides you with a wizard that helps you with the configuration.

1. Add your own app you are developing. If you have developed the application yourself, follow the
guidelines in the Azure AD developer documentation to implement federated single sign-on or
provisioning12 using the Azure AD graph API.
2. Add an On-premises Application. Azure AD Application Proxy provides SSO and secure remote
access for web applications hosted on-premises. Some apps you would want to publish include SharePoint sites, Outlook Web Access, or any other LOB web applications you have. End users can access
your on-premises applications the same way they access O365 and other SaaS apps integrated with
Azure AD. You don't need to change the network infrastructure or require VPN to provide this solution for your users.
3. Integrate any other application that you can’t find in the gallery. Use this category in the app
gallery to connect an unlisted application that your organization is using. You can add any application
that supports SAML 2.0 as a federated app, or any application that has an HTML-based sign-in page
as a password SSO app.
For more information, you can see:
Get started with the Azure AD application gallery - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-appssoaccess-whatis#get-started-with-the-azure-ad-application-gallery
Integrating Azure Active Directory with applications getting started guide - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications-getting-started
SaaS application integration with Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-tutorial-list

Additional Practice - SaaS Integration with Azure AD
If you are interested in learning more on how to integrate cloud-enabled SaaS applications with Azure
AD, there is a collection of tutorials13 to help walk you through the configuration process for single sign
on (SSO).
●● The applications are organized alphabetically, and in some cases, there is also an accompanying
tutorial for user provisioning. (This is noted where it is the case)
●● Pick one or two applications that are of interest and give the tutorials a try to see how the process
works.

12 https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios
13 https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tutorial-list

✔️ Remember that in the video, Corey mentioned that SaaS application integration with Azure AD
involves two main processes: first you add the application from the gallery and configure it for Azure AD;
then you must perform any additional configuration required by the application provider.
For more information, you can see:
Azure Active Directory integrated with applications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enable-sso-scenario#azure-active-directory-integrated-with-applications
Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory -
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-app-provisioning

Conditional Access
Once you have set up SSO for your SaaS application, it is time to consider additional security measures
such as conditional access.
Conditional access is a capability of Azure AD (with an Azure AD Premium license) that enables you to
enforce controls on the access to apps in your environment based on specific conditions from a central
location. With Azure AD conditional access, you can factor how a resource is being accessed into an
access control decision. By using conditional access policies, you can apply the right access controls
under the required conditions.

In the context of conditional access:


●● “When this happens” is called conditions.
●● “Then do this” is called access controls.
The combination of your conditions with your access controls represents a conditional access policy.
With access controls, you can either Block Access altogether or Grant Access with additional requirements
by selecting the desired controls. You can have several options:
●● Require MFA from Azure AD or an on-premises MFA (combined with AD FS).
●● Grant access to only trusted devices.
●● Require a domain-joined device.
●● Require mobile devices to use Intune app protection policies14.
✔️ Do you think conditional access would be something your organization is interested in?
For more information, you can see:
Conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Grant controls - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls#grant-controls

14 https://docs.microsoft.com/intune/app-protection-policy

Conditions – Users Groups


Conditional access comes with six conditions: user/group, cloud application, device state, location (IP
range), client application, and sign-in risk. You can use combinations of these conditions to get the exact
conditional access policy you need. Notice on this image the conditions determine the access control
from the previous topic.

✔️ The Users and Groups condition is mandatory in a conditional access policy. In your policy, you can
either select All users or select specific users and groups.
For more information, you can see:
Conditions in Azure Active Directory conditional access - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions

Sign-in Risk Condition


A sign-in risk is an indicator for the likelihood (high, medium, or low) that the legitimate owner of a user
account did not perform the sign-in attempt. Azure AD calculates the sign-in risk level during the sign-in
of a user. You can use the calculated sign-in risk level as a condition in a conditional access policy.

✔️ To use this condition, you need to have Azure Active Directory Identity Protection15 enabled.

15 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection

For more information, you can see:


Sign-in risk - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#sign-in-risk

Locations Condition
With locations, you have the option to define conditions that are based on where a connection attempt
was initiated from. Your choices are: any location, all trusted locations, and selected locations.

Common use cases for this condition are policies that:


●● Require multi-factor authentication for users accessing a service when they are off the corporate
network.
●● Block access for users accessing a service from specific countries or regions.
●● Ensure that access to a non-production Azure environment occurs only from a non-production
network.
✔️ If you are interested in the other access conditions that are available take some time to go through
the next links.
For more information, you can see:
Locations - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations
Cloud Apps - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#cloud-apps
Device Platforms - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#device-platforms
Client Apps - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#client-apps

Additional Practice - Conditional Access


To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud
apps using a user name and a password. However, some environments may have scenarios where it
would be advisable to require a strong form of account verification.
In this Quickstart, you configure an Azure AD conditional access policy that requires multi-factor authentication (MFA) for a selected cloud app in your environment.

If you decide to try this Quickstart16, you will need:


●● Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium
capability.
●● A test account called Isabella Simonsen.
The specific tasks in this Quickstart include:
●● Create the required conditional access policy
●● Evaluate a simulated sign in
●● Test the conditional access policy
For more information, you can see:
What is conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

16 https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
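The Conditional Access, Sign-in Risk Condition and Locations Condition topics above, and the Quickstart just described, can all be expressed as one policy built from PowerShell. What follows is an added example written for this handbook, not the Quickstart's own steps or Microsoft sample code. It assumes the AzureAD module at a version that ships the *-AzureADMS* conditional access cmdlets, a prior Connect-AzureAD as an administrator allowed to manage conditional access, and an Azure AD Premium P2 licence for the sign-in risk condition. The display name, the report-only starting state and the break-glass group object id are illustrative placeholders.

```powershell
# Added example (not from the course): a risk- and location-based conditional access policy
# created with the AzureAD PowerShell module. Assumes a prior Connect-AzureAD.
Import-Module AzureAD

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

# Condition: users and groups (mandatory). Include everyone, but exclude an emergency-access
# group (placeholder object id) so a bad policy cannot lock out every administrator.
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers  = "All"
$conditions.Users.ExcludeGroups = "<break-glass-group-object-id>"

# Condition: cloud apps. "All" applies the policy to every cloud app; replace with an app id
# to scope it to the single app the Quickstart uses.
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"

# Condition: sign-in risk as calculated by Identity Protection during the sign-in.
$conditions.SignInRiskLevels = @("high", "medium")

# Condition: locations. Evaluate everywhere except the named locations marked as trusted,
# which is the "require MFA off the corporate network" use case.
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = "All"
$conditions.Locations.ExcludeLocations = "AllTrusted"

# Access control ("then do this"): grant access only after multi-factor authentication.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator       = "OR"
$controls.BuiltInControls = @("mfa")

# Start in report-only mode: the sign-in logs then record what the policy would have done,
# which is the "evaluate a simulated sign in" step before switching State to "enabled".
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName   "Require MFA for medium/high risk sign-ins off trusted networks" `
    -State         "enabledForReportingButNotEnforced" `
    -Conditions    $conditions `
    -GrantControls $controls

$policy | Select-Object Id, DisplayName, State
```

Keep the exclusion group in every blocking or MFA policy you create; the test account the Quickstart uses (Isabella Simonsen) should not be in that group, so that her sign-ins are the ones evaluated.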

Module 1 Review Questions
Domain Services Differences
You establish a hybrid environment using an on-premises Active Directory Domain Services (AD DS)
domain and Azure AD. You need to define how the hybrid deployment will influence administrative work.
What are the differences between AD DS and Azure AD?

Click for suggested answer ↓ 


Although Azure AD has many similarities to AD DS, there are also many differences. It is important to
realize that using Azure AD is different from deploying an Active Directory domain controller on an Azure
virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD
that make it different.
●● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based
applications by using HTTP and HTTPS communications.
●● REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP.
Instead, Azure AD uses the REST API over HTTP and HTTPS.
●● Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos
authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID
Connect for authentication (and OAuth for authorization).
●● Federation Services. Azure AD includes federation services, and many third-party services (such as
Facebook).
●● Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).
Azure AD SSO
You manage an existing Active Directory Domain Services (AD DS) domain. You grant users access to
internal and external web apps by using Active Directory Federation Services (AD FS). The organization
deploys Office 365 Exchange Online and migrates all user mailboxes to the cloud.
How can you use the existing Office 365 implementation to improve the user experience, and save
money for the organization? What are some benefits of using Azure AD?

Click for suggested answer ↓ 


Use the existing Office 365 Azure AD Connect functionality already in place with Exchange Online, and
use Azure AD Single Sign-On (SSO) to decommission the existing AD FS Servers.
Azure AD has many benefits: single sign-on to any cloud or on-premises web app; support for iOS, Mac
OS X, Android, and Windows devices; protection of on-premises web applications with secure remote access;
an easy way to extend Active Directory to the cloud; protection of sensitive data and applications; and reduced costs and
enhanced security through self-service capabilities.
Azure AD Editions
You are planning to deploy Azure AD in a hybrid environment for an organization. You must implement
the following features: MFA, SSO, Self-service Password Reset, seamless access to both on-premises and
cloud applications, and self-service Bitlocker recovery.

Which Azure AD edition is suitable for your organization and why? What are the Azure AD editions?

Click for suggested answer ↓ 


Azure AD Premium P1 is most suitable for your deployment. The Azure AD editions include: Azure Active
Directory Free, Azure Active Directory Basic, Azure Active Directory Premium P1, and Azure Active
Directory Premium P2.
Module 2 Managing Azure Active Directory Objects

Azure Domains and Tenants


Domains
Initial domain name
By default, when you create an Azure subscription an Azure AD domain is created for you. This instance
of the domain has an initial domain name in the form domainname.onmicrosoft.com. The initial domain
name, while fully functional, is intended primarily to be used as a bootstrapping mechanism until a
custom domain name is verified.
Custom domain name
Although the initial domain name for a directory can't be changed or deleted, you can add any routable
custom domain name you control. This simplifies the user sign-on experience by allowing users to log on
with credentials they are familiar with. For example, contosogold.onmicrosoft.com could be assigned a
simpler custom domain name of contosogold.com.

Practical information about domain names


●● Only a global administrator can perform domain management tasks in Azure AD.

●● Domain names in Azure AD are globally unique. If one Azure AD directory has verified a domain
name, then no other Azure AD directory can verify or use that same domain name.
●● Before a custom domain name can be used by Azure AD, the custom domain name must be added to
your directory and verified. This is covered in the next topic.

Verifying Custom Domain Names


When an administrator adds a custom domain name to an Azure AD, it is initially in an unverified state.
Azure AD will not allow any directory resources to use an unverified domain name. This ensures that only
one directory can use a domain name, and the organization using the domain name owns that domain
name.

Azure AD verifies ownership of a domain name by looking for an entry in the domain name service (DNS)
zone file for the domain name. To verify ownership of a domain name, an admin gets the DNS entry from
Azure AD that Azure AD will look for and adds that entry to the DNS zone file for the domain name. The
DNS zone file is maintained by the domain name registrar for that domain. Adding a DNS entry to the
zone file for the domain name does not affect other domain services such as email or web hosting.

✔️ An upcoming demonstration shows how to add the DNS record to your domain.

For more information, you can see:


Managing custom domain names in your Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-domains-manage-azure-portal

Tenants
A tenant is simply a dedicated instance of Azure AD that your organization receives and owns when it
signs up for a Microsoft cloud service such as Azure or Office 365. For example, contosogold.onmicrosoft.com is a tenant.
A tenant houses the users in a company and the information about them - their passwords, user profile
data, permissions, and so on. It also contains groups, applications, and other information pertaining to an
organization and its security.
You can have multiple tenants within your organization. Each tenant can have a different purpose and
fulfill a different scenario. For example, you might have a tenant for Testing, one for Office 365, and one for Production.
Can you think of reasons why you might want different tenants?
●● Isolation. Each tenant is isolated with different policies, users, groups, and roles.
●● Resources. Each tenant can have different resources specific for their functionality.
●● Administration. Each tenant can have different administrator roles.
●● Synchronization. Each tenant can implement synchronization in a different way.
To use a tenant, it must be associated with a subscription. The basic steps are: create a directory, create
an admin for the directory, and then have the admin associate the directory with a subscription. Each
directory must have at least one subscription.

✔️ An upcoming demonstration shows how to create a tenant, add an admin, and associate a subscription.
For more information, you can see:
How to get an Azure Active Directory tenant - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant
What is an AD Tenant? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administer#what-is-an-azure-ad-tenant

Multiple Tenants

In Azure Active Directory (Azure AD), each tenant is a fully independent resource: a peer that is logically
independent from the other tenants that you manage. There is no parent-child relationship between
tenants. This independence between tenants includes resource independence, administrative independence, and synchronization independence.

Resource independence
●● If you create or delete a resource in one tenant, it has no impact on any resource in another tenant,
with the partial exception of external users.
●● If you use one of your domain names with one tenant, it cannot be used with any other tenant.
Administrative independence
If a non-administrative user of tenant ‘Contoso’ creates a test tenant 'Test,' then:
●● By default, the user who creates a tenant is added as an external user in that new tenant and assigned
the global administrator role in that tenant.
●● The administrators of tenant ‘Contoso’ have no direct administrative privileges to tenant 'Test,' unless
an administrator of ‘Test’ specifically grants them these privileges.
Synchronization independence. You can configure each Azure AD tenant independently to get data
synchronized from a single instance of either: The Azure AD Connect tool or the Forefront Identity
Manager Azure Active Tenant Connector.
✔️ Unlike other Azure resources, your tenants are not child resources of an Azure subscription.
For more information, you can see:
Understand how multiple Azure Active Directory tenants interact - https://docs.microsoft.com/en-us/
azure/active-directory/active-directory-licensing-directory-independence

Video: Managing Domains Directories and Tenants

Demonstration: Create a New Instance of Azure AD

Additional Practice - Custom Domain Names


Take a few minutes to work through the Quickstart: Add a custom domain name to Azure Active
Directory1. This Quickstart steps through the basics of:
●● Add the custom domain name to your directory.
●● Add a DNS entry for the domain name at the domain name registrar.
●● Verify the custom domain name in Azure AD.
This Quickstart includes troubleshooting steps.
●● Wait an hour. DNS records must propagate before Azure AD can verify the domain. This process can
take an hour or more.
●● Ensure the DNS record was entered, and that it is correct. Complete this step at the website for the
domain name registrar for the domain.
●● Delete the domain name from another directory in Azure AD. A domain name can be verified in
only a single directory. If a domain name is currently verified in a different directory, it can't be verified
in your new directory until it is deleted on the other one.
For more information, you can see:
Manage custom domain names - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-domains-manage-azure-portal

1 https://docs.microsoft.com/en-us/azure/active-directory/add-custom-domain
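The verification flow described in Verifying Custom Domain Names and walked through in the Quickstart above (add the domain, publish the DNS entry at the registrar, wait for propagation, verify) can be scripted and, more usefully, checked before you click verify. The following is an added example for this handbook, not the Quickstart's own code or Microsoft sample code. It assumes the AzureAD module, a prior Connect-AzureAD as a global administrator (the only role allowed to manage domains), Resolve-DnsName from the Windows DnsClient module, and that contoso.com is a placeholder for a domain you control. It also assumes that the Txt entry returned by Get-AzureADDomainVerificationDnsRecord exposes the record value through its Text property.

```powershell
# Added example (not from the course): add a custom domain, read the TXT record Azure AD expects,
# check public DNS for it, and only then ask Azure AD to verify. Assumes a prior Connect-AzureAD.
Import-Module AzureAD

$domainName = "contoso.com"   # placeholder: a domain whose DNS zone you control

function Test-DomainVerificationRecord {
    # Returns $true when the TXT value Azure AD issued for the domain is visible in public DNS.
    # Querying public resolvers (-DnsOnly skips the local cache) shows what Azure AD will see.
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $ExpectedText
    )
    $txtRecords = Resolve-DnsName -Name $Name -Type TXT -DnsOnly -ErrorAction SilentlyContinue
    if (-not $txtRecords) { return $false }
    # The Strings property holds each TXT record's payload.
    return [bool]($txtRecords | Where-Object { $_.Strings -contains $ExpectedText })
}

# Step 1: add the domain. It stays IsVerified = $false until the DNS check succeeds, and no
# directory resource can use it before then.
$domain = Get-AzureADDomain -Name $domainName -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-AzureADDomain -Name $domainName }

# Step 2: ask Azure AD which record it will look for. Publish the Text value as a TXT record
# for the Label shown, at the registrar that hosts the zone. Other records (MX, web) are untouched.
$record = Get-AzureADDomainVerificationDnsRecord -Name $domainName |
    Where-Object RecordType -eq 'Txt'
"Publish TXT record for {0}: {1} (TTL {2})" -f $record.Label, $record.Text, $record.Ttl

# Step 3: verify only once the record has propagated (this can take an hour or more).
if (Test-DomainVerificationRecord -Name $domainName -ExpectedText $record.Text) {
    Confirm-AzureADDomain -Name $domainName
    (Get-AzureADDomain -Name $domainName).IsVerified   # $true once verification succeeded
} else {
    "TXT record for $domainName is not visible in public DNS yet; re-run after it has propagated."
}
```

If the record is visible but Confirm-AzureADDomain still fails, the remaining troubleshooting step from the Quickstart applies: a domain name can be verified in only one directory, so it must first be removed from any other directory that has already verified it.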

Azure Users and Groups


Video: Managing Users and Groups

User Accounts
In Azure AD, all users who require access to resources must have a user account. A user account is an
Azure AD user object that contains all the information that's required to authenticate and authorize the
user during the sign‑in process and build the user's access token.
To view the Azure AD users, simply access the All users blade.

Notice the Source in the above screenshot. There are different sources depending on the types of
identity, including:
●● Cloud identities (Azure Active Directory). Users that only exist in Azure AD. For example, administra-
tor accounts or users you are managing yourself.
●● Directory-synchronized identities (Windows Server AD). Users brought in to Azure through a
synchronization activity using Azure AD Connect. These are users that exist in Windows Server AD.
●● Guest users (Azure Active Directory). Users from outside Azure. For example, Google and Microsoft
accounts.
✔️ Take a minute to access the Portal and view your users. Notice the User Type and Source columns.
Have you given any thought as to the type of users you will need?

Adding User Accounts


There are multiple ways to add cloud identities to Azure AD.
Azure Portal
You can add new users through the Azure Portal. In addition to Name and User name, there is profile
information like Job Title and Department.

Azure PowerShell
You can use the PowerShell New-AzureADUser command to add cloud-based users.
```powershell
# Create a password object
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
# Assign the password
$PasswordProfile.Password = "<Password>"
# Create the new user
New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown" -PasswordProfile $PasswordProfile -MailNickName "AbbyB" -UserPrincipalName "AbbyB@contoso.com"
```

✔️ Users can also be added to Azure AD through Office 365 Admin Center, Microsoft Intune admin
console, and the CLI. Which of the options mentioned in this topic do you prefer?
For more information, you can see:
Add or change profile information for a user in Azure Active Directory - https://docs.microsoft.com/
en-us/azure/active-directory/active-directory-users-profile-azure-portal
Creating a new user in Azure AD - https://docs.microsoft.com/en-us/powershell/azure/active-directory/new-user-sample?view=azureadps-2.0
az ad user create - https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest#az_ad_user_create

Bulk User Accounts


There are several ways you can use PowerShell to import data into your directory, but the most commonly used method is to use a CSV file. This file can either be manually created, for example using Excel, or it can be exported from an existing data source such as an SQL database or an HR application.
If you are going to use a CSV file here are some things to think about:
●● Naming conventions. Establish or implement a naming convention for usernames, display names and aliases. For example, a user name could consist of last name, period, first name: Smith.John@contoso.com.
●● Passwords. Implement a convention for the initial password of the newly created user. Figure out a
way for the new users to receive their password in a secure way. Methods commonly used for this are
generating a random password and emailing it to the new user or their manager.
The steps for using the CSV file are very straightforward. Use the reference link to see a sample PowerShell script.

1. Use Connect-AzureAD to create a PowerShell connection to your directory. You should connect with an admin account that has privileges on your directory.
2. Create a new Password Profile for the new users. The password of the new users needs to conform to the password complexity rules you have set for your directory.
3. Use Import-CSV to import the csv file. You will need to specify the path and file name of the CSV file.
4. Loop through the users in the file constructing the user parameters required for each user. For example, User Principal Name, Display Name, Given Name, Department, and Job Title.
5. Use New-AzureADUser to create each user. Be sure to enable each account.
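The five steps above, carried through end to end, as an added example that is not the handbook's sample script. It assumes the AzureAD module, a Connect-AzureAD session with user administration rights, and a constructed two-row CSV written to .\NewUsers.csv (in practice the file comes from Excel or an HR export). It also follows the naming and password conventions discussed above: a unique random initial password per user, forced to change at first sign-in, rather than one shared password for the whole batch.

```powershell
# Added example (not from the handbook): bulk-create cloud users from a CSV file.
# Assumes Connect-AzureAD has already been run with an account that can create users.
$csvPath = ".\NewUsers.csv"

# Constructed sample input; normally exported from an HR system or built in Excel.
@"
UserPrincipalName,DisplayName,GivenName,Surname,MailNickName,Department,JobTitle
Smith.John@contoso.com,John Smith,John,Smith,Smith.John,Sales,Account Manager
Doe.Jane@contoso.com,Jane Doe,Jane,Doe,Doe.Jane,Marketing,Analyst
"@ | Set-Content -Path $csvPath

$users = Import-Csv -Path $csvPath

$results = foreach ($u in $users) {
    # One random initial password per user, built from a cryptographic RNG, never a shared value.
    $bytes = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPassword = "A1!" + [Convert]::ToBase64String($bytes).Substring(0, 12)

    $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwProfile.Password = $initialPassword
    $pwProfile.ForceChangePasswordNextLogin = $true   # the user picks their own password at first sign-in

    $newUser = New-AzureADUser -AccountEnabled $true `
        -UserPrincipalName $u.UserPrincipalName `
        -DisplayName $u.DisplayName -GivenName $u.GivenName -Surname $u.Surname `
        -MailNickName $u.MailNickName -Department $u.Department -JobTitle $u.JobTitle `
        -PasswordProfile $pwProfile

    # Return what the delivery process needs; do not write passwords to a transcript or log.
    [PSCustomObject]@{
        UserPrincipalName = $newUser.UserPrincipalName
        ObjectId          = $newUser.ObjectId
        InitialPassword   = $initialPassword
    }
}

# Hand $results to whatever out-of-band channel delivers initial passwords to users or managers.
$results | Select-Object UserPrincipalName, ObjectId
```

The temporary passwords live only in $results for the duration of the delivery step; keeping them out of console transcripts and shared files is the part of the "secure way" mentioned above that scripts most often get wrong.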
For more information, you can see:
Importing data into my directory - https://docs.microsoft.com/en-us/powershell/azure/active-directory/importing-data?view=azureadps-2.0
New-AzureADUser - https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduser?view=azureadps-2.0

Group Accounts
A group helps organize users to make it easier to manage permissions. Groups can be easily added
through the portal. There are two types of groups: security groups and distribution groups.
●● Security groups are security‑enabled and are used to assign permissions and control access to
various resources.
●● Distribution groups are used mainly by email applications and are not security enabled. You can
easily add groups in the portal.

Adding Groups
You can also use PowerShell to add a group with the New-AzureADGroup command.
```powershell
New-AzureADGroup -Description "Marketing" -DisplayName "Marketing" -MailEnabled $false -SecurityEnabled $true -MailNickName "Marketing"
```

Adding Members to Groups


There are two ways to add members to Azure groups.
●● Directly Assigned. In this situation you create the group then you manually add individual user
accounts to the group.
●● Dynamically Assigned. In this situation you create rules to enable attribute-based dynamic memberships for groups based on characteristics. For example, if a user’s Department is Sales, then they are dynamically assigned to the Sales group. You can set up a rule for dynamic membership on security groups or Office 365 groups. This feature requires an Azure AD Premium P1 license.
✔️ Have you given any thought to which groups you need to create? Would you directly assign or
dynamically assign membership?
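The two membership models side by side, as an added example rather than handbook code. It assumes the AzureAD module and a Connect-AzureAD session with rights to create groups, and reuses the placeholder user AbbyB@contoso.com from the New-AzureADUser snippet earlier in this module. Note that the membership rule is set through New-AzureADMSGroup; the New-AzureADGroup cmdlet shown above has no rule parameters.

```powershell
# Added example (not from the handbook): directly assigned vs. dynamically assigned membership.
# Assumes Connect-AzureAD has been run with an account that can create groups.

# 1. Directly assigned: create the security group, then add individual members by object ID.
$marketing = New-AzureADGroup -DisplayName "Marketing" -Description "Marketing" `
    -MailEnabled $false -SecurityEnabled $true -MailNickName "Marketing"

$abby = Get-AzureADUser -ObjectId "AbbyB@contoso.com"     # placeholder user from earlier in the module
Add-AzureADGroupMember -ObjectId $marketing.ObjectId -RefObjectId $abby.ObjectId

# 2. Dynamically assigned (needs Azure AD Premium P1): membership is computed from a rule over
#    user attributes, here "Department equals Sales". Nobody is added by hand.
$sales = New-AzureADMSGroup -DisplayName "Sales" -Description "All users whose Department is Sales" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "Sales" `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Sales")' `
    -MembershipRuleProcessingState "On"

# Review. The direct group contains exactly what was added; the dynamic group fills in as Azure AD
# processes the rule, which is not instantaneous, so check the rule and its state rather than the count.
Get-AzureADGroupMember -ObjectId $marketing.ObjectId | Select-Object DisplayName, UserPrincipalName
Get-AzureADMSGroup -Id $sales.Id |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
```

The security difference between the two is where control sits: a direct group changes only when an administrator changes it, while a dynamic group changes whenever the underlying attribute changes, so anyone who can edit the Department attribute can effectively change access.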
For more information, you can see:
Manage group membership for users in your Azure Active Directory tenant - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-members-azure-portal
Create attribute-based rules for dynamic group membership in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
Create a group and add members in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-create-azure-portal
New-AzureADGroup - https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadgroup?view=azureadps-2.0

Demonstration: Create User and Group Accounts

Additional Practice - Users and Groups


✔️ For the Quickstarts in this practice, you will need to sign in to Azure with an account that’s a global admin for the directory.
Try the Quickstart: Add new users to Azure Active Directory2. This Quickstart explains how to add or delete users in your organization's Azure Active Directory (Azure AD) tenant using the Azure portal, or by synchronizing your on-premises Windows Server AD user account data.
Manage Group Membership
Try the Manage group membership for users in your Azure Active Directory tenant3. This article
explains how to manage the members for a group in Azure Active Directory (Azure AD).
Create a group and add members
Try the Create a group and add members in Azure Active Directory4. This article explains how to
create and populate a new group in Azure Active Directory. Use a group to perform management tasks
such as assigning licenses or permissions to several users or devices at once.
Manage profile information
Try the Add or change profile information for a user in Azure Active Directory5 article. This article
explains how to add user profile information, such as a profile picture or phone and email authentication
information, in Azure Active Directory (Azure AD).
✔️ As you have time, experiment with other user and group administrative tasks.

2 https://docs.microsoft.com/en-us/azure/active-directory/add-users-azure-active-directory
3 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-members-azure-portal
4 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-create-azure-portal
5 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-users-profile-azure-portal

Azure Roles
Role-Based Access Control
Managing access to resources in Azure is a critical part of an organization’s security and compliance
requirements. Role-based access control (RBAC) is the capability within Azure that lets you grant a very
granular level of access based on an administrator’s assigned tasks. This ensures an Administrator can do
exactly the task they need to do; no more, no less.
Role assignments
RBAC is configured by selecting a role (the definition of what actions are allowed and/or denied), then
associating the role with a security principal (user, group, or service). Finally, this combination of role and
security principal is scoped to a subscription, a resource group, or a specific resource.

✔️ Notice that access is inherited from subscriptions, to resource groups, and then to resources.
Using the Portal to implement RBAC
You can use the Azure Portal to make your role assignments. In this example, the ContosoBlueAD resource group shows on the Access Control (IAM) blade the current roles and scopes. You can add or remove roles as you need. You can add synced users and groups to Azure roles, which enables organizations to centralize the granting of access.

For more information, you can see:


Get started with access management in the Azure portal: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is

Built-in Roles
Azure AD provides many built-in roles6 to cover the most common security scenarios. To understand
how the roles work we will examine three roles that apply to all resource types:
●● Owner has full access to all resources including the right to delegate access to others.
●● Contributor can create and manage all types of Azure resources but can’t grant access to others.
●● Reader can view existing Azure resources.
Role definitions
Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (read access, etc.) for the role.
For the Owner role that means all (*) actions, no denied actions, and all (/) scopes. This information is
available with the Get-AzureRmRoleDefinition cmdlet.
[Screenshot: results of Get-AzureRmRoleDefinition -Name Owner, with the Actions and NotActions values highlighted.]
✔️ Take a minute to open the Azure Portal, open the Subscriptions or Resource Group blade, and click
Access Control (IAM). Click Add and take a few minutes to review the built-in roles and see which role
you would be most interested in using.
For more information, you can see:
Built-in roles in Azure - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Get-AzureRmRoleDefinition - https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermroledefinition?view=azurermps-5.3.0

Role Definitions
Actions and NotActions
The Actions and NotActions properties can be tailored to grant and deny the exact permissions you
need. Review this table to see how Owner, Contributor, and Reader are defined.

| Built-in Role | Actions | NotActions |
|---|---|---|
| Owner (allow all actions) | * | |
| Contributor (allow all actions except writing or deleting role assignments) | * | Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action |
| Reader (allow all read actions) | */read | |
AssignableScopes
Defining the Actions and NotActions properties is not enough to fully implement a role. You must also
properly scope your role.

6 https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#roles-in-azure

The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or
resources) within which the custom role is available for assignment. You can make the custom role
available for assignment in only the subscriptions or resource groups that require it, and not clutter user
experience for the rest of the subscriptions or resource groups.
●● /subscriptions/[subscription id]
●● /subscriptions/[subscription id]/resourceGroups/[resource group name]
●● /subscriptions/[subscription id]/resourceGroups/[resource group name]/[resource]
Example 1
Make a role available for assignment in two subscriptions.
```
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
"/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"
```
Example 2
Makes a role available for assignment only in the Network resource group.
```
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network"
```
✔️ Take a minute to open the Azure Portal and use the Access Control blade to add a role and then
assign it to a user. Can you see how for your organization which role assignments you would need?
For more information, you can see:
Custom roles access control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles#custom-roles-access-control

Azure PowerShell and CLI


When you have large numbers of role assignments, you may prefer to use Azure PowerShell or the CLI.
```powershell
# Role assignment properties
$roleName = "Contributor"
$assigneeName = "josh@microsoft.com"
$resourceGroupName = "contosoblue"
```

Azure PowerShell
```powershell
New-AzureRmRoleAssignment -RoleDefinitionName $roleName -SignInName $assigneeName -ResourceGroupName $resourceGroupName
```

CLI
```bash
az role assignment create --role $roleName --assignee $assigneeName --resource-group $resourceGroupName
```

✔️ If you have created a custom JSON role definition file you can use PowerShell or the CLI to create a new custom role definition. In the following examples the sysops.json file has the custom definition.
```powershell
# PowerShell
New-AzureRmRoleDefinition -InputFile .\sysops.json
```
```bash
# CLI
az role definition create --role-definition "./sysops.json"
```
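Building on the Actions, NotActions and AssignableScopes properties from the previous topic and the assignment cmdlets above, here is an added example (not the handbook's sysops.json or its scripts) that creates a custom role from PowerShell objects instead of a hand-written JSON file, assigns it, and verifies the result. It assumes the AzureRM cmdlets the handbook uses, a Login-AzureRmAccount session as an Owner of the subscription, the subscription ID and Network resource group from the AssignableScopes examples above, and a placeholder user sysops@contoso.com.

```powershell
# Added example (not from the handbook): custom role scoped to one resource group, then assigned.
# Assumes Login-AzureRmAccount has been run as Owner of the subscription.
$subscriptionId = "c276fc76-9cd4-44c9-99a7-4fd71546436e"      # from the AssignableScopes examples
$scope          = "/subscriptions/$subscriptionId/resourceGroups/Network"
$assignee       = "sysops@contoso.com"                          # placeholder user

# Start from the built-in Reader definition and adjust it rather than writing JSON by hand.
$role = Get-AzureRmRoleDefinition -Name "Reader"
$role.Id = $null                      # a null Id makes New-AzureRmRoleDefinition create, not update
$role.IsCustom = $true
$role.Name = "Network SysOps"
$role.Description = "Read everything in the Network RG and restart or deallocate VMs; no role assignments."

# Actions: Reader already grants */read; add only the two VM operations that are needed.
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")

# NotActions: keep the role-assignment operations closed even if Actions is widened later.
$role.NotActions.Add("Microsoft.Authorization/*/Write")
$role.NotActions.Add("Microsoft.Authorization/*/Delete")

# AssignableScopes: the role is offered for assignment only inside the Network resource group.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

$custom = New-AzureRmRoleDefinition -Role $role

# Assign at the same scope, so the principal gets nothing outside the resource group.
New-AzureRmRoleAssignment -RoleDefinitionName $custom.Name -SignInName $assignee -Scope $scope

# Verify: what can this principal do, and where? This is the starting point for any least-privilege review.
Get-AzureRmRoleAssignment -SignInName $assignee -Scope $scope |
    Select-Object RoleDefinitionName, Scope, ObjectType
```

The JSON produced by this object is the same shape as the sysops.json file the text refers to; inspecting $custom after creation shows the Actions, NotActions and AssignableScopes exactly as the previous topic describes them.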

Video: Role-Based Access Control

Demonstration: Role-Based Access Control

Additional Practice - Role-based Access Control (RBAC)
Role-based access control (RBAC) is the way that you manage access to resources in Azure. In this Quickstart, you grant a user access to create and manage virtual machines in a resource group. Take a few minutes to work through the Grant access for a user using RBAC and the Azure portal7. This Quickstart steps through the basics of:
●● Creating a resource group in the Azure portal.
●● Assigning a user to a role.
●● Removing the created role assignment.
Using PowerShell
Next, try the following tutorial8 to grant a user access to view all resources in a subscription and manage
everything in a resource group using Azure PowerShell. In this tutorial you will:
●● Create a user
●● Create a resource group
●● Use the Get-AzureRmRoleAssignment command to list the role assignments
●● Use the Remove-AzureRmResourceGroup command to remove access
For more information, you can see:
What is role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

7 https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
8 https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell

Managing Devices
Device Management
Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere.
The proliferation of devices - including Bring Your Own Device (BYOD) – empowers end users to be
productive wherever and whenever. But, IT administrators must ensure corporate assets are protected
and that devices meet standards for security and compliance.
To get a device under the control of Azure AD, you have two options:
●● Registering a device to Azure AD enables you to manage a device’s identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
●● Joining a device is an extension to registering a device. This means, it provides you with all the
benefits of registering a device and in addition to this, it also changes the local state of a device.
Changing the local state enables your users to sign-in to a device using an organizational work or
school account instead of a personal account.
✔️ Registration combined with a mobile device management (MDM) solution such as Microsoft Intune,
provides additional device attributes in Azure AD. This allows you to create conditional access rules that
enforce access from devices to meet your standards for security and compliance.
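One practical use of the device identity described above is to disable registered devices that have gone quiet, so a lost or abandoned device can no longer satisfy a device-based conditional access rule. This is an added example, not handbook code; it assumes the AzureAD module, a Connect-AzureAD session with device administration rights, and a constructed 90-day inactivity threshold.

```powershell
# Added example (not from the handbook): find devices with no recent sign-in and disable them.
# Assumes Connect-AzureAD has been run as a Global Administrator or Cloud Device Administrator.
$staleAfterDays = 90                                   # constructed policy value
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$devices = Get-AzureADDevice -All $true

# ApproximateLastLogonTimeStamp is empty for devices that never signed in after registration.
$stale = $devices | Where-Object {
    $_.AccountEnabled -and
    ($null -eq $_.ApproximateLastLogonTimeStamp -or $_.ApproximateLastLogonTimeStamp -lt $cutoff)
}

# Review before acting. DeviceTrustType shows Workplace (registered), AzureAd (joined) or
# ServerAd (hybrid joined), which is the same distinction the rest of this lesson draws.
$stale | Select-Object DisplayName, DeviceOSType, DeviceTrustType, ApproximateLastLogonTimeStamp |
    Sort-Object ApproximateLastLogonTimeStamp | Format-Table -AutoSize

# Disable rather than delete: the object and its audit trail remain, the device can no longer
# authenticate, and it can be re-enabled with -AccountEnabled $true if an owner turns up.
foreach ($d in $stale) {
    Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false
}
```

Run the review step on its own first; a device that is hybrid joined and simply off the network for a long period looks identical to an abandoned one in this data.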
For more information, you can see:
Introduction to device management - https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction
Azure registered devices - https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-registered-devices

Azure Joined Devices

AD Join is designed to provide access to organizational apps and resources and to simplify Windows deployments of work-owned devices. AD Join has these benefits.
●● Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users don’t see additional authentication prompts when accessing work resources. The SSO functionality is available even when users are not connected to the domain network.
●● Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect to
a Microsoft account (for example, Hotmail) to see settings across devices.

●● Access to Windows Store for Business using an Azure AD account. Your users can choose from an
inventory of applications pre-selected by the organization.
●● Windows Hello support for secure and convenient access to work resources.
●● Restriction of access to apps from only devices that meet compliance policy.
●● Seamless access to on-premises resources when the device has line of sight to the on-premises domain controller.
✔️ Although AD Join is intended for organizations that do not have on-premises Windows Server Active Directory infrastructure, it can be used for other scenarios like branch offices. Read more at the reference link.
For more information, you can see:
Azure AD joined devices – https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-joined-devices

Hybrid AD Joined Devices

If your environment has an on-premises AD footprint and you also want to benefit from the capabilities
provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are
devices that are joined both to your on-premises Active Directory and your Azure Active Directory.
Joining devices to both directories allows:
●● IT departments to manage work-owned devices from a central location.
●● Users to sign in to their devices with their Active Directory work or school accounts.
Here is a comparison of Registered, AD Joined, and Hybrid AD Joined devices.

| | Registered Devices | Azure AD Joined Devices | Hybrid AD Joined Devices |
|---|---|---|---|
| Device Type | Personal | Organization owned | Organization owned |
| Registration | Manual | Manual | Automatic |
| Operating System | Windows 10 | Windows 10 | Windows 7, 8, and 10 |
✔️ Are you understanding the different types of joined devices? Which do you think your organization
needs?
For more information, you can see:
Hybrid Azure AD joined devices - https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#hybrid-azure-ad-joined-devices

Additional Practice - Managing Devices (Portal)


Take some time to work through the Managing devices using the Azure portal9 documentation. In this
tutorial you will see how to:
●● Use the Azure portal to access the Devices blade.
●● Configure device settings.
●● Locate devices.
●● Perform device management tasks, such as Delete and Disable.
●● Review the device audit logs.
✔️ Pay attention to the device registration choices and ensure you understand the different scenarios:
●● Users may join devices to Azure AD. Select the users who can join devices to Azure AD.
●● Additional local administrators on Azure AD joined devices. Select the users that are granted local
administrator rights on a device.
●● Users may register their devices with Azure AD – Allow Azure AD joined or hybrid Azure AD joined
to register with Azure AD.
●● Require Multi-Factor Auth to join devices – Require a second authentication factor to join a device
to Azure AD.
●● Maximum number of devices - Select the maximum number of devices that a user can have in Azure
AD.
●● Users may sync settings and app data across devices - Allow user’s settings and app data to sync
across their Windows 10 devices.
For more information, you can see:
Usage scenarios and deployment considerations for Azure AD Join - https://docs.microsoft.com/en-us/
azure/active-directory/devices/azureadjoin-plan

9 https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal

Module 2 Review Questions
Custom Domain Names
You sign up for Microsoft Cloud Services by subscribing to Exchange Online. Your organization is assigned the initial tenant name myorg.onmicrosoft.com. Your domain administrator wants to assign a custom domain name of myorg.com.

Which Azure AD role can manage domain tasks? What is the process of adding a custom domain name?

Suggested answer:
Only a global administrator can perform domain management tasks in Azure AD.
When an administrator adds a custom domain name to an Azure AD, it is initially in an unverified state.
Azure AD will not allow any directory resources to use an unverified domain name. This ensures that only
one directory can use a domain name, and the organization using the domain name owns that domain
name.
Azure AD verifies ownership of a domain name by looking for an entry in the domain name service (DNS)
zone file for the domain name. To verify ownership of a domain name, an admin gets the DNS entry from
Azure AD that Azure AD will look for and adds that entry to the DNS zone file for the domain name. The
DNS zone file is maintained by the domain name registrar for that domain. Adding a DNS entry to the
zone file for the domain name does not affect other domain services such as email or web hosting.
Multiple Tenants
Your organization (Company A) merges with another company (Company B). Both companies use Office
365 Exchange Online as well as Azure AD. Company A uses Azure AD Premium P1, while Company B uses
Azure AD Free. Both organizations plan to retain existing domain names and administrative staff.

What is an Azure tenant? Why would you have multiple tenants? How would you implement this multi-tenant merger?

Suggested answer:
A tenant is simply a dedicated instance of Azure AD that your organization receives and owns when it
signs up for a Microsoft cloud service such as Azure or Office 365.

You can have multiple tenants within your organization. Each tenant can have a different purpose and fulfill a different scenario. For example, you might have a tenant for Testing, Office365, and Production. Other reasons for multiple tenants are: isolation, using different resources, and having different administration roles.

The basic steps for merging the two tenants are to use the existing directory, use an admin account for
the directory, and then have the admin associate the directory with one of the subscriptions. This brings
both tenants under the same subscription, while allowing for separate management.

AD Users
You manage users for your organization's Azure AD. You need to add several thousand users to Azure AD.

Which methods can you use to add users to Azure AD? Which of these are suitable for adding a large
number of users? What format should you use for a user-import file?

Suggested answer:
You can add new users through the Azure Portal. In addition to Name and User name, there is profile
information like Job Title and Department.
You can use the PowerShell New-AzureADUser command to add cloud-based users. You can also create a
CSV file from an existing application and use that.
Users can also be added to Azure AD through Office 365 Admin Center, Microsoft Intune admin console,
and the CLI.
As the question discusses a large number of users, Azure PowerShell or Azure CLI is the correct methodology to use.
Module 3 Implementing and Managing Hybrid
Identities

Azure Active Directory Integration Options


Azure AD Connect
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you
to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with
Azure AD.

Sync Services. This component is responsible for creating users, groups, and other objects. It is also
responsible for making sure identity information for your on-premises users and groups matches what’s
in the cloud.

Health Monitoring. Azure AD Connect Health can provide robust monitoring and provide a central
location in the Azure portal to view this activity.
Active Directory Federation Services (AD FS). Federation is an optional part of Azure AD Connect and
can be used to configure a hybrid environment using an on-premises AD FS infrastructure. Organizations
can use this to address complex deployments, such as domain join SSO, enforcement of AD sign-in
policy, and smart card or 3rd party MFA.
For more information, you can see:
Integrate your on-premises directories with Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

Password Synchronization
The probability that you're blocked from getting your work done due to a forgotten password is related
to the number of different passwords you need to remember. The more passwords you need to remember, the higher the probability to forget one. Questions and calls about password resets and other
password-related issues demand the most helpdesk resources.

Password hash synchronization is a feature used to synchronize user passwords from an on-premises Active Directory instance to a cloud-based Azure AD instance. Use this feature to sign in to Azure AD services like Office 365, Microsoft Intune, CRM Online, and Azure Active Directory Domain Services (Azure AD DS). You sign in to the service by using the same password you use to sign in to your on-premises Active Directory instance, which reduces the number of passwords your users need to maintain to just one.
Password synchronization helps you to:
●● Improve the productivity of your users.
●● Reduce your helpdesk costs.
For more information, you can see:
What is password synchronization - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs

Video: Choose an Azure AD Authentication Method

Video: Azure AD Seamless Sign-On

Sign-On Methods
AD Connect provides several sign-on methods: Password Synchronization, Pass-through authentication, and Federation with AD FS. These methods are used to synchronize user accounts and, optionally, passwords from an on-premises Active Directory instance to a cloud-based Azure AD instance. Synchronization helps you to improve the productivity of your users and reduce your helpdesk costs.

Password Synchronization. This option can be used to synchronize an encrypted version of the password hash for user accounts. This ensures a user signing on to Azure uses the same password as the on-premises domain. This is sometimes referred to as password hash synchronization.
For more information, you can see:
How password synchronization works - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#how-password-hash-synchronization-works
Pass-through authentication (PTA). With this option the username and password are authenticated by
the on-premises domain controllers. This is one of the newest authentication methods. A highly available internet connection is strongly recommended, because sign-in depends on the on-premises agents being reachable.
For more information, you can see:
User sign-in with Azure Active Directory Pass-through Authentication - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
Federation with AD FS. AD FS is the Microsoft implementation of an identity federation solution that
uses claims-based authentication. When AD FS has been configured, AD FS performs the validation
through the on-premises AD DS environment. Azure AD Connect, discussed later in this module, can
automate much of the AD FS configuration when integrating with Azure.
✔️ If you are interested in the details of these authentication methods, check out the following deep dive
video:
Deep-dive: Azure Active Directory Authentication and Single-Sign-On (video) - https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3015?term=Azure%20AD%20Pass-through%20Authentication%20and%20Seamless%20Single%20Sign-on

Video: Pass-through Authentication

Video: Azure AD DS Integration Options



Demonstration: Azure AD Connect


Azure AD Connect
In this demonstration Corey shows how to use the Azure AD Connect Express Settings1. The Express settings are used when you have a single-forest topology and password synchronization2 for authentication.
Azure AD Connect Custom settings3 is used when you want more options for the installation. For
example, you can specify the sign-on method, directory and forest information, and domains or OUs you
do not want to synchronize to Azure AD. Be sure to take a few minutes to review the custom settings so
you can really appreciate the power of AD Connect.

Additional Practice - Azure AD Pass-through Authentication
As you have time, work through the Quickstart: Azure Active Directory Pass-through Authentication4.
This Quickstart steps through the basics of:
●● Verifying prerequisites. You will need a server running Windows Server 2012 R2 or later to run Azure
AD Connect.
●● Enabling Pass-through authentication through Azure AD Connect.
●● Testing that Pass-through authentication works correctly
●● Ensuring high availability.
✔️ Important. If you use this feature through a preview version, ensure that you upgrade the preview
versions of the Authentication Agents by using the instructions provided in Azure Active Directory
Pass-through Authentication: Upgrade preview Authentication Agents5.
For more information, you can see:
User sign-in with Azure Active Directory Pass-through Authentication - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

Azure AD Connect Health


When you integrate your on-premises directories with Azure AD, your users are more productive because there's a common identity to access both cloud and on-premises resources. However, this integration creates the challenge of ensuring that this environment is healthy so that users can reliably access resources both on premises and in the cloud from any device.

1 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express
2 https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
3 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom
4 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication-quick-start
5 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication-upgrade-preview-authentication-agents
Azure AD Connect Health helps you:
●● Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.
●● Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and Azure AD.
●● Monitor and gain insights into your on-premises identity infrastructure that is used to access Office 365 or other Azure AD applications.
With Azure AD Connect Health, the key data you need is easily accessible. You can view and act on alerts, set up email notifications for critical alerts, and view performance data.

✔️ AD Connect Health works by installing an agent on each of your on-premises sync servers.
For more information, you can see:
Monitor your on-premises identity infrastructure and synchronization services in the cloud - https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health

Video: Monitoring Synchronization using Azure AD Health


Azure AD Application Proxy


Video: Application Proxy Overview

What is Azure Active Directory Application Proxy


Users today need to be able to remotely access modern web applications hosted on-premises. They
expect a single sign-on (SSO) and secure remote access experience. Azure AD Application Proxy is a
feature of Azure Active Directory that provides remote access as a service, making it easy to deploy, use,
and manage.

Typical apps that are published on-premises include SharePoint sites, Outlook Web Access, or any other
LOB web applications your organization has. These on-premises web applications are integrated with
Azure AD, the same identity and control platform that is used by O365. End users can access your
on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD.
You don't need to change the network infrastructure or require VPN to provide this solution for your
users.
For more information about the benefits of Azure AD Application Proxy, see: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started

Requirements for Application Proxy


As discussed in the previous topic, you do not need to change your existing network infrastructure or require VPN to implement Application Proxy for your on-premises users. However, there are some requirements that should be noted.
●● Application Proxy connector must be installed in the datacenter. One connector is required but two connectors are recommended for greater resiliency.
●● Port 80 and port 443 are used for outbound connectivity. Note that no open inbound ports are required.
●● An Azure subscription with Azure AD.
●● One Global admin role.
●● Windows Server 2012 R2 or higher on the on-premises connector.
For more information about Application Proxy Connectors, see: https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-understand-connectors

How Does Application Proxy Work


To make Application Proxy work, you must configure two components: a connector and an external
endpoint.
The connector is a lightweight agent that sits on a Windows Server inside your network. The connector
facilitates the traffic flow from the Application Proxy service in the cloud to your application on-premises.
It only uses outbound connections, so you don't have to open any inbound ports or put anything in the
DMZ. The connectors are stateless and pull information from the cloud, as necessary.
Your users reach your applications while outside of your network via the external endpoint. They can
either go directly to an external URL that you determine, or they can access the application through the
MyApps portal. When users go to one of these endpoints, they authenticate in Azure AD and then are
routed through the connector to the on-premises application.

Authentication Process
1. The user accesses the application through the Application Proxy service and is directed to the Azure
AD sign-in page to authenticate.
2. After a successful sign-in, a token is generated and sent to the client device.
3. The client sends the token to the Application Proxy service, which retrieves the user principal name
(UPN) and security principal name (SPN) from the token, then directs the request to the Application
Proxy connector.
4. If you have configured single sign-on, the connector performs any additional authentication required
on behalf of the user.
5. The connector sends the request to the on-premises application.
6. The response is sent through Application Proxy service and connector to the user.
In the next demonstration, Corey walks through the process of configuring Application Proxy with Azure AD.

Demonstration: Azure AD Application Proxy

Additional Practice - Azure AD Application Proxy


If you want to try using Azure AD Application Proxy services for yourself, you will need to do some setup first. To publish an on-premises application that can be accessed over the internet using Application Proxy, there are some prerequisites to be met:
●● A Microsoft Azure AD basic or premium subscription and an Azure AD directory for which you are a global administrator.
●● A server running Windows Server 2012 R2 or 2016, on which you can install the Application Proxy Connector.
In this practice, you will first:
●● Prepare your environment [6] for Azure AD Application Proxy by opening your firewall for the Connector to make HTTPS (TCP) requests.
●● Install and register a connector [7]. Test the connector.
You're now ready to use Application Proxy services. You will now:
●● Publish an on-premises app for remote access [8].
●● Add a test account [9] and sign in to the published app.
For more information, you can see:
How to provide secure remote access to on-premises applications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started

6 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-enable#open-your-ports
7 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-enable#install-and-register-a-connector
8 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#publish-an-on-premises-app-for-remote-access
9 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#add-a-test-user
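The publish and test-account steps of this practice, and the pre-authentication that starts the sign-in flow described under "How Does Application Proxy Work", can also be done from PowerShell with the AzureAD module. The script below is an added example, not part of this handbook or of Microsoft's documentation; the display name, the external and internal URLs, and the test account are constructed placeholders.

```powershell
# Added example (not from the handbook): publish an on-premises app through
# Azure AD Application Proxy with Azure AD pre-authentication, then assign a
# test user. Requires the AzureAD module and a Global Administrator sign-in.
# The display name, URLs and test account below are constructed placeholders.
Connect-AzureAD

# 1. Confirm that a connector is registered and active before publishing.
#    The connector only makes outbound connections, so nothing inbound is opened.
$connectors = @(Get-AzureADApplicationProxyConnector)
$active = @($connectors | Where-Object { $_.Status -eq 'active' })
if ($active.Count -lt 1) { throw 'No active Application Proxy connector found.' }
if ($active.Count -lt 2) {
    Write-Warning 'Only one active connector; two are recommended for resiliency.'
}

# 2. Publish the app. AadPreAuthentication means step 1 of the authentication
#    process applies: users must sign in to Azure AD before any request is
#    forwarded to the connector. Passthru would skip that check.
$displayName = 'HR Portal (example)'
New-AzureADApplicationProxyApplication `
    -DisplayName $displayName `
    -ExternalUrl 'https://hrportal-contoso.msappproxy.net/' `
    -InternalUrl 'http://hrportal.corp.contoso.local/' `
    -ExternalAuthenticationType AadPreAuthentication | Out-Null

# 3. Require an assignment so that only assigned users pass Azure AD
#    pre-authentication, then assign the test account (default access role).
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$displayName'"
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
$user = Get-AzureADUser -ObjectId 'testuser@contoso.onmicrosoft.com'
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# 4. Read back the published settings to verify pre-authentication is in effect.
$appObj = Get-AzureADApplication -Filter "displayName eq '$displayName'"
Get-AzureADApplicationProxyApplication -ObjectId $appObj.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```

After the script runs, signing in to the external URL with the test account should show the Azure AD sign-in page first, and an unassigned account should be refused there rather than reaching the on-premises server.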

Module 3 Review Questions


AD Join
Your organization plans to allow employees to use their own devices (BYOD) to access company resources. The company plans to require that all BYOD machines are joined to Azure AD. You plan to use AD Join.
What are the benefits of AD Join?

Click for suggested answer ↓ 


●● Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users don't see additional authentication prompts when accessing work resources. The SSO functionality is available even when users are not connected to the domain network.
●● Enterprise compliant roaming of user settings across joined devices. Users don't need to connect to a Microsoft account (for example, Hotmail) to see settings across devices.
●● Access to Windows Store for Business using an Azure AD account. Your users can choose from an inventory of applications pre-selected by the organization.
●● Windows Hello support for secure and convenient access to work resources.
●● Restriction of access to apps from only devices that meet compliance policy.
●● Seamless access to on-premises resources when the device has line of sight to the on-premises domain controller.
Azure AD
Your organization provides employees with a human resources (HR) portal on a web server hosted on-premises. The organization deploys Azure AD and Exchange Online. The HR portal can only be accessed from the internal network. Employees frequently ask to be able to access the portal from home or other remote locations.
What Azure AD functionality can be used to give users access to the HR portal? What other functionality will the solution provide?

Click for suggested answer ↓ 


Azure AD Application Proxy is a feature of Azure Active Directory that provides remote access as a
service, making it easy to deploy, use, and manage.
Typical apps that are published on-premises include SharePoint sites, Outlook Web Access, or any other
LOB web applications your organization has. These on-premises web applications are integrated with
Azure AD, the same identity and control platform that is used by O365. End users can access your
on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD.
You don't need to change the network infrastructure or require VPN to provide this solution for your
users.
Azure AD
You deploy Azure AD, Exchange Online, and SharePoint Online to allow employees to work from remote locations. You need to ensure that applications, connectivity, and identity synchronization are working as expected.
What should you use, and how does the agent report status?

Click for suggested answer ↓ 


Azure AD Connect Health helps you:
●● Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.
●● Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and Azure AD.
●● Monitor and gain insights into your on-premises identity infrastructure that is used to access Office 365 or other Azure AD applications.
With Azure AD Connect Health, the key data you need is easily accessible. You can view and act on alerts, set up email notifications for critical alerts, and view performance data.
AD Connect Health works by installing an agent on each of your on-premises sync servers.
Module 4 Lab - Implement and Manage Hybrid Identities

Lab
Scenario
Adatum Corporation wants to integrate its Active Directory with Azure Active Directory.
Exercise 1
Deploy an Azure VM hosting an Active Directory domain controller.
Exercise 2
Create and configure an Azure Active Directory tenant.
Exercise 3
Synchronize Active Directory forest with an Azure Active Directory tenant.
Estimated Time: 120 minutes
✔️ If you are in a classroom, ask your instructor for the lab guide. If you are in a self-paced online course, check the Course Handouts page.