Az-100t05a-enu-trainerhandbook

  • Uploaded by: Adriano Jorge
  • February 2021

AZ-100T05 Manage Identities

MCT USE ONLY. STUDENT USE PROHIBITED

Microsoft Official Course


Contents

Module 0 Welcome ........................................................ 1
  Start Here ............................................................ 1

Module 1 Managing Azure Active Directory ................................ 5
  Azure Active Directory Overview ....................................... 5
  Self-Service Password Reset .......................................... 11
  Azure AD Identity Protection ......................................... 15
  Integrating SaaS Applications with Azure AD .......................... 20
  Module 1 Review Questions ............................................ 28

Module 2 Managing Azure Active Directory Objects ....................... 31
  Azure Domains and Tenants ............................................ 31
  Azure Users and Groups ............................................... 36
  Azure Roles .......................................................... 41
  Managing Devices ..................................................... 45
  Module 2 Review Questions ............................................ 48

Module 3 Implementing and Managing Hybrid Identities ................... 51
  Azure Active Directory Integration Options ........................... 51
  Azure AD Application Proxy ........................................... 57
  Module 3 Review Questions ............................................ 60

Module 4 Lab - Implement and Manage Hybrid Identities .................. 63
  Lab .................................................................. 63

Module 0 Welcome

Start Here

Azure Administrator Curriculum

This course is part of a series of courses to help you prepare for Microsoft's Azure Administrator certification tests. There are two exams:
●● AZ-100, Microsoft Azure Infrastructure and Deployment (https://www.microsoft.com/en-us/learning/exam-az-100.aspx), and
●● AZ-101, Microsoft Azure Integration and Security (https://www.microsoft.com/en-us/learning/exam-az-101.aspx).
Each exam measures your ability to accomplish certain technical tasks. For example, AZ-100 includes five study areas, as shown in the table. The percentages indicate the relative weight of each area on the exam. The higher the percentage, the more questions you are likely to see in that area.

AZ-100 Study Areas                          Weights
Manage Azure subscriptions and resources    15-20%
Implement and manage storage                20-25%
Deploy and manage virtual machines          20-25%
Configure and manage virtual networks       20-25%
Manage identities                           15-20%

✔️ This course will focus on preparing you for the Manage Identities area of the AZ-100 certification exam.

About This Course

Course Description

This course teaches IT Professionals how to use Azure Active Directory (AD) to provide employees and customers with a multi-tenant cloud-based directory and identity management system. Students will learn the differences between Azure AD and Active Directory Domain Services (AD DS), as well as the differences in functionality offered by the different editions of Azure AD. Students also learn how to configure self-service password reset, or to use the option of password writeback to reset user passwords regardless of their location. Students are then introduced to Azure AD Identity Protection and learn how they can use it to protect their organizations from compromised accounts, identity attacks, and configuration issues. Students also learn how to integrate Azure AD with the many Software as a Service (SaaS) applications that are used, in order to secure user access to those applications. Next, the concepts of Azure domains and tenants, and users and groups, are explained, and students learn how to work with the various Azure AD objects. Students are introduced to Azure role-based access control to be able to provide more granular access based on the principle of least privilege: an administrator, or user, can do exactly the task they need to accomplish, no more and no less. Students also learn how to work with Azure AD joined devices and Hybrid Azure AD joined devices, enabling their users to be productive wherever and whenever, while ensuring that corporate assets are protected and that devices meet security and compliance standards. Students learn how to use Azure AD Connect to integrate their on-premises directories with Azure AD, providing a common identity for their users of Office 365, Azure, and SaaS applications integrated with Azure AD. Lastly, students also learn how to use Azure AD Application Proxy to provide their users with remote access to web applications that are published on-premises, such as SharePoint sites, Outlook Web Access, or any other line of business (LOB) applications the organization has.

Level: Intermediate

Audience

This course is for Azure Administrators. Azure Administrators manage the cloud services that span storage, networking, and compute cloud capabilities, with a deep understanding of each service across the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations on services to use for optimal performance and scale, as well as provision, size, monitor, and adjust as appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use the Azure Portal and, as they become more proficient, they use PowerShell and the Command Line Interface.

Prerequisites

Successful Azure Administrators start this role with experience in operating systems, virtualization, cloud infrastructure, storage structures, and networking.

Expected learning

●● Implement Azure Active Directory, Self-Service Password Reset, Azure AD Identity Protection, and integrated SaaS applications.
●● Configure domains and tenants, users and groups, roles, and devices.
●● Implement and manage Azure Active Directory integration options and Azure AD Application Proxy.

Syllabus

This course includes content that will help you prepare for the certification exam. Other content is included to ensure you have a complete picture of Azure identity. The course content includes a mix of videos, graphics, reference links, module review questions, and practice labs.

Module 1 – Managing Azure Active Directory

In this module, you will be introduced to Azure Active Directory. What is Azure Active Directory and how is it different from Active Directory Domain Services? What is Self-Service Password Reset and how is it configured? How can Azure AD Identity Protection improve your security posture? How do you integrate SaaS applications with Azure AD? Lessons include:
●● Azure Active Directory Overview
●● Self-Service Password Reset
●● Azure AD Identity Protection
●● Integrating SaaS Applications with Azure AD

Module 2 – Managing Azure Active Directory Objects

In this module, you will learn the basics of implementing Azure AD objects. These objects include domains and tenants, users and groups, roles, and devices. In each lesson you will practice how to configure these objects through the portal and with Azure PowerShell. The Azure roles lesson will be your introduction to role-based access control. Lessons include:
●● Azure Domains and Tenants
●● Azure Users and Groups
●● Azure Roles
●● Managing Devices
✔️ More complete coverage of Role-based Access Control is provided in the Securing Identities course.

Module 3 – Implementing and Managing Hybrid Identities

In this module, you will learn how to integrate Active Directory with your existing infrastructure. You will learn about different authentication options like AD Connect, Single Sign On, and Pass-through authentication. You will also learn how to configure Azure AD Application Proxy and how it is used. Lessons include:
●● Azure Active Directory Integration Options
●● Azure AD Application Proxy

Study Guide

The Configure and manage virtual networks objective of the AZ-100 exam consists of three main areas of study: Manage Azure Active Directory, Manage Azure AD objects, and Implement and manage hybrid identities. These tables show you what may be included in each test area and where it is covered in this course.
✔️ We recommend you use these tables as a checklist to ensure you are prepared in each area.
✔️ We recommend supplementing your study with a practice test (https://us.mindhub.com/az-100-microsoft-azure-infrastructure-deployment-microsoft-official-practice-test/p/MU-AZ-100). Also, hands-on practice is critical to understanding these concepts and passing the certification exams. There are several ways to get an Azure subscription (https://azure.microsoft.com/en-us/offers/ms-azr-0044p/).

Manage Azure Active Directory

Testing May Include                         Course Content
Add custom domains                          Module 2 - Azure Domains and Tenants
Configure Azure AD Identity Protection      Module 1 - Azure AD Identity Protection
Configure Azure AD Join                     Module 2 - Managing Devices
Configure self-service password reset       Module 1 - Self-Service Password Reset
Implement conditional access policies       Module 1 - Integrating SaaS Applications with Azure AD
Manage multiple directories                 Module 2 - Azure Domains and Tenants
Perform access review                       Module 1 - Azure Active Directory Overview

Manage Azure AD objects (users, groups, and devices)

Testing May Include                         Course Content
Create users and groups                     Module 2 - Azure Users and Groups
Manage user and group properties            Module 2 - Azure Users and Groups
Manage device settings                      Module 2 - Managing Devices
Perform bulk user updates                   Module 2 - Azure Users and Groups

Implement and manage hybrid identities

Testing May Include                         Course Content
Install and configure Azure AD Connect      Module 3 - Azure Active Directory Integration Options
Configure federation                        Module 3 - Azure Active Directory Integration Options
Configure single sign-on                    Module 3 - Azure Active Directory Integration Options
Manage and troubleshoot Azure AD Connect    Module 3 - Azure Active Directory Integration Options
Troubleshoot password sync and writeback    Module 1 - Self-Service Password Reset; Module 3 - Azure Active Directory Integration Options

Module 1 Managing Azure Active Directory

Azure Active Directory Overview

Video: Course Introduction

Azure Active Directory for Both IT Admins and Developers

Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud-based directory and identity management service. For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS applications like Office 365, Salesforce.com, DropBox, and Concur. For application developers, Azure AD lets you focus on building your application by making it fast and simple to integrate with a world class identity management solution used by millions of organizations around the world.

Identity management capabilities and integration

Azure AD also includes a full suite of identity management capabilities, including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing and security monitoring, and alerting. These capabilities can help secure cloud-based applications, streamline IT processes, cut costs, and help assure corporate compliance goals are met. Additionally, Azure AD can be integrated with an existing Windows Server Active Directory, giving organizations the ability to leverage their existing on-premises identity investments to manage access to cloud based SaaS applications.
✔️ If you are an Office 365, Azure, or Dynamics CRM Online customer, you might not realize that you are already using Azure AD. Every Office 365, Azure, and Dynamics CRM tenant is already an Azure AD tenant. Whenever you want, you can start using that tenant to manage access to the thousands of other cloud applications Azure AD integrates with.
For more information, you can see: What is Azure Active Directory? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

Azure Active Directory Benefits

Azure AD has many benefits:
●● Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single sign-on to cloud and on-premises applications, including Microsoft Office 365 and thousands of SaaS applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box.
●● Works with iOS, Mac OS X, Android, and Windows devices. Users can launch applications from a personalized web-based access panel, mobile app, Office 365, or custom company portals using their existing work credentials, and have the same experience whether they're working on iOS, Mac OS X, Android, or Windows devices.
●● Protect on-premises web applications with secure remote access. Access your on-premises web applications from everywhere and protect them with multi-factor authentication, conditional access policies, and group-based access management. Users can access SaaS and on-premises web apps from the same portal.
●● Easily extend Active Directory to the cloud. Connect Active Directory and other on-premises directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups, passwords, and devices across both environments.
●● Protect sensitive data and applications. Enhance application access security with unique identity protection capabilities that provide a consolidated view into suspicious sign-in activities and potential vulnerabilities. Take advantage of advanced security reports, notifications, remediation recommendations, and risk-based policies to protect your business from current and future threats.
●● Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as resetting passwords and the creation and management of groups to your employees. Providing self-service application access and password management through verification steps can reduce helpdesk calls and enhance security.
✔️ What reasons do you have for considering Azure Active Directory?
For more information, you can see: The power of common identity across any cloud - https://myignite.microsoft.com/videos/54694

Active Directory Domain Services (AD DS)

AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual server. Although AD DS is commonly considered to be primarily a directory service, it is only one component of the Windows Active Directory suite of technologies, which also includes Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Services (AD RMS). Although you can deploy and manage AD DS in Azure virtual machines, it's recommended you use Azure AD instead, unless you are targeting IaaS workloads that depend on AD DS specifically.

Azure AD is different from AD DS

Although Azure AD has many similarities to AD DS, there are also many differences. It is important to realize that using Azure AD is different from deploying an Active Directory domain controller on an Azure virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD that make it different.
●● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications.
●● REST API querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD exposes a REST API over HTTP and HTTPS.
●● Communication protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
●● Federation services. Azure AD includes federation services and can federate with many third-party identity providers (such as Facebook).
●● Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).
✔️ Azure AD is a managed service. You only manage the users, groups, and policies. Deploying AD DS with virtual machines in Azure means that you manage the deployment, configuration, virtual machines, patching, and other backend tasks. Do you see the difference?

Video: Azure Active Directory Overview

Azure Active Directory Editions

Azure Active Directory comes in four editions: Free, Basic, Premium P1, and Premium P2. The Free edition is included with an Azure subscription. The Azure Active Directory Basic, Premium P1, and Premium P2 editions are built on top of your existing free directory, providing enterprise class capabilities spanning self-service, enhanced monitoring, security reporting, Multi-Factor Authentication (MFA), and secure access for your mobile workforce.

The Azure Active Directory Pricing page (https://azure.microsoft.com/en-us/pricing/details/active-directory/?wt.mc_id=DXLEX_EDX_AZURE204X) has detailed information on what is included in each of the editions.
●● Azure Active Directory Free – Designed to introduce system administrators to Azure Active Directory. This version includes common features such as directory objects, user/group management, single sign-on, self-service password change, on-premises connect, and security/usage reports.
●● Azure Active Directory Basic – Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions. With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.
●● Azure Active Directory Premium P1 – Designed to empower organizations with more demanding identity and access management needs, the Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information workers and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), and security in the cloud.
●● Azure Active Directory Premium P2 – Azure Active Directory Premium P2 includes every feature of all other Azure Active Directory editions, enhanced with advanced identity protection and privileged identity management capabilities.
✔️ Did you look through the pricing list to determine which features your organization needs?

Choosing Between Azure AD and Azure AD DS

One of the main differences between Azure AD and Azure AD DS is the way devices are registered and joined. Azure AD Domain Services provides a managed AD domain in an Azure virtual network. You can join machines to this managed domain using traditional domain-join mechanisms. Azure AD also enables you to manage the identity of devices used by your organization and control access to corporate resources from these devices. Azure AD joined devices give you the following benefits:
●● Single sign-on (SSO) to applications secured by Azure AD.
●● Enterprise policy-compliant roaming of user settings across devices.
●● Access to the Windows Store for Business using your corporate credentials.
●● Windows Hello for Business.
●● Restricted access to apps and resources from devices compliant with corporate policy.

Aspect                            Azure AD                                              Azure AD Domain Services
Device controlled by              Azure AD                                              Azure AD Domain Services managed domain
Representation in the directory   Device objects in the Azure AD directory              Computer objects in the AAD-DS managed domain
Authentication                    OAuth/OpenID Connect based protocols                  Kerberos, NTLM protocols
Management                        Mobile Device Management (MDM) software like Intune   Group Policy
Networking                        Works over the internet                               Requires machines to be on the same virtual network as the managed domain
Great for ...                     End-user mobile or desktop devices                    Server virtual machines deployed in Azure

For more information, you can see: Choose between Azure Active Directory join and Azure Active Directory Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-compare-withazure-ad-join

Video: Azure Active Directory Editions

Self-Service Password Reset

Video: Self-Service Password Reset (SSPR)

Configuring Self-Service Password Reset

To configure self-service password reset, you first determine who will be enabled to use self-service password reset. From your existing Azure AD tenant, on the Azure Portal under Azure Active Directory select Password reset. In the Password reset properties there are three options: None, Selected, and All.

The Selected option is useful for creating specific groups who have self-service password reset enabled. The Azure documentation recommends creating a specific group for purposes of testing or proof of concept before deploying to a larger group within the Azure AD tenant. Once you are ready to deploy this functionality to all users with accounts in your AD Tenant, you can change the setting to All. Important! Azure Administrator accounts will always be able to reset their passwords no matter what this option is set to.

Authentication Methods for Password Reset

After enabling password reset for users and groups, you pick the number of authentication methods required to reset a password and the number of authentication methods available to users. At least one authentication method is required to reset a password, but it is a good idea to have additional methods available. You can choose from email notification, a text or code sent to the user's mobile or office phone, or a set of security questions. Regarding the security questions, these can be configured to require a certain number of questions to be registered by the users in your AD tenant. In addition, you must configure the number of correctly answered security questions that are required for a successful password reset. In the next demonstration, Corey walks through the process of self-service password reset.
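To make the relationships between these settings concrete, here is an added Python consistency check for an SSPR policy; it is not from the course or from Microsoft, and the SsprPolicy field names are this example's own rather than an Azure API. It encodes the constraints the lesson implies: at least one method must be available, a reset cannot require more methods than are offered, and users cannot be asked to answer more security questions than they were made to register.

```python
"""Consistency check for an Azure AD self-service password reset (SSPR) policy.

Added example, not from the course or from Microsoft: the SsprPolicy fields
mirror the portal settings the lesson describes (who is enabled, methods
required and available, security-question counts), but the names are this
example's own, not an Azure API.
"""
from dataclasses import dataclass, field

# Methods the lesson lists: email, a code to a mobile or office phone, security questions.
KNOWN_METHODS = {"email", "mobile_phone", "office_phone", "security_questions"}
SCOPES = ("None", "Selected", "All")


@dataclass
class SsprPolicy:
    scope: str                                   # "None", "Selected" or "All"
    groups: list = field(default_factory=list)   # groups enabled when scope is "Selected"
    methods_required: int = 1                    # methods a user must pass to reset (1 or 2)
    methods_available: set = field(default_factory=set)
    questions_to_register: int = 0               # only used with security_questions
    questions_to_reset: int = 0


def check_policy(p: SsprPolicy) -> list:
    """Return a list of findings; an empty list means the policy is consistent."""
    findings = []
    if p.scope not in SCOPES:
        findings.append(f"unknown scope {p.scope!r}; expected one of {SCOPES}")
    elif p.scope == "None":
        findings.append("SSPR is disabled for users (administrators can always reset)")
    elif p.scope == "Selected" and not p.groups:
        findings.append("scope is Selected but no group is assigned, so nobody is enabled")

    unknown = p.methods_available - KNOWN_METHODS
    if unknown:
        findings.append(f"unknown authentication methods: {sorted(unknown)}")
    if not p.methods_available:
        findings.append("at least one authentication method must be available")
    elif len(p.methods_available) == 1:
        findings.append("only one method is available; offer another so users can still "
                        "reset if that method is unavailable")
    if p.methods_required not in (1, 2):
        findings.append(f"methods required must be 1 or 2, not {p.methods_required}")
    if p.methods_required > len(p.methods_available):
        findings.append(f"methods required ({p.methods_required}) exceeds methods "
                        f"available ({len(p.methods_available)})")

    if "security_questions" in p.methods_available:
        if p.questions_to_register < 1 or p.questions_to_reset < 1:
            findings.append("security questions are enabled but register/reset counts are not set")
        elif p.questions_to_reset > p.questions_to_register:
            # Users can only answer questions they registered.
            findings.append(f"questions to reset ({p.questions_to_reset}) exceeds questions "
                            f"to register ({p.questions_to_register})")
    return findings


if __name__ == "__main__":
    # Constructed pilot policy following the lesson's advice: a test group first,
    # two methods required, more than two methods available.
    pilot = SsprPolicy(scope="Selected", groups=["SSPR-Pilot"], methods_required=2,
                       methods_available={"email", "mobile_phone", "security_questions"},
                       questions_to_register=5, questions_to_reset=3)
    for finding in check_policy(pilot) or ["policy is consistent"]:
        print(finding)
```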


Password Writeback

With password writeback, you can configure Azure Active Directory (Azure AD) to write passwords back to your on-premises Active Directory. Password writeback removes the need to set up and manage a complicated on-premises self-service password reset (SSPR) solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are. Password writeback is a component of Azure Active Directory Connect that can be enabled and used by current subscribers of Premium Azure Active Directory editions. It's recommended that you use the auto-update feature of Azure AD Connect.

The following steps assume you have already configured Azure AD Connect in your environment by using the Express (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express) or Custom (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom) settings.
1. To configure and enable password writeback, sign in to your Azure AD Connect server and start the Azure AD Connect configuration wizard.
2. On the Welcome page, select Configure.
3. On the Additional tasks page, select Customize synchronization options, and then select Next.
4. On the Connect to Azure AD page, enter a global administrator credential, and then select Next.
5. On the Connect directories and Domain/OU filtering pages, select Next.
6. On the Optional features page, select the box next to Password writeback and select Next.
7. On the Ready to configure page, select Configure and wait for the process to finish.
8. When you see the configuration finish, select Exit.
✔️ Use the link below to read about the password writeback features. Which of the features are you most interested in?
For more information, you can see: Password writeback overview - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

Demonstration: Configuring Self-Service Password Reset

Demonstration: Configuring Self-Service Group Creation

Configuring Self-Service Group Creation

Although not part of self-service password reset, self-service group creation is another feature in Azure Active Directory Premium that allows users to create and manage their own security groups or Office 365 groups in Azure Active Directory (Azure AD). For more information about setting up Azure Active Directory for self-service group management, see: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management


Additional Practice - Self-Service Password Reset (SSPR)

Access the Azure AD self-service password reset rapid deployment page (https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr). Take a minute to review the video and walk through the configuration steps. To finish your study, read the FAQ at the reference link.
✔️ Always test SSPR with a user rather than an administrator, because Microsoft enforces strong authentication requirements for Azure administrator accounts.
For more information, you can see: Password management frequently asked questions - https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

Azure AD Identity Protection

Video: Azure Identity Protection

Azure Identity Protection

Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to:
●● Detect potential vulnerabilities affecting your organization's identities.
●● Configure automated responses to detected suspicious actions that are related to your organization's identities.
●● Investigate suspicious incidents and take appropriate action to resolve them.

Azure Identity Protection

With Azure AD Identity Protection, you can protect your organization from compromised accounts, identity attacks, and configuration issues. Identity Protection provides a consolidated view of identity threats and vulnerabilities. You can receive detailed notifications of new identity risks, perform recommended remediation, and automate future response with Conditional Access policies. Using Azure AD Identity Protection, you can:
●● Get a consolidated view to examine suspicious user activities detected using Identity Protection machine learning algorithms with signals like brute force attacks, leaked credentials, and sign-ins from unfamiliar locations.
●● Improve the security posture of your organization by acting on a customized list of configuration vulnerabilities that could lead to an elevated risk of account compromise in your organization.
●● Set risk-based Conditional Access policies to automatically protect your users.


✔️ Take a minute to enable Azure AD Identity Protection (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-enable) and explore the different capabilities you saw in the previous video.
For more information, you can see: Azure Active Directory Identity Protection FAQ - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identity-protection-faqs

Vulnerabilities Detected

Vulnerabilities are weaknesses in your environment that can be exploited by an attacker. We recommend that you address these vulnerabilities to improve the security posture of your organization and prevent attackers from exploiting them. On the Vulnerabilities page, the Risk Level, Count, and Vulnerability description are shown.

Identity Protection can report several vulnerabilities. Here are two examples:
●● Users without multi-factor authentication registration. We recommend that you require Azure Multi-Factor Authentication for user sign-ins. Multi-factor authentication plays a key role in the risk-based conditional access policies available through Identity Protection.
●● Unmanaged apps discovered in the last 7 days. In modern enterprises, IT departments are often unaware of all the cloud applications that users in their organization are using to do their work. We recommend deploying Cloud App Discovery to discover unmanaged cloud applications, and to manage these applications using Azure Active Directory.
For more information, you can see:
Vulnerabilities detected by Azure Active Directory Identity Protection - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-vulnerabilities
What is Azure Multi-Factor Authentication? - https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication
Set up Cloud App Discovery in Azure AD - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/cloud-app-discovery

Demonstration: Enabling Multi-Factor Authentication

Risky Sign-Ins

With the security reports in Azure Active Directory (Azure AD) you can gain insights into the probability of compromised user accounts in your environment. Azure AD detects suspicious actions that are related to your user accounts. For each detected action, a record called risk event (next topic) is created.

Risk events are used to calculate:

●● Risky sign-ins. A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. A sign-in risk level is an indication (High, Medium, or Low) of the likelihood that a sign-in attempt was made by someone other than the legitimate owner of the user account.
●● Users flagged for risk. A risky user is an indicator for a user account that might have been compromised.

✔️ Azure AD Identity Protection sends two types of automated notification emails to help you manage user risk and risk events: the users at risk detected email, and a weekly digest email.

For more information, you can see:
Risky sign-ins - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection#risky-sign-ins
Azure Active Directory Identity Protection notifications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-notifications


Risks Detected

Most security breaches take place when attackers gain access to an environment by stealing a user’s identity. Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your user accounts. Each detected suspicious action is stored in a record called risk event.

Currently, Azure Active Directory detects six types of risk events:

●● Users with leaked credentials - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#leaked-credentials
●● Sign-ins from anonymous IP addresses - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-ins-from-anonymous-ip-addresses
●● Impossible travel to atypical locations - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#impossible-travel-to-atypical-locations
●● Sign-ins from infected devices - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-ins-from-infected-devices
●● Sign-ins from IP addresses with suspicious activity - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-ins-from-ip-addresses-with-suspicious-activity
●● Sign-ins from unfamiliar locations - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#sign-in-from-unfamiliar-locations

✔️ The insight you get for a detected risk event is tied to your Azure AD subscription. With the Azure AD Premium P2 edition, you get the most detailed information about all underlying detections. With the Azure AD Premium P1 edition, detections that are not covered by your license appear as the risk event "Sign-in with additional risk detected".

✔️ If you have time, check out the following presentation given at the Ignite 2017 conference. It provides a broad overview of the Azure AD Identity Protection capabilities covered in this lesson. The session is entitled "Shut the door to cybercrime with Azure Active Directory risk-based identity protection."

For more information, you can see:
Azure Active Directory risk events - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events

Video: Enabling Azure Active Directory Protection

This video is from the Enterprise Mobility + Security series on Microsoft's Channel 9 platform. It discusses the process to enable Azure AD Identity Protection. You'll learn how this feature can help organizations understand the risk level of each authentication and mitigate it through controls such as Azure MFA. Azure AD Identity Protection also benefits organizations proactively, by searching for compromised credentials, alerting administrators of the compromise, and locking the affected user account.


Integrating SaaS Applications with Azure AD

Software as a Service

Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office 365). For organizational use, you can “rent” productivity apps, such as email, collaboration, and calendaring; and sophisticated business applications such as customer relationship management (CRM), enterprise resource planning (ERP), and document management. You pay for the use of these apps by subscription or according to the level of use. SaaS allows your organization to get quickly up and running with an app at minimal upfront cost.

Common SaaS scenarios

If you’ve used a web-based email service such as Outlook, Hotmail, or Yahoo! Mail, then you’ve already used a form of SaaS. With these services, you log into your account over the Internet, often from a web browser. The email software is located on the service provider’s network, and your messages are stored there as well. You can access your email and stored messages from a web browser on any computer or Internet-connected device. In the following image, which SaaS applications do you see that you are interested in?

✔️ Begin to think about how users will login to your SaaS applications. Will you be able to implement a single sign-on experience? For more information, you can see: What is SaaS? - https://azure.microsoft.com/en-us/overview/what-is-saas/

SaaS Advantages

From an identity management point of view, the advantages of integrating SaaS applications with Azure AD are generally grouped into: unified user experience, security, centralized application access management, and unified reporting and monitoring. The SaaS model itself brings the following advantages.

Gain access to sophisticated applications. To provide SaaS apps to users, you don’t need to purchase, install, update, or maintain any hardware, middleware, or software. SaaS makes even sophisticated enterprise applications, such as ERP and CRM, affordable for organizations that lack the resources to buy, deploy, and manage the required infrastructure and software themselves.

Pay only for what you use. You also save money because the SaaS service automatically scales up and down according to the level of usage.

Use free client software. Users can run most SaaS apps directly from their web browser without needing to download and install any software, although some apps require plugins. This means that you don’t need to purchase and install special software for your users.

Mobilize your workforce easily. SaaS makes it easy to “mobilize” your workforce because users can access SaaS apps and data from any Internet-connected computer or mobile device. You don’t need to worry about developing apps to run on different types of computers and devices because the service provider has already done so. In addition, you don’t need to bring special expertise onboard to manage the security issues inherent in mobile computing. A carefully chosen service provider will ensure the security of the service itself, regardless of the type of device consuming it; under the shared responsibility model, however, who can sign in, from where, and with what controls remains your responsibility, which is why the SaaS app should be integrated with Azure AD and covered by conditional access.

Access app data from anywhere. With data stored in the cloud, users can access their information from any Internet-connected computer or mobile device. And when app data is stored in the cloud, no data is lost if a user’s computer or device fails.

✔️ Can you think of any other advantages specific to your organization’s needs?

For more information, you can see:
What is SaaS? - https://azure.microsoft.com/en-us/overview/what-is-saas/

Video: Integrating SaaS Applications

Azure AD Application Gallery

If you are going to deploy SaaS applications, then you will want your users to be able to use single-sign on (SSO). The Azure AD Application Gallery provides a listing of applications that are known to support a form of SSO with Azure AD.


Here are some tips for finding apps by what capabilities they support:

●● Featured applications support automatic provisioning and de-provisioning in Azure AD.
●● Gallery applications support federated single sign-on using a protocol such as SAML, WS-Federation, or OpenID Connect.
●● Each application in the gallery provides step-by-step instructions on how to enable single sign-on.

Automatic provisioning includes all of the following:

●● Automatically create new accounts in the right systems for new people when they join your team or organization.
●● Automatically deactivate accounts in the right systems when people leave the team or organization.
●● Ensure that the identities in your apps and systems are kept up-to-date based on changes in the directory, or in your human resources system.
●● Provision non-user objects, such as groups, to applications that support them.

✔️ Automatic provisioning is a very good thing. The deactivation step is the one with the most security value: without it, a user who leaves the organization keeps access to every SaaS app until someone removes each account by hand. Take a minute to read more in the next link.

For more information, you can see:
Azure Active Directory integrated with applications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enable-sso-scenario#azure-active-directory-integrated-with-applications
Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-app-provisioning

Demonstration: Integrating SaaS Applications

Other Integration Options

What if you need to implement an application that is not yet listed in the application gallery? While this is a bit more time-consuming than configuring SSO for applications from the application gallery, Azure AD provides you with a wizard that helps you with the configuration.

1. Add your own app you are developing. If you have developed the application yourself, follow the guidelines in the Azure AD developer documentation (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios) to implement federated single sign-on or provisioning using the Azure AD Graph API.
2. Add an on-premises application. Azure AD Application Proxy provides SSO and secure remote access for web applications hosted on-premises. Some apps you would want to publish include SharePoint sites, Outlook Web Access, or any other line-of-business (LOB) web applications you have. End users can access your on-premises applications the same way they access Office 365 and other SaaS apps integrated with Azure AD. You don't need to change the network infrastructure or require a VPN to provide this solution for your users.
3. Integrate any other application that you can’t find in the gallery. Use this category in the app gallery to connect an unlisted application that your organization is using. You can add any application that supports SAML 2.0 as a federated app, or any application that has an HTML-based sign-in page as a password SSO app. Note that password SSO works by having Azure AD store the application credential and replay it into the sign-in form on the user's behalf, so it does not give you the protocol-level assurances of federation; prefer SAML or OpenID Connect whenever the app supports them.

For more information, you can see:
Get started with the Azure AD application gallery - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-appssoaccess-whatis#get-started-with-the-azure-ad-application-gallery
Integrating Azure Active Directory with applications getting started guide - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications-getting-started
SaaS application integration with Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-tutorial-list

Additional Practice - SaaS Integration with Azure AD

If you are interested in learning more on how to integrate cloud-enabled SaaS applications with Azure AD, there is a collection of tutorials (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tutorial-list) to help walk you through the configuration process for single sign-on (SSO).

●● The applications are organized alphabetically, and in some cases there is also an accompanying tutorial for user provisioning (this is noted where it is the case).
●● Pick one or two applications that are of interest and give the tutorials a try to see how the process works.


✔️ Remember that in the video, Corey mentioned that SaaS application integration with Azure AD involves two main processes: first you add the application from the gallery and configure it for Azure AD; then you must perform any additional configuration required by the application provider.

For more information, you can see:
Azure Active Directory integrated with applications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enable-sso-scenario#azure-active-directory-integrated-with-applications
Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-app-provisioning

Conditional Access

Once you have setup SSO for your SaaS application it is time to consider additional security measures such as conditional access. Conditional access is a capability of Azure AD (with an Azure AD Premium license) that enables you to enforce controls on the access to apps in your environment based on specific conditions from a central location. With Azure AD conditional access, you can factor how a resource is being accessed into an access control decision. By using conditional access policies, you can apply the right access controls under the required conditions.

In the context of conditional access:

●● “When this happens” is called conditions.
●● “Then do this” is called access controls.

The combination of your conditions with your access controls represents a conditional access policy. With access controls, you can either block access altogether or grant access with additional requirements by selecting the desired controls. You have several options:

●● Require MFA from Azure AD or from an on-premises MFA provider (combined with AD FS).
●● Grant access only to trusted devices (devices marked as compliant).
●● Require a domain-joined device.
●● Require mobile devices to use Intune app protection policies (https://docs.microsoft.com/intune/app-protection-policy).

✔️ Do you think conditional access would be something your organization is interested in?

For more information, you can see:
Conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Grant controls - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls#grant-controls

Conditions – Users Groups

Conditional access comes with six conditions: user/group, cloud application, device state, location (IP range), client application, and sign-in risk. You can use combinations of these conditions to get the exact conditional access policy you need. Notice on this image the conditions determine the access control from the previous topic.

✔️ The Users and Groups condition is mandatory in a conditional access policy. In your policy, you can either select All users or select specific users and groups. For more information, you can see: Conditions in Azure Active Directory conditional access - https://docs.microsoft.com/en-us/azure/ active-directory/active-directory-conditional-access-conditions

Sign-in Risk Condition

A sign-in risk is an indicator for the likelihood (high, medium, or low) that the legitimate owner of a user account did not perform the sign-in attempt. Azure AD calculates the sign-in risk level during the sign-in of a user. You can use the calculated sign-in risk level as condition in a conditional access policy.

✔️ To use this condition, you need to have Azure Active Directory Identity Protection enabled (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection).


For more information, you can see: Sign-in risk - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#sign-in-risk

Locations Condition

With locations, you have the option to define conditions that are based on where a connection attempt was initiated from. Your choices are: any location, all trusted locations, and selected locations.

Common use cases for this condition are policies that:

●● Require multi-factor authentication for users accessing a service when they are off the corporate network.
●● Block access for users accessing a service from specific countries or regions.
●● Ensure that access to a non-production Azure environment occurs only from a non-production network.

✔️ If you are interested in the other access conditions that are available, take some time to go through the next links.

For more information, you can see:
Locations - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations
Cloud Apps - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#cloud-apps
Device Platforms - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#device-platforms
Client Apps - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-conditions#client-apps

Additional Practice - Conditional Access

To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud apps using a user name and a password. However, some environments may have scenarios where it would be advisable to require a strong form of account verification. In this Quickstart, you configure an Azure AD conditional access policy that requires multi-factor authentication (MFA) for a selected cloud app in your environment.

If you decide to try this Quickstart (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa), you will need:

●● Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium capability.
●● A test account called Isabella Simonsen.

The specific tasks in this Quickstart include:

●● Create the required conditional access policy.
●● Evaluate a simulated sign-in.
●● Test the conditional access policy.

For more information, you can see:
What is conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
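The policy this lesson describes (the sign-in risk and location conditions, with MFA as the grant control, scoped to one cloud app as in the Quickstart), written with the AzureAD PowerShell module. This is an added example, not part of the course or the Quickstart. It assumes a version of the AzureAD or AzureADPreview module that includes New-AzureADMSConditionalAccessPolicy, a Global Administrator sign-in, and Azure AD Premium P2 (the sign-in risk condition needs Identity Protection); the application ID and the emergency-access group ID are placeholders you must replace.

```powershell
# Added example (not from the course). Assumptions: AzureAD/AzureADPreview module with the
# *-AzureADMSConditionalAccessPolicy cmdlets, Global Administrator sign-in, Azure AD Premium P2.
Connect-AzureAD

$targetAppId   = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the SaaS app
$breakGlassGrp = '11111111-1111-1111-1111-111111111111'   # placeholder: object ID of the emergency-access group

# "When this happens": the conditions
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $targetAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers  = 'All'
$conditions.Users.ExcludeGroups = $breakGlassGrp        # never let a CA policy lock out the emergency accounts
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = 'All'
$conditions.Locations.ExcludeLocations = 'AllTrusted'    # named locations you marked as trusted are exempt
$conditions.SignInRiskLevels = @('high', 'medium')       # Identity Protection sign-in risk (P2 only)

# "Then do this": the access controls
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# Create the policy in report-only mode first. Review the sign-in log for a few days to see
# who would have been prompted or blocked, then switch -State to 'Enabled'.
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName 'Require MFA for medium/high risk sign-ins off trusted networks' `
    -State 'EnabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls

# Read it back to confirm what was stored
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id | Format-List DisplayName, State
```

The exclusion of an emergency-access group and the report-only start are the two habits that keep a conditional access rollout from becoming an outage: a policy with a sign-in risk condition will fire on the administrator's own sign-in if the risk engine flags it, and report-only mode lets you see that in the sign-in log before it can lock anyone out.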


Module 1 Review Questions

Domain Services Differences

You establish a hybrid environment using an on-premises Active Directory Domain Services (AD DS) domain and Azure AD. You need to define how the hybrid deployment will influence administrative work. What are the differences between AD DS and Azure AD?

Click for suggested answer ↓

Although Azure AD has many similarities to AD DS, there are also many differences. It is important to realize that using Azure AD is different from deploying an Active Directory domain controller on an Azure virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD that make it different.

●● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications.
●● REST API querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD is queried through a REST API over HTTP and HTTPS.
●● Communication protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
●● Federation services. Azure AD includes federation services and can federate with many third-party identity providers (such as Facebook).
●● Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).

Azure AD SSO

You manage an existing Active Directory Domain Services (AD DS) domain. You grant users access to internal and external web apps by using Active Directory Federation Services (AD FS). The organization deploys Office 365 Exchange Online and migrates all user mailboxes to the cloud. How can you use the existing Office 365 implementation to improve the user experience and save money for the organization? What are some benefits of using Azure AD?

Click for suggested answer ↓

Use the Azure AD Connect synchronization already in place for Exchange Online, and use Azure AD single sign-on (SSO) so that the existing AD FS servers can be decommissioned. Azure AD has many benefits: single sign-on to any cloud or on-premises web app, support for iOS, Mac OS X, Android, and Windows devices, protection of on-premises web applications with secure remote access, easy extension of Active Directory to the cloud, protection of sensitive data and applications, and reduced costs and enhanced security through self-service capabilities.

Azure AD Editions

You are planning to deploy Azure AD in a hybrid environment for an organization. You must implement the following features: MFA, SSO, self-service password reset, seamless access to both on-premises and cloud applications, and self-service BitLocker recovery.

Which Azure AD edition is suitable for your organization and why? What are the Azure AD editions?

Click for suggested answer ↓

Azure AD Premium P1 is most suitable for your deployment; it is the lowest edition that includes all of the listed features. The Azure AD editions include: Azure Active Directory Free, Azure Active Directory Basic, Azure Active Directory Premium P1, and Azure Active Directory Premium P2.


Module 2 Managing Azure Active Directory Objects

Azure Domains and Tenants

Domains

Initial domain name

By default, when you create an Azure subscription an Azure AD domain is created for you. This instance of the domain has an initial domain name in the form domainname.onmicrosoft.com. The initial domain name, while fully functional, is intended primarily to be used as a bootstrapping mechanism until a custom domain name is verified.

Custom domain name

Although the initial domain name for a directory can't be changed or deleted, you can add any routable custom domain name you control. This simplifies the user sign-on experience by allowing users to log on with credentials they are familiar with. For example, contosogold.onmicrosoft.com could be assigned the simpler custom domain name contosogold.com.

Practical information about domain names

●● Only a global administrator can perform domain management tasks in Azure AD.
●● Domain names in Azure AD are globally unique. If one Azure AD directory has verified a domain name, then no other Azure AD directory can verify or use that same domain name.
●● Before a custom domain name can be used by Azure AD, the custom domain name must be added to your directory and verified. This is covered in the next topic.

Verifying Custom Domain Names

When an administrator adds a custom domain name to an Azure AD directory, it is initially in an unverified state. Azure AD will not allow any directory resources to use an unverified domain name. This ensures that only one directory can use a domain name, and that the organization using the domain name actually owns it.

Azure AD verifies ownership of a domain name by looking for an entry in the Domain Name System (DNS) zone for the domain name. To verify ownership, an admin gets from Azure AD the DNS entry that Azure AD will look for, and adds that entry to the DNS zone for the domain name. The DNS zone is maintained by the domain name registrar, or by whichever DNS hosting provider the zone has been delegated to. Adding a DNS entry to the zone for the domain name does not affect other domain services such as email or web hosting.

✔️ An upcoming demonstration shows how to add the DNS record to your domain.

For more information, you can see: Managing custom domain names in your Azure Active Directory - https://docs.microsoft.com/en-us/ azure/active-directory/active-directory-domains-manage-azure-portal

Tenants

A tenant is simply a dedicated instance of Azure AD that your organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365. For example, contosogold.onmicrosoft.com is a tenant. A tenant houses the users in a company and the information about them - their passwords, user profile data, permissions, and so on. It also contains groups, applications, and other information pertaining to an organization and its security.

You can have multiple tenants within your organization. Each tenant can have a different purpose and fulfill a different scenario. For example, you might have a tenant for Testing, one for Office 365, and one for Production. Can you think of reasons why you might want different tenants?

●● Isolation. Each tenant is isolated with different policies, users, groups, and roles.
●● Resources. Each tenant can have different resources specific to its functionality.
●● Administration. Each tenant can have different administrator roles.
●● Synchronization. Each tenant can implement synchronization in a different way.

To deploy Azure resources under a tenant, the tenant must be associated with a subscription. The basic steps are: create a directory, create an admin for the directory, and then have the admin associate the directory with a subscription. Each subscription trusts exactly one directory, while a directory can be trusted by many subscriptions or by none (a tenant used only for Office 365 has no Azure subscription at all).

✔️ An upcoming demonstration shows how to create a tenant, add an admin, and associate a subscription. For more information, you can see: How to get an Azure Active Directory tenant - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant What is an AD Tenant? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administer#what-is-an-azure-ad-tenant

Multiple Tenants


In Azure Active Directory (Azure AD), each tenant is a fully independent resource: a peer that is logically independent from the other tenants that you manage. There is no parent-child relationship between tenants. This independence between tenants includes resource independence, administrative independence, and synchronization independence.

Resource independence

●● If you create or delete a resource in one tenant, it has no impact on any resource in another tenant, with the partial exception of external users.
●● If you use one of your domain names with one tenant, it cannot be used with any other tenant.

Administrative independence

If a non-administrative user of tenant ‘Contoso’ creates a test tenant ‘Test’, then:

●● By default, the user who creates a tenant is added as an external user in that new tenant and assigned the global administrator role in that tenant.
●● The administrators of tenant ‘Contoso’ have no direct administrative privileges to tenant ‘Test’, unless an administrator of ‘Test’ specifically grants them these privileges.

Synchronization independence

You can configure each Azure AD tenant independently to get data synchronized from a single instance of either the Azure AD Connect tool or the Forefront Identity Manager Azure Active Directory Connector.

✔️ Unlike other Azure resources, your tenants are not child resources of an Azure subscription.

For more information, you can see:
Understand how multiple Azure Active Directory tenants interact - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-directory-independence

Video: Managing Domains Directories and Tenants

Demonstration: Create a New Instance of Azure AD

Additional Practice - Custom Domain Names

Take a few minutes to work through the Quickstart: Add a custom domain name to Azure Active Directory (https://docs.microsoft.com/en-us/azure/active-directory/add-custom-domain). This Quickstart steps through the basics of:

●● Add the custom domain name to your directory.
●● Add a DNS entry for the domain name at the domain name registrar.
●● Verify the custom domain name in Azure AD.

This Quickstart includes troubleshooting steps:

●● Wait an hour. DNS records must propagate before Azure AD can verify the domain. This process can take an hour or more.
●● Ensure the DNS record was entered, and that it is correct. Complete this step at the website for the domain name registrar for the domain.
●● Delete the domain name from another directory in Azure AD. A domain name can be verified in only a single directory. If a domain name is currently verified in a different directory, it can't be verified in your new directory until it is deleted from the other one.

For more information, you can see:
Manage custom domain names - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-domains-manage-azure-portal
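The same add, publish, verify sequence from the previous two topics, done with the AzureAD PowerShell module, including the check a practitioner wants before calling Confirm: is the TXT record actually visible from public DNS yet? This is an added example, not part of the course or the Quickstart. It assumes the AzureAD module, a Global Administrator sign-in, and the Windows DnsClient module for Resolve-DnsName; contoso.com is a placeholder for a domain you control, and the step of publishing the record at your DNS host is done outside PowerShell.

```powershell
# Added example (not from the course). Assumptions: AzureAD module, Global Administrator sign-in,
# Resolve-DnsName from the Windows DnsClient module. 'contoso.com' is a placeholder domain.
Connect-AzureAD
$domainName = 'contoso.com'

# 1. Add the domain to the directory. It starts out unverified, and no user or group
#    can use it until verification succeeds.
$domain = Get-AzureADDomain -Name $domainName -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-AzureADDomain -Name $domainName }
"Domain $($domain.Name) verified: $($domain.IsVerified)"

# 2. Ask Azure AD which record it will look for. Publish the TXT value at the zone apex
#    with your registrar or DNS host (done outside this script).
$record = Get-AzureADDomainVerificationDnsRecord -Name $domainName |
    Where-Object { $_.RecordType -eq 'Txt' }
"Publish this TXT record for $($record.Label) (TTL $($record.Ttl)): $($record.Text)"

# 3. Do not call Confirm until the record is visible from public DNS; propagation can
#    take an hour or more, and a failed Confirm tells you nothing about why.
$published = Resolve-DnsName -Name $domainName -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -contains $record.Text }
if (-not $published) {
    Write-Warning "TXT record for $domainName is not visible in DNS yet. Wait and re-run."
    return
}

# 4. Verify. This fails if the name is already verified in another tenant, because a domain
#    name can be verified in only one Azure AD directory at a time.
Confirm-AzureADDomain -Name $domainName
"Domain $domainName verified: $((Get-AzureADDomain -Name $domainName).IsVerified)"
```

Because Resolve-DnsName queries whatever resolver the machine uses, a hit here means the record has propagated at least that far; a miss right after you published it is normal and is the "wait an hour" case from the troubleshooting list above.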


Azure Users and Groups

Video: Managing Users and Groups

User Accounts

In Azure AD, all users who require access to resources must have a user account. A user account is an Azure AD user object that contains all the information that's required to authenticate and authorize the user during the sign‑in process and build the user's access token. To view the Azure AD users, simply access the All users blade.

Notice the Source in the above screenshot. There are different sources depending on the type of identity, including:

●● Cloud identities (Azure Active Directory). Users that only exist in Azure AD. For example, administrator accounts or users you are managing yourself.
●● Directory-synchronized identities (Windows Server AD). Users brought in to Azure AD through a synchronization activity using Azure AD Connect. These are users that exist in Windows Server AD.
●● Guest users (Azure Active Directory). Users invited from outside your directory. For example, Google and Microsoft accounts.

✔️ Take a minute to access the Portal and view your users. Notice the User Type and Source columns. Have you given any thought as to the type of users you will need?

Adding User Accounts

There are multiple ways to add cloud identities to Azure AD.

Azure Portal

You can add new users through the Azure Portal. In addition to Name and User name, there is profile information like Job Title and Department.

Azure PowerShell

You can use the PowerShell New-AzureADUser cmdlet to add cloud-based users.

    # Create a password profile object
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    # Assign the initial password
    $PasswordProfile.Password = "<Password>"
    # Create the new user
    New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown" -PasswordProfile $PasswordProfile -MailNickName "AbbyB" -UserPrincipalName "AbbyB@contoso.com"

✔️ Users can also be added to Azure AD through the Office 365 Admin Center, the Microsoft Intune admin console, and the Azure CLI. Which of the options mentioned in this topic do you prefer?

For more information, you can see:
Add or change profile information for a user in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-users-profile-azure-portal
Creating a new user in Azure AD - https://docs.microsoft.com/en-us/powershell/azure/active-directory/new-user-sample?view=azureadps-2.0
az ad user create - https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest#az_ad_user_create

Bulk User Accounts

There are several ways you can use PowerShell to import data into your directory, but the most commonly used method is a CSV file. This file can either be created manually, for example in Excel, or exported from an existing data source such as a SQL database or an HR application. If you are going to use a CSV file, here are some things to think about:
●● Naming conventions. Establish or implement a naming convention for user names, display names and aliases. For example, a user name could consist of last name, period, first name: Smith.John@contoso.com.
●● Passwords. Implement a convention for the initial password of each newly created user, and figure out a way for new users to receive that password securely. A common method is to generate a random password, mark it as must-change at first sign-in, and deliver it to the new user or their manager through a channel other than the new account itself.
The steps for using the CSV file are very straightforward. Use the reference link to see a sample PowerShell script.

1. Use Connect-AzureAD to create a PowerShell connection to your directory. Connect with an admin account that has privileges to create users in your directory.
2. Create a new password profile for the new users. The password of the new users needs to conform to the password complexity rules you have set for your directory.
3. Use Import-Csv to import the CSV file. You will need to specify the path and file name of the CSV file.
4. Loop through the users in the file, constructing the user parameters required for each user. For example, User Principal Name, Display Name, Given Name, Department, and Job Title.
5. Use New-AzureADUser to create each user (New-ADUser is the on-premises Windows Server AD cmdlet and does not create cloud users). Be sure to enable each account.
For more information, you can see:
Importing data into my directory - https://docs.microsoft.com/en-us/powershell/azure/active-directory/importing-data?view=azureadps-2.0
New-AzureADUser - https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduser?view=azureadps-2.0
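The five steps above carried through as one script. This is an added example, not the handbook's sample or a Microsoft script: it assumes the AzureAD PowerShell module, a Connect-AzureAD session under an account allowed to create users, and the contoso.com domain used earlier in this lesson; the two CSV rows are constructed sample data, and the random-password helper is this example's own.

```powershell
# Added example (not from the handbook): bulk-create cloud users from a CSV with the AzureAD module.
# Assumes the AzureAD module is installed and that the account used for Connect-AzureAD
# holds the User Administrator (or Global Administrator) role. The CSV rows below are constructed.
Connect-AzureAD | Out-Null

function New-InitialPassword {
    # Generate a random initial password from a CSPRNG that satisfies the default
    # Azure AD complexity rule (three of: lower, upper, digit, symbol).
    # The modulo mapping has a slight bias, which is acceptable for a single-use password.
    param([int]$Length = 16)
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and $candidate -match '[0-9]')
    return $candidate
}

# Constructed sample input; in production export this from the HR system.
$csvPath = Join-Path $env:TEMP 'NewUsers.csv'
@'
UserPrincipalName,DisplayName,GivenName,Surname,Department,JobTitle
Smith.John@contoso.com,John Smith,John,Smith,Sales,Account Executive
Doe.Jane@contoso.com,Jane Doe,Jane,Doe,Marketing,Campaign Manager
'@ | Set-Content -Path $csvPath

$created = foreach ($row in Import-Csv -Path $csvPath) {
    $pwdProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwdProfile.Password = New-InitialPassword
    $pwdProfile.ForceChangePasswordNextLogin = $true   # the initial secret is single-use

    $params = @{
        AccountEnabled    = $true
        UserPrincipalName = $row.UserPrincipalName
        DisplayName       = $row.DisplayName
        GivenName         = $row.GivenName
        Surname           = $row.Surname
        Department        = $row.Department
        JobTitle          = $row.JobTitle
        MailNickName      = ($row.UserPrincipalName -split '@')[0]
        PasswordProfile   = $pwdProfile
    }
    try {
        $user = New-AzureADUser @params
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            ObjectId          = $user.ObjectId
            InitialPassword   = $pwdProfile.Password
        }
    }
    catch {
        # Typical causes: UPN already exists, domain not verified, password policy not met
        Write-Warning "Could not create $($row.UserPrincipalName): $($_.Exception.Message)"
    }
}

# Deliver the initial passwords out of band (not through the new mailbox) and delete this file afterwards.
$created | Export-Csv -Path (Join-Path $env:TEMP 'NewUsers-InitialPasswords.csv') -NoTypeInformation
$created | Select-Object UserPrincipalName, ObjectId
```

Run it from a Windows PowerShell session where the AzureAD module is installed. The initial passwords are written to a separate file only so they can be handed over out of band; ForceChangePasswordNextLogin makes each one single use, and the file should be deleted once delivered.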

Group Accounts

A group helps organize users to make it easier to manage permissions. There are two types of groups: security groups and distribution groups.
●● Security groups are security-enabled and are used to assign permissions and control access to various resources.
●● Distribution groups are used mainly by email applications and are not security-enabled.
You can easily add groups in the portal.

Adding Groups
You can also use PowerShell to add a group with the New-AzureADGroup command.

# Create a security-enabled (not mail-enabled) group
New-AzureADGroup -Description "Marketing" -DisplayName "Marketing" -MailEnabled $false -SecurityEnabled $true -MailNickName "Marketing"

Adding Members to Groups
There are two ways to add members to Azure AD groups.
●● Directly Assigned. In this situation you create the group and then manually add individual user accounts to the group.
●● Dynamically Assigned. In this situation you create rules that drive attribute-based dynamic membership. For example, if a user's Department is Sales, then they are dynamically assigned to the Sales group. You can set up a rule for dynamic membership on security groups or Office 365 groups. This feature requires an Azure AD Premium P1 license. Because the rule is the only gate, anyone who can edit the attributes the rule reads can influence membership, so protect those attributes accordingly.
✔️ Have you given any thought to which groups you need to create? Would you directly assign or dynamically assign membership?
For more information, you can see:
Manage group membership for users in your Azure Active Directory tenant - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-members-azure-portal
Create attribute-based rules for dynamic group membership in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
Create a group and add members in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-create-azure-portal
New-AzureADGroup - https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadgroup?view=azureadps-2.0
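Both membership styles side by side, as an added example (not from the handbook or Microsoft's documentation). It assumes an existing Connect-AzureAD session, the AbbyB@contoso.com user created earlier in this lesson, an Azure AD Premium P1 licence, and a module version in which New-AzureADMSGroup accepts the dynamic-membership parameters (the AzureADPreview module at the time of this course); the group names are assumptions.

```powershell
# Added example (not from the handbook): a static security group with a directly assigned member,
# and a dynamic group keyed on the Department attribute.
# Assumes Connect-AzureAD has already been run; New-AzureADMSGroup with dynamic membership needs the
# AzureADPreview module and an Azure AD Premium P1 licence. AbbyB@contoso.com was created earlier.

# Static group: membership changes only when someone with rights on the group edits it
$marketing = New-AzureADGroup -DisplayName "Marketing" -Description "Marketing staff" `
    -MailEnabled $false -SecurityEnabled $true -MailNickName "Marketing"
$abby = Get-AzureADUser -ObjectId "AbbyB@contoso.com"
Add-AzureADGroupMember -ObjectId $marketing.ObjectId -RefObjectId $abby.ObjectId

# Dynamic group: membership is computed from the rule, nobody is added by hand.
# Whoever can write user.department therefore controls who lands in this group.
$sales = New-AzureADMSGroup -DisplayName "Sales" -Description "All users whose department is Sales" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "Sales" `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Sales")' `
    -MembershipRuleProcessingState "On"

# Verify: members and owners of the static group. Owners can change membership, so review them
# with the same care as the members themselves.
Get-AzureADGroupMember -ObjectId $marketing.ObjectId | Select-Object DisplayName, UserPrincipalName
Get-AzureADGroupOwner  -ObjectId $marketing.ObjectId | Select-Object DisplayName, UserPrincipalName

# The dynamic rule is evaluated asynchronously; this may be empty for a while after creation
Get-AzureADGroupMember -ObjectId $sales.Id | Select-Object DisplayName, UserPrincipalName
```

The dynamic group is the one to watch in an access review: a static group shows who granted membership in the audit log, whereas a dynamic group's membership follows attribute edits made elsewhere (HR sync, Azure AD Connect, a user administrator).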


Demonstration: Create User and Group Accounts

Additional Practice - Users and Groups

✔️ For the Quickstarts in this practice, you will need to sign in to Azure with an account that is a global admin for the directory.
Add new users
Try the Quickstart: Add new users to Azure Active Directory2. This Quickstart explains how to add or delete users in your organization's Azure Active Directory (Azure AD) tenant using the Azure portal, or by synchronizing your on-premises Windows Server AD user account data.
Manage group membership
Try Manage group membership for users in your Azure Active Directory tenant3. This article explains how to manage the members of a group in Azure Active Directory (Azure AD).
Create a group and add members
Try Create a group and add members in Azure Active Directory4. This article explains how to create and populate a new group in Azure Active Directory. Use a group to perform management tasks such as assigning licenses or permissions to several users or devices at once.
Manage profile information
Try the Add or change profile information for a user in Azure Active Directory5 article. This article explains how to add user profile information, such as a profile picture or phone and email authentication information, in Azure Active Directory (Azure AD).
✔️ As you have time, experiment with other user and group administrative tasks.

2 https://docs.microsoft.com/en-us/azure/active-directory/add-users-azure-active-directory
3 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-members-azure-portal
4 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-create-azure-portal
5 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-users-profile-azure-portal

Azure Roles

Role-Based Access Control

Managing access to resources in Azure is a critical part of an organization's security and compliance requirements. Role-based access control (RBAC) is the capability within Azure that lets you grant a very granular level of access based on the tasks an administrator is assigned. This ensures an administrator can do exactly the task they need to do; no more, no less.
Role assignments
RBAC is configured by selecting a role (the definition of which operations are allowed and which are excluded), then associating the role with a security principal (a user, a group, or a service principal). Finally, this combination of role and security principal is scoped to a subscription, a resource group, or a specific resource. A role assignment is therefore the triple of role, principal and scope, and a principal's permissions at a scope are the union of all assignments that apply there.

✔️ Notice that access is inherited from subscriptions, to resource groups, and then to resources.
Using the Portal to implement RBAC
You can use the Azure Portal to make your role assignments. In this example, the ContosoBlueAD resource group shows on the Access Control (IAM) blade the current roles and scopes. You can add or remove roles as you need. You can add synced users and groups to Azure roles, which enables organizations to centralize the granting of access.

For more information, you can see:
Get started with access management in the Azure portal - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is


Built-in Roles

Azure provides many built-in RBAC roles6 to cover the most common security scenarios. To understand how the roles work we will examine three roles that apply to all resource types:
●● Owner has full access to all resources including the right to delegate access to others.
●● Contributor can create and manage all types of Azure resources but can't grant access to others.
●● Reader can view existing Azure resources.
Role definitions
Each role is a set of properties that can be expressed as a JSON document. A role definition includes Name, Id, and Description. It also includes the allowed operations (Actions), the operations excluded from those (NotActions), and the scopes at which the role can be assigned (AssignableScopes). For the Owner role that means all (*) actions, no excluded actions, and all (/) scopes. This information is available with the Get-AzureRmRoleDefinition cmdlet.
[Screenshot: results of Get-AzureRmRoleDefinition -Name Owner, with the Actions and NotActions values highlighted.]
✔️ Take a minute to open the Azure Portal, open the Subscriptions or Resource Group blade, and click Access Control (IAM). Click Add and take a few minutes to review the built-in roles and see which role you would be most interested in using.
For more information, you can see:
Built-in roles in Azure - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Get-AzureRmRoleDefinition - https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermroledefinition?view=azurermps-5.3.0

Role Definitions Actions and NotActions

The Actions and NotActions properties can be tailored to grant and exclude the exact permissions you need. Review this table to see how Owner, Contributor, and Reader are defined.
●● Owner (allow all actions). Actions: *. NotActions: none.
●● Contributor (allow all actions except writing or deleting role assignments). Actions: *. NotActions: Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action.
●● Reader (allow all read actions). Actions: */read. NotActions: none.
✔️ NotActions is a subtraction from the same role's Actions, not a deny rule. Contributor's NotActions stop a Contributor from granting access through that role, but a second assignment (for example, User Access Administrator) at the same or a parent scope adds those permissions back, because permissions from multiple assignments are combined.

AssignableScopes
Defining the Actions and NotActions properties is not enough to fully implement a role. You must also properly scope your role.
The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources) within which the custom role is available for assignment. You can make the custom role available for assignment in only the subscriptions or resource groups that require it, and not clutter the user experience for the rest of the subscriptions or resource groups.
●● /subscriptions/[subscription id]
●● /subscriptions/[subscription id]/resourceGroups/[resource group name]
●● /subscriptions/[subscription id]/resourceGroups/[resource group name]/providers/[resource provider]/[resource type]/[resource name]
Example 1. Make a role available for assignment in two subscriptions.
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e", "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"
Example 2. Make a role available for assignment only in the Network resource group.
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network"
✔️ Take a minute to open the Azure Portal and use the Access Control blade to add a role and then assign it to a user. Can you see which role assignments your organization would need?
For more information, you can see:
Custom roles access control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles#custom-roles-access-control

6 https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#roles-in-azure

Azure PowerShell and CLI

When you have large numbers of role assignments, you may prefer to use Azure PowerShell or the CLI.

# Role assignment properties
$roleName = "Contributor"
$assigneeName = "[email protected]"
$resourceGroupName = "contosoblue"

Azure PowerShell
New-AzureRmRoleAssignment -RoleDefinitionName $roleName -SignInName $assigneeName -ResourceGroupName $resourceGroupName

CLI
az role assignment create --role $roleName --assignee $assigneeName --resource-group $resourceGroupName

✔️ If you have created a custom JSON role definition file you can use PowerShell or the CLI to create a new custom role definition. In the following examples the sysops.json file has the custom definition.

# PowerShell
New-AzureRmRoleDefinition -InputFile .\sysops.json

# CLI
az role definition create --role-definition "./sysops.json"
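The sysops.json file referred to above, written out and used end to end: definition, assignment to a group at resource-group scope, and verification. This is an added example, not the handbook's or Microsoft's file. The role name and its operations, the resource group contosoblue and an Azure AD group called SysOps are assumptions, as is the AzureRM module and an account holding Owner or User Access Administrator on the subscription.

```powershell
# Added example (not from the handbook): create and assign a least-privilege custom role.
# Assumptions: AzureRM module, resource group "contosoblue", Azure AD group "SysOps",
# and a signed-in account that may create role definitions and assignments at subscription scope.
Connect-AzureRmAccount | Out-Null
$subscriptionId    = (Get-AzureRmContext).Subscription.Id
$resourceGroupName = "contosoblue"

# Discover the exact operation strings before granting them; Actions entries must match exactly.
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/virtualMachines/*" |
    Select-Object Operation, OperationName | Format-Table -AutoSize

# Operators may start, stop and restart VMs but not create or delete them. Nothing under
# Microsoft.Authorization is granted, so the role cannot be used to widen its own access.
$jsonPath = Join-Path $env:TEMP 'sysops.json'
@"
{
  "Name": "Contoso SysOps",
  "IsCustom": true,
  "Description": "Start, restart and deallocate virtual machines; no create, delete or access grants.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@ | Set-Content -Path $jsonPath

$role = New-AzureRmRoleDefinition -InputFile $jsonPath

# Assign to a group rather than to individuals so access follows group membership
$group = Get-AzureRmADGroup -SearchString "SysOps" | Select-Object -First 1
New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name `
    -ResourceGroupName $resourceGroupName | Out-Null

# Verify what applies at this scope, including assignments inherited from the subscription
Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroupName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope | Format-Table -AutoSize
```

Get-AzureRmProviderOperation is the check to run before writing any Actions entry. Keeping Microsoft.Authorization out of Actions is what stops the role from becoming a path to privilege escalation, and the closing Get-AzureRmRoleAssignment lists inherited assignments too, which is the same view the Access Control (IAM) blade gives.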

Video: Role-Based Access Control

Demonstration: Role-Based Access Control

Additional Practice - Role-based Access Control (RBAC)

Role-based access control (RBAC) is the way that you manage access to resources in Azure. In this Quickstart, you grant a user access to create and manage virtual machines in a resource group. Take a few minutes to work through Grant access for a user using RBAC and the Azure portal7. This Quickstart steps through the basics of:
●● Creating a resource group in the Azure portal.
●● Assigning a user to a role.
●● Removing the role assignment you created.
Using PowerShell
Next, try the following tutorial8 to grant a user access to view all resources in a subscription and manage everything in a resource group using Azure PowerShell. In this tutorial you will:
●● Create a user.
●● Create a resource group.
●● Use the Get-AzureRmRoleAssignment command to list the role assignments.
●● Use the Remove-AzureRmRoleAssignment command to remove access, and then Remove-AzureRmResourceGroup to clean up the resource group (deleting the resource group removes its resources, not just the access).
For more information, you can see:
What is role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

7 https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
8 https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell

Managing Devices

Device Management

Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere. The proliferation of devices, including Bring Your Own Device (BYOD), empowers end users to be productive wherever and whenever. But IT administrators must ensure corporate assets are protected and that devices meet standards for security and compliance. To get a device under the control of Azure AD, you have two options:
●● Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use the identity to enable or disable a device.
●● Joining a device is an extension to registering a device. It provides all the benefits of registering a device and, in addition, changes the local state of the device. Changing the local state enables your users to sign in to the device using an organizational work or school account instead of a personal account.
✔️ Registration combined with a mobile device management (MDM) solution such as Microsoft Intune provides additional device attributes in Azure AD (for example, whether the device is compliant). This allows you to create conditional access rules that require devices to meet your standards for security and compliance before they can access resources.
For more information, you can see:
Introduction to device management - https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction
Azure AD registered devices - https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-registered-devices

Azure Joined Devices

Azure AD Join is designed to provide access to organizational apps and resources and to simplify Windows deployments of work-owned devices. Azure AD Join has these benefits.
●● Single sign-on (SSO) to your Azure-managed SaaS apps and services. Your users don't see additional authentication prompts when accessing work resources. The SSO functionality is available even when users are not connected to the domain network.
●● Enterprise-compliant roaming of user settings across joined devices. Users don't need to connect to a Microsoft account (for example, Hotmail) to see settings across devices.
●● Access to Windows Store for Business using an Azure AD account. Your users can choose from an inventory of applications pre-selected by the organization.
●● Windows Hello support for secure and convenient access to work resources.
●● Restriction of access to apps to only devices that meet compliance policy.
●● Seamless access to on-premises resources when the device has line of sight to the on-premises domain controller.
✔️ Although Azure AD Join is intended for organizations that do not have on-premises Windows Server Active Directory infrastructure, it can be used for other scenarios like branch offices. Read more at the reference link.
For more information, you can see:
Azure AD joined devices - https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-joined-devices

Hybrid AD Joined Devices

If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are joined both to your on-premises Active Directory and your Azure Active Directory. Joining devices to both directories allows:
●● IT departments to manage work-owned devices from a central location.
●● Users to sign in to their devices with their Active Directory work or school accounts.
Here is a comparison of Registered, Azure AD Joined, and Hybrid Azure AD Joined devices.
●● Registered devices. Device type: Personal. Operating system: Windows 10. Registration: Manual.
●● Azure AD joined devices. Device type: Organization owned. Operating system: Windows 10. Registration: Manual.
●● Hybrid Azure AD joined devices. Device type: Organization owned. Operating system: Windows 7, 8, and 10. Registration: Automatic.

✔️ Do you understand the different types of joined devices? Which do you think your organization needs?
For more information, you can see:
Hybrid Azure AD joined devices - https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#hybrid-azure-ad-joined-devices

Additional Practice - Managing Devices (Portal)

Take some time to work through the Managing devices using the Azure portal9 documentation. In this tutorial you will see how to:
●● Use the Azure portal to access the Devices blade.
●● Configure device settings.
●● Locate devices.
●● Perform device management tasks, such as Delete and Disable.
●● Review the device audit logs.
✔️ Pay attention to the device registration choices and ensure you understand the different scenarios:
●● Users may join devices to Azure AD. Select the users who can join devices to Azure AD.
●● Additional local administrators on Azure AD joined devices. Select the users that are granted local administrator rights on a device.
●● Users may register their devices with Azure AD. Allow users to register personal (BYOD) devices with Azure AD; registration is also a prerequisite for MDM enrollment with Intune.
●● Require Multi-Factor Auth to join devices. Require a second authentication factor to join a device to Azure AD.
●● Maximum number of devices. Select the maximum number of devices that a user can have in Azure AD.
●● Users may sync settings and app data across devices. Allow users' settings and app data to sync across their Windows 10 devices.
For more information, you can see:
Usage scenarios and deployment considerations for Azure AD Join - https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan

9 https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal
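The locate, disable and delete tasks from the tutorial, scripted for the whole tenant. This is an added example, not the handbook's or Microsoft's code: it assumes an existing Connect-AzureAD session under an account that can manage devices (Cloud Device Administrator or Global Administrator); the 90-day threshold and the dry-run default are assumptions.

```powershell
# Added example (not from the handbook): inventory devices by trust type and disable stale ones.
# Assumes Connect-AzureAD has been run with an account that can manage devices.
# The 90-day threshold and the dry-run default are assumptions for this example.
$StaleAfterDays = 90
$DryRun = $true            # set to $false to actually disable devices
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$devices = Get-AzureADDevice -All $true

# DeviceTrustType maps onto the comparison in this lesson:
#   Workplace = Azure AD registered, AzureAd = Azure AD joined, ServerAd = hybrid Azure AD joined
$devices | Group-Object DeviceTrustType | Select-Object Name, Count | Format-Table -AutoSize

# Candidates: still enabled, have a recorded logon, and have not been seen since the cutoff.
# Devices with no timestamp at all are skipped here and deserve a manual look instead.
$stale = $devices | Where-Object {
    $_.AccountEnabled -and
    $null -ne $_.ApproximateLastLogonTimeStamp -and
    $_.ApproximateLastLogonTimeStamp -lt $cutoff
}

$report = foreach ($d in $stale) {
    $owners = (Get-AzureADDeviceRegisteredOwner -ObjectId $d.ObjectId).UserPrincipalName -join ';'
    # Disable first, delete later: a disabled device no longer satisfies device-based conditional
    # access, but its record and audit trail survive until you are sure nobody still uses it.
    if (-not $DryRun) { Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false }
    [pscustomobject]@{
        DisplayName = $d.DisplayName
        TrustType   = $d.DeviceTrustType
        OS          = "$($d.DeviceOSType) $($d.DeviceOSVersion)"
        LastLogon   = $d.ApproximateLastLogonTimeStamp
        Owners      = $owners
        Action      = $(if ($DryRun) { 'would disable' } else { 'disabled' })
    }
}
$report | Format-Table -AutoSize
# After your retention period: Remove-AzureADDevice -ObjectId <ObjectId> deletes a disabled record.
```

Run it once with the dry-run default and review the report against the owners before flipping $DryRun: a hybrid joined device that looks stale in Azure AD may simply have lost its line of sight to a domain controller, and disabling it locks its user out of any resource behind a device-based conditional access policy.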


Module 2 Review Questions

Custom Domain Names

You sign up for Microsoft Cloud Services by subscribing to Exchange Online. Your organization is assigned the initial tenant name myorg.onmicrosoft.com. Your domain administrator wants to assign a custom domain name of myorg.com. Which Azure AD role can manage domain tasks? What is the process of adding a custom domain name?

Click for suggested answer ↓ Only a global administrator can perform domain management tasks in Azure AD. When an administrator adds a custom domain name to an Azure AD tenant, it is initially in an unverified state. Azure AD will not allow any directory resources to use an unverified domain name. This ensures that only one directory can use a domain name, and that the organization using the domain name owns it. Azure AD verifies ownership of a domain name by looking for an entry in the domain name service (DNS) zone file for the domain name. To verify ownership, an admin gets from Azure AD the DNS entry that Azure AD will look for and adds that entry to the DNS zone file for the domain name. The DNS zone file is maintained by the domain name registrar (or DNS hosting provider) for that domain. Adding a DNS entry to the zone file does not affect other domain services such as email or web hosting.

Multiple Tenants
Your organization (Company A) merges with another company (Company B). Both companies use Office 365 Exchange Online as well as Azure AD. Company A uses Azure AD Premium P1, while Company B uses Azure AD Free. Both organizations plan to retain existing domain names and administrative staff. What is an Azure tenant? Why would you have multiple tenants? How would you implement this multi-tenant merger?

Click for suggested answer ↓ A tenant is simply a dedicated instance of Azure AD that your organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365. You can have multiple tenants within your organization. Each tenant can have a different purpose and fulfil a different scenario. For example, you might have a tenant for testing, one for Office 365, and one for production. Other reasons for multiple tenants are isolation, using different resources, and having different administration roles. The basic steps for the merger are to keep the existing directories, use an admin account for each directory, and then have the admin associate a directory with one of the subscriptions (each Azure subscription trusts exactly one tenant). This brings both tenants' resources under the same subscription, while allowing for separate management.

AD Users
You manage users for your organization's Azure AD. You need to add several thousand users to Azure AD. Which methods can you use to add users to Azure AD? Which of these are suitable for adding a large number of users? What format should you use for a user-import file?

Click for suggested answer ↓ You can add new users through the Azure Portal. In addition to Name and User name, there is profile information like Job Title and Department. You can use the PowerShell New-AzureADUser command to add cloud-based users, and you can drive it from a CSV file exported from an existing application. Users can also be added to Azure AD through the Office 365 Admin Center, the Microsoft Intune admin console, and the Azure CLI. As the question involves several thousand users, scripting with Azure PowerShell or the Azure CLI is the right method, and the import file should be in CSV format.


Module 3 Implementing and Managing Hybrid Identities

Azure Active Directory Integration Options

Azure AD Connect

Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.

●● Sync Services. This component is responsible for creating users, groups, and other objects. It is also responsible for making sure identity information for your on-premises users and groups matches what's in the cloud.
●● Health Monitoring. Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
●● Active Directory Federation Services (AD FS). Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. Organizations can use this to address complex deployments, such as domain-join SSO, enforcement of AD sign-in policy, and smart card or third-party MFA.
For more information, you can see:
Integrate your on-premises directories with Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

Password Synchronization

The probability that you are blocked from getting your work done by a forgotten password rises with the number of different passwords you need to remember. Questions and calls about password resets and other password-related issues demand the most helpdesk resources.

Password hash synchronization is a feature used to synchronize user passwords from an on-premises Active Directory instance to a cloud-based Azure AD instance. Use this feature to sign in to Azure AD services like Office 365, Microsoft Intune, CRM Online, and Azure Active Directory Domain Services (Azure AD DS) with the same password you use to sign in to your on-premises Active Directory instance. Note what actually leaves the on-premises environment: Azure AD Connect does not send the cleartext password or the raw on-premises (NTLM) password hash, but a further salted, iterated SHA256 hash of that hash (PBKDF2 with 1,000 iterations), which cannot be replayed against the on-premises domain. By reducing the number of passwords your users need to maintain to just one, password synchronization helps you to:
●● Improve the productivity of your users.
●● Reduce your helpdesk costs.
For more information, you can see:
What is password synchronization - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs

Video: Choose an Azure AD Authentication Method

Video: Azure AD Seamless Sign-On

Sign-On Methods

Azure AD Connect provides several sign-on methods: Password Synchronization, Pass-through Authentication, and Federation with AD FS. All three rely on Azure AD Connect synchronizing user accounts from the on-premises Active Directory instance to Azure AD; whether password hashes are synchronized as well, or authentication stays on-premises, depends on the method. Synchronization helps you to improve the productivity of your users and reduce your helpdesk costs.

Password Synchronization. This option synchronizes a salted, re-hashed form of each user's password hash (not the password and not the raw hash), so a user signing in to Azure AD uses the same password as the on-premises domain. This is usually referred to as password hash synchronization (PHS). Because Azure AD holds the credential, sign-in keeps working if the on-premises domain controllers are unreachable, and PHS is what enables leaked-credential detection in Azure AD Identity Protection.
For more information, you can see:
How password synchronization works - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#how-password-hash-synchronization-works
Pass-through authentication (PTA). With this option the username and password are validated by the on-premises domain controllers, through lightweight authentication agents that make outbound connections to Azure AD. This is one of the newest authentication methods. A highly available internet connection and more than one authentication agent are strongly recommended, because sign-in to Azure AD fails if no agent can reach a domain controller.
For more information, you can see:
User sign-in with Azure Active Directory Pass-through Authentication - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
Federation with AD FS. AD FS is the Microsoft implementation of an identity federation solution that uses claims-based authentication. When AD FS has been configured, AD FS performs the validation against the on-premises AD DS environment. Azure AD Connect, discussed earlier in this module, can automate much of the AD FS configuration when integrating with Azure.
✔️ If you are interested in the details of these authentication methods, check out the following deep dive video:
Deep-dive: Azure Active Directory Authentication and Single-Sign-On (video) - https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3015?term=Azure%20AD%20Passthrough%20Authentication%20and%20Seamless%20Single%20Sign-on

Video: Pass-through Authentication

Video: Azure AD DS Integration Options

Demonstration: Azure AD Connect

Azure AD Connect
In this demonstration Corey shows how to use the Azure AD Connect Express Settings1. The Express settings are used when you have a single-forest topology and password synchronization2 for authentication. Azure AD Connect Custom settings3 is used when you want more options for the installation. For example, you can specify the sign-on method, directory and forest information, and domains or OUs you do not want to synchronize to Azure AD. Be sure to take a few minutes to review the custom settings so you can really appreciate the power of Azure AD Connect.

Additional Practice - Azure AD Pass-through Authentication

As you have time, work through the Quickstart: Azure Active Directory Pass-through Authentication4. This Quickstart steps through the basics of:
●● Verifying prerequisites. You will need a server running Windows Server 2012 R2 or later to run Azure AD Connect.
●● Enabling Pass-through authentication through Azure AD Connect.
●● Testing that Pass-through authentication works correctly.
●● Ensuring high availability by installing additional authentication agents.
✔️ Important. If you use this feature through a preview version, ensure that you upgrade the preview versions of the Authentication Agents by using the instructions provided in Azure Active Directory Pass-through Authentication: Upgrade preview Authentication Agents5.
For more information, you can see:
User sign-in with Azure Active Directory Pass-through Authentication - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

Azure AD Connect Health

When you integrate your on-premises directories with Azure AD, your users are more productive because there's a common identity to access both cloud and on-premises resources. However, this integration creates the challenge of ensuring that this environment is healthy so that users can reliably access resources both on premises and in the cloud from any device. Azure AD Connect Health helps you:
●● Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.
●● Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and Azure AD.
●● Monitor and gain insights into your on-premises identity infrastructure that is used to access Office 365 or other Azure AD applications.
With Azure AD Connect Health the key data you need is easily accessible. You can view and act on alerts, set up email notifications for critical alerts, and view performance data.

1 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express
2 https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
3 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom
4 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication-quick-start
5 https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication-upgrade-preview-authentication-agents

✔️ Azure AD Connect Health works by installing an agent on each on-premises identity server you want to monitor: the Azure AD Connect sync server, each AD FS server, and each domain controller.
For more information, you can see:
Monitor your on-premises identity infrastructure and synchronization services in the cloud - https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health

Video: Monitoring Synchronization using Azure AD Health

Azure AD Application Proxy

Video: Application Proxy Overview

What is Azure Active Directory Application Proxy

Users today need to be able to remotely access modern web applications hosted on-premises. They expect a single sign-on (SSO) and secure remote access experience. Azure AD Application Proxy is a feature of Azure Active Directory that provides remote access as a service, making it easy to deploy, use, and manage.

Typical apps that are published on-premises include SharePoint sites, Outlook Web Access, or any other LOB web applications your organization has. These on-premises web applications are integrated with Azure AD, the same identity and control platform that is used by O365. End users can access your on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD. You don't need to change the network infrastructure or require VPN to provide this solution for your users. For more information about the benefits of Azure AD Application Proxy, see: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started

Requirements for Application Proxy

As discussed in the previous topic, you do not need to change your existing network infrastructure or require VPN to implement Application Proxy for your on-premises users. However, there are some requirements that should be noted.
●● Application Proxy connector must be installed in the datacenter. One connector is required but two connectors are recommended for greater resiliency.
●● Port 80 and port 443 are used for outbound connectivity. Note that no open inbound ports are required.
●● An Azure subscription with Azure AD.
●● One Global admin role.
●● Windows Server 2012 R2 or higher on the on-premises connector.
For more information about Application Proxy Connectors, see: https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-understand-connectors

How Does Application Proxy Work

To make Application Proxy work, you must configure two components: a connector and an external endpoint. The connector is a lightweight agent that sits on a Windows Server inside your network. The connector facilitates the traffic flow from the Application Proxy service in the cloud to your application on-premises. It only uses outbound connections, so you don't have to open any inbound ports or put anything in the DMZ. The connectors are stateless and pull information from the cloud, as necessary. Your users reach your applications while outside of your network via the external endpoint. They can either go directly to an external URL that you determine, or they can access the application through the MyApps portal. When users go to one of these endpoints, they authenticate in Azure AD and then are routed through the connector to the on-premises application.

Authentication Process
1. The user accesses the application through the Application Proxy service and is directed to the Azure AD sign-in page to authenticate.
2. After a successful sign-in, a token is generated and sent to the client device.
3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the Application Proxy connector.
4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
5. The connector sends the request to the on-premises application.
6. The response is sent through the Application Proxy service and connector to the user.
In the next demonstration, Corey walks through the process of configuring Application Proxy with Azure AD.
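The six steps above, simulated as an added example that is not part of this handbook or Microsoft's code: a constructed HMAC-signed token stands in for the Azure AD token, the issuer and audience values are placeholders, and the connector is a plain function. What it shows is that a malformed, forged, expired or wrong-audience token is turned away by the proxy service and never reaches the on-premises application.

```python
"""Simulation of the Application Proxy pre-authentication flow (steps 1-6 above). Constructed
illustration: an HMAC-signed token stands in for the Azure AD token; the connector is a function."""
import base64, hashlib, hmac, json, time
from typing import Callable, Optional, Tuple

SIGNING_KEY = b"constructed-demo-key"                 # stands in for Azure AD's signing key
APP_AUDIENCE = "https://hrportal.contoso.example/"    # placeholder external URL of the app
TENANT_ISSUER = "https://sts.windows.net/<tenant-id-placeholder>/"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def sign(header: str, body: str) -> str:
    return b64url(hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest())

def issue_token(upn: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Step 2: after sign-in, Azure AD returns a token to the client (constructed here)."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"iss": TENANT_ISSUER, "aud": APP_AUDIENCE,
                              "upn": upn, "exp": int(now + ttl)}).encode())
    return f"{header}.{body}.{sign(header, body)}"

def preauthenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 3: the proxy service validates the token and extracts the UPN; None means rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None                                    # not a compact JWT at all
    header, body, sig = parts
    if not hmac.compare_digest(sign(header, body).encode(), sig.encode()):
        return None                                    # signature mismatch: forged or tampered
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != TENANT_ISSUER or claims.get("aud") != APP_AUDIENCE:
        return None                                    # issued for another tenant or application
    if claims.get("exp", 0) <= now:
        return None                                    # expired
    return claims.get("upn")

def handle_request(token: Optional[str], backend: Callable[[str], str],
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Steps 3-6: only a pre-authenticated request is passed via the connector to the app."""
    upn = preauthenticate(token, now) if token else None
    if upn is None:
        return 302, "redirect to Azure AD sign-in"     # step 1 for unauthenticated users
    return 200, backend(upn)                           # steps 5 and 6

def hr_portal(upn: str) -> str:
    return f"HR portal content for {upn}"              # constructed stand-in for the on-prem app
```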

Demonstration: Azure AD Application Proxy

Additional Practice - Azure AD Application Proxy

If you want to try using Azure AD Application Proxy services for yourself, you will need to do some setup first. To publish an on-premises application that can be accessed over the internet using Application Proxy, there are some prerequisites to be met:
●● A Microsoft Azure AD basic or premium subscription and an Azure AD directory for which you are a global administrator.
●● A server running Windows Server 2012 R2 or 2016, on which you can install the Application Proxy Connector.
In this practice, you will first:
●● Prepare your environment⁶ for Azure AD Application Proxy by opening your firewall for the Connector to make HTTPS (TCP) requests.
●● Install and register a connector⁷. Test the connector.
You're now ready to use Application Proxy services. You will now:
●● Publish an on-premises app for remote access⁸
●● Add a test account⁹ and sign in to the published app
For more information, you can see: How to provide secure remote access to on-premises applications - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started

6 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-enable#open-your-ports
7 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-enable#install-and-register-a-connector
8 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#publish-an-on-premises-app-for-remote-access
9 https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#add-a-test-user


Module 3 Review Questions

AD Join

Your organization plans to allow employees to use their own devices (BYOD) to access company resources. The company plans to require that all BYOD machines are joined to Azure AD. You plan to use AD Join. What are the benefits of AD Join?

Click for suggested answer ↓
●● Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users don't see additional authentication prompts when accessing work resources. The SSO functionality is available even when users are not connected to the domain network.
●● Enterprise compliant roaming of user settings across joined devices. Users don't need to connect to a Microsoft account (for example, Hotmail) to see settings across devices.
●● Access to Windows Store for Business using an Azure AD account. Your users can choose from an inventory of applications pre-selected by the organization.
●● Windows Hello support for secure and convenient access to work resources.
●● Restriction of access to apps from only devices that meet compliance policy.
●● Seamless access to on-premises resources when the device has line of sight to the on-premises domain controller.

Azure AD

Your organization provides employees with a human resources (HR) portal on a web server hosted on-premises. The organization deploys Azure AD and Exchange Online. The HR portal can only be accessed from the internal network. Employees frequently ask to be able to access the portal from home or other remote locations. What Azure AD functionality can be used to give users access to the HR portal? What other functionality will the solution provide?

Click for suggested answer ↓
Azure AD Application Proxy is a feature of Azure Active Directory that provides remote access as a service, making it easy to deploy, use, and manage. Typical apps that are published on-premises include SharePoint sites, Outlook Web Access, or any other LOB web applications your organization has. These on-premises web applications are integrated with Azure AD, the same identity and control platform that is used by O365. End users can access your on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD. You don't need to change the network infrastructure or require VPN to provide this solution for your users.

Azure AD

You deploy Azure AD, Exchange Online, and SharePoint Online to allow employees to work from remote locations. You need to ensure that applications, connectivity, and identity synchronization are working as expected.

What should you use, and how does the agent report status?

Click for suggested answer ↓
Azure AD Connect Health helps you:
●● Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.
●● Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and Azure AD.
●● Monitor and gain insights into your on-premises identity infrastructure that is used to access Office 365 or other Azure AD applications.
With Azure AD Connect, the key data you need is easily accessible. You can view and act on alerts, set up email notifications for critical alerts, and view performance data. Azure AD Connect Health works by installing an agent on each of your on-premises sync servers.


Module 4 Lab - Implement and Manage Hybrid Identities

Lab

Scenario
Adatum Corporation wants to integrate its Active Directory with Azure Active Directory.
Exercise 1: Deploy an Azure VM hosting an Active Directory domain controller.
Exercise 2: Create and configure an Azure Active Directory tenant.
Exercise 3: Synchronize Active Directory forest with an Azure Active Directory tenant.
Estimated Time: 120 minutes
✔️ If you are in a classroom, ask your instructor for the lab guide. If you are in a self-paced online course, check the Course Handouts page.
