AZ-104 Microsoft Azure Administrator Associate – Manage Azure AD objects

  1. Manage Users and Groups

So in this video, we’re going to talk about that section of the requirements that says to manage Azure AD objects, specifically users, groups and devices. Now we’re in this Azure Active Directory account; I’m still running at the Premium P2 level on that trial. On the left, we have different things that we can manage, including users, groups and devices. So let’s start off by creating a group. We’ve been working with the Accounting group up till now, but let’s start with a new group. The group type is Security, and let’s call it Developers. Of course, you can optionally give this a description, so this is the IT department. And how do people join this group? Well, we’re going to have assigned group members for this particular group.

Right now there are none, and we’re not going to add any yet. So creating a group is as simple as giving it a name, choosing the group type, Security, and the membership type, Assigned. Okay, we go back up to the Active Directory and create users. It’s just as simple, really. So we go up to here: we have new users, and we also have guest users, which are external users. We’ll talk about that in a minute. But if I go into the new user section, I’m going to call this user Joe Green, and the user ID has to belong to a domain name that is associated with this Active Directory. As I said before, if I wanted to make him joegreen@gmail.com, that will get rejected because gmail.com is not a verified domain, and it never will be because it belongs to Google.

So this will have to be a domain name associated with this Active Directory. For this particular one, which I’ve upgraded to P2, the only domain name is scottsaccount.onmicrosoft.com. I did add a custom domain, but that custom domain is associated with a different Active Directory. Now, at this point, we can associate Joe Green with the Developers group, and now we can start to make decisions when we’re doing role-based access control: developers have access to these resources, et cetera. It’s assigned a password to him; I can click Show password and see it. Joe would then have to change his password, but I’m not going to do that at the moment. So now we have Joe Green and he is a member.

I’ve created him and added him manually. Go back to the groups, we go into Developers. We can see now that there is one member, and if we go into the membership, that Joe Green is a member. So we’ve very easily added users and added groups. Now let’s go back to the users. We talked about this concept of the guest user. So within Active Directory, we have this directory that is associated with one or more domain names. In our case, remember, it was scottstestaccount.onmicrosoft.com. But what if we did want to invite Joe Green, a real person, and it must be through his Gmail account? Well, that would be a guest user. Okay, so this is what is called B2B.

Basically we can send him an invitation and he can authenticate and log in to our directory, and to any applications that use it, using that account. He’s going to be invited by email to do that, and that person gets an email such as this. So you may want to put a little effort into formatting this, but basically: you’ve been invited to access applications in this organization by me, click to get started. And then this will take you through a registration process, essentially, to join that Active Directory account. Now, when we were creating our groups earlier, remember we had the choice of creating several types of groups, one of them being assigned users, which we did for Developers. And another type is called a dynamic group based on user.

So, a dynamic group is basically a group where you can set a rule that will automatically add people to that group based on the rule. So for instance, I want to create a dynamic group called Scotts and it’s going to contain anyone whose name begins with Scott. And so I’m going to go down here to display name, choose “starts with”, and enter Scott. So anyone whose display name starts with Scott will then be added dynamically to the Scotts group. Add query. And then I’m going to click Create. And so it’s going to create this dynamic group. And you can do that not only on the attributes of a user, but also on the attributes of their devices, which we haven’t really talked about yet.

You can see here I created a group for Joes, and it’s a dynamic group with the same rules as the Scotts group. And so anyone whose display name starts with the letters Joe got added dynamically to the Joes group. And if I was to create another user and call him Joe, he would also be part of the Joes group. So now we have control. Now, this is obviously a simple example based on their name. Imagine we have a number of other properties that we know about users, especially if you sync this with your on-premises Active Directory. Then you can create dynamic groups based on their job title, based on their role within the organization, et cetera.
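The same objects the walkthrough creates in the portal, scripted with the Microsoft Graph PowerShell SDK (the Microsoft.Graph module). This is an added example, not code from the video or the course; the tenant domain scottsaccount.onmicrosoft.com, the group and user names and the generated password are constructed placeholders, and the `Connect-MgGraph` scopes assume you sign in as an administrator who is allowed to create users and groups. It also makes explicit the verified-domain check the portal performs when it rejects a gmail.com user ID, and it creates the Scotts dynamic group with the same “display name starts with Scott” rule.

```powershell
# Added example (not from the video): users, an assigned group and a dynamic group
# via Microsoft Graph PowerShell. Domain, names and password are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Organization.Read.All"

# 1. A user principal name must use a domain verified on this tenant
#    (a gmail.com UPN is rejected for exactly this reason).
$verified = (Get-MgOrganization).VerifiedDomains.Name
$tenantDomain = "scottsaccount.onmicrosoft.com"   # assumed; pick one of $verified
if ($verified -notcontains $tenantDomain) {
    throw "Domain '$tenantDomain' is not verified on this tenant; verified: $($verified -join ', ')"
}

# 2. Assigned security group "Developers" with the description used in the video.
$developers = New-MgGroup -DisplayName "Developers" -Description "IT department" `
    -MailEnabled:$false -MailNickname "developers" -SecurityEnabled

# 3. Member user with a random temporary password that must be changed at first sign-in
#    (equivalent of "Show password" plus the forced change the video mentions).
$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
$joe = New-MgUser -DisplayName "Joe Green" -MailNickname "joegreen" -AccountEnabled `
    -UserPrincipalName "joe.green@$tenantDomain" `
    -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# 4. Add Joe to the assigned group.
New-MgGroupMember -GroupId $developers.Id -DirectoryObjectId $joe.Id

# 5. Dynamic group "Scotts": the directory evaluates the rule, nobody adds members by hand.
$scotts = New-MgGroup -DisplayName "Scotts" -MailEnabled:$false -MailNickname "scotts" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.displayName -startsWith "Scott")' `
    -MembershipRuleProcessingState "On"

# Verify: Joe is in Developers. Dynamic membership of Scotts shows up once the rule has been processed.
Get-MgGroupMember -GroupId $developers.Id | ForEach-Object { $_.AdditionalProperties.displayName }
Get-MgGroupMember -GroupId $scotts.Id | ForEach-Object { $_.AdditionalProperties.displayName }
```

Dynamic membership is computed asynchronously, so the second `Get-MgGroupMember` can come back empty for a short while after the group is created; that is expected and not a sign the rule is wrong.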

  2. Self Service Password Reset

So next up, we’re going to talk about something called self-service password reset. Go under the Password reset setting on your Active Directory account. You can see this option to enable self-service password reset. This means that users of your Active Directory are free to change their passwords using Azure Active Directory, and you as an administrator don’t need to be involved in order to reset their password. So this seems like a smart thing to enable. You do require a premium account in order to have access to this. Now, you’ve got three options here: turn it off, which is the default; turn it on for all users; or select a subset, which in this case would be a group. So you go into Selected and select a group.

I’ve enabled this for the Accounting group, which is a group in my Active Directory, and click Save. So now, basically, anyone who’s a member of the Accounting group is going to be allowed to reset their Active Directory password without support intervention. The key settings here are under Authentication methods, to start. So the first question is the number of methods required to reset. The next time the user signs in, they’re going to have to register for this self-service password reset, and that includes providing an email address and phone number, and maybe security questions they can fill out. So how many methods are required in order for them to successfully reset? The default here is one, and that seems to make sense.

Depending on the amount of security you want, you could then force them to do both email and SMS codes as a double method in order to reset. That’s a bit excessive, but it’s appropriate for some people, I guess. Now you have these six options for users to be able to authenticate. They can use an authenticator app, and that’s a randomly generated code on their phone that they have to enter; we see that in a lot of places. Sending the password reset code by email, an SMS message to their phone, a call to their office phone, or answering a number of security questions. So by default, email and phone are the two options. I’m going to leave that unchanged.

When we go to the Registration section, this is going to say, do we require users to register? So the next time they sign in, they must provide a mobile phone and their email address if they don’t have them already. This stuff is required in order for us to enable self-service password reset. And how often are they going to be asked to reconfirm their phone number and their email address? In this case it’s 100 days. So every six months they’re going to be asked, is this still correct? So we’ve set up self-service password reset. Let’s see if we can test it. So here I am being asked to log into my account. I’m going to pick that John Doe user, which happened to be john@scottstestaccount.onmicrosoft.com.

I have to enter the password. So we can see here that Microsoft is now prompting us to do this self-service password reset registration. So we have to provide a phone and an email in order for us to move past this. And we’ve actually got a... I’m going to zoom in a little bit here. We’ve got a timer here for providing the phone and the email. And so this is going to basically allow our users to recover their password, reset their password, without having to go through any kind of support, which is obviously a great benefit.
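The video tests registration for one user by signing in as them. As an added example (mine, not the course’s), the script below audits the whole group scoped to self-service password reset: for each member of Accounting it reports whether SSPR applies to them, whether they have completed registration, and which methods they registered, using the Microsoft Graph registration-details report through `Get-MgReportAuthenticationMethodUserRegistrationDetail`. The group name matches the video; the permission scopes passed to `Connect-MgGraph` are assumed to be what your tenant requires for that report.

```powershell
# Added example (not from the video): which members of the SSPR-scoped group
# have actually registered, and which ones still need a nudge.
Connect-MgGraph -Scopes "GroupMember.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$groupName = "Accounting"   # the group SSPR was enabled for in the video
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

# Direct members that are users (nested groups and service principals have no UPN).
$memberUpns = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName } |
    Where-Object { $_ }

# One report row per user, indexed by UPN for cheap lookup.
$byUpn = @{}
foreach ($d in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) {
    $byUpn[$d.UserPrincipalName] = $d
}

$report = foreach ($upn in $memberUpns) {
    $d = $byUpn[$upn]
    [pscustomobject]@{
        User           = $upn
        SsprEnabled    = $d.IsSsprEnabled        # in scope of the SSPR policy
        SsprRegistered = $d.IsSsprRegistered     # finished the registration prompt
        Methods        = ($d.MethodsRegistered -join ", ")
        NeedsAttention = [bool]($d.IsSsprEnabled -and -not $d.IsSsprRegistered)
    }
}

$report | Format-Table -AutoSize
# Hand this list to the help desk: in scope but not yet registered.
$report | Where-Object NeedsAttention | Export-Csv -Path sspr-unregistered.csv -NoTypeInformation
```

Running this periodically is the quickest way to confirm that the "require users to register" setting is actually taking effect, rather than only checking one test account.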

  3. Manage Devices

So we’ve talked about users and groups, and those are pretty straightforward concepts. Users relate to individual people, and groups are their role or some other way of organizing those people. But what about devices? Go into the Devices menu and you’ll see that I don’t have any devices within this Active Directory account, and there’s no way to add them here: there’s no “+ Device” menu item. Devices have to be registered to your Active Directory, but that’s done externally from the portal. Now, the devices could be anything; these are electronic resources that you’re adding to your Azure Active Directory. And from that point, you’re able to give them permissions to access applications and other resources.

By going to the Device settings menu here, we can see at the top level that we can allow users to join their devices to our Active Directory. So these devices are typically their own: their own phones, their own tablets. Do we want them to be able to register those devices to use our applications? Do we require multi-factor authentication? And do we have a maximum number of devices per user? So in this case, I set it to ten. The default was 50. You can set any number in that range for how many devices a single user is allowed to have registered with us. Okay, so these are the settings. Leave them as they are for now.

But how would I register? Let’s say I did want to volunteer a device to register with this. On Windows 10, you type Connect in the Start menu and you can see “Connect to work or school” as a menu item. This pops up the Settings box that allows me to join this device, my Windows 10 computer from home, to this Azure Active Directory. Okay, so: get access to resources like email, apps and the network. Connecting means your work or school may control some things on this device, such as what settings you can change, so you can basically have group policies, et cetera. So to demonstrate this, I click Connect. Now this is going to pop up a box, and this is going to be a web page, a Microsoft Azure page, that’s going to ask us to sign in. Now, I’m going to let that start up for a second. I’m going to go into the users here.

Now I’m going to need to use a registered user. Let me pick Joe Green here; I’m just too lazy to type his full email address. So it’s asking me to enter the email address for a work or school account. So I’m going to use Joe Green’s work account here. Now this is associated with my Azure Active Directory, this domain associated with it. So when I enter my password here, this is going to join this device to my Azure Active Directory. All right, I was able to log in as Joe Green here. Now my Windows computer will tell me that I’m part of this work or school account. When I go back into my test account, let’s start with Joe Green here. Go into the users; I can see that he’s here. And now I go into Devices, and my Windows computer shows up as an Azure AD registered device for Joe Green.

If I go to the top level under Devices, now my computer shows up here as well. Now I can disable this particular computer, which will basically disconnect my Windows computer from this, or I can obviously manage the registration, et cetera. Okay, so we’ve seen here that we’re able to create users and groups. Users are able to register their devices because we allow it under Device settings. We can obviously turn off the device registration options, or restrict to certain groups the ability to join devices. And this allows us to control those devices. Those devices become part of our directory here and we can give them certain permissions; single sign-on applications can take advantage of that, et cetera.
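The device view the video shows in the portal, as an added example in Microsoft Graph PowerShell (not the course’s code): it inventories every device object with its trust type and registered owners, so you can see at a glance which ones came in through the Windows “Connect to work or school” path, and then disables one device the way the portal’s Disable button does. The device name JOES-HOME-PC and the user Joe Green are constructed placeholders, and the scopes are assumed to be sufficient for reading and updating devices in your tenant.

```powershell
# Added example (not from the video): device inventory with owners, then disable one device.
Connect-MgGraph -Scopes "Device.ReadWrite.All", "Directory.Read.All"

# TrustType: "Workplace" = Azure AD registered (the "Connect to work or school" path),
# "AzureAd" = Azure AD joined, "ServerAd" = hybrid Azure AD joined.
$devices = Get-MgDevice -All -Property Id,DisplayName,OperatingSystem,TrustType,AccountEnabled,ApproximateLastSignInDateTime

$inventory = foreach ($d in $devices) {
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $d.Id |
        ForEach-Object { $_.AdditionalProperties.userPrincipalName }
    [pscustomobject]@{
        Device     = $d.DisplayName
        OS         = $d.OperatingSystem
        TrustType  = $d.TrustType
        Enabled    = $d.AccountEnabled
        LastSignIn = $d.ApproximateLastSignInDateTime
        Owners     = ($owners -join ", ")
    }
}
$inventory | Sort-Object LastSignIn | Format-Table -AutoSize

# Disable a single device: it stays in the directory but can no longer sign in
# (same effect as "Disable" in the portal). Name is a constructed placeholder.
$target = $devices | Where-Object { $_.DisplayName -eq "JOES-HOME-PC" }
if ($target) {
    Update-MgDevice -DeviceId $target.Id -AccountEnabled:$false
    "Disabled device $($target.DisplayName) ($($target.Id))"
}

# Per-user view, the equivalent of opening Joe Green and clicking Devices.
$joe = Get-MgUser -Filter "displayName eq 'Joe Green'" | Select-Object -First 1
Get-MgUserRegisteredDevice -UserId $joe.Id | ForEach-Object { $_.AdditionalProperties.displayName }
```

Sorting by `ApproximateLastSignInDateTime` puts stale registrations at the top, which is usually where a device-quota clean-up starts.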

  4. *NEW* Bulk Operations

Now, Azure Active Directory has been changing over the years. Even this dashboard looks completely different from what it used to. One of the changes that you need to be aware of for this exam is that you can now perform things in bulk: you can perform actions in bulk across the directory. So we’ve always had this New user and Guest user here on the Users screen. But now there’s this Bulk activities menu. And if I open it, I can see four things that I can do in bulk: I can create new users, I can invite guest users, I can delete users, or I can download the users into a bulk file. So if I click Download, it’s going to generate a name for it. I can click Start, and this will download to my default download directory within my browser.

After a minute or so, I can download the file; it downloads to my Downloads folder. It’s a CSV file, but I can open it in Excel, and I can see my Active Directory users here. Now, that’s useful. But the really useful thing is, let’s say you’ve got a CSV file that contains 100 external people that you want as guest users. You can download the template for that, then modify it, adding the particular emails and so on within this template, upload the file back into Azure, and it will bulk-invite those users that are in that CSV file. So being able to work in Azure AD in bulk is a relatively new feature, and definitely useful.
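The two bulk operations the video demonstrates, the user download and the guest invite from a CSV, as an added example in Microsoft Graph PowerShell rather than the portal’s upload form (mine, not the course’s code). The CSV layout with `Email,DisplayName` columns is my own constructed format, not the portal’s template, and the sample rows, including the deliberately malformed one, are constructed. It validates each address and skips people who are already guests before calling `New-MgInvitation`, which is the check you want before firing off a hundred invitation emails.

```powershell
# Added example (not from the video): bulk export of users and bulk guest invitation
# from a CSV. Column layout and sample rows are constructed for this example.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# Equivalent of Bulk operations > Download users.
Get-MgUser -All -Property DisplayName,UserPrincipalName,UserType,AccountEnabled |
    Select-Object DisplayName, UserPrincipalName, UserType, AccountEnabled |
    Export-Csv -Path users-export.csv -NoTypeInformation

# Constructed input file: one valid Gmail address (Joe from the video), one other
# external address and one bad row to show the validation path.
@"
Email,DisplayName
joe.green@gmail.com,Joe Green
jane.doe@example.com,Jane Doe
not-an-address,Bad Row
"@ | Set-Content -Path guests.csv

# Addresses that are already guests, so re-running the script does not re-invite them.
$existingGuests = (Get-MgUser -All -Filter "userType eq 'Guest'" -Property Mail).Mail

$results = foreach ($row in Import-Csv -Path guests.csv) {
    $email = $row.Email.Trim()
    if ($email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        [pscustomobject]@{ Email = $email; Status = "skipped: invalid address"; InvitedUserId = $null }
        continue
    }
    if ($existingGuests -contains $email) {
        [pscustomobject]@{ Email = $email; Status = "skipped: already a guest"; InvitedUserId = $null }
        continue
    }
    # Sends the invitation email the video shows; the redirect URL is where the
    # guest lands after redeeming it (assumed value, adjust for your tenant).
    $inv = New-MgInvitation -InvitedUserEmailAddress $email -InvitedUserDisplayName $row.DisplayName `
        -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage
    [pscustomobject]@{ Email = $email; Status = $inv.Status; InvitedUserId = $inv.InvitedUser.Id }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path invite-results.csv -NoTypeInformation
```

Keeping the results file gives you the same audit trail the portal’s bulk operation status page provides, plus the rows that were skipped and why.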
