Module 2 Describe the concepts & capabilities of Microsoft identity and access

7. The concept of directory services and Active Directory

The concept of directory services is not new. It’s been there for a very long time. In the Microsoft world, Directory Services was introduced with Windows 2000 operating system and since then we got several features and updates with Directory Services. And Microsoft calls Directory services as active directory. But what is a directory server or a directory service? The Directory Services provides a central database or a central repository for storing and managing information. Well, what kind of information is it? Well, it could be almost any kind of information that can be stored as far as identities are concerned. It will also store their access privileges so that the identities can access the resources in the network for example, printers, network devices and any other resource in the network. The information stored in the directory server can be used for authentication and authorization of users so that they can go ahead and access the applications. In today's world, the Directory Services has become a very essential part of the network centric computing infrastructure. Some experts also called a Directory Services as a hierarchical structure that will store information about objects on the network. Again, these objects are identities. And when I say identities, it could be users or even computers. Active Directory is also a directory service. This was developed by Microsoft, like Isai, and it was part of Windows2000 for on premises domain based networks. The best known term for active directory service is active directory domain services. It stores information about the various members of the domain, for example, device users. It verifies the credentials and also defines their access rights. The server running adds is called as the domain controller. The Active Directory domain Services, or Ad DS, in short, give the organizations the ability to manage multiple on premise infrastructure components and systems using a single identity per user. Ad DS, however, does not support natively the mobile devices or SaaS based applications or line of business applications that require modern authentication methods. Today there has been a growth of cloud services, specifically SaaS based applications. You can bring your own devices or use personal devices for work and this has resulted in the need to use modern authentication. And hence Active Directory has also evolved Tobe what's called as Azure Active Directory. Now, Azure Active Directory is the next evolution of identity and access management solutions by providing organizations with an identity as a service also called as. IDAS.Now, these identities, which are there in AzureActive Directory can then be used to accessapplications across cloud as well as on premises.In the upcoming sections, we will focus on AzureActive Directory and how Azure Active Directory is actingas a primary cloud based identity provider.

8. Describe the basic services and identity types – Introduction

When it comes to security, your organization canno longer rely on its network boundaries toallow employees, partners and customers to collaborate securely.Identity has become the new security perimeter.Using an identity provider gives your organization the abilityto manage all the aspects of identity security.In this lesson, we talk about AzureActive Directory, which is the Microsoft cloudbased identity and access management service.So we learn about the benefits of using acloud based identity provider and that includes a lotof features, including single sign on for your users.Azure Active Directory also comes in differentflavors, what they call as additions.So we'll learn about the additions and the identitytypes that are supported by Azure Active Directory andhow can we support external users, the people whodo not belong to our company.So there's a lot to learn here.Let's do this step by step,starting with Azure Active Directory.

9. Describe Azure Active Directory

Azure active directory.Now, what is that?Azure Active Directory is Microsoft cloudbased identity and access management service.And organizations use Azure ad to enable theiremployees, guests and all other devices to signin and access the resources that they need.So when I talk about resources, what are they?Well, they could include internal resources suchas applications on your corporate network.It could be on the instrument and also cloudapps that are developed by your own organization.It could also be external services like OfficeThree, Six Five, the Azure Portal and anykind of SaaS applications used by your organizations.And that means that Azure Active Directory issimplifying the way organizations manage authorization and accessby providing a single identity system for thecloud as well as for Onpremise applications.Azure Active Directory can be synchronized withyour existing onpremise Active Directory as well.Azure Active Directory allows organizations to securelyenable the use of personal devices suchas mobile phones and tablets and enablethat collaboration with business partners and customers.So, what do we have inpackage for the It administrators?Well, Azure ad is used by It admins aswell so that they can control access to corporateapplications and resources based on business requirements.And that means that, let's say It admincan set up multifactor authentication for the users.The admin can also automate the userprovisioning between the Windows Active Directory andalso Cloud apps, including Office 365.Finally, Azure ad provides powerful tools toautomatically protect your user identities and credentialsto meet an organization's access governance requirements.If your organization is using Microsoft 365, Office365, Azure or Dynamics 365 subscriptions, they willbe automatically using Azure Active Directory tenant.The users of these services will betaking advantage of the Azure Active Directoryservices such as Selfservice Password Reset.However, it has to beconfigured by the organization's admins.When it comes to developers, the developersuse Azure Active Directory as a standardfor single sign on for their applications.So when the user signs in with their preexisting credentials,they don't have to type it again and again.Azure Active Directory will be providing APIs forthe developers so that they can build personalizedapplication experiences using existing organization data.As I said earlier, azureActive Directory has several additions.There is a free version.Apps premium P One and the P Two version.Let's go ahead and understand what features eachone of them brings in the next lesson.Thanks for watching so far. I'll see you there.

10. Azure AD Editions

By now you know that Azure Active Directory already has four editions. Today it has got the free version, Office Three six five apps version the P one and P two. So what's included in the free version? The free version allows you to administer users and groups synchronize from on premise Active Directory as well, create some basic reports, and also configure self service password reset for all the cloud users. And that means that with all these features, you can have single sign on across Azure, Microsoft 365, and other popular SaaS based applications. The free version, although, has an upper limit of up to50 objects that can be held in Azure Active Directory. The free edition is included with subscriptions to Office 365, Azure Dynamics365 Intune, and the Power Platform. So if you're using any of these subscriptions, you are covered because now you have Azure Active Directory free version supporting tithe Office 365 apps will let you do everything, including whatever is there in the free version. Plus you can have the self-service password reset for the cloud users and Device Write back as well. Now.What is device? Writeback. Device Writeback is a key feature that will help you synchronize between on premise directories and Azure Active Directory. The Office 365 App Edition is included in several subscriptions of Office 365.And these are e one, e three, five, the f one and f three. Now the other premium ones, which is P one and P top One includes all the features that you got in free and Office 365 editions, plus a lot of security features and good administration features. And these features will include dynamic groups, self-service, group management and Microsoft Identity Manager. Plus, of course, you got the cloud rightback capabilities, which will allow a self service password reset for your on premise users. That means the users no longer have to call your help desk to reset the password. Instead, just go to this URL, aka Mssetupspr, and then they will be redirected toa site where they can change the passwords. What’s there in p top two has a lot of security features included, and that means that you can have the conditional access to your apps and the critical company data two also has privileged identity management, and that means that you can do some management with respect to discovering, restricting and monitoring the administrators and also how they access the resources to provide a wonderful feature called as Just in Time Access. And that means that the administrators will have access to the resources just as much as they want and exactly at the time they want. Now, P one and P two are not currently supported in China. Now, there's another thing called Pays you go feature licenses. You can get other feature licenses separately, such as Azure Active Directory BTC. Now, BTC is something that can help you provide identity and access management solution for your customer facing apps. So that's about Licensing and Azure Active Directory additions. It’s important to know what features is covered in which edition. Well, thanks for watching so far. I'll see in the next lesson where we'll be talking about Azure Active Directory types of identities.

11. Describe the Azure AD identity types

With Azure Active Directory, you manage different types of identities. Well, you got users. It's the users who are employees of the organization. And then there are service principles, managed identities, and devices. Let's go ahead and talk about each one of them and understand the purpose of them. Them. So a user is a representation of something that is managed by Azure Active Directory. So people like your employees and even the guests are represented as users in Azure Active Directory. So if you have several users with the same access needs, you can create a group. So what usually happens in an organization is that when you have several users with the same access needs, the same level of access, you're going to create a group, and then you will be adding those users into the group. Now, that group will be used to assign permissions to all members of the group. So instead of granting permissions individually, you would rather go for a group based approach. There’s a feature called as b to Brother call it as Azure Ad. Business to business. This is a collaboration feature where you can invite external identities and call them as guests. With B to B collaboration, an organization can securely share applications and services with guest users from another organization. Let's talk about the service principles. A service principle is a security identity which is used by applications or services in order to access Azure resources. Now, you can think about its an identity for an application. The service principle is not used like a user account. Instead, it is used by the applications. For an application to delegate its identity and access functions to Azure Active Directory, the application must first be registered with Azure Active Directory. The process of registering the application creates a globally unique app object which is stored in your home tenant or the directory. A service principle is created in each tenant where the application is used and references the globally unique app object. The service principle defines what the application can do in the tenant, such as who can have access to the application and what resources the app can access. So remember, the service principal aim is not like a user account, but instead more used by the applications to access the specific resources. In Azure, the next one is managed identity. A managed identity is an identity in Azure Active Directory that is automatically managed by Azure. So that means we as admins or was users do not control that identity. The managed identities are typically used to manage the credentials. For authenticating a cloud application within Azure service, there are several benefits to use managed entities. And this could be, let's say, the application developer can authenticate to services that support managed identities. For Azure Resource, any Azure service that supports Azure Active Directory authentication can use managed identity to authenticate to another Azure service. So let's say there are two applications that need total to each other and in order to talk and communicate, they need to use Azure Active Directory. But then we cannot have user or Andaman typing in the credentials all the time. So that's where you'll use managed identity in order to have that communication done. Managed identities can be used without any additional cost. So you don't have to pay for using managed identities. Now, there are two types of managed guarantees that we must be aware of. There is a system assigned and a user assigned. Let’s talk about the system assigned. Now, some Azure Services allows you to enable managed identity directly on a service instance. So when you enable a system assigned managed identity, an identity is created in Azure Active Directory that is tied to the life cycle of that service instance. When that resource is deleted, what happens then? Azure automatically deletes the identity for you. So that means you do not have to manage it.And that's where the whole termmanaged identity comes into picture.So by design only the Azure Resource can usethis identity to request tokens from Azure Active Directory.What's user assigned? Now, you may also create a managed entity.As a standalone Azure Resource, a userassigned manage is assigned to one ormore instances of an Azure service.You can create a user assigned managed entity and assignit to one or more instances of Azure service.And in this case, the identity is managedseparately from the resources that use it.It's important to understand the differences between systemassigned and user assigned managed entities, and I'llshare a table that summarises the differences.We also need to talk about a device based entity.A device is a piece of hardware and the hardware couldbe a mobile device, a laptop server or a printer.The device identities can be set up in differentways in Azure Active Directory and that determines theproperty, such as who owns the device.Managed Devices in Azure Active Directory allowsan organisation to protect its assets byusing tools such as Microsoft Intune toensure standards for security and compliance.Azure Active Directory also enables single signon to these devices, applications and servicesfrom anywhere through these devices.There are multiple options for gettingdevices into Azure Active Directory.So you can use it as Azuread registered devices or Azure Active Directoryjoined or hybrid Azure ad joined devices.The first case, which is Azure adregistered device, can be a Windows TenmacOS or devices with iOS or Android.Devices that are Azure ActiveDirectory registered are typically personallyowned rather than the organization.They are signed in with a personalMicrosoft account or another local account.Azure ad join devices exist only in the cloud.Azure ad join devices are owned bythe organisation and signed within organizations.Azure ad account users sign in to theirdevices with their Azure ad credentials or syncActive Directory work or school accounts.You can configure Azure ad join devices withall Windows Ten devices except Windows Ten.Home edition is not accepted.The hybrid joined devices.These can be Windows Seven, Eight One,Windows Ten or Windows server based operatingsystems like 2008 and above.And these devices are owned by theorganizations and are signed in with ActiveDirectory domain services belonging to that organization.So they exist in the cloud and on premises as well.And that's where the term hybrid came in.So how do you manage all of these devices? Well, you can manage it with tools like Microsoft Intune, which is a mobile device management solution, so that you can manage all these devices with a single interface.

ExamSnap's Microsoft SC-900 Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Microsoft SC-900 Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.