Azure Active Directory (AD, AAD) Tutorial | Identity and Access Management Service

Reddit Comments

I've spent a lot of time figuring out the agenda for this video. Azure AD is a very broad topic and might interest people who work in IT and non-IT roles. I tried my best to keep it brief and explain what the service is all about and how to start playing around with it.

In future I plan to do more Azure AD videos and this will be used as a primer.

Hope you will enjoy it.

πŸ‘οΈŽ︎ 10 πŸ‘€οΈŽ︎ u/AdamMarczakIO πŸ“…οΈŽ︎ Jun 23 2020 πŸ—«︎ replies

Good tutorial, thank you.

πŸ‘οΈŽ︎ 5 πŸ‘€οΈŽ︎ u/tb200 πŸ“…οΈŽ︎ Jun 23 2020 πŸ—«︎ replies

Thanks for all the videos dude!

πŸ‘οΈŽ︎ 5 πŸ‘€οΈŽ︎ u/karolnovak πŸ“…οΈŽ︎ Jun 23 2020 πŸ—«︎ replies

Informative. Thanks for the tutorial

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/OwnFilm πŸ“…οΈŽ︎ Jun 23 2020 πŸ—«︎ replies

Good video, thanks for sharing! I especially appreciated the end where you touched on AAD Connect and highlighted some of the features you get and which licenses you need to get them. M365 Business Premium now comes with P1 so I've been researching it a lot lately.

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/DesertDS πŸ“…οΈŽ︎ Jun 24 2020 πŸ—«︎ replies

How close are we to not needing on-premises domain controller(s)? Particularly if a business (more likely an SMB) doesn't run any legacy applications that require domain credentials.

I am aware of jumpcloud for the record.

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/scapa_flow- πŸ“…οΈŽ︎ Jun 24 2020 πŸ—«︎ replies

Question: We have a hybrid configuration and only replicate from on-prem to cloud. What are the advantages and disadvantages of replicating both ways? When we started using AAD it was not recommended to replicate from cloud to on-prem.

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/Idontlikethishere πŸ“…οΈŽ︎ Jun 24 2020 πŸ—«︎ replies

Today I started digging and researching AAD in the MS docs, and here you are with a video about it, thank you :D

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/renut224 πŸ“…οΈŽ︎ Jun 24 2020 πŸ—«︎ replies
Captions
Hey guys, this is Adam. Today I want to talk about Azure Active Directory, because it doesn't matter what kind of role you are playing in your organization, you should at least cover the basics and understand the basics of Azure Active Directory. Today, an introduction into this great service. Stay tuned. [Music]

Azure Active Directory is your cloud-based identity provider, but also an access management service. If you use any of the services like Skype, OneDrive or Outlook, you already are a customer and a user of Azure Active Directory, because it is a centralized service for all of those services; so when you log in to your Live ID you are in fact logging in to Azure AD to access any of those services. If you work in an organization and that organization has Office 365 and Microsoft 365 services like Teams, Power BI, SharePoint, OneDrive for Business or any other service from that package, you again use Azure Active Directory to log in to any of those services. And if you use Azure, well, the same applies: you use Azure Active Directory to access your subscriptions, resource groups and the services that you purchased. It is again a centralized service for your identity and access management. And if you are a web developer, you can use Azure Active Directory to secure the access to your custom web services and applications, so that you have a unified experience and single sign-on for all your users in your organization.

Before we move to what an identity provider is, let's talk about what identity itself is. An identity is a thing that gets authenticated, and authentication is, simply said, a process of verification of the identity in the request. So if you are sending a request as Adam, a service needs to verify whether this is a proper request actually sent by Adam. The identity itself can be a user with a username and password, but it also can be an application or a service, which will authenticate using secret keys and certificates.

Now that we know what identity is, let's talk about the classic approach of building applications without the use of an identity provider. First of all, you usually have a client, and that client will connect to the server. In order to authenticate to that server, a set of credentials needs to be sent; if that's a user, this might be a username and password. The server at that point needs to verify whether that user and the credentials provided are correct. In the classic approach this usually was done through some sort of user database, where the application was storing all the users and all the credentials in its own database. Once the verification was done, the server was returning the result back to the client. This approach was very commonly used about ten years ago, when desktop and web applications were almost always containing their own user databases, because identity providers didn't exist at that time.

So what kind of challenges does this architecture pose? First of all, if you need to implement any additional security features, it takes a lot of time and a lot of money to do that; even implementing the simple user database and keeping user credentials there is a very time-consuming task. Second of all, you introduce a new security risk for your application because of that user database: you need to maintain user information there, usually some personal data, and their credentials. I think most of us heard at least once in our lifetime that some application lost its users and their credentials due to a security leak or hacking. This is because they were maintaining their own user databases and they did not secure them properly. If you can avoid this, well, why not? One additional challenge that you have by using this classic approach is having a client connect to multiple services, as that client will need to remember multiple usernames and multiple passwords. If it's a client application, you will need to store and maintain all of those. Again, if your team is managing those virtual machines and SQL databases, they will also need to provision multiple users and maintain all of them, and of course this ends up being more work for your clients but also for your operations teams.

Now that we have covered the classic approach and the challenges, let's talk about the identity provider and the benefits. In the same scenario of the client connecting to the server, we introduce Azure AD as the identity provider for the client and for the server, in which case the client, instead of sending its credentials to the server, sends them to Azure AD. In exchange, from Azure AD it retrieves a token. A token is a small piece of encoded information about the client and its identity. This token is then exchanged with the server in order to perform the request, so instead of credentials you send a token, and the server, based on a trust relationship with Azure AD, connects to it, retrieves some basic information and performs token verification. Once the token is verified, that the client is the one who it claims to be, a result is returned back to the client. In most cases this is done automatically through SDKs, so if you're building web applications or using out-of-the-box features in Azure, this is super easy to set up. While this looks a bit more complicated on a diagram, it is so much easier to set this up versus building your own identity solution for your application. And one additional benefit is that that user database is no longer here, because all the identities, all the users, are stored within Azure AD.

So the benefits that you get here are, first of all, let's go back to our scenario: if you have a client connecting to multiple services, it connects to Azure AD instead and retrieves a token, and then the token is exchanged with all of those services, so that those services just need to configure the trust relationship between their services and Azure AD, and then they don't really have to maintain the users at all. They will only need to maintain the authorization part, whether a user is allowed to use those services; the account itself is outsourced to Azure AD. And the same goes for the client: it will only need to remember a single set of credentials and use them with Azure AD. Besides this, the obvious benefit here is centralized user management, so for your IT teams, they just go to Azure AD and manage all their clients and their applications there. Second of all, we have top-notch security, as Microsoft has been perfecting Azure AD for many, many years now: state-of-the-art security that you just get to use, pretty much for free. Lastly, Azure AD has a lot of additional security features that you get to use by using Azure AD, like MFA, very often used these days. MFA is a process where, besides sending credentials like username and password, you also need to send additional information, like a text message from your mobile phone, or click on the notification in the mobile application. So to summarize, an identity provider is a centralized service that allows you to implement identity management for your applications in a single place and reuse it across multiple applications and services.

Now that we know what it is, let's talk about who should learn about Azure AD. First of all, IT administrators, because they are the ones who will be configuring the multi-factor authentication and synchronizing your users with your on-premises, because they are the ones who will need to protect your users and your organizational assets, and Azure AD has a lot of features to help with that. Second of all, application developers should learn about Azure AD, because it allows you to provide that identity management service for the web applications and services that you create. If users are already signed in to Azure AD, you can take advantage of single sign-on, so they will not have to retype their credentials whenever using your application, which is super, super nice when it comes to user experience in your applications. Additionally, Azure AD allows you to create a personalized experience with all the additional services, like Microsoft Graph, that it provides. And if you're integrating with other services, by either exposing your API to those services or connecting to other services, you can use Azure AD as your identity and access management service for those, which is again a very nice benefit. And lastly, if you are a subscriber of Microsoft 365, Office 365 or just Dynamics CRM, you can already take advantage of Azure AD, because automatically, whenever you create that subscription, an Azure AD is created behind the scenes for you. You can manage all your integrated apps in Azure AD.

Let me now switch to the Azure portal to quickly show you how to find information about Azure AD. Notice that in the Azure portal you don't really have to have any other license in order to take advantage of and configure Azure AD. To find Azure AD you can do one of multiple things. First of all, you can use the search on the top: by typing "Azure Active", Azure Active Directory will come up on the list of the services. Just press it and you're ready to use Azure Active Directory. This is probably the fastest way to access Azure AD. On the left-hand side you'll see a lot of blades for configuration and management of your identities. For instance, the most common one is Users, where you can manage and create users for your organization. As you see, you have two options here: you can either create a new user or add a guest user. A guest user can be either a standalone account outside of your organization, or it can be an external Active Directory account from another organization. You can also create a new user by clicking on the New user button and providing, first of all, a username. I'm gonna call it Tom Doe, give him a name, Tom Doe; this is the display name that will be seen in the Azure portal. I'll give it a first name and last name. You can use auto-generate password or specify your own password. I tend to choose the second option so I can generate a strong password even for the first login for my users, for better security. And then you can already assign it, during the creation, to some sort of groups and roles. For now let's just create an empty user, so let's hit Create, and that's pretty much it.

Now we can use that user to sign in. The best way to do it is click on Tom Doe, grab the full username that you will need to use during the sign-in process, right-click on the right-hand side, or open a new incognito window, and select "Sign in with a different account". In here, choose "Another account" if you already have a running session and paste in the new user account; it is the full username that you specified, with the domain name of your Azure AD tenant. Select Next and now provide the password. The password in this case is the very strong password that I chose, and notice that during the first login you need to change that password, so even though I provided the password, I'm still requiring my users to provide a new strong password. Select Sign in, and that's pretty much it. You might have this pop-up on the first sign-in to configure multi-factor authentication if your organization is requiring it; for the demo purposes you can skip it for now, although you will only be able to skip this for 14 days since the first login. Let's hit "Skip for now" and open up the Azure portal. This is a completely different session, the session of Tom, and as you see, Tom in the Azure portal still sees Azure AD, but if he goes to resource groups, for instance, he sees nothing, as currently he is part of my Azure AD but he has no resource groups and no privileges assigned in Azure. He can still use the Azure portal and still manage Active Directory if he has the proper roles, but he doesn't have to have any Azure subscriptions. So if Tom wants to learn a little bit more about Azure AD at this moment, he can't, because he is not the global admin here, and I as an administrator might not be able to grant him proper privileges to perform his tests. So what Tom can do is, if you go on the left-hand side, here is another option of accessing Azure AD, through this left-hand side blade called Azure Active Directory. Simply click on it to access Azure AD, and once in there you will quickly notice that your role specifies that Tom is currently just a user within this Active Directory, so he cannot perform all the actions if he wants to learn. In some organizations this is very restrictive, so you might not even be able to review the Azure AD blade.

So if Tom wants to learn, what he can do right now is create his own free Active Directory. Even though he's part of my tenant, he can create his own tenant, his own organization, to play around with it. To do that, go on the left-hand side, on the top blade select "Create a resource", type "Azure Active Directory" and select it. Notice that it's a standardized template for creating a new Azure Active Directory and it doesn't cost anything, so you can freely create it. Select Create and give an organization name; in this case it will be "Tom org", and I will choose the same domain name. This will create tomorg.onmicrosoft.com. It's free, so I'm ready to set it up. And lastly you need to select a region or country. Notice that in this case it's not an Azure region, it's not a data center region; it's the region where your tenant will be residing, usually depending on the country where your organization is. In my case this will be Poland. Hit Create, and in about two minutes' time the organization is now created. The easiest way to pick up that it's created is to re-log using Tom's account. To do that, select the icon on the top right-hand corner, and if you click "Switch directory" you might not yet see your Azure Active Directory on the list, so you need to re-sign in. To do it, click "Sign in with a different account" and simply select the already existing Tom Doe session. When you do it, you will log back in to the Azure portal and your directory should now be visible. Once I log in to this directory, I will still get the pop-up that I don't have any subscriptions, but I don't need to have any. I need to simply click on my username, select "Switch directory", and now the home organization is visible. When I click on it, I now have my own Azure AD. It went directly to the Users blade, because this is the blade that I had open, but if you select Azure Active Directory on the services list, now you are a global administrator of your own Azure AD tenant, so you can play around and do pretty much everything that you want and test everything that you want. You might even want to move your subscriptions, your private subscriptions, to your own tenant, so you can test pretty much everything that you would need to. This is ideal for testing anything that requires higher privileges in Azure AD.

Once you're done with the tenant, simply select "Delete tenant" and review everything before deletion. Notice that you might get this pop-up that you cannot delete Azure subscriptions, and this is not because you don't have privileges to do so; it's because, as a global admin, there might be some subscriptions underneath. To resolve this, select "Get permission to delete Azure resources", scroll down, select "Access management for Azure resources", and hit Save. That means that if there were any subscriptions under this tenant, Tom would be able to see them. Now when he clicks on "Delete directory" and hits Refresh, it now sees that there are no subscriptions, therefore deletion is okay, and he can click Delete. This might take a moment for the deletion to be done, but that's pretty much it. This is how easily you can create new tenants and test some stuff. This is pretty great if you want to test some premium licensing. But now that we're done with it, we can switch back to the directory of my organization: simply click on my icon, switch the directory, and select your own directory from the list. We're back to the users management blade, and that's pretty much it for this demo.

I will now switch to my personal account to show you other options that you have within Azure AD. As I said, the quickest way to access this is through recent resources, which is another option of accessing Azure Active Directory. Select it, and here, besides user management, you also have group management, so you can create user groups within your directory, and it's as simple as pressing "New group", providing a name, selecting whether this is the security group type or the Office 365 group type, giving it a name, it will be "demo group". You can provide a group description if you want, and select the owners and also the members. You can do it at this time or just click Create, and once the group is created you can then select that group and manage the members of that group by selecting "Add members". You can then add maybe an Amy user, and if you want you can add more users like Tom, and that's pretty much it. When it comes to the directory, you have a lot of additional panels, like managing technical accounts with enterprise applications and application registrations. You have Azure AD Connect if you want to synchronize your on-premises. You have password reset features, security features, user settings (the default settings for all the users within your organization), here are some monitoring capabilities, and more and more options. Besides what you see in this panel, Azure AD has a lot of additional complementary services and panels to configure it, and you will find all of them by typing "Azure AD" in the panel; notice how many additional options there are: AD Connect Health, B2C, authentication methods, conditional access, etc. There's plenty and plenty of options around Azure AD. It's so big that you could pretty much become an expert on Azure AD alone. If you're working with governance teams, this is definitely a right path to choose, and learn about all of those options separately.

Going back to our presentation. So all of those features that we're talking about are around identity management in Azure AD. There are of course a lot of additional features about identity management in Azure AD, but let's focus now on the access management part of Azure AD. Access management, simply said, is a process of controlling, verifying, tracking and managing access for authorized users and applications. To explain this process I will use Azure as an example. Let's take a user, let's call her Amy. Amy wants to perform an update on a virtual machine within Azure, and this update needs a permission called "write". To perform this action Amy has to have proper privileges on that virtual machine, and to do that, a current owner, let's call him Adam, needs to go to that SQL gateway virtual machine in the Azure portal, select the Access control blade, and add a new role assignment. Inside of that role assignment he needs to select two things. First, a role; a role is then found in Azure AD, in this case it's an Owner role definition. This Owner role definition has a set of privileges attached to it. But also, in order to create a role assignment, Adam needs to select a user that this role will be assigned to; in this case this will be Amy, which again will be found in Azure AD as a user object. Once those two are found and the Save button is clicked, a new role assignment object will be created in Azure AD which will combine the Owner role with the user object of Amy. Once this is done, it will also be assigned to the scope; in this case the scope will be the virtual machine. Once this is done, Azure will automatically verify whether that role assignment exists, and whether that role assignment exists in the context of this virtual machine scope or its parent scope, a resource group or subscription. If it does, then Amy will be allowed to update the virtual machine. This process very nicely explains how the roles are organized within Azure, and this is pretty much called role-based access control. If you want, you can create your own roles, so Azure AD is very extensible here; we have a lot of additional options. There are many more scenarios using Azure AD for access management, for instance when developing web applications, but we will cover this in a separate video when talking about cross-service authentication using Azure AD. For now this is all we need to know when it comes to Azure management.

We can switch to the Azure portal. In here I can go to my resource groups, and currently I have some resource groups already created. For this demo I will use the Logic Apps and SQL firewall demo resource group. For it I will go to Access Management and add a new role assignment. In here again I need to select a role; for instance, I want a Reader role granted to Amy or Tom. In this case maybe I will use Tom, since I just created this. I select Tom, hit Save, and as Tom is added I can review his assignment in the Role assignments blade, and Tom is now on the list with a Reader role. I will now switch to Tom's session by clicking on my profile, selecting the already existing session for Tom, and I will navigate back to the Azure portal. In here I can now select resource groups. Tom is now able to see this resource group, because he was assigned a Reader role on the scope of this resource group; therefore all the services within this resource group also inherited the Reader role for Tom. And if Tom would want to update some service, for instance if he would go to a virtual machine and try to restart it, he would get an error, because he has only a Reader role, which doesn't give him privileges to restart virtual machines. Access management in Azure is governed entirely by Azure Active Directory, and it's very secure, and you're using the same account that you'd use for a normal application; instead you use it in the Azure portal for your Azure resources.

Let's go back to the presentation, because there's one more very crucial topic that I want to talk about, and that is a very brief description of the differences between Azure Active Directory, Active Directory Domain Services and Azure Active Directory Domain Services. There will be a separate video talking about each one of them and how they compare to each other, but I want to be sure that you will leave this session at least knowing the basic difference, and that they are not the same. So first of all, you have Active Directory Domain Services, which is your on-premises directory service that you use if you already have been on the market with your company for some time. This is the place where you manage all your users internally in the on-premises environment. You also have Azure Active Directory, which is the cloud service allowing you to give identity and access management capabilities to your users, organization and applications. And lastly there's Azure Active Directory Domain Services, a cloud version of the domain services from on-premises, although it doesn't have all the features.

So what are the key differences here? First of all, there are some that should be noted, and the answer is probably a bit more difficult than I could explain within just a couple of minutes, but if you are a company that has been on the market for quite some time, then you probably already have Active Directory Domain Services, the on-premises version, and it doesn't have all the features of Azure Active Directory, but it has all that's required to run the organization. If you will be moving to the cloud, most likely what you will end up doing is synchronizing your on-premises version to Azure Active Directory through a service called Azure AD Connect. This way you have Azure AD using the same identities that you already have in your on-premises environment; this way your users will be able to use the same credentials and the same identity for internal but also cloud applications. And also, if you are moving to the cloud and you will need some of the features of the domain services from on-premises in the cloud, you might want to leverage a synchronization between Azure AD and Azure AD Domain Services, allowing you to take advantage of some older protocols like LDAP or Kerberos, or maybe using group policies with the cloud solutions, or the solutions that do not support the newest features. If you have some legacy applications, Azure Active Directory Domain Services allows you to take advantage of some of the features of the classic on-premises directory services. While the topic is much broader here, I just wanted to be sure that when you leave this session you understand that Azure Active Directory is not a replacement for on-premises domain services. If you are an already existing organization, you will most likely end up using Azure AD Connect to synchronize. If you are just starting your organization and you want to be cloud native, maybe Azure AD with Azure AD Domain Services will be enough to cover all of your needs, but that is for you to decide, and you should definitely explore this topic further.

So let's leave this session by talking about the additional features that you also get by using Azure AD. First of all, Azure AD is free up to five hundred thousand objects. Pretty much anything that we do in Azure is an object: a user is an object, a role is an object, a role assignment is an object, pretty much anything. You can also manage Azure Active Directory with PowerShell and CLI: just type in commands, and everything that you did in the Azure portal can be done automatically through scripting. Additionally you have Conditional Access, which is an amazing security feature that allows you to take security and control of the access for your users and your organization to the next level; for this you would need a Premium P1 license at least. And if the security of your organization is of the highest priority for you, you also have Privileged Identity Management with the Premium P2 license. All the scenarios that we're talking about today are business-to-business scenarios, but they also have B2C, which is business-to-customer scenarios, so if you want to create customer-facing applications and allow them to sign in and create accounts, you have a version of Azure AD called Azure AD B2C for that. And with device management you can very easily protect the assets of your organization. You also have managed identities, which is a pretty neat feature of being able to assign an identity, and the lifecycle of that identity, to an Azure resource and securely authenticate without using any passwords. Additionally, you have a lot of reports and monitoring available within Azure AD for free, and some advanced reports if you purchase at least a Premium P1 license. Azure AD also allows you to assign custom domain names, so if your organization has a domain name already purchased, you can assign it to Azure AD so that users will log in using their familiar logins. And lastly, Azure AD allows for integration of external identity providers like Facebook, Google, or maybe some direct federation, which allows you to take advantage of external identity providers. Here users have their own private accounts; they can use them to log in to Azure AD and access Azure resources or Office 365 resources. This way it's pretty much depending on the needs of your applications and your organization, but there is the support to do that.

But remember to leave the session remembering two things about Azure AD: this is the identity provider and the access management service in Azure. After all of that, you should at least understand that regardless of your role, you should know and you should understand the basics of Azure Active Directory. Definitely deep dive into the topics that might interest you for your purpose and your role in your organization. For today that's it. If you liked the video, hit thumbs up, leave a comment down below and subscribe if you want to see more, and definitely see you next time. [Music]
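The identity-provider flow the talk describes (client authenticates to the provider, receives a token, and each service verifies the token on the strength of its trust relationship with the provider instead of keeping its own user database) can be modelled in a few dozen lines. The following is an added illustration, not code from the video or from Microsoft: the provider, the services, the user "adam" and the signing key are all constructed, and the HMAC signature stands in for the public-key signatures Azure AD actually uses.

```python
"""Toy model of the identity-provider flow: the client authenticates to the
provider, receives a signed token, and the resource server verifies the token
instead of holding a user database. Constructed example; HMAC is a stand-in
for the asymmetric signatures a real provider such as Azure AD uses."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The "trust relationship": the server holds the key needed to check the
# provider's signature. Azure AD publishes public keys instead; a shared
# secret keeps this example self-contained (constructed value).
TRUST_KEY = b"constructed-demo-signing-key"
TOKEN_TTL_SECONDS = 3600
PBKDF2_ROUNDS = 100_000


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(username: str, password: str) -> bytes:
    # Deterministic per-user salt so the demo needs no stored salt (demo only).
    salt = hashlib.sha256(username.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class IdentityProvider:
    """Holds the user directory, so no resource server has to."""

    def __init__(self, key: bytes):
        self._key = key
        self._users = {}  # username -> password hash (constructed directory)

    def register(self, username: str, password: str) -> None:
        self._users[username] = _hash_password(username, password)

    def authenticate(self, username: str, password: str, audience: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Return a signed token for the client, or None if credentials are wrong."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_password(username, password)):
            return None
        issued = int(now if now is not None else time.time())
        claims = {"sub": username, "aud": audience, "iat": issued, "exp": issued + TOKEN_TTL_SECONDS}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ResourceServer:
    """Trusts the provider's key; keeps no usernames or passwords at all."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the token's claims if signature, audience and expiry all check out."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None  # tampered, or not issued by the trusted provider
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.name:
            return None  # token was issued for a different service
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            return None  # expired
        return claims


def demo() -> dict:
    """One client, one provider, two services: sign in once, present a token per service."""
    idp = IdentityProvider(TRUST_KEY)
    idp.register("adam", "correct horse battery staple")  # constructed credentials
    orders = ResourceServer("orders-api", TRUST_KEY)
    reports = ResourceServer("reports-api", TRUST_KEY)
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    token = idp.authenticate("adam", "correct horse battery staple", "orders-api", now=t0)
    return {
        "wrong_password": idp.authenticate("adam", "guess", "orders-api", now=t0),
        "accepted": orders.verify(token, now=t0 + 10),
        "wrong_audience": reports.verify(token, now=t0 + 10),
        "expired": orders.verify(token, now=t0 + TOKEN_TTL_SECONDS + 1),
        "tampered": orders.verify("f" + token[1:], now=t0 + 10),  # body altered, signature no longer matches
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The checks the resource server performs (signature, audience, expiry) are the ones that matter for any token-based scheme; note that the server never sees a password and has nothing to leak if its own storage is compromised.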
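The role-based access control walkthrough (Adam assigns Amy the Owner role on a virtual machine; Tom gets Reader on a resource group and can read, but not restart, the machines inside it) comes down to one rule: a request is allowed when a role assignment for the principal exists at the resource's scope or at any parent scope, and that role's definition matches the requested action. The model below is an added example, not Azure's implementation or the video's code: the subscription id, resource group and VM names are constructed, and the three role definitions only loosely follow Azure's built-in Owner and Reader roles.

```python
"""Toy model of Azure role-based access control: role definitions carry
permissions, role assignments bind a role to a principal at a scope, and a
request is allowed when an assignment at that scope or a parent scope grants
the action. Constructed example; not Azure's real evaluation engine."""
from dataclasses import dataclass
from typing import Iterator, List

# Constructed role definitions, modelled loosely on Azure's built-in roles.
ROLE_DEFINITIONS = {
    "Owner": {"*"},
    "Reader": {"*/read"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
}


@dataclass
class RoleAssignment:
    principal: str  # user object, e.g. "amy"
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # /subscriptions/<id>[/resourceGroups/<rg>[/providers/...]]


def _permission_matches(pattern: str, action: str) -> bool:
    """Wildcard rules: '*' matches anything, '*/read' matches any action whose
    last segment is 'read', a trailing '/*' matches every action under a prefix."""
    if pattern == "*":
        return True
    if pattern.startswith("*/"):
        return action.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _scope_chain(scope: str) -> Iterator[str]:
    """Yield the scope and each parent: resource -> resource group -> subscription."""
    parts = scope.strip("/").split("/")
    yield "/" + "/".join(parts)
    # Parents are cut at the well-known boundaries, not at every path segment.
    for marker in ("providers", "resourceGroups"):
        if marker in parts:
            yield "/" + "/".join(parts[: parts.index(marker)])


def is_allowed(assignments: List[RoleAssignment], principal: str, action: str, scope: str) -> bool:
    """True if an assignment for the principal, at this scope or a parent, grants the action."""
    chain = set(_scope_chain(scope))
    for a in assignments:
        if a.principal != principal or a.scope not in chain:
            continue  # someone else's assignment, or one on an unrelated/child scope
        if any(_permission_matches(p, action) for p in ROLE_DEFINITIONS[a.role]):
            return True
    return False


def demo() -> dict:
    """Reproduces the two situations from the walkthrough on constructed identifiers."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"      # constructed id
    rg = sub + "/resourceGroups/logic-apps-sql-firewall-demo"          # constructed name
    vm = rg + "/providers/Microsoft.Compute/virtualMachines/sql-gateway"
    assignments = [
        RoleAssignment("amy", "Owner", vm),   # Adam made Amy an Owner of the VM only
        RoleAssignment("tom", "Reader", rg),  # Tom is a Reader on the whole resource group
    ]
    return {
        "amy_writes_vm": is_allowed(assignments, "amy", "Microsoft.Compute/virtualMachines/write", vm),
        # Owner on a child resource grants nothing on the parent resource group.
        "amy_reads_rg": is_allowed(assignments, "amy", "Microsoft.Resources/subscriptions/resourceGroups/read", rg),
        # Reader on the resource group is inherited by the VM inside it...
        "tom_reads_vm": is_allowed(assignments, "tom", "Microsoft.Compute/virtualMachines/read", vm),
        # ...but a restart is not a read action, so it is denied.
        "tom_restarts_vm": is_allowed(assignments, "tom", "Microsoft.Compute/virtualMachines/restart/action", vm),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

The scope chain is what makes Tom's Reader assignment apply to the VM; the reverse never holds, which is why Amy's Owner role on the VM does not let her read the resource group. When reviewing real assignments, the scope column is the first thing to check: an assignment at subscription scope reaches every resource below it.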
Info
Channel: Adam Marczak - Azure for Everyone
Views: 239,763
Rating: 4.9528847 out of 5
Id: Ma7VAQE7ga4
Length: 30min 57sec (1857 seconds)
Published: Tue Jun 23 2020