Azure Active Directory - The Ultimate Beginners Guide

Captions
This week it's the turn of Azure Active Directory and the ultimate beginner's guide. Are you ready to learn? Let's go. [Music]

Greetings, my fellow YouTubers, welcome to the channel, especially if this is your first visit. I really do appreciate it. I'm Andy Malone, Microsoft MVP as well as a Microsoft Certified Trainer. Now, a couple of years ago when I started my channel, um, one of the very first videos that I did was a session on getting started with Azure Active Directory, and I sat here realizing that, you know, an awful lot has happened in that two years in terms of how the product has evolved. So I thought I would take this session to take a look at the ultimate beginner's guide, if you will. So if you've just come into Azure Active Directory, or you're thinking of a career in the cloud, then this hopefully will really help put you in the right direction.

All right, now in this episode we're going to talk about the architecture, we're going to talk about creating users, we'll talk about groups and how they work, we'll talk about roles, or role-based access control, or RBAC, all designed to get you up and running as quickly as possible. Now, if you've not subscribed to the channel, we love subscribers, so hit that subscribe button, ring the bell, and you won't miss out on future tutorials. And if you enjoyed the session, then please bump the like button, it really does make a difference to my channel. And if you've got questions or comments about this or any of my other sessions, then of course please just get them down below. So I think without any further ado, let's go and have a quick look at the architecture of Azure Active Directory, and then we'll get into some cool demos. Let's have a look.

So Azure Active Directory is Microsoft's cloud, or identity as a service, solution. And unlike that little server that's perhaps hosted in your own company, these servers are hosted in vast Microsoft data centers which are distributed around the world. And these things are absolutely enormous, and they
contain literally thousands upon thousands of servers. And the idea is that we have a number of data centers in each region. So within each data center, of course, your Azure Active Directory is hosted here, and you can see it's hosted in the cloud. Uh, so the absolute core of it is all managed by Microsoft. So instead of you being able to manage the database, you only manage essentially your tenant, and within your tenant you've got your users, your groups, your devices. Okay, so you don't need to worry about backing up or managing your tenant, because ultimately this is what you pay Microsoft for. Of course, once a user gets authenticated, they can then access the vast number of resources that are out there in the cloud, which is very cool. Like Active Directory, of course, um, it's a database. Objects have attributes: first name, last name, email address and so on.

How is Azure Active Directory distributed, then? Well, as I mentioned, Microsoft have multiple data centers around the world. For example, I work a lot in Norway, and in Norway we have two data centers: we have one in Oslo and the other one in Stavanger. So typically it works like this. One of the data centers will have the primary copy of the database, and so essentially this is a writable copy of the database. In the same data center we also have an array which contains a read-only copy of the database, again for redundancy purposes. You should also know that a copy of that same database is also replicated to a sister, and also other data centers throughout the world. So the idea is that you've got ultimate redundancy if you just happen to have a failure. And the database has a number of different layers, and the idea is it's to protect you against a potential failure.

So now that we've discussed the architecture of Azure Active Directory, it's time to dive in and look at the various components. So if you're ready, let's buckle up.

So to create a user account, I'm going to come in here into Azure Active Directory, into the
portal. Now, to be honest, it doesn't matter really which portal you do it in. So if you're an avid Microsoft 365 user, again, we can go into Users and Active users and you can create the same users here, because in fact it's the same Azure Active Directory, there is no difference. And the only difference is, by the way, there isn't one portal to rule them all, so unfortunately there are only certain things that you can do in one portal and other things you have to do in another. Unfortunately that's just the way it is.

I'm going to come down here into Users, and the first thing I'm going to do, of course, I'm going to create a new user. Then you've got a choice: do you want to create a new user, or a new external user or guest user? And if you want to know more about this, then please check out my recent video and I'll put a link in the description below. So for now I'm going to create a new user. So I'm going to come into the portal, I'm going to scroll down, and it asks me for a username. So I'm a big Game of Thrones fan, so I'm going to create a new user called Jon Snow. So here we go, Jon Snow. I'm gonna type in Jon and Snow. Now, do I want to auto-generate the password, or am I happy for Azure to go ahead and create one for me? Um, so I'm happy with that at the moment. Do I want to add Jon into some groups? I'll come back to that in a moment. I don't want him to be any kind of administrator, so, um, I'm just going to make him a member of the User role, which is just regular users.

Now, if you're not ready for Jon to sign in yet, so if you're provisioning his account and he's not joining the company, it's a good idea to block the sign-in. All right, the other thing that you can also do is you can also create a usage location, and essentially what this does is it places the user's data in their country. So for example, this tenant is in the United States, so for legal and compliance reasons it will ensure that my data remains within the United States. But you can change that, by the way, there are
ways to change that. I can put some information here, I can put company name, department, so for example if I said, hey, you know, he's in sales. I can even assign a manager to Jon if I want to. I'm happy, so I'm going to click on Create, and off it goes, and it now creates Jon. I'll just do a quick refresh on that, and if I scroll down, uh, you will see that in fact I have... sometimes it just takes a second or two just to come in. Um, if I just... let's try again, and indeed there we see, we can now see that we have a user called Jon Snow.

So when we go into Jon's account, this is everything that we need to know about Jon's account. So for example, we have some logs here, so it shows us the last time he signed in and so on. We also have, uh, if he's got any admin roles, is he a member of a particular group, applications that have been assigned to him, what licenses, what devices and so on. I can also go in and view Jon's properties by clicking on the Edit properties button, and in here you can see, in fact this was actually just recently updated, we now have a lot more information in here. And I think the main reason for this is, um, Azure AD is now classed as a multi-cloud solution, so if you're using HR systems, for example, then they're going to fully integrate with this. So I can go in here, you can see it shows me when Jon was created, the last time he changed his password, if it's an external user or not. You see, you've got these free fields that you can fill in, um, you know, his location, his address, his details, and you can see a lot of this could potentially come from an HR system. Now, you can scroll down through all of these fields, or you can use these tabs that will take you through to the various sections, which is kind of cool actually. Okay, um, so there's his usage location.

The other thing that we now have is we also have an On-premises tab. So if Jon had synced, um, from on-premises, so if you were using Active Directory and Azure AD Connect, then you can sync your users from on-premises
into the cloud, and this is kind of cool because it gives us a nice report of the status of Jon's account. So that's kind of cool.

Now, of course, as I mentioned, one of the things you might want to do is assign a license, and this is not the only place where you can do that. I can simply go into Active users in Microsoft 365, for example, and if I do a quick refresh here and scroll down, sure enough, hopefully you'll see that Jon's account is here. So if I just scroll down, and there he is. So I can now click into Jon's account, and one of the first things you're going to want to do is you're going to want to assign a license to him. So all those attributes from Azure Active Directory are here, it's because it's the same directory service. Now, um, one of the things that is different here is that you've got things like OneDrive and Mail; of course you won't get that in Microsoft Azure. So one of the things I'm going to want to do is I'm going to want to assign a license to this user. So I'm assigning an E5 plus Mobility and Security, and I'm also going to grant Jon a license for Windows 11. Now, you can also see in here that because it's a Microsoft 365 license, he also has access to all of these different apps, and this is cool because if you didn't want him to, let's say, use Microsoft Bookings, you can just take that checkbox out and he doesn't have it. And I'm gonna go ahead, I'll save my changes, and now Jon Snow is a fully licensed Microsoft 365 user, and you can go in, you can change that any time that you want. Isn't that cool? Okay, so that is how you create a user and manage them in Microsoft 365.
There is one last thing that we need to talk about, though. So, um, what I want to do here is I want to select a user, and what happens if Jon leaves the company? Well, if Jon leaves the company, of course you're going to need to delete him. So when you delete a user account in Microsoft 365 and/or Azure Active Directory, um, now, there's no content here in things like OneDrive and email, so in fact that's probably not a good example. So let me select another user. I've got a user here called, let's say, um, let's say Lydia... let's see if we've got a user Joanna. Okay, so here's Joanna, and I want to delete a user. Now, because Joanna is a mature user in our company, she's got lots of files and things like that. So here it's like, what do you want to do with those files? So for example, she can delegate access to her mailbox to another user, and you can grant a user access to OneDrive, so it could be a manager or somebody like that, and they can back up copies of her files. Likewise, you can give access to her mailbox to another user as well, so you can give them full access. Now, I did a session on this recently, so again I'll put the link in below, and check it out.

All right, so when you're happy to delete that user, you simply just go ahead, delete that user, and you can do this, as I say, either from the Azure portal or the 365 portal, and that will go, and everything that Joanna was and is has now been deleted. And what happens to that data is, um, first of all the licenses are recouped, and that data then comes into the Deleted users container here. Now, the nice thing is if you realize, oh my goodness, I just made a mistake, I can scroll down, I can select Joanna, and of course I can restore that user back, but you need to do this within 30 days. Okay, so there we have it: in Azure Active Directory and also in Microsoft 365, creating, managing and deleting a user.

So now we've created a user account, I suppose the next thing we should talk about are groups, and groups can be found here in Azure
Active Directory. Now, in here, if you go ahead and create a new group, there are essentially two types of groups that you can create here. You can create a security group and you can also create a Microsoft 365 group. Now, in addition, you can also create groups from in the portal here, so I can scroll up, I can just collapse that down, uh, just expand the menu, and you can see here we've got Teams and groups. Again, I can go into Active teams and groups, and by the way, in here you'll notice that we have got four types of groups. So these two, of course, are specific to Microsoft Exchange Online, which you don't get in the Azure portal. So in essence what we have is a security group, which again is the same security group here. So security groups are really useful, but they don't have any collaboration capabilities, so you can't make appointments with them; they're just purely for permissions.

Now, the one thing that's nice about security groups, and in fact I'll go ahead and create a group here. So I'm going to call this, you know, I'm in the US, so let's say I'll call this, this is my NYC, um, I'm going to call this my NYC, let's say, Sales. Okay, so I'm going to call this my NYC Sales team. I can put in a description here. One of the things you can do in Azure is that you can give them an admin role, and I'm going to come back to that a little bit later. Now, when you assign a membership you've got the choice: do you want it to be an assigned member, which means basically you can just add in the users as and when you require, or you can use something pretty cool called dynamic users. And notice with security groups you can also have devices in here as well. Now, if I change the group type to Microsoft 365 groups, again you can see that this time, though, you only get dynamic users as opposed to assigned users. So if I just choose Assigned for now, one of the things that we can do here is I can then say, okay, do you want to assign an owner to the group? And the owners are really useful, it's almost like a
manager, and they can manage the users and the members, and they can also invite guests if your company allows it. So for the purpose of this demo, my user account is the MOD Administrator, I'm just going to assign myself as a member. Now, like I said, I can just go in and assign members here, and for the purpose of this demo I'm going to do that, but if you want to see dynamic users then check out my dynamic users video that I recorded a little while back, okay, it's on YouTube. So I'm going to go into Members here, I'm going to go in, I'm going to add in Adele, Alex, I'm going to bring in Alan, and just, let's click on Select. So I've added my three members in, and I'm going to go off now, I'm going to click Create.

And a Microsoft 365 group, when you create it here in the Azure admin center, it really doesn't do that much, but I'll show you what's contained within it. But I also want to show you a couple of very important things here. So I can go into the General tab for the groups, and this is where you've got various security settings. So for example, who can create Microsoft 365 groups; you might not want users creating these. But you can also add clever things like expiry dates on groups. So for example, I could add in, let's say I've just created this group called NYC, and I could add in NYC Sales, and I could say, okay, um, I want to say in six months, if nobody is using that group, then I want to delete it. Okay, so AI and machine learning will constantly monitor this group now, and if there's no traffic in the group it will delete it, and this can be really useful protecting your organization from things like group bloat, as we call it, so too many groups. Now, you might ask me, well Andy, what if a user is using it and I don't want to lose my data? Again, don't worry about that, because the AI will determine, no, the group's still in use, and it resets it for another six months. So it's a really, really nice, useful feature.

Now, just to mention, when you create your groups you can also, for example here,
you can set up a group naming policy, so you can have a prefix and a suffix. So for example, NYC Sales, NYC Marketing, or it can be a suffix, Marketing NYC, you get the idea. So that's just a quick tip that's really, really useful.

Now, just before I leave this, let's flip over to Microsoft 365 and let's talk about the groups here. So first of all, what does that group look like? So if I just refresh my page here, and if I scroll down, we will see in fact that I've got this group called NYC Sales, and you can see there it's assigned, um, it's a private group. So what does that mean? So if I go into the properties of this group, and if I go into the settings, you'll notice that we have a private and a public group. Now, because this is a Microsoft 365 group, what this means is, in Outlook, Microsoft 365 groups basically give you access to a shared mailbox, you get a shared SharePoint document library, you get a OneNote notebook, a Microsoft Planner, a Microsoft SharePoint team site and much more. Now the question is, do you want it to be private or do you want it to be public? So private means that only the members of the group can actually view it, whereas if it's public it's discoverable by anyone. All right, now again, if you want people to be able to contact the group externally, we need to click this little checkbox on here. So I'm just going to go ahead, I'm going to click on Save, and let's just have a quick look at what that Microsoft 365 group actually looks like.

So to do that I'm just going to flip over here and I'm going to open up Microsoft Outlook, and this is such a cool feature, by the way. So I can come into Outlook here, and if I scroll down you can see it says Discover groups. So if I click on to here and type in NYC and just enter that, there it is. Now I can request to join the group, and also if it's a complete public group, and it is a public group, but I think the timing, because I'm doing this demo quite quick, it hasn't come through; sometimes the portals are a little
bit slow. But I'm going to say, yep, if it's a private group I can say, message the group owner, um, I would like to join the group please. All right, so that's quite useful. Whereas if it's a public group, basically what you'll get is, I will say, okay, Discover, and let's say if I just type in sales and enter that, you can see I can just join the group. So straight away I can now join this group and I've now got access to that group. So if I close that down, you can now see that I've got US Sales here, and as I mentioned, you get a shared mailbox, you also get a shared document library for all your files so you can collaborate, and of course you get the calendar, you get notebook, planner, site and so on.

And one of the super smart things about Microsoft 365 groups, and check this out, is if I scroll down here in Microsoft 365, I can now extend this group to become a Microsoft Team, and that adds all the chat and the communication capabilities, and also you can talk to third-party applications as well. Now, this is an irreversible action, of course, so once you switch this on you can't then switch it off. So there you have it: groups in Azure Active Directory and Microsoft 365.

So the third and final part of my guide to Azure Active Directory has to be roles and administrators. Now, of course, roles and admins, what does that actually mean? This is sometimes referred to as RBAC, or role-based access control, and the idea of role-based access control, and you can do this from both Azure Active Directory, of course, and you can also do this from Microsoft 365.
The idea of this is, we can see that we have a number of different types of roles, so for example Azure Active Directory here, Microsoft Exchange, Intune and so on. And the idea of the various roles is that you don't want to give a user global admin rights. Now, typically within any organization you should have no more than five global admins and maybe no less than two. So what are you going to do for the other administrators in your company? So what we have here, and it's really easy to get kind of overwhelmed by this, but we have tons and tons of different types of roles. Now, initially this looks really overwhelming, and what you can see, though, is if you look closer you'll notice that they're actually grouped. Okay, so for example, in Microsoft Exchange we have an Exchange admin and you also have an Exchange recipient role, and you can see these are the specific permissions that that role can actually do. Um, and you also have other roles, so things like Teams, SharePoint and so on.

Now, what you can do, of course, is I can scroll down here, and the second most powerful role that we have is a user admin. So if you don't want, maybe, a senior administrator in your organization, you don't want him to have all the power, what you can do is you can grant him the rights to the user admin role. And if I click into the role itself, you can see I can go into the description of the role here, and it tells me a little bit about the role, and pretty much he can do an awful lot, this guy. So basically he can manage all aspects of users and group creation, management, and also licensing for those users. Um, so I can then go into Assignments and say, hey, that sounds great, I want to add an assignment for this user.

So now, just to mention one thing, by the way: this screen here that I'm actually in, this is actually a feature in Azure Active Directory called PIM, or Privileged Identity Management. Okay, what does that mean, Andy? Well, if I go back into Microsoft 365 and let's say I come into, let's say, what we got here,
let's choose one, um [Music], let's say we have a user here and I want him to be a security admin. Okay, so I'm gonna go into Assignments here and I'm going to add a user. So in here I'm going to say, okay, I've got a user here called, uh, Alan, and I would like Alan to be a security administrator. So the problem with that, though, is it's for the entire organization. Okay, so, um, if I close that down now, I'm just going to close that down, and if I come back and let's look at the same role in Azure Active Directory. So I just want to show you a couple of little interesting things here, so, um, very important. So if I just scroll down here, and if I come into, let's say, the Security Administrator role, and in here you can see, there he is, here is Alan, and he's a user, he's got access to the entire directory, um, it's been directly assigned to him, but check it out, look, it's a permanent. So Alan is a permanent administrator. Now, you might not want that. You might want the user to only have, let's say, a temporary assignment.

So what we mean by PIM, or Privileged Identity Management, is this. So if I scroll down here and then, let's say, go into the User Admin role, let me do that same demo again, but this time I'm going to add an assignment here. Now, you'll notice here that some of the options are kind of grayed out, and in fact you can see that you've got Settings here. So one of the things you might want to do in advance is you might want to go either into the settings or the role settings, it's the same thing, and you can click on Edit, and what this does is it allows for temporary access. So for example, if Alan's going on vacation and you need to take over Alan's job, what I'm going to do is I'm going to grant you 12 hours of access, let's say. Um, do I require multi-factor authentication? That means if you're using the Microsoft Authenticator app on your phone. Okay, do you need to put in a reason why you're activating? I think that's a good idea. Does it require any kind of approval? No, I'm okay with it.
And again I can specify how long you're going to get access for, so it might just be a couple of weeks, might be a month and so on. Okay, so for this demo I'm just going to say a month, but you can change it if you want to. Um, and I'll say, okay, when a user activates the role, do you want me to send a notification, an email? Okay, fair enough, you can choose who you want to send that email to. So I can now update those settings, and what that means now is that when I add an assignment it will now pick up those settings.

So I'm going to go in, I'm going to assign a user, and for this demo I'm going to assign, um, I'll bring in Alex. Okay, now if I do nothing and just click Next, what I want to do is I want to make Alex active, and that's pretty much it, I can put in a justification, okay, so for his job. Okay, so you can see that Alex has now been assigned, and you can see specifically that he's permanently assigned. So what is this Eligible option? This is something that admins really will use, by the way. So I'm going to click on Assign, I'm going to maybe assign somebody else, and let's bring in Adele. So Adele is Alex's assistant, and I'm going to select, but this time when I click Next I'm not going to choose Active, I'm going to choose Eligible. So if Alex goes on vacation, Adele is going to be able to take on his role for this duration. Okay, so beyond this duration, when Alex comes back, she then loses that right. Okay, so I'm now going to assign that, and now you can see that Adele doesn't appear, but if I go into Eligible assignments, sure enough she's here. So here is Adele, and if I just scroll over you can see that that date, uh, has come in here. So there we go, that's really cool.

So this is called Privileged Identity Management, and the idea of this is that it provides something called just-in-time access, and they're just getting enough administration, so users don't need to have full global admin permissions. And that's the purpose of RBAC, role-based access control: in other words, just
give them what they need, not necessarily everything. Okay, a really cool feature.

So there you have it, the Azure Active Directory ultimate beginner's guide. I really hope that you enjoyed it and that you got a lot out of it. Remember, if you did, bump that like button, it really does make a difference, and if you've not subscribed then go ahead, hit the subscribe button, ring the bell, and you won't miss out on future tutorials. All right, and as always I love your comments, your questions and your feedback, so please get those down below. And that's it for this week. Okay, thanks very much for joining me, I really appreciate it, and we'll see you next time around.

Hey, thanks so much for dropping by today. Here's a couple of videos that you may enjoy, and while you're here go ahead, click on the subscribe button and you won't miss out. [Music]
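Added example, not part of the video and not Microsoft tooling: a small offline audit that applies the guidance in the captions above (between two and five global admins; eligible, time-bound assignments instead of permanent active ones). The record fields, the role list, the 31-day limit and the sample export are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GLOBAL_ADMIN = "Global Administrator"
# Roles this example treats as privileged (an assumption; extend as needed).
PRIVILEGED_ROLES = {
    GLOBAL_ADMIN,
    "User Administrator",
    "Security Administrator",
    "Exchange Administrator",
}


@dataclass(frozen=True)
class Assignment:
    """One row of a hypothetical role-assignment export."""
    user: str
    role: str
    state: str                 # "active" or "eligible"
    end: Optional[datetime]    # None means the assignment is permanent


def audit(assignments, now, min_ga=2, max_ga=5, max_days=31):
    """Return sorted (finding, subject, role) tuples for the given assignments."""
    findings = []
    # Ignore assignments whose end date has already passed.
    live = [a for a in assignments if a.end is None or a.end > now]

    # Count distinct users holding Global Administrator, active or eligible.
    admins = {a.user for a in live if a.role == GLOBAL_ADMIN}
    if not min_ga <= len(admins) <= max_ga:
        findings.append(("GLOBAL_ADMIN_COUNT", str(len(admins)), GLOBAL_ADMIN))

    for a in live:
        if a.role not in PRIVILEGED_ROLES:
            continue
        if a.end is None and a.state == "active":
            # Standing privilege: always on, never expires.
            findings.append(("PERMANENT_ACTIVE", a.user, a.role))
        elif a.end is not None and a.end - now > timedelta(days=max_days):
            # Time-bound, but longer than the allowed window.
            findings.append(("LONG_LIVED", a.user, a.role))
    return sorted(findings)


# Constructed sample data; the tenant, users and dates are invented.
NOW = datetime(2022, 8, 29, tzinfo=timezone.utc)
SAMPLE = [
    Assignment("admin@example.test", GLOBAL_ADMIN, "active", None),
    Assignment("alan@example.test", "Security Administrator", "active", None),
    Assignment("alex@example.test", "User Administrator", "active", None),
    Assignment("adele@example.test", "User Administrator", "eligible",
               NOW + timedelta(days=30)),
    Assignment("lydia@example.test", "Exchange Administrator", "eligible",
               NOW + timedelta(days=180)),
    Assignment("former@example.test", "User Administrator", "active",
               NOW - timedelta(days=1)),  # already expired, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW):
        print(*finding, sep="\t")
```
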
Info
Channel: Andy Malone MVP
Views: 48,786
Keywords: Azure Active directory beginners guide, Azure AD for beginers, get started with Azure AD, Microsoft 365, Microsoft Azure active directory, Andy Malone MVP, MVPBuzz, MCTBuzz
Id: GbntYTbXLHc
Length: 34min 15sec (2055 seconds)
Published: Mon Aug 29 2022