Azure AD - #1 - Overview

Captions
I'm Dean Cefola and this is the Azure Academy. Thanks for joining us again at the Azure Academy, and please click on that subscribe button if you have not done so already, and don't forget to leave us some comments below on any questions you have or what you'd like us to do for videos in the future. So today I thought we'd start a series on Azure Active Directory, and we do have quite a lot of interest in this from our community polls. This topic can get quite extensive, so we're gonna be real particular in the topics that we pick up front for us to cover, and then as the series develops I want to hear from you what scenarios you want and then we'll make videos for those.

So what exactly is Azure Active Directory? Azure AD is Microsoft's multi-tenant, cloud-based identity management service. It is highly scalable and distributed across the world through the Azure cloud. Now that was a big mouthful, so let's break that down a little bit. It is a multi-tenant cloud service: this means that the service itself of Azure AD exists in the cloud, and as part of that service there are tenants, and each tenant is its own little isolated island within that world of Azure AD. The other thing that Azure AD does is it creates a single identity solution for all other Microsoft cloud services, such as Office 365, Dynamics, Intune and of course Azure. But it does much more than that: it also integrates with other applications by enabling you to federate your ID, which of course then enables hybrid identity options from on-prem to the cloud and beyond, with things like B2B and B2C scenarios. However, Azure Active Directory is not Active Directory like we have with AD servers on-prem. AD is a system that provides authentication, a directory, policies and some other services, and it utilizes Kerberos and NTLM for authentication. Azure AD, on the other hand, has two major services, and that is Identity and Access Management services. These would be things like single sign-on, password authentication, user self-service, federation services, and it uses a completely different authentication mechanism than Active Directory. Azure AD uses OAuth, which is a more modern authentication protocol than NTLM and Kerberos.

So with that said, let's jump over to the Azure portal. We can get to Azure Active Directory from the Azure portal by going to All services and then going to the Identity section; there are all of our identity related tools, and I'm gonna click on Azure Active Directory, and here is my directory. If you've seen any of our videos before, we have been in here a few times already, but I want to give you a quick overview. We're not going to get into details about everything in this video; this is just meant as a kind of level 100 introductory session for Azure AD. So the very first thing, as I said in the beginning, is it is a multi-tenant service. That means each directory, or each AD tenant, is isolated unto itself, so you have to switch between directories if you want to go from one to the other. So looking here at the basic overview screen we can see the name of our directory, and I'm using a custom domain name, and we'll show you how to do that, as well as we see what our current role is in the directory. I am a global administrator, which is a built-in role. And then we also have a quick search feature over here, and that's for users, groups, apps and directory roles, so you can see all that's in there, and there are some create options down the side as well as the ability to create a new directory. And then we have a section in the middle around updates and what's new around Azure AD. So over here on the left we have some identity related services and customizations around the directory: for users, groups and roles, applications, identity governance, the licensing, Azure AD Connect, which we'll get into in another video, making a custom domain name, integrating with MDM solutions, password reset, company branding around the portal itself, and then some other user settings and notifications. The properties section here is where you can see your directory ID, and that becomes important when you're doing certain kinds of tasks, especially through the shell and automation. And then we have a security related section, and this would be for your security score, setting up conditional access, multi-factor authentication and other authentication methods, and then the monitoring of the directory, which can be connected to Log Analytics as you see here, and there are audit logs specifically for Azure Active Directory as well as looking at user sign-ins and some insights and information. That is the quick hundred-thousand-foot view of what's in Azure Active Directory, but let's look at some of the details here.

Now one of the first things that we saw up here on the overview is our custom domain name, and then we also see this section around licensing, P1 and P2. So what exactly is this? Well, let's go over to the Azure documentation page, and from here we can go to Pricing at the top, and here on the pricing page we'll click on Pricing by product, which will take us all the way to the bottom, and we'll type in here Active Directory and we'll click on Azure Active Directory here, and that'll take us over to the documentation pricing page. And then we scroll down a little bit and we can see the four different offerings around licensing and prices for Azure Active Directory. Down here at the bottom we see that we have a free version; this version is included with Office 365. And then P1 is $6 per user per month, and nine dollars per user per month for P2. What will that shake out to in the end? Well, over here in the Azure pricing calculator we'll type in Active Directory and take a look at that in the pricing calculator, and of course we see here is the free version, and then we have options for adding multi-factor authentication and Domain Services. Now again, we said in the beginning that Azure AD is not Active Directory as you would think of it on-prem. There is, however, this middle ground, which, if you have watched our Windows Virtual Desktop series, you've seen us deploy Azure AD Domain Services already, but we'll do that in another video. Azure AD Domain Services will deploy two domain controllers, so it is highly available in that sense, but then the domain will also enable you to do NTLM and Kerberos while maintaining your cloud-centric identity, which would generally more use OAuth. So that you can see, by the number of directory objects that you need you would select that, and then select how many hours it will be running, and then you see the total cost for running that domain service in the cloud. Now I'm gonna set that back to zero here, and then we can look at multi-factor authentication, and this is of course for one user a dollar forty a month, so you just multiply this by however many users you have and then you know what your cost is for enabling MFA in your organization. I will again set this back to zero, and then we'll choose P1, which has that cost of six dollars per user per month. So if you have five hundred and thirty-two users, that's your cost for using P1 licensing, versus P2 licensing, which is nine dollars per user per month. So look at the feature set in the documentation, decide which you need, and then you will be able to see basically what your pricing would be, and this is of course street pricing; it doesn't take into account any discounts or anything like that that you may have.

And we'll go back to our main documentation page. So we'll go to our products, and then on the left we'll go down to Identity, and there is the documentation for all of our identity solutions, and we'll go to Azure Active Directory. Now you can see this documentation page is quite different than the other doc pages that we've looked at in the past, and that's because, as I said in the beginning, there is so much here, and they break it down into all of these sections, which have subsections of their own, and there is a ton of documentation. So we certainly won't be able to cover near half of everything during this overview, but I just wanted to see where it all is.

So one of the other tools that we're going to use a bit as we go through this series is going to be the Graph Explorer, and this uses the Azure Graph API. And the first thing you have to do when you get to this page, which is the Graph Explorer website, and I'll have that linked in the description, is first you have to log in. So I'll click that and then I'll be prompted for my login, so I'll choose my Windows Virtual Desktop environment, and so once we're logged in we can click here in the top bar and then it'll give us a few items that it suggests that we look for. So I could look for "me" and push Go, and then it does a lookup on my directory, and we can see all of the stuff here related to my directory and my users, and there is my particular user, and there are many different things here, like our immutable IDs, which are going to become important later, as well as the distinguished name for my user, where it's located in my domain structure, and many other things here like my SIP proxy address, user principal name, all that stuff. So you can get a lot of information out of the Graph Explorer, which is also a very good troubleshooting tool, as we'll see as we get into this series.

So back in the Azure portal, let's take a quick look at what some of our users look like here. So here I've got all of my users that are in my environment, and users can come from different kinds of sources. The first source that you can see here is Windows Server AD; this means that this user was synchronized from my on-premises into Azure Active Directory. We also have Microsoft accounts, and this account in particular was one that I opened this directory with, so this was an external account. And then we also have some that are native to the cloud directly; they do not exist on-prem at all, and that would be an Azure Active Directory account. And there is one fourth one, and that is an invited guest, and that would be if one of my accounts here decided to invite a new guest user. So let's take a look at that experience real quick. So I'll put in here another email address. Okay, so I put in here a fake email address, and then I'm going to go ahead and click Invite, and then you can see down here at the bottom that we now have an invited user who is a guest in this environment. Now this is not a valid email address, and I'm just going to go ahead and delete this user.

All right, so one of the other things that we can see is deleted users, and these are users that I had from other tests that I had run, and you can select them if you are okay with permanently deleting them and click that, or you could decide, oh you know what, I really need to bring this user back for some reason, and then you can click Restore user and that'll bring it back. But they will be permanently deleted after 30 days. Also we can have some password reset functionality, and you could have this as self-service, and so that way you can remove that burden from IT administrators by allowing users to walk through this process themselves. And we'll get into self-service password reset in another video, as well as you can set different authentication methods to guarantee that the person who is going through the password reset process actually is the correct person. So we can secure this by any one of many methods here, and then the user process: do we require a user to sign in before they can go through the password reset process? And then we can set customizations if we want to in the environment, as well as do some on-prem integration with password writeback and things like that. And then I'm back under the Users tab here; we can see the audit logs. So for example, here's an audit log related to a delete that was performed in my environment. That delete was against this particular target ID, and we can see what modified properties there were, as well as the user sign-ins, if you have P1 or P2. So as you're gonna see through our sessions here, there are some features that you need P1 or P2 before you can use them; this happens to be one of those.

The group experience is pretty much the same. You can create a cloud-based group or you can have a group that is from your synchronized environment, and you can see down here I've got these several groups that were in the cloud, and so you can build those, assign groups, and then also the same delete experience is here as well. And then the other big one that we'll cover for right now is under Roles and administrators, and these are the built-in directory roles, and that domain admin role function is carried out here by the global administrators. And you can see I've got two in my environment. It is a best practice to have a minimum of two, if not three would be highly preferred, so that in case one person is out or unavailable someone still has, quote-unquote, keys to the kingdom.

Azure Active Directory is not an Azure subscription. The relationship here, which I'll show you on my sidebar (the reason I've got things organized this way is because they kind of nest in this particular manner), is this: Azure Active Directory is the top level, and within the directory we have management groups; inside the management groups we can nest subscriptions, and then within subscriptions are resource groups, and then all of the other resources. So Azure Active Directory is not a subscription; it is a separate entity from a subscription. A subscription must be part of a single Azure Active Directory tenant, but an Azure AD tenant may have multiple subscriptions. Now I say this because the global admin rights in Azure AD do not necessarily indicate that you have global admin type rights in your Azure subscriptions. That privilege is based on the subscription access control itself, and then you can see who exactly are the owners of that subscription. And there is one special role that I'll call out as our last thing for this overview, and that is the User Access Administrator. This role is inside Azure AD under the properties in the blade, and we can see down here the access administrator role can be granted to perform all identity related functions within an Azure subscription. So after I had created my subscription, I removed this role from myself inside Azure Active Directory and granted that role instead to one of my groups, that would be my sub user account admins, and the benefit of this is now I can use this as a way for adding some automation to my user account access and identity control, so that I do not have to have a person giving out the rights. I can use automation: say, for example, that you have a domain group on-prem; you add a member to a new group; that member is then granted access into a cloud group based on Active Directory synchronization, which then is granted access to your Azure subscription through automation. And I know that sounds like a whole lot, and we'll get into that in another video.

So I hope you've enjoyed looking at this overview of Azure Active Directory. There are a million more things here that we could talk about, and just in an overview, each one of these features we could spend a whole day on. This is just a quick overview, and we'll get more into Azure AD as we go through this series. So if you haven't done so already, please click on that subscribe button, and if you like this video give us a thumbs up, as well as please do give us some comments below on if this was a help to you or what you would be interested in seeing out of this Azure Active Directory series going forward. As always, thanks for joining us today, and we'll see you in the next video. Happy learning!
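The walkthrough above touches three checks an administrator ends up doing by hand in the portal: working out where each user came from (synced from Windows Server AD, cloud-only, or an invited guest), watching the 30-day window before a soft-deleted user is purged, and keeping the Global Administrator count to a sane minimum. The script below is an added example, not code from the video or from Azure Academy; it runs the same logic over Microsoft Graph-shaped JSON that is constructed inline (the contoso.example / fabrikam.example names, the users and the timestamps are all made up, and nothing is fetched from a tenant). The Graph property names used (userType, onPremisesSyncEnabled, creationType, externalUserState, deletedDateTime, directoryRoles members) are real; the upper bound of five Global Administrators is this example's own threshold, chosen to follow Microsoft's published guidance, and is an assumption.

```python
"""Added example (not from the video): apply three Azure AD hygiene checks from
the overview to constructed, Microsoft Graph-shaped data. Runs offline."""
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of GET /users?$select=... (all values invented).
USERS_JSON = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "userType": "Member",
     "onPremisesSyncEnabled": True, "creationType": None,
     "externalUserState": None},
    {"userPrincipalName": "bob@contoso.example", "userType": "Member",
     "onPremisesSyncEnabled": None, "creationType": None,
     "externalUserState": None},
    {"userPrincipalName": "carol_fabrikam.example#EXT#@contoso.example",
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "creationType": "Invitation", "externalUserState": "Accepted"},
    {"userPrincipalName": "dave_outlook.example#EXT#@contoso.example",
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "creationType": "Invitation", "externalUserState": "PendingAcceptance"},
])

# Constructed sample in the shape of GET /directory/deletedItems/microsoft.graph.user
DELETED_JSON = json.dumps([
    {"userPrincipalName": "erin@contoso.example",
     "deletedDateTime": "2019-08-05T10:00:00Z"},
    {"userPrincipalName": "frank@contoso.example",
     "deletedDateTime": "2019-08-30T09:30:00Z"},
])

# Constructed sample of GET /directoryRoles/{id}/members for Global Administrator.
GA_MEMBERS_JSON = json.dumps([
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@contoso.example"},
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@contoso.example"},
])

SOFT_DELETE_WINDOW = timedelta(days=30)  # Azure AD keeps deleted users for 30 days
MIN_GLOBAL_ADMINS = 2                    # from the video: at least two, three preferred
MAX_GLOBAL_ADMINS = 5                    # assumption for this example (Microsoft guidance)


def classify_source(user):
    """Map a Graph user object onto the 'Source' column the portal shows."""
    if user.get("onPremisesSyncEnabled"):
        return "Windows Server AD"            # synchronised by Azure AD Connect
    if user.get("userType") == "Guest" or user.get("creationType") == "Invitation":
        if user.get("externalUserState") == "PendingAcceptance":
            return "Invited user (pending)"   # invite sent but never redeemed
        return "Invited user"
    return "Azure Active Directory"           # cloud-only account


def classify_users(users_json):
    """Return {userPrincipalName: source} for every user in a Graph response."""
    return {u["userPrincipalName"]: classify_source(u) for u in json.loads(users_json)}


def _parse_ts(ts):
    # Graph returns UTC timestamps with a trailing 'Z', which fromisoformat rejects.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def purge_schedule(deleted_json, now_iso):
    """Whole days left before each soft-deleted user is permanently removed."""
    now = _parse_ts(now_iso)
    out = {}
    for u in json.loads(deleted_json):
        purge_at = _parse_ts(u["deletedDateTime"]) + SOFT_DELETE_WINDOW
        out[u["userPrincipalName"]] = max((purge_at - now).days, 0)
    return out


def check_global_admins(members_json):
    """Count Global Administrator members and grade against the min/max bounds.
    Group members are counted as one entry here; expand them in a real run."""
    n = len(json.loads(members_json))
    if n < MIN_GLOBAL_ADMINS:
        return n, "too few: one unavailable admin locks you out"
    if n > MAX_GLOBAL_ADMINS:
        return n, "too many: reduce standing Global Administrator assignments"
    return n, "ok"


if __name__ == "__main__":
    for upn, source in classify_users(USERS_JSON).items():
        print(f"{source:24} {upn}")
    for upn, days in purge_schedule(DELETED_JSON, "2019-09-01T12:00:00Z").items():
        print(f"{upn}: purged in {days} day(s)")
    print("Global Administrators:", *check_global_admins(GA_MEMBERS_JSON))
```

Pointing this at a real tenant only means replacing the three constructed JSON strings with the bodies of the corresponding Graph calls the Graph Explorer shown in the video can issue; the classification and threshold logic stays the same.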
Info
Channel: Azure Academy
Views: 88,490
Keywords: azure ad, azure active directory, azure active directory español, The Azure Academy, Microsoft Azure Academy, Azure Academy, AzureAcademy, azure active directory connect step by step, azure active directory tutorial, azure ad connect, azure active directory authentication, Azure, azure ad domain services, azure active directory domain services, azure ad b2c, azure active directory b2c, yt:cc=on, Azure CAF, azure basics, azure fundamentals, azure sso, Azure ad sso setup
Id: pN8o0owHfI0
Length: 16min 13sec (973 seconds)
Published: Sun Sep 01 2019