Part 13 – Managing User & Device Identities in Microsoft Azure Active Directory

Loading

In this blog, we will explore the identity management section of Azure AD.

Licensing

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication

The minimum required for password resetsMinimum required for password resets
Azure AD Premium P2Azure P1 + Security Features

Subscriptions

  • There is a trust relationship between Azure AD and the subscription.
  • Each subscription can only trust a single Azure AD directory.
  • Multiple subscriptions can trust the same Azure AD directory.

Create Dynamic AD Groups

Let’s begin by creating a group in Azure for our Norfolk Office based on a condition or property eg: City.

We will choose Dynamic Group as we will want to group users later based on the office location they work

Every group should have a group owner so we’ve added one here.

Assigning Licenses to Groups

Rather than assigning licenses at an individual user level, it’s much faster to do the assignment at the group level and this happens under the licenses tab at the Group level

Creating Administrative Units

AU in short will give a few users some privileged access in our Norfolk office so they can reset passwords, assign licenses etc.

Click on the Helpdesk Administrator or User Administrator

Add Sarla as our Helpdesk admin for Norfolk Site

Click Review and Create

Our Administrative Unit Norfolk HelpDesk Admins is now ready.

Creating Users

Since we choose to add users dynamically via their office location, our users will be automatically added to the group when the office location is set to Norfolk. Users get the name plus the default domain name as their email account.

Password Reset Registration

In order for us to do password reset registration, we need to have at least an Azure AD Premium P1 or Azure AD Premium P2 license.

Self-service password resets can be done via the below tab

We will add email/phone authentication

Notify users about events on password resets

Synchronization with on-prem AD is available under the integration tab

Setting up Users and Applications for Hybrid Identity

In this section, we will get some apps from Azure Marketplace and provision them to our users.

Go to the Enterprise Application section

Enable Users can add gallery apps

Test User Access

Login as the new user we created using one of the links

https://myapplications.microsoft.com/

https://account.activedirectory.windowsazure.com/

We’ve secured our access using phone/email

Once logged in, I should be able to see the apps I provisioned to the user.

Managing Devices in Azure Hybrid Identity

In this section, we will add a new Virtual machine and join Azure AD. If this option is chosen, this VM will be auto-joined to Azure Ad

Alternatively, on our Windows 10 PC, let’s just connect to Azure AD manually as shown

Give the Azure AD account

Join Phone

Configure MFA

To view devices, joined to Azure AD go to the below tab

All our Azure AD joined devices appear here.

Configure MFA

Per user, MFA is free of charge but conditional access needs P1/P2 license.

(Visited 96 times, 1 visits today)

By Ash Thomas

Ash Thomas is a seasoned IT professional with extensive experience as a technical expert, complemented by a keen interest in blockchain technology.

Leave a Reply