Hydra
Azure AD Active Directory Enterprise Developer Microsoft

Microsoft Azure AD - Introduction

Posted 06-14-2022, 08:24 PM

Introduction to Azure AD

Azure Active Directory (Azure AD) is the modern cloud alternative to the classic Windows Active Directory. Microsoft has been developing the platform since it first launched in 2013, and over the years Azure AD has changed a lot in both design and functionality. Azure AD allows you to sync your existing on-premises AD to the cloud, giving your organization modern capabilities: Azure MFA, SAML Single Sign-On, Application Proxy, Conditional Access, Endpoint, and much more.

Creating an Azure AD Tenant

  1. Create a Microsoft account, then create an Azure account using your newly created Microsoft account. Keep in mind that this account will become the master, or global administrator, account: keep it extremely secure and use a strong, unique password. To register an Azure account, a credit card must be on file (although it's free to use).
  2. Once the account is created, visit the Azure AD portal and log in if necessary. If you get an error regarding the authorization token (AAD IAM), click on your profile name in the top right and choose "Switch Directory". You'll see a default directory as {username}{domain}@onmicrosoft.com - great! Click the Switch button to gain access to the default tenant.
  3. Either way, we're now on our default tenant, but that's not good enough. We'll want to create our own tenant with the proper name and domain. Going forward, I'll refer to Azure AD as AAD for short. On the AAD portal, click the Azure Active Directory link in the sidebar menu. This menu is the primary menu, and you'll soon realize why I call it that. Once in the AAD menu, you'll see "Default Directory"; click the "Manage tenants" link in the topbar. The topbar is the horizontal menu generally above the page content, and it provides the controls for the related page.
  4. You'll see your default tenant called "Default Directory". Let's create our new official tenant: click "Create". Keep the tenant type as the default, not B2C. Under Configuration, you'll name your tenant and give it the official domain name. Keep in mind the domain name will be appended with "@onmicrosoft.com". I'll set up the organization name as "Polyzen" and the domain will be "polyzenllc". Now click the "Create" button to finalize it. After the captcha confirmation, give the system a few minutes to create the new tenant!
  5. Once created, you'll be given a link to go to the tenant. Click on it; you'll notice the primary menu is gone and you're presented with what we'll call the secondary menu. Go back to "Manage tenants" and mark our new tenant as the default: check the box next to the new tenant, click "Make default tenant" and confirm the action. You'll now realize you're not actually in the AAD portal but in the main, universal Azure portal. Use the same link as before to go back to the AAD portal; oh, and you'll want to bookmark the link as you'll use it a lot - trust me.
  6. You're all done, so let's recap. We created a Microsoft account, an Azure account ("subscription"), created a new tenant and set it as the default. Nice! You now have an Azure Active Directory tenant to use for your organization or simply to practice with.

Azure AD Walkthrough

Azure AD has a lot of functionality and may be overwhelming so let's briefly go over everything you have at your disposal.

General Configuration

We'll want to first do some basic changes to allow us full access to the tenant and customize the experience a bit.

  1. Visit the AAD portal and from there click on the Properties tab under the Overview page. At the bottom of the page you'll see "Access management for Azure resources". Change the option to Yes and save the change.
  2. Next, click the Settings cog on the top navigation bar and select "Appearance + startup views". You can change to the dark theme if you wish to save your eyes at night. At the bottom, you'll want to select your new directory/tenant as the default startup directory so you never accidentally visit the default one. We keep the default directory around because of the subscription trial that began at registration.
  3. We'll now want to enable any available but optional preview features. Go back to the AAD page from the primary menu and click "Preview features" in the secondary menu. Enable all the optional preview features, as they're always a benefit, and be sure to save the changes. Microsoft is constantly developing new features and the majority of the time they're essential. For example, searching for objects used to be based on "starts with" only; "contains" search was optional while it was in development, with a release date of July 2020. In the past couple of months, "contains" search became generally available (GA) and is applied by default.
  4. Now onto the fun part - registering your custom domain in Azure AD! Visit "Custom domain names" from AAD's secondary menu. Every tenant has an @onmicrosoft.com domain, which is useful when you want to create something that's detached from your custom domain. This can be for testing, security or other creative reasons. One good example is creating a secondary global administrator account as a backup in case of a lockout event or a broken Azure AD Connect sync (we'll discuss this more later on). Anyway, click "Add custom domain" and enter your domain - in my case it would be polyzen.io. Microsoft requires verification, obviously, so complete one of the two methods. Once verified, you'll want to set this domain as the default from the topbar.
  5. Now go to "User settings" from AAD's secondary menu. Ideally, you'd want to limit what your users can do on their own on the tenant: "No" for "Users can register applications" and "Yes" for "Restrict access to Azure AD administration portal". This one is important; otherwise any standard user can see a read-only copy of your Azure AD tenant including users, groups, etc. I also like to disable LinkedIn connections.

Basic Management

Now that we've done the general configuration, let's discuss what Azure AD can provide. At this point, we won't be discussing anything that requires a paid subscription, otherwise called license(s).

Users

Users is where you'll manage anything related to... users. You can search for and modify user objects, restore deleted users, or adjust password reset settings (requires Azure AD P1 or P2 - paid). Password reset is also known as SSPR, or Self-Service Password Reset. Let's create our first user to become familiar with the process.

  1. Click "New user" to be taken to the creation page. You're given the option to either create or invite the user - we'll stick with create.
  2. I'll name the user "hydra" and keep my default "polyzen.io" domain. You'll notice in the dropdown that your @onmicrosoft.com domain is also available. This is how you create a user account that isn't part of what we'll call the primary domain. Everything we do, for the most part, is tied to a domain name we own.
  3. Give the user a name, e.g. John Doe or Help Desk. First and last name are optional, but you'd generally want to fill them out if the user is a human (not a service account).
  4. Now you have the option to either set a password or generate a random one. Even if you create your own password, it's only a temporary password: the first sign-in will prompt the user to enter a new password. The only way to set up a password without it being temporary is through PowerShell.
  5. If the user should be added to any groups, now's a good time, but since this is a brand new tenant, we don't have any groups yet. Roles are administrator roles, or permissions. For example, if you're creating a user account for a new tech department employee, you'll want to give them the proper admin permissions, such as "Azure AD joined device local administrator", which gives them admin rights on end users' devices.
  6. Usage location should be configured; otherwise you won't be able to assign the user any licenses. It's also used for sign-in logs and identity protection.
  7. The Job info section is very useful for organization, so make sure to fill it out as best as possible. It's important to keep it maintained to make management easy in the future. One example: if you want to deploy an app to all staff in your HR department, instead of maintaining that group membership by hand, you can create a dynamic user group based on the "Department" field. More on types of groups soon!
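The same user creation done from PowerShell, as an added example that is not part of the original post: it covers the non-temporary password mentioned in step 4, the usage location from step 6 and the Department field from step 7 using the Microsoft Graph PowerShell SDK. It assumes polyzen.io is already verified in the tenant and that the signed-in admin can create users.

```powershell
# Added example, not from the original post: create the "hydra" user from the
# walkthrough with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumes polyzen.io is already verified in the tenant and the signed-in admin
# can create users (e.g. the User Administrator role).
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Generate a random initial password locally rather than typing one into a script.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$newUser = @{
    DisplayName       = "Hydra Service"
    GivenName         = "Hydra"
    Surname           = "Service"
    UserPrincipalName = "hydra@polyzen.io"     # the @onmicrosoft.com domain also works here
    MailNickname      = "hydra"
    AccountEnabled    = $true
    UsageLocation     = "US"                   # required before any license can be assigned
    Department        = "IT"                   # Job info field that dynamic groups can key on
    PasswordProfile   = @{
        Password = $initialPassword
        # The portal always sets this to $true (temporary password). $false is the
        # non-temporary password the post says is only possible through PowerShell.
        ForceChangePasswordNextSignIn = $false
    }
}
$user = New-MgUser @newUser

# Check: read the fields back to confirm the location and department were stored.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, UsageLocation, Department |
    Select-Object UserPrincipalName, UsageLocation, Department

# Hand the initial password to the user out of band; it is not retrievable later.
"Created $($user.UserPrincipalName) ($($user.Id))"
```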

Groups

Groups come in a few types and allow you to assign profiles, apps, etc. to a subset of objects. Objects can be users, devices, service principals or other groups. Groups can also be used to assign administrative roles, licenses, and a few other functionalities. We'll go over how to create a group, what each type means, and how to manage the properties of a group. Some of the "advanced" stuff will be discussed at a later time.

  1. Now that you're more familiar with Azure AD, I'll assume you know where all the primary and secondary menu links are. Go to the Groups page and click "New group". You'll be offered two group types in the dropdown. Security is going to be used for almost everything. You'd create a Microsoft 365 group when you're setting up a collaborative group; it creates a shared mailbox, SharePoint site, shared files and a calendar. We won't be discussing Microsoft 365 groups at this time, so keep Security selected.
  2. Give your group a good, organized name. Sometimes you'd want to prefix it for a general purpose, like "INTN" for Intune use. Other times you'll want to label the group name with "Users" or "Devices" if you create two of the same groups with different sets of objects. Say you want to deploy an app to a set of users and also want to be able to look up all Intune-related groups; here's how I would approach it. "INTN - Adobe Acrobat" would be one group and "INTN - Kiosk Devices" another. This way you can easily identify whether the group has devices or users, and the general purpose of the group - Intune.
  3. Description is optional yet very useful. Some ideas to mention would be where the group will be used, whether it's temporary, or who created it if the tenant has multiple administrators.
  4. Membership types are assigned or dynamic; however, dynamic requires an Azure AD P1 or P2 tenant. Although we do not have the dynamic type available, a brief talk is due. Dynamic asks you to curate a condition that searches for applicable objects based on their properties, such as a user's department or devices enrolled in Autopilot (more on that later).
  5. Owners aren't required in Azure AD, although they are in on-premises AD. Whoever is assigned as the owner is allowed to manage the membership of the group. Assigning the department head as the owner allows that person to maintain their roster themselves without contacting IT for assistance.
  6. Members can be any of the four types of objects mentioned earlier. Devices and Users are the most common. Object types cannot be mixed; the group can contain only users or only devices, not both. This restriction applies to any variety of assignment, including Microsoft Endpoint's app and policy assignment.
  7. One last thing to mention before creating the group is the Azure AD Roles assignment option. It's only available with P1 and P2, but it's important to mention that this setting can only be managed at the time of group creation. You'd only want to enable this if you're creating a group for, say, Exchange administrators or Intune administrators.
  8. Once the group is created, go to the group you created and explore the additional management options available. At this time, the only one we can reasonably use is Properties, but let's discuss the others briefly. Licenses is a great way to stay organized with license assignments. Instead of assigning licenses directly to users, you can assign them to a group and the members will inherit them. If a user has both a direct license and an inherited (group-assigned) license, this causes a conflict. It's benign, but to keep the tenant clean, I'd recommend resolving it by removing the direct license.
  9. Roles and administrators allows you to assign Azure AD roles such as Global Administrator or Global Reader to the members of the group. This is only possible with P1 or P2, and only if the group was created with the option enabled. Using a group to assign roles instead of assigning them directly makes sense and keeps the tenant organized when the role will be assigned to multiple users. This goes a long way when your tenant is growing and you have to onboard new users: it's as simple as adding them to all applicable groups to inherit roles, licenses, etc.
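The group walkthrough done from PowerShell, as an added example that is not part of the original post: an assigned security group with the "INTN - " naming convention and an owner (steps 2, 3 and 5), the create-time-only role assignment option (step 7), and the dynamic Department-based group from the Users section (step 4 here). It uses the Microsoft Graph PowerShell SDK and assumes a department head already exists as hr.lead@polyzen.io (a constructed name) and that the tenant has Azure AD P1/P2 for the dynamic group.

```powershell
# Added example, not from the original post: create the two kinds of group discussed
# above with the Microsoft Graph PowerShell SDK. Assumes a department head already
# exists as hr.lead@polyzen.io (constructed name) and, for the dynamic group, that the
# tenant has Azure AD P1/P2.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$owner = Get-MgUser -UserId "hr.lead@polyzen.io"

# 1. Assigned security group using the "INTN - " prefix convention. The owner can
#    maintain the roster without contacting IT.
$acrobat = New-MgGroup -BodyParameter @{
    displayName         = "INTN - Adobe Acrobat"
    description         = "Intune: users who get Adobe Acrobat. Created by hydra."
    mailEnabled         = $false
    mailNickname        = "intn-adobe-acrobat"
    securityEnabled     = $true
    # Can only be chosen at creation time and never changed later. Set it to $true
    # only for an admin group (P1/P2, requires the Privileged Role Administrator role,
    # and the group must then be an assigned security group, not dynamic).
    isAssignableToRole  = $false
    "owners@odata.bind" = @("https://graph.microsoft.com/v1.0/users/$($owner.Id)")
}

# 2. Dynamic user group driven by the Job info "Department" field (P1/P2 only).
$hrStaff = New-MgGroup -BodyParameter @{
    displayName                   = "INTN - HR Staff"
    mailEnabled                   = $false
    mailNickname                  = "intn-hr-staff"
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")
    membershipRule                = '(user.department -eq "HR")'
    membershipRuleProcessingState = "On"
}

# Check: the owner on the assigned group, and the members once the dynamic rule has
# been evaluated (this can take a few minutes after creation).
Get-MgGroupOwner -GroupId $acrobat.Id | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
Get-MgGroupMember -GroupId $hrStaff.Id | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```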

Free Developer Tenant

Microsoft offers a developer tenant for free: a 90-day trial that can be renewed an unlimited number of times as long as it's "active" and strictly used for development. It's a great way to learn Azure AD and Endpoint. The developer tenant comes with Azure AD P2, which unlocks everything you'd normally have to pay for.

  • Includes 25 user licenses for development purposes
  • Preconfigured for sideloading Teams apps
  • Fully loaded sample data with 16 sample users, user data, and content to help you model your solutions.
  • Easy access to pre-provisioned core Microsoft 365 workloads and capabilities (Windows not included), including:
    • All Office 365 apps
    • Everything you need for Power Platform development
    • Office 365 Advanced Threat Protection
    • Advanced analytics with Power BI
    • Enterprise Mobility + Security (EMS) for compliance and information protection
    • Azure Active Directory for building advanced identity and access management solutions

Tidbit

I'll be taking advantage of HTML/CSS in these blogs to introduce a series of blog guides related to Microsoft Azure AD and Endpoint. My goal is to educate everyone on the modern, cloud-based user and device management platform created by Microsoft. Windows Active Directory is widely used across the globe by the majority of organizations, with a 95% market share. Migration to Azure AD has begun and all parties are putting their resources into it. Microsoft offers certifications related to Azure AD and Endpoint, such as Microsoft 365 Enterprise Administrator Expert.

This introduction is just the beginning; expect in-depth guides for anything Azure AD and Endpoint. I'll also touch on Microsoft Defender and its user identity and device protection features. Going forward, all guides will require an Azure AD P2 tenant, so be sure to sign up for the Microsoft 365 Developer Program - it will give you all of it for free!

06-15-2022, 06:08 PM
Fantastic blog post, great work as always Hydra. Always can count on you to produce quality content.