1. Identities & Governance in Azure - GlennVandenborre/AZ-104-Azure-Administrators GitHub Wiki
1.1 Configure MS Entra ID
1.1.1 Benefits & features of MS Entra ID
Microsoft Entra ID is Microsoft's multitenant, cloud-based directory and identity management service. It provides sign-in and access to:
- Internal resources and apps on your corporate network.
- External resources such as Microsoft 365, the Azure portal and SaaS apps.
- Cloud apps developed for your own organization.
MS Entra ID implementation
MS Entra ID features
- SSO: one identity for on-premises, cloud and SaaS apps.
- Universal device support: macOS, Android, iOS, Windows.
- Secure remote access: MFA and Conditional Access policies.
- Cloud extensibility: extend on-premises identities to the cloud and manage hybrid environments from one place.
- Sensitive data protection: Identity Protection detects risky sign-ins and compromised users.
- Self-service support: self-service password reset (SSPR).
1.1.2 MS Entra concepts
- Identity: an object that can be authenticated (a user, or an application or service using a certificate or secret).
- Account: an identity that has data (attributes) associated with it.
- MS Entra account: an identity created and stored in MS Entra ID (a work or school account).
- Azure tenant (directory): a dedicated instance of MS Entra ID for a single organization.
- Azure subscription: the billing unit for Azure services; every subscription trusts exactly one tenant, while a tenant can have many subscriptions.
1.1.3 ADDS versus MS Entra ID
ADDS
Active Directory Domain Services runs on servers in your own network, which is why it is also called on-premises Active Directory. AD DS authenticates and communicates with Kerberos, NTLM and LDAP.
MS Entra ID
- Identity solution: a complete identity-as-a-service package (authentication, MFA, Conditional Access, app provisioning), not just a directory.
- Communication protocols: everything runs over HTTP/HTTPS; authentication uses SAML, WS-Federation, OpenID Connect and OAuth 2.0 rather than Kerberos or NTLM.
- Federation services: federation with external identity providers (for example Facebook or Google) for guest and consumer identities.
- Flat structure: no OUs or GPOs; devices are managed with Intune and policies instead.
- Managed service: you manage users, groups and devices; Microsoft runs the directory itself.
1.1.4 MS Entra editions
- Free: basic directory, user and group management, SSO, and security defaults.
- Microsoft Entra ID P1: adds Conditional Access, dynamic groups, SSPR with on-premises writeback and hybrid features.
- Microsoft Entra ID P2: adds Identity Protection (risk-based policies) and Privileged Identity Management (PIM).
1.1.5 MS Entra join implementation
Benefits
- SSO to cloud apps with the work or school account.
- Enterprise State Roaming: user settings and app data sync across joined devices, so a new device needs far less configuration.
- Windows Hello for Business: passwordless sign-in with a PIN or biometrics backed by a device-bound key.
- Restriction of access: Conditional Access can require a joined (and compliant) device before granting access.
- Access to on-premises resources via hybrid join.
Connection options
- MS Entra registered devices: personal (BYOD) devices. The user registers the device in MS Entra ID and keeps signing in with a local or Microsoft account; the organization manages only the work identity on that device.
- MS Entra joined devices: organization-owned devices joined directly to MS Entra ID. Users sign in with their work or school account and the organization manages the device itself.
- MS Entra hybrid joined devices: organization-owned devices that are joined to on-premises Active Directory and also registered with MS Entra ID, so they keep GPOs and gain cloud features such as Conditional Access.
1.1.6 MS Entra Self-service password reset (SSPR)
SSPR gives users more autonomy and reduces helpdesk calls for password problems. Users reset their own password or unlock their own account after proving their identity with one or more registered methods, including:
- Mobile app notification (Microsoft Authenticator push)
- Mobile app code (TOTP)
- Mobile phone (SMS or voice call)
- Office phone (voice call)
SSPR Settings
- None: nobody can use SSPR, so the helpdesk keeps receiving password reset calls.
- Selected: only selected users or (preferably) groups can use SSPR; ideal for piloting before a tenant-wide roll-out.
- All: everyone in the organization can use SSPR.
Administrator accounts are always enabled for SSPR regardless of this setting and must use two authentication methods. Writing reset passwords back to on-premises AD DS for synced users requires password writeback, which needs a P1 or P2 license.
1.2 Configure user and group accounts
1.2.1 Users Accounts
Cloud identity
Administrator and user accounts that are managed as part of your organization and exist only in MS Entra ID.
Directory synced identity
Accounts that originate in on-premises Active Directory and are synchronized to MS Entra ID with MS Entra Connect (server-based) or MS Entra Cloud Sync (lightweight agent-based). The source of authority stays on-premises, so attributes are edited in AD DS, not in the portal.
Guest user
Accounts from outside your organization that are invited into your tenant to collaborate with your organization (B2B guests).
1.2.2 User Account management
User accounts can be managed from the Azure portal, the Microsoft 365 admin center, Azure CLI, Azure Cloud Shell and PowerShell. You can edit user profile data, and a deleted user account can be restored for up to 30 days after deletion (after that it is permanently purged). Sign-in logs and audit logs let you see who signed in from where, and who created, changed or deleted an account.
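The following is an added example, not code from the original wiki page: it shows the sign-in log, the audit log and the 30-day restore window for a deleted user with the Microsoft Graph PowerShell SDK (Microsoft.Graph module). The UPN and the idea that a user was deleted recently are assumptions for illustration.

```powershell
# Added example (not part of the original wiki page). Assumes the Microsoft.Graph
# module is installed and that 'jdoe@contoso.com' is a placeholder UPN.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All', 'AuditLog.Read.All'

$upn = 'jdoe@contoso.com'   # assumed placeholder

# Sign-in log: app, source IP, country and result (ErrorCode 0 means success)
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10 |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
                  @{ n = 'Country';   e = { $_.Location.CountryOrRegion } }

# Audit log: who deleted which user, and when
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Delete user'" -Top 5 |
    Select-Object ActivityDateTime,
                  @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
                  @{ n = 'Target'; e = { $_.TargetResources[0].UserPrincipalName } }

# Soft-deleted users stay recoverable for 30 days. Note that the directory
# rewrites the UPN of a deleted object with its object ID as a prefix, so match
# with a wildcard rather than on equality.
$deleted = Get-MgDirectoryDeletedItemAsUser -All |
    Select-Object Id, DisplayName, UserPrincipalName, DeletedDateTime
$deleted | Format-Table

$victim = $deleted | Where-Object { $_.UserPrincipalName -like "*$upn" }
if ($victim) {
    # Restore by object ID; the original UPN and group memberships come back
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $victim.Id
} else {
    Write-Warning "$upn is not in the deleted items (already restored, or past the 30-day window)"
}
```

Restoring by object ID rather than recreating the account with the same UPN matters: a recreated user gets a new object ID and loses its group memberships, licenses and app role assignments.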
1.2.3 Bulk actions
Bulk creating of users
Bulk creation (CSV upload in the portal, or a script) applies the naming convention and the initial-password policy consistently to every account and minimizes the typing errors that come with creating users one by one.
Bulk deletion of users
If you have to delete many users, bulk deletion saves a lot of time: you delete all related users in one action instead of one by one. Because the scope of a mistake grows with the batch, review the list first and remember the 30-day restore window.
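As an added example that is not part of the original wiki page, the script below creates users in bulk from CSV data with the Microsoft Graph PowerShell SDK: a first-initial-plus-surname naming convention, a random initial password that must be changed at first sign-in, per-row error handling, and a dry run of the matching bulk deletion. The CSV rows and the domain are constructed placeholders.

```powershell
# Added example (not part of the original wiki page). The CSV content and the
# tenant domain below are constructed placeholders; in practice use Import-Csv.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$domain = 'contoso.com'   # assumed tenant domain
$rows = @'
FirstName,LastName,Department,JobTitle
Ada,Lovelace,Engineering,Developer
Alan,Turing,Security,Analyst
'@ | ConvertFrom-Csv

function New-InitialPassword {
    # 16 bytes from the OS CSPRNG, base64-encoded, plus a symbol for complexity.
    # Never reuse one fixed initial password across a batch.
    $bytes = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes) + '!')
}

$created = foreach ($row in $rows) {
    # Naming convention: first initial + surname, lower-case, alphanumerics only
    $alias = ($row.FirstName.Substring(0, 1) + $row.LastName).ToLower() -replace '[^a-z0-9]', ''
    $upn   = "$alias@$domain"
    $initialPwd = New-InitialPassword
    try {
        $u = New-MgUser -DisplayName "$($row.FirstName) $($row.LastName)" `
                        -UserPrincipalName $upn -MailNickname $alias `
                        -GivenName $row.FirstName -Surname $row.LastName `
                        -Department $row.Department -JobTitle $row.JobTitle `
                        -AccountEnabled `
                        -PasswordProfile @{ Password = $initialPwd; ForceChangePasswordNextSignIn = $true }
        [pscustomobject]@{ UPN = $upn; Id = $u.Id; InitialPassword = $initialPwd; Status = 'created' }
    } catch {
        # A duplicate UPN or a bad attribute fails only this row, not the whole batch
        [pscustomobject]@{ UPN = $upn; Id = $null; InitialPassword = $null; Status = $_.Exception.Message }
    }
}
$created | Format-Table

# Bulk deletion of the same batch (for example to roll back a test run):
# dry-run with -WhatIf first, then remove the switch once the list is reviewed.
foreach ($u in ($created | Where-Object Status -eq 'created')) {
    Remove-MgUser -UserId $u.Id -WhatIf
}
```

Hand the initial passwords to the new users out of band and do not leave the `$created` table in a shared log; the only thing a helpdesk script should persist is the UPN and the object ID.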
1.2.4 Group accounts
Security Groups
Grant an assigned set of users (and devices) access to shared resources; security groups are the objects you reference in role assignments and Conditional Access policies.
M365 Groups
This type of group is designed for collaboration: members get a shared mailbox, calendar, SharePoint site, Teams team, and so on.
Membership types
- Assigned: you add specific users or devices by hand.
- Dynamic user: a membership rule adds and removes users automatically based on their attributes (for example, everyone whose department attribute equals Security).
- Dynamic device (security groups only): a membership rule adds and removes devices automatically based on device attributes such as OS type. Dynamic membership requires a P1 or P2 license.
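The three membership types side by side, as an added example that is not part of the original wiki page, using the Microsoft Graph PowerShell SDK. Group names, the department value and the Conditional Access use are placeholders.

```powershell
# Added example (not part of the original wiki page). Group names and the
# attribute values in the rules are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All', 'Device.Read.All'

# Assigned membership: a plain security group you populate yourself
$assigned = New-MgGroup -DisplayName 'sg-kv-readers' -MailNickname 'sg-kv-readers' `
    -MailEnabled:$false -SecurityEnabled

# Dynamic user: membership follows the department attribute; disabled accounts drop out
$dynUsers = New-MgGroup -DisplayName 'sg-dyn-security-dept' -MailNickname 'sg-dyn-security-dept' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Security") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'

# Dynamic device (security groups only): Windows devices that are MS Entra joined
# (trustType "AzureAD"); hybrid joined would be "ServerAD", registered "Workplace"
$dynDevices = New-MgGroup -DisplayName 'sg-dyn-windows-joined' -MailNickname 'sg-dyn-windows-joined' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAD")' `
    -MembershipRuleProcessingState 'On'

# Populate the assigned group explicitly (the dynamic ones fill themselves)
$owner = Get-MgUser -Filter "userPrincipalName eq 'jdoe@contoso.com'"   # placeholder UPN
New-MgGroupMember -GroupId $assigned.Id -DirectoryObjectId $owner.Id

# Dynamic evaluation is asynchronous, so check the result after a while rather
# than immediately; members come back as directory objects
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $dynUsers.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
Get-MgGroupMember -GroupId $dynDevices.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

The rule on the user attribute is only as trustworthy as the attribute: if `department` is user-editable or unsynchronized, a dynamic group keyed on it should not be used to grant privileged access.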
1.2.5 Administrative units
An administrative unit is a container for users, groups and devices that restricts the scope of an administrative role: an admin assigned a role over the unit can manage only the objects in it, not the whole tenant.
1.3 Configure Subscriptions
1.3.1 Azure Regions
A geographical area containing at least one, and usually several, datacenters connected by a low-latency network. Examples: West Europe, West US, East US.
Regional pairs
A region paired with another region in the same geography; for example, West Europe is paired with North Europe.
- Physical location: paired datacenters are at least 300 miles (483 km) apart where possible, to limit the impact of a regional disaster.
- Platform-provided replication: some services replicate automatically to the paired region, for example Geo-redundant Storage (GRS).
- Region recovery order: in a broad outage, one region of each pair is prioritized for recovery.
- Sequential updates: planned platform updates roll out to one region of the pair at a time, minimizing downtime and the blast radius of a bad update.
- Data residency: pairs stay within the same geography (with a few exceptions such as Brazil South, which is paired with South Central US).
1.3.2 Azure subscriptions
A logical unit of Azure services that's linked to an Azure account. An Azure account is an identity in Microsoft Entra ID or a directory that's trusted by Microsoft Entra ID, such as a work or school account.
1.3.3 Obtaining an Azure subscription
1.3.4 Usage of Azure subscriptions
There are four common subscription offers: Azure free account, Pay-As-You-Go, Azure Enterprise Agreement and Azure for Students.
1.3.5 Cost Management
Cost Management handles administrative billing tasks and controls who has access to cost data.
- Cost analysis
- Budget options
- Recommendations
- Export cost management data
1.3.6 Resource tagging
Tags (name/value pairs) logically categorize Azure resources for sorting, searching, managing and analyzing them.
- Search on tag data.
- Find related resources.
- Group billing data (for example by cost center).
- Create and update tags with PowerShell or the CLI.
- Enforce tags with Azure Policy: deny resources without a required tag, or add a default value if the tag is missing.
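The tagging workflow end to end, as an added example that is not part of the original wiki page: set tags with Az PowerShell, find resources that lack a tag, then define and assign a custom Azure Policy with the modify effect that adds the tag wherever it is missing and remediate existing resources. The resource group, tag names and values and the location are placeholders; the role definition ID is the well-known built-in Contributor role.

```powershell
# Added example (not part of the original wiki page). Assumes the Az module
# (Az.Resources, Az.PolicyInsights); resource group, tags and location are
# placeholders.
Connect-AzAccount
$subId = (Get-AzContext).Subscription.Id
$rg    = Get-AzResourceGroup -Name 'rg-prod-web'   # assumed resource group

# Merge keeps the resource's existing tags and adds/overwrites the given ones;
# -Operation Replace would silently drop every tag not listed here.
Update-AzTag -ResourceId $rg.ResourceId -Tag @{ CostCenter = 'CC-1234'; Owner = 'web-team' } -Operation Merge

# Inventory: every resource in the subscription still missing the CostCenter tag
Get-AzResource |
    Where-Object { -not $_.Tags -or -not $_.Tags.ContainsKey('CostCenter') } |
    Select-Object Name, ResourceType, ResourceGroupName

# Custom policy: if the tag does not exist, add it. The modify effect runs as the
# assignment's managed identity, which needs a role (Contributor here) at scope.
$rule = @'
{
  "if": { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],
      "operations": [
        { "operation": "add",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]" }
      ]
    }
  }
}
'@
$params = @'
{
  "tagName":  { "type": "String", "metadata": { "displayName": "Tag name" } },
  "tagValue": { "type": "String", "metadata": { "displayName": "Tag value" } }
}
'@
$def = New-AzPolicyDefinition -Name 'add-missing-tag' -DisplayName 'Add a tag to resources if missing' `
    -Mode 'Indexed' -Policy $rule -Parameter $params

# Assign at subscription scope with a system-assigned identity so modify can write
$assignment = New-AzPolicyAssignment -Name 'add-costcenter-tag' -PolicyDefinition $def `
    -Scope "/subscriptions/$subId" -IdentityType 'SystemAssigned' -Location 'westeurope' `
    -PolicyParameterObject @{ tagName = 'CostCenter'; tagValue = 'unassigned' }

# Grant the assignment's identity the role the policy declares, at the same scope
Start-Sleep -Seconds 30   # let the new identity propagate
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionName 'Contributor' -Scope "/subscriptions/$subId"

# modify only acts on create/update; existing resources need an explicit remediation
Start-AzPolicyRemediation -Name 'add-costcenter-tag-remediation' `
    -PolicyAssignmentId "/subscriptions/$subId/providers/Microsoft.Authorization/policyAssignments/add-costcenter-tag"
```

Prefer `modify` with a placeholder value like `unassigned` over a `deny` policy when you are introducing tagging: deny breaks existing deployment pipelines immediately, while the placeholder makes untagged resources visible in cost analysis without blocking anyone.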
1.3.7 Cost Savings
Azure Reservations
Pay significantly less for resources such as VMs or databases when you commit to using them for one or three years.
Azure Hybrid benefits
Reuse existing on-premises Windows Server and SQL Server licenses (with Software Assurance) on Azure instead of paying for new ones.
Azure credits
A monthly credit (for example with Visual Studio subscriptions) that you can spend on test and development resources at no extra charge.
Azure Regions
Prices for the same service vary from region to region, so weigh cost against latency and data residency when you choose where to deploy.
Budgets
Monitor spending over time and create budgets with alert thresholds so you are notified before you overspend.
Pricing Calculator
The pricing calculator gives you a cost estimate for any combination of Azure services before you buy anything.