Azure AD - jasper-zanjani/azure GitHub Wiki
AZ-104: 1.1
Azure AD has its own set of roles which apply to Azure AD resources and which are distinct from those of Azure RBAC.
The terms tenant and directory are deeply connected and often confused with one another.
- A tenant refers to an instance of Azure AD that is tied to a subscription, and refers to the organization.
- Each tenant is associated with a dedicated and trusted directory that includes the tenant's users, groups, and apps.
- Global Administrator can manage access to administrative features in AAD and can grant administrator roles to other users. An AAD Global Administrator can also temporarily elevate their own access to the Azure RBAC role of User Access Administrator in order to manage all Azure subscriptions and management groups. Whoever signs up for the directory is automatically assigned this role.
- Device administrator
In order to make sure AD users can change their password either locally or in the cloud, Azure AD has to be upgraded to Premium. Enterprise State Roaming allows users to securely synchronize user settings and application settings to Azure.
Self-Service Password Reset (SSPR) is supported for all users. SSPR registration can be configured by group or for all domain users, but not individual users.
Business-to-business (B2B) collaboration allows you to invite guest users into your own (What is guest user access in Azure Active Directory B2B?)
When you join a device to an Azure AD tenant's domain, Azure AD creates local administrator accounts on the device for:
- The user joining the device
- The Azure AD global administrator
- The Azure AD device administrator
Administrator accounts are treated differently from other user accounts for SSPR and have a "strong default two-gate password reset policy", which requires two pieces of authentication data and foregoes the use of security questions.
The only information really needed to invite a guest is an email address.

```powershell
New-AzureADMSInvitation -InvitedUserEmailAddress someexternaluser@externaldomain.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.onmicrosoft.com"
```
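The invitation cmdlet returns an object describing the guest account it created, which is worth checking: the account exists in the tenant as a Guest immediately, before the invitee has accepted. The following is an added example, not from the wiki, that sends the invitation and then reads the resulting user back; it assumes the AzureAD module is loaded, Connect-AzureAD has been run, and the email address and redirect URL are placeholders.

```powershell
# Added example: invite an external user and confirm the resulting account is a Guest.
# Assumes Connect-AzureAD has already been run with an account allowed to invite guests.
$email       = 'someexternaluser@externaldomain.com'   # placeholder address
$redirectUrl = 'https://myapps.microsoft.com'           # assumed landing page after acceptance

$invite = New-AzureADMSInvitation -InvitedUserEmailAddress $email `
    -SendInvitationMessage $true -InviteRedirectUrl $redirectUrl

# The invitation object carries the object id of the guest account that was created.
$guest = Get-AzureADUser -ObjectId $invite.InvitedUser.Id

# UserType should be 'Guest'; UserState stays 'PendingAcceptance' until the invite is redeemed.
[PSCustomObject]@{
    UserPrincipalName = $guest.UserPrincipalName
    UserType          = $guest.UserType
    UserState         = $guest.UserState
    InviteStatus      = $invite.Status
}
```

Listing guests that never redeemed their invitation (`Get-AzureADUser -Filter "userType eq 'Guest'"` filtered on `UserState`) is a cheap periodic hygiene check for stale external accounts.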
Import members by first navigating to the group to which they will be added, then importing from a CSV. A template is available.
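The portal's CSV import has a PowerShell equivalent, which is easier to audit and to re-run. The following is an added example, not from the wiki, that adds group members from a CSV while skipping unknown accounts and users who are already members; the group name, CSV path and the single `UserPrincipalName` column are assumptions made for the example.

```powershell
# Added example: bulk-add group members from a CSV with the AzureAD module.
# Assumes Connect-AzureAD has already been run with rights to modify the group.
# Assumed CSV layout (constructed for this example): one header column, "UserPrincipalName".
$groupName = 'Finance-Readers'   # hypothetical group
$csvPath   = '.\members.csv'     # hypothetical path

$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Snapshot current membership so the script is idempotent on re-runs.
$existing = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
            Select-Object -ExpandProperty UserPrincipalName

foreach ($row in Import-Csv -Path $csvPath) {
    $upn = $row.UserPrincipalName.Trim()
    if ([string]::IsNullOrWhiteSpace($upn)) { continue }

    if ($existing -contains $upn) {
        Write-Host "skip (already a member): $upn"
        continue
    }

    # Resolve the UPN to an object; an unknown UPN is reported, not silently ignored.
    $user = Get-AzureADUser -Filter "UserPrincipalName eq '$upn'"
    if (-not $user) {
        Write-Warning "not found in tenant, skipped: $upn"
        continue
    }

    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    Write-Host "added: $upn"
}
```

Keeping the CSV under version control alongside the script gives a reviewable record of who was granted membership and when.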
Sources
- Assign or remove licenses in the Azure Active Directory Portal
- Configure Microsoft 365 user account properties with PowerShell
Note: The user to be licensed must first have a usage location set.
Use the ISO 3166-1 alpha-2 two-letter country or region code to set this value in PowerShell (the cmdlet also needs the user's ObjectId or UPN):

```powershell
Set-AzureADUser -ObjectId user@contoso.com -UsageLocation 'US'
```
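Setting the usage location is only the prerequisite; the license assignment itself goes through `Set-AzureADUserLicense`. The following is an added example, not from the wiki, that sets the location if it is missing, checks that the SKU has free units, and then assigns it; the user principal name and SKU part number are placeholders.

```powershell
# Added example: set usage location, then assign a license with the AzureAD module.
# Assumes Connect-AzureAD has already been run with a licensing-capable role.
$upn     = 'alice@contoso.com'   # hypothetical user
$skuPart = 'ENTERPRISEPACK'      # hypothetical SKU part number; real ones come from Get-AzureADSubscribedSku

$user = Get-AzureADUser -ObjectId $upn

# Licensing fails without a usage location, so set it first (ISO 3166-1 alpha-2 code).
if (-not $user.UsageLocation) {
    Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation 'US'
}

# Look up the SKU and make sure the tenant actually has an unconsumed unit.
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $skuPart }
if (-not $sku) { throw "SKU '$skuPart' is not present in this tenant" }

$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($available -le 0) { throw "No free '$skuPart' licenses (enabled $($sku.PrepaidUnits.Enabled), consumed $($sku.ConsumedUnits))" }

# Build the assignment object and apply it.
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $sku.SkuId

$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license

Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

# Confirm the assignment took effect.
(Get-AzureADUser -ObjectId $user.ObjectId).AssignedLicenses | Select-Object SkuId
```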
Create a Conditional Access policy to enforce MFA for specified users.
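A Conditional Access policy is three pieces: who it applies to, which apps it covers, and what control is required. The following is an added example, not from the wiki, that creates a policy requiring MFA for the members of one group across all cloud apps; it assumes the AzureAD module (2.0.2.x or later, which carries the `*-AzureADMSConditionalAccessPolicy` cmdlets), an existing Connect-AzureAD session, and a hypothetical pilot group name. It is created in report-only state so sign-in logs show the impact before anyone is blocked.

```powershell
# Added example: Conditional Access policy that requires MFA for one group, starting in report-only mode.
# Assumes Connect-AzureAD has already been run with a Conditional Access administrator role.
$groupName = 'MFA-Pilot'   # hypothetical pilot group
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Conditions: every cloud app, scoped to the pilot group's members.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $group.ObjectId

# Grant control: the built-in 'mfa' control is the only requirement, so the operator does not matter.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# Report-only first; switch -State to 'enabled' once the sign-in logs look as expected.
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA - $groupName" `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions -GrantControls $controls

$policy | Select-Object Id, DisplayName, State
```

Before enabling a policy like this, exclude at least one break-glass account from `IncludeGroups` (via `ExcludeUsers`) so an MFA outage cannot lock every administrator out of the tenant.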
AZ-103: 410