1.1 Manage Microsoft Entra users and groups Flashcards

1
Q

What is Microsoft Entra

A

Cloud-based directory and identity management service. It supports user access to resources and applications.

2
Q

Key components of Microsoft Entra

A

Microsoft Entra has 5 key components:
1. Identity
  An object that can be authenticated, such as a user, server or application.

2. Account
  You can't have an account without an identity. An account is an identity with data associated with it.

3. Microsoft Entra account
  Called a work or school account. An identity that's created through Microsoft Entra ID or another Microsoft cloud service such as Microsoft 365.

4. Azure tenant
  A single dedicated and trusted instance (directory) of Microsoft Entra ID. Represents a single organization.
  You can create multiple tenants or instances.

5. Subscription
  Used to pay for Azure cloud services. You can have multiple subscriptions.
3
Q

Compare Microsoft Entra vs Active Directory

A
  1. Identity solution
    *AD DS
    - is primarily a directory service
    *Entra ID
    - is a full identity solution
    - Designed for internet-based applications and uses HTTPS/HTTP communications
  2. Communication protocols
    - Entra ID does not use Kerberos authentication but is instead based on HTTPS/HTTP protocols such as SAML, WS-Federation and OpenID Connect for authentication
    - Uses OAuth for authorization
  3. Microsoft Entra includes federation services and many third-party services.
  4. Flat structure
    - Users and groups are created in a flat structure
    - There are no OUs or Group Policy Objects
  5. Managed service
    - Entra ID is a managed service. You only manage users, groups and policies.
    - If you deploy AD DS in Azure, you manage many other tasks yourself, such as deployment, configuration, VMs, patching etc.
4
Q

Things to consider when using joined devices

A

A device identity is an object in Microsoft Entra ID, similar to users, groups or applications. It allows admins to make access or configuration changes.

There are 3 ways to get a device identity
1. Microsoft Entra Registration
2. Microsoft Entra join
3. Microsoft Entra hybrid join

  1. Microsoft Entra registration (also known as workplace joined)
    - Provides support for BYOD and mobile devices for users
    - Allows a user to access the organization's resources by using their own devices
    - Allows users to use a local account, such as a Microsoft account, on a Windows 10 or newer device
    - You can disable and enable a device

** Example scenarios:
*A user in your organization wants to access your benefits enrollment tool from their home PC. Your organization requires that anyone accesses this tool from an Intune compliant device. The user registers their home PC with Microsoft Entra ID and Enrolls the device in Intune, then the required Intune policies are enforced giving the user access to their resources.

*Another user wants to access their organizational email on their personal Android phone that has been rooted. Your company requires a compliant device and has created an Intune compliance policy to block any rooted devices. The employee is stopped from accessing organizational resources on this device.

  2. Microsoft Entra joined devices
    - Microsoft Entra joined devices are signed in using an organizational Microsoft Entra account
    - Access to resources can be controlled based on the Microsoft Entra account and Conditional Access policies
    - The organization owns the device
    - Works with a hybrid solution, which enables access to both on-prem and cloud apps and resources

**Scenarios
Microsoft Entra join can be used in various scenarios like:

You want to transition to cloud-based infrastructure using Microsoft Entra ID and MDM like Intune.
You can’t use an on-premises domain join, for example, if you need to get mobile devices such as tablets and phones under control.
Your users primarily need to access Microsoft 365 or other SaaS apps integrated with Microsoft Entra ID.

You want to manage a group of users in Microsoft Entra ID instead of in Active Directory. This scenario can apply, for example, to seasonal workers, contractors, or students.

You want to provide joining capabilities to workers who work from home or are in remote branch offices with limited on-premises infrastructure.

You can configure Microsoft Entra join for all Windows 11 and Windows 10 devices except for Home editions.

The goal of Microsoft Entra joined devices is to simplify:

Windows deployments of work-owned devices
Access to organizational apps and resources from any Windows device
Cloud-based management of work-owned devices
Users to sign in to their devices with their Microsoft Entra ID or synced Active Directory work or school accounts.

5
Q

Create users and groups

A
  • There are 3 different types of users:
    1. Cloud identity
      - User accounts/external user accounts defined in your Microsoft Entra organization
    2. Hybrid
      - On-prem accounts that synchronize via Microsoft Entra Connect, which brings the accounts into Azure
    3. Guest
      - Accounts that are outside of Azure, such as Microsoft accounts like Xbox Live
      - The source for a guest user account is the invited user. This is useful for allowing external vendors/contractors to have access to your Azure resources

There is also the entra.microsoft.com portal

6
Q

Manage licenses in Microsoft Entra

A
  1. Microsoft Entra ID Free
    - Provides user and group management
    - On-prem directory synchronization
    - Basic reports
    - Supports SSO for Azure, Microsoft 365 and many SaaS apps
  2. Microsoft Entra ID for Microsoft 365 apps
    - Has the Free features
    - Provides identity and access management for Microsoft 365 apps
    - MFA, group access management, self-service password reset for cloud users
  3. Microsoft Entra ID P1
    - Has all the Free features
    - Allows hybrid users to access both on-prem and cloud resources
    - Supports dynamic groups and self-service group management
    - Allows self-service password reset for on-prem users as well
  4. Microsoft Entra ID P2
    - Has the Free and P1 features
    - Offers Microsoft Entra ID Protection to help provide risk-based Conditional Access to apps and data
    - Privileged Identity Management (PIM) is included to help discover, restrict and monitor admins and their access
    - Also provides just-in-time access when needed

For PIM you need a P2 license

7
Q

Configure self-service password reset (SSPR)

A

Allows users to reset their password on their own.

Things to know about the SSPR feature
1. Requires Microsoft Entra Global Administrator privileges to manage SSPR options
2. SSPR uses a security group to limit which users have SSPR privileges
3. All user accounts must have a valid license to use SSPR

Things to consider when using SSPR
1. Authentication methods
  - You can set how many authentication methods are required for a user to reset their password
  - Requires at least one authentication method
  - Authentication options are email notification, text message or a security code sent to the user's phone. You can also let users set up security questions.
  - You can configure how many security questions must be answered correctly for the password reset to succeed

2. Combine methods for stronger security
  - If security questions are supported, it is best to combine them with another authentication method.
8
Q

Manage external users

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users

A

To invite a guest user to your organization:
*An invitation is sent via email to the user, and they need to accept it.

9
Q

Manage user and group properties

A
10
Q
A