Microsoft Entra ID Beginner's Tutorial (Azure Active Directory)

00:00

(music)

00:02

- Imagine being able to use the same sign-in credentials

00:05

to securely access all of your online services for work,

00:09

not only the ones hosted by Microsoft,

00:10

but even other cloud apps and service providers

00:13

just using your work email address

00:15

and without needing to remember your passwords.

00:18

Well, all of that is possible

00:19

with Microsoft Entra ID.

00:21

As a common identity and access management solution,

00:23

its primary job is to help you prove

00:26

you are who you say you are.

00:27

And once that's verified,

00:28

which is a process called authentication,

00:31

you can access services that you have permissions to use,

00:34

which we refer to as authorization.

00:36

So today, I'm going to walk you through all the fundamentals

00:39

of Microsoft Entra ID, what it is and how it works.

00:42

First, as a user to access services

00:44

even from non-Microsoft clouds, like Google, Salesforce,

00:48

AWS, and others.

00:49

Then if you're an identity admin,

00:51

I'll walk through the basics with a focus

00:53

on users, groups, and roles.

00:55

And the good news is if you're familiar

00:57

with Azure Active Directory,

00:59

Microsoft Entra ID is its new name.

01:01

And while there are a few new updates,

01:03

it's going to look pretty familiar.

01:05

So let's start by looking at why you would even consolidate

01:08

identity services into a single provider.

01:11

And there are really quite a few reasons.

01:13

First, it's not easy to remember

01:15

all the different logins that you use

01:16

to access multiple apps and services.

01:18

And related to that,

01:20

the reality is many people will reuse their username

01:23

and password across different services.

01:25

So when one of those services gets hacked

01:28

and leaks your credentials,

01:30

without you even knowing it,

01:31

adversaries will use those leaked credentials

01:34

to access other services.

01:36

And what if you're one of the responsible ones,

01:38

and you don't reuse passwords

01:39

or you make a point of setting up second factor

01:41

of authentication whenever possible?

01:44

Well, that's one step better from a security point of view,

01:46

but for the organizations you work for,

01:49

it would still mean that they need to manage each service

01:52

that you're accessing separately,

01:54

for everything from account creation,

01:55

changes associated with your identity,

01:57

password resets, and more.

01:59

So if you could just have one username

02:01

and a unified system to log into all your work services,

02:05

where it's more secure with two factors

02:07

of authentication, works with passwordless login

02:10

so you don't need to remember multiple passwords,

02:12

just your email address.

02:14

It assesses sign-in risk in real-time.

02:16

Like if someone from another country

02:18

has stolen your credentials

02:19

and is trying to use your account,

02:21

so it can block them.

02:22

You can get to all of your assigned web

02:24

or line of business apps from one central location

02:27

instead of managing this yourself

02:29

with lots of browser bookmarks and favorites.

02:32

And for IT and your help desk,

02:33

all of this can be managed in one place.

02:35

Doesn't that sound like a better option?

02:37

And that's what Microsoft Entra ID is all about.

02:40

Multi-cloud identity and access management,

02:43

enabling secure access to your work applications

02:46

and protecting your identity, which then in turn

02:48

helps protect the information and services you use.

02:52

Now let's switch gears to the identity admin experience

02:54

and a few important things you should know

02:56

about before you get started.

02:57

These will become prerequisites and dependencies

02:59

as you work with core capabilities.

03:02

So I'll start in the Microsoft Entra Admin Center.

03:05

You can get to it by navigating to entra.microsoft.com.

03:09

By the way, for Microsoft Cloud services

03:11

like Microsoft 365 or Intune,

03:14

an instance of Microsoft Entra

03:16

is set up behind the scenes

03:17

for your organization automatically.

03:19

And even though the same information

03:21

is presented in these different admin experiences,

03:24

you can make changes in any of these locations

03:26

to the same shared backend service.

03:29

For today though, I'll keep things simple

03:31

and I'll do everything

03:31

from the Microsoft Entra Admin Center.

03:34

First, and as I mentioned before,

03:35

with things like Google, Salesforce, and AWS services,

03:38

you can manage identities for non-Microsoft services

03:42

in addition to those offered by Microsoft.

03:45

In enterprise applications, you can see that my environment

03:47

has quite a few of these already set up.

03:50

In most cases, there is a one-time operation

03:53

to set each of these up

03:54

where you'll configure Microsoft Entra ID

03:57

as the identity provider for that app or service,

04:00

its integration details,

04:01

and which users or groups can access it.

04:03

Next, if you currently have an on-premises directory service

04:06

like Active Directory, you can configure it

04:09

within hybrid management

04:10

to work directly with Microsoft Entra ID

04:12

to synchronize services from basic topologies

04:15

to even more advanced ones.

04:17

Then of course, as shown and mentioned,

04:18

you'll use Microsoft Entra to manage identities.

04:22

Now these can be users,

04:23

they can also be devices,

04:25

then groups that can consist of users, devices,

04:28

and managed identities.

04:30

And these managed identities can include applications

04:32

or other resources like a cloud-hosted virtual machine.

04:35

In protections, you'll find authentication methods,

04:38

which you'll want to use for multifactor authentication.

04:41

That's because password-only authentication

04:43

is not safe or recommended and Microsoft Entra ID

04:46

makes it simple to standardize

04:48

on more secure passwordless multifactor sign-ins.

04:51

And Microsoft Entra supports

04:53

multiple authentication methods,

04:55

including biometric sign-in options

04:57

with Windows Hello for Business,

04:59

FIDO2 security keys, as well as mobile phones

05:02

with the Authenticator app,

05:04

along with other options that go beyond basic authentication

05:07

using just passwords.

05:09

And another major benefit of Microsoft Entra ID

05:12

is its ability to assess risk in real-time

05:15

using Conditional Access.

05:17

So here, we base access decisions on user risk level,

05:20

the IP location, where the sign-in attempt is coming from,

05:24

whether the device trying to sign in is compliant,

05:26

and the applications.

05:27

After that, as you sign into those services,

05:29

conditional access can decide to allow, block,

05:33

or require additional authentication strength

05:35

based on the controls that you set for granting access.

05:39

So now you know a few of the core capabilities.

05:41

Let's look at a few of the basics that you'll need

05:43

to know when running the service on a day-to-day basis.

05:47

And then once you have an instance

05:48

of Microsoft Entra ID running,

05:50

the most common tasks you'll have

05:52

is to manage user accounts.

05:54

So here, you can see that I already have a few users added,

05:56

but I'll add another to show you how that process works.

05:59

And immediately, you'll see that I have options

06:01

for users both internal to my organization

06:03

and external to my organization.

06:05

When you get started, you'll typically

06:07

want to add internal users as members of your organization.

06:10

The user principle name, often referred to as a UPN,

06:14

is normally the same as an email address

06:16

and you can use whatever standard construct

06:18

you have in place.

06:20

So I'll use first initial and last name.

06:23

The display name then is usually the fully spelled out

06:25

first and last name.

06:27

And even though ultimately, this account

06:29

will be used with passwordless multifactor authentication

06:31

later, we'll let the system generate a password.

06:34

Then in properties, you'll input all the user's details,

06:37

and these are important to fill in

06:38

because you'll need them later for filtering

06:40

and dynamic grouping that I'll show you in a moment.

06:43

So now I have all their details inputted.

06:45

The next in assignments, I can manually add

06:47

this user account to an existing group.

06:49

So I'll do that here.

06:51

And the same is true for adding roles,

06:53

as I scroll down this list of built-in roles,

06:56

you'll see they can be pretty specialized

06:57

with lots of administrator roles.

06:59

Now for many user types, you won't need to define a role.

07:02

You can add them later if you want to,

07:04

but for my case, I'll just close this out

07:06

and I'll create the user account.

07:08

And now we have our new user,

07:09

and what's often just as common for managing users

07:11

is editing them.

07:12

So I'm going to click into this user account.

07:15

Right on the top, you'll find some of the most common tasks

07:17

for editing properties, deleting the account,

07:19

resetting the password, or revoking the sessions

07:22

that the selected user is currently logged into.

07:25

And this will come in handy if a user,

07:26

say, reports a lost or stolen device.

07:29

On the left, you'll find the applications

07:31

that each user has assigned to them.

07:33

Importantly, Microsoft Entra ID is often also used

07:36

for license assignment with Microsoft services.

07:40

And here, you can see the top level products.

07:42

And if I click into assignments,

07:44

you can even control access to lots of the underlying apps

07:47

and services within each of those top level product plans.

07:50

This allows you to curate exactly which app experiences

07:53

users have access to, so it's not all or nothing.

07:57

Then in devices, you can see which devices

07:59

and the details for each device that this user

08:02

has joined to Microsoft Entra.

08:04

And for each user account,

08:05

you can access a full set of audit logs

08:08

with different events related to their identity,

08:11

as well as detailed sign-in logs to see which apps

08:13

they've recently signed into, along with their locations.

08:17

Okay, so now with our users configured,

08:19

let's dig into how you'd group them together using groups.

08:23

These can comprise of users, other groups, devices,

08:26

and also managed identities.

08:28

In fact, here, you can see a few different groups

08:30

and types spanning Microsoft 365, distribution,

08:33

and security groups.

08:35

These are all based on roles, devices, locations, and more.

08:39

So I'll create a new group,

08:40

and you'll see that these can be security groups,

08:42

or Microsoft 365 groups.

08:45

And I'll explain what each one of them does

08:46

and we'll start with security groups.

08:48

So you'll see from these controls

08:49

that security groups are simply a logical grouping

08:52

of objects in the directory.

08:55

As I click into members,

08:56

you'll also see these can be users,

08:58

other groups, devices, and enterprise applications.

09:01

And that's it.

09:03

Conversely though, if I back out of the process

09:05

and start a Microsoft 365 group,

09:07

you'll see the difference here is that it provisions

09:09

a shared set of resources, like a shared inbox,

09:13

and calendar in Exchange as indicated here.

09:16

And behind the scenes,

09:17

it's also creating a SharePoint document library

09:20

along with a few other Microsoft 365 resources.

09:24

Then for member types, this time, you'll only see users

09:27

which can be people or things like meeting rooms.

09:31

And something else that you can set up for both users

09:33

and devices are Dynamic Groups.

09:36

Now, pay attention as I change the membership type here

09:38

from assigned, where you or others will manually assign

09:41

members as is indicated at the bottom,

09:43

to dynamic in this case.

09:45

And you'll see that members down below just change

09:48

to add dynamic query.

09:50

Now this is super useful

09:51

because it will automatically enroll,

09:53

or conversely unenroll users or devices

09:55

into groups based on their individual properties.

09:58

In this case, I want to group everyone

10:00

from the city where the value equals,

10:03

and then I'll type Bellevue and save it.

10:06

Now go ahead and name my group Bellevue Users

10:08

and hit create.

10:10

And that takes a moment to provision the group

10:11

and its underlying services.

10:14

Then if I open up the group,

10:15

you'll see that in members, it's already found and added

10:18

three people already working

10:19

in the city of Bellevue automatically.

10:22

So now let's move into something a bit more admin-focused

10:24

and how you and your fellow admins can manage resources

10:27

using admin roles.

10:29

So I'm going to move into roles and admins.

10:30

And if you're familiar with the concept

10:32

of role-based access control, or RBAC,

10:34

this is how you can right-size admin level permissions

10:37

to only the things that you need to access.

10:39

Of course, it's a huge risk if you just give everyone

10:42

global admin rights,

10:43

especially if you have a larger IT team.

10:46

So these roles can pinpoint permissions based

10:48

on the resources that each admin needs to manage.

10:52

So now if I jump back over to a user like Christie here,

10:55

in assigned roles, I can add one,

10:57

and now she can perform that function.

10:59

So now let's talk about admin units,

11:01

which are another way to restrict permissions in a role,

11:04

similar to an organizational unit,

11:06

if you're familiar with Active Directory,

11:07

for example, to certain departments, regions,

11:09

or other segments in your organization.

11:12

Let show you an example.

11:13

So here, I'm going to create a new admin unit.

11:16

Now I'll give it a name, Help Desk.

11:19

And this restricted management control is important

11:21

because it means the tenant level admins

11:23

won't simply inherit this role if you don't want them to.

11:27

Then I'll assign roles, and I'll pick a Teams administrator

11:29

in this case, which will allow these users

11:31

that I'll pick next to manage Microsoft Teams settings.

11:35

So now I'll pick a few people

11:36

working as Microsoft Teams admins.

11:38

And from there, I can create it.

11:40

Again, just those people that I defined have access

11:43

to manage the Teams service.

11:45

And one more component I'll touch on today

11:47

is how Microsoft Entra integrates with device management.

11:51

So as I mentioned before,

11:52

device state can be used to assess sign-in risk

11:55

in real-time with Conditional Access.

11:57

And it also works to enable single sign-on

11:59

with something called Microsoft Entra join,

12:02

so that as you sign into your device running Windows,

12:05

and now even macOS,

12:07

that single sign-on can transfer

12:09

to local and web apps you use to access work resources.

12:13

You can enable this from device settings,

12:15

and importantly, require multi-factor authentication

12:18

be used to register or join devices with Microsoft Entra.

12:22

And by the way, all of this works seamlessly

12:24

with Microsoft Intune and other endpoint management tools

12:27

as you use those to manage the broader tasks

12:30

of device management from provisioning,

12:32

to app distribution, and device configuration.

12:35

So those are a few of the core concepts

12:36

to manage users, groups, applications, and devices.

12:39

Now to learn more, check out aka.ms/EntraDocs.

12:43

And keep following Microsoft Mechanics

12:45

for latest tech updates.

12:46

And thanks for watching.

12:47

(music)