Microsoft Entra ID Beginner's Tutorial (Azure Active Directory)
Summary
TL;DR: Microsoft Entra ID offers a unified identity and access management solution, simplifying secure access to work applications across clouds with a single sign-in. It strengthens security through multifactor authentication, real-time sign-in risk assessment, and passwordless login. The video guides users and admins through setup, user and group management, and device integration, emphasizing Entra ID's role in protecting identity and information.
Takeaways
- 🔒 Microsoft Entra ID allows for secure, unified access to various online services using a single sign-on with your work email address.
- 🆔 It serves as an identity and access management solution, handling both authentication (verifying identity) and authorization (granting access to services).
- 🔄 Microsoft Entra ID is the new name for Azure Active Directory; it brings a few updates while keeping a familiar interface for those already acquainted with Azure AD.
- 🧑💻 The solution simplifies the management of multiple app and service logins, reducing the risk of credential reuse and potential security breaches.
- 👥 It provides a centralized location for IT and help desk to manage user accounts, including creation, changes, password resets, and more.
- 🌐 Entra ID supports multi-cloud identity management, extending its services to non-Microsoft cloud apps like Google, Salesforce, and AWS.
- 🔑 It promotes stronger security measures with support for multi-factor authentication and passwordless login options.
- 📊 Entra ID includes real-time sign-in risk assessment through Conditional Access, enhancing security by considering user risk levels and device compliance.
- 🛠️ The Microsoft Entra Admin Center is the hub for managing identities, including users, groups, and enterprise applications, with a focus on simplicity and shared backend service.
- 🔄 Hybrid management allows Entra ID to work with on-premises directory services like Active Directory, synchronizing services for a seamless experience.
- 📝 Entra ID offers detailed audit logs and sign-in reports, giving administrators insight into user activities and access patterns.
Q & A
What is Microsoft Entra ID and what does it enable users to do?
-Microsoft Entra ID is an identity and access management solution that allows users to securely access all their online services for work using their work email address, without needing to remember multiple passwords. It consolidates identity services and enables passwordless login, multi-factor authentication, and real-time sign-in risk assessment.
Why is it beneficial to consolidate identity services with Microsoft Entra ID?
-Consolidating identity services with Microsoft Entra ID simplifies the process of remembering multiple login credentials, enhances security with features like multi-factor authentication, and allows for centralized management of user identities and access permissions across various services, including non-Microsoft ones.
How does Microsoft Entra ID help with the security of user credentials?
-Microsoft Entra ID helps secure user credentials by offering multifactor authentication and passwordless login options. It also assesses sign-in risk in real time, so that a sign-in using stolen credentials from an unfamiliar location or device can be blocked.
What is the relationship between Microsoft Entra ID and Azure Active Directory?
-Microsoft Entra ID is the new name for Azure Active Directory. While there are a few updates, the transition is meant to be familiar for those who are already acquainted with Azure Active Directory.
How does Microsoft Entra ID support identity management for non-Microsoft services?
-Microsoft Entra ID can be configured as the identity provider for non-Microsoft services such as Google, Salesforce, and AWS. This allows for a unified system to manage identities across different platforms.
What is the role of the Microsoft Entra Admin Center in identity management?
-The Microsoft Entra Admin Center is the portal where identity admins can manage user accounts, groups, roles, authentication methods, and access to various applications and services. It also allows for the configuration of hybrid management with on-premises directory services like Active Directory.
What are the advantages of using groups in Microsoft Entra ID for identity management?
-Groups in Microsoft Entra ID allow for logical organization of users, devices, and managed identities. They can be static or dynamic, with dynamic groups automatically enrolling members based on set properties, simplifying management and access control.
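As an added example (not code from the video), here is how the user-creation and dynamic-group steps from the walkthrough look when scripted with the Microsoft Graph PowerShell SDK instead of clicked through in the Admin Center. The tenant domain `contoso.onmicrosoft.com`, the user's details and the group name are illustrative assumptions; the rule `(user.city -eq "Bellevue")` is the same membership rule the portal builds for the city filter shown in the video. Dynamic membership rules require a Microsoft Entra ID P1 license.

```powershell
# Added example (not from the video): script the user + dynamic group steps with
# the Microsoft Graph PowerShell SDK. Install once with:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Tenant domain, user details and group name below are illustrative assumptions.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All" -NoWelcome

# Generate a throwaway initial password from a CSPRNG. The account is meant to
# move to passwordless MFA, so the user is forced to change it at first sign-in.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$passwordProfile = @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}

# UPN follows the "first initial + last name" construct used in the video.
# City/Department/JobTitle matter: filters and dynamic rules key on them.
$user = New-MgUser -UserPrincipalName "ccline@contoso.onmicrosoft.com" `
    -DisplayName "Christie Cline" -MailNickname "ccline" -AccountEnabled `
    -PasswordProfile $passwordProfile -UsageLocation "US" `
    -City "Bellevue" -Department "Sales" -JobTitle "Account Executive"

# Dynamic security group: the service evaluates membershipRule, so members are
# added and removed as their City attribute changes. String comparisons in
# membership rules are case-insensitive.
$group = New-MgGroup -DisplayName "Bellevue Users" -MailNickname "bellevue-users" `
    -MailEnabled:$false -SecurityEnabled -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.city -eq "Bellevue")' `
    -MembershipRuleProcessingState "On"

# Device-based equivalent (a group's rule targets either users or devices, not both):
#   -MembershipRule '(device.deviceOSType -eq "Windows") -and (device.accountEnabled -eq true)'

# Rule processing is asynchronous; poll with a deadline instead of trusting one sleep.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 20
    $members = Get-MgGroupMember -GroupId $group.Id -All
} until (($members.Id -contains $user.Id) -or ((Get-Date) -gt $deadline))

if ($members.Id -contains $user.Id) {
    "Dynamic membership resolved; current members:"
    $members | ForEach-Object { $_.AdditionalProperties['displayName'] }
} else {
    Write-Warning "Rule has not finished evaluating; check membershipRuleProcessingState on the group."
}
```

The poll at the end is the check a practitioner wants: the portal says "that takes a moment", but in scripts the membership list can lag the group creation by minutes, so anything that depends on it (license assignment, app access) should wait for the user to actually appear.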
How does Microsoft Entra ID support multi-factor authentication?
-Microsoft Entra ID supports multiple authentication methods for multi-factor authentication, including biometric sign-in with Windows Hello for Business, FIDO2 security keys, the Authenticator app on mobile phones, and other options beyond just password-based authentication.
What is Conditional Access in the context of Microsoft Entra ID?
-Conditional Access in Microsoft Entra ID is a feature that assesses risk in real time and makes access decisions based on user risk level, IP location, device compliance, and the applications being accessed. It can allow, block, or require additional authentication strength based on predefined controls.
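As an added example (not code from the video), the policy below turns the signals named above into a Conditional Access policy created with the Microsoft Graph PowerShell SDK: all users, all apps, medium or high sign-in risk, outside trusted locations, require phishing-resistant MFA. It is created in report-only mode so the sign-in logs show what would have been blocked before anything is enforced. The break-glass group name and the policy name are illustrative assumptions; the authentication strength is looked up by its built-in display name rather than hardcoded. Sign-in risk conditions require Microsoft Entra ID P2.

```powershell
# Added example (not from the video): create a risk-based Conditional Access
# policy with the Microsoft Graph PowerShell SDK. Group and policy names are
# illustrative assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All" -NoWelcome

# Never lock yourself out: a policy that targets every user must exclude the
# emergency-access (break-glass) accounts.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying an all-users policy." }

# Resolve the built-in authentication strength by name instead of hardcoding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found." }

$policy = @{
    displayName = "Risky sign-ins: require phishing-resistant MFA (report-only)"
    # Report-only first; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications     = @{ includeApplications = @("All") }
        # Real-time sign-in risk from Entra ID Protection (requires Entra ID P2).
        signInRiskLevels = @("medium", "high")
        # Everywhere except named trusted locations such as corporate egress IPs.
        locations        = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Quick audit: which policies are enforced, report-only, or disabled.
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State |
    Sort-Object State, DisplayName
```

Using an authentication strength rather than the plain `mfa` built-in control is what makes "require additional authentication strength" concrete: SMS or voice would satisfy `mfa`, but only FIDO2 keys, Windows Hello for Business or certificate-based authentication satisfy the phishing-resistant strength.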
How does Microsoft Entra ID integrate with device management?
-Microsoft Entra ID integrates with device management by using device state to assess sign-in risk in real time and by enabling single sign-on through Microsoft Entra join. This allows seamless access to work resources after signing into a device, and it works with tools like Microsoft Intune for broader device management tasks.
What resources are available for further learning about Microsoft Entra ID?
-For more information on Microsoft Entra ID, one can visit aka.ms/EntraDocs, which is a resource provided for documentation and further learning about the service.
Outlines
🔒 Introduction to Microsoft Entra ID
The first paragraph introduces Microsoft Entra ID as an identity and access management solution that simplifies user authentication and authorization across various online services, including non-Microsoft cloud apps. It emphasizes the benefits of using a single sign-on system with multi-factor authentication to enhance security and ease of use. The paragraph also touches on the potential risks of credential reuse and the administrative challenges of managing multiple services. The speaker outlines the topics to be covered, including the basics of Microsoft Entra ID, its advantages, and an introduction to the admin experience.
🛠️ Identity Admin Experience and Core Capabilities
The second paragraph delves into the identity admin perspective, discussing prerequisites and dependencies for using Microsoft Entra ID. It explains how to access the Microsoft Entra Admin Center and manage identities for both Microsoft and non-Microsoft services. The paragraph covers the setup of enterprise applications, hybrid management with on-premises directories like Active Directory, and the management of users, groups, and authentication methods. It also highlights the importance of multi-factor authentication and the use of Conditional Access to assess sign-in risk in real-time.
👥 User and Group Management in Microsoft Entra ID
The third paragraph focuses on the day-to-day management of user accounts within Microsoft Entra ID, including adding, editing, and assigning users to groups and roles. It explains the process of creating user accounts, setting properties, and using dynamic groups for automated membership based on user attributes. The paragraph also discusses the assignment of licenses for Microsoft services and the use of admin roles to implement role-based access control. Additionally, it introduces admin units for restricting permissions and the integration of device management with Microsoft Entra ID for enhanced security and single sign-on capabilities.
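As an added example (not code from the video), the script below recreates the restricted "Help Desk" administrative unit and the scoped Teams Administrator assignment from the walkthrough with the Microsoft Graph PowerShell SDK. The user principal names and the description are illustrative assumptions. Two points the portal hides: restricted management can only be set when the unit is created, and a scoped role assignment needs the activated directory role object, not just its template.

```powershell
# Added example (not from the video): administrative unit with restricted
# management plus a role scoped to it, via the Microsoft Graph PowerShell SDK.
# UPNs and description are illustrative assumptions.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

# isMemberManagementRestricted is immutable after creation. With it set, tenant-level
# admins do not automatically get rights over the members; only roles scoped to the unit do.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "Help Desk"
    description                  = "Users whose Teams settings are managed by the regional help desk"
    isMemberManagementRestricted = $true
}

# Add the users the scoped admins will manage.
$managedUpns = @("ccline@contoso.onmicrosoft.com", "jdoe@contoso.onmicrosoft.com")
foreach ($upn in $managedUpns) {
    $u = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)"
    }
}

# Scoped assignments require the activated directoryRole; activate it from the
# template if nobody in the tenant has held the role yet.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Teams Administrator'
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq 'Teams Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Give the help-desk staff Teams Administrator over this unit only, not tenant-wide.
$adminUpns = @("teamsadmin1@contoso.onmicrosoft.com", "teamsadmin2@contoso.onmicrosoft.com")
foreach ($upn in $adminUpns) {
    $admin = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
        -RoleId $role.Id -RoleMemberInfo @{ Id = $admin.Id }
}

# Verify: list who holds which role inside the unit.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    ForEach-Object { "$($_.RoleMemberInfo.DisplayName) -> role $($_.RoleId)" }
```

Compare the scoped assignment with the tenant-wide one in the video: `New-MgDirectoryAdministrativeUnitScopedRoleMember` grants Teams Administrator only over the unit's members, whereas assigning the role on the user's page grants it for the whole tenant, which is the over-privilege the RBAC discussion warns about.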
Keywords
💡Microsoft Entra ID
💡Authentication
💡Authorization
💡Multi-cloud
💡Passwordless login
💡Two-factor authentication
💡Conditional Access
💡Hybrid management
💡Admin units
💡Dynamic Groups
💡Device management
Highlights
Microsoft Entra ID enables secure access to all online services using the same sign-in credentials.
Entra ID's primary function is identity and access management, simplifying the authentication and authorization process.
Users can access non-Microsoft cloud services like Google, Salesforce, and AWS with their work email.
Microsoft Entra ID is the new name for Azure Active Directory, with some updates but a familiar interface.
Consolidating identity services reduces the complexity of managing multiple logins and the risk of credential reuse.
The impact of leaked credentials is mitigated because Entra ID assesses sign-in risk and can block suspicious access attempts in real time.
Entra ID supports passwordless login and two-factor authentication for enhanced security.
Centralized management of user access to web and business apps simplifies IT administration.
Microsoft Entra Admin Center provides a unified platform for identity and access management.
Hybrid management allows synchronization between on-premises directory services and Microsoft Entra ID.
Dynamic Groups in Entra ID automatically manage membership based on user or device properties.
Microsoft Entra supports multiple authentication methods, including biometrics and FIDO2 security keys.
Conditional Access in Entra ID assesses sign-in risk in real time to decide whether to allow, block, or require stronger authentication.
Admin units in Entra ID restrict permissions to specific organizational segments, enhancing security.
Device management integration with Entra ID allows for real-time risk assessment based on device state and single sign-on capabilities through Microsoft Entra join.
Microsoft Entra ID seamlessly works with Microsoft Intune and other endpoint management tools for comprehensive device management.
For more information on Microsoft Entra ID, visit aka.ms/EntraDocs for detailed documentation.
Transcripts
(music)
- Imagine being able to use the same sign-in credentials
to securely access all of your online services for work,
not only the ones hosted by Microsoft,
but even other cloud apps and service providers
just using your work email address
and without needing to remember your passwords.
Well, all of that is possible
with Microsoft Entra ID.
As a common identity and access management solution,
its primary job is to help you prove
you are who you say you are.
And once that's verified,
which is a process called authentication,
you can access services that you have permissions to use,
which we refer to as authorization.
So today, I'm going to walk you through all the fundamentals
of Microsoft Entra ID, what it is and how it works.
First, as a user to access services
even from non-Microsoft clouds, like Google, Salesforce,
AWS, and others.
Then if you're an identity admin,
I'll walk through the basics with a focus
on users, groups, and roles.
And the good news is if you're familiar
with Azure Active Directory,
Microsoft Entra ID is its new name.
And while there are a few new updates,
it's going to look pretty familiar.
So let's start by looking at why you would even consolidate
identity services into a single provider.
And there are really quite a few reasons.
First, it's not easy to remember
all the different logins that you use
to access multiple apps and services.
And related to that,
the reality is many people will reuse their username
and password across different services.
So when one of those services gets hacked
and leaks your credentials,
without you even knowing it,
adversaries will use those leaked credentials
to access other services.
And what if you're one of the responsible ones,
and you don't reuse passwords
or you make a point of setting up second factor
of authentication whenever possible?
Well, that's one step better from a security point of view,
but for the organizations you work for,
it would still mean that they need to manage each service
that you're accessing separately,
for everything from account creation,
changes associated with your identity,
password resets, and more.
So if you could just have one username
and a unified system to log into all your work services,
where it's more secure with two factors
of authentication, works with passwordless login
so you don't need to remember multiple passwords,
just your email address.
It assesses sign-in risk in real-time.
Like if someone from another country
has stolen your credentials
and is trying to use your account,
so it can block them.
You can get to all of your assigned web
or line of business apps from one central location
instead of managing this yourself
with lots of browser bookmarks and favorites.
And for IT and your help desk,
all of this can be managed in one place.
Doesn't that sound like a better option?
And that's what Microsoft Entra ID is all about.
Multi-cloud identity and access management,
enabling secure access to your work applications
and protecting your identity, which then in turn
helps protect the information and services you use.
Now let's switch gears to the identity admin experience
and a few important things you should know
about before you get started.
These will become prerequisites and dependencies
as you work with core capabilities.
So I'll start in the Microsoft Entra Admin Center.
You can get to it by navigating to entra.microsoft.com.
By the way, for Microsoft Cloud services
like Microsoft 365 or Intune,
an instance of Microsoft Entra
is set up behind the scenes
for your organization automatically.
And even though the same information
is presented in these different admin experiences,
you can make changes in any of these locations
to the same shared backend service.
For today though, I'll keep things simple
and I'll do everything
from the Microsoft Entra Admin Center.
First, and as I mentioned before,
with things like Google, Salesforce, and AWS services,
you can manage identities for non-Microsoft services
in addition to those offered by Microsoft.
In enterprise applications, you can see that my environment
has quite a few of these already set up.
In most cases, there is a one-time operation
to set each of these up
where you'll configure Microsoft Entra ID
as the identity provider for that app or service,
its integration details,
and which users or groups can access it.
Next, if you currently have an on-premises directory service
like Active Directory, you can configure it
within hybrid management
to work directly with Microsoft Entra ID
to synchronize services from basic topologies
to even more advanced ones.
Then of course, as shown and mentioned,
you'll use Microsoft Entra to manage identities.
Now these can be users,
they can also be devices,
then groups that can consist of users, devices,
and managed identities.
And these managed identities can include applications
or other resources like a cloud-hosted virtual machine.
In protections, you'll find authentication methods,
which you'll want to use for multifactor authentication.
That's because password-only authentication
is not safe or recommended and Microsoft Entra ID
makes it simple to standardize
on more secure passwordless multifactor sign-ins.
And Microsoft Entra supports
multiple authentication methods,
including biometric sign-in options
with Windows Hello for Business,
FIDO2 security keys, as well as mobile phones
with the Authenticator app,
along with other options that go beyond basic authentication
using just passwords.
And another major benefit of Microsoft Entra ID
is its ability to assess risk in real time
using Conditional Access.
So here, we base access decisions on user risk level,
the IP location, where the sign-in attempt is coming from,
whether the device trying to sign in is compliant,
and the applications.
After that, as you sign into those services,
conditional access can decide to allow, block,
or require additional authentication strength
based on the controls that you set for granting access.
So now you know a few of the core capabilities.
Let's look at a few of the basics that you'll need
to know when running the service on a day-to-day basis.
And then once you have an instance
of Microsoft Entra ID running,
the most common task you'll have
is to manage user accounts.
So here, you can see that I already have a few users added,
but I'll add another to show you how that process works.
And immediately, you'll see that I have options
for users both internal to my organization
and external to my organization.
When you get started, you'll typically
want to add internal users as members of your organization.
The user principal name, often referred to as a UPN,
is normally the same as an email address
and you can use whatever standard construct
you have in place.
So I'll use first initial and last name.
The display name then is usually the fully spelled out
first and last name.
And even though ultimately, this account
will be used with passwordless multifactor authentication
later, we'll let the system generate a password.
Then in properties, you'll input all the user's details,
and these are important to fill in
because you'll need them later for filtering
and dynamic grouping that I'll show you in a moment.
So now I have all their details inputted.
Then next, in assignments, I can manually add
this user account to an existing group.
So I'll do that here.
And the same is true for adding roles,
as I scroll down this list of built-in roles,
you'll see they can be pretty specialized
with lots of administrator roles.
Now for many user types, you won't need to define a role.
You can add them later if you want to,
but for my case, I'll just close this out
and I'll create the user account.
And now we have our new user,
and what's often just as common for managing users
is editing them.
So I'm going to click into this user account.
Right on the top, you'll find some of the most common tasks
for editing properties, deleting the account,
resetting the password, or revoking the sessions
that the selected user is currently logged into.
And this will come in handy if a user,
say, reports a lost or stolen device.
On the left, you'll find the applications
that each user has assigned to them.
Importantly, Microsoft Entra ID is often also used
for license assignment with Microsoft services.
And here, you can see the top level products.
And if I click into assignments,
you can even control access to lots of the underlying apps
and services within each of those top level product plans.
This allows you to curate exactly which app experiences
users have access to, so it's not all or nothing.
Then in devices, you can see which devices
and the details for each device that this user
has joined to Microsoft Entra.
And for each user account,
you can access a full set of audit logs
with different events related to their identity,
as well as detailed sign-in logs to see which apps
they've recently signed into, along with their locations.
Okay, so now with our users configured,
let's dig into how you'd group them together using groups.
These can comprise users, other groups, devices,
and also managed identities.
In fact, here, you can see a few different groups
and types spanning Microsoft 365, distribution,
and security groups.
These are all based on roles, devices, locations, and more.
So I'll create a new group,
and you'll see that these can be security groups,
or Microsoft 365 groups.
And I'll explain what each one of them does
and we'll start with security groups.
So you'll see from these controls
that security groups are simply a logical grouping
of objects in the directory.
As I click into members,
you'll also see these can be users,
other groups, devices, and enterprise applications.
And that's it.
Conversely though, if I back out of the process
and start a Microsoft 365 group,
you'll see the difference here is that it provisions
a shared set of resources, like a shared inbox,
and calendar in Exchange as indicated here.
And behind the scenes,
it's also creating a SharePoint document library
along with a few other Microsoft 365 resources.
Then for member types, this time, you'll only see users
which can be people or things like meeting rooms.
And something else that you can set up for both users
and devices are Dynamic Groups.
Now, pay attention as I change the membership type here
from assigned, where you or others will manually assign
members as is indicated at the bottom,
to dynamic in this case.
And you'll see that members down below just change
to add dynamic query.
Now this is super useful
because it will automatically enroll,
or conversely unenroll users or devices
into groups based on their individual properties.
In this case, I want to group everyone
from the city where the value equals,
and then I'll type Bellevue and save it.
Now I'll go ahead and name my group Bellevue Users
and hit create.
And that takes a moment to provision the group
and its underlying services.
Then if I open up the group,
you'll see that in members, it's already found and added
three people already working
in the city of Bellevue automatically.
So now let's move into something a bit more admin-focused
and how you and your fellow admins can manage resources
using admin roles.
So I'm going to move into roles and admins.
And if you're familiar with the concept
of role-based access control, or RBAC,
this is how you can right-size admin level permissions
to only the things that you need to access.
Of course, it's a huge risk if you just give everyone
global admin rights,
especially if you have a larger IT team.
So these roles can pinpoint permissions based
on the resources that each admin needs to manage.
So now if I jump back over to a user like Christie here,
in assigned roles, I can add one,
and now she can perform that function.
So now let's talk about admin units,
which are another way to restrict permissions in a role,
similar to an organizational unit,
if you're familiar with Active Directory,
for example, to certain departments, regions,
or other segments in your organization.
Let me show you an example.
So here, I'm going to create a new admin unit.
Now I'll give it a name, Help Desk.
And this restricted management control is important
because it means the tenant level admins
won't simply inherit this role if you don't want them to.
Then I'll assign roles, and I'll pick a Teams administrator
in this case, which will allow these users
that I'll pick next to manage Microsoft Teams settings.
So now I'll pick a few people
working as Microsoft Teams admins.
And from there, I can create it.
Again, just those people that I defined have access
to manage the Teams service.
And one more component I'll touch on today
is how Microsoft Entra integrates with device management.
So as I mentioned before,
device state can be used to assess sign-in risk
in real time with Conditional Access.
And it also works to enable single sign-on
with something called Microsoft Entra join,
so that as you sign into your device running Windows,
and now even macOS,
that single sign-on can transfer
to local and web apps you use to access work resources.
You can enable this from device settings,
and importantly, require multi-factor authentication
be used to register or join devices with Microsoft Entra.
And by the way, all of this works seamlessly
with Microsoft Intune and other endpoint management tools
as you use those to manage the broader tasks
of device management from provisioning,
to app distribution, and device configuration.
So those are a few of the core concepts
to manage users, groups, applications, and devices.
Now to learn more, check out aka.ms/EntraDocs.
And keep following Microsoft Mechanics
for the latest tech updates.
And thanks for watching.
(music)