quizgeckotest.docx
Part 1: Implement an identity management solution

Implement initial configuration of Azure Active Directory

Azure Active Directory roles

Understand roles
There are about 60 Azure Active Directory (Azure AD) built-in roles, each with a fixed set of role permissions. To supplement the built-in roles, Azure AD also supports custom roles. Azure AD roles are different from other Microsoft 365 roles.

Compare Azure and Azure AD roles
Explain the difference between Azure roles (Azure RBAC, which govern Azure resources), Azure Active Directory (Azure AD) admin roles (which govern the directory), and classic subscription administrator roles.

Roles for Microsoft 365 services in Azure Active Directory
All products in Microsoft 365 can be managed with administrative roles in Azure Active Directory (Azure AD). Some products also provide additional roles that are specific to that product.

Assign Azure AD roles to users
To grant access to users in Azure Active Directory (Azure AD), you assign Azure AD roles. A role is a collection of permissions.

Use Azure AD groups to manage role assignments
Azure Active Directory (Azure AD) lets you target Azure AD groups for role assignments. Assigning roles to groups can simplify the management of role assignments in Azure AD with minimal effort from your Global Administrators and Privileged Role Administrators.

Role-assignable groups
Only groups created as role-assignable (the isAssignableToRole property set at creation, which cannot be changed afterwards) can be the target of an Azure AD role assignment. Because membership of such a group grants the role, managing that membership is itself a privileged operation.

Azure AD built-in roles
This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources.

Custom roles
This article describes how to create new custom roles in Azure Active Directory (Azure AD). For the basics of custom roles, see the custom roles overview. A custom role can be assigned either at directory-level scope or at the scope of a single app registration resource.

RBAC overview

Develop a security plan
Microsoft recommends that you develop and follow a roadmap to secure privileged access against cyber attackers.
Establish emergency accounts
It is important to prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization, for example because you can't sign in or activate another user's account as an administrator. You can mitigate the impact of accidental loss of administrative access by creating two or more emergency access accounts in your organization.

Custom domains

Add your custom domain name
Every new Azure AD tenant comes with an initial domain name that ends in .onmicrosoft.com. You can't change or delete the initial domain name, but you can add your organization's own domain names. Adding custom domain names lets you create user names that are familiar to your users, such as alain@contoso.com.

Managing custom domain names
- Set the primary domain name for your Azure AD organization
- Add custom domain names to your Azure AD organization
- Add subdomains of a custom domain
- What to do if you change the DNS registrar for your custom domain name
- Delete a custom domain name

Verify a custom subdomain
After a root domain is added to Azure Active Directory (Azure AD), all subsequent subdomains added to that root in your Azure AD organization automatically inherit the authentication setting from the root domain. However, if you want to manage domain authentication settings independently from the root domain settings, you can do so with the Microsoft Graph API. For example, if you have a federated root domain such as contoso.com, this article can help you verify a subdomain such as child.contoso.com as managed instead of federated.

Self-service sign-up for Azure Active Directory
This article explains how to use self-service sign-up to populate an organization in Azure Active Directory (Azure AD). If you want to take over a domain name from an unmanaged Azure AD organization, see Take over an unmanaged tenant as administrator.
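The emergency access accounts described above are only useful if they stay cloud-only, keep a permanent Global Administrator assignment, and are never used unnoticed. The following script is an added example, not code from the page or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, and the two user principal names are placeholders for your own break-glass accounts.

```powershell
# Added example: audit emergency access ("break-glass") accounts.
# Assumes the Microsoft Graph PowerShell SDK; the UPNs are placeholders.
Connect-MgGraph -Scopes "User.Read.All","RoleManagement.Read.Directory","AuditLog.Read.All","Directory.Read.All"

$emergencyUpns = @(
    "bg-alpha@contoso.onmicrosoft.com",   # placeholder
    "bg-bravo@contoso.onmicrosoft.com"    # placeholder
)

# Look up the Global Administrator role definition once rather than hardcoding its GUID.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

foreach ($upn in $emergencyUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled

    # Cloud-only: not synced from on-premises AD and homed on the initial .onmicrosoft.com
    # domain, so a federation or directory-sync outage cannot lock the account out.
    $cloudOnly = (-not $user.OnPremisesSyncEnabled) -and ($upn -like "*.onmicrosoft.com")

    # Permanent (active, not merely PIM-eligible) Global Administrator assignment.
    $ga = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($gaRole.Id)'"

    # Break-glass sign-ins should be rare; any hit here warrants investigation.
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)' and createdDateTime ge $since" -Top 10

    [pscustomobject]@{
        Account        = $upn
        Enabled        = $user.AccountEnabled
        CloudOnly      = $cloudOnly
        PermanentGA    = [bool]$ga
        SignInsLast30d = @($signIns).Count
    }
}
```

Run it on a schedule and alert on any row where CloudOnly or PermanentGA is false, or where SignInsLast30d is non-zero; the accounts should additionally be excluded from Conditional Access policies so a misconfigured policy cannot block them.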
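The custom-domain procedure above (add the domain, publish the verification record, verify) is shown here as an added example; it is not code from the page or from Microsoft. It assumes the Microsoft Graph PowerShell SDK and the Windows DnsClient module, and contoso.com is a placeholder for your own domain.

```powershell
# Added example: add and verify a custom domain in Azure AD.
# Assumes the Microsoft Graph PowerShell SDK; contoso.com is a placeholder.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainName = "contoso.com"   # placeholder

# 1. Register the domain. It stays unverified until DNS proves ownership.
$domain = Get-MgDomain -DomainId $domainName -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-MgDomain -Id $domainName }

# 2. Azure AD issues the DNS records (a TXT record, and an MX alternative) to publish
#    at your registrar. The TXT text lives in AdditionalProperties in the SDK objects.
$records  = Get-MgDomainVerificationDnsRecord -DomainId $domainName
$records | Select-Object RecordType, Label, Ttl, AdditionalProperties
$expected = ($records | Where-Object RecordType -eq 'Txt').AdditionalProperties['text']

# 3. Check the TXT record is actually resolvable before asking Azure AD to verify;
#    a premature Confirm-MgDomain simply fails with an unhelpful error.
$published = (Resolve-DnsName -Name $domainName -Type TXT -ErrorAction SilentlyContinue).Strings
if ($published -contains $expected) {
    Confirm-MgDomain -DomainId $domainName
    # 4. A newly verified root domain is managed by default; subdomains added later
    #    inherit this AuthenticationType unless changed through the Graph API.
    Get-MgDomain -DomainId $domainName | Select-Object Id, IsVerified, AuthenticationType, IsDefault
} else {
    Write-Warning "TXT record '$expected' not yet visible for $domainName; publish it at the registrar and retry."
}
```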
Device registration

Azure AD registered devices
The goal of Azure AD registered devices is to support bring your own device (BYOD) and mobile device scenarios, in which a user accesses your organization's resources from a personal device.

Azure AD joined devices
Azure AD join is primarily intended for organizations that do not have an on-premises Windows Server Active Directory infrastructure.

Hybrid Azure AD joined devices
These devices are joined to your on-premises Active Directory and registered with Azure Active Directory.

How SSO to on-premises resources works on Azure AD joined devices
If your environment has an on-premises Active Directory (AD), you can also get an SSO experience on Azure AD joined devices to resources and applications that rely on on-premises AD. This article explains how this works.

Delegation by using administrative units

Administrative units
An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users and groups. Administrative units restrict the permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region they support.

Delegate app registration permissions
- Restrict who can create applications
- Assign application owners
- Assign built-in application admin roles
- Create and assign a custom role (preview)

Tenant-wide settings

Default user permissions (members and guests)
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their role assignments, and their ownership of individual objects.
This article describes those default permissions and contains a comparison of the member and guest user defaults. The default user permissions can be changed only in user settings in Azure AD.

Sign in with LinkedIn
You can allow users in your organization to access their LinkedIn connections within some Microsoft apps. No data is shared until users consent to connect their accounts.

Security defaults
Managing security can be difficult, with common identity-related attacks like password spray, replay, and phishing becoming more popular. Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings.

Configure B2B external collaboration settings
By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests. Azure AD also lets you restrict what external guest users can see in your Azure AD directory. By default, guest users are set to a limited permission level that blocks them from enumerating users, groups, or other directory resources, but lets them see membership of non-hidden groups.

Add your organization's privacy info
We strongly recommend that you add both your global privacy contact and your organization's privacy statement, so your internal employees and external guests can review your policies. Because privacy statements are uniquely created and tailored for each business, we strongly recommend that you contact a lawyer for assistance.
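The following script ties together the role-assignment passage in Part 1 (assigning a role to a role-assignable group) and the administrative units passage above (scoping Helpdesk Administrator to one region). It is an added example, not code from the page or from Microsoft; it assumes the Microsoft Graph PowerShell SDK, and the administrative unit name, group name, and the country-attribute filter are placeholders.

```powershell
# Added example: delegate Helpdesk Administrator over one region via an administrative unit,
# with a role-assignable group as the principal. Assumes the Microsoft Graph PowerShell SDK;
# names and the country filter are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","Group.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory","User.Read.All"

# 1. Administrative unit that will bound the role.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "EMEA Users" `
        -Description "Users supported by the EMEA helpdesk"

# 2. Put the in-scope users into it (placeholder filter on the user's country attribute).
Get-MgUser -Filter "country eq 'DE' or country eq 'FR'" -All | ForEach-Object {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($_.Id)" }
}

# 3. Role-assignable group for the regional helpdesk. IsAssignableToRole is fixed at creation,
#    and adding members to this group is equivalent to granting them the role.
$grp = New-MgGroup -DisplayName "EMEA Helpdesk" -MailEnabled:$false -MailNickname "emea-helpdesk" `
        -SecurityEnabled -IsAssignableToRole

# 4. Assign Helpdesk Administrator scoped to the AU. A DirectoryScopeId of "/" would instead
#    grant the role over the whole directory.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $grp.Id -RoleDefinitionId $role.Id `
        -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 5. Confirm the assignment is AU-scoped rather than tenant-wide.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($grp.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Creating a role-assignable group and assigning a directory role both require Privileged Role Administrator or Global Administrator; ordinary group owners cannot create role-assignable groups, which is the property that makes the delegation safe.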
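The tenant-wide settings covered above (who can register applications, who can invite guests, what guests can see, and security defaults) all live in two policy objects. The script below is an added example, not code from the page or from Microsoft; it assumes the Microsoft Graph PowerShell SDK. The two guest-access GUIDs are the documented guestUserRoleId values that select an access level; they do not refer to any particular user.

```powershell
# Added example: tighten tenant-wide defaults. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# Documented guestUserRoleId values (guest access levels, not users):
$GuestRestricted = "2af84b1e-32c8-42b7-82bc-daa82404023b"  # guests see only their own objects
$GuestLimited    = "10dae51f-b6af-4016-8d66-8c2a99b929b3"  # default: no enumeration of users/groups

# There is exactly one authorization policy per tenant; record the current state first.
$before = Get-MgPolicyAuthorizationPolicy
$before | Format-List AllowInvitesFrom, GuestUserRoleId
$before.DefaultUserRolePermissions | Format-List AllowedToCreateApps, AllowedToCreateTenants

# Tightened settings:
#  - only admins and holders of the Guest Inviter role may invite guests
#  - guests get the restricted access level instead of the default limited one
#  - ordinary members can no longer register applications or create tenants
Update-MgPolicyAuthorizationPolicy `
    -AllowInvitesFrom "adminsAndGuestInviters" `
    -GuestUserRoleId $GuestRestricted `
    -DefaultUserRolePermissions @{ AllowedToCreateApps = $false; AllowedToCreateTenants = $false }

# Security defaults are mutually exclusive with Conditional Access: enable them only when the
# tenant has no Conditional Access policies, otherwise manage the same controls through CA.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
if (-not $caPolicies) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
} else {
    Write-Warning "Conditional Access policies exist; leaving security defaults unchanged."
}

# Verify the result.
Get-MgPolicyAuthorizationPolicy | Format-List AllowInvitesFrom, GuestUserRoleId
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled
```

Turning off AllowedToCreateApps is the "Restrict who can create applications" step: after it, app registrations must go through users holding Application Developer, Application Administrator or Cloud Application Administrator, which is where the delegation controls listed above come in.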