quizgeckotest.docx

Full Transcript

Part 1: Implement an identity management solution

Implement initial configuration of Azure Active Directory

Azure Active Directory roles

Understand roles

There are about 60 Azure Active Directory (Azure AD) built-in roles,
which are roles with a fixed set of role permissions. To supplement the
built-in roles, Azure AD also supports custom roles. Azure AD roles are
different from other Microsoft 365 roles.

Understand roles

Compare Azure and Azure AD Roles

Explain the difference between Azure roles, Azure Active Directory
(Azure AD) roles and Classic subscription administrator roles

RBAC Admin roles

Roles for Microsoft 365 services in Azure Active Directory

All products in Microsoft 365 can be managed with administrative roles
in Azure Active Directory (Azure AD). Some products also provide
additional roles that are specific to that product

Assign Azure AD roles to users

To grant access to users in Azure Active Directory (Azure AD), you
assign Azure AD roles. A role is a collection of permissions.

Use Azure AD groups to manage role assignments

Azure Active Directory (Azure AD) lets you target Azure AD groups for
role assignments. Assigning roles to groups can simplify the management
of role assignments in Azure AD with minimal effort from your Global
Administrators and Privileged Role Administrators. Role assignable
groups

Azure AD built-in roles

This article lists the Azure AD built-in roles you can assign to allow
management of Azure AD resources.

Custom Roles

This article describes how to create new custom roles in Azure Active
Directory (Azure AD). For the basics of custom roles, see the custom
roles overview. The role can be assigned either at the directory-level
scope or an app registration resource scope only.

RBAC Overview

Develop a security plan

Microsoft recommends that you develop and follow a roadmap to secure
privileged access against cyber attackers.

Establish emergency accounts

It is important that you prevent being accidentally locked out of your
Azure Active Directory (Azure AD) organization because you can\'t sign
in or activate another user\'s account as an administrator. You can
mitigate the impact of accidental lack of administrative access by
creating two or more emergency access accounts in your organization.

Custom domains

Add your custom domain name

Every new Azure AD tenant comes with an initial domain name,
\.onmicrosoft.com. You can\'t change or delete the initial
domain name, but you can add your organization\'s names. Adding custom
domain names helps you to create user names that are familiar to your
users, such as alain\@contoso.com.

Managing custom domain names

Set the primary domain name for your Azure AD organization

Add custom domain names to your Azure AD organization

Add subdomains of a custom domain

What to do if you change the DNS registrar for your custom domain name

Delete a custom domain name

Verify a custom subdomain

After a root domain is added to Azure Active Directory (Azure AD), all
subsequent subdomains added to that root in your Azure AD organization
automatically inherit the authentication setting from the root domain.
However, if you want to manage domain authentication settings
independently from the root domain settings, you can now with the
Microsoft Graph API. For example, if you have a federated root domain
such as contoso.com, this article can help you verify a subdomain such
as child.contoso.com as managed instead of federated.

Self-service sign-up for Azure Active Directory

This article explains how to use self-service sign-up to populate an
organization in Azure Active Directory (Azure AD). If you want to take
over a domain name from an unmanaged Azure AD organization, see Take
over an unmanaged tenant as administrator.

Device registration

Azure AD registered devices

The goal of Azure AD registered devices is to provide your users with
support for the bring your own device (BYOD) or mobile device scenarios.
In these scenarios, a user can access your organization's resources
using a personal device.

Azure AD registered device

Azure AD joined devices

Azure AD join is primarily intended for organizations that do not have
an on-premises Windows Server Active Directory infrastructure

Azure AD joined device

Hybrid Azure AD joined devices

These devices are joined to your on-premises Active Directory and
registered with Azure Active Directory.

Azure AD Hybrid joined device

How SSO to on-premises resources works on Azure AD joined devices

If your environment has an on-premises Active Directory (AD), you can
also get SSO experience on Azure AD joined devices to resources and
applications that rely on on-premises AD. This article explains how this
works.

Delegation by using administrative units

Administrative units

An administrative unit is an Azure AD resource that can be a container
for other Azure AD resources. An administrative unit can contain only
users and groups. Administrative units restrict permissions in a role to
any portion of your organization that you define. You could, for
example, use administrative units to delegate the Helpdesk Administrator
role to regional support specialists, so they can manage users only in
the region that they support.

Delegate app registration permissions

Restrict who can create applications

Assign application owners

Assign built-in application admin roles

Create and assign a custom role (preview)

Tenant-wide settings

Default user permissions (members and guests)

In Azure Active Directory (Azure AD), all users are granted a set of
default permissions. A user's access consists of the type of user, their
role assignments, and their ownership of individual objects. This
article describes those default permissions and contains a comparison of
the member and guest user defaults. The default user permissions can be
changed only in user settings in Azure AD. The article also contains a
comparison between member and guest default permissions.

Sign in with LinkedIn

You can allow users in your organization to access their LinkedIn
connections within some Microsoft apps. No data is shared until users
consent to connect their accounts.

Security defaults

Managing security can be difficult with common identity-related attacks
like password spray, replay, and phishing becoming more popular.
Security defaults make it easier to help protect your organization from
these attacks with preconfigured security settings

Configure B2B external collaboration settings

By default, all users and guests in your directory can invite guests
even if they\'re not assigned to an admin role. External collaboration
settings let you turn guest invitations on or off for different types of
users in your organization. You can also delegate invitations to
individual users by assigning roles that allow them to invite guests.
Azure AD allows you to restrict what external guest users can see in
your Azure AD directory. By default, guest users are set to a limited
permission level that blocks them from enumerating users, groups, or
other directory resources, but lets them see membership of non-hidden
groups.

Add your organization\'s privacy info

We strongly recommend you add both your global privacy contact and your
organization\'s privacy statement, so your internal employees and
external guests can review your policies. Because privacy statements are
uniquely created and tailored for each business, we strongly recommend
you contact a lawyer for assistance.