Hello and welcome back to Cybrary's Microsoft Azure Administrator AZ-103 course. I'm Will Carlson, and this is Episode 50: Azure AD Fun.
In today's episode, we're gonna talk about a whole host of functionalities that Azure AD exposes to us in the Azure environment,
including Azure AD join, Identity Protection, and self-service password reset. We're gonna talk a little bit about how we manage multiple directories. This would be equivalent to multiple domains in our AD DS infrastructure. And we're also going to talk about how Azure AD exposes some very simple single sign-on functionality with a
number of third-party providers as well. To get started, we're gonna jump right into the portal.
And the first thing we're going to talk about is Azure AD join.
For Azure AD join, we're gonna go ahead and select Azure Active Directory, and then we're gonna select Devices.
We can come up here to Device settings to configure Azure AD join, and what Azure AD join effectively does is it allows users of both BYOD equipment and enterprise-owned equipment to connect those pieces of hardware to our Azure AD environment.
Once they've done that, they get a whole host of additional functions and features as well.
But to set this up here, we can see right now, by default, we're set to allow all users to join devices to our Azure AD.
We could go ahead and set this to Selected and then select the users that we wanted to give that permission to, if we chose to.
We could also come down here and say that when a user joins a device to Azure AD, we want to create another
administrator account on that machine of our choosing.
And this has to do with joining Azure AD. Joining is going to be what you would do with a corporate-owned device. So the use case here would be a piece of hardware gets shipped directly to the user at a remote location. They simply log in and join their device to Azure AD. But again, this would be for a corporate-owned device.
Coming down here into register, this would be what a user would do for a BYOD or a personally owned device.
We have it set right now to where all users can join their devices to Azure AD. Multi-factor is not currently required, and each user can only join 50 devices max.
The benefit of this is that users are going to be able to log in to their device using their corporate credentials, whether it's a BYOD device or a corporate-owned device, and IT doesn't necessarily have to get their hands on the device at first to provision the device.
This is also beneficial because this leverages Azure AD, and so this is cloud functionality. Users don't have to worry any longer about being away from the domain controller, or cached credentials, and a whole host of other concerns with an Active Directory Domain Services setup.
This also exposes for us the concept of enterprise state roaming, and this allows users to use multiple devices and have the settings mirrored across those devices.
The other thing we're gonna cover here under Azure Active Directory fun is going to be the concept and the resource called Azure AD Identity Protection.
We're gonna go ahead and lose changes here, and we're going to add that in.
We can select Azure AD Identity Protection and then Create.
Since we only have one directory set up here on our Azure AD tenant, we're gonna go ahead and leave this as default and then just click Create.
Now we can come in here into All services and select Identity
and configure some of the options here as well.
Azure Identity Protection is going to use some really interesting AI to help us identify suspicious activity regarding our Azure AD authentication attempts.
It's also going to suggest some corrective actions based on what identity protection sees going on.
Another thing that Identity Protection does is it will look for some vulnerabilities that could be affecting our organization's identities and also help us get some ideas about how we might resolve those. So right now we're in the overview tab. We have no users that have been flagged for risk,
no risk events and no vulnerabilities currently detected in our Azure AD environment.
But I can go ahead and come down here and see various elements of Azure AD Identity Protection,
and these are gonna be the detail tabs for all of the things that were mentioned here in the overview tab as well.
As with many things in Azure, the Azure Identity Protection blade offers some things that we can ultimately find and enforce in other places, for example, multi-factor authentication registration. We can go ahead and set that here to all users or a selection of individual users that we want to require multi-factor authentication for.
And then we can enforce this policy that when those users come in to register or log in the next time, multi factor authentication will be set up for them.
We can come into the user risk policy blade and set some risk levels associated with users. Again, we can set this to whichever users we would like. We can come into conditions and select the conditions,
and these are going to be Microsoft-determined.
Identity Protection is going to put various activities or actions in each of these particular categories
and request that we respond appropriately, so we could go ahead and put this at anything medium and above,
and then we can decide what we want to have happen in the event of those events. We can continue to allow access and require a password change, or we can simply block access completely. So when suspicious things begin to happen regarding our identities here in Azure Active Directory,
Identity Protection can lock those accounts out to help us secure our environment.
We're gonna go ahead and leave this as it is,
and this is an interesting dropdown that gives us an idea of how many users are going to be potentially impacted by this change. Currently, here on our very small Azure Active Directory, that's gonna be zero.
And then, the same as with multi-factor registration, we can set this policy to be enforced, and we can save that policy.
But again, a user risk policy is going to leverage the AI capabilities of Identity Protection. It's gonna be watching our Azure AD environment for suspicious activities. It's gonna respond in an automated way to help us further secure our environment.
Now there is a difference here between a user risk and a sign-in risk policy. Even though the configuration is essentially identical, a sign-in risk policy is going to be just that: these are risky events associated with sign-ins in Azure in general,
whereas a user risk policy is going to be risky behaviors that are done after a user has already authenticated and been granted access
to your Azure Active Directory environment.
The steps that could be taken after those events are triggered, again, are going to be set here through these policies. We set our condition level to whether it's low, moderate or high.
We select the control list of what we want Identity Protection to do: block the user, or allow and require a password reset at the next login, and it's gonna let us know how many users are likely to be impacted by that. But again, Identity Protection is an artificial-intelligence-enabled way for
Azure AD to be monitored and to be proactively controlled when suspicious events happen in the environment.
Coming back over here to Azure Active Directory, we can come down here to the password reset blade and see that we have some self-service password options. Currently, self-service passwords are off. I can go ahead and enable this for selected users if I want to do a phased rollout, or I could just select All
and we can save this change. There are also a number of authentication methods allowed for when users are attempting to reset their password. Currently, we are only requiring one of the included items, but we could require two to increase security.
We can also check mark the boxes for the items that we would want users to be able to use to reset their passwords.
Currently, it's set to email and mobile phone via SMS.
We'll see here that there are a few options that are grayed out, and that has to do with the fact that we are currently using the preview of Azure AD P2. If we were on a paid plan, these options would become available again. But we could send a notification to an Azure mobile app.
You can send a code to the mobile app,
email, text message. Users could use security questions that they set, or we could make a phone call to an office phone number as well. Registration is going to allow us to force users to register for password reset when they log in to their account, if they have not done so,
and then we have the option to, within 180 days,
request that they reconfirm the information that they're gonna be using for self-service password reset. We also have some information here on who's gonna be notified when passwords have been reset. By default, the users are notified when self-service passwords are reset; administrators are not, but clearly there are simple toggle buttons for you to change these options as well.
We can go ahead and drop in a help desk URL here, and we also can enable password writeback to on-premises directory structures in the event that that's necessary or needed.
Once we've completed that setup, this is gonna be enabled by setting up Azure AD sync via the Azure AD Connect tool running on our on-premises equipment. We walked through that configuration in a separate episode.
There's also the concept here in Azure of managing multiple directories. This would be equivalent to managing multiple domains in your AD DS services.
And to set that up, we come up here to Create a resource and we're simply gonna search for
Azure Active Directory.
We can click on that and we can select Create.
Relatively straightforward. We name the organization and understand that this initial domain name has to be globally unique within the .onmicrosoft.com namespace.
We select the country of origin and then we can create that.
Now that that directory has finished deploying, we can come up here to a somewhat obscure button in the Azure portal.
We can use that to flip between the two different directories, or the Azure AD tenants, that we have created. So right now we're in the test store, ese tenant that we just created, and I can simply click back to the one that I was in previously and then I'm ready to go.
Now keep in mind that these Azure AD tenants have no cross-communication with each other whatsoever. They are completely separate and discrete
Azure AD tenants here within the Azure environment.
The last thing I want to mention here, and a really interesting feature of Azure AD, is gonna be the concept of enterprise applications.
And you can see there are a number of these already set up by default. But if I select New application here,
we have over 3000 applications that we can leverage Azure AD to use single sign-on here for a number of third-party solutions.
As mentioned, we have Box, Dropbox, GitHub, Lucidchart, from Clouds, Microsoft cloud items. The list is very extensive. I encourage you, once you have your Azure AD tenant up and running, even for this course, to come through here
and search for any applications that you may be able to leverage single sign-on through Azure AD with.
This could really be a boon for your end users and simplify user creation and password resets as well. If you couple this along with self-service password reset, I think you'll see that some of these features here in Azure AD could really simplify your administrative life overall.
So in today's episode, we talked about a whole host of functionalities that are exposed to us through Azure AD, all the way from Azure AD join to help us manage devices, from bring-your-own-device situations to corporate-owned devices shipped directly to the user without having to touch them.
We talked about self service password reset,
and we talked about a way to leverage some Microsoft built artificial intelligence to help us secure both our sign ins and our user actions in Azure as well.
Coming up next, we're going to talk about how to implement, and the ins and the outs of, multi-factor authentication: one part of it that's free here in Azure for administrators and another part that is paid and can be deployed for all of your users across your organization.
Thank you so much for joining me for this episode. I'm looking forward to seeing you in the next one.