8 hours 33 minutes
Hello, Cybrarians. Welcome to this lesson, titled Azure AD Identity Management.
This lesson is part of the second module of the AZ-500 Microsoft Azure Security Technologies course.
Here is a quick overview of what we will be covering in this lesson.
We start by covering Azure AD users: the types of users and the sources of users.
We'll then discuss Azure AD groups, their types and the membership assignments.
We proceed to cover Azure AD roles and how we use them to assign permissions.
And we'll conclude by discussing Azure AD application registration and the different permission scenarios that it allows.
Let's get into this.
I mentioned in the last lesson
that the primary use case for Azure AD is to manage access to applications that support modern authentication protocols.
In order for users to be able to access services and resources, they need an account, and there are two types of user accounts in Azure AD.
You have direct members, and we have guest users. Direct members are considered to be native members of that Azure AD tenant, while guest users are external collaboration users that have been brought in from external directories.
What about the sources of those user accounts?
We can create users in Azure AD in the portal or using command line tools.
We can invite Microsoft accounts, like Hotmail or outlook.com accounts, into our Azure AD tenant.
We can invite users from other Azure AD tenants.
We can also synchronise users from our on-premises directory into Azure AD.
Let's talk about Azure AD groups.
Groups in Azure AD serve the same function as groups in any other identity system.
They are used to organize users and to make it easier to assign permissions.
It's more effective to assign permissions to groups, for example,
because we can then manage the membership of that group going forward.
Azure AD supports two types of groups:
security groups, which are used to manage member and computer access to shared resources,
and Office 365 groups, which serve a similar function to distribution groups; in other words, a group that's used for collaboration.
When we create a group in Azure AD, we need to specify how members will be assigned to that group.
This can be achieved by direct assignment, where we manually add or remove users from the group. This is called assigned membership.
Or this can be by dynamic assignment, where we define membership rules
based on user or device attributes, and the group membership is automatically derived based on those rules.
Some important information about Azure AD groups.
Security groups in Azure AD can be nested, but not Office 365 groups.
Dynamic group membership in Azure AD requires an Azure AD Premium license. This is not something that's available in the free or Office 365 Azure AD editions.
And finally, a group cannot be dynamic for both users and devices. We can create a dynamic group
based on user attributes and another dynamic group based on device attributes, but not one for both at the same time.
Let's talk about Azure AD roles. First, what is a role? A role is a collection of permissions. We can create a user
in a directory, and we can add the user to a group, but that doesn't grant them rights to do anything until we actually assign them a role.
There are two main types of roles.
We have the Azure AD administrator roles, which grant permissions to Azure AD itself, for example, permission to create a user, or to reset a user's password.
Some built-in Azure AD roles include the Global Administrator role, which grants full access to manage all the features of Azure AD, and the User Administrator role, which only grants permissions to create and manage all aspects of users and groups.
The other type of role is Azure role-based access control (RBAC),
and this grants permissions to Azure resources that can be consumed as part of an Azure subscription.
Some built-in Azure RBAC roles include the Owner role, which grants full access to all resources, including being able to assign permissions to other identities;
the Contributor role, which grants permissions to all resources except the ability to add permissions for other identities;
and the Reader role, which grants read-only access.
Some important information about Azure AD roles.
First, only users can be assigned Azure AD administrator roles. Unfortunately,
we cannot assign groups to Azure AD administrator roles.
Secondly, roles can either be built-in, like the ones that were listed and mentioned, or they can be custom roles based on fine-grained permissions defined by us. This applies both to Azure AD administrator roles and to Azure RBAC roles.
It's normally users that need to authenticate to Azure AD to access resources,
but applications may also need to authenticate to Azure AD.
Well, how does Azure AD identify an application?
It does this using something called an application registration. This is similar to a service account.
An application registration represents an application in Azure AD.
Applications in Azure AD can function in different roles.
An application can function as a client if the application just needs to consume resources that are managed by Azure AD.
An application can also function as a server if the application is providing a service, usually an API, that other clients can access.
In some cases, an application can function both as a client, to access resources, and as a server, to provide services.
Any application that needs to authenticate to Azure AD as a client requires a service principal,
and any application that provides a service protected by Azure AD must be registered in the directory.
Both of these are achieved by creating an application registration in Azure AD. Let's discuss the two main permission scenarios that Azure AD application registration supports.
The first scenario is when an application needs to get permission on behalf of one or more users. This scenario is referred to as delegated permission,
and this is usually the case for mobile, web and single-page applications that operate on behalf of users that have signed into them.
So these apps generally use user permissions, or delegated permissions.
So when users authenticate to these apps,
they can usually consent to delegated permissions that grant access to their own data, for example, an application that needs to read the user's profile in Azure AD.
There are some permissions with higher privileges that an admin will need to consent to.
Admins can also grant consent to delegated permissions on behalf of the entire organization.
When working with delegated permissions, the effective permission, or what an application can actually do, is calculated by taking the intersection of what the application has been granted by consent and the permissions that the user has in the underlying system.
For example, if an application gets consent to do full CRUD on all users in an entire organization,
but it's making calls on behalf of a non-admin user who cannot normally delete users,
the application won't be able to delete any users.
The other scenario is when an application is getting permissions on behalf of itself, in other words, as a service. This scenario is also referred to as application permission.
Daemons that operate purely in the background as a service fall into this category.
These types of applications request application permissions, or they can be referred to as app-only permissions.
Only administrators can consent to most application permissions, and the effective permissions are exactly what the application has been granted consent to, since there's no signed-in user present that the app can act on behalf of.
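To make the effective-permission rule concrete, here is an added example (not part of the course, and not Microsoft Graph's real consent engine) that models the two scenarios just described. The permission names, the per-role action sets and the list of permissions that need admin consent are constructed assumptions for illustration; what the code shows is the calculation itself: for delegated permissions the app's effective rights are the intersection of what was consented and what the signed-in user can do, while for app-only permissions they are exactly what was consented.

```python
# Constructed permission model for the delegated vs application-permission
# scenarios. Action names, role action sets and the admin-consent list are
# assumptions for this example, not Azure AD's real definitions.

ROLE_ACTIONS = {
    # what a caller holding each directory role can do in the underlying system
    "Global Administrator": {"user.read", "user.create", "user.update",
                             "user.delete", "group.read", "group.create"},
    "User Administrator":   {"user.read", "user.create", "user.update",
                             "user.delete", "group.read", "group.create"},
    "member":               {"user.read", "group.read"},   # ordinary non-admin user
}

# full CRUD on users, the consent grant used in the lesson's example
FULL_USER_CRUD = {"user.read", "user.create", "user.update", "user.delete"}

# delegated permissions that only an admin may consent to (assumed list)
ADMIN_CONSENT_REQUIRED = {"user.create", "user.update", "user.delete", "group.create"}


def grant_consent(requested, granted_by, app_only=False):
    """Return the subset of `requested` that `granted_by` is allowed to consent to.

    - app-only (application) permissions: only an admin can consent, and then
      to everything requested; a normal user can consent to nothing.
    - delegated permissions: an admin can consent to everything (org-wide
      consent); a normal user can consent only to the low-privilege ones.
    """
    is_admin = granted_by["role"] != "member"
    if app_only:
        return set(requested) if is_admin else set()
    if is_admin:
        return set(requested)
    return set(requested) - ADMIN_CONSENT_REQUIRED


def effective_permissions(consented, signed_in_user=None):
    """Delegated: intersection of app consent and the user's own rights.
    App-only (no signed-in user): exactly what was consented."""
    if signed_in_user is None:
        return set(consented)
    return set(consented) & ROLE_ACTIONS[signed_in_user["role"]]


def can(consented, action, signed_in_user=None):
    """Can the app perform `action`, given its consent and (optionally) the user?"""
    return action in effective_permissions(consented, signed_in_user)


# constructed identities
ADMIN = {"name": "admin", "role": "Global Administrator"}
BOB = {"name": "bob", "role": "member"}


def lesson_example():
    """Replays the lesson's example: org-wide admin consent to full user CRUD,
    then calls made on behalf of a non-admin user versus as a daemon."""
    consented = grant_consent(FULL_USER_CRUD, granted_by=ADMIN)          # org-wide consent
    daemon_consent = grant_consent(FULL_USER_CRUD, ADMIN, app_only=True)  # app-only consent
    return {
        "bob_can_delete": can(consented, "user.delete", BOB),      # False: Bob cannot delete
        "bob_can_read": can(consented, "user.read", BOB),          # True
        "admin_can_delete": can(consented, "user.delete", ADMIN),  # True
        "daemon_can_delete": can(daemon_consent, "user.delete"),   # True: no user to intersect with
        "user_self_consent": grant_consent(FULL_USER_CRUD, granted_by=BOB),  # {'user.read'}
    }


if __name__ == "__main__":
    for key, value in lesson_example().items():
        print(f"{key}: {value}")
```

The design point worth noticing is that the daemon ends up with more effective power than the same app acting for Bob, even though both were consented to the same scopes; that is why the lesson stresses that application permissions normally require admin consent.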
Here are some quiz questions for this lesson.
You have the following two groups in your Azure AD tenant.
You have a requirement to add all London users and their devices into the London group.
What should you do?
If you selected option three, which is to change the membership type of the London group to assigned, then create two new groups that have dynamic membership, and then add the new groups to the London group, you would be correct. Remember that a group can only be dynamic for either users or devices,
but not for both at the same time. So in this case, the way to achieve that is to create a separate dynamic group for the users and a separate dynamic group for the devices, and then add both as assigned members of the London group.
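As an added example (not from the course, and not Microsoft's rule engine), the following Python models the dynamic-membership behaviour covered in the groups section and the quiz answer above: a small evaluator for a subset of the Azure AD dynamic membership rule syntax (`(user.department -eq "London")`, `-and`, `-or`, `-startsWith`) that refuses a rule mixing `user.*` and `device.*` properties, plus a resolver that nests two dynamic groups inside an assigned parent group. The sample directory objects, the group names, the device naming convention (`LON-` prefix) and the left-to-right evaluation of `-and`/`-or` are constructed simplifications for this example.

```python
import re

# Constructed evaluator for a subset of Azure AD dynamic membership rules.
# Supported clause shape: (user.prop -op value) or (device.prop -op value),
# joined by -and / -or. Joiners are applied left to right (a simplification).
CLAUSE = re.compile(
    r'\(\s*(user|device)\.(\w+)\s+(-eq|-ne|-startsWith)\s+("[^"]*"|true|false)\s*\)'
)
JOINER = re.compile(r'\s*(-and|-or)\s*')


def parse_rule(rule):
    """Return (object_type, [(prop, op, value), ...], [joiners]).

    Rejects a rule that mixes user.* and device.* clauses, mirroring the
    lesson's point that a group is dynamic for users or for devices, never both."""
    clauses, joiners, objects = [], [], set()
    rule = rule.strip()
    pos = 0
    while pos < len(rule):
        m = CLAUSE.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule at: {rule[pos:]!r}")
        obj, prop, op, raw = m.groups()
        objects.add(obj)
        value = raw.strip('"') if raw.startswith('"') else (raw == "true")
        clauses.append((prop, op, value))
        pos = m.end()
        if pos < len(rule):
            j = JOINER.match(rule, pos)
            if not j:
                raise ValueError(f"expected -and/-or at: {rule[pos:]!r}")
            joiners.append(j.group(1))
            pos = j.end()
    if len(objects) != 1:
        raise ValueError("a dynamic rule must target only users or only devices")
    return objects.pop(), clauses, joiners


def _test(attrs, prop, op, value):
    actual = attrs.get(prop)
    if op == "-eq":
        return actual == value
    if op == "-ne":
        return actual != value
    return isinstance(actual, str) and actual.startswith(value)   # -startsWith


def evaluate_rule(rule, obj):
    """obj is a dict with a 'type' of 'user' or 'device' plus its attributes."""
    obj_type, clauses, joiners = parse_rule(rule)
    if obj.get("type") != obj_type:          # a user rule never matches a device
        return False
    result = _test(obj, *clauses[0])
    for joiner, clause in zip(joiners, clauses[1:]):
        r = _test(obj, *clause)
        result = (result and r) if joiner == "-and" else (result or r)
    return result


def resolve_members(group_name, groups, directory):
    """Set of object ids that end up in a group. Dynamic groups evaluate their
    rule over the directory; assigned groups list ids and/or nested groups."""
    g = groups[group_name]
    if g["membership"] == "dynamic":
        return {o["id"] for o in directory if evaluate_rule(g["rule"], o)}
    members = set()
    for m in g["members"]:
        if m in groups:                       # nested security group
            members |= resolve_members(m, groups, directory)
        else:
            members.add(m)
    return members


DIRECTORY = [   # constructed sample objects, not real tenant data
    {"id": "alice", "type": "user", "department": "London", "accountEnabled": True},
    {"id": "bob", "type": "user", "department": "Paris", "accountEnabled": True},
    {"id": "carol", "type": "user", "department": "London", "accountEnabled": False},
    {"id": "LON-LT-01", "type": "device", "displayName": "LON-LT-01", "deviceOSType": "Windows"},
    {"id": "PAR-LT-07", "type": "device", "displayName": "PAR-LT-07", "deviceOSType": "Windows"},
]

GROUPS = {   # the quiz answer: two dynamic groups nested in an assigned parent
    "London Users": {"membership": "dynamic",
                     "rule": '(user.department -eq "London") -and (user.accountEnabled -eq true)'},
    "London Devices": {"membership": "dynamic",
                       "rule": '(device.displayName -startsWith "LON-")'},
    "London": {"membership": "assigned", "members": ["London Users", "London Devices"]},
}


def london_members():
    return resolve_members("London", GROUPS, DIRECTORY)


def mixed_rule_is_rejected():
    """The single-group shortcut the quiz rules out: one rule for users and devices."""
    try:
        parse_rule('(user.department -eq "London") -or (device.displayName -startsWith "LON-")')
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(sorted(london_members()))      # ['LON-LT-01', 'alice']
    print(mixed_rule_is_rejected())      # True
```

Carol is excluded because the user rule also requires an enabled account, and the Paris laptop is excluded by the device rule; the parent group then contains exactly the union of the two dynamic groups, which is what the quiz answer achieves.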
Quiz question number two.
A company has an Azure subscription named Sub1 that is associated with an Azure AD tenant named testcloud.xyz.
A consultant develops an application named CustomApp.
The app is registered in Azure AD.
You need to ensure that the app can access secrets in Azure Key Vault on behalf of the application's users.
What should you configure?
If you selected option number two, a delegated permission without admin consent, you would be correct, because in this case the application needs delegated permission on behalf of users that have authenticated to it.
Here are some supplementary links for further study on the topics covered in this lesson.
And in summary, here are the topics covered in this lesson.
We started by discussing Azure AD users, the types of users and the sources of users.
We then discussed Azure AD groups, their types and membership assignment.
We proceeded to cover Azure AD roles and how we use them to assign permissions, and we concluded by discussing Azure AD application registration and the different permissions an app registration supports, namely delegated permissions and application permissions.
Thanks very much for watching this video, and I'll see you in the next lesson.