Time
8 hours 33 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
Hello, Cybrarians. Welcome to this lesson, titled Azure AD Identity Management.
00:06
This lesson is part of the second module of the AZ-500 Microsoft Azure Security Technologies course.
00:14
Quick information on what we'll be covering in this lesson.
00:18
We'll start by covering Azure AD users: the types of users and the sources of users.
00:24
We'll then discuss Azure AD groups, their types and their membership assignments.
00:30
We'll proceed to cover Azure AD roles and how we use them to assign permissions.
00:35
And we'll conclude by discussing Azure AD application registration and the different permission scenarios that it allows.
00:42
Let's get into this.
00:45
We mentioned in the last lesson
00:47
that the primary use case for Azure AD is to manage access to applications that support modern authentication protocols.
00:56
In order for users to be able to access those services and resources, they need an account, and there are two main types of user accounts in Azure AD.
01:04
You have direct members, and we have guest users. Direct members are considered to be native members of that Azure AD tenant, while guest users are external collaboration users that have been brought in from external directories.
01:21
What about the sources of those user accounts?
01:23
We can create users in Azure AD using the portal or using command line tools.
01:30
We can invite Microsoft accounts, like Hotmail or outlook.com accounts, into our Azure AD tenant.
01:37
We can invite users from other Azure AD tenants.
01:41
We can also synchronize users from our on-premises directory into Azure AD.
01:46
Let's talk about Azure AD groups.
01:49
Groups in Azure AD serve the same function as groups in any other identity system.
01:56
They are used to organize users and to make it easier to assign permissions.
02:00
It's more effective to assign permissions to groups, for example,
02:05
and we can then manage the membership of that group going forward.
02:08
Azure AD supports two types of groups:
02:12
security groups, which are used to manage member and computer access to shared resources,
02:19
and Office 365 groups, which serve a similar function to distribution groups, in other words, a group that's used for collaboration.
02:28
When we create a group in Azure AD, we need to specify how members will be assigned to that group.
02:35
This can be achieved by direct assignment, where we manually add or remove users from the group. This is called assigned membership.
02:44
Or this can be by dynamic assignment, where we define membership rules
02:49
based on user or device attributes, and the group membership is automatically derived based on those rules.
02:58
Some important information about Azure AD groups.
03:01
Security groups in Azure AD can be nested, but not Office 365 groups.
03:08
Dynamic group membership in Azure AD requires the Azure AD Premium license. This is not something that's available in the Free or Office 365 Azure AD editions.
03:23
And finally, a group cannot be dynamic for both users and devices. We can create a dynamic group
03:30
based on user attributes and another dynamic group based on device attributes, but not for both at the same time.
03:38
Let's talk about Azure AD roles. First, what is a role? A role is a collection of permissions. We can create a user
03:46
in Azure AD, and we can add the user to a group, but that doesn't grant them rights to do anything until we actually assign them a role.
03:53
In Azure,
03:55
there are two main types of roles.
03:58
We have the Azure AD administrator roles, which grant permissions to Azure AD itself, for example, permission to create a user or to reset a user's password.
04:10
Some built-in Azure AD roles include the Global Administrator role, which grants full access to manage all the features of Azure AD, and the User Administrator role, which only grants permissions to create and manage all aspects of users and groups.
04:26
The other type of role is Azure role-based access control,
04:30
and this grants permissions to Azure resources that can be consumed as part of an Azure subscription.
04:36
Some built-in Azure RBAC roles include the Owner role, which grants full access to all resources, including being able to assign permissions to other identities;
04:46
the Contributor role, which grants permissions to all resources except the ability to assign permissions to other identities;
04:55
and the Reader role, which grants read-only access.
04:59
Some important information about Azure AD roles.
05:02
First, only users can be assigned Azure AD administrator roles. Unfortunately,
05:10
we cannot assign groups to Azure AD administrator roles.
05:15
Secondly, roles can either be built-in, like the ones that were listed and mentioned, or they can be custom roles based on fine-grained permissions defined by us. This applies both to Azure AD administrator roles and to Azure RBAC roles.
05:32
It's not only users that need to authenticate to Azure AD to access resources.
05:38
Applications may also need to authenticate to Azure AD.
05:42
Well, how does Azure AD identify an application?
05:46
It does this using something called an application registration. This is similar to service accounts.
05:54
An application registration represents an application in Azure AD.
06:00
Applications in Azure AD can function in different roles.
06:02
An application can function as a client if the application just needs to consume resources that are managed by Azure AD.
06:11
An application can also function as a server if the application is providing a service, usually an API, that other clients can access.
06:20
In some cases, an application can function as both a client, to access resources, and as a server, to provide services.
06:30
Any application that needs to authenticate to Azure AD as a client requires a service principal,
06:36
and any application that provides a service protected by Azure AD must be registered in the directory.
06:45
Both of these are achieved by creating an application registration in Azure AD. Let's discuss the two main permission scenarios that Azure AD app registration supports.
06:57
The first scenario is when an application needs to get permission on behalf of one or more users. This scenario is referred to as delegated permission,
07:06
and this is usually the case for mobile, web and single-page applications that operate on behalf of users that have signed into them.
07:16
So these apps generally use user permissions, or delegated permissions.
07:21
So when a user is authenticated to these apps,
07:25
they can usually consent to delegated permissions that grant access to their data, for example, an application that needs to read the user's profile in Azure AD.
07:35
However,
07:38
there are some permissions that have privileges that admins need to consent to.
07:44
Admins can also grant consent to delegated permissions on behalf of the entire organization.
07:50
And working with delegated permissions, the effective permission, or what an application can actually do, is calculated by taking the intersection of what an application has been granted by consent and the permissions that the user has in the underlying system.
08:07
For example, if an application gets consent to do full CRUD on all users in an entire organization,
08:15
but it's making calls on behalf of a non-admin user who cannot normally delete users,
08:22
the application won't be able to delete any users.
08:24
The other scenario is when an application is getting permissions on behalf of itself, in other words, as a service. This scenario is also referred to as application permission.
08:35
Any app that runs purely in the background, as a service, falls into this category.
08:41
These types of applications request application permissions, or they can be referred to as app-only permissions.
08:48
Only administrators can consent to most application permissions, and the effective permissions are exactly what the application has been granted consent to, since there's no signed-in user present that the app can act on behalf of.
09:03
Here are some quiz questions for this lesson.
09:07
You have the following two groups in your Azure AD tenant.
09:11
You have a requirement to add all London users and their devices into the London group.
09:18
What should you do?
09:22
If you selected option three, which is to change the membership type of the London group to Assigned, then create two new groups that have dynamic membership, and then add the new groups to the London group, you would be correct. Remember that a dynamic group can only be dynamic for either users
09:41
or devices,
09:43
but not for both at the same time. So in this case, the only way to achieve that is to create a separate dynamic group for the users, a separate dynamic group for the devices, and then add both as assigned members of the London group.
10:00
Quiz question number two.
10:01
A company has an Azure subscription named Sub1 that is associated with an Azure AD tenant named testcloud.xyz.
10:11
A developer develops an application named CustomApp.
10:16
The app is registered in Azure AD.
10:18
You need to ensure that the app can access secrets in Azure Key Vault on behalf of the application users.
10:26
What should you configure?
10:28
If you selected option number two, delegated permission without admin consent, you would be correct, because in this case the application needs delegated permission on behalf of users that have authenticated to it.
10:46
Here are some supplementary links for further study on the topics covered in this lesson,
10:52
and in summary, here are the topics that were covered in this lesson.
10:56
We started by discussing Azure AD users, the types of users and the sources of users.
11:01
We then discussed Azure AD groups, their types and membership assignment.
11:07
We proceeded to cover Azure AD roles and how we use them to assign permissions, and we concluded by discussing Azure AD application registration and the different permission scenarios that app registration supports, namely delegated permissions and application permissions.
11:24
Thanks very much for watching this video, and I'll see you in the next lesson.
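The following is an added example and is not part of the lesson or its course material. It models, in plain Python, two rules the lesson states so that they can be checked rather than just remembered: a dynamic group derives its members from the attributes of either users or devices but never both, while an assigned security group can nest other security groups (the first quiz scenario); and an app's effective permission under the delegated scenario is the intersection of what was consented and what the signed-in user may do, whereas under the application (app-only) scenario it is exactly the consented set. All principal names, attribute keys, group names and permission strings are constructed for the example and are not Azure AD identifiers, and the "rule language" is a toy equality match, not Azure AD's dynamic membership rule syntax.

```python
"""
Added example (not from the lesson): a small model of two rules the lesson states.

1. A dynamic group evaluates its membership rule against either users or devices,
   never both; an assigned security group can nest other security groups.
2. Delegated permissions are the intersection of what was consented and what the
   signed-in user can do; application permissions are exactly what was consented.

All names, attribute keys and permission strings below are constructed for the
example; they are not Azure AD identifiers.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """A directory object: a user or a device, with a few attributes."""
    name: str
    kind: str          # "user" or "device"
    attributes: dict


@dataclass
class Group:
    """membership_type is "assigned", "dynamic_user" or "dynamic_device"."""
    name: str
    membership_type: str
    rule: dict = field(default_factory=dict)      # attribute -> required value
    assigned: set = field(default_factory=set)    # names of members or nested groups

    def __post_init__(self):
        # A group is assigned, dynamic for users, or dynamic for devices: never a mix.
        if self.membership_type not in ("assigned", "dynamic_user", "dynamic_device"):
            raise ValueError("a group is assigned, dynamic for users, or dynamic for devices")
        if self.membership_type == "assigned" and self.rule:
            raise ValueError("assigned groups carry no membership rule")
        if self.membership_type != "assigned" and self.assigned:
            raise ValueError("dynamic groups do not take direct assignments")


def matches_rule(rule: dict, principal: Principal) -> bool:
    """Toy rule language: every attribute in the rule must equal the principal's value."""
    return all(principal.attributes.get(k) == v for k, v in rule.items())


def members(group: Group, principals: list, groups: dict) -> set:
    """Transitive membership: a dynamic group is derived from the attributes of one
    object kind only; an assigned group expands any nested groups it contains."""
    if group.membership_type != "assigned":
        kind = group.membership_type.split("_", 1)[1]       # "user" or "device"
        return {p.name for p in principals if p.kind == kind and matches_rule(group.rule, p)}
    result = set()
    for name in group.assigned:
        if name in groups:                                   # nested security group
            result |= members(groups[name], principals, groups)
        else:
            result.add(name)
    return result


# Constructed sample directory for the lesson's first quiz scenario.
PRINCIPALS = [
    Principal("alice", "user", {"city": "London"}),
    Principal("bob", "user", {"city": "Manchester"}),
    Principal("lon-laptop-01", "device", {"city": "London"}),
    Principal("man-laptop-01", "device", {"city": "Manchester"}),
]
GROUPS = {
    "London Users": Group("London Users", "dynamic_user", rule={"city": "London"}),
    "London Devices": Group("London Devices", "dynamic_device", rule={"city": "London"}),
    # The London group itself is assigned and nests the two dynamic groups.
    "London": Group("London", "assigned", assigned={"London Users", "London Devices"}),
}


def london_members() -> set:
    """Users and devices that end up in the London group via the two dynamic groups."""
    return members(GROUPS["London"], PRINCIPALS, GROUPS)


def effective_permissions(consented: set, flow: str, user_permissions: set = None) -> set:
    """What the app can actually do, per the lesson's two permission scenarios."""
    if flow == "application":
        return set(consented)           # app-only: no signed-in user narrows the grant
    if flow == "delegated":
        if user_permissions is None:
            raise ValueError("delegated permissions need a signed-in user")
        return set(consented) & set(user_permissions)
    raise ValueError("flow must be 'delegated' or 'application'")


# Constructed permission strings: the app was consented full CRUD on users.
FULL_USER_CRUD = {"user.create", "user.read", "user.update", "user.delete"}
NON_ADMIN_USER = {"user.read"}        # what an ordinary user may do in the directory


def delegated_as_non_admin() -> set:
    """Delegated call on behalf of a user who cannot delete users: no delete."""
    return effective_permissions(FULL_USER_CRUD, "delegated", NON_ADMIN_USER)


def app_only() -> set:
    """Application permission: exactly what an admin consented to."""
    return effective_permissions(FULL_USER_CRUD, "application")


if __name__ == "__main__":
    print("London group members:", sorted(london_members()))
    print("delegated, non-admin user:", sorted(delegated_as_non_admin()))
    print("application permission:", sorted(app_only()))
```

The `Group` constructor refuses a dynamic group that also carries direct assignments, which is the shape the quiz's wrong options take; the London group only gets both users and devices because it is itself assigned and nests one user-dynamic and one device-dynamic group. The permission functions make the detection and review point concrete: an app-only grant is worth exactly its consented scope, which is why the lesson says most application permissions need administrator consent, while a delegated grant is bounded by the weakest of the two parties.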

Up Next

AZ-500: Microsoft Azure Security Technologies

In the AZ-500 Microsoft Azure Security Technologies training, students will learn the skills that are needed to pass the AZ-500 certification exam. All exam topics are covered as well as exam preparation strategies and hands-on practice.

Instructed By

David Okeyode
Cloud Security Architect
Instructor