AD Concepts
- Identity: can be a user, an app, or a server that authenticates with a certificate or keys
- Account: an identity that has some data associated with it
- Azure AD account: an identity created through Azure AD
- Azure subscription: pays for cloud services
- Azure tenant: a dedicated and trusted instance of Azure AD, created automatically when an organization signs up for a Microsoft cloud subscription (e.g. Microsoft Azure, Intune, Office 365). A tenant represents a single organization
- Azure AD directory: each tenant has a dedicated, trusted Azure AD directory (containing users, groups, apps) for performing identity and access functions
Azure AD vs AD DS (Windows Server-based)
- Identity solution, designed for HTTP(S)
- REST API: since it is HTTP(S)-based, it cannot be queried with LDAP; the REST API is used instead
- Communication protocols: since it is HTTP(S)-based, it does not use Kerberos but web protocols: SAML, WS-Federation and OpenID Connect for authentication (and OAuth for authorization)
- Federation service is included, e.g. for third-party identity providers like Facebook
- Flat structure: there are no OUs (organizational units) or GPOs (Group Policy Objects)
Azure AD comes in four editions: Free, Office 365 apps, Premium P1, Premium P2
Azure AD join
Enables single sign-on to services and apps from anywhere, so IT admins must ensure that the organization's resources are protected and that the apps / services / devices meet its standards.
Connection options are:
Registering: adds the device to Azure AD so its identity can be managed. Azure AD gives the device an identity that is used to authenticate the device when a user signs in; that identity can also be used to enable or disable the device.
Joining: an extension of registering a device. You get everything registering gives you, plus a change of state for the device, e.g. users sign in with a work account instead of a personal one.
There is also SSPR, self-service password reset, which lets users reset their own password: Azure Active Directory -> Password reset:
Under Manage:
Users and groups
Managing users: add new users, or create bulk user accounts with PowerShell
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-bulk-add
Group accounts
Two types of groups:
Security groups: common, used to manage member and machine access to shared resources. E.g. create a security group for a security policy so permissions can be set for the whole group at once.
O365 groups: give members access to mail, calendar, SharePoint etc. Also for people outside the organization.
Membership types: Assigned (add users to the group manually); Dynamic user (users are added and removed automatically: if a user's attributes change, the user is added or removed depending on the rules); Dynamic device (security groups only): same as above but for devices, added or removed depending on the rules.
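Worked example, added to these notes and not taken from them or from Microsoft's docs, that ties together the bulk user creation with PowerShell above and the dynamic membership rules just described: it creates users from constructed CSV rows and a dynamic security group whose rule follows their Department attribute. It assumes the AzureAD PowerShell module (New-AzureADUser, New-AzureADMSGroup) and uses a placeholder tenant domain.

```powershell
# Added example: bulk-create users from CSV rows, then create a dynamic
# security group that tracks their Department attribute.
# Assumes the AzureAD module and a placeholder tenant domain.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$Domain = 'example.onmicrosoft.com'   # placeholder tenant domain

# Constructed sample input; in practice this comes from Import-Csv on an HR export.
$Users = @'
DisplayName,MailNickname,Department,JobTitle
Alice Example,alice,Security Operations,SOC Analyst
Bob Example,bob,Security Operations,Incident Responder
Carol Example,carol,Finance,Accountant
'@ | ConvertFrom-Csv

function New-RandomPassword {
    # 64-character alphabet: mapping a byte with modulo 64 introduces no bias.
    param([int]$Length = 24)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

foreach ($u in $Users) {
    # Each account gets its own random initial password, changed at first sign-in.
    $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwProfile.Password = New-RandomPassword
    $pwProfile.ForceChangePasswordNextLogin = $true
    New-AzureADUser -AccountEnabled $true `
        -DisplayName $u.DisplayName `
        -UserPrincipalName "$($u.MailNickname)@$Domain" `
        -MailNickName $u.MailNickname `
        -Department $u.Department `
        -JobTitle $u.JobTitle `
        -PasswordProfile $pwProfile | Out-Null
}

# Dynamic security group: membership is evaluated from the rule, so a user whose
# Department changes away from "Security Operations" is removed automatically.
New-AzureADMSGroup -DisplayName 'SecOps-Dynamic' `
    -Description 'All enabled users whose Department is Security Operations' `
    -MailEnabled $false -MailNickname 'secops-dynamic' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Security Operations") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'
```

Dynamic membership rules require Azure AD Premium P1 or P2, and the initial passwords are never written to disk here; hand them to users through a separate channel.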