Chapter 2
Manage user identity and roles
A key aspect of deploying Microsoft 365 is ensuring that user identity is configured properly. When this is done, users are able to seamlessly access resources in the on-premises environment, as well as in the Microsoft 365 environment. If it is not done correctly, users have to juggle different accounts, depending on whether the accessible resources are hosted locally or in the cloud. In this chapter you will learn about designing an identity strategy, how to plan identity synchronization with Azure AD Connect, how to manage that synchronization, how to manage Azure AD identities, and how to manage Azure AD user roles.
Manage user roles
When evaluating requirements and a solution for synchronization, consider the following questions:
How often do those identities need to be replicated to the cloud?
What properties of those identities need to be replicated to the cloud?
Another challenge to consider is that many on-premises environments are more complicated than a single Active Directory domain. Some organizations have multi-domain Active Directory forests and, as it is a recommended Microsoft secure administrative practice, an increasing number of large organizations have multi-forest deployments such as having an Enhanced Security Administrative Environment (ESAE) forest to store privileged accounts for the production forest.
User accounts are not the only identity that an organization may wish to replicate to the cloud. It may be necessary to replicate some groups to the cloud because these groups may be useful in mediating access to Microsoft 365 workloads. For example, if your organization already has a local security group that is used to collect together members of the accounting team, you may want that group also present as a method of mediating access to resources and workloads within Microsoft 365.
How often to replicate?
When evaluating requirements and a solution for synchronization, you need to answer several important questions. For example, how often do the properties of an on-premises identity change and how soon must those changes be present within Azure Active Directory?
While there can be bandwidth considerations around identity synchronization, the majority of such traffic is going to be the replication of changes, also known as “delta,” rather than constant replications of the entire identity database. The amount of bandwidth consumed by delta identity synchronization traffic is often insignificant compared to the bandwidth consumed by other Microsoft 365 workloads and services.
When considering a synchronization solution, determine which on-premises Active Directory attribute information needs to be replicated to Azure Active Directory. For example, you may have an application running in Azure that needs access to the Job Title, Department, Company, and Manager attributes, as shown in Figure 2-1.
Figure 2-1 Which attributes to replicate
Newly created on-premises user and group objects will only be present within the Azure Active Directory instance that supports the Microsoft 365 tenancy after synchronization has occurred. You can force synchronization to occur using the Azure AD Connect Synchronization Service Manager tool.
Meeting the Azure AD Connect installation requirements
Prior to installing Azure AD Connect, you should ensure that your environment, the Azure AD Connect computer, and the account used to configure Azure AD Connect meet the software, hardware, and privilege requirements. So, you need to ensure that your Active Directory environment is configured at the appropriate level, that the computer on which you will run Azure AD Connect has the appropriate software and hardware configuration, and that the account used to install Azure AD Connect has been added to the appropriate security groups.
You can check the forest functional level using the Active Directory Domains and Trusts console. To do this, perform the following steps:
(Get-ADForest).ForestMode
Connectivity requirements
The computer with Azure AD Connect installed must be a member of a domain in the forest that you want to synchronize, and must have connectivity to a writable domain controller in each domain of the forest you wish to synchronize on the following ports:
Hardware requirements
The hardware requirements of the computer that hosts Azure AD Connect depend upon the number of objects in the Active Directory environment that you need to sync. The greater the
Number of objects    Memory    Hard disk size
10,000–50,000        4 GB      70 GB
50,000–100,000       16 GB     100 GB
100,000–300,000      32 GB     300 GB
300,000–600,000      32 GB     450 GB
It’s important to note that during the planning phase, a new Microsoft 365 tenancy has a limit of 50,000 objects. However, once the first domain is verified, this limit is increased to 300,000 objects. Organizations that need to store more than 300,000 objects in an Azure Active Directory instance that supports a Microsoft 365 tenancy should contact Microsoft Support.
To install Azure AD Connect with Express settings, perform the following steps:
4. Specify custom sync groups When you deploy Azure AD Connect, it will create four local groups on the server that hosts the Azure AD Connect instance. These groups are the Administrators group, Operators group, Password Reset group, and the Browse group. If you want to use your own set of groups, you can specify them here. These groups must be local to the host server and not a member of the domain.
3. Federation with AD FS
Figure 2-10 Connect Your Directories
10. On the Azure AD Sign-In configuration page, shown in Figure 2-11, review the UPN suffix and then inspect the on-premises attribute to use as the Azure AD user name. You’ll need to ensure that accounts use a routable Azure AD user name.
13. On the Filter Users And Devices page, specify whether you want to synchronize all users and devices, or only members of a specific group. Figure 2-14 shows members of the Microsoft 365-Pilot-Users group being configured so that their accounts will be synchronized with Azure.
14. On the Optional Features page, shown in Figure 2-15, select any optional features that you want to configure. These features include the following.
Figure 2-15 Optional Features
5. Password writeback
6. Group writeback
7. Device writeback
You can learn more about which attributes are synchronized by Azure AD Connect at https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized.
Exam Tip
Azure Active Directory Connect can automatically configure and install simple password synchronization or Federation / Single Sign-on, depending on your organizational needs. When you choose the Federation with AD FS option, Active Directory Federation Services is installed and configured, as well as a Web Application Proxy server to facilitate communication between the on-premises AD FS deployment and Microsoft Azure Active Directory.
More Info Azure Active Directory Connect
Remove any duplicate userPrincipalName attributes.
givenName
sn
samAccountName
displayName
mail
proxyAddress
mailNickName
Letters
Numbers
Periods
Dashes
Underscores
IdFix
The IdFix tool, which you can download from Microsoft’s website, allows you to scan an Active Directory instance to determine if any user accounts, group accounts, or contacts have problems that will cause them not to synchronize between the on-premises instance of Active Directory and the Microsoft 365 instance of Azure Active Directory. IdFix can also perform repairs on objects that would otherwise be unable to sync. IdFix runs with the security context of the currently signed on user. This means that if you want to use IdFix to repair objects in the forest that have problems, the security account you use to run IdFix must have permissions to modify those objects. The IdFix tool is shown in Figure 2-18, displaying an account detected with an incorrectly configured userPrincipalName.
Figure 2-18 IdFix finds user with a problematic UPN
ADModify.NET
ADModify.NET is a tool that allows you to make changes to specific attributes for multiple objects. If you are using ADSIEdit or the Advanced mode of the Active Directory Users and Computers console, you are only able to modify the attribute of one object at a time. For example, Figure 2-19 shows ADModify.NET used to modify the format of the userPrincipalName attribute for a number of user accounts so that it conforms to a specific format.
This is not a problem when an organization’s internal Active Directory domain suffix is a publicly routable domain. For example, a domain name, such as contoso.com or adatum.com, that is resolvable by public DNS servers will suffice. Things become more complicated when the organization’s internal Active Directory domain suffix is not publicly routable. For example, Figure 2-20 shows the adatum346ER.internal non-routable domain.
Figure 2-20 Non-routable domain
Figure 2-23 ADModify.NET
6. You can also use Microsoft PowerShell scripts to reset the UPNs of multiple user accounts. For example, the following script resets UPN suffixes of all user accounts in the epistemicus.internal domain to epistemicus.onmicrosoft.com.
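The kind of script the step describes, written here as an added example rather than the book's own: it assumes the RSAT ActiveDirectory module is available and an account allowed to modify the user objects, uses the epistemicus.internal and epistemicus.onmicrosoft.com suffixes from the text, and honours -WhatIf so the change can be previewed first.

```powershell
# Added example (not the book's script): rewrite the UPN suffix of every user
# in epistemicus.internal to the routable epistemicus.onmicrosoft.com suffix.
# Assumes the RSAT ActiveDirectory module and rights to modify the user objects.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix = 'epistemicus.internal',
    [string]$NewSuffix = 'epistemicus.onmicrosoft.com'
)

Import-Module ActiveDirectory

# Only touch accounts whose UPN actually ends with the old suffix.
$users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                      -Properties UserPrincipalName, SamAccountName)

$changed = 0
foreach ($user in $users) {
    $prefix = $user.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$NewSuffix"

    # Azure AD rejects duplicate UPNs (IdFix flags them), so refuse to create
    # one on-premises rather than discover the clash at sync time.
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
    if ($clash -and $clash.DistinguishedName -ne $user.DistinguishedName) {
        Write-Warning "Skipping $($user.SamAccountName): $newUpn is already in use"
        continue
    }

    # ShouldProcess makes -WhatIf and -Confirm work for the whole script.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
        $changed++
    }
}

Write-Output "Updated $changed of $($users.Count) accounts with suffix $OldSuffix"
```

Run it with -WhatIf first to list the accounts that would change, then without to apply.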
Password synchronization
Hashes of on-premises Active Directory user passwords synchronize to Azure AD, and changed passwords immediately synchronize to Azure AD. Actual passwords are never sent to Azure AD and are not stored in Azure AD. This allows for single sign-on for users of computers that are joined to an Active Directory domain that synchronizes to Azure AD. Password synchronization also allows you to enable password write-back for self-service password reset functionality through Azure AD.
Pass-through authentication
When authenticating to Azure AD, the user’s password is validated against an on-premises Active Directory domain controller. Passwords and password hashes are not present in Azure AD. Pass-through authentication allows for on-premises password policies to apply. Pass-through authentication requires that Azure AD Connect have an agent on a computer joined to the domain that hosts the Active Directory instance that contains the relevant user accounts. Pass-through authentication also allows single sign-on for users of domain joined machines.
Active Directory Federation
This allows users to authenticate to Azure AD resources using on-premises credentials. It also requires the deployment of an Active Directory Federation Services infrastructure. This is the most complicated identity synchronization configuration for Microsoft 365 and is only likely to be implemented in environments with complicated identity configurations.
To learn more about sign-in options, consult the following article: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-user-signin.
Exam Tip
Remember the difference between password synchronization and pass-through authentication.
You can use the Set-ADSyncScheduler cmdlet to configure the following settings that are displayed when you run the Get-ADSyncScheduler cmdlet:
SyncCycleEnabled
MaintenanceEnabled
Forcing synchronization
By default, synchronization occurs between the on-premises directory and Azure every 30 minutes. In some cases you’ll make a change to a user account or create a collection of user accounts and want to get those changes or new accounts up into the Azure Active Directory instance that supports the Office 365 tenancy as fast as possible. You can force synchronization by running the Azure AD Connect wizard again, or you can use the Synchronization Service Manager.
Figure 2-27 Synchronization Service Manager
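An added example (not the book's code) that ties the Set-ADSyncScheduler settings listed earlier to the forced-synchronization procedure above: it reads the scheduler, sets the two listed settings, and starts a delta cycle from PowerShell instead of the Synchronization Service Manager. It assumes it is run on the Azure AD Connect server, where the ADSync module is installed.

```powershell
# Added example (not the book's code): inspect and configure the Azure AD
# Connect scheduler, then force a delta synchronization on demand.
# Assumes this runs on the Azure AD Connect server (ADSync module present).
Import-Module ADSync

# Get-ADSyncScheduler exposes SyncCycleEnabled and MaintenanceEnabled along
# with the effective interval (30 minutes by default) and whether a cycle is running.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, MaintenanceEnabled,
    CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# Configure the two settings the text lists. Keep the cycle enabled: with it
# disabled, on-premises changes (password changes included) stop flowing to Azure AD.
Set-ADSyncScheduler -SyncCycleEnabled $true
Set-ADSyncScheduler -MaintenanceEnabled $true

# Force synchronization rather than waiting for the next scheduled cycle.
# Delta replicates only changes; Initial reprocesses the whole directory and
# should be reserved for configuration changes, not routine "hurry up" syncs.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
    # Poll until the forced cycle completes before checking the results in Azure AD.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
    Write-Output 'Delta sync cycle finished.'
}
```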
You can also use the Synchronization Service Manager to configure extensive filtering options, though for tasks such as configuring OU based filtering, Microsoft recommends that you first attempt configuring filtering using the Azure AD Connect setup wizard and only rely on a tool such as Synchronization Service Manager if problems arise.
With Azure AD Connect, you can choose to filter based on the following options as shown in Figure 2-29:
You can also configure filtering on the basis of group membership, as shown in Figure 2-30. You can configure separate group-based filters for each forest or domain synchronized using Azure AD Connect.
You can learn more about the Synchronization Rules Editor at: https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-change-the-configuration.
valid for an on-premises user will be valid within Microsoft 365, even if it would not be normally.
Password expiration works in the following way: the password of the account of the cloud user object is set to never expire. Each time the user account password is changed in the on-premises Active Directory instance, this change replicates to the Azure Active Directory instance that supports the Microsoft 365 tenancy. This means that it is possible for a user account’s password to expire on the on-premises Active Directory instance, but that user can still use the same password to sign on to Microsoft 365. The next time they sign on to the on-premises environment, they are forced to change their password and that change replicates up to the Azure Active Directory instance that supports the Microsoft 365 tenancy.
Each user has a single mailbox, and the forest that hosts that mailbox is the best source of attributes visible in the Exchange Global Address List (GAL). In the event that a user doesn’t have an associated mailbox, any configured forest can function as the source for the attribute values.
Exam Tip
Remember what tools you can use to trigger synchronization.
Manage groups
Manage passwords
Manage users
When planning the use of Azure identities, you’ll need to consider the following questions:
Figure 2-34 Azure Active Directory Admin Center
You can learn more about configuring self-service password reset at:
https://docs.microsoft.com/office365/admin/add-users/let-users-
reset-passwords.
Manage groups
Groups allow you to collect users together and then assign them privileges and access to workloads or services. Rather than assign privileges and access to workloads or services directly to users, you can assign these rights to a group and then indirectly assign them to users by adding the user accounts to the appropriate group. Using groups in this way is a long standing administrative practice, because it allows you to determine a user’s level of access and rights by looking at the user’s group memberships, rather than checking each workload and service to determine if the user account has been assigned rights to that service.
You can use the Azure AD administrative console to manage groups. Azure AD supports two group types: Office 365 groups and Security groups. Figure 2-39 shows the selection of group type when creating the group. Office 365 groups are used for collaboration between users. These users can be inside or external to the organization. Each Office 365 group has an associated email address, shared workspace for conversations, shared location for files, calendar events, and a planner. Security groups are used to grant access to specific Microsoft 365 resources, such as SharePoint sites. Security groups can contain user accounts as well as device accounts. Device related groups are most often used with services such as Intune.
Modifications made to on-premises user and group objects will only be present within the Azure Active Directory instance that supports the Microsoft 365 tenancy after synchronization has occurred. By default, synchronization occurs every 30 minutes. You can force synchronization to occur using the Synchronization Service Manager tool or by using Microsoft PowerShell.
You can use the following PowerShell commands from the AzureAD module to manage Azure AD groups:
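An added example (not the book's code) of managing a security group with the AzureAD module cmdlets, written so that it can be rerun safely. It assumes Connect-AzureAD has already been run by an account allowed to manage groups; the group name and the member UPNs are constructed values.

```powershell
# Added example (not the book's code): create or reuse an Azure AD security
# group, reconcile its members, and review the result with the AzureAD module.
# Assumes Connect-AzureAD has been run. Names and UPNs below are constructed.
Import-Module AzureAD

$groupName = 'Accounting-SharePoint-Readers'   # constructed example name

# Reuse an existing group rather than creating a second one with the same name.
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) {
    # SecurityEnabled true / MailEnabled false = a security group (used for
    # access grants), not an Office 365 group (used for collaboration).
    $group = New-AzureADGroup -DisplayName $groupName `
                              -Description 'Read access to the accounting SharePoint site' `
                              -SecurityEnabled $true -MailEnabled $false `
                              -MailNickName 'AccountingSharePointReaders'
}

# Desired membership, by UPN (constructed values).
$desired = @('ann@epistemicus.onmicrosoft.com', 'bob@epistemicus.onmicrosoft.com')

$current = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)
$currentUpns = $current | ForEach-Object { $_.UserPrincipalName }

# Add anyone missing; skip existing members so the script is idempotent.
foreach ($upn in $desired) {
    if ($currentUpns -contains $upn) { continue }
    $user = Get-AzureADUser -ObjectId $upn
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# Remove anyone who is in the group but no longer on the desired list, so a
# leaver does not keep access to the SharePoint site through stale membership.
foreach ($member in $current) {
    if ($member.UserPrincipalName -and $desired -notcontains $member.UserPrincipalName) {
        Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $member.ObjectId
    }
}

# Review the final membership.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName
```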
Manage passwords
The only thing that people forget more often than where they have put their keys is what their password is. As someone who is supporting Microsoft 365, it’s more likely than not that if you haven’t enabled self service password reset, or even if you have, you’re going to have to reset user passwords on a semi-regular basis.
1. In the Microsoft 365 Admin Center, select the user whose password you want to reset in the list of Active users by selecting the check box next to the user’s name.
You can reset a user’s password through PowerShell using the Set-MsolUserPassword cmdlet using the syntax:
1. In the Microsoft 365 Admin Center, select Security & Privacy under Settings, as shown in Figure 2-43.
Figure 2-43 Security and privacy
You can learn more about resetting Microsoft 365 user passwords
at: https://docs.microsoft.com/office365/admin/add-users/reset-
passwords.
1. In the Microsoft 365 console, select the Active Users node under Users as shown in Figure 2-45.
Figure 2-47 Product licenses page
Get-MsolUser -UnlicensedUsersOnly
$Sku=Get-MsolAccountSku
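An added example (not the book's code) covering both the Set-MsolUserPassword reset referred to under Manage passwords and the two licensing commands just shown, wired together with the MSOnline module. It assumes Connect-MsolService has been run by a user administrator; the UPN, usage location and the ENTERPRISEPACK SKU fragment are assumed values for the example.

```powershell
# Added example (not the book's code): reset a user's password with a forced
# change at next sign-in, then license every unlicensed user from a chosen SKU.
# Assumes Connect-MsolService has been run. UPN, SKU and location are assumed.
Import-Module MSOnline

# --- Manage passwords -------------------------------------------------------
function Reset-TenantUserPassword {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Read the new password without echoing it to the console or the transcript.
    $secure = Read-Host -Prompt "New password for $UserPrincipalName" -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    # ForceChangePassword means the administrator never holds the user's
    # long-term password; the user replaces it at first sign-in.
    Set-MsolUserPassword -UserPrincipalName $UserPrincipalName `
                         -NewPassword $plain -ForceChangePassword $true
}

# --- Manage licenses ---------------------------------------------------------
function Grant-LicenseToUnlicensedUsers {
    param([string]$SkuFilter = 'ENTERPRISEPACK',   # matches tenant:ENTERPRISEPACK
          [string]$UsageLocation = 'US')
    # Get-MsolAccountSku lists AccountSkuId plus ActiveUnits/ConsumedUnits.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*:$SkuFilter" }
    if (-not $sku) { throw "No SKU matching $SkuFilter in this tenant" }

    $free = $sku.ActiveUnits - $sku.ConsumedUnits
    foreach ($user in Get-MsolUser -UnlicensedUsersOnly -All) {
        if ($free -le 0) { Write-Warning "No $($sku.AccountSkuId) seats left"; break }
        # A usage location is mandatory before a license can be assigned.
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation $UsageLocation
        }
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName `
                            -AddLicenses $sku.AccountSkuId
        $free--
    }
}

Reset-TenantUserPassword -UserPrincipalName 'ann@epistemicus.onmicrosoft.com'
Grant-LicenseToUnlicensedUsers
```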
Manage users
You can use the Microsoft 365 Admin Center, the Azure AD Admin Center, or Azure PowerShell to manage Azure AD user accounts. The Azure AD Admin Center gives you a greater set of options for managing the properties of user accounts than the Microsoft 365 Admin Center, because you can edit extended user properties as shown in Figure 2-48.
1. In the Azure AD console, select Users – All Users and then click New User.
Update profile information
Manage licenses
Exam Tip
Role                            Description
Application Developer           Can create application registrations.
Privileged Role Administrator   Can manage all aspects of Azure AD Privileged Identity Management. Can manage role assignments in Azure AD.
SharePoint Administrator        Has global administrator permissions for SharePoint Online workloads.
Delegate admin rights
To view which users are assigned a specific role, perform the following steps:
Get-AzureADDirectoryRole    View a list of Azure AD directory roles.
You can use the following Azure PowerShell cmdlets to manage role membership:
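An added example (not the book's code) of reviewing and changing directory role membership with the AzureAD cmdlets, starting from Get-AzureADDirectoryRole as listed above and written so that least privilege is checked rather than assumed. It assumes Connect-AzureAD has been run by a privileged role administrator; the UPNs, the SharePoint Administrator assignment and the member threshold are constructed values.

```powershell
# Added example (not the book's code): report who holds each Azure AD directory
# role, then add and remove a member of a scoped role.
# Assumes Connect-AzureAD has been run. UPNs and threshold are constructed.
Import-Module AzureAD

# One row per activated role, flagging roles with more holders than a
# least-privilege review would expect (threshold is a constructed value).
function Get-RoleMembershipReport {
    param([int]$WarnAbove = 3)
    foreach ($role in Get-AzureADDirectoryRole) {
        $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
        [pscustomobject]@{
            Role        = $role.DisplayName
            MemberCount = $members.Count
            # Service principals have no UPN, so fall back to DisplayName.
            Members     = ($members | ForEach-Object {
                              if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
                          }) -join ';'
            Review      = $members.Count -gt $WarnAbove
        }
    }
}

# Get-AzureADDirectoryRole only lists roles that have been activated in the
# tenant; activate from the role template when the role has never been used.
function Get-OrEnableDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $DisplayName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    $role
}

# Grant the workload-scoped SharePoint Administrator role rather than a
# tenant-wide role, matching the duty being delegated.
$role = Get-OrEnableDirectoryRole -DisplayName 'SharePoint Administrator'
$user = Get-AzureADUser -ObjectId 'ann@epistemicus.onmicrosoft.com'
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# Remove the role from a user whose duty has ended.
$former = Get-AzureADUser -ObjectId 'bob@epistemicus.onmicrosoft.com'
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $former.ObjectId

# Show only the roles that need a closer look.
Get-RoleMembershipReport | Where-Object Review | Format-Table -AutoSize
```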
You can learn more about viewing and assigning administrator roles
at: https://docs.microsoft.com/azure/active-directory/users-groups-
roles/directory-manage-roles-portal.
You can learn more about security and compliance roles at:
https://docs.microsoft.com/office365/securitycompliance/permissions-
in-the-security-and-compliance-center.
Exam Tip
Chapter summary
The health of Azure AD Connect can be monitored through the Azure Active Directory Admin Center console.
Synchronization can be forced using the Synchronization Service Manager or through PowerShell.
You can delegate administrative privileges by assigning roles. You should follow the principle of least privilege and only assign users the minimum necessary administrative permissions required to perform their duties.