Azure AD Security Groups

1) These are the cloud counterpart of security groups in an on-premises Active Directory implementation.
2) You can create and manage the groups in Azure AD and in Microsoft 365.
3) You can assign licenses to security groups (group-based licensing).
4) Groups created here are cloud-only. A security group synchronized from on-premises AD is managed on-premises, not in Azure AD.
Microsoft 365 Groups

1) A Microsoft 365 Group is a membership object in Microsoft 365; it also provisions a shared mailbox, calendar and SharePoint site (and optionally a Team) for its members.
2) You can create and manage the groups in Azure AD and in Microsoft 365.
3) You can assign licenses to Microsoft 365 Groups, but not from the Microsoft 365 admin center; use the Azure portal (or the Microsoft Graph API).
4) These are cloud-only; they are never synchronized from on-premises AD.
Group Licensing

1) Group license: when you assign a license to a group, make sure a license is available for each user in the group. Members beyond the available count are placed in an error state (CountViolation) until more licenses are bought or users are removed.
2) Applying licenses: group-based licensing is configured in the Azure portal (or via Microsoft Graph), not in the Microsoft 365 admin center.
3) Multiple licenses: a user can be a member of several groups that are assigned licenses. The same SKU inherited from two groups consumes one license; conflicting service plans (for example two Exchange Online plans) produce a MutuallyExclusiveViolation error instead.
Other Microsoft 365 group types

1) Distribution lists hold users and contacts so that a single address can send email messages to a number of recipients. They carry no permissions.
2) Mail-enabled security groups can distribute messages like a distribution list and can also be used to grant access permissions to resources in Exchange, Active Directory and SharePoint.
Azure AD Connect Health

Connect Health: monitors your on-premises identity infrastructure (AD DS, AD FS and Azure AD Connect sync) from the Azure portal so you can keep it reliable.
Monitor AD FS: it also has support to monitor Active Directory Federation Services.
Security: for AD FS you get security reports such as extranet lockout trends and failed sign-in (bad password) reports.
Metrics: you get metrics on top application usage, network locations and TCP connections.
Installation aspects

License: you need an Azure AD Premium P1 or P2 license.
AD FS: to monitor an Active Directory Federation Services infrastructure, install the Connect Health agent on each AD FS server (and on each Web Application Proxy server).
AD DS: to monitor an Active Directory Domain Services infrastructure, install the agent on each domain controller.
Privilege: the user performing the installation and configuration must have the Global Administrator role.
Outbound connectivity: the agent needs connectivity to the Azure AD Connect Health service endpoints.
Firewall ports: TCP port 443 must be open outbound for that connectivity.
One-time passcode authentication

Email one-time passcode is used for guest (B2B) users who cannot be authenticated via Azure AD, a Microsoft account or a social identity provider.
Such users receive a passcode at their email address and must enter it to continue the sign-in process.
The passcode is valid for 30 minutes.
Quick Review: Roles

Azure role-based access control: Azure RBAC roles grant access to Azure resources (subscriptions, resource groups and the resources in them). Examples of such roles are
1) Owner
2) Contributor
3) Reader

Azure Active Directory roles: these grant specific permissions inside Azure AD and are separate from Azure RBAC. Examples are
1) User Administrator
2) Groups Administrator
3) Application Administrator

The two role systems do not overlap: an Azure Owner has no rights in the directory, and an Azure AD Global Administrator has no rights on Azure resources unless they explicitly elevate to User Access Administrator at the root scope.
Azure AD Custom Domains

1) Add the custom domain name in Azure AD.
2) Add the DNS information (the TXT or MX verification record Azure AD shows you) at your domain registrar.
3) Verify the custom domain name in Azure AD.
4) Make the domain the primary domain so it is used by default for new users.
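The four steps above end to end with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original deck; the domain name is an assumption, and the registrar step is manual, so the script prints the record to create and waits until you have published it.

```powershell
# Added example (not from the deck): add, verify and promote a custom domain.
# Assumptions: the domain name below, and that you hold the Domain.ReadWrite.All scope.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
$domainName = "contoso.example"     # assumed custom domain

# 1) Add the domain to Azure AD (it starts in the unverified state).
$domain = Get-MgDomain -DomainId $domainName -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-MgDomain -BodyParameter @{ id = $domainName } }

# 2) Fetch the verification record Azure AD expects and create it at your registrar.
$records = Get-MgDomainVerificationDnsRecord -DomainId $domainName
foreach ($r in $records) {
    if ($r.RecordType -eq 'Txt') {
        Write-Host "Create TXT record: name=$($r.Label) value=$($r.AdditionalProperties.text) ttl=$($r.Ttl)"
    }
}
Read-Host "Press Enter once the DNS record is published"

# 3) Verify. Confirm-MgDomain throws until the record is visible, so retry with a delay.
$verified = $false
for ($attempt = 1; $attempt -le 6 -and -not $verified; $attempt++) {
    try {
        Confirm-MgDomain -DomainId $domainName -ErrorAction Stop
        $verified = (Get-MgDomain -DomainId $domainName).IsVerified
    } catch {
        Write-Host "Attempt ${attempt}: not verified yet ($($_.Exception.Message)); waiting 60s"
        Start-Sleep -Seconds 60
    }
}
if (-not $verified) { throw "Domain $domainName could not be verified" }

# 4) Make it the default (primary) domain so new users get it as their UPN suffix.
Update-MgDomain -DomainId $domainName -IsDefault:$true
Get-MgDomain -DomainId $domainName | Select-Object Id, IsVerified, IsDefault
```

Keep the verification TXT record in place after the domain is verified: removing it does not un-verify the domain, but some services re-check it.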
Assigning licenses to users

To assign a license to a user, the user must have a Usage Location defined; the assignment fails otherwise, because some services are not licensed in every country.

Assigning licenses to groups

You can assign licenses to Azure AD groups. Members inherit the licenses assigned to the group, and lose them when they leave the group.

Assigning users to dynamic groups

You cannot add users directly to a group that has dynamic membership; the membership is computed from the rule. You can, however, assign a license to a dynamic group, which is a common way to license users by department or country attribute.
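A safe way to apply the licensing rules above (usage location set, one license available per member, errors surfaced afterwards), written as an added example for this deck with the Microsoft Graph PowerShell SDK; the group name, SKU part number and default usage location are assumptions.

```powershell
# Added example (not from the deck): assign a SKU to a group, checking availability and
# usage location first, then report members whose inherited assignment failed.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.ReadWrite.All","Organization.Read.All"

$groupName            = "Sales-Licensing"   # assumed group
$skuPartNumber        = "ENTERPRISEPACK"    # assumed SKU (Office 365 E3)
$defaultUsageLocation = "US"                # assumed ISO 3166-1 alpha-2 code

$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Top 1
$sku   = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $group -or -not $sku) { throw "Group or SKU not found" }

# The deck's rule: there must be a license for every (transitive) user member of the group.
$members = @(Get-MgGroupTransitiveMember -GroupId $group.Id -All |
             Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' })
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "Members: $($members.Count)  available $skuPartNumber units: $available"
if ($members.Count -gt $available) {
    Write-Warning "Not enough licenses; members beyond the available count will end in CountViolation."
}

# Assignment fails for any user without a usage location, so set one where it is missing.
foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,UsageLocation
    if (-not $u.UsageLocation) {
        Write-Host "Setting usage location on $($u.UserPrincipalName)"
        Update-MgUser -UserId $u.Id -UsageLocation $defaultUsageLocation
    }
}

# Assign the SKU to the group; members inherit it. Direct per-user assignments are untouched.
Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Processing is asynchronous; once it has run, list members whose group assignment errored.
foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName,LicenseAssignmentStates
    $u.LicenseAssignmentStates |
        Where-Object { $_.AssignedByGroup -eq $group.Id -and $_.Error -and $_.Error -ne 'None' } |
        ForEach-Object { Write-Warning "$($u.UserPrincipalName): $($_.Error)" }
}
```

The error values you will see in LicenseAssignmentStates are CountViolation (not enough licenses), MutuallyExclusiveViolation (conflicting service plans from another group or a direct assignment) and ProhibitedInUsageLocationViolation (the SKU is not sold in the user's usage location).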
Adding to groups

You cannot add a user to a mail-enabled security group unless the user has been assigned an appropriate Microsoft 365 license: the group is mastered in Exchange Online, so its members must be Exchange recipients.
You can add a user to a Microsoft 365 group.
You cannot add a Microsoft 365 Group as a member of an Azure AD security group; Microsoft 365 Groups cannot be nested in other groups.
External users

Azure AD External Identities are billed monthly on monthly active users. To enable this billing, link your Azure AD tenant to an Azure subscription.
Security Defaults

Security Defaults is a set of basic identity protections that Microsoft turns on by default for new tenants (those created since October 2019).
Administrators: administrator accounts must register for and perform Multi-Factor Authentication.
All users: all users must register for Multi-Factor Authentication within 14 days of their first sign-in and are prompted for it when needed.
Actions: privileged actions, such as using the Azure portal, Azure CLI or Azure PowerShell, require Multi-Factor Authentication for every user.
Legacy authentication: older clients such as Office 2010 that use older mail protocols (POP, IMAP, SMTP AUTH, basic-auth Exchange ActiveSync) are blocked.
Security Defaults: you can enable and disable this setting at any time under Azure AD > Properties. It cannot be enabled while any Conditional Access policy is enabled; the two are mutually exclusive, and tenants with Azure AD Premium normally replace Security Defaults with equivalent Conditional Access policies.
Protection: it only protects the way the Azure AD account is accessed; it does not protect the resources behind it.
Microsoft Authenticator

1) Security: provides an additional level of security as a second factor.
2) Availability: available for both Android and iOS.
3) Passwordless: users can sign in without a password by approving the sign-in in the app.

1) Verification: an additional verification option in MFA and SSPR.
2) Notification: users get a push notification to approve or deny. Approve-or-deny prompts are the target of MFA fatigue attacks, so number matching (the user types the number shown on the sign-in screen) is now enforced for push notifications.
3) OATH: the app can also generate a time-based OATH verification code that works offline.
Self-Service Password Reset

This feature lets users reset their own password without contacting the IT help desk.

License: Azure AD Free allows only a password change for signed-in cloud users; self-service reset needs a Microsoft 365 or Azure AD Premium license, and writeback to on-premises AD requires Azure AD Premium P1 or P2.
Number of methods: define how many authentication methods (one or two) are required to reset the password.
Password writeback: in a hybrid environment, passwords changed in the cloud can be written back to the on-premises Active Directory through Azure AD Connect.
Number of days: the number of days (0 to 730) before users must reconfirm their authentication information.
Authentication methods: define which methods (mobile app notification or code, email, mobile or office phone, security questions) can be used to reset the password. Security questions are the weakest option and are not available to administrator accounts.
Notification: notify users when their password is reset, and optionally notify all administrators when another administrator resets a password.
Azure AD Multi-Factor Authentication settings

Account lockout: locks an account after a number of failed Multi-Factor Authentication attempts. It only applies when the user authenticates by entering a PIN (MFA Server scenarios), not to push approvals in the cloud service.
Block/unblock users: use this if a user's device has been lost or stolen and you need every Multi-Factor Authentication attempt from that user to be denied. A blocked user stays blocked for 90 days unless an administrator unblocks them earlier.
Fraud alert: users can report fraud themselves. If they believe Multi-Factor Authentication is being triggered for their account without their knowledge, they report the prompt as fraudulent; you can configure the service to block the user automatically when fraud is reported.
Azure AD Password Protection

Bad passwords: this service detects and blocks weak passwords.
Password change: whenever a user changes or resets their password, the new password is compared against the banned password lists after normalizing case and common character substitutions, so "P@ssw0rd" is caught by the term "password". Existing passwords are not checked until they are changed.
Global list: the service has a default global banned password list, maintained by Microsoft and applied to all users. You cannot delete or change the global list.
Custom list: you can also define your own custom banned password list (up to 1000 terms of 4 to 16 characters, typically company, product and location names).
License: Azure AD Premium P1 or P2 is required for the custom banned password list and for extending the check to on-premises Active Directory domain controllers.
Quick Review: Multi-Factor Authentication

Per-user MFA: each user has one of three states.
1) Disabled: MFA is not required.
2) Enabled: the user is enrolled and asked to register at the next sign-in; legacy clients keep working until the state becomes Enforced.
3) Enforced: registration is complete and MFA is required; legacy clients fail unless they use an app password.

Per-user MFA settings:
You can skip MFA for a set of trusted IP addresses (for example the corporate network).
You can set the different verification methods available to the user.
Per-user MFA is the legacy model; Microsoft recommends requiring MFA through Conditional Access instead, which also lets you scope the requirement by application, location and risk.
Quick Review: Conditional Access

A Conditional Access policy is built from assignments (who and what it applies to) and controls (what must be true for access to be granted).
You can select the users or groups the policy should apply to, and exclude break-glass accounts so a bad policy cannot lock every administrator out.
You can decide which applications the policy needs to apply to.
If you do not want clients that use legacy protocols, set the client apps condition to Exchange ActiveSync clients and Other clients and choose Block access.
If you want the policy to apply to high-risk locations, define named locations (countries or IP ranges) and use the Locations condition.
Conditional Access App Control (a Defender for Cloud Apps session control) can block downloads from cloud apps inside the session.
Deploy every new policy in report-only mode first and check its effect in the sign-in log before enforcing it.
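The Security Defaults check and the Conditional Access cases listed above (scoped users and apps, blocking legacy authentication, a risky named location, blocking downloads) built with the Microsoft Graph PowerShell SDK. This is an added example rather than the deck's own material; the group names and the country code are assumptions, and all policies are created in report-only mode.

```powershell
# Added example (not from the deck): Security Defaults status, then three Conditional Access
# policies. Assumptions: groups "BreakGlass-Accounts" and "Contractors", country "KP".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# Security Defaults and Conditional Access are mutually exclusive: turn the defaults off
# only after equivalent Conditional Access policies are in place and enforced.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($defaults.IsEnabled)"

# Break-glass accounts are excluded from every policy.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'" -Top 1   # assumed group
if (-not $breakGlass) { throw "Create the break-glass group before deploying policies" }

# Policy 1: block legacy authentication for all users and all apps.
$blockLegacy = @{
    displayName = "CA01 Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: a named location for countries you never expect, and a policy that blocks it.
$riskyCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked countries"
    countriesAndRegions               = @("KP")      # assumed list
    includeUnknownCountriesAndRegions = $true
}
$blockLocation = @{
    displayName = "CA02 Block sign-ins from blocked countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @($riskyCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLocation

# Policy 3: for one group, route Office 365 through Defender for Cloud Apps and block downloads.
$contractors = Get-MgGroup -Filter "displayName eq 'Contractors'" -Top 1   # assumed group
$blockDownloads = @{
    displayName = "CA03 Contractors: block downloads"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($contractors.Id); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockDownloads
```

Leave the policies in enabledForReportingButNotEnforced for a week, review the Conditional Access tab of the sign-in log for the users and clients that would have been blocked, then switch state to "enabled".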
Quick Review: Passwordless authentication methods

Windows Hello for Business: ideal when users have dedicated computers. The system must support Windows Hello for Business (a TPM is recommended), and the credential is bound to that device.
FIDO2 security keys: ideal when users do not have mobile devices to run the Microsoft Authenticator app, or for shared workstations. The credential is bound to the site origin, which makes it phishing-resistant.
Azure AD application roles

Application Administrator

This role allows one to manage all aspects of enterprise applications, application registrations and Application Proxy settings.
The user also has the ability to grant consent for delegated permissions and application permissions, except application permissions for Microsoft Graph and Azure AD Graph.
The user is NOT added as an owner when creating a new application.

Cloud Application Administrator

This role allows one to manage all aspects of enterprise applications and application registrations, BUT NOT Application Proxy settings.
The user also has the ability to grant consent for delegated permissions and application permissions, with the same Microsoft Graph exception.
The user is NOT added as an owner when creating a new application.

Application Developer

Users with this role can create application registrations even if the "Users can register applications" setting is set to No.
The role also allows consenting on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No.
The user IS assigned as the owner of any application they create.

Both administrator roles can add credentials (secrets or certificates) to any application and then sign in as that application's service principal, inheriting whatever permissions it has been granted. Treat them as highly privileged and assign them through Privileged Identity Management rather than permanently.
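An inventory of who holds the three roles above and which application registrations carry owners and credentials, which is the check that turns the role descriptions into a posture review. Added example, not from the deck; it uses only the built-in role names and assumes nothing else.

```powershell
# Added example (not from the deck): list holders of the application roles and summarize
# app registrations with owners and credentials. Requires read-only Graph scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Application.Read.All","User.Read.All"

$roleNames = @("Application Administrator", "Cloud Application Administrator", "Application Developer")

# Get-MgDirectoryRole only returns roles that have been activated in the tenant; a role that
# was never assigned is absent. PIM-eligible (not yet activated) holders do not show here.
foreach ($name in $roleNames) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { Write-Host "${name}: no active assignments"; continue }
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    Write-Host "${name} ($($members.Count) holders):"
    foreach ($m in $members) {
        $label = $m.AdditionalProperties.userPrincipalName
        if (-not $label) {   # groups and service principals have no UPN
            $label = "$($m.AdditionalProperties.displayName) [$($m.AdditionalProperties.'@odata.type')]"
        }
        Write-Host "  $label"
    }
}

# Ownership is what an Application Developer keeps; owners can add credentials to their apps.
function Get-AppCredentialReport {
    Get-MgApplication -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials |
        ForEach-Object {
            $app    = $_
            $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
            $expiry = @($app.PasswordCredentials.EndDateTime) + @($app.KeyCredentials.EndDateTime) |
                      Where-Object { $_ } | Sort-Object | Select-Object -First 1
            [pscustomobject]@{
                App        = $app.DisplayName
                AppId      = $app.AppId
                Owners     = (($owners | ForEach-Object { $_.AdditionalProperties.userPrincipalName }) -join ';')
                Secrets    = @($app.PasswordCredentials).Count
                Certs      = @($app.KeyCredentials).Count
                NextExpiry = $expiry
            }
        }
}

Get-AppCredentialReport |
    Where-Object { $_.Owners -or $_.Secrets -gt 0 -or $_.Certs -gt 0 } |
    Sort-Object NextExpiry |
    Format-Table -AutoSize
```

Apps with credentials but no owner, and owners who are not on the role lists, are the first findings to follow up: the former have nobody accountable for rotation, the latter are a consent-and-credential path outside the administrator roles.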
Privileged Identity Management

1) Control: control and manage access to key resources.
2) Scope: control access to resources in Azure AD (directory roles), Azure (RBAC roles) and Microsoft 365.
3) Requirement: ensure that a user only gets privileged access when it is required.

Just-in-time: eligible users activate privileged access only when they need it, instead of holding it permanently.
Time-bound: you can set start and end dates for an eligibility, and a maximum duration for each activation.
Multi-Factor Authentication: require a stronger level of authentication to activate a role.
Approval: you can require that activation of a role is approved by designated approvers.
Every activation is recorded in the PIM audit history together with the justification given.

License: you need Azure AD Premium P2 licenses.
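The three activation rules above (MFA on activation, a time limit, approval) configured for one directory role, followed by a just-in-time activation by an eligible user, using the Microsoft Graph PowerShell SDK. Added example, not from the deck; the role name, approver group, durations and justification text are assumptions.

```powershell
# Added example (not from the deck): PIM rules for one role plus a self-activation request.
# Assumptions: role "Security Administrator", approver group "PIM-Approvers", 4h/2h durations.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory","RoleAssignmentSchedule.ReadWrite.Directory","Directory.Read.All"

$roleName  = "Security Administrator"                                         # assumed role
$approvers = Get-MgGroup -Filter "displayName eq 'PIM-Approvers'" -Top 1      # assumed group
$role      = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Find the PIM policy bound to this role at tenant scope ("/").
$binding  = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $binding.PolicyId
$target   = @{ caller = "EndUser"; operations = @("All"); level = "Assignment" }   # = activation

# Rule 1 (Multi-Factor Authentication card): activation requires MFA and a justification.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
        target        = $target
    }

# Rule 2 (Time-bound card): an activation lasts at most 4 hours.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT4H"
        target               = $target
    }

# Rule 3 (Approval card): activation needs one approver from the group, within a day.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        target        = $target
        setting       = @{
            isApprovalRequired = $true
            approvalStages     = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $approvers.Id })
            })
        }
    }

# Just-in-time activation, run in the session of an eligible user (Just-in-time card).
$user = Get-MgUser -UserId (Get-MgContext).Account
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "INC0001: investigate sign-in alerts"     # assumed justification
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
```

The request returns with status PendingApproval until an approver acts; the role appears in the user's token only after approval, and the two-hour activation cannot exceed the four-hour maximum set by the expiration rule.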
Access Reviews

1) Group review: check whether a user still needs access to a group.
2) Application review: check whether a user still needs access to an application.
3) Review frequency: set up the review to recur (weekly, monthly, quarterly, semi-annually or annually) instead of running it once.

Licenses required: Azure AD Premium P2, for
1) members or guests who are assigned as reviewers
2) members or guests who perform a self-review
3) members or guests who, as group owners, perform an access review
4) members or guests who, as application owners, perform an access review
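A recurring group access review as described above, performed by the group's owners every quarter, with unanswered reviews defaulting to removal. Added example, not from the deck, built with the Microsoft Graph PowerShell SDK; the group name, the fallback reviewer and the schedule values are assumptions.

```powershell
# Added example (not from the deck): quarterly access review of a group, reviewed by its owners.
# Assumptions: group "Finance-Admins", fallback reviewer iam-admin@contoso.example.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All","Group.Read.All","User.Read.All"

$group    = Get-MgGroup -Filter "displayName eq 'Finance-Admins'" -Top 1                     # assumed
$fallback = Get-MgUser -Filter "userPrincipalName eq 'iam-admin@contoso.example'" -Top 1     # assumed
if (-not $group -or -not $fallback) { throw "Group or fallback reviewer not found" }

$definition = @{
    displayName             = "Quarterly review: $($group.DisplayName)"
    descriptionForAdmins    = "Confirm members still need this group"
    descriptionForReviewers = "Approve only members who still need access; deny everyone else"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Group owners review (needs P2 for those owners); fallback if the group has no owners.
    reviewers         = @(@{ query = "/groups/$($group.Id)/owners"; queryType = "MicrosoftGraph" })
    fallbackReviewers = @(@{ query = "/users/$($fallback.Id)";      queryType = "MicrosoftGraph" })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"     # not reviewed = removed
        autoApplyDecisionsEnabled       = $true      # apply removals without a manual step
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
Write-Host "Created review $($review.Id) (status $($review.Status))"

# Each recurrence becomes an instance; list them and their state.
Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $review.Id |
    Select-Object Id, StartDateTime, EndDateTime, Status
```

With defaultDecision set to Deny and auto-apply on, a reviewer who ignores the review removes every member; pair that with reminder notifications and a fallback reviewer, or switch defaultDecision to Recommendation for a gentler first run.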
Catalogs

A catalog is a container of resources and access packages.
Use a catalog when you want to group related resources and access packages, and to delegate their management to catalog owners.
The user who creates the catalog becomes the catalog owner.

Connected organizations

A connected organization lets you connect an external organization (another Azure AD tenant or an email domain).
With entitlement management you can then collaborate with users outside your organization: they request an access package, and a guest account is created for them when the request is approved.
Entitlement management

Entitlement management helps you manage access to groups, applications and SharePoint Online sites efficiently.
Access can be granted to both internal and external users.

Access package

An access package is a bundle of all the resources a user needs access to:
1) membership of an Azure AD security group
2) membership of SharePoint Online sites
3) assignment to Azure AD enterprise applications
4) membership of Microsoft 365 Groups and Teams

License requirement: Azure AD Premium P2 licenses are required for
1) members who request an access package
2) members who have a direct assignment to an access package
3) members who review assignments for an access package
4) members who approve requests for an access package

No license is required for
1) the Global Administrator who sets up access packages
2) users who have been delegated administrative tasks
3) guest users who can request access but choose not to
Audit and sign-in logs

1) Management activities: the audit log records user, group and application management activities.
2) License: the audit log is available in all editions of Azure AD. Sign-in logs can be viewed in the portal in all editions, but reading them through the Microsoft Graph API requires Azure AD Premium P1 or P2.
3) Properties: you get to see all properties of each activity and sign-in entry (for a sign-in: user, application, client app used, IP address, location, device state, Conditional Access result and status).

Who can access the sign-in logs

1) Global Administrator
2) Security Administrator and Security Reader
3) Reports Reader
4) Global Reader

How long are the logs kept

Azure AD Free retains sign-in and audit logs for 7 days; Azure AD Premium P1 and P2 retain them for 30 days. Stream them to a Log Analytics workspace, a storage account or a SIEM if you need longer retention:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention
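Pulling the sign-in log through Microsoft Graph and answering the two questions the deck's security controls depend on: which accounts are failing authentication, and which users still sign in with legacy protocols (the evidence to collect before a block-legacy-authentication policy is enforced). Added example, not from the deck; it needs a P1/P2 tenant for Graph access to sign-ins, and the export path is an assumption.

```powershell
# Added example (not from the deck): 7-day sign-in analysis (failures and legacy clients)
# and an export, since Free tenants keep only 7 days and P1/P2 30 days.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All)
Write-Host "Sign-ins since ${since}: $($signIns.Count)"

# Modern clients; any other clientAppUsed value (IMAP4, POP3, SMTP, Exchange ActiveSync,
# "Other clients", ...) is a legacy protocol that Security Defaults or CA would block.
$modern = @("Browser", "Mobile Apps and Desktop clients")

$legacy = $signIns | Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern }
Write-Host "`nLegacy-protocol sign-ins by user and client:"
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='User';e={$_.Values[0]}}, @{n='Client';e={$_.Values[1]}} |
    Format-Table -AutoSize

# Failed sign-ins: errorCode 0 means success; everything else is a failure with a reason.
$failed = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }
Write-Host "`nTop accounts by failed sign-ins:"
$failed | Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

Write-Host "`nFailure codes seen:"
$failed | Group-Object { $_.Status.ErrorCode } | Sort-Object Count -Descending |
    Select-Object Count, @{n='ErrorCode';e={$_.Name}},
                  @{n='Example';e={$_.Group[0].Status.FailureReason}} | Format-Table -AutoSize

# Keep a copy outside the tenant's retention window.
$signIns | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed,
    IPAddress, @{n='Country';e={$_.Location.CountryOrRegion}},
    @{n='ErrorCode';e={$_.Status.ErrorCode}} |
    Export-Csv -Path ".\signins-last7d.csv" -NoTypeInformation    # assumed output path
```

A single IP address producing failures across many accounts with error code 50126 (invalid credentials) is the password-spray pattern; a user who appears in the legacy-client table is the one to migrate before the block policy leaves report-only mode.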