Groups

Azure AD Security Groups

1) This is somewhat similar to Security Groups in an on-premises Active Directory implementation.
2) You can create and manage the groups in Azure AD and Microsoft 365.
3) You can assign licenses to groups.
4) These are cloud-only.
Microsoft 365 Groups

1) A Microsoft 365 Group is a membership object in Microsoft 365.
2) You can create and manage the groups in Azure AD and Microsoft 365.
3) You can assign licenses to groups. But this can't be done in the Microsoft Admin Center.
4) These are cloud-only.
Licenses

1) Group License: When you assign a license to a group, you have to ensure that there is a license available for each user in the group.
2) Applying licenses: Group-based licensing is only available via the Azure portal.
3) Multiple licenses: A user can be part of ...
Groups

1) Distribution Lists: This is used to hold contacts when you want to send email messages to a number of users.
2) Mail-enabled security: Here you can distribute messages and also grant access permissions to resources in Exchange and Active Directory.
Azure AD

Azure AD Connect Health

Monitor: Helps to monitor your on-premises identity setup to help maintain reliability.
AD FS: It also has support to monitor your Azure Active Directory Federation Services as well.
Security: You get advanced security features such as Extranet lockout trends and failed sign-in reports.
Metrics: You get metrics on top application usage, network locations and TCP connections.
Installation aspects

License: You need either an Azure AD Premium P1 or P2 license.
AD FS: If you need to monitor your Azure AD Domain Federation Services infrastructure, the agent needs to be installed on the AD FS server.
Privilege: The user performing the installation and configuration must have the Global Administrator role.
Outbound connectivity: The setup agent needs to have connectivity to the Azure AD Connect Health Service endpoints.
Firewall ports: TCP Port 443 must be open for ... controller.
One-time passcode authentication

This is useful when users can't be authenticated via Azure AD, Microsoft accounts or social identity providers.
Here users need to enter a passcode to continue with the sign-in process.
The passcode is valid for 30 minutes.
Quick Review

Role Based Access Control

This is used to give access to resources. Examples of such roles are:
1) Owner
2) Contributor
3) Reader
Azure Active Directory

This is used to give specific permissions in Azure Active Directory:
1) User Administrator
2) Group Administrator
3) Application Administrator
Azure AD Custom Domains

1) Add the custom domain name in Azure AD.
2) Add the DNS information to your domain registrar.
3) Verify the custom domain name in Azure AD.
4) Make the domain the primary domain for new users.
Assigning Licenses to Users

To assign a license to a user, you need to ensure that the user has the Usage Location defined.
Assigning Licenses to Groups

You can assign licenses to Azure AD Groups. Here the users will inherit the licenses assigned to the group.
Assigning Users to Groups

You can't add users directly to a Group that has dynamic membership. But remember that you can assign a license to a dynamic group.
Adding to Groups

You can't add a user to a Mail-enabled security group unless the user has been assigned an appropriate Microsoft 365 license.
You can add a user onto a Microsoft 365 group.
You can't add a Microsoft 365 Group to an Azure AD Security Group.
External Users

For monthly billing for external users, ensure that you link your Azure AD tenant to your subscription.
Security

Security Defaults

This is a feature that can be enabled by default.

Administrators: Administrator accounts need to perform Multi-Factor Authentication.
Actions: Perform more authentication when using the Azure Portal, Azure CLI or Azure PowerShell.
All users: Protecting users with the use of Multi-Factor Authentication.
Action: You can enable and disable this setting at any time.
Legacy Authentication Protection: It just helps to protect the way ...
Authenticator

1) Security: Provides an additional level of security.
2) Availability: It's available for both Android and iOS.
3) Authentication: ... passwordless way.
Authenticator

1) Verification: Additional verification option in MFA and SSPR.
2) Notification: Users can get a notification to approve or deny.
3) Authentication: ... verification code.
Self-Service Password Reset

This feature helps users to reset their password without the need of contacting the IT help desk staff.
Password Reset

License: Password reset needs Azure AD Premium P1 or P2 licenses for users.
Number of methods: Define the number of authentication methods required to reset the password.
Password writeback: If there is a hybrid environment, the changed passwords can be written back to the on-premises Active Directory.
Number of days: Number of days before users need to reconfirm their authentication information.
Notification: Notify users when password is ...
Authentication Methods: ...
Azure AD Multi-Factor Authentication

Account lockout

This is based on the number of times the process of Multi-Factor authentication fails.
This only applies when the user enters a PIN number to authenticate.
Block users

This can be used if the user's device has been lost or stolen, and you need to ensure that any attempt at Multi-Factor authentication from the user's device is denied.
Fraud alert

Here users themselves can report fraud. If they believe that Multi-Factor authentication is being triggered for their account without their knowledge, they can report a fraud.
Azure AD Password Protection

Bad Passwords: This service detects and blocks weak passwords.
Password change: Whenever a user changes or resets the password, it's compared with the list.
Global List: You can't delete or change the global banned password list. This is applied to all users.
Custom List: ...
License: ... for a custom list of banned passwords.
Multi-Factor Authentication

Per-user MFA

Status of MFA is disabled
Status of MFA is enabled
Status of MFA is enforced
Per User MFA

You can skip MFA for a set of IP addresses.
You can set the different verification methods available to the user.
Conditional Access

You can select users or groups that the policy should apply to.
You can decide the ... needs to apply to.
Authentication
Windows Hello for Business

This is ideal if users have dedicated computers. The system must have support for Windows Hello for Business.
FIDO2

This is ideal if users don't have mobile devices to use the Microsoft Authenticator app.
Applications

Azure Application Administrator

This role allows one to manage all aspects of enterprise applications, application registrations and application proxy settings.
The user also has the ability to grant consent for delegated permissions and application permissions.
Here the user will also NOT be added as an owner when creating a new application.
Azure Cloud Application Administrator

This role allows one to manage all aspects of enterprise applications and application registrations, BUT NOT application proxy settings.
The user also has the ability to grant consent for delegated permissions and application permissions.
Here the user will also NOT be added as an owner when creating a new application.
Azure Application Developer

Here users can create application registrations even if the "Users can register applications" setting is set to No.
This role can also grant permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No.
But the user will be assigned as the owner of the application.
Privileged Identity Management

1) Control: Control and manage access to key resources.
2) ... access to resources in Azure AD, Azure and Microsoft 365.
Just-in-time: Here you can provide privileged access to resources whenever they are required.
Time-bound: You can mention start and end dates.
Multi-Factor Authentication: Increased level of authentication to activate a role.
Approval: You can ensure approval is required ...

You need to have Azure AD Premium P2 licenses.
Access Review

1) Group Review: Check if the user needs continual access to a group.
2) Application Review: Check if the user needs continual access to an application.
... continuous basis
Access Review

1) Members/Guests who are assigned as reviewers
2) Members/Guests who perform a self-review
3) Members/Guests as group owners who perform an access review
4) Members/Guests as application owners who perform an access review
Catalogs

This is a container of resources and access packages.
This is used when you want to group related resources and access packages.
The user who creates the catalog becomes the catalog owner.
Connected Organizations

This allows you to connect an external organization.
With entitlement management, you can collaborate with users outside your organization.
Entitlement management

Helps to efficiently manage access to groups, applications and SharePoint Online Sites.
Here the access can be granted for internal and external users.
Access Package

This is a bundle of all resources which the user would need access to:
1) Membership to an Azure AD Security Group
2) Membership to SharePoint Online Sites
3) Assignment to Azure AD Enterprise applications
4) Membership to Microsoft 365 Groups and Teams
Access Package

License requirement: Azure AD Premium P2 licenses
1) Required for members who request an access package
3) Required for members who review assignments for an access package
1) Global Administrator: No license required to set up access packages.
2) Delegation: No license for users who have been delegated administrative tasks.
3) Guest users: No license for guest users who ...
Sign-in logs

1) Management activities: Get information on user, group and application management.
2) License: This is available in all editions of Azure AD.
Sign-in logs

1) Global Administrator
2) Security Administrator/Reader
3) Reports reader
4) Global reader
How long are ...

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention