Start empowering users and protecting corporate data, while managing identities and access with Microsoft Azure in different environments
Book Description
Microsoft Azure and its Identity and access management are at the heart of Microsoft's software as service products, including Office 365, Dynamics CRM, and Enterprise Mobility Management. It is crucial to master Microsoft Azure in order to be able to work with the Microsoft Cloud effectively.
You'll begin by identifying the benefits of Microsoft Azure in the field of identity and access management. Working through the functionality of identity and access management as a service, you will get a full overview of the Microsoft strategy. Understanding identity synchronization will help you to provide a well-managed identity. Project scenarios and examples will enable you to understand, troubleshoot, and develop on essential authentication protocols and publishing scenarios. Finally, you will acquire a thorough understanding of Microsoft Information protection technologies.
Who this book is for
This book is a perfect companion for developers, cyber security specialists, system and security engineers, IT consultants/architects, and system administrators who are looking for fully up-to-date hybrid and cloud-only scenarios. You should have some understanding of security solutions, Active Directory, access privileges/rights, and authentication methods. Programming knowledge is not required but can be helpful for using PowerShell or working with APIs to customize your solutions.
Page count: 397
Year of publication: 2019
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Acquisition Editor: Rahul Nair
Content Development Editor: Deepti Thore
Technical Editor: Mamta Yadav
Copy Editor: Safis Editing
Project Coordinator: Nusaiba Ansari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Aparna Bhagat
First published: September 2016
Second edition: February 2019
Production reference: 1250219
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78913-230-4
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Jochen Nickel is a Cloud, Identity and Access Management Solution Architect with a clear focus and in-depth technical knowledge of Identity and Access Management. He is currently working for inovit GmbH in Switzerland leading and executing projects in the field of Identity and Access Management including Data Classification and Information protection. Jochen is focused on Microsoft Technologies, especially in the Enterprise Mobility + Security Suite, Office 365 and Azure. He is an established speaker at many technology conferences like Azure Bootcamps, TrustInTech Meetups or the Experts Live Switzerland and Europe.
Kasam Shaikh, a Microsoft Azure enthusiast, is a seasoned professional with a "can do" attitude and 11 years of industry experience, working as a cloud architect with one of the leading IT companies in Mumbai, India. He is a certified Azure architect, a YouTuber, recognized as an MVP by a leading online community, as well as a global AI speaker, and has authored books on Azure Cognitive Services, Azure Bots, and the Microsoft Bot Framework. He is the founder of the Dear Azure (AZ-INDIA) community, the fastest-growing online community for learning Azure.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Mastering Identity and Access Management with Microsoft Azure Second Edition
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Identity Management and Synchronization
Building and Managing Azure Active Directory
Implementation scenario overview
Implementing a solid Azure Active Directory
Configuring your administrative workstation
Custom company branding
Summary and recommendations of the help information 
Creating and managing users and groups
Set group owners for organizational groups
Delegated group management for organizational groups
Configure self-service group management
Create the sales internal news group as an Office 365 (distribution group)
Configure dynamic group memberships
Assign roles to administrative units
Creating an administrative unit
Adding users to an administrative unit
Scoping administrative roles
Test your configuration
Protect your administrative accounts
Provide user and group-based application access
Assign applications to users and define login information
Assign applications to groups and define login information
Self-service application management
Password reset self-service capabilities
Configure notifications
Test the password reset process
Using standard security monitoring
Integrating Azure AD Join for Windows 10 clients
Join your Windows 10 client to Azure AD
Verify the newly joined Windows 10 client
Configuring a custom domain
Configure Azure AD Domain Services
Test and verify your new Azure AD Domain Services
Summary
Understanding Identity Synchronization
Technology overview
Microsoft Identity Manager (MIM) 2016
MIM synchronization service
MIM synchronization service extensions
MIM service and portal
MIM service extensions
MIM password reset and user account unlock
MIM privileged access management
Additional solution
Cloud deployment based on identity director service
On-premises deployment based on MIM 2016
Azure Active Directory Connect
Synchronization scenarios
Single-forest integration
Multi-forest integration
Multi-Azure Active Directory Integration
Azure Active Directory Domain Services Integration
Stretched Active Directory to Azure IaaS
Azure Active Directory B2B integration
Azure Active Directory and Microsoft Office 365 synchronization
Identity and password-hash synchronization including SSO options
Identity synchronization including PingFederate integration
Identity and password-hash synchronization including ADFS integration
Azure Active Directory Connect high availability
Synchronization terms and processes
UserPrincipalName suffix decisions
Active Directory preparations
Source Anchor decisions
Connected Directories
Import flow
Placeholder objects
Synchronization flows
Inbound synchronization
Outbound synchronization
Joins
Connector objects
Disconnector objects
Export flow
Summary
Exploring Advanced Synchronization Concepts
Preparing your lab environment
Understanding declarative provisioning and expressions
Synchronization rules explained
Special considerations in advanced synchronization concepts
Using standard filters to exclude users and groups
Building a custom rule for filtering
Connecting Azure AD Connect to the second forest
Summary
Monitoring Your Identity Bridge
How Azure AD Connect Health works
Azure AD monitoring and logs
Azure Security Center for monitoring and analytics
Summary
Configuring and Managing Identity Protection
Microsoft Identity Protection solutions
Azure ATP and how to use it
Azure AD Identity Protection
Using Azure AD PIM to protect administrative privileges
Summary
Section 2: Authentication and Application Publishing
Managing Authentication Protocols
Microsoft identity platform
Common token standards in a federated world
Security Assertion Markup Language (SAML) 2.0
Key facts about SAML
WS-Federation
Key facts about WS-Federation
OAuth 2.0
Key facts about OAuth 2.0
Main OAuth 2.0 flow facts
Authorization code flow
Client credential flow
Implicit grant flow
Resource owner password credentials flow
OpenID Connect (OIDC)
Key facts about OIDC
Pass-through authentication and seamless SSO
Multi-factor authentication
Azure MFA
Certificate authentication
Device authentication
Biometric authentication
Summary
Deploying Solutions on Azure AD and ADFS
Basic environment installation and configuration
Create the certificate for your environment with let's encrypt
Installing the ADFS farm on YDADS01
Installing the Web Application Proxy on YD1URA01
Installing demo applications on (YD1APP01) for ADFS
Subscribing to demo apps (Azure AD)
Azure AD authentication deployments
ADFS Authentication deployments
Integrating Azure MFA (YD1ADS01)
Summary
Using the Azure AD App Proxy and the Web Application Proxy
Configuring additional applications for Azure AD and ADFS
Publishing with Windows server and Azure AD Web Application Proxy
Using conditional access
Summary
Deploying Additional Applications on Azure AD
Preparing your lab environment
What defines single- and multi-tenant applications
Deploying a single-tenant application including roles and claims
Moving the single-tenant app to a multi-tenant scenario
Deploying another multi-tenant app with OpenID Connect
Summary
Exploring Azure AD Identity Services
Preparing your lab environment
Understanding Azure AD B2B
Providing resource access to external partners (on-premise)
Exploring Azure AD B2C
Azure AD B2C tenant creation
Demo app registration
User flow creation
Visual Studio code modification
Comparing Azure AD B2B and B2C
Comparing AD FS with Azure B2B and B2C
Extending Active Directory solutions with Azure AD Domain Services
AD FS as an on-premise identity service for the cloud
Typical single-forest deployment
Two or more Active Directory forests running separate AD FS instances
Running one AD FS instance for multiple trusted forests
One AD FS instance for multiple Active Directory forests without an AD trust
Using a local CP trust to support multiple Active Directory forests
Using a shared Active Directory environment
Microsoft Cloud Solution Provider summary
Summary
Creating Identity Life Cycle Management in Azure
Lab environment readiness
Handling the guest user life cycle
Use Case 1 – Exploring the invitation process with different user types
Using the Azure AD B2B portal and use cases
Installation and configuration
Usage of the portal
Special considerations
On-premise application access for guest users
Azure services for automation
Summary
Section 3: Data Classification and Information Protection
Creating a Security Culture
Why do we need a security culture?
Pillars of a good security culture
Leadership support
Training
Testing
Continuous communication
General overview of data classification
Methods of data classification
Data classification and unstructured data
Data classification and Data Leakage/Loss Prevention
Data classification and compliance
Storage optimization
Access control to data
Classification scheme and policy example
Description of the classification scheme
Visual markings and rules based on the classification label
General desired behavior example
Defining the data-processing roles
Change of classification
Azure Information Protection (AIP) overview
Summary
Identifying and Detecting Sensitive Data
Extending your lab environment
Understanding and using AIP capabilities for data in motion
Scenario 1 – Usage of Azure Information Protection
Scenario 2 – Monitoring with Windows Defender ATP
Scenario 3 – Identifying sensitive information in your cloud ecosystem
Scenario 4 – Data leakage prevention in Office 365
Understanding and using AIP capabilities for data at rest
Summary
Understanding Encryption Key Management Strategies
Azure Information Protection key basics
Microsoft-managed keys
Bring your own key
What is an HSM?
What is the Azure Key Vault?
Hold your own key
How Azure RMS works under the hood
Algorithms and key lengths
User environment-initialization flow
Content-protection flow
Content-consumption flow
Summary
Configuring Azure Information Protection Solutions
Preparing to configure and manage AIP
Azure RMS management with PowerShell
Azure RMS super users
Onboarding controls
Azure RMS templates
Azure RMS logging
AIP client PowerShell
Configuring AIP
Creating the classification schema
Creating sub-labels and scoped policies
Using visual markings
Configuring automatic classification and protection
Using justification
Configuring protection options
Activating unified labeling
Lab challenge
Summary
Azure Information Protection Development
Technical requirements
Microsoft Information Protection solutions
Understanding the Microsoft Information Protection SDK
Preparing your Azure AD environment for tests
Using MIP binaries to explore functionality
Using PowerShell with Azure Information Protection
Useful Azure RMS cmdlets
Overview of the RMS 2.1 and 4.2 SDKs
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
Mastering Identity and Access Management with Microsoft Azure is a crisp and practical, hands-on guide containing project scenarios/illustrations that is tailored to genuine hybrid and cloud-only challenges. Developers, security specialists, IT consultants, and architects are the audience for this book. With it, you get a complete companion for solving key topics in the field of identity and access management through all related Microsoft technologies and practice-related crisp and clear content that helps you to put the theory into practice. The book delves into the Microsoft 365 Security and Compliance plans and other Azure services related to identity and access management topics.
The book is divided into three parts. In the first part, crucial identity management topics are covered, such as identity synchronization as a whole, including monitoring and protection topics, in a cloud-only and hybrid world. The second part provides all the essentials and in-depth knowledge pertaining to the different authentication methods you can use and how you can securely publish and expose your applications with on-premise technologies and the Azure AD feature set. The final part of the book focuses entirely on the Microsoft information protection technologies. Another highlight is the more than 40 playbooks you receive to support the learning process through practical tips. With this great resource, you get an information package that also covers the functionality of Windows 10 and Windows Server 2016/2019.
How does this edition differ from the first edition of the book, and why a second edition with more than 85% new content?
First of all, many thanks to all the readers and the valuable feedback I received. I was happy to listen!
Since writing the first edition of the book back in 2016, many features have been completely updated, added, changed, or even removed. The Microsoft Azure world is changing very rapidly, from a pure infrastructure to an object and service-oriented environment. For this reason, it is necessary to include a variety of developmental aspects in the book. Some functions are currently changing their entitlement entirely to the cloud.
However, no overall solution for sustainable identity and access management in a hybrid cloud environment is currently available to fulfill all the different aspects. For this reason, the basics for individual services must be developed to ensure a better shift of the functions.
Another important reason for me to write an updated edition was that I heard from readers and workshop attendees that they require more technical guidance and less information on the decision manager side. This brought me to an approach whereby I provide more than 40 hands-on guides in the book, where you can test all the related information in a practical and guided manner. Furthermore, our workshop attendees and customers found it very hard to find qualified and working lab examples in a compressed form to save time and effort.
Many of you and our attendees loved the structure of the three scenarios in the first book. Frequently, however, I received a request to provide the theory and practical guidance in technology or topic-based flows so as to make it easier to follow, if you are just interested in specific topics, or if you want to use the book as a living reference.
At the time of writing the first book, the Azure information protection technology was not available in the complete approach that it is available today. Since this technology is now mature and an integral aspect of access management, in my view, additional chapters for this topic are an absolute necessity.
Windows Server 2019 is also available to use, so I updated the book to work with the new server version, with a primary focus on hybrid cloud scenarios.
This book is designed for cyber security specialists, system and security engineers, developers and IT consultants/architects who wish to plan, design, and implement identity and access management solutions with the help of Microsoft Azure technology.
Chapter 1, Building and Managing Azure Active Directory, explains how to configure a suitable Azure AD tenant for a cloud-only approach. You will also learn how to configure and manage users, groups, roles, and administrative units to provide a user and group-based application and self-service access, including the related audit functionality.
Chapter 2, Understanding Identity Synchronization, explains the most important identity synchronization scenarios and tools for successful implementation of a complete hybrid identity life cycle management. We will run through the different processes, the Active Directory user account cleanup for a hybrid environment, and all the crucial identity synchronization aspects and steps in Azure Active Directory Connect.
Chapter 3, Exploring Advanced Synchronization Concepts, teaches you the advanced synchronization concepts. In particular, we will look into the synchronization rules and the declarative provisioning and expressions concept and use them directly in real-world examples.
Chapter 4, Monitoring Your Identity Bridge, explains the various monitoring capabilities for the identity bridge that is constructed by Azure AD Connect, Active Directory itself and, if used, Active Directory Federation Services (ADFS) and the Web Application Proxy. We'll investigate the Azure AD Monitoring and Logs functionality, the Azure AD Connect Health service, and the Azure Security Center.
Chapter 5, Configuring and Managing Identity Protection, demonstrates how to protect your identities against today's attacks. We will work through the different cloud services that can help you protect your environment so that you can plan and implement the features for your requirements.
Chapter 6, Managing Authentication Protocols, teaches you the basic authentication protocols you need to know for handling ADFS and Azure AD integrations. Additionally, you will benefit from a vast array of validated and recommended material to facilitate a deep dive into every critical authentication and authorization protocol.
Chapter 7, Deploying Solutions on Azure AD and ADFS, explains how to configure Azure AD and ADFS to handle your application requirements. You will install the service and the authentication platform to gather all the knowledge required in order to emerge victorious in this field of technology.
Chapter 8, Using the Azure AD App Proxy and the Web Application Proxy, covers the publishing of applications through the Azure AD Application Proxy and the Windows Server Web Application Proxy. We will configure a number of applications, including the first conditional access scenarios.
Chapter 9, Deploying Additional Applications on Azure AD, explains the concept of single- and multi-tenant applications and the differences between the two. Furthermore, you will configure the two types of application, including the transition process from single- to multi-tenant.
Chapter 10, Exploring Azure AD Identity Services, explains the different Azure AD identity services and ADFS as on-premise identity services. We will look at the Azure AD B2B and B2C functionality and explain the main concepts regarding these technologies.
Chapter 11, Creating Identity Life Cycle Management on Azure, covers different identity life cycle scenarios. With a strong focus on a complete Azure AD B2B management, we will provide you with all the requisite information and configuration tasks to offer comfortable and secure application access to your users.
Chapter 12, Creating a New Security Culture, explains why organizations need to build a strong security culture to provide a suitable information protection solution. You will get a clear and crisp overview to understand the three key factors and the four main pillars of a strong security culture.
Chapter 13, Identifying and Detecting Sensitive Data, teaches you why identifying and detecting sensitive data is a critical process inside an information protection solution. You will work through all the related technologies and configure a number of solutions.
Chapter 14, Understanding Encryption Key Management Strategies, explains how to use the three crucial, and different, deployment models and the role played by the Azure Key Vault service. Furthermore, you will learn how the Azure Rights Management Services uses the various keys on client applications.
Chapter 15, Configuring Azure Information Protection Solutions, shows you how to start an Azure information protection project and provides you with best practices and configuration tips for successful implementation.
Chapter 16, Azure Information Protection Development Overview, provides you with a solid foundation for using the Microsoft Information Protection developer resources for gathering more in-depth knowledge to handle this service in terms of troubleshooting or developing your extension.
To use the book efficiently, you should have some understanding of security solutions, Active Directory, access privileges/rights, and authentication methods. Programming knowledge is not required but will be helpful for using PowerShell or working with APIs to customize your solutions. Working through the first edition of the book is not a requirement for following the chapters in this book.
Throughout the book, we will work entirely on the Azure platform itself. The only requirement is an internet connection and a Microsoft or Apple client computer. The labs can be undertaken free of charge for the duration of the several trial versions we use. We highly recommend that you shut down your virtual machines on Azure when you are not using them, so that the trial runtime is preserved for working through the practical guidance. In Chapter 7, Deploying Solutions on Azure AD and ADFS, we provide the architecture overview with all the requisite information for sizing and for the different products we use and reference in the chapters. We also provide guidance on creating public certificates with Let's Encrypt. One small cost requirement exists: if you want to run all the different labs, you need to have three public DNS domains registered, including access to the related public DNS. Bear in mind that this lab is for studying and testing functionality and is not a representation of a production environment. Follow the instructions in the chapters to arrange the correct resources. All the scripts and demo files are included in the example code files, which you can download from the web page given in the Download the example code files section.
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
1. Log in or register at www.packt.com.
2. Select the SUPPORT tab.
3. Click on Code Downloads & Errata.
4. Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Identity-and-Access-Management-with-Microsoft-Azure.Second-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781789132304_ColorImages.pdf
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
In this first section of the book, you will explore and use several Microsoft Identity and Access Management Service offerings. You will look into Identity Synchronization processes in detail as well.
The following chapters will be covered in this section:
Chapter 1, Building and Managing Azure Active Directory
Chapter 2, Understanding Identity Synchronization
Chapter 3, Exploring Advanced Synchronization Concepts
Chapter 4, Monitoring Your Identity Bridge
Chapter 5, Configuring and Managing Identity Protection
Working with the various Software-as-a-Service (SaaS) offerings such as Office 365, Dynamics CRM or Visual Studio Online requires well-managed identities and a sound basic structure in Azure Active Directory (AD), which forms the heart of these solutions. You, as an administrator, need to provide a stable identity and access management platform to manage these services.
This chapter explains how to configure a suitable Azure AD tenant, which we use throughout the whole book to explore, understand, and configure the different features and functions in the field of identity and access management with Microsoft Azure. We start with the cloud-only components, followed in the next chapters by the hybrid identity and access management approach.
In this chapter, we go directly to the configuration and learn how to configure and manage users, groups, roles, and administrative units to provide user and group-based application and self-service access, including the audit functionality. The chapter focuses on the following:
Implementation scenario overview
Implementing a solid Azure Active Directory
Creating and managing users and groups
Assigning roles and administrative units
Protecting your administrative accounts
Providing user and group-based application access
Activating password reset
Using standard security monitoring
Integrating the Azure AD Join for Windows 10 clients
Configuring a custom domain
Configuring Azure AD Domain Services
Now, we can introduce the implementation scenario.
After completing the next configuration tasks, you will see the rich functionality of Microsoft Azure in the field of identity and access management, starting with cloud identities. You can demonstrate the different capabilities in your own Microsoft Azure environment. The guidance focuses on the most essential feature sets to give you an idea of their capabilities. We will start by using the default directory, which we call domain.onmicrosoft.com for now, and will change it later to a custom domain name. Domain stands for your desired name, such as example.com; the same name is also used for the userPrincipalName of the users in this chapter, for example [email protected], which is represented in the chapter by my example domain called inovitcloudlabs. Be aware that this name will be visible to the end user in different applications, such as SharePoint Online and Skype for Business. We recommend the company name without the legal form, for instance, inovit GmbH would become inovit.onmicrosoft.com. Use a different name for your tests, so that the domain for a production environment stays free. This configuration will be the base for all further scenarios in the book. For this reason, we use an Azure, Enterprise Mobility Suite, and Office 365 subscription in order to use all the available features.
The following figure shows the different main areas we will focus on in this chapter:
In the next section, we will start the configuration of the scenarios.
The first step we need to take is to get an Azure AD tenant. There are many ways to do this. You can start with an Azure subscription or use any other service from the Microsoft SaaS portfolio. The easiest way to get your solution to a working state is to start with an Office 365 trial subscription.
Open your browser and navigate to http://bit.ly/1RVpFXe. Subscribe to a free Office 365 Enterprise E5 plan:
Follow the registration process and define your user ID, such as [email protected]. We recommend using a nonpersonal ID, as shown in the next screenshot. Enter your new user ID and password. Your default directory will get the name you define behind the @:
Afterward, you need to prove your identity with a text message or a phone call and enter the received code. Next, you need to click Create my account. Keep in mind that the provisioning process takes a few minutes and should end with a success message.
After the successful creation of your brand new Azure AD with an associated Office 365 E5 plan, you should be able to log on with your administrative credentials and see the following screen:
In the next step, we will assign an Enterprise Mobility Suite (EMS) E5 plan to the freshly created Azure AD tenant.
Click on the Admin icon on the right, and you should see your current assigned Subscriptions under the Billing tab:
Click Add subscriptions to add the EMS E5 trial plan to your Azure AD tenant:
Choose the EMS E5 plan and click Start free trial and follow the subscription process. After a successful subscription process, you can see the assigned Office 365 E5 and the EMS E5 plan in your Azure AD tenant.
Now that we have created our Azure AD tenant, we need to sign up for an Azure free trial subscription. This step is necessary to use Azure resources such as Azure AD Domain Services and other functionality we will discuss in the next chapters.
You can also use the following ways to get an Azure subscription:
Use an Azure subscription from scratch (https://account.azure.com/organization)
Use an agreement-based Azure subscription
Use an MSDN Azure subscription, as shown in the following figure:
Let's go on to configure your administrative workstation and your personal Azure AD tenant.
Most companies like to see how they can apply their corporate identity to Azure services. With a few easy steps, you can show the most important capabilities. To add custom branding, you need an Azure Active Directory Premium 1, Premium 2, Basic, or Office 365 license. The following simple example shows what you can customize. You can provide the customization in different languages to address your own or your customers' needs. These configuration tasks are always a good starting point in a demo or a proof of concept. You are free to use your own pictures and designs for this setup:
The first thing we are going to change is the Name of the directory in the properties section. Just enter your desired name. We used INOVITCLOUDLABS by inovit GmbH. You can also provide your own technical and privacy contacts and links on the login page:
Click Customize Branding, and you will see the following options. So that you can prepare your pictures and brands, we summarized the help information provided in Microsoft TechNet:
Next, you will see a configuration summary.
The following section provides you with several capabilities and summarizes the most important corporate identity features to customize your environment:
Banner logo:
Displayed on the Azure AD sign-in page and on myapps.microsoft.com
PNG or JPEG
Can't be taller than 36 pixels or wider than 245 pixels
Recommendation: no padding around the image
Sign-in page text body:
Appears at the bottom of the Azure AD sign-in page
Unicode text only, with a maximum length of 256 characters
Use it to communicate the phone number of your help desk or to include a legal statement
Recommendation: don't add links or HTML tags
Sign-in page background image:
Displayed on the side of the Azure AD sign-in page
PNG or JPEG
Recommended 1420 x 1200 with a supported file size of 300 KB (max. 500 KB)
Keep the important part in the top-left corner (the image gets resized and cropped)
Username hint: hint text that appears to users if they forget their username:
Unicode, without links or code
Maximum 64 characters
Show option to remain signed in: let your users remain signed in to Azure AD until they explicitly sign out:
Your expected result should be this:
Now that we have provided an essential company branding, we can start to create and manage users and groups.
To provide group management by the manager of a department, we will assign the following users as owners of their department groups:
Accounting:
Do the same for:
HR:
Sales:
Now that we have configured the owners, we will start to delegate management.
The default configuration of Azure AD allows an owner of a security or Office 365 group to manage the group members based on the data owner concept in the Azure AD Access Panel and the Azure portal.
Furthermore, you can limit this functionality, based on your needs:
Log in as [email protected] to https://myapps.microsoft.com. Click on the HR group and add [email protected] to the HR group:
Review the Join policy under Edit details.
In the next section, we will configure the group self-service options.
Another common requirement is that users need to be able to create request-based security or Office 365 groups, for instance for projects or as distribution groups; this calls for an approval process. You can provide this functionality by activating the option in the general section of group management. This feature set requires Azure Active Directory Premium:
An Office 365 group includes a distribution list but also consists of these shared tools:
Inbox for group email communication
Calendar for scheduling group meetings and events
Library for storing and working on group files and folders
OneNote notebook for taking project and meeting notes
Planning tool for organizing and assigning tasks and getting updates on project progress
Guest access (set up by the administrator)
Practical note: Use a different browser or the Private Browsing option for handling the different user sessions: one session on https://portal.azure.com as [email protected] (Admin) and another session as the explicit user (User) under https://myapps.microsoft.com.
Log in as [email protected] to https://myapps.microsoft.com and create the Sales Internal News group as an Office 365 group. Check that the Group policy shows This group is open to join for all users:
Review the Join policy of your newly created group:
In your Azure AD, under Groups, you will also find the newly created group:
Now, as the group owner, we change the group to require a manager's approval with the group policy setting:
Test the new configuration and log in as [email protected] to https://myapps.microsoft.com. Navigate to groups. Choose Sales Internal News:
Join the Sales Internal News group and type a Business justification, click Request, and the process should be started.
Log in as [email protected] to https://myapps.microsoft.com.
Check your inbox. You should have received the join request mail and a notification, shown in the Access Panel UI.
Click on this request and approve it:
Log in as [email protected] on https://myapps.microsoft.com.
Check your inbox, and you should have received a successful approval message:
Check your group membership, and you should be a member of the Sales Internal News group:
Next, we will configure dynamic group memberships.
In the next section, we will configure straightforward dynamic group memberships to use the department attribute to add users to their department group and build up a dynamic licensing assignment. Group-based licensing currently does not support groups that contain other groups (nested groups).
As [email protected], choose the Accounting group, navigate to properties, and change the membership type to Dynamic User.
Create a simple rule: department Equals (-eq) Accounting:
Set the department attribute (profile section) of the accounting users Brian Cox and Jeff Simpson to Accounting:
The members should be added automatically. Check the group membership and verify the two new members:
Next, we will provide an automatic licensing solution.
Create the following security group:
Office 365 full feature licensing
Group description: Automatic Office 365 Full Feature Licensing
Membership type: Dynamic User
Dynamic query: userType -eq Member
Under Licenses | Products, assign the Office 365 E5 plan. Don't choose any assignment options at the moment:
Wait until the membership has updated and check the license assignment for [email protected].
You will see that the user gets the license through a direct and group-based assignment:
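The two dynamic groups of this section (Accounting by department, the licensing group by userType), as an added PowerShell example built on the AzureAD module's MS cmdlets; this is not code from the book, the function names and the 30-second polling interval are my own, and the group-based E5 assignment itself stays a portal step because the AzureAD module has no cmdlet for it.

```powershell
# Added example. Assumes Connect-AzureAD was run as the tenant admin and the tenant holds the
# Azure AD Premium licence that dynamic groups require.
$dynamicType = 'DynamicMembership'
# Turn the chapter's existing Accounting group from assigned into dynamic membership,
# the PowerShell counterpart of "Membership type: Dynamic User" in the portal.
function ConvertTo-DynamicGroup {
    param([string]$DisplayName, [string]$MembershipRule)
    $group = Get-AzureADMSGroup -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
    if (-not $group) { throw "Group '$DisplayName' not found" }
    $types = [System.Collections.ArrayList]::new()
    foreach ($t in $group.GroupTypes) { [void]$types.Add($t) }   # empty for a plain security group
    if ($types -contains $dynamicType) { throw "'$DisplayName' is already dynamic" }
    [void]$types.Add($dynamicType)
    Set-AzureADMSGroup -Id $group.Id -GroupTypes $types.ToArray() `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
    return $group.Id
}
# Create the licensing group of this section as a brand new dynamic security group.
function New-DynamicSecurityGroup {
    param([string]$DisplayName, [string]$Description, [string]$MembershipRule)
    $nick = ($DisplayName -replace '[^A-Za-z0-9]', '').ToLower()   # MailNickname allows no spaces
    $g = New-AzureADMSGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled $false -MailNickname $nick -SecurityEnabled $true `
        -GroupTypes $dynamicType -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
    return $g.Id
}
# Rule processing is asynchronous; poll until the expected members appear or time runs out.
function Wait-GroupMembers {
    param([string]$GroupId, [int]$Expected, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $members = @(Get-AzureADGroupMember -ObjectId $GroupId -All $true)
        if ($members.Count -ge $Expected) { return $members }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Group $GroupId has only $($members.Count) members after $TimeoutSec s"
}
$accountingId = ConvertTo-DynamicGroup -DisplayName 'Accounting' `
    -MembershipRule '(user.department -eq "Accounting")'
$licensingId = New-DynamicSecurityGroup -DisplayName 'Office 365 full feature licensing' `
    -Description 'Automatic Office 365 Full Feature Licensing' `
    -MembershipRule '(user.userType -eq "Member")'   # guests never fall into the E5 group
Write-Host "Licensing group created: $licensingId (assign the E5 plan to it in the portal)"
# Setting the department attribute is what pulls Brian Cox and Jeff Simpson into the group.
foreach ($name in 'Brian Cox', 'Jeff Simpson') {
    $u = Get-AzureADUser -Filter "displayName eq '$name'" | Select-Object -First 1
    if ($u) { Set-AzureADUser -ObjectId $u.ObjectId -Department 'Accounting' }
}
(Wait-GroupMembers -GroupId $accountingId -Expected 2).UserPrincipalName
```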
In the next section, we will configure role assignments to administrative units.
To delegate tasks, we create administrative units (AUs) and assign roles for specific tasks. In this configuration, we generate an HR AU and assign the manager of the HR department the role to manage user accounts within this scope.
First of all, we need to connect to our Azure AD with the PowerShell cmdlet Connect-AzureAD for the [email protected] user.
Use the following cmdlet to create the HR AU:
New-AzureADAdministrativeUnit -Description "Human Resources Users" -DisplayName "HR"
View the expected output:
Next, we will add the related users.
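The remaining delegation steps this section announces (placing the HR users in the AU and giving the HR manager the user-management role scoped to it only), as an added example using the AzureADPreview cmdlets rather than the book's own code; the function name, the role display name default and the UPN placeholders are assumptions.

```powershell
# Added example. Assumes Connect-AzureAD was run as the tenant admin and the HR
# administrative unit was created with New-AzureADAdministrativeUnit as shown above.
function Grant-ScopedUserAdmin {
    param(
        [Parameter(Mandatory)][string]$AuDisplayName,
        [Parameter(Mandatory)][string]$ManagerUpn,
        [string[]]$MemberUpns = @(),
        # Display name differs by tenant age: "User Account Administrator" or "User Administrator".
        [string]$RoleName = 'User Account Administrator'
    )
    $au = Get-AzureADAdministrativeUnit | Where-Object DisplayName -eq $AuDisplayName
    if (-not $au) { throw "Administrative unit '$AuDisplayName' not found" }

    # Scope the AU: only users placed in it are manageable through the delegated role.
    foreach ($upn in $MemberUpns) {
        $u = Get-AzureADUser -ObjectId $upn
        Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $u.ObjectId
    }

    # Directory roles are listed only once activated; activate the template if needed.
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
    if (-not $role) {
        $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
        if (-not $tmpl) { throw "Role '$RoleName' not found in this tenant" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
    }

    # Scoped membership: the manager holds the role inside the AU only, not tenant-wide.
    $manager = Get-AzureADUser -ObjectId $ManagerUpn
    $info = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
    $info.ObjectId = $manager.ObjectId
    Add-AzureADScopedRoleMembership -ObjectId $au.ObjectId -RoleObjectId $role.ObjectId `
        -RoleMemberInfo $info | Out-Null

    # Return what is now scoped to the AU; review this list whenever delegation changes.
    Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId
}

# Placeholder UPNs: replace <your-domain> with the domain of your own tenant.
Grant-ScopedUserAdmin -AuDisplayName 'HR' -ManagerUpn 'hr.manager@<your-domain>' `
    -MemberUpns @('hr.user1@<your-domain>', 'hr.user2@<your-domain>')
```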
