365 Azure Admin: Mastering Identity and Access

Mastering Identity and Access is a critical aspect of being a 365 Azure Admin. You need to understand how to manage identities, permissions, and access to ensure your organization's resources are secure and accessible to the right people.

To get started, Azure Active Directory (AAD) is a crucial component of 365 Azure, providing identity and access management capabilities. AAD allows you to manage users, groups, and devices, and grant them the necessary permissions to access your organization's resources.

In the 365 Azure Admin role, you'll often encounter the concept of Azure AD Premium, which provides advanced identity and access management features, including multi-factor authentication, conditional access, and privileged identity management.

Azure Admin Security

Azure Admin Security is a top priority for any 365 Azure Admin. Azure Active Directory (Azure AD) provides robust security features to protect your organization's resources.

Azure AD uses multi-factor authentication (MFA) to add an extra layer of security to user logins. This can be done through authenticator apps, SMS, or phone calls.

To ensure secure access, Azure AD also offers conditional access policies that can restrict access to sensitive resources based on user location, device, and other factors.

MFA

MFA is a crucial security feature that Azure Admins can implement to protect their accounts. Azure supports multi-factor authentication (MFA) through various methods, including authenticator apps, SMS, and phone calls.

Azure offers a built-in MFA solution, Azure Active Directory (Azure AD) MFA, which can be enabled for users and administrators. This feature requires users to enter a second form of verification in addition to their password.

Azure MFA can be configured to require a second form of verification for all sign-ins or only for specific applications and locations. This adds an extra layer of security to prevent unauthorized access to Azure resources.

Azure MFA can be enforced for all users, including administrators, to ensure that even the most privileged accounts are protected. This helps to prevent lateral movement in the event of a breach.

Azure MFA can be configured to use a range of authenticator apps, including the Microsoft Authenticator app, Google Authenticator, and Authy. This gives users the flexibility to choose the app that works best for them.

Cloud App Security

Cloud App Security offers deeper insights into data and more recommendations across thousands of apps. It's a powerful tool that requires a license to use.

The Cloud App Security center contains elements found in the Security and Compliance center, making it a natural extension of your Office 365 environment. It's focused on securing your Office 365 environment across all platforms and tools.

Cloud App Security provides a more detailed view of your data, similar to the auditing capabilities in the Office 365 Security & Compliance Center. This allows you to make more informed decisions about your data security.

To access Cloud App Security, simply visit the portal at https://portal.cloudappsecurity.com/.

Azure Admin Identity

Azure Admin Identity is a powerful tool for managing access to Azure resources. It allows you to assign administrative roles to users, enabling them to perform tasks such as creating and managing resources.

With Azure Admin Identity, you can also manage user permissions at the subscription level, which is crucial for ensuring that users only have access to the resources they need to perform their jobs. This helps maintain a secure and organized environment.

One of the key benefits of Azure Admin Identity is that it integrates seamlessly with Azure Active Directory (AAD), allowing you to leverage your existing AAD identities to manage access to Azure resources. This makes it easy to manage access and reduce administrative overhead.

Entra ID & Hybrid Identity

Entra ID operates over HTTPS and can be accessed from a REST API. It supports modern authentication protocols such as Security Assertion Markup Language (SAML), WS-Federation, and OpenID Connect for authentication and OAuth for authorization.

Entra ID also supports federation, allowing you to connect it to other authentication systems. Three types of authentication are supported in Entra ID:

  • Cloud-based
  • Directory synchronization
  • Single Sign On (SSO) with AD FS

The cloud-based option is suitable for organizations that don't have AD on-premises or want to retire it and create accounts in the cloud only. It's the simplest option to configure.

The other two options require linking your on-premises AD to your Entra ID tenant through the free AAD Connect tool. A popular option is using the AWS Single Sign-On app to integrate AAD and AWS.

By using Entra ID and AAD Connect, you can create a seamless authentication experience for your users, regardless of whether they're accessing cloud or on-prem resources.

Custom Domains

Custom domains are a game-changer for Azure AD users. They reduce the frustration that comes with typing out long default domains.

The default Azure AD domain looks like this: @notarealdomain.onmicrosoft.com

Configuring Azure AD with a custom domain you own makes a huge difference. It would look something like @notarealdomain.com instead.

Who Is an Azure Admin?

By default, the person who signs up for and buys an Azure subscription gets admin permissions. That person can assign admin permissions to other people to help them manage Azure.

An admin is someone who has the power to make changes to Azure settings, which is why you might see the message "You don't have permission to access this page or perform this action" if you're not an admin.

To become an admin, you need to be assigned admin permissions by the original subscriber or another admin. This is usually done to help manage Azure for their organization.

Azure Admin Access

Azure AD uses Kerberos and Group Policy, has a hierarchical structure, and is based on LDAP, none of which are cloud-friendly.

Managing admin access is crucial to prevent over-permissioning accounts, which raises the impact risk of any mistake they make, gives hackers wider scope to cause harm, and makes it hard to store personal data with integrity and confidentiality.

To avoid over-permissioning, make sure users are given the right licenses, are added to the right groups, and when the time comes to disable the account, the right steps are followed.

Conditional Access Policies

Conditional Access Policies are a powerful feature in Azure Admin Access that help you build policies around application access. These policies can be based on user account, group membership, application type, device state, location, sign-in risk, and client application type.

With Conditional Access Policies, you can create "if this – then do that" rules to manage risk factors affecting identity and access in M365. This greatly enhances the security of your data. Templates are available to make it easier to set up good policies, covering Secure Foundation, Zero Trust, Remote work, Protecting administrators, and Emerging threats.

You can test policies in a test tenant before exporting them to your production tenant. This ensures that you don't create a policy that locks out the CEO five minutes before a board presentation. The option to deploy CA policies in Report-only mode lets you evaluate the impact without enforcing them.

There's an API for accessing CA policies, which makes it possible to back up and restore them, monitor changes, and treat them as code. This is especially useful for managing large-scale deployments.
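Treating CA policies as code mostly means comparing a saved export against the current one. The sketch below is an added example, not code from the original page or from Microsoft: it fingerprints each policy, ignores fields that change on their own, and flags policies that were weakened (for instance moved from enforced to Report-only) or gained user exclusions. Field names follow the Microsoft Graph conditional access policy resource; the policy ids, `role-global-admin`, `breakglass-1` and `user-42` are constructed placeholders, and fetching the export from the API is left out.

```python
import copy
import hashlib
import json

# Fields the service updates on its own; ignoring them keeps fingerprints stable.
VOLATILE = {"createdDateTime", "modifiedDateTime"}
# Enforcement strength of the policy `state` values, weakest first.
STRENGTH = {"disabled": 0, "enabledForReportingButNotEnforced": 1, "enabled": 2}

def normalize(value):
    """Drop volatile keys and sort lists so reordering is not reported as drift."""
    if isinstance(value, dict):
        return {k: normalize(v) for k, v in value.items() if k not in VOLATILE}
    if isinstance(value, list):
        return sorted((normalize(v) for v in value), key=lambda v: json.dumps(v, sort_keys=True))
    return value

def fingerprint(policy):
    blob = json.dumps(normalize(policy), sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def excluded_users(policy):
    return set(policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))

def diff_policies(baseline, current):
    """Compare two exports (lists of policy dicts), keyed by policy id."""
    old = {p["id"]: p for p in baseline}
    new = {p["id"]: p for p in current}
    report = {
        "added": [new[i]["displayName"] for i in sorted(new.keys() - old.keys())],
        "removed": [old[i]["displayName"] for i in sorted(old.keys() - new.keys())],
        "changed": [], "weakened": [], "new_exclusions": {},
    }
    for pid in sorted(old.keys() & new.keys()):
        before, after = old[pid], new[pid]
        name = after["displayName"]
        if fingerprint(before) != fingerprint(after):
            report["changed"].append(name)
        if STRENGTH[after["state"]] < STRENGTH[before["state"]]:
            report["weakened"].append(name)  # e.g. enforced -> report-only
        extra = excluded_users(after) - excluded_users(before)
        if extra:
            report["new_exclusions"][name] = sorted(extra)
    return report

# Constructed sample exports (not real tenant data).
BASELINE = [
    {"id": "ca-001", "displayName": "Require MFA for admins", "state": "enabled",
     "modifiedDateTime": "2024-01-01T00:00:00Z",
     "conditions": {"users": {"includeRoles": ["role-global-admin"], "excludeUsers": ["breakglass-1"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled",
     "modifiedDateTime": "2024-01-01T00:00:00Z",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
CURRENT = copy.deepcopy(BASELINE)
CURRENT[0]["conditions"]["users"]["excludeUsers"].append("user-42")
CURRENT[1]["state"] = "enabledForReportingButNotEnforced"
CURRENT.append({"id": "ca-003", "displayName": "Require compliant device",
                "state": "enabledForReportingButNotEnforced", "conditions": {}, "grantControls": None})

if __name__ == "__main__":
    print(json.dumps(diff_policies(BASELINE, CURRENT), indent=2))
```

Run on a schedule against a baseline kept in version control, the `weakened` and `new_exclusions` entries are the ones worth alerting on.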

Some examples of Azure Admin Access features that integrate with Conditional Access Policies include:

  • 365 Total Protection
  • 365 Total Backup
  • 365 Permission Manager
  • 365 Total Protection Compliance & Awareness
  • 365 Total Protection Enterprise Backup

Access, Privilege, and Scope

Access to Azure AD is a double-edged sword: it gives you the power to manage your tenant, but also increases the risk of mistakes and security breaches.

Over-permissioning accounts is a major issue, as it raises the impact of any mistake made with them.

When too many users have admin rights, a hacker who compromises an admin account has wider scope to cause harm.

From a data protection perspective, personal data should be stored in a way that allows for accountability, integrity, and confidentiality.

To mitigate this, use Access Reviews (Premium P2) to review all guest accounts in one operation, rather than on a per Team/M365 Group basis.
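A periodic check for the over-permissioning problems described above can be run over a directory export. This is an added example, not part of the original page: the user records and role assignments are constructed, the assignment rows use a simplified shape, and both thresholds are assumptions to replace with your own policy.

```python
from collections import defaultdict

# Constructed directory export. `userType` and `accountEnabled` follow the
# Microsoft Graph user resource; the assignment rows are a simplified shape.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@notarealdomain.com",
     "userType": "Member", "accountEnabled": True},
    {"id": "u2", "userPrincipalName": "bob@notarealdomain.com",
     "userType": "Member", "accountEnabled": False},
    {"id": "u3", "userPrincipalName": "vendor_example.org#EXT#@notarealdomain.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": True},
    {"id": "u4", "userPrincipalName": "carol@notarealdomain.com",
     "userType": "Member", "accountEnabled": True},
]
ASSIGNMENTS = [
    {"principalId": "u1", "role": "Global Administrator"},
    {"principalId": "u1", "role": "Exchange Administrator"},
    {"principalId": "u1", "role": "SharePoint Administrator"},
    {"principalId": "u2", "role": "Global Administrator"},
    {"principalId": "u3", "role": "User Administrator"},
    {"principalId": "u4", "role": "Global Administrator"},
    {"principalId": "u9", "role": "Security Administrator"},
]

def review_assignments(users, assignments, max_global_admins=2, max_roles_per_user=2):
    """Return (severity, principal, message) findings; thresholds are assumptions."""
    by_id = {u["id"]: u for u in users}
    roles = defaultdict(set)
    for a in assignments:
        roles[a["principalId"]].add(a["role"])
    findings = []
    for pid in sorted(roles):
        user = by_id.get(pid)
        if user is None:
            # Assignment points at an account missing from the export.
            findings.append(("high", pid, "role held by unknown principal"))
            continue
        upn = user["userPrincipalName"]
        if not user["accountEnabled"]:
            findings.append(("high", upn, "disabled account still holds admin roles"))
        if user["userType"] == "Guest":
            findings.append(("high", upn, "guest account holds admin roles"))
        if len(roles[pid]) > max_roles_per_user:
            findings.append(("medium", upn, f"{len(roles[pid])} admin roles on one account"))
    admins = [p for p, r in roles.items() if "Global Administrator" in r]
    if len(admins) > max_global_admins:
        findings.append(("medium", "tenant",
                         f"{len(admins)} Global Administrators, limit {max_global_admins}"))
    return findings

if __name__ == "__main__":
    for severity, principal, message in review_assignments(USERS, ASSIGNMENTS):
        print(f"[{severity}] {principal}: {message}")
```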

In smaller O365 or M365 tenants, you may not need to use the full Azure AD portal, and can instead manage users in the M365 portal.

However, exploring the "full" Entra portal at https://entra.microsoft.com is still a good idea, especially if you want to try out upcoming features in Entra ID.

To do this, use the Preview hub to learn about and turn on public preview features.

Microsoft Plans: Trial and Purchase Options

Microsoft offers three main plans for you to try or buy: Microsoft 365 for business, Microsoft 365 Enterprise E3, and Microsoft 365 Enterprise E5.

You can find these plans in the admin center, which is the common entry point for all teams and roles managing Microsoft 365. The experience, information, and controls in the admin center are tailored and customizable for each admin and role.

The admin center is where you'll also find specialist workspaces that allow for deep, granular control. These workspaces include SharePoint, Teams & Skype, Exchange, Security, Compliance, Device Management, and Microsoft Entra ID.

If you want to try out these plans or provide feedback on the admin center, you can do so directly from the page. Just select the Feedback button on the bottom of the page and use the form to send us your thoughts.

Azure Admin Management

As an Azure admin, it's essential to manage permissions effectively to avoid over-permissioning accounts. Over-permissioning raises the impact of any mistake and gives hackers wider scope to cause harm if they compromise an admin account. It also makes it harder to store personal data with integrity and confidentiality.

The admin center is the hub for managing various aspects of your Azure organization. You can find different features and settings under various menus, such as Users, Groups, Resources, and Billing.

Here's a brief overview of what you can expect to find under each menu:

Account Lifecycle Management

Effective account lifecycle management is crucial for maintaining a secure and organized Azure environment. You should update your process documentation to consider the full lifecycle of user accounts, including giving them the right licenses and adding them to the right groups.

To manage user accounts efficiently, use Access Reviews (Premium P2) to review all guest accounts in one operation. This feature helps prevent users from accumulating unnecessary access.

For smaller O365 or M365 tenants, user management can be done within the M365 portal, but exploring the full Entra portal is still a good idea. You can access it at https://entra.microsoft.com.

If you're interested in trying out upcoming features in Entra ID, use the Preview hub to learn about and turn on public preview features.

Features and Settings

The admin center is the central hub for managing your Azure environment. It's divided into various menus that help you manage different aspects of your organization.

The Home menu serves as the landing page in the admin center, where you can find links to manage users, billing, service health, and reports.

You can create and manage users in your organization through the Users menu, setting their permission level or resetting their passwords.

To manage groups, use the Groups menu, where you can create and manage groups such as Microsoft 365 groups, distribution groups, security groups, or shared mailboxes.

The Resources menu allows you to create and manage resources like SharePoint site collections.

For billing-related tasks, head to the Billing menu, where you can view, purchase, or cancel subscriptions, as well as view past billing statements or the number of assigned licenses to individual users.

If you need assistance, the Support menu is where you can view existing service requests or create new ones.

The Settings menu enables you to manage global settings for apps like email, sites, and Microsoft 365, including changing your password policy and expiration date.

The Setup menu is used to manage existing domains, turn on and manage multi-factor authentication, manage admin access, and more.

The Reports menu provides detailed reports on email use, Microsoft 365 activations, and more, helping you understand how your organization is using Microsoft 365.

You can also view health at a glance through the Health menu, which includes more details and health history.

Each admin center includes all available settings for a specific service, such as the Exchange admin center or the SharePoint admin center.

Two Dashboard Views

The Microsoft 365 admin center has two views to help you manage your Azure admin tasks efficiently.

One of these views is the simplified view, which is perfect for smaller organizations that need to manage their most common tasks.

You can switch between the two views from a button at the top of the admin center, making it easy to access the features you need.

Targeted Release

Targeted Release is a feature in Azure that allows you to control when new features are released to your organization.

To turn on Targeted release, you need to sign in at admin.cloud.microsoft and go to the navigation pane, then select Settings > Org settings > Organization profile tab.

Once you're in the Organization profile tab, you'll need to select the Release preferences card and then click on Edit.

You can choose between Targeted release for everyone or Targeted release for selected users. If you choose Targeted release for selected users, make sure to add your admin account and any other admins who want to participate to the list of selected users.

It's essential to add your admin account to the list of selected users to ensure you can participate in the Targeted release.

Azure Admin Office

Azure Admin Office is a powerful tool for managing your Microsoft 365 environment. It's essentially a centralized dashboard where you can monitor and control all aspects of your Azure and Office 365 services.

From this single location, you can access various features such as Azure Active Directory, Azure Storage, and Azure Virtual Machines. This makes it easier to manage your resources and troubleshoot issues.

As an Azure Admin, you can use the Office 365 admin center to manage your users, groups, and licenses. This includes creating and editing user accounts, assigning licenses, and managing group memberships.

Office

Office is the hub of your Azure Admin experience, and it's essential to understand its various components. The Office 365 Admin Center is the main administrative launching pad, where you can manage licenses, users, and company-wide settings.

You can access the Office 365 Security & Compliance Center from the Office 365 Admin Center, and it's a treasure trove of features, including data loss prevention, information governance, threat management, and auditing.

Within the Office 365 Security & Compliance Center, you can monitor numerous events, including logins, content sharing, and content deletion. You can also set up alerts on certain events, such as detecting malware in files or shared files.

The Office 365 Compliance Center is a new admin center that has a significant impact on your organization's compliance. You can find major compliance standards, such as ISO, HIPAA, and NIST, and create a plan to implement them.

Here are some key features of the Office 365 Compliance Center:

  • Find major compliance standards
  • Create a plan to implement compliance
  • Assign implementation and testing to a person
  • Add data labels to classify Office 365 content

The Office 365 Security Center is another crucial component, where you can view your company's Secure Score and get security recommendations based on Office 365 features and functionality. It's recommended to visit this site once a month to stay up-to-date with Microsoft's security improvements.

Language Options

The Azure Admin Office offers a wide range of language options to cater to users from diverse backgrounds.

The Microsoft 365 admin center is fully localized in 40 languages, making it accessible to users worldwide.

You can switch to a language that suits your preference, such as Arabic, Bulgarian, or Catalan, and the interface will adapt accordingly.

The admin center supports languages like Chinese Simplified and Traditional, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, Galician, German, Greek, Hebrew, Hungarian, Indonesian, Italian, Japanese, Korean, Latvian, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, Serbian (Cyrillic and Latin), Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian, and Vietnamese.

Here's a list of some of the supported languages, along with their corresponding locale codes:

Frequently Asked Questions

What is Microsoft Azure admin?

A Microsoft Azure admin is responsible for managing and monitoring cloud infrastructure, including identity, governance, storage, compute, and virtual networks. They ensure the secure and efficient operation of cloud environments.

What does a 365 admin do?

A 365 admin creates and manages user accounts, passwords, and group memberships, while also configuring security, compliance, and other settings for the organization. They oversee the entire Microsoft 365 Suite, ensuring smooth operation and optimal performance.

Who is my Azure admin?

To find your Azure admin, check the Subscriptions page in the Azure portal, select your subscription, and look under Settings > Properties. Your account administrator will be listed in the Account Admin box.

Danny Orlandini

Writer
