As an Azure AD admin, it's essential to follow best practices to ensure a secure and efficient environment. Use multi-factor authentication to add an extra layer of security to your Azure AD account.
Azure AD provides a built-in multi-factor authentication feature that can be enabled for all users. This feature requires users to provide a second form of verification, such as a code sent to their phone or a biometric scan, in addition to their password.
To configure Azure AD, start by creating a directory and registering an application. This will give you a client ID and client secret that you'll need to use in your application.
Azure AD supports multiple authentication protocols, including SAML, OAuth, and OpenID Connect. Choose the protocol that best fits your needs and configure it accordingly.
Azure AD Admin Basics
In Azure Active Directory (Azure AD), roles determine what actions users can perform on specific objects. There are two roles relevant to custom security attributes: Attribute Definition Administrator and Attribute Definition Reader.
The Attribute Definition Administrator role allows users to define a valid set of custom security attributes that can be assigned to supported Microsoft Entra objects, as well as activate and deactivate custom security attributes. This role has access to the "microsoft.directory/attributeSets/allProperties/allTasks" and "microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks" actions.
The Attribute Definition Reader role, on the other hand, allows users to read the definition of custom security attributes. This role has access to the "microsoft.directory/attributeSets/allProperties/read" and "microsoft.directory/customSecurityAttributeDefinitions/allProperties/read" actions.
As a best practice, administrators should use precise administrative roles that grant exactly the permissions each user's daily job requires, rather than working from highly privileged accounts.
General Introduction
I've spoken to many customers about Azure AD admin basics, and I've noticed that a lot of companies have a questionable security posture regarding their administrative accounts.
Many admins are using their "daily-runner" account as privileged administrators for their tenants, which is not a good practice.
Using precise administrative roles is a best practice, as it prevents headaches and ensures that admins only have the permissions they need for their daily job.
According to Microsoft Docs, there are many administrative roles to choose from, such as the Attribute Definition Administrator, which can define and manage custom security attributes.
Here are some tips to improve your admin account posture:
- Use precise administrative roles to assign the correct permissions to admins.
- Consider using Privileged Access Workstations (PAWs) for admin roles to enhance security posture.
- If you have an on-premises AD, improve your AD security by implementing a tiering model and Defender for Identity.
Losing privileged access is a big deal, and attackers love targeting privileged accounts because they give them quick and broad access to a company's important assets.
As a result, it's essential to implement controls to improve your admin account posture and prioritize privileged access management as one of your top security priorities.
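To make the "precise administrative roles" advice concrete, the following added example (not code from the page's sources or from Microsoft) picks the narrowest built-in role that covers a required set of actions. The catalog is trimmed to the action strings quoted on this page, and the wildcard semantics assumed for allProperties and allTasks, as well as the breadth heuristic, are assumptions rather than documented Entra behaviour.

```python
"""Pick the least-privileged built-in role that covers a set of required actions.

Added example, not code from the page's sources or from Microsoft. The catalog
is trimmed to the action strings quoted on this page, and the wildcard
semantics for 'allProperties' and 'allTasks' are an assumption about how
Entra ID role action strings are evaluated.
"""
from __future__ import annotations

# Constructed catalog: role name -> action strings the role grants.
# Entra action strings follow namespace/entity/propertySet/action.
ROLE_CATALOG: dict[str, set[str]] = {
    "Attribute Definition Administrator": {
        "microsoft.directory/attributeSets/allProperties/allTasks",
        "microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks",
    },
    "Attribute Definition Reader": {
        "microsoft.directory/attributeSets/allProperties/read",
        "microsoft.directory/customSecurityAttributeDefinitions/allProperties/read",
    },
    "Guest Inviter": {
        "microsoft.directory/users/appRoleAssignments/read",
    },
    "License Administrator": {
        "microsoft.directory/users/usageLocation/update",
    },
    "Password Administrator": {
        "microsoft.directory/users/password/update",
    },
}

WILDCARDS = {"allProperties", "allTasks"}


def action_covers(granted: str, requested: str) -> bool:
    """True if a granted action string covers the requested action.

    Assumed semantics: 'allProperties' matches any property set and 'allTasks'
    matches any task; namespace and entity must match exactly. Malformed
    strings (not four segments) never match, so a typo fails closed.
    """
    g, r = granted.split("/"), requested.split("/")
    if len(g) != 4 or len(r) != 4:
        return False
    if g[0] != r[0] or g[1] != r[1]:
        return False
    property_ok = g[2] == "allProperties" or g[2] == r[2]
    task_ok = g[3] == "allTasks" or g[3] == r[3]
    return property_ok and task_ok


def role_permits(role: str, requested: str) -> bool:
    return any(action_covers(a, requested) for a in ROLE_CATALOG[role])


def covering_roles(required: set[str]) -> list[str]:
    """All catalog roles that grant every required action."""
    return [role for role in ROLE_CATALOG
            if all(role_permits(role, a) for a in required)]


def privilege_score(role: str) -> tuple[int, int]:
    """Heuristic breadth of a role: wildcard segments first, then action count."""
    wildcards = sum(seg in WILDCARDS
                    for action in ROLE_CATALOG[role]
                    for seg in action.split("/"))
    return (wildcards, len(ROLE_CATALOG[role]))


def least_privileged_role(required: set[str]) -> str | None:
    """The narrowest covering role, or None when no single catalog role suffices."""
    candidates = covering_roles(required)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (privilege_score(r), r))


if __name__ == "__main__":
    needs = {"microsoft.directory/customSecurityAttributeDefinitions/allProperties/read"}
    print(least_privileged_role(needs))  # Attribute Definition Reader
```

A None result is the interesting case: no single role in the catalog covers the request, which is the signal to look for a second narrow role (or an administrative unit scope) rather than to reach for Global Administrator.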
Directory Writers
As a Directory Writer, you hold a privileged role that allows you to read and update basic information about users, groups, and service principals. This is a crucial role in Azure AD administration.
To perform these actions through an application, the app needs the right Microsoft Graph permission, specifically Directory.ReadWrite.All (the permission named in the configuration steps below). This allows it to update basic information about users, groups, and service principals.
Some of the actions you can perform as a Directory Writer include updating extension properties on applications, creating contacts, and updating basic properties on Security groups and Microsoft 365 groups. You can also create group settings, update group members, and update owners of Security groups and Microsoft 365 groups.
Here are some specific actions you can perform as a Directory Writer:
To configure the permissions for a Directory Writer, you need to follow these steps: Select API permissions, add a permission, and choose Microsoft Graph. Then, select Delegated Permissions and check the box next to Directory.ReadWrite.All. Finally, grant Admin Consent if requested.
Domain Name
As an Azure AD admin, managing domain names is a crucial part of your job. Domain Name Administrator is a privileged role that allows users to manage domain names, including reading, adding, verifying, updating, and deleting them.
Users with this role can also read directory information about users, groups, and applications, as these objects have domain dependencies. They can configure domain names for federation with on-premises environments, allowing the associated users to sign in to Microsoft Entra-based services with their on-premises passwords via single sign-on.
Here are the specific permissions associated with the Domain Name Administrator role:
Authentication Extensibility
Authentication Extensibility is a powerful feature in Azure AD that allows developers to create custom authentication extensions. These extensions are API endpoints that are registered in Microsoft Entra ID and can be used to customize an application's authentication experiences.
Custom authentication extensions can be created and managed by users with the Authentication Extensibility Administrator role. This role is privileged and should only be assigned to users who need to perform these tasks.
To create and manage custom authentication extensions, users with the Authentication Extensibility Administrator role can use the following action: microsoft.directory/customAuthenticationExtensions/allProperties/allTasks.
Application administrators and application owners can use custom authentication extensions to customize their application's authentication experiences, such as sign-in, sign-up, or password reset, by adding the custom authentication extension to the application's authentication flow.
Cloud
As an Azure AD admin, you'll likely spend a lot of time in the Cloud section of the Azure portal. This is where you manage your organization's cloud applications and services.
The Cloud section is divided into several areas, including Service Health, Support Tickets, and Web Portal. In Service Health, you can read and configure Azure Service Health, which provides insights into the health of your Azure services.
You can create and manage Azure support tickets in the Support Tickets section. This is useful for troubleshooting issues with your Azure services.
In the Web Portal section, you can read basic properties on all resources in the Microsoft 365 admin center. This includes information about your organization's users, groups, and applications.
As an Azure AD admin, it's essential to understand the permissions and roles associated with the Cloud section. The Cloud Application Administrator role, for example, grants the ability to create and manage all aspects of enterprise applications and application registrations.
Here are some key actions you can perform with the Cloud Application Administrator role:
These actions demonstrate the level of control and flexibility that comes with the Cloud Application Administrator role.
Guest Inviter
As a Guest Inviter in Azure AD, you have a specific set of permissions that allow you to manage guest user invitations. This role is crucial for organizations that collaborate with external users.
The Guest Inviter role can manage Microsoft Entra B2B guest user invitations when the "Members can invite user" setting is set to No. This means you have control over who can invite external users to your organization.
You can read application role assignments for users, which is essential for understanding their permissions and access levels. This is done through the "microsoft.directory/users/appRoleAssignments/read" permission.
Guest Inviters can also read device information for users, including their direct reports and the user that invited an external user to the tenant. This helps you understand the user's context and permissions.
Here's a summary of the permissions associated with the Guest Inviter role:
These permissions allow you to manage guest user invitations and understand the context of the users in your organization.
Permissions Management
Permissions Management is a crucial aspect of Azure AD Admin. Users with the Permissions Management Administrator role can manage all aspects of Microsoft Entra Permissions Management. This role is assigned to users who need to perform tasks such as managing permissions, policies, and assignments.
To configure permissions for your Azure AD Admin plugin, you'll need to add specific permissions. These include Directory.AccessAsUser.All, Directory.ReadWrite.All, and User.ReadWrite.All. You can do this by going to the Application menu, selecting API Permissions, and adding the necessary permissions.
The Permissions Management Administrator role grants users full permissions in Microsoft Entra Permissions Management. This includes the ability to manage all aspects of the service, including permissions, policies, and assignments.
Here's a list of permissions required for the Azure AD Admin plugin:
- Directory.AccessAsUser.All
- Directory.ReadWrite.All
- User.ReadWrite.All
These permissions are required because all actions in the plugin are user and directory operations, which are administrator tasks. By assigning these permissions, you'll be able to manage permissions, policies, and assignments with ease.
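The Directory Writer configuration steps earlier on this page and the plugin permission list above both depend on the app registration actually carrying the delegated permissions after admin consent. The following added example (not the plugin's code and not a Microsoft SDK call) inspects a Microsoft Graph access token for those permissions before the integration calls the directory, so a missing permission or missing consent surfaces as a clear error rather than a 403 from Graph. The token is constructed in-line with made-up claims and a placeholder signature; the claim names scp, roles and aud, and the two Graph audience values, are the ones Entra ID issues.

```python
"""Check a Microsoft Graph access token for the delegated permissions an
integration needs before it calls the directory.

Added example, not the plugin's code and not a Microsoft SDK call. The token
is constructed in-line (made-up claims, placeholder signature) so the check
runs offline. Delegated permissions arrive in the 'scp' claim as a
space-separated string; application permissions arrive in 'roles' as a list.
"""
import base64
import json

# Permissions listed on this page for the plugin and the Directory Writer setup.
REQUIRED_DELEGATED = {
    "Directory.AccessAsUser.All",
    "Directory.ReadWrite.All",
    "User.ReadWrite.All",
}

# Audience values Entra ID uses for tokens issued to Microsoft Graph.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    No signature check here: the caller is only inspecting a token it is about
    to present to Graph, which validates the signature itself. A resource
    server must never make authorization decisions on claims parsed this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def is_graph_audience(claims: dict) -> bool:
    """True if the token was issued for Microsoft Graph rather than another API."""
    return claims.get("aud") in GRAPH_AUDIENCES


def granted_permissions(claims: dict) -> set[str]:
    scopes = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    return scopes | app_roles


def missing_permissions(token: str, required: set = frozenset(REQUIRED_DELEGATED)) -> set[str]:
    """Permissions from 'required' that the token does not carry.

    A non-empty result usually means the permission was not added on the app
    registration or admin consent was never granted.
    """
    claims = token_claims(token)
    if not is_graph_audience(claims):
        raise ValueError("token audience is not Microsoft Graph")
    return set(required) - granted_permissions(claims)


def constructed_token(claims: dict) -> str:
    """Build a demo JWT with the given claims and a placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"placeholder-signature-not-verified")
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    demo = constructed_token({
        "aud": "https://graph.microsoft.com",
        "scp": "Directory.ReadWrite.All User.ReadWrite.All",
    })
    print(sorted(missing_permissions(demo)))  # ['Directory.AccessAsUser.All']
```

The audience check matters as much as the scope check: a token minted for a different API can carry the same-looking scope names and will still be rejected by Graph, and the `roles` branch covers integrations that run as an application (application permissions granted through admin consent) rather than on behalf of a signed-in user.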
License
License management is a crucial aspect of Azure AD administration. Users with the License Administrator role can read, add, remove, and update license assignments on users and groups.
One key responsibility of the License Administrator is managing license assignments on groups using group-based licensing. This can be done by assigning product licenses to groups.
License Administrators can also reprocess license assignments for groups. This is useful when changes need to be made to existing license assignments.
To update the usage location of users, the License Administrator can use the "microsoft.directory/users/usageLocation/update" action. This ensures that users' locations are up to date and accurate.
Here are some key actions that License Administrators can perform:
Lifecycle Workflows
Lifecycle Workflows are a crucial aspect of managing user accounts in Azure AD. They allow administrators to automate tasks and enforce business policies, ensuring compliance and reducing administrative burdens.
To create and manage lifecycle workflows, you'll need to assign the Lifecycle Workflows Administrator role to the right users. This role is privileged, so use it sparingly.
The Lifecycle Workflows Administrator can create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID. They can also check the execution of scheduled workflows, launch on-demand workflow runs, and inspect workflow execution logs.
To perform these tasks, the administrator will need to use specific actions in Microsoft Entra ID. Here are some examples:
By understanding Lifecycle Workflows and the actions required to manage them, administrators can ensure the smooth operation of their Azure AD environment.
Message Center Privacy
Message Center Privacy is a crucial aspect of Azure AD Admin Basics. It's essential to understand who can read data privacy messages and how they can access them.
The Message Center Privacy Reader role allows users to monitor all notifications in the Message Center, including data privacy messages. They receive email notifications and can unsubscribe using Message Center Preferences.
Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. This is a restricted permission to ensure sensitive information is handled carefully.
The Message Center Privacy Reader role also grants the ability to view groups, domains, and subscriptions. However, they have no permission to view, create, or manage service requests.
Here are the key actions associated with the Message Center Privacy Reader role:
Organizational Messages Approver
As an Azure AD admin, you'll likely need to manage organizational messages, which are essentially notifications sent to users in the Microsoft 365 admin center.
To do this, you'll need to assign the Organizational Messages Approver role to users who need to review, approve, or reject new organizational messages before they're sent.
These users will also need to read all aspects of organizational messages, which includes permissions to access various properties and data.
Here are the specific permissions required for the Organizational Messages Approver role:
By assigning the Organizational Messages Approver role, you can ensure that these users have the necessary permissions to manage organizational messages effectively.
Password
As an Azure AD admin, managing passwords is an essential part of your job. You can assign a privileged role called Password Administrator, which allows users to reset passwords for certain roles.
This role has limited abilities and doesn't grant the power to manage service requests or monitor service health. The ability to reset a user's password depends on the role the user is assigned.
The Password Administrator role can reset passwords for all users, thanks to the "microsoft.directory/users/password/update" action. This means you can give users with this role the ability to reset passwords across the board.
Teams Devices
As a Teams Devices Administrator, you can manage Teams-certified devices from the Teams admin center. This role allows you to view all devices at a single glance, with the ability to search and filter devices.
You can check the details of each device, including the logged-in account and the make and model of the device. You can also change the settings on the device and update the software versions.
Here are some specific actions you can perform as a Teams Devices Administrator:
As a Teams Devices Administrator, you don't have the ability to check Teams activity and call quality of the device. However, you can still manage the device's settings and software versions, making it easier to keep your Teams environment running smoothly.
Frequently Asked Questions
What is Azure AD administration?
Microsoft Entra ID (formerly Azure AD) administration involves managing identities and access for hybrid and multicloud environments to ensure secure and efficient access control.
What is Azure admin?
An Azure admin is responsible for securing and maintaining Microsoft Azure services, ensuring compliance with industry standards and regulations. They oversee access control, security updates, and threat detection to protect sensitive data.
How do I get to Azure admin?
To access Azure admin, log in to the Azure portal at https://portal.azure.com and navigate to Azure Active Directory > Roles and administrators.
Sources
- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
- https://support.perimeter81.com/docs/azure-active-directory-enterprise-application
- https://www.enowsoftware.com/solutions-engine/azure-active-directory-center/delegated-administration-with-azure-active-directory-administrative-units
- https://docs.rapid7.com/insightconnect/azure-ad-plugin-setup
- https://azvise.com/2023/04/26/10-tips-to-improve-your-administrative-accounts-posture-in-azure-ad/