Adding accounts and groups to Azure AD

First, you need to understand what accounts can be added to Azure AD. Basically, there are two types of account:

  • Cloud accounts: Accounts that are created through Azure AD or other Microsoft cloud services, such as Office 365.
  • Hybrid accounts: Accounts that are created and located in on-premises Microsoft AD DS. Those accounts are deployed through the Azure AD Connect synchronization tool.

To create cloud accounts, you have several options. Most Azure AD users start with Office 365 and do not natively add users through Azure. If you've used Office 365 before, that would be the simplest for you.

The example shown in the following screenshot guides you through how to add a user from the Office 365 preview portal through https://portal.office.com:

Alternatively, to create new users in Azure AD through the Azure portal, you need to follow these steps:

  1. Browse to https://portal.azure.com.
  2. Click on the More services option on the sidebar:
  3. The new Azure AD interface does not yet have all features enabled. Currently, it is not possible to create new Azure active directories, but you can perform most user and application operations.
  4. In addition to the new portal, Microsoft also extended user management to the Azure AD management portal. At the time of writing this book, the new user and group management is still in preview, so changes are still possible. To add or change user accounts, you now have different options. The first one is to open user and group management through the Azure AD interface:
  5. The next step is to look for Users and groups with Microsoft resources:
  6. Both ways bring you to the same blade, with options to create users and groups, as shown in the following screenshot:
  7. To add a user in the new UI, click on the All users section, as shown in the following screenshot:
  8. There, click on the +Add button and follow the instructions shown in the following screenshot:
  9. The blade will ask you to provide a username, as shown here:
     Be aware that with Azure AD free without Office 365, the username must be an email address or a Microsoft account (formerly a Microsoft Live account) to be able to receive the invitation from Azure AD.
  10. While creating the user, you have different options for pre-staging information about the user, including the First name, Last name, Job title, or Department fields, as shown in the following screenshot:
  11. With a synced AD DS and other joined services, you can change the Source of Authority option:
  12. You can also join the account directly to Azure AD groups during creation:
  13. The new UI for Azure AD includes a new option to join users as account admins (formerly known as co-administrators). To do this, change the administrator rights of the user by clicking on the relevant user to open the user blade:
  14. Then, click on the Directory role section to open the role options:
  15. Not every user needs to be a global administrator to be able to fulfill their job. In most cases, one or more of the limited administrator options should be enough:
  16. After you add the user to their admin role, you need to go to the Subscriptions section in the Azure resources:
  17. There, select the subscriptions for which the user should be the co-administrator:
  18. In the following blade, click on the Access control (IAM) section and then on the +Add button:
  19. Now, select a role for the user. To make them a co-administrator, we need to give them Owner rights:
      As an owner, they have full access to the subscription resources, which enables them to do all operations that need to be done on a subscription. As a reader, they can see billing and resources for a subscription but can't change anything inside the subscription. That is the option most billing tools, such as Microsoft Cloudyn / Azure Cost Management, Cloud Cruiser, or Azure Costs, need to create their statistics.
  20. Next, select the user or group that should have the permissions. This user can now manage the subscription.
You can also invite Microsoft accounts to your subscription without creating a user first. When it comes to best practice, or how it would be done in the field, you wouldn't add any single accounts to the subscription. You should give permission for the subscription or resource to a group, and then add users to the group.

The other option to create new users and groups is to sync them through AD DS from your connected on-premises Windows Server AD DS. To do this, you'll need an additional tool named Azure AD Connect.

From a security and compliance perspective, never synchronize the administration account to Azure AD. Leave that account for on-premises AD DS only and create cloud-only accounts in Azure AD for administrative work in Azure or Microsoft 365 Services. 
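The two practices above (grant subscription rights to groups rather than single users, and keep synced on-premises accounts out of Azure AD admin roles) can be checked from exported role data. The following is an added example, not code from the book: its field names are modelled on `az role assignment list` output and the Microsoft Graph `onPremisesSyncEnabled` user property, and all records are constructed sample data.

```python
"""Audit two practices from the text: grant subscription rights to groups, not
single users, and keep accounts synced from on-premises AD DS out of Azure AD
admin roles. Added example with constructed data, not the book's own tooling."""
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def is_subscription_scope(scope: str) -> bool:
    # '/subscriptions/<id>' itself; resource-group or resource scopes are deeper.
    parts = [p for p in scope.split("/") if p]
    return len(parts) == 2 and parts[0] == "subscriptions"

def direct_user_privileged_assignments(assignments):
    """Privileged roles granted straight to a User principal at subscription
    scope (field names modelled on `az role assignment list` output)."""
    return [a for a in assignments
            if a["principalType"] == "User"
            and a["roleDefinitionName"] in PRIVILEGED_ROLES
            and is_subscription_scope(a["scope"])]

def synced_accounts_in_admin_roles(users, admin_role_members):
    """(userPrincipalName, role) for admin-role members synced from on-premises
    AD DS; onPremisesSyncEnabled is the Microsoft Graph user property."""
    by_id = {u["id"]: u for u in users}
    findings = []
    for role, member_ids in admin_role_members.items():
        for member_id in member_ids:
            user = by_id.get(member_id)
            if user and user.get("onPremisesSyncEnabled"):
                findings.append((user["userPrincipalName"], role))
    return findings

# Constructed sample data; the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},            # flagged
    {"principalName": "sub-owners", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},            # the recommended form
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-dev"},
]
USERS = [
    {"id": "u1", "userPrincipalName": "admin@contoso.example", "onPremisesSyncEnabled": True},
    {"id": "u2", "userPrincipalName": "cloudadmin@contoso.example", "onPremisesSyncEnabled": None},
]
ADMIN_ROLE_MEMBERS = {"Global Administrator": ["u1", "u2"], "User Administrator": ["u2"]}

if __name__ == "__main__":
    for a in direct_user_privileged_assignments(ASSIGNMENTS):
        print(f"{a['principalName']} holds {a['roleDefinitionName']} directly: grant it via a group")
    for upn, role in synced_accounts_in_admin_roles(USERS, ADMIN_ROLE_MEMBERS):
        print(f"{upn} is synced from AD DS but holds {role}: use a cloud-only admin account")
```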

Azure AD Connect will integrate your on-premises directories with Azure AD. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD:

Image source: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/

Azure AD Connect is the central tool with which to implement hybrid identities in Azure, and enables you to license your software or implement identity and access management tools such as SSO, MFA, or Active Directory Rights Management Services (AD RMS).

Azure AD Connect brings five programs with different purposes:

  • Azure AD Connect: This is a configuration tool with an integrated and detailed wizard to configure Azure AD and on-premises AD DS synchronization.
  • Synchronization rules editor: This is a basic tool to configure and customize synchronizations between Azure AD and on-premises AD DS:
  • Synchronization service: The synchronization service is a tool to monitor and log synchronization between Azure AD and on-premises AD DS. You can supervise the synchronization process:
  • Synchronization service key manager: Helps you manage the security keys used to encrypt data transferred between Azure AD and on-premises AD DS:
  • Synchronization Service Web Service Configuration Manager: This came with version 1.1.189.0 of Azure AD Connect in June 2016. It is used to configure Microsoft Identity Manager (MIM) endpoints with Azure AD Connect:
Azure AD Connect and all its components are freely available and can be downloaded from Microsoft:
https://www.microsoft.com/en-us/download/details.aspx?id=47594.

You can deploy Azure AD Connect in three different ways for users. Each method provides different integration levels and is more or less dependent on your Azure AD subscription level:

The first solution is to use the Password Synchronization option. This option transfers user passwords as hashed values to the cloud. It is also the option that enables basic SSO for your users to Azure AD-based applications in your organization. This password synchronization is based only on user account and password replication, so changes within Azure AD will take some time or have to be made manually. This option is also only practical for small environments with fewer than 300 users. For larger environments, you would have too much replication traffic and too many changes within Azure AD, which would take too long. As an example, a replication of around 4,000 users could take up to 12 hours before it is visible in Azure AD:

To choose the right sign-in option for your organization, please refer to the very detailed guide on that topic here: https://blogs.msdn.microsoft.com/samueld/2017/06/13/choosing-the-right-sign-in-option-to-connect-to-azure-ad-office-365/.
  • The following screenshot shows you the tooltip you get when you hover over the question mark for the Password Synchronization option:
  • The second option is to select the new Pass-through authentication option. With this option, your AD Connect and Azure AD will not store any identity data, and they will send all requests directly to your environment. The following screenshot shows you the tooltip you get when you hover over the question mark for Pass-through authentication:
  • The third and most complex solution is to implement Active Directory Federation Services (AD FS) with Azure AD, in the interface named Federation with AD FS. That will enable full SSO and add MFA. The organizations and implementations. If you want to implement AD FS, you also need to have a public key infrastructure (PKI) and certificates from a trusted certificate authority in place. For AD FS, you need good response times, so you might need to upgrade your internet access and/or Wide Area Network connectivity. The following screenshot shows you the tooltip you get when you hover over the question mark for Federation with AD FS:
  • The fourth and easiest way is to not configure user sign-in. This option enables only license and user replication from on-premises to cloud and vice versa. There is no option to replicate passwords, and your users will not be able to sign in to or use Azure AD resources. Users would be able to use, for example, Office 365 or the Azure remote app. The following screenshot shows you the tooltip you get when you hover over the question mark for Do not configure:
  • With the new enhancements in Windows 10 and with Azure AD, you can now also configure SSO directly from your on-premises Windows systems. To enable this feature, you need to check the Enable single sign on checkbox: