This is the first section of my AZ-500 study series, covering the exam area "Manage Azure Active Directory identities". It starts with managed identities and then goes through groups, users, external identities and administrative units.
Create and manage a managed identity for Azure resources
In my example I will use Virtual Machines; the same identity types can also be enabled on SQL, App Services, Key Vault and other Azure resources.
System-assigned managed identity
Go to https://portal.azure.com and look for Virtual Machines.
Open your Virtual Machine.
Choose Identity and, on the System assigned tab, set Status to On and save.
A confirmation prompt is displayed; choose Yes. Azure creates a service principal tied to the VM's lifecycle; it is deleted when the VM is deleted and has no permissions until you assign it a role.
Enable user-assigned managed identity
User assigned managed identity can be enabled from the same place.
Choose add
You can see the identity under User assigned identities.
To enable a system-assigned identity you need the Virtual Machine Contributor role on the VM (https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor); to attach a user-assigned identity you also need Managed Identity Operator on that identity. A Global Administrator has no Azure RBAC rights on the subscription by default and must first elevate access or be granted a role such as Owner.
Using CLI
Open Cloud Shell.
Make sure You are using Bash Shell.
Type az login. (Cloud Shell is already signed in as the account that opened it; az login is only needed to sign in as a different account.)
Complete device authentication by opening the URL and entering the code.
Choose your account and continue.
When the sign-in completes, the subscription list is printed and you are back at the prompt.
Then you can add a User assigned identity to the Virtual Machine with CLI.
```bash
# Enable a system-assigned managed identity on the Virtual Machine
az vm identity assign -g myResourceGroup -n myVm

# Attach a user-assigned managed identity to the Virtual Machine
az vm identity assign -g myResourceGroup -n myVm --identities UserAssignedIdentityName

# Remove all user-assigned identities but keep the system-assigned one
# (identity.type='None' would remove every identity from the VM)
az vm update -n myVm -g myResourceGroup --set identity.type='SystemAssigned' identity.userAssignedIdentities=null
```
PowerShell
Open Azure Cloud Shell with PowerShell.
```powershell
# Add a system-assigned managed identity to a Virtual Machine
$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType SystemAssigned

# Remove the system-assigned managed identity from the Virtual Machine
# (IdentityType None removes every identity; use UserAssigned to keep user-assigned ones)
$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType None

# Add a user-assigned managed identity to a Virtual Machine
$vm = Get-AzVM -ResourceGroupName <RESOURCE GROUP> -Name <VM NAME>
Update-AzVM -ResourceGroupName <RESOURCE GROUP> -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>"

# Remove the user-assigned managed identity from the Virtual Machine
# (again, None removes all identities; use SystemAssigned to keep the system-assigned one)
$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType None
```
Templates
```json
// Add a system-assigned managed identity to a template (inside the VM resource)
"identity": {
  "type": "SystemAssigned"
},

// Removing a system-assigned managed identity from the template
{
  "apiVersion": "2018-06-01",
  "type": "Microsoft.Compute/virtualMachines",
  "name": "[parameters('vmName')]",
  "location": "[resourceGroup().location]",
  "identity": {
    "type": "None"
  }
}

// Adding a user-assigned managed identity to a template
"resources": [
  {
    // other resource provider properties...
    "apiVersion": "2018-06-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[variables('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {
      "type": "UserAssigned",
      "userAssignedIdentities": {
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
      }
    }
  }
]

// Removing a user-assigned managed identity from a template
{
  "apiVersion": "2018-06-01",
  "type": "Microsoft.Compute/virtualMachines",
  "name": "[parameters('vmName')]",
  "location": "[resourceGroup().location]",
  "identity": {
    "type": "None"
  }
}
```
Adding role assignments through a template: Assign Azure roles using Azure Resource Manager templates – Azure RBAC | Microsoft Docs
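The portal, CLI and PowerShell steps above only create the identity; it is useless (and safe) until a role is assigned, and the real check is whether the VM can actually obtain a token for the identity you intended. The following is an added example, not code from the original post: it grants the system-assigned identity a least-privilege role scoped to its own resource group, lists what the identity can do, and then (run on the VM itself) requests a token from the Instance Metadata Service and decodes the JWT payload to confirm which identity it belongs to. It assumes the Az.Accounts, Az.Resources and Az.Compute modules with an existing Connect-AzAccount session; the resource names, the Reader role and the Get-ManagedIdentityToken / Get-JwtPayload helper names are my own placeholders.

```powershell
# Added example: least-privilege role assignment for a VM identity plus an in-VM token check.
# Assumes Az.Accounts, Az.Resources, Az.Compute and an existing Connect-AzAccount session.
$rgName = 'myResourceGroup'   # placeholder
$vmName = 'myVM'              # placeholder

# 1. The identity has no Azure permissions until a role is assigned. Scope the role to the
#    resource group (or a single resource), never to the whole subscription by default.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$rg = Get-AzResourceGroup -Name $rgName
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
                     -RoleDefinitionName 'Reader' `
                     -Scope $rg.ResourceId

# Review exactly what the identity can do before handing the VM to a workload.
Get-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId |
    Select-Object RoleDefinitionName, Scope

# 2. Run the rest on the VM. IMDS is link-local, needs the Metadata header and stores no
#    secret on the machine; the token is what the workload would use.
function Get-ManagedIdentityToken {
    param(
        [string]$Resource = 'https://management.azure.com/',
        [string]$ClientId   # set this to pick a specific user-assigned identity
    )
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    if ($ClientId) { $uri += "&client_id=$ClientId" }
    (Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method Get).access_token
}

# Decode the JWT payload (second segment, base64url) to see who the token was issued to.
function Get-JwtPayload {
    param([string]$Token)
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$claims = Get-JwtPayload -Token (Get-ManagedIdentityToken)
# 'oid' must equal $vm.Identity.PrincipalId for the system-assigned identity; with -ClientId
# it must be the user-assigned identity's object ID. 'aud' is the resource you asked for.
$claims | Select-Object oid, appid, aud, exp
```

If the VM carries both a system-assigned and one or more user-assigned identities, pass the user-assigned identity's client ID explicitly; otherwise IMDS falls back to the system-assigned one and the token's oid tells you so. A new role assignment can take a short while to propagate, so an "AuthorizationFailed" immediately after New-AzRoleAssignment is not necessarily a scoping mistake.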
Manage Azure AD groups
Type Groups to search bar.
From here you can create a new group; the two group types are Security and Microsoft 365.
Security groups are used to give group members access to applications, resources and assign licenses. Group members can be users, devices, service principals, and other groups.
Microsoft 365 groups are used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.
You can assign roles to the group.
If you select Microsoft 365, this is how it looks. You have to define an email address for a Microsoft 365 group. You can also set a Sensitivity Label for the group; this is used, for example, inside Teams and SharePoint.
If you set "Azure AD roles can be assigned to the group" to Yes, that setting cannot be changed after the group is created, and such a group must have assigned (not dynamic) membership.
If you do not make the group role-assignable, you can set the membership type to Dynamic.
With dynamic groups the rule builder accepts up to 5 expressions; the rule syntax (editing the rule text directly) lets you add more than 5.
In the following example I will use the userPrincipalName attribute with the contains operator, which matches a substring of the user's UPN (the login name).
In the validation part you can choose a user to validate the rule against. I will choose my corresponding demo.user.
If I choose someone else, it will give an error.
Dynamic Device membership is available only for Security groups, not for Microsoft 365 groups.
If you open the group you just created, you will see this screen.
You can still add Azure AD roles from here, but remember that a role-assignable group cannot be reverted to a group without role assignment.
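The rule-builder limit and the role-assignable restriction are easier to see from the command line. The following is an added example, not code from the original post: it creates a dynamic security group whose rule has six expressions (more than the builder allows), confirms the group is not role-assignable, and waits for the asynchronous membership evaluation. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) with a Connect-MgGraph session holding Group.ReadWrite.All; the group name, mail nickname and the attribute values in the rule are placeholders.

```powershell
# Added example: a dynamic group whose rule exceeds the 5-expression rule-builder limit.
# Assumes the Microsoft.Graph PowerShell SDK; names and rule values are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Dynamic-membership rule syntax. The portal's rule builder stops at 5 expressions;
# the rule text itself does not, so build it as text and join the expressions.
$rule = @(
    '(user.userPrincipalName -contains "demo.")'
    '(user.accountEnabled -eq true)'
    '(user.userType -eq "Member")'
    '(user.usageLocation -in ["FI","SE","NO","DK"])'
    '(user.department -ne null)'
    '(user.jobTitle -notContains "Contractor")'
) -join ' and '

$group = New-MgGroup -DisplayName 'Nordic demo users' `
    -MailEnabled:$false -MailNickname 'nordic-demo-users' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# A dynamic group can never be role-assignable; confirm the flag is unset and the rule is live.
Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,IsAssignableToRole,MembershipRuleProcessingState |
    Select-Object DisplayName, IsAssignableToRole, MembershipRuleProcessingState

# Membership is evaluated asynchronously; poll until the first members show up.
do {
    Start-Sleep -Seconds 30
    $members = Get-MgGroupMember -GroupId $group.Id -All
} while ($members.Count -eq 0)
$members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Validating the rule against a single user, as the portal's "Validate Rules" tab does, is the quicker check while you are writing the rule; the poll above is for confirming the rule behaves the same way once it is processing the whole directory.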
Manage Azure AD users
Open https://portal.azure.com and type Users
In here You can create internal and external guest users.
You can either Create a new user or Invite a new user
You can add Azure AD roles to the user at creation time. Set a Usage location for the user as well: it is required before a license can be assigned, and it is a handy attribute for dynamic group rules.
The new user will appear as a member.
When You have a synced user, it will show as Directory synced equals Yes.
Removing a user from Azure AD is simple: just select Delete.
The user is soft-deleted and moves to Deleted users, where it stays for 30 days and is then permanently deleted. This applies to both synced and cloud-only users; 30 days is the magic limit. (A synced user should be deleted in on-premises AD, because the next sync cycle will otherwise recreate the cloud object.)
You can also restore the user manually, or permanently delete it before the 30 days are up. From Deleted users you can see both the Deletion date and the Permanent deletion date.
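The same soft-delete cycle from the command line, as an added example that is not code from the original post: delete a cloud user, refuse to do so for a directory-synced user, read the deletion timestamp to compute the permanent-deletion date, and restore the object. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules and a Connect-MgGraph session with User.ReadWrite.All and Directory.ReadWrite.All; the UPN is a placeholder.

```powershell
# Added example: soft delete, inspect the 30-day window, restore (or purge) a user.
# Assumes the Microsoft.Graph PowerShell SDK; the UPN is a placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All'

$upn  = 'demo.user@contoso.onmicrosoft.com'
$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,OnPremisesSyncEnabled

# A directory-synced user must be deleted in on-premises AD; deleting it here is undone by sync.
if ($user.OnPremisesSyncEnabled) { throw "$upn is synced from on-premises AD; delete it there." }

Remove-MgUser -UserId $user.Id

# The object is soft-deleted: same object ID, listed under deleted items for 30 days.
$deleted   = Get-MgDirectoryDeletedItemAsUser -All | Where-Object Id -eq $user.Id
$purgeDate = $deleted.DeletedDateTime.AddDays(30)
'{0} deleted {1:u}, permanent deletion on {2:u}' -f $deleted.UserPrincipalName, $deleted.DeletedDateTime, $purgeDate

# Restore keeps the object ID, group memberships and licenses.
Restore-MgDirectoryDeletedItem -DirectoryObjectId $user.Id

# To purge before the 30 days run out instead (irreversible, e.g. after an offboarding review):
# Remove-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
```

Because the restored object keeps its ID, role assignments and group memberships come back with it; if the deletion was part of an incident response, review those before restoring rather than after.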
Manage external identities by using Azure AD
If You invite a user, they will get an email saying that they are invited to join your organization.
The invitation was successful.
And user will get the invitation.
When they accept, they will be redirected to the following.
And users will be logged to myapplications.microsoft.com
You can see the user inside your own Azure AD with the issuer ExternalAzureAD (if the user's home organization uses Azure AD; for a personal account it shows MicrosoftAccount).
If the user has not accepted the invitation, you can resend it. There is also an option to reset the redemption status, but it is currently in Preview, so it will not yet be in the exam; still nice to know.
If you want to limit the External Collaboration settings, You can go to
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/AllowlistPolicyBlade
From there you can configure guest user access (what guests can see of your Azure AD objects and properties), guest invite settings (who can invite B2B users), and collaboration restrictions (which domains invitations can be sent to).
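The invite, the redemption check and the collaboration settings together, as an added example that is not code from the original post. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules and a Connect-MgGraph session with User.Invite.All, User.Read.All and Policy.ReadWrite.Authorization; the guest address and display name are placeholders. The GuestUserRoleId value is the built-in "restricted guest" level documented by Microsoft, and adminsAndGuestInviters is one of the documented AllowInvitesFrom values.

```powershell
# Added example: invite a guest, audit redemption state and issuer, tighten external collaboration.
# Assumes the Microsoft.Graph PowerShell SDK; the guest address is a placeholder.
Connect-MgGraph -Scopes 'User.Invite.All','User.Read.All','Policy.ReadWrite.Authorization'

$inv = New-MgInvitation -InvitedUserEmailAddress 'partner@fabrikam.com' `
    -InvitedUserDisplayName 'Partner Contact' `
    -InviteRedirectUrl 'https://myapplications.microsoft.com' `
    -SendInvitationMessage
"Invitation status: $($inv.Status)"   # PendingAcceptance until the guest redeems it

# Audit all guests: who never redeemed, and which identity provider each one came from
# (ExternalAzureAD for a work account, MicrosoftAccount for a personal account).
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,Mail,ExternalUserState,CreatedDateTime,Identities |
    Select-Object DisplayName, Mail, ExternalUserState, CreatedDateTime,
        @{ n = 'Issuer'; e = { $_.Identities.Issuer -join ',' } }

# Guests still pending are candidates for a resend, or for removal if the invite is stale.
$pending = Get-MgUser -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -All -Property Id,Mail,CreatedDateTime
$pending | Where-Object { $_.CreatedDateTime -lt (Get-Date).AddDays(-30) } |
    Select-Object Mail, CreatedDateTime

# External collaboration settings: only admins and the Guest Inviter role may invite, and guests
# get the restricted level (they see only their own objects, not the directory).
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' `
    -AllowInvitesFrom 'adminsAndGuestInviters' `
    -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
Get-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom, GuestUserRoleId
```

Allowed and blocked invitation domains (the "Collaboration restrictions" part of the same blade) live in a separate B2B management policy rather than in the authorization policy, so they are not covered by the last two commands.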
Manage administrative units
Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
License requirements
Using administrative units requires an Azure AD Premium P1 license for each administrative unit administrator, and Azure AD Free licenses for administrative unit members.
You create an AU from the Azure AD page (Administrative units).
You can add a user to the unit (still in preview, but not for long).
You can also add a group to the AU; if that group is dynamic it is populated automatically.
Giving Eligible or Active assignment when You have PIM enabled, I will cover PIM in the following sections.
Then You can assign the AU to an existing group.
And done.
Then, if you have a Dynamic User group with a rule on the Usage Location attribute (the one we set earlier), the group will collect all users from Finland.
You then have to wait for the group members to populate, or you can force an immediate re-evaluation by editing the rule (for example adding two spaces after it) and saving, because any rule change triggers reprocessing.
And populated!
Please, Microsoft make a button to trigger the population, it would be so much easier.
And we see Adele in the group.
Now the AU-scoped admin in Finland can manage only the users in her administrative unit, with the permissions of the role she was assigned. Note that adding a group to an AU scopes the group object itself, not its members: to let her manage Adele, Adele (or the group's members) must be added to the AU as users.
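The whole AU procedure from the command line, as an added example that is not code from the original post: create the AU, add the Finland dynamic group and its current members, assign User Administrator scoped to the AU only, and verify the scope of the resulting assignment. It assumes the Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Groups and Microsoft.Graph.Users modules with a Connect-MgGraph session holding AdministrativeUnit.ReadWrite.All, RoleManagement.ReadWrite.Directory, Group.ReadWrite.All and User.Read.All; the AU name, group names and the two UPNs are placeholders.

```powershell
# Added example: AU with a dynamic group, its members, and an AU-scoped role assignment.
# Assumes the Microsoft.Graph PowerShell SDK; names and UPNs are placeholders.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All','RoleManagement.ReadWrite.Directory',
                        'Group.ReadWrite.All','User.Read.All'

$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Finland' -Description 'Users with usageLocation FI'

# Dynamic group that collects everyone whose usage location is Finland.
$fiGroup = New-MgGroup -DisplayName 'FI users' -MailEnabled:$false -MailNickname 'fi-users' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') -MembershipRule '(user.usageLocation -eq "FI")' `
    -MembershipRuleProcessingState 'On'

function Add-AuMember {
    param([string]$AuId, [string]$ObjectPath)   # e.g. users/<id> or groups/<id>
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $AuId `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/$ObjectPath" }
}

# Adding the group scopes the group object only; its members must be AU members themselves
# before an AU-scoped admin can manage them.
Add-AuMember -AuId $au.Id -ObjectPath "groups/$($fiGroup.Id)"
Get-MgGroupMember -GroupId $fiGroup.Id -All |
    ForEach-Object { Add-AuMember -AuId $au.Id -ObjectPath "users/$($_.Id)" }

# Scoped role: User Administrator over this AU, not the whole tenant.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin = Get-MgUser -UserId 'fi.admin@contoso.onmicrosoft.com'
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $admin.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Verify: the scope must be the AU, never '/' (which would be a tenant-wide assignment).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Because the dynamic group's membership changes over time, the member loop is a snapshot; rerun it (or use dynamic AU membership rules where available) to keep the AU in step with the group.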
Currently supported scenarios
As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to:
- Create administrative units
- Add users and groups as members of administrative units
- Assign IT staff to administrative unit-scoped administrator roles.
Administrative unit-scoped admins can use the Microsoft 365 admin center for basic management of users in their administrative units. A group administrator with administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and the Microsoft 365 admin center.
End of section
That’s the first section of this exam prep series. Still eleven left.
Hopefully You enjoyed and learned what is needed.