Section 1 – Manage Azure Active Directory identities

This is the first section from study series for AZ-500 – Manage Azure Active Directory identities and starting with

Create and manage a managed identity for Azure resources

In my example I will use Virtual Machines, you can also use SQL, Applications, Key Vaults etc.

System managed identity

Go to and look for Virtual Machines.

Open your Virtual Machine.

Choose Identity and enable System managed identity.

Warning will be displayed and choose yes.

Enable user managed identity

User assigned managed identity can be enabled from the same place.

Choose add

You can see the identity under User assigned identities.

You need Virtual Machine Contributor role or Global Admin.

Using CLI

Open Cloud Shell.

Make sure You are using Bash Shell.

Type Az-Login

Make device authentication by opening the url and enter the code.

Choose your account.

And continue

And done.

Then you can add a User assigned identity to the Virtual Machine with CLI.


Open Azure Cloud Shell with PowerShell.


Adding role assignments thru a template Assign Azure roles using Azure Resource Manager templates – Azure RBAC | Microsoft Docs

Manage Azure AD groups

Type Groups to search bar.

From here You can deploy a new group and the types are security and Microsoft 365.

Security groups are used to give group members access to applications, resources and assign licenses. Group members can be users, devices, service principals, and other groups.

Microsoft 365 groups are used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.

You can assign roles to the group.

If You select Microsoft 365, this is how it look like. You have to define an email address to M365 group. You can also define a Sensitivity Label for the group. This will be used for example inside Teams and SharePoint.

And if You assign a Azure Role to a group, it cannot be changed later.

If You don’t select Azure AD roles to assign, You can have the member type as Dynamic.

With dynamic groups You can use up to 5 expressions can be added to the rule builder. The rule syntax can be used to add more than 5 expressions.

In the following example I will use UserPrincipalName attribute and contains means it’s part of the user FQDN login name.

In the validation part You can choose a user to validate if against. I will choose my corresponding demo.user

If I choose someone else, it will give an error.

You can also choose Dynamic device for the assigned Security group, not for Microsoft 365 group.

IF you open the group You just created, you will see this screen.

You can still add Azure AD roles from here but remember it cannot be reverted back to a group not having roles.

Manage Azure AD users

Open and type Users

In here You can create internal and external guest users.

You can either Create a new user or Invite a new user

You can add Azure AD roles for the user. You have to add Usage location for a user.

The new user will appear as a member.

When You have a synced user, it will show as Directory synced equals Yes.

Removing a user from Azure AD is simple, just select Delete.

And the user will go to Recycle bin, where it will stay for 30 days and then automatically deleted. This happens in both cases, with Synced or with a Cloud-based user. 30 days is the magic limit.

But You can also recycle the user by Yourself manually. In here You can also see the Deletion and Permanent deletion dates.

Manage external identities by using Azure AD

If You invite a user, they will get an email saying that they are invited to join your organization.

Invitation was succesfull.

And user will get the invitation.

When they accept, they will be redirected to the following.

And users will be logged to

And You can see the user inside Your own Azure AD with an issuer ExternalAzureAD (if the users has Azure AD in use, if not it will be MicrosoftAccount)

And if the users hasn’t accepted the invitation, You can resend it. There is currently an option for resetting the status but it’s currently in Preview so it won’t yet be in the test but nice to know.

If you want to limit the External Collaboration settings, You can go to

From there You can Guest user access to Your Azure AD objects and properties, Guest Invite Settings (Who can invite B2B users) from where You can invite them (Domains)

Manage administrative units

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.

License requirements

Using administrative units requires an Azure AD Premium P1 license for each administrative unit administrator, and Azure AD Free licenses for administrative unit members.

You can create AU in Azure AD page.

You can add a user to the unit (still in preview but not for long)

Assign the AU with a group that will be automatically populated.

And add roles.
Administrative units apply scope only to management permissions. They don’t prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin’s administrative units are filtered out. But you can browse other users in the Azure portal, PowerShell, and other Microsoft services.

Adding a role to a user in the AU.

Giving Eligible or Active assignment when You have PIM enabled, I will cover PIM in the following sections.

Then You can assign the AU to an existing group.

And done.

Then if You have a Dynamic User group that has a filter for Usage Location attribute (the mandatory one that we defined earlier) and this group will populate all user from Finland.

And You have to wait the group members to populate or You can just add whitespace (two spaces) behind the rule to run it immediately, instead of waiting for it to populate.

And populated!

Please, Microsoft make a button to trigger the population, it would be so much easier.

And we see Adele in the group.

Now we can allow the AU admin in Finland to edit attributes that are assigned to her Administrative Unit role.

Currently supported scenarios

As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to:

  • Create administrative units
  • Add users and groups members of administrative units
  • Assign IT staff to administrative unit-scoped administrator roles.

Administrative unit-scoped admins can use the Microsoft 365 admin center for basic management of users in their administrative units. A group administrator with administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and the Microsoft 365 admin centers.

End of section

That’s the first section of this exam prep series. Still eleven left.

Hopefully You enjoyed and learned what is needed.

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *