Section 2 – Implement an Identity Management Solution – Create, configure, and manage identities – Users, groups and licenses

In this section I will cover the following:

  • create, configure, and manage users
  • create, configure, and manage groups
  • manage licenses

Azure AD Users

  • Cloud-only identities – These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself. Their source is Azure Active Directory, or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory.
  • Directory-synchronized identities – These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users into Azure AD. Their source is Windows Server AD.
  • Guest users – These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts, such as an Xbox LIVE account. Their source is Invited user.

How to create users?

You can add cloud identities to Azure AD in multiple ways:

  • Syncing an on-premises Windows Server Active Directory
  • Using the Azure portal
  • Using the command line
  • An IAM solution, e.g. Saviynt or Okta

Using the Azure AD portal

Inside the Azure portal you can create or invite a user.

You will also be asked about the user's role, password and location.

Using M365 Portal

You can also create a user from the M365 admin center.

In the M365 admin portal it’s mandatory to provide a location and to choose a license or leave the user unlicensed.

You can also provide the optional info.

I don’t actually know why the location is mandatory inside the M365 admin portal but not in Azure, because the location defines a lot of different settings for your user identity anyway, and the user ends up in the same Azure AD regardless of the solution you created them from.

Usage location is used at least in the following:

  • UsageLocation attribute
  • PreferredLanguage attribute

Usage location is what is checked when assigning a license to a user. Some services in Microsoft 365 are not available in certain countries, and the Microsoft backbone services determine this with the help of UsageLocation. So this property must be populated before a license can be assigned, even inside the Azure portal.

Created users

At the end you can see both of the users in both portals.

User management inside the Azure portal

You have similar functions inside both admin portals, but some parts are more prominent inside M365.

User management inside the M365 portal

For example user-owned applications such as OneDrive and EXO are shown up front, but most of the controls are the same, just in different places.

License assignment in M365 admin portal

Easy as A, B and C.

Thanks Mr. Automation

License assignment in Azure portal

Omg, it failed.

So, why is that? Ah yes, it was the UsageLocation attribute not being populated.

Go to edit the user and choose a location.

Let’s try again, success!
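The same procedure from the command line (one of the creation options listed above), as an added example that is not part of the original post: create a cloud-only user with UsageLocation populated up front, verify the attribute before touching licenses, and then assign the license. It assumes the Microsoft Graph PowerShell SDK; the UPN, initial password, usage location and SKU part number are placeholders you replace with your tenant's values.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK; UPN, password, country code and SKU below are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$upn = 'test.user@contoso.example'          # placeholder UPN
$passwordProfile = @{
    Password                      = 'PLACEHOLDER-initial-password'
    ForceChangePasswordNextSignIn = $true   # user must rotate it at first sign-in
}

# UsageLocation is set at creation time so the license assignment below cannot
# fail the way the portal assignment did.
$user = New-MgUser -DisplayName 'Test User' -UserPrincipalName $upn `
    -MailNickname 'test.user' -AccountEnabled `
    -PasswordProfile $passwordProfile -UsageLocation 'FI'

# Re-read the user and check the attribute before assigning anything; this is
# the check the Azure portal does not do for you.
$check = Get-MgUser -UserId $user.Id -Property Id, UsageLocation
if ([string]::IsNullOrEmpty($check.UsageLocation)) {
    Update-MgUser -UserId $user.Id -UsageLocation 'FI'
}

# Look up the SKU by part number and make sure a seat is actually available.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK'   # placeholder SKU
if (-not $sku) { throw 'SKU not found in this tenant' }
if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) { throw 'No free seats for this SKU' }

# Assign the license. DisabledPlans lets you license only part of the SKU,
# which is what unticking services in the M365 admin center does.
Set-MgUserLicense -UserId $user.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# Confirm what the user now holds.
Get-MgUserLicenseDetail -UserId $user.Id | Select-Object SkuPartNumber
```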

Azure AD Groups

Group types

  • Security – Used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. By doing it this way, you can give a set of permissions to all the members at once, instead of having to add permissions to each member individually. A security group can have users, devices, groups and service principals as its members and users and service principals as its owners.
  • Microsoft 365 – Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. A Microsoft 365 group can have only users as its members. Both users and service principals can be owners of a Microsoft 365 group.

Membership types

  • Assigned. Lets you add specific users to be members of this group and to have unique permissions. For the purposes of this article, we’re using this option.
  • Dynamic user. Lets you use dynamic membership rules to automatically add and remove members. If a member’s attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added) or no longer meets the rule requirements (is removed).
  • Dynamic device. Lets you use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added) or no longer meets the rule requirements (is removed).

How to manage groups inside the Azure portal?

When you open the Groups tab in Azure, you will see the following.

You have the following General settings available.

There are also settings for expiration.

And for the naming policy.

So inside the Azure portal there are a ton of options for groups.

What about Microsoft admin portal?

You won’t find the same kind of settings inside the M365 admin portal.

What are the differences?

Inside the Azure portal you can create M365 and Security groups.

Inside the M365 admin portal you can create a lot more.

But inside Azure you can assign Azure AD roles directly from the creation menu, or even create a dynamic group with a user filter.

But when you assign a role, you can only use the Assigned membership type, and the group type will be converted to Security.

On the other hand, inside the M365 admin portal you can create a Teams-enabled group.

And choose whether you want a Teams channel to be created.

Finding the groups

M365 admin portal

Azure Portal

That was groups and how to handle them inside the different admin portals.

Azure AD Licenses

These are the base-level service plans included in every Azure or Microsoft 365 license option.

  • Azure AD Free
  • Azure AD Premium P1
  • Azure AD Premium P2

How to manage licensing?

Azure portal

Inside the Azure portal you can associate a group with a license.

You can choose which apps to license, or just license them all.

You can see under the group which licenses it has.

M365 admin center

The first notable thing is that you cannot assign licenses to a group through the M365 admin center.

Instead you have to open Licenses.

Then search for the user and assign the full license or part of it.

Azure portal Group-based licensing

When you assign a user to a group that has licensing enabled,

they will get the licenses applied automatically. Yes, I don’t currently have enough licenses, but you get the big picture.

In the Azure portal you also have a nice little page for licenses that provides all the nice little info.

You can also enable self-service sign-up for licenses.

Removing the license

License removal is a straightforward process in both portals.

M365 admin portal

Search for the user and unassign the license.

Azure portal

Search for the user and select the license.

Then choose Remove license.

Group-based licensing

Either remove the user from the group that has the license assigned,

or remove the group license assignment if it’s not needed anymore.

When you search for the user: magic!

Licenses that a user inherits from a group can’t be removed directly. Instead, you have to remove the user from the group from which they’re inheriting the license.

When an on-premises user account synced to Azure AD falls out of scope for the sync or when the sync is removed, the user is soft-deleted in Azure AD. When this occurs, licenses assigned to the user directly or via group-based licensing will be marked as suspended rather than deleted.

You can also use dynamic group membership and extension attributes to help with licensing automation. Dynamic groups give multiple ways to extend the group usage.
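The group-based licensing flow described above (a dynamic user group keyed on a directory attribute, a license attached to the group, and the inherited-versus-direct distinction that decides how a license can be removed), as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK and an Azure AD Premium P1 tenant (dynamic groups and group-based licensing are P1 features); the department value and SKU part number are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK; the department value and SKU part number are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All', 'User.Read.All'

# Dynamic membership rule: every enabled user in the Sales department.
# Membership is re-evaluated by the service, so leavers drop out of the group
# (and lose the inherited license) without anyone editing the group.
$rule = '(user.department -eq "Sales") and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName 'LIC-Sales-M365' -MailNickname 'lic-sales-m365' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Group-based licensing: the SKU is attached to the group, not to each user.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK'   # placeholder SKU
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# Audit helper: for each member, list every license with its origin and state.
# AssignedByGroup is set for inherited licenses (removable only by leaving the
# group or unassigning the group) and empty for direct ones (removable on the
# user). State/Error surface problems such as no free seats or a missing
# UsageLocation instead of leaving the user silently unlicensed.
function Get-LicenseOrigin {
    param([string]$GroupId)
    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object {
        $u = Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName, LicenseAssignmentStates
        foreach ($state in $u.LicenseAssignmentStates) {
            [pscustomobject]@{
                User   = $u.UserPrincipalName
                SkuId  = $state.SkuId
                Source = if ($state.AssignedByGroup) { 'group' } else { 'direct' }
                State  = $state.State   # 'Active' or 'Error'
                Error  = $state.Error   # e.g. 'CountViolation', 'ProhibitedInUsageLocationViolation'
            }
        }
    }
}

# Dynamic membership takes a few minutes to populate after creation.
Get-LicenseOrigin -GroupId $group.Id | Format-Table -AutoSize
```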

Things to remember

User identity types:

  • Cloud-only identities 
  • Directory-synchronized identities
  • Guest users

How to create users:

  • Syncing an on-premises Windows Server Active Directory
  • Using the Azure portal
  • Using the command line
  • An IAM solution, e.g. Saviynt or Okta

Usage location is needed to assign licenses.

Group membership types:

  • Assigned
  • Dynamic user
  • Dynamic device


Author: Harri Jaakkonen
