
Module 02 - MW11D Intune - Azure Active Directory

This document provides an overview of Azure Active Directory (Azure AD), detailing its editions, components, identity scenarios, and management tasks. It also covers Intune roles, role-based access control, and basic configuration steps for mobile device management. Additionally, the document outlines the integration of Azure AD with Microsoft Entra and highlights key features such as device management and company branding options.

Uploaded by

jaysla2009

Azure Active Directory - Overview
Microsoft Services, Version 2306

Module Overview
• Lesson 1: Azure Active Directory Introduction
• Lesson 2: Intune Roles and Role Based Access
• Lesson 3: Intune Basic Configuration Steps
Lesson 1: Azure Active Directory
• Editions
• Components
• Identity scenarios
• Management tasks and delegation
• Groups
• Branding options
Microsoft Entra - Azure Active Directory
• Azure AD is part of the Microsoft Entra product family
• Family of multicloud identity and access products to secure access in a connected world
Azure Active Directory Editions
• Free: 500,000 objects, directory sync
• Office 365 Apps (included with Office 365): group based management, SLA, Application Proxy, branding
• Premium P1 (included with EMS E3): device writeback, self-service, AAD Join, auto MDM, device-based/location-based conditional access
• Premium P2 (included with EMS E5): identity protection, privileged identity management
Azure Active Directory Components
• Security Token Services (EvoSTS/OrgID): authentication requests, token requests, federation metadata discovery
• Identity and Management Services (IAM): directory management, web UI, self-service password reset
• Microsoft Online Directory Service (MSODS): AD/LDS datastore, accessed by LDAP, replicated worldwide
Identity / Authentication Scenarios
• Cloud user: independent cloud identity
• Password hash sync: user account synced to AAD, password hash stored in AAD (*optional: enable seamless sign-on)
• Pass-through authentication: user account synced to AAD, AAD Connect responsible for authentication (*optional: enable seamless sign-on)
• Federation: user account synced to AAD, on-prem ADFS infrastructure required
(The slide marks one of these scenarios as the one used in this workshop.)
Configure your devices for Azure AD
• Use Azure AD registered for Windows 10/11, iOS, Android, macOS and Linux (soon) devices
  • For personal devices to support Bring Your Own Device (BYOD) scenarios
  • To manually register devices with Azure AD
• Use Azure AD joined for Windows 10/11 devices
  • For devices that are owned by your organization
  • For devices that are not joined to an on-premises AD
  • To manually register devices with Azure AD
• Use Hybrid Azure AD joined for Windows 10/11 and down-level devices such as Windows 8.1
  • For devices that are owned by your organization
  • For devices that are joined to an on-premises AD
  • To automatically register devices with Azure AD
PowerShell / Graph API
• Module “[Link]“
  • Based on the Microsoft Authentication Library (MSAL)
  • PowerShell *-mg* Cmdlets
• Module “Azure AD”
  • Based on ADAL
  • Is deprecated and retired
Azure AD – Entra Portal Overview
• Users and groups
  • Manage user and group objects and memberships
• Devices
  • Manage AAD join permissions / additional administrators, …
• Billing
  • Manage licensing, …
• Protect & secure
  • Configure Conditional access, authentication methods, …
• User experiences
  • Manage company branding
Azure AD - Basic Role Separation
• Regular User
• Global administrator
  • Has access to all administrative features
  • Can be delegated subscription permission as well
• Role administrator
  • Permissions for single tasks or services
  • Intune related roles
AAD Join – Local Administrators Group
• AAD Join process adds the following security principals
  • The Azure AD global administrator role
  • The Azure AD joined device local administrator role
  • The user performing the Azure AD join
• Device Administrator Role
  • Assigned to all AADJ devices
  • Updating members has no immediate impact on devices
  • Dependent on PRT refresh and sign-out / sign-in process
Groups - Group Types
• Used for policy / app assignment
• Assigned
  • Static membership
• Dynamic
  • Membership based on AAD query

„Advanced rule“ examples:

([Link] -eq "Windows") -and ([Link] -
Groups – Cloud Groups for Role Assignment
• Minimize efforts to grant roles permissions
• AAD premium license needed
• PIM can be used
• Max 500 role assignable groups in a tenant
• Only static membership supported
• No group nesting supported
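As an added example (not part of the deck), the following Microsoft Graph PowerShell SDK script (the *-Mg* cmdlets mentioned earlier) inventories the tenant's role-assignable groups, the directory roles each one holds and its members, and reports headroom against the 500-group limit. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the two read-only scopes.

```powershell
# Added example, not from the deck: audit role-assignable cloud groups with the
# Microsoft Graph PowerShell SDK (MSAL-based *-Mg* cmdlets). Read-only scopes only.
# Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes 'Group.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$limit  = 500   # tenant-wide cap on role-assignable groups, as stated on the slide
$groups = Get-MgGroup -Filter 'isAssignableToRole eq true' -All `
                      -Property Id, DisplayName, GroupTypes

$report = foreach ($g in $groups) {
    # Role-assignable groups must use static membership; flag any that is dynamic.
    $dynamic = $g.GroupTypes -contains 'DynamicMembership'

    # Resolve the active directory role assignments of this group to role names.
    # Only active assignments are returned here; PIM-eligible ones are not listed.
    $roleNames = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($g.Id)'" -All |
        ForEach-Object {
            (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
        }

    # Members come back as generic directory objects; their attributes sit in AdditionalProperties.
    $members = Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object {
        $p = $_.AdditionalProperties
        if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
    }

    [pscustomobject]@{
        Group       = $g.DisplayName
        Roles       = ($roleNames -join '; ')
        MemberCount = @($members).Count
        Members     = ($members -join '; ')
        Dynamic     = $dynamic   # expected to be $false for every role-assignable group
    }
}

$report | Sort-Object Group | Format-Table Group, Roles, MemberCount, Dynamic -AutoSize

# Findings worth a second look: groups that carry Global Administrator, and the
# remaining headroom against the tenant limit.
$report | Where-Object { $_.Roles -match 'Global Administrator' } |
    ForEach-Object { Write-Warning "Global Administrator via group '$($_.Group)': $($_.Members)" }
Write-Host ("{0} of {1} role-assignable groups in use" -f @($groups).Count, $limit)
```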
Windows 10/11 Subscription Activation
• Automatically step up from “Pro” to “Enterprise”
• Eliminate product key (no MAK, no KMS)
• Deploy Windows 10/11 license
Lesson 2: Intune Roles and Role Based Access
• Intune Roles
• Scope Tags
Intune - Management Roles
• Intune built-in roles
• Custom roles configurable
Role Based Access Control
• Roles define the set of permissions
• Assignments define member group, scope group and tag
• Intune Role – Permissions: Android for Work, Audit Data, Corporate Device Identifiers, Device Compliance Policies, Device Configurations, Device Enrollment Managers, Endpoint Protection Reports, Enrollment Programs, Intune Data Warehouse, Managed Apps, Managed Devices, Mobile Apps, Organization, Policy Sets, Remote Assistance, Remote Tasks, Roles, Security Baselines, Security Tasks, Telecom Expenses, Terms and Conditions
• Assignment
  • Members: users having this role
  • Groups (scope group): policies, apps and tasks of users and devices of that scope group
  • Scope Tags: objects having this scope tag assigned are visible
Scope Tags
Characteristics
• Are assigned to management objects
• Define which objects admins can see
• Devices can be tagged automatically based on groups
• New objects will inherit the scope tag of the creating admin account
• Default scope tag is automatically added to untagged objects
Scoped Resources - Example
(Screenshots: unrestricted view on apps vs. “scoped” view on apps)
Lesson 3: Intune Basic Configuration Steps
• MDM Enrollment
• Local Administrators
• Licensing
• Branding Options
Basic Intune Configuration Steps I
• Allow Azure AD join
• Enable automatic MDM enrollment
Basic Intune Configuration Steps II
• Manage members of the local administrators group
  • Globally by the “Azure AD Joined Device Local Administrator” role, or
  • By profile assignment (Account Protection profile, LocalUsersAndGroups CSP)
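As an added example (not from the deck), this script audits the local Administrators group on an Azure AD joined Windows device against an allow-list, classifying the Azure AD principals that the join process and the local administrator role add, and then shows the join/PRT state that governs when membership changes actually take effect. It assumes an elevated PowerShell session on the device and that the allow-list values are replaced with your own.

```powershell
# Added example, not from the deck: audit local Administrators on an AADJ device.
# Run elevated on the device; uses the built-in Microsoft.PowerShell.LocalAccounts module.

# Allow-list of principals expected to be local admins. Placeholder values (assumption):
# replace with the names exactly as Get-LocalGroupMember prints them for your tenant.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator"   # built-in local account
    # 'S-1-12-1-...'                    # hypothetical: your tenant's role SIDs
    # 'AzureAD\alice@contoso.example'   # hypothetical: an approved Azure AD user
)

$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    # Azure AD roles (global administrator, device local administrator) appear as
    # S-1-12-1-* SIDs; Azure AD users appear as AzureAD\<name>.
    $kind = switch -Regex ($m.Name) {
        '^S-1-12-1-' { 'Azure AD role or object SID' }
        '^AzureAD\\' { 'Azure AD user (e.g. the account that performed the join)' }
        default      { "$($m.PrincipalSource) principal" }
    }
    [pscustomobject]@{
        Name     = $m.Name
        Class    = $m.ObjectClass
        Kind     = $kind
        Expected = ($ExpectedAdmins -contains $m.Name)
    }
}

$report | Format-Table -AutoSize
$unexpected = $report | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning ("Unexpected local administrators: " + ($unexpected.Name -join ', '))
}

# Membership changes made in Azure AD only land after the PRT is refreshed and the
# user signs out and back in; dsregcmd shows the join state and whether a PRT exists.
dsregcmd /status | Select-String 'AzureAdJoined|AzureAdPrt '
```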
Basic Intune Configuration Steps III
• Configure licensing – by group
• Configure licensing – individually
Windows Data Collection Processes
• Health Monitoring
  • Endpoint Analytics
• Windows Updates
  • Sends update data to Intune for reporting
• Windows data and Windows license verification
  • Windows feature update device readiness report
  • Windows feature update compatibility risk report
Company Branding Options Windows 10
(Screenshot with numbered callouts; title text comes from the tenant property)
Company Branding Options Windows 11
(Screenshot with numbered callouts)
Company Portal
Main user interface
• Align branding colors / logo
• User can manage devices
• Show privacy data
• Sync policies, install apps
• Check compliance
• Get diagnostic data
Enrollment Notifications
• Notify employees of newly enrolled devices
• Push notifications appear in the Intune Company Portal apps for iOS/iPadOS, macOS, and Android (on users' other devices)
• Email notifications appear in the user's inbox
• Subset of HTML tags is supported for email notification
• Plus, branding and additional customization options
Device cleanup rules
• Intune task (not AAD) to clean stale/inactive devices
• Number of days: 30 - 270


Lab: Configure Azure Active Directory Environment
Module Summary
• Understand Azure Active Directory editions
• Understand Azure Active Directory high-level architecture
• Understand basic configuration required for Mobile Device Management
© 2023 Microsoft Corporation. All rights reserved.