Microsoft Entra / Azure AD 2 0 explained with full demo (2023)

Entry

It is advertised as Directory of Kings or Azure Active Directory 2.0. Whatever you think, this is a major update with an almost completely new UI. In this session, join me on my journey through Microsoft Entra. Here you will learn not only about the new features, but also where everything is located and works. If you are an IT professional or are seeking certification, this is an invaluable reference. In this session, we'll cover users and groups, apps, security, and more. Trust me, it's 30 minutes you can't miss.

More information about me can be found atwww.Andymalone.org

Other videos you might like

More tenantsyoutu.be/AI_wCumE5RY
Conditional Accessyoutu.be/CJtiPSMwxfM
Azure AD structureyoutu.be/GbntYTbXLHc
Microsoft 365 Groupyoutu.be/aBf1c6uKNUQ

Video

And it was called the register of kings. Azure Active Directory has a new look, it's now called Microsoft Enter, but I like to think of it as Azure Ad 2.0.

How it's working? What can I do? Stay with us? You've come to the right place, welcome my fellow YouTubers Andy, Malone and Microsoft MBP to this episode.

Thought I'd take a look at what I'm calling Azure Active Directory 2.0 or as you may know when Microsoft comes out it's going to be going through a lot of changes and I have to admit it's going to be a lot newer is the admin type.

The center looks pretty good right now, so I thought I'd walk you through the various settings so you know exactly where everything is. I've got a really cool demo here, so make sure you follow it to the end, because I guarantee you'll learn something.

If you haven't subscribed to the channel yet, we appreciate subscribers, so go ahead.

Click the Subscribe button, click the bell and you will be notified of new videos. If you have any questions or comments, not only about this but also about my other sessions, I love them so please post them below.

And if you like the session click the button above it really makes a difference on my channel so I guess without further ado let's start the demo and start learning, have fun so I'll be here. Start in the Microsoft admin center and before you see we have three main components here, now Enter consists of three products.

The first is Azure Active Directory Permissions Management, formerly known as Cloud Knox, and here we also have a verified ID.

The first is Azure, Active Directory, and I'll go to the overview page. This one was recently updated and what used to be many, many tabs is now nicely grouped on each page.

Notice that the layout is increasingly reminiscent of Microsoft 365, and you can expand and contrast the menu accordingly. So instead of having multiple tabs, Microsoft has grouped everything into one kind in a way that makes it easy to find things right here in the overview pane.

You can add here.

We have a few shortcuts again.

Users, groups, business applications, you can also register an application here. If you work with multiple tenants like many of you, and I did a session on this, check it out on my YouTube channel. Click the link below to learn how to manage multiple tenants here.

What's new, we will come back here again, you can also enable the preview features, which can also be found in the preview center in the settings page.

Yes, this is a review hub. The latest features can be found here. Additionally, some features are currently in public preview and can be turned on or off accordingly.

Okay, besides, we have a few different cards here.

Therefore, the overview only provides a high-level overview of the entire Azure Active Directory.

Below you will get your newsfeed where you are currently logged in.

Shortcuts are available here so you don't have to navigate through all those menus, you can create groups and users right from there.

Additionally, if you want to search for something in your tenant, you can search here.

So if I had a user named Jean-Luc, for example Picard and I, we can just type in the username here and we can start and it will find it for me, so that's a real time saver. We also have different monitors here.

This will keep you updated on your results. There are or will be several tabs that you can configure.

The properties page will show how many logins you have had, etc.

You can also change the name of the tenant here.

Again, you can change the language and, very importantly, especially for things like Powershell.

You will have your own unique tent ID which you can copy again.

You can perform these other functions here, which again is fine.

You also have Azure, sorry, and access management, and you can turn that back on.

If you want to um, you got it, it always attracts people.

Default security settings have now been moved to properties.

the site sees this because a lot of people miss it and what it actually does.

That's perfect, um, let's say you're support for example.

Pro: You have a customer who just signed up for Microsoft 365. So you haven't set up Conditional Access.

They didn't set any security rules or anything like that.

It's perfect. Enabling this option defines a number of default settings for the user.

It's almost like a basic security plan.

The downside, if you prefer, is that you already have security for your user.

By enabling this option, you set conditional access, set rules, etc.

This will delete them, so be very careful with that.

Then we have recommendations.

I like it again, Microsoft will make recommendations on a regular basis.

It's kind of like you know, sure score and what not, and then again things like performance recommendations.

Again, it's just a new tenant.

There's not much going on here at the moment as I've mentioned several times on my channel that Microsoft has moved or moved all of its learning content to Microsoft, Learn or Learn.microsoft.com and you can access various videos and train here.

So if you want to know what your Active Directory looks like, here are a whole bunch of tutorials that I think you will find useful. So let's go back to the user area: here we have all the users.

Users removed. So when you delete a user account, it is usually deleted and placed in the trash for up to 30 days.

This is of course true, unless you suspend that user again, um, they will be able to log in to Dell.

There have been a few changes here recently, so I can access Adele's features here and see what access she has. I can see her login logs, if she communicates with third parties, hm, I can also edit her properties by clicking this button here or this button here, I also go into edit mode.

Can you arrange it then? The user will also notice that useful things are shown to me here, e.g. when the user last logged in and can.

You can also change the user type here.

So you can see that Adele is currently a member of this Azure Active Directory, but you can also classify her as a guest account.

This is especially useful if, for example, Adele is leaving the company and perhaps joining as an artist.

You'll also notice that we have a whole bunch of fields that are related to the user's workplace in some way, and if you're in hybrid mode, you'll also notice that we have several fields.

So if you've implemented things like Azure or Ad Connect and those fields are filled, you're back.

Here you can go through each section and enter this information in the settings.

They know the language, they have it locally, or they just have generic properties there, um.

Note that when you occasionally create a new user in Microsoft 365, if I just scroll back here and go back to my overview and go back to my users, the guest account is missing.

So instead of creating a guest you are basically now inviting an external user so I can invite them and send the invite to the external user.

This could be a customer, co-worker or someone outside of the company.

This is a really cool feature here.

Note that we also have access to various logs here.

So again, it's all about saving time and speeding things up.

Umm, here you also have access to user settings.

This way you will see that the menu options are the same and you just choose the option that suits you. So here in user settings we can choose.

Do you know if you will allow users to register apps and restrict admins? Who can create tenants? Do you also use LinkedIn integration? You can show users to stay logged in by showing options for users to stay logged in. Surely you've seen that when you sign in to Microsoft 365, the message "Do you want me to sign in again?" pops up. ? This may or may not be an option for you.

If you were at the bank, maybe it wouldn't be like this.

Here you can also manage the settings for cooperation with external users, although I must admit that it is much simpler.

Imagine you now have a complete category of external identities. Everything related to external identities is now available, so in groups and groups of listeners.

Of course, I can manage all my groups here, i.e. create a new group here and there, as before.

I can rename the group and decide what type of group it is.

If you can use an assigned group, "Assigned" means I can manually assign a member to that group as well as assign an owner. The owners are especially helpful.

So if someone leaves the group or the groups are deleted, the owner can come in and recover some of the data related to the authentication types. Because it's a security group, you can add assigned dynamic users or dynamic devices, and dynamic membership is basically role-based.

So if I change this group to a Microsoft 365 group and give it a name, say Toronto Accounts, I can access the accounts here.

They may include the description you'll see, your email address, and your ad.

Do you want to assign an ad role to this account so that I can assign it later, for example, an administrator account?

If he wants.

Note that this only works with signed registration.

So if you change it to "Dynamic" it won't work anymore. Okay, for the purposes of this demonstration, I'll show you a dynamic user.

Now you will notice that dynamic devices are only available in security groups, so I can come here and select a dynamic user.

So a really cool feature is that I can assign a sensitivity tag to a tag.

So if you use tagging and classification, this is a super cool feature.

Note that there is a small bug in this interface, but you can't fix it.

So if I accidentally click on it, you can't delete it.

You have to do it with Microsoft.

365.

I can also assign an owner to this group.

So again I only have one admin so I select it and say "Dynamic Membership" so I put a dynamic rule so I can select a property here and say "Hey".

You know if the city is the same uh drummer and you're probably wondering where is Tromsø it's in Norway and I might even add one more and say "Hey if the department is let's say accounting ok so the rule dynamic and ". This is called ABAC attribute-based authentication. Now when I click on it, it creates this group. Now I have created a dynamic group.

So if I go back to one of my user accounts here and just scroll down and access Jean Luke's account here, I have a little problem with that.

Of course everyone knows about it and I edit Jean-Luc's properties and all I have to do is come here and I can change it.

It's Tromso, so that's an introduction.

What department will he work in? So I can go back to the section where it was for sale. I'll change it so it's now in accounting and your Luka is now a member of the accounting group in Microsoft 365 and of course this particular Microsoft 365 group.

You can also encourage this to become a Microsoft team.

Okay, again, there are really powerful, really useful features.

OK, all group functions are here.

So remember again: you can re-set restrictions on who can re-create groups.

You can also board here.

Here you can set expiration dates for specific Microsoft groups, for example a Microsoft 365 group.

You can set an expiration date within 30 days of that date, which is 30 days in a six-month period.

If no one is using it, it will now be deleted when it detects if the AI ​​detects group movement.

Of course, only the counter is reset and everything goes on as usual.

You have other stuff here.

You can create a naming policy, so things like group name, you can create a prefix, so OSL sales, OSL marketing and foreword, suffix so sales, OSL tagging, editing, OSL and so on.

Um, you can just leave it.

The other thing you have here is access.

Ratings and Access.

Reviews are great because you remember when we had classic systems, so you sign someone up in a group and two years later.

you would go

Oh my god, you're still a member.

So here you can, and basically, do a sparse access scan.

You still need access to that resource, so Microsoft is grouping there as well. Note that we also have devices, so I don't have them here.

However, if you have both hybrid and Intune devices in your organization, you'll see a nice list of all your devices.

You can manage device settings here and there, and if it's a Windows, 10, or 11 device, you can also store BitLocker recovery keys here.

So if something goes wrong with your devices, you can return them.

Of course, in applications, in business applications, it's very cool.

These days we don't go to the local computer store for apps, everything is in the cloud.

Well, you can come here.

You can say, "Hey, you know, I want to buy an application, and of course Azure is a multi-cloud platform."

So you can buy apps from any of these providers and you have little choice here, but seriously, there are thousands of apps to choose from. Ok, when you find a suitable app, you just add it. For example, here is Zoom, you go in and add. I can assign it to specific users and groups.

You can do things like single sign-on. Are you going to use Saml Um, ADF or something like that? Or do you need a simple password based password or just want to bind it to an account or user account?

So you can do something like this.

OK, you can also make the app self-service - and this is especially useful if, for example, you've developed an app for the public and use client-based authentication - and that's great, but give it a try.

How

Here you get not only the app, but also access to things like conditional access.

So again you can create a Conditional Access rule. Basically you are saying that these users can only access this app if they are using a specific device in a specific location. Absolutely amazing so check out the apps.

One cool thing to definitely keep in mind is business apps.

One of the things I'm always asked about is Andy.

And if we have the app installed, can I still use it? So definitely continue? You can download the connector.

This is called downloading a proxy app, connecting to the local server where the app is located, and basically right after waking it up.

Once active.

Then you just need to set up the application and the applications will be published in the application launcher or what I call it.

Waffles and apps just pop up here.

So all kinds of third-party apps you see will show up in the app launcher, which is worth its weight in gold by the way, ahem.

This is the launcher for applications, roles and administrators.

So when you create a user account here, it's basically just a user, so the user doesn't have any admin privileges.

So in Azure Admin Center we have literally hundreds of different administrative roles.

When you first look at them, it can be a bit overwhelming and you'll think, "Oh my god, I don't have to remember all of that, do I?" This is why! Actually the short answer is "No, don't do that", but if for example I have team admin privileges, I don't want to give global admins to too many people. Since Global Administrator is a very powerful role, you're trying to make it more role-based.

Again, "Teams" is an example where you have several different roles, so a general Teams admin would get that role, but perhaps you have a junior in your IT team who is only responsible for setting up Teams devices. Let's say they are in charge: You can assign an admin role to your Teams device.

It's a great feature by the way, so we have other really useful roles.

So if you want to give a user the right to add, configure, license users and groups, etc., and you don't want him to be a global admin, you should give him the user admin role again.

Really nice so be sure to check the cash register. I think you can guess what it is.

Um, I mentioned the review center.

If you want to add your own custom domain name you can do it again here and I covered it in previous sessions um one more thing Mobility so my tenant has an E5 and Emns license so you can see I have set up Microsoft or Intune or Endpoint Manager for Mobility here. In the old portal it was security and now it is a protection and security portal.

So you can come here and set up Conditional Access and Identity Protection policies. Again, I have covered all these topics in detail here.

Um, in the last few sessions, um, you too.

It's pretty cool.

You actually get the identity value as well.

So it shows you that you're coming as a result, and it's not that good.

Is that really the point, but it sure has some recommendations and it basically doesn't use or use multi-factor authentication.

Of course, multi-factor authentication can reduce password-based system attacks, which is why they need a device.

You may need to collect biometrics, but that stops simple password hacking up to 99%. Enable this feature.

Okay, so be sure to listen to the recommendations here and other things.

Here you can also set up multi-factor authentication and choose different types of authentication.

So again we have one time password which is currently being verified, we also have certificate based authentication, hm you have voice authentication and call authentication, you can go in and deploy for example Microsoft authenticator app or even fido keys.

You know this because if you use things like passwordless authentication, we also have password reset here, so you can enable self-service and password reset and just select user groups.

This is especially useful if you have Azure Ad Premium and Azure Ad Connect and you just re-enabled your password.

This will then save it back to your local Active Directory.

You also have things like identity, management and access, reviews, and privileged identity management, which is a way to ensure timely access to admin roles.

Okay, by the way, I covered all of this in sessions - and you can find these videos on my YouTube channel, usually on topics related to security and compliance or identity.

It's really nice to see everything related to external identities.

So I can go in here and set things like access settings for multiple pools and tenants.

I can specify external collaboration settings.

By the way, this is very important, especially for security reasons.

What level of restrictions do you want your guests to have? For example, do you want them to have full team membership rights or just limited access, so make sure you check out these menu items here, very important: Okay, um, user experience.

If you sign in to Azure or Microsoft 365, you can customize this.

So you can add your beautiful corporate background.

You can bring your own photos.

You can customize the text, which is nice, and by the way, it's also called company branding.

This is a premium feature if Azure Ad Connect is requested.

So if you're trying to connect to a local environment, it becomes even easier.

Now you have two main products, so just connect sync to know that sync connection is traditional Azure Ad Connect.

I can come here, download it, deploy it, or you can use a cloud sync tool.

So if you want to know more about it check out my identity and my playlist. All these topics are covered there.

Finally, you have Monitoring and Health, and this is where you can go in and monitor all your login logs.

You can also monitor things like audit logs and really get an idea of ​​what's really going on, and of course we look for login errors if it's a specific user.

Where is the user from so you can tell if it's a suspected hacker or something? Okay, log analysis workloads and stuff.

Very useful.

I also love the usage and insights.

So it's great for all your uses.

It shows how many successful logins there have been, and by the way, if someone has not logged in, it can be very useful for troubleshooting. It also gives you an idea of ​​how popular the product is and whether or not the product is popular - and you realize, hey, I'm paying a lot of money for this.

You may not have the appropriate license.

Here is a brief overview of Microsoft Enter or Azure Ad Mark II.

If you want. Hey, listen

I really hope you enjoyed this week and if you hit the Like button it will really change my feed.

If you have any questions, ask them below. I love questions, and if you haven't subscribed yet, hit the subscribe button and ring the bell above and you'll be notified of all new updates.

That's it for this time. I really appreciate you dropping by and it's good to see you're safe. Until next time. Hi, hey, thanks! That's it for today's visit.

Here are some videos you might like. If you're already here, hit the subscribe button so you don't miss anything.