AZ104 by Mind Map: AZ104

1. Entra ID

1.1. Creating Users, Guest accounts, and Bulk Updates

1.1.1. Creating Users

1.1.1.1. Can auto-generate a password or set a custom one to share with the user. Either way, require a password change at first sign-in and hand the initial secret over out of band (not in the same email as the username).

1.1.1.2. Can add user to Group(s) and assign roles

1.1.1.2.1. Assigning Roles

1.1.1.2.1.1. Purpose: grant permissions for administrative actions within Entra ID (directory roles). These are distinct from Azure RBAC roles on subscriptions and resources.

1.1.1.2.1.2. Scope: administrative access and management tasks. Assign the least-privileged role that covers the task; Global Administrator should be the exception, not the default.

1.1.1.2.1.3. Types of roles: Built-in roles, i.e. predefined roles such as Global Administrator, User Administrator, or Application Administrator. Custom roles, i.e. roles you define with specific permissions tailored to your needs (requires Entra ID P1).

1.1.1.2.2. Assigning Groups

1.1.1.2.2.1. Purpose: organize users and grant access to resources or manage settings collectively.

1.1.1.2.2.2. Scope: resource access or configuration.

1.1.1.2.2.3. Types of groups: Security groups, used to manage access to resources such as SharePoint, Teams, or applications and as targets for Azure RBAC and Conditional Access. Microsoft 365 groups, used for collaboration, including shared mailboxes, calendars, and OneDrive.

1.1.1.3. Can block sign-in during account creation (Account enabled = No), which is useful for pre-staging accounts before a start date.

1.1.1.4. Can download all existing users as a .csv file.

1.1.2. Creating guest account

1.1.2.1. Invite an external user (B2B guest) for contractors, temporary staff, etc. Guests authenticate with their home identity and keep their external email address. They can be granted access to resources much like a member user, but by default the guest object has restricted directory permissions (limited visibility of other users and groups), and whatever access they are granted should be reviewed periodically.

1.1.3. Bulk Updates

1.1.3.1. Bulk create users or bulk invite guests by uploading a .csv file (the portal provides a template to download; bulk delete is CSV-based as well).
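The three creation paths in 1.1 (member user with a forced first-sign-in password change and optional blocked sign-in, a B2B guest invitation, and bulk creation from a CSV) as one added example using the Microsoft Graph PowerShell SDK. This is not code from the mind map; the tenant domain, group name, guest address and CSV layout are assumptions.

```powershell
# Added example (not from the original mind map): member user, guest invite and bulk
# create with Microsoft Graph PowerShell. Assumed: domain contoso.onmicrosoft.com,
# group "Finance-Readers", CSV .\new-hires.csv with columns DisplayName,Upn,Department.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "User.Invite.All"

# Initial password from the OS CSPRNG rather than a guessable pattern like Welcome2024!
function New-InitialPassword {
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # 24 random bytes -> 32 Base64 characters; append a digit and symbol so any
    # complexity policy is satisfied regardless of what Base64 happened to produce.
    return ([Convert]::ToBase64String($bytes) + "9!")
}

function New-StagedUser {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Upn,
        [string[]]$GroupIds = @(),
        [switch]$BlockSignIn          # 1.1.1.3: pre-stage the account disabled
    )
    $password = New-InitialPassword
    $user = New-MgUser -DisplayName $DisplayName `
        -UserPrincipalName $Upn `
        -MailNickname ($Upn.Split('@')[0]) `
        -AccountEnabled:(-not $BlockSignIn) `
        -PasswordProfile @{
            Password                      = $password
            ForceChangePasswordNextSignIn = $true   # the initial secret is single-use
        }
    foreach ($gid in $GroupIds) {                    # 1.1.1.2: group membership
        New-MgGroupMember -GroupId $gid -DirectoryObjectId $user.Id
    }
    # Return the password once so it can be handed over out of band; never write it to a log.
    [pscustomobject]@{ Id = $user.Id; Upn = $Upn; InitialPassword = $password }
}

# 1.1.1: a single member user, added to an (assumed) existing group, sign-in blocked
$financeGroup = Get-MgGroup -Filter "displayName eq 'Finance-Readers'"
New-StagedUser -DisplayName "Alex Wu" -Upn "alex.wu@contoso.onmicrosoft.com" `
    -GroupIds $financeGroup.Id -BlockSignIn

# 1.1.2: B2B guest invitation; the guest keeps their external email address
New-MgInvitation -InvitedUserEmailAddress "contractor@partner.example" `
    -InvitedUserDisplayName "Contractor (Partner)" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage:$true

# 1.1.3: bulk create from the assumed CSV, staging every account disabled
Import-Csv -Path ".\new-hires.csv" | ForEach-Object {
    $u = New-StagedUser -DisplayName $_.DisplayName -Upn $_.Upn -BlockSignIn
    Update-MgUser -UserId $u.Id -Department $_.Department
    $u | Select-Object Upn, Id        # output identifiers only, not the password
}
```

The scopes requested on `Connect-MgGraph` are the minimum for the three operations; run the script under an account whose directory role is itself scoped (User Administrator rather than Global Administrator).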

1.2. Create Groups

1.2.1. Security Group

1.2.1.1. Security Group: manages access to Azure resources (Azure RBAC assignments, Conditional Access targeting, application assignment). No collaboration tools. Membership can be assigned (static) or dynamic.

1.2.1.2. Security group membership types

1.2.1.2.1. Assigned

1.2.1.2.2. Dynamic User

1.2.1.2.3. Dynamic Device

1.2.2. Microsoft 365 group

1.2.2.1. Microsoft 365 Group: used for collaboration. Creates shared resources (mailbox, Teams, SharePoint). Supports external guest access. Can contain only user accounts, not devices, so dynamic membership for these groups is user-based only.
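The group types from 1.2 side by side, as an added example (not from the mind map): an assigned security group, a dynamic-user and a dynamic-device security group, and a Microsoft 365 group, created with Microsoft Graph PowerShell. Group names and membership rules are illustrative assumptions.

```powershell
# Added example (not from the original mind map): the membership types in 1.2.1.2 and
# a Microsoft 365 group via Microsoft Graph PowerShell. Names/rules are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# 1.2.1.2.1 Assigned: static membership, managed explicitly (no GroupTypes value)
$assigned = New-MgGroup -DisplayName "SG-Finance-Readers" -MailNickname "sg-finance-readers" `
    -SecurityEnabled:$true -MailEnabled:$false -GroupTypes @()

# 1.2.1.2.2 Dynamic User: membership derived from user attributes (needs Entra ID P1)
$dynUsers = New-MgGroup -DisplayName "SG-Finance-Dynamic" -MailNickname "sg-finance-dynamic" `
    -SecurityEnabled:$true -MailEnabled:$false -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.department -eq "Finance") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "On"

# 1.2.1.2.3 Dynamic Device: membership derived from device attributes
# (trustType "AzureAD" = Entra joined, so BYOD-registered devices are excluded)
$dynDevices = New-MgGroup -DisplayName "SG-Corp-Windows-Devices" -MailNickname "sg-corp-win" `
    -SecurityEnabled:$true -MailEnabled:$false -GroupTypes @("DynamicMembership") `
    -MembershipRule '(device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAD")' `
    -MembershipRuleProcessingState "On"

# 1.2.2 Microsoft 365 group: "Unified" type, mail-enabled, users only
$m365 = New-MgGroup -DisplayName "Finance Team" -MailNickname "finance-team" `
    -SecurityEnabled:$false -MailEnabled:$true -GroupTypes @("Unified")

# Dynamic rules are evaluated asynchronously; check the processing state before
# relying on the membership for an RBAC assignment or a Conditional Access policy.
Get-MgGroup -GroupId $dynUsers.Id -Property id,displayName,membershipRule,membershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Caveat: anyone who can edit the attribute a rule keys on (user.department here) can
# move themselves into the group, so build rules only on attributes that admins or the
# HR sync control, never on user-editable fields.
```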

1.3. Managing licenses

1.3.1. Types of licenses

1.3.1.1. Free

1.3.1.1.1. Entra ID Free: basic features (SSO, user and group management, MFA for all users through security defaults; no Conditional Access).

1.3.1.2. Entra ID Premium P1

1.3.1.2.1. Entra ID P1: adds Conditional Access, dynamic groups, SSPR with on-premises password writeback, and policy-driven MFA for all users. (Included in M365 E3.)

1.3.1.3. Entra ID Premium P2

1.3.1.3.1. Entra ID P2: adds Identity Protection (risk-based policies), Privileged Identity Management (PIM), Access Reviews, and other advanced security features. (Included in M365 E5.)

1.3.1.4. Microsoft 365 Licenses (Indirect Entra ID Access)

1.3.1.4.1. Microsoft 365 E3: Includes Entra ID Premium P1.

1.3.1.4.2. Microsoft 365 E5: Includes Entra ID Premium P2

1.3.1.4.3. Microsoft 365 Business Premium: Includes selected features of P1.

1.4. Create Administrative Units

1.4.1. Administrative Units (AUs): logical containers used to delegate administrative control over specific subsets of users, groups, or devices. They are not organizational units (OUs) like in on-premises Active Directory.

1.4.2. Purpose: Scoped admin rights for departments, regions, or teams.

1.4.3. Limitations: roles assigned at AU scope apply only to the objects (users, groups, devices) within that AU, and AUs cannot be nested. A user, group, or device can be a member of more than one AU. Adding a group to an AU scopes management of the group object itself (name, membership), not of the users inside the group. Device and group management through AUs is more limited than user management.

1.4.4. Use Case: Granular admin delegation for large organizations.

1.4.5. Licensing: each administrator assigned an AU-scoped role needs an Entra ID P1 (or higher) license; AU members do not.

1.4.6. Key Features: scoped role delegation, dynamic membership rules for users and devices, and restricted management AUs, in which objects can be modified only by administrators explicitly assigned a role at that AU's scope, not by holders of tenant-wide roles (useful for protecting break-glass or executive accounts).
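The delegation flow in 1.4 (create the AU, populate it, then assign a built-in role scoped to the AU instead of the whole tenant) as an added example with Microsoft Graph PowerShell. It is not code from the mind map; the AU name, the usageLocation filter used to pick members, and the helpdesk UPN are assumptions.

```powershell
# Added example (not from the original mind map): scoped delegation with an AU.
# Assumed: AU "AU-EMEA", members selected by usageLocation DE, helpdesk account UPN.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1.4.1 create the container
$au = New-MgDirectoryAdministrativeUnit -DisplayName "AU-EMEA" -Description "EMEA users"

# Populate it: every user whose usage location is DE (assumed selection criterion)
$members = Get-MgUser -All -Filter "usageLocation eq 'DE'" -Property id,userPrincipalName
foreach ($m in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($m.Id)" }
}

# 1.4.2/1.4.3 assign User Administrator scoped to the AU, not to "/" (tenant-wide).
# Look the role up by name instead of hard-coding its template id.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$helpdesk = Get-MgUser -UserId "emea.helpdesk@contoso.onmicrosoft.com"

New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $helpdesk.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Verify the scope: a DirectoryScopeId of "/" would mean the delegation leaked to the
# whole tenant, which is the mistake this whole feature exists to prevent.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($helpdesk.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The helpdesk account can now reset passwords and edit attributes for AU-EMEA members only; if a group is later added to the AU, the same role lets the helpdesk edit that group object but gives no rights over the group's members (1.4.3).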

1.5. Manage User and Group properties

1.5.1. Common User Management Tasks

1.5.1.1. Reset passwords

1.5.1.2. Assign licenses

1.5.1.3. Enable/disable user accounts

1.5.1.4. Manage user attributes (e.g., job title, department, UPN)

1.5.2. Self-Service Password Reset (SSPR)

1.5.2.1. Allows users to reset their own passwords without helpdesk involvement.

1.5.2.2. Licensing: reset for cloud-only users is included in several Microsoft 365 plans; password writeback for hybrid users requires Entra ID P1 or higher.

1.5.3. User Creation Methods

1.5.3.1. Azure Portal / Entra admin center: manual creation.

1.5.3.2. PowerShell: New-MgUser from the Microsoft Graph PowerShell SDK. The older AzureAD module (New-AzureADUser) is retired, so existing scripts should be migrated to the Graph SDK.

1.5.3.3. Azure CLI: az ad user create.

1.5.3.4. Bulk operations: import users via CSV files.
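The routine tasks listed in 1.5.1 (attribute update, license assignment, admin-driven password reset, disable) for one existing user, as an added example with Microsoft Graph PowerShell rather than code from the mind map. The UPN and the SKU part number are assumptions; the point a practitioner should take away is that disabling an account does not end its existing sessions by itself.

```powershell
# Added example (not from the original mind map): common user management tasks (1.5.1)
# with Microsoft Graph PowerShell. Assumed: the UPN below and SKU AAD_PREMIUM (Entra P1).
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$upn  = "alex.wu@contoso.onmicrosoft.com"
$user = Get-MgUser -UserId $upn -Property id,usageLocation,accountEnabled

# 1.5.1.4 attribute update (UPN changes also go through Update-MgUser -UserPrincipalName)
Update-MgUser -UserId $user.Id -JobTitle "Analyst" -Department "Finance"

# 1.5.1.2 license assignment: usageLocation must be set before any SKU can be assigned,
# and -RemoveLicenses is mandatory even when empty.
if (-not $user.UsageLocation) { Update-MgUser -UserId $user.Id -UsageLocation "US" }
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "AAD_PREMIUM"
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 1.5.1.1 admin-driven reset: random temporary password that must be changed at sign-in
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$temp = [Convert]::ToBase64String($bytes) + "9!"
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $temp
    ForceChangePasswordNextSignIn = $true
}

# 1.5.1.3 disable on offboarding or compromise. Disabling alone leaves refresh tokens
# valid, so revoke sign-in sessions as well; access tokens already issued still live
# until they expire (about an hour), which is why Conditional Access and CAE matter.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id
```

For licenses, group-based licensing (assigning the SKU to a security group) scales better than per-user `Set-MgUserLicense` and keeps the assignment in step with group membership.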

1.6. Manage device settings and device identity

1.6.1. Device Identity Types

1.6.1.1. Microsoft Entra registered (formerly Azure AD registered): BYOD, personal devices. The user signs in with a local or personal account and adds a work account.

1.6.1.2. Microsoft Entra joined (formerly Azure AD joined): cloud-managed, organization-owned devices. Users sign in with their Entra ID credentials.

1.6.1.3. Microsoft Entra hybrid joined: devices joined to on-premises AD and also registered in Entra ID through Entra Connect, so domain-joined machines can satisfy device-based Conditional Access.

1.6.2. Device Settings: allow/block who can register or join devices, set the maximum number of devices per user, and define cleanup rules for stale devices.

1.6.3. Device Management: view, enable/disable, and delete devices in the Azure Portal / Entra admin center or with PowerShell (Get-MgDevice, Update-MgDevice); Intune adds compliance and configuration management on top.

1.6.4. Conditional Access: device-based grant controls (require compliant device, require Microsoft Entra hybrid joined device) evaluate the device identity, so a device that is neither registered nor joined cannot satisfy them and is blocked.
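Device hygiene and device-based Conditional Access from 1.6 as one added example (not from the mind map): inventory devices by identity type, disable (rather than delete) devices that have not signed in for 90 days, and create a report-only policy that requires a compliant or hybrid-joined device. The 90-day threshold, the pilot and break-glass group placeholders, and the policy name are assumptions.

```powershell
# Added example (not from the original mind map): device inventory, stale-device cleanup
# (1.6.2/1.6.3) and a device-based CA policy (1.6.4). Threshold, group ids and policy
# name are assumptions; replace the <...> placeholders with real object ids.
Connect-MgGraph -Scopes "Device.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1.6.1 inventory by identity type. trustType: Workplace = registered (BYOD),
# AzureAd = joined, ServerAd = hybrid joined.
$devices = Get-MgDevice -All -Property id,displayName,trustType,isCompliant,approximateLastSignInDateTime,accountEnabled
$devices | Group-Object TrustType | Select-Object Name, Count

# 1.6.2/1.6.3 cleanup rule: disable devices silent for 90+ days. Disabling keeps the
# object for investigation but stops the device from satisfying a device-based grant.
$cutoff = (Get-Date).AddDays(-90)
$stale  = $devices | Where-Object {
    $_.AccountEnabled -and $_.ApproximateLastSignInDateTime -and
    $_.ApproximateLastSignInDateTime -lt $cutoff
}
foreach ($d in $stale) {
    Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
}
"Disabled $(@($stale).Count) stale devices"

# 1.6.4 require a compliant OR hybrid-joined device for all cloud apps, scoped to a
# pilot group, in report-only mode so the sign-in logs show the impact before enforcement.
# Always exclude the break-glass accounts so a device-policy mistake cannot lock admins out.
$policy = @{
    displayName = "CA-Require-Compliant-Device-Pilot"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @("<pilot-group-object-id>"); excludeGroups = @("<break-glass-group-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Move the policy to `enabled` only after the report-only results show no unexpected failures for the pilot group; `domainJoinedDevice` is the API name for the "Require Microsoft Entra hybrid joined device" control shown in the portal.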

1.7. Configure self-service password reset (SSPR)

1.7.1. SSPR: allows users to reset their passwords independently.

1.7.1.1. Tools: Entra admin center (Protection > Password reset) or Microsoft Graph PowerShell for the registration reports. The device cmdlets (Get-AzureADDevice, now Get-MgDevice) and Intune belong to device management (1.6.3), not to SSPR.

1.7.2. Authentication Methods: email, mobile phone, security questions, or Microsoft Authenticator. Security questions are the weakest option and are not available to administrator accounts; require at least two methods so a single compromised mailbox or SIM swap is not enough to reset a password.

1.7.3. Configuration: enable SSPR for none, selected (a single group), or all users; define the number of methods required to reset; and enforce registration at sign-in (with an optional reconfirmation interval).

1.7.4. Password Writeback: pushes cloud resets back to on-premises AD for hybrid users (requires Microsoft Entra Connect, formerly Azure AD Connect, plus Entra ID P1).

1.7.5. Monitoring: use the Password Reset Activity report and the registration reports in the Azure Portal / Entra admin center to see who has registered, which methods they use, and who is resetting passwords.
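SSPR readiness audit for 1.7.3 and 1.7.5, as an added example (not from the mind map) built on the authentication-methods registration report in Microsoft Graph PowerShell: it lists users who are enabled for SSPR but not registered, and users whose only registered methods are weak. The list of methods treated as strong is an assumption for this example, not a Microsoft classification.

```powershell
# Added example (not from the original mind map): SSPR readiness from the user
# registration details report. The $strong list is this example's own assumption.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 1.7.3: in scope for SSPR but not registered yet. With "require registration" on they
# will be prompted at next sign-in; either way, they are the enrolment campaign target.
$notRegistered = $details | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered }

# 1.7.2 caveat in practice: registered, but only with phone/email/security questions.
# A SIM swap or a compromised personal mailbox is then enough to reset the password.
$strong = @("microsoftAuthenticatorPush", "softwareOneTimePasscode", "fido2", "windowsHelloForBusiness")
$weakOnly = $details | Where-Object {
    $_.IsSsprRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -in $strong })
}

# Admin accounts with security questions registered should not exist (the method is
# unavailable to admins); any hit here indicates a role was added after registration.
$adminWithQuestions = $details | Where-Object { $_.IsAdmin -and ($_.MethodsRegistered -contains "securityQuestion") }

[pscustomobject]@{
    Total              = @($details).Count
    NotRegistered      = @($notRegistered).Count
    WeakMethodsOnly    = @($weakOnly).Count
    AdminWithQuestions = @($adminWithQuestions).Count
}

$weakOnly | Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }
```

Run this before switching the SSPR scope from a pilot group to all users (1.7.3): the `WeakMethodsOnly` count tells you how many accounts the rollout would make resettable through a single phone number or mailbox.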