In the last section, we introduced Entra ID (formerly Azure AD), the core identity solution behind the Microsoft 365 ecosystem, which enables administrators to create and manage users and group properties. The AZ-104 certification hones the skills required to navigate through Azure Active Directory proficiently, focusing on managing user attributes and group properties. Since we saw how to create users and groups and the different types of groups in Azure and Microsoft 365, let’s now see how to manage user and group properties.

AZ-104 core competencies around managing users and groups

The AZ-104 certification encompasses various roles and responsibilities, including managing Azure identities and governance, implementing and managing storage, deploying and managing Azure compute resources, and more.


One of the core requirements of this role involves managing Azure AD, where administrators manage users, groups, and devices. These tasks help secure access to resources.

Azure Users: Management and Access Control

Managing users in Azure AD involves many tasks, including:

  • Creating new users
  • Assigning roles
  • Managing group membership and registered devices
  • Managing access to applications and resources

The Azure portal allows administrators to add members, assign users to groups, and define membership based on dynamic group rules. Administrators often use Microsoft Entra Connect (formerly Azure AD Connect) to synchronize users from on-premises Windows Server Active Directory Domain Services in a hybrid identity solution.


This synchronization between on-premises Active Directory and Azure AD is very common, and many organizations use it to implement single sign-on (SSO) between on-premises and cloud resources. It also keeps attributes such as the user’s job title or department consistent between AD DS and Azure AD. Note that synchronization is one-way by default: the on-premises directory is the source of authority, so synchronized attributes are read-only in the Azure portal and must be changed in AD DS, after which Entra Connect propagates the change to the cloud.

Azure AD Group Management Capabilities

In Azure AD, group management is normally performed by accounts holding the Groups Administrator or Global Administrator role, which configure group properties and membership to meet organizational needs. Following least privilege, routine group work should be done with Groups Administrator (or group ownership) rather than Global Administrator. Groups are extremely important in Azure and Microsoft 365, because they are the unit of collaboration between members across Microsoft 365 services.

The groups administrator can create a new group, manage group memberships, edit the group description, and configure dynamic membership rules, while the global administrator has a broader scope, managing all aspects of Azure AD, including user, groups, and group settings.
Admins performing group management do the following:

  • Create groups
  • Set group type configuration
  • Configure nested groups hierarchy
  • Manage group email addresses

Understanding Management Groups

Azure management groups provide a level of scope above subscriptions. Each management group and each subscription can have only one parent, while a management group can have many children (nested management groups or subscriptions). This enables a flexible hierarchy for organizing subscriptions and managing access, policy, and compliance across them.

In an environment with many Azure subscriptions, organizations want an efficient way to manage access, policies, and compliance across all of them, including subscriptions that are created or moved into the hierarchy later.

Management groups provide a governance layer above subscriptions and enable organizations to organize subscriptions into these groups. The governance conditions applied to a management group are inherited by all related subscriptions, ensuring consistent policy application.
Below is a high-level look at Azure management groups (they are an Azure Resource Manager construct rather than an Entra ID object, but every subscription in the hierarchy is tied to one Entra ID tenant):

Management groups

Management groups enable enterprise-level management at scale, applying to any subscription. All subscriptions within a single management group must trust the same Azure Active Directory (Azure AD) tenant.

For example, if a policy is applied to a management group restricting the available regions for virtual machine (VM) creation, this policy applies to all nested management groups, subscriptions, and resources, limiting VM creation to only the approved regions.
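The region restriction described above, carried out in PowerShell as an added example (this is not code from the original article or from Microsoft): it creates a management group under the tenant root, moves a subscription into it, assigns the built-in “Allowed locations” policy at management-group scope, and then verifies that the assignment is visible from the subscription, which is where inheritance is observed. It assumes the Az.Accounts and Az.Resources modules, an account with sufficient rights at the root management group, and the hypothetical management group name, subscription ID, and region list shown.

```powershell
# Added example (not from the original article): policy inheritance through a management group.
# Assumes Az.Accounts and Az.Resources are installed and the signed-in account can create
# management groups and policy assignments at the tenant root.
Connect-AzAccount

$mgName = 'mg-production'                               # hypothetical management group name
$subId  = '00000000-0000-0000-0000-000000000000'        # hypothetical subscription ID
$tenantId = (Get-AzContext).Tenant.Id

# The tenant root management group is named after the tenant ID
$rootId = "/providers/Microsoft.Management/managementGroups/$tenantId"
$mg = New-AzManagementGroup -GroupName $mgName -DisplayName 'Production' -ParentId $rootId

# A subscription has exactly one parent; this moves it under the new management group
New-AzManagementGroupSubscription -GroupName $mgName -SubscriptionId $subId

# Built-in "Allowed locations" definition (this definition ID is the same in every tenant)
$def = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'

# Assign at management-group scope so every nested subscription and resource inherits it
New-AzPolicyAssignment -Name 'allowed-locations' `
    -DisplayName 'Restrict resource regions' `
    -Scope $mg.Id `
    -PolicyDefinition $def `
    -PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westus2') }

# Verify inheritance: listing assignments at the subscription includes those that
# apply from parent management groups, so 'allowed-locations' should appear here
Get-AzPolicyAssignment -Scope "/subscriptions/$subId" |
    Where-Object Name -eq 'allowed-locations'
```

After the assignment propagates, a VM deployment to a region outside the list is denied at the subscription level even though nothing was assigned there directly; removing the subscription from the management group removes the inherited restriction with it.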

Viewing and updating user properties in Azure AD

Administrators typically navigate the Azure portal to view all user properties in Azure AD. Administrators can view and manage various properties by selecting a specific user, including the user’s job title, email address, group memberships, and more.

Below is a view of an Azure Active Directory user and the Overview tab.

Azure Active Directory

Azure admins can update the following configuration settings for a user:

  • Profile: View and change details such as the user’s name, user type, and job information here
  • Assigned roles: Here, you can see every role assigned to the account, whether they’re currently active, eligible, or have expired
  • Administrative units: This spot shows the Administrative Units (AUs) that include the user
  • Groups: This area shows which Azure AD groups the user is a member of
  • Applications: Look here to see which application assignments the user has
  • Licenses: This part shows which licenses are assigned to the user’s account right now
  • Devices: This area shows which devices are linked to the user’s account and details like whether they’re Azure AD joined
  • Azure role assignments: Here, you can see the Azure RBAC roles assigned to the account and the scope of each (subscription, resource group, or individual resource)
  • Authentication methods: This section shows the methods registered for Multi-Factor Authentication (MFA), such as phone numbers, email addresses, and authenticator apps. You can also require the account to re-register for MFA or revoke its current MFA sessions here

Updating User Attributes in Azure AD

Azure AD user attributes can be updated through the Azure portal, where administrators can modify properties like the user’s job title, email address, and more. Generally, you will need to click the “pencil” icon next to the configuration to edit properties.

Under the user properties page, you will see the editable properties with the pencil icon.

Azure AD user attributes

Alternatively, you can click the Edit properties button.

AZ-104

It will then take you to the edit properties page directly.

Microsoft Entra

Additionally, Azure AD user attributes can be updated in bulk by combining a CSV file with PowerShell to process many users in one run. Below is a snippet of PowerShell code from the Microsoft Tech Community site that loops through a CSV and updates each user’s department and telephone number. It uses the legacy AzureAD module, which Microsoft has deprecated in favour of Microsoft Graph PowerShell:

# Connect to Azure AD
Connect-AzureAD

# Get CSV content (expected columns: UserPrincipalName;Department;TelephoneNumber)
$CSVrecords = Import-Csv C:\Temp\Test.csv -Delimiter ";"

# Create arrays for skipped and failed users
$SkippedUsers = @()
$FailedUsers = @()

# Loop through CSV records
foreach ($CSVrecord in $CSVrecords) {
    $upn = $CSVrecord.UserPrincipalName
    $user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    if ($user) {
        try {
            # -ErrorAction Stop makes a failed update a terminating error so the catch block runs
            $user | Set-AzureADUser -Department $CSVrecord.Department -TelephoneNumber $CSVrecord.TelephoneNumber -ErrorAction Stop
        } catch {
            $FailedUsers += $upn
            Write-Warning "$upn user found, but FAILED to update."
        }
    }
    else {
        Write-Warning "$upn not found, skipped"
        $SkippedUsers += $upn
    }
}

# Report skipped and failed users
Write-Output "Skipped users: $($SkippedUsers -join ', ')"
Write-Output "Failed users: $($FailedUsers -join ', ')"
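The same bulk update written against Microsoft Graph PowerShell, as an added example that is not part of the original article or the Tech Community post. It fixes two things a practitioner runs into with the snippet above: a user principal name containing an apostrophe (for example o’brien@…) breaks the OData filter unless the quote is doubled, and users synchronized by Entra Connect cannot have their attributes changed in the cloud, so the script detects them via onPremisesSyncEnabled and reports them for an on-premises change instead of failing. The CSV rows are constructed inline so the script runs without C:\Temp\Test.csv; the user principal names and phone numbers are hypothetical, and the Microsoft.Graph module with User.ReadWrite.All consent is assumed.

```powershell
# Added example (not from the original article): bulk attribute update with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the account can consent to User.ReadWrite.All.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Constructed sample records; in production replace with: Import-Csv C:\Temp\Test.csv -Delimiter ';'
$CSVrecords = @'
UserPrincipalName;Department;TelephoneNumber
alice@contoso.com;Finance;+1 555 0100
o'brien@contoso.com;Sales;+1 555 0101
ghost@contoso.com;IT;+1 555 0102
'@ | ConvertFrom-Csv -Delimiter ';'

$SkippedUsers = @()   # not found in the tenant
$SyncedUsers  = @()   # mastered on-premises; must be changed in AD DS
$FailedUsers  = @()   # found but the update was rejected

foreach ($record in $CSVrecords) {
    $upn = $record.UserPrincipalName

    # OData string literals are single-quoted; a quote inside the value must be doubled,
    # otherwise the filter is malformed (and data-driven input should never reach a query unescaped)
    $safeUpn = $upn.Replace("'", "''")
    $user = Get-MgUser -Filter "userPrincipalName eq '$safeUpn'" `
                       -Property Id, UserPrincipalName, OnPremisesSyncEnabled

    if (-not $user) {
        Write-Warning "$upn not found, skipped"
        $SkippedUsers += $upn
        continue
    }

    # Entra Connect-synchronized users are read-only in the cloud for synced attributes;
    # Graph rejects the update, so route these to an on-premises change instead
    if ($user.OnPremisesSyncEnabled) {
        Write-Warning "$upn is synchronized from AD DS; update the attribute on-premises"
        $SyncedUsers += $upn
        continue
    }

    try {
        # businessPhones is a collection in Graph, so the single CSV value is wrapped in an array
        Update-MgUser -UserId $user.Id `
                      -Department $record.Department `
                      -BusinessPhones @($record.TelephoneNumber) `
                      -ErrorAction Stop
    } catch {
        $FailedUsers += $upn
        Write-Warning "$upn found, but FAILED to update: $($_.Exception.Message)"
    }
}

# Summary object for the run
[pscustomobject]@{
    Skipped = $SkippedUsers
    Synced  = $SyncedUsers
    Failed  = $FailedUsers
}
```

The -Property selection matters: Get-MgUser returns only a default subset of attributes, and onPremisesSyncEnabled is not among them, so without it every user would look cloud-only and synced accounts would surface as failures rather than being reported correctly.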

Viewing and updating group properties

You can view your Azure Active Directory (Entra ID) groups from the Microsoft Entra ID dashboard.

Microsoft Entra ID

Azure AD groups offer the following settings that can be configured:

  • Overview: See the membership type, source directory, object ID, creation date, and more here
  • Properties: View and modify general group settings like the group name, description, group type, and membership type in this section
  • Members: This area shows all current group members and allows for bulk operations
  • Owners: Check out who owns the group and can make changes to it and its members here
  • Administrative units: This section shows which Administrative Units (AUs) the group is a part of
  • Group memberships: Here, you can see all the security groups that count the group as a member (nested grouping)
  • Applications: This setting reveals the group’s application assignments
  • Licenses: View licenses assigned to the group, which group members will automatically inherit, in this section
  • Azure role assignments: This area shows the Azure RBAC roles assigned to the group, and therefore the resources its members can access, at subscription, resource group, or resource scope
  • Dynamic membership rules: View and modify configuration rules for dynamic groups here, impacting group membership

Below is a look at the properties of an Azure Active Directory group and configuration settings.

Azure Active Directory group

Viewing the members of an Azure AD group:

Azure AD groups

Checking Azure AD Group Permissions

Checking Azure AD group permissions involves navigating the Azure portal to the desired group and exploring its properties and settings. Administrators can view and manage group memberships, ensuring users have the appropriate access to resources.

Furthermore, Azure role assignments can be utilized to grant groups specific permissions, ensuring a secure and well-governed environment.

Dynamic group rules and membership type

Azure AD groups, especially security groups, are central to managing resource access. Dynamic group rules let administrators define membership from user or device attributes, such as a user’s department or job title, or a device’s operating system or ownership.

The membership type, either assigned or dynamic, determines how members are added to the group: with assigned membership an owner or administrator adds and removes members explicitly, while a dynamic rule adds and removes members automatically as their attributes change. Because a dynamic rule effectively delegates membership decisions to whoever can write the attributes it references, rules for groups that grant sensitive access should rely only on attributes that are administrator-controlled or synchronized from on-premises AD DS. Dynamic membership also cannot be combined with role-assignable groups, so Entra ID roles must be granted through assigned groups or directly to users.
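An added example, not from the original article, that ties together the two preceding sections (checking a group’s Azure permissions and dynamic membership rules): it creates a dynamic security group whose rule uses only administrator-controlled attributes, assigns the group the built-in Reader role at subscription scope, and then audits the result from both sides, the roles the group holds and the users the rule currently resolves to. It assumes the Microsoft.Graph and Az modules, Group.ReadWrite.All and GroupMember.Read.All consent, rights to create role assignments on the subscription, and the hypothetical group name, rule, subscription ID, and user principal name shown.

```powershell
# Added example (not from the original article): dynamic security group + Azure role assignment + audit.
# Assumes Microsoft.Graph (Group.ReadWrite.All, GroupMember.Read.All) and Az.Accounts/Az.Resources.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.Read.All' -NoWelcome
Connect-AzAccount

$subId = '00000000-0000-0000-0000-000000000000'   # hypothetical subscription ID

# Rule uses only attributes that admins or on-premises sync control (not user-editable ones),
# and excludes guests explicitly, so membership cannot be self-granted
$rule = '(user.accountEnabled -eq true) and (user.department -eq "Finance") and (user.userType -eq "Member")'

$group = New-MgGroup -BodyParameter @{
    displayName                   = 'sg-finance-readers'   # hypothetical name
    mailEnabled                   = $false
    mailNickname                  = 'sg-finance-readers'
    securityEnabled               = $true
    groupTypes                    = @('DynamicMembership')
    membershipRule                = $rule
    membershipRuleProcessingState = 'On'
}

# Grant a built-in, read-only role to the group rather than to individual users
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName 'Reader' `
                     -Scope "/subscriptions/$subId"

# Audit 1: which Azure roles does the group hold, and at what scope?
Get-AzRoleAssignment -ObjectId $group.Id |
    Select-Object RoleDefinitionName, Scope

# Audit 2: who does the rule currently resolve to? (evaluation is asynchronous, so this
# list may lag a newly created or changed rule by a few minutes)
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# Audit 3: for one user, show access inherited through group membership, not just direct grants
Get-AzRoleAssignment -SignInName 'alice@contoso.com' -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType
```

Audit 3 is the check to run when a user appears to have more access than expected: Get-AzRoleAssignment without -ExpandPrincipalGroups lists only direct assignments, so a Reader grant that arrives through a dynamic group is invisible unless group membership is expanded.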

Wrapping up

Managing user and group properties in Azure AD is an important task involving the configuration of user attributes, group memberships, and access permissions. The AZ-104 certification exam tests the core competencies of administrators and their knowledge of managing Azure AD users and groups proficiently.

By understanding and leveraging the capabilities of Microsoft Entra ID (formerly Azure AD), administrators can ensure that users and groups are configured to meet organizational needs, bolster security, and meet the needs of collaboration and communication requirements.
