Get a high-level introduction to the various components of Azure AD.
- [Instructor] Before we jump into how to set up Azure Active Directory I always like to start with showing you what would an end user actually see so that you understand what you're configuring or what you're building. To do that I'm going to start with what's called the access panel, and the access panel is where an end user can go to see all the different applications and services that they have access to via that hybrid identity that they have in Azure Active Directory. And the way to get there is to go to a URL called myapps.microsoft.com and that'll take us to the sign in page. By default the sign in page just has the Microsoft logo on it because it's the same sign in page for every single customer that uses Azure Active Directory.
But you can also brand this if you have Office 365 or Azure Active Directory Premium so that it has your logo on it and your look and feel. Users will always sign in with what's called their user principal name. And this may be a little different than how they sign in to their on premises PC. Perhaps they only sign in with their short username whereas when you sign in to Azure Active Directory you're always going to have to sign in with your user principal name or UPN. We always try to make that the same as the user's email address because it's really easy for them to remember and it makes deploying certain Office 365 services a whole lot easier.
But it's not required. Once I enter my username and password I'll be taken to the access panel, which is what you see on the screen now. And each of these tiles is an application or service that the specific end user has access to. You can customize what this looks like for every single one of your users based on what they need to have access to and what services they use. By default you can see Microsoft adds the Office 365 services because this user uses Office 365, but then for example I have Salesforce on the screen which is a custom application that we added that this particular user has access to.
In addition to accessing applications in the access panel, end users can also do things like update their profile details or register for self service password reset. And self service password reset is another great capability that lets someone reset their password completely from the cloud without having to call the help desk or access something on premises. And to see what this looks like first we'll take a look at how you register for that and then we'll see what the password reset interface looks like. To register for this, there's a couple different ways to do this but since we're in the access panel we'll click on our name and then we'll click profile.
And then we can click the link called set up self service password reset. There's multiple different options that an end user can use to reset their password and you can configure these. In this case we have enabled people to either use their phone, an alternate email address like their personal email address, or their security questions which are the typical questions that you get asked when you go to set up your account with your bank or a shopping website or something like that. We'll go ahead and set up security questions.
And as an administrator you can configure all the different questions that are available here. You can have up to 20 that are enabled. And you can either use the defaults that come with Azure Active Directory or you can pick your own. So we'll go ahead and enter some answers here that we're going to remember. And once you've gone ahead and answered these there's going to be a policy in place where you determine how many of these questions the end user needs to answer in order to reset their password. But I'm going to go ahead and save my answers.
And then I'll click finish. And now what I'm going to do is I'm going to sign out and show you what happens if I can't remember my password. Now you notice on that same screen where you entered your username and password there's also this link that says can't access your account. When you click on that you'll get a choice of personal account or work and school account. A personal account is what's called a Microsoft account, that's something used to sign into a service like your Xbox, whereas a work and school account is an organizational identity that's stored in your Azure Active Directory.
I'll go ahead and complete the Captcha prompt. And now I get a choice of based on the methods that I registered, how I want to reset my password. It just so happens that my mobile phone was already registered, so I can use that. I can either get a text message or a call to my phone, or I can choose to answer my security questions. You might notice that I actually have to re-enter my phone number and Azure gives us a hint about the last two digits. This is just a security measure to make sure that I really am who I say I am. I'll click answer security questions. You'll notice that of the five questions I answered, only three are on the screen here.
And this is something that you can configure as an administrator as to how many questions an end user needs to answer out of the pool that they registered for. I usually recommend that you require users to register at least five questions, and then you'll have to answer three of those. And the system picks three randomly and that helps to prevent people from trying to game the system. So we'll go ahead and answer these. And now when I click next it's going to go ahead and validate that. And now I get to enter a new password.
There's a password meter on the bottom there. If you're using this in conjunction with on premises Active Directory with Azure AD Connect, when I click finish it's actually going to go ahead and write that password back to your on premises AD in real time and make sure that this meets your password policy as well. Now something interesting happened here. I put a password in that passed the password strength meter, you noticed that it was completely green. But at the bottom in red it says we've seen that password too many times before, please choose something that's harder to guess. And what's happening behind the scenes there, really interesting capability, where the system actually goes ahead, and it's not just about whether the password's strong or not but it's looking at passwords that are really weak in terms of things that are easy to guess or that they include words that are often in passwords.
It just so happens that the one I entered included the word password. So it's not just about the heuristics that you're used to about how long the password is, or how many characters, or is it complex, but is it actually strong as well. So if it isn't the system will block that for you just to make sure people are choosing relatively good passwords. Now I've reset my password, I'll go ahead and sign in with it.
And I'm back to the access panel and all the applications that I need to use without ever having to call the help desk because I forgot my password.
- Authentication options with Azure AD
- Configuring Azure AD Connect for sync and authentication
- Securing remote access with the Azure Application Proxy
- Managing apps and devices with Intune
- Building and deploying a basic Intune policy for iOS or Android
- Protecting data beyond the firewall with Azure Information Protection (AIP)
- Configuring AIP classification labels and protection
- Integrating Exchange and SharePoint with AIP
- Managing risk with Advanced Threat Analytics
- Connecting Office 365 to cloud app security