Join David Elfassy for an in-depth discussion in this video Create and manage user accounts, part of Learn Microsoft Azure: Active Directory.
- [Voiceover] The basis of authentication in Azure Active Directory are the user accounts. User accounts are used to log on, and therefore to access various resources to which you've been provided access to through other components of Azure. In order to create a user account, we need to go into the Azure management portal, and click on our directory where we wanna create our account, again, our account will be created only in that directory, and then we click on users to create a new user.
So here I'm gonna click on the Add User button to create a new user. Now, I have an option here, new user in your organization, user with an existing Microsoft account, a user with a Microsoft account is a user that has a @outlook.com account, @hotmail.com, what we used to refer to as a Microsoft Passport. Do I want to create a user that is in another Microsoft Azure directory, or a user in a partner company? Now if I click on user in another Microsoft Azure directory, that is another directory that I have in my Azure subscription.
So if I want to create or duplicate a user that I have another directory, I would do that. Now, I wanna create a new user in my organization, so I'm gonna give him a name, and I'm going to say that this is going to be John. Now, you notice here that I have a suffix, this is referred to as a UPN suffix, or a user principal name suffix. The domain here resembles an email address, and this is going to be the full name that the user is going to use to log on to the computer, or log on to Azure AD.
Now, if I click on the dropdown list here, I would see all of the domains that have been verified for my subscription. At this point I don't have any other domains, but I'm going to add domains later on in this course, so you see the process of adding additional domains, and therefore giving a different UPN suffix. If your company is called CompanyX.com, you would be able to provide firstname.lastname@example.org so that he has a familiar name that he's going to use to log on with. If your user has a matching name of your organization, so if he has an email address email@example.com, he would be using the same name as his email address to log on.
If I click on Next, I can provide a name, so I'm going to say that this is Johnathan, his last name is Long, and I'm gonna give him a display name. Now, the display name could maybe include his company, so I'm gonna say that he works for Lynda, and then I'm gonna give him a role. Now, the role is the type of permissions that he has within my Azure AD environment. Now, the highest level, or the highest role that you can provide is a global admin. A global admin is a user that has all the rights around Active Directory.
There's other roles here, and there's other courses on Azure that provide the details of all these various roles, I'm not gonna go through them right now. I can also enable multi-factor authentication for this user, forcing him to use multiple methods to authenticate to Azure AD. Now, I'm not gonna enable it now, because in a later video I'll show you how we enable multi-factor authentication. Now, I can specify a temporary password for the user, and if I click on Create, a temporary password will be generated for the user.
I can click on the Copy option here, which will copy it to my clipboard, and I can then provide this password to the user. The user will then change the password after he logs on the first time. If I click on Complete, you'll notice here that Johnathan has been created, and you notice here that he is a Microsoft Azure Active Directory user. Now, note that I have other users here, such as myself, and my account actually comes from a separate directory, so it specifies here that my source is from another Microsoft Azure AD.
Now, if I go back to Johnathan's account and I click on his account, I can manage the properties of his account from here. Now some of the settings that we specified during the creation of his account can be modified, such as his role, his username, etc. Now, an important setting that I can specify here is an alternate email address. Now, you'll see how later on that may be important for multi-factor authentication. So I'm going to say that JohnLong@hotmail.com is an alternate email address.
This is going to be used for either notification, password resets, also multi-factor authentication. I've got other settings down here. Allow the user to sign in and access services, so by default he is allowed, now this is a way to enable or disable the account. I see the usage location, so specify his location, and later on I may be able to restrict what various locations can do, now I'm gonna say that this user is located in Canada, so I specified his region.
If I go back on top, I have additional options. I'm gonna click Okay to save all the changes I've made in the profile page, and under work info I can specify his job title, his department. Now, I'm gonna say that Johnathan works in the finance department, and you'll see how that'll be relevant in a later video. I can also specify an office number, and a phone number. Now, the phone number, again, is going to be useful if I'm going to be using a multi-factor authentication, so I'm gonna specify Johnathan's phone number, he's in the 514 area code.
I'm gonna put a fake number here, and that number will be used if we need to have a device, or a mobile device used in his authentication, and we'll look at that a little bit later on. I can provide information such as his address, now, all of this information is readable if I'm going to read the directory, query the directory. Notice here there is authentication phone, now again, this is going to be used for multi-factor authentication, and I've got options as to which ones are the ones that I populate, that can be used for multi-factor authentication.
And also the email address that can be used for multi-factor authentication. So that was JohnLong@hotmail.com. I'm going to save this page, and move on to my next page. The devices page. Now, from the devices page, I see the devices that the user has used to sign in. Now, this is private user data, because I can see information about the user, such as the name of his computer, IP address, which is considered private data, so I'm being prompted to accept that I'm going to be viewing personal information.
Now, I just created this user, so I'm fairly confident that he's never logged on yet, so I can click over to the next tab. Now, in the next tab, it's similar to the devices tab, where I'm not gonna see any activity. This is my reporting page, where I'd be able to see when he logged on, when was the last time he logged on, and which applications he used, and I'll show you, later on in this course we'll look at reporting a little bit more in detail, and see how this information can be broken down further. So this is the profile of Johnathan Long on Lynda, and Johnathan's information is fully accessible and modifiable because I am an administrator.
Now, the only option I didn't show you here is the reset password. Now, this has its own button, because, as you know, it can be a popular task or a common task on a user account to reset password. We'll look later on in this course on how the user himself can reset his own password.
Microsoft Azure Active Directory (Azure AD) provides most of the rich functionalities of Active Directory, with the conveniences of cloud-based computing. Azure AD also offers developers a great way to integrate identity management into applications. In this Azure training course, David Elfassy introduces the terminology and feature set in Azure AD. He shows how to implement and manage user and group accounts, join client computers, and implement single sign-on and multifactor authentication. (Industry standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect make sign-on possible on a variety of platforms.) In the final chapters of the course, David reviews the more advanced reporting and features in Azure AD and Azure AD Connect, including syncing on-premises Active Directory and Azure AD.
- Understanding directory as a service (DaaS)
- Using Azure AD management tools
- Creating an Azure AD directory
- Managing users and groups
- Enabling Active Directory self-service
- Implementing Azure AD authentication
- Running Active Directory reports