Create and manage user accounts in Azure Active Directory.
- [Instructor] Now we've already looked at the domain names and how domain names can be added to our Azure AD subscription, and here I've added the litware.com domain name. Now remember that this domain name is not a domain name that I own, therefore, it shows up as unverified. Only the verified domain name can be used as the log-on names of my users. So I have a little bit of a complex log-on name here that I'm going to have to use for my user accounts that I'm going to create in my directory. So let's go ahead and create some users.
I'm going to go into users and groups and then click on all users, and this is where I have the option to create a new user. Now, first of all it's important to understand that our users are our unit of identification and authentication. So a user is the account that I require in order to access resources. It identifies me as an individual that is trying to access a specific resource that has been enabled for authentication using Azure Active Directory.
So that may be a resource such as an Office 365 mailbox, it could be a resource such as an enterprise application that I've provided or published for my organization, or it could be a number of other resources that are stored in Azure such as virtual machines, or networking resources, or SQL databases, or any other type of resource for which access has been given to my user account through an authentication provider of Azure Active Directory. So, let's go ahead and create a new user account, a new individual for authentication, and I'm going to create a user named Johnathan, and I'm going to have to give him a username.
Now his username is going to have to use that complex suffix of LitwareXYZ2017.onmicrosoft.com. If I use anything else it will not work. That validation check that happens over here will fail. So right now it's running that validation check. It gives me a green light saying there is no other user that uses this same username. If I erase this, I'm just going to remove it, and just say I want to use litware.com, which is another domain I've added but has not been verified, then as the verification runs it will return a red mark saying that this is really an unverified domain, and it's unable to access.
So it will give me that, telling me that that domain is not a verified domain and therefore I cannot use it for authentication purposes. So I'm going to put in the one verified domain that I have, complete my verification, and then move on to my other configuration. So for a second, go here under the user's profile, and under user profile I can specify things such as the user's first name, last name, and job information. These are specifically for directory listing and information only and have no bearing on any access or permissions.
If I click on properties down below, I have here a property that states who is the source of authority for authentication for this user account, essentially specifying where does this user account reside, and this is in Azure Active Directory. If I had a hybrid coexistence with on-premises Active Directory, there would be more information here that could say whether or not the user resides on premises, or if it resides in Azure Active Directory. My next tab here, or my next blade as they're called within the Azure portal, is the groups.
So specifying if the user is a member of any group, and the user here is not a member of any group. I can add him to groups down below by selecting existing groups, or later on I can add him to a group. Then I have the directory role. Now the directory role defines the permission of that user within Azure Active Directory. So is this user a basic user, which is the default? Is he a limited administrator, which means he has specific rights? Maybe he has rights only to Exchange properties, or he has rights to SharePoint properties, or he has a certain level of permissions that give him a privileged role, and those are some enhanced privileges that are related to security, or is he able to manage billing or Azure subscription billing? So I can give him some specific granular roles, or I can make him a global administrator, and global administrator means that he really has access to all of the objects, all of the resources that are part of my Azure subscription.
So it's very much an enhanced permission. The default, again, is user, and that's what he has as a directory role, a user role. So, now I can show my password here. This is a password that gets automatically generated by the system. I can copy it if I want to be able to send it by email to the user or provide it in a different secure way to the user, and I can now click create. So it's creating the user account inside my Azure Active Directory.
Once the user has been created, I'll be able to click on that user account, and I see that they have many of the configurations that I saw earlier such as the profile, the directory role, the groups, but I also have some additional permissions and settings here such as licenses for example. So if I click on licenses I see here that I don't have any products that are available for licensing for this user, but this is where I would provide some additional licenses.
Now I'm going to switch over to a different directory that has some licenses to show you the difference of what happens when these licenses become available. So I'm going to connect to my different directory here and find the license option for one of the user accounts. So I'm going to click directly on my user account here, which is under all users, and I'm going to do a search, and here I have the same options in the other directory including the licenses blade. You'll notice that my subscription of Azure Active Directory is the underlying infrastructure for my Office 365 deployment, and this is where I find my licenses for Office 365, and I have also my licenses for Power BI, which is a separate product that is also activated for my account.
So if I want to assign a license, I click on plus here to assign the license. Now these licenses are already assigned to me. I can remove licenses as well. So licenses are managed on a per-user basis after they have been added to your subscription. So now let me go back and look at my new user again that I created, Johnathan Long within my Litware directory, and we will see how this user that has been created, that is part of this directory, and that is a user member of this directory can now have its various properties for sign-in and can access resources; any resource that he's been provided access to, he will be able to access.
Now by default, he is able to access a website that includes all of my Enterprise applications, and to access that website, all you have to do is go to myapps.microsoft.com, and my user account is cached here. I'm going to sign out, and I'm going to sign in with the user account for Johnathan Long. So it's going to be email@example.com.
After you put in this login name several times, the value of having a verified domain name becomes pretty apparent. I'm going to put in his password and click sign in. Now because this is the first time that the user has logged in I have to specify his current password and specify a new password. So for security reasons the first time the user logs in he must update his password with a new password. So I'm going to put in a new password for that user account, and of course the passwords must match, and I'm going to click update password to sign in.
This actually updates his password in Azure Active Directory, and I am now logged into MyApps. Now you'll note that I have no applications that are published, and luckily we'll be able to publish some applications later on in later videos in this course, but he is able to successfully log in to Azure Active Directory, into the Litware directory, and he's able to access the MyApps page which is, again, a resource that he has permission to by default in Azure Active Directory.
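The same user creation done from PowerShell, as an added example that is not part of the course or Microsoft's documentation: it checks that the UPN suffix is a verified domain before creating the account (the check the portal performs), generates a random initial password, and forces a password change at first sign-in, leaving the account in the default User directory role. It assumes the Microsoft Graph PowerShell SDK is installed; the display name, mail nickname and UPN suffix are constructed placeholders taken from the video.

```powershell
# Added example (not the course's own code). Assumes the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.Read.All'

$upnSuffix   = 'LitwareXYZ2017.onmicrosoft.com'   # the tenant's verified default domain from the video
$displayName = 'Johnathan Long'                   # constructed sample user
$mailNick    = 'johnathan.long'
$upn         = "$mailNick@$upnSuffix"

# 1. The portal rejects a UPN whose suffix is an unverified domain (e.g. litware.com here);
#    perform the same check before creating anything.
$domain = Get-MgDomain -DomainId $upnSuffix -ErrorAction SilentlyContinue
if (-not $domain -or -not $domain.IsVerified) {
    throw "Domain '$upnSuffix' is not a verified domain in this tenant; it cannot be a sign-in suffix."
}

# 2. Generate a random initial password from a cryptographic RNG (equivalent to the portal's
#    auto-generated password); Base64 of 24 bytes gives 32 mixed-case alphanumeric characters.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

# 3. Require the user to replace it at first sign-in, which is the prompt seen on MyApps in the video.
$passwordProfile = @{
    Password                      = $initialPassword
    ForceChangePasswordNextSignIn = $true
}

$user = New-MgUser -DisplayName $displayName -MailNickname $mailNick -UserPrincipalName $upn `
                   -AccountEnabled -PasswordProfile $passwordProfile -UsageLocation 'US'

# No directory role is assigned here, so the account keeps the default 'User' role;
# privileged roles such as Global Administrator must be granted explicitly and deliberately.
"Created $($user.UserPrincipalName) (id $($user.Id)); deliver the initial password out of band."
```

UsageLocation is set because license assignment (the licenses blade shown in the video) requires it on the user object.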
David shows how to implement and manage user and group accounts, join client computers, and implement single sign-on and multi-factor authentication. (Industry-standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect make sign-on possible on a variety of platforms.) To wrap up the course, David reviews the more advanced features in Azure AD and Azure AD Connect, including syncing on-premises Active Directory and Azure AD, and troubleshooting an Azure AD deployment.
- Directory as a service (DaaS)
- Using Azure AD management tools
- Creating an Azure Active Directory
- Managing users and groups
- Enabling Active Directory self-service
- Implementing Azure AD authentication
- Running Active Directory reports