AZ-104 Study Guide 2024

Identity and Access Management

Users and Groups

  • Security groups: Used to manage user and computer access to shared resources.
  • Microsoft 365 groups: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.
  • M365 groups can be set up to expire after a specified period of time.
  • Entra ID security groups do not support expiration policies.
  • Groups have an option that allows Microsoft Entra roles to be assigned to them (role-assignable groups). This setting can only be set when the group is created and cannot be changed later.
    • Using this feature requires a Microsoft Entra ID P1/P2 license.

Azure Organization/Structure/Scoping

  • Within the Azure ecosystem there are several organizational structures that define scope.
  • Management groups provide a governance scope (for Azure resources) above subscriptions.
  • By moving multiple subscriptions under a management group, you can create one Azure role assignment on the management group; that assignment is inherited by all the subscriptions beneath it.
  • A management group tree can support up to six levels of depth.


  • Administrative Units (AU) provide an administrative scope over a subset of Entra ID users and groups.
  • Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group.
  • AUs cannot be nested.

Microsoft Entra ID vs. Azure Roles

  • Azure RBAC roles (also called ARM or Azure roles) are distinct from Microsoft Entra ID roles.
    • Data access roles/permissions are also distinct from resource access roles/permissions. For example, having the Owner role for a storage account does not give a user access to the data in the storage account.
    • In other words, control plane permissions are distinct from data plane permissions.
  • Entra ID roles (sometimes referred to as administrative roles) are used for managing access to identity objects within the Entra ID tenant itself.
    • Although Microsoft Entra ID roles are typically set at the tenant level, you can make scope adjustments using administrative units.
  • Azure RBAC roles are used for managing access to resources in an Azure subscription.
  • Examples of Azure roles:
    • Owner - this is the role with the highest level of access, which includes the ability to grant other users access to resources.
    • Contributor - this role grants read/write access to the scope it is assigned to, but (unlike Owner) it does not grant the permissions needed to assign roles to principals.
    • Reader - this role grants read-only access.
  • A role assignment is a combination of an identity, a role (permissions), and a scope. These can be thought of as the who, the what, and the where, respectively.
  • A role definition has control plane actions (Actions, e.g. Microsoft.Storage/storageAccounts/write) and data plane actions (DataActions, e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read); each list has a matching exclusion list (NotActions/NotDataActions) that subtracts from what the same role grants.
  • The Activity Log shows only control plane logs.
  • Microsoft Entra Domain Services provides traditional AD functionality (as-a-service) in Azure. But there are no domain controllers to manage and maintain.
    • Supports LDAP, NTLM and Kerberos protocols
  • Privileged Roles and permissions can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data.
  • Examples of Entra ID roles:
    • Global Admin
      • When you create a new Microsoft Entra tenant, you are automatically assigned the Global Administrator role
    • Application Admin
    • Application Developer
    • Billing Admin
  • Owner vs. Contributor
    • Owner grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
    • Contributor grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
  • Azure Roles are additive, meaning when multiple roles are assigned to a user the user gets the sum of all permissions granted by all roles.
  • An Azure role assignment condition is an optional check that you can add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.
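As an added example (not part of this study guide), the following Python model shows how Azure RBAC resolves effective permissions: role definitions separate control-plane Actions from data-plane DataActions, assignments are (identity, role, scope) triples inherited down the scope hierarchy, and multiple roles add up. The role definitions are abridged and the scope hierarchy, principals and assignments are constructed for the example; the operation strings are real Azure operation names.

```python
from fnmatch import fnmatchcase
# Constructed, abridged role definitions using real Azure operation strings.
# Actions/NotActions are control plane; DataActions/NotDataActions are data plane.
ROLES = {
    "Owner": {"Actions": ["*"]},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Reader": {"Actions": ["*/read"]},
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]},
}

# Constructed scope hierarchy: management group > subscription > resource group > resource.
MG, SUB = "/providers/Microsoft.Management/managementGroups/corp", "/subscriptions/sub1"
RG = SUB + "/resourceGroups/rg1"
ST1 = RG + "/providers/Microsoft.Storage/storageAccounts/st1"
PARENT = {SUB: MG, RG: SUB, ST1: RG}

def ancestors(scope):
    """The scope itself plus every ancestor; assignments at any of them are inherited."""
    while scope:
        yield scope
        scope = PARENT.get(scope)

def _matches(patterns, operation):
    # Azure operation matching is case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def is_allowed(assignments, principal, scope, operation, plane="control"):
    """True if any role assigned to `principal` at `scope` or an ancestor grants `operation` on
    the chosen plane. Roles are additive (one permitting role suffices); NotActions only subtract
    inside the same role definition and never deny what another role grants."""
    allow, deny = ("Actions", "NotActions") if plane == "control" else ("DataActions", "NotDataActions")
    in_scope = set(ancestors(scope))
    for who, role, at in assignments:
        if who == principal and at in in_scope:
            defn = ROLES[role]
            if _matches(defn.get(allow, []), operation) and not _matches(defn.get(deny, []), operation):
                return True
    return False

# Constructed assignments: (identity, role, scope), i.e. who, what, where.
ASSIGNMENTS = [
    ("alice", "Owner", ST1),                  # Owner on the storage account only
    ("bob", "Reader", MG),                    # inherited by every subscription under the MG
    ("bob", "Storage Blob Data Reader", RG),  # adds data-plane blob read at the RG
    ("carol", "Contributor", SUB),            # can manage resources, not role assignments
]
```

Note that Owner on the storage account lets alice manage the account but not read blobs (no DataActions), while bob's two assignments from different scopes combine into control-plane read plus data-plane blob read.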

Administrative Units

  • The default scope for Entra ID roles is global (the entire tenant).
  • Administrative Units (AUs) can be used to limit the scope of Entra ID roles to a subset of the tenant.
  • AUs do not apply to Azure resources; they only apply to tenant entities.
    • Entra ID roles are also referred to as administrative roles, hence the name Administrative Units.
  • An administrative unit can contain only users, groups, or devices.
  • AUs limit the scope of permissions (for Entra ID roles) to only the users, groups, or devices they contain.
  • An example would be assigning someone the Password Administrator role at the AU level, so they can reset non-administrative passwords for only the users in the AU.
  • Other examples of permissions that can be assigned to AUs.
  • Nesting is not supported.
  • ☝️ Putting groups in an AU does not implicitly give the ability to access and change the attributes of the group's members. The members must be explicitly added to the AU.
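As an added example (not from the study guide), this Python model of AU-scoped Entra ID role assignments makes the last two points concrete: a Password Administrator scoped to an AU can reset only the passwords of non-administrative users who were themselves added to the AU, and a group being in the AU does not pull its members into scope. The directory, AU, role assignments and principal names are constructed for the example.

```python
# Constructed directory: users (with any admin roles they hold), groups and one AU.
TENANT = "tenant"
USERS = {"ann": [], "ben": [], "cat": ["Global Administrator"], "dan": []}
GROUPS = {"sales": ["ann", "ben"]}   # ben is a member of sales but was never added to the AU
AU_MEMBERS = {"au-sales": {"users": {"ann", "cat"}, "groups": {"sales"}}}

# Constructed Entra ID role assignments: (principal, role, scope); scope is TENANT or an AU.
ASSIGNMENTS = [
    ("helpdesk", "Password Administrator", "au-sales"),
    ("global-helpdesk", "Password Administrator", TENANT),
    ("groupadmin", "Groups Administrator", "au-sales"),
]

def in_scope(obj_type, obj_id, scope):
    """Tenant scope covers every object. An AU covers only objects added to it directly:
    a group in the AU is in scope, but its members are not unless added themselves."""
    if scope == TENANT:
        return True
    return obj_id in AU_MEMBERS.get(scope, {}).get(obj_type, set())

def holds_role_over(principal, role, obj_type, obj_id):
    """True if `principal` holds `role` at a scope that contains the target object."""
    return any(who == principal and r == role and in_scope(obj_type, obj_id, scope)
               for who, r, scope in ASSIGNMENTS)

def can_reset_password(principal, user):
    # Password Administrator resets non-administrative passwords only, whatever the scope.
    if USERS[user]:
        return False
    return holds_role_over(principal, "Password Administrator", "users", user)

def can_manage_group(principal, group):
    # The group object itself is in scope when it was added to the AU.
    return holds_role_over(principal, "Groups Administrator", "groups", group)
```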

Management Groups

  • Management Groups can be used to apply budget, RBAC roles and policies at a scope above subscriptions.

Password Handling

  • ❓Does Microsoft 365 Business Standard License support password writeback? Answer: It does not support it. See Docs

Custom Domain Name

  • To add a custom domain name to an Entra ID tenant, you must create either a TXT or an MX record for the domain name to verify ownership of the domain.

Microsoft Entra Connect

User Profile Attributes

  • User Profile Attributes are built-in attributes, like Company Name, Display Name, and Job Title, and custom attributes that can be assigned to users and groups (Security Groups/M365 Groups).
  • By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
  • Attribute Assignment Administrator role - Users with this role can assign and remove custom security attribute keys and values for supported Microsoft Entra objects such as users, service principals, and devices.

Attributes can be assigned to the following entities:

  • Users: Attributes like name, email, job title, department, location, etc.
  • Groups: Attributes like description, membership rules, expiration policies.
  • Applications: Attributes like display name, description, sign-in URL, etc.
  • Devices: Attributes like device type, operating system, serial number, etc.
  • Service Principals: Attributes like display name, description, application ID, etc.

Licensing

  • Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can set this value in Microsoft Entra by going to Identity > Users > All users > select a user > Properties.
  • When you assign licenses to a group or you make bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.

Global Admin Elevated Access

  • As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.
  • There is a setting on the Entra ID tenant/directory that allows a Global Administrator to “manage access to all Azure subscriptions and management groups in this tenant.” Enabling it lets the user assign themselves and others roles to access resources.
  • This setting gives the user the User Access Administrator role at the root scope, which is inherited by all management groups and subscriptions.
  • Although it is a per-user setting, it is enabled from the tenant blade, not from the user's properties blade.
  • Also, it results in an Azure role being assigned to the user, not an Entra ID/administrative role. So it might seem a little counterintuitive for the role to be assigned from the tenant blade, but this is a special case of bootstrapping the ability to assign RBAC roles.

Multi-factor Authentication (MFA)

  • Conditional Access based MFA is also called per-authentication MFA, in contrast to per-user MFA.

Conditional Access

Last modified: 2025/11/29 17:48 by mmuze