azure:az-104_2024:identity_and_access_management

azure:az-104_2024:identity_and_access_management [2024/10/09 18:19] – [User Profile Attributes] mmuze
azure:az-104_2024:identity_and_access_management [2025/11/29 17:48] (current) mmuze
Line 5: Line 5:
   * **Microsoft 365 groups**: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.   * **Microsoft 365 groups**: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.
   * [[https://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups]]   * [[https://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups]]
-  * M365 can be setup to expire after a specified period of time+  * M365 groups can be setup to expire after a specified period of time
       * [[https://learn.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-groups-expiration-policy]]       * [[https://learn.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-groups-expiration-policy]]
       * When a group expires, almost all of its associated services (the mailbox, Planner, SharePoint site, team, etc.) are also deleted.       * When a group expires, almost all of its associated services (the mailbox, Planner, SharePoint site, team, etc.) are also deleted.
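Review bot: In the changed bullet `+  * M365 groups can be setup to expire after a specified period of time`, "setup" is the noun form; as a verb it should be "set up", so the line should read "M365 groups can be set up to expire after a specified period of time". The sibling bullet above ends with a period, so add one here too for consistency.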
Line 11: Line 11:
       * Expiration policies are only supported for dynamic groups.       * Expiration policies are only supported for dynamic groups.
   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>
 +  * <color :#fff200>There is an option for Groups that allows roles to be assigned to them. This setting can only be set when the group is created and cannot be changed later.</color>
 +    * Using this feature requires a Microsoft Entra ID P1/P2 license.
  
 ====== Azure Organization/Structure/Scoping ====== ====== Azure Organization/Structure/Scoping ======
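Review bot: The new role-assignable-group bullet (`+  * <color :#fff200>There is an option for Groups that allows roles to be assigned to them. ...`) is the only bullet in this section without a link to the corresponding Microsoft Learn page, and it would be worth adding one alongside the P1/P2 license note. From a least-privilege standpoint it should also state the consequence of the setting: once a role is assigned to such a group, whoever can add members to the group effectively grants that role, so membership management for these groups must be treated as a privileged operation. Separately, the unchanged context line `Expiration policies are only supported for dynamic groups.` sits directly above the new bullet and reads inconsistently with the first hunk, which says M365 groups can be set to expire; verify that line against the linked expiration-policy doc.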
Line 24: Line 26:
 ---- ----
 ===== Administrative Units ===== ===== Administrative Units =====
-  * //Administrative Units (AU)// provide an administrative scope <color :#fff200>over a subset Entra ID users and groups</color>.+  * //Administrative Units (AU)// provide an administrative scope <color :#fff200>over a subset of Entra ID users and groups</color>.
   * Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group.   * Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group.
   * AUs cannot be nested.   * AUs cannot be nested.
Line 56: Line 58:
   * Examples of Entra ID roles:   * Examples of Entra ID roles:
     * Global Admin     * Global Admin
 +      * When you create a new Microsoft Entra tenant, you are automatically assigned the Global Administrator role
     * Application Admin     * Application Admin
     * Application Developer     * Application Developer
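Review bot: The added sub-bullet `+      * When you create a new Microsoft Entra tenant, you are automatically assigned the Global Administrator role` is missing a terminal period and uses "Global Administrator" while its parent bullet says "Global Admin"; pick one form and use it throughout the page. Since this line says the tenant-creating account holds the most privileged directory role by default, consider cross-referencing the Multi-factor Authentication and Global Admin Elevated Access sections added later in this same revision so the reader sees those controls apply to that account.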
Line 65: Line 68:
  
   * <color :#fff200>Azure Roles are //additive//, meaning when multiple roles are assigned to a user the user gets the sum of all permissions granted by all roles.</color>   * <color :#fff200>Azure Roles are //additive//, meaning when multiple roles are assigned to a user the user gets the sum of all permissions granted by all roles.</color>
 +
 +==== Role Assignments ====
 +   * An <color :#fff200>Azure role assignment condition</color> is an optional check that you can add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.
 +
 ====== Administrative Units ====== ====== Administrative Units ======
   * The default scope for Entra Id roles is global (the entire tenant)   * The default scope for Entra Id roles is global (the entire tenant)
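Review bot: The new bullet `+   * An <color :#fff200>Azure role assignment condition</color> is an optional check ...` is indented with three spaces while every other top-level bullet on the page uses two; DokuWiki derives list nesting from indentation, so align it to two spaces to avoid it rendering at a different level. Also confirm the heading level is intended: `+==== Role Assignments ====` is a level-3 heading inserted immediately before the level-1 `====== Administrative Units ======` heading, which makes it a subsection of the preceding Azure Roles material rather than a section of its own.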
Line 99: Line 106:
 By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
 </callout> </callout>
 +  * **Attribute Assignment Administrator role** - Users with this role can assign and remove custom security attribute keys and values for supported Microsoft Entra objects such as users, service principals, and devices.
 +
 +----
 +Attributes can be assigned to the following entities:
 +  * Users: Attributes like name, email, job title, department, location, etc.
 +  * Groups: Attributes like description, membership rules, expiration policies.
 +  * Applications: Attributes like display name, description, sign-in URL, etc.
 +  * Devices: Attributes like device type, operating system, serial number, etc.
 +  * Service Principals: Attributes like display name, description, application ID, etc.
 +
 +====== Licensing ======
 +  * Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can set this value in Microsoft Entra by going to Identity > Users > All users > select a user > Properties.
 +  * When you assign licenses to a group or you make bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.
 +
 +====== Global Admin Elevated Access ======
 +  * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]
 +  * As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.
 +   * There is a setting on the Entra Id tenant/directory that allows a Global Admin to <color :#fff200>"manage access to all Azure subscriptions and management groups in this tenant."</color> This allows the user to assign themselves and others roles to access resources.
 +   * This setting gives the user the User Access Administrator role for the root scope that is inherited by all management groups/subscriptions.
 +   * Although it's a per-user settings it is enabled from the tenant blade, not the user properties blade.
 +   * Also, it results in an Azure role being assigned to the user, not a Entra Id/Administrative role being assigned. <color :#fff200>So, it might seem a little counterintuitive for the role to get assigned from tenant blade, but this a special case of bootstrapping the ability to assign RBAC roles.</color>
 +
 +====== Multi-factor Authentication (MFA) ======
 +  * Conditional Access based MFA is also call Per-Authentication MFA in contrast to Per-User MFA.
 +
 +====== Conditional Access ======
 +  * [[https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview]]
  
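Review bot: The list introduced by `+Attributes can be assigned to the following entities:` is placed directly under the custom security attributes callout, but its items (name, email, job title, display name, application ID, serial number) are built-in directory properties, and "membership rules, expiration policies" for groups are settings rather than attributes; either move this list under the User Profile Attributes material or add a sentence saying these are built-in properties distinct from custom security attributes, which the callout says even Global Administrator cannot read or assign by default. In the Global Admin Elevated Access section, `+   * This setting gives the user the User Access Administrator role for the root scope that is inherited by all management groups/subscriptions.` describes a persistent root-scope assignment; add a bullet that this elevated access should be removed once the intended role assignments are done, as the linked Microsoft Learn page advises, so the tenant is not left with a standing root-scope User Access Administrator. Wording and formatting in the same section: the four sub-bullets under the Global Administrator bullet use three-space indentation while their parent uses two, so they will render as a nested level (confirm that is intended); "per-user settings" should be "per-user setting"; "not a Entra Id/Administrative role" should be "not an Entra ID/administrative role"; "but this a special case" is missing "is"; in the MFA section "is also call Per-Authentication MFA" should be "is also called"; and "Entra Id" should be "Entra ID" throughout.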