azure:az-104_2024:identity_and_access_management

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:az-104_2024:identity_and_access_management [2024/10/09 18:24] – [User Profile Attributes] mmuzeazure:az-104_2024:identity_and_access_management [2025/11/29 17:48] (current) mmuze
Line 5: Line 5:
   * **Microsoft 365 groups**: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.   * **Microsoft 365 groups**: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.
   * [[https://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups]]   * [[https://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups]]
-  * M365 can be setup to expire after a specified period of time+  * M365 groups can be setup to expire after a specified period of time
       * [[https://learn.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-groups-expiration-policy]]       * [[https://learn.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-groups-expiration-policy]]
       * When a group expires, almost all of its associated services (the mailbox, Planner, SharePoint site, team, etc.) are also deleted.       * When a group expires, almost all of its associated services (the mailbox, Planner, SharePoint site, team, etc.) are also deleted.
Line 11: Line 11:
       * Expiration policies are only supported for dynamic groups.       * Expiration policies are only supported for dynamic groups.
   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>   * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>
 +  * <color :#fff200>There is an option for Groups that allows roles to be assigned to them. This setting can only be set when the group is created and cannot be changed later.</color>
 +    * Using this feature requires a Microsoft Entra ID P1/P2 license.
  
 ====== Azure Organization/Structure/Scoping ====== ====== Azure Organization/Structure/Scoping ======
Line 24: Line 26:
 ---- ----
 ===== Administrative Units ===== ===== Administrative Units =====
-  * //Administrative Units (AU)// provide an administrative scope <color :#fff200>over a subset Entra ID users and groups</color>.+  * //Administrative Units (AU)// provide an administrative scope <color :#fff200>over a subset of Entra ID users and groups</color>.
   * Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group.   * Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group.
   * AUs cannot be nested.   * AUs cannot be nested.
Line 56: Line 58:
   * Examples of Entra ID roles:   * Examples of Entra ID roles:
     * Global Admin     * Global Admin
 +      * When you create a new Microsoft Entra tenant, you are automatically assigned the Global Administrator role
     * Application Admin     * Application Admin
     * Application Developer     * Application Developer
Line 65: Line 68:
  
   * <color :#fff200>Azure Roles are //additive//, meaning when multiple roles are assigned to a user the user gets the sum of all permissions granted by all roles.</color>   * <color :#fff200>Azure Roles are //additive//, meaning when multiple roles are assigned to a user the user gets the sum of all permissions granted by all roles.</color>
 +
 +==== Role Assignments ====
 +   * An <color :#fff200>Azure role assignment condition</color> is an optional check that you can add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.
 +
 ====== Administrative Units ====== ====== Administrative Units ======
   * The default scope for Entra Id roles is global (the entire tenant)   * The default scope for Entra Id roles is global (the entire tenant)
Line 100: Line 107:
 </callout> </callout>
   * **Attribute Assignment Administrator role** - Users with this role can assign and remove custom security attribute keys and values for supported Microsoft Entra objects such as users, service principals, and devices.   * **Attribute Assignment Administrator role** - Users with this role can assign and remove custom security attribute keys and values for supported Microsoft Entra objects such as users, service principals, and devices.
 +
 +----
 +Attributes can be assigned to the following entities:
 +  * Users: Attributes like name, email, job title, department, location, etc.
 +  * Groups: Attributes like description, membership rules, expiration policies.
 +  * Applications: Attributes like display name, description, sign-in URL, etc.
 +  * Devices: Attributes like device type, operating system, serial number, etc.
 +  * Service Principals: Attributes like display name, description, application ID, etc.
 +
 +====== Licensing ======
 +  * Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members. You can set this value in Microsoft Entra by going to Identity > Users > All users > select a user > Properties.
 +  * When you assign licenses to a group or you make bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.
 +
 +====== Global Admin Elevated Access ======
 +  * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]
 +  * As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.
 +   * There is a setting on the Entra Id tenant/directory that allows a Global Admin to <color :#fff200>"manage access to all Azure subscriptions and management groups in this tenant."</color> This allows the user to assign themselves and others roles to access resources.
 +   * This setting gives the user the User Access Administrator role for the root scope that is inherited by all management groups/subscriptions.
 +   * Although it's a per-user settings it is enabled from the tenant blade, not the user properties blade.
 +   * Also, it results in an Azure role being assigned to the user, not a Entra Id/Administrative role being assigned. <color :#fff200>So, it might seem a little counterintuitive for the role to get assigned from tenant blade, but this a special case of bootstrapping the ability to assign RBAC roles.</color>
 +
 +====== Multi-factor Authentication (MFA) ======
 +  * Conditional Access based MFA is also call Per-Authentication MFA in contrast to Per-User MFA.
 +
 +====== Conditional Access ======
 +  * [[https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview]]
  
  • azure/az-104_2024/identity_and_access_management.1728498245.txt.gz
  • Last modified: 2024/10/09 18:24
  • by mmuze