Author Kamal Kumar on August 23, 2020

Azure Active Directory ~ Manage Identities Chapter 2

In this article we'll cover the concept of custom domains and resetting Azure AD passwords, and get a brief overview of Azure Active Directory. We'll also look at the available options for joining Azure AD.
What we will cover in this article -

Azure active directory overview, key points

  • Each Azure AD is independent.
  • Azure AD must be associated with a subscription.
  • Multiple AADs are supported.
  • A domain name can only be used by a single Azure AD tenant.
  • The creator of the tenant is a global administrator.
  • Other administrators do not have access to the directory unless granted permissions.
  • Deleting the subscription does not delete the directory; you can still use it through PowerShell, the Azure AD Graph API and the Office 365 Admin center.
  • Prerequisites for deleting Azure Active directory -
    • Delete all users first (Except global admin who will delete the users).
    • Must delete all the applications as well.
    • Disable MFA.
    • Delete all subscriptions from other services such as Office 365, Dynamics CRM, etc.

Available options to join Azure AD

  • Registering -
    • Register to Azure AD
    • Identity is assigned to the device
    • The identity is used to authenticate the device and to enable or disable it.
    • Combine with Mobile Device Management (MDM) for conditional access.
  • Joining -
    • An already registered device changes its state when it is joined.
    • User can log in using work/school account.
    • Note - Only available for Windows 10 devices.
    • Benefits of Joining AAD -  
      • Single Sign-On to SaaS apps and services.
      • Enterprise state roaming.
      • Users can use Windows Hello.
      • Restrict access based on compliance policy.
      • Access to on-premises resources if a domain controller (DC) is available.
      • Can access the Windows Store for Business.
  • Hybrid Azure AD connect -
    • Used when devices are joined to AD on-premises.
    • Supports devices running Windows 7 or later.
    • Registration is automatic.
  • Enterprise State Roaming -
    • Settings and App data are synchronized across devices.
    • Windows 10 only.
    • Reduce the time needed to configure a new device.
    • Also supports separating corporate and consumer data in the user's cloud accounts.
    • Azure Rights Management ensures data is automatically encrypted before it leaves the device.
    • Requires at least an Azure AD Premium subscription or Enterprise Mobility + Security.
    • The device must authenticate using an Azure AD Identity.

Custom domains

  • Only global administrators can manage domains in Azure AD.
  • Can have up to 900 managed domain names per Azure AD tenant.
  • Can have up to 450 domains for federation using on-premises AD.
  • If I add a subdomain, it will automatically be verified if its parent domain is already verified.
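The domain verification flow described above, as an added example (not code from the original article) using the AzureAD PowerShell module: it first checks whether an already verified parent domain exists in the tenant, and otherwise publishes the TXT proof and confirms the domain. The domain name is a placeholder, and Connect-AzureAD must have been run as a global administrator.

```powershell
# Added example: verify a custom domain in Azure AD with the AzureAD module.
# Assumes Connect-AzureAD has already been run as a global administrator.
$Domain = 'corp.example.com'   # placeholder, replace with your own domain

function Get-VerifiedParentDomain {
    param([string]$Name)
    # A subdomain is verified automatically when a verified parent is in the tenant.
    $verified = Get-AzureADDomain | Where-Object { $_.IsVerified }
    $parts = $Name.Split('.')
    # Walk up the hierarchy but stop before the public suffix (e.g. 'com').
    for ($i = 1; $i -lt $parts.Count - 1; $i++) {
        $parent = $parts[$i..($parts.Count - 1)] -join '.'
        if ($verified.Name -contains $parent) { return $parent }
    }
    return $null
}

function Add-AndVerifyDomain {
    param([string]$Name)
    New-AzureADDomain -Name $Name | Out-Null

    $parent = Get-VerifiedParentDomain -Name $Name
    if ($parent) {
        Write-Host "$Name is a subdomain of verified domain $parent; no DNS proof needed."
        return (Get-AzureADDomain -Name $Name).IsVerified
    }

    # Azure AD issues a TXT value that must be published at the domain apex.
    $txt = Get-AzureADDomainVerificationDnsRecord -Name $Name |
           Where-Object { $_.RecordType -eq 'Txt' }
    Write-Host "Publish this TXT record at $Name : $($txt.Text)"

    # Poll public DNS for the record, then ask Azure AD to confirm ownership.
    for ($attempt = 1; $attempt -le 10; $attempt++) {
        $published = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.Strings }
        if ($published -contains $txt.Text) {
            Confirm-AzureADDomain -Name $Name
            return (Get-AzureADDomain -Name $Name).IsVerified
        }
        Start-Sleep -Seconds 60
    }
    Write-Warning "TXT record for $Name not visible in DNS after 10 minutes."
    return $false
}

Add-AndVerifyDomain -Name $Domain
```

Until Confirm-AzureADDomain succeeds the domain stays unverified and cannot be assigned to users, so the return value is what an onboarding script should gate on.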


Password reset

  • Need to register for password reset before users can actually reset it.
  • Select one of 'None', 'Selected' or 'All':
    • None - no one is allowed to reset their password.
    • Selected - you can choose a set of users or groups who can reset their passwords.
    • All - every user can reset their password using MFA.
  • By default 'Admins' can reset their passwords in Azure. No need to configure anything for that.
  • Go to 'authentication methods' -
    • Choose whether 1 or 2 methods are required for a reset, from mobile app code, email, phone, SMS, security questions, etc.
      • You can also configure custom questions if you’re selecting 'security questions'.
  • Note - These settings apply only to users. Admins always have to use two-factor authentication.
  • Registration - If we require multi-factor authentication for password reset, we just need to ask users to register their phone number, email ID, etc. so that MFA can work.
  • Notifications - Users are notified once their password has been reset.
  • Customization - We can provide a helpdesk link for users who run into trouble while resetting.
  • On-premises integration -
    • Writes passwords back to the local AD when a user resets them.
    • Allow users to unlock their user accounts without resetting their passwords.


Password hash synchronization

  • Syncs on-premises password to Azure AD.
  • Use the same password for both on-premises and cloud.
  • Password hashes are stored in Azure AD.
  • Password writeback: when a password is changed in Azure AD, the new password is automatically synced to the on-premises AD.
  • This is the default authentication method when using Azure AD Connect express settings.