Exam Ref AZ-104 Microsoft Azure Administrator Certification and Beyond: Master Azure administration and pass the AZ-104 exam with confidence, Third Edition

Devices in Microsoft Entra ID

In this chapter, you will delve into Microsoft Entra’s functionalities and configurations. As organizations increasingly adopt a digital-first approach, the ability to securely and efficiently manage devices and identities has never been more critical. This chapter is structured to walk you through the essentials of configuring and managing devices for seamless integration within your organizational infrastructure. You will learn about configuring Microsoft Entra Join to simplify the complexity of integrating devices with Microsoft Entra for enhanced security and user experience. Additionally, you will explore operational agility provided by performing bulk operations, essential to managing users and groups at scale. You will learn how to create guest accounts in Microsoft Entra ID. Finally, you will learn about configuring Self-Service Password Reset (SSPR), which is a critical feature that empowers users to reset their own passwords and reduce the administrative burden of password management for IT support.

In this chapter, the following topics will be covered:

  • Configuring and Managing Devices
  • Configuring Microsoft Entra Join
  • Performing Bulk Operations
  • Navigating Guest Accounts
  • Configuring SSPR

Technical Requirements

To follow along with the hands-on lessons, you will need access to the following:

  • Microsoft Entra ID as a global administrator.
  • Azure subscription with owner or contributor privileges. If you do not have access to one, you can enroll for a free account: https://azure.microsoft.com/en-us/free/.
  • PowerShell 5.1 or later installed on a Windows PC or PowerShell Core 6.x on other operating systems where labs can be practiced.
  • For Windows users, you will need to install .NET Framework 4.7.2 or later using the following link: https://learn.microsoft.com/en-us/dotnet/framework/install.
  • Note that, occasionally, examples can only be followed from a PC or https://shell.azure.com (PowerShell 7.0.6 LTS or later is recommended).
  • Install the Az PowerShell module, which can be performed by running the following in an administrative PowerShell session:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
    Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Configuring and Managing Devices

In Microsoft Entra, a device represents any physical or virtual device that is registered with the directory. This can include devices such as laptops, desktops, mobile phones, and tablets. When a device is registered with Microsoft Entra, it can be managed and secured using policies and configurations defined in the directory. By managing devices in Microsoft Entra, IT administrators can ensure that devices accessing corporate resources meet an organization’s security and compliance requirements. In the following sections, you will explore device management in more detail and discuss how Microsoft Entra enables device management at scale.

Configuring Device Identities

When it comes to managing your devices through Microsoft Entra, you have several services available to you. You may want to support Bring Your Own Device (BYOD) scenarios or opt for a more traditional management style through Microsoft Entra joined devices. Joining is the typical approach for larger organizations that have established control and management structures for their IT infrastructure. For this course, you need to only be aware of how to register or join your devices to Microsoft Entra. This topic is worth much more exploration and research before you decide to adopt a certain approach.

Microsoft Entra Device Registration

A Microsoft Entra ID Registered Device is one that is registered within the Microsoft Entra ID directory but not added as a member of an organization:

  • The device is then granted access to resources through an attachment to a Microsoft account in Microsoft Entra ID.
  • It provides users with a Single Sign-On (SSO) experience across their devices, including app authentication.
  • It enables Conditional Access policy enforcement.
  • It is recommended for personally owned devices or devices not used exclusively for business purposes. Personally owned devices are also defined as BYOD, which are devices that can be used for work purposes.
  • It offers a streamlined process with minimal administrative overhead.
  • The device can be managed through tools such as Microsoft Intune.

The following diagram illustrates a device’s connection to Microsoft Entra ID and the relationship flow.

Figure 2.1: Microsoft Entra ID – device registration

For more details, refer to https://learn.microsoft.com/en-us/entra/identity/devices/concept-device-registration.

Microsoft Entra Join

A Microsoft Entra ID joined device is one that is added to an organization’s Microsoft Entra ID directory, providing additional benefits and control to the organization:

  • It is fully managed by the organization with access to on-premises Active Directory resources. It is, therefore, suitable for dedicated, organization-owned devices that need full access to organizational resources.
  • It is explicitly tied to an organizational user account and managed as part of the directory.
  • It offers better management capabilities and integration and can use Conditional Access policies.

The following diagram illustrates a device-to-Microsoft Entra ID join connection, demonstrating how the connection is made from the device to Microsoft Entra ID. Entra ID can then form a hybrid connection to an on-premises Active Directory system, with synchronization occurring between the platforms through the Microsoft Entra Connect service.

Figure 2.2: Microsoft Entra ID – a device join

For more details, refer to https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join.

Microsoft Entra Hybrid Join

A Microsoft Entra ID hybrid joined device is a device that is joined to both the on-premises Active Directory (AD) and Entra ID, for organizations with a blended infrastructure. It is designed to support Windows 10 and 11 devices:

  • It retains the benefits of local on-premises AD while leveraging cloud features, such as enabling the continued use of Group Policy in Entra ID
  • It combines cloud authentication with on-premises resources and devices
  • It facilitates seamless transitions and secure access to resources in hybrid environments
  • It is ideal for organizations that have a mix of cloud and on-premises infrastructure deployments

The following diagram illustrates a device connection to Microsoft Entra ID and the relationship flow for a Microsoft Entra ID hybrid join connection, demonstrating how the connection is made from the device to Microsoft Entra ID as a registration and to an Active Directory for a domain join. Entra ID will then have a hybrid connection to an on-premises Active Directory system, with synchronization occurring between the platforms through the Microsoft Entra Connect service.

Figure 2.3: Microsoft Entra ID – a device hybrid join

For more details, refer to https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join.
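The three join models above are visible in the directory as the trustType attribute of each device object. The following script is an added example and not code from the book or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that Connect-MgGraph is run with the Device.Read.All scope. It builds an inventory grouped by join type and lists enabled devices that have not signed in for 90 days (the 90-day threshold and the output file name are my own assumptions).

```powershell
# Added example, not from the book: inventory directory devices by join type
# using the Microsoft Graph PowerShell SDK (assumed installed). The Graph
# device object's trustType value distinguishes the three join models.
Connect-MgGraph -Scopes 'Device.Read.All'

function ConvertTo-JoinTypeLabel {
    param([string]$TrustType)
    switch ($TrustType) {
        'AzureAd'   { 'Microsoft Entra joined' }
        'ServerAd'  { 'Microsoft Entra hybrid joined' }
        'Workplace' { 'Microsoft Entra registered' }
        default     { "Unknown ($TrustType)" }
    }
}

# Pull only the attributes the report needs; -All follows paging in large tenants.
$devices = Get-MgDevice -All -Property 'id,displayName,trustType,operatingSystem,operatingSystemVersion,accountEnabled,isCompliant,isManaged,approximateLastSignInDateTime'

$report = foreach ($d in $devices) {
    [pscustomobject]@{
        DisplayName = $d.DisplayName
        JoinType    = ConvertTo-JoinTypeLabel $d.TrustType
        OS          = "$($d.OperatingSystem) $($d.OperatingSystemVersion)".Trim()
        Enabled     = $d.AccountEnabled
        Compliant   = $d.IsCompliant
        Managed     = $d.IsManaged
        LastSignIn  = $d.ApproximateLastSignInDateTime
    }
}

# Headline counts per join model.
$report | Group-Object JoinType | Select-Object Name, Count | Format-Table -AutoSize

# Enabled devices with no sign-in in 90 days (threshold is my assumption):
# candidates for review or disabling rather than leaving them as valid identities.
$cutoff = (Get-Date).AddDays(-90)
$report | Where-Object { $_.Enabled -and $_.LastSignIn -and $_.LastSignIn -lt $cutoff } |
    Sort-Object LastSignIn | Format-Table DisplayName, JoinType, OS, LastSignIn -AutoSize

# Keep a copy for the change record (file name is my assumption).
$report | Export-Csv -Path '.\entra-devices.csv' -NoTypeInformation -Encoding UTF8
```

The stale-device list is the part worth scheduling: a device identity that is still enabled but has not been used in months is a credential that nobody is watching, and disabling it is reversible.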

Next, we will explore what device settings you can manage in Microsoft Entra.

Device Settings

Microsoft Entra enables organizations to ensure that their users access Azure resources from devices that comply with their security and compliance policies. Device management is a crucial component of device-based Conditional Access, where access to corporate resources is restricted only to managed devices.

Device settings can be easily managed from the Azure portal, provided the device is registered or joined to Microsoft Entra. To access Devices, you need to select it from the Manage context from the left-hand menu under Microsoft Entra ID. On the Devices blade, you can select Device settings from the left menu. The following device settings are available for configuration in Microsoft Entra ID:

  • Users may join devices to Microsoft Entra: This setting lets administrators specify which users can join their Windows 10 devices to Entra ID. This setting is only applicable to Microsoft Entra Join on Windows 10. The Selected option allows you to specify which members are allowed to join their devices to Entra ID.

Figure 2.4: Device settings – Users may join devices to Microsoft Entra

  • Users may register their devices with Entra ID: This setting needs to be configured to allow devices to be registered with Entra ID. There are two options here – None, which means that devices are not allowed to register when they are not Microsoft Entra-joined or hybrid Microsoft Entra-joined, and All, which means that all devices are allowed to register.

Figure 2.5: Device settings – Users may register their devices with Microsoft Entra

Note

In order for you to enroll with Microsoft Intune or Mobile Device Management (MDM) for Microsoft 365, you will be required to register. If you have configured either of these services, the All option is selected by default and None is not available for selection.

  • Require Multi-Factor Authentication to register or join devices with Microsoft Entra: This setting adds another layer of security by requiring users to authenticate with Multi-factor Authentication (MFA) when registering or joining their devices to Microsoft Entra. Before you can enable this setting, MFA needs to be configured for the users who register their devices.

Figure 2.6: Device settings – requiring MFA

  • Maximum number of devices per user: This setting allows you to select the maximum number of devices that a user can have in Microsoft Entra. Reaching this quota will prevent additional devices from being added until either existing devices are removed or the quota limit is changed.
  • Manage Additional local administrators on all Microsoft Entra joined devices: This setting allows you to add additional local administrators for Microsoft Entra joined devices. A local administrator is a user who has administrative privileges on a specific device or computer.

Figure 2.7: Device settings – Local administrator settings

Figure 2.8: Device settings – Microsoft Entra LAPS

  • Restrict users from recovering the BitLocker key(s) for their owned devices: Restricting users from recovering BitLocker keys for their owned devices is a security measure that prevents non-admin users from accessing their device’s BitLocker key(s) for self-service recovery. By setting this restriction to Yes, only admin users can retrieve the keys, ensuring an additional layer of security and control over the devices. Conversely, setting it to No allows all users to recover their BitLocker key(s), enabling self-service access but potentially reducing security.

Figure 2.9: Device settings – BitLocker key(s)
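The settings on the Device settings blade are backed by a single tenant-wide Graph resource, policies/deviceRegistrationPolicy, so they can be audited from a script as well as read off the portal. The following is an added example, not code from the book or from Microsoft; it assumes the Microsoft Graph PowerShell SDK and the Policy.Read.All scope, and the thresholds it flags (MFA not required, a per-user quota above 20, all users allowed to join, global administrators as local admins, LAPS off) are my own review choices rather than Microsoft guidance.

```powershell
# Added example, not from the book: read the tenant-wide device registration
# policy that backs the Device settings blade and flag values that weaken the
# controls described above. Assumes the Microsoft.Graph SDK and Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All'

function Get-DeviceSettingsFindings {
    param($Policy)   # the deviceRegistrationPolicy resource (hashtable from Invoke-MgGraphRequest)
    $findings = New-Object System.Collections.Generic.List[string]

    # "Require Multi-Factor Authentication to register or join devices"
    if ($Policy.multiFactorAuthConfiguration -ne 'required') {
        $findings.Add('MFA is not required to register or join devices.')
    }

    # "Maximum number of devices per user" (threshold of 20 is my assumption)
    if ($Policy.userDeviceQuota -gt 20) {
        $findings.Add("Per-user device quota is $($Policy.userDeviceQuota); consider a lower cap.")
    }

    # "Users may join devices to Microsoft Entra": All vs Selected vs None
    $join = $Policy.azureADJoin.allowedToJoin.'@odata.type'
    if ($join -like '*allDeviceRegistrationMembership') {
        $findings.Add('All users may join devices; use Selected if joins should be controlled.')
    }

    # "Additional local administrators": global admins are local admins when enabled
    if ($Policy.azureADJoin.localAdmins.enableGlobalAdmins) {
        $findings.Add('Global Administrators are local administrators on every joined device.')
    }

    # Microsoft Entra LAPS (Figure 2.8)
    if (-not $Policy.localAdminPassword.isEnabled) {
        $findings.Add('Windows LAPS with Microsoft Entra is not enabled.')
    }

    return $findings
}

$policy   = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'
$findings = Get-DeviceSettingsFindings -Policy $policy
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Because the policy is one object, the same script run on a schedule gives you drift detection for these settings: a change from required to notRequired on the MFA setting shows up the next morning instead of during an incident review.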

Enterprise State Roaming

Enterprise State Roaming is a feature in Microsoft Entra ID that allows users to synchronize their application and system settings across their Windows devices. This means that when a user sets up a new Windows device, their familiar settings and preferences will be applied to the new device automatically. This feature is especially useful for organizations that provide employees with multiple Windows devices, or for users who switch between devices frequently. With Enterprise State Roaming, users can have a more seamless and consistent experience across all their Windows devices. The synchronization is achieved through Microsoft Entra ID, and all data is encrypted to ensure security and privacy.

This setting now has its own blade and can be accessed by clicking Enterprise State Roaming from the left menu of the Device blade, under the Manage context.

Selecting All will enable all users in your organization to take advantage of this feature, Selected allows you to specify users, and None will disallow all users from using the feature.

Figure 2.10: Enterprise State Roaming

You can read more about Enterprise State Roaming here: https://learn.microsoft.com/en-us/entra/identity/devices/enterprise-state-roaming-enable.

You now have a basic understanding of what Enterprise State Roaming is and the features and benefits it offers. Next, you will learn about device management settings.

Managing Device Settings

To manage the device settings from the Azure portal, you need to perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. From the left-hand hamburger menu or the main search bar, select Microsoft Entra ID.
  3. From the left-hand menu, select Devices under the Manage context, as follows:

Figure 2.11: The Microsoft Entra ID Devices blade

  4. The device management blade will open. Here, you can configure your device management settings, locate your devices, perform device management tasks, and review the device management-related audit logs.
  5. To configure the device settings, select Device settings from the left-hand menu. From here, you can configure the following settings, which are shown in Figure 2.12:
    • Users may join devices to Microsoft Entra: All
    • Require Multifactor Authentication to register or join devices with Microsoft Entra: No

Figure 2.12: Microsoft Entra ID – the Device settings blade

  6. To locate your devices, select All devices from the left menu. In this pane, you will see all the joined and registered devices, as follows:

Figure 2.13: Microsoft Entra ID – All devices

  7. Additionally, you can select the different devices from the list to get more detailed information about a device. From here, global administrators and cloud device administrators can disable or delete the device:

Figure 2.14: Microsoft Entra ID – workstation 1 details

You now have experience managing a device on Microsoft Entra. The next topic you will learn about is audit logs, under the Devices blade.

Device Audit Logs

The audit logs section under Devices in Microsoft Entra ID contains a record of all activities related to device management. Audit logs provide detailed information on events and actions performed within the system. These logs offer valuable insights for administrators looking to monitor security, troubleshoot issues, and maintain compliance.

Using device audit logs, administrators can track changes made to device properties, registration and deletion events, and other relevant activities performed by either the users or the system itself. Information stored in the logs typically includes event timestamps, target(s) (affected devices), user details, and the specific category of the activity and actions/changes made during an event. Microsoft Entra offers a user-friendly interface to view and analyze device audit logs, allowing administrators to filter and sort records based on specific criteria, such as event type or date range. This enables you to quickly identify and investigate suspicious activities or potential sources of issues within the device management environment.

By regularly reviewing and analyzing device audit logs, organizations can proactively detect anomalies and maintain regulatory compliance, thus ensuring a secure and efficient device management process within your Microsoft Entra ecosystem. Additionally, the audit logs can be exported to third-party security information and event management (SIEM) systems for further analysis and correlation with other security events. In this exercise, you will explore how to view audit logs in the Azure portal. Complete the following steps:

  1. To view audit logs, navigate to the Devices blade from Microsoft Entra ID.
  2. From the left menu of the Devices blade, under the Activity context, select Audit logs. This is where you can view and download the different log files for your devices. Additionally, you can create filters to search through the logs, as per the following example:

Figure 2.15: Microsoft Entra ID – the Audit logs blade

This concludes the section on how to manage your device settings via the Azure portal.
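The same audit records can be pulled programmatically, which is how you would feed a review or a SIEM. The script below is an added example, not code from the book or from Microsoft; it assumes the Microsoft Graph PowerShell SDK and the AuditLog.Read.All scope. The 'Device' category name and the activity names it matches on ('Delete device', 'Update device') are taken from how the Devices > Audit logs blade labels these events and should be confirmed against your own tenant's output; the seven-day window is my assumption.

```powershell
# Added example, not from the book: pull the last seven days of device audit
# events through the Microsoft Graph PowerShell SDK (assumed installed) and
# summarise the ones a defender usually triages first.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Category name is an assumption based on the portal's labelling; verify in your tenant.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "category eq 'Device' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

function ConvertTo-AuditSummary {
    param($Events)
    foreach ($e in $Events) {
        # Actor is either an interactive user or an application/service.
        $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
                 elseif ($e.InitiatedBy.App.DisplayName)     { "app:$($e.InitiatedBy.App.DisplayName)" }
                 else                                        { 'unknown' }
        [pscustomobject]@{
            Time     = $e.ActivityDateTime
            Activity = $e.ActivityDisplayName
            Result   = $e.Result
            Actor    = $actor
            Target   = ($e.TargetResources | Select-Object -First 1).DisplayName
            Service  = $e.LoggedByService
        }
    }
}

$summary = ConvertTo-AuditSummary -Events $events

# Volume by activity: a spike in registrations or deletions is worth a look.
$summary | Group-Object Activity | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# State-changing actions and any failures, newest first.
$summary | Where-Object { $_.Activity -match 'Delete|Update' -or $_.Result -ne 'success' } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Who made the most changes: one interactive account performing bulk deletes
# outside a change window is the pattern to chase.
$summary | Group-Object Actor | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10 | Format-Table -AutoSize
```

For continuous collection rather than ad hoc queries, the Event Hub streaming option in the Note that follows is the supported route into a SIEM; this script is for the quick look during an investigation.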

Note

You are encouraged to read up further by using the following links:

https://learn.microsoft.com/en-us/entra/identity/devices/manage-device-identities.

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-stream-logs-to-event-hub.

https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices.

In the next section, you will explore the licensing options behind Microsoft Entra.

Licensing

Microsoft Entra offers a range of licensing options to meet your organizational requirements, whether small or large businesses. These licensing options determine which features and functionalities are available to users. Some of the key features of Microsoft Entra include SSO, MFA, and device management. In the following section, you will explore the different pricing plans available for Microsoft Entra and what each plan includes.

Microsoft Entra ID offers the following pricing plans:

  • Microsoft Entra ID Free: This offers the most basic features, such as support for SSO across Azure, Microsoft 365, and other popular Software as a Service (SaaS) applications, Azure Business-to-Business (B2B) for external users, support for Microsoft Entra Connect synchronization, self-service password change, user and group management, and standard security reports.
  • Microsoft Entra ID P1: Previously known as Azure Active Directory P1. In addition to the Free license features, this license offers a service-level agreement, advanced reporting, Conditional Access, Microsoft Entra Connect Health, advanced administration such as dynamic groups, self-service group management, and Microsoft Identity Manager.
  • Microsoft Entra ID P2: Previously known as Azure Active Directory P2. In addition to the Free and Microsoft Entra ID P1 license features, the Microsoft Entra ID P2 license includes Identity Protection, Privileged Identity Management (PIM), access reviews, and entitlement management.
  • Microsoft Entra ID Governance: For users of Microsoft Entra ID P1 and P2, Microsoft Entra ID Governance provides a sophisticated suite of identity governance features that can be added at a premium. These capabilities include automated user and group provisioning, HR-driven provisioning, terms of use attestation, basic and advanced access certifications and reviews, basic and advanced entitlement management, life cycle workflows, identity governance dashboard, and PIM.
  • Microsoft Entra Verified ID: Microsoft Entra Verified ID is a license currently included free within any Microsoft Entra ID subscription, such as Microsoft Entra ID Free. This service enables organizations to verify and issue credentials based on unique identity attributes, granting individuals control over their digital credentials and improving visibility. The benefits of Verified ID include reduced organizational risk, simplified audit processes, and seamless integration for developers to create user-centric serverless applications. Organizations can enable Verified ID for free in the Microsoft Entra admin center.
  • Microsoft Entra Permissions Management: This is a set of identity governance features tailored for Microsoft Entra ID P1 and P2 subscribers. These capabilities include automated user and group provisioning, HR-driven provisioning, terms of use attestation, basic and advanced access certifications and reviews, basic and advanced entitlement management, life cycle workflows, identity governance dashboard, and PIM.
  • Microsoft Entra Workload ID: With the standalone Microsoft Entra Workload ID product, organizations can reduce risk exposure from compromised or lost identities or credentials, regulate workload identity access with adaptive policies, and obtain a thorough workload identity health-check view. The monthly pricing for Workload ID is based on the workload identity.

Note

For a detailed overview of the different Microsoft Entra licenses and all the features that are offered in each plan, refer to https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing.

Now that you have a basic understanding of what Microsoft Entra ID is and the licensing models involved, you will learn how to implement a license.

Try/Buy License Products for Microsoft Entra

In this exercise, you are going to learn how to try or buy a license that can be associated with your Microsoft Entra instance. To do so, follow the following steps:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. From the left-hand hamburger menu or the main search bar, select Microsoft Entra ID.

Figure 2.16: Selecting Microsoft Entra ID

  3. Click on the Licenses setting under the Manage context from the left menu.

Figure 2.17: Microsoft Entra ID – Licenses

  4. From the Licenses blade on the left menu, select All products, and then click Try / Buy from the blade screen that is presented.

Figure 2.18: Microsoft Entra ID – Licenses | All products

  5. An Activate pop-up screen will appear. To select a product for trial, you can click the Free trial drop-down option and then Activate to activate the license for the service offering you want to try, such as the following screenshot for Microsoft Entra ID P2.

Figure 2.19: Microsoft Entra ID – activating a trial license

You have now seen how to try a licensed product using the Azure portal. Next, you will learn about assigning a license to one of your users or groups.

Assigning a License

In this exercise, you are going to assign an active licensed product to a user to demonstrate the assignment of licenses from within Microsoft Entra ID:

  1. Just as you did in the previous exercise, you will navigate back to the All products settings screen under the Licenses blade.
  2. Select the license you are looking to assign; in this instance, we will assign the Microsoft 365 E5 Developer license. Then, click Assign from the top menu.

Figure 2.20: Microsoft Entra ID licensing – assigning a license

  3. Click + Add users and groups.

Figure 2.21: Microsoft Entra ID licensing – Add users and groups

  4. From the screen that pops up, create a filter to search for the relevant name you are looking for – in this case, Demo. Select DemoUser1 and DemoUser2.

Figure 2.22: Microsoft Entra ID licensing – selecting users

  5. Once you have chosen your users, click Select.
  6. Click Review + assign, and then, on the final screen, click Assign.

You have now seen how to not only add product licenses but also assign them. Although there are several license types, the basic principles still apply, and the licenses are just as easy to assign. In the next section, we will look at what Microsoft Entra Join is and how to configure it for Windows 10 devices.
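The same assignment can be scripted, which is what you will want once the user list is longer than two. The following is an added example and not code from the book or from Microsoft; it assumes the Microsoft Graph PowerShell SDK with the User.ReadWrite.All and Organization.Read.All scopes, uses a placeholder UPN domain, and assumes 'DEVELOPERPACK_E5' is the SKU part number of the Microsoft 365 E5 Developer plan in your tenant (confirm with Get-MgSubscribedSku). It checks seat availability and the user's usage location before assigning, which are the two reasons a portal assignment usually fails.

```powershell
# Added example, not from the book: assign one license to DemoUser1 and DemoUser2
# from PowerShell. Assumes the Microsoft.Graph SDK; SKU part number and UPN domain
# are assumptions/placeholders to replace with your tenant's values.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$skuPartNumber = 'DEVELOPERPACK_E5'              # assumption: confirm with Get-MgSubscribedSku
$domain        = 'yourtenant.onmicrosoft.com'    # placeholder
$users         = "demouser1@$domain", "demouser2@$domain"
$usageLocation = 'US'                            # a license cannot be assigned without one

function Add-LicenseToUsers {
    param([string]$SkuPartNumber, [string[]]$UserPrincipalNames, [string]$UsageLocation)

    $sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not in this tenant; run Get-MgSubscribedSku to list what is." }

    # Fail early instead of half-way through the list.
    $available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($available -lt $UserPrincipalNames.Count) {
        throw "Only $available seat(s) of $SkuPartNumber free; $($UserPrincipalNames.Count) requested."
    }

    foreach ($upn in $UserPrincipalNames) {
        $user = Get-MgUser -UserId $upn -Property 'id,userPrincipalName,usageLocation,assignedLicenses'

        if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
            "$upn already has $SkuPartNumber; skipping."
            continue
        }
        if (-not $user.UsageLocation) {
            Update-MgUser -UserId $user.Id -UsageLocation $UsageLocation
        }

        # Set-MgUserLicense requires both parameters even when nothing is removed.
        Set-MgUserLicense -UserId $user.Id `
            -AddLicenses @(@{ SkuId = $sku.SkuId }) `
            -RemoveLicenses @() | Out-Null
        "Assigned $SkuPartNumber to $upn."
    }
}

Add-LicenseToUsers -SkuPartNumber $skuPartNumber -UserPrincipalNames $users -UsageLocation $usageLocation
```

Direct per-user assignment is fine for a lab; in production, group-based licensing (assigning the license to a group and managing membership) keeps assignments consistent and removes them automatically when a user leaves the group.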

Configuring Microsoft Entra Join

With Microsoft Entra Join, you can join devices directly to Microsoft Entra without the need to join your on-premises Active Directory in a hybrid environment. While Microsoft Entra hybrid join with an on-premises Active Directory might still be preferred for some scenarios, Microsoft Entra Join simplifies the process of adding devices and modernizes device management for your organization. This can result in the reduction of device-related IT costs.

Your users may have access to corporate assets through their devices. To protect these corporate assets, you want to control these devices. This allows your administrators to ensure that your users are accessing resources from devices that meet your standards for security and compliance.

Microsoft Entra Join is a good solution when you want to manage devices with a cloud device management solution, when you want to modernize your application infrastructure, when you want to simplify device provisioning for geographically distributed users, and when your company adopts Microsoft 365 as the productivity suite for your users.

Microsoft Entra Join Methods

Microsoft Entra Join can be employed through any of the following methods:

  • Bulk deployment: This method is used to join large numbers of new Windows devices to Microsoft Entra and Microsoft Intune.
  • Windows Autopilot: This is a collection of technologies used to preconfigure Windows 10 and later devices so that the devices are ready for productive use. Autopilot can also be used to reset, repurpose, and recover devices.
  • Self-service experience: This is also referred to as a first-run experience, which is mainly used to join a new device to Microsoft Entra.

Microsoft Entra Join Management

When it comes to joining devices to Entra ID, there are two main ways of managing them:

  • MDM only: This is when the device is managed exclusively by an MDM provider such as Intune.
  • Co-management: This is when the device is managed by an MDM provider and Microsoft Configuration Manager.

Microsoft Entra Join Scenarios

When joining a Windows 10 device to Microsoft Entra, there are two scenarios that you need to look at:

  • Joining a new Windows 10 or later device via the Out-of-Box Experience (OOBE)
  • Joining an already configured Windows 10 or later device to Microsoft Entra

Now that you understand what Microsoft Entra Join is and does, we will take a look at how to configure it.

Configuring Microsoft Entra Join

To follow this exercise, you will require either a virtual machine or a physical machine that has Windows 10 Pro installed and access to the internet.

You will now join an existing Windows 10 device to Microsoft Entra, as follows:

  1. On the Windows 10 device, search for Settings and open Accounts.
  2. Select Access work or school, and then click Connect:

Figure 2.23: The Windows 10 settings menu to add and connect a device

  3. Enter the email address of the account you are setting up, and then click on Join this device to Microsoft Entra ID.

Figure 2.24: Selecting Join this Device to Microsoft Entra ID

  4. On the Sign in window that pops up, enter your user principal name (UPN) (usually the email address of the user account you created earlier in the chapter). For this exercise, use the demouser1 account created previously. Click Next.

Figure 2.25: Signing into Microsoft Entra

  5. You will be asked to confirm whether the organization you are joining and the details entered are correct, as per the following screenshot. If so, click Join.

Figure 2.26: Confirming your organization details

  6. You will now be joined and momentarily presented with a success screen. Click Done.

Figure 2.27: A confirmation message for Microsoft Entra Join

  7. When you navigate back to the Access work or school settings window, you will see that you are now joined to your organization. This will show something similar to the following screenshot with the connected organization. Note that the Entra ID wording will soon change to reflect Microsoft Entra.

Figure 2.28: Your connected organization on Microsoft Entra

  8. Finally, navigate to the Azure portal and the Devices blade for Microsoft Entra ID. Select All devices from the left menu, and you will then see your newly joined device appear:

Figure 2.29: Displaying the recently joined Windows 10 devices

That brings an end to this section. You have learned what Microsoft Entra Join is and the methods used to enroll devices, and you have also walked through the steps to manually join a Windows 10 device to Microsoft Entra.
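The portal view in step 8 is one side of the check; the device itself reports its state through the built-in dsregcmd /status tool, and its fields map directly onto the registered, joined and hybrid joined models from the Configuring Device Identities section earlier in this chapter. The following function is an added example and not code from the book or from Microsoft; the parser and the classification rules are mine, and the sample output it is run against is constructed for offline testing (on a real device, call it with no argument).

```powershell
# Added example, not from the book: verify the join state from the device with
# dsregcmd /status and map its fields to the three join models. The sample text
# below is constructed; on a real device run Get-DeviceJoinState with no argument.
function Get-DeviceJoinState {
    param([string[]]$StatusText = (dsregcmd /status))

    # Pick the "Key : Value" fields the classification needs.
    $wanted = 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'WorkplaceJoined',
              'TenantName', 'DeviceId', 'KeyProvider', 'TpmProtected'
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$' -and $wanted -contains $matches[1]) {
            $state[$matches[1]] = $matches[2]
        }
    }

    $joinType = if ($state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES') { 'Microsoft Entra hybrid joined' }
                elseif ($state.AzureAdJoined -eq 'YES')   { 'Microsoft Entra joined' }
                elseif ($state.WorkplaceJoined -eq 'YES') { 'Microsoft Entra registered' }
                elseif ($state.DomainJoined -eq 'YES')    { 'On-premises domain joined only' }
                else                                      { 'Not joined or registered' }

    [pscustomobject]@{
        JoinType     = $joinType
        TenantName   = $state.TenantName
        DeviceId     = $state.DeviceId
        TpmProtected = $state.TpmProtected   # YES: the device key is held in the TPM
        KeyProvider  = $state.KeyProvider
    }
}

# Constructed sample resembling dsregcmd output for a Microsoft Entra joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso (placeholder)
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample   # offline check of the parser
# Get-DeviceJoinState                       # on the real device
```

TpmProtected is the field to watch beyond the join type: when it is NO, the device identity key is software-protected and can be copied off the machine, which weakens any device-based Conditional Access rule that relies on that identity.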

Note

You are encouraged to read further by using the following links, which will provide additional information about Microsoft Entra Join, Windows Autopilot, and bulk device enrollment:

https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join

https://learn.microsoft.com/en-us/autopilot/windows-autopilot

https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll

https://learn.microsoft.com/en-us/entra/identity/devices/device-join-out-of-box

Next, we will look at what bulk operations are and how to perform them.

Performing Bulk Operations

Bulk Microsoft Entra ID operations refer to the ability to perform a single action or update across multiple users, groups, or other objects in Microsoft Entra ID. This can be especially useful for larger organizations with hundreds or thousands of users, where manual updates to each individual object would be time-consuming and inefficient. Bulk operations in Microsoft Entra ID can be performed using PowerShell, Graph API, or other supported methods. Common bulk operations include adding or removing users from groups, updating user attributes, and managing device settings. We will explore more about the bulk operations you can perform and how they work in the following section.

Some of the common bulk operations you will learn about in this book are the following:

  • Bulk user creation
  • Bulk user invitation
  • Bulk user deletion
  • Bulk user downloads

Performing Bulk Updates Using the Azure Portal

Performing bulk user updates is like managing single users (such as internal and guest users). The only operation that cannot be performed on multiple users at once is resetting a password, which must be done for a single user.

Azure has also improved its bulk user settings by adding a drop-down menu that enables you to perform updates via the downloadable CSV template, which you then re-upload.

Downloading a User List

To download a user list, you can follow the given steps:

  1. Navigate to the Users overview blade again in Microsoft Entra ID. You should land on the All users blade; if not, select that option.
  2. Click Download users from the top menu.

Figure 2.30: Bulk operations – clicking Download users

  3. Enter a filename and click Start. The export is saved as a .csv file, which can be opened in Microsoft Excel for easy editing (the free Office for the web version works too: https://www.microsoft.com/en-us/microsoft-365/free-office-online-for-the-web). Because it is a comma-separated text file, any text editor such as Windows Notepad also works. Note that the export contains the attributes of every user in the directory; handle it like any other directory extract and delete it when you are done.

Figure 2.31: Bulk operations – Download users

  4. Once complete, a link to download the file appears. Click the blue text to download it.

Figure 2.32: Downloading the users CSV file

If the file opens with all the values crammed into column A, you can split it into proper columns in Excel as follows:

  1. Click the A column header to select all the data.

Figure 2.33: Bulk operations – selecting the A column in Excel

  2. Select the Data tab from the top menu bar, and then select Text to Columns from the Data Tools group.

Figure 2.34: Bulk operations – selecting Text to Columns in Excel

  3. In the wizard that appears, select Delimited and then click Next.

Figure 2.35: Bulk Operations – Delimited in Excel

  4. Select Comma, and then click Next >.

Figure 2.36: Bulk operations – selecting Comma

  5. Select General for Column data format, and then click Finish.

Figure 2.37: Bulk Operations – selecting the column data format in Excel

Now, your data will be organized neatly into columns. Next, you will learn how to use this sheet to perform bulk deletion operations in Microsoft Entra ID.

Bulk User Deletion Operations

To demonstrate a bulk deletion, you will build a CSV that lists only the users you want to remove, using the list downloaded in the previous exercise as the source:

  1. Navigate back to the Users blade and select All users.
  2. Click Bulk operations and then Bulk delete.

Figure 2.38: Microsoft Entra ID – Bulk delete

  3. Click Download to get the bulk delete CSV template.

Figure 2.39: Microsoft Entra ID – the bulk delete template

  4. Open the template and paste in the user principal name of each user to delete, one per row, from row 3 downward (the first two rows are the template's version and column header lines and must stay as they are). You can copy the UPNs from the sheet you downloaded in the last exercise. Check the list carefully before saving: it must not contain your own account or any account that holds an administrator role. Click Save once you are finished and close the Excel sheet.

Figure 2.40: Bulk Operations – selecting users to delete in Excel

  5. Back in the Azure portal, click the Select a file option on the Bulk delete blade. In the open file dialog that appears, navigate to your file and click Open.
  6. Select Yes for Are you sure you want to perform the delete operation?, and then click Submit. You will receive a success notification once the operation completes. The users are soft-deleted: they appear under Deleted users for 30 days and can be restored from there, after which they are permanently removed.

That concludes the bulk user delete demonstration. Next, you will briefly explore other ways to modify Microsoft Entra ID user accounts.
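The portal wizard deletes whatever the file lists, with no check beyond the Yes/No prompt. The following PowerShell script is an added example (it is not from the book or its code download) that consumes the same Bulk delete template but adds the guard rails a practitioner wants: a dry run by default, and a refusal to delete the signed-in account or any holder of a directory role. It assumes the Microsoft Graph PowerShell SDK is installed, that the CSV is the downloaded template (version line, header line, then one UPN per row), and that the path and tenant ID are placeholders you replace.

```powershell
# Added example (not the book's code): safe bulk deletion driven by the portal's
# Bulk delete CSV template, using the Microsoft Graph PowerShell SDK
# (modules Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement).
# Assumptions: line 1 of the CSV is the template's version line, line 2 the
# column header, UPNs from line 3; $CsvPath and $TenantId are placeholders.
param(
    [string]$CsvPath  = "C:\Scripts\BulkDelete.csv",
    [string]$TenantId = "<your-tenant-id>",
    [switch]$Commit   # without -Commit nothing is deleted; the script only reports
)

Connect-MgGraph -TenantId $TenantId -Scopes "User.ReadWrite.All", "RoleManagement.Read.Directory"

# Skip the version line, parse the header row, and read the first (UPN) column
# whatever its exact header text is.
$rows      = @(Get-Content -Path $CsvPath | Select-Object -Skip 1 | ConvertFrom-Csv)
$upnColumn = $rows[0].PSObject.Properties.Name | Select-Object -First 1
$upns      = $rows | ForEach-Object { "$($_.$upnColumn)".Trim() } | Where-Object { $_ }

# Guard rails: never delete the signed-in account or any active directory-role holder.
$me = (Get-MgContext).Account
$privileged = @{}
foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $privileged[$member.Id] = $role.DisplayName
    }
}

foreach ($upn in $upns) {
    $escaped = $upn -replace "'", "''"   # escape the value for the OData filter
    $user = Get-MgUser -Filter "userPrincipalName eq '$escaped'" -Property Id, UserPrincipalName, UserType
    if (-not $user) { Write-Warning "Not found, skipping: $upn"; continue }
    if ($upn -ieq $me) { Write-Warning "Refusing to delete the signed-in account: $upn"; continue }
    if ($privileged.ContainsKey($user.Id)) {
        Write-Warning "Refusing to delete $upn (holds role '$($privileged[$user.Id])')"
        continue
    }
    if ($Commit) {
        Remove-MgUser -UserId $user.Id
        Write-Host "Soft-deleted $upn (restorable from Deleted users for 30 days)"
    } else {
        Write-Host "[dry run] would delete $upn ($($user.UserType))"
    }
}

Disconnect-MgGraph | Out-Null
```

Run it once without -Commit, read the dry-run output, and only then run it again with -Commit. The role check covers active assignments returned by Get-MgDirectoryRole; eligible Privileged Identity Management assignments are not included, so review those separately if you use PIM.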

Updating Multiple Users

You can also act on several users at once directly from the Users blade: tick the users in the list and choose Delete from the top menu, or open the per-user MFA settings for the selected users:

Figure 2.41: An alternative bulk user delete method

This concludes our demonstration of bulk user deletion using the Azure portal. Next, we will look at a PowerShell script that can help you achieve bulk user creation.

Performing Bulk Creations Using PowerShell

You will now run a PowerShell script that creates Microsoft Entra ID users quickly and programmatically in your environment. The script creates several demo users with a predefined password. Treat that shared password as a lab convenience only: in a real tenant, give each account a unique random password and force a change at first sign-in.

  1. Start by opening your favorite code editor or Notepad; I recommend VS Code, which you can download from https://code.visualstudio.com/download.
  2. Paste the following code and save it as a .ps1 file with whatever name you want. To follow this exercise, save the file in C:\Scripts on your computer and name it Create_AzureAD_Users.ps1. Populate the $TenantId and $DomainSuffix values between the quotation marks. The opening of the script, which declares the tenant, the domain suffix, and the list of users to create, is shown here:

    Create_AzureAD_Users.ps1

    # Enter the Tenant ID for your Azure AD
    $TenantId = ""
    # Populate your Domain Suffix
    $DomainSuffix = ""
    # List of usernames to create
    $UserNames = @(
        "John Smith",
        "Jane Doe",
        "Robert Johnson"
    )

  3. Note the location of your script (e.g., C:\Scripts), and then open PowerShell.
  4. Type cd followed by the path to your script, and then press Enter.

Figure 2.42: Changing the directory on PowerShell

  5. To run the script, type .\ and start typing your script name. The .\ notation means the script is looked up in the directory you are currently in (C:\Scripts in my example). Press Enter once you have your script name.

Figure 2.43: Launching the Create_EntraID_Users script

  6. A prompt will pop up asking you to authenticate; enter your details and sign in.

Figure 2.44: Azure's Sign in prompt

  7. Return to the Azure portal and navigate to Microsoft Entra ID, and then the Users blade. You should see your new users there.

This concludes our demonstration on how to perform bulk user creations using a PowerShell script, helping you to achieve a consistent deployment methodology that can also save you time.
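For comparison, here is an added example of the same bulk creation written against the Microsoft Graph PowerShell SDK, which is the supported successor to the AzureAD module. It is not the book's script: it keeps the same $TenantId, $DomainSuffix and $UserNames inputs but generates a unique random temporary password per user, forces a change at first sign-in, and skips accounts that already exist. The tenant ID and domain suffix are placeholders, the names are demo data, and it assumes the signed-in account is allowed to create users (User Administrator or higher) and that the Microsoft.Graph.Users module is installed.

```powershell
# Added example (not the book's script): bulk user creation with the Microsoft
# Graph PowerShell SDK. Assumptions: Microsoft.Graph.Users is installed, the
# signed-in account may create users, and the values below are placeholders.
$TenantId     = "<your-tenant-id>"
$DomainSuffix = "contoso.onmicrosoft.com"
$UserNames    = @("John Smith", "Jane Doe", "Robert Johnson")

function New-RandomPassword {
    # 64-character alphabet (ambiguous l/I/O/0/1 removed). 256 % 64 == 0,
    # so reducing a random byte modulo 64 introduces no bias.
    param([int]$Length = 20)
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Request only the scope that user creation needs.
Connect-MgGraph -TenantId $TenantId -Scopes "User.ReadWrite.All"

$created = foreach ($name in $UserNames) {
    $first, $last = $name -split ' ', 2
    $nick = (("$first.$last").ToLower() -replace '[^a-z0-9.]', '').TrimEnd('.')
    $upn  = "$nick@$DomainSuffix"

    # Idempotent: skip an account that already exists instead of failing mid-run.
    if (Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $upn (already exists)"
        continue
    }

    # One unique temporary password per user, replaced at first sign-in,
    # instead of one predefined password shared by every new account.
    $tempPassword = New-RandomPassword
    $params = @{
        DisplayName       = $name
        GivenName         = $first
        Surname           = $last
        MailNickname      = $nick
        UserPrincipalName = $upn
        AccountEnabled    = $true
        PasswordProfile   = @{
            Password                      = $tempPassword
            ForceChangePasswordNextSignIn = $true
        }
    }
    $user = New-MgUser @params
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Id                = $user.Id
        TempPassword      = $tempPassword
    }
}

# Hand the temporary passwords over out of band; do not write this output to disk.
$created | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

After it runs, the same Users blade check from step 7 applies, or run Get-MgUser -Filter "endsWith(userPrincipalName,'@$DomainSuffix')" -ConsistencyLevel eventual -CountVariable n to confirm from PowerShell.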

Note

You are encouraged to read further by using the following links, which look at adding bulk users:

https://learn.microsoft.com/en-us/entra/identity/users/users-bulk-add

https://learn.microsoft.com/en-us/entra/identity/users/groups-bulk-import-members

In the next section, we are going to cover how you can manage guest accounts.

Navigating Guest Accounts

In Microsoft Entra ID, a guest account is a user object created in your directory that represents a user from another Microsoft Entra tenant or an external identity provider, so that the person can access resources in your tenant. Guest users can be invited to applications, groups, or resources by users with the appropriate permissions in the inviting tenant. This lets organizations collaborate with external partners, contractors, or customers while keeping control of their own corporate data: guest users have limited access to Microsoft Entra ID resources by default, and their permissions can be managed and revoked by the inviting organization.

Guest accounts are added through Microsoft Entra B2B collaboration (formerly Azure AD B2B), a capability built into Microsoft Entra ID that allows organizations to work safely with external users. External users do not need an account in your tenant beforehand: they sign in with their own identity (another Microsoft Entra tenant, a Microsoft account, Google, a SAML/WS-Fed identity provider, or a one-time passcode sent to their email address) and are represented in your directory by the guest object.

B2B collaboration is enabled by default for all Microsoft Entra tenants, so nothing needs to be turned on in the Azure portal. What you should review are the External collaboration settings under Microsoft Entra ID, which control who may invite guests, which domains may be invited, and how much of the directory guests can see.

Next, we will explore how to manage guest accounts on Microsoft Entra ID.

Managing Guest Accounts

We can manage guest accounts by performing the following steps:

  1. Adding guest accounts to your Microsoft Entra ID directory is similar to adding internal users. Navigate to the Users overview blade, choose + New user from the top-level menu, and then select Invite external user, as follows:

Figure 2.45: Inviting an external user

  2. Provide the email address and, optionally, a personalized message. The invitation email sent to that address contains a link to redeem the invitation and sign in to your tenant.
  3. Click Review + invite at the bottom of the blade, and then click Invite to add the user to your Microsoft Entra ID directory and send the invitation to the user's inbox:

Figure 2.46: Microsoft Entra ID – inviting a guest user

  4. To manage external users after creation, select them from the Users overview blade. Their User type value is Guest, and until the invitation link is redeemed the user's profile shows the invitation as not yet accepted. Select a user from the list to manage the settings shown in the top-level menu for that user, as follows:

Figure 2.47: A guest user in Microsoft Entra ID

That brings an end to this section. In this short section, we have reviewed guest accounts in Microsoft Entra ID and learned how to invite and manage them.
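The portal invites one guest at a time and says nothing about what that guest will be able to see once they redeem the link. The following PowerShell script is an added example, not the book's code, that invites a list of guests with the Microsoft Graph PowerShell SDK and first reports the tenant's guest permission level (the guestUserRoleId values are the ones documented in the "restrict guest permissions" article). The tenant ID, the email addresses, and the message text are constructed placeholders, and it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed.

```powershell
# Added example (not the book's code): bulk guest invitation plus a check of the
# tenant's guest permission level, using the Microsoft Graph PowerShell SDK.
# Assumptions: placeholder tenant ID; the addresses are constructed sample data;
# the signed-in account may invite guests and read policies.
$TenantId   = "<your-tenant-id>"
$Guests     = @("alice@partner.example", "bob@partner.example")
$RedirectTo = "https://myapps.microsoft.com"   # where the guest lands after redeeming

Connect-MgGraph -TenantId $TenantId -Scopes "User.Invite.All", "User.Read.All", "Policy.Read.All"

# guestUserRoleId on the authorization policy decides what a guest can enumerate.
$guestLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as members (least restrictive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited (the default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted (own profile and memberships only)'
}
$policy = Get-MgPolicyAuthorizationPolicy
$roleId = [string]$policy.GuestUserRoleId
Write-Host "Guest permission level for this tenant: $($guestLevels[$roleId])"
if ($roleId -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
    Write-Warning "Guests can enumerate users and groups like members; consider Limited or Restricted before inviting."
}

$invited = foreach ($email in $Guests) {
    $params = @{
        InvitedUserEmailAddress = $email
        InviteRedirectUrl       = $RedirectTo
        SendInvitationMessage   = $true
        InvitedUserMessageInfo  = @{ CustomizedMessageBody = "You have been invited to collaborate with Contoso." }
    }
    $inv  = New-MgInvitation @params
    $user = Get-MgUser -UserId $inv.InvitedUser.Id -Property UserPrincipalName, UserType, ExternalUserState
    [pscustomobject]@{
        Email    = $email
        UPN      = $user.UserPrincipalName   # alice_partner.example#EXT#@<tenant>.onmicrosoft.com
        UserType = $user.UserType            # Guest
        State    = $user.ExternalUserState   # PendingAcceptance until the link is redeemed
    }
}

$invited | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Keep the redirect URL pointing at your own tenant's apps rather than an arbitrary site, since it is the first link the guest follows after redemption. Invitations that stay in PendingAcceptance are a useful periodic clean-up target.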

Note

You are encouraged to read further by using the following link, which provides additional information about restricting guest permissions: https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions.

In the next section, we will look at SSPR.

Configuring SSPR

Microsoft Entra ID SSPR allows users to reset their own passwords without contacting IT support or administrators. With SSPR, users verify their identity using the methods they have registered, such as email, text message, or a mobile app notification, and then set a new password unaided. This is convenient for end users, reduces the workload on IT support, and takes the help desk out of the password-handling path. SSPR is an essential feature for any organization that wants to improve user productivity and reduce IT costs.

There are several things to keep in mind when considering implementing this feature in your organization:

  • Managing SSPR settings requires a Global Administrator (or Authentication Policy Administrator) role. Administrator accounts are themselves always enabled for SSPR regardless of the All/Selected setting, and they are held to a stricter two-gate policy: two registered authentication methods are required, and security questions are not allowed.
  • SSPR can be scoped to a security group so that only its members (including nested members) can use the feature, which lets you pilot it with a small population before rolling it out to everyone.
  • All user accounts that use SSPR must be licensed for it. If your organization has Microsoft 365 or Microsoft Entra ID P1 or P2 licenses, you can enable password reset for cloud users; P1 or P2 is additionally required for password writeback to on-premises Active Directory in hybrid environments.

Overall, Microsoft Entra ID SSPR is a useful and convenient tool for both users and IT administrators. However, consider the licensing requirements and the admin-specific behavior carefully before enabling it for your organization.

Next, we will explore how to configure SSPR for your users.

Configuring SSPR

By enabling SSPR for your users, they are able to reset their own passwords without calling the help desk, which significantly reduces the management overhead.

Note

The Microsoft Entra ID Free tier only supports cloud users for SSPR, and only password change is supported (a signed-in user replacing a password they still know), not a password reset.

SSPR can be easily enabled from the Azure portal. To do this, perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. From the left-hand hamburger menu or the main search bar, select Microsoft Entra ID.
  3. From the left-hand menu under the Manage context, select Password reset, as follows:

Figure 2.48: The Password reset blade

  4. In the Password reset blade, enable SSPR for all your users by selecting All, or for the members of a single security group by selecting Selected. For this demonstration, enable it for all users, and then click Save in the top-level menu, as follows:

Figure 2.49: SSPR

  5. Next, define the authentication methods your users must use. Under the Manage context in the left menu, select Authentication methods.
  6. In this blade, set the number of methods required to reset a password and choose which methods are available to your users, as follows:

Figure 2.50: Authentication methods for a password reset

  7. Make a selection, and then click Save at the top of the screen. Requiring two methods, and leaving security questions out, makes it considerably harder for someone who has compromised a single channel (a phone number or a mailbox) to take over the account through SSPR. If you want to test SSPR after configuration, use a user account without administrator privileges: administrators are governed by the separate, stricter admin policy and will not reflect the settings you just made.

Note

You are encouraged to read further by using the following links:

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks

https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr

Summary

In this chapter, you learned about configuring and managing devices in Microsoft Entra ID (device identities, device settings, Enterprise State Roaming, audit logs, and licensing). You learned about the various mechanisms to integrate your devices into Microsoft Entra ID (device registration, Microsoft Entra join, and Microsoft Entra hybrid join). Additionally, you explored bulk user operations and how to create a guest account from the Azure portal. Finally, you learned how to configure SSPR, a feature that empowers users to reset their own passwords and reduces the administrative burden of password management for IT support.

In the next chapter, you will learn about Role-Based Access Control (RBAC) and get hands-on with creating custom RBAC roles. Additionally, you will learn how to interpret role assignments.


Key benefits

  • Prepare for the AZ-104 exam with the latest exam objectives and content
  • Gain hands-on Azure experience with practical labs for real-world administrative tasks
  • Assess your exam readiness with challenging mock exams

Description

Take the first step toward excellence in Azure management and achieving Microsoft certification with this practical guide! This third edition of Exam Ref AZ-104 Microsoft Azure Administrator Certification and Beyond offers comprehensive insights and clear, step-by-step instructions that follow the latest AZ-104 exam objectives. You’ll work your way from foundational topics such as Azure identity management and governance to essential skills such as deploying and managing storage solutions, configuring virtual networks, and effectively monitoring Azure resources. Each chapter is equipped with practice questions to reinforce your understanding and enhance your practical skills. The book also provides you with access to online mock exams, interactive flashcards, and expert exam tips, guaranteeing that you pass with flying colors. By the end of this book, you'll not only be equipped to pass the AZ-104 exam but also possess the expertise needed to expertly manage Azure environments.

Who is this book for?

This book is for cloud administrators, engineers, and architects looking to understand Azure better and get a firm grasp on administrative functions or anyone preparing to take the Microsoft Azure Administrator (AZ-104) exam. A basic understanding of the Azure platform is needed, but astute readers can comfortably learn all the concepts without having worked on the platform before by following all the examples present in the book.

What you will learn

  • Manage Azure AD users, groups, and RBAC
  • Handle subscription management and governance implementation
  • Customize and deploy Azure Resource Manager templates
  • Configure containers and Azure app services
  • Manage and secure virtual networks comprehensively
  • Utilize Azure Monitor for resource monitoring
  • Implement robust backup and recovery solutions

Product Details

Publication date : Sep 30, 2024
Length: 824 pages
Edition : 3rd
Language : English
ISBN-13 : 9781805126195

Table of Contents

24 Chapters
Chapter 1: Managing Microsoft Entra ID Objects
Chapter 2: Devices in Microsoft Entra ID
Chapter 3: Managing Role-Based Access Control in Azure
Chapter 4: Creating and Managing Governance
Chapter 5: Managing Governance and Costs
Chapter 6: Understanding Storage Accounts
Chapter 7: Copying Data To and From Azure
Chapter 8: Securing Storage
Chapter 9: Storage Management and Replication
Chapter 10: Azure Resource Manager Templates
Chapter 11: Azure Bicep
Chapter 12: Understanding Virtual Machines
Chapter 13: Managing Virtual Machines
Chapter 14: Creating and Configuring Containers
Chapter 15: Creating and Configuring App Service
Chapter 16: Implementing and Managing Virtual Networking
Chapter 17: Securing Access to Virtual Networks
Chapter 18: Configuring Load Balancing
Chapter 19: Integrating On-Premises Networks with Azure
Chapter 20: Monitoring and Troubleshooting Virtual Networking
Chapter 21: Monitoring Resources with Azure Monitor
Chapter 22: Implementing Backup and Recovery Solutions
Chapter 23: Accessing the Online Practice Resources
Other Books You May Enjoy
