To follow along with the hands-on lessons, you will need access to the following:

• Microsoft Entra ID as a global administrator.
• Azure subscription with owner or contributor privileges. If you do not have access to one, students can enroll for a free account: https://azure.microsoft.com/en-us/free/.
• PowerShell 5.1 or later installed on a Windows PC or PowerShell Core 6.x on other operating systems where labs can be practiced.
• For Windows users, you will need to install .NET Framework 4.7.2 or later using the following link: https://learn.microsoft.com/en-us/dotnet/framework/install.
• Note that, occasionally, examples can only be followed from a PC or https://shell.azure.com (PowerShell 7.0.6 LTS or later is recommended).
• Install the Az PowerShell module, which can be performed by running the following in an administrative PowerShell session:

  Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
  Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

In Microsoft Entra, a device represents any physical or virtual device that is registered with the directory. This can include devices such as laptops, desktops, mobile phones, and tablets. When a device is registered with Microsoft Entra, it can be managed and secured using policies and configurations defined in the directory. By managing devices in Microsoft Entra, IT administrators can ensure that devices accessing corporate resources meet an organization’s security and compliance requirements. In the following sections, you will explore device management in more detail and discuss how Microsoft Entra enables device management at scale.

Configuring Device Identities

When it comes to managing your devices through Microsoft Entra, you have several services available to you. You may want to support Bring Your Own Device (BYOD) scenarios or opt for a more traditional management style through Microsoft Entra joined devices. Joining is the typical approach for larger organizations that have established control and management structures for their IT infrastructure. For this course, you need to only be aware of how to register or join your devices to Microsoft Entra. This topic is worth much more exploration and research before you decide to adopt a certain approach.

Microsoft Entra Device Registration

A Microsoft Entra ID Registered Device is one that is registered within the Microsoft Entra ID directory but not added as a member of an organization:

• The device is then granted access to resources through an attachment to a Microsoft account in Microsoft Entra ID.
• It provides users with a Single Sign-On (SSO) experience across their devices, including app authentication.
• It enables Conditional Access policy enforcement.
• It is recommended for personally owned devices or devices not used exclusively for business purposes. Personally owned devices are also defined as BYOD, which are devices that can be used for work purposes.
• It offers a streamlined process with minimal administrative overhead.
• The device can be managed through tools such as Microsoft Intune.

The following diagram illustrates a device’s connection to Microsoft Entra ID and the relationship flow.

Figure 2.1: Microsoft Entra ID – device registration

For more details, refer to https://learn.microsoft.com/en-us/entra/identity/devices/concept-device-registration.

Microsoft Entra Join

A Microsoft Entra ID joined device is one that is added to an organization’s Microsoft Entra ID directory, providing additional benefits and control to the organization:

• It is fully managed by the organization with access to on-premises Active Directory resources. It is, therefore, suitable for dedicated, organization-owned devices that need full access to organizational resources.
• It is explicitly tied to an organizational user account and managed as part of the directory.
• It offers better management capabilities and integration and can use Conditional Access policies.

The following diagram illustrates a device-to-Microsoft Entra ID join connection, demonstrating how the connection is made from the device to Microsoft Entra ID. Entra ID can then form a hybrid connection to an on-premises Active Directory system, with synchronization occurring between the platforms through the Microsoft Entra Connect service.

Figure 2.2: Microsoft Entra ID – a device join

For more details, refer to https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join.

Microsoft Entra Hybrid Join

A Microsoft Entra ID hybrid joined device is a device that is joined to both the on-premises Active Directory (AD) and Entra ID, for organizations with a blended infrastructure. It is designed to support Windows 10 and 11 devices:

• It retains the benefits of local on-premises AD while leveraging cloud features, such as enabling the continued use of Group Policy in Entra ID
• It combines cloud authentication with on-premises resources and devices
• It facilitates seamless transitions and secure access to resources in hybrid environments
• It is ideal for organizations that have a mix of cloud and on-premises infrastructure deployments

The following diagram illustrates a device connection to Microsoft Entra ID and the relationship flow for a Microsoft Entra ID hybrid join connection, demonstrating how the connection is made from the device to Microsoft Entra ID as a registration and to an Active Directory for a domain join. Entra ID will then have a hybrid connection to an on-premises Active Directory system, with synchronization occurring between the platforms through the Microsoft Entra Connect service.

Figure 2.3: Microsoft Entra ID – a device hybrid join

For more details, refer to https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join.

Next, we will explore what device settings you can manage in Microsoft Entra.

Device Settings

Microsoft Entra enables organizations to ensure that their users access Azure resources from devices that comply with their security and compliance policies. Device management is a crucial component of device-based Conditional Access, where access to corporate resources is restricted only to managed devices.

Device settings can be easily managed from the Azure portal, provided the device is registered or joined to Microsoft Entra. To access Devices, you need to select it from the Manage context from the left-hand menu under Microsoft Entra ID. On the Devices blade, you can select Device settings from the left menu. The following device settings are available for configuration in Microsoft Entra ID:

• Users may join devices to Microsoft Entra: This setting lets administrators specify which users can join their Windows 10 devices to Entra ID. This setting is only applicable to Microsoft Entra Join on Windows 10. The Selected option allows you to specify which members are allowed to join their devices to Entra ID.

Figure 2.4: Device settings – Users may join devices to Microsoft Entra

• Users may register their devices with Entra ID: This setting needs to be configured to allow devices to be registered with Entra ID. There are two options here – None, which means that devices are not allowed to register when they are not Microsoft Entra-joined or hybrid Microsoft Entra-joined, and All, which means that all devices are allowed to register.

Figure 2.5: Device settings – Users may register their devices with Microsoft Entra

Note

In order for you to enroll with Microsoft Intune or Mobile Device Management (MDM) for Microsoft 365, you will be required to register. If you have configured either of these services, the All option is selected by default and None is not available for selection.

• Require Multi-Factor Authentication to register or join devices with Microsoft Entra: This setting adds another layer of security by requiring users to authenticate with Multi-factor Authentication (MFA) when registering or joining their devices to Microsoft Entra. Before you can enable this setting, MFA needs to be configured for the users who register their devices.

Figure 2.6: Device settings – requiring MFA

• Maximum number of devices per user: This setting allows you to select the maximum number of devices that a user can have in Microsoft Entra. Reaching this quota will prevent additional devices from being added until either existing devices are removed or the quota limit is changed.
• Manage Additional local administrators on all Microsoft Entra joined devices: This setting allows you to add additional local administrators for Microsoft Entra joined devices. A local administrator is a user who has administrative privileges on a specific device or computer.

Figure 2.7: Device settings – Local administrator settings

• Enable Microsoft Entra Local Administrator Password Solution (LAPS): Local Administrator Password Solution (LAPS) is a secure method for managing and retrieving built-in local admin passwords on Windows devices, supporting both Microsoft Entra and Microsoft Entra hybrid join configurations. You can read more about it here: https://learn.microsoft.com/en-gb/entra/identity/devices/howto-manage-local-admin-passwords.

Figure 2.8: Device settings – Microsoft Entra LAPS

• Restrict users from recovering the BitLocker key(s) for their owned devices: Restricting users from recovering BitLocker keys for their owned devices is a security measure that prevents non-admin users from accessing their device’s BitLocker key(s) for self-service recovery. By setting this restriction to Yes, only admin users can retrieve the keys, ensuring an additional layer of security and control over the devices. Conversely, setting it to No allows all users to recover their BitLocker key(s), enabling self-service access but potentially reducing security.

Figure 2.9: Device settings – BitLocker key(s)

Enterprise State Roaming

Enterprise State Roaming is a feature in Microsoft Entra ID that allows users to synchronize their application and system settings across their Windows devices. This means that when a user sets up a new Windows device, their familiar settings and preferences will be applied to the new device automatically. This feature is especially useful for organizations that provide employees with multiple Windows devices, or for users who switch between devices frequently. With Enterprise State Roaming, users can have a more seamless and consistent experience across all their Windows devices. The synchronization is achieved through Microsoft Entra ID, and all data is encrypted to ensure security and privacy.

This setting now has its own blade and can be accessed by clicking Enterprise State Roaming from the left menu of the Device blade, under the Manage context.

Selecting All will enable all users in your organization to take advantage of this feature, Selected allows you to specify users, and None will disallow all users from using the feature.

Figure 2.10: Enterprise State Roaming

You can read more about Enterprise State Roaming here: https://learn.microsoft.com/en-us/entra/identity/devices/enterprise-state-roaming-enable.

You now have a basic understanding of what Enterprise State Roaming is and the features and benefits it offers. Next, you will learn about device management settings.

Managing Device Settings

To manage the device settings from the Azure portal, you need to perform the following steps:

1. Navigate to the Azure portal by opening https://portal.azure.com.
2. From the left-hand hamburger menu or the main search bar, select Microsoft Entra ID.
3. From the left-hand menu, select Devices under the Manage context, as follows:

Figure 2.11: The Microsoft Entra ID Devices blade

4. The device management blade will open. Here, you can configure your device management settings, locate your devices, perform device management tasks, and review the device management-related audit logs.
5. To configure the device settings, select Device settings from the left-hand menu. From here, you can configure the following settings, which are shown in Figure 2.12:
   • Users may join devices to Microsoft Entra: All
   • Require Multifactor Authentication to register or join devices with Microsoft Entra: No

Figure 2.12: Microsoft Entra ID – the Device settings blade

6. To locate your devices, select All devices from the left menu. In this pane, you will see all the joined and registered devices, as follows:

Figure 2.13: Microsoft Entra ID – All devices

7. Additionally, you can select the different devices from the list to get more detailed information about a device. From here, global administrators and cloud device administrators can disable or delete the device:

Figure 2.14: Microsoft Entra ID – workstation 1 details

You now have experience managing a device on Microsoft Entra. The next topic you will learn about is audit logs, under the Devices blade.

Device Audit Logs

The audit logs section under Devices in Microsoft Entra ID contains a record of all activities related to device management. Audit logs provide detailed information on events and actions performed within the system. These logs offer valuable insights for administrators looking to monitor security, troubleshoot issues, and maintain compliance.

Using device audit logs, administrators can track changes made to device properties, registration and deletion events, and other relevant activities performed by either the users or the system itself. Information stored in the logs typically includes event timestamps, target(s) (affected devices), user details, and the specific category of the activity and actions/changes made during an event. Microsoft Entra offers a user-friendly interface to view and analyze device audit logs, allowing administrators to filter and sort records based on specific criteria, such as event type or date range. This enables you to quickly identify and investigate suspicious activities or potential sources of issues within the device management environment.

By regularly reviewing and analyzing device audit logs, organizations can proactively detect anomalies and maintain regulatory compliance, thus ensuring a secure and efficient device management process within your Microsoft Entra ecosystem. Additionally, the audit logs can be exported to third-party security information and event management (SIEM) systems for further analysis and correlation with other security events. In this exercise, you will explore how to view audit logs in the Azure portal. Complete the following steps:

1. To view audit logs, navigate to the Devices blade from Microsoft Entra ID.
2. From the left menu of the Devices blade, under the Activity context, select Audit logs. This is where you can view and download the different log files for your devices. Additionally, you can create filters to search through the logs, as per the following example:

Figure 2.15: Microsoft Entra ID – the Audit logs blade

This concludes the section on how to manage your device settings via the Azure portal.

Note

You are encouraged to read up further by using the following links:

https://learn.microsoft.com/en-us/entra/identity/devices/manage-device-identities.

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-stream-logs-to-event-hub.

https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices.

In the next section, you will explore the licensing options behind Microsoft Entra.

Licensing

Microsoft Entra offers a range of licensing options to meet your organizational requirements, whether small or large businesses. These licensing options determine which features and functionalities are available to users. Some of the key features of Microsoft Entra include SSO, MFA, and device management. In the following section, you will explore the different pricing plans available for Microsoft Entra and what each plan includes.

Microsoft Entra ID offers the following pricing plans:

• Microsoft Entra ID Free: This offers the most basic features, such as support for SSO across Azure, Microsoft 365, and other popular Software as a Service (SaaS) applications, Azure Business-to-Business (B2B) for external users, support for Microsoft Entra Connect synchronization, self-service password change, user and group management, and standard security reports.
• Microsoft Entra ID P1: Previously known as Azure Active Directory P1. In addition to the Free license features, this license offers a service-level agreement, advanced reporting, Conditional Access, Microsoft Entra Connect Health, advanced administration such as dynamic groups, self-service group management, and Microsoft Identity Manager.
• Microsoft Entra ID P2: Previously known as Azure Active Directory P2. In addition to the Free and Microsoft Entra ID P1 license features, the Microsoft Entra ID P2 license includes Identity Protection, Privileged Identity Management (PIM), access reviews, and entitlement management.
• Microsoft Entra ID Governance: For users of Microsoft Entra ID P1 and P2, Microsoft Entra ID Governance provides a sophisticated suite of identity governance features that can be added at a premium. These capabilities include automated user and group provisioning, HR-driven provisioning, terms of use attestation, basic and advanced access certifications and reviews, basic and advanced entitlement management, life cycle workflows, identity governance dashboard, and PIM.
• Microsoft Entra Verified ID: Microsoft Entra Verified ID is a license currently included free within any Microsoft Entra ID subscription, such as Microsoft Entra ID Free. This service enables organizations to verify and issue credentials based on unique identity attributes, granting individuals control over their digital credentials and improving visibility. The benefits of Verified ID include reduced organizational risk, simplified audit processes, and seamless integration for developers to create user-centric serverless applications. Organizations can enable Verified ID for free in the Microsoft Entra admin center.
• Microsoft Entra Permissions Management: This is a set of identity governance features tailored for Microsoft Entra ID P1 and P2 subscribers. These capabilities include automated user and group provisioning, HR-driven provisioning, terms of use attestation, basic and advanced access certifications and reviews, basic and advanced entitlement management, life cycle workflows, identity governance dashboard, and PIM.
• Microsoft Entra Workload ID: With the standalone Microsoft Entra Workload ID product, organizations can reduce risk exposure from compromised or lost identities or credentials, regulate workload identity access with adaptive policies, and obtain a thorough workload identity health-check view. The monthly pricing for Workload ID is based on the workload identity.

Note

For a detailed overview of the different Microsoft Entra licenses and all the features that are offered in each plan, refer to https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing.

Now that you have a basic understanding of what Microsoft Entra ID is and the licensing models involved, you will learn how to implement a license.

Try/Buy License Products for Microsoft Entra

In this exercise, you are going to learn how to try or buy a license that can be associated with your Microsoft Entra instance. To do so, follow the following steps:

1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
2. From the left-hand hamburger menu or the main search bar, select Microsoft Entra ID.

Figure 2.16: Selecting Microsoft Entra ID

3. Click on the Licenses setting under the Manage context from the left menu.

Figure 2.17: Microsoft Entra ID – Licenses

4. From the Licenses blade on the left menu, select All products, and then click Try / Buy from the blade screen that is presented.

Figure 2.18: Microsoft Entra ID – Licenses | All products

5. An Activate pop-up screen will appear. To select a product for trial, you can click the Free trial drop-down option and then Activate to activate the license for the service offering you want to try, such as the following screenshot for Microsoft Entra ID P2.

Figure 2.19: Microsoft Entra ID – activating a trial license

You have now seen how to try a licensed product using the Azure portal. Next, you will learn about assigning a license to one of your users or groups.

Assigning a License

In this exercise, you are going to assign an active licensed product to a user to demonstrate the assignment of licenses from within Microsoft Entra ID:

1. Just as you did in the previous exercise, you will navigate back to the All products settings screen under the Licenses blade.
2. Select the license you are looking to assign; in this instance, we will assign the Microsoft 365 E5 Developer license. Then, click Assign from the top menu.

Figure 2.20: Microsoft Entra ID licensing – assigning a license

3. Click + Add users and groups.

Figure 2.21: Microsoft Entra ID licensing – Add users and groups

4. From the screen that pops up, create a filter to search for the relevant name you are looking for – in this case, Demo. Select DemoUser1 and DemoUser2.

Figure 2.22: Microsoft Entra ID licensing – selecting users

5. Once you have chosen your users, click Select.
6. Click Review + assign, and then, on the final screen, click Assign.

You have now seen how to not only add product licenses but also assign them. Although there are several license types, the basic principles still apply, and the licenses are just as easy to assign. In the next section, we will look at what Microsoft Entra Join is and how to configure it for Windows 10 devices.

With Microsoft Entra Join, you can join devices directly to Microsoft Entra without the need to join your on-premises Active Directory in a hybrid environment. While Microsoft Entra hybrid join with an on-premises Active Directory might still be preferred for some scenarios, Microsoft Entra Join simplifies the process of adding devices and modernizes device management for your organization. This can result in the reduction of device-related IT costs.

Your users may have access to corporate assets through their devices. To protect these corporate assets, you want to control these devices. This allows your administrators to ensure that your users are accessing resources from devices that meet your standards for security and compliance.

Microsoft Entra Join is a good solution when you want to manage devices with a cloud device management solution, when you want to modernize your application infrastructure, when you want to simplify device provisioning for geographically distributed users, and when your company adopts Microsoft 365 as the productivity suite for your users.

Microsoft Entra Join Methods

Microsoft Entra Join can be employed through any of the following methods:

• Bulk deployment: This method is used to join large numbers of new Windows devices to Microsoft Entra and Microsoft Intune.
• Windows Autopilot: This is a collection of technologies used to preconfigure Windows 10 and later devices so that the devices are ready for productive use. Autopilot can also be used to reset, repurpose, and recover devices.
• Self-service experience: This is also referred to as a first-run experience, which is mainly used to join a new device to Microsoft Entra.

Microsoft Entra Join Management

When it comes to joining devices to Entra ID, there are two main ways of managing them:

• MDM only: This is when the device is managed exclusively by an MDM provider such as Intune.
• Co-management: This is when the device is managed by an MDM provider and Microsoft Configuration Manager.

Microsoft Entra Join Scenarios

When joining a Windows 10 device to Microsoft Entra, there are two scenarios that you need to look at:

• Joining a new Windows 10 or later device via the Out-of-Box Experience (OOBE)
• Joining an already configured Windows 10 or later device to Microsoft Entra
• Now that you understand what Microsoft Entra Join is and does, we will take a look at how to configure it.

Configuring Microsoft Entra Join

To follow this exercise, you will require either a virtual machine or a physical machine that has Windows 10 Pro installed and access to the internet.

You will now join an existing Windows 10 device to Microsoft Entra, as follows:

1. On the Windows 10 device, search for Settings and open Accounts.
2. Select Access work or school, and then click Connect:

Figure 2.23: The Windows 10 settings menu to add and connect a device

3. Enter the email address of the account you are setting up, and then click on Join this device to Microsoft Entra ID.

Figure 2.24: Selecting Join this Device to Microsoft Entra ID

4. On the Sign in window that pops up, enter your user principal name (UPN) (usually the email address of the user account you created earlier in the chapter). For this exercise, use the demouser1 account created previously. Click Next.

Figure 2.25: Signing into Microsoft Entra

5. You will be asked to confirm whether the organization you are joining and the details entered are correct, as per the following screenshot. If so, click Join.

Figure 2.26: Confirming your organization details

6. You will now be joined and momentarily presented with a success screen. Click Done.

Figure 2.27: A confirmation message for Microsoft Entra Join

7. When you navigate back to the Access work or school settings window, you will see that you are now joined to your organization. This will show something similar to the following screenshot with the connected organization. Note that the Entra ID wording will soon change to reflect Microsoft Entra.

Figure 2.28: Your connected organization on Microsoft Entra

8. Finally, navigate to the Azure portal and the Devices blade for Microsoft Entra ID. Select All devices from the left menu, and you will then see your newly joined device appear:

Figure 2.29: Displaying the recently joined Windows 10 devices

That brings an end to this section. You have learned what Microsoft Entra join is and the methods used to enroll, and you have also walked through the steps to manually join a Windows 10 device to Microsoft Entra.

Note

You are encouraged to read further by using the following links, which will provide additional information about Microsoft Entra Join, Windows Autopilot, and bulk device enrollment:

https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join

https://learn.microsoft.com/en-us/autopilot/windows-autopilot

https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll

https://learn.microsoft.com/en-us/entra/identity/devices/device-join-out-of-box

Next, we will look at what bulk operations are and how to perform them.

Bulk Microsoft Entra ID operations refer to the ability to perform a single action or update across multiple users, groups, or other objects in Microsoft Entra ID. This can be especially useful for larger organizations with hundreds or thousands of users, where manual updates to each individual object would be time-consuming and inefficient. Bulk operations in Microsoft Entra ID can be performed using PowerShell, Graph API, or other supported methods. Common bulk operations include adding or removing users from groups, updating user attributes, and managing device settings. We will explore more about the bulk operations you can perform and how they work in the following section.

Some of the popular operations you will learn about in this book perform bulk updates, such as the following:

• Bulk user creation
• Bulk user invitation
• Bulk user deletion
• Bulk user downloads

Performing Bulk Updates Using the Azure Portal

Performing bulk user updates is like managing single users (such as internal and guest users). The only property that can’t be set for multiple users is resetting a password, which must be done for a single user.

Azure has also improved its bulk user settings by adding a drop-down menu that enables you to perform updates via the downloadable CSV template, which you then re-upload.

Downloading a User List

To download a user list, you can follow the given steps:

1. Navigate to the Users overview blade again in Microsoft Entra ID. You should automatically go into the All users blade; if not, select that option.
2. Click Download users from the top menu.

Figure 2.30: Bulk operations – clicking Download users

3. Enter a desired filename and click Start. This will be saved as a .csv file, which can be opened in Microsoft Excel if you desire for easy editing. A free version can be used with Microsoft 365 Office online. You can read more about this at this link: https://www.microsoft.com/en-us/microsoft-365/free-office-online-for-the-web. Being a comma-separated file type, where each value is separated by a comma, you can use any text editor, such as Windows Notepad.

Figure 2.31: Bulk operations – Download users

4. Once complete, the option to download the file will appear. Click the blue text to download.

Figure 2.32: Downloading the user’s CSV file

When opening the file, if you are presented with what looks like gibberish, you can do the following in Excel to format it neatly for yourself:

1. Click the A column to select all the data:

Figure 2.33: Bulk operations – selecting the A column in Excel

2. Then, select the Data tab from the top menu bar, and then select Text to Columns from the Data Tools context.

Figure 2.34: Bulk operations – selecting Text to Columns in Excel

3. On the screen that pops up, click Delimited and then Next.

Figure 2.35: Bulk Operations – Delimited in Excel

4. Select Comma, and then click Next >.

Figure 2.36: Bulk operations – selecting Comma

5. Click General for Column data format, and then click Finish.

Figure 2.37: Bulk Operations – selecting the column data format in Excel

Now, your data will be organized neatly into columns. Next, you will learn how to use this sheet to perform bulk deletion operations in Microsoft Entra ID.

Bulk User Deletion Operations

To demonstrate a bulk deletion, you will select and keep the users you want to retain in the sheet and delete the rows with the remaining users:

1. Navigate back to the Users blade and select All users.
2. Click Bulk operations and then Bulk delete.

Figure 2.38: Microsoft Entra ID – Bulk delete

3. Click Download.

Figure 2.39: Microsoft Entra ID – the bulk delete template

4. Modify the sheet and paste in the user principal name for each user, from row 3 downward. You can copy these users from the sheet you downloaded in the last exercise. Click Save once you are finished and close the Excel sheet.

Figure 2.40: Bulk Operations – selecting users to delete in Excel

5. Back in the Azure portal, click the Select a file option from the previous screen. From the open file dialog that pops up, navigate to your file, and then click Open.
6. In the Azure portal, select Yes for the Are you sure you want to perform the delete operation? option, and then click Submit. You will be presented with a success notification once completed successfully.
7. That concludes the bulk user delete operation demonstration. Next, you will briefly explore other possible ways to modify Microsoft Entra ID user accounts.

Updating Multiple Users

You can also update multiple users by selecting them and choosing to delete them, or you can configure MFA for each user from the Azure portal in the Users blade:

Figure 2.41: An alternative bulk user delete method

This concludes our demonstration of how to perform bulk user deletion operations using the Azure portal. Next, we will take a look at a PowerShell script that I think can help you achieve bulk user creation.

Performing Bulk Creations Using PowerShell

You will now experience running a PowerShell script to enable you to create Microsoft Entra ID users quickly and programmatically in your environment. The following script will create several demo users with a predefined password for you:

1. Start by opening your favorite code editor or notepad; I recommend VS Code, which you can download from here: https://code.visualstudio.com/download.
2. Paste the following code and save the file as a .ps1 file, with whatever name prefix you want. To follow this exercise, it is advised that you save the file in C:\Scripts on your computer and name it Create_AzureAD_Users.ps1. You will need to populate the $TenantId and $DomainSuffix details in between the inverted commas on the right.

   Create_AzureAD_Users.ps1

   # Enter the Tenant ID for your Azure AD
   $TenantId = ""
   # Populate your Domain Suffix
   $DomainSuffix = ""
   # List of usernames to create
   $UserNames = @(
       "John Smith",
       "Jane Doe",
       "Robert Johnson",

   The complete code is available at https://packt.link/CEwga

3. Note the location of your script (e.g., C:\Scripts), and then open PowerShell.
4. Type in cd and the path to your script, and then press the Enter key.

Figure 2.42: Changing the directory on PowerShell

5. Now, to run the script, enter .\ and start typing your script name. The .\ notation means that you will look in the path that you are currently in – in my example, C:\Scripts. Click Enter once you have your script.

Figure 2.43 – Launching the Create_EntraID_Users script

6. A prompt will pop up, asking you to authenticate; enter your details and sign in.

Figure 2.44: Azure’s Sign in prompt

7. Return to the Azure portal and navigate to Microsoft Entra ID, and then the Users blade. You should see your new users there.

This concludes our demonstration on how to perform bulk user creations using a PowerShell script, helping you to achieve a consistent deployment methodology that can also save you time.

Note

You are encouraged to read further by using the following links, which look at adding bulk users:

https://learn.microsoft.com/en-us/entra/identity/users/users-bulk-add

https://learn.microsoft.com/en-us/entra/identity/users/groups-bulk-import-members

In the next section, we are going to cover how you can manage guest accounts.

In Microsoft Entra ID, a guest account is a user account that is created in one Microsoft Entra directory, allowing a user from another Microsoft Entra directory, or an external identity provider, to access resources in the first tenant. Guest accounts can be invited to access applications, groups, or resources by users with appropriate permissions in the inviting tenant. This feature enables organizations to collaborate and share resources with external partners, contractors, or customers while maintaining control over their own corporate data. Guest users have limited access to Microsoft Entra ID resources, and their permissions can be managed and revoked by the inviting organization.

You can also add guest accounts in Microsoft Entra ID using Azure AD B2B. Azure AD B2B is a feature on top of Microsoft Entra ID that allows organizations to work safely with external users. External users don’t require a Microsoft work or personal account that has been added to an existing Azure AD tenant to be added to Azure B2B.

All sorts of accounts can be added to Azure B2B. You don’t have to configure anything in the Azure portal to use B2B; this feature is enabled by default for all Microsoft Entra tenants.

Next, we will explore how to manage guest accounts on Microsoft Entra ID.

Managing Guest Accounts

We can manage guest accounts by performing the following steps:

1. Adding guest accounts to your Microsoft Entra ID directory is similar to adding internal users. When you navigate to the Users overview blade, you can choose + New user from the top-level menu and then select Invite external user, as follows:

Figure 2.45: Inviting an external user

2. Provide an email address and a personalized message, which is sent to the user’s inbox. This personalized message includes a link to log into your tenant.
3. Click Review + invite at the bottom of the blade screen, and then click Invite to add the user to your Microsoft Entra ID directory and send an invitation to the user’s inbox:

Figure 2.46: Microsoft Entra ID – inviting a guest user

4. To manage external users after creation, you can select them from the Users overview blade. They will have a User type value, which is named Guest. Simply select a user from the list, and you will then be able to manage the settings that are displayed in the top-level menu for the user, as follows:

Figure 2.47: A guest user in Microsoft Entra ID

That brings an end to this section. In this short section, we have reviewed guest accounts in Microsoft Entra ID and learned how to configure them.

Note

You are encouraged to read further by using the following links, which will provide additional information about restricting guest permissions: https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions.

In the next section, we will look at SSPR.

Microsoft Entra ID SSPR allows users to reset their own passwords without the need to contact IT support or administrators. With SSPR, users can verify their identity using different methods, such as email, text message, or a mobile app notification, and reset their password without any help. This feature is not only convenient for end users but also reduces the workload for IT support, increases security by ensuring that users have strong passwords, and saves time and resources. SSPR is an essential feature for any organization that wants to improve user productivity and reduce IT costs.

There are several things to keep in mind when considering implementing this feature in your organization:

• Firstly, SSPR requires a Microsoft Entra ID account with Global Administrator privileges to manage SSPR options. This permission will allow the user to always be able to reset their own passwords, no matter what options are configured.
• Additionally, SSPR uses a security group to limit the users who have SSPR privileges, providing an added layer of security to the feature.
• It’s important to note that all user accounts in your organization must have a valid license to use SSPR. This means that if your organization has licenses for Office 365 or Microsoft Entra P1 or P2, you can enable SSPR for all users. If not, you must purchase Microsoft Entra P1 licenses to enable SSPR for your users.

Overall, implementing Microsoft Entra ID SSPR can be a useful and convenient tool for both users and IT administrators. However, it’s important to carefully consider the requirements and characteristics of this feature before enabling it for your organization.

Next, we will explore how to configure SSPR for your users.

Configuring SSPR

By enabling SSPR for your users, they are able to change their passwords automatically without calling the help desk. This can significantly eliminate the management overhead.

Note

The Microsoft Entra free-tier license only supports cloud users for SSPR, and only password change is supported, not a password reset.

SSPR can be easily enabled from the Azure portal. To do this, perform the following steps:

1. Navigate to the Azure portal by opening https://portal.azure.com.
2. From the left-hand hamburger menu or the main search bar, select Microsoft Entra ID.
3. From the left-hand menu under the Manage context, select Password reset, as follows:

Figure 2.48: The Password reset blade

4. In the Password reset blade, you can enable SSPR for all your users by selecting All; for selected users and groups, select Selected. For this demonstration, enable it for all users, and then click on Save in the top-level menu, as follows:

Figure 2.49: SSPR

5. Next, you need to set the different required authentication methods for your users. To do this, under the Manage context from the left menu, select Authentication methods.
6. In the next blade, you can set the number of authentication methods that are required to reset a password and explore what methods are available for your users, as follows:

Figure 2.50: Authentication methods for a password reset

7. Make a selection, and then click Save at the top of the screen. If you want to test SSPR after configuration, make sure that you use a user account without administrator privileges.

Note

You are encouraged to read further by using the following links:

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks

https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr

In this chapter, you learned about configuring and managing devices in Microsoft Entra ID (device identities, device settings, Enterprise State Roaming, device settings, audit logs, and licensing). You learned about the various mechanisms to integrate your devices into Entra ID (device registration, Entra join, and Entra hybrid join). Additionally, you explored different bulk user operations and how to create a guest account from the Azure portal. Finally, you learned how to configure SSPR, which is a feature critical to empower users to reset their own passwords and reduce the administrative burden of password management for IT support.

In the next chapter, you will learn about Role-Based Access Control (RBAC) and get hands-on with creating custom RBAC roles. Additionally, you will learn how to interpret role assignments.