Getting Started With Azure Active Directory
Active Directory has been in use on corporate IT networks for decades and has been a key directory for managing users and groups. Typically, an Active Directory domain requires several servers, along with all of the management and maintenance that comes with them.
Azure Active Directory moves the management and maintenance to the cloud environment. This greatly simplifies the typical administrative server tasks that may be needed and allows an administrator to focus on correctly managing users, groups, and security.
There are several different licensing levels, as seen below. Each offering has a different set of limitations and features.
Using an Azure Pay-as-you-Go account, for example, you get the core Azure Active Directory services for free. There is a 500,000 object limit and a number of services that aren’t available.
Office 365 E1, E3, E5, F1 and F3 subscriptions offer everything in the free tier, with no object limit, plus identity and access management for Office 365. This includes additional branding capabilities, self-service password resets for cloud users, and SLA enhancements.
Premium P1 & Premium P2
Both P1 and P2 are available to Azure and Office 365 subscribers, as well as through Open Volume License Programs and Cloud Solution Providers platforms. Both of these options offer a large number of additional security features, with P2 offering the most.
In this article, we are going to explore the basics of using Azure Active Directory through the Azure Portal in the free subscription.
Creating Active Directory Users
One of the first tasks an administrator usually performs is creating a user. The core of Active Directory is its management of users and groups. With that in mind, navigate to the Users section under your directory and click on New User.
You have the option to either create a new user, which we are doing here, or to invite an existing user to be a member of your organization. The second option is useful if you have third-party collaborators that you want to assign resources to in your subscription, but don’t want them to have to remember a new account and password.
Here, we are going to click the radio button on Create user, and then fill in the appropriate details.
- User name: This should be a unique username that does not contain spaces and should generally not be longer than 20 characters for maximum compatibility.
- Name: Usually the combined first and last name of the user to be created.
- First name: The first name of the user.
- Last name: The last name of the user.
- Password: Auto-generate password
As you continue to scroll down, you have the option to add the new account to Azure Active Directory groups or change the role in the subscription that the user holds. The default is the User role and no additional groups selected.
Finally, there are a few additional settings: Block sign in, which can be useful for service accounts; Usage location, which is useful for cost tracking; and Job info, which can assist in properly managing who is using what account.
Once you have entered all the relevant details, click on Create and you will see the newly created user in the user directory. You will notice in the screenshot below that the Source of the newly created user is Azure Active Directory. This means that this account lives solely in this directory, whereas the other account is of the Microsoft Account type. This happens to be the account owner, but additional rights and permissions are conferred upon Microsoft Accounts.
If you click on the Test User and navigate to their account, you will see that under Assigned roles, there are none.
Creating Active Directory Groups
The second most common operation in Active Directory management is creating groups. Users can be added to a group, and the group can then be assigned to a resource. This means that all new additions to the group automatically get the assigned resources, rather than needing to have them assigned individually. This also means that, for off-boarding, it is easy to remove a set of permissions from a user. Navigate to the Groups section in the directory and click on the New group button.
Once there you will see a number of options to create your new group. There is the Group Type which is either a Security group or an Office 365 group.
- Security Group: Generally used to manage shared resource access among different individuals.
- Office 365 Group: These are used for shared mailboxes, calendars, and other resources such as SharePoint sites.
Next, you will want to enter a group name and optionally a group description. The membership type will be Assigned only, which merely means that each membership is assigned manually. This doesn’t mean that you can’t use a PowerShell script to modify membership as well, but it won’t be dynamic based on attributes.
You can choose to set a group owner or owners at this time, if you want to target someone to functionally own the group. This is generally more for administrative reasons, but you can also optionally add members at this time as well.
Once you are done, click on Create Group and you can move on to adding members.
Adding Group Members
Finally, we want to add some members to our group. To do this, let’s navigate to the Groups section in Azure Active Directory, click on our Test Group, and then on the Members section. You can then click on Add members to pull up a search box and find all the members you are looking to add. In this example, we have searched for “test” and found our Test User. Clicking on the user will add them to the list of members to add to the group.
As you can see below, the Test User we have selected to add to the group is now a member.
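The same three portal steps (create a user, create a security group with assigned membership, add the member) can also be scripted and re-run safely. The following is an added example, not part of the original article, using the Microsoft Graph PowerShell module; the tenant domain, user name, group name and usage location are placeholders.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module.
# Placeholders (assumptions): contoso.onmicrosoft.com, testuser, 'Test Group', 'US'.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All'

$upn = 'testuser@contoso.onmicrosoft.com'

# Create the user only if it does not exist yet.
$user = Get-MgUser -Filter "userPrincipalName eq '$upn'"
if (-not $user) {
    # Random initial password instead of a hard-coded one; the fixed suffix
    # only guarantees the character classes the complexity policy expects.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPassword = [Convert]::ToBase64String($bytes) + 'aA1!'

    $user = New-MgUser -UserPrincipalName $upn -MailNickname 'testuser' `
        -DisplayName 'Test User' -GivenName 'Test' -Surname 'User' `
        -AccountEnabled -UsageLocation 'US' `
        -PasswordProfile @{
            Password                      = $initialPassword
            ForceChangePasswordNextSignIn = $true   # user must replace it at first sign-in
        }
    Write-Host "Created $upn. Hand over the initial password out of band: $initialPassword"
}

# Security group with assigned membership: no GroupTypes value, so membership
# is not dynamic. Display names are not unique, so check before creating.
$group = Get-MgGroup -Filter "displayName eq 'Test Group'"
if (-not $group) {
    $group = New-MgGroup -DisplayName 'Test Group' `
        -Description 'Shared resource access for the test team' `
        -MailNickname 'testgroup' -MailEnabled:$false -SecurityEnabled
}

# Add the user only if not already a member (adding twice returns an error).
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
if ($memberIds -notcontains $user.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# Verify: list current members, the scripted equivalent of the Members blade.
Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object Id, @{ n = 'UserPrincipalName'; e = { $_.AdditionalProperties.userPrincipalName } }
```

Run it from a session signed in with an account that is allowed to create users and groups in the directory; the scopes requested in `Connect-MgGraph` are the only ones the script needs.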
Azure Active Directory makes running one of the most commonly used and useful directory services easy to do, with minimal maintenance and overhead. With more advanced features available at higher subscription levels, you are able to create users, manage groups, and monitor them all securely and easily using Azure Active Directory!