This is the first section of the SC-300 study guide. It covers:
- configure and manage Azure AD directory roles
- configure and manage custom domains
- configure and manage device registration options
- configure delegation by using administrative units
- configure tenant-wide settings
Configure and manage Azure AD directory roles
Categories of Azure AD roles
Azure AD built-in roles differ in where they can be used and fall into three broad categories:
- Azure AD-specific roles: These roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, Groups Administrator all grant permissions to manage resources that live in Azure AD.
- Service-specific roles: For major Microsoft 365 services (non-Azure AD), we have built service-specific roles that grant permissions to manage all features within the service. For example, Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator roles can manage features with their respective services. Exchange Administrator can manage mailboxes, Intune Administrator can manage device policies, SharePoint Administrator can manage site collections, Teams Administrator can manage call qualities and so on.
- Cross-service roles: Some roles span services. There are two global roles, Global Administrator and Global Reader, which all Microsoft 365 services honor. There are also security-related roles such as Security Administrator and Security Reader that grant access across multiple security services within Microsoft 365. For example, with the Security Administrator role in Azure AD you can manage the Microsoft 365 Defender portal, Microsoft Defender Advanced Threat Protection, and Microsoft Defender for Cloud Apps. Similarly, the Compliance Administrator role can manage compliance-related settings in the Microsoft 365 Compliance Center, Exchange, and so on.
How to assign a role
Open Azure AD and choose Roles and administrators.
Select Application developer to see the permissions the role grants. Pick the least privileged role that covers the task; Global Administrator should be the exception, not the default.
Under Assignments, choose Add assignments to assign the role to a user.
Then select the designated user.
Assigning to a group
Restrictions for role-assignable groups
Role-assignable groups have the following restrictions:
- You can only set the isAssignableToRole property (the "Azure AD roles can be assigned to the group" option in the portal) for new groups.
- The isAssignableToRole property is immutable. Once a group is created with this property set, it can't be changed.
- You can't make an existing group a role-assignable group.
- A maximum of 400 role-assignable groups can be created in a single Azure AD organization (tenant).
Role-assignable groups require an Azure AD Premium P1 license.
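The two procedures above (assigning a role to a user, and creating a role-assignable group and assigning the role to it) as one script. This is an added example, not code from the original guide; it uses the Microsoft.Graph PowerShell SDK, and the UPN, group display name and mail nickname are placeholders. Get-RoleHolders is a helper written for this example.

```powershell
# Added example, not from the original guide. Assigns the Application Developer
# role first to a single user and then to a new role-assignable group, using the
# Microsoft.Graph PowerShell SDK. The UPN, group name and mail nickname are placeholders.
# The caller needs Privileged Role Administrator or Global Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.ReadWrite.All", "User.Read.All"

# 1. Resolve the role definition by display name.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Developer'"

# 2. Direct assignment to a user. DirectoryScopeId "/" means the whole tenant;
#    an administrative unit would be "/administrativeUnits/<id>" instead.
$user = Get-MgUser -UserId "alice@contoso.com"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
                                            -RoleDefinitionId $role.Id `
                                            -DirectoryScopeId "/"

# 3. Assignment to a group. IsAssignableToRole must be set when the group is
#    created and is immutable afterwards, so an existing group cannot be converted;
#    create a new one and move the members. Requires Azure AD Premium P1.
$group = New-MgGroup -DisplayName "Application Developers (role-assignable)" `
                     -MailNickname "appdev-ra" `
                     -MailEnabled:$false `
                     -SecurityEnabled `
                     -IsAssignableToRole

New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
                                            -RoleDefinitionId $role.Id `
                                            -DirectoryScopeId "/"

# 4. Review who holds the role, directly or through a group, and at what scope.
function Get-RoleHolders {
    param([string]$RoleDefinitionId)
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$RoleDefinitionId'" `
                                                -ExpandProperty Principal -All |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Principal.AdditionalProperties.displayName
                Type      = $_.Principal.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''
                Scope     = $_.DirectoryScopeId
            }
        }
}
Get-RoleHolders -RoleDefinitionId $role.Id | Format-Table -AutoSize
```

The review step at the end is the part worth keeping around: because group-based assignment hides the individual holders behind the group object, listing assignments with the principal expanded is the quickest way to answer "who can actually register applications in this tenant".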
Custom domains
The person who creates the tenant is automatically the Global administrator for that tenant. The Global administrator can add additional administrators to the tenant.
Hard-coded limits for Custom domains
- You can add no more than 5,000 managed domain names.
- If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 2,500 domain names in each tenant.
Adding a custom domain
When you add a custom domain you prove ownership with a DNS record in the domain's zone. Azure AD accepts either a TXT record or an MX record, and shows you the exact values to create.
You can also share the DNS settings by email with whoever is responsible for the domain's name records.
DNS changes may take up to 72 hours to propagate, but in practice the record is usually visible within minutes.
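The same procedure through Microsoft Graph PowerShell, as an added example that is not part of the original guide: add the domain, read the TXT and MX records Azure AD expects, wait until public DNS shows the TXT record, then verify. "contoso.com" is a placeholder, Test-DomainTxtPublished is a helper written for this example, and Resolve-DnsName is the Windows DnsClient cmdlet.

```powershell
# Added example, not from the original guide. Adds a custom domain, prints the
# verification records Azure AD offers, polls public DNS for the TXT record and
# then verifies the domain. "contoso.com" is a placeholder.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
$domainName = "contoso.com"

# 1. Add the domain; it stays unverified until ownership is proven.
New-MgDomain -Id $domainName | Out-Null

# 2. Azure AD offers two record types (TXT or MX); creating either one is enough.
$records = Get-MgDomainVerificationDnsRecord -DomainId $domainName
foreach ($r in $records) {
    # Graph keeps the subtype fields (text for TXT, mailExchange for MX) in AdditionalProperties.
    $value = if ($r.AdditionalProperties.text) { $r.AdditionalProperties.text } else { $r.AdditionalProperties.mailExchange }
    "{0,-4} {1,-30} {2}" -f $r.RecordType, $r.Label, $value
}

# 3. Poll public DNS for the TXT record. 72 hours is the worst case quoted above;
#    most zones publish within minutes, so poll once a minute for up to an hour.
function Test-DomainTxtPublished {
    param([string]$Name, [string]$Expected)
    $answer = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue
    return [bool]($answer | Where-Object { $_.Strings -contains $Expected })
}
$txt = $records | Where-Object { $_.RecordType -eq 'Txt' } | Select-Object -First 1
$attempts = 0
while (-not (Test-DomainTxtPublished -Name $txt.Label -Expected $txt.AdditionalProperties.text)) {
    if (++$attempts -ge 60) { throw "TXT record for $($txt.Label) still not visible after 60 minutes" }
    Start-Sleep -Seconds 60
}

# 4. Verify. This is the same call the portal's Verify button makes.
Confirm-MgDomain -DomainId $domainName
Get-MgDomain -DomainId $domainName | Select-Object Id, IsVerified, IsDefault, AuthenticationType
```

Checking public DNS yourself before calling Confirm-MgDomain avoids the common loop of clicking Verify repeatedly while the zone has not published the record yet; the final Get-MgDomain also shows AuthenticationType, which tells you whether the domain is managed or federated.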
Removing a custom domain
Before you remove a domain name, we recommend that you read the following information:
- The original contoso.onmicrosoft.com domain name that was provided for your directory when you signed up cannot be removed.
- Any top-level domain that has subdomains associated with it cannot be removed until the subdomains have been removed. For example, you can’t remove adatum.com if you have corp.adatum.com or another subdomain that uses the top-level domain name. For more information, see the Support article “Domain has associated subdomains” or “You cannot remove a domain that has subdomains” error when you try to remove a domain from Office 365.
- Have you activated directory synchronization? If so, a domain was automatically added to your account that looks similar to this: contoso.mail.onmicrosoft.com. This domain name can’t be removed.
- Before you can remove a domain name, you must first remove the domain name from all user or email accounts associated with the domain. You can remove all of the accounts, or you can bulk edit user accounts to change their domain name information and email addresses. For more information, see Create or edit users in Azure AD. Remember to remove:
- Any user that has the domain in their user name or email address
- Any mail-enabled group that has the domain in its email address
- Any application that has the domain as part of its reply URL
- If a domain name is used by a SharePoint Online site collection, you must delete the site collection before you can remove the domain name.
Configure and manage device registration options
Azure AD device registration supports iOS, Android, and Windows devices.
In the Azure portal, open Devices.
Then open Device settings.
Note! Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires Workplace Join. If you have configured either of these services, ALL is selected and the NONE button is disabled.
You can also require multifactor authentication for registering or joining devices and set the maximum number of devices per user.
DNS records
Entry | Type | Address |
---|---|---|
enterpriseregistration.contoso.com | CNAME | enterpriseregistration.windows.net |
enterpriseregistration.region.contoso.com | CNAME | enterpriseregistration.windows.net |
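A check for the table above, added here as an example and not part of the original guide: it lists every verified custom domain in the tenant and confirms that enterpriseregistration.<domain> is a CNAME to enterpriseregistration.windows.net. Test-EnterpriseRegistrationCname is a helper written for this example and Resolve-DnsName is the Windows DnsClient cmdlet.

```powershell
# Added example, not from the original guide. Verifies the Workplace Join
# discovery CNAME for each verified custom domain in the tenant.
Connect-MgGraph -Scopes "Domain.Read.All"
$expectedTarget = "enterpriseregistration.windows.net"

function Test-EnterpriseRegistrationCname {
    param([string]$Domain, [string]$Target)
    $name   = "enterpriseregistration.$Domain"
    $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
    $cname  = ($answer | Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1).NameHost
    [pscustomobject]@{
        Domain  = $Domain
        Record  = $name
        Target  = $cname
        # A missing record, or a CNAME to anything else, breaks device registration
        # for users whose UPN suffix is this domain.
        Correct = [bool]$cname -and ($cname.TrimEnd('.') -ieq $Target)
    }
}

# onmicrosoft.com domains are served by Microsoft and need no record.
Get-MgDomain -All |
    Where-Object { $_.IsVerified -and $_.Id -notlike '*.onmicrosoft.com' } |
    ForEach-Object { Test-EnterpriseRegistrationCname -Domain $_.Id -Target $expectedTarget } |
    Format-Table -AutoSize
```

Run it after adding any new UPN suffix: registration failures caused by a missing CNAME show up on the client as a generic error, and this check finds the cause in seconds.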
Administrators for joined devices
Members of the Azure AD Joined Device Local Administrator role (shown as Device administrators under Device settings) get local administrator rights on Azure AD joined Windows devices, but they cannot manage device objects in Azure Active Directory.
Configure delegation by using administrative units
Using administrative units requires an Azure AD Premium P1 license for each administrative unit administrator, and Azure AD Free licenses for administrative unit members.
Current support for administrative unit scenarios
Administrative unit management
Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
---|---|---|---|
Creating and deleting administrative units | Supported | Supported | Not supported |
Adding and removing administrative unit members individually | Supported | Supported | Not supported |
Adding and removing administrative unit members in bulk by using CSV files | Not supported | Supported | No plan to support |
Assigning administrative unit-scoped administrators | Supported | Supported | Not supported |
Adding and removing administrative unit members dynamically based on attributes | Not supported | Not supported | Not supported |
User management
Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
---|---|---|---|
Administrative unit-scoped management of user properties, passwords | Supported | Supported | Supported |
Administrative unit-scoped management of user licenses | Supported | Not Supported | Supported |
Administrative unit-scoped blocking and unblocking of user sign-ins | Supported | Supported | Supported |
Administrative unit-scoped management of user multifactor authentication credentials | Supported | Supported | Not supported |
Group management
Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
---|---|---|---|
Administrative unit-scoped management of group properties and membership | Supported | Supported | Not supported |
Administrative unit-scoped management of group licensing | Supported | Supported | Not supported |
Adding an AU in the Azure portal
In the Azure portal, open Administrative units and choose Add.
The roles that can be scoped to the unit are then available for assignment.
You can add either Microsoft 365 and security groups or users to an administrative unit.
Adding a user to an AU makes that user a member of the unit, i.e. an object the unit's scoped administrators may manage; it grants the user no access of its own.
Limitations
- Administrative units can’t be nested.
- Administrative unit-scoped user account administrators can’t create or delete users.
- A scoped role assignment doesn’t apply to members of groups added to an administrative unit, unless the group members are directly added to the administrative unit. For more information, see Add members to an administrative unit.
- Administrative units are currently not available in Azure AD Identity Governance.
- An Azure AD resource can be a member of no more than 30 administrative units.
Administrative units apply scope only to management permissions. They don’t prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin’s administrative units are filtered out. But you can browse other users in the Azure portal, PowerShell, and other Microsoft services.
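The procedure above in Microsoft Graph PowerShell, as an added example that is not code from the original guide: create a unit, add the users of one office as direct members, and give a helpdesk account the User Administrator role scoped to the unit. Display names, the city filter and the UPN are placeholders; Get-UserAdministrativeUnits is a helper written for this example.

```powershell
# Added example, not from the original guide. Creates an administrative unit,
# fills it with the users of one office, and assigns a unit-scoped role.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Create the unit. Units cannot be nested, so this is the only level.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Helsinki office" `
                                        -Description "Objects the Helsinki helpdesk may manage"

# 2. Add members. Each user must be added directly: adding a group puts the group
#    object in scope, not its members. A resource may be in at most 30 units.
$users = Get-MgUser -Filter "city eq 'Helsinki'" -All
foreach ($u in $users) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Scoped role assignment: the scope is the unit, not "/" (whole directory).
#    A unit-scoped User Administrator can reset passwords and edit properties of
#    members but cannot create or delete users.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$helpdesk = Get-MgUser -UserId "helpdesk.helsinki@contoso.com"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $helpdesk.Id `
                                            -RoleDefinitionId $roleDef.Id `
                                            -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Review. The scope limits management rights only: the helpdesk account can
#    still read users outside the unit with its default member permissions.
function Get-UserAdministrativeUnits {
    param([string]$UserId)
    Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.administrativeUnit' } |
        ForEach-Object { $_.AdditionalProperties.displayName }
}
Get-UserAdministrativeUnits -UserId $users[0].Id

Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" `
                                            -ExpandProperty Principal |
    Select-Object @{ n = 'Admin'; e = { $_.Principal.AdditionalProperties.displayName } }, RoleDefinitionId
```

The filter on directoryScopeId in the last step is how you audit a unit: it returns exactly the assignments that are limited to that unit, and nothing assigned at "/" shows up, which is the distinction the exam expects you to know.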
Configure tenant-wide settings
External collaboration settings
Guest user access restrictions: determines whether guests have full access to enumerate all users and group memberships (most inclusive), limited access to other users and memberships (the default), or no access to other users and group memberships, including groups they are a member of (most restrictive).
Guest invite settings: controls who can invite guests to your directory to collaborate on resources secured by your Azure AD, such as SharePoint sites or Azure resources.
Enable guest self-service sign up via user flows: Yes means you can enable self-service sign-up for guests via user flows associated with applications in your directory. No means applications cannot be enabled for self-service sign-up by guests, who must then be invited to your directory.
Collaboration restrictions (the domain allow/deny list) also affect SharePoint Online and OneDrive sharing settings. For example, after adding google.com to the deny list for invitations,
the same restriction is visible in the sharing settings of the SharePoint admin center.
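The same settings read through Microsoft Graph, as an added example that is not code from the original guide. Get-ExternalCollaborationReport is a helper written for this example; the three GUIDs are Microsoft's documented guestUserRoleId values for the three guest access levels. The domain allow/deny list is not covered here.

```powershell
# Added example, not from the original guide. Reads the tenant-wide external
# collaboration settings and flags the permissive values.
Connect-MgGraph -Scopes "Policy.Read.All"

# Documented guestUserRoleId values (Microsoft), keyed as strings.
$guestRoleIds = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members (most inclusive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to own objects (most restrictive)'
}

function Get-ExternalCollaborationReport {
    $authz = Get-MgPolicyAuthorizationPolicy          # authorizationPolicy singleton
    $flows = Get-MgPolicyAuthenticationFlowPolicy     # authenticationFlowsPolicy singleton
    $guestRole = "$($authz.GuestUserRoleId)"

    $findings = @()
    if ($guestRole -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
        $findings += 'Guests can enumerate all users and group memberships'
    }
    # allowInvitesFrom: none | adminsAndGuestInviters | adminsGuestInvitersAndAllMembers | everyone
    if ($authz.AllowInvitesFrom -eq 'everyone') {
        $findings += 'Any user, including guests, can invite further guests'
    }
    if ($flows.SelfServiceSignUp.IsEnabled) {
        $findings += 'Self-service sign-up for guests via user flows is enabled'
    }

    [pscustomobject]@{
        GuestAccessLevel       = $guestRoleIds[$guestRole]
        WhoCanInvite           = $authz.AllowInvitesFrom
        GuestSelfServiceSignUp = [bool]$flows.SelfServiceSignUp.IsEnabled
        Findings               = $findings
    }
}
Get-ExternalCollaborationReport | Format-List

# Hardening, as an example (needs Policy.ReadWrite.Authorization): keep guests at
# the limited access level and let only admins and Guest Inviters invite.
# Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '10dae51f-b6af-4016-8d66-8c2a99b929b3' `
#                                    -AllowInvitesFrom 'adminsAndGuestInviters'
```

Reading these values through Graph rather than the portal makes them easy to drop into a scheduled check, so a drift back to "everyone can invite" is caught the day it happens.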
GAL
You can display external users in your Global Address List (GAL) by either:
- Inviting users as guests using Azure AD B2B (Recommended)
- Using GAL Synchronization (Not recommended)
Other tenant-wide properties
- Tenant display name
- View the country and region associated with the tenant
- View the location associated with the tenant
- View / edit the notification language
- View / change the technical contact, and add your privacy info: global privacy contact and privacy statement URL
- Company Branding
- User settings
- App and Enterprise application settings
Things to remember
Different Azure AD-specific roles and their permissions.
Roles can be assigned to a user or to a role-assignable group; assigning roles to groups requires at least Azure AD Premium P1.
Hard-coded limits for Custom domains
- You can add no more than 5,000 managed domain names.
- If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 2,500 domain names in each tenant.
Custom domain verification can be done with TXT and MX records.
DNS changes may take up to 72 hours to propagate
Members of the Azure AD Joined Device Local Administrator role (Device administrators) have local admin rights on Azure AD joined Windows devices but cannot manage device objects in Azure Active Directory.
Administrative units:
- Administrative units can’t be nested.
- Administrative unit-scoped user account administrators can’t create or delete users.
- A scoped role assignment doesn’t apply to members of groups added to an administrative unit, unless the group members are directly added to the administrative unit. For more information, see Add members to an administrative unit.
- Administrative units are currently not available in Azure AD Identity Governance.
- An Azure AD resource can be a member of no more than 30 administrative units.
Tenant-wide settings include, but are not limited to:
- Tenant display name
- View the country and region associated with the tenant
- View the location associated with the tenant
- View / Edit Notification Language
- View / Change the Technical contact, add your privacy info, Global privacy contact, and Privacy statement URL
- Company Branding
- User settings
- App and Enterprise application settings