Configuring and Managing Directory Synchronization by Using Azure AD Connect – Implementing and Managing Identity Synchronization with Azure AD

Azure AD Connect has a long history, originally starting as DirSync to support the deployment of Microsoft Business Productivity Online Suite (BPOS) in 2007.

If you are familiar with Microsoft Identity Manager (MIM), you’ll notice many similarities with the current Azure AD Connect platform. Azure AD Connect (rebranded as Microsoft Entra Connect) allows you to connect to multiple directory sources and provision those objects to Azure Active Directory.

Planning and Sizing

Depending on your organization’s requirements for onboarding to Microsoft 365, as well as additional features or services that are included with your subscription, you may want (or need) to enable or configure additional Azure AD Connect features.

Table 4.2 illustrates the features that can be enabled through an Azure AD Connect setup:

Feature                        Description
Device writeback               Synchronizes Azure AD-joined devices back to on-premises Active Directory
Directory extensions           Enables the synchronization of additional on-premises attributes
Federation                     Enables authentication federation with Microsoft Active Directory Federation Services (AD FS) or PingFederate
Hybrid Azure AD join           Enables on-premises domain-joined devices to be synchronized and automatically joined to Azure AD
Password hash synchronization  Enables the hash of an on-premises password to be synchronized to Azure AD; can be used for authentication, as a backup option for authentication, or for leaked credential detection
Pass-through authentication    Authentication method where passwords are validated on-premises through the Azure AD Connect service’s connection to Azure Service Bus
Unified group writeback        Enables cloud-based Microsoft 365 groups to be written back to on-premises Active Directory

Table 4.2 – Azure AD Connect features

There are several additional features available post-installation for Azure AD Connect, such as managing duplicate attribute resiliency and user principal name soft-matching, both of which are used to manage how Azure AD handles conflicts and connecting cloud accounts to on-premises accounts.

Further Reading

More detailed information about Azure AD Connect’s optional features, such as duplicate attribute resiliency, is available here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-features.

Installing the Synchronization Service

The first step to deploying Azure AD Connect is gathering the requirements of your environment. These requirements can impact the prerequisites for deployment (such as additional memory or a standalone SQL Server environment). As part of the planning process, you’ll also want to identify which sign-in method will be employed (password hash synchronization, pass-through authentication, or federation).

Exam Tip

To perform the express installation, you’ll need Enterprise Administrator credentials to the on-premises Active Directory forest so that the installer can create a service account and delegate the correct permissions. You’ll also need an account that has either the Global Administrator or Hybrid Identity Administrator role in Azure AD, which Azure AD Connect will use to create a cloud sync service account.

With that information in hand, it’s time to start deploying Azure AD Connect:

1. On the server where Azure AD Connect will be deployed, download the latest version of the Azure AD Connect setup files (https://aka.ms/aad-connect) and launch the installer.

    2. Agree to the installation terms and select Continue. See Figure 4.4:

    Figure 4.4 – Azure AD Connect welcome page

    3. Review the Express Settings page, as shown in Figure 4.5. You can choose Customize if you want to configure Azure AD Connect to use pass-through or federated authentication methods, group-based filtering, or a custom SQL Server installation. While the sign-in methods and other features can be changed after installation, it is not possible to enable group-based filtering or change the SQL Server location after setup.

    Figure 4.5 – Azure AD Connect Express Settings page

    Installation Notes

    If you have other domains in your Active Directory forest, they must all be reachable from the Azure AD Connect server or installation will fail. You can perform a custom installation to specify which domains to include in synchronization.

    4. On the Connect to Azure AD page, enter credentials for either the Global Administrator or Hybrid Identity Administrator role in Azure AD. Click Next.

    5. On the Connect to AD DS page, enter Enterprise Administrator credentials and click Next.

    6. Verify the configuration settings. By default, the Exchange hybrid scenario is not enabled. If you have an on-premises Exchange environment that you will be migrating to Microsoft 365, select the Exchange hybrid deployment option to include the Exchange-specific attributes. If you want to perform additional configuration tasks prior to synchronizing users, clear the Start the synchronization process when configuration completes checkbox.

    Figure 4.6 – Azure AD Connect Ready to configure page

    7. Click Install.

    8. Review the Configuration complete page, as shown in Figure 4.7, and click Exit:

    Figure 4.7 – Azure AD Connect Configuration complete page

    If you selected the Start the synchronization process when configuration completes checkbox, you can review the Azure AD portal to verify that users have been synchronized.

    Creating Administrative Units – Managing Roles in Microsoft 365

    In the following example, an administrative unit called California (used to hold users in that region) is created. During the creation, administrators are configured to perform role-scoped activities inside that administrative unit:

    1. Navigate to the Microsoft 365 admin center (https://admin.microsoft.com) and log in with Global Administrator credentials.

    2. Expand Roles | Role assignments and click Administrative units.

    Figure 3.14 – Administrative units page

    3. Click Add unit.

    4. On the Basics page, as shown in Figure 3.15, enter a name and description and click Next.

    Figure 3.15 – Basics page

    5. On the Optional settings | Add members page, as shown in Figure 3.16, you can add members to the administrative unit or click Next to proceed.

    Figure 3.16 – Add members page

    6. On the Assign admins to scoped roles page, as shown in Figure 3.17, review the roles listed. Not all roles can be scoped to administrative units (as it’s a relatively new feature and not all roles support it). In this example, select the checkbox next to User Administrator and then click the role name itself.

    Figure 3.17 – Adding roles

    7. On the User Administrator flyout, click the Assigned tab as shown in Figure 3.18:

    Figure 3.18 – User Administrator flyout

    8. Click Add users or Add groups to assign administrators to this role. Click Close when you’ve finished.

    Figure 3.19 – Adding users to role

    9. On the Assign admins to scoped roles page, click Next.

    10. On the Review and finish page, review your selections, make any changes, and then click Add.

    11. Click Done to return to the Administrative units page.

      One of the features of role-scoped administration is being able to limit what users or objects can be impacted by a particular administrator. As you noticed during the configuration, only a subset of the roles available in the tenant honor administrative unit scoping.
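The same California administrative unit, its membership, and the scoped User Administrator assignment, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not from the book; the two UPNs are placeholders, and the signed-in account must be allowed to create administrative units and role assignments.

```powershell
# Added example, not from the book: the California administrative unit and its scoped
# User Administrator, built with the Microsoft Graph PowerShell SDK instead of the admin center.
# Assumptions: the two UPNs are placeholders; the signed-in account can create administrative
# units and directory role assignments.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All','RoleManagement.ReadWrite.Directory','User.Read.All'

# Steps 3 and 4: create the unit
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'California' -Description 'Users located in California'

# Step 5: add a member; members are referenced by their directoryObjects URL
$member = Get-MgUser -UserId 'alice@contoso.com'          # placeholder UPN
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($member.Id)"
}

# Steps 6 to 8: assign User Administrator scoped to this unit only.
# A directoryScopeId of '/' would make the same role tenant-wide, which is what scoping is meant to avoid.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin   = Get-MgUser -UserId 'bob@contoso.com'           # placeholder UPN
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $admin.Id
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# Review: every role assignment whose scope is this unit
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```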

      Preparing for Identity Synchronization by Using IdFix – Implementing and Managing Identity Synchronization with Azure AD

      Since the purpose of Azure AD Connect and Azure AD Connect Cloud Sync is to synchronize user, group, contact, and device objects to Azure AD, you’ll need to make sure your objects meet the minimum requirements.

      Microsoft has guidance surrounding the preparation of user objects for synchronization. Some attributes (specifically those that are used to identify the user throughout the system) must be unique throughout the organization. For example, you cannot have two users that have the same userPrincipalName value.

      The following attributes should be prepared before synchronizing the directory to Azure AD:

      Attribute          Constraints                                       Must be unique  Required
      displayName        ≤ 256 characters                                                  X
      givenName          ≤ 64 characters
      mail               ≤ 113 characters; ≤ 64 characters before the      X
                         @ symbol; adheres to the RFC 822/2822/5322 standards
      mailNickName       ≤ 64 characters; cannot start with a .; cannot    X
                         contain certain characters such as &
      proxyAddresses     ≤ 256 characters per value; no spaces;            X
                         diacritical marks are prohibited
      sAMAccountName     ≤ 20 characters                                   X               X
      sn                 ≤ 64 characters
      targetAddress      ≤ 256 characters; no spaces; includes a prefix    X
                         (such as SMTP:); value after the prefix adheres to
                         the RFC 822/2822/5322 standards
      userPrincipalName  ≤ 113 characters; must use a routable domain      X               X
                         name; Unicode characters are converted to underscores

      Table 4.1 – Azure AD Connect attributes

      As you can see, very few attributes are actually required for an object to synchronize. Each attribute that is synchronized has some core requirements around formatting, including length and allowed characters. Several attributes (such as mailNickname, userPrincipalName, mail, sAMAccountName, and proxyAddresses) must contain unique values—that is, no other object in the directory of any type can share the value.
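A read-only pre-flight check that applies the Table 4.1 rules (lengths, required values, mail and address format, routable UPN suffix, and duplicates) to on-premises users and reports findings in the same column layout IdFix uses. This is an added example, not from the book or from IdFix; it assumes the RSAT ActiveDirectory module, and $SearchBase and $RoutableSuffixes are placeholders.

```powershell
# Added example, not part of the book or of IdFix: a read-only pre-flight check that applies the
# Table 4.1 rules to on-premises users and reports findings in IdFix's own column layout.
# Assumptions: RSAT ActiveDirectory module; $SearchBase and $RoutableSuffixes are placeholders.
Import-Module ActiveDirectory

$SearchBase       = 'OU=Users,DC=contoso,DC=com'          # placeholder: your own OU
$RoutableSuffixes = @('contoso.com')                      # placeholder: domains verified in the tenant
$Props = 'displayName','givenName','sn','mail','mailNickname','proxyAddresses',
         'sAMAccountName','targetAddress','userPrincipalName'

# Maximum lengths from Table 4.1 (characters)
$MaxLength = @{
    displayName = 256; givenName = 64; sn = 64; mail = 113; mailNickname = 64
    sAMAccountName = 20; targetAddress = 256; userPrincipalName = 113
}
# Attributes whose values may not be shared with any other object
$MustBeUnique = 'mail','mailNickname','sAMAccountName','userPrincipalName','proxyAddresses'

$findings = New-Object System.Collections.Generic.List[object]
$seen     = @{}    # "attribute|lower-cased value" -> DN of the first object that used it

function Add-Finding([string]$Dn, [string]$Attribute, [string]$Error, [string]$Value) {
    $findings.Add([pscustomobject]@{
        DISTINGUISHEDNAME = $Dn; ATTRIBUTE = $Attribute; ERROR = $Error; VALUE = $Value })
}

foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Props) {
    $dn = $u.DistinguishedName

    # Attributes marked Required in Table 4.1 must be present
    foreach ($attr in 'displayName','userPrincipalName','sAMAccountName') {
        if (-not $u.$attr) { Add-Finding $dn $attr 'blank (required for synchronization)' '' }
    }

    # Length limits for the single-valued attributes
    foreach ($attr in $MaxLength.Keys) {
        $v = [string]$u.$attr
        if ($v.Length -gt $MaxLength[$attr]) { Add-Finding $dn $attr "length exceeds $($MaxLength[$attr])" $v }
    }

    # mail: exactly one @ and no more than 64 characters before it
    if ($u.mail) {
        $parts = $u.mail -split '@'
        if ($parts.Count -ne 2 -or $parts[0].Length -gt 64) { Add-Finding $dn 'mail' 'malformed or local part exceeds 64' $u.mail }
    }

    # mailNickname: may not start with "." or contain characters such as & or whitespace
    if ($u.mailNickname -and $u.mailNickname -match '^\.|[&\s]') {
        Add-Finding $dn 'mailNickname' 'invalid character' $u.mailNickname
    }

    # userPrincipalName: the suffix must be a routable, verified domain
    if ($u.userPrincipalName) {
        $suffix = ($u.userPrincipalName -split '@')[-1]
        if ($RoutableSuffixes -notcontains $suffix) { Add-Finding $dn 'userPrincipalName' 'non-routable domain' $u.userPrincipalName }
    }

    # proxyAddresses and targetAddress: <= 256 characters, no spaces, no diacritics, prefix present
    $addresses = (@($u.proxyAddresses) + @($u.targetAddress)) | Where-Object { $_ }
    foreach ($a in $addresses) {
        if ($a.Length -gt 256 -or $a -match '\s' -or $a -match '[^\x00-\x7F]' -or $a -notmatch '^[A-Za-z0-9]+:') {
            Add-Finding $dn 'proxyAddresses/targetAddress' 'invalid address format' $a
        }
    }

    # Duplicates: the same value used by two different objects for an attribute that must be unique
    foreach ($attr in $MustBeUnique) {
        foreach ($v in (@($u.$attr) | Where-Object { $_ })) {
            $key = "$attr|$($v.ToString().ToLower())"
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $dn) { Add-Finding $dn $attr "duplicate of $($seen[$key])" $v } else { $seen[$key] = $dn }
        }
    }
}

$findings | Sort-Object ATTRIBUTE, DISTINGUISHEDNAME | Format-Table -AutoSize
$findings | Export-Csv -Path .\presync-findings.csv -NoTypeInformation   # offline review, as with IdFix's CSV export
```

The script only reports; remediation stays with IdFix or a reviewed change, and duplicates are detected per attribute, so a value that appears in one object's mail and another object's proxyAddresses still needs IdFix's cross-attribute check.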

      Further Reading

      You can learn more about the required and supported values for attributes at https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailbox and https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-for-directory-synchronization.

      IdFix is Microsoft’s tool for detecting common issues with on-premises AD identity data. While it doesn’t fix all possible errors, it is able to identify and remediate data formatting errors so that objects have valid data to synchronize.

      IdFix supports the following features:

      • Transaction rollback
      • Verbose logging
      • Exporting data to CSV and LDF formats for offline review and editing

      To get started with the tool, follow these steps:

      1. Navigate to https://aka.ms/idfix.

          2. Scroll to the bottom of the page and click Next.

          3. Review the prerequisites for the tool. Scroll to the bottom of the page and click Next.

          4. Click setup.exe to download the file and start the installation.

          5. After the installation wizard starts, click Install.

          6. Acknowledge the IdFix privacy statement by clicking OK.

          7. IdFix, by default, targets the entire directory. You can select Settings (the gear icon) to change the options for IdFix. You can edit the Filter option to scope to certain object types. You can also select Search Base to specify a starting point for IdFix to begin its query. After modifying any settings, click OK, as shown in Figure 4.1:

          Figure 4.1 – IdFix Settings

          8. Click Query to connect to Active Directory and begin the analysis.

          Schema Warning

          If you receive a schema warning, such as the one in Figure 4.2, you can click Yes to proceed or No to return to the IdFix tool. The schema warning is generally presented when attributes are present in the AD schema but have not been marked for replication (usually because Exchange Server has not been installed or replication hasn’t been completed successfully in your organization for an extended period of time). If you receive this error, you should check to ensure that you have at least run the Exchange Server setup with the /PrepareSchema and /PrepareAD switches and have validated that AD replication is working correctly.

          Figure 4.2 – IdFix schema warning

          After IdFix has analyzed the environment, results are returned to the data grid, shown in Figure 4.3.

          The DISTINGUISHEDNAME column shows the full path to the object in question, while the ATTRIBUTE column shows the attribute or property impacted. The ERROR column shows what type of error was encountered (such as an invalid character or duplicate object value). The VALUE column shows the existing value and the UPDATE column shows any suggested value.

          Figure 4.3 – IdFix data grid

          After you have investigated an object, you can choose to accept the suggested value in the UPDATE column (if one exists). You can also choose to either enter or edit a new value in the UPDATE column.

          Once you’re done investigating or updating an object, you can use the dropdown in the ACTION column to mark an object:

          • Selecting EDIT indicates you want to configure the object attribute with the value in the UPDATE column
          • Selecting COMPLETE indicates you want to leave the object as it is
          • Selecting REMOVE instructs IdFix to clear the offending attribute

          In addition, you can select Accept to accept any suggested values in the UPDATE column. Choosing this option will configure all objects with a value in the UPDATE column to EDIT, indicating that the changes are ready to be processed.

          Once you have configured an action for each object, select Apply to instruct IdFix to make the changes.

          IdFix will process the changes. Transactions are written to a log that can be imported and used to roll back any mistakes.

          Once you have ensured that your on-premises directory data is ready to synchronize to Azure AD, you can deploy and configure one of the Azure AD Connect synchronization products.

          Alerting – Managing Roles in Microsoft 365

          PIM also has built-in alerting functions. The alerts are designed to provide notifications if certain risk conditions are detected. Several of the role alerts have sliders for notifications that can be used to tune them for your organization. Alerts are accessed through the Azure portal by going to the Identity Governance | Microsoft Entra roles | Alerts page. By clicking on the gear icon, you can see all of the pre-configured alerts and edit them to your needs, as shown in Figure 3.27:

          Figure 3.27 – Viewing PIM Alert settings

          Note

          Users can only edit and manage pre-configured alerts; creating new alerts is not an option.

          PIM is a tool to help reduce the surface area of your organization. By reducing the number of accounts with standing privileges, you can greatly reduce the risks presented by compromised administration accounts.

          Summary

          In this chapter, you learned about what it means to manage Azure AD from a least-privilege perspective. Reducing the scope and privileges used to administer an environment can greatly reduce the possible impacts of administrative actions—whether they are unintentional or targeted attacks by malicious users.

          The next chapter will explore authentication options and configurations in the Microsoft 365 platform.

          Exam Readiness Drill – Chapter Review Questions

          Benchmark Score: 75%

          Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why working on these skills early on in your learning journey is key.

          Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

          Before You Proceed

          You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

          To open the Chapter Review Questions for this chapter, click the following link:

          https://packt.link/MS102E1_CH03. Or, you can scan the following QR code:

          Figure 3.28 – QR code that opens Chapter Review Questions for logged-in users

          Once you log in, you’ll see a page similar to what is shown in Figure 3.29:

          Figure 3.29 – Chapter Review Questions for Chapter 3

          Once ready, start the following practice drills, re-attempting the quiz multiple times:

          Exam Readiness Drill

          For the first 3 attempts, don’t worry about the time limit.

          ATTEMPT 1

          The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

          ATTEMPT 2

          The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

          ATTEMPT 3

          The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

          Tip

          You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

          Working On Timing

          Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of how your next attempts should look:

          Table 3.3 – Sample timing practice drills on the online platform

          Note

          The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

          With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

          Creating a Role Assignment – Managing Roles in Microsoft 365

          You can configure PIM for a role by following this procedure:

          1. Navigate to the Azure portal (https://portal.azure.com). Enter Identity Governance into the search bar and select the Identity Governance option.

            2. Under Privileged Identity Management, select Azure AD roles (or Microsoft Entra roles).

            3. Under Manage, select Roles. See Figure 3.22:

            Figure 3.22 – Role assignments

            4. Select the role you wish to configure an assignment for, such as the Exchange Administrator role.

            5. Click Add assignments.

            6. On the Membership tab of the Add assignments page, under Select member(s), click No member selected to bring up the Select a member flyout.

            7. On the Select a member flyout, choose one or more members and click Select, as shown in Figure 3.23:

            Figure 3.23 – Selecting members

            8. On the Add assignments page, click Next.

            9. On the Setting tab of the Add assignments page, select an assignment type, such as Eligible. In this instance, if you want the users to be eligible to request elevation for the duration of the time period their account is enabled, select Permanently eligible.

            Figure 3.24 – Configuring assignment type and eligibility duration

            10. Click Assign.

            From this point, the users that you have selected can activate their role assignment from the Azure portal.

            Reviewing Role Assignments

            You can review all of the assignments that you’ve created in the Azure portal. To view the role assignments, navigate to the Identity Governance blade and then select Azure AD roles | Azure AD roles | Assignments. See Figure 3.25:

            Figure 3.25 – Viewing role assignments

            On the Eligible assignments tab, assignments are listed under their respective Azure AD role. The Active assignments tab lists individuals with various role assignments, including their end dates and whether they’re permanent. Review Figure 3.26 for an example of active assignments.

            Figure 3.26 – Viewing active assignments

            Notice that the assignments can include both users as well as application security principals.

            Viewing and Updating Administrative Units – Managing Roles in Microsoft 365

            After creating the administrative units, you can review them and modify their members and administrators from either the Azure portal or the Microsoft 365 admin center under Roles | Administrative units.

            See Figure 3.20:

            Figure 3.20 – Viewing administrative units

            By selecting an administrative unit in the Microsoft 365 admin center, you can view or change its membership.

            Note

            The user interface for managing administrative units isn’t consistent. From the Microsoft 365 admin center, you can view an administrative unit and add users or groups to it, but you can’t do the inverse of navigating to a user or group object and adding it to an administrative unit. You can, however, perform both types of membership operations in the Azure portal.

            While you can assign groups to administrative units, it does not automatically add the group member objects to the administrative scope—it only enables managing the properties of the group. You need to add the members of the group to the administrative unit directly in order for them to be in scope.

            Note

            Dynamic administrative units are a preview feature that allows you to use filters and queries to automatically populate administrative units. Like dynamic groups, dynamic administrative units can only have one object type (users or devices). Dynamic administrative units can only be configured in the Azure portal at this time.

            As you define administrative structures and delegation for your organization, you’ll need to understand the limits of scoping controls. For instance, assigning an administrator to both an administrative unit as well as an Exchange or SharePoint Administrator role means that while they can only make modifications to users in their administrative unit, they can potentially make changes to application settings that affect users tenant-wide.

            Note

            Some applications, such as Exchange Online, support additional RBAC scoping controls to offer finer-grained service administration.

            Planning and Implementing Privileged Identity Management

            Privileged Identity Management (PIM) is the logical next step in RBAC and least-privilege identity management. While RBAC addresses what amount of privilege is needed to accomplish a task, PIM addresses the idea of how long this level of privilege is required.

            Sometimes called Just-in-Time (JIT) access, PIM is a feature that allows users to request elevation to Azure AD roles or resources for limited periods of time to perform administrative tasks. At the end of the period, the roles and privileges are revoked, returning the user account to their pre-elevation access rights.

            Note

            PIM is an Azure AD Premium P2 or Enterprise Mobility + Security E5 feature.

            PIM has a few key terms that you’ll need to understand:

            • Assignment: This describes how the user is granted the role. In the case of Eligible, it means a user has to perform an action to use the role, such as requesting elevation or asking for approval. In the case of Active, it means the user doesn’t have to do anything to request the role.
            • Duration: This describes how long a particular assignment is active. It can be permanent (no expiration date) or time-bound, meaning it will be active only for a specific period of time.

            For example, John is a full-time employee and needs to periodically be able to perform functions in the Exchange Administrator role. His assignment would be Eligible, while the duration would be permanent.

            In another example, Kay is a temporary worker whose contract ends on July 31. She periodically needs to be elevated to be able to perform user administration functions. Her assignment would be Eligible, while the duration would have an end date of July 31.
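The two assignments just described (John: Eligible and permanent; Kay: Eligible with an end date of July 31) created with the Microsoft Graph PowerShell SDK, which is the scripted form of the Add assignments procedure in the Creating a Role Assignment section. This is an added example, not from the book; the UPNs are placeholders, and Kay's end date uses the current year because the text gives none.

```powershell
# Added example, not from the book: the two assignments described above (John: Eligible and
# permanent; Kay: Eligible until July 31) created with the Microsoft Graph PowerShell SDK,
# the scripted form of the Add assignments procedure. UPNs are placeholders; Kay's end date
# uses the current year because the text gives none.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory','User.Read.All'

function New-EligibleAssignment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleName,
        [datetime] $EndDate          # omit for "Permanently eligible"
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"

    # Duration: noExpiration is the Permanently eligible option; afterDateTime is time-bound
    $expiration = if ($PSBoundParameters.ContainsKey('EndDate')) {
        @{ type = 'afterDateTime'; endDateTime = $EndDate.ToUniversalTime().ToString('o') }
    } else {
        @{ type = 'noExpiration' }
    }

    # Assignment type Eligible: the user must activate the role before using it
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = 'adminAssign'            # an administrator grants eligibility
        justification    = "Eligible $RoleName for $UserPrincipalName"
        principalId      = $user.Id
        roleDefinitionId = $role.Id
        directoryScopeId = '/'                      # tenant-wide; '/administrativeUnits/{id}' would scope it
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = $expiration
        }
    }
}

# John: full-time employee, Eligible for Exchange Administrator, permanent
New-EligibleAssignment -UserPrincipalName 'john@contoso.com' -RoleName 'Exchange Administrator'

# Kay: contractor, Eligible for User Administrator, eligibility ends July 31 (current year)
$july31 = Get-Date -Month 7 -Day 31 -Hour 23 -Minute 59 -Second 59
New-EligibleAssignment -UserPrincipalName 'kay@contoso.com' -RoleName 'User Administrator' -EndDate $july31

# Review, as on the Eligible assignments tab: eligibility schedules with their end dates
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId,
                  @{ n = 'EndDate'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```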

            PIM for Azure AD roles and Azure resources can be configured in the Azure portal on the Identity Governance blade, as shown in Figure 3.21:

            Figure 3.21 – Privileged Identity Management

            Next, you’ll look at configuring a simple assignment.

            Managing Roles in Microsoft 365 and Azure AD – Managing Roles in Microsoft 365

            Azure AD roles are used to delegate permissions to perform tasks in Azure AD and Microsoft 365. Most people are familiar with the Global Administrator role, as it is the first role that’s established when you create a tenant. However, there are dozens of other roles available that can be used to provide a refined level of delegation throughout the environment. As the number of applications and services available in Microsoft 365 has grown, so has the number of security roles.

            Roles for applications, services, and functions are intuitively named and generally split into two groups, Administrator and Reader, though there are some roles that have additional levels of permission associated with them (such as Printer Technician or Attack Simulator Payload Author).

            If you’re reading this book chronologically, you’ll already be familiar with the Global Administrator role (also called the Company Administrator role in some legacy interfaces). If not, you can refer to Chapter 1, Implementing and Managing a Microsoft 365 Tenant, to get up to speed. The Global Administrator roleis able to administer all parts of the organization, including creating and modifying users or groups and delegating other administrative roles. In most cases, users with the Global Administrator role can access and modify all parts of an individual Microsoft 365 service—for example, editing Exchange transport rules, creating SharePoint Online sites, or setting up directory synchronization.

            Further Reading

            There are currently over 70 built-in administrative roles specific to Azure AD services and applications. For an up-to-date list of the roles available, see https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference.

            For the MS-102 exam, you should plan on becoming familiar with the core Microsoft 365 and Azure AD roles:

            Role name                      Role description
            Global Administrator           Can manage all aspects of Azure AD and Microsoft 365 services
            Hybrid Identity Administrator  Can manage Azure AD Connect and Azure AD Connect Cloud Sync configuration settings, including Pass-Through Authentication (PTA), Password Hash Synchronization (PHS), Seamless Single Sign-on (Seamless SSO), and federation settings
            Billing Administrator          Can perform billing tasks such as updating payment information
            Compliance Administrator       Can read and manage the compliance configuration and reporting in Azure AD and Microsoft 365
            Exchange Administrator         Can manage all aspects of the Exchange Online service
            Guest Inviter                  Can invite guest users regardless of whether the members can invite guests setting is enabled
            Office Apps Administrator      Can manage Office apps, including policy and settings management
            Reports Reader                 Can read sign-in and audit reports
            Security Reader                Can read security information and reports in Azure AD and Office 365
            SharePoint Administrator       Can manage all aspects of the SharePoint service
            Teams Administrator            Can manage all aspects of the Microsoft Teams service
            User Administrator             Can manage all aspects of users and groups, including resetting passwords for limited admins

            Table 3.1 – Core Azure AD and Microsoft 365 roles

            Planning for Role Assignments

            One of the core tenets of security is the use of a least-privilege model. Least privilege means delegating the minimum level of permissions to accomplish a particular task. In the context of Microsoft 365 and Azure AD, this translates to using the built-in roles for services, applications, and features where possible instead of granting the Global Administrator role. Limiting the administrative scope for services based on roles is commonly referred to as role-based access control (RBAC).

            In order to help organizations plan for a least-privilege deployment, Microsoft currently maintains this list of the least privileged roles required to accomplish certain tasks, grouped by application or content area: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task.

            When planning for role assignments in your organization, you can choose to assign roles directly to users or via a specially designated Azure AD group. If you want to use groups for role assignment, you must configure the isAssignableToRole property during the group creation. For example, in Figure 3.1, the Azure AD roles cannot be assigned to the group due to the current setting of the Azure AD roles can be assigned to the group toggle. To enable roles to be assigned to this group, the toggle will need to be set to Yes, thereby setting the isAssignableToRole property of the object to $true behind the scenes. It cannot be configured afterward. If you make a mistake on this setting for a group, your only option is to delete the group and start over.

            Figure 3.1 – Configuring the isAssignableToRole property on a new group

            Azure AD groups that are configured to be role-eligible must have assigned membership. As soon as you move the slider to configure a role-assignable group, the ability to change the membership type to dynamic is grayed out. Role-assignable groups must have assigned membership to prevent unintentionally elevating a user to a privileged role or removing a user’s privilege when a group’s dynamic membership rules are evaluated.
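Creating a role-assignable group with the Microsoft Graph PowerShell SDK, where the toggle described above is the -IsAssignableToRole switch, followed by an audit of every role-assignable group and its owners (an owner can add members and so hand out the role). This is an added example, not from the book; the group name and mail nickname are constructed.

```powershell
# Added example, not from the book: creating a role-assignable group with the Microsoft Graph
# PowerShell SDK, then listing every role-assignable group with its owners, since an owner can
# add members and thereby hand out the assigned role. The group name and nickname are constructed.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# isAssignableToRole is set once, at creation; it cannot be changed afterward.
# The SDK exposes it as the -IsAssignableToRole switch, which sets the property to $true.
$grp = New-MgGroup -DisplayName 'Exchange Administrators (role-assignable)' `
                   -MailNickname 'exchange-admins-ra' `
                   -MailEnabled:$false -SecurityEnabled -IsAssignableToRole
# Not passing -GroupTypes 'DynamicMembership' is deliberate: a role-assignable group must use assigned membership.

# Audit: who controls the membership of each role-assignable group in the tenant
Get-MgGroup -Filter 'isAssignableToRole eq true' -All | ForEach-Object {
    $owners  = Get-MgGroupOwner  -GroupId $_.Id -All
    $members = Get-MgGroupMember -GroupId $_.Id -All
    [pscustomobject]@{
        Group       = $_.DisplayName
        Membership  = if ($_.GroupTypes -contains 'DynamicMembership') { 'Dynamic' } else { 'Assigned' }  # expect Assigned
        Owners      = ($owners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', '
        MemberCount = @($members).Count
    }
} | Format-Table -AutoSize
```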

            Microsoft Purview – Managing Roles in Microsoft 365

            Like Microsoft 365 Defender, Microsoft Purview can leverage both Azure AD global roles as well as more refined role groups specifically designed for Microsoft Purview. Some features (such as eDiscovery) can only be configured using the Purview-specific roles.

            You can view the global Azure AD roles by navigating to the Microsoft Purview compliance center, expanding Roles & scopes, selecting Permissions, and then selecting Roles under Azure AD. See Figure 3.11:

            Figure 3.11 – Viewing the Azure AD roles in the Microsoft 365 admin center

            By comparison, the Microsoft Purview-specific roles are more detailed. They can be seen in the Microsoft Purview compliance center (https://compliance.microsoft.com) by expanding Roles & scopes, selecting Permissions, and then selecting Roles under Microsoft Purview solutions. See Figure 3.12:

            Figure 3.12 – Microsoft Purview solutions roles

            Like Microsoft 365 Defender, you can also create custom role groups for Microsoft Purview solutions. Microsoft Purview roles also support scoping with administrative units. Currently, the features described in Table 3.2 support administrative units:

            Solution or feature           Configuration areas
            Data lifecycle management     Retention policies, retention label policies, role groups
            Data Loss Prevention (DLP)    DLP policies, role groups
            Communications compliance     Adaptive scopes
            Records management            Retention policies, retention label policies, adaptive scopes, role groups
            Sensitivity labels            Sensitivity label policies, auto-labeling policies, role groups

            Table 3.2 – Microsoft Purview’s support for administrative units

            Next, you’ll look at managing role groups for Microsoft 365 workloads.

            Microsoft 365 Workloads

            The core Microsoft 365 workloads, such as Exchange Online and SharePoint Online, have built-in support for a number of role groups.

            Figure 3.13 – Microsoft 365 workload roles

            In the case of Exchange Online, there are additional management roles that can be assigned within the Exchange admin center’s existing RBAC mechanisms. Exchange Online’s RBAC model predates the modern Microsoft 365 and Azure role assignments; Exchange Online’s roles provide extra security granularity.

            While many workloads will have a single role group (such as Kaizala Administrator or SharePoint Administrator), some, such as Teams, have multiple role groups that can be used to further segment or delegate administration. You can review the current list of roles available in the Microsoft 365 admin center by navigating to the admin center (https://admin.microsoft.com), expanding Roles, and then selecting Role assignments.

            Managing Administrative Units

            Administrative units are collections of users and devices that can be delegated to certain administrators. In on-premises Active Directory, you may choose to delegate control of administrative functions using the Delegation of Control wizard in Active Directory Users and Computers or the Active Directory Administrative Center. Unlike on-premises Active Directory, Azure AD is not hierarchical. Delegation must be achieved by defining boundaries and then controlling which users or devices are placed inside the boundaries.

            Administrative units can be role-scoped—that is to say, administrators can both be granted administrative roles (such as Helpdesk Administrator) as well as be limited to administrative tasks only for assigned administrative units.
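The boundary-then-scope model described above, as an added Microsoft Graph PowerShell example (not the book's own code): an administrative unit is created, a user is placed inside it, and Helpdesk Administrator is granted to a support user for that unit only rather than for the whole tenant. The unit name and the user principal names are assumed values.

```powershell
# Added example: scope a Helpdesk Administrator assignment to a single administrative unit.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Define the boundary: an administrative unit, and the users who live inside it.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Regional Helpdesk - West" `   # assumed name
    -Description "Users supported by the West regional helpdesk"
$member = Get-MgUser -UserId "alice@contoso.example"   # assumed UPN of a supported user
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($member.Id)" }

# Grant the role with the AU as the directory scope instead of "/" (tenant-wide).
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$admin = Get-MgUser -UserId "bob.helpdesk@contoso.example"   # assumed UPN of the delegated admin
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Review step: list every assignment of this role with its scope, so tenant-wide ("/") grants stand out.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```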

            Managing Roles in the Microsoft 365 Admin Center – Managing Roles in Microsoft 365

            Roles can be easily managed within the Microsoft 365 admin center by expanding the navigation menu, expanding Roles, and then selecting Role assignments, as shown in Figure 3.2:

            Figure 3.2 – Role assignments

            Roles are displayed across four tabs—Azure AD, Exchange, Intune, and Billing—on the Role assignments page, as shown in Figure 3.3:

            Figure 3.3 – Role assignments page

            To add people to a role, simply select the role from the list, choose the Assigned tab, and then add either users (click Add users) or groups (click Add groups) to the particular admin role, as shown in Figure 3.4:

            Figure 3.4 – Making role assignments

            Depending on the roles being assigned through this interface, you may be able to use Microsoft 365 groups, role-assignable security groups, or mail-enabled security groups.

            Managing Role Groups for Microsoft Defender, Microsoft Purview, and Microsoft 365 Workloads

            Now that you’re familiar with role groups and concepts, let’s look at managing roles for some specific workloads and feature areas of Microsoft 365:

            • Microsoft Defender
            • Microsoft Purview
            • Microsoft 365 workloads

            You will next look at some of the nuances of managing roles in each of these areas.

            Microsoft Defender

            All of the Microsoft Defender roles can be administered from the Azure portal (https://portal.azure.com). Both the Microsoft 365 Defender and Azure portal interfaces also provide the ability to define custom roles or role groups.

            Note

            Microsoft 365 Defender also has a new RBAC model available. As of June 2023, the Microsoft 365 Defender RBAC model is in preview and is subject to change. Not all features and rights are present in the new RBAC model and it is not yet suitable for production. If you switch as part of your study program, you may lose out on the opportunity to perform some activities. The exam will focus on the current model that is generally available. You should perform any study exercises with the default RBAC model.

            Microsoft 365 Defender users can be configured to use either the global Azure AD roles or custom roles from the Microsoft 365 Defender portal. When using Azure AD’s global roles to assign permissions for Microsoft 365 Defender, it’s important to note that the Azure AD roles will grant access to multiple workloads.

            By default, Global Administrators and Security Administrators have access to the Microsoft 365 Defender features. To delegate administrative duties, you can use custom roles.

            To create a custom role, follow these steps:

            1. Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com) with an account that is a member of either the Global Administrators or Security Administrators group.

            2. In the navigation menu, select Permissions, as shown in Figure 3.5:

            Figure 3.5 – Microsoft 365 Defender permissions

            3. Click Create custom role.

            4. On the Basics page, enter a role name and click Next.

            Figure 3.6 – Creating a new custom role

            5. Select permissions from the available permissions groups. For example, select Security operations, then choose the Select all read-only permissions radio button and click Apply, as shown in Figure 3.7:

            Figure 3.7 – Selecting permissions

            6. When you’ve finished, click Next.

            7. On the Assignments page, click Add assignment. See Figure 3.8:

            Figure 3.8 – Adding user and data assignments

            8. On the Add assignment page, enter an assignment name for this permissions assignment.

            9. On the Add assignment page, select which data sources this assignment applies to. You can select Choose all data sources (including current and future supported data sources) to make a broadly scoped role, or select specific individual data sources.

            10. On the Add assignment page, select which users or groups will be configured with this assignment. Click Add when finished. See Figure 3.9:

            Figure 3.9 – Selecting assignment options

            11. Add more assignments if necessary and then click Next to continue.

            12. On the Review and finish page, confirm the selections and then click Submit, as shown in Figure 3.10:

                      Figure 3.10 – Confirming configuration

                      Once the roles and assignments have been configured, users can log in and view or manage the features to which they’ve been assigned.

                      Further Reading

            For more information on the deeper nuances of the Microsoft 365 Defender custom roles and available permissions, see https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-permissions-details.

                      Next, you’ll explore the roles and permissions for Microsoft Purview.