Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and identity management service. In Azure AD, a user is defined by a User entity, which includes all the properties and settings specific to that user. Managing users in Azure AD is an important aspect of the AZ-500: Microsoft Azure Security Technologies exam.
Creating New Users in Azure AD
A new user in Azure AD can be created through the Azure portal or via the Azure AD module in PowerShell. Here is an example of how to create a user in the Azure AD portal:
- In the Azure portal, click on “Azure Active Directory”.
- Then, click on “Users”.
- Click the “+ New user” button.
- Fill in the “Name”, “User name”, “Profile”, “Properties”, “Groups”, “Directory role”, and “Password” fields.
- Click on the “Create” button.
The Azure AD PowerShell module can also be used to automate the task of creating users.
PowerShell
Install-Module AzureAD
Connect-AzureAD   # sign in before running any AzureAD cmdlet
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = "userPassword"
# -MailNickName is a mandatory parameter of New-AzureADUser
New-AzureADUser -AccountEnabled $true -DisplayName "Sample User" `
    -PasswordProfile $passwordProfile -UserPrincipalName sample.user@contoso.com `
    -MailNickName sample.user
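The snippet above creates one account with a hard-coded password. The following script is an added example (not code from the original page or from Microsoft) showing the same New-AzureADUser call applied to a batch of users with a randomly generated, single-use initial password. The CSV rows, the user names and the contoso.com domain are constructed sample data; the script assumes the AzureAD module is installed and that Connect-AzureAD has been run.

```powershell
# Added example: bulk-create Azure AD users from a CSV with generated initial
# passwords that must be changed at first sign-in.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.

Connect-AzureAD

# Constructed sample input; in practice replace with: Import-Csv .\newusers.csv
$newUsers = @"
DisplayName,UserPrincipalName,MailNickName
Alice Example,alice.example@contoso.com,alice.example
Bob Example,bob.example@contoso.com,bob.example
"@ | ConvertFrom-Csv

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 candidate characters (ambiguous I, O, l, o removed); 256 is a multiple
    # of 64, so indexing a random byte with modulo introduces no bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    # Use the OS cryptographic RNG rather than Get-Random
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($u in $newUsers) {
    # Skip accounts that already exist so the script is safe to re-run
    if (Get-AzureADUser -Filter "userPrincipalName eq '$($u.UserPrincipalName)'") {
        Write-Warning "Skipping $($u.UserPrincipalName): already exists"
        continue
    }

    $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwProfile.Password = New-RandomPassword
    $pwProfile.ForceChangePasswordNextLogin = $true   # initial secret is single-use

    $created = New-AzureADUser -AccountEnabled $true `
        -DisplayName $u.DisplayName `
        -UserPrincipalName $u.UserPrincipalName `
        -MailNickName $u.MailNickName `
        -PasswordProfile $pwProfile

    # Hand the initial password to the user out of band; do not write it to a log
    [pscustomobject]@{
        UserPrincipalName = $created.UserPrincipalName
        ObjectId          = $created.ObjectId
        InitialPassword   = $pwProfile.Password
    }
}
```

The existence check uses an OData filter on userPrincipalName so a second run does not fail on duplicate accounts, and ForceChangePasswordNextLogin ensures the generated value never becomes a long-lived credential.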
Assigning Azure AD Users to Groups
Assigning a user to a group means giving the user the permissions and access rights of that group. This can be done from the Azure portal, or using PowerShell. For example, to add a user to a group in the Azure portal:
- Navigate to Azure Active Directory > Groups > All Groups.
- Select the group to which the user should be added.
- Under the “Members” section, click “+ Add members”.
- Select the users to be added to the group, and click “Select”.
PowerShell can also be used to add a user to a group:
$group = Get-AzureADGroup -SearchString "Sample Group"   # placeholder group name
$user  = Get-AzureADUser -ObjectId sample.user@contoso.com
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
Assigning Azure AD Users to Directory Roles
Assigning a user to a directory role helps in delegating certain administrative tasks to the user. From the Azure portal:
- Azure Active Directory > Roles and administrators > Select the role.
- Click “+ Add assignments”.
- Choose the users to whom you want to assign the role, and click “Add”.
PowerShell can also be used:
# Get-AzureADDirectoryRole lists only roles already activated in the tenant; a
# never-used role must first be activated with Enable-AzureADDirectoryRole.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "User Administrator" }
$user = Get-AzureADUser -ObjectId sample.user@contoso.com
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
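Assigning a directory role is only half of the job; the other half is being able to see who currently holds one. The following script is an added example (not code from the original page or from Microsoft) that enumerates every member of every activated directory role and flags the assignments a reviewer usually wants to look at first. It assumes Connect-AzureAD has been run with an account that can read directory roles; the role name "Global Administrator" is a built-in role, while the output layout is my own.

```powershell
# Added example: inventory directory role membership for periodic review.
# Assumes Connect-AzureAD has already been run.

Connect-AzureAD

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant; Get-AzureADDirectoryRoleTemplate lists every role that could exist.
$roleMembers = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role              = $role.DisplayName
            MemberType        = $member.ObjectType          # User, Group or ServicePrincipal
            DisplayName       = $member.DisplayName
            UserPrincipalName = $member.UserPrincipalName   # empty for non-user members
            UserType          = $member.UserType            # Member or Guest; empty for non-users
        }
    }
}

# Full inventory, one row per (role, member) pair
$roleMembers | Sort-Object Role, DisplayName | Format-Table -AutoSize

# Review targets: how many Global Administrators exist, and whether any guest
# account or service principal holds a directory role at all.
$globalAdmins = @($roleMembers | Where-Object Role -eq 'Global Administrator')
Write-Output "Global Administrator assignments: $($globalAdmins.Count)"

$guestsWithRoles = @($roleMembers | Where-Object UserType -eq 'Guest')
if ($guestsWithRoles.Count -gt 0) {
    Write-Warning "Guest accounts holding directory roles:"
    $guestsWithRoles | Format-Table Role, UserPrincipalName -AutoSize
}

$spnsWithRoles = @($roleMembers | Where-Object MemberType -eq 'ServicePrincipal')
if ($spnsWithRoles.Count -gt 0) {
    Write-Warning "Service principals holding directory roles:"
    $spnsWithRoles | Format-Table Role, DisplayName -AutoSize
}
```

Exporting $roleMembers with Export-Csv on a schedule and diffing successive runs turns this into a simple change-detection control for privileged role assignments.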
Deleting Azure AD Users
Deleting a user will remove them from your Azure AD. From the Azure portal:
- Azure Active Directory > Users.
- Select the user to be deleted and click “Delete”.
Using PowerShell:
# -ObjectId accepts either the object ID or the user principal name
Remove-AzureADUser -ObjectId sample.user@contoso.com
Resetting Azure AD User Passwords
The Azure portal allows an administrator to reset a user’s password.
- Azure Active Directory > Users.
- Select the user and under “Manage”, click on “Reset password”.
Using PowerShell to reset a user’s password:
# Set-AzureADUserPassword takes a SecureString, not a PasswordProfile object
$newPassword = ConvertTo-SecureString "NewPass@word1" -AsPlainText -Force
Set-AzureADUserPassword -ObjectId sample.user@contoso.com -Password $newPassword `
    -ForceChangePasswordNextLogin $true
In conclusion, managing users in Azure AD by creating, assigning groups and roles, deleting, and resetting passwords is crucial, and understanding how to perform these tasks is an essential part of the AZ-500: Microsoft Azure Security Technologies exam preparation. Whether through the Azure portal or PowerShell commands, managing users is a basic but vital part of an Azure administrator’s role.
Practice Test
True or False: Azure Active Directory (Azure AD) only manages the users from your organization.
- True
- False
Answer: False.
Explanation: Azure AD manages both users from your organization and external users that belong to other Azure ADs.
What are the main roles in Azure Active Directory?
- A. Global Administrator
- B. User Administrator
- C. Group Administrator
- D. Device Administrator
- E. All of the above
Answer: E. All of the above
Explanation: Global Administrator, User Administrator, Group Administrator, and Device Administrator are main roles in Azure AD that have different permissions to manage the directory.
True or False: Azure AD Users can have multiple active sessions at the same time.
- True
- False
Answer: True.
Explanation: Azure AD does not restrict the number of active sessions a user can have concurrently.
What needs to be installed in order to synchronize on-premises Active Directory to Azure AD?
- A. Azure AD Connect
- B. Azure AD Sync
- C. Azure PowerShell Module
- D. Exchange Server
Answer: A. Azure AD Connect
Explanation: Azure AD Connect is the tool that provides synchronization of on-premises directory objects to Azure AD.
True or False: Guest users can be added to Azure AD.
- True
- False
Answer: True.
Explanation: Azure AD allows managing guest users to collaborate with your organization.
Which of the following are ways of managing Azure AD users?
- A. Azure portal
- B. Azure AD PowerShell
- C. Azure AD Graph API
- D. All of the above
Answer: D. All of the above
Explanation: Managing Azure AD users can be accomplished through the Azure portal, PowerShell or the Graph API.
True or False: It is possible to change the username of a user in Azure AD.
- True
- False
Answer: True.
Explanation: Azure AD allows administrators to change the username of a user.
What is the maximum number of Azure AD objects that the Azure AD free edition supports?
- A. 500
- B. 1000
- C. 5000
- D. No limit
Answer: D. No limit
Explanation: The Azure AD free edition includes an unlimited number of directory objects.
True or False: Azure AD supports group-based access management.
- True
- False
Answer: True.
Explanation: Azure AD has group-based features for access and identity management.
What Azure AD feature provides automatic password change for cloud apps?
- A. Self-service password reset
- B. Password writeback
- C. Password hash synchronization
- D. Managed Service Identity
Answer: B. Password writeback
Explanation: Password writeback is an Azure AD feature that, when enabled, allows password changes in the cloud to be written back to an existing on-premises directory in real time.
Which of the following is not a built-in role in Azure AD?
- A. Global administrator
- B. Printer administrator
- C. Billing administrator
- D. User administrator
Answer: B. Printer administrator
Explanation: There is no “Printer administrator” role.
True or False: Azure AD requires users to update their password every 60 days.
- True
- False
Answer: False.
Explanation: While it’s possible to enforce password expiration policies in Azure AD, it’s not a requirement for users to update their passwords every 60 days.
Can Azure AD manage users from multiple domains?
- A. Yes, if the domains are verified.
- B. Yes, but only from .com domains.
- C. No, Azure AD can only manage one domain.
- D. No, Azure AD cannot manage any domains.
Answer: A. Yes, if the domains are verified.
Explanation: Azure AD can support users from multiple domains but the domains must be verified before they can be added to Azure AD.
True or False: In Azure AD, a user can have multiple roles.
- True
- False
Answer: True.
Explanation: It is possible to assign multiple roles to a user in Azure AD.
What does the term ‘RBAC’ stand for in the context of Azure AD?
- A. Role-Based Availability Control
- B. Role-Based Access Control
- C. Resource-Based Access Control
- D. Rights-Based Access Control
Answer: B. Role-Based Access Control
Explanation: In Azure AD, RBAC is a system that grants access to Azure resources based on the user’s role in the organization.
Interview Questions
What does Azure Active Directory (Azure AD) provide?
Azure Active Directory (Azure AD) provides identity management and access control capabilities for your cloud applications. You can use it to manage user identities, create and manage groups, and control access to your cloud applications.
What is the function of “Guest Users” in Azure AD?
Guest users in Azure AD allow you to provide access to your organization’s resources to individuals outside your organization, such as partners or vendors. This enables them to access resources in your organization, while still maintaining control over their own user accounts.
How can you add a new user to Azure Active Directory?
You can add a new user to Azure Active Directory from the Azure portal. Go to Azure Active Directory > Users > New user. Then fill in the user’s name, username, and other details, and click “Create”.
How can you block a user from signing in to Azure Active Directory?
To block a user from signing in to Azure AD, navigate to the Azure portal. Then go to Azure Active Directory > Users, select the specific user, and change the “Block sign in” setting to “Yes”.
How can you assign a license to a user in Azure Active Directory?
To assign a license to a user in Azure AD, navigate to the Azure portal. Go to Azure Active Directory > Users, select the specific user, and then under Licenses, click “Assignments”. Here, you can assign or remove licenses.
How do you delete a user from Azure Active Directory?
To delete a user from Azure AD, navigate to the Azure portal, go to Azure Active Directory > Users > All users. Choose the user you want to delete and click “Delete user”.
How can you configure a user’s settings in Azure Active Directory?
You can configure a user’s settings in Azure AD using the Azure portal. You can do this by navigating to Azure Active Directory > Users, then selecting the specific user. When you open the user profile, you can configure settings such as Username, Display name, Job title, Department, etc.
What is the purpose of the “Directory role” option in Azure AD?
The “Directory role” option in Azure AD allows you to manage admin roles for users. Here, you can assign or remove Azure admin roles that grant permissions across your organization’s Azure resources.
What is the function of “Member” and “Guest” user types in Azure AD?
“Member” and “Guest” are two user types in Azure AD. A “Member” is typically an employee, while a “Guest” is usually someone outside the organization, like a partner or a vendor. You can set different access permissions for the two types based on the role they play in your organization.
What does Azure AD Conditional Access provide?
Azure AD Conditional Access provides a way to automatically enforce access controls when needed. It allows you to devise policies that take into account the user’s identity, location, device, and behavior to make real-time access decisions.
How can you reset a password for a user in Azure Active Directory?
To reset a password for a user in Azure AD, navigate to the Azure portal. Go to Azure Active Directory > Users, select the specific user, and then reset the password under Manage.
How can you manage multi-factor authentication settings for users in Azure AD?
You can manage multi-factor authentication settings for users in Azure AD in the Azure portal. Go to Azure Active Directory > Users > Multi-factor authentication. Here, you can manage settings for each user or bulk update for multiple users.
What is the use of the Azure AD Identity Protection tool?
Azure AD Identity Protection is a tool used for automating the detection and remediation of identity-based risks. It helps in investigating risky users and risky sign-ins, and provides custom policies for conditional access.
How can you configure the password expiration policy for a user in Azure AD?
You can configure the password expiration policy for a user in Azure AD in the Azure portal. Go to Azure Active Directory > Password protection. Here, you can define how often passwords expire and other related settings.
Can you restore a deleted user in Azure AD and how is it done?
Yes, you can restore a deleted user in Azure AD within 30 days of deletion. This can be done by navigating to Azure Active Directory > Users > Deleted users. Here, you can select the user and click on “Restore user”.