In this article, we’ll provide an overview of configuring these tenant-wide settings, highlighting key settings and providing examples for clarity. The enhanced understanding of these configurations will add value to your knowledge stack, assisting you during the SC-300 Microsoft Identity and Access Administrator exam.

Understanding Tenant-Wide Settings in Azure AD

In general, a “tenant” in Azure AD is simply a dedicated, isolated instance of Azure AD that’s automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft 365, Dynamics 365, or Azure. A tenant houses the users in a company and the information about them – their passwords, user profile data, permissions, and so on.

Configuring tenant-wide settings helps administrators manage security, compliance, and operational tasks. Key aspects of Azure AD tenant-wide settings include user settings, security and privacy, and Services & Add-ins.

User Settings

Within the Azure portal, under the general directory settings, administrators can configure user settings that control whether new users can be created, whether guests can be invited, whether self-service password reset is enabled for non-admins, and more.

Here is a brief overview of some of the significant configurations under user settings:

  • Users can register applications: By default, this is set to ‘Yes’. Changing this to ‘No’ means only the Global Administrator can register new applications.
  • Guest users permissions are limited: This is set to ‘Yes’ by default, providing limited permissions compared to member users for additional security.
  • Users can consent to apps accessing company data on their behalf: This setting allows users to give consent to applications that request access to company data. This is set to ‘Yes’ by default, but it needs to be managed wisely to ensure organizational data security.
  • Admins and users in the guest inviter role can invite: This determines who can invite guest users into your organization’s directory.
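
The four settings above correspond to properties of the tenant's authorization policy in Microsoft Graph. The following PowerShell is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK (Get-MgPolicyAuthorizationPolicy), which the article does not mention, and the function name Test-TenantUserSettings and the sample policy are constructed for illustration.

```powershell
# Added example: reports the four user settings listed above and marks permissive values for review.
function Test-TenantUserSettings {
    param([Parameter(Mandatory)] $Policy)

    # Guest role template IDs documented for the Graph authorizationPolicy resource.
    $guestRoles = @{
        'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'same as member users'
        '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'limited (default)'
        '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'restricted'
    }
    $perm       = $Policy.DefaultUserRolePermissions
    $consent    = @($perm.PermissionGrantPoliciesAssigned)
    $guestLevel = $guestRoles[[string]$Policy.GuestUserRoleId]
    if (-not $guestLevel) { $guestLevel = 'unknown role id' }
    # The "legacy" grant policy lets users consent to any app; an empty list means user consent is off.
    $legacy     = @($consent -match 'microsoft-user-default-legacy').Count -gt 0

    # One row per setting; Review = $true marks the more permissive choice.
    [pscustomobject]@{ Setting = 'Users can register applications'; Value = $perm.AllowedToCreateApps; Review = [bool]$perm.AllowedToCreateApps }
    [pscustomobject]@{ Setting = 'Guest user permissions'; Value = $guestLevel; Review = ($guestLevel -ne 'limited (default)' -and $guestLevel -ne 'restricted') }
    [pscustomobject]@{ Setting = 'User consent to apps'; Value = ($consent -join ', '); Review = $legacy }
    [pscustomobject]@{ Setting = 'Who can invite guests'; Value = $Policy.AllowInvitesFrom; Review = ($Policy.AllowInvitesFrom -in 'everyone', 'adminsGuestInvitersAndAllMembers') }
}

# Constructed sample shaped like Get-MgPolicyAuthorizationPolicy output (not real tenant data).
$sample = [pscustomobject]@{
    AllowInvitesFrom           = 'everyone'
    GuestUserRoleId            = '10dae51f-b6af-4016-8d66-8c2a99b929b3'
    DefaultUserRolePermissions = [pscustomobject]@{
        AllowedToCreateApps             = $true
        PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy')
    }
}
Test-TenantUserSettings -Policy $sample | Format-Table -AutoSize

# Against a live tenant (assumes the Microsoft.Graph module is installed and Policy.Read.All is consented):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# Test-TenantUserSettings -Policy (Get-MgPolicyAuthorizationPolicy)
```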

Security and Privacy

These settings are crucial for protecting sensitive company data. Some key configurations under security and privacy are:

  • Password expiry: Administrators can set a password policy wherein user passwords expire after a certain number of days. It could range from 14 to 730 days.
  • Password complexity: Administrators can define password complexity requirements such as length, presence of special characters, upper and lower case letters, etc.
  • Two-step verification: For additional security, two-step verification can be enabled wherein users will be required to authenticate using an additional form of verification like a code sent to their mobile device.

Services & Add-ins

Administrators have the ability to provide or limit access to Microsoft services or third-party applications.

For instance, there are settings for Microsoft Teams, Office 365, and others where administrators can configure who can create teams, who can access which SharePoint resources, etc.

In conclusion, configuring tenant-wide settings in Azure AD is an important skill for Microsoft Identity and Access Administrators. These settings change how the Azure AD service functions, and have crucial implications for user access, security, and interoperability within the organization. Understanding these settings should be beneficial for anyone preparing for the SC-300 Microsoft Identity and Access Administrator exam.

Practice Test

True or False? Conditional Access App Control supports granular control for data inside the app.

  • True
  • False

Answer: True.

Explanation: This feature indeed offers granular controls for protected data within the app, thereby restricting the way users interact with the data.

In Microsoft Azure, which of the following PowerShell commands can be used to view all of your Azure AD roles?

  • a) View-AzureADRole
  • b) Get-AzureADRole
  • c) Check-AzureADRole
  • d) Find-AzureADRole

Answer: b) Get-AzureADRole

Explanation: The command “Get-AzureADRole” is used to view all of your available Azure AD roles.

True or False? PowerShell can be used to configure tenant-wide settings in Azure Active Directory.

  • True
  • False

Answer: True.

Explanation: The PowerShell module for Azure Active Directory allows for configuration of tenant-wide settings, including roles, users, groups, and more.

When configuring tenant-wide settings, which of the following factors should be considered?

  • a) Role assignments
  • b) User locations
  • c) Number of resources
  • d) All of the above

Answer: d) All of the above

Explanation: The configuration of tenant-wide settings should take into account role assignments, user locations, and the number of resources to ensure optimal configuration.

True or False? Azure AD Connect Health requires Azure AD Premium.

  • True
  • False

Answer: True.

Explanation: Azure AD Connect Health is a premium feature and is only available with Azure AD Premium or Enterprise Mobility + Security (EMS) licenses.

Multiple select: What are the common tenant-wide settings in Azure Active Directory?

  • a) User settings
  • b) Directory settings
  • c) External collaboration settings
  • d) All of the above

Answer: d) All of the above

Explanation: These are the common tenant-wide settings that need to be configured in Azure Active Directory.

Single select: Which feature in Azure Active Directory requires Global Administrator permissions?

  • a) Create users
  • b) Manage user roles
  • c) Configure Enterprise State Roaming
  • d) All of the above

Answer: d) All of the above

Explanation: All these tasks require Global Administrator permissions to be configured in Azure Active Directory.

True or False? Microsoft Intune cannot be integrated with Azure Active Directory.

  • True
  • False

Answer: False.

Explanation: Microsoft Intune can be integrated with Azure Active Directory for mobile device management and conditional access features.

Multiple select: What can you use to configure tenant-wide settings in Azure Active Directory?

  • a) Azure portal
  • b) PowerShell
  • c) APIs
  • d) All of the above

Answer: d) All of the above

Explanation: The Azure portal, PowerShell, and APIs can all be used to configure tenant-wide settings.

Single select: Which one is NOT a tenant-wide setting in Azure Active Directory?

  • a) User password reset policy
  • b) Two-factor authentication
  • c) Intrusion detection
  • d) External collaboration settings

Answer: c) Intrusion detection

Explanation: Intrusion detection is not a part of tenant-wide settings. It’s part of the Azure security features.

Interview Questions

What are tenant-wide settings in Microsoft 365?

Tenant-wide settings in Microsoft 365 are settings that apply to the entire organization. These settings include services & add-ins, settings available under org settings, and data migration settings.

How can you configure tenant-wide settings in Microsoft 365 admin center?

To configure tenant-wide settings, you need to go to the Microsoft 365 admin center > Settings > Org settings, and then on the Services & add-ins page, select the services or add-ins you want to configure.

What’s the purpose of tenant-wide settings?

Tenant-wide settings allow you to manage functionalities and features for your entire Office 365 tenant. They provide configuration options for various add-ins and services, enabling you to manage rules, permissions, and restrictions across your tenant.

Can you explain the role of the Microsoft 365 Groups at the tenant level?

At the tenant level, Microsoft 365 Groups let you choose the settings you want to apply to all groups in your organization. Settings include how users can create groups, the privacy of the groups, and how much data members can access and share.

How do you control guest access for all Teams at the tenant level?

To control guest access for all Teams, an administrator would go to the Teams admin center, then navigate to the Org-wide settings > Guest access.

Is it possible to disable external sharing for all SharePoint Online sites at once?

Yes, it is possible to disable external sharing for all SharePoint Online sites at once. You do this by setting the SharePoint external sharing settings to ‘Only people in your organization’.

Can you restrict who can create a Microsoft 365 Group at the tenant level?

Yes, you can restrict who can create a Microsoft 365 Group by running a PowerShell script that modifies the settings of the Azure Active Directory.

Can user properties be altered at a tenant-wide level?

Yes, specific user properties, such as location details, can be edited at a tenant-wide level.

How can OneDrive cleanup be controlled at the tenant level?

OneDrive cleanup can be controlled at the tenant level by modifying the ‘cleanup function’ settings in the OneDrive admin center.

Is there a way to globally control meeting settings in Teams?

Yes, global control over meeting settings in Teams is possible through the ‘Meeting settings’ option under the Org-wide settings in the Teams admin center.

How can you manage Microsoft Search at a tenant level?

You can manage Microsoft Search at a tenant level by going to the Microsoft 365 admin center > Settings > Microsoft Search.

Can Threat Management policy be configured tenant-wide?

Yes, Threat Management policy can be configured tenant-wide through the Security & Compliance center.

How can you enforce multi-factor authentication (MFA) across a tenant?

To enforce MFA across a tenant, the administrator can go to the Azure portal > Azure Active Directory > Security > MFA to set up the necessary requirements.

Can security & compliance alerts be set up at a tenant-wide level?

Yes, security & compliance alerts can be set up at a tenant-wide level through the Security & Compliance center under the “Alert policies” section.

How can you control Teams upgrade notifications at the tenant level?

To control Teams upgrade notifications at the tenant level, you can configure settings in the Teams admin center under “Teams upgrade” in the Org-wide settings.
