MS Entra - Deep Dive
Welcome to the MS Entra Deep Dive training course
Whether you have no previous knowledge or want to strengthen your knowledge of MS Entra identity management, you have come to the right place. Here you will find all the information, the video material, a series of links to MS Learn and a PDF version of the information on MS Entra.
If you have not yet attended the M365 Cloud management intro sessions, it is recommended that you watch them first. Admission to this course is included in your education and is therefore accessible to you.
After this course, you will also be well prepared to delve further into:
- MS Intune
- MS Security & Compliance (SC-900)
Introduction
1.1 Introduction course
Welcome to the Entra ID course. In this video, we look at:
- What topics are covered in the course
- Where do you find all the material?
- What prior knowledge should you have?
- Which parts are basic and which are extension material?
1.2 What is MS Entra?
How does Entra fit in, and why are we starting here? We discuss:
- What is MS Entra and what is it not?
- Where can you place Entra in M365 Cloud?
- What types of identities are managed?
Entra identity
2.1 MS Entra Identity Types
An identity is more than just an object. But what kinds are there? We discuss:
- The different types of identities
- How do you position Entra in all of this?
- Internal or External?
- Members or Guests?
2.2 Creating Users (!Important!)
We can create various types of users and do so in multiple ways. In this lesson, we will discuss them all:
- Creating one individual user through Admin Center
- Creating multiple users through Admin Center
2.3 Creating users through Entra Portal
In the previous lesson, you created a user through the Admin Portal.
Now we create the user through Entra ID portal. Do you see any major differences?
We also emphasize entering additional properties such as department, company and job title. That way, we can later automate the groups and licenses.
2.4 Guest users
Until now, we have worked with our own internal users. But what do we do with external users who also need to authenticate to gain access? We discuss:
- What is a Guest?
- How do you create a guest?
2.5 Hybrid environments (+)
(Entra Connect & Cloud Sync)
Do you have a local domain controller? Multiple controllers? Want to sync multiple forests together? We discuss:
- What topologies are supported?
- What is Entra ID Connect (AD Connect)?
- What is Cloud Sync (new client!)?
- What steps to prepare a hybrid sync?
2.6 Trusts, Federations, B2B and B2C
When two (or more) organizations work together, it is useful to set up a B2B trust or federation. This way, you don’t have to invite guests, and you can decide whether the Entra ID and MFA of the external Identity Provider are sufficient or not. Who has access to what? After this session, you can also use Teams Shared Channels and collaborate in MS Loop.
We discuss:
- What is B2B?
- Configure the B2B trust.
- What is a B2C?
- What options in which Entra Plan?
2.7 Azure Active Directory Domain Services (+)
With AADDS, you have a full-fledged domain with all the associated services running in the cloud. Consider:
- Local AD copy of your Entra ID
- LDAP(/s)
- RADIUS
- GPOs and a local AD join with Entra ID.
We discuss this service conceptually. It is important to know what it is and that it exists.
2.8 Groups (!Important!)
Groups are a second type of identity, and all other services make use of them. We review:
- What types of groups exist?
- Which type of group do you create, and when?
- How do you create the groups in each portal?
- Dynamic or static groups?
This is a very, very important part. So definitely don’t skip it!
Dynamic groups only work with an Entra Premium P1 or P2 license (A3, A5).
2.9 Granting licenses
You can assign a license when you create a user, or when you create users in bulk. But when you use tools or scripts, this doesn’t work. Users synchronized by Cloud Sync or Entra ID Connect are not created this way either. Therefore, we are going to assign licenses by (dynamic) groups. This also lets you automate the assignment of licenses, which is easier still.
This only works with an Entra Premium P1 or P2 license (A3, A5).
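As an added example (not part of the course material), the Microsoft Graph PowerShell script below creates a dynamic group keyed on the department property entered in lesson 2.3 and attaches a license to that group, so every user the rule matches inherits the license; the group name, department value, SKU part number and Graph permission scopes are assumptions you adjust to your tenant.

```powershell
# Added example, not course material. Assumes the Microsoft.Graph PowerShell SDK
# and an Entra Premium P1/P2 (A3/A5) license, which dynamic groups require.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All"

# Membership rule: users whose department is "Teaching" (assumed value) and whose
# account is enabled. Disabled accounts drop out of the group and lose the license.
$rule = '(user.department -eq "Teaching") -and (user.accountEnabled -eq true)'

# Security group with dynamic membership; processing state "On" starts evaluation.
$group = New-MgGroup -DisplayName "LIC-Teaching-Staff" `
    -MailEnabled:$false -MailNickname "lic-teaching-staff" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Find the SKU by part number instead of hard-coding a GUID.
# "M365EDU_A3_FACULTY" is an assumed example; list yours with Get-MgSubscribedSku.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "M365EDU_A3_FACULTY"

# Assign the license to the group; members inherit it as the rule adds them.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Check: dynamic membership is evaluated asynchronously, so the member list and
# the license processing state fill in after a few minutes, not immediately.
Get-MgGroup -GroupId $group.Id -Property "id,displayName,licenseProcessingState" |
    Select-Object DisplayName, LicenseProcessingState
Get-MgGroupMember -GroupId $group.Id | Select-Object Id
```

If a user ends up with the same license from two groups, Entra applies it once; removing the user from both groups removes the license, so check the group’s licensing errors in the portal when members report missing services.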
2.10 Administrative Units (+)
Within an Active Directory, in addition to groups, we also have a kind of directory structure in the form of Organizational Units (OUs). These are NOTHING like Administrative Units! So don’t be led astray -_-.
We use Administrative Units to split the management of users and groups across different roles and administrators. Useful when you have multiple organizations/schools together in one tenant.
2.11 Devices
A third type of identity is devices. We will NOT manage the devices, but we will register their identity within Entra ID so we can identify them as well.
We discuss:
- The difference between Registered or Joined devices.
- How to enrol a device?
- What do we see of these devices in Entra ID?
- How to recover a BitLocker key in Entra ID?
2.12 Apps
A fourth and final type of identity is apps. We will NOT manage software on a device, but we will integrate with other SaaS platforms.
We discuss:
- What is an App registration?
- What is an Enterprise Application?
- How do we configure SSO?
- What is User provisioning?
Here we also cite Google Workspace and Apple School Manager.
Modern Authentication and MFA
3.1 Introduction to Authentication
What do we cover in this course?
- What is Authentication?
- What is multi-factor verification?
- What is conditional access?
- What is passwordless authentication?
- What is Encryption?
- What is FIDO 2 and Passphrases?
An introduction to what and why…
3.2 Modern authentication and MFA
- What is modern authentication?
- Why is working without a password better?
- What is MFA, and what forms of MFA exist?
- Which licenses provide which capabilities?
3.3 Multi-Factor Authentication (Legacy)
Organizations without M365 licenses or with a Free A1 license (without Entra Premium P1/P2) use Legacy Multi-Factor authentication. We review:
- How do you configure MFA for users?
- What are app passwords and why don’t we use them?
- How to enforce or allow MFA?
- Where do you specify secure IP segments?
3.4 Risky users and conditional access
Organizations WITH M365 licenses (with Entra Premium P1/P2) use Modern Multi-Factor authentication. We review:
- What are user Risks?
- How do you use Defender for Identity?
- How is this used to design modern authentication?
- What is conditional access?
3.5 Risky users DEMO
After the theory, here in the Entra ID Portal we look at the Risky users and the various reports on them.
3.6 Conditional Access (DEMO) (!Important!)
After the theory, here we look into Entra ID’s interface to set up conditional access.
We start by creating one rule step by step, but build up to:
- Excluded Apps
- Excluded users
- Working with IP ranges (countries/locations)
- Protecting user actions.
3.7 Self Service Password Reset
In addition to multi-factor authentication, users can also use these methods to reset a password. We review:
- How to set up SSPR
- Integrate Local Active Directory
- Setting methods
- Working with a registration campaign.
3.8 Verification methods and settings
Users can use multiple authentication methods.
We set up which methods are available to whom and review registration campaigns. This session completes the basic set-up of MFA and also addresses a common problem with registration campaigns, even when MFA is not enabled.
3.9 Temporary Access Pass (+)
If you want to work completely without a password, you no longer give users a password at login. As a result, they have no credential when they first start using their account.
You use a Temporary Access Pass to give them access for 10 minutes to set up MFA without a password.
You also use this when MFA stops working, without lowering security.
Does your organization work this way? Then you hold security in high regard!
3.10 Encryption (+)
This is a short theoretical chapter needed as preparation to understand the next lesson. You will learn:
- What is encryption?
- What is hashing?
- What is symmetric encryption?
- What is asymmetric encryption?
- How do the latter two go hand-in-hand?
This is an extension and also adds to your general knowledge.
3.11 Passphrases and FIDO 2 (++)
In the future, you want to be even better protected. You may not use this technique today but it is useful to know that it can be done. Is all of your workforce ready to face this hurdle? Then I invite you to take your security to extremely high levels with FIDO 2.
Extras
4.1 Introduction
We have come a long way.
In this series, we frame briefly:
- Terms of use
- Custom Branding
- Verified Identity (++)
- PIM Management (+)
- Global Secure Access(++)
At the time of recording, the latter three are part of Entra Premium P2, although it is not certain that this will remain so.
4.2 Terms Of Use
What are terms of use that must be accepted?
How do you upload a PDF and attach a conditional access rule to it?
Since this works with Conditional Access, at least an Entra Premium P1 (A3) license is required.
4.3 Custom branding and corporate identity
Provide recognition.
Put your logo on the login screen. Make sure people recognize the environment and trust it when they sign in. This increases visibility and personality, but also improves security.
4.4 Entra Verified Identity (++)
In the physical world, we work with decentralized authentication with badges, keys and verifications.
In the digital world, we often work centrally with a single Identity Provider.
Not every service wants to connect to this, and you may want to organize or use a decentralized, verified identity.
This is a very far-reaching deepening of a new concept in identities.
As of 14/07/2024, this is part of the additional Entra Suite add-on. Microsoft Entra Plans and Pricing | Microsoft Security
4.5 PIM Management (+)
As an administrator, you permanently have too many rights. Therefore, we are going to restrict access to certain permissions with PIM. Employee access to resources can also be controlled with request procedures.
As a result, you provide procedures and measures.
Just In Time and Just Enough Access are the key words here.
4.6 Global Secure Access (++)
Anyone can connect to your M365 environment via the Internet. You can restrict this connection to only users with the appropriate client in the OS.
You can also restrict access to Internet websites per user.
And you can use Entra to control the VPN and create cloud rules that control access to on-premises applications.
This is a conceptual extension in which we briefly look at how it works.
This has been part of the additional Entra Suite add-on since 14/07/2024. Microsoft Entra Plans and Pricing | Microsoft Security
Evaluation
EDU-Versity evaluation
Are you ready to test your knowledge? You can take a knowledge test at EDU-Versity to see if you have understood everything correctly.
The test covers:
- What objects exist in Entra?
- How to manage users, groups and devices?
- What types of Apps exist?
- Knowledge about Modern authentication and conditional access.
- Knowledge about new authentication standards (FIDO2)
- Knowledge about Branding and PIM management.
- Knowledge about Verified Identity
- Knowledge about Managing Licenses through Entra Groups.
- Be able to configure dynamic groups.