Creating and Managing Users – Managing Users and Groups

As you’ll see throughout this book, identity is the foundation of Azure AD (now Microsoft Entra ID). Without it, people wouldn’t be able to access services and features, store content, or work with their teams. Azure identity covers a broad range of objects, including cloud-only accounts, synchronized accounts, and external accounts (as well as groups, devices, and contacts).

Each of these types of objects has a purpose and one is generally more suited to a particular business case than another.

In this chapter, you’re going to look at the following topics as they relate to the MS-102 exam objectives:

  • Creating and managing users
  • Creating and managing guest users
  • Creating and managing contacts
  • Creating and managing groups
  • Managing and monitoring Microsoft 365 license allocations
  • Performing bulk user management

By the end of this chapter, you should be comfortable articulating the differences between the different kinds of objects and familiar with methods for provisioning and managing them.

Creating and Managing Users

Creating and managing users is central to administering an information system—whether that system is an application on a small network, an enterprise-scale directory, or a cloud service hosted by a SaaS provider. In any instance, identities are used by people, applications, and devices to authenticate and perform activities.

In the context of Azure AD, there are three core types of identity:

  • Cloud-based users
  • Synchronized users
  • Guest users

When planning out identity scenarios, it’s important to understand the benefits, features, drawbacks, and capabilities associated with each type of identity and authentication scheme—including ease of provisioning, integration with existing directory or security products, requirements for on-premises infrastructure, and network availability.

In this section, you’ll learn about managing each of these user types.

Creating and Managing Cloud Users

From an Azure AD perspective, cloud users are the easiest type of object to understand and manage. When you create an Azure AD or Microsoft 365 tenant, one of the first things you set up is your administrator user identity (in the form of [email protected]). This identity is stored in the Azure AD partition for your Microsoft 365 tenant. The Azure AD cloud users discussed in this context refer to the users whose primary source of identity is in Azure AD.

Exam Tip

One benefit of configuring cloud-only users is that there is no dependency on any other infrastructure or identity service. For many small organizations, cloud-only identity is the perfect solution because it requires no hardware or software investment other than the Microsoft 365 subscription. Conversely, one drawback of cloud-only users is the lack of integration with on-premises directory solutions and applications.

Exam Tip

As a best practice, Microsoft recommends maintaining at least one cloud-only account in case you lose access to any on-premises environment.

The easiest way to provision cloud users is through the Microsoft 365 admin center (https://admin.microsoft.com). To configure a user, expand Users, select Active Users, and then click Add a user. The wizard, shown in Figure 2.1, will prompt you to configure an account:

Figure 2.1 – Adding a new cloud user

You can configure the name properties for a user as well as assign them any licenses and a location through the Add a user wizard’s workflow, as shown in Figure 2.2:

Figure 2.2 – Assign product licenses page

On the Optional settings page, you can also configure additional properties such as security roles, job title and department, addresses, and phone numbers, as shown in Figure 2.3:

Figure 2.3 – Add a user profile information

You can also add users through the Azure AD portal (https://aad.portal.azure.com) or the new Entra ID portal (https://entra.microsoft.com). The Azure AD portal is arranged much differently than the Microsoft 365 admin center, due largely to the number of different types of resources and services that can be managed there. There are several differences in managing users and objects between the two interfaces; the Microsoft 365 admin center is a much more menu-driven experience, prompting administrators to configure common options and features inside the provisioning workflow.

IMPORTANT – Product Name Update

Microsoft has recently rebranded Azure Active Directory as Entra ID. The MS-102 exam was released in beta in May 2023 and is scheduled to be updated in November 2023. You may see questions that reference either Azure Active Directory or Entra ID—they are synonymous. Administration portals, product SKUs, service plans, and screenshots may reference either terminology or interface experience.

Once you’ve logged in to the Azure AD portal, select Users and then select New user. The interface, shown in Figure 2.4, offers the opportunity to populate fields similar to those in the admin center:

Figure 2.4 – Creating a user through the Azure AD portal

Most organizations that are using Azure from a cloud-only identity perspective will likely provision objects inside the Microsoft 365 admin center.
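The same provisioning steps can be scripted. The following is an added example, not taken from the book: it assumes the Microsoft Graph PowerShell SDK is installed, uses constructed names and a placeholder contoso.onmicrosoft.com domain, creates one cloud user with the properties the wizard asks for, and then lists the cloud-only member accounts so you can confirm that at least one exists.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account allowed to create users.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Generate a random initial password instead of hard-coding one.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes) + 'aA1!'

# Constructed sample values; the domain is a placeholder for a verified tenant domain.
$userParams = @{
    DisplayName       = 'Adele Example'
    GivenName         = 'Adele'
    Surname           = 'Example'
    UserPrincipalName = 'adele.example@contoso.onmicrosoft.com'
    MailNickname      = 'adele.example'
    UsageLocation     = 'US'          # must be set before a license can be assigned
    JobTitle          = 'Analyst'
    Department        = 'Finance'
    AccountEnabled    = $true
    PasswordProfile   = @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $true   # user must replace the initial password
    }
}
$newUser = New-MgUser @userParams
Write-Output "Created $($newUser.UserPrincipalName) with object ID $($newUser.Id)"
# Hand $initialPassword to the user over a separate, trusted channel.

# Cloud-only accounts have no on-premises sync flag; synchronized accounts report $true.
$properties = 'Id', 'DisplayName', 'UserPrincipalName', 'UserType', 'OnPremisesSyncEnabled'
$cloudOnly = Get-MgUser -All -Property $properties |
    Where-Object { $_.UserType -eq 'Member' -and -not $_.OnPremisesSyncEnabled }

if ($cloudOnly) {
    $cloudOnly | Select-Object DisplayName, UserPrincipalName
}
else {
    Write-Warning 'No cloud-only member accounts found in this tenant.'
}
```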
