Azure Active Directory: Complete Identity Management Guide
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. This comprehensive guide helps organizations implement secure identity management, enable single sign-on (SSO), and protect their resources.
Understanding Azure AD
Azure AD is more than just cloud-based Active Directory—it's a complete identity platform that enables:
- Single Sign-On (SSO): One identity for thousands of apps
- Multi-Factor Authentication: Enhanced security for all users
- Conditional Access: Context-aware security policies
- B2B Collaboration: Secure partner access
- Application Management: Centralized app access control
Getting Started with Azure AD
Initial Setup
- Create Azure AD Tenant

```bash
# Using Azure CLI
az login
az ad signed-in-user show
# Create a new Azure AD tenant (requires appropriate permissions)
# This is typically done through the Azure Portal; the CLI has no tenant-creation command
```

- Configure Custom Domain

```powershell
# Add custom domain. Azure CLI has no "az ad domain" command group, so this uses
# the Microsoft Graph PowerShell SDK (requires the Domain.ReadWrite.All scope)
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
New-MgDomain -BodyParameter @{ Id = "contoso.com" }
# Verify domain with DNS TXT record
# List the records to add at the DNS provider, e.g. a TXT record: MS=ms12345678
Get-MgDomainVerificationDnsRecord -DomainId "contoso.com" | Format-List
# Once the TXT record has propagated, prove ownership
Confirm-MgDomain -DomainId "contoso.com"
```
User Management
Creating Users
```bash
# Create a single user (the flag is --force-change-password-next-sign-in, not ...-next-login)
az ad user create \
  --display-name "John Doe" \
  --user-principal-name "john.doe@contoso.com" \
  --password "TempPassword123!" \
  --force-change-password-next-sign-in true
```

```powershell
# Bulk user creation with CSV (AzureAD module; CSV columns: DisplayName, UPN)
$users = Import-Csv "users.csv"
foreach ($user in $users) {
    # New-AzureADUser expects a PasswordProfile object, and MailNickName is mandatory
    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $passwordProfile.Password = "TempPassword123!"
    $passwordProfile.ForceChangePasswordNextLogin = $true
    New-AzureADUser `
        -DisplayName $user.DisplayName `
        -UserPrincipalName $user.UPN `
        -MailNickName ($user.UPN.Split("@")[0]) `
        -PasswordProfile $passwordProfile `
        -AccountEnabled $true
}
```
User Attributes and Profile
```powershell
# Update user attributes (-ObjectId accepts either the object ID or the UPN)
Set-AzureADUser `
    -ObjectId "john.doe@contoso.com" `
    -Department "IT" `
    -JobTitle "System Administrator" `
    -Mobile "+1-555-1234" `
    -City "Louisville" `
    -State "KY"
```
Group Management
Types of Groups
- Security Groups: For access control
- Microsoft 365 Groups: For collaboration
- Dynamic Groups: Membership based on attributes
Creating Dynamic Groups
```powershell
# Dynamic group for all users in IT department (AzureAD module)
$dynamicGroup = @{
    DisplayName                   = "All IT Staff"
    MailNickname                  = "AllITStaff"   # required even for mail-disabled groups
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = '(user.department -eq "IT")'
    MembershipRuleProcessingState = "On"
}
New-AzureADMSGroup @dynamicGroup
```
Advanced Dynamic Rules
```powershell
# Complex dynamic group rules
# All managers in Sales or Marketing
$managerRule = '(user.jobTitle -contains "Manager") -and ((user.department -eq "Sales") -or (user.department -eq "Marketing"))'
# Users with a specific service plan enabled
$licensedUsersRule = '(user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled"))'
```
Application Integration
Enterprise Applications
SAML SSO Configuration
```xml
<!-- SAML Configuration Example: service provider (SP) metadata to upload to Azure AD -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://app.contoso.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService
        index="0"
        isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.contoso.com/saml/consume"/>
  </SPSSODescriptor>
</EntityDescriptor>
```
Application Registration
```powershell
# Register new application
$app = New-AzureADApplication `
    -DisplayName "Contoso HR App" `
    -Homepage "https://hr.contoso.com" `
    -ReplyUrls @("https://hr.contoso.com/auth/callback")
# Create service principal
$sp = New-AzureADServicePrincipal -AppId $app.AppId
# Assign users to application (the empty GUID selects the default app role)
$user = Get-AzureADUser -ObjectId "john.doe@contoso.com"
New-AzureADUserAppRoleAssignment `
    -ObjectId $user.ObjectId `
    -PrincipalId $user.ObjectId `
    -ResourceId $sp.ObjectId `
    -Id ([Guid]::Empty)
```
Conditional Access Policies
Common Scenarios
1. Require MFA for Admins
```json
{
  "displayName": "Require MFA for Admin Roles",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeRoles": [
        "62e90394-69f5-4237-9190-012177145e10",
        "194ae4cb-b126-40b2-bd5b-6091b380977d"
      ]
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```
2. Block Legacy Authentication
```powershell
# Create policy to block legacy auth (AzureADPreview module)
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
# A users condition is mandatory; scope the policy to everyone
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = @("All")
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = @("All")
# Legacy protocols show up as these two client app types
$conditions.ClientAppTypes = @("ExchangeActiveSync", "Other")
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls.Operator = "OR"
$controls.BuiltInControls = @("Block")
New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Block Legacy Authentication" `
    -State "Enabled" `
    -Conditions $conditions `
    -GrantControls $controls
```
3. Location-Based Access
```json
{
  "displayName": "Block Access Outside Corporate Network",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    },
    "applications": {
      "includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```
Multi-Factor Authentication
Enabling MFA
```powershell
# Enable per-user MFA for specific users (legacy MSOnline module; requires Connect-MsolService).
# Conditional Access policies, as above, are the preferred way to require MFA at scale.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
Set-MsolUser -UserPrincipalName "john.doe@contoso.com" `
    -StrongAuthenticationRequirements $mfa
```
MFA Methods Configuration
```powershell
# Configure authentication methods (Microsoft Graph PowerShell, scope Policy.ReadWrite.AuthenticationMethod)
# Keys are the authentication method configuration IDs in the tenant policy
$methods = @{
    "MicrosoftAuthenticator" = $true
    "Sms"                    = $true
    "Voice"                  = $false
    "Email"                  = $true
    "TemporaryAccessPass"    = $true
    "Fido2"                  = $true
}
# Apply to authentication methods policy, one method configuration at a time;
# Graph needs the concrete @odata.type of each configuration on update
foreach ($method in $methods.GetEnumerator()) {
    $typePrefix = $method.Key.Substring(0, 1).ToLower() + $method.Key.Substring(1)
    $body = @{
        "@odata.type" = "#microsoft.graph.${typePrefix}AuthenticationMethodConfiguration"
        state         = $(if ($method.Value) { "enabled" } else { "disabled" })
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $method.Key -BodyParameter $body
}
```
Identity Protection
Risk Policies
User Risk Policy
```json
{
  "displayName": "High User Risk Policy",
  "isEnabled": true,
  "userRiskLevels": ["high"],
  "includeUsers": ["All"],
  "excludeUsers": ["emergencyAccess@contoso.com"],
  "actions": {
    "mfa": true,
    "passwordChange": true
  }
}
```
Sign-In Risk Policy
```powershell
# Configure sign-in risk policy. There is no dedicated cmdlet for this; Identity Protection
# risk levels are a condition of a Conditional Access policy (AzureADPreview module)
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = @("All")
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = @("All")
$conditions.SignInRiskLevels = @("medium", "high")
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls.Operator = "OR"
$controls.BuiltInControls = @("mfa")
New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Medium and High Sign-In Risk" `
    -State "Enabled" `
    -Conditions $conditions `
    -GrantControls $controls
```
Privileged Identity Management (PIM)
Configure PIM Roles
```powershell
# Enable PIM for Global Administrator role (AzureADPreview module; -ResourceId is the tenant ID)
$tenantId = (Get-AzureADTenantDetail).ObjectId
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId `
    -Filter "DisplayName eq 'Global Administrator'"
# Configure role settings
$setting = Get-AzureADMSPrivilegedRoleSetting -ProviderId "aadRoles" `
    -Filter "ResourceId eq '$tenantId' and RoleDefinitionId eq '$($role.Id)'"
# Each setting is a rule object whose value is a JSON string
$expiration = New-Object -TypeName Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
$expiration.RuleIdentifier = "ExpirationRule"
$expiration.Setting = '{"maximumGrantPeriodInMinutes":480}' # 8 hours
$mfaRule = New-Object -TypeName Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
$mfaRule.RuleIdentifier = "MfaRule"
$mfaRule.Setting = '{"mfaRequired":true}'
$justification = New-Object -TypeName Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
$justification.RuleIdentifier = "JustificationRule"
$justification.Setting = '{"required":true}'
Set-AzureADMSPrivilegedRoleSetting -ProviderId "aadRoles" -Id $setting.Id `
    -ResourceId $tenantId -RoleDefinitionId $role.Id `
    -UserMemberSettings @($expiration, $mfaRule, $justification)
```
Eligible Assignments
```powershell
# Make user eligible for role (the cmdlet is New-AzureADMSPrivilegedRoleAssignmentRequest)
$schedule = New-Object -TypeName Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = (Get-Date).AddMonths(6).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$assignment = @{
    ProviderId       = "aadRoles"
    ResourceId       = $tenantId
    RoleDefinitionId = $role.Id
    SubjectId        = $user.ObjectId
    Type             = "AdminAdd"
    AssignmentState  = "Eligible"
    Schedule         = $schedule
}
New-AzureADMSPrivilegedRoleAssignmentRequest @assignment
```
B2B Collaboration
Guest User Management
```powershell
# Invite external user
$invitation = New-AzureADMSInvitation `
    -InvitedUserEmailAddress "partner@external.com" `
    -InvitedUserDisplayName "External Partner" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage $true `
    -InvitedUserType "Guest"
# Configure guest access settings. These are tenant-wide and live on the authorization
# policy (Microsoft Graph PowerShell, scope Policy.ReadWrite.Authorization):
#   GuestUserRoleId 10dae51f-b6af-4016-8d66-8c2a99b929b3 = restricted guest access
#   GuestUserRoleId 2af84b1e-32c8-42b7-82bc-daa82404023b = limited access (the default)
#   AllowInvitesFrom "adminsAndGuestInviters" = guests cannot invite other guests
Update-MgPolicyAuthorizationPolicy `
    -GuestUserRoleId "10dae51f-b6af-4016-8d66-8c2a99b929b3" `
    -AllowInvitesFrom "adminsAndGuestInviters"
```
Security Best Practices
1. Password Policies
```powershell
# Configure password expiration policy (MSOnline module; requires Connect-MsolService)
$passwordPolicy = @{
    DomainName       = "contoso.com"
    ValidityPeriod   = 90   # days until a password expires
    NotificationDays = 14   # days of warning before expiry
}
Set-MsolPasswordPolicy @passwordPolicy
# Minimum length, complexity and reuse rules for cloud-only accounts are fixed by
# Azure AD and not configurable; a custom banned-password list is the tenant-level lever
# Implement custom banned passwords (Azure AD Password Protection directory setting)
$bannedPasswords = @(
    "Company2024!",
    "Louisville123",
    "Password123"
)
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Password Rule Settings" }
$setting = $template.CreateDirectorySetting()
$setting["EnableBannedPasswordCheck"] = "True"
$setting["BannedPasswordList"] = ($bannedPasswords -join "`t")   # tab-delimited list
New-AzureADDirectorySetting -DirectorySetting $setting   # use Set-AzureADDirectorySetting if one already exists
```
2. Emergency Access Accounts
```powershell
# Create break-glass account (cloud-only; password set interactively and stored offline)
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = Read-Host -Prompt "Long random password for the emergency account"
$passwordProfile.ForceChangePasswordNextLogin = $false
$breakGlass = @{
    DisplayName       = "Emergency Admin"
    UserPrincipalName = "emergency.admin@contoso.com"
    MailNickName      = "emergency.admin"
    PasswordProfile   = $passwordProfile
    PasswordPolicies  = "DisablePasswordExpiration"   # New-AzureADUser has no PasswordNeverExpires parameter
    AccountEnabled    = $true
}
$emergencyUser = New-AzureADUser @breakGlass
# Exclude from all conditional access (skip policies that already exclude the account)
$policies = Get-AzureADMSConditionalAccessPolicy
foreach ($policy in $policies) {
    $excluded = @($policy.Conditions.Users.ExcludeUsers | Where-Object { $_ })
    if ($excluded -notcontains $emergencyUser.ObjectId) {
        $policy.Conditions.Users.ExcludeUsers = $excluded + $emergencyUser.ObjectId
        Set-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id -Conditions $policy.Conditions
    }
}
```
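The two sections above create policies and then patch the emergency account into every one of them; the check that a practitioner actually wants to run afterwards is the reverse: does each enforced policy exclude the break-glass account, and is legacy authentication really blocked by an enforced policy? The following audit script is an added example, not part of the original guide, and assumes an AzureADPreview session (`Connect-AzureAD`) and the emergency UPN used above; the policy state and client-app-type strings are the Microsoft Graph values that the cmdlet returns.

```powershell
# Added example: audit Conditional Access posture against the emergency-access and
# legacy-auth guidance in this guide. Assumes Connect-AzureAD (AzureADPreview module).
function Test-ConditionalAccessPosture {
    param([string]$BreakGlassObjectId)

    $policies = Get-AzureADMSConditionalAccessPolicy
    $findings = @()
    foreach ($policy in $policies) {
        $enforced    = $policy.State -eq "enabled"
        $clientApps  = @($policy.Conditions.ClientAppTypes)
        $blocks      = @($policy.GrantControls.BuiltInControls) -contains "block"
        # Graph reports legacy protocols as the exchangeActiveSync and other client types
        $hitsLegacy  = ($clientApps -contains "exchangeActiveSync") -or ($clientApps -contains "other")

        $findings += [pscustomobject]@{
            Policy             = $policy.DisplayName
            State              = $policy.State
            ExcludesBreakGlass = @($policy.Conditions.Users.ExcludeUsers) -contains $BreakGlassObjectId
            BlocksLegacyAuth   = $enforced -and $blocks -and $hitsLegacy
        }
    }

    # Enforced policies without the exclusion can lock the emergency account out
    $lockoutRisk = $findings | Where-Object { $_.State -eq "enabled" -and -not $_.ExcludesBreakGlass }
    $reportOnly  = $findings | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" }

    [pscustomobject]@{
        Findings            = $findings
        LockoutRiskPolicies = @($lockoutRisk | Select-Object -ExpandProperty Policy)
        ReportOnlyPolicies  = @($reportOnly | Select-Object -ExpandProperty Policy)
        LegacyAuthBlocked   = @($findings | Where-Object BlocksLegacyAuth).Count -gt 0
    }
}

# The emergency UPN is the one created in the section above (assumed to exist)
$breakGlass = Get-AzureADUser -ObjectId "emergency.admin@contoso.com"
$report = Test-ConditionalAccessPosture -BreakGlassObjectId $breakGlass.ObjectId
$report.Findings | Format-Table -AutoSize
if (-not $report.LegacyAuthBlocked) {
    Write-Warning "No enforced policy blocks legacy authentication"
}
foreach ($name in $report.LockoutRiskPolicies) {
    Write-Warning "Policy '$name' does not exclude the emergency access account"
}
foreach ($name in $report.ReportOnlyPolicies) {
    Write-Warning "Policy '$name' is report-only and enforces nothing yet"
}
```

Run it after every policy change; a report-only legacy-auth policy is a common reason the "blocked" scenario is never actually enforced.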
Monitoring and Reporting
Sign-In Logs Analysis
```powershell
# Get failed sign-ins (AzureADPreview module)
$failedSignIns = Get-AzureADAuditSignInLogs `
    -Filter "status/errorCode ne 0" `
    -Top 100
# Analyze by failure reason
$failureReasons = $failedSignIns |
    Group-Object -Property { $_.Status.FailureReason } |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```
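Counting failure reasons is a start; two questions the same log answers are more useful in practice: which users and client apps would the "Block Legacy Authentication" policy from the Conditional Access section actually cut off, and is any single source address failing against many different accounts (the shape of a password spray). The script below is an added example, not from the original guide; it assumes an AzureADPreview session, the roughly 30-day retention of `Get-AzureADAuditSignInLogs`, and a 10-distinct-user threshold chosen as a starting point.

```powershell
# Added example: two checks over the sign-in logs (AzureADPreview, after Connect-AzureAD).
# Window and threshold are assumed starting points, not Microsoft defaults.
function Get-LegacyAuthUsage {
    # Sign-ins the "Block Legacy Authentication" policy would stop: anything not coming
    # from a browser or a modern-auth desktop/mobile client (the two ClientAppUsed values
    # Azure AD reports for modern authentication)
    $since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    $modernClients = @("Browser", "Mobile Apps and Desktop clients")
    Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $since" -All $true |
        Where-Object { $_.ClientAppUsed -notin $modernClients } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].UserPrincipalName
                ClientApp = $_.Group[0].ClientAppUsed
                SignIns   = $_.Count
                LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        } | Sort-Object SignIns -Descending
}

function Find-PasswordSprayCandidates {
    # One source IP failing against many distinct accounts; error 50126 is
    # "invalid username or password"
    param([int]$MinDistinctUsers = 10)
    $since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $since and status/errorCode eq 50126" -All $true |
        Group-Object IpAddress |
        ForEach-Object {
            $users = @($_.Group | Select-Object -ExpandProperty UserPrincipalName -Unique)
            [pscustomobject]@{
                IpAddress     = $_.Name
                Failures      = $_.Count
                DistinctUsers = $users.Count
                SampleUsers   = ($users | Select-Object -First 3) -join ", "
            }
        } |
        Where-Object { $_.DistinctUsers -ge $MinDistinctUsers } |
        Sort-Object DistinctUsers -Descending
}

Get-LegacyAuthUsage | Format-Table -AutoSize
Find-PasswordSprayCandidates | Format-Table -AutoSize
```

Run the legacy-auth report before switching the block policy from report-only to enabled, and feed the spray candidates into the sign-in risk policy review rather than acting on raw counts alone.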
Usage Analytics
```powershell
# Application usage report: per-app success and failure counts for the last 30 days
$appUsage = Get-AzureADApplicationSignInSummary -Days 30
# The summary has no per-user data, so unique users come from the sign-in logs themselves
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$recentSignIns = Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $since" -All $true
# Create usage dashboard
$dashboard = @{
    TotalSignIns    = ($appUsage | Measure-Object -Property SuccessfulSignInCount -Sum).Sum
    UniqueUsers     = @($recentSignIns | Select-Object -ExpandProperty UserId -Unique).Count
    TopApplications = $appUsage | Sort-Object SuccessfulSignInCount -Descending |
        Select-Object -First 10 AppDisplayName, SuccessfulSignInCount, FailedSignInCount
}
```
Automation Scripts
Automated User Lifecycle
```powershell
# Onboarding script (AzureAD module). Send-WelcomeEmail is assumed to be defined elsewhere.
function New-EmployeeAccount {
    param(
        [string]$FirstName,
        [string]$LastName,
        [string]$Department,
        [string]$Manager
    )
    $mailNick = "$FirstName.$LastName".ToLower()
    $upn = "$mailNick@contoso.com"
    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $passwordProfile.Password = "Welcome2024!"
    $passwordProfile.ForceChangePasswordNextLogin = $true
    # Create user (UsageLocation must be set before a license can be assigned)
    $user = New-AzureADUser `
        -DisplayName "$FirstName $LastName" `
        -UserPrincipalName $upn `
        -MailNickName $mailNick `
        -GivenName $FirstName `
        -Surname $LastName `
        -Department $Department `
        -UsageLocation "US" `
        -AccountEnabled $true `
        -PasswordProfile $passwordProfile
    # Add to department group
    $group = Get-AzureADGroup -Filter "DisplayName eq '$Department'"
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    # Assign licenses
    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900" # Office 365 E3
    $licensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licensesToAssign.AddLicenses = $license
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licensesToAssign
    # Send welcome email
    Send-WelcomeEmail -UserEmail $upn -Manager $Manager
    return $user
}
```
Cost Optimization
License Management
```powershell
# Find unused licenses. Sign-in logs cover roughly the last 30 days, so "inactive"
# here means no sign-in in that window (AzureADPreview module)
$allUsers = Get-AzureADUser -All $true
$inactiveUsers = @()
foreach ($user in $allUsers) {
    $signIns = Get-AzureADAuditSignInLogs -Filter "userId eq '$($user.ObjectId)'" -Top 1
    if (@($signIns).Count -eq 0) {
        $licenses = Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId
        if (@($licenses).Count -gt 0) {
            # Objects rather than hashtables so Export-Csv produces one column per field
            $inactiveUsers += [pscustomobject]@{
                User     = $user.DisplayName
                UPN      = $user.UserPrincipalName
                Licenses = ($licenses.SkuPartNumber -join ", ")
            }
        }
    }
}
# Export report
$inactiveUsers | Export-Csv "InactiveLicensedUsers.csv" -NoTypeInformation
```
Conclusion
Azure Active Directory provides a comprehensive identity platform for modern organizations. Success requires careful planning, continuous monitoring, and regular security reviews.
Next Steps
- Implement Zero Trust security model
- Explore Azure AD B2C for customer identity
- Set up Identity Governance workflows
- Integrate with Microsoft Defender for Identity
Remember: Identity is the new security perimeter. Protect it accordingly.