A Beginner’s Look into Azure Active Directory (Microsoft Entra ID) and Roles with a Simple Exercise

First of all, what is Active Directory?

Active Directory is a service that was previewed by Microsoft in 1999 has been in use since windows server 2000 edition. It has been a useful service in helping organisations as a Windows domain services tool that allows you to set permissions and make groups for the users and assets in your environment. Active Directory works on premises with the domain controller.

This service is also available in the cloud, for Microsoft Azure it is known as Azure Active Directory (Azure AD) or by its new name Microsoft Entra ID. It is an identity and access management solution from Microsoft that helps organizations secure and manage identities for hybrid and multicloud environments.

Permissions and access management solutions are given based on roles in Azure are assigned using either:

• Azure Active Directory (Azure AD) Roles is an identity and access management service that enables user and device authentication and authorization across Azure and other integrated applications. Azure Active Directory roles control access to Azure Active Directory resources such as users, groups, and applications.
• Azure Roles (or Role Based Access Control-RBAC) is a widely used access control model that allows administrators to assign specific roles to Azure users, groups, or service principals.

Azure Roles is responsible for the access to Azure resources while Azure AD Roles controls access to resources in Azure AD (Microsoft Entra ID). These roles have their different purposes, scopes and types of roles you can assign. Below is a table highlighting the differences between Azure Active Directory Roles (Azure AD) and Azure Roles.

Practical Exercise

Hagital Consulting Ltd has decided to streamline its identity management process by utilizing Microsoft *Entra ID *(Azure Active Directory) to manage its cloud-based identities.

• Create the Administrative Department and add two users (Grace Peters and Ahmed Johnson) to it.
• Assign the Global Administrator Role to User A (Grace Peters)
• Show all the steps it took the Global Admin to Log in into the Azure Portal with Grace Peters new credentials.
• Let the Global Administrator (Grace Peters) create/onboard a new member (Steven Kalu) to the Admin Department

Let’s go ahead with the exercise.

Prerequisite

First thing login to your Microsoft Azure Portal by going to https://portal.azure.com.

If you do not have an azure account sign up and create an account for free with this link https://azure.microsoft.com/en-us/free/. Registration will require a phone number and a debit or credit card details to validate your account even for the free account. You have a choice between the free or pay as you go account.

Practical Begins

Step 1: Search for Microsoft Entra ID in the search bar at the top of your portal page and Select Microsoft Entra ID.

You are now in the Default Directory| Overview page.

• Click Groups under the Manage drop-down menu at the left-hand side of the portal.

• Click New group.

Step 2: The New Group menu create the Administrative Department.

• Group type: Select Security.
• Group name: Type Administrative Department
• Group description: Give a description of the group or you can leave it as is.
• Membership type: Leave as is.

• Members: Click on No members selected

• The Add members menu pops up click Users underneath the search bar.

Select the two new members of this group in this we are picking Grace **and **Ahmed Johnson the click Select at the bottom left of the windows.

• You are back to the New Group page click Create at the bottom left of the page.
• Back at the Groups| All groups page click Refresh then your newly created Administrative Department will show up under the list of groups found.

Step 2: Assigning Global Administrative role to a member of the created group. We will be giving Grace this role and appoint her as Head of the Admin.

• Click on Default Directory|Groups to get back to the Default Directory page.

• Click on Users under the Manage dropdown menu at the left-hand side of the page.

• In the Users page click Grace.

• Grace's User page is now open. Go to the menu at left hand side of the page click on Manage in its dropdown menu click on Assigned roles.

• In the Grace|Assigned roles page click on Add assignments.

• Directory roles window opens. In the search bar type Global Administrator, select it when it appears and click Add at the bottom of the window.

• Click on Refresh once back in Grace|Assigned **roles page, the role will now appear in the list of **Administrative roles she has been given.

Sign into Grace’s Azure Portal

Step1: Open another browser or your current browser in incognito or Inprivate mode depending on the browser you are using.

• Login to Azure using Grace’s credentials.
• Go and copy Grace User Principal name (UPN) to login to Azure.

• Paste it in the Sign in.

• Enter the password you gave to the account or the copied out autogenerated password and click Sign In.

• Grace will be prompted to Update your password at your first sign in. Change password and click Sign in.

• An Action Required prompt will show on screen, for this exercise we will be clicking Ask Later.
• Stay signed in? prompt comes click Yes.

You are now logged Grace’s User Account.

Create/Onboard a new member into the Administrative Department with Grace who we have giving the role of Global Administrator.

Step 2: Click Microsoft Entra ID to go into the Default Directory|Overview Page

• Click on Add
• In the menu that hover your mouse over User then click on Create new user

Step 3: In the Create new user page we start with the Basic tab.

• User principal name: Enter the user’s name
• Mail nickname: Leave the check box ticked beside the Derive from user principal name
• Display name: Enter a name
• Password: You can leave the Auto-generate password ticked but copy the password somewhere you can easily find it or uncheck the box and type in the password yourself.

• Click Next: Properties at the bottom of the portal to move to the next tab.

Step 3: We move to the next tab Properties.

• We start with Identity.
• First name: Enter Steven
• Last name: Enter Kalu

• User type: Leave it as Member.

• Job Information: We will fill in a few other details

1.** Job title:** Admin Officer

1. Company name: Higital Consulting Ltd
2. Department: Administrative

• Leave everything else as they were and click Next: Assignments at the bottom of the page.

Step 4: In the Assignments tab. We be adding Steven Kalu to the Administrative Department.

• Click Add group

• In the new window Select group look for and click the check box for Administrative Department we created.

• Once done click Select at the bottom of the page.
• Click Next: Review + create
• Click Create

You have successfully created a user with Graces Peter’s Portal. You can view the account, Steven Kalu, you just created by going to Default Directory| Overview and click Users under manage. You will be able to see it in both your account you start this exercise with and in Grace Peters’ account.

In summary, Azure Active Directory (Azure AD) Roles and Azure Roles are important parts of access management in Azure’s ecosystem. As we can see from the simple exercise above it can help an organisation securely and efficiently manage its users/staff and give access and privileges which can be similar to their roles in their organisation.