Hey, welcome back to Azure Administrator Associate Examination course. My name is Sushant Suteesh. In this lesson, we're going to learn about Azure Active Directory.
Let's have a look at the topics we are going to cover in this lesson. We're going to start with a high-level overview of Azure Active Directory and then go through Azure AD concepts. It's very important for us to know the main differences between AD DS and Azure Active Directory. Then we will go over the different editions of Azure Active Directory that are available.
We'll look at how you can utilize Azure Active Directory Join in terms of hybrid identity and other services, and at a few other features including self-service password reset. We'll touch on multi-factor authentication and how to configure MFA. Without wasting any more time, let's get into it.
Azure Active Directory, or Azure AD, is Microsoft's multi-tenant, cloud-based directory and identity management service. For IT admins, Azure AD provides an affordable, easy-to-use solution to give employees and business partners single sign-on access, and this single sign-on access can be enabled for thousands of cloud applications like Office 365, Salesforce, Dropbox, Concur, etc. For application developers, Azure AD lets you focus on building your application by making it fast and simple to integrate with a world-class identity management solution used by millions of organizations around the world.
Before I explain the benefits and features of Azure AD, let me quickly show you where you can find Azure Active Directory in the Azure portal. I have logged into my Azure portal by going to portal.azure.com. You can see that I used a user called Rick Sanchez to sign into the Azure portal.
On the left-hand side, you will be able to find Azure Active Directory. If you don't see it there, you can go to the global search box, type in Azure Active Directory, and select it to go inside Azure Active Directory. On the left-hand side, you can find all the settings and options available for Azure AD, including single sign-on, company branding, device management, user management, group-based management, etc.
So let me quickly explain some of the benefits and features of Azure AD. One of the cool benefits of Azure Active Directory is the single sign-on ability to log into any cloud or on-premises web application. Azure Active Directory provides secure single sign-on to cloud and on-premises applications, including Microsoft Office 365 and thousands of SaaS applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box. Azure Active Directory works with iOS, Mac OS, Android, and Windows devices, so users can launch applications from a personalized web-based application panel, a mobile app, Office 365, or a custom company portal using their existing work credentials, and have the same experience whether they are working on iOS, Mac OS, Android, or Windows devices.
You can use Azure Active Directory to protect on-premises web applications with secure remote access as well. You can access your on-premises web applications from anywhere and protect them with multi-factor authentication, conditional access policies, or group-based access control. Users can access SaaS and on-premises web apps from the same portal. Another cool thing about Azure AD is the ability to extend your Active Directory to the cloud.
You can connect your on-premises Active Directory and other on-premises directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups, passwords, and devices across these environments. Another great feature that comes with Azure AD is protection: you can protect your sensitive data and applications. You can enhance application access security with unique identity protection capabilities that provide a consolidated view into suspicious sign-in activity and potential vulnerabilities. If you are an Office 365, Azure, or Dynamics 365 online customer, you might not realize that you are already using Azure AD.
Every Office 365, Azure, and Dynamics 365 CRM tenant is already an Azure AD tenant. So whenever you want to start using the tenant to manage access to thousands of other cloud applications, just log into portal.azure.com and you will be able to access your tenant's Azure Active Directory from there. Let's have a look at some of the Azure AD concepts. An identity is a thing that can get authenticated.
An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.
So what are accounts? An account is an identity that has data associated with it. You cannot have an account without an identity.
Let's have a look at the Azure AD account. An identity created through Azure AD or another Microsoft cloud service such as Office 365 is called an Azure AD account. These identities are stored in Azure AD and are accessible to your organization's cloud service subscriptions.
This account is also sometimes called a work or school account. So what do we mean by an Azure tenant? An Azure tenant is a dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization. So what is an Azure AD directory? Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps, and is used to perform identity and access management functions for the tenant's resources.
And finally, what is an Azure subscription? An Azure subscription is used to pay for your Azure cloud services. You can have many subscriptions, each linked to your credit card or to your organization's accounts. So let's look at how Azure Active Directory differs from Active Directory Domain Services.
It is important for us to realize that using Azure AD is quite different from deploying an Active Directory Domain Controller on an Azure virtual machine and adding it to your on-premises domain. So let me make clear some of the characteristics that make Azure AD different from AD DS. The first one is identity solution.
Azure AD is primarily an identity solution, and it is designed for Internet-based applications that use HTTP and HTTPS communications. Because Azure AD is used for HTTP and HTTPS based communication, it cannot be queried through LDAP. Instead, Azure AD uses REST APIs over HTTP and HTTPS.
Because Azure AD is HTTP and HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication. Azure AD includes federation services and supports federation with many third-party identity providers such as Facebook, LinkedIn, Twitter, and Google. Azure AD users and groups are created in a flat structure, and there are no organizational units or group policy objects (GPOs) in Azure AD. Azure AD is a managed service: you manage the users, groups, and policies using Azure AD. When you deploy AD DS on a virtual machine in Azure, it means that you are going to manage the deployment, configuration, virtual machines, patching, and all other backend tasks.
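Since Azure AD hands an application an OpenID Connect token over HTTPS rather than a Kerberos ticket, the application's job is to check that token before trusting the identity inside it. The following is an added example of that check, not code from the lesson or from Microsoft: it verifies the signature, the issuer (which carries the tenant), the audience (the application's own client id) and the validity window. Real Azure AD tokens are RS256-signed with keys published at the tenant's JWKS endpoint; to run offline, this example signs a constructed token with HS256 and a constructed shared secret, and the tenant id, client id and user name are placeholders.

```python
"""Validate the claims of an OpenID Connect ID token (added example, offline)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: not a real tenant, application or secret.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SHARED_SECRET = b"constructed-demo-secret"
# Azure AD v2.0 issuer format; the tenant id inside is the placeholder above.
EXPECTED_ISSUER = "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SHARED_SECRET):
    """Build an HS256-signed JWT from the claims (stand-in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_id_token(token, now=None, secret=SHARED_SECRET):
    """Verify signature, issuer, audience, tenant and time window; return the claims.

    Raises ValueError naming the first check that fails, so callers fail closed.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different application")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token comes from a different tenant")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    return claims


def token_is_valid(token, now=None, secret=SHARED_SECRET):
    """Boolean wrapper around validate_id_token for callers that only need a verdict."""
    try:
        validate_id_token(token, now, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    issued = 1700000000  # constructed issue time
    good = mint_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID,
                       "nbf": issued, "exp": issued + 3600,
                       "preferred_username": "rick@contoso.example"})
    print(validate_id_token(good, now=issued + 60)["preferred_username"])
    print(token_is_valid(good, now=issued + 7200))  # expired, so False
```

The order of the checks matters: the signature is verified before any claim is read, and the algorithm is pinned by the application rather than taken from the token header, so a token that names a different algorithm is rejected outright.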
Now that we have learned the main differences between AD DS and Azure AD, let's have a quick look at the different editions of Azure Active Directory that are available. Azure Active Directory comes in four different editions: Free, Office 365 apps, Premium P1, and Premium P2.
The Free edition is included with an Azure subscription. The Premium editions are available through a Microsoft Enterprise Agreement, Volume Licensing, and the Cloud Solution Providers (CSP) program. Azure and Office 365 subscribers can also buy Azure Active Directory P1 and P2 online.
So what comes with the Azure Active Directory Free edition? Azure AD Free provides user and group management. It also gives you on-premises directory synchronization, basic reports, and single sign-on across Azure, Office 365, and many popular SaaS applications.
Azure Active Directory Office 365 apps: this edition is included with Office 365. In addition to the Free features, it provides identity and access management for your Office 365 apps, including branding, MFA, group access management, and self-service password reset for cloud users. Let's look at Azure AD P1, or Premium P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users. And last but not least, Azure Active Directory P2. In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection, to help provide risk-based conditional access to your applications and critical company data, and Privileged Identity Management, to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
Azure Active Directory or Azure AD enables single sign-on to devices, apps, and services from anywhere. The proliferation of devices, including bring your own device, empowers end users to be productive wherever and whenever. But IT administrators must ensure corporate assets are protected and that devices meet standards for security and compliance.
Azure AD Join is designed to provide access to organizational apps and resources and to simplify Windows deployments of work-owned devices. Azure AD Join has many benefits. Let me take you through a few of those.
The first benefit is single sign-on. Your users will not have additional authentication prompts when accessing work resources. The single sign-on functionality is available even when users are not connected to the domain network.
The next one is enterprise-compliant roaming of user settings across joined devices. Users don't need to connect to a Microsoft account, for example Hotmail or Outlook, to see their settings across devices. The third benefit is access to the Microsoft Store for Business.
Using an Azure Active Directory account, your users can choose from an inventory of applications pre-selected by the organization. Another benefit is Windows Hello support for secure and convenient access to work resources.
Another benefit is restricting access to apps to only those devices that meet compliance policy. And there is seamless access to your on-premises resources when the device has line of sight to the on-premises domain controller. Another key concept we need to understand is the connection options.
To get a device under the control of Azure AD, you have primarily two options: registering and joining. So let me explain what the main difference between registering a device and joining a device means for you. Registering a device to Azure AD enables you to manage the device's identity.
When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use the identity to enable or disable the device. Joining a device is an extension of registering a device. This means that it provides you with all the benefits of registering a device.
In addition, it also changes the local state of the device. Changing the local state enables your users to sign in to the device using an organizational work or school account instead of a personal account. Registration combined with a mobile device management (MDM) solution such as Microsoft Intune provides additional device attributes to Azure AD. This allows you to create conditional access rules that enforce that access from devices meets your standards for security and compliance.
Although Azure AD Join is intended for organizations that do not have an on-premises Windows Server Active Directory infrastructure, it can be used for other scenarios such as branch offices. Let's learn about Azure Multi-Factor Authentication. Azure Multi-Factor Authentication, or MFA, helps safeguard access to data and applications while maintaining simplicity for users.
It provides additional security by requiring a second form of authentication and delivers strong authentication through a range of easy-to-use authentication methods. For organizations that need to comply with industry standards such as PCI DSS, MFA is a must-have capability to authenticate users. Beyond being compliant with industry standards, enforcing MFA to authenticate users can help organizations mitigate credential theft attacks.
The security of MFA two-step verification lies in a layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without possession of the additional authentication methods. These authentication factors are something you know, typically a password; something you have, a trusted device that is not easily duplicated, like a phone; and something you are, which is biometrics.
There are many benefits to multi-factor authentication. Some of them are: more security with less complexity, mitigating threats with real-time monitoring and alerts, use with Office 365, Salesforce, and more, and protection for Azure administrator accounts. You can access multi-factor authentication by going into the Azure AD portal and clicking the hyperlink to come to this particular page. This is where you can see all the users who are part of your Azure AD.
You can filter these users by whether you have enabled MFA or enforced MFA for them, and by categories such as sign-in allowed users, billing administrators, global admins, etc. On the right-hand side, you can see the details of which ones are enabled or disabled. You can click a user to go to quick steps.
Quick steps allow you to disable an already enabled account, and you can click on Manage User Settings. Here you can enforce these settings for your users. The first one lets you require the users to provide their contact methods again.
You can delete all existing app passwords generated for the selected user, and you can restore multi-factor authentication on all remembered devices. You can go to the service settings page from here. This lets you control additional features of your MFA.
These include whether you want to enable app passwords. If you would like to allow-list certain IP ranges, you can provide all the trusted IPs here, so users coming from those IPs will not be prompted for two-factor authentication if you turn this on. There are verification options as well.
There are four methods available, so you can choose any one of these, or you can choose multiple as well. The first option is Call to Phone. This option places an automated voice call.
The user answers the call and presses the hash key to authenticate. Then we have Text Message to Phone. This sends a text message that contains a verification code to the user.
We have Notification through mobile app. This sends a push notification to your phone or registered device. And finally, we have Verification code from mobile app or hardware token. With this method the Microsoft Authenticator app generates a new OATH verification code every 30 seconds. Once you make these changes, you can hit Save.
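The "verification code from mobile app or hardware token" method is time-based one-time passcodes (TOTP, RFC 6238): the authenticator and the verifier share a secret, and both compute an HMAC over the current 30-second time step, truncated to six digits. The following is an added example of both sides, not the Authenticator app's own code; the secret is the test-vector secret from RFC 6238 and is a constructed value, and the verifier tolerates one step of clock skew either side.

```python
"""Time-based one-time passcodes (TOTP, RFC 6238), added example."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the 30-second rotation the lesson mentions
DIGITS = 6

# Constructed: the shared secret from the RFC 6238 / RFC 4226 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None):
    """Authenticator side: the code for the 30-second step containing Unix time `at`."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret, code, at=None, window=1):
    """Verifier side: accept the current step plus `window` steps either side to
    tolerate clock skew; each comparison is constant-time so timing leaks no digits."""
    at = int(time.time()) if at is None else at
    if not (len(code) == DIGITS and code.isdigit()):
        return False
    step = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


def secret_from_base32(text):
    """Authenticator apps and hardware tokens are usually seeded with a base32 secret."""
    return base64.b32decode(text.replace(" ", "").upper())


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at=59))               # RFC 6238 vector, six digits
    print(verify_totp(RFC_TEST_SECRET, "287082", at=75))
```

A code is only as strong as the secret it is derived from and the window the verifier accepts, which is why a verifier keeps the skew window small and why a code that has already been accepted should not be accepted a second time within the same step.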
There is also the option to remember multi-factor authentication on trusted devices. Depending on the number of days you've given, MFA will not re-prompt users who have already signed in with MFA on that device for that period. All right, so the last topic in this lesson is self-service password reset.
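The service settings just described (per-user MFA state, trusted IP ranges, and remembering MFA for a number of days on a device) and the "restore multi-factor authentication on all remembered devices" quick step together decide whether a given sign-in is prompted. The following is an added example that models that decision; it is not Azure AD's own evaluation engine, and every address (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), device id and timestamp is constructed. It fails closed: an address that cannot be parsed is prompted.

```python
"""Decide whether a sign-in needs an MFA prompt (added example)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class MfaServiceSettings:
    trusted_ip_ranges: list   # CIDR strings; sign-ins from these skip the prompt
    remember_mfa_days: int    # 0 means "remember MFA on trusted devices" is off


@dataclass
class SignIn:
    user: str
    mfa_state: str            # "disabled", "enabled" or "enforced"
    source_ip: str
    device_id: str
    at: datetime


def mfa_decision(signin, settings, remembered):
    """Return why the prompt is skipped, or "prompt".

    `remembered` maps (user, device_id) -> datetime of the last completed MFA.
    Unparsable source addresses fail closed to a prompt.
    """
    if signin.mfa_state == "disabled":
        return "not-enrolled"
    try:
        ip = ipaddress.ip_address(signin.source_ip)
    except ValueError:
        return "prompt"
    for cidr in settings.trusted_ip_ranges:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return "trusted-ip"
    last = remembered.get((signin.user, signin.device_id))
    if settings.remember_mfa_days > 0 and last is not None:
        if signin.at - last < timedelta(days=settings.remember_mfa_days):
            return "remembered-device"
    return "prompt"


def restore_mfa_on_remembered_devices(user, remembered):
    """The quick step from the lesson: forget every device remembered for `user`,
    so their next sign-in is prompted again. Returns the number of devices cleared."""
    keys = [k for k in remembered if k[0] == user]
    for k in keys:
        del remembered[k]
    return len(keys)


# Constructed sample data for a stand-alone run.
SETTINGS = MfaServiceSettings(trusted_ip_ranges=["203.0.113.0/24"], remember_mfa_days=14)
REMEMBERED = {("rick@contoso.example", "laptop-01"): datetime(2024, 1, 1, tzinfo=timezone.utc)}
WHEN = datetime(2024, 1, 5, tzinfo=timezone.utc)


def sample_decisions(settings=SETTINGS, remembered=None):
    """Run the scenarios a practitioner would check; returns the list of verdicts."""
    remembered = dict(REMEMBERED) if remembered is None else remembered
    office = SignIn("rick@contoso.example", "enforced", "203.0.113.7", "laptop-01", WHEN)
    home = SignIn("rick@contoso.example", "enforced", "198.51.100.5", "laptop-01", WHEN)
    stale = SignIn("rick@contoso.example", "enforced", "198.51.100.5", "laptop-01",
                   WHEN + timedelta(days=30))
    verdicts = [mfa_decision(office, settings, remembered),
                mfa_decision(home, settings, remembered),
                mfa_decision(stale, settings, remembered)]
    restore_mfa_on_remembered_devices("rick@contoso.example", remembered)
    verdicts.append(mfa_decision(home, settings, remembered))
    return verdicts


if __name__ == "__main__":
    print(sample_decisions())  # trusted-ip, remembered-device, prompt, prompt
```

Note that a trusted IP range is evaluated before the remembered-device state, so a generous trusted range removes the prompt for every user arriving from it, which is the reason to keep those ranges to addresses you actually control.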
The large majority of help desk calls in most companies are requests to reset user passwords. Enabling Self-Service Password Reset, also known as SSPR, gives users the ability to bypass the help desk and reset their own password. To configure Self-Service Password Reset, you first determine who will be enabled to use it. In the Azure portal, under Azure Active Directory, select Password Reset. In the password reset properties, there are three options: None, Selected, and All.
The selected option is useful for creating specific groups who have self-service password reset enabled. The Azure documentation recommends creating a specific group for this purpose for testing or proof of concept before deploying it to a larger group within your Azure AD Tenant. Once you're ready to deploy this functionality to all users with accounts in your Azure AD Tenant, you can change the settings to All. After enabling password reset for users and groups, you can pick the number of authentication methods required to reset the password and the number of authentication methods available to users. At least one authentication method is required to reset a password, but it is a good idea to have additional methods available.
You can choose from email notifications, a text or code sent to the user's mobile or office phone, or security questions. Regarding the security questions, you can configure the number of questions that users in your Azure AD tenant must register. In addition, you must configure the number of correctly answered security questions that are required for a successful password reset. Please note that Azure administrator accounts will always be able to reset their password no matter what this option is set to.
With that, we have completed the first lesson. Thank you so much for listening. I hope the information provided was useful. In the next lesson, we're going to learn about users and groups, so I will see you in the next one. Till then, take care.
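The SSPR settings walked through above (who is enabled, which methods are available, how many a user must present, and how many security questions must be registered and answered) combine into a single eligibility decision per user. The following is an added example that models that decision and checks the policy for internal consistency; it is not the Azure AD policy engine, and the pilot group, users and registered methods are constructed. It carries the lesson's rule that administrator accounts can always reset their password.

```python
"""Evaluate a self-service password reset (SSPR) policy (added example)."""
from dataclasses import dataclass, field

SECURITY_QUESTIONS = "security_questions"
KNOWN_METHODS = {"email", "mobile_phone", "office_phone", SECURITY_QUESTIONS}


@dataclass
class SsprPolicy:
    scope: str                    # "none", "selected" or "all"
    selected_group: str = ""      # group name used when scope == "selected"
    methods_available: set = field(default_factory=set)
    methods_required: int = 1     # how many methods a user must present (1 or 2)
    questions_to_register: int = 3
    questions_to_reset: int = 3


@dataclass
class User:
    upn: str
    groups: set = field(default_factory=set)
    registered_methods: set = field(default_factory=set)
    registered_questions: int = 0
    is_admin: bool = False


def validate_policy(policy):
    """Return a list of configuration problems (empty when the policy is consistent)."""
    problems = []
    if policy.scope not in ("none", "selected", "all"):
        problems.append("scope must be none, selected or all")
    if policy.scope == "selected" and not policy.selected_group:
        problems.append("selected scope needs a group")
    unknown = policy.methods_available - KNOWN_METHODS
    if unknown:
        problems.append("unknown methods: %s" % ", ".join(sorted(unknown)))
    if policy.methods_required not in (1, 2):
        problems.append("methods_required must be 1 or 2")
    if policy.methods_required > len(policy.methods_available):
        problems.append("more methods required than are available to users")
    if (SECURITY_QUESTIONS in policy.methods_available
            and policy.questions_to_reset > policy.questions_to_register):
        problems.append("cannot require more answers than questions registered")
    return problems


def usable_methods(user, policy):
    """Methods the user has registered that the policy also offers; security
    questions only count once the user has registered the required number."""
    usable = user.registered_methods & policy.methods_available
    if SECURITY_QUESTIONS in usable and user.registered_questions < policy.questions_to_register:
        usable = usable - {SECURITY_QUESTIONS}
    return usable


def sspr_eligibility(user, policy):
    """Return (can_reset, reason) for a user under the policy."""
    if user.is_admin:
        return True, "administrator accounts can always reset"  # as the lesson states
    if policy.scope == "none":
        return False, "SSPR is disabled"
    if policy.scope == "selected" and policy.selected_group not in user.groups:
        return False, "user is not in the selected group"
    have = usable_methods(user, policy)
    if len(have) < policy.methods_required:
        return False, "needs %d methods, has %d" % (policy.methods_required, len(have))
    return True, "ok"


# Constructed pilot policy and users.
PILOT = SsprPolicy("selected", "SSPR-Pilot",
                   {"email", "mobile_phone", SECURITY_QUESTIONS}, 2, 3, 3)
MORTY = User("morty@contoso.example", {"SSPR-Pilot"}, {"email", SECURITY_QUESTIONS}, 3)
SUMMER = User("summer@contoso.example", {"SSPR-Pilot"}, {"email", SECURITY_QUESTIONS}, 2)
JERRY = User("jerry@contoso.example", {"Finance"}, {"email", "mobile_phone"}, 0)
RICK = User("rick@contoso.example", set(), set(), 0, is_admin=True)

if __name__ == "__main__":
    print(validate_policy(PILOT))
    for u in (MORTY, SUMMER, JERRY, RICK):
        print(u.upn, sspr_eligibility(u, PILOT))
```

The second user in the sample shows the case worth watching in a pilot: a user who registered security questions but fewer than the policy demands has, in effect, one method rather than two, and is turned away until registration is complete.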