Practice Lab: Managing Identities in Azure AD
WWL Tenants - Terms of Use
If you are being provided with a tenant as a part of an instructor-led training delivery, please note that the tenant is made available for the purpose of supporting the hands-on labs in the instructor-led training.
Tenants should not be shared or used for purposes outside of hands-on labs. The tenant used in this course is a trial tenant; it cannot be used or accessed after the class is over and is not eligible for extension.
Tenants must not be converted to a paid subscription. Tenants obtained as a part of this course remain the property of Microsoft Corporation and we reserve the right to obtain access and repossess at any time.
Summary
In this lab, you will use the Microsoft Entra admin center to create and modify users, assign administrative roles, create and modify groups, and manage license assignments in Azure AD.
Exercise 1: Creating users in Azure AD
Scenario
You need to create user accounts in Azure AD for new employees that will start next week. New users are listed in the following table:
Name | User Name | Password | Job title | Department |
---|---|---|---|---|
Edmund Reeve | [email protected] | Pa55-w.rd! | HR Rep | HR |
Miranda Snider | [email protected] | Pa55-w.rd! | Helpdesk Manager | Operations |
Cody Godinez | [email protected] | Pa55-w.rd! | Sales Rep | Sales |
Note: For location use either your local region or United States.
You've also been told that several more employees will be hired over the next couple of months. You've decided that scripting would be a far more efficient method of adding a large number of new users. You've decided to create a PowerShell script and test it out when you create Cody Godinez's account.
Task 1: Create users by using the Microsoft Entra admin center
-
On SEA-SVR1, sign in as Contoso\Administrator with the password of Pa55w.rd.
-
Close Server Manager.
-
On the taskbar, select Microsoft Edge.
-
In the address bar, enter https://admin.microsoft.com.
-
At the Sign-in prompt, enter [email protected] and then select Next.
-
At the Enter password page, enter the password for the Admin account and then select Sign in.
Note: Check with your instructor on the password to use for signing in with the Admin account.
-
At the Save password prompt, select Save & Turn on.
-
At the Stay signed in prompt, select No. The Microsoft 365 admin center opens.
-
Select the Navigation menu and then select Show all.
-
In the Navigation pane, under Admin centers select Identity. The Microsoft Entra admin center opens.
-
In the Microsoft Entra admin center, in the navigation pane, select Users and in the expanded menu that appears select All users.
Take note of the users that already exist as members of the Microsoft Entra ID. The On-premises sync enabled column states No for all current users. This indicates that each user was created directly in Microsoft Entra ID and not synchronized from an on-premises directory service.
-
On the Users | All users page, select New user then select Create new user.
-
On the Create new user page, enter the following:
- User Principal Name: ereeve
- Display Name: Edmund Reeve
-
Uncheck Auto-generated password.
-
Next to Password, enter Pa55-w.rd!.
-
Select Next:Properties located at the bottom of the page.
-
Next to First name, enter Edmund.
-
Next to Last name, enter Reeve.
-
Next to User type, make note that Member is selected.
Note: The Member user type is the default user type. This user type is used for most users in an organization.
-
Next to Job title, enter HR Rep.
-
Next to Department, enter HR.
-
Next to Usage location, select United States.
-
Select Next:Assignments located at the bottom of the page.
-
On the Assignments page, note that no assignments are selected.
By default, no groups are assigned to the user. This is because the user is not a member of any groups until you assign them.
-
Select Next:Review + create located at the bottom of the page.
Review the information on this page to ensure that it is correct.
-
Select Create.
-
On the Users | All users page, select New user then select Create new user.
-
On the Create new user page, enter the following:
- User Principal Name: msnider
- Display Name: Miranda Snider
-
Uncheck Auto-generated password.
-
Next to Password, enter Pa55-w.rd!.
-
Select Next:Properties located at the bottom of the page.
-
Next to First name, enter Miranda.
-
Next to Last name, enter Snider.
-
Next to User type, make note that Member is selected.
-
Next to Job title, enter Helpdesk Manager.
-
Next to Department, enter Operations.
-
Next to Usage location, select United States.
-
Select Next:Assignments located at the bottom of the page.
-
On the Assignments page, note that no assignments are selected.
-
Select Next:Review + create located at the bottom of the page.
-
Select Create.
-
Minimize the Microsoft Edge window.
Task 2: Create users by using PowerShell
-
On SEA-SVR1, click into the Windows Search bar and then type PWSH. Right-click PowerShell 7 and then select Run as Administrator.
-
In the PowerShell 7 window, type the following command, and then press Enter. If prompted, enter Y at the NuGet and repository messages:
Install-Module Microsoft.Graph -Scope CurrentUser
-
In the PowerShell 7 window, type the following command, and then press Enter:
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"
-
A new tab in Microsoft Edge will appear prompting you to sign in. In the Sign in to your account dialog box, sign in as [email protected] with the tenant password, and then select Sign in.
-
On the Permissions Requested prompt that appears, check Consent on behalf of your organization and then select Accept.
-
Close out of the Authentication complete tab and then minimize Microsoft Edge.
-
Back in the PowerShell 7 window, type the following code to create a new profile object, and then press Enter. Replace Pa55w.rd with a complex password of your choice:
$PWProfile = @{
    Password = "Pa55w.rd"
    ForceChangePasswordNextSignIn = $false
}
-
Next, type the following code to create a new user, and then press Enter. Be sure to replace "yourtenant" with your assigned tenant name:
New-MgUser `
    -DisplayName "Cody Godinez" `
    -GivenName "Cody" -Surname "Godinez" `
    -MailNickname "cgodinez" `
    -UsageLocation "US" `
    -UserPrincipalName "cgodinez@yourtenant.onmicrosoft.com" `
    -PasswordProfile $PWProfile -AccountEnabled `
    -Department "Sales" -JobTitle "Sales Rep"
-
To confirm that the user Cody Godinez was created, in the PowerShell 7 window, type the following command and then press Enter:
Get-MgUser
Verify that the list of users from your tenant is displayed.
Results: After completing this exercise, you will have successfully created new user accounts in Azure AD.
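The scenario above expects more hires over the coming months. The following is an added example, not part of the original lab, that extends the single New-MgUser call to a table of users; it assumes a session opened with Connect-MgGraph and the User.ReadWrite.All scope, and the New-TempPassword helper and the yourtenant.onmicrosoft.com domain are placeholders introduced here.

```powershell
# Added example: bulk-create users from a table. Assumes an existing session:
#   Connect-MgGraph -Scopes "User.ReadWrite.All"
$domain = 'yourtenant.onmicrosoft.com'   # placeholder: your tenant's domain

# Inline sample data taken from the lab's user table; in practice use Import-Csv.
$newHires = @'
GivenName,Surname,Alias,JobTitle,Department
Edmund,Reeve,ereeve,HR Rep,HR
Miranda,Snider,msnider,Helpdesk Manager,Operations
Cody,Godinez,cgodinez,Sales Rep,Sales
'@ | ConvertFrom-Csv

function New-TempPassword {
    # Hypothetical helper: random one-time password from a CSPRNG, retried
    # until it contains lower case, upper case and a digit.
    param([int]$Length = 20)
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%*-_'
    do {
        $pw = -join (1..$Length | ForEach-Object {
            $chars[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($chars.Length)]
        })
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    $pw
}

foreach ($hire in $newHires) {
    $upn = "$($hire.Alias)@$domain"
    # Idempotent: skip accounts that already exist instead of failing mid-run.
    if (Get-MgUser -Filter "userPrincipalName eq '$upn'") {
        Write-Warning "$upn already exists, skipping"
        continue
    }
    $tempPassword = New-TempPassword
    $params = @{
        DisplayName       = "$($hire.GivenName) $($hire.Surname)"
        GivenName         = $hire.GivenName
        Surname           = $hire.Surname
        MailNickname      = $hire.Alias
        UserPrincipalName = $upn
        UsageLocation     = 'US'
        JobTitle          = $hire.JobTitle
        Department        = $hire.Department
        AccountEnabled    = $true
        PasswordProfile   = @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
    }
    $created = New-MgUser @params
    # Emit the one-time password once, for delivery to the new hire.
    [pscustomobject]@{ UserPrincipalName = $created.UserPrincipalName; TempPassword = $tempPassword }
}
```

Each account gets its own random password and must change it at first sign-in, so no shared initial password is left in the script or its history.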
Exercise 2: Assigning Administrative Roles in Azure AD
Scenario
You need to review and modify the current administrative roles for your tenant.
You have been provided a list of users who should have administrative roles assigned as indicated in the following table.
Name | Must be able to: | Administrative Role needed: |
---|---|---|
Allan Deyoung | Manage the tenant | Global administrator |
Edmund Reeve | Manage users, groups, and password resets | User administrator |
Miranda Snider | Manage password resets | Helpdesk administrator |
Task 1: Review and Assign Administrative Roles
-
On SEA-SVR1, switch to Microsoft Edge.
-
In the Microsoft Entra admin center, in the Navigation pane, select Show more.
-
In the Navigation pane, select Roles & admins > Roles & admins.
Note that you can scroll down the list or use the search box to find the Role you are looking for.
-
Using the search box, search for Global administrator.
-
Select Global administrator.
-
In the Global administrator pane, select Add assignments.
-
In the Add assignments pane, select Allan Deyoung.
-
Select Add.
-
In the navigation breadcrumbs, select Roles & administrators | All roles.
-
Using the search box, search for User administrator.
-
Select User administrator.
-
In the User administrator pane, select Add assignments.
-
In the Add assignments pane, search for and select Edmund Reeve.
-
Select Add.
-
In the navigation breadcrumbs, select Roles & administrators | All roles.
-
Using the search box, search for Helpdesk administrator.
-
Select Helpdesk administrator.
-
In the Helpdesk administrator pane, select Add assignments.
-
In the Add assignments pane, search for and select Miranda Snider.
-
Select Add.
-
In the navigation pane, select Home.
Results: After completing this exercise, you should have successfully assigned administrative roles to users.
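To check the result of this exercise from PowerShell, the following added example (not part of the original lab) lists the members of the three roles and flags whether the user from the table is present. It assumes a session opened with Connect-MgGraph -Scopes "RoleManagement.Read.Directory"; the $expected table is built from the scenario above.

```powershell
# Added example: audit who holds the roles assigned in Exercise 2.
# Assumes: Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
$expected = @{
    'Global Administrator'   = 'Allan Deyoung'
    'User Administrator'     = 'Edmund Reeve'
    'Helpdesk Administrator' = 'Miranda Snider'
}

# Only roles that have been activated in the tenant are returned here.
$roles = Get-MgDirectoryRole

foreach ($roleName in $expected.Keys) {
    $role = $roles | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) {
        Write-Warning "$roleName is not activated in this tenant (no assignments yet)"
        continue
    }
    # Members come back as directory objects; the readable fields are in
    # AdditionalProperties, as seen with Get-MgGroupMember later in the lab.
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    [pscustomobject]@{
        Role            = $roleName
        MemberCount     = $members.Count
        Members         = $members -join ', '
        ExpectedPresent = $members -contains $expected[$roleName]
    }
}
```

The Members column also shows every other holder of each role, which makes an unexpected Global administrator easy to spot.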
Exercise 3: Creating and managing groups and validating license assignment
Scenario
You need to add the three new users to a Security group and assign licenses as indicated in the following table.
Name | Member of: | License to assign |
---|---|---|
Edmund Reeve | Contoso_Managers | Office 365 E5, Enterprise Mobility + Security E5 via group membership |
Miranda Snider | Contoso_Managers | Office 365 E5, Enterprise Mobility + Security E5 via group membership |
Cody Godinez | Contoso_Sales | Office 365 E5, Enterprise Mobility + Security E5 via direct assignment |
You have also been asked to modify the Company branding for the sign-in page.
Task 1: Create groups by using the Microsoft Entra admin center
-
On SEA-SVR1, in the Microsoft Entra admin center, in the navigation pane, select Groups > All groups.
-
Select New group.
-
On the New Group page, enter the following:
- Group type: Security
- Group name: Contoso_Managers
- Membership type: Assigned
-
Under Members, select No members selected.
-
In the Add members page add Edmund Reeve, Miranda Snider, and then click Select.
-
Select Create.
Task 2: Create groups by using PowerShell
-
On SEA-SVR1, switch to PowerShell 7.
-
In the PowerShell 7 window, type the following code to create a new group, and then press Enter:
New-MgGroup -DisplayName "Contoso_Sales" -Description "Contoso Sales team users" -MailEnabled:$false -Mailnickname "Contoso_Sales" -SecurityEnabled
-
In the PowerShell 7 window, type the following command, and then press Enter:
Get-MgGroup
-
Verify that you get the list of groups in your tenant, including the Contoso_Sales group you just created.
-
In the PowerShell 7 window, type the following code to define a variable as the Contoso_Sales group, and then press Enter:
$group = Get-MgGroup | Where-Object {$_.DisplayName -eq "Contoso_Sales"}
-
In the PowerShell 7 window, type the following code to define another variable as the user, and then press Enter:
$user = Get-MgUser | Where-Object {$_.DisplayName -eq "Cody Godinez"}
-
In the PowerShell 7 window, type the following code to add Cody to Contoso_Sales using set variables, and then press Enter:
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
-
In the PowerShell 7 window, type the following code, and then press Enter:
Get-MgGroupMember -GroupId $group.Id | FL
-
Verify that you see Cody Godinez as a value in AdditionalProperties.
-
Close PowerShell 7.
Task 3: Review licenses and modify company branding
-
In the Microsoft Entra admin center, in the navigation pane, select Billing > Licenses.
-
On the Licenses|Overview page, under Manage, select All products.
Take note of the current licenses available and assigned for Enterprise Mobility + Security E5 and Office 365 E5.
-
In the Microsoft Entra admin center, in the Navigation pane, select User experiences > Company branding.
-
On the Company Branding page, under Default sign-in experience, select Customize.
-
On the Customize default sign-in experience page, navigate to the Sign-in form tab and configure the following settings:
- Sign-in page text: Contoso Corp. Sign-in Page
-
Select Review + Create, review the settings and then select Create.
-
In the Microsoft Entra admin center, in the Navigation pane, select Users > All users.
-
In the user list, select Cody Godinez.
-
In the Cody Godinez Profile page, under Manage, select Licenses.
Notice that Cody does not have any current license assignments.
-
Select Assignments.
-
In the Update license assignments page, select the check box next to Enterprise Mobility + Security E5 and Office 365 E5.
-
Select Save.
-
In the Microsoft Entra admin center, in the Navigation pane, select Groups > All groups.
-
On the Groups|All groups page, select Contoso_Managers.
-
On the Contoso_Managers page, select Licenses.
Notice that the Contoso_Managers group does not have any current license assignments.
-
Select Assignments.
-
In the Update license assignments page, select the check box next to Enterprise Mobility + Security E5 and Office 365 E5.
-
Select Save.
-
In the Microsoft Entra admin center, in the Navigation pane, select Billing > Licenses.
-
On the Licenses|Overview page, under Manage, select All products.
-
On the Licenses|All products page, select Office 365 E5.
Take note of the users that are assigned the Office 365 E5 license. Notice the Assignment Paths column which indicates how license assignment is configured for each user. Edmund and Miranda both receive their license assignment from their membership in the Contoso_Managers group. You may need to select Refresh a couple of times to update the Assignment path column.
-
Close Microsoft Edge.
Results: After completing this exercise, you should have successfully created and managed groups, modified company branding, and assigned licenses.
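The Assignment Paths column reviewed in Task 3 can also be read through Microsoft Graph. The following added example, not part of the original lab, reports for each of the three users whether a license is assigned directly or inherited from a group; it assumes a new PowerShell 7 session opened with Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All".

```powershell
# Added example: show direct versus group-inherited license assignments.
# Assumes: Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
$names = 'Edmund Reeve', 'Miranda Snider', 'Cody Godinez'

foreach ($name in $names) {
    # licenseAssignmentStates is only returned when requested explicitly.
    $users = Get-MgUser -Filter "displayName eq '$name'" `
        -Property id, displayName, licenseAssignmentStates

    foreach ($user in $users) {
        if (-not $user.LicenseAssignmentStates) {
            Write-Warning "$($user.DisplayName) has no license assignments"
            continue
        }
        foreach ($state in $user.LicenseAssignmentStates) {
            # AssignedByGroup holds the group's object id when the license is
            # inherited, and is empty for a direct assignment.
            $path = if ($state.AssignedByGroup) {
                'Inherited from ' + (Get-MgGroup -GroupId $state.AssignedByGroup).DisplayName
            } else {
                'Direct'
            }
            [pscustomobject]@{
                User           = $user.DisplayName
                SkuId          = $state.SkuId
                State          = $state.State
                AssignmentPath = $path
            }
        }
    }
}
```

Group-based assignment is processed asynchronously, so a user added to Contoso_Managers may show no inherited entries until processing completes, the same delay the lab handles with Refresh.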
END OF LAB