Manage Azure AD Users


Last updated 4 years ago


Overview

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It lets your employees sign in and access resources in:

  • External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Features

  1. It is Microsoft's identity service in the Azure cloud, distinct from on-premises Windows Server Active Directory.

  2. It manages users, groups, applications, and service principals.

  3. It can be synchronized with on-premises Active Directory (for example with Azure AD Connect).

  4. GUI management through the Azure portal.

  5. Command-line management with PowerShell (the Az module) or the Azure CLI (az).

Identity and Access Management (IAM)

Authentication

  • Proof of identity.

  • Single factor: username and password.

  • Multi-factor: username and password plus a second factor, such as a smart card.

Authorization

  • Controlled access to resources.

  • Permissions (for example RBAC roles) or policies are assigned to users, groups, or service principals; assigning them to groups rather than to individual users is the usual practice.

Azure AD Security

Azure AD is the centralized repository of identities and credentials, and provides these security controls:

  • RBAC roles (a role is a collection of permissions).

  • Conditional Access.

  • Access Reviews.

  • Multi-Factor Authentication.

  • Privileged Identity Management (PIM).

Tenant = an Azure Active Directory instance (the dedicated directory an organization receives when it signs up for Azure).

Azure CLI

[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "015d833e-6116-46e4-8cdc-934661223874",
    "id": "edea1940-2666-4135-958c-260de343efa8",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure for Students",
    "state": "Enabled",
    "tenantId": "015d833e-6116-46e4-8cdc-934661223874",
    "user": {
      "cloudShellID": true,
      "name": "live.com#ctreminiom079@gmail.com",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "015d833e-6116-46e4-8cdc-934661223874",
    "id": "6819e7c3-a625-47c1-b352-8db014ae1236",
    "isDefault": false,
    "managedByTenants": [],
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "015d833e-6116-46e4-8cdc-934661223874",
    "user": {
      "cloudShellID": true,
      "name": "live.com#ctreminiom079@gmail.com",
      "type": "user"
    }
  }
]

This is the output of az account list (run in Cloud Shell, hence cloudShellID: true). Every subscription is tied to exactly one Azure AD tenant, identified by tenantId; both subscriptions above belong to the same tenant, and homeTenantId equals tenantId because neither is accessed through a delegation from another tenant (managedByTenants is empty).
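To turn that output into a check, the following is an added example in PowerShell (not code from the original page): it parses az account list JSON and flags any subscription whose tenantId differs from the expected home tenant, whose homeTenantId differs from its tenantId (accessed through another tenant), or that is delegated to another tenant via a non-empty managedByTenants (Azure Lighthouse). The function name Test-SubscriptionTenant, every GUID and the e-mail address in the embedded sample are constructed placeholders, not values from this page; the offline run needs no Azure login.

```powershell
# Added example, not from the original page. Parses `az account list -o json`
# output and reports subscriptions that do not sit cleanly in the expected tenant.
# All GUIDs and the e-mail address below are constructed placeholders.

function Test-SubscriptionTenant {
    param(
        # JSON exactly as printed by `az account list -o json`
        [Parameter(Mandatory)][string]$AccountsJson,
        # The tenant the operator considers "home" (assumed known)
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )

    $accounts = $AccountsJson | ConvertFrom-Json
    foreach ($acct in $accounts) {
        $findings = @()
        if ($acct.tenantId -ne $ExpectedTenantId) {
            $findings += 'ForeignTenant'           # subscription lives in a different directory
        }
        if ($acct.homeTenantId -ne $acct.tenantId) {
            $findings += 'HomeTenantMismatch'      # reached via a tenant that is not its home (e.g. Lighthouse managing tenant)
        }
        if ($acct.managedByTenants.Count -gt 0) {
            $findings += 'DelegatedToOtherTenant'  # another tenant has delegated access to this subscription
        }
        if ($acct.state -ne 'Enabled') {
            $findings += "State=$($acct.state)"
        }
        [pscustomobject]@{
            Name     = $acct.name
            Id       = $acct.id
            TenantId = $acct.tenantId
            Default  = $acct.isDefault
            Findings = if ($findings) { $findings -join ',' } else { 'OK' }
        }
    }
}

# Constructed sample: two subscriptions in the home tenant (shaped like the page's
# output) plus a third that lives in a foreign tenant and is delegated to yet another.
$sample = @'
[
  { "cloudName": "AzureCloud", "homeTenantId": "11111111-1111-1111-1111-111111111111",
    "id": "aaaaaaaa-0000-0000-0000-000000000001", "isDefault": true, "managedByTenants": [],
    "name": "Azure for Students", "state": "Enabled",
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "user": { "cloudShellID": true, "name": "user@example.com", "type": "user" } },
  { "cloudName": "AzureCloud", "homeTenantId": "11111111-1111-1111-1111-111111111111",
    "id": "aaaaaaaa-0000-0000-0000-000000000002", "isDefault": false, "managedByTenants": [],
    "name": "Azure subscription 1", "state": "Enabled",
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "user": { "cloudShellID": true, "name": "user@example.com", "type": "user" } },
  { "cloudName": "AzureCloud", "homeTenantId": "22222222-2222-2222-2222-222222222222",
    "id": "aaaaaaaa-0000-0000-0000-000000000003", "isDefault": false,
    "managedByTenants": [ { "tenantId": "33333333-3333-3333-3333-333333333333" } ],
    "name": "Partner Sandbox", "state": "Enabled",
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "user": { "cloudShellID": true, "name": "user@example.com", "type": "user" } }
]
'@

# Offline run against the constructed sample: the third row reports
# ForeignTenant,DelegatedToOtherTenant while the first two report OK.
Test-SubscriptionTenant -AccountsJson $sample -ExpectedTenantId '11111111-1111-1111-1111-111111111111' |
    Format-Table -AutoSize

# Live run (requires a prior `az login`), comparing against the signed-in account's home tenant:
# Test-SubscriptionTenant -AccountsJson (az account list -o json | Out-String) `
#     -ExpectedTenantId (az account show --query homeTenantId -o tsv)
```

A subscription showing up with ForeignTenant usually means the signed-in account is a guest in another directory; DelegatedToOtherTenant means a third party can act in that subscription, which is worth confirming against your list of approved Lighthouse providers.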

Commands

carlos@Azure:~$ az ad -h

Group
    az ad : Manage Azure Active Directory Graph entities needed for Role Based Access Control.

Subgroups:
    app            : Manage applications with AAD Graph.
    group          : Manage Azure Active Directory groups.
    signed-in-user : Show graph information about current signed-in user in CLI.
    sp             : Manage Azure Active Directory service principals for automation authentication.
    user           : Manage Azure Active Directory users and user authentication.

Examples
    Delete a group from the directory. (autogenerated)
        az ad group delete --group MyGroupDisplayName


    Create a service principal. (autogenerated)
        az ad sp create --id 00000000-0000-0000-0000-00000000000000000


    update an application's group membership claims to "All" (autogenerated)
        az ad app update --id 00000000-0000-0000-0000-00000000000000000 --set
        groupMembershipClaims=All


    Create a web application, web API or native application. (autogenerated)
        az ad app create --available-to-other-tenants true --display-name my-native --password
        {password}


For more specific examples, use: az find "az ad"

Please let us know how we are doing: https://aka.ms/azureclihats
carlos@Azure:~$

Commands Available

Command                                  Description
az ad app                                Manage applications with AAD Graph.
az ad app create                         Create a web application, web API, or native application.
az ad app credential                     Manage an application's password or certificate credentials.
az ad app credential delete              Delete an application's password or certificate credentials.
az ad app credential list                List an application's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.)
az ad app credential reset               Append or overwrite an application's password or certificate credentials.
az ad app delete                         Delete an application.
az ad app list                           List applications.
az ad app owner                          Manage application owners.
az ad app owner add                      Add an application owner.
az ad app owner list                     List application owners.
az ad app owner remove                   Remove an application owner.
az ad app permission                     Manage an application's OAuth2 permissions.
az ad app permission add                 Add an API permission.
az ad app permission admin-consent       Grant Application and Delegated permissions through admin consent.
az ad app permission delete              Remove an API permission.
az ad app permission grant               Grant the app API Delegated permissions.
az ad app permission list                List API permissions the application has requested.
az ad app permission list-grants         List OAuth2 permission grants.
az ad app show                           Get the details of an application.
az ad app update                         Update an application.
az ad ds                                 Manage Domain Services with Azure Active Directory.
az ad ds create                          Create a new domain service with the specified parameters.
az ad ds delete                          Delete an existing domain service.
az ad ds list                            List domain services in a resource group or in the subscription.
az ad ds show                            Get the specified domain service.
az ad ds update                          Update the existing deployment properties of a domain service.
az ad ds wait                            Place the CLI in a waiting state until a condition of the domain service is met.
az ad group                              Manage Azure Active Directory groups.
az ad group create                       Create a group in the directory.
az ad group delete                       Delete a group from the directory.
az ad group get-member-groups            Get the object IDs of the groups of which the specified group is a member.
az ad group list                         List groups in the directory.
az ad group member                       Manage Azure Active Directory group members.
az ad group member add                   Add a member to a group.
az ad group member check                 Check if a member is in a group.
az ad group member list                  Get the members of a group.
az ad group member remove                Remove a member from a group.
az ad group owner                        Manage Azure Active Directory group owners.
az ad group owner add                    Add a group owner.
az ad group owner list                   List group owners.
az ad group owner remove                 Remove a group owner.
az ad group show                         Get group information from the directory.
az ad signed-in-user                     Show graph information about the user currently signed in to the CLI.
az ad signed-in-user list-owned-objects  Get the list of directory objects that are owned by the user.
az ad signed-in-user show                Get the details for the currently logged-in user.
az ad sp                                 Manage Azure Active Directory service principals for automation authentication.
az ad sp create                          Create a service principal.
az ad sp create-for-rbac                 Create a service principal and configure its access to Azure resources.
az ad sp credential                      Manage a service principal's credentials.
az ad sp credential delete               Delete a service principal's credential.
az ad sp credential list                 List a service principal's credentials.
az ad sp credential reset                Reset a service principal credential.
az ad sp delete                          Delete a service principal and its role assignments.
az ad sp list                            List service principals.
az ad sp owner                           Manage service principal owners.
az ad sp owner list                      List service principal owners.
az ad sp show                            Get the details of a service principal.
az ad sp update                          Update a service principal.
az ad user                               Manage Azure Active Directory users and user authentication.
az ad user create                        Create an Azure Active Directory user.
az ad user delete                        Delete a user.
az ad user get-member-groups             Get groups of which the user is a member.
az ad user list                          List Azure Active Directory users.
az ad user show                          Get user information from the directory.
az ad user update                        Update Azure Active Directory users.

PS /home/carlos> az ad signed-in-user -h

Group
    az ad signed-in-user : Show graph information about current signed-in user in CLI.

Commands:
    list-owned-objects : Get the list of directory objects that are owned by the user.
    show               : Gets the details for the currently logged-in user.

For more specific examples, use: az find "az ad signed-in-user"

Please let us know how we are doing: https://aka.ms/azureclihats
PS /home/carlos> az ad signed-in-user show
{
  "accountEnabled": true,
  "ageGroup": null,
  "assignedLicenses": [],
  "assignedPlans": [],
  "city": null,
  "companyName": null,
  "consentProvidedForMinor": null,
  "country": null,
  "createdDateTime": "2021-04-30T21:30:52Z",
  "creationType": null,
  "deletionTimestamp": null,
  "department": null,
  "dirSyncEnabled": null,
  "displayName": "Carlos Treminio",
  "employeeId": null,
  "facsimileTelephoneNumber": null,
  "givenName": "Carlos",
  "immutableId": null,
  "isCompromised": null,
  "jobTitle": null,
  "lastDirSyncTime": null,
  "legalAgeGroupClassification": null,
  "mail": null,
  "mailNickname": "ctreminiom079_gmail.com#EXT#",
  "mobile": null,
  "objectId": "051a6a52-aeb0-4844-a238-11b2a145b415",
  "objectType": "User",
  "odata.metadata": "https://graph.windows.net/015d833e-6116-46e4-8cdc-934661223874/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.User",
  "onPremisesDistinguishedName": null,
  "onPremisesSecurityIdentifier": null,
  "otherMails": [
    "ctreminiom079@gmail.com"
  ],
  "passwordPolicies": null,
  "passwordProfile": null,
  "physicalDeliveryOfficeName": null,
  "postalCode": null,
  "preferredLanguage": "en",
  "provisionedPlans": [],
  "provisioningErrors": [],
  "proxyAddresses": [],
  "refreshTokensValidFromDateTime": "2021-04-30T21:30:52Z",
  "showInAddressList": null,
  "signInNames": [],
  "sipProxyAddress": null,
  "state": null,
  "streetAddress": null,
  "surname": "Treminio",
  "telephoneNumber": null,
  "thumbnailPhoto@odata.mediaEditLink": "directoryObjects/051a6a52-aeb0-4844-a238-11b2a145b415/Microsoft.DirectoryServices.User/thumbnailPhoto",
  "usageLocation": "CR",
  "userIdentities": [],
  "userPrincipalName": "ctreminiom079_gmail.com#EXT#@ctreminiom079gmail.onmicrosoft.com",
  "userState": null,
  "userStateChangedOn": null,
  "userType": "Member"
}
PS /home/carlos>
PS /home/carlos> az ad group list --query [].displayName
[
  "Group Dummy"
]
PS /home/carlos>

Powershell Commands

Find commands

PS /home/carlos> get-command get*azad*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           Get-AzADServicePrincipalCredential                 3.4.1      Az.Resources
Cmdlet          Get-AzADAppCredential                              3.4.1      Az.Resources
Cmdlet          Get-AzADApplication                                3.4.1      Az.Resources
Cmdlet          Get-AzADGroup                                      3.4.1      Az.Resources
Cmdlet          Get-AzADGroupMember                                3.4.1      Az.Resources
Cmdlet          Get-AzADServicePrincipal                           3.4.1      Az.Resources
Cmdlet          Get-AzADSpCredential                               3.4.1      Az.Resources
Cmdlet          Get-AzADUser                                       3.4.1      Az.Resources
Cmdlet          Get-AzAdvisorConfiguration                         1.1.1      Az.Advisor
Cmdlet          Get-AzAdvisorRecommendation                        1.1.1      Az.Advisor

PS /home/carlos>
PS /home/carlos>  Get-AzADGroup | select displayName

DisplayName
-----------
Group Dummy
PS /home/carlos>  Get-AzADGroup | get-member -type property

   TypeName: Microsoft.Azure.Commands.ActiveDirectory.PSADGroup

Name            MemberType Definition
----            ---------- ----------
Description     Property   string Description {get;set;}
DisplayName     Property   string DisplayName {get;set;}
Id              Property   string Id {get;set;}
MailNickname    Property   string MailNickname {get;set;}
ObjectType      Property   string ObjectType {get;}
SecurityEnabled Property   System.Nullable[bool] SecurityEnabled {get;set;}
Type            Property   string Type {get;set;}
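Putting the Get-AzAD* cmdlets above to work, here is an added PowerShell example (not code from the original page) that provisions a user into a group with safe defaults and then verifies the membership: the group is reused if it already exists, the initial password is generated from a cryptographic RNG and must be changed at first sign-in, and the membership add is skipped if the user is already a member. It is written against the Az.Resources 3.x cmdlets listed above, which talk to the legacy Azure AD Graph API; newer Az.Resources releases moved to Microsoft Graph and changed some parameters (for example New-AzADUser gained -AccountEnabled), so check Get-Help on your version. It needs an existing Connect-AzAccount session with rights to create users and groups (for example User Administrator). The domain contoso.onmicrosoft.com, the group sec-readers, the user jdoe and the display name Jane Doe are hypothetical.

```powershell
# Added example, not from the original page. Requires a Connect-AzAccount session
# whose identity may create users and groups. Targets Az.Resources 3.x cmdlets.
# All names below are hypothetical placeholders.

$upnDomain = 'contoso.onmicrosoft.com'   # assumption: a verified domain of the tenant
$groupName = 'sec-readers'               # hypothetical group
$userUpn   = "jdoe@$upnDomain"           # hypothetical user

# Reuse the group if it already exists; otherwise create it.
$group = Get-AzADGroup -DisplayName $groupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-AzADGroup -DisplayName $groupName `
                           -MailNickname $groupName `
                           -Description 'Read-only security reviewers'
}

# Generate a one-time password from a cryptographic RNG instead of hard-coding one.
# The user is forced to change it at first sign-in, so the script never stores it.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)
$securePassword  = ConvertTo-SecureString -String $initialPassword -AsPlainText -Force

# Create the user only if the UPN is not already taken.
$user = Get-AzADUser -UserPrincipalName $userUpn -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-AzADUser -DisplayName 'Jane Doe' `
                         -UserPrincipalName $userUpn `
                         -MailNickname 'jdoe' `
                         -Password $securePassword `
                         -ForceChangePasswordNextLogin
}

# Add to the group only when not already a member (adding a duplicate raises an error).
$members = Get-AzADGroupMember -GroupObjectId $group.Id
if ($members.Id -notcontains $user.Id) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
}

# Verify: the membership just granted must be readable back from the directory.
$verified = (Get-AzADGroupMember -GroupObjectId $group.Id).Id -contains $user.Id
[pscustomobject]@{
    User    = $user.UserPrincipalName
    Group   = $group.DisplayName
    InGroup = $verified
}

# Hand $initialPassword to the user out of band (not via the console transcript);
# it is deliberately not written to output or logs here.
```

Granting access through the group rather than assigning roles to the user directly keeps the RBAC assignments on the group, so removing the user later is a single Remove-AzADGroupMember call and leaves no stray role assignments behind.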

Azure PowerShell is designed for managing and administering Azure resources from the command line. Use Azure PowerShell when you want to build automated tools that use the Azure Resource Manager model. Try it out in your browser with Azure Cloud Shell, or install it on your local machine.

Azure PowerShell cmdlets follow the standard PowerShell naming convention, Verb-Noun. The verb describes the action (examples include New, Get, Set, Remove) and the noun describes the resource type (examples include AzVM, AzKeyVaultCertificate, AzFirewall, AzVirtualNetworkGateway). Nouns in Azure PowerShell always start with the prefix Az. For the full list of standard verbs, see the list of approved verbs for PowerShell commands.
Azure AD - Diagram