Core Management
From Notes_Wiki
How to create users in Microsoft Entra ID (formerly Azure AD)
Steps to Create a Cloud-Only User
- Go to: https://entra.microsoft.com
- Navigate to Users > All users
- Click + New user
- Choose Create user
- Fill in:
- User principal name (e.g., john.doe@yourtenant.onmicrosoft.com)
- Display name
- Password (auto-generated or custom); keep the option that forces a password change at first sign-in, and hand the initial password to the user out of band, never by e-mail
- Usage location (set it now; a license cannot be assigned until the user has one)
- Assign roles (optional); leave this empty for ordinary users and grant admin roles separately, scoped to the task and time-bound, rather than at creation
- Click Create
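The same procedure scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. It assumes the Microsoft.Graph module is installed, that the signed-in account can create users (User Administrator or equivalent), and that the tenant domain and the person "John Doe" are placeholders to replace.

```powershell
# Added example (not from the original page): create a cloud-only user with
# Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed and
# the signed-in admin holds User Administrator (or a higher) role.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Hypothetical tenant domain and user; replace with your own.
$upn = "john.doe@yourtenant.onmicrosoft.com"

# Generate a random initial password instead of typing a weak one by hand.
# 24 characters from a mixed alphabet; the user must change it at first sign-in.
$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
$initialPassword = -join (1..24 | ForEach-Object { $alphabet | Get-Random })

$params = @{
    AccountEnabled    = $true
    DisplayName       = "John Doe"
    GivenName         = "John"
    Surname           = "Doe"
    MailNickname      = "john.doe"
    UserPrincipalName = $upn
    UsageLocation     = "US"   # required before any license can be assigned
    PasswordProfile   = @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $true
    }
}
$user = New-MgUser @params

# Check: the account exists, is enabled, and has a usage location.
# AccountEnabled is not returned by default, so ask for it explicitly.
Get-MgUser -UserId $user.Id -Property Id,UserPrincipalName,AccountEnabled,UsageLocation |
    Format-List Id,UserPrincipalName,AccountEnabled,UsageLocation

# Deliver $initialPassword out of band (password manager share or a Temporary
# Access Pass), never by e-mail. No directory role is assigned here on purpose:
# admin roles belong in a separate, scoped, time-bound assignment.
```

Creating the user with no role and with the forced password change is the least-privilege default; everything else in this page (licenses, groups, policies) is layered on afterwards.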
How to create groups in Microsoft Entra ID
Types of Groups
- Security group: used to assign permissions to resources and as the target for licenses, Conditional Access and Intune policy assignments
- Microsoft 365 group: used for collaboration (Teams, Outlook, SharePoint); it gets a shared mailbox and site along with the membership
Steps to Create
- Go to: Groups > All groups
- Click + New group
- Choose group type: Security or Microsoft 365
- Set name and description
- Choose Membership type:
- Assigned: members are added manually
- Dynamic User or Dynamic Device: membership is computed from an attribute rule (e.g. user.department -eq "Finance"); this requires Microsoft Entra ID P1, and because anyone who can change the attribute can change the membership, build rules on attributes that only admins or the HR sync can set, not on ones users can edit themselves
- Click Create
Assigning Licenses to Users and Groups
Steps to Assign Licenses to an Individual User
- Go to Users > select the user
- Click Licenses > + Assignments
- Choose product (e.g., Microsoft 365 E5, EMS E3)
- Select service plan components (optional)
- Click Assign; the assignment fails if the user has no Usage location set
Assigning to Groups (Recommended for Bulk)
- Create a security group (or select an existing one); group-based licensing needs a subscription that includes it (Microsoft Entra ID P1, or one of the Office 365 / Microsoft 365 enterprise plans that bundle it)
- Open the group and navigate to: Licenses > + Assignments
- Select the product, and any service plans to disable; a disabled plan applies to every member of the group
- Click Save; members inherit the license, and removing a member removes it again
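One script that covers both procedures above (group creation, including a dynamic group, and user- and group-based license assignment), added here as an example and not taken from the original page. Group names, the Finance department rule, the SKU part number SPE_E5 (Microsoft 365 E5) and the user john.doe@yourtenant.onmicrosoft.com are assumptions to replace; the dynamic group requires Microsoft Entra ID P1.

```powershell
# Added example (not from the original page). Assumes the Microsoft.Graph module,
# an admin with group and license rights, and that the named user already exists.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.ReadWrite.All","Organization.Read.All","Directory.ReadWrite.All" -NoWelcome

# Assigned security group: the target for group-based licensing.
$licGroup = New-MgGroup -DisplayName "SG-M365-E5-Users" `
    -Description "Assigned group; members receive Microsoft 365 E5 via group-based licensing" `
    -MailEnabled:$false -MailNickname "sg-m365-e5-users" -SecurityEnabled

# Dynamic security group (needs Entra ID P1): every enabled user whose department
# is Finance. department is admin/HR-controlled, so users cannot add themselves.
$dynGroup = New-MgGroup -DisplayName "SG-Dyn-Finance" `
    -MailEnabled:$false -MailNickname "sg-dyn-finance" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.department -eq "Finance") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "On"

# Resolve the SKU GUID from its part number instead of hard-coding a tenant-specific GUID.
# SPE_E5 = Microsoft 365 E5, EMSPREMIUM = EMS E3.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "SPE_E5"
if (-not $sku) { throw "SKU SPE_E5 not found in this tenant" }
"{0}: {1} of {2} seats consumed" -f $sku.SkuPartNumber, $sku.ConsumedUnits, $sku.PrepaidUnits.Enabled

# Group-based licensing: one assignment, inherited by current and future members.
# Disabling a service plan here disables it for every member (Sway as a sample plan;
# the array stays empty if the plan is not part of this SKU).
$disabled = @($sku.ServicePlans | Where-Object ServicePlanName -eq "SWAY" | ForEach-Object ServicePlanId)
Set-MgGroupLicense -GroupId $licGroup.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabled }) `
    -RemoveLicenses @()

# Direct assignment to a single user (the user needs UsageLocation set first).
$user = Get-MgUser -UserId "john.doe@yourtenant.onmicrosoft.com"
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Add the same user to the licensed group; inheritance is processed asynchronously,
# and a license held both directly and via the group is still only one seat.
New-MgGroupMember -GroupId $licGroup.Id -DirectoryObjectId $user.Id

# Check: which SKUs the user holds, whether any came via a group, and any assignment errors.
Get-MgUserLicenseDetail -UserId $user.Id | Select-Object SkuPartNumber
(Get-MgUser -UserId $user.Id -Property LicenseAssignmentStates).LicenseAssignmentStates |
    Select-Object SkuId, AssignedByGroup, State, Error
```

The final check matters in practice: a group assignment that fails (no usage location, seats exhausted, conflicting plans) shows up as an Error on the user's LicenseAssignmentStates rather than as a failure of the Set-MgGroupLicense call.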
Device Registration and Microsoft Entra Join (Azure AD Join)
- Microsoft Entra registered (Azure AD registered): personal / BYOD device; the work account is added alongside the user's own account, and access is usually limited by Conditional Access to managed apps or to devices that are also enrolled in management
- Microsoft Entra joined (Azure AD joined): corporate-owned device, users sign in with the Entra identity, full policy and single sign-on integration
- Microsoft Entra hybrid joined (Hybrid Azure AD join): device joined to on-premises AD and registered with Entra ID through Microsoft Entra Connect sync
How to Microsoft Entra Join Windows 11
- During OOBE (Out of Box Experience), choose Set up for work or school
- Enter the user's Entra ID email (e.g., john@domain.com)
- Authenticate and the device gets Entra joined; the account must be allowed to join under Devices > Device settings ("Users may join devices to Microsoft Entra"), and the per-user device limit applies
- By default the user who performs the join becomes a local administrator on that device; manage that through the "Local administrators" device setting and Intune (e.g. LAPS) rather than leaving it
How to deploy Intune and enroll devices
Step-by-Step: Deploy Intune
- Assign a Microsoft Intune license to the users who will enroll
- Go to: Microsoft Intune admin center (formerly Microsoft Endpoint Manager admin center): https://intune.microsoft.com
- Navigate to Devices > Enroll devices > Automatic enrollment (the exact menu label has moved between portal versions)
- Set MDM user scope to All (or a selected group); a user outside this scope can still Entra-join a device, but the device will not enroll in Intune and so never becomes "compliant"
- Save settings
Device Enrollment Steps
- Open Settings > Accounts > Access work or school
- Click + Connect
- Enter the organization email and authenticate; this path produces an Entra-registered, MDM-enrolled device. To Entra-join an existing device instead, choose "Join this device to Microsoft Entra ID" under the alternate actions on the same screen
- The device enrolls and appears in Intune under Devices > All devices
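The check a practitioner wants after both of the preceding procedures (join state and Intune enrollment) is whether the device really ended up in the state intended, seen from the device and from the directory. This is an added example, not from the original page: the first half runs on the Windows device itself with the built-in dsregcmd tool, the second from an admin workstation with the Microsoft.Graph module; no device names are assumed.

```powershell
# Added example (not from the original page).
# ---- Part 1: run on the Windows device ------------------------------------
# dsregcmd is built into Windows. These fields distinguish the three join
# states on this page and show whether MDM enrollment actually happened.
$status = dsregcmd /status
$status | Select-String 'AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|MdmUrl'
# Entra joined + Intune enrolled : AzureAdJoined : YES, DomainJoined : NO, MdmUrl set
# Hybrid joined                  : AzureAdJoined : YES, DomainJoined : YES
# Entra registered only          : AzureAdJoined : NO, WorkplaceJoined : YES (User State)
# Joined but MdmUrl empty        : the user was outside the MDM user scope

# ---- Part 2: run from an admin workstation --------------------------------
Connect-MgGraph -Scopes "Device.Read.All","DeviceManagementManagedDevices.Read.All" -NoWelcome

# Directory view: the device object's TrustType maps onto the three states.
$trust = @{ AzureAd = 'Entra joined'; ServerAd = 'Hybrid joined'; Workplace = 'Entra registered' }
Get-MgDevice -All -Property DisplayName,TrustType,OperatingSystem,IsCompliant,IsManaged,ApproximateLastSignInDateTime |
    Select-Object DisplayName,
                  @{ n = 'JoinType'; e = { $trust[$_.TrustType] } },
                  OperatingSystem, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Sort-Object JoinType | Format-Table -AutoSize

# Intune view: a device that joined but never enrolled is simply absent here.
Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" |
    Select-Object DeviceName, UserPrincipalName, EnrolledDateTime, ComplianceState, ManagementAgent |
    Format-Table -AutoSize

# The gap to close: devices known to the directory but not managed. A Conditional
# Access policy that requires a compliant device will block all of these.
Get-MgDevice -All -Property DisplayName,TrustType,OperatingSystem,IsManaged,RegistrationDateTime |
    Where-Object { -not $_.IsManaged } |
    Select-Object DisplayName, @{ n = 'JoinType'; e = { $trust[$_.TrustType] } }, OperatingSystem, RegistrationDateTime
```

IsManaged on the directory object and the device's presence in the managed-device list should agree; when they do not, the usual cause is a user who was outside the MDM user scope at join time, and re-running the Access work or school flow after fixing the scope enrolls the device without a rejoin.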
Create and deploy compliance policies in Intune
What is a Compliance Policy?
Defines the rules a device must meet to be reported as compliant (e.g., PIN required, disk encryption, minimum OS version). On its own a compliance policy only sets the device's compliance state; enforcement comes from a Conditional Access policy that requires a compliant device, plus the policy's own actions for noncompliance (mark non-compliant after a grace period, notify the user, retire the device).
Steps to Create
- Go to Intune portal > Devices > Compliance policies
- Click + Create policy
- Choose platform (e.g., Windows 10 and later)
- Define settings:
- Password requirements
- Encryption (BitLocker)
- Device Health (Secure Boot, code integrity, as reported by Device Health Attestation)
- Actions for noncompliance (default: mark the device non-compliant immediately)
- Assign the policy to a group
- Click Create
- Check Compliance policies > Compliance policy settings: "Mark devices with no compliance policy assigned as" should be Not compliant; otherwise a device that falls outside every policy passes a "require compliant device" check by default
How to set up Conditional Access policies
Conditional Access Overview
Policies that enforce access control based on signals such as location, device compliance or platform, client app, and user or sign-in risk. Conditional Access requires Microsoft Entra ID P1; the risk signals require P2.
Example: Require MFA for all users
- Go to Entra ID > Protection > Conditional Access
- Click + New policy
- Name: "Require MFA for all users"
- Assignments:
- Users: All users, excluding at least two break-glass (emergency access) accounts so that a broken policy cannot lock every admin out
- Target resources (cloud apps): All cloud apps
- Conditions (optional): e.g., Sign-in risk, Device platform
- Access controls: Grant access, Require multifactor authentication
- Enable the policy in Report-only first, review the sign-in log (Conditional Access tab) for users who would have been blocked, then switch it to On
Enable and Configure Multi-Factor Authentication (MFA)
Basic MFA (Per-user)
- Go to: https://entra.microsoft.com
- Users > All users > Per-user MFA
- Select users and choose Enable
- Users will be prompted to register MFA at next sign-in
- This is the legacy mechanism and has a gap: a user in the Enabled state is only asked to register and is not yet protected; only after registration does the user move to Enforced. It also applies to every sign-in with no conditions and no per-policy exclusions, so use it only where Conditional Access is not available
Conditional MFA (Recommended)
- Use a Conditional Access policy
- Apply to specific apps or users
- Require MFA under defined conditions (e.g. always for admins, for risky sign-ins, or from unmanaged devices)
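Whichever mechanism is used, the question that follows is who has actually registered a strong method. The added example below (not from the original page) pulls the authentication-methods registration report through Microsoft Graph PowerShell; it assumes the Microsoft.Graph module, a reader with the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions, and a tenant licensed for the authentication methods report. The set of methods treated as weak is my own classification.

```powershell
# Added example (not from the original page): audit MFA registration across the tenant.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Tenant-wide summary. IsMfaCapable = has at least one method usable for MFA;
# IsMfaRegistered = has registered something (SSPR-only methods count here too).
[pscustomobject]@{
    Users           = $details.Count
    MfaRegistered   = @($details | Where-Object IsMfaRegistered).Count
    MfaCapable      = @($details | Where-Object IsMfaCapable).Count
    AdminsNotCapable = @($details | Where-Object { $_.IsAdmin -and -not $_.IsMfaCapable }).Count
}

# Admins with no MFA-capable method are the first thing to fix.
$details | Where-Object { $_.IsAdmin -and -not $_.IsMfaCapable } |
    Select-Object UserPrincipalName, MethodsRegistered

# Users whose only registered methods are phone-based or SSPR-only (assumption:
# treat these as weak; SMS/voice are exposed to SIM swap). Move them to
# Microsoft Authenticator, Windows Hello for Business or FIDO2 passkeys.
$notStrong = 'mobilePhone','alternateMobilePhone','officePhone','email','securityQuestion'
$details |
    Where-Object {
        $_.IsMfaRegistered -and
        -not @($_.MethodsRegistered | Where-Object { $_ -notin $notStrong }).Count
    } |
    Select-Object UserPrincipalName, MethodsRegistered

# Everyone not registered at all, exported for follow-up (constructed file name).
$details | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin, MethodsRegistered |
    Export-Csv -Path .\mfa-not-registered.csv -NoTypeInformation
```

Run this before switching a "Require MFA for all users" policy from report-only to on: every user in the last export will be forced through registration at their next sign-in, and every admin in the second list is the lockout risk the break-glass accounts exist for.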
Security Defaults vs Conditional Access
Feature | Security Defaults | Conditional Access |
---|---|---|
Target audience | Small organizations, tenants without Entra ID P1 | Medium to large organizations (requires Entra ID P1) |
Customizable | No | Yes |
Granular control | No | Yes |
MFA enforcement | Always on for all users (registration within 14 days, admins always challenged, legacy authentication blocked) | Conditional, per policy |
Easy to manage | Yes | Requires planning |
- Disable Security Defaults before enabling Conditional Access; the two cannot be active at the same time. Have the replacement policies ready to create and turn on immediately afterwards, because between disabling Security Defaults and enabling the first MFA policy the tenant enforces no MFA at all.
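The switch-over from Security Defaults to the "Require MFA for all users" policy described above (both sections), scripted as an added example that is not from the original page. It assumes the Microsoft.Graph module, a Conditional Access Administrator, Microsoft Entra ID P1, and two already-created break-glass accounts with the placeholder names shown.

```powershell
# Added example (not from the original page): move from Security Defaults to a
# Conditional Access MFA policy without leaving the tenant unprotected for longer
# than the script takes, and without locking out the emergency access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

# 1. Current state. Security Defaults and Conditional Access are mutually exclusive.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Break-glass accounts (hypothetical names): cloud-only, excluded from every policy.
$breakGlass = @("breakglass1@yourtenant.onmicrosoft.com", "breakglass2@yourtenant.onmicrosoft.com")
$breakGlassIds = @(foreach ($upn in $breakGlass) { (Get-MgUser -UserId $upn -Property Id).Id })

# 3. The policy from the Conditional Access section, in report-only mode.
$policy = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 4. Order matters. Security Defaults has to be off before CA policies can run, and
#    from this point until the policy is switched to "enabled" nothing enforces MFA.
if ($sd.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($ca.Id) in state $($ca.State)"

# 5. Check every policy in the tenant: are both break-glass accounts excluded?
#    A policy that names them in excludeUsers is safe; anything else needs attention.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    $missing  = @($breakGlassIds | Where-Object { $_ -notin $excluded })
    [pscustomobject]@{
        Policy            = $p.DisplayName
        State             = $p.State
        BreakGlassMissing = $missing.Count
    }
}

# 6. When the report-only results look right:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca.Id -State "enabled"
```

Keep the report-only window short and watch the break-glass accounts' sign-in logs separately: they are excluded from MFA by design, so any sign-in by them outside a drill is an incident.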