Difference between revisions of "📘 Core Management"

From Notes_Wiki
(Created page with "= 📘 Core Management = == 🔹 How to create users in Microsoft Entra ID (Azure AD) == === Steps to Create a Cloud-Only User === # Go to: [https://entra.microsoft.com](https://entra.microsoft.com) # Navigate to '''Users > All users''' # Click '''+ New user''' # Choose '''Create user''' # Fill in: * User name (e.g., john.doe@yourtenant.onmicrosoft.com) * Name * Password (auto-generated or custom) # Assign roles (optional) # Click '''Create''' == 🔹 How to crea...")
Β 
Β 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
= πŸ“˜ Core Management =
= Core Management =


== πŸ”Ή [[How to create users in Microsoft Entra ID (Azure AD)]] ==
== [[How to create users in Microsoft Entra ID (Azure AD)]] ==
=== Steps to Create a Cloud-Only User ===
=== Steps to Create a Cloud-Only User ===
# Go to: [https://entra.microsoft.com](https://entra.microsoft.com)
# Go to: [https://entra.microsoft.com](https://entra.microsoft.com)
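Review bot: The "Go to:" step kept as context in this hunk mixes MediaWiki and Markdown link syntax, [https://entra.microsoft.com](https://entra.microsoft.com), and the rendered page shows it as "[1](https://entra.microsoft.com)". Since this revision is a cleanup pass over the same section, use a bare URL or the MediaWiki form [https://entra.microsoft.com label] here.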
Line 14: Line 14:
# Click '''Create'''
# Click '''Create'''


== πŸ”Ή [[How to create groups in Microsoft Entra ID]] ==
== [[How to create groups in Microsoft Entra ID]] ==
=== Types of Groups ===
=== Types of Groups ===
* '''Security Group''' – Used to assign permissions to resources
* '''Security Group''' – Used to assign permissions to resources
Line 29: Line 29:
# Click '''Create'''
# Click '''Create'''


== πŸ”Ή [[Assigning Licenses to Users and Groups]] ==
== [[Assigning Licenses to Users and Groups]] ==
=== Steps to Assign Licenses to Individual User ===
=== Steps to Assign Licenses to Individual User ===
# Go to '''Users > Select User'''
# Go to '''Users > Select User'''
Line 43: Line 43:
# Click '''Save'''
# Click '''Save'''


== πŸ”Ή [[Device Registration and Azure AD Join]] ==
== [[Device Registration and Azure AD Join]] ==
* '''Azure AD Registered''' – Personal device, limited access
* '''Azure AD Registered''' – Personal device, limited access
* '''Azure AD Joined''' – Corporate-owned, full identity integration
* '''Azure AD Joined''' – Corporate-owned, full identity integration
Line 53: Line 53:
# Authenticate and the device gets Azure AD joined
# Authenticate and the device gets Azure AD joined


== πŸ”Ή [[How to deploy Intune and enroll devices]] ==
== [[How to deploy Intune and enroll devices]] ==
=== Step-by-Step: Deploy Intune ===
=== Step-by-Step: Deploy Intune ===
# Assign '''Microsoft Intune license''' to users
# Assign '''Microsoft Intune license''' to users
Line 67: Line 67:
# Device gets enrolled and appears in Intune
# Device gets enrolled and appears in Intune


== πŸ”Ή [[Create and deploy compliance policies in Intune]] ==
== [[Create and deploy compliance policies in Intune]] ==
=== What is a Compliance Policy? ===
=== What is a Compliance Policy? ===
Defines rules a device must meet to be considered secure and compliant (e.g., PIN required, encryption, OS version).
Defines rules a device must meet to be considered secure and compliant (e.g., PIN required, encryption, OS version).
Line 82: Line 82:
# Click '''Create'''
# Click '''Create'''


== πŸ”Ή [[How to set up Conditional Access policies]] ==
== [[How to set up Conditional Access policies]] ==
=== Conditional Access Overview ===
=== Conditional Access Overview ===
Policies that enforce access control based on conditions like location, device compliance, or user risk.
Policies that enforce access control based on conditions like location, device compliance, or user risk.
Line 97: Line 97:
# Enable the policy
# Enable the policy


== πŸ”Ή [[Enable and Configure Multi-Factor Authentication (MFA)]] ==
== [[Enable and Configure Multi-Factor Authentication (MFA)]] ==
=== Basic MFA (Per-user) ===
=== Basic MFA (Per-user) ===
# Go to: https://entra.microsoft.com
# Go to: https://entra.microsoft.com
Line 109: Line 109:
# Require MFA under defined conditions
# Require MFA under defined conditions


== πŸ”Ή [[Security Defaults vs Conditional Access]] ==
== [[Security Defaults vs Conditional Access]] ==
{| class="wikitable"
{| class="wikitable"
! Feature !! Security Defaults !! Conditional Access
! Feature !! Security Defaults !! Conditional Access
Line 115: Line 115:
| Target Audience || Small organizations || Medium to large organizations
| Target Audience || Small organizations || Medium to large organizations
|-
|-
| Customizable || ❌ || βœ…
| Customizable || No || Yes
|-
|-
| Granular control || ❌ || βœ…
| Granular control || No || Yes
|-
|-
| MFA enforcement || Always on || Conditional
| MFA enforcement || Always on || Conditional
|-
|-
| Easy to manage || βœ… || Requires planning
| Easy to manage || Yes || Requires planning
|}
|}


* Disable Security Defaults before enabling Conditional Access
* Disable Security Defaults before enabling Conditional Access
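Review bot: In the "Easy to manage" row the Conditional Access cell is still free text ("Requires planning") while the Customizable and Granular control rows now use plain No/Yes, so the column no longer reads uniformly. Consider a matching value with the qualifier in parentheses, or leave the row out of the Yes/No conversion entirely so both of its cells stay descriptive.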

Latest revision as of 12:56, 29 August 2025

Core Management

How to create users in Microsoft Entra ID (Azure AD)

Steps to Create a Cloud-Only User

  1. Go to: https://entra.microsoft.com
  2. Navigate to Users > All users
  3. Click + New user
  4. Choose Create user
  5. Fill in:
     • User name (e.g., john.doe@yourtenant.onmicrosoft.com)
     • Name
     • Password (auto-generated or custom)
  6. Assign roles (optional)
  7. Click Create

How to create groups in Microsoft Entra ID

Types of Groups

  • Security Group – Used to assign permissions to resources
  • Microsoft 365 Group – Used for collaboration (Teams, Outlook)

Steps to Create

  1. Go to: Groups > All groups
  2. Click + New group
  3. Choose group type: Security or Microsoft 365
  4. Set name and description
  5. Choose Membership type:
     • Assigned – Manually added users
     • Dynamic – Based on rules
  6. Click Create

Assigning Licenses to Users and Groups

Steps to Assign Licenses to Individual User

  1. Go to Users > Select User
  2. Click Licenses > + Assignments
  3. Choose product (e.g., Microsoft 365 E5, EMS E3)
  4. Select service plan components (optional)
  5. Click Assign

Assigning to Groups (Recommended for Bulk)

  1. Create a group (or select existing one)
  2. Navigate to: Licenses > + Assignments
  3. Select the product
  4. Click Save

Device Registration and Azure AD Join

  • Azure AD Registered – Personal device, limited access
  • Azure AD Joined – Corporate-owned, full identity integration
  • Hybrid Azure AD Join – On-prem AD + Azure AD sync

How to Azure AD Join Windows 11

  1. During OOBE (Out of Box Experience), choose Set up for work or school
  2. Enter user’s Entra ID email (e.g., john@domain.com)
  3. Authenticate and the device gets Azure AD joined

How to deploy Intune and enroll devices

Step-by-Step: Deploy Intune

  1. Assign Microsoft Intune license to users
  2. Go to: Microsoft Endpoint Manager Admin Center → https://intune.microsoft.com
  3. Navigate to Devices > Enroll devices > Automatic enrollment
  4. Set MDM user scope to All (or selected group)
  5. Save settings

Device Enrollment Steps

  1. Open Settings > Accounts > Access work or school
  2. Click + Connect
  3. Enter organization email and authenticate
  4. Device gets enrolled and appears in Intune

Create and deploy compliance policies in Intune

What is a Compliance Policy?

Defines rules a device must meet to be considered secure and compliant (e.g., PIN required, encryption, OS version).

Steps to Create

  1. Go to Intune portal > Devices > Compliance policies
  2. Click + Create policy
  3. Choose platform (e.g., Windows 10/11)
  4. Define settings:
     • Password requirements
     • Encryption
     • Device Health
  5. Assign policy to a group
  6. Click Create

How to set up Conditional Access policies

Conditional Access Overview

Policies that enforce access control based on conditions like location, device compliance, or user risk.

Example: Require MFA for all users

  1. Go to Entra ID > Protection > Conditional Access
  2. Click + New Policy
  3. Name: "Require MFA for all users"
  4. Assignments:
     • Users: All users
     • Cloud apps: All cloud apps
  5. Conditions (optional): e.g., Sign-in risk, Device platform
  6. Access controls: Grant access, Require MFA
  7. Enable the policy
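
A check for the policy built in the steps above, as an added example that is not part of the original wiki page: it audits policies exported as JSON in the shape Microsoft Graph uses for Conditional Access and reports anything that keeps "Require MFA for all users" from being enforced tenant-wide. The sample policies and placeholder IDs are constructed, and the function names are illustrative.

```python
# Constructed sample in the shape Microsoft Graph returns for
# /identity/conditionalAccess/policies; ID-like values are placeholders.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-object-id>"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA for one app",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["<app-id-placeholder>"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]

def audit_policy(policy):
    """Return a list of findings; an empty list means MFA is enforced tenant-wide."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: not enforced")
    if "All" not in (users.get("includeUsers") or []):
        findings.append("does not target all users")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("does not target all cloud apps")
    if "mfa" not in controls:
        findings.append("MFA is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("operator OR lets another control satisfy the policy without MFA")
    for key, scope in (("excludeUsers", users), ("excludeGroups", users), ("excludeApplications", apps)):
        if scope.get(key):
            findings.append(f"{key} has {len(scope[key])} entry(ies): review each exclusion")
    return findings

def audit_all(policies):
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}
```

An empty findings list means the policy is enabled, targets all users and all cloud apps, requires MFA, and has no exclusions left to review.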

Enable and Configure Multi-Factor Authentication (MFA)

Basic MFA (Per-user)

  1. Go to: https://entra.microsoft.com
  2. Users > Multi-Factor Authentication
  3. Select users → Enable MFA
  4. Users will be prompted to set up MFA on next sign-in

Conditional MFA (Recommended)

  1. Use Conditional Access policy
  2. Apply to specific apps or users
  3. Require MFA under defined conditions

Security Defaults vs Conditional Access

{| class="wikitable"
! Feature !! Security Defaults !! Conditional Access
|-
| Target Audience || Small organizations || Medium to large organizations
|-
| Customizable || No || Yes
|-
| Granular control || No || Yes
|-
| MFA enforcement || Always on || Conditional
|-
| Easy to manage || Yes || Requires planning
|}

  • Disable Security Defaults before enabling Conditional Access