Archives: Portfolio

  • EntraID/Azure AD: Enable users to unlock their account


    Create a user to test the process, AZ500User1, and a group, AZ500Group1, and add the user to the group. When SSPR is scoped to Selected (Task 3), only members of the chosen group can reset a password or unlock an account, so a test user outside the group will simply be refused.

    Task 3: Enable self-service password reset (SSPR)

    1. Sign in to the Azure portal with your login credentials.

    2. Search for and select Azure Active Directory.

    3. From the menu on the left side, select Password reset.

    4. On the Properties page, under Self service password reset enabled, choose Selected. Selected limits SSPR to members of the groups you pick; All enables it for every user in the tenant, and None disables it.

    5. If your group is not visible, choose No groups selected.

    6. Browse for and select your Azure AD group, such as AZ500Group1, and then choose Select.

    7. Select Save to enable SSPR for that group.

    Task 4: Set up authentication methods and registration options

    1. Under Password reset, select Authentication methods and set Number of methods required to reset to 2.

    Requiring two methods raises the bar: an attacker who controls a single channel (a compromised mailbox, a SIM-swapped phone number) still cannot complete a reset on their own.

    2. Choose the Methods available to users that your organization wants to allow. For this task, check the boxes to enable the following methods:

    a. Mobile app notification

    b. Mobile app code

    c. Email

    d. Mobile phone (SMS only)

    If you do not see all of these methods, they are disabled at the tenant level. Go to the tenant's Authentication methods policy (Azure Active Directory > Security > Authentication methods) and enable them there first; a method that is disabled in that policy never appears on the Password reset page.

    You can enable other authentication methods, such as Office phone or Security questions, as your business requires. Security questions are the weakest option and are accepted only for SSPR, never for multifactor authentication.

    3. To apply the Authentication methods, select Save.

    Note: Before users can unlock their accounts or reset a password, they must register their contact information. Azure AD uses this contact information for the different Authentication methods set up in the previous steps.

    4. Under Password reset, select Registration and set Require users to register when signing in? to Yes.

    5. Set Number of days before users are asked to re-confirm their authentication information to 180.

    Keeping contact information current matters: if the details on file are stale when an SSPR event starts, the user may be unable to unlock their account or reset their password.

    6. To apply the registration settings, select Save.

    Task 5: Set up notifications and customizations

    1. Under Password reset, select Notifications and configure the following options on the Notifications page:

    a. Set Notify users on password resets? option to Yes.

    b. Set Notify all admins when other admins reset their password? to Yes.

    2. To apply the Notifications preferences, select Save.

    3. From the menu on the left side, select Customization and set Customize helpdesk link to Yes.

    4. In the Custom helpdesk email or URL field, provide an email address or web page URL where your users can get more help from your organization. For example, https://support.contoso.com/

    5. To apply the custom link, select Save.

    Task 6: Test SSPR process

    1. To see the manual registration process, open a new browser window in InPrivate or incognito mode, and browse to https://aka.ms/ssprsetup

    2. Sign in with the username and password of a non-administrator test user, such as AZ500User2.

    3. After updating your password, a screen explains that you will go through a two-step setup (app and phone) to keep your account secure. Select Next.

    4. Choose Phone as a method you would like to use and select Confirm.

    5. Enter your phone number, select Text me a code, and then select Next.

    6. Enter the code that was texted to you and select Next.

    7. Scan the QR code by opening the Microsoft Authenticator app on your phone and then select Next.

    8. After it is approved, select Next.

    9. Your security information is set up, so select Done.

    10. Open a new browser window in InPrivate or incognito mode and browse to https://aka.ms/sspr

    11. Enter the account information of the non-administrator test user from step 2 (AZ500User2), fill in the characters from the CAPTCHA, and select Next.

    12. Select Text my mobile phone from the options on the left. Enter your mobile number and select Text.

    13. Fill in the code sent to your mobile number and select Next.

    14. Now enter the code shown in the Microsoft Authenticator app on your phone and select Next.

    15. Enter your new password, confirm it by entering the same password, and then select Finish.

    16. Your password has been reset.
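    The three things that silently break the flow above are a method disabled in the tenant's Authentication methods policy (the "Auth Methods" note in Task 4), a test user who is not in the group SSPR is scoped to, and a user who has registered fewer methods than Number of methods required to reset. The script below checks all three with the Microsoft Graph PowerShell SDK. It is an added example, not part of the original lab; the domain, user and group names are assumptions and the Microsoft.Graph module must already be installed.

```powershell
# Added example (not from the original lab): pre-flight checks for SSPR with the
# Microsoft Graph PowerShell SDK. Domain, user and group names are assumptions.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser

$Domain    = 'contoso.onmicrosoft.com'   # assumption: your tenant's domain
$TestUpn   = "AZ500User1@$Domain"        # the lab's test user
$SsprGroup = 'AZ500Group1'               # group chosen under Password reset > Properties

Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'Group.Read.All', `
    'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Tenant-level authentication methods policy. A method whose State is
#    'disabled' here never shows up under Password reset > Authentication methods.
Write-Host 'Tenant authentication methods policy:'
(Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
    Select-Object Id, State | Format-Table -AutoSize

# 2. Is the test user a member of the group SSPR is scoped to?
#    With "Selected", only members of that group are offered SSPR at all.
$user   = Get-MgUser -UserId $TestUpn
$groups = Get-MgUserMemberOf -UserId $user.Id |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
if ($groups -contains $SsprGroup) {
    Write-Host "$TestUpn is a member of $SsprGroup (in SSPR scope)"
} else {
    Write-Warning "$TestUpn is NOT a member of $SsprGroup; SSPR will not be offered"
}

# 3. What has the user actually registered? The password method is always
#    present and does not count toward "Number of methods required to reset".
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
Write-Host "Registered methods for ${TestUpn}:"
$methods | ForEach-Object { Write-Host "  $_" }

$usable = @($methods | Where-Object { $_ -ne 'passwordAuthenticationMethod' })
if ($usable.Count -lt 2) {
    Write-Warning "Only $($usable.Count) non-password method(s) registered; a reset needs 2"
}
```

    Run it before Task 6 (expect the membership check to pass and the registration warning to fire) and again after step 9, when the warning should disappear because phone and Authenticator are both registered.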

    Task 7: Cleaning up the resources

    When you finish a lab, check whether you still need the resources you created; running resources cost money. You can delete resources individually or delete the whole resource group that contains them. This task goes further and deletes the lab tenant itself, so only do it for a tenant you created for the lab, never for the default directory that is linked to your subscription.

    1. In the Azure portal, search for and select Azure Active Directory.

    2. Select Manage tenants.

    3. Select the Azure Active Directory tenant you want to delete and select Delete.

    4. The Delete tenant screen loads. If other resources, such as users or applications, are present, you must delete them before the tenant can be deleted.

    For instance, if you created users in the directory, select the Delete all users link.

    5. The Users blade loads. Select the users you want to delete and select Delete.

    Note: Do not select the user who created the Azure Active Directory tenant.

    6. The selected users are deleted; the owner of the tenant remains and is displayed.

    7. Under Microsoft Azure Subscriptions, select Get permission to delete Azure resources.

    8. You are taken to the Azure Active Directory Properties page.

    9. You must be a Global Administrator to delete a tenant. Under Access management for Azure resources, set the toggle to Yes. This grants your account User Access Administrator rights at the root scope of every Azure subscription tied to the tenant, which is what the deletion check needs; it is not a setting to leave switched on in a tenant you intend to keep.

    10. Once all checks on the Delete tenant page pass, delete the tenant and its resources by selecting Delete.

    11. The tenant is deleted.

  • Secure Access with EntraID (Azure AD) Part 1


    Create and manage groups

    Before we get into the more advanced aspects of secure access with Entra ID, you should be comfortable with the basics. If you have prior experience with the on-premises Active Directory Administrative Center (ADAC), this should be quite intuitive.

    Task 1: Create a basic group and add members

    1. Sign in to the Azure portal with your login credentials.

    2. Navigate to the Azure Active Directory.

    3. Under the Manage blade, select Roles and administrators to check your role.

    4. If your role is listed as Global Administrator, you can manage all aspects of Azure AD. For day-to-day group work a narrower role such as Groups Administrator is sufficient and is the least-privilege choice.

    5. Navigate back to your Azure Active Directory. Under the Manage blade, select Groups.

    6. Select New group from the menu to create a new group.

    7. On the New Group page, provide the new group’s information. 

    8. Select the Group type as Microsoft 365. Selecting the Microsoft 365 group type enables the Group email address option.

    9. Provide a Group name. A check will be performed to determine if the name is already in use. If the name is already in use, you will be asked to change the name of your group.

    10. Enter a Group email address, available only for Microsoft 365 group types. Enter an email address manually or use the email address built from the Group name you provided.

    11. Select Assigned as the Membership type.

    12. Add owners to your group by selecting the link under Owners. Choose users from the list on the right-hand side and select the Select button to add them as owners.

    13. Add members to your group by selecting the link under Members. Choose users from the list on the right-hand side and select the Select button to add them as members.

    14. Select the Create button to create the group. 

    Your group is successfully created and ready for you to manage other settings.

    Task 2:  Add and remove members and owners

    1. Under the Manage blade select Groups. Select the group you need to manage.

    2. Select Members and then select + Add members.

    3. Scroll through the list or enter a name in the search box. You can choose multiple names at one time. When you are ready, select the Select button.

    4. Similarly, you can add owners.

    5. The Group Overview page updates to show the number of members who are now added to the group.

    6. To remove a member or an owner, select Members or Owners respectively.

    7. Check the box next to a name from the list and select the Remove button.
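    The same lifecycle as Tasks 1 and 2 (create a Microsoft 365 group with assigned membership, add an owner and members, then remove a member), done with the Microsoft Graph PowerShell SDK. This is an added example rather than code from the original lab; the domain and the user principal names are assumptions, and the users are assumed to exist already. It also shows how the portal's Group type choice maps onto the groupTypes, mailEnabled and securityEnabled attributes that the Graph API actually stores.

```powershell
# Added example (not from the original lab): group lifecycle via Microsoft Graph
# PowerShell. Domain and UPNs are assumptions; the users must already exist.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser

$Domain = 'contoso.onmicrosoft.com'   # assumption
Connect-MgGraph -NoWelcome -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Resolve the future owner and members to directory objects.
$owner   = Get-MgUser -UserId "AZ500User1@$Domain"
$members = @("AZ500User2@$Domain", "AZ500User3@$Domain") |
    ForEach-Object { Get-MgUser -UserId $_ }

# Portal "Group type = Microsoft 365" is groupTypes ["Unified"], mail-enabled and
# not security-enabled. A plain security group would be -SecurityEnabled with
# -MailEnabled:$false and no groupTypes. "Membership type = Assigned" simply
# means there is no membership rule.
$group = New-MgGroup -DisplayName 'AZ500Group1' `
    -Description 'Lab group: AZ-500 secure access' `
    -MailEnabled -MailNickname 'az500group1' `
    -SecurityEnabled:$false `
    -GroupTypes @('Unified')

# Owners and members are navigation properties, so they are added by reference.
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
}
foreach ($m in $members) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $m.Id
}

# Task 3 equivalent: properties can be edited, but the group type cannot change.
Update-MgGroup -GroupId $group.Id -Description 'Lab group: AZ-500 secure access (updated)'

# Check what was created. Members come back as directory objects, so the
# user-specific fields live in AdditionalProperties.
Write-Host "Members of $($group.DisplayName):"
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { '  ' + $_.AdditionalProperties['userPrincipalName'] }

# The Remove button from Task 2: drop one member by reference.
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $members[0].Id
```

    The Object ID that Task 3 says you can copy from the Properties page is exactly the `$group.Id` used here; scripting against the ID rather than the display name avoids acting on a look-alike group with the same name.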

    Task 3: Update group information

    1. Go to Azure Active Directory and select Groups

    2. The Groups | All groups page shows all your active groups.

    3. Scroll through the list or enter a group name in the search box. Select the group you need to manage.

    4. Select Properties from the side.

    5. Update the General settings information as needed, including:

    a. Group name: Edit the existing group name.

    b. Group description: Edit the existing group description.

    c. Group type: You cannot change the type of group after it has been created. To change the Group type, you must delete the group and create a new one.

    d. Membership type: Change the membership type. If you enabled the Azure AD roles can be assigned to the group option, you cannot change the membership type. 

    e. Object ID: You cannot change the Object ID, but you can copy it to use in your PowerShell commands for the group.

    6. Select the Save button present at the top menu to save any changes.

    Task 4: Create a dynamic group

    1. Go to Azure Active Directory and select Groups.

    2. Select New group from the menu to create a new group.

    3. On the New Group page, enter a name and a description for the new group. Select Dynamic User as the Membership type. Make sure the Azure AD roles can be assigned to the group toggle is set to No: a role-assignable group must use assigned membership. Select Add dynamic query under Dynamic user members.

    4. The rule builder supports up to five expressions. To use more than five, edit the Rule syntax text box directly.

    5. After creating the rule, select Save.

    6. Select Create on the New Group page to create the group.

    7. You can view the newly created group with the membership type as Dynamic on the Groups | All groups page.
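    Creating the dynamic group from Task 4 in rule syntax rather than the rule builder, which is the only way past the five-expression limit. This is an added example, not code from the original lab: the attribute values in the rule and the group name are assumptions, and the tenant is assumed to have the Entra ID P1 licence that dynamic membership requires.

```powershell
# Added example (not from the original lab): dynamic group via Microsoft Graph
# PowerShell. Group name and rule attribute values are assumptions; dynamic
# membership needs an Entra ID P1 licence in the tenant.
Connect-MgGraph -NoWelcome -Scopes 'Group.ReadWrite.All'

# Six expressions, so this rule could not be entered through the rule builder.
$rule = @(
    '(user.accountEnabled -eq true)',
    '(user.userType -eq "Member")',
    '(user.department -in ["Security", "IT"])',
    '(user.country -eq "US")',
    '(user.jobTitle -ne "Contractor")',
    '(user.mail -ne null)'
) -join ' and '

# Portal "Membership type = Dynamic User" is groupTypes ["DynamicMembership"]
# plus a membershipRule. Processing state 'On' evaluates the rule; 'Paused'
# keeps the rule but freezes the membership. IsAssignableToRole stays unset
# (false) because a role-assignable group cannot be dynamic.
$group = New-MgGroup -DisplayName 'AZ500DynamicGroup1' `
    -Description 'Lab: dynamic membership by department and country' `
    -MailEnabled:$false -MailNickname 'az500dynamicgroup1' `
    -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Confirm the rule and state were stored as intended.
Get-MgGroup -GroupId $group.Id -Property DisplayName, MembershipRule, MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRuleProcessingState, MembershipRule |
    Format-List

# Membership is computed asynchronously; give the service a moment, then list
# who the rule pulled in.
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

    Because membership follows attributes, whoever can edit `department`, `country` or `jobTitle` on a user effectively controls who lands in this group; if the group grants anything sensitive, treat write access to those attributes as privileged.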

    Task 5: Delete the group

    Note: You must have a Global Administrator, Privileged Authentication Administrator, or User Administrator role assignment to delete groups in your organization.

    1. Go to Azure Active Directory and select Groups.

    2. Search for and select the group you want to delete.

    3. Select Delete.

    4. You can view that the group has been deleted from the list.

    Task 6: Restore deleted group

    1. Select Azure Active Directory, select Groups, and then select Deleted groups.

    2. Review the list of groups that are available to restore.

    3. Search for and select the group you want to restore.

    4. Select Restore group.

    5. You can view that the group has been restored.  

    On the Deleted groups blade, you can:

    1. Restore the deleted group and its contents by selecting Restore group.

    2. Permanently remove the deleted group by selecting Delete permanently; this requires an administrator role. A deleted group that is neither restored nor purged is removed automatically after 30 days.
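    The soft-delete, list, restore and purge steps of Tasks 5 and 6 via the Microsoft Graph PowerShell SDK, as an added example that is not part of the original lab. The group name is an assumption and the group is assumed to exist; the 30-day retention window is Entra ID's, not something the script sets.

```powershell
# Added example (not from the original lab): delete, inspect, restore and purge a
# group via Microsoft Graph PowerShell. Group name is an assumption.
Connect-MgGraph -NoWelcome -Scopes 'Group.ReadWrite.All'

# Find the group by name, then act on its ID from here on.
$group = Get-MgGroup -Filter "displayName eq 'AZ500Group1'"

# Portal "Delete": a soft delete. The object moves to deleted items and is
# recoverable for 30 days.
Remove-MgGroup -GroupId $group.Id

# Portal "Deleted groups" blade: deleted groups are still addressable as
# deleted directory items, with the deletion timestamp attached.
$deleted = Get-MgDirectoryDeletedItemAsGroup -All |
    Where-Object { $_.Id -eq $group.Id }
'{0} deleted at {1}' -f $deleted.DisplayName, $deleted.DeletedDateTime

# Portal "Restore group": owners, members and settings come back with the object,
# under the same ID, so references from other resources keep working.
Restore-MgDirectoryDeletedItem -DirectoryObjectId $group.Id

# Portal "Delete permanently" (administrator role required). Uncomment to purge
# a deleted group before the 30 days run out; there is no recovery after this.
# Remove-MgDirectoryDeletedItem -DirectoryObjectId $group.Id
```

    When auditing a tenant, the deleted-items list is worth a look on its own: a group deleted and quietly restored keeps its original ID, so an access review that only checks current membership will not show the interruption.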

    Optional task: Clean up resources

    Note: Delete a directory only if you created it. Do not delete the Azure Active Directory that appears by default when you sign in to the Azure portal; it is linked to your subscription.

    1. In the Azure portal, search for and select Azure Active Directory.

    2. Select Manage tenants.

    3. Select the Azure Active Directory tenant you want to delete, and then select Delete.

    4. The Delete tenant screen loads. If other resources, such as users or applications, are present, you must delete them before the tenant can be deleted.

    For instance, if you created users in the directory, select the Delete all users link.

    5. The Users blade loads. Select the users you want to delete and select Delete.

    Note: Do not select the user who created the Azure Active Directory tenant.

    6. The selected users are deleted, and the owner of the tenant is displayed.

    7. Navigate back to the Delete tenant screen. Under Microsoft Azure Subscriptions, select Get permission to delete Azure resources.

    8. You are taken to the Azure Active Directory Properties page.

    9. You must be a Global Administrator to delete a tenant. Under Access management for Azure resources, set the toggle to Yes. This elevates your account to User Access Administrator at the root scope of every Azure subscription tied to the tenant; the deletion check needs it, but it is not a setting to leave on in a tenant you keep.

    10. Once all checks on the Delete tenant page pass, delete the tenant and the resources within it by selecting Delete.

    11. The tenant is deleted.