Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1.1. Create Users and Groups

💡 First Principle: Centralizing identity management in Microsoft Entra ID (formerly Azure Active Directory) simplifies access control and enhances security by providing a unified platform for creating and managing user and group identities.

Scenario: You need to onboard 20 new employees and grant them access to various Azure resources. You also need to grant temporary access to a partner company for a specific project.

What It Is:
  • Microsoft Entra ID (formerly Azure Active Directory): Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources.
  • Users: Individual identities within Entra ID, representing people or applications that need access.
  • Groups: Collections of users or other groups, used to simplify permission management by assigning roles to the group rather than individual users.

Creating Users: To add a user, specify:

  • User Principal Name (UPN): Unique sign-in (e.g., user@domain.com).
  • Display Name: Name shown in the directory.
  • Password Options: Set an initial password; require reset at first sign-in for security.
User Types:
  • Member Users: Internal staff. A member receives the tenant's default member permissions (for example, reading most directory data) and gains access to resources through role and group assignments.
  • Guest Users: External collaborators (partners, vendors) invited by email through B2B collaboration. Guests receive the more restricted default guest permissions and can be removed when the engagement ends.
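The onboarding half of the scenario above, as an added example that is not part of the course material: a bash script that creates member users in bulk from a constructed roster with a random initial password and a forced change at first sign-in, then invites one guest through the Microsoft Graph invitations API via az rest. The tenant domain, the names in the roster and the guest address are assumed placeholders, and the script assumes an existing az login with a role that can create users. By default it only prints the az commands (DRY_RUN=1) with the password masked, so it can be run anywhere to see what would happen.

```shell
#!/usr/bin/env bash
# Bulk onboarding of member users plus one guest invitation with Azure CLI.
# This is an added example for this page, not MindMesh Academy's own code.
# ASSUMPTIONS: the tenant domain, the names in ROSTER and the guest address
# are constructed placeholders, and 'az login' has already been run with a
# role that can create users (e.g. User Administrator).
# DRY_RUN=1 (the default) only prints the commands, so the script is safe
# to run anywhere; DRY_RUN=0 executes them against the signed-in tenant.
set -eu

TENANT_DOMAIN="${TENANT_DOMAIN:-yourtenant.onmicrosoft.com}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it in dry-run mode with the value that follows
# --password masked, so an initial password never lands in a log.
run() {
  if [ "$DRY_RUN" != "1" ]; then "$@"; return; fi
  printf 'DRY-RUN:'
  prev=""
  for arg in "$@"; do
    if [ "$prev" = "--password" ]; then printf ' ***'; else printf ' %s' "$arg"; fi
    prev="$arg"
  done
  printf '\n'
}

# Derive a lowercase first.last UPN; spaces are dropped so "Mary Ann"
# becomes maryann. The UPN must be unique in the tenant.
upn_for() {  # upn_for "First" "Last" -> first.last@TENANT_DOMAIN
  printf '%s.%s@%s\n' "$1" "$2" "$TENANT_DOMAIN" | tr 'A-Z' 'a-z' | tr -d ' '
}

# 20 random alphanumerics from /dev/urandom. A shared or guessable initial
# password (P@ssw0rd...) is the classic onboarding foothold.
new_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20
  printf '\n'
}

# Create one member user and force a password change at first sign-in.
create_member() {  # create_member "First" "Last"
  upn=$(upn_for "$1" "$2")
  pw=$(new_password)
  run az ad user create \
    --display-name "$1 $2" \
    --user-principal-name "$upn" \
    --password "$pw" \
    --force-change-password-next-sign-in true
  # Hand the initial password over out of band (not by e-mail or ticket).
}

# Guests are invited, not created: POST /invitations sends the redemption
# mail and creates a directory object with userType = Guest.
invite_guest() {  # invite_guest "partner@example.com" "Project name"
  body=$(printf '{"invitedUserEmailAddress":"%s","inviteRedirectUrl":"https://myapps.microsoft.com","sendInvitationMessage":true,"invitedUserMessageInfo":{"customizedMessageBody":"Access for %s"}}' "$1" "$2")
  run az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/invitations" \
    --headers "Content-Type=application/json" \
    --body "$body"
}

# Constructed sample roster (first,last); a real run reads the HR export.
ROSTER='John,Doe
Mary Ann,Lee
Priya,Raman'

printf '%s\n' "$ROSTER" | while IFS=, read -r first last; do
  create_member "$first" "$last"
done

invite_guest "alice@partner.example" "Project Phoenix"
```

Run it as-is to review the commands, then `DRY_RUN=0 ./onboard.sh` against the tenant. The guest path is deliberately separate from the member path: the partner never gets a password in your tenant, only an invitation that creates a Guest object, which is the account type the Common Pitfall below asks for.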

Creating Groups: Groups allow you to manage permissions for multiple users efficiently. When creating a group, define:

  • Group Type:
    • Security: Used to grant access to resources, for example by assigning an Azure role or an application to the group.
    • Microsoft 365: Adds collaboration resources (shared mailbox, calendar, SharePoint site) for the membership.
  • Membership Type:
    • Assigned: Admins manually add/remove members.
    • Dynamic User/Device: Membership is computed from an attribute query (e.g., user.department -eq "Engineering"); members are added and removed automatically as attributes change.
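The group half of the scenario, as an added example that is not part of the course material: a bash script that creates an assigned security group for the partner project, adds a guest to it and grants Reader on one resource group to the group rather than to the user, then creates a dynamic security group for the new hires with a membership rule built from the department attribute. The subscription id, resource group, department value and the two object ids are assumed placeholders, and the script assumes an existing az login with rights to create groups and role assignments. Because `az ad group create` has no membership-rule parameter, the dynamic group is created through Microsoft Graph with `az rest`. By default it only prints the commands (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Assigned and dynamic security groups, and a role granted to the group
# instead of to each user. This is an added example for this page, not
# MindMesh Academy's own code. ASSUMPTIONS: the subscription id, resource
# group, department value and the two object ids are constructed
# placeholders, and 'az login' has been run with a role that can create
# groups and role assignments. DRY_RUN=1 (the default) only prints commands.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"

# Run a command, or print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Dynamic membership rule for an internal-staff group. The userType clause
# keeps a guest whose department attribute happens to match from being
# pulled in automatically; dynamic rules grant access with no admin review.
membership_rule() {  # membership_rule "Engineering"
  printf '(user.department -eq "%s") and (user.userType -eq "Member")\n' "$1"
}

# Escape double quotes so the rule can be embedded in a JSON body.
json_escape() {
  printf '%s' "$1" | sed 's/"/\\"/g'
}

# Assigned security group: membership is edited explicitly by admins.
create_assigned_group() {  # create_assigned_group "Display name" mail-nickname
  run az ad group create --display-name "$1" --mail-nickname "$2"
}

# Dynamic security group: 'az ad group create' cannot set a membership
# rule, so the group is created through Microsoft Graph with az rest.
create_dynamic_group() {  # create_dynamic_group "Display name" mail-nickname "Department"
  rule=$(json_escape "$(membership_rule "$3")")
  body=$(printf '{"displayName":"%s","mailNickname":"%s","mailEnabled":false,"securityEnabled":true,"groupTypes":["DynamicMembership"],"membershipRule":"%s","membershipRuleProcessingState":"On"}' "$1" "$2" "$rule")
  run az rest --method POST --url "https://graph.microsoft.com/v1.0/groups" --body "$body"
}

# Grant the role once, to the group. Members inherit it, and removing a
# leaver from the group removes the access without touching the role.
assign_role_to_group() {  # assign_role_to_group <group object id> "Role" <scope>
  run az role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type Group \
    --role "$2" \
    --scope "$3"
}

# Placeholder object ids; a real run captures them from the create calls,
# e.g. az ad group create ... --query id -o tsv.
PARTNER_GROUP_ID="11111111-1111-1111-1111-111111111111"
GUEST_USER_ID="22222222-2222-2222-2222-222222222222"

# Assigned group for the partner project, with an explicit guest member
# and Reader scoped to that project's resource group only.
create_assigned_group "Project Phoenix Partners" phoenix-partners
run az ad group member add --group "$PARTNER_GROUP_ID" --member-id "$GUEST_USER_ID"
assign_role_to_group "$PARTNER_GROUP_ID" Reader \
  "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-phoenix"

# Dynamic group that follows the HR department attribute for the new hires.
create_dynamic_group "Engineering Staff" eng-staff "Engineering"
```

The scope on the role assignment is the point to check in review: the partner group gets Reader on rg-phoenix, not on the subscription, so the temporary access in the scenario is bounded by both the group membership and the scope. When the project ends, deleting the assigned group removes the access for every partner at once.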
Practical Implementation: Creating a User with Azure CLI
# Create a new member user in Entra ID and force a password reset at first sign-in
az ad user create --display-name "John Doe" --user-principal-name "john.doe@yourtenant.onmicrosoft.com" --password "P@ssw0rd12345" --force-change-password-next-sign-in true
The password shown is a placeholder: generate a unique one per user (or use the portal's auto-generate option), and keep in mind that a password typed on the command line is written to the shell history.
Visual: Entra ID Users and Groups for Access Control

āš ļø Common Pitfall: Using Member user accounts for external collaborators. This grants them a higher level of default permissions than necessary. Always use Guest accounts for external users to enforce least privilege.

Key Trade-Offs:
  • Manual (Assigned) vs. Automated (Dynamic) Group Membership: Assigned groups offer direct control but require manual effort for every joiner and leaver. Dynamic groups automate membership based on attributes (like department), reducing administrative overhead, but they require a Microsoft Entra ID P1 license and careful query design: anyone whose attributes match the rule is granted the group's access automatically, so the attributes the rule depends on must be trustworthy and not user-editable.

Reflection Question: How does centralizing user and group management in Entra ID fundamentally reduce administrative effort and strengthen security by enforcing consistent access policies compared to managing individual permissions?

Written by Alvin Varughese, Founder, 15 professional certifications