Microsoft AZ-104 Certification Exams - Identity: Azure Active Directory

Month: May 2024

Azure AD: Licensing – Identity: Azure Active Directory

You have seen that Azure AD offers many more add-on features than legacy identity and access management solutions. These features come at a price, and not every organization needs all of them, so licenses are tiered by the number of premium features they include. There are four editions of Azure Active Directory.

Azure Active Directory Free
As the name implies, this is the free version of Azure Active Directory and offers minimal features such as user management, group management, Azure AD Connect for syncing on-premises identities, basic reporting, SSO, SSPR, etc. If you have not purchased any Azure AD license, this is going to be your default edition.

Azure Active Directory Microsoft 365 Apps
If you have O365, this edition of Azure AD is automatically provisioned for you. Besides the features offered by Azure AD Free, this edition offers additional functionality such as IAM for Microsoft 365 Apps, branding, MFA, etc.

Azure Active Directory Premium P1
Azure AD Premium P1 offers all the capabilities of Azure AD Free plus additional premium features that can increase the overall security of your environment. Dynamic groups, self-service group management, Microsoft Identity Manager, and password writeback are some of the additional features offered by Azure AD Premium P1.

Azure Active Directory Premium P2
This is the top edition of Azure AD and offers all features in the P1 and Azure AD Free editions; additionally, Identity Protection and Identity Governance are offered.

Table 1.1 provides a quick comparison of all editions of Azure AD and the features offered by each edition.

TABLE 1.1 Comparison of Azure AD Editions

Feature                                               | Free      | Microsoft 365 Apps | Premium P1 | Premium P2
------------------------------------------------------|-----------|--------------------|------------|-----------
Directory objects                                     | 500,000   | Unlimited          | Unlimited  | Unlimited
Single sign-on                                        | Unlimited | Unlimited          | Unlimited  | Unlimited
Core identity and access management                   | ✓         | ✓                  | ✓          | ✓
Business-to-business collaboration                    | ✓         | ✓                  | ✓          | ✓
Identity and access management for Microsoft 365 apps |           | ✓                  | ✓          | ✓
Hybrid identities (password writeback)                |           |                    | ✓          | ✓
Advanced group access management                      |           |                    | ✓          | ✓
Conditional access                                    |           |                    | ✓          | ✓
Identity protection                                   |           |                    |            | ✓
Identity governance                                   |           |                    |            | ✓

The pricing of Azure AD licensing can be reviewed on the Azure AD pricing page: https://azure.microsoft.com/en-us/pricing/details/active-directory

In addition to these editions, if you already have an Office 365 E3/E5 license, you can use the premium features of Azure AD without paying for these licenses separately: P1 is included in E3, and P2 is included in E5.
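Premium controls such as Conditional Access or Identity Protection silently stop being enforceable when the tenant's P1/P2 licensing lapses, so it is worth checking the edition the tenant actually holds rather than assuming it. The script below is an added example, not code from the book: it classifies the tenant from the service plans in its subscribed SKUs and maps the premium features of Table 1.1 to the edition they need. It assumes `az login` has been run by an account allowed to read `subscribedSkus` from Microsoft Graph, and that `AAD_PREMIUM` and `AAD_PREMIUM_P2` are the service plan names through which P1 and P2 (and bundles that include them) appear in that response; the sample plan list is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example, not from the book: decide which Azure AD edition a tenant effectively
# holds, and whether a given premium feature is covered, before building a control on it.
# Assumptions: `az login` done by an account that can read subscribedSkus in Microsoft
# Graph; AAD_PREMIUM / AAD_PREMIUM_P2 are the service plan names that P1 / P2 expose.

# Rank editions so they can be compared. The Microsoft 365 Apps edition ranks with
# Free here because it adds none of the P1/P2 features from Table 1.1.
edition_rank() {
  case $1 in
    "Premium P2") echo 3 ;;
    "Premium P1") echo 2 ;;
    *) echo 1 ;;
  esac
}

# Pure classification over a newline-separated list of service plan names.
edition_from_plans() {
  if printf '%s\n' "$1" | grep -qx 'AAD_PREMIUM_P2'; then
    echo "Premium P2"
  elif printf '%s\n' "$1" | grep -qx 'AAD_PREMIUM'; then
    echo "Premium P1"
  else
    echo "Free / Microsoft 365 Apps"
  fi
}

# Minimum edition each premium feature from Table 1.1 requires.
required_edition() {
  case $1 in
    conditional-access|password-writeback|dynamic-groups) echo "Premium P1" ;;
    identity-protection|identity-governance) echo "Premium P2" ;;
    *) echo "Free / Microsoft 365 Apps" ;;
  esac
}

# Returns 0 when the tenant edition ($1) covers the feature ($2), 1 otherwise.
feature_licensed() {
  [ "$(edition_rank "$1")" -ge "$(edition_rank "$(required_edition "$2")")" ]
}

# Live query. Only SKUs whose capabilityStatus is Enabled count: a suspended or
# expired P2 SKU is still listed but no longer licenses anything.
tenant_edition() {
  plans=$(az rest --method get \
    --url 'https://graph.microsoft.com/v1.0/subscribedSkus' \
    --query "value[?capabilityStatus=='Enabled'].servicePlans[].servicePlanName" \
    --output tsv)
  edition_from_plans "$plans"
}

# Constructed sample of what the tsv query returns for a tenant holding P1 only.
SAMPLE_PLANS='EXCHANGE_S_ENTERPRISE
AAD_PREMIUM
MFA_PREMIUM'

# Usage: sh entra-edition.sh conditional-access   (queries the signed-in tenant)
if [ $# -gt 0 ]; then
  edition=$(tenant_edition)
  if feature_licensed "$edition" "$1"; then
    echo "$1: covered by $edition"
  else
    echo "$1: NOT covered; tenant is $edition, feature needs $(required_edition "$1")"
  fi
fi
```

The classification is deliberately separated from the Graph call so the policy can be unit-tested offline; against the constructed sample it reports Premium P1, which covers Conditional Access but not Identity Protection.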

Now that you have a basic understanding of the editions of Azure AD and how they differ from a traditional Active Directory deployment, let's talk briefly about custom domains in Azure AD.

Resource Groups – Compliance and Cloud Governance

A resource group is a container used for the logical organization of resources in Azure. These resources may be part of the same solution or based on any grouping that you prefer. Some organizations prefer to keep all services that are part of a solution in a single resource group. For example, say you are hosting a payroll application that has a virtual machine, SQL database, and storage. You can group these resources so that you can manage the lifecycle of them together. Some organizations prefer to keep resources of the same type together, for example, all virtual machines in a single resource group or all databases in a single resource group. This strategy would help them to manage the access to all virtual machines or databases easily.

Resource groups make it easy to deploy, delete, or update resources in bulk. Instead of performing operations on these resources one by one, you could directly perform the action on the resource group, and all resources that are part of the resource group are updated with the action. Assume you have 135 services deployed to your subscription and now your management is asking you to delete these 135 services. You could select all services from the portal or write a script in PS/CLI to delete the resources. Another easier workaround is to delete the resource group so that all the resources are deleted. This is not an action that is recommended in a production environment, as this delete action cannot be reversed, and the deleted services cannot be recovered. It’s recommended that you are cautious and vigilant before deleting a resource group.

A resource group contains the metadata about the resources that are part of the resource group. Resources from different regions can be part of the same resource group; however, the metadata about these resources is stored in the region of the resource group. For example, suppose your resource group is located in East US and a couple of VMs in West US belong to it. If East US is facing an outage and you try to make changes to those VMs, the metadata cannot be updated, even though the VMs themselves are in West US, because the resource group's region (East US) is unavailable.

Now we will see how you can manage (create, list, open, and delete) a resource group from the Azure portal; see Exercise 2.1, Exercise 2.2, and Exercise 2.3.

EXERCISE 2.1
Creating a Resource Group from the Azure Portal

1. Sign in to the Azure portal.

2. Select Resource Groups and click Create.

3. Input the following values:

   • Subscription: Select your subscription.
   • Resource Group: Enter a name for the new resource group.
   • Region: Select the region for the resource group, such as East US, India Central, UK South, etc.

4. Clicking Review + Create will take you to the validation phase.

5. Once the validation is done, you will see the Create button. Click Create, and your resource group will be created.
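The same create-and-delete lifecycle can be scripted with the Azure CLI, and scripting is where the irreversible "delete the resource group" action deserves guardrails. The script below is an added example, not code from the book or from Microsoft: it creates a group with an owner tag and a CanNotDelete lock, and deletes a group only after checking for locks, a protection tag, and an explicit confirmation when the group is not empty. It assumes `az login` has been run; the tag name `protect` and the lock name `no-delete` are conventions chosen for this example, and the name check covers the ASCII subset of Azure's documented resource group naming rules.

```shell
#!/bin/sh
# Added example, not from the book: create a resource group behind a CanNotDelete lock,
# and delete one only after policy checks pass, using the Azure CLI.
# Assumptions: `az login` has been run; the "protect" tag and the "no-delete" lock name
# are conventions chosen for this example, not Azure defaults.

# Resource group name rules, checked on the ASCII subset:
# 1-90 characters of letters, digits, '_', '(', ')', '-', '.', and no trailing period.
validate_rg_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_().-]{1,90}$' || return 1
  case $1 in
    *.) return 1 ;;
  esac
  return 0
}

# Pure policy check, kept free of CLI calls so it can be tested offline.
# $1 group name, $2 number of locks, $3 value of the "protect" tag ("" if unset),
# $4 number of resources still inside, $5 the name the operator typed to confirm.
# Returns 0 when deletion may proceed.
delete_decision() {
  name=$1; lock_count=$2; protect_tag=$3; resource_count=$4; typed=$5
  if [ "$lock_count" -gt 0 ]; then
    echo "refusing: $lock_count lock(s) on $name; remove them deliberately first" >&2
    return 1
  fi
  if [ "$protect_tag" = "true" ]; then
    echo "refusing: $name carries protect=true" >&2
    return 1
  fi
  # Deleting a group destroys everything in it and cannot be undone, so a
  # non-empty group requires the operator to retype its exact name.
  if [ "$resource_count" -gt 0 ] && [ "$typed" != "$name" ]; then
    echo "refusing: $name still holds $resource_count resource(s); retype the name to confirm" >&2
    return 1
  fi
  return 0
}

# Create the group tagged with an owner and protected by a lock.
create_rg() {
  rg=$1; location=$2; owner=$3
  validate_rg_name "$rg" || { echo "invalid resource group name: $rg" >&2; return 1; }
  az group create --name "$rg" --location "$location" \
    --tags "owner=$owner" "protect=true" --output none
  # The lock turns an accidental delete into an explicit two-step operation.
  az lock create --name no-delete --lock-type CanNotDelete --resource-group "$rg" \
    --notes "Remove this lock deliberately before deleting $rg" --output none
}

# Gather the facts from Azure, then let the policy decide.
safe_delete_rg() {
  rg=$1; typed=${2:-}
  locks=$(az lock list --resource-group "$rg" --query 'length(@)' --output tsv)
  protect=$(az group show --name "$rg" --query 'tags.protect' --output tsv)
  count=$(az resource list --resource-group "$rg" --query 'length(@)' --output tsv)
  delete_decision "$rg" "$locks" "${protect:-}" "$count" "$typed" || return 1
  az group delete --name "$rg" --yes
}

# Usage: sh rg.sh create payroll-rg eastus alice@example.com
#        sh rg.sh delete payroll-rg payroll-rg
case ${1:-} in
  create) create_rg "$2" "$3" "$4" ;;
  delete) safe_delete_rg "$2" "${3:-}" ;;
esac
```

Keeping the decision logic in `delete_decision` means the refusal rules can be tested without a subscription, and the lock created by `create_rg` is what makes the portal's own delete button fail until someone removes it on purpose.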

EXERCISE 2.2
