Ends in

Get up to $10 DISCOUNT on our AWS Solutions Architect Associate Reviewers!

Azure Active Directory (Azure AD)

  • An identity and access management service that helps you access internal and external resources.
  • Azure AD licenses: Free, Premium P1, Premium P2 and Pay as you go
    • Free – user and group management in your on-premises directory
    • Premium P1 – allows access to both on-premises and cloud resources.
    • Premium P2 – provides an additional feature called Azure AD Identity Protection.
    • Pay as you go – offers a feature called Azure AD B2C.


  • You can use Azure AD Authentication for a self-service password reset, MFA, custom banned password list, and smart lockout.
  • Allows you to manage external identities using Azure AD B2B.
  • Azure AD B2C is a business-to-customer identity as a service that allows you to control how your users sign up, sign in, and manage their profiles when using your applications.
  • Azure AD B2C provides you control on how your users sign up, sign in, and manage their profiles when using your applications.
  • Tutorials dojo strip
  • You can manage the access in your cloud apps with conditional access.
  • With Azure AD Device Management, it allows you to manage and configure device identities.
  • If you need to manage domain services such as domain join, group policy, and authentication, you can use Azure AD Domain Services.
  • Identity Governance ensures that only the authorized people have the right access to specific resources.
  • Supports hybrid identity to access resources in the cloud or on-premises.
  • Use Azure AD Connect to accomplish your hybrid identity goals:
    • A sign-in method that uses password hash synchronization.
    • Pass-through authentication allows users to use the same password on-premises and in the cloud.
    • Enable federation integration to sign in to Azure AD-based services without having to enter their passwords again.
    • Synchronization between your on-premises environment and Azure AD.
    • Health Monitoring with Azure AD Connect Health.


  • Users
    • You can create a new user in your organization or a guest user.
    • By enabling Multi-Factor Authentication, you provide additional security by requiring the user a second form of authentication. The additional forms that can be used with Azure AD MFA are: 
      • Microsoft Authenticator app
      • OATH hardware token
      • SMS
      • Voice call
    • You can also perform the following bulk operations: 
      • Bulk create
      • Bulk invite 
      • Bulk delete 
      • Bulk restore
      • Download users
    • Self-service password reset enables users to manage their passwords from any device, at any time, and from any location.
    • In the device settings, you can change the maximum number of devices per user.
    • You can assign licenses to multiple users or groups to allow them to use the licensed Azure AD services. Licenses are applied per tenant, and you can’t transfer them to other tenants.
  • Groups
    • A collection of users, devices, groups, and service principals.
    • You can easily manage access to your resources by creating an Azure AD group.
    • A user can belong to multiple groups.
    • Groups do not have security credentials.
    • Group Types:
      • Security – it contains users, devices, groups, and service principals as its members. The users and service principals are the owners of this group.
      • Microsoft 365 – it contains users as its members. Both the users and service principals can be owners of this group.
    • Membership type:
      • Assigned – manually add users to be members of the group.
      • Dynamic user – automatically add and remove members using the dynamic membership rules.
      • Dynamic device – automatically add and remove members using the dynamic group rules.
  • With external identities, you can allow users outside your organization to sign in using an external identity provider like Facebook and Google.
  • Administrative roles can be used to grant access to Azure AD and other Microsoft services. There are two types of role definitions:
    • Built-in roles – it has a fixed set of permissions.
    • Custom roles – you can select permissions from a preset list. To create a custom role, you need to have an Azure AD Premium P1 or P2 plans.
  • An Azure AD resource that can be a container for other Azure AD resources is called an administrative unit. It can only contain users and groups.
  • Devices
    • Azure AD registered
      • The devices registered are personally owned devices (bring your own device or mobile device). These devices are signed in with a personal Microsoft account.
      • The supported operating systems are Windows 10, macOS, iOS, and Android.
      • A Mobile Device Management (MDM) helps you enforce configurations like storage must be encrypted, password complexity, and up-to-date security software.
      • Key capabilities:
        • Single sign-on (SSO) to cloud resources.
        • Conditional access when enrolled in Microsoft Intune or via App protection policy.
        • Enables phone sign in with Microsoft Authenticator app.
    • Azure AD joined
      • The devices and accounts are owned by an organization. It only exists in the cloud.
      • The supported operating systems are Windows 10 devices (except Windows 10 Home) and Windows Server 2019 Virtual Machines running in Azure.
      • Azure AD join is primarily used for organizations that do not have an on-premises Windows Server AD infrastructure.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through MDM enrollment and MDM compliance evaluation.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
    • Hybrid Azure AD joined
      • The devices and Active Directory Domain Services account are owned by an organization. It exists both in the cloud and on-premises resources.
      • The supported operating systems are Windows 7, 8.1, 10, Windows Server 2008/R2, 2012/R2, 2016, and 2019.
      • You can implement hybrid joined devices if you have an existing on-premises AD footprint and you want to benefit from the capabilities provided by Azure AD.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through Domain join or through Microsoft Intune if co-managed.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
  • If you register your application to use Azure AD, the users in your organization can do the following:
    • Get an identity for their application that is recognized by Azure AD.
    • Get secrets/keys that the application will use for authentication.
    • Create a custom name and logo for your application.
    • Apply Azure AD authorization (RBAC and oAuth)
    • Declare the necessary permissions for the application.
  • With application proxy, you can provide SSO and remote access for web apps hosted on-premises.


  • Monitor the security and usage patterns of your environment with Azure AD reports and monitoring.
  • With Azure AD Connect Health, you can view alerts, monitor performance and check usage analytics of your on-premises Active Directory and Azure AD.


  • Detect potential vulnerabilities and resolve suspicious actions with identity protection.
  • Azure AD PIM helps you control the access within your organization.
  • You can use security defaults to enable MFA in your organization.
  • Enabling security defaults protects you from common identity-related attacks.
  • You use block legacy authentication if a user is using a legacy application.
  • Identity secure score helps you verify your configurations if it’s aligned with Microsoft’s best practice for security.
  • You can lockout intruders that try to guess your users’ passwords or use brute-force methods in Azure AD using smart lockout.
  • Manage, control, and monitor access to significant resources in your organization with Privileged Identity Management (PIM).

Authentication Fundamentals: The Basics

Learn more about Azure Active Directory in this playlist from the Microsoft Azure YouTube channel:

Validate Your Knowledge

Question 1

Question Type: Multiple-choice

You are managing an Azure AD tenant that has 500 user accounts.

You created a new user account named AppAdmin.

You must assign the role of Application Administrator to the AppAdmin user account.

What should you do in the Azure Active Directory settings to accomplish this requirement?

  1. Select the user profile and add the role assignments.
  2. Select the user profile and add the user to the admin group.
  3. Select the user profile and assign it to an administrative unit.
  4. AWS Exam Readiness Courses
  5. Select the user profile and enable the My Staff feature.

Correct Answer: 1

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in external and internal resources. External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Azure AD has a set of built-in admin roles for granting access to manage configuration in Azure AD for all applications. These roles are the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to manage other parts of Azure AD not related to application configuration. Here are the two common built-in roles in Azure Active Directory:

– Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

– Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

If you want to grant a user permission to manage Azure AD resources, you must assign them to a role that provides the permissions they need. Based on the given scenario, the new user account needs the role of Application Administrator. To grant a role to the new user account, you must select the user profile and click on add assignments in the assigned roles option. Add the Application Administrator role, and the user can now create and manage all aspects of app registrations and enterprise apps.

Hence, the correct answer is: Select the user profile and add the role assignments.

The option that says: Select the user profile and add the user to the admin group is incorrect because adding the user to the admin group doesn’t mean that the Application Administrator’s role is automatically assigned to the user account.

The option that says: Select the user profile and assign it to an administrative unit is incorrect because this option only restricts permissions in a role to any portion of your organization that you define. Take note that the requirement in the scenario is to assign an Application Administrator role to the new user account and not to restrict its permissions in your account.

The option that says: Select the user profile and enable the My Staff feature is incorrect because the My Staff feature simply enables you to delegate to a figure of authority, such as a store manager or a team lead, the permissions to ensure that their staff members are able to access to their Azure AD accounts.


Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.

For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:

Microsoft Azure Practice Exams Tutorials Dojo


Tutorials Dojo portal

FREE AWS Exam Readiness Digital Courses

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?