Here are some of the key takeaways from this chapter:
- Windows 10 can be added to Entra ID as a device to be managed, enabling BYOD or corporate cloud only deployments with Entra Join.
- Entra Join enables administrators to manage device identity independently of users. For example, dynamic security groups can be created based on device attributes and then conditional access policies could be applied to those groups.
- Downstream Windows clients can be managed through Entra ID using Entra hybrid join.
- Conditional access is a feature of Entra ID which allows administrators to control access to cloud applications through additional checks such as user location, the device the user is accessing the cloud app from, and more.
- Multiple Entra tenants can be created and managed through Azure. This includes creating new directories and deleting existing directories.
- Users and groups can be created through the Azure portal, Azure PowerShell, the Azure CLI, and the Graph API.
- Users and groups can be managed in bulk with tools like PowerShell.
- Self-service password reset can be combined with the password writeback features of Entra Connect and Entra Cloud Sync to allow users to reset their passwords from the cloud while adhering to on-premises password standards.
- Many advanced features of Entra ID require Entra ID Premium P1 or Entra ID Premium P2 licenses. When considering Entra features, administrators need to be aware of the licensing boundaries.
- Azure offers a rich ecosystem of governance controls with user-level and platform-level controls in the form of role-based access control (RBAC) and Azure Policy.
- Azure management groups can be used to control Policy and RBAC for multiple subscriptions. Management groups enable organizational alignment for your Azure subscriptions through custom hierarchies and groupings.
- Tags in Azure can be used to logically organize resources by categories. Each tag is a name and a value pair. Tags can be shared across multiple resources and enforced with Azure Policy.
- Azure Policy is a service that lets you create, manage, and apply policies to Azure resources at a subscription, resource group, or resource level. Policies enforce different rules over your Azure resources, so those resources remain compliant with your organization’s standards.
- Role-based access control allows you to grant users, groups, and service principals access to Azure resources at the subscription, resource group, or resource scopes with RBAC inheritance. The three core roles are Owner, Contributor, and Reader.
- You can create resources from the portal, PowerShell, the CLI tools, and Azure Resource Manager templates. You should understand when to use which tool and how to configure the resource during provisioning and after provisioning.
- A resource is simply a single service instance in Azure. Most services in Azure can be represented as a resource. For example, a web app instance is a resource. An App Service plan is also a resource. Even a SQL Database instance is a resource.
- A resource group is a logical grouping of resources. For example, a resource group where you deploy a VM compute instance may be composed of a network interface card (NIC), a virtual machine, a virtual network, and a public IP address.
- An ARM template is a JSON file that allows you to declaratively describe a set of resources. These resources can then be added to a new or existing resource group. For example, a template can contain the configuration necessary to create two API app instances, a mobile app instance, and an Azure SQL Database instance.
- A template can simplify orchestration because you only need to deploy the template to deploy all your resources.
- With a template, you can configure multiple resources simultaneously and use
variables/parameters/functions to create dependencies between resources.