WEBVTT

0:00:02.900000 --> 0:00:05.980000
I'm going to take a couple of minutes to talk to you about creating and

0:00:05.980000 --> 0:00:07.500000
managing groups.

0:00:07.500000 --> 0:00:11.280000
In this video, we're going to take a look at the following.

0:00:11.280000 --> 0:00:14.180000
We're going to look at Azure AD groups.

0:00:14.180000 --> 0:00:17.000000
What groups are, that's relatively straightforward.

0:00:17.000000 --> 0:00:21.120000
We'll look at the process of creating groups, talk about what you can

0:00:21.120000 --> 0:00:25.240000
do to manage groups, and then I'm going to demonstrate the implementation

0:00:25.240000 --> 0:00:28.860000
of groups, all of which is relatively straightforward.

0:00:28.860000 --> 0:00:32.380000
So let's go ahead and let's take a look at this.

0:00:32.380000 --> 0:00:35.380000
So what is an Azure AD group?

0:00:35.380000 --> 0:00:40.540000
Well, if I've got Azure AD groups, they of course are going to be within

0:00:40.540000 --> 0:00:44.380000
Azure AD. I've got Azure AD.

0:00:44.380000 --> 0:00:49.720000
I'm just going to say AAD because I'm lazy.

0:00:49.720000 --> 0:00:56.800000
And in Azure AD, you've got a bunch of users and they could be, they could

0:00:56.800000 --> 0:01:01.700000
be cloud users, they could be guest users, they could be sync users.

0:01:01.700000 --> 0:01:06.800000
And I don't want to manage their rights individually, so I'm going to

0:01:06.800000 --> 0:01:13.500000
add them to a group.

0:01:13.500000 --> 0:01:18.860000
And the reason that I want to add them to a group is because I'm going

0:01:18.860000 --> 0:01:28.120000
to have some sort of application such as my Azure subscription.

0:01:28.120000 --> 0:01:33.540000
And I want to use role-based access control.

0:01:33.540000 --> 0:01:48.020000
It's a reader. And I want to take the group and grant that group a role

0:01:48.020000 --> 0:01:51.960000
on a particular resource or a resource group or a subscription.

0:01:51.960000 --> 0:01:57.000000
And then of course, every user in that group has that permission.

0:01:57.000000 --> 0:02:01.260000
Now I can also within groups add other groups to a group.

0:02:01.260000 --> 0:02:06.480000
So you can have that layered concept.

0:02:06.480000 --> 0:02:11.260000
So group two and group two could be in group one.

0:02:11.260000 --> 0:02:20.960000
And then have all of their users also have the same rights.

0:02:20.960000 --> 0:02:22.640000
That's really the purpose behind groups.

0:02:22.640000 --> 0:02:28.820000
And if you've ever done anything with security, with authorization, then

0:02:28.820000 --> 0:02:31.640000
you're probably really mad at me for wasting a couple minutes of your

0:02:31.640000 --> 0:02:36.740000
time here. But the point being that it's very consistent with really any

0:02:36.740000 --> 0:02:41.620000
kind of authentication, authorization environment, including on-premises

0:02:41.620000 --> 0:02:43.300000
Active Directory.

0:02:43.300000 --> 0:02:45.260000
All right, so that's Azure AD groups.

0:02:45.260000 --> 0:02:47.200000
Now how do you go about creating groups?

0:02:47.200000 --> 0:02:50.660000
That process is really fairly straightforward.

0:02:50.660000 --> 0:02:55.680000
Now, what is the only thing that's really kind of particularly interesting

0:02:55.680000 --> 0:03:00.120000
here is the membership type.

0:03:00.120000 --> 0:03:05.140000
And you'll see that you've got these three different membership types,

0:03:05.140000 --> 0:03:08.200000
assigned, dynamic user, dynamic device.

0:03:08.200000 --> 0:03:11.360000
Now dynamic user and dynamic device are very cool.

0:03:11.360000 --> 0:03:15.820000
What they allow you to do is to specify membership in a security group

0:03:15.820000 --> 0:03:20.940000
based on attributes of your users or their devices.

0:03:20.940000 --> 0:03:26.960000
So maybe you have a high access group that is accessing one of your line

0:03:26.960000 --> 0:03:28.900000
of business applications.

0:03:28.900000 --> 0:03:32.760000
High access is kind of not really the right thing, but we'll say that.

0:03:32.760000 --> 0:03:34.440000
It's got a lot of access.

0:03:34.440000 --> 0:03:40.340000
You've got your line of business application that is using Azure AD for

0:03:40.340000 --> 0:03:42.240000
its authentication.

0:03:42.240000 --> 0:03:47.520000
And you want to say, okay, if anyone who has the word administrator in

0:03:47.520000 --> 0:03:50.100000
their job title, I want them to be part of this group.

0:03:50.100000 --> 0:03:50.980000
You could do that.

0:03:50.980000 --> 0:03:54.640000
And then that group is going to be dynamically maintained by Azure AD.

0:03:54.640000 --> 0:03:58.880000
And that's true for both users, dynamic users, and dynamic devices.

0:03:58.880000 --> 0:04:02.860000
That's only available with Azure AD Premium.

0:04:02.860000 --> 0:04:04.020000
So just be aware of that.

0:04:04.020000 --> 0:04:07.840000
If you don't see those, then you don't have Azure AD Premium.

0:04:07.840000 --> 0:04:10.620000
Now, what happens when you select that?

0:04:10.620000 --> 0:04:14.080000
Well, of course, when you select that, then you're going to be able to

0:04:14.080000 --> 0:04:18.440000
add the members that you want to add to that particular group.

0:04:18.440000 --> 0:04:24.100000
And that is done under the members, which if you're going through this

0:04:24.100000 --> 0:04:26.620000
environment, you can see it right there.

0:04:26.620000 --> 0:04:32.700000
Okay. Now, I can also create groups, of course, from the command line.

0:04:32.700000 --> 0:04:35.540000
Here is an example using Azure AD.

0:04:35.540000 --> 0:04:37.700000
You can do a similar thing with the Azure CLI.

0:04:37.700000 --> 0:04:38.900000
I just don't have it here.

0:04:38.900000 --> 0:04:43.060000
In this case, I am using Azure AD.

0:04:43.060000 --> 0:04:47.180000
And again, I've talked about this in other videos.

0:04:47.180000 --> 0:04:54.660000
It could be a little bit confusing when you're using the Azure PowerShell

0:04:54.660000 --> 0:04:57.320000
commands, because there are three different sets.

0:04:57.320000 --> 0:04:59.380000
This happens to be one of my thoughts I'd show you.

0:04:59.380000 --> 0:05:01.080000
New-AzureADGroup.

0:05:01.080000 --> 0:05:06.400000
If you see New-AzureADGroup or New-AzADGroup, then they'll be pretty

0:05:06.400000 --> 0:05:07.380000
close to the same.

0:05:07.380000 --> 0:05:12.880000
There are some differences with the attributes that you can set.

0:05:12.880000 --> 0:05:18.200000
And then once I have the group, I can add a group member and same caveat.

0:05:18.200000 --> 0:05:23.840000
Now the one thing with the add group member, the object ID is the group,

0:05:23.840000 --> 0:05:27.580000
the reference ID would be the user ID that you want to add in.

0:05:27.580000 --> 0:05:31.020000
So in this case, I would have to have the user ID already in order to

0:05:31.020000 --> 0:05:34.560000
add them in. So that is creating groups.

0:05:34.560000 --> 0:05:39.780000
As far as managing groups, you can see the properties.

0:05:39.780000 --> 0:05:42.320000
You can change the members and owners.

0:05:42.320000 --> 0:05:47.520000
You can define or you can actually see what members this group is a member

0:05:47.520000 --> 0:05:51.940000
of. And you can see the applications associated with.

0:05:51.940000 --> 0:05:57.480000
You actually can, if you've got a premium, you can do group license assignment.

0:05:57.480000 --> 0:06:01.240000
So if I have an application that is licensed and I want to give everybody

0:06:01.240000 --> 0:06:04.000000
in this group just license to use it, you can do that.

0:06:04.000000 --> 0:06:09.640000
And you can also view the resources that this group has access to.

0:06:09.640000 --> 0:06:14.100000
Now what I want to do is go ahead and demonstrate group management.

0:06:14.100000 --> 0:06:16.860000
I'm going to go ahead and provision a group.

0:06:16.860000 --> 0:06:21.680000
And I'm going to add users to that group.

0:06:21.680000 --> 0:06:29.060000
And then I am going to assign that group a role in my Azure environment.

0:06:29.060000 --> 0:06:32.720000
Where Azure itself with a subscription itself is really just an example,

0:06:32.720000 --> 0:06:38.100000
albeit a very common example of a cloud application that's using Azure

0:06:38.100000 --> 0:06:39.320000
AD for authentication.

0:06:39.320000 --> 0:06:43.500000
If you have Office 365, it's exactly the same thing.

0:06:43.500000 --> 0:06:48.240000
Office 365 is using Azure AD for its authentication.

0:06:48.240000 --> 0:06:51.500000
So let's go ahead and let's take a look at this.

0:06:51.500000 --> 0:06:59.820000
I have brought up my portal.

0:06:59.820000 --> 0:07:05.280000
Right now I am connected to my primary tenant.

0:07:05.280000 --> 0:07:08.240000
And I can change tenants or directories.

0:07:08.240000 --> 0:07:11.800000
That's again the exact same thing by moving through there.

0:07:11.800000 --> 0:07:14.040000
But I wanted to use this one.

0:07:14.040000 --> 0:07:18.780000
And what I'm going to do is I'm going to go ahead and I'm going to go

0:07:18.780000 --> 0:07:20.560000
to my Azure Active Directory.

0:07:20.560000 --> 0:07:24.580000
And within the Azure Active Directory, I'm going to go to groups.

0:07:24.580000 --> 0:07:28.880000
And I probably have a couple groups in here because I completely forgot

0:07:28.880000 --> 0:07:32.540000
to delete them. I actually only have one in here that I was going to create

0:07:32.540000 --> 0:07:34.000000
demos, but I already did.

0:07:34.000000 --> 0:07:36.800000
So let's go ahead and take a look.

0:07:36.800000 --> 0:07:38.740000
Now, this is very important.

0:07:38.740000 --> 0:07:40.240000
I didn't talk about this when I was going through it.

0:07:40.240000 --> 0:07:43.180000
Two types of security groups, or two types of groups.

0:07:43.180000 --> 0:07:46.440000
There's security groups and Office 365.

0:07:46.440000 --> 0:07:50.240000
Office 365 groups are distribution groups.

0:07:50.240000 --> 0:07:54.700000
So if you're doing anything with security, you want a security group.

0:07:54.700000 --> 0:08:02.300000
And it's already used demo, we're going to call this another demo group.

0:08:02.300000 --> 0:08:03.840000
You can see that.

0:08:03.840000 --> 0:08:09.380000
And the group description amazingly is going to be another demo group.

0:08:09.380000 --> 0:08:13.120000
And now the membership type, it's showing assigned and that's because

0:08:13.120000 --> 0:08:22.340000
it doesn't realize that I actually have a license for Premium P2 license,

0:08:22.340000 --> 0:08:27.380000
if that's okay. Owners, I can search and add owners if I want.

0:08:27.380000 --> 0:08:30.200000
We have full rights to manage the group.

0:08:30.200000 --> 0:08:34.640000
And members, no, no, no, we want new user.

0:08:34.640000 --> 0:08:38.760000
And this is a guest user that I added in another video.

0:08:38.760000 --> 0:08:43.640000
I'm going to put that user into this group and create the group.

0:08:43.640000 --> 0:08:47.540000
Now I can put users in afterwards as well.

0:08:47.540000 --> 0:08:50.440000
And there's my another demo group.

0:08:50.440000 --> 0:08:53.160000
So hopefully remember to delete after this.

0:08:53.160000 --> 0:08:58.760000
And you can see I've got my direct, I see members, I don't have any groups

0:08:58.760000 --> 0:09:00.760000
or devices or others.

0:09:00.760000 --> 0:09:04.360000
This doesn't belong to any groups and I don't have any additional owners.

0:09:04.360000 --> 0:09:07.320000
It's really pretty simple and go through here.

0:09:07.320000 --> 0:09:13.620000
I can add members, now have a member import capability.

0:09:13.620000 --> 0:09:16.660000
Download members, remove members.

0:09:16.660000 --> 0:09:19.280000
And I can add owners.

0:09:19.280000 --> 0:09:24.820000
And I can add groups that this would belong to.

0:09:24.820000 --> 0:09:30.240000
I can view any applications that this group has been associated with.

0:09:30.240000 --> 0:09:33.280000
View license assignments for this group.

0:09:33.280000 --> 0:09:38.360000
And also view any Azure resources that have been assigned access to this

0:09:38.360000 --> 0:09:43.480000
group. All right, now what I'm going to do is I'm going to go ahead and

0:09:43.480000 --> 0:09:45.480000
actually show you how you would apply that group.

0:09:45.480000 --> 0:09:55.180000
Relatively straightforward, I'm going to create a resource group here.

0:09:55.180000 --> 0:09:57.620000
Add. Well, there we go.

0:09:57.620000 --> 0:10:00.020000
I was almost a little bit concerned there.

0:10:00.020000 --> 0:10:08.280000
A group demo without a space.

0:10:08.280000 --> 0:10:14.060000
All right, and create it.

0:10:14.060000 --> 0:10:17.280000
And then I'm going to go to that resource.

0:10:17.280000 --> 0:10:19.440000
The resource itself is immaterial.

0:10:19.440000 --> 0:10:26.340000
You work any assignable or controllable resources this way.

0:10:26.340000 --> 0:10:29.260000
I'm going to go to my access control, I'm going to add.

0:10:29.260000 --> 0:10:31.500000
Role assignment.

0:10:31.500000 --> 0:10:38.740000
I'm going to say, contributor and type in another.

0:10:38.740000 --> 0:10:44.020000
There's my another demo group and save.

0:10:44.020000 --> 0:10:48.860000
So now if I check role assignments, I will see that another demo group,

0:10:48.860000 --> 0:10:53.360000
along with many other things, has been added.

0:10:53.360000 --> 0:10:57.120000
Now the other thing that's pretty cool, I can go here and check access.

0:10:57.120000 --> 0:11:03.860000
And I'm going to search, let's say, search for new user.

0:11:03.860000 --> 0:11:06.700000
And I can click on new user.

0:11:06.700000 --> 0:11:11.940000
And it tells me there was an error, but you can see that new user has

0:11:11.940000 --> 0:11:16.940000
contributor because it's going through another demo group.

0:11:16.940000 --> 0:11:19.320000
And so that's groups.

0:11:19.320000 --> 0:11:25.480000
Fairly simple concept, just in terms of you're not really setting a lot

0:11:25.480000 --> 0:11:27.980000
of properties or attributes with groups.

0:11:27.980000 --> 0:11:31.200000
You can create groups, make sure for any kind of role assignment that

0:11:31.200000 --> 0:11:34.860000
it's a security group and not an Office 365 group.

0:11:34.860000 --> 0:11:41.280000
Remember, in terms of the assignment type, you always have the assigned,

0:11:41.280000 --> 0:11:46.320000
but you can also have dynamic members or dynamic users and dynamic devices

0:11:46.320000 --> 0:11:49.780000
if you've got the premium license.

0:11:49.780000 --> 0:11:52.980000
But once you have groups, of course, the purpose of that is to assign

0:11:52.980000 --> 0:11:55.880000
them roles within a resource.

0:11:55.880000 --> 0:12:00.680000
I used Azure as an example resource to show you how to do that.