├── .github
│   ├── CONTRIBUTING.md
│   ├── ISSUE_TEMPLATE.md
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── cloudslice-bug.md
│   └── lab-bug.md
├── Allfiles
│   ├── Demos
│   │   └── readme.md
│   ├── Labs
│   │   ├── Lab1
│   │   │   └── SC300BulkUser.csv
│   │   ├── Lab2
│   │   │   ├── SC-300-Lab_ContosoPrivacySample.pdf
│   │   │   └── readme.md
│   │   ├── Lab23
│   │   │   ├── Contoso_TermsOfUse.pdf
│   │   │   └── readme.txt
│   │   ├── Lab26
│   │   │   ├── Contoso_TermsOfUse.pdf
│   │   │   └── readme.txt
│   │   ├── Lab7
│   │   │   ├── CreateDemoUsers.csv
│   │   │   └── CreateDemoUsers.ps1
│   │   └── readme.md
│   └── readme.md
├── Instructions
│   └── Labs
│       ├── Lab_00_SetUpLabResources.md
│       ├── Lab_01_ManageUserRoles.md
│       ├── Lab_02_WorkingWithTenantProperties.md
│       ├── Lab_03_AssignLicensesToUsersByGroupMembershipAAD.md
│       ├── Lab_04_ConfigureExternalCollaborationSettings.md
│       ├── Lab_05_AddGuestUsersToTheDirectory.md
│       ├── Lab_06_AddFederatedIdentityProvider.md
│       ├── Lab_07_AddHybridIdentityWithAzureADConnect.md
│       ├── Lab_08_EnableAzureADMultiFactorAuthentication.md
│       ├── Lab_09_ConfigureAndDeploySelfServicePasswordReset.md
│       ├── Lab_10_AzureADAuthenticationForWindowsAndLinuxVM.md
│       ├── Lab_11_AssignAzureResourceRolesInPrivilegedIdentityManagement.md
│       ├── Lab_12_ManageAzureADSmartLockoutValues.md
│       ├── Lab_13_ImplementAndTestAConditionalAccessPolicy.md
│       ├── Lab_14_EnableSignRiskPolicy.md
│       ├── Lab_15_ConfigureAAD_MultiFactorAuthRegPolicy.md
│       ├── Lab_16_UsingAzureKeyVaultForManagedIdentities.md
│       ├── Lab_17_DefenderForCloudAppsDiscoveryAndRestrictions.md
│       ├── Lab_18_DefenderForCloudAppsAccessPolicies.md
│       ├── Lab_19_RegisterAnApplication.md
│       ├── Lab_20_ImplementAccessManagementForApps.md
│       ├── Lab_21_GrantTenantWideAdminConsentToAnApplication.md
│       ├── Lab_22_CreateAndManageACatalogOfResourcesInAADEntitlementManagement.md
│       ├── Lab_23_AddTermsOfUseAcceptanceReporting.md
│       ├── Lab_24_ManageTheLifecycleOfExternalUsersInAADIdentityGovernanceSettings .md
│       ├── Lab_25_CreatingAccessReviewsForUsers.md
│       ├── Lab_26_ConfigurePrivilegedIdentityManagementForAADRoles.md
│       ├── Lab_27_MicrosoftSentinelKustoQueries.md
│       ├── Lab_28_MonitorIdentitySecureScore.md
│       ├── image-1.png
│       ├── image.png
│       └── media
│           ├── accepted-tou.png
│           ├── active-directory-no-privacy-statement-or-contact.png
│           ├── add-saml-idp.png
│           ├── azure-active-directory-properties-country-location.png
│           ├── azure-portal-menu-aad.png
│           ├── azurepassactivation.png
│           ├── bulkimportexample.png
│           ├── catalog-add-resources.png
│           ├── configure-platforms.png
│           ├── delia-no-office-license.png
│           ├── delia-office-license.png
│           ├── directory-role-remove-role.png
│           ├── directory-role-select-role.png
│           ├── linkedinlookup.png
│           ├── lp1-mod2-assign-license-group.png
│           ├── lp1-mod2-assign-user-license-options.png
│           ├── lp1-mod2-change-group-license.png
│           ├── lp1-mod2-create-group.png
│           ├── lp1-mod2-create-o365-group.png
│           ├── lp1-mod2-remove-user.png
│           ├── lp1-mod3-bulk-invite-option.png
│           ├── lp1-mod3-bulk-invite-users-upload-csv.png
│           ├── lp1-mod3-bulk-operations-results.png
│           ├── lp1-mod3-dynamic-group-membership-rule.png
│           ├── lp1-mod3-guest-user-access-restrictions.png
│           ├── lp1-mod3-guest-user-invite-settings.png
│           ├── lp1-mod3-new-guest-user-menu-selection.png
│           ├── lp1-mod3-template-csv.png
│           ├── lp2-mod1-azure-ad-conditional-access-policy.png
│           ├── lp2-mod1-conditional-access-new-policy-complete.png
│           ├── lp2-mod1-conditional-access-new-policy.png
│           ├── lp2-mod1-mfa-service-settings-and-users.png
│           ├── lp2-mod1-mfa-settings.png
│           ├── lp2-mod1-set-additional-mfa-settings.png
│           ├── lp2-mod1-users-mfa.png
│           ├── lp2-mod2-create-sspr-security-group.png
│           ├── lp2-mod2-enable-password-reset-for-selected-group.png
│           ├── lp2-mod2-get-back-into-your-account-page.png
│           ├── lp2-mod2-keep-your-account-secure-page.png
│           ├── lp2-mod2-sspr-verification-step-1.png
│           ├── lp2-mod3-browse-to-password-protection.png
│           ├── lp2-mod3-create-conditional-access-policy.png
│           ├── lp2-mod3-create-session-conditional-access-policy.png
│           ├── lp2-mod3-test-conditional-access-policy.png
│           ├── lp2-mod4-browse-to-identity-protection.png
│           ├── lp2-mod4-browse-to-mfa-registration-policy.png
│           ├── lp3-mod1-add-app-assignment.png
│           ├── lp3-mod1-azure-ad-gallery-search.png
│           ├── lp3-mod1-custom-role-permissions.png
│           ├── lp3-mod1-new-custom-role.png
│           ├── lp3-mod1-new-enterprise-application.png
│           ├── lp3-mod3-api-permissions-admin-consent.png
│           ├── lp3-mod3-app-roles-create-app-role.png
│           ├── lp3-mod3-demo-app-directory-id.png
│           ├── lp3-mod3-grant-admin-consent-in-enterprise-app.png
│           ├── lp3-mod3-pim-ad-roles-settings.png
│           ├── lp3-mod3-register-an-application.png
│           ├── lp4-mod1-catalog-roles-and-admins.png
│           ├── lp4-mod1-edit-marketing-catalog.png
│           ├── lp4-mod1-edit-terms-of-use-update.png
│           ├── lp4-mod1-edit-terms-of-use.png
│           ├── lp4-mod1-identity-governance-new-catalog.png
│           ├── lp4-mod1-manage-lifcycle-of-ext-users.png
│           ├── lp4-mod1-myaccount-setting-and-privacy-org-notes.png
│           ├── lp4-mod1-myaccount-setting-and-privacy.png
│           ├── lp4-mod1-new-catalog-marketing.png
│           ├── lp4-mod1-new-terms-of-use-create.png
│           ├── lp4-mod1-new-terms-of-use.png
│           ├── lp4-mod1-terms-of-use-accept-decline.png
│           ├── lp4-mod1-terms-of-use-ca-policy.png
│           ├── lp4-mod1-update-terms-of-use-version.png
│           ├── lp4-mod3-my-roles.png
│           ├── lp4-mod3-pim-activate-role.png
│           ├── lp4-mod3-pim-add-approver.png
│           ├── lp4-mod3-pim-add-role-assignment.png
│           ├── lp4-mod3-pim-assign-role.png
│           ├── lp4-mod3-pim-az-resource-overview.png
│           ├── lp4-mod3-pim-azure-resource-management.png
│           ├── lp4-mod3-pim-edit-compliance-role.png
│           ├── lp4-mod3-pim-edit-role-assignments.png
│           ├── lp4-mod4-sentinel-add-aad-connector.png
│           ├── lp4-mod4-sentinel-config-aad-connector.png
│           ├── mobile-tou.png
│           ├── portal-02-expose-api.png
│           ├── portal-03-scopes-list.png
│           ├── portal-05-app-reg-04-credentials.png
│           ├── portal-tenant-id.png
│           ├── properties-area.png
│           ├── security-defaults-disable-before-conditional-access.png
│           ├── selectonedrive.png
│           ├── user-tou.png
│           ├── view-history-menu.png
│           ├── view-history-pane.png
│           └── zoom-buttons.png
├── LICENSE
├── _build.yml
├── _config.yml
├── index.md
└── readme.md

/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing to Microsoft Learning Repositories

MCT contributions are a key part of keeping the lab and demo content current as the Azure platform changes. We want to make it as easy as possible for you to contribute changes to the lab files. Here are a few guidelines to keep in mind as you contribute changes.

## GitHub Use & Purpose

Microsoft Learning is using GitHub to publish the lab steps and lab scripts for courses that cover cloud services like Azure. Using GitHub allows the course's authors and MCTs to keep the lab content current with Azure platform changes. It also allows MCTs to provide feedback and suggestions for lab changes, so that the course authors can update lab steps and scripts quickly and relatively easily.

> When you prepare to teach these courses, you should ensure that you are using the latest lab steps and scripts by downloading the appropriate files from GitHub. GitHub should not be used to discuss technical content in the course, or how to prep. It should only be used to address changes in the labs.

It is strongly recommended that MCTs and Partners access these materials and in turn, provide them separately to students. Pointing students directly to GitHub to access lab steps as part of an ongoing class will require them to access yet another UI as part of the course, contributing to a confusing experience for the student. An explanation to the student regarding why they are receiving separate lab instructions can highlight the nature of an always-changing cloud-based interface and platform. Microsoft Learning support for accessing files on GitHub and support for navigation of the GitHub site is limited to MCTs teaching this course only.

> As an alternative to pointing students directly to the GitHub repository, you can point students to the GitHub Pages website to view the lab instructions. The URL for the GitHub Pages website can be found at the top of the repository.

To address general comments about the course and demos, or how to prepare for a course delivery, please use the existing MCT forums.

## Additional Resources

A user guide has been provided for MCTs who are new to GitHub. It provides steps for connecting to GitHub, downloading and printing course materials, updating the scripts that students use in labs, and explaining how you can help ensure that this course's content remains current.

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
# Module: 00
## Lab/Demo: 00
### Task: 00
#### Step: 00

Description of issue

Repro steps:

1.
1.
1.
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
# Module: 00
## Lab/Demo: 00

Fixes # .

Changes proposed in this pull request:

-
-
-
--------------------------------------------------------------------------------
/.github/cloudslice-bug.md:
--------------------------------------------------------------------------------
---
name: 'Lab Bug '
about: Template for bugs from lab platform
title: ''
labels: 'cloudSlice'
assignees: ''

---

# Module/Lab: 00
## Exercise: 00
### Task: 00
#### Step: 00

Description of issue

Repro steps:

1.
1.
1.

### Relevant screenshots

--------------------------------------------------------------------------------
/.github/lab-bug.md:
--------------------------------------------------------------------------------
---
name: 'Lab Bug '
about: Template for Lab Instructions issues
title: ''
labels: ''
assignees: ''

---

# Module/Lab: 00
## Exercise: 00
### Task: 00
#### Step: 00

Description of issue

Repro steps:

1.
1.
1.

### Relevant screenshots

--------------------------------------------------------------------------------
/Allfiles/Demos/readme.md:
--------------------------------------------------------------------------------
Use this folder to store any supplemental demo files needed to support demos in this course.

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab1/SC300BulkUser.csv:
--------------------------------------------------------------------------------
version:v1.0,,,,,,,,,,,,,,,,
Name [displayName] Required,User name [userPrincipalName] Required,Initial password [passwordProfile] Required,Block sign in (Yes/No) [accountEnabled] Required,First name [givenName],Last name [surname],Job title [jobTitle],Department [department],Usage location [usageLocation],Street address [streetAddress],State or province [state],Country or region [country],Office [physicalDeliveryOfficeName],City [city],ZIP or postal code [postalCode],Office phone [telephoneNumber],Mobile phone [mobile]
Example: Chris Green, chris@contoso.com, myPassword1234, No,,,,,,,,,,,,,
Malik Barden,MalikB@<<>>,samplePassword1234$, No,Malik,Barden,,Sales,,,,,,,,,
Amina Hadzic,AminaH@<<>>,samplePassword1234$, No,Amina,Hadzic,,Sales,,,,,,,,,
Lejla Selimagic,LejlaS@<<>>,samplePassword1234$, No,Lejla,Selimagic,,Sales,,,,,,,,,
Omar Bennett,OmarB@<<>>,samplePassword1234$, No,Omar,Bennett,,Sales,,,,,,,,,
Jurgis Zukas,JurgisZ@<<>>,samplePassword1234$, No,Jurgis,Zukas,,Sales,,,,,,,,,
Bidisha Patowary,BidishaP@<<>>,samplePassword1234$, No,Bidisha,Patowary,,Sales,,,,,,,,,
Andre Lawson,AndreL@<<>>,samplePassword1234$, No,Andre,Lawson,,Marketing,,,,,,,,,
Monica Thomson,MonicaT@<<>>,samplePassword1234$, No,Monica,Thompson,,Marketing,,,,,,,,,
Edita Gabryte,EditaG@<<>>,samplePassword1234$, No,Edita,Gabryte,,Marketing,,,,,,,,,
Jelena Maric,JelenaM@<<>>,samplePassword1234$, No,Jelena,Maric,,Marketing,,,,,,,,,

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab2/SC-300-Lab_ContosoPrivacySample.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Allfiles/Labs/Lab2/SC-300-Lab_ContosoPrivacySample.pdf

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab2/readme.md:
--------------------------------------------------------------------------------
Placeholder file for the SC-300 lab-2

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab23/Contoso_TermsOfUse.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Allfiles/Labs/Lab23/Contoso_TermsOfUse.pdf

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab23/readme.txt:
--------------------------------------------------------------------------------
Placeholder document

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab26/Contoso_TermsOfUse.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Allfiles/Labs/Lab26/Contoso_TermsOfUse.pdf

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab26/readme.txt:
--------------------------------------------------------------------------------
Placeholder document

--------------------------------------------------------------------------------
/Allfiles/Labs/Lab7/CreateDemoUsers.ps1:
--------------------------------------------------------------------------------
# %ForceElevation% = Yes
#Requires -RunAsAdministrator

[CmdletBinding()]
Param
(
    [Parameter(Mandatory=$False)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({(Test-Connection -ComputerName "$_" -Count 4 -Quiet) -and (Test-WSMan -ComputerName "$_")})]
    [String]$Server = "$($Env:Computername).$($Env:UserDnsDomain.ToLower())"
)

#Clear The Screen
Clear-Host

#Define Default Action Preferences
$Global:DebugPreference = "SilentlyContinue"
$Global:ErrorActionPreference = "Continue"
$Global:VerbosePreference = "SilentlyContinue"
$Global:WarningPreference = "Continue"
$Global:ConfirmPreference = "None"

#Define ASCII Characters
$Equals = [Char]61
$Space = [Char]32
$SingleQuote = [Char]39
$DoubleQuote = [Char]34
$NewLine = "`n"

#Load WMI Classes
$Bios = Get-WmiObject -Namespace "root\CIMv2" -Class "Win32_Bios" -Property * | Select *
$ComputerSystem = Get-WmiObject -Namespace "root\CIMv2" -Class "Win32_ComputerSystem" -Property * | Select *
$ComputerSystemProduct = Get-WmiObject -Namespace "root\CIMv2" -Class "Win32_ComputerSystemProduct" -Property * | Select *
$LogicalDisk = Get-WmiObject -Namespace "root\CIMv2" -Class "Win32_LogicalDisk" -Property * | Select *
$OperatingSystem = Get-WmiObject -Namespace "root\CIMv2" -Class "Win32_OperatingSystem" -Property * | Select *

#Retrieve property values
$Make = $ComputerSystem.Manufacturer
If ($Make -like "*Lenovo*") {$Model = $ComputerSystemProduct.Version} Else {$Model = $ComputerSystem.Model}
$OSArchitecture = $($OperatingSystem.OSArchitecture).Replace("-bit", "").Replace("32", "86").Insert(0,"x").ToUpper()
Try {$OSCaption = "{1} {2} {3}" -f $($OperatingSystem.Caption).Split(" ").Trim()} Catch {$OSCaption = "WindowsPE"}
$OSVersion = [Version]$OperatingSystem.Version
$OSVersionNumber = [Decimal]("{0}.{1}" -f $($OperatingSystem.Version).Split(".").Trim())
$PSVersion = [Version]$PSVersionTable.PSVersion
$OpticalDiskDriveLetter = $LogicalDisk | Where-Object {$_.DriveType -eq 5} | Select -First 1 -ExpandProperty DeviceID
$SerialNumber = $Bios.SerialNumber.ToUpper()
Try {([System.__ComObject]$TSEnvironment = New-Object -ComObject "Microsoft.SMS.TSEnvironment");($IsRunningTaskSequence = $True)} Catch {$IsRunningTaskSequence = $False}

#Set Path Variables
$ScriptDir = ($MyInvocation.MyCommand.Definition | Split-Path -Parent | Out-String).TrimEnd("\").Trim()
$ScriptName = [System.IO.Path]::GetFileNameWithoutExtension($MyInvocation.MyCommand.Name)

#Define Functions
#Encode a plain text string to a Base64 string
Function ConvertTo-Base64
{
    [CmdletBinding(SupportsShouldProcess=$False)]
    Param
    (
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [String]$String
    )

    $EncodedString = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($String))
    Write-Verbose -Message "$($NewLine)`"$($String)`" has been converted to the following Base64 encoded string `"$($EncodedString)`"$($NewLine)"

    Return $EncodedString
}

#Decode a Base64 string to a plain text string
Function ConvertFrom-Base64
{
    [CmdletBinding(SupportsShouldProcess=$False)]
    Param
    (
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$')]
        [String]$String
    )

    $DecodedString = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($String))
    Write-Verbose -Message "$($NewLine)`"$($String)`" has been converted from the following Base64 encoded string `"$($DecodedString)`"$($NewLine)"

    Return $DecodedString
}

#Start logging script output (the transcript goes to the user's temp folder; $Env:Temp, not an undefined $Temp)
Start-Transcript -Path "$($Env:Temp)\$ScriptName.log" -Force

#Write information to the screen
Write-Host "$($NewLine)"
Write-Host "User = $($ComputerSystem.UserName)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Target Server = $($Server)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Manufacturer = $($Make)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Model = $($Model)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Operating System Architecture = $($OSArchitecture)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Operating System Caption = $($OSCaption)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Operating System Version = $($OperatingSystem.Version)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Powershell Version = $($PSVersion)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Script Directory = $($ScriptDir)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Script Name = $($ScriptName).ps1" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "Running Task Sequence = $($IsRunningTaskSequence)" -BackgroundColor Black -ForegroundColor Cyan
Write-Host "$($NewLine)"

#Perform the following actions based on if a task sequence is running or not (This is a good place to set variables)
If ($IsRunningTaskSequence -eq $True)
{

}
ElseIf ($IsRunningTaskSequence -eq $False)
{

}

#Perform the following actions
Import-Module -Name 'ActiveDirectory' -Force -NoClobber -ErrorAction Stop

$Domain = Get-ADDomain -Server $Server

$DomainDN = $Domain.DistinguishedName

$Forest = $Domain.Forest

$NetBiosName = $Domain.NetBiosName

$ParentOUName = "Demo Accounts"

#If the demo OU already exists it is removed (with a confirmation prompt); the accounts are only created on a run where it does not exist
If ((Get-ADOrganizationalUnit -Filter "Name -eq `"$ParentOUName`"" -Server $Server -ErrorAction SilentlyContinue))
{
    Get-ADOrganizationalUnit -Filter "Name -eq `"$ParentOUName`"" -SearchScope SubTree -Server $Server | Set-ADObject -ProtectedFromAccidentalDeletion:$False -Server $Server -PassThru | Remove-ADOrganizationalUnit -Confirm:$True -Server $Server -Recursive -Verbose
    Write-Host ""
}
Else
{
    #Lab-only: relaxes the default domain password policy so the shared demo password is accepted. Not for a production domain.
    Set-ADDefaultDomainPasswordPolicy $Forest -ComplexityEnabled $False -MaxPasswordAge "1000" -PasswordHistoryCount 0 -MinPasswordAge 0 -Server $Server

    New-ADOrganizationalUnit -Name $ParentOUName -Path $DomainDN -Verbose -Server $Server -ErrorAction Stop

    $ParentOU = Get-ADOrganizationalUnit -Filter "Name -eq `"$ParentOUName`"" -Server $Server

    $UserOU = New-ADOrganizationalUnit -Name "Users" -Path $ParentOU.DistinguishedName -Verbose -PassThru -Server $Server -ErrorAction Stop
    $GroupOU = New-ADOrganizationalUnit -Name "Groups" -Path $ParentOU.DistinguishedName -Verbose -PassThru -Server $Server -ErrorAction Stop
    $ServiceAccountOU = New-ADOrganizationalUnit -Name "Service Accounts" -Path $ParentOU.DistinguishedName -Verbose -PassThru -Server $Server -ErrorAction Stop
    $ServiceGroupOU = New-ADOrganizationalUnit -Name "Service Groups" -Path $ParentOU.DistinguishedName -Verbose -PassThru -Server $Server -ErrorAction Stop

    $UserCount = 1000 #Up to 2500 can be created

    $InitialPassword = "Password1" #Initial Password for all users

    $Company = "Contoso Computing, LLC."

    #The CSV must sit next to the script and carry GivenName, MiddleInitial, Surname, City, StreetAddress, State, Country, ZipCode, TelephoneNumber, Birthday and Gender columns
    $Content = Import-CSV -Path "$($ScriptDir)\$($ScriptName).csv" -ErrorAction Stop | Get-Random -Count $UserCount | Sort-Object -Property State

    $Departments = (
        @{"Name" = "Accounting"; Positions = ("Manager", "Accountant", "Data Entry")},
        @{"Name" = "Human Resources"; Positions = ("Manager", "Administrator", "Officer", "Coordinator")},
        @{"Name" = "Sales"; Positions = ("Manager", "Representative", "Consultant", "Senior Vice President")},
        @{"Name" = "Marketing"; Positions = ("Manager", "Coordinator", "Assistant", "Specialist")},
        @{"Name" = "Engineering"; Positions = ("Manager", "Engineer", "Scientist")},
        @{"Name" = "Consulting"; Positions = ("Manager", "Consultant")},
        @{"Name" = "Information Technology"; Positions = ("Manager", "Engineer", "Technician")},
        @{"Name" = "Planning"; Positions = ("Manager", "Engineer")},
        @{"Name" = "Contracts"; Positions = ("Manager", "Coordinator", "Clerk")},
        @{"Name" = "Purchasing"; Positions = ("Manager", "Coordinator", "Clerk", "Purchaser", "Senior Vice President")}
    )

    $Users = $Content | Select-Object `
        @{Name="Name";Expression={"$($_.Surname), $($_.GivenName)"}},`
        @{Name="Description";Expression={"User account for $($_.GivenName) $($_.MiddleInitial). $($_.Surname)"}},`
        @{Name="SamAccountName"; Expression={"$($_.GivenName.ToCharArray()[0])$($_.MiddleInitial)$($_.Surname)"}},`
        @{Name="UserPrincipalName"; Expression={"$($_.GivenName.ToCharArray()[0])$($_.MiddleInitial)$($_.Surname)@$($Forest)"}},`
        @{Name="GivenName"; Expression={$_.GivenName}},`
        @{Name="Initials"; Expression={$_.MiddleInitial}},`
        @{Name="Surname"; Expression={$_.Surname}},`
        @{Name="DisplayName"; Expression={"$($_.GivenName) $($_.MiddleInitial). $($_.Surname)"}},`
        @{Name="City"; Expression={$_.City}},`
        @{Name="StreetAddress"; Expression={$_.StreetAddress}},`
        @{Name="State"; Expression={$_.State}},`
        @{Name="Country"; Expression={$_.Country}},`
        @{Name="PostalCode"; Expression={$_.ZipCode}},`
        @{Name="EmailAddress"; Expression={"$($_.GivenName.ToCharArray()[0])$($_.MiddleInitial)$($_.Surname)@$($Forest)"}},`
        @{Name="AccountPassword"; Expression={ (ConvertTo-SecureString -String $InitialPassword -AsPlainText -Force)}},`
        @{Name="OfficePhone"; Expression={$_.TelephoneNumber}},`
        @{Name="Company"; Expression={$Company}},`
        @{Name="Department"; Expression={$Departments[(Get-Random -Maximum $Departments.Count)].Item("Name") | Get-Random -Count 1}},`
        @{Name="Title"; Expression={$Departments[(Get-Random -Maximum $Departments.Count)].Item("Positions") | Get-Random -Count 1}},`
        @{Name="EmployeeID"; Expression={"$($_.Country)-$((Get-Random -Minimum 0 -Maximum 99999).ToString('000000'))"}},`
        @{Name="BirthDate"; Expression={$_.Birthday}},`
        @{Name="Gender"; Expression={"$($_.Gender.SubString(0,1).ToUpper())$($_.Gender.Substring(1).ToLower())"}},`
        @{Name="Enabled"; Expression={$True}},`
        @{Name="PasswordNeverExpires"; Expression={$True}}

    #One security group per department; lab-only: the Information Technology group is nested in Domain Admins so the demo has privileged accounts
    ForEach ($Department In $Departments.Name)
    {
        $CreateADGroup = New-ADGroup -Name "$Department" -SamAccountName "$Department" -GroupCategory Security -GroupScope Global -Path $GroupOU.DistinguishedName -Description "Security Group for all $Department users" -Verbose -OtherAttributes @{"Mail"="$($Department.Replace(' ',''))@$($Forest)"} -Server $Server -PassThru
        If ($Department -eq "Information Technology") {Add-ADGroupMember -Identity "Domain Admins" -Members $Department -Verbose -Server $Server}
        If ($Department -ne "Information Technology") {Add-ADGroupMember -Identity "Domain Users" -Members $Department -Verbose -Server $Server}
    }

    Write-Host ""

    #Users are placed in Users\<Country>\<State> OUs that are created on first use
    ForEach ($User In $Users)
    {
        If (!(Get-ADOrganizationalUnit -Filter "Name -eq `"$($User.Country)`"" -SearchBase $UserOU.DistinguishedName -Server $Server -ErrorAction SilentlyContinue))
        {
            $CountryOU = New-ADOrganizationalUnit -Name $User.Country -Path $UserOU.DistinguishedName -Country $User.Country -Verbose -Server $Server -PassThru
            Write-Host ""
        }
        Else
        {
            $CountryOU = Get-ADOrganizationalUnit -Filter "Name -eq `"$($User.Country)`"" -SearchBase $UserOU.DistinguishedName -Server $Server
        }

        If (!(Get-ADOrganizationalUnit -Filter "Name -eq `"$($User.State)`"" -SearchBase $CountryOU.DistinguishedName -Server $Server -ErrorAction SilentlyContinue))
        {
            $StateOU = New-ADOrganizationalUnit -Name $User.State -Path $CountryOU.DistinguishedName -State $User.State -Country $User.Country -Verbose -Server $Server -PassThru
            Write-Host ""
        }
        Else
        {
            $StateOU = Get-ADOrganizationalUnit -Filter "Name -eq `"$($User.State)`"" -SearchBase $CountryOU.DistinguishedName -Server $Server
        }

        $DestinationOU = Get-ADOrganizationalUnit -Filter "Name -eq `"$($User.State)`"" -SearchBase $CountryOU.DistinguishedName -Server $Server

        $CreateADUser = $User | Select-Object -Property @{Name="Path"; Expression={$DestinationOU.DistinguishedName}}, * | New-ADUser -Verbose -Server $Server -PassThru

        $AddADUserToGroup = Add-ADGroupMember -Identity $User.Department -Members $User.SamAccountName -Server $Server -Verbose

        Write-Host ""
    }

    #The first Manager found in each department becomes the manager of everyone in that department (string filters, so $Department expands reliably)
    ForEach ($Department In $Departments.Name)
    {
        $DepartmentManager = Get-ADUser -Filter "(Title -eq 'Manager') -and (Department -eq '$Department')" -Server $Server | Sort-Object | Select-Object -First 1
        $SetDepartmentManager = Get-ADUser -Filter "Department -eq '$Department'" -Server $Server | Set-ADUser -Manager $DepartmentManager -Server $Server -Verbose
    }

    Write-Host ""
}

#Stop logging script output
Write-Host "$($NewLine)"
Write-Warning -Message "Run `'$($ScriptName).ps1`' twice if nothing happens initially. This is due to the OU deletion confirmation prompt."
Stop-Transcript

--------------------------------------------------------------------------------
/Allfiles/Labs/readme.md:
--------------------------------------------------------------------------------
Use this folder to store any supplemental lab files needed to support demos in this course.

--------------------------------------------------------------------------------
/Allfiles/readme.md:
--------------------------------------------------------------------------------
Use this folder to store supplemental files for the labs or demos provided.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_00_SetUpLabResources.md:
--------------------------------------------------------------------------------
---
lab:
    title: '00 - Lab Setup'
    learning path: '01'
    module: 'Module 01 - Implement an identity management solution'
---

# Lab 00: Lab Environment Setup

## Lab scenario

You need to create a new Azure subscription and request an Azure AD P2 license to be ready to complete the upcoming labs.

#### Estimated time: 5 minutes

## Create an Azure account and add Azure Active Directory Premium P2 trial licenses

The tasks in this exercise and the exercises in this learning path require you to already have an Azure subscription that you can use or to sign up for an Azure trial account. If you already have your own Azure subscription, you may skip this task and continue to the next.

1. In a web browser, go to [https://azure.microsoft.com/free](https://azure.microsoft.com/free).

1. Scroll down through the page to learn more about the benefits and free services available.

1. Select **Start free**.

1. Use the wizard to sign up for your Azure trial subscription.

1. You will need an Azure AD P2 license to complete some of the exercises. In the organization you created, search for and then select **Azure Active Directory**.

1. In the left navigation menu, select **Getting started**.

1. Under Getting started with Azure AD, select **Get a free trial for Azure AD Premium**.

1. In the Activate pane, under **AZURE AD PREMIUM P2**, select **Free trial** and then select **Activate**.

1. In the navigation menu on the left, select **Overview**.

1. Refresh the browser until you see Azure AD Premium P2 under the organization name. It may take a couple of minutes.

1. You may need to sign out and sign back into Microsoft Azure if you encounter any problems with expected features not being available.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_02_WorkingWithTenantProperties.md:
--------------------------------------------------------------------------------
---
lab:
    title: '02 - Working with Tenant Properties'
    learning path: '01'
    module: 'Module 01 - Implement an Identity Management Solution'
---

# Lab 02: Working with tenant properties

### Login type = Microsoft 365 + E5 tenant log-in

## Lab scenario

You need to identify and update the different properties associated with your tenant.

#### Estimated time: 15 minutes

### Exercise 1 - Create a custom subdomain

#### Task 1 - Create a custom subdomain name

You would use Microsoft Entra ID to add a domain that you have purchased. If you want to create a subdomain to divide your existing .onmicrosoft.com domain, you have to use the Microsoft 365 admin center.

1. Browse to [https://entra.microsoft.com](https://entra.microsoft.com) and sign in using a Global administrator account for the directory.

1. In the **Identity** menu, use the **Show more** option at the bottom.

1. Open the **Settings** menu and select **Domain names**.

1. Select **+ Add custom domain**.

1. In the **Custom domain name** field, create a custom subdomain for the lab tenant by putting **sales** in front of the **onmicrosoft.com** domain name. The format will look similar to this:

   ```
   Sales.labTenantName.onmicrosoft.com
   ```

   **Note** - You will be prompted to open the Microsoft 365 Admin center to complete this action.

1. Select **Add domain** to add the subdomain.

1. Enter the subdomain name `sales.tenantname.onmicrosoft.com` into the dialog. Remember to replace *tenantname* with the name of your tenant.

1. Select the **Use this domain** button at the bottom of the screen.

1. Select the **Close** button when the next screen opens up. For the purpose of this lab we will not set up the DNS.

### Exercise 2 - Changing the tenant display name

#### Task 1 - Set the tenant name and technical contact

1. From within the Microsoft Entra admin center, open the **Identity** menu.

1. In the left navigation, select the **Overview** menu item, then select **Properties**.

1. Change the tenant properties for the **Name** and **Technical contact** in the dialog.

   | **Setting** | **Value** |
   | :--- | :--- |
   | Name | Contoso Marketing |
   | Technical contact | `your Global admin account` |

1. Select **Save** to update the tenant properties.

   **You will notice the name change immediately upon completion of the save.**

#### Task 2 - Review the Country or region and other values associated with your tenant

1. In the **Identity** menu, select **Overview**, then select **Properties**.

2. Under **Tenant properties**, locate **Country or region** and review the information.
72 | 73 | **IMPORTANT** - When the tenant is created, the Country or region are specified at that time. This setting cannot be changed later. 74 | 75 | 3. In the **Properties** page, under **Tenant properties**, locate **Location** and review the information. 76 | 77 | ![Screen image showing the Azure Active Directory Properties page with the Country or region and Location settings highlighted](./media/azure-active-directory-properties-country-location.png) 78 | 79 | #### Task 3 - Finding the tenant ID 80 | 81 | Azure subscriptions have a trust relationship with Microsoft Entra ID. Microsoft Entra ID is trusted to authenticate users, services, and devices for the subscription. Each subscription has a tenant ID associated with it, and there are a few ways you can find the tenant ID for your subscription. 82 | 83 | 1. Open the Microsoft Entra admin center [https://entra.microsoft.com](https://entra.microsoft.com) 84 | 85 | 1. In the **Identity** menu, select **Overview**, then select **Properties**. 86 | 87 | 1. Under **Tenant properties**, locate **Tenant ID**. This is your unique tenant identifier. 88 | 89 | ![Screen image displaying the Tenant properties page with the Tenant ID box highlighted](./media/portal-tenant-id.png) 90 | 91 | **Note** - It is helpful if you record your Tenant-Id note Notepad or other location for use in future labs. 92 | 93 | ### Exercise 3 - Setting your privacy information 94 | 95 | #### Task 1 - Adding your privacy info on Microsoft Entra ID, including Global privacy contact and Privacy statement URL 96 | 97 | Microsoft strongly recommends you add both your global privacy contact and your organization's privacy statement, so your internal employees and external guests can review your policies. Because privacy statements are uniquely created and tailored for each business, we strongly recommend you contact a lawyer for assistance. 
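The properties reviewed in Exercise 2 (name, technical contact, country or region, tenant ID) and the privacy settings configured in this exercise are all attributes of the organization object in Microsoft Graph, so they can be audited in one pass from Microsoft Graph PowerShell. The following script is an added example for this page, not part of the lab or of the Microsoft.Graph module; it assumes the module is installed and that the `Organization.Read.All` permission is sufficient for a read-only check. The function names `Get-TenantPropertyReport` and `Test-PrivacyProfile` are this example's own.

```powershell
# Added example (not part of the lab): audit the tenant properties reviewed in
# Exercise 2 and the privacy profile set in Exercise 3 with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed; Organization.Read.All is enough
# for a read-only report (updating these values needs Organization.ReadWrite.All).
Connect-MgGraph -Scopes "Organization.Read.All" -NoWelcome

function Get-TenantPropertyReport {
    # A tenant has exactly one organization object; Select-Object guards against a collection.
    $org = Get-MgOrganization | Select-Object -First 1

    [pscustomobject]@{
        TenantId            = $org.Id                           # the value recorded in Task 3
        DisplayName         = $org.DisplayName                  # "Contoso Marketing" after Exercise 2
        CountryOrRegion     = $org.CountryLetterCode            # fixed at tenant creation
        TechnicalContacts   = ($org.TechnicalNotificationMails -join ';')
        PrivacyContact      = $org.PrivacyProfile.ContactEmail  # Global privacy contact
        PrivacyStatementUrl = $org.PrivacyProfile.StatementUrl  # Privacy statement URL
    }
}

function Test-PrivacyProfile {
    # Returns a list of findings; an empty list means both privacy values are set.
    param([Parameter(Mandatory)] $Report)

    $findings = @()
    if ([string]::IsNullOrWhiteSpace($Report.PrivacyContact)) {
        $findings += 'No global privacy contact set; Microsoft will contact the global administrators instead.'
    }
    if ([string]::IsNullOrWhiteSpace($Report.PrivacyStatementUrl)) {
        $findings += 'No privacy statement URL set; guests will see "has not provided links to their terms".'
    } elseif ($Report.PrivacyStatementUrl -notmatch '^https://') {
        # Assumption of this example: the statement should be served over HTTPS.
        $findings += 'Privacy statement URL is not HTTPS.'
    }
    return $findings
}

$report = Get-TenantPropertyReport
$report | Format-List
Test-PrivacyProfile -Report $report
```

Run the report before and after completing Task 1 below: the first run should list both privacy findings, and the second run should return nothing. Keep the TenantId value from the report for the later labs that ask for it.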
**NOTE** - For information about viewing or deleting personal data, see [https://docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-azure](https://docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-azure). For more information about GDPR, see [https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).

You add your organization's privacy information in the **Properties** area of Microsoft Entra ID. To access the Properties area and add your privacy information:

1. In the **Identity** menu, select **Overview**, then select **Properties**.

![Screen image displaying tenant properties with the Technical contact, Global contact, and Privacy statement boxes highlighted](./media/properties-area.png)

2. Add your privacy info for your employees:

   - **Global privacy contact** - `AllanD@` **your Azure lab domain**
     - Allan Deyoung is a built-in user in your Azure lab tenant who works as an IT Admin; we will use him as the privacy contact.
     - This person is also who Microsoft contacts if there's a data breach. If there's no person listed here, Microsoft contacts your global administrators.

   - **Privacy statement URL** -
     - A sample privacy PDF is provided in your labs directory.
     - Type the link to your organization's document that describes how your organization handles both internal and external guests' data privacy.

**IMPORTANT** - If you don't include either your own privacy statement or your privacy contact, your external guests will see text in the Review Permissions box that says **** has not provided links to their terms for you to review. For example, a guest user will see this message when they receive an invitation to access an organization through B2B collaboration.

![B2B Collaboration Review permissions box with message](./media/active-directory-no-privacy-statement-or-contact.png)

3. Select **Save**.

#### Task 2 - Check your Privacy Statement

1. Return to the Azure Home screen - Dashboard.
2. In the upper-right corner of the UI, select your username.
3. Choose **View account** from the dropdown menu.

**A new browser tab will open automatically.**

4. Select **Settings & Privacy** on the left menu.
5. Select **Privacy**.
6. Under **Organization's notice**, select the **View** item next to the Contoso Marketing organizational privacy statement.

**A new browser tab will open with the Privacy PDF file you linked to displayed.**

7. Review the sample Privacy statement.
8. Close the browser tab with the PDF in it.
9. Close the browser tab displaying the **My Account** items.

-------------------------------------------------------------------------------- /Instructions/Labs/Lab_03_AssignLicensesToUsersByGroupMembershipAAD.md: --------------------------------------------------------------------------------
---
lab:
  title: '03 - Assigning licenses using group membership'
  learning path: '01'
  module: 'Module 01 - Implement an identity management solution'
---

# Lab 03: Assigning licenses using group membership

### Login type = Microsoft 365 + E5 tenant log-in

## Lab scenario

Your organization has decided to use security groups in Microsoft Entra ID to manage licenses. You need to configure a new security group, assign a license to that group, and verify that the group members' licenses have been updated.

#### Estimated time: 25 minutes

### Exercise 1 - Create a security group and add a user

#### Task 1 - Check to see if Delia Dennis has access to Office 365

1. Launch a new InPrivate browser window.
2. Connect to [https://www.office.com](https://www.office.com).
3. Select Sign in and connect as Delia Dennis.

| **Setting** | **Value** |
| :--- | :--- |
| Username | DeliaD@`your domain name.com` |
| Password | Enter the user password provided for DeliaD |

4. You should connect to the Office.com website, but see a message indicating you don't have a license.

![Screen image of the Office.com website with Delia Dennis logged in but no Office applications available, because no license is assigned.](./media/delia-no-office-license.png)

5. Close the browser window.

#### Task 2 - Create a security group in Microsoft Entra ID

1. Browse to [https://entra.microsoft.com](https://entra.microsoft.com).

2. In the left navigation, under **Identity**, select **Groups**, then select **All groups**.
3. In the Groups page, on the menu, select **New group**.
4. Create a group using the following information:

| **Setting** | **Value** |
| :--- | :--- |
| Group type | Security |
| Group name | sg-SC300-O365 |
| Membership type | Assigned |
| Owners | *Assign your own administrator account as the group owner* |

5. Select the **No members selected** text under Members.
6. Select **Delia Dennis** from the list of users.
7. Select the **Select** button.

![Screen image displaying the New Group page with Group type, Group name, Owners, and Members highlighted](./media/lp1-mod2-create-group.png)

8. Select the **Create** button.
9. When complete, verify the group named **sg-SC300-O365** is shown in the **All groups** list.

#### Task 3 - Add an Office license to sg-SC300-O365

**Lab Tip** - You have to add and remove licenses via the Microsoft 365 admin center. This is a relatively new change.

1. Open a new tab in your browser.

2. Connect to the Microsoft 365 admin center at http://admin.microsoft.com.

3. Log in with your administrator account if prompted.

4. From the menu on the left, select **Billing** and then select **Licenses**.

5. Select the **Office 365 E3** license from the list.

6. Select the **Groups** tab on the licensing screen.

7. Choose the **+ Assign licenses** item.

8. Search for the **sg-SC300-O365** group, then select it from the list.

9. Once you have added the group, select **Assign**.

10. Close the confirmation message.

11. Return to the browser tab with the **Microsoft Entra admin center** open.

12. Navigate back to **All groups**: in the left navigation, under **Identity**, select **Groups**.

13. In the Groups page, select **sg-SC300-O365**.

14. In the left navigation, select **Licenses**.

15. Notice that the Office 365 E3 license has been assigned.

16. You can exit out of the license screen.

#### Task 4 - Confirm the Office 365 license

1. Launch a new InPrivate browser window.
2. Connect to [https://www.office.com](https://www.office.com).
3. Select Sign in and connect as Delia Dennis.

| **Setting** | **Value** |
| :--- | :--- |
| Username | DeliaD@`your domain name.com` |
| Password | Enter the password provided for DeliaD |

4. You should connect to the Office.com website and see no messages regarding licensing. All of the Office applications are available on the left.

![Screen image of the Office.com website with Delia Dennis logged in with Office applications available, because a license is assigned.](./media/delia-office-license.png)

5. Close the browser window.
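Exercise 1 assigns the license through the admin center and verifies it by signing in as the user. Group-based licensing is also exposed through Microsoft Graph, which lets you script the assignment and check the inherited license without a second browser session. The script below is an added example for this page, not code from the lab or from the Microsoft.Graph module. It assumes the group name from Task 2, that the `ENTERPRISEPACK` SKU part number corresponds to the Office 365 E3 license used in Task 3, and a placeholder user principal name that you replace with your lab domain; the function names are this example's own.

```powershell
# Added example (not part of the lab): assign a license to a group and confirm a
# member inherits it, using Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph is installed, the group from Task 2 exists,
# ENTERPRISEPACK is the SkuPartNumber of the Office 365 E3 license, and $UserUpn
# is replaced with the lab domain.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All", "User.Read.All" -NoWelcome

$GroupName = 'sg-SC300-O365'
$SkuPart   = 'ENTERPRISEPACK'           # assumed SkuPartNumber for Office 365 E3
$UserUpn   = 'DeliaD@yourdomain.com'    # placeholder: replace with your lab domain

function Get-SkuIdByPartNumber([string] $PartNumber) {
    # Look the SKU up by part number so the GUID is never hard-coded.
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU '$PartNumber' is not present in this tenant." }
    # Warn early if no seats remain; otherwise each member would fail individually later.
    if ($sku.PrepaidUnits.Enabled -le $sku.ConsumedUnits) {
        Write-Warning "SKU '$PartNumber' has no free seats ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled) used)."
    }
    return $sku.SkuId
}

function Set-GroupLicense([string] $Name, [string] $PartNumber) {
    $group = Get-MgGroup -Filter "displayName eq '$Name'" | Select-Object -First 1
    if (-not $group) { throw "Group '$Name' not found." }
    $skuId = Get-SkuIdByPartNumber $PartNumber
    # Same operation as "Assign licenses" on the Groups tab of the admin center.
    Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $skuId }) -RemoveLicenses @() | Out-Null
    return $group.Id
}

function Test-UserLicense([string] $Upn, [string] $PartNumber) {
    # Licenses inherited through a group appear in the user's license details
    # once group license processing has run.
    $details = Get-MgUserLicenseDetail -UserId $Upn
    return [bool] ($details | Where-Object SkuPartNumber -eq $PartNumber)
}

$groupId = Set-GroupLicense -Name $GroupName -PartNumber $SkuPart
if (Test-UserLicense -Upn $UserUpn -PartNumber $SkuPart) {
    "$UserUpn has $SkuPart (inherited via group $groupId)."
} else {
    "$UserUpn does not yet show $SkuPart; group license processing can take a few minutes."
}
```

Group license processing is asynchronous, so a negative result immediately after the assignment is normal; re-run `Test-UserLicense` after a few minutes, which is the same delay the portal check in Task 4 is subject to.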
### Exercise 2 - Create a Microsoft 365 group in Microsoft Entra ID

#### Task 1 - Create the group

Part of your duties as a Microsoft Entra administrator is to create different types of groups. You need to create a new Microsoft 365 group for your organization's sales department.

1. Browse to [https://entra.microsoft.com](https://entra.microsoft.com).

2. In the left navigation, under **Identity**, select **Groups**, then select **All groups**.

3. In the Groups page, on the menu, select **New group**.

4. Create a group using the following information:

| **Setting** | **Value** |
| :--- | :--- |
| Group type | Microsoft 365 |
| Group name | Northwest Sales |
| Membership type | Assigned |
| Owners | *Assign your own administrator account as the group owner* |
| Members | **Alex Wilber** and **Bianca Pisani** |

![Screen image displaying the New Group page with Group type, Group name, Owners, and Members highlighted](./media/lp1-mod2-create-o365-group.png)

5. When complete, verify the group named **Northwest Sales** is shown in the **All groups** list.

### Exercise 3 - Creating a dynamic group with all users as members

#### Task 1 - Create the dynamic group

As your company grows, manual group management is too time consuming. Since standardizing the directory, you can now take advantage of dynamic groups. You must create a new dynamic group to ensure you're ready for dynamic group creation in production.

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) with a provided administrator account. You need at least the User Administrator role in the tenant.

2. Select **Identity**.

3. Under **Groups**, select **All groups**, and then select **New group**.

4. On the New Group page, under **Group type**, select **Security**.

5. In the **Group name** box, enter **SC300-myDynamicGroup**.

6. Select the **Membership type** menu and then select **Dynamic User**.

7. Select an **Owner** for the group.

8. Under **Dynamic user members**, select **Add dynamic query**.

9. On the right above the **Rule syntax** box, select **Edit**.

10. In the Edit rule syntax pane, enter the following expression in the **Rule syntax** box:

```powershell
user.objectId -ne null
```

**Warning** - the `user.objectId` is case sensitive.

11. Select **OK**. The rule appears in the Rule syntax box.

![Screen image displaying the dynamic group membership rules page with rule syntax highlighted](./media/lp1-mod3-dynamic-group-membership-rule.png)

12. Select **Save**. The new dynamic group will now include B2B guest users as well as member users.

13. On the New group page, select **Create** to create the group.

#### Task 2 - Verify the members have been added

**Note** - The population of dynamic group membership may take up to 15 minutes.

1. Select **Home** in the `Microsoft Entra admin center`.
2. Launch **Identity**.
3. In the **Groups** menu, select **All groups**.
4. In the filter box, type **SC300** and your newly created group will be listed.
5. Select **SC300-myDynamicGroup** to open the group.
6. Notice that it shows that it contains 30+ **Direct members**.
7. Select **Members** in the **Manage** menu.
8. Review the members.

#### Task 3 - Experiment with alternate rules

1. Try making a group with only **Guest** users:

   - `(user.objectId -ne null) and (user.userType -eq "Guest")`

2. Try making a group with only **Members** of the Microsoft Entra users:

   - `(user.objectId -ne null) and (user.userType -eq "Member")`

**Lab Tip** - If you get a Failed to Create Group message mentioning an Invalid Operator, confirm the spelling of the operator. Note that the I in objectId and the T in userType are capital letters.

-------------------------------------------------------------------------------- /Instructions/Labs/Lab_04_ConfigureExternalCollaborationSettings.md: --------------------------------------------------------------------------------
---
lab:
  title: '04 - Configure external collaboration settings'
  learning path: '01'
  module: 'Module 01 - Implement an identity management solution'
---

# Lab 04: Configure external collaboration settings

### Login type = Microsoft 365 admin

## Lab scenario

You must enable external collaboration settings for your organization so that approved guests can be given access.

#### Estimated timing: 5 minutes

### Exercise 1 - Allowing guest users to be invited into your organization

#### Task 1 - Enable guest users to perform self-service sign-up

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) as a tenant administrator.
2. Select **Identity**, then select **Users**.
3. Open the **All users** menu item, then select **User settings**.
4. Select **Manage external user collaboration settings**.
5. Ensure that **YES** is marked for the setting **Enable guest self-service sign up via user flows**.
6. Select **Save** at the top of the screen.

#### Task 2 - Configure external collaboration settings

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) as a tenant administrator.
2. Select **Identity**.
3. Select **External Identities**, and then select **All identity providers**.
4. Select the **Email one-time passcode** item in the list of providers, then select **Configured**.
**Note** - A one-time passcode is a very secure way to invite a user to join your organization.

5. Ensure that **Yes** is selected.
6. Select **Save** if needed.
7. Return to the **External Identities** menu.
8. Select **External collaboration settings** on the left.

9. Under **Guest user access**, review the access levels that are available and then select **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)**.

**NOTE**
- Guest users have the same access as members (most inclusive): This option gives guests the same access to Microsoft Entra resources and directory data as member users.
- Guest users have limited access to properties and memberships of directory objects: (Default) This setting blocks guests from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all non-hidden groups.
- Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): With this setting, guests can access only their own profiles. Guests are not allowed to see other users' profiles, groups, or group memberships.

![Screen image displaying guest user access restriction options](./media/lp1-mod3-guest-user-access-restrictions.png)

10. Under **Guest invite settings**, select **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**.

**NOTE**
- Anyone in the organization can invite guest users including guests and non-admins (most inclusive): To allow guests in the organization to invite other guests, including those who are not members of an organization, select this radio button.
- Member users and users assigned to specific admin roles can invite guest users including guests with member permissions: To allow member users and users who have specific administrator roles to invite guests, select this radio button.
- Only users assigned to specific admin roles can invite guest users: To allow only those users with administrator roles to invite guests, select this radio button. The administrator roles include Global Administrator, User Administrator, and Guest Inviter.
- No one in the organization can invite guest users including admins (most restrictive): To deny everyone in the organization from inviting guests, select this radio button.
- If Members can invite is set to No and Admins and users in the guest inviter role can invite is set to Yes, users in the Guest Inviter role will still be able to invite guests.

![Screen image displaying guest invite settings with Guests can invite set to No and highlighted](./media/lp1-mod3-guest-user-invite-settings.png)

11. Under **Collaboration restrictions**, review the available options and accept the default settings.

**IMPORTANT**
- You can create either an allow list or a deny list. You can't set up both types of lists. By default, whatever domains are not in the allow list are on the deny list, and vice versa.
- You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one.
- The number of domains you can add to an allow list or deny list is limited only by the size of the policy. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allow list or deny list and any other parameters configured for other features.
- This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or deny list for OneDrive for Business and SharePoint Online.
- The list does not apply to external users who have already redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the invitation will fail.

12. When finished, **Save** your changes.

-------------------------------------------------------------------------------- /Instructions/Labs/Lab_05_AddGuestUsersToTheDirectory.md: --------------------------------------------------------------------------------
---
lab:
  title: '05 - Add guest users to the directory'
  learning path: '01'
  module: 'Module 01 - Implement an identity management solution'
---

# Lab 05: Add guest users to the directory

### Login type = Microsoft 365 admin

## Lab scenario

Your company works with many vendors and, on occasion, you need to add some vendor accounts to your directory as guests.

#### Estimated time: 20 minutes

### Exercise 1 - Add guest users to the directory

#### Task - Add the guest user

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) as a user who is assigned a limited administrator directory role or the Guest Inviter role, or as a Global Administrator.

2. Select **Identity**.

3. Under **Users**, select **All users**.

4. Select **+ New user**.

5. On the New user menu, select **Invite external user** and then add your information as the guest user.

**NOTE** - Group email addresses are not supported; enter the email address for an individual. Also, some email providers allow users to add a plus symbol (+) and additional text to their email addresses to help with things like inbox filtering.
However, Microsoft Entra ID does not currently support plus symbols in email addresses. To avoid delivery issues, omit the plus symbol and any characters following it up to the @ symbol.

6. Enter an email address, such as **sc300externaluser1@sc300email.com**.

7. Select the **Properties** tab.

8. On the Users page, verify your account is listed and, in the **User type** column, verify **Guest** is shown.

9. When complete, select **Review + invite**, then select **Invite**.

After you send the invitation, the user account is automatically added to the directory as a guest.

### Exercise 2 - Invite guest users in bulk

#### Task 1 - Bulk user invite

A recent partnership has been established with another company. For now, employees of the partner company will be added as guests. You need to ensure you can import multiple guest users at one time.

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) as your Global Administrator.

2. In the navigation pane, select **Identity**.

3. Under **Users**, select **All users**.

4. On the Users page, on the menu, select **Bulk operations > Bulk invite**.

![Screen image displaying the All users page with the Bulk operations and Bulk invite menu options highlighted](./media/lp1-mod3-bulk-invite-option.png)

5. In the Bulk invite users pane, select **Download** to get a sample CSV template with invitation properties.

6. Using an editor to view the CSV file, review the template.

7. Open the .csv template and add a line for each guest user. Required values are:

- **Email address to invite** - the user who will receive an invitation
- **Redirection url** - the URL to which the invited user is forwarded after accepting the invitation.

![Screen image displaying the example bulk invite guests template CSV](./media/lp1-mod3-template-csv.png)

**Lab Tip** - The users listed in the screenshot and the template files are examples; they don't really exist. You will have to add real users to fully test this feature.

8. Save the file.

9. On the Bulk invite users page, under **Upload your csv file**, browse to the file.

**Note** - When you select the file, validation of the .csv file starts.

10. After the file contents are validated, you will see **File uploaded successfully**. If there are errors, you must fix them before you can submit the job.

![Screen image displaying Bulk invite users with File uploaded successfully message highlighted](./media/lp1-mod3-bulk-invite-users-upload-csv.png)

11. When your file passes validation, select **Submit** to start the Azure bulk operation that adds the invitations.

12. To view the job status, select **Select here to view the status of each operation**. Or, you can select **Bulk operation results** in the Activity section. For details about each line item within the bulk operation, select the values under the **# Success**, **# Failure**, or **Total Requests** columns. If failures occurred, the reasons for failure will be listed.

![Screen image displaying the results of a bulk operation](./media/lp1-mod3-bulk-operations-results.png)

13. When the job completes, you will see a notification that the bulk operation succeeded.

#### Task 2 - Invite guest users with PowerShell

1. Open PowerShell as an administrator. This can be done by searching for PowerShell in Windows and choosing Run as administrator.

**Note** - You need to have PowerShell version 7.2 or higher for this lab to function. When PowerShell opens you will see the version at the top of the screen; if you are running an older version, please update or this portion of the lab will fail.

**Lab Tip** - The TouchType feature in the lab environment has issues typing into PowerShell. If you launch Notepad in your lab, then use TouchType to load the PowerShell instructions into Notepad, you can use **Cut & Paste** to enter them into PowerShell without typing.

2. You will need to install the Microsoft.Graph PowerShell module if you have not used it before. Run the following command and, when prompted to confirm, press Y:

```powershell
Install-Module Microsoft.Graph
```

3. Confirm the Microsoft.Graph module is installed:

```powershell
Get-InstalledModule Microsoft.Graph
```

4. Next, you will need to sign in by running:

```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All"
```

The Edge browser will open and you will be prompted to sign in. Use the MOD Administrator account to connect. Mark the consent box, then accept the permissions request; then close the browser window.

5. Set the values for the email and redirect URL for the external user:

```powershell
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
    invitedUserEmailAddress = "admin@fabrikam.com"
    inviteRedirectUrl = "https://myapp.contoso.com"
}
```

6. Run the New-MgInvitation command to invite the external user:

```powershell
New-MgInvitation -BodyParameter $params
```

7. You can close PowerShell at this point.

You now know how to invite users within the Microsoft Entra admin center and the Microsoft 365 admin center, with bulk invitations from a CSV file, and with PowerShell commands. You can go into the Microsoft Entra admin center and check All users to see that ADMIN has been added as an external user.
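Task 1 imports guests from a CSV through the portal's bulk operation, and Task 2 invites a single guest with `New-MgInvitation`. The two combine naturally: a script that reads the same two required values from a CSV, validates each row against the rules this lab states (individual addresses only, no plus symbol), and then issues one `New-MgInvitation` call per row. The script below is an added example for this page, not part of the lab or of the Microsoft.Graph module. The CSV content and its column names are constructed for the example and will differ from the portal's template; the addresses do not exist; `User.Invite.All` is assumed to be the least-privileged permission for sending invitations; and the HTTPS requirement on the redirect URL is this example's own policy, not a rule from the lab.

```powershell
# Added example (not part of the lab): invite several guests from a CSV with
# Microsoft Graph PowerShell, combining the CSV of Task 1 with the
# New-MgInvitation call of Task 2.
# Assumptions: Microsoft.Graph is installed; User.Invite.All is enough to invite;
# the column names below are this example's own and do not match the portal template.
Connect-MgGraph -Scopes "User.Invite.All" -NoWelcome

# Constructed sample CSV for this example (none of these addresses exist).
$csvText = @'
InviteeEmail,RedirectUrl,DisplayName
vendor.one@example.com,https://myapps.microsoft.com,Vendor One
vendor+billing@example.com,https://myapps.microsoft.com,Vendor Billing
billing@example.com,http://myapps.microsoft.com,Billing
'@

function Test-InviteeEmail([string] $Email) {
    # Returns $null when the address is acceptable, otherwise a reason string.
    # The lab's rules: an individual mailbox, and no plus-addressing.
    if ($Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { return 'not a valid email address' }
    if ($Email -match '\+') { return 'plus symbol in the address is not supported' }
    return $null
}

function Invoke-GuestInvites([string] $Csv, [switch] $DryRun) {
    $results = foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $problem = Test-InviteeEmail $row.InviteeEmail
        # Example policy (not from the lab): only redirect to HTTPS destinations.
        if (-not $problem -and $row.RedirectUrl -notmatch '^https://') {
            $problem = 'redirect URL must use https'
        }
        if ($problem) {
            [pscustomobject]@{ Email = $row.InviteeEmail; Status = 'skipped'; Detail = $problem }
            continue
        }
        # Same body shape as the lab's $params hashtable, plus display name and mail flag.
        $params = @{
            invitedUserEmailAddress = $row.InviteeEmail
            inviteRedirectUrl       = $row.RedirectUrl
            invitedUserDisplayName  = $row.DisplayName
            sendInvitationMessage   = $true
        }
        if ($DryRun) {
            [pscustomobject]@{ Email = $row.InviteeEmail; Status = 'would invite'; Detail = $row.RedirectUrl }
            continue
        }
        try {
            $inv = New-MgInvitation -BodyParameter $params
            [pscustomobject]@{ Email = $row.InviteeEmail; Status = $inv.Status; Detail = $inv.InvitedUser.Id }
        } catch {
            [pscustomobject]@{ Email = $row.InviteeEmail; Status = 'failed'; Detail = $_.Exception.Message }
        }
    }
    return $results
}

# Dry run first: the first row is reported as "would invite", the second is skipped for
# its plus symbol, the third for its http redirect. Remove -DryRun to send the invitations.
Invoke-GuestInvites -Csv $csvText -DryRun | Format-Table -AutoSize
```

The per-row result objects play the role of the **# Success** / **# Failure** columns of the portal's bulk operation results: every row is accounted for, and a failed `New-MgInvitation` call is recorded with its error rather than aborting the rest of the batch.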
140 | -------------------------------------------------------------------------------- /Instructions/Labs/Lab_06_AddFederatedIdentityProvider.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: '06 - Add a federated identity provider' 4 | learning path: '01' 5 | module: 'Module 01 - Implement an identity management solution' 6 | --- 7 | 8 | # Lab 06: Add a federated identity provider 9 | 10 | ### Login type = Microsoft 365 admin 11 | 12 | ## Lab scenario 13 | 14 | Your company works with many vendors and, on occasion, you need to add some vendor accounts to your directory as a guest and allow them to use their Google account to sign-in. 15 | 16 | #### Estimated time: 25 minutes 17 | 18 | ### Exercise 1 - Configure identity providers 19 | 20 | #### Task 1 - Configure Google to be used as an identity provider 21 | 22 | **Important Note** - For this exercise, you will need a Gmail account on Google. Create a **new Google account** and then follow the steps for the exercise. Be sure to note the email address and password, they are necessary to complete the lab. 23 | 24 | 1. Go to the Google APIs at https://console.developers.google.com, and sign in with your Google account. We recommend that you use a shared team Google account. 25 | 26 | 2. Accept the terms of service if you're prompted to do so. 27 | 28 | **Create a new project:** 29 | 3. At the top of the page, select the project menu to open the Select a project page. Choose **New Project**. Leave the remaining fields with the default settings. 30 | 31 | 4. On the New Project page, give the project a name (for example, **MyB2BApp**), and then select **Create**. 32 | 33 | 5. Open the new project by selecting the link in the Notifications message box or by using the project menu at the top of the page. 34 | 35 | 6. In the left menu, select **APIs & Services**, and then select **OAuth consent screen**. 36 | 37 | 7. 
Under User Type, select **External**, and then select **Create**. 38 | 39 | 8. On the **OAuth consent screen**, under App information, enter an App name, such as **Microsoft Entra ID**. 40 | 41 | 9. Under User support email, select an email address. This should include the email address that you used to log into Google. 42 | 43 | 10. Under Authorized domains, select **+ Add domain**, and then add the microsoftonline.com domain. 44 | 45 | ``` 46 | microsoftonline.com 47 | ``` 48 | 49 | 11. Under Developer contact information, enter the email address for the lab account that you used to sign into the portal. 50 | 51 | 12. Select **Save and continue**. 52 | 53 | 13. In the left menu, select **Credentials**. 54 | 55 | 14. Select **+ Create credentials**, and then select **OAuth client ID**. 56 | 57 | 15. In the Application type menu, select Web application. Give the application a suitable name, like Microsoft Entra B2B. Under **Authorized redirect URIs**, add the following URIs: 58 | 59 | ``` 60 | https://login.microsoftonline.com 61 | ``` 62 | https://login.microsoftonline.com/te/**tenant ID**/oauth2/authresp 63 | (where is your tenant ID) 64 | ``` 65 | https://login.microsoftonline.com/te/**tenant name**.onmicrosoft.com/oauth2/authresp 66 | (where is your tenant name) 67 | ``` 68 | 69 | **Lab Tip** - Results should look similar to this, with your Tenant ID and Tenant Name. 70 | | URI # | Link | 71 | | :--- | :--- | 72 | | URIs 1 | https://login.microsoftonline.com | 73 | | URIs 2 | https://login.microsoftonline.com/te/aaaa1111bbbb2222cccc | 74 | | URIs 3 | https://login.microsoftonline.com/te/MyTenantName.onmicrosoft.com/oauth | 75 | 76 | 16. Select **Create**. Copy your **client ID** and **client secret**. You'll use them when you add the identity provider in the Azure portal. 77 | 78 | 17. You can leave your project at a publishing status of Testing. 79 | 80 | #### Task 2 - Add a test user 81 | 18. Select the **OAuth consent screen** under APIs and Services menu. 
82 | 83 | 19. In the **Test Users* section of the page, choose **+ Add Users**. 84 | 85 | 20. Enter the gmail account you created (or are using) for this lab. 86 | 87 | 21. Select **Save** 88 | 89 | 90 | ### Exercise 2 - Configure Azure to work with an External identity provider 91 | 92 | #### Task 1 - Configure Microsoft Entra ID for Google federation 93 | 1. Sign in to the [https://entra.microsoft.com](https://entra.microsoft.com) as an admin. 94 | 95 | 2. Select **Microsoft Entra ID**. 96 | 97 | 3. Under **Identity**, select **External Identities**. 98 | 99 | 4. Choose **All identity providers** from the menu on the left. 100 | 101 | 5. Microsoft provides a direct federation for **Google** as an identity provider.  This can be initiated by selecting **+ Google** from the **External Identities | All identity providers** page 102 | 103 | 6. After selecting + Google, another page will open with additional information that is required to configure Google as an identity provider. 104 | 105 | 7. Enter the **Client ID** and **Client secret** you obtained earlier. 106 | 107 | 8. Select **Save**. 108 | 109 | This completes the configuration of Google as an identity provider. 110 | 111 | #### Task 2 - Invite you Test User account 112 | 9. If you used an existing Gmail account, remember to delete the account with **External Identities | All identity providers**. You can also return to the Google developer console and delete the project that you created. 113 | 114 | 10. Open Microsoft Entra ID. 115 | 116 | 11. Go to Users and select **All users**. 117 | 118 | 12. Select **+ New User**. 119 | 120 | 13. Choose **Invite external user** from the dropdown menu. 121 | 122 | 14. Enter the information for the gmail account you set up as a test user for the Google App in Exercise 1 Task 2. 123 | 124 | 15. Enter a personal message as you want. 125 | 126 | 16. Select **Invite**. 127 | 128 | #### Task 3 - Accept the invitation and login 129 | 17. 
Use an InPrivate browser to log into your Gmail account.

18. Open the **Microsoft Invitation on behalf of** message in the Inbox.

19. Select the **Accept invitation** link in the message.

20. Enter your username and password in the login dialog (if requested).

**NOTE** If the federation is working correctly, this is where you will see the first result of your new Google external identity provider: you are taken to the login screen and can sign in with your Gmail credentials. If the federation is not working, or has not been set up, the user is instead sent an account verification email after signing in, to confirm the account. With federation in place, no extra verification is needed.

**NOTE** If you get an access error 500, wait about 30 seconds and refresh the page. Choose to RESUBMIT. This error is a timing issue only in the lab environment.

21. Read over the **Permissions requested by:** message that you get. This message is coming from your Azure lab domain.

22. Choose **Accept**.

23. Once login is complete, you are sent to the My Apps page.

#### Task 4 - Log in to Microsoft 365 using your Google account

24. Once you have finished the external user invite process of Task 3, you can log directly into Microsoft Online.

25. Open a new tab in the browser you have open.

**NOTE** If you did not open a new InPrivate browser in Task 3, you should do so for this step.

26. Enter the following web address:

```
login.microsoftonline.com
```

27. Select **Sign-in options** on the dialog.

28. Choose **Sign in to an organization**.

29. Enter your **lab tenant domain name** in the box and select **Next**.

30. Enter the **Google** email address and password that you created.
At this point, you should see your account passed to Google for confirmation; then you enter the Microsoft Office portal.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_08_EnableAzureADMultiFactorAuthentication.md:
--------------------------------------------------------------------------------
---
lab:
    title: '08 - Enable multi-factor authentication'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 08 - Enable multi-factor authentication

### Login type = Microsoft 365 + E5 tenant log-in

## Lab scenario

To improve security in your organization, you've been directed to enable multifactor authentication for Microsoft Entra ID.

#### Estimated time: 15 minutes

**IMPORTANT** - A Microsoft Entra ID Premium license is required for this exercise.

### Exercise 1 - Review and enable Multi-factor Authentication in Azure

#### Task 1 - Review Azure Multi-Factor Authentication options

1. Browse to [https://entra.microsoft.com](https://entra.microsoft.com) and sign in using a Global administrator account for the directory.

2. Use the search feature and search for **multifactor**.

3. In the search results, select **Multifactor authentication**.

Alternatively, you can open **Identity**, then select **Protection**, and select **Multifactor authentication**.

4. On the Getting started page, under **Configure**, select **Additional cloud-based MFA settings**.

![Screenshot showing MFA options in the dashboard](./media/lp2-mod1-set-additional-mfa-settings.png)

5. In the new browser page, you can see the MFA options for Azure users and service settings.
![Screenshot showing MFA configuration](./media/lp2-mod1-mfa-settings.png)

This is where you select the supported authentication methods; in the screen above, all of them are selected.

You can also enable or disable app passwords here. App passwords allow users to create unique account passwords for apps that don't support multi-factor authentication, so that the user can authenticate with their Microsoft Entra identity using a different password specific to that app. Because an app password lets a client sign in without a second factor, leave this disabled unless you still have legacy clients that need it.

#### Task 2 - Set up Conditional Access rules for MFA for Delia Dennis

Next let's examine how to set up Conditional Access policy rules that enforce MFA for a specific user accessing specific apps.

1. Switch back to the Microsoft Entra admin center and select **Identity**, then **Protection**, and then **Conditional access**.

2. On the menu, select **+ New policy**. From the drop down select **+ Create new policy**.

![Screenshot highlighting the New Policy button in the Microsoft Entra admin center.](./media/lp2-mod1-azure-ad-conditional-access-policy.png)

3. Name your policy, for example **MFA_for_Delia**.

4. Select **Users or workload identities** under Assignments.

- Select **0 users or workload identities selected**.
- On the right side of the screen, select the **Select users and groups** check box to configure.
- Check **Users and groups** (available users are populated to the right).
- Choose **Delia Dennis** from the list of users, then choose the **Select** button.

5. Select **No target resources selected** under Target resources.

- In the dropdown, make sure **Cloud apps** is selected.
- Under Include, mark **Resources (formerly cloud apps)** and note the warning that pops up about possibly locking yourself out.
- Now under the Include section, choose the **Select resources** item.
- In the **Select** section, select the **None** link.
- In the newly opened dialog, choose **Office 365**.
- **Reminder** - in a previous lab we gave Delia Dennis an Office 365 license and logged in to ensure it worked.
- Choose **Select**.

6. Choose a network location in the Conditions section, then select **Not configured**.

- In the **Conditions** section, choose the **0 conditions selected** link.
- At the bottom of the newly opened menu find the **Locations** section, and select **Not configured**.
- Choose **Yes** for the **Configure** item.
- Select **Any network or location**.

7. Under **Access Controls**, find the **Grant** section and select the **0 controls selected** link.

- Select the **Require multifactor authentication** check box to enforce MFA.
- Ensure that **Require all the selected controls** is selected.
- Select **Select**.

8. Set **Enable policy** to **On**.

9. Select the **Create** button to create the policy.

![Screenshot showing the complete Add Policy dialog](./media/lp2-mod1-conditional-access-new-policy-complete.png)

MFA is now required for your selected user and application(s). The next time Delia tries to sign in to that app she will be prompted to register for MFA.

#### Task 3 - Test Delia's login

1. Open a new InPrivate browsing window.
2. Connect to https://www.office.com.
3. Select the sign-in option.
4. Enter **DeliaD@** `<>`.
5. Enter the password. Use the Global admin password of the tenant (Note: refer to the 'Lab Resources' tab to retrieve the admin password).

**Note** - At this point one of two things will happen. You should get a message that you need to set up the Authenticator app and register for MFA. Follow the prompts to complete registration using your personal phone. NOTE - there is a chance that you might get a login failure message with several options on how to proceed.
Select the **Try Again** option in this case.

You can see that because of the Conditional Access rule we created for Delia, MFA is required to open the Office 365 home page.

### Exercise 2 - Configure MFA to be required for login

#### Task 1 - Configure Microsoft Entra per-user MFA

Finally, let's look at how to configure MFA for individual user accounts. This is another way to get to the multi-factor auth settings. Per-user MFA is the older mechanism; for new deployments Microsoft recommends requiring MFA through Conditional Access, as in Exercise 1.

1. Switch back to the Microsoft Entra admin center and find the **Identity** left-hand navigation menu.

2. Select **Users**, then select **All users**.

3. At the top of the Users pane, select **Per-user MFA**.
- NOTE: you may have to use the ellipsis (...) to get to the Per-user MFA menu item.

![Screenshot showing the MFA option](./media/lp2-mod1-users-mfa.png)

4. A new browser tab/window opens with a multi-factor authentication user settings dialog.

You can enable or disable MFA on a per-user basis by selecting a user and then using the quick steps on the right side.

![Screenshot showing the MFA options](./media/lp2-mod1-mfa-service-settings-and-users.png)

5. Select **Adele Vance** with a check-mark.
6. Select the **Enable MFA** option under quick steps.
7. Read the notification popup if you get it, then select the **enable multi-factor auth** button.
8. Select **Close**.
9. Notice that Adele now has **Enabled** as her MFA status.
10. You can select **service settings** to see the MFA settings screen seen earlier in the lab.
11. Close the MFA settings tab.

#### Task 2 -- Try logging in as Adele

1. If you want to see another example of the MFA login process, you can try to log in as Adele.
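The policy built in Exercise 1, Task 2 is not evaluated on its own: at every sign-in, Microsoft Entra evaluates all enabled Conditional Access policies and combines their outcomes. The following Python model is an added example written for this lab guide (it is not code from the lab or from Microsoft) that reproduces those semantics in simplified form: a policy applies only when its user, target resource and location assignments all match, an exclusion always wins over an inclusion, report-only policies are reported as applying but are not enforced, and **Block access** overrides any grant control such as **Require multifactor authentication**. It goes beyond the single MFA policy built above by also modelling a Block policy of the kind created in Lab 13, so the same function reproduces the "Policies that will apply / will not apply" report of the What If tool. The `MFA_for_Delia` and `Block Sway for DebraB` policies come from the labs; the `MFA for all users (pilot)` policy and the `BreakGlass` exclusion are constructed for the example. Real Conditional Access has many more conditions (device platform, client app, sign-in risk) and session controls that this model leaves out.

```python
"""Simplified model of Microsoft Entra Conditional Access policy evaluation.

Added example for this lab guide, not code from the lab or from Microsoft.
It mirrors the assignment/grant semantics used in Lab 08 Task 2 (users,
target resources, locations, grant controls) and the "What if" report of
Lab 13, using a constructed policy set.
"""
from dataclasses import dataclass, field

ALL = "All"            # the "All users" / "All resources" selector in the portal
ANY_LOCATION = "any"   # the "Any network or location" condition


@dataclass(frozen=True)
class SignIn:
    """The sign-in being evaluated (the inputs the What if tool asks for)."""
    user: str
    app: str
    location: str = "Unknown"


@dataclass
class Policy:
    name: str
    state: str = "enabled"                          # enabled | report-only | disabled
    include_users: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=set)
    locations: set = field(default_factory=lambda: {ANY_LOCATION})
    grant: str = "allow"                            # block | mfa | allow

    def applies_to(self, s: SignIn) -> bool:
        """Every assignment condition must match; exclusions beat inclusions."""
        user_match = (ALL in self.include_users or s.user in self.include_users) \
            and s.user not in self.exclude_users
        app_match = ALL in self.include_apps or s.app in self.include_apps
        loc_match = ANY_LOCATION in self.locations or s.location in self.locations
        return user_match and app_match and loc_match


def what_if(policies, signin):
    """Return (decision, names of applying policies, names of non-applying ones).

    Decision rules, simplified from the service:
      * disabled policies are ignored entirely;
      * report-only policies are listed as applying but never enforced;
      * Block access overrides every grant control;
      * otherwise the user must satisfy the grant controls of all applying
        enabled policies (here the only grant control modelled is "mfa").
    """
    considered = [p for p in policies if p.state != "disabled"]
    applying = [p for p in considered if p.applies_to(signin)]
    enforced = [p for p in applying if p.state == "enabled"]
    if any(p.grant == "block" for p in enforced):
        decision = "block"
    elif any(p.grant == "mfa" for p in enforced):
        decision = "mfa"
    else:
        decision = "allow"
    return (decision,
            [p.name for p in applying],
            [p.name for p in considered if p not in applying])


# Constructed policy set: the two policies built in Labs 08 and 13, plus a
# tenant-wide MFA policy in report-only mode with a break-glass exclusion.
LAB_POLICIES = [
    Policy("MFA_for_Delia", include_users={"Delia Dennis"},
           include_apps={"Office 365"}, grant="mfa"),
    Policy("Block Sway for DebraB", include_users={"DebraB"},
           include_apps={"Sway"}, grant="block"),
    Policy("MFA for all users (pilot)", state="report-only",
           include_users={ALL}, exclude_users={"BreakGlass"},
           include_apps={ALL}, grant="mfa"),
]


if __name__ == "__main__":
    for s in (SignIn("Delia Dennis", "Office 365"),
              SignIn("DebraB", "Sway"),
              SignIn("BreakGlass", "Office 365")):
        print(s.user, "->", s.app, what_if(LAB_POLICIES, s))
```

Running the module prints the decision and the two policy lists for three sign-ins: Delia opening Office 365 gets `mfa`, DebraB opening Sway gets `block` even though the pilot MFA policy also applies, and the excluded break-glass account is never caught by the "All users" policy. That last case is the practical reason to exclude emergency-access accounts from every broad policy before enabling it.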
--------------------------------------------------------------------------------
/Instructions/Labs/Lab_09_ConfigureAndDeploySelfServicePasswordReset.md:
--------------------------------------------------------------------------------
---
lab:
    title: '09 - Enable Microsoft Entra self service password reset'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 09 - Configure and deploy self-service password reset

### Login type = Microsoft 365 admin

## Lab scenario

The company has decided to empower the employees and enable self-service password reset. You must configure this setting in your organization.

#### Estimated time: 15 minutes

### Exercise 1 - Create a group with SSPR enabled and add users to it

#### Task 1 - Create a group to assign SSPR to

You want to roll out SSPR to a limited set of users first to make sure your SSPR configuration works as expected. Let's create a security group for the limited rollout and add users to the group.

1. In the Microsoft Entra admin center, open the **Identity** navigation menu on the left.

2. Under **Groups**, select **All groups** and then select **New Group** in the right side window.

3. Create a new group using the following information:

| **Setting**| **Value**|
| :--- | :--- |
| Group type| Security|
| Group name| SSPRTesters|
| Group description| Testers of SSPR rollout|
| Membership type| Assigned|
| Members| Alex Wilber |
| | Allan Deyoung |
| | Bianca Pisani |

4. Select **Create**.

![Screen image displaying the New Group page with group type, group name, and create highlighted](./media/lp2-mod2-create-sspr-security-group.png)

#### Task 2 - Enable SSPR for your test group

Enable SSPR for the group.

1.
Browse back to the **Identity** navigation menu.

2. Under **Protection**, select **Password reset**.

3. On the Password reset Properties page, under **Self service password reset enabled**, select **Selected**.

4. Under **Select group**, replace the existing SSPRSecurityGroupUsers with the **SSPRTesters** group you just created.

5. On the Password reset Properties page, select **Save**.

![Screen image displaying the Password reset properties page with selected, select group, and save highlighted](./media/lp2-mod2-enable-password-reset-for-selected-group.png)

6. On the **Password reset** screen, look under **Manage**, and select and review the default values for each of the **Authentication methods**, **Registration**, **Notifications**, and **Customization** settings.

**Note** - it is important to have **phone** selected as one of the authentication methods for the rest of this lab, but you can have other options as well.

#### Task 3 - Register for SSPR with Allan

Now that the SSPR configuration is complete, register an authentication method (the Authenticator app) for the user.

1. Open a different browser or open an InPrivate or Incognito browser session and then browse to [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup).

This is to ensure you are prompted for user authentication.

2. Sign in as **AllanD@** `<>.onmicrosoft.com` with the password provided.

**Note** - Replace the organization-domain-name with your domain name.

3. If prompted to update your password, enter a new password of your choice. Be sure to record the new password.

4. If prompted to stay signed in, choose Yes.

5. In the **More information required** dialog box, select **Next**.

6. On the Keep your account secure page, select **Next** to use the Authenticator app.

7.
Follow the on-screen instructions to set up your account in Authenticator by scanning the QR code.

8. Complete the process by selecting **Done** when you have successfully registered.

- **Note** - at this point you have registered for both SSPR and MFA in a single step (combined security information registration).

9. Close the browser. You do not need to complete the sign-in process.

#### Task 4 - Test SSPR

Now let's test whether the user can reset their password.

1. Open a different browser or open an InPrivate or Incognito browser session and then browse to [https://portal.azure.com](https://portal.azure.com).

This is to ensure you will be prompted for user authentication.

2. Enter **AllanD@** `<>.onmicrosoft.com` and then select **Next**.

**Note** - Replace the organization-domain-name with your domain name. Allan is used here because he registered an authentication method in Task 3; a user who has not registered any method cannot complete a self-service reset.

3. On the Enter password page, select **Forgot my password**.

4. On the Get back into your account page, complete the requested information and then select **Next**.

5. Follow the on-screen instructions to get the verification code from the Microsoft Authenticator app.

6. Enter your verification code and then select **Next**.

7. In the choose a new password step, enter and then confirm your new password.

8. When complete, select **Finish**.

9. Sign in as **AllanD** with the new password you created.

10. Enter your verification code and then verify you can complete the sign-in process.

11. When finished, close your browser.

#### Task 5 - What happens if you try a user not in the SSPRTesters group?

1. As a test, open a new InPrivate browser window, try to log into the Azure portal as GradyA, and select the **Forgot my password** option.
--------------------------------------------------------------------------------
/Instructions/Labs/Lab_10_AzureADAuthenticationForWindowsAndLinuxVM.md:
--------------------------------------------------------------------------------
---
lab:
    title: '10 - Microsoft Entra ID Authentication for Windows and Linux Virtual Machines'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 10 - Microsoft Entra Authentication for Windows and Linux Virtual Machines

### Login type = Azure Resource login

## Lab scenario

The company has decided that Microsoft Entra ID should be used to log in to virtual machines for remote access. This lab shows how this can be set up for Windows and Linux virtual machines.

#### Estimated time: 30 minutes

### Exercise 1 - Log in to Windows Virtual Machines in Azure with Microsoft Entra ID

#### Task 1 - Create a Windows Virtual Machine with Microsoft Entra ID login enabled

1. Browse to [https://portal.azure.com](https://portal.azure.com).

1. Select **+ Create a resource**.

1. Type **Windows 11** in the Search the Marketplace search bar, then press **Enter**.

1. From the **Windows 11** box, select **Create v** and choose **Windows 11 Enterprise, version 22H2** from the menu that opens.

1.
Create the VM using the following values on the **Basics** tab:

| Field | Value to use |
| :-- | :-- |
| Subscription | Accept the default |
| Resource Group | Create New - rgEntraLogin |
| Virtual machine name | vmEntraLogin |
| Region | *default* |
| Availability options | No infrastructure redundancy required |
| Security Type | Standard |
| Size | Standard DC1s_v3 - 1 vcpu, 8 GiB memory |
| Admin Username | vmEntraAdmin |
| Admin Password | Use the one provided by the lab environment or make up a secure password you can remember |
| Licensing | Confirm you have a license |

1. You will not need to change anything on the **Disks** or **Networking** tabs, but you can review the values.

1. On the **Management** tab, check the box for **Login with Microsoft Entra ID** under the Microsoft Entra ID section.

NOTE: You will notice that **System assigned managed identity** under the Identity section is automatically checked and greyed out. This happens automatically once you enable Login with Microsoft Entra ID.

1. Go through the rest of the experience of creating a virtual machine.

1. Select **Review + create** then choose **Create**.

#### Task 2 - Microsoft Entra ID login for existing Azure Virtual Machines

1. Browse to **Virtual Machines** in [https://portal.azure.com](https://portal.azure.com).

1. Select the newly created Virtual Machine from Task 1.

1. Select **Access control (IAM)**.

1. Select **+ Add**, then **Add role assignment** to open the Add role assignment page.

1. Assign the following settings:
   - **Job function roles**
   - **Role**: Virtual Machine Administrator Login
   - **Members**: Choose User, group, or service principal. Then use **+ Select members** to add **User2** as a specific user for the VM.

   Virtual Machine Administrator Login gives the user local administrator rights on the VM. For users who only need a standard, non-admin session, assign **Virtual Machine User Login** instead.

1.
Select **Review + assign** to complete the process.

#### Task 3 - Update the Virtual Machine to allow the Microsoft Entra ID login

1. Select the **Connect** menu item.

1. On the **RDP** tab select **Download RDP File**. If prompted, choose the **Keep** option for the file. It is saved into your Downloads folder.

1. Open the **Downloads** folder in File Explorer.

1. Open the RDP file.

1. Choose to log in as an alternate user.

1. Use the admin (vmEntraAdmin) username and password you created when setting up the virtual machine.
   - If prompted, say yes to allow access to the virtual machine or RDP session.

1. Wait for the virtual machine to open and all the software to load.

1. Select the **Start button** in the virtual machine.

1. Type **Control Panel** and launch the Control Panel app.

1. Select **System and Security** from the list of settings.

1. From the **System** setting, select the **Allow remote access** option.

1. At the bottom of the dialog box that opens you will see a **Remote Desktop** section.

1. **Uncheck** the box labeled **Allow connections only from computers running Remote Desktop with Network Level Authentication**.

   NOTE: With NLA turned off, the VM's RDP listener accepts connections from anyone who can reach it, up to the Windows logon screen. Outside the lab, restrict inbound access to port 3389 first (an NSG rule, just-in-time VM access or Azure Bastion) rather than leaving it open to the internet.

1. Select **Apply** and then **OK**.

1. **Exit** the virtual machine RDP session.

#### Task 4 - Modify your RDP file to support the Microsoft Entra ID login

1. Open the **Downloads** folder in File Explorer.

1. **Make a copy** of the RDP file and add **-EntraID** to the end of the filename.

1. Edit the new copy of the RDP file using **Notepad**. Add these two lines of text to the bottom of the file:

```
enablecredsspsupport:i:0
authentication level:i:2
```

1. **Save** the RDP file.
You should now have two versions of the file:
- <>.RDP
- <>-EntraID.RDP

#### Task 5 - Connect to the Windows virtual machine using Microsoft Entra ID login

1. Open the **<>-EntraID.RDP** file.

1. Select **Connect** when the dialog opens.

1. Instead of being prompted for which user account to log in with, you should get a message asking whether you want to connect to the remote computer.

1. Select **Yes** at the bottom of the screen.

1. The Remote Desktop session should open and show the Windows login screen. **Other User** with an OK button should be displayed.

1. Select **OK**.

1. In the login dialog enter the following information:
   - Username = **AzureAD\User2@ your domain name**
   - Password = Enter the password provided by your lab provider

NOTE: User2 is the user we granted the Virtual Machine Administrator Login role to in Task 2.

1. Windows should confirm the login and open to the normal desktop.

#### Task 6 -- Optional testing to explore the Microsoft Entra ID login

1. Check that User2 was the only user added to the Administrators group.

1. Right-click the START button, then select **Computer Management** in the popup menu.

1. Open **Local Users and Groups** then navigate to **Groups, Administrators**.

1. You should see **AzureAD\User2...** in the list.

1. Check to see if other Microsoft Entra ID members can log in.

1. Exit the remote desktop session.

1. Launch the **<>-EntraID.RDP** file again.

1. Try to log in as other Microsoft Entra ID members.

1. You should notice that each of these users is denied access, because no Virtual Machine Login role has been assigned to them on this VM.
### Optional Exercise 2 - Log in to Linux Virtual Machines in Azure with Microsoft Entra ID

#### Task 1 - Create a Linux VM with system assigned managed identity

1. Browse to [https://portal.azure.com](https://portal.azure.com).

1. Select **+ Create a resource**.

1. Search for **Ubuntu**.

1. Select **Create** under **Ubuntu Server 22.04 LTS**. You may use other Linux servers for this test lab.

1. On the **Management** tab, check the box to enable **Login with Microsoft Entra ID**.

1. Ensure **System assigned managed identity** is checked.

1. Go through the rest of the experience of creating a virtual machine. You still have to create a local administrator account with a username and password or an SSH public key.

#### Task 2 - Microsoft Entra ID login for existing Azure Virtual Machines

1. Browse to **Virtual Machines** in [https://portal.azure.com](https://portal.azure.com) and select the Linux VM you just created.

1. Select **Access control (IAM)**.

1. Select **Add** > **Add role assignment** to open the Add role assignment page.

1. Assign the following role:
   - **Role**: Virtual Machine Administrator Login or Virtual Machine User Login
   - **Assign access to**: User, group, service principal, or managed identity

1. For detailed steps, see Assign Azure roles using the Azure portal.
--------------------------------------------------------------------------------
/Instructions/Labs/Lab_11_AssignAzureResourceRolesInPrivilegedIdentityManagement.md:
--------------------------------------------------------------------------------
---
lab:
    title: '11 - Assign Azure resource roles in Privileged Identity Management'
    learning path: '02'
    module: 'Module 02 - Implement an authentication and access management solution'
---

# Lab 11 - Assign Azure resource roles in Privileged Identity Management

### Login type = Azure Resource login

## Lab scenario

Microsoft Entra Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):

- Owner
- User Access Administrator
- Contributor
- Security Admin
- Security Manager

You need to make a user eligible for an Azure resource role.

#### Estimated time: 10 minutes

### Exercise 1 - PIM with Azure resources

#### Task 1 - Assign Azure resource roles

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using the provided administrator account.

2. Search for and then select **Privileged Identity Management**.

3. On the Privileged Identity Management page, in the left navigation, select **Azure resources**.

**Lab Tip** - The next few steps are written for the legacy Azure resource experience. You can switch to the old experience at the top of your screen, or you can complete the exercise in the new experience without the step-by-step.

4. In the Subscriptions dropdown choose the MOC Subscription##### item. Then at the bottom of the screen, select **Manage resources**.

5. On the Azure resources – Discovery page, select your subscription.

6. On the **Overview** page, review the information.
![Screen image displaying the recently added Azure resource](./media/lp4-mod3-pim-az-resource-overview.png)

**Lab Tip** - due to the nature of the lab environment, you won't see any resources. Refer to the picture for a sample.

7. In the left navigation menu, under **Manage**, select **Roles** to see the list of roles for Azure resources.

8. On the top menu, select **+ Add assignments**.

9. On the Add assignments page, select the **Select role** menu and then select **API Management Service Contributor**.

10. Under **Select member(s)**, select **No member selected**.

11. In the Select a member or group pane, search for your admin account **User1-######@LODSPRODMCA.onmicrosoft.com** from your organization that will be assigned the role. Then choose **Select**.

12. Select **Next**.

13. On the **Settings** tab, under **Assignment type**, select **Eligible**.

- **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

- **Active** assignments do not require the member to perform any action to use the role. Members assigned as active hold the privileges of the role at all times.

14. Specify an assignment duration by changing the start and end dates and times.

15. When finished, select **Assign**.

16. After the new role assignment is created, a status notification is displayed.

#### Task 2 - Update or remove an existing resource role assignment

**Note** - Due to the security enforced on this lab environment, you cannot complete these steps. Please review the steps in the user interface, but you won't be able to apply changes. We are actively working on getting a work-around in place for this.
Follow these steps to update or remove an existing role assignment.

1. Open **Microsoft Entra Privileged Identity Management**.

2. Select **Azure resources**.

3. Select the subscription you want to manage to open its overview page.

4. Under **Manage**, select **Assignments**.

5. On the **Eligible assignments** tab, in the Action column, review the available options.

6. Select **Remove**.

7. In the **Remove** dialog box, review the information and then select **Yes**.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_12_ManageAzureADSmartLockoutValues.md:
--------------------------------------------------------------------------------
---
lab:
    title: '12 - Manage Microsoft Entra smart lockout values'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 12 - Manage Microsoft Entra smart lockout values

### Login type = Microsoft 365 admin

## Lab scenario

You must configure the additional password protection settings for your organization.

#### Estimated time: 5 minutes

### Exercise 1 - Manage Microsoft Entra smart lockout values

#### Task - Add Smart Lockouts

Based on your organizational requirements, you can customize the Microsoft Entra smart lockout values. Customizing the smart lockout settings with values specific to your organization requires Microsoft Entra ID P1 or higher licenses for your users.

1. Browse to [https://entra.microsoft.com](https://entra.microsoft.com) and sign in using a Global administrator account for the directory.

2. Open the portal menu and then select **Identity**.

3. On the Identity menu, open the **Protection** menu.

4. In the left navigation, select **Authentication methods**.

5.
Then select **Password protection**.

![Screen image displaying the Authentication methods page and the highlighted selections to browse to Password protection](./media/lp2-mod3-browse-to-password-protection.png)

6. In the Password protection settings, in the **Lockout duration in seconds** box, set the value to **120**. The **Lockout threshold** next to it is the number of failed sign-in attempts before the lockout starts (the default is 10); this lab leaves it at the default.

7. Next to **Mode**, select **Enforced**.

8. Save your changes.

**NOTE** - When the smart lockout threshold is triggered, you get the following message while the account is locked:
- Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.

9. This can be tested by choosing a user in your Microsoft Entra tenant, navigating in a private browser to the sign-in page, and entering an incorrect password until the account gets the notification that it is locked out.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_13_ImplementAndTestAConditionalAccessPolicy.md:
--------------------------------------------------------------------------------
---
lab:
    title: '13 - Implement and test a conditional access policy'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 13 - Implement and test a conditional access policy

### Login type = Microsoft 365 admin

## Lab scenario

Your organization needs to be able to limit user access to its internal applications. You must deploy a Microsoft Entra conditional access policy.

**Note** - For Conditional Access policies, you can turn off Security Defaults; the key points to remember are from the training.
Additional information on Security defaults can be found at this link:

#### Estimated time: 20 minutes

### Exercise 1 - Set a conditional access policy to block DebraB from accessing Sway

#### Task 1 -- Confirm DebraB has access to Sway

1. Launch a new InPrivate browser window.
2. Connect to [https://www.office.com](https://www.office.com).
3. When prompted, log in as DebraB:

| Setting | Value |
| :--- | :--- |
| Username | **DebraB@** `<>.onmicrosoft.com` |
| Password | Enter the provided password |

4. Bypass the welcome and introduction screens.

5. Open the **Apps** page, then select the **Sway** icon to see that it loads correctly.

6. Log out of Office and close your browser session.

#### Task 2 - Create a conditional access policy

Microsoft Entra Conditional Access is an advanced feature of Microsoft Entra ID that allows you to specify detailed policies that control who can access your resources. Using Conditional Access, you can protect your applications by limiting users' access based on things like groups, device type, location, and role.

1. Browse to [https://entra.microsoft.com](https://entra.microsoft.com) and sign in using a Global administrator account for the directory.

2. Open the portal menu and then select **Microsoft Entra ID**.

3. On the menu, under **Identity**, select **Protection**.

4. On the Security page, in the left navigation, select **Conditional access**.

5. On the **Overview (Preview)** page, click **+ Create new policy**.

![Screen image displaying the Conditional Access page with New policy highlighted](./media/lp2-mod1-conditional-access-new-policy.png)

6. In the **Name** box, enter **Block Sway for DebraB**.

**Note** - This naming helps you quickly recognize the policy and its function.

7.
Under **Assignments**, select **0 users and groups selected**. 61 | 62 | 8. On the Include tab, select **Select users and groups**, and then mark **Users and groups** check box. 63 | 64 | 9. In the Select pane, select **DebraB** account and then select **Select**. 65 | 66 | 10. In the **Target resources**, select **No target resource selected**. 67 | 68 | 11. Verify **Cloud apps** is selected and then select **Select apps**, then select **None** in the select section. 69 | 70 | 12. In the Select pane, search for **Sway** and select **Sway** and then select **Select**. 71 | 72 | 13. Under **Access controls**, within the **Grant** section, select **0 controls selected**. 73 | 74 | 14. In the Grant pane, select **Block access** and then select **Select**. 75 | 76 | **Note** - This policy is being configure for the exercise only and is being used to quickly demonstrate a conditional access policy. 77 | 78 | 15. Under **Enable policy**, select **On**, and then select **Create**. 79 | 80 | ![Screen image displaying a new conditional access policy with policy settings highlighted](./media/lp2-mod3-create-conditional-access-policy.png) 81 | 82 | #### Task 3 - Test the conditional access policy 83 | 84 | You should test your conditional access policies to ensure they working as expected. 85 | 86 | 1. Open a new 'InPrivate' browser tab and then browse to [https://sway.cloud.microsoft](https://sway.cloud.microsoft). 87 | - When prompted, log in as DebraB: 88 | 89 | | Setting | Value | 90 | | :--- | :--- | 91 | | Username | **DebraB@** `<>.onmicrosoft.com` | 92 | | Password | Enter the provided password | 93 | 94 | 2. Verify you are prevented from accessing Microsoft Sway. 95 | 96 | ![Screen image displaying a the blocked resource access due to an enabled conditional access policy](./media/lp2-mod3-test-conditional-access-policy.png) 97 | 98 | 3. If you are signed in, close the tab, wait 1 minute, and then retry. 
**Note** - If you are auto-logged into Sway as DebraB, then you will need to manually log out. Your credentials / access were cached. Once you log out and sign in again, your Sway session should deny access.

4. Close the tab and return to the Conditional Access page.

5. Select the **Block Sway for DebraB** policy.

6. Under **Enable policy**, select **Off** and then select **Save**.

### Exercise 2 - Test conditional access policies with "What if"

#### Task - Use What if to test conditional access policies

1. Open the Microsoft Entra admin center menu and then select **Microsoft Entra ID**.

1. On the menu, under **Identity**, select **Protection**.

1. On the Security page, in the left navigation, select **Conditional access**.

1. In the navigation pane, select **Policies**.

1. Select **What If**.

1. Under **User or Workload identity**, select **No user or service principal selected**.

1. Choose **DebraB** as the user.

1. Under **Cloud apps, actions, or authentication context**, select **Sway**.

1. Select **What if**. You will be provided with a report at the bottom of the tile for **Policies that will apply** and **Policies that will not apply**.

This allows you to test the policies and their effectiveness before enabling them.

### Exercise 3 - Configure sign-in frequency controls using a conditional access policy

#### Task - Use the Microsoft Entra admin center to configure conditional access

As part of your company's larger security configuration, you must test a conditional access policy that can be used to control sign-in frequency.

1. Browse to [https://entra.microsoft.com](https://entra.microsoft.com) and sign in using a Global administrator account for the directory.

2. Open the portal menu and then select **Microsoft Entra ID**.

3. On the menu, under **Identity**, select **Protection**.

4. On the Protection menu, in the left navigation, select **Conditional access**.

5. On the top menu, select **+ New policy**, and from the drop-down select **Create a new policy**.

![Screen image displaying the Conditional Access page with New policy highlighted](./media/lp2-mod1-conditional-access-new-policy.png)

6. In the **Name** box, enter **Sign in frequency**.

7. Under **Assignments**, select **0 users and groups selected**.

8. On the Include tab, mark **Select users and groups**, then select the **Users and groups** check box.

9. In the Select pane, select your **Grady Archie** account and then select **Select**.

10. Select **Target Resources - No target resources selected**.

11. Within the **Include** tab, make sure **Select resources** is selected, then choose **None** in the Select section.

12. In the Select pane, select **Office 365** and then select **Select**.

13. Under **Access controls**, select **Session**.

14. In the Session pane, select **Sign-in frequency**.

15. In the value box, enter **30**.

16. Select the units menu, select **Days**, and then select **Select**.

17. Under **Enable policy**, select **Report-only**, and then select **Create**.

![Screen image displaying a new conditional access policy with policy settings highlighted](./media/lp2-mod3-create-session-conditional-access-policy.png)

**NOTE** - Report-only mode is a new Conditional Access policy state that allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. With the release of report-only mode:

- Conditional Access policies can be enabled in report-only mode.
- During sign-in, policies in report-only mode are evaluated but not enforced.
- Results are logged in the Conditional Access and Report-only tabs of the Sign-in log details.
- Customers with an Azure Monitor subscription can monitor the impact of their Conditional Access policies using the Conditional Access insights workbook.

--------------------------------------------------------------------------------

/Instructions/Labs/Lab_14_EnableSignRiskPolicy.md:

--------------------------------------------------------------------------------

---
lab:
    title: '14 - Enable sign in and user risk policies'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 14 - Enable sign in and user risk policies

### Login type = Microsoft 365 admin

## Lab scenario

As an additional layer of security, you need to enable and configure your Microsoft Entra organization's sign in and user risk policies.

#### Estimated time: 10 minutes

### Exercise 1 - Enable User risk policy

#### Task 1 - Configure the policy

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using a Global administrator account.

2. Open the portal menu and then select **Microsoft Entra ID**.

3. On the menu, under **Identity**, select **Protection**.

4. On the Security page, in the left navigation, select **Identity protection**.

5. In the Identity protection page, in the left navigation, select **User risk policy**.

![Screen image displaying the User risk policy page and highlighted browsing path](./media/lp2-mod4-browse-to-identity-protection.png)

6. Under **Assignments**, select **All users** and review the available options.

7. You can select from **All users** or **Select individuals and groups** if limiting your rollout.

8. Additionally, you can choose to exclude users from the policy.

9. Under **User risk**, select **Low and above**.

10. In the User risk pane, select **High** and then select **Done**.

11. Under **Controls** > **Access**, select **Block access**.

12. In the Access pane, review the available options.

**Tip** - Microsoft's recommendation is to Allow access and Require password change.

13. Select the **Require password change** check box and then select **Done**.

14. Under **Policy enforcement**, select **Enabled** and then select **Save**.

#### Task 2 - Enable Sign-in risk policy

1. On the Identity protection page, in the left navigation, select **Sign-in risk policy**.

2. As with the User risk policy, the Sign-in risk policy can be assigned to users and groups and allows you to exclude users from the policy.

3. Under **Sign-in risk**, select **Low and above**.

4. In the Sign-in risk pane, select **High** and then select **Done**.

5. Under **Controls** > **Access**, select **Block access**.

6. Select the **Require multi-factor authentication** check box and then select **Done**.

7. Under **Policy enforcement**, select **Enabled** and then select **Save**.
--------------------------------------------------------------------------------

/Instructions/Labs/Lab_15_ConfigureAAD_MultiFactorAuthRegPolicy.md:

--------------------------------------------------------------------------------

---
lab:
    title: '15 - Configure a Multifactor authentication registration policy'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 15 - Configure a Multifactor authentication registration policy

### Login type = Microsoft 365 admin

## Lab scenario

Multifactor authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins. For users to be able to respond to MFA prompts, they must first register for Microsoft Entra Multifactor Authentication. You must configure your Microsoft Entra organization's MFA registration policy to be assigned to all users.

#### Estimated time: 10 minutes

### Exercise 1 - Set up MFA registration policy

#### Task 1 - Policy configuration

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using a Global administrator account.

2. Open the portal menu and then select **Microsoft Entra ID**.

3. On the left-hand menu, under **Identity**, select **Protection**.

4. On the Security page, in the left navigation, select **Identity protection**.

5. In the Identity protection page, in the left navigation under **Protect**, select **Multifactor authentication registration policy**.

![Screen image displaying the MFA registration policy page with browsing path highlighted](./media/lp2-mod4-browse-to-mfa-registration-policy.png)

6. Under **Assignments**, select **All users** and review the available options.

7. You can select from **All users** or **Select individuals and groups** if limiting your rollout.

8. Additionally, you can choose to exclude users from the policy.

9. Under **Controls**, notice that **Require Microsoft Entra ID multifactor authentication registration** is selected and cannot be changed.

#### Task 2 - Configure Microsoft Entra Identity Protection policy for MFA registration

**Note**: Microsoft Entra Identity Protection requires Microsoft Entra ID Premium P2 to be activated.

1. In the Microsoft Entra admin center, navigate to **Microsoft Entra ID Protection** using the search bar.

1. Under **Protect** in the menu, select **Multifactor authentication registration policy**.

1. Under **Assignments**, select **All users** under Users, and select a user to enforce MFA.

1. Find the field **Policy enforcement** in the dialog. Set the value to **Enabled**.

1. Select **Save**.

This will require the user to complete the MFA registration the next time they attempt to log in.

1. From a private browser, navigate to `https://login.microsoftonline.com`. Enter a user name and password from the tenant. Note the additional security information requirements that the user is asked to enter.
--------------------------------------------------------------------------------

/Instructions/Labs/Lab_16_UsingAzureKeyVaultForManagedIdentities.md:

--------------------------------------------------------------------------------

---
lab:
    title: '16 - Using Azure Key Vault for Managed Identities'
    learning path: '02'
    module: 'Module 02 - Implement an Authentication and Access Management Solution'
---

# Lab 16 - Using Azure Key Vault for Managed Identities

### Login type = Azure Resource login

## Lab scenario

When you use managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Microsoft Entra authentication. However, not all Azure services support Microsoft Entra authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the managed identity to access Key Vault to retrieve the credentials.

#### Estimated time: 20 minutes

### Exercise 1 - Use Azure Key Vault to manage Virtual Machine identities

#### Task 1 - Create a Key Vault

1. Sign in to [https://portal.azure.com](https://portal.azure.com) using a Global administrator account.

1. At the top of the left navigation bar, select **+ Create a resource**.

1. In the Search the Marketplace box, type **Key Vault**.

1. Select **Key Vault** from the results.

1. Select **Create**.

1. Fill out all required information as shown below. Make sure that you choose the subscription that you're using for this lab.
   **Note** The Key vault name must be unique. Look for a green checkmark to the right of the field.

   - **Resource group** - rgSC300KeyVault
   - **Key vault name** - *anyuniquevalue*
   - On the **Access Configuration** page, select the **Vault Access Policy** radio button.

1. Select **Review + create**.
1. Select **Create**.

#### Task 2 - Create a Windows Virtual Machine

1. Select **+ Create a resource**.

1. Type **Windows 11** in the Search the Marketplace search bar.

1. Select **Windows 11** and from the plan dropdown choose **Windows 11 Enterprise, version 22H2**. Then choose **Create**.

| Field | Values |
| :-- | :-- |
| VM Name | vmKeyVault |
| Availability options | No infrastructure redundancy required |
| Admin Username | adminKeyVault |
| Password | Set a secure password that you can remember |
| Licensing | Confirm you have an eligible license |

1. Make sure you mark the **Confirm licensing** checkbox.

1. Use the **Next** button to get to the **Management** tab.

1. On the **Management** tab, check the box next to **Enable system assigned managed identity**.

1. Go through the rest of the experience of creating a virtual machine.

1. Choose **Review + Create** then select **Create**.

#### Task 3 - Create a secret

1. Navigate to your newly created Key Vault.

1. Open **Objects** on the left menu, then select **Secrets**.

1. Select **+ Generate/Import**.

1. In the Create a secret screen, under Upload options leave **Manual** selected.

1. Enter a name and value for the secret. The value can be anything you want.

1. Leave the activation date and expiration date clear, and leave Enabled as Yes.

1. Select **Create** to create the secret.

#### Task 4 - Grant access to Key Vault

1. Navigate to your newly created Key Vault.

1. Select **Access Policies** from the menu on the left side.

1. Select **+ Create**.

1. In the Add access policy section, under Configure from template (optional), choose **Secret Management** from the pull-down menu.

1. Use the Next button to move to the **Principal** tab.
1. In the search field, enter the name of the VM you created in Task 2 - **vmKeyVault**. Select the VM in the result list and choose Select.

1. Use the Next button to move to the **Review + Create** tab.

1. Select **Create**.

#### Task 5 - Access data with Key Vault secret with PowerShell

1. Go to **vmKeyVault** and use RDP to connect to your virtual machine as **adminKeyVault**.

1. In the lab virtual machine, open PowerShell.

1. In PowerShell, call the Azure Instance Metadata Service (IMDS) token endpoint on the VM's link-local address to get an access token for Key Vault using the VM's system-assigned managed identity. The `Metadata` header is required.

```powershell
# Request a token for the Key Vault resource (https://vault.azure.net) from IMDS.
$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers @{Metadata="true"}
```

1. Next, extract the access token from the response.

```powershell
$KeyVaultToken = $Response.access_token
```

1. Use PowerShell's Invoke-RestMethod command to retrieve the secret you created earlier in the Key Vault, passing the access token in the Authorization header. You'll need the URL of your Key Vault, which is in the Essentials section of the Overview page of the Key Vault. Reminder - the URI for Key Vault is on the Overview tab.

- Key Vault URI -- get from the Key Vault's Overview page in the Azure Portal
- Secret Name -- get from the Objects - Secrets page in the Key Vault

```powershell
# Replace <key-vault-name> and <secret-name> with the values noted above.
Invoke-RestMethod -Uri "https://<key-vault-name>.vault.azure.net/secrets/<secret-name>?api-version=2016-10-01" -Method GET -Headers @{Authorization="Bearer $KeyVaultToken"}
```

1. You should receive a response that looks like the following:

```
'My Secret' https://mi-lab-vault.vault.azure.net/secrets/mi-test/50644e90b13249b584c44b9f712f2e51 @{enabled=True; created=16…
```

1. This secret can be used to authenticate to services that require a name and password.
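As an added example (not the lab's own code), the two calls from Task 5 combined into reusable functions with the checks a practitioner would want: the token's audience and expiry are verified before it is used, Key Vault errors are mapped to the lab step that most likely caused them, and the secret is returned as a PSCredential instead of being printed. It assumes it runs on the vmKeyVault VM configured in Tasks 2 and 4; `<key-vault-name>`, `<secret-name>` and `svc-account` are placeholders you replace.

```powershell
# Added example, not part of the lab. Assumes: runs inside vmKeyVault (system-assigned
# managed identity with the Secret Management access policy from Task 4); the vault name,
# secret name and user name below are placeholders.

function Get-ManagedIdentityToken {
    param([string]$Resource = 'https://vault.azure.net')

    # IMDS is link-local and only answers from inside the VM. The Metadata header is
    # mandatory; IMDS rejects requests without it, which also defeats requests bounced
    # through a proxy. The resource is URL-encoded exactly as in the lab's request.
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    $response = Invoke-RestMethod -Uri $uri -Method GET -Headers @{ Metadata = 'true' }

    # Sanity checks before using the token: the audience must be the resource we asked
    # for, and the token must not already be expired (expires_on is Unix epoch seconds).
    if ($response.resource.TrimEnd('/') -ne $Resource.TrimEnd('/')) {
        throw "IMDS returned a token for '$($response.resource)', expected '$Resource'."
    }
    $expiresOn = [DateTimeOffset]::FromUnixTimeSeconds([int64]$response.expires_on)
    if ($expiresOn -le [DateTimeOffset]::UtcNow) {
        throw "IMDS returned an already-expired token (expires_on=$expiresOn)."
    }
    return $response.access_token
}

function Get-KeyVaultSecretAsCredential {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$UserName
    )
    # ${...} keeps the '?' out of the variable name: "$SecretName?api-version" would
    # expand a variable literally called "SecretName?".
    $uri = "https://${VaultName}.vault.azure.net/secrets/${SecretName}?api-version=2016-10-01"
    try {
        $secret = Invoke-RestMethod -Uri $uri -Method GET `
                                    -Headers @{ Authorization = "Bearer $AccessToken" }
    }
    catch {
        # Translate the HTTP status into the lab step that most likely went wrong.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        switch ($status) {
            401     { throw 'Key Vault rejected the token (401): request a fresh token from IMDS.' }
            403     { throw "Key Vault denied access (403): the VM identity lacks the secret Get permission (Task 4)." }
            404     { throw "Secret '$SecretName' not found (404): check the name on Objects > Secrets (Task 3)." }
            default { throw "Key Vault request failed: $($_.Exception.Message)" }
        }
    }
    # Keep the value out of the console and any transcript: wrap it in a SecureString and
    # return a credential that cmdlets accepting -Credential can consume directly.
    $secure = ConvertTo-SecureString -String $secret.value -AsPlainText -Force
    return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# --- Usage (placeholders; replace with the values from Tasks 1 and 3) ---
$token = Get-ManagedIdentityToken
$cred  = Get-KeyVaultSecretAsCredential -VaultName '<key-vault-name>' -SecretName '<secret-name>' `
                                        -AccessToken $token -UserName 'svc-account'
# $cred.UserName is 'svc-account'; the secret stays a SecureString until a cmdlet that takes
# -Credential needs it. Nothing above writes the secret value to the console.
```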
--------------------------------------------------------------------------------

/Instructions/Labs/Lab_17_DefenderForCloudAppsDiscoveryAndRestrictions.md:

--------------------------------------------------------------------------------

---
lab:
    title: '17 - Defender for Cloud Apps application discovery and enforcing restrictions'
    learning path: '03'
    module: 'Module 03 - Implement Access Management for Apps'
---

# Lab 17 - Defender for Cloud Apps application discovery and enforcing restrictions

### Login type = Microsoft 365 admin

## Lab scenario

Microsoft Defender for Cloud Apps utilizes logs from network traffic to identify the applications that users are accessing. Traffic logs from on-premises firewalls will provide a snapshot report on the most common applications and the users that are accessing these apps. Traffic from managed devices will be fed into the Microsoft Defender for Cloud Apps discovery overview dashboard.

#### Estimated time: 10 minutes

### Exercise 1 - Defender for Cloud Apps discovery

#### Task 1 - Discover apps in Defender for Cloud Apps

1. Sign in to [https://security.microsoft.com](https://security.microsoft.com) using a Global Administrator account.

1. On the left menu, scroll to the heading named **Cloud Apps** and select **Cloud App Catalog**.

1. In the **Browse by category** pane, select **Cloud storage**.

1. In the list of apps, note the **Risk score** next to the app name.

1. Open another browser tab and navigate to **www.dropbox.com**.

1. You will be able to access this website.

1. Close the tab for Dropbox.

1. Return to the Defender for Cloud Apps screen, and select the three-dot menu to the right of Dropbox.

1. Choose **Sanctioned** and then the **Next** button.

#### Task 2 - Restrict Apps in Defender for Cloud Apps

1. Return to the **Discovered apps** tile and select **Tag as unsanctioned** for Dropbox. **Note**: This is located next to the circled check-mark.

1. Select **Save**.

1. This process allows you to block applications that are not sanctioned within your company policy, limiting Shadow IT within your organization.

**Note**: There is a delay between sanctioning or unsanctioning an application and the change taking effect. You may have to wait up to 5 minutes.

Once the application has been blocked as unsanctioned, the application will not be accessible through a browser, an in-private browser, or a store download on a client that is onboarded to MDE (Microsoft Defender for Endpoint) integrated with Microsoft Defender for Cloud Apps.

--------------------------------------------------------------------------------

/Instructions/Labs/Lab_18_DefenderForCloudAppsAccessPolicies.md:

--------------------------------------------------------------------------------

---
lab:
    title: '18 - Defender for Cloud Apps Access Policies'
    learning path: '03'
    module: 'Module 03 - Implement Access Management for Apps'
---

# 18 - Defender for Cloud Apps Access and Session Policies

### Login type = Microsoft 365 admin

## Lab scenario

Microsoft Defender for Cloud Apps allows us to create additional Conditional Access policies specific to the cloud apps that we are monitoring. Creating these policies can be done from within the Control menu within the Microsoft Defender for Cloud Apps portal.

#### Estimated time: 20 minutes

### Exercise 1 - Create and test the Conditional Access App Control policy

#### Task 1 - Confirm that PradeepG has unconditional access to FORMS

1. Launch a new **InPrivate browsing** window.
2. Connect to [https://forms.microsoft.com](https://forms.microsoft.com).
3. Select the login in the upper-right corner of the page.
4. Log in as Pradeep Gupta.
   - Username = PradeepG@<<>>
   - Password = the password from your resources tab
5. Confirm that Microsoft Forms opens and that you do not get any warning messages.
6. Close the InPrivate browsing window.

#### Task 2 - Configure Microsoft Entra ID to work with Defender for Cloud Apps

1. Navigate to [https://entra.microsoft.com](https://entra.microsoft.com) and go to Microsoft Entra ID.

2. Under **Identity**, select **Protection**.

3. Then select **Conditional Access**.

4. Select **+ Create new policy**.

5. Enter a policy name, such as **Monitor Pradeep using Forms**.

6. Under **Assignments**, choose **0 users and groups selected**, select **Specific users included**, select **Select users and groups**, and mark **Users and groups**.

7. Choose the **Pradeep Gupta** account for the lab tenant and select **Select**.

8. Under **Target resources**, select **No target resources selected**.

9. Select **Select apps**, then choose **Microsoft Forms**, and select **Select**.

10. Under **Access controls**, select **Session** and **0 controls selected**.

11. Select the **Use Conditional Access App Control** box, leave the default of **Monitor only**, and select **Select**.

12. Under **Enable policy**, select **On**, and select **Create**.

#### Task 3 - Log into Forms and validate that conditional access is monitoring

1. Launch a new **InPrivate browsing** window.
2. Connect to [https://forms.microsoft.com](https://forms.microsoft.com).
3. Select the login in the upper-right corner of the page.
4. Log in as Pradeep Gupta.
   - Username = PradeepG@<<>>
   - Password = the password from your resources tab
5. Confirm that Pradeep has access and that you get a new message:
   - Your company is monitoring the usage of this application.
6. Close the InPrivate browsing window.

### Exercise 2 - Set up alerts in Microsoft Defender for Cloud Apps

#### Task 1 - Access Microsoft Defender for Cloud Apps and create Conditional Access App Control

Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: Your app trusts the Microsoft identity platform—not the other way around.

1. Sign in to [https://security.microsoft.com](https://security.microsoft.com) using a Global Administrator account.

1. On the left menu, scroll to and select **Policies** in the **Cloud Apps** section.

1. In the **Policies** menu, locate and select **Policy Management**.

1. Select **+ Create policy**. Select **Access policy**.

1. Enter a name for the policy, such as **Monitor Microsoft Forms access**.

1. Leave the **Category** as **Access control**.

1. Under **Activities matching all of the following**, select the drop-down for **Intune compliant, Microsoft Entra Hybrid joined** and unselect **Microsoft Entra Hybrid joined**.

1. Select the drop-down for **Select apps**. Select **Microsoft Forms**.

1. Leave **Actions** as **Test**.

1. Under **Alerts**, leave **Create an alert...** checked and select **Send alert as email**.

1. Enter the lab admin email address and press **Enter** on your keyboard.

1. Select **Create** to create the access policy.

#### Task 2 - Log in as Pradeep to Forms to trigger activity

1. Launch a new **InPrivate browsing** window.
2. Connect to [https://forms.microsoft.com](https://forms.microsoft.com).
3. Select the login in the upper-right corner of the page.
4. Log in as Pradeep Gupta.
   - Username = PradeepG@<<>>
   - Password = the password from your resources tab
5. Confirm that Pradeep has access and that you get a new message:
   - Your company is monitoring the usage of this application.
6. Close the InPrivate browsing window.

#### Task 3 - Review the Activity in Defender for Cloud Apps

1. Return to the browser running Defender for Cloud Apps.
2. Refresh the browser to ensure the most recent data is downloaded.
3. From the **Investigate** menu, select **Activity log**.
4. Using the **App:** filter, pick **Microsoft Forms** from the list.
5. Notice the sign-on records for Pradeep.

--------------------------------------------------------------------------------

/Instructions/Labs/Lab_19_RegisterAnApplication.md:

--------------------------------------------------------------------------------

---
lab:
    title: '19 - Register an application'
    learning path: '03'
    module: 'Module 03 - Implement Access Management for Apps'
---

# Lab 19 - Register an application

### Login type = Microsoft 365 admin

#### Estimated time: 30 minutes

### Exercise 1 - Register an application

#### Task 1 - App registration

Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: Your app trusts the Microsoft identity platform—not the other way around.

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using the provided Administrator account.

2. Open the portal menu and then select **Microsoft Entra ID**.

3. On the **Identity** menu, under **Applications**, select **App registrations**.

4. On the **App registrations** page, on the menu, select **+ New registration**.

5. On the **Register an application** blade, register an app named **Demo app** using the default values. You do not need to enter the redirect URI.
![Screen image displaying the Register an application page with the name and default settings highlighted](./media/lp3-mod3-register-an-application.png)

6. Select the **Register** button.

7. When complete, you will be directed to the **Demo app** page.

#### Task 2 - Configure platform settings

Settings for each application type, including redirect URIs, are configured in **Platform configurations** in the Azure portal. Some platforms, like **Web** and **Single-page applications**, require you to manually specify a redirect URI. For other platforms, like mobile and desktop, you can select from redirect URIs generated for you when you configure their other settings.

To configure application settings based on the platform or device you're targeting, add and modify redirect URIs for your registered applications by configuring their platform settings.

1. Select your application in **App registrations** in the Microsoft Entra admin center.

2. Under **Manage**, select **Authentication**.

3. Under **Platform configurations**, select **+ Add a platform**.

4. In **Configure platforms**, select the tile for your application type (platform) to configure its settings.

![Screenshot of the Platform configuration pane in the Azure portal](./media/configure-platforms.png)

| Platform | Configuration settings |
| :--- | :--- |
| Web | Enter a **Redirect URI** for your app, the location where Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform for standard web applications that run on a server. |
| Single-page application | Enter a **Redirect URI** for your app, the location where Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform if you're building a client-side web app in JavaScript or with a framework like Angular, Vue.js, React.js, or Blazor WebAssembly. |
| iOS/macOS | Enter the app **Bundle ID**, found in Xcode in *Info.plist* or Build Settings. A redirect URI is generated for you when you specify a Bundle ID. |
| Android | Enter the app **Package name**, which you can find in the AndroidManifest.xml file, and generate and enter the **Signature hash**. A redirect URI is generated for you when you specify these settings. |
| Mobile and desktop applications | Select one of the **Suggested redirect URIs** or specify a **Custom redirect URI**. For desktop applications, we recommend: [https://login.microsoftonline.com/common/oauth2/nativeclient](https://login.microsoftonline.com/common/oauth2/nativeclient). Select this platform for mobile applications that aren't using the latest Microsoft Authentication Library (MSAL) or are not using a broker. Also select this platform for desktop applications. |

5. Select **Web** as your platform.

6. Enter `https://localhost` for the Redirect URI.

7. Select **Configure** to complete the platform configuration.

#### Task 3 - Add credentials, certificate and client secret

Credentials are used by confidential client applications that access a web API. Examples of confidential clients include web apps, other web APIs, and service-type and daemon-type applications. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime.

You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
![Screenshot of Azure portal showing the Certificates and secrets pane in app registration](./media/portal-05-app-reg-04-credentials.png)

**Note**: Sometimes called a *public key*, certificates are the recommended credential type because they provide a higher level of assurance than a client secret. When using a trusted public certificate, you can add the certificate using the Certificates & secrets feature. Your certificate must be one of the following file types: .cer, .pem, .crt.

**Note**: The client secret, also known as an *application password*, is a string value your app can use in place of a certificate to identify itself. It's the easier of the two credential types to use. It's often used during development, but is considered less secure than a certificate. You should use certificates in your applications running in production.

1. Select your application in **App registrations** in the Azure portal.

2. Select **Certificates & secrets**, then **+ New client secret**.

3. Add a description and duration for your client secret:

   - Description = SC300 lab secret
   - Duration = 90 days (3 months)

4. Select **Add**.

5. **Save the secret's value in Notepad** for use in your client application code. The Certificates & secrets page will display the new secret value. It's important that you copy this value now, as it's only shown this one time; if you refresh the page and come back, it will only show as a masked value.

With your web app registered, you're ready to add the scopes that your API's code can use to provide granular permission to consumers of your API.

#### Task 5 - Add a scope

The code in a client application requests permission to perform operations defined by your web API by passing an access token along with its requests to the protected resource (the web API). Your web API then performs the requested operation only if the access token it receives contains the scopes (also known as application permissions) required for the operation.

First, follow these steps to create an example scope named Employees.Read.All:

1. Select **Identity**, then **Applications**, and finally select **App registrations**, and then select your API's app registration.

2. Select **Expose an API**, then **+ Add a scope**.

![An app registration's Expose an API pane in the Azure portal](./media/portal-02-expose-api.png)

3. You're prompted to set an **Application ID URI**. Set the value to **api://DemoAppAPI**.

   - Note - The App ID URI acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://, or specify a more readable URI like `https://contoso.com/api`.

4. Select **Save and continue**.

5. Next, specify the scope's attributes in the **Add a scope** pane. For this walk-through, use the values in the 3rd column, **Value**.

| Field| Description| Value |
| :--- | :--- | :--- |
| Scope name| The name of your scope. A common scope naming convention is resource.operation.constraint.| Employees.Read.All|
| Who can consent| Whether this scope can be consented to by users or if admin consent is required. Select Admins only for higher-privileged permissions.| Admins and users|
| Admin consent display name| A short description of the scope's purpose that only admins will see.| Read-only access to employee records|
| Admin consent description| A more detailed description of the permission granted by the scope that only admins will see.| Allow the application to have read-only access to all employee data.|
| User consent display name| A short description of the scope's purpose. Shown to users only if you set Who can consent to Admins and users.| Read-only access to your employee records|
| User consent description| A more detailed description of the permission granted by the scope. Shown to users only if you set Who can consent to Admins and users.| Allow the application to have read-only access to your employee data.|

7. Set the **State** to **Enabled**, and then select **Add scope**.

8. (Optional) To suppress prompting for consent by users of your app to the scopes you've defined, you can *pre-authorize* the client application to access your web API. Pre-authorize *only* those client applications you trust, since your users won't have the opportunity to decline consent.

   1. Under **Authorized client applications**, select **Add a client application**.

   2. Enter the **Application (client) ID** of the client application you want to pre-authorize, for example, that of a web application you've previously registered.

   3. Under **Authorized scopes**, select the scopes for which you want to suppress consent prompting, then select **Add application**.

   4. If you followed this optional step, the client app is now a pre-authorized client app (PCA), and users won't be prompted for their consent when signing into it.

#### Task 6 - Add a scope requiring admin consent

Next, add another example scope named Employees.Write.All that only admins can consent to. Scopes that require admin consent are typically used for providing access to higher-privileged operations, often by client applications that run as backend services or daemons that don't sign in a user interactively.

1. To add the Employees.Write.All example scope, follow the steps above and specify these values in the **Add a scope** pane:

| Field| Example value|
| :--- | :--- |
| Scope name| Employees.Write.All|
| Who can consent| Admins only|
| Admin consent display name| Write access to employee records|
| Admin consent description| Allow the application to have write access to all employee data.|
| User consent display name| None (leave empty)|
| User consent description| None (leave empty)|

2. Make sure the State is set to **Enabled**, then select **Add Scope**.

- **Note**: If you successfully added both example scopes described in the previous sections, they'll appear in the **Expose an API** pane of your web API's app registration, similar to this image:

![Screenshot of the Expose an API pane showing two exposed scopes.](./media/portal-03-scopes-list.png)

As shown in the image, a scope's full string is the concatenation of your web API's **Application ID URI** and the scope's **Scope name**.

**Note**: For example, if your web API's application ID URI is `https://contoso.com/api` and the scope name is Employees.Read.All, the full scope is: `https://contoso.com/api/Employees.Read.All`

**Note**: Next, you will configure a client app's registration with access to your web API and the scopes you defined by following the steps above.
Once a client app registration is granted permission to access your web API, the client can be issued an OAuth 2.0 access token by the Microsoft identity platform. When the client calls the web API, it presents an access token whose scope (scp) claim is set to the permissions you've specified in the client's app registration. You can expose additional scopes later as necessary. Consider that your web API can expose multiple scopes associated with several operations.
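The two scopes defined in Tasks 5 and 6 only protect anything if the web API actually checks the `scp` claim of the token it receives. The following is an added example, written for this page rather than taken from the lab or from Microsoft, of that runtime check for the lab's own values (`api://DemoAppAPI`, `Employees.Read.All`, `Employees.Write.All`). It operates on the token's claims after signature validation; verifying the signature against the Microsoft identity platform's published keys is the job of a JWT library and is assumed to have already happened. The route table and the sample claims are hypothetical and constructed.

```python
"""Runtime scope enforcement for the web API registered in this lab.

Added example, not code from the lab. `claims` is the JWT payload *after*
signature validation (assumed done by a JWT library); only the audience,
expiry and scope checks are shown. Route table and sample claims are
constructed for illustration.
"""

# Values from the lab: the Application ID URI (Task 5) and the two scope
# names (Tasks 5 and 6).
APP_ID_URI = "api://DemoAppAPI"
READ_SCOPE = "Employees.Read.All"
WRITE_SCOPE = "Employees.Write.All"

# Audiences this API accepts. The App ID URI is used here; an API may also be
# issued tokens whose `aud` is its client ID, in which case add it to this set.
ACCEPTED_AUDIENCES = {APP_ID_URI}

# Hypothetical route table: the scope each operation requires.
REQUIRED_SCOPE = {
    ("GET", "/employees"): READ_SCOPE,
    ("POST", "/employees"): WRITE_SCOPE,
    ("DELETE", "/employees"): WRITE_SCOPE,
}


def full_scope(app_id_uri: str, scope_name: str) -> str:
    """A scope's full string is the Application ID URI joined to the scope
    name, as the lab shows (e.g. https://contoso.com/api/Employees.Read.All)."""
    return f"{app_id_uri.rstrip('/')}/{scope_name}"


def authorize(claims: dict, method: str, path: str, now_ts: int) -> tuple:
    """Return (allowed, reason) for one request.

    Mirrors what the lab says the resource must do at runtime: confirm the
    token was issued for this API (`aud`), is still valid (`exp`, seconds since
    the epoch), and carries the required scope in its space-separated `scp`.
    """
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return False, "unknown operation"
    if claims.get("aud") not in ACCEPTED_AUDIENCES:
        return False, "token not issued for this API"
    if int(claims.get("exp", 0)) <= now_ts:
        return False, "token expired"
    granted = set(claims.get("scp", "").split())  # scp is space-delimited
    if required not in granted:
        return False, f"missing scope {required}"
    return True, "ok"


# Constructed sample payload (not a real token): a delegated token issued to a
# client that consented only to the read scope. exp = 2024-03-15 12:00:00 UTC.
SAMPLE_CLAIMS = {
    "aud": APP_ID_URI,
    "exp": 1710504000,
    "scp": "Employees.Read.All",
}

if __name__ == "__main__":
    now = 1710500400  # 2024-03-15 11:00:00 UTC, one hour before expiry
    print(authorize(SAMPLE_CLAIMS, "GET", "/employees", now))   # allowed
    print(authorize(SAMPLE_CLAIMS, "POST", "/employees", now))  # write scope missing
    print(full_scope("https://contoso.com/api", READ_SCOPE))
```

The point of splitting `REQUIRED_SCOPE` out from `authorize` is that adding a new operation to the API means adding one mapping line, not another conditional; a request for an operation not in the table is refused rather than silently allowed.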
Your resource can control access to the web API at runtime by evaluating the scope (scp) claim(s) in the OAuth 2.0 access token it receives.

### Exercise 2 - Manage app registration with a custom role

#### Task 1 - Create a new custom role to grant access to manage app registrations

You need to create a new custom role for app management. This new role should be limited to only the specific permissions required to perform credential management.

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using a Global administrator account.

2. Open the portal menu and then select **Microsoft Entra ID**.

3. On the left-hand menu, under **Identity**, select **Roles and admins**.

4. Select the **Roles & admins** item, then select **+ New custom role**.

![Screen image displaying the Roles and administrators blade with the New custom role menu option highlighted](./media/lp3-mod1-new-custom-role.png)

5. In the New custom role dialog, on the Basics tab, in the name box, enter **My custom app role**.

6. Review the remaining options and then select **Next**.

7. On the Permissions tab, review the available permissions.

8. In the **Search by permission name or description** box, enter **credentials**.

9. In the results, select the **Manage** permissions and then select **Next**.

```
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials - Manage password single sign-on credentials or service principals.
microsoft.directory/servicePrincipals/synchronizationCredentials/manage - Manage application provisioning secrets and credentials.
```

![Screen image displaying the New custom role Permissions tab with search, manage permissions, and Next highlighted](./media/lp3-mod1-custom-role-permissions.png)

**Why pick those two** - For application provisioning, these two items are the bare minimum permissions needed to enable and enforce single sign-on for the application or service principal being created, and to assign the enterprise application to a set of users or groups. Other permissions could also be granted. You can get a full list of available permissions at `https://docs.microsoft.com/azure/active-directory/roles/custom-enterprise-app-permissions`.

10. Select **Next**.

11. Review the changes and then select **Create**.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_20_ImplementAccessManagementForApps.md:
--------------------------------------------------------------------------------
---
lab:
    title: '20 - Implement access management for apps'
    learning path: '03'
    module: 'Module 03 - Implement Access Management for Apps'
---

# Lab 20 - Implement access management for apps

### Login type = Microsoft 365 admin

## Lab scenario

Your organization requires that only specific users or groups have access to enterprise applications. You must assign a user to a specific application.

#### Estimated time: 5 minutes

### Exercise 1 - Configure an Enterprise App

#### Task 1 - Add an app to your Microsoft Entra tenant

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using the provided Administrator account.

2. Look at the menu on the left side of the screen.

3. On the Identity menu, under **Applications**, select **Enterprise applications**.

4. In the Enterprise applications pane, select **+ New application**.

![Screen image displaying the Enterprise applications page with New application highlighted](./media/lp3-mod1-new-enterprise-application.png)

5. In the Browse Microsoft Entra Gallery page, in the **Search application** box, enter **GitHub**.

![Screen image displaying the Browse Microsoft Entra Gallery page with the search box highlighted](./media/lp3-mod1-azure-ad-gallery-search.png)

6. In the results, select **GitHub Enterprise Cloud – Enterprise Account**.

7. In the **GitHub Enterprise Cloud – Enterprise Account** pane, review the settings and then select **Create**.

8. Once created, you will be redirected to the GitHub Enterprise Cloud – Enterprise Account page.

#### Task 2 - Assign users to an app

1. On the GitHub Enterprise Cloud – Enterprise Account page, on the Overview page, under **Getting Started**, select **1. Assign users and groups**.

2. Alternatively, in the left navigation, under **Manage**, you can select **Users and groups**.

3. On the Users and groups page, on the menu, select **+ Add user/group**.

4. On the Add Assignment page, select **None selected** in the **Users and groups** section.

5. In the Users and groups pane, select Adele Vance and your MOD administrator account.

6. Select **Select**.

![Screen image displaying adding a user account assignment to an app with the Select button highlighted](./media/lp3-mod1-add-app-assignment.png)

7. Select **Assign**.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_21_GrantTenantWideAdminConsentToAnApplication.md:
--------------------------------------------------------------------------------
---
lab:
    title: '21 - Grant tenant-wide admin consent to an application'
    learning path: '03'
    module: 'Module 03 - Implement Access Management for Apps'
---

# Lab 21: Grant tenant-wide admin consent to an application

### Login type = Microsoft 365 admin

## Lab scenario

For applications your organization has developed or for those that are registered directly in your Microsoft Entra tenant, you can grant tenant-wide admin consent from App registrations in the Azure portal.

#### Estimated time: 15 minutes

### Exercise 1 - Admin Consent

#### Task 1 - Grant admin consent in App registrations

**Warning** - Granting tenant-wide admin consent to an application will grant the app and the app's publisher access to your organization's data. Carefully review the permissions the application is requesting before granting consent.

The Global Administrator role is required in order to provide admin consent for application permissions to the Microsoft Graph API.

1. In a previous exercise, you created an app named Demo app. If necessary, in the Microsoft Entra admin center, browse to **Identity**, **Applications**, then select **App registrations**, and then select **Demo app**.

2. On the **Demo app** page, locate, copy, and save the **Application (client) ID** and **Directory (tenant) ID** values so that you can use them later.

**Note** - **Demo app** is created in the previous labs. Please complete those labs before this lab.

![Screen image displaying the Demo app page with the directory ID highlighted](./media/lp3-mod3-demo-app-directory-id.png)

3. In the left navigation, under **Manage**, select **API permissions**.

4. Under **Configured permissions**, select **Grant admin consent**.

![Screen image displaying the API permission page with Grant admin consent for Contoso highlighted](./media/lp3-mod3-api-permissions-admin-consent.png)

5. Review the dialog box, and then select **Yes**.

**Warning** - Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.

#### Task 2 - Grant admin consent in Enterprise apps

You can grant tenant-wide admin consent through Enterprise applications if the application has already been provisioned in your tenant.

1. In the Microsoft Entra admin center, browse to **Identity** and **Applications**.

2. From the menu, open **Enterprise applications**.

3. From the list of Enterprise applications, pick the **Demo app** that we registered earlier.

4. On the **Demo app** page, in the left navigation, under **Security**, select **Permissions**.

5. Under **Permissions**, select **Grant admin consent**.

![Screen image displaying the Demo app permissions page with Grant admin consent for Contoso highlighted](./media/lp3-mod3-grant-admin-consent-in-enterprise-app.png)

**Warning** - Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.

6. When prompted, sign in using your Global Administrator account.

7. In the **Permissions requested** dialog box, review the information and then select **Accept**.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_22_CreateAndManageACatalogOfResourcesInAADEntitlementManagement.md:
--------------------------------------------------------------------------------
---
lab:
    title: '22 - Create and manage a catalog of resources in Microsoft Entra entitlement management'
    learning path: '04'
    module: 'Module 04 - Plan and Implement and Identity Governance Strategy'
---

# Lab 22: Create and manage a catalog of resources in Microsoft Entra entitlement management

### Login type = Microsoft 365 admin

## Lab scenario

A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. Whoever creates the catalog becomes the first catalog owner. A catalog owner can add additional catalog owners. You must create and configure a catalog in your organization.

#### Estimated time: 15 minutes

### Exercise 1 - Building out resources in Entitlement Management

#### Task 1 - Create a catalog

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using a Global Administrator account.

**Important** - To use and configure Microsoft Entra ID terms of use, you must have:
- A Microsoft Entra ID Premium P1, P2, EMS E3, or EMS E5 subscription.
- If you don't have one of these subscriptions, you can get a Microsoft Entra ID Premium trial.
- One of the following administrator accounts for the directory you want to configure:
  - Global Administrator
  - Security Administrator
  - Conditional Access Administrator

2. Open the **Identity** menu, and then select **Identity Governance**.

3. In the left menu, under **Entitlement management**, select **Catalogs**.

4. On the top menu, select **+ New Catalog**.
![Screen image displaying the Identity governance catalog page with the New catalog menu highlighted](./media/lp4-mod1-identity-governance-new-catalog.png)

5. In the New catalog pane, in the **Name** box, enter **Marketing**.

6. In the **Description** box, enter **For marketing department users**. Users will see this information in an access package's details.

7. Under **Enabled**, select **Yes**.

   - For **Enabled for external users**, select **No**. This setting allows users in selected external directories to request access packages in this catalog. No changes will be made to this setting.

9. You may choose to enable the catalog for immediate use, or disable it if you intend to stage it or keep it unavailable until you intend to use it. For this exercise, the catalog does not need to be enabled.

![Screen image displaying the New catalog pane with the Name, Description, Enabled, and Create options highlighted](./media/lp4-mod1-new-catalog-marketing.png)

10. Select **Create**.

#### Task 2 - Add resources to a catalog

To include resources in an access package, the resources must exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites. The groups can be cloud-created Microsoft 365 Groups or cloud-created Microsoft Entra security groups. The applications can be Microsoft Entra enterprise applications, including both SaaS applications and your own applications federated to Microsoft Entra ID. The sites can be SharePoint Online sites or SharePoint Online site collections.

1. On the Identity Governance page, if necessary, select **Catalogs**.

2. In the **Catalogs** list, select **Marketing**.

3. In the left navigation, under **Manage**, select **Resources**.

4. On the menu, select **+ Add resources**.

5. In the Add resources to catalog page, review the available options. Add the following items:

| Resource Type | Value |
| :------------- | :---------- |
| **Groups and Teams** | Retail |
| **Applications** | Box |
| **Applications** | Salesforce |
| **SharePoint sites** | Brand - pick this SharePoint site from your list of available sites |

6. You may not have any resources in Groups and Teams, Applications, or SharePoint sites. Select any resource category and then select a resource from that category.

7. For this exercise, it is okay to choose any resource you may have available.

![Add resources to a catalog](./media/catalog-add-resources.png)

8. When finished, select **Add**. These resources can now be included in access packages within the catalog.

#### Task 3 - Add additional catalog owners

The user that created a catalog becomes the first catalog owner. To delegate management of a catalog, you add users to the catalog owner role. This helps share the catalog management responsibilities.

1. If necessary, in the Microsoft Entra admin center, browse to **Identity**, then select **Identity Governance**, select **Catalogs**, and then select **Marketing**.

2. In the Marketing catalog page, in the left navigation menu, select **Roles and administrators**.

![Screen image displaying the Roles and administrators page for the Marketing catalog](./media/lp4-mod1-catalog-roles-and-admins.png)

3. On the top menu, review the available roles and then select **+ Add catalog owner**.

4. In the Select members pane, select **Adele Vance** and then select **Select**.

5. Review the newly added role in the Roles and administrators list.

#### Task 4 - Edit a catalog

You can edit the name and description for a catalog. Users see this information in an access package's details.

1. In the Marketing page, in the left navigation, select **Overview**.

2. On the top menu, select **Edit**.

3. Review the settings and, under **Properties** > **Enabled**, select **Yes**.

![Screen image displaying the properties being enabled.](./media/lp4-mod1-edit-marketing-catalog.png)

4. Select **Save**.

#### Task 5 - Create Access reviews for guest users

1. Access reviews can manage the access lifecycle. Microsoft Entra Identity Governance provides an overview dashboard showing the status of access reviews. Select **Access reviews** in the **Identity Governance** menu.

1. Under the Access review menu, you can select **Access reviews** to configure an access review for guest users. Select **+ New access review** to create your guest user access review. The tile will open to configure the access review for guest users.

1. Select **Teams + Groups** for **Select what to review**.

1. Under **Select review scope**, select **All Microsoft 365 groups with guest users**.

1. Under **Select user scope**, select **Guest users only**.

1. Select **Next: Reviews**.

1. The next tile is where you configure who reviews and approves access, how often access will be reviewed, and when access will expire.

1. Under **Select reviewers**, select **Group owners** as the reviewers.

   - **Note**: As a good identity governance practice, guest users should not be allowed to review their own access.

1. Enter a **Duration (in days)** (the default is 3), then choose a **Review recurrence** and **Start date** for the review.

1. Select **Next: Settings** and configure the settings for how the review will take place and what happens when the guest user responds or does not respond. A good practice is to select **Auto apply results to resource** and select **Remove access** for **If reviewers don't respond**.

1. Select **Next: Review + create**, and select **Create** to create the new Access review.

#### Task 6 - Delete a catalog

You can delete a catalog, but only if it does not have any access packages.

1. In the Marketing catalog's Overview page, on the top menu, select **Delete**.

2. In the Delete dialog box, review the information and then select **No**.

**Note** - We are keeping the catalog for use in the next lab.

--------------------------------------------------------------------------------
/Instructions/Labs/Lab_23_AddTermsOfUseAcceptanceReporting.md:
--------------------------------------------------------------------------------
---
lab:
    title: '23 - Add terms of use and acceptance reporting'
    learning path: '04'
    module: 'Module 04 - Plan and Implement and Identity Governance Strategy'
---

# Lab 23: Add terms of use and acceptance reporting

### Login type = Microsoft 365 admin

## Lab scenario

Microsoft Entra terms of use policies provide a simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements. This article describes how to get started with terms of use (ToU) policies.

You must create and enforce a ToU policy for your organization.

#### Estimated time: 20 minutes

### Exercise 1 - Set up terms of use and test them

#### Task 1 - Add terms of use

Once you have finalized your terms of use document, use the following procedure to add it.

1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using a Global Administrator account.

2. Select **Identity Governance** in the left-hand navigation menu.

3. In the menu, under **Entitlement management**, select **Terms of use**.

4. On the Terms of use page, on the top menu, select **+ New terms**.

![Screen image displaying the Terms of use page with New terms highlighted](./media/lp4-mod1-new-terms-of-use.png)

5. In the **Name** box, enter **Testing terms of use**.

**Note** - This is the name of the terms of use that will be used in the Azure portal.

6. Select the **Terms of use document** box, browse to your finalized terms of use PDF and select it.

**ToU File Provided** - Browse to the GitHub repo folder AllFiles/Labs/Lab26 to get a sample Terms of Use PDF document for use in this lab.

7. In the **Display name** box, enter **Contoso Terms of Use**.

**Note** - This is the title that users see when they sign in.

8. Select **English** as the language for your terms of use document.

**Note** - The language option allows you to upload multiple terms of use, each in a different language. The version of the terms of use that an end user sees is based on their browser preferences.

9. To require end users to view the terms of use prior to accepting them, set **Require users to expand the terms of use** to **On**.

10. To require end users to accept your terms of use on every device they access from, set **Require users to consent on every device** to **Off**. Users may be required to install additional applications if this option is enabled.

**Warning** - Consent on every device requires users to register each device with Microsoft Entra ID prior to getting access. It is a good practice to set this option to On; however, for the purpose of a cleaner lab, we are using Off.

11. If you want to expire terms of use consents on a schedule, set **Expire consents** to **On**. When set to On, two additional schedule settings are displayed.

![Expire consents settings to set start date, frequency, and duration](./media/lp4-mod1-new-terms-of-use-create.png)

12. Use the **Expire starting on** and **Frequency** settings to specify the schedule for terms of use expirations. The following table shows the result for a couple of example settings:

| Expire starting on | Frequency | Result |
|---|---|---|
| Today's date | Monthly | Starting today, users must accept the terms of use and then reaccept every month.|
| Date in the future | Monthly | Starting today, users must accept the terms of use. When the future date occurs, consents will expire and then users must reaccept every month. |

For example, if you set the expire starting on date to **Jan 1** and frequency to **Monthly**, here is how expirations might occur for two users:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Feb 1 | Mar 1 | Apr 1|
| Bob | Jan 15 | Feb 1 | Mar 1| Apr 1 |

13. Use the **Duration before re-acceptance requires (days)** setting to specify the number of days before the user must reaccept the terms of use. This allows users to follow their own schedule. For example, if you set the duration to **30** days, here is how expirations might occur for two users:

| User | First accept date | First expire date | Second expire date | Third expire date |
|---|---|---|---|---|
| Alice | Jan 1 | Jan 31 | Mar 2 | Apr 1|
| Bob | Jan 15 | Feb 14 | Mar 16| Apr 15 |

**Note** - It is possible to use the Expire consents and Duration before re-acceptance requires (days) settings together, but typically you use one or the other.

14. Under **Conditional Access**, select **Custom policy**.

   - Possible choices and when to use them:

| Template | Description |
|---|---|
| **Access to cloud apps for all guests** | A Conditional Access policy will be created for all guests and all cloud apps. This policy impacts the Azure portal. Once this is created, you might be required to sign out and sign in. |
| **Access to cloud apps for all users** | A Conditional Access policy will be created for all users and all cloud apps. This policy impacts the Azure portal. Once this is created, you will be required to sign out and sign in. |
| **Custom policy** | Select the users, groups, and apps that this terms of use will be applied to. |
| **Create Conditional Access policy later** | This terms of use will appear in the grant control list when creating a Conditional Access policy. |

**IMPORTANT** - Conditional Access policy controls (including terms of use) do not support enforcement on service accounts. We recommend excluding all service accounts from the Conditional Access policy.

Custom Conditional Access policies enable granular terms of use, down to a specific cloud application or group of users. For more information, see [https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-tou](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-tou).

15. When complete, select **Create**.

![Screen image displaying the New terms of use page with configured options highlighted](./media/lp4-mod1-new-terms-of-use-create.png)

#### Continued Task 1 - Create the Conditional Access Policy

16. When the terms of use is created, you will automatically be redirected to the Conditional Access policy page. On the page, in the **Name** box, enter **Enforce ToU**.

17. Under **Assignments**, select **Users identities**.

18. On the Include tab, choose **Select users and groups**, then select the **Users and groups** check box.

19. In the Select pane, select **Adele Vance** to use to test the terms of use policy.

**Warning** - If you choose your administrator account, as with all Conditional Access policies, be sure you have another account with enough permissions to change the Conditional Access policy. This is to ensure your administrator account will not be locked out should the Conditional Access policy result in an undesirable outcome.

20. Select **Target resources**.

21. Select **All cloud apps**.

22. Under **Access controls**, select **Grant**.

23. In the Grant pane, select **Contoso Terms of Use** and then select **Select**.

24. Under **Enable policy**, select **On**.

25. When complete, select **Create**.

![Screen image displaying the conditional access policy with configuration options highlighted](./media/lp4-mod1-terms-of-use-ca-policy.png)

26. If you chose to use your own account, you can refresh your browser. You will be prompted to sign in again. When you sign in, you will be required to accept the terms of use.

#### Task 2 - Log in as Adele

1. Open a new InPrivate browser window.
2. Connect to https://portal.azure.com.
3. If it comes up saying you are already logged in, select the logged-in user's name in the upper-right of the screen and choose **Sign in with a different account**.
4. Log in as Adele:

| Setting | Value to enter |
| :--- | :--- |
| User Name | **AdeleV@** `<>.onmicrosoft.com` |
| Password | Enter the tenant's admin password (refer to the Lab Resources tab to retrieve the tenant admin password) |

5. Validate Adele's login with the MFA request.
6. View the Terms of Use.
7. You can choose to **Accept** or **Decline**.
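Task 1 (steps 12 and 13) gives two tables showing how the **Expire consents** schedule and the **Duration before re-acceptance requires (days)** setting produce different expiry dates for Alice and Bob. The following added example, written for this page and not taken from the lab or from Microsoft, works those two rules through in code and reproduces the lab's tables. It assumes what the tables assume: a user re-accepts on the day their consent expires, and the year is not a leap year (2023 is used so that "Jan 31 + 30 days" is Mar 2).

```python
"""Work through the two terms-of-use expiry settings from Task 1.

Added example, not the lab's own code. Reproduces the lab's Alice/Bob tables
assuming same-day re-acceptance and a non-leap year (2023).
"""
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's
    length (the lab's schedule only uses the 1st, but 31st -> 30th cases are
    handled so the helper is safe for other start dates)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def scheduled_expiries(first_accept: date, expire_starting_on: date, count: int):
    """Expire consents = On, Frequency = Monthly.

    Everyone expires on the same calendar schedule regardless of when they
    accepted: the first expiry is the first schedule date strictly after the
    acceptance date, then every month after that.
    """
    next_exp = expire_starting_on
    while next_exp <= first_accept:
        next_exp = add_months(next_exp, 1)
    out = []
    for _ in range(count):
        out.append(next_exp)
        next_exp = add_months(next_exp, 1)
    return out


def duration_expiries(first_accept: date, duration_days: int, count: int):
    """Duration before re-acceptance = duration_days.

    Each user runs on their own clock: consent expires duration_days after
    the last acceptance, and with same-day re-acceptance the next expiry is
    duration_days after that.
    """
    out, current = [], first_accept
    for _ in range(count):
        current = current + timedelta(days=duration_days)
        out.append(current)
    return out


def label(d: date) -> str:
    """Format like the lab's tables, e.g. 'Jan 1'."""
    return f"{d:%b} {d.day}"


def lab_tables(year: int = 2023) -> dict:
    """Both lab tables as {'monthly': {...}, 'duration30': {...}} of labels."""
    users = {"Alice": date(year, 1, 1), "Bob": date(year, 1, 15)}
    return {
        "monthly": {u: [label(d) for d in scheduled_expiries(a, date(year, 1, 1), 3)]
                    for u, a in users.items()},
        "duration30": {u: [label(d) for d in duration_expiries(a, 30, 3)]
                       for u, a in users.items()},
    }


if __name__ == "__main__":
    for setting, rows in lab_tables().items():
        print(setting)
        for user, dates in rows.items():
            print(f"  {user}: {', '.join(dates)}")
```

The contrast the lab's note draws is visible in the two functions: `scheduled_expiries` ignores the acceptance date except to find the first schedule point after it, while `duration_expiries` never looks at the calendar at all, which is why Bob lands on Feb 1 under the schedule but Feb 14 under the 30-day duration.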
147 | 148 | **Note** - If you choose **decline** then during a future login as AdeleV you will again be required to view and accept the Terms of Use. 149 | 150 | **Note**: Terms of Use may take a few minutes to appear or you can logout and log back in to the portal. 151 | 152 | #### Task 3 - View report of who has accepted and declined 153 | 154 | The Terms of use page shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the terms of use. 155 | 156 | 1. In Microsoft Azure, in **Identity Governance > Terms of use**, locate your terms of use. 157 | 158 | 2. For a terms of use, select the numbers under **Accepted** or **Declined** to view the current state for users. 159 | 160 | ![Screen image displaying the terms of use with the Accepted and Declined columns highlighted](./media/lp4-mod1-terms-of-use-accept-decline.png) 161 | 162 | 3. In this exercise you may not have any accepted or declined terms of use. In the following example, the **Accepted** value was selected. You can see the reported user information for those that have accepted the terms of use. 163 | 164 | ![Terms of use consents pane listing the users that have accepted](./media/accepted-tou.png) 165 | 166 | 4. On the **Terms of Use Consents** page select **Download** to download a consents report. 167 | 168 | 5. On the **Identity Governance | Terms of Use** page, highlight **Testing terms of use** and select **View selected audit logs** to view the audit logs activity. 169 | 170 | #### Task 4 - What terms of use looks like for users 171 | 172 | 1. Once a terms of use is created and enforced, users who are in scope will see the terms of use page. 173 | 174 | ![Example terms of use that appears when a user signs in](./media/user-tou.png) 175 | 176 | 2. Users can view the terms of use and, if necessary, use buttons to zoom in and out. 177 | 178 | ![View of terms of use with zoom buttons](./media/zoom-buttons.png) 179 | 180 | 3. 
On mobile devices, the terms of use will be displayed similar to the following example. 181 | 182 | ![Example terms of use that appears when a user signs in on a mobile device](./media/mobile-tou.png) 183 | 184 | #### Task 5 - How users can review their terms of use 185 | 186 | Users can review and see the terms of use that they have accepted by using the following procedure. 187 | 188 | 1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com/) and then sign in using your user account. 189 | 190 | 2. Select the user profile photo and then select **View account**. On the Overview page, select VIEW SETTINGS AND PRIVACY. 191 | 192 | ![Screen image of a popup which says "View settings and privacy"](./media/lp4-mod1-myaccount-setting-and-privacy.png) 193 | 194 | 3. On the Settings & Privacy page, select the **Privacy** tab. 195 | 196 | ![Screen image displaying the settings and privacy page with organization's notes highlighted](./media/lp4-mod1-myaccount-setting-and-privacy-org-notes.png) 197 | 198 | 4. Under **Organization’s notice**, you can review the terms of use you have accepted. 199 | 200 | #### Task 6 - Edit terms of use details 201 | 202 | You can edit some details of terms of use, but you can't modify an existing document. The following procedure describes how to edit the details. 203 | 204 | 1. Sign in to the [https://entra.microsoft.com](https://entra.microsoft.com) as a Global administrator. 205 | 206 | 2. Open Microsoft Entra ID item and the select **Identity Governance** from the menu. 207 | 208 | 3. In the left navigation menu, under **Entitlement management**, select **Terms of use**. 209 | 210 | 4. Select the terms of use you want to edit. 211 | - Note: You have to click on open space, not directly on name of the Terms or Use. 212 | 213 | 5. On the top menu, select **Edit terms**. 214 | 215 | 6. 
In the Edit terms of use pane, you can change the following: 216 | 217 | - **Name** – this is the internal name of the ToU that is not shared with end users 218 | 219 | - **Display name** – this is the name that end users can see when viewing the ToU 220 | 221 | - **Require users to expand the terms of use** – Setting this to **On** will force the end use to expand the terms of use document before accepting it. 222 | 223 | - **Update an existing terms of use** document. 224 | 225 | - You can add a language to an existing ToU If there are other settings you would like to change, such as require users to consent on every device, expire consents, duration before reacceptance, or Conditional Access policy, you must create a new terms of use. 226 | 227 | ![Screen image of the Identity Governance terms of use being edited.](./media/lp4-mod1-edit-terms-of-use.png) 228 | 229 | 7. Once you are done, select **Save** to save your changes. 230 | 231 | #### Task 7 - Update an existing terms of use document 232 | 233 | You may, on occasion, be required to update the terms of use document. 234 | 235 | 1. Select the terms of use you want to edit. 236 | 237 | 2. Select **Edit terms**. 238 | 239 | 3. In the **Language Options** table, identify the terms of use language you want to update and then, in the **Action** column, select **Update**. 240 | 241 | ![Screen image displaying the terms of use with the update option highlighted](./media/lp4-mod1-edit-terms-of-use-update.png) 242 | 243 | 4. In the Update terms of use version pane, you can upload a new version of your terms of use document. 244 | 245 | 5. Additionally, you can use the **Require reaccept** toggle button if you want to require your users to accept this new version the next time they sign in. If you do not require your users to re-accept, their previous consent will stay current and only new users who have not consented before or whose consent expires will see the new version. 
246 | 247 | ![Screen image displaying the update terms of use version pane with the upload required pdf and require re-accept highlighted](./media/lp4-mod1-update-terms-of-use-version.png) 248 | 249 | 6. Once you have uploaded your new pdf and decided on re-accept, select **Add**. 250 | 251 | 7. You will now see the most recent version under the Document column. 252 | -------------------------------------------------------------------------------- /Instructions/Labs/Lab_24_ManageTheLifecycleOfExternalUsersInAADIdentityGovernanceSettings .md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: '24 - Manage the lifecycle of external users in Microsoft Entra Identity Governance settings' 4 | learning path: '04' 5 | module: 'Module 04 - Plan and Implement and Identity Governance Strategy' 6 | --- 7 | 8 | # Lab 24: Manage the lifecycle of external users in Microsoft Entra Identity Governance settings 9 | 10 | ### Login type = Microsoft 365 admin 11 | 12 | ## Lab scenario 13 | 14 | You can select what happens when an external user, who was invited to your directory through an access package request being approved, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they are blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory. 15 | 16 | #### Estimated time: 5 minutes 17 | 18 | ### Exercise 1 - Microsoft Entra Identity Governance settings 19 | 20 | #### Task 1 - Manage the lifecycle of external users in Microsoft Entra Identity Governance settings 21 | 22 | 1. Sign in to the [https://entra.microsoft.com](https://entra.microsoft.com) as a Global administrator. 23 | 24 | 2. Open the Microsoft Entra ID item and then select **Identity Governance**. 25 | 26 | 3. 
In the left navigation menu, under **Entitlement management**, select **Settings**. 27 | 28 | 4. On the top menu, select **Edit**. 29 | 30 | ![Screen image displaying the Identity governance settings page with manage the lifecycle of external users highlighted.](./media/lp4-mod1-manage-lifcycle-of-ext-users.png) 31 | 32 | 5. In the **Manage the lifecycle of external users** section, review the different settings for external users. 33 | 34 | 6. When an external user loses their last assignment to any access packages, if you want to block them from signing in to this directory, set the **Block external user from signing in to this directory** to **Yes**. 35 | 36 | 7. If a user is blocked from signing in to the directory, the user will be unable to re-request the access package or request additional access in this directory. Do not configure blocking them from signing in if they will subsequently need to request access to other access packages. 37 | 38 | 8. Once an external user loses their last assignment to any access packages, if you want to remove their guest user account in this directory, set **Remove external** user to **Yes**. 39 | 40 | **Note** - Entitlement management only removes accounts that were invited through entitlement management. Also, note that a user will be blocked from signing in and removed from this directory even if that user was added to resources in this directory that were not access package assignments. If the guest was present in this directory prior to receiving access package assignments, they will remain. However, if the guest was invited through an access package assignment, and after being invited was also assigned to a OneDrive for Business or SharePoint Online site, they will still be removed. 41 | 42 | 9. If you want to remove the guest user account in this directory, you can set the number of days before it is removed. 
If you want to remove the guest user account as soon as they lose their last assignment to any access packages, set **Number of days before removing external user from this directory** to **0**. 43 | 44 | 10. If you’ve made any changes, select **Save**. 45 | -------------------------------------------------------------------------------- /Instructions/Labs/Lab_25_CreatingAccessReviewsForUsers.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: '25 - Creating Access Reviews for Internal and External Users' 4 | learning path: '04' 5 | module: 'Module 04 - Plan and Implement and Identity Governance Strategy' 6 | --- 7 | 8 | # Lab 25 - Creating Access Reviews for Internal and External Users 9 | 10 | ### Login type = Microsoft 365 admin 11 | 12 | ## Lab scenario 13 | 14 | Privileged user access should be regularly reviewed in a similar manner.  Since these are elevated access assignments, the review of these should be done on a consistent basis as identified by the company.  Unused and unnecessary privileged assignments should be removed.  Automated removal should also be configured for users that are no longer with the company or have changed departments within the company. 15 | 16 | #### Estimated time: 5 minutes 17 | 18 | ### Exercise 1 - Create an internal Access review 19 | 20 | #### Task - Create a new Access review 21 | 22 | 1. Sign in to the [https://entra.microsoft.com](https://entra.microsoft.com) as a Global administrator. 23 | 24 | 2. Access reviews can manage the access lifecycle.  Within **Microsoft Entra ID**, find **Identity Governance**, then select **Access reviews**. 25 | 26 | 3. Select **+ New access review**. 27 | 28 | 4. In the **Select what to review** box choose **Teams + Groups** from the dropdown. 29 | 30 | 5. Select **Select Teams + groups** and pick the **Sales and Marketing** group from the list, and hit **Select**. 31 | 32 | 6. Set the **Scope** to **All users**. 33 | 34 | 7. 
Select the **Next: Reviews** to move forward in the wizard. 35 | 36 | 8. The next step is to determine the reviewers.  These reviewers can be the member themselves to do a self-review or can be assigned to supervisors if reviewing access for an entire department. You can also set the action when a reviewer does not respond to automatically remove that privileged access from the member. 37 | 38 | 9. Pick a reviewer **Alex Wilber** and review recurrence option **Annually**. Then select **Next: Settings**. 39 | 40 | 10. The advanced settings allow you to put a message as part of the review. 41 | 42 | 11. Switch to the **Next: Review + Create** tab to finalize the access review. 43 | 44 | 12. Name the access review **SC300 Access Review Test**. 45 | 46 | 13. Select **Create** at the bottom of the page. 47 | 48 | **Note** - When the access review is created, the access review list will populate with the roles and owners of the reviews. 49 | 50 | 14. Members that are being reviewed will receive an email when the review is initiated. 51 | 52 | 15. Selecting an access review of one of the roles will provide status on these access reviews. 53 | -------------------------------------------------------------------------------- /Instructions/Labs/Lab_26_ConfigurePrivilegedIdentityManagementForAADRoles.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: '26 - Configure Privileged Identity Management for Microsoft Entra roles' 4 | learning path: '04' 5 | module: 'Module 04 - Plan and Implement and Identity Governance Strategy' 6 | --- 7 | 8 | # Lab 26: Configure Privileged Identity Management for Microsoft Entra roles 9 | 10 | ### Login type = Microsoft 365 admin 11 | 12 | ## Lab scenario 13 | 14 | A Privileged role administrator can customize Privileged Identity Management (PIM) in their Microsoft Entra organization, including changing the experience for a user who is activating an eligible role assignment. 
You must become familiar with configuring PIM. 15 | 16 | #### Estimated time: 30 minutes 17 | 18 | NOTE - There have been on-going changes to requiring MFA in lab environments. When you switch between users to complete this lab, you may be prompted to set up MFA. 19 | 20 | ### Exercise 1 - Configure Microsoft Entra role settings 21 | 22 | #### Task 1 - Open role settings 23 | 24 | Follow these steps to open the settings for an Microsoft Entra role. 25 | 26 | 1. Sign in to the [https://entra.microsoft.com](https://entra.microsoft.com) as a Global administrator. 27 | 28 | 2. Search for and then select **Privileged Identity Management.** 29 | 30 | 3. In the Privileged Identity Management page, in the left navigation, select **Microsoft Entra roles.** 31 | 32 | 4. On the Quick start page, in the left navigation, select **Settings.** 33 | 34 | ![Screen image displaying the Microsoft Entra roles page with the Settings menu highlighted](./media/lp3-mod3-pim-ad-roles-settings.png) 35 | 36 | 5. Review the list of roles and then, in the **Search by role name**, enter **compliance**. 37 | 38 | 6. In the results, select **Compliance Administrator**. 39 | 40 | 7. Review the role setting details information. 41 | 42 | #### Task 2 - Require approval to activate 43 | 44 | If setting multiple approvers, approval completes as soon as one of them approves or denies. You cannot require approval from at least two users. To require approval to activate a role, follow these steps. 45 | 46 | 1. In the Role setting details page, on the top menu, select **Edit**. 47 | 48 | ![Screen image displaying the top portion of the Role setting details -Compliance Administrator page with Edit highlighted](./media/lp4-mod3-pim-edit-compliance-role.png) 49 | 50 | 2. In the Edit role setting – Compliance Administrator page, select the **Require approval to activate** check box. 51 | 52 | 3. Select **Select approvers**. 53 | 54 | 4. 
In the Select a member pane, select your administrator account and then select **Select**. 55 | 56 | ![Screen image displaying the edit role settings page and select a member pane with the selected members highlighted](./media/lp4-mod3-pim-add-approver.png) 57 | 58 | 5. Once you have configured the role settings, select **Update** to save your changes. 59 | 60 | ### Exercise 2 - Use PIM to assign Microsoft Entra roles 61 | 62 | #### Task 1 - Assign a role 63 | 64 | With Microsoft Entra ID, a Global administrator can make permanent Microsoft Entra admin role assignments. These role assignments can be created using the Microsoft Entra admin center, the Azure portal, or using PowerShell commands. 65 | 66 | The Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users eligible for Microsoft Entra admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done. 67 | 68 | Follow these steps to make a user eligible for an Microsoft Entra admin role. 69 | 70 | 1. Sign in to [https://entra.microsoft.com](https://entra.microsoft.com) using a Global Administrator account. 71 | 72 | 2. Search for and then select **Privileged Identity Management.** 73 | 74 | **Note** - you can find it in the menu at Identity - Identity Governance - Privileged Identity Management. 75 | 76 | 3. In the Privileged Identity Management page, in the left navigation, select **Microsoft Entra roles.** 77 | 78 | 4. On the Quick start page, in the left navigation, select **Roles**. 79 | 80 | 5. On the top menu, select **+ Add assignments.** 81 | 82 | ![Screen image displaying Microsoft Entra roles with Add assignments menu highlighted](./media/lp4-mod3-pim-assign-role.png) 83 | 84 | 6. In the Add assignments page, on the **Membership** tab, review the settings. 85 | 86 | 7. 
Select the **Select role** menu and then select **Compliance Administrator**. 87 | 88 | 8. You can use the **Search role by name** filter to help located a role. 89 | 90 | 9. Under **Select member(s),** select **No members selected**. 91 | 92 | 10. In the Select a member pane, select **Miriam Graham** and then select **Select**. 93 | 94 | ![Screen image displaying the select a member pane with a selected member highlighted](./media/lp4-mod3-pim-add-role-assignment.png) 95 | 96 | 11. In the Add assignments page, select **Next**. 97 | 98 | 12. On the **Settings** tab, under **Assignment type**, review the available options. For this task, use the default setting. 99 | 100 | - Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. 101 | - Active assignments do not require the member to perform any action to use the role. Members assigned as active have the privileges always assigned to the role. 102 | 103 | 13. Review the remaining settings and then select **Assign**. 104 | 105 | #### Task 2 - Log in with Miriam 106 | 107 | 1. Open a new InPrivate browser window. 108 | 2. Connect to the Microsoft Entra admin center (https://entra.microsoft.com). 109 | **Note** - If it opens with a user logged in, Select on their name in the upper-right corner and select **Sign in as a different account**. 110 | 3. Log in a Miriam. 111 | 112 | | Field | Value | 113 | | :--- | :--- | 114 | | Username | **MiriamG@** `<>` | 115 | | Password | Enter the provided tenant admin password | 116 | 117 | 4. From the **Identity** menu, open **Users** and then select **All users**. 118 | 5. Find **Miriam** in the list of users 119 | 6. On the **Overview** page, look for the **Assigned roles**. 120 | 7. Select **Eligible assignments**. 121 | 1. 
Notice that the **Compliance Administrator** role is now available to Miriam. 122 | 123 | #### Task 3 - Activate your Microsoft Entra roles 124 | 125 | When you need to assume an Microsoft Entra role, you can request activation by opening **My roles** in Privileged Identity Management. 126 | 127 | 1. From the **Search, resources, services, and docs** bar, look for Privileged. 128 | 2. Open the **Privileged Identity Management** page. 129 | 3. On the Privileged Identity Management page, in the left navigation menu, select **My roles.** 130 | 131 | 4. In the My roles page, review the list of **Eligible assignments**. 132 | 133 | ![Screen image displaying My roles with eligible role assignments highlighted](./media/lp4-mod3-my-roles.png) 134 | 135 | 5. In the Compliance Administrator role row, select **Activate**. 136 | 137 | 6. In the Activate – Compliance Administrator pane, select **Additional verification required** and then follow the instructions to provide additional security verification. You are required to authenticate only once per session. 138 | 139 | ![Screen image displaying a popup to activate the compliance administrator](./media/lp4-mod3-pim-activate-role.png) 140 | 141 | **Verification** - Based on our current lab environment configuration, you will be required configure MFA and log in successfully. 142 | 143 | 7. After you have completed the additional security verification, in the Activate – Compliance Administrator pane, in the **Reason** box, enter the **This is my justification for activating this role**. 144 | 145 | **Important Note** - the principal of least prvilege, you should only activate the account for the amount of time you need it. If the work needed to be done, only takes 1.5 hours, then set the duration to two hours. Similarily, if you know that you won't be able to do the work until after 3pm, choose a Custom activation time. 146 | 147 | 8. Select **Activate**. 
148 | 149 | #### Task 4 - Assign a role with restricted scope 150 | 151 | For certain roles, the scope of the granted permissions can be restricted to a single admin unit, service principal, or application. This procedure is an example if assigning a role that has the scope of an administrative unit. 152 | 153 | 1. Remember to close out the browser windows for MiriamG, then open the Microsoft Entra admin center with your administrator account. 154 | 2. Browse to the Privileged Identity Management page, and in the left navigation menu, select Azure **Microsoft Entra roles.** 155 | 3. Select **Roles**. 156 | 4. In the Roles page, on the top menu, select **+ Add assignments.** 157 | 158 | 5. In the Add assignments page, select the **Select role** menu and then select **User administrator.** 159 | 160 | 6. Select the **Scope type** menu and review the available options. For now, you will use the **Directory** scope type. 161 | 162 | **Tip** - Go to [https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage](https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage) for more information about the administrative unit scope type. 163 | 164 | 7. As you did when assigning a role without a restricted scope, you would add members and complete the settings options. For now, select **Cancel**. 165 | 166 | #### Task 5 - Update or remove an existing role assignment 167 | 168 | Follow these steps to update or remove an existing role assignment. 169 | 170 | 1. In the Open Privileged Identity Management > Microsoft Entra roles page, in the left navigation, select **Assignments**. 171 | 172 | 2. In **Assignments** list, for Compliance Administrator, review the options in the **Action** column. 173 | 174 | ![Screen image displaying the options listed in the action column of the Compliance Adminsitrator](./media/lp4-mod3-pim-edit-role-assignments.png) 175 | 176 | 3. 
Select **Update** and review the options available in the Membership settings pane. When complete, close the pane. 177 | 178 | 4. Select **Remove**. 179 | 180 | 5. In the **Remove** dialog box, review the information and then select **Yes**. 181 | -------------------------------------------------------------------------------- /Instructions/Labs/Lab_27_MicrosoftSentinelKustoQueries.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: '27 - Microsoft Sentinel Kusto Queries for Microsoft Entra data sources' 4 | learning path: '04' 5 | module: 'Module 04 - Plan and Implement and Identity Governance Strategy' 6 | --- 7 | 8 | # Lab 27 OPTIONAL - Microsoft Sentinel Kusto Queries for Microsoft Entra data sources 9 | 10 | **Note** - This lab cannot be completed in the provided training lab environment at this time. We are leaving the lab step here, so you can optionally try it on your Bring You Own Subscription (BYOS) environment. Please read over the steps to see what is possible. We actively working to update this lab to find a work-around in the lab environment, and will update it soon. 11 | 12 | ### Login type = Azure Resource login 13 | 14 | ## Lab scenario 15 | 16 | Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR solution. Through connecting data sources from Microsoft and third-party security solutions, you have the ability to execute security operations tasks. In this lab exercise, you will create a Microsoft Sentinel workspace with data connectors to Microsoft Entra ID for executing hunting queries using Kusto Query Language (KQL). 17 | 18 | #### Estimated time: 30 minutes 19 | 20 | ### Exercise 1 - Configure Microsoft Sentinel for Kusto Queries 21 | 22 | #### Task 1 - Create a Microsoft Sentinel workspace 23 | 24 | 1. Sign in to the [https://portal.azure.com](https://portal.azure.com) as a Global administrator. 25 | 26 | 1. Search for and then select **Microsoft Sentinel**. 27 | 28 | 1. 
Select **+ Create** in the upper left corner. 29 | 30 | 1. In the **Add Microsoft Sentinel to a workspace** tile, select **+ Create a new workspace**. 31 | 32 | 1. In **Resource group**, select **Create new** and enter **Sentinel-RG**. 33 | 34 | 1. Name the workspace. Example - SentinelLogAnalytics. 35 | 36 | 1. Select a Region close to you. 37 | 38 | 1. Select **Review + Create** and then **Create**. 39 | 40 | 1. After the Log Analytics workspace deployment completes, choose the **Refresh** button. Then select your workspace and select **Add**. This will add the workspace to Microsoft Sentinel and open Microsoft Sentinel. 41 | 42 | 1. If prompted, select **OK** to activate the Microsoft Sentinel free trial. 43 | 44 | #### Task 2 - Add Microsoft Entra ID as a Data source 45 | 46 | 1. In **Microsoft Sentinel**, navigate on the menu to **Content management** and select **Content hub**. 47 | 48 | 1. Use the search box to look for **Entra** in the list of connectors, locate **Microsoft Entra ID** and mark the checkbox. 49 | 50 | 1. To the right, a preview tile will open. Select **Install**. 51 | 52 | 1. After the install finishes, select the **Data connectors** menu item in the Configuration menu. 53 | 54 | **Note** - You should show 1 Connector installed and see **Microsoft Entra ID** listed. 55 | 56 | 1. Select **Microsoft Entra ID** and then select **Open connector page**. 57 | 58 | 1. In the connector page, the instructions and next steps will be provided for the data connector. Verify that a check-mark is next to each of the **Prerequisites** to continue with the **Configuration**. 59 | 60 | 1. Under **Configuration**, check the boxes for **Sign-in logs** and **Audit logs**. Additional log sources are available but are currently in **Preview** and out of scope for this course. 61 | 62 | 1. Select **Apply Changes**. 63 | 64 | 1. Notification will be provided that the changes were applied successfully. 
Navigate to the **Microsoft Sentinel** workspace by selecting the **X** on the top right of the connector page. 65 | 66 | 1. Select **Refresh** on the **Microsoft Sentinel | Data connectors** tile and the number 1 will show in the **Connected** count. 67 | 68 | **Note** - The Microsoft Entra ID data connector may take a few minutes to show in the active count. 69 | 70 | #### Task 3 - Run Kusto query on User activity 71 | 72 | 1. In **Microsoft Sentinel**, navigate to **Logs** under the **General** menu heading. 73 | 74 | 1. Close the **Welcome to Log Analytics** window. 75 | 76 | 1. A window will open with sample queries, select **Audit**, and search to find **User IDs**. 77 | 78 | 1. Select **Run**. 79 | 80 | 1. This will provide a list of User IDs on Microsoft Entra ID. Since we have just created the workspace, you may not see results. Note the format of the query. 81 | -------------------------------------------------------------------------------- /Instructions/Labs/Lab_28_MonitorIdentitySecureScore.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: '28 - Monitor and managed security posture with Identity Secure Score' 4 | learning path: '04' 5 | module: 'Module 04 - Plan and Implement and Identity Governance Strategy' 6 | --- 7 | 8 | # Lab 28 - Monitor and managed security posture with Identity Secure Score 9 | 10 | ### Login type = Microsoft 365 admin 11 | 12 | ## Lab scenario 13 | 14 | Microsoft Entra Identity Protection provides automated detection and remediation to identity-based risks, and provides data in the portal to investigate potential risks. Microsoft Entra Identity Protection also provides an Identity Secure Score to monitor and improve your identity security posture. 
In the same manner as Microsoft Defender XDR and Microsoft Defender for Cloud, Identity Secure Score provides improvement actions and recommendations that can improve your overall security posture for identity in Microsoft Entra ID. This lab will explore this capability. 15 | 16 | **Note** - Since this lab is running on a new created tenant environment, you will probably get an Identity Secure Score of 30% or less. It takes about 24 hours for viable data to enter the calculation to give you a valid score. 17 | 18 | #### Estimated time: 15 minutes 19 | 20 | ### Exercise 1 - Using Identity Secure Score to monitor and manage identity security posture 21 | 22 | #### Task 1 - Review Identity Secure Score and improvement actions 23 | 24 | 1. Sign in to the [https://entra.microsoft.com](https://entra.microsoft.com) as a Global administrator. 25 | 26 | 2. Open the **Protection** menu and select **Identity Secure Score** 27 | 28 | 3. In the **Overview** tile, you will find **Identity Secure Score**. 29 | 30 | 4. Select **Identity Secure Score**. This will take you to the Identity Secure Score dashboard. 31 | 32 | 5. Scroll down to view the **Improvement actions**. 33 | 34 | **Lab Tip** - In contrast to the improvement actions in Microsoft Defender for Cloud and Microsoft Defender XDR, these improvement actions are specific to identity. This provides a more focused list of potential actions to your security posture management. Any improvement actions initiated from this list will also provide an impact to your overall tenant security posture. 35 | 36 | #### Task 2 - Execute an improvement action 37 | 38 | 1. To improve one area of the identity security posture, select **Enable Microsoft Entra ID Protection sign-in risk policy**. 39 | 40 | 2. In the tile that opens, scroll down and select **Get Started**. 41 | 42 | 3. A new tab will open for **Identity Protection | Sign-in risk policy**. 43 | **Note** - by default the Get Started button will open in Azure Portal. 
You can use the portal or return to the Entra admin center. Either wil work. 44 | 45 | 6. Under Assignments, the **All Users** text. 46 | 47 | 7. Under Include, select All users. 48 | 49 | 8. Under Exclude, select Users and groups and choose your **MOD Administrator** account. 50 | 51 | - Microsoft recommends you exclude at least one account to prevent yourself from being locked out. 52 | 53 | 9. Under Sign-in risk - select the text that says **Low and above**. 54 | 55 | 10. Choose **Medium and above** then select **Done**. 56 | 57 | 10. In the **Controls** section choose the text that says **Block access**. 58 | 59 | 11. Select **Allow access - Require multifactor authentication**. 60 | 61 | 11. Select Done. 62 | 63 | 14. Confirm your settings and set policy enforcement to **Enabled**. 64 | 65 | 15. Select **Save**. 66 | -------------------------------------------------------------------------------- /Instructions/Labs/image-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/image-1.png -------------------------------------------------------------------------------- /Instructions/Labs/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/image.png -------------------------------------------------------------------------------- /Instructions/Labs/media/accepted-tou.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/media/accepted-tou.png 
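Two KQL hunting queries over the SigninLogs and AuditLogs tables that the Lab 27 Microsoft Entra ID connector streams into the workspace, added here as an example (not part of the lab and not one of Sentinel's built-in sample queries); the 7-day window, the `LoggedByService == "PIM"` filter and the `Add member to role` operation-name filter for PIM activations are assumptions about the ingested data.

```kql
// Added example, not part of the lab. Run each query on its own in Sentinel > Logs.

// Query 1: per-user sign-in activity from the Sign-in logs connector.
// ResultType is a string; "0" is a successful sign-in, anything else is an
// error code. ConditionalAccessStatus is "success", "failure" or "notApplied",
// so CAFailures counts sign-ins that a policy such as "Enforce ToU" blocked.
SigninLogs
| where TimeGenerated > ago(7d)                       // assumption: 7-day window
| summarize
    SignIns     = count(),
    Failures    = countif(ResultType != "0"),
    CAFailures  = countif(ConditionalAccessStatus == "failure"),
    DistinctIPs = dcount(IPAddress)
    by UserPrincipalName, UserId
| order by Failures desc

// Query 2: PIM role activations from the Audit logs connector (the activation
// Miriam performs for Compliance Administrator in Lab 26 lands here).
// InitiatedBy.user holds the activating user; the role is the TargetResources
// entry whose type is "Role", so the array is expanded and filtered on type
// rather than relying on a fixed index.
AuditLogs
| where TimeGenerated > ago(7d)
| where LoggedByService == "PIM"                      // assumption: PIM events carry this service name
| where OperationName has "Add member to role"        // assumption: activation events carry this name
| mv-expand Target = TargetResources
| where tostring(Target.type) == "Role"
| project TimeGenerated,
          Actor = tostring(InitiatedBy.user.userPrincipalName),
          Role  = tostring(Target.displayName),
          Result,
          OperationName
| order by TimeGenerated desc
```

On a freshly created workspace both queries return nothing until the connector has ingested data, which matches the "you may not see results" note in Task 3.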
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/media/security-defaults-disable-before-conditional-access.png -------------------------------------------------------------------------------- /Instructions/Labs/media/selectonedrive.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/media/selectonedrive.png -------------------------------------------------------------------------------- /Instructions/Labs/media/user-tou.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/media/user-tou.png -------------------------------------------------------------------------------- /Instructions/Labs/media/view-history-menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/media/view-history-menu.png -------------------------------------------------------------------------------- /Instructions/Labs/media/view-history-pane.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/media/view-history-pane.png -------------------------------------------------------------------------------- /Instructions/Labs/media/zoom-buttons.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/5c26c034cc59c7341cb17e48373810da469a744b/Instructions/Labs/media/zoom-buttons.png -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Sidney Andrews 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
--------------------------------------------------------------------------------
/_build.yml:
--------------------------------------------------------------------------------
```yaml
name: '$(Date:yyyyMMdd)$(Rev:.rr)'
jobs:
- job: build_markdown_content
  displayName: 'Build Markdown Content'
  workspace:
    clean: all
  pool:
    vmImage: 'Ubuntu 16.04'
  container:
    image: 'microsoftlearning/markdown-build:latest'
  steps:
  - task: Bash@3
    displayName: 'Build Content'
    inputs:
      targetType: inline
      script: |
        cp /{attribution.md,template.docx,package.json,package.js} .
        npm install
        node package.js --version $(Build.BuildNumber)
  - task: GitHubRelease@0
    displayName: 'Create GitHub Release'
    inputs:
      gitHubConnection: 'github-microsoftlearning-organization'
      repositoryName: '$(Build.Repository.Name)'
      tagSource: manual
      tag: 'v$(Build.BuildNumber)'
      title: 'Version $(Build.BuildNumber)'
      releaseNotesSource: input
      releaseNotes: '# Version $(Build.BuildNumber) Release'
      assets: '$(Build.SourcesDirectory)/out/*.zip'
      assetUploadMode: replace
  - task: PublishBuildArtifacts@1
    displayName: 'Publish Output Files'
    inputs:
      pathtoPublish: '$(Build.SourcesDirectory)/out/'
      artifactName: 'Lab Files'
```
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
```yaml
remote_theme: MicrosoftLearning/Jekyll-Theme
exclude:
  - readme.md
  - .github/
header_pages:
  - index.html
author: Microsoft Learning
twitter_username: mslearning
github_username: MicrosoftLearning
plugins:
  - jekyll-sitemap
  - jekyll-mentions
  - jemoji
markdown: kramdown
kramdown:
  syntax_highlighter_opts:
    disable: true
```
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
---
title: Online Hosted Instructions
permalink: index.html
layout: home
---

# Content Directory

Required lab files can be [downloaded here](https://github.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator/archive/master.zip)

Hyperlinks to each of the lab exercises and demos are listed below.

## Labs

{% assign labs = site.pages | where_exp:"page", "page.url contains '/Instructions/Labs'" %}
| Module | Lab |
| --- | --- |
{% for activity in labs %}| {{ activity.lab.module }} | [{{ activity.lab.title }}{% if activity.lab.type %} - {{ activity.lab.type }}{% endif %}]({{ site.github.url }}{{ activity.url }}) |
{% endfor %}
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# SC-300: Identity and Access Administrator

- **[Link to labs (HTML format)](https://microsoftlearning.github.io/SC-300-Identity-and-Access-Administrator/)**
- **Are you an MCT?** - Have a look at our [GitHub User Guide for MCTs](https://microsoftlearning.github.io/MCT-User-Guide/)
- **Need to manually build the lab instructions?** - Instructions are available in the [MicrosoftLearning/Docker-Build](https://github.com/MicrosoftLearning/Docker-Build) repository

## What are we doing?

- To support this course, we will need to make frequent updates to the course content to keep it current with the Azure services used in the course. We are publishing the lab instructions and lab files on GitHub to allow for open contributions between the course authors and MCTs to keep the content current with changes in the Azure platform.

- We hope that this brings a sense of collaboration to the labs like we've never had before - when Azure changes and you find it first during a live delivery, go ahead and make an enhancement right in the lab source. Help your fellow MCTs.

## How should I use these files relative to the released MOC files?

- The instructor handbook and PowerPoints are still going to be your primary source for teaching the course content.

- These files on GitHub are designed to be used in conjunction with the student handbook, but are in GitHub as a central repository so MCTs and course authors can have a shared source for the latest lab files.

- It is recommended that, for every delivery, trainers check GitHub for any changes that may have been made to support the latest Azure services, and get the latest files for their delivery.

## What about changes to the student handbook?

- We will review the student handbook on a quarterly basis and update through the normal MOC release channels as needed.

## How do I contribute?

- Any MCT can submit a pull request to the code or content in the GitHub repo. Microsoft and the course author will triage and include content and lab code changes as needed.

- You can submit bugs, changes, improvements and ideas. Find a new Azure feature before we have? Submit a new demo!

## Notes

### Classroom Materials

It is strongly recommended that MCTs and Partners access these materials and in turn, provide them separately to students. Pointing students directly to GitHub to access Lab steps as part of an ongoing class will require them to access yet another UI as part of the course, contributing to a confusing experience for the student. An explanation to the student regarding why they are receiving separate Lab instructions can highlight the nature of an always-changing cloud-based interface and platform. Microsoft Learning support for accessing files on GitHub and support for navigation of the GitHub site is limited to MCTs teaching this course only.
--------------------------------------------------------------------------------