security
Want to Avoid Accidentally Deleting your Resources in Azure? It's Easier Than You Think
Sometimes, knowingly or unknowingly, you might delete a resource group in Azure. In this article let's talk about how to configure Azure Resource Locking in order to protect resources from being deleted or modified accidentally.

Simple Cybersecurity Steps Every Nonprofit Can Take Using Microsoft 365
Your granted Microsoft 365 Business Premium licenses offer a suite of cybersecurity tools that can help protect your organization from cyber threats, even if you're not tech-savvy. This blog post will guide you through simple steps every nonprofit can implement to enhance their cybersecurity using Microsoft 365.

How to Re-Register MFA
Working closely with nonprofits every day, I often come across a common challenge faced by MFA users. Recently, I worked with a nonprofit leader who ran into an issue after getting a new phone. She was unable to authenticate into her Microsoft 365 environment because her MFA setup was tied to her old device. This experience highlighted how important it is to have a process in place for MFA re-registration. Without it, even routine changes like upgrading a phone can disrupt access to your everyday tools, delaying important work such as submitting a grant proposal.

Why MFA is Essential for Nonprofits

Before we discuss how to reset MFA, let's step back and discuss why MFA is a necessity for nonprofits, as it is for any organization. In the nonprofit world, protecting sensitive or confidential data, like donor information, financial records, and program details, is a top priority. One of the best ways to step up your security game is multi-factor authentication (MFA). MFA adds an extra layer of protection on top of passwords by requiring something you have (like a mobile app, or the phone that receives a text message) or something you are (like a fingerprint). This makes it a lot harder for cybercriminals to get unauthorized access with a stolen or guessed password alone.

If your nonprofit uses Microsoft Entra ID (formerly Azure Active Directory) with Microsoft 365, MFA can make a big difference in keeping your work safe. Since Microsoft Entra is built to work together with other Microsoft tools, it's easy to set up and enforce secure sign-in methods across your whole organization. To make sure this added protection stays effective, it's a good idea to occasionally ask users to update how they verify their identity.

What Does MFA Re-Registration Mean for Nonprofits?

MFA re-registration is just a fancy way of saying users need to update or reset how they authenticate, or verify, themselves.
This might mean setting up MFA on a new phone (like the woman in the scenario above), adding an extra security option (like a hardware token), or simply confirming their existing setup. It's all about making sure the methods and devices your users rely on for MFA are secure and under their control.

When and Why Should Nonprofits Require MFA Re-Registration?

Besides getting a new phone, there are other situations that warrant re-registering MFA. A few scenarios include:
• Lost or Stolen Devices: As in the scenario above, if someone loses their phone or it gets stolen, the old registration must be removed and the new device registered.
• Role Changes: If someone's responsibilities change, their MFA setup can be adjusted to match their new access needs.
• Security Enhancements: Organizations may require users to re-register for MFA to adopt more secure authentication methods, such as moving from SMS-based MFA to an app-based method like Microsoft Authenticator.
• Policy Updates: When an organization updates its security policies, it might require all users to re-register for MFA to comply with new standards.
• Account Compromise: If there is a suspicion that an account has been compromised, re-registering MFA helps secure the account by ensuring that only the legitimate user holds a valid second factor. Do this together with a password reset and a revocation of the user's sign-in sessions, otherwise an attacker with an existing session can keep using it or register a method of their own.

With Microsoft Entra, managing MFA re-registration is straightforward and can be done by an administrator of the organization's tenant.

How to Require Re-Registration of MFA

To reset or require re-registration of MFA in Microsoft Entra, follow the steps below.

1. Navigate to portal.azure.com with your nonprofit admin account.
2. Select Microsoft Entra ID.
3. Select the drop-down for Manage.
4. In the left-hand menu bar select Users, then select the name of the user you want to re-register for MFA (not shown).
5. Once in their profile, select Manage MFA authentication methods.
6. Select Require re-register multifactor authentication.

Congratulations!
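The same reset can be scripted with the Microsoft Graph PowerShell SDK, which is useful when a phone is lost and you want an audit trail of exactly which registrations were removed. This is an added example, not code from the original post: it assumes the Microsoft.Graph module is installed, that you hold the Authentication Administrator (or Privileged Authentication Administrator) role, and that the UPN is a placeholder for the affected user. Rather than flipping the portal's re-register flag, it deletes the registered Authenticator, phone and software-OATH methods, which forces registration at the next sign-in that requires MFA.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph is installed
# and the caller holds Authentication Administrator. The UPN is a placeholder.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"

$upn    = "jane.doe@contoso.org"   # placeholder UPN of the user with the lost/replaced phone
$dryRun = $true                    # set to $false to actually remove the methods
$user   = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

# 1. Inventory what is registered before touching anything; keep this output with the ticket.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }

# 2. Remove the methods tied to the old device. Each method type has its own Get/Remove cmdlet.
#    Password and FIDO2 security keys are deliberately left alone.
$methodTypes = @(
    @{ Get    = { Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id }
       Remove = { param($id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $id } },
    @{ Get    = { Get-MgUserAuthenticationPhoneMethod -UserId $user.Id }
       Remove = { param($id) Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $id } },
    @{ Get    = { Get-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id }
       Remove = { param($id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $id } }
)

foreach ($t in $methodTypes) {
    foreach ($method in @(& $t.Get)) {
        if ($dryRun) { Write-Host "Would remove method $($method.Id) for $($user.UserPrincipalName)" }
        else         { & $t.Remove $method.Id; Write-Host "Removed method $($method.Id)" }
    }
}

# 3. Invalidate existing refresh tokens so the old device cannot keep a silent session alive.
if (-not $dryRun) { Revoke-MgUserSignInSession -UserId $user.Id | Out-Null }
```

Run it once with the dry-run flag to confirm the inventory matches what the user reports, then flip the flag. If the user is left with no usable method and your tenant requires MFA for registration itself, issue a Temporary Access Pass so they can complete the new registration.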
The user will now be required to re-register the account in the Microsoft Authenticator app at their next sign-in.

Understanding Conditional Access Policies in Microsoft Entra
For many nonprofits, data security can feel like walking a tightrope. Imagine an organization that provides housing assistance and collects personal information from clients: Social Security numbers, income details, and health records. A volunteer logs into the organization's portal from an unsecured public Wi-Fi network. Without proper safeguards, this scenario could easily lead to a data breach. This is where Conditional Access in Microsoft Entra comes into play. It lets organizations enforce dynamic, context-aware access policies that help protect both users and the sensitive data they handle. Conditional Access (CA) policies are a core part of a Zero Trust security strategy, helping nonprofits and enterprises alike balance accessibility and security by evaluating real-time risk factors.

What Is Conditional Access?

Conditional Access is a policy-driven control mechanism in Microsoft Entra that determines how users access your cloud applications. Decisions are based on identity signals, environmental context, and real-time risk insights. Instead of offering unrestricted access after sign-in, CA evaluates conditions like device health, geographic location, and user behavior to decide whether access should be granted, limited, or blocked. For nonprofits, this means staff and volunteers can work flexibly while the organization maintains strong protections around sensitive systems such as donor databases, case management software, or finance portals.
The Conditional Access Model: Signal, Decision, Enforcement

Microsoft's Conditional Access operates through a clear three-stage model:

1. Signal Collection: Each time a user attempts to access a resource, Conditional Access collects data points such as:
• The identity and role of the user (e.g., volunteer, admin)
• The location of the sign-in (trusted IP, known country)
• The type and health of the device used (managed, compliant, jailbroken)
• The application or service being accessed
• Risk assessment (from Microsoft Entra ID Protection)

2. Policy Decision: Using the collected signals, Microsoft Entra evaluates the policies configured by your IT admin. Policies define the conditions under which access is allowed or restricted. If the user's sign-in context matches a policy's assignments and conditions, the system determines whether additional requirements (like MFA) must be satisfied.

3. Enforcement: Once a decision is made, enforcement is immediate: the system grants access, challenges the user for more verification, or blocks the attempt entirely. Enforcement can also limit session behavior using session controls (e.g., read-only access in SharePoint Online). Policies are evaluated when a token is issued or refreshed, so a newly enabled policy affects new sign-ins rather than sessions that are already established.

Key Components of a Conditional Access Policy

A Conditional Access policy includes two main segments: Assignments (who and what the policy applies to) and Access Controls (what should happen if the policy is triggered).

Assignments

1. Users and Groups: Policies can target:
• Specific users (e.g., executive director)
• Security groups (e.g., all finance team members)
• Directory roles (e.g., Global Administrators)
• All users, with necessary exclusions for emergency access accounts

2. Cloud Apps or Actions:
• Define whether the policy applies to Exchange Online, SharePoint, Teams, or other applications
• Protect sensitive user actions such as registering security information or registering and joining devices

3.
Conditions: Each policy can be fine-tuned using a wide array of conditions:
• Sign-in Risk: Flags sign-ins that appear risky based on impossible travel, leaked credentials, or unusual behavior. Policies can respond differently to low, medium, or high risk. Risk signals come from Microsoft Entra ID Protection and require a Plan 2 license.
• Device Platforms: Targets specific OS platforms (iOS, Android, Windows, macOS) so you can enforce device-based controls like requiring compliant or hybrid-joined devices. The platform is read from the client's user agent, so treat it as a filter rather than a security boundary.
• Locations: Policies can include or exclude IP ranges and countries. Named locations (like your office IP range) can be marked as trusted to reduce friction.
• Client Apps: Differentiates between browser-based apps, modern desktop and mobile clients, and legacy authentication clients (e.g., POP, IMAP, SMTP, Exchange ActiveSync). Legacy protocols cannot perform MFA and are common targets for password spraying, which makes them ideal candidates for a block policy.
• Device State (now expressed through filters for devices): Detects whether the device is marked compliant by Intune or is Microsoft Entra hybrid joined, so sensitive data only flows to trusted, healthy devices.

Conditions within one policy are additive: every configured condition must match for the policy to apply. Administrators can also use filters and multiple layered policies to build more complex enforcement scenarios; when several policies apply to the same sign-in, the controls of all of them must be satisfied.

Access Controls

Once a policy applies, Conditional Access determines the appropriate control. These fall into two categories: Grant Access or Block Access.

Grant Access Controls: Access is granted only if certain criteria are met. Controls include:
• Require multi-factor authentication (MFA) for stronger verification
• Require the device to be marked compliant by Microsoft Intune
• Require a Microsoft Entra hybrid joined device (for domain-joined, managed devices)
• Require approved client apps or app protection policies for mobile access
• Require terms of use acceptance to ensure informed compliance
• Require password change if user risk is high

You can require all selected controls or at least one control to be satisfied before access is granted.
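To make the assignments and controls above concrete, here are two policies built with the Microsoft Graph PowerShell SDK: one grant policy that requires MFA for everyone, and one block policy for legacy authentication clients. This is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, that the caller holds Conditional Access Administrator, and that the break-glass UPN is a placeholder for your own emergency-access account. Both policies are created in report-only state so you can read the sign-in logs before anything is enforced.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph is installed,
# Conditional Access Administrator rights, and a placeholder break-glass UPN.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$breakGlass = (Get-MgUser -UserId "breakglass1@contoso.onmicrosoft.com").Id   # placeholder emergency account

# Policy 1 (grant control): require MFA for all users on all cloud apps, excluding the
# emergency-access account. Report-only state records the would-be outcome per sign-in.
$requireMfa = @{
    displayName   = "CA01 - Require MFA for all users (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2 (block control): legacy clients (Exchange ActiveSync plus "other", which covers
# POP/IMAP/SMTP and anything that cannot do modern auth) never get an MFA prompt, so block them.
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id
}

# Check before switching either policy to "enabled": the break-glass exclusion must be present on both.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA0*" } |
    ForEach-Object { "$($_.DisplayName): excludes $($_.Conditions.Users.ExcludeUsers -join ', ')" }
```

After a few days in report-only mode, filter the sign-in logs on each policy name; if the only "would block" entries for CA02 are service accounts still on IMAP or SMTP AUTH, migrate those first, then change `state` to `enabled`.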
Block Access: This control denies access entirely when risk signals cross a threshold or critical policy conditions are not met. Example use cases:
• Block access from countries your nonprofit doesn't operate in
• Block sign-ins using legacy authentication
• Block users accessing high-risk apps from unmanaged devices

A block overrides any grant controls from other policies that apply to the same sign-in and is enforced in real time.

Best Practices for Conditional Access Implementation

• Use Report-only Mode First: Before enabling enforcement, put the policy in report-only mode and review the sign-in logs to verify its impact.
• Always Exclude Break-glass Accounts: Keep at least two cloud-only Global Administrator accounts excluded from all other Conditional Access policies, with long, complex credentials and monitoring on their sign-ins. You can still create a dedicated policy for these emergency accounts with stronger controls such as user risk, sign-in risk, or a FIDO2 authentication strength. Some of these features require Microsoft Entra ID Plan 2; see Risk policies - Microsoft Entra ID Protection | Microsoft Learn.
• Use Named Locations Strategically: Define known safe IP ranges (e.g., office, partner orgs) to simplify policy logic.
• Design for Least Privilege: Apply the minimal access necessary for users and apps to operate securely.
• Deploy MFA Broadly but Thoughtfully: Balance security with usability by requiring MFA on sensitive resources and risky sign-ins.
• Reassess Policies Quarterly: Align policies with changes in staff roles, service usage, and the threat landscape.
• Use Templates and Baselines: Microsoft provides templates for common scenarios such as protecting privileged roles or blocking legacy authentication.
• Enable Real-time Monitoring: Use sign-in logs, diagnostic settings, and Entra Workbooks to track trends and investigate blocked access attempts.

Conclusion

Microsoft Entra Conditional Access gives nonprofits a powerful and flexible way to secure access to their cloud environments.
By evaluating each login attempt against a set of contextual signals and adaptive policies, Conditional Access enforces security in real time without unnecessary disruption. It supports the organization's mission by protecting sensitive data, ensuring compliance, and enabling secure remote work. Whether you're managing grants, safeguarding health records, or coordinating volunteers, Conditional Access ensures that only the right individuals, under the right circumstances, can access the right information.

Hyperlinks
• Building a Conditional Access policy - Microsoft Entra ID | Microsoft Learn
• Risk policies - Microsoft Entra ID Protection | Microsoft Learn

What's Included with Microsoft's Granted Offerings for Nonprofits?
Are you a nonprofit looking to boost your impact with cutting-edge technology? Microsoft is here to help! From free software licenses to guided technical documentation and support, this program offers a range of resources designed to empower your organization. In this blog, we'll dive into the tools and grants available to nonprofits through Microsoft, showing you how to make the most of these offerings. Whether you're managing projects or just trying to simplify your day-to-day tasks, there's something here for everyone. Let's explore what's possible!

Efficiently Removing Inactive Guest Users in M365/Azure
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we'll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more.

Many organizations forget to offboard their guest users. Whether students drop out, graduate, or are removed from the program, their guest accounts often linger in your tenant: quiet, forgotten, and potentially risky. Let's talk about why it matters and what you should be doing about it.

The Hidden Risk of Inactive Guest Users

It's easy to think of guest users as harmless; after all, they're just there temporarily, right? But each inactive guest account is an open door that, if left unlocked, could be used by someone with bad intentions. Here's why:
• Their credentials may be compromised elsewhere. A guest signs in with their home account, not with a password you control, so if a former student reused a password or their email account is breached, an attacker can use that still-active guest account to get into your tenant.
• They may retain access to sensitive files. Even if you think they've moved on, inactive guests might still be able to view shared documents, recordings, or internal communication threads.
• Your organization becomes a bigger target. The more accounts you have, especially inactive or unmonitored ones, the more surface area an attacker can exploit.
• Nonprofits are particularly vulnerable. You're working hard to do good in the world, but limited time, resources, and staff often mean security takes a back seat.
That's why it's critical to develop lightweight, repeatable processes that protect your community and your mission.

Guest Access Shouldn't Be Set and Forget

Inviting students into your tenant helps them feel part of something bigger. But just as important as the welcome is the send-off. Not everyone who starts the program finishes it, and not everyone who finishes needs continued access to your resources. Here are a few things to consider:
• Do you have a system to track who's still active?
• Are you reviewing guest user activity periodically?
• Do you know how to remove or disable users when they're no longer part of the program?

If the answer to any of these is "no," you're not alone, and you're not too late.

The Benefits of Cleaning Up Your Tenant

Beyond improving your security posture, removing inactive guest users can:
• Keep your environment organized. It's easier to manage active cohorts when your tenant isn't cluttered with outdated accounts.
• Reduce permission sprawl. Even though guest users don't typically consume licenses, having too many users can complicate group access, permissions, and automated workflows.
• Show respect for your participants. Offboarding users when their participation ends is a sign of professionalism, and it protects their data, too.

Up Next: How to Remove Inactive Guest Users

Now that you understand why it's important to remove inactive guest users, the next step is knowing how. Microsoft 365 provides built-in tools and settings to help you manage and clean up guest access safely and efficiently. In the next section, we'll walk through a step-by-step guide to identify and remove inactive guest users from your tenant.

How to Create a Dynamic Group for Guest Users in Microsoft Entra ID

The first thing we need to do is create a dynamic group for guest users. This step is important because dynamic groups automatically include users based on specific attributes, in this case anyone with a user type of "Guest." Dynamic membership is a Microsoft Entra ID Plan 1 feature.
Instead of manually adding or removing users from a group each time someone joins or leaves your program, dynamic groups keep everything up to date for you. It's a simple way to ensure your access management stays clean, organized, and secure.

Step-by-Step Instructions

1. Sign in to the Microsoft Entra admin center. Go to https://entra.microsoft.com, log in with your admin credentials, and open Entra ID under Manage.
2. Access the Groups section. In the left-hand menu, select Groups under Manage.
3. Create a new group. Click + New group.
4. Configure group settings. Select Security as the group type, enter a name (like "Guest Users"), and choose Dynamic User under Membership type.
5. Add a dynamic membership rule. Under Dynamic user members, click Add dynamic query to build a rule based on user attributes.
6. Define the membership rule. Select + Add expression, then set Property to userType, Operator to Equals, and Value to Guest.
7. Add a second expression so that only enabled guest accounts are included. Click Add expression again, then set Property to accountEnabled, Operator to Equals, and Value to true. In rule syntax this is (user.userType -eq "Guest") and (user.accountEnabled -eq true).
8. Validate the rules. Select Validate Rules, click + Add users, and pick a guest user from the list to confirm the rule matches as intended before applying it.
9. Save the dynamic rule. Click Save to finalize the rule and return to the group creation screen.
10. Create the group. Review all the settings and click Create; the group will now include all enabled guest users automatically. Navigate back to Groups, select Dynamic Groups, and open your group to view the members and verify that guest users have been added (membership processing can take a few minutes).

We're not done just yet! Now let's automate the review and removal of inactive guest users.

🔍 How to Set Up an Access Review for Inactive Guest Users in Microsoft Entra ID

After establishing a dynamic group for guest users, the next crucial step is to regularly review their activity. Access reviews in Microsoft Entra ID let you automate identifying and removing inactive guest users, maintaining a secure and compliant environment. Access reviews are part of Microsoft Entra ID Governance and are also included with Microsoft Entra ID Plan 2.

Step-by-Step Instructions

1. Access the Identity Governance section. In the portal search bar, type and select Identity Governance, then click Access Reviews.
2. Initiate a new access review. Click + New access review to start the configuration process.
3. Select what to review
• Resource type: Teams + Groups
• Review scope: Select Teams + groups
• Group selection: the dynamic group you previously created for guest users
• Scope: Guest users only
• User scope: check the box for Inactive users only
• Days inactive: the number of days that defines inactivity (e.g., 30)

4. Configure the review settings
• Reviewers: Selected user(s) or group(s)
• Users or Groups: your desired reviewer(s)
• Duration: the number of days the review stays open (e.g., 5 days)
• Recurrence: the frequency (e.g., monthly, quarterly), or a one-time review
• Start date: when the review should begin
• End date: when the review should end, or Never for an ongoing review

5. Set up review settings
• Auto apply results to resource: enable this to apply the review outcomes automatically
• If reviewers don't respond: Remove access or Take recommendations, to revoke access for users who were not reviewed
• Action to apply on denied guest users: Block user from signing in for 30 days, then remove user from the tenant

6. Configure advanced settings (optional)
• Justification required: require reviewers to provide reasons for their decisions
• Email notifications: send notifications to reviewers at the start and end of the review
• Reminders: remind reviewers during the review period
• Additional content for reviewer email: add specific instructions or information for reviewers

7. Review and create the access review
• Name: a descriptive name for the access review
• Description: optional details about the purpose of the review
• Review: ensure all settings are correct
• Create: click Create to initiate the access review

Managing guest access might feel like a behind-the-scenes task, but it plays a frontline role in protecting your nonprofit's data, resources, and reputation.
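For tenants that would rather keep this configuration in a script than in a set of screenshots, the whole procedure above (the dynamic guest group and the recurring inactive-guest review) can be created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, that the caller holds the Groups Administrator and Identity Governance Administrator roles, that the tenant is licensed for access reviews, and that the reviewer UPN is a placeholder. The review body follows the Graph accessReviewScheduleDefinition schema; the disableAndDeleteUserApplyAction entry is assumed to be the API form of the portal's "Block user from signing in for 30 days, then remove user from the tenant" option.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph is installed,
# Groups Administrator + Identity Governance Administrator rights, access review
# licensing, and a placeholder reviewer UPN.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "AccessReview.ReadWrite.All", "User.Read.All"

# Step 1: dynamic security group with the same two expressions as the portal walkthrough.
$group = New-MgGroup -DisplayName "Guest Users" `
    -MailEnabled:$false -MailNickname "guestusers" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "On"

# Check (run again after processing settles, which can take several minutes): the member
# count should match the number of enabled guests in the directory.
$expected = @(Get-MgUser -Filter "userType eq 'Guest' and accountEnabled eq true" `
                -ConsistencyLevel eventual -CountVariable guestCount -All).Count
$actual   = @(Get-MgGroupMember -GroupId $group.Id -All).Count
"Dynamic group $($group.Id): $actual members; directory has $expected enabled guests"

# Step 2: monthly access review of guests in that group with no sign-in for 30 days.
$reviewer   = Get-MgUser -UserId "it.lead@contoso.org"   # placeholder reviewer
$guestQuery = '/groups/' + $group.Id +
              '/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')'

$review = @{
    displayName          = "Monthly review - inactive guest users"
    descriptionForAdmins = "Guests with no sign-in for 30 days. Denied users are blocked, then deleted."
    scope = @{
        "@odata.type"    = "#microsoft.graph.accessReviewInactiveUsersQueryScope"
        query            = $guestQuery
        queryType        = "MicrosoftGraph"
        inactiveDuration = "P30D"                       # portal: Days inactive = 30
    }
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($group.Id)"
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })
    settings  = @{
        instanceDurationInDays          = 5             # portal: Duration
        autoApplyDecisionsEnabled       = $true         # portal: Auto apply results to resource
        defaultDecisionEnabled          = $true         # portal: If reviewers don't respond...
        defaultDecision                 = "Deny"        #         ...Remove access
        recommendationsEnabled          = $true
        justificationRequiredOnApproval = $true         # portal: Justification required
        mailNotificationsEnabled        = $true         # portal: Email notifications
        reminderNotificationsEnabled    = $true         # portal: Reminders
        # Assumed API equivalent of "Block user from signing in for 30 days, then remove user".
        applyActions = @(@{ "@odata.type" = "#microsoft.graph.disableAndDeleteUserApplyAction" })
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 1; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
"Created access review $($definition.Id); first instance starts $($review.settings.recurrence.range.startDate)"
```

Because the default decision is Deny and results auto-apply, a month in which nobody opens the review still removes every inactive guest; that is the intended safety behavior, so make sure the reviewer notifications go to a monitored mailbox.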
Whether a guest user is a student who graduated, a volunteer who moved on, or someone who left unexpectedly, leaving their access unchecked can expose your organization to unnecessary risk. By creating a dynamic group for guest users and setting up regular access reviews, you're putting smart guardrails in place. These steps not only strengthen your security but also keep your Microsoft 365 environment tidy, efficient, and aligned with best practices. Security doesn't have to be complicated, and it shouldn't be an afterthought. With tools already available in Microsoft Entra ID, you can stay proactive, stay protected, and keep your mission moving forward with confidence.

A Bird's Eye View with Microsoft Purview
Compliance, Security, & Governance

Nonprofits are entrusted with the critical task of managing sensitive data, including Personally Identifiable Information (PII) and Protected Health Information (PHI). This responsibility underscores the importance of robust data governance. As cyberattacks become increasingly sophisticated, having a comprehensive data compliance strategy is not just advisable but essential. Nonprofits are particularly vulnerable to these attacks, which can exploit sensitive data for malicious purposes. Moreover, grant requirements often mandate stringent security measures to safeguard individuals' data.

Compliance with regulations such as the European Union's General Data Protection Regulation (GDPR) is crucial. This regulation sets a high standard for data security and privacy and applies to organizations that handle the personal data of people in the EU, wherever the organization itself is based. By adhering to these compliance standards, nonprofits can not only protect their stakeholders' data but also enhance their credibility and trustworthiness in the eyes of donors and partners.

Small organizations should assess their risk tolerance and current privacy standards to identify areas for improvement. Implementing a Data Protection Impact Assessment (DPIA) plan is highly recommended. A DPIA helps analyze and minimize data protection risks, and a DPIA template provides a structured framework for planning and mapping data protection processes, so that all necessary steps are taken to protect sensitive information and comply with data protection regulations. Download the DPIA template to begin mapping out your data protection measures, mitigating risks, and building trust with stakeholders: Microsoft Word - dpia-template-v1.docx.

Now that we have a clear understanding of the critical need for compliance measures, let's explore how Microsoft provides organizations with the tools they need to begin protecting their sensitive data.
Microsoft Purview Portal

Welcome to the Microsoft Purview portal, your solution for your compliance, data, and security needs. We have seen the importance of keeping sensitive data secure and the global enforcement of privacy and security standards for organizations of every size. So, what is the Microsoft Purview portal, and how can it help nonprofits govern their data and work toward GDPR compliance? The Microsoft Purview portal is a cloud platform that lets you manage solutions, monitor compliance, create policies, manage private data, and apply Data Loss Prevention (DLP) measures, all while improving your compliance posture. The available features depend on the type of Microsoft 365 license your organization holds. Take advantage of 30-day free trials to try out scenarios with features from additional applications. Below is a list of applications with a brief description of each:
• Microsoft Purview Audit: Provides the ability to log and search audited activities, powering forensic, IT, compliance, and legal investigations.
• Communication Compliance: Helps detect, capture, and act on inappropriate messages that can lead to potential data security or compliance incidents within your organization.
• Compliance Alerts: Compliance Manager alerts you to changes as soon as they happen, helping you stay on track with your compliance goals through alert policies.
• Compliance Manager: Helps you assess and manage compliance across your multi-cloud environment, providing pre-built assessments, workflow capabilities, and a risk-based compliance score.
• Data Catalog: The Microsoft Purview Unified Catalog lets you explore and understand your data categorized by governance domains, search through an AI-powered copilot, and subscribe to data products.
• Data Lifecycle Management: Provides tools and capabilities to retain the content you need to keep and delete the content you don't, helping manage risk and liability.
• Data Loss Prevention: Microsoft Purview Data Loss Prevention (DLP) helps protect sensitive data by identifying, monitoring, and automatically protecting sensitive items across Microsoft 365 services and endpoints.
• eDiscovery: Microsoft Purview eDiscovery helps you manage internal and external investigations by identifying, holding, and exporting content found in mailboxes and sites.
• Information Protection: Microsoft Purview Information Protection helps you discover, classify, protect, and govern sensitive information wherever it lives or travels.
• Information Barriers: Lets you restrict two-way communication and collaboration between groups and users in Microsoft Teams, SharePoint, and OneDrive, helping to avoid conflicts of interest and safeguard internal information.
• Insider Risk Management: Microsoft Purview Insider Risk Management helps you detect, investigate, and act on risky activities within your organization to mitigate potential data security incidents.
• Records Management: Uses intelligent classification to automate and simplify the retention schedule for regulatory, legal, and business-critical records in your organization.

Associated Portals

• Microsoft Defender: A comprehensive security solution that protects devices, endpoints, email, collaboration tools, and cloud apps. It includes risk-based vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, and managed hunting services: Microsoft Defender Portal.
• Microsoft Entra: A family of identity and network access products designed to implement a Zero Trust security strategy. It includes Microsoft Entra ID, Domain Services, Private Access, Internet Access, ID Governance, and ID Protection: Microsoft Entra Admin Center.
• Microsoft Fabric: An enterprise-ready, end-to-end analytics platform that unifies data movement, processing, ingestion, transformation, real-time event routing, and report building. It integrates services like Data Engineering, Data Factory, Data Science, Real-Time Intelligence, Data Warehouse, and Databases into a cohesive stack: Microsoft Fabric.
• Microsoft Priva: A set of solutions that support privacy operations across an organization's data landscape. It helps consolidate privacy protection, standardize compliance, and streamline regulation adherence with solutions like Consent Management, Privacy Assessments, Subject Rights Requests, and Tracker Scanning: Microsoft Priva Portal.
• Microsoft Service Trust: The Microsoft Service Trust Portal (STP) is a one-stop shop for security, regulatory compliance, and privacy information related to the Microsoft cloud. It provides content, tools, and resources to help organizations manage cloud data security and compliance: Microsoft Service Trust.

The platform offers various tutorials to help users get started, such as those available on Microsoft Learn. These tutorials cover essential topics like safeguarding data across platforms, apps, and clouds, and improving risk and compliance posture. You can learn more about walkthrough guides here: Microsoft Purview setup guides | Microsoft Learn.

Knowledge Center

If you're looking to learn more about the key features of Microsoft Purview and how to start implementing its processes, you're in luck! Microsoft Purview offers a wealth of resources to help you get started. Whether you prefer to read through detailed documentation or watch a variety of curated videos, there are plenty of options available to suit your learning style. These resources cover everything from the basics of Microsoft Purview to best practices for data governance, risk management, and compliance.
By leveraging these materials, you can gain a comprehensive understanding of how to effectively use Microsoft Purview to enhance your organization's data management strategies. So, dive in and explore the wealth of knowledge available to you!

Engage The Community

The Microsoft Purview Community is a dynamic platform where users can connect with experts, share knowledge, and explore the features of Microsoft Purview. It offers discussions, forums, and resources tailored to data governance, risk management, and compliance needs. Whether you're an experienced admin or a newcomer, the community provides valuable information and support to enhance your data management strategies. Join the Microsoft Purview Community today to leverage collective knowledge and expertise for better data management.

Conclusion

We have explored the extensive resources available to you for enhancing data privacy, compliance, and governance. You have discovered how to mitigate risks by conducting impact assessments, which are crucial for improving your security and compliance posture. Additionally, you have learned about the various guides and videos that provide step-by-step instructions on implementing effective measures. Microsoft Purview offers a comprehensive suite of tools designed to secure your organization and streamline your data management processes. To delve deeper into these resources, please refer to the detailed documentation and training materials provided below. These resources will equip you with the knowledge and skills needed to effectively utilize Microsoft Purview and ensure your organization's data remains secure and compliant.
Hyperlinks

Introduction to Microsoft Purview - Training | Microsoft Learn
Microsoft Purview Information Protection | Microsoft Learn
Learn about data loss prevention | Microsoft Learn
Category: Microsoft Purview | Microsoft Community Hub
Microsoft Purview Audit service description - Service Descriptions | Microsoft Learn
Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses
What is GDPR, the EU’s new data protection law? - GDPR.eu
GDPR compliance checklist - GDPR.eu

Management Made Simple with Administrative Units - Microsoft Entra ID
Microsoft Entra ID, formerly known as Azure Active Directory, is the part of Microsoft Entra that manages both internal and external resources for your organization. These resources can reside in your Azure subscription or within your Microsoft 365 Tenant. Entra ID therefore helps IT administrators manage who requires access to these resources. Organizations can choose from three plans: Free, Microsoft Entra ID Plan 1, and Microsoft Entra ID Plan 2. Microsoft Entra ID is accessible through both the Azure portal and the Microsoft Entra Admin Center. Additionally, within the Microsoft Entra Admin Center under Identity, you can manage devices, create lifecycle workflows, handle app registrations, and much more. In this lesson, we will learn about Administrative Units and how they can be used to manage your administrative staff within your organization. A brief description of the different plans follows; you can learn more about their features here: Microsoft Entra Plans and Pricing | Microsoft Security.

License Information:

Microsoft Entra ID Free:
Provides user and group management.
Offers on-premises directory synchronization.
Includes basic reports.
Allows self-service password change for cloud users.
Supports single sign-on across Azure, Microsoft 365, and many popular SaaS apps.

Microsoft Entra ID Plan 1:
Includes all features of the Free plan.
Allows hybrid users to access both on-premises and cloud resources.
Supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities for self-service password reset for on-premises users.

Microsoft Entra ID Plan 2:
Includes all features of the Free plan and Plan 1.
Offers Microsoft Entra ID Protection for risk-based Conditional Access to apps and critical company data.
Provides Privileged Identity Management to discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.

Microsoft Entra Role Based Access Control (RBAC)

Microsoft Entra ID allows you to limit an administrator's access if they do not need tenant-level administrative rights. Restricting access to only what is necessary is crucial to abiding by the least privilege principle. This principle ensures that administrators have only the permissions necessary to perform their tasks, minimizing the risk of unauthorized access. For example, an external consultant who performs helpdesk tasks for you can be granted only the permissions needed for those duties. If needed, you can also build custom roles; however, the built-in roles cover most use cases. Auditing administrative units involves monitoring and reviewing the activities within these units to ensure compliance with organizational policies and security standards.

External Partner Delegation

You can also delegate to an external partner the ability to provision and deploy services on your behalf. Organizational Global and Billing Administrators can agree to external partnership agreements with Microsoft Partners. Microsoft Solution Partners (MSP) can provide a wide variety of services. You will have to sign a partner agreement authorizing the partner to provide services on your behalf; the scope of work depends on the partner. You can find a Microsoft Certified Solutions Partner here: Find the right app | Microsoft AppSource. Partners will send an email that establishes a connection to your accounts. You can find this agreement in the Microsoft 365 Admin Center and the Microsoft Entra Admin Center. To see your partnership relationship, follow the instructions below:

Microsoft 365 Admin Center - Partnership Relationship

Navigate to Microsoft 365 Admin Center: https://admin.microsoft.com/.
Login with your Administrative Username and Password.
Authenticate with the Microsoft Authenticator app when prompted.
In the left-hand menu, locate and click on the Show all tab.
Select the Settings tab, then click on Partnership relationships.

Microsoft Entra Admin Center - Delegated Admin Partners

Navigate to Microsoft Entra Admin Center: https://entra.microsoft.com/.
Login with your Administrative Username and Password.
Authenticate with the Microsoft Authenticator app when prompted.
In the home directory, in the left-hand menu, click on the Identity tab.
Next, select Roles & Admins, then click on Delegated admin partners.

In both areas, you will be able to view the active relationship with your partner, including the specific type of partnership they have with your organization. It is advisable to consult your partner for detailed information regarding your partnership agreement before making any decisions to cancel or delete the partnership. Additionally, it is common practice to create an administrative unit for managing external partners, guests, and similar entities. This ensures that all external relationships are organized and managed efficiently.

What are Administrative Units?

Microsoft Entra ID Administrative Units are specialized containers within the Microsoft Entra ID environment designed to help you efficiently organize and manage users, groups, and devices. These units enable you to delegate administrative tasks to specific segments of your organization, ensuring that permissions are confined to a well-defined scope. This functionality is particularly beneficial for IT professionals, as it provides numerous use cases for delegating tasks, thereby enhancing operational efficiency and security.

Administrative Units Use Cases

To understand how administrative units are implemented within Microsoft Entra, review the common scenarios below:

Delegating Administrative Tasks: Administrative units allow you to delegate administrative tasks to specific segments of your organization. For example, you can delegate the Helpdesk Administrator role to regional support specialists, enabling them to manage users only in the region they support.

Restricting Permissions: Administrative units help in restricting permissions to a defined scope. This is particularly useful in large organizations where different departments or regions need to manage their own resources without affecting others.

Managing Users, Groups, and Devices: Administrative units can contain users, groups, or devices, making it easier to manage these resources within a specific scope. For instance, you can create an administrative unit for a particular department and manage all users, groups, and devices within that department.

Implementing Least Privilege Access: By using administrative units, you can implement least privilege access, ensuring that administrators have only the permissions necessary to perform their tasks. This enhances security by minimizing the risk of unauthorized access.

Organizing by Geography or Division: Administrative units can be used to organize resources by geography or division. For example, you might add users to administrative units based on their location (e.g., "Seattle") or department (e.g., "Marketing"), allowing for more granular management.

Managing Properties of Groups: Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit. This allows administrators to manage properties of the group, such as group name or membership, without affecting the individual members of the group.

Setting Policies at a Granular Level: Administrative units enable central administrators to set policies at a granular level.
For example, in a large university with multiple autonomous schools, each school can have its own administrative unit with specific policies tailored to its needs.

Conclusion

In conclusion, Microsoft Entra ID Administrative Units offer a robust framework for managing user access and permissions within your organization. By leveraging these units, you can enhance security, improve efficiency, and maintain flexibility in your administrative tasks. You have also learned how Administrative Units can be leveraged to manage external partners. Explore the possibilities and unlock the full potential of Microsoft Entra ID today!

Hyperlink

Administrative units in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
Overview of Microsoft Entra role-based access control (RBAC) - Microsoft Entra ID | Microsoft Learn
Manage Microsoft-certified solution provider partner relationships | Microsoft Learn
Find the right app | Microsoft AppSource
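The scoped delegation described in the use cases above (the Helpdesk Administrator role confined to a regional administrative unit rather than granted tenant-wide), together with the verification and audit check the RBAC section calls for, as an added Microsoft Graph PowerShell example that is not part of the original article. It uses cmdlets from the Microsoft Graph PowerShell SDK; the administrative unit name "Seattle", the use of the city attribute to pick members, the description text and the UPN seattle.helpdesk@contoso.example are constructed placeholders for illustration.

```powershell
# Added example (not from the original article): delegate the built-in
# Helpdesk Administrator role to a regional support specialist, scoped to an
# administrative unit instead of the whole tenant, then verify the result.
# Uses the Microsoft Graph PowerShell SDK. The AU name "Seattle", the city
# attribute used to select members, and the UPN below are constructed placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All',
                        'AuditLog.Read.All'

$auName        = 'Seattle'                           # constructed AU name
$specialistUpn = 'seattle.helpdesk@contoso.example'  # constructed UPN of the regional specialist

# 1. Create the administrative unit, or reuse it if it already exists.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'" | Select-Object -First 1
if (-not $au) {
    $au = New-MgDirectoryAdministrativeUnit -DisplayName $auName `
            -Description "Users supported by the $auName helpdesk team"
}

# 2. Populate it with the users that team supports, selected here by the city attribute.
#    Adding a user who is already a member returns an error, which is reported and skipped.
$members = Get-MgUser -Filter "city eq '$auName'" -Property Id,UserPrincipalName -All
foreach ($u in $members) {
    try {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($u.Id)"
        }
    } catch {
        Write-Warning "Could not add $($u.UserPrincipalName): $($_.Exception.Message)"
    }
}

# 3. Assign the role with directoryScopeId pointing at the AU. A scope of "/" would be
#    tenant-wide, which is exactly what least privilege says to avoid here.
$role       = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$specialist = Get-MgUser -UserId $specialistUpn
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $specialist.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verification: list every holder of this role and flag assignments that are tenant-wide.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    ForEach-Object {
        [pscustomobject]@{
            PrincipalId = $_.PrincipalId
            Scope       = $_.DirectoryScopeId
            TenantWide  = ($_.DirectoryScopeId -eq '/')
        }
    } | Format-Table -AutoSize

# 5. Audit trail: the most recent role-management events, which should include this assignment.
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement'" -Sort 'activityDateTime desc' -Top 10 |
    Select-Object ActivityDateTime, ActivityDisplayName, Result |
    Format-Table -AutoSize
```

Step 4 is the check worth keeping as a recurring review: any row with TenantWide set to True is a Helpdesk Administrator who can reset passwords across the whole directory, not just the region they support, and is the assignment to revisit first.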