It's finally time to learn about Groups in Azure AD :)

Groups are foundational components for granting access to resources, email delivery, and even assigning licenses within Azure AD.

But first, you need users, so if you haven't yet, go create some :)

In Azure AD, we have a few different types of groups.

The main group types are security groups and Microsoft 365 groups. Exchange also has distribution lists, which are mail-enabled groups with no security context.

Each group also has a membership type: assigned or dynamic.
Now, before we start creating groups, I need to warn you that Microsoft stupidly believes any user should be able to create groups, both security and M365 types

What you should know is that they can select any email address they want 😱

Let's start here: portal.azure.com/#blade/Microso…
You have 2 options:

1) Prevent users from creating groups - IT wants to be the bottleneck ;)

2) Create a naming policy, and optionally pester group owners to "renew" groups. If they don't, groups are automatically cleaned up.

docs.microsoft.com/en-us/microsof…

docs.microsoft.com/en-us/microsof…
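Both options from the two links above can be set from PowerShell. This is an added example, not code from the thread or its repo; it assumes the MSOnline and AzureADPreview modules are installed, that you are already connected as a Global Admin, and 'SG-GroupCreators' and the notification address are placeholders.

```powershell
# Added example, not code from the thread. Assumes Connect-MsolService and
# Connect-AzureAD (AzureADPreview) have already run as a Global Admin.
# 'SG-GroupCreators' and 'it-admins@example.com' are placeholders.

# 1) Security groups: only admins (and delegated roles) may create them.
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $false

# 2) Microsoft 365 groups are governed by the 'Group.Unified' directory setting.
#    A tenant that has never customised it has no such object yet, so build one
#    from the template first.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Restrict creation to members of one security group of approved creators.
$creators = Get-AzureADGroup -SearchString 'SG-GroupCreators'
$setting['EnableGroupCreation']         = 'False'
$setting['GroupCreationAllowedGroupId'] = $creators.ObjectId

# Naming policy: enforced prefix/suffix plus words nobody outside IT should be
# able to put in a group name or its email address (e.g. 'CEO@', 'Payroll@').
$setting['PrefixSuffixNamingRequirement'] = 'GRP-[GroupName]-[Department]'
$setting['CustomBlockedWordsList']        = 'CEO,Payroll,HR,Legal,Security,Admin'

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# 3) Expiration: owners must renew every 180 days or the group is deleted
#    (soft-deleted, so it can still be restored for a while).
if (-not (Get-AzureADMSGroupLifecyclePolicy)) {
    New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 180 -ManagedGroupTypes 'All' `
        -AlternateNotificationEmails 'it-admins@example.com' | Out-Null
}

# Verify what is now in force.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'EnableGroupCreation','GroupCreationAllowedGroupId',
                                'PrefixSuffixNamingRequirement','CustomBlockedWordsList' }
Get-AzureADMSGroupLifecyclePolicy
```

The naming policy and expiration policy only apply to Microsoft 365 groups; the MSOnline setting in step 1 is what stops users creating security groups.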
With that out of the way, let's create some groups!

portal.azure.com/#blade/Microso…

Click "New group" and start with the simplest form - security groups using assigned membership

This is the traditional model you'd see in on-prem AD and will be the most common/familiar one for AD-based orgs
Groups with "assigned" membership can now be granted a role in Azure AD, so I'm going to do that too

This also lets us use PIM to add users to the group, allowing us to have different settings/approval workflows for different groups.

Very cool stuff:
docs.microsoft.com/en-us/azure/ac…
Next, security groups with dynamic membership

You'll quickly see how important it is to populate user attributes, as they are the key to building these groups

While Azure AD doesn't come close to the flexibility of a dedicated IAM system, this could be totally sufficient for many orgs
Microsoft 365 Groups are a weird beast

They create a ton of backend resources and are heavily used by Yammer and Teams

Overview
docs.microsoft.com/en-us/microsof…

These have an email address, so ensure your naming convention prevents abuse

You can recover them if an owner fails to renew
If you want, create an M365 group with dynamic membership for practice :)

Before we move to Powershell modules, let's look at Audit logs and group based licensing

Audit logs:
portal.azure.com/#blade/Microso…

Group based licensing takes planning but worth it:
docs.microsoft.com/en-us/azure/ac…
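The audit logs are also queryable from PowerShell, which is handy for spotting groups created outside the naming policy. This is an added example, not code from the thread; it assumes Connect-AzureAD with the AzureADPreview module, and 'GRP-' is a placeholder for whatever prefix your naming policy enforces.

```powershell
# Added example, not code from the thread. Assumes Connect-AzureAD (AzureADPreview).
# 'GRP-' is a placeholder for the prefix your naming policy enforces.

# Group management events from the last 7 days (dates in the OData filter are UTC).
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-dd')
$filter = "category eq 'GroupManagement' and activityDateTime ge $since"
$events = Get-AzureADAuditDirectoryLogs -All $true -Filter $filter

# Flatten the interesting bits: who did what to which group.
$report = $events |
    Where-Object { $_.ActivityDisplayName -in 'Add group','Add member to group','Add owner to group','Delete group' } |
    ForEach-Object {
        $grp = $_.TargetResources | Where-Object { $_.Type -eq 'Group' } | Select-Object -First 1
        [pscustomobject]@{
            When     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            Actor    = $_.InitiatedBy.User.UserPrincipalName   # null when an app did it
            Group    = $grp.DisplayName
            Result   = $_.Result
        }
    }

$report | Sort-Object When -Descending | Format-Table -AutoSize

# Groups created that dodge the naming policy: admins are exempt from it and
# security groups are not covered by it at all, so these deserve a second look.
$report | Where-Object { $_.Activity -eq 'Add group' -and $_.Group -notlike 'GRP-*' }
```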
Ran out of time tonight, but on the plus side, got to snuggle a baby for an hour.

I'll finish this up tomorrow, but I did just push some of the Powershell code for creating groups.

Will push Get, Modify, and Delete tomorrow once I comment it all :)

github.com/nathanmcnulty/…
Time for some Powershell :)

If you haven't installed the modules, check out this repo and section of my previous thread:


Also a reminder, I love questions and try to respond to everyone I can. Please ask away :D
Let's create a group with the Az module

Authenticate:
Connect-AzAccount

Then create:
New-AzADGroup -DisplayName "Test Group 1" -MailNickname "TestGroup1"

There aren't many properties available when creating a group with these modules. Let's look at the others :)
Next, let's create a group with the AzureADPreview module

Authenticate:
Connect-AzureAD

Create:
New-AzureADGroup -DisplayName "Test Group 2" -MailEnabled $false -MailNickname "TestGroup2" -SecurityEnabled $true

-MailEnabled $true doesn't work yet, and there still aren't many options here
Finally, let's do the MSOnline module

Authenticate:
Connect-MsolService

Create:
New-MsolGroup -DisplayName "Test Group 3" -Description "Test Group 3"

So none had very many property options :-/

Let's see if we can change membership and properties with a Set/Update
The Az module does not appear to have a Set/Update cmdlet.. :(

At least it does have an add group member option:

Add-AzADGroupMember -MemberUserPrincipalName "tuser1@getsecurer.onmicrosoft.com" -TargetGroupDisplayName "Test Group 1" -Verbose

No output on this without -Verbose
Hurray! The Azure AD module has cmdlets to deal with group membership, ownership, and attributes for both assigned and even dynamic groups!

Commands are too long for Twitter, so be sure to check the repo here:
github.com/nathanmcnulty/…
The MSOnline module is disappointing (as usual)

Note that some of these cmdlets require an ObjectId, so we have to use (Get-MsolGroup -SearchString "...").ObjectId to look it up.

Set-MsolGroup -ObjectId (Get-MsolGroup -SearchString "Test Group 3").ObjectId -DisplayName "Test Group 3 - Modified" -Verbose
OK, so let's use the "Get-" cmdlets to see if our changes went through :)

One of the neat discoveries I had going through this was that the *-AzureADMSGroup cmdlets can work with dynamic group properties

It's been around a while, but the documentation isn't really even there :P
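Pulling together the role-assignable, dynamic and M365 groups from earlier in the thread with the *-AzureADMSGroup cmdlets just mentioned, as an added example that is not code from the thread or its repo. It assumes Connect-AzureAD with the AzureADPreview module, signed in as Global Admin or Privileged Role Admin (needed for role-assignable groups); group names, the department value and the role name are placeholders.

```powershell
# Added example, not code from the thread. Assumes Connect-AzureAD (AzureADPreview)
# as Global Admin or Privileged Role Admin. Group names, 'Security' and
# 'Helpdesk Administrator' are placeholders.

# 1) Assigned-membership security group that can hold an Azure AD role.
#    -IsAssignableToRole can only be set at creation time.
$roleGroup = New-AzureADMSGroup -DisplayName 'SG-HelpdeskAdmins' -MailNickname 'SG-HelpdeskAdmins' `
    -MailEnabled $false -SecurityEnabled $true -IsAssignableToRole $true

# Grant it the role. Get-AzureADDirectoryRole only lists roles already
# activated in the tenant; activate the template first if this returns nothing.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Helpdesk Administrator' }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $roleGroup.Id

# 2) Dynamic security group driven by user attributes (so populate them!).
$rule = '(user.department -eq "Security") -and (user.accountEnabled -eq true)'
$dynGroup = New-AzureADMSGroup -DisplayName 'SG-SecurityTeam' -MailNickname 'SG-SecurityTeam' `
    -MailEnabled $false -SecurityEnabled $true -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 3) Microsoft 365 group (Unified) with the same dynamic rule, for practice.
$m365 = New-AzureADMSGroup -DisplayName 'GRP-Security-Team' -MailNickname 'GRP-Security-Team' `
    -MailEnabled $true -SecurityEnabled $false -GroupTypes 'Unified','DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 4) Read the dynamic properties back; Get-AzureADGroup does not expose them.
Get-AzureADMSGroup -Id $dynGroup.Id |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState

# 5) Tighten the rule and pause processing; set it back to 'On' once validated.
Set-AzureADMSGroup -Id $dynGroup.Id -MembershipRuleProcessingState 'Paused' `
    -MembershipRule '(user.department -eq "Security") -and (user.jobTitle -contains "Engineer")'

# 6) Clean up the test groups. Only the M365 group goes to the recycle bin;
#    deleted security groups cannot be restored.
$roleGroup, $dynGroup, $m365 | ForEach-Object { Remove-AzureADMSGroup -Id $_.Id }
```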
And finally, we'll delete all the test groups with the "Delete-" cmdlets

Rather than type them all out here, you can check them out in the repo:
github.com/nathanmcnulty/…

Hopefully this gives you some ideas on how to build automation around groups in Azure AD :D
No Exchange yet, so no distribution lists for now

Already have content for adding a custom domain to AAD, setting up the mail records, and for installing Azure AD Connect in Express mode

Plan to do properly delegated AAD Connect with ADFS, then migrate to PHS

Other suggestions welcome! :)
