From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Group creation and management

- [Instructor] Group creation in an on-premises Active Directory domain is not that different from Azure Active Directory. I'm in my on-premises Active Directory domain, in Active Directory Users and Computers, and what I'm going to do is create a new group. I'll right-click on any one of these folders or organizational units, choose New, and then choose Group. Once the wizard comes up, I need to give it a name, and I'll call it the accounting group. When I fill out the first box, you see it automatically fills in the second box for pre-Windows 2000. Now, the group scope and group type are important, because you're going to get a lot of different results depending on which one you choose. The group type by default is set to Security, which you see here. That means I can go ahead and assign this group access to things like shared folders or applications, and I can add users to the security group, and then they'll be able to use those resources. If I choose the Distribution option, this has to do with Microsoft Exchange, using an email server. So if I have Exchange Online, this doesn't really translate to helping me out within the Azure portal unless I'm synchronizing all of my users and groups using the Azure Active Directory connector. On the left-hand side, we see the group scope: Domain local is just the local domain you're logged into, Global includes all the different domains under a single forest, and Universal allows you to create groups that include users and groups from multiple different forests. Now, the default is going to be Global, which will cover a single domain or multiple domains, which is why I believe Microsoft made it the default, so that if you created any new domains under the same forest in the future, you'd still be able to use that group. I'll click OK, and when I expand this column, we see our accounting group.

Now I'm going to create a new user in Active Directory and add it to the group. So I'll right-click and choose New, and I'll choose User. A wizard shows up, and I'll say this is the accounting user, and I'll just make the user logon name acctuser, click Next, and put in my password. Once again, we are bound by whatever the default rules are for creating a password, which means at least seven characters, at least one uppercase letter, and at least one number. You can choose to force the user to change the password at the next logon, or you could say the password never expires. You could also say the user cannot change their own password; that's not necessarily a great idea, as many times we rotate those passwords based on days. You also have the option for the account to be disabled. I'm going to choose password never expires just because this is a fake user, and click Finish. Now I'm going to go to the accounting group, click on Members, click Add, type in acc, click Check Names, and there's my new accounting user, and I've added that user to our group.

I'm in the Azure portal at portal.azure.com. I'll click on Azure Active Directory, and here we should see a list of all the users and groups in Azure Active Directory. Now, I'm not synchronizing my on-premises Active Directory to my Azure portal, but that's okay; I can still show you how to create groups and assign users to them. Here's a list of my users, and if I go back, we can see a list of my groups. Now I'm going to create a new group. We can see the group type of the two groups I already have is Microsoft 365. I'm going to click on New group, and we can see the options here are Security or Microsoft 365. Once again, the security group works exactly as it does on-premises: it's for accessing resources such as shared folders and applications, things like that. However, a Microsoft 365 group is going to be just like the distribution group that we saw in the on-premises Active Directory domain.

So what this means is that if I add people to this group, then I can send an email to that group and it'll reach everyone in the group all at once without having to send individual emails to them. So I'll give this group a name, and it's called MyEmailGroup, and you can see it automatically creates a group email address at whatever the default domain name is. Under the group description, I can give it a description if I'd like to, and under membership type we see it's set to Assigned. Assigned means that I can go in and add individual users to that group. The other option is Dynamic. Dynamic means that I can create a group with certain rules, and then anybody who matches those rules is automatically added. So for instance, if I said anyone whose properties include that they live in Chicago, then if you live in Chicago according to the properties of your Azure Active Directory user, you're automatically going to be added to the group, and that's different from the on-premises groups that we can create. However, we can create those types of groups if we add something called Dynamic Access Control to our on-premises Active Directory domain, but it does require a lot of setup to get that to work. Now I can go ahead and set my owner, and now I can click on Members and add one member or as many as I'd like, and click Create. It says it was successfully created, but you do need to refresh to get it to show up, and there's MyEmailGroup.

The big question is, why do we need to create groups? Well, when we add groups to resources, let's say to a shared folder, and we have many users come and go in a company (some companies have very high turnover), what can happen is that if you have a whole lot of different shared folders, you'll have to go into each and every one of those folders and add and remove people as they come and go. However, if those users are members of a group, and the group is a member of those shared resources, you only need to add or remove from the one group. On-premises and Azure Active Directory aren't that different when it comes to group creation and management; they both have options for security and distribution in ways that can save the sysadmin a lot of time and effort.
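The two procedures walked through in the transcript, creating the on-premises security group and user in Active Directory and then creating Microsoft 365 and dynamic groups in Azure Active Directory (now Microsoft Entra ID), scripted in PowerShell as an added example. This is not the course's own code. The OU path, domain name, user principal name and the Chicago city attribute are assumptions; the first half needs the RSAT ActiveDirectory module on a domain-joined machine, and the second half needs the Microsoft.Graph.Groups and Microsoft.Graph.Users modules. The script prompts for the password as a SecureString rather than embedding it, and forces a change at first logon instead of setting password never expires, which is the setting you want for a real account.

```powershell
# Added example, not from the course. Run as an account that can create
# objects in the target OU (on-premises) and groups in the tenant (Entra ID).
Import-Module ActiveDirectory

$ou     = "OU=Accounting,DC=corp,DC=example"   # assumed OU; adjust for your domain
$domain = "corp.example"                        # assumed UPN suffix

# --- On-premises Active Directory ---------------------------------------------
# 1. Create the group. -GroupCategory and -GroupScope are the "group type" and
#    "group scope" radio buttons in the ADUC wizard (defaults: Security, Global).
#    -SamAccountName is the "pre-Windows 2000" name the wizard fills in for you.
New-ADGroup -Name "Accounting Group" `
            -SamAccountName "AccountingGroup" `
            -GroupCategory Security `
            -GroupScope Global `
            -Path $ou `
            -Description "Access to the accounting file shares"

# 2. Create the user. The password is read as a SecureString so it never sits
#    in the script or the shell history; -ChangePasswordAtLogon forces a reset
#    at first logon. Domain password policy still applies to the value entered.
$password = Read-Host -Prompt "Initial password for acctuser" -AsSecureString
New-ADUser -Name "Accounting User" `
           -SamAccountName "acctuser" `
           -UserPrincipalName "acctuser@$domain" `
           -Path $ou `
           -AccountPassword $password `
           -Enabled $true `
           -ChangePasswordAtLogon $true

# 3. Add the user to the group (the Members > Add > Check Names step).
Add-ADGroupMember -Identity "AccountingGroup" -Members "acctuser"

# 4. Verify from both directions: who is in the group, and which groups the
#    user belongs to. Run this check whenever a share or application is granted
#    access through a group; it is the membership that now controls the access.
Get-ADGroupMember -Identity "AccountingGroup" |
    Select-Object Name, SamAccountName, objectClass
Get-ADPrincipalGroupMembership -Identity "acctuser" |
    Select-Object Name, GroupCategory, GroupScope

# --- Azure AD / Microsoft Entra ID via Microsoft Graph PowerShell ------------
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# 5. Microsoft 365 group with Assigned membership (the MyEmailGroup example).
#    -MailNickname becomes the local part of the group address at the tenant's
#    default domain; "Unified" is the group type behind "Microsoft 365" in the portal.
$m365 = New-MgGroup -DisplayName "MyEmailGroup" `
                    -MailNickname "MyEmailGroup" `
                    -MailEnabled:$true `
                    -SecurityEnabled:$false `
                    -GroupTypes "Unified"

# 6. Add one assigned member. The cloud user's UPN is an assumption here.
$member = Get-MgUser -Filter "userPrincipalName eq 'acctuser@$domain'"
New-MgGroupMember -GroupId $m365.Id -DirectoryObjectId $member.Id

# 7. Security group with Dynamic membership: everyone whose city attribute is
#    Chicago. Dynamic groups require a Microsoft Entra ID P1 licence in the tenant,
#    and membership is evaluated asynchronously, so members can take a few
#    minutes to appear after the group is created or a user's attributes change.
$dyn = New-MgGroup -DisplayName "Chicago Users" `
                   -MailNickname "ChicagoUsers" `
                   -MailEnabled:$false `
                   -SecurityEnabled:$true `
                   -GroupTypes "DynamicMembership" `
                   -MembershipRule '(user.city -eq "Chicago")' `
                   -MembershipRuleProcessingState "On"

# 8. Review the rule and the resulting membership.
Get-MgGroup -GroupId $dyn.Id -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-MgGroupMember -GroupId $dyn.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```

One caveat worth keeping in mind with the dynamic rule: membership follows whatever is in the user's city attribute, so anyone who can edit that attribute (the user via self-service profile editing, or a helpdesk role with user write access) can place an account into the group. Only drive access-granting dynamic groups off attributes that are set by a trusted source such as the HR feed or the on-premises sync.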