AZ-500: Manage identity and access
Efficiently managing Azure Active Directory (Azure AD) is crucial for maintaining security and productivity within an organization. Here are some common tasks and the corresponding Azure CLI and PowerShell commands to help you perform them effectively.
Tasks and Corresponding Roles:
1. Task: Create a new user
- Role: User Administrator
2. Task: Invite an external guest
- Role: Guest Inviter
3. Task: Assign Microsoft Entra roles
- Role: Privileged Role Administrator
Log in to PowerShell
Install-Module -Name Az -AllowClobber -Force
Import-Module Az
Connect-AzAccount -DeviceCode
1. Create a New User (User Administrator)
Azure CLI:
az ad user create --display-name "John Doe" --user-principal-name johndoe@pswalia1ugmail.onmicrosoft.com --password MyStrongPassword123
PowerShell:
# New-AzADUser requires -MailNickname and takes the password as a SecureString
New-AzADUser -DisplayName "John Doe" -UserPrincipalName "johndoe@pswalia1ugmail.onmicrosoft.com" -MailNickname "johndoe" -Password (ConvertTo-SecureString "MyStrongPassword123" -AsPlainText -Force)
Assigning a role to a user:
Note: Azure CLI does not have functionality for assigning Entra ID roles. Therefore, I used the MG module in PowerShell.
# Login (device code flow). Of the scopes requested below, the commands in this post only need
# User.Read.All, User.Invite.All and RoleManagement.ReadWrite.Directory; the rest are broader than required.
Connect-MgGraph -Device -Scopes `
"User.Read.All", `
"User.Invite.All", `
"Directory.Read.All", `
"Directory.ReadWrite.All", `
"Group.Read.All", `
"Group.ReadWrite.All", `
"RoleManagement.Read.Directory", `
"RoleManagement.ReadWrite.Directory", `
"Application.Read.All", `
"Application.ReadWrite.All", `
"Policy.Read.All", `
"Policy.ReadWrite.ConditionalAccess", `
"DeviceManagementApps.Read.All", `
"DeviceManagementApps.ReadWrite.All", `
"DeviceManagementConfiguration.Read.All", `
"DeviceManagementConfiguration.ReadWrite.All", `
"IdentityProvider.Read.All", `
"IdentityProvider.ReadWrite.All", `
"Policy.ReadWrite.AccessReview", `
"SecurityEvents.Read.All", `
"SecurityEvents.ReadWrite.All"
#role id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"; $role.id
#user id
$user = Get-MgUser -UserId "johndoe@pswalia1ugmail.onmicrosoft.com"; $user.Id
#Role Assignment
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/"
2. Invite an External Guest (Guest Inviter)
PowerShell:
# Create and send the invitation
New-MgInvitation -InvitedUserEmailAddress "rasahsa@otpku.com" -InviteRedirectUrl "https://secdrivor.com/tools/pii_randomizer/" -SendInvitationMessage
3. Assign Microsoft Entra Roles (Privileged Role Administrator)
PowerShell:
#role id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Privileged Role Administrator'"; $role.id
#user id
$user = Get-MgUser -UserId "johndoe@pswalia1ugmail.onmicrosoft.com"; $user.Id
#Role Assignment
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/"
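The assignments above are made at the tenant-wide scope "/", so it is worth being able to see who holds such roles afterwards. The following function is an added example, not part of the original post; it assumes Connect-MgGraph has already been run with RoleManagement.Read.Directory and Directory.Read.All (both included in the login above) and that the cmdlet calls follow the same Microsoft Graph PowerShell module used in the post.

```powershell
# Added example: report the current holders of a set of highly privileged Entra ID roles,
# so assignments like the ones in this post can be reviewed for least privilege.
function Get-PrivilegedRoleHolders {
    param(
        # Roles to review: the two this post assigns plus Global Administrator. Extend as needed.
        [string[]]$RoleNames = @(
            'Global Administrator',
            'Privileged Role Administrator',
            'User Administrator'
        )
    )

    foreach ($name in $RoleNames) {
        # Resolve the role name to its definition id (same lookup the post uses)
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
        if (-not $def) { Write-Warning "Role '$name' not found"; continue }

        # Active assignments for this role definition (PIM-eligible assignments are not listed here)
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
            -Filter "roleDefinitionId eq '$($def.Id)'" -All

        foreach ($a in $assignments) {
            # Resolve the principal; users, groups and service principals all come back as
            # directory objects with their concrete type and attributes in AdditionalProperties
            $p = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
            [pscustomobject]@{
                Role         = $name
                Principal    = $p.AdditionalProperties['displayName']
                Upn          = $p.AdditionalProperties['userPrincipalName']
                Type         = $p.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
                Scope        = $a.DirectoryScopeId   # "/" means the entire tenant
                AssignmentId = $a.Id                 # needed to remove an assignment later
            }
        }
    }
}

# Usage: list holders, tenant-wide first, so "/" scoped groups and service principals stand out
Get-PrivilegedRoleHolders | Sort-Object Scope, Role, Principal | Format-Table -AutoSize
```

Any row whose Type is not "user", or whose Scope is "/" where an administrative unit would do, is a candidate for review.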
By mastering these commands, you can streamline your Azure AD management tasks, ensuring that your organization’s resources and users are managed efficiently and securely.