Identity services provide authentication and authorization to help protect your organizational resources and data. Over the years, Microsoft has implemented several such identity services: Active Directory Domain Services (AD DS), Azure Active Directory (Azure AD), and Azure AD Domain Services. The MD-102 exam primarily covers content that relates to Azure AD.
This skill covers how to:
- Implement user authentication on Windows devices, including Windows Hello for Business, passwordless, and tokens
- Manage role-based access control (RBAC) for Intune
- Register devices in and join devices to Azure AD
- Implement the Intune Connector for Active Directory
- Manage the membership of local groups on Windows devices
- Implement and manage Local Administrative Passwords Solution (LAPS) for Azure AD
Overview of identity solutions
Before we get into the specific content covered in the exam, it’s perhaps worth reviewing these identity providers. There are two identity providers you must be familiar with in the Endpoint Administrator role:
- AD DS: Windows Server role used to support identity in on-premises environments
- Azure AD: Cloud-based identity solution used to provide single sign-on (SSO) for cloud apps such as Microsoft 365 and Azure
A third identity provider, Azure AD Domain Services, is a managed Azure service that provides an identity solution that closely resembles the behavior of AD DS but runs in the cloud without needing Windows server computers configured as domain controllers. This identity solution is out of this course’s scope.
Need More Review? Implement Hybrid Identity with Windows Server
For more information about Azure AD Domain Services, refer to the Microsoft Learn website at https://learn.microsoft.com/training/modules/implement-hybrid-identity-windows-server.
Active Directory Domain Services
Detailed knowledge of Windows Server and AD DS is outside the scope of the MD-102 exam. However, it’s probably worth at least discussing the fundamentals of AD DS to help put Azure AD into context.
AD DS, commonly referred to as either Windows Active Directory or just Active Directory, is a role of associated services installed on Windows Servers. Windows Server installed with the AD DS role is a complex environment that has benefitted organizations for more than 20 years and has many legacy components necessary to support AD feature backward compatibility. AD DS has the following features:
- Hierarchical and granular, based on the X.500 standard.
- Implements Lightweight Directory Access Protocol (LDAP) for managing directory objects.
- Administrative ability is defined by group membership.
- Objects are stored in containers called organizational units (OUs) that represent the structure of your organization, as shown in Figure 2-1.
- Group Policy manages the administration of objects, as indicated in Figure 2-1.
FIGURE 2-1 Management tools on an Active Directory domain controller
- Kerberos protocol is primarily used for AD DS authentication.
- Computer objects represent computers that join an Active Directory domain.
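The X.500-style hierarchy and OU containment described above are encoded in every object's distinguished name (DN), which is what scripts and audit tooling usually have to parse when checking where an account or computer lives. The following is an added example, not code from the MD-102 text or from Microsoft: it parses DNs in RFC 4514 string form (including escaped commas and hex escapes), recovers the root-to-parent container chain, and tests whether an object sits inside a given OU. The sample DNs are constructed; contoso.com is Microsoft's documentation example domain.

```python
"""Parse AD DS distinguished names and recover an object's OU hierarchy.

Added example, not part of the MD-102 text. AD DS names every object with an
X.500-style distinguished name (RFC 4514 string form), so the containing OU
chain can be recovered from the DN alone. The sample DNs are constructed;
contoso.com is Microsoft's documentation example domain.
"""
from __future__ import annotations

from string import hexdigits


def _is_hex_pair(s: str) -> bool:
    return len(s) == 2 and all(c in hexdigits for c in s)


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas, keeping each RDN's escapes intact."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i : i + 2])  # escape sequence stays in the raw RDN
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def unescape_value(value: str) -> str:
    """Resolve RFC 4514 escapes: \\XX hex pairs (UTF-8 bytes) and \\<char>."""
    raw = bytearray()
    i, n = 0, len(value)
    while i < n:
        if value[i] == "\\" and i + 2 < n and _is_hex_pair(value[i + 1 : i + 3]):
            raw.extend(bytes.fromhex(value[i + 1 : i + 3]))
            i += 3
        elif value[i] == "\\" and i + 1 < n:
            raw.extend(value[i + 1].encode("utf-8"))
            i += 2
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return (attribute type, unescaped value) pairs, leaf first.

    Multi-valued RDNs (CN=a+SN=b) are rare in AD DS and not handled here.
    """
    rdns: list[tuple[str, str]] = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().upper(), unescape_value(value.strip())))
    return rdns


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (raw RDNs, escapes preserved)."""
    return ",".join(split_rdns(dn)[1:])


def container_chain(dn: str) -> list[str]:
    """Containers from the domain root down to the object's direct parent.

    The hierarchy is written right-to-left in a DN, so reversing the RDNs
    (minus the leaf) gives root-first order: DC, then OU after OU.
    """
    return [f"{a}={v}" for a, v in reversed(parse_dn(dn)[1:])]


def is_within(dn: str, container: str) -> bool:
    """True if `dn` sits in `container` or any OU nested beneath it.

    Comparison uses parsed, unescaped, case-folded RDNs, so differences in
    escape style or attribute-type casing do not produce false negatives.
    """
    obj = [(a, v.casefold()) for a, v in parse_dn(dn)]
    cont = [(a, v.casefold()) for a, v in parse_dn(container)]
    return bool(cont) and len(obj) > len(cont) and obj[-len(cont):] == cont


# Constructed sample objects: a user whose CN contains an escaped comma and
# a workstation in a sibling OU.
SAMPLE_USER = r"CN=Doe\, Jane,OU=Sales,OU=Corp,DC=contoso,DC=com"
SAMPLE_COMPUTER = "CN=WS-0042,OU=Workstations,OU=Corp,DC=contoso,DC=com"
SALES_OU = "ou=sales,ou=corp,dc=contoso,dc=com"


if __name__ == "__main__":
    for dn in (SAMPLE_USER, SAMPLE_COMPUTER):
        print(dn)
        print("  parent   :", parent_dn(dn))
        print("  hierarchy:", " > ".join(container_chain(dn)))
        print("  in Sales :", is_within(dn, SALES_OU))
```

Because delegated administration and Group Policy in AD DS are both scoped to OUs, a check like `is_within` is the building block for verifying that an account or computer is where a policy expects it to be; comparing DNs as raw strings instead (without unescaping and case-folding) silently misclassifies names that contain escaped characters or differ only in casing.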
Note Joining an AD DS Domain
Only computers running the Windows operating system can be domain-joined.