From the course: Deploying Microsoft Entra ID
Directory roles
- [Instructor] Now, let's talk about directory roles. There are three types of roles in Azure AD: a global administrator role, a user role, and a limited administrator role. If I had to compare this to the on-premises roles in Windows Server Active Directory, then global administrator in Azure AD is roughly equivalent to an enterprise administrator. A simple user is equivalent to a domain user, and the limited administrator is equivalent to the other sub-administrator roles we have.

A global administrator role in Azure AD is the most powerful role. It has 100% access to all objects and settings in the tenant. I'd recommend that you have at least two global administrators for redundancy and no more than three in a small to medium-sized business, because more administrators can mean more chaos. So it's best to keep that number to a minimum, but at the same time also ensure redundancy just in case one admin is taking a day off or is on vacation. This applies only to the global administrator role.

Then, a user role in Azure AD, as you can imagine, is just a regular user with almost no administrative privileges, kind of like domain users on-prem. By default, all new users in Azure, both hybrid and native, will be assigned this role. If a person was an administrator on-premises and that account was synchronized to Azure, this does not mean they will retain their administrative privileges in the cloud. They will have to be explicitly given those privileges they need in Azure AD.

The third role, or should I say a collection of roles, is the limited administrator roles. As you can guess, these roles confine the scope of the administrative privilege to specific tasks or resources only, and not the entire tenant. There are several of these built-in limited administrator roles in Azure, which we will explore shortly in the demo.

So how this works is that all new users, native or hybrid, are assigned the user role by default. Out of them, you first assign the global administrator role to yourself. That's, of course, assuming that you were an enterprise administrator on-premises. Then, as I said, assign the global administrator role to another suitable member of your IT team. Make sure you know and account for each global administrator role. There are two additional accounts that also have the same level of privilege. One, the Microsoft account that was used to sign up for this Azure subscription; that has global privileges, being the first account in the tenant. And then, the service account you created in Azure AD for AD Connect synchronization. It is very important, and I cannot emphasize this enough, to keep all of them super secure. Once you have assigned your actual account the required administrative privileges, keep the Microsoft account aside, only to be used in case of emergencies, not daily use. Same goes with the service account.

After that, we go to the catalog of limited administrator roles and assign relevant ones to other individuals in the organization. Some roles may be assigned to just one user, while others to more than one. It's flexible. If you do not find a role that suits your exact requirement, you can also create a custom directory role that allows you to be granular in terms of the permission assignment. After you create that custom role, you can then use it and assign it to any user, just like other administrative roles. The rest of the users simply remain standard users with little or no administrative privileges whatsoever. That's usually the majority of the employees.
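The redundancy guidance above (at least two Global Administrators, no more than three in a small to medium tenant, with the sign-up Microsoft account and the AD Connect service account kept aside for emergencies) is easy to drift from over time, so here is an added audit example, written for this page and not part of the course or Microsoft's tooling. It assumes you have already pulled the role membership from Microsoft Graph (`/directoryRoles/{id}/members`) into a simple in-memory structure; the tenant, account names and reserved-account list below are constructed for illustration.

```python
"""Audit Global Administrator holders against the transcript's guidance:
2-3 daily-use holders, with the break-glass Microsoft account and the
AD Connect sync account excluded from that count and reported separately.

Added example, not the course's own code. The role listing is constructed
inline to stand in for what Microsoft Graph returns from
/directoryRoles/{id}/members; every account name here is hypothetical."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RoleMember:
    upn: str
    enabled: bool   # maps to accountEnabled in Graph
    synced: bool    # maps to onPremisesSyncEnabled: True = hybrid, False = cloud-only


# Constructed sample tenant (hypothetical names and roles).
SAMPLE_ROLES = {
    "Global Administrator": [
        RoleMember("alice@contoso.example", enabled=True, synced=True),
        RoleMember("bob@contoso.example", enabled=True, synced=True),
        RoleMember("breakglass@contoso.example", enabled=True, synced=False),
        RoleMember("Sync_SERVER01_1a2b3c@contoso.example", enabled=True, synced=False),
    ],
    "User Administrator": [
        RoleMember("carol@contoso.example", enabled=True, synced=True),
    ],
}

# Accounts that hold global-level privilege but must stay out of daily use:
# the Microsoft account that created the tenant (break-glass) and the
# AD Connect service account. Constructed for this example.
RESERVED_ACCOUNTS = {
    "breakglass@contoso.example",
    "Sync_SERVER01_1a2b3c@contoso.example",
}


def audit_global_admins(roles, reserved, minimum=2, maximum=3):
    """Split Global Administrator holders into daily-use and reserved sets and
    return policy findings. A disabled holder does not count toward redundancy
    but still holds the role, so it is flagged for cleanup."""
    holders = roles.get("Global Administrator", [])
    daily_use = sorted(m.upn for m in holders if m.upn not in reserved and m.enabled)
    reserved_present = sorted(m.upn for m in holders if m.upn in reserved)
    findings = []

    if len(daily_use) < minimum:
        findings.append(
            f"only {len(daily_use)} active daily-use Global Administrator(s); "
            f"need at least {minimum} for redundancy"
        )
    if len(daily_use) > maximum:
        findings.append(
            f"{len(daily_use)} daily-use Global Administrators exceeds the "
            f"{maximum} recommended for a small/medium tenant"
        )
    for m in holders:
        if not m.enabled:
            findings.append(
                f"{m.upn} holds Global Administrator but is disabled; "
                f"remove the role or re-enable it deliberately"
            )

    return {
        "daily_use": daily_use,
        "reserved": reserved_present,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_global_admins(SAMPLE_ROLES, RESERVED_ACCOUNTS)
    print("daily-use Global Administrators:", report["daily_use"])
    print("reserved (emergency/service) holders:", report["reserved"])
    for finding in report["findings"] or ["no findings"]:
        print("-", finding)
```

In practice you would replace `SAMPLE_ROLES` with the members returned by Graph for each directory role and keep `RESERVED_ACCOUNTS` in a reviewed list, so that the break-glass and sync accounts are tracked explicitly rather than silently inflating the administrator count.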