Lesson 5 Enable End-User Self-Service

The document discusses enabling end-user self-service in Azure Active Directory. It provides instructions on deploying Azure AD features like users, groups, and passwordless authentication. It also covers how to create and manage user and group accounts, assign licenses, set up guest users, and enable passwordless authentication options.


Lesson 5 Enable end-user self-service

© Copyright Microsoft Corporation. All rights reserved.

1
Deploy Azure AD features: users, groups,
administrative units, passwordless authentication


2
User Accounts
• To view the Azure AD users, access the All users blade
• Azure AD defines users in three ways:
• Cloud identities
• Directory-synchronized identities
• Guest users

©Microsoft Corporation
Azure

3
Create and Manage Users (1 of 3)
Adding users:
• Synchronizing users from Windows Server Active Directory
• Manually creating users by using the Azure portal


4
Create and Manage Users (2 of 3)

Creating a User…


5
Create and Manage Users (3 of 3)

Inviting a user…


6
5/24/2022 1:16 PM

Manage User Accounts

• Must be Global Administrator or User Administrator to manage users
• User profile (picture, job, contact info) is optional
• Deleted users can be restored for 30 days
• Sign-in and audit log information is available


Add or delete users using Azure Active Directory - https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory

7

Perform bulk account updates

• Azure AD supports bulk user and group member updates
• Create the comma-separated values (CSV) template you can download from the Portal
• Must be signed in as a Global administrator or User administrator


The latest JTA (Jan 2022) now states, Perform bulk updates. Previously this was just bulk user accounts.

Bulk create users in Azure Active Directory - https://docs.microsoft.com/azure/active-directory/users-groups-roles/users-bulk-add
Bulk add group members in Azure Active Directory - https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-bulk-import-members

✔ Establish or implement a naming convention for usernames, display names and aliases. The password for the new users needs to conform to the password complexity rules you have set for your directory. User parameters include User Principal Name, Display Name, Given Name, Department, and Job Title.
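To make the naming-convention and password-policy advice above concrete, here is an added Go program that builds the bulk-create CSV from an HR list before it is uploaded. It is example code written for this page, not Microsoft's tooling or the portal template itself: the column names, the `version:v1.0` marker, and the complexity rule (8 to 256 characters, three of the four character classes) are assumptions to check against the template your tenant actually downloads and the password policy you have set.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
	"unicode"
)

// Employee is one HR-side input record (constructed sample data, not from any tenant).
type Employee struct {
	GivenName, Surname, Department, JobTitle, InitialPassword string
}

// ASSUMPTION: these column names mirror the bulk-create template downloaded from the
// Azure portal; compare with your tenant's template before uploading.
var templateHeader = []string{
	"Name [displayName] Required",
	"User name [userPrincipalName] Required",
	"Initial password [passwordProfile] Required",
	"Block sign in (Yes/No) [accountEnabled] Required",
	"First name [givenName]",
	"Last name [surname]",
	"Job title [jobTitle]",
	"Department [department]",
}

// BuildUPN applies the naming convention given.surname@domain in lower case, dropping
// anything that is not a letter or digit so the UPN is always well formed.
func BuildUPN(given, surname, domain string) string {
	clean := func(s string) string {
		var b strings.Builder
		for _, r := range strings.ToLower(s) {
			if unicode.IsLetter(r) || unicode.IsDigit(r) {
				b.WriteRune(r)
			}
		}
		return b.String()
	}
	return clean(given) + "." + clean(surname) + "@" + domain
}

// PasswordMeetsPolicy enforces the complexity rule ASSUMED for this directory:
// 8 to 256 characters and at least three of lower, upper, digit and symbol.
func PasswordMeetsPolicy(pw string) bool {
	if n := len([]rune(pw)); n < 8 || n > 256 {
		return false
	}
	classes := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			classes["lower"] = true
		case unicode.IsUpper(r):
			classes["upper"] = true
		case unicode.IsDigit(r):
			classes["digit"] = true
		default:
			classes["symbol"] = true
		}
	}
	return len(classes) >= 3
}

// BuildBulkCSV validates every record, rejects UPN collisions and weak initial
// passwords, and returns the CSV text for the portal's bulk create upload.
// The leading "version:v1.0" line is ASSUMED to match the template's version marker.
func BuildBulkCSV(employees []Employee, domain string) (string, error) {
	var buf bytes.Buffer
	buf.WriteString("version:v1.0\n")
	w := csv.NewWriter(&buf)
	if err := w.Write(templateHeader); err != nil {
		return "", err
	}
	seen := map[string]bool{}
	for _, e := range employees {
		upn := BuildUPN(e.GivenName, e.Surname, domain)
		if seen[upn] {
			return "", fmt.Errorf("duplicate UPN %s: the naming convention needs a collision rule", upn)
		}
		seen[upn] = true
		if !PasswordMeetsPolicy(e.InitialPassword) {
			return "", fmt.Errorf("initial password for %s violates the directory password policy", upn)
		}
		// Block sign in = "No" so the account is usable as soon as it is created.
		row := []string{e.GivenName + " " + e.Surname, upn, e.InitialPassword, "No",
			e.GivenName, e.Surname, e.JobTitle, e.Department}
		if err := w.Write(row); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	staff := []Employee{ // constructed sample input
		{"Ana", "Silva", "Finance", "Analyst", "Tmp!Start2022"},
		{"Li", "Wei", "IT", "Engineer", "Tmp!Start2023"},
	}
	out, err := BuildBulkCSV(staff, "contoso.example")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(out)
}
```

The validation runs before anything reaches the directory, so a collision in the naming convention or a password that would be rejected shows up as a failed build rather than as a partially applied bulk job.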

8

Create Group Accounts

Group Types:
• Security groups
• Microsoft 365 groups

Assignment Types:
• Assigned
• Dynamic User
• Dynamic Device (Security groups only)


Manage app and resource access using Azure Active Directory groups –
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups

Quickstart: View your organization's groups and members in Azure Active Directory -
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal

✔ Have you given any thought to which groups you need to create? How will you assign users to groups?

9
Assign Licenses to Users and Groups

Microsoft Azure is a cloud service that provides many built-in services for free.
• Azure AD comes as a free service
• Gain additional Azure AD functionality with a P1 or P2 license

Additional services (like Office 365) are paid cloud services:
• Microsoft paid cloud services require licenses
• Licenses are assigned to those who need access to the services
• Each user or group requires a separate paid license
• Administrators use management portals and PowerShell cmdlets to manage licenses


Assign or remove licenses in the Azure Active Directory portal - https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups
Choose the best license for your business - https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing?rtc=1#office-SKUChooser-q6q98uk

Take a minute to show in the Portal the basic licensing tasks. This topic is not in the student content.

10
Prerequisites for Guest Users in Azure AD
• You can invite anyone to collaborate with your organization by adding them to your directory as a guest user.
• Guest users can sign in with their own work, school, or social identities.
• To test guest-related scenarios, you need:
  • An Azure AD user with a role that allows creating user accounts
  • A valid email account


11
Add Guest Users to Azure AD
Sign into Azure portal and add a guest user


12
Assign an App to a Guest User
Add the Active Directory for GitHub Enterprise app to your test tenant and assign
the test guest user to the app.


13
Accept the Guest User Invite

• Sign in to your test guest user's email account
• In the inbox, locate the "You're invited" email
• In the email body, select Get Started
• Select Accept Invitation


14

Passwordless

Log in without using a password, ever.
• Increased security
• Better user experience
• More insights with logs and audits

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key
Passwordless launch blog - Passwordless authentication is now generally available! - Microsoft Tech Community

Microsoft offers three passwordless authentication options that cover many scenarios. These methods
can be used in tandem:
• Windows Hello for Business is best for users on their dedicated Windows computers.
• Security key sign-in with FIDO2 security keys is especially useful for users who sign in to shared
machines like kiosks, in situations where use of phones is restricted, and for highly privileged
identities.
• Phone sign-in with the Microsoft Authenticator app is useful for providing a passwordless option to
users with mobile devices. The Authenticator app turns any iOS or Android phone into a strong,
passwordless credential by allowing users to sign in to any platform or browser. Users sign in by
getting a notification on their phone, matching a number displayed on the screen to the one on their
phone, and then using their biometric data or PIN to confirm.
• FIDO2 smartcards and Temporary Access Pass are both in preview.

Benefits of passwordless authentication

• Increased security - Reduce the risk of phishing and password spray attacks by removing passwords
as an attack surface.
• Better user experience - Give users a convenient way to access data from anywhere. Provide easy
access to applications and services such as Outlook, OneDrive, or Office while mobile.
• Robust insights - Gain insights into users' passwordless activity with robust logging and auditing.

15
Authentication Method strength and security


Authentication methods and features - Azure Active Directory | Microsoft Docs

How each authentication method works


Some authentication methods can be used as the primary factor when you sign into an application or
device, such as using a FIDO2 security key or a password. Other authentication methods are only
available as a secondary factor when you use Azure AD Multi-Factor Authentication or SSPR.

To learn more about how each authentication method works, see the following separate conceptual
articles:
• Windows Hello for Business
• Microsoft Authenticator app
• FIDO2 security key
• OATH hardware tokens (preview)
• OATH software tokens
• SMS sign-in and verification
• Voice call verification

Authentication Method and its Security versus Usability


• Windows Hello for Business – Secure / Convenient / Easily available
• Microsoft Authenticator App – Secure / Convenient / Easily available
• FIDO2 security keys – Secure / Convenient / Little harder to get but still available
• OATH hardware tokens – Somewhat secure / Usable / Easily available
• SMS – Somewhat secure / Easy to use (requires an extra device and keying in data) / Easily available
• Voice – Somewhat secure / Somewhat usable / Somewhat available
• Password – Not secure / Very convenient / Always available

16
What is FIDO2?

• FIDO2 security keys are an unphishable, specification-based passwordless authentication method that can come in any form factor
• Fast Identity Online (FIDO) is an open specification for passwordless authentication
• FIDO allows users and organizations to leverage the specification to sign in to their resources without a username or password using an external security key or a platform key built into a device


FIDO2: Moving the World Beyond Passwords using WebAuthn & CTAP (fidoalliance.org)

The FIDO (Fast IDentity Online) Alliance helps to promote open authentication specifications and reduce the
use of passwords as a form of authentication. FIDO2 is the latest specification that incorporates the web
authentication (WebAuthn) specification.

Users can register and then select a FIDO2 security key at the sign-in interface as their main means of
authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC. With
a hardware device that handles the authentication, the security of an account is increased as there's no
password that could be exposed or guessed.

FIDO2 security keys can be used to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices
and get single-sign on to their cloud and on-premises resources. Users can also sign in to supported browsers.
FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or
employees who aren't willing or able to use their phone as a second factor.

The following process is used when a user signs in with a FIDO2 security key:

1. The user plugs the FIDO2 security key into their computer.
2. Windows detects the FIDO2 security key.
3. Windows sends an authentication request.
4. Azure AD sends back a nonce.
5. The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave.
6. The FIDO2 security key signs the nonce with the private key.
7. The primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
8. Azure AD verifies the signed nonce using the FIDO2 public key.
9. Azure AD returns the PRT to enable access to on-premises resources.
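The nonce exchange in steps 4 to 9 is what makes the key unphishable: the key only ever signs a fresh challenge issued for this sign-in, so a captured signature is useless afterwards and nothing reusable crosses the wire. The Go program below is an added model of that exchange written for this page; it is not Microsoft's implementation and not the CTAP/WebAuthn wire format. It uses an ECDSA P-256 key pair as a stand-in for the FIDO2 credential, and the `Authenticator`, `IdentityProvider`, `IssueNonce` and `VerifyAssertion` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the security key: the private key is generated inside it
// and never exported, and it refuses to sign until the user gesture has been made.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, common for FIDO2 keys
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is what the key hands over at registration time.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// SignNonce covers steps 5 and 6: the gesture unlocks the key, which signs the nonce.
func (a *Authenticator) SignNonce(gestureDone bool, nonce []byte) ([]byte, error) {
	if !gestureDone {
		return nil, errors.New("user gesture not completed: private key stays locked")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// IdentityProvider stands in for Azure AD: registered public keys and outstanding nonces.
type IdentityProvider struct {
	registered map[string]*ecdsa.PublicKey // user -> public key stored at registration
	pending    map[string]bool             // nonces issued and not yet consumed
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{registered: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

func (idp *IdentityProvider) Register(user string, pub *ecdsa.PublicKey) { idp.registered[user] = pub }

// IssueNonce is step 4: a fresh random challenge the provider remembers so that it can
// be accepted exactly once.
func (idp *IdentityProvider) IssueNonce() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	idp.pending[string(nonce)] = true
	return nonce, nil
}

// VerifyAssertion is step 8. It returns true only when the nonce was issued here and has
// not been used before, and the signature verifies under the key registered for the
// user; that is the condition for issuing the PRT in step 9.
func (idp *IdentityProvider) VerifyAssertion(user string, nonce, sig []byte) bool {
	if !idp.pending[string(nonce)] {
		return false // unknown nonce, or a replay of one already consumed
	}
	delete(idp.pending, string(nonce))
	pub, ok := idp.registered[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key, _ := NewAuthenticator()
	idp := NewIdentityProvider()
	idp.Register("alice", key.PublicKey())
	nonce, _ := idp.IssueNonce()
	sig, _ := key.SignNonce(true, nonce)
	fmt.Println("first assertion accepted:", idp.VerifyAssertion("alice", nonce, sig))
	fmt.Println("replayed assertion accepted:", idp.VerifyAssertion("alice", nonce, sig))
}
```

Two properties are worth checking when reading it: the nonce is deleted before the signature is checked, so a second presentation of the same assertion fails even if the signature is still mathematically valid, and the verifier only ever consults the public key it stored at registration, so a signature from any other key is rejected for that user.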

17
Implement Self-Service Password Reset


18
Self-service password reset (SSPR) in Azure AD

Benefits of Self-service password reset:
• Administrators can change settings to accommodate new security requirements.
• It saves the organization money by reducing the number of calls and requests to help desk staff.
• It increases productivity, allowing the user to return to work faster.

Self-service password reset works in the following scenarios:
• Password change
• Password reset
• Account unlock

Authentication methods of SSPR:
• Mobile app notification
• Mobile app code
• Email
• Mobile phone
• Office phone
• Security questions


Self-service password reset (SSPR) is a feature of Azure AD that allows users to change or reset their
password, without administrator or help desk involvement.

If a user's account is locked or they forget the password, they can follow a prompt to reset it and get
back to work. Self-service password reset has several benefits:
• Administrators can change settings to accommodate new security requirements and
roll these changes out to users without disrupting their sign-in.
• It saves the organization money by reducing the number of calls and requests to help desk staff.
• It increases productivity, allowing the user to return to work faster.

Self-service password reset works in the following scenarios:


•Password change: when a user knows their password but wants to change it to something new.
•Password reset: when a user can't sign in, such as when they forget the password, and want to reset it.
•Account unlock: when a user can't sign in because their account is locked out.

To use self-service password reset, users must be:


•Assigned an Azure AD license. See Licensing requirements for Azure Active Directory self-service
password reset in the Learn More section below.
•Enabled for SSPR by an administrator.
•Registered, with the authentication methods they want to use. Two or more authentication methods are
recommended in case one is unavailable.

The following authentication methods are available for SSPR:
• Mobile app notification
• Mobile app code
• Email
• Mobile phone
• Office phone
• Security questions

When a user resets their password using self-service password reset, it can also be written back to an on-
premises Active Directory. Password write-back allows users to use their updated credentials with on-
premises devices and applications without a delay.

To keep users informed about account activity, admins can configure email notifications to be sent when
an SSPR event happens. These notifications can cover both regular user accounts and admin accounts.
For admin accounts, this notification provides an extra layer of awareness when a privileged
administrator account password is reset using SSPR. All global admins would be notified when SSPR is
used on an admin account.

19
Azure AD self-service password reset

Users can reset their own password

No admin / IT intervention

Reduces the loss of user productivity

Reduces helpdesk efforts

Users must be enrolled first

Requires an assigned license

Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset
their password, with no administrator or help desk involvement. If a user's account is locked or they forget their
password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk
calls and loss of productivity when a user can't sign in to their device or an application.

How does the password reset process work?


A user can reset or change their password using the SSPR portal. They must first have registered their desired
authentication methods. When a user accesses the SSPR portal, the Azure platform considers the following
factors:
• How should the page be localized?
• Is the user account valid?
• What organization does the user belong to?
• Where is the user's password managed?
• Is the user licensed to use the feature?

When a user selects the Can't access your account link from an application or page, or goes directly to
https://aka.ms/sspr, the language used in the SSPR portal is based on the following options:
• By default, the browser locale is used to display the SSPR in the appropriate language. The password reset
experience is localized into the same languages that Microsoft 365 supports.
• If you want to link to the SSPR in a specific localized language, append ?mkt= to the end of the password
reset URL along with the required locale.
• For example, to specify the Spanish es-us locale, use ?mkt=es-us -
https://passwordreset.microsoftonline.com/?mkt=es-us.

After the SSPR portal is displayed in the required language, the user is prompted to enter a user ID and pass a captcha. Azure AD now verifies that the user is able to use SSPR by doing the following checks:
• Checks that the user has SSPR enabled and is assigned an Azure AD license.
  o If the user isn't enabled for SSPR or doesn't have a license assigned, the user is asked to contact their administrator to reset their password.
• Checks that the user has the right authentication methods defined on their account in accordance with administrator policy.
  o If the policy requires only one method, check that the user has the appropriate data defined for at least one of the authentication methods enabled by the administrator policy.
    o If the authentication methods aren't configured, the user is advised to contact their administrator to reset their password.
  o If the policy requires two methods, check that the user has the appropriate data defined for at least two of the authentication methods enabled by the administrator policy.
    o If the authentication methods aren't configured, the user is advised to contact their administrator to reset their password.
  o If an Azure administrator role is assigned to the user, then the strong two-gate password policy is enforced. For more information, see Administrator reset policy differences.
• Checks to see if the user's password is managed on-premises, such as if the Azure AD tenant is using federated, pass-through authentication, or password hash synchronization:
  o If SSPR writeback is configured and the user's password is managed on-premises, the user is allowed to proceed to authenticate and reset their password.
  o If SSPR writeback isn't deployed and the user's password is managed on-premises, the user is asked to contact their administrator to reset their password.

If all of the previous checks are successfully completed, the user is guided through the process to reset or change their password.
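To make the gate checks above concrete, here is an added Go model of the decision logic. It is example code written for this page, not Azure AD's implementation; the `SSPRPolicy`, `User` and `EvaluateSSPR` names and the method labels are its own assumptions. It covers the cases the notes single out: a method the user registered but the administrator has not enabled does not count toward the requirement, an administrator role forces the two-method requirement whatever the tenant setting says, and a password managed on-premises without writeback stops the flow before any reset is attempted.

```go
package main

import "fmt"

// Method is an assumed label for one of the SSPR authentication methods in the notes.
type Method string

// SSPRPolicy is the administrator's tenant configuration.
type SSPRPolicy struct {
	EnabledMethods      []Method // methods users may use for SSPR
	MethodsRequired     int      // 1 or 2 methods needed to reset
	WritebackConfigured bool     // password writeback to on-premises AD deployed
}

// User is the account under evaluation.
type User struct {
	SSPREnabled        bool
	Licensed           bool     // assigned an Azure AD license that covers SSPR
	RegisteredMethods  []Method // methods with data defined on the account
	IsAdmin            bool     // any Azure AD administrator role assigned
	PasswordOnPremises bool     // federated, pass-through or password hash sync managed
}

type Decision struct {
	Allowed bool
	Reason  string
}

// usableMethods counts registered methods that the policy actually enables; a method
// the user registered but the administrator disabled does not count.
func usableMethods(u User, p SSPRPolicy) int {
	enabled := map[Method]bool{}
	for _, m := range p.EnabledMethods {
		enabled[m] = true
	}
	n := 0
	for _, m := range u.RegisteredMethods {
		if enabled[m] {
			n++
		}
	}
	return n
}

// EvaluateSSPR runs the gate checks in the order the notes describe and returns the
// outcome the user would see.
func EvaluateSSPR(u User, p SSPRPolicy) Decision {
	const contactAdmin = "contact your administrator to reset your password"
	if !u.SSPREnabled || !u.Licensed {
		return Decision{false, "not enabled for SSPR or no license assigned: " + contactAdmin}
	}
	required := p.MethodsRequired
	if u.IsAdmin {
		// Administrator roles get the two-gate policy regardless of the tenant setting
		// (the real admin policy also excludes security questions; not modelled here).
		required = 2
	}
	if usableMethods(u, p) < required {
		return Decision{false, fmt.Sprintf("fewer than %d policy-enabled methods registered: %s", required, contactAdmin)}
	}
	if u.PasswordOnPremises && !p.WritebackConfigured {
		return Decision{false, "password managed on-premises without writeback: " + contactAdmin}
	}
	return Decision{true, "proceed to authenticate and reset or change the password"}
}

func main() {
	policy := SSPRPolicy{EnabledMethods: []Method{"mobileAppNotification", "email", "mobilePhone"}, MethodsRequired: 1}
	fmt.Println(EvaluateSSPR(User{SSPREnabled: true, Licensed: true, RegisteredMethods: []Method{"email"}}, policy))
	fmt.Println(EvaluateSSPR(User{SSPREnabled: true, Licensed: true, RegisteredMethods: []Method{"email"}, IsAdmin: true}, policy))
}
```

The ordering matters for what the user is told: licensing and enablement are checked first, so a hybrid user with no writeback is still told about the missing methods before the on-premises condition is reached, exactly as the notes sequence it.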

20
Enable Azure AD Self-Service Password Reset
Prerequisites:
• A working Azure AD tenant with a Premium license
• A user with the Global Administrator role
• A non-privileged test user
• A group that the test user is a member of
Enable self-service password reset:
• via the Azure Portal
Select authentication methods and
registration options:
• Mobile app notification
• Mobile app code
• Email
• Mobile phone
• Office phone
Configure notifications and customizations

21
Self-Service Password Reset
SSPR Authentication methods:
• Mobile app code
• Email
• Mobile phone
• Office phone
• Security questions


22
Test Self-Service Password Reset
With SSPR enabled and configured, test the SSPR process as the test
user


23
SSPR Licensing options

| Feature | Azure AD Free | Microsoft 365 Business Standard | Microsoft 365 Business Premium | Azure AD Premium P1 or P2 |
| --- | --- | --- | --- | --- |
| Cloud-only user password change (when a user in Azure AD knows their password and wants to change it) | ● | ● | ● | ● |
| Cloud-only user password reset (when a user in Azure AD has forgotten their password) | | ● | ● | ● |
| Hybrid user password change or reset with on-prem writeback (when a user in Azure AD that's synchronized from an on-premises directory using Azure AD Connect) | | | ● | ● |


License self-service password reset - Azure Active Directory | Microsoft Docs

24
Self-Service Password Reset (SSPR) Writeback

Password writeback offers the following benefits:
• Enforcement of Active Directory Domain Services (AD DS) password policies
• Zero-delay feedback
• Support for password changes from the Access Panel and Office 365
• Support for password writeback when an admin resets the password from the Azure portal
• No need for opening inbound ports on the edge firewall


25
Implement Self-Service Group Management
and Access Review


26
Self-service group membership defaults
 When security groups are created in the Azure portal or using Azure AD PowerShell, only the group's owners can update membership
 Security groups created by self-service in the Access panel My Groups and all Microsoft 365 groups are available to join for all users, whether owner-approved or auto-approved.
 Self-service group management scenarios
 o Delegated group management
 o Self-service group management

27
Make a group available for user self-service
An Azure Active Directory Premium (P1 or P2) license is required for users to request to join a security group or
Microsoft 365 group and for owners to approve or deny membership requests

28

Access Reviews
Enable organizations to recertify group memberships, application access, and privileged role assignments

• Evaluate guest user access
• Evaluate employee access to applications and group membership
• Track reviews for compliance or risk-sensitive applications
• Evaluate the role assignment of administrative users (PIM)
• Premium P2 license – Global admins and User Admins

What are Azure AD access reviews? - https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Why are Access Reviews important?

As new employees join,
• how do you ensure they have the right access to be productive?
As people move teams or leave the company,
• how do you ensure their old access is removed, especially when it involves guests?
Excessive access rights can lead to audit findings and compromises, as they indicate a lack of control over access. You must proactively engage with resource owners to ensure they regularly review who has access to their resources.

Why use Access Reviews?
• Too many users in privileged roles
• When automation is infeasible
• When a group is used for a new purpose
• Business critical data access
• Ask group owners to confirm they still need guests in their groups
• Have reviews recur periodically

29
When should you use access reviews?

• Too many users in privileged roles
• When automation is not possible
• When a group is used for a new purpose
• To maintain a policy's exception list
• Ask group owners to confirm they still need guests in their groups

30
More details for Azure AD Access Reviews

 Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group
memberships, access to enterprise applications, and role assignments

 User's access can be reviewed on a regular basis to make sure only the right people have continued access

 What are Azure AD Access Reviews? (video): https://youtu.be/kDRjQQ22Wkk

 Depending on what you want to review, you will create your access review in Azure AD access reviews, Azure
AD enterprise apps (in preview), or Azure AD PIM.

 Using this feature requires an Azure AD Premium P2 license

 Conduct an Azure AD Access Review

31
What is Security Crisis and Response Exercise


32
What is Security Crisis and Response Exercise
 The Security Crisis and Response Exercise provides a unique offering to customers via a 2-day custom,
interactive classroom experience on understanding security crisis situations and how to respond in the event
of a cybersecurity incident.
 Microsoft Cybersecurity Solutions Group allows DART to provide onsite reactive incident response and
remote proactive investigations. Members of the elite incident response team at Microsoft, the Detection and
Response Team (DART) delivers the exercise as a proactive readiness training with the objective of helping
our customers prepare for incident response through practice exercises.
 The simulation is based on real-life scenarios from recent cybersecurity incidents.
 The exercise focuses on topics such as Ransomware, Office 365 compromises, and compromises via
industry-specific malware via complex backdoor software.
 Each scenario covers the key areas of cybersecurity: Identify, Protect, Detect, Respond, and Recover and
covers a broad eco-system including supply chain vulnerabilities such as software vendors, IT service
vendors, and hardware vendors.

33
What are the benefits?
 With the Security Crisis and Response Exercise, your teams will receive tactical and strategic
recommendations and knowledge of the current cloud-centric threat landscape

 DART experts will detail relevant, recent case studies, including how the incidents occurred, the
impact on the organizations, and where even the smallest missteps created opportunities for
attackers.

 The scenarios that will be covered during the 2-day exercise include:
o Ransomware
o O365 & Azure Intrusions
o Internal APT compromise
o Industry-specific commodity malware, such as trojans (e.g. banking trojans)
o CPU-related vulnerabilities (e.g. Spectre/Meltdown)

34
How does the Security Crisis and Response Exercise work?
 The first day of the 2-day simulation:
o Includes a walk through of the chosen scenario, where the instructor details operational,
logistical, and technical details of an anonymized security event.
o The customer will leave this phase of the simulation with a better understanding of the
indicators of compromise and the tactics of attackers for the scenario.
 The second day of the exercise:
o walks customers through the simulation once more but utilizes the customer’s own security
and IT processes to determine the likely impact for the customer’s own organization.
o During each stage of the simulation, we will discuss the capabilities and skill sets required to
limit organizational impact of a potential compromise.
Microsoft Detection and Response Team (DART)
https://www.microsoft.com/en-us/msrc/cdoc

35
Azure Information Protection Fundamentals


36
Azure AD Identity Protection explained

Self-remediation workflow

Administrator remediation workflow


37

Azure AD Identity Protection Features

• Automate the detection and remediation of identity-based risks
• Investigate risks using data in the portal
• Export risk detection data to third-party utilities for further analysis

What is Azure Active Directory Identity Protection? - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

Azure Active Directory Identity Protection includes three default policies that administrators can choose to enable.
These policies include limited customization but are applicable to most organizations. All of the policies allow for
excluding users such as your emergency access or break-glass administrator accounts.

Administrators can also choose to create a custom Conditional Access policy including sign-in risk as an assignment
condition.

38

Risk Events

Each detected suspicious action is stored in a record called a risk event:
• Leaked credentials
• Sign-in from anonymous IP addresses
• Impossible travel to atypical locations
• Sign-in from unfamiliar locations
• Sign-ins from infected devices
• Sign-ins from IP addresses with suspicious activity

Azure Active Directory risk detections - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events

Currently, Azure Active Directory detects six types of risk detections:


• Users with leaked credentials - When cybercriminals compromise valid passwords of legitimate users, they often
share those credentials.
• Sign-ins from anonymous IP addresses - This risk detection type identifies users who have successfully signed in
from an IP address that has been identified as an anonymous proxy IP address.
• Impossible travel to atypical locations - This risk detection type identifies two sign-ins originating from
geographically distant locations, where at least one of the locations may also be atypical for the user, given
past behavior.
• Sign-ins from infected devices - This risk detection type identifies sign-ins from devices infected with malware,
that are known to actively communicate with a bot server.
• Sign-in from unfamiliar locations - This risk detection type considers past sign-in locations (IP, Latitude /
Longitude and ASN) to determine new / unfamiliar locations.
• Sign-ins from IP addresses with suspicious activity - This risk detection type identifies IP addresses from which a
high number of failed sign-in attempts were seen, across multiple user accounts, over a short period of time.
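Two of these detections can be reasoned about directly from raw sign-in logs: impossible travel and suspicious IP activity. The Go program below is an added example written for this page, not Microsoft's detection engine (whose thresholds and behavioural baselines are not published), and it runs both detections over constructed sign-in records: impossible travel as an implied-speed check between a user's consecutive successful sign-ins, and suspicious IP activity as many failures across many distinct accounts from one address inside a short window. The 900 km/h speed limit and the "5 failures across 3 accounts within 10 minutes" window are assumed thresholds, as are the `SignIn` and `Detection` names.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// SignIn is one constructed sign-in log entry (sample data, not from any tenant).
type SignIn struct {
	User     string
	IP       string
	Lat, Lon float64
	Time     time.Time
	Success  bool
}

// Detection mirrors the risk event record: what was detected, and for whom or where.
type Detection struct {
	Type, User, IP string
}

// haversineKm returns the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// DetectImpossibleTravel flags a successful sign-in whose distance from the user's
// previous successful sign-in implies a speed above maxKmh (ASSUMED threshold; the
// service also weighs how atypical the location is). Events must be time-ordered.
func DetectImpossibleTravel(events []SignIn, maxKmh float64) []Detection {
	last := map[string]SignIn{}
	var out []Detection
	for _, e := range events {
		if !e.Success {
			continue
		}
		if prev, ok := last[e.User]; ok {
			hours := e.Time.Sub(prev.Time).Hours()
			km := haversineKm(prev.Lat, prev.Lon, e.Lat, e.Lon)
			if km > 0 && (hours <= 0 || km/hours > maxKmh) {
				out = append(out, Detection{"impossibleTravel", e.User, e.IP})
			}
		}
		last[e.User] = e
	}
	return out
}

// DetectSuspiciousIP flags an IP with at least minFailures failed sign-ins against at
// least minUsers distinct accounts inside one sliding window: the password-spray shape.
func DetectSuspiciousIP(events []SignIn, window time.Duration, minFailures, minUsers int) []Detection {
	type fail struct {
		user string
		t    time.Time
	}
	byIP := map[string][]fail{} // failures per source IP, in log (time) order
	for _, e := range events {
		if !e.Success {
			byIP[e.IP] = append(byIP[e.IP], fail{e.User, e.Time})
		}
	}
	var out []Detection
	for ip, fails := range byIP {
		start := 0
		for end := range fails {
			for fails[end].t.Sub(fails[start].t) > window {
				start++ // slide the window forward until it spans at most `window`
			}
			users := map[string]bool{}
			for _, f := range fails[start : end+1] {
				users[f.user] = true
			}
			if end-start+1 >= minFailures && len(users) >= minUsers {
				out = append(out, Detection{"suspiciousIPActivity", "", ip})
				break
			}
		}
	}
	return out
}

// SampleEvents is constructed data: alice signs in from Lisbon and 40 minutes later from
// Tokyo, bob stays in Berlin with one failed attempt, and 203.0.113.7 fails against five
// different accounts within two minutes.
func SampleEvents() []SignIn {
	at := func(h, m int) time.Time { return time.Date(2022, 5, 24, h, m, 0, 0, time.UTC) }
	ev := []SignIn{
		{"alice", "198.51.100.10", 38.72, -9.14, at(9, 0), true},
		{"bob", "198.51.100.5", 52.52, 13.41, at(9, 5), true},
	}
	for i, u := range []string{"carol", "dave", "erin", "frank", "grace"} {
		ev = append(ev, SignIn{u, "203.0.113.7", 48.85, 2.35, at(9, 10+i/3), false})
	}
	return append(ev,
		SignIn{"bob", "198.51.100.5", 52.52, 13.41, at(9, 20), false},
		SignIn{"alice", "192.0.2.77", 35.68, 139.69, at(9, 40), true},
		SignIn{"bob", "198.51.100.5", 52.52, 13.41, at(9, 50), true},
	)
}

func main() {
	ev := SampleEvents()
	fmt.Println(DetectImpossibleTravel(ev, 900))
	fmt.Println(DetectSuspiciousIP(ev, 10*time.Minute, 5, 3))
}
```

The suspicious-IP check deliberately requires both many failures and many distinct accounts: a single user mistyping a password five times is a lockout question, not a risk event, while the same count spread across accounts is the signature the notes describe.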

39

User Risk Policy

• Applied to user sign-ins
• Provide the condition (risk level) and action (block or allow)
• Automatically respond based on a specific user's risk level
• Use a low threshold for greater security
• Use a high threshold during policy roll out

User risk policies - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies#user-risk-policy

Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions
for their risk. User risk is a calculation of probability that an identity has been compromised. Administrators can
make a decision based on this risk score signal to enforce organizational requirements. Administrators can
choose to block access, allow access, or allow access but require a password change using Azure AD self-
service password reset.

40

Sign-in Risk Policy

• Applied to all browser traffic and sign-ins using modern authentication
• Provide the condition (risk level) and action (block or allow)
• Automatically respond to a specific risk level
• Target all policies to specific users – omit certain types of users

How To: Configure and enable risk policies - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

The sign-in risk policy detects suspicious actions that come along with the sign-in. It is focused on the sign-in activity
itself and analyzes the probability that the sign-in may not have been performed by the user. The sign-in risk checks
for things like whether a user has signed in from an unfamiliar location or unfamiliar IP address. You can then choose
to require MFA for users based on the risk level of their sign-ins.

The user risk policy detects the probability that a user account has been compromised by detecting risk events that
are atypical of a user's behavior. Risk events require the recording of a user's activity over a length of time so that it's
possible to detect abnormalities. You can then choose to block access to users based on their risk levels.

Risky sign-ins
The risky sign-ins report contains filterable data for up to the past 30 days (1 month).
With the information provided by the risky sign-ins report, administrators can find:
• Which sign-ins are classified as at risk, confirmed compromised, confirmed safe, dismissed, or remediated.
• Real-time and aggregate risk levels associated with sign-in attempts.
• Detection types triggered
• Conditional Access policies applied
• MFA details
• Device information
• Application information
• Location information
Administrators can then choose to take action on these events. Administrators can choose to:
• Confirm sign-in compromise
• Confirm sign-in safe

41
Remediate risks detected by Azure AD Identity Protection


Instructor demonstration:

- Azure AD Identity Protection

42
Lab 1 Ex 5 Enabling end-user self-service with Azure AD
and Azure AD Identity protection

43
