3-Overview of Azure Active Directory

Uploaded by

casticod
Copyright
© © All Rights Reserved

Overview of Azure Active Directory

Azure Active Directory (Azure AD) is the cloud-based identity and access management service
for Office 365. As such, it’s a vital part of Microsoft Teams because Teams leverages identities
stored in Azure AD for collaboration and communication.

The license requirements for using Azure AD identities and for accessing Teams are included in a
large number of different licensing bundles, such as Small Business Plans like Office 365
Business, Enterprise Plans like Office 365 Enterprise E1, Education Plans like Office 365
Education, and Developer Plans like Office 365 Developer.

Managed identities for Azure resources

A common challenge when building and deploying cloud applications is how to manage the
credentials your code uses to authenticate to cloud services while keeping those credentials
secure. Azure AD solves this problem with a feature called “managed identities,” which provides
access to Azure and Office 365 resources for custom applications and services. The feature
provides Azure services with an automatically managed identity in Azure AD. You can use this
identity to authenticate to any service that supports Azure AD authentication, such as Exchange
Online, SharePoint, OneDrive, and Microsoft Teams, without any credentials in your code.
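
The following added example, which is not part of the original document, shows a script on an Azure VM obtaining an Azure AD token through its managed identity and checking the token's claims, with no secret stored in the script. It assumes a VM with a managed identity enabled; the target resource (Microsoft Graph) and the function names are illustrative choices.

```powershell
# Added example. Assumes it runs on an Azure VM with a managed identity enabled.
# The function names and the Microsoft Graph resource are illustrative.

function Get-ManagedIdentityToken {
    param([string]$Resource = 'https://graph.microsoft.com/')
    # The instance metadata service is link-local: reachable only from inside the VM.
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    # The Metadata header is mandatory; requests without it are rejected.
    Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method Get
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # The payload is the second dot-separated segment, base64url encoded.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $json | ConvertFrom-Json
}

$token  = Get-ManagedIdentityToken
$claims = ConvertFrom-JwtPayload -Jwt $token.access_token

# Show which identity and audience the token was issued for.
# The token itself is a bearer credential: never write it to logs or output.
[pscustomobject]@{
    Audience  = $claims.aud
    ObjectId  = $claims.oid   # service principal that represents the managed identity
    ExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}

# The token is then sent as: -Headers @{ Authorization = "Bearer $($token.access_token)" }
```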

Azure AD Access Review

Because Azure AD enables you to collaborate internally within your organization and with users
from external organizations, such as partners, it’s essential that organizations regularly review
users’ access to ensure that only the right people have access to cloud resources. This can be
accomplished through an Azure AD feature called Access Reviews, which enables organizations
to efficiently manage group memberships, access to enterprise applications, and role
assignments. Users' access can be reviewed on a regular basis to make sure only the right
people have continued access, and that no orphaned permissions provide users with unintended
access to cloud resources.

The following list describes scenarios in which Azure AD Access Reviews can be used:

Too many users in privileged roles. It's a good idea to check how many users have
administrative access, how many of them are Global Administrators, and if there are any
invited guests or partners that have not been removed after being assigned to do an

When automation is infeasible. You can create rules and reviews for dynamic
memberships on Security groups or Office 365 groups. This ensures that those users who
still need access continue to have access.

When a group is used for a new purpose. If you have a group that is going to be synced
to Azure AD, or if you plan to enable an application for everyone in a specific group, it
would be useful to ask the group owner to review the group membership prior to the group
being used in a different risk content.

Business-critical data access. For certain resources, it might be required to ask people
outside of IT to regularly sign out and give a justification on why they need access for

To maintain a policy's exception list. In an ideal world, all users would follow the access
policies to secure access to your organization's resources. However, sometimes there are
business cases that require you to make exceptions.

Ask group owners to confirm they still need guests in their groups. Employee access
might be automated with some on-premises identity access management tool, but not
invited guests. If a group gives guests access to business-sensitive content, then it's the
group owner's responsibility to confirm the guests still have a legitimate business need for

Have reviews recur periodically. You can set up recurring access reviews of users at set
frequencies such as weekly, monthly, quarterly, or annually, and the reviewers will be
notified at the start of each review. Reviewers can approve or deny access with a friendly
interface and with the help of smart recommendations.

Note: Using the Azure AD Access Reviews feature requires an Azure AD Premium P2 license.
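
For the "too many users in privileged roles" scenario above, the following added example (not part of the original document) counts who holds administrative roles, how many are Global Administrators, and which invited guests still hold a role. It assumes the AzureAD PowerShell module and a session already opened with Connect-AzureAD; the output property names are illustrative.

```powershell
# Added example. Assumes the AzureAD (or AzureADPreview) module and a session
# opened with Connect-AzureAD by an account allowed to read directory roles.

# Template ID of the Global Administrator role (older module versions display
# this role as "Company Administrator", so the ID is matched instead of the name).
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

$assignments = foreach ($role in Get-AzureADDirectoryRole) {
    # Members can be users or service principals; only users carry a UserType.
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role          = $role.DisplayName
            IsGlobalAdmin = ($role.RoleTemplateId -eq $globalAdminTemplateId)
            ObjectId      = $member.ObjectId
            ObjectType    = $member.ObjectType
            Principal     = if ($member.UserPrincipalName) { $member.UserPrincipalName }
                            else { $member.DisplayName }
            IsGuest       = ($member.UserType -eq 'Guest')
        }
    }
}

# The figures an access review of privileged roles starts from.
[pscustomobject]@{
    PrivilegedPrincipals = @($assignments.ObjectId | Sort-Object -Unique).Count
    GlobalAdmins         = @($assignments | Where-Object IsGlobalAdmin).Count
    GuestRoleAssignments = @($assignments | Where-Object IsGuest).Count
}

# Invited guests that still hold an administrative role.
$assignments | Where-Object IsGuest | Sort-Object Role |
    Format-Table Role, Principal, ObjectId
```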

Conditional Access

Conditional Access is a set of access-control rules based on conditions such as client,
service, registration procedure, location, compliance status, and so on. The rules are used to
decide whether a user is allowed to access the company's data.

By using Conditional Access policies, you can apply the right access controls when needed to
keep your organization secure and stay out of your users’ way when not needed.

Group Naming Policy

group naming policy to enforce a consistent naming strategy for groups
created by users in your organization. You can use the policy to block specific words from being
used in group names and aliases.

The naming policy is applied to groups that are created across all groups workloads (like
Outlook, Microsoft Teams, SharePoint, Planner, Yammer, and so on). It gets applied to both the
group name and group alias whenever a user creates a group or when the group name or alias is
edited for an existing group.

The group naming policy consists of the following features:

Prefix-Suffix naming policy. You can use prefixes or suffixes to define the naming
convention of groups (for example: “GRP_US_My Group_Development”). The
prefixes/suffixes can either be fixed strings (like “Department”) or user attributes that will
get substituted based on the user who is creating the group.

You can upload a set of blocked words specific to your
organization that will be blocked in the group names that are created by users. (For
example: “salary statement, HR”).

Classification for Office 365 groups

in Office 365 is a feature of Azure Information Protection. It's a cloud-based
solution that helps an organization to classify and optionally protect its content by applying
labels. Microsoft Teams does not currently support Azure Information Protection, so for now,
you can create text-based classifications that simply display in the Microsoft Teams client and
Office 365 Groups. While limited in use, they can still be used to set expectations with your users
when they create an Office 365 group. Currently in Teams, classifications can only be configured
through the Azure AD PowerShell module. They are self-created simple text classifications such
as Internal, External, Confidential, and Highly Confidential. Group classifications aren't set by default,
and you need to create them before your users can set them.
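
The group naming policy and the text classifications described above are both stored in the tenant's Group.Unified directory settings. The following added example, which is not part of the original document, sets them with the AzureADPreview module; it assumes an administrator session opened with Connect-AzureAD, and the prefix, attribute and word lists are sample values.

```powershell
# Added example. Assumes the AzureADPreview module and an administrator session
# opened with Connect-AzureAD. Prefix, attribute and word lists are sample values.

$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

# A tenant has no Group.Unified settings object until one is created from the template.
$isNew = -not $setting
if ($isNew) { $setting = $template.CreateDirectorySetting() }

# Prefix-suffix naming policy: a fixed string, the name the user typed, then the
# Department attribute of the user who creates the group.
$setting['PrefixSuffixNamingRequirement'] = 'GRP_[GroupName]_[Department]'

# Custom blocked words, comma separated.
$setting['CustomBlockedWordsList'] = 'salary statement,HR'

# Text classifications offered when an Office 365 group or team is created.
$setting['ClassificationList'] = 'Internal,External,Confidential,Highly Confidential'

if ($isNew) {
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
} else {
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the stored values back to confirm the change.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement',
                               'CustomBlockedWordsList',
                               'ClassificationList' }
```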

: Classifications in Office 365 should not be mistaken with classification of Azure RMS,

Guest Access

Guest access allows teams in your organization to collaborate with people outside your
organization by granting them access to existing teams and channels on one or more of your
tenants. Anyone with a business or consumer email account, such as Outlook, Gmail, or others,
can participate as a guest in Teams with full access to team chats, meetings, and files. Guest
access is an org-wide setting in Teams and is turned off by default. Guest access is subject to
Azure AD and Office 365 service limits.
