Azure Identity and Access Management (IAM)

 Azure Identity and Access Management (IAM) – Project Manager SOP Draft

Project: Azure IAM Rollout & Modernization Program
Prepared by: Raju Ambhore – IT Project Manager (PMP, PRINCE2, ITIL, Azure Certified)
Audience: IAM Engineers, Security Architects, IT Admins, Compliance Teams


✅ Objective

This SOP outlines the strategic implementation approach I followed as Project Manager while leading an Azure IAM project for an enterprise client. It is built around Microsoft’s native IAM services and tools and ensures governance, compliance, and secure access control throughout the identity lifecycle.


Core Components with Implementation Guidance

1. Azure Active Directory (Azure AD)

Azure AD is the foundation of IAM in the Azure ecosystem.

  • Setup Tasks:

    • Create Azure AD tenant or connect to existing.

    • Sync with on-prem AD using Azure AD Connect:
      Azure AD Connect Download & Setup

    • Enable SSO (Single Sign-On) across enterprise apps.

    • Enable MFA under security > Authentication methods.
      MFA Overview

2. Role-Based Access Control (RBAC)

  • Task Plan:

    • Identify app/resource owners.

    • Define RBAC scopes: Subscription, Resource Group, Resource.

    • Assign built-in roles (Reader, Contributor) or create custom ones.

    • Use PIM for role elevation workflows.

    RBAC Best Practices

3. Conditional Access Policies

  • Setup Steps:

    • Go to Azure AD > Security > Conditional Access.

    • Define conditions (user/group, sign-in risk, location, device platform).

    • Require MFA or block access for high-risk scenarios.

    Conditional Access Guide

4. Privileged Identity Management (PIM)

  • Tasks:

    • Enable PIM for privileged roles.

    • Configure Just-in-Time access.

    • Require MFA & justification during activation.

    • Schedule periodic access reviews.

    PIM Documentation

5. Managed Identities

  • Plan:

    • Assign system-managed identity to services (Azure VM, Logic Apps).

    • Use it to access Key Vault, Storage securely (no secrets stored in code).

    Managed Identity Docs
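
The RBAC and Managed Identity items above are easiest to see end to end in code. The following is an added example, not code from the original SOP: it turns on a system-assigned identity for a VM, grants that identity one built-in data-plane role scoped to a single Key Vault, and shows how the workload then reads a secret with no credential in code. The resource group, VM and vault names are placeholders, the Az PowerShell modules (Az.Accounts, Az.Compute, Az.KeyVault, Az.Resources) are assumed to be installed, and the vault is assumed to use the RBAC permission model (required for the Key Vault Secrets User role).

```powershell
# Added example (not from the original SOP): system-assigned identity + least-privilege RBAC.
Connect-AzAccount

$rg     = 'rg-iam-demo'     # placeholder resource group
$vmName = 'vm-app01'        # placeholder VM
$kvName = 'kv-iam-demo'     # placeholder Key Vault using the RBAC permission model

# 1) Enable the system-assigned identity. Azure creates and rotates the service principal
#    credential itself, so there is nothing for the team to store or leak.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

# 2) Assign a built-in role at the narrowest scope that works: this one vault, not the
#    resource group or subscription, and a data-plane read role rather than Contributor.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName 'Key Vault Secrets User' `
                     -Scope $kv.ResourceId | Out-Null

# 3) Inside the VM the application authenticates as the identity and reads the secret.
#    Shown commented out because it only works when run on the VM itself.
# Connect-AzAccount -Identity
# Get-AzKeyVaultSecret -VaultName $kvName -Name 'sql-connection' -AsPlainText

# 4) Verification for the access review: the identity should hold exactly this one
#    assignment. Anything at subscription scope is a finding.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run step 4 again after each deployment change; role assignments accumulate quietly, and an identity that started with one vault-scoped role often ends up with Contributor on the resource group after a few "quick fixes".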

6. Azure AD Identity Protection

  • Steps:

    • Enable Identity Protection under Azure AD > Security.

    • Set risk-based sign-in & user policies.

    • Enforce remediation (reset password, block access).

    Identity Protection Guide


Best Practices (From Real Deployment)

  1. Always apply least privilege.

    • Use built-in roles and custom RBAC.

  2. Enable MFA for all roles.

    • Especially for Global Admins and Security Admins.

  3. Monitor Sign-in logs and audit logs regularly.

    • Integrate with Log Analytics / Microsoft Sentinel.

  4. Use Conditional Access templates.

    • Don’t reinvent — Microsoft offers preset policies.

  5. Enable PIM reviews every 90 days.

    • Ensure dormant roles are removed.

  6. Use dynamic groups.

    • Auto-assign licenses and roles based on attributes like department, jobTitle.


Implementation Plan & Timeline (Example)

Phase   | Task                                  | Owner                 | Timeline
--------|---------------------------------------|-----------------------|---------
Phase 1 | Setup Azure AD tenant, domain verify  | Azure Admin           | Week 1
Phase 2 | AD Connect + SSO Setup                | Infra + IAM           | Week 2
Phase 3 | Define RBAC + Assign roles            | PMO + Resource Owners | Week 3
Phase 4 | Deploy MFA, Conditional Access        | Security Team         | Week 4
Phase 5 | Enable PIM + Justification Policies   | IAM Lead              | Week 5
Phase 6 | Configure Managed Identity & Dev Apps | App Dev               | Week 6
Phase 7 | Identity Protection + Monitoring      | Compliance + SecOps   | Week 7

✅ Final Thoughts

This SOP represents a real-life playbook based on my experience managing secure IAM rollouts in enterprise settings. It ensures that access governance aligns with regulatory compliance while minimizing operational friction.

Let me know if you'd like this converted to PDF, Word, or formatted with diagrams and screenshots for client presentation.




IAM Azure Implementation (Microsoft Entra ID)

 Technical SOP for Engineers: IAM Azure Implementation (Microsoft Entra ID)

Project Name: IAM Modernization using Azure Entra ID
Prepared By: Raju Ambhore, IT Project Manager
Audience: Technical Engineers (IAM, AD, Azure, Security Ops)


✅ Objective

As a Project Manager who's led enterprise IAM rollouts multiple times, I’ve found that a structured, hands-on approach is critical to success. Below, I’ve detailed every phase our engineering teams have executed — enriched with hints, troubleshooting advice, and best practices from real project experience. This SOP isn’t just theory — it’s what worked.


Phase 1: Environment Preparation

๐Ÿ” Audit Existing Infrastructure

  • Begin by exporting your current AD user list using PowerShell (requires the RSAT ActiveDirectory module):

    # Export every user object with all attributes to a CSV for review
    Get-ADUser -Filter * -Properties * | Export-Csv ADUsers.csv -NoTypeInformation

  • Identify which authentication methods are in play — check for LDAP, Kerberos or older NTLM integrations.

  • Tip: Don't forget to check service accounts and stale users. This often uncovers security gaps early.
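
The export above gives you the raw data; the review that the tip calls for (stale users, service accounts, passwords that never expire) still has to be done by hand. The script below is an added example, not part of the original SOP: it pulls only the attributes the review needs, flags each account, and writes a second CSV plus a summary for the audit deck. The 90-day inactivity threshold and the `svc*` naming convention for service accounts are assumptions; adjust both to your environment.

```powershell
# Added example (not from the original SOP): AD account hygiene report for the Phase 1 audit.
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

$staleDays = 90                                    # assumption: your inactivity threshold
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Request only the attributes we need; -Properties * is slow on large forests
$users = Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet,
    PasswordNeverExpires, Enabled, ServicePrincipalNames

$report = foreach ($u in $users) {
    # Heuristic: an SPN registered on the account, or the svc* prefix, marks a service account
    $isService = ($u.ServicePrincipalNames.Count -gt 0) -or ($u.SamAccountName -like 'svc*')

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        LastLogonDate        = $u.LastLogonDate
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        LikelyServiceAccount = $isService
        # Enabled but no sign-in inside the window (or never signed in) is the "stale user" case
        Stale                = $u.Enabled -and (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)
    }
}

$report | Export-Csv ADUsers-Review.csv -NoTypeInformation

# Headline numbers for the audit findings
"Total users             : $($report.Count)"
"Stale (>$staleDays days inactive): $(@($report | Where-Object Stale).Count)"
"Likely service accounts : $(@($report | Where-Object LikelyServiceAccount).Count)"
"PasswordNeverExpires    : $(@($report | Where-Object PasswordNeverExpires).Count)"
```

Service accounts that are both stale and have PasswordNeverExpires set are the ones to chase first: they are the accounts nobody owns, with a credential that never changes.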

✅ Validate Prerequisites

  • Ensure you have an active Azure subscription and Global Administrator rights.

  • Add and verify your domain in Azure AD:

    • Navigate to Azure AD > Custom Domain Names > Add Custom Domain.

  • Hint: Add TXT records to your DNS for verification. This process can take up to 30 minutes.

⚙️ Install Azure AD Connect

  • Download from: Microsoft AD Connect

  • Install on a dedicated server (recommended minimum: 4 cores, 8GB RAM).

  • Choose Hybrid Azure AD Join if you want devices to sync for Intune/Endpoint Manager.

  • Filter syncing to just required OUs to reduce load.

  • Tip: Always enable staging mode first to validate sync without affecting production.


Phase 2: Identity Federation and SSO

Setup Federation (SAML/OIDC)

  • Head to Azure Portal > Enterprise Applications > New Application.

  • Pick your app from gallery (like Salesforce, Workday) or create a non-gallery app.

  • Under SSO tab:

    • Configure Identifier (Entity ID), Reply URL, and set Binding type (POST or Redirect).

    • Upload signing certificate.

    • Map claims like user.mail, user.displayname.

  • Tip: If you're unsure of claims, test with SAML Tracer browser extension.

✅ Test SSO Integration

  • Assign a test user.

  • Attempt login from the app’s SSO URL.

  • Verify logs under Azure AD > Sign-in Logs.

  • Hint: Check timestamp mismatches; it’s a common SAML error due to NTP issues.
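
When a SAML login fails with a timestamp error, it helps to decode the response the IdP actually sent and compare its validity window with the clock on the service-provider side. The function below is an added example, not part of the original SOP: it decodes a base64 SAMLResponse, reads the Conditions element, and reports how far the local clock sits outside the window. The sample response is constructed inline (unsigned, with a placeholder tenant ID and audience) purely so the script runs offline; the 300-second skew allowance is an assumption. It checks timing only: signature and audience validation remain the SP's job.

```powershell
# Added example (not from the original SOP): diagnose SAML NotBefore/NotOnOrAfter failures.
function Test-SamlResponseTiming {
    param(
        [Parameter(Mandatory)] [string] $SamlResponseBase64,   # the SAMLResponse form field posted to the Reply URL
        [int] $AllowedSkewSeconds = 300                        # assumption: typical SP tolerance for clock drift
    )
    $xml = [xml][Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns  = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $cond = $xml.SelectSingleNode('//saml:Assertion/saml:Conditions', $ns)
    $utc  = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $nb   = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
    $noa  = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)
    $now  = (Get-Date).ToUniversalTime()

    # Explain the failure in terms of which clock is off
    $hint = if ($now -lt $nb.AddSeconds(-$AllowedSkewSeconds)) {
                "SP clock is behind the IdP by about $([int]($nb - $now).TotalSeconds)s"
            } elseif ($now -ge $noa.AddSeconds($AllowedSkewSeconds)) {
                "window closed $([int]($now - $noa).TotalSeconds)s ago (expired assertion, or SP clock ahead)"
            } else { 'OK' }

    [pscustomobject]@{
        Issuer       = $xml.SelectSingleNode('//saml:Assertion/saml:Issuer', $ns).InnerText
        Audience     = $xml.SelectSingleNode('//saml:Conditions//saml:Audience', $ns).InnerText
        NotBefore    = $nb
        NotOnOrAfter = $noa
        LocalUtcNow  = $now
        TimingValid  = ($hint -eq 'OK')
        Hint         = $hint
    }
}

# Constructed sample (not a real capture): minimal unsigned Response with the given window
function New-SampleSamlResponse([datetime] $NotBeforeUtc, [datetime] $NotOnOrAfterUtc) {
    $fmt = 'yyyy-MM-ddTHH:mm:ssZ'
    $xml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="$($NotBeforeUtc.ToString($fmt))">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="$($NotBeforeUtc.ToString($fmt))">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions NotBefore="$($NotBeforeUtc.ToString($fmt))" NotOnOrAfter="$($NotOnOrAfterUtc.ToString($fmt))">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($xml))
}

$now = (Get-Date).ToUniversalTime()
# A response issued a minute ago with a five-minute window: the healthy case
Test-SamlResponseTiming (New-SampleSamlResponse $now.AddMinutes(-1) $now.AddMinutes(5))
# A response whose window closed 25 minutes ago: what an NTP drift failure looks like from the SP
Test-SamlResponseTiming (New-SampleSamlResponse $now.AddMinutes(-30) $now.AddMinutes(-25))
```

For a real troubleshooting session, paste the SAMLResponse value captured by the SAML-tracer extension mentioned above into `Test-SamlResponseTiming` on the server that rejected it; if `Hint` reports the SP clock behind or ahead by more than a few seconds, fix NTP before touching the application configuration.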

๐Ÿ” Conditional Access Setup

  • Navigate to Azure AD > Security > Conditional Access.

  • Define rules like:

    • Require MFA for users outside trusted locations.

    • Block legacy authentication (POP, IMAP).

  • Tip: Use report-only mode initially to assess impact.
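
The two rules above, created in report-only mode so their impact can be assessed before enforcement, look like this when scripted against Microsoft Graph. This is an added example, not part of the original SOP: it assumes the Microsoft.Graph.Identity.SignIns module, an account holding a role that may manage Conditional Access, and a placeholder group ID for the break-glass (emergency access) accounts that every policy must exclude. Policy names are illustrative.

```powershell
# Added example (not from the original SOP): Conditional Access policies in report-only state.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$breakGlass = 'REPLACE-WITH-BREAK-GLASS-GROUP-ID'   # placeholder: emergency-access accounts, always excluded

# 1) Require MFA for every user and app unless the sign-in comes from a trusted named location
$mfaOutsideTrusted = @{
    displayName = 'CA01 - Require MFA outside trusted locations'
    state       = 'enabledForReportingButNotEnforced'   # report-only, as the tip recommends
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 2) Block legacy protocols (POP, IMAP, SMTP basic auth, EAS) because they cannot satisfy an MFA challenge
$blockLegacy = @{
    displayName = 'CA02 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' is Graph's bucket for legacy auth clients
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in $mfaOutsideTrusted, $blockLegacy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    'Created {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State
}

# After the report-only review is clean (sign-in log -> Report-only tab), enforce one policy at a time:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId '<policy id>' -BodyParameter @{ state = 'enabled' }
```

Keep the break-glass exclusion even when moving to `enabled`; the report-only phase tells you who would be blocked, but it cannot protect you from locking every administrator out when the MFA service itself has an outage.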


Phase 3: Lifecycle Management (Provisioning)

๐Ÿ” Enable SCIM-based Provisioning

  • Go to your application’s Provisioning tab.

  • Input the SCIM endpoint and token provided by the vendor.

  • Map required attributes — FirstName, LastName, Email, Manager.

  • Hint: Test provisioning with one user first. Look for errors like missing required fields.

Automate Group Assignment

  • Create Dynamic Groups:

    • Go to Azure AD > Groups > New Group > Membership type: Dynamic User

    • Example rule:

      (user.department -eq "Finance")

  • Tip: Review membership rules every quarter. They can drift as HR data evolves.
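
Creating the dynamic group from the rule above and producing the quarterly drift review can both be scripted. The block below is an added example, not part of the original SOP: it creates a security group with the Finance rule via the Microsoft.Graph.Groups module (assumed installed, with Group.ReadWrite.All consented) and then lists every dynamic group with its rule and current member count. The group display name and mail nickname are illustrative.

```powershell
# Added example (not from the original SOP): dynamic group creation and quarterly drift review.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# 1) Security group whose membership is computed from the rule, never assigned by hand
$group = New-MgGroup -DisplayName 'DYN-Finance-Users' -MailNickname 'dyn-finance-users' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Finance")' `
    -MembershipRuleProcessingState 'On'
"Created $($group.DisplayName) ($($group.Id)); membership is evaluated asynchronously"

# 2) Drift review: every dynamic group, its rule, processing state and how many users it yields.
#    A count that drops to zero or balloons after an HR feed change is the drift the tip warns about.
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All `
            -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState |
    ForEach-Object {
        [pscustomobject]@{
            Group   = $_.DisplayName
            Rule    = $_.MembershipRule
            State   = $_.MembershipRuleProcessingState
            Members = @(Get-MgGroupMember -GroupId $_.Id -All).Count
        }
    } |
    Sort-Object Members |
    Export-Csv DynamicGroupReview.csv -NoTypeInformation
```

Pair the CSV with the previous quarter's copy: groups whose `Rule` changed, or whose `Members` moved by more than you would expect from normal joiner/leaver volume, are the ones to review with HR.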

Configure HRMS Sync (Optional)

  • Integrate with Workday or SuccessFactors using built-in connectors.

  • Requires admin credentials and access tokens from HRMS side.

  • Hint: Ensure HR updates (e.g., terminations) flow into AD cleanly.


⚡ Phase 4: MFA & Passwordless Auth

Enable Azure MFA

  • Navigate to Azure AD > Users > MFA > Service Settings.

  • Enforce via Conditional Access.

  • Supported methods:

    • Microsoft Authenticator

    • SMS / Voice

  • Tip: Encourage users to set up at least two methods for redundancy.

๐Ÿ” Enable Passwordless Authentication (FIDO2)

  • Navigate to Azure AD > Authentication Methods > FIDO2 Security Keys.

  • Enable FIDO2 and define target users/groups.

  • Register devices like YubiKey using browser prompt.

  • Hint: Ideal for high-privilege admins or execs.


Phase 5: Monitoring & Compliance

Enable Audit Logs & Sign-in Logs

  • Go to Azure AD > Monitoring > Logs.

  • Send logs to Log Analytics Workspace for long-term retention.

  • Integrate with Microsoft Sentinel for alerting and response.

  • Tip: Set retention policies explicitly to avoid silent data loss.
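
Once SigninLogs are flowing into the Log Analytics workspace, the review can be scripted rather than clicked through. The block below is an added example, not part of the original SOP: it runs two KQL queries from PowerShell (successful legacy-authentication sign-ins, and risky sign-ins that completed with a single factor or with no Conditional Access policy applied) and sets the workspace retention explicitly. It assumes the Az.OperationalInsights module, a placeholder workspace ID and resource names, and that the SigninLogs diagnostic export described above is already enabled.

```powershell
# Added example (not from the original SOP): weekly sign-in review queries against Log Analytics.
Connect-AzAccount

$rg          = 'rg-security-logs'                 # placeholder resource group
$wsName      = 'law-identity'                     # placeholder workspace name
$workspaceId = 'REPLACE-WITH-WORKSPACE-ID'        # placeholder: workspace (customer) GUID

# Retention set deliberately (tip above): 365 days is an assumption, pick your compliance figure
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -RetentionInDays 365 | Out-Null

# Query 1: legacy-auth sign-ins that still succeed. These accounts cannot be protected by MFA
# and are exactly what breaks when a block-legacy policy moves from report-only to enforced.
$legacyAuth = @'
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| where ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
| summarize SignIns = count(), Apps = make_set(AppDisplayName), DistinctIPs = dcount(IPAddress)
    by UserPrincipalName, ClientAppUsed
| order by SignIns desc
'@

# Query 2: medium/high-risk sign-ins that got through with one factor or outside any CA policy
$riskyNoMfa = @'
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| where RiskLevelDuringSignIn in ("medium", "high")
| where AuthenticationRequirement == "singleFactorAuthentication" or ConditionalAccessStatus == "notApplied"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location,
          RiskLevelDuringSignIn, AuthenticationRequirement, ConditionalAccessStatus
| order by TimeGenerated desc
'@

$queries = @(
    @{ Name = 'LegacyAuthSuccess';  Query = $legacyAuth },
    @{ Name = 'RiskySingleFactor';  Query = $riskyNoMfa }
)

foreach ($q in $queries) {
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $q.Query -Timespan (New-TimeSpan -Days 7)
    "== $($q.Name): $(@($r.Results).Count) rows"
    $r.Results | Format-Table -AutoSize
    $r.Results | Export-Csv "$($q.Name).csv" -NoTypeInformation
}
```

The same two queries, saved as scheduled analytics rules in Microsoft Sentinel, turn this weekly review into near-real-time alerts; the PowerShell version is still useful for the monthly compliance pack, because it leaves a CSV trail.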

Compliance Reporting

  • Launch Microsoft Compliance Manager.

  • Generate assessments for:

    • GDPR, SOX, ISO 27001

  • Assign action items and export reports to PDF.

  • Hint: Schedule monthly reviews with compliance team.


๐Ÿ™️ Support Links


Engineer Checklist


This SOP reflects the hands-on playbook I’ve relied on for successful IAM deployments — real tasks, common pitfalls, and the shortcuts you wish you knew before starting.

Live Project Plan – Dynamics 365 CRM

 

Project Plan: Microsoft Dynamics 365 CRM 9.1 On-Premises Setup


Phase 1: Planning & Preparation

Task                  | Description                                                                          | Owner              | Duration
----------------------|--------------------------------------------------------------------------------------|--------------------|---------
Define Scope          | Finalize environments (DEV, STG, PROD), number of servers, roles                     | Project Manager    | 1 day
Allocate Resources    | Assign technical team, service accounts, infrastructure                              | IT Manager         | 1 day
Finalize Requirements | Review HW/SW requirements, licensing, ports, and prerequisites                       | Solution Architect | 2 days
Download Setup Files  | CRM installer, Report Authoring Extension, SQL Server, Visual Studio, prerequisites  | System Admin       | 1 day

Phase 2: Infrastructure Setup

Task                        | Description                                               | Owner         | Duration
----------------------------|-----------------------------------------------------------|---------------|---------
Install Windows Server 2022 | Install on all planned servers (AD, DB, FE, BE)           | System Admin  | 2 days
Setup Network & IPs         | Assign static IPs, DNS config                             | Network Admin | 1 day
Setup Active Directory      | Promote AD server, create domain, organizational units    | AD Admin      | 1 day
Create Service Accounts     | For CRM Admin, Service, Sandbox across all environments   | AD Admin      | 0.5 day
Configure Firewall & Ports  | Open required ports (80, 443, 1433, etc.)                 | Network Admin | 1 day

Phase 3: Prerequisite Software Installation

Task                        | Description                                        | Owner     | Duration
----------------------------|----------------------------------------------------|-----------|---------
Install SQL Server 2019     | Developer/Enterprise Edition with Mixed Mode       | DBA       | 1 day
Configure SQL Server        | Setup users, collation, memory, tempDB, backups    | DBA       | 1 day
Install SSRS 2019           | SQL Reporting Services with service account        | DBA       | 0.5 day
Install Visual Studio 2022  | With SSIS, SSRS, SSAS extensions                   | Developer | 1 day
Install AD FS & Cert Service| Configure claims-based authentication              | AD Admin  | 1 day

Phase 4: Dynamics 365 CRM Installation

Task                       | Description                            | Owner     | Duration
---------------------------|----------------------------------------|-----------|---------
Install CRM Front-End Role | On FE server (use svcCRMAdmin)         | CRM Admin | 1 day
Install CRM Back-End Role  | On BE server (SSRS, async, sandbox)    | CRM Admin | 1 day
Configure CRM Deployment   | Organization, Base Currency, Language  | CRM Admin | 1 day
Update to v9.1             | Apply CU/updates                       | CRM Admin | 0.5 day

Phase 5: Integration and Testing

Task                                     | Description                                      | Owner           | Duration
-----------------------------------------|--------------------------------------------------|-----------------|---------
Configure Email Router or Server Profile | SMTP/POP3/Exchange settings                      | CRM Admin       | 1 day
Perform System Testing                   | Validate roles, access, reporting, integrations  | QA              | 2 days
UAT with Business Users                  | Validate real-time CRM scenarios                 | Functional Lead | 2 days

Phase 6: Go-Live Preparation

Task                        | Description                                       | Owner            | Duration
----------------------------|---------------------------------------------------|------------------|---------
Backup Systems              | Snapshot VMs, DB backups                          | SysAdmin         | 0.5 day
User Creation & Role Mapping| Assign security roles in CRM                      | CRM Admin        | 1 day
Documentation               | Prepare configuration, user guides, admin guides  | PM / CRM Admin   | 1 day
Final Approval & Sign-Off   | Stakeholder review and approval                   | Project Manager  | 0.5 day

Phase 7: Go-Live & Support

Task                   | Description                                 | Owner           | Duration
-----------------------|---------------------------------------------|-----------------|---------
Cutover & Go-Live      | Switch over from staging to production      | CRM Admin       | 0.5 day
Hypercare Support      | Monitor logs, errors, system usage          | Support Team    | 5 days
Handover to Operations | Transition to BAU support team              | Project Manager | 1 day

 

Microsoft Dynamics 365 On-Premises Upgrade Guide (v8.1/8.2 to 9.1)


Upgrading Microsoft Dynamics 365 On-Premises from version 8.1 or 8.2 to 9.1 is a significant milestone for organizations aiming to modernize their CRM infrastructure. This guide is written from the perspective of an engineer who has led these upgrades, sharing field-tested steps, lessons learned, and best practices.

SOP Reference


For full technical documentation, screenshots, and command-line examples, please refer to my published SOP document:
https://docs.google.com/document/d/e/2PACX-1vRrm-d9dCsGxoXgHGnic2AZDfJUVVog62SXgqcXHx1faPI0sgb819L6CHQh6ItZR4Q4MM-9QLojiw_6/pub

๐Ÿ” Why Upgrade to 9.1?


Dynamics 365 9.1 offers substantial enhancements in performance, compliance, and security. The earlier versions (8.1/8.2) no longer receive regular cumulative updates and may not support the latest OS or SQL versions.

Pre-Upgrade Engineering Tips

- Take full backups of databases and encryption keys.

- Validate available disk and memory resources.

- Create VM snapshots before starting upgrades.

- Prepare all necessary pre-requisite installers.

TIP: Always test the upgrade process in a sandbox environment using a restored backup.

Recommended Microsoft Upgrade Flow

Based on Microsoft documentation and upgrade experience:

1. Ensure current environment is upgraded to Dynamics 365 v8.2.

2. Apply the latest CU for v8.2 (if not done already).

3. Set up a new environment with Windows Server 2019/2022 and SQL Server 2019.

4. Install Dynamics 365 9.0 from official Microsoft installer.

5. Apply latest CU for version 9.0 (e.g., CU 50).

6. Install Dynamics 365 9.1 base version (minimum 9.1.1.914).

7. Apply latest CU for 9.1 (e.g., CU 38 – 9.1.38.10).

8. Use Deployment Manager to import and upgrade Org DB.

9. Reconfigure SSRS Report Extensions.

10. Revalidate workflows, plugins, and reports.

๐Ÿ” IFD and Claims Configuration (Optional)


If you're exposing your CRM to external users, configure ADFS and IFD post-upgrade.
- Use proper SSL certificates.
- Configure relying party trust in ADFS.
- Test `/adfs/ls/` and federation metadata URLs.
Microsoft guide: https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/deploy/configure-the-ad-fs-server-for-ifd

Post-Upgrade Validation

- Confirm CRM service health (via logs & Event Viewer).

- Test custom reports and dashboards.

- Verify Outlook and external app integrations.

- Create rollback plan before going live.
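
The first validation item (service health via logs and Event Viewer) is worth scripting so it gives the same answer on every server and every rehearsal. The block below is an added example, not part of the original guide: run on a CRM server after the CU is applied, it reads the installed server version, checks the CRM Windows services and IIS sites, and pulls error and critical events from CRM providers in the Application log since a chosen start time. The registry path and value name (`HKLM:\SOFTWARE\Microsoft\MSCRM`, `CRM_Server_Version`) and the `MSCRM*` prefix for service and event-provider names are assumptions to confirm against your own deployment before relying on the output.

```powershell
# Added example (not from the original guide): post-upgrade health check for a Dynamics 365 CRM server.
$since = (Get-Date).AddHours(-2)   # assumption: the upgrade window; widen if the CU run took longer

# 1) Installed server version; expect a 9.1.x build after the CU (registry path is an assumption)
$ver = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSCRM' -ErrorAction SilentlyContinue).CRM_Server_Version
"CRM server version : $ver"

# 2) CRM Windows services (async, sandbox, monitoring, ...); name prefix is an assumption
$services = @(Get-Service -Name 'MSCRM*' -ErrorAction SilentlyContinue)
$services | Select-Object Name, Status, StartType | Format-Table -AutoSize
$down = @($services | Where-Object Status -ne 'Running')

# 3) IIS sites hosting the CRM web roles should be started
Import-Module WebAdministration -ErrorAction SilentlyContinue
$sites = @(Get-Website | Select-Object Name, State, PhysicalPath)
$sites | Format-Table -AutoSize

# 4) Errors (Level 2) and criticals (Level 1) from CRM event providers since the upgrade started
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MSCRM*'; Level = 1, 2; StartTime = $since
} -ErrorAction SilentlyContinue)
$events |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 5) One-line verdict that feeds the go / rollback decision
$result = [pscustomobject]@{
    Version      = $ver
    ServicesDown = ($down.Name -join ',')
    StoppedSites = (@($sites | Where-Object State -ne 'Started').Name -join ',')
    ErrorEvents  = $events.Count
}
$result
if ($down.Count -gt 0 -or $events.Count -gt 0 -or -not $ver) {
    Write-Warning 'Health check found issues; resolve or execute the rollback plan before proceeding.'
}
```

Run it once on the restored-backup sandbox before the production upgrade and keep that output as the baseline; the production comparison then shows only what the upgrade changed.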

CU Versions Reference

• 9.0.50.03 – Oct 2023

• 9.1.38.10 – July 2025

Full CU List: https://support.microsoft.com/en-us/topic/microsoft-dynamics-365-on-premises-cumulative-updates

Microsoft Resources

• Upgrade Guide: https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/deploy/update-to-v91

• CU List: https://support.microsoft.com/en-us/topic/microsoft-dynamics-365-on-premises-cumulative-updates

• Claims & IFD: https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/deploy/configure-the-dynamics-365-server-for-claims-based-authentication

Final Thoughts


Upgrades require careful planning, time allocation, and testing. Do not rush this process. My recommendation is to always isolate the upgrade steps in a test environment and track each action in a log file. By following Microsoft’s structured process—and supplementing it with field-tested insights—you can upgrade with confidence.






