AZ-104: Manage identities and governance in Azure Flashcards
Azure AD Permissions and roles
Permissions and roles
Azure AD uses permissions to help you control the access rights a user or group is granted. This is done through roles. Azure AD has many roles with different permissions attached to them. When a user is assigned a specific role, they inherit permissions from that role. For example, a user assigned to the User Administrator role can create and delete user accounts.
Understanding when to assign the correct type of role to the right user is a fundamental and crucial step in maintaining privacy and security compliance. If the wrong role is assigned to the wrong user, the permissions that come with that role can allow the user to cause serious damage to an organization.
Azure AD Administrator roles
Administrator roles in Azure AD allow users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organization. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more.
Azure AD Member users
A member user account is a native member of the Azure AD organization that has a set of default permissions like being able to manage their profile information. When someone new joins your organization, they typically have this type of account created for them.
Any user who is neither a guest user nor assigned an administrator role falls into this type.
Azure AD Guest users
Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users sign in with their own work, school, or social identities. By default, Azure AD member users can invite guest users. This default can be disabled by someone who has the User Administrator role.
PowerShell invite guest user command (AzureAD module)
New-AzureADMSInvitation
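The invitation flow described in the two cards above, as an added example that is not part of the flashcards or of Microsoft's documentation. It assumes the AzureAD PowerShell module is installed and you have signed in with Connect-AzureAD; the partner address, display name and redirect URL are placeholders.

```powershell
# Added example: check who is allowed to invite guests, then invite one and
# confirm the resulting object is a Guest. Placeholders: the e-mail address,
# display name and redirect URL.
Connect-AzureAD

# Tenant-wide setting behind "member users can invite guests by default".
# Values: everyone | adminsGuestInvitersAndAllMembers | adminsAndGuestInviters | none
(Get-AzureADMSAuthorizationPolicy).AllowInvitesFrom

# Send the invitation. SendInvitationMessage $true e-mails the redemption link;
# InviteRedirectUrl is where the guest lands after redeeming it.
$invitation = New-AzureADMSInvitation `
    -InvitedUserEmailAddress "partner@fabrikam.example" `
    -InvitedUserDisplayName  "Fabrikam Partner" `
    -InviteRedirectUrl       "https://myapps.microsoft.com" `
    -SendInvitationMessage   $true

# The user object exists immediately, before the link is redeemed.
# UserType "Guest" is what applies the restricted guest permission set;
# CreationType "Invitation" records how the account came to exist.
Get-AzureADUser -ObjectId $invitation.InvitedUser.Id |
    Select-Object DisplayName, UserPrincipalName, UserType, CreationType

# Pending invitations are easy to forget; list guests who never redeemed theirs.
Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Where-Object { $_.UserState -eq "PendingAcceptance" } |
    Select-Object UserPrincipalName, UserState, UserStateChangedOn
```

The AzureAD module is deprecated in favour of Microsoft Graph PowerShell; the equivalent cmdlet there is New-MgInvitation, which takes the same -InvitedUserEmailAddress, -InviteRedirectUrl and -SendInvitationMessage parameters.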
Azure AD deleted user retention period
When you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored.
Access management in Azure
Azure AD roles:
Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.
Role-based access control (RBAC) for Azure resources: Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription.
Azure AD - Ways you can assign access rights:
Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights.
Group assignment: Assign a group the required access rights, and members of the group will inherit those rights.
Rule-based assignment: Use rules to determine group membership based on user or device properties. For a user account's or device's group membership to be valid, the user or device must meet the rules. If the rules are no longer met, the user account or device is removed from the group. The rules can be simple: you can select prewritten rules or write your own advanced rules.
Modify the group to use dynamic assignment
You can change an assigned group to use dynamic assignment. Membership then depends on whether a user meets the rules you set for the group; any members you assigned manually are dropped once the group becomes dynamic. In the Azure portal, open the group and select Properties.
Change Membership type to Dynamic User.
Select Add dynamic query and build or paste the rule.
Select Save.
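The same procedure in PowerShell, as an added example (not part of the flashcards or of Microsoft's documentation). It assumes the AzureAD module and a Connect-AzureAD session; the group names, mail nickname and department value are placeholders. Dynamic membership requires an Azure AD Premium P1 license.

```powershell
# Added example: create a dynamic security group and convert an existing
# assigned group to the same rule. Group names and the department value are
# placeholders.
Connect-AzureAD

# Rule syntax: user.<property> -operator "value", joined with -and / -or.
# Requiring accountEnabled keeps disabled accounts from lingering in the group
# and in everything the group is granted access to.
$rule = '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'

# 1. A security group that is dynamic from the start.
$group = New-AzureADMSGroup `
    -DisplayName "Sales-Dynamic" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "salesdyn" `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# 2. Convert an existing assigned group (Properties > Membership type >
#    Dynamic User in the portal). Manually assigned members are removed;
#    from here on membership is computed from the rule only.
$existing = Get-AzureADMSGroup -SearchString "Sales-Static" | Select-Object -First 1
Set-AzureADMSGroup -Id $existing.Id `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# 3. Verify the rule was stored and processing is on. Membership is evaluated
#    asynchronously, so the member list may lag the rule by a few minutes.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState

Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled
```

Set -MembershipRuleProcessingState to "Paused" if you need to edit a rule without the group emptying and refilling while you work.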
Azure Active Directory B2B
With Azure Active Directory B2B, you don’t have to manage your external users’ identities. The partner has the responsibility to manage its own identities. External users continue to use their current identities to collaborate with your organization.
Why use Azure AD B2B instead of federation?
With Azure AD B2B, you don’t take on the responsibility of managing and authenticating the credentials and identities of partners. Giving access to external users is much easier than in a federation. You don’t need an AD administrator to create and manage external user accounts. Any authorized user can invite other users. A federation is where you have a trust established with another organization, or a collection of domains, for shared access to a set of resources. You might be using an on-premises identity provider and authorization service like Active Directory Federation Services (AD FS) that has an established trust with Azure AD. To get access to resources, all users have to provide their credentials and successfully authenticate against the AD FS server.
When on-premises federation with Azure AD might be the better choice
Your organization wants all authentication to Azure resources to happen in the local environment, so administrators can implement more rigorous levels of access control. The trade-off is availability: if your local environment is down, users can't access the Azure resources and services they need.
Azure AD instance
When a company or organization signs up to use one of Microsoft's cloud offerings, it is assigned a default directory, an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has purchased. This default directory can be referred to as a tenant. A tenant represents the organization and the default directory assigned to it.
Microsoft cloud-based which can use Azure AD
Microsoft offers several cloud-based offerings today, all of which can use Azure AD to identify users and control access:
Microsoft Azure
Microsoft 365
Microsoft Intune
Microsoft Dynamics 365
Subscriptions in Azure
Subscriptions in Azure are both a billing entity and a security boundary. Resources such as virtual machines, websites, and databases are associated with a single subscription. Each subscription also has a single account owner responsible for any charges incurred by resources in that subscription. If your organization wants a subscription billed to another account, you can transfer the subscription. A subscription is associated with a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory.
Users and groups added to multiple subscriptions
When you add a user to a subscription, the user must be known to the directory that subscription trusts. Because many subscriptions can trust the same directory, one user or group can be granted access in several subscriptions without being duplicated.
access to Azure resources
A user account contains all the information needed to authenticate the user during the sign-on process. Once authenticated, Azure AD builds an access token to authorize the user and determine what resources they can access and what they can do with those resources.
Azure AD defines users in three ways
Cloud identities - These users exist only in Azure AD. Their source is Azure Active Directory or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they are deleted.
Directory-synchronized identities - These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users in to Azure. Their source is Windows Server AD.
Guest users - These users exist outside Azure. Their source is Invited user.
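The three identity sources above map onto attributes of the user object, which makes them easy to audit. The following is an added example, not part of the flashcards or of Microsoft's documentation; it assumes the AzureAD module and a Connect-AzureAD session.

```powershell
# Added example: classify every user in the tenant by identity source using
# the UserType and DirSyncEnabled attributes exposed by Get-AzureADUser.
Connect-AzureAD

$users = Get-AzureADUser -All $true

$classified = $users | ForEach-Object {
    $source = if ($_.UserType -eq "Guest") {
        "Guest (Invited user)"          # invited through B2B
    } elseif ($_.DirSyncEnabled -eq $true) {
        "Directory-synchronized"        # Windows Server AD via Azure AD Connect
    } else {
        "Cloud identity"                # exists only in Azure AD
    }
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        Source            = $source
        AccountEnabled    = $_.AccountEnabled
        LastDirSync       = $_.LastDirSyncTime   # $null for non-synced users
    }
}

# Headcount per source.
$classified | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize

# Synced users whose last sync is stale may have been deleted on-premises
# while the cloud object lingers; flag anything older than 7 days.
$classified |
    Where-Object { $_.Source -eq "Directory-synchronized" -and
                   $_.LastDirSync -lt (Get-Date).AddDays(-7) } |
    Format-Table -AutoSize

# Guests keep access until explicitly removed, so list them for review.
$classified | Where-Object Source -like "Guest*" | Format-Table -AutoSize
```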
Adding Azure AD users
You can add cloud identities to Azure AD in multiple ways:
Syncing an on-premises Windows Server Active Directory
Using the Azure portal
Using the command line
Other options
add users to Azure AD Other options
You can also add users to Azure AD programmatically through the Graph API (the original Azure AD Graph API has since been retired in favour of Microsoft Graph), or through the Microsoft 365 admin center and the Microsoft Intune admin console if they share the same directory.
Azure AD membership type
Assigned (static). The group will contain specific users or groups that you select.
Dynamic user. You create rules based on user attributes to enable attribute-based dynamic membership for groups. You can set up a rule for dynamic membership on security groups or on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license.
Dynamic device. You create rules based on device attributes to enable attribute-based dynamic membership for groups. You can set up a rule for dynamic membership on security groups only, not on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license.
Three built-in Azure RBAC roles that apply to all resource types
Owner, which has full access to all resources, including the right to delegate access to others.
Contributor, which can create and manage all types of Azure resources but can’t grant access to others.
Reader, which can view existing Azure resources.
Role definitions for Azure Resources
Each role is a set of properties defined in a JavaScript Object Notation (JSON) document. This role definition includes a Name, ID, and Description. It also includes the allowed permissions (Actions), the permissions subtracted from them (NotActions), and the scopes at which the role can be assigned (AssignableScopes, for example a subscription or resource group).
For the Owner role, that means all actions, indicated by an asterisk (*); no denied actions; and all scopes, indicated by a forward slash (/).
What’s a role definition?
A role definition is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can't be performed (NotActions) and operations on the data inside a resource rather than on the resource itself (DataActions and NotDataActions, for example reading blob contents as opposed to managing the storage account).
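A complete role definition with the properties described in the last three cards, as an added example that is not part of the flashcards or of Microsoft's documentation. It assumes the Az PowerShell module and a Connect-AzAccount session; the role name, subscription ID, resource-group name and principal object ID are placeholders.

```powershell
# Added example: define a custom Azure RBAC role, assign it at a narrow scope,
# and compare it with the built-in Owner definition. Placeholders: subscription
# ID, resource-group name, principal object ID, role name.
$subscriptionId    = "00000000-0000-0000-0000-000000000000"
$principalObjectId = "11111111-1111-1111-1111-111111111111"

# Actions:          management-plane operations the role may perform.
# NotActions:       carved out of the Actions wildcard. This is a subtraction,
#                   not a deny: a second role that grants listKeys still wins.
# DataActions:      data-plane operations (blob contents), separate from
#                   managing the storage account resource.
# AssignableScopes: where assignments may be created; Owner uses "/".
$roleJson = @"
{
  "Name": "Storage Account Operator (custom)",
  "IsCustom": true,
  "Description": "Manage storage accounts and read blob data without access to shared keys.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action",
    "Microsoft.Storage/storageAccounts/delete"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@

Connect-AzAccount
$path = Join-Path ([IO.Path]::GetTempPath()) "storage-operator-role.json"
Set-Content -Path $path -Value $roleJson
$role = New-AzRoleDefinition -InputFile $path

# Assign at the smallest scope that does the job (one resource group), not
# the whole subscription: scope bounds what a compromised principal can reach.
New-AzRoleAssignment -ObjectId $principalObjectId `
    -RoleDefinitionName $role.Name `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/rg-storage-prod"

# Built-in Owner, for comparison: Actions "*", no NotActions, scope "/".
Get-AzRoleDefinition -Name "Owner" |
    Select-Object Name, Actions, NotActions, AssignableScopes

# Contributor differs from Owner only by the NotActions that block delegating
# access to others.
(Get-AzRoleDefinition -Name "Contributor").NotActions
```

Because NotActions only narrow this one role, anyone who also holds Contributor on the same scope can still call listKeys; when a permission must be unconditionally blocked, that is a job for a deny assignment or for removing the broader role, not for NotActions.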