AZ-104: Manage identities and governance in Azure Flashcards
Azure AD Permissions and roles
Permissions and roles
Azure AD uses permissions to help you control the access rights a user or group is granted. This is done through roles. Azure AD has many roles with different permissions attached to them. When a user is assigned a specific role, they inherit permissions from that role. For example, a user assigned to the User Administrator role can create and delete user accounts.
Understanding when to assign the correct type of role to the right user is a fundamental and crucial step in maintaining privacy and security compliance. If the wrong role is assigned to the wrong user, the permissions that come with that role can allow the user to cause serious damage to an organization.
Azure AD Administrator roles
Administrator roles in Azure AD allow users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organization. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more.
Azure AD Member users
A member user account is a native member of the Azure AD organization that has a set of default permissions like being able to manage their profile information. When someone new joins your organization, they typically have this type of account created for them.
Anyone who isn’t a guest user or isn’t assigned an administrator role falls into this type.
Azure AD Guest users
Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users sign in with their own work, school, or social identities. By default, Azure AD member users can invite guest users. This default can be disabled by someone who has the User Administrator role.
PowerShell invite guest user command
New-AzureADMSInvitation
Azure AD deleted user retention period
When you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored.
Access management in Azure
Azure AD roles:
Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.
Role-based access control (RBAC) for Azure resources: Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription.
Azure AD - Ways you can assign access rights:
Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights.
Group assignment: Assign a group the required access rights, and members of the group will inherit those rights.
Rule-based assignment: Use rules to determine group membership based on user or device properties. For a user account's or device's group membership to be valid, the user or device must meet the rules. If the rules aren't met, the user account's or device's group membership is no longer valid. The rules can be simple: you can select prewritten rules or write your own advanced rules.
Modify the group to use dynamic assignment
You can change the group to use dynamic assignment. Membership then depends on whether a user meets the rules you set for the group. Select Properties.
Change Membership type to Dynamic User. Select Save.
Select Add dynamic query.
Azure Active Directory B2B
With Azure Active Directory B2B, you don’t have to manage your external users’ identities. The partner has the responsibility to manage its own identities. External users continue to use their current identities to collaborate with your organization.
Why use Azure AD B2B instead of federation?
With Azure AD B2B, you don’t take on the responsibility of managing and authenticating the credentials and identities of partners. Giving access to external users is much easier than in a federation. You don’t need an AD administrator to create and manage external user accounts. Any authorized user can invite other users. A federation is where you have a trust established with another organization, or a collection of domains, for shared access to a set of resources. You might be using an on-premises identity provider and authorization service like Active Directory Federation Services (AD FS) that has an established trust with Azure AD. To get access to resources, all users have to provide their credentials and successfully authenticate against the AD FS server.
On-premises federation with Azure AD might be good if
Your organization wants all authentication to Azure resources to happen in the local environment. Administrators can implement more rigorous levels of access control. But this means that, if your local environment is down, users can't access the Azure resources and services they need.
Azure AD instance
When a company or organization signs up to use one of these offerings, they are assigned a default directory, an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has purchased. This default directory can be referred to as a tenant. A tenant represents the organization and the default directory assigned to it.
Microsoft cloud-based offerings which can use Azure AD
Microsoft offers several cloud-based offerings today, all of which can use Azure AD to identify users and control access: Microsoft Azure, Microsoft 365, Microsoft Intune, and Microsoft Dynamics 365.
Subscriptions in Azure
Subscriptions in Azure are both a billing entity and a security boundary. Resources such as virtual machines, websites, and databases are associated with a single subscription. Each subscription also has a single account owner responsible for any charges incurred by resources in that subscription. If your organization wants a subscription billed to another account, you can transfer the subscription. A subscription is associated with a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory.
Users and groups added to multiple subscriptions
When you add a user to a subscription, the user must be known to the associated directory.
access to Azure resources
A user account contains all the information needed to authenticate the user during the sign-on process. Once authenticated, Azure AD builds an access token to authorize the user and determine what resources they can access and what they can do with those resources.
Azure AD defines users in three ways
Cloud identities - These users exist only in Azure AD. Their source is Azure Active Directory or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they are deleted.
Directory-synchronized identities - These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users in to Azure. Their source is Windows Server AD.
Guest users - These users exist outside Azure. Their source is Invited user.
Adding Azure AD users
You can add cloud identities to Azure AD in multiple ways:
Syncing an on-premises Windows Server Active Directory
Using the Azure portal
Using the command line
Other options
Adding Azure AD users: other options
You can also add users to Azure AD programmatically using the Azure AD Graph API, or through the Microsoft 365 Admin Center and the Microsoft Intune Admin console if you are sharing the same directory.
Azure AD membership type
Assigned (static). The group will contain specific users or groups that you select.
Dynamic user. You create rules based on characteristics to enable attribute-based dynamic memberships for groups. You can set up a rule for dynamic membership on security groups or on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license.
Dynamic device. You create rules based on characteristics to enable attribute-based dynamic memberships for groups. You can set up a rule for dynamic membership on security groups or on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license.
three Azure AD roles that apply to all resource types
Owner, which has full access to all resources, including the right to delegate access to others.
Contributor, which can create and manage all types of Azure resources but can’t grant access to others.
Reader, which can view existing Azure resources.
Role definitions for Azure Resources
Each role is a set of properties defined in a JavaScript Object Notation (JSON) file. This role definition includes a Name, ID, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (for example, read access) for the role.
For the Owner role, that means all actions, indicated by an asterisk (*); no denied actions; and all scopes, indicated by a forward slash (/).
What’s a role definition?
A role definition is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can’t be performed or operations related to underlying data.
A role definition has the following structure
Id: Unique identifier for the role, assigned by Azure.
IsCustom: True if a custom role, False if a built-in role.
Description: A readable description of the role.
Actions []: Allowed permissions; * indicates all.
NotActions []: Denied permissions.
DataActions []: Specific allowed permissions as applied to data, for example Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read.
NotDataActions []: Specific denied permissions as applied to data.
AssignableScopes []: Scopes where this role applies. / indicates global, but the scope can reach into a hierarchical tree.
Actions and NotActions
You can tailor the Actions and NotActions properties to grant and deny the exact permissions you need. These properties are always in the format: {Company}.{ProviderName}/{resourceType}/{action}.
What the wildcard (*) operation under Actions indicates
It indicates that the principal assigned to this role can perform all actions; in other words, it can manage everything, including actions defined in the future as Azure adds new resource types.
DataActions and NotDataActions
Data operations are specified in the DataActions and NotDataActions properties. Data operations can be specified separately from the management operations. This prevents current role assignments with wildcards (*) from suddenly having access to data.
Data operation examples
Delete blob data
Log in to a VM as a regular user
Send messages on an event hub
Return a file/folder or list of files/folders
Read a message from a queue
AssignableScopes
The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources) within which the role is available for assignment. You can make the custom role available for assignment just in the subscriptions or resource groups that need it, thus avoiding cluttering the user experience for the rest of the subscriptions or resource groups.
Custom role creation requires (licenses)
Azure AD Premium P1 or P2 and cannot be done in the free tier
Creating a new role can be done through
Azure portal. You can use the Azure portal to create a custom role - Azure Active Directory > Roles and administrators > New custom role.
Azure PowerShell. You can use the New-AzureADMSRoleDefinition cmdlet to define a new role.
Azure Graph API. You can use a REST call to the Graph API to programmatically create a new role.
Azure AD Connect
can provide your users with a common identity for Microsoft 365, Azure, and SaaS applications integrated with Azure AD in a hybrid identity environment.
Azure AD Connect sync services
This component is responsible for creating users, groups, and other objects. It also makes sure that identity information for your on-premises users and groups matches that in the cloud.
Azure AD Connect Health monitoring
Azure AD Connect Health supplies robust monitoring and a central location in the Azure portal for viewing this activity.
Azure AD Connect AD FS
Federation is an optional part of Azure AD Connect that you can use to configure a hybrid environment via an on-premises AD FS infrastructure. Organizations can use this to address complex deployments, such as domain join SSO, enforcement of the Active Directory sign-in policy, and smart card or third-party multi-factor authentication.
Password hash synchronization
This feature is a sign-in method that synchronizes a hash of a user's on-premises Active Directory password with Azure AD.
Azure AD Connect pass-through authentication
This allows users to sign in to both on-premises and cloud-based applications using the same passwords. This reduces IT helpdesk costs because users are less likely to forget how to sign in. This feature provides an alternative to Password hash synchronization that allows organizations to enforce their security and password complexity policies.
Integrating your on-premises directories with Azure AD Benefits
Users can use a single identity to access both on-premises applications and cloud services, such as Microsoft 365.
A single tool provides an easy deployment experience for synchronization and sign-in.
Integration provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools, such as DirSync and Azure AD Sync. For more information, see Hybrid Identity directory integration tools comparison.