AZ-500: Secure identity and access Flashcards
Security Principle
Use a centralized identity and authentication system to govern your organization’s identities and authentications for cloud and non-cloud resources.
Microsoft Entra ID
Microsoft Entra ID is a cloud-based identity and access management service that your employees can use to access external resources.
Microsoft Entra ID Free
Microsoft Entra ID Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
Microsoft Entra ID P1
P1 lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft
Microsoft Entra ID P2
P2 also offers Microsoft Entra ID Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
Types of Users
Internal member: These users are most likely full-time employees in your organization.
Internal guest: These users have an account in your tenant, but have guest-level privileges. It’s possible they were created within your tenant prior to the availability of B2B collaboration.
External member: These users authenticate using an external account, but have member access to your tenant. These types of users are common in multitenant organizations.
External guest: These users are true guests of your tenant who authenticate using an external method and who have guest-level privileges.
Internal member
These users are most likely full-time employees in your organization.
Internal guest
These users have an account in your tenant, but have guest-level privileges. It’s possible they were created within your tenant prior to the availability of B2B collaboration.
External member
These users authenticate using an external account, but have member access to your tenant. These types of users are common in multitenant organizations.
External guest
These users are true guests of your tenant who authenticate using an external method and who have guest-level privileges.
Creating a user Basic section
User principal name: Enter a unique username and select a domain from the menu after the @ symbol. Select Domain not listed if you need to create a new domain. For more information, see Add your custom domain name.
Mail nickname: If you need to enter an email nickname that is different from the user principal name you entered, uncheck the Derive from user principal name option, then enter the mail nickname.
Display name: Enter the user’s name, such as Chris Green or Chris A. Green
Password: Provide a password for the user to use during their initial sign-in. Uncheck the Auto-generate password option to enter a different password.
Account enabled: This option is checked by default. Uncheck to prevent the new user from being able to sign-in. You can change this setting after the user is created. This setting was called Block sign in in the legacy create user process.
User principal name (Creating a user basic section)
Enter a unique username and select a domain from the menu after the @ symbol. Select Domain not listed if you need to create a new domain. For more information, see Add your custom domain name.
Mail nickname (Creating a user basic section)
If you need to enter an email nickname that is different from the user principal name you entered, uncheck the Derive from user principal name option, then enter the mail nickname.
Display name (Creating a user basic section)
Enter the user’s name, such as Chris Green or Chris A. Green
Password (Creating a user basic section)
Provide a password for the user to use during their initial sign-in. Uncheck the Auto-generate password option to enter a different password.
Account Enabled (Creating a user basic section)
This option is checked by default. Uncheck to prevent the new user from being able to sign-in. You can change this setting after the user is created. This setting was called Block sign in in the legacy create user process.
Properties
Identity: Enter the user’s first and last name. Set the User type as either Member or Guest.
Job information: Add any job-related information, such as the user’s job title, department, or manager.
Contact information: Add any relevant contact information for the user.
Parental controls: For organizations like K-12 school districts, the user’s age group may need to be provided. Minors are 12 and under, Not adult are 13-18 years old, and Adults are 18 and over. The combination of age group and consent provided by parent options determines the Legal age group classification. The Legal age group classification may limit the user’s access and authority.
Settings: Specify the user’s global location.
Identity Properties creating a user
Enter the user’s first and last name. Set the User type as either Member or Guest.
Job Information Properties creating a user
Add any job-related information, such as the user’s job title, department, or manager.
Contact information Properties creating a user
Add any relevant contact information for the user.
Settings Properties creating a user
Specify the user’s global location.
Assignment options
You can assign the user to an administrative unit, group, or Microsoft Entra role when the account is created. You can assign the user to up to 20 groups or roles. You can only assign the user to one administrative unit. Assignments can be added after the user is created.
Group types
Security: Used to manage user and computer access to shared resources.
Microsoft 365: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more
Security group nesting
When nesting an existing security group in another security group, only members of the parent group will have access to shared resources and applications. Nested group members don’t have the same assigned membership as the parent group members.
Membership types
Assigned: Lets you add specific users as members of a group and have unique permissions.
Dynamic user: Lets you use dynamic membership rules to automatically add and remove members. If a member’s attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rule requirements (is removed).
Dynamic device: Lets you use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added), or no longer meets the rule requirements (is removed).
What to know before adding access rights to a group
After creating a Microsoft Entra group, you need to grant it the appropriate access. Each application, resource, and service that requires access permissions needs to be managed separately because the permissions for one may not be the same as another. Grant access using the principle of least privilege to help reduce the risk of attack or a security breach.
How access management in Microsoft Entra ID works
Microsoft Entra ID helps you give access to your organization’s resources by providing access rights to a single user or to an entire Microsoft Entra group. Using groups lets the resource owner or Microsoft Entra directory owner assign a set of access permissions to all the members of the group. The resource or directory owner can also give management rights to someone such as a department manager or a help desk administrator, letting that person add and remove members.
Ways to assign access rights
Direct assignment. The resource owner directly assigns the user to the resource.
Group assignment. The resource owner assigns a Microsoft Entra group to the resource, which automatically gives all of the group members access to the resource. Group membership is managed by both the group owner and the resource owner, letting either owner add or remove members from the group.
Rule-based assignment. The resource owner creates a group and uses a rule to define which users are assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The resource owner manages the rule, determining which attributes and values are required to allow access to the resource.
External authority assignment. Access comes from an external source, such as an on-premises directory or a SaaS app. In this situation, the resource owner assigns a group to provide access to the resource and then the external source manages the group members.
Can users join groups without being assigned?
The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up the group to automatically accept all users that join or to require approval.
After a user requests to join a group, the request is forwarded to the group owner. If it’s required, the owner can approve the request and the user is notified of the group membership. If you have multiple owners and one of them disapproves, the user is notified, but isn’t added to the group.
B2B
B2B collaboration is a feature of Microsoft Entra External ID that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company’s applications and services with external users, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don’t have Microsoft Entra ID or an IT department.
Microsoft Entra External ID
Microsoft Entra External ID combines powerful solutions for working with people outside of your organization. With External ID capabilities, you can allow external identities to securely access your apps and resources.
When to use External ID
If you’re an organization or a developer creating consumer apps, use External ID to quickly add authentication and customer identity and access management (CIAM) to your application. Register your app, create customized sign-in experiences, and manage your app users in a Microsoft Entra tenant in an external configuration. This tenant is separate from your employees and organizational resources.
If you want to enable your employees to collaborate with business partners and guests, use External ID for B2B collaboration. Allow secure access to your enterprise apps through invitation or self-service sign-up. Determine the level of access guests have to the Microsoft Entra tenant that contains your employees and organizational resources, which is a tenant in a workforce configuration.
Self service with External ID
With External ID, customers can sign in with an identity they already have. You can customize and control how customers sign up and sign in when using your applications. Because these CIAM capabilities are built into External ID, you also benefit from Microsoft Entra platform features like enhanced security, compliance, and scalability.
External ID B2B collaboration
B2B collaboration allows your workforce to collaborate with external business partners. You can invite anyone to sign in to your Microsoft Entra organization using their own credentials so they can access the apps and resources you want to share with them. Use B2B collaboration when you need to let business guests access your Office 365 apps, software-as-a-service (SaaS) apps, and line-of-business applications. There are no credentials associated with business guests. Instead, they authenticate with their home organization or identity provider, and then your organization checks the user’s eligibility for guest collaboration.
What is a workforce Tenant?
A workforce tenant configuration is a standard Microsoft Entra tenant that contains your employees, internal business apps, and other organizational resources. In a workforce tenant, your internal users can collaborate with external business partners and guests using B2B collaboration.
External Tenant
An external tenant configuration is used exclusively for apps you want to publish to consumers or business customers. This distinct tenant follows the standard Microsoft Entra tenant model, but is configured for consumer scenarios. It contains your app registrations and a directory of consumer or customer accounts.
B2B direct connect
B2B direct connect lets you create two-way trust relationships with other Microsoft Entra organizations to enable the Teams Connect shared channels feature. This feature allows users to seamlessly sign in to Teams shared channels for chat, calls, file-sharing, and app-sharing. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Unlike B2B collaboration, B2B direct connect users aren’t added as guests to your workforce directory.
B2B direct connect features
A shared channel owner can search within Teams for allowed users from the external organization and add them to the shared channel.
External users can access the Teams shared channel without having to switch organizations or sign in with a different account. From within Teams, the external user can access files and apps through the Files tab. The shared channel’s policies determine the user’s access.
You use cross-tenant access settings to manage trust relationships with other Microsoft Entra organizations and define inbound and outbound policies for B2B direct connect.
Azure Active Directory B2C
Azure Active Directory B2C (Azure AD B2C) is Microsoft’s legacy solution for customer identity and access management. Azure AD B2C includes a separate consumer-based directory that you manage in the Azure portal through the Azure AD B2C service. Each Azure AD B2C tenant is separate and distinct from other Microsoft Entra ID and Azure AD B2C tenants. The Azure AD B2C portal experience is similar to Microsoft Entra ID, but there are key differences, such as the ability to customize your user journeys using the Identity Experience Framework.
Microsoft Entra Microsoft Graph API for B2B collaboration
Microsoft Graph APIs are available for creating and managing External ID features.
Cross-tenant access settings API: The Microsoft Graph cross-tenant access API lets you programmatically create the same B2B collaboration and B2B direct connect policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration. For example, you can allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and Microsoft Entra hybrid joined claims) from other Microsoft Entra organizations.
B2B collaboration invitation manager: The Microsoft Graph invitation manager API is available for building your own onboarding experiences for business guests. You can use the create invitation API to automatically send a customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.
Multi-tenant applications
A multitenant organization is an organization that has more than one instance of Microsoft Entra ID. There are various reasons for multi-tenancy. For example, your organization might span multiple clouds or geographical boundaries.
Multitenant organizations use a one-way synchronization service in Microsoft Entra ID, called cross-tenant synchronization. Cross-tenant synchronization enables seamless collaboration for a multitenant organization. It improves user experience and ensures that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant.
Cross-tenant synchronization settings are configured under the Organization-specific access settings. To learn more about multitenant organizations and cross-tenant synchronization see the multitenant organizations documentation and the feature comparison.
Microsoft Entra Connect
Microsoft Entra Connect is an on-premises Microsoft application that’s designed to meet and accomplish your hybrid identity goals (on-premises deployment).
Microsoft Entra Connect features
Password hash synchronization - A sign-in method that synchronizes a hash of a user's on-premises AD password with Microsoft Entra ID.
Pass-through authentication - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
Federation integration - Federation is an optional part of Microsoft Entra Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
Synchronization - Responsible for creating users, groups, and other objects, as well as making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.
Health Monitoring - Microsoft Entra Connect Health can provide robust monitoring and provide a central location in the Microsoft Entra admin center to view this activity.
Password hash synchronization
Password hash synchronization - A sign-in method that synchronizes a hash of a user's on-premises AD password with Microsoft Entra ID.
Federation
Federation is an optional part of Microsoft Entra Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
Pass-through authentication
A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
Synchronization
Responsible for creating users, groups, and other objects, as well as making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.
What is Microsoft Entra Connect Health?
Microsoft Entra Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.
Why use Microsoft Entra Connect?
Integrating your on-premises directories with Microsoft Entra ID makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. Users and organizations can take advantage of:
Users can use a single identity to access on-premises applications and cloud services such as Microsoft 365.
Single tool to provide an easy deployment experience for synchronization and sign-in.
Provides the newest capabilities for your scenarios.
Why use Microsoft Entra Connect Health?
When authenticating with Microsoft Entra ID, your users are more productive because there’s a common identity to access both cloud and on-premises resources. Ensuring the environment is reliable, so that users can access these resources, becomes a challenge. Microsoft Entra Connect Health helps monitor and gain insights into your on-premises identity infrastructure thus ensuring the reliability of this environment. It is as simple as installing an agent on each of your on-premises identity servers.
Microsoft Entra Cloud Sync
Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. However, it can be used alongside Microsoft Entra Connect Sync and it provides the following benefits:
How is Microsoft Entra Cloud Sync different from Microsoft Entra Connect Sync?
With Microsoft Entra Cloud Sync, provisioning from AD to Microsoft Entra ID is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Microsoft Entra ID and AD. The provisioning configuration is stored in Microsoft Entra ID and managed as part of the service.
Authentication Methods
Cloud authentication
Federated Authentication
Cloud authentication
Microsoft Entra password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. Users can use the same username and password that they use on-premises without having to deploy any other infrastructure. Some premium features of Microsoft Entra ID, like Identity Protection and Microsoft Entra Domain Services, require password hash synchronization, no matter which authentication method you choose.
Microsoft Entra pass-through authentication. Provides a simple password validation for Microsoft Entra authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn’t happen in the cloud.
Password hash synchronization
The Active Directory domain service stores passwords in the form of a hash value representation of the actual user password. A hash value is the result of a one-way mathematical function (the hashing algorithm). There’s no method to revert the result of a one-way function to the plain text version of a password.
Microsoft Entra pass-through authentication
Microsoft Entra pass-through authentication. Provides a simple password validation for Microsoft Entra authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn’t happen in the cloud.
Implement multifactor authentication
Multifactor authentication is a process in which a user is prompted for additional forms of identification during a sign-in event. For example, the prompt could be to enter a code on their cellphone or to provide a fingerprint scan. When you require a second form of identification, security is increased because this additional factor isn’t easy for an attacker to obtain or duplicate.
OATH tokens
Microsoft Entra ID supports the use of OATH TOTP (Time-based One Time Password) SHA-1 tokens that refresh codes every 30 or 60 seconds. You can purchase these tokens from the vendor of your choice.
OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token. You need to input these keys into Microsoft Entra ID as described in the following steps. Secret keys are limited to 128 characters, which might not be compatible with all tokens. The secret key can contain only the characters a-z or A-Z and digits 1-7. It must be encoded in Base32.
Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Microsoft Entra ID in the software token setup flow.
OATH hardware tokens are supported as part of a public preview.
After you acquire tokens, you need to upload them in a comma-separated values (CSV) file format. Include the User Principal Name (UPN), serial number, secret key, time interval, manufacturer, and model.
Kerberos authentication
Kerberos is an authentication protocol that is used to verify the identity of a user or host. This topic contains information about Kerberos authentication in Windows Server 2012 and Windows 8.
Kerberos and Windows
The Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication, transporting authorization data, and delegation. The Kerberos authentication client is implemented as a security support provider (SSP), and it can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture.
The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services that run on the domain controller. The KDC uses the domain’s Active Directory Domain Services database as its security account database. Active Directory Domain Services is required for default Kerberos implementations within the domain or forest.
What is delegated authentication - a benefit of Kerberos?
Services that run on Windows operating systems can impersonate a client computer when accessing resources on the client’s behalf. In many cases, a service can complete its work for the client by accessing resources on the local computer. When a client computer authenticates to the service, New Technology Local Area Network Manager (NTLM) and Kerberos protocol provide the authorization information that a service needs to impersonate the client computer locally. However, some distributed applications are designed so that a front-end service must use the client computer’s identity when it connects to back-end services on other computers. Kerberos authentication supports a delegation mechanism that enables a service to act on behalf of its client when connecting to other services.
Practical applications of Kerberos
Single sign on.
Using Kerberos authentication within a domain or in a forest allows the user or service access to resources permitted by administrators without multiple requests for credentials. After initial domain sign on through Winlogon, Kerberos manages the credentials throughout the forest whenever access to resources is attempted.
Interoperability.
The implementation of the Kerberos V5 protocol by Microsoft is based on standards-track specifications that are recommended to the Internet Engineering Task Force (IETF). As a result, in Windows operating systems, the Kerberos protocol lays a foundation for interoperability with other networks in which the Kerberos protocol is used for authentication. In addition, Microsoft publishes Windows Protocols documentation for implementing the Kerberos protocol. The documentation contains the technical requirements, limitations, dependencies, and Windows-specific protocol behavior for Microsoft’s implementation of the Kerberos protocol.
More efficient authentication to servers.
Before Kerberos, NTLM authentication could be used, which requires an application server to connect to a domain controller to authenticate every client computer or service. With the Kerberos protocol, renewable session tickets replace pass-through authentication. The server is not required to go to a domain controller (unless it needs to validate a Privilege Attribute Certificate (PAC)). Instead, the server can authenticate the client computer by examining credentials presented by the client. Client computers can obtain credentials for a particular server once and then reuse those credentials throughout a network logon session.
Mutual authentication.
By using the Kerberos protocol, a party at either end of a network connection can verify that the party on the other end is the entity it claims to be. NTLM does not enable clients to verify a server’s identity or enable one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos protocol makes no such assumption.
New Technology Local Area Network Manager (NTLM)
NTLM authentication is a family of authentication protocols that are encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager version 1 and 2, and NTLM version 1 and 2. The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server must take one of the following actions to verify the identity of a computer or user whenever a new access token is needed:
Contact a domain authentication service on the domain controller for the computer’s or user’s account domain, if the account is a domain account.
Look up the computer’s or user’s account in the local account database, if the account is a local account.
Where is NTLM still used?
NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.
Passwordless authentication
Each organization has different needs when it comes to authentication. Microsoft Azure and Azure Government offer the following four passwordless authentication options that integrate with Microsoft Entra ID:
Windows Hello for Business
Microsoft Authenticator
Passkeys FIDO2 (Fast IDentity Online 2)
Certificate-based authentication
Windows Hello for Business
Windows Hello for Business is ideal for information workers that have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user’s PC, which prevents access from anyone other than the owner. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.
Microsoft Authenticator
You can also allow your employee’s phone to become a passwordless authentication method. You may already be using the Authenticator app as a convenient multifactor
Passkeys (FIDO2)
The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.
FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.
Users can register and then select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC. With a hardware device that handles the authentication, the security of an account is increased as there’s no password that could be exposed or guessed.
Passwordless authentication options
Microsoft offers the following three passwordless authentication options that integrate with Microsoft Entra ID:
Microsoft Authenticator - turns any iOS or Android phone into a strong, passwordless credential by allowing users to sign into any platform or browser.
FIDO2-compliant security keys - useful for users who sign in to shared machines like kiosks, in situations where use of phones is restricted, and for highly privileged identities.
Windows Hello for Business - best for users on their dedicated Windows computers.
Microsoft Entra Password Protection Design Principle
Domain controllers (DCs) never have to communicate directly with the internet.
No new network ports are opened on DCs.
No Microsoft Entra Domain Services schema changes are required. The software uses the existing Microsoft Entra domain container and serviceConnectionPoint schema objects.
Any supported Microsoft Entra Domain Services domain or forest functional level can be used.
The software doesn’t create or require accounts in the Microsoft Entra Domain Services domains that it protects.
User clear-text passwords never leave the domain controller, either during password validation operations or at any other time.
The software isn’t dependent on other Microsoft Entra features. For example, Microsoft Entra password hash sync (PHS) isn’t related or required for Microsoft Entra Password Protection.
Incremental deployment is supported; however, the password policy is only enforced where the Domain Controller Agent (DC Agent) is installed.
What is SSO?
Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn’t have to sign in to every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials.