AZ-900 2.1: Azure Identity, Authentication, and Authorization (Study Guide) Flashcards

1
Q

What is the primary function of identity in a digital environment?

A

The primary function of identity is to uniquely identify a digital object, stating “this is who or what I am.” It’s the starting point for defining what something is within a digital environment, whether it’s a user, device, or service.

2.2.1

2
Q

Explain the difference between authentication and authorization.

A

Authentication validates an identity, proving that a user or object is who or what they claim to be. Authorization, on the other hand, determines what that validated identity is allowed to do or access within a system, providing a defined scope of privileges.

2.2.1

3
Q

Provide an example of authentication in the physical world, different from those in the source material, and explain how it proves identity.

A

A library card is a form of authentication. It proves your identity as a registered member of the library, allowing you to borrow books and access other library resources.

2.2.1

4
Q

Describe how authorization can be limited in terms of time, location, or resource.

A

Authorization can be limited by granting access to a resource only during specific hours, to a particular geographic location, or to a restricted set of data or functions within an application.

2.2.1

5
Q

Give an example of how a single object, like a keycard, can be used for both physical and digital authorization.

A

A keycard can grant physical access to a building and simultaneously authorize access to specific network resources or applications when swiped at a designated reader connected to a digital system.

2.2.1

6
Q

What is the role of Azure Active Directory (Microsoft Entra ID) in the Azure environment?

A

Azure Active Directory (Microsoft Entra ID) provides identity, authentication, and authorization services for Azure resources, third-party applications, and cloud services, allowing for centralized management of access control.

2.2.1

7
Q

Why are all three components – identity, authentication, and authorization – necessary for effective digital environment management?

A

Identity, authentication, and authorization are all needed to administer any digital environment effectively: identity establishes who or what is requesting access, authentication verifies that claim, and authorization ensures the requester only has access to the resources they are permitted to use.

2.2.1

8
Q

Explain how a passport serves as an identity example.

A

A passport serves as an identity example because it contains personal information and a photograph, both of which are used to establish and verify who you are. It states, “this is who I am” to border agents and other authorities.

2.2.1

9
Q

Why is a house key a form of authentication?

A

A house key is a form of authentication because it proves that you are the owner of a specific house or at least someone who is authorized to enter it. It validates your identity as someone who is meant to be there.

2.2.1

10
Q

How is a shared access signature (SAS) token an example of authorization?

A

A shared access signature (SAS) token is an example of authorization because it grants temporary and limited access to specific resources in Azure Storage, such as a blob or a queue. It scopes what you can do and where you can go.

2.2.1

11
Q

What is Microsoft Entra, and what is its relationship to Azure Active Directory?

A

Microsoft Entra is a product family encompassing expanded identity and access capabilities. Azure Active Directory (Azure AD) is a key component of Microsoft Entra, providing its identity and access management features.

2.2.2

12
Q

Explain the difference between Azure Active Directory and Active Directory.

A

Azure Active Directory (now Microsoft Entra ID) is a cloud-native solution using modern architecture, protocols, and methods. Active Directory is a legacy on-premises/data center solution using older technologies and protocols.

2.2.2

13
Q

Why was Azure Active Directory renamed to Microsoft Entra ID?

A

The renaming of Azure Active Directory to Microsoft Entra ID was done to help reduce confusion between the cloud-based Azure AD and the on-premises Active Directory.

2.2.2

14
Q

What are the minimum requirements for an Azure AD/Entra ID instance?

A

The minimum requirements for an Azure AD/Entra ID instance are that it is created automatically and mandatorily with every Azure account, and that at least one user is created with the initial instance.

2.2.2

15
Q

Describe what an Azure AD tenant is.

A

An Azure AD tenant represents an organization as a whole within Azure. It is a dedicated and completely separate instance of Azure AD/Entra ID for that specific organization.

2.2.2

16
Q

How many Azure AD/Entra ID tenants can a single user be a member or guest of?

A

A single user in Azure can be a member or a guest of up to 500 Azure AD/Microsoft Entra ID tenants.

2.2.2

17
Q

Explain the purpose of a subscription within the context of Azure and Azure AD.

A

A subscription is a billing entity within Azure that groups resources together for cost tracking and management. All resources within a subscription are billed together.

2.2.2

18
Q

What happens if a subscription in Azure is not paid?

A

If a subscription in Azure is not paid, all the resources and services associated with that subscription will stop functioning.

2.2.2

19
Q

How can Entra ID help manage users in a hybrid cloud environment?

A

Entra ID can connect to an on-premises Active Directory, enabling the same identities (users) to access both on-premises and Azure cloud resources, thus managing users in a hybrid cloud environment.

2.2.2

20
Q

Explain the difference between Microsoft Entra and Microsoft Entra ID.

A

Microsoft Entra is the name of the product family. Microsoft Entra ID is the service that was formerly known as Azure Active Directory.

2.2.2

21
Q

What is the fundamental difference between a traditional trusted perimeter security model and a Zero Trust security model?

A

The traditional model assumes trust based on network location, while Zero Trust assumes no inherent trust and requires verification of every user and device.

2.2.4

22
Q

What are the main challenges associated with relying solely on a trusted perimeter model in today’s work environments?

A

The reliance on being inside the corporate network poses challenges for remote work, and a single point of entry can give a rogue user or malware broad access.

2.2.4

23
Q

Describe the core principle of Zero Trust and how it addresses the vulnerabilities of the traditional security model.

A

Zero Trust operates on the principle of “never trust, always verify,” requiring authentication and authorization for every user and device regardless of location.

2.2.4

24
Q

What does “least privileged access” mean in the context of Zero Trust security?

A

Least privileged access means granting users only the minimum necessary permissions to perform their specific job functions, limiting the potential damage from compromised accounts.

2.2.4

25
Q

Why is centralized management considered a key component of a Zero Trust architecture?

A

Centralized management streamlines the enforcement of security policies across all users and devices, ensuring consistent application of Zero Trust principles.

2.2.4

26
Q

Explain how Zero Trust shifts the focus from network location to user identity in granting access.

A

Zero Trust prioritizes verifying user identity and device posture over network location, granting access based on authentication and authorization rather than network trust.

2.2.4

27
Q

How does Zero Trust facilitate secure access for remote workers without relying solely on VPNs?

A

Zero Trust allows remote workers to access resources by authenticating with their identity rather than by being connected over a VPN.

2.2.4

28
Q

What is conditional access, and how does it contribute to the effectiveness of a Zero Trust implementation?

A

Conditional access allows access only from approved, managed devices and provides centrally controlled access.

2.2.4

29
Q

How can Zero Trust help protect corporate assets on a mobile device in the event of a security breach or if the device is lost or stolen?

A

Zero Trust enables remote asset management, allowing administrators to remove corporate data from compromised devices without affecting personal information.

2.2.4

30
Q

Explain how Zero Trust can be independent of network location.

A

A device can be approved and authenticated without being on a specific network, which allows access to those who need it independent of network location.

2.2.4

31
Q

What are the three categories of authentication factors used in MFA?

A

The three categories are “something you know” (like a password), “something you have” (like a phone or security key), and “something you are” (like a biometric). MFA requires combining at least two of these for authentication.

2.2.5

32
Q

Why is MFA considered a form of layered security?

A

MFA adds an extra layer of security because even if one factor is compromised (e.g., a password is stolen), the attacker still needs to bypass the other factor(s) to gain access. This significantly reduces the risk of unauthorized access.

2.2.5

33
Q

Describe a common example of MFA in everyday online activity.

A

A common example is logging into a website or app. After entering your username and password, a code is sent to your phone via text message or an authenticator app, which you then enter to complete the login process.

2.2.5

34
Q

What is the “something you know” component in the MFA model?

A

The “something you know” component refers to information that only the user should know, such as a password, PIN, or security question answer. This factor aims to verify the user’s identity based on their secret knowledge.

2.2.5

35
Q

What role does a smartphone typically play in MFA?

A

A smartphone often serves as the “something you have” factor in MFA. It receives codes through SMS or authenticator apps, which the user then enters to verify their identity after entering their password.

2.2.5

36
Q

Explain how MFA helps protect against unauthorized access to accounts.

A

MFA protects accounts by requiring multiple independent forms of verification. If an attacker gains access to one factor, such as a password, they still need to overcome the other factors (like a code sent to a phone) to successfully log in.

2.2.5

37
Q

Why is MFA becoming increasingly common?

A

MFA is becoming increasingly common because it significantly improves security against various cyber threats, such as phishing attacks and password breaches, so many businesses and websites are adopting it as a standard security measure.

2.2.5

38
Q

How many authentication factors are required for something to be considered MFA?

A

MFA requires at least two different authentication factors from the categories of “something you know, something you have, and/or something you are.” This combination strengthens the security of the user’s identity.

2.2.5

39
Q

Describe the relationship between authentication and identity in the context of MFA.

A

In MFA, authentication is the process of verifying a user’s identity through multiple factors. Identity is what is being protected by this verification process, ensuring only authorized users can access sensitive information.

2.2.5

40
Q

What is a password authenticator and how does it work?

A

A password authenticator is an application that generates unique, time-based codes used as an additional authentication factor. These codes serve as the “something you have” factor that verifies the user’s identity.

2.2.5

41
Q

What is Conditional Access and how does it enhance security?

A

Conditional Access is a feature in Azure AD that controls access to applications based on specific conditions. It enhances security by implementing rules that permit or deny access depending on whether the rules are met.

2.2.6

42
Q

Explain the “if/then” logic behind Conditional Access policies.

A

Conditional Access policies operate on an “if/then” basis: “If” a user meets certain conditions (signals), “then” grant or block access to specified resources. This allows administrators to define granular access control rules.

2.2.6

43
Q

Give three examples of conditions (signals) that can be used in a Conditional Access policy.

A

Examples of conditions include user identity (e.g., all administrators), location (e.g., within the United States), and device state (e.g., organization-managed device). These signals trigger the access decision.

2.2.6

44
Q

Why is Conditional Access often paired with Multi-Factor Authentication (MFA)?

A

Conditional Access is often paired with MFA to provide a layered security approach. It ensures that even if a user’s password is compromised, access to sensitive resources is still protected by requiring a second authentication factor.

2.2.6

45
Q

Explain why blocking legacy authentication protocols is a common use case for Conditional Access.

A

Legacy authentication protocols often lack modern security features and are vulnerable to attacks. Conditional Access can be used to block these protocols, forcing users to adopt more secure authentication methods.

2.2.6

46
Q

How can Conditional Access be used to restrict access based on location?

A

Conditional Access can restrict access based on location by evaluating the IP address of the user’s connection. This allows administrators to limit access to specific applications to only users within defined geographic regions.

2.2.6

47
Q

What are organization-managed devices, and how can Conditional Access leverage them?

A

Organization-managed devices are those enrolled and controlled by an organization, offering enhanced security and compliance. Conditional Access can require that users access certain applications only from these managed devices.

2.2.6

48
Q

What is an access decision and how does it relate to the conditions set in the Conditional Access policy?

A

An access decision is the outcome of a Conditional Access policy, determining whether a user is granted access to a resource or blocked from it. It is directly determined by whether the conditions defined in the policy are met.

2.2.6

49
Q

Describe a scenario where you would enforce MFA for all administrators using Conditional Access.

A

A common scenario is requiring MFA for all administrators to protect privileged accounts from unauthorized access. If an administrator attempts to log in, the Conditional Access policy will trigger MFA, adding an extra layer of security.

2.2.6

50
Q

What does modern best practice encourage concerning the use of conditional access?

A

Modern best practice encourages the use of Conditional Access to further improve security, and the use of it to require multi-factor authentication.

2.2.6

51
Q

What is the central conflict that passwordless authentication seeks to address?

A

The central conflict that passwordless authentication seeks to address is the tension between security and convenience. Traditional methods like passwords offer convenience but are often weak in security, while multi-factor authentication enhances security but can be inconvenient for users.

2.2.7

52
Q

Why are traditional passwords considered a weak security measure?

A

Traditional passwords are considered a weak security measure because they are often not stored securely and can be transmitted insecurely. They are also susceptible to being guessed, stolen, or phished, making them a vulnerable point of entry for unauthorized access.

2.2.7

53
Q

How does multi-factor authentication (MFA) improve security, and what is its primary drawback?

A

Multi-factor authentication improves security by requiring a secondary piece of verification, such as something you have or something you are, in addition to the password. However, this added security layer can be less convenient and potentially frustrating for users, especially if it introduces additional steps or technical issues.

2.2.7

54
Q

Explain how passwordless authentication utilizes the “something you have, something you are, or something you know” principle.

A

Passwordless authentication removes the password requirement and replaces it with a combination of factors like “something you have” (e.g., a phone or security key) and “something you are” (e.g., biometrics like a fingerprint or face scan) or “something you know” (e.g., a PIN). This approach leverages the principles of MFA without the user having to remember and enter a password.

2.2.7

55
Q

Describe the function of the Microsoft Authenticator app in passwordless authentication.

A

The Microsoft Authenticator app serves as a multi-factor authentication tool that allows users to configure and authenticate various accounts using biometrics or a PIN. It integrates with services like Azure AD, Microsoft accounts, and others, providing a seamless and secure way to confirm authentication requests.

2.2.7

56
Q

What is Windows Hello, and how does it contribute to passwordless login?

A

Windows Hello is a biometric authentication system built into Windows that allows users to log in using facial recognition or fingerprint scanning. This eliminates the need for a password, making the login process both more secure and more convenient.

2.2.7

57
Q

What are FIDO2 security keys, and how do they enhance security?

A

FIDO2 security keys are hardware devices that are plugged into a computer to serve as a secondary authentication factor. Some FIDO2 keys even allow users to program a fingerprint directly into the key itself, providing an additional layer of security.

2.2.7

58
Q

Outline the typical steps in a passwordless login scenario using the Microsoft Authenticator app.

A

A typical passwordless login scenario using the Microsoft Authenticator app involves entering the username, followed by a prompt to check the Authenticator app. The user then authenticates using biometrics or a PIN on their phone and confirms a numerical challenge within the app, completing the login process.

2.2.7

59
Q

How does passwordless authentication balance speed and security during the login process?

A

Passwordless authentication is designed to be quick for authorized users because it automates the authentication process through biometrics or PINs, which are fast and seamless. It enhances security by making it extremely difficult for unauthorized individuals who do not possess the user’s device or biometric data to gain access.

2.2.7

60
Q

How can MFA and passwordless authentication be implemented simultaneously to improve login security?

A

MFA and passwordless authentication can be implemented simultaneously to create a login experience that is both secure and convenient. By replacing the traditional password with something you have or something you are, the system retains robust security checks through MFA while reducing user inconvenience.

2.2.7

61
Q

What is the primary challenge that Azure external guest access aims to solve?

A

The primary challenge is how to interact with external users (consultants, customers) in a streamlined Azure or Entra ID configuration. External guest access seeks to provide a secure and manageable way for external users to access organizational resources.

2.2.8

62
Q

What are two potential solutions for interacting with external users, and what are the drawbacks of each?

A

One solution is to give new IDs to every external user, which requires them to juggle multiple accounts and increases internal IAM complexity. Another solution is to use the external user’s current IDs, but this approach can be difficult to manage across different types of external users (customers vs. consultants).

2.2.8

63
Q

What are the two primary Microsoft solutions for managing external identities and how do they differ in purpose?

A

The two primary solutions are Entra External ID for partners (formerly Azure AD B2B) and Entra External ID for customers (formerly Azure AD B2C). Entra External ID for partners is designed for interacting with internal resources, while Entra External ID for customers is designed for interacting with externally-facing resources like applications and websites.

2.2.8

64
Q

How does Entra External ID for partners work?

A

With Entra External ID for partners, the organization initiates an invitation to the external user’s existing ID, which is with another service provider. The external user accepts, and a new user object is created inside the organization based on that external ID.

2.2.8

65
Q

How does Entra External ID for customers work?

A

With Entra External ID for customers, the external user already has an ID with another service or provider and they continue to use it. When accessing resources, they are given the option to simply use that external existing ID.

2.2.8

66
Q

What are the steps involved in adding a guest user to an Azure environment?

A

The steps involved in adding a guest user include inviting a variety of account types and identity providers, assigning permissions based on the principle of least privilege, and optionally assigning the guest user to an application. Cross-tenant Conditional Access policies can also be applied.

2.2.8

67
Q

What is the principle of least privilege, and why is it important when assigning permissions to guest accounts?

A

The principle of least privilege is the practice of granting users only the minimum level of access required to perform their job functions. It’s important because it limits the potential damage that a compromised guest account can cause.

2.2.8

68
Q

What can be accomplished by using Conditional Access policies with guest users?

A

With Conditional Access policies, guest users can be required to use multi-factor authentication (MFA) or access resources from approved managed devices. This adds an extra layer of security, ensuring that guest users meet specific security requirements before accessing sensitive data or applications.

2.2.8

69
Q

Summarize the steps involved in inviting an external consultant to collaborate within an Azure tenant.

A

To invite an external consultant, you need to configure the identity provider (if it’s not already a Microsoft one) and invite the external party. After the guest user accepts the invitation, you assign permissions, assign apps (optional), and apply a Conditional Access Policy (optional).

2.2.8

70
Q

How does external guest access enhance security within an organization?

A

External guest access enhances security by enabling security outside organizational boundaries and providing visibility of external guest activity within IT borders. B2B access provides a federated level of trust for tenants, while B2C access allows for improved integration with customer systems.

2.2.8

71
Q

What are some limitations of Entra ID that might lead an organization to consider using Azure AD DS?

A

Entra ID may not support legacy authentication protocols like Kerberos, NTLM, or LDAP that some older applications require. Organizations might also need features like Group Policy which are not natively available in Entra ID.

2.2.9

72
Q

Name three legacy authentication protocols that Azure AD DS supports, but that Entra ID does not natively support.

A

Group Policy, LDAP (Lightweight Directory Access Protocol), NTLM (NT LAN Manager), and Kerberos.

2.2.9

73
Q

Describe two alternative solutions to Azure AD DS that organizations might use to integrate legacy applications with Azure.

A

Organizations can continue using on-premises Active Directory with Azure AD Connect to sync identities, or they can configure and manage their own Active Directory server on an Azure VM (self-managed AD DS).

2.2.9

74
Q

What does “lift and shift” mean in the context of migrating applications to Azure, and how does Azure AD DS facilitate this process?

A

“Lift and shift” refers to moving existing applications to Azure VMs without significant code changes. Azure AD DS provides the legacy authentication environment these applications need, allowing them to function in Azure.

2.2.9

75
Q

Explain why Azure AD DS is considered a “managed service” and what benefits this provides to the user.

A

Azure AD DS is a “managed service” because Microsoft handles the underlying infrastructure, OS configuration, and maintenance of the domain controllers. This reduces the administrative overhead for the user.

2.2.9

76
Q

What are some features of an Azure AD DS instance when it is created?

A

An Azure AD DS instance has a unique namespace (like aadds-company.com), is a standalone domain separate from on-premises AD, and includes two Windows domain controllers for high availability.

2.2.9

77
Q

How does the synchronization work between Entra ID and Azure AD DS? Is it one-way or bidirectional?

A

Synchronization between Entra ID and Azure AD DS is one-way, from Entra ID to Azure AD DS. Entra ID may also have a bidirectional sync with an on-premises Active Directory.

2.2.9

78
Q

Explain why an organization might choose to use Azure AD DS instead of managing their own Active Directory server on an Azure VM.

A

Azure AD DS eliminates the need to manage the operating system, virtual machines, and underlying infrastructure of Active Directory. It provides a simpler, more cost-effective solution for organizations without the resources to manage their own AD environment.

2.2.9

79
Q

What is an example of an Azure AD DS namespace?

A

An example of an Azure AD DS namespace is aadds-company.com. This should be unique for each AD DS instance.

2.2.9

80
Q

Summarize the primary use case for Azure AD DS in the context of legacy applications and cloud migration.

A

The primary use case for Azure AD DS is to provide a managed, cloud-hosted Active Directory environment for legacy applications that don’t support modern authentication protocols, facilitating their migration to Azure.

2.2.9

81
Q

What is the fundamental purpose of Azure Role-Based Access Control (RBAC)?

A

Azure RBAC controls access to resources and services by assigning roles to users, devices, applications, or services, ensuring that only authorized entities can perform specific actions. This approach enhances security and simplifies access management.

2.2.10

82
Q

What are the two primary types of roles available in Azure RBAC? Briefly describe each.

A

The two primary types are built-in roles and custom roles. Built-in roles offer predefined sets of permissions for common use cases, such as Owner, Contributor, and Reader. Custom roles are designed for specific scenarios and provide granular control over permissions.

2.2.10

83
Q

Why is the concept of “scope” so important when assigning roles in Azure?

A

Scope is important because it determines the resources to which a role assignment applies. Properly scoping roles ensures that users only have the permissions necessary for specific tasks on specific resources, minimizing the risk of accidental or malicious misuse.

2.2.10

84
Q

Explain the principle of inheritance in the context of Azure RBAC.

A

Inheritance allows permissions to be propagated down a hierarchy. Instead of assigning the same role to multiple users, a group can be created, and the role assigned to the group. Then individual users can be added to the group to inherit the correct role.

2.2.10

85
Q

How does using groups for role assignments contribute to efficiency in Azure RBAC?

A

Using groups to assign roles streamlines access management by allowing permissions to be managed at the group level rather than individually. This reduces administrative overhead and ensures consistent access control across multiple users.

2.2.10

86
Q

What is the best practice of “least privilege” in Azure RBAC, and why is it important?

A

“Least privilege” means granting users only the minimum permissions required to perform their tasks. This practice limits the potential damage from compromised accounts or malicious insiders by restricting their access to only necessary resources.

2.2.10

87
Q

Why should organizations prefer built-in roles over custom roles when possible?

A

Built-in roles are preferred because they are pre-defined, thoroughly tested, and aligned with common Azure usage scenarios. Using built-in roles reduces the risk of errors in permission configurations and simplifies management.

2.2.10

88
Q

What are the potential consequences of “permission sprawl,” and how can it be avoided?

A

“Permission sprawl” occurs when roles are assigned too broadly, resulting in users having excessive access. It increases the risk of security breaches and makes it difficult to track and manage permissions effectively. Properly scoping roles helps to avoid this.

2.2.10

89
Q

Why is regular review, auditing, and documentation crucial for Azure RBAC?

A

Regular review, auditing, and documentation ensure that role assignments remain appropriate and aligned with current needs. It helps identify and correct any misconfigurations, permission creep, or outdated access rights.

2.2.10

90
Q

Explain how RBAC relates to controlling access to resources and services.

A

RBAC is the framework that allows you to specify what actions an identity (user, group, service principal, or managed identity) is authorized to perform on an Azure resource. You assign roles that define these actions, and these roles are applied within a defined scope, determining where those permissions are effective.

2.2.10

91
Q

What is the primary objective of a defense-in-depth strategy?

A

The primary objective of a defense-in-depth strategy is to protect information from unauthorized access and prevent it from being stolen. The goal is to mitigate or reduce unauthorized data access.

2.2.11

92
Q

Explain the castle analogy and how it relates to defense in depth.

A

The castle analogy represents layers of security with the “king” (data) at the center. Attackers must overcome multiple obstacles (moat, walls, guards) to reach the valuable asset.

2.2.11

93
Q

Why is user identity considered the “data to protect” in the context of identity-based defense in depth?

A

User identity is the “data to protect” because it represents the individual’s access rights and privileges. Compromising an identity grants unauthorized access to resources.

2.2.11

94
Q

Describe at least two layers of defense that can be used to protect a user’s identity.

A

Two layers of defense for user identity are a strong password and multi-factor authentication (MFA). MFA adds an extra layer by requiring something the user “has” in addition to what they “know.”

2.2.11

95
Q

What is Multi-Factor Authentication (MFA) and why is it an important security measure?

A

MFA requires users to provide multiple verification factors to gain access, such as a password and a code from a mobile app. It’s important because it significantly reduces the risk of unauthorized access, even if a password is compromised.

2.2.11

96
Q

What are Conditional Access policies and how do they enhance security?

A

Conditional Access policies enforce access controls based on conditions like location, device, or application. These policies enhance security by restricting access if specific criteria aren’t met.

2.2.11

97
Q

Why is passwordless authentication important?

A

Passwordless authentication strengthens the user’s identity. It removes the vulnerability that comes from passwords being easily compromised.

2.2.11

98
Q

How can defense in depth at the identity level play into application security?

A

Defense in depth at the identity level can control which users have access to specific applications and data within those applications. Properly managed identities ensure only authorized users can access sensitive resources.

2.2.11

99
Q

Explain why the user identity is important across different types of cloud services (SaaS, PaaS, and IaaS).

A

The user identity is used to access different services on the cloud. It’s crucial to protect the user identity across all of these services.

2.2.11

100
Q

How can the defense in depth strategy be extended to applications and network controls?

A

The defense in depth strategy can be extended by using policies to secure and manage access to applications and network controls. The strategy includes conditional access and multi-factor authentication.

2.2.11