Azure Active Directory Flashcards
What is Azure AD?
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.
What is Azure AD for?
Allowing an organization’s employees to sign in and access resources.
Those resources can be external (MS Office 365, Azure Portal, SaaS apps) or internal (apps on on-premises networks, on-prem workstations).
Azure AD also implements single sign-on (SSO).
What are the Azure AD editions?
Free - includes MFA, SSO, basic security and usage reports, and user management.
Office 365 Apps - includes everything from Free plus self-service password reset and device write-back, which offers two-way sync between Azure AD and AD.
Premium P1 - includes everything from Free and Office 365 Apps plus dynamic groups, self-service group management, MS Identity Manager and cloud write-back capabilities, which allow self-service password reset for on-premises users.
Premium P2 - includes everything from Free, O365 and P1 plus Azure AD Identity Protection and Privileged Identity Management.
What identity sources can Azure AD authenticate and authorize, and how?
On-premises AD using Azure AD Connect
Web applications using App registrations
Third-party identity providers (e.g. Facebook, Google) using External Identities
Microsoft 365 or Microsoft Azure by default.
What is the difference between Azure AD and AD?
Active Directory (AD) is for on-premises and Azure AD is for cloud.
What does an app registration do?
App registrations allow developers to integrate web apps with Azure AD to authenticate users and request access to user resources such as email, calendar and documents.
An app registration has a globally unique object that contains an ApplicationID (represents the global app across all tenants) and an ObjectID (a unique value for an app object).
What is SSO?
Single sign-on allows users to sign in once and have access to multiple apps and services.
What do External Identities do?
They allow people outside an organization to access its apps and resources with their preferred identity (e.g., Facebook, Google).
Why would you use external identities?
To share apps with external users (B2B collaboration)
Develop apps intended for other Azure AD tenants (single-tenant or multi-tenant)
Develop white-labelled apps for consumers and customers (Azure AD B2C)
What are the two types of external identity?
Business to Business (B2B) which allows external businesses to authenticate with your app
Business to Customer (B2C) which allows customers to authenticate with your app.
What is a service principal?
A security identity used by apps or services to access specific Azure resources.
What can service principals define?
Who can access the app and what resources the app can access.
When is a service principal created?
When a user in the tenant consents to the app’s or API’s use.
What is a managed identity?
An identity to manage the credentials for authenticating a cloud app with an Azure service.
Why would you use a managed identity?
To authenticate to any service that supports Azure AD authentication without storing credentials in code.
What are the different types of managed identity?
System-assigned and user-assigned.
What is a system-assigned identity?
A managed identity created by Azure. It is tied to the lifecycle of the resource it was created for, and is deleted when/if the resource is. It is only assigned to the resource it was created for.
What is a user-assigned identity?
A managed identity created by an Azure user.
It’s a standalone identity that can be assigned to multiple resources. It must be explicitly deleted.