Azure Active Directory Flashcards

1
Q

What is Azure AD?

A

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.

2
Q

What is Azure AD for?

A

Allowing an organization’s employees to sign in and access resources.

Those resources can be external (MS Office 365, Azure Portal, SaaS apps) or internal (apps on on-premises networks, on-prem workstations).

Azure AD also implements single sign-on (SSO).

3
Q

What are the Azure AD editions?

A

Free - includes MFA, SSO, Basic Security and usage reports, and User management.

Office 365 Apps - includes everything from Free plus self-service password reset and device write-back, which offers two-way sync between Azure AD and AD.

Premium P1 - includes everything from Free and O365 Apps plus dynamic groups, self-service group management, MS Identity Manager and cloud write-back capabilities, which allow self-service password reset for on-premises users.

Premium P2 - includes everything from Free, O365 and P1 plus Azure AD Identity Protection and Privileged Identity Management.

4
Q

What sources can Azure AD authenticate and authorize, and how?

A

On-premises AD using Azure AD Connect

Web applications using App registrations

Third-party identity providers (e.g. Facebook, Google) using External Identities

Microsoft 365 or Microsoft Azure by default.

5
Q

What is the difference between Azure AD and AD?

A

Active Directory (AD) is for on-premises and Azure AD is for cloud.

6
Q

What does an app registration do?

A

App registrations allow developers to integrate web apps with Azure AD to authenticate users and request access to user resources such as email, calendar and documents.

An app registration has a globally unique object that contains an ApplicationID (which represents the global app across all tenants) and an ObjectID (a unique value for the app object).

7
Q

What is SSO?

A

Single sign-on allows users to sign in once and have access to multiple apps and services.

8
Q

What do External Identities do?

A

It allows people outside an organization to access its apps and resources with their preferred identity (e.g. Facebook, Google).

9
Q

Why would you use external identities?

A

To share apps with external users (B2B collaboration)

Develop apps intended for other Azure AD tenants (single-tenant or multi-tenant)

Develop white-labelled apps for consumers and customers (Azure AD B2C)

10
Q

What are the two types of external identity?

A

Business to Business (B2B), which allows external businesses to authenticate with your app

Business to Customer (B2C), which allows customers to authenticate with your app.

11
Q

What is a service principal?

A

A security identity used by apps or services to access specific Azure resources.

12
Q

What can service principals define?

A

Who can access the app and what resources the app can access.

13
Q

When is a service principal created?

A

When a user in the tenant consents to the app’s or API’s use.

14
Q

What is a managed identity?

A

An identity to manage the credentials for authenticating a cloud app with an Azure service.

15
Q

Why would you use a managed identity?

A

To authenticate to any service that supports Azure AD authentication without storing credentials in code.

16
Q

What are the different types of managed identity?

A

System-assigned and user-assigned.

17
Q

What is a system-assigned identity?

A

A managed identity created by Azure. It is tied to the lifecycle of the resource it was created for, and is deleted when/if the resource is. It is only assigned to the resource it was created for.

18
Q

What is a user-assigned identity?

A

A managed identity created by an Azure user.

It’s a standalone identity that can be assigned to multiple resources. It must be explicitly deleted.

19
Q

What identities does Azure AD support?

A

Users - employees and guests
Groups - a collection of users with the same permissions
Service principals (Application) - an identity for an app
Managed Identities
Devices - an identity for a device with properties like who owns the device

20
Q

What is the difference between managed identities and service principals?

A

Service principals have to be manually configured, whilst managed identities do not.

Also, managed identities are NOT available for every Azure resource, but service principals are.

21
Q

Does Azure AD B2C work with M365 services?

A

No, it only works with custom applications.

22
Q

Are Azure AD B2C users kept in the same directory as B2B and regular users?

A

No, they’re kept in a different directory.

23
Q

What is a hybrid identity?

A

A hybrid identity is an on-premises AD identity that is synced with Azure AD.
Hybrid identities and authentication:
- The hybrid identity model allows users to access both on-premises and cloud apps; hybrid users are managed in the on-premises AD and then synchronised to Azure AD using Azure AD Connect.
- Authentication can be via password hash synchronization, pass-through authentication (PTA) or federated authentication.

24
Q

What is Azure AD Connect?

A

A tool that allows you to sync your on-premises AD with Azure AD.

25
Q

Can you make changes to a synced AD user in Azure AD?

A

No, hybrid users are read-only.

26
Q

What are the three ways of enabling hybrid identity?

A

Password hash synchronization
Pass-through authentication (PTA)
Federated authentication

27
Q

What is password hash synchronization?

A

Azure AD Connect synchronizes a hash of the hash of a user’s password from on-premises AD to Azure AD.

Azure AD can then authenticate users, allowing them to log in with the same username and password.

28
Q

Does password hash synchronization enable leaked credential detection for accounts?

A

Yes.

29
Q

What is PTA?

A

A method of authentication where you can log in with the same credentials, but your password is not stored in the cloud.

30
Q

How does PTA work?

A

A software agent on a user’s workstation validates a user’s credentials with Azure AD.

31
Q

What is Federated authentication?

A

A trust-based method of authentication. It allows Azure AD to delegate authentication to another system, most often Active Directory Federation Services (ADFS).

32
Q

What is SSPR?

A

Self-service password reset (SSPR) allows users to change/reset their password without admin/helpdesk involvement.

Benefits: it increases security, is more cost efficient and increases user productivity by turning resets around faster.

Self-service works for password change, password reset and account unlock.

SSPR authenticates via mobile app notification, mobile app code or email.

33
Q

What are the three advantages to SSPR?

A
  • Increased security - removes a layer that could be compromised
  • Saves money - reduces calls to IT
  • Increased productivity - locked-out users can reset their password and get back to work.
34
Q

What do you need to enable to allow SSPR?

A

If a user is enabled for SSPR, the user must specify another authentication method (mobile app notification or code, email, phone, security question).

At least one of the above must be enabled to use SSPR.

35
Q

What is Azure AD Password Protection?

A

Password protection is a feature in AAD that reduces the risk of users choosing weak passwords by blocking known weak passwords.

36
Q

Where does AAD Password Protection get its source of weak passwords from?

A

Global banned password list - a Microsoft-maintained list. It also checks for variants of weak passwords.

Custom banned password list - maintained by an organization. Usually includes passwords derived from company-specific terms. Also checks variants of listed passwords.

37
Q

Does AAD Password Protection use both lists?

A

Yes.

38
Q

True or False: AAD Password Protection doesn’t integrate with AD.

A

False. It applies the same protection, but does require a software agent on-prem to work.

39
Q

What are the four Azure identity types?

A

User - Employees and guests are represented as users in Azure AD
Service principal - A security identity used by applications or services to access specific Azure resources
Managed identity - Typically used to manage the credentials for authenticating a cloud application with an Azure service. Two types: system-assigned and user-assigned.
Device - A piece of hardware; device identities can be set up in different ways in Azure AD.

40
Q

What is conditional access?

A

Monitors user behaviours (signals) to drive security logic.
Conditional access signals can be user/group membership, named location, device, application, cloud apps/actions, user risk, etc. These signals drive access control logic to block or grant access.

41
Q

What is CRUD?

A

Create, read, update, delete

42
Q

What is Azure AD role based access control (RBAC)?

A

Provides granular access controls to give the minimum access required to perform a function.

43
Q

What is identity governance in Azure AD?

A

Tasks of Azure AD identity governance:

  • Govern the identity lifecycle
  • Govern the access lifecycle
  • Secure privileged access for administration

Identity lifecycle: join, move, leave

44
Q

What is Privileged Identity Management (PIM)?

A
45
Q

What is Azure AD Identity Protection?

A