Azure Entra ID Flashcards

1
Q

In Azure what are your options if RBAC does not have the permissions you require in a built-in role?

A

You can opt to create a custom role with the permissions you require.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How do you create a Custom role using the portal?

A

1: Log in to Azure Portal
2. Search Entra ID
3. Search in the side panel for roles and administrators
5: Create a custom role
6. Enter name and description
7. Select permissions
8. Create role

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

In Azure RBAC, in what ways are all permissions defined by default?

A

Deny, you have to give permissions explicitly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

In Azure RBAC, can we set to deny permissions explicitly?

A

Yes, when using the JSON, we can use notActions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What happens if a user has several roles with permission?

A

The use gets tall the permissions of all the roles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Are roles stored in the tennant they are created in?

A

Yes, they exist only in that tenant; if there is another tenant, the roles are not visible to the tenant.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Can you have custom roles for Azure Enntra ID

A

Yes, you cna have roles for Azure Entra ID

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Can you use Deny for Azure Entyra ID roles?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Using Azure Entra ID, I require the ability to automatically grant new users access to resources; how can I achieve this?

A

You can create a dynamic group and set the attribute that is used to have the dynamic group add the user to the group. Use the dynamic group as part of the role /permission assignment for a resource or resource group. The user will automatically be added to the dynamic group, inherit the role/permissions, and get permission to access the resource or resource group.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

In Azure Entra ID, can I add user devices and applications to a Dynamic group?

A

You can add users and devices but not applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is a dynamic group in Azure Entra ID?

A

It is a group thet uses attributes to decide to add users or devices to the group automatically. For example, the group can be used when assigning roles to access resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

I have an AD Domain on-prem running on a single server (domain controller). I want the domain users to be able to log on to the new Azure account (tenant) and access resources. I also wish to do the most minor work deploying and managing any solution. What solution best meets these requirements?

A

Use Azure Connect Cloud; this is a cloud-based solution thet is managed by Azure and will extend the on-prem into Azure Entra ID.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is hybrid identity when using Azure Entra ID?

A

It’s where you have identities in Azure and on-prem, and they are synced somehow.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Describe Azure Entra ID Cloud Sync.

A
  1. This Azure cloud-based solution syncs on-prem AD and Azure Entra.
  2. Lifht weight agent deployed on-prem and managed using Azure Cloud Sync. Azure Cloud Sync management components are hosted in the Azure cloud, managed by Microsoft Azure, and configured by you.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

I wnat to have a way to sync my on-prem AD with Azure Entra ID; I wnat the most minor management of infrastructure and software and always have the software up to date.

A

Azure Entra ID Cloud Sync is a PaaS service and continually updated automatically by Microsoft and is always up to date.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How can you centralize your organization’s identity when you have on-prem ADs from several organizations that were acquired?

A

Azure Cloud Sync enables the centralization of your identity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

I require a highly available method to sync my on-prem AD to Azure Entra ID. What is the best option, and why is it available?

A

Use Azure Sync Cloud with its ability to deploy multiple agents for highly available solutions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

I have 200K AD users on-prem and wnat to sync with Azure Entra ID; what are my best options?

A

When using Azure Cloud sync, there is a limit of 50K users, so deploy 4 instances and use OU filters for each instance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What type of sync is Azure Entra Clouyd Sync using?

A

It’s using password hash sync.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Can Azure Entra ID Connect Sync connect to multiple separate AD forests?

A

No Azure Entra ID Connect Sync does not support this; use Azure Entra ID Cloud Sync.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Can Azure Entra ID Connect Sync connect to multiple active agents?

A

No Azure Entra ID Connect Sync does not support this; use Azure Entra ID Cloud Sync.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Does Azure Entra Coud Sync support passthrough?

A

No, Entra ID Cloud Sync does not. You can use the older Azure Entra ID Connect Passthrough, but Azure Entra Cloud Sybnnc is the preferred method, so relook at if passthrough is required.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is a Disconnected Forest about AD?

A

This is a forest that is not connected with other forest.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Can Azure Cloud Sync deal with connected forests? Explain.

A

No, but Azure Entra ID Connect ID can.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

The user is on the corporate network and logged in on their local device. The corporate AD is synced with Azure Enntra ID using a hashed password. Will the user be automatically logged in if they go to the Azure portal?

A

If seamless single sign-on (SSO) is enabled alongside password hash synchronization, users will not need to enter their passwords when signing into Azure services from domain-joined devices connected to the corporate network. In this scenario, Azure Entra ID recognizes the user from their on-premises credentials and automatically signs them in without requiring a password.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

The user is on the corporate network and logged in on their local device. The corporate AD is synced with Azure Enntra ID using a password passthrough. Will the user be automatically logged in if they go to the Azure portal?

A

If seamless single sign-on (SSO) is enabled alongside password hash synchronization, users will not need to enter their passwords when signing into Azure services from domain-joined devices connected to the corporate network. In this scenario, Azure Entra ID recognizes the user from their on-premises credentials and automatically signs them in without requiring a password.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

What is a device identity?

A

Device identity is an object in Microsoft Entra ID, similar to users, groups, or applications. It gives administrators information they can use when making access or configuration decisions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

How can I place requirements on a device, such as Authentication strength, password change, etc., using Azure Entra ID?

A

Conditional Access Policy (device-based), using the policy, you can grant or deny access based on may different situations.

29
Q

What is application management in Azure Entra DI?

A

Application management in Microsoft Entra ID is the process of creating, configuring, managing, and monitoring applications in the cloud.

30
Q

What is the first task you have to perform in Azure Entra ID to have Azure Entra UID manage an application?

A

Register the application with Azure Entra ID. When an application is registered in a Microsoft Entra tenant, users who are already assigned to it can securely access it.

31
Q

When registering an app with Azure Entra ID, what information is collected?

A
  1. An Application (client) ID that uniquely identifies your app
  2. A Redirect URI that you can use to direct responses back to your app
  3. A few other scenario-specific values, such as supported account types
32
Q

What types of Apps are supported by Azure Entra ID?

A
  1. Single-page app (SPA)
  2. Web app
  3. Web API
  4. Mobile and native apps
  5. Service, daemon, script
33
Q

How can I configure and use Azure Entra ID OAuth with an application?

A
  1. Register the app with Azure Entra ID Applications
  2. Configure the redirect URL
  3. Save client_id and tennand_id
  4. Grant Permissions to the API (Graph or other) (Delegated or Application)
  5. Implement OAuth in your application using the client_id and tennant_id
34
Q

What are Delegated permissions, and where are they used in Azure Entra ID?

A

It is used in Azure Entra ID Application when registering an application, it defines the application will be acting on behalf of the user

35
Q

What are Application permissions, and where are they used in Azure Entra ID?

A

It is used in the Azure Entra ID Application when registering an application; it defines the application on its own behalf.

36
Q

Explain the OAuth 2.0 siungle sign-on for an application registered with Azure Entra ID?

A
  1. User sign on with /OAuth/authorize with Azure Entra ID
    2 Auth token returned
  2. Request bearer token supplying auth token form /OAuth/token
  3. Return access token
  4. Use an access token to call API
37
Q

Where is SAML used with Azure Entra ID?

A
  1. Used for web app single sign-on
  2. Used for on-prem SSO for the cloud
  3. Used for external organizations to be federated and users to access cloud resources.
  4. Used for legacy applications to access cloud resources
38
Q

Explain what Azure Entra Entitlement Manage is for applications.

A

Entitlement Management in Azure Entra ID automates user access to resources through access packages, approval workflows, and periodic access reviews. It enables self-service access requests and simplifies managing internal and external user permissions. This helps enforce least privilege, improve security, and reduce administrative overhead.

39
Q

When using Azyre Sync, is data synced in both directions?

A

No, only from AD to Azure Entra ID.

40
Q

When would you use an access token?

A

When you want to call API for resources

41
Q

When would you use a refresh token?

A

When you want to renew the access token.

42
Q

Explain SCIM (System for Cross-domain Identity Management)?

A

SCIM is a standardized protocol that allows interoperability between identity providers (like Azure Entra ID) and third-party applications or services.

You can use it to provision and de-provision users in SaaS applications like Databricks.

It was developed by the Internet Engineering Task Force (IETF) and is defined in the SCIM 2.0 specification (RFC 7643 and RFC 7644). SCIM is designed to manage identity data in a standardized way and is a standardized protocol. It was developed by the Internet Engineering Task Force (IETF) and is defined in the SCIM 2.0 specification (RFC 7643 and RFC 7644). SCIM is designed to manage identity data in a standardized way, allowing interoperability between identity providers (like Azure Entra ID) and third-party applications or services.

43
Q

Give me three use cases for using SCIM?

A

User Account Provisioning: When a new employee joins the organization, Azure SCIM automatically creates accounts in cloud services like SaaS applications (e.g., Salesforce, ServiceNow).

Group Management: Automatically assigns users to specific groups based on their roles or departments.

User Deactivation: When employees leave the organization, SCIM deactivates or deletes their accounts across all integrated services to ensure proper access management.

44
Q

What is Entra Pricve Access?

A

This edge service thet enables users (laptops, mobile devices, etc.) to connect to the Azure edge node, where the connection will be authenticated again with the entry id, and the device will have an agent deployed to it.

45
Q

Describe what Azure Entra App Proxy is?

A

Azure Entra ID App Proxy allows secure remote access to on-premises web applications by routing traffic through the cloud without needing a VPN. It ensures secure authentication using Azure AD, enabling Single Sign-On (SSO) and multifactor authentication (MFA). The proxy integrates with existing security and compliance policies for seamless access management.

46
Q

Explain role inheritance in Azure RBAC and how it impacts permission assignments.

A

Role inheritance in Azure RBAC allows roles assigned to a parent resource to be automatically inherited by child resources, simplifying permission management across a resource hierarchy.

47
Q

Give an example of how custom roles integrate with resource-level permissions in Azure Entra ID.

A

Custom roles can be created at a resource level to provide more granular access control. For example, a custom role for a virtual machine could allow only start/stop operations without granting broader management permissions.

48
Q

Provide a real-world example of dynamic group usage for resource access management in Azure Entra ID.

A

A dynamic group could be used to automatically assign developers in a specific department access to a set of Azure DevOps resources based on their department attribute, simplifying access control management.

49
Q

What are some best practices for syncing large on-prem Active Directory instances with Azure Entra ID?

A

Use Azure Entra Cloud Sync with organizational unit (OU) filters to manage sync for large directories, splitting workloads across multiple agents for better performance and high availability.

50
Q

Describe specific use cases where Azure Entra ID Single Sign-On is used with third-party SaaS applications.

A

Azure Entra ID Single Sign-On can be used with third-party SaaS apps like Salesforce or ServiceNow, enabling seamless authentication for users through Azure AD without requiring separate credentials.

51
Q

How can device-based Conditional Access policies improve security in Azure Entra ID?

A

Device-based Conditional Access policies enforce security requirements such as multifactor authentication or password change policies based on device compliance, improving overall security.

52
Q

What are the benefits of using application groups in Azure Entra ID for managing permissions?

A

Application groups in Azure Entra ID help streamline the management of permissions by bundling applications with similar permission requirements, making it easier to apply policies consistently.

53
Q

Explain the concept of token lifetimes in Azure Entra ID and how to manage them.

A

Token lifetimes define how long access and refresh tokens remain valid. Managing token expiration is critical for balancing security and user convenience, with policies to revoke tokens if necessary.

54
Q

What are the security best practices for managing OAuth tokens in Azure Entra ID?

A

OAuth tokens should be stored securely, refreshed periodically, and scoped appropriately to minimize over-permissioning and prevent unauthorized access.

55
Q

Describe how to implement lifecycle management and periodic access reviews using Azure Entra Entitlement Management.

A

Azure Entra Entitlement Management automates user access workflows through periodic access reviews, approval processes, and automatic role assignment based on predefined rules.

56
Q

Explain how primary refresh tokens (PRT) work and their role in Azure Entra ID authentication.

A

Primary refresh tokens (PRT) are used to refresh authentication without requiring a new login. They are stored on devices and provide a seamless sign-in experience for users.

57
Q

What are the security and scalability considerations for using SCIM in Azure Entra ID?

A

When using SCIM, consider scalability to handle large volumes of users and ensure proper security practices, such as encrypting data in transit and limiting access to provisioning endpoints.

58
Q

Describe the architecture of Azure Entra Private Access and how it integrates with Zero Trust security.

A

Azure Entra Private Access uses an agent on devices and connects them to Azure edge nodes for secure access to internal applications. It integrates with Azure AD for authentication and Zero Trust enforcement.

59
Q

What are the key considerations for securing Azure Entra App Proxy in a large enterprise environment?

A

Securing Azure Entra App Proxy in an enterprise involves configuring network security rules, enforcing multifactor authentication, and ensuring that only authorized users can access internal applications.

60
Q

When using Axure Entra ID with pass -through-auth, can active directory security and policies be enforced?

A

Yes, because Azure Entra ID will pass the auth to AD to preform the auth and AD will implement any policies required.

61
Q

Is Azure Identity Protection a P1 or p2 feature?

A

Is Azure Identity Protection a P1 or p2 feature?

62
Q

What is an Azure Entra ID Security Group?

A

This is a group thet can be to group users thet can access Azure resources, RBAC is applied to the group.

63
Q

For Azure Entra ID, when you invite an external user, what state is the user in initially?

A

The user is in a PendingAcceptance state, where the user has to accept the terms and conditions.

64
Q

For Azure Entra ID, when you invite external users, what are the two methods available for accepting the invite?

A

Redemption process through the direct link.
Redemption process through email.
Automatic redemption process.

65
Q

For Azure Entra ID, what are external collaboration settings?

A

Microsoft Entra ID, external collaboration settings allow organizations to manage how external users—such as business partners, vendors, or guests—access and interact with their resources. These settings provide control over who can invite external users, which domains are permitted or blocked for collaboration, and the level of access granted to guest users within the directory.

Key aspects of external collaboration settings include:

Guest User Access: Administrators can define the extent of access guest users have to directory resources. Options range from granting guests the same access as internal members to restricting them to only their own profiles.

Guest Invite Settings: Organizations can specify who is authorized to invite external users. This can be configured to allow all users, only specific roles, or entirely restrict the ability to invite guests.

Collaboration Restrictions: Administrators can set policies to allow or block invitations to users from specific domains, thereby controlling which external organizations can participate in collaboration.

These settings are essential for maintaining security and compliance while facilitating collaboration with external entities. By configuring external collaboration settings, organizations can ensure that external users have appropriate access without compromising internal resources.

66
Q

What is the differenc ebetweem PIM and Entitlement Management?

A

PIM is focuses on short term access, JIT, Ideal for managing access to administrative roles in Azure AD, Azure resources, and other Microsoft Online Services. PIM can enforce temporary elevation for privileged roles, allowing users to gain elevated access only when needed and for a limited time.

Entitlement Management focuses on managing user access to various resources, including applications, groups, and SharePoint sites. Useful for onboarding/offboarding employees, granting resource access to external partners, and automating access requests. Entitlement Management is beneficial when you have complex or recurring access needs that span multiple groups or resources.

67
Q

What license do you need for Azure Entra ID Identity Protection?

A

P2

68
Q

For Entra Application Proxy, what license do you need?

A

P1