Azure Security Flashcards
Will a network security group protect you from DDoS attacks?
No. An NSG is a software firewall that filters traffic at the network layer; it does not absorb or mitigate DDoS traffic.
Will rate limiting help protect your instance from a DDoS attack?
Yes, rate limiting is one of the ways you can limit the impact of a DDoS attack.
What are the capabilities of a Global Administrator in Azure?
- Has full access to manage Azure Active Directory (AAD) and its resources.
- Can manage all aspects of users, groups, roles, and settings in Azure AD.
- Can assign other admin roles, including other Global Administrators.
- This is the highest-level role in Azure AD.
- Can access all administrative features in Azure AD and Microsoft services like Office 365.
- Can elevate access to manage all subscriptions and management groups in an Azure tenant.
Owner
Abilities:
- Has full access to all resources, including the ability to delegate access to others.
- Can create, delete, and modify resources.
- Can assign roles to others within the scope of a resource or resource group.
- Commonly used to manage entire subscriptions, resource groups, or individual resources.
Scope: Subscription, resource group, or specific resource.
Contributor
Abilities:
- Can create, delete, and modify resources, but cannot assign roles to others.
- Can manage all resources in a subscription or resource group except for access control permissions.
- Cannot grant access to other users or change access policies.
Scope: Subscription, resource group, or specific resource.
User Administrator
Abilities:
- Can manage all aspects of user and group management.
- Can create, delete, and update users and groups.
- Can reset passwords for non-admin users and assign non-administrative roles.
- Cannot manage global settings, roles like Global Administrator, or other privileged roles.
Scope: Azure AD tenant, focused on users and groups.
Privileged Role Administrator
Abilities:
- Can manage role assignments in Azure AD.
- Can assign or remove roles for users, including Global Administrator and other high-privilege roles.
- Can configure and manage Azure AD Privileged Identity Management (PIM).
- Can activate or deactivate eligible roles for other users through PIM.
- Cannot change settings that affect the entire Azure AD tenant (such as user settings).
Scope: Azure AD role assignments and Privileged Identity Management (PIM).
Security Administrator
Abilities:
- Can manage security-related features in Azure AD, including Conditional Access, Identity Protection, and MFA (Multi-Factor Authentication) settings.
- Can monitor security alerts and incidents.
- Can read all Azure AD reports and set security policies.
- Cannot change administrative roles but can manage security aspects.
Scope: Security policies and reports across the Azure AD tenant.
Authentication Administrator
Abilities:
- Can manage authentication methods (e.g., passwordless authentication, multi-factor authentication).
- Can enable or disable authentication for users and reset passwords.
- Can revoke sessions for users and manage aspects of sign-in policies.
- Does not have full control over users but focuses on authentication management.
Scope: Authentication-related policies and settings in Azure AD.
Directory Readers
Abilities:
- Can read basic directory information (users, groups, directory settings) but cannot make any changes.
- Useful for monitoring, reporting, and auditing purposes.
- Cannot modify any resources in the directory.
Scope: Read-only access to the Azure AD tenant.
Reader
Abilities:
- Has view-only access to all resources.
- Can see all settings, configurations, and statuses of resources but cannot make changes.
- Useful for monitoring or audit purposes.
Scope: Subscription, resource group, or specific resource.