Azure Security AD-General Info

Question 1

What is Azure AD and how does it compare to on-prem AD DS?

Answer 1

Azure AD -active directory allows us to perform active directory services in Azure and offers SSO functionality and it does sync with on-prem AD DS services.

Question 2

What are the benefits of using Az AD?

Answer 2

Az AD provides us with MFA, PIM, RBAC and multiple other features and capabilities.

Question 3

How many products are there with Az AD?

Answer 3

There is the free tier, MS 365 and the two Premium tiers P1 and P2 .

Question 4

What additional features does Premium P2 offer?

Answer 4

The premium P2 offers PIM -privilege identity management, risk mitigation conditional access.

Question 5

How is Az AD different from AD DS and what protocols does it support?

Answer 5

Az AD does not support LDAP, it can support API requests,Az AD supports Open ID, SAML for auth and OAUTH for authorization.

Question 6

What is the highest level of Admin role and how many should we have?

Answer 6

The highest level of admin role is Global Admin and ideally we should have two Global admins.

Question 7

Explain why has the identity layer become so important in auth and authorisation?

Answer 7

Now that we have hybrid topologies and modern networks with most apps being SAAS we require the access to our apps and services to be controlled at the users workstations.

Question 8

What is Az AD DS ?

Answer 8

Az AD DS is the same as Windows Server AD DS on prem as it is a Az managed service so we cannot create it and it syncs with on prem AD services and Az AD.

Question 9

Does AZ AD INTEGRATE with AZ AD DS?

Answer 9

Yes, you can sync and integrate AZ AD with AZ AD DS.

Question 10

Is AZ AD DS service a Az managed service?

Answer 10

Yes, AZ AD DS is a fully managed service from Azure.

Question 11

What is Az AD Connect?

Answer 11

Az AD Connect lets us connect and sync both on-prem and Az AD .

Question 12

How many groups are there with Az AD?

Answer 12

There is two groups the SECURITY GROUP and the M 365 GROUP.

Question 13

Name the different ways that I can assign group access rights?

Answer 13

group access rights can be assigned statically or dynamically with predefined policy.

Question 14

What is a AZ admin unit?

Answer 14

an administrative unit is a group of users or groups.

Question 15

Is there any benefit in using passwordless method of connectivity?

Answer 15

yes , not having to remember passwords is convenient and much safer .

Question 16

what is Password hash synchronization?

Answer 16

pwd hash sync allows me to sync my pwd onprem with my pwd in Az.

Question 17

what is AD FS and why would I use it?

Answer 17

AD Federation services allows me to use onprem AD FS to authenticate users for hybrid networks.

Question 18

What does Az health monitoring do?

Answer 18

AZ Health monitoring monitors the health for the AZ AD Connect.

Question 19

What do I need to do to setup AZ AD CONNECT?

Answer 19

To setup AZ AD Connect I need to add agents to onprem servers.

Question 20

List the three way that I can authenticate using AZ AD?

Answer 20

using AZ AD I can authenticate using AZ AD just in the cloud, or AZ AD and AD FS for federation or password protection with hash sync and passthru.

Question 21

Explain password hash sync?

Answer 21

password hash sync allows me to sync my pwds onprem and in the cloud so only one password is used.

Question 22

Is the password hash encrypted during the pwd hash sync process?

Answer 22

yes, the pwd hash is encrypted and then decrypted and stored in azure.

Question 23

Is passthru authentication free?

Answer 23

yes PTA is free and it is lightweight as an agent.

Question 24

Is IDENTITY the new control plane for IT SECURITY?

Answer 24

yes identity is the new control plane for IT SECURITY.

Question 25

Does password protection require password hash sync?

Answer 25

yes password protection does require password hash sync feature enabled.

Question 26

What is password write back?

Answer 26

password write back allows me to make sure my pwd changes in azure is also changed on my AD DS system onprem via AZ AD CONNECT.

Question 27

What port does password write back use ?

Answer 27

port 443 is used for write back.

Question 28

How many default IDENTITY PROTECTION policies are there?

Answer 28

there are three identity protection policies.

Question 29

If there is a sign in risk detected what should i do?

Answer 29

enable MFA when a risk is identified.

Question 30

If a risk is identified with identity what should we do?

Answer 30

if risk is identified then enable a pwd reset .

Question 31

Can I block/permit users with risk identified ?

Answer 31

yes, users can be blocked or permitted it all depends on your policy defined and business security policies.

Question 32

Is sig in risk part of conditional access policy?

Answer 32

yes sign in risk is part of the conditional risk policy.

Question 33

How can I define my conditional access parameters?

Answer 33

define the conditional access using either “location” or browsers and mobile apps etc.

Question 34

How can I secure my apps and services with MFA?

Answer 34

MFA provides a second form of auth and additional layer of security its easier for the users as well and complies with regulatory compliance requirements.

Question 35

Is MFA available with SAAS apps?

Answer 35

yes MFA is available with SAAS apps like servicenow.

Question 36

List the MFA auth types?

Answer 36

voice calls, one way SMS, authenticator app, authenticator app code.

Question 37

what is the default number of days that the pwd is cached with MFA?

Answer 37

it is 14 days by default a password is cached but you can select between 1 to 60 days.

Question 38

with MFA and FRAUD alerts , what is the number thats pressed before the # when a call is received?

Answer 38

the number 0 is pressed before the hash # when fraud is communicated.

Question 39

How can I enable MFA for my users?

Answer 39

on the portal or through powershell under AZ AD i can select groups and enable MFA.

Question 40

what are the three user states for MFA?

Answer 40

the three user states is enabled, disabled and enforced.

Question 41

Can I enabled MFA for any types of accounts?

Answer 41

No I cannot enable MFA for any type of account only for organizational accounts.

Question 42

Explain conditional access when it comes to IDENTITY?

Answer 42

conditional access is the core now with hybrid networking and WFH as it can help enforce our business security policies and gives us flexibility etc.

Question 43

What brings the signals together in ACTIVE DIRECTORY?

Answer 43

the conditional access brings the signals together that determines if a user is allowed or not to access my network.

Question 44

Can you name some of the signals that are considered with conditional access?

Answer 44

yes, some of the signals are location, device the users is using to access my network, apps being used etc.

Question 45

What are the access controls used with conditional access?

Answer 45

some of the access controls is location , managed devices, domain joined devices, apps being used etc.

Question 46

with AD identity access can I enable access reviews?

Answer 46

yes i can enable access reviews which basically allows me to review the people accessing my network.

Question 47

Which premium product will i need for access reviews?

Answer 47

I will require the Premium P2 license for the access reviews feature which allow me to regularly ensure access to my network is reviewed.

Question 48

which admin ca reset a users password?

Answer 48

the global admin can reset a users password.

Question 49

which license provides identity protection?

Answer 49

the P2 premium license provides the identity protection.

Question 50

How can IDENTITY PROTECTION help protect our identities?

Answer 50

IDENTITY PROTECTION helps with identifying risks, investigating them and thirdly remediating the risks with our identities, it is a feature of the AZ AD.

Question 51

what are some of the user sign in risk?

Answer 51

source of sign is is an IP that might be related to botnet service, or a atypical travel , sign in originating from multiple locations distance apart etc.