Azure Services 2.4 Flashcards
identity, access, and security
Identity Service AuthN and AuthZ
Authentication (AuthN) is the process of
proving that you are who you say you are.
Authorization (AuthZ) is the act of granting an
authenticated party permission to do something.
Identity Service Entra ID
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity
and access management service.
It helps your employees sign in and access resources, including:
Internal resources, such as apps on your
corporate network or custom cloud apps.
External resources, such as Microsoft 365,
the Azure portal, and many SaaS apps.
Authentication features in Entra ID
Single sign-on (SSO)
Multifactor authentication (MFA)
Conditional Access
Single sign-on (SSO)
Single sign-on means a user doesn’t have
to sign into every application they use.
The user logs in once and that credential is
used for multiple apps.
Single sign-on based authentication systems
are often called “modern authentication”.
MFA
MFA in Entra ID works by requiring
two or more of the following
authentication methods:
Something you know (a PIN or password)
Something you have (a trusted device, such as a phone or hardware key)
Something you are (a biometric, such as a fingerprint or face)
Microsoft Authenticator app
The Microsoft Authenticator app can be used as a primary form
of authentication to sign in to an Entra ID account (passwordless sign-in).
It can also be used as an additional verification option during
self-service password reset (SSPR) or Entra ID MFA events.
To use Microsoft Authenticator
a user must download the
phone app and register their account.
Additional verification
A second factor of authentication
What is an OATH token
OATH (Initiative for Open Authentication) is an open standard for one-time passwords; its TOTP profile (RFC 6238) specifies how time-based one-time password codes are generated from a shared secret and the current time.
Software OATH tokens
Are typically applications. Entra ID generates the secret key, or seed, which is entered into the app and used to generate each OTP.
EXAMPLE: Microsoft Authenticator app
Hardware OATH tokens
Small hardware devices that look like a key fob and display a code that refreshes every 30 or 60 seconds; the secret key (seed) is pre-programmed into the device.
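As an added example (not code from the page, from Microsoft, or from the Authenticator app), the following Go program implements the OATH algorithm that both software and hardware tokens run: HOTP (RFC 4226) driven by a time-derived counter (RFC 6238). It generates codes from a seed, decodes the base32 seed string an app is given at registration, and verifies a submitted code on the server side with a small clock-skew window and a constant-time compare. The seed is the RFC test seed, not a real Entra ID seed, and the function names are this example's own.

```go
package main

// Added example (not Microsoft code): an RFC 4226 HOTP / RFC 6238 TOTP
// generator and verifier of the kind a software OATH token runs.

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
)

// hotp computes the RFC 4226 code for one counter value: HMAC-SHA1 over the
// big-endian counter, dynamic truncation to 31 bits, then mod 10^digits.
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp (RFC 6238) turns Unix time into a counter that advances every `step`
// seconds (30 s for Entra ID software tokens) and feeds it to hotp.
func totp(key []byte, unixTime, step int64, digits int) string {
	return hotp(key, uint64(unixTime/step), digits)
}

// verifyTOTP is the server side: accept the code for the current step or up to
// `window` steps either side (clock skew), comparing in constant time. A code
// from outside that window, e.g. one captured earlier, is rejected.
func verifyTOTP(key []byte, code string, unixTime, step int64, digits int, window int64) bool {
	ok := false
	for d := -window; d <= window; d++ {
		expected := totp(key, unixTime+d*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// decodeSeed decodes the base32 seed string shown when a software token is
// registered (otpauth:// URIs carry it unpadded and case-insensitive).
func decodeSeed(seed string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(seed, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// Constructed input: the RFC 4226/6238 test seed "12345678901234567890" in base32.
	key, err := decodeSeed("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println(totp(key, 59, 30, 8))                       // 94287082 (RFC 6238 vector)
	fmt.Println(verifyTOTP(key, "287082", 59, 30, 6, 1))     // true
	fmt.Println(verifyTOTP(key, "287082", 59+120, 30, 6, 1)) // false: stale code
}
```

The 30-second step and six digits match Entra ID software tokens; the RFC vectors in main use eight digits so they can be checked against the standard. Note what the verifier does and does not stop: a code captured by an attacker and replayed two steps later is refused, but one relayed within the same 30 seconds is accepted, which is why an OATH token counts as "something you have" but is not phishing-resistant in the way FIDO2 is.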
What is FIDO2
Uses public-key (asymmetric) cryptography for user
authentication: the private key stays on the device and the service stores only the public key.
The user has a physical security key (USB or NFC); the credential is bound to the site it was registered with, which makes it phishing-resistant.
FIDO authentication sequence
User provides a username
Service sends a random cryptographic challenge
User unlocks the FIDO2 key (PIN or biometric) and it signs the challenge with the private key
Service verifies the signature with the registered public key and grants access
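The four steps above, as an added example in Go (not Microsoft's or the FIDO Alliance's code, and not a WebAuthn library): both sides of the exchange are modelled in one program so the checks a relying party makes are visible. It is a simplification: real WebAuthn signs authenticatorData || SHA-256(clientDataJSON); here the signed message is a hash over the relying-party ID, the challenge and the origin. The names relyingParty, authenticator, assertion, contoso.example and alice are this example's own.

```go
package main

// Added example (not Microsoft's or the FIDO Alliance's code): a simplified
// model of the FIDO2/WebAuthn sign-in sequence with the relying party (service)
// and the authenticator (security key) both in one program.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

type relyingParty struct {
	rpID    string
	origin  string
	pubKeys map[string]*ecdsa.PublicKey // username -> registered credential public key
	pending map[string]string           // username -> outstanding challenge (hex); consumed on use
}

// authenticator holds the private key, which never leaves the device.
type authenticator struct{ priv *ecdsa.PrivateKey }

// assertion is what the client returns: the challenge, the origin the browser
// reports the request came from, and the signature over both.
type assertion struct {
	challenge []byte
	origin    string
	sig       []byte
}

func newRelyingParty(rpID, origin string) *relyingParty {
	return &relyingParty{rpID: rpID, origin: origin,
		pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

// register models enrolment: the key generates a P-256 key pair and the
// service stores only the public half, so a server breach leaks no secret.
func (rp *relyingParty) register(user string) (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &authenticator{priv: priv}, nil
}

// beginLogin covers steps 1-2: the user gives a username and the service
// answers with a fresh random challenge that it remembers until used.
func (rp *relyingParty) beginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = hex.EncodeToString(ch)
	return ch, nil
}

// signedMessage is the simplified stand-in for authenticatorData || SHA-256(clientDataJSON).
func signedMessage(rpID string, challenge []byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	msg := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return msg[:]
}

// sign is step 3: the key signs the challenge bound to the origin the browser
// saw. A look-alike page gets a signature over ITS origin, not the real one.
func (a *authenticator) sign(rpID string, challenge []byte, origin string) (assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpID, challenge, origin))
	if err != nil {
		return assertion{}, err
	}
	return assertion{challenge: challenge, origin: origin, sig: sig}, nil
}

// finishLogin is step 4: the challenge must be the one issued (and is consumed,
// so a replayed response fails), the origin must be ours, and the signature
// must verify under the registered public key.
func (rp *relyingParty) finishLogin(user string, a assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if want, ok := rp.pending[user]; !ok || want != hex.EncodeToString(a.challenge) {
		return errors.New("challenge not issued or already used (replay)")
	}
	delete(rp.pending, user)
	if a.origin != rp.origin {
		return fmt.Errorf("origin %q is not %q (phishing)", a.origin, rp.origin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.rpID, a.challenge, a.origin), a.sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	// Constructed names: contoso.example is the relying party, alice the user.
	rp := newRelyingParty("contoso.example", "https://contoso.example")
	key, _ := rp.register("alice")
	ch, _ := rp.beginLogin("alice")
	resp, _ := key.sign(rp.rpID, ch, "https://contoso.example")
	fmt.Println("genuine login:", rp.finishLogin("alice", resp))
	fmt.Println("replayed response:", rp.finishLogin("alice", resp))
	ch, _ = rp.beginLogin("alice")
	resp, _ = key.sign(rp.rpID, ch, "https://contoso-login.example")
	fmt.Println("phished origin:", rp.finishLogin("alice", resp))
}
```

Two failure modes in main are the ones that matter: a replayed assertion fails because the challenge is consumed on first use, and an assertion produced while the browser was on a look-alike origin fails the origin check. That second property is what lets FIDO2 resist the phishing attacks passwords fall to; real browsers go further and refuse to use a credential from any origin that does not match the credential's rpId at all.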
Windows Hello for Business
An authentication feature built into Windows 10 and later that replaces passwords with strong two-factor authentication on PCs and mobile devices.
Windows Hello for Business authenticates to
A Microsoft account.
An Active Directory account.
An Entra ID account.
Identity provider services or relying party services that support Fast ID Online (FIDO) v2.0 authentication.
Windows Hello vs Windows Hello for Business
Windows Hello is for personal devices and unlocks the device with a PIN or biometric gesture.
Windows Hello for Business uses key-based or certificate-based authentication; the PIN or biometric unlocks a key that is tied to the device rather than acting as the credential itself.
Windows Hello for Business
Solves the following problems:
Strong passwords can be difficult to remember, and
users often reuse passwords on multiple sites.
Server breaches can expose symmetric network
credentials (passwords).
Passwords are subject to replay attacks.
Users can inadvertently expose their passwords due
to phishing attacks.
External identities
B2B collaboration
B2B direct connect
Business-to-Consumer (B2C)
Entra ID multi-tenant organization
B2B collaboration
Enable external users to use their preferred identity to sign into your Microsoft or other enterprise applications (SaaS apps, custom-developed apps, etc.).
Supports Entra ID and social identities
B2B direct connect
Establish a mutual, two-way trust with another Entra ID organization for seamless collaboration.
Useful for heavy, daily collaboration with close business partners.
Supports multiple two-way trusts
Business-to-Consumer (B2C)
Publish modern SaaS apps or custom-developed apps to consumers and customers, while using Entra ID B2C for identity and access management.
Supports Entra ID and social identities
Entra ID multi-tenant organization
Collaborate with multiple tenants in a single Entra ID organization via cross-tenant synchronization.
Good for conglomerates, mergers, multi-cloud, and department/test/staging tenants
Entra ID Conditional Access
The policy engine Entra ID uses to bring signals together (user, device, location, application, and sign-in risk), make a decision (allow, require MFA, or block), and enforce organizational policies.
Azure RBAC
Role-Based Access Control
Azure RBAC helps you manage:
who has access to Azure resources (the security principal),
what they can do with those resources (the role definition),
which resources or scopes they have access to (the scope).
Built on Azure Resource Manager and
provides fine-grained access
management of Azure resources. A role assignment made at a scope is inherited by every child scope (management group, subscription, resource group, resource).
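An added example (not Microsoft's code or the Azure Resource Manager authorization service) of the three questions Azure RBAC answers, written in Go: a role definition's effective operations are its Actions minus its NotActions, an assignment applies to its scope and every child scope, and names are matched case-insensitively. The three built-in roles are abbreviated to a few of their real operations, and the principals and resource IDs are constructed.

```go
package main

// Added example (not Microsoft code): a small evaluator for the Azure RBAC
// model: who (principal), what (action), where (scope). The built-in roles
// below are abbreviated; the real definitions list many more operations.

import (
	"fmt"
	"strings"
)

type roleDefinition struct {
	actions    []string // operations the role grants; '*' is a wildcard
	notActions []string // subtracted from THIS role's actions only; not a deny
}

type roleAssignment struct {
	principal, role, scope string // scope: subscription, resource group or resource ID
}

// globMatch matches Azure-style patterns such as "*/read" or "Microsoft.Compute/*".
func globMatch(pattern, s string) bool {
	pattern, s = strings.ToLower(pattern), strings.ToLower(s)
	var rec func(p, s string) bool
	rec = func(p, s string) bool {
		for len(p) > 0 {
			if p[0] == '*' {
				for i := 0; i <= len(s); i++ {
					if rec(p[1:], s[i:]) {
						return true
					}
				}
				return false
			}
			if len(s) == 0 || p[0] != s[0] {
				return false
			}
			p, s = p[1:], s[1:]
		}
		return len(s) == 0
	}
	return rec(pattern, s)
}

func matchAny(patterns []string, action string) bool {
	for _, p := range patterns {
		if globMatch(p, action) {
			return true
		}
	}
	return false
}

// scopeCovers: an assignment at a scope applies to that scope and everything
// beneath it (subscription -> resource groups -> resources), by path segment.
func scopeCovers(scope, resourceID string) bool {
	scope, resourceID = strings.ToLower(strings.TrimSuffix(scope, "/")), strings.ToLower(resourceID)
	return resourceID == scope || strings.HasPrefix(resourceID, scope+"/")
}

// isAllowed answers "can principal perform action on resourceID?": true if any
// covering assignment's role grants the action and does not list it in NotActions.
func isAllowed(roles map[string]roleDefinition, assignments []roleAssignment, principal, action, resourceID string) bool {
	for _, a := range assignments {
		if !strings.EqualFold(a.principal, principal) || !scopeCovers(a.scope, resourceID) {
			continue
		}
		if r, ok := roles[a.role]; ok && matchAny(r.actions, action) && !matchAny(r.notActions, action) {
			return true
		}
	}
	return false
}

// sampleRoles: abbreviated built-in roles. sampleAssignments: constructed.
var sampleRoles = map[string]roleDefinition{
	"Reader":      {actions: []string{"*/read"}},
	"Contributor": {actions: []string{"*"}, notActions: []string{"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/elevateAccess/Action"}},
	"Virtual Machine Contributor": {actions: []string{"Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/disks/read", "Microsoft.Network/networkInterfaces/*", "Microsoft.Resources/subscriptions/resourceGroups/read"}},
}

var sampleAssignments = []roleAssignment{
	{"alice", "Reader", "/subscriptions/sub1"},
	{"alice", "Virtual Machine Contributor", "/subscriptions/sub1/resourceGroups/rg1"},
	{"bob", "Contributor", "/subscriptions/sub1"},
}

func main() {
	vm1 := "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
	vm2 := "/subscriptions/sub1/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm2"
	start := "Microsoft.Compute/virtualMachines/start/action"
	fmt.Println("alice starts vm1:", isAllowed(sampleRoles, sampleAssignments, "alice", start, vm1)) // true
	fmt.Println("alice starts vm2:", isAllowed(sampleRoles, sampleAssignments, "alice", start, vm2)) // false
	fmt.Println("bob writes role assignment:", isAllowed(sampleRoles, sampleAssignments, "bob",
		"Microsoft.Authorization/roleAssignments/write", "/subscriptions/sub1")) // false
}
```

Two details that trip people up and that the evaluator reproduces: NotActions is a subtraction inside one role, not a deny, so bob's Contributor at the subscription cannot write role assignments but a second assignment that grants that action would; and scope matching is by path segment, so an assignment on sub1 does not reach a subscription named sub10.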
three principles of Zero Trust
Verify explicitly
Use least privilege access
Assume breach
Verify explicitly
Always authenticate and authorize based on all available
data points.
Use least privilege access
Limit user access with Just-In-Time and Just-Enough-Access
(JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach
Segment access to minimize blast radius
Verify end-to-end encryption and use analytics to get
visibility, drive threat detection, and improve defenses.
Zero Trust Security
Unlike the “trust but verify” approach, in Zero
Trust, no entity is trusted by default.
It is based on three principles: assume breach,
verify explicitly, and least privilege access.
Zero Trust Security
Identities
Identities should be explicitly verified with strong
authentication using all available data points.
Users should be granted least privilege access.
Zero Trust Security
Devices
Devices should be monitored for health and
compliance and updated when necessary.
Zero Trust Security
Apps
Only approved apps should be allowed to access
company data, and permissions managed.
Zero Trust Security
Data
Data should be classified, labeled, and encrypted
based on its attributes, at rest and in motion.
Zero Trust Security
Infrastructure
Infrastructure version, configuration, and JIT access
should be managed.
Telemetry should be used to detect anomalous
activity that may indicate attack.
Zero Trust Security
Networks
Networks should be segmented to limit data access
and reduce threat exposure.
Real-time threat protection, end-to-end encryption,
monitoring, and analytics should be employed.
Defense in Depth
A layered approach that does not rely on any
single control to protect your environment; if
one layer is bypassed, the next layer still applies.
Defender for Cloud
A unified infrastructure security management
system that strengthens the security posture of
your cloud and on-premises data centers.
Provides security guidance for compute, data,
network, storage, app, and other services.
Includes support for both Azure and on-premises workloads, as well as other public
clouds (AWS, GCP): multi-cloud support.