Azure Services 2.4 Flashcards

identity, access, and security

1
Q

Identity Service AuthN and AuthZ

A

Authentication (AuthN) is the process of
proving that you are who you say you are.

Authorization (AuthZ) is the act of granting an
authenticated party permission to do something.

2
Q

Identity Service Entra ID

A

Microsoft Entra ID is Microsoft’s cloud-based identity
and access management service. It helps your employees
sign in and access resources, including:
Internal resources, such as apps on your
corporate network or custom cloud apps.
External resources, such as Microsoft 365,
the Azure portal, and many SaaS apps.

3
Q

Authentication methods in Azure

A

Single sign-on (SSO)
Multifactor authentication (MFA)
Conditional Access (strictly a policy engine rather than a credential type: it decides when MFA or other controls are required)

4
Q

Single sign-on (SSO)

A

Single sign-on means a user does not have to
sign in separately to every application they use.
The user signs in once and that sign-in is
reused across multiple apps.
Single sign-on based authentication systems
are often called “modern authentication”.

5
Q

MFA

A

MFA in Entra ID works by requiring
two or more of the following kinds of evidence,
taken from different categories:
Something you know (PIN or password)
Something you have (trusted device, such as a phone or hardware token)
Something you are (biometric)

6
Q

Microsoft Authenticator app

A

The Microsoft Authenticator app can be used as a primary, passwordless form
of authentication to sign in to any Entra ID account.
It can also be used as an additional verification option during
self-service password reset (SSPR) or Entra ID MFA events.

7
Q

To use Microsoft Authenticator

A

A user must install the phone app
and register their account in it.

8
Q

Additional verification

A

A second factor of authentication, requested after the primary sign-in (for example an Authenticator prompt or a one-time code) to confirm the user’s identity.

9
Q

What is an OATH token?

A

OATH (Initiative for Open Authentication) is an industry body whose open standards specify how one-time password (OTP) codes are generated: HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based). Entra ID OATH tokens use TOTP: each code is an HMAC of the shared secret key (seed) and the current time step, truncated to a short numeric code.

10
Q

Software OATH tokens

A

Are typically applications. Entra ID generates the secret key (seed) that is entered into the app, usually by scanning a QR code, and the app uses it to generate each OTP.
EXAMPLE: Microsoft Authenticator app

11
Q

Hardware OATH tokens

A

Small hardware devices that look like a key fob and display a code that refreshes every 30 or 60 seconds. Unlike a software token, the secret key (seed) is pre-programmed into the device by the manufacturer rather than generated by Entra ID, so an administrator has to register it with the tenant.

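Worked example (added here; it is not part of the original flashcards or of any Microsoft code): a Go implementation of the OATH algorithms behind cards 9 to 11. `hotp` is RFC 4226, `totp` is RFC 6238 built on top of it, and `verifyTOTP` is the server side, which accepts a small window of time steps so a hardware fob whose clock has drifted still works. The seed is the published RFC 6238 test secret, not a real token seed; the `step` of 30 or 60 seconds matches the refresh period shown on a fob. Function names are my own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction to the requested digit count.
func hotp(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte selects the 4-byte window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the HOTP counter is the number of whole time steps since
// the Unix epoch. Software tokens use 30 s; hardware fobs use 30 s or 60 s,
// which is why their display refreshes on that cadence.
func totp(seed []byte, unixTime int64, step int64, digits int) string {
	return hotp(seed, uint64(unixTime/step), digits)
}

// verifyTOTP is the relying-party side. A fob's clock drifts, so the server
// accepts the code for the current step and `skew` steps either side. The
// loop does not return early on a match and each candidate is compared in
// constant time, so response timing does not reveal which step matched.
func verifyTOTP(seed []byte, code string, unixTime int64, step int64, digits int, skew int) bool {
	counter := unixTime / step
	ok := false
	for i := -int64(skew); i <= int64(skew); i++ {
		candidate := hotp(seed, uint64(counter+i), digits)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Seed is the RFC 6238 test secret (ASCII "12345678901234567890"), used so
	// the output can be checked against the RFC; it is not a real token seed.
	// An Entra ID software token seed arrives base32-encoded in the otpauth://
	// QR code scanned at registration.
	seed := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d  8-digit=%s  6-digit=%s\n", ts, totp(seed, ts, 30, 8), totp(seed, ts, 30, 6))
	}
	now := time.Now().Unix()
	code := totp(seed, now, 30, 6)
	fmt.Println("current code:", code, "accepted:", verifyTOTP(seed, code, now, 30, 6, 1))
	stale := totp(seed, now-300, 30, 6) // ten steps old: outside a one-step window
	fmt.Println("five-minute-old code accepted:", verifyTOTP(seed, stale, now, 30, 6, 1))
}
```

Running it prints the codes RFC 6238 lists for its test vectors (94287082 at t=59, and so on). Two points the flashcards gloss over follow directly from the code: whoever holds the seed (Entra ID, the app, or the fob manufacturer) can compute every future code, and TOTP is not phishing-resistant, since a user can be talked into typing the current code into a fake site within the 30-second window.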
12
Q

What is FIDO2?

A

Uses public-key (asymmetric) cryptography for user authentication:
the private key stays on the user’s physical device (USB or NFC security key)
and the service stores only the matching public key.
Because the signed response is bound to the site’s origin, FIDO2 is phishing-resistant.

13
Q

FIDO Authentication sequence

A

User provides a username
Service returns a fresh cryptographic challenge
User’s FIDO2 key signs the challenge with its private key
Service verifies the signature with the stored public key and grants access

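Worked example (added here; not from the original flashcards, Microsoft, or the FIDO Alliance): a Go model of the four-step sequence in card 13, using Ed25519 from the standard library in place of the ES256 keys and CBOR encoding a real security key uses. The names `Authenticator`, `Credential`, `register`, `newChallenge`, `sign` and `verify` are my own, and the relying party ID `login.example` and the origins are made up. It shows the three properties that make the sequence replay- and phishing-resistant: the challenge is fresh per login, the signed data binds the origin the browser actually saw, and the signature counter only moves forward.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a FIDO2 security key: the private key never leaves the
// device, and it only signs for the relying party (RP) it was registered with.
type Authenticator struct {
	priv    ed25519.PrivateKey
	rpID    string
	counter uint32
}

// Credential is all the RP stores: a public key and the last counter seen. No server-side secret.
type Credential struct {
	pub     ed25519.PublicKey
	counter uint32
}

type Assertion struct {
	clientData []byte // challenge plus the origin the browser was really on
	counter    uint32
	sig        []byte
}

// register: key pair generated on the device; only the public half goes to the RP.
func register(rpID string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, Credential{pub: pub}, nil
}

// newChallenge: 32 fresh random bytes per login (step 2), so a captured assertion cannot be replayed.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// clientData stands in for WebAuthn's clientDataJSON: it binds the challenge to the origin the browser saw.
func clientData(challenge []byte, origin string) []byte {
	return []byte(hex.EncodeToString(challenge) + "|" + origin)
}

// signedMessage stands in for authenticatorData || SHA-256(clientDataJSON).
func signedMessage(rpID string, counter uint32, cd []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	h.Write(cd)
	return h.Sum(nil)
}

// sign is step 3: the key bumps its counter and signs with its private key.
func (a *Authenticator) sign(challenge []byte, origin string) Assertion {
	a.counter++
	cd := clientData(challenge, origin)
	return Assertion{clientData: cd, counter: a.counter, sig: ed25519.Sign(a.priv, signedMessage(a.rpID, a.counter, cd))}
}

// verify is step 4: our challenge and our origin, a counter that advanced (a cloned
// key eventually falls behind), and a signature valid under the stored public key.
func verify(cred *Credential, rpID, expectedOrigin string, challenge []byte, as Assertion) error {
	if string(as.clientData) != string(clientData(challenge, expectedOrigin)) {
		return errors.New("challenge or origin mismatch")
	}
	if as.counter <= cred.counter {
		return errors.New("signature counter did not advance (replay or cloned key)")
	}
	if !ed25519.Verify(cred.pub, signedMessage(rpID, as.counter, as.clientData), as.sig) {
		return errors.New("invalid signature")
	}
	cred.counter = as.counter
	return nil
}

func main() {
	const rpID, origin = "login.example", "https://login.example" // made-up RP
	auth, cred, err := register(rpID)
	if err != nil {
		panic(err)
	}
	ch, _ := newChallenge()
	as := auth.sign(ch, origin)
	fmt.Println("legitimate login:", verify(&cred, rpID, origin, ch, as))
	fmt.Println("same assertion replayed:", verify(&cred, rpID, origin, ch, as))
	// Phishing: a lookalike site relays the RP's real challenge, but the browser signs
	// with the origin it is really on, so the RP rejects the assertion.
	ch2, _ := newChallenge()
	phished := auth.sign(ch2, "https://login-example.evil")
	fmt.Println("assertion from lookalike origin:", verify(&cred, rpID, origin, ch2, phished))
}
```

In a real WebAuthn flow the browser itself refuses to use a credential whose RP ID does not match the page’s origin, so the lookalike-site assertion would never be produced; the RP-side origin check in `verify` is the second layer. Note also what the RP stores: only a public key, so the server-breach and replay problems card 17 lists for passwords do not apply.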
14
Q

Windows Hello for Business

A

An authentication feature built into Windows 10 and later that replaces passwords with strong two-factor authentication on PCs and mobile devices: a device-bound key or certificate, unlocked by a PIN or biometric gesture.

15
Q

Windows Hello for Business authenticates to

A

A Microsoft account.
An Active Directory account.
A Microsoft Entra ID account.
Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication.

16
Q

Windows Hello vs Hello Business

A

Windows Hello is for personal devices and uses a PIN or biometric gesture to unlock the device.
Windows Hello for Business is the enterprise version and uses key-based or certificate-based authentication, with the key protected by the device’s TPM where one is available.

17
Q

Windows Hello for Business
solves the following problems

A

Strong passwords can be difficult to remember, and
users often reuse passwords on multiple sites.
Server breaches can expose symmetric network
credentials (passwords).
Passwords are subject to replay attacks.
Users can inadvertently expose their passwords due
to phishing attacks.

18
Q

External identities

A

B2B collaboration
B2B direct connect
Business-to-Consumer (B2C)
Entra ID multi-tenant organization

19
Q

B2B collaboration

A

Enables external users to use their preferred identity to sign in to your Microsoft or other enterprise applications (SaaS apps, custom-developed apps, etc.).
Supports Entra ID and social identities.

20
Q

B2B direct connect

A

Establish a mutual, two-way trust with another Entra ID organization for seamless collaboration.
Useful for heavy, daily collaboration with close business partners.
Supports multiple two-way trusts

21
Q

Business-to-Consumer (B2C)

A

Publish modern SaaS apps or custom-developed apps to consumers and customers, while using Entra ID B2C for identity and access management.
Supports Entra ID and social identities.

22
Q

Entra ID multi-tenant organization

A

Collaborate across multiple tenants in a single Entra ID organization via cross-tenant synchronization.
Good for conglomerates, mergers, multi-cloud, and departmental, test and staging tenants.

23
Q

Entra ID Conditional Access

A

The policy engine Entra ID uses to bring signals together (user or group, device state, location, application, sign-in or user risk), make a decision, and enforce organizational policies, such as requiring MFA or blocking the sign-in.

24
Q

Azure RBAC
Role Based Access Control

A

Azure RBAC helps you manage:
who has access to Azure resources,
what they can do with those resources,
which resources/areas they have access to.
Built on Azure Resource Manager and
provides fine-grained access
management of Azure resources.
Access is granted through a role assignment: a security principal (user, group, service principal or managed identity), a role definition (the allowed actions) and a scope (management group, subscription, resource group or resource).

25
Q

Three principles of Zero Trust

A

Verify explicitly
Use least privilege access
Assume breach

26
Q

Verify explicitly

A

Always authenticate and authorize based on all available
data points.

27
Q

Use least privilege access

A

Limit user access with Just-In-Time and Just-Enough-Access
(JIT/JEA), risk-based adaptive policies, and data protection.

28
Q

Assume breach

A

Segment access to minimize blast radius.
Verify end-to-end encryption and use analytics to get
visibility, drive threat detection, and improve defenses.

29
Q

Zero Trust Security

A

Unlike the “trust but verify” approach, in Zero
Trust, no entity is trusted by default.
It is based on three principles: assume breach,
verify explicitly, and least privilege access.

30
Q

Zero Trust Security
Identities

A

Identities should be explicitly verified with strong
authentication using all available data points.
Users should be granted least privilege access.

31
Q

Zero Trust Security
Devices

A

Devices should be monitored for health and
compliance and updated when necessary.

32
Q

Zero Trust Security
apps

A

Only approved apps should be allowed to access
company data, and permissions managed.

33
Q

Zero Trust Security
data

A

Data should be classified, labeled, and encrypted
based on its attributes, at rest and in motion.

34
Q

Zero Trust Security
Infrastructure

A

Infrastructure (version, configuration, JIT access)
should be managed.
Telemetry should be used to detect anomalous
activity that may indicate attack.

35
Q

Zero Trust Security
networks

A

Networks should be segmented to limit data access
and reduce threat exposure.
Real-time threat protection, end-to-end encryption,
monitoring, and analytics should be employed.

36
Q

Defense in Depth

A

A layered approach that does not rely on any
single control to protect your environment:
if one layer is bypassed, the next still has to be defeated.

37
Q

Defender for Cloud

A

A unified infrastructure security management
system that strengthens the security posture of
your cloud and on-premises data centers.
Provides security guidance for compute, data,
network, storage, app, and other services.
Supports Azure and on-premises workloads as well as other
public clouds (AWS, GCP), i.e. multi-cloud support.