Ch. 1 Managing Azure Identities and Governance

Question 1

Azure AD B2C

Answer 1

Azure Active Directory
Business - to Customer

• allows customers to sign in to applications using their social media accounts, such as Facebook

Question 2

Azure AD B2B

Answer 2

Azure Active Directory
Business - to Business

• extends Azure AD to business partners

Question 3

What are the two types of users in Azure AD?

Answer 3

1. cloud-only users

2. users synchronized from an on-premises directory

Question 4

cloud - only users

Answer 4

• users that are created and managed exclusively in Azure AD

- their attributes can be updated directly in Azure AD

Question 5

What role must you be assigned to create a cloud - only user?

Answer 5

Global Administrator or User Administrator

Question 6

Where can you create a cloud-only user?

Answer 6

the Azure portal, Azure PowerShell, can the Azure command-line interface (CLI)

Question 7

What attributes are mandatory when creating a new user?

Answer 7

the username (sign in address for Azure AD) and the user’s name (given name and surname)

Question 8

groups

Answer 8

groups of objects that make role assignments and access permissions easier to manage

Question 9

What objects can a group contain?

Answer 9

groups, users, devices, or service principles

Question 10

Where can a group be created?

Answer 10

Azure portal, Azure PowerShell, the Azure CLI, and Microsoft Graph

Question 11

What are the two types of groups?

Answer 11

1. Security

2. Office 365

Question 12

security group

Answer 12

a group that allows you to share Azure resources access to a group of users, devices, or service principals

Question 13

Office 365 group

Answer 13

a group that allows access to a shared mailbox, calendar, SharePoint site, and so on

Question 14

What are the 3 types of memberships a group can be assigned?

Answer 14

1. Assigned
2. Dynamic User
3. Dynamic Device

Question 15

Membership Type: Assigned

Answer 15

this value allows you to select one or more users and add them to the group. Adding and removing users is performed manually.

Question 16

Membership Type: Dynamic User

Answer 16

This value allows you to use dynamic group rules to automatically add and remove members.

Question 17

Membership Type: Dynamic Device

Answer 17

This value allows you to use dynamic group rules to automatically add and remove devices.

Question 18

Dynamic group requirement

Answer 18

You can only create a dynamic group if you have a Premium AD license. Otherwise, the Membership Type option is unavailable and is set to Assigned.

Question 19

How do dynamic groups work?

Answer 19

Rules are created in a dynamic group. If a user or device has an attribute that matches the rule then that user or device is added to the group.

If the attributes changes and the user or device no longer matches the criteria for group membership, the entity will removed.

Question 20

Dynamic group membership processing

Answer 20

• processing is not immediate
• if an error occurs while processing a membership rule, it appears on the Group page in the Azure portal
• the current processing status can be viewed from the Group page

Question 21

Can you create a dynamic group for users and devices at the same time.

Answer 21

No

Question 22

Can user attributes be in a device-based ruled?

Answer 22

No

Question 23

Can the membership type of a group be changed after it is created?

Answer 23

Yes

Changing a static group to a dynamic group will remove all members from the static group and apply dynamic membership rules.

This change will also affect the access to the resources if the static groups has any previously assigned access for its members.

Question 24

Where can devices be managed in the Azure portal?

Answer 24

1. Under Devices in the Azure AD tenant.

2. Through the Devices blade for an individual user.

Question 25

What permissions do you need to enable or disable a device?

Answer 25

You must be a Global Administrator

Question 26

Disabling a device

Answer 26

• prevents a device from accessing Azure AD resources

- prevents a user from accessing Azure AD resources through that device

Question 27

Deleting a device

Answer 27

• prevents a device from accessing your Azure AD resources and removes all details that are attached to the device ( including BitLocker keys for Windows devices)
• a non-recoverable activity and is not recommended unless it is required for an activity such as device decommissioning

Question 28

Bulk Updates

Answer 28

• bulk user creations can now be done in Azure portal through a .csv file
• under Users you can select Bulk create, Bulk invite, and Bulk delete

Question 29

Guest User

Answer 29

• anyone who is invited to collaborate with your organization
• once created they should receive an invitation in their mailbox
• all users and admins can invite guests by default

Question 30

External Collaboration Settings

Answer 30

• settings which restrict the way guest users can be invited

- found under Users in Azure AD

Question 31

Content Status

Answer 31

• a value within a guest user account which shows if they have accepted an invite
• the guest user will appear as an “invited user” in the Azure portal until the user accepts the invitation.

Question 32

Azure AD Join

Answer 32

• allows users to work from enterprise and BYOD devices
• you can control these devices, the applications installed accessed from them and how those applications interact with your corporate data

Question 33

What are the 3 options to associate device with Azure AD?

Answer 33

1. registering a device
2. joining a device
3. using hybrid AD joined

Question 34

Azure AD Join: registering a device

Answer 34

• appropriate for personal devices

Question 35

Azure AD Join: joining a device

Answer 35

• useful for corporate - owned devices

Question 36

Azure AD Join: using hybrid AD joined

Answer 36

• devices are joined to your on-premises Active Directory and are registered with your Azure AD tenant

Question 37

What are some mobile device management solutions?

Answer 37

• Microsoft Intune
• Microsoft Endpoint Configuration Manager (MECM)
• Mobile Application Management (MAM)
• Group Policy (if it’s hybrid-Azure joined)

Question 38

Where is device registration configured?

Answer 38

in Azure AD under Device > Device Settings

Question 39

Users May Join Devices to Azure AD

Answer 39

• a settings that allows you to select the users and groups that can join devices to Azure AD
• only applies to Azure AD Join on Win 10 devices

Question 40

Additional Local Administrators On Azure AD Joined Devices

Answer 40

• you can choose which users are granted Local Administrator rights to the device
• available on Azure AD Premium or with the Enterprise Mobility Suite
• Global Administrator and the device owner are granted Local Administrator rights by default

Question 41

User May Regster Their Devices with Azure AD

Answer 41

allows users to register their devices with Azure AD (Workplace Join). Enrollment with MS Intune or Mobile Device Management for Office 365 requires Device Registration

• if either of these services are configured then ALL will be selected and the button associated with the setting will be disabled

Question 42

Require Multi-Factor Auth to Join Devices

Answer 42

• recommended when adding devices to Azure AD
• When set to Yes, users who are adding devices from the Internet must first use a second method of authentication
• prior to enabling this setting make sure MFA is configured for all users who are able to register devices and that they have gone through MFA setup

Question 43

Maximum Number of Devices Per User

Answer 43

• designates the maximum number of devices that an individual user can have in Azure AD
• if the quota is reached then the user will not be able to add a device until one of their existing devices is removed

Question 44

Hybrid AD Joined Devices Exception

Answer 44

• the MFA and max number of devices per user settings are not applicable to hybrid AD joined devices

Question 45

Manage Enterprise State Roaming Settings

Answer 45

• allows users to sync settings and app data across devices

- can be used with Azure AD Premium or EMS and is only applicable for Win 10 devices

Question 46

Azure AD Join Windows version requirements

Answer 46

hybrid - applicable to devices that are joined to an on-premises directory

• an IT admin must join these devices
• can join Win 10 and Win Server 2016 as well as lower versions such as Win 7, Win 8.1, Win Server 08, Win Server 08 R2, Win Server 12 and Win Server 12 R2

non-hybrid - applicable to devices that are not joined to an on-premises Active Directory
- requires Win 10 Professional and Win 10 Enterprise

Question 47

Self-service password reset (SSPR)

Answer 47

• allows users to reset their own passwords in Azure AD
• optionally write the password back to an on-premises environment when properly license and configured by using password writeback and Azure AD Connect
• users can change passwords, reset passwords, and unlock accounts without an IT Dept
• addresses both cloud-only and hybrid users

Question 48

SSPR License Requirements

Answer 48

Scenario User Type License Requirement

Password Change Cloud - only user Included in all editions of Azure AD

Password Reset Cloud-only user Microsoft 365 Business Standard, Microsoft 365 Business Premium,
Azure AD Premium P1, Azure AD Premium P2

Password Change/ Hybrid user Microsoft 365 Business Premium, Azure AD Premium P1, Azure AD
Unlock/Reset Premium P2

Question 49

role-based access control (RBAC)

Answer 49

• allows you to manage the entities (security principles) that have access to Azure resources and the actions that those entities can perform.
• determines who can do what (permissions)

Question 50

What entities in Azure can access be granted to?

Answer 50

users
groups
service principles
managed identities through role assignments
- this can then be applied at a scope (subscription), resource group, or even an individual resource

Question 51

Where does Azure RBAC apply?

Answer 51

to the management of resources created in the Azure Resource Manager (ARM) deployment model

Question 52

What is a role?

Answer 52

the definition of what actions are allowed and/or denied

Question 53

role inheritance

Answer 53

where child resources inherit the role assignments of any parents

ex. if a user is granted read access to a subscription, that user will have read access to all the resource groups and resources in that subscription

Question 54

managed identity

Answer 54

an identity which supports Azure AD authentication

Question 55

How does Azure handles different roles assigned to a security principle?

Answer 55

the most privileged access right takes precedence

Question 56

principle of least privilege

Answer 56

provide the minimum privileges to an object or user to perform actions as needed

Question 57

Using Groups with Azure RBAC

Answer 57

when assigning roles to a group all users in the group will inherit the assigned role

Question 58

role definition

Answer 58

• contains the list of permissions or declared permissions which define what actions can or cannot be performed against a type of resource, such as read, write or delete
• they can be built in or custom

Question 59

What is the difference between Azure Roles and Azure AD Roles?

Answer 59

Azure RBAC roles are used to manage access and allow or restrict users to resources, while Azure AD administrative roles are used to allow or restrict admins to perform identity tasks, such as creating new users, resetting passwords, etc.

A user who has Global Administrator right in Azure AD does not have permissions to create resources in Azure but he or she can perform all the identity tasks for an Azure AD tenant

Question 60

scope hierarchy

Answer 60

• There are 4 scopes at which RBAC can be applied and scopes are structured in a parent-child relationship where RBAC is inherited by any child scopes.

1. management group (the highest scope)
2. subscriptions
3. resource groups
4. resources

• An Azure AD tenant can support 10,000 management groups
• granting a user access to the Owner role at the management group scope will grant that user Owner rights to all the subscriptions under the management group that is inclusive of all the resource groups and resources within them

Question 61

Role assignment limits

Answer 61

2,000 role assignments in each subscription

500 role assignments per management group

Question 62

What permission do you need to create and remove role assignments?

Answer 62

Microsoft.Authorization/role Assignments/*

This permission is granted through the Owner or User Access Administrator built-in roles

Question 63

Can you revoke access rights at a child scope through the application of a more restrictive role assignment?

Answer 63

No, the role is inherited through the parent.

Question 64

deny assignment`

Answer 64

a setting that can be placed on a scope through Azure Blueprints and resource locks

deny assignments are evaluated before role assignments and can be used to exclude service principals from accessing child scopes

Question 65

custom role

Answer 65

• a role that provides a set of permissions that is not available in any of the built in roles
• can be assigned and created through Azure portal, Azure PowerShell, Azure CLI, and REST API
• can be shared between subscriptions that trust the same Azure AD directory
• limit of 5,000 custom roles per directory

Question 66

What are the 3 ways you can create a custom role in Azure Portal?

Answer 66

1. Clone from the existing built-in roles available
2. Start from scratch
3. Start from a JSON file to define the custom permissions

Question 67

How to clone a built in role.

Answer 67

• you clone the role closest to the permissions that you want and then add or remove permissions to the role.
• you can also rename the role to whatever you want.
• after you select the permissions you must select the Assignable Scopes
  * the scope can be defined as a subscription, resource group, or resource level
  * the custom role must have a t least one valid scope assigned
• to create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permissions on all AssignableScopes

Question 68

How to create a custom role by starting from scratch

Answer 68

• choose Start From Scratch from the Baseline Permissions

- can be time consuming because you will have to select all the permissions one-by-one

Question 69

Creating a custom role using a JSON file.

Answer 69

• you can also use a JSON file by selecting Start From JSON under Baseline Permissions (JavaScript Object Notation)
• the JSON file contains the role definitions
  • a name represented by the Name attribute.
  • an identifier represented by the Id attribute.
  • a description represented by the Description attribute
  • a flag that denotes if the role is custom or built-in represented by the IsCustomer attribute, this is set to false for
    built-in roles and true for custom roles
  • the actions that can or cannot be performed within the Azure management plan are represented by the Actions[ ]
    and NotActions [ ] atrributes
  • the scopes at which the role is available through the Assignable Scopes [ ] attribute

Question 70

Access Control (IAM)

Answer 70

• used to manage access to resources and it is where role assignments are applied or removed in Azure portal
• available at any scope where role assignments can be made (management group, subscription, resource group, and resource)

Question 71

What can you perform from the Access control (IAM) blade?

Answer 71

1. Check the effective access rights for a security principal at the current scope through the Check Access tab, including being able to view inheritance
2. Edit role assignments, both granting and revoking access rights through the Role Assignments tab
3. View deny assignments, which are controlled by Microsoft, through the Deny Assignments tab
4. View and manage permissions to classic resources through the Classic Administrators tab
5. View the available roles, both built-in and custom, through the Roles tab