Chapter 5: Identity Flashcards
What are the 3 components of Azure AD Identity?
Principal - an entity (user, application, device) that has not yet been authenticated and presents itself for authentication
Identity - the directory object (identity profile) that is authenticated using credentials
Authorization - the set of actions an authenticated identity is permitted to perform
What is an Azure AD tenant?
A dedicated, isolated instance of Azure AD that an organization receives when it signs up for a Microsoft cloud service.
An individual tenant is homed in a single geography (where its directory data is stored).
An organization can have several tenants in different geographies.
Every tenant gets its own initial domain name of the form <name>.onmicrosoft.com (e.g. contoso.onmicrosoft.com); verified custom domains such as contoso.com can be added later.
Organization = Tenant = Directory
Who are the ‘people’ in a tenant? What do they do?
Identities (users, groups, devices, service principals) - the identity and access management resources of the tenant.
They perform actions on the resources within the subscriptions associated with the Azure AD tenant.
What is the relationship of a tenant to a subscription?
A subscription trusts exactly one Azure AD tenant at a time (it can be transferred to another tenant).
One tenant can be associated with multiple subscriptions at the same time.
What are the features of Azure AD?
IAM Platform - identity and access management
Identity Security - multi-factor authentication, Conditional Access policies, Privileged Identity Management (PIM: just-in-time, time-bound activation of privileged roles)
Collaboration & Development - B2B (guest) and B2C (customer) collaboration
Monitoring - audit logging, security monitoring, Identity Protection, risk management
Identity integration - SSO, Azure AD Connect (hybrid identity), Azure AD Domain Services
Enterprise Access - control access to applications and devices in the cloud
What is the difference between Azure AD and AD?
Azure AD
Uses SAML, OAuth 2.0 / OpenID Connect, WS-Federation
Global service
Cloud-based solution
Flat directory structure (no organizational units)
AD
Uses Kerberos, LDAP, NTLM
Hierarchical (forests, domains, organizational units)
On-premises
What are the steps for designing a Tenant?
Build security foundations - MFA, protect privileged users, etc.
Populate identity resources - add users, create groups, add devices, set up hybrid identity.
Manage apps - identify apps to be used from the app gallery, and register on-premises apps.
Monitor and automate - perform access reviews, automate user lifecycles, monitor admins.
What are the types of users in Azure AD?
Admins - native users with one or more admin roles assigned
Members - regular users native to the Azure AD tenant
Guests - external users invited into the Azure AD tenant (B2B)
All three have a set of default permissions; guest defaults are more restricted than member defaults
What are the four main methods of creating and managing users?
Create/add users via Azure AD
Bulk add users - upload a CSV file using the bulk create operation in Azure AD
Update user properties
Invite a guest account
What are the 3 steps to creating and managing users?
Create your type of user
Define role assignment - permissions and access
Define object ownership - apps, devices, groups and other resources the user owns
What are user groups?
Collections of users that share permissions, licenses, role assignments, etc., so these can be assigned once to the group rather than per user.
What is the role of the group owner?
Owners manage the group itself (membership and settings) without needing a directory admin role
What are the 2 major group types?
Security groups, Microsoft 365 groups
What is a security group?
Used to manage access to shared resources for a set of users (and optionally devices or service principals), e.g. by assigning the group to an app, a role or an Azure resource
What is a 365 group?
Gives members shared access to a mailbox, calendar, files, Teams, etc.; membership is users only
What are the 3 Azure AD Membership Types?
Assigned, dynamic user, dynamic device
What is an assigned membership type?
Users specifically selected to be members of a group
What is a dynamic user?
Automated, rule-based membership driven by user attributes - e.g. add every user whose department is Finance
What is a dynamic device?
Automated, rule-based membership driven by device attributes - e.g. OS type or ownership.
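Dynamic membership rules are written in a small expression language (`user.department -eq "Finance"`, `-and`, `-or`, `-not`, parentheses). The following is an added example, not code from the flashcards or from Microsoft: a toy evaluator for a subset of that syntax, run against a constructed set of user and device objects, so you can see which objects a rule admits before you paste it into the portal. The UPNs, device names and the assumption that string comparisons are case-insensitive are ours.

```python
"""Toy evaluator for a subset of the Azure AD dynamic membership rule syntax.
Added example, not Microsoft code; the real service evaluates rules itself.
Supports user.<attr>/device.<attr> properties, "string" and null literals,
-eq -ne -startsWith -contains -in, -and -or -not, and parentheses.
Assumption of this model: string comparisons are case-insensitive."""
import re

# One token per match: bracket, comma, "string", -operator, or identifier (user.department, null).
TOKEN_RE = re.compile(r'\s*(\(|\)|\[|\]|,|"(?:[^"\\]|\\.)*"|-[A-Za-z]+|[A-Za-z_][\w.]*)')

def tokenize(rule):
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {rule[pos:pos + 10]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _norm(v):
    return v.lower() if isinstance(v, str) else v

COMPARISONS = {
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-startswith": lambda a, b: isinstance(a, str) and isinstance(b, str) and _norm(a).startswith(_norm(b)),
    "-contains": lambda a, b: isinstance(a, str) and isinstance(b, str) and _norm(b) in _norm(a),
    "-in": lambda a, b: _norm(a) in [_norm(x) for x in b],
}

class Parser:
    """Recursive descent, precedence -not > -and > -or; builds nested tuples."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok.lower() != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_expr(self):
        return self.parse_binary("-or", lambda: self.parse_binary("-and", self.parse_not))

    def parse_binary(self, op, operand):
        left = operand()
        while (self.peek() or "").lower() == op:
            self.take()
            left = (op[1:], left, operand())
        return left

    def parse_not(self):
        if (self.peek() or "").lower() == "-not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take("(")
            node = self.parse_expr()
            self.take(")")
            return node
        prop = self.take()
        if not re.fullmatch(r"(user|device)\.\w+", prop):
            raise ValueError(f"bad property {prop!r}")
        op = self.take().lower()
        if op not in COMPARISONS:
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", op, prop.split(".", 1)[1], self.parse_value(op == "-in"))

    def parse_value(self, is_list):
        if is_list:  # -in takes a bracketed list of literals
            self.take("[")
            items = []
            while self.peek() != "]":
                items.append(self.parse_value(False))
                if self.peek() == ",":
                    self.take()
            self.take("]")
            return items
        tok = self.take()
        if tok.lower() == "null":
            return None
        if tok.startswith('"'):
            return tok[1:-1].replace('\\"', '"')
        raise ValueError(f"bad literal {tok!r}")

def evaluate(node, obj):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], obj) or evaluate(node[2], obj)
    if kind == "and":
        return evaluate(node[1], obj) and evaluate(node[2], obj)
    if kind == "not":
        return not evaluate(node[1], obj)
    _, op, attr, value = node
    return COMPARISONS[op](obj.get(attr), value)  # an absent attribute behaves as null

def members(rule, objects, key):
    """Return the `key` attribute of every object the rule admits, sorted."""
    ast = Parser(tokenize(rule)).parse()
    return sorted(o[key] for o in objects if evaluate(ast, o))

# Constructed sample directory objects (not real tenant data).
USERS = [
    {"userPrincipalName": "alice@contoso.onmicrosoft.com", "department": "Finance", "country": "US", "userType": "Member"},
    {"userPrincipalName": "bob@contoso.onmicrosoft.com", "department": "Sales", "country": "US", "userType": "Member"},
    {"userPrincipalName": "carol@contoso.onmicrosoft.com", "department": "finance", "country": "DE", "userType": "Member"},
    {"userPrincipalName": "dave_fabrikam.com#EXT#@contoso.onmicrosoft.com", "department": None, "country": "US", "userType": "Guest"},
]
DEVICES = [
    {"displayName": "LAPTOP-01", "deviceOSType": "Windows", "deviceOwnership": "Company"},
    {"displayName": "PHONE-02", "deviceOSType": "iOS", "deviceOwnership": "Personal"},
]

if __name__ == "__main__":
    print(members('(user.department -eq "Finance") -and (user.country -eq "US")', USERS, "userPrincipalName"))
```

Two things worth noticing when you test rules this way: a user whose attribute is unset matches `-eq null` (so a rule that keys only on `department` silently admits users with no department), and guests are ordinary users as far as the rule engine is concerned, so a rule that grants access should usually exclude `user.userType -eq "Guest"` explicitly unless that is intended.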
What are user admins?
Admins are members of Azure AD tenants with admin privileges
What are administrative units?
Restrict the scope of an admin role to a subset of users, groups or devices, so that delegated admins do not have tenant-wide scope.
What are examples of practical administrative unit use cases?
Business department
Geographical location
Parent or subsidiary organization
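To make the scoping concrete, here is an added example (not from the flashcards and not Microsoft code) that models how an AU-scoped role assignment is evaluated. It borrows the Microsoft Graph shape of a role assignment, where `directoryScopeId` is `/` for the whole tenant or `/administrativeUnits/<id>` for one AU, and pairs it with a constructed subset of role definitions, AU memberships and UPNs; all of those names are ours. It answers two questions a practitioner asks when reviewing delegation: "can this helpdesk admin reset that user's password?" and "who, in total, can reset this user's password?"

```python
"""Model of how administrative-unit (AU) scoping limits an Azure AD role assignment.
Added example, not Microsoft code: the real authorization engine lives in the service.
Shape borrowed from Microsoft Graph: a role assignment carries a directoryScopeId of
"/" (whole tenant) or "/administrativeUnits/<au-id>"; a role definition lists the
resource actions it grants. Role definitions, AUs and users below are constructed."""

TENANT_SCOPE = "/"
AU_PREFIX = "/administrativeUnits/"
RESET = "microsoft.directory/users/password/update"

# Constructed subset of role definitions: which resource actions each role grants.
ROLE_DEFINITIONS = {
    "Helpdesk Administrator": {RESET, "microsoft.directory/users/standard/read"},
    "User Administrator": {RESET, "microsoft.directory/users/basic/update",
                           "microsoft.directory/users/create", "microsoft.directory/users/delete"},
}

def scope_covers(directory_scope_id, target_user, au_members):
    """True if the scope includes target_user: tenant-wide, or the user is in the named AU."""
    if directory_scope_id == TENANT_SCOPE:
        return True
    if directory_scope_id.startswith(AU_PREFIX):
        au_id = directory_scope_id[len(AU_PREFIX):]
        return target_user in au_members.get(au_id, set())
    raise ValueError(f"unsupported directoryScopeId {directory_scope_id!r}")

def is_allowed(assignments, au_members, principal, action, target_user):
    """Some assignment of `principal` grants `action` and its scope covers `target_user`."""
    return any(
        a["principalId"] == principal
        and action in ROLE_DEFINITIONS[a["roleDefinition"]]
        and scope_covers(a["directoryScopeId"], target_user, au_members)
        for a in assignments
    )

def admins_for(assignments, au_members, action, target_user):
    """Blast-radius view: every principal that can perform `action` on `target_user`."""
    return sorted({
        a["principalId"] for a in assignments
        if action in ROLE_DEFINITIONS[a["roleDefinition"]]
        and scope_covers(a["directoryScopeId"], target_user, au_members)
    })

# Constructed tenant: two regional AUs, one helpdesk admin per AU, one tenant-wide user admin.
AU_MEMBERS = {
    "au-emea": {"alice@contoso.onmicrosoft.com", "bob@contoso.onmicrosoft.com"},
    "au-apac": {"chen@contoso.onmicrosoft.com"},
}
ASSIGNMENTS = [
    {"principalId": "helpdesk-emea@contoso.onmicrosoft.com", "roleDefinition": "Helpdesk Administrator",
     "directoryScopeId": "/administrativeUnits/au-emea"},
    {"principalId": "helpdesk-apac@contoso.onmicrosoft.com", "roleDefinition": "Helpdesk Administrator",
     "directoryScopeId": "/administrativeUnits/au-apac"},
    {"principalId": "useradmin@contoso.onmicrosoft.com", "roleDefinition": "User Administrator",
     "directoryScopeId": "/"},
]

if __name__ == "__main__":
    print(admins_for(ASSIGNMENTS, AU_MEMBERS, RESET, "alice@contoso.onmicrosoft.com"))
```

The EMEA helpdesk admin can reset Alice's password but not Chen's, while the tenant-wide User Administrator can reset anyone's. Two things the model leaves out: users who belong to no AU are reachable only by tenant-scoped assignments, which is exactly why a stray `/`-scoped Helpdesk Administrator undoes the benefit of the AUs, and the real service adds further restrictions, such as a Helpdesk Administrator not being able to reset the password of a user holding a more privileged role.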
What is the purpose of SSPR?
Allow users the capability to reset a password on their own rather than requesting from the admin
Decreased admin overhead
Increased user productivity
What are the 5 major steps of SSPR?
Localization
Verification
Authentication
Password Reset
Notification
What are some authentication methods?
Mobile app notification (Microsoft Authenticator)
Mobile app code
Email
Mobile phone (SMS or voice call)
What are the 3 methods of registering a device in Azure AD?
Registered
Joined
Hybrid Joined
What is Azure AD Registered?
Bring your own device (personally owned); the least restrictive option. A device object exists in the Azure AD tenant.
What is Azure AD Joined?
Device is owned by the organization and users sign in to it with a work account. The device object exists in the Azure AD tenant.