Cloud identities & Managing Users and roles

Question 1

How do you set password complexity requirements in O365?

Answer 1

Set using PowerShell cmdlet
• Must meet three of four complexity requirements
	○ Lowercase characters. (a-z)
	○ Uppercase characters. (A-Z)
	○ Numbers (0-9)
Symbols

Question 2

What length should a password be?

Answer 2

8-16 characters

Question 3

How do you set password expiration policies?

Answer 3

Through the O365 admin centre

Question 4

By default what password configurations are set to off?

Answer 4

Configuration options (default)
○ Password never expires (off)
○ Password expiration timeframe (90 days)
○ Password expiration notification (14 days)

Question 5

How do you reset password in O365?

Answer 5

• Reset through O365 Admin Center
• Can send new password to external email
• Require use to reset password on first login

Question 6

What is a soft delete?

Answer 6

Accounts deleted remain in recycle bin for 30 days during this period the account can be reactivated.

Question 7

What is a UPN?

Answer 7

User principle name is the name of a systems user in an E-mail address format.

Question 8

What can an ObjectID be used for?

Answer 8

Used to manage group membership in PowerShell.
Used to add users to security groups.
Can’t use display or UPN.

Question 9

How do you configure MFA in O365?

Answer 9

○ Enable a user level or bulk enable in Active Users
○ Configured by end-user next login after enabled
○ Even if you enable MFA its not enforced until the user has gone through the full set up process.

Question 10

How do you retrieve all licenses types?

Answer 10

○ Get MsolAccountSku (For list of license types)

§ This will present a list of license types and the exact wording you will need to apply licenses to users

Question 11

How do you add licenses to bulk imported users?

Answer 11

○ Add user licenses (UsageLocation must have value)
§ Set-MsolUserLicense -UserPrincipalName -AddLicenses
§ Get-MSolUser -UnLicensedUsersOnly | Set-MsolUserLicense-AddLicenses

Question 12

How do you hard delete an account?

Answer 12

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

Question 13

How do you retrieve soft deleted users?

Answer 13

Get-MsolUser -ReturnDeletedusers

Alternatively can be done through azure admin centre.

Question 14

What is directory synchronisation?

Answer 14

• Directory synchronisation is the identity provisioning choice for enterprise customer moving to O365. Directory Synchronisation allows identities to be managed in on-premise AD and all updates to that identity are synchronised too O365.
• Azure AD connect is a solution to sync the On-premise objects to azure AD

Question 15

What need to be prepared for Directory synchronisation?

Answer 15

• Attribute updates – Know the attributes that are going to Sync to Azure AD. It is recommended to leave the default selection when configuring the Azure AD Connect for Directory Synchronization. You should know how to stop a Sync of on
• Domain controller placement – It is obvious to keep the Directory Sync server on the site which has the DC. Determining the permissions required – Azure AD Connect requirement the below accounts
Determining the permissions required - Azure AD Connect requirement the below account:
• Planning for multi-forest/directory scenarios – Microsoft recommends to consolidate the multi forest into single forest before migrating Office 365.
• Capacity planning for Directory Sync – We need a server with decent configuration for directory Synchronization and normal hardware for SQL installation.
• Two-way synchronization – You to understand the write back options available and required for your organization.
By default, Hybrid exchange will write back below attributes from Azure AD to On-Premise AD

Question 16

What are the two identity models available?

Answer 16

Cloud identity and Federated Identity.

Question 17

What is a cloud identity?

Answer 17

Identity will be created directly in Azure AD and Authentication and Authorization will be done at Azure AD only. We can create Identity Objects using PowerShell or from Office 365 Admin Portal.

Question 18

What is a Federated Identity?

Answer 18

Source of Authority will be in On-Premise AD and the On-Premise AD objects will be Synced to Azure AD using Azure AD Connect to enable the Microsoft 365 services by assigning a license. When a user tries to access Microsoft 365 service, Azure AD redirects the user to get an authentication token from On-Premise AD through web application proxy and ADFS server and with the valid token from On-Premise AD to Azure AD, the services will be allowed for user. We need to Plan and understand the requirements for Azure AD connect deployment and ADFS servers

Question 19

What is cloud authentication?

Answer 19

Identity will be in On-Premise or Azure AD but the authentication happens at Azure AD.
Cloud Authentication: Users will be created in Azure AD and the Authentication and Authorization will happen at Azure AD itself.

Question 20

What is Password Hash Sync with Seamless SSO?

Answer 20

User management will be in On-Premise and you Synchronize objects and Password Hash to Azure AD.

Question 21

What is Pass through authentication with seamless SSO?

Answer 21

User management will be in On-Premise and you Synchronize objects. Authentication will be done by Azure AD authentication services by running a small agent in On-Premise to validate the User identity with On-Premise AD. A max of 12 PTA agents can be installed, 1 Primary and 11 standalones.

Question 22

What is Federated authentication?

Answer 22

On-premises directory objects are synchronized with Office 365 and users accounts are managed on-premises. When a user access an Office 365 services, he will be redirected to On-Premise AD via ADFS servers.

Question 23

What is password writeback and how do you configure it?

Answer 23

Allow you to make a change to password and also update that in Active Directory. Not supported in 2003.
Option 1: On the AD Connect Configuration Wizard -> Configure -> Customize Synchronization Options -> enabled password writeback
Option 2: Azure Portal -> Azure AD -> Password Reset -> On-Premise Integration -> Enabled Writeback passwords to On-Premise Organization
Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. Password writeback is supported in environments that use: Active Directory Federation Services.

Question 24

What is conditional access?

Answer 24

• With Azure Active Directory (Azure AD) conditional access, you can implement automated access control decision for accessing your cloud apps that are based on conditions.
• Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defence for scenarios like denial of service (DoS) attacks but can utilise signals from these events (e.g. The sign in risk level, location of the request and so on)
Following are some common access concerns that conditional access can help you with:

• Sign-in risk: Azure AD Identity Protection detects sign-in risks. How do you restrict access if a detected sign-in risk indicates a bad actor? What if you would like to get stronger evidence that a sign-in was performed by the legitimate user? What if your doubts are strong enough to even block specific users from accessing an app?
• Network location: Azure AD is accessible from anywhere. What if an access attempt is performed from a network location that is not under the control of your IT department? A username and password combination might be good enough as proof of identity for access attempts from your corporate network. What if you demand a stronger proof of identity for access attempts that are initiated from other unexpected countries or regions of the world? What if you even want to block access attempts from certain locations?
• Device management: In Azure AD, users can access cloud apps from a broad range of devices including mobile and also personal devices. What if you demand that access attempts should only be performed with devices that are managed by your IT department? What if you even want to block certain device types from accessing cloud apps in your environment? Client application: Today, you can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. What if an access attempt is performed using a client app type that causes known issues? What if you require a device that is managed by your IT department for certain app types?