Cloud identities & Managing Users and roles Flashcards

1
Q

How do you set password complexity requirements in O365?

A
Set using a PowerShell cmdlet
• Must meet three of four complexity requirements
	○ Lowercase characters (a-z)
	○ Uppercase characters (A-Z)
	○ Numbers (0-9)
	○ Symbols
2
Q

What length should a password be?

A

8-16 characters

3
Q

How do you set password expiration policies?

A

Through the O365 admin centre

4
Q

By default, what password configurations are set to off?

A

Configuration options (default)
○ Password never expires (off)
○ Password expiration timeframe (90 days)
○ Password expiration notification (14 days)

5
Q

How do you reset a password in O365?

A
  • Reset through O365 Admin Center
  • Can send new password to external email
  • Require the user to reset the password on first login
6
Q

What is a soft delete?

A

Deleted accounts remain in the recycle bin for 30 days; during this period the account can be reactivated.

7
Q

What is a UPN?

A

A user principal name is the name of a system user in an e-mail address format.

8
Q

What can an ObjectID be used for?

A

Used to manage group membership in PowerShell.
Used to add users to security groups.
The display name or UPN can't be used for this.

9
Q

How do you configure MFA in O365?

A

○ Enable at the user level or bulk enable in Active Users
○ Configured by the end user at their next login after it is enabled
○ Even if you enable MFA, it's not enforced until the user has gone through the full set-up process.

10
Q

How do you retrieve all license types?

A

○ Get-MsolAccountSku (for a list of license types)

§ This will present a list of license types and the exact wording you will need in order to apply licenses to users

11
Q

How do you add licenses to bulk imported users?

A

○ Add user licenses (UsageLocation must have a value)
§ Set-MsolUserLicense -UserPrincipalName <upn> -AddLicenses <AccountSkuId>
§ Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses <AccountSkuId>

12
Q

How do you hard delete an account?

A

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

13
Q

How do you retrieve soft deleted users?

A

Get-MsolUser -ReturnDeletedUsers

Alternatively, this can be done through the Azure admin centre.

14
Q

What is directory synchronisation?

A
  • Directory synchronisation is the identity provisioning choice for enterprise customers moving to O365. Directory synchronisation allows identities to be managed in on-premises AD, and all updates to that identity are synchronised to O365.
  • Azure AD Connect is the solution that syncs the on-premises objects to Azure AD.
15
Q

What needs to be prepared for directory synchronisation?

A

• Attribute updates – Know the attributes that are going to sync to Azure AD. It is recommended to leave the default selection when configuring Azure AD Connect for directory synchronisation. You should know how to stop a sync of on
• Domain controller placement – It is obvious to keep the directory sync server on the site which has the DC.
• Determining the permissions required – Azure AD Connect requires the accounts below:
• Planning for multi-forest/directory scenarios – Microsoft recommends consolidating multiple forests into a single forest before migrating to Office 365.
• Capacity planning for directory sync – You need a server with a decent configuration for directory synchronisation and normal hardware for the SQL installation.
• Two-way synchronisation – You need to understand the write-back options available and required for your organisation.
By default, hybrid Exchange will write back the attributes below from Azure AD to on-premises AD:

16
Q

What are the two identity models available?

A

Cloud identity and Federated Identity.

17
Q

What is a cloud identity?

A

The identity is created directly in Azure AD, and authentication and authorisation are done in Azure AD only. Identity objects can be created using PowerShell or from the Office 365 admin portal.

18
Q

What is a Federated Identity?

A

The source of authority is on-premises AD, and the on-premises AD objects are synced to Azure AD using Azure AD Connect; Microsoft 365 services are then enabled by assigning a license. When a user tries to access a Microsoft 365 service, Azure AD redirects the user to obtain an authentication token from on-premises AD through the Web Application Proxy and the AD FS server; once a valid token from on-premises AD is presented to Azure AD, the user is allowed to use the services. You need to plan and understand the requirements for the Azure AD Connect deployment and the AD FS servers.

19
Q

What is cloud authentication?

A

The identity may be managed on-premises or in Azure AD, but the authentication happens at Azure AD.
Cloud authentication: users are created in Azure AD, and authentication and authorisation happen in Azure AD itself.

20
Q

What is Password Hash Sync with Seamless SSO?

A

User management is on-premises, and you synchronise objects and password hashes to Azure AD.

21
Q

What is pass-through authentication with seamless SSO?

A

User management is on-premises and you synchronise objects. Authentication is done by the Azure AD authentication service, which runs a small agent on-premises to validate the user's identity against on-premises AD. A maximum of 12 PTA agents can be installed: 1 primary and 11 standalone.

22
Q

What is Federated authentication?

A

On-premises directory objects are synchronised with Office 365, and user accounts are managed on-premises. When a user accesses an Office 365 service, they are redirected to on-premises AD via the AD FS servers.

23
Q

What is password writeback and how do you configure it?

A

Allows you to change a password in the cloud and also update it in Active Directory. Not supported in 2003.
Option 1: In the Azure AD Connect configuration wizard -> Configure -> Customize Synchronization Options -> enable password writeback
Option 2: Azure Portal -> Azure AD -> Password Reset -> On-Premise Integration -> enable Writeback passwords to On-Premise Organization
Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. Password writeback is supported in environments that use: Active Directory Federation Services.

24
Q

What is conditional access?

A

• With Azure Active Directory (Azure AD) conditional access, you can implement automated access control decisions for accessing your cloud apps, based on conditions.
• Conditional access policies are enforced after first-factor authentication has been completed. Therefore, conditional access is not intended as a first line of defence for scenarios like denial of service (DoS) attacks, but it can utilise signals from these events (e.g. the sign-in risk level, the location of the request and so on).
The following are some common access concerns that conditional access can help you with:

• Sign-in risk: Azure AD Identity Protection detects sign-in risks. How do you restrict access if a detected sign-in risk indicates a bad actor? What if you would like to get stronger evidence that a sign-in was performed by the legitimate user? What if your doubts are strong enough to even block specific users from accessing an app?
• Network location: Azure AD is accessible from anywhere. What if an access attempt is performed from a network location that is not under the control of your IT department? A username and password combination might be good enough as proof of identity for access attempts from your corporate network. What if you demand a stronger proof of identity for access attempts that are initiated from other unexpected countries or regions of the world? What if you even want to block access attempts from certain locations?
• Device management: In Azure AD, users can access cloud apps from a broad range of devices, including mobile and personal devices. What if you demand that access attempts should only be performed with devices that are managed by your IT department? What if you even want to block certain device types from accessing cloud apps in your environment?
• Client application: Today, you can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. What if an access attempt is performed using a client app type that causes known issues? What if you require a device that is managed by your IT department for certain app types?