Configure Microsoft Entra ID Flashcards

1
Q

Entra ID Feature Benefit: Single sign-on (SSO) access

A

Microsoft Entra ID provides secure single sign-on (SSO) to web apps on the cloud and to on-premises apps. Users can sign in with the same set of credentials to access all their apps.

2
Q

Entra ID Feature Benefit: Ubiquitous device support

A

Microsoft Entra ID works with iOS, macOS, Android, and Windows devices, and offers a common experience across the devices. Users can launch apps from a personalized web-based access panel, mobile app, Microsoft 365, or custom company portals by using their existing work credentials.

3
Q

Entra ID Feature Benefit: Secure remote access

A

Microsoft Entra ID enables secure remote access for on-premises web apps. Secure access can include multifactor authentication (MFA), conditional access policies, and group-based access management. Users can access on-premises web apps from everywhere, including from the same portal.

4
Q

Entra ID Feature Benefit: Cloud extensibility

A

Microsoft Entra ID can extend to the cloud to help you manage a consistent set of users, groups, passwords, and devices across environments.

5
Q

Entra ID Feature Benefit: Sensitive data protection

A

Microsoft Entra ID offers unique identity protection capabilities to secure your sensitive data and apps. Admins can monitor for suspicious sign-in activity and potential vulnerabilities in a consolidated view of users and resources in the directory.

6
Q

Entra ID Feature Benefit: Self-service support

A

Microsoft Entra ID lets you delegate selected administrator tasks to company employees. Providing self-service app access and password management through verification steps can reduce helpdesk calls and enhance security.

7
Q

Entra ID Key Concept: Identity

A

An identity is an object that can be authenticated. The identity can be a user with a username and password. Identities can also be applications or other servers that require authentication by using secret keys or certificates. Microsoft Entra ID is the underlying product that provides the identity service.

8
Q

Entra ID Key Concept: Account

A

An account is an identity that has data associated with it. To have an account, you must first have a valid identity. You can’t have an account without an identity.

9
Q

Entra ID Key Concept: Microsoft Entra Account

A

A Microsoft Entra ID account is an identity that’s created through Microsoft Entra ID or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Microsoft Entra ID and are accessible to your organization’s cloud service subscriptions. The Microsoft Entra account is also called a work or school account.

10
Q

Entra ID Key Concept: Azure tenant (directory)

A

An Azure tenant is a single dedicated and trusted instance of Microsoft Entra ID. Each tenant (also called a directory) represents a single organization. When your organization signs up for a Microsoft cloud service subscription, a new tenant is automatically created. Because each tenant is a dedicated and trusted instance of Microsoft Entra ID, you can create multiple tenants or instances.

11
Q

Entra ID Key Concept: Azure Subscription

A

An Azure subscription is used to pay for Azure cloud services. Each subscription is joined to a single tenant. You can have multiple subscriptions.

12
Q

Active Directory Domain Services

A

AD DS is a traditional deployment of Windows Server-based Active Directory on a physical or virtual server. The wider Active Directory role family also includes AD Certificate Services (AD CS), AD Lightweight Directory Services (AD LDS), AD Federation Services (AD FS), and AD Rights Management Services (AD RMS). The recommendation is not to deploy AD DS in Azure unless you are targeting IaaS workloads that specifically depend on AD DS.

13
Q

Microsoft Entra ID (as contrasted to AD DS)

A

Different from installing AD DS on an Azure VM and joining it to the on-prem domain.
* Identity Solution: AD DS is primarily a directory service, whereas Entra ID is a full identity solution designed for internet-based applications that use HTTP and HTTPS communications.
* Communication Protocols: Because Entra ID is based on HTTP and HTTPS, it doesn't use Kerberos authentication for cloud apps; instead it uses protocols suited to HTTP/HTTPS such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth 2.0 for authorization).
* Federation Services: Entra ID includes federation services and can federate with many third-party identity providers, such as Facebook.
* Flat Structure: Entra ID users and groups are created in a flat structure; there are no OUs or GPOs.
* Managed Service: Entra ID is a managed service. You manage only users, groups, and policies. If you deploy AD DS on VMs in Azure, you also own deployment, configuration, the VMs themselves, patching, and back-end processes.

14
Q

Microsoft Entra Editions and Feature Comparison (Overall)

A

Free, Premium P1, Premium P2
* Shared across all 3:
  * Unlimited SSO
  * Core ID and Access Management
  * Business-to-Business Collab
  * Free Tier Limitation: 500,000 Directory Objects
* P1 and P2 Shared:
  * Premium Features
  * Hybrid Identities
  * Advanced Group Access Management
  * Conditional Access
* P2 Only:
  * Identity Protection
  * Identity Governance

15
Q

Entra Edition Free Features

A
  • Directory Objects: 500,000
  • Unlimited Single Sign-on (Shared with Premium P1/P2)
  • Core ID & Access Mgmt (Shared with P1/P2)
  • Business-to-Business Collaboration (Shared with P1/P2)

Includes user/group mgmt, on-prem directory sync, and basic reports. SSO is supported across Azure, M365, many popular SaaS apps.

https://learn.microsoft.com/en-us/training/modules/configure-azure-active-directory/5-select-editions

16
Q

Entra Premium P1 Edition Features

A
  • Unlimited Directory Objects (Same as P2)
  • Unlimited SSO (Shared All 3)
  • Core IAM (Shared All 3)
  • B2B Collab (Shared All 3)
  • IAM for M365 Apps (Shared with P2)
  • Premium Features (Shared with P2)
  • Hybrid IDs (Shared with P2)
  • Advanced Group Access Management (Shared with P2)
  • Conditional Access (Shared with P2)

Main differences from Free: hybrid users get access across both on-prem and cloud resources; advanced administration such as dynamic groups, self-service group management, and cloud write-back; Microsoft Identity Manager (the on-prem identity and access management suite); and self-service password reset for on-prem users.

https://learn.microsoft.com/en-us/training/modules/configure-azure-active-directory/5-select-editions

17
Q

Entra Premium P2 Edition Features

A
  • Unlimited Directory Objects (Same as P1)
  • Unlimited SSO (Shared All 3)
  • Core IAM (Shared All 3)
  • B2B Collab (Shared All 3)
  • IAM for M365 Apps (Shared with P1)
  • Premium Features (Shared with P1)
  • Hybrid IDs (Shared with P1)
  • Advanced Group Access Management (Shared with P1)
  • Conditional Access (Shared with P1)
  • Identity Protection (P2 ONLY)
  • Identity Governance (P2 ONLY)

Main additions over Free and P1: risk-based Conditional Access to apps and critical company data (Conditional Access itself is a P1 feature, which is why the chart lists it under both editions; the user-risk and sign-in-risk signals that risk-based policies consume come from Identity Protection, which is P2 only); Privileged Identity Management to discover, restrict, and monitor admins and their access to resources, and to provide just-in-time access when needed.

https://learn.microsoft.com/en-us/training/modules/configure-azure-active-directory/5-select-editions

18
Q

Entra ID User Account Type: Cloud Identity

A

User accounts with a cloud identity are defined only in Entra ID. This includes admin accounts and users who are managed as part of your org. A cloud identity can be a user account defined in your Entra organization, or a user account defined in an external Microsoft Entra instance. When a cloud identity is removed from the primary directory, the user account is deleted.

19
Q

Entra ID User Account Type: Directory-synchronized identity

A

User accounts with a directory-synchronized identity are defined in an on-premises Active Directory. A sync activity via Microsoft Entra Connect brings the user accounts into Microsoft Entra ID. The source of the accounts is Windows Server AD.

20
Q

Entra ID User Account Type: Guest User

A

Guest user accounts are defined outside Azure. Examples include users from other cloud providers and Microsoft accounts such as an Xbox LIVE account. The source for guest user accounts is Invited user. Guest user accounts are useful when external vendors or contractors need access to your Azure resources.

21
Q

Entra ID User Account Type Selection Considerations

Between Cloud Identity, Directory-Sync Identity, or Guest User

A
  • Consider where users are defined: are they all within your Entra tenant/org, or are some in external Entra instances? Are any users entirely outside your organization? It is common to support two or more account types.
  • Consider support for external contributors: the Guest user type fits here; you can remove the user account and its access privileges when they are no longer needed.
  • Consider a combination of user accounts: directory-synchronized identities for users defined in Windows Server AD, and cloud identities for users defined in your own Entra organization or in an external Microsoft Entra instance.
22
Q

Methods to add cloud identity users to Entra ID

A

Azure portal / Microsoft Entra admin center, Microsoft 365 admin center, Microsoft Intune admin center, and Azure CLI.

The Microsoft Graph API and Microsoft Graph PowerShell also allow creating users from PowerShell, but these may not be in the test yet.

23
Q

Cloud Identity User Account Requirements and Setup

A
  • Must have a display name and an associated user account name (the account name is the UPN, in email format).
  • Global Administrators and User Administrators can preset profile data in user accounts.
  • Non-admin users can set some of their own profile data but cannot change their display name or account name.

Consider:
* Supplying some profile data per your org’s requirements
* Restoration options - e.g. up to 30 days after account deletion. (After 30 days it cannot be restored).
* Gathering account data such as sign-in and audit log info for accounts to analyze and improve your infrastructure.

24
Q

Bulk User Account Creation/Deletion

A
  • Usually done through the portal, but Azure PowerShell can also be used for bulk upload of user accounts.
  • Only Global Administrators and User Administrators have the privileges to create/delete user accounts in the portal.
  • The admin fills out a CSV template with the data for the user accounts to create/delete (the template can be downloaded from the Entra admin center).
  • Bulk lists of user accounts can also be downloaded.

Considerations:
* Naming conventions: account names, display names, and user aliases. A convention simplifies bulk operations by making account fields predictable and programmable.
* Initial passwords: adopt a convention for the initial password. Generate it randomly and distribute it in a secure way (e.g. email to the user or their manager), never a shared or guessable default.
* Strategies to minimize errors: errors can be found and downloaded on the bulk operations results page, which shows the reason for each error. General best practice is to upload smaller batches of users so you can troubleshoot as you go.
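The three considerations above (naming convention, random initial passwords, small batches) are easy to get wrong by hand, so here is an added example that builds the bulk-create CSV for you. It is not code from the training module. Assumptions: the header layout is the bulk-create template as downloaded from the Entra admin center at the time of writing (download the current template and compare before uploading), the naming convention `given.surname@domain` is this example's own choice, and the people records are constructed sample input.

```python
"""Build Entra ID bulk-create CSV batches: predictable UPNs from a naming
convention, CSPRNG initial passwords, and small batches for troubleshooting.
Added example; not part of the training module."""
import csv
import io
import secrets
import string
import unicodedata

# Assumption: header layout of the bulk-create template downloaded from the
# Entra admin center at the time of writing. Always download the current
# template and compare before uploading; a header mismatch fails the upload.
TEMPLATE_VERSION = "version:v1.0"
HEADER = [
    "Name [displayName] Required",
    "User name [userPrincipalName] Required",
    "Initial password [passwordProfile] Required",
    "Block sign in (Yes/No) [accountEnabled] Required",
]
ALLOWED = string.ascii_lowercase + string.digits


def ascii_token(text):
    """Fold accents and drop anything outside [a-z0-9] so UPNs stay predictable."""
    folded = unicodedata.normalize("NFKD", text)
    return "".join(c for c in folded.lower() if c in ALLOWED)


def make_upn(given, surname, domain):
    """Naming convention used by this example (assumption): given.surname@domain."""
    g, s = ascii_token(given), ascii_token(surname)
    if not g or not s:
        raise ValueError(f"name does not reduce to a usable token: {given!r} {surname!r}")
    return f"{g}.{s}@{domain}"


def initial_password(length=16):
    """Random password from the OS CSPRNG with all four character classes present.
    Never derived from user data, so one leaked handout reveals nothing about another."""
    if length < 8:
        raise ValueError("initial password too short")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@^_"]
    chars = [secrets.choice(cls) for cls in classes]              # one from each class
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                         # avoid a fixed class order
    return "".join(chars)


def build_rows(people, domain, block_sign_in=False):
    """One CSV row per person. Returns (rows, handout) where handout maps UPN to
    the initial password for out-of-band distribution; the CSV itself contains
    those passwords and must be handled and deleted as a secret."""
    rows, handout = [], {}
    for person in people:
        upn = make_upn(person["given"], person["surname"], domain)
        if upn in handout:
            raise ValueError(f"naming convention produced a duplicate UPN: {upn}")
        pw = initial_password()
        display = f"{person['given']} {person['surname']}"
        rows.append([display, upn, pw, "Yes" if block_sign_in else "No"])
        handout[upn] = pw
    return rows, handout


def render_csv(rows):
    """Serialize in the template's shape: version line, header row, data rows."""
    buf = io.StringIO()
    buf.write(TEMPLATE_VERSION + "\n")
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def batches(rows, size=50):
    """Split rows into small uploads so a failed batch is easy to diagnose."""
    if size < 1:
        raise ValueError("batch size must be positive")
    return [rows[i:i + size] for i in range(0, len(rows), size)]


if __name__ == "__main__":
    # Constructed sample input, not real people.
    people = [{"given": "Ana", "surname": "Pérez"}, {"given": "Bo", "surname": "Li"}]
    rows, handout = build_rows(people, "contoso.example")
    for n, batch in enumerate(batches(rows, size=1), start=1):
        with open(f"bulk-create-{n}.csv", "w", encoding="utf-8", newline="") as fh:
            fh.write(render_csv(batch))
    print(f"wrote {len(rows)} rows; distribute {len(handout)} passwords out of band")
```

Upload the generated files one batch at a time; if a batch is rejected, the results page tells you which row failed and why, and only that batch needs to be corrected and re-uploaded. Shred the CSVs and the handout once the users have changed their initial passwords.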

25
Q

Types of Entra Group Accounts

Only 2 Types

A

Security Groups: manage member and computer access to shared resources for a group of users. Usually used in conjunction with a security policy to apply same permissions to all members of the group.

M365 Groups: provide collab opportunities - shared mailbox, calendar, files, SharePoint site, and more.

26
Q

Who can implement Entra Security Groups?

A

Microsoft Entra Administrator

27
Q

Who can implement/use M365 Groups?

A

Normal users and Microsoft Entra Admins can implement, and these M365 groups can enable group access for guest users outside your Entra org.

28
Q

Ways to Assign Members Access Rights to a Group

A
  • Assigned: specific users are assigned as members; each user can have unique permissions.
  • Dynamic user: dynamic membership rules automatically add and remove group members based on member attributes. When a member's attributes change, Azure re-evaluates the directory's dynamic group rules and adds the user to or removes them from the group accordingly.
  • Dynamic device (security groups only): dynamic group rules automatically add or remove devices in security groups based on device attributes. A device that meets the rule is added; one that no longer meets it is removed.
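The add/remove behaviour of dynamic membership is a reconciliation pass: compute who should be a member from current attributes, then diff against who is a member. The following added example models that pass in Python so the mechanics can be seen on sample data. It is not Entra ID's rule engine, nor part of the training module: it supports only a conjunction of clauses using the operators -eq, -ne, -startsWith and -contains, treats absent attributes as never matching and string comparisons as case-insensitive (both simplifications chosen here; check the product documentation for the real semantics), and the users and rule are constructed sample input.

```python
"""Toy reconciliation of a dynamic-membership rule against user attributes.
Added example; a simplified model of the concept, not Entra ID's rule engine."""
import re

# One clause: (user.<attribute> <operator> "string") or (user.<attribute> -eq true)
CLAUSE = re.compile(
    r'\(\s*user\.(\w+)\s+(-eq|-ne|-startsWith|-contains)\s+(?:"([^"]*)"|(true|false))\s*\)'
)


def parse_rule(rule):
    """Parse '(clause) and (clause) ...' into (attribute, operator, value) tuples.
    Anything outside this toy grammar (e.g. 'or', -match, -in) is rejected loudly
    rather than silently ignored, since a misparsed rule would grant or revoke access."""
    clauses, rest = [], rule.strip()
    while rest:
        m = CLAUSE.match(rest)
        if not m:
            raise ValueError(f"unsupported rule fragment: {rest!r}")
        attr, op, text, boolean = m.groups()
        value = text if text is not None else (boolean == "true")
        clauses.append((attr, op, value))
        rest = rest[m.end():].lstrip()
        if rest:
            joiner = re.match(r"and\b", rest, re.IGNORECASE)
            if not joiner:
                raise ValueError(f"only 'and' is supported between clauses: {rest!r}")
            rest = rest[joiner.end():].lstrip()
    if not clauses:
        raise ValueError("empty rule")
    return clauses


def clause_matches(attrs, attr, op, value):
    """Evaluate one clause against a user's attribute dictionary."""
    actual = attrs.get(attr)
    if actual is None:
        return False                      # simplification: absent attribute never matches
    if isinstance(value, bool):           # boolean literals only make sense with -eq / -ne
        if not isinstance(actual, bool) or op not in ("-eq", "-ne"):
            return False
        return (actual == value) if op == "-eq" else (actual != value)
    a, v = str(actual).lower(), value.lower()   # simplification: case-insensitive strings
    if op == "-eq":
        return a == v
    if op == "-ne":
        return a != v
    if op == "-startsWith":
        return a.startswith(v)
    if op == "-contains":
        return v in a
    return False


def reconcile(rule, users, current_members):
    """Desired membership from attributes, diffed against current membership.
    Returns (to_add, to_remove) as sorted lists of UPNs."""
    clauses = parse_rule(rule)
    desired = {
        upn for upn, attrs in users.items()
        if all(clause_matches(attrs, *clause) for clause in clauses)
    }
    current = set(current_members)
    return sorted(desired - current), sorted(current - desired)


# Constructed sample directory, not real accounts.
USERS = {
    "alice@contoso.example": {"department": "Sales", "accountEnabled": True},
    "bob@contoso.example": {"department": "Engineering", "accountEnabled": True},
    "carol@contoso.example": {"department": "Sales", "accountEnabled": False},
}
RULE = '(user.department -eq "Sales") and (user.accountEnabled -eq true)'


def demo():
    """Two passes: first fixes stale membership, second reacts to an attribute change."""
    members = {"carol@contoso.example"}           # stale: carol was disabled after joining
    first = reconcile(RULE, USERS, members)
    members = (members | set(first[0])) - set(first[1])
    moved = dict(USERS)
    moved["alice@contoso.example"] = {"department": "Marketing", "accountEnabled": True}
    second = reconcile(RULE, moved, members)      # alice transferred out of Sales
    return first, second


if __name__ == "__main__":
    for label, (add, remove) in zip(("initial pass", "after transfer"), demo()):
        print(f"{label}: add={add} remove={remove}")
```

The point to carry to the exam and to real tenants: whoever can write the attributes a rule reads (HR feed, Entra Connect sync, a delegated user administrator) effectively controls membership of every group, and therefore every permission, that rule drives.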