Describe access management capabilities of Microsoft Entra ID Flashcards
Conditional access
analyses signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data).
t or f
Conditional Access policies at their simplest are if-then statements
true
Example: a Conditional Access policy might state that if a user belongs to a certain group, then they're required to provide multifactor authentication to sign in to an application.
A conditional access policy in Microsoft Entra ID consists of two components
assignments
access controls
t or f
When creating a conditional access policy, admins can determine which signals to use through assignments
true
Assignment portion of the policy controls:
who
what
where
when
users and groups
assign who the policy will include or exclude
cloud apps or actions
include or exclude cloud applications, user actions, or authentication contexts
conditions
define where and when the policy will apply.
sign-in risk
user risk
device platform
IP location info
client apps
filters for devices
access control
decision to block access, grant access, grant access with extra verification, or apply a session control
grant access
Administrators can grant access without any additional control, or they can choose to enforce one or more controls when granting access.
session
an administrator can use session controls to enable limited experiences within specific cloud applications
RBAC - role-based access control
managing access using roles
Does Microsoft Entra have built in and custom roles?
yes. these are considered a form of RBAC
Built-in roles
global administrator
user administrator
billing administrator
Global administrator
users with this role have access to all administrative features in Microsoft Entra.
The person who signs up for the Microsoft Entra tenant automatically becomes a global administrator.
User administrator
users with this role can create and manage all aspects of users and groups.
This role also includes the ability to manage support tickets and monitor service health.
billing administrator
users with this role make purchases, manage subscriptions and support tickets, and monitor service health.
Custom roles
a collection of permissions that you choose from a preset list
t or f
Granting permission using custom Microsoft Entra roles is a two-step process
true
what is the first step for granting permission using custom Microsoft Entra roles
creating a custom role definition, consisting of a collection of permissions that you add from a preset list
what is the second step for granting permission using custom Microsoft Entra roles
assign that role to users or groups by creating a role assignment
t or f
Microsoft Entra ID is an available service if you subscribe to any Microsoft Online business offer, such as Microsoft 365 and Azure.
true
Microsoft Entra built-in roles fall into which categories?
Microsoft Entra-specific roles
Service-specific roles
Cross-service roles
Microsoft Entra RBAC
control access to Microsoft Entra resources such as users, groups, and applications.
Azure RBAC
control access to Azure resources such as virtual machines or storage using Azure Resource Management.
An organization plans to implement Conditional Access. What do admins need to do?
Create policies that enforce organizational rules.
Sign-in risk is a signal used by Conditional Access policies to decide whether to grant or deny access. What is sign-in risk?
The probability that the authentication request isn’t authorized by the identity owner.
IT admins have been asked to review Microsoft Entra roles assigned to users, to improve organizational security. Which of the following should they implement?
Replace global admin roles with specific Microsoft Entra roles