Describe Azure Identity, access and security Flashcards
What is Azure Active Directory (Azure AD)?
- directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop
- also helps you maintain your on-prem AD deployment
- Microsoft's cloud-based identity and access management service
- can detect sign-in attempts from unexpected locations or unknown devices
Who uses Azure AD?
- IT admins
- app devs
- users
- online service subscribers
What does Azure AD do?
- authentication
- single sign-on
- app management
- device management
What is Azure AD connect?
- synchronizes user identities between on-prem AD and Azure AD
- syncs changes between both systems so you can use single sign-on, MFA and self-service password reset under both systems
What is Azure Active Directory Domain Services (Azure AD DS)?
- service that provides managed domain services such as domain join, group policy, LDAP and NTLM authentication
- lets you use directory services without having to maintain the infrastructure that supports them
- a managed domain lets you run legacy apps in the cloud that can't use modern auth
How does Azure AD DS work?
- when you create it you define a unique namespace; this is the domain name
- 2 Windows Server domain controllers are deployed into the selected region
- you don't need to manage or update the DCs; Azure does it for you
What is single sign-on (SSO)?
- enables users to sign in one time and use that credential to access multiple resources and apps from different providers
- the apps and providers must trust the initial authenticator
- only need to remember one ID and one password
- only as secure as the initial authenticator
What is MFA?
- prompts the user for an extra form of ID during sign-in
- protects against password compromise
- can ask for something the user knows (security question), something they have (phone code) or something they are (fingerprint)
- Azure AD MFA lets the user choose an additional form of auth during sign-in
What is passwordless auth?
- most convenient security measure
- asks for something you have plus something you are or something you know
- Azure AD has 3 forms: Windows Hello, the Authenticator app and FIDO2 security keys
What is Windows Hello?
- biometric and PIN are directly tied to the user's PC
- once the PC is registered they can log in using the PIN
What is the Authenticator app?
- both an MFA option and a passwordless option
- sign in to any platform by receiving a phone notification, matching the number on the screen to the one on the phone, then using biometrics/PIN to confirm
What are FIDO2 security keys?
- an unphishable, standards-based passwordless auth method that can come in any form factor
- allows orgs to leverage the standard to sign in to their resources without a password by using an external security key
- users register, select the key at the sign-in interface and go
- keys are usually USB devices but could be Bluetooth or NFC
What is an external identity?
- a person, device or service that is outside of your org
What is Azure AD External Identities?
- refers to all the ways you can securely interact with users outside of your org, such as collaboration with partners, distributors, suppliers or vendors and
- external users can "bring their own identities"
- e.g. a social ID like Facebook
- the external user's ID provider manages their ID and you manage access to your apps with Azure AD or Azure AD B2C to keep resources protected
What is B2B?
- business to business
- collaborate with external users by letting them use their preferred ID to sign in to Microsoft or other enterprise apps
- represented in the directory as guest users
What is B2B direct connect?
- establishes a mutual two-way trust with another Azure AD organisation for seamless collaboration
- Teams shared channels are supported
- users aren't represented in your directory but they're visible from within their home instances of Teams
What is Azure AD B2C?
- business to customer
- publish modern SaaS apps or custom-developed apps to consumers and customers while using B2C for ID and access management
What is Azure Conditional Access?
- the tool Azure AD uses to allow access to resources based on ID signals, which include who the user is, where they are and what device they are requesting access from
- helps with MFA: users won't be asked for a second auth factor if they are at a known location
- signal -> decision -> enforcement (policy)
When is conditional access useful?
- MFA based on role, location or network (e.g. require MFA for admins but not regular users)
- require access to services only through approved client apps (e.g. only Gmail can be used to connect to the email service)
- require users to access app from managed devices
- block untrusted sources
What is role-based access control (RBAC)?
- controls access to resources through roles rather than assigning access permissions to individuals
- Azure provides built-in roles for common cases, but you can also create custom roles
- roles contain permissions
How is RBAC applied to resources?
- RBAC is applied to a scope, which is the resource or set of resources the role assignment applies to
- scopes include: management group, single subscription, resource group, a single resource
- it's hierarchical in nature: access granted at a parent scope is inherited by all child scopes
How is RBAC enforced?
- enforced on any action initiated against an Azure resource that passes through Azure Resource Manager
- doesn't enforce access permissions at the app or data level
What is the Zero Trust model?
- security model that assumes the worst case scenario and protects resources with that expectation
- assumes breach at the outset, then verifies each request as though it originated from an uncontrolled network
What principles is the Zero Trust model based on?
- verify explicitly: always authenticate and authorize based on all available data points
- use least privilege access: limit user access with JIT, risk-based adaptive policies and data protection
- assume breach: minimize blast radius and segment access, end-to-end encryption
- requires everyone to authenticate, then grants access based on that auth