Describe Azure identity, access, and security Flashcards
Microsoft Entra ID (Azure AD)
Is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop. Microsoft Entra ID can also help you maintain your on-premises Active Directory deployment.
-Identity and Access Management service in Azure
-Identities management – users, groups, applications
-Access management – subscriptions, resource groups, roles, role assignments, authentication & authorization settings, etc.
What does Microsoft Entra ID do?
-Authentication
-Single sign-on
-Application Management
-Device Management
-Sync with on-premises AD via sync services
-Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Microsoft Entra Domain Services (Azure AD DS)
Microsoft Entra Domain Services is a service that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication.
-You get the benefit of domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
-A Microsoft Entra Domain Services managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment.
Authentication methods in Azure
-Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple resources and applications from different providers. For SSO to work, the different applications and providers must trust the initial authenticator.
-Multifactor authentication is the process of prompting a user for an extra form (or factor) of identification during the sign-in process.
-Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are, or something you know.
Azure External Identities (Entra External ID)
Microsoft Entra External ID refers to all the ways you can securely interact with users outside of your organization. If you want to collaborate with partners, distributors, suppliers, or vendors, you can share your resources and define how your internal users can access external organizations.
With External Identities, external users can “bring their own identities.” Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The external user’s identity provider manages their identity, and you manage access to your apps with Microsoft Entra ID or Azure AD B2C to keep your resources protected.
Azure Role-based Access Control (RBAC)
-Authorization system built on Azure Resource Manager (ARM)
-Designed for fine-grained access management of Azure Resources
A role assignment is a combination of:
-Role definition – list of permissions like create VM, delete SQL, assign permissions, etc.
-Security principal – user, group, service principal or managed identity
-Scope – resource, resource group, subscription or management group (assignments are inherited by everything below the scope)
Hierarchical:
Management Groups > Subscriptions > Resource Groups > Resources
-Built-in and Custom roles are supported
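The three parts of a role assignment and the scope hierarchy above can be seen working together in a small evaluator. This is an added example, not part of the original flashcards and not Microsoft's code: the scope IDs, the users and groups, and the assignments are constructed, and the two built-in roles are abbreviated (Contributor's real NotActions list is longer). It shows that a Reader assignment at the management group is inherited down to a VM, that a Contributor assignment on one resource group grants nothing in a sibling resource group, and that NotActions subtract from a role rather than acting as a deny.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed scope hierarchy (placeholder IDs, not a real tenant):
# management group > subscription > resource groups > resources
MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM1 = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"
SA1 = RG_DATA + "/providers/Microsoft.Storage/storageAccounts/sa1"
PARENT = {SUB: MG, RG_APP: SUB, RG_DATA: SUB, VM1: RG_APP, SA1: RG_DATA}


@dataclass(frozen=True)
class RoleDefinition:
    actions: tuple           # wildcard patterns such as "*/read"
    not_actions: tuple = ()  # subtracted from actions (this is NOT a deny)


# Abbreviated built-in roles (Contributor's real NotActions list is longer).
ROLES = {
    "Reader": RoleDefinition(actions=("*/read",)),
    "Contributor": RoleDefinition(
        actions=("*",),
        not_actions=(
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ),
    ),
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # constructed user or group name
    role: str
    scope: str


# Constructed security principals and assignments.
GROUPS = {"platform-team": {"alice", "bob"}}
ASSIGNMENTS = [
    RoleAssignment("platform-team", "Reader", MG),   # inherited by everything below the MG
    RoleAssignment("alice", "Contributor", RG_APP),  # rg-app and its resources only
]


def scope_chain(scope):
    """The scope itself followed by each ancestor up to the management group."""
    while scope:
        yield scope
        scope = PARENT.get(scope)


def principals_for(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_roles(user, scope):
    """Roles in force at `scope`: assignments made at the scope or at any of its
    ancestors, to the user directly or to a group containing the user."""
    chain = set(scope_chain(scope))
    principals = principals_for(user)
    return {a.role for a in ASSIGNMENTS if a.principal in principals and a.scope in chain}


def _matches(action, patterns):
    # Azure action strings are case-insensitive; "*" spans path segments.
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def is_allowed(user, action, scope):
    """Azure RBAC is additive: an action is allowed if any effective role lists it
    in Actions and does not exclude it in NotActions. Deny assignments and
    DataActions are not modelled in this example."""
    for name in effective_roles(user, scope):
        role = ROLES[name]
        if _matches(action, role.actions) and not _matches(action, role.not_actions):
            return True
    return False


if __name__ == "__main__":
    print(effective_roles("alice", VM1))                                   # {'Reader', 'Contributor'}
    print(is_allowed("alice", "Microsoft.Storage/storageAccounts/write", SA1))  # False (sibling RG)
    print(is_allowed("alice", "Microsoft.Authorization/roleAssignments/write", RG_APP))  # False (NotAction)
```

The last check is the one that matters most in practice: Contributor can change almost anything in its scope, but it cannot grant roles, which is exactly what keeps a compromised Contributor identity from escalating itself to Owner.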
Zero Trust
Is a security model that assumes the worst case scenario and protects resources with that expectation. Zero Trust assumes breach at the outset, and then verifies each request as though it originated from an uncontrolled network.
-Verify explicitly - Always authenticate and authorize based on all available data points.
-Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
-Assume breach - Minimize blast radius and segment access.
Instead of assuming that a device is safe because it is inside the corporate network, Zero Trust requires every user and device to authenticate, and then grants access based on that authentication and the other signals it carries (device health, location, risk) rather than on network location.
Defense-in-depth - Model
The objective of defense-in-depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
Microsoft Defender for Cloud (Security Center & Azure Defender)
Microsoft Defender for Cloud (formerly Azure Security Center (ASC) and Azure Defender) is a unified security management solution for Azure resources, and for on-premises and other-cloud resources connected to it. It provides centralized visibility into the security posture of your environment and helps you identify and mitigate potential security risks. Defender for Cloud provides several features, including:
-Continuous Security Assessment: continuously monitors your resources and provides recommendations to improve their security posture.
-Threat Protection: threat protection for Azure resources, including virtual machines, containers, and Azure Kubernetes Service (AKS) clusters.
-Security Posture Management: a dashboard that displays the security posture of your environment, including security recommendations and compliance status.
-Security Alerts and Incidents: security alerts and incidents to help you identify and respond to potential security threats.
Components of Microsoft Defender for Cloud:
-Security Policies and Recommendations
-Security Alerts and Incidents
-Just-in-Time VM Access
-Network Security Group (NSG) Flow Logs
-Adaptive Application Controls
-Vulnerability Assessment
-Threat Protection
-Secure Score
-Compliance Dashboard
-Advanced Threat Protection for Azure SQL
Microsoft Sentinel (SIEM/SOAR)
Microsoft Sentinel is a cloud native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that runs in the Azure cloud. It aims to enable holistic security operations by providing collection, detection, response, and investigation capabilities.
You can use Microsoft Sentinel for security event analysis in cloud and on-premises environments. Common use cases include:
-Visualization of log data
-Anomaly detection and alerting
-Investigation of security incidents
-Proactive threat hunting
-Automated response to security events
Network Security Groups (NSG)
-Designed to filter traffic to (inbound) and from (outbound) Azure resources located in an Azure Virtual Network
-Can be associated with subnets and/or network interfaces (NICs)
-Filtering controlled by rules
-Ability to have multiple inbound and outbound rules
Rules are created by specifying:
-Source/Destination (IP addresses or CIDR ranges, service tags, application security groups)
-Protocol (TCP, UDP, ICMP or any)
-Source and destination port (or port ranges, e.g. 3389 RDP, 22 SSH, 80 HTTP, 443 HTTPS)
-Direction (inbound or outbound)
-Action (allow or deny)
-Priority (order of evaluation: lower numbers are evaluated first and the first matching rule wins; custom rules use 100–4096, the default rules sit at 65000 and above)
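How the fields above combine at evaluation time is easier to see in code than in a list. The following is an added example, not part of the original flashcards and not Microsoft's code: it models the inbound side of an NSG with Azure's three default inbound rules plus three constructed custom rules, and evaluates sample packets the way the platform does, lowest priority number first, first match wins. The service-tag prefixes are constructed stand-ins (real tags resolve to Microsoft-published prefix lists; only 168.63.129.16, the Azure load balancer health-probe source, is a real address).

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for service tags. Real tags resolve to Microsoft-published
# prefix lists; only 168.63.129.16 (the Azure load balancer source) is a real address.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["203.0.113.0/24", "198.51.100.0/24"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; the defaults sit at 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP or service tag
    source_port: str   # "*", a port, a range "a-b" or a comma-separated list
    destination: str
    destination_port: str


# Azure's default inbound rules: present in every NSG and cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules for the example.
CUSTOM_INBOUND = [
    Rule("Allow-SSH-From-Bastion", 100, "Inbound", "Allow", "Tcp", "10.0.1.4", "*", "*", "22"),
    Rule("Deny-RDP-From-Internet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "3389"),
    Rule("Allow-RDP-Any", 300, "Inbound", "Allow", "Tcp", "*", "*", "*", "3389"),
]
ALL_INBOUND = CUSTOM_INBOUND + DEFAULT_INBOUND


def _addr_match(spec, ip):
    """Match an address against a service tag, a CIDR prefix or a single IP."""
    prefixes = SERVICE_TAGS.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_match(spec, port):
    """Match a port against "*", "443", "1000-2000" or "22,3389"."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """NSG semantics: rules for the direction are processed in ascending priority
    order (lower number first); the first rule matching all fields decides and
    processing stops, so later rules never see that traffic."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not (_addr_match(r.source, src_ip) and _port_match(r.source_port, src_port)):
            continue
        if not (_addr_match(r.destination, dst_ip) and _port_match(r.destination_port, dst_port)):
            continue
        return r.access, r.name
    return "Deny", "(no rule matched)"  # unreachable while the default rules are present


def invalid_priorities(custom_rules):
    """Names of custom rules outside the 100-4096 range Azure accepts."""
    return [r.name for r in custom_rules if not 100 <= r.priority <= 4096]


if __name__ == "__main__":
    # RDP from the Internet is stopped at 200 even though 300 would allow it.
    print(evaluate(ALL_INBOUND, "Inbound", "Tcp", "203.0.113.7", 51000, "10.0.0.4", 3389))
    # Nothing custom matches HTTPS from the Internet, so DenyAllInBound decides.
    print(evaluate(ALL_INBOUND, "Inbound", "Tcp", "203.0.113.7", 51000, "10.0.0.4", 443))
```

Two things worth noticing when reading the output: a Deny at a lower priority number silences an Allow at a higher one for the same traffic, and any inbound flow not explicitly allowed ends at DenyAllInBound, so an NSG with no custom rules already blocks everything except intra-VNet and load-balancer traffic.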
Application Security Groups (ASG)
-Feature that allows grouping of virtual machines located in Azure virtual network
-Designed to reduce the maintenance effort (assign ASG instead of the explicit IP address)
User-defined Routes (UDR)
-Custom (user-defined, static) routes
-Designed to override Azure's default (system) routes or add new routes, e.g. to send traffic through a firewall or network virtual appliance
-Managed via the Azure Route Table resource
-Associated with zero or more Virtual Network subnets
Azure Firewall
-Managed, cloud-based firewall service (PaaS, Firewall as a Service)
-Built-in high availability
-Highly Scalable
-Inbound & outbound traffic filtering rules
-Support for FQDN (Fully Qualified Domain Name), ex. microsoft.com
-Fully integrated with Azure Monitor for logging and analytics
Azure DDoS Protection
-DDoS protection service in Azure
-All Azure services are already protected by the Basic DDoS Protection
Designed to:
-Detect malicious traffic and block it while allowing legitimate users to connect
-Prevent additional costs for auto-scaling environments
Two tiers (Basic and Standard; Standard has since been renamed DDoS Network Protection, and a per-public-IP option, DDoS IP Protection, was added alongside it):
-Basic – automatically enabled for the Azure platform
-Standard – additional mitigation & monitoring capabilities for Azure Virtual Network resources
-Standard tier uses machine learning to analyze traffic patterns for better accuracy
-If the resource is protected with DDoS Protection Standard, any scale out costs during a DDoS attack are covered and customer will get the cost credit back for those scaled out resources
Azure Key Vault
-Managed service for securing sensitive information (application/platform) (PaaS)
Secure storage service for:
-Keys
-Secrets
-Certificates
-Highly integrated with other Azure services (VMs, Logic Apps, Data Factory, Web Apps, etc.)
-Centralization – one place for secrets instead of scattering them across application configuration files and code
-Access monitoring and logging