Describe Identity, Governance, Privacy, and Compliance Features Flashcards
______________ is the process of establishing the identity of a person or service that wants to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control. It establishes whether the user is who they say they are.
Authentication
______________ is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.
authorization
Compare Authentication and Authorization
True or false: Once authenticated, access rules define what kinds of applications, resources, and data that user can access.
False. Once authenticated, authorization defines what kinds of applications, resources, and data that user can access.
For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that’s managed by your own organization. __________ is Microsoft’s cloud-based identity and access management service.
Azure AD
_____________ is Azure’s cloud-based identity and access management service.
Azure Active Directory
True or false: When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign-in attempts. In contrast, when you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost.
True
True or false: With Azure AD, Microsoft controls the identity accounts and ensures that the service is available globally.
False. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is available globally.
True or false: Azure Active Directory cannot be used for your on-premises needs.
False.
What service provides identity and access management for all of the following in Azure?
- Authentication
- Single Sign On
- Application management
- Business to Business
- Business to Customer
- Device management
Azure Active Directory
IT Administrators can use ______ to control access to applications and resources based on their business requirements.
Azure AD
Developers can use ____________ to provide a standards-based approach for adding functionality to applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user’s existing credentials.
Azure AD
True or false: Self-service password reset for Azure users to change or reset their password with no involvement from an IT administrator or help desk is not available through Azure AD.
False. Self-service password reset enables users to change or reset their password with no involvement from an IT administrator or help desk.
Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online subscribers are already using Azure AD through a _______, which is a representation of an organization that is typically separated from other organizations and has its own identity.
tenant
True or false: Your Microsoft 365, Office 365, Azure, or Dynamics CRM Online tenant will need special setup and is not automatically an Azure AD tenant.
False. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant.
What feature in Azure Active Directory enables devices to be managed through tools like Microsoft Intune? It also allows for device-based Conditional Access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.
Device management
True or false: Azure AD helps users access both external and internal resources.
True. External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
Internal resources might include apps on your corporate network and intranet, along with any cloud applications developed within your organization.
______________ enables a user to sign in one time and use that credential to access multiple resources and applications from different providers.
Single sign-on
True or false: Azure implements strict controls and doesn’t support connecting Active Directory with Azure AD.
False. Connecting Active Directory with Azure AD enables you to provide a consistent identity experience to your users.
____________ synchronizes user identities between on-premises Active Directory and Azure AD. With this, you can synchronize changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.
Azure AD Connect
What would you use to prevent users from using known compromised passwords?
Self-service password reset
What technique can IT administrators use to create a consistent access model across their organization? Doing so greatly simplifies the organization’s ability to sign in to different applications, manage changes to user identities, and control, monitor, and block unusual access attempts.
Integrate its existing Active Directory instance with Azure AD
What would you use if you wanted to allow your employees to use their own mobile devices to access your applications?
Multifactor Authentication and Conditional Access
________________ is a process where a user is prompted during the sign-in process for an additional form of identification. Examples include a code on their mobile phone or a fingerprint scan.
Multifactor authentication
Multifactor authentication provides additional security for your identities by requiring two or more elements to fully authenticate. What are those 3 categories?
- Something the user knows: This might be an email address and password.
- Something the user has: This might be a code that’s sent to the user’s mobile phone.
- Something the user is: This is typically some sort of biometric property, such as a fingerprint or face scan that’s used on many mobile devices.
True or false: The full feature set of Azure AD Multi-Factor Authentication is provided for free in Azure.
False. It’s an extra-cost add-on. Azure Active Directory Premium (P1 or P2 licenses) allows for comprehensive and granular configuration of Azure AD Multi-Factor Authentication through Conditional Access policies (explained shortly).
True or false: Multifactor authentication increases identity security by limiting the impact of credential exposure (for example, stolen usernames and passwords). With multifactor authentication enabled, an attacker who has a user’s password would also need to have possession of their phone or their fingerprint to fully authenticate.
True
__________________ enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.
Azure AD Multi-Factor Authentication
_______________ is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from, which ultimately are used to make decisions and enforce organizational policies.
Conditional Access
What could be used if you wanted to allow a user not to be challenged for a second authentication factor when they’re at a known location? However, they might be challenged for a second authentication factor if their sign-in signals are unusual or they’re at an unexpected location, thus providing a more granular multifactor authentication experience for users.
Conditional Access
Identify 4 situations where Conditional Access is useful.
- Require multifactor authentication to access an application.
- Require access to services only through approved client applications.
- Require users to access your application only from managed devices.
- Block access from untrusted sources, such as access from unknown or unexpected locations.
A ____________ is a device that meets your standards for security and compliance.
managed device
True or false: To use Conditional Access, you need an Azure AD Premium P1 or P2 license. If you have a Microsoft 365 Business Premium license, you also have access to Conditional Access features.
True
________________ establishes the user’s identity.
Authentication (AuthN)
___________ establishes the level of access that an authenticated user has.
Authorization (AuthZ)
_____________ enables a user to sign in one time and use that credential to access multiple resources and applications.
Single sign-on (SSO)
______________ is a cloud-based identity and access management service enabling an organization to control access to apps and resources based on its business requirements.
Azure Active Directory (Azure AD)
_______________ provides additional security for identities by requiring two or more elements to fully authenticate using something the user knows, something the user has, and something the user is.
Azure AD Multi-Factor Authentication
___________ is a tool that Azure AD uses to allow or deny access to resources based on identity signals such as the user’s location.
Conditional Access
How can the IT department ensure that employees at the company’s retail stores can access company applications only from approved tablet devices?
- SSO
- Conditional Access
- Multifactor authentication
Conditional Access
Conditional Access enables you to require users to access your applications only from approved, or managed, devices.
How can the IT department use biometric properties, such as facial recognition, to enable delivery drivers to prove their identities?
- SSO
- Conditional Access
- Multifactor authentication
Multifactor authentication
Authenticating through multifactor authentication can include something the user knows, something the user has, and something the user is.
How can the IT department reduce the number of times users must authenticate to access multiple applications?
- SSO
- Conditional Access
- Multifactor authentication
SSO
SSO enables a user to remember only one ID and one password to access multiple applications.
The term __________ describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced.
governance
True or false: Governance is most beneficial when you have:
- Multiple engineering teams working in Azure.
- Multiple subscriptions to manage.
- Regulatory requirements that must be enforced.
- Standards that must be followed for all cloud resources.
True
True or false: When running in the cloud, a good governance strategy helps you maintain control over the applications and resources that you manage in the cloud. Maintaining control over your environment ensures that you stay compliant with industry standards, like PCI DSS, and corporate or organizational standards, such as ensuring that network data is encrypted.
True
With the concept of role-based access control, what level of privilege is best to assign?
Only grant the lowest level of privilege required for the role
What access method provides for the following?
- Fine grained access management
- Segregate duties within the team and grant only the amount of access to users that they need to perform their jobs
- Enables access to the Azure portal and controls access to resources
Role based access control (RBAC)
True or false: Role-based access control is a premium feature requiring additional costs for your subscription.
False. It’s included in all subscriptions.
Role-based access control is applied to a _________, which is a resource or set of resources that this access applies to.
scope
True or false: Scopes include:
- A management group (a collection of multiple subscriptions).
- A single subscription.
- A resource group.
- A single resource.
True
True or false: When you grant access at a parent scope, those permissions are not inherited by the child scopes, requiring you to assign the same permissions at the additional scopes.
False. When you grant access at a parent scope, those permissions are inherited by all child scopes.