Describe the services and identity types of Azure AD Flashcards
Azure Active Directory (Azure AD)
- Azure AD is Microsoft’s cloud-based identity and access management service.
- It enables users to sign in and access resources, including internal and external services.
- Azure AD provides a single identity system for managing authorization and access across cloud and on-premises applications.
- It can be synchronized with on-premises Active Directory or other directory services or used as a standalone service.
- Azure AD allows secure access from personal devices and facilitates collaboration with business partners and customers.
- IT admins use Azure AD to control access, enforce multi-factor authentication, automate user provisioning, and meet access governance requirements.
- Developers can add single sign-on (SSO) to their apps using Azure AD’s standards-based approach and leverage APIs for personalized app experiences.
- Azure AD is included for subscribers of Azure services, Microsoft 365, and Dynamics 365, with the option to upgrade to Azure AD Premium for enhanced features.
Azure AD editions and licensing:
- Azure AD is available in four editions: Free, Office 365 Apps, Premium P1, and Premium P2.
- Azure AD Free allows user administration, group creation, synchronization with on-premises AD, basic reports, self-service password change, and single sign-on across Azure, Microsoft 365, and popular SaaS apps.
- Office 365 Apps edition includes all Free features, plus self-service password reset and device write-back.
- Azure AD Premium P1 includes Free and Office 365 Apps features, advanced administration (dynamic groups, self-service group management), Microsoft Identity Manager, and cloud write-back capabilities.
- Azure AD Premium P2 offers all P1 features, plus Azure AD Identity Protection (risk-based Conditional Access) and Privileged Identity Management, which gates admin roles behind just-in-time, time-bound activation.
- “Pay as you go” feature licenses allow you to get additional features separately, such as Azure AD B2C for customer-facing app identity and access management.
Users and Azure AD B2B collaboration
- A user identity in Azure AD represents an employee or guest who is managed within Azure AD.
- Groups can be created to simplify access management by assigning permissions to a group instead of individual users.
- Azure AD B2B collaboration enables organizations to securely share applications and services with guest users from other organizations.
- With B2B collaboration, organizations can collaborate with external partners and grant them access to specific resources.
Service principals
- A service principal is an identity for an application in Azure AD.
- To integrate an application with Azure AD, it must be registered, and a service principal is created for it in each Azure AD tenant where it is used.
- Service principals enable authentication and authorization of the application to access resources secured by the Azure AD tenant.
- The application's owner is responsible for managing and protecting the credentials (client secrets or certificates) attached to its service principals; anyone holding a leaked secret can act as the application.
- Service principals enable applications to delegate their identity and access functions to Azure AD.
Note: Service principals play a crucial role in enabling applications to securely access resources in Azure AD.
Managed identities
- Managed identities are a type of service principal that Azure AD manages automatically, including creation and rotation of the credential.
- They give an application an identity to use when connecting to Azure resources that support Azure AD authentication, so the code never stores or handles a secret.
- Managed identities can be used at no extra cost.
There are two types of managed identities: system-assigned and user-assigned:
- System-assigned managed identities are enabled directly on a service instance and are tied to the lifecycle of that instance.
- User-assigned managed identities are standalone Azure resources that can be assigned to one or more instances of an Azure service.
- Azure automatically handles the creation and deletion of system-assigned managed identities, while user-assigned managed identities are managed separately from the resources that use them.
System-assigned and User-assigned managed identities
System-assigned managed identity:
- Created as part of an Azure resource, such as an Azure virtual machine or Azure App Service.
- Shares the lifecycle with the Azure resource it is created with. When the parent resource is deleted, the managed identity is also deleted.
- Cannot be shared with other Azure resources. It is associated with a single Azure resource.
- Commonly used for workloads that are contained within a single Azure resource, where independent identities are not required.
User-assigned managed identity:
- Created as a standalone Azure resource.
- Has an independent lifecycle and must be explicitly deleted.
- Can be shared and associated with multiple Azure resources.
- Commonly used for workloads that run on multiple resources and require a single identity to be shared across them.
- Ideal for scenarios where preauthorization to a secure resource is needed as part of a provisioning flow, or where multiple resources need to access the same resource consistently, even if the resources are recycled frequently.
Note: The choice between system-assigned and user-assigned managed identities depends on the specific requirements of your workload.
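As an added example (not part of the flashcards or of Microsoft's SDKs), the following Python shows what the difference between a service principal and a managed identity looks like in code: a service principal presents a secret it must store itself in a client-credentials request, while a managed identity asks the instance metadata endpoint (IMDS) for a token and holds no secret; a user-assigned identity is selected by passing its client ID. It also decodes the returned token's claims so the workload can check audience, tenant and expiry before using it. Nothing is sent over the network: the functions build the requests and parse a constructed, unsigned sample token, and the tenant and client IDs are placeholders.

```python
"""Service principal vs managed identity token acquisition (added example).

Builds the two requests offline and checks the claims of a constructed
sample token. No network access; all identifiers are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"


def service_principal_token_request(tenant_id, client_id, client_secret, scope):
    """Client-credentials grant: the app proves who it is with a secret that
    the application owner must store, protect and rotate."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return urllib.request.Request(
        f"{LOGIN}/{tenant_id}/oauth2/v2.0/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def managed_identity_token_request(resource, user_assigned_client_id=None):
    """Managed identity: no secret in code. The workload asks IMDS, which is
    reachable only from inside the VM/App Service. Passing client_id selects a
    user-assigned identity; without it IMDS answers for the system-assigned one."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if user_assigned_client_id:
        params["client_id"] = user_assigned_client_id
    return urllib.request.Request(
        IMDS + "?" + urllib.parse.urlencode(params),
        # IMDS rejects requests without this header, which blocks forwarded
        # requests (e.g. via SSRF) that cannot set custom headers.
        headers={"Metadata": "true"},
        method="GET",
    )


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_claims(jwt):
    """Decode the payload only. This does NOT verify the signature; a relying
    party must validate it against the tenant's published signing keys."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(jwt, expected_audience, expected_tenant, now):
    """Return the names of claims that fail the basic checks (empty = OK)."""
    claims = token_claims(jwt)
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append("aud")
    if claims.get("tid") != expected_tenant:
        problems.append("tid")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned sample token for the offline demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"  # placeholder
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://management.azure.com/",
    "tid": SAMPLE_TENANT,
    "exp": 1_700_000_000,
    "oid": "00000000-0000-0000-0000-0000000000aa",   # placeholder object id
})

if __name__ == "__main__":
    print(managed_identity_token_request("https://vault.azure.net").full_url)
    print(check_token(SAMPLE_TOKEN, "https://management.azure.com/",
                      SAMPLE_TENANT, 1_600_000_000))
```

The checks in check_token are the minimum a resource should apply in addition to signature validation: a token for a different audience or tenant, or an expired one, must be rejected even if it was minted by Azure AD.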
Device identities and Management
Device:
- A piece of hardware such as mobile devices, laptops, servers, or printers.
- Device identities provide administrators with information for access and configuration decisions.
Azure AD registered devices:
- Supports bring your own device (BYOD) or mobile device scenarios.
- Users can access organization resources using personal devices.
- Users sign in to the device with a local or personal account; the device is registered by adding a work or school account, but no organizational account is required to sign in to the device itself.
- Supported operating systems include Windows 10 and above, iOS, Android, and macOS.
Azure AD joined devices:
- Devices joined to Azure AD through an organizational account.
- Generally owned by the organization.
- Supported operating systems include Windows 10 or greater (except Home edition) and Windows Server 2019 Virtual Machines running in Azure.
Hybrid Azure AD joined devices:
- Devices joined to both on-premises Active Directory and Azure AD.
- Requires an organizational account to sign in to the device.
- Allows organizations with on-premises AD to benefit from Azure AD functionality.
Benefits of registering and joining devices to Azure AD:
- Provides users with single sign-on (SSO) to cloud-based resources.
- Azure AD joined devices also get SSO to resources and applications that rely on on-premises Active Directory, provided the device can reach a domain controller.
Device management:
- IT admins can use tools like Microsoft Intune for mobile device management (MDM) and mobile application management (MAM).
- Intune is a cloud-based service for controlling how an organization’s devices are used.
B2B Collaboration:
- B2B collaboration allows sharing of applications and services with guest users from other organizations.
- Admins can set up federation with external identity providers.
- External users sign in with their existing social or enterprise accounts.
- Access is granted through an invitation and redemption process.
- External users are represented as guest objects in the directory and authenticate with their own credentials; their home identity provider, not the inviting tenant, verifies them.
- Guest users can be managed similarly to employees and support single sign-on (SSO) to Azure AD-connected apps.
B2C Access Management
- Azure AD B2C is a customer identity access management (CIAM) solution.
- Allows external users to sign in with their preferred social, enterprise, or local account identities.
- Provides single sign-on (SSO) to applications.
- Supports millions of users and billions of authentications per day.
- Manages external users separately from the organization’s employee and partner directory.
- Supports SSO to customer-owned apps within the Azure AD B2C tenant.
- Customizable with branding to blend with web and mobile applications.
Azure AD hybrid authentication
Hybrid identity solutions bridge on-premises and cloud-based capabilities.
They provide a common user identity for authentication and authorization, regardless of location.
Choosing the right authentication method is crucial for organizations operating in a hybrid model.
Azure AD Password hash synchronization:
- Simplest way to enable authentication for on-premises directory objects in Azure AD.
- Users sign in to Azure AD services with the same on-premises Active Directory credentials.
- Azure AD Connect reads the password hash (the NT hash) from on-premises Active Directory; the plaintext password is never read or sent.
- Before synchronizing, it salts that hash per user and re-hashes it with 1,000 iterations of PBKDF2-HMAC-SHA256, so the value stored in Azure AD cannot be replayed against on-premises AD (pass-the-hash) even if it were exposed.
- Provides highly available cloud authentication even if the on-premises Active Directory goes down.
Azure AD pass-through authentication:
- Allows users to sign in to both on-premises and cloud-based applications using the same passwords.
- Password validation occurs directly against on-premises Active Directory, not in the cloud.
- Requires Azure AD Connect and one or more authentication agents.
- Authentication agents serve as intermediaries between Azure AD and on-premises Active Directory.
- Requires planning for the agents' infrastructure footprint and for high availability of sign-in: if no agent can reach Azure AD, cloud sign-in fails, so deploy several agents.
Federated authentication:
- Recommended for organizations with an authentication requirement Azure AD does not support natively, such as smart-card or certificate sign-in or a third-party MFA server.
- Uses a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS).
- All user authentication occurs on-premises.
- Requires Azure AD Connect and additional servers to support federation.
- Password hash synchronization can be set up as a backup for AD FS failure.
Considerations:
- Azure AD Connect is required for all hybrid authentication options.
- The choice of authentication method is crucial and difficult to change once established.
- Consider infrastructure requirements, high availability, and compatibility with security policies.
An organization is launching a new app for its customers. Customers will use a sign-in screen that is customized with the organization’s brand identity. Which type of Azure External identity solution should the organization use?
A. Azure AD B2B
B. Azure AD B2C
C. Azure AD Hybrid identities
B. Azure AD B2C
Azure AD B2C is an authentication solution for customers that you can customize with your brand identity.
An organization has completed a full migration to the cloud and has purchased devices for all its employees. All employees sign in to the device through an organizational account configured in Azure AD. Select the option that best describes how these devices are set up in Azure AD.
A. These devices are set up as Azure AD registered.
B. These devices are set up as Azure AD joined.
C. These devices are set up as Hybrid Azure AD joined.
B. These devices are set up as Azure AD joined.
An Azure AD joined device is a device joined to Azure AD through an organizational account, which is then used to sign in to the device. Azure AD joined devices are generally owned by the organization.
A developer wants an application to connect to Azure resources that support Azure AD authentication, without having to manage any credentials and without incurring any extra cost. Which option best describes the identity type of the application?
A. Service principal
B. Managed identity
C. Hybrid identity
B. Managed identity
Managed identities are a type of service principal that are automatically managed in Azure AD and eliminate the need for developers to manage credentials.