Design Identity and Access Management

Question 1

Identity

Answer 1

We used to look at on Prem as being the trusted Premitter but its now just another resource, We can now orchestrate solutions based on Identity as center

• User
• Application/Service Principal
• Managed Identities

Question 2

Azure AD Tenant Architecture

Answer 2

Azure Active Directory is Global, the Azure Active Directory Tenant is an instance of the Azure AD service inside of the Azure Cloud

When we Create a Azure AD tenant we get a default domain name for that, like prefix.onmicrosoft.com

Azure Azure Directory Tenant is one to many relationship, where an AAD can be assigned to different subscription but a subscription can only have one AAD

Question 3

AZURE AD and Features

Answer 3

A global cloud-based identity service for Azure that provides Identity repository

• IAM Platform
• Identity Security > MFA and PIM
• Collaboration and Development > B2B B2C
• Monitoring > Audit logs, risk management, identity protech and security monitoring
• Identity Integration > Hybrid Identity
• Enterprise Access

Question 4

AD vs AAD

Question 5

AZURE AD Hybrid Identities

Answer 5

Extending Identity and access into the cloud

• Simplify the user login

Question 6

AZURE AD External Identities

Question 7

AZURE AD Connect

Question 8

AZURE AD Domain Services

Question 9

Azure Roles vs AD Roles

Question 10

AZURE AD Roles

Answer 10

Set of roles that we have specifically for providing access to manage IDENTITY OBJECTS inside of our AD TENANT themselves like users, applications devices inside our AD tenant

Global Admin > manage Azure AD resources
Billing Admin > perform billing tasks
User Administrator > manage user and groups
Helpdesk Administrator > Password resets

Question 11

AZURE Groups

Answer 11

Groups reduce the effect required to manage access

• Assigned
  Group Admins/Owners determine Permission
  Manually Managed by Admin or Owners
• Dynamic
  Device/User attributes
  Require AAD Premium P1 license
  Platform Managed no manually changes required

Permission > Security Groups
0365 > MS 0365 groups for Collaboration

Question 12

AZURE Access Control

Question 13

AZURE Roles

Answer 13

Azure Roles are for resources inside our subscription.

• Owner > Full access to resources and delegates access
• Reader > Can only view Resources
• Contributor > Create and manage resources but cannot manage the access
• User Access Administrator > Can delegate access to resources but cannot manage them

Question 14

AZURE Administrative Units

Question 15

AZURE RBAC

Answer 15

RBAC = Who can do what and where

Azure RBAC

WHO > Security Principals > Users
What > Role Assignments > Roles
Where > Effeective Permissions > Scope

Question 16

AZURE Device Management

Question 17

AZURE AD Identity Protection

Answer 17

Protecting Identities themselves from being compromised

• Automate the detection and remediation
• Risk Analysis related to data and reports
• Export data and integrate with security tools

Requires Azure AD Premium P2 Licensing
Risk events
Risk Policies

Question 18

Sign-In Risk Policy

Question 19

User Risk Policy