Entra ID Flashcards
What is Microsoft Entra ID and its primary purpose?
Microsoft Entra ID is a centralized identity and access management tool that controls access to on-premises, cloud, and personal devices. It allows IT administrators, developers, and subscribers to manage identities and access across multiple environments.
What was Microsoft Entra formerly known as?
It was formerly known as Azure Active Directory (AAD).
Who are the primary users of Microsoft Entra ID?
The primary users of Microsoft Entra ID are IT administrators, developers, and subscribers.
What is the Identity Secure Score in Entra ID?
The Identity Secure Score is a tool that measures an organization’s identity and access management setup against Microsoft’s best practices, helping organizations improve their security posture.
What is the difference between a Tenant and a Directory in Entra ID?
A tenant is an instance of Entra ID, while a directory is a container within the tenant that holds key resources and objects. Each tenant has one directory.
What are the 3 types of identities in Entra ID?
User Identities (employees, partners, etc.)
Workload Identities (applications, VMs, etc.)
Device Identities (mobile devices, desktops, etc.)
How do Internal and External User Identities differ?
Internal User Identities are for employees and internal members of the organization.
External User Identities are for B2B collaborators, like guests or external members. External users often have more restrictive permissions.
What is the difference between System-Assigned and User-Assigned Managed Identities?
System-Assigned Managed Identities are tied to a specific Azure resource (like a VM) and are deleted when the resource is shut down.
User-Assigned Managed Identities are independent of any Azure resource and can be shared across multiple resources. They persist even after resources are deleted.
What is the purpose of creating groups in Entra ID, and what are the 2 main types of groups?
Groups are used to bundle user identities to grant them the same access rights and permissions. The two main types of groups are:
Microsoft 365 Groups: For collaboration, can be created by anyone, and are for user identities only.
Security Groups: Created by an Entra ID admin and used to enforce security policies.
What is a Hybrid Identity, and why is it important?
A Hybrid Identity provides a single identity for users across both on-premises and cloud services. It is important because most organizations use a mix of on-prem and cloud environments, and Hybrid Identity enables seamless access between the two.
What is the difference between Workforce Tenant and External Tenant in Entra ID?
A Workforce Tenant is an internal tenant used for the organization’s internal workforce, but it can also allow external users for B2B collaboration.
An External Tenant is a client-facing tenant used to deploy apps and services to external users or customers.
What is an External Identity in Entra ID?
An External Identity is an identity that allows users from outside the organization to register and collaborate within an Entra ID tenant. This is often used for B2B collaboration.
What is a Conditional Access Policy (CAP) in Microsoft Entra ID?
A Conditional Access Policy (CAP) is a security feature that adds an extra layer of protection, controlling who can access an organization’s data, services, and environment. CAPs work like “if-else” statements, using identity signals like user, device, and location to determine access.
What are the two main components of a Conditional Access Policy?
Assignment: Defines “Who, What, When, and Where” the policy is applied, using logical AND to combine multiple conditions.
Access Control: Defines the access action, which can be:
- Block Access
- Grant Access (with or without additional requirements like MFA)
- Session Control (e.g., blocking certain actions or access to sensitive content)
How does Microsoft Entra ID’s Conditional Access policy function like an “if-else” statement?
Conditional Access Policies evaluate a set of if conditions (like user, location, device, etc.). If the conditions are met, then an access control action is applied (block, grant, or session control).