Entra ID Essentials Flashcards
Key Features
-Identity Platform
-Single Sign-On: Ensure that users get access to solutions and services with just a single identity
-Identity Security: Ensuring that our identities and credentials have not been leaked, MFA and more
-Enterprise Capabilities: Managing access to applications or providing tools for self-service and more
-Hybrid and Cloud
-Flexible OS Support
To manage access we’re going to store identity-related “Objects” like “application entities” or “user accounts”.
-Entra ID is all about managing these objects, which allows us to provide access from these different entities to these different resources
Azure Subscription Relationship
-Every Entra ID Tenant will have an onmicrosoft.com domain
-You can add a custom domain
-You have to associate a subscription with your Entra ID tenant (a subscription can only be associated with 1 tenant)
-Your tenant can be associated with zero, one, or more subscriptions
Extended Features
(Identity & Device Management, Federation and SSO, Resource Access)
-Privileged Identity Management (JIT Access - Access Reviews)
-Conditional Access (Conditional Access Policies)
-Identity Protection (Sign-in risk & User-risk)
-Quality-of-life, self-service, etc.
You can manage your Entra ID tenant through: The Azure Portal (portal.azure), Entra Admin Center (entra.microsoft.com) and Microsoft 365 Admin Center (admin.microsoft)
User Identities
User Identity: Enables people to access enterprise managed resources easily
-Properties: Name, Office, City, Mail
-Cloud Identity: Can be created in the cloud with no on-premises infrastructure required
-Synchronized Identity: Can be “synchronised” from on-premises
-Guest Identity: Can be “invited” (as a guest) from partner identities (Google, Facebook)
Application Identities
Application needs to authenticate to access resources > Application Identity validated by Entra ID > Resources accept and authorize access (as long as the identity has permissions)
-Helps control both access to an app, and the access an app has to other resources
-The app itself can reside anywhere; inside or outside of Azure
-Application must be registered within an Entra ID tenant (Application Registration)
-Authentication relies on the use of a client secret or certificate (more secure)
Inside the App created
Enterprise Applications
Is a place where you can manage all of the apps that you are providing access to for your users: How can they access it? Who can access it? Who should be able to manage it? And more.
Inside our app:
-Owners: Who owns this app?
-Users and groups: Which users or groups should have access?
-Application proxy: You have an app on-premises and you don’t want to require a VPN or on-premises access.
-Conditional Access: How and what conditions users accessing your app need to have. (MFA, where they are, etc.)
App Registration
-Authentication: In “Supported Account Types”, if we want the app to be used across multiple tenants we can switch options.
-API Permissions: Important feature if you are working with security, or when you are architecting applications that need to go and access other resources. (Your app needs permissions to interact with Entra ID)
-App Roles: You might create roles within your app to let some users read data, and others write data
Managed Identities
-Provides an identity to a resource that exists within an Azure subscription
-Authentication is managed by Azure (no credentials need to be stored)
-System-Assigned: enabled for a single resource for as long as it exists. You can create them inside of the resource, on “Identity”
-User-Assigned: used by one or more resources and is not tied to the lifecycle of the resource. You can create them in “Managed Identities” (not inside the resource)
Benefits of Groups
-Reduced Administration: Simplified access to permissions, apps, and licensing
-Improved Security: Reduce the incorrect assignment of permissions
-Automation & Self-service: Leverage automation and provide users with self-service
Security Groups
-You can grant access and permissions to a group of users instead of for each individual user
-Simplifies assignment of Entra ID Roles, Azure RBAC Roles, and Entra ID Licensing.
-Allows an “Owner” to be specified, providing some self-service capabilities
-Members can be assigned manually (assigned user group)
-Members can be managed by the platform (dynamic user group)
Microsoft 365 Groups
-We create this type of group when we want to provide access to Microsoft 365 resources: SharePoint, Exchange Online, etc.
-Simplifies administration of collaborative spaces for users/projects/teams
-Allows an “Owner” to be specified, providing some self-service capabilities
-Provides additional advanced features such as expiry, sensitivity labels, etc.
-Members can be assigned manually (assigned M365 group)
-Members can be managed by the platform (dynamic M365 group)
Entra ID Dynamic Groups
The purpose is to automatically manage group memberships by configuring rules
-Dynamic User Groups: Control users’ membership in security groups
-Dynamic M365 Groups: Control users’ membership in M365 groups
-Dynamic Device Groups: Control devices’ membership in device groups
Considerations:
-Dynamic User and M365 groups require at least Entra ID Premium P1 licensing
-You cannot manually change the membership of dynamic groups
-Dynamic groups can be for devices or users (but not both at the same time)
Entra ID Administrative Units (AUs)
An administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources.
The Problem to solve: For Admins to manage objects in Entra ID, you might provide them permissions to the entire Entra ID tenant. They will have access to manage EVERYTHING
Solution: With AUs, you can provide access more granularly. For example, the IT Admins AU would only manage objects in Australia and the IT Admins EU would only manage objects in Europe.
-Simplifies the assignment of Entra ID permissions to Entra ID objects (small scope)
-Helps you follow the “Least Privilege Principle”
-Can include a mix of Entra ID Users, Devices, and Security Groups.
-Memberships can be assigned, or dynamic
-Allows objects to exist in multiple AUs at the same time
Considerations
-AUs require at least Entra ID Premium P1 licensing, and you’ll need that for any of the users who are assigned permissions scoped at the administrative unit level
-Permissions at the AU level do not apply to the members of security groups.
-You cannot nest an AU within another AU.
Restricted Management - AUs
Allows you to protect specific objects in your tenant from modification by anyone other than a specific set of administrators that you designate.
For example, you might not want an Admin with “Global Administrator” to have access to everything. With a restricted management AU, the Admin would not have access to manage those users by default.
-The only people that will have the ability to manage these objects are those who are DIRECTLY assigned permissions scoped at the administrative unit level