Exam Summary - Azure Identities and Governance Flashcards
What Azure role(s) must you have before you can add or modify Azure identities (Users, Groups, Etc.)?
User Administrator or Global Administrator role
What are the two cloud identities?
Local Azure AD
External Azure AD
What is a Hybrid Identity?
An on-premises identity synchronized to the cloud directory (via Azure AD Connect)
What are the Azure Guest Identities?
Azure AD B2B Collaboration External Identities (Google, Facebook, Etc.)
What PowerShell module is needed to connect to Azure AD, and what is the command to install it?
AzureAD (now retired; Microsoft Graph PowerShell, the Microsoft.Graph module, is the supported replacement)
Install-Module -Name AzureAD
What PowerShell command is used to connect to your Azure AD environment once the module has been installed?
Connect-AzureAD
What PowerShell command is used to create a new Azure AD user?
New-AzureADUser
What are your Azure group types?
Assigned (basic) group
Dynamic group
Which group membership type lets you bulk-add members from a CSV template?
Assigned (basic) groups
What is a dynamic group?
Members (users or devices) are added and removed automatically by a membership rule evaluated against their attributes (e.g., department, jobTitle, deviceOSType).
Can users be automatically assigned roles and licenses when added to a dynamic group?
Yes for Azure RBAC roles and group-based licensing. Azure AD directory roles require a role-assignable group, which must use assigned membership, not dynamic.
Which Azure AD group can you NOT manually add users or devices to?
Dynamic Groups
How/where can you manage user and group properties?
Modify user and group properties in the Azure portal
Modify using the PowerShell AzureAD module
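As an added example (not part of the original flashcards), the user and group cmdlets above put together: create a cloud-only user with a forced first-sign-in password change, create an assigned security group, and add the user to it. The tenant domain, display names and group name are assumptions. Note that the AzureAD module is retired; the same flow exists in Microsoft Graph PowerShell.

```powershell
# Added example, not from the original flashcards. Assumes the AzureAD module and
# a tenant whose verified domain is contoso.onmicrosoft.com (assumption).
Install-Module -Name AzureAD -Scope CurrentUser   # one time, per machine
Connect-AzureAD                                    # interactive sign-in; needs User Administrator or Global Administrator

$domain = "contoso.onmicrosoft.com"                # assumption: replace with your tenant's domain

# Generate a random initial password instead of hard-coding one, and force a change at first sign-in.
$chars   = [char[]]((48..57) + (65..90) + (97..122) + (33, 35, 36, 37, 38, 42, 64))
$initial = -join (1..20 | ForEach-Object { $chars | Get-Random })
$pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwProfile.Password = $initial
$pwProfile.ForceChangePasswordNextLogin = $true

# Create the user (New-AzureADUser requires UPN, MailNickName, AccountEnabled and a PasswordProfile).
$user = New-AzureADUser -DisplayName "Alice Example" `
    -UserPrincipalName "alice@$domain" `
    -MailNickName "alice" `
    -AccountEnabled $true `
    -PasswordProfile $pwProfile

# Assigned ("basic") security group. Dynamic groups cannot be created with New-AzureADGroup;
# they need New-AzureADMSGroup -GroupTypes DynamicMembership -MembershipRule ... instead.
$group = New-AzureADGroup -DisplayName "sg-app-readers" `
    -MailEnabled $false -SecurityEnabled $true -MailNickName "sg-app-readers"

# Manual membership is only possible because this is an assigned group.
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId

# Verify the membership and that the account is enabled.
Get-AzureADGroupMember -ObjectId $group.ObjectId | Select-Object DisplayName, UserPrincipalName
Get-AzureADUser -ObjectId $user.ObjectId | Select-Object UserPrincipalName, AccountEnabled
```

Hand the generated initial password to the user out of band; because ForceChangePasswordNextLogin is set it is single-use.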
Differentiate between a “Cloud Device Administrator” and a “Device Administrator”
Cloud Device Admin:
Can add, enable, disable, and delete devices in Azure AD
Can NOT modify device properties
Device Admin (now called “Azure AD Joined Device Local Administrator”):
Local administrator on Azure AD joined Windows devices
Can NOT modify the device object in Azure AD
What’s the minimum required licensing needed for Azure guest accounts?
No Premium license is required. B2B guests are billed on monthly active users (the first 50,000 MAU per month are free); Premium P1/P2 features such as Conditional Access and access reviews apply to guests only if the tenant is licensed for them.
Subject to the tenant's External collaboration settings, which roles can invite guest accounts into your Azure environment?
Administrators (Global Administrator, User Administrator, Guest Inviter)
Member users, and guests themselves, unless the setting restricts invitations to admins and the Guest Inviter role (the default allows anyone in the organization to invite)
What roles are used to review and manage guest accounts and their invitations (resend, remove)?
Global Administrator
User Administrator
Differentiate between “Azure AD Registered” and “Azure AD Joined”
Azure AD Registered:
Personally owned device (BYOD)
Microsoft account or local account sign-in; the work account is registered on top
OS supported: Windows 10/11, iOS, Android, macOS
Azure AD Joined:
Organization-owned device
Azure AD (work) account sign-in
OS supported: Windows 10/11, Windows Server 2019 and later VMs running in Azure
What licensing is needed to enable users' Self-Service Password Reset (SSPR)?
Azure AD Free:
Cloud-only password change (a signed-in user changing their own known password)
Azure AD Premium P1 or P2:
Cloud-only password change
Cloud-only password reset (forgotten password)
Hybrid password change or reset with on-premises writeback (requires Azure AD Connect password writeback)
What are the “security principals” we can assign roles to in Azure?
Users
Groups
Service Principal
Managed Identity
What is the User security principal?
An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants.
What is the Group security principal?
A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
What is the “Service Principal” security principal?
A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
What is the Managed Identity security principal?
An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.
What three built in Azure roles apply to all resource types?
Owner
Contributor
Reader
(Do not confuse these with the resource-specific data-plane roles Storage Blob Data Owner, Contributor, and Reader, which apply only to blob data.)
What are the four fundamental built-in Azure roles?
Owner
Contributor
Reader
User Access Administrator
Define the built-in Azure owner role.
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Define the built-in Azure contributor role.
Can create and manage all resources, but cannot assign roles in Azure RBAC (nor manage Blueprint assignments or share image galleries).
Define the built-in Azure reader role.
View all resources, but does not allow you to make any changes.
Define the built-in Azure user access administrator role.
Lets you manage user access to Azure resources (create and delete role assignments); it can read all resources but not modify them.
What’s the PowerShell Cmdlet that allows you to assign a new role to a user?
New-AzRoleAssignment
What are Azure Deny Assignments?
Blocks users from performing specific actions even if a role assignment allows it
Does a role assignment or deny assignment take precedence?
Deny assignment
Can you create your own deny assignments?
No. Deny assignments are created only by Azure on your behalf, today through Azure Blueprints (resource locks in a blueprint) and Azure managed applications; you can list them but not author them directly.
What are the PowerShell Cmdlets to get role / deny assignments, as well as the Azure CLI get role assignment command?
Get-AzRoleAssignment
Get-AzDenyAssignment
az role assignment list
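As an added example (not part of the original flashcards), the assignment and lookup cmdlets above in one flow: grant a user the Reader role at resource-group scope (the least-privilege scope for the task), confirm what they effectively hold there, and check for deny assignments, which override any role assignment. The Az module, the user alice@contoso.com and the resource group rg-app-prod are assumptions.

```powershell
# Added example, not from the original flashcards. Assumes the Az module, a user
# alice@contoso.com and a resource group rg-app-prod (all assumptions).
Connect-AzAccount
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId/resourceGroups/rg-app-prod"   # scope to the RG, not the whole subscription

$user = Get-AzADUser -UserPrincipalName "alice@contoso.com"

# Assign the built-in Reader role at resource-group scope.
New-AzRoleAssignment -ObjectId $user.Id `
    -RoleDefinitionName "Reader" `
    -Scope $scope

# Verify: assignments visible at this scope include those inherited from the
# subscription and management group, so this shows alice's effective roles here.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope

# Deny assignments win over role assignments, so check for them at the same scope.
Get-AzDenyAssignment -Scope $scope |
    Select-Object DenyAssignmentName, Scope, IsSystemProtected

# Equivalent assignment check from the Azure CLI:
# az role assignment list --assignee alice@contoso.com --scope $scope --output table

# Cleanup when the access is no longer needed (assignments do not expire on their own).
# Remove-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName "Reader" -Scope $scope
```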
Where/how can you create a custom role in Azure?
Portal
ARM Template
PowerShell
Azure CLI
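As an added example (not part of the original flashcards), creating a custom role with PowerShell by cloning a built-in role and narrowing it: here a "VM operator" that can start, restart and deallocate VMs but not create, delete or reconfigure them. The role name, the action list and the subscription used as the assignable scope are assumptions.

```powershell
# Added example, not from the original flashcards. Assumes the Az module and that
# the current context is the subscription the role should be assignable in.
$subId = (Get-AzContext).Subscription.Id

# Start from a built-in definition so the object has the right shape.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id = $null                      # a null Id makes New-AzRoleDefinition create rather than update
$role.IsCustom = $true
$role.Name = "VM Operator (custom)"   # assumption: pick a name unique in the tenant
$role.Description = "Start, restart and deallocate VMs only; no create/delete, no disk or network changes."

# Replace the broad Actions list with the minimum needed for the task.
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.NotActions.Clear()              # nothing to subtract once Actions is explicit

# Custom roles must declare where they may be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")

$created = New-AzRoleDefinition -Role $role

# Review the stored permission set before assigning the role anywhere.
(Get-AzRoleDefinition -Name $created.Name) | Select-Object Name, IsCustom, Actions, AssignableScopes
```

Listing Actions explicitly (rather than keeping a wildcard and adding NotActions) keeps the role readable and prevents new resource-provider operations from silently widening it.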
WHAT enforces rules to ensure your resources remain compliant, evaluating resource properties for both new and existing deployments?
Azure Policies
Does Azure Policy automatically remediate resources that are not compliant?
Not automatically for existing resources: they are evaluated and reported as non-compliant. New or updated resources are acted on at deployment time (deny, append, modify, deployIfNotExists). Existing non-compliant resources are changed only when you create a remediation task for a policy with a deployIfNotExists or modify effect.
Azure Policy concepts: what is a (1) policy definition, (2) assignment, (3) initiative?
1. Policy definition: a rule (conditions on resource properties plus an effect such as audit, deny, modify, or deployIfNotExists)
2. Assignment: the application of a policy or initiative to a specific scope (management group, subscription, or resource group), optionally with exclusions
3. Initiative (policy set): a collection of policy definitions assigned and tracked as one unit
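As an added example (not part of the original flashcards), the three concepts above as PowerShell: a deny policy definition for storage accounts that allow public blob access (its rule follows the shape of Microsoft's built-in "Storage account public access should be disallowed"), an assignment at resource-group scope, and a compliance query. The definition name, display name and the resource group rg-app-prod are assumptions.

```powershell
# Added example, not from the original flashcards. Assumes the Az module
# (Az.Resources and Az.PolicyInsights) and a resource group rg-app-prod (assumption).
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": "false" }
        ]
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# 1. Policy definition: the rule. Mode Indexed limits evaluation to resource types that support tags/location.
$def = New-AzPolicyDefinition -Name "deny-storage-public-blob" `
    -DisplayName "Deny storage accounts that allow public blob access" `
    -Policy $rule -Mode Indexed

# 2. Assignment: apply the definition to one resource group.
$rg = Get-AzResourceGroup -Name "rg-app-prod"
New-AzPolicyAssignment -Name "deny-public-blob-rg-app-prod" `
    -PolicyDefinition $def -Scope $rg.ResourceId

# From now on a deployment into the RG that leaves allowBlobPublicAccess unset or true is rejected.
# Existing storage accounts are only reported (a deny effect has no remediation task);
# the first compliance evaluation after assignment takes a while to appear.
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState

# 3. Initiative: bundle several definitions with New-AzPolicySetDefinition and assign the set instead.
```

To fix existing accounts you would pair this with a second definition using the modify effect and run a remediation task; the deny definition alone only blocks new violations.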
What are the resource lock types?
Read-Only (ReadOnly): allows reads only; no modification or deletion
Delete (CanNotDelete): allows read and modify but blocks deletion
Can resource locks be inherited by:
1. Existing child resources
2. Newly created child resources
1. Yes (a lock at subscription or resource-group scope applies to every resource within it)
2. Yes (resources created under a locked scope inherit the lock)
Whom do locks apply to in your Azure environment?
All users and roles, Owners included; only principals with the Microsoft.Authorization/locks/* permission (Owner, User Access Administrator) can create or remove locks.
What are the PowerShell and Azure CLI basic lock creation commands?
PowerShell:
New-AzResourceLock -LockName <name> -LockLevel CanNotDelete|ReadOnly -ResourceGroupName <rg> [-ResourceName <name> -ResourceType <type>]
Azure CLI:
az lock create --name <name> --lock-type CanNotDelete|ReadOnly --resource-group <rg> [--resource <name> --resource-type <type>]
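As an added example (not part of the original flashcards), the lock commands above in use: a delete lock on a resource group (inherited by everything in it), a ReadOnly lock on a single storage account, a demonstration that the lock blocks even an Owner's delete, and cleanup. The resource group rg-app-prod and storage account stprodlogs are assumptions.

```powershell
# Added example, not from the original flashcards. Assumes the Az module, a resource
# group rg-app-prod and a storage account stprodlogs inside it (all assumptions).
$rg = "rg-app-prod"

# Delete lock on the whole resource group; every existing and future resource in it inherits it.
New-AzResourceLock -LockName "no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $rg -LockNotes "Prod; remove the lock before decommissioning" -Force

# ReadOnly lock on one resource. Caveat: ReadOnly also blocks POST operations such as
# listing storage account keys, so applications that fetch keys at runtime will break.
New-AzResourceLock -LockName "ro-logs" -LockLevel ReadOnly `
    -ResourceGroupName $rg -ResourceName "stprodlogs" `
    -ResourceType "Microsoft.Storage/storageAccounts" -Force

# Inspect what is locked and at which level.
Get-AzResourceLock -ResourceGroupName $rg |
    Select-Object Name, ResourceName, @{ n = "Level"; e = { $_.Properties.level } }

# Locks apply to every principal, Owners included: this delete fails while the lock exists.
try {
    Remove-AzResourceGroup -Name $rg -Force -ErrorAction Stop
} catch {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}

# Removing a lock needs Microsoft.Authorization/locks/* (Owner or User Access Administrator).
Remove-AzResourceLock -LockName "ro-logs" -ResourceGroupName $rg `
    -ResourceName "stprodlogs" -ResourceType "Microsoft.Storage/storageAccounts" -Force
Remove-AzResourceLock -LockName "no-delete" -ResourceGroupName $rg -Force
```

Because locks are inherited, a CanNotDelete lock at resource-group scope is usually enough; per-resource ReadOnly locks are reserved for resources whose control-plane state must not change at all.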
Each tag consists of what “pair”
Name and Value pair
What access does your account need to be able to assign tags?
Must have write access to the Microsoft.Resources/tags resource type (the Microsoft.Resources/tags/write action), e.g. via the Tag Contributor, Contributor, or Owner role
What is an Azure Resource Group?
Containers that hold related Azure resources
Does moving a resource to a different resource group change the location/region where it was originally located?
No
Resource groups only store the WHAT about the resources it contains?
Metadata
What would happen to the resources in a group when you delete that resource group?
Deletes all resources in that resource group
What are the PowerShell and Azure CLI basic resource group creation commands?
PowerShell:
New-AzResourceGroup -Name <name> -Location <region>
Azure CLI:
az group create --name <name> --location <region>
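As an added example (not part of the original flashcards), the resource-group and tag material above together: create a resource group with tags at creation time, merge an additional tag (which needs Microsoft.Resources/tags/write on the target), and move a resource in from another group while confirming its region does not change. The group, tag and storage account names are assumptions.

```powershell
# Added example, not from the original flashcards. Assumes the Az module, a source
# resource group rg-app-dev containing a storage account stdevlogs (assumptions).
$rg = New-AzResourceGroup -Name "rg-app-prod" -Location "eastus" `
    -Tag @{ env = "prod"; owner = "app-team"; costcenter = "1234" }

# Tags are name/value pairs. Merge adds or updates the given tags and keeps the rest;
# Replace would drop every tag not listed.
Update-AzTag -ResourceId $rg.ResourceId -Tag @{ dataclass = "confidential" } -Operation Merge
(Get-AzResourceGroup -Name $rg.ResourceGroupName).Tags

# Move a resource into the new group. The RG location is only metadata:
# the storage account stays in the region it was deployed to.
$sa = Get-AzResource -ResourceGroupName "rg-app-dev" -Name "stdevlogs"
$before = $sa.Location
Move-AzResource -DestinationResourceGroupName $rg.ResourceGroupName -ResourceId $sa.ResourceId -Force

$after = (Get-AzResource -ResourceGroupName $rg.ResourceGroupName -Name "stdevlogs").Location
"Region before move: $before, after move: $after"   # identical
```

Resource tags are not inherited from the resource group; if a tag must appear on every resource, enforce it with an Azure Policy modify effect rather than relying on manual tagging.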
1. Can you move resources between subscriptions?
2. Can you transfer subscriptions between tenants?
3. Can a single tenant only have one subscription?
1. Yes (most resource types; both subscriptions must trust the same tenant)
2. Yes
3. No; a tenant can hold many subscriptions, but each subscription trusts exactly one tenant
What is Azure Cost Management?
Analyzes your environment to help determine where your Azure costs are going.
What are Azure Cost Management “Cost Alerts”?
Alerts generated when a spending threshold you defined (for example, a percentage of a budget) is reached.
What is Azure Cost Management “Budgets”?
Allows you to apply budgets to cost thresholds and limits to control your Azure spend.
What is Azure Cost Management “Recommendations”?
Displays ways to control costs through identifying trends in your usage.
What are Azure Management Groups?
Use to manage access, policies and compliance across MULTIPLE subscriptions in your environment.