IAM Flashcards
Describe Azure Active Directory
Microsoft’s cloud-based identity and access management service.
Describe the available versions of AAD.
Four editions:
- Free
- Office 365 apps
- AAD premium P1
- AAD premium P2
Describe AAD identity types
Users (employees and guests)
Service Principal (applications)
Managed Identity (Azure services; user-assigned and system-assigned)
Devices
Compare user-assigned and system-assigned managed identities.
System-assigned: created as part of a resource, shares its lifecycle with that resource, cannot be shared. Intended for single-resource workloads.
User-assigned: created by the user, independent lifecycle, can be assigned to multiple resources. Intended for workloads where resources are recycled frequently but the permissions stay the same.
Describe types of AAD External Identities
- B2B collaboration (guest users, same directory as org employees)
- B2C access management (CIAM solution; allows customers to sign in to services via a social identity; separate B2C directory.)
P1 or P2 tier feature.
Describe hybrid identities
Hybrid = identity created and managed by on-prem IdP and synchronised to Azure AD by using Azure AD Connect.
Describe the authentication methods for hybrid identities.
- Password hash synchronization: AAD does authN using the synchronized password hash.
- Pass-through Authentication: a software agent on an on-prem server validates users directly against on-prem AD, so validation doesn’t occur in the cloud.
- Federated Authentication: AAD hands off authN to a separate process such as AD FS.
Describe MFA in Azure AD.
Require multiple forms of verification to authN:
Something you know + something you have or something you are.
Describe Authentication methods in AAD.
- Authenticator App
- Windows Hello for Business
- FIDO2 (external security key)
- OATH one-time token (TOTP)
- Phone
- Passwords
Describe Windows Hello for Business
- Windows 10 authN feature.
- Two-factor combination: a PIN or biometric tied to a device.
- Windows 10 uses a private key to sign data that is sent to the IdP.
NB: the PIN/biometric is tied to the device, local to the device, and backed by hardware (TPM).
Describe when SSPR in Azure AD can be used and its requirements and features.
For password changes, resets, and unlocks.
Users must:
- Be assigned an AAD license (P1 or P2 tier)
- Have SSPR enabled by an admin
- Be registered with the authN methods they wish to use.
Can write back to on-prem AD. Notifications can be configured to alert on SSPR events.
Describe the AuthN methods available for AAD SSPR.
- Authenticator app notification or code
- Mobile or office phone
- Security questions
Describe Azure AD Password Protection
Feature that blocks users from setting an easy password that appears on a default global banned-password list or an admin-defined custom list (P1 or P2).
Helps defend against password spray attacks.
Describe Conditional Access and its benefits
Conditional Access = Using signals to automate decisions for authorizing access to resources.
Key benefit is providing extra layers of security before allowing authenticated users to gain access to resources.
Describe the assignments (signals) of Conditional Access policies
Assignments = the conditions that trigger a policy (the IF part of IF … THEN)
- User or group membership
- Cloud apps or actions (i.e. scope a policy to include/exclude certain apps or actions.)
- Conditions: location (IP), device, sign-in risk and user risk (probabilities from AAD Identity Protection), client apps
Describe the Access Controls of Conditional Access
Access Controls = what to do (the THEN part of IF … THEN)
- Block access
- Grant access (can choose to enforce one or more controls e.g. MFA, device compliance, using approved client app, password change, require app protection policy.)
- Session (make use of session controls to limit experience.)
Describe Azure AD RBAC role types and role assignments.
AAD roles can be Built-in (global admin, user admin, billing admin) or Custom.
Role assignments combine a user (security principal), a role definition (built-in or custom), and a scope.
NB: custom Azure AD roles require premium P1 or P2 tier license.
Describe principles of identity governance in Azure AD
- Govern identity lifecycle
- Govern access lifecycle
- Secure privileged access for administrators.
Describe identity lifecycle governance capabilities of AAD
AAD premium tiers sync with cloud HR systems. For on-prem HR systems, Microsoft Identity Manager can import identities.
Describe access lifecycle governance capabilities of AAD
Dynamic groups that grant/revoke access based on identity attributes to automate access.
Describe privileged identity management capabilities of AAD
AAD PIM is a premium P2 service for management, control and monitoring of access to important resources.
- JIT access
- Time-bound access
- Approval-based
- Visible (notifications when activated)
- Auditable (full access history)
Describe entitlement management and access review capabilities of AAD
Entitlement management is a P2 feature for IAM lifecycle governance.
- Create packages to bundle accesses and delegate creation and approval.
- Manage external users by package.
Describe Azure AD Identity Protection
Premium P2 feature that allows orgs to:
- Automate detection and remediation of identity risks (user and sign-in risks)
- Investigate risks using data
- Export risk data to 3rd-party utilities for further analysis.
Low, medium, high risk tiers.