Identity Flashcards

1
Q

Azure AD Definition

A

Azure AD is Microsoft’s multi-tenant cloud-based directory and identity management service.

2
Q

Azure AD Benefits and Features (6)

A
  • SSO to any cloud or on-premises web app
    • SSO covers M365 and thousands of SaaS apps such as Salesforce, DocuSign, Box, ServiceNow, etc.
  • Works with iOS, macOS, Android, and Windows devices
    • Use the same credentials on all of these devices, including the apps on them.
  • Protects on-prem web applications with secure remote access
    • Access on-prem web apps from anywhere and protect them with MFA, Conditional Access (CA) policies, and group-based access management.
  • Easily extends AD to the cloud
    • Connect on-premises AD (via Azure AD Connect) to have a consistent set of users, groups, passwords, and devices across both environments.
  • Protects sensitive data and applications
    • App access security capabilities: view suspicious sign-in activities and potential vulnerabilities through advanced security reports, notifications, remediation recommendations, and risk-based policies.
  • Reduces costs and enhances security with self-service capabilities
    • SSPR can reduce helpdesk calls and enhance security.
3
Q

Azure AD Concepts (5)

A
  • Identity - An object that can be authenticated.
  • Account - An identity that has data associated with it.
  • Azure AD Account - An identity created through Azure AD or another MSFT cloud service, e.g., M365. This account is also sometimes called a work or school account.
  • Azure Subscription - Used to pay for Azure cloud services. You can have many, and each is linked to a credit card.
  • Azure tenant/directory - A dedicated and trusted instance of Azure AD; a tenant is automatically created when your org signs up for a MSFT cloud service subscription. The terms tenant and directory are often used interchangeably.
4
Q

Active Directory Domain Services (ADDS) vs Azure AD

A

Important Note: AD DS is only one component of the Windows Active Directory suite, which also includes AD CS, AD LDS, AD FS, and AD RMS. Azure AD is different from deploying an AD domain controller on an Azure VM and adding it to your on-premises domain.

  • AD DS
    • Traditional deployment of Windows Server-based AD on a physical or virtual server
    • Communication protocol based on Kerberos for authentication
    • Has OUs and GPOs - a non-flat (hierarchical) structure, unlike AAD
    • You manage the deployment, configuration, VMs, patching, and other backend tasks
  • Azure AD
    • An identity solution designed for internet-based apps; uses HTTP/S communications
    • REST API querying - since it is HTTP/S-based, it cannot be queried by LDAP
    • Communication protocols - uses HTTP/S-based protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization)
    • Includes federation services and many 3rd-party identity providers, e.g., Facebook
    • Has a flat structure - users and groups are created in a flat structure, with no Organizational Units (OUs) or GPOs
    • Is a managed service; you only manage the users, groups, and policies
5
Q

Azure AD Editions

A
  • Azure AD Free
    • SSO, core Identity and Access Management, B2B collaboration
  • Azure AD Microsoft 365 Apps
    • IAM for M365 apps
  • Azure AD Premium P1
    • Premium features, hybrid identities, advanced group access management, Conditional Access
  • Azure AD Premium P2
    • Identity Protection, Identity Governance
6
Q

Azure AD Join Definition

A

AAD Join is designed to provide access to organizational apps and resources and to simplify Windows deployments of work-owned devices. Benefits of AAD Join

7
Q

Azure AD Join Benefits (6)

A
  • Single Sign-On
  • Enterprise-compliant roaming of user settings across joined devices. Users don’t need to connect a Microsoft account (e.g., Hotmail) to see their settings across devices.
  • Access to the Microsoft Store for Business - users can access apps pre-selected by their org.
  • Windows Hello - for secure and convenient access
  • Restriction of access to apps from devices that do not meet compliance policies
  • Seamless access to on-premises resources
8
Q

Azure AD Device Connection Options (3)

A

NOTE: Registration combined with an MDM solution, like Intune, provides additional device attributes in Azure AD. You can create Conditional Access rules that require devices to meet your standards for security and compliance before access is granted.

9
Q

Self-Service Password Reset (SSPR) Definition

A

Gives users the ability to bypass the helpdesk and reset their own passwords.

Note: Azure Administrators can always reset their passwords no matter what options are configured.

10
Q

Azure AD Types of Users (3)

A
  • Cloud identities
    • Users exist only in Azure AD. They can be in your Azure AD or an external Azure AD; when removed from the primary directory, they are deleted.
  • Directory-synchronized identities
    • Users exist in an on-premises AD. Synchronization occurs via Azure AD Connect and brings these users into Azure. The source of authority is Windows Server AD.
  • Guest users
    • Users exist outside Azure, e.g., accounts from other cloud providers and Microsoft accounts such as an Xbox Live account. Useful when external vendors or contractors need access to your Azure resources; once their help is no longer needed, you can remove their account and access.
11
Q

Azure AD Group Account Types (2)

A
  • Security groups
    • Used to manage member and computer access to shared resources for a group of users. E.g., create a security group for a security policy and grant permissions to that set of individuals.
    • Requires an Azure AD administrator role.
  • M365 groups
    • Provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more.
    • You can give access to people outside your organization.
12
Q

Ways to Add Members to Azure AD Groups (3)

A
  • Assigned
    • Lets you add specific users as members of the group and give them unique permissions.
  • Dynamic User
    • Lets you use dynamic membership rules to automatically add and remove members. When a member’s attributes change (e.g., job title), Azure re-evaluates the dynamic group rules for the directory.
  • Dynamic Device (Security Groups only)
    • Lets you use dynamic group rules to automatically add and remove devices.