Identity, Access and Security Flashcards
What is Microsoft Entra and Microsoft Entra ID?
- web version of Microsoft Active Directory
- Identity management system
What was Microsoft Entra called before?
Azure Active Directory
How do Active Directory and Microsoft Entra compare?
- lot of similiarities but not direct replacements of each other
- Active directory is designed to be run on a server and controls lots of different objects
- Microsoft Entra is cloud focused, still handles identity but it not a replacement
- Active directory procotols do not work over the internet
How do you work with Entra?
- you can use Entra APIs to integrate it into your application code and handle authentication and authorization
Describe the Entra ID Model?
- Client App -> redirects user to identity provider, log in directly there,
- Identity Provider -> identity provider provides token back to say yes
- Server/Web Server -> receives token from Client app for identification and can check in with identity provider to see if token is valid
What are the benefits of using Entra as your identity /authentication manager?
- security: Microsoft is world leader with Active Directory, multiple options to handle authentication needs
- reduced development time + easier support: microsoft offers own support for Entra, and integration is only a few lines of code
- additional features are available: AI can be used to check login patterns and recognize login-threats; conditional access; audit features
- centralized administration
- Single sign-on, tie in with on-premise Active directory
- Integrates with other Azure Services
What is Authentication?
- user proving who they say they are
- usually via user id and pw
What is Authorization?
- assumes you are who you say you are
- is to ensure that a user is permitted to perform an action
What is the Entra function : Conditional Access and what does it consider?
- not all attempts to log into a system are equally safe
- attempts to rank certain attributes across a spectrum as being normal and routine to being highly suspicious and unexpected
- additional steps for verification should be taken at the higher end
- you can configure how risky a login you allow
What signals does Conditional Access of Entra ID use?
- User and location
- device (brand new, personal, company, …)
- application to login-to
- real-time risk
What are the steps of Conditional Access of Entra Id?
- Signals to consider
- Verification of every access attempts
- Access to Apps and data
What options exist in Conditional Access in Entra Id to verify every access attempt?
- Allow Access
- Require MFA
- Block access
What are Factos in Multi-Factor Authentication?
- Something you know
- Something you have
- Something you are
What are examples for the factors in MFA?
- Know: Password
- Have: Smartphone (SMS, authentication app)
- Are: Fingerprint, Face scan, fingerprint
Describe the “Passwordless” alternative to MFA
- using gestures to login, like swiping a symbol
- using a pin or biometrics recognition (Iris, face, fingerprint)
- ## all the data is kept on the device
Describe Role-based Access control
- microsofts preferred solution for authorization
- hundreds of built-in roles in entra
- possibility of custom roles
- distinction between entra administrator and administering the roles and custom roles for applications your are developing
Name an example for a role
Developer-role with all rights to create apps, restarts apps, scale services, create directories, …
What is the Principle of Least Privilege?
- everyone only has the rights/privileges to do, what he needs to do
- you try to get granular with the assignments
How do you deal with extra permissions in addition to roles?
- not adviced to do so
- try to avoid unexpected expections with special privileges for certain users
What roles are very common in Entra Id?
- Reader
- Contributor
- Owner
What are Owner-level permissions?
- full access to that particular resource
- and also allow to assign permissions to users
What are Contributor-level permissions?
- full access to a resource
- but you cannot share that permission with anybody else
What are Reader-level permissions?
- Read-only permissions
What is the Zero-Trust Model of Security?
- you can’t trust any connection or request regardless of where it comes from
- you’re going to force every request to include a proof of whos making it
What are the zero trust principles within Microsoft?
**1. Verify explicitly **(instead of verify a token once and make it usable for the rest of a day, verify more intensly)
2. Principle of Least Privilege (Tone done who has access to what)
3. Assume breach - think there is already a breach happening, redesign how applications talk to each other, how data gets stored within network drives, databases etc.
Name example ways of verifying identity
- user ID + password
- include other things like IP addresses, geographic location, same device
- add additional elements
What is Just-in-Time access?
- elevation of privilege for just a short period of time
- like 30 or 60 min
- afterwards go back
What does the Zero-Trust approach mean for network security?
- security inside network needs to exist
- utilizing encryption so that applications inside the network are communicating using encrypted HTTPS type channel
- network segmentation to reduce access to physical networks to users who need it
- threat detection
What is included in Threat intelligence? And what does is enable=?
- analytics
- automation
- monitoring
Enables to see, who access what using what device
What is the Concept of Defense in Depth?
- You are way more secure the more defence you have in place
- use multiple security layers
Name a few examples of Defense in Depth
- Data - i.e. virtual network endpoint
- application - API manamgent
- Compute - Windows Update
- Network- NSG, use of subnets, deny by default
- Perimeter - i.e. DDoS, firewalls
- Identity & access - Entry ID
- Physical - Door locks and key cards
What is the Concept Microsoft Defender for Cloud?
- non-free Service for Security in Azure
- based on the services, production infrastructure you get several security products to enhance security on them
- 30 day free trial
- also includes governance, anti-virus, …
Which Azure Service provides network traffic filtering across multiple subscriptions and virtual networks?
- Azure Firewall
- managed, cloud-based network security service
- that protects your Azure Virtual Network Resources
- stateful firewalls as a service and built-in high availability and unrestricted cloud scalability
