Identity, access and security Flashcards

1
Q

Azure directory services

A
  • Entra ID is a service that enables sign in and access to MS cloud applications and custom cloud applications.
  • For on-prem, Active Directory running in Windows provides identity and access management
  • Entra ID can be connected to AD to assist in maintaining the AD deployment, and add extra features such as sign-in monitoring
2
Q

Entra ID users

A
  • IT admins: control access to applications and resources
  • App developers: add standard functionality to applications such as SSO or working with existing user credentials
  • Users: manage their identities, self-service password reset
  • Online service subscribers: users of 365, Office 365, Azure and MS CRM are already using Entra ID to authenticate
3
Q

What does Entra ID do?

A
  1. Authentication: verifying identity to access applications, password management, MFA, banned passwords, smart lockout etc.
  2. SSO: remember only one username and one password to access multiple applications
  3. Application management: features such as Application Proxy, SaaS apps, single sign-on etc
  4. Device management: registration of devices, which enables features such as device-based Conditional Access
4
Q

Connecting On-prem AD with Entra ID

A

Connecting on-prem AD with cloud-based Entra ID removes the need to maintain two separate sets of identities.

MS Entra Connect can synchronise user identities between on-prem AD and Entra ID.

5
Q

What is Microsoft Entra Domain Services?

A
  • A service that provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP) and Kerberos/NTLM authentication.
  • Lets customers run legacy applications in the cloud that can’t use modern authentication methods
  • Customer defines a unique namespace, which becomes the domain name. Two Windows Server domain controllers are then deployed to the selected Azure region, and Azure handles the management, configuration and updating of the domain controllers.
6
Q

Azure authentication

A
  • Authentication is the process of establishing the identity of a person, service or device, who is required to provide some type of credential to prove who they are.
  • Azure supports multiple authentication methods:
    • Standard passwords
    • Single sign-on (SSO)
    • Multifactor authentication (MFA)
    • Passwordless
7
Q

Single sign-on (SSO)

A
  • Enables a user to sign in one time and use that credential to access multiple resources and applications from multiple providers. Those applications/providers must trust the initial authenticator.
  • With SSO, the user only has to remember one ID and one password. Multiple credentials place a strain on users to remember them and on IT help desks to support them, and present a greater security risk.
  • As users change roles or leave an organisation, access is tied to only one identity, which reduces effort for both users and administrators.
8
Q

Multifactor Authentication

A
  • The process of prompting a user for an extra form of identification during the sign-in process. MFA helps protect against a password compromise
  • MFA provides extra security by requiring two or more elements to fully authenticate. These elements fall into 3 categories:
    1. Something the user knows - e.g. a challenge question
    2. Something the user has - e.g. a code sent to their phone
    3. Something the user is - e.g. a biometric property such as a fingerprint
  • Microsoft Entra multifactor authentication is a MS service that provides MFA capabilities.
9
Q

Passwordless authentication

A
  • A more convenient way for users to authenticate without having to remember a password. The password is replaced by something the user has, plus something they are or something they know.
  • Needs to first be set up on a device. The device can then be enrolled as “something the user has”, and the user can authenticate with something they know or are (e.g. a PIN or a fingerprint) without having to use a password
  • Azure provides three passwordless authentication methods:
    1. Windows Hello for Business
    2. Microsoft Authenticator app
    3. FIDO2 security keys
10
Q

Windows Hello for Business

A
  • Ideal for workers with their own Windows PC.
  • Biometric and PIN credentials are directly tied to the user’s PC, which prevents anyone other than the owner from accessing them.
11
Q

Microsoft Authenticator App

A
  • Turns any iOS or Android phone into a strong, passwordless credential: the user matches a number displayed on the sign-in screen to the one shown on their phone, and then confirms with a PIN or biometric
12
Q

FIDO2 security keys

A
  • FIDO allows users and organizations to use the standard to sign in to their resources without a username or password, using an external security key or a platform key built into a device.
  • Users can register and select a FIDO2 security key at the sign-in interface as their main means of authentication
  • These FIDO2 security keys are typically USB devices, but could also be Bluetooth or NFC (i.e. a hardware device replaces the password)
13
Q

Azure external entities

A
  • MS Entra External ID refers to all the ways customers can securely interact with users outside their organisation
  • External users can bring their own identities, and the customer manages access to their apps with Entra ID or Azure AD B2B
  • The following capabilities make up External Identities:
    1. B2B collaboration - external users use their preferred identity to sign in to the customer’s MS applications, and they are represented in the customer’s directory as guest users
    2. B2B direct connect - establishes a mutual, two-way trust with another Microsoft Entra organisation. External users aren’t represented in the customer’s directory, but are typically visible within a Teams shared channel.
    3. Azure Active Directory business to customer (B2C) - publish modern SaaS apps or custom-developed apps (excluding MS apps) to consumers and customers
14
Q

Azure conditional access

A
  • A tool that Entra ID uses to allow/deny access to resources based on identity signals. Signals could include who the user is, where the user is, and what device the user is requesting access from
  • Conditional Access collects signals from the user, makes a decision based on those signals, and then enforces that decision by allowing or denying the access request, or challenging for an MFA response
  • E.g. a user is not challenged for MFA if they access from a known location, but if they access from an unknown location they are challenged for MFA or denied access
15
Q

Azure role-based access control

A
  • Azure provides built-in roles that describe common access rules for cloud resources.
  • Customers can also define their own roles, and each role is associated with a set of access permissions that relate to that role
  • When individuals or groups are assigned to one or more roles, they receive all the associated access permissions
  • E.g. when a new engineer joins, they are added to the RBAC group for engineers and automatically receive access to everything the other engineers have access to
  • Helps to implement the principle of least privilege access (i.e. only the access needed to complete a task, no more)
16
Q

How is RBAC applied to resources?

A
  • RBAC is applied to a scope, which is a resource or set of resources
  • Scopes can include:
    1. A management group (i.e. a collection of multiple subscriptions)
    2. A single subscription
    3. A resource group
    4. A single resource
  • Access granted at a parent scope is inherited by all the child scopes
  • Roles that provide differing levels of access to scopes include Reader, User, Observer, Contributor, Owner etc
17
Q

How is RBAC enforced?

A
  • Azure RBAC is enforced on any action initiated against an Azure resource that passes through Azure Resource Manager
  • Azure RBAC doesn’t enforce access permissions at the application or data level. Application security must be handled by the customer’s application
18
Q

Zero Trust model

A
  • Security model that assumes the worst case scenario and protects resources with that expectation. Assumes breach at the outset, and then verifies each request as though it originated from an uncontrolled network
  • Zero trust is based on the following principles:
    • Verify explicitly: always authenticate and authorise based on all available data points
    • Use least privilege access: limit user access with Just-In-Time or Just-Enough-Access policies and data protection
    • Assume breach: minimise blast radius and segment access. Verify end-to-end encryption. Use analytics to improve protection
19
Q

Defense-in-depth

A
  • A strategy that uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorised access to data
  • Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
  • Layers:
    1. Physical security: protect hardware and datacenter
    2. Identity & Access: access to infrastructure and change control
    3. Perimeter: DDoS protection to filter large-scale attacks before they cause denial of service for users
    4. Network: limit communication between resources
    5. Compute: secure access to VMs
    6. Application: secure apps and ensure they are free from vulnerabilities
    7. Data: control access to business and customer data
20
Q

Microsoft Defender for Cloud

A
  • Monitoring tool for security posture management and threat protection. It monitors your cloud, on-prem, hybrid and multicloud environments to provide guidance and notifications aimed at strengthening the security posture.
  • Azure resources are automatically monitored and protected. For on-prem and other cloud environments, Defender deploys a Log Analytics agent to gather security-related data
  • Helps detect threats across:
    1. Azure PaaS services - detects threats and performs anomaly detection on Azure activity logs across Azure services
    2. Azure data services - help classify data in Azure SQL, get assessment for potential vulnerabilities
    3. Networks - limit exposure to brute force attacks. Set access policies on selected ports, for selected users, IP ranges or IP addresses, or for a limited amount of time.
21
Q

MS Defender - Assess, Secure and Defend

A

Defender for Cloud fills three vital needs to manage security of resources and workloads in the cloud and on-prem:
1. Continuously assess: vulnerability assessments/scans for VMs, container registries, and SQL servers.
2. Secure: Defender constantly monitors for new resources being deployed across workloads, and assesses whether these new resources are configured according to security best practices. If they’re not, they are flagged and recommendations are provided for what to fix.
3. Defend: when a security threat is detected in any area of the environment, a security alert is generated. The affected resource(s) are detailed, along with remediation steps. Advanced threat protection is also provided for deployed resources, such as securing ports with just-in-time access, and adaptive application controls to create allowlists of which apps should/should not run on the customer’s machines.