Identity and Access Administrator Associate Flashcards

1
Q

What are the three concepts of Zero Trust?

A
  • verify explicitly
  • use least privilege
  • assume breach
2
Q

When we say "verify explicitly" and always validate all available data points, including…, what do we mean?

A

always verify
- user identity and location
- device health
- service or workload context
- data classification
- anomalies

3
Q

What are some of the tools we can use with Azure to achieve least privilege?

A
  • Just-in-Time (JIT) access
  • Just Enough Access (JEA)
  • Risk-based adaptive policies
4
Q

What does identity give us the ability to do?

A
  • to prove who we are / authentication
  • to get permissions to do something
  • to report on what was done / auditing
  • to manage and self-administer identity / administration
5
Q

The most common components of an identity solution are the following:

A
  • a repository of user identities
  • an authentication system
  • security protocols that defend against intrusion
  • someone we trust
6
Q

What does SSO do for us?

A

SSO enhances usability by reducing password fatigue. It also provides better security by decreasing the potential attack surface.

7
Q

What are two of the common identity protocols?

A

OpenID Provider
SAML Identity Provider

8
Q

What is identity proliferation?

A

Identity proliferation deals with the storage of identity objects within the environment. Often, organizations have identities in places such as Active Directory, other directory services, and application-specific identity stores.

9
Q

What are provisioning and de-provisioning as they relate to identity?

A

These are actually two separate capabilities. Provisioning speaks to how identity objects are created within a system. De-provisioning focuses on removing an identity's access (deletion, disablement of the security principal, or removal of access).

10
Q

What are identity updates as they relate to identity?

A

This capability covers how identity information is updated throughout the environment. The idea is to move away from manual effort to a more automated and streamlined approach.

11
Q

What is synchronization as it relates to identity?

A

Synchronization is ensuring that the identity systems within an environment are up to date with the latest identity information. This information is often crucial for determining access. The key thing that influences this capability is how synchronization is performed: whether it is manual, time-based, or event-driven.

12
Q

What is password management as it relates to identity?

A

Password management focuses on where and how passwords are set throughout the identity infrastructure. In most organizations, the Service Desk is still the focal point for forgotten passwords.

13
Q

What is group management as it relates to identity?

A

Group management focuses on how an organization manages groups (for example, in Active Directory and/or LDAP) within its environment. Groups are one of the most common forms of determining access permissions to resources, and they are expensive to manage and operate.

14
Q

What is application entitlement management as it relates to identity?

A

Application entitlement management defines how identities are granted access to applications. It focuses on providing coarse-grained application entitlements, which are enforced as a capability contained within the Authorization pillar. Fine-grained entitlements, on the other hand, are managed as attributes relating to an identity.

15
Q

What is change control as it relates to identity?

A

This capability focuses on how changes flow through the environment, whether they are completed manually by a Service Desk professional or through automation. Automation can run with or without a workflow that drives the change process. Some organizations still send emails to complete requests, while others have rich and mature processes to execute the change.

16
Q

What is Microsoft Graph?

A

Microsoft Graph exposes REST APIs and client libraries to access data on Microsoft cloud services such as Microsoft Entra ID.

17
Q

What is a high-level overview of the acronym IAM?

A

Identity and access management is called IAM for short, and identity solutions control access to an organization's apps and data. Users, devices, and applications have identities. IAM components support the authentication and authorization of these and other identities. The process of authentication controls who or what u

18
Q

Microsoft Entra Terminology: Identity

A

An identity is an object that can be authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.

19
Q

Microsoft Entra Terminology: Account

A

An account is an identity that has data associated with it. You can't have an account without an identity.

20
Q

Microsoft Entra Terminology: Microsoft Entra Account

A

An identity created through Microsoft Entra ID or another Microsoft cloud service such as Microsoft 365. Identities are stored in Microsoft Entra ID and are accessible to your organization's cloud service subscriptions. This account is sometimes also called a work or school account.

21
Q

Microsoft Entra Terminology: User

A

A single, personable, verifiable identity in Microsoft Entra ID.

22
Q

Microsoft Entra Terminology: Group

A

A container of users or identities that can be assigned security privileges or restrictions. Often used to control access to specific shared resources for a set of accounts instead of assigning access individually.

23
Q

Microsoft Entra Terminology: Administrative unit

A

A partitioned-off piece of a Microsoft Entra tenant used to create an administrative boundary.

24
Q

What are Microsoft Entra External Identities?

A

Microsoft Entra External Identities refers to all the ways you can securely interact with users outside of your organization.

25
What is Microsoft External Identities B2B collaboration?
Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). B2B collaboration users are represented in your directory, typically as guest users.
26
What is Microsoft B2B Direct Connect?
Establish a mutual, two-way trust with another Microsoft Entra organization for seamless collaboration. B2B direct connect currently supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams. B2B direct connect users aren't represented in your directory, but they're visible from within the Teams shared channel and can be monitored in Teams admin center reports.
27
what is Microsoft Entra Domain Services?
Provides managed domain services with a subset of fully compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.
28
what is Microsoft Entra ID?
Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Microsoft 365, the Azure portal, or SaaS applications.
29
What is authentication?
Authentication is validating that an identity (user, app, or device) is who it proclaims to be.
30
What is federated identity?
Federation is a collection of domains that have established trust. The level of trust varies, but it typically includes authentication and almost always includes authorization.
31
What does federation allow us to do?
Federation allows you to apply existing identities from trusted sources, like an existing on-premises Active Directory.
32
What is SAML?
An open standard for exchanging authentication and authorization data between an identity provider and a service provider.
33
SAML: Principal
Generally a user or device
34
SAML: IdP
Identity Provider
35
SAML: SP
Service provider
36
What is OpenID Connect?
OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0. This protocol enables a user to securely sign in to an application. OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol, so that you can do single sign-on using OAuth.
37
What concept does OpenID Connect introduce?
OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user. The ID token also carries basic profile information about the user.
38
What is claims-based identity in Microsoft Entra ID?
When a user signs in, Entra ID sends an ID token that contains a set of claims about the user. A claim is simply a piece of information expressed as a key/value pair. For example: email=bob@yo.com
39
Describe a high-level overview of how claims-based identity in Microsoft Entra ID works.
1. The user authenticates.
2. The identity provider (IdP) sends a set of claims.
3. The app normalizes or augments the claims (optional).
4. The app uses the claims to make authorization decisions.
40
What are security tokens in Microsoft Entra ID?
Entra ID authenticates users and provides security tokens, such as access tokens, refresh tokens, and ID tokens. Security tokens allow a client application to access protected resources on a resource server. There are three common types of tokens: access tokens, refresh tokens, and ID tokens.
41
What are access tokens within Microsoft Entra?
An access token is a security token issued by an authorization server as part of an OAuth 2.0 flow. It contains information about the user and the resource for which the token is intended. This information can be used to access web APIs and other protected resources.
42
What are refresh tokens within Microsoft Entra?
Because access tokens are valid for only a short period of time, authorization servers will sometimes issue a refresh token at the same time the access token is issued. The client application can then exchange the refresh token for a new access token when needed.
43
What are ID tokens within Microsoft Entra?
ID tokens are sent to the client application as part of an OpenID Connect flow. They can be sent alongside or instead of an access token. ID tokens are used by the client to authenticate the user.
44
What is a JSON Web Token (JWT)?
A JSON Web Token is a compact and self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
45
What is a claim when talking about claims-based identity?
A key/value pair of data within a security token. There are multiple claims transferred within the token, from the claim that defines the type of the token to the encryption method. Here is an example:
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "aud": "https://jwt.io" }
46
What is an assertion when talking about claims-based identity?
Assertion: a package of data, usually in the form of a token, that shares identity and security information about a user or account across security domains.
47
What is an attribute when talking about claims-based identity?
Attribute: a key/value pair of data within a token.
48
What is augmentation when talking about claims-based identity?
Augmentation: the process of adding other claims to the user's token to provide extra detail about the user. This could include data from human resources (HR) systems, from an application like SharePoint, or from other systems.
49
What does authorization cover?
Authorization covers what an identity can access and what they are allowed to do once they gain access.
50
What are access policies?
Access policies focus on a set of applications and data, and on which users and groups can perform activities. Think of them as the set of rules around getting your job done. Focus on the least access you need.
51
What are access control lists?
An explicit list of specific entities who do or don't have access to a resource or functionality. ACLs offer fine control over resources but often become difficult to maintain with large numbers of users and resources.
52
How would you describe role-based access control (RBAC)?
The most common approach to enforcing authorization. Roles are defined to describe the kinds of activities an entity can perform. Access is granted to roles rather than to individual entities. An admin can then assign roles to different entities to control which ones have access to what resources and functionality.
53
How would you describe attribute-based access control (ABAC)?
Attribute-based access control (ABAC): rules are applied to attributes of the entity, the resource being accessed, and the current environment to determine whether access to some resource or functionality is permitted.
54
What would be an example of attribute-based access control?
An example might be only allowing users who are managers to access files identified with a metadata tag of "managers during working hours only" during the hours of 9 AM - 5 PM on working days. In this case, access is determined by examining the user's attribute (status as manager), the resource's attribute (metadata tag on a file), and an environment attribute (the current time).
55
What is policy-based access control (PBAC)?
Policy-based access control (PBAC): a strategy for managing user access to one or more systems where the business role of the user is combined with policies to determine what access the user has.
56
True or false, you must activate multifactor authentication for all users in the directory you enable it in?
False
57
Does OAuth 2.0 help with authorization or authentication?
OAuth 2.0 is really about authorization, not authentication.
58
What is a simple way to describe OIDC?
OIDC provides authentication for modern applications.
59
What does OAuth 2.0 allow us to do?
OAuth 2.0 allows us to do authorization.
60
What does Azure AD Connect (AAD Connect) do for us?
Azure AD Connect helps us manage our on-premises identities and bring them up to the cloud. This replication only goes from on-premises AD up to the cloud, not from the cloud back to on-premises AD.
61
How do we typically assign permissions to manage Microsoft Entra resources in our tenant?
In Microsoft Entra ID, if one of your users needs permission to manage Microsoft Entra resources, you must assign them to a role that provides the permissions they need.
62
What is the Global Administrator role in an Azure tenant?
Global Administrator role: manages access to all admin features in Microsoft Entra ID and services that federate to Microsoft Entra ID. This role allows you to assign admin roles to others and to reset the password for any user and all other admins.
63
What is the User Administrator role in an Azure tenant?
User Administrator role: allows you to create and manage all aspects of users and groups. It also allows you to manage support tickets, monitor service health, and change passwords for users.
64
What does the Billing Administrator role do for us in an Azure tenant?
Billing Administrator role: allows you to make purchases, manage subscriptions, manage support tickets, and monitor service health.
65
What is the portal navigation for assigning a role to a user or group in Microsoft Entra?
Microsoft Entra ID --> Roles and administrators --> Select a role --> Add assignment
66
What are some of the ways we can assign a role to a user in Microsoft Entra?
- Using the portal
- Using PowerShell
- Using the Microsoft Graph API
- Using PIM
67
What are administrative units in Microsoft Entra?
Administrative units are Microsoft Entra ID resources that can be containers for other Microsoft Entra resources. An administrative unit can contain only users, groups, and devices.
68
How do administrative units restrict permissions in Microsoft Entra?
Administrative units restrict the permissions in a role to any portion of your organization that you define. For example, you could use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region they support. In a single Microsoft Entra ID tenant, if you assign a user any administrator role, they are now an admin over every user in the tenant. Administrative units are containers created to solve this challenge. If you want a user administrator to be able to manage only a specific set of users and groups, say only the users in the research department of a hospital, you could set up an administrative unit.
69
What are the common roles assigned to manage administrative units?
- Authentication Administrator
- Groups Administrator
- Help Desk Administrator
- License Administrator
- Password Administrator
- User Administrator
70
What are some other common use cases for administrative units?
You can use administrative units to logically group Microsoft Entra resources. To create administrative units you must have the Global Administrator or Privileged Role Administrator role. After creating the administrative unit, add users or groups to it. Users can be part of multiple administrative units. You cannot nest administrative units. You can assign roles at the administrative unit level, so the assignee does not hold the role over the whole tenant.
71
What are some of the ways you can delegate application creation and management permissions in Microsoft Entra ID?
- Restricting who can create applications and manage the applications they create. By default in Entra ID, all users can register applications and manage all aspects of the applications they create. You can restrict that permission to selected people.
- Assigning one or more owners to an application. This is a simple way to grant someone the ability to manage all aspects of Microsoft Entra ID configuration for a specific application.
- Assigning a built-in administrative role that grants access to manage configuration in Microsoft Entra ID for all applications. This is the recommended way to grant IT experts broad application configuration permissions without granting access to manage other parts of Microsoft Entra ID not related to application configuration.
- Creating a custom role to define specific permissions, then assigning the role to a user as a limited owner, or at the directory scope (all applications) as a limited administrator.
72
What are some of the ways in which we need to plan for delegation in Entra ID?
- Define the roles you need
- Delegate app administration
- Grant the ability to register applications
- Delegate app ownership
- Develop a security plan
- Establish emergency accounts
- Secure your administrative roles
- Make privileged elevation temporary
73
What are the most privileged application administrator roles in Entra?
- The Application Administrator role, which grants the ability to manage all applications in the directory, including registrations, single sign-on settings, user and group assignments, licensing, application proxy settings, and consent. It does not grant the ability to manage Conditional Access.
- The Cloud Application Administrator role, which grants all the abilities of the Application Administrator except access to application proxy settings.
74
How does single sign-on (SSO) work? (Forcepoint overview)
1. The user requests a web page via the cloud proxy.
2. The cloud service identifies the user's account: a) for local users this is based on IP address; b) for roaming users this typically requires the user to enter an email address.
3. The service redirects the user's browser to the identity provider configured for the account.
4. The user's browser makes an authentication request to the identity provider.
5. The identity provider authenticates the user.
6. An authentication token is posted to the user's browser.
7. The token is forwarded to the Forcepoint cloud service.
8. The token is validated against the identity provider's metadata, and the user is identified. Policy settings for the user are checked, and the request is permitted or blocked.
9. The cloud service redirects the user's browser back to the requested URL.
10. Account identification and authentication cookies are set in the user's browser. The next time the user accesses the service, the user's account is identified and the session authenticated via the cookie, without redirecting to the IdP.
11. The browser requests the URL for the second time.
12. The URL is retrieved and served to the user.