Identity : Azure AD Flashcards
Azure AD: Identity
An object that can get authenticated
Azure AD: Account
An identity that has data associated with it. You can’t have an account without an identity.
Azure AD: Azure AD Account.
An identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365.
Identities are stored in Azure AD and accessible to your organization’s cloud service subscriptions.
This account is also sometimes called a Work or school account.
Azure AD: Azure subscription.
Azure subscription. Used to pay for Azure cloud services. You can have many subscriptions and they’re linked to a credit card.
Azure AD: Azure tenant/directory.
A dedicated and trusted instance of Azure AD, a Tenant is automatically created when your organization signs up for a Microsoft cloud service subscription.
Active Directory Domain Services (AD DS)
The traditional deployment of Windows Server-based Active Directory on a physical or virtual server.
Azure Active Directory (Azure AD) vs Active Directory Domain Services (AD DS)
Azure AD is a managed service.
You only manage the users, groups, and policies.
Deploying AD DS with virtual machines using Azure means that you manage the deployment, configuration, virtual machines, patching, and other backend tasks.
Azure AD Free Pricing Tier
Provides user and group management (500k directory objects)
SSO
Basic reports
Azure AD: Microsoft 365 Apps Pricing Tier
Free + identity & access management of Microsoft 365 apps
Azure Active Directory Premium P1 (pricing tier)
Lets your hybrid users access both on-premises and cloud resources. It also supports:
- advanced administration
- dynamic groups
- self-service group management
- Microsoft Identity Manager (an on-premises identity and access management suite)
- cloud write-back capabilities, which allow self-service password reset for your on-premises users
Azure Active Directory Premium P2 (pricing tier)
In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. Privileged Identity Management is included to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
Azure AD Join
Designed to provide access to organizational apps and resources and to simplify Windows deployments of work-owned devices.
Joining a device
Is an extension of registering a device.
Joining provides the benefits of registering and also changes the local state of the device.
Changing the local state enables your users to sign in to the device using an organizational work or school account instead of a personal account.
Self-service Password Reset (SSPR)
Gives users the ability to bypass the helpdesk and reset their own passwords.
Self-Service Password Reset (SSPR) Authentication methods
Pick the number of authentication methods required to reset a password and the number of authentication methods available to users.
At least one authentication method is required to reset a password.
You can choose from an email notification, a text or code sent to the user's mobile or office phone, or a set of security questions.
Azure AD Users: Cloud Identities
These users exist only in Azure AD.
Examples are administrator accounts and users that you manage yourself.
Azure AD Users: Directory-synchronized identities.
These users exist in an on-premises Active Directory.
A synchronization activity that occurs via Azure AD Connect brings these users into Azure.
Their source is Windows Server AD (WS AD).
Azure AD Users: Guest Users
These users exist outside Azure (e.g., another cloud provider or an Xbox LIVE account).
Their source is "Invited user".
This type of account is useful when external vendors or contractors need access to your Azure resources.
Azure AD Bulk User Accounts
Use the Bulk Create option in the portal.
Fill out the CSV template.
Things to note:
- Establish naming conventions (e.g., Smith.John@contoso.com).
- Establish conventions for initial passwords.
Azure AD Group Accounts: Security Group
Used to manage member and computer access to shared resources for a group of users.
Azure AD Group Accounts: Microsoft 365 groups.
Provide members access to a shared mailbox, calendar, files, SharePoint site, etc.
People outside of the organization can have access to this group.
Azure AD: Adding Members to Groups: Assigned (Membership Type)
Lets you add specific users as members of this group and give them unique permissions.
Azure AD: Adding Members to Groups: Dynamic User (Membership Type)
Lets you use dynamic membership rules to automate the adding and removing of members.
Azure AD: Adding Members to Groups: Dynamic Device (Membership Type)
Lets you use dynamic group rules to automatically add and remove devices.
Azure AD: Administrative Units
Are used to restrict administrative scope.
An administrative unit (e.g., School of Business) lets its admins manage only the users in that administrative unit (e.g., staff and students of the Business School).
Azure AD add user (CLI, PowerShell)
# Azure CLI: create a new user (placeholder values; these arguments are required)
az ad user create --display-name "John Smith" --user-principal-name Smith.John@contoso.com --password "<initial-password>"
# Azure AD PowerShell: create a new user (placeholder values; -PasswordProfile, -MailNickName and -AccountEnabled are required)
New-AzureADUser -DisplayName "John Smith" -UserPrincipalName Smith.John@contoso.com -MailNickName Smith.John -AccountEnabled $true -PasswordProfile (New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile -Property @{Password = "<initial-password>"})
Azure AD SSPR steps
- Localization: check the browser's locale and render the SSPR page in the appropriate language
- Verification: the user enters their username and passes a CAPTCHA
- Authentication: the user enters the required data to authenticate their identity
- Password reset: the user can enter a new password
- Notification: a message confirms the reset
SSPR: Authentication methods
- Mobile app notification - authenticator app
- Mobile app code - authenticator app
- Email - provide an external email address
- Mobile phone - provide a mobile number
- Office phone - provide an office phone number
- Security questions - answer security questions
How many authentication methods are required for SSPR?
This is specified by the administrator.
The recommendation is two or more.
Use the authenticator app as the primary method, with email or office phone as the next best.
Three settings for the Self-service password reset enabled property:
Disabled: No users in the Azure AD organization can use SSPR. This value is the default.
Enabled: All users in the Azure AD organization can use SSPR.
Selected: Only the members of the specified security group can use SSPR.
Azure AD Registered Devices: Definition
Registered to Azure AD without requiring an organizational account to sign in to the device.
Azure AD Registered Devices: Primary Audience
To enable users to use their own devices (BYOD) and mobile devices.
Azure AD Registered Devices: Supported OS’s
Windows 10 or newer, iOS, Android, and macOS
Azure AD Joined Devices: Definition
Joined only to Azure AD, requiring an organizational account to sign in to the device.
Azure AD Joined Devices: Primary Audience
Suitable for both cloud-only and hybrid organizations
Azure Active Directory (Azure AD) B2B collaboration
… is a feature within External Identities that lets you invite guest users to collaborate with your organization.
With B2B collaboration, you can securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data.
With Azure AD B2B, Guest users sign in to your apps and services ______________
with their own work, school, or social identities.
Guest users do not require an Azure AD account.
You don't need to manage external accounts or passwords.
You don't need to sync accounts or manage account lifecycles.
Inviting guest accounts (B2B)
A simple invitation (email or self-service sign up) and redemption process lets partners use their own credentials to access your company’s resources.