Identity Management

Question 1

What is the name of the service providing managed domain services in Azure?

Answer 1

Azure Active Directory Domain Services

• provides a managed domain controller
• features: Domain Join, Group Policy, LDAP, Kerberos, NTLM

Question 2

What are the two options for providing AD domain services in Azure?

Answer 2

1. Install a domain controller on a VM (Active Directory Domain Services)
2. Azure Active Directory Domain Services - managed domain controller

Question 3

What are the main Azure AD features?

Answer 3

1. Enterprise Identity Solution
2. Single Sign-On for apps and infrastructure services
3. Multifactor Authentication
4. Self Service - password resets, access requests

Question 4

What is the limit for # of objects and in what version of AAD?

Answer 4

Only FREE version has a limit of 500,000 objects.

Question 5

What AAD license do you need for Identity Protection, PIM, Access Reviews, and 3rd party MFA?

Answer 5

Premium 2

Question 6

What are the components of AD Connect?

Answer 6

1. Synchronization Services
2. Active Directory Federation Services (optional)
3. Health Monitoring

Question 7

AD Connect sync features

Answer 7

1. Filtering - what objects are synced (e..g. what domains)
2. Password hash synchronization - allows to keep your on-premises AD password policy
3. Password writeback - users can change passwords in the cloud
4. Device writeback - from AAD to AD for conditional access
5. Prevent accidental deletes
6. Automatic upgrade of AD Connect

Question 8

What are the password sync options?

Answer 8

1. Password Sync - passwords are kept in both AD DS and AAD
2. Passthrough Authentication - AD DS is the source
3. AD Federation Services - full federation across AD DS and Azure AD, along with other services or SaaS apps e.g. ServiceNow

Question 9

What is the hybrid authentication option required by Identity Protection?

Answer 9

Password Hash Sync

Question 10

What does Authentication Federation mean?

Answer 10

It means that authentication is handed over to a separate authentication system - allows to use smart cards. You can customize sign-in pages.

Question 11

Which hybrid authentication option requires the least effort?

Answer 11

Password Hash Sync

Question 12

What needs to be added to on-prem for passthrough authentication to work?

Answer 12

Authentication Agents need to installed on existing servers - recommended are 3
- hash sync can be used as backup

Question 13

What does Identity Protection provide?

Answer 13

Leaked credential reports

Question 14

In IAM Add role assignment, what are the 3 options for “Assign access to”?

Answer 14

1. Azure AD user, group, or application
2. User assigned managed identity
3. System assigned managed identity

Question 15

What are the two new roles that come with PIM?

Answer 15

Security Administrator and Privileged Role Administrator