Implement and Manage Hybrid Identity Flashcards
What does each of these initialisms stand for?
- AADC
- PHS
- PTA
- SSO
- ADFS
- AADCH
- Azure Active Directory Connect
- Password Hash Synchronization
- Pass-through Authentication
- Single Sign-on
- Active Directory Federated Services
- Azure Active Directory Connect Health
Within AADC, define synchronization.
Creates users, groups, other objects, and password hashes, ensuring the on-premises directory matches the cloud.
Within AADC, define password hash synchronization.
Sign-in method that synchronizes a hash of a user’s on-premises AD password with Azure AD.
Within AADC, define pass-through authentication.
A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
Within AADC, define Federation integration.
An optional part of Azure AD Connect that can be used to configure a hybrid environment using an on-premises AD FS infrastructure.
Within AADC, define health monitoring.
Azure AD Connect Health provides robust monitoring.
What is the difference between PHS and PTA?
PTA processes all authentication on-premises. PHS just ensures the same password exists in both places.
What are examples of when Azure AD doesn’t support the authentication requirement natively and a federated service is required?
- Smartcards or Certificates
- MFA Providers (not Microsoft)
- Authentication via 3rd Parties
- Sign in with sAMAccountName
How do you ensure business continuity when using Federated systems?
Load-balancing authentication requests among a server farm.
Which of the following require on-premises services?
A. PTA
B. Federated Services
A
B
What authentication service does Microsoft recommend to protect against on-premises authentication outages?
password hash synchronization
What subscription level does Microsoft include Identity Protection in?
Azure AD Premium 2
An attribute immutable during the lifetime of an object.
sourceAnchor (aka immutableID)
With federation, what attribute works with userPrincipalName to uniquely identify a user?
sourceAnchor
What attribute allows objects to “hard match” existing objects in Azure AD with on-premises objects?
sourceAnchor
What rules does the sourceAnchor attribute value follow? (7)
- less than 60 characters
- no special characters
- globally unique
- string, integer, binary
- not based on user’s name
- not case-sensitive
- assigned when object is created
What are the two most common object attributes used as a sourceAnchor?
- objectGuid
- employeeID
What format is UPN syntax (RFC 822)?
username@domain
What attribute does Azure AD Connect use by default to authenticate a user?
UPN
Since a verified domain for the UPN suffix is required by Azure AD, what should you do before syncing user accounts?
Add and verify the UPN suffix (e.g. contoso.com) to Azure AD
Can Azure AD verify a non-routable domain (e.g. contoso.local)?
No
Objects from each connected directory (CD), i.e. the actual directories, are staged here before they can be processed by the provisioning engine.
Connector Space (CS)
Objects that need to be synced are created here based on the sync rules.
Metaverse (MV)
They decide which objects will be created (projected) or connected (joined) to objects in the MV.
Sync Rules
Bundles the process steps of copying objects and their attribute values according to the sync rules between the staging areas and connected directories.
Run Profiles
List benefits of Azure AD Cloud Sync
- sync multi-forested environments
- light-weight provisioning agents
- multiple agents can be used
- support for groups up to 50k members
How often does the Azure AD Cloud Sync run?
Every 2 Minutes
True or False:
Password hash synchronization is turned on by default with Azure AD Connect Express Settings.
True
What does FIPS stand for?
</gra_replace>
<gr_replace lines="103" cat="clarify" orig="The hard match does not">
The hard match does not find any matching object AND the soft match finds a matching object, but that object has a different value of immutableId than the incoming object’s sourceAnchor, suggesting that the matching object was synchronized with another object from on-premises Active Directory.
Federal Information Processing Standard
What is disabled under FIPS?
MD5
At what level does Pass-through authentication work?
A. Domain
B. User
C. Tenant
C. Tenant
True or False:
Azure AD Connect should only be run during the initial synchronization process.
False
Define Hard Match.
Azure AD matches the incoming object using the sourceAnchor attribute to the immutableId attribute of objects in Azure AD.
Define Soft Match
Azure AD falls back to use the ProxyAddresses and UserPrincipalName attributes to find a match.
What error occurs for the following scenario?
The hard match does not find any matching object AND soft match finds a matching object but that object has a different value of immutableId than the incoming object’s SourceAnchor, suggesting that the matching object was synchronized with another object from on premises Active Directory.
InvalidSoftMatch
What feature reduces the number of synchronization errors seen by Azure AD?
Azure AD Duplicate Attribute Resiliency
What is the most common reason for getting the InvalidSoftMatch error?
Two objects with different sourceAnchors have the same value for the ProxyAddress and/or UserPrincipalName
What error occurs for the following scenario?
Two objects of different “object type” (such as User, Group, Contact etc.) have the same values for the attributes used to perform the soft match.
ObjectTypeMismatch
What is the most common reason for getting the ObjectTypeMismatch error?
The ObjectTypeMismatch error occurs when two objects of different type (User, Group, Contact etc.) have the same value for the ProxyAddresses attribute.
What error occurs for the following scenario?
Azure Active Directory enforces various restrictions on the data itself before allowing that data to be written into the directory.
ObjectTypeMismatch
What is the most common reason for getting the IdentityDataValidationFailed error?
The UserPrincipalName attribute value has invalid/unsupported characters.
What is the most common reason for getting the FederatedDomainChangeError?
For a synchronized user, the UserPrincipalName suffix was changed from one federated domain to another federated domain on-premises.
What error occurs for the following scenario?
The suffix of a user’s UserPrincipalName is changed from one federated domain to another federated domain.
FederatedDomainChangeError
What error occurs for the following scenario?
When an attribute exceeds the allowed size limit, length limit or count limit set by Azure Active Directory schema.
LargeObject
What are reasons for getting the LargeObject error?
- Too many certificates
- Too large thumbnail photo
- Too many proxyAddresses
What error occurs for the following scenario?
A user object has administrative permissions and the same UserPrincipalName as an existing Azure AD object.
Admin role conflict
What is the reason for getting the Admin role conflict error?
Azure AD Connect is not allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it.
What license is needed to use Azure AD Connect Health?
Azure AD Premium P1
What services are installed with Azure AD Connect Health AD FS?
- Diagnostics Service
- Insights Service
- Monitoring Service
What role can manage access, view all information, and change settings within Azure AD Connect Health?
Owner
What role can view all information and change settings in Azure AD Connect Health?
Contributor
What role can only view all information in Azure AD Connect Health?
Reader
What button in Azure AD Connect Health will help you identify an orphaned user?
Diagnose
What is the defining feature of hybrid identity solutions?
They create common user identities for authentication and authorization to both on-premises and cloud-based resources.
Which authentication method requires the least effort regarding deployment, maintenance, and infrastructure?
Password hash synchronization (PHS)
Some situations might require the removal of a server from being monitored by the Azure AD Connect Health service. What needs to be done to start monitoring the same server again?
The Health Agent needs to be uninstalled and reinstalled on this server.