Implement and manage identity and access

Question 1

Risk events are separated into what 3 types? How do you access these reports?

Answer 1

Risky Users, Risky Sign Ins, Risky Detections. To Access go to Azure Portal -> Azure Active Directory -> Security -> Identity Protection -> Reports

Question 2

How do you configure Identity Protection Alerts?

Answer 2

Azure Portal -> Azure Active Directory -> Security -> Identity Proection -> Users at Risk Detected/Alerts

Question 3

How do you access and implement the sign-in risk policy?

Answer 3

Azure Portal -> Azure Active Directory -> Security -> Identity Protection -> Sign-In Risk Policy

Question 4

How do you implement the sign-in risk policy?

Answer 4

Setup Assignments (Users, Conditions)
Setup Controls - Access, Allow, Block, Require pw reset
Microsoft recommends set the threshold to “Medium”

Question 5

How do you access the User Risk Policy?

Answer 5

Azure Portal -> Azure Active Directory -> Security -> Identity Protection -> User Risk Policy

Question 6

How do you implement the User Risk Policy?

Answer 6

Setup Assignments (Users, Conditions)
Setup Controls
Microsoft recommends set the threshold to “High”

Question 7

What behaviors are identified by sign-in risk policy?

Answer 7

This policy helps identify and respond to risky or unusual account sign-in behavior that might indicate the account has been compromised.

Question 8

What types of behaviors will the sign-in risk policy detect?

Answer 8

Anonymous IP Address
Atypical travel
Malware-linked IP address
Unfamiliar sign-in properties
Admin-confirmed user compromised
Malicious IP address
Suspicious Inbox Manipulation
Impossible travel

Question 9

What behaviors are identified by User Risk Policy?

Answer 9

This policy helps identify and respond to user account behavior or activities that seem suspicious and indicate the account might have been compromised.

Question 10

What types of behaviors are detected by the User risk policy?

Answer 10

Leaked Credentials

Azure AD Threat Intelligence

Question 11

What are the 2 types of available Identity Protection policies?

Answer 11

User Risk Policy

Sign-in Risk Policy

Question 12

What is Azure AD Identity Protection? What license is required?

Answer 12

Azure AD Identity Protection is an Azure AD Premium P2 feature that includes user risk and sign-in risk policies and alerts that help you stay on top of mitigating the potential of data loss.

Question 13

How do you configure PIM roles?

Answer 13

Go to Azure Portal -> search for Azure AD Privileged Identity Management -> then Azure AD Roles settings

Question 14

What is PIM?

Answer 14

Privileged Identity Management (PIM) enables your organization to protect important resources across Azure, Azure AD, Intune, and Office 365 apps & services by managing and auditing access to them.

Question 15

How are Role assignments created?

Answer 15

portal. azure.com
- > click Subscriptions
- > then Access Control (IAM)

Question 16

What is RBAC?

Answer 16

Azure Role-Based Access Control (RBAC) allows fine-grained access management of Azure resources. Allows you the ability to divide responsibility by role for and access to management of various machines, networks, resource groups, and so on.

Question 17

What 3 components does RBAC consist of?

Answer 17

Security Principal - object requesting access (user, group, service, etc)
Role Definition - a set of permissions that defines the actions that can be performed
Scope - the resources to which access will be granted

Question 18

In RBAC what is the scope resource hierarchy?

Answer 18

Management Group

• > Subscription
• > -> Resource Group
• > ->-> Resource

Question 19

What is the default option when you create a Conditional Access Policy?

Answer 19

the default option is Report Only.

This is good for testing the effect the policy will have on users

Question 20

Where do you create Conditional Access Policies?

Answer 20

Microsoft EndPoint Manager Admin Center

endpoint. microsoft.com
- > select Endpoint Security
- > Conditional Access
- >New Policy

Question 21

Aside from Compliance Policies, you can configure general compliance settings, where?

Answer 21

Microsoft EndPoint Manager Admin Center

• > choose Device
• > Compliance Policies
• > Compliance Policy Settings

Question 22

Where do you go to configure and manage device compliance for endpoint security?

Answer 22

Microsoft EndPoint Manager

endpoint. microsoft.com
- > select devices
- > Compliance Policies
- > Create Policy

Question 23

How are Conditional Access Policies related to Compliance Policies?

Answer 23

Compliance policies are configured separately but they can be used within Conditional Access Policies.

Question 24

What license is required for SSPR with Password write back?

Answer 24

Azure AD Premium P1 licenses

Question 25

What license is required for Conditional Access Policies?

Answer 25

Azure AD Premium license & Intune (Intune or Enterprise Mobility + Security license)

Question 26

To enable passwordless authentication you must sign in to the Azure Portal at?

Answer 26

portal.azure.cm
-> then select Azure Active Directory
-> Security
-> Authentication Methods
-> Authentication Methods Policy (Preview)
Then select either FIDO2 Security Key, Microsoft Authenticator Passwordless Sign In or Text Message

Question 27

In order to implement Windows Hello for SSO the devices must be first?

Answer 27

Devices must first be joined to Azure AD and Intune-enrolled.
Windows Hello incorporates biometrics, device-specific pins and is exclusive to Windows 10 devices

Question 28

MFA and other Sign-ons are reported in what report?

Answer 28

Azure AD’s Sign-Ins report

portal. azure.com
- > select Azure
- > Active Directory
- > User
- >Sign-Ins

Question 29

Azure AD Security Defaults include

Answer 29

All users must register for Azure MFA
Admins must use MFA
Legacy authentication protocols are blocked
Users are required to perform MFA when necessary
Privileges such as access to Azure Portal have been restricted

Question 30

What is involved in Azure AD Identity governance?

Answer 30

involved regularly analyzing and confirming or cleaning up group membership.

Question 31

How do you manage Identity Governance?

Answer 31

Go to Azure AD
-> select Identity Governance
-> Access Reviews
-> New
Azure Premium P2 licensing is required

Question 32

Security groups have an additional option for the membership type

Answer 32

Dynamic Device -> define the parameters of device properties for devices that will be included automatically

Question 33

Membership for the group can be one of two Office 365 group types

Answer 33

Assigned - you manually declare who is part of the group

Dynamic User - you define parameters of user properties for accounts that will be included automatically

Question 34

You can create 2 group types in Azure AD

Answer 34

Security - can be used to grant permission to shared resources
Office 365 - used to grant access to shared collaboration resources

Question 35

How do you create an Azure AD group?

Answer 35

Azure AD -> Groups -> New Group

Question 36

What is Microsoft Cloud App Discovery used for?

Answer 36

can be used to analyze existing SaaS app usage within your organization

Question 37

What 6 things does Azure AD Connect Health allow you to identify and manage?

Answer 37

Email Notifications
ADFS system Issues
Quick agent installation
Auto Upgrades
Top Application usage
Network locations & TCP connections

Question 38

Azure AD Connect consists of what 3 essential components?

Answer 38

Synchronization services
Active Directory Federation Services (AD FS)
Health monitoring

Question 39

Azure AD Connect Express settings include the following capabilities for Single AD forest setups

Answer 39

Configure sync of identities in the current AD forest
Configure PHS from on-premises AD to Azure AD
Start initial synchronization upon completion
Synchronize all attributes
Enable Auto Upgrade

Question 40

Azure AD Connect is configured using “default authentication settings” refers to?

Answer 40

Express Settings

Question 41

If Password Hash Synchronization (PHS) is not enabled?

Answer 41

You cannot utilize premium features in Azure AD, such as Identity Protection’s leaked credentials detection report.

Question 42

What are the 2 distinct Federation (AD FS) Authentication Methods?

Answer 42

AAD relies on another authentication system

Ideal when smart cards, certifications, or third-party multifactor authentication (MFA) are required

Question 43

What are the 2 distinct Pass-through Authentication (PTA) methods?

Answer 43

Password validation happens on-premises

Best for organizations that require on-premises authentication

Question 44

What are the 4 distinct Password Hash Synchronization (PHS) authentication methods?

Answer 44

Simplest to deploy
No additional infrastructure required
Users use the same username/password as on-premises
**Some premium features in AAD require PHS, such as Identity Protection
-> Password Hashes are stored in the cloud
-> Requires password agent installation on servers

Question 45

What are the 3 Microsoft 365 Hybrid Azure AD authentication methods?

Answer 45

Password hash synchronization (PHS) aka “same sign-on”
Pass-Through Authentication (PTA)
Federation (AD FS)