Manage authentication by using Microsoft Entra ID Flashcards
Microsoft Entra authentication includes the following components
Self service password reset
Microsoft Entra multifactor authentication
Hybrid integration to write password changes back to an on-premises environment
Hybrid integration to enforce password protection policies for an on-premises environment
Passwordless authentication
T or F
Microsoft Entra ID helps to protect a user's identity and simplify their sign-in experience
True
Self-service
Allows password reset through a web browser
Microsoft Entra multifactor authentication
an additional form of authentication
e.g. mobile app notification
phone call
text message
Passwordless authentication
security keys to sign in without the need for passwords
Self service password reset
password change
password reset
account lock
Multifactor authentication available for Microsoft Entra
Account lockout
Block/unblock users
Report suspicious activity
notifications
open authorization tokens (OATH)
Phone call settings
providers
Account lockout
specify how many failed attempts are allowed
the lockout is only applied when a PIN code is entered for MFA
Block/unblock users
block MFA attempts if a device is stolen or lost
the block lasts for 90 days
unblock users if appropriate
Where can you view suspicious activity events
in the audit logs and risk detection reports
Report suspicious activity and fraud alert
If Fraud Alert is enabled with Automatic Blocking and Report Suspicious Activity is enabled, the user is added to the blocklist and set as high-risk and in scope for any other policies configured
OATH tokens
Microsoft Entra ID supports the use of OATH TOTP (Time-based One Time Password) SHA-1 tokens that refresh codes every 30 or 60 seconds
OATH TOTP
hardware tokens typically come with a secret key, or seed, pre-programmed in the token
Passwordless authentication options
Microsoft Authenticator
FIDO2-compliant security keys
Windows Hello for Business
What devices would be best for Microsoft Authenticator
Shared devices
Kiosks
What devices would be best for FIDO2-compliant security keys
Dedicated non-Windows devices
Dedicated Windows 10 computers
Kiosks and shared computers
What devices would be best for Windows Hello for Business
Dedicated Windows 10 computers
T or F
When you deploy passwordless authentication you should first enable one or more pilot groups
True
Your communications to end users should include
Guidance on combined registration for both Microsoft Entra multifactor authentication and self-service password reset (SSPR)
Downloading Microsoft Authenticator
Registering in Microsoft Authenticator
Signing in with your phone
T or F
Microsoft Authenticator turns any iOS or Android phone into a strong, passwordless credential
True
T or F
Microsoft Entra logs registration of security keys and the Authenticator app, and any other changes to the authentication methods
True
Active Directory Federation Services (AD FS) Integration
users are directed here if they choose "use your password instead"
Device registration
to use the Authenticator app for passwordless authentication, the device needs to be registered in the Microsoft Entra tenant and cannot be a shared device
3 types of passwordless sign-in deployments available with security keys
Microsoft Entra web apps on a supported browser
Microsoft Entra joined Windows 10 devices
Microsoft Entra hybrid joined Windows 10 devices
For Microsoft Entra web apps and Microsoft Entra joined Windows devices, use:
Windows 10 version 1809 or higher using a supported browser like Microsoft Edge or Mozilla Firefox (version 67 or higher).
For hybrid Microsoft Entra domain joined devices, use:
Windows 10 version 2004 or later.
Fully patched domain servers running Windows Server 2016 or 2019.
Latest version of Microsoft Entra Connect.
How can you restrict keys
Authenticator Attestation GUID (AAGUID)
T or F
Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block weak terms that are specific to your organization
True
T or F
On-premises deployment of Microsoft Entra Password Protection uses the same global and custom banned password lists that are stored in Microsoft Entra ID, and does the same checks for on-premises password changes as Microsoft Entra ID does for cloud-based changes
True
Domain Controllers (DCs)
never communicate directly with the internet
T or F
Microsoft Entra Password Protection supports incremental deployment across DCs in a Microsoft Entra ID domain
True
When can the Microsoft Entra Password Protection DC agent software validate passwords?
When it’s installed on a DC and only for password changes that are sent to that DC
How to guarantee consistent behavior and universal Microsoft Entra Password Protection?
DC agent software must be installed on all DCs in a domain
T or F
Partial deployments aren’t secure and aren’t recommended for DC agent software
True.
partial deployment should only occur for testing purposes
What does the Microsoft Entra Password Protection Proxy service run on?
any domain-joined machine in the current Microsoft Entra ID forest
What is the primary purpose of the Microsoft Entra Password Protection Proxy service?
to forward password policy download requests from DCs to Microsoft Entra ID and then return the responses from Microsoft Entra ID to the DC
Where does the password filter DLL of the DC Agent receive user password validation requests from?
The OS; the filter then forwards them to the DC agent service running locally on the DC
How does the DC agent service handle password validation requests?
processes them using the current password policy and returns the result: pass or fail
How often does the DC Agent service check the age of the current policy
hourly
What are Microsoft Entra Password Protection policies a combination of?
the Microsoft global banned password list and the per-tenant custom banned password list
What does the DC Agent never listen on?
a network available port
T or F
The proxy service is stateless
True
it never caches policies or any other state downloaded from Azure
What happens if there is no password policy available on the local DC?
the password is automatically accepted and an event message is logged to warn the administrator
T or F
there can be a delay between password policy configuration change
True
T or F
Microsoft Entra Password Protection acts as a supplement to existing Microsoft Entra ID policies, not a replacement
True
Microsoft Entra ID creates a certificate that is by default valid for how many years
3
Where can you change the certificate duration?
in the Microsoft Entra admin center
When you enable federation on a SAML application, Microsoft Entra ID does what?
Creates a certificate that is by default valid for 3 years
T or F
Communication is critical to the success of any new service
True
Make sure you are letting your users know that a change is coming, when it has arrived, and what to do now
SAML
Security Assertion Markup Language
T or F
SSO for pre-integrated enterprise applications is free
True
T or F
Objects in your directory and features may require specific licenses
True
Shared accounts - SSO
create a security group for each combination of user set and credentials
T or F
Choosing an SSO method depends on how the application is configured for authentication
True
Options for cloud applications to use SSO
OpenID Connect
OAuth
SAML
password-based
Linked
Can SSO be disabled?
yes
Options for on-premises applications for SSO
password-based
Integrated Windows Authentication
header-based
linked
OpenID Connect and OAuth
if the application supports it
SAML
when possible for apps that don't use OpenID Connect or OAuth
Password-based
when the application has an HTML sign-in page
password-based is also known as password vaulting
Linked
choose linked when the application is configured for SSO in another identity provider service
Disabled
choose disabled SSO when the application isn’t ready to be configured for SSO
Integrated Windows Authentication (IWA)
for apps that use IWA or claims-aware applications
Header-based
for when the app uses headers for authentication
T or F
You can integrate your cloud-enabled SaaS applications with Microsoft Entra ID
True
Cloud-enabled SaaS providers
Atlassian Cloud
ServiceNow
Slack
SuccessFactors
Workday
Cloud Integrations
AWS
Alibaba Cloud (role-based SSO)
Google Cloud Platform
Salesforce
SAP (Systems, Applications, and Products in Data Processing) Cloud Identity Platform
Integrating Slack with Microsoft Entra ID enables you to
control who has access to Slack in Microsoft Entra ID
enable your users to be automatically signed in to Slack with their Microsoft Entra accounts
manage your accounts in one central location
What is needed to integrate Slack and Microsoft Entra ID?
a Microsoft Entra subscription
a Slack single sign-on enabled subscription
How can you configure the integration of Slack into Microsoft Entra ID?
add Slack from the gallery to your list of managed SaaS apps
How to configure and test Microsoft Entra SSO for Slack
enable the feature to users and then create a test user
Configure Microsoft Entra SSO
must be signed in as at least a Cloud Application Administrator
go to Identity > Applications > Enterprise applications > Slack > Single sign-on
on the SSO page select SAML
DIDs
user-generated, self-owned, globally unique identifiers rooted in decentralized trust systems
what are verifiable credentials?
data objects consisting of claims made by the issuer attesting information about a subject
T or F
the issuer’s DID creates a digital signature as proof that they attest to this information
True
how do most organizations provide credentials to employees?
centralized identity systems
How decentralized identity systems work
the issuer, user, and relying party (RP) each have a role in establishing and ensuring ongoing trusted exchange of each other's credentials
What passwordless authentication methods does Microsoft recommend?
Windows Hello
FIDO2 security keys
Microsoft Authenticator app