Manage Azure identities and governance Flashcards
AAD: Identity
an object that can be authenticated. The identity can be a user with a username and password. Identities can also be applications or other servers that require authentication by using secret keys or certificates. Azure AD is the underlying product that provides the identity service.
AAD: Account
an identity that has data associated with it.
Azure AD account
an identity that's created through AAD or another Microsoft cloud service such as Microsoft 365. Also referred to as a work or school account.
Azure Tenant (Directory)
A single dedicated and trusted instance of Azure AD.
AD DS
Active Directory Domain Services. Remember this is for managing OUs on premises.
Communication used for Azure AD
HTTPS and HTTP, unlike standard AD, which uses Kerberos.
Does Azure AD have OUs or GPOs?
No
Is Azure AD a managed service?
Yes: you only manage users, groups, and policies.
AAD Free tier
Single sign-on, B2B. Core identity and access management.
AAD Microsoft 365 tier
Includes everything in the Free tier plus identity and access management for Microsoft 365 apps
AAD P1
License type: allows hybrid users, self-service groups, dynamic groups
AAD P2
License type: Identity Protection and identity management
Azure AD join (device)
Changes the local state of your device to allow users to sign in to the device by using an organizational work or school account instead of a personal account
Azure AD register (device)
Azure AD device registration provides the device with an identity that's used to authenticate the device when a user signs in to Azure AD. BYOD is mentioned in regard to this as well.
What does SSPR (self-service password reset) require?
Global Administrator privileges
Which 3 options are available for SSPR in terms of which users are enabled?
All, Selected, None
SSPR MFA options?
Email, text, security code sent to a mobile or office phone, set of security questions
Cloud Identity
a user account defined only in AAD.
Directory Synced Identity
A user who originated in an on-premises Active Directory and has been synced to Azure via Azure AD Connect
Guest user
A user added to the AD tenant from outside the organization
What types of users have rights to add or manage users in AAD?
Global Administrators or User Administrators
What are the two types of groups you can create in AAD?
Security groups and Microsoft 365 groups
Dynamic device
(Security groups only) Apply dynamic group rules to automatically add and remove devices in security groups. When device attributes change, Azure reviews the dynamic group rules for the directory. If the device attributes meet the rule requirements, the device is added to the security group. If the device attributes no longer meet the rule requirements, the device is removed.
(user.jobTitle -eq "Cloud Administrator")
Dynamic user membership rule where any user with the job title equal to "Cloud Administrator" is added to the group
Which Azure AD role enables a user to manage all groups in your Teams tenants, and also assign other admin roles?
Global Administrator
4 ways to obtain an Azure subscription
Enterprise Agreement, partner, reseller, free
4 types of subscriptions
free, enterprise, student, pay-as-you-go
What section is used to monitor subscription billing and resource usage?
Cost Management (Subscriptions)
What is the maximum number of tags for a resource or resource group?
50
Are tags applied to a resource group inherited by the resources in that group?
No
What is a reservation?
Allows you to purchase a virtual machine or other resource for 1 or 3 years to lock in the pricing
The term data residency may or may not come up, but you should associate it with what Azure term?
Region
What is a management group's purpose?
To manage multiple subscriptions
How many levels of structure can a management group hierarchy maintain? (Think of it as a tree with the resource group at the top and departments corresponding to the subscriptions managed.)
6
Do the subscriptions and sub-management groups inherit the parent-level conditions?
Yes
What is a policy definition?
Expresses a condition to evaluate and the actions to perform when the condition is met. For example, you can create a policy definition to prevent VMs in your organization from being deployed if they are exposed to a public IP.
What is an initiative definition?
A set of policy definitions whose compliance state you track together to meet a larger goal. Use this to ensure resource compliance with security regulations.
What can you limit the scope of an initiative definition to?
Management group, subscription, resource group
What is the process for reapplying an initiative definition to resources created before the definition existed?
Remediation
RBAC: What is a security principal?
An object that represents something that requests access to resources, such as a user or a service principal
RBAC hierarchy
A role assignment attaches a role definition to a security principal at a particular scope
Actions and NotActions permissions for 3 default roles
Owner
Actions: *
NotActions: n/a
Contributor
Actions: *
NotActions: Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action
Reader
Actions: */read
NotActions: n/a
Compare RBAC to AAD admin roles: Access Management
AAD admin roles only manage access to Azure AD resources, whereas RBAC manages all Azure resources
Compare RBAC to AAD admin roles: Scope Assignment
For Azure AD, scope is defined at the tenant level, whereas RBAC allows scope from management groups down to individual resources
Compare RBAC to AAD admin roles: Role Definitions
RBAC: roles defined via the Azure portal, Azure CLI, PowerShell, ARM templates, and the REST API
AAD: roles defined via the Azure admin portal, the Microsoft 365 admin portal, and PowerShell
Is Global Administrator an Azure AD role or an RBAC role?
Azure AD. Remember Office 365 roles are similar to Azure AD roles.
Briefly describe Azure AD federation
A federation is where you have a trust established with another organization, or a collection of domains, for shared access to a set of resources.
Azure service to review logs for all activity at a management group/subscription level
Activity logs
What tool provides the ability to query, identify, and remediate the majority of object sync errors in Windows Server AD in preparation for deployment to Microsoft 365?
IdFix