Manage azure identities and governance Flashcards

1
Q

Is Azure Active Directory the same as windows active directory?

A

No, same idea but some non overlapping requirements and protocols when doing the job of Active Directory over the internet vs on a server

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Can you sync your current active directory with a new azure Active Directory instance?

A

Yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Does azure ad support single sign on?

A

Yeah, and using its api you can develop custom sso code for your non integrated 3rd class party apps

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

How much of the exam is based on identity and governance questions?

A

25%

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is Microsoft entra?

A

Entra is an enterprise identity service (umbrella product including the active directories) which includes SSO, MFA and conditional access to/guard against cyber attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the different features available with different licences for Microsoft entra ID?

A

https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the difference between accounts, tenants, subscriptions?

A

Account:

Person or program (synonym of User) e.g. Joe Smith joe@example.com.
Apps have their own identities such as managed identities or they can also use service users

Tenant:

A representation of an organization. Usuqlly represented by a unique domain ea.com for example.

A tenant is required to do anything is azure and has a dedicated instance of azure active directory.

Every azure account is part of at least one tenant!!!!

Subscription:
A billing agreement with Microsoft on how you’re going to pay.

  • Free subscriptions
  • pay as you go
  • enterprise agreements

Subscriptions can be assigned to tenants but this is not a requirement (in fact tenants can have multiple subscriptions).

Multiple accounts can be assigned to a tenant, each with different roles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

In Entra ID how can you switch between tenants?

A

Using the switch button in the manage settings cog in the Entra ID interface or via the ‘Switch directory’ link in the menu which appears when clicking your profile pic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Is the use of AI to combat hacking attempts part of the Azure active directory free tier?

A

No its part of the P1 tier.
https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

How can you add a custom domain name to your new tenant?

A

There is a settings option to add a custom domain name so you could use your company’s domain name to access the tenant’s Active Directory instance but it’s necessary to prove ownership of the custom domain. This probably involves adding a TXT setting to the record of your domain purchase so that Azure can make a request to it and get the expected response.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are standard groups in azure Active Directory?

A

Groups of users, of type security and of membership type assigned ( known, intentional) and have bulk operations and permissions given to them.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Are groups able to given roles by default?

A

No, there is a toggle switch to enable role assignation to a group.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are dynamic groups?

A

A dynamic group is a group whose membership type is based on the results of a query. An example could be including employees in a certain department as being part of a dynamic group for that department. It is still a security group type.

Job title and country are other examples of many dynamic group query fields.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are the management traits which can be performed on groups?

A

Access reviews
Access logs
Bulk operations
Privileged identity management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are devices in azure Active Directory.

A

They represent the physical devices used by users that access and organisations resources e.g. phones, laptops, authentication devices

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Is multifactor authentication a a part of the free tier azure active directory?

A

Using Microsoft Authenticator it’s free, but sms and phone are a part of a paid tier license.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Is license assignment to a user controlled in terms of legal requirements?

A

Yes, some licenses and features cannot be assigned unless the user has a location set so that GDPR rules can be enforced by Azure Active Directory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is the difference between a managed and unmanaged device in Azure Active Directory?

A

A managed device has specific criteria to meet in terms of encryption, password requirements , antivirus software running etc.

Related to conditional access which changes access conditions based on various factors including whether it is a managed device.

You can limit the number of a users devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are azure ad bulk operations?

A

Certain tasks can be done in bulk like creating users. In the case of new users a csv template is downloaded that the administrator fils out and all use users are created in bulk by azure ad

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

How to add an external user to your azure ad ( a user with a different domain in their email and exists outside of your azure ad instance. Typically partners, vendors and contractors.)

A

These are invited as a guest user to the azure ad which they will have to accept to be added to you azure ad. They will be able to be managed in the same way as other non external users in your organisation. They will be able to self reset their passwords , can be assigned RBAC roles for permission management and have devices and conditional access rules such as using mfa.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is self service password reset?

A

This is a paid feature allowing users to reset their own password.

It is configured in the properties tab of the left hand side bar of an organisation’s azure ad UI. It can be assigned in bulk or to individuals. This is a paid feature so you cannot assign to more users than you have purchased licenses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is AAD-Connect?

A

This is a service which synchronises azure ad with on prem Active Directory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What does RBAC stand for?

A

Role based access control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is RBAC?

A

It’s a system designed to give permissions and access to a user based on their role on their role.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What is the principal of least privilege?

A

Give the least permissions possible for the most secure IT system possible

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What are the drawbacks to assign individual users individual permissions (not RBAC)?

A

Some users have too many privileges over the years and those users get asked to do things for other users without those permissions. More effort to maintain. Some users don’t have the permission they need more frequently. Higher chance of malicious user hacking using their unnecessary permissions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

In an RBAC setup what are permissions assigned to?

A

To the role, and every user with that role will receive the permission through the role.

28
Q

What are the benefits of RBAC?

A

Small number of roles , simplifying and reducing workload even for a high number of employees.

Simpler management so fewer errors.

Just confirm users are in the right role.

All users are the same for the role, no snowflakes.

Quicker and easier to add new users to the role and give them the required permissions for their role.

29
Q

What are the alternatives to RBAC?

A

Claim based permissions, but generally in azure it’s just RBAC.

An example of claims based access control is when a storage account can be accessed by using an access key or token.

30
Q

How many built in RBAC roles are there in Azure?

A

About 90 roles related to administrative work, teams passwords etc.

31
Q

What is the relationship between RBAC policies and a resource like a storage account?

A

You need to create a resource group and associate your storage account with it. The. You assign RBAC roles to the resource or the resource group.

32
Q

How to switch from claim based access control to azure Active Directory authorisation (azure AD has the RBAC policies) for a storage account?

A

In the configuration menu of the storage account, there is a radio button with “default to azure Active Directory authorisation in the azure portal “. You can also “disable storage account key access” here in the configuration menu.

33
Q

What does the owner role of a storage account allow permissions for?

A

Administration without adding or reading content.

34
Q

What are the owner, contributor and reader roles primary functions?

A

Owner manages resources and is the least restrictive,contributor manages resources but not assign roles and reader is just to read data but can’t delete or modify the contents or assign roles.

Data permissions are separate from the resource permissions!

35
Q

What is permission scope?

A

The range of resources where the permission role is applicable. In storage you could have the scope of the entire storage account, a blob storage container or a set of resources.

36
Q

Are azure custom RBAC roles a feee tier feature?

A

No they are a paid feature.

37
Q

How do you create a custom RBAC roles?

A

Via the subscription interface, there is an access control IAM and then create custom role button.

You can apply scopes to the custom role but it’s limited to 5000 customer roles.

38
Q

What are access assignments and how can you interpret them?

A

In the access control IAM page of a user or resource, there is a role assignments tab which shows all the RBAC roles on the resource and for which users or groups they apply.

39
Q

What are deny assignments?

A

Multiple role permissions are all applied to the user or resource. Deny assignments function to remove a specific access ( even if it it’s part of another role assigned to the resource or user).

Deny assignments are usually added using azure blueprints ( blueprints are not in the exam).

40
Q

What is an account/user?

A

Person or program
Can be a managed identity
The basis for authentication

41
Q

What is a subscription

A

A contract of payment for the used services in azure

42
Q

What is a tenant?

A

It represents an organisation, usually associated with a domain name. If you don’t have a domain name, Microsoft will create one for you.

Represents a dedicated instance of azure Active Directory.

Every account belongs to a tenant. You can create new tenants and switch between them easily.

Not every tenant needs a subscription, but without one you can’t pay for anything so you can’t create resources ( even free tier ones)

A tentant can have multiple subscriptions

More than one account can be a tenant owner.

43
Q

What are resource groups?

A
44
Q

If you have an RBAC role allowing resource group deletion, what happens if you try to delete a resource group that contains individual resources you don’t have the delete role for?

A

The only permission required to delete a resource group is permission to the delete action for deleting resource groups. You do not need permission to delete individual resources within that resource group. Additionally, delete actions that are specified in notActions for a roleAssignment are superseded by the resource group delete action. This is consistent with the scope hierarchy in the Azure role-based access control model.

45
Q

Is Microsoft billing managed within the azure portals?

A

No, there is a link in the subscription blade but it leads to another website.

46
Q

What is the difference between a budget and an anomaly alert?

A

Anomaly alerts are not user defined, the condition is defined by azure. New charges, significant changes in costs regular costs which have disappeared etc. A budget is user defined and is based on reaching user defined costs incurred thresholds

47
Q

What is the azure advisor?

A

It’s an automated system which provides recommended changes to your azure resources. These recommendations could be to change the vm type to fit better it’s usage. They are not limited to cost related recommendations.

48
Q

What are resource locks?

A

Deny permissions can be assigned to accounts to delete resources. If a resource has a lock then regardless of the permissions assigned to an account, the resource cannot be deleted until the lock is removed.

Note that RBAC polices do exist to give users permission to modify or add/rm locks.

49
Q

What is the concept of Azure policies?

A

To be able to set rules rules about your resources like minimum version of sql server or that every vm had to have a back up.

50
Q

What’s are some examples of the built in policies?

A

Best practices are generally already implemented in built in policies available for use, such as no public network access to azure storage, storage accounts should prevent shared access keys, configure azure file sync with public private endpoints or ensure geo redundant storage is enabled on storage accounts

51
Q

How is a policy definition written?

A

In json format. It can be duplicated and modified.

52
Q

How are policies used?

A

They are assigned to a scope eg production? Staging, one resource group, one resource etc.

53
Q

What does the policy enforcement ratio button activate?

A

When activated, resources which do not comply with the policy cannot be created. It’s a hard impasse. If policy enforcement is deactivated ( off) then you can break the policy rules but they will be reported on and made visible.

54
Q

How do policies affect existing storage?

A

By default, policies only affect new resources. Existing resources can be verified using a follow up remediation task, and it will modify directly where possible the existing resources or generate a deployment template to create new resources

55
Q

How do you customise the reporting message when policies are not complied with?

A

There is a tab non-compliance message tab when defining the policy where you can add a text string e.g. contact this guy admit that

56
Q

His long does it take to bring a new policy into effect?

A

About 30 minutes.

57
Q

What’s a common policy for VMs?

A

Limit the range of VMware sizes that employees can create to avoid that employees create very powerful and expensive machines without approval or other due process

58
Q

Where can you check policy compliance?

A

In a resource or resource group there is a compliance tab on the left hand menu blade. Click that to see a list of all associated policies and check the compliance state for each of them.

59
Q

How do vm size limitation policies manifest when creating a new cm?

A

The list of available vms has redistributed across categories like blocked.

Depending on the policy type (whether it’s enforcement enabled or a deny policy etc) the interface will adjust accordingly. E.g if enforce is set to false , the ui will not change to reflect that but once created the policies tab will see a bad compliance state ( wait 30 mins)

60
Q

How to see an overview of compliance policies across a different scope?

A

Through the portal, look for the policy service. You can change the scope and see the policy compliance of that scope.

61
Q

What are the minimum requirements for a custom policy definition?

A

A json doc with displayName, description,mode, parameters and policyRule.

62
Q

How to create a custom policy?

A

Policy -> definitions -> input custom json policy into text field -> add any additional metadata such as role definitions, whether it’s a storage account etc. -> click save -> assign policy to a resource or resource group -> set in the review and create tab whether this is a deny policy ( enforced) or if it’s just to audit in the compliance tabs

63
Q

What is the purpose of assigning tags to a resource?

A

Tags are name value metadata pairs which can be added to a resource and used as any other metadata would be used such as querying , organising, labelling etc. You could for example have a tag for the subject matter (billing, quotes) or contact details ( contact name or email for questions about the resource) team name, environment name etc.

Tags can be used as a filter in the cost analysis interface.

Tags can be be made mandatory via policies.

64
Q

What does it mean to move a resource?

A

It means to move a resource from one resource group to another. You select it and find the options ‘move to another region’ and ‘move to another resource group’. It’s can be a bit slow to query whether the move is possible.

Moving resources can break other resources which rely on it as moving a resource can change the resource because the subscription and the resource name are components of the resource ID so moving the resource changes the id and potentially breaks other parts of your infrastructure.

65
Q

In powershell how can you assign a policy to a resource?

A

New-AzPolicyAssignment -Scope $rg.Resourceld -PolicyDefinition §definition -Name RGLocationMatch -DisplayName
“Resource group location and region match “

66
Q

What are management groups?

A

Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

So management groups are to subscriptions what resource groups are to resources. Management groups can only contain subscriptions or other nested management groups