Manage azure identities and governance Flashcards
Is Azure Active Directory the same as Windows Active Directory?
No. Both provide identity for an organisation, but Windows Server Active Directory (AD DS) is an on-premises directory built on Kerberos, NTLM and LDAP, while Azure Active Directory (now Microsoft Entra ID) is a cloud identity service that uses internet protocols such as OAuth 2.0, OpenID Connect and SAML over HTTPS. Same idea, different requirements and protocols for doing the job over the internet rather than on a domain controller.
Can you sync your current Active Directory with a new Microsoft Entra ID tenant?
Yes. Microsoft Entra Connect (formerly Azure AD Connect) synchronises on-premises AD DS users, groups and devices into the tenant (see the AAD Connect card below).
Does Entra ID support single sign-on?
Yes. Thousands of SaaS applications are pre-integrated through the Enterprise applications gallery, and third-party applications that are not in the gallery can be integrated using standard protocols (SAML, OpenID Connect) or by writing your own code against the Microsoft identity platform APIs.
How much of the AZ-104 exam is based on identity and governance questions?
20 to 25% (the official skills outline gives a range; 25% is the upper bound).
What is Microsoft Entra?
Microsoft Entra is the umbrella brand for Microsoft's identity and access products. Microsoft Entra ID (the renamed Azure Active Directory) is the directory and identity service within it, providing single sign-on, multi-factor authentication and Conditional Access to protect against identity-based attacks.
What features come with the different Microsoft Entra ID licences?
Free, P1 and P2 tiers; the current feature matrix is at https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing
What is the difference between accounts, tenants and subscriptions?
Account:
A person or program (synonymous with user) that signs in, e.g. Joe Smith, joe@example.com.
Applications get their own identities: service principals, or managed identities (service principals whose credentials Azure creates and rotates for you, so nothing is stored in code or config).
Tenant:
A representation of an organisation. Identified by a tenant ID (GUID) and an initial domain such as contoso.onmicrosoft.com, plus any custom domains you verify.
A tenant is required to do anything in Azure and has its own dedicated instance of Entra ID.
Every Azure account is part of at least one tenant.
Subscription:
A billing agreement with Microsoft on how you are going to pay:
- Free trial
- Pay-as-you-go
- Enterprise Agreement
Every subscription trusts exactly one tenant for authentication (its home directory); a tenant can own many subscriptions, and a subscription can be transferred to a different tenant.
Multiple accounts can belong to a tenant, each with different roles, and one account can be a member or guest of several tenants.
In Entra ID how can you switch between tenants?
Via the 'Switch directory' link in the menu that appears when you click your profile picture, or under Settings (cog icon) > Directories + subscriptions in the Azure portal. From the command line, sign in to the tenant explicitly (az login --tenant <tenant-id> or Connect-AzAccount -Tenant <tenant-id>).
Is the use of AI to detect attacks (risky sign-ins, compromised accounts) part of the Entra ID free tier?
No. Machine-learning risk detection and risk-based policies are Microsoft Entra ID Protection, a P2 feature. Conditional Access without risk signals starts at P1.
https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing
How can you add a custom domain name to your new tenant?
Entra ID > Custom domain names > Add custom domain. You enter the domain, and Entra gives you a DNS record to publish that proves you control the zone: a TXT record at the zone apex with a value of the form MS=ms12345678 (or an MX record if your DNS host cannot add TXT). You create the record at your DNS provider and click Verify; Entra queries public DNS and marks the domain verified once it sees the record. Only after verification can users be created with that domain in their user principal name, and a domain can be verified in only one tenant at a time.
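The same verification flow scripted end to end, as an added example rather than anything from the original flashcards. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement) and, for the DNS check, Resolve-DnsName from the Windows DnsClient module; contoso.com is a placeholder domain.

```powershell
# Added example, not part of the original flashcards. Assumes the Microsoft Graph
# PowerShell SDK and Windows PowerShell's Resolve-DnsName. "contoso.com" is a
# placeholder; the MS=... value comes back from Entra at run time.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domain = "contoso.com"

# 1. Register the domain in the tenant. It stays IsVerified = $false until
#    ownership is proven, so no user can be given a UPN in it yet.
if (-not (Get-MgDomain -DomainId $domain -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $domain | Out-Null
}

# 2. Fetch the record Entra wants to see. For the TXT variant the value is in
#    the "text" property (something like MS=ms12345678) and belongs at the apex.
$txtRecord = Get-MgDomainVerificationDnsRecord -DomainId $domain |
    Where-Object { $_.RecordType -eq "Txt" }
$expected = $txtRecord.AdditionalProperties["text"]
Write-Host "Publish this TXT record at $($txtRecord.Label) (TTL $($txtRecord.Ttl)): $expected"

# 3. Confirm the record is visible in public DNS *before* asking Entra to verify.
#    Entra performs its own lookup, so a record that has not propagated yet just
#    fails the verification; checking first avoids a confusing error.
$published = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings }
if ($published -notcontains $expected) {
    throw "TXT record for $domain not visible in public DNS yet; wait for propagation and rerun."
}

# 4. Ask Entra to verify. On success the domain object reports IsVerified = $true.
Confirm-MgDomain -DomainId $domain | Out-Null
$verified = (Get-MgDomain -DomainId $domain).IsVerified
Write-Host "$domain verified: $verified"
```

Once verified, the TXT record can be left in place; removing it does not unverify the domain. If the domain is already verified in another tenant (for example a forgotten trial), step 4 fails until it is removed there.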
What are standard groups in Entra ID?
Security groups with membership type Assigned: members are explicitly added by an administrator or group owner, so membership is known and intentional. Permissions, licences and bulk operations are then applied to the group rather than to each user. (The other group type, Microsoft 365, additionally provisions a shared mailbox and collaboration resources.)
Can groups be given Entra roles by default?
No. The group must be created with the 'Microsoft Entra roles can be assigned to the group' switch on (the isAssignableToRole property). This can only be set at creation time, requires Entra ID P1, and is only allowed for groups with Assigned membership, never dynamic ones.
What are dynamic groups?
A dynamic group is one whose membership is computed from a rule over user (or device) attributes instead of being assigned by hand. For example (user.department -eq "Finance") puts every user with that department into the group and removes them automatically when the attribute changes. It is still a security (or Microsoft 365) group; its membership type is Dynamic User or Dynamic Device.
Job title, country, usage location and extension attributes are other common rule properties. Dynamic membership requires Entra ID P1, and because membership follows the attributes, whoever can edit those attributes (HR sync, a User Administrator) effectively controls access granted through the group.
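Creating both kinds of group described above (a role-assignable Assigned group and a dynamic group) through Microsoft Graph, as an added example that is not from the original flashcards. It assumes the Microsoft Graph PowerShell SDK; the display names, mail nicknames and the membership rule are placeholders.

```powershell
# Added example, not part of the original flashcards. Assumes the Microsoft Graph
# PowerShell SDK; group names, mail nicknames and the rule are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Assigned security group that is allowed to hold Entra directory roles. The
# portal toggle "Microsoft Entra roles can be assigned to the group" is the
# isAssignableToRole property: settable at creation only, Assigned membership only.
$helpdesk = New-MgGroup -DisplayName "Helpdesk Admins" `
    -MailEnabled:$false -MailNickname "helpdeskadmins" `
    -SecurityEnabled -IsAssignableToRole

# Dynamic security group: Entra recomputes membership whenever a user's
# department or country attribute changes, so nobody adds members by hand.
$rule = '(user.department -eq "Finance") -and (user.country -eq "GB")'
$finance = New-MgGroup -DisplayName "Finance UK" `
    -MailEnabled:$false -MailNickname "financeuk" `
    -SecurityEnabled -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Preview who the rule will catch. Rule evaluation is asynchronous, so the
# group's member list lags attribute changes by minutes; the equivalent Graph
# filter answers immediately and surfaces anyone tagged with a wrong department
# or country before the group is wired to any permissions.
Get-MgUser -Filter "department eq 'Finance' and country eq 'GB'" -All |
    Select-Object DisplayName, UserPrincipalName, Department, Country

# Graph does not allow -IsAssignableToRole together with
# -GroupTypes @("DynamicMembership"): a group whose membership can be changed by
# editing an attribute must not be able to hand out directory roles. Apply the
# same caution to privileged Azure RBAC assignments on dynamic groups.
```

After the first run, Get-MgGroupMember -GroupId $finance.Id shows the computed membership once processing has finished; the group's MembershipRuleProcessingState can be set to "Paused" to freeze membership while a rule is being reworked.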
What management features can be applied to groups?
Access reviews (P2): periodic recertification of who should still be a member
Audit and sign-in logs
Bulk operations (import members, remove members, download members)
Privileged Identity Management for groups (P2): just-in-time, time-bound membership
What are devices in Entra ID?
Device objects represent the physical or virtual devices users sign in from to reach an organisation's resources: phones, laptops, authentication devices. A device is either registered (typically personal/BYOD), Entra joined (organisation-owned and cloud managed) or hybrid joined (joined to on-premises AD and synced to the cloud).
Is multi-factor authentication part of the free tier of Entra ID?
Partly. MFA with the Microsoft Authenticator app through security defaults is free. SMS and voice-call methods, and targeting MFA with Conditional Access policies, need a paid licence (P1 or an equivalent Microsoft 365 plan).
Is licence assignment to a user constrained by legal requirements?
Yes. A licence cannot be assigned until the user has a usage location (two-letter country code) set, because some services are not available in every country for legal and regulatory reasons, including data-protection rules such as GDPR.
What is the difference between a managed and unmanaged device in Entra ID?
A managed device is joined or registered to the tenant and enrolled in a device management service such as Microsoft Intune, which evaluates it against a compliance policy: disk encryption, PIN/password rules, antivirus running, minimum OS version and so on. An unmanaged device gives no such assurance.
Conditional Access consumes the result: a policy can require a compliant (managed) or hybrid-joined device before granting access, alongside other signals such as location, application and sign-in risk.
Device settings also let you cap how many devices each user can register ('Maximum number of devices per user').
What are Entra ID bulk operations?
Certain tasks can be done in bulk: creating users, inviting guests, deleting users, importing group members. For new users you download a CSV template, fill in one row per user (display name, user principal name, initial password, whether sign-in is blocked), upload it, and Entra creates all the users and reports any rows that failed under Bulk operation results.
How do you add an external user to your tenant (someone whose email is on a different domain and who exists outside your tenant, typically partners, vendors and contractors)?
Invite them as a guest user (B2B collaboration). They receive an invitation email and must redeem it before they show up as a user of type Guest. They can then be managed much like members: added to groups, assigned Azure RBAC roles, given devices and subjected to Conditional Access rules such as requiring MFA. They authenticate with their home identity provider, so password management happens there rather than in your tenant, and by default guests have restricted permissions in the directory.
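A scripted version of the onboarding covered by the last three cards (usage location before licensing, bulk creation from a CSV, and guest invitations), as an added example that is not from the original flashcards and is not Microsoft's own CSV template. It assumes the Microsoft Graph PowerShell SDK; the CSV rows, domain names, group name and licence SKU are constructed placeholders.

```powershell
# Added example, not part of the original flashcards and not Microsoft's CSV
# template. Assumes the Microsoft Graph PowerShell SDK; the CSV content, domains,
# group name and licence SKU are constructed placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.Invite.All",
    "Group.ReadWrite.All", "Organization.Read.All"

# Constructed input: one row per identity. Guests are distinguished by Type.
$csv = @"
Type,DisplayName,Email,Department,UsageLocation
Member,Ana Lopes,ana.lopes@contoso.com,Finance,PT
Member,Ben Okafor,ben.okafor@contoso.com,Finance,
Guest,Dana Chen,dana.chen@partner.example,,GB
"@ | ConvertFrom-Csv

$group = Get-MgGroup -Filter "displayName eq 'Finance Staff'"
$sku   = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "AAD_PREMIUM"   # Entra ID P1

# Random initial password; the user is forced to change it at first sign-in.
function New-InitialPassword {
    $chars = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*"
    -join (1..20 | ForEach-Object { $chars | Get-Random })
}

foreach ($row in $csv) {
    if ($row.Type -eq "Guest") {
        # B2B invitation: the guest authenticates with their home identity
        # provider, so there is no password or licence to set here. The object
        # exists immediately with userType Guest; it is usable once redeemed.
        $inv = New-MgInvitation -InvitedUserEmailAddress $row.Email `
            -InvitedUserDisplayName $row.DisplayName `
            -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage
        $userId = $inv.InvitedUser.Id
    }
    else {
        # Licences cannot be assigned without a usage location, so reject the
        # row up front instead of failing half way through the batch.
        if ([string]::IsNullOrWhiteSpace($row.UsageLocation)) {
            Write-Warning "Skipping $($row.Email): UsageLocation is required for licence assignment"
            continue
        }
        $user = New-MgUser -AccountEnabled -DisplayName $row.DisplayName `
            -UserPrincipalName $row.Email -MailNickname ($row.Email.Split("@")[0]) `
            -Department $row.Department -UsageLocation $row.UsageLocation `
            -PasswordProfile @{ Password = New-InitialPassword; ForceChangePasswordNextSignIn = $true }
        Set-MgUserLicense -UserId $user.Id `
            -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
        $userId = $user.Id
    }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $userId
    Write-Host "Onboarded $($row.Type.ToLower()) $($row.Email)"
}
```

In the constructed input the second member row has no UsageLocation and is skipped with a warning, which is the same condition the portal's bulk create reports as a failed row when a licence is involved. The password never leaves the script and is only valid until first sign-in.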
What is self-service password reset?
A feature that lets users reset their own forgotten password without calling the helpdesk, after proving their identity with registered authentication methods (for example the Authenticator app plus a phone number).
It is configured under Password reset > Properties in the Entra ID portal and scoped to None, a Selected group, or All users. Changing a password while signed in is free, but self-service reset for cloud users requires a paid licence (P1, P2 or a qualifying Microsoft 365 plan), and writing the new password back to on-premises AD requires P1 or P2, so you cannot enable it for more users than you hold licences for. Administrator accounts are always able to use it and are held to a stricter two-method policy.
What is AAD Connect?
Microsoft Entra Connect (formerly Azure AD Connect) is the on-premises service that synchronises AD DS users, groups and devices into Entra ID. It also provides the sign-in method for synced users: password hash synchronisation, pass-through authentication, or federation (AD FS). A lighter, agent-based alternative is Microsoft Entra Cloud Sync.
What does RBAC stand for?
Role-based access control
What is RBAC?
A model in which permissions are bundled into roles (Reader, Contributor, Owner, or custom roles) and users, groups or service principals are assigned a role at a scope (management group, subscription, resource group or individual resource). Access follows from the role and scope rather than from per-user grants. Azure RBAC governs Azure resources; Microsoft Entra roles (Global Administrator, User Administrator and so on) govern the directory itself, and the two are separate systems.
What is the principle of least privilege?
Grant each identity only the permissions it needs to do its job, at the narrowest scope and for the shortest time that works. Fewer standing permissions mean a smaller blast radius when an account, token or device is compromised.
What are the drawbacks of assigning individual users individual permissions (not RBAC)?
Permissions accumulate over the years, so some users end up over-privileged and get asked to do things on behalf of colleagues who lack the permission, while others frequently lack permissions they need. Direct assignments are more effort to maintain, hard to review, and easy to forget when someone changes role or leaves. An attacker who compromises an over-privileged account, or a malicious insider, can abuse permissions nobody intended that person to have.
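A practical check for the privilege creep described above, followed by the RBAC-style fix, as an added example that is not from the original flashcards. It assumes the Az PowerShell module (Az.Accounts and Az.Resources); the resource group and group name are placeholders.

```powershell
# Added example, not part of the original flashcards. Assumes the Az PowerShell
# module; the resource group and group name are placeholders.
Connect-AzAccount | Out-Null
$sub = (Get-AzContext).Subscription.Id
$me  = (Get-AzContext).Account.Id

# 1. Audit: privileged roles granted directly to individual users at the
#    subscription root. These are the grants that accumulate over the years;
#    each should become a group assignment at a narrower scope, or go away.
$privileged = "Owner", "Contributor", "User Access Administrator"
$direct = Get-AzRoleAssignment -Scope "/subscriptions/$sub" |
    Where-Object {
        $_.ObjectType -eq "User" -and
        $_.Scope -eq "/subscriptions/$sub" -and
        $privileged -contains $_.RoleDefinitionName
    }
$direct | Format-Table SignInName, RoleDefinitionName, Scope -AutoSize

# 2. Fix: assign the role to a group at the scope of the workload instead.
#    Group membership becomes the single thing to review, and the assignment
#    never needs to change when people join or leave the team.
$rg    = "rg-app-prod"
$group = Get-AzADGroup -DisplayName "App Prod Contributors"
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Contributor" `
    -Scope "/subscriptions/$sub/resourceGroups/$rg" | Out-Null

# 3. Remove the direct subscription-wide grants once the group assignment is
#    in place. -WhatIf only reports; drop it after reviewing the list, and never
#    remove your own assignment from a script or you lock yourself out.
foreach ($a in $direct | Where-Object { $_.SignInName -ne $me }) {
    Remove-AzRoleAssignment -ObjectId $a.ObjectId `
        -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope -WhatIf
}
```

Get-AzRoleAssignment with -Scope also returns assignments inherited from management groups, which is why the filter compares Scope to the subscription exactly; inherited grants have to be fixed at the level where they were made.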