Manage Azure identities and governance Flashcards

Manage Azure AD users and groups, access to resources, subscriptions/governance

1
Q

What technological need did Microsoft Entra ID (fka Azure AD) fulfill?

A

It came about because people needed an internet-friendly way to authenticate on the open internet,
which others suck at.

It is primarily identity and access management on the public internet.

2
Q

How can businesses maintain an on-premises directory that is also applied in Azure?

A

They use Active Directory (AD) and sync it with Microsoft Entra ID via an on-premises computer that runs the Microsoft Entra Connect sync service.

3
Q

How are Microsoft Entra ID non-free tiers charged?

A

Costs are incurred per user per month

4
Q

What does Microsoft Entra ID P1 get you compared to the free version?

A

P1 is intended for small businesses and adds:
- Conditional Access
- RBAC
- Group management (e.g. dynamic groups)
- Password policies and self-service features (e.g. password changes)
- Advanced security and usage reports
- Cross-tenant sync
- Session lifecycle management

5
Q

What does Microsoft Entra ID P2 get you compared to P1?

A

Risk-based Conditional Access

6
Q

What does Microsoft Entra ID Suite get you compared to P1 & P2?

A

Risk-based access control: access control policies can be applied to protect the organization when a sign-in or a user is detected to be at risk. There are two kinds of protection signals: sign-in risk and user risk.

7
Q

What do you get with the free Microsoft Entra ID tier?

A

Support for multifactor authentication, unlimited SSO across SaaS apps, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
Managing users and groups in the cloud.
Syncing your on-premises directory with Microsoft Entra ID.

8
Q

What is conditional access in Microsoft Entra ID?

A

If-then statements: if a user wants to access a resource, then they must complete an action. For example: if a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.

9
Q

What is risk based conditional access?

A

Risk-based Conditional Access in Azure uses signals to assess the risk of sign-ins and user accounts. It automatically responds to risky behaviors by enforcing actions like blocking access or requiring multifactor authentication (MFA). This helps protect organizations by continuously monitoring and mitigating potential threats.

10
Q

Where can you see the time and date a resource group was created in the Azure portal?

A

In the Settings / Deployments blade

11
Q

How is a role defined, i.e. what attributes does it have?

A

Name
Id
IsCustom
Description
Actions [] - Array of strings that specifies the control plane actions that the role allows to be performed.
NotActions [] - Array of strings that specifies the control plane actions that are excluded from the allowed Actions.
DataActions [] - Array of strings that specifies the data plane actions that the role allows to be performed on your data within that object.
NotDataActions [] - Array of strings that specifies the data plane actions that are excluded from the allowed DataActions.
AssignableScopes [] - Array of strings that specifies the scopes at which the role is available for assignment.
Condition - For built-in roles, a condition statement based on one or more actions in the role definition.
ConditionVersion

12
Q

What are the privileged and general built-in roles of Azure?

A

Contributor - Manage resources, but no RBAC role assignment
Owner - Full access over resources and RBAC
RBAC Admin - Full access over Azure resources by assigning roles using RBAC
User Access Administrator - Lets you manage user access to Azure resources
Reader - View all resources, but no changes

13
Q

Can you transfer Microsoft Entra P1/P2 Licenses across tenants?

A

No!

14
Q

Where can you find the template that was used to create a resource group via ARM?

A

In the resource group, the Settings / Deployments blade and the "View template" option

15
Q

What kind of groups support lifetimes/expirations?

A

Microsoft 365 Groups

16
Q

In Microsoft Entra ID, what is the purpose of an external identity provider?

A

To allow users outside of your organization to access your resources.

17
Q

What are the supported values for the maximum number of devices in Entra ID?

A

5, 10, 20 or unlimited

18
Q

When moving existing resources from one resource group to another, do the resources have to change their region to match the region of the target resource group?

A

In the case of an App Service plan, no! The App Service plan cannot change regions.

19
Q

What are the different kind of resource locks?

A

CanNotDelete = Cannot be deleted
ReadOnly = Cannot be deleted or modified

20
Q

Can you move resources to a different subscription when they are lock-free?

A

Yes

21
Q

What are the two types of managed identities?

A

System Assigned - An identity that is created in Microsoft Entra ID and tied to the lifecycle of a service, so when the service is deleted the identity is deleted too.

User Assigned - You can create a managed identity as a stand-alone resource. The identity is managed separately from the resources that use it.

22
Q

What are managed identities?

A

They are a feature of Azure Active Directory that provides an automatically managed identity for services running in Azure. They are essentially a wrapper around a service principal, providing a more streamlined and secure way to manage and use identities for Azure resources.

This type of service principal is used to represent a managed identity. Managed identities eliminate the need for developers to manage credentials.

23
Q

How do service principals and managed identities differ?

A

The main difference between service principals and managed identities is that service principals are created and managed manually, while managed identities are automatically created and managed by Azure. Managed identities also provide additional security features, such as automatic rotation of credentials and seamless integration with Azure services.

24
Q

What is the link between a Microsoft Entra application and a service principal?

A

A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

When the application registers itself with a tenant, a security principal is created, which is the security identity used by the application to access specific Azure resources.

An application service principal is a local representation, or application instance, of a global application object in a single tenant or directory.

Mike's thoughts: it is like registering a GitHub app to a GitHub organization, which "installs" the app in the organization.

25
Q

What are the three ways to achieve hybrid identity management with Microsoft Entra ID?

A

Password hash synchronization (PHS)
Pass-through authentication (PTA)
Federation (AD FS)

26
Q

Can you modify the department information of all users from Microsoft Entra ID?

A

No, you can only do that for users whose source is Microsoft Entra ID. Users who are defined from Windows AD Server or as a Microsoft Account cannot be modified.
