Manage Azure identities and governance Flashcards
Manage Azure AD users and groups, access to resources, subscriptions/governance
What technological need did Microsoft Entra ID (fka Azure AD) fulfill?
It came about because people needed an internet-friendly way to authenticate on the open internet,
which others suck at.
It is primarily identity and access management on the public internet.
How can businesses maintain an on-premises directory that is applied in Azure?
They use Active Directory (AD) and sync it with Microsoft Entra ID via an on-premises computer that runs the Microsoft Entra Connect sync service.
How are Microsoft Entra ID non-free tiers charged?
Costs are incurred per user per month
What does Microsoft Entra ID P1 get you compared to the free version?
P1 is intended for small businesses and adds:
- Conditional Access
- RBAC
- Group management (e.g. dynamic groups)
- Password policies and self-service features (e.g. password changes)
- Advanced security & usage reports
- Cross-tenant sync
- Session lifecycle management
What does Microsoft Entra ID P2 get you compared to P1?
- Risk-based Conditional Access
What does Microsoft Entra ID Suite get you compared to P1 & P2?
Risk-based access control: access control policies can be applied to protect the organization when a sign-in or user is detected to be at risk. There are sign-in risk and user risk protection signals.
What do you get with the free Microsoft Entra ID tier?
Supports multifactor authentication, unlimited SSO across any SaaS app, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
Manage users and groups in the cloud.
Sync your on-premises directory with Microsoft Entra ID.
What is conditional access in Microsoft Entra ID?
If-then statements: if a user wants to access a resource, then they must complete an action. For example: if a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.
What is risk based conditional access?
Risk-based Conditional Access in Azure uses signals to assess the risk of sign-ins and user accounts. It automatically responds to risky behaviors by enforcing actions like blocking access or requiring multifactor authentication (MFA). This helps protect organizations by continuously monitoring and mitigating potential threats.
Where can you see the time and date a resource group was created in the Azure portal?
In the resource group's Settings / Deployments blade
How is a role defined? I.e., what attributes does it have?
Name
Id
IsCustom
Description
Actions [] - Array of strings that specifies the control plane actions that the role allows to be performed.
NotActions [] - Array of strings that specifies the control plane actions that are excluded from the allowed Actions.
DataActions [] - Array of strings that specifies the data plane actions that the role allows to be performed to your data within that object.
NotDataActions [] - Array of strings that specifies the data plane actions that are excluded from the allowed DataActions.
AssignableScopes [] - Array of strings that specifies the scopes that the role is available for assignment.
Condition - For built-in roles, condition statement based on one or more actions in role definition.
ConditionVersion
What are the privileged & general built-in roles of Azure?
Contributor - Manage resources, but no RBAC role assignment
Owner - Full access over resources & RBAC
Role Based Access Control Administrator - Full access over Azure resources by assigning roles using RBAC
User Access Administrator - Lets you manage user access to Azure resources
Reader - View all resources, but no changes
Can you transfer Microsoft Entra P1/P2 Licenses across tenants?
No!
Where can you find the template that was used to create a resource group via ARM?
In the resource group's Settings / Deployments blade, via the "View template" option
What kind of groups support lifetimes/expirations?
Microsoft 365 Groups
In Microsoft Entra ID, what is the purpose of an external identity provider?
To allow users outside of your organization to access your resources.
What are the supported maximum numbers of devices in Entra ID?
5, 10, 20, or unlimited
When moving existing resources from one resource group to another, do the resources have to change their region to match the region of the target resource group?
In the case of an App Service plan, no! An App Service plan cannot change regions.
What are the different kind of resource locks?
CanNotDelete = Cannot be deleted
ReadOnly = Can’t be deleted or modified
Can you move resources to a different subscription when they have no locks?
Yes
What are the two types of managed identities?
System Assigned - An identity created in Microsoft Entra ID that is tied to the lifecycle of a service, so when the service is deleted the identity is deleted too.
User Assigned - You can create a managed identity as a stand-alone resource. The identity is managed separately from the resources that use it.
What are managed identities?
They are a feature of Azure Active Directory that provides an automatically managed identity for services running in Azure. They are essentially a wrapper around a service principal, providing a more streamlined and secure way to manage and use identities for Azure resources.
This type of service principal is used to represent a managed identity. Managed identities eliminate the need for developers to manage credentials.
How do service principals and managed identities differ?
The main difference between service principals and managed identities is that service principals are created and managed manually, while managed identities are automatically created and managed by Azure. Managed identities also provide additional security features, such as automatic rotation of credentials and seamless integration with Azure services.
What is the link between a Microsoft Entra application and a service principal?
A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).
When the application registers itself with a tenant, a service principal is created, which is the security identity used by the application to access specific Azure resources.
An application service principal is a local representation, or application instance, of a global application object in a single tenant or directory.
Mike's thoughts: it is like registering a GitHub app to a GitHub organization, which "installs" the app in the organization.
What are the three ways to achieve hybrid identity management with Microsoft Entra ID?
Password hash synchronization (PHS)
Pass-through authentication (PTA)
Federation (AD FS)
Can you modify the department information of all users from Microsoft Entra ID?
No, you can only do that for users whose source is Microsoft Entra ID. Users whose source is Windows Server AD or a Microsoft Account cannot be modified.