Manage Identities Flashcards

1
Q

what is authentication and how do you do it? [2.1]

A

the “who”: the process of verifying that the party trying to access something really is the owner of the identity it claims, done by presenting credentials (a password, certificate, token, biometric, etc.)

2
Q

who can authenticate? [2.1]

A

person, an application, device, script or service

3
Q

what is IdP? [2.1]

A

identity provider: a service that stores, manages and verifies identities and so verifies who a user (or service) is during the authentication process. it then issues tokens that secure access to resources for users, services, apps and scripts

4
Q

what is authorization? [2.1]

A

the process of determining what an authenticated identity can access and what it can do with that access, and then granting or denying it; the “what” you’re trying to access

5
Q

what are authn and authz together sometimes referred to as? [2.1]

A

Identity and Access Management or IAM

6
Q

mention some open industry-standard protocols for authn? [2.1]

A

SAML (Security Assertion Markup Language), commonly used for federation and enterprise authentication, and OpenID Connect (OIDC), the modern cloud-native authn layer on top of OAuth 2.0 that both web-based and mobile applications use to request identity (authn) information

7
Q

mention some open industry-standard protocols for authz? [2.1]

A

OAuth 2.0 (Open Authorization); lets a user authorize an application to access resources on their behalf without handing that application their credentials (the user still authenticates, but with the authorization server, never with the app)

8
Q

what does a system provide once a user is authenticated? [2.1]

A

the system issues a token (for example an OIDC ID token and an OAuth access token) that the client presents on subsequent requests instead of re-sending the credentials

9
Q

what is OAuth in depth? [2.1]

A

a protocol (a set of rules or standards governing how systems communicate to authorize access to resources). instead of giving each app/service your credentials, you authenticate once with a service you trust (e.g. Google), and that service hands the app a token (a kind of digital permission slip, scoped to specific resources and actions). the app then uses the token to access the resources it needs without ever seeing or storing your credentials. because the access lives in the token rather than in your password, you can see which apps hold OAuth access to your resources and revoke any of them individually

10
Q

what is Microsoft Entra ID? [2.2]

A

cloud-based identity and access management service that provides single sign-on (SSO), identity management and authorization for cloud-based apps like Microsoft 365 and the Azure portal. it acts both as an IdP (issuing tokens) and as an SP (service provider) that consumes tokens from other identity providers

11
Q

what is an Entra tenant? [2.2]

A

security and management boundary for identities, storing information about users, groups, devices and applications for a single org. includes organizational objects such as users, groups and devices but also application registrations for apps that you’re developing or enterprise apps that are secured by Entra.

12
Q

what is a usage point of Microsoft Identity Platform? [2.2]

A

it lets applications accept users who bring their own identity, incl. personal Microsoft accounts, Google and Facebook accounts, etc., instead of requiring an account in your tenant

13
Q

what is the difference between a tenant and a directory?

A

a tenant is the dedicated, isolated instance of the Entra ID service that an org receives when it signs up for a Microsoft cloud service such as Azure, Microsoft 365 or Dynamics 365 (identified by a unique tenant ID). the directory is the container inside it for objects such as users, groups and applications, used to manage access to resources in Azure. each tenant has exactly one directory, so the two terms are often used interchangeably

14
Q

what is Microsoft Entra Domain services? [2.2]

A

a managed domain service: Microsoft deploys and operates the domain controllers for you, and the managed domain provides the same features as on-premises Active Directory Domain Services (AD DS), i.e. domain join, group policy, LDAP and Kerberos/NTLM authentication. contrast with self-managed AD DS, where you install the role on Windows Servers (physical or virtual machines) and those servers become your domain controllers, which you then have to patch, back up and secure yourself

15
Q

which authn/authz protocols do Entra Domain Services use? [2.2]

A

Lightweight Directory Access Protocol (LDAP), Kerberos and [legacy] NT LAN Manager (NTLM)

16
Q

Key features of P2? [2.2]

A

identity protection (risk-based policies), access reviews, and privileged identity management (PIM) with just-in-time (JIT) privileged access

17
Q

Key features of P1? [2.2]

A

app proxy, dynamic groups, password writeback, conditional access, password protection

18
Q

what is a security principal? [2.3]

A

identity that’s stored by an IdP, representing a user, group, service, device, or application requesting access to resources secured by the identity provider

19
Q

what’s the two most common types of security principals? [2.3]

A

user principals and service principals

20
Q

what do user principles represent in MS Entra? [2.3]

A

users/people who access resources secured by Microsoft Entra ID (either cloud-only users created in Entra ID, or directory-synced users synchronized from on-premises AD DS through Microsoft Entra Connect)

21
Q

what are service principles in MS Entra ID used for? [2.3]

A

applications, services and background processes that need to run without user input and require access to resources secured by Entra ID. a managed identity is a special kind of service principal whose credentials Microsoft manages for you; not every service principal is a managed identity

22
Q

what are the four common operations you can perform on user accounts in Entra ID? [2.4]

A

create, read, update and delete (crud)

23
Q

what roles are required to manage Entra ID users? [2.4]

A

the user administrator role or a more privileged role like global admin

24
Q

what’s verified ID? [2.2]

A

Microsoft Entra Verified ID: a verifiable-credentials service that lets users bring their own decentralized digital identities and present claims (e.g. an employment or education credential) that your org can verify without holding the user’s credentials itself

25
Q

what’s workload identity? [2.2]

A

an identity for a non-human workload (app, service, script, container). with workload identity federation you configure a trust relationship between Entra ID and the workload’s own identity provider so it gets passwordless access to resources, with no secret to store or rotate

26
Q

where can you create users? [2.4]

A

the portal (Azure portal / Microsoft Entra admin center), PowerShell, Azure CLI

27
Q

can all members read users? [2.4]

A

all members can read users and their public properties; guest users can too by default, but guest permissions can be restricted in the external collaboration settings

28
Q

which command can you use in PowerShell to create a new Entra ID (Azure AD) user? [2.4]

A

‘New-AzADUser’ in Az PowerShell (Az.Resources module); the equivalent in the Microsoft Entra PowerShell module is the ‘New-EntraUser’ cmdlet, and in Microsoft Graph PowerShell ‘New-MgUser’

29
Q

what command do you use in the Azure CLI to create a new Entra ID user? [2.4]

A

‘az ad user create’

30
Q

what is the retention period for deleted users in Entra ID? [2.4]

A

deleted users are retained for 30 days unless they are restored or permanently deleted

31
Q

what is the “source of truth” in user management within Entra ID? [2.4]

A

the original location where the user was created; that is where the user has to be updated or deleted, and changes flow from there to everywhere else. recommended: create users in Entra ID (they are synced down to Entra Domain Services automatically) so the admin work stays in Entra ID. for hybrid users synced from on-premises AD DS the source of truth is AD DS

32
Q

what are “break glass” accounts in Entra ID and why are they important? [2.4]

A

emergency-access, cloud-only global admin accounts kept as a backup for critical access issues (e.g. a misconfigured Conditional Access policy or an outage of the MFA provider locks all other admins out)

33
Q

what is the syntax convention used in Azure PowerShell commands for managing users? [2.4]

A

Verb-Noun convention, such as ‘New-AzADUser’ or ‘Get-AzADUser’

34
Q

what is the syntax convention used in Azure CLI commands? [2.4]

A

the command starts with the object (command group) being referenced and ends with the verb, e.g. ‘az ad user create’ (group: ad, subgroup: user, verb: create)
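The create/read/update/delete operations from cards 22, 28, 29, 33 and 34, as an added example that is not part of the original deck. It runs in PowerShell with the Az module and assumes `Connect-AzAccount` (and `az login` for the CLI lines) already ran as a User Administrator or higher; the domain and user names are hypothetical.

```powershell
# Added example (not from the original deck): user CRUD with Az PowerShell,
# plus the equivalent Azure CLI calls. Assumes Connect-AzAccount / az login
# already ran with a User Administrator (or higher) role.
$domain = 'contoso.onmicrosoft.com'   # assumption: replace with a verified domain of your tenant
$upn    = "jdoe@$domain"

# Generate a random initial password instead of hardcoding one; force a change at first sign-in.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes) + 'Aa1!'   # suffix guarantees complexity classes
$secure = ConvertTo-SecureString $initialPassword -AsPlainText -Force

# CREATE (Verb-Noun: New-AzADUser)
$user = New-AzADUser -DisplayName 'Jane Doe' `
                     -UserPrincipalName $upn `
                     -MailNickname 'jdoe' `
                     -Password $secure `
                     -ForceChangePasswordNextLogin

# READ: any member of the tenant can read these public properties
Get-AzADUser -UserPrincipalName $upn |
    Select-Object DisplayName, UserPrincipalName, Id, AccountEnabled

# UPDATE
Update-AzADUser -UPNOrObjectId $upn -JobTitle 'Security Analyst' -Department 'SecOps'

# DELETE: the object is soft-deleted and kept for 30 days, after which it is purged
Remove-AzADUser -UPNOrObjectId $upn

# Azure CLI equivalents: the command starts with the object group and ends with the verb.
az ad user create --display-name 'Jane Doe' --user-principal-name $upn `
                  --password $initialPassword --force-change-password-next-sign-in true
az ad user show   --id $upn --query '{name:displayName, id:id}'
az ad user update --id $upn --display-name 'Jane A. Doe'
az ad user delete --id $upn
```

The password is generated from a CSPRNG and never written to disk; in real automation you would hand it to the user through an out-of-band channel (or skip it entirely and use Temporary Access Pass) rather than keep it in a variable.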

35
Q

what roles are required to manage (e.g. reset the password of, or delete) users who hold privileged roles? [2.4]

A

the privileged authentication administrator role or something more privileged like global admin (a plain user administrator can manage ordinary users but not users holding admin roles)

36
Q

what are the two types of Entra ID groups? [2.6]

A

security groups and microsoft 365 groups

37
Q

what is the primary use of security groups in AAD/Entra ID? [2.6]

A

to grant or restrict access to resources secured by your Entra ID tenant (role assignments, app assignments, Conditional Access scoping); their members can be users, devices, other security groups and service principals

38
Q

what are MS 365 groups used for? [2.6]

A

collaboration in MS 365, incl. teams, shared email inboxes, calendars, files in SharePoint etc.

39
Q

who can be members of security groups? [2.6]

A

users, devices, other security groups, service principals

40
Q

who can be direct members of MS 365 groups? [2.6]

A

only users

41
Q

what is assigned membership in Entra ID groups? [2.6]

A

method where users or devices are manually added to a group by an admin or group owner, without any dynamic rules

42
Q

what is a dynamic group in Entra ID? [2.6]

A

a group with the membership type ‘dynamic’, where membership is managed automatically by a rule evaluated against user or device properties, such as location or department, instead of by hand

43
Q

what are the two types of dynamic groups? [2.6]

A

dynamic user groups and dynamic device groups

44
Q

can a dynamic group have both devices and users? [2.6]

A

no; a dynamic group is either a dynamic user group or a dynamic device group

45
Q

can service principals be added to dynamic groups? [2.6]

A

no

46
Q

what license is required for users in dynamic groups? [2.6]

A

a Premium P1 license is required for each user who is a member of a dynamic group. the license does not have to be assigned to each member, but the tenant must hold enough licenses to cover all members of all dynamic groups
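Cards 42 to 46 in practice: creating a dynamic user group and a dynamic device group with Microsoft Graph PowerShell and checking the membership and the P1 license headroom. This is an added example, not part of the original deck; it assumes `Connect-MgGraph` as a Groups Administrator, and the department value, group names and SKU matching are assumptions.

```powershell
# Added example (not from the original deck): dynamic groups with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All','Organization.Read.All' -NoWelcome

# Membership rule syntax: (property operator "value"). The directory evaluates it,
# so a typo does not error out; it silently produces an empty or wrong group.
$userRule = '(user.department -eq "SecOps") and (user.accountEnabled -eq true)'

$userGroup = New-MgGroup -DisplayName 'SecOps (dynamic)' `
    -MailEnabled:$false -MailNickname 'secops-dynamic' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $userRule `
    -MembershipRuleProcessingState 'On'

# Devices go in a separate group: a dynamic group cannot mix users and devices,
# and service principals are never members of dynamic groups.
$deviceGroup = New-MgGroup -DisplayName 'Entra-joined Windows devices (dynamic)' `
    -MailEnabled:$false -MailNickname 'win-entra-joined-dynamic' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule '(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureAD")' `
    -MembershipRuleProcessingState 'On'

# Rule processing is asynchronous; give the directory a moment before reading members.
Start-Sleep -Seconds 60
$members = Get-MgGroupMember -GroupId $userGroup.Id -All
$members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# License check: every member of a dynamic group needs P1 coverage, whether or not the
# license is assigned to them. Assumption: counting only the AAD_PREMIUM* SKUs; P1 bundled
# in EMS/M365 suites would have to be added to this sum.
$p1Units = (Get-MgSubscribedSku | Where-Object SkuPartNumber -like 'AAD_PREMIUM*' |
            ForEach-Object { $_.PrepaidUnits.Enabled } | Measure-Object -Sum).Sum
$dynamicMembers = Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All |
    ForEach-Object { Get-MgGroupMember -GroupId $_.Id -All } |
    Select-Object -ExpandProperty Id -Unique
if ($dynamicMembers.Count -gt $p1Units) {
    Write-Warning "Dynamic groups cover $($dynamicMembers.Count) objects but only $p1Units P1 units are held"
}
```

Keep rules narrow and prefer properties the user cannot set themselves; a rule on a self-service editable attribute lets a user add themselves to a group that carries access.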

47
Q

who can manage assigned group memberships? [2.6]

A

you can delegate management using built-in roles like groups administrator and user administrator, or define group owners

48
Q

who can manage dynamic group memberships? [2.6]

A

global admin, groups administrator, intune administrator, or user administrator; dynamic membership rules can only be edited by these privileged roles, not by group owners

49
Q

how long are deleted MS365 groups retained? [2.6]

A

30 days, and they can be restored by an admin

50
Q

how long are deleted security groups retained? [2.6]

A

deleted security groups are not soft-deleted: they are removed permanently and cannot be restored (only Microsoft 365 groups get the 30-day recycle bin)

51
Q

what is required for a user to request to join a security group or MS 365 group + approve/deny membership requests? [2.6]

A

at least a P1 license

52
Q

who can manage group memberships for groups created by non-administrative users in Entra ID/Azure AD? [2.6]

A

the ability to manage group memberships for groups created by non-admin users depends on the policy applied when the group was created. it can be configured to allow anyone to join, require approval, or require an owner or admin to manage the membership

53
Q

who can manage group memberships for groups created by admins in Entra ID/Azure AD? [2.6]

A

for groups created by admins in the Azure portal, only privileged roles like global admin, groups admin, user admin, intune admin or designated group owners can manage the group memberships. dynamic group rules can only be managed by the privileged roles, not by owners

54
Q

what happens when you nest security groups in Entra ID/Azure AD? [2.6]

A

it creates a group hierarchy that can match your organizational chart. caveat: nested membership is not expanded everywhere; dynamic group rules and several role/license assignment scenarios only see direct members, so check the feature you are granting access through before relying on nesting

55
Q

what is a service principal in Entra ID? [2.9]

A

service principals are identities assigned to applications, background processes or other automated tools to access resources secured by Entra ID. they are used for authentication and authorization of that workload, not to represent user identities

56
Q

how is a service principal created in Entra ID? [2.9]

A
1. by registering an application in Entra ID, which creates an application object (the global identity) and an associated service principal in your tenant, or
2. by creating a managed identity for an Azure resource, which is a Microsoft-managed service principal representing that resource

57
Q

what is the difference between a managed identity and a self-managed service principal? [2.9]

A

managed identities are service principals managed by microsoft for azure resources. microsoft manages the credentials and sometimes authentication. self-managed service principals are managed by the user, who must handle credentials, authentication and authorization

58
Q

what are the two types of authentication available for a self-managed service principal? [2.9]

A

password-based authentication (an application secret: a password you present together with the application/client ID) and certificate-based authentication, which is the recommended option. with a certificate the app signs an authn request (a client assertion) with its private key and Entra ID verifies the signature with the public key uploaded to the app registration; the private key never leaves the client, so unlike a secret there is nothing to copy out of a config file, pipeline log or chat message

59
Q

why might you use a self-managed service principal over a managed identity? [2.9]

A

if the Azure service does not support managed identities, or if the application runs outside Azure, such as on-premises or in another cloud like AWS (though workload identity federation or Azure Arc may remove the need for a stored credential even there)
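Cards 55 to 59 (and the token “permission slip” from card 9) worked through: a self-managed service principal whose only credential is a certificate, a least-privilege role assignment, sign-in as that principal, and a look inside the access token Entra ID issues. This is an added example, not part of the original deck; it assumes `Connect-AzAccount` as an Application Administrator with rights on the target resource group, and the names and resource group are hypothetical.

```powershell
# Added example (not from the original deck): certificate-based service principal + token inspection.
$tenantId = (Get-AzContext).Tenant.Id

# 1. Key pair is generated on the client and marked non-exportable; only the public
#    certificate is sent to Entra ID.
$cert = New-SelfSignedCertificate -Subject 'CN=backup-job-sp' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(12)
$keyValue = [Convert]::ToBase64String($cert.GetRawCertData())

# 2. App registration + service principal in one call, with the cert as its credential.
#    (Omitting -CertValue would instead generate a client secret, readable once via
#    $sp.PasswordCredentials.SecretText; that is the option to avoid.)
$sp = New-AzADServicePrincipal -DisplayName 'backup-job-sp' `
    -CertValue $keyValue -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# Least privilege: a data-plane reader role scoped to one resource group, not Contributor
# on the subscription. Assumption: rg-backups already exists.
New-AzRoleAssignment -ApplicationId $sp.AppId `
    -RoleDefinitionName 'Storage Blob Data Reader' -ResourceGroupName 'rg-backups'

# 3. Authenticate as the SP. The client signs a JWT assertion with the private key and
#    Entra ID verifies it against the uploaded public key; no secret is stored anywhere.
Connect-AzAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $sp.AppId `
    -CertificateThumbprint $cert.Thumbprint

# 4. Decode the access token payload (base64url JSON) to see what the "permission slip" says.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$raw = (Get-AzAccessToken -ResourceUrl 'https://storage.azure.com/').Token
if ($raw -is [securestring]) { $raw = [Net.NetworkCredential]::new('', $raw).Password }  # newer Az returns SecureString
$claims = ConvertFrom-JwtPayload $raw
$claims | Select-Object aud, iss, appid, oid, `
    @{ n = 'expires'; e = { [DateTimeOffset]::FromUnixTimeSeconds($_.exp).UtcDateTime } }
```

The decoded claims show the three things a resource checks: `aud` (which API the token is for), `iss`/`tid` (which tenant issued it) and `oid`/`appid` (which principal it represents). Note that the token is only decoded here for inspection; the signature is what the resource validates, and that is not checked by this snippet.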

60
Q

what is the difference between a global identity and a managed identity in Entra ID? [2.9]

A

a global identity is the application object created when an application is registered in Entra ID; it lives in the home tenant and can be used (through per-tenant service principals) across multiple Entra ID tenants. a managed identity is a Microsoft-managed service principal created for an Azure resource and usable only from that resource

61
Q

what is the difference between an application and its associated service principal? [2.9]

A

an app registration creates the application object, the global identity for the app, in the tenant where it is registered. a service principal is the local identity of that app in a specific tenant: it is the object Entra ID authenticates, assigns roles and permissions to, and records consent for in that tenant. a multi-tenant app therefore has one application object in its home tenant and one service principal in every tenant that uses it

62
Q

where are service principals and registered applications stored? [2.9]

A

in the azure portal, service principals are found under enterprise applications in Entra ID, registered applications are found under the app registration blade

63
Q

what setting should you configure to restrict application registration to only administrative roles in entra id?

A

disabling the “users can register applications” setting in the Entra ID user settings restricts application registration to users holding specific administrative roles, such as application developer, cloud application administrator or application administrator

64
Q

can service principals be used outside of azure? [2.9]

A

yes, service principals can be used on non-azure resources such as on-prem servers or apps running on other cloud services like AWS. this allows them to access resources secured by entra id

65
Q

what roles can manage app registrations in entra id? [2.9]

A

(least to most privileged) application developer [can register applications and consent, on their own behalf, to delegated permissions for apps they own], cloud application administrator [can manage all application registrations and enterprise apps and grant tenant-wide consent for permissions other than Microsoft Graph/Entra ones], application administrator [all cloud application administrator permissions plus management of Application Proxy]

66
Q

what are managed identities in Azure, and why are they important? [2.10]

A

managed identities are azure identities that allow azure resources to authenticate and access other azure resources secured by Entra ID without needing to manage credentials

67
Q

what are the two types of managed identities in azure? [2.10]

A
1. system-assigned managed identity: tied to a single Azure resource and shares its lifecycle; when the resource is deleted, the identity is deleted as well
2. user-assigned managed identity: a standalone resource that can be associated with multiple Azure resources; its lifecycle is independent, so deleting a resource does not delete the identity

68
Q

in which scenarios is a user-assigned managed identity more ideal? [2.10]

A

when many instances must share one identity (e.g. a VM scale set or availability set) or when the identity and its role assignments must outlive the resource, since deleting the resource does not affect a user-assigned identity

69
Q

what are the minimum required roles to manage managed identities for VMs? [2.10]

A

system-assigned: create, update, delete: virtual machine contributor; read: reader
user-assigned: create: managed identity contributor; assign to a VM: virtual machine contributor + managed identity operator; read: reader on the resource group; remove from a VM: virtual machine contributor

70
Q

what role allows creating and assigning managed identities to virtual machines? [2.10]

A

creating a user-assigned managed identity: managed identity contributor role; assigning the identity to a VM: requires both virtual machine contributor and managed identity operator roles

71
Q

what makes azure arc resources special regarding managed identities? [2.10]

A

azure arc allows resources outside of azure (like on-premises servers or resources in other clouds) to authenticate with entra id using managed identities, enabling seamless management without needing to handle credentials

72
Q

can a single azure resource have both system-assigned and user-assigned managed identities? [2.10]

A

yes, an azure resource can have one system assigned managed identity and one OR many user-assigned managed identities simultaneously

73
Q

what powershell command would you use to remove a user-assigned managed identity from a VM? [2.10]

A

‘Update-AzVM’ with ‘-IdentityType’ set to ‘None’, specifying the VM and resource group. caveat: ‘None’ strips every identity from the VM. to drop the user-assigned identities while keeping a system-assigned one, use ‘-IdentityType SystemAssigned’; to drop one of several user-assigned identities, pass the ones to keep in ‘-IdentityId’
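Cards 66 to 73 end to end: enabling a system-assigned identity, creating and attaching a user-assigned one, granting it a narrowly scoped role, fetching a token from inside the VM without any credential, and removing the user-assigned identity without losing the system-assigned one. This is an added example, not part of the original deck; it assumes `Connect-AzAccount` with Virtual Machine Contributor plus Managed Identity Contributor/Operator on the resource group, and all names (resource group, VM, vault) are hypothetical.

```powershell
# Added example (not from the original deck): managed identities on a VM with Az PowerShell.
$rg = 'rg-app'; $vmName = 'vm-app01'; $location = 'westeurope'   # assumptions

# System-assigned: lifecycle tied to the VM (deleted with it).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# User-assigned: a standalone resource that can be shared by several VMs or a scale set.
$uai = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-app-keyvault' -Location $location
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm `
    -IdentityType 'SystemAssignedUserAssigned' -IdentityId $uai.Id | Out-Null

# Grant the identity only what it needs: a data-plane role on one vault, not Contributor on the RG.
$vault = Get-AzKeyVault -VaultName 'kv-app' -ResourceGroupName $rg
New-AzRoleAssignment -ObjectId $uai.PrincipalId `
    -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId

# ---- Runs inside the VM: no credentials, only the instance metadata endpoint (IMDS). ----
function Get-ImdsToken {
    param(
        [string]$Resource = 'https://vault.azure.net',
        [string]$ClientId            # client ID of a user-assigned identity; omit for system-assigned
    )
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           "?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
    if ($ClientId) { $uri += "&client_id=$ClientId" }
    # The Metadata header is mandatory; it is what stops SSRF-style requests without it from getting a token.
    (Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method Get).access_token
}
# $token = Get-ImdsToken -ClientId $uai.ClientId

# ---- Removal. -IdentityType None would strip ALL identities; keep the system-assigned one: ----
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
# With several user-assigned identities, pass the ones to keep in -IdentityId instead.
# Detaching does not delete the identity resource or its role assignments; clean up explicitly:
# Remove-AzRoleAssignment -ObjectId $uai.PrincipalId -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId
# Remove-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-app-keyvault'
```

Anything that can reach IMDS on the VM (any local process, or a web app with an SSRF bug that lets the attacker set headers) can obtain this token, so the role assignment on the identity is the real security boundary and should be as narrow as the workload allows.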

74
Q

what is azure ad b2b used for?[2.11]

A

azure ad b2b is designed for collaboration between organizations, allowing external identities such as partners and suppliers to access resources in your azure ad tenant as if they were internal users

75
Q

what is azure ad b2c designed for? [2.11]

A

azure ad b2c is designed for allowing consumers or customers to sign in to applications developed by a company, supporting external identities from various identity providers like google or facebook

76
Q

can external users invited via azure ad b2b use self-service sign-up? [2.11]

A

yes, external users can sign up via self-service, bringing their own identity from identity providers like Google or Facebook. however, self-service sign-up user flows only apply to applications you register in your tenant, not to Microsoft first-party apps

77
Q

what are the supported identity providers for azure ad b2b external identities? [2.11]

A

supported identity providers include other Azure AD/Entra tenants, Microsoft accounts, Google, Facebook, email one-time passcodes, and other SAML or WS-Fed identity providers

78
Q

what is azure ad b2b direct connect? [2.11]

A

azure ad b2b direct connect establishes a mutual, two-way trust between two Azure AD/Entra organizations so users collaborate without guest objects being created in the other tenant, but it is currently only available for Microsoft Teams shared channels

79
Q

what is the azure ad b2b multi-tenant feature used for? [2.11]

A

the azure ad b2b multi-tenant feature enables cross-tenant synchronization for managing collaboration between multiple azure ad tenants within the same organization

80
Q

how can you configure guest user access in azure ad? [2.11]

A

guest user access is configured under external collaboration settings, where you set the guest access level (such as limiting guests’ ability to enumerate other users or groups) and control who can invite guest users
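Cards 74, 77 and 80 in practice: inviting a B2B guest and tightening the external collaboration settings through the tenant authorization policy with Microsoft Graph PowerShell. This is an added example, not part of the original deck; it assumes `Connect-MgGraph` as a Global Administrator (the authorization policy requires it), the partner address and redirect URL are hypothetical, and the three role template IDs quoted in the comments are the documented guest permission templates and should be checked against Microsoft’s current documentation before use.

```powershell
# Added example (not from the original deck): B2B invitation + guest access hardening.
Connect-MgGraph -Scopes 'User.Invite.All','Policy.ReadWrite.Authorization' -NoWelcome

# Invite: the guest keeps their own identity (partner Entra tenant, Microsoft account,
# Google, or email one-time passcode); your tenant only stores a guest object pointing at it.
$invite = New-MgInvitation -InvitedUserEmailAddress 'alice@partner.example' `
    -InvitedUserDisplayName 'Alice (Partner Corp)' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage:$true
$invite.InvitedUser.Id        # object ID of the new guest (userType = Guest)

# Guest access level and who may invite are properties of the tenant authorization policy
# (shown in the portal as External collaboration settings).
$pol = Get-MgPolicyAuthorizationPolicy
[pscustomobject]@{
    GuestUserRoleId  = $pol.GuestUserRoleId   # permission template applied to guests
    AllowInvitesFrom = $pol.AllowInvitesFrom  # none | adminsAndGuestInviters | adminsGuestInvitersAndAllMembers | everyone
}

# Documented guest permission templates (verify against current docs):
#   a0b1b346-4d3e-4e8b-98f8-753987be4970  guests have the same access as members
#   10dae51f-b6af-4016-8d66-8c2a99b929b3  limited access (default): cannot enumerate users/groups
#   2af84b1e-32c8-42b7-82bc-daa82404023b  restricted: can only read their own user object
$restricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $restricted `
    -AllowInvitesFrom 'adminsAndGuestInviters'

# Verify the change landed before relying on it.
$after = Get-MgPolicyAuthorizationPolicy
if ($after.GuestUserRoleId -ne $restricted) { throw 'Guest role was not updated' }
$after | Select-Object GuestUserRoleId, AllowInvitesFrom
```

The restricted template stops a compromised guest from enumerating the directory for phishing targets or group names, which is the typical first step after a partner account is taken over; pair it with an access review so stale guests are removed.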

81
Q

what is required to configure google as an external identity provider in azure ad b2b? [2.11]

A

you need to register an application in the google developer console, obtain a client id and secret and add google as an identity provider in azure ad external identities settings

82
Q

what does the user flow in azure ad b2b enable? [2.11]

A

the user flow in azure ad b2b defines the process of self-service sign-up for external users, including which identity providers are used and which applications can be accessed

83
Q

how are azure ad b2b and azure ad b2c tenants different? [2.11]

A

azure ad b2b uses the same tenant as your employees, while azure ad b2c uses a separate, dedicated tenant. azure ad b2c cannot be used to manage Azure, Microsoft 365 or other apps secured by azure ad

84
Q

what is single-sign on and why is it important? [3.1]

A

SSO allows users to access both on-premises and cloud apps with a single set of credentials, centralizing identity management and improving security by eliminating the need for multiple logins (and the password reuse that comes with them)

85
Q

what is conditional access in entra id? [3.1]

A

conditional access allows administrators to enforce additional authentication based on user identity, device, location and other conditions during sign-in

86
Q

how can you enable multi factor authentication in the free version of entra id? [3.1]

A

in the free version, mfa can be enabled on a per-user basis using the legacy portal or powershell. microsoft also recommends using security defaults, a simplified way to enforce MFA

87
Q

what are security defaults in entra id? [3.1]

A

security defaults is a tenant-wide feature that enforces baseline security settings: MFA registration and enforcement for all users and administrators, and blocking of legacy (basic) authentication, i.e. clients speaking IMAP, POP3 or SMTP AUTH with only a username and password, which cannot satisfy an MFA challenge

88
Q

which privileged activities require MFA when security defaults are enabled? [3.1]

A

activities like accessing the azure portal, powershell and the azure CLI require MFA under security defaults

89
Q

what is the difference between MFA policies in entra id premium P1 and P2? [3.1]

A

P1 offers conditional MFA based on scenarios like user location or device. P2 adds risk-based policies which only trigger MFA when there’s a potential risk, reducing unnecessary prompts

90
Q

what is passwordless authentication and why is it recommended? [3.1]

A

passwordless authentication uses biometrics or devices (instead of passwords) for sign-in, reducing the risk of compromised credentials

91
Q

how does entra id analyze the risk of a sign-in event? [3.1]

A

entra id evaluates attributes of the sign-in such as location, IP address (anonymizer or malware-linked), device and other sign-in properties, together with whether the credentials are known to be leaked, to assign a risk level and enforce the configured response (MFA, password change or block)

92
Q

which legacy authentication protocols are blocked by security defaults? [3.1]

A

security defaults blocks basic (legacy) authentication used by older clients and protocols such as IMAP, POP3 and SMTP AUTH, which send only a username and password and cannot complete MFA; this is why they are the usual target of password-spray attacks

93
Q

how is per-user MFA configured using the legacy method? [3.1]

A

per-user mfa can be configured through a legacy azure portal or powershell, allowing administrators to enforce MFA individually for each user

94
Q

what is the recommended approach for break glass accounts when using security defaults? [3.1]

A

it’s recommended to use FIDO2 security keys for break glass accounts (backup admin accounts) when security defaults is enabled to avoid lockout situations

95
Q

what do conditional access policies in azure ad help with? [3.2]

A

provide greater flexibility in how users authenticate, allowing for additional security measures based on conditions like user location, device and group membership

96
Q

what point do conditional access policies apply during authentication? [3.2]

A

they apply after the first factor of authentication, typically a username and password

97
Q

how do conditional access policies work in azure ad? [3.2]

A

conditional access policies function like if-then statements. the “if” part is triggered by signals, such as user identity, location, device or application. the “then” part determines whether access is granted or blocked, and if granted, under what conditions (like requiring mfa or compliant devices)

98
Q

what are the licensing requirements for conditional access policies in azure ad? [3.2]

A

p1: enables basic conditional access policies based on user identity, device, location, and application
p2: [all of above] and adds risk-based policies that evaluate the risk level of sign-ins and provide adaptive security responses (like prompting mfa based on risk)

99
Q

which azure ad admin role can create conditional access policies? [3.2]

A

conditional access administrator or security admin roles

100
Q

why is it important to test conditional access policies in report-only mode before enabling them? [3.2]

A

it allows you to verify the policy’s behaviour without affecting users, ensuring that it works as intended before it’s fully enforced

101
Q

what should you do before enabling a conditional access policy for administrators? [3.2]

A

exclude break-glass admin accounts from the policy to ensure that access is still possible in emergency situations

102
Q

what is microsoft’s recommendation for MFA in high-value accounts? [3.2]

A

use stronger authentication methods like the microsoft authenticator app or fido2 security keys instead of sms-based mfa due to security risks like SIM swaps

103
Q

what kind of authentication does a policy blocking legacy authentication aim to prevent? [3.2]

A

it blocks basic (legacy) authentication by older clients and protocols like IMAP, POP3 and SMTP AUTH, which don’t support modern authentication and therefore bypass MFA entirely
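Cards 99 to 103 as one procedure: creating the “block legacy authentication” Conditional Access policy with Microsoft Graph PowerShell, in report-only mode, with the break-glass accounts excluded, and then checking every enabled policy for the same exclusion. This is an added example, not part of the original deck; it assumes `Connect-MgGraph` as a Conditional Access Administrator, and the break-glass account names are hypothetical.

```powershell
# Added example (not from the original deck): Conditional Access policy with break-glass exclusion.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All' -NoWelcome

# Resolve the break-glass accounts by UPN and refuse to continue if any lookup fails;
# a policy targeting "All users" with an empty exclusion list is exactly the lockout we want to avoid.
$breakGlassUpns = @('bg-admin01@contoso.onmicrosoft.com', 'bg-admin02@contoso.onmicrosoft.com')
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })
if ($breakGlassIds.Count -ne $breakGlassUpns.Count) { throw 'Break-glass lookup failed; not creating policy.' }

$policy = @{
    displayName = 'CA001: Block legacy authentication'
    # Report-only first: evaluate and log the outcome in the sign-in logs without enforcing it.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @('All') }
        # exchangeActiveSync + other = basic-auth clients (IMAP/POP3/SMTP AUTH, older Office).
        # 'browser' and 'mobileAppsAndDesktopClients' use modern auth and are not targeted.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read it back: every break-glass ID must be in the exclusion list before this is ever enforced.
$check   = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$missing = $breakGlassIds | Where-Object { $_ -notin $check.Conditions.Users.ExcludeUsers }
if ($missing) { throw "Break-glass accounts not excluded: $($missing -join ', ')" }

# Audit every other enabled or report-only policy for the same mistake.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -ne 'disabled') {
    $notExcluded = $breakGlassIds | Where-Object { $_ -notin $p.Conditions.Users.ExcludeUsers }
    if ($notExcluded) {
        Write-Warning "$($p.DisplayName): break-glass account(s) not excluded ($($notExcluded -join ', '))"
    }
}

# After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Leaving the break-glass accounts out of every Conditional Access policy only works if they are protected some other way (FIDO2 keys, a monitored sign-in alert), which is the recommendation in card 94.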

104
Q

how can named locations be used in conditional access policies? [3.2]

A

named locations allow policies to be applied or excluded based on specific geographic areas or IP ranges, helping enforce location-based access control

105
Q

what is the benefit of creating conditional access policies using templates? [3.2]

A

templates provide quick and efficient ways to create common policies, saving time and reducing the chances of configuration errors

106
Q

what are named locations, and why are they important in conditional access policies? [3.2]

A

named locations are defined geographical or IP-based areas that policies can use to either allow, relax, or deny access, such as blocking access from outside a specific country

107
Q

what is azure ad identity protection, and what does it detect? [3.3]

A

tool that automates the detection and remediation of identity-based risks. it also provides reporting in the azure portal and allows data export to external services. it detects two types of risks: user risk - the probability that an identity has been compromised and is no longer under the user’s control; sign-in risk – the probability that a sign-in is compromised, not performed by the legitimate user. sign-in risks can be detected in real-time or aggregated after the sign-in

108
Q

what factors can contribute to a high-risk sign-in? [3.3]

A

factors contributing to a high-risk sign-in include: impossible travel for login based on location, IP addresses linked to malware, use of anonymous access, unfamiliar sign-in properties (such as new operating systems), leaked or weak credentials

109
Q

how does microsoft assess high-risk sign-in? [3.3]

A

by combining signals from other Azure AD/Entra customers, Microsoft consumer services like outlook.com and Xbox, and machine learning algorithms trained on that telemetry

110
Q

what are the three main benefits of azure ad identity protection? [3.3]

A
1. usability and security balance: it doesn’t challenge every sign-in with MFA, only risky users or sign-ins
2. self-remediation: it lets users remediate their own passwords or identities, reducing response times
3. reduced IT workload: it lowers the burden on help desks and security teams by reducing the volume of events they need to handle

111
Q

what are the requirements to configure azure ad identity protection? [3.3]

A

to configure azure ad identity protection, you need an azure ad premium p2 license, either the conditional access admin or security admin role, and recommended to use a test user account and enable policies in report only mode before fully activating them

112
Q

how does azure ad password protection enhance password security? [3.3]

A

detects and blocks weak passwords, preventing users from using passwords from a globally banned list. also supports custom banned password lists based on an organization’s needs. this ensures that password policies are enforced when users change or reset passwords both in the cloud and in hybrid environments where on-prem password changes occur.

113
Q

what is the difference between the global and custom banned password lists in azure ad password protection? [3.3]

A

global banned password list; automatically applied to all users in an azure ad tenant and includes weak passwords detected by azure ad security telemetry. this is included with all azure ad editions, even the free version / custom banned password list; organization can create custom lists of banned passwords, but this feature requires an azure ad premium p1 license

114
Q

what are the steps and requirements to implement azure ad password protection in a hybrid environment? [3.3]

A
  1. install agents; install two agents on each on-prem domain controller in active directory domain services (ad ds)
  2. policy synchronization; the password protection policies used in azure ad will also be enforced on-prem
  3. licensing and roles; custom banned password lists require a p1 license. you also need the security admin role in azure and domain admin privileges in ad ds
  4. use a test user account to configure policies in “report only” mode before enforcing them
115
Q

what tools and methods are used to simulate and investigate identity risks in azure ad? [3.3]

A

simulation of risks can be done using a VPN and tools like the TOR browser to create risky sign-ins. to investigate risks, admins can:
  1. review reports; navigate to azure ad > security > identity protection > risky users or risky sign-ins to see flagged activities
  2. configure alerts; alerts can be set up to notify global admins, security admins, and other relevant roles when risky sign-ins or users are detected

116
Q

what is the primary benefit of enabling single sign-on (sso) in a hybrid identity environment? [3.4]

A

enabling single sign-on allows users to use the same identity and credentials across both on-premises active directory domain services (ad ds), azure ad, and any applications published in azure ad. this centralizes identity management, simplifying authentication and enhancing security

117
Q

what are the two methods for synchronizing identities between active directory domain services and azure active directory? [3.4]

A
  1. active directory connect sync (legacy method): requires a server that’s part of the ad ds domain (cannot be a domain controller) and a database
  2. active directory connect cloud sync (recommended method): uses a provisioning agent and can deploy multiple agents for high availability
118
Q

why is azure ad unable to read passwords directly from active directory? [3.4]

A

active directory stores passwords as one-way hashes, meaning azure ad cannot read them. to authenticate users, azure ad must verify a hash of the password or hand off the responsibility back to on-premises

119
Q

what are the three authentication options available for hybrid identity, and what is unique about each? [3.4]

A
  1. password hash synchronization: sends a hash of the password to azure ad for password verification
  2. pass-through authentication: azure ad uses agents to verify passwords directly against ad ds domain controllers
  3. federation: involves setting up ad federation services (ad fs) and having azure ad hand off authentication to on-premises systems
120
Q

what is an advantage of using password hash synchronization? [3.4]

A

it provides business continuity in case of on-premises network/server failure and allows azure ad identity protection to analyze passwords for leaked credentials and apply smart lockout

121
Q

why might password hash synchronization not enforce all active directory domain services account restrictions? [3.4]

A

since password hash synchronization does not communicate with ad ds during authentication, account restrictions like logon hours are not applied by azure ad

122
Q

what are the benefits of using pass-through authentication for hybrid identity? [3.4]

A

pass-through authentication validates user passwords directly against on-premises ad ds domain controllers, enforcing ad ds account restrictions, such as logon hours and account lockout policies

123
Q

what is the main disadvantage of pass-through authentication? [3.4]

A

it is not currently supported by azure ad connect cloud sync, limiting its flexibility in certain cloud-centric environments

124
Q

why is federation the least recommended authentication method by microsoft? [3.4]

A

federation is complex, requires at least four additional servers for high availability, and relies heavily on the on-premises ad fs servers for authentication. it’s also being deprecated in favour of password hash synchronization

125
Q

what additional functionality does password writeback enable when using azure ad connect? [3.4]

A

password writeback allows for password updates to be reflected in active directory domain services from azure ad, enabling self-service password reset (SSPR) and compliance with on-premises password policies

126
Q

what license is required to implement password writeback from azure ad to ad ds? [3.4]

A

azure ad premium p1 is required for password writeback and self-service password reset (SSPR) functionality

127
Q

what are the system requirements for the server that will run the azure ad connect cloud sync agent? [3.4]

A

the server needs to be running windows server 2016 or later, have at least 4 gb of memory and .NET framework 4.7.1 or later installed

128
Q

why should you deploy multiple provisioning agents when using azure ad connect cloud sync? [3.4]

A

multiple provisioning agents should be deployed to ensure high availability and avoid single points of failure in the hybrid identity setup

129
Q

why should azure ad connect sync not be installed on a domain controller? [3.4]

A

security and isolation: running azure ad connect sync on a DC could expose sensitive data and increase the risk of security issues; performance: both services are resource-intensive and running them on the same server could impact performance; role conflicts: azure ad connect sync requires high privileges, which can conflict with the role of the DC; best practices: microsoft recommends separating critical services for better manageability and reduced complexity

130
Q

what is the benefit of passwordless authentication in Azure AD? [3.6]

A

provides multiple factors of authentication without using passwords, increasing both security and user convenience. methods like biometrics, device authentication (windows hello for business) and hardware security keys (fido2) are used instead of traditional passwords

131
Q

how does windows hello for business work for passwordless authentication? [3.6]

A

windows hello for business allows users to log in with a pin or biometric authentication (like fingerprint or facial recognition) on a windows 10 or later device. the device completes a handshake with azure ad using public key infrastructure (PKI), without sending passwords

132
Q

what is the role of the trusted platform module (TPM) in passwordless authentication with windows hello for business? [3.6]

A

the trusted platform module (TPM) securely stores keys on the device, ensuring that the device is authenticated, alongside the user, during sign-in. the process uses public key infrastructure (PKI) without sending the actual password

133
Q

what is the function of the microsoft authenticator app in passwordless authentication? [3.6]

A

microsoft authenticator turns an iOS or android phone into a passwordless credential. users sign in by responding to a push notification and providing proof of presence, such as biometrics, to authenticate without a password

134
Q

when would you use a fido2 security key for passwordless authentication in azure ad? [3.6]

A

fido2 security keys are suitable for shared machines (e.g. help desks or call centers), restricted environments where phones are not allowed, or highly privileged accounts, such as global admins

135
Q

what is the temporary access pass in azure ad, and when is it used? [3.6]

A

a temporary access pass is a time-limited, one-time-use pass that allows users to register or recover their passwordless credentials. it is useful when setting up passwordless authentication for new users or devices

136
Q

what are the requirements to configure passwordless authentication in azure ad? [3.6]

A

the azure ad authentication policy admin role is required to configure passwordless authentication. additional requirements depend on the method chosen, such as joining devices to azure ad or registering with mobile authenticator

137
Q

what are the use cases for microsoft authenticator in passwordless authentication? [3.6]

A

ideal for users on non-windows devices, those working remotely, or in bring-your-own-device (BYOD) environments. it allows passwordless login through push notifications on mobile phones

138
Q

what are the benefits of using fido2 security keys over other passwordless methods? [3.6]

A

fido2 security keys are secure, don’t require mobile phones, and can be used in restricted areas or for privileged accounts like administrators. they use public key cryptography to authenticate users without transmitting passwords

139
Q

what is the core concept behind decentralized identities? [3.7]

A

give users control over their own identity, taking it away from traditional identity providers. users can store their verifiable credentials in a digital wallet and share them with verifiers, without needing usernames, passwords or personal documents

140
Q

what are the three main components of a decentralized identity system? [3.7]

A
  1. issuer; issues digitally signed credentials to users and validates them
  2. holder; stores credentials in a digital wallet and shares them when needed
  3. verifier; confirms the user’s identity based on the presented credentials without needing access to usernames or PII (personally identifiable information)
141
Q

what are some advantages of decentralized identity over traditional identity management? [3.7]

A

users have full control over their identity and credentials, preventing third-party identity providers from sharing personal data without consent. users can also revoke access to their identity at any time

142
Q

what is microsoft entra verified id and how does it work in azure? [3.7]

A

decentralized identity solution that allows an azure ad tenant to issue and verify verifiable credentials. it enables organizations to create customized credentials for users, who can store them in their digital wallets (e.g. microsoft authenticator)

143
Q

what azure resources are required to set up microsoft entra verified id for issuing verifiable credentials? [3.7]

A
  1. an azure subscription
  2. azure key vault for securely storing the public/private keys used for credential signing
  3. (optional) azure storage for storing files used to build credentials
  4. azure web app and dns records to validate domain ownership
  5. service principals to allow verified id access to key vault
144
Q

what are the necessary privileges for setting up microsoft entra verified id? [3.7]

A

global admin or authentication policy admin for directory configuration / application admin for app registration and admin consent / contributor role for azure subscription or resource group to deploy key vault

145
Q

what are the key steps in configuring microsoft entra verified id in azure? [3.7]

A
  1. create a key vault to store credential keys
  2. set up verified id in the azure portal, defining organizational settings and verifying domain ownership
  3. register a decentralized identity and verify domain ownership via JSON file hosting
  4. create a verifiable credential (e.g. employee card) and issue it using a web app
146
Q

how does the microsoft authenticator app fit into the decentralized identity model with microsoft entra verified id? [3.7]

A

the microsoft authenticator app serves as the digital wallet where users store and manage their verified credentials. it allows users to scan QR codes to add new credentials and present them to verifiers

147
Q

what roles and permissions are needed for managing azure key vault when using microsoft entra verified identity? [3.7]

A
  1. the contributor role in the azure subscription or resource group for key vault management
  2. an access policy must be configured to allow signing and key management permissions
148
Q

what are the default permissions in an azure ad tenant and how do they differ from azure subscription permissions? [4.1]

A

in an azure ad tenant, all users have default permissions, which allow them to perform tasks like listing users and creating groups. these default permissions can be adjusted tenant-wide. in contrast, there are no default permissions for users in an azure subscription; any access to an azure subscription must be explicitly granted

149
Q

what are the two components of access management in azure? [4.1]

A
  1. scope (where): this refers to the location where the access is granted (e.g. azure ad tenant, azure subscriptions)
  2. actions (what): this specifies the level or type of access a user has at a given scope, such as create, read, update or delete actions
150
Q

how are permissions combined when a user is assigned multiple roles? [4.1]

A

permissions are additive when multiple roles are assigned. this means that each new role adds any missing permissions to the user. for instance, if a user has read and write access, and you assign them a role with only read access, their permissions remain unchanged

151
Q

what is a role assignment in azure? [4.1]

A

a role assignment in azure involves assigning a user or group to a specific role at a defined scope. it includes three elements:
a. role definition: defines the actions that can be performed
b. scope: defines where those actions can be performed
c. user or group: specifies who can perform those actions

152
Q

describe the azure mgmt hierarchy? [4.1]

A

a. top level: azure ad tenant: roles like global admin or application admin can be scoped here to manage objects like applications, users, and groups
b. applications registrations: roles here are limited to managing applications
c. administrative units: these units group users, groups and devices, allowing management through specific roles like helpdesk admin or groups admin.
d. mgmt group: located under the azure ad tenant, mgmt groups group subscriptions for policy and permission assignment. the root mgmt group is at the top, and subscriptions can be grouped under various mgmt groups
e. resource groups and resources: resources within a subscription are grouped into resource groups, and permissions can be scoped to either resource groups or individual resources

153
Q

what are the key roles and scopes within the azure mgmt hierarchy? [4.1]

A

azure ad roles: scoped to azure ad tenant, application registrations, or administrative units. examples include global admin and application developer
azure rbac roles (azure roles): scoped to mgmt groups, subscriptions, resource groups or individual resources. examples include owner, contributor, and reader roles.
azure rbac roles do not grant access to manage azure ad resources, and vice versa for azure ad roles

154
Q

what is the purpose of administrative units in azure ad? [4.1]

A

containers used to delegate administrative access to a specific scope of users, groups or devices. they help manage administrative tasks without giving broader tenant-level permissions.
require an azure ad p1 license for each admin. cannot be nested. adding a group to an administrative unit does not automatically give access to all group members; they must also be added individually

155
Q

what is the process of elevating access for a global admin in azure? [4.1]

A

to manage the root mgmt group and other mgmt groups in azure, a global admin must elevate their access by: navigating to azure ad and selecting properties > enabling “access mgmt for azure resources” and saving the changes > the global admin is then granted the “user access admin” role above the root mgmt group. this process should be used sparingly, primarily for correcting permissions issues or setting up the mgmt hierarchy.

156
Q

what is the basic naming convention for azure ad roles? [4.2]

A

azure ad roles follow the naming convention of job function and access level. job function can be something like helpdesk, applications or global roles like security or compliance. access levels include administrator, developer, operator, or reader, with administrator granting the highest privileges and reader the least

157
Q

what is the difference between privileged and non-privileged roles in azure ad? [4.2]

A

privileged roles, such as privileged authentication administrator or privileged role administrator, can modify settings that affect higher-privileged roles like global administrator. non-privileged roles have more limited capabilities and cannot modify these higher-level roles

158
Q

what are the four main types of azure roles (rbac)? [4.2]

A
  1. privileged administrator roles (e.g. owner, contributor)
  2. job function roles (e.g. VM contributor)
  3. custom roles (created to provide granular access)
  4. classic subscription administrator roles (e.g. account administrator, service administrator, co-administrator)
159
Q

what is the key difference between azure control plane and data plane roles? [4.2]

A

control or management plane roles allow the management of azure resources, such as assigning roles or configuring services. data plane roles provide access to the data stored within these resources, such as the ability to read or modify data in a storage account

160
Q

how do control plane role names differ from data plane role names in azure? [4.2]

A

control plane roles use a broad naming convention of resource + access level (e.g. VM contributor). data plane roles include the term “data” and often specify a sub-resource (e.g. storage blob data contributor)

161
Q

what are role-assignable groups in azure ad, and how do they work? [4.2]

A

role-assignable groups in azure ad allow you to assign roles to groups of users rather than individuals, reducing administrative overhead. these groups must be configured as role-assignable at creation and cannot be modified later. only global administrators or privileged role administrators can create them

162
Q

what is required to create a role-assignable group in azure ad? [4.2]

A

at least an azure ad p1 license is required to configure role-assignable groups. membership in the group must be assigned (dynamic groups are not supported), and only global administrators or privileged role administrators can create these groups

163
Q

what roles are required to assign azure ad and azure rbac roles? [4.2]

A

to assign azure ad roles, you need at least the privileged role administrator role. to assign azure rbac roles, you need at least the user access administrator role at the relevant scope

164
Q

what is the difference between the storage account contributor role and the storage blob data contributor role? [4.2]

A

the storage account contributor role provides access to manage the storage account but does not grant data plane permissions by default. the storage blob data contributor role, however, provides data plane access, allowing the user to read and write to blob storage

165
Q

what is a role definition in azure ad? [4.3]

A

a role definition, sometimes referred to as role, is a collection of permissions. it consists of a name, an optional description, and a list of allowed actions (permissions). any actions not explicitly allowed are denied by default

166
Q

how are actions formatted in azure ad roles? [4.3]

A

actions in azure ad roles follow this format:
1. type – currently, only the “microsoft.directory” type is used
2. subtype – e.g. “users” or “applications”
3. property set (optional) – a group of permissions that can be edited together, like contact info for a user
4. permission – the specific action, like “create”, “read”, “update” or “delete”

167
Q

what are the scopes in azure ad role assignments? [4.3]

A

azure ad role assignments can be assigned to three scopes:
1. the tenant itself
2. administrative units
3. applications

a single role can be assigned to one or more scopes

168
Q

what are control plane and data plane actions in azure roles? [4.3]

A

control plane actions manage resources like creating a storage account / data plane actions manage access to the data within those resources, like reading data from a storage account. you can define both allowed actions and not actions as exclusions to allowed actions in both planes

169
Q

what is the difference between “not actions” and “deny assignments” in azure roles? [4.3]

A

“not actions” in azure roles are exclusions from allowed actions, but they are not deny assignments. if another overlapping role allows the action listed as a “not action”, the user will still be able to perform that action because all actions are additive

170
Q

what is required to create custom azure ad roles? [4.3]

A

azure ad p1/p2 for every user with a custom role assignment & the necessary privileges, such as the privileged role administrator or global administrator role

171
Q

what is an assignable scope in azure RBAC? [4.3]

A

assignable scopes in azure rbac specify where a role can be assigned. they can include management groups, subscriptions, or resource groups. roles can be assigned to specific resources, but the assignable scope must be higher in the resource hierarchy, like a resource group or subscription

172
Q

why are permanent privileges a security problem in azure ad and azure resources? [4.4]

A

permanent privileges pose a security risk because if an attacker gains unauthorized access to a system using a privileged account, it could lead to a major breach. the credentials for a privileged account are often the target of cyberattacks, making it safer to use just-in-time (jit) access to reduce exposure

173
Q

what is just-in-time access in the context of azure ad privileged identity management (pim)? [4.4]

A

jit access is a security measure where users are granted access to privileged roles only when needed, for a limited time. this reduces the risk of unauthorized access by ensuring privileges are only activated when necessary

174
Q

what key features does azure ad PIM offer to improve security? [4.4]

A

PIM allows for JIT access to roles, time bound assignments, role activation with approval, justification and MFA, role auditing and access reviews, email notifications for role usage and auditing

175
Q

what are the two types of role assignments in PIM and how do they differ? [4.4]

A

active assignment: privileges are assigned and ready to use at all times. no role activation is required
eligible assignment: users must activate the role when needed. once activated, the role is available for a limited time, typically up to 24 hours by default

176
Q

what are some actions required before activating an eligible role in PIM? [4.4]

A

a user may be required to: perform MFA, provide a business justification, get approval from designated approvers

177
Q

can service principals be assigned as eligible to azure ad roles in PIM? why or why not? [4.4]

A

no, service principals cannot be assigned as eligible for azure ad roles in PIM because they do not have a mechanism to request approval for role activation

178
Q

what are the licensing requirements for using PIM in azure ad? [4.4]

A

pim requires a p2 license for anyone assigned to a role or anyone who can approve/reject role activation requests. the user setting up PIM, however, does not require a P2 license

179
Q

who can manage azure ad role assignments in PIM? [4.4]

A

only users with the privileged role administrator or global administrator roles can manage assignments for other administrators. global admins, security admins, global readers and security readers can view azure ad role assignments in PIM

180
Q

who can manage azure resource role assignments in PIM? [4.4]

A

for azure resources, only an owner or user access admin can manage assignments. global admins in azure ad do not have default access to manage azure resource roles but can elevate their access to do so

181
Q

what happens once you manage an azure resource with PIM? [4.4]

A

once an azure resource (like a management group, subscription, or resource group) is managed by PIM, it cannot be unmanaged, so caution should be taken when enabling PIM in production environments

182
Q

what role configuration settings are available in PIM? [4.4]

A

role activation duration, MFA requirements, justification and IT ticket requirements, approval requests, email notifications for role usage and auditing

183
Q

what is a privilege sprawl, and why is it important to manage within an organization? [4.5]

A

privilege sprawl occurs when users accumulate excessive privileges over time, often as they move between roles or gain temporary access for projects. this leads to security risks because individuals may retain unnecessary access to sensitive systems or data, violating the principle of least privilege. managing privilege sprawl is crucial for maintaining a secure environment, reducing the attack surface and ensuring compliance with regulations. regular access reviews and tools like PIM help prevent privilege sprawl by identifying and removing unnecessary permissions

184
Q

how do access reviews help address privilege sprawl, and what are the typical types of access reviews in azure ad? [4.5]

A

access reviews are a mechanism to periodically evaluate and adjust user access to ensure it aligns with current job responsibilities. they help mitigate privilege sprawl by identifying unnecessary or outdated permissions and ensuring compliance with the least privilege principle.

in azure ad typical access reviews include:
- group membership: reviewing whether users still need access to specific security or ms 365 groups.
- application access: verifying if users still require access to applications secured by azure ad
- role assignments: reviewing azure ad or azure resource role assignments, such as global admin or other privileged roles

reviews can be initiated manually or scheduled to recur, and recommendations (like denying access for users inactive for 30 days) can help streamline decisions

185
Q

what are the main steps involved in creating an access review for azure ad roles using PIM? [4.5]

A
  • navigate to entra or azure portal: go to identity governance in ms entra or PIM in azure
  • select roles: under pim, choose azure ad roles or azure resource roles depending on the scope
  • start a new review: click new to initiate a review
  • define review parameters: set a name, start date, recurrence, and roles to include
  • select reviewers: assign a group or individuals responsible for the review
  • configure completion settings: decide if pim should automatically apply results, such as removing inactive users, or if changes should be manual
  • launch the review: once configured, start the review, and the assigned reviewers will receive notifications to complete it
186
Q

what are the licensing requirements for setting up and conducting access reviews in azure ad, and what roles are required to initiate them? [4.5]

A

licensing: access reviews require azure ad p2 licenses for all users involved in the review process, including those being reviewed and the reviewers. for reviews involving service principals, an entra workloads identities premium plan is also required.
roles required: to create access reviews for azure ad roles, you need to have the PIM role admin or global admin role. to create reviews for azure resources, you need the owner or user access admin role for these resources

187
Q

how do automatic and manual actions work in access reviews, and when should you choose one over the other? [4.5]

A

automatic actions: once the review is completed, azure ad can automatically apply the results, such as removing users who no longer need access. this is useful for maintaining an up-to-date security posture without manual intervention and is ideal for routine reviews where the risk of incorrect removal is low
manual actions: after the review, administrators manually apply the changes based on the reviewers’ decisions. this is better suited for critical roles where more oversight is needed before making changes, ensuring the right users retain their access

188
Q

what are the two types of application permissions in azure ad and how do they differ? [4.6]

A

application permissions: allow an application to access azure ad secured resources directly, often without user interaction
delegated permissions: allow an application to access resources on behalf of a user. the application only has access to the resources that the user can access, acting with the user’s privileges

189
Q

how does delegated access work for applications in azure ad, and what limits are placed on it? [4.6]

A

delegated access allows an application to access resources on behalf of a user, meaning the application’s access is limited to the permissions that the user has. the application can only perform actions the user could perform, and this access is provided through user or admin consent. the application’s permissions are a combination of the user’s permissions and the specific permissions requested by the application

190
Q

what is the difference between static and dynamic consent in azure ad? [4.6]

A

static consent: means the list of permissions required by the application is predefined and listed in the application registration. users are prompted to consent to these permissions the first time they sign in
dynamic consent: allows an application to request permissions incrementally. the application might start by requesting minimal permissions and can later request additional permissions as needed

191
Q

what are user consent and admin consent, and how do they function in azure ad? [4.6]

A

user consent: allows a user to authorize an application to access specific data they have access to when signing into the application for the first time. this can be static or dynamic.
admin consent: allows an administrator to authorize an application on behalf of multiple users, usually for an entire org. admin consent is necessary for permissions that require higher-level access, such as certain microsoft graph permissions

192
Q

what role is the least privileged one that can grant admin consent to microsoft graph permissions? [4.6]

A

the least privileged role that can grant admin consent to microsoft graph permissions is the privileged role administrator. for other delegated permissions outside of microsoft graph, the least privileged role is the cloud application administrator.

193
Q

what are scopes in context of application permissions in azure ad? [4.6]

A

scopes are bundles of privileges or permissions an application can request to access azure ad secured resources. when a user or admin grants consent, they are granting the application the ability to act within those specified scopes, limiting what the application can do with the user’s or organization’s data

194
Q

what is the significance of the “maintain access to data you have given access to” consent option? [4.6]

A

this option appears because azure ad provides a refresh token to the application, allowing it to maintain access to the user’s data even after the user logs out. this is commonly seen when applications request ongoing access to resources without requiring the user to be actively signed in.

195
Q

how is a service principal involved in application authorization? [4.6]

A

when an application is registered in azure ad, a service principal is created, representing the app. permissions are then granted to this service principal to access resources or APIs. this enables non-interactive applications to authenticate and perform actions securely

196
Q

what happens if a user attempts to sign into an app that requires admin consent? [4.6]

A

if an app requires admin consent and the user doesn’t have the permissions to provide it, they will be shown an “admin required consent” screen. depending on settings, the user may request admin consent or the admin can approve it through the azure ad portal

197
Q

what are permission scopes in azure ad? [4.6]

A

scopes are predefined bundles of permissions that an application can request when acting on behalf of a user. even if a user has higher-level permissions, the application can only access what is explicitly consented to by the user through these scopes

198
Q

what protections are in place to prevent users from granting overly broad permissions? [4.6]

A

certain high-privilege or broad permissions can only be granted by administrators through admin consent, preventing regular users from accidentally giving applications too much access to sensitive data

199
Q

how can user consent be managed in azure ad? [4.6]

A

in azure ad, user consent can be configured or restricted via the enterprise applications section, under consent and permissions. administrators can enable or disable user consent, set who can review admin consent requests, and use permission classifications to granularly control which permissions users can consent to

200
Q

what is the difference between registering an application and granting permissions? [4.6]

A

registering an application creates a service principal in azure ad, which identifies the app. granting permissions is a separate step where the application is given the necessary scopes (permissions) to interact with azure ad-secured resources

201
Q

how does delegated access impact an application’s actions? [4.6]

A

an application with delegated access can only perform actions that the user it is acting on behalf of can perform. for instance, if a user has read access to emails but no admin privileges, the application will only be able to read the user’s emails, even if broader access is requested