Manage identities and governance in Azure Flashcards
What cloud service model does Microsoft Entra ID fall under?
Platform as a service (PaaS)
What is the function of Microsoft Entra ID?
Microsoft-managed directory service in the cloud.
What are the advantages of Microsoft Entra ID compared to AD DS?
MFA, SSO, identity protection, and self-service password reset.
How does Microsoft Entra ID differ from AD DS?
Focused on providing IAM services to web-based apps, unlike AD DS, which is more focused on on-premises apps.
What is an Entra ID domain referred to as?
A tenant.
Are organizations able to create multiple Entra ID tenants under a single subscription?
Yes.
Must an Azure subscription be associated with an Entra tenant?
Yes; Every Azure subscription must be associated with only one Microsoft Entra tenant.
Can a single Entra tenant be associated with multiple Azure subscriptions?
Yes; Allows you to use the same users, groups, and applications to manage resources across multiple Azure subscriptions.
Does an Entra tenant have a DNS name?
Yes; Each Microsoft Entra tenant is assigned the default DNS name, consisting of a unique prefix.
What is the prefix of an Entra tenant DNS name?
The prefix is the name derived from the Microsoft account used to create an Azure subscription or provided explicitly when creating an Entra tenant.
What is the full DNS naming convention of an Entra tenant?
“prefix.onmicrosoft.com”
What is the purpose of Entra ID?
Acts as a security boundary and a container for Microsoft Entra objects such as users, groups, and applications.
Describe the structure of Entra ID
Users and groups are created in a flat structure, not a hierarchy, and there are no OUs or GPOs.
What protocol(s) does Entra ID use for communication and authentication/authorization?
HTTP/HTTPS via SAML, OAuth, etc.
How is the Entra ID directory service queried?
Uses the REST API over HTTP and HTTPS instead of LDAP(S).
Aside from the free instances of Entra ID that come with O365, what are the two versions of Entra ID?
Microsoft Entra ID P1 or P2
What are the two ways an organization can implement an Entra ID license?
You can procure it as an extra license or as a part of the Microsoft Enterprise Mobility + Security.
Define ‘Microsoft Identity Manager (MIM)’
Hybrid identity solution; Can bridge on-premises authentication stores such as AD DS, LDAP, Oracle, etc., with Microsoft Entra ID.
How does Entra ID P2 differ from P1?
- Microsoft Entra ID Protection
- Microsoft Entra Privileged Identity Management
What SLA does Microsoft guarantee for Entra ID?
Guaranteed at least 99.9% availability.
Define ‘Microsoft Entra ID Protection’
Provides enhanced functionalities for monitoring and protecting user accounts; Define user risk policies and sign-in policies.
Define ‘Microsoft Entra Privileged Identity Management’
Lets you configure additional security levels for privileged users such as administrators.
What are the 3 types of supported user accounts in Entra ID?
- Cloud identity
- Directory-synchronized identity
- Guest user
Define a ‘Cloud identity’ user account type
A user account defined only in Microsoft Entra ID.
Define a ‘Directory-synchronized identity’ user account type
User accounts that are initially defined in an on-premises Active Directory synchronized through Entra Connect.
Define a ‘Guest user’ account type
Defined outside Azure.
What is the purpose of a guest user?
Useful when external vendors or contractors need access to your Azure resources.
Where is info and settings that describe a user stored?
In the user account profile.
What are the two types of groups used to organize user accounts?
- Security groups
- Microsoft 365 groups
Define a ‘Microsoft 365 group’
Provide collaboration opportunities; Access to a shared mailbox, calendar, files, SharePoint site, and more.
Describe a ‘Security group’ and its purpose
Used to manage access to resources based on user/device membership.
What is best practice for configuring user access to resources?
Use security groups to set permissions for all group members at the same time, rather than adding permissions to each member individually.
What is best practice for configuring guest access to resources?
Add Microsoft 365 groups to enable group access for guest users.
What are the 3 access designation methods that can be used to determine user/device group membership?
- Assigned
- Dynamic user
- Dynamic device
Define an ‘assigned’ access right
Members of a group must be assigned manually.
Define a ‘dynamic user’ access right
Dynamic membership rules automatically add and remove group members based on user attributes.
Define a ‘dynamic device’ access right
Dynamic membership rules automatically add and remove group member devices based on user attributes.
Can a dynamic device membership rule be applied to a Microsoft 365 group?
No; Security groups only.
What is the purpose of an administrative unit?
For the division of roles and responsibilities.
Define a ‘region’
A geographical area on the planet containing at least one, but potentially multiple datacenters.
How many Azure regions are there?
Over 60
What is Azure’s preferred distance between region pairs?
At least 300 miles.
What Azure services don’t require a region/location?
Microsoft Entra ID, Microsoft Azure Traffic Manager, and Azure DNS.
When deploying a service, what is to be considered when selecting a region?
Some services or Azure Virtual Machines features are available only in certain regions.
Define an ‘Azure subscription’
A logical unit of Azure services that’s linked to an Azure account.
Can subscriptions have different billing and payment configurations?
Yes.
Can multiple Azure accounts be linked to the same subscription?
Yes.
What are the 3 ways to procure an Azure subscription?
- Enterprise agreement (EA)
- Microsoft reseller
- Microsoft partner
What are the most common subscription types?
Free, Pay-As-You-Go, Enterprise Agreement, and Student.
Define an ‘Enterprise agreement’
Suited for large organizations; Provides flexibility to buy cloud services and software licenses under one agreement; Comes with discounts and Software Assurance.
What does a resource tag consist of?
Each resource tag has a name and a value.
What is the max number of tags a resource/resource group can have?
Maximum of 50 tag name/value pairs.
Are tags applied to a resource group inherited by the resources in the group?
No.
Define ‘Azure Policy’
Service in Azure that enables you to create, assign, and manage policies to control or audit your resources.
What is the purpose of Azure Policy?
Enforce different rules over your resource configurations so the configurations stay compliant with corporate standards and SLAs.
What is the purpose of an Azure management group?
Provide a governance scope above subscriptions; Manage access, policy, and compliance across your subscriptions.
When a new subscription is procured, where is it logically located?
By default, all new subscriptions are allocated to the root management group.
Are policies inherited within a management group?
Yes; All subscriptions within a management group automatically inherit the conditions applied to that management group.
Is a management group hierarchical?
Yes; A management group tree can support up to six levels of depth.
How are management groups identified?
A management group has a directory unique identifier (ID) and a display name.
Can the UID for a management group be changed?
No.
Can Azure Policy perform remediation?
Yes; Conduct real-time remediation, and remediation on your existing resources.
Define a ‘policy definition’
The compliance conditions for a resource, and the actions to complete when the conditions are met.
Define an ‘initiative definition’
A set of policy definitions that help you track your resource compliance state to meet a larger goal.
What are the 3 steps to create an Azure policy?
- Create policy definitions
- Create an initiative definition
- Define the scope of initiative definition
What are the two policy definition offerings?
- built-in policy definitions
- new/created policy definitions
To satisfy the finance team’s request for billing by department, multiple resource groups have been created and the resource tags applied. What’s the next step?
Create an Azure policy; An Azure policy requires that a resource tag is applied before the resource is created.
Define a ‘Security principal’
An object that requests access to resources; User, group, service principal.
Define a ‘Role definition’
A set of permissions that lists the allowed operations; Reader, Contributor, Owner, User Access Administrator.
Define an ‘RBAC scope’
The boundary for the requested level of access, or “how much” access is granted; Management group, subscription, resource group, resource.
What does a ‘role definition’ consist of?
Sets of permissions that are defined in a JSON file; Each permission set has its own name.
What does an asterisk in a role definition JSON file represent?
The asterisk “*” wildcard means “all” permissions.
What built-in role has the highest level of access in Azure?
Owner
In a role definition JSON file, how are effective permissions determined?
The system subtracts NotActions permissions from Actions permissions.
In a role definition JSON file, what permission set determines granted access?
Actions.
In a role definition JSON file, what permission set determines denied access?
NotActions.
In a role definition JSON file, what permission set defines the scope, i.e. where the role definition is applied?
The AssignableScopes permission set; Can be management groups, subscriptions, resource groups, or resources.
Define ‘role assignment’
The process of scoping a role definition to limit permissions for a requestor, such as a user, group, service principal, or managed identity.
Define ‘Microsoft Entra admin roles’
Used to manage resources in Microsoft Entra ID, such as users, groups, and domains.
Define ‘Azure RBAC roles’
Provide more granular access management for Azure resources.
Define the Contributor RBAC role
The Contributor role can create and manage all types of Azure resources. This role can’t grant access to others.
Define the User Access Administrator RBAC role
The User Access Administrator role can manage user access to Azure resources.
Define a member user
Native member of the Microsoft Entra organization that has a set of default permissions.
What is the Azure CLI command to create a new user?
az ad user create
What is the PowerShell command to create a new user?
New-MgUser
What is the Azure CLI command to delete a user?
az ad user delete
What is the PowerShell command to delete a user?
Remove-MgUser
What are the 3 ways to assign access rights?
- Direct assignment: Assign a user the required access
- Group assignment: Assign a group the required access rights
- Rule-based assignment
By default, who can grant guest user access?
Users and administrators in Microsoft Entra ID can invite guest users, but the Global Administrator can limit or disable this ability.
What is the advantage of Microsoft Entra B2B instead of federation?
With Microsoft Entra B2B, you don’t take on the responsibility of managing and authenticating partners’ credentials and identities.
How do Azure subscriptions manage access?
The subscriptions use Microsoft Entra ID for single sign-on (SSO) and access management.
What is Azure RBAC built on?
An authorization system built on Azure Resource Manager that provides fine-grained access management for resources in Azure.
What is the inheritance order for scope in Azure?
Management group, Subscription, Resource group, Resource.
Suppose a team member can’t view resources in a resource group. Where would the administrator go to check the team member’s access?
Go to the resource group and select Access control (IAM) > Check Access.
When is a user considered registered for SSPR?
When they’ve registered at least the number of methods that you’ve required to reset a password.