Manage identities and governance in Azure Flashcards
Administrator roles
Administrator roles in Azure AD give users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organization. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more.
Administrator roles (cont.)
If your user account has the User Administrator or Global Administrator role, you can create a new user in Azure AD by using either the Azure portal, the Azure CLI, or PowerShell. In PowerShell, use the cmdlet New-AzureADUser. In the Azure CLI, use az ad user create
Member users
A member user account is a native member of the Azure AD organization that has a set of default permissions like being able to manage their profile information. When someone new joins your organization, they typically have this type of account created for them
Guest users
Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user
Account Deletion
When you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored
Account Commands
PowerShell: New-AzureADUser
Azure CLI: az ad user create
Azure AD roles
Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more
Role-based access control (RBAC) for Azure resources
Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription.
Access rights through single user or group assignment
- Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights.
- Group assignment: Assign a group the required access rights, and members of the group will inherit those rights.
- Rule-based assignment: Use rules to determine a group membership based on user or device properties. For a user account or device’s group membership to be valid, the user or device must meet the rules. If the rules aren’t met, the user account or device’s group membership is no longer valid. The rules can be simple. You can select prewritten rules or write your own advanced rules
Azure AD
Azure AD is Microsoft’s cloud-based identity and access management service. It provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.
Tenant
A tenant represents the organization and the default directory assigned to it.
Subscriptions
Resources such as virtual machines, web sites, and databases are always associated to a single subscription. Each subscription also has a single account owner who is responsible for any charges incurred by resources in that subscription. If your organization wants the subscription to be billed to another account, you can transfer ownership of the subscription. A given subscription is also associated to a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory
Users and groups
Users and groups can be added to multiple subscriptions, which allows the user to create, control, and access resources in the subscription. When you add a user to a subscription, the user must be known to the associated directory.
Adding users
Syncing an on-premises Windows Server Active Directory
Azure AD Connect is a separate service that allows you to synchronize a traditional Active Directory with your Azure AD instance. This is how most enterprise customers add users to the directory. The advantage to this approach is users can use single-sign-on (SSO) to access local and cloud-based resources.
Use the Azure portal
You can manually add new users through the Azure portal. This is the easiest way to add a small set of users. You need to be in the User Administrator role to perform this function
Security groups
These are the most common and are used to manage member and computer access to shared resources for a group of users
This option requires an Azure AD administrator
Microsoft 365 groups
These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more.
This option also lets you give people outside of your organization access to the group. This option is available to users as well as admins
Assigned membership
The group will contain specific users or groups that you select.
Dynamic user Membership
You create rules based on characteristics to enable attribute-based dynamic memberships for groups. For example, if a user’s department is Sales, that user will be dynamically assigned to the Sales group. You can set up a rule for dynamic membership on security groups or on Office 365 groups. If the user’s department changes in the future, they are automatically removed from the group. This feature requires an Azure AD Premium P1 license
Roles / intro
Azure AD provides several built-in roles to cover the most common security scenarios. To understand how the roles work, let’s examine three roles that apply to all resource types
Owner / Contributor / Reader
- Owner, which has full access to all resources, including the right to delegate access to others.
- Contributor, which can create and manage all types of Azure resources but can’t grant access to others.
- Reader, which can view existing Azure resources
JSON NOTATIONS FOR PERMISSIONS
Owner (allow all actions): Actions = *; NotActions = none
Contributor (allow all actions except writing or deleting role assignments): Actions = *; NotActions = Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/*/elevateAccess/Action
Reader (allow all read actions): Actions = */read; NotActions = none
DataActions and NotDataActions
Data operations are specified in the DataActions and NotDataActions properties. This allows data operations to be specified separately from the management operations. This prevents current role assignments with wildcards (*) from suddenly having access to data. Here are some data operations that can be specified in DataActions and NotDataActions
Custom Roles
Custom role creation requires Azure AD Premium P1 or P2 and cannot be done in the free tier.
Azure AD Connect
This is a free tool you can download and install to synchronize your local AD with your Azure directory
What’s included in Azure AD Connect?
Sync services. This component is responsible for creating users, groups, and other objects. It also makes sure that identity information for your on-premises users and groups matches that in the cloud.
What’s included in Azure AD Connect? 1
Health monitoring. Azure AD Connect Health supplies robust monitoring and a central location in the Azure portal for viewing this activity.
What’s included in Azure AD Connect? 2
AD FS. Federation is an optional part of Azure AD Connect that you can use to configure a hybrid environment via an on-premises AD FS infrastructure. Organizations can use this to address complex deployments, such as domain join SSO, enforcement of the Active Directory sign-in policy, and smart card or third-party multi-factor authentication
What’s included in Azure AD Connect? 3
Password hash synchronization. This feature is a sign-in method that synchronizes a hash of a user’s on-premises Active Directory password with Azure AD.
What’s included in Azure AD Connect? 4
Pass-through authentication. This allows users to sign in to both on-premises and cloud-based applications using the same passwords. This reduces IT helpdesk costs because users are less likely to forget how to sign in. This feature provides an alternative to Password hash synchronization that allows organizations to enforce their security and password complexity policies.
RBAC ROLES
Owner: Has full access to all resources, including the ability to delegate access to other users.
Contributor: Can create and manage Azure resources.
Reader: Can view only existing Azure resources.
User Access Administrator: Can manage access to Azure resources.
Identify the right scope
Role assignments can be scoped at four levels: management groups, subscriptions, resource groups, and individual resources.
Azure AD roles
Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator. By default, whoever signs up for the directory is automatically assigned this role.
User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users.
Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to RBAC permissions. The available billing permissions depend on the agreement you have with Microsoft.
Azure roles
Manage access to Azure resources like VMs, storage, networks, and more
Multiple scope levels (management group, subscription, resource group, resource)
Role information accessible through Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API
Azure AD roles
Manage access to Azure Active Directory resources like user accounts and passwords
Scope only at tenant level
Role information accessible in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, Azure AD PowerShell
What are resource groups?
Resource groups are a fundamental element of the Azure platform. A resource group is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription like virtual machines, Application Gateways, and CosmosDB instances
Logical grouping
Resource groups exist to help manage and organize your Azure resources. By placing resources of similar usage, type, or location together, you can bring some order and organization to the resources you create in Azure. Logical grouping is the main benefit when resources have become disorganized.
Authorization
Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed
What is Azure Policy?
Azure Policy is a service you can use to create, assign, and manage policies. These policies apply and enforce rules that your resources need to follow. These policies can enforce these rules when resources are created, and can be evaluated against existing resources to give visibility into compliance.
RBAC (role-based access control)
RBAC provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. RBAC is considered a core service and is included with all subscription levels at no cost
How RBAC defines access
RBAC uses an allow model for access. When you are assigned to a role, RBAC allows you to perform specific actions, such as read, write, or delete. Therefore, if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have both read and write permissions on that resource group
What are resource locks?
Resource locks are a setting that can be applied to any resource to block modification or deletion
Types Of Resource locks
Resource locks can be set to either Delete or Read-only. A Delete lock allows all operations against the resource but blocks the ability to delete it.
Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels
Removing Locks
When a resource lock is applied, you must first remove the lock before you can perform the blocked operation. Requiring this additional step before the action can be taken on the resource helps protect resources from inadvertent actions, and helps protect your admins from doing something they didn’t intend to do.
Azure subscriptions
First, remember that each Azure subscription is associated with a single Azure AD directory. Users, groups, and applications in that directory can manage resources in the Azure subscription. The subscriptions use Azure AD for single sign-on (SSO) and access management. You can extend your on-premises Active Directory to the cloud by using Azure AD Connect. This feature allows your employees to manage their Azure subscriptions by using their existing work identities. When you disable an on-premises Active Directory account, it automatically loses access to all Azure subscriptions connected with Azure AD
What is RBAC?
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. With RBAC, you can grant the exact access that users need to do their jobs. For example, you can use RBAC to let one employee manage virtual machines in a subscription while another manages SQL databases within the same subscription
scopes and roles
The scope of a role assignment can be a subscription, a resource group, or a single resource. A role assigned at a parent scope also grants access to the child scopes contained within it
Security principal (who)
A security principal is just a fancy name for a user, group, or application that you want to grant access to.
Role definition (what you can do)
A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the permissions that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Contributor
built in roles
Owner - Has full access to all resources, including the right to delegate access to others.
Contributor - Can create and manage all types of Azure resources, but can’t grant access to others.
Reader - Can view existing Azure resources.
User Access Administrator - Lets you manage user access to Azure resources
Scope (where)
Scope is where the access applies to. This is helpful if you want to make someone a Website Contributor, but only for one resource group
role assignment
A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment
RBAC is an allow model
RBAC is an allow model. What this means is that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. So, if one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you will have read and write permissions on that resource group
Azure billing zones
Zone 1: United States, US Government, Europe, Canada, UK, France, Switzerland
Zone 2: East Asia, Southeast Asia, Japan, Australia, India, Korea
Zone 3: Brazil, South Africa, UAE
DE Zone 1: Germany
Azure Advisor
Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across each of these areas.
Azure Cost Management
Azure Cost Management is a built-in Azure tool that gives you greater insight into where your cloud money is going. You can see historical breakdowns of which services you are spending money on and how that spending tracks against budgets you have set. You can set budgets, schedule reports, and analyze your cost areas.
cost analysis
Act on the findings gathered through planning and increased cost visibility. Based on what the Cost Analysis tool shows, you might consider purchase and licensing optimizations or infrastructure deployment changes.
Moving Resource Groups
You can move resources from one resource group to another resource group, including a resource group in a different subscription.
Tag Limitations
Always check whether your Azure resource supports tags. For example, you can’t set tags on generalized VMs.
You can apply tags on resource groups, but tags aren’t automatically inherited by resources from their resource group. If you want all the resources in a resource group to have a tag, you must do this manually.
You can apply a maximum of 50 tags to a single resource or resource group in Azure
Moving Resource: Identify Type
First you need to identify the resource type of the resources you want to move. In the Azure portal, you can see the resource type for each resource on the All resources page. The same Type column is also included in the list of resources in a resource group
Moving Resource: Check Limitations on the resource Type
After identifying the resource types of your resources, you must investigate whether they can be moved, and the restrictions that might be in place. Check your resource types against the move support for resources list. The list shows whether each resource type can be moved between resource groups or between subscriptions
These resources can be moved
Azure Storage accounts
Azure virtual machines
Azure virtual networks
These resources can’t be moved
Azure Active Directory domain services
Azure Backup vaults
Azure App Service gateways
SSL certificates
You can’t automatically move third-party SSL certificates.
Virtual Machines move
If you want to move a virtual machine, all of its dependents must go with it.
You can’t move virtual machines with certificates in Azure Key Vault between subscriptions.
You can’t move virtual machine scale sets with standard load balancers or a standard public IP.
You can’t move any managed disks that are in availability zones to different subscriptions.
What happens when you move a resource group?
When you start a move operation, the resource group holding your resources and the new destination resource group are locked. You can’t do write or delete operations on the resource groups until the move operation ends. Your resources aren’t affected, but you can’t add, delete, or update any resources in these resource groups
Locations for Moves
Your moved resources don’t change location. For example, if you have a storage account in the East US region, and you move it to another resource group, it keeps its East US region location
Move resources between subscriptions
Depending on the resource type, you can move your resources between subscriptions, or between resource groups within the same subscription
Move guidance for networking resources
When moving a virtual network, you must also move its dependent resources
For VPN Gateways, you must move IP addresses, virtual network gateways, and all associated connection resources
Local network gateways can be in a different resource group
Moving Network Components on a VM
To move a virtual machine with a network interface card to a new subscription, you must move all dependent resources. Move the virtual network for the network interface card, all other network interface cards for the virtual network, and the VPN gateways
Peered virtual network
To move a peered virtual network, you must first disable the virtual network peering. Once disabled, you can move the virtual network. After the move, reenable the virtual network peering
Subnet links
You can’t move a virtual network to a different subscription if the virtual network contains a subnet with resource navigation links. For example, if an Azure Cache for Redis resource is deployed into a subnet, that subnet has a resource navigation link
Prepare to test your move
Before attempting to move a resource, you can test whether it will be successful by calling the validate move operation from the Azure REST API
Basics of device identity
Device identity in Azure Active Directory (Azure AD) helps you control the devices that you add to your organization’s Azure AD instance
Azure AD registered
These devices fall into the Bring Your Own Device (BYOD) category. They’re typically privately owned, or they use a personal Microsoft account or another local account. This method of device registration is the least restrictive because it supports devices running Windows 10, iOS, iPadOS, Android, and macOS. Device security is typically provided by a password, a PIN, a pattern, or Windows Hello.
Azure AD joined
These devices are owned by your organization. Users access your cloud-based Azure AD instance through their work account. Device identities exist only in the cloud. This option is available only to Windows 10 or Windows Server 2019 devices. Windows Server 2019 Server Core installation isn’t supported. Security for this option uses either a password or Windows Hello
Hybrid Azure AD joined
This option is similar to Azure AD joined. The devices are owned by the organization, and they’re signed in with an Azure AD account that belongs to that organization. Device identities exist in the cloud and on-premises. The hybrid option is better suited to organizations that need on-premises and cloud access. This option supports Windows 7, 8.1, and 10, and Windows Server 2008 or later.
Conditional access
Conditional access in Azure AD uses data from sources known as signals, validates them against a user-definable rule base, and chooses the best outcome to enforce your organization’s security policies
Basics of Azure AD join
With Azure AD join, you can join devices to your Azure Active Directory organization without needing to sync with an on-premises Active Directory instance.
Supported devices
Azure AD join works with Windows 10 or Windows Server 2019 devices. Windows Server 2019 Server Core installation isn’t supported
Identity infrastructure: Managed environment
This environment uses pass-through authentication or password hash sync to provide single sign-on (SSO) to your devices
Identity infrastructure: Federated environments
These environments require the use of an identity provider. That provider must support the WS-Trust and WS-Fed protocols for Azure AD join to work natively with Windows devices. WS-Fed is required to join a device to Azure AD. WS-Trust is needed to sign in to an Azure AD joined device
Identity infrastructure: Smart cards and certificate-based authentication
These methods aren’t valid ways to join devices to Azure AD. But, if you have Active Directory Federation Services configured, you can use smart cards to sign in to Azure AD joined devices. We recommend that you use a service like Windows Hello for Business, which supports passwordless authentication to Windows 10 devices
Identity infrastructure: Manual user configuration
If you create users in your on-premises Active Directory instance, you need to synchronize the accounts to Azure AD by using Azure AD Connect. If you create users in Azure AD, no additional setup is needed.
Device management
MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, software installations, and software updates
For Azure AD joined devices, there are two management approaches
MDM only: All joined devices are managed exclusively through an MDM provider, like Intune. If your organization uses group policies, you’ll need to review your MDM policy for support.
Co-management: All joined devices use a combination of a locally installed System Center Configuration Manager agent and your MDM provider. Microsoft Intune provides co-management capabilities through Configuration Manager. You use Configuration Manager to manage the device while MDM delivers user-management policies
On-premises web applications
Access to these applications requires each user to add the app to their trusted sites or intranet zone, depending on where the app is hosted.
Azure Data Box products
The Azure Data Box family can be divided into two groups, for offline and online data transfer. Offline data transfer allows you to move large amounts of data to Azure whenever you have time, network bandwidth, or cost constraints. It is a good fit when an organization doesn’t want to tie up its network bandwidth while shifting a large data set to Azure.
Offline data transfer
Data Box Disk: Provides one ~35-TB transfer to Azure. Connect and copy data over USB.
Data Box: Provides one ~80-TB transfer to Azure per order. Connect and copy data to the device over standard network interface protocols like SMB and NFS.
Data Box Heavy: Provides one ~800-TB transfer to Azure. Use high-throughput network interfaces to connect and copy data to the device. This process uses standard network interface protocols like SMB and NFS. Data Box Heavy is like two Data Boxes, each with an independent node
Online data transfer
Online data transfer enables a link between your on-premises assets and Azure
Transferring huge amounts of data to Azure is similar to copying data to a network share. Online data transfer is ideal when you need a continuous link to transfer a massive amount of data.
Data Box Edge
This device is a dedicated appliance with 12 TB of local SSD storage. It can preprocess and run machine learning on data before uploading it to Azure
Data Box Gateway
This device is an entirely virtual appliance. It’s based on a virtual machine that you provision in your on-premises environment
Azure Data Factory
Azure Data Factory is a service that enables you to organize, move, and transform large quantities of data from many different sources. In Data Factory, you create data pipelines that ingest data from relational databases, NoSQL databases, and other systems. You can use Azure Machine Learning, Hadoop, Spark, and other services to process and transform that data. Then, at the end of the pipeline, you can publish the transformed data to Azure SQL Data Warehouse, Azure SQL Database, Azure Cosmos DB, and Azure Storage.
What is Azure File Sync?
Azure File Sync allows you to extend your on-premises file shares into Azure. It works with your existing on-premises file shares to expand your storage capacity and provide redundancy in the cloud. It requires Windows Server 2012 R2 or later. You can access your on-premises file share with any supported file sharing protocol that Windows Server supports, like SMB, NFS, or FTPS
cloud tiering
Cloud tiering is an optional feature of Azure File Sync that allows frequently accessed files to be cached locally on the server. Files are cached or tiered according to the cloud tiering policy you create.
Storage Sync Service
The Storage Sync Service is the high-level Azure resource for Azure File Sync. The service is a peer of the storage account, and it can also be deployed to Azure resource groups.
sync group
A sync group outlines the replication topology for a set of files or folders. All endpoints located in the same sync group are kept in sync with each other. If you have different sets of files that must be synced and managed with Azure File Sync, you would create two sync groups with different endpoints.
registered server
A registered server represents the trust relationship between the on-premises server and the Storage Sync Service. You can register multiple servers to the Storage Sync Service, but a server can be registered with only one Storage Sync Service at a time.
Azure File Sync agent
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share. The agent has three components:
FileSyncSvc.exe. Service that monitors changes on endpoints.
StorageSync.sys. Azure file system filter driver.
PowerShell management cmdlets.
server endpoint
A server endpoint represents a specific location on a registered server, like a folder on a local disk. Multiple server endpoints can exist on the same volume if their paths don’t overlap.
cloud endpoint
A cloud endpoint is the Azure file share that’s part of a sync group. The whole file share syncs and can be a member of only one cloud endpoint. An Azure file share can be a member of only one sync group at a time.
System requirements
Azure File Sync has these system requirements for your local file server:
Operating system: Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019, in either Datacenter or Standard edition in full or core deployments.
Memory: 2 GB of RAM or more.
Patches: Latest Windows patches applied.
Storage: Locally attached volume formatted in the NTFS file format. Remote storage connected by USB isn’t supported.
NTFS
The NTFS features supported by Azure File Sync are:
Access control lists (ACLs): ACLs are preserved and enforced on Windows Server endpoints.
NTFS compression: Compressing files to save space is fully supported.
Sparse files: Sparse files are stored in a more efficient way than normal files. Sparse files are supported, but, during the sync to the cloud, they’re stored as normal full files.
Storage account
The storage account is used to store the file share. In Azure, a storage account is where all Azure Storage data objects, like blobs, files, queues, and disks, are stored. There are some limitations on the kind of storage account that can be used. Select StorageV2 with a hot access tier
File share
The file share is the cloud version of a normal on-premises file share. It will store all files and folders. You control the size of the file share by specifying a quota size. You can increase the quota later if you need to.
Storage Sync Service
The Storage Sync Service is responsible for establishing trust between your company’s server and Azure. This service is where you connect the file share in Azure with the file directory on your server
Sync group
The sync group must contain one cloud endpoint that represents an Azure file share and one or more server endpoints that map to a path on a registered Windows file server. The sync group manages the process by using metadata stored in a hidden folder: .SystemShareInformation. Don’t delete this folder