Manage identity and access Flashcards
What is Microsoft Entra ID?
a cloud-based identity and access management service that enables your employees to access external resources.
Resources that employees can access with Microsoft Entra ID
Microsoft 365
Azure portal
SaaS applications
apps on corporate intranet
cloud apps developed for your own organization
Who uses Microsoft Entra ID?
IT admins
App Developers
Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers
What are Microsoft Entra ID licenses?
Microsoft Entra ID Free is the baseline; you add paid features by upgrading to P1 or P2 licenses.
Paid licenses provide self-service, enhanced monitoring, security reporting, and secure access for mobile users.
T or F
If you subscribe to any Microsoft Online business service, you automatically get access to Microsoft Entra ID Free
True
T or F
To enhance your Microsoft Entra implementation, you can also add paid features by upgrading to Microsoft Entra ID P1 or P2 licenses
True
T or F
Microsoft Entra paid licenses are built on top of your existing free directory
true
Microsoft Entra ID Free
user and group management
on premises directory synchronization
basic reports
self service password change for cloud users
single sign on across Azure
Microsoft 365
many SaaS apps
Microsoft Entra ID P1
in addition to the free features -
lets hybrid users access both on premises and cloud resources
supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users
Microsoft Entra ID P2
In addition to the Free and P1 features
offers Microsoft Entra ID Protection, which provides risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management, which helps discover, restrict, and monitor administrators and their access to resources and provides just-in-time access when needed
Pay-as-you-go feature licenses
such as Business-to-Customer (B2C)
B2C can help you provide identity and access management solutions for your customer-facing apps.
Which features work in Microsoft Entra ID?
Application management
Authentication
Microsoft Entra ID for developers
B2B
B2C
Conditional Access
Device Management
Domain Services
Enterprise Users
Hybrid Identity
Identity governance
Identity protection
Managed identities for Azure resources
Privileged identity management (PIM)
Monitoring and health
Workload identities
T or F
Microsoft Entra ID allows you to create several types of users in your tenant, which provides greater flexibility in how you manage your organization’s users.
true
T or F
Global Administrator can create users and assign roles
true
T or F
The required role of least privilege varies based on the type of user you’re adding and if you need to assign Microsoft Entra roles at the same time
true
Microsoft Entra users:
Task - create a new user.
What is the role?
role - User Administrator
Microsoft Entra users:
Task - Invite an external guest
What is the role?
role - Guest Inviter
Microsoft Entra users:
Task - Assign Microsoft Entra roles
What is the role?
role - Privileged Role Administrator
Type of users
Internal member
internal guest
external member
external guest
Internal member
most likely full time employees
Internal guest
account in your tenant but have guest level privileges
External member
authenticate using an external account but have member-level access to your tenant
- common in multitenant organizations
External guest
a true guest of your tenant who authenticates using an external method and has guest-level privileges
T or F
Internal guest and members have credentials in your Microsoft Entra tenant that can be managed by administrators
True
T or F
External members authenticate to their home Microsoft
True
How to create a new user in Microsoft Entra ID
sign in to the Microsoft Entra admin center as a User Administrator (the least-privileged role for creating users)
T or F
With Microsoft Entra you can grant access and permissions to a group of users instead of each individual
True
The groups that can’t be managed in the Azure portal
Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory (Microsoft Entra ID is the cloud directory; the sync is one-way into it).
Distribution lists and mail-enabled security groups are managed only in Exchange admin center or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to manage these groups.
Microsoft Entra ID lets you use groups to manage access to applications, data, and resources. Resources can be:
Part of the Microsoft Entra organization, such as permissions to manage objects through roles in Microsoft Entra ID
External to the organization, such as for Software as a Service (SaaS) apps
Azure services
SharePoint sites
On-premises resources
How many group types are there?
2
Security - used to manage user and computer access to shared resources
Microsoft 365 - provides collaboration opportunities by giving group members access to shared mailbox, calendar, files, SharePoint sites, and more
How many group membership types are there?
3
Assigned - Lets you add specific users as members of a group and have unique permissions
Dynamic user - Lets you use dynamic membership rules to automatically add and remove members
Dynamic device - Lets you use dynamic group rules to automatically add and remove devices
T or F
Each application, resource, and service that requires access permissions needs to be managed separately.
true
permissions granted for one resource do not carry over to another
How access management in Microsoft Entra ID works
Microsoft Entra ID helps you give access to your organization’s resources by providing access rights to a single user or to an entire Microsoft Entra group
Ways to assign access rights
Direct assignment
Group assignment
Rule based assignment
External authority assignment
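The dynamic-membership and group-assignment cards above are easier to reason about with the actual calls. The following is an added example, not from the original flashcards, using the Microsoft.Graph PowerShell SDK: it creates a dynamic security group (rule-based assignment) and then grants that group an app role on an enterprise application (group assignment). The group name, the `Finance` department value, the app display name `Expense Portal` and its `Analyst` app role are assumptions for illustration. Dynamic groups require a P1 license, as the license cards note.

```powershell
# Added example (not from the original flashcards): dynamic security group plus
# group-based app assignment with the Microsoft.Graph PowerShell SDK.
# Group name, department value, app name and app role value are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.ReadWrite.All"

# Rule-based assignment: the membership rule decides who is in the group, and
# Entra re-evaluates it as user attributes change, so nobody hand-edits the list.
$groupParams = @{
    DisplayName                   = "Finance-Analysts"
    MailNickname                  = "finance-analysts"
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @groupParams

# Group assignment: give the group an app role on the app's service principal.
# Every current and future member inherits the access; when the rule drops a
# user, the access goes with them.
$sp   = Get-MgServicePrincipal -Filter "displayName eq 'Expense Portal'"
$role = $sp.AppRoles | Where-Object { $_.Value -eq "Analyst" }   # assumed app role
# Apps that define no roles are assigned through the all-zero "default access" id.
$roleId = if ($role) { $role.Id } else { "00000000-0000-0000-0000-000000000000" }

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId

# Checks. Dynamic membership is evaluated asynchronously, so the member list can
# be empty for a few minutes right after creation.
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Where-Object { $_.PrincipalId -eq $group.Id } |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

The practical point of the second check is the one the cards make about managing each resource separately: the group's membership says nothing about what it can reach; the app role assignment on the service principal is the only thing that grants access to that app, and other apps need their own assignment.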
T or F
The group owner can let users find their own groups to join, instead of assigning them
True
T or F
the owner can set up the group to automatically accept all users that join or to require approval
true
Recommend when to use external identities
B2B collaboration - with Microsoft Entra External ID you can invite guest users to collaborate with your organization
T or F
With Microsoft Entra B2B, the partner uses their own identity management solution, so there’s no external administrative overhead for your organization
True
The partner uses their own identities and credentials, whether or not they have a Microsoft Entra account.
You don’t need to manage external accounts or passwords.
You don’t need to sync accounts or manage account lifecycles.
With B2B collaboration with other Microsoft Entra organizations you can control and manage settings such as
manage inbound and outbound B2B collaboration
scope access to specific users, groups, and applications
MFA
cross tenant access
device claims
T or F
You can use external collaboration settings to define who can invite external users, allow or block B2B specific domains, and set restrictions on guest user access to your directory.
True
T or F
Use Microsoft cloud settings to establish mutual B2B collaboration between the Microsoft Azure global cloud and Microsoft Azure Government or Microsoft Azure operated by 21Vianet.
True
What is self-service sign up
With a self-service sign-up user flow, you can create a sign-up experience for external users who want to access your apps
T or F
You can delegate guest user management to application owners so that they can add guest users to any app
True
T or F
Non-administrators use their Access Panel to add guest users to applications or groups.
true
T or F
Administrators set up self-service app and group management.
true
How do non-administrators add guest users to applications or groups?
Through their Access Panel, once an administrator has set up self-service app and group management
How to customize the onboarding experience for B2B guest users
Use Microsoft Entra entitlement management to configure policies that manage access for external users.
Use the B2B collaboration invitation APIs to customize your onboarding experiences.
Integrate with identity providers
external users can sign in with their existing social or enterprise accounts instead of creating a new account just for your application
Integrate with SharePoint and OneDrive
to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management
Secure external identities
manage access with Microsoft Entra ID or Microsoft Entra B2C
the following capabilities make up External Identities
B2B collab
B2B direct connect
Microsoft Entra B2C
Microsoft Entra multitenant organization
B2B collaboration
Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications
- typically guest users
B2B direct connect
Establish a mutual, two-way trust with another Microsoft Entra organization for seamless collaboration
Microsoft Entra B2C
Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Microsoft Entra B2C for identity and access management
Microsoft Entra multitenant organization
Collaborate with multiple tenants in a single Microsoft Entra organization via cross-tenant synchronization
T or F
With B2B collaboration you can invite anyone to sign in to your Microsoft Entra organization using their own credentials
True
Ways to add external users to your organization for B2B collaboration
invite guest users, who sign in with their own Microsoft Entra accounts or other supported identities
use self service sign up
Microsoft Entra entitlement management
Microsoft Entra Identity protection
helps organizations detect, investigate, and remediate identity based risks
Where does Identity Protection get the signals it uses to detect risk?
Microsoft Entra ID (organizations)
Microsoft Accounts (consumer space)
gaming - Xbox
Identity Protection provides three key reports for administrators to investigate risks and take action:
Risk detections - Each risk detected is reported as a risk detection
Risky sign ins - A risky sign-in is reported when there are one or more risk detections reported for that sign-in.
Risky users - A Risky user is reported when either or both of the following are true:
The user has one or more Risky sign-ins.
One or more risk detections have been reported.
Automatic remediation
Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, performing multifactor authentication, or performing a secure password reset, based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.
Manual remediation
When user remediation isn't enabled, an administrator must manually review the risks in the reports in the portal, through the API, or in Microsoft 365 Defender.
Administrators can perform manual actions to dismiss, confirm safe, or confirm compromise on the risks.
making use of the data
Data from Identity Protection can be exported to other tools for archive, further investigation, and correlation.
A company wants to collaborate with a vendor outside of their organization. Which capability of Microsoft Entra External ID should they use?
b2b collab
An organization wants to enable automatic remediation for identity-based risks detected by Microsoft Entra ID Protection. What access controls can be required based on the detected risk level?
Providing a strong authentication method, performing multifactor authentication, or performing a secure password reset
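The automatic and manual remediation cards above, and this quiz answer, describe what a risk-based policy does but not what one looks like. The following is an added example, not from the original flashcards, using the Microsoft.Graph PowerShell SDK: it creates a sign-in-risk policy and a user-risk policy in report-only mode, shows the manual actions (confirm compromised, dismiss) against a risky user, and exports risk detections for correlation elsewhere. The policy names, the emergency-access account id held in `$breakGlassId`, and the sample UPN `alex@contoso.example` are assumptions.

```powershell
# Added example (not from the original flashcards): risk-based Conditional Access
# for automatic remediation, manual remediation actions, and export of risk data,
# via the Microsoft.Graph PowerShell SDK. Policy names, $breakGlassId and the UPN
# are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
    "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All"

# Always exclude an emergency-access account so a bad policy cannot lock out
# every administrator. Object id assumed for illustration.
$breakGlassId = "00000000-0000-0000-0000-000000000001"

# Sign-in risk: medium or high risk on a sign-in must be answered with MFA.
# Passing MFA remediates the sign-in risk automatically.
$signInRiskPolicy = @{
    displayName   = "Require MFA for medium and high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # review impact, then "enabled"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# User risk: a high-risk user must pass MFA and then change password. Entra
# requires passwordChange to be combined with mfa using the AND operator.
$userRiskPolicy = @{
    displayName   = "Require secure password change for high user risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy

# Manual remediation: list users still at risk, then act on one after investigation.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

$user = Get-MgUser -UserId "alex@contoso.example"           # assumed UPN
# Investigation showed a real compromise: raise the user to high risk, which
# triggers the user-risk policy on next sign-in.
Confirm-MgRiskyUserCompromised -UserIds @($user.Id)
# If instead the activity was benign (e.g. travel), dismiss the risk:
# Invoke-MgDismissRiskyUser -UserIds @($user.Id)

# Making use of the data: export detections for archive and correlation.
Get-MgRiskDetection -All |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel, IpAddress |
    Export-Csv -Path ".\risk-detections.csv" -NoTypeInformation
```

Start both policies in report-only mode and read the sign-in logs before switching `state` to `enabled`; the report-only result shows which users would have been challenged without anyone being blocked.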
A User Administrator wants to add a new user to their Microsoft Entra ID organization. What steps should they follow?
Sign in to the Azure portal or Microsoft Entra admin center in the User Administrator role, navigate to Microsoft Entra ID > Users, and select either Create new user or Invite external user from the menu.
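The role table earlier on the page (create a user: User Administrator; invite a guest: Guest Inviter; assign roles: Privileged Role Administrator) and this create-a-user procedure are the same three tasks. The following is an added example, not from the original flashcards, that performs them with the Microsoft.Graph PowerShell SDK, requesting only the Graph permission each task needs; the signed-in account must additionally hold the matching directory role, because delegated Graph permissions never exceed the caller's role. The display name, UPNs, the invitee address and the redirect URL are assumptions.

```powershell
# Added example (not from the original flashcards): create a member user, invite
# an external guest, and assign a directory role, each under least privilege.
# Names, UPNs and the invitee address are assumptions.

# 1. Create an internal member (User Administrator task).
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Temporary password from a CSPRNG; the user must change it at first sign-in.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

$member = New-MgUser -DisplayName "Jane Doe" `
    -UserPrincipalName "jane.doe@contoso.example" `
    -MailNickname "jane.doe" -AccountEnabled:$true `
    -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# 2. Invite an external guest (Guest Inviter task). The partner keeps their own
# credentials; the tenant only stores a guest object that points at them.
Connect-MgGraph -Scopes "User.Invite.All"
$invite = New-MgInvitation -InvitedUserEmailAddress "partner@fabrikam.example" `
    -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage:$true

# 3. Assign a Microsoft Entra role (Privileged Role Administrator task).
# Tenant-wide scope is "/"; scope to an administrative unit instead where possible.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $member.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"

# Check the resulting user types: "Member" for the new employee, "Guest" for the invitee.
Get-MgUser -UserId $member.Id -Property UserPrincipalName, UserType |
    Select-Object UserPrincipalName, UserType
Get-MgUser -UserId $invite.InvitedUser.Id -Property UserPrincipalName, UserType |
    Select-Object UserPrincipalName, UserType
```

Running each step in a separate `Connect-MgGraph` session is deliberate: a script that asks for `Directory.ReadWrite.All` up front works, but it hands every step the permissions of the most privileged one, which is exactly what the least-privilege card warns against.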
A company wants to manage identity and access for external users at scale by automating access request workflows, access assignments, reviews, and expiration. Which feature should they use?
Microsoft Entra entitlement management
A company wants to create a sign-up experience for external users who want to access their apps. What options can they provide as part of the sign-up flow?
Providing options for different social or enterprise identity providers.