Mod 13 - Describe Azure identity, access, and security Flashcards
What are the 4 things Azure AD does?
- Authentication
- Single sign-on
- Application management
- Device management
Replica set
Two Windows Server domain controllers deployed into your selected Azure region.
Is information synchronized between AZ AD and AZ AD DS?
A managed domain is configured to perform a one-way synchronization from Azure AD to Azure AD DS.
Single sign-on (SSO)
Enables a user to sign in one time and use that credential to access multiple resources and applications from different providers.
What is the security of SSO dependent on?
Single sign-on is only as secure as the initial authenticator because the subsequent connections are all based on the security of the initial authenticator.
What are the 3 categories of MFA?
- Something the user knows – this might be a challenge question.
- Something the user has – this might be a code that’s sent to the user’s mobile phone.
- Something the user is – this is typically some sort of biometric property, such as a fingerprint or face scan.
What’s passwordless authentication?
An Azure authentication method in which you enroll a trusted device and then authenticate with something you know or something you are. Example: something you have (the enrolled device), plus something you are or something you know.
Three passwordless authentication options that integrate with Azure Active Directory (Azure AD):
- Windows Hello for Business: ideal for information workers who have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user’s PC, which prevents access by anyone other than the owner.
- Microsoft Authenticator app: allows your employee’s phone to become a passwordless authentication method.
- FIDO2 security keys: an unphishable, standards-based passwordless authentication method that can come in any form factor. FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC.
What is Azure AD External Identities?
Azure AD External Identities refers to all the ways you can securely interact with users outside of your organization.
What are the 3 capabilities of External Identities?
- Business to business (B2B) collaboration - Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). External users appear as guests in Azure AD.
- B2B direct connect - Establish a mutual, two-way trust with another Azure AD organization for seamless collaboration. B2B direct connect currently supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams. B2B direct connect users aren’t represented in your directory, but they’re visible from within the Teams shared channel and can be monitored in Teams admin center reports.
- Azure AD business to customer (B2C) - Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management.
Conditional Access is useful in 4 ways:
- Require multifactor authentication (MFA) to access an application depending on the requester’s role, location, or network.
- Require access to services only through approved client applications.
- Require users to access your application only from managed devices.
- Block access from untrusted sources, such as access from unknown or unexpected locations.
How is role-based access control applied to resources?
Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.
What 4 things do Azure scopes include?
- A management group (a collection of multiple subscriptions).
- A single subscription.
- A resource group.
- A single resource.
How is Azure RBAC enforced?
Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager.
Describe the allow model RBAC uses.
Role-based access control, using an allow model, grants all of the permissions assigned in all of the assigned roles. Example: a user assigned Role 1 (read), Role 2 (write), and Role 3 (read and write) would have read and write permissions.