Mod 6 - Explore Azure Identity and Security Options Flashcards
What two things do both On-Prem AD and Azure AD have?
- Can sync users, groups, and passwords
- Can enable device login via AD credentials
What two things can only On-Prem AD do?
- Allows for full use of all AD features, e.g. Users, Groups, Devices, GPOs
- Used for enforcing GPOs on various systems and endpoints
What are the 4 unique things about Azure AD?
- Limited as identity store
- Can’t use GPOs
- Can configure computers to log in via Azure AD, but usually don’t because GPOs can’t be enforced
- Azure AD is used to help cloud-based apps authenticate against always-on identity stores, e.g. On-Prem AD
Can Azure AD trust external identity stores such as Google GSuite?
Yes
What is a main use of Azure AD?
- Azure AD is used because it is a cloud store and can be used to authenticate users who need to access cloud resources. Ex. a user who logs in to office.com to access Excel uses Azure AD to do AAA OR App
Azure AD Domain Services
Azure resource that enables you to use managed domain services, such as Windows Domain Join, group policy, LDAP, and Kerberos authentication, without having to deploy, manage, or patch domain controllers.
Is Azure AD Domain Services separate from, or on the same domain as, the On-Prem Domain and the Azure AD Domain?
Separate
Describe the three steps of how you set up and use Azure AD Domain Services
- Azure spins up a cluster of Domain Controllers (multiple VMs) that are PaaS (managed by Azure).
- Then deploy your jumpbox VM or edge server in the Azure cloud, which can connect to the DCs and manage these servers and the domain services environment, e.g. GPOs.
- Now you can join other IaaS VMs you’ve deployed that rely on GPOs or other domain services to this cloud-hosted domain (the Azure AD DS domain). The purpose of this resource is to allow you to manage and deploy on-prem VM workloads, which rely on GPO, in an IaaS environment like Azure.
Why use Azure AD Domain Services?
Migrate servers into Azure that rely on a Domain Controller
Extra: For IaaS deployments that rely heavily on Group Policies and need these GPOs to come from the cloud. You don’t want to manage any of the Operating System environment, so the DCs are PaaS
Azure AD Connect
This is a Microsoft application that is installed on an On-Prem server in your on-prem datacenter. When running, the app syncs On-Prem AD and Azure AD data
Describe the three steps of how you set up and use Azure AD Connect
- Install the Microsoft Azure AD Connect app on a VM.
- After install, you get a wizard that prompts for on-prem Domain creds to log in to the on-prem domain controller.
- Then it prompts you to log in to Azure AD with admin credentials that can create and update users in AD. Now, every few minutes, it will sync changes in either AD
Will Azure manage passwords from external identities connected to Azure AD?
No. You can connect with external identity stores, e.g. GSuite, Facebook, GitHub, and allow accounts to be created in Azure AD, but Azure won’t manage the account password. They will show as a Guest type in the Users section of Azure AD
What is RBAC?
Role-Based Access Control (RBAC)
What level can you set RBAC on?
Assign roles at the User level; within these, give them explicit permissions on what they can and can’t do on a specific type of resource.
Can also assign roles to a Subscription, Resource Group, or Management Group
What two questions does RBAC answer?
- What can I do?
- What resources can I do that with?