Part 2 - Identity and access management solutions Flashcards
Describe the four pillars of Identity
Identity is a concept that spans an entire environment, so organizations need to think about it broadly. There are four fundamental pillars of identity that organizations should consider when creating an identity infrastructure: a collection of processes, technologies, and policies for managing digital identities and controlling how they’re used to access resources.
- Administration. Administration is about the creation and management of identities for users, devices, and services. As an administrator, you manage how and under what circumstances the characteristics of identities can change (be created, updated, deleted).
- Authentication. The authentication pillar tells the story of how much assurance for a particular identity is enough. In other words, how much does an IT system need to know about an identity to have sufficient proof that they really are who they say they are? It involves the act of challenging a party for legitimate credentials. Authentication is sometimes shortened to AuthN.
- Authorization. The authorization pillar is about processing the incoming identity data to determine the level of access an authenticated person or service has within the application or service that it wants to access. Authorization is sometimes shortened to AuthZ.
- Auditing. The auditing pillar is about tracking who does what, when, where, and how. Auditing includes having in-depth reporting, alerts, and governance of identities.
Addressing each of these four pillars is key to a comprehensive and robust identity and access control solution.
Azure AD is available in four editions: Free, Office 365 Apps, Premium P1, and Premium P2. Describe each edition.
Azure Active Directory Free. The free version allows you to administer users and create groups, synchronize with on-premises Active Directory, create basic reports, configure self-service password change for cloud users, and enable single sign-on across Azure, Microsoft 365, and many popular SaaS apps. The free version also has an upper limit of 500,000 objects that can be held in Azure AD. The free edition is included with subscriptions to Office 365, Azure, Dynamics 365, Intune, and Power Platform.
Office 365 Apps. The Office 365 Apps edition allows you to do everything included in the free version, plus self-service password reset for cloud users, and device write-back, which offers two-way synchronization between on-premises directories and Azure AD. The Office 365 Apps edition of Azure Active Directory is included in subscriptions to Office 365 E1, E3, E5, F1, and F3.
Azure Active Directory Premium P1. The Premium P1 edition includes all the features in the free and Office 365 apps editions. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Azure Active Directory Premium P2. P2 offers all the Premium P1 features, and Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. P2 also gives you Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.
Azure AD manages different types of identities: users, service principals, managed identities, and devices. Describe each.
A user identity is a representation of something that’s managed by Azure AD. Employees and guests are represented as users in Azure AD. If you have several users with the same access needs, you can create a group. You use groups to give access permissions to all members of the group, instead of having to assign access rights individually.
A service principal is a security identity used by applications or services to access specific Azure resources. You can think of it as an identity for an application.
A managed identity is automatically managed in Azure AD. Managed identities are typically used to manage the credentials for authenticating a cloud application with an Azure service.
A device is a piece of hardware, such as a mobile device, laptop, server, or printer. Device identities can be set up in different ways in Azure AD, to determine properties such as who owns the device. Managing devices in Azure AD allows an organization to protect its assets by using tools such as Microsoft Intune to ensure standards for security and compliance. Azure AD also enables single sign-on to devices, apps, and services from anywhere through these devices.
What is OATH?
OATH (Open Authentication) is an open standard that specifies how time-based one-time password (TOTP) codes are generated. One-time password codes can be used to authenticate a user. OATH TOTP is implemented using either software or hardware to generate the codes.
Software OATH tokens are typically applications such as the Microsoft Authenticator app and other authenticator apps.
OATH TOTP hardware tokens typically come with a secret key, preprogrammed in the token, which must be input into Azure AD. Users are associated with a specific hardware token. The hardware token does a refresh of the code every 30 or 60 seconds.
Describe Windows Hello for Business
Windows Hello, an authentication feature built into Windows 10, replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that’s tied to a device and uses a biometric or PIN.
There are two configurations for Windows Hello: Windows Hello and Windows Hello for Business.
- Windows Hello is configured by a user on their personal device and is referred to as “Windows Hello convenience PIN”. It uses a PIN or biometric gesture and is unique to that device. Windows Hello convenience PIN is not backed by asymmetric (public/private key) or certificate-based authentication.
- Windows Hello for Business is configured by Group Policy or mobile device management (MDM) policy such as Microsoft Intune, and always uses key-based or certificate-based authentication. It’s much more secure than Windows Hello convenience PIN. By default, Windows Hello convenience PIN is disabled on all domain-joined computers.
Describe self-service password reset (SSPR) in Azure AD
Self-service password reset (SSPR) is a feature of Azure AD that allows users to change or reset their password, without administrator or help desk involvement.
Describe password protection and management capabilities of Azure AD
Password Protection is a feature of Azure AD that reduces the risk of users setting weak passwords. Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.
With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these lists are checked to enforce the use of strong passwords.
You should use extra features like Azure Active Directory multifactor authentication, not just rely on strong passwords enforced by Azure AD Password Protection.
Describe the Global banned password list
A global banned password list with known weak passwords is automatically updated and enforced by Microsoft. This list is maintained by the Azure AD Identity Protection team, who analyze security telemetry data to find weak or compromised passwords. Examples of passwords that might be blocked are P@$$w0rd or Passw0rd1 and all variations.
Variations are created using an algorithm that transposes text case and letters to numbers such as “1” to an “l”. Variations on Password1 might include Passw0rd1, Pass0rd1, and others. These passwords are then checked and added to the global banned password list and made available to all Azure AD users. The global banned password list is automatically applied and can’t be disabled.
If an Azure AD user tries to set their password to one of these weak passwords, they receive a notification to choose a more secure one. The global banned list is sourced from real-world, actual password spray attacks. This approach improves the overall security and effectiveness, and the password validation algorithm also uses smart fuzzy-matching techniques. Azure AD Password Protection efficiently detects and blocks millions of the most common weak passwords from being used in your enterprise.
Describe Custom banned password lists
Admins can also create custom banned password lists to support specific business security needs. The custom banned password list prohibits passwords such as the organization name or location. Passwords added to the custom banned password list should be focused on organization-specific terms such as:
- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning
The custom banned password list is combined with the global banned password list to block variations of all the passwords.
Banned password lists are a feature of Azure AD Premium 1 or 2.
Describe conditional access and its benefits
Conditional Access is a feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets. Conditional Access is implemented through policies that are created and managed in Azure AD. A Conditional Access policy analyses signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data).
Describe conditional access signals
Conditional Access can use the following signals to control the who, what, and where of the policy:
- User or group membership. Policies can be targeted to specific users and groups (including admin roles), giving administrators fine-grained control over access.
- Named location information. Named location information can be created using IP address ranges, and used when making policy decisions. Also, administrators can opt to block or allow traffic from an entire country’s IP range.
- Device. Devices of specific platforms, or marked with a specific state (for example, compliant or hybrid Azure AD joined), can be used as a condition when enforcing the policy.
- Application. Users attempting to access specific applications can trigger different Conditional Access policies.
- Real-time sign-in risk detection. Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multifactor authentication to reduce their risk level or be blocked from access until an administrator takes manual action.
- Cloud apps or actions. Cloud apps or actions can include or exclude cloud applications or user actions that will be subject to the policy.
- User risk. For customers with access to Identity Protection, user risk can be evaluated as part of a Conditional Access policy. User risk represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability.
Describe Azure AD role-based access control
Managing access using roles is known as role-based access control (RBAC). Azure AD built-in and custom roles are a form of RBAC: they control permissions to manage Azure AD resources, for example, allowing user accounts to be created or billing information to be viewed. Azure AD supports both built-in and custom roles.
A few of the most common built-in roles are:
- Global administrator: users with this role have access to all administrative features in Azure Active Directory. The person who signs up for the Azure Active Directory tenant automatically becomes a global administrator.
- User administrator: users with this role can create and manage all aspects of users and groups. This role also includes the ability to manage support tickets and monitor service health.
- Billing administrator: users with this role make purchases, manage subscriptions and support tickets, and monitor service health.
There are many built-in roles for different areas of responsibility. All built-in roles are preconfigured bundles of permissions designed for specific tasks.
Describe identity governance in Azure AD
Azure AD identity governance gives organizations the ability to do the following tasks:
- Govern the identity lifecycle.
- Govern the access lifecycle.
- Secure privileged access for administration.
These actions can be completed for employees, business partners and vendors, and across services and applications, both on-premises and in the cloud.
Describe the identity life cycle.
Managing users’ identity lifecycle is at the heart of identity governance.
When planning identity lifecycle management for employees, for example, many organizations model the “join, move, and leave” process. When an individual first joins an organization, a new digital identity is created if one isn’t already available. When an individual moves between organizational boundaries, access authorizations may need to be added to or removed from their digital identity. When an individual leaves, access may need to be removed, and the identity might no longer be required, other than for audit purposes.
Describe what entitlement management and access reviews are
Entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale. Entitlement management automates access request workflows, access assignments, reviews, and expiration.
Azure Active Directory (AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment. Regular access reviews ensure that only the right people have access to resources. Excessive access rights are a known security risk. However, when people move between teams, or take on or relinquish responsibilities, access rights can be difficult to control.
Entitlement management is a feature of Azure AD Premium P2.