AZ-102 AAD
enable a one-time bypass
The one-time bypass feature allows a user to authenticate a single time without performing two-step verification. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.
conditional access policy
Users or groups; applications they're attempting to access; controls to be fulfilled, such as Multi-Factor Authentication
What is Azure Active Directory?
Microsoft's cloud-based identity and access management service
RBAC is an allow model.
When you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. Role assignments are additive: if one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you will have write permissions on that resource group.
How does Azure Multi-Factor Authentication Server handle user data?
With Multi-Factor Authentication Server, user data is stored only on the on-premises servers. No persistent user data is stored in the cloud. When the user performs two-step verification, Multi-Factor Authentication Server sends data to the Azure Multi-Factor Authentication cloud service for authentication. Communication between Multi-Factor Authentication Server and the Multi-Factor Authentication cloud service uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over port 443 outbound.
AAD Conditional Access
With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.
How does RBAC work
You control access to resources using RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as "who", "what", and "where".
A role definition in Azure is a collection of permissions?
True
What is an MFA Provider?
There are two types of MFA providers, and the distinction is around how your Azure subscription is charged. The per-authentication option counts the number of authentications performed against your tenant in a month. This option is best if you have a number of users authenticating only occasionally. The per-user option counts the number of individuals in your tenant who perform two-step verification in a month. This option is best if you have some users with licenses but need to extend MFA to more users beyond your licensing limits.
Role-based access control (RBAC)
is an authorization system in Azure that helps you manage who has access to Azure resources, what they can do with those resources, and where they have access.
Sign-in risk:
is an indicator of the likelihood (high, medium, or low) that a sign-in wasn't made by the legitimate owner of a user account. Azure AD calculates the sign-in risk level during a user's sign-in. You can use the calculated sign-in risk level as a condition in a conditional access policy.
NotActions permissions
is not a deny rule - it is simply a convenient way to create a set of allowed permissions when specific permissions need to be excluded.
Scope (where)
is where the access applies to. This is helpful if you want to make someone a Website Contributor, but only for one resource group.
role assignment
the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment. To revoke access, you remove a role assignment.
Role definition (what you can do)
A role definition is a collection of permissions. It's sometimes just called a role. A role definition lists the permissions that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Contributor.
Security principal
A security principal is just a fancy name for a user, group, or application that you want to grant access to.
How is Azure Active Directory helping employees
Azure AD helps your employees sign in and access resources in
Suppose you want to assign a role to allow a user to create and manage Azure resources but not be able to grant access to others. Which of the following built-in roles would support this?
Contributor
Azure Active Directory Identity Protection
Get a consolidated view of flagged users and risk events detected using machine learning algorithms; set risk-based Conditional Access policies to automatically protect your users; improve security posture by acting on vulnerabilities
IAM
Identity and Access Management. On this blade, you can see who has access to that area and their role. Using this same blade, you can grant or remove access.
What is the inheritance order for scope in Azure?
Management group, Subscription, Resource group, Resource
Is my organization charged for sending the phone calls and text messages that are used for authentication?
No, you are not charged for individual phone calls placed or text messages sent to users through Azure Multi-Factor Authentication. If you use a per-authentication MFA provider, you are billed for each authentication but not for the method used. Your users might be charged for the phone calls or text messages they receive, according to their personal phone service.
How to get Multi-Factor Authentication?
One of the following: Azure Active Directory Premium licenses P1/P2; Azure MFA Service (Cloud); Azure MFA Server; Multi-Factor Authentication for Office 365; Azure Active Directory Global Administrators
built-in roles
Owner - Has full access to all resources, including the right to delegate access to others; Contributor - Can create and manage all types of Azure resources, but can't grant access to others; Reader - Can view existing Azure resources; User Access Administrator - Lets you manage user access to Azure resources.
Multi-factor authentication (MFA)
Security based on a layered approach that requires two or more authentication methods (a password plus additional methods). Additional authentication methods: something you know (typically a password); something you have (a trusted device that is not easily duplicated, like a phone); something you are (biometrics).
SSPR
Self-Service Password Reset