AZ-303: Modul 1 - Azure Active Directory (Azure AD)
Which types of MFA are avalable on Azure AD ?
* Call to phone * Text message to a phone * Microsoft Authenticator app options
What are the three types of users in Azure AD ?
* cloud identities (cloud only users) * syncronized users * guest users
What is a resource group
A resource group is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription like virtual machines, Application Gateways, and CosmosDB instances.
How can a user reset his password in Azure AD ?
At least one authentication method is required to reset a password, but it is a good idea to have additional methods available. You can choose from *email notification * a text or code sent to the user's mobile or office phone * a set of security questions.
What is Azure AD Join ?
Azure AD Join is designed provide access to organizational apps and resources and to simply Windows deployments of work-owned devices.
What is Azure AD B2B?
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data
What is Azure active directory?
Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud-based directory and identity management service. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.
What is Azure AD B2C?
Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. Azure Active Directory B2C (Azure AD B2C) is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day
What is Azure Active Directory Conditional Access
Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it. Conditional Access policies are enforced after the first-factor authentication has been completed. Conditional Access is not intended as an organization's first line of defense for scenarios like denial-of-service (DoS) attacks but can use signals from these events to determine access.
What is and how do you implement Conditional Access including MFA?
Conditional access is the functionality of having the possibility of reacting to signals and making decisions to give access by sometimes requiring MFA ex. when the user is on public network It is configured AAD > Security > Conditional access. It uses policies under which a MFA can be triggered
What is and how do you implement and manage guest accounts?
Guest accounts are accounts which are outside your AD tenant, and have been verified by Microsoft
What is and how do you configure configure Azure AD Identity Protection?
Identity protection, is the process of * Automate the detection and remediation of identity-based risks. * Investigate risks using data in the portal. * Export risk detection data to third-party utilities for further analysis. Where risks sign of an identity being misused, and remediation is fx. adding MFA to a login You enable it on the AAD page as a risk sign in policy
What is and how do you manage multiple directories?
In Azure Active Directory (Azure AD), each tenant is a fully independent resource. There are these levels of independence: * Resource independence * Administrative independence * Synchronization independence Unlike other Azure resources, your tenants are not child resources of an Azure subscription.
What kind of independence is provided between Azure AD tenants?
In Azure Active Directory (Azure AD), each tenant is a fully independent resource: a peer that is logically independent from the other tenants that you manage. There is no parent-child relationship between tenants There is specifically the following idenpendence: * resource idenpendence * administration idenpendence * syncrononization idependence
What is a Azure service principal?
It is a system user for your app, maintained in Azure AD You grant the service principal access to the Azure resources that you need. Use the service principal instead of embedding credentials or creating a dummy account for your app In the Azure portal, you create an Azure AD application to represent your app. You then associate this application object with a service principal
What is Azure Active Directory Identity Protection ?
It is a tool build into Azure AD which provides: * Automate the detection and remediation of identity-based risks. * Investigate risks using data in the portal. * Export risk detection data to third-party utilities for further analysis. As an example, it can add MFA to a user signing in from atypical location
What are dynamic user groups in Azure AD ?
It is groups of people defined by one or more attributes of the users If a member's attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added) or no longer meets the rules requirements (is removed)
What is Azure AD Connect?
It is the functionality synchronizing an on-prem AD directory with an Azure AD The advantage to this approach is users can use single-sign-on (SSO) to access local and cloud-based resources You need to be in the User Administrator role to perform this function
What is and how do you implement self-service password reset?
It is the possiblity to add the option of having users reset their own password, based on the knowledge of information or by them having access to devices It can be enabled for groups of users and for all users You enable it on the AAD page as password reset option
What are dynamic device groups in Azure AD ?
Like dynamic user groups, but with devices and using their attributes
What are the two options of having a device join Azure AD device management ?
Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device. Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
How many levels can management groups be nested ?
Root level plus 6 levels
Which groups are supported in Azure AD ?
Security groups. These are the most common and are used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. By doing it this way, you can give a set of permissions to all the members at once, instead of having to add permissions to each member individually. This option requires an Azure AD administrator. Office 365 groups. These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. This option is available to users as well as admins.
What is and how do you configure Trusted IPs?
Trusted Its are IP ranges which you trust, because they are under your control, like your own corporate network. They can be marked under locations that the location holds trusted IPs
What is and how do you configure fraud alerts?
The fraud alert feature lets users report fraudulent attempts to access their resources. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt using the Microsoft Authenticator app or through their phone. It is configured in Azure Active Directory > Security > MFA > Fraud alert
What is the requirement for the identity of a guest user ?
The invited user will need to create an associated Microsoft account (MSA) if that specific email address isn't associated with one and the account will be added to the Azure AD as a guest user
What is and how do you configure verification methods?
Verification methods are used with MFA, and are the options you support in your organisation for MFA, could be phonecall, text message or OATH (Authenticator challange)
What is and how do you configure bypass options?
With the one-time bypass feature, users can authenticate once and bypass the MFA. This setting is temporary, and after a specified number of seconds, it will expire automatically. This can be a solution in cases when a phone or mobile app doesn't receive a phone call or a notification.
Can you have your own custom domain name ?
Yes it can be configured in the portal, only a verified domain name can be used (through a DNS record verification)
What is and how do you configure user accounts for MFA?
You do a policy under which MFA is required, it can be based on the access to a specific application od access from a specific location It can involve a group of users or all users You can also do the policy and not enable it, but check how often it is triggered before it is enabled
How do you create an Azure tenant in a Azure subscription ?
You don't, they are not part of a subscription Unlike other Azure resources, your tenants are not child resources of an Azure subscription
What is a management group
You organize subscriptions into containers called management groups and apply your governance conditions to the management groups. * Organizational alignment for your Azure subscriptions through custom hierarchies and grouping. * Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies. * Compliance and cost reporting by organization (business/teams).
How do you verify a custom domain name with Azure AD ?
You prove that you control the domain by adding a specific TXT record to the DNS server of the domain
How often must a trusted device reauthenticate, when it uses cached credentials ?
between 1 and 60 days, default is 14
What is the default domain name of an Azure AD?
domainname.onmicrosoft.com