SC 900 Chapter Two
Fast Identity Online (FIDO)
An open standard for passwordless authentication. This allows users and organizations to leverage the standard to sign into their resources using an external security key or a platform key built into a device, eliminating the need for a username and password.
User risk.
For customers with access to Identity Protection, user risk can be evaluated as part of a Conditional Access policy. User risk represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability.
Service-specific roles
For major Microsoft 365 services, Azure AD includes built-in, service-specific roles that grant permissions to manage features within the service. For example, Azure AD includes built-in roles for Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator that can manage features within their respective services.
What are the four editions that Azure is available in?
Free, Office 365 apps, Premium P1 and Premium P2
Password-less Authentication
The end-goal for many organizations is to remove the use of passwords as part of sign-in events. When a user signs in with this method, credentials are provided by using methods like biometrics with Windows Hello for Business, or a FIDO2 security key. These authentication methods can't be easily duplicated by an attacker.
Malware linked IP address.
This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
Leaked credentials
This risk detection type indicates that the user's valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they're checked against Azure AD users' current valid credentials to find valid matches.
Azure AD threat intelligence.
This risk detection type indicates user activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.
What are the two steps of Granting permission using custom Azure AD roles?
The first step involves creating a custom role definition, consisting of a collection of permissions that you add from a preset list. Once you've created your custom role definition, the second step is to assign that role to users or groups by creating a role assignment.
FIDO2
The latest standard that incorporates the web authentication (WebAuthn) standard and is supported by Azure AD. Security keys are an un-phishable standards-based passwordless authentication method that can come in any form factor. These FIDO2 security keys are typically USB devices but could also be Bluetooth or Near Field Communication (NFC) based devices, which are used for short-range wireless data transfer. With a hardware device that handles the authentication, the security of an account is increased as there's no password that could be exposed or guessed.
Azure AD Password hash synchronization
The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can sign into Azure AD services by using the same username and password that they use to sign in to their on-premises Active Directory instance. Azure AD handles users' sign-in process.
Cross-service roles
There are some roles within Azure AD that span services. For example, Azure AD has security-related roles, like Security Administrator, that grant access across multiple security services within Microsoft 365. Similarly, with the Compliance Administrator role you can manage compliance-related settings in the Microsoft 365 Compliance Center, Exchange, and so on.
Azure AD-specific roles
These roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, Groups Administrator all grant permissions to manage resources that live in Azure AD.
Unfamiliar sign-in properties.
This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous locations used by a user, and considers these "familiar" locations. The risk detection is triggered when the sign-in occurs from a location that's not already in the list of familiar locations.
Atypical travel
This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Anonymous IP address.
This risk detection type indicates a sign-in from an anonymous IP address; for example, a Tor browser or anonymized VPNs.
Azure AD threat intelligence.
This risk detection type indicates sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.
Azure AD Premium offers integration with cloud-based HR systems
When a new employee is added to an HR system, Azure AD can create a corresponding user account. Similarly, when their properties, such as department or employment status, change in the HR system, synchronization of those updates to Azure AD ensures consistency.
"join, move, and leave" process.
When an individual first joins an organization, a new digital identity is created if one isn't already available. When an individual moves between organizational boundaries, more access authorizations may need to be added or removed to their digital identity. When an individual leaves, access may need to be removed, and the identity might no longer be required, other than for audit purposes.
access controls portion of the Conditional Access policy
When the Conditional Access policy has been applied, an informed decision is reached on whether to grant access, block access, or require extra verification.
Custom Banned Password Lists
Admins can use this feature to support specific business security needs; it prohibits passwords such as the org name or location.
Azure AD terms of use
allow information to be presented to users, before they access data or an application. Ensure users read relevant disclaimers for legal or compliance requirements. Are presented in a PDF format, using content that you create, such as an existing contract document. Can also be presented to users on mobile devices.
Azure AD pass-through authentication.
allows users to sign into both on-premises and cloud-based applications using the same passwords, like password hash sync. A key difference, however, is that when users sign in using Azure AD, pass-through authentication validates users' passwords directly against your on-premises Active Directory. Password validation doesn't happen in the cloud.
password writeback
allows users to use their updated credentials with on-prem devices and applications without delay.
B2B Collaboration
allows you to share your apps and resources with guest users from other organizations while maintaining control over your own data. Uses an invitation and redemption process. Can also enable self-service sign-up user flows to let external users sign up for apps or resources themselves. Once the external users have redeemed their invitation or completed sign-up, they're represented in the same directory as employees but with a user type of guest.
Entitlement management
an identity governance feature that enables organizations to manage the identity and access lifecycle at scale. It automates access request workflows, access assignments, reviews, and expiration.
Internal resources examples
apps on your corporate network and intranet and cloud apps developed by your own organization.
OATH TOTP hardware tokens
are small hardware devices that look like a key fob and display a code that refreshes every 30 or 60 seconds. They typically come with a secret key, or seed, pre-programmed in the token. These keys and other information specific to each token must be input into Azure AD and then activated for use by end users.
Something you are
biometrics like a fingerprint or face scan.
custom roles
give flexibility when granting access. A custom role definition is a collection of permissions that you choose from a preset list. The list of permissions to choose from are the same permissions used by the built-in roles. The difference is that you get to choose which permissions you want to include in a custom role.
Global Banned Password List
known weak passwords are automatically updated and enforced by Microsoft. This list is maintained by the Azure AD Identity Protection team. It is sourced from real-world, actual password spray attacks.
OATH (Open Authentication)
open standard that specifies how time-based, one-time password (TOTP) codes are generated. One-time password codes can be used to authenticate a user. OATH TOTP is implemented using either software or hardware to generate the codes.
Hybrid Azure AD joined devices
organizations with existing on-premises Active Directory implementations can benefit from the functionality provided by this type of device connection. These devices are joined to your on-premises Active Directory and Azure AD, requiring an organizational account to sign into the device.
Azure AD Privileged Identity Management (PIM)
provides extra controls tailored to securing access rights. This helps you minimize the number of people who have access to resources across Azure AD, Azure, and other Microsoft online services. This provides a comprehensive set of governance controls to help secure your company's resources. This is a feature of Azure AD Premium P2.
Federated authentication.
recommended as an authentication method for organizations that have advanced features not currently supported in Azure AD, including sign-on using smart cards or certificates, sign-on using an on-premises multi-factor authentication (MFA) server, and sign-on using a third-party authentication solution. Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user's password. This sign-in method ensures that all user authentication occurs on-premises.
What are the two different Azure AD External Identities?
B2B and B2C
assignments portion
controls the who, what, and where of the Conditional Access policy.
Something you know
typically, a password or PIN
Azure AD joined
A device joined to Azure through an organizational account, which is then used to sign into a device. Generally owned by the organization.
Device
A piece of hardware, such as mobile devices, laptops, servers or printers. This type of identity gives admins info they can use when making access or configuration decisions.
Voice call verification.
Used as a secondary form of authentication to verify a user's identity during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication. With this type of verification, an automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to press # on their keypad. Voice calls are not supported as a primary form of authentication in Azure AD.
What must users be to use self-service password reset?
Assigned an Azure AD license. Enabled for SSPR by an admin. Registered with the authentication methods they want to use. Two or more authentication methods are recommended in case one is unavailable.
What subscription of Azure are banned password lists a part of?
Azure AD Premium P1 and Azure AD Premium P2
Custom roles require what licenses?
Azure AD Premium P1 or P2 license.
What are the three different ways that you can set up Azure Device Identities?
Azure AD registered devices, Azure AD joined devices, and Hybrid Azure AD joined devices.
Azure AD RBAC
Azure AD roles control access to Azure AD resources such as users, groups, and applications.
Azure RBAC
Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management.
What can Azure AD be synchronized with?
Can be synced with your existing on-premises Active Directory, other directory services, or used as a standalone service.
Microsoft Authenticator app
Can be used as a primary form of authentication to sign into any Azure AD account or as an additional verification option during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication events. To use it, a user must download the phone app from the Microsoft store and register their account. Microsoft Authenticator is available for Android and iOS.
What do IT admins use Azure AD for?
Can control access to corporate apps and resources based on business requirements. Can also be set up to require multi-factor authentication when accessing important organizational resources. Can be used to provision between an existing Windows server and cloud apps. Can provide powerful tools to automatically help protect user identities and credentials to meet an org's access governance requirements.
Cloud apps or actions
Cloud apps or actions can include or exclude cloud applications or user actions that will be subject to the policy.
Azure Active Directory
Cloud based identity and access management service. Helps employees of an organization sign in and access resources.
What are two ways you can use Azure AD Password Protection?
Default global banned password lists and custom banned password lists
What are the common default security features and controls?
Enforcing Azure Active Directory Multi-Factor Authentication registration for all users. Forcing administrators to use multi-factor authentication. Requiring all users to complete multi-factor authentication when needed.
Azure AD identity governance gives organizations the ability to do what?
Govern the identity lifecycle. Govern access lifecycle. Secure privileged access for administration.
Azure Active Directory Premium P1 Version
Includes all the abilities provided in the previous version and supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-prem identity and access management suite) and cloud writeback capabilities, which allow self-service password reset for your on-prem users.
Azure Active Directory Premium P2 Version
Includes all the abilities provided in the previous version and offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. Also gives you Privileged Identity Management to help discover, restrict and monitor administrators and their access to resources and to provide just in time access when needed.
Azure AD Office 365 Apps Version
Includes all the abilities provided in the previous version plus self-service password reset for cloud users and device writeback, which offers two-way synchronization between on-prem directories and Azure AD. This edition of Azure AD is included in subscriptions to Office 365 E1, E3, E5, F1, and F3.
PIM is:
Just in time, providing privileged access only when needed, and not before. Time-bound, by assigning start and end dates that indicate when a user can access resources. Approval-based, requiring specific approval to activate privileges. Visible, sending notifications when privileged roles are activated. Auditable, allowing a full access history to be downloaded.
role-based access control (RBAC)
Managing access using roles
External resources examples
Microsoft Office 365, the Azure Portal and any SaaS applications used by your organization.
Microsoft Azure Active Directory (Azure AD)
Microsoft's cloud-based identity and access management service.
Hybrid identity
Microsoft's identity solutions span on-premises and cloud-based capabilities. This creates a common user identity for authentication and authorization to all resources, regardless of location.
What are the methods available for SSPR?
Mobile app notification, mobile app code, email, mobile phone, office phone, and security questions
Named location information
Named location information can be created using IP address ranges and used when making policy decisions. Also, administrators can opt to block or allow traffic from an entire country/region's IP range.
Azure can securely enable the use of what?
Personal devices, such as mobiles and tablets and enable collaboration with business partners and customers.
User or group membership
Policies can be targeted to all users, specific groups of users, directory roles, or external guest users, giving administrators fine-grained control over access.
What does Azure AD enable an organization's employees, guests and others to do?
Sign in and access the resources they need, including internal and external resources.
What are the two types of managed identities?
System-Assigned and User-Assigned
Azure Active Directory Free Version
This version allows you to administer users and create groups, synchronize with on-prem Active Directory, create basic reports, configure self-service password changes for cloud users, and enable sign-on across Azure, M365, and many popular SaaS apps. This is included with subscriptions to Office 365, Azure, Dynamics 365, Intune, and Power Platform.
SMS-based authentication
Text messaging on mobile devices can be used as a primary form of authentication. With this sign-in, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.
Application.
Users attempting to access specific applications can trigger different Conditional Access policies.
What are the different types of identities that Azure AD Manages?
Users, Service Principals, managed identities and devices.
Microsoft Intune
a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM) to control how an organization's devices are used.
B2C access management
a customer identity access management solution. Allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on to your applications.
Self-Service Password Reset (SSPR)
a feature of Azure AD that allows users to change or reset their password without admin or help desk involvement.
Conditional Access
a feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets. It is implemented through policies that are created and managed in Azure AD. This type of policy analyses signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data).
Password Protection
a feature of Azure AD that reduces the risk of users setting weak passwords.
Azure AD business-to-business (B2B) collaboration
a feature within External Identities that includes the capacity to add guest users. An organization can securely share applications and services with guest users from another organization with this.
Monitoring privileged access
a key part of identity governance. When employees, vendors, and contractors are assigned administrative rights, there should be a governance process because of the potential for misuse.
Microsoft Entra
a product family that encompasses all of Microsoft's identity and access capabilities.
User
a representation of something that's managed by Azure AD. This is how employees and guests are represented. If several users have the same access needs, you can make a group for them.
Privileged Identity Management (PIM)
a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These include resources in Azure AD, Azure, and other Microsoft online services such as Microsoft 365 or Microsoft Intune. It mitigates the risks of excessive, unnecessary, or misused access permissions. It requires justification to understand why users want permissions and enforces multifactor authentication to activate any role.
Security Defaults
a set of basic identity security mechanisms recommended by Microsoft; when enabled, these recommendations are automatically enforced in your organization. The goal is to ensure that all orgs have a basic level of security enabled at no extra cost.
Azure AD External Identities
a set of capabilities that enable organizations to allow access to external users, such as customers or partners. Your customers, partners and other guests can "bring their own identities" to sign in.
Identity Protection
a tool that allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to third-party utilities for further analysis.
Managed Identity
a type of service principal that is automatically managed in Azure AD and eliminates the need for developers to manage credentials.
User-assigned
you can create a managed identity as a standalone Azure resource. Once you create a user-assigned managed identity you can assign it to one or more instances of an Azure service. With this type, the identity is managed separately from the resources that use it.
scope
defines the set of Azure AD resources the role member has access to. A custom role can be assigned at organization-wide scope, meaning the role member has the role permissions over all resources. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. The same role can be assigned to one user over all applications in the organization and then to another user with a scope of only the Contoso Expense Reports app.
Dynamic groups
enable admins to create attribute-based rules to determine membership of groups. When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any users to be added or removed from a group. If a user or device satisfies a rule for a group, they're added as a member of that group. If they no longer satisfy the rule, they're removed.
Azure Active Directory (AD) access reviews
enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment. It ensures that only the right people have access to resources. Excessive access rights are a known security risk. However, when people move between teams, or take on or relinquish responsibilities, access rights can be difficult to control.
Service Principal
essentially, an identity for an application. For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD to enable its integration. Once registered, a service principal is created in each Azure AD tenant where the application is used. This enables core features such as authentication and authorization of the application to resources that are secured by the Azure AD tenant.
Windows Hello for Business
replaces passwords with strong two-factor authentication on devices. This two-factor authentication is a combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). PIN entry and biometric gesture both trigger the use of the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
sign-in risk
represents the probability that a given authentication request isn't authorized by the identity owner. Sign-in risk can be calculated in real-time or calculated offline using Microsoft's internal and external threat intelligence sources.
user risk
represents the probability that a given identity or account is compromised. These risks are calculated offline using Microsoft's internal and external threat intelligence sources.
Identity Protection provides organizations with three reports that they can use to investigate identity risks in their environment.
risky users, risky sign-ins, and risk detections
Azure AD built-in roles,
roles with a fixed set of permissions.
Real-time sign-in risk detection
signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior, that is, the probability that a given sign-in, or authentication request, isn't authorized by the identity owner. Policies can then force users to perform password changes or multi-factor authentication to reduce their risk level, or block them from access until an administrator takes manual action.
System Assigned
Some Azure services allow you to enable a managed identity directly on a service instance. When you enable this version of managed identity, an identity is created in Azure AD that's tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you.
What does the Active Directory domain service (AD DS) do?
stores passwords in the form of a hash value representation of the actual user password.
Something you have
such as a trusted device that's not easily duplicated, like a phone or hardware key
Conditional Access policies can be
targeted to members of specific groups or guests. For example, you can create a policy to exclude all guest accounts from accessing sensitive resources. Conditional Access is a feature of paid Azure AD editions.
Azure AD registered Devices
the goal of this device identity type is to provide users with support for bring your own device (BYOD) or mobile device scenarios.
Passwords
the most common form of authentication, but they have many problems, especially if used in single-factor authentication, where only one form of authentication is used. If they're easy enough to remember, they're easy for a hacker to compromise.
Access lifecycle
the process of managing access throughout the user's organizational life. Users require different levels of access from the point at which they join an organization to when they leave it. At various stages in between, they'll need access rights to different resources depending on their role and responsibilities.
Password spray
this risk detection is triggered when a password spray attack has been performed.
Identity Protection categorizes risk into
three tiers: low, medium, and high. It can also calculate the sign-in risk, and user identity risk.
Software OATH tokens
typically, applications. Azure AD generates the secret key, or seed, that's input into the app and used to generate each OTP.
Conditional Access policies
used to require a terms of use statement being displayed and ensuring the user has agreed to those terms before accessing an application. Admins can then view who has agreed to terms of use, and who has declined.
Device
users with devices of specific platforms, or devices marked with a specific state, can be used as a condition in the policy.
User administrator:
users with this role can create and manage all aspects of users and groups. This role also includes the ability to manage support tickets and monitor service health.
Global administrator
users with this role have access to all administrative features in Azure Active Directory. The person who signs up for the Azure Active Directory tenant automatically becomes a global administrator.
Billing administrator
users with this role make purchases, manage subscriptions and support tickets, and monitor service health.
Account Unlock
when a user can't sign in because their account is locked out.
Password reset
when a user can't sign in, such as when they forget the password and want to reset it.
Password Change
when a user knows their password but wants to change it to something new
Microsoft Identity Manager
can import records from on-premises HR systems such as SAP HCM, Oracle eBusiness, and Oracle PeopleSoft.
"Pay as you go" Version Azure AD
you can license other features separately, such as Azure Active Directory Business-to-Customer (B2C).