SC-900 - May 5, 2023 Study Guide - Part 2 of 4 - Describe the capabilities of Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra (25-30% of Exam)

Hybrid Identity

Describe Azure AD Identities: A ______ Identity is a user identity for authentication and authorization that operate in a mixed cloud (on-premises and cloud-based) environment. Microsoft offers several ways to authenticate for this type of identity: * Azure AD Password hash synchronization * Azure AD Pass-through authentication * Federated authentication These authentication options do require an on-premises AD and require Azure AD Connect.

Azure AD device identity

Describe Azure AD Identities: An _____ __ ______ identity is a piece of hardware, such as mobile devices, laptops, servers, or printers. It is represented as an object in Azure AD. These identities can be set up in the following ways: * Azure AD registered devices * Azure AD joined devices * Hybrid Azure AD joined devices

Access Reviews

Identity Protection and Governance Capabilities of Azure AD: Azure AD ______ Reviews enable organizations to efficiently: * review and manage group memberships * review and manage access to enterprise applications * review and manage role assignments Regular ______ reviews ensure that only the right people have access to resources. It is a feature of Azure AD Premium P2.

System-assigned

Describe Azure AD Identities (Managed Identities 1/2): When you enable a ______-________ managed identity, an identity is created in Azure AD that is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

User-assigned

Describe Azure AD Identities (Managed Identities 2/2): With a ____-________ managed identity, you can assign it to one or more instances of an Azure service. With this type of managed identity, it is managed separately from the resources that use it.

Azure AD

_____ __ is the tool for identity and access management in the Microsoft Cloud. It simplifies the way organizations manage authorization and access by providing a single identity system for their cloud and on-premises applications. It also allows organizations to securely enable the use of personal devices, such as mobiles and tablets, and enable collaboration with business partners and customers. It is available in four editions: * Azure AD Free * Office 365 Apps * Premium P1 * Premium P2

Dynamic groups

_______ ______ enable admins to create attribute-based rules to determine membership of groups. When any attributes of a user or device change, the system evaluates all _______ ______ rules in a directory to see if the change would trigger any users to be added or removed from a group. Organizations can automate the access lifecycle process using this technology.

entitlement

An ___________ is a named set of access rights to a set of resources that a user can be granted access to either implicitly or explicitly through a request / approval process.

Password Protection

Authentication Capabilities of Azure AD: Azure AD ________ __________ reduces the risk of users setting weak passwords. It detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization. The following are features of Azure AD ________ __________: * Global Banned Password lists * Custom Banned Password lists * Password spray protection * Hybrid Security

Self-Service Password Reset (SSPR)

Authentication Capabilities of Azure AD: ____-_______ ________ _____ (SSPR) is a feature of Azure AD that allows users to: * Change their password * Reset their password, or * Unlock their account without administrator or help desk involvement. The following authentication methods are available: * Mobile app notification * Mobile app code * Email * Mobile phone * Office phone * security questions

Multi-factor authentication (MFA)

Authentication Capabilities of Azure AD: _____-______ ______________ (___) works by requiring two or more of the following methods of authentication: * Something you know, like a PIN or password * Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key * Something you are - Biometrics like a fingerprint or face scan The following can be used with Azure AD MFA as an additional form of verification: * Microsoft Authenticator app * Windows Hello for Business * FIDO2 security key * OATH HW token (preview) or software token * SMS or voice call (Note: Pay attention if a test question asks for methods of authentication vs forms of verification!)

Passwords

Authentication Methods Available in Azure AD (1/4): _________ are the most common form of authentication, but they have many problems, especially if used in single-factor authentication, where only one form of authentication is used.

Phone-based authentication

Authentication Methods Available in Azure AD (2/4): Azure AD supports two options for _____-_____ authentication. * SMS-based authentication. Short message service (SMS) used in mobile device text messaging can be used as a primary form of authentication. * Voice call verification. Users can use voice calls as a secondary form of authentication, to verify their identity, during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication.

OATH Open Authentication

Authentication Methods Available in Azure AD (3/4): ____ (____ ______________) is an open standard that specifies how time-based, one-time password (TOTP) codes are generated. This can be implemented using either software or hardware to generate codes: * Software ____ tokens are typically applications, which Azure AD generates the secret key, or seed, that is input into the app and used to generate each one-time password (OTP). * ____ TOTP hardware tokens are small hardware devices that look like a key fob that displays a code that refreshes every 30 or 60 seconds.

custom role

Azure AD Access Management Capabilities: A ______ _____ definition is a collection of permissions that you get to choose from a preset list, allowing for more flexibility when granting access. The list of permissions to choose from are the same permissions used by the built-in roles. The difference is that you get to choose which permissions you want to include in this type of role.

Azure AD-specific

Categories of Azure AD roles (1/3): _____ __-________ roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, Groups Administrator all grant permissions to manage resources that live in Azure AD.

Conditional Access

Describe Access Management Capabilities of Azure AD: C___________ A_____ is a feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets. It analyzes signals to make decisions and enforce organizational policies. (NOTE: It does not let you apply time-sensitive access permissions, that is a feature of PIM)

Managed Identity

Describe Azure AD Identities (4/4): _______ ________ are a type of service principal that are automatically managed in Azure AD and eliminate the need for developers to manage credentials. They provide an identity for applications to use when connecting to Azure resources that support Azure AD authentication and can be used without an extra cost. There are two types: * System-assigned * User-assigned

Azure AD joined device

Describe Azure AD Identities (Device Identities 2/3): An _____ __ ______ d_____ is joined to Azure AD through an organizational account, which is then used to sign in to the device. These devices are generally owned by the organization.

Risk Detections

Describe Azure AD Identity Protection (Reports (3/3): With the information provided by the ____ __________ report, administrators can find: * Information about each risk detection including type. * Other risks triggered at the same time * Sign-in attempt location * Link out to more detail from Microsoft Defender for Cloud Apps

Risky Users

Describe Azure AD Identity Protection (Reports 1/3): With the information provided by the _____ _____ report, administrators can find: * Which users are at risk, have had risk remediated, or have had risk dismissed * Details about detections * History of all risky sign-ins * Risk history

Risky Sign-Ins

Describe Azure AD Identity Protection (Reports 2/3): With the information provided by the ____ ____-___ report, administrators can find: * Which sign-ins are classified as a risk, confirmed compromised, confirmed safe, dismissed, or remediated. * Real-time and aggregate risk levels associated with sign-in attempts * Detection types triggered * Conditional Access policies applied * MFA details * Device, Application, and Location information

anonymous IP address

Describe Azure AD Identity Protection (Sign-In Risks 1/6): This risk detection type indicates a sign-in from an anonymous source, such as a Tor browser or anonymized VPNs.

atypical travel

Describe Azure AD Identity Protection (Sign-In Risks 2/6): This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Malware linked IP address

Describe Azure AD Identity Protection (Sign-In Risks 3/6): M______ ______ __ _______ : This risk detection type indicates sign-ins from IP addresses infected with malicious software that is known to actively communicate with a bot server.

Password spray

Describe Azure AD Identity Protection (Sign-In Risks 5/6): This sign-in risk detection is triggered when this brute force dictionary attack has been performed.

Azure AD threat intelligence

Describe Azure AD Identity Protection (User Risks 2/2): This risk detection type indicates user activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external intelligence sources.

assignment

Describe Entitlement Management: An a_________ of an access package to a user has all the resource roles of that access package. Access package a_________s typically have a time limit before they expire.

access package

Describe Entitlement Management: An access _______ is a bundle of all the resources with the access a user needs to work on a project or perform their task. They are used to govern access for internal employees, and also users outside your organization.

access request

Describe Entitlement Management: An access _______ is a request to access the resources in an access package. It typically goes through an approval workflow.

Access Lifecycle Management

Describe Identity Governance in Azure AD (2/3): ______ _________ __________ is the process of managing access throughout the user's organizational life. Users require different levels of access from the point at which they join an organization to when they leave it. Organizations can automate ? through technologies such as dynamic groups.

Privileged Access Lifecycle

Describe Identity Governance in Azure AD (3/3): __________ ______ Lifecycle is the process of managing special access (such as administrative rights) to resources. When employees, vendors, and contractors are assigned administrative rights, there should be a governance process because of the potential for misuse. Azure AD Privileged Identity Management (PIM) is a tool that provides a comprehensive set of governance controls to help secure your company's resources.

two-gate

Describe self-service password reset: If an Azure administrator role is assigned to the user, then the strong ___-____ password policy is enforced. The ___-____ policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it prohibits security questions.

removal

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (9/9): Azure AD Privileged Identity Management can prevent the _______ of the last active Global Administrator and Privileged Role assignments.

Azure AD RBAC

Difference between Azure AD roles and Azure roles (1/2): _____ __ ____ control access to Azure AD resources such as users, groups, and applications using the Microsoft Graph API.

Azure RBAC

Difference between Azure AD roles and Azure roles (2/2): _____ ____ control access to Azure resources such as virtual machines or storage using Azure Resource Management.

Privileged Identity Management (PIM)

Identity Protection and Governance Capabilities of Azure AD: Azure AD __________ ________ __________ (PIM) is a service in Azure AD that enables you to manage, control, and monitor access to resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. It mitigates the risks of excessive, unnecessary, or misused access permissions. It provides time-based privileged access (such as Administrator or root) to resources in Azure AD, Azure, Microsoft Intune, Microsoft 365, and other Microsoft cloud services.

Entitlement Management

Identity Protection and Governance Capabilities of Azure AD: Azure AD ___________ __________ is an identity governance feature that enables organizations to manage the identity and access lifecycle at scale. It automates access request workflows, access assignments, reviews, and expiration for bundles of resources relevant to a project. It can help you more efficiently manage access to resources for internal or external users. It is a feature of Azure AD Premium P2 only.

Identity Governance

Microsoft Entra I_______ G_________ is about balancing identity security with user productivity in a way that can be justified and audited. It gives organizations the ability to do the following tasks: * Govern the identity lifecycle. * Govern access lifecycle. * Secure privileged access for administration.

role

PIM vs PAM (1/2): Azure AD Privileged Identity Management (PIM) applies protection at the ____ level with the ability to execute multiple tasks. It primarily allows managing accesses for AD ____s and ____ groups. Adding Azure AD PIM to Microsoft Purview PAM can extend privileged access to data outside of Microsoft 365 that is primarily defined by user roles or identity.

task

PIM vs PAM (2/2): Microsoft Purview Privileged access management (PAM) is defined and scoped at the ____ level. It applies only at the ____ level. Adding PAM to Azure AD PIM provides another granular layer of protection and audit capabilities for privileged access to Microsoft 365 data.

Windows Hello for Business

Passwordless Authentication Methods (1/3): _______ _____ ___ ________ passwordless authentication replaces passwords with strong two-factor authentication on devices. This two-factor authentication is a combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that a person is (biometrics). It can serve as a primary or secondary form of authentication.

Microsoft Authenticator app

Passwordless Authentication Methods (3/3): The _________ _____________ ___ can be used as a primary form of authentication to sign in to any Azure AD account or as an additional verification option during SSPW or Azure AD MFA. It turns any iOS or Android phone into a strong, passwordless credential.

built-in roles

Azure AD Access Management Capabilities: _____-__ _____ are roles with a fixed set of permissions. Common examples are: Global Administrator, User Administrator, Billing Administrator, etc. All of these roles are preconfigured bundles of permissions designed for specific tasks, which the fixed set of permissions can not be modified.

Passwordless authentication

Authentication Methods Available in Azure AD (4/4): When a user signs in with ____________ authentication, credentials are provided by using methods like: * biometrics with Windows Hello for Business * a FIDO2 security key * a phone with the Microsoft Authenticator app installed These authentication methods can not be easily duplicated by an attacker. Azure AD provides ways to natively authenticate using ____________ authentication methods to simplify the sign-in experience for users and reduce the risk of attacks.

roles

Azure AD Access Management Capabilities: Azure AD _____ control permissions to manage Azure AD resources. It allows you to grant granular permissions to your admins, abiding by the principle of least privilege.

Role-Based Access Control (RBAC)

Azure AD Access Management Capabilities: Managing access using roles is know as ____-_____ ______ _______ (____). All built-in roles are preconfigured bundles of permissions designed for specific tasks, which can save time with setting up users with only the amount of access needed to do the job. A few of the most common built-in roles are: * Global administrator * User administrator * Billing administrator

Password hash synchronization

Azure AD Hybrid Authentication Methods (1/3): ________ ____ _______________ is the simplest way to enable authentication for on-premises directory objects in Azure AD. Users can sign in to Azure AD services by using the same username and password that they use to sign in to their on-premises Active Directory instance. On-premise users can authenticate with Azure AD to access cloud-based applications, even if the on-premises Active Directory goes down/is not available. It supports authentication of on-premises identities without passing the credentials of AD DS for authentication.

pass-through authentication

Azure AD Hybrid Authentication Methods (2/3): Azure AD ____-_______ authentication allows users to sign in to both on-premises and cloud-based applications using the same password, but when signing in using Azure AD, it validates user's passwords directly against your on-premises Active Directory. This can be an important factor for organizations wanting to enforce their on-premises Active Directory security and password policies.

Federated Authentication

Azure AD Hybrid Authentication Methods (3/3): _________ authentication is recommended for organizations that have advanced features not currently supported in Azure AD, including sign-on using smart cards or certificates, sign-on using on-premises MFA servers, and sign-on using a third party authentication solution. With this authentication, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS) to validate the user's password.

Global

Azure AD Password Protection and Management (1/4): A ______ banned password list with known weak passwords is automatically updated and enforced by Microsoft. This list is maintained by the Azure AD Identity Protection team, who analyzes security telemetry data to find weak or compromised passwords.

Custom

Azure AD Password Protection and Management (2/4): A ______ banned password list prohibits passwords such as the organization name, location, brand names, product names, company-specific internal terms, or abbreviations that have specific company meaning.

Password spray

Azure AD Password Protection and Management (3/4): ________ _____ attacks submit only a few of the known weakest passwords against each of the accounts in an enterprise. This technique allows the attacker to quickly search for an easily compromised account and avoid potential detection thresholds. Azure AD Password Protection efficiently blocks all known weak passwords likely to be used in this type of attack.

Hybrid security

Azure AD Password Protection and Management (4/4): ______ security integrates Azure AD Password Protection with an on-premises Active Directory environment. A component installed in the on-premises environment receives the global banned and custom password lists from Azure AD, so that no matter where a user changes their password, they are protected.

Service-specific

Categories of Azure AD roles (2/3): For major Microsoft 365 services, Azure AD includes built-in, _______-________ roles that grant permissions to manage features within the service. For example, Azure AD includes built-in roles for Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator roles that can manage features with their respective services.

Cross-service

Categories of Azure AD roles (3/3): _____-_______ are roles within Azure AD that span services. For example, Azure AD has security-related roles, like Security Administrator, that grant access across multiple security services within Microsoft 365. Similarly the Compliance Administrator role can manage Compliance-related settings in Microsoft 365 Compliance Center, Exchange, and so on.

Hybrid Azure AD joined device

Describe Azure AD Identities (Device Identities 3/3): Organizations with existing on-premises Active Directory implementations can benefit from the functionality provided by Azure AD by implementing ______ _____ __ ______ d_____. These devices are joined to your on-premises Active Directory and registered with Azure AD, requiring an organizational account to sign in to the device.

Office 365 Apps

Describe Azure AD (editions 2/4): The ______ ___ ____ edition allows you to do everything in the free version, plus self-service password reset for cloud users, and device write-back, which offers two-way synchronization between on-premises directories and Azure AD. This edition of Azure AD is included with subscriptions to: * Office 365 E1, E3, E5, F1, and F3

Premium P1

Describe Azure AD (editions 3/4): Azure AD _______ __ includes all the features in the free and Office 365 apps editions. It also supports advanced administration, such as: * dynamic groups * self-service group management * Microsoft Identity Manager (an on-premises IAM suite), and * cloud write-back capabilities, which allow for SSPR for your on-premises users.

Premium P2

Describe Azure AD (editions 4/4): Azure AD _______ __ offers all the Premium P1 features, and Azure AD Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. It also gives you Privileged Identity Management (PIM) to help discover, restrict, and monitor administrators and their access to resources, and to provide JIT access when needed.

user

Describe Azure AD Identities (1/4): A ____ identity type is a representation of something that's managed by Azure AD, such as employees and guests.

group

Describe Azure AD Identities (2/4): A _____ is an identity type that allows you to give permissions to multiple users with the same access needs, instead of having to assign rights individually.

Service Principal

Describe Azure AD Identities (3/4): A _______ _________ is a security identity used by applications or services to access specific Azure resources. You can think of it as an identity for an application. For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD to enable its integration.

Azure AD registered device

Describe Azure AD Identities (Device Identities 1/3): An _____ __ __________ d_____ is used to provide users with support for (BYOD) or mobile device scenarios. With this type of device, a user can access an organization's resources using a personal device. These types of devices can register to Azure AD without requiring an organizational account to sign in to the device.

external identities

Describe Azure AD Identities: Azure AD ________ __________ is a set of capabilities that enable organizations to allow access to external users, such as customers or partners. This allows customers, partners, and other guest users to "bring their own identities" to sign in. The two different types of these are: * Business to Business (B2B) collaboration * Business to Customer (B2C) customer identity access management (CIAM) solution It is a feature of Premium P1 and P2 Azure AD editions.

identities

Describe Azure AD Identities: The _________ that Azure AD manages are: * Users * Service principals * Managed identities (system-assigned & user-assigned) * devices

Automate

Describe Azure AD Identity Protection (Key Tasks 1/3): Identity Protection allows organizations to accomplish: ________ detection and remediation of identity-based risks.

Export

Describe Azure AD Identity Protection (Key Tasks 2/3): Identity Protection allows organizations to accomplish: ______ risk detection data to third-party utilities for further analysis.

Investigate

Describe Azure AD Identity Protection (Key Tasks 3/3): Identity Protection allows organizations to accomplish: ___________ risks using data in the portal. Administrators can review detections and take manual action on them if needed. There are 3 reports to ___________ identity risks: * Risky users * Risky sign-ins * Risk detections

Unfamiliar sign-in properties

Describe Azure AD Identity Protection (Sign-In Risks 4/6): U_________ ____-__ __________ : This risk detection type considers past sign-in history to look for anomalous sign-in properties. The system stores information about previous locations used by a user, and considers these 'familiar' locations. The risk detection is triggered when the sign-in occurs from a location that's not already in the list of familiar locations.

Azure AD threat intelligence

Describe Azure AD Identity Protection (Sign-In Risks 6/6): This risk detection type indicates Azure AD sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.

leaked credentials

Describe Azure AD Identity Protection (User Risks (1/2): When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users' current valid credentials to find valid matches.

Entra

Describe Azure AD: Microsoft _____ is a product family that encompasses all of Microsoft's identity and access capabilities, including Microsoft Azure Active Directory (Azure AD)..

Users or groups

Describe Conditional Access (Signals 1/7): Policies can be targeted to all _____, specific ______ of _____, directory roles, or external guest _____, giving administrators fine-grained control over access.

Named location

Describe Conditional Access (Signals 2/7): _____ ________ information can be created using IP address ranges, and used when making policy decisions. Also, administrators can opt to block or allow traffic from an entire country/region's IP range.

devices

Describe Conditional Access (Signals 3/7): Users with _______ of specific platforms or marked with a specific state (not patched, no anti-virus, etc.) can be used.

applications

Describe Conditional Access (Signals 4/7): Users attempting to access specific ____________ can trigger different Conditional Access policies.

sign-in

Describe Conditional Access (Signals 5/7): Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky ____-__ behavior - the probability that a given authentication request isn't authorized by the identity owner. Policies can then force users to perform password changes or multi factor authentication to reduce their risk level or be blocked from access until an administrator takes manual action.

cloud apps or user actions

Describe Conditional Access (Signals 6/7): Conditional Access policies allow administrators to assign controls to all or specific cloud ____ or user _______. For example, as part of user _______, administrators can enforce a Conditional Access policy when users register or join devices to Azure AD.

User risk

Describe Conditional Access (Signals 7/7): For customers with access to Identity Protection, ____ ____ can be evaluated as part of a Conditional Access Policy. It represents the probability that a given identity or account is compromised. It can be configured for high, medium, or low probability.

signal

Describe Conditional Access: A Conditional Access ______ acts as a trigger for a Conditional Access policy. Some of the common triggers may include: * User or group membership targeted * Named location information using IP address ranges * Devices of specific platforms or with a specific state * Applications with special clearance needs * Real-time sign-in risk detection * Cloud apps or user actions * User risk

policies

Describe Conditional Access: Conditional Access is implemented through ________ that are created and managed in Azure AD. Conditional Access ________ analyze signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data). Conditional Access ________ are enforced after first-factor authentication is completed.

assignments

Describe Conditional Access: When creating a conditional access policy, admins can determine which signals to use through ___________. The ___________ portion of the policy controls the who, what, and where of the Conditional Access policy. If you have more than one ___________ configured, all ___________ must be satisfied to trigger a policy.

catalog

Describe Entitlement Management: A c_______ is a container of related resources and access packages. They are used for delegation, so that non-administrators can create their own access packages.

Identity Lifecycle Management

Describe Identity Governance in Azure AD (1/3): ________ _________ __________ aims to automate and manage the entire digital identity lifecycle process. "Join, Move, and Leave Model" * When an individual first joins an organization, a new digital identity is created if one isn't already available. * When an individual moves between organizational boundaries, more access authorizations may need to be added or removed to their digital identity. * When an individual leaves, access may need to be removed.

Assigned Enabled Registered

Describe self-service password reset: To use self-service password reset, users must be: * A_______ an Azure AD license. * E______ for SSPR by an administrator. * R_________ with the authentication methods they want to use. Two or more authentication methods are recommended in case one is unavailable.

write-back

Describe self-service password reset: When a user resets their password using SSPR, it can be written back to an on-premises AD. Password _____-____ allows users to use their updated credentials with on-premises devices and applications without a delay.

Business to Business (B2B)

Describe the Different External Identity Types (1/2): _________ __ ________ (___) collaboration is an external identity type that allows you to share your organization's applications and services with guest users from other organizations, while maintaining control over your own data. It uses an invitation and redemption process. Once the external user has redeemed their invitation or completed sign-up, they are represented in the same directory as employees but with a user type of guest. With ___, SSO to all Azure AD-connected apps are supported.

Business to Customer (B2C)

Describe the Different External Identity Types (2/2): ________ __ ________ (___) is an external identity type that allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on (SSO) to your applications. It is a customer identity access management (CIAM) solution. It is an authentication solution that you can customize with your brand so that it blends with your web and mobile apps.

Azure AD Connect

Describe the authentication capabilities of Azure AD: _____ __ _______ is an on-premises Microsoft application that serves as a bridge between Azure AD and on-premises Active Directory and provides the following features: * Password hash synchronization * Pass-through authentication * Federation integration * Synchronization * Health Monitoring

just in time

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (1/9): Azure AD Privileged Identity Management provides ____-__-____ previleged access to Azure AD and Azure resources, only when needed, and not before.

time-bound

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (2/9): Azure AD Privileged Identity Management assigns ____-_____ access to resources by assigning start and end dates that indicate when a user can access resources.

approval

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (3/9): Azure AD Privileged Identity Management requires specific ________ to activate privileged roles.

multi-factor authentication

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (4/9): Azure AD Privileged Identity Management can enforce _____-______ ______________ to activate any role.

justification

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (5/9): Azure AD Privileged Identity Management case use _____________ to understand why users activate privileged roles.

notifications

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (6/9): Azure AD Privileged Identity Management can get _____________ when privileged roles are activated.

access reviews

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (7/9): Azure AD Privileged Identity Management can conduct ______ _______ to ensure users still need (privileged) roles.

audit history

Describe the capabilities of Azure AD Privileged Identity Management (PIM) (8/9): Azure AD Privileged Identity Management can conduct _____ _______ for internal or external audit.

Identity Protection

Identity Protection and Governance Capabilities of Azure AD: Azure I_______ P_________ is a tool that allows organizations to accomplish three key tasks: * Automate the detection and remediation of identity-based risks * Investigate risks using data in the portal. * Export risk detection data to third-party utilities for further analysis. It categorizes risk into three tiers: low, medium, and high. You can query risk data through Microsoft Graph APIs.

Fast Identity Online (FIDO2)

Passwordless Authentication Methods (2/3): ____ ________ ______ (_____) is the latest open standard for passwordless authentication that incorporates the web authentication (WebAuthn) standard and is supported by Azure AD. ____ allows users and organizations to leverage the standard to sign into their resources using an external security key or a platform key built into a device, eliminating the need for a username and password. It can serve as a primary or secondary form of authentication.

Security defaults

S_______ d_______ are a set of basic identity security mechanisms recommended by Microsoft. When enabled, these recommendations will be automatically enforced in your organization. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. It is a great option for organizations that want to increase their security posture but don't know where to start, or are using the free tier of Azure AD licensing.