Chapter 5: Identity

Question 1

What are the 3 components of Azure AD Identity?

Answer 1

Principal - unauthenticated entity that seeks authentication
Identity - identity profile that is authenticated using credentials
Authorization - actions that are permitted for an identity to perform

Question 2

What is an Azure AD tenant?

Answer 2

A reserved Azure AD instance.
An individual tenant must be part of a single geography
You can have different tenants span different geographies.
Every tenant gets its own domain name - @microsoft.com
Organization = Tenant = Directory

Question 3

Who are the ‘people’ in a tenant? What do they do?

Answer 3

Identity and access management resources
They perform actions on the resources within the subscriptions associated with an Azure AD tenant.

Question 4

What is the relationship of a tenant to a subscription?

Answer 4

A subscription can be associated with only a single Azure AD tenant at a time.
One tenant can be associated with multiple subscriptions at the same time.

Question 5

What are the features of Azure AD?

Answer 5

IAM Platform - i identity and access management
Identify Security - multi-factor auth, conditional access policies PIM (assume higher level of privileges for a point in time)
Collaboration & Development - B2B and B2C collaboration
Monitoring - audit logging, security monitoring, identity protection, risk management
Identity integration - SSO, Azure AD Connect, Azure AD Domain Services
Enterprise Access - control access to applications and devices in the cloud

Question 6

What is the difference between Azure AD and AD?

Answer 6

Azure AD
Uses SAML, OAuth, WS-Federation
Global service
Cloud-based solution
Flat directory structure

AD
Uses Kerberos, LDAP, NTML
Hierarchical
On-premises

Question 7

What are the steps for designing a Tenant?

Answer 7

Build security foundations - MFA, privileged users, etc.
Populate identity resources - add users, create groups, add devices, setup hybrid identity.
Manage Apps - identify apps to be used from the app gallery, and register apps from on prem.
Monitor and Automate - perform access reviews, automate user lifecycles, monitor admins.

Question 8

What are the types of users in Azure AD?

Answer 8

Admins - native users with admin role assigned
Members - regular users native to Azure AD
Guest Members - external users invited to Azure AD tenant
All have a set of default permissions

Question 9

What are the four main methods of creating and managing users?

Answer 9

Create/add users via Azure AD
Bulk add users - using CSV file or bulk add in Azure AD
Update user properties
Invite a guest account

Question 10

What are the 3 steps to creating and managing users?

Answer 10

Create your type of user
Define role assignment - permissions and access
Define object ownership - apps, devices, groups, resources that are owned

Question 11

What are user groups?

Answer 11

User groups have similar permissions, licenses, role assignments, etc.

Question 12

What is the role of the group owner?

Answer 12

Owners manage the group itself

Question 13

What are the 2 major group types?

Answer 13

Security groups, Microsoft 365 groups

Question 14

What is a security group?

Answer 14

Used to manage access to shared resources for a group of users

Question 15

What is a 365 group?

Answer 15

Shared access to give members access to shared mailbox, calendar, files, etc.

Question 16

What are the 3 Azure AD Membership Types?

Answer 16

Assigned, dynamic user, dynamic device

Question 17

What is an assigned membership type?

Answer 17

Users specifically selected to be members of a group

Question 18

What is a dynamic user?

Answer 18

Automated rule-based versus- ex. Assign a user based on a department name

Question 19

What is a dynamic device?

Answer 19

Automated rules for membership assignment via device attributes.

Question 20

What are user admins?

Answer 20

Admins are members of Azure AD tenants with admin privileges

Question 21

What are administrative units?

Answer 21

Help set scope of admins to specific user groups so admins don’t have full scope in a tenant.

Question 22

What are examples of practical administrative unit use cases?

Answer 22

Business department
Geographical location
Parent or subsidiary organization

Question 23

What is the purpose of SSPR?

Answer 23

Allow users the capability to reset a password on their own rather than requesting from the admin
Decreased admin overhead
Increased user productivity

Question 24

What are the 5 major steps of SSPR?

Answer 24

Localization
Verification
Authentification
Password Reset
Nortification

Question 25

What are some authentication methods?

Answer 25

Mobile app
Mobile app code
Email
Mobile phone

Question 26

What are the 3 mthoeds of registering a device in Azure AD?

Answer 26

Registered
Joned
Hybrid Joined

Question 27

What is Azure AD Registered?

Answer 27

bring your own device, least resterictive. Exists inside an Azure AD Tenant.

Question 28

What is Azure AD Joined?

Answer 28

Deviced is owned by the organization and access Azure AD through a work account. Exist inside Azure AD tenant.