Describe the access management capabilities of Azure AD Flashcards

1
Q

Conditional Access

A
  • Conditional Access is a feature of Azure AD that adds an extra layer of security for authenticated users.
  • Policies are created and managed in Azure AD to implement Conditional Access.
  • Conditional Access policies analyse signals such as user, location, device, application, and risk to make access authorization decisions.
  • Policies are enforced after the first-factor authentication is completed.
  • Conditional Access is not the first line of defence against scenarios like denial-of-service (DoS) attacks, but it can use signals from these events.
  • Policies can require specific actions, such as multi-factor authentication, based on user group membership or other conditions.
2
Q

Conditional Access Controls

A
  • User or group membership: Policies can be targeted to specific user groups, directory roles, or external guest users.
  • Named location information: IP address ranges can be used to create named locations for policy decisions. Blocking or allowing traffic from specific countries/regions is also possible.
  • Device: Policies can consider specific device platforms or states when making access decisions.
  • Application: Different Conditional Access policies can be triggered based on the application users are attempting to access.
  • Real-time sign-in risk detection: Integration with Azure AD Identity Protection allows policies to detect risky sign-in behaviour and prompt users for additional authentication or password changes.
  • Cloud apps or user actions: Conditional Access policies can be assigned to specific applications or user actions, such as device registration or joining.
  • User risk: If Identity Protection is available, user risk can be evaluated as part of a policy based on the probability of an identity or account being compromised.
  • Assignments: Assignments control the who, what, and where of the policy. Multiple assignments are logically ANDed, and all assignments must be satisfied to trigger a policy.
3
Q

Access Controls

A
  • Conditional Access policies enforce access controls to determine whether to grant or block access.
  • Common access control decisions include blocking access, granting access, or requiring specific conditions to be met.
  • Conditions for granting access can include multi-factor authentication, compliant devices, hybrid Azure AD joined devices, approved client apps, app protection policies, or password changes.
  • Session controls can be used to control user access within specific cloud applications, such as blocking download or copy/print capabilities for sensitive documents or requiring file labelling.
  • Session controls can also include sign-in frequency and application-enforced restrictions based on device information.
  • Conditional Access policies can be targeted to specific user groups or guests, allowing fine-grained control over access.
  • Conditional Access is a feature available in paid Azure AD editions.
4
Q

Azure AD built-in roles

A
  • Azure AD has many built-in roles, which are roles with predefined sets of permissions.
  • The Global administrator role has access to all administrative features in Azure AD and is automatically assigned to the person who signs up for the Azure AD tenant.
  • The User administrator role can create and manage users and groups, manage support tickets, and monitor service health.
  • The Billing administrator role can make purchases, manage subscriptions and support tickets, and monitor service health.
  • Built-in roles have preconfigured bundles of permissions tailored for specific tasks.
  • The permissions included in the built-in roles cannot be modified.
5
Q

Azure AD Custom Roles

A
  • Custom roles provide flexibility when granting access in Azure AD.
  • A custom role definition is a collection of permissions chosen from a preset list, which includes the same permissions used by built-in roles.
  • Creating a custom role definition involves selecting the desired permissions for the role.
  • Assigning the custom role to users or groups is done through a role assignment, which grants the specified permissions at a defined scope.
  • Scopes define the set of Azure AD resources that the role member has access to.
  • A custom role can be assigned multiple times at different scopes, such as organization-wide or specific to an object like a virtual machine or application.
  • Custom roles require an Azure AD Premium P1 or P2 license.
6
Q

Categories of Azure AD roles

A
  • Azure AD has Azure AD-specific roles that grant permissions to manage resources within Azure AD only.
  • Service-specific roles are built-in roles in Azure AD that grant permissions to manage features within specific Microsoft 365 services, such as Exchange, Intune, SharePoint, and Teams.
  • Cross-service roles in Azure AD span multiple services and provide access across various security or compliance-related functionalities.
  • Some Microsoft 365 services have their own role-based access control systems, while others use Azure AD roles for administrative access.
  • Azure AD roles differ in their scope and where they can be used.
  • Azure AD is the central identity and access management service for Microsoft 365 services and offers a unified approach to managing identity across the ecosystem.
7
Q

Difference between Azure AD RBAC and Azure RBAC

A
  • Azure AD RBAC controls access to Azure AD resources like users, groups, and applications.
  • Azure RBAC controls access to Azure resources such as virtual machines and storage using Azure Resource Management.
  • Azure AD RBAC and Azure RBAC are both forms of RBAC but focus on different types of resources.
  • Role definitions and role assignments for Azure AD RBAC are stored in the Azure AD data store.
  • Role definitions and role assignments for Azure RBAC are stored in the Azure Resource Manager data store.
  • Azure AD RBAC and Azure RBAC have separate policy decision points where access checks are performed.
  • It is important to understand the distinction between Azure AD RBAC and Azure RBAC when managing access to different types of resources within the Azure ecosystem.
8
Q

An organization plans to implement Conditional Access. What do admins need to do?

A. Create policies that enforce organizational rules.

B. Check that all users have multi-factor authentication enabled.

C. Amend your apps to allow Conditional Access.

A

A. Create policies that enforce organizational rules.

Conditional Access is implemented using policies that enforce organizational rules.

9
Q

Sign-in risk is a signal used by Conditional Access policies to decide whether to grant or deny access. What is sign-in risk?

A. The probability that the device is owned by the identity owner.

B. The probability that the authentication request isn’t authorized by the identity owner.

C. The probability that the user is authorized to view data from a particular application.

A

B. The probability that the authentication request isn’t authorized by the identity owner.

Sign-in risk is the real-time calculation that a given authentication request isn’t authorized by the identity owner.

10
Q

IT admins have been asked to review Azure AD roles assigned to users, to improve organizational security. Which of the following should they implement?

A. Remove all global admin roles assigned to users.

B. Create custom roles.

C. Replace global admin roles with specific Azure AD roles.

A

C. Replace global admin roles with specific Azure AD roles.

By following the least privilege security model and assigning specific admin roles, such as billing administrator or user administrator, to more users, instead of global admin roles, organizational security is improved.
