Describe the identity protection and governance capabilities of Azure AD

Question 1

Azure AD identity governance

Answer 1

• Azure AD identity governance enables organizations to govern the identity lifecycle, access lifecycle, and secure privileged access for administration.
• It applies to employees, business partners, vendors, and various services and applications, whether on-premises or in the cloud.
• The key questions addressed by Azure AD identity governance are:
  • Which users should have access to which resources?
  • What actions are users performing with their access?
  • Are there effective controls in place to manage access?
  • Can auditors verify the effectiveness of these controls?

Question 2

Identity lifecycle management

Answer 2

• Identity lifecycle management is a crucial aspect of identity governance, involving the processes of join, move, and leave.
• When an individual joins an organization, a new digital identity is created, and access authorizations are granted.
• During movement within an organization, access authorizations may be modified based on changing organizational boundaries.
• When an individual leaves, access is revoked, and the identity may be retained for audit purposes.
• HR systems like Workday or SuccessFactors often serve as authoritative sources for employee information, syncing with Azure AD to maintain consistency.
• Azure AD Premium offers integration with cloud-based HR systems, automatically creating user accounts and synchronizing updates.
• Microsoft Identity Manager enables importing records from on-premises HR systems, ensuring identity lifecycle management for diverse environments.
• User provisioning applications and integrations with HR systems facilitate the updating of access rights and permissions throughout the identity lifecycle.

Question 3

access lifecycle management

Answer 3

• Access lifecycle management involves managing access rights throughout a user’s organizational tenure.
• Users require different levels of access as they progress through different stages within the organization.
• Access rights are granted based on the user’s role and responsibilities.
• Automation technologies like dynamic groups enable organizations to streamline the access lifecycle process.
• Dynamic groups use attribute-based rules to determine membership, evaluating changes in user or device attributes.
• When a user or device meets the criteria defined by a dynamic group rule, they are added as a member.
• If a user or device no longer meets the rule criteria, they are automatically removed from the group.
• Automation helps ensure timely and accurate assignment and revocation of access rights during the access lifecycle.

Question 4

Privileged access lifecycle management

Answer 4

• Monitoring privileged access is crucial for effective identity governance.
• Azure AD Privileged Identity Management (PIM) offers additional controls for securing access rights.
• PIM helps minimize the number of individuals with access to resources in Azure AD, Azure, and other Microsoft online services.
• PIM provides a comprehensive set of governance controls to enhance the security of an organization’s resources.
• Azure AD Premium P2 includes the PIM feature, enabling organizations to leverage its capabilities.
• With PIM, organizations can enforce a governance process for assigning administrative rights.
• PIM helps mitigate the potential risks associated with privileged access misuse.
• By implementing PIM, organizations can enhance their overall identity governance practices.

Question 5

Entitlement management

Answer 5

• Entitlement management is an identity governance feature that enables organizations to manage the identity and access lifecycle at scale.
• It automates access request workflows, access assignments, reviews, and expiration.
• Challenges in managing employee access include users not knowing what access they should have and difficulty in locating the right individuals for approval.
• Users may hold on to access longer than necessary, leading to potential security risks.
• Entitlement management allows the delegation of access package creation to non-administrators.
• Access packages contain resources that users can request, and policies define who can request access, who must approve it, and when access expires.
• It simplifies the management of access for external users, automatically inviting them into the directory and assigning access when approved.
• Access packages are used to manage access to resources.
• Entitlement management is a feature available in Azure AD Premium P2.

Question 6

Azure AD access reviews

Answer 6

• Azure AD access reviews enable organizations to manage group memberships, access to enterprise applications, and role assignments.
• Regular access reviews help ensure that only the right people have access to resources and reduce security risks.
• Access reviews are useful in scenarios such as having too many users in privileged roles, when automation is not possible, when controlling access to business-critical data, or when governance policies require periodic reviews.
• Access reviews can be created through Azure AD access reviews or Azure AD Privileged Identity Management (PIM).
• They can be used to review and manage access for both users and guests.
• Access reviews can be configured for users to review their own access or for one or more users to review everyone’s access.
• Progress can be tracked as reviewers complete the review process, and no access rights are changed until the review is finished.
• The review can be manually or automatically applied to remove access from a group membership or application assignment, except for dynamic groups or groups originating on-premises.
• Access reviews are a feature available in Azure AD Premium P2.

Question 7

Azure AD terms of use

Answer 7

• Azure AD terms of use allow organizations to present information to users before they access data or an application, ensuring they read relevant disclaimers for legal or compliance requirements.
• Use cases for requiring users to accept terms of use include accessing sensitive data or applications, recurring reminders for regulations, terms applicable to certain roles, or presenting terms to all users in the organization.
• Terms of use can be presented in a PDF format using content created by the organization, such as an existing contract document.
• Terms of use can also be displayed on mobile devices.
• Conditional Access policies are used to require the display of terms of use and ensure users agree to them before accessing an application.
• Admins can view the list of users who have agreed to the terms of use and those who have declined.
• Azure AD terms of use provide a way to enforce compliance and track user acceptance of terms.
• This feature helps organizations meet legal and compliance requirements regarding user consent and acknowledgment of policies.

Question 8

Privileged Identity Management (PIM)

Answer 8

• Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that helps manage, control, and monitor access to important resources in an organization.
• PIM covers resources in Azure AD, Azure, and other Microsoft online services like Microsoft 365 and Microsoft Intune.
• PIM addresses the risks associated with excessive, unnecessary, or misused access permissions.
• It follows the principle of “just in time” access, granting privileged access only when needed and not before.
• Access to resources can be time-bound, with start and end dates specifying the duration of access.
• Activation of privileges in PIM requires specific approval from authorized individuals.
• PIM provides notifications when privileged roles are activated to ensure visibility and awareness.
• A complete access history can be downloaded for auditing and monitoring purposes.
• Privileged Identity Management is a feature available with Azure AD Premium P2.
• By leveraging PIM, organizations can enhance security, reduce the attack surface, and maintain better control over privileged access.

Question 9

Identity Protection in Azure AD

Answer 9

• Identity Protection enables organizations to automate the detection and remediation of identity-based risks.
• It uses signals from various Microsoft services, analysing 6.5 trillion signals per day, to identify potential threats.
• Signals from Identity Protection are used by tools like Conditional Access and security information and event management (SIEM) tools for access decisions and further investigation.
• Risk is categorized into three tiers: low, medium, and high, and it calculates sign-in risk and user identity risk.
• Sign-in risks identified by Identity Protection include anonymous IP addresses, atypical travel patterns, malware-linked IP addresses, unfamiliar sign-in properties, password spray attacks, and Azure AD threat intelligence.
• User risks identified by Identity Protection include leaked credentials and Azure AD threat intelligence.
• Risk detections trigger actions such as requiring multi-factor authentication, password resets, or blocking access until administrative action is taken.
• Identity Protection provides reports on risky users, risky sign-ins, and risk detections for investigation and identification of security weaknesses.
• Organizations can enable automated remediation using risk policies and should aim to close events quickly to minimize potential risks.
• Identity Protection is a feature of Azure AD Premium P2, providing enhanced identity governance and security capabilities.

Question 10

Your organization has implemented important changes in their customer facing web-based applications. You want to ensure that any user who wishes to access these applications agrees to the legal disclaimers. Which Azure AD feature should you implement?

A. Entitlement management.

B. Azure AD Terms of Use.

C. Identity Protection.

Answer 10

B. Azure AD Terms of Use.

Azure AD Terms of Use presents information to users before they access data and can be configured to require users to accept the terms of use.

Question 11

An organization is project-oriented with employees often working on more than one project at a time. Which solution is best suited to managing user access to this organization’s resources?

A. Azure Terms of Use.

B. Identity Protection.

C. Entitlement management.

Answer 11

C. Entitlement management.

Entitlement management is well suited to handling project-based access needs. Entitlement management automates access requests, access assignments, reviews, and expiration for bundles of resources relevant to a project.

Question 12

An organization has recently conducted a security audit and found that four people who have left were still active and assigned global admin roles. The users have now been deleted but the IT organization has been asked to recommend a solution to prevent a similar security lapse happening in future. Which solution should they recommend?

A. Entitlement management.

B. Privileged Identity Management.

C. Identity Protection.

Answer 12

B. Privileged Identity Management.

Privileged Identity Management mitigates the risks of excessive, unnecessary, or misused access permissions.

Question 13

Your IT organization recently discovered that several user accounts in the finance department have been compromised. The CTO has asked for a solution to reduce the impact of compromised user accounts. The IT admin team is looking into Azure AD features. Which one should they recommend?

A. Identity Protection.

B. Conditional Access.

C. Entitlement management.

Answer 13

A. Identity Protection.

Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats.