Azure Active Directory

Question 1

What is Azure AD?

Answer 1

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.

Question 2

What is Azure AD for?

Answer 2

Allowing an organization’s employees to sign in and access resources.

Those resources can be external (MS Office 365, Azure Portal, SaaS apps) or internal (apps on on-premises networks, on-prem workstations).

Azure AD also implements single-sign on (SSO).

Question 3

What are the Azure AD editions?

Answer 3

Free - includes MFA, SSO, Basic Security and usage reports, and User management.

Office 365 Apps - includes everything from free plus self-service password reset, device write-back which offer two way sync between Azure AD and AD.

Premium P1 - includes everything from Free and O365 apps plus dynamics groups, self-service group management, MS Identity Manager and cloud write-back capabilities which allow self-service password reset for on-premises users.

Premium P2 - includes everything from Free, O365 and P1 plus Azure AD Identity Protection and Privileged Identity Management.

Question 4

What sources can Azure AD authorize and authenticate to and how?

Answer 4

On-premises AD using Azure AD Connect

Web applications using App registrations

Third-party Identity providers (eg. Facebook, Google) using External Identities

Microsoft 365 or Microsoft Azure by default.

Question 5

What is the difference between Azure AD and AD ?

Answer 5

Active Directory (AD) is for on-premises and Azure AD is for cloud.

Question 6

What does an app registration do?

Answer 6

App registrations allows developers to integrate web apps to use Azure AD to authenticate users and request access to user resources such as email, calendar and documents.

An app registration has a globally unique object that contains an ApplicationID (represents the global app across all tenants) and an ObjectID (a unique value for an app object).

Question 7

What is SSO?

Answer 7

Single sign on allows users to sign-in once and have access to multiple apps and services.

Question 8

What does external identities do?

Answer 8

It allows people outside an organization to access its app and resources with their preferred identity (eg., Facebook, Google, )

Question 9

Why would you use external identities?

Answer 9

To share apps with external users (B2B collaboration)

Develop apps intended for other Azure Ad tenants (single-tenant or multi-tenant)

Develop white-labelled apps for consumers and customers (Azure AD B2C)

Question 10

What are the two types of external identity?

Answer 10

Business to Business (B2B) which allows external businesses to authenticate with your app

Business to customer (B2C) which allows customer to authenticate with your app.

Question 11

What is a service principle?

Answer 11

A security identity used by app or services to access specific Azure resources.

Question 12

What can service principles define?

Answer 12

Who can access the app and what resources the app can access.

Question 13

When is a service principle created?

Answer 13

When a user in the tenant consents to the app’s or API’s use.

Question 14

What is a managed identity?

Answer 14

An identity to manage the credentials for authenticating a cloud app with an Azure service.

Question 15

Why would you use a managed identity?

Answer 15

To authenticate to any service that support Azure AD authentication without storing credentials in code.

Question 16

What are the different types of managed identity?

Answer 16

System-Assigned and user-assigned.

Question 17

What is a system-assigned identity?

Answer 17

A managed identity created by Azure. It is tied to the lifecycle of the resource it was created for, and is deleted when/if the resource is. It is only assigned to the resource it was created for.

Question 18

What is a user-assigned identity?

Answer 18

A managed identity created by an Azure user.

It’s a standalone identity that can be assigned to multiple resources. It must be explicitly deleted.

Question 19

What identities does Azure AD support?

Answer 19

Users - employees and guest
Groups - a collection of users with the same permissions
Service principals (Application) - an identity for an app
Managed Identities
Devices - an identity for a device with properties like who owns the device

Question 20

What is the difference between managed and service principals?

Answer 20

Service Principals require to be manually configured whilst managed identities do not.

Also, managed identities are NOT available for every Azure resource, but service principals are.

Question 21

Does Azure AD B2C work with M365 services?

Answer 21

No, it only works with custom applications.

Question 22

Are Azure AD B2C users kept in the same directory as B2B and regular users?

Answer 22

No, they’re kept in a different directory.

Question 23

What is a hybrid identity?

Answer 23

A hybrid identity is an AD identity that exists and is synced with Azure AD.

Question 24

What is Azure AD Connect?

Answer 24

A tool that allows you to sync your on-premises AD with Azure AD.

Question 25

Can you make changes to a synced AD user in Azure AD?

Answer 25

No, hybrid users are read-only.

Question 26

What are the three ways of enabling hybrid identity?

Answer 26

Password hash synchronization
Pass-through authentication (PTA)
Federated authentication

Question 27

What is password hash synchronization?

Answer 27

Azure AD Connect synchronizes a hash, of the hash of a user’s password from on-premises AD to Azure AD.

Azure AD can then authenticate users, allowing them to login with the same username and password.

Question 28

Does password hashing enables leaked credential detection for accounts?

Answer 28

Yes.

Question 29

What is PTA?

Answer 29

A method of authentication where you can login with the same credentials, but your password is not stored in the cloud.

Question 30

How does PTA work?

Answer 30

A software agent on a user’s workstation validates a user’s credentials with Azure AD.

Question 31

What is Federated authentication?

Answer 31

A trust method of authentication. It allows Azure AD to delegate authentication to another system, more likely than not Active Directory Federation Services (ADFS)

Question 32

What is SSPR?

Answer 32

Self-service password reset (SSPR) allows user to change/reset their password without admin/helpdesk involvement.

Question 33

What are the three advantages to SSPR?

Answer 33

• Increased security - removes a layer that could be compromised
• Saves money - reduces calls to IT
• Increased productivity - lcoked out users can reset password and get back to work.

Question 34

What do you need to enable to allow SSPR?

Answer 34

If a user is enabled for SSPR - the user must specify another authentication method (Mobile App notification or code, Email, phone, security question).

At least one of the above must be enabled to use SSPR.

Question 35

What is Azure AD Password Protection?

Answer 35

Password protection is a feature in AAD that reduces the risk of users choosing weak passwords by blocking known weak passwords.

Question 36

Where does AAD Password Protection get its source of weak passwords from?

Answer 36

Global Banned password list - Microsoft maintained list. It also checks for variants weak passwords.

Custom banned password list - maintained by a organization. Usually includes password derived from company specific terms. Also checks variants of listed password.

Question 37

Does ADD Password protection use both lists?

Answer 37

Yes.

Question 38

True or False: ADD Password protection doesn’t integrate with AD.

Answer 38

False. It applies the same protection, but does require a software agent on-prem to work.