Azure Identity, access, and security Flashcards
Entra ID
Microsoft Entra ID is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop. Microsoft Entra ID can also help you maintain your on-premises Active Directory deployment.
For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that’s managed by your organization.
Security for AD and Entra ID
When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign-in attempts. When you connect Active Directory with Microsoft Entra ID, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Microsoft Entra ID can detect sign-in attempts from unexpected locations or unknown devices.
Microsoft Entra Connect
synchronizes user identities between on-premises Active Directory and Microsoft Entra ID
Microsoft Entra Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.
Microsoft Entra Domain Services
Microsoft Entra Domain Services is a service that provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication.
How does Microsoft Entra Domain Services work?
When you create a Microsoft Entra Domain Services managed domain, you define a unique namespace. This namespace is the domain name. Two Windows Server domain controllers are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. (Azure manages the DCs.)
SSO
enables a user to sign in one time and use that credential to access multiple resources and applications from different providers
MFA
Something the user knows – this might be a challenge question.
Something the user has – this might be a code that’s sent to the user’s mobile phone.
Something the user is – this is typically some sort of biometric property, such as a fingerprint or face scan.
Passwordless authentication
Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are, or something you know.
Options for passwordless:
Windows Hello for Business
Microsoft Authenticator app
FIDO2 security keys
Azure External Identities
With External Identities, external users can “bring their own identities.” Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in.
External Identities types
Business to business (B2B) collaboration - collaborate with external users by letting them use their preferred identity to sign in, typically as guest users.
B2B direct connect - mutual, two-way trust with another Microsoft Entra organization for seamless collaboration. B2B direct connect currently supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams; they’re visible from within the Teams shared channel and can be monitored in Teams admin center reports.
Microsoft Azure Active Directory business to customer (B2C) -
Conditional Access
Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Role-Based Access Control
Azure provides built-in roles that describe common access rules for cloud resources. You can also define your own roles. Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all the associated access permissions.
Zero Trust Model
Verify explicitly - Always authenticate and authorize based on all available data points.
Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach - Minimize blast radius and segment access. Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses.
Defender for Cloud
a monitoring tool for security posture management and threat protection. It monitors your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications aimed at strengthening your security posture.