Azure Security Flashcards

1
Q

What are Security Principals in Azure Identity Management?

A

A security principal is any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts.

2
Q

What is a Security Identifier (SID)?

A

Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. A SID is a value of variable length that’s used to uniquely identify a security principal that represents any entity that can be authenticated by the system.

3
Q

What are Security Descriptors in Azure Identity Management?

A

A security descriptor is a data structure that’s associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all the security permissions that apply to that object.

4
Q

What are the two types of ACLs in Azure Identity Management?

A
  • DACL (Discretionary ACL)
  • SACL (System ACL)
5
Q

What is an Application Object?

A

A Microsoft Entra application is defined by its one and only application object. The application object resides in the Microsoft Entra tenant where the application was registered (known as the application’s “home” tenant). An application object is used as a template or blueprint to create one or more service principal objects.

6
Q

What does an Application Object of a Microsoft Entra tenant application describe?

A
  1. How the service can issue tokens
  2. Resources that the application might need to access
  3. Actions that the application can take
7
Q

What is a Service Principal Object?

A

To access resources secured by a Microsoft Entra tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Microsoft Entra tenant.

8
Q

What are the 3 types of Service Principals?

A
  1. Application
  2. Managed Identity
  3. Legacy
9
Q

What is an Application type of Service Principal?

A

This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object.

10
Q

What is a Managed Identity?

A

This type of service principal is used to represent a managed identity. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant.

11
Q

What is a Legacy Service Principal?

A

This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but doesn’t have an associated app registration.

12
Q

What are the different types of managed identities?

A
  1. System Assigned
  2. User Assigned
13
Q

What is the relation between Application Object and Service Principal?

A

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.

14
Q

What are the different types of Permissions?

A
  1. Delegated-access
  2. App-only access
15
Q

What are the different types of consents?

A
  1. static user consent
  2. incremental and dynamic user consent
  3. admin consent
16
Q

What is a Shared Access Signature?

A

A shared access signature (SAS) is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS.

17
Q

What are the types of Shared Access Signatures?

A
  1. User delegation SAS
  2. Service SAS
  3. Account SAS

18
Q

What is a Stored Access Policy?

A

A stored access policy provides an extra level of control over service-level shared access signatures (SAS) on the server side. Establishing a stored access policy groups SAS and provides more restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.

19
Q

What is Microsoft Graph?

A

Microsoft Graph is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security.

20
Q

What are the different components of Microsoft Graph?

A
  1. Microsoft Graph API
  2. Microsoft Graph Connectors
  3. Microsoft Graph Data Connect