Entra ID Extended Services Flashcards

1
Q

Entra Connect

A

Is all about establishing synchronization with our on-premises AD forest, ensuring that all of those identity and other related objects get synchronized to Entra ID.

-Hybrid Identity
-Identity Security
-Migration

Entra Connect Tools

-Entra Connect Sync: Legacy on-prem deployment of identity sync software
-Entra Connect Cloud Sync: Modern cloud-native identity sync, managed in the cloud
-Entra Connect Health: Tools for monitoring sync and security (requires P1 license)

Architecture Overview

  1. Identity: Identity objects synchronized between AD and Entra ID
  2. Entra Connect: Installation of cloud-sync lightweight agent, or connect-sync infrastructure
  3. Configuration: Configuration managed in the cloud (cloud-sync) or on-prem (connect-sync)
2
Q

Entra ID Domain Services (Azure AD Domain Services)

A

A Domain Services managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment.

-Entra ID is a modern identity platform, so there are some legacy features that you won’t get access to. If you do want access to these features, you can add Entra Domain Services.

Traditional AD Features:

-Active Directory Domain Join
-Active Directory Group Policy
-Legacy Protocols (LDAP, Kerberos/NTLM, etc.)

Architecture

When you want to deploy Entra DS, you do so by creating a “managed domain”

-Managed Domain: Provides the legacy AD functionality. Fully managed by Microsoft

Here, we’re talking about extending Entra ID.

-Synchronization: Objects are synchronized from your Entra ID tenant (one-way). Supports hybrid identities. (Entra ID -> Entra DS Managed Domain)

Now, when you deploy that managed domain, you’re actually deploying it to…

-Virtual Network: Resources can only interact with the Managed Domain through a VNet.

–Any of your legacy applications, whether that’s a VM or an app, that want to use those legacy features like domain join, LDAP, NTLM or Kerberos will need to be deployed to that same VNet, or to a VNet that has access to that VNet.

3
Q

Entra ID External Identities

A

Maybe you’ve got a third-party IT support provider and you want to provide them with access to manage resources in your Azure subscription.

-Most likely they have their own Entra ID tenant, with their own credentials

-So rather than creating their own credentials in your tenant, you might want to provide access to their existing user accounts.

4
Q

Business to Business (B2B)

A

Providing access to external identities from other businesses; we refer to those users as “guests”. We want to provide them with access to resources that we manage, through our own…

-Entra ID Tenant: Your tenant that has access to resources you’d like to share with guest/partners

-Guest Identities: Invite users from other Identity Providers (Google, Facebook…)

-Settings: External collaboration settings define access and invite restrictions (for our tenant)

–That’s where you can change the default access levels, say who can perform invites, and either restrict an organization from being invited or list the specific organizations you want to support.
–Also where you choose which identity providers are supported

5
Q

B2B Direct Connect

A

We are talking about lots of identities in a whole other organization, not inviting individual users; more of an organization-to-organization relationship.

-Only supports providing access to Shared Teams Channels

We want to provide them with access to resources that we manage, through our own…

-Entra ID Tenant: Your tenant that has access to resources you’d like to share with guest/partners

Not through an invite process, instead what you are going to do is…

-Trusted Organization: Configure mutual connection (in/out) to Entra organizations. No guest identity required

-Settings: Cross-tenant access settings (section) define trusted organizations and access levels.

–That’s where you’re going to add trusted organizations, and also where you can configure the default access levels for both B2B and B2B DC.

6
Q

Business to Customers (B2C)

A

-Application: Your app which requires identity and access management

-B2C Tenant: Provide identity services for your app, supporting local or other identities.

–Dedicated just to your app(s) for storing all of the identity information you require for one or more apps that you are developing
–You can allow your customers to create their own accounts, or you can connect them to other identity providers.

-Customization: Customize branding, sign-up, sign-in, and profile editing for end-users.

7
Q

Entra ID Governance Overview

A

Entra ID Governance is an identity governance solution that helps organizations improve productivity, strengthen security, and meet compliance and regulatory requirements. It helps organizations protect, monitor, and audit access to critical assets while ensuring employee productivity.

Features:

-Entitlement Management: Provides a scalable set of enterprise access management capabilities
-Privileged Identity Management (PIM): Enables you to manage, control, and monitor access to important resources in your organization. (JIT, Time-bound, Approval-based, Visible, Auditable)
-Access Reviews: Where we can perform regular checks of the permissions that have been assigned to our users. (Scheduled Checks & Automated Response)
-Lifecycle Workflows: A range of capabilities that extend your existing HR identity management and help you put together processes that simplify managing the different stages of an identity. (Your users start at the org (Joiner), they might move roles as they continue to work (Mover), and then they exit your org (Leaver).)
-Terms of Use: Ensure users read relevant disclaimers (Usage Policies & Acceptance/Consent)

8
Q

Entra ID Entitlement Management

A

Provides a scalable set of enterprise access management capabilities.

-How do we provide resources to multiple different staff members?
-What role will they require access to?
-Who is responsible for configuring that access, or even removing access when it is no longer required?

-Resources covered: Security Groups, M365 Groups, Applications, Teams, and SharePoint Sites

It does this through a range of automated capabilities: users can request access, the request can be based on a specific role, it can be approved by a non-admin user, and then that access can be automatically granted or denied.

-Simplify: Simplify how internal and external entitlements are managed at scale
-Delegate: Delegate management of entitlements to non-admin users
-Automate: Automate provisioning and revocation of entitlements based on properties, time, etc.

Implementation:

-Identities: Internal or external users to request (or be assigned access)

When you configure entitlement management, the first thing you are going to set up is…
-Access Package: Package of resources to be provided for a specific role/purpose

With an Access Package, there are really two things we are focused on:
-Resource: Role - The resource and role to be assigned (apps, groups, teams, site)

-Catalog: Used to organize and manage resources and access packages

Considerations:
-Licenses are required for those who review, approve, request, or are assigned a package
-Access Packages are created in the portal. User access is managed through myaccess.microsoft.com
-Permissions: Full Access (Identity Governance Admin), Granular (Access Package Manager, Catalog Owner, etc.)

9
Q

Entra ID Privileged Identity Management (PIM)

A

PIM enables you to limit standing administrator access to privileged roles, discover who has access, and review privileged access.

-Entra Premium P2 licensing is required

Features:
-Just-In-Time Access: Permissions are only activated as and when required. (Group membership, Azure AD Roles, or Azure RBAC)
-Time-Bound Access: Define start and end dates for access to resources (users might be entitled to specific privileges, but those privileges are not necessarily switched on all of the time)
-Activation Approval: Require request justification and activation approval.
-Activation with MFA: Require the use of MFA to activate privileges
-Audit Trail: Download audit history and receive notifications
-Access Reviews: Review whether access to roles is still required (within PIM, and outside PIM via Identity Governance)

Implementation

  1. Identity: User/group/app with eligibility for privileges (Entra ID, Azure, or Groups)
  2. Assignment: An identity can have permanent or time-bound assignment
  3. Activation: Privileges must be activated for use (permanent or time-bound)
10
Q

Entra ID Access Reviews

A

Is a feature that helps organizations manage and monitor access to their resources. It allows administrators to review and confirm whether users still need access to specific applications, groups, or other resources.

-Entitlement Management also has Access Reviews built-in

Review Types:
-Teams and Groups (Identity Governance): Review membership and guest access for groups (including M365 groups) and teams.
-Applications (Identity Governance): Review internal and guest user access to applications.
-Azure RBAC (PIM): Review active and eligible assignments for Azure RBAC roles.
-Entra ID Roles (PIM): Review active and eligible assignments for Entra ID Roles.

Implementation:
1. Access Review: Use the portal (ID Gov or PIM) to create access review.
2. Timing: Define the duration, frequency and end date for the review.
3. Reviewers: Specify who will perform the review. (owner, manager, self)
4. Settings: Reminders, justification, auto-apply, etc.

11
Q

Entra ID Protection

A

Is a feature that helps organizations safeguard their identities by looking for signals that indicate some sort of risk to the identity itself, or to a sign-in attempt for a given identity.

-Focused on protecting identities (not access)
-Measures whether there is any risk (low, medium, or high)

ID Protection Policies:
-Sign-in risk Policy: Monitors various signals to allow, deny, or require multi-factor auth (MFA) at the time of sign-in.
-User risk Policy: Monitors identities for risks and can block all future access or require a password change.
-MFA Registration Policy: Choose (include/exclude) the users that must configure MFA.

Architecture:
-Tenant: Policies are configured at the tenant level, but can be applied to all/select users.
-Policy: One of each of the policies can be configured.
-Recommendation CAP: Achieve greater reporting/customization with Conditional Access Policies (CAP)

12
Q

Entra ID Conditional Access

A

Enhance the security posture of your organization by enforcing access policies based on specific conditions.

-Entra Premium P1 licensing is required

Conditional Access Policies (CAP)
1. Identity: Guests, roles, users or groups
2. Target Resources: An app, action, or auth context (what are we protecting)
3. Settings
   -Condition: Which situation the policy applies to
     -Risk: Entra ID Protection user-risk and sign-in risk
     -Device Platforms: The platform being used, or a more advanced device property filter
     -Locations: User-defined named locations (country or IP ranges)
4. Access Controls: Allow, Block, or require additional requirements

Grant
-Authentication: Enforce MFA, authentication strength, or a password reset
-Device Status: Is the device compliant, and/or hybrid Entra ID joined
-App Status: Is the client app approved, and/or is an app protection policy used

For these controls, you can specify whether just one of them needs to be satisfied, or all of them.

13
Q

Entra ID Self-Service Password Reset (SSPR)

A

Is a feature that allows users to reset their passwords without requiring assistance from IT support.

Configuration:
1. Enable SSPR: Can be off, on for all, or on for selected users (security group)
2. Authentication Methods: How users verify their identity (security questions, app code, etc)
3. User Registration: Users can register their information or administrator can do so

Considerations:
-Settings apply to non-admin users; the default administrator policy applies to admins
-SSPR requires at least M365 licensing and Global Administrator privileges to configure
-SSPR for hybrid identities (Entra Connect) requires “password writeback” and Premium P1 licensing

14
Q

Entra ID App Proxy

A

It’s a way for your remote users to have their access proxied through Entra ID to on-premises applications.

-Supports older legacy protocols such as Integrated Windows Authentication (IWA), Forms/Header-Based Authentication, and Microsoft Authentication Library (MSAL)
-On-prem apps via Entra ID: Access to on-premises web applications using Entra ID
-Single Sign-On Authentication: Provide SSO for web apps with various auth types
-Improved Security: Use Entra ID extended security. Only requires outbound access

Architecture:
1. Entra ID: Remote access via Entra ID App Proxy endpoint. Requires at least P1 license.
2. Application: Registered App with supported authentication type in a private network
3. App Proxy Connector: Agent running on Windows Server. Can be in a group. Connects to the app and to Entra ID. Only needs connectivity to the app itself (running on the same network as your app) and outbound connectivity to Entra ID

-If you are using on-prem AD and you’ve got that synchronized with Entra Connect, then the app proxy connector will also need to talk to that domain.
-You don’t need any VPN or inbound firewall rules

Authentication Flow

  1. When remote users want to access the application, they use the “My Apps Portal” or a configured DNS name
  2. When they go to that URL, they enter their username and password with the familiar Entra ID login experience
  3. Entra ID creates a token for the application they need access to, and the remote users use that token to talk to the connector through the app proxy service.
  4. The app proxy service, through the connector on-premises, can then talk to whatever resources are required

Important note: an app being configured for App Proxy can be created directly through Enterprise Apps (this will create an App Registration for you automatically anyway).
