IAM

Question 1

Describe Azure Active Directory

Answer 1

Microsoft’s cloud based identity and access management service.

Question 2

Describe the available versions of AAD.

Answer 2

Four editions:

• Free
• Office 365 apps
• AAD premium P1
• AAD premium P2

Question 3

Describe AAD identity types

Answer 3

Users (employees and guests)
Service Principal (applications)
Managed Identity (Azure services. User and system assigned)
Devices

Question 4

Compare user-assigned and system-assigned managed identities.

Answer 4

System-assigned: created as part of a resource, shares lifecycle with resource, cannot be shared. Intended for single resource workloads.

User-assigned: user created, independent lifecycle, can be assigned to multiple resources. Intended for workloads where resources are recycled frequently but permissions the same.

Question 5

Describe types of AAD External Identities

Answer 5

• B2B collaboration (guest users, same dir as org employees)
• B2C access management (CIAM solution, allows customers to signin to services via a social identity, separate B2C directory.)

P1 or P2 tier feature.

Question 6

Describe hybrid identities

Answer 6

Hybrid = identity created and managed by on-prem IdP and synchronised to Azure AD by using Azure AD Connect.

Question 7

Describe the authentication methods for hybrid identities.

Answer 7

• Password hash synchronization: AAD does authN using the password hash.
• Pass-through Authentication: A software agent on on-prem server validates users directly with on-prem AD, so validation doesn’t occur in cloud.
• Federated Authentication: AAD passes off AuthN to a separate process like AD FS.

Question 8

Describe MFA in Azure AD.

Answer 8

Require multiple forms of verification to authN.

Something you know
+
Something you have or something you are.

Question 9

Describe Authentication methods in AAD.

Answer 9

• Authenticator App
• Windows Hello for Business
• FIDO2 (external security key)
• OATH one-time token (TOTP)
• Phone
• Passwords

Question 10

Describe Windows Hello for Business

Answer 10

• Windows 10 authN feature.
• Two factor combination of PIN or biometric that is tied to a device.
• Windows 10 uses private key to sign data that is sent to the IdP.

NB: PIN/biometric is tied to the device, local to the device, and backed by hardware (TPM).

Question 11

Describe when SSPR in Azure AD can be used and its requirements and features.

Answer 11

For PW changes, resets, and unlocks.

Users must:

• Be assigned an AAD license (P1, P2 tier)
• SSPR enabled by an Admin
• Registered with the AuthN methods they wish to use.

Can write back to on-prem AD. Notifications can be configured to alert SSPRs.

Question 12

Describe the AuthN methods available for AAD SSPR.

Answer 12

• Authenticator app notification or code
• Mobile or office phone
• Email
• Security questions

Question 13

Describe Azure AD Password Protection

Answer 13

Feature that blocks users from setting an easy password that belongs to a default global list or a user-admin’d custom list (P1 or P2).

Helps defend against password spray attacks.

Question 14

Describe Conditional Access and its benefits

Answer 14

Conditional Access = Using signals to automate decisions for authorizing access to resources.

Key benefit is providing extra layers of security before allowing authenticated users to gain access to resources.

Question 15

Describe the assignments (signals) of Conditional Access policies

Answer 15

Assignments = the conditions that trigger a policy (IF THEN …)

• User or Group membership
• Cloud Apps or Actions (i.e. scope a policy to include/exclude certain apps or actions.)
• Conditions [Location (IP), Device, Sign-in and User Risk (probabilities from AAD Identity Protection, client apps)]

Question 16

Describe the Access Controls of Conditional Access

Answer 16

Access Controls = What to do (IF … THEN )

• Block access
• Grant access (can choose to enforce one or more controls e.g. MFA, device compliance, using approved client app, password change, require app protection policy.)
• Session (make use of session controls to limit experience.)

Question 17

Describe Azure AD RBAC role types and role assignments.

Answer 17

AAD roles can be Built-in (global admin, user admin, billing admin) or Custom.

Role assignments combine a user (security principal), a role definition (built-in or custom), and a scope.

NB: custom Azure AD roles require premium P1 or P2 tier license.

Question 18

Describe principles of identity governance in Azure AD

Answer 18

• Govern identity lifecycle
• Govern access lifecycle
• Secure privileged access for administrators.

Question 19

Describe identity lifecycle governance capabilities of AAD

Answer 19

AAD premium tiers sync with cloud HR systems. For on-prem HR systems, Microsoft Identity Manager can import identities.

Question 20

Describe access lifecycle governance capabilities of AAD

Answer 20

Dynamic groups that grant/revoke access based on identity attributes to automate access.

Question 21

Describe privileged identity management capabilities of AAD

Answer 21

AAD PIM is a premium P2 service for mgmt, control and monitoring of access to important resources.

• JIT access
• Timebound access
• Approval based
• Visible (notifications when activated)
• Auditable (full access history)

Question 22

Describe entitlement management and access review capabilities of AAD

Answer 22

Entitlement management is a P2 feature for IAM lifecycle governance.

• Create packages to bundle accesses and delegate creation and approval.
• Managing external users by package.

Question 23

Describe Azure AD Identity Protection

Answer 23

Premium P2 feature that allows orgs to

• automate detection and remediation of identity risks (user and sign-in risks)
• Investigate risks using data
• Export risk data to 3rd party utilities for further analysis.

Low, medium, high risk tiers.