Manage azure identities and governance

Question 1

Is Azure Active Directory the same as windows active directory?

Answer 1

No, same idea but some non overlapping requirements and protocols when doing the job of Active Directory over the internet vs on a server

Question 2

Can you sync your current active directory with a new azure Active Directory instance?

Answer 2

Yes

Question 3

Does azure ad support single sign on?

Answer 3

Yeah, and using its api you can develop custom sso code for your non integrated 3rd class party apps

Question 4

How much of the exam is based on identity and governance questions?

Answer 4

25%

Question 5

What is Microsoft entra?

Answer 5

Entra is an enterprise identity service (umbrella product including the active directories) which includes SSO, MFA and conditional access to/guard against cyber attacks

Question 6

What are the different features available with different licences for Microsoft entra ID?

Answer 6

https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing

Question 7

What is the difference between accounts, tenants, subscriptions?

Answer 7

Account:

Person or program (synonym of User) e.g. Joe Smith joe@example.com.
Apps have their own identities such as managed identities or they can also use service users

Tenant:

A representation of an organization. Usuqlly represented by a unique domain ea.com for example.

A tenant is required to do anything is azure and has a dedicated instance of azure active directory.

Every azure account is part of at least one tenant!!!!

Subscription:
A billing agreement with Microsoft on how you’re going to pay.

• Free subscriptions
• pay as you go
• enterprise agreements

Subscriptions can be assigned to tenants but this is not a requirement (in fact tenants can have multiple subscriptions).

Multiple accounts can be assigned to a tenant, each with different roles.

Question 8

In Entra ID how can you switch between tenants?

Answer 8

Using the switch button in the manage settings cog in the Entra ID interface or via the ‘Switch directory’ link in the menu which appears when clicking your profile pic.

Question 9

Is the use of AI to combat hacking attempts part of the Azure active directory free tier?

Answer 9

No its part of the P1 tier.
https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing

Question 10

How can you add a custom domain name to your new tenant?

Answer 10

There is a settings option to add a custom domain name so you could use your company’s domain name to access the tenant’s Active Directory instance but it’s necessary to prove ownership of the custom domain. This probably involves adding a TXT setting to the record of your domain purchase so that Azure can make a request to it and get the expected response.

Question 11

What are standard groups in azure Active Directory?

Answer 11

Groups of users, of type security and of membership type assigned ( known, intentional) and have bulk operations and permissions given to them.

Question 12

Are groups able to given roles by default?

Answer 12

No, there is a toggle switch to enable role assignation to a group.

Question 13

What are dynamic groups?

Answer 13

A dynamic group is a group whose membership type is based on the results of a query. An example could be including employees in a certain department as being part of a dynamic group for that department. It is still a security group type.

Job title and country are other examples of many dynamic group query fields.

Question 14

What are the management traits which can be performed on groups?

Answer 14

Access reviews
Access logs
Bulk operations
Privileged identity management

Question 15

What are devices in azure Active Directory.

Answer 15

They represent the physical devices used by users that access and organisations resources e.g. phones, laptops, authentication devices

Question 16

Is multifactor authentication a a part of the free tier azure active directory?

Answer 16

Using Microsoft Authenticator it’s free, but sms and phone are a part of a paid tier license.

Question 17

Is license assignment to a user controlled in terms of legal requirements?

Answer 17

Yes, some licenses and features cannot be assigned unless the user has a location set so that GDPR rules can be enforced by Azure Active Directory.

Question 18

What is the difference between a managed and unmanaged device in Azure Active Directory?

Answer 18

A managed device has specific criteria to meet in terms of encryption, password requirements , antivirus software running etc.

Related to conditional access which changes access conditions based on various factors including whether it is a managed device.

You can limit the number of a users devices.

Question 19

What are azure ad bulk operations?

Answer 19

Certain tasks can be done in bulk like creating users. In the case of new users a csv template is downloaded that the administrator fils out and all use users are created in bulk by azure ad

Question 20

How to add an external user to your azure ad ( a user with a different domain in their email and exists outside of your azure ad instance. Typically partners, vendors and contractors.)

Answer 20

These are invited as a guest user to the azure ad which they will have to accept to be added to you azure ad. They will be able to be managed in the same way as other non external users in your organisation. They will be able to self reset their passwords , can be assigned RBAC roles for permission management and have devices and conditional access rules such as using mfa.

Question 21

What is self service password reset?

Answer 21

This is a paid feature allowing users to reset their own password.

It is configured in the properties tab of the left hand side bar of an organisation’s azure ad UI. It can be assigned in bulk or to individuals. This is a paid feature so you cannot assign to more users than you have purchased licenses.

Question 22

What is AAD-Connect?

Answer 22

This is a service which synchronises azure ad with on prem Active Directory.

Question 23

What does RBAC stand for?

Answer 23

Role based access control

Question 24

What is RBAC?

Answer 24

It’s a system designed to give permissions and access to a user based on their role on their role.

Question 25

What is the principal of least privilege?

Answer 25

Give the least permissions possible for the most secure IT system possible

Question 26

What are the drawbacks to assign individual users individual permissions (not RBAC)?

Answer 26

Some users have too many privileges over the years and those users get asked to do things for other users without those permissions. More effort to maintain. Some users don’t have the permission they need more frequently. Higher chance of malicious user hacking using their unnecessary permissions.

Question 27

In an RBAC setup what are permissions assigned to?

Answer 27

To the role, and every user with that role will receive the permission through the role.

Question 28

What are the benefits of RBAC?

Answer 28

Small number of roles , simplifying and reducing workload even for a high number of employees.

Simpler management so fewer errors.

Just confirm users are in the right role.

All users are the same for the role, no snowflakes.

Quicker and easier to add new users to the role and give them the required permissions for their role.

Question 29

What are the alternatives to RBAC?

Answer 29

Claim based permissions, but generally in azure it’s just RBAC.

An example of claims based access control is when a storage account can be accessed by using an access key or token.

Question 30

How many built in RBAC roles are there in Azure?

Answer 30

About 90 roles related to administrative work, teams passwords etc.

Question 31

What is the relationship between RBAC policies and a resource like a storage account?

Answer 31

You need to create a resource group and associate your storage account with it. The. You assign RBAC roles to the resource or the resource group.

Question 32

How to switch from claim based access control to azure Active Directory authorisation (azure AD has the RBAC policies) for a storage account?

Answer 32

In the configuration menu of the storage account, there is a radio button with “default to azure Active Directory authorisation in the azure portal “. You can also “disable storage account key access” here in the configuration menu.

Question 33

What does the owner role of a storage account allow permissions for?

Answer 33

Administration without adding or reading content.

Question 34

What are the owner, contributor and reader roles primary functions?

Answer 34

Owner manages resources and is the least restrictive,contributor manages resources but not assign roles and reader is just to read data but can’t delete or modify the contents or assign roles.

Data permissions are separate from the resource permissions!

Question 35

What is permission scope?

Answer 35

The range of resources where the permission role is applicable. In storage you could have the scope of the entire storage account, a blob storage container or a set of resources.

Question 36

Are azure custom RBAC roles a feee tier feature?

Answer 36

No they are a paid feature.

Question 37

How do you create a custom RBAC roles?

Answer 37

Via the subscription interface, there is an access control IAM and then create custom role button.

You can apply scopes to the custom role but it’s limited to 5000 customer roles.

Question 38

What are access assignments and how can you interpret them?

Answer 38

In the access control IAM page of a user or resource, there is a role assignments tab which shows all the RBAC roles on the resource and for which users or groups they apply.

Question 39

What are deny assignments?

Answer 39

Multiple role permissions are all applied to the user or resource. Deny assignments function to remove a specific access ( even if it it’s part of another role assigned to the resource or user).

Deny assignments are usually added using azure blueprints ( blueprints are not in the exam).

Question 40

What is an account/user?

Answer 40

Person or program
Can be a managed identity
The basis for authentication

Question 41

What is a subscription

Answer 41

A contract of payment for the used services in azure

Question 42

What is a tenant?

Answer 42

It represents an organisation, usually associated with a domain name. If you don’t have a domain name, Microsoft will create one for you.

Represents a dedicated instance of azure Active Directory.

Every account belongs to a tenant. You can create new tenants and switch between them easily.

Not every tenant needs a subscription, but without one you can’t pay for anything so you can’t create resources ( even free tier ones)

A tentant can have multiple subscriptions

More than one account can be a tenant owner.

Question 43

What are resource groups?

Question 44

If you have an RBAC role allowing resource group deletion, what happens if you try to delete a resource group that contains individual resources you don’t have the delete role for?

Answer 44

The only permission required to delete a resource group is permission to the delete action for deleting resource groups. You do not need permission to delete individual resources within that resource group. Additionally, delete actions that are specified in notActions for a roleAssignment are superseded by the resource group delete action. This is consistent with the scope hierarchy in the Azure role-based access control model.

Question 45

Is Microsoft billing managed within the azure portals?

Answer 45

No, there is a link in the subscription blade but it leads to another website.

Question 46

What is the difference between a budget and an anomaly alert?

Answer 46

Anomaly alerts are not user defined, the condition is defined by azure. New charges, significant changes in costs regular costs which have disappeared etc. A budget is user defined and is based on reaching user defined costs incurred thresholds

Question 47

What is the azure advisor?

Answer 47

It’s an automated system which provides recommended changes to your azure resources. These recommendations could be to change the vm type to fit better it’s usage. They are not limited to cost related recommendations.

Question 48

What are resource locks?

Answer 48

Deny permissions can be assigned to accounts to delete resources. If a resource has a lock then regardless of the permissions assigned to an account, the resource cannot be deleted until the lock is removed.

Note that RBAC polices do exist to give users permission to modify or add/rm locks.

Question 49

What is the concept of Azure policies?

Answer 49

To be able to set rules rules about your resources like minimum version of sql server or that every vm had to have a back up.

Question 50

What’s are some examples of the built in policies?

Answer 50

Best practices are generally already implemented in built in policies available for use, such as no public network access to azure storage, storage accounts should prevent shared access keys, configure azure file sync with public private endpoints or ensure geo redundant storage is enabled on storage accounts

Question 51

How is a policy definition written?

Answer 51

In json format. It can be duplicated and modified.

Question 52

How are policies used?

Answer 52

They are assigned to a scope eg production? Staging, one resource group, one resource etc.

Question 53

What does the policy enforcement ratio button activate?

Answer 53

When activated, resources which do not comply with the policy cannot be created. It’s a hard impasse. If policy enforcement is deactivated ( off) then you can break the policy rules but they will be reported on and made visible.

Question 54

How do policies affect existing storage?

Answer 54

By default, policies only affect new resources. Existing resources can be verified using a follow up remediation task, and it will modify directly where possible the existing resources or generate a deployment template to create new resources

Question 55

How do you customise the reporting message when policies are not complied with?

Answer 55

There is a tab non-compliance message tab when defining the policy where you can add a text string e.g. contact this guy admit that

Question 56

His long does it take to bring a new policy into effect?

Answer 56

About 30 minutes.

Question 57

What’s a common policy for VMs?

Answer 57

Limit the range of VMware sizes that employees can create to avoid that employees create very powerful and expensive machines without approval or other due process

Question 58

Where can you check policy compliance?

Answer 58

In a resource or resource group there is a compliance tab on the left hand menu blade. Click that to see a list of all associated policies and check the compliance state for each of them.

Question 59

How do vm size limitation policies manifest when creating a new cm?

Answer 59

The list of available vms has redistributed across categories like blocked.

Depending on the policy type (whether it’s enforcement enabled or a deny policy etc) the interface will adjust accordingly. E.g if enforce is set to false , the ui will not change to reflect that but once created the policies tab will see a bad compliance state ( wait 30 mins)

Question 60

How to see an overview of compliance policies across a different scope?

Answer 60

Through the portal, look for the policy service. You can change the scope and see the policy compliance of that scope.

Question 61

What are the minimum requirements for a custom policy definition?

Answer 61

A json doc with displayName, description,mode, parameters and policyRule.

Question 62

How to create a custom policy?

Answer 62

Policy -> definitions -> input custom json policy into text field -> add any additional metadata such as role definitions, whether it’s a storage account etc. -> click save -> assign policy to a resource or resource group -> set in the review and create tab whether this is a deny policy ( enforced) or if it’s just to audit in the compliance tabs

Question 63

What is the purpose of assigning tags to a resource?

Answer 63

Tags are name value metadata pairs which can be added to a resource and used as any other metadata would be used such as querying , organising, labelling etc. You could for example have a tag for the subject matter (billing, quotes) or contact details ( contact name or email for questions about the resource) team name, environment name etc.

Tags can be used as a filter in the cost analysis interface.

Tags can be be made mandatory via policies.

Question 64

What does it mean to move a resource?

Answer 64

It means to move a resource from one resource group to another. You select it and find the options ‘move to another region’ and ‘move to another resource group’. It’s can be a bit slow to query whether the move is possible.

Moving resources can break other resources which rely on it as moving a resource can change the resource because the subscription and the resource name are components of the resource ID so moving the resource changes the id and potentially breaks other parts of your infrastructure.

Question 65

In powershell how can you assign a policy to a resource?

Answer 65

New-AzPolicyAssignment -Scope $rg.Resourceld -PolicyDefinition §definition -Name RGLocationMatch -DisplayName
“Resource group location and region match “

Question 66

What are management groups?

Answer 66

Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

So management groups are to subscriptions what resource groups are to resources. Management groups can only contain subscriptions or other nested management groups