MS-102 Identity Management Flashcards

Claude generated (24 cards)

1
Q

What is Entra ID Connect and what are its primary synchronization options?

A

A tool that connects on-premises identity infrastructure with Entra ID. Its primary synchronization options are:

-Password Hash Synchronization (PHS)
-Pass-through Authentication (PTA)
-Federation with AD FS

2
Q

What is Password Hash Synchronization (PHS) and its benefits?

A

A synchronization method that copies a hash of the hash of each user's password from on-premises AD to Entra ID. Benefits include:

-Simplest authentication option with lowest maintenance
-No on-premises authentication infrastructure required
-Built-in password leak detection
-Supports seamless SSO

3
Q

What is Pass-through Authentication (PTA) and when should it be used?

A

An authentication method where password validation occurs against on-premises Active Directory without replicating password hashes to the cloud. Used when:

-Organization security policies prohibit syncing password hashes to the cloud
-You need to enforce on-premises user account states, password policies, and logon hours immediately
-You need to log authentication events to on-premises servers

4
Q

What is Federation in Entra ID and when is it appropriate?

A

An authentication model that delegates authentication to a separate trusted system such as AD FS. Appropriate when:

-Smart card authentication or certificates are required
-On-premises MFA server must be used
-Third-party authentication solution must be used
-You need sign-in solutions not supported by Entra ID

5
Q

What is Hybrid Identity in Microsoft 365?

A

A user identity that exists both in on-premises Active Directory and in Entra ID, linked together with Entra ID Connect. Enables users to use the same credentials to access both on-premises and cloud resources.

6
Q

What are Administrative Units in Entra ID?

A

Containers of resources that can be used to delegate administrative permissions to specific portions of your organization. They allow you to segment your Entra ID resources and assign administrators to specific segments rather than to the entire tenant.

7
Q

What is Privileged Identity Management (PIM) and its key features?

A

A service in Entra ID that enables you to manage, control, and monitor access to important resources. Key features include:

-Just-in-time privileged access to Entra ID and Azure resources
-Time-bound access with start/end dates
-Approval workflows for role activation
-Multi-factor authentication requirement for role activation
-Notifications when privileged roles are activated
-Access reviews to recertify continued need for privileges

8
Q

What is Entra ID Identity Protection?

A

A security service that uses machine learning algorithms and heuristics to detect anomalies and risk events related to user identities. It provides:

-Risk-based Conditional Access
-Real-time detection of suspicious activities
-Risk investigation and remediation workflows
-Risk event types (sign-ins from anonymous IP addresses, impossible travel, etc.)
-User risk levels (low, medium, high)

9
Q

What is Conditional Access in Entra ID and what conditions can be evaluated?

A

A feature that controls access to applications and resources based on specific conditions. Conditions that can be evaluated include:

-User or group membership
-IP location information
-Device status (compliant, hybrid Azure AD joined)
-Application being accessed
-Real-time risk detection
-Microsoft Intune app protection policies

10
Q

What are Entra ID Security Defaults?

A

A set of basic identity security mechanisms enabled with one click for all users in a tenant. They include:

-Requiring all users to register for MFA
-Requiring administrators to perform MFA
-Blocking legacy authentication protocols
-Requiring MFA for high-risk activities
-Protecting privileged activities like access to the Entra ID portal

11
Q

What is Multi-Factor Authentication in Microsoft 365 and what methods are supported?

A

A security feature that requires users to verify their identity using multiple verification methods. Supported methods include:

-Microsoft Authenticator app (push notification or code)
-OATH hardware tokens and OATH software tokens
-SMS text messages
-Voice call to phone
-Windows Hello for Business
-FIDO2 security keys

12
Q

What is Self-Service Password Reset (SSPR) and how is it configured?

A

A feature that allows users to reset their passwords without administrator intervention. Configuration includes:

-Defining which users/groups can use SSPR
-Specifying required authentication methods (phone, email, security questions)
-Setting registration requirements
-Configuring notifications for password resets
-Enabling on-premises password writeback

13
Q

What is Password Writeback?

A

A feature that allows password changes made in Entra ID (including SSPR) to be written back to on-premises Active Directory. It requires:

-Entra ID Connect with the correct permissions
-Outbound connectivity from on-premises to Entra ID
-Entra ID Premium P1 or P2 license

14
Q

What is Entra ID Seamless Single Sign-On?

A

A feature that automatically signs users in when they are on their corporate devices connected to the corporate network.

15
Q

What are Microsoft 365 Groups and how do they differ from other group types?

A

Microsoft 365 Groups are the foundation for team collaboration in Microsoft 365. Unlike traditional security groups, they:

-Provide a single identity for a team across multiple Microsoft 365 services
-Include a shared mailbox, calendar, and document library
-Connect to Teams, Planner, Power BI, and other services
-Support self-service creation and management by users

16
Q

What is Group-Based Licensing in Entra ID?

A

A feature that allows administrators to assign licenses to Entra ID groups instead of to individual users. Benefits include:

-Automating license management based on group membership
-Enforcing consistent license assignments for specific roles
-Simplifying license tracking and management
-Supporting license inheritance from multiple groups

17
Q

What are External Identities in Entra ID?

A

Features that allow external users to access your resources with their own identities. Types include:

-B2B collaboration: For business partners, with invitation workflow
-B2B direct connect: For cross-tenant collaboration with partner organizations
-Entra ID B2C: For customer identity and access management

18
Q

What are Access Reviews in Entra ID?

A

Scheduled reviews of user access to applications, groups, and roles to ensure only appropriate users retain access. Features include:

-Automated periodic reviews of access rights
-Self-attestation by users or review by designated reviewers
-Automatic removal of access if not approved
-Audit trail of all review decisions
-Reporting and compliance capabilities

19
Q

What is the difference between Permanent and Eligible role assignments in PIM?

A

Permanent assignment: User always has the role privileges; no activation needed
Eligible assignment: User must activate the role when needed, subject to:

-Approval requirements
-Time limitations
-Multi-factor authentication
-Justification requirement
-Notification of activation

20
Q

What is Identity Governance in Entra ID?

A

A set of capabilities to ensure appropriate access to resources across your organization. Components include:

-Access reviews for groups and applications
-Privileged access management and lifecycle
-Terms of use for conditional access
-Access package catalogs
-Entitlement management workflows
-Lifecycle workflows for identity management

21
Q

What is Identity Secure Score in Microsoft 365?

A

A measurement of an organization’s security posture for identity-related security controls. It:

-Provides visibility into identity security configurations
-Compares settings to Microsoft-recommended baselines
-Offers improvement actions with relative impact scores
-Tracks progress over time
-Reports on identity-related security settings

22
Q

What are the primary passwordless authentication methods in Microsoft 365?

A

Primary passwordless authentication methods include:

-Windows Hello for Business: Biometric and PIN-based authentication
-Microsoft Authenticator app: Phone-based passwordless sign-in
-FIDO2 security keys: Physical security keys using standards like WebAuthn
-Certificate-based authentication: Smart cards or software certificates
-Temporary Access Pass: Time-limited codes for account recovery

23
Q

What is Entra ID Password Protection?

A

A feature that helps prevent users from creating passwords that can be easily guessed. It includes:

-Global banned password list maintained by Microsoft
-Custom banned password list defined by administrators
-Detection of common character substitutions (like “0” for “o”)
-Application to both cloud and on-premises environments (with proxy)
-Password policy enforcement during password creation/change operations

24
Q

What are Tenant Restrictions in Entra ID?

A

A feature that allows organizations to control which Entra ID tenants their users can access. It works by:

-Restricting access to a list of authorized tenant IDs
-Relying on proxy servers or firewalls for enforcement
-Blocking access to unauthorized Microsoft 365 tenants
-Requiring specific configuration of those proxy systems
-Using HTTP headers to signal which tenants are permitted