Identity, Access, and Security in Azure
Flashcard Study
What is Azure Active Directory?
Azure Active Directory (since renamed Microsoft Entra ID) is Microsoft's cloud-based identity and access management service: it authenticates users, devices and applications and authorizes their access to resources, using modern protocols such as OAuth 2.0, OpenID Connect and SAML.
What Azure AD licenses are available?
Azure Active Directory Free, the Office 365 apps edition (included with Office 365 E1, E3, E5, F1 and F3 subscriptions), Azure Active Directory Premium P1, and Azure Active Directory Premium P2 are the Azure AD licenses available.
What does Azure Active Directory Premium P1 offer?
Azure Active Directory Premium P1 offers everything the Free edition offers, plus capabilities for hybrid users who need access to both on-premises and cloud resources, and advanced administration such as Conditional Access, dynamic groups, self-service group management, Microsoft Identity Manager support, and cloud write-back so on-premises users can use self-service password reset.
What does Azure Active Directory Premium P2 offer?
Azure Active Directory Premium P2 offers everything the Free edition and Premium P1 offer, plus Azure Active Directory Identity Protection (risk-based Conditional Access driven by sign-in risk and user risk) and Privileged Identity Management (just-in-time activation of privileged roles, with access reviews).
What is Application Proxy in Azure AD?
Application Proxy is an application management feature in Azure AD that publishes on-premises web applications to remote users through Azure AD: a lightweight connector installed on-premises makes only outbound connections to the Application Proxy service, so no inbound firewall ports are opened, and users are pre-authenticated by Azure AD (so Conditional Access and MFA apply) before any traffic reaches the internal application.
What is Single Sign-On in Azure AD?
Single sign-on is an application management feature in Azure AD that allows users to access multiple applications with a single set of credentials.
What is Self-Service Password Reset in Azure AD?
Self-service password reset is an authentication feature in Azure AD that allows users to reset their passwords without IT assistance.
What is Multi-Factor Authentication in Azure AD?
Multi-factor authentication is an authentication feature in Azure AD that requires users to provide multiple forms of authentication to access resources.
What is a custom banned password list in Azure AD?
A custom banned password list is an authentication feature in Azure AD that allows administrators to specify a list of passwords that are banned for use.
What is Smart Lockout in Azure AD?
Smart Lockout is an authentication feature in Azure AD that helps prevent brute-force and password-spray attacks by locking an account after a threshold of failed sign-in attempts (10 by default) for a lockout duration (60 seconds by default, growing with each subsequent lockout). It distinguishes sign-ins that look like the legitimate user from those of an unknown source and tracks them separately, so the attacker is locked out while the real user can still sign in, and it does not count repeated attempts with the same wrong password. The threshold and duration are configurable per tenant under Password protection.
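The behaviour above, as an added example that is not Microsoft code and not part of the original flashcards: a small Python model of smart lockout. The threshold (10 attempts) and base lockout (60 seconds) are the documented defaults; the separate counters for familiar versus unknown sources, the rule that repeating the same wrong password does not increment the counter, and the growing lockout duration are modelled in the simplest way that shows the effect. The account names, passwords and attempt timings are constructed for the example.

```python
# Added example (not Microsoft code): a model of the smart lockout behaviour
# described above. Threshold (10) and base lockout (60 s) are the documented
# defaults; the per-source counters, the "same wrong password does not count
# again" rule and the growing lockout duration are modelled simply. Accounts,
# passwords and attempt timings are constructed for the example.
import hashlib
from dataclasses import dataclass, field

DEFAULT_THRESHOLD = 10          # failed attempts before lockout
DEFAULT_LOCKOUT_SECONDS = 60    # first lockout duration


@dataclass
class Counter:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    recent_bad: list = field(default_factory=list)  # last three wrong-password hashes


class SmartLockout:
    def __init__(self, threshold=DEFAULT_THRESHOLD, lockout_seconds=DEFAULT_LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.credentials = {}   # account -> stored hash (stand-in for the directory)
        self.counters = {}      # (account, familiar_source) -> Counter

    @staticmethod
    def _digest(password):
        # Illustration only: a real credential store uses a salted, slow password hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def set_password(self, account, password):
        self.credentials[account] = self._digest(password)

    def attempt(self, account, password, familiar, now):
        """Process one sign-in at time `now` (seconds). Returns 'locked', 'success' or 'failure'.

        `familiar` is True when the sign-in looks like the legitimate user (known
        device or network) and False for an unknown source; each gets its own
        counter, so an attacker's guesses do not lock the real user out.
        """
        counter = self.counters.setdefault((account, familiar), Counter())
        if now < counter.locked_until:
            return "locked"
        digest = self._digest(password)
        if digest == self.credentials.get(account):
            counter.failures = 0
            counter.recent_bad.clear()
            return "success"
        if digest not in counter.recent_bad:        # same wrong password again: no increment
            counter.recent_bad = (counter.recent_bad + [digest])[-3:]
            counter.failures += 1
        if counter.failures >= self.threshold:
            counter.lockouts += 1
            counter.locked_until = now + self.lockout_seconds * counter.lockouts
            counter.failures = 0
        return "failure"


def password_spray_scenario():
    """Attacker guesses 11 distinct passwords from an unknown source while the
    real user signs in from a familiar device. Returns the observed outcomes."""
    sl = SmartLockout()
    sl.set_password("alice", "correct-horse-battery-staple")
    attacker = [sl.attempt("alice", f"Guess{i}!", familiar=False, now=i) for i in range(11)]
    legit = sl.attempt("alice", "correct-horse-battery-staple", familiar=True, now=11)
    attacker_after_expiry = sl.attempt("alice", "Guess11!", familiar=False, now=70)
    return attacker, legit, attacker_after_expiry
```

In the scenario the tenth distinct wrong guess locks the unknown source for 60 seconds, the eleventh guess is refused as locked, and the legitimate user still signs in from the familiar device during that minute; after the lockout expires the counter starts again from zero.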
What does Privileged Identity Management in Azure AD do?
Privileged Identity Management (PIM) in Azure AD lets administrators manage, control, and monitor access to important resources: privileged roles are made eligible rather than permanently assigned, are activated just in time for a limited duration (optionally requiring MFA, a justification, or approval), and every activation is audited and can be subject to access reviews.
What is Azure Active Directory Domain Services (Azure AD DS)?
Azure Active Directory Domain Services is a managed version of a traditional on-prem active directory that offers domain join, group policy, LDAP, and Kerberos and NTLM authentication in the cloud, without the need to deploy or manage any domain controllers.
How does Azure Active Directory Domain Services work?
When you deploy Azure Active Directory Domain Services, Azure creates a managed domain on the specified virtual network and spins up a replica set of two Windows Server domain controllers running on VMs. The managed domain is configured for one-way synchronization, synchronizing users, groups and credential hashes from Azure Active Directory to the managed domain; changes made in the managed domain are not written back.
What is the difference between Azure Active Directory and Azure Active Directory Domain Services?
Azure Active Directory is the cloud identity provider that users and applications sign in to with modern protocols (OAuth 2.0, OpenID Connect, SAML), while Azure Active Directory Domain Services provides the legacy domain features those protocols lack (domain join, group policy, LDAP, Kerberos and NTLM) for lift-and-shift workloads. Azure Active Directory Domain Services replicates identity information from Azure Active Directory and works with both cloud-only Azure AD tenants and tenants synchronized with an on-premises Active Directory.
How are Azure Active Directory Domain Services Domain Controllers managed?
The Domain Controllers for Azure Active Directory Domain Services are managed by the Azure platform: you cannot connect to them with RDP, hold Domain Admin or Enterprise Admin rights on them, or change their configuration. Day-to-day administration (creating OUs, joining machines, editing group policy) is delegated to members of the AAD DC Administrators group.
Can users in external directories be synchronized into Azure Active Directory Domain Services?
No, users in external directories linked to Azure Active Directory will not be available in Azure Active Directory Domain Services because their credentials are not available for synchronization.
What are the benefits of using Azure Active Directory Domain Services?
Easy deployment, simplified user and group management, support for Kerberos and NTLM authentication, high availability, and the ability to deploy applications that rely on Windows integrated authentication.
What happens when you deploy Azure Active Directory Domain Services?
Azure creates a managed domain on the specified virtual network and spins up two Windows server domain controllers running on VMs, which are managed by the Azure platform.
How does one-way synchronization work in Azure Active Directory Domain Services?
The one-way synchronization feature in Azure Active Directory Domain Services synchronizes objects from Azure Active Directory to the managed Azure Active Directory Domain Services domain, providing a central set of users, groups, and credentials.
What types of authentication are supported by Azure Active Directory Domain Services?
Azure Active Directory Domain Services supports Kerberos and NTLM authentication.
What is the main function of Azure Active Directory?
The main function is to verify or authenticate credentials of an end user when signing into a device, service, or application.
What does Azure Active Directory's self-service password reset feature allow users to do?
The self-service password reset feature allows users to change their passwords, reset forgotten passwords, and unlock their accounts via a web browser from virtually any device.
What is multi-factor authentication and how does it work?
Multi-factor authentication requires users to prove their identity with more than one form of evidence during sign-in. The factors fall into three categories: something the user knows, something the user has, and something the user is; at least two different categories must be combined, so a password plus a second password is not MFA, but a password plus an authenticator-app prompt is.
What is passwordless authentication and how does it work in Azure Active Directory?
Passwordless authentication is a method for users to authenticate without creating or remembering a password. Azure Active Directory allows for native authentication through passwordless methods such as biometrics and security keys.
How does password protection work in Azure Active Directory?
Azure Active Directory blocks weak passwords by maintaining a global banned password list, which Microsoft updates automatically from observed attacks and leaks. Custom password protection policies (a tenant-specific banned list) can also be defined and extended to on-premises Active Directory environments to enforce the use of strong passwords.
Can users self-register for self-service password reset and multi-factor authentication in Azure Active Directory?
Yes, users can self-register for both self-service password reset and multi-factor authentication.
What is the URL for the password reset portal in Azure Active Directory?
The URL for the password reset portal is https://aka.ms/sspr.
What is the “something you know” piece in multi-factor authentication?
The something you know piece in multi-factor authentication is usually a password.
What is the “something you have” piece in multi-factor authentication?
The something you have piece in multi-factor authentication is usually a smart phone or hardware key.
What is the “something you are” piece in multi-factor authentication?
The something you are piece in multi-factor authentication includes biometrics such as fingerprints or face scans.
Can password protection policies be customized in Azure Active Directory?
Yes, password protection policies can be customized in Azure Active Directory to block passwords deemed insecure.
Can password protection be integrated with on-premise active directory environments in Azure Active Directory?
Yes, password protection in Azure Active Directory can be extended to an on-premises Active Directory environment by installing two components: the Azure AD Password Protection proxy service, which forwards requests from domain controllers to Azure AD, and the DC agent on each domain controller, which downloads the global banned password list and the tenant's custom policy and evaluates password changes against them locally, so a user's passwords are never sent to the cloud.
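The banned-password evaluation described in the custom banned password list, password protection and on-premises integration cards above, as an added example that is not Microsoft code and not part of the original flashcards: a Python model of the documented scoring. The normalisation (lower-case, undo the 0/1/$/@ substitutions), the substring match against the global list, the tenant custom list and user or tenant attributes of four or more characters, and the five-point acceptance threshold follow Microsoft's public description; fuzzy (edit-distance-1) matching is left out. The banned lists and the user attributes in the code are constructed stand-ins, not the real global list.

```python
# Added example (not Microsoft code): a model of the documented way Azure AD
# Password Protection scores a candidate password. Normalisation, substring
# matching and the five-point threshold follow the public documentation;
# fuzzy matching is omitted. GLOBAL_BANNED and the user attributes used in the
# tests are constructed stand-ins, not Microsoft's real banned list.

# Characters the normalisation maps back before matching.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-in for the global banned password list.
GLOBAL_BANNED = {"password", "contoso", "blank", "summer", "welcome"}
MIN_SCORE = 5


def normalize(password):
    """Lower-case the password and undo the common substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_terms(custom_banned=(), user_attributes=()):
    """All terms a password is tested against, normalised the same way.

    User and tenant attributes (names, tenant name) shorter than four
    characters are ignored, as documented."""
    attributes = {a for a in user_attributes if len(a) >= 4}
    return {normalize(t) for t in GLOBAL_BANNED | set(custom_banned) | attributes}


def score_password(password, custom_banned=(), user_attributes=()):
    """Return (score, matched_terms).

    Each banned-term instance found in the normalised password counts one
    point and each character left over counts one point. Longest terms are
    matched first (a simplification) so "contoso" is not split into fragments.
    """
    remaining = normalize(password)
    matched = []
    terms = sorted(banned_terms(custom_banned, user_attributes), key=lambda t: (-len(t), t))
    for term in terms:
        while term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "\x00", 1)  # consume that instance
    leftover = remaining.replace("\x00", "")
    return len(matched) + len(leftover), matched


def is_acceptable(password, custom_banned=(), user_attributes=()):
    """Accept when the score reaches the documented five-point threshold."""
    return score_password(password, custom_banned, user_attributes)[0] >= MIN_SCORE
```

Worked through: "C0ntos0Blank12" normalises to "contosoblank12", which is two banned terms plus the two characters "12", four points, so it is rejected even though it mixes case, digits and letters; "ContoS0Bl@nkb!c" leaves three characters after the same two terms and reaches five. A password built from a user's surname such as "W0nderland1!" scores only three once the attribute match is counted.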
What is Conditional Access in Azure AD?
Conditional Access is a feature in Azure Active Directory that allows you to decide who can access apps and data and who can’t, depending on conditions specified by you.
How does Conditional Access work?
Conditional Access works by looking at signals like user, location, device, application, and risk to automate access to apps and data.
What are the signals used in Conditional Access policies?
The signals used in Conditional Access policies include User or Group Membership, Named location information, Device, Application, Real-time sign-in risk detection, Cloud apps or actions, and User risk.
What is the Device signal used for in Conditional Access policies?
The Device signal is used to create a policy that targets users with specific devices or devices in a specific state.
What is the Real-time sign-in risk detection signal used for in Conditional Access policies?
The Real-time sign-in risk detection signal uses Identity Protection's evaluation of the sign-in itself (for example an anonymous IP address, atypical travel, or unfamiliar sign-in properties) so that a policy can require multifactor authentication or block access before the user reaches apps or data.
What is the User risk signal used for in Conditional Access policies?
The User risk signal is Identity Protection's estimate of the probability that the account itself is compromised (for example its credentials appeared in a leaked-credential dump), and a Conditional Access policy can respond by requiring a secure password change together with multifactor authentication, or by blocking access.
What are access controls in Conditional Access policies?
Access controls in Conditional Access policies are used to dictate what happens when the conditions of a policy are met. They determine whether access should be granted or not and if extra verification is required.
What is the difference between signals and access controls in Conditional Access policies?
Signals are used to determine who or what gets targeted, while access controls are used to dictate what happens when the conditions of a policy are met.
Is Conditional Access only available in the paid editions of Azure AD?
Yes, Conditional Access is only available in the paid editions of Azure AD.
What license is required to use Conditional Access in Azure AD?
An Azure AD Premium P1 license is required to use Conditional Access in Azure AD. Microsoft 365 Business Premium licenses also have access to Conditional Access features.
What license is required for Risk-based policies in Conditional Access?
Access to Identity Protection, an Azure AD P2 feature, is required for Risk-based policies in Conditional Access.
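The signals and access controls described in the Conditional Access cards above, as an added example that is not Microsoft code and not part of the original flashcards: a Python evaluator that applies policies written in the JSON shape of the Microsoft Graph conditionalAccessPolicy resource to the signals of one sign-in. The field names and the evaluation rules (every enabled policy whose conditions match applies, any block wins, otherwise the grant controls of every matching policy must be satisfied) are Azure's; the policy contents, the user, group and application identifiers, the named locations, and the sample sign-ins are all constructed for the example, including the hypothetical emergency-access account that every policy excludes.

```python
# Added example (not Microsoft code): Conditional Access policies in the Graph
# conditionalAccessPolicy shape, evaluated against constructed sign-in signals.
# Identifiers, names, locations and the emergency-access account are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user_id: str
    groups: frozenset
    app_id: str
    location: str       # named location the client IP resolved to
    trusted: bool       # whether that named location is marked trusted
    sign_in_risk: str   # none | low | medium | high (Identity Protection, P2)
    user_risk: str      # none | low | medium | high


BREAK_GLASS = "user:emergency-access-01"   # hypothetical emergency-access account
ALL_USERS = {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]}  # always excluded
ALL_APPS = {"includeApplications": ["All"]}

POLICIES = [
    {   # Signal: every user. Control: MFA.
        "displayName": "CA001 Require MFA for all users", "state": "enabled",
        "conditions": {"users": ALL_USERS, "applications": ALL_APPS},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Signal: finance group, finance app, any location except trusted ones.
        "displayName": "CA002 Finance app needs a compliant device off-network", "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["group:finance"], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": ["app:finance"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {   # Signal: real-time sign-in risk (needs Identity Protection). Control: block.
        "displayName": "CA003 Block high sign-in risk", "state": "enabled",
        "conditions": {"users": ALL_USERS, "applications": ALL_APPS, "signInRiskLevels": ["high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Signal: user risk. Control: MFA and a password change, both required.
        "displayName": "CA004 High user risk: MFA and password change", "state": "enabled",
        "conditions": {"users": ALL_USERS, "applications": ALL_APPS, "userRiskLevels": ["high"]},
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    },
]


def user_in_scope(users, s):
    if s.user_id in users.get("excludeUsers", ()) or s.groups & set(users.get("excludeGroups", ())):
        return False
    included = users.get("includeUsers", ())
    return "All" in included or s.user_id in included or bool(s.groups & set(users.get("includeGroups", ())))


def location_in_scope(locations, s):
    if locations is None:                       # condition not configured: matches everything
        return True
    excluded = locations.get("excludeLocations", ())
    if s.location in excluded or ("AllTrusted" in excluded and s.trusted):
        return False
    included = locations.get("includeLocations", ())
    return "All" in included or s.location in included


def policy_applies(policy, s):
    c = policy["conditions"]
    apps = c["applications"]["includeApplications"]
    return (user_in_scope(c["users"], s)
            and ("All" in apps or s.app_id in apps)
            and location_in_scope(c.get("locations"), s)
            and s.sign_in_risk in c.get("signInRiskLevels", [s.sign_in_risk])
            and s.user_risk in c.get("userRiskLevels", [s.user_risk]))


def evaluate(policies, s):
    """Decision for one sign-in plus the policies that applied. Report-only
    policies (state enabledForReportingButNotEnforced) are skipped here."""
    applied, requirements, blocked = [], [], False
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, s):
            continue
        applied.append(p["displayName"])
        controls = p["grantControls"]
        if "block" in controls["builtInControls"]:
            blocked = True
        else:
            requirements.append((controls["operator"], tuple(controls["builtInControls"])))
    if blocked:
        return {"decision": "block", "policies": applied}
    return {"decision": "grant", "policies": applied, "requirements": requirements}
```

The excluded emergency-access account matches no policy at all, which is the point: if an MFA method or a named location is misconfigured, that account is the one that can still sign in and repair the policies, so it needs strong protection of its own (a long random password stored offline and alerting on every sign-in).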
What is Azure role-based access control (RBAC)?
Azure RBAC is the authorization system for Azure resources (management groups, subscriptions, resource groups, and individual resources). A role assignment binds a security principal (user, group, service principal or managed identity) to a role definition (a set of allowed Actions and NotActions) at a scope, and assignments are inherited by every child scope. Azure AD roles such as Global Administrator are a separate role system that governs Azure AD itself; the two meet only when a Global Administrator elevates access to User Access Administrator at the root scope.
What are the most common built-in roles in Azure AD?
The most common built-in Azure AD roles are Global Administrator, User Administrator, and Billing Administrator.
What can a Global Administrator do in Azure Active Directory?
A Global Administrator has access to all administrative features in Azure Active Directory and in every Microsoft 365 service that uses Azure AD identities, including resetting any user's password and, by elevating access, taking control of every Azure subscription in the tenant; Microsoft recommends keeping fewer than five Global Administrators, all protected with MFA, and using less privileged roles for routine work.
What are the responsibilities of a User Administrator in Azure AD?
A User Administrator can create and manage user accounts and groups, manage support tickets, and monitor service health.
What are the responsibilities of a Billing Administrator in Azure AD?
A Billing Administrator can make purchases, manage subscriptions and support tickets, and monitor service health.
What is the process for using a custom role in Azure AD?
The process for using a custom role in Azure AD is to first create the role definition, which is a collection of permissions, and then assign it to a user by creating a role assignment.
What license do you need to use Custom roles in Azure AD?
You need an Azure AD Premium P1 or P2 license to use Custom roles in Azure AD.
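The two-step custom role process and the Azure RBAC rules from the cards above, as an added example that is not Microsoft code and not part of the original flashcards: a Python model of how Azure RBAC answers "may this principal perform this action at this scope?". The role-definition shape (Actions, NotActions, AssignableScopes), the assignment shape (principal, role, scope), inheritance down the scope hierarchy and wildcard matching of operation strings follow Azure's documented behaviour. The built-in Reader and Contributor definitions are abbreviated from the real ones; the "VM Operator" custom role, the subscription ID, the resource names and the principals are constructed for the example.

```python
# Added example (not Microsoft code): an Azure RBAC authorization check with
# the documented role-definition and role-assignment shapes. Reader and
# Contributor are abbreviated from the real built-in roles; "VM Operator",
# the subscription ID, resource names and principals are constructed.
import fnmatch

SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-test-01"

ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]},
    "Contributor": {   # abbreviated: the real NotActions list is longer
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "AssignableScopes": ["/"],
    },
    "VM Operator": {   # custom role, step 1: the role definition (least privilege)
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": [],
        "AssignableScopes": [SUB],
    },
}


def scope_covers(parent, child):
    """Assignments are inherited: a role granted at a scope applies to every child scope."""
    parent, child = parent.lower().rstrip("/"), child.lower()
    return parent == "" or child == parent or child.startswith(parent + "/")


def assign_role(assignments, principal_id, role_name, scope):
    """Custom role, step 2: the role assignment. Azure refuses a scope that is
    not inside one of the definition's AssignableScopes."""
    role = ROLE_DEFINITIONS[role_name]
    if not any(scope_covers(s, scope) for s in role["AssignableScopes"]):
        raise ValueError(f"{role_name} cannot be assigned at {scope}")
    assignments.append({"principalId": principal_id, "roleDefinitionName": role_name, "scope": scope})


def matches(patterns, action):
    """Operation strings compare case-insensitively and '*' spans '/' segments."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(assignments, principal_id, action, scope):
    """Effective permission is the union, over the principal's assignments that
    cover the scope, of (Actions minus NotActions). NotActions only narrow
    their own role: they are not a deny and cannot remove a right granted by
    another assignment (that is what separate deny assignments are for)."""
    for a in assignments:
        if a["principalId"] != principal_id or not scope_covers(a["scope"], scope):
            continue
        role = ROLE_DEFINITIONS[a["roleDefinitionName"]]
        if matches(role["Actions"], action) and not matches(role["NotActions"], action):
            return True
    return False


def build_assignments():
    """Constructed tenant: a reader on the subscription, an operator and a
    contributor on the production resource group only."""
    assignments = []
    assign_role(assignments, "user:alice", "Reader", SUB)
    assign_role(assignments, "user:bob", "VM Operator", RG_PROD)
    assign_role(assignments, "user:carol", "Contributor", RG_PROD)
    return assignments
```

Two things the model makes visible: the VM Operator assigned at rg-prod can restart vm-web-01 but nothing in rg-dev, and the Contributor's NotActions stop carol from writing role assignments (so she cannot grant herself more rights) while leaving her free to delete the VM, which is why Contributor is still far from least privilege for an operator.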
What is Privileged Identity Management in Azure AD?
Privileged Identity Management in Azure AD adds an extra level of security to role assignment by making assignments eligible instead of permanently active: the user must activate the role when it is needed, activation can require an action such as an MFA check, a justification or an approver's consent, and the activated role expires after a configured time.
What is an active assignment in Azure AD Privileged Identity Management?
An active assignment in Azure AD Privileged Identity Management doesn't require the user to perform any action to use the role. The user has the privileges of the role at all times.
What is the Zero Trust Methodology?
Zero Trust Methodology is a security approach that assumes that everything in the environment is connected to an open and untrusted network and requires the verification of everything before granting access.
What is meant by "Zero Trust"?
"Zero Trust" means that the organization does not trust the integrity of the corporate network and verifies everything before granting access.
What are the three principles that underpin the Zero Trust model?
The three principles that underpin the Zero Trust model are Verify explicitly, Least Privilege Access, and Assume Breach.
What is Least Privilege Access?
Least Privilege Access is a security principle that limits user access to resources using "just-in-time" and "just-enough" access (JIT/JEA), risk-based adaptive policies, and data protection, so that users hold only the minimum rights, for only the time, needed to do their job.
What are the six foundational pillars of the Zero Trust model?
The six foundational pillars of the Zero Trust model are Identities, Devices, Applications, Data, Infrastructure, and Networks.
What is meant by Identities in the Zero Trust model?
Identities in the Zero Trust model are users, services, and devices; each must be verified with strong authentication whenever it requests a resource, and the access it is granted must follow least privilege.
What is Defense in Depth?
Defense in depth is a multi-layered approach to security, where each layer provides a separate layer of protection to slow down an attacker and prevent unauthorized access to data.
What are the layers of security in a typical Defense in Depth strategy?
Physical layer, Identity and Access security, Perimeter security, Network security, Compute layer, Application layer, and Data layer.
What is Physical security in the Defense in Depth model responsible for?
Physical security is responsible for limiting access to the datacenter to only authorized personnel.
What is Identity and Access security in the Defense in Depth model responsible for?
Identity and Access security controls access to infrastructure and change control.
What does Perimeter security protect against in the Defense in Depth model?
Perimeter security protects against DDoS attacks by filtering them before they cause an actual denial of service for end users.
What is the purpose of Network security in the Defense in Depth model?
Network security limits communications between resources to only that communication that is necessary through segmentation and access controls.
What is the Compute layer responsible for in the Defense in Depth model?
The Compute layer secures access to virtual machines and other compute: management ports such as RDP and SSH are closed to the internet, endpoint protection is deployed, and operating systems are kept patched.
What does Application layer security do in the Defense in Depth model?
Application layer security ensures that applications are secure and free of security vulnerabilities.
What is Data layer security responsible for in the Defense in Depth model?
Data layer security controls access to business and customer data, and encryption to protect data.
What are the three parts of the CIA model?
Confidentiality, Integrity, and Availability.
How is Confidentiality maintained in the CIA model?
Confidentiality is maintained by keeping sensitive data, such as customer information, passwords, and financial records, accessible only to authorized parties, through access control and encryption.
How is Integrity maintained in the CIA model?
Integrity is maintained by ensuring that data and messages are correct, and that data hasn't been tampered with.
How is Availability maintained in the CIA model?
Availability is maintained by keeping data and services reachable by those who need them, through redundancy, backups, and protection against denial-of-service attacks.
What is the goal of the CIA model?
The goal of the CIA model is to think about security trade-offs in terms of Confidentiality, Integrity, and Availability.
What is Defender for Cloud?
Defender for Cloud is a tool for security posture management and threat protection that strengthens the security posture of cloud resources and protects workloads running in Azure, hybrid, and other cloud platforms.
What is the purpose of Defender for Cloud?
Defender for Cloud helps harden resources, track security posture, protect against cyber attacks, and streamline security management.
What is the secure score in Defender for Cloud?
The secure score in Defender for Cloud is a single score that indicates the current security situation at a glance. The higher the score, the lower the identified risk level.
What are security recommendations in Defender for Cloud?
Security recommendations in Defender for Cloud are customized and prioritized hardening tasks to improve security posture. They provide detailed remediation steps and some recommendations offer a "Fix" button for automated implementation.
What is the purpose of security alerts in Defender for Cloud?
Security alerts in Defender for Cloud detect threats to resources and workloads and appear in the Azure portal or can be sent by email to relevant personnel. They can also be streamed to SIEM, SOAR, or IT Service Management solutions as required.
What is the purpose of the security governance and regulatory compliance in Defender for Cloud?
The purpose of security governance and regulatory compliance in Defender for Cloud is to assess resources against regulatory standards such as NIST SP 800-53 and the CIS Microsoft Azure Foundations Benchmark (with the Microsoft cloud security benchmark applied by default), or against organization-specific security requirements, and to show in a compliance dashboard which controls pass and which need remediation.