Azure Active Directory is a cloud-based identity and access management service that allows users to sign-in and access resources.

Azure Active Directory Free, Azure Active Directory Premium P1, Azure Active Directory Premium P2, and Office 365 Apps version are the Azure AD licenses available.

Azure Active Directory Premium P1 offers everything the free version offers, with the addition of hybrid users and resources in the cloud and advanced administration capabilities.

Azure Active Directory Premium P2 offers everything the free version and Premium P1 offer, with the addition of Azure Active Directory identity protection and privileged identity management.

Application Proxy is an application management feature in Azure AD that allows managing cloud and on-prem applications.

Single sign-on is an application management feature in Azure AD that allows users to access multiple applications with a single set of credentials.

Self-service password reset is an authentication feature in Azure AD that allows users to reset their passwords without IT assistance.

Multi-factor authentication is an authentication feature in Azure AD that requires users to provide multiple forms of authentication to access resources.

A custom banned password list is an authentication feature in Azure AD that allows administrators to specify a list of passwords that are banned for use.

Smart Lockout is an authentication feature in Azure AD that helps prevent brute-force attacks by locking out a user account after a specified number of unsuccessful sign-in attempts.

Privileged Identity Management in Azure AD allows administrators to manage, control, and monitor access to resources within an organization.

Azure Active Directory Domain Services is a managed version of a traditional on-prem active directory that offers domain join, group policy, LDAP, and Kerberos and NTLM authentication in the cloud, without the need to deploy or manage any domain controllers.

When you deploy Azure Active Directory Domain Services, Azure creates a managed domain on the specified virtual network and spins up two Windows server domain controllers running on VMs. The managed domain is configured for one-way synchronization, synchronizing objects from Azure Active Directory to the managed domain.

Azure Active Directory is the vehicle for users to sign-in with credentials, while Azure Active Directory Domain Services is the vehicle for providing advanced management. Azure Active Directory Domain Services replicates identity information from Azure Active Directory and is fully compatible with cloud-only Azure AD tenants and Azure AD tenants synchronized with an on-prem active directory.

The Domain Controllers for Azure Active Directory Domain Services are managed by the Azure platform and are not accessible or configurable by users.

No, users in external directories linked to Azure Active Directory will not be available in Azure Active Directory Domain Services because their credentials are not available for synchronization.

Easy deployment, simplified user and group management, support for Kerberos and NTLM authentication, high availability, and the ability to deploy applications that rely on Windows integrated authentication.

Azure creates a managed domain on the specified virtual network and spins up two Windows server domain controllers running on VMs, which are managed by the Azure platform.

The one-way synchronization feature in Azure Active Directory Domain Services synchronizes objects from Azure Active Directory to the managed Azure Active Directory Domain Services domain, providing a central set of users, groups, and credentials.

Azure Active Directory Domain Services supports Kerberos and NTLM authentication.

The main function is to verify or authenticate credentials of an end user when signing into a device, service, or application.

The self-service password reset feature allows users to change their passwords, reset forgotten passwords, and unlock their accounts via a web browser from virtually any device.

Multi-factor authentication requires users to provide a second form of authentication during sign-in to ensure their identity. It requires a combination of something the user knows, something the user has, and something the user is, and at least two of these authentication factors.

Passwordless authentication is a method for users to authenticate without creating or remembering a password. Azure Active Directory allows for native authentication through passwordless methods such as biometrics and security keys.

Azure Active Directory blocks weak passwords by maintaining a global banned password list, which is automatically updated. Custom password protection policies can also be defined and integrated with on-premise active directory environments to enforce the use of strong passwords.

Yes, users can self-register for both self-service password reset and multi-factor authentication.

The URL for the password reset portal is https://aka.ms/sspr.

The something you know piece in multi-factor authentication is usually a password.

The something you have piece in multi-factor authentication is usually a smart phone or hardware key.

The something you are piece in multi-factor authentication includes biometrics such as fingerprints or face scans.

Yes, password protection policies can be customized in Azure Active Directory to block passwords deemed insecure.

Yes, password protection in Azure Active Directory can be integrated with on-premise active directory environments by installing a component and receiving Azure's global banned password list and custom password protection policies.

Conditional Access is a feature in Azure Active Directory that allows you to decide who can access apps and data and who can’t, depending on conditions specified by you.

Conditional Access works by looking at signals like user, location, device, application, and risk to automate access to apps and data.

The signals used in Conditional Access policies include User or Group Membership, Named location information, Device, Application, Real-time sign-in risk detection, Cloud apps or actions, and User risk.

The Device signal is used to create a policy that targets users with specific devices or devices in a specific state.

The Real-time sign-in risk detection signal is used to identify risky sign-in behavior and force users to perform password changes or multifactor authentication before accessing apps or data.

The User risk signal is used to evaluate the probability that a particular account is compromised and can be used as part of a Conditional Access policy.

Access controls in Conditional Access policies are used to dictate what happens when the conditions of a policy are met. They determine whether access should be granted or not and if extra verification is required.

Signals are used to determine who or what gets targeted, while access controls are used to dictate what happens when the conditions of a policy are met.

Yes, Conditional Access is only available in the paid editions of Azure AD.

An Azure AD Premium P1 license is required to use Conditional Access in Azure AD. Microsoft 365 Business Premium licenses also have access to Conditional Access features.

Access to Identity Protection, an Azure AD P2 feature, is required for Risk-based policies in Conditional Access.

Azure RBAC is a way to control access to Azure AD resources by using roles.

The most common built-in roles are Global Administrator, User Administrator, and Billing Administrator.

A Global Administrator has access to all administrative features in Azure Active Directory.

A User Administrator can create and manage user accounts and groups, manage support tickets, and monitor service health.

A Billing Administrator can make purchases, manage subscriptions and support tickets, and monitor service health.

The process for using a custom role in Azure AD is to first create the role definition, which is a collection of permissions, and then assign it to a user by creating a role assignment.

You need an Azure AD Premium P1 or P2 license to use Custom roles in Azure AD.

Privileged Identity Management in Azure AD is a feature that adds an extra level of security when assigning roles by requiring an action, such as an MFA check, before allowing the user to use the role.

An active assignment in Azure AD Privileged Identity Management doesn't require the user to perform any action to use the role. The user has the privileges of the role at all times.

Zero Trust Methodology is a security approach that assumes that everything in the environment is connected to an open and untrusted network and requires the verification of everything before granting access.

"Zero Trust" means that the organization does not trust the integrity of the corporate network and verifies everything before granting access.

The three principles that underpin the Zero Trust model are Verify explicitly, Least Privilege Access, and Assume Breach.

Least Privileged Access is a security principle that limits user access to resources based on "just-in-time" and "just-enough" access and ensures that users have the minimum necessary access to perform their job.

The six foundational pillars of the Zero Trust model are Identities, Devices, Applications, Data, Infrastructure, and Networks.

Identities in the Zero Trust model refer to users, services, and devices that need to be verified with strong authentication and access to resources must adhere to least privilege access principles.

Defense in depth is a multi-layered approach to security, where each layer provides a separate layer of protection to slow down an attacker and prevent unauthorized access to data.

Physical layer, Identity and Access security, Perimeter security, Network security, Compute layer, Application layer, and Data layer.

Physical security is responsible for limiting access to the datacenter to only authorized personnel.

Identity and Access security controls access to infrastructure and change control.

Perimeter security protects against DDoS attacks by filtering them before they cause an actual denial of service for end users.

Network security limits communications between resources to only that communication that is necessary through segmentation and access controls.

The Compute layer secures access to virtual machines by closing certain ports.

Application layer security ensures that applications are secure and free of security vulnerabilities.

Data layer security controls access to business and customer data, and encryption to protect data.

Confidentiality, Integrity, and Availability.

Confidentiality is maintained by encrypting sensitive data.

Integrity is maintained by ensuring that data and messages are correct, and that data hasn't been tampered with.

Availability is maintained by making data available to those who need it.

The goal of the CIA model is to think about security trade-offs in terms of Confidentiality, Integrity, and Availability.

Defender for Cloud is a tool for security posture management and threat protection that strengthens the security posture of cloud resources and protects workloads running in Azure, hybrid, and other cloud platforms.

Defender for Cloud helps harden resources, track security posture, protect against cyber attacks, and streamline security management.

The secure score in Defender for Cloud is a single score that indicates the current security situation at a glance. The higher the score, the lower the identified risk level.

Security recommendations in Defender for Cloud are customized and prioritized hardening tasks to improve security posture. They provide detailed remediation steps and some recommendations offer a "Fix" button for automated implementation.

Security alerts in Defender for Cloud detect threats to resources and workloads and appear in the Azure portal or can be sent by email to relevant personnel. They can also be streamed to SIEM, SOAR, or IT Service Management solutions as required.

The purpose of security governance and regulatory compliance in Defender for Cloud is to ensure compliance with security regulations such as NIST and Azure CIS or organization-specific security requirements.