Sunday, July 10, 2022

AZ-500 001 - Manage Identity and Access: Overview

AZ-500: Microsoft Azure Security Technologies

Manage Identity and Access (30-35% of exam): Overview



I. Manage Azure Active Directory (Azure AD) Identities
    1. Create and manage a managed identity for Azure resources
    2. Manage Azure AD groups
    3. Manage Azure AD users
    4. Manage external identities by using Azure AD
    5. Manage administrative units


    1. Managed identities give a workload (VM, App Service, Function, etc.) an automatically managed identity in Azure Active Directory for connecting to resources that support Azure AD authentication. Azure creates and rotates the credential; the application only requests tokens and never handles a secret. Two kinds: system-assigned (created and deleted together with one resource) and user-assigned (a standalone resource that several workloads can share).

    2. Two types of groups
        Security groups - Used to manage access to a shared resource (and to assign Azure roles, Azure AD roles and licences to many users at once).
        Microsoft 365 groups - Used to enable collaboration; gives members a shared mailbox, calendar, SharePoint site, Teams team, etc.

        Three membership types
        Assigned - Users are added by hand; static.
        Dynamic User - Users get membership automatically when their attributes match a rule (e.g. department, userType); fluid.
        Dynamic Device - Devices get membership when their attributes match a rule; fluid, security groups only.
        Dynamic membership requires an Azure AD Premium P1 licence, and a group is either assigned or dynamic, never both.
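As an added example (not from the original notes or from Microsoft), the evaluator below applies dynamic-membership rules written in the Azure AD rule syntax to a small constructed set of users. It supports only the subset used here: parenthesised `(user.<property> -op value)` clauses with `-eq`, `-ne`, `-startsWith`, `-contains`, joined by `-and` and `-or`. The user records and display names are made up; the property names are the real Azure AD user attributes.

```python
import re

# Constructed sample users (not real directory data); the attribute names are
# the real Azure AD user properties a rule can reference via "user.<property>".
USERS = [
    {"displayName": "Ada", "department": "Finance", "accountEnabled": True,  "userType": "Member"},
    {"displayName": "Bob", "department": "Finance", "accountEnabled": False, "userType": "Member"},
    {"displayName": "Cy",  "department": "Sales",   "accountEnabled": True,  "userType": "Member"},
    {"displayName": "Dee", "department": "finance", "accountEnabled": True,  "userType": "Guest"},
]

# One parenthesised clause: (user.<property> -<operator> <value>)
_CLAUSE = re.compile(
    r'\(\s*user\.(\w+)\s+-(eq|ne|startsWith|contains)\s+("[^"]*"|true|false)\s*\)')


def _literal(token):
    if token == "true":
        return True
    if token == "false":
        return False
    return token.strip('"')


def _clause_holds(user, prop, op, value):
    actual = user.get(prop)
    # String comparisons in membership rules are case-insensitive.
    if isinstance(actual, str) and isinstance(value, str):
        actual, value = actual.lower(), value.lower()
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    if op == "startsWith":
        return isinstance(actual, str) and actual.startswith(value)
    if op == "contains":
        return isinstance(actual, str) and value in actual
    raise ValueError(f"unsupported operator -{op}")


def rule_matches(rule, user):
    """Evaluate a rule like (clause) -and (clause) -or (clause) against one user.
    -and binds tighter than -or, as in the Azure AD rule syntax. Only the subset
    of the syntax used here (no nested groups, -not, -any/-all) is supported."""
    for disjunct in re.split(r"\s+-or\s+", rule.strip()):
        holds = True
        for clause in re.split(r"\s+-and\s+", disjunct):
            m = _CLAUSE.fullmatch(clause.strip())
            if m is None:
                raise ValueError(f"unsupported clause: {clause!r}")
            prop, op, raw = m.groups()
            if not _clause_holds(user, prop, op, _literal(raw)):
                holds = False
                break
        if holds:
            return True
    return False


def dynamic_members(rule, users=USERS):
    """Names of the users a dynamic group with this rule would contain."""
    return sorted(u["displayName"] for u in users if rule_matches(rule, u))
```

Note that Bob drops out of a `Finance -and accountEnabled` group the moment his account is disabled, and Dee is matched despite the lower-case department value; that is the point of dynamic membership, and also why rule attributes must be kept accurate in the source system.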

    3. Azure AD defines users in three ways: cloud identities (created directly in Azure AD), directory-synchronized identities (sourced from on-premises Active Directory through Azure AD Connect) and guest users (external accounts invited through B2B collaboration).

    4. External identities come in two forms: Azure AD B2B collaboration, which invites partners and other external users into your tenant as guest users (UserType = Guest) who sign in with their own identity provider, and Azure AD B2C, a separate customer-facing directory for consumer sign-up and sign-in to your own applications.

    5. Administrative unit - A container in Azure AD for users, groups and devices that lets you scope an Azure AD role assignment to just the members of that unit (e.g. a helpdesk admin who can only reset passwords for one region's users).
        Roles that can be scoped to an administrative unit: Authentication admin, Groups admin, Helpdesk admin, License admin, Password admin, User admin


II. Manage Secure Access by Using Azure AD
    1. Configure Azure AD Privileged Identity Management (PIM)
    2. Implement Conditional Access Policies, Including multifactor authentication
    3. Implement Azure AD identity Protection
    4. Implement Passwordless Authentication
    5. Configure Access reviews


    1. Azure AD Premium P2 feature. Replaces standing privilege with just-in-time, time-limited activation of Azure AD and Azure roles (eligible rather than permanent assignment); activation can require MFA, approval and a justification, and every activation is logged and can raise alerts. This limits the blast radius if an admin account is compromised, since the attacker must still activate, and pass the controls for, each role.

    2. Azure AD Premium P1 feature. Uses signals from the sign-in (user or group membership, IP/named location, device state and compliance, client application, real-time sign-in and user risk) to make an access decision and enforce it: block, or grant with controls such as MFA, a compliant or hybrid-joined device, or an approved client app. Every policy that matches a sign-in is enforced together, and a break-glass account should be excluded from all of them.
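As an added example (not part of the original notes or of any Microsoft code), the evaluator below models how Conditional Access combines policies: each policy has assignments (users, apps, conditions) and one grant control, every policy whose assignments match a sign-in applies, and a single block policy is enough to deny. The four policies, the `contoso.example` accounts and the named location are constructed; the sign-in fields stand in for the real signals.

```python
# Constructed example policies (not from a real tenant), modelled on the
# portal's layout: assignments (users, apps, conditions) plus a grant control.
BREAK_GLASS = "breakglass@contoso.example"

CA_POLICIES = [
    {"name": "Block legacy authentication",
     "users": {"include": ["All"], "exclude": [BREAK_GLASS]},
     "apps": ["All"],
     "client_apps": ["exchangeActiveSync", "other"],   # legacy clients only
     "grant": "block"},
    {"name": "Require MFA for Global Administrators",
     "users": {"include": ["role:Global Administrator"], "exclude": [BREAK_GLASS]},
     "apps": ["All"],
     "grant": "mfa"},
    {"name": "Require compliant device for Azure management",
     "users": {"include": ["All"], "exclude": [BREAK_GLASS]},
     "apps": ["Microsoft Azure Management"],
     "locations_exclude": ["Corp HQ"],                 # trusted named location
     "grant": "compliantDevice"},
    {"name": "Block high-risk sign-ins",
     "users": {"include": ["All"], "exclude": [BREAK_GLASS]},
     "apps": ["All"],
     "sign_in_risk": ["high"],
     "grant": "block"},
]


def policy_applies(policy, signin):
    """True if the sign-in falls within the policy's assignments."""
    users = policy["users"]
    if signin["user"] in users["exclude"]:          # exclusions always win
        return False
    targets = {signin["user"]} | {f"role:{r}" for r in signin.get("roles", [])}
    if "All" not in users["include"] and not targets & set(users["include"]):
        return False
    if "All" not in policy["apps"] and signin["app"] not in policy["apps"]:
        return False
    if "client_apps" in policy and signin.get("client_app", "browser") not in policy["client_apps"]:
        return False
    if signin.get("location") in policy.get("locations_exclude", []):
        return False
    if "sign_in_risk" in policy and signin.get("sign_in_risk", "none") not in policy["sign_in_risk"]:
        return False
    return True


def evaluate_sign_in(signin, policies=CA_POLICIES):
    """Return ('block', [policy names]) or ('grant', [required controls]).
    All applicable policies are enforced together; one block policy is enough to deny."""
    applicable = [p for p in policies if policy_applies(p, signin)]
    blocking = [p["name"] for p in applicable if p["grant"] == "block"]
    if blocking:
        return ("block", blocking)
    return ("grant", sorted({p["grant"] for p in applicable}))
```

The last case in the test, the break-glass account at high risk, returns `('grant', [])`: no policy applies, so nothing is enforced. That is intentional for an emergency account but is also exactly what an over-broad exclusion does to everyone else, which is why exclusions deserve review.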

    3. Azure AD Premium P2 feature. Calculates user risk (how likely the account itself is compromised, e.g. leaked credentials) and sign-in risk (how likely a particular sign-in is not the account owner, e.g. anonymous IP, atypical travel, unfamiliar sign-in properties) and automates remediation through risk-based policies: require a secure password change for risky users, and MFA (or block) for risky sign-ins.



    4. Use strong authentication methods in place of a traditional password. The phishing-resistant ones keep a private key on the device and sign a challenge, so there is no shared secret to steal or replay.
        Windows Hello for Business - Biometric or PIN unlocks a key pair bound to that specific PC (TPM-protected where available).
        FIDO2 Security Keys - Hardware keys (USB, NFC or Bluetooth); the private key never leaves the device.
        Microsoft Authenticator App - Phone sign-in; approval on the registered phone (with number matching) replaces the password.
        FIDO2 Smartcards - FIDO2 in a chip-card form factor; same protocol as security keys.
        Temporary Access Pass - Time-limited, optionally single-use passcode issued by an admin to bootstrap (register) the methods above or to recover when a method is lost.

    5. Azure AD Premium P2 feature. Recurring reviews in which owners or designated reviewers recertify group memberships, enterprise application assignments and privileged (PIM) role assignments; access that is denied or not reviewed can be removed automatically.


III. Manage Application Access
    1. Integrate single sign-on (SSO) and Identity Providers for Authentication
    2. Create an App Registration
    3. Configure App Registration Permission Scopes
    4. Manage App registration Permission Consent
    5. Manage API Permissions to Azure subscriptions and resources
    6. Configure an Authentication Method for a Service Principal


Microsoft Identity Platform - App Registration > Client SDK > Endpoint > Target Audience

    1. Use Azure AD as the identity provider for non-Microsoft (SaaS and line-of-business) apps through the enterprise application gallery (SAML, OpenID Connect or password-based SSO), or code it into your own apps with the Microsoft Authentication Library (MSAL).

    2. Apps that authenticate with Azure AD must be registered in a directory. Registration creates an application object with a unique Application (client) ID and a service principal in the home tenant; the app proves its identity with a client secret, a certificate or a federated credential (certificates and federated credentials are preferred, since a secret can leak).



    3. Control/limit the access an application gets by granting only the permission scopes it needs (least privilege). An API you own defines its own scopes under "Expose an API" (e.g. api://<application-id>/<scope-name>), and client apps request them under "API permissions".

    4. Consent is how a requested permission is actually granted. Users can consent to low-privilege delegated permissions for themselves (subject to the tenant's user consent settings); application permissions and high-privilege scopes require admin consent, granted tenant-wide by an administrator. An admin consent workflow lets users request a permission instead of granting anything themselves.

    5. Microsoft Graph - Apps are authorized to call APIs when granted permissions by users/admins as part of the consent process.

       Delegated Permissions - Used by apps that have a signed-in user; the app acts on that user's behalf, and the effective permission is the intersection of what the user can do and the scopes granted. They appear in the access token as the scp claim.

       Application Permissions - Used by apps (daemons, services) that run without a signed-in user; the app acts as itself with the full granted permission, so admin consent is always required. They appear in the access token as the roles claim.
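As an added example (not from the original notes and not Microsoft code), the snippet below shows how a resource API tells the two models apart from the token it receives: a delegated token carries a space-separated `scp` claim, an app-only token carries a `roles` array. The tokens are constructed, unsigned test tokens with fake ids; the claim names (`scp`, `roles`, `idtyp`, `oid`, `upn`, `tid`) are the real ones Azure AD issues. Signature validation is deliberately outside this snippet and must be done before any claim is trusted.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    For inspection only: a resource API must validate signature, iss, aud and
    exp (e.g. with MSAL / Microsoft.Identity.Web) before acting on any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def permission_model(claims):
    """'delegated' when the token carries scopes (scp), 'application' when it
    carries app roles (roles) and no scp, otherwise 'none'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "none"


def granted_permissions(claims):
    if "scp" in claims:
        return set(claims["scp"].split())      # space-separated scope names
    return set(claims.get("roles", []))


def is_authorized(claims, delegated_ok, application_ok):
    """Check a token against the permissions an API accepts for each model."""
    model = permission_model(claims)
    have = granted_permissions(claims)
    if model == "delegated":
        return bool(have & set(delegated_ok))
    if model == "application":
        return bool(have & set(application_ok))
    return False


def make_unsigned_token(claims):
    """Constructed test token with alg=none and an empty signature; used only to
    build the samples below. Never accept such a token in a real API."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed tokens (fake ids) in the shape Azure AD issues for Microsoft Graph.
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "tid": "11111111-1111-1111-1111-111111111111",
    "upn": "ada@contoso.example", "oid": "22222222-2222-2222-2222-222222222222",
    "scp": "User.Read Mail.Read"})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "33333333-3333-3333-3333-333333333333", "idtyp": "app",
    "roles": ["User.Read.All"]})
```

An API that only checks `roles` would wrongly reject every delegated caller, and one that only checks `scp` would let an app-only caller through with no permission check at all; checking the model first avoids both mistakes.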

    6. MS Link - Access Azure Sphere Public API with AAD application service principal

       Managed Identities - Azure AD authentication for a workload without a stored credential; system-assigned or user-assigned.
       Enabling one creates a service principal for the managed identity in Azure AD; assign it Azure roles or API permissions like any other principal.
       The workload requests a token from a local, non-routable endpoint (the Instance Metadata Service at 169.254.169.254 on VMs, IDENTITY_ENDPOINT on App Service); the token is issued to the identity's service principal and carries whatever access that principal has been granted.
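As an added example for the managed-identity flow described in sections I.1 and III.6 (my own code, not from the notes or from an Azure SDK), the snippet below builds the exact request a VM workload sends to the Instance Metadata Service, including the mandatory `Metadata: true` header, and parses the response. The endpoint, API version, query parameters and response fields are the real IMDS ones; the sample response and its token value are constructed so the parsing can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Real IMDS endpoint on Azure VMs / VM scale sets (link-local, not routable).
# App Service and Functions expose the same flow through the IDENTITY_ENDPOINT
# and IDENTITY_HEADER environment variables instead.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Build the request a workload sends to IMDS for a managed-identity token.
    client_id selects a user-assigned identity; omit it for the system-assigned one."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # The Metadata header is mandatory; IMDS refuses requests without it, which
    # blocks simple SSRF attempts that cannot set request headers.
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def parse_token_response(body, now=None):
    """Pick out the fields a caller needs from the JSON IMDS returns."""
    data = json.loads(body)
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "resource": data["resource"],
        "client_id": data.get("client_id"),
        "seconds_left": max(0, int(data["expires_on"]) - int(now)),
    }


def get_token(resource, client_id=None, opener=urllib.request.urlopen):
    """Fetch a token. On a real VM: get_token('https://management.azure.com/')."""
    request = build_token_request(resource, client_id)
    with opener(request, timeout=5) as response:
        return parse_token_response(response.read())


# Constructed response in the shape IMDS returns (the token value is fake).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e30.fake",
    "client_id": "00000000-0000-0000-0000-000000000001",
    "expires_in": "3599",
    "expires_on": "1700003599",
    "ext_expires_in": "3599",
    "not_before": "1699999699",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})
```

Two practical points the request shape makes visible: any process on the VM can call this endpoint, so the identity's permissions are effectively the VM's permissions and should be scoped tightly, and a token is bound to one `resource` (audience), so a token for Azure Resource Manager cannot be replayed against Key Vault.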


IV. Manage Access Control
    1. Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
    2. Interpret Role and Resource Permissions
    3. Assign built-in Azure AD roles
    4. Create and assign custom roles, including Azure roles and Azure AD roles

    1. Azure Policy - Service in Azure that lets you create, assign and manage policies. Policy focuses on resource properties (what you may deploy and how it must be configured), both during deployment and for already existing resources, and is assigned at management group, subscription or resource group scope.

        Azure RBAC (Role-Based Access Control) - Authorization for Azure resources (Azure AD does the authentication). An assignment is security principal + role definition + scope; scopes nest (management group > subscription > resource group > resource) and an assignment is inherited by everything below its scope. Permissions are additive across assignments. Azure AD admin roles are separate and govern directory objects, not Azure resources.

    2. Common policy uses: allow/deny resource types, allowed virtual machine SKUs (Stock-Keeping Unit, i.e. the purchasable size/tier), allowed/denied geographical locations, require a tag and enforce its value, audit that Azure Backup is enabled for VMs. Effects include Deny (blocks the deployment), Audit (records non-compliance without blocking), Append/Modify and DeployIfNotExists.
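As an added example (my own, not from the notes or from Azure Policy's engine), the mini-evaluator below runs four constructed policy definitions, written in the shape of a real `policyRule`, against resource descriptions: allowed locations, a required tag, allowed VM SKUs, and an audit policy. Only the listed subset of the condition language is modelled; the SKU alias `Microsoft.Compute/virtualMachines/sku.name` is the real one, mapped to `properties.hardwareProfile.vmSize`, while the backup policy is a simplified tag-based stand-in for the built-in, which uses auditIfNotExists.

```python
import re

# Constructed policy definitions (not the real built-ins), written in the
# shape of an Azure Policy policyRule. Only this subset of the condition
# language is modelled: field / equals / notEquals / in / notIn / exists,
# combined with not / allOf / anyOf. String matching is case-insensitive
# here, as it is in Azure Policy.
POLICY_DEFINITIONS = [
    {"name": "allowed-locations", "policyRule": {
        "if": {"not": {"field": "location", "in": ["eastus", "westeurope"]}},
        "then": {"effect": "deny"}}},
    {"name": "require-env-tag", "policyRule": {
        "if": {"field": "tags['env']", "exists": "false"},
        "then": {"effect": "deny"}}},
    {"name": "allowed-vm-skus", "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": ["Standard_B2s", "Standard_D2s_v3"]}}]},
        "then": {"effect": "deny"}}},
    # Simplified stand-in for the built-in backup policy (which uses
    # auditIfNotExists on a backup vault); here a tag marks backed-up VMs.
    {"name": "audit-vm-backup", "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "tags['backup']", "notEquals": "enabled"}]},
        "then": {"effect": "audit"}}},
]


def _field(resource, name):
    """Resolve a field name or alias against a resource description."""
    m = re.fullmatch(r"tags\['(.+)'\]", name)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    if name == "Microsoft.Compute/virtualMachines/sku.name":   # real alias -> properties.hardwareProfile.vmSize
        return resource.get("properties", {}).get("hardwareProfile", {}).get("vmSize")
    return resource.get(name)


def _norm(value):
    return value.lower() if isinstance(value, str) else value


def _condition(resource, c):
    if "not" in c:
        return not _condition(resource, c["not"])
    if "allOf" in c:
        return all(_condition(resource, x) for x in c["allOf"])
    if "anyOf" in c:
        return any(_condition(resource, x) for x in c["anyOf"])
    value = _norm(_field(resource, c["field"]))
    if "equals" in c:
        return value == _norm(c["equals"])
    if "notEquals" in c:
        return value != _norm(c["notEquals"])
    if "in" in c:
        return value in [_norm(v) for v in c["in"]]
    if "notIn" in c:
        return value not in [_norm(v) for v in c["notIn"]]
    if "exists" in c:
        return (value is not None) == (str(c["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {c}")


def policy_effects(resource, policies=POLICY_DEFINITIONS):
    """Effects triggered by a resource, e.g. [('allowed-locations', 'deny')]."""
    return [(p["name"], p["policyRule"]["then"]["effect"])
            for p in policies if _condition(resource, p["policyRule"]["if"])]


def deployment_allowed(resource, policies=POLICY_DEFINITIONS):
    """Deny blocks the request at deployment; audit only records non-compliance."""
    return not any(effect == "deny" for _, effect in policy_effects(resource, policies))
```

The distinction the last function makes is the exam-relevant one: a VM that matches only the audit policy still deploys and shows up as non-compliant, while a single Deny effect stops the deployment outright.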

        Built-in Azure roles
        Owner - Full access to everything at the scope, including granting access to others.
        Contributor - Full access to manage everything except access itself (cannot create or change role assignments).
        Reader - Can view but not change resources.
        User Access Administrator - Can manage user access to Azure resources (role assignments) but not the resources themselves.
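As an added example (my own, not from the notes or from Azure), the snippet below computes effective Azure RBAC permissions the way the notes describe them: it walks a resource's scope chain up through resource group, subscription and management groups, collects every assignment inherited along the way, and allows an action if any role's Actions match it and none of that role's NotActions do. The role definitions are a subset of the real built-in roles' action lists; the hierarchy, principals and scope ids are constructed (real scopes use GUIDs), and deny assignments are not modelled.

```python
import fnmatch

# Constructed role definitions: a subset of the real built-in roles' actions.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
                                  "NotActions": []},
}

# Constructed hierarchy: subscription -> management group -> parent management group.
MG_PARENT = {"sub-1": "mg-prod", "mg-prod": "tenant-root"}

# Constructed assignments: (principal, role, scope). Real scopes use GUIDs.
ASSIGNMENTS = [
    ("ada", "Reader", "/providers/Microsoft.Management/managementGroups/mg-prod"),
    ("ada", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-app"),
    ("bob", "User Access Administrator", "/subscriptions/sub-1"),
]


def scope_chain(scope):
    """The scope itself and every ancestor scope, innermost first. Assignments
    at any of these scopes are inherited by the resource."""
    parts = scope.strip("/").split("/")
    chain, mg = [], None
    if parts[0] == "subscriptions":
        if len(parts) > 4 and parts[2].lower() == "resourcegroups":
            chain.append("/" + "/".join(parts))          # the resource itself
        if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
            chain.append("/" + "/".join(parts[:4]))      # the resource group
        chain.append("/subscriptions/" + parts[1])
        mg = MG_PARENT.get(parts[1])
    elif parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        mg = parts[3]
    else:
        raise ValueError(f"unrecognised scope {scope!r}")
    while mg:
        chain.append("/providers/Microsoft.Management/managementGroups/" + mg)
        mg = MG_PARENT.get(mg)
    return chain


def _matches(action, patterns):
    # Action strings are case-insensitive; '*' matches across '/' segments.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_allows(role_name, action):
    role = ROLES[role_name]
    return _matches(action, role["Actions"]) and not _matches(action, role["NotActions"])


def effective_roles(principal, scope, assignments=ASSIGNMENTS):
    inherited = set(scope_chain(scope))
    return sorted({role for p, role, s in assignments if p == principal and s in inherited})


def can(principal, action, scope, assignments=ASSIGNMENTS):
    """Azure RBAC is additive: allowed if any inherited assignment's role grants
    the action. Deny assignments (created by Blueprints/managed apps) are not modelled."""
    return any(role_allows(r, action) for r in effective_roles(principal, scope, assignments))
```

The test shows the two interpretations the exam asks for: Ada's Reader assignment at the management group follows her into every resource group, her Contributor assignment in rg-app adds write but still cannot create a role assignment (NotActions), and Bob's User Access Administrator at the subscription can grant access to a VM he cannot himself modify.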

    3. Azure AD roles - A named set of permissions over directory objects (users, groups, applications, devices, tenant settings), used for access control within Azure AD itself. Distinct from Azure RBAC roles: a Global Administrator has no access to Azure resources unless they explicitly elevate themselves to User Access Administrator at the root scope, which is itself a logged event worth alerting on.

        Built-in Azure AD roles
        Global administrator - The highest level of access; manages every Azure AD feature and the other admins. Keep to a handful of accounts, all protected by MFA and PIM.
        User administrator - Creates and manages users and groups, and can reset passwords for non-admins and a few limited admin roles.
        Helpdesk administrator - Can reset passwords for non-admins (and for other helpdesk administrators), not for most admin roles.
        Billing administrator - Can make purchases, manage subscriptions and support tickets.

    4. MS Link - Create and assign a custom role in Azure Active Directory