The Ultimate Guide on Microsoft Azure Fundamentals Certification

What is Azure AD?

Azure Active Directory (Azure AD) provides the identity used to sign in to Microsoft Azure. It also controls access to applications and resources according to business requirements. Developers can use Azure AD to authenticate their applications with single sign-on (SSO). Users can use Azure AD to maintain their identity and to manage their own password through the self-service password reset portal. Microsoft Office, Microsoft Office 365, Azure and Microsoft Dynamics CRM Online already use Azure AD for authentication, and Azure AD also supports the registration of devices.

Connecting an on-premises datacenter with Azure AD:

Azure AD Connect synchronizes changes between on-premises Active Directory and Azure AD so that you can use SSO, MFA and self-service password reset with the same identities.

What is Azure AD DS (Azure Active Directory Domain Services)?

Azure AD DS (Azure Active Directory Domain Services) provides managed domain services: domain join, group policy, LDAP (Lightweight Directory Access Protocol) and Kerberos/NTLM authentication. Azure AD DS integrates with your Azure AD tenant, which is why users can sign in to services and applications with their existing credentials.

When you create an Azure AD DS managed domain, you define a namespace, that is, the domain name. Two domain controllers are then deployed into the Azure region you select; together they are known as a replica set. Data is synchronized one way, from the Azure AD tenant to the Azure AD DS managed domain. You can create resources directly in the managed domain (Azure AD DS), but those resources are not synchronized back to the Azure AD tenant.

Managed Domain (Virtual Network) <----- one-way sync ----- Azure AD tenant <----- Azure AD Connect sync -----> On-premises AD

SSO:

MFA:

Passwordless Authentication

Windows Hello for Business: The biometric and PIN credentials are tied directly to the user's PC, which prevents access by anyone other than the owner.
Microsoft Authenticator app: The user proves possession of the phone by matching a number displayed on the sign-in screen with the one shown in the app.
FIDO2 security keys: Users register a FIDO2 security key and then select it at the sign-in interface to authenticate.

Azure External Identities:

B2B collaboration: Business-to-business collaboration, where external users sign in to your Microsoft apps with their own identities.
B2B direct connect: A two-way mutual trust with another Azure AD organization, used for Teams shared channels.
Azure AD B2C: Publish SaaS or custom apps that your customers or clients sign in to, with Azure AD B2C handling their identity and access management.

What is Azure Conditional Access?

Conditional Access is the tool Azure Active Directory uses to allow (or deny) access to resources based on identity signals. It also makes MFA more granular: for example, a user signing in from a known location might not be prompted for MFA. Signals include the user, the device, the application and the user's location.

Examples of Conditional Access policies are: allowing users to access an application only from managed devices, limiting which email applications may connect to your email service, and granting access based on the user's role, location or network, with MFA required when the signals call for it.
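The three example policies above can be modelled as a small rule engine over sign-in signals. This is an added illustration, not Azure's own evaluation logic: the signal fields, the trusted network range, the app and client names and the policy rules are all constructed for the example.

```python
"""Toy Conditional Access evaluator (added example, not Azure code).
Signals, trusted ranges, app/client names and policies are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed "named location": sign-ins from this range count as a known location.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_MAIL_CLIENTS = {"Outlook"}          # constructed approved-client list


@dataclass
class Signals:
    """Identity signals available to a policy for one sign-in attempt."""
    user: str
    roles: set
    app: str
    client: str
    device_managed: bool
    ip: str


def at_known_location(ip):
    """True when the source address falls inside a trusted (named) network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(s):
    """Return 'block', 'mfa' or 'grant' for one sign-in, mirroring the three
    example policies on this page (managed device, approved mail app, role/location MFA)."""
    decisions = []
    # Policy 1: the finance app may only be used from managed devices.
    if s.app == "Finance" and not s.device_managed:
        decisions.append("block")
    # Policy 2: only approved clients may connect to the mail service.
    if s.app == "Exchange Online" and s.client not in APPROVED_MAIL_CLIENTS:
        decisions.append("block")
    # Policy 3: admins always need MFA; everyone else needs it outside the trusted network.
    if "Global Administrator" in s.roles or not at_known_location(s.ip):
        decisions.append("mfa")
    # Conflict resolution: block wins over MFA, which wins over a plain grant.
    if "block" in decisions:
        return "block"
    if "mfa" in decisions:
        return "mfa"
    return "grant"
```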

What is Azure RBAC?

Azure role-based access control (RBAC) lets you control who can do what on Azure resources. A role is assigned at a scope. For example, an observer can be granted only the Reader role at a particular scope (a management group, subscription or resource group).

RBAC is hierarchical: when you grant access at a parent scope, those permissions are automatically inherited by all child scopes.

Azure RBAC is enforced on requests to Azure resources that pass through Azure Resource Manager. Role assignments are additive, so if you hold a role that grants read permission and another that grants write permission, you have both. Azure RBAC is not applied at the application level; it does not control what a user can do inside an application's own data.
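The two properties just described, inheritance down the scope hierarchy and additive assignments, can be checked with a small model. This is an added example and not Azure's own authorization code: the scope tree, the simplified role definitions and the assignments are constructed sample data, and real Azure action names are matched case-insensitively with wildcards as the built-in roles use them.

```python
"""Model of Azure RBAC scope inheritance and additive assignments.
Added example, not Microsoft code; all scopes, roles and assignments are constructed."""
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/mg-prod"
SUB = "/subscriptions/sub-1"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

# Constructed scope tree: child scope -> parent scope (None marks the root).
PARENT = {MG: None, SUB: MG, RG: SUB, VM: RG}

# Simplified built-in-style role definitions; Azure action patterns use '*' wildcards.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]},
    "VM Starter": {"actions": ["Microsoft.Compute/virtualMachines/start/action"], "notActions": []},
}

# Constructed assignments: (principal, role, scope). Assignments are additive.
ASSIGNMENTS = [
    ("alice", "Reader", MG),            # inherited by every subscription, RG and resource below
    ("alice", "VM Starter", RG),        # adds a second permission on top of Reader
    ("bob", "Contributor", RG),
]


def ancestors(scope):
    """Return the scope and every parent up to the root: the inheritance chain."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain


def role_permits(role, action):
    """A role permits an action when an Actions pattern matches and no NotActions pattern does."""
    match = lambda pattern: fnmatchcase(action.lower(), pattern.lower())  # Azure actions are case-insensitive
    return any(map(match, ROLES[role]["actions"])) and not any(map(match, ROLES[role]["notActions"]))


def is_allowed(principal, action, scope):
    """Allowed if any assignment at the scope or at an ancestor scope permits the action."""
    chain = ancestors(scope)
    return any(role_permits(role, action)
               for who, role, s in ASSIGNMENTS if who == principal and s in chain)
```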

What is a Zero Trust model?

Zero Trust is a security model that assumes breach: it protects resources by treating every request as if it originated from an uncontrolled network and verifying it before access is granted.

The Zero Trust model follows three principles:

  • Verify explicitly: Always authenticate and authorize.
  • Use Least privilege access
  • Use Analytics to get visibility

What is defense-in-depth in Azure?

Defense-in-depth protects information with a series of layered mechanisms that slow down an attack. Every layer has its own protection, so an attacker who breaches one layer is still not given access to the next.

Below is the list of layers that defense-in-depth in Azure contains.

  • Physical layer: protects the hardware in the datacenter.
  • Identity and access layer: controls access to the infrastructure using single sign-on (SSO) and multifactor authentication.
  • Perimeter layer: uses DDoS protection and firewalls to identify and stop attacks before they reach the network.
  • Network layer: limits communication, for example by restricting inbound internet access and limiting outbound access.
  • Compute layer: secures access to virtual machines.
  • Application layer: protects the applications themselves.
  • Data layer: controls the data stored in databases, SaaS applications and Office 365.

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud provides guidance and notifications for tightening the security of your cloud. Microsoft Defender for Cloud also deploys Log Analytics to collect the data it monitors.

  • Microsoft Defender for Cloud detects threats across Azure PaaS services, Azure data services and networks.
  • To secure a hybrid cloud, deploy Azure Arc and enable Defender for Cloud's enhanced security features.
  • Defender is also used for other clouds and workloads, for example Microsoft Defender for Kubernetes and Defender for Cloud's CSPM features.

When it detects a threat, Microsoft Defender for Cloud generates a security alert and suggests remediation steps.
