Microsoft Entra ID
Microsoft's cloud-based directory and identity service; lets users sign in and access both Microsoft cloud applications and cloud applications that you develop; can also help you maintain your on-premises Active Directory deployment
Who is Microsoft Entra ID for?
IT administrators, App Developers, Users, and Online Service Subscribers
Microsoft Entra ID Services
Authentication, Single sign-on (SSO), application management, device management
Microsoft Entra Connect
the method of connecting Microsoft Entra ID with your on-premises Active Directory; it synchronizes user identities between on-premises Active Directory and Microsoft Entra ID so a user has one identity in both
Microsoft Entra Domain Services
service that provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication without the need to deploy, manage, and patch domain controllers in the cloud; its managed domain lets you run legacy applications in the cloud that can't use modern authentication methods
Replica Set
the two Windows Server domain controllers that Microsoft Entra Domain Services deploys into your selected Azure region to host the managed domain
Authentication
process of establishing the identity of a person, service, or device; requires the person, service, or device to provide some type of credential to prove who they are
Azure Authentication Methods
Standard passwords, Single Sign-on (SSO), Multifactor authentication (MFA), and passwordless
Single sign-on (SSO)
enables a user to sign in one time and use that credential to access multiple resources and applications from different providers; for it to work, the different applications and providers must trust the initial authenticator
Multifactor authentication
process of prompting a user for an extra form (or factor) of identification during the sign-in process; protects the account when the password is compromised but the second factor isn't
Passwordless authentication
a form of authentication that must be set up on a device before it can work; when the device is known, you provide something you know or are (PIN or fingerprint) to authenticate
Windows Hello for Business, Microsoft Authenticator app, FIDO2 security keys
the three passwordless authentication options offered by Microsoft global Azure and Azure Government that integrate with Microsoft Entra ID
external identity
a person, device, service, etc. that is outside your organization
Microsoft Entra External ID
all the ways you can securely interact with users outside of your organization
Business to business (B2B) collaboration, B2B direct connect, Microsoft Azure Active Directory business to customer (B2C)
capabilities that make up external identities
Business to business (B2B) collaboration
collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications; the users are represented as guest users in your directory
B2B direct connect
establish a mutual, two-way trust with another Microsoft Entra organization for seamless collaboration (for example, Teams); the external users are not represented in your directory but are visible in the Teams shared channel
Microsoft Azure Active Directory business to customer (B2C)
publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management
Conditional Access
tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals - signals like who the user is, where the user is, and what device the user is requesting access from
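The card above lists the signals (who, where, which device) that Conditional Access turns into a decision. The following is an added example, not Microsoft code or the real policy engine: a toy evaluator that models how several policies combine, namely that a block always wins, that grant controls from every matching policy stack, and that an excluded break-glass account bypasses a policy. Every user, group, IP range and policy in it is constructed (contoso.example is a placeholder tenant).

```python
"""Toy Conditional Access evaluator (added example; models the signal -> decision idea,
not Microsoft's actual policy engine). All users, groups, IPs and policies are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed "named location": a corporate egress range marked as trusted (TEST-NET-3).
TRUSTED_LOCATIONS = ("203.0.113.0/24",)


@dataclass(frozen=True)
class SignIn:
    """Signals available at sign-in time: who, from where, on what device, to which app."""
    user: str
    groups: frozenset
    app: str
    ip: str
    device_compliant: bool
    mfa_satisfied: bool


@dataclass(frozen=True)
class Policy:
    """Assignments (who/what/where the policy targets) plus grant controls."""
    name: str
    include_groups: frozenset = frozenset()  # empty means "all users"
    exclude_users: frozenset = frozenset()   # e.g. break-glass accounts
    apps: frozenset = frozenset()            # empty means "all cloud apps"
    only_outside_trusted: bool = False       # location condition
    block: bool = False                      # grant control: block access
    require_mfa: bool = False                # grant control
    require_compliant_device: bool = False   # grant control


def from_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in TRUSTED_LOCATIONS)


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy is in scope only if every assignment condition matches the sign-in."""
    if s.user in policy.exclude_users:
        return False
    if policy.include_groups and not (s.groups & policy.include_groups):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.only_outside_trusted and from_trusted_location(s.ip):
        return False
    return True


def evaluate(policies, s: SignIn):
    """Return (decision, detail). Block wins over grant controls; controls from all
    matching policies are combined, so the user must satisfy every one of them."""
    matched = [p for p in policies if applies(p, s)]
    blockers = frozenset(p.name for p in matched if p.block)
    if blockers:
        return "blocked", blockers
    outstanding = set()
    if any(p.require_mfa for p in matched) and not s.mfa_satisfied:
        outstanding.add("mfa")
    if any(p.require_compliant_device for p in matched) and not s.device_compliant:
        outstanding.add("compliant_device")
    if outstanding:
        return "controls_required", frozenset(outstanding)
    return "allowed", frozenset(p.name for p in matched)


# Constructed policy set.
POLICIES = (
    Policy("Require MFA outside trusted locations", only_outside_trusted=True,
           require_mfa=True, exclude_users=frozenset({"breakglass@contoso.example"})),
    Policy("Admins need a compliant device for Azure management",
           include_groups=frozenset({"Admins"}), apps=frozenset({"Azure Management"}),
           require_compliant_device=True),
    Policy("Block guests from Azure management",
           include_groups=frozenset({"Guests"}), apps=frozenset({"Azure Management"}), block=True),
)


def demo():
    """Four constructed sign-ins exercising exclusion, stacking and block precedence."""
    admin_remote = SignIn("alice@contoso.example", frozenset({"Admins"}), "Azure Management",
                          "198.51.100.7", device_compliant=True, mfa_satisfied=False)
    admin_office = SignIn("alice@contoso.example", frozenset({"Admins"}), "Azure Management",
                          "203.0.113.10", device_compliant=False, mfa_satisfied=False)
    guest = SignIn("bob_fabrikam.example#EXT#@contoso.example", frozenset({"Guests"}),
                   "Azure Management", "198.51.100.9", device_compliant=False, mfa_satisfied=True)
    breakglass = SignIn("breakglass@contoso.example", frozenset(), "Exchange Online",
                        "198.51.100.9", device_compliant=False, mfa_satisfied=False)
    return {name: evaluate(POLICIES, s) for name, s in
            [("admin_remote", admin_remote), ("admin_office", admin_office),
             ("guest", guest), ("breakglass", breakglass)]}


if __name__ == "__main__":
    for name, (decision, detail) in demo().items():
        print(f"{name}: {decision} {sorted(detail)}")
```

The guest case shows why block policies are evaluated first: the guest has already satisfied MFA, but the block still applies. The break-glass case shows the flip side: an excluded account matches no policy at all, which is exactly why such accounts need separate monitoring.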
Azure Role-Based Access Control (Azure RBAC)
authorization system that controls who has access to specific actions on your Azure resources, by assigning a role (a set of permissions) to a security principal at a scope
scope
a resource or set of resources that this access applies to
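The two cards above (Azure RBAC and scope) describe role assignments as principal + role + scope. The following added example, which is not Microsoft code, is a toy authorization check showing the parts of that model a practitioner most often gets wrong: an assignment is inherited by every child scope but never by a sibling, a role's NotActions are subtracted from its Actions, and wildcards in operation names span the "/" separators. The role definitions are a constructed subset of the real Owner, Contributor and Reader built-in roles; the subscription ID, principals and assignments are placeholders. Deny assignments, ABAC conditions and data actions, which the real evaluation also considers, are left out.

```python
"""Toy Azure RBAC authorization check (added example, not Microsoft code). Models the
three pieces of a role assignment: security principal, role definition, scope. Omits deny
assignments, ABAC conditions and data actions, which the real evaluation also considers."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # wildcard patterns of permitted control-plane operations
    not_actions: tuple = ()  # patterns subtracted from actions


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # management group, subscription, resource group or resource ID


# Constructed subset of built-in roles; Contributor's NotActions are the ones that
# stop it from changing who has access.
ROLES = {
    "Owner": RoleDefinition("Owner", actions=("*",)),
    "Contributor": RoleDefinition("Contributor", actions=("*",), not_actions=(
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action")),
    "Reader": RoleDefinition("Reader", actions=("*/read",)),
}


def _match(pattern: str, action: str) -> bool:
    # Azure operation names are case-insensitive and '*' spans '/' separators.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: RoleDefinition, action: str) -> bool:
    allowed = any(_match(p, action) for p in role.actions)
    denied = any(_match(p, action) for p in role.not_actions)
    return allowed and not denied


def scope_contains(assignment_scope: str, resource_scope: str) -> bool:
    """Assignments are inherited by every child scope, never by parents or siblings."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_authorized(assignments, principal: str, action: str, resource_scope: str) -> bool:
    """Access is the union of all assignments whose scope covers the target resource."""
    return any(
        a.principal == principal
        and scope_contains(a.scope, resource_scope)
        and role_permits(ROLES[a.role], action)
        for a in assignments
    )


# Constructed assignments; the subscription ID and principals are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = (
    RoleAssignment("alice@contoso.example", "Contributor", f"{SUB}/resourceGroups/rg-prod"),
    RoleAssignment("bob@contoso.example", "Reader", SUB),
)
VM_PROD = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1"
VM_DEV = f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm2"


def demo():
    """Constructed checks covering inheritance, sibling scopes and NotActions."""
    checks = {
        "alice writes prod VM": ("alice@contoso.example",
                                 "Microsoft.Compute/virtualMachines/write", VM_PROD),
        "alice writes dev VM": ("alice@contoso.example",
                                "Microsoft.Compute/virtualMachines/write", VM_DEV),
        "alice grants a role in rg-prod": ("alice@contoso.example",
                                           "Microsoft.Authorization/roleAssignments/write",
                                           f"{SUB}/resourceGroups/rg-prod"),
        "bob reads prod VM": ("bob@contoso.example",
                              "Microsoft.Compute/virtualMachines/read", VM_PROD),
        "bob writes prod VM": ("bob@contoso.example",
                               "Microsoft.Compute/virtualMachines/write", VM_PROD),
    }
    return {k: is_authorized(ASSIGNMENTS, *v) for k, v in checks.items()}


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {check}")
```

The "alice grants a role" check is the one to remember: Contributor's Actions pattern `*` covers `Microsoft.Authorization/roleAssignments/write`, but the NotActions pattern `Microsoft.Authorization/*/Write` removes it again, which is what keeps a Contributor from escalating to Owner. The `scope_contains` check appends a "/" before comparing so that an assignment on `rg-prod` does not leak onto a resource group named `rg-production`.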
Resource Manager
Azure's deployment and management service; provides a way to organize and secure your cloud resources through its hierarchy of management groups, subscriptions, resource groups, and resources, which are also the scopes that RBAC assignments apply to
Zero Trust
security model that assumes the worst case scenario and protects resources with that expectation; assumes breach at the outset, and then verifies each request as though it originated from an uncontrolled network
Zero Trust guiding principles
Verify explicitly, use least privilege access, assume breach
least privilege access
limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection
Defense-in-depth layers
Physical Security, Identity & Access, Perimeter, Network, Compute, Application, and Data
Defense-in-Depth strategy
uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data
Physical Security layer
provide physical safeguards against access to assets; first line of defense
Identity and Access layer
ensure that identities are secure, that access is granted only to what's needed, and that sign-in events and changes are logged; ensure SSO and MFA are used, control access to infrastructure and change control, and audit events and changes
Perimeter layer
protects from network-based attacks against your resources; use DDoS protection to filter large-scale attacks before they can affect availability, and use perimeter firewalls to identify and alert on attacks against your network
Network Layer
limit the network connectivity across all your resources to allow only what's required - reduce the risk of an attack spreading to other systems in your network
Compute Layer
makes sure that your compute resources are secure and that you have proper controls in place to minimize security issues; secure access to VMs, implement endpoint protection on devices, and keep systems patched and current
Application Layer
integrate security into the application development lifecycle to reduce the number of vulnerabilities introduced in code
Data Layer
those who store and control access to data are responsible for ensuring that it's properly secured
Data attackers are after
data stored in database, stored on disk inside VMs, stored in software as a service (SaaS) applications, and data managed through cloud storage
Microsoft Defender for Cloud
monitoring tool for security posture management and threat protection; monitors your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications aimed at strengthening your security posture