Azure Identity Management

This document provides an overview of Azure Active Directory (Azure AD), including its key features and capabilities for identity management, authentication, access control, application integration, and hybrid identity solutions. Azure AD is Microsoft's cloud-based identity and access management service. It provides single sign-on access to thousands of SaaS apps and enables secure authentication methods. The document compares Azure AD to on-premises Active Directory, discusses authentication methods in hybrid scenarios, and explains how Azure AD Connect can be used to synchronize identities and implement single sign-on between Azure AD and an on-premises Active Directory.

Uploaded by swati sharma

What is Azure Active Directory?

Azure Active Directory (Azure AD) is Microsoft's Identity Management (IDM)
service and multi-tenant, cloud-based directory.

Azure AD provides single sign-on (SSO) access to thousands of cloud SaaS
applications such as Office 365, Salesforce.com, Dropbox and Concur.

If you are an Office 365, Azure or Dynamics CRM Online customer, you might not
realize that you are already using Azure AD.

Every Office365, Azure and Dynamics CRM tenant is actually already an Azure AD
tenant.

Azure AD includes a full suite of IDM capabilities, such as:

Access & Authentication
Multi-factor authentication
Device registration
Role-based access control

Management
Self-service password management
Self-service group management
Privileged account management

Monitoring & Auditing
Application usage monitoring
Rich auditing
Security monitoring and alerting

These capabilities can help secure cloud-based applications, streamline IT
processes, cut costs and help ensure that corporate compliance goals are met.

Benefits of Azure AD

Single Sign-On - Quickly adopt cloud services with an easy single sign-on
experience powered by Azure AD's fully automated SaaS app access management and
provisioning capabilities.
Anywhere and Any Device Access - Empower employees with world-class cloud apps,
services and self-service capabilities accessible from any device.
Secure Management - Easily and securely manage employee and vendor access to
your corporate social media accounts.
Secure Access - Improve application security with Azure AD multi-factor
authentication and conditional access.
Application Monitoring - Monitor usage and protect your business from advanced
threats with security reporting and monitoring.
Secure mobile (remote) access to on-premises applications.

These benefits enable secure, consistent, self-service application access
management, empowering business owners to move quickly while cutting IT costs
and overhead.

Azure AD vs ADDS

Azure AD and Windows Server Active Directory (AD) are both used for
authentication, but Azure AD differs in many aspects. For example, it does not
have:

Active Directory forests and trust relationships
Organizational Units
Group Policies

It uses the OpenID Connect, OAuth, WS-Federation and SAML protocols for
authentication and authorization.

Azure AD Domain Names

A domain name is an important part of the identifier for many directory
resources, such as:

User name or email address
Address for a group
App ID URI for an application

Every domain name in Azure AD is either a basic (initial) domain name or a
custom domain name.

The Azure AD basic domain is of the form <abc>.onmicrosoft.com and is created by
default when you subscribe to Azure AD. It is also established when a directory
is created by an administrator.

A custom domain name is a domain name that is owned and used by an
organization, such as tcs.com, for purposes such as hosting a website.

Registering Custom Domains

For production environments, it is required to have at least one verified
custom domain, such as contoso.com. To obtain a verified custom domain, it is
recommended to register the custom domain with a public domain registrar.

Why Custom Domain registration?

Organizations can own their custom domain name.
Cloud applications can be accessed using a custom domain name such as
app1.contoso.com.
Users can have a user ID matching their on-premises ID, such as
[email protected].
It can be extended to leverage the SSO facility.
Custom domains are widely used in hybrid scenarios, which are discussed in
the next topic.

Adding Custom domain to Azure AD

Adding a custom domain is simple:

1. Add the custom domain name to your directory.
2. Add a DNS entry for the domain name at the public domain name registrar.
3. Verify the custom domain name in Azure AD.

Managing Users and Groups

Managing users includes:

Add users
Manage a user's password
Change a user's work info
Assign users to roles
Manage the user profile
Delete a user

Managing groups includes:

Creating a group
Adding users to the group
Assigning a group owner

Remember: when you create a user this way, you are creating a Cloud Identity
for that user; the account is created in the cloud, not in the on-premises AD.

Integrating SaaS Application

The Azure Application Gallery provides more than 2500 applications which can be
accessed by a normal AAD user.

Custom applications can also be integrated with Azure AD to leverage the
following benefits:

App authentication and authorization
User authentication and authorization
SSO using federation or password
User provisioning and synchronization
Role-based access control
OAuth authorization services
Publishing applications from a private network to the internet

Role Based Access Control

Role Based Access Control (RBAC) is used to assign users, groups or service
principals to roles in order to delegate administrative tasks.

RBAC cannot control application access permissions; it is used only for
administration.

RBAC roles can be managed by using:

Azure Portal
Azure PowerShell (PS)
Azure CLI

Scope and Features

RBAC roles can be applied at the following levels:

Subscription
Resource Groups
Resources

Permissions are inherited from the parent scope.

Features

Access can be granted by using built-in roles.
Custom roles can be created by using Azure PS, CLI and the REST API.
Role assignment changes are captured in the RBAC audit logs.
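The following Python model (an added example, not code from these notes or from Microsoft) shows how the scope inheritance described above works: an assignment made at a subscription or resource group flows down to every resource beneath it, and a role's NotActions are what keep a Contributor from handing out access. The role definitions, subscription ID, resource group names and principal names are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass

# Simplified, constructed subset of the built-in role definitions. Contributor
# deliberately lacks Microsoft.Authorization writes, which is why it can manage
# resources but cannot hand out access to others.
ROLES = {
    "Owner":       {"actions": {"*"}, "not_actions": set()},
    "Contributor": {"actions": {"*"},
                    "not_actions": {"Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"}},
    "Reader":      {"actions": {"*/read"}, "not_actions": set()},
}


@dataclass(frozen=True)
class Assignment:
    principal: str   # user, group or service principal
    role: str        # key into ROLES
    scope: str       # subscription, resource group or resource ID


def _matches(pattern, action):
    # Action strings are matched case-insensitively with '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers(assignment_scope, target_scope):
    # An assignment covers its own scope and every child scope beneath it.
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, principal, scope):
    """Roles the principal holds at `scope`, including inherited ones."""
    return sorted({x.role for x in assignments
                   if x.principal == principal and _covers(x.scope, scope)})


def is_allowed(assignments, principal, action, scope):
    """True if an inherited role grants `action` and its NotActions do not
    take it away again."""
    for role_name in effective_roles(assignments, principal, scope):
        role = ROLES[role_name]
        granted = any(_matches(p, action) for p in role["actions"])
        excluded = any(_matches(p, action) for p in role["not_actions"])
        if granted and not excluded:
            return True
    return False


# Constructed scopes and assignments mirroring the scenarios in the notes.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


def rg(name):
    return f"{SUB}/resourceGroups/{name}"


def vm(group, name):
    return f"{rg(group)}/providers/Microsoft.Compute/virtualMachines/{name}"


SAMPLE = [
    Assignment("john", "Owner", rg("RG3")),   # partner: Owner on RG3 only
    Assignment("mary", "Contributor", SUB),   # team member: whole subscription
]

if __name__ == "__main__":
    action = "Microsoft.Compute/virtualMachines/write"
    print("john on RG3 VM:", is_allowed(SAMPLE, "john", action, vm("RG3", "vm1")))
    print("john on RG1 VM:", is_allowed(SAMPLE, "john", action, vm("RG1", "vm1")))
    print("mary assigns roles on RG3:", is_allowed(
        SAMPLE, "mary", "Microsoft.Authorization/roleAssignments/write", rg("RG3")))
```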

-----------

Your company is planning on using Windows Azure and is investigating whether a
Basic subscription will suffice. Which of the features below is not available in
the Basic subscription? Self-service gp management

Which feature is provided only with Microsoft Azure Active Directory Premium P2?
Identity protection

Which services are offered in Active Directory Domain Services but not in
Microsoft Azure Active Directory? All

You are creating a user in the Microsoft Azure portal. Which are the default
roles can you assign to the user? All

You need to assign a user to a role in Microsoft Azure Active Directory. Which
Microsoft Azure PowerShell command should you run? Add-MsolRoleMember

Which Microsoft Azure Active Directory (AD) PowerShell command must you run
before you can manage a Microsoft Azure AD tenant from PowerShell?
Connect-MsolService

You need to implement multi-factor authentication (MFA). What is the minimum
version of Microsoft Azure Active Directory (AD) that you must deploy? Microsoft
Azure AD P1

When creating a new user in Microsoft Azure, how is the initial password
determined? A password is randomly generated.

-----------
Basic Authentication

User accounts and credentials are created, stored and managed only in Azure AD.
Azure AD provides the Cloud Identity for the users.
Users can access the apps hosted on Azure or SaaS apps using the Cloud Identity.
There is no synchronization with on-premises directory services.
This is mostly used when there is no existing on-premises ADDS.

Synchronized Authentication with Password Hash

User accounts are synchronized from on-premises Windows Active Directory Domain
Services (ADDS) to Azure AD.
Passwords are synced as password hashes.
Azure AD Connect is used for synchronization.
Users use a synchronized ID, which is an on-premises credential.
Users can access SaaS apps and on-premises applications using the same
credentials.
Azure AD provides the authentication for cloud apps.
Windows AD provides the authentication for on-premises applications.

Federated Authentication

Only the user accounts are synchronized from on-premises Windows Active
Directory Domain Services (ADDS) to Azure AD; the passwords are not
synchronized.
Azure AD is federated with the enterprise Active Directory Federation Services
(ADFS).
Azure AD Connect is used for synchronization.
The on-premises AD, through ADFS, provides the authentication.
Azure AD accepts SAML tokens from the ADFS server.
This method is the most widely used.

Synchronized Authentication without Password Hash

Only the user accounts are synchronized from on-premises Windows Active
Directory Domain Services (ADDS) to Azure AD; the passwords are not synced.
Azure AD Connect is used for synchronization.
Users must use two credentials: one for Azure apps and another for on-premises
applications.
To access the cloud apps, authentication is provided by Azure AD.
To access on-premises applications, Windows AD provides the authentication.

Synchronization Tool

Now that you understand the important information needed for designing a hybrid
solution, let us now learn how to synchronize objects from on-premises to Azure
AD.

Azure AD Connect is the widely used tool for synchronization.

Azure AD Connect

AAD Connect is used to integrate your on-premises directories with Azure AD.

It makes users more productive by providing a common identity for accessing both
cloud and on-premises resources.

It also provides an easy synchronization deployment experience for the
administrator.

AAD Connect can be downloaded from the AAD Connect download page.

It should be installed on the on-premises server from which users and groups
need to be synced with the Azure AD tenant.

AAD Connect - Components

Azure Active Directory Connect is made up of three primary components:

1. Synchronization services - responsible for creating users, groups and other
objects, and for validating identity information between your on-premises
directory and the cloud.
2. Active Directory Federation Services - an optional part of Azure AD Connect
that can be used to configure a hybrid environment using an on-premises ADFS
infrastructure, and is used by organizations to address complex deployments
such as SSO, smart card or third-party MFA.
3. AAD Connect Health - serves as a single place to monitor the health of key
identity components and synchronization services, and to view alerts, usage
analytics, performance and other information needed to make informed decisions.

--------------

Which components are included with Microsoft Azure Active Directory Connect? All

Your company's Active Directory Domain Services (AD DS) domain is named
contoso.com, and the Azure Active Directory (Azure AD) domain is named
contoso.onmicrosoft.com. Synchronization is configured between the domains.
During an audit, you realize that specific attributes should be syncing, but are
not. You need to ensure all required attributes are syncing between the domains.
Run Azure AD connect ? Not Install Azure AD Connect Health, Not Run Azure AD
connect

You are the administrator for contoso.com. Contoso has an Office 365 (O365)
subscription for its users. Your work email address is [email protected]. The
administrator account in the O365 tenant is [email protected]. You
decide to create an Azure subscription. You need to ensure that the same users
in your O365 subscription appear in the Azure subscription. What should you do?
Log in to azure.microsoft.com, click Start for Free, and sign in with
[email protected]. Follow the steps on the screen.

You are the administrator for contoso.com. You create an Azure tenant named
contoso.onmicrosoft.com. Later, you decide that Anne, a user on your team,
should oversee contoso.onmicrosoft.com. You log in to contoso.onmicrosoft.com
and create a user account for Anne. You make Anne a Global Administrator. Which
of the following is true, now that Anne is a Global Administrator? Select one of
the options.
Both you and Anne are Global Administrators.

You are the administrator for contoso.com and the Global Administrator for
contoso.onmicrosoft.com. You create users for all the domain users in
contoso.onmicrosoft.com, and add the Department attribute (Sales, Marketing,
Accounting). You want to create a group containing all users in Sales or
Marketing. The group membership should always be up to date as new Sales and/or
Marketing users are added to contoso.onmicrosoft.com. You wish to achieve this
goal with as little administrative overhead as possible. What should you do?
Create a new Group with the Membership Type "Dynamic User". Construct the query:
(user.department -eq "Sales") -or (user.department -eq "Marketing")
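To show how such a rule selects members, here is a small evaluator (an added example, not Microsoft's implementation) that parses a constructed subset of the dynamic membership rule syntax and applies it to a sample directory; the sample users, the -and-before--or precedence and the case-insensitive string comparison are assumptions of the example.

```python
import re

# Constructed subset of the rule syntax: ( ), "strings", -eq, -ne, -and, -or,
# user.<property> and the literal null.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|user\.[A-Za-z_]+|-[A-Za-z]+|null')

def _norm(v):
    return v.lower() if isinstance(v, str) else v  # strings compare case-insensitively here

OPS = {"-eq": lambda a, b: _norm(a) == _norm(b), "-ne": lambda a, b: _norm(a) != _norm(b)}

def tokenize(rule):
    tokens = TOKEN_RE.findall(rule)
    if "".join(tokens).replace(" ", "") != rule.replace(" ", ""):
        raise ValueError("unrecognized token in rule")  # nothing is skipped silently
    return tokens

class Parser:
    # Recursive descent: -and binds tighter than -or; parentheses override.
    def __init__(self, rule):
        self.toks, self.i = tokenize(rule), 0

    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "-or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == "-and":
            self.take()
            node = ("and", node, self.parse_atom())
        return node

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok is None or not tok.startswith("user."):
            raise ValueError(f"expected user.<property>, got {tok!r}")
        op, value = self.take(), self.take()
        if (op is None or op.lower() not in OPS or value is None
                or not (value == "null" or value.startswith('"'))):
            raise ValueError("malformed comparison")
        value = None if value == "null" else value[1:-1]  # strip the quotes
        return ("cmp", tok[5:], op.lower(), value)

def evaluate(node, user):
    kind, *rest = node
    if kind in ("or", "and"):
        return (any if kind == "or" else all)(evaluate(n, user) for n in rest)
    attr, op, value = rest
    return OPS[op](user.get(attr), value)

def members(rule, users):
    parser = Parser(rule)
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unexpected trailing tokens")
    return [u["userPrincipalName"] for u in users if evaluate(tree, u)]

# Constructed directory sample; RULE is the query from the question above.
USERS = [
    {"userPrincipalName": "alice@contoso.onmicrosoft.com", "department": "Sales"},
    {"userPrincipalName": "bob@contoso.onmicrosoft.com", "department": "marketing"},
    {"userPrincipalName": "carol@contoso.onmicrosoft.com", "department": "Accounting"},
]
RULE = '(user.department -eq "Sales") -or (user.department -eq "Marketing")'
```

Calling `members(RULE, USERS)` returns alice and bob; re-evaluating the rule whenever a user's department changes is what keeps a dynamic group current without manual membership edits.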

Consider a scenario where Azure AD Connect is installed, and Active Directory
Federation Services (AD FS) is configured, and Password-writeback is enabled.
You need to monitor synchronization events generated by Azure AD Connect. What
should you do first?
Install Azure AD connect Health from Azure Marketplace within the Azure Portal.

When planning for Microsoft Azure Active Directory Connect, what is the minimum
Forest Functional Level of the on-premises Active Directory?
Windows Server 2003

Which actions can you perform with Microsoft Azure Active Directory Connect but
not with Microsoft Azure Active Directory Sync?
Connect to multiple on-premises Exchange organizations and synchronize
customer-defined attributes.

-------------
1. Self service Password Reset

Azure AD Self-Service Password Reset (SSPR) combines a set of capabilities that
allow users to manage their own password from any device, at any location and at
any time, all while maintaining compliance with security policies.

This feature is essential for hybrid solutions to:

enhance the end user experience
reduce the dependency on the service desk

2. Self-Service Group Management

Self-service group management enables users to create and manage security groups
or Office 365 groups in Azure AD.

This feature is not available for mail-enabled security groups or distribution
lists.

Self-service group management currently comprises two essential scenarios:

Delegated group management
Self-service group management

3. Azure AD Application Proxy

Azure AD Application Proxy provides single sign-on (SSO) and secure remote
access for web applications hosted on-premises.

Azure AD Application Proxy supports different types of internal applications,
such as:

Web applications that use Integrated Windows Authentication for authentication
Web applications that use form-based or header-based access
Web APIs that you want to expose to rich applications on different devices
Applications hosted behind a Remote Desktop Gateway
Rich client apps that are integrated with the Active Directory Authentication
Library (ADAL)

Where are the Users Located?

1. Azure Active Directory
2. Azure AD and on-premises AD using federation with AD FS
3. Azure AD and on-premises AD using DirSync, Azure AD Sync or Azure AD Connect,
without password sync
4. Azure AD and on-premises AD using DirSync, Azure AD Sync or Azure AD Connect,
with password sync
5. On-premises Active Directory

Cloud MFA for the 1st and 4th scenarios
MFA Server for the 5th scenario
Either can be adopted for the 2nd and 3rd scenarios

What are the features needed?

A number of features are available; here are a few of them:

1. Mobile app verification code as a second factor
2. Phone call as a second factor
3. One-way SMS as a second factor
4. Two-way SMS as a second factor
5. Hardware tokens as a second factor
6. App passwords for Office 365 clients that don't support MFA
7. PIN mode
8. Remember MFA for trusted devices

Cloud MFA for the 6th and 8th items
Server MFA for the 4th and 5th items
Either option can be used for the other items

MFA uses two levels of authentication:

First level
The user enters their credentials.
The MFA provider sends a verification code to the registered mobile device.

Second level
The user enters the verification code.
Finally, the user can access the resources.
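The two-level flow above, simulated in Python as an added example (not Microsoft's MFA implementation): level one checks the password, level two checks a code delivered to the registered device, and the code is single-use, expiring and attempt-limited. The provider class, the policy constants and the in-memory "delivery" list are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # constructed policy values for this example
MAX_CODE_ATTEMPTS = 3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Challenge:
    username: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class MfaProvider:
    """Two-level flow: credentials first, then a code sent to the device
    registered for that user. The 'transport' is a list standing in for
    SMS or an authenticator app push."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # username -> (salt, password hash, device)
        self.challenges = {}   # challenge id -> Challenge
        self.sent = []         # (device, code) pairs "delivered"

    def register(self, username, password, device):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt), device)

    def first_level(self, username, password):
        """Level 1: verify the password; on success issue a fresh code and
        return an opaque challenge id (never the code itself)."""
        record = self.users.get(username)
        if record is None:
            return None   # a real service would still run a hash to keep timing uniform
        salt, stored, device = record
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = Challenge(username, code, self.clock())
        self.sent.append((device, code))
        return cid

    def second_level(self, cid, entered_code):
        """Level 2: verify the code. A code is single-use, expires after
        CODE_TTL_SECONDS and is discarded after MAX_CODE_ATTEMPTS failures."""
        ch = self.challenges.get(cid)
        if ch is None or ch.used:
            return False
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[cid]
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code.encode(), str(entered_code).encode())
        if ok:
            ch.used = True          # the user can now access the resource
        elif ch.attempts >= MAX_CODE_ATTEMPTS:
            del self.challenges[cid]
        return ok


if __name__ == "__main__":
    provider = MfaProvider()
    provider.register("user1", "correct horse battery", "+1-555-0100")  # constructed
    challenge = provider.first_level("user1", "correct horse battery")
    device, code = provider.sent[-1]   # what the registered device would display
    print(provider.second_level(challenge, code))
```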

--------------

Managing Groups includes __________________. All (OK)

Your company has one Azure subscription. You create 5 Resource Groups within the
subscription: RG1, RG2, RG3, RG4, and RG5. You want to give a partner named John
the right to manage all of the resources within RG3 fully. John's Live ID is
[email protected]. John should not be able to manage the resources in any other
resource group. What should you do?
Add John to your Azure Active Directory. Browse to RG3 and add John's Azure
login as an Owner. ?
Add John to your Azure Active Directory. Click the Subscription and Add John's
Azure login as an Owner.?
Log in to the Azure portal, browse to RG3 and add John's Live ID as an
Owner. /////

You are the administrator for your company's Azure Active Directory (Azure AD)
tenant, and on-prem Active Directory domain. A partner published a multi-tenant
Software as a Service (SaaS) application, and gave your company access to the
SaaS app. You configure access to several HR users in your company.
Later, a team member in HR moves to a new department and no longer needs access
to the partner's app. You need to remove access to the app for this user,
without affecting access for other users. The user must still be able to access
other Line-of-Business (LOB) SaaS apps. What should you do?
Not Delete the team member from the Azure AD tenant ?
Delete the team member's assignment to the app in the Azure portal?
Delete the team member from the on-prem Active Directory domain///////////

You are the administrator of your company's Azure subscription, and Azure Active
Directory (Azure AD) tenant. Your company has an on-prem Active Directory. Your
boss asks you to research, allowing the company users to access the
Line-of-business (LOB) Software as a Service (SaaS) applications using
Conditional Access rules. You need to make sure your tenant meets the
pre-requisites for Conditional Access to SaaS apps. What is the lowest Azure
subscription level required to enable Conditional Access to SaaS apps? Azure
Premium subscription (OK)

What is a benefit of Role Based Access Control (RBAC) in Microsoft Azure?
group/role management (OK) subscription/resource group??

What are the three types of Role Based Access (RBAC) controls in Microsoft
Azure? All (OK)

The basic domain of Azure AD is in the form of _______________.
abc123.onmicrosoft.com (OK)

The basic domain name is primarily intended to be used as a bootstrapping
mechanism until a custom domain name is verified. True (OK)

How long does password writeback take to work? Immediately (OK)

A domain name is an important part of the identifier for ___________. All (OK)

If you create a user in Azure AD, it is called a __________________ Identity.
Cloud (OK)

Azure AD provides __________________. All (OK)

Azure AD provides _________________________________. All (OK)

If my on-premises account is disabled, then how long can I access my cloud
account? None ?

What feature of Privileged Identity Management allows you to define extended
permissions for a user over a limited period? Time-limited Activation

You are the Global Administrator for your company's Windows Azure tenant. You
enable the self-service password reset feature. You create a new Azure Active
Directory (Azure AD) account for a user and give the user the temporary
password. Later from his home PC, the user attempts to log in to his O365 email
but can't find the temporary password. He clicks "Can't access your account" but
is not prompted to reset his password. Other users successfully reset their
passwords during this same timeframe. You need to explain to his manager why the
user was not able to reset his password when other users were able to reset
their passwords. What explanation should you give the user's manager?
Before a user can use this feature, he must first define an authentication
method, such as a mobile number. This will be requested at the first successful
login.?

You are the administrator of your company's Azure subscription and Azure Active
Directory (Azure AD) tenant. Many Software as a Service (SaaS) apps have been
published and are available to the users. Users use these apps only when
connected to the corporate network. A vendor who comes in with his laptop and
air card needs access to the application. You create a user account for the
vendor in the Azure AD tenant, assign access to the app for the vendor, and give
the vendor a link to the application. The vendor is unable to access the
application. You need to ensure the vendor can access the application. What
should you do?
Create an account for the vendor in the Azure subscription ?
Have the user connect his laptop to the organization's network?
------
To manage the Azure Ad, the required privilege is ____________________. AD
administrator

Contoso.com is your verified custom domain, then the UPN of the user1 will be
________________. [email protected]

You are the Global Administrator for your company's Windows Azure tenant. You
assign two of your coworkers as Global Administrators. You click the Azure AD
Privileged Identity Management link and walk through the security wizard. You
add one of the coworkers to the role of Privileged Role Administrator. Later, the
coworker attempts to access the Azure AD Privileged Identity Management service
and cannot access it. You need to ensure that your coworker has access to this
service. What should you do?
Instruct the user to activate the role. (OK)

Your company is using O365. The tenant administrator signs up for a free Azure
membership and creates an Azure Active Directory (Azure AD) tenant. He then
associates the Azure AD tenant with the Azure subscription. Multi-factor
authentication (MFA) is not enabled. You wish to enable the self-service
password reset feature for your cloud users. Which of the statements below is
true regarding your tenant and the self-service password reset feature?
You cannot enable this feature until you upgrade to a Basic Azure subscription.

Your network contains an Active Directory Domain Services (AD DS) domain named
contoso.com and an Azure Active Directory (Azure AD) domain named
contoso.onmicrosoft.com. You are using Role-Based Access Control (RBAC) policies
to control who has rights within the Azure subscription. You are a Global
Administrator and have the "owner" built-in role. A member of your team named
Mary should be allowed to create and manage all objects in the subscription, but
should not be able to add or remove role assignments. You need to give Mary only
the rights that she needs. This must be accomplished with the least amount of
administrative effort. What should you do?
Add Mary to the Contributor role (OK)

What types of accounts does password writeback work for? Not All, Synced IDs ?

Azure AD is not available in Azure Free Edition. False

-----------

Your company uses Windows Azure and has published several applications. Your
network team has informed you that there is much traffic coming from a specific
subnet. You believe one of the most commonly used apps may be to blame. You
need to check which apps are being used the most, and where the traffic is
originating. From which blade in the Azure portal should you start your search?
Enterprise Applications /// Connector?? Cloud App

What type of SaaS gallery applications support Microsoft Azure Active Directory
automatic provisioning? Not Integrated apps

You have a corporate website with Anonymous access enabled. Later you configure
Azure Multi-factor Authentication (MFA) and configure it to Enable IIS
authentication. A user logs into the web page and is immediately presented the
webpage, with no authentication requests or prompts. You need to ensure that
users are prompted for MFA when accessing the webpage. What should you do?
In the IIS console, on the Default Web Site properties, enable Basic
authentication and disable Anonymous authentication?
In the IIS console, on the web page properties, enable Basic authentication and
disable Anonymous authentication

You are deciding between using an on-prem Multi-factor Authentication (MFA)
service, and a cloud-based service hosted in Azure. Which of the following
features are available only in the on-prem MFA service? Two-way SMS (Ok)
-------------
RBAC can be used _________________. Only for administration (OK)

You plan to implement self-service group management in Microsoft Azure. Who is
responsible for approving requests from users to join a group? A group Owner
(OK)

What is the significant user benefit achieved by implementing SaaS application
integration? Single sign-on to SaaS applications (OK)
