AZ-900 Microsoft Azure Fundamentals Exam

Start here! Get your feet wet with the Microsoft cloud and begin your journey to earning your Microsoft Certified: Azure Fundamentals certification!


Describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services

Evaluate Identity Management and Access Control

Microsoft Entra ID is a cloud-based service that manages identities and access for various Microsoft services, including Microsoft 365 and Azure. It acts as a directory, storing user accounts and their associated permissions. This service is essential for controlling who can access cloud resources and what they can do. Every user set up to use Microsoft services has an account in one or more Microsoft Entra instances, granting them access to the service.

Microsoft Entra ID offers a range of features to manage identities and access. These include application management, which allows you to manage both cloud and on-premises apps using single sign-on and the My Apps portal. It also provides authentication features like self-service password reset and multi-factor authentication (MFA). For developers, Microsoft Entra ID enables building apps that sign in all Microsoft identities and get tokens to call various APIs.

Microsoft Entra ID also supports Business-to-Business (B2B) scenarios, allowing you to manage guest users and external partners while maintaining control over your data. Additionally, Business-to-Customer (B2C) features enable you to customize how users sign up, sign in, and manage their profiles when using your apps. These features are crucial for managing access for both internal and external users.

Conditional Access is another key feature, allowing you to manage access to your cloud apps based on specific conditions. Device Management helps you control how devices access your corporate data, whether they are cloud-based or on-premises. These features enhance security by ensuring that only authorized users and devices can access resources.

Microsoft Entra Domain Services allows you to join Azure virtual machines to a domain without having to deploy or manage domain controllers yourself. Hybrid identity solutions, using Microsoft Entra Connect, provide a single user identity for authentication and authorization to all resources, regardless of their location. This is important for organizations that have both cloud and on-premises resources.

Identity governance features, available in Microsoft Entra ID P2, include privileged identity management (PIM), access reviews, and entitlement management. These tools help manage and audit access to critical assets. Microsoft Entra ID Protection helps detect potential vulnerabilities affecting your organization's identities and allows you to configure policies to respond to suspicious actions. These features are essential for maintaining a secure environment.

Examine Microsoft Entra Domain Services

Microsoft Entra Domain Services provides managed domain services, such as domain join, group policy, LDAP, and Kerberos/NTLM authentication. This allows you to use these services without needing to manage domain controllers in the cloud. It's designed to support legacy applications that can't use modern authentication or when you don't want directory lookups to always go back to an on-premises Active Directory environment. This service lets you move those legacy applications to Azure without the overhead of managing the AD DS environment in the cloud.

When you create a Domain Services managed domain, you define a unique namespace, like aaddscontoso.com. Azure then deploys two Windows Server domain controllers into your chosen Azure region. These domain controllers are managed by Azure, including backups and encryption. The managed domain synchronizes one-way from Microsoft Entra ID, providing access to users, groups, and credentials. Resources created directly in the managed domain are not synchronized back to Microsoft Entra ID. Applications and VMs connected to the managed domain can use standard AD DS features.

In hybrid environments, Microsoft Entra Connect synchronizes identity information from on-premises AD DS to Microsoft Entra ID, which then synchronizes to the managed domain. This allows for a consistent identity for users. For cloud-only environments, you don't need an on-premises AD DS to use Domain Services. You can also expand a managed domain to have multiple replica sets in different Azure regions for disaster recovery.

Domain Services is compatible with traditional AD DS environments, supporting operations like domain-join, secure LDAP (LDAPS), Group Policy, and DNS management. It simplifies deployment by integrating with your Microsoft Entra tenant through a single wizard. User accounts, group memberships, and credentials are automatically available from your Microsoft Entra tenant. Passwords for users in Domain Services are the same as in your Microsoft Entra tenant, allowing users to use their corporate credentials.

Key benefits of Domain Services include support for NTLM and Kerberos authentication, high availability with multiple domain controllers, and the ability to use replica sets for geographical disaster recovery. The managed domain is a stand-alone domain, not an extension of an on-premises domain, but you can create one-way outbound forest trusts if needed. Your IT team doesn't need to manage, patch, or monitor domain controllers for this managed domain.
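The managed-domain creation described above, as an added example that is not part of the course page or any Microsoft sample: it deploys a managed domain with Az PowerShell using the same namespace, aaddscontoso.com, switches off the legacy protocol options a defender would not want on by default (NTLMv1, TLS 1.0 and RC4 Kerberos encryption), and reads the settings back as a check. It assumes the Az module, a signed-in session (Connect-AzAccount), an existing resource group, virtual network and dedicated subnet, and that the tenant-side prerequisites for Domain Services are already in place; the subscription id and resource names are placeholders.

```powershell
# Added example (not from the course page): create a Microsoft Entra Domain
# Services managed domain with Az PowerShell and harden its security settings.
# Assumptions: the Az module is installed and Connect-AzAccount has been run;
# the resource group, virtual network and dedicated subnet already exist; the
# subscription id and resource names below are placeholders.
$SubscriptionId    = "<subscription-id>"
$ResourceGroupName = "rg-identity"
$Location          = "westeurope"
$ManagedDomainName = "aaddscontoso.com"   # namespace from the text above
$VnetName          = "vnet-identity"
$SubnetName        = "snet-domainservices"

# Domain Services is delivered by the Microsoft.AAD resource provider.
Register-AzResourceProvider -ProviderNamespace "Microsoft.AAD" | Out-Null

$Vnet     = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
$SubnetId = ($Vnet.Subnets | Where-Object Name -eq $SubnetName).Id

# Property names follow the Microsoft.AAD/domainServices resource schema.
# The first replica set lands in the chosen region; further replica sets in
# other regions can be added later for geographic disaster recovery.
# NTLM (v2) and Kerberos stay available; only NTLMv1, TLS 1.0 and RC4 are
# disabled. Identify legacy clients that still need them before deploying.
$Properties = @{
    domainName  = $ManagedDomainName
    replicaSets = @(
        @{ subnetId = $SubnetId; location = $Location }
    )
    domainSecuritySettings = @{
        ntlmV1                = "Disabled"
        tlsV1                 = "Disabled"
        kerberosRc4Encryption = "Disabled"
    }
}

$ResourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"

New-AzResource -ResourceId $ResourceId -Location $Location `
    -Properties $Properties -Force | Out-Null

# Read the settings back so the hardening can be verified. Run this part on
# its own periodically: a value that has drifted back to "Enabled" is a change
# worth investigating.
function Get-ManagedDomainSecuritySettings {
    param([string]$ResourceId)
    $Domain = Get-AzResource -ResourceId $ResourceId -ExpandProperties
    $Domain.Properties.domainSecuritySettings
}

Get-ManagedDomainSecuritySettings -ResourceId $ResourceId |
    Format-List ntlmV1, tlsV1, kerberosRc4Encryption, syncNtlmPasswords
```

Deployment of a managed domain takes a while to complete after New-AzResource returns, so run the read-back once the resource reports a succeeded provisioning state. Because the managed domain is a stand-alone domain synchronized one way from Microsoft Entra ID, there is no on-premises Group Policy to fall back on for these settings; the resource properties above are where they live.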

In summary, Microsoft Entra Domain Services provides a way to use traditional domain services in Azure without the complexity of managing domain controllers. It integrates with Microsoft Entra ID, supports legacy applications, and offers high availability and disaster recovery options. It is a valuable tool for organizations looking to move legacy applications to the cloud while maintaining familiar authentication and management practices.

Understand Microsoft Entra ID

Microsoft Entra ID is a cloud-based service that manages identity and access for various Microsoft services like Microsoft 365, Dynamics 365, and Azure. It acts as a directory, storing user accounts and their permissions, and provides authentication and authorization services. This means it verifies who you are and what you're allowed to access. Every Azure subscription has a trust relationship with a Microsoft Entra tenant, which is used to authenticate users and devices.

Microsoft Entra ID provides common identity and access capabilities for all web services. If you use Microsoft services, you're already using Microsoft Entra ID for sign-on and access management. All users set up to use Microsoft services are defined as user accounts in one or more Microsoft Entra instances. These accounts are what allow you to access Microsoft Entra ID.

Microsoft Entra ID offers both free and paid services. Paid services, like Enterprise Mobility + Security, provide more comprehensive solutions for enterprise-scale development, management, and security. The person who signs up for a Microsoft Entra or Azure subscription is automatically assigned the Owner role for Azure resources and the Global Administrator role for the directory. These roles allow them to manage services and features within the Azure portal.

Administrators in Microsoft Entra ID have different roles that determine what they can do, such as creating or editing users, assigning administrative roles, resetting passwords, managing licenses, or managing domains. To optimize connectivity, specific Microsoft Entra admin center URLs should be added to your allowlist, especially if you use proxy servers or firewalls. This ensures smooth communication between your network and the Microsoft Entra admin center.

Microsoft Entra ID also offers features like single sign-on (SSO), which allows users to access multiple applications with one set of credentials. It also supports Business-to-Business (B2B) collaboration, allowing you to manage guest users and external partners. Additionally, Business-to-Customer (B2C) features help you customize how users sign up and manage their profiles when using your apps. You can also connect your on-premises directory to Microsoft Entra ID using Microsoft Entra Connect.

The Microsoft Entra admin center is a web-based portal where you can manage all Microsoft Entra products. It is organized by product, allowing you to access features like user and group management, device management, application management, and security settings. The admin center also provides information on the latest updates, including product launches, roadmap items, and change announcements.
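As an added example, not code from the course page: an Az and Microsoft Graph PowerShell script that lists who holds the two roles the section names (Owner at subscription scope and Global Administrator in the directory) and then grants a new user a narrower, scoped built-in role instead of Owner. It assumes both modules are installed and signed in with rights to read role assignments, directory roles and users; the subscription id, resource group and user principal name are placeholders.

```powershell
# Added example (not from the course page): inventory the two powerful roles
# the text mentions and grant a narrower, scoped role instead of Owner.
# Assumptions: Az and Microsoft.Graph modules are installed; Connect-AzAccount
# has been run; the Graph session below needs directory read and user read
# permissions. Subscription id, group and user principal name are placeholders.
$SubscriptionId = "<subscription-id>"
$ResourceGroup  = "rg-app"
$NewUserUpn     = "analyst@contoso.example"   # constructed placeholder

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" | Out-Null

function Get-SubscriptionOwners {
    # Owner assignments that apply to the whole subscription, including those
    # inherited from management groups; per-resource-group Owners are dropped.
    Get-AzRoleAssignment -RoleDefinitionName "Owner" |
        Where-Object { $_.Scope -notmatch "/resourceGroups/" } |
        Select-Object DisplayName, ObjectType, SignInName, Scope
}

function Get-GlobalAdministrators {
    # Directory roles are activated on first use, so the role may be absent
    # in a brand-new tenant; the filter finds the activated instance.
    $Role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $Role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id |
        ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
}

"Owner at subscription scope:"
Get-SubscriptionOwners | Format-Table -AutoSize
"Global Administrators:"
Get-GlobalAdministrators

# Least privilege: give the new user Reader on one resource group rather than
# Owner on the subscription. "Reader" is a built-in Azure role.
$User = Get-MgUser -UserId $NewUserUpn
New-AzRoleAssignment -ObjectId $User.Id -RoleDefinitionName "Reader" `
    -Scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" | Out-Null
```

The two inventories are the ones to review first when taking over a subscription: the person who signed up holds both roles by default, and every additional Owner or Global Administrator that has accumulated since then widens the blast radius of a single compromised account. Azure RBAC roles (Owner, Reader) and Microsoft Entra directory roles (Global Administrator) are separate systems, which is why the script queries one through Az and the other through Graph.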

Integrate Directory Services with Azure Resources

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service. It allows you to manage user identities and control access to Azure resources. Microsoft Entra ID is essential for securing cloud environments by providing a centralized system for authentication and authorization. It enables features like multi-factor authentication, password policy enforcement, and token-based authentication, enhancing overall security.

Microsoft Entra Domain Services provides managed domain services, such as domain join, group policy, and LDAP, without the need to deploy and manage domain controllers in Azure. This service is particularly useful for migrating legacy applications to the cloud that rely on traditional Active Directory features. It is important to note that Microsoft Entra Domain Services does not support SMB access using Microsoft Entra credentials from devices joined to or registered with Microsoft Entra ID.

Integrating these directory services with Azure resources is crucial for seamless identity and access management. For example, you can use Microsoft Entra ID to control access to Azure SQL Database, virtual machines, and web apps. This integration ensures that only authorized users can access these resources, enhancing security and compliance. When using on-premises AD DS for authentication, the AD DS credential should be synced to the Microsoft Entra ID that the storage account is associated with.

When integrating with Azure file shares, you can use either Microsoft Entra Domain Services or on-premises Active Directory Domain Services (AD DS) for authentication. However, the Microsoft Entra tenant must reside in the same subscription as the file share. For multi-forest AD DS environments, a forest trust must be configured correctly to support authentication from another forest.
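The Azure Files integration just described, as an added example rather than code from the course page: enable Microsoft Entra Domain Services authentication for SMB on a storage account with Az PowerShell, grant a group share-level access with a built-in role scoped to one share, and read the setting back. It assumes the Az module and a signed-in session, a storage account in the same subscription as the managed domain, and an existing file share; the resource names and the group object id are placeholders.

```powershell
# Added example (not from the course page): turn on Microsoft Entra Domain
# Services authentication for SMB on a storage account and grant share-level
# access to one group. Assumptions: Az module installed, Connect-AzAccount run;
# names and the group object id are placeholders; the storage account lives in
# the same subscription as the managed domain.
$ResourceGroup  = "rg-files"
$StorageAccount = "stfilescontoso001"
$ShareName      = "finance"
$GroupObjectId  = "<object-id-of-finance-users-group>"

# Switch the account's identity-based SMB authentication to the managed domain.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# Share-level permission: a built-in data role scoped to this one share only,
# not to the whole storage account. NTFS permissions on the share still decide
# what the group can do with individual files and folders.
$AccountId  = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Id
$ShareScope = "$AccountId/fileServices/default/fileshares/$ShareName"
New-AzRoleAssignment -ObjectId $GroupObjectId `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $ShareScope | Out-Null

# Read back what the account reports for identity-based authentication; the
# DirectoryServiceOptions value should now name the Domain Services option.
function Get-FileAuthConfig {
    param([string]$ResourceGroup, [string]$StorageAccount)
    $Account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
    $Account.AzureFilesIdentityBasedAuth
}

Get-FileAuthConfig -ResourceGroup $ResourceGroup -StorageAccount $StorageAccount | Format-List
```

Keep the caveat from the text in mind when testing: the VM that mounts the share must be joined to the managed domain, because a device that is only Microsoft Entra joined or registered cannot present Microsoft Entra credentials over SMB. Choosing the least permissive of the three built-in SMB share roles (Reader, Contributor, Elevated Contributor) per group is the share-level half of least privilege; the NTFS ACLs are the other half.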

In summary, integrating directory services like Microsoft Entra ID and Microsoft Entra Domain Services with Azure resources is essential for managing identities, controlling access, and enhancing security. These services provide a centralized and efficient way to manage user access across various Azure resources, ensuring that only authorized users can access sensitive data and applications.

Analyze Security Features and Best Practices

Microsoft Entra ID is a cloud-based service that manages identities and access for various Microsoft services, including Microsoft 365 and Azure. It acts as a central directory, authenticating users and authorizing their access to resources. Every Azure subscription has a trust relationship with a Microsoft Entra tenant, which is used to verify the identities of users and devices. This ensures that only authorized individuals and devices can access resources.

Microsoft Entra ID offers several security features. It provides common identity and access capabilities for all web services, including Microsoft services and other products. User accounts are defined within Microsoft Entra instances, granting access to these services. Paid services like Enterprise Mobility + Security enhance these capabilities with enterprise-scale security solutions. The person who signs up for an Azure subscription is assigned the Owner role by default, which allows them to manage resources. Additional users can be granted specific roles to access services.

Administrators play a crucial role in managing Microsoft Entra ID. The person who signs up for a subscription is also assigned the Global Administrator role, granting access to all directory features. There are different administrator roles for managing the directory and identity-related features. These roles determine what actions an administrator can perform, such as creating users, assigning roles, resetting passwords, and managing licenses. To optimize connectivity, specific Microsoft Entra admin center URLs should be added to allowlists, which can improve performance and prevent legitimate traffic from being blocked by firewalls or proxy servers.

Microsoft Entra ID also provides features for managing external users and connecting on-premises directories. External users can leave an organization on their own, but in some cases, an administrator may need to delete their account. Microsoft Entra Connect allows organizations to connect their on-premises directories to Microsoft Entra ID, creating a hybrid environment. Additionally, Microsoft Entra ID Governance offers advanced identity governance capabilities, while Microsoft Entra Permissions Management provides visibility into permissions across cloud infrastructures.

Microsoft Entra ID offers a range of features, including:

  • Application Management: Managing cloud and on-premises apps with single sign-on.
  • Authentication: Managing password resets, multi-factor authentication, and smart lockouts.
  • B2B and B2C: Managing guest users and customizing sign-in experiences for customers.
  • Conditional Access: Managing access to cloud apps.
  • Device Management: Managing how devices access corporate data.
  • Domain Services: Joining Azure virtual machines to a domain without domain controllers.
  • Hybrid Identity: Providing a single user identity for all resources.
  • Identity Protection: Detecting vulnerabilities and responding to suspicious actions.

The Microsoft Entra admin center is a web-based portal for managing Microsoft Entra products. It is organized by product, with sections for Identity, Protection, Identity Governance, Verified ID, Permissions Management, and Global Secure Access. The admin center provides a unified experience for configuring and managing Microsoft Entra solutions. It also includes a "What's new" section that provides information about the latest updates to the Microsoft Entra product.
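The Conditional Access and multi-factor authentication features listed above, as an added example rather than code from the course page: a Microsoft Graph PowerShell script that creates a policy requiring MFA for every user and application, excludes one emergency-access account so an MFA outage cannot lock administrators out, and starts the policy in report-only mode so its effect shows up in sign-in logs before anyone is blocked. It then summarizes all policies in the tenant so disabled or still-report-only policies stand out. It assumes the Microsoft.Graph module, a tenant licensed for Conditional Access, and an existing emergency-access account whose object id is a placeholder.

```powershell
# Added example (not from the course page): create a Conditional Access policy
# that requires MFA for all users, excludes an emergency-access account, and
# starts in report-only mode. Assumptions: Microsoft.Graph module installed;
# the tenant is licensed for Conditional Access; the object id is a placeholder.
$BreakGlassObjectId = "<object-id-of-emergency-access-account>"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" | Out-Null

$Policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"
    # Report-only evaluates and logs the policy without enforcing it.
    # Change to "enabled" once the sign-in logs show no unexpected blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassObjectId)   # never lock out break-glass
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
"Created policy $($Created.Id) in state $($Created.State)"

# Tenant-wide view: which policies exist, whether they are enforced, and
# whether they require MFA. Anything "disabled" or report-only is not yet
# protecting anyone.
function Get-ConditionalAccessSummary {
    Get-MgIdentityConditionalAccessPolicy |
        Select-Object DisplayName, State,
            @{ n = "RequiresMfa"; e = { "mfa" -in $_.GrantControls.BuiltInControls } }
}

Get-ConditionalAccessSummary | Format-Table -AutoSize
```

The emergency-access exclusion is deliberate: a policy that requires MFA for literally every account has no safe path back if the MFA service or the administrators' registered devices are unavailable. That account should be monitored separately so any sign-in with it raises an alert, since it is by design outside the policy.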

Conclusion

This section covered key aspects of directory services in Azure, focusing on Microsoft Entra ID and Microsoft Entra Domain Services. We explored how Microsoft Entra ID manages identities and access, offering features like single sign-on, multi-factor authentication, and conditional access. We also examined Microsoft Entra Domain Services, which provides managed domain services for legacy applications in Azure. Additionally, we discussed how to integrate these services with various Azure resources to ensure seamless identity and access management. Finally, we analyzed the security features and best practices for securing directory services, emphasizing the importance of identity protection and threat detection. Understanding these concepts is crucial for effectively managing and securing cloud environments in Azure.