Which azure ad licenses (select two) are made available through azure?
Candidates for this exam should have foundational knowledge of cloud services and how those services are provided with Microsoft Azure. The exam is intended for candidates who are just beginning to work with cloud-based solutions and services or are new to Azure.
The Azure Fundamentals exam is an opportunity to prove knowledge of cloud concepts, Azure services, Azure workloads, security and privacy in Azure, as well as Azure pricing and support. Candidates should be familiar with general technology concepts, including networking, storage, compute, application support, and application development. Azure Fundamentals can be used to prepare for other Azure role-based or specialty certifications, but it is not a prerequisite for any of them.

Skills measured
Describe cloud concepts (25–30%)
Describe Azure architecture and services (35–40%)
Describe Azure management and governance (30–35%)

Azure Active Directory (Azure AD) is Microsoft's enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system; it can sync with on-premises Active Directory and provide authentication to other cloud-based applications through standard protocols such as OAuth 2.0, OpenID Connect and SAML. During the 2020 pandemic, Microsoft Teams saw a 70% increase in daily Teams users in a single month. While it is unclear how many of those users are net new to Azure AD, we can assume that the 2020 pandemic jump-started both adoption and implementation of Azure AD to meet the demands of a remote workforce. It's week eleventeen of the pandemic at the time of this writing, and it seems unlikely that enterprises will return to the way things were in the before times. Sysadmins dealing with hybrid cloud environments should understand how Azure AD works and, most importantly, how to keep data safe in this cloud-first world without the luxury of a secure perimeter.

What is Windows Active Directory?
Windows Active Directory (AD) is Microsoft's predecessor to Azure AD. Microsoft released Active Directory with Windows 2000 Server, and it became the standard for enterprise identity management. Active Directory lives on-premises on servers called Domain Controllers (DCs).
Each DC contains a catalog of users and computers that are authorized to access resources on the network. Users authenticate to DCs via Kerberos or NTLM. AD security is one of our favorite topics because many attacks the Varonis Incident Response team researches involve AD at some point in the cyber kill chain. It could be a simple brute force attack to crack an old NTLM password hash, or a privilege escalation attempt to take over an administrator account. AD security has been the topic of many conference talks, and we even wrote a comprehensive guide to pen testing your AD environment to ensure its resilience to common off-the-shelf attacks. Any conversation about Azure AD has to mention classic AD, and we will explain why further along in the blog.

Difference Between Windows and Azure AD
Azure AD and Windows AD are both created by Microsoft, and they are both IAM systems, but that's pretty much where the comparisons stop. They are fundamentally different systems that coexist in an interconnected enterprise environment: Windows AD is a hierarchical directory of forests, domains and organizational units that clients query over LDAP and authenticate to with Kerberos or NTLM, and it pushes configuration with Group Policy; Azure AD is a flat, multi-tenant web service that clients reach over HTTPS and authenticate to with OAuth 2.0, OpenID Connect or SAML, with no LDAP endpoint and no Group Policy.

[Comparison table: Azure Active Directory vs. Windows Active Directory]
The answer to the question, "so which one do I use?" is probably both. If you are running an established enterprise network, you most likely already have Windows AD, and you are adding Azure AD to manage your cloud infrastructure. If you are starting a brand new organization from scratch, Azure AD could meet all of your needs, especially if you plan on using an entirely cloud-based infrastructure. The other question you might ask is "which one is harder to configure?" Neither one is more or less configurable than the other, and neither one is inherently more or less secure than the other. Both systems require a qualified expert to manage and protect your network once the company grows past 100 users or so. Smaller shops will find Azure AD easier to manage overall.

Azure AD Connect for Hybrid Deployments
Azure AD Connect is Microsoft's solution to enable hybrid Windows AD and Azure AD deployments. Azure AD Connect syncs data between the on-premises DCs and the cloud. It lets you sync user accounts from your on-premises directory to your Azure AD tenant, and it also provides password hash synchronization, pass-through authentication, federation, and health monitoring. Those features let your users keep the same user ID and password on-premises and in the cloud and ease the management of your hybrid environment. In short, you need Azure AD Connect if you have a hybrid environment. One caveat: the Azure AD Connect server holds credentials that are privileged in both directories, so it should be protected like a domain controller (restricted logon, prompt patching, monitoring) rather than treated as just another member server. As a sysadmin or security pro, it's important that your security solutions give you a unified view of each user regardless of whether they're accessing cloud or on-prem resources. The Varonis Data Security Platform, for example, makes it easy to pinpoint a user and see their activity in Azure AD and Windows AD. Even though there are two user repositories behind the scenes, Varonis treats them as a single user with a comprehensive user behavior profile that includes on-prem and cloud activity.
Azure Active Directory Considerations
OK, so if you have made it this far, you might be considering implementing Azure AD for your organization. Now you have real decisions to make.

1. Licensing: Azure AD licensing follows the same monthly subscription model as the Office 365 licenses. There are four license levels: Free, Office 365 Apps, Premium P1, and Premium P2. Office 365 Apps comes as part of your Office 365 subscription, and the Premium packages are a separate item. You get the Free license with a subscription to Azure, Dynamics 365, Intune, or Power Platform. Premium P1 adds features like Conditional Access, Azure AD Password Protection for your on-premises AD, self-service password reset with writeback, dynamic groups and advanced group access management; Premium P2 adds Identity Protection (risk-based sign-in policies), Privileged Identity Management and access reviews. The feature lists for Azure AD and Microsoft 365 are separate, and you need to look at both of them to understand everything available to you so you can build your implementation strategy. Ed. Note: Office 365 recently got renamed to Microsoft 365. At the time of this writing, Microsoft's documentation contains both names, but they are the same thing.

2. Choose your scenario: Hybrid Azure AD or Azure AD? If you already have Windows AD, Hybrid is probably your best option. If you are building a cloud-only infrastructure, Azure AD alone is the better choice. For a Hybrid environment, you can go with a Managed (password hash sync or pass-through authentication) or Federated configuration. If you are going to create users in Windows AD, you need Azure AD Connect to sync them to Azure AD. Are you going to use device management in Azure AD? Azure AD join requires Windows 10 or later on those devices.

3. SSO: Are you going to enable Single Sign-On (SSO) with Azure AD? You will need to configure your cloud apps and services to use Azure AD SSO, and set up Hybrid Cloud Print if Azure AD-joined devices need to reach on-premises printers.

4. User Provisioning: How are you going to add your existing users to Azure AD? You can set up self-enrollment where users run the process themselves, use Windows Autopilot (which provisions the device and enrolls the user who signs in during setup), or have an admin enroll your users.
Those four steps will set you on the right path. You will have to do some more homework to figure out all the answers, which will lead you to more questions that need different answers.

How Does Azure Active Directory Work?
Azure AD is a new system that Microsoft designed from the ground up to support cloud infrastructure. Azure AD exposes REST APIs (Microsoft Graph) to pass data to other cloud applications and systems that support REST, which is most of them. Unlike Windows AD, Azure AD is a flat structure inside a single tenant: there are no forests, domains or organizational units, just the tenant's users, groups, devices and applications. Think of the tenant as a circle that surrounds all your stuff. You control the stuff inside the tenant, but once it leaves that circle you lose some agency over what happens to it. At Varonis, our approach to data security aligns with zero-trust principles, so as we continue we will weave in zero trust when appropriate.

Users and Groups
Users and groups are the basic building blocks of Azure AD. You organize users into groups that should all be treated the same way. For example, you may put your Product Management team in one Azure AD group and grant permissions at the group level, so when a user leaves the organization you only need to deactivate one account, and the rest of the group stays the same. Users in Azure AD can come from both inside and outside your organization: your tenant can contain identities for your own users and guest identities for users from outside your organization (B2B collaboration), who sign in with their own Azure AD account or Microsoft account. What this means is that you can bring people from outside your organization inside your tenant and grant them specific permissions, just as if they were part of your organization. Done correctly (guests scoped to the specific groups and applications they need, and reviewed periodically), this is safer for the organization's data than sharing internal credentials or creating shadow accounts for outsiders.

Adding Users and Groups to Azure AD
There are several methods to populate your users and groups in Azure AD.
No matter which option you start with, or switch to later on, there are a few key points to make about adding users in Azure AD.
Custom Domains
Adding a custom domain to Azure AD will reduce the frustration your users experience as they migrate to the new system. The default Azure AD domain is the tenant's onmicrosoft.com domain, so a default user name looks like this:

username@yourtenantname.onmicrosoft.com
That's a lot to type. If you configure Azure AD to use a domain that you own, your users will thank you: it would look something like @notarealdomain.com instead, which is much easier to deal with.

Common Attacks Against Azure AD
I'd like to say that the transition to Azure AD was smooth and without issue, but alas. Any significant transformation to a cloud-enabled infrastructure is bound to attract malicious attackers that want to infiltrate the new frontier. And so they did. The Varonis IR team investigates many brute force attacks against Azure AD. Attackers love to use vast collections of usernames and passwords from data breach dumps to try to break into Azure AD accounts, a method known as credential stuffing; its cousin, password spraying, tries one or two common passwords against many accounts to stay under lockout thresholds. Azure AD is available from the internet, so it's a relatively easy target. A good password policy and multi-factor authentication, as well as behavioral monitoring of login activity and geo-hopping, can thwart most brute force attacks. Most. Two caveats: legacy authentication protocols (POP, IMAP, SMTP AUTH, basic-auth ActiveSync) do not support MFA and should be blocked with Conditional Access, and you still need to monitor your data to detect malicious activity inside your tenant in the event an attacker succeeds with a single login attempt. Phishing is the other top attack we see against Azure AD users. Phishing can lead to credential theft or malware infection, which can provide attackers with a foothold in your tenant. One useful protection is the warning shown when a user opens an email from an outside or untrusted sender; this and the other email protections are Exchange Online and Microsoft Defender for Office 365 features, so you enable them in the Microsoft 365 admin portals rather than in Azure AD itself. The Varonis IR team demonstrates how to use phishing to infiltrate and steal data in this Live Cyber Security Lab.

Azure Skeleton Key Attack
This attack has to do with Azure AD Connect, which we described above as the way to synchronize your Azure AD and on-prem AD. Azure AD Connect can be configured to use a sign-in method called Pass-Through Authentication (PTA). When this method is used, an on-prem server runs the PTA authentication agent (the "Azure Agent" in the description that follows), which validates users' passwords against the on-prem DCs on Azure AD's behalf.
Should an attacker compromise an organization's Azure agent server, they can create a backdoor that allows them to log in as any synchronized user. Varonis created a proof-of-concept that manipulates the Azure authentication function to 1) give us a "skeleton key" password that will work for all users, and 2) dump all real clear-text usernames and passwords into a file. You can read the details and see the Azure Skeleton Key attack POC in action here. The practical consequence is that PTA agent servers are Tier-0 assets: restrict who can log on to them, keep them off the general-purpose server estate, and alert on changes to the agent's binaries and on unexpected modules loaded into its process.

What Else Can I Configure in Azure AD?
Microsoft provides enhancements and tools in Azure AD and Microsoft 365 to further secure and protect your organization's data in the cloud. Here are a few more options that you can enable to keep your organization more secure.
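The sign-in monitoring described under Common Attacks above (an IP that fails against many accounts, a success from that same IP, and a user who "geo-hops" between countries) is straightforward to prototype over Azure AD sign-in log records. The script below is an added example, not code from the original post or from Varonis or Microsoft. It assumes only the documented shape of Azure AD sign-in log entries (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode, createdDateTime) and runs over a constructed set of events rather than real log data; error code 50126 is Azure AD's "invalid username or password" result and 0 is success. The thresholds (five accounts in ten minutes, two countries within one hour) are assumptions to tune for your tenant.

```python
"""Flag password-spray / credential-stuffing and geo-hopping patterns in Azure AD
sign-in log records.

Added example: hypothetical helper, not Varonis or Microsoft code. The records
follow the shape of Azure AD sign-in log entries (userPrincipalName, ipAddress,
location.countryOrRegion, status.errorCode, createdDateTime), but SAMPLE_EVENTS
below is constructed so the script runs offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in error code for "invalid username or password"; 0 is success.
ERR_BAD_CREDS = 50126


def parse_ts(ts):
    """Sign-in logs carry UTC timestamps like 2020-06-01T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {users}} for source IPs whose bad-password failures hit at
    least min_users distinct accounts inside any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == ERR_BAD_CREDS:
            by_ip[e["ipAddress"]].append(
                (parse_ts(e["createdDateTime"]), e["userPrincipalName"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits


def detect_success_after_spray(events, spray_hits):
    """Successful sign-ins from an IP already flagged for spraying: the single
    lucky guess that the text warns still has to be caught."""
    return sorted(
        (e["userPrincipalName"], e["ipAddress"])
        for e in events
        if e["status"]["errorCode"] == 0 and e["ipAddress"] in spray_hits
    )


def detect_geo_hop(events, window=timedelta(hours=1)):
    """Same user signing in successfully from two countries within the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == 0:
            by_user[e["userPrincipalName"]].append(
                (parse_ts(e["createdDateTime"]), e["location"]["countryOrRegion"]))
    hops = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            if c1 != c2 and t2 - t1 <= window:
                hops.append((user, c1, c2))
    return hops


def ev(ts, user, ip, country, code):
    """Build one record in the Azure AD sign-in log shape."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}


# Constructed sample (documentation IP ranges, made-up users), not real log data:
# a spray from 203.0.113.7 against five accounts that finally lands on erin,
# one ordinary typo from bob's own address, and alice "hopping" US -> DE in 20 min.
SAMPLE_EVENTS = [
    ev("2020-06-01T08:30:00Z", "alice@example.com", "198.51.100.4", "US", 0),
    ev("2020-06-01T08:50:00Z", "alice@example.com", "198.51.100.9", "DE", 0),
    ev("2020-06-01T08:55:00Z", "bob@example.com", "198.51.100.4", "US", ERR_BAD_CREDS),
    ev("2020-06-01T09:00:00Z", "alice@example.com", "203.0.113.7", "RU", ERR_BAD_CREDS),
    ev("2020-06-01T09:00:30Z", "bob@example.com", "203.0.113.7", "RU", ERR_BAD_CREDS),
    ev("2020-06-01T09:01:00Z", "carol@example.com", "203.0.113.7", "RU", ERR_BAD_CREDS),
    ev("2020-06-01T09:01:30Z", "dave@example.com", "203.0.113.7", "RU", ERR_BAD_CREDS),
    ev("2020-06-01T09:02:00Z", "erin@example.com", "203.0.113.7", "RU", ERR_BAD_CREDS),
    ev("2020-06-01T09:04:00Z", "erin@example.com", "203.0.113.7", "RU", 0),
    ev("2020-06-01T10:00:00Z", "bob@example.com", "198.51.100.4", "US", 0),
    ev("2020-06-01T14:00:00Z", "bob@example.com", "198.51.100.20", "GB", 0),
]


def analyze(events=SAMPLE_EVENTS):
    """Run all three detections and return the findings keyed by name."""
    spray = detect_spray(events)
    return {"spray": spray,
            "success_after_spray": detect_success_after_spray(events, spray),
            "geo_hops": detect_geo_hop(events)}


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

On the sample, the spray detector flags 203.0.113.7 against all five accounts, the follow-up check reports erin's successful sign-in from that same address, and the geo-hop check reports alice (US to DE in 20 minutes) but not bob (US to GB four hours apart). Real sign-in records exported from the Azure portal or the Microsoft Graph `auditLogs/signIns` endpoint have the same fields; a production version would replace the fixed country window with a distance-over-time ("impossible travel") calculation.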
That's not nearly a comprehensive list of tools to manage and secure Azure AD. Do check out the webinar about Microsoft Teams to see some other ways to prevent data leaks and to learn why one security professional said, "We wouldn't even be considering OneDrive if we didn't have Varonis in place."

What are the two features that Azure AD provides (choose two)?
Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
What are the types of Azure AD licenses?
Azure Active Directory comes in four editions: Free, Office 365 apps, Premium P1, and Premium P2.
Which are the two types of Azure AD groups?
Security Groups. A Security Group will be used to collectively assign resources to users. ...
Office 365 Groups. ...
Assigned. ...
Dynamic User. ...
Dynamic Device.

What is Azure AD licensing?
Azure Active Directory (or Azure AD) enables you to manage identity (users, groups, etc.) and control access to apps, devices, and data via the cloud. That means that both identity and access are managed entirely from the cloud, and all of your cloud apps and services will utilize Azure AD.