Planning Azure AD identities is a key component of preparing for the MS-100 Microsoft 365 Identity and Services exam. By understanding and implementing Azure AD identities, you can effectively manage user identities and access in a cloud-based environment.
I. Understanding Azure AD identities
Azure AD is Microsoft’s cloud-based identity and access management service. It helps IT teams manage and secure employee sign-ins and access to external and internal resources. Azure AD identities exist in three varieties: cloud identities, synced identities, and federated identities.
1. Cloud identities:
These are users created and managed directly in Azure AD and have no on-premises component. They exist solely in the cloud and have both their identity and credentials managed in Azure AD.
2. Synced identities:
These are users that have been synchronized into Azure AD from an on-premises Active Directory. A tool such as Azure AD Connect syncs user attributes and, with Password Hash Synchronization, password hashes to the cloud.
3. Federated identities:
These are users that are managed on-premises and authenticated through an on-premises federation service that Azure AD trusts, rather than by Azure AD itself. They are most commonly used when companies have specific requirements around password policies, client access policies or sign-in methodology.
II. Choosing the best identity model
When planning Azure AD identities, you need to select an identity model that suits your organization’s needs. The decision essentially relies on your organization’s current deployment model, preferences, and future planning.
Here is a comparison table followed by a detailed discussion on when to use each.
| Identity Model | Optimum Usage |
|---|---|
| Cloud Identity | If the company doesn't have or need an on-premises server |
| Synced Identity | If the company uses both on-premises and cloud servers |
| Federated Identity | If the company has specific requirements around password policies |
1. Cloud Identity:
This model is best if your organization does not have or require an on-premises server. All user authentication happens in Azure AD, eliminating the need for an on-premises server.
2. Synced Identity:
If your organization has an on-premises server and also uses cloud services, use Azure AD Connect to sync identities between the two. This gives users a consistent experience whether they are using cloud or on-premises resources, and it reduces the management overhead for IT professionals.
3. Federated Identity:
If your organization has specific security, access control, or password policy requirements, the federated identity model lets your on-premises servers authenticate users through a federation service that Azure AD trusts.
III. Implementing Azure AD identities
Azure provides tools such as Azure AD Connect and Azure AD Connect Health to manage these identities. Azure AD Connect enables you to synchronize your on-premises directories to Azure AD, creating a common user identity for authentication and authorization to all resources, both on-premises and in the cloud. Azure AD Connect Health helps monitor and ensure your synchronizations are running smoothly and effectively.
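As an added example (not from the original page and not Microsoft's own code), the following PowerShell reads the state of an Azure AD Connect server to confirm that synced identities are actually flowing. It assumes the ADSync module installed with Azure AD Connect is present on that server and that the property names used match that module's output.

```powershell
# Added example, not from the original page: a read-only health check for the
# synced-identity model, run in an elevated PowerShell session on the Azure AD
# Connect server itself. Assumes the ADSync module installed with Azure AD Connect;
# the property names used below are assumed to match that module's output.
Import-Module ADSync -ErrorAction Stop

function Test-AadConnectSyncHealth {
    [CmdletBinding()]
    param()
    # Returns a list of findings; an empty list means nothing looked wrong.
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Scheduler state. If the sync cycle is disabled, the scheduler is suspended,
    #    or this server is (unexpectedly) in staging mode, no changes are exported
    #    and synced identities in Azure AD silently go stale.
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) { $findings.Add('Sync cycle is disabled') }
    if ($sched.SchedulerSuspended)    { $findings.Add('Scheduler is suspended') }
    if ($sched.StagingModeEnabled)    { $findings.Add('Server is in staging mode and does not export') }
    Write-Verbose ("Next cycle: {0} at {1} UTC" -f $sched.NextSyncCyclePolicyType, $sched.NextSyncCycleStartTimeInUTC)

    # 2. A connector run that never finishes blocks later cycles.
    #    Get-ADSyncConnectorRunStatus returns nothing when every connector is idle.
    if (Get-ADSyncConnectorRunStatus) { $findings.Add('A connector run is still in progress') }

    # 3. Connector inventory: expect one on-premises AD forest connector and one
    #    Azure AD tenant connector; anything else deserves a look.
    $connectors = @(Get-ADSyncConnector)
    if ($connectors.Count -ne 2) {
        $findings.Add("Unexpected connector count: $($connectors.Count) ($($connectors.Name -join ', '))")
    }

    # 4. Password hash sync is the default sign-in method for synced identities; if it
    #    is off, confirm that pass-through authentication or federation replaces it.
    $features = Get-ADSyncAADCompanyFeature
    if (-not $features.PasswordHashSync) { $findings.Add('Password hash sync is disabled') }

    return $findings
}

$result = Test-AadConnectSyncHealth -Verbose
if ($result.Count -eq 0) { 'Azure AD Connect sync looks healthy' }
else { $result | ForEach-Object { "WARNING: $_" } }
```

Azure AD Connect Health gives the same signals centrally in the portal; this script is the local check to run when you need to confirm the server's own view of its scheduler and connectors.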
Studying these identity models, understanding when to use each of them, and knowing how to implement them is critical for passing the MS-100 Microsoft 365 Identity and Services exam. Microsoft Learn and the official Microsoft documentation are the best resources to dive deeper into planning Azure AD identities.
Practice Test
Azure AD is a cloud-based, multi-tenant directory and identity service. True/False?
- True
- False
Answer: True
Explanation: Azure Active Directory is Microsoft's multi-tenant, cloud-based directory and identity management service.
Azure AD does not allow hybrid identities. True/False?
- True
- False
Answer: False
Explanation: Azure AD does allow hybrid identities, combining an on-premises directory with a cloud-based directory.
Which of the following are features of Azure AD?
- a) Password protection
- b) Identity governance
- c) Threat detection
- d) Object limitation
Answer: a) Password protection, b) Identity governance, c) Threat detection.
Explanation: Azure AD offers features such as password protection, identity governance, and threat detection, but not object limitation.
Azure AD Connect allows synchronization from Azure AD to on-premises AD. True/False?
- True
- False
Answer: False
Explanation: Azure AD Connect actually synchronizes from on-premises AD to Azure AD.
In Azure AD, Password Hash Synchronization (PHS) is the default configuration for syncing your on-premises users to Azure AD. True/False?
- True
- False
Answer: True
Explanation: Password Hash Synchronization is indeed the default configuration while setting up Azure AD Connect.
What is the maximum size of a security group in Azure AD?
- a) 5,000 members
- b) 50,000 members
- c) Unlimited
Answer: b) 50,000 members
Explanation: The maximum size for security groups that you can synchronize from your on-premises Active Directory to Azure AD is 50,000 members.
Azure AD calendars can be directly synced with Outlook. True/False?
- True
- False
Answer: False
Explanation: Azure AD doesn’t host calendars. Calendars are hosted in Exchange Online which syncs with Azure AD.
Azure AD B2C is intended to provide identity and access management solutions for employees in your organization. True/False?
- True
- False
Answer: False
Explanation: Azure AD B2C is an identity management service that enables you to customize and control how customers sign up, sign in, and manage their profiles when using your applications.
Which command should you run to check the synchronization status of Azure AD Connect?
- a) Get-ADSyncConnectorStatus
- b) Check-SyncStatus
- c) SyncStatus-Report
Answer: a) Get-ADSyncConnectorStatus
Explanation: The Get-ADSyncConnectorStatus command in PowerShell is used to check the synchronization status of Azure AD Connect.
Enabling password writeback with Azure AD Connect allows users to change their passwords directly in the cloud. True/False?
- True
- False
Answer: True
Explanation: Enabling password writeback with Azure AD Connect allows your Azure AD users to change their passwords directly in the cloud, and have them written back to an existing on-premises directory in real-time.
Azure AD B2B collaboration allows organizations to securely share applications and services with guest users from any other organization. True/False?
- True
- False
Answer: True
Explanation: Azure AD B2B collaboration is built to allow organizations to share applications and services securely with guest users from any other organization, while maintaining control over corporate data.
User behavior analytics are not available in Azure AD. True/False?
- True
- False
Answer: False
Explanation: Azure AD provides Identity Protection, which uses user behavior analytics and machine learning to alert on and block suspicious activities and to protect your identities against attack.
Azure AD’s Company Branding feature allows organizations to customize their Azure AD sign-in pages. True/False?
- True
- False
Answer: True
Explanation: Azure AD allows companies to customize their Azure AD sign-in pages with the Company Branding feature for a more consistent appearance.
Azure AD Identity Protection uses machine learning algorithms to identify signs of potentially harmful activities. True/False?
- True
- False
Answer: True
Explanation: Azure AD Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents, enabling mitigation or remediation actions to be taken.
Azure AD Conditional Access ensures secure access to your applications. True/False?
- True
- False
Answer: True
Explanation: Azure AD Conditional Access allows you to automate access control decisions for your cloud apps based on conditions.
Interview Questions
What is Azure Active Directory?
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.
Name two ways Azure Active Directory can be used.
Azure AD can be used for internal resources, such as apps on your corporate network and intranet, and for external resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
What is Azure AD Connect?
Azure AD Connect is a tool that combines the functionality of its two predecessors: Windows Azure Active Directory Sync, commonly referred to as DirSync, and Azure AD Sync (AAD Sync).
What are the primary functions of Azure AD Connect?
Azure AD Connect is responsible for synchronizing data from your on-premises Active Directory domain to the Azure AD tenant in the cloud.
What does the term identity in Azure AD refer to?
In Azure AD, an identity is an object that is created by an IT administrator, system developer, app developer, or system/device/process, that requires access to a protected resource.
What is Hybrid Identity with Azure AD?
Hybrid identity with Azure AD means that an individual has one identity for all resources, regardless of where these resources reside.
How does Conditional Access in Azure AD help with security?
Azure AD’s Conditional Access allows organizations to define a series of conditions that control when and how users can access applications.
What is Azure Multi-Factor Authentication?
Azure Multi-Factor Authentication is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions.
Can you explain the term single sign-on (SSO) with regards to Azure AD?
Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. With this property, a user logs in once and gains access to all systems without being prompted to log in again.
What is a tenant in Azure AD?
A tenant represents an organization in Azure AD. It’s a dedicated Azure AD service instance that an organization receives and owns when it signs up for a Microsoft cloud service like Azure, Microsoft Intune, or Office 365.
What is the user principal name (UPN), in terms of Azure AD?
In Azure AD, the User Principal Name (UPN) is the user's email address. It is used by Azure AD to allow users to sign in.
What is self-service password reset (SSPR) in Azure AD?
Self-service password reset (SSPR) is a feature of Azure AD that allows users to reset their passwords without administrative intervention.
Name two types of objects in Azure AD.
Two types of objects in Azure AD are users and groups. Users represent individuals in the organization, while groups are a collection of users.
How do you define the term app registration in Azure AD?
App registration in Azure AD involves creating an identity for an application allowing it to authenticate itself with Azure AD.
What is the purpose of Azure AD B2B collaboration?
Azure AD B2B collaboration allows organizations to share their applications and services with guest users from any other organization, while maintaining control over their own corporate data.