[[azure:az-104_2024:az-104_study_guide_2024|AZ-104 Study Guide 2024]]

====== Identity and Access Management ======

====== Users and Groups ======

  * **Security groups**: Used to manage user and computer access to shared resources.
  * **Microsoft 365 groups**: Provide collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.
    * [[https://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups]]
  * M365 groups can be set up to expire after a specified period of time.
    * [[https://learn.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-groups-expiration-policy]]
    * When a group expires, almost all of its associated services (the mailbox, Planner, SharePoint site, team, etc.) are also deleted.
    * When a group expires it is <color :#fff200>"soft-deleted"</color>, which means it can still be recovered for up to 30 days.
    * Expiration policies are only supported for dynamic groups.
    * <color :#fff200>Entra ID Security groups do not support expiration policies.</color>
  * <color :#fff200>There is an option for groups that allows roles to be assigned to them. This setting can only be set when the group is created and cannot be changed later.</color>
    * Using this feature requires a Microsoft Entra ID P1/P2 license.

====== Azure Organization/Structure/Scoping ======

  * Within the Azure ecosystem there are several organizational structures.

===== Management Groups =====

  * //Management groups// provide a governance scope (for Azure resources) above subscriptions.
  * By moving multiple subscriptions under a management group, you can create one Azure role assignment on the management group. That assignment is inherited by all the subscriptions under it.
  * A management group tree can support <color :#fff200>up to six levels of depth</color>.
{{:azure:scope-levels.png|}}

----

===== Administrative Units =====

  * //Administrative Units (AU)// provide an administrative scope <color :#fff200>over a subset of Entra ID users and groups</color>.
  * Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group.
  * AUs cannot be nested.

{{:azure:rbac-admin-roles.png|}}

===== Control Plane vs. Data Plane =====

  * [[https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane]]

====== Microsoft Entra ID vs. Azure Roles ======

  * //ARM (Azure Resource Manager)/Azure/RBAC// roles are distinct from Entra ID roles.
  * //Data access// roles/permissions are also distinct from resource access roles/permissions. <color :#fff200>For example, having the //Owner// role for a storage account does not give a user access to the data in the storage account.</color>
    * The //control plane permissions// are distinct from the //data plane permissions//.
  * //Entra ID roles// (sometimes referred to as //Administrative Roles//) are used for managing access to //identity objects// within the Entra ID tenant itself.
    * Although Microsoft Entra ID roles are typically set at a tenant level, you can make scope adjustments using [[https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units|administrative units]].
  * //Azure RBAC roles// are used for managing access to resources in an Azure subscription.
  * Examples of [[https://learn.microsoft.com/en-us/azure/role-based-access-control/overview|Azure roles]]:
    * Owner - this is the role with the highest level of access, which includes the ability to grant users access to resources.
    * Contributor - this role grants read/write access to the scope it is assigned to, but (unlike //Owner//) it does not grant the permissions needed to assign other principals access to resources.
    * Reader
  * A **role assignment** is a combination of an //identity, role (permissions), and scope//. These can be thought of as the who, the what and the where, respectively.
  * A role has control plane actions (referred to simply as //actions//) and //Data Actions//, which are actions at the data plane layer (for example, reading the blobs inside a storage account rather than managing the storage account resource itself).
    * The //Activity Log// shows only control plane logs.
  * //Microsoft Entra Domain Services// provides traditional AD functionality (as a service) in Azure, but there are no domain controllers to manage and maintain.
    * Supports LDAP, NTLM and Kerberos protocols.

===== Entra ID/Administrative Roles =====

  * <color :#fff200>Privileged roles</color> and permissions can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data.
  * Examples of Entra ID roles:
    * Global Admin
      * When you create a new Microsoft Entra tenant, you are automatically assigned the Global Administrator role.
    * Application Admin
    * Application Developer
    * Billing Admin

===== Azure Roles =====

  * Owner vs. Contributor
    * **Owner** grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
    * **Contributor** grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
  * <color :#fff200>Azure roles are //additive//: when multiple roles are assigned to a user, the user gets the sum of all permissions granted by all roles.</color>

==== Role Assignments ====

  * An <color :#fff200>Azure role assignment condition</color> is an optional check that you can add to a role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag before it can be read.
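The following is an added example, not something from the original notes or from Microsoft. It is a small Python model of how Azure RBAC reaches a decision, tying together the points above: a role assignment is identity + role + scope; an assignment made on a management group is inherited by the subscriptions and resources beneath it; roles are additive; control plane //Actions// and data plane //DataActions// are evaluated separately (so //Owner// on a storage account does not read blobs); and an assignment condition (modelled here as a required tag) can further restrict one assignment. The role names are real built-ins, but their permission lists are abbreviated, and the tenant layout, subscription id, resource path and principals are all constructed.

```python
"""Toy model of Azure RBAC decision making (added example, not Microsoft's code).

Role definitions are abbreviated built-ins; the management-group tree, subscription,
resource path and principals below are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/"

# Constructed tenant: root MG -> 'corp' MG -> subscription 'sub-dev'. None marks the root.
PARENTS = {
    MG + "tenant-root": None,
    MG + "corp": MG + "tenant-root",
    "/subscriptions/sub-dev": MG + "corp",
}


@dataclass(frozen=True)
class RoleDefinition:
    actions: frozenset                        # control plane, Azure wildcard syntax
    not_actions: frozenset = frozenset()      # subtracted within this role only
    data_actions: frozenset = frozenset()     # data plane (NotDataActions omitted here)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str                            # who
    role: str                                 # what
    scope: str                                # where
    required_tag: tuple = None                # simplified condition: (key, value) the resource must carry


# Real built-in role names with shortened permission lists
ROLES = {
    "Owner": RoleDefinition(frozenset({"*"})),
    "Contributor": RoleDefinition(frozenset({"*"}), not_actions=frozenset({
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"})),
    "Reader": RoleDefinition(frozenset({"*/read"})),
    "User Access Administrator": RoleDefinition(
        frozenset({"*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"})),
    "Storage Blob Data Reader": RoleDefinition(
        frozenset({"Microsoft.Storage/storageAccounts/blobServices/containers/read"}),
        data_actions=frozenset({"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"})),
}


def ancestors(scope: str) -> list:
    """Return the scope plus every scope above it, ending at the tenant root '/'."""
    if scope == "/":
        return ["/"]
    chain = [scope]
    parts = scope.strip("/").split("/")
    if parts[0] == "subscriptions":           # walk up the ARM path first
        sub = "/subscriptions/" + parts[1]
        if len(parts) >= 4 and parts[2] == "resourceGroups":
            rg = sub + "/resourceGroups/" + parts[3]
            if rg != scope:
                chain.append(rg)
        if sub != scope:
            chain.append(sub)
        node = sub
    else:
        node = scope
    while PARENTS.get(node) is not None:      # then climb the management-group tree
        node = PARENTS[node]
        chain.append(node)
    chain.append("/")
    return chain


def management_group_depth(mg_scope: str) -> int:
    """Levels below the root management group (root itself is 0); Azure allows up to six."""
    depth, node = 0, mg_scope
    while PARENTS.get(node) is not None:
        node, depth = PARENTS[node], depth + 1
    return depth


def _matches(patterns, operation: str) -> bool:
    # Azure compares operations case-insensitively and '*' spans path segments
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def is_allowed(principal, operation, resource_scope, assignments, *, data_plane=False, tags=None):
    """Union across applicable assignments of (Actions minus NotActions), evaluated per role."""
    tags = tags or {}
    for a in assignments:
        if a.principal != principal or a.scope not in ancestors(resource_scope):
            continue
        if a.required_tag and tags.get(a.required_tag[0]) != a.required_tag[1]:
            continue                           # condition unmet: this assignment contributes nothing
        role = ROLES[a.role]
        if data_plane:
            if _matches(role.data_actions, operation):
                return True
        elif _matches(role.actions, operation) and not _matches(role.not_actions, operation):
            return True
    return False


# Constructed scenario
STORAGE = "/subscriptions/sub-dev/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", STORAGE),
    RoleAssignment("bob", "Contributor", "/subscriptions/sub-dev"),
    RoleAssignment("bob", "Storage Blob Data Reader", MG + "corp"),      # inherited down to stapp
    RoleAssignment("carol", "Reader", MG + "tenant-root", required_tag=("env", "prod")),
    RoleAssignment("ga", "User Access Administrator", "/"),              # root-scope assignment
]

if __name__ == "__main__":
    print("alice (Owner) reads blob data?", is_allowed("alice", BLOB_READ, STORAGE, ASSIGNMENTS, data_plane=True))
    print("bob (Contributor) assigns roles?", is_allowed("bob", ROLE_WRITE, STORAGE, ASSIGNMENTS))
```

Two things worth noticing when you run it: Alice, despite being //Owner// of the storage account, gets ''False'' for the blob data read because //Owner// has no DataActions; and Bob's //Storage Blob Data Reader// assignment made on the ''corp'' management group reaches the storage account through inheritance and is simply added to what his //Contributor// assignment grants.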
====== Administrative Units ======

  * The default scope for Entra ID roles is global (the entire tenant).
  * //Administrative Units (AU)// can be used to limit the scope of Entra ID roles to a unit that is a subset of the tenant.
    * AUs do not apply to resources; they only apply to tenant entities.
    * Entra ID roles are also referred to as //Administrative roles//, hence the name //Administrative Units//.
  * An [[https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units|administrative unit]] can contain only users, groups, or devices.
  * //AUs// are used to limit the scope of permissions (for Entra ID roles) to only the users, groups or devices they contain.
    * An example usage would be assigning someone the //Password Administrator// role at the //AU// level, so they can reset non-administrative passwords for only the users in the //AU//.
    * [[https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles|Other examples of permissions]] that can be assigned at the //AU// scope.
  * //Nesting// **is not** supported.
  * ☝️ Putting groups in an AU **does not** implicitly give the ability to access and change the attributes of the members of the group. The members must be explicitly added to the AU.

====== Management Groups ======

  * //Management groups// can be used to apply budgets, RBAC roles and policies at a scope above subscriptions.

====== Password Handling ======

  * ❓ Does the Microsoft 365 Business Standard license support password writeback? Answer: it does not. [[https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-licensing|See docs]]

====== Custom Domain Name ======

  * To add a custom domain name to an Entra ID tenant you must create either a //TXT or MX record// for the domain name to verify ownership of the domain.
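An added example for the Administrative Units section above (not from the original notes or from Microsoft): a small Python model of AU scoping. It shows the three rules that matter for the exam and for least-privilege delegation in practice: an Entra role assignment is tenant-wide unless it is scoped to an AU; an AU-scoped //Password Administrator// can act only on users placed directly in the AU, so a user who is merely a member of a group that sits in the AU is out of scope until added explicitly; and an AU cannot be placed inside another AU. The role-to-permission map is deliberately simplified, the "non-administrative users only" check is a simplification of the real rule, and every object id, AU name and principal is constructed.

```python
"""Toy model of Entra ID administrative-unit scoping (added example, not Microsoft's code).

Simplified: a role maps to a small set of permissions, and an AU-scoped assignment
covers only objects placed directly in the AU. All ids and names are constructed.
"""
from dataclasses import dataclass, field

TENANT = "/"   # default (tenant-wide) scope of an Entra role assignment

# Simplified role-to-permission map; only what this example needs
ROLE_PERMISSIONS = {
    "Password Administrator": {"resetPassword"},
    "User Administrator": {"resetPassword", "updateUser"},
}


@dataclass
class Directory:
    objects: dict = field(default_factory=dict)         # id -> "user" | "group" | "device"
    group_members: dict = field(default_factory=dict)   # group id -> member ids (never consulted for AU scope)
    au_members: dict = field(default_factory=dict)      # AU name -> ids placed directly in the AU
    assignments: list = field(default_factory=list)     # (principal, role, scope); scope is TENANT or "au:<name>"

    def add_object(self, obj_id: str, kind: str) -> None:
        self.objects[obj_id] = kind

    def create_au(self, name: str) -> None:
        self.au_members[name] = set()

    def add_to_au(self, au: str, obj_id: str) -> None:
        if obj_id in self.au_members:
            raise ValueError("administrative units cannot be nested")
        if self.objects.get(obj_id) not in ("user", "group", "device"):
            raise ValueError("an AU can contain only users, groups or devices")
        self.au_members[au].add(obj_id)

    def assign(self, principal: str, role: str, scope: str = TENANT) -> None:
        self.assignments.append((principal, role, scope))

    def holds_admin_role(self, obj_id: str) -> bool:
        return any(p == obj_id for p, _, _ in self.assignments)

    def in_scope(self, scope: str, target: str) -> bool:
        if scope == TENANT:
            return True
        au = scope[len("au:"):]
        # Direct membership only: a user whose group is in the AU is NOT in scope
        return target in self.au_members.get(au, set())

    def can(self, principal: str, permission: str, target: str) -> bool:
        # Simplification of the real rule: password resets modelled as non-administrative users only
        if permission == "resetPassword" and self.holds_admin_role(target):
            return False
        for p, role, scope in self.assignments:
            if p == principal and permission in ROLE_PERMISSIONS.get(role, set()) \
                    and self.in_scope(scope, target):
                return True
        return False


def build_demo() -> Directory:
    """Constructed tenant: a 'sales' AU holding one user directly and one group."""
    d = Directory()
    for uid in ("u-sam", "u-tara", "u-helpdesk", "u-gadmin"):
        d.add_object(uid, "user")
    d.add_object("g-sales", "group")
    d.group_members["g-sales"] = {"u-sam", "u-tara"}
    d.create_au("sales")
    d.add_to_au("sales", "u-sam")      # user placed directly in the AU
    d.add_to_au("sales", "g-sales")    # the group object itself, not its members
    d.assign("u-helpdesk", "Password Administrator", "au:sales")
    d.assign("u-gadmin", "User Administrator")          # tenant-wide
    return d


def nesting_is_rejected(d: Directory) -> bool:
    """Show that an AU cannot be placed inside another AU."""
    d.create_au("emea")
    try:
        d.add_to_au("sales", "emea")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    d = build_demo()
    print("helpdesk resets sam (directly in AU)?", d.can("u-helpdesk", "resetPassword", "u-sam"))
    print("helpdesk resets tara (only via group)?", d.can("u-helpdesk", "resetPassword", "u-tara"))
```

Running it prints ''True'' for Sam and ''False'' for Tara; after ''d.add_to_au("sales", "u-tara")'' the second check flips to ''True'', which is the "members must be explicitly added to the AU" point in the notes.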
====== Microsoft Entra Connect ======

  * The //Microsoft Entra Connect synchronization services (Microsoft Entra Connect Sync)// is a main component of Microsoft Entra Connect. It takes care of all the operations related to synchronizing identity data between your on-premises environment and Microsoft Entra ID. Microsoft Entra Connect Sync is the successor of DirSync and Azure AD Sync.
    * [[https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-whatis]]
  * A server in staging mode is not running password sync or password writeback, even if you selected these features during installation.
    * When you disable staging mode, the server starts exporting, enables password sync, and enables password writeback.
    * [[https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-staging-server#staging-mode]]

====== User Profile Attributes ======

  * User profile attributes are built-in attributes, like company display name and job title, and custom attributes that can be assigned to users and groups (security groups/M365 groups).

<callout type="warning">
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
</callout>

  * **Attribute Assignment Administrator role** - Users with this role can assign and remove custom security attribute keys and values for supported Microsoft Entra objects such as users, service principals, and devices.

----

Attributes can be assigned to the following entities:

  * Users: attributes like name, email, job title, department, location, etc.
  * Groups: attributes like description, membership rules, expiration policies.
  * Applications: attributes like display name, description, sign-in URL, etc.
  * Devices: attributes like device type, operating system, serial number, etc.
  * Service Principals: attributes like display name, description, application ID, etc.
====== Licensing ======

  * Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the usage location for all members. You can set this value in Microsoft Entra by going to Identity > Users > All users > select a user > Properties.
  * When you assign licenses to a group or you make bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.

====== Global Admin Elevated Access ======

  * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]
  * As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory.
  * There is a setting on the Entra ID tenant/directory that allows a Global Admin to <color :#fff200>"manage access to all Azure subscriptions and management groups in this tenant."</color> This allows the user to assign themselves and others roles to access resources.
    * This setting gives the user the User Access Administrator role at the root scope, which is inherited by all management groups and subscriptions.
    * Although it is a per-user setting, it is enabled from the tenant blade, not the user properties blade.
    * Also, it results in an Azure role being assigned to the user, not an Entra ID/Administrative role. <color :#fff200>So, it might seem a little counterintuitive for the role to get assigned from the tenant blade, but this is a special case of bootstrapping the ability to assign RBAC roles.</color>

====== Multi-factor Authentication (MFA) ======

  * Conditional Access based MFA is also called per-authentication MFA, in contrast to per-user MFA.

====== Conditional Access ======

  * [[https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview]]

azure/az-104_2024/identity_and_access_management.txt · Last modified: 2025/11/29 17:48 by mmuze