SC-300 Microsoft Identity and Access Administrator Study Cram

Hey everyone, welcome to this SC-300 study cram, the Microsoft Identity and Access Administrator exam. When you pass it you're going to get the Identity and Access Administrator Associate. As always, if this video is useful please like and subscribe, and you can hit the bell icon to get notified of new content.

Now obviously the huge focus for this exam is all about Azure Active Directory, and if you think about Zero Trust and the move where identity really is the front door and that first perimeter, it's so important to have a good grasp all around Azure AD and how we use it as part of our organization.

Now the first resource I'm going to urge you to leverage is actually the Microsoft page. So if we jump over and go and look at the site, you want to go and look at the exam SC-300 page. It says, hey, you need to get 700 or above for the score, and tells you how you can schedule the exam. Go and look at the skills measured, so go and download that exam skills outline, where it will go through all of the specific skills, and what you want to be able to do is tick off against each of those to say, yep, I understand that, I've tried that out. And you want to get hands-on; you want to actually be able to say, hey, yeah, I've done this, I've set this up, and I feel confident in all these various things. And sometimes it will show you, hey, it changed, this is the bit that changed, so if maybe you did some studying before, I can go and check that and see what's different since maybe when I last looked at the documentation. And then go through the free training; it's really good. So go through all the different learning paths, try the stuff out, and it's going to put you in a fantastic position to go ahead and take and pass the exam.

So my goal for this video: obviously it's a cram, I'm not going to cover every single thing you need to know. I want to try and hit all of the key points, at least from a theoretical level, so maybe it helps some things fit together, maybe it's a little bit of revision just prior to taking
the exam, to help you out. So let's get going.

So if I think about Azure AD, well, Azure AD is an identity provider; it's something we run in the cloud. So I can think about, I have my Azure AD, and that's an important point: I as an organization will have my specific tenant, so I can think about a tenant as a particular instance of Azure Active Directory. Now by default when you get that tenant it's gonna have a name; it's gonna be something.onmicrosoft.com. But you can then go and add your own custom names to that, so providing you own that public DNS domain I can go and add that to my Azure Active Directory. I have to verify I own it: I have to go and create a record in DNS to prove, hey, I actually have responsibility for that zone, and then I can use that name instead of the onmicrosoft.com one.

If we were to quickly jump over and take a look at this, we can see that I'm actually using the Azure AD portal. I don't have to do this; all I'm simply doing is going to aad.portal.azure.com, but I can still get to all of these various aspects through the regular portal, I can go to Azure Active Directory. It's just that the Azure AD portal kind of brings the things together that I want to be able to show, so it's just a little bit more convenient. So if I go and look at my Azure AD instance, and you may have access to multiple ones, you could select the little drop-down and you can see maybe all the different directories that you might want to switch to that you leverage, but right now I'm focused on saviletech.net. And if I look at my Azure Active Directory we can see we actually have custom domain names down here. So for your organization, if you're getting started, what you're going to see is that default .onmicrosoft.com name, the one with Savile Tech Lab, but I went ahead and added saviletech.net to it, and you can see it's verified, so I created those DNS records that were required to prove I actually owned that. Now once you've actually added a custom domain, you've made that DNS change, you can delete
it, so you don't have to leave that record kind of in place that proved you owned it. You may want to delete one of these; you can delete a custom name, but to delete it you have to be not using it anymore as part of your Azure AD: it can't be used as part of a username, an email, a proxy, a group email, a group proxy, an app ID URI. So you'd have to make sure you've gone through and removed all of those things, but if you've done that then, sure, you could go ahead and remove a custom name. There is a force delete option via the Azure AD admin center or the Microsoft Graph, and that will try and change any references it finds to the onmicrosoft.com version, but it only works for up to a thousand objects and it can't update multi-tenant apps, so there are limitations with that.

Now I get a number of properties as part of my Azure Active Directory. I can do things like branding: I have the ability to have special logos, some special text as part of my Azure AD instance. So once again if we jump over, I can go to, well, firstly, on the overview of your Azure Active Directory you can see the primary domain, what my license level is, so what is the highest license I have present in my Azure AD. Users get licensed individually, or maybe I assign it by a group, but based on the highest license that exists, that's the functionality level of my Azure Active Directory, so I can see that right there. And then there are various properties I have as well within my Azure AD: I have a name, I have notification languages, I have a technical contact, global privacy contact, privacy statement, access management for Azure resources. So you'll notice down here I can set this box to yes, and what this does is, if I'm using Azure, and obviously I have Azure subscriptions, well, all those subscriptions trust a certain Azure AD instance, and what happens here is if I set that box... And I can kind of think about that the whole point of Azure AD is, what I'm actually going to do is have all different types of cloud
applications that are going to trust a particular Azure AD tenant, so there's this whole idea of trusting here. And once again these could be SaaS applications, third-party SaaS; it could be things like Azure; it might be something that is yours, so it's an application you are creating against Azure AD; it could even be something on premises that you're making available via Azure AD. But if I set that box, what it's going to actually do is give me this special role on all of the subscriptions, so I can change access control on any subscription that trusts my Azure AD tenant. So that's what that option is doing right there, that action, access management for Azure resources.

Then you'll see this option for manage security defaults. I'm going to come back to that later on, but this is where, hey, I don't have Azure AD P1 or P2, so I can't use the regular conditional access, I don't have the usual MFA rights, so what this lets me do is, if I turn this on, it sets a certain number of key policies. It makes users register for MFA; for privileged actions like portal or PowerShell or CLI it's going to make me MFA; it's going to block legacy authentication; and, hey, it's just going to give me some base level protection. Now I am going to use the Authenticator app for that user MFA; I don't get the regular SMS and phone type options.

Then also you have company branding. I can set, based on different languages, background images, my logo, icons for certain types of things, sign-in page text with this limited markup format. You can see I can do bold, italics, underlines; there's some special characters I can use to make my little logon screen a little bit more personal. So I have those options available to me.

Now when I think about, well, okay, I have this Azure AD thing, what am I actually doing with it? Obviously a big primary part is user authentication and authorization. Remember, authentication is proving I am who I say I am; authorization is then what can I do. So authentication might involve things like MFA for a strong
authentication, or might be passwordless; authorization is roles given to me that control what I can do on a certain scope. Now when I think about users, I can absolutely have the idea of just a cloud account, so if it's cloud I'm creating it directly in Azure Active Directory. But more commonly what you're typically actually going to have is, I've probably got an Active Directory already, so I want to take my existing users from on-premises and make them usable in my Azure AD. So here I can think about, well, I've got my regular Active Directory, and in that there's users, and I want to be able to use them in Azure AD. Now what we're going to leverage is this thing called Azure AD Connect. Now there is also an Azure AD Connect cloud sync, and what happens there is instead of me running the engine in my infrastructure it actually runs in the cloud, so that engine that's doing the synchronization runs in the cloud and I have lots of lightweight agents on premises to facilitate the communication to my domain controllers. So there is another option to this.

But the way Azure AD Connect works is it has connector spaces. So I can think about a connector space to import and export to my on-premises Active Directory, so there's an import and an export; it's mainly import from the AD. And then I also have a connector space between my Azure AD and my Azure AD Connect, and once again this is doing import and export, and once again most of the flow is this way: I'm exporting from AD and I'm importing into Azure AD. There's a very limited amount, maybe device writeback, some things that flow the other way. And then these things synchronize into the metaverse, so I've got this sync going on here, and the net result of what this does is, hey, my user objects can also now appear in here, so these will show as synced objects. Now with Azure AD Connect there's only one active; I can optionally have a standby, so if something went wrong with the active, hey, I can trigger that standby, or again I can use the Azure AD Connect
cloud sync.

Now how is there a relationship between the user in Azure AD and the user in AD? It's that the Azure AD object references the AD object. So in my Azure AD I have the idea of a source anchor (you might hear it called an immutable ID as well), and what this points to normally, and this is how changing something works, is an mS-DS-ConsistencyGuid, which is actually based on the objectGUID when I first set up the synchronization. And the reason for this special attribute was, hey, what if I move users between domains? Well, the objectGUID has part of the domain that's part of it, so it might change, whereas this will never change, so if I move a user between domains I'm still going to point to the same one. And we can actually see this. So if I jump over to my Azure AD Connect instance for a second and I load up Synchronization Service Manager, we can see the various connectors we have. So here we can see, well, sure enough, there's a connector from Azure AD and there is one from AD, and where these all meet is in the metaverse. And I can search the metaverse and I can see the connectors, so the two objects, my user on premises and my user object in Azure AD, so they're the two objects that are joined together by the rule. And I can see the attributes, and we can see that cloud anchor attribute, and then we can actually see, hey, the cloud source anchor as it's showing me here, and that's going to match on this object for the user. And so what we see is, if we look at the connectors again, if I look at my Azure AD object we see cloud anchor and then we can actually see the source anchor value, so that's the important value to think about. So I have that source anchor attribute in Azure AD, and it says "EEOSH" blah blah blah, and what that is gonna map on, if we go and look here, is this mS-DS-ConsistencyGuid. Now this looks a little bit different; it's like, wait, that's "13 F1 0E", that's not the same value. It's just using a different encoding. So if I actually, and I've pre-got this ready in PowerShell, what
I'm doing here is, well, hey, if I put in that immutable ID that we saw in the source anchor and then I convert the encoding, well, sure enough it matches "13 F1"; that's the value we saw in that mS-DS-ConsistencyGuid. This is just a really long way of saying that it's the Azure AD object that points to the AD object; but, yeah, AD really has no concept of the Azure AD object, it doesn't really care about it, it's just there that way. Now I can actually have multiple Azure AD Connects going to the same AD. There's even now architectures where I can have the same object going to different Azure ADs, so I could have, like, commercial, I could have one in US Government, but I can only really have regular device writeback from one of them; self-service password reset is going to focus on one of those things. Now that's the idea, and I should actually show you this. If we go and look at the Azure AD portal for a second we can see this. So I can go and look at, hey, my users, and it will show us, is it directory synced or not. And I can see lots of them are "No", so these are all cloud accounts, but then some of them say "Yes", so these were synchronized from Active Directory. And if it's synchronized from Active Directory, Active Directory is always the source of truth; often I won't be able to change many of the attributes because AD is controlling the object. If it's a cloud account I'll be able to go and change lots of different things about it; if it's synced from Active Directory most of the changes have to come from AD. There's a very limited amount of change I can actually make in Azure AD.

Now if I already had objects in my Azure AD and I start doing this synchronization, there are different types of matches that we can have. So when I have this match based on source anchor to this mS-DS-ConsistencyGuid, this is what we call a hard match; we have a huge certainty it's definitely the same object. If we do not find this match available, we don't have that hard match, then it would try and match on things like the
proxy address, the user principal name attributes in Azure AD, and that would be a soft match. That helps me get a relationship for objects that may already be there if I'm now starting the synchronization.

Now another thing we can synchronize: if we think about that object on premises, well, their password is a hash, so they have this password hash. One of the things we can turn on is a password hash sync. It does not send the original hash; it's a hash of the hash, with a per-user salt and a thousand SHA iterations, so I can't reverse it. But then what that gives us is, in Azure AD this object has this hash of the hash available as well, so that gives us some different capabilities in how I might actually do my authentication, so that opens up some different things. It is recommended to always turn on that password hash sync, even if I'm not using that password hash for my cloud authentication. I can think about, well, if Azure AD knows those hashes, when it goes and trawls the dark web and looks for leaked credentials, hey, if I find a match on the password it can alert me to that; it can help stop a breach replay attack. But the general advisement is use cloud authentication, use that password hash. The only scenario where I'm truly using that global scale for authentication is the password hash authentication; any other method, when relying on something on premises, limits the scale options for that.

So let's run through those authentication options. So I can think about, hey, I'm a user, and then I want to authenticate against Azure Active Directory. So I want to sync against my Azure AD; I have my user object, and ideally I have that password hash of the hash replicated from there. The ideal authentication is cloud authentication, cloud auth, so I'm authenticating directly against Azure AD. There's no other components installed. And one of the nice things to do, if I'm using one of the other options I'm going to talk about, if we still have this password hash sync turned on, is that if there's a problem with one of the others I
can fail over to use that cloud authentication with the password hash as a break glass: hey, things are broken, I want my users to still authenticate, I can then switch over to that. So it's still a really powerful thing to turn on, and again it gives us those various Identity Protection benefits, and there's some other types of password protection and lockout it gives us. So that's option one, and this is the preferred; I just do that direct cloud authentication.

Option two is, well, I'm still actually authenticating against Azure AD, but we call it this pass-through authentication. And what's happening with pass-through authentication, I can think about when I have my on-premises AD still, so I've got my AD bit there, and what we install are some fairly lightweight agents. And when I authenticate to Azure AD and I send it my username, my password, there's basically an auth queue: hey, I need these things to be authenticated and checked. So these agents connect outbound 443, go and look at, hey, this is queued up to be authenticated; they will then talk to the on-premises Active Directory, and if it passes they give a yes/no, hey, I'm authenticated, and I get my tokens back from Azure AD. So this is pass-through authentication. I might use this if there were some circumstances where maybe Azure AD didn't meet my requirements: maybe there's some very specific logon hours; in the past there were things like certificate-based authentication, potentially, but that's actually really not a good option as there's native ways to do that; maybe some lockout scenarios. But this generally I'm not going to use; most of the time I'm going to use the cloud authentication.

The other option, and actually this is where the certificate-based authentication really came in, is federation. So with federation, and this is a huge thing in the cloud, I have some federation service. So I can think about, hey, I'm running a federation service. This could be AD FS, which is the native Active Directory version; there are third parties as well.
And now what happens when I try and authenticate with federation: I try and go to AAD, but it's going to redirect me to my federation service. My federation service will then authenticate me, so it's actually my username and password that goes here. Potentially I may have tokens already, so I may not actually get prompted for this; it may give me a single sign-on experience. But this is what's actually doing the check. It will go and talk to my Active Directory, check whatever tokens I need; it will then generate a SAML token, and it's that that passes to me, which I then present to Azure AD. And then Azure AD, there's relationships, I've got that federation, it will then issue me Azure AD access and refresh tokens. There's a huge amount of complexity to the federation. I draw it as a box; there's front ends, then there's the back-end services, I'm exposing the services out to the internet, and it's not really buying me anything. This is just the authentication; the authorization, as we will see, is still happening really against Azure AD with things like conditional access. So there's a huge amount of work for this and it's not really buying me a whole set of services. Now this in the past was one of the only ways to get certificate-based authentication, but that is actually now coming to Azure AD as well. If I did want to use this, Azure AD Connect can actually help me set up AD FS to facilitate that complete component, so there are actually ways I can have that.

But if I was to think about my orders of preference: cloud authentication using the password hash sync, that's the preferred approach. Hey, I've got something that maybe I wanted to go against my domain controllers, maybe those logon hours or maybe certain lockout scenarios, I can use pass-through authentication. Hey, I want to use federation, certificate-based authentication, in the past, sure, I would do that. So those are the things that I could think about, how the actual authentication can happen with Azure AD.

Now if I think about that, there's a
number of key components. Maybe there's federation services, but certainly in terms of the health of my Azure Active Directory, there's the Azure AD, there's my on-premises Active Directory Domain Services, domain controllers, so there's actually DCs hosting this; then there's the Azure AD Connect itself. So if I want to make sure things are healthy, all of these things are important, and federation if I'm using it. So what we have is Azure AD Connect Health. So if we jump over, what we have here is Azure AD Connect Health, and this is looking at all of those different components. I can see, for example, it understands my Active Directory Domain Services environment. If I was to go and look at it, it knows about my domain, my domain controllers, my sites; it's showing me if there's any problems; it shows me information about LDAP, for example, NTLM authentication, Kerberos authentication. And it's doing this because I actually have Azure AD Connect Health agents running on my domain controllers. Additionally it understands the health of Azure AD Connect because it has an agent built in there as well, so it knows the health of my replication, and optionally, you can see, it can do AD FS as well. There's various settings: hey, auto-update the agents; allow Microsoft to access my tenant data if I want, for troubleshooting purposes. The whole point here is this Azure AD Connect Health is monitoring all of the things that matter when I think about the health of my Azure Active Directory. It's not just Azure AD; for it to be healthy, the replication has to be working, AD has to be working, and if I'm using federation and it's AD FS, AD FS has to be working. So Azure AD Connect Health gives me all of those things. All of those things are outbound 443 to Azure; I'm not opening up ports for Azure AD to talk to the service. They establish the outbound connection. That's really common with nearly everything you'll ever see: they all establish outbound 443 to the cloud service, and through that they actually get that communication. There is role-based access
control as well: you can have different things, there's owner, who can change everything; there's contributor, who can't change permissions; and then there's readers. So that's thinking about, okay, great, so I'm healthy.

And we talked about those users for a second, so what can I do with all those users? So if we jumped over and had a quick look, I have my users, and once again what I can do is going to vary. If I look at a cloud account, you can see if I do edit I can basically change everything; I have full access to all of the different fields because it's a cloud account. If I was to look at a synchronized account and I do the same edit, most of the things are grayed out. The only thing I could really change is things like the usage location, because that impacts some of the licensing, but this really goes to show the AD is the source of truth in most of these things. But what I can do is, well, I can assign roles, so I could go and add assignments; I can add them to various groups; I can assign licenses; and I can also assign licenses by giving a license to a group, which is then inherited, which you can see happening right here: there's a license assigned to a group which I'm part of, so I inherit that license. I can delete users, so if I deleted a user it goes into a tombstone state, so there is the option to undelete users for up to 30 days; it goes into that tombstone for 30 days and then I could restore that user, so I do have that ability.

So we have synchronized users, we have cloud users, and then you'll also see this guest type. So we have guest users, and when we look at these guests we can see the identity issuer. So some of these are saying mail, so it's going to get emailed a one-time passcode; some of them are another Azure AD; some of them are Facebook; I've got other ones that's a Microsoft account; I've got some that are Gmail, so I've got google.com; somebody using phone-based authentication, so they get texted a code. It shows all these different types of things. Oh, actually, phone
is member, not guest, sorry. So for all these different types of external identities I can make available to my Azure AD, so these are typically, we call them guest accounts, but technically, once they've been added, I could even make them a member, so things treat them slightly differently. But I can think here I can also have an external identity, which by default will be a guest, and these can come from lots of different places. So I can think about another Azure AD, a Microsoft account, it could be Gmail, it could be Facebook, and I have control of this for my tenant; I could use something like SAML or WS-Fed; I can do that one-time passcode, where they'll get emailed a passcode and have to type that in to authenticate. So all of these are B2B, business-to-business, external collaboration, and the key point is the authentication happens in the home realm. So wherever that account lives, that's where it's authenticated. The slight exception you might say is the one-time passcode, because they get emailed a passcode, but even then they have to get to their mailbox, so they still have to be able to authenticate to their mailbox to be able to get access to that one-time passcode. So you can still argue in a way the authentication is still happening at that home realm.

So we have those different types of guest accounts. I can invite people individually and then people redeem that invite, so I can do a single invite. The other option is you can do bulk. So if we go over here once again, notice I can say I want to do a new guest user and I can invite the user. I really put in the email address, the thing we care about, add a message, I can give them groups and roles at this point, I can set that usage location because again that's important for a lot of the licensing things. So that would be, hey, I can add a single person, then they would redeem that invite. Or I can think about bulk operations: I could do a bulk invite, and what this will do is give me a CSV template that I would
download and edit and then upload, and it can then do it en masse. I could use a PowerShell script; there's lots of other things I could do. Now the one thing I did want to stress is, I talked about, well, I don't have to leave them as guests. You'll see this correlation: nearly all of these external things are guests; however, this one is not. This one is a member, and that is an external Azure AD. So I can take what is a guest and make them a member if I want. This could be in the scenario, for example, that maybe it's all about the relationship; maybe there's been a merger of companies and I don't want policies that maybe I'm targeting at guest accounts to apply to them, so I can change it and actually now make that person a member even though the identity is external. So don't think, hey, externals are always guests. They are by default, but I can change it to a member if I wanted to.

Now I can perform operations on users: give them roles, give them licenses, assign them applications; we're going to talk about all that stuff. But it's kind of untidy to do that. The thing we would rather do is, well, hey, let's actually go ahead and, I want to create a group. So I can think about creating groups and then adding in all of these different types of users. They could be a cloud account, it could be external, it could be synced; all of these can be added in. So all of these different types of objects could be added into the group; I can mix them, there's no issue with that, they can all be put in the group. And then to the group I can grant licenses, certain roles if it's a special type of group in Azure AD, grant them applications, etc., etc.

Now there are two types of groups, and it depends on what I'm trying to do. If we jump over and look at our groups, we'll see there's the idea that I can have, if I go and create a new group, is it security or Microsoft 365?
So security is, hey, I want to be able to actually grant this permissions to certain types of object; Microsoft 365 is more about collaboration scenarios. And then I can think about, well, what is the membership? Assigned is I'm manually adding the objects into the group; dynamic, both user and device, is I'm going to create a query, and then based on that query it would populate the group membership. So based on some attribute of the user or device they'll automatically get added to and removed from the group, which is really powerful. For example, if I was to look, and you can see the membership type in the right-hand column, I have a dynamic, well, I've got a dynamic here for iOS devices, for example, and what I'm doing is my dynamic membership rule is looking for type device, OS type is an iPad or an iPhone, and then it adds in those devices, so there's my super iPad. But likewise I could do it for users as well, so I've got another one here for Justice League which has members, and that membership rule is just simply matching on the job title starts with "hero", because then I've got a wildcard, so "heroine" would apply as well. And that's a really powerful thing to use, because if I think about it, often people get added to groups and they're never removed from the groups; that's not a great thing. So what we want to be able to do ideally is, with these dynamic rules, hey, some attribute of the user changes, they get added to the group; they take a new role and that attribute changes again, they get removed from the group. So I have this much nicer set of lifecycle things happening for me.

The next thing we think about is roles. So roles are huge; roles are about what a person can do. Now in Azure AD typically roles are given to users and not groups. There is a way: so if I go and look actually back at that group creation, if I do a new group you'll see now this option for "Azure AD roles can be assigned to the group". So I have to set this to yes, and if I set this to yes it's going to do a
couple of things. Firstly, it has to be assigned; I cannot do dynamic anymore, so it's only assigned. But then this group will show up to be granted Azure AD roles. So it has to be this special type; it sets a flag on the group, I think it is "assignable to role", and then, yes, it can be given Azure AD roles. But without this being set I cannot grant a group an Azure AD role. I could grant it an Azure role, and that's the common way we do it, so in Azure Resource Manager absolutely I can grant groups all the different Azure roles. But for Azure AD roles generally we give those to people, unless we create that special type of group that says, okay, yep, I'm only going to be assigned, I'm not dynamically generating membership, and then, yes, I can grant roles to that and the users in that group would get that role.

Now there are huge numbers of roles. And so I can really think about, typically when I think of roles, I'm setting that role at the tenant level. So I add some role to a user; it's tenant-wide. There's not really this concept of organizational units that we have in regular Active Directory. Hey, I get a role, I'm setting it for everything. And there are a huge number of roles, so if we go and look at my Azure AD tenant, and I can see roles and administrators, you'll see this huge number. So it's not just Azure AD; it's for some cloud services that trust Azure AD. There are things like Microsoft 365, Dynamics 365 roles in here as well. There is the option to create a custom role. Custom role is very limited today: what we'll see is, in the permissions, the only permissions you can do are about app registrations and enterprise apps, so it's not all of the different types of action available; it's only those around app management, essentially. That's probably going to expand in the future, but today if I create a custom role I can only select permissions around app registration and the management of enterprise applications.

Now these Azure AD roles, remember, are completely different from Azure Resource Manager roles;
they don't really relate; they're completely separate. But remember I did show you there's that one exception: in my properties, if I set this access management for Azure resources, and I had that turned on, what you'll notice, if I just go and look at regular Azure, if I go and look at my subscription, because it trusts that Azure AD tenant, if I look at my role assignments you'll see down the bottom I have User Access Administrator, and you can see that was inherited from root. So when I turn that on it gives me this User Access Administrator role, and that role basically lets me set permissions on everything, so I can change the assignment of permissions on all of the different objects in any Azure subscription that trusts that particular Azure AD tenant.

But going back to the regular roles, so if I go back over here and look at my roles and administrators, there are some very powerful roles. Obviously things like Global Administrator: the initial person that sets up the tenant becomes a Global Administrator; it should be limited; they can grant all roles, reset any password. There are things like User Administrator: they can create, manage, reset passwords for users; they can reset helpdesk admins; they cannot reset global admins, though, so they couldn't, hey, I'm going to go and reset a global admin password so I can go and become a global admin; it will not let you do that. And there's, I mean, lots of others. I would take some time to go through these; the descriptions are good, it helps me understand exactly what they can do, and then it actually shows me the specific permissions as well on what I can actually have. And from one of these I could select, if I want to add an assignment, from the role itself. Remember, I could also, from the user, from within here, do assigned roles and add an assignment as well.

Now there is a best practice about using Privileged Identity Management, which we're going to talk about. So Privileged Identity Management is the idea that I don't have a role all the time; I'm
eligible for a certain role, and when I need to use it I'm going to elevate up. I'll get that set of permissions for a certain time window; maybe I have to MFA, maybe I have to give a description, a service ticket, and I get it just in time for when I need to do that thing. I don't sit there with it all the time; I elevate up. And we will talk about PIM later on in this cram. There are some other nice things I can do in here. So when I actually think about my various roles that are available, so we'll go back over here, my roles and administrators, so you can see all the different roles here, but also as part of my Azure AD I have that usage and insights. So this is nice, that I can get some idea of what's happening in my environment, so I could actually go and say hey, applications being used, what authentication methods are being used, just to give me some nice ideas about general things happening in my environment. So this is very useful. And if I was using PIM, if I go to Privileged Identity Management, it has that same concept, so in Privileged Identity Management if I was to look, for example, at Azure AD roles, I get things like discovery and insights. So this helps me get an idea of, well, who is a global administrator; hey, I have three permanent global administrators; hey, who has high privilege roles. So it's starting to give me some insights. This discovery and insights, yes, we have it for general Azure AD, but you'll also see this show up in certain specific sets of functionality, so that is there as well. But those roles, when I'm giving them, remember, it applies to the entire tenant. What about if I don't want to do that? What about if I do want to say hey, I want you to have a role, but over a subset? It could be the scenario where, well, actually there's some location and I would like the local administrative person there to be able to manage accounts for just people in that office. There's not the hierarchical organizational unit structure we have in Active Directory, but what we do have is the idea of
administrative units. And what I can do in administrative units is I can add users and I can add groups. Now, a really important thing here: what's going to happen is yes, I can add users, I can add groups, and remember groups have users in them, but the users in the group do not fall under the permission of a scope given at administrative unit level. Because yes, I can also be given a role at an administrative unit level, but I only get permission for that role for the users directly added. If there were users in the group, and the group is added to the administrative unit, I get the role for the group object, not for the users that are in the group, because the danger there would be, hey, I could add users into the group to give myself permission to manage the users and maybe then use it to elevate permissions. So if I want someone to have a certain role over users, I have to explicitly add the users into that administrative unit, even if they're in a group that's been added. So it's a really important thing to understand: adding a group does not give me the role for the people in the group; they have to be added directly. So if I jump over here and if we have a quick look, so if we look in our Azure AD, I have administrative units. You can see I've got Justice League, so I've added users into this administrative unit, I've also added groups. The key point: if that Hero group had users in it, like Thor, I do not have the permission over Thor. That's the key point in here. So even though Hero group is here, unless I added Thor directly as a user, I do not have permission. And the permissions are, or there are certain roles that we can apply, so I could give someone, for example, help desk admin (I don't know what that error is), but I could give someone help desk admin with the scope set to the administrative unit, and that's the key point. So it is possible to give people access to, hey, I can manage just certain things but not everything else. So I'm delegating certain roles to only the objects directly put into this administrative unit, and a user could be part of multiple administrative units, so I could also look at Avengers, so there's Thor, so if I was given a role over there then yes, I'd have that kind of permission. I don't know what this is doing, just erroring today; it's tired, it's 6:30 in the morning on Sunday, so everything's still waking up, I think. But we can see there are the roles I can give at administrative unit level, and there are sorts of things I might want to do for some local set of users, and that's really the key point around that. When I also think about user roles, and we're going to talk about apps a little bit later on, but when I think of those roles for my Azure AD, there are two roles particularly around app management. So there is the Application Administrator, and this can give the ability to manage all applications in the directory, including registrations, single sign-on settings, group assignments, licensing, Application Proxy (which lets me make on-premises applications available via Azure AD). It doesn't give me the ability to manage Conditional Access. And then there is a Cloud Application Administrator, which is basically exactly the same except it does not give me the ability to manage App Proxy, so I can only manage the cloud applications. So that's the big difference between those things at an application level. So look at my enterprise apps: there are obviously roles within each application as well. Now when it comes to registering applications, I can control that, so if I look at user settings I can say hey, look, users can register applications. So that's not a role, that's a permission I'm setting at the tenant. So I'm saying hey, a user can basically, right, they can create an application against my Azure AD; I'm creating some in-house application that I want available, so I'm building that against my particular Azure Active Directory. If I think about enterprise applications, or if I go to my enterprise applications under here as well, I have user settings, and these are about
well, can users add gallery apps to their sets of applications? Can I, as a user, request an admin to consent to some app? I cannot consent for myself; maybe I don't have the permission, the delegated permission it's asking for is too broad in terms of tenant scope, so I as a user can't consent to that. So hey, let users basically request up and say hey admin, please go and consent to this app for me. So that's an available option that we can actually do. So this is all really about the idea of those roles and the different things I can do at the role level. So a huge number of roles; the key point is they're mostly tenant-wide. If I need to give it to a subset, then I can create an administrative unit, add users; adding groups, I have to explicitly add in the users. Now this is all thinking about user objects, which is great, but we also think a lot today about the idea of a device. I can think about, well, we have all these different types of device today. Now when I think about a device, it could be a PC, it could be a mobile device like a tablet or a phone, it could be an IoT device; there's a huge scope of different types of device we have, and there's many times I want to think about the device as a known entity to Azure Active Directory, because there are things we might want to check, there are things we might want to manage. Now there are different types of ownership of devices. Now I could think about a personal device. So if it's a personal device, one of the things we can do is I can register, so we can do Azure AD registration. This is probably going to be if it's a personal device, and what that does is it creates an object for that in my Azure Active Directory. It makes it a known entity, and one of the big things I can then do is I can add things like mobile device management, MDM, that can then say hey, it's your device, but if you want to access these corporate resources we want to make sure you have a passcode, we want to make sure you're not jailbroken, you're updating things. I can check maybe your compliance, I can check you're healthy. So the things I can do, so for Azure AD registered I could think about hey, bring your own devices: your mobile devices, your Windows 10, your Windows 11, iOS, Android, macOS. If it's registered, I'm still signing in with a personal account, with a local account; I can't sign in as an Azure AD account. It's registered. It does give me things like single sign-on to resources, it does work with the mobile device management. It sets a minimum bar most of the time for how I think about personal devices interacting with corporate resources, but again my authentication is personal, local. The next option I can do is to actually Azure AD join. So an AAD join, this is going to be more if it's a corporate device, corporate owned, and once again with that as well I can still do MDM. Azure AD isn't really doing policy; Active Directory has Group Policy, I can do a whole bunch of stuff, deploy stuff, check stuff and enforce stuff. I don't really do that with Azure AD on a device level; I need a device management solution to do that. Intune is very common for a cloud-based mobile device management. It says mobile, MDM, but it's also, hey, Windows 10, Windows 11, applies to that as well. So now I'm thinking corporate owned: Windows 10, 11 Pro, not Home, so Pro and above; Windows Server 2019 and above if I'm using the Azure AD login extension, so it has to be running in Azure, and then there's an extension, and then it actually joins Windows Server to Azure AD. Now I've got a whole video, if you go and search my channel, I have a video on the Azure AD join for Windows, and I talk about how that's actually working. Now when I do this, I now auth with my Azure AD account. It then opens me up, so yes, I still get, for both of these, I get single sign-on, yes, for both of those, but now I could use things like Windows Hello for Business, a passwordless type of solution. Another cool thing it actually does is if I had line of sight to an Active Directory domain controller, I actually get authentication to
AD resources as well. It does a cool thing where it goes and checks; it knows about the objects via Azure AD Connect, and I also get Kerberos tokens if I have line of sight, even though I'm Azure AD joined and not AD joined. So there you go, there's a third option. So the third option is hybrid joined. So we've hybrid joined, oh, that's not right, where's my AD gone, there's my AD, wrong window, one window, let's change that, let's get it confusing. We've hybrid joined: I'm actually joining to my Active Directory. So hybrid joined, I'm joining AD, but what happens is via Azure AD Connect it's also doing that registration, so I get that as well. So hybrid joined is hey, I'm joining AD, but through Azure AD Connect it then also registers me with Azure Active Directory. Honestly, for this it's going to be corporate again; obviously I'm joining AD, this is going to be a corporate device. I would typically use this where I couldn't use the Azure AD join. So if I'm thinking it's a corporate Windows 7, Windows 8, Windows Server 2008 and above, this would apply to, because if I'm Windows 10 or Windows 11, most of the time I would rather just Azure AD join. Again, I still get access to these if I have line of sight through the Kerberos, I still get that, but it removes a lot of that dependency on there. Obviously my logon, I'm signing in with an organization account, so my auth here is the AD account, so I'm authenticating against my AD. On the device, it's joined to the domain, I'll authenticate with my AD account, but because it's registered I still get that single sign-on experience, so I get that capability. Management, it's going to vary; most likely it's more of a traditional, hey, I'm using Group Policy for management, I might use things like System Center Configuration Manager. Those are going to be the common things I'm going to leverage. Now in terms of all of those things, so now the device becomes known; I can use that later on with Conditional Access as part of a policy around device health and various other types of
things. Now I mentioned authentication a number of times there, and I've got kind of authentication here. There are different options for authentication. So when I think of authentication I can think about, well, password. So hey, there's just a password, and we kind of go, yuck, we don't like that today, we don't like just doing a password. So we can move up, so we can think about, well, password plus MFA, and that MFA is maybe SMS, voice, and that's better, I mean that's good, so we're like okay, yeah, we're pretty okay with that. And then it moves up into, well, I could do password, but now I'm going to add to that things like MFA but using the Authenticator app, or maybe I'm using things like an OTP, could be software, could be hardware. So now we're like really, really happy; that's better, so that's a better option. And then I guess I'll use my universal super best one, which is passwordless. So passwordless could be things like, hey, Hello for Business, it could be those FIDO2 security keys we have. So this is just, I don't even know how to draw an even happier face, but this is just the best; we do fireworks saying how great this is. So when I think about authentication in my company, we really don't want just password, ever. It's just not very secure; it's what we call a network secret, I can use it anywhere. So even though it might seem longer than a PIN, a PIN is normally per device, so I have to have the device and the PIN: something I have and something I know, so it's more secure than just this network secret that I can try anywhere. So we have these different levels of things we want to do, and then there's always a balance of security and usability and availability of the solutions; we have to balance those things, but generally passwordless is super convenient and it's super secure, so that's kind of the best one. Now there are different methods I can use. I talked about SMS, I talked about voice, password, MFA apps. Some of them can be used as the primary source of authentication; some of them can only be used as a secondary. Microsoft has a nice document that goes through the different authentication methods. It's like, well hey, can it be primary and can it be secondary, can it be used for self-service password reset? Remember, self-service password reset is the ability for users to go in and reset their own passwords based on some set of requirements I have pre-configured, maybe security questions they have to be able to answer, so I have all of the control over those various things. But we can see all those different methods here, like a voice call can't be used for primary authentication, nor can software tokens or hardware tokens. What's not shown on here is certificate-based authentication; that is in preview right now. That would actually let me use certificates, which is kind of a cool thing. We have all these different options available. Now in terms of users actually registering for these things, as part of my Azure AD under user settings, if I go to user features, you have this option for combined security information registration experience, which actually is, I think it was yesterday, went generally available. It's been around for two years, but this is now a combined experience to register both my self-service password reset and my MFA information. To see what I can use in my tenant, if I go to Security and I go to my authentication methods, these are the different things that I have: so FIDO2 security keys, Authenticator app, text messaging, temporary access pass, certificate-based authentication as I talked about. Those are the things that are lit up in my environment. Now I did also mention self-service password reset, so while I'm kind of looking around this area, if we go back we see here password reset, and this is really powerful. When I enable this self-service password reset, if I have Azure AD Premium P1 or above, when I change the password it actually writes it back to on-premises Active Directory if it's a synchronized account, and then synchronizes it to Azure AD
using Azure AD Connect. So here, password reset, I've got enabled for everyone, and you tell it, well, what is required to be able to do that reset. Do I want one or two methods the user has to do? What method can they use to do that proof of who they are to be able to set their new password? Do I want security questions? How many questions do they have to answer to actually get reset? I can select the questions, I can add custom questions if I wanted to, so I have full control over exactly what they can actually do. There's different ways to force the actual usage of this combined security registration that then lets me fill in all of these different details. Identity Protection has an MFA registration option; there's abilities to do things via actual MFA sign-up; there's things I could set on a Conditional Access policy to say hey, you require MFA, which will make them register on the first use. So there's different options, but hey, there's different ways I can actually go and drive all of these different things. You can see here registration: require users to register when signing in, and that again, if I'm using the combined registration policy, would make them set up the MFA as well as the password reset. Now I said, hey, get rid of passwords, that's the best thing if you can. The reality is there's still passwords out there, so there is password protection as part of Azure AD. If I go back to Security, go back to those authentication methods, one of the things we have is password protection, and this does a number of different things. So firstly, there's just default passwords it's going to protect me from; it won't let me use silly passwords or easy variations, like I can't switch an S for a 5, it won't let me do that. I could add my own custom banned passwords. Now I did Savill and Cowboys because I'm in Texas, but if, for example, I was in Seattle, maybe I would add Seahawks to that list, and I don't want people doing that as well. So I can enforce not only the standard
but also this idea of a custom list that I can go and add. Now one of the other things you're seeing here is "enable password protection on Windows Server Active Directory". So the way that is going to actually work is the password protection is going to have a number of components on premises as well. So if I think about this on-premises Active Directory, what it's going to have is, on each of my domain controllers (that's not the domain, where's my picture, domain controllers, there we go), on my domain controllers it installs a small password protection agent service. Now that adds a DC agent password filter DLL to LSASS; now that's the process used for any time I change a password, and I can do that on Windows Server 2012 and above domain controllers. And what's going to happen is I also deploy a proxy service on a member server. This just avoids the domain controllers having to talk directly to Azure AD; there's going to be this proxy service that talks to Azure AD and gets the password policies, and then the agent on domain controllers talks to the proxy service. And what that's now going to do is enforce those password policies for my on-premises Active Directory as well as my Azure Active Directory, so I'm going to have all of those things coming together. The other feature we see here is smart lockout. So this is the idea: maybe someone's trying to attack you by locking out your accounts. Now depending on what I'm doing, potentially this might also hit my domain controllers if it does pass-through authentication. So what smart lockout does is, after 10 failed attempts, it's locking me out for one minute. Now that's initially; if I do it again, well, it starts lengthening that lockout, so it's actually going to start increasing in duration every time. So if someone is trying to just breach, lock me out, it's going to get stopped. Now what it does remember is the last three bad password hashes. I think we've all been in the scenario where we're sure we know our password, and we type our password in and it doesn't work, so we try a different password we thought, and it doesn't work, so let me try the other one, maybe we mistyped it. So it won't lock us out through that: if I keep using the same password that's wrong, it's going to remember the last three and not lock me out because of that. Now this feature is default; it's always enabled. And what this is doing, if you think about it, by having this smart lockout here, so that says it's going to lock out at 10 attempts for a minute, what I want to do is protect my on-prem AD. So there's also the idea in Active Directory, it has a lockout threshold; if I go to my policies, account lockout policy, I can set numbers there as well. And what I want to make sure is my on-prem is a bigger value, so I want to make sure my AD lockout threshold is greater than the number in Azure. So if this is 10, maybe this is 15, for example, and the Azure AD lockout duration is longer than the lockout duration that would be on AD. It's basically a way to help protect me from knocking out the AD account, so it's that first line of defense if I am talking to my AD as part of my authentications. If you do get locked out, there is no way to unlock an account in Azure AD. Technically a user could do a self-service password reset; that would unlock themselves. AD FS has its own concepts of extranet lockout and extranet smart lockout, so that's different from what we're doing here, but yeah, I can't unlock it in Azure AD, I just have to sit and wait, unless the user does that self-service password reset. One other thing, so I talked about Azure AD: there are times where maybe I want to limit what I can do against services that trust a different Azure AD. Now there are ways to do this; honestly, they're pretty hideous. So in Azure AD I can configure a list of permitted tenants, so then only I will be able to issue tokens for those tenants I've trusted, but to do this I have to have a proxy on premises through which all the traffic flows. They can do TLS inspection, because these are going to be HTTPS.
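Added example, not from the video: a small Python model of the smart lockout behaviour described above (10 distinct failures, one-minute lockout that lengthens, the last three bad password hashes not counted again), plus a check that an on-premises AD lockout policy sits above it the way the video recommends. The hashing, the doubling escalation and the function names are my own assumptions, not Microsoft's implementation.

```python
import hashlib
from dataclasses import dataclass, field

# Values the video states for Azure AD smart lockout
LOCKOUT_THRESHOLD = 10        # failed attempts before the account is locked
BASE_LOCKOUT_SECONDS = 60     # the first lockout lasts one minute
REMEMBERED_BAD_HASHES = 3     # the last three bad password hashes are remembered


@dataclass
class SmartLockoutAccount:
    """Simplified model of one account under smart lockout. Assumption: this is
    not Microsoft's real algorithm, only the behaviour the video describes."""
    correct_password: str
    failures: int = 0          # distinct bad attempts since the last success or lockout
    lockouts: int = 0          # lockouts so far; drives the escalating duration
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    recent_bad: list = field(default_factory=list)

    @staticmethod
    def _hash(password: str) -> str:
        return hashlib.sha256(password.encode()).hexdigest()

    def attempt(self, password: str, now: float) -> str:
        """Process one sign-in attempt at time `now`; returns 'ok', 'bad' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        if password == self.correct_password:
            self.failures = 0
            self.recent_bad.clear()
            return "ok"
        digest = self._hash(password)
        if digest in self.recent_bad:
            # The same wrong password again (the "I'm sure that's my password"
            # case) does not count towards the threshold.
            return "bad"
        self.recent_bad = (self.recent_bad + [digest])[-REMEMBERED_BAD_HASHES:]
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.lockouts += 1
            # Assumed escalation: each lockout doubles the previous duration.
            duration = BASE_LOCKOUT_SECONDS * (2 ** (self.lockouts - 1))
            self.locked_until = now + duration
            self.failures = 0
            return "locked"
        return "bad"


def check_lockout_policies(ad_threshold: int, ad_duration_seconds: int,
                           aad_threshold: int = LOCKOUT_THRESHOLD,
                           aad_duration_seconds: int = BASE_LOCKOUT_SECONDS) -> list:
    """Compare an on-premises AD account lockout policy with the Azure AD smart
    lockout values. Returns a list of findings; an empty list means the policy
    follows the guidance above (AD threshold higher, Azure AD duration longer).
    An AD threshold of 0 means AD never locks accounts, so there is nothing to protect."""
    findings = []
    if ad_threshold == 0:
        return findings
    if ad_threshold <= aad_threshold:
        findings.append(f"AD lockout threshold {ad_threshold} must be greater than "
                        f"the Azure AD smart lockout threshold {aad_threshold}")
    if ad_duration_seconds >= aad_duration_seconds:
        findings.append(f"AD lockout duration {ad_duration_seconds}s must be shorter "
                        f"than the Azure AD lockout duration {aad_duration_seconds}s")
    return findings


if __name__ == "__main__":
    acct = SmartLockoutAccount("Correct-Horse-9")   # constructed sample password
    results = [acct.attempt(f"wrong{i}", now=0) for i in range(10)]
    print(results[-1])                              # locked on the 10th distinct failure
    print(acct.attempt("Correct-Horse-9", now=61))  # ok once the minute has passed
    print(check_lockout_policies(ad_threshold=15, ad_duration_seconds=30))  # []
    print(check_lockout_policies(ad_threshold=10, ad_duration_seconds=60))  # two findings
```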
So I have to be able to inspect the packet, and then what it has to do is not only inspect the packet but insert into the header this list of allowed tenants, this "restrict access to tenants" option, and then I also have to have it mark who is my tenant. The client service must also directly request the token from Azure AD, so it's modern authentication like OAuth2, and then the net result of that is if I try, as a client, to get a token against a tenant that's not in that list that's been injected by my TLS inspection, it's going to fail. But that's very heavy in terms of actual implementation. The good news is there's actually a much, much better option. It's in preview at the time of recording, but there's now something called cross-tenant access settings. Now I would not expect it to be on the exam today because it is in preview, but with cross-tenant access settings I can go to my External Identities, and now what I can actually do is I can change my defaults. So I could say my default, for example, both inbound and outbound; outbound could say hey, I don't allow external collaboration, and then I would go and add specific organizations that I do want to allow. I can also change my inbound settings to only allow guests from certain tenants, and I can even configure things like trust. So for example I could say, if I look at this one, I could say trust, hey, trust if the token says they've done MFA, or if it's compliant, or if it's hybrid Azure AD joined. This gets rid of the challenge that in the past we had to do things like a double MFA, because we would not trust an MFA claim made by a token from another tenant. With these cross-tenant access settings I can absolutely do that now. So again, it's in preview right now; without that, yes, I can restrict access to other tenants, but it just really is fairly hideous to do, it's very, very complex, and there's lots of components and TLS inspection and things I'm going to have, but technically, yes, you could do it. Okay, so Azure AD is kind of the center of our identity world. We can see, hey, it's the center of all our applications, other services coming in. Well, one of the things I probably want to be able to do then is, we talk about authentication; authentication is proving who I am to Azure AD, but now I want to think about authorization: well, can they actually do these various things? And our solution for this is Conditional Access. This is probably the most powerful feature in Azure AD; it's so powerful we're going to give it a little cape just to kind of show it's a superhero, flapping in the wind, it's fantastic. Now this is a P1 and above feature, so my users have to be licensed for Azure AD P1, but the net result of what this is going to do, if I think about I have my Azure AD, in terms of authorization, so every time I want to get a token to access something, well, think of this as putting a barrier around my Azure AD. Anything that wants to use it goes through Conditional Access, and I can then do various checks as part of that. Now I guess before I go into Conditional Access, what if I don't have Premium? What if I've just got free? So there is security defaults, which I showed earlier: I can, hey, turn on security defaults. I'm not going to use both; I do security defaults, or ideally I'm using Conditional Access. So remember, the whole point of security defaults is that I don't have paid licenses, I've only got the free tenant, and what it's going to let me do is really some bare minimum protection for my environment. So if I go back to my tenant, and then I go back to my properties, I've got my "manage security defaults" down here at the bottom, and then if I select that, all I've got is this option for hey, do you want to enable security defaults. Now I've got it set to no; I've got it set to no because, well, I have Premium, so I've got Conditional Access. Now what does that do? What if I set that to hey, yes, turn on security defaults? So this is, I'm a company, I've only got the free SKU, but I want some basic protection. So what I can
think about this free with security defaults is it's going to do things like, hey, register for MFA for all users, but that MFA is going to be using the Authenticator app; they can't do SMS, they can't do voice, it limits what I can do. It's going to block legacy auth, so all the insecure protocols, which is how most of the attacks happen, are just going to be blocked. Admins are going to use MFA, and privileged actions will use MFA for users, so things like how I'm accessing the portal or PowerShell or CLI, it's going to make the users use MFA for that. So that's how I can, hey, if I've got the free but I want some, it's better than nothing. It lets users do MFA, again only using the Authenticator app. Admins can have more options: global admins, they can always, and some other admins can always, do MFA even on free, and they get more flexibility in those options. The document goes through all of that, but it gives me something. So if I don't have the paid, at minimum at least turn on security defaults, but if I have Conditional Access I'm not going to turn that on, because Conditional Access gives me super, super granular access to very, very different things that I might want to use. So if I think about what am I doing with Conditional Access: there's all these signals coming in. Every time I try to do an authorization, there's signals. So I could think about, well, in terms of the signals that are available for Conditional Access, I can think, well, there's hey, who is it, the user; what groups maybe are they in; I could think about what roles do they have; are they guests; there's signals there. There's signals about, well, what location are they coming from; that location might be based on IP addresses, it might be based on country based on IP, it could be based on GPS coordinates if I want a mobile type device. It might be based on what application they're trying to access, or what action are they trying to perform; they're trying to do security registration, I could put policy around that. They're accessing from a certain device; what do I know about the device? Hey, remember that registration, that join, compliance, I can start to use that. What is the risk? That's an interesting one: what is the risk of currently things that are happening? And then the whole point is, with all these different signals, I can make decisions. I can have maybe conditions; I might decide to just block, I might decide to just allow, I might say hey, you have to do an MFA, maybe I require a joined device, maybe I'm going to have session controls based on things I'm seeing: you're coming from some device I don't normally see, I want to do a few more things. There's lots of other things we can actually do. So let's actually take a look at one; we can kind of get an idea of that, and I would urge you to take some time and really get confident with these, because this is one of the most powerful things we have. If I go to Conditional Access under Security, we have named locations. So remember, named locations could be hey, I want to create it based on country, based on the public IP, but also we have this option based on GPS coordinates. So I'm on my mobile phone or something else, hey, I could now determine the country based on the GPS, or I could just add a particular set of IPs, maybe they're my on-premises locations, set of NAT gateways to the internet, so I'll know it's coming from my on-premises. I would stress, with zero trust we start to care less and less about the network; we don't trust it. But I still might want to know it; it might give me some sense of some signal on things I might want to do, so I can still use that. Then we have policy. So I can create a policy; I can create a new policy or I can create one from a template. There's templates based on user identities, maybe service principals or devices, so there's a whole bunch of templates I can use to get started, or I can just say hey, new policy. I give it a name, and then, well, who is it applying to? I have include; I can include users, groups, I can include
service principals. If it's a user or group, I could base it on particular users, I could base it on all guests and external users, people who have certain roles, people who are, actually, certain users specifically, or certain groups. Also I can exclude. So exclude is really powerful, because there are going to be times, or maybe all the time, certain people should be excluded. We might talk about the idea of emergency accounts; there's very often going to be at least one account I'm going to exclude from Conditional Access. I do something wrong, I do something silly, especially when I'm dealing with all cloud apps, and I lock myself out; I lock everyone out of my Azure AD tenant, including all my admin accounts. So generally that exclude is really powerful. I've probably got a group I create, I exclude it, and I'm going to have a certain break glass account in that, so if the absolute worst happens, at least this one account can still get in. So you'll see exclude very, very common. I can do those same, hey, users, external users and groups, etc. So select who is it applying to; I can say all users, and notice it's warning you, it's like, just be aware, it's going to affect everyone; this could be a bad day, a resume-generating event. Then I can target, well, what am I targeting? Is it an application? I could say all cloud apps, and again that's super dangerous, or a particular app, any application that's registered or I've created against my Azure AD, including things like Azure AD App Proxy apps. Or I could target an action: hey, I'm registering my security information; maybe when I'm doing that original security registration I want to be in a more secure, maybe I'm going to use location, I want to be in a corporate, or maybe I have to be on a corporate joined machine; I could use things for that. There's also authentication context, which is about, hey, I now get this check I can perform when I'm trying to access certain types of data, in this case, for example, SharePoint, and it's going to make me have this authentication context that maybe requires a higher MFA or a stricter set of requirements about what I can actually connect from. So we have these different things: what am I targeting. Then we have conditions, so I can have the user's overall risk, high, medium, low; the individual sign-in risk, high, medium, low, no risk. These are using Identity Protection, both of these, which is a P2 feature. I can target particular device platforms and I can exclude particular device platforms; I could target particular locations; I can target particular client applications, so hey, modern authentication clients or legacy ones I could target. I could filter for certain devices, so here I could look at the property of the device and require some property to be true. For example, maybe it's a secure access workstation; I'm accessing this really critical thing, so I'm going to look at the properties of the device I'm connecting from, and I'm looking for maybe custom attribute 10 is SAW. So then this would apply, and then this will allow me to then get access to the application; everything else would be rejected. So I have all these different things I can check, and then my controls: hey, I could block access, I could grant access, I could require MFA, I could require it to be marked as compliant, all these different types of things I could do; make them change the password, this could be hey, I looked at the user risk, the user risk was high, make them change their password. And I can configure, well, do they have to meet all of them, or do I just require one of them? So it's maybe, hey, you do MFA or you're on a compliant device; either way the device is managed by the company, so I've got some degree of comfort with that. So I have all these really powerful things I can do with this. And then we have this idea of session controls, and there's many different types of session controls in here that we have. This idea of app-enforced restrictions: so app-enforced restrictions apply to only certain applications, and this is where, for example, I'm integrating with mobile application management to do certain checks.
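Added example, not from the video: a Python lint pass over Conditional Access policies written in the shape of the Microsoft Graph conditionalAccessPolicy resource, flagging the traps described above (all users targeted without a break-glass exclusion, block on all users and all cloud apps, several grant controls with no AND/OR operator, password change without a user-risk condition). The policies and the group id are constructed for this page and the rule set is my own.

```python
import copy

# Placeholder object id for the break-glass group (constructed, not a real tenant value)
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000bg1"
# Graph clientAppTypes values that represent legacy authentication clients
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def lint_policy(policy: dict, break_glass_group: str = BREAK_GLASS_GROUP) -> list:
    """Return a list of findings for one policy; an empty list means nothing flagged."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    client_types = set(cond.get("clientAppTypes", ["all"]))

    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])
    legacy_only = bool(client_types) and client_types <= LEGACY_CLIENT_TYPES

    if all_users and break_glass_group not in users.get("excludeGroups", []):
        findings.append("targets all users but does not exclude the break-glass group")
    if all_users and all_apps and "block" in controls and not legacy_only:
        findings.append("block on all users and all cloud apps would lock out every admin")
    if "block" in controls and len(controls) > 1:
        findings.append("block cannot be combined with other grant controls")
    if len(controls) > 1 and grant.get("operator") not in ("AND", "OR"):
        findings.append("several grant controls but no AND/OR operator set")
    if "passwordChange" in controls and not cond.get("userRiskLevels"):
        findings.append("require password change needs a user risk condition")
    return findings


def lint_policies(policies: list) -> dict:
    """Map each policy's displayName to its findings, leaving out clean policies."""
    report = {}
    for policy in policies:
        found = lint_policy(policy)
        if found:
            report[policy["displayName"]] = found
    return report


def harden_legacy_block(policy: dict) -> dict:
    """Return a copy of a 'block' policy narrowed to legacy clients only, with the
    break-glass group excluded, so it blocks the insecure protocols and nothing else."""
    fixed = copy.deepcopy(policy)
    fixed["conditions"]["clientAppTypes"] = sorted(LEGACY_CLIENT_TYPES)
    excluded = fixed["conditions"].setdefault("users", {}).setdefault("excludeGroups", [])
    if BREAK_GLASS_GROUP not in excluded:
        excluded.append(BREAK_GLASS_GROUP)
    return fixed


# Constructed sample policies (assumption: hand-written in the Graph shape, not exported)
REQUIRE_MFA = {
    "displayName": "Require MFA or compliant device for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

BLOCK_ALL_MISCONFIGURED = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},                 # no exclusions at all
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],                          # meant to be legacy clients only
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

HIGH_RISK_PASSWORD_CHANGE = {
    "displayName": "High user risk: change password",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "userRiskLevels": ["high"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
}

if __name__ == "__main__":
    print(lint_policies([REQUIRE_MFA, BLOCK_ALL_MISCONFIGURED, HIGH_RISK_PASSWORD_CHANGE]))
    print(lint_policy(harden_legacy_block(BLOCK_ALL_MISCONFIGURED)))  # []
```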
example, I'm integrating with mobile application management to do certain checks. So that's where maybe, hey, I want certain compliance; this is Office 365, SharePoint Online, Exchange Online, I want to do those various things. I might have those mobile application management policies though as well, remember. So when I think about that device management, and I talked about, hey, I might want to use MDM, so with MDM, MDM manages the whole device. There might be times I don't want that; it's the user's own device, they don't want me managing the device at all, but on that personal device they have all their various applications, so I've got Twitter and, I don't know, whatever else, but then I've got, hey, Outlook and maybe SharePoint, and they're corporate apps and they're going to connect to a corporate account. So what I can do is there are things like mobile application management, and what that says is when I try and connect the app to a corporate resource, well, the app then is managed by MAM, so the device isn't but the app is, and it can create a wall, so I couldn't take corporate data and copy it to a personal app. I can have restrictions, I require a PIN to open up the app even if the device doesn't have it. So there are ways I can do app restrictions even if I'm not managing the complete device. Now the other thing we kind of saw there for a second, if we jump back over, so beyond that we have all of these ideas about, well, conditional access app control and sign-in frequency, persistent browser sessions, customized continuous access evaluation, disable resilience defaults, which is about a problem with Azure AD. So what are these things doing, these fairly big options here? So one of the big technologies that you have in the Microsoft world is... so, hey, we're at these session controls, so yes we have things like app control, but then you have this idea about, well, the actual... there's a Defender for Cloud Apps, so I could think about Defender for Cloud Apps. This used to be called Cloud App Security; it's the Microsoft
CASB, secure CASB solution, so a cloud access security broker. And I think about what this does: for one thing it's almost like a reverse proxy, so when I turn this on, when I connect to the application it now goes through this service instead of talking to it directly, so now I can start to see what users are doing when they work with this device. Now also what we can feed into here is network device logs, so I'm going through some other firewall or something else, I can start to feed in. There are also API connectors, so maybe I'm talking to some cloud application that enables me to see, well, what are users doing, and then actually through the API I could set controls and policies of what I want to do. So what Defender for Cloud Apps lets me do is, well, what cloud apps out there are users actually leveraging? It gives me a way to maybe go and find things like shadow IT. And if I actually go and look at the portal super quickly, so if we go to portal.cloudappsecurity.com, it says... the whole idea of... now I don't really have anything going on in mine, but I'm just trying to show you the areas of functionality. We have discovery, so there's, hey, I could discover apps, discover resources, I have configurations about where I want to get data from; there's the ability to investigate exactly what's happening in my environment; there's control, so I can create policies to help find certain types of behavior; I have the ability to then actually perform things like disable a user if I see bad things happening; I can integrate things like Defender ATP, Azure Information Protection, to lock down certain types of content. But it's all about finding out what users are actually doing. So my discovered apps, I really don't have any discovered in my environment because I'm not doing anything with this, but there's literally thousands and thousands of applications available in here. So it goes to cloud catalog, and what it does is it rates them by risk, so we can see here all these different
types of apps that it knows about, and it's using over 90 different risk indicators to say, well, is it risky or not. So if I just pick... I'm just going to randomly pick one, I don't know, let's pick a seven. So it shows us all of the risk indicators of why is it a seven. Well, okay, from a security perspective: remember passwords, oh, it's not ISO 27018. So all these indicators can help us decide now, well, do I want to sanction this application, or it's unsanctioned, or there's other things I might want to do around the application itself. And again, just think of this as saying that conditional access basically lets me say, hey, I want this to be used to be able to leverage this particular application, so that's why we're really thinking about that as part of conditional access, so we can actually hook in to our session controls. But then again we had also things like, hey, there was the sign-in, um, window, so normally we have this 90-day rolling sign-in before we have to re-authenticate for OAuth 2 apps and OpenID Connect apps; we could change that behavior. There's things like persistent browser, when it says, hey, do you want to have to re-auth after you close the browser, no, or I can control that behavior. Things like continuous access evaluation. Continuous access evaluation: normally we get a one-hour access token, because we can never revoke a token. With continuous access evaluation, certain applications will actually go and talk to Azure AD to find out about policies that apply for it, so then if it detected your location has changed it could invalidate your token. Likewise Azure AD could go and talk to the app and say, hey, this user's been disabled or they've changed their password, stop letting that token be used. So that lets me now give out longer-lasting tokens, let's say 24 hours instead of these very short one-hour ones, because I now have the ability to actually go and revoke it. So that's kind of one of those useful things. Another thing I can do is I could require a terms of use, and in terms
of use is essentially I define a PDF document, and that is the terms of use, and you saw that when I looked at the Azure AD. So if I go back over here, and we go close that down, one of the things I had in my grant was I had these terms of use, general TOU, Twitter TOU, and if we go and just look at conditional access I have terms of use. I just upload a PDF document, and you can say, hey, do they have to re-accept it every so often, do they have to scroll through all of the content, I can have different language versions of it, and what will happen is with this they will just get prompted to have to accept this before they can actually continue. So that's really the key point of using these terms of use. Now I did mention earlier about the idea of a break glass account, so I can think that, okay, great, I have all these different types of accounts: it could be a cloud account, it could be, most commonly, synchronized from my on-premises Active Directory, it could be a guest account. But things can happen; with conditional access I do something silly and lock myself out, there might be some issue with certain types of MFA, I might use federation and something goes wrong on premises. So we really like the idea of, at minimum, having a couple of break glass accounts. So I can think about a break glass account: these are not being used day to day, but these would be highly privileged accounts, for example global admins. They should not be tied to any particular user; I don't want to use a particular user's phone, for example, for MFA. I could use a hardware token, so I could maybe lock away, that could be used as part of it. But it should be a cloud account; I don't want to rely on any kind of pass-through authentication, I don't want to rely on any kind of federation, I want that password hash there, it's just natively in the cloud. Not expire: I don't want to mess something up and it's expired and I've locked myself out. And it is a GA, and that's permanent; it's not saying I have to elevate up. And I want to make sure, if I
do have multiple, let's say we have two of these, at least one of them is not using any kind of phone MFA, for example; when I use a phone MFA there's more services involved than using something like a token, so you want to be super careful about that. Exclude one from conditional access, minimum, in case I do something silly in conditional access and I break something. What I want to make sure I have on these is auditing and alerting configured, so if I see something happening on here... I've reloaded it, it's slowing down... if I see something happening as part of the environment, if I see someone using that account, it's going to alert me. So, hey, this account normally shouldn't be used, it's very restricted; I see something happening, hey, I'll know someone's using it. It can send me an email, it could trigger an action. I want to make sure every 90 days I rotate the password, and you might have that locked away somewhere, whatever you're doing. There's some great documentation about this; it talks about securing that emergency access, so this is a set of guidelines about those emergency access accounts that I want to make sure I think about. This is all in the links below: details about creating them, things to consider for them, etc. So you really want to make sure you think about these to help protect the environment, because things happen, we make mistakes, we're humans; at least have these accounts available if that worst thing ever did happen. But just in general, when I think about my conditional access I really do want to be careful of any time I say all apps for all users, and generally bad things can happen there, so use that in a very, very limited way. When I start out with conditional access, remember you can have those templates. Make sure you do the kind of, um, audit first before I actually go and enable that conditional access policy; let's go and see what the behavior would be, and then I can actually go and enable it so it enforces those various actions. If I'm trying something out I can think, hey, let's just put it
in report-only mode initially; once I see what the impact will be, then I can actually start enforcing it. So that's a property on each of the conditional access policies. If I'm having problems with conditional access, what we can do is, well, firstly there are sign-in logs. So if I go to my Azure AD, oh, let's go over here, if I go to my Azure Active Directory, well, just in general, if I go to monitoring we have this idea of sign-in logs, and there's lots of different types of logs for Azure AD. But if I go to my sign-in logs, one of the things I can actually have here, so I have all of these details about the various user sign-ins that I've got going on in my environment, and as part of this it shows me here conditional access, so I can see, hey, there's something happening regarding conditional access. There's also the idea of troubleshooting and support, so under troubleshooting and support, for example, there's this virtual assistant that might help guide me through certain problems I'm having: hey, look, hey, conditional access, there's things that could help me through that. And also, just directly, if I go to conditional access I could look specifically at logs here, and again there's that troubleshooting directly from this environment as well. So there's various things I can do to actually help me when I'm leveraging these technologies. Now if I go back to conditional access, one of the big things we focused on was around this idea of risk, and I said at the time, well, this is a P2 feature using Identity Protection. So if I think about risk, that's huge; a lot of the things we want to do now is modify what we require based on am I detecting some element of risk, and so this risk is really facilitated by Identity Protection, and this is a P2 feature. So this risk element, I'm getting that information from Azure AD Identity Protection. When I think about risk there's this pyramid idea of risk, because I can think about, well, there are risk detections, so I see some risk. Now that risk detection
could be related to a particular sign-in, it could be some offline signal like, hey, I'm scouring the dark web and I find a leaked password, it could be I'm coming from an anonymous IP; there's all these different risk detections. And then as a user I have particular sign-ins, and some of these sign-ins may have certain risk detections associated with them. And then of course there's the user themselves, and that user themselves, well, they have risk signals based on sign-ins but also those direct ones, maybe, hey, I found their credential. So this whole idea of different things that come in: some of them related directly to the user's sign-in, some related to other things, some of them might be combinations of signals, hey, based on the time they're logging in, the device, the location, this is not a common thing, uh, impossible travel, irregular behavior, not common with what we typically see them doing. So all these different signals, and there's a huge number of different signals available. If we go and look at the documentation it talks about risk types and risk detection: leaked credentials, we talked about, already coming in; sign-in risk: anonymous IP, atypical travel, anomalous token. And you'll notice a lot of these actually say offline, and the only two that are real time is actually this idea of anonymous IP, so I'm coming in from like a Tor browser, and also this idea of unfamiliar sign-in properties. So these are the two that I can use when I say sign-in for conditional access; they are the ones that are used as part of sign-in risk, they're the only two. All of these other risks, they can go into the reporting of a sign-in, so done offline, but they're not considered by the conditional access sign-in risk. And then there's other types, additional risk detected, and you get different levels of information on if I'm a P2 user compared to, hey, if I'm a P1 or not; it may just say, hey, there's elevated risk, but it won't tell me exactly what it's thinking about. So that's an important point, that, hey, when I
come to conditional access it's only the real-time signal. So when I think about these risk detections, the real time for these is only that anonymous IP, and then you have that idea of the unfamiliar sign-in. Now the reality is those two are huge; they cover most of the key things related to a sign-in anyway, but these are the signals that I actually have as part of the risk for the sign-in. That's the important part: that's the sign-in risk, just those two. The user risk option we had, remember, that uses all of these different signals: what's the user's current risk, all of those things do come into play, because if I think about, hey, what we know about users, normal logon time, normal devices, normal apps accessed, normal IPs, normal countries, unfamiliar sign-in would target all of those key things that would normally signal some type of attack, and then machine learning can be used, and access that result via APIs around sign-in, around the user's actual behavior. So I already showed you in conditional access where I had that user and sign-in risk option. As a best practice, in your conditional access you don't want user and sign-in risk in the same policy, because generally my actions are going to be different: if I think it's a sign-in risk I'm probably going to want to do an MFA; if it's a user risk I'm probably going to make them change their password. So I'm going to have different actions most of those times. Blocking is fairly rare, because then the user can't remediate, whereas if I just make them change password, well, if they successfully change their password, which would make them do an MFA, that helps show, well, they're healthy again, and I can actually help remediate that risk; that's actually being done. So conditional access sign-in risk just uses two of those, but then all three of these different levels then have reporting, so I have reports: show me risk detections, show me risky sign-ins, show me risky users, and I can view all of those things. So this is a key piece of
functionality with this. Obviously from a protection perspective there is a native protection capability in Identity Protection; we tend not to use it, it's better to use conditional access. And what I mean by this is, if we go and look at this in action, if we go and look actually directly at Identity Protection, well, firstly we see those reports: risky users, risky sign-ins and risk detections, we see those three categories, and also you'll see risky workload identities, so service principals now work. But then there is this idea of protection, and I can create a policy: hey, if the user risk is high, which is going to make them change password; sign-in risk, do MFA. Conditional access is more granular, and it's going to get confusing if you use both of them, so most of the time you're probably not going to use these. So for me, the policy would be off and I would just use conditional access for that, but it does have its own native one; but generally, hey, it's better to use conditional access. The other thing we see here is this idea of MFA registration policy, so I can drive people to complete that MFA registration. But once again, if I'm using that combined security registration, maybe I'm driving this through self-service password reset, maybe I'm driving this through conditional access; I don't want multiple things driving the same combined security registration, so generally you're going to pick one of them and use that, that's going to be a much, much better option for that. But realize this Identity Protection, this ability to act on risk, really is huge, but it is a P2 feature. Okay, so if I go back to this picture for a second, one of the key points about Azure AD is it becomes this single identity for all of my cloud services: sure, Azure and Microsoft 365, but third-party SaaS applications, applications I create, maybe on-premises applications I have on premises that I want to make available, I want to pre-authenticate them with Azure AD. And when I do that, well, now I get all the power of conditional
access applying to all of these things as well. So I already talked about, when I think about these, so these SaaS applications in particular, so I'm going to focus here on the idea of enterprise applications. So these are applications that I want to make available to people in my tenant. Remember there's the application administrator role that can do everything, including kind of the App Proxy, and then there's the cloud administrator role who can only manage cloud applications. I can add many applications to my Azure AD tenant; I can set, at an individual application, individual application owners, for example. So if I jump over and look at my enterprise applications you can see a whole bunch; I have a whole bunch of applications I've added to my Azure AD tenant. I could go and look at any particular one of these, doesn't really matter, and as part of that you'll notice, hey, look, you have to assign users and groups to it, so I have to grant permission to this particular application for users and groups to be able to use it. Let's actually pick a different one for a second, let's pick DocuSign. Then I might need to go and set up single sign-on. Now there's different ways I can think about doing the single sign-on; it varies by application what the exact method is, I'm going to come back to that in a second. I might need to provision user accounts; now this is going to vary by application, and in particular things like self-service. Now if I go back to enterprise applications and I do add, we'll see some featured applications. If I just select one of these, um, actually I picked DocuSign, it shows me how single sign-on can work: it's a password-based sign-on, SAML-based sign-on, linked sign-on, and it also shows me provisioning, automatic provisioning is supported for this particular application. So there's different options available for the applications. If I was to pick another application, let's say Cloud App Security, we notice this one for single sign-on is using OpenID Connect, a real cloud-native
authentication method. So different apps will support different options within there, but when I add the application, whatever I do, I can go and add particular owners, so I can add an owner to an application, and that will give whoever these people are the ability to manage all aspects of that particular application. And then I can think about, well, actually granting users or groups a particular role within that application, and depending on the application there's going to be different roles available to me, so that's going to be very different depending on exactly what I'm doing. Now once I've done all that, actually I want to go back up, you have that whole single sign-on option. Now this is going to vary by application on exactly what they support, so the typical ones we're going to see as part of this: I have the idea that, okay, for my enterprise application, because I want that single sign-on, that's really the big deal about this, I have my identity in Azure AD, I don't want to have separate credentials for those applications, they're trusting Azure AD for the identity, so I want the idea of my single sign-on. Some of them use SAML, some of them are going to use OpenID Connect, some of them might use OAuth 2.
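Going back to the conditional access discussion earlier in this part (all users plus all cloud apps, the break-glass group that must sit in the exclusions, a block that could lock the tenant out, report-only mode, and keeping user risk and sign-in risk in separate policies), here is an added example that is not from the video or from Microsoft: a Python review of policy objects in the Microsoft Graph conditionalAccessPolicy shape. The three policies and the break-glass group id are constructed sample data, not exported from a real tenant.

```python
"""Review conditional access policies for the pitfalls discussed above.

The dict shape follows the Microsoft Graph conditionalAccessPolicy resource
(conditions.users, conditions.applications, grantControls, state).  All sample
data below is constructed; the group id is a placeholder, not a real object id.
"""

# Constructed placeholder: object id of the group that holds the break-glass accounts.
BREAK_GLASS_GROUP_ID = "11111111-2222-3333-4444-555555555555"


def find_issues(policy, break_glass_group_id=BREAK_GLASS_GROUP_ID):
    """Return human-readable findings for one policy (empty list = nothing to review)."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    state = policy.get("state", "disabled")  # enabled | disabled | enabledForReportingButNotEnforced

    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])
    bg_excluded = break_glass_group_id in users.get("excludeGroups", [])

    issues = []
    # "All users" + "all cloud apps" is exactly where a mistake locks everyone out.
    if all_users and all_apps and not bg_excluded:
        issues.append("targets all users and all cloud apps with no break-glass exclusion")
    elif (all_users or all_apps) and not bg_excluded:
        issues.append("broad scope with no break-glass exclusion")
    # A block on the widest scope deserves a look whether enforced or report-only.
    if all_users and all_apps and "block" in controls:
        issues.append(f"block control on all users/all cloud apps (state: {state})")
    # Sign-in risk usually wants MFA; user risk usually wants a password change.
    if cond.get("userRiskLevels") and cond.get("signInRiskLevels"):
        issues.append("user risk and sign-in risk in the same policy; split them so the "
                      "remediation (password change vs MFA) can differ")
    return issues


def review(policies, break_glass_group_id=BREAK_GLASS_GROUP_ID):
    """Map each policy displayName to its findings, omitting clean policies."""
    report = {}
    for policy in policies:
        found = find_issues(policy, break_glass_group_id)
        if found:
            report[policy["displayName"]] = found
    return report


# Constructed sample policies in the Graph shape.
SAMPLE_POLICIES = [
    {
        "displayName": "CA001 Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "CA002 Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "CA003 Risk-based access",
        "state": "enabledForReportingButNotEnforced",  # report-only, as a first step
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    },
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_POLICIES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The findings are prompts for review rather than verdicts: CA001 comes back clean because the break-glass group is excluded, CA002 is flagged for both the missing exclusion and the block on the widest scope, and CA003 is flagged only for mixing the two risk types while it sits in report-only mode. Wire the same function to the output of the Graph policies endpoint to run it against a real tenant.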
Remember OAuth 2 is not actually authentication, it's authorization, but we'll see that a lot when something consents: hey, I want to act on your behalf. If you see that, hey, application X wants to access your calendar or access your pictures, that's it asking for consent; you're delegating to it that particular permission on resources you own, to act on your behalf. So you might use OAuth 2.0, and a lot of times I can actually customize the token, so after I add the application I might go in and actually modify the tokens. Also you might see that idea of SCIM. So when I think about, well, there's maybe attributes on the cloud service I'm trying to access, maybe it needs a user object or a group object or some property; rather than me having to manually go and run a script or do something over there, what SCIM does, it's this System for Cross Identity Management, there's a user endpoint and a group endpoint, and it enables Azure AD to talk to that other service, and if there is something that needs to be created on their end it can do it via SCIM. Now if it doesn't support SCIM, Azure AD may spit out a script and it says, hey, go and run this script, or maybe there's some manual action you have to go and do, but ideally when you're adding the application you're going to see that auto provisioning is there, and it's going to use SCIM to actually go and do that work. Now also as part of the applications you're going to see other options, so if I go back over here for a second, if we go and look at the kind of properties for the application, you'll see this idea that I can customize the name and the logo and other things, but you see enabled for users to sign in, then you also see assignment required and visible to users. So, like, wait, why do I have all these different kind of options available for me? So I can think about, well, enabled for users to sign in: whether users assigned to the application can actually sign in to that application, that makes sense. Assignment required: well, even users that aren't
assigned, can they still use the application? And then visible to users: well, whether the users assigned an application can see it in My Apps, see it in the Microsoft 365 app launcher. So I can have controls over all of those different things and how the application surfaces and how I can leverage those things. Again, ideally we definitely want to be using sort of these protocols for the single sign-on; there are options where they can cache passwords and then kind of do this password injection into a site. We don't want that if we can help it; we'd rather use SAML or OIDC, OAuth 2. But also sometimes we just add an app and it shows up in the portal but it's not doing any other kind of single sign-on, but we want really these to be used, and then we want SCIM to do that actual configuration of objects if they're required on the other end. If I'm curious about what applications I'm using, well, when I go and look at my enterprise applications, if I'm just in enterprise apps over here, the first thing I can actually do is we have the logs as always, and one of the great things we have is this idea of usage and insights. So I'm looking at activity and we have usage and insights, so if I look at this, this gives me some nice idea, and I showed this earlier: hey, look, which applications are being used, unsuccessful sign-ins, failed sign-ins; I could see detail of the particular types of activities. This might give me an idea which applications are the most used in my environment; I want to give those, um, some love. I can also go and just look at regular audit logs if I wanted to, so I could just go over here and just look at my audit logs and I would just see, hey, the regular logs, and all that's really doing is the regular Azure AD logs, but it's setting the category to application management. So that's what we're doing over there. So this is one type, but it's a huge type of application, and it's, hey, these enterprise applications, and the ones we're really making available to the users in our
environment, and there's just a huge, massive number of those. But then there are other types. Remember maybe we already had applications on premises, so if we go to this other side here, maybe today I have some apps, I have kind of app one, maybe I have app two, they might be in different data centers. Actually what I'd like to do is, as the user, well, I don't want them to have to sit in my network anymore, but it is a web-based application, it's using HTTP, HTTPS. What if they could go via Azure AD? Azure AD could act not only as maybe the authentication, I could pre-authenticate them with Azure AD, but Azure AD actually makes them available, acts as kind of that reverse proxy service that things could actually go and talk to. So what we have is this idea of this Azure AD App Proxy. So we have the App Proxy cloud service, and obviously that's running out there in the cloud, then obviously there's Azure AD, and what we're going to do is, we think about this Azure AD App Proxy, well, Azure AD has to be able to talk to the application to reverse proxy it, but I don't want to open up ports from the cloud to my on-premises environment. So what we deploy is, on premises, some agents; I can deploy multiple ones for scale purposes. So we have this App Proxy agent, and obviously I can put these into an app proxy... so these are App Proxy connectors, so I can put them in an App Proxy connector group, and I'd probably create groups based on locations, or maybe I want different App Proxy connectors for certain applications, I want some dedicated to this really important application. But these have to have line of sight to the servers that actually host the application. These then establish an outbound connection over, really, 443, but I think it needs 80 as well, to the App Proxy, so the connection is that way. And then I create in Azure AD, hey, I create app one for example, I'd create app two as well, and I would say, hey, this application, well, I want to pre-authenticate with Azure AD, and this is the URL, hey,
here's the cert you're going to use for people coming in, and then this is the connector group. This is how you actually can then redirect the traffic, so the user will come in and talk here, authenticate, and if the authentication passes, which means straight away I'm not even talking to the servers yet, if someone's trying to do a DDoS or some other type of attack, if I'm pre-authenticating, Azure AD is going to stop that. If I don't pre-authenticate, just do pass-through, then it's really just acting as a reverse proxy. But now, hey, then it'll go and talk and then send the responses back; I'm not opening up anything out to the internet, it connects to the service, and then through that essentially tunnel I can get those capabilities. And one of the other nice things is these apps don't even have to speak cloud; they don't have to understand Azure AD at all, they could just use AD and Kerberos, and what will happen is these App Proxy connectors, well, the connector can talk to your domain controllers, I can use Kerberos constrained delegation, it can then go and get a token as the user from my domain controllers, talk to the app as if it's me, but I did the pre-authentication up here against Azure Active Directory. This can even work with things like Remote Desktop Gateway, which goes over 443. So if we looked at this really quickly, so it's just another type of application I'm adding to my Azure AD, so if I go to my enterprise applications and do new application, what I want to do now is create my own; I want to configure application proxy for secure access, so I could just say, hey, I don't have one to use, when I say proxy one. And then what I would do is, notice the things it's asking me for: I have an internal URL and then I have an external URL. So internal URL is what it's going to go and actually talk to from the App Proxy connectors; how do I want to make it available, and I can use all the different custom names I have added to my Azure AD; do I want pre-authentication or not; which connector group am I
going to use; and then I have things about, well, secure cookies, persistent cookie, application timeouts, translate URLs, all of those good things. But this is basically giving me the ability to make those on-premises applications available out to the internet without actually having to open up to the internet. So that's taking my on-prem with Azure AD App Proxy. Then the other thing I'm going to want to do is, I am just writing an application, some line-of-business app for my company, or maybe I want to make it available to other people; I actually want to do app registrations. So it's going badly, the board starts to get upset when you do two, they're too big, I forget; refresh it again in a second. So I can do an app registration. Every app in Azure AD has some globally unique app registration somewhere. When I add those enterprise applications, in the home tenant of that vendor they have an app registration, so that's globally unique, it's just in their tenant. So when I do an app registration in my Azure AD it creates the app object, so this is globally unique, and then what also happens is then in my tenant I get a service principal that is the representation of that app, so I get that. Now if my application was multi-tenant and another Azure AD tenant used my app, well, they would create a service prin... they would get a service principal created that points back to that app object in my tenant. If you watch my managed identity deep dive video, I actually in the first 10 minutes go through this; I show an app object and the service principal and how it relates to that, so if you're super interested I go through all of that. But the key point here is I can create an app registration against my tenant. I showed earlier that option for giving users the ability to do app registrations, and then this service principal, I can add things like a secret, i.e. a password, or a certificate, so that enables some service or daemon to run as that service principal, authenticate as itself, and then I can give
this various permissions if I want to, to then actually be able to go and leverage that. I'll just write 'other' and then 'me', so I can create that registration. So again, if I jump over, so notice I can do create my own application and I can say, hey, register an app to integrate with Azure AD, so an app you're developing, so I've got that option. Now do note, I didn't really go over it, but integrate any other app you don't find in the gallery: so even if I don't find the app in the gallery, that doesn't mean I can't add it to Azure AD; I can go through and add it via SAML or whatever means, I can still add other applications if I needed to do that. So when you register an application, or I can just go to Azure AD and do app registrations, now when I do an app registration, hey, I'll give it a name, but then notice I can configure is this only for my tenant, or is it multi-tenant, or is it multi-tenant and personal Microsoft accounts, or is it only for personal Microsoft accounts. So I have all these different choices now about how I want people to authenticate and use my application. And I have a redirect URI, so remember the redirect URI is going to be, well, after they go and create the token, this is where the client is going to be redirected to; this is where security tokens can be sent after authentication. So I configure these options, and then once I do the registration, once I have an application, well, then if I needed to I could go in and add certificates or client secrets so the app can authenticate as itself. Now a really big deal about these is permissions. Now this is a service principal, I get a service principal that represents this application; I could give this application, its service principal, access to my Azure resources, so now I could go and access certain resource groups, certain subscriptions. I can also give it certain API permissions, so you'll notice for example with this service principal, firstly you can see here certain administrative users over this application, but I could give it
directly API permissions. Now when I give permissions there's two types. If I select Microsoft Graph there are application permissions: application permissions are permissions that the application has itself, it's acting as itself, so that service principal is going to have these permissions. Then there's delegated permissions: this is where the application is acting on behalf of the user that's using the application. This is where the user would get that consent pop-up to say, hey, the application wants to be able to read your user profile or access your pictures or look at your calendar, and they would say yes, I want to allow that. So those are the delegated permissions; that's when the app is acting on behalf of the user using the app. App permissions are when it's acting on its own behalf; they're its own permissions. If I'm adding application permissions directly, well then once I grant those, hey, as an admin I would go and grant consent to those app permissions for the application, so it would run those under its own service principal. If I gave it a delegated permission that was broader than a user could consent to, that's where I had that option earlier where a user could request for their admin to consent on behalf of the organization as well, so I might also have that admin consent for those purposes. So we have these different types of applications that I have against my Azure Active Directory: enterprise apps, it's some app that someone has created and I want to use it in my tenant, so I get a service principal that represents that app from another tenant; I can make my own apps from on-premises available via Azure AD App Proxy; and I can create my own line of business apps against Azure AD as an app registration and maybe even let other companies use them. So that's where we see those different types of permissions all come together. Okay, so lots of different things there; this is very complicated. I've got a whole video going over service principals and app registrations.
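The application-versus-delegated distinction above is visible in the token itself: app-only tokens carry their granted application permissions in the `roles` claim, delegated tokens carry the consented scopes in `scp`. The following is an added example, not code from the video; the token contents, app and user identifiers are constructed placeholders.

```python
"""Tell an app-only token from a delegated one by its permission claims.

Added example, not from the video: in Microsoft identity platform access
tokens, application permissions granted to the app registration appear in
the ``roles`` claim, while delegated permissions (the ones the user or an
admin consented to) appear in the space-separated ``scp`` claim. The tokens
below are constructed samples with no signature; a real token must be
signature-validated before any claim is trusted.
"""
import base64
import json
from dataclasses import dataclass


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass
class TokenPermissions:
    kind: str              # "application" (app acting as itself) or "delegated"
    permissions: list      # roles or scopes carried by the token
    caller_app_id: str     # appid claim: which app registration requested it


def inspect_token(token: str) -> TokenPermissions:
    """Parse the payload only and classify the permission model in use."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    app_id = claims.get("appid") or claims.get("azp", "")
    if "scp" in claims:
        # Delegated: the app acts on behalf of the signed-in user.
        return TokenPermissions("delegated", claims["scp"].split(), app_id)
    # App-only: the service principal acts as itself; permissions are app roles.
    return TokenPermissions("application", list(claims.get("roles", [])), app_id)


def make_sample_token(claims: dict) -> str:
    """Assemble header.payload. with an empty signature (constructed sample)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed claims: placeholder app/user identifiers, not a real tenant.
APP_ONLY_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "placeholder-app-registration-id",
    "idtyp": "app",
    "roles": ["User.Read.All", "Directory.Read.All"],
})
DELEGATED_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "placeholder-app-registration-id",
    "sub": "placeholder-user-object-id",
    "scp": "User.Read Calendars.Read",
})

if __name__ == "__main__":
    for token in (APP_ONLY_TOKEN, DELEGATED_TOKEN):
        print(inspect_token(token))
```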
It covers enterprise applications as well, and that would be useful if you're curious about how all of that stuff fits together. So let's think for a second about users. I have this idea of all of these different types of capabilities, and I have all these types of things for users and things they can do and all of this great stuff, but I want to, let's make sure I'm not running out, so let's go over here. Okay, so I can think about the idea that I'm a user. So I'm a user, and remember as a user lots of different things can happen to me. I can be given roles; when I think about roles, well, they could be Azure AD roles, they could be Azure roles. I can be added to groups, and remember if my group is that isAssignableToRole type, well then I can actually grant roles to groups. I might be assigned applications, I might be added to Microsoft 365 groups or Teams, I might be added to SharePoint Online sites, so all these different things can happen to me. And remember I can also get assigned things like licenses, which I can also be given by assigning licenses to groups, and once again also resource permissions I can be given, or that could be given to a group. So all these different things can happen to me, and over a period of time my role might change, what I need access to might change, and it can get really hard to track those things to make sure I don't end up with this huge amount of privileges that I just don't need anymore. So how can we help control that? So this is where the feature entitlement management comes in. Now entitlement management is a P2 feature, all of the things I'm about to talk about now. So remember identity protection was a P2 feature; we now talk about real enterprise governance and management, so all of these are P2 features. So with entitlement management, what I can do is, well, all of these things I just talked about, SharePoint Online access, Microsoft 365 groups, Teams, assigned applications, groups, I can put all of these things together into something called a package.
Now a package has attributes, there are certain rules around the package, there are policies built around the package. A policy can have things like who has to approve it; I can have a life cycle, so hey, you get this but then you're going to lose it after six months; and I can actually take packages and put them in a catalog so I can go and browse and see. And once again there's roles: I can have roles, so I can have different package owners, I can have catalog owners, I can have different roles to manage all of those things. And this is probably easier to go and see, so if we jump over, I'm in my, I actually got Identity Governance here in the menu, or just under regular Azure AD you will see Identity Governance. So in Identity Governance we have this idea of the access packages, and what I do is, I've created one already we just put in. If I edit, I've got it in this general catalog, it's not hidden, and there's a link I could give people so they could go and sign up for this thing. And the whole point of what this has is, well, there's resources I can grant this thing: groups and Teams and applications and SharePoint sites. So groups and Teams, hey, I can go and add other types of objects even if it's not part of that catalog, so I could give it a group, I could give it access to a certain team, I could add a certain application even if it's not part of the catalog, I could add SharePoint sites. So I can add different resources to the package, and then I can have policies. So a policy, I can define, well, who is allowed to ask for this. So request: I could say only for people in my directory, and are there any specific people; I could say users not in my directory, and then I could configure specific directories that were allowed to ask for this. So if I had some partner organizations, I could grant them the ability to go and request access to this entitlement package. I can have requestor information, they have to give certain information; there's a life cycle, hey, you get this assignment for one year; I can configure an
access review, so remember that option, I can have access reviews for this as well. So remember this whole ability to have this and have these different resource roles. Remember by having groups, well, groups remember can have licenses, they can give access to other resources, I can even have Azure AD roles assigned to groups, so this opens up a lot of really powerful things. And then the catalog is just really about grouping the various things together. I can create catalogs, and in the catalog I can add in resources, but I can also add in access packages, so I can make different things available to them. So this is really powerful in terms of thinking of, well, I want to think about a certain role or certain type of interaction. I don't want to individually grant these 20 things to this user who's coming in for six months to do a contract. I have entitlement management, I create the package of resources, roles associated with that package of functionality, they get it, it lasts for six months and then it expires. So entitlement management lets me pull all of those different things together. Now we saw that interesting option about the idea of, well, access review. So what's access review all about? Very often we have a challenge: people get a certain app assigned, they get a certain role assigned, they get added to a certain group. It's for a purpose, they're doing a certain function, but it gets forgotten about, so they just keep it forever, so they get this mounting set of permissions. Wouldn't it be great if periodically I could go and examine those? Maybe someone's going to get delegated to do that, maybe their manager checks it, maybe it's a self-check: hey, do you still need this thing? And if not, hey, you lose it. Maybe it's a one-off, maybe it's a recurring thing. So roles, groups, assigned applications, guess what I can do with these things: I can do an access review, and once again this is a P2 feature. And as part of the access review, exactly how I said, well, who is doing the access review? Is it me, is it
myself, is it a self review, is it my manager, is it some delegated person? And one of the things that's in preview at time of recording, I can actually do two and three phase access reviews, so I have that ability. And then there's, well, maybe there's this idea of actually a recurrence: every three months just make them confirm, hey, you still need this thing. (I can't even understand, there's any recurrence, it's losing too many stretches I'm trying to write.) And then I can have an action: hey, you don't need this anymore, it automatically removes you from the group or removes you from the role, removes you from that app assignment. And these are available, so when I think about this, hey, yeah, it's roles, but that could be Azure AD roles. So when I think about access reviews, this could be an AAD role, this could be an Azure role and a scope, hey, group membership, hey, assigned application, so all of those things are available to me. Now the way I use these differs depending on exactly which one of those I'm actually trying to do. If for example I'm thinking about the idea of a group or application, we're going to do that through Identity Governance. So I go to Identity Governance, we have the idea of access reviews, we have this whole section about it. So I'm going to go to my access reviews, and then here I can create a new access review. So my access review, hey, am I looking at Teams and groups, or applications? I'm picking one of those things. If it was a group, for example, I could say, hey, what particular group am I focusing on, or maybe if I do applications, what particular application; I'm just going to pick one. Am I focusing on guest users only or all users? And then what is the review, so how long is the review lasting, has it got a recurrence, when does it start, who is reviewing it? So here we have the idea: I could delegate it to particular people, I could make the user self review, or it's whoever is the manager as part of the object. And here's this, hey, multi-stage review, so my default is two but I can add up to 3.
But again, that's in preview; you're not likely to see that on the exam at this time until it goes GA. So we have these options about the access review, and then let's turn that off. So whatever I pick here, I'll do self because it's easier; I'm going to say name, start date, one time, and then you have all these different options. So also apply the results to the resource, so you could remove, for example, if I said I don't need it anymore; if they don't respond, remove access or approve access or take some recommendations. So there's the idea of recommendations of what it thinks it should do. I can give information to the reviewer like, hey, they're not signed in for 30 days; that might give me a good hint they're really not using this anymore, they don't need this, they're not an active account. And then I can have things like, hey, they have to do a justification, email notifications, etc. So those are the ideas around the Teams, groups, the applications, all of those different things available to me. And then I have the idea of, what about an Azure AD role or an Azure role? So that actually fires off through something called Privileged Identity Management. So here I'll go to PIM, which we're going to talk about in a second actually, but I'll start with Azure AD roles, and within Azure AD roles I would pick a certain one, for example. So I could say, hey, manage Azure AD roles, and then from here I have the idea of access reviews. So once again I could now go and create a new access review, give it a name, start date, frequency, duration, hey, what type, who are the reviewers, all of those same things again I'm configuring as part of this Azure AD, and I'd have to say which role I'm actually doing this for. Or I could think about, I don't know what that error is, or I could think about, actually, I want to do it for Azure roles, so I could do Azure resources, and then once again through my Azure resources I would select whatever resource I'm looking at, and then once again I can do access reviews from here. So the actual way I
interact varies depending on what is the target for the resource, but the whole point is this is just now giving me the ability to interact. And also remember we saw that option as part of our entitlement management, our packages, so also all of those things, and remember my entitlement management can also hook into those access reviews. So all these things is a great way to go and see exactly what is happening in the environment. There are audit reports available to go and see how people are responding, and just lots of great information. Okay, speaking of roles, and maybe even groups, because remember those isAssignableToRole groups can have roles assigned to them: we don't like the idea of just giving people roles, it's really risky from a security perspective. We like just in time: I get the role only when I actually need to do something with the role. So for these, well, guess what, here we have Privileged Identity Management, and guess what, it's a P2 feature. So this is really about the idea of different roles. Now these roles can be both Azure AD roles and Azure Resource Manager roles; it can manage both of those. For an ARM role I always select the role and the scope of the role: hey, is this at a subscription, resource group, particular resource? For Azure AD I can pick a scope, i.e. an administrative unit, if the role is applicable to administrative units; remember not every role works with administrative units, so if it does, hey, they're going to let me see that option available. And obviously groups, if that group has the, I think it is assignable to role, isAssignableToRole, it's when you check that option when I create the group to say, hey, allow it to have Azure AD roles, then I can manage group memberships as well. And what this is going to basically let me do is I can either make someone eligible for the role or the group membership, which means they don't have it by default, and this is JIT: if I say eligible, it's just in time, they don't have it by default, they can elevate up and get that
role when they need it. So this is what we like, the eligible idea. And then I could say, maybe, hey, look, you have to do an MFA to do the elevation, so I have to elevate up and I get it for some time period: an hour, two hours, three hours. I might have to put a justification, maybe do a service ticket reference, whatever those things are. Or I can do active; active is it's just there. Now there's still benefits to using PIM even for active, because just like this I still have a certain life cycle management, i.e. hey, you're getting this but you're getting it for n months, for example, so I'm limiting. It's not like I'm going to give it to you and forget, which is a regular assignment; this is, hey, I'm giving it to you but I'm going to issue it for three months, so even if I don't remember to do an access review or go back and check, you don't have it forever, you have it for that configured amount of time. So if we go and look at PIM, which we're already in here, I'm already in PIM because we jumped over to look at the access review function. So remember we have these three options: Azure AD roles, Azure resources, and then those privileged access groups, which is in preview right now, because hey, I can grant roles to groups. So if I start with Azure AD roles, well, there's settings I can configure for the various different roles, what are my requirements as part of them, and there's huge numbers of roles in here. So if I search for global admin, it's telling me, hey, look, I have options around sort of maximum durations, require justification on activation, hey, on activation require MFA, and that's kind of set to yes, it's obviously a big one for that, but you can change it. You can do edit, I can change those things, require justification, and then we have the idea of assignments: do I allow a permanent eligible, i.e. elevation up; do I allow permanent active, i.e. you're assigned it and it's just there, I don't have to do an elevation; or maybe I don't, you can only have an active assignment for six months. I can have notifications sent
when people get the role, when they're assigned, when they activate up to that role. So all these different settings per role on those. And then what I'm going to do is I'm going to assign it. So when I do an assignment I select the role. Now remember this is Azure AD, so if I select something like Helpdesk Administrator, notice the scope is now a choice, because Helpdesk Administrator I can apply at an administrative unit as well, so it's giving me that choice. If I picked a role that was not assignable at administrative unit level, and actually, off the top of my head, let's try the Application Administrator, that is as well, let's try that one. Right, that one doesn't give me the option; that's only assignable at the directory level. But the whole point here is, hey, I select a role, I select who I'm giving it to, and then I'm going to say am I making it eligible, so you have to elevate up, or am I making it active. So if it's eligible I could say, hey, they're only eligible to use it for this period of time. Maybe I'm going to make it eligible for a week, so they're saying that's too long; actually it's added a year already, so I've just added a week to the year, sorry, so it was doing it for one year already. So a year is the maximum time I'm allowed to make it eligible, so they can go and activate up for a one year period, and it would be for the duration of whatever was configured, maybe it's three hours or something. Or active, hey, active can be six months, was the default I think I had there. So then a justification: why am I making it active, why they need this role. So I have those options when I assign it to them. And then as the user, well, I would go into PIM, I can see my eligible roles and I would say activate. So for my case I can do Teams admin; I would activate up, and notice my maximum duration is one hour, I have to put a reason in, I could set an activation time in the future, and then I would get that role. Likewise I can do it for groups, so my PIM cloud group is role assignable, so I can add users who can
add themselves into that group; they can make themselves into the group for an hour or two hours, whatever. And Azure resources, so here now, actually before I do that, so this would be resources, a role given at a subscription level, or I could change the resource type to any of these. So maybe instead I want to assign a role to an Azure management group or resource group or resource, so I would select the options based on the level I wanted to grant the role at. So I'm going to discover all these things, because maybe I want to grant the role to this resource group, so then I would say okay, I want to add an assignment of this role at the resource group level. So that's the difference from an Azure perspective; then everything else is the same. Hey, is it active, is it, let's just pick one, doesn't matter, doesn't matter, is it eligible or active, exactly the same again, and all those timing options. I have all the same setting options available for durations and, hey, do I want MFA and all of that good stuff. And there's just a lot of roles in Azure, so it's going to take a while to enumerate all of those various details, but I have those same options available to me and I can leverage that. So that's really the key point about all of these different things. And then we can see them, I could pick one of them, oops, weird, again it's Sunday, I think the things are tired, there we go. I can edit all of those same options again for, hey, activation options, do I want MFA, assignment options, okay, do I allow permanent eligible, do I allow permanent active. I can control all of how I want to make these roles actually available to the things. So think of PIM is all about that just in time access, and we want to be doing that. I don't want, especially privileged roles, this is those break glass accounts, I should not have global admins walking around, I should need to PIM up. And the benefit then is, well, I'm not just walking around with those permissions after MFA all the time; I have to MFA up when I need to do something with
those permissions. It just helps give me that basic protection. So this is really thinking about this whole sum of functionality around my Azure Active Directory. I think about the types of accounts: hey, cloud accounts, external identities, synchronized accounts. I think about protecting all of this with conditional access. I'm integrating all of my apps: the enterprise apps, apps I'm writing, apps from on-premises. I want identity protection to help with the risk, which is a huge thing when we think about zero trust. We have things like Defender for Cloud Apps to act as that CASB solution that can integrate with conditional access to make them go through that to get access to the application. I have different authentication options; ideally we want to be using that cloud authentication, the password hash sync. It's the geo-scale option, it removes any requirements for on-premises things or federation or pass-through authentication. Again, historically federation was useful if we use certificate-based authentication, but that's now coming in Azure AD as well, so really try and get this password hash sync; ideally we want to be passwordless, that's the best all-up option. And then all these different ways to think about controlling the roles, the groups, the assigned applications, maybe team sites, Microsoft 365, SharePoint Online: entitlement management, access reviews, PIM for the just in time. Now there is also the idea of just monitoring and maintaining the Azure AD. There's lots and lots of different logs available for AAD, so we saw some of them earlier on. If I go to my Azure Active Directory we see sign-in logs, audit logs, provisioning logs; there's also things around risk, so there's identity protection logs as well. If I just go and look at one of them, for example, so just look at audit logs, there's actually export data settings, so I can send all of these different types of logs to other places: a Log Analytics workspace for long term, maybe analysis, up to a couple of years; there's even a longer
term retention for cheaper; a storage account for super cheap, just keeping it; sending it to Event Hub to, like, a third-party SIEM solution. And then I can set all the types of log I want to send: hey, risky users, user risk events, AD FS sign-in logs, service principal risk events, audit logs, so all of these things are available to me. I can filter all of these different types of reports; you'll see for all of them I always have this ability to add filters, user agent, status; it's going to vary depending on exactly what I'm looking at. If I'm using Azure Sentinel, it's actually going to be pulling those logs, and you saw me, I had an export to Azure Sentinel. If we quickly looked at Sentinel, Sentinel was a Microsoft SIEM/SOAR solution, so that ability to go and see everything going on from all these different signals, and Azure AD, the identity, is a huge part of that, and it helps bring all those signals together with machine learning and intelligence and alert me if there's incidents, if there's things happening. When I have Azure AD connected, well then it opens up certain types of hunting I can do. So I could go and do different types of hunting, which is basically running queries, so "rare audit activity initiated by an application"; it shows me the query it's going to use to actually go and find information about this. It's looking at different types of things happening against my various environment; you can see all these different types of queries I can run. Some of them are using Azure AD, some of them using other types of connector: Azure AD account lockout, now I can find information about accounts that have been locked out. But it really brings together all of these signals into this one place I can use to actually go and hunt and react and even automate responses. Another really powerful thing in Azure AD is the workbooks, so there's a huge number of workbooks I can use to get insight. Sign-ins, for example, is a nice little workbook that gives me a graphical view.
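The "rare audit activity initiated by an application" hunt mentioned above works by comparing what an app did recently against how often it did the same thing before. The following is an added example, not from the video and not Microsoft's own Sentinel hunting query: a simplified Python version run over constructed Azure AD directoryAudit-style records, with placeholder app and user names.

```python
"""Flag rare audit activities initiated by an application.

Added example, not from the video and not Microsoft's Sentinel query: a
simplified version of the "rare audit activity initiated by an application"
hunting idea. Each (app, operation) pair seen in the recent window is
compared against how often it appeared in a longer baseline window; pairs
that are new or nearly unseen in the baseline are reported.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def _rec(ts, activity, app=None, user=None):
    """Build one constructed audit record in the Graph directoryAudit shape."""
    return json.dumps({
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {
            "app": {"displayName": app} if app else None,
            "user": {"userPrincipalName": user} if user else None,
        },
    })


# Constructed sample log lines (no real tenant, app or user identifiers).
SAMPLE_AUDIT_LINES = [
    _rec("2022-03-09T08:00:00Z", "Update user", app="HR Sync Service"),
    _rec("2022-03-12T08:00:00Z", "Update user", app="HR Sync Service"),
    _rec("2022-03-15T08:00:00Z", "Update user", app="HR Sync Service"),
    _rec("2022-03-18T08:00:00Z", "Update user", app="HR Sync Service"),
    _rec("2022-03-21T20:00:00Z", "Update user", app="HR Sync Service"),
    _rec("2022-03-20T10:00:00Z", "Add member to role", user="admin@contoso.example"),
    _rec("2022-03-22T03:15:00Z", "Add member to role", app="Unknown Script App"),
    _rec("2022-03-22T03:16:00Z", "Add member to role", app="Unknown Script App"),
]

# Constructed "current time" for the windows below.
NOW = datetime(2022, 3, 22, 12, 0, tzinfo=timezone.utc)


def parse_audit_line(line):
    """Return (time, app, operation) for app-initiated records, else None."""
    record = json.loads(line)
    app = (record.get("initiatedBy") or {}).get("app")
    if not app:
        return None  # user-initiated activity is outside this hunt's scope
    when = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
    return when, app.get("displayName", "<unknown app>"), record["activityDisplayName"]


def rare_app_activity(lines, now, baseline_days=14, lookback_days=1, max_baseline=0):
    """Return app/operation pairs seen in the lookback window but at most
    max_baseline times in the preceding baseline window."""
    recent_start = now - timedelta(days=lookback_days)
    baseline_start = now - timedelta(days=baseline_days)
    recent, baseline = Counter(), Counter()
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        when, app, operation = parsed
        if recent_start <= when <= now:
            recent[(app, operation)] += 1
        elif baseline_start <= when < recent_start:
            baseline[(app, operation)] += 1
    findings = []
    for key, count in sorted(recent.items()):
        if baseline[key] <= max_baseline:
            findings.append({"app": key[0], "operation": key[1],
                             "recent_count": count, "baseline_count": baseline[key]})
    return findings


if __name__ == "__main__":
    for finding in rare_app_activity(SAMPLE_AUDIT_LINES, NOW):
        print(finding)
```

On the sample data the routine-looking "HR Sync Service / Update user" pair is not reported because it has a baseline, while the never-before-seen role-membership change by "Unknown Script App" is.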
It shows the sign-ins in my environment: where they're coming from, devices they're coming from, who, so I can kind of see all these different things happening. I could see there were workbooks about legacy authentication if I want to go and see those. So just take some time to go and understand and go through those various things, because that's obviously a part of it, understanding how I can get information about my environment. So I think that was it. Are there things I wanted to cover? We obviously covered a lot, but take the time, go through the online training, go through the skills assessed, try these things out and see what the options are to configure them. Relax when you take the exam, don't stress out. Take note of how many questions you're going to have, take note of how much time you have. Don't freak out if you don't know the answer to something, but always try; don't leave anything blank, there's no negative points for trying. Eliminate the obvious wrong things, then give it your best shot. If you don't pass the first time, take note of where you are weaker and just redouble your efforts in that area, and you'll pass it next time. And there is a huge amount of work that goes into preparing these videos, so a like and subscribe is appreciated, but really, just good luck. I hope you do well, and I hope you found this useful, and until next video, take care.
Info
Channel: John Savill's Technical Training
Views: 174,556
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud
Id: LGpgqRVG65g
Length: 163min 29sec (9809 seconds)
Published: Tue Mar 22 2022