Last updated on February 14, 2024
Azure Active Directory Cheat Sheet
- An identity and access management service that helps you access internal and external resources.
- Azure AD licenses: Free, Premium P1, Premium P2 and Pay as you go
- Free – user and group management in your on-premises directory
- Premium P1 – allows access to both on-premises and cloud resources.
- Premium P2 – provides an additional feature called Azure AD Identity Protection.
- Pay as you go – offers a feature called Azure AD B2C.
Features
- You can use Azure AD Authentication for a self-service password reset, MFA, custom banned password list and smart lockout.
- Allows you to manage external identities using Azure AD B2B.
- Azure AD B2C is a business-to-customer identity as a service that allows you to control how your users sign up, sign in, and manage their profiles when using your applications.
- Azure AD B2C provides you control on how your users sign up, sign in, and manage their profiles when using your applications.
- You can manage access in your cloud apps with conditional access.
- With Azure AD Device Management, it allows you to manage and configure device identities.
- If you need to manage domain services such as domain join, group policy, and authentication, you can use Azure AD Domain Services.
- Identity Governance ensures that only authorized people have the right access to specific resources.
- Supports hybrid identity to access resources in the cloud or on-premises.
- Use Azure AD Connect to accomplish your hybrid identity goals:
- A sign-in method that uses password hash synchronization.
- Pass-through authentication allows users to use the same password on-premises and in the cloud.
- Enable federation integration to sign in to Azure AD-based services without having to enter their passwords again.
- Synchronization between your on-premises environment and Azure AD.
- Health Monitoring with Azure AD Connect Health.
Concepts
- Users
- You can create a new user in your organization or a guest user.
- By enabling Multi-Factor Authentication, you provide additional security by requiring the user a second form of authentication. The additional forms that can be used with Azure AD MFA are:Â
- Microsoft Authenticator app
- OATH hardware token
- SMS
- Voice call
- You can also perform the following bulk operations:Â
- Bulk create
- Bulk inviteÂ
- Bulk deleteÂ
- Bulk restore
- Download users
- Self-service password reset enables users to manage their passwords from any device, at any time, and from any location.
- In the device settings, you can change the maximum number of devices per user.
- You can assign licenses to multiple users or groups to allow them to use the licensed Azure AD services. Licenses are applied per tenant, and you can’t transfer them to other tenants.
- Groups
- A collection of users, devices, groups, and service principals.
- You can easily manage access to your resources by creating an Azure AD group.
- A user can belong to multiple groups.
- Groups do not have security credentials.
- Group Types:
- Security – it contains users, devices, groups, and service principals as its members. The users and service principals are the owners of this group.
- Microsoft 365 – it contains users as its members. Both the users and service principals can be owners of this group.
- Membership type:
- Assigned – manually add users to be members of the group.
- Dynamic user – automatically adds and removes members using the dynamic membership rules.
- Dynamic device – automatically adds and removes members using the dynamic group rules.
- With external identities, you can allow users outside your organization to sign in using an external identity provider like Facebook and Google.
- Administrative roles can be used to grant access to Azure AD and other Microsoft services. There are two types of role definitions:
- Built-in roles – it has a fixed set of permissions.
- Custom roles – you can select permissions from a preset list. To create a custom role, you need to have an Azure AD Premium P1 or P2 plans.
- An Azure AD resource that can be a container for other Azure AD resources is called an administrative unit. It can only contain users and groups.
- Devices
- Azure AD registered
- The devices registered are personally owned devices (bring your own device or mobile device). These devices are signed in with a personal Microsoft account.
- The supported operating systems are Windows 10, macOS, iOS, and Android.
- A Mobile Device Management (MDM) helps you enforce configurations like storage must be encrypted, password complexity, and up-to-date security software.
- Key capabilities:
- Single sign-on (SSO) to cloud resources.
- Conditional access when enrolled in Microsoft Intune or via App protection policy.
- Enables phone sign-in with the Microsoft Authenticator app.
- Azure AD joined
- The devices and accounts are owned by an organization. It only exists in the cloud.
- The supported operating systems are Windows 10 devices (except Windows 10 Home) and Windows Server 2019 Virtual Machines running in Azure.
- Azure AD join is primarily used for organizations that do not have an on-premises Windows Server AD infrastructure.
- Key capabilities:
- SSO to both cloud and on-premises resources.
- Conditional access through MDM enrollment and MDM compliance evaluation.
- Self-service password reset and Windows Hello PIN reset on the lock screen.
- Enterprise State Roaming across devices.
- Hybrid Azure AD joined
- The devices and Active Directory Domain Services account are owned by an organization. It exists both in the cloud and on-premises resources.
- The supported operating systems are Windows 7, 8.1, 10, Windows Server 2008/R2, 2012/R2, 2016, and 2019.
- You can implement hybrid joined devices if you have an existing on-premises AD footprint and you want to benefit from the capabilities provided by Azure AD.
- Key capabilities:
- SSO to both cloud and on-premises resources.
- Conditional access through Domain join or through Microsoft Intune if co-managed.
- Self-service password reset and Windows Hello PIN reset on the lock screen.
- Enterprise State Roaming across devices.
- Azure AD registered
- If you register your application to use Azure AD, the users in your organization can do the following:
- Get an identity for their application that is recognized by Azure AD.
- Get secrets/keys that the application will use for authentication.
- Create a custom name and logo for your application.
- Apply Azure AD authorization (RBAC and oAuth)
- Declare the necessary permissions for the application.
- With application proxy, you can provide SSO and remote access for web apps hosted on-premises.
Monitoring
- Monitor the security and usage patterns of your environment with Azure AD reports and monitoring.
- With Azure AD Connect Health, you can view alerts, monitor performance and check usage analytics of your on-premises Active Directory and Azure AD.
Azure Active Directory Security
- Detect potential vulnerabilities and resolve suspicious actions with identity protection.
- Azure AD PIM helps you control the access within your organization.
- You can use security defaults to enable MFA in your organization.
- Enabling security defaults protects you from common identity-related attacks.
- You use block legacy authentication if a user is using a legacy application.
- Identity secure score helps you verify your configurations if it’s aligned with Microsoft’s best practice for security.
- You can lockout intruders that try to guess your users’ passwords or use brute-force methods in Azure AD using smart lockout.
- Manage, control, and monitor access to significant resources in your organization with Privileged Identity Management (PIM).
Authentication Fundamentals: The Basics
Learn more about Azure Active Directory in this playlist from the Microsoft Azure YouTube channel:
https://www.youtube.com/watch?v=AO-uTWSmU_E&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0
Validate Your Knowledge
Question 1
Question Type: Single choice
You are managing an Azure AD tenant that has 500 user accounts.
You created a new user account named AppAdmin
.
You must assign the role of Application Administrator to the AppAdmin
 user account.
What should you do in the Azure Active Directory settings to accomplish this requirement?
- Select the user profile and add the role assignments.
- Select the user profile and add the user to the admin group.
- Select the user profile and assign it to an administrative unit.
- Select the user profile and enable the My Staff feature.
For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:
Azure Active Directory Cheat Sheet References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://azure.microsoft.com/en-us/services/active-directory/