
Microsoft Entra ID

Last updated on July 18, 2024

Microsoft Entra ID Cheat Sheet

  • An identity and access management (IAM) service that lets your users sign in to and access both external resources (Microsoft 365, the Azure portal, SaaS applications) and internal resources (apps on your corporate network and cloud apps your organization builds).
  • Microsoft Entra ID licenses: Free, Premium P1, Premium P2, and pay as you go
    • Microsoft Entra ID Free – cloud user and group management, synchronization with an on-premises directory, basic reports, and single sign-on across Azure, Microsoft 365, and many SaaS applications.
    • Microsoft Entra ID P1 – adds hybrid identity features (Microsoft Entra Connect Health, self-service password reset with on-premises writeback, Application Proxy) and access controls such as Conditional Access, dynamic groups, and custom roles for both cloud and on-premises resources.
    • Microsoft Entra ID P2 – everything in P1 plus Microsoft Entra ID Protection (risk-based Conditional Access) and Privileged Identity Management (PIM).
    • Pay as you go – Azure AD B2C, a business-to-customer identity service that is billed per monthly active user.

Features

  • Microsoft Entra authentication provides self-service password reset (SSPR), multifactor authentication (MFA), Password Protection (a global banned password list plus a custom banned password list), and smart lockout.
  • Lets you collaborate with external identities using Microsoft Entra B2B (Azure AD B2B), which invites guest users into your tenant.
  • Azure AD B2C is a business-to-customer identity as a service that gives you control over how your customers sign up, sign in, and manage their profiles when using your applications.
  • Conditional Access lets you manage access to your cloud apps by evaluating signals (user, location, device state, client app, sign-in risk) and then granting the sign-in, requiring MFA, or blocking it.
  • Microsoft Entra device management lets you manage and configure device identities.
  • If you need managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication without deploying domain controllers, use Microsoft Entra Domain Services.
  • Microsoft Entra ID Governance ensures that only authorized people have the right access to specific resources, for only as long as they need it.
  • Supports hybrid identity so that one user identity can access resources in the cloud or on-premises.
  • Use Microsoft Entra Connect to accomplish your hybrid identity goals:
    • Password hash synchronization (PHS) – a hash of each user's on-premises password hash is synchronized to the cloud, so Microsoft Entra ID validates sign-ins itself; it is the recommended baseline and keeps working if the on-premises environment is unavailable.
    • Pass-through authentication (PTA) – users sign in with the same on-premises password, but the password is validated against on-premises Active Directory by a lightweight agent, so no password hashes leave your network.
    • Federation – sign-in is delegated to an on-premises federation service such as AD FS; users already authenticated on-premises reach Microsoft Entra-based services without entering their passwords again.
    • Synchronization of users, groups, and other objects between your on-premises environment and Microsoft Entra ID.
    • Health monitoring with Microsoft Entra Connect Health.

Concepts

  • Users
    • You can create a new user in your organization or a guest user.
    • Enabling multifactor authentication (MFA) adds security by requiring a second form of authentication from the user. Methods that can be used with Microsoft Entra MFA include:
      • Microsoft Authenticator app (push notification or passwordless phone sign-in)
      • FIDO2 security keys and Windows Hello for Business (phishing-resistant)
      • OATH hardware and software tokens
      • SMS
      • Voice call (SMS and voice are the weakest options and the first to migrate away from)
    • You can also perform the following bulk operations: 
      • Bulk create
      • Bulk invite 
      • Bulk delete 
      • Bulk restore
      • Download users
    • Self-service password reset enables users to manage their passwords from any device, at any time, and from any location.
    • In the device settings, you can change the maximum number of devices per user.
    • You can assign licenses to multiple users or groups to allow them to use the licensed Microsoft Entra services. Licenses are applied per tenant, and you can’t transfer them to other tenants.
  • Groups
    • A collection of users, devices, other groups, and service principals.
    • You can easily manage access to your resources by assigning roles, licenses, and app access to Microsoft Entra groups instead of to individual users.
    • A user can belong to multiple groups.
    • Groups do not have security credentials; you cannot sign in as a group.
    • Group types:
      • Security – members can be users, devices, other groups, and service principals. Owners can be users and service principals.
      • Microsoft 365 – members are users (the group also gets a shared mailbox, calendar, and SharePoint site). Owners can be users and service principals.
    • Membership types:
      • Assigned – you manually add and remove members.
      • Dynamic user – members are added and removed automatically based on a dynamic membership rule over user attributes (for example, user.department -eq "Sales"); requires Microsoft Entra ID P1.
      • Dynamic device – members are added and removed automatically based on a rule over device attributes.
  • With external identities, you can allow users outside your organization to sign in using an external identity provider like Facebook and Google.
  • Administrative roles can be used to grant access to Microsoft Entra and other Microsoft services. There are two types of role definitions:
    • Built-in roles – it has a fixed set of permissions.
    • Custom roles – you can select permissions from a preset list. To create a custom role, you need to have a Microsoft Entra ID P1 or P2 plans.
  • An administrative unit is a Microsoft Entra container that scopes an administrator's role (for example, User Administrator) to a subset of the directory. It can contain users, groups, and devices.
  • Devices
    • Microsoft Entra registered
      • Typically personally owned devices (bring your own device or mobile devices). The user signs in to the device with a local account or a personal Microsoft account and then registers the device with a work or school account.
      • The supported operating systems are Windows 10 or newer, macOS, iOS, and Android.
      • Mobile Device Management (MDM) such as Microsoft Intune helps you enforce configurations like required storage encryption, password complexity, and up-to-date security software.
      • Key capabilities:
        • Single sign-on (SSO) to cloud resources.
        • Conditional Access when enrolled in Microsoft Intune or via an app protection policy.
        • Enables phone sign-in with the Microsoft Authenticator app.
    • Microsoft Entra joined
      • The devices and the accounts used to sign in are owned by an organization. The device identity exists only in the cloud (Microsoft Entra ID), not in on-premises Active Directory.
      • The supported operating systems are Windows 10 or newer (except Home editions) and Windows Server 2019 or newer virtual machines running in Azure.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through MDM enrollment and MDM compliance evaluation.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
    • Microsoft Entra hybrid joined devices
      • The devices and the Active Directory Domain Services accounts are owned by an organization. The device identity exists both in on-premises AD DS and in Microsoft Entra ID.
      • The supported operating systems are Windows 10 or newer and Windows Server 2016 or newer; older versions (Windows 7, 8.1, Windows Server 2008 R2, 2012, and 2012 R2) were supported only as down-level devices with reduced capabilities and have reached end of support.
      • Use hybrid join if you have an existing on-premises AD footprint and want to benefit from the capabilities provided by Microsoft Entra ID.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through Domain join or through Microsoft Intune if co-managed.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
  • When you register an application with Microsoft Entra ID, you and the users in your organization can:
    • Get an identity (application ID and service principal) for the application that Microsoft Entra ID recognizes.
    • Get client secrets or certificate credentials that the application uses to authenticate; prefer certificates or managed identities over secrets, and rotate any secrets you do issue.
    • Set a custom name and logo for the application.
    • Apply Microsoft Entra authorization (RBAC app roles and OAuth 2.0 scopes).
    • Declare the permissions the application needs (delegated or application permissions) so that users or admins can consent to them.
  • With Application Proxy, you can provide SSO and secure remote access to web apps hosted on-premises without opening inbound firewall ports.
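The dynamic membership rule syntax (user.department -eq "Sales" and so on) is what decides who lands in a dynamic group, so it is worth testing a rule against a set of user objects before it goes live and silently grants access. The Python below is an added example, not Microsoft's implementation: a small parser and evaluator for a subset of the rule language (-eq, -ne, -in, -notIn, -contains, -startsWith, and/or, parentheses), with case-insensitive string comparison and the assumption that a null attribute behaves like an empty string for -contains and -startsWith. The SAMPLE_USERS objects are constructed; their attribute names follow the Microsoft Graph user resource.

```python
# Evaluator for a subset of the Microsoft Entra dynamic membership rule syntax (added example;
# the directory objects below are constructed sample data, not records from a real tenant).
import re

_TOKEN = re.compile(r'''\s*(?:
    (?P<punct>[()\[\],])
  | (?P<string>"(?:[^"\\]|\\.)*")
  | (?P<op>-(?:eq|ne|in|notIn|contains|startsWith)\b)
  | (?P<kw>\b(?:and|or|true|false|null)\b)
  | (?P<prop>\b(?:user|device)\.[A-Za-z0-9_]+))''', re.VERBOSE | re.IGNORECASE)

def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {rule[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

class Parser:
    # expr := term ("or" term)* ; term := factor ("and" factor)* ; factor := "(" expr ")" | prop op value
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def at(self, kind, text=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else (None, "")
        return tok[0] == kind and (text is None or tok[1].lower() == text)

    def take(self, kind, text=None):
        if not self.at(kind, text):
            raise ValueError(f"expected {text or kind} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1][1]

    def expr(self):
        return self.chain("or", lambda: self.chain("and", self.factor))

    def chain(self, word, sub):                       # left-associative and/or chains
        node = sub()
        while self.at("kw", word):
            self.take("kw")
            node = (word, node, sub())
        return node

    def factor(self):
        if self.at("punct", "("):
            self.take("punct")
            node = self.expr()
            self.take("punct", ")")
            return node
        prop, op = self.take("prop"), self.take("op")[1:].lower()
        return ("cmp", prop, op, self.value())

    def value(self):
        if self.at("string"):
            return self.take("string")[1:-1]
        if self.at("kw"):
            return {"true": True, "false": False, "null": None}[self.take("kw").lower()]
        self.take("punct", "[")                       # list literal for -in / -notIn
        items = [self.take("string")[1:-1]]
        while self.at("punct", ","):
            self.take("punct")
            items.append(self.take("string")[1:-1])
        self.take("punct", "]")
        return items

def _norm(v): return v.lower() if isinstance(v, str) else v    # string compares are case-insensitive
def _text(v): return v if isinstance(v, str) else ""           # assumption: a null attribute acts like ""

_OPS = {
    "eq": lambda a, e: a == e, "ne": lambda a, e: a != e,
    "in": lambda a, e: a in e, "notin": lambda a, e: a not in e,
    "contains": lambda a, e: e in _text(a), "startswith": lambda a, e: _text(a).startswith(e),
}

def evaluate(node, obj):
    kind = node[0]
    if kind in ("and", "or"):
        left, right = evaluate(node[1], obj), evaluate(node[2], obj)
        return (left and right) if kind == "and" else (left or right)
    _, prop, op, expected = node
    scope, attr = prop.lower().split(".", 1)              # e.g. "user", "department"
    actual = next((v for k, v in obj.get(scope, {}).items() if k.lower() == attr), None)
    expected = [_norm(e) for e in expected] if isinstance(expected, list) else _norm(expected)
    return _OPS[op](_norm(actual), expected)

def members(rule, objects):
    """userPrincipalName of every object the rule selects, in input order."""
    parser = Parser(tokenize(rule))
    tree = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("unexpected trailing tokens")
    return [o["user"]["userPrincipalName"] for o in objects if evaluate(tree, o)]

SAMPLE_USERS = [  # constructed sample objects
    {"user": {"userPrincipalName": "alice@contoso.example", "department": "Sales", "accountEnabled": True, "country": "US"}},
    {"user": {"userPrincipalName": "bob@contoso.example", "department": "Engineering", "accountEnabled": True, "country": "DE"}},
    {"user": {"userPrincipalName": "carol@contoso.example", "department": "Sales", "accountEnabled": False, "country": "US"}},
    {"user": {"userPrincipalName": "dave@contoso.example", "department": None, "accountEnabled": True, "userType": "Guest"}}]
```

Running members('user.department -notIn ["Engineering"]', SAMPLE_USERS) returns alice, carol, and dave: a negated operator also selects users whose attribute is null (here the guest), which is exactly the kind of over-broad membership that a rule review should catch before the group is used to grant app access or a role.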

Monitoring

  • Monitor the security and usage patterns of your environment with Microsoft Entra reports (sign-in logs, audit logs, provisioning logs) and monitoring, and forward them to a SIEM or Log Analytics for retention and alerting.
  • With Microsoft Entra Connect Health, you can view alerts, monitor performance, and check usage analytics for your on-premises identity infrastructure (AD DS, AD FS, and the Microsoft Entra Connect sync service).

Microsoft Entra Directory Security

  • Detect potential vulnerabilities affecting your identities and remediate suspicious sign-ins with Microsoft Entra ID Protection (risk detections such as leaked credentials, anonymous IP addresses, and atypical travel).
  • Microsoft Entra Privileged Identity Management (PIM) helps you manage, control, and monitor access to important resources by making privileged role assignments just-in-time and time-bound, with approval and an audit trail for each activation.
  • Security defaults are a one-click baseline that requires every user to register for MFA, enforces MFA for administrators, and blocks legacy authentication; enable them if you are not using Conditional Access, since they protect you from common identity-related attacks such as password spray.
  • Block legacy authentication (protocols such as POP3, IMAP4, SMTP, and Exchange ActiveSync that cannot perform MFA) with a Conditional Access policy; if a user still needs a legacy application, scope an exception narrowly rather than leaving the protocols open tenant-wide.
  • Identity Secure Score shows how closely your configuration aligns with Microsoft's security best practices and recommends improvement actions.
  • Smart lockout locks out intruders who try to guess your users' passwords or use brute-force methods while letting the familiar, legitimate user keep signing in; the default threshold is 10 failed attempts followed by a one-minute lockout that grows on repeated failures.
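Blocking legacy authentication only helps if you can see who is still using it and whether the policy meant to block it is actually enforced. The Python below is an added example, not Microsoft tooling: it triages constructed sign-in log entries shaped like the Microsoft Graph signIn resource (clientAppUsed, status.errorCode) for successful legacy-protocol sign-ins, Conditional Access blocks, and smart lockout events, and checks whether a Conditional Access policy definition (the Graph conditionalAccessPolicy shape) would block legacy clients, catching the common report-only state. The legacy protocol names follow Microsoft's documented list; the users, IP addresses, and policies are sample data.

```python
# Triage of Microsoft Entra sign-in log entries for legacy authentication and smart lockout
# events, plus a check of a Conditional Access policy definition. Added example: the log
# lines and policies below are constructed sample data shaped like the Microsoft Graph
# signIn and conditionalAccessPolicy resources, not exports from a real tenant.
import json
from collections import Counter

# clientAppUsed values that Microsoft lists as legacy authentication protocols; modern
# authentication shows up as "Browser" or "Mobile Apps and Desktop clients".
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3", "Reporting Web Services",
    "Universal Outlook", "Other clients",
}
SUCCESS = 0
LOCKED_OUT = 50053        # AADSTS50053: account locked by smart lockout
BLOCKED_BY_CA = 53003     # AADSTS53003: blocked by a Conditional Access policy

SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2024-07-18T08:01:12Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2024-07-18T08:02:40Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2024-07-18T08:02:55Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2024-07-18T08:05:03Z", "userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.22", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 53003, "failureReason": "Access has been blocked by Conditional Access policies."}}
{"createdDateTime": "2024-07-18T08:07:19Z", "userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.9", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50053, "failureReason": "Account is locked because the user tried to sign in too many times with an incorrect user ID or password."}}
{"createdDateTime": "2024-07-18T08:09:00Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
"""

def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events):
    """Split events into the findings an analyst acts on first."""
    report = {"legacy_success": [], "legacy_blocked": [], "locked_out": [], "legacy_by_user": Counter()}
    for e in events:
        who, app = e.get("userPrincipalName", "?"), e.get("clientAppUsed", "")
        code, ip = e.get("status", {}).get("errorCode"), e.get("ipAddress")
        if code == LOCKED_OUT:
            report["locked_out"].append((who, ip))
        if app in LEGACY_CLIENT_APPS:
            report["legacy_by_user"][who] += 1
            if code == SUCCESS:                      # MFA cannot have been enforced here
                report["legacy_success"].append((who, app, ip))
            elif code == BLOCKED_BY_CA:
                report["legacy_blocked"].append((who, app, ip))
    return report

def policy_blocks_legacy(policy):
    """True only when an enabled policy blocks both legacy client app types for all users."""
    cond = policy.get("conditions", {})
    client_apps = set(cond.get("clientAppTypes", []))
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    return (policy.get("state") == "enabled"
            and {"exchangeActiveSync", "other"} <= client_apps
            and "block" in controls
            and "All" in cond.get("users", {}).get("includeUsers", []))

# Report-only mode is a common misconfiguration: the policy evaluates but never blocks.
WEAK_POLICY = {
    "displayName": "Block legacy authentication (report only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], "users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
ENFORCED_POLICY = dict(WEAK_POLICY, displayName="Block legacy authentication", state="enabled")

if __name__ == "__main__":
    findings = triage(parse_signins(SAMPLE_SIGNIN_LOG))
    for key in ("legacy_success", "legacy_blocked", "locked_out"):
        print(key, findings[key])
    print("legacy sign-ins per user:", dict(findings["legacy_by_user"]))
    for policy in (WEAK_POLICY, ENFORCED_POLICY):
        print(policy["displayName"], "-> blocks legacy auth:", policy_blocks_legacy(policy))
```

The successful IMAP4 sign-ins are the finding that matters: a password alone was enough, so if that password was sprayed or leaked, MFA never had a chance to intervene. The policy check deliberately ignores excludeUsers; in a real review, list the exclusions too, since a break-glass or service account left in the exclusion list is the usual way legacy auth stays reachable after the policy is "on".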

Authentication Fundamentals: The Basics

Learn more about Azure Active Directory in this playlist from the Microsoft Azure YouTube channel:
https://www.youtube.com/watch?v=AO-uTWSmU_E&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0

Validate Your Knowledge

Question 1

Question Type: Single choice

You are managing a Microsoft Entra tenant that has 500 user accounts.

You created a new user account named AppAdmin.

You must assign the role of Application Administrator to the AppAdmin user account.

What should you do in the Microsoft Entra ID settings to accomplish this requirement?

  1. Select the user profile and add the role assignments.
  2. Select the user profile and add the user to the admin group.
  3. Select the user profile and assign it to an administrative unit.
  4. Select the user profile and enable the My Staff feature.

Correct Answer: 1

Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in to and access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications, as well as internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Azure AD has a set of built-in admin roles for granting access to manage configuration in Azure AD for all applications. These roles are the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to manage other parts of Azure AD not related to application configuration. Here are the two common built-in roles in Azure Active Directory:

– Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

– Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

If you want to grant a user permission to manage Azure AD resources, you must assign them to a role that provides the permissions they need. Based on the given scenario, the new user account needs the role of Application Administrator. To grant a role to the new user account, you must select the user profile and click on add assignments in the assigned roles option. Add the Application Administrator role, and the user can now create and manage all aspects of app registrations and enterprise apps.

Hence, the correct answer is: Select the user profile and add the role assignments.

The option that says: Select the user profile and add the user to the admin group is incorrect because adding the user to a group does not by itself assign the Application Administrator role; directory roles are granted through role assignments, either directly to the user or to a role-assignable group that already holds the role.

The option that says: Select the user profile and assign it to an administrative unit is incorrect because an administrative unit only scopes a role assignment to a subset of users, groups, or devices that you define; it does not grant a role. Take note that the requirement in the scenario is to assign the Application Administrator role to the new user account, not to restrict the scope of its permissions.

The option that says: Select the user profile and enable the My Staff feature is incorrect because the My Staff feature simply lets you delegate to a figure of authority, such as a store manager or a team lead, the permissions needed to ensure that their staff members can access their Azure AD accounts (for example, resetting passwords or managing phone numbers).

References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
https://azure.microsoft.com/en-us/services/active-directory/

Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.


Azure Active Directory Cheat Sheet References:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://azure.microsoft.com/en-us/services/active-directory/


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
