
AZ-500 Notes : Microsoft Learn - IAM - Module 1 (part2)

Part 1 - Manage Identity and Access
Module 1 - Secure Azure Solutions with AAD

[One thing I will say about blogging your studies - it really helps you to know where you left off. The interface in the MS training will mark the page as read (and give you the points) if you click on it.]


Unit 5 of 12 - Deploy AAD Domain Services

"Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication that is fully compatible with Windows Server Active Directory. You use these domain services without the need to deploy, manage, and patch domain controllers in the cloud."

"Domain Services" is a separate managed service, not a feature of the directory itself. Azure AD does not speak LDAP, Kerberos or NTLM; Azure AD DS takes a one-way sync of users and groups from the tenant and stands up a traditional domain (with its own domain controllers that you never log on to) for the legacy applications and VMs that still need those protocols. Changes flow from Azure AD into the managed domain, not back the other way.

If you're an old AD admin, remember how you had to log into a DC for this and that? Or make sure your Global Catalog was here - or you had to understand your Operations Masters roles? Well, none of that with Azure AD DS. The DCs, FSMO roles and Global Catalog are all "under the hood" and managed for you; you don't get Domain Admins or Enterprise Admins on the managed domain, only the "AAD DC Administrators" group, and the Azure portal becomes one big, consolidated MMC where you do what you need to do, and it works where you need it to work.

For those who never wrestled with AD or those who need a refresher:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview


Unit 6 of 12 - Create and Manage Azure AD Users

Azure AD defines users in three ways:
1) Cloud identities - (users only in AAD)
2) Directory-synchronized identities - (users from on-premises AD that were synchronized with AAD)
3) Guest users - (external identities invited into the tenant through Azure AD B2B: someone from another Azure AD tenant, a Microsoft account, a Google account, or just an email address with a one-time passcode. They carry userType = Guest and a UPN of the form name_domain.com#EXT#@yourtenant.onmicrosoft.com, which makes them easy to spot in exports.)
Worth checking: by default ordinary members can invite guests (Users > User settings > External collaboration settings), so don't assume the guest population is a controlled one until you've reviewed that setting.


Unit 7 of 12 - Manage Users with Azure AD Groups

Azure allows you to define two different types of groups:
SECURITY GROUPS - the module says these require an Azure AD administrator. Check the tenant setting "Users can create security groups in Azure portals, API or PowerShell" (Groups > General); it defaults to Yes, so ordinary users may be able to create them unless someone turned it off.
MICROSOFT 365 GROUPS - can be created by users (also switchable, via "Users can create Microsoft 365 groups in Azure portals, API or PowerShell")
"These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. This option is available to users as well as admins."

Well, if I think about this, it somewhat makes sense. Anything that deals with the servers and information processing (which would use a Security Group) is going to require Admins. Anything that deals with "collaboration" is going to be at the user level. You don't want your admins setting permissions for every "team calendar" or SharePoint site. Not that I like this - because users tend to just put everyone (more convenient) or focus on giving access and never remember to remove access. (And this is why we have Security teams - to remind them.)

Three membership types (how people get into a group, not what the group is allowed to do):
1) Assigned - members are added and removed by hand
2) Dynamic User - a membership rule over user attributes (for example user.department -eq "Sales") adds and removes users automatically
3) Dynamic Device - (Security Groups only) - the same idea over device attributes
Dynamic membership needs an Azure AD Premium P1 license, and a group is one type or the other; you can't mix assigned and dynamic members. Rights are granted separately, by assigning a role, an application, or resource RBAC to the group.
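To make the identity types from Unit 6 and the dynamic membership rules above concrete, here is an added Python example (mine, not from the notes or from Microsoft's material). It takes a handful of constructed user records shaped like Microsoft Graph /users objects, sorts them into the three identity types by reading userType and onPremisesSyncEnabled, and then evaluates dynamic membership rules written in a subset of Azure AD's rule syntax (property comparisons with -eq, -ne, -contains and -startsWith, joined by and/or/not and parentheses) to show which users a rule would pull into a group. The evaluator and the sample people are assumptions for illustration; the property names are real Graph properties.

```python
import re

# Constructed sample records (not from the original notes), shaped like the
# objects Microsoft Graph returns from /users; the people are made up.
USERS = [
    {"userPrincipalName": "alice@contoso.onmicrosoft.com", "userType": "Member",
     "onPremisesSyncEnabled": None, "department": "Security", "accountEnabled": True},
    {"userPrincipalName": "bob@contoso.com", "userType": "Member",
     "onPremisesSyncEnabled": True, "department": "Sales", "accountEnabled": True},
    {"userPrincipalName": "carol_gmail.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "onPremisesSyncEnabled": None, "department": None, "accountEnabled": True},
    {"userPrincipalName": "dave@contoso.com", "userType": "Member",
     "onPremisesSyncEnabled": True, "department": "Sales", "accountEnabled": False},
]

def identity_type(user):
    """Unit 6's three kinds of identity, read off the Graph properties."""
    if user.get("userType") == "Guest":
        return "guest"
    if user.get("onPremisesSyncEnabled"):
        return "directory-synchronized"
    return "cloud"

# Evaluator for a subset of the dynamic membership rule syntax:
#   user.<prop> -eq|-ne|-contains|-startsWith <"string"|true|false|null>
# joined with and/or/not and parentheses. Strings compare case-insensitively,
# as in the service; anything unrecognised raises instead of silently matching.
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s()"]+)')
OPS = {
    "-eq": lambda v, l: v == l,
    "-ne": lambda v, l: v != l,
    "-contains": lambda v, l: isinstance(v, str) and isinstance(l, str) and l in v,
    "-startswith": lambda v, l: isinstance(v, str) and isinstance(l, str) and v.startswith(l),
}

def literal(tok):
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.lower() in ("true", "false", "null"):
        return {"true": True, "false": False, "null": None}[tok.lower()]
    raise ValueError(f"bad literal {tok!r}")

class RuleParser:
    def __init__(self, rule):
        self.toks, self.pos = TOKEN.findall(rule), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of rule")
        self.pos += 1
        return self.toks[self.pos - 1]
    def keyword(self, word):  # accepts "and" and the "-and" spelling alike
        return self.peek() is not None and self.peek().lower().lstrip("-") == word
    def expr(self):  # or-chain of terms
        node = self.term()
        while self.keyword("or"):
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):  # and-chain of factors
        node = self.factor()
        while self.keyword("and"):
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.keyword("not"):
            self.take()
            return ("not", self.factor())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        prop, op, lit = self.take(), self.take(), self.take()
        if not prop.startswith("user.") or op.lower() not in OPS:
            raise ValueError(f"unsupported term {prop} {op}")
        return ("cmp", prop[5:], op.lower(), literal(lit))

def evaluate(node, user):
    if node[0] == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if node[0] == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if node[0] == "not":
        return not evaluate(node[1], user)
    _, prop, op, lit = node
    val = user.get(prop)
    if isinstance(val, str) and isinstance(lit, str):
        val, lit = val.lower(), lit.lower()
    return OPS[op](val, lit)

def members(rule, users):
    """UPNs the rule would pull into a dynamic group, sorted."""
    parser = RuleParser(rule)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return sorted(u["userPrincipalName"] for u in users if evaluate(tree, u))
```

Calling members('(user.department -eq "Sales") and (user.accountEnabled -eq true)', USERS) returns only bob, because dave is disabled; members('user.userType -eq "Guest"', USERS) returns carol alone, which is the rule behind the usual "all guests" dynamic group people scope Conditional Access with. A typo in an operator raises rather than quietly matching nobody, which is the failure mode you want when the group gates access.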

Unit 8 of 12 - Configure Azure AD administrative units

"An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users and groups. Administrative units restrict permissions in a role to any portion of your organization that you define."

Remember old Microsofties - there are no more OUs. AUs are not OUs. OUs used to have users _and_ computers. AUs are just users and groups (of users). They don't nest, nothing like Group Policy hangs off them, and on their own they do nothing; their only job is to narrow a role assignment (say, Helpdesk Administrator or User Administrator) to the users and groups inside the unit instead of the whole tenant.

"NOTE: To use administrative units, you need an Azure Active Directory Premium license for each administrative unit admin, and Azure Active Directory Free licenses for administrative unit members."

One main thing I'm seeing here is that Azure likes everything FLAT. Peering makes a flat network. The IAM makes a flat user space. If you want to segment it in any way, you're going to have to work on that yourself and it's going to cost. That's going to be a tough sell to many companies - since the people authorizing the money are not very likely to understand/value containment of breach or least privilege.
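As an added example of what an AU actually buys you (mine, not from the notes or from Microsoft's material), here is a small Python model of role scoping: a tenant-wide role assignment reaches every user, a role assigned through an AU reaches only that unit's members, and the same role held in two units reaches their union. The AU names, principals and users are constructed, and the data shapes only loosely follow Graph's administrativeUnits, members and scopedRoleMembers. It is a model of the rule, not the service's own code, and it ignores the extra restrictions the real service applies (only some roles can be AU-scoped, and a scoped Helpdesk Administrator still cannot reset passwords for users who hold admin roles).

```python
# Constructed sample tenant (not from the original notes). Shapes loosely follow
# Graph: an administrative unit has members; a scopedRoleMember binds a directory
# role to a principal inside one AU only; a role assignment with no AU scope
# applies to the whole directory.
ALL_USERS = {"alice", "bob", "carol", "dave", "erin"}

ADMIN_UNITS = {
    "au-finance": {"displayName": "Finance", "members": {"bob", "dave"}},
    "au-sales": {"displayName": "Sales", "members": {"carol", "dave"}},
}

# (administrativeUnitId, role, principal): the role is valid inside that AU only.
SCOPED_ROLE_MEMBERS = [
    ("au-finance", "Helpdesk Administrator", "helpdesk-finance"),
    ("au-sales", "User Administrator", "useradmin-sales"),
]

# (role, principal): the classic tenant-wide assignment.
DIRECTORY_ROLE_MEMBERS = [
    ("Helpdesk Administrator", "helpdesk-global"),
]

def reach(principal, role):
    """Set of users `principal` may act on when exercising `role`."""
    if (role, principal) in DIRECTORY_ROLE_MEMBERS:
        return set(ALL_USERS)
    targets = set()
    for au_id, r, p in SCOPED_ROLE_MEMBERS:
        if (r, p) == (role, principal):
            targets |= ADMIN_UNITS[au_id]["members"]
    return targets

def can_act(principal, role, target):
    """Stand-in for the check made before, say, a password reset is allowed."""
    return target in reach(principal, role)

def blast_radius():
    """How many users each assignment exposes if its principal is compromised."""
    radius = {}
    for role, p in DIRECTORY_ROLE_MEMBERS:
        radius[(p, role)] = len(reach(p, role))
    for _, role, p in SCOPED_ROLE_MEMBERS:
        radius[(p, role)] = len(reach(p, role))
    return radius

if __name__ == "__main__":
    for (p, role), n in sorted(blast_radius().items()):
        print(f"{p:18} {role:24} can touch {n}/{len(ALL_USERS)} users")
```

The point of blast_radius() is the argument to take to whoever signs the licensing: helpdesk-global can touch all five users, helpdesk-finance only two, so a phished helpdesk account in the scoped design gives the attacker two password resets instead of the whole directory.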

Unit 9 of 12 - Implement Passwordless Authentication

Replaces passwords with two factors bound to one device -
Something you have (the FIDO2 key, the phone, or the PC's TPM, each holding a private key that never leaves it)
Something you are (biometric) or something you know (PIN) - the PIN or biometric only unlocks that key locally; it is never sent to Azure AD, which sees nothing but a signature over its challenge

The material here is a little confusing since it talks about Windows Hello for Business - but it's not showing as an option in the screenshot.

FIDO2 Security Keys (USB, NFC or Bluetooth hardware tokens)
FIDO2 Smartcard (preview)
Microsoft Authenticator App (phone sign-in: you approve a prompt on the phone and unlock it with the phone's biometric or PIN)


Unit 10 - Try this exercise
Unit 11- Knowledge Check
Unit 12 - Summary

If you're following along in the Microsoft Learn site, note that when you finish Module 1, you will have more than the 1300 points of the module itself. I think you also earn points for signing up, etc. Finish more than Module 1 and you will get from Level 1 to Level 2 in XP points.
