AZ-500 Notes: Microsoft Learn - IAM - Module 2
Part 1 - Manage Identity and Access
Module 2 - Implement Hybrid Identity
Unit 1 of 10 - Intro
Unit 2 of 10 - Deploy Azure AD Connect
I'm interested in learning more about the password hash synchronization. I hope they explain it in gory detail. All I can think of with this is the PTH (Pass The Hash) exploit that I learned in the Offensive Security course.
"Using AD Connect Health works by installing an agent on each of your on-premises sync servers."
Unit 3 of 10 - Explore authentication options
"Choosing an Azure AD Authentication method is important as it is one of the first important decisions when moving to the cloud as it will be the foundation of your cloud environment and is difficult to change at a later date."
Yes, and everyone stampeded to the cloud before they thought through this part.
Oh, and the "units" in this module are really tiny. They state one thing and move on.
Unit 4 of 10 - Configure Password Hash Synchronization (PHS)
Yeah! They didn't do a "deep dive," but they did mention that it doesn't just copy the hash. Azure AD Connect takes the on-premises NT hash, adds a per-user salt, runs it through 1000 iterations of PBKDF2-HMAC-SHA256, and sends that derived value to Azure AD over TLS. Azure AD stores the derived value and, at sign-in, runs the password the user typed through the same process and compares the results. [Encrypted in transit; what sits at rest in Azure AD is the salted PBKDF2 output, not the NT hash itself, so it can't simply be replayed in a pass-the-hash attack against on-premises AD.]
And here's something that looks to me like it would be twisted into a test question in some manner:
"It is important to understand that this is same sign-in, not single sign-on. The user still authenticates against two separate directory services, albeit with the same user name and password."
Here's another interesting page of the documentation about PHS:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
"Note: Only new leaked credentials found after you enable PHS will be processed against your tenant. Verifying against previously found credential pairs is not performed."
Unit 5 of 10 - Implement Pass-through Authentication (PTA)
"PTA allows users to sign in to both on-premises and cloud-based applications using the same user account and passwords. When users sign in using Azure AD, Pass-through Authentication validates the users' passwords directly against an organization's on-premises Active Directory."
"PTA is a free feature, and you don't need any paid editions of Azure AD to use it."
Unit 6 of 10 - Deploy Federation with Azure AD
"Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization."
This was in an "important" box, so it may end up as a question...
"If you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password hash synchronization as a backup in case your AD FS infrastructure fails."
One of the things I wish they had put in this section (it may be included later) is at least a link to the deployment steps for implementing these identity configurations.
The other thing I wish they had included is a way to check how an environment is actually set up. Perhaps it's because I come from a networking background, but I've always made a point of not just configuring things but verifying the configuration.
From what I can see in the portal, if you go to "Azure AD Connect" you can see the sync status of Azure AD Connect sync along with a "User Sign-In" area. That area shows Enabled/Disabled for Federation, Seamless single sign-on, Pass-through authentication, Certificate-based authentication and Email as alternate login ID.
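Since the module gives no way to verify the setup, here is an added example (mine, not from the Microsoft Learn unit) that does the same check from the API side. It summarizes two Microsoft Graph v1.0 responses, `GET /organization` (`onPremisesSyncEnabled`, `onPremisesLastSyncDateTime`) and `GET /domains` (`authenticationType`, Managed or Federated), into a hybrid-identity posture and flags a stale sync. The JSON below is constructed to look like those responses, not captured from a tenant; the three-hour staleness threshold and the `graph_get` helper (which needs a bearer token with directory read permission) are my assumptions. Note that Graph reports a synced domain only as Managed; it does not tell you whether PHS or PTA is in use, so for that you still need the portal blade described above.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
SYNC_STALE_AFTER = timedelta(hours=3)  # assumed threshold; default sync interval is 30 minutes

# Constructed sample responses shaped like Graph's /organization and /domains output.
SAMPLE_ORG = {"value": [{
    "displayName": "Contoso",
    "onPremisesSyncEnabled": True,
    "onPremisesLastSyncDateTime": "2023-03-01T08:05:00Z",
}]}
SAMPLE_DOMAINS = {"value": [
    {"id": "contoso.com", "isVerified": True, "authenticationType": "Federated"},
    {"id": "contoso.onmicrosoft.com", "isVerified": True, "authenticationType": "Managed"},
    {"id": "pending.contoso.com", "isVerified": False, "authenticationType": "Managed"},
]}


def graph_get(path: str, token: str) -> dict:
    """Live fetch helper (assumed usage): token must carry e.g. Directory.Read.All."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def hybrid_posture(org_json: dict, domains_json: dict, now: datetime = None) -> dict:
    """Reduce the two Graph responses to the facts that decide the sign-in method in use."""
    now = now or datetime.now(timezone.utc)
    org = org_json["value"][0]
    synced = bool(org.get("onPremisesSyncEnabled"))
    last_sync = org.get("onPremisesLastSyncDateTime")
    result = {
        "directory_sync": synced,
        "last_sync_utc": last_sync,
        "sync_stale": False,
        "domains": {},
        "notes": [],
    }
    if synced and last_sync:
        last = datetime.fromisoformat(last_sync.replace("Z", "+00:00"))
        result["sync_stale"] = (now - last) > SYNC_STALE_AFTER
    # Only verified domains can carry users; unverified ones are ignored.
    for dom in domains_json["value"]:
        if dom.get("isVerified"):
            result["domains"][dom["id"]] = dom.get("authenticationType", "Managed")
    types = set(result["domains"].values())
    if "Federated" in types:
        result["notes"].append("Federated domain present: sign-in is redirected to the federation service (e.g. AD FS).")
    if synced and "Managed" in types:
        result["notes"].append("Synced Managed domain: users authenticate with PHS or PTA; Graph does not say which.")
    if not synced:
        result["notes"].append("No directory sync: cloud-only identities.")
    if result["sync_stale"]:
        result["notes"].append("Last sync is older than the threshold; check the Azure AD Connect server.")
    return result


if __name__ == "__main__":
    report = hybrid_posture(SAMPLE_ORG, SAMPLE_DOMAINS)
    print(json.dumps(report, indent=2))
```

To run it against a real tenant, replace the two constants with `graph_get("/organization", token)` and `graph_get("/domains", token)`; the classification logic is unchanged.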
Unit 7 of 10 - Explore the authentication decision tree
There's a little bit about "identity is the new perimeter," which is something I hear a lot when discussing cloud. One thing people forget is that it is not (and should not be) the _only_ perimeter. Building your entire security model around identity is not going to end well when accounts get compromised. Just because it's "important" doesn't mean it's "enough" to secure the environment.
"If you need to apply user-level Active Directory security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components."
"Sign-in features not natively supported by Azure AD:
Sign-in using smartcards or certificates.
Sign-in using on-premises MFA Server.
Sign-in using third-party authentication solution.
Multi-site on-premises authentication solution."
I can see questions that mention one (or more) of these things in the scenario and ask which authentication solution should be used. If you see any of these things, you're going to use federation. (One caveat for real deployments rather than the exam: Azure AD now has native certificate-based authentication, the "Certificate-based authentication" toggle mentioned above, so smartcard or certificate sign-in no longer strictly requires AD FS. The module's decision tree predates that.)
Here's another thing that I can see as generating a question:
"Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, to provide the Users with leaked credentials report. Organizations can fail over to Password Hash Sync if their primary sign-in method fails and it was configured before the failure event."
Unit 8 of 10 - Configure password writeback
"Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time"
And this final "important" note: "To use self-service password reset (SSPR) you must have already configured Azure AD Connect in your environment."
Unit 9 of 10 - Knowledge Check
Unit 10 of 10 - Summary