Monday, February 18, 2019

AZ-102 Study notes - Part 4

Manage identities (15-20%)

Manage Azure Active Directory (AD)

Add custom domains 

Add a purchased domain and add the MX or TXT records. (ms=msXXXXXX)
The person who creates the tenant is automatically the global administrator.
TTL must be 60 minutes.
Make sure you don't have any unmanaged PowerBI tenants.

Configure Azure AD Identity Protection

Azure AD Identity Protection requires a P2 licence or above.
You can force people to register for MFA; once everyone is registered you can enable MFA for everyone.

User risk and sign-in risk policies block sign-in, or force MFA, for users judged to be compromised.

Azure AD Join, and Enterprise State Roaming

In the Azure AD device settings you can grant local admin rights to Azure AD members.
The local admins are set as device admins.
ESR allows Windows 10 user data to be synced between devices. Data is encrypted. Requires "EMS".

Configure self-service password reset

Password reset can be enabled for selected groups or for all users. Require one or two methods: Email / Office Phone / Mobile Phone / Security questions (and how many questions to require, 3-5).
Users can be forced to register and can be forced to re-register after a period.
You can be notified of admin password resets or of all user password resets.
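The registration rules above (required number of methods, 3-5 security questions, forced re-registration after a period) as an added worked example in Python. This is not the blog's or Azure's own code: the tenant settings, the user records and the 180-day re-registration period are constructed assumptions, and the functions `usable_methods`, `sspr_status` and `report` are hypothetical names.

```python
from datetime import date, timedelta

# Constructed tenant SSPR settings, chosen from the options the notes list.
METHODS_REQUIRED = 2                 # "one or two methods"
SECURITY_QUESTIONS_REQUIRED = 3      # allowed range is 3-5
REREGISTER_AFTER_DAYS = 180          # assumed "period" after which users must re-confirm


def usable_methods(user):
    """Methods that count toward the requirement. Security questions only
    count once the user has answered the configured number of them."""
    methods = set()
    for m in ("email", "office_phone", "mobile_phone"):
        if user.get(m):
            methods.add(m)
    if len(user.get("security_questions", [])) >= SECURITY_QUESTIONS_REQUIRED:
        methods.add("security_questions")
    return methods


def sspr_status(user, today):
    """Classify a user as 'ready', 'needs_registration' or 'reregister_due'."""
    if len(usable_methods(user)) < METHODS_REQUIRED:
        return "needs_registration"
    last = user.get("last_confirmed")
    if last is None or today - last > timedelta(days=REREGISTER_AFTER_DAYS):
        return "reregister_due"
    return "ready"


# Constructed user records (not real accounts).
USERS = [
    {"name": "alice", "email": "alice@example.com", "mobile_phone": "+15550100",
     "security_questions": [], "last_confirmed": date(2019, 1, 10)},
    # Two questions do not meet the configured minimum of three, so only
    # e-mail counts and bob is still missing a second method.
    {"name": "bob", "email": "bob@example.com",
     "security_questions": ["q1", "q2"], "last_confirmed": date(2019, 1, 10)},
    # Enough methods, but last confirmed more than 180 days ago.
    {"name": "carol", "office_phone": "+15550101",
     "security_questions": ["q1", "q2", "q3"], "last_confirmed": date(2018, 6, 1)},
]


def report(today=date(2019, 2, 18)):
    """Map each user name to their SSPR registration status on the given day."""
    return {u["name"]: sspr_status(u, today) for u in USERS}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

The point of the example is the two separate failure modes the notes describe: a user who never finished registering (too few usable methods) and a user whose registration has gone stale past the re-registration period.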

Implement conditional access policies

Conditions (platforms, locations, apps, device state, etc.) / Control statements (block / grant, MFA, limited experiences, etc.).
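How the conditions and controls above combine, including the user-risk and sign-in-risk policies from the Identity Protection section, as an added worked example in Python. It is not the blog's or Azure's own code: the sign-in records, the three policies, the named location "HQ" and the functions `policy_applies` and `evaluate` are constructed assumptions; the combination rule modelled (block wins, otherwise every grant control required by any applicable policy must be met) is the documented conditional access behaviour.

```python
from dataclasses import dataclass

# Risk levels as reported by Identity Protection, ordered for comparison.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


# A sign-in attempt (constructed record, not a real Azure AD sign-in log entry).
@dataclass
class SignIn:
    user: str
    app: str
    platform: str            # e.g. "windows", "ios", "android"
    location: str            # named location, or "unknown"
    device_compliant: bool   # device state reported by the MDM
    sign_in_risk: str = "none"
    user_risk: str = "none"


# A conditional access policy: the condition fields decide whether the
# policy applies to a sign-in, the control fields decide what happens.
# Empty condition sets match any value (like "All cloud apps").
@dataclass
class Policy:
    name: str
    apps: frozenset = frozenset()
    platforms: frozenset = frozenset()
    trusted_locations: frozenset = frozenset()   # excluded locations
    min_sign_in_risk: str = "none"
    min_user_risk: str = "none"
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False


def policy_applies(policy: Policy, s: SignIn) -> bool:
    """True when every configured condition matches the sign-in."""
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.platforms and s.platform not in policy.platforms:
        return False
    if s.location in policy.trusted_locations:
        return False
    if RISK_ORDER[s.sign_in_risk] < RISK_ORDER[policy.min_sign_in_risk]:
        return False
    if RISK_ORDER[s.user_risk] < RISK_ORDER[policy.min_user_risk]:
        return False
    return True


def evaluate(policies, s: SignIn, mfa_completed: bool = False):
    """Combine all applicable policies. Block always wins; otherwise every
    grant control required by any applicable policy must be satisfied.
    Returns (outcome, names of the policies that applied)."""
    matched = [p for p in policies if policy_applies(p, s)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return "block", names
    if any(p.require_compliant_device for p in matched) and not s.device_compliant:
        return "denied: compliant device required", names
    if any(p.require_mfa for p in matched) and not mfa_completed:
        return "mfa_required", names
    return "grant", names


# Constructed policy set (assumed, not a real tenant's configuration).
POLICIES = [
    Policy("Block high-risk users", min_user_risk="high", block=True),
    Policy("MFA on risky sign-in outside office", min_sign_in_risk="medium",
           trusted_locations=frozenset({"HQ"}), require_mfa=True),
    Policy("Compliant device for Exchange on mobile",
           apps=frozenset({"Exchange Online"}),
           platforms=frozenset({"ios", "android"}),
           require_compliant_device=True),
]


if __name__ == "__main__":
    attempts = [
        SignIn("alice", "SharePoint", "windows", "HQ", True),
        SignIn("bob", "Exchange Online", "ios", "home", False),
        SignIn("carol", "SharePoint", "windows", "home", True, sign_in_risk="medium"),
        SignIn("dave", "Exchange Online", "android", "home", True, user_risk="high"),
    ]
    for a in attempts:
        print(a.user, evaluate(POLICIES, a))
```

Note how the trusted-location exclusion only removes the risk policy from the evaluation: a medium-risk sign-in from "HQ" is granted without MFA, while the same sign-in from home prompts for it, and a high user risk blocks regardless of which other policies match.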

Manage multiple directories

Each tenant is independent and a domain name can only be used by a single tenant.

Perform an access review

Access reviews let you schedule reviews in which you approve or deny a user's access to a group or application. If a reviewer does not respond, access can be removed automatically or the reviewer can be emailed.

Recommendations suggest the best action. Reviewers can give reasons for their decisions.

Implement and manage hybrid identities

Install and configure Azure AD Connect

Requirements:
Azure AD Premium
Global Admin of Azure AD
Azure AD Connect Health agent installed.
Outbound connectivity (no SSL inspection).

Configure federation and single sign-on

Use the Azure AD Connect tool to add an AD FS server, add an AD FS WAP server, and configure a federated domain.

Deploy seamless single sign on via the Azure AD Connect tool.
Deploy group policies to enable SSO.

Manage Azure AD Connect

You can configure health alerts from Azure AD Connect Health in the portal.

Manage password sync and writeback

Premium feature.
The account used must have elevated rights.
Configured through the Azure AD Connect utility.


TIP 0005: Test bad SSL

badssl.com describes itself as a "memorable site for testing clients against bad SSL configs": https://badssl.com/