AZ-102 Study notes - Part 4
Manage identities (15-20%)
Manage Azure Active Directory (AD)
Add custom domains
Add the purchased domain to Azure AD, then prove ownership by publishing the TXT (or MX) record Azure AD gives you at your DNS provider. The TXT value has the form MS=msXXXXXX. Verify the domain in the portal once the record resolves (propagation can take up to 72 hours).
The person who creates the tenant is automatically the global administrator.
The suggested TTL for the verification record is 3600 seconds (60 minutes); a shorter TTL is fine, the record just has to be visible before you click Verify.
Make sure the domain is not already owned by an unmanaged ("viral") tenant, e.g. one created when a user self-signed up for Power BI with a work e-mail address. A domain can belong to only one tenant, so adding it fails until you perform an admin takeover of that tenant.
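The domain procedure above, as an added PowerShell example (not from the original notes): add the domain, read the verification record Azure AD returns, publish it, check it resolves, then confirm. It assumes the AzureAD module, a Global Administrator session, and (for the DNS step only) an Azure DNS zone managed with the Az.Dns module; contoso.com and the resource group name are placeholders.

```powershell
# Added example, not part of the original notes. Assumes AzureAD + Az.Dns modules.
Connect-AzureAD

$domain = "contoso.com"   # placeholder

# 1. Register the domain in the tenant; it stays Unverified until DNS proves ownership.
New-AzureADDomain -Name $domain | Out-Null

# 2. Azure AD hands back the records to publish. The TXT value looks like MS=msXXXXXXXX.
$records = Get-AzureADDomainVerificationDnsRecord -Name $domain
$txt = $records | Where-Object { $_.RecordType -eq "Txt" }
"Publish TXT at '$($txt.Label)' with value '$($txt.Text)' and TTL $($txt.Ttl)"

# 3. Create the record. This step is provider-specific; shown for an Azure DNS zone
#    (resource group "dns-rg" is a placeholder). "@" is the zone apex.
New-AzDnsRecordSet -Name "@" -RecordType TXT -ZoneName $domain -ResourceGroupName "dns-rg" `
    -Ttl $txt.Ttl -DnsRecords (New-AzDnsRecordConfig -Value $txt.Text) | Out-Null

# 4. Check the record is actually resolvable from a public resolver before asking Azure AD to verify.
$strings = (Resolve-DnsName -Name $domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue).Strings
if ($strings -notcontains $txt.Text) {
    Write-Warning "TXT record not visible yet; wait for propagation before confirming."
}

# 5. Ask Azure AD to verify ownership. If this reports the domain is already in use, another tenant
#    (possibly an unmanaged Power BI tenant) owns it and an admin takeover is needed first.
Confirm-AzureADDomain -Name $domain

# 6. Confirm the final state.
Get-AzureADDomain -Name $domain | Select-Object Name, IsVerified, IsDefault, AuthenticationType
```

Run step 4 again until the warning disappears; Confirm-AzureADDomain fails harmlessly if Microsoft's resolvers cannot see the record yet.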
Configure Azure AD Identity Protection
Azure AD Identity Protection requires Azure AD Premium P2.
The MFA registration policy forces users to register for MFA (they get a grace period, then are blocked until they register). Roll it out to a pilot group first; once everyone in the pilot has registered, extend it to all users.
Sign-in risk policy: block the sign-in or require MFA when the sign-in's risk level reaches the threshold. User risk policy: block the sign-in or require a secure password change when the account itself is judged compromised.
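Before widening the MFA registration policy from the pilot group to everyone, check who has not registered. This is an added example (not from the original notes); it assumes the MSOnline and AzureAD modules, a Global Administrator session, and a pilot group named "MFA-Pilot" (placeholder).

```powershell
# Added example, not part of the original notes. Assumes MSOnline + AzureAD modules.
Connect-MsolService
Connect-AzureAD

# Pilot group is a placeholder name.
$pilotGroup = Get-AzureADGroup -SearchString "MFA-Pilot" | Select-Object -First 1
$pilotUpns  = (Get-AzureADGroupMember -ObjectId $pilotGroup.ObjectId -All $true).UserPrincipalName

# StrongAuthenticationMethods is empty for users who have never completed MFA registration.
$users         = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }
$notRegistered = $users | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 }

# Pilot users who still have no method are the blocker for the next wave.
$pilotPending = $notRegistered | Where-Object { $pilotUpns -contains $_.UserPrincipalName }

"{0} of {1} enabled users have no MFA method registered; {2} of them are in the pilot group" -f `
    $notRegistered.Count, $users.Count, $pilotPending.Count
$pilotPending | Select-Object UserPrincipalName, LastPasswordChangeTimestamp | Format-Table -AutoSize
```

When the pilot count reaches zero the policy can be assigned to all users; the remaining list is your expected grace-period population.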
Azure AD Join, and Enterprise State Roaming
Under Azure AD > Devices > Device settings you can add "additional local administrators on Azure AD joined devices".
Those users are assigned the Device Administrators role (now called Azure AD Joined Device Local Administrator); Global Administrators are local admins on joined devices by default.
Enterprise State Roaming (ESR) syncs Windows 10 user settings and app data between devices. Data is encrypted with Azure Rights Management before it leaves the device. Requires Azure AD Premium or an EMS licence.
Configure self-service password reset
Self-service password reset can be enabled for None, Selected (one group) or All users. Users must prove identity with one or two methods, chosen from: mobile app notification / code, e-mail, mobile phone, office phone and security questions (pick how many questions users register and how many they must answer, 3 to 5).
Users can be required to register their methods at next sign-in, and to re-confirm them after a configurable number of days (default 180; 0 disables re-confirmation).
Notifications: users can be e-mailed when their password is reset, and all admins can be notified when another admin resets their own password.
Implement conditional access policies
Assignments / conditions: users and groups, cloud apps, sign-in risk, device platforms, locations (named locations, trusted IPs), client apps, device state. Access controls: grant controls (block, or grant requiring MFA, compliant device, hybrid Azure AD joined device, approved client app) and session controls (app-enforced restrictions, i.e. a limited experience). Test new policies in report-only mode and always exclude a break-glass account.
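A complete Conditional Access policy built from the pieces above, as an added PowerShell example (not from the original notes): a trusted named location for the office egress range, then a policy that requires MFA for all users on all cloud apps outside trusted locations, excludes a break-glass group, and starts in report-only mode. It assumes the AzureAD module build that ships the *-AzureADMS* Conditional Access cmdlets and a Conditional Access Administrator or Global Administrator session; the IP range and group name are placeholders.

```powershell
# Added example, not part of the original notes. Assumes the AzureAD module with *-AzureADMS* CA cmdlets.
Connect-AzureAD

# Named location for the office egress range (placeholder CIDR). IsTrusted lets policies and
# sign-in risk treat it as a known network.
$officeRange = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
$officeRange.CidrAddress = "203.0.113.0/24"
$office = New-AzureADMSNamedLocationPolicy -OdataType "#microsoft.graph.ipNamedLocation" `
    -DisplayName "HQ office egress" -IsTrusted $true -IpRanges $officeRange

# Emergency-access accounts must never be locked out by policy, so exclude their group explicitly.
$breakGlass = Get-AzureADGroup -SearchString "BreakGlass-Admins" | Select-Object -First 1   # placeholder

# Conditions: who, which apps, from where.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers  = "All"
$conditions.Users.ExcludeGroups = $breakGlass.ObjectId
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = "All"
$conditions.Locations.ExcludeLocations = "AllTrusted"   # every named location flagged IsTrusted

# Grant control: the sign-in is allowed only if MFA is satisfied.
$grant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator      = "OR"
$grant.BuiltInControls = "mfa"

# Report-only first: the sign-in logs show what the policy would have done without enforcing it.
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA outside trusted locations" `
    -State "enabledForReportingButNotEnforced" -Conditions $conditions -GrantControls $grant

$policy | Select-Object Id, DisplayName, State

# After reviewing report-only results for a few days, enforce it:
# Set-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id -State "enabled"
```

The order matters for safety: create the trusted location and confirm the break-glass group resolves before the policy exists, and only flip the state to enabled once report-only data shows no unexpected blocks.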
Manage multiple directories
Each tenant is independent and a domain name can only be used by a single tenant.
Perform an access review
Access reviews (Azure AD Premium P2) let you schedule one-off or recurring reviews in which reviewers (the users themselves, group owners, or selected reviewers) approve or deny continued membership of a group or assignment to an application. If a reviewer does not respond, the configured default applies (no change, remove access, approve access, or take recommendations); reviewers can be sent reminder e-mails.
Recommendations suggest a decision based on recent sign-in activity. Reviewers can be required to give a justification for each decision.
Implement and manage hybrid identities
Install and configure Azure AD Connect
Prerequisites: an Azure AD tenant. Azure AD Premium P1 is needed for Azure AD Connect Health, password writeback and some other optional features, not for synchronisation itself.
Global Administrator credentials for Azure AD during setup, plus Enterprise Administrator credentials for the on-premises forest if you use express settings.
The Azure AD Connect Health sync agent is installed together with Azure AD Connect.
Connectivity: outbound HTTPS (TCP 443) to the Azure AD endpoints only, no inbound ports. The path must not go through an SSL/TLS-inspecting proxy; a substituted certificate chain breaks the sync service.
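A pre-flight check for the connectivity requirement above, as an added PowerShell example (not from the original notes) to run on the server that will host Azure AD Connect. It opens TCP 443 to each endpoint, completes a TLS handshake, and reads the certificate issuer: an issuer outside the public CAs Microsoft uses indicates an inspecting proxy in the path. The endpoint list and the expected issuer pattern are assumptions; check them against the current Office 365 URL and IP range documentation.

```powershell
# Added example, not part of the original notes. Endpoint list and issuer pattern are assumptions.
$endpoints = @(
    "login.microsoftonline.com",
    "graph.windows.net",
    "adminwebservice.microsoftonline.com"
)
$expectedIssuerPattern = "DigiCert|Microsoft"   # assumption: public CAs seen on these hosts

function Test-AadOutbound {
    param([string]$HostName)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
    } catch {
        return [pscustomobject]@{ Host = $HostName; Tcp443 = $false; Issuer = $null; Intercepted = $null }
    }

    # The validation callback returns $true for any certificate purely so we can read the issuer;
    # nothing here trusts the connection for real traffic.
    $stream = $tcp.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, { param($s, $c, $ch, $e) $true }
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $ssl.Dispose(); $tcp.Dispose()

    [pscustomobject]@{
        Host        = $HostName
        Tcp443      = $true
        Issuer      = $cert.Issuer
        Intercepted = ($cert.Issuer -notmatch $expectedIssuerPattern)
    }
}

$results = $endpoints | ForEach-Object { Test-AadOutbound -HostName $_ }
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Tcp443 -or $_.Intercepted }) {
    Write-Warning "Fix outbound access or exclude these hosts from SSL inspection before installing Azure AD Connect."
}
```

A corporate proxy CA in the Issuer column is the classic cause of Azure AD Connect failing with certificate errors; add the Azure AD hosts to the proxy's bypass list rather than trusting the proxy CA on the sync server.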
Configure federation and single sign-on
Use the Azure AD Connect tool to add an AD FS server, add an AD FS Web Application Proxy (WAP) server, and configure a federated domain.
Seamless SSO is enabled in the Azure AD Connect wizard alongside password hash sync or pass-through authentication; it creates the AZUREADSSOACC computer account in on-premises AD, whose Kerberos key should be rolled at least every 30 days.
Roll it out to clients with Group Policy: add https://autologon.microsoftazuread-sso.com to the Local intranet zone (Site to Zone Assignment List) so browsers send Kerberos tickets, and enable "Allow updates to status bar via script" for the Intranet zone.
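The client-side rollout of Seamless SSO, as an added PowerShell example (not from the original notes): confirm the AZUREADSSOACC account exists and its key is fresh, then create and link a GPO that puts the autologon URL in the Local intranet zone. It assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined management host; the GPO name and target OU are placeholders.

```powershell
# Added example, not part of the original notes. Assumes ActiveDirectory + GroupPolicy RSAT modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. The computer account Azure AD uses to decrypt Kerberos tickets; Azure AD Connect creates it.
$sso = Get-ADComputer -Identity "AZUREADSSOACC" -Properties PasswordLastSet -ErrorAction SilentlyContinue
if (-not $sso) { throw "AZUREADSSOACC not found; enable Seamless SSO in Azure AD Connect first." }

# Its Kerberos decryption key should be rolled at least every 30 days
# (Update-AzureADSSOForest from the AzureADSSO module on the Azure AD Connect server).
if ($sso.PasswordLastSet -lt (Get-Date).AddDays(-30)) {
    Write-Warning "AZUREADSSOACC key is older than 30 days; roll it with Update-AzureADSSOForest."
}

# 2. GPO with the Site to Zone Assignment List entry. Zone value 1 = Local intranet.
$gpoName = "Azure AD Seamless SSO"   # placeholder
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

$zoneMapKey = "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
Set-GPRegistryValue -Name $gpoName -Key $zoneMapKey `
    -ValueName "https://autologon.microsoftazuread-sso.com" -Type String -Value "1" | Out-Null

# 3. Link to the OU holding the workstations (placeholder DN). Computer-side policy, so link to a computer OU.
New-GPLink -Name $gpoName -Target "OU=Workstations,DC=contoso,DC=com" -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# 4. Verify on a client after gpupdate /force: a successful SSO sign-in leaves a ticket for the SSO SPN.
#    klist | Select-String "HTTP/autologon.microsoftazuread-sso.com"
```

If the ticket never appears on the client, the usual causes are the URL not landing in the intranet zone (check the effective ZoneMapKey on the client) or the client not being able to reach a domain controller for the Kerberos exchange.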
Manage Azure AD Connect
Azure AD Connect Health (Azure AD Premium P1) in the portal reports sync errors and service health and can send e-mail alerts to selected recipients.
Manage password sync and writeback
The AD DS connector account needs elevated rights in the on-premises forest: Replicating Directory Changes and Replicating Directory Changes All for password hash sync; Reset Password, Change Password, Write lockoutTime and Write pwdLastSet on user objects for password writeback. Password writeback also requires Azure AD Premium P1.
Both are enabled as optional features in the Azure AD Connect wizard; writeback must additionally be switched on under Azure AD > Password reset > On-premises integration.
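Granting and verifying those rights for a custom connector account, as an added PowerShell example (not from the original notes). Azure AD Connect's express setup does this for the MSOL_* account it creates; with your own service account you must do it yourself. Run as a Domain Admin on a domain controller or a host with RSAT; the domain DN and account name are placeholders.

```powershell
# Added example, not part of the original notes. Domain DN and account are placeholders.
$domainDn   = "DC=contoso,DC=com"
$svcAccount = "CONTOSO\svc-aadconnect"

# Password hash sync reads hashes through the replication protocol, so the account needs both
# "Replicating Directory Changes" control-access rights on the domain head.
dsacls $domainDn /G "${svcAccount}:CA;Replicating Directory Changes"
dsacls $domainDn /G "${svcAccount}:CA;Replicating Directory Changes All"

# Password writeback: reset/change password on user objects, plus write access to the two attributes
# that clear lockouts and the must-change-at-next-logon flag. /I:S inherits to user objects below.
dsacls $domainDn /I:S /G "${svcAccount}:CA;Reset Password;user"
dsacls $domainDn /I:S /G "${svcAccount}:CA;Change Password;user"
dsacls $domainDn /I:S /G "${svcAccount}:WP;lockoutTime;user"
dsacls $domainDn /I:S /G "${svcAccount}:WP;pwdLastSet;user"

# Verify: every ACE naming the account should be one of the entries above and nothing broader
# (no GenericAll / full control). An account with replication rights can pull every password hash
# in the domain, so keep it out of Domain Admins and protect its credentials like a DC's.
dsacls $domainDn | Select-String -Pattern ([regex]::Escape($svcAccount))

# On the Azure AD Connect server, confirm writeback is switched on for the Azure AD connector
# (ADSync module; the connector name follows the tenant, placeholder shown):
# Get-ADSyncAADPasswordResetConfiguration -Connector "contoso.onmicrosoft.com - AAD"
```

Keep the verification step in your runbook: the replication rights are exactly what a DCSync attack uses, so this account's ACEs and credential handling deserve the same monitoring as a domain controller's.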