AZ-101T04
Securing Identities
MCT USE ONLY. STUDENT USE PROHIBITED
Contents
0 | Welcome (p. 1)
●● Start Here (p. 1)
1 | Introduction to Identity Protection in Azure (p. 5)
●● Role-Based Access Control (p. 5)
●● Azure Active Directory (Refresher) (p. 12)
●● Protecting Privileged Access in the Environment (p. 18)
●● Module 1 Review Questions (p. 24)
2 | Using Multi-Factor Authentication for Secure Access (p. 25)
●● Introducing Multi-Factor Authentication (p. 25)
●● Implementing MFA (p. 31)
●● Module 2 Review Questions (p. 39)
3 | Azure AD Privileged Identity Management (p. 41)
●● Getting Started with PIM (p. 41)
●● PIM Security Wizard (p. 45)
●● PIM Directory Roles (p. 48)
●● PIM for Role Resources (p. 53)
●● Module 3 Review Questions (p. 57)
0 | Welcome
Start Here
Azure Administrator Curriculum
This course is part of a series of courses to help you prepare for Microsoft’s Azure Administrator certification tests. There are two exams:
●● AZ-100, Microsoft Azure Infrastructure and Deployment1, and
●● AZ-101, Microsoft Azure Integration and Security2.
Each exam measures your ability to accomplish certain technical tasks. For example, AZ-101 includes four
study areas, as shown in the table. The percentages indicate the relative weight of each area on the exam.
The higher the percentage, the more questions you are likely to see in that area.
1 https://www.microsoft.com/en-us/learning/exam-az-100.aspx
2 https://www.microsoft.com/en-us/learning/exam-az-101.aspx
theft and compromised identities: Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and Azure Active Directory Privileged Identity Management (PIM). Students learn to implement two-step verification to secure the sign-in process, as well as how to use advanced features like trusted IPs and Fraud Alerts with MFA to customize their identity access strategy. Using Privileged Identity Management, students learn how to apply just the right amount of access rights for just the right amount of time to the various administrative roles as well as to resources.
Level: Intermediate
Audience
This course is for Azure Administrators. Azure Administrators manage the cloud services that span
storage, networking, and compute cloud capabilities, with a deep understanding of each service across
the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations
on services to use for optimal performance and scale, as well as provision, size, monitor and adjust as
appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use
the Azure Portal and as they become more proficient they use PowerShell and the Command Line
Interface.
Prerequisites
Successful Azure Administrators start this role with experience on operating systems, virtualization, cloud
infrastructure, storage structures, and networking.
Expected learning
●● Use Azure RBAC to grant a granular level of access based on an administrator’s assigned tasks.
●● Use Azure Multi-Factor Authentication to configure strong authentication for users at sign-in.
●● Use Azure AD Privileged Identity Management to configure access rights based on just-in-time administration.
Syllabus
This course includes content that will help you prepare for the certification exam. Other content is
included to ensure you have a complete picture of Azure identity. The course content includes a mix of
videos, graphics, reference links, module review questions, and practice labs.
Module 1 – Introduction to Identity Protection in Azure
In this module, you’ll learn about Role-Based Access Control as the foundation for organizing and managing an organization’s administrative access based on the principle of least privilege. You will also review Azure Active Directory concepts and gain insight into the threat landscape and the security risks that IT organizations are exposed to through a breach of privileged access. Lessons include:
●● Role-Based Access Control
●● Azure Active Directory (Refresher)
●● Protecting Privileged Access in the Environment
Module 2 – Using Multi-Factor Authentication for Secure Access
In this module, you’ll learn about securing the sign-in process through Multi-Factor Authentication (MFA).
You’ll learn how MFA works and the differences in implementation between on-premises and cloud
scenarios. You’ll also learn about using conditional access policies to provide more fine-grained control
over apps and resources in your environment.
●● Introducing Multi-Factor Authentication
●● Implementing MFA
Module 3 – Azure AD Privileged Identity Management
In this module, you’ll learn how to use Azure Privileged Identity Management (PIM) to enable just-in-time
administration and control the number of users who can perform privileged operations. You’ll also learn
about the different directory roles available as well as newer functionality that includes PIM being
expanded to role assignments at the resource level. Lessons include:
●● Getting Started with PIM
●● PIM Security Wizard
●● PIM for Directory Roles
●● PIM for Role Resources
✔️ The Managing Identities course also covers Azure RBAC and Azure Active Directory. This content has
been included here also to provide more context and foundation for the remainder of the course.
Study Guide
The Securing Identities objective of the AZ-101 exam consists of three main areas of study: Manage role-based access control (RBAC), Implement Multi-Factor Authentication (MFA), and Implement Azure Active Directory (AD) Privileged Identity Management (PIM). These tables show you what may be included in each test area and where it is covered in this course.
✔️ We recommend you use these tables as a checklist to ensure you are prepared in each area.
✔️ We recommend supplementing your study with a practice test.3 Also, hands-on practice is critical to
understanding these concepts and passing the certification exams. There are several ways to get an
Azure subscription4.
Manage RBAC
3 https://us.mindhub.com/az-100-microsoft-azure-infrastructure-deployment-microsoft-official-practice-test/p/MU-AZ-100
4 https://azure.microsoft.com/en-us/offers/ms-azr-0044p/
✔️ Notice that access is inherited from subscriptions, to resource groups, and then to resources.
Using the Portal to implement RBAC
You can use the Azure Portal to make your role assignments. In this example, the Access Control (IAM) blade of the ContosoBlueAD resource group shows the current roles and scopes. You can add or remove roles as you need. You can add synced users and groups to Azure roles, which enables organizations to centralize the granting of access.
Built-in Roles
Azure AD provides many built-in roles1 to cover the most common security scenarios. To understand
how the roles work we will examine three roles that apply to all resource types:
●● Owner has full access to all resources including the right to delegate access to others.
●● Contributor can create and manage all types of Azure resources but can’t grant access to others.
●● Reader can view existing Azure resources.
Role definition
1 https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (read access, etc.) for the role.
Name: Owner
ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb65
IsCustom: False
Description: Manage everything, including access to resources
Actions: {*}
NotActions: {}
AssignableScopes: {/}
In this example the Owner role means all (*) actions, no denied actions, and all (/) scopes. This information is available with the Get-AzureRmRoleDefinition cmdlet.
✔️ Take a minute to open the Azure Portal, open the Subscriptions or Resource Group blade, and click
Access Control (IAM). Click Add and take a few minutes to review the built-in roles and see which role
you would be most interested in using.
For more information, you can see:
Built-in roles in Azure - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Get-AzureRmRoleDefinition - https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermroledefinition?view=azurermps-5.3.0
Role Definitions
Actions and NotActions
The Actions and NotActions properties can be tailored to grant and deny the exact permissions you need.
Review this table to see how Owner, Contributor, and Reader are defined.
Example 1
Make a role available for assignment in two subscriptions.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”, “/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624”
Example 2
Make a role available for assignment only in the Network resource group.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network”
✔️ Take a minute to open the Azure Portal and use the Access Control blade to add a role and then assign it to a user. Can you see which role assignments your organization would need?
For more information, you can see:
Custom roles access control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles#custom-roles-access-control2
Azure PowerShell
New-AzureRmRoleAssignment -RoleDefinitionName $roleName -SignInName $assigneeName -ResourceGroupName $resourceGroupName
CLI
az role assignment create --role $roleName --assignee $assigneeName --resource-group $resourceGroupName
✔️ If you have created a custom JSON role definition file you can use PowerShell or the CLI to create a
new custom role definition. In the following examples the sysops.json file has the custom definition.
#PowerShell
New-AzureRmRoleDefinition -InputFile .\sysops.json
#CLI
2 https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
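The following is an added worked example, not code from the course or from Azure itself. It models how the properties of a role definition file such as sysops.json combine at evaluation time: effective permissions are Actions minus NotActions, a role can only be assigned at or below one of its AssignableScopes, and an assignment at a subscription or resource group is inherited by the resources beneath it. The role definition, the Id, the subscription GUID and the scope strings are constructed placeholders; wildcard matching uses Python's fnmatch as an approximation of Azure's matching, and only a single assignment is considered (Azure unions every assignment a principal holds and also applies deny assignments).

```python
import fnmatch
import json

# Constructed example of a custom role definition file (the sysops.json of the text).
# The Id and the subscription GUID are placeholders, not real Azure identifiers.
SYSOPS_JSON = """
{
  "Name": "SysOps VM Operator (example)",
  "Id": "00000000-0000-0000-0000-000000000000",
  "IsCustom": true,
  "Description": "Read everything and start/restart VMs; no deletes, no access grants",
  "Actions": [
    "*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/read"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/Network"
  ]
}
"""

# The built-in Owner role as the text shows it: all actions, nothing denied, all scopes.
OWNER = {"Name": "Owner", "IsCustom": False, "Actions": ["*"],
         "NotActions": [], "AssignableScopes": ["/"]}


def load_role(text):
    """Parse a role definition and default the three list properties to empty."""
    role = json.loads(text)
    for key in ("Actions", "NotActions", "AssignableScopes"):
        role.setdefault(key, [])
    return role


def _matches(patterns, action):
    # Operation strings are compared case-insensitively and '*' is a wildcard;
    # fnmatch models that well enough for this illustration (assumption).
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def role_permits(role, action):
    """Effective permissions are Actions minus NotActions."""
    return _matches(role["Actions"], action) and not _matches(role["NotActions"], action)


def scope_contains(parent, child):
    """Access is inherited downward: subscription -> resource group -> resource."""
    p = parent.rstrip("/").lower()
    c = child.rstrip("/").lower()
    return c == p or c.startswith(p + "/")


def assignment_valid(role, assigned_scope):
    """A role may only be assigned at, or below, one of its AssignableScopes."""
    return any(scope_contains(s, assigned_scope) for s in role["AssignableScopes"])


def is_allowed(role, assigned_scope, action, resource_scope):
    """Would a principal holding `role` at `assigned_scope` be allowed `action`
    on the resource at `resource_scope`? Single assignment only (see lead-in)."""
    return (assignment_valid(role, assigned_scope)
            and scope_contains(assigned_scope, resource_scope)
            and role_permits(role, action))


if __name__ == "__main__":
    sysops = load_role(SYSOPS_JSON)
    rg = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/Network"
    vm = rg + "/providers/Microsoft.Compute/virtualMachines/vm01"
    for action in ("Microsoft.Compute/virtualMachines/start/action",
                   "Microsoft.Compute/virtualMachines/delete",
                   "Microsoft.Authorization/roleAssignments/read"):
        print(f"{action}: {is_allowed(sysops, rg, action, vm)}")
```

Two things to notice when running it: the NotActions entry removes the ability to read role assignments even though "*/read" would otherwise grant it, and the same role assigned at the subscription level is rejected because the subscription is above the only scope listed in AssignableScopes.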
Role-based access control (RBAC) is the way that you manage access to resources in Azure. In this Quickstart, you grant a user access to create and manage virtual machines in a resource group. Take a few minutes to work through Grant access for a user using RBAC and the Azure portal3. This Quickstart steps through the basics of:
●● Creating a resource group in the Azure portal.
●● Assigning a user to a role.
●● Removing the created role assignment.
Using PowerShell
Next, try the following tutorial4 to grant a user access to view all resources in a subscription and manage
everything in a resource group using Azure PowerShell. In this tutorial you will:
●● Create a user
●● Create a resource group
●● Use the Get-AzureRMRoleAssignment command to list the role assignments
●● Use the Remove-AzureRmResourceGroup command to remove access
3 https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
4 https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell
●● Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single
sign-on to cloud and on-premises applications including Microsoft Office 365 and thousands of SaaS
applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box.
●● Works with iOS, Mac OS X, Android, and Windows devices. Users can launch applications from a
personalized web-based access panel, mobile app, Office 365, or custom company portals using their
existing work credentials—and have the same experience whether they’re working on iOS, Mac OS X,
Android, and Windows devices.
●● Protect on-premises web applications with secure remote access. Access your on-premises web
applications from everywhere and protect with multi-factor authentication, conditional access policies,
and group-based access management. Users can access SaaS and on-premises web apps from the
same portal.
●● Easily extend Active Directory to the cloud. Connect Active Directory and other on-premises
directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups,
passwords, and devices across both environments.
●● Protect sensitive data and applications. Enhance application access security with unique identity
protection capabilities that provide a consolidated view into suspicious sign-in activities and potential
vulnerabilities. Take advantage of advanced security reports, notifications, remediation recommendations and risk-based policies to protect your business from current and future threats.
●● Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as
resetting passwords and the creation and management of groups to your employees. Providing
self-service application access and password management through verification steps can reduce
helpdesk calls and enhance security.
✔️ What reasons do you have for considering Azure Active Directory?
For more information, you can see:
The Azure Active Directory Pricing5 page has detailed information on what is included in each of the
editions.
●● Azure Active Directory Free. Designed to introduce system administrators to Azure Active Directory.
This version includes common features such as directory objects, user/group management, single
sign-on, self-service password change, on-premises connect, and security/usage reports.
●● Azure Active Directory Basic. Designed for task workers with cloud-first needs, this edition provides
cloud centric application access and self-service identity management solutions. With the Basic
edition of Azure Active Directory, you get productivity enhancing and cost reducing features like
group-based access management, self-service password reset for cloud applications, and Azure Active
Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all
backed by an enterprise-level SLA of 99.9 percent uptime.
●● Azure Active Directory Premium P1. Designed to empower organizations with more demanding
identity and access management needs, Azure Active Directory Premium edition adds feature-rich
enterprise-level identity management capabilities and enables hybrid users to seamlessly access
on-premises and cloud capabilities. This edition includes everything you need for information worker
and identity administrators in hybrid environments across application access, self-service identity and
access management (IAM), and security in the cloud.
●● Azure Active Directory Premium P2. Azure Active Directory Premium P2 includes every feature of all
other Azure Active Directory editions enhanced with advanced identity protection and privileged
identity management capabilities.
✔️ Did you look through the pricing list to determine which features your organization needs?
5 https://aka.ms/edx-azure204x-az3
Suggested Answer ↓
The Contributor built-in role can create and manage all types of Azure resources, but can't grant access
to others. Contributor is one of three basic roles in Azure that apply to all resource groups. The others are
Owner - which has full access to all resources, including the right to delegate access to others, and
Reader - which can only view all existing Azure resources. To create a custom role, you would use PowerShell, the CLI, or a REST API.
Suggested Answer ↓
Although the list is by no means conclusive, and you may identify others not listed, here are several characteristics of Azure AD that make it different to AD DS: Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications; because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization). Also, Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).
Credential Theft
What are some common ways in which attackers use credential theft to gain access and control of IT
environments?
Suggested Answer ↓
A common way in which an attacker initially gains access to environments is through phishing attacks or malware in which a local administrator account at the Tier 2 level is compromised. Those accounts can then serve as a way for the attacker to move laterally, stealing and compromising more hosts and credentials, and quickly moving into Tier 1 server admin levels with the objective of acquiring Domain Admin credentials. Once they obtain domain admin credentials, attackers can not only steal, alter, delete or destroy business data and systems, but they can also persist their presence, undetected, so that they can gain access to the system again at a later date.
2 | Using Multi-Factor Authentication for Secure Access
The security of MFA two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. Authentication methods include:
●● Something you know (typically a password)
●● Something you have (a trusted device that is not easily duplicated, like a phone)
●● Something you are (biometrics)
✔️ Can you think of any ways to overcome the two-step authentication? For example, phishing, stolen
devices, or malware.
For more information, you can see:
Mitigate threats with real-time monitoring and alerts. MFA helps protect your business with security
monitoring and machine-learning-based reports that identify inconsistent sign-in patterns. To help
mitigate potential threats, real-time alerts notify your IT department of suspicious account credentials.
Deploy on-premises or on Azure. Use MFA Server on your premises to help secure VPNs, Active Directory Federation Services, IIS web applications, Remote Desktop, and other remote access applications using RADIUS and LDAP authentication. Add an extra verification step to your cloud-based applications and services by turning on Multi-Factor Authentication in Azure Active Directory.
Use with Office 365, Salesforce, and more. MFA for Office 365 helps secure access to Office 365 applications at no additional cost. Multi-Factor Authentication is also available with Azure Active Directory Premium and thousands of software-as-a-service (SaaS) applications, including Salesforce, Dropbox, and other popular services.
Add protection for Azure administrator accounts. MFA adds a layer of security to your Azure administrator account at no additional cost. When it's turned on, you need to confirm your identity to create a virtual machine, manage storage, or use other Azure services.
✔️ Is your organization using MFA? Do you see a need for the feature?
For more information, you can see:
Multi-Factor Authentication - https://azure.microsoft.com/en-us/services/multi-factor-authentication/
Once you have located the global administrator of choice you can Enable MFA.
✔️ Remember you can only enable MFA for organizational accounts stored in Active Directory. These are
also called work or school accounts.
For more information, you can see:
Enforce multi-factor authentication (MFA) for subscription administrators - https://docs.microsoft.com/en-us/azure/security/azure-security-global-admin
Implementing MFA
Video - How MFA Works
✔️ This is an older video that refers to Windows Azure, but it is still very relevant and provides an excellent recap of the concepts behind MFA. Windows Azure is now Microsoft Azure.
Here is what happens when somebody attempts to connect to a resource which is being secured by
Azure AD MFA:
On-premises MFA authentication
If the service is on-premises, the local MFA authentication service validates the initial sign-in by passing the authentication request to the on-premises Active Directory.
If the correct credentials were entered and validated, the request is then forwarded to the Azure MFA authentication server. The Azure MFA server then sends an additional verification challenge to the user. The methods that can easily be configured are:
●● Phone Call. A call is placed to the user’s registered phone.
●● Text Message. A six-digit code is sent to the user’s cell phone.
●● Mobile App Notification. A verification request is sent to the user’s smartphone, asking them to complete the verification by selecting Verify in the mobile app.
●● Mobile app verification code. A six-digit code is sent to the user’s mobile app. This code is then entered on the sign-in page.
●● Open Authentication (OATH) compliant tokens. These can also be used as a verification method.
Azure MFA authentication
If the service is running in Azure, your sign-in request is first sent to Azure Active Directory for initial validation, and then on to the MFA authentication server running in Azure. Validation then continues as above.
✔️ MFA gives the requesting user assurance that someone cannot easily impersonate them. MFA should be required on all services, and certainly on mobile services.
Let’s briefly look at the user settings that are available for MFA. Allow users to create app passwords to
sign in to non-browser apps. This would be applicable to older applications like Outlook 2010.
✔️ Notice if you are not using the Authenticator App then the last two verification options may not
apply.
The last selection is to cache passwords so that users do not have to authenticate on trusted devices. The
number of days before a user must re-authenticate on trusted devices can also be configured with the
value from 1 to 60 days. The default is 14 days.
When MFA is required, the first time a user logs in they will be prompted to configure their settings.
[Screenshot: the additional security configuration page, where a user sets the form of authentication required as well as the specific method by which the authentication is provided; for example, with phone authentication, either “send me a code by text message” or “call me.”]
Authentication Methods
It’s common to hear news reports of passwords being stolen and identities being compromised. Requiring a second factor in addition to a password immediately increases the security of your organization. For this reason, Azure Active Directory (Azure AD) includes features, like Azure MFA and Azure AD self-service password reset (SSPR), to help administrators protect their organizations and users with additional authentication methods.
When a user needs to access a sensitive application, reset their password, or enable Windows Hello, they may be asked to provide additional verification that they are who they say they are. Additional verification may come in the form of authentication methods such as:
●● A code provided in an email or text message.
●● A phone call.
●● A notification or code on their phone.
●● Answers to security questions.
Azure MFA and Azure AD SSPR give administrators control over configuration, policy, monitoring, and
reporting using Azure AD and the Azure portal to protect their organizations.
✔️ Azure AD self-service password reset (SSPR) was covered in the Managing Identities course. The
following topic provides a high-level comparison of MFA and SSPR in terms of which feature supports
which authentication method.
✔️ On first-time sign-in, after MFA has been enabled, users are prompted to configure their MFA settings. For example, if you enable MFA so that users must use a mobile device, users will be prompted to configure their mobile device for MFA. Users must complete those steps before they are permitted to sign in; until they have validated that their mobile device is MFA-compliant, they cannot sign in.
Trusted IPs
Trusted IPs is a feature that allows federated users or IP address ranges to bypass two-step authentication. Notice there are two selections in this screenshot.
Which selections you can make depends on whether you have managed or federated tenants.
●● Managed tenants. For managed tenants, you can specify IP ranges that can skip MFA.
●● Federated tenants. For federated tenants, you can specify IP ranges, and you can also exempt AD FS claims users.
✔️ The Trusted IPs bypass works only from inside of the company intranet. If you select the All Federated
Users option and a user signs in from outside the company intranet, the user must authenticate by using
two-step verification. The process is the same even if the user presents an AD FS claim.
For more information, you can see:
Trusted IPs - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips1
One-time Bypass
The one-time bypass feature allows a user to authenticate a single time without performing two-step
verification. The bypass is temporary and expires after a specified number of seconds.
✔️ In situations where the mobile app or phone is not receiving a notification or phone call, you can
allow a one-time bypass, so the user can access the desired resource.
For more information, you can see:
Bypass options - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass
1 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
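As an added example (not code from the course or from the Azure MFA service), the decision logic below puts the three bypass mechanisms described in this lesson side by side: Trusted IP ranges (managed and federated tenants), the AD FS claim exemption that federated tenants can add but that only applies inside the company intranet, the one-time bypass that expires after a set number of seconds, and the remember-on-trusted-device setting of 1 to 60 days (default 14). The settings objects, user names, IP addresses and times are constructed; the order in which the checks are tried is this example's choice, not a documented evaluation order.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2024, 1, 15, 9, 0)   # constructed reference time for the scenarios below


@dataclass
class MfaSettings:
    """Tenant-level MFA service settings named in the text."""
    federated_tenant: bool                  # managed (False) or federated (True) tenant
    trusted_ip_ranges: list                 # CIDR ranges entered under Trusted IPs
    skip_for_federated_claim: bool = False  # the "All Federated Users" option (federated only)
    remember_device_days: int = 14          # 1 to 60 days, default 14

    def __post_init__(self):
        if not 1 <= self.remember_device_days <= 60:
            raise ValueError("remember_device_days must be between 1 and 60")
        if self.skip_for_federated_claim and not self.federated_tenant:
            raise ValueError("the AD FS claim exemption exists only for federated tenants")
        self._nets = [ipaddress.ip_network(r) for r in self.trusted_ip_ranges]

    def ip_is_trusted(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self._nets)


@dataclass
class SignIn:
    """A sign-in whose password has already been validated."""
    user: str
    source_ip: str
    inside_intranet: bool
    presents_adfs_claim: bool = False
    device_remembered_at: Optional[datetime] = None


class OneTimeBypassStore:
    """Administrator-granted bypasses: single use, expiring after a number of seconds."""
    def __init__(self):
        self._grants = {}

    def grant(self, user, issued_at, seconds):
        self._grants[user] = (issued_at, seconds)

    def consume(self, user, now):
        grant = self._grants.pop(user, None)   # single use: removed whether or not expired
        if grant is None:
            return False
        issued_at, seconds = grant
        return now - issued_at <= timedelta(seconds=seconds)


def second_factor_required(settings, signin, bypasses, now):
    """Return (required, reason). The order of the checks is this example's choice."""
    if bypasses.consume(signin.user, now):
        return False, "one-time bypass"
    # Trusted IPs: the bypass is intended for sign-ins from inside the company intranet.
    if signin.inside_intranet and settings.ip_is_trusted(signin.source_ip):
        return False, "trusted IP range"
    # Federated tenants can also exempt users presenting an AD FS claim, but only from
    # inside the intranet; from outside, the claim does not remove the prompt.
    if (settings.federated_tenant and settings.skip_for_federated_claim
            and signin.presents_adfs_claim and signin.inside_intranet):
        return False, "federated user inside intranet"
    if (signin.device_remembered_at is not None
            and now - signin.device_remembered_at < timedelta(days=settings.remember_device_days)):
        return False, "remembered device"
    return True, "two-step verification required"


def demo():
    """Run the scenarios the text describes and return each decision by label."""
    managed = MfaSettings(federated_tenant=False, trusted_ip_ranges=["203.0.113.0/24"])
    federated = MfaSettings(federated_tenant=True, trusted_ip_ranges=["203.0.113.0/24"],
                            skip_for_federated_claim=True)
    bypasses = OneTimeBypassStore()
    bypasses.grant("carol", NOW - timedelta(seconds=100), seconds=300)   # still valid
    bypasses.grant("dave", NOW - timedelta(seconds=400), seconds=300)    # already expired
    outside_ip = "198.51.100.7"                                          # not a trusted range
    return {
        "managed, trusted IP, inside": second_factor_required(
            managed, SignIn("alice", "203.0.113.10", True), bypasses, NOW),
        "managed, public IP, outside": second_factor_required(
            managed, SignIn("alice", outside_ip, False), bypasses, NOW),
        "federated, claim, inside": second_factor_required(
            federated, SignIn("bob", outside_ip, True, presents_adfs_claim=True), bypasses, NOW),
        "federated, claim, outside": second_factor_required(
            federated, SignIn("bob", outside_ip, False, presents_adfs_claim=True), bypasses, NOW),
        "one-time bypass valid": second_factor_required(
            managed, SignIn("carol", outside_ip, False), bypasses, NOW),
        "one-time bypass expired": second_factor_required(
            managed, SignIn("dave", outside_ip, False), bypasses, NOW),
        "remembered device, 10 days": second_factor_required(
            managed, SignIn("erin", outside_ip, False,
                            device_remembered_at=NOW - timedelta(days=10)), bypasses, NOW),
        "remembered device, 20 days": second_factor_required(
            managed, SignIn("erin", outside_ip, False,
                            device_remembered_at=NOW - timedelta(days=20)), bypasses, NOW),
    }
```

The scenario to pay attention to is "federated, claim, outside": the same AD FS claim that removes the prompt inside the intranet makes no difference from outside, which is the point the lesson makes about the All Federated Users option. Every bypass in this model is a reason string that can be logged, so a sign-in report can later show why a second factor was skipped.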
Fraud Alerts
Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources. Users can report fraud attempts by using the mobile app or through their phone.
Block user when fraud is reported. If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report and take appropriate action to prevent future fraud. An administrator can then unblock the user's account.
Code to report fraud during initial greeting. When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.
✔️ The default voice greetings from Microsoft instruct users to press 0# to submit a fraud alert. If you
want to use a code other than 0, record and upload your own custom voice greetings with appropriate
instructions for your users.
For more information, you can see:
Turn on fraud alerts - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#turn-on-fraud-alerts3
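As an added example (not the course's or Microsoft's code), the small model below shows how the two fraud-alert settings interact when a user answers the verification call: pressing # alone confirms the sign-in, pressing the fraud code (0 unless customized) before # reports fraud, and, with blocking enabled, the account stays blocked for 90 days unless an administrator unblocks it sooner. How unexpected keypad input is handled, and the audit trail kept for the sign-in report, are this example's own choices; user names and times are constructed.

```python
from datetime import datetime, timedelta

BLOCK_DAYS = 90                      # per the text: 90 days, or until an administrator unblocks
T0 = datetime(2024, 3, 1, 10, 0)     # constructed time of the verification call


def days_after(t, n):
    return t + timedelta(days=n)


class FraudAlertPolicy:
    """Models 'Code to report fraud during initial greeting' and 'Block user when
    fraud is reported' for the phone-call verification method."""

    def __init__(self, fraud_code="0", block_user_on_fraud=True):
        if not fraud_code.isdigit():
            raise ValueError("the fraud code must be keypad digits")
        self.fraud_code = fraud_code
        self.block_user_on_fraud = block_user_on_fraud
        self._blocked_until = {}      # user -> datetime the block expires
        self.events = []              # (time, user, outcome) for the sign-in report

    def handle_call_response(self, user, keys, now):
        """Interpret the digits the user pressed during the call.
        '#' alone confirms, '<fraud code>#' reports fraud; anything else is treated
        as not confirmed (this example's choice for unexpected input)."""
        if not keys.endswith("#"):
            return "not confirmed"
        entered = keys[:-1]
        if entered == "":
            self.events.append((now, user, "approved"))
            return "approved"
        if entered == self.fraud_code:
            self.events.append((now, user, "fraud reported"))
            if self.block_user_on_fraud:
                self._blocked_until[user] = now + timedelta(days=BLOCK_DAYS)
            return "fraud reported"
        self.events.append((now, user, "unrecognised code"))
        return "not confirmed"

    def is_blocked(self, user, now):
        until = self._blocked_until.get(user)
        return until is not None and now < until

    def admin_unblock(self, user):
        """An administrator has reviewed the sign-in report and clears the block early."""
        self._blocked_until.pop(user, None)


def demo():
    """Walk one reported fraud through the block lifecycle and return the observations."""
    policy = FraudAlertPolicy()                       # default code 0, blocking on
    policy.handle_call_response("alice", "0#", T0)
    out = {"blocked after report": policy.is_blocked("alice", T0),
           "blocked 89 days later": policy.is_blocked("alice", days_after(T0, 89)),
           "blocked 91 days later": policy.is_blocked("alice", days_after(T0, 91))}
    policy.admin_unblock("alice")
    out["blocked after admin unblock"] = policy.is_blocked("alice", T0)
    lenient = FraudAlertPolicy(block_user_on_fraud=False)
    lenient.handle_call_response("bob", "0#", T0)
    out["blocked when setting is off"] = lenient.is_blocked("bob", T0)
    return out
```

With a custom code, the default "0#" is no longer recognised as a fraud report, which is why the lesson says to record a custom greeting whenever the code is changed. The events list is where a defender would look: every "fraud reported" entry is a prompt to review that user's sign-ins before unblocking.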
To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud
apps using a user name and a password. However, some environments may have scenarios where it
would be advisable to require a strong form of account verification.
Take a few minutes to try this Quickstart4, where you configure an Azure AD conditional access policy
that requires multi-factor authentication (MFA) for a selected cloud app in your environment.
If you decide to try this Quickstart, you will need:
●● Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium
capability.
3 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
4 https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
●● A test account called Isabella Simonsen. If you don't know how to create a test account, see Add
cloud-based users [5].
The specific tasks in this Quickstart include:
●● Create the required conditional access policy.
●● Evaluate a simulated sign in.
●● Test the conditional access policy.
✔️ If you can’t meet the prerequisites, read through the steps instead.
For more information, you can see:
What is conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Take a minute to try the Tutorial: Complete an Azure Multi-Factor Authentication pilot roll out [6]. This
tutorial walks you through configuring a conditional access policy that enables Azure MFA when
logging in to the Azure portal. The policy is deployed to and tested on a specific group of pilot users. You
will learn how to:
●● Enable Azure Multi-Factor Authentication.
●● Test Azure Multi-Factor Authentication.
✔️ Deployment of Azure MFA using conditional access provides significant flexibility for organizations
and administrators compared to the traditional enforced method.
For more information, you can see:
Quickstart: Add new users to Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
Create a group and add members in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
5 https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
6 https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-mfa-applications
Module 2 Review Questions
Suggested Answer ↓
MFA authentication methods include: something the user knows (typically a password), something a user
has (such as a trusted device that is not easily duplicated, like a phone), and something a user is
(biometrics). Azure MFA is included free of charge for global administrators.
Trusted IPs
What functionality does Trusted IPs provide? How do you select its different options?
Suggested Answer ↓
Trusted IPs is a feature that allows federated users or IP address ranges to bypass two-step
authentication. The options you select depend on whether you have managed or federated tenants. For managed
tenants, you can specify IP ranges that can skip MFA. And for federated tenants, you can specify IP ranges
and you can also exempt AD FS claims users.
Suggested Answer ↓
The three questions that you need to ask when determining the type of MFA you want to implement are:
what are you trying to secure, where are your users located, and what features do you need? For
example, if you were trying to secure remote access such as VPN while using Azure AD and on-premises AD
with AD FS, and you wanted to implement conditional access policies, you would use MFA Server.
3 | Azure AD Privileged Identity Management
Azure AD PIM
Azure AD Privileged Identity Management (PIM), also known as just-in-time administration, is a
cloud-based service designed to protect your cloud-based resources. With Azure AD PIM you can minimize the
number of users who can execute privileged operations in Azure AD, Azure, Office 365, or SaaS
applications. Azure AD PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.
●● Enable on-demand, “just in time” administrative access to Microsoft Online Services like Office 365
and Intune, and to Azure resources of subscriptions, resource groups, and individual resources such as
virtual machines.
●● See a history of administrator activation, including what changes administrators made to Azure
resources (Preview).
●● Get alerts about changes in administrator assignments.
●● Require approval to activate Azure AD privileged admin roles.
●● Review membership of administrative roles and require users to provide a justification for continued
membership.
✔️ Azure AD PIM can manage users assigned to the built-in Azure AD organization roles, such as Global
Administrator. PIM can also manage the users and groups assigned via Azure RBAC roles, including
Owner or Contributor.
✔️ When you enable PIM for your tenant, a valid Azure AD Premium P2 or Enterprise Mobility + Security
E5 paid or trial license is required for each user that interacts with or receives a benefit from the service.
For more information, you can see:
Azure AD PIM - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Azure Active Directory Privileged Identity Management subscription requirements - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements
PIM Tasks
Once Azure AD Privileged Identity Management is set up, you will see the navigation blade whenever you
open the application.
●● My Roles displays a list of eligible and active roles assigned to you. This is where you can activate any
assigned eligible roles.
●● Approve Requests displays a list of requests to activate eligible Azure AD directory roles by users in
your directory, which you are designated to approve.
●● Pending Requests displays any of your pending requests to activate eligible role assignments.
●● Review Access lists active access reviews you are assigned to complete, whether you're reviewing
access for yourself or someone else.
●● Azure AD directory roles displays the dashboard for privileged role administrators to manage role
assignments, change role activation settings, start access reviews, and more. This dashboard is
disabled for anyone who isn't a privileged role administrator.
●● Azure Resource roles displays a list of subscription resources for which you have role assignments.
✔️ At the time of writing, some Azure PIM features are in Preview. Like all Azure features and
functionality, this is subject to frequent change, so we don’t always identify when a feature is in preview, unless
there is a specific reason to do so.
✔️ Take a few minutes to locate the PIM blade and review the tasks.
For more information, you can see:
Navigate to your tasks - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started#navigate-to-your-tasks [1]
PIM Access
The global administrator who enables Azure AD Privileged Identity Management (PIM) for an
organization automatically gets role assignments and access to PIM. No one else gets write access by default,
though, including other global administrators. Other global administrators, security administrators, and
security readers have read-only access to Azure AD PIM. To give access to PIM, the first user can assign
others to the Privileged role administrator role.
Whenever you assign a new role to someone, they are automatically set up as eligible to activate the role.
If you want to make them permanent in the role, click the user in the list, then select Make perm in the user
information menu.
✔️ Managing Azure AD PIM requires Azure MFA. Since Microsoft accounts cannot register for Azure MFA,
a user who signs in with a Microsoft account cannot access Azure AD PIM.
For more information, you can see:
1 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
PIM Dashboard
You can use a resource dashboard to perform an access review in Privileged Identity Management (PIM)
for Azure resources. The Admin View dashboard has three primary components:
●● A graphical representation of resource role activations.
●● Two charts that display the distribution of role assignments by assignment type.
●● A data area pertaining to new role assignments.
Learn how to discover and manage Azure resources when you use Privileged Identity Management (PIM)
in Azure Active Directory (Azure AD). This information can be helpful to organizations that already use
PIM to protect administrator resources, and to subscription owners who are looking to secure production
resources.
Take a few minutes to try Discover Resources [3].
✔️ You can only search for and select subscription resources to manage by using PIM. When you manage
a subscription in PIM, you can also manage child resources in the subscription.
For more information, you can see:
Discover and manage Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources
2 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim
3 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources
PIM Security Wizard
✔️ It is important that you have at least one global administrator, and more than one privileged role
administrator with an organizational account (not a Microsoft account). If there is only one privileged role
administrator, the organization will not be able to manage PIM if that account is deleted.
✔️ After you have made changes, the wizard will no longer show up. The next time you or another
privileged role administrator use PIM, you will see the PIM dashboard.
For more information, you can see:
Using the security wizard in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-security-wizard
●● Activations. The time, in hours, that a role stays active before it expires. This can be between 1 and 72
hours.
●● Notifications. You can choose whether the system sends emails to admins confirming that they have
activated a role. This can be useful for detecting unauthorized or illegitimate activations.
●● Incident/Request Ticket. You can choose whether to require eligible admins to include a ticket
number when they activate their role. This can be useful when you perform role access audits.
●● Multi-Factor Authentication. You can choose whether to require users to verify their identity with
MFA before they can activate their roles. They only verify this once per session, not every time they
activate a role. Remember users who have Microsoft accounts for their email addresses (typically @
outlook.com, but not always) cannot register for Azure MFA. If you want to assign roles to users with
Microsoft accounts, you should either make them permanent admins or disable MFA for that role.
✔️ You cannot disable MFA for highly privileged roles for Azure AD and Office 365. Do you see why?
For more information, you can see:
How to manage role activation settings in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings
Email Notifications - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications
●● Global administrator (also known as Company administrator) has access to all administrative
features. The person who signs up to purchase Office 365 automatically becomes a global admin. You
can have more than one global admin in your organization.
●● Privileged role administrator manages Azure AD PIM and updates role assignments for other users.
●● Billing administrator makes purchases, manages subscriptions, manages support tickets, and
monitors service health.
●● Password administrator resets passwords, manages service requests, and monitors service health.
Password admins are limited to resetting passwords for users.
●● Service administrator manages service requests and monitors service health.
✔️ Is there anyone, other than the Global Administrator, in your organization that needs a permanent
role assignment? Which roles are you interested in using PIM to make assignments?
For more information, you can see:
Directory roles you can manage using Azure AD PIM - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-roles
Alerts are categorized into three areas: High (immediate action is needed), Medium (signals a potential
policy violation), and Low (suggests a preferable policy change). Here are some common alerts:
“Roles are being activated too frequently” alert
This alert triggers if a user activates the same privileged role multiple times within a specified period. You
can configure both the time (days, hours, and minutes) and the number of activations (2 to 100).
“There are too many global administrators” alert
PIM triggers this alert if two different criteria are met, and you can configure both. First, you need to
reach a certain threshold of global administrators (2 to 100). Second, a certain percentage (0 to 100%) of
your total role assignments must be global administrators.
“Administrators aren't using their privileged roles” alert
This alert triggers if a user goes a certain amount of time without activating a role. Specify the number of
days, from 0 to 100, that a user can go without activating a role.
✔️ PIM will also alert you if roles are being assigned outside of PIM. This is a high severity alert. You
should immediately check the users in the list and un-assign them from privileged roles assigned outside
of PIM.
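The three configurable alerts above, plus the outside-PIM check, as an added Python example that is not part of the course and not Azure's own alert engine: each rule is evaluated over constructed activation and assignment records for a fictional tenant. The record layout, the user names and the thresholds passed in are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for a fictional tenant (not from the course):
# role activations as (user, role, ISO timestamp) and current assignments
# as (user, role, assigned_via_pim).
ACTIVATIONS = [
    ("alice", "Global Administrator", "2019-03-01T08:00:00"),
    ("alice", "Global Administrator", "2019-03-01T09:30:00"),
    ("alice", "Global Administrator", "2019-03-01T11:00:00"),
    ("bob", "Security Administrator", "2019-01-15T10:00:00"),
    ("carol", "Global Administrator", "2019-03-02T14:00:00"),
]
ASSIGNMENTS = [
    ("alice", "Global Administrator", True),
    ("bob", "Security Administrator", True),
    ("carol", "Global Administrator", True),
    ("dave", "Global Administrator", True),
    ("erin", "Password Administrator", True),
    ("frank", "Global Administrator", False),  # granted outside PIM
]
NOW = datetime(2019, 3, 3)  # evaluation time for the idle check


def frequent_activations(activations, window_hours, max_activations):
    """'Roles are being activated too frequently': the same user activates
    the same role max_activations or more times inside any window."""
    window = timedelta(hours=window_hours)
    by_key = defaultdict(list)
    for user, role, ts in activations:
        by_key[(user, role)].append(datetime.fromisoformat(ts))
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        for i, start in enumerate(times):
            # sliding window anchored at each activation in turn
            if sum(1 for t in times[i:] if t - start <= window) >= max_activations:
                flagged.add(key)
                break
    return flagged


def too_many_global_admins(assignments, min_count, min_percent):
    """'There are too many global administrators': both the absolute
    threshold and the percentage of all role assignments must be met."""
    total = len(assignments)
    gas = sum(1 for _, role, _ in assignments if role == "Global Administrator")
    return gas >= min_count and 100.0 * gas / total >= min_percent


def unused_roles(assignments, activations, now, max_idle_days):
    """'Administrators aren't using their privileged roles': a PIM-managed
    assignment has not been activated within max_idle_days (or ever)."""
    last = {}
    for user, role, ts in activations:
        t = datetime.fromisoformat(ts)
        last[(user, role)] = max(t, last.get((user, role), t))
    idle = set()
    for user, role, via_pim in assignments:
        if not via_pim:
            continue  # reported by assigned_outside_pim instead
        t = last.get((user, role))
        if t is None or now - t > timedelta(days=max_idle_days):
            idle.add((user, role))
    return idle


def assigned_outside_pim(assignments):
    """High severity: privileged roles granted without going through PIM;
    the lesson says to un-assign these immediately."""
    return {(user, role) for user, role, via_pim in assignments if not via_pim}
```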
For more information, you can see:
How to configure security alerts in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
The Azure AD Privileged Identity Management (PIM) service also allows privileged role administrators to
make permanent directory role assignments. Additionally, privileged role administrators can make users
eligible for directory roles. An eligible administrator can activate the role when they need it, and then
their permissions expire once they're done. Take a few minutes and try it for yourself: Assign directory
roles to users using Azure AD PIM [4].
If you have been made eligible for an administrative role, that means you can activate that role when you
need to perform privileged actions. Take a few minutes and try the How to activate or deactivate roles in
Azure AD Privileged Identity Management [5] tutorial.
4 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
5 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role
PIM Directory Roles
With Azure AD Privileged Identity Management (PIM), you can manage, control, and monitor access
within your organization. This scope includes access to Azure resources, Azure AD and other Microsoft
online services like Office 365 or Microsoft Intune.
As you've already learned in this lesson, Azure PIM simplifies how you manage privileged access to
resources in Azure, and other services. From role activation or deactivation to setting up security alerts for
suspicious or unsafe activity in your environment, and many other tasks - PIM helps minimize your
environment's attack surface by more granular control of the roles that have administrative access and
sets of privileges.
There are many things to explore and try in this practice. As you have time, try or review any of the
following tasks.
●● How to give other admins access to PIM [6]
●● How to add or remove a user role [7]
●● How to activate or deactivate a role [8]
●● How to change or view the default activation settings for a role [9]
●● How to configure security alerts [10]
6 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim
7 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
8 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role
9 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings
10 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
PIM for Role Resources
✔️ Do you see how PIM for Role Resources is different from PIM for Directory Roles?
For more information you can see:
Activate roles for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles
Assign Roles
Role assignments can be Just in time or Direct.
[Screenshot of the New assignment page in the portal: “Membership settings” pane with the "Assignment type" box and the related check box.]
●● Just in time. Provides the user or group members with eligible but not persistent access to the role
for a specified period or indefinitely (if configured in role settings).
●● Direct. Does not require the user or group members to activate the role assignment (known as
persistent access).
✔️ We recommend using direct assignment for short-term use, where access won’t be required when the
task is complete. Examples are on-call shifts and time-sensitive activities.
For more information, you can see:
Manage security alerts for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts
The severity levels (high, medium, and low) are also the same, but the substance of the alert is different.
1. Bob, a resource administrator, uses PIM to assign Alice as an eligible member to the owner role in the
Contoso subscription. With this assignment, Alice is an eligible owner of all resource groups (Test, Dev,
and Prod) within the subscription. Alice is also an eligible owner of all resources (like virtual machines)
within each resource group of the subscription.
2. Bob uses PIM to require all members in the owner role of the subscription request approval to be
activated. To help protect the resources in the Prod resource group, Bob also requires approval for
members of the owner role of this resource. The owner roles in Test and Dev do not require approval
for activation.
3. When Alice requests activation of her owner role for the subscription, an approver must approve or
deny her request before she becomes active in the role. If Alice decides to scope her activation to the
Prod resource group, an approver must approve or deny this request, too. But if Alice decides to
scope her activation to either or both Test and Dev, approval is not required.
✔️ You can selectively apply workflows. For example, if you have contract associates you could create a
custom role for access to the Prod resource group. You could then configure PIM to require members of
that role, and only that role, to be approved.
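The Bob and Alice scenario above, together with the selective-workflow note, as an added Python model that is not part of the course and not Azure PIM's own implementation: an eligible assignment made at the subscription is inherited by every resource group beneath it, while the approval requirement is read from the role settings of the scope being activated. The scope ids, the contractor account and the custom role name "Prod Operator" are constructed for the example.

```python
# Constructed model of the lesson's scenario (example code, not Microsoft's).
# Scope -> parent scope; None marks the subscription at the top of the tree.
SUB = "/subscriptions/contoso"
PARENT = {
    SUB: None,
    SUB + "/resourceGroups/Test": SUB,
    SUB + "/resourceGroups/Dev": SUB,
    SUB + "/resourceGroups/Prod": SUB,
}

# Eligible assignments as (user, role, scope). Bob made Alice eligible for
# Owner at the subscription; a contractor (constructed) is eligible only for
# a custom role scoped to Prod, as the selective-workflow note suggests.
ELIGIBLE = {
    ("alice", "Owner", SUB),
    ("cathy-contractor", "Prod Operator", SUB + "/resourceGroups/Prod"),
}

# Role settings per (scope, role): whether activation needs an approver.
# Bob required approval for Owner at the subscription and at Prod only;
# Test and Dev keep the default of no approval.
REQUIRES_APPROVAL = {
    (SUB, "Owner"): True,
    (SUB + "/resourceGroups/Prod", "Owner"): True,
    (SUB + "/resourceGroups/Prod", "Prod Operator"): True,
}


def enclosing_scopes(scope):
    """Yield the scope itself, then each parent up to the subscription."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


def is_eligible(user, role, scope):
    """An eligible assignment applies to the assigned scope and all of its
    child scopes (an eligible subscription Owner is eligible in every RG)."""
    return any((user, role, s) in ELIGIBLE for s in enclosing_scopes(scope))


def request_activation(user, role, scope):
    """Outcome of an activation request narrowed to `scope`."""
    if scope not in PARENT:
        return "rejected: unknown scope"
    if not is_eligible(user, role, scope):
        return "rejected: not eligible"
    # Approval is governed by the role settings of the scope being activated,
    # not by the scope at which eligibility was granted.
    if REQUIRES_APPROVAL.get((scope, role), False):
        return "pending approval"
    return "active"
```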
For more information, you can see:
Approval workflow for Azure resource roles in Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow
Take a few minutes to try the steps on the Approval Workflow [16] page. In this practice you will:
●● Require approval to activate.
●● Specify approvers.
●● Request approval to activate.
●● Approve or deny a request.
16 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow
Notice that each role has both assignment and activation settings. The activation settings are just like
what you have already seen earlier in the module. The assignment settings are new and include expiration
information.
Module 3 Review Questions
Suggested Answer ↓
PIM is a cloud-based service designed to protect administration of your cloud-based resources. PIM has
many features including: enforce on-demand, just-in-time access; leverage per-role approval workflows,
attest admin role membership with access reviews, just-enough-administration for users and groups, and
provide visibility through alerts and audit reports.
Administrator Access
The PIM Security Wizard shows the three main ways you can control administrator access. What are these
ways?
Suggested Answer ↓
There are three steps in the PIM Security Wizard. In Step 1, you review the permanent and temporary
admins in your organization removing any that are not needed. In Step 2, you switch permanent admins
to temporary admins. In Step 3, you configure the temporary admin settings like activation period, email
notification, and MFA authentication.
PIM Alerts
PIM alerts are an important feature to ensure you are being notified of important events. What are the
alert severity levels? What are some of the alerts you might see for PIM Directory roles? What are some
alerts you might see for PIM Role Resources?
Suggested Answer ↓
There are three PIM alert levels: high, medium, and low. Some of the directory role alerts you might see
are: roles are being activated too frequently, there are too many global administrators, and
administrators aren't using their privileged roles. Alerts for resources might include: too many owners assigned to a
resource, too many permanent owners assigned to a resource, and duplicate role created.