MCT USE ONLY. STUDENT USE PROHIBITED


Microsoft Official Course

AZ-101T04
Securing Identities
Contents

0 | Welcome  1
    Start Here  1
1 | Introduction to Identity Protection in Azure  5
    Role-Based Access Control  5
    Azure Active Directory (Refresher)  12
    Protecting Privileged Access in the Environment  18
    Module 1 Review Questions  24
2 | Using Multi-Factor Authentication for Secure Access  25
    Introducing Multi-Factor Authentication  25
    Implementing MFA  31
    Module 2 Review Questions  39
3 | Azure AD Privileged Identity Management  41
    Getting Started with PIM  41
    PIM Security Wizard  45
    PIM Directory Roles  48
    PIM for Role Resources  53
    Module 3 Review Questions  57
0 | Welcome

Start Here
Azure Administrator Curriculum
This course is part of a series of courses to help you prepare for Microsoft’s Azure Administrator certification tests. There are two exams:
●● AZ-100, Microsoft Azure Infrastructure and Deployment [1], and
●● AZ-101, Microsoft Azure Integration and Security [2].
Each exam measures your ability to accomplish certain technical tasks. For example, AZ-101 includes four
study areas, as shown in the table. The percentages indicate the relative weight of each area on the exam.
The higher the percentage, the more questions you are likely to see in that area.

AZ-101 Study Areas | Weights
Evaluation and perform server migration to Azure | 15-20%
Implement and manage application services | 20-25%
Implement advanced virtual networking | 30-35%
Securing identities | 25-30%
✔️ This course will focus on preparing you for the Securing identities area of the AZ-101 certification
exam.

About this Course


Course Description
This course teaches IT Professionals to understand the challenges that organizations face in keeping modern IT environments secure, as the more distributed environments that are part of a cloud-first or hybrid world have rapidly created new security challenges for IT. The course focuses on three key areas in the defense against attackers who target security vulnerabilities, resulting particularly from credential theft and compromised identities: Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and Azure Active Directory Privileged Identity Management (PIM). Students learn to implement two-step verification to secure the sign-in process, as well as how to use advanced features like trusted IPs and Fraud Alerts with MFA to customize their identity access strategy. Using Privileged Identity Management, students learn how to apply just the right amount of access rights for just the right amount of time to the various administrative roles as well as to resources.

[1] https://www.microsoft.com/en-us/learning/exam-az-100.aspx
[2] https://www.microsoft.com/en-us/learning/exam-az-101.aspx

Level: Intermediate
Audience
This course is for Azure Administrators. Azure Administrators manage the cloud services that span
storage, networking, and compute cloud capabilities, with a deep understanding of each service across
the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations
on services to use for optimal performance and scale, as well as provision, size, monitor and adjust as
appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use
the Azure Portal and as they become more proficient they use PowerShell and the Command Line
Interface.
Prerequisites
Successful Azure Administrators start this role with experience on operating systems, virtualization, cloud
infrastructure, storage structures, and networking.
Expected learning
●● Use Azure RBAC to grant a granular level of access based on an administrator’s assigned tasks.
●● Use Azure Multi-Factor Authentication to configure a strong authentication for users at sign-in.
●● Use Azure AD Privileged Identity Management to configure access rights based on just-in-time administration.

Syllabus
This course includes content that will help you prepare for the certification exam. Other content is
included to ensure you have a complete picture of Azure identity. The course content includes a mix of
videos, graphics, reference links, module review questions, and practice labs.
Module 1 – Introduction to Identity Protection in Azure
In this module, you’ll learn about Role-Based Access Control as the foundation to organizing and managing an organization’s administrative access based on the principle of least privilege. You will also review
Azure Active Directory concepts, as well as gaining insight into the threat landscape and security risks
that are exposed to IT organizations through breach of privileged access. Lessons include:
●● Role-Based Access Control
●● Azure Active Directory (Refresher)
●● Protecting Privileged Access in the Environment
Module 2 – Using Multi-Factor Authentication for Secure Access
In this module, you’ll learn about securing the sign-in process through Multi-Factor Authentication (MFA).
You’ll learn how MFA works and the differences in implementation between on-premises and cloud
scenarios. You’ll also learn about using conditional access policies to provide more fine-grained control
over apps and resources in your environment.
●● Introducing Multi-Factor Authentication
●● Implementing MFA
Module 3 – Azure AD Privileged Identity Management
In this module, you’ll learn how to use Azure Privileged Identity Management (PIM) to enable just-in-time
administration and control the number of users who can perform privileged operations. You’ll also learn
about the different directory roles available as well as newer functionality that includes PIM being
expanded to role assignments at the resource level. Lessons include:
●● Getting Started with PIM
●● PIM Security Wizard
●● PIM for Directory Roles
●● PIM for Role Resources
✔️ The Managing Identities course also covers Azure RBAC and Azure Active Directory. This content has
been included here also to provide more context and foundation for the remainder of the course.

Study Guide
The Securing identities objective of the AZ-101 exam consists of three main areas of study: Manage role-based access control (RBAC), Implement Multi-Factor Authentication (MFA), and Implement Azure Active Directory (AD) Privileged Identity Management (PIM). These tables show you what may be included in each test area and where it is covered in this course.
✔️ We recommend you use these tables as a checklist to ensure you are prepared in each area.
✔️ We recommend supplementing your study with a practice test [3]. Also, hands-on practice is critical to understanding these concepts and passing the certification exams. There are several ways to get an Azure subscription [4].
Manage RBAC

Testing May Include | Course Content
Create a custom role | 01-Introduction to Identity Protection in Azure
Configure access to Azure resources by assigning roles | 01-Introduction to Identity Protection in Azure
Configure management access to Azure | 01-Introduction to Identity Protection in Azure
Troubleshoot RBAC | 01-Introduction to Identity Protection in Azure
Implement RBAC policies | 01-Introduction to Identity Protection in Azure
Assign RBAC Roles | 01-Introduction to Identity Protection in Azure
Implement MFA

Testing May Include | Course Content
Enable MFA for an Azure tenant | 02-Using Multi-Factor Authentication for Secure Access
Configure user accounts for MFA | 02-Using Multi-Factor Authentication for Secure Access
Configure fraud alerts | 02-Using Multi-Factor Authentication for Secure Access
Configure bypass options | 02-Using Multi-Factor Authentication for Secure Access
Configure Trusted IPs | 02-Using Multi-Factor Authentication for Secure Access
Configure verification methods | 02-Using Multi-Factor Authentication for Secure Access

[3] https://us.mindhub.com/az-100-microsoft-azure-infrastructure-deployment-microsoft-official-practice-test/p/MU-AZ-100
[4] https://azure.microsoft.com/en-us/offers/ms-azr-0044p/

Implement Azure AD PIM

Testing May Include | Course Content
Enable PIM | 03-Azure AD Privileged Identity Management
Configure Just-in-time access | 03-Azure AD Privileged Identity Management
Configure permanent access | 03-Azure AD Privileged Identity Management
Configure PIM management access | 03-Azure AD Privileged Identity Management
Configure time-bound access | 03-Azure AD Privileged Identity Management
Create a Delegated Approver account | 03-Azure AD Privileged Identity Management
Activate a PIM role | 03-Azure AD Privileged Identity Management
Process pending approval requests | 03-Azure AD Privileged Identity Management
1 | Introduction to Identity Protection in Azure

Role-Based Access Control


Course Introduction
Cloud adoption has driven companies to find new solutions to doing business and has transformed the traditional IT enterprise. As environments have quickly become more distributed, with employees, partners, and customers integrating new capabilities and services ever more quickly, the concepts around security and protection of assets and resources have also radically changed.
In the traditional datacenter, the corporate firewall served as the perimeter for keeping out unauthorized
users. Now, identity has become the new control plane and IT organizations must consider it as a critical
element in defending against attackers targeting their environments and the data stored in those
environments.
Scope of the challenges
The graphic below is provided to give some idea of the scope of the challenges faced by modern IT
environments. Microsoft’s Intelligent Security Graph helps to provide real-time risk assessment and
insight into the global threat landscape. From the sheer volume of information, it is easy to see how in a
cloud connected world with the proliferation of accounts, partner and third-party dependencies, devices
that roam freely between work and home, the opportunities for attackers to do harm have greatly
expanded.

What’s the focus in this course?


While there are multiple aspects to securing identities in a modern IT environment, in this course, we will
focus on two specific features in Azure that form a key defense in preventing and mitigating the types of
security threats that attempt to make inroads through identity: Multi-Factor Authentication (MFA), and
Privileged Identity Management (PIM).
We begin with an overview of Role-Based Access Control in Azure because RBAC is foundational to how
you organize and manage your organization’s administrative access, based on the principle of least
privilege. We also cover an overview of Azure Active Directory itself. Both these lessons are also part of
AZ-100.5, Managing Identities, and we have included them in this course to provide more context and
foundational content in preparation for learning about MFA and PIM.

Role-Based Access Control


Managing access to resources in Azure is a critical part of an organization’s security and compliance
requirements. Role-based access control (RBAC) is the capability within Azure that lets you grant a very
granular level of access based on an administrator’s assigned tasks. This ensures an Administrator can do
exactly the task they need to do; no more, no less.
Role assignments
RBAC is configured by selecting a role (the definition of what actions are allowed and/or denied), then
associating the role with a security principal (user, group, or service). Finally, this combination of role and
security principal is scoped to a subscription, a resource group, or a specific resource.


✔️ Notice that access is inherited from subscriptions, to resource groups, and then to resources.
Using the Portal to implement RBAC
You can use the Azure Portal to make your role assignments. In this example, the ContosoBlueAD resource group shows on the Access Control (IAM) blade the current roles and scopes. You can add or remove roles as you need. You can add synced users and groups to Azure roles, which enables organizations to centralize the granting of access.

For more information, you can see:


Get started with access management in the Azure portal: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is

Built-in Roles
Azure AD provides many built-in roles [1] to cover the most common security scenarios. To understand how the roles work we will examine three roles that apply to all resource types:
●● Owner has full access to all resources including the right to delegate access to others.
●● Contributor can create and manage all types of Azure resources but can’t grant access to others.
●● Reader can view existing Azure resources.
Role definition

[1] https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (read access, etc.) for the role.
Name: Owner
ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb65
IsCustom: False
Description: Manage everything, including access to resources
Actions: {*}
NotActions: {}
AssignableScopes: {/}

In this example the Owner role means all (*) actions, no denied actions, and all (/) scopes. This information is available with the Get-AzureRmRoleDefinition cmdlet.
✔️ Take a minute to open the Azure Portal, open the Subscriptions or Resource Group blade, and click
Access Control (IAM). Click Add and take a few minutes to review the built-in roles and see which role
you would be most interested in using.
For more information, you can see:
Built-in roles in Azure - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Get-AzureRmRoleDefinition - https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermroledefinition?view=azurermps-5.3.0

Role Definitions
Actions and NotActions
The Actions and NotActions properties can be tailored to grant and deny the exact permissions you need.
Review this table to see how Owner, Contributor, and Reader are defined.

Built-in Role | Actions | NotActions
Owner (allow all actions) | * | (none)
Contributor (allow all actions except writing or deleting role assignment) | * | Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action
Reader (allow all read actions) | */read | (none)
AssignableScopes
Defining the Actions and NotActions properties is not enough to fully implement a role. You must also
properly scope your role.
The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or
resources) within which the custom role is available for assignment. You can make the custom role
available for assignment in only the subscriptions or resource groups that require it, and not clutter user
experience for the rest of the subscriptions or resource groups.
* /subscriptions/[subscription id]
* /subscriptions/[subscription id]/resourceGroups/[resource group name]
* /subscriptions/[subscription id]/resourceGroups/[resource group name]/[resource]

Example 1
Make a role available for assignment in two subscriptions.
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e", "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"

Example 2
Makes a role available for assignment only in the Network resource group.
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network"
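To make the Actions, NotActions and AssignableScopes rules concrete, here is an added Python example (not from the course and not Azure's own evaluation engine) that loads a constructed set of role definitions in the JSON shape shown above and decides whether an operation is permitted at a given scope, including the subscription-to-resource-group-to-resource inheritance noted earlier. The subscription id, the resource names and the "SysOps Custom" role are constructed for the example.

```python
"""Evaluate Azure RBAC role definitions (Actions, NotActions, AssignableScopes).

Added example: the role definitions below are constructed to mirror the JSON
shape of a role definition file. "SysOps Custom", the subscription id and the
resource names are hypothetical, not values from the course.
"""
import fnmatch
import json

# Constructed subscription id used for every scope in this example.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
NETWORK_RG = SUB + "/resourceGroups/Network"
VM_IN_NETWORK = NETWORK_RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
VM_IN_STORAGE = SUB + "/resourceGroups/Storage/providers/Microsoft.Compute/virtualMachines/vm02"

# The three built-in roles as the course describes them, plus one constructed
# custom role of the kind a sysops.json file would hold.
ROLE_DEFINITIONS_JSON = """
[
  {"Name": "Owner", "IsCustom": false,
   "Actions": ["*"], "NotActions": [], "AssignableScopes": ["/"]},
  {"Name": "Contributor", "IsCustom": false,
   "Actions": ["*"],
   "NotActions": ["Microsoft.Authorization/*/Delete",
                  "Microsoft.Authorization/*/Write",
                  "Microsoft.Authorization/elevateAccess/Action"],
   "AssignableScopes": ["/"]},
  {"Name": "Reader", "IsCustom": false,
   "Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]},
  {"Name": "SysOps Custom", "IsCustom": true,
   "Actions": ["Microsoft.Compute/virtualMachines/*",
               "Microsoft.Resources/subscriptions/resourceGroups/read"],
   "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
   "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/Network"]}
]
"""
ROLES = {role["Name"]: role for role in json.loads(ROLE_DEFINITIONS_JSON)}


def action_matches(pattern: str, action: str) -> bool:
    """RBAC operation wildcard: '*' may span '/' and the comparison is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scope_contains(parent: str, child: str) -> bool:
    """True when child is parent itself or lies beneath it.

    This is the inheritance chain the course points out: subscription ->
    resource group -> resource. The root scope '/' contains everything.
    """
    parent = parent.lower().rstrip("/")
    child = child.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


def can_assign_at(role: dict, assignment_scope: str) -> bool:
    """A role can only be assigned at, or beneath, one of its AssignableScopes."""
    return any(scope_contains(s, assignment_scope) for s in role["AssignableScopes"])


def is_permitted(role: dict, assignment_scope: str, request_scope: str, action: str) -> bool:
    """Effective permission for one assignment of `role` made at `assignment_scope`.

    Permitted only if the assignment covers the requested scope, some Actions
    entry matches the operation, and no NotActions entry matches it.
    """
    if not can_assign_at(role, assignment_scope):
        raise ValueError(f"{role['Name']} is not assignable at {assignment_scope}")
    if not scope_contains(assignment_scope, request_scope):
        return False  # an assignment elsewhere in the hierarchy does not inherit here
    allowed = any(action_matches(p, action) for p in role["Actions"])
    denied = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


if __name__ == "__main__":
    checks = [
        ("Contributor", SUB, VM_IN_NETWORK, "Microsoft.Compute/virtualMachines/write"),
        ("Contributor", SUB, VM_IN_NETWORK, "Microsoft.Authorization/roleAssignments/write"),
        ("Owner", SUB, VM_IN_NETWORK, "Microsoft.Authorization/roleAssignments/write"),
        ("Reader", SUB, VM_IN_NETWORK, "Microsoft.Compute/virtualMachines/write"),
        ("SysOps Custom", NETWORK_RG, VM_IN_NETWORK, "Microsoft.Compute/virtualMachines/start/action"),
        ("SysOps Custom", NETWORK_RG, VM_IN_NETWORK, "Microsoft.Compute/virtualMachines/delete"),
        ("SysOps Custom", NETWORK_RG, VM_IN_STORAGE, "Microsoft.Compute/virtualMachines/read"),
    ]
    for name, assigned_at, target, op in checks:
        verdict = "allow" if is_permitted(ROLES[name], assigned_at, target, op) else "deny"
        print(f"{name:14} assigned at {assigned_at.split('/')[-1]:10} {op:48} -> {verdict}")
    # The custom role is scoped to one resource group, so it cannot be assigned subscription-wide.
    print("SysOps Custom assignable at subscription:", can_assign_at(ROLES["SysOps Custom"], SUB))
```

Contributor's NotActions are why it can manage a virtual machine but cannot create role assignments, and the last check shows how a narrow AssignableScopes entry keeps a custom role out of the subscription-level picker.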

✔️ Take a minute to open the Azure Portal and use the Access Control blade to add a role and then assign it to a user. Can you see which role assignments your organization would need?
For more information, you can see:
Custom roles access control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles#custom-roles-access-control [2]

Azure PowerShell and CLI


When you have large numbers of role assignments, you may prefer to use Azure PowerShell or the CLI.
# Role assignment properties
$roleName = "Contributor"
$assigneeName = "josh@microsoft.com"
$resourceGroupName = "contosoblue"

Azure PowerShell
New-AzureRmRoleAssignment -RoleDefinitionName $roleName -SignInName $assigneeName -ResourceGroupName $resourceGroupName

CLI
az role assignment create --role $roleName --assignee $assigneeName --resource-group $resourceGroupName

✔️ If you have created a custom JSON role definition file you can use PowerShell or the CLI to create a
new custom role definition. In the following examples the sysops.json file has the custom definition.
# PowerShell
New-AzureRmRoleDefinition -InputFile .\sysops.json

# CLI
az role definition create --role-definition "./sysops.json"

[2] https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

Video - Role-Based Access Control

Demonstration - Role-Based Access Control

Practice - Role-Based Access Control

Role-based access control (RBAC) is the way that you manage access to resources in Azure. In this
Quickstart, you grant a user access to create and manage virtual machines in a resource group. Take a few
minutes to work through the Grant access for a user using RBAC and the Azure portal [3]. This Quickstart steps through the basics of:
●● Creating a resource group in the Azure portal.
●● Assign a user to a role.
●● Remove the created role assignment.
Using PowerShell
Next, try the following tutorial [4] to grant a user access to view all resources in a subscription and manage
everything in a resource group using Azure PowerShell. In this tutorial you will:
●● Create a user
●● Create a resource group
●● Use the Get-AzureRMRoleAssignment command to list the role assignments
●● Use the Remove-AzureRmResourceGroup command to remove access

[3] https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
[4] https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell


For more information, you can see:


What is role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview


Azure Active Directory (Refresher)


Azure Active Directory
For both IT Admins and Developers
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and
business partners single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365,
Salesforce.com, DropBox, and Concur.
For application developers, Azure AD lets you focus on building your application by making it fast and
simple to integrate with a world class identity management solution used by millions of organizations
around the world.

Identity management capabilities and integration


Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged
account management, role-based access control, application usage monitoring, rich auditing and security
monitoring, and alerting. These capabilities can help secure cloud-based applications, streamline IT
processes, cut costs, and help assure corporate compliance goals are met.
Additionally, Azure AD can be integrated with an existing Windows Server Active Directory, giving
organizations the ability to leverage their existing on-premises identity investments to manage access to
cloud based SaaS applications.
✔️ If you are an Office365, Azure or Dynamics CRM Online customer, you might not realize that you are
already using Azure AD. Every Office365, Azure and Dynamics CRM tenant is already an Azure AD tenant.
Whenever you want you can start using that tenant to manage access to thousands of other cloud
applications Azure AD integrates with.
For more information, you can see:
What is Azure Active Directory? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

Azure Active Directory Benefits


Azure AD has many benefits.
●● Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single
sign-on to cloud and on-premises applications including Microsoft Office 365 and thousands of SaaS
applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box.
●● Works with iOS, Mac OS X, Android, and Windows devices. Users can launch applications from a
personalized web-based access panel, mobile app, Office 365, or custom company portals using their
existing work credentials—and have the same experience whether they’re working on iOS, Mac OS X,
Android, and Windows devices.
●● Protect on-premises web applications with secure remote access. Access your on-premises web
applications from everywhere and protect with multi-factor authentication, conditional access policies,
and group-based access management. Users can access SaaS and on-premises web apps from the
same portal.
●● Easily extend Active Directory to the cloud. Connect Active Directory and other on-premises
directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups,
passwords, and devices across both environments.
●● Protect sensitive data and applications. Enhance application access security with unique identity
protection capabilities that provide a consolidated view into suspicious sign-in activities and potential
vulnerabilities. Take advantage of advanced security reports, notifications, remediation recommendations and risk-based policies to protect your business from current and future threats.
●● Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as
resetting passwords and the creation and management of groups to your employees. Providing
self-service application access and password management through verification steps can reduce
helpdesk calls and enhance security.
✔️ What reasons do you have for considering Azure Active Directory?
For more information, you can see:

The power of common identity across any cloud - https://myignite.microsoft.com/videos/54694


Active Directory Domain Services

Active Directory Domain Services (AD DS)


AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual server. Although AD DS is commonly considered to be primarily a directory service, it is only one component of the Windows Active Directory suite of technologies, which also includes Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Services (AD RMS). Although you can deploy and manage AD DS in Azure virtual machines it’s recommended you use Azure AD instead, unless you are targeting IaaS workloads that depend on AD DS specifically.
Azure AD is different from AD DS
Although Azure AD has many similarities to AD DS, there are also many differences. It is important to
realize that using Azure AD is different from deploying an Active Directory domain controller on an Azure
virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD
that make it different.
●● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based
applications by using HTTP and HTTPS communications.
●● REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP.
Instead, Azure AD uses the REST API over HTTP and HTTPS.
●● Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
●● Federation Services. Azure AD includes federation services, and many third-party services (such as Facebook).
●● Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).
✔️ Azure AD is a managed service. You only manage the users, groups, and policies. Deploying AD DS with virtual machines using Azure means that you manage the deployment, configuration, virtual machines, patching, and other backend tasks. Do you see the difference?


Video - Azure Active Directory Overview

Active Directory Editions


Azure Active Directory comes in four editions—Free, Basic, Premium P1, and Premium P2. The Free edition is included with an Azure subscription. The Azure Active Directory Basic, Premium P1, and Premium P2 editions are built on top of your existing free directory, providing enterprise class capabilities spanning self-service, enhanced monitoring, security reporting, Multi-Factor Authentication (MFA), and secure access for your mobile workforce.

The Azure Active Directory Pricing [5] page has detailed information on what is included in each of the editions.
●● Azure Active Directory Free. Designed to introduce system administrators to Azure Active Directory.
This version includes common features such as directory objects, user/group management, single
sign-on, self-service password change, on-premises connect, and security/usage reports.
●● Azure Active Directory Basic. Designed for task workers with cloud-first needs, this edition provides
cloud centric application access and self-service identity management solutions. With the Basic
edition of Azure Active Directory, you get productivity enhancing and cost reducing features like
group-based access management, self-service password reset for cloud applications, and Azure Active
Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all
backed by an enterprise-level SLA of 99.9 percent uptime.
●● Azure Active Directory Premium P1. Designed to empower organizations with more demanding
identity and access management needs, Azure Active Directory Premium edition adds feature-rich
enterprise-level identity management capabilities and enables hybrid users to seamlessly access
on-premises and cloud capabilities. This edition includes everything you need for information worker
and identity administrators in hybrid environments across application access, self-service identity and
access management (IAM), and security in the cloud.
●● Azure Active Directory Premium P2. Azure Active Directory Premium P2 includes every feature of all
other Azure Active Directory editions enhanced with advanced identity protection and privileged
identity management capabilities.
✔️ Did you look through the pricing list to determine which features your organization needs?

[5] https://aka.ms/edx-azure204x-az3

Choosing Between Azure AD and Azure AD DS


One of the main differences between Azure AD and Azure AD DS is the way devices are registered and
joined.
Azure AD Domain Services provides a managed AD domain in an Azure virtual network. You can join
machines to this managed domain using traditional domain-join mechanisms. Azure AD also enables you
to manage the identity of devices used by your organization and control access to corporate resources
from these devices. Azure AD joined devices give you the following benefits:
●● Single-sign-on (SSO) to applications secured by Azure AD.
●● Enterprise policy-compliant roaming of user settings across devices.
●● Access to the Windows Store for Business using your corporate credentials.
●● Windows Hello for .
●● Restricted access to apps and resources from devices compliant with corporate policy.

Aspect | Azure AD Join | Azure AD Domain Services
Device controlled by | Azure AD | Azure AD Domain Services managed domain
Representation in the directory | Device objects in the Azure AD directory. | Computer objects in the AAD-DS managed domain.
Authentication | OAuth/OpenID Connect based protocols | Kerberos, NTLM protocols
Management | Mobile Device Management (MDM) software like Intune | Group Policy
Networking | Works over the internet | Requires machines to be on the same virtual network as the managed domain.
Great for ... | End-user mobile or desktop devices | Server virtual machines deployed in Azure
For more information, you can see:
Choose between Azure Active Directory join and Azure Active Directory Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-compare-with-azure-ad-join

Video - Azure Active Directory Editions



Video - Azure AD Authentication Options


This video will help you choose the right authentication option when setting up identity in Azure Active
Directory. During the video, notice how often MFA is mentioned. MFA provides another layer of security
for each of the options that are discussed. We will delve deeper into MFA in Module 2.

For more information, you can see:


Choose the right authentication method for your Azure Active Directory hybrid identity solution - https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn

Protecting Privileged Access in the Environment

Credential Theft
In today's IT environment, credential theft is one of the main ways malicious users gain access to your
environment. Credential theft attacks are those in which an attacker first gains highest-privilege access
to a computer on a network and then uses freely available tooling to extract credentials from the sessions
of other logged-on accounts. Depending on the system configuration, these credentials can be extracted in
the form of hashes, tickets, or even plaintext passwords.

1. Credential theft begins by establishing a beachhead on a Tier 2 workstation or device. Through
phishing attacks and malware, the attacker gains access to local administrator accounts.
2. The local administrator accounts are used to compromise more hosts and credentials in Tier 2. The
attacker is looking to escalate into Tier 1 administrative permissions by presenting recently gained
credentials.
3. If the attacker can gain Domain Admin credentials, possibly through unpatched servers, they begin a
more focused attack on your system. At the highest level, Tier 0, the attacker has unlimited permissions
to create new users or impersonate existing users.
4. Credential theft often goes undetected. Attackers can steal data, destroy systems, and remain
undiscovered for a very long time.
✔️ Do you know of any credential theft attacks? Can you see how identity becomes the mechanism by which
attackers obtain not only access to the system but also the ability to do harm, limited only by the level
of privilege granted to the exposed account?
For more information, you can see:
Attractive Accounts for Credential Theft - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft
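The tier model behind the attack chain above gives you something concrete to detect: a Tier 0 or Tier 1 credential used interactively on a Tier 2 workstation is exactly the exposure step 2 and step 3 rely on. The following detector is an added example, not course material or Microsoft tooling. It assumes a host naming convention (DC-, SRV-, WS- prefixes) and an admin account naming convention (-t0, -t1 suffixes) that are constructed for the example, and it runs over simplified, constructed logon event lines rather than real Windows Security log output. The logon-type distinction is the real one: network logons (type 3) do not leave reusable credentials on the target, interactive and RDP logons do.

```python
"""Tier-model violation detection over constructed Windows logon events (added example)."""
import re
from dataclasses import dataclass

# ASSUMED naming conventions, not from the course: Tier 0 = domain controllers and their
# admins, Tier 1 = servers, Tier 2 = workstations. Plain user accounts are Tier 2.
TIER_BY_HOST_PREFIX = {"DC": 0, "SRV": 1, "WS": 2}
TIER_BY_ACCOUNT_SUFFIX = {"-t0": 0, "-t1": 1, "-t2": 2}

# Logon types that leave reusable credentials (hash, ticket, plaintext) on the target host:
# interactive, batch, service, RDP (RemoteInteractive) and cached interactive. Network
# logons (type 3) authenticate without caching the secret on the target, so they are not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 10, 11}

# Constructed, simplified event lines (not real Windows Security log output).
SAMPLE_EVENTS = """\
EventID=4624 Account=alice Host=WS-0137 LogonType=2
EventID=4624 Account=adm-bob-t0 Host=DC-01 LogonType=10
EventID=4624 Account=adm-bob-t0 Host=WS-0137 LogonType=10
EventID=4624 Account=adm-carol-t1 Host=WS-0137 LogonType=3
EventID=4624 Account=adm-carol-t1 Host=SRV-SQL01 LogonType=2
EventID=4624 Account=adm-carol-t1 Host=WS-0137 LogonType=2
EventID=4634 Account=adm-carol-t1 Host=WS-0137 LogonType=2
"""

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Account=(?P<account>\S+)\s+Host=(?P<host>\S+)\s+LogonType=(?P<logon_type>\d+)"
)


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    logon_type: int
    account_tier: int
    host_tier: int


def host_tier(host: str) -> int:
    """Tier of a host from its name prefix; unknown hosts are treated as least trusted (Tier 2)."""
    prefix = host.split("-", 1)[0].upper()
    return TIER_BY_HOST_PREFIX.get(prefix, 2)


def account_tier(account: str) -> int:
    """Tier of an account from its suffix; accounts without an admin suffix are Tier 2 users."""
    for suffix, tier in TIER_BY_ACCOUNT_SUFFIX.items():
        if account.lower().endswith(suffix):
            return tier
    return 2


def find_tier_violations(log_text: str) -> list:
    """Return every successful logon (4624) where a higher-tier account exposed its
    credentials on a lower-tier host. Lower tier number means higher privilege."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or m.group("id") != "4624":
            continue
        logon_type = int(m.group("logon_type"))
        if logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        a_tier = account_tier(m.group("account"))
        h_tier = host_tier(m.group("host"))
        if a_tier < h_tier:
            findings.append(Finding(m.group("account"), m.group("host"), logon_type, a_tier, h_tier))
    return findings


if __name__ == "__main__":
    for f in find_tier_violations(SAMPLE_EVENTS):
        print(f"Tier {f.account_tier} account {f.account} exposed credentials on "
              f"Tier {f.host_tier} host {f.host} (logon type {f.logon_type})")
```

On the sample above only two lines are flagged: the Tier 0 admin's RDP session to the workstation and the Tier 1 admin's interactive logon to the same workstation. The Tier 1 admin's network logon to that workstation is deliberately not flagged, which is the point of the tiered model: the same account can touch a lower-tier host without handing it a reusable secret.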

Demonstration - Credential Theft


One of the main reasons to use Multi-Factor Authentication is to reduce credential theft attacks, as
shown in this video. In conjunction with the other security best practices (outlined in the next topic), MFA
can reduce the attack surface dramatically by adding additional levels of verification when a user attempts
to sign in.

Security Best Practices


Many consider identity to be the new boundary layer for security, taking over that role from the tradition-
al network-centric perspective. To help you get started, there is an Azure identity management and
access control security best practices page. The best practices were derived from consensus opinion and
Azure platform capabilities and feature sets.
●● Centralize your identity management. Ensure that IT can manage accounts from one single loca-
tion.
●● Enable Single Sign-On (SSO). Provide your users the ability to use the same set of credentials to sign
in and access the resources that they need, regardless of whether this resource is located on-premises
or in the cloud.
●● Deploy password management. Leverage the self-service password reset capability and customize
the security options to meet your business requirements.
●● Enforce MFA for users. Enable Azure MFA for your users. This will add a second layer of security to
user sign-ins and transactions.
●● Use role-based access control (RBAC). Apply the principle of least privileges.
●● Control locations where resources are created using Resource Manager. Create security policies
with definitions that describe the actions or resources that are allowed and denied.
●● Guide developers to leverage identity capabilities for SaaS apps. Ensure developers use a secure
methodology to develop SaaS apps. Register any application that outsources authentication to Azure
AD.
●● Actively monitor for suspicious activities. Use Azure AD Premium anomaly reports6 and Azure AD
identity protection7 capabilities.
✔️ Take a minute to go through each item in the reference link. Are you following these best practices? In
this course we focus on enforcing MFA for users and implementing RBAC.
For more information, you can see:
Azure Identity Management and access control security best practices - https://docs.microsoft.com/en-us/azure/security/azure-security-identity-management-best-practices

6 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports
7 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection

Video - Introduction to Identity


The following video is part of a series that was produced by the Enterprise Cybersecurity Group at
Microsoft. The presenters give a broad overview of the security initiatives that align to four basic pillars
that make up a secure modern enterprise: Identity, Apps and Data, Infrastructure, and Device. The
principles covered in all of the videos in this lesson apply to both on-premises and the cloud.
In this video, the focus is primarily on the Identity pillar with two key aspects: privileged access, which
includes the identity systems and the administrators of those systems; the identities themselves, including
the devices they are used on.

Video - Protect Your Privileged Access


This video explores the Securing Privileged Access Roadmap, introduced in the previous video. The
roadmap publishes Microsoft's recommendations about what it thinks organizations should be doing to
protect their users and customers against various types of security attacks. Focusing on actions
organizations can take to prevent things like credential attacks, and domain controller and Active
Directory-related attacks, the presenters introduce the idea of preparing and planning in three stages:
immediate actions within the first 2 – 4 weeks, tasks that can be done within 1 – 3 months, and actions
that will take longer (6 or more months).
For more information, see:
Securing Privileged Access – http://aka.ms/sparoadmap

Video - Protecting AD and Admin Privileges (2-4 Weeks)

This video continues with the Securing Privileged Access Roadmap and focuses on the first phase of the
roadmap, an organization's first response to the most frequently used attack techniques. The presenters
discuss steps to immediately protect Active Directory and administrator privileges. The four basic steps
are:
1. Create a separate admin account for administrator tasks.
2. Set up Privileged Access Workstations8 (PAWs) for Active Directory administrators.
3. Set up unique local administrator passwords9 for each workstation.
4. Set up unique local administrator passwords for each server.

8 http://aka.ms/CyberPAW

Video - Protecting AD and Admin Privileges (1-3 Months)

This video continues with the Securing Privileged Access Roadmap and focuses on the middle phase of
the roadmap (1 – 3 months), and continues with the steps to harden systems and further protect Active
Directory and Administrator privileges. The six steps are:
1. Set up Privileged Access Workstations (PAWs)10 for Tier 1 and Tier 2 administrators.
2. Enable time-bound privileges for administrators (http://aka.ms/PAM, http://aka.ms/AzurePIM).
3. Enable multi-factor authentication for elevation.
4. Implement Just Enough Administration (JEA)11.
5. Lower the attack surface12 of domains and domain controllers.
6. Perform threat detection analysis13.
✔️ While this series of videos introduces the whole Securing Privileged Access roadmap, step 3, enable
multi-factor authentication for elevation, is highlighted on the graphic because MFA is the main focus of
Module 2.

Video - Protecting AD and Admin Privileges (6 Months)

This video concludes the short series on the Securing Privileged Access Roadmap and focuses on the last
phase of the roadmap (6 months+), which initiates a more proactive security stance in the process of
protecting Active Directory and administrative privileges. This phase in the roadmap is where companies
can take steps to get ahead of the attacker techniques.

9 http://aka.ms/LAPS
10 http://aka.ms/CyberPAW
11 http://aka.ms/JEA
12 http://aka.ms/HardenAD
13 http://aka.ms/ata

The presenters cover the following 5 steps:


1. Review roles and delegation model.
2. Require multifactor authentication14 for all administrators.
3. Implement an administrative forest based on the Enhanced Security Administrative Environment
(ESAE)15 reference architecture.
4. Implement code integrity policies for domain controllers.
5. Virtualize domain controllers using shielded VMs16.
✔️ You can access the Securing Privileged Access Roadmap here17.

Securing the Modern IT Environment


Most enterprises combine traditional on-premises assets, remote resources, such as branch offices, and
some level of cloud solutions or services. In many cases, IT departments are not aware of third-party
solutions or services their users are using or that have not been authorized. Securing access in a modern
IT environment is extremely challenging because the environment is a very complex entity to begin with.
Where’s the security boundary today?
Traditionally, the security boundary has been drawn around the network. However, because users now rely
on so many third-party software as a service (SaaS) applications, data flows easily in and out of the
perimeter, and attackers have had much success getting through the traditional network perimeter. In
reality, identity has become the security "perimeter" of the modern IT enterprise.
Credential theft scenario
In this next video, the presenter discusses the typical credential theft attack that was also covered in a
previous topic to explain how attackers can exploit holes in the system and use lateral movement within a
domain to persist their unauthorized access and presence and steal credentials. Once those credentials
are obtained, it is usually too late to prevent the attacker from gaining access to data and resources, as
with this method of attack an attacker can remain undetected for some time.
✔️ The video points out a common misconception in the assumption that using Run As protects against
credential theft or “pass the hash” attacks. A Run As session on a Windows computer is just as vulnerable
to attack as a standard fully logged on session.

14 http://aka.ms/Passport
15 http://aka.ms/ESAE
16 http://aka.ms/shieldedvms
17 http://aka.ms/sparoadmap

Video - Securing the Modern IT Environment



Module 1 Review Questions

Implementing Role-Based Access Control
Which built-in role lets you create and manage all types of Azure resources, but doesn't allow you to
grant additional permissions to users, groups, or service principals? With RBAC, how would you create a
custom role?

Suggested Answer ↓ 
The Contributor built-in role can create and manage all types of Azure resources, but can't grant access
to others. Contributor is one of three fundamental roles in Azure that apply to all resource types. The
others are Owner, which has full access to all resources, including the right to delegate access to others,
and Reader, which can only view existing Azure resources. To create a custom role, you would use
PowerShell, the Azure CLI, or the REST API.

Azure Active Directory


List three differences between Active Directory Domain Services (AD DS) and Azure Active Directory (AD).

Suggested Answer ↓ 
Although the list is by no means exhaustive, and you may identify others not listed, here are several
characteristics of Azure AD that make it different from AD DS: Azure AD is primarily an identity solution,
and it is designed for Internet-based applications using HTTP and HTTPS communications. Because Azure
AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP/HTTPS-based
protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for
authorization). Also, Azure AD users and groups are created in a flat structure; there are no Organizational
Units (OUs) or Group Policy Objects (GPOs).

Credential Theft
What are some common ways in which attackers use credential theft to gain access and control of IT
environments?

Suggested Answer ↓ 
A common way in which an attacker initially gains access to an environment is through phishing attacks or
malware that compromise a local administrator account at the Tier 2 level. Those accounts then serve as a
way for the attacker to move laterally, compromising more hosts and stealing more credentials, and
quickly moving into Tier 1 server admin levels with the objective of acquiring Domain Admin credentials.
Once they obtain Domain Admin credentials, attackers can not only steal, alter, delete, or destroy business
data and systems, but can also persist their presence, undetected, so that they can regain access to the
system at a later date.
2 | Using Multi-Factor Authentication for Secure Access

Introducing Multi-Factor Authentication


Azure MFA Concepts
For organizations that need to be compliant with industry standards, such as PCI DSS version 3.2, MFA is
a must have capability to authenticate users. Beyond being compliant with industry standards, enforcing
MFA to authenticate users can also help organizations to mitigate credential theft attacks.
Azure MFA helps safeguard access to data and applications while maintaining simplicity for users. It
provides additional security by requiring a second form of authentication and delivers strong authentica-
tion through a range of easy to use authentication methods. How many methods can you identify from
this graphic?

The security of MFA two-step verification lies in its layered approach. Compromising multiple authentica-
tion factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's
password, it is useless without also having possession of the additional authentication method. Authenti-
cation methods include:
●● Something you know (typically a password)
●● Something you have (a trusted device that is not easily duplicated, like a phone)
●● Something you are (biometrics)
✔️ Can you think of any ways to overcome the two-step authentication? For example, phishing, stolen
devices, or malware.
For more information, you can see:

Multi-factor authentication - https://azure.microsoft.com/en-us/services/multi-factor-authentication/

Video - MFA Overview


✔️ This is an older video that refers to Windows Azure, but it still makes some excellent points about how
to use MFA.

Azure MFA Features


[Graphic: three icons representing three authentication factors or "forms": phone call, text message, and mobile app notification.]
Get more security with less complexity. Azure MFA helps safeguard access to data and applications
and helps to meet customer demand for a simple sign-in process. Get strong authentication with a range
of easy verification options—phone call, text message, or mobile app notification—and allow customers
to choose the method they prefer.

Mitigate threats with real-time monitoring and alerts. MFA helps protect your business with security
monitoring and machine-learning-based reports that identify inconsistent sign-in patterns. To help
mitigate potential threats, real-time alerts notify your IT department of suspicious account credentials.

Deploy on-premises or on Azure. Use MFA Server on your premises to help secure VPNs, Active
Directory Federation Services, IIS web applications, Remote Desktop, and other remote access applica-
tions using RADIUS and LDAP authentication. Add an extra verification step to your cloud-based applica-
tions and services by turning on Multi-Factor Authentication in Azure Active Directory.

Use with Office 365, Salesforce, and more. MFA for Office 365 helps secure access to Office 365
applications at no additional cost. Multi-Factor Authentication is also available with Azure Active Directo-
ry Premium and thousands of software-as-a-service (SaaS) applications, including Salesforce, Dropbox,
and other popular services.

Add protection for Azure administrator accounts. MFA adds a layer of security to your Azure adminis-
trator account at no additional cost. When it's turned on, you need to confirm your identity to create a
virtual machine, manage storage, or use other Azure services.
✔️ Is your organization using MFA? Do you see a need for the feature?
For more information, you can see:
Multi-Factor Authentication - https://azure.microsoft.com/en-us/services/multi-factor-authentica-
tion/

MFA Licensing and Pricing


There are three pricing methods for Azure MFA.
Consumption based billing. Azure MFA is available as a stand-alone service with per-user and per-au-
thentication billing options.
●● Per user. You can pay per user. Each user has unlimited authentications. Use this model if you know
how many users you have and can accurately estimate your costs.
●● Per authentication. You can pay for a bundle (10) of authentications. Use this model when you are
unsure how many users will participate in MFA authentication.
MFA licenses included in other products. MFA is included in Azure AD Premium, Enterprise Mobility
Suite, and Enterprise Cloud Suite.
Direct and Volume licensing. MFA is available through a Microsoft Enterprise Agreement, the Open
Volume License Program, the Cloud Solution Providers program, and Direct, as an annual user based
model.
✔️ Which of these licensing options is appropriate for your organization?
For more information, you can see:
MFA Pricing - https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/

Microsoft Authenticator App


The Microsoft Authenticator app helps prevent unauthorized access to accounts and stop fraudulent
transactions by giving you an additional level of security for your work or school account (for example,
alain@contoso.com) or your personal Microsoft account (for example, alain@outlook.com). You can use it
either as a second verification method or as a replacement for your password when using phone sign-in.
When using the app for two-step verification, it can work in one of two ways:
●● Notification. The app sends a notification to your device. Make sure the notification is correct, and
then select Verify. If you don’t recognize the notification, select Deny.
●● Verification code. After you type your username and password, you can open the app and copy the
verification code provided on the Accounts screen on to the sign-in screen. The verification code acts
as a second form of authentication.
✔️ Remember these app choices. When you enable MFA for a user you will have a chance to select one
or both options.
For more information, you can see:
Get the app - https://www.microsoft.com/en-us/account/authenticator
Microsoft Authenticator app FAQ - https://docs.microsoft.com/en-us/azure/active-directory/user-help/microsoft-authenticator-app-faq

Video - Authenticator App

MFA for Global Admins


Azure MFA is included free of charge for global administrator security. Enabling MFA for global adminis-
trators provides an added level of security when managing and creating Azure resources, like virtual
machines. Secondary authentication includes phone call, text message, and the authenticator app.
You can use the portal to enable MFA for administrators. MFA configuration is done through the Active
Directory blade and the Configure MFA link.

Once you have located the global administrator of choice you can Enable MFA.

✔️ Remember that you can only enable MFA for organizational accounts stored in Azure Active Directory.
These are also called work or school accounts.
For more information, you can see:
Enforce multi-factor authentication (MFA) for subscription administrators - https://docs.microsoft.com/en-us/azure/security/azure-security-global-admin

On-Premises vs Cloud MFA


There are three questions to help you determine whether on-premises or cloud based MFA is needed.
What are you trying to secure?

What are you trying to secure?                             Azure MFA   MFA Server
First-party Microsoft apps                                 ●           ●
SaaS apps in the app gallery                               ●           -
Web applications published through Azure AD App Proxy      ●           -
IIS applications not published through Azure AD App Proxy  -           ●
Remote access such as VPN, RDG                             ●           ●
Where are your users located?

User location                                                    Azure MFA   MFA Server
Azure Active Directory                                           ●           -
Azure AD and on-premises AD using federation with AD FS          ●           ●
Azure AD and on-premises AD using Azure AD Connect, without      ●           ●
  password hash sync or pass-through authentication
Azure AD and on-premises AD using Azure AD Connect, with         ●           -
  password hash sync or pass-through authentication
On-premises Active Directory                                     -           ●
What features do you need?

Feature                                          Azure MFA   MFA Server
Mobile app notification as second factor         ●           ●
Mobile app verification code as second factor    ●           ●
Phone call or one-way SMS as second factor       ●           ●
Hardware tokens as second factor                 -           ●
PIN mode                                         -           ●
Fraud alert and MFA reports                      ●           ●
Remember MFA for trusted devices                 ●           -
Conditional access                               ●           ●
✔️ Be sure to read more at the reference link. Are you ready for Azure MFA?
For more information, you can see:
Which version of Azure MFA is right for my organization? - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion

Implementing MFA
Video - How MFA Works
✔️ This is an older video that refers to Windows Azure, but it is still very relevant and provides an
excellent recap of the concepts behind MFA. Windows Azure is now Microsoft Azure.

The MFA Process

Here is what happens when somebody attempts to connect to a resource that is secured by Azure AD MFA.
On-premises MFA authentication
If the service is on-premises, the local MFA authentication service validates the initial sign-in by passing
the authentication request to the on-premises Active Directory.
If the correct credentials were entered and validated, the request is then forwarded to the Azure MFA
authentication server, which sends an additional verification challenge to the user. The methods that can
easily be configured are:
●● Phone call. A call is placed to the user's registered phone.
●● Text message. A six-digit code is sent to the user's mobile phone.
●● Mobile app notification. A verification request is pushed to the user's smartphone, asking them to
complete the verification by selecting Verify in the mobile app.
●● Mobile app verification code. The mobile app generates a six-digit, time-based code from a secret
shared at enrollment; nothing is sent to the phone for this method. The user enters the code on the
sign-in page.
●● OATH (Initiative for Open Authentication) compliant tokens. Hardware tokens that generate codes in
the same way can also be used as a verification method.
Azure MFA authentication

If the service is running in Azure, your sign-in request is first sent to Azure Active Directory for initial
validation, and then on to the MFA authentication server running in Azure. Validation then continues as
above.
✔️ MFA provides assurance that someone cannot easily impersonate the requesting user. MFA should be
required on all services, and certainly on mobile services.
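The mobile app verification code and the OATH token methods above are both time-based one-time passwords (TOTP, RFC 6238): the app and the service share a secret at enrollment, each derives a six-digit code from that secret and the current 30-second time step, and the service compares. The following is an added example that is not course material and is not Azure MFA's implementation; it shows both sides, the code generation the app performs and a server-side verifier that tolerates one step of clock skew and refuses to accept a time step twice. The secret is the RFC 6238 test vector secret, used only so the output is reproducible; a real enrollment generates a random secret per user.

```python
"""RFC 6238 TOTP generation and verification (added example, not Azure MFA's code)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); illustrative only.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password (RFC 4226) for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app computes: HOTP over the current time step."""
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """Server side. Accepts a code within +/- `window` time steps to absorb clock skew,
    and never accepts the same time step twice for a user (replay protection)."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step, self.window, self.digits = step, window, digits
        self._last_counter = {}            # user -> highest time step already consumed

    def verify(self, user: str, secret: bytes, code: str, at_time: float) -> bool:
        now_counter = int(at_time // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self._last_counter.get(user, -1):
                continue                                           # already used: replay
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):                # constant-time compare
                self._last_counter[user] = counter
                return True
        return False


def provisioning_secret_base32(secret: bytes) -> str:
    """The form of the secret carried in the enrollment QR code (otpauth URI)."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    print("code for the current time step:", totp(TEST_SECRET, time.time()))
    print("base32 secret for the app:", provisioning_secret_base32(TEST_SECRET))
```

The verifier's replay check is the part a minimal implementation usually omits: a six-digit code phished or shoulder-surfed from the user is valid for the whole window unless the service records the time step it has already consumed.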

MFA User Settings

Let's briefly look at the user settings that are available for MFA. The first setting allows users to create
app passwords to sign in to non-browser apps; this applies to older clients that do not support modern
authentication, such as Outlook 2010.
✔️ Notice that if you are not using the Authenticator app, the last two verification options may not
apply.
The last setting allows users to remember multi-factor authentication on devices they trust, so they are
not prompted for the second factor on every sign-in from those devices (it does not cache passwords). The
number of days before a user must re-authenticate on a trusted device can be set from 1 to 60 days; the
default is 14 days.
The first time a user signs in after MFA is required, they are prompted to configure their settings.
[Screenshot: the additional security configuration page, where a user sets the form of authentication required and the specific method, for example phone authentication with either "send me a code by text message" or "call me".]

Authentication Methods
It’s common to hear news reports of passwords being stolen and identities being compromised. Requir-
ing a second factor in addition to a password immediately increases the security of your organization. For
this reason, Azure Active Directory (Azure AD) includes features, like Azure MFA and Azure AD self-service
password reset (SSPR), to help administrators protect their organizations and users with additional
authentication methods.

When a user needs to access a sensitive application, reset their password, or enable Windows Hello, they
may be asked to provide additional verification that they are who they say they are. Additional verifica-
tion may come in the form of authentication methods such as:
●● A code provided in an email or text message.
●● A phone call.
●● A notification or code on their phone.
●● Answers to security questions.
Azure MFA and Azure AD SSPR give administrators control over configuration, policy, monitoring, and
reporting using Azure AD and the Azure portal to protect their organizations.
✔️ Azure AD self-service password reset (SSPR) was covered in the Managing Identities course. The
following topic provides a high-level comparison of MFA and SSPR in terms of which feature supports
which authentication method.

MFA and SSPR Comparison


Azure AD self-service password reset (SSPR) and MFA may ask for additional information, known as
authentication methods or security info, to confirm you are who you say you are when using the associat-
ed features.
Administrators can define in policy which authentication methods are available to users of SSPR and MFA.
Some authentication methods may not be available to all features.
Microsoft highly recommends Administrators enable users to select more than the minimum required
number of authentication methods in case they do not have access to one.

Authentication method          Usage
Password                       MFA and SSPR
Security questions             SSPR only
Email address                  SSPR only
Microsoft Authenticator app    MFA, and SSPR (public preview)
SMS                            MFA and SSPR
Voice call                     MFA and SSPR
App passwords                  MFA only, in certain cases
✔️ Your Azure AD password is considered an authentication method. It is the one method that cannot be
disabled.

Enabling Multi-Factor Authentication


To enable MFA, go to Users in Azure Active Directory, and then select the Multi-Factor Authentication
option. From there, you can select the users that you want to modify and enable them for MFA. You can
also bulk enable groups of users with PowerShell.

✔️ On first sign-in after MFA has been enabled, users are prompted to configure their MFA settings. For
example, if you enable MFA so that users must use a mobile device, users will be prompted to register
their mobile device for MFA. Users must complete those steps before they are permitted to sign in.

Trusted IPs
Trusted IPs is a feature to allow federated users or IP address ranges to bypass two-step authentication.
Notice there are two selections in this screenshot.

Which selections you can make depends on whether you have managed or federated tenants.
●● Managed tenants. For managed tenants, you can specify IP ranges that can skip MFA.
●● Federated tenants. For federated tenants, you can specify IP ranges and you can also exempt users
who present an AD FS claim (the All Federated Users option).

✔️ The Trusted IPs bypass works only from inside of the company intranet. If you select the All Federated
Users option and a user signs in from outside the company intranet, the user must authenticate by using
two-step verification. The process is the same even if the user presents an AD FS claim.
For more information, you can see:
Trusted IPs - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

One-time Bypass
The one-time bypass feature allows a user to authenticate a single time without performing two-step
verification. The bypass is temporary and expires after a specified number of seconds.

✔️ In situations where the mobile app or phone is not receiving a notification or phone call, you can
allow a one-time bypass, so the user can access the desired resource.
For more information, you can see:
Bypass options - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass

Conditional Access Policies


As an administrator, you may want to apply a more fine-grained control over access to the apps in your
environment. You should consider conditional access policies.
Conditional access is a capability of Azure AD (with an Azure AD Premium license) that enables you to
enforce controls on the access to apps in your environment based on specific conditions from a central
location. With Azure AD conditional access, you can factor how a resource is being accessed into an
access control decision. By using conditional access policies, you can apply the right access controls
under the required conditions.


In the context of conditional access:


●● “When this happens” is called conditions.
●● “Then do this” is called access controls.
The combination of your conditions with your access controls represents a conditional access policy.
With access controls, you can either Block Access altogether or Grant Access with additional requirements
by selecting the desired controls. You can have several options:
●● Require MFA from Azure AD or an on-premises MFA (combined with AD FS).
●● Grant access to only trusted devices.
●● Require a domain-joined device.
●● Require mobile devices to use Intune app protection policies2.
In the preceding list, requiring additional account verification through MFA is a common scenario. While
users may be able to sign-in to most of your organization’s cloud apps, you may want that additional
verification for things like your email system, or apps that contain personnel records or sensitive informa-
tion. In Azure AD, you can accomplish this with a conditional access policy. An opportunity to try this is
provided at the end of this lesson.
✔️ Do you think conditional access would be something your organization is interested in?
For more information, you can see:
Conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Grant controls - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls#grant-controls

Fraud Alerts
Configure the fraud alert feature so that your users can report fraudulent attempts to access their
resources. Users can report fraud attempts by using the mobile app or through their phone. Two settings
control the feature:
●● Block user when fraud is reported. If a user reports fraud, their account is blocked for 90 days or until
an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report
and take appropriate action to prevent future fraud. An administrator can then unblock the user's account.
●● Code to report fraud during initial greeting. When users receive a phone call to perform two-step
verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before
pressing #. This code is 0 by default, but you can customize it.

2 https://docs.microsoft.com/intune/app-protection-policy
✔️ The default voice greetings from Microsoft instruct users to press 0# to submit a fraud alert. If you
want to use a code other than 0, record and upload your own custom voice greetings with appropriate
instructions for your users.
For more information, you can see:
Turn on fraud alerts - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#turn-on-fraud-alerts3

Practice - MFA Authentication Pilot

To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud
apps using a user name and a password. However, some environments may have scenarios where it
would be advisable to require a strong form of account verification.
Take a few minutes to try this Quickstart4, where you configure an Azure AD conditional access policy
that requires multi-factor authentication (MFA) for a selected cloud app in your environment.
If you decide to try this Quickstart, you will need:
●● Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium
capability.

3 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
4 https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

●● A test account called Isabella Simonsen. If you don't know how to create a test account, see Add
cloud-based users5.
The specific tasks in this Quickstart include:
●● Create the required conditional access policy.
●● Evaluate a simulated sign in.
●● Test the conditional access policy.
✔️ If you can’t meet the prerequisites, read through the steps instead.
For more information, you can see:
What is conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

Practice - MFA Conditional Access

Take a minute to try the Tutorial: Complete an Azure Multi-Factor Authentication pilot roll out6. This
tutorial walks you through configuring a conditional access policy that enables Azure MFA when signing
in to the Azure portal. The policy is deployed to and tested on a specific group of pilot users. You will
learn how to:
●● Enable Azure Multi-Factor Authentication.
●● Test Azure Multi-Factor Authentication.
✔️ Deployment of Azure MFA using conditional access provides significant flexibility for organizations
and administrators compared to the traditional enforced method.
For more information, you can see:
Quickstart: Add new users to Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
Create a group and add members in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
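The conditional access policy described in the Conditional Access Policies lesson and in this pilot (pilot group, Azure portal, grant only with MFA) can also be created from PowerShell. The script below is an added example written for this edition, not course material and not the steps of the linked tutorial. It uses the Microsoft Graph PowerShell SDK, which postdates the course, and assumes two groups exist in the tenant: "MFA Pilot" (the users being piloted) and "Emergency Access" (break-glass accounts that must never be subject to MFA enforcement). The application ID used is the well-known "Microsoft Azure Management" application that the Azure portal signs in to.

```powershell
# Added example, not course material: create the pilot conditional access policy
# with the Microsoft Graph PowerShell SDK. Assumptions (placeholders): groups named
# "MFA Pilot" and "Emergency Access" exist in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$pilot      = Get-MgGroup -Filter "displayName eq 'MFA Pilot'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access'"
if (-not $pilot -or -not $breakGlass) { throw "Pilot or break-glass group not found" }

# Well-known application ID of "Microsoft Azure Management"; the Azure portal
# obtains tokens for this application, so targeting it targets portal sign-in.
$azurePortalAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

$policy = @{
    displayName = "Pilot: require MFA for the Azure portal"
    # Report-only first: the sign-in log records what the policy would have done
    # without enforcing it. Flip to "enabled" once the pilot group's sign-ins look clean.
    state       = "enabledForReportingButNotEnforced"
    # "When this happens": pilot users (minus break-glass) signing in to the portal.
    conditions  = @{
        users = @{
            includeGroups = @($pilot.Id)
            excludeGroups = @($breakGlass.Id)   # never lock out the emergency accounts
        }
        applications = @{
            includeApplications = @($azurePortalAppId)
        }
        clientAppTypes = @("all")
    }
    # "Then do this": grant access only when MFA has been satisfied.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Two points the portal walkthrough does not make explicit: the policy is created in report-only state so you can inspect the sign-in report for "would have required MFA" results before any user is blocked, and the break-glass group is excluded up front, because a policy that requires MFA for everyone including the accounts you would use to fix a broken policy is the classic way to lock yourself out of the tenant.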

5 https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
6 https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-mfa-applications

Module 2 Review Questions
Introducing Multi-Factor Authentication
What are the mechanisms generally used by Multi-Factor Authentication (MFA) two-step verification to
authenticate users at sign-in? What is the cost of Azure MFA for global administrators?

Suggested Answer ↓ 
MFA authentication methods include: something the user knows (typically a password), something the user
has (such as a trusted device that is not easily duplicated, like a phone), and something the user is (biomet-
rics). Azure MFA is included free of charge for global administrators.

Trusted IPs
What functionality does Trusted IPs provide? How do you select its different options?

Suggested Answer ↓ 
Trusted IPs is a feature that allows federated users or IP address ranges to bypass two-step authentica-
tion. The options you select depend on whether you have managed or federated tenants. For managed
tenants, you can specify IP ranges that can skip MFA. And for federated tenants, you can specify IP ranges
and you can also exempt AD FS claims users.

Conditional Access Policies


What three questions should you consider to help you determine whether on-premises or cloud based
MFA is needed?

Suggested Answer ↓ 
The three questions that you need to ask when determining the type of MFA you want to implement are:
what are you trying to secure, where are your users located, and what features do you need? For exam-
ple, if you were trying to secure remote access such as VPN, while using Azure AD and an on-premises AD
with AD FS, and you wanted to implement conditional access policies, you would use MFA Server.
3 | Azure AD Privileged Identity Management

Getting Started with PIM


Video - Identity Protection and PIM
This video covers two things: Identity Protection and PIM. PIM is the focus of this module. Identity Protec-
tion was covered in the Manage Identities course.

Azure AD PIM
Azure AD Privileged Identity Management (PIM), also known as just-in-time administration, is a cloud-
based service designed to protect your cloud-based resources. With Azure AD PIM you can minimize the
number of users who can execute privileged operations in Azure AD, Azure, Office 365, or SaaS applica-
tions. Azure AD PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.

Azure AD Privileged Identity Management helps your organization:


●● See which users are assigned privileged roles to manage Azure resources, as well as which users are
assigned administrative roles in Azure AD.

●● Enable on-demand, “just in time” administrative access to Microsoft Online Services like Office 365
and Intune, and to Azure resources of subscriptions, resource groups, and individual resources such as
virtual machines.
●● See a history of administrator activation, including what changes administrators made to Azure
resources (Preview).
●● Get alerts about changes in administrator assignments.
●● Require approval to activate Azure AD privileged admin roles.
●● Review membership of administrative roles and require users to provide a justification for continued
membership.
✔️ Azure AD PIM can manage users assigned to the built-in Azure AD organization roles, such as Global
Administrator. PIM can also manage the users and groups assigned via Azure RBAC roles, including
Owner or Contributor.
✔️ When you enable PIM for your tenant, a valid Azure AD Premium P2 or Enterprise Mobility + Security
E5 paid or trial license is required for each user that interacts with or receives a benefit from the service.
For more information, you can see:
Azure AD PIM - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Azure Active Directory Privileged Identity Management subscription requirements - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements

PIM Tasks
Once Azure AD Privileged Identity Management is set up, you will see the navigation blade whenever you
open the application.

●● My Roles displays a list of eligible and active roles assigned to you. This is where you can activate any
assigned eligible roles.
●● Approve Requests displays a list of requests to activate eligible Azure AD directory roles by users in
your directory, which you are designated to approve.
●● Pending Requests displays any of your pending requests to activate eligible role assignments.
●● Review Access lists active access reviews you are assigned to complete, whether you're reviewing
access for yourself or someone else.

●● Azure AD directory roles displays the dashboard for privileged role administrators to manage role
assignments, change role activation settings, start access reviews, and more. This dashboard is
disabled for anyone who isn't a privileged role administrator.
●● Azure Resource roles displays a list of subscription resources in which you have role assignments.
✔️ At the time of writing, some Azure PIM features are in Preview. Like all Azure features and functionali-
ty, this is subject to frequent change, so we don’t always identify when a feature is in preview, unless
there is a specific reason to do so.
✔️ Take a few minutes to locate the PIM blade and review the tasks.
For more information, you can see:
Navigate to your tasks - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started#navigate-to-your-tasks1

PIM Access
The global administrator who enables Azure AD Privileged Identity Management (PIM) for an organiza-
tion automatically gets role assignments and access to PIM. No one else gets write access by default,
though, including other global administrators. Other global administrators, security administrators, and
security readers have read-only access to Azure AD PIM. To give others access to manage PIM, the first
user assigns them the Privileged Role Administrator role.

Whenever you assign a new role to someone, they are automatically set up as eligible to activate the role.
If you want to make them permanent in the role, click the user in the list and select Make permanent in
the user information menu.
✔️Managing Azure AD PIM requires Azure MFA. Since Microsoft accounts cannot register for Azure MFA,
a user who signs in with a Microsoft account cannot access Azure AD PIM.
For more information, you can see:
Giving access to manage Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim#give-another-user-access-to-manage-pim2

1 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

PIM Dashboard
You can use a resource dashboard to perform an access review in Privileged Identity Management (PIM)
for Azure resources. The Admin View dashboard has three primary components:
●● A graphical representation of resource role activations.
●● Two charts that display the distribution of role assignments by assignment type.
●● A data area pertaining to new role assignments.

For more information, you can see:


Use a resource dashboard to perform an access review - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-overview-dashboards

Practice - Discover and Manage Azure Resources

Learn how to discover and manage Azure resources when you use Privileged Identity Management (PIM)
in Azure Active Directory (Azure AD). This information can be helpful to organizations that already use
PIM to protect administrator resources, and to subscription owners who are looking to secure production
resources.
Take a few minutes to try Discover Resources3.
✔️ You can only search for and select subscription resources to manage by using PIM. When you manage
a subscription in PIM, you can also manage child resources in the subscription.
For more information, you can see:
Discover and manage Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources

2 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim
3 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources

PIM Security Wizard
If you're the first person to run Azure PIM for your organization, you will be presented with a wizard. The
wizard helps you understand the security risks of privileged identities and how to use PIM to reduce
those risks. You don't need to make any changes to existing role assignments in the wizard if you prefer
to do it later.

✔️ It is important that you have at least one global administrator, and more than one privileged role
administrator with an organizational account (not a Microsoft account). If there is only one privileged role
administrator, the organization will not be able to manage PIM if that account is deleted.
✔️ After you have made changes, the wizard will no longer show up. The next time you or another
privileged role administrator use PIM, you will see the PIM dashboard.
For more information, you can see:
Using the security wizard in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-security-wizard

Review Your Admins


In Step 1 you will be able to review the permanent and temporary admins in your organization. The more
permanent admins your organization has, the bigger its attack surface, leaving you vulnerable to cyber
attacks and security breaches. The idea here is that not all administrators in an organization need to be in
that role on a permanent basis. While there will be a need for some permanent admin roles, you should
evaluate whether all administrators need that level of access all the time. This simple exercise gives an
organization more visibility into its administrative setup, where things can be easily missed or over-
looked in larger organizations. Personnel come and go all the time, and roles and assignments change
periodically.

✔️ Privileged Role Administrator is the role used to administer Azure AD PIM. Security Administrator is a
newer role that has read-only access to PIM, as noted in the PIM Access topic.
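The wizard's Step 1 is a point-in-time view in the portal. The script below is an added example written for this edition, not course material, that produces the same review for one role on demand, so it can be run on a schedule or after a personnel change. It uses the Microsoft Graph PowerShell SDK, which postdates the course, and assumes the caller can read directory role assignments (Privileged Role Administrator, or a reader role such as Global Reader). It separates permanent Global Administrator assignments from eligible ones, which is exactly the split the "too many global administrators" alert later in this module is computed from.

```powershell
# Added example, not course material: list who holds Global Administrator permanently,
# who is currently activated, and who is merely eligible. Assumes the caller can read
# directory role assignments (Privileged Role Administrator or Global Reader).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Active schedules carry assignmentType "Assigned" (a standing assignment, the
# wizard's "permanent admin") or "Activated" (an eligible admin activated via PIM).
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($ga.Id)'" -ExpandProperty principal -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($ga.Id)'" -ExpandProperty principal -All

$permanent = @($active | Where-Object { $_.AssignmentType -eq "Assigned" })
$activated = @($active | Where-Object { $_.AssignmentType -eq "Activated" })

"Global Administrator: {0} permanent, {1} currently activated, {2} eligible" -f `
    $permanent.Count, $activated.Count, @($eligible).Count

# The permanent holders are the ones Step 2 asks you to remove or convert to eligible.
$permanent | ForEach-Object {
    $expiration = $_.ScheduleInfo.Expiration
    $expires = if ($expiration.Type -eq "noExpiration") { "never" } else { $expiration.EndDateTime }
    [pscustomobject]@{
        Principal = $_.Principal.AdditionalProperties["userPrincipalName"]
        Kind      = $_.Principal.AdditionalProperties["@odata.type"]   # user, group or service principal
        Expires   = $expires
    }
} | Format-Table -AutoSize
```

Groups and service principals holding the role are worth a second look in the output: a group assignment hides every member behind one line, and a service principal that is a permanent Global Administrator cannot be prompted for MFA at all.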

Minimize Your Admins' Attack Surface


In Step 2 you can minimize your attack surface by removing administrators. You can also switch perma-
nent admins to temporary access rights. When an administrator becomes temporary, an email notifica-
tion is sent to inform the admin of the change and explain the process for activating administrative
privileges. Again, the idea is to be able to block opportunities or close loopholes that might present
themselves to attackers, due to administrators having extended rights and privileges they either don't
need, or no longer need to have.

Define Temporary Admin Settings


In Step 3 you can define default settings for your temporary admins. These settings only affect users who
are eligible admins, not permanent admins.

●● Activations. The time, in hours, that a role stays active before it expires. This can be between 1 and 72
hours.
●● Notifications. You can choose whether the system sends emails to admins confirming that they have
activated a role. This can be useful for detecting unauthorized or illegitimate activations.
●● Incident/Request Ticket. You can choose whether to require eligible admins to include a ticket
number when they activate their role. This can be useful when you perform role access audits.
●● Multi-Factor Authentication. You can choose whether to require users to verify their identity with
MFA before they can activate their roles. They only verify this once per session, not every time they
activate a role. Remember users who have Microsoft accounts for their email addresses (typically
@outlook.com, but not always) cannot register for Azure MFA. If you want to assign roles to users with
Microsoft accounts, you should either make them permanent admins or disable MFA for that role.
✔️You cannot disable MFA for highly privileged roles for Azure AD and Office365. Do you see why?
For more information, you can see:
How to manage role activation settings in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings
Email Notifications - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications

Demonstration - PIM Security Wizard, Alerts, and Reviews

PIM Directory Roles


Directory Roles
Azure AD PIM manages policies for privileged access for users in Azure AD. With PIM you can assign
users to one or more roles in Azure AD, and you can assign someone to be permanently in the role, or
eligible for the role. When a user is permanently assigned to a role, or activates an eligible role assign-
ment, then they can manage Azure AD, Office 365, and other applications with the permissions assigned
to their roles.
✔️ Only a Global Administrator can update which users are permanently assigned to roles in Azure AD.
An eligible administrator can activate the role when they need it, and then their permissions expire once
they're done.
PIM can assign users to many common administrator roles. Here are a few. Check the reference link for
other available roles.

●● Global administrator (also known as Company administrator) has access to all administrative
features. The person who signs up to purchase Office 365 automatically becomes a global admin. You
can have more than one global admin in your organization.
●● Privileged role administrator manages Azure AD PIM and updates role assignments for other users.
●● Billing administrator makes purchases, manages subscriptions, manages support tickets, and
monitors service health.
●● Password administrator resets passwords, manages service requests, and monitors service health.
Password admins are limited to resetting passwords for users.
●● Service administrator manages service requests and monitors service health.
✔️ Is there anyone, other than the Global Administrator, in your organization that needs a permanent
role assignment? Which roles are you interested in using PIM to make assignments?
For more information, you can see:
Directory roles you can manage using Azure AD PIM - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-roles

Demonstration - PIM Approval Workflows


You can use the default PIM approvals or select specific users and groups for a privileged role.

PIM Directory Alerts


Azure Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity
in your environment. When an alert is triggered, it shows up on the PIM dashboard. Select the alert to see
a report that lists the users or roles that triggered the alert.

Alerts are categorized into three areas: High (immediate action is needed), Medium (signals a potential
policy violation), and Low (suggests a preferable policy change). Here are some common alerts:
“Roles are being activated too frequently” alert
This alert triggers if a user activates the same privileged role multiple times within a specified period. You
can configure both the time (days, hours, and minutes) and the number of activations (2 to 100).
“There are too many global administrators” alert
PIM triggers this alert if two different criteria are met, and you can configure both. First, you need to
reach a certain threshold of global administrators (2 to 100). Second, a certain percentage (0 to 100%) of
your total role assignments must be global administrators.
“Administrators aren't using their privileged roles” alert
This alert triggers if a user goes a certain amount of time without activating a role. Specify the number of
days, from 0 to 100, that a user can go without activating a role.
✔️ PIM will also alert you if roles are being assigned outside of PIM. This is a high severity alert. You
should immediately check the users in the list and un-assign them from privileged roles assigned outside
of PIM.
For more information, you can see:
How to configure security alerts in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts

Practice - Assign Directory Roles

The Azure AD Privileged Identity Management (PIM) service also allows privileged role administrators to
make permanent directory role assignments. Additionally, privileged role administrators can make users
eligible for directory roles. An eligible administrator can activate the role when they need it, and then
their permissions expire once they're done. Take a few minutes and try it for yourself, Assign directory
roles to users using Azure AD PIM4.

In this tutorial, you learn how to:


●● Make a user eligible for a role.
●● Make a role assignment permanent.
●● Remove a user from a role.
✔️ At the time of this writing, there are no PIM related commands in the AzureAD or AzureADPreview
PowerShell Modules. You will need to install Microsoft.Azure.ActiveDirectory.PIM.PSModule from the
PowerShell Gallery. This will give you access to commands like Enable-PrivilegedRoleAssignment.
For more information, you can see:
PowerShell Gallery Microsoft.Azure.ActiveDirectory.PIM.PSModule - https://www.powershellgallery.com/packages/Microsoft.Azure.ActiveDirectory.PIM.PSModule/2.0.0.1513

Practice - Activate and Deactivate PIM Roles

If you have been made eligible for an administrative role, that means you can activate that role when you
need to perform privileged actions. Take a few minutes and try How to activate or deactivate roles in
Azure AD Privileged Identity Management5 tutorial.

4 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
5 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role

In this tutorial, you learn how to:


●● Add the Privileged Identity Management application.
●● Activate a role.
●● Deactivate a role.
●● Cancel a pending request.
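The two practices above (make a user eligible, then activate and deactivate the role) are one lifecycle, and both can be scripted. The script below is an added example written for this edition, not course material and not the linked tutorials' steps. It uses the Microsoft Graph PowerShell SDK, which postdates the PIM module the note above refers to, and assumes a user isabella@contoso.com exists; the ticket number and justification text are constructed placeholders. The first request is run by a Privileged Role Administrator, the second and third by the eligible user herself.

```powershell
# Added example, not course material: eligible assignment, time-boxed activation and
# early deactivation of a directory role through PIM, via Microsoft Graph PowerShell.
# Assumptions (placeholders): user isabella@contoso.com exists; INC-0042 is a made-up ticket.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$user = Get-MgUser -UserId "isabella@contoso.com"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"

# 1. Privileged Role Administrator: eligible, not permanent, and the eligibility itself
#    lapses after 90 days, so a forgotten admin drops off even if nobody runs a review.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Security operations on-call rotation"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                       # whole directory
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
$req = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility
"Eligibility request {0}: {1}" -f $req.Id, $req.Status

# 2. The eligible user: activate for two hours (must be within the role's maximum
#    activation duration) with the justification and ticket the role settings can require.
#    If the role requires approval, Status comes back as PendingApproval instead of Provisioned.
$activation = @{
    action           = "selfActivate"
    justification    = "Investigating alert INC-0042"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
    ticketInfo       = @{ ticketNumber = "INC-0042"; ticketSystem = "ServiceNow" }
}
$act = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
"Activation request {0}: {1}" -f $act.Id, $act.Status

# 3. Deactivate as soon as the work is done rather than letting the two hours run out.
$deactivation = @{
    action           = "selfDeactivate"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $deactivation | Out-Null
```

The expiration on the eligibility request is the "assignment setting" the module mentions later for resource roles; the expiration on the activation request is the "activation setting" configured in the wizard's Step 3. Keeping both bounded is what turns a standing Global or Security Administrator into a just-in-time one.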

Practice - Directory Roles (General)

With Azure AD Privileged Identity Management (PIM), you can manage, control, and monitor access
within your organization. This scope includes access to Azure resources, Azure AD and other Microsoft
online services like Office 365 or Microsoft Intune.
As you've already learned in this lesson, Azure PIM simplifies how you manage privileged access to
resources in Azure, and other services. From role activation or deactivation to setting up security alerts for
suspicious or unsafe activity in your environment, and many other tasks - PIM helps minimize your
environment's attack surface by more granular control of the roles that have administrative access and
sets of privileges.
There are many things to explore and try in this practice. As you have time try or review any of the follow-
ing tasks.
●● How to give other admins access to PIM6
●● How to add or remove a user role7
●● How to activate or deactivate a role8
●● How to change or view the default activation settings for a role9
●● How to configure security alerts10

6 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim
7 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
8 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role
9 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings
10 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts

●● How to start an access review11


●● How to perform an access review12
●● How to complete an access review13
●● How to require MFA14
●● How to use the audit log15
✔️ Keep in mind the prerequisites to performing these exercises, such as a valid Azure AD Premium P2 or
Enterprise Mobility + Security E5 paid or trial license is required for each user that interacts with or
receives a benefit from the service.

11 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
12 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-perform-security-review
13 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-complete-review
14 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-require-mfa
15 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log

PIM for Resource Roles


Activate Roles
PIM is now being expanded from administrator privileges to resource role assignments. Following Just
Enough Administration (JEA) best practices, users and group members with assignments in Azure sub-
scriptions or resource groups can activate their existing role assignment at a reduced scope.
Eligible role members can schedule activation for a future date and time. They can also select a specific
activation duration within the maximum (configured by administrators). If the start date and time are not
modified, the role is activated in seconds.
In this example, a user has requested activation of the Contributor role.

✔️ Do you see how PIM for Resource Roles is different from PIM for Directory Roles?
For more information you can see:
Activate roles for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles

Assign Roles
Role assignments can be Just in time or Direct.
[Screenshot: the New assignment page in the portal, Membership settings pane with the Assignment type box and the related check box.]
●● Just in time. Provides the user or group members with eligible but not persistent access to the role
for a specified period or indefinitely (if configured in role settings).
●● Direct. Does not require the user or group members to activate the role assignment (known as
persistent access).
✔️ We recommend using direct assignment for short-term use, where access won’t be required when the
task is complete. Examples are on-call shifts and time-sensitive activities.
For more information, you can see:
Manage security alerts for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts

PIM Resource Alerts


PIM for Azure Resources generates alerts when there is suspicious or unsafe activity in your environment.
When an alert is triggered, it shows up on the Alerts page. This is the same as for the PIM Directory
Alerts.

The severity levels (high, medium, and low) are also the same, but the substance of the alert is different.

●● Too many owners assigned to a resource. Severity: Medium. Trigger: too many users have the owner
role. Recommendation: review the users in the list and reassign some to less privileged roles.
●● Too many permanent owners assigned to a resource. Severity: Medium. Trigger: too many users are
permanently assigned to a role. Recommendation: review the users in the list and re-assign some to
require activation for role use.
●● Duplicate role created. Severity: Medium. Trigger: multiple roles have the same criteria. Recommen-
dation: use only one of these roles.
✔️ You determine when the alert will fire by specifying the minimum number of owners and the mini-
mum percentage of owners. Read more at the reference link.
For more information, you can see:
Manage security alerts for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts

PIM Workflow Example


Approval workflows, to restrict and protect access to resources, were discussed in the previous lesson.
Now let’s look at a specific example.

1. Bob, a resource administrator, uses PIM to assign Alice as an eligible member to the owner role in the
Contoso subscription. With this assignment, Alice is an eligible owner of all resource groups (Test, Dev,
and Prod) within the subscription. Alice is also an eligible owner of all resources (like virtual machines)
within each resource group of the subscription.
2. Bob uses PIM to require all members in the owner role of the subscription to request approval before
activation. To help protect the resources in the Prod resource group, Bob also requires approval for
members of the owner role of that resource group. The owner roles in Test and Dev do not require
approval for activation.
3. When Alice requests activation of her owner role for the subscription, an approver must approve or
deny her request before she becomes active in the role. If Alice decides to scope her activation to the
Prod resource group, an approver must approve or deny this request, too. But if Alice decides to
scope her activation to either or both Test and Dev, approval is not required.
✔️ You can selectively apply workflows. For example, if you have contract associates you could create a custom role for access to the Prod resource group. You could then configure PIM to require members of that role, and only that role, to be approved.
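To make the scope and approval behaviour in the Bob/Alice scenario concrete, here is a small added Python model of it. This is illustration code written for this page, not Azure or PIM code: the scope strings, the `PimResourceModel` class, the `Owner` role name, and the choice of Bob as the approver are all assumptions. It encodes two rules the scenario relies on: an eligible assignment at a scope covers every scope nested beneath it, and the approval requirement is looked up at the exact scope being activated (no inheritance, which is why Test and Dev need no approval even though the subscription does). It also refuses self-approval, a check worth having in any approval workflow.

```python
"""Toy model of PIM eligible assignments and approval-gated activation.

Added illustration for the course text; not Azure or PIM code. Scope strings
follow the Azure resource-ID shape but are constructed sample values.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Set, Tuple


def scope_contains(parent: str, child: str) -> bool:
    """True if `child` is `parent` itself or any scope nested beneath it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


@dataclass
class RoleSettings:
    require_approval: bool = False        # default: activation is immediate
    approvers: Tuple[str, ...] = ()


@dataclass
class ActivationRequest:
    request_id: int
    requester: str
    role: str
    scope: str
    justification: str
    status: str                           # active | pending_approval | not_eligible | denied
    decided_by: Optional[str] = None


class PimResourceModel:
    """Assumption: settings are per (scope, role) and do NOT flow to child scopes."""

    def __init__(self) -> None:
        self._eligible: Dict[Tuple[str, str], Set[str]] = {}
        self._settings: Dict[Tuple[str, str], RoleSettings] = {}
        self._requests: Dict[int, ActivationRequest] = {}
        self._ids = count(1)

    def assign_eligible(self, user: str, role: str, scope: str) -> None:
        self._eligible.setdefault((user, role), set()).add(scope)

    def configure_role(self, scope: str, role: str, require_approval: bool,
                       approvers: Tuple[str, ...] = ()) -> None:
        self._settings[(scope, role)] = RoleSettings(require_approval, approvers)

    def is_eligible(self, user: str, role: str, scope: str) -> bool:
        # Eligibility inherits downward: an assignment at the subscription
        # covers every resource group and resource inside it.
        return any(scope_contains(s, scope) for s in self._eligible.get((user, role), ()))

    def request_activation(self, user: str, role: str, scope: str,
                           justification: str) -> ActivationRequest:
        if not self.is_eligible(user, role, scope):
            status = "not_eligible"
        else:
            settings = self._settings.get((scope, role), RoleSettings())
            status = "pending_approval" if settings.require_approval else "active"
        req = ActivationRequest(next(self._ids), user, role, scope, justification, status)
        self._requests[req.request_id] = req
        return req

    def decide(self, request_id: int, approver: str, approve: bool) -> ActivationRequest:
        req = self._requests[request_id]
        if req.status != "pending_approval":
            raise ValueError("request is not awaiting approval")
        settings = self._settings[(req.scope, req.role)]
        # Only a configured approver may decide, and never the requester.
        if approver not in settings.approvers or approver == req.requester:
            raise PermissionError(f"{approver} may not decide request {request_id}")
        req.status = "active" if approve else "denied"
        req.decided_by = approver
        return req


SUB = "/subscriptions/contoso"                       # constructed sample scope
RG = {name: f"{SUB}/resourceGroups/{name}" for name in ("Test", "Dev", "Prod")}


def contoso_scenario() -> PimResourceModel:
    """Steps 1 and 2 of the worked example: Bob sets up Alice's eligibility."""
    pim = PimResourceModel()
    pim.assign_eligible("alice", "Owner", SUB)                       # step 1
    pim.configure_role(SUB, "Owner", True, approvers=("bob",))       # step 2 (Bob as approver is assumed)
    pim.configure_role(RG["Prod"], "Owner", True, approvers=("bob",))
    pim.configure_role(RG["Test"], "Owner", False)
    pim.configure_role(RG["Dev"], "Owner", False)
    return pim


if __name__ == "__main__":
    pim = contoso_scenario()
    for scope in (SUB, RG["Prod"], RG["Test"], RG["Dev"]):
        print(scope, "->", pim.request_activation("alice", "Owner", scope, "deploy").status)
```

Running the script walks step 3 of the example: activation at the subscription or at Prod comes back `pending_approval`, while Test and Dev come back `active`. Because eligibility is checked by scope containment, Alice is also eligible on a virtual machine nested under any of those resource groups, exactly as the text describes.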
For more information, you can see:
Approval workflow for Azure resource roles in Privileged Identity Management – https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow

Practice - PIM Resource Workflows

Take a few minutes to try the steps on the Approval Workflow16 page. In this practice you will:
●● Require approval to activate.
●● Specify approvers.
●● Request approval to activate.
●● Approve or deny a request.

16 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow

Notice that each role has both assignment and activation settings. The activation settings are the same as those you have already seen earlier in the module. The assignment settings are new and include expiration information.

Module 3 Review Questions

PIM Features
What is the main purpose of Azure AD PIM? What are some of the things you can do with it?

Suggested Answer ↓ 
PIM is a cloud-based service designed to protect administration of your cloud-based resources. PIM has many features, including: enforcing on-demand, just-in-time access; per-role approval workflows; attesting admin role membership with access reviews; just-enough administration for users and groups; and providing visibility through alerts and audit reports.

Administrator Access
The PIM Security Wizard shows the three main ways you can control administrator access. What are these
ways?

Suggested Answer ↓ 
There are three steps in the PIM Security Wizard. In Step 1, you review the permanent and temporary
admins in your organization removing any that are not needed. In Step 2, you switch permanent admins
to temporary admins. In Step 3, you configure the temporary admin settings like activation period, email
notification, and MFA authentication.

PIM Alerts
PIM alerts are an important feature to ensure you are being notified of important events. What are the
alert severity levels? What are some of the alerts you might see for PIM Directory roles? What are some
alerts you might see for PIM Role Resources?

Suggested Answer ↓ 
There are three PIM alert levels: high, medium, and low. Some of the directory role alerts you might see are: roles are being activated too frequently, there are too many global administrators, and administrators aren't using their privileged roles. Alerts for resources might include: too many owners assigned to a resource, too many permanent owners assigned to a resource, and duplicate role created.
