
How To Make The Best Use Of Live Sessions

• Please log in 10 minutes before the class starts and check your internet connection to avoid any network issues during the LIVE session

• All participants will be on mute by default to avoid background noise. The instructor will unmute you if required. Please use the “Questions” tab in your webinar tool to interact with the instructor at any point during the class

• Feel free to ask and answer questions to make your learning interactive. The instructor will address your queries at the end of the ongoing topic

• We have a dedicated support team to assist with all your queries. You can reach us anytime at: support@edureka.co

• Your feedback is very much appreciated. Please share feedback after each class; it will help us enhance your learning experience

Copyright © edureka and/or its affiliates. All rights reserved.


Microsoft Azure Administrator Certification (AZ-104)
COURSE OUTLINE (current: MODULE 10)

01. Managing Azure Subscriptions And Resource Groups
02. Azure Virtual Networks And Network Security
03. Overview Of Azure Virtual Machines
04. Overview Of Azure Storage Services
05. Secure And Manage Azure Storage
06. Configure Virtual Machines For High Availability
07. Network Traffic Distribution And Connectivity
08. Integrate On-premises Network With Azure Virtual Network
09. Monitoring And Access Management For Cloud Resources
10. Manage Azure Active Directory (AD)
11. Implementing And Managing Hybrid Identities
Recap


Module 10 – Manage Azure Active
Directory (AD)

Copyright © edureka and/or its affiliates. All rights reserved.


Topics
Following are the topics covered in this module:

▪ Identity Access Management
▪ Azure Active Directory
▪ Multi Factor Authentication
▪ Self-Service Password Reset
▪ Azure AD Identity Protection
▪ Azure AD Conditional Access
▪ Azure AD Domains and Tenants
▪ Azure AD Domain Services
▪ Azure AD Join
▪ Azure AD Single Sign-On
▪ Manage Azure AD Objects


Objectives
After completing this module, you should be able to:

▪ Implement access management with Azure users and groups
▪ Understand Azure Active Directory Services
▪ Implement Self-Service Password Reset
▪ Configure Azure AD Identity Protection
▪ Comprehend domains and tenants and delegate administrator roles


Identity Access Management



What Is Identity Access Management (IAM) ?
Microsoft Azure IAM solutions protect access to applications and resources across the corporate
data center and into the cloud

This enables additional levels of validation, such as multifactor authentication and conditional
access policies

Monitoring suspicious activity through advanced security reporting, auditing and alerting helps
mitigate potential security issues



How Azure IAM Will Help Your Business?
▪ Create and manage a single identity for each user across your hybrid enterprise
▪ Enforce rules-based multifactor authentication for both on-premises and cloud apps
▪ Provide single sign-on access to your applications
▪ Provide secure remote access to on-premises web applications
▪ Improve user productivity


What Is An Active Directory?



What Is An Active Directory?
▪ It is software that organises and stores information about the accounts on a network and provides them with access and permissions
▪ Active Directory information is used to authenticate and authorise users, systems and resources which are part of a network

Active Directory User
▪ Part of the organisation with a unique identity in the domain
▪ Can access the resources in the domain based on authorisation
▪ Each user account is unique and secured by a password

Active Directory Computer
▪ Individual workstations, which are part of a network
▪ Each computer has a unique computer account that authenticates and authorises its access to the domain resources


Azure Active Directory



What Is Azure Active Directory (AD)?
Azure AD is Microsoft’s multi-tenant, cloud-based directory and identity-management service that combines core directory services, application access management, and identity protection into a single solution

▪ If you already have an on-premises directory, it can be extended to the cloud using the directory integration capabilities of Azure AD

▪ Two entities in Azure AD that will concern you the most during application development are users and groups


How Does Access Management Work In Azure AD?
▪ The resource owner can assign a set of access permissions to a user or to all the members of a group
▪ They can also give management rights for the member list to someone else (a group owner), letting that person add and remove members as needed

[Figure: the resource owner assigns the group to the project resource; the group owner (EDU) manages the group members (Paul, John, Rob), who receive access through the group]


Access Rights Assignment

Direct Assignment
The resource owner directly assigns the user to the resource

Group Assignment
The resource owner assigns an Azure AD group to the resource, which automatically gives all of the group members access to the resource

Rule-based Assignment
The resource owner creates a group and uses a rule to define which users are assigned to a specific resource

External Authority Assignment
The resource owner assigns a group to provide access to the resource and then the external source manages the group members
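The four assignment models above, done from PowerShell with the AzureAD module. This is an added example, not part of the course material or the Demo 1 document: the tenant name, the user names (Paul, John, Rob) and the department value in the dynamic rule are placeholders, and the dynamic group needs an Azure AD Premium P1 licence.

```powershell
# Added example (not from the course material): create a security group, add
# members directly, delegate ownership, and create a rule-based (dynamic)
# group with the AzureAD PowerShell module. Tenant, user names and the
# department value are placeholders (assumptions).
Import-Module AzureAD
Connect-AzureAD   # interactive sign-in with an account that can manage groups

# Group assignment: a static security group the resource owner can assign
$group = New-AzureADGroup -DisplayName "Project EDU" `
    -Description "Members get access to the EDU project resource" `
    -SecurityEnabled $true -MailEnabled $false -MailNickName "projectedu"

# Direct membership: add named users (placeholders) to the group
foreach ($upn in @("paul@contoso.onmicrosoft.com", "john@contoso.onmicrosoft.com")) {
    $user = Get-AzureADUser -ObjectId $upn
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# Delegated ownership: Rob can manage the member list without being an admin
$rob = Get-AzureADUser -ObjectId "rob@contoso.onmicrosoft.com"
Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $rob.ObjectId

# Rule-based assignment: a dynamic group whose membership is computed from a
# user attribute (Azure AD Premium P1). The rule uses the documented syntax.
$dyn = New-AzureADMSGroup -DisplayName "EDU Project - Sales" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "eduprojectsales" `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Sales")' `
    -MembershipRuleProcessingState "On"

# Check: members and owners of the static group; the dynamic group fills in
# after Azure AD evaluates the rule
Get-AzureADGroupMember -ObjectId $group.ObjectId | Select-Object DisplayName, UserPrincipalName
Get-AzureADGroupOwner  -ObjectId $group.ObjectId | Select-Object DisplayName
Get-AzureADMSGroup -Id $dyn.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Giving Rob group ownership rather than a directory role is the least-privilege way to let a non-administrator run the member list; an owner can only change membership of the groups they own.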


Who Uses Azure AD?

IT Administrators
• As an IT admin, you can use Azure AD to control access to your apps and your app resources, based on your business requirements
• Azure AD meets your access governance requirements by protecting user identities and credentials

Application Developers
• As an app developer, Azure AD allows single sign-on (SSO) to your app to enable working with a user's pre-existing credentials
• Azure AD also provides APIs to help you build personalized app experiences leveraging existing organizational data

Microsoft Online Subscribers
• Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant
• One can immediately start managing access to integrated cloud apps
Azure AD Licenses
If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features

Azure AD paid licenses are built on top of your existing free directory, providing enhanced monitoring, security reporting, and secure access for your mobile workforce

To enhance your Azure AD implementation, you can add paid capabilities by upgrading from Azure AD Free to Azure Active Directory Basic, Premium P1, or Premium P2 licenses

Pay-as-you-go feature licenses such as Azure AD Business-to-Customer (B2C) can help you provide identity and access management solutions for your customer-facing apps


Azure AD Licenses

Azure AD Free
Provides user and group management, on-premises directory synchronization, and single sign-on across Azure, Office 365, and many popular SaaS apps

Azure AD Basic
Along with the Free features, Basic also provides cloud-centric app access, group-based access management, self-service password reset for cloud apps, and Azure AD Application Proxy

Azure AD Premium P1
Along with the Free and Basic features, P1 also lets your hybrid users access both on-premises and cloud resources, and supports advanced administration, such as dynamic groups and cloud write-back capabilities

Azure AD Premium P2
Along with the P1 features, P2 also offers Azure AD Identity Protection to provide risk-based conditional access to your apps, and Privileged Identity Management to discover, restrict, and monitor admins and their access to resources


Demo 1: Creating A Group And
Adding Members

Note: Refer to Module-10 Demo1 Document on LMS for all the steps in detail



Azure AD Authentication Methods:
Multi-Factor Authentication



Authentication Methods
▪ Microsoft Azure AD includes features, like Azure Multi-Factor Authentication (Azure MFA) and Azure AD self-service password reset (SSPR), to help administrators protect their organizations and users with additional authentication methods

▪ Azure MFA and Azure AD SSPR give admins control over configuration, policy, monitoring, and reporting using Azure AD and the Azure portal to protect their organizations

▪ Additional verification may come in the form of authentication methods such as:
  ▪ A code provided in an email or text message
  ▪ A phone call
  ▪ A notification or code on their phone
  ▪ Answers to security questions


Azure Multi-Factor Authentication (MFA)
Azure MFA is Microsoft's two-step verification solution that helps safeguard your
access to data and applications, while meeting the demand for a simple sign-in
process

It is recommended that you require Azure MFA for user sign-ins because:

It delivers strong authentication with a range of easy verification options

It enables your organization to protect and recover from account compromises



How Does Multi-Factor Authentication Work?
Because of Azure MFA’s layered approach, even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method

It works by requiring two or more of the following kinds of factor:

• Something you know, such as a password

• Something you have, such as a trusted device that is not easily duplicated, like a phone

• Something you are, such as biometrics


Azure Multi-Factor Authentication Limitations

Following are the limitations of the MFA authentication method, i.e. situations it does not protect against on its own:

▪ Compromised device: malware on the user's device acts after the user has already completed both factors
▪ Hijacked session: an attacker who steals the session token or cookie issued after sign-in does not need either factor again
▪ Compromised data: MFA protects the sign-in, not data that has already been exposed or exfiltrated
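Before requiring MFA it helps to know who has not registered a method yet, and privileged accounts are the first to fix. The script below is an added example, not from the course material: it uses the MSOnline module, the tenant and user names are placeholders, and it enables legacy per-user MFA for one pilot account (a Conditional Access policy, covered later in this module, is the preferred way to require MFA at scale).

```powershell
# Added example (not from the course material): audit which enabled users have
# no MFA method registered, cross-check against Global Administrators, and
# enforce per-user MFA for a pilot account with the MSOnline module.
# Tenant and user names are placeholders (assumptions).
Import-Module MSOnline
Connect-MsolService

# Users with no strong authentication method registered are the ones a
# password-only compromise hits hardest
$noMfa = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName
$noMfa | Format-Table -AutoSize

# "Company Administrator" is the MSOnline name of the Global Administrator role
$gaRole = Get-MsolRole -RoleName "Company Administrator"
$gaNoMfa = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.EmailAddress -in $noMfa.UserPrincipalName }
"Global Administrators without MFA: $(@($gaNoMfa).Count)"
$gaNoMfa | Select-Object EmailAddress

# Enforce per-user MFA for a pilot account (legacy per-user MFA)
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
Set-MsolUser -UserPrincipalName "pilot.user@contoso.onmicrosoft.com" `
    -StrongAuthenticationRequirements @($req)

# Check: the pilot user's MFA state should now read Enabled
(Get-MsolUser -UserPrincipalName "pilot.user@contoso.onmicrosoft.com").StrongAuthenticationRequirements.State
```

The audit only reports registered methods; a user whose state is Enabled but who has never completed registration is still prompted to register at next sign-in, so run the first query again after the rollout.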


Azure AD Authentication Methods:
Self-Service Password Reset



Azure Self-Service Password Reset (SSPR)
SSPR offers a simple means for IT admins to empower their users to reset or unlock their own passwords or accounts without IT intervention

Your Azure AD password is an authentication method that cannot be disabled, and password reset includes:

▪ Password change: I know my password but want to change it to something new

▪ Password reset: I can't sign in and want to reset my password using one or more approved authentication methods

▪ Account unlock: I can't sign in because my account is locked out and I want to unlock it using one or more approved authentication methods


Why Use Azure SSPR?
Password reset today involves:

▪ High helpdesk costs
▪ Users having to spend hours on the phone
▪ Manual configuration and management
▪ Limited control for admins enforcing security policies


How Does Azure SSPR Work?
1. The user selects the Can't access your account link or goes directly to https://aka.ms/sspr

2. The user enters a user ID and passes a captcha

3. Azure AD verifies that the user is able to use this feature by running the checks shown on the next slide

4. If the checks pass, the user is guided through the reset process


How Does SSPR Work? (Contd…)
Azure AD verifies that the user is able to use this feature by doing the following checks:

▪ Checks that the user has this feature enabled and has an Azure AD license assigned. If not, the user is asked to contact their administrator to reset their password

▪ Checks that the user has the right authentication methods defined on their account in accordance with administrator policy

▪ Checks to see if the user’s password is managed on-premises (in which case password writeback must be configured for the reset to reach the on-premises directory)


Confirm Authentication Data With SSPR (For Users)
01. Open the web browser on your device and go to the password reset registration page

02. Enter your username and the password that your administrator provided

03. Depending on how your IT staff has configured things, one or more of the following options are available for you to configure and verify:
    ▪ Office phone: only your admin can set this option
    ▪ Authentication Phone
    ▪ Authentication Email
    ▪ Security Questions

04. Provide and verify the information that your administrator requires

05. Select Finish. You can now use SSPR when you need to in the future


How To Deploy SSPR?

1. Enable users to register
2. Choose authentication methods
3. Configure password writeback
4. Add users to password reset from the lock screen
5. Test SSPR as an end user


Demo 2: Self-Service Password
Reset

Note: Refer to Module-10 Demo2 Document on LMS for all the steps in detail



Demo 3: Set The Password
Policies Using PowerShell

Note: Refer to Module-10 Demo3 Document on LMS for all the steps in detail

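The password expiry policy of a tenant is set per verified domain, and per-user exemptions override it, so both need to be reviewed together. The script below is an added example and not the Demo 3 document from the LMS: it uses the MSOnline module, and the domain name, the 90/14-day values and the service account UPN are placeholders.

```powershell
# Added example (not the Demo 3 document): read and set the password expiry
# policy for a verified domain with the MSOnline module, then list the
# accounts exempted from it. Domain, values and user names are placeholders.
Import-Module MSOnline
Connect-MsolService

$domain = "contoso.com"

# Current policy: ValidityPeriod = days until a password expires,
# NotificationDays = days of warning shown before expiry
Get-MsolPasswordPolicy -DomainName $domain

# Example values: 90-day validity with 14 days' notice. A tenant that enforces
# MFA and banned-password checks may instead choose not to expire passwords.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14

# Per-user exemptions override the domain policy: any account with
# PasswordNeverExpires keeps its password indefinitely, so list them
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp

# Service accounts that must not rotate get the exemption explicitly, and
# should appear in the list above at the next review
Set-MsolUser -UserPrincipalName "svc-backup@contoso.com" -PasswordNeverExpires $true

# Check: the policy now reports the new values
$policy = Get-MsolPasswordPolicy -DomainName $domain
if ($policy.ValidityPeriod -ne 90 -or $policy.NotificationDays -ne 14) {
    throw "Password policy for $domain was not applied"
}
```

Run the exemption query on a schedule: an exemption added for a one-off migration tends to outlive the migration.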


Azure AD Identity Protection



What Is Azure AD Identity Protection?
Azure AD Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to:

▪ Detect potential vulnerabilities affecting your organization's identities

▪ Configure conditional access policies to automatically respond to suspicious actions related to your organization's identities

▪ Investigate suspicious incidents and take appropriate action to resolve them


Identity Protection Capabilities

Detecting Vulnerabilities And Risky Accounts
• Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
• Calculating sign-in risk levels
• Calculating user risk levels

Investigating Risk Events
• Sending notifications for risk events
• Investigating risk events using relevant information
• Providing basic workflows to track investigations
• Providing easy password reset actions

Risk Based Conditional Access Policies
• Policy to mitigate risky sign-ins by blocking them
• Policy to block or secure risky user accounts
• Policy to require users to register for multi-factor authentication
Identity Protection Roles
Azure AD Identity Protection supports 3 directory roles:

Role | Can do | Cannot do
Global administrator | Complete access to Identity Protection; onboard Identity Protection | Nothing (can do everything)
Security administrator | Complete access to Identity Protection | Onboard Identity Protection; reset passwords for a user
Security reader | Read-only access to Identity Protection | Onboard Identity Protection; remediate users; configure policies; reset passwords


Steps To Enable Identity Protection
1. In the Azure portal, click Marketplace
2. In the applications list, click on Identity > then select Azure AD Identity Protection
3. On the Azure AD Identity Protection blade, click Create. Once created, you can see the overview page


How Does Azure AD Identity Protection Work?
1. Machine learning: Azure AD uses adaptive machine learning algorithms and heuristics to detect anomalies that indicate potentially compromised identities

2. Reports and alerts: using this data, Identity Protection generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation actions

3. Risk-based policies: to protect your organization's identities, you can configure risk-based policies that respond to detected issues when a specified risk level has been reached. To implement automated responses, Azure AD Identity Protection provides you with three policies:
   ▪ Multi-factor Authentication Registration Policy
   ▪ User Risk Policy
   ▪ Sign-in Risk Policy


Multi-factor Authentication Registration Policy
▪ We already know MFA provides a second layer of security to user sign-ins and transactions
▪ Azure AD Identity Protection helps you manage the roll-out of MFA registration by configuring a policy

You can access the MFA registration policy and the other policies under the Configure section of the Identity Protection page


Sign-in Risk Policy
Is the sign-in done using an anonymous IP address,
or is the sign-in initiated from an unfamiliar location?

Azure AD detects risk events for a sign-in of a user in real-time

A risky sign-in indicates a sign-in attempt from someone that might not be the legitimate owner of a user
account

Based on the risk events that have been detected, Azure AD calculates a value that represents the
probability (low, medium, high) that the sign-in is not performed by the legitimate user

The sign-in risk policy is an automated response you can configure for a specific sign-in risk level
- block access to your resources, or require MFA to gain access.



User Risk Policy

With the user risk, Azure AD detects the probability that a user account has been compromised

All risk events that have been detected for a user and didn't get resolved are known as active user risk
events

Based on the user risk, Azure AD calculates a probability (low, medium, high) that a user has been
compromised

The user risk policy is an automated response you can configure for a specific user risk level -
block access to your resources, or require a password change to get the user account back



Demo 4: Block Access On A
Session Risk Detection

Note: Refer to Module-10 Demo4 Document on LMS for all the steps in detail



Azure AD Conditional Access



What Is Azure AD Conditional Access?

Conditional access is a capability of Azure AD that enables you to control how resources are
accessed in your cloud apps

By using conditional access you can empower users to be productive and protect their
corporate assets at the same time

Conditional access policies are enforced after the first-factor authentication has been
completed

There are two types of conditional access policies: Device based CA policy and App based
CA policy



Where Can Conditional Access Be Helpful?
Following are some common access concerns that conditional access can help you with:

Sign-in Risk Network Location

Device Management Client Application



Conditional Access Policies
The objective of a conditional access policy is to control how authorized users can access cloud apps under specific conditions

A conditional access policy is defined by an access scenario of this pattern:

When this happens (Condition): defines the reason for triggering your policy
Then do this (Access Controls): specifies the response of your policy


What Are Conditions In Conditional Access?
▪ In the context of conditional access, When this happens is called a Condition (Conditional Access Policy = Condition + Access Controls)

▪ Conditions you haven't configured in a conditional access policy aren't applied

▪ Some conditions are mandatory to a conditional access policy in an environment


What Are Access Controls In Conditional Access?
▪ In the context of conditional access, Then do this is called Access Controls (Conditional Access Policy = Condition + Access Controls)

▪ Each control is either a requirement that must be fulfilled by the user signing in, or a restriction on what the user can do thereafter
▪ There are two types of controls:
  ▪ Grant controls - to gate access
  ▪ Session controls - to restrict access within a session
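The condition / access-control pattern above, and the Identity Protection sign-in risk policy from the previous section (Demo 4), come together in one Conditional Access policy: "when the sign-in risk is medium or high, require MFA". The script below is an added example, not part of the course material: it uses the AzureAD module's New-AzureADMSConditionalAccessPolicy, the sign-in risk condition needs Azure AD Premium P2, and the break-glass group ID is a placeholder.

```powershell
# Added example (not from the course material): a Conditional Access policy
# requiring MFA for medium/high sign-in risk, created with the AzureAD module.
# Sign-in risk conditions need Azure AD Premium P2. The break-glass group ID
# is a placeholder (assumption).
Import-Module AzureAD
Connect-AzureAD

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder

# Condition ("When this happens"): any user, any cloud app, risky sign-in
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
# Always exclude the emergency-access accounts, so a policy mistake (or a
# false-positive risk detection) cannot lock every administrator out
$conditions.Users.ExcludeGroups = $breakGlassGroupId
$conditions.SignInRiskLevels = @("medium", "high")

# Access control ("Then do this"): grant access only with MFA
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Start in report-only mode: the sign-in logs show what the policy would have
# done without blocking anyone; switch -State to "Enabled" after reviewing them
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName "CA-SigninRisk-RequireMFA" `
    -State "EnabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls

# Check: read the policy back and confirm the risk levels and the exclusion
$saved = Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id
$saved.State
$saved.Conditions.SignInRiskLevels
$saved.Conditions.Users.ExcludeGroups
```

Changing "mfa" to "block" and the risk levels to "high" gives the block-on-risk variant that Demo 4 walks through in the portal; the report-only step applies to both.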


Azure AD Domains And Tenant



Azure AD Domains And Tenants

When an organisation has many tenants, the name of core domain of the tenant is usually used to
remove any ambiguity

The name of the core domain is in the form *.onmicrosoft.com, where the * varies

A tenant may have many subscriptions, exactly one directory (Azure AD), and one or more domains
associated with it



What Is An Azure Tenant?

• Your new tenant represents your organization and helps you to manage
a specific instance of Microsoft cloud services for your internal and
external users

• The Global administrator creates the tenant and can add additional
administrators to the tenant



Azure Tenant Settings
Each Azure AD tenant has settings which apply to the entire tenant. Here are those settings and example values for each:

Setting | Value
DirectorySynchronizationEnabled | True
PasswordSynchronizationEnabled | False
SelfServePasswordResetEnabled | True
UsersPermissionToCreateGroupsEnabled | False
UsersPermissionToReadOtherUsersEnabled | True
UsersPermissionToCreateLOBAppsEnabled | False
UsersPermissionToUserConsentToAppEnabled | False
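The setting names above are the property names that the MSOnline cmdlet Get-MsolCompanyInformation returns, and the user-permission ones are changed with Set-MsolCompanySettings. The script below is an added example, not from the course material: it reads the settings, flags the ones a security review usually wants turned off, applies the hardened values and re-reads them. The choice of which settings count as findings is the author's, not the course's.

```powershell
# Added example (not from the course material): audit and harden the
# tenant-wide settings shown in the table with the MSOnline module.
Import-Module MSOnline
Connect-MsolService

$info = Get-MsolCompanyInformation
$info | Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled,
    SelfServePasswordResetEnabled, UsersPermissionToCreateGroupsEnabled,
    UsersPermissionToReadOtherUsersEnabled, UsersPermissionToCreateLOBAppsEnabled,
    UsersPermissionToUserConsentToAppEnabled | Format-List

# Settings a review usually wants false: users consenting to third-party apps
# on their own (a common consent-phishing path) and users registering
# line-of-business apps or creating groups without an admin in the loop
$findings = @()
if ($info.UsersPermissionToUserConsentToAppEnabled) { $findings += "Users can consent to apps" }
if ($info.UsersPermissionToCreateLOBAppsEnabled)    { $findings += "Users can register applications" }
if ($info.UsersPermissionToCreateGroupsEnabled)     { $findings += "Users can create security groups" }
if (-not $info.SelfServePasswordResetEnabled)       { $findings += "SSPR is disabled" }
"Findings: $($findings.Count)"
$findings

# Apply the hardened values; keep SSPR on so users do not need the helpdesk
# for password resets (the SSPR scope, None/Selected/All, is set in the portal)
Set-MsolCompanySettings `
    -UsersPermissionToUserConsentToAppEnabled $false `
    -UsersPermissionToCreateLOBAppsEnabled $false `
    -UsersPermissionToCreateGroupsEnabled $false `
    -SelfServePasswordResetEnabled $true

# Check: re-read and fail loudly if anything did not stick
$after = Get-MsolCompanyInformation
if ($after.UsersPermissionToUserConsentToAppEnabled -or
    $after.UsersPermissionToCreateLOBAppsEnabled -or
    $after.UsersPermissionToCreateGroupsEnabled) {
    throw "Tenant settings were not applied"
}
```

Turning off user consent means every new app integration goes through an administrator, so pair it with a documented request path or users will find workarounds.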


Create A Tenant In Azure AD
1. Sign in to your Azure Portal, using a Global administrator account
2. Select Create a resource > then search for Azure Active Directory > the Create directory page appears
3. Type an Organisation name and an Initial domain name
4. Select Create


What Is An Azure AD Domain?

• A domain is a DNS zone for which a tenant has proven ownership by creating a DNS record as requested by Microsoft

• It represents the possible namespace which directory objects can use

• Each tenant has a core domain (*.onmicrosoft.com) and a default domain, and neither of these is necessarily the primary domain used by the tenant


What Is An Azure AD Domain?
The primary Azure AD tenant used at Edureka is cloudedureka.onmicrosoft.com



Azure AD Domain Services



Azure AD Domain Services

• Azure AD provides managed domain services such as domain join, group policy and Kerberos or NTLM authentication

• These services integrate with your existing Azure AD tenant, thus making it possible for users to log in using their corporate credentials


Benefits Of Using Azure AD Domain Services
Azure AD Domain Services functionality works seamlessly regardless of whether your Azure AD tenant is cloud-only or synced with your on-premises Active Directory.

Simple: No domain controller deployment or patching required
Available: Highly available domain with automatic remediation and backups
Compatible: Fully compatible with Windows Server AD, with the same functionality as your on-premises AD
Cost-effective: No need for complex VPN networking, and pay-as-you-go


When To Use Azure AD Domain
Services?



Azure AD Domain Services Deployment Scenarios
SECURE, STREAMLINED ADMINISTRATION OF AZURE VIRTUAL MACHINES

▪ Instead of administering standalone servers one by one, you can use delegated admin rights to manage a large number of domain-joined machines at once

▪ You can also use Group Policy to manage and secure domain-joined virtual machines


Azure AD Domain Services Deployment Scenarios
LIFT-AND-SHIFT APPLICATIONS THAT USE WINDOWS INTEGRATED AUTHENTICATION

▪ To migrate business apps that only support Windows Integrated Authentication, you can migrate and deploy the app in domain-joined virtual machines, create custom organizational units and provision service accounts, and assign custom password policies to those service accounts


Demo 5: Enable Azure AD Domain
Services Using Portal



Create Azure AD Domain Services
1. Select Create a resource > search for domain services and click on Azure AD Domain Services > on the Azure AD Domain Services page, click Create

Configure Azure AD Domain Services Basic Settings
2. In the Basics pane, specify the DNS domain name > choose the resource group and Azure location > click OK

Configure Azure AD Domain Services Network Settings
3. In the Network pane, click on Virtual Network and create one or select an existing one
4. Then create a new subnet or use an existing one as shown
5. Click OK

Configure Azure AD Domain Services Admin Group
6. To configure group membership, click AAD DC Administrators > then click on Add members
7. Add users from your Azure AD directory to the administrator group and click on Select
8. Refresh to see the added members and click OK

Configure Azure AD Domain Services Synchronization
9. In the Synchronization pane, toggle the synchronization button to Scoped > then click on Select groups
10. In the Select groups page, click on Select groups > choose the desired groups and click on Select > then click OK

Configure Azure AD Domain Services Summary
11. On the Summary page, review the configuration and click OK when done

Update DNS Setting For Virtual Network
12. To update the DNS server settings for the VNet in which you have enabled Azure AD Domain Services, click on the Overview tab
13. Under Required configuration steps, click Configure
14. After the DNS setting has been updated for your VNet, you can view it as shown
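The same enablement done from PowerShell, so it can be repeated and reviewed. This is an added example, not the Demo 5 document: it uses the Az and AzureAD modules; the subscription, resource group, VNet and subnet names, the managed domain name, the admin UPN and the DNS server IPs are placeholders, and the Microsoft.AAD resource properties follow the schema used in Microsoft's PowerShell enablement documentation (verify them against the current docs before relying on the script).

```powershell
# Added example (not the Demo 5 document): enable Azure AD Domain Services
# with the Az and AzureAD modules, mirroring the portal steps above.
# Names, the admin UPN and the DNS IPs are placeholders (assumptions).
Import-Module Az.Resources, Az.Network, AzureAD
Connect-AzAccount
Connect-AzureAD

$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = "rg-aadds"
$location       = "westeurope"
$vnetName       = "vnet-aadds"
$subnetName     = "snet-aadds"          # dedicated subnet, no other workloads in it
$managedDomain  = "aadds.contoso.com"
$adminUpn       = "admin@contoso.onmicrosoft.com"

# Prerequisites: register the resource provider and create the service
# principal for the Domain Controller Services application (documented app ID)
Register-AzResourceProvider -ProviderNamespace "Microsoft.AAD" | Out-Null
New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36" | Out-Null

# Steps 6-8: the delegated admin group. Members get domain-admin rights inside
# the managed domain, so keep it small and review it like any privileged group
$adminGroup = New-AzureADGroup -DisplayName "AAD DC Administrators" `
    -Description "Delegated group to administer Azure AD Domain Services" `
    -SecurityEnabled $true -MailEnabled $false -MailNickName "AADDCAdministrators"
$admin = Get-AzureADUser -ObjectId $adminUpn
Add-AzureADGroupMember -ObjectId $adminGroup.ObjectId -RefObjectId $admin.ObjectId

# Steps 2-5: resource group, VNet and a dedicated subnet for the managed domain
New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix "10.0.0.0/24"
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup `
    -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnetName).Id

# Step 11: create the managed domain resource (provisioning takes a while)
$resourceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.AAD/DomainServices/$managedDomain"
New-AzResource -ResourceId $resourceId -Location $location -Force `
    -Properties @{ domainName = $managedDomain; subnetId = $subnetId }

# Steps 12-14: point the VNet's DNS at the managed domain controllers. Take
# the two IPs from the managed domain's Overview blade once it is provisioned.
$dcIps = @("10.0.0.4", "10.0.0.5")   # placeholder values
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = $dcIps
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the VNet now resolves through the managed domain's DNS servers
(Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup).DhcpOptions.DnsServers
```

Keep the managed domain's subnet free of other VMs and protect it with a network security group that only allows the traffic the service documents; the delegated admin group is the one place where a compromised user turns into a domain administrator for every VM joined to the managed domain.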


Azure AD Join



What Is Azure AD Join?
Azure AD Join allows you to join organization-owned devices to Azure AD

Users can sign in to the device using their corporate credentials

Azure AD joined devices give you the following benefits:

• Single sign-on (SSO) to apps secured by Azure AD
• Access to the Windows Store for Business using your corporate credentials
• Restricted access to apps and resources from devices compliant with corporate policy


Azure AD Join Vs. Azure AD Domain Services
Following are the key differences between Azure AD Join and Azure AD Domain Services to help you choose, based on your use-cases:

Aspect | Azure AD Join | Azure AD Domain Services
Device controlled by | Azure AD | Azure AD Domain Services managed domain
Authentication | OAuth/OpenID Connect based protocols | Kerberos, NTLM protocols
Management | Mobile Device Management (MDM) software like Intune | Group Policy
Networking | Works over the internet | Requires machines to be on the same virtual network as the managed domain
Great for | End-user mobile or desktop devices | Server virtual machines deployed in Azure


Demo 6: Azure AD Join

Note: Refer to Module-10 Demo6 Document on LMS for all the steps in detail



Azure AD Single Sign-On



What Is Azure AD Single Sign-On (SSO)?

Azure AD SSO lets users sign in once and reach the applications they are entitled to, reducing the need to manage multiple passwords

SSO enables single sign-on across apps by reducing or eliminating repeated sign-in prompts

Coupling Azure AD SSO with conditional access policies provides strong security controls for accessing apps

These capabilities allow for granular control over apps, or groups, that need higher levels of security


Manage Azure AD Objects



Azure AD Objects – Users And Groups
Azure AD user management tools such as groups and administrator role assignments can be used to:

▪ Assign licenses to groups rather than individually

▪ Delegate permissions to distribute the overhead of identity management to less-privileged roles

▪ Assign enterprise app access to groups


Assign Licenses To Users In Groups
▪ When users in Azure AD join a licensed group, they're automatically assigned the appropriate licenses
▪ When users leave the group, Azure AD removes their license assignments

• Only users with active licenses will be able to access and use the licensed Azure AD services

• These services require an Azure AD product, and each of your users or groups must be licensed for that product

Select Azure Active Directory, and then select Licenses to view this page


View Assigned Licenses To A Product
You can go to All Products and select a product edition name to see its licensed users and groups

Assign The License To A Group
1. Click on Assign in Licensed groups as shown
2. Click on Users and groups and select the desired group > then click OK
3. Click on Assignment Options and select the options you want > then click OK
4. Click on Assign

View The Assigned License To Group
5. Click on Licensed groups to view

Delete The License To The Group
6. Select the licensed group and click on Remove license
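The same group-based assignment from PowerShell, including the check the portal does not make obvious: members for whom the inherited licence could not be applied. This is an added example, not from the course material: it uses the Microsoft Graph PowerShell SDK (the AzureAD module has no cmdlet for group licences), and the group name and SKU part number are placeholders.

```powershell
# Added example (not from the course material): group-based licensing with
# the Microsoft Graph PowerShell SDK. Group name and SKU are placeholders.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Organization.Read.All"

# Find the SKU; SkuPartNumber is the product code (AAD_PREMIUM_P2 is
# Azure AD Premium P2). Get-MgSubscribedSku lists what the tenant owns.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "AAD_PREMIUM_P2"
if (-not $sku) { throw "SKU not found in this tenant" }
"Available units: $($sku.PrepaidUnits.Enabled - $sku.ConsumedUnits) of $($sku.PrepaidUnits.Enabled)"

# Target group (placeholder display name)
$group = Get-MgGroup -Filter "displayName eq 'Licensed - Security Team'"
if (-not $group) { throw "Group not found" }

# Assign the licence to the group: members inherit it and lose it on leaving.
# DisabledPlans switches off individual service plans (none here).
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# Check 1: the group now carries the SKU
(Get-MgGroup -GroupId $group.Id -Property AssignedLicenses).AssignedLicenses | Select-Object SkuId

# Check 2: members whose inherited assignment failed (typically a missing
# usage location or no free units) show a non-Active state with an error
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property UserPrincipalName, LicenseAssignmentStates
    $u.LicenseAssignmentStates |
        Where-Object { $_.SkuId -eq $sku.SkuId -and $_.State -ne "Active" } |
        ForEach-Object { "$($u.UserPrincipalName): $($_.State) - $($_.Error)" }
}

# Removing the licence from the group removes it from every member:
# Set-MgGroupLicense -GroupId $group.Id -AddLicenses @() -RemoveLicenses @($sku.SkuId)
```

Run the second check after any bulk membership change; a user without a usage location is silently left unlicensed until it is set.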


Delegate Administrator Roles
Following are the Azure AD administrator roles to help you distribute the work of application management with more granularity:

Application Administrator: Can add and manage enterprise apps, and configure proxy app settings. They can view conditional access policies and devices, but not manage them.

Cloud Application Administrator: Can add and manage enterprise apps and enterprise app registrations. They have all the permissions of an Application Administrator, except they can't manage application proxy settings.

Application Developer: Can add and update app registrations, but can't manage enterprise applications or configure an application proxy.
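Delegating one of the roles above is the alternative to handing out Global Administrator. The script below is an added example, not from the course material: it uses the AzureAD module, the user name is a placeholder, and the helper that activates a role from its template is the author's, written because a directory role is only listed once it has been enabled in the tenant.

```powershell
# Added example (not from the course material): delegate the Application
# Administrator role with the AzureAD module and check the Global Administrator
# count afterwards. User name is a placeholder (assumption).
Import-Module AzureAD
Connect-AzureAD

# Helper (author's): directory roles only appear in Get-AzureADDirectoryRole
# once activated from their template, so enable on first use
function Get-OrEnableRole([string]$displayName) {
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $displayName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $displayName
        if (-not $template) { throw "No role template named '$displayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    return $role
}

# Give an app owner exactly the role they need
$appAdmin = Get-OrEnableRole "Application Administrator"
$dev = Get-AzureADUser -ObjectId "app.owner@contoso.onmicrosoft.com"
Add-AzureADDirectoryRoleMember -ObjectId $appAdmin.ObjectId -RefObjectId $dev.ObjectId

# Check 1: the assignment landed
Get-AzureADDirectoryRoleMember -ObjectId $appAdmin.ObjectId |
    Select-Object DisplayName, UserPrincipalName

# Check 2: Global Administrator should stay small (a few named admins plus the
# break-glass accounts); anyone who only manages apps belongs in the role above
$ga = Get-AzureADDirectoryRole | Where-Object DisplayName -eq "Global Administrator"
$gaMembers = @(Get-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId)
"Global Administrators: $($gaMembers.Count)"
$gaMembers | Select-Object DisplayName, UserPrincipalName
```

Role assignments made this way are permanent; where Azure AD Premium P2 is available, Privileged Identity Management can make the same assignment eligible rather than active, so the role is only held while it is being used.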
Summary
