AZ-500¶
- AZ-500 Microsoft Azure Security Technologies Study Cram +3h
- Microsoft Certified: Azure Security Engineer Associate - Certifications | Microsoft Learn
- Top Five Security Tips (youtube.com)
- Microsoft Azure Security Engineer Associate (AZ-500) Professional Certificate | Coursera ~ 101h
- Practice Assessment | Microsoft Learn
- Exam Readiness Zone | Microsoft Learn
- https://www.examtopics.com/exams/microsoft/az-500/view/
- https://learn.microsoft.com/en-us/azure/well-architected/security/
Licenses¶
| EntraID features | P1 | P2 | Entra Suite |
|---|---|---|---|
| Portal | X | X | |
| RBAC | X | X | |
| Conditional Access | X | X | |
| Password Protection | X | X | |
| Cross-tenant user sync | X | X | |
| Group management | X | X | |
| Session lifetime management | X | X | |
| SharePoint limited access | X | X | |
| Reports | X | X | |
| PROTECTION | | | |
| Risk-based conditional access | X | X | |
| Device filtering conditional access | X | X | |
| Real-time sign-in assessment | X | X | |
| Real-time user assessment | X | X | |
| Authentication context | X | X | |
| Risk event investigation | X | X | |
| Token protection | X | X | |
| GOVERNANCE | | | |
| Automated user provisioning to cloud and on-prem apps | X | X | X |
| HR-driven provisioning | X | X | X |
| Terms-of-use attestation | X | X | X |
| Basic entitlement management | X | X | |
| Privileged Identity Management (PIM) | X | X | |
| VERIFIED ID | | | |
| Verifiable credentials issuance and verification | X | X | X |
| INTERNET ACCESS | X | | |
| PRIVATE ACCESS | X | | |
Explore the Microsoft identity platform - Training | Microsoft Learn
ENTRA ID¶
AUTHN¶
Components:
Portal, OAuth2, OIDC, MS Graph APIs, open source libraries (MSAL)…
Service Principals¶
An application registered in EntraID gets a globally unique object ID and a service principal.
The app can be single tenant or multi-tenant.
Object ID: scoped across the home tenant. It is like a class with static properties, used as a template to create the app instances through service principals.
It defines mainly:
- How to issue tokens
- Resources available
- Actions permitted
Service principal:
An app registration creates a SP with specific permissions (eg: delegated).
- Application: app instance = SP, the single-tenant representation of a global object ID.
- Managed Identity: for services supporting EntraID authn. Its permissions can be updated, but the identity itself can't be edited directly. No need to manage certificates in the app.
  - System assigned: 1 identity <--> 1 managed SP. If you require that each resource has its own identity, or have resources that require a unique set of permissions and want the identity to be deleted when the resource is deleted, use a system-assigned identity.
  - User assigned: N to N mapping to resources. User-assigned identities can be used by multiple resources, and their life cycles are decoupled from the life cycles of the resources they're associated with.
- Legacy
You can log in directly against the cloud IdP or through a Pass-through Authentication agent.
With Pass-through Authentication, the user's password is validated against the on-premises Active Directory, ensuring a secure and seamless authentication experience.
AADDS/Entra Domain Services creates managed Domain Controllers in another VNet to sync the authentication of users coming from another IdP. The sync is one-way only, from the main DC to the managed replicas.
SSO¶
Kerberos¶
- Kerberos Authentication Overview | Microsoft Learn
- KDC = Key Distribution Center
- If client credentials are valid, the KDC emits a Ticket Granting Ticket (TGT).
- Before accessing a specific service, the client sends the TGT back to the KDC to receive a new ticket scoped for the target service.
- Until this new ticket expires, the client can access the target server without repeating the authentication process.
Cons:
- pass-the-ticket attack
- Kerberoasting
- missing sync between servers' clocks
Guest Users¶
Authentication happens against their IdP (social network, external AD, mail...) while authorization happens against our service (OAuth2).
EntraAD B2B¶
Guest users could be:
- from an external Azure AD tenant
- from an external Microsoft account
- synced from an on-prem Domain Controller
- guest users created on the EntraID host tenant
EntraAD B2C¶
Conditional Access:¶
Apply policies to target
- users (external, groups, roles)
- Actions (registration...)
- Apps
- Platforms
- Locations
To require:
- MFA
  - MFA settings: number matching prevents accidental approval by requiring the user to type the two-digit code shown on the login screen into their Authenticator app. OATH TOTP tokens: users can have a max of 5 between hardware-based tokens and authentication apps.
  - something you know (password)
  - something you have (USB key, mobile app...)
  - something you are (fingerprint)
- Allow only enrolled devices
- IP filtering (named locations)
- VPN
- certificate-based auth
- passkeys (FIDO2)
An MFA setup might include:
- Something You Have: a FIDO2 security key or a mobile device with FIDO2 capabilities.
- Something You Are: biometric verification like a fingerprint or facial recognition.
- Something You Know: a password or PIN.
The policies then report risky users and sign-ins (malicious IP, password spray, anonymous IP...).
AUTHZ¶
OAuth2¶
OAuth2 is an authorization method where third-party apps get authorized, on behalf of a user, to access web-hosted resources (MS Graph, Az Key Vault...) by exchanging tokens provided by the IdP.
The tokens are issued by Azure identity and validated by the MS Graph API.
Explore Microsoft Graph - Training | Microsoft Learn
Microsoft Graph Fundamentals - Training | Microsoft Learn
Tokens can be
- ID tokens
- Access tokens: sent in the HTTP request as a bearer token in the Authorization header
- Refresh tokens
In OAuth2 permissions are called scopes.
- OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform - Microsoft identity platform | Microsoft Learn
- Microsoft identity platform token exchange scenario with SAML and OIDC/OAuth in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn
Permissions can be:
- Delegated: a user must be present to sign in
- App-only: background service apps (daemons)
Consent type:
- Static: need to know all the resources in advance
- Dynamic: you can extend the scope access over time
- Admin
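As an added example (not code from the page or from Microsoft's libraries): a resource API checking the claims of an access token it received as a bearer token, and telling a delegated token (permissions in `scp`) from an app-only token (permissions in `roles`). The tenant ID, audience and tokens are constructed placeholders, and signature verification against the tenant's signing keys is assumed to have happened before `decode_payload` is called.

```python
import base64
import json
import time

# Constructed placeholders for this example: not a real tenant or application ID.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
EXPECTED_AUDIENCE = "api://example-resource-app"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def decode_payload(token):
    """Return the claims of a compact JWT. The signature must already have been
    verified against the tenant's signing keys (assumed done, omitted here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, required, now=None):
    """Validate audience, issuer and lifetime, then check the required permission.
    Delegated tokens (a user signed in) list consented scopes in 'scp';
    app-only tokens (daemons) list application permissions in 'roles'.
    Returns 'delegated' or 'app-only', or raises PermissionError."""
    now = time.time() if now is None else now
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("token was issued for a different resource (aud)")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("token was not issued by our tenant (iss)")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise PermissionError("token not yet valid or expired (nbf/exp)")
    if required in claims.get("scp", "").split():       # space-separated scopes
        return "delegated"
    if required in claims.get("roles", []):             # list of app roles
        return "app-only"
    raise PermissionError(f"missing permission {required!r}")


def make_constructed_token(claims):
    """Build a demo compact JWT with a placeholder signature (constructed, unsigned)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```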
User management¶
Administrative Units¶
Administrative units restrict the permissions of a role to a portion of your organization that you define (geographical, business unit...). If you assign a role to a user who is not a member of an administrative unit, the scope of the role is the entire tenant.
You can assign the user to an administrative unit, group, or Microsoft Entra role when the account is created. You can assign the user to up to 20 groups or roles.
A.U. can't be nested. Entra ID Governance can't manage A.U.
Users¶
Global Admins and Auth Admins can create and delete users (admins too), B2B users and B2C users. User Administrators can't delete other admins. Deleted users are soft deleted for 30 days.
Licenses: depending on the user's location, Free, P1 and P2 licenses should be available. Licenses can also be assigned to a group and inherited by its users; a user has to be removed from the group to have their license retired. If the user is instead synced from an on-premises AD, it will be soft deleted.
External Identities
B2B collaboration is a feature within Microsoft Entra External ID that lets you invite guest users to collaborate with your organization.
The partner uses their own identity management solution, so there's no external administrative overhead for your organization.
Groups¶
Members can include: users, service principals, groups, devices.
Options:
- AD roles can be assigned
- Membership:
  - Assigned
  - Dynamic user membership (query rules)
  - Dynamic device
- Name, Description
- Owners
Microsoft 365 Groups: share access to calendar, Teams channels, SharePoint sites...
Roles¶
RBAC can give specific permissions to some user or group to a given scope like a management group, a resource group, a resource or an entire subscription.
Policies
- Tracking compliance
- Offers remediations
- Track Events
Global Administrator¶
Suggested to have fewer than 5. Can revoke MFA and edit all other roles.
Resources¶
Subscription > Management group > resource group > resource > resource internal scope.
Can be locked.
I can deploy a template of resources through a BLUEPRINT.
PIM (Privileged Identity Management)¶
Grant the roles just in time, for a limited amount of time.
Hybrid Cloud¶
- password hash sync
- Pass-through auth: needs agent installation
- Federation
Hybrid cloud authn decision tree
Azure Connect¶
On-prem application to sync AD accounts to the cloud.
- Filtering on identities to sync (computers, users, groups...)
- Password hash sync: uses on-prem AD as authentication authority
- Password writeback: reset your password in the cloud, conditioned by on-prem policies
- Federation features
The password policy doesn't apply to accounts synchronized from on-prem using Connect. Implement password hash synchronization with Microsoft Entra Connect Sync - Microsoft Entra ID | Microsoft Learn
Entra Cloud Sync¶
Cloud architecture: one or more agents are installed on-prem while the configuration is kept in the cloud; no need to connect AD forests to the network, and no need to manage upgrades.
Entra Domain Service¶
Two Windows domain controller servers are deployed in the Azure cloud to create a new domain connected to the legacy AD. The sync is one-way, from the legacy on-prem AD and EntraID to the cloud-managed replica. HA through multiple DC replicas. It is useful for giving access to legacy on-prem apps (LDAP, NTLM, Kerberos) through SSO and for giving those accounts fine-grained policy protection.
If an account is locked out in EntraDS it is not locked out in its original source directory (EntraID or on-prem).
- NTLM
  - requires an application server to connect to a domain controller to authenticate every client computer or service.
  - does not enable clients to verify a server's identity or enable one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos protocol makes no such assumption.
- LDAP
IDENTITY PROTECTION¶
Tool to identify and remediate suspicious login activities:
- password policies
- geospatial login checks
- MFA
- suspicious behaviour detection
- self-remediation workflows
Sign-in risk (suggested threshold: medium) and user risk (suggested threshold: high) can be remediated:
- self-remediation workflow
- reset password when SSPR is impossible
- user admin can't reset the password in case of an incident
- dismiss risk
- close detection
Depending on the risk, the user can be unblocked by resetting their password or logging in from a known location.
Smart lockout:
- by default 10 different failed attempts are allowed on public cloud
- customizations require a P1 license
- use much higher thresholds for on-prem lockout policies
- even admins can't unlock a locked-out user
Risk Event Detection¶
Risk policies can be at low, medium or high level for:
- User (legacy): related to identity risks as leaked credentials or anomalous activity.
- Sign-in (legacy): if a member of the target user group has a risk detected during sign-in, a remediation policy can be triggered automatically, like asking for MFA. Detects impossible travel, malware or anonymous IPs...
- MFA registration: can be used in combination with both the user and the sign-in risk policy
- Conditional Access (💸 P2 license):
- Foundation: require MFA, compliant device...
- Zero Trust: no browser session, no unknown apps...
- Remote work
- Protect administrators
- Emerging threats: require anti-phishing MFA for admins
It is a second-layer access protection, not meant for DoS attacks or similar.
Policies cover these signals:
- user/group
- cloud app
- client app
- device status (eg: domain joined)
- IP
- sign-in risk
Access Reviews, available in PIM and Enterprise Applications, could be needed when:
- periodical audits
- guest users
- change of group members or scope
- users not in EntraID
- policy exceptions
Privileged Identity Management (PIM)¶
- P2 license
- temporary role assignments for users or groups from 1 to 24 hours
- monitor and alert on changes
- can require stronger authentication proof like MFA or a Conditional Access Policy
- user role: it provides a list of built-in user roles to be enabled if the current user is eligible, plus the custom roles defined by the User Access Administrator
- resource access: there are resources specific roles like Owner, Reader or Contributor
- group membership: a Global Admin or Privileged Role Admin can add users as members of EntraID security groups or Microsoft 365 groups. Max 500 group definitions.
Zero Trust model: Assume breach and implement least privilege principle together with enforcing authentication between all the entities communicating in the internal network.
- InTune checks for device configuration
- Entra ID checks for user and groups
- Access policies for device health
Plan a project with a pilot group to test PIM settings.
JIT (just in time) access for 28 built-in roles.
Microsoft Identity Management¶
- manages users and groups access to on-prem apps
- differences from Entra ID: both focus on identity and access management, including provisioning users in sync with external HR apps, but MIM has a broader scope over identity lifecycle management, including on-premises.
- passwordless MFA (FIDO 2)
Azure Policies¶
When you enable Defender for Cloud, the Microsoft cloud security benchmark (MCSB) becomes the default initiative.
Azure Defender initiative:
- a group of policies
- There are also regulatory compliance initiatives, useful to detect non-conformities with legal security frameworks like ISO27001 (Regulatory Compliance details for ISO 27001:2013 - Azure Policy | Microsoft Learn)
eg: Policy definitions for Azure Kubernetes Service
Types:
- built-in
- custom
- static for regulatory compliances
Modes:
- all (default)
- indexed: only resources supporting tags and locations
Some built-in policies:
- App slots should use a managed identity
- App Configuration should disable public network access
- APIs should use encrypted protocols
- Allowed VM size SKU
- Configure container registries to disable anonymous authentication
- Add a tag to resources
Effects in evaluation order:
- Disabled
- Append
- Modify
- Deny
- Audit
- Manual
- AuditIfNotExists
- DenyAction
Possible states of a resource in a policy scope:
- compliant
- non compliant
- exempted
  - Mitigated: the exemption is granted because the policy intent is met through another method.
  - Waiver: the exemption is granted because the non-compliance state of the resource is temporarily accepted.
- conflict
- unknown
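Added example, not code from the page or from Azure Policy itself: a small evaluator that walks the effect order listed above over one resource request, showing why a Modify policy that adds a tag stops a later Deny on that same tag from firing, and how an exemption changes the reported state. The storage account request, the assignments and the condition functions (standing in for a policy's `if` block) are all constructed for the demo.

```python
import copy

# Effect evaluation order as listed on this page. Append/Modify run before Deny and
# Audit, so a change they make to the request can stop a later effect from firing.
EFFECT_ORDER = ["Disabled", "Append", "Modify", "Deny", "Audit",
                "Manual", "AuditIfNotExists", "DenyAction"]


def evaluate(resource, assignments, exemptions=()):
    """Evaluate policy assignments against one resource request.

    assignment = {"name": str, "effect": str, "condition": fn(resource) -> bool,
                  "patch": dict}        # patch: tags to add, Append/Modify only
    'condition' plays the role of the policy 'if' block: True means the policy
    matches and its effect applies. 'exemptions' holds assignment names that are
    waived or mitigated for this resource.
    Returns (resource after Append/Modify, compliance state, list of messages).
    """
    res = copy.deepcopy(resource)                  # the caller's request is left untouched
    state, messages = "compliant", []
    for effect in EFFECT_ORDER:
        for a in [x for x in assignments if x["effect"] == effect]:
            if effect == "Disabled":
                continue                           # assignment switched off: never evaluated
            if a["name"] in exemptions:
                messages.append(f"{a['name']}: exempted")
                if state == "compliant":
                    state = "exempted"
                continue
            if not a["condition"](res):
                continue                           # 'if' block does not match this resource
            if effect in ("Append", "Modify"):
                res.setdefault("tags", {}).update(a["patch"])   # alters the request in flight
                messages.append(f"{a['name']}: {effect} added tags {a['patch']}")
            elif effect in ("Deny", "DenyAction"):
                messages.append(f"{a['name']}: {effect}")
                return res, "denied", messages     # request rejected, nothing else runs
            elif effect in ("Audit", "AuditIfNotExists"):
                messages.append(f"{a['name']}: {effect} logged")
                state = "non-compliant"
            elif effect == "Manual" and state == "compliant":
                state = "unknown"                  # compliance attested by hand, not evaluated
    return res, state, messages


# Constructed sample: a storage account request lacking the mandatory 'owner' tag.
STORAGE_REQUEST = {"type": "Microsoft.Storage/storageAccounts",
                   "tags": {}, "publicNetworkAccess": "Enabled"}
ASSIGNMENTS = [
    {"name": "add-owner-tag", "effect": "Modify",
     "condition": lambda r: "owner" not in r.get("tags", {}),
     "patch": {"owner": "platform-team"}},
    {"name": "require-owner-tag", "effect": "Deny",
     "condition": lambda r: "owner" not in r.get("tags", {})},
    {"name": "audit-public-network-access", "effect": "Audit",
     "condition": lambda r: r.get("publicNetworkAccess") == "Enabled"},
]
```

Dropping the Modify assignment from the list makes the same request hit the Deny instead, which is the ordering point the effect list above makes.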
Shared Responsibility Model¶
Management groups¶
- Management Groups:
  - Root Management Group: the top-level container for all resources within an Azure Active Directory (Azure AD) tenant.
  - Child Management Groups: can be created within the root group or other child groups to further organize resources based on business units, departments, or projects.
  - Apply policies at the management group level to enforce consistent standards across multiple subscriptions.
- Subscriptions:
  - Contain a collection of resource groups and resources.
  - Can be assigned to one or more management groups.
- Resource Groups:
  - A logical container for related Azure resources.
  - Can be assigned to one subscription.
- Resources:
  - Individual Azure services, such as virtual machines, storage accounts, and databases.
  - Belong to a specific resource group.
RBAC
Locks: when you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the same parent lock. The most restrictive lock in the inheritance takes precedence.
NETWORKING (Platform Protection)¶
LOAD BALANCER¶
L4 (TCP/UDP), REGIONAL
can be internal or external (gets assigned a Public IP)
APP GATEWAY¶
L7, REGIONAL: redirection, rewrite, HTTPS
Can have a WAF on top (OWASP threats)
AZ FRONT DOOR¶
L7, GLOBAL
Uses anycast to handle the connection as close as possible to the client (the lowest number of BGP network hops), with hundreds of CDN PoPs (points of presence) connected through a high-speed WAN.
NSG – Network Security Group (L4)¶
Allows us to group network resources through tags instead of caring about IPs
SUBNET specifics
- Service endpoint: identifies an internal subnet that is allowed to call other internal services, by allowing it in the target service's firewall
- Private endpoint: identifies a specific service instance inside a private subnet. It also requires a DNS configuration in order to be found by other internal services.
FIREWALL¶
L4: network rules
L7: app rules (FQDN, TLS inspection, URL filtering, IDPS = Intrusion Detection and Prevention System)
Azure automatically creates a route table for each new subnet, adding the system default routes.
You don't need to define route tables or gateways for Azure to route traffic between subnets.
- Parent VNet prefix
- 0.0.0.0/0: Internet
- 10.0.0.0/8: None
- 192.168.0.0/16, 172.16.0.0/12: None
When you create a route table and associate it to a subnet, the table's routes are combined with the subnet's default routes. If there are conflicting route assignments, user-defined routes override the default routes.
Next hop types:
- Virtual appliance: private IP of a VM or of an internal load balancer
- VNet VPN gateway
- VNet
- None
- Internet
Diagnose an Azure virtual machine routing problem | Microsoft Learn
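Added example, not code from the page or from Azure: resolving the effective route for a destination by combining the default system routes of a subnet with an associated route table, using longest prefix match and, on equal prefix length, the user-defined > BGP > system precedence. The VNet (10.1.0.0/16) and the user-defined default route to a firewall appliance at 10.1.255.4 are constructed for the demo.

```python
import ipaddress

# Constructed VNet: the system default routes Azure adds to every subnet (see the list
# above), for a parent VNet prefix of 10.1.0.0/16.
SYSTEM_ROUTES = [
    ("10.1.0.0/16", "VNet", "system"),            # parent VNet prefix
    ("0.0.0.0/0", "Internet", "system"),
    ("10.0.0.0/8", "None", "system"),             # None = traffic dropped
    ("192.168.0.0/16", "None", "system"),
    ("172.16.0.0/12", "None", "system"),
]
# Constructed route table: a UDR forcing all traffic through a firewall appliance.
USER_ROUTES = [
    ("0.0.0.0/0", "VirtualAppliance 10.1.255.4", "user"),
]
# Tie-break when two routes have the same prefix length: user-defined beats BGP beats system.
SOURCE_RANK = {"user": 0, "bgp": 1, "system": 2}


def effective_route(destination, routes):
    """Pick the route used for 'destination': longest prefix match first,
    then the route source rank. Returns None when no route matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, source in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (-net.prefixlen, SOURCE_RANK[source])   # smaller key = preferred
        if best is None or key < best[0]:
            best = (key, prefix, next_hop)
    if best is None:
        return None
    return {"prefix": best[1], "next_hop": best[2]}


def resolve(destination, user_routes=USER_ROUTES):
    """Combine the subnet's default routes with its associated route table."""
    return effective_route(destination, SYSTEM_ROUTES + list(user_routes))
```

Note that 10.2.0.1 still matches the 10.0.0.0/8 None route rather than the appliance: /8 is a longer match than the UDR's /0, so overriding it needs a UDR with at least an equally long prefix.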
ExpressRoute¶
Dedicated physical connection to an Azure tenant
VPN¶
IPsec/IKE encrypted connection.
- P2P
- Point to site
- Site to site
Can also be established inside an ExpressRoute connection.
DDOS Protection
- Attack analytics
- Support
- Multilayered protection (if there is also a WAF)
HOST¶
Azure update manager
Automatic VM patching
Secure boot
Anti malware, local firewall
Azure disk encryption (Win BitLocker/Linux DM-crypt)
Bastion (managed jump-box)
CONTAINERS¶
AKS
KEY VAULT¶
Stores:
- Keys
- Secrets
- certificates
Permissions:
- Access policies
- RBAC: granular
STORAGE ACCOUNT¶
By enabling storage account keys you can access containers/blobs/queues/files through a SAS signed with the storage account's private access key.
DB¶
Firewall
Encryption
- At rest
- In transit: Always Encrypted (deterministic or randomized)
Dynamic Data Masking: hiding data without encryption.
Classification.
Az MONITOR¶
To collect logs I first need to create Diagnostic Settings, where I can also collect metrics and EntraID events:
- login dates
- location of access
- apps used