Azure Infrastructure: Exam 70-533 - Manage Azure Identities

in technology •  9 months ago

I'm not following the normal module order from the learning objectives for a fairly simple reason. I'm trying to follow it more in the manner which an Enterprise Organisation would (should?) implement their migration from on-premises infrastructure to the cloud.


Managing Azure Identities

A critical part of moving to the cloud is to ensure that security and identity management is appropriately taken care of. As part of that, we'll look at managing identity in the shift to the cloud.



  • Directory as a Service
  • Self service password change
  • Single Sign on
  • Basic reports and user/group/device provisioning and registration

Basic (adds)

  • Group based access management
  • Self service password reset for cloud users
  • Company branding
  • App proxy
  • SLA

Premium (adds)

  • Self service functionality (groups, dynamic groups, app management, applications)
  • Self service password reset with on-premises write back
  • Advanced reporting
  • Cloud/On-premises MFA
  • Automated password rollover
  • Connect health
  • Advanced usage reports

Premium 2 (adds)

  • Identity protection
  • Privileged identity management
    Special note - you can have only P2, only P1, or both

Integrating Azure Active Directory (AAD)

  1. Synchronization
    • Synchronize user and password
  2. Federation
    • Synchronize user
    • Requires a Federation Server
    • Authentication is passed back to the on-premises server. More seamless. Enables MFA
  3. Passthrough authentication
    • Passwords are stored on the server
    • Requires AD Connect and agents which listen to a queue. No inbound requests

So we link Azure Active Directory with our on-premises directory, and we have an extended identity platform into the Azure cloud. Given identity is crucial to ongoing business as usual, monitoring tools exist.

Monitoring Azure AD

  • Health reports available from agents within the Portal
  • Anomoly Reports
  • Integrated Application reports
  • Error Reports
  • User specific reports
  • Activity Logs
  • Enterprise Applications
  • Users/Groups
  • Audit logs

Azure Active Directory Business to Consumer (AAD B2C)

  • Requires a separate tenant.
    • One tenant holds the infrastructure and internal identity
    • One tenant holds the consumer identity
  • Allows consumer access using
    • Microsoft account
    • Google account
    • LinkedIn
    • Amazon

Note: Need to understand what fields need to be filled in to set up external authentication provider

Azure Active Directory Business to Busines (AAD B2B)

  • Allows a user to authenticate from a trusted exteernal source, whilst the organisation controls authorization of access to assets
  • Understand a viral tenant
  • Understand bulk import

Azure Active Directory Domain Services

  • Provides an alternative to standing up replicated Domain Controllers as IaaS services.
  • No schema extensions
  • No trusts
  • No LDAP write
  • No geo-distributed deployments
    Note: Understand the difference between an AAD device join (prefer end user devices) and an AAD-DS device join (prefer server devices)

Finally : Understand the differences between Active Directory and Azure Active Directory

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Congratulations @piquet! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

To support your work, I also upvoted your post!

Do not miss the last post from @steemitboard!

Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations! This post has been upvoted from the communal account, @minnowsupport, by Piquet from the Minnow Support Project. It's a witness project run by aggroed, ausbitbank, teamsteem, theprophet0, someguy123, neoxian, followbtcnews, and netuoso. The goal is to help Steemit grow by supporting Minnows. Please find us at the Peace, Abundance, and Liberty Network (PALnet) Discord Channel. It's a completely public and open space to all members of the Steemit community who voluntarily choose to be there.

If you would like to delegate to the Minnow Support Project you can do so by clicking on the following links: 50SP, 100SP, 250SP, 500SP, 1000SP, 5000SP.
Be sure to leave at least 50SP undelegated on your account.