Microsoft Azure Integration and Security exam AZ-101 – Resources Part 4 – Secure Identities

Secure identities (25-30%)

AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here

On 21st December 2018, MS published a minor change to the AZ-101 exam which removed “Enable MFA for an Azure Tenant” and replaced it with “Enable MFA by using bulk update”.

Implement Multi-Factor Authentication (MFA)

May include but not limited to:
Configure user accounts for MFA;

Enable MFA by using bulk update

In the MFA portal for your tenant, choose the "Update in bulk" dialog on the main screen. The portal then asks you to upload a CSV file with the following format:


Or you can iterate through a list of users with PowerShell (MSOnline module), which does the same thing as the bulk upload:

Connect-MsolService   # sign in with an account that can manage users
$users = @("user1@contoso.com", "user2@contoso.com")   # replace with your UPNs
foreach ($user in $users) {
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"   # "Enforced" skips the registration grace period
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}
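A fuller version of the bulk update, as an added example that is not part of the original post. It drives the MSOnline cmdlets from a CSV (the rows below are constructed, and the contoso.com UPNs are hypothetical), reports each user's current per-user MFA state before changing it, and also handles the "Disabled" case, which is done by writing an empty requirements collection rather than a state value:

```powershell
# Added example, not from the original post. MSOnline module assumed.
Import-Module MSOnline
Connect-MsolService

# Constructed sample input; in practice: $rows = Import-Csv .\mfa-users.csv
$rows = @"
UserPrincipalName,MfaState
alice@contoso.com,Enabled
bob@contoso.com,Enforced
carol@contoso.com,Disabled
"@ | ConvertFrom-Csv

function Get-MfaState {
    param([Microsoft.Online.Administration.User]$User)
    # An empty StrongAuthenticationRequirements collection means no per-user MFA.
    $req = $User.StrongAuthenticationRequirements
    if ($null -eq $req -or $req.Count -eq 0) { return "Disabled" }
    return $req[0].State   # "Enabled" (must register at next sign-in) or "Enforced"
}

function Set-MfaState {
    param(
        [string]$UserPrincipalName,
        [ValidateSet("Enabled", "Enforced", "Disabled")][string]$State
    )
    if ($State -eq "Disabled") {
        # Per-user MFA is cleared by writing an empty collection, not a state string.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($st)
}

foreach ($row in $rows) {
    $user = Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Not found, skipped: $($row.UserPrincipalName)"
        continue
    }
    $current = Get-MfaState -User $user
    if ($current -eq $row.MfaState) {
        Write-Host "$($row.UserPrincipalName): already $current"
        continue
    }
    Set-MfaState -UserPrincipalName $row.UserPrincipalName -State $row.MfaState
    Write-Host "$($row.UserPrincipalName): $current -> $($row.MfaState)"
}
```

Run it once with the Set-MfaState call commented out to get a before/after report of the tenant without changing anything; "Enforced" should only be written for users who have already completed registration, since it also makes legacy clients require app passwords.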

Configure fraud alerts;

MS Docs state that Fraud Alerts are only specific to the on-premises MFA Server at the time of writing. I’m not 100% clear on this though, so treat with caution.

Configure bypass options;

One-time bypass (letting a user sign in once without completing MFA, for a limited number of seconds) is specific to the on-premises MFA Server at the time of writing.

Configure trusted IPs;

Trusted IPs exempt sign-ins from a list of IP address ranges, typically your office egress addresses, from MFA. The feature is available with the full version of Azure Multi-Factor Authentication (Azure AD P1/P2 SKUs), and not with the free version for Global Administrators. It only works with IPv4 addressing as of January 2019.

Configure verification methods;

This is not specific to Microsoft's MFA service; it applies to every service. Consider that the tech community at large no longer regards SMS text messages as an acceptable verification method: attacks on the SS7 signalling protocols used by mobile providers are widely known, and SMS codes are also phishable and vulnerable to SIM swapping. Hardware tokens or smartphone authenticator apps (Microsoft Authenticator, Google Authenticator, LastPass Authenticator or Duo) are the more appropriate choices.

Manage role-based access control (RBAC); Implement RBAC policies; Assign RBAC roles; Create a custom role; Configure access to Azure resources by assigning roles; Configure management access to Azure;

These six objectives duplicate the "Manage role-based access control (RBAC)" section below and are covered there.

Manage role-based access control (RBAC)

Owner is the most powerful built-in role in Azure RBAC. The key thing is that an Owner can also grant further access to a resource they own, including making other people Owners, so handing it out weakens your control as the person administering the Azure tenant.
As a Global Administrator, it is much more likely that you will choose the Contributor role when granting access to resources. It lets the assignee manage everything about the resource except access to it (role assignments).

May include but not limited to:
Create a custom role;

When you create a custom role, it appears in the Azure portal with an orange resource icon.

Configure access to Azure resources by assigning roles;

Configure management access to Azure;

It's difficult to see a great deal of value in this objective. I think it's still here because the policy forcing all Azure Administrators through MFA is not yet the default, and until that time it's useful to know how to configure management access to Azure.

Something that's not part of the exam objective, but is pertinent, is the "break glass" accounts you should have set up for your Azure tenant: cloud-only accounts with long credentials stored offline, excluded from the MFA and Conditional Access policies that apply to everyone else, so that a misconfigured policy cannot lock every administrator out.

Troubleshoot RBAC;
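The three RBAC objectives above (create a custom role, assign roles at the right scope, troubleshoot who holds what) in one runnable walkthrough, as an added example that is not part of the original post. It assumes the Az PowerShell module; the resource group name, the sign-in name and the custom role's name are hypothetical placeholders:

```powershell
# Added example, not from the original post. Az module assumed; names are hypothetical.
Connect-AzAccount
$subscriptionId = (Get-AzContext).Subscription.Id
$rgName   = "rg-app-prod"         # hypothetical resource group
$assignee = "alice@contoso.com"   # hypothetical user

# 1. Custom role: clone a built-in role as a template, then narrow it.
#    Read and restart VMs only: no delete, no write, no role assignments.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id = $null                       # a null Id makes New-AzRoleDefinition create a new role
$role.Name = "VM Operator (custom)"
$role.Description = "Read and restart VMs; cannot delete VMs or manage access"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
$customRole = New-AzRoleDefinition -Role $role
# The role now shows in the portal with the orange custom-role icon.

# 2. Assign at resource-group scope rather than subscription scope: least privilege.
New-AzRoleAssignment -SignInName $assignee `
    -RoleDefinitionName $customRole.Name `
    -ResourceGroupName $rgName

# 3. Troubleshoot: what does this user effectively hold here, and where from?
#    -ExpandPrincipalGroups includes assignments inherited through group membership;
#    the Scope column shows whether a right comes from the RG or a parent scope.
Get-AzRoleAssignment -SignInName $assignee -ResourceGroupName $rgName -ExpandPrincipalGroups |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Anyone holding Owner at this scope (or any parent scope) can grant further access,
# which is the concern about Owner raised above. List them.
Get-AzRoleAssignment -ResourceGroupName $rgName |
    Where-Object { $_.RoleDefinitionName -eq "Owner" } |
    Select-Object DisplayName, ObjectType, Scope
```

When a user reports "I can't do X", the two usual findings from step 3 are an assignment at a narrower scope than the resource they are working on, or a custom role whose Actions list does not contain the operation they need; both are visible directly in the output.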

Implement RBAC policies;

I can’t find anything about RBAC policies, but Azure Policy does supplement RBAC, so I can only assume this is the intention of the objective.

Here’s the 2018 Ignite session BRK3085 – Deep dive into Implementing governance at scale through Azure Policy
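As an added example (not part of the original post) of how Azure Policy supplements RBAC: RBAC decides who may create resources, and Policy decides what they may create. The definition below denies any non-global resource deployed outside an allowed list of locations and assigns it at subscription scope. It assumes the Az module (Az.Resources for the definition and assignment, Az.PolicyInsights for the compliance query); the definition names and the location list are hypothetical:

```powershell
# Added example, not from the original post. Az module assumed; names are hypothetical.
Connect-AzAccount
$subscriptionId = (Get-AzContext).Subscription.Id

# Policy rule: deny resources whose location is outside the allowed list.
# "global" is exempted because some resource types (DNS zones, Traffic Manager) only exist there.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Parameter schema: the allowed locations are supplied at assignment time,
# so one definition can be assigned with different lists at different scopes.
$params = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name "deny-unapproved-locations" `
    -DisplayName "Deny resources outside approved locations" `
    -Policy $rule -Parameter $params

New-AzPolicyAssignment -Name "deny-unapproved-locations-sub" `
    -Scope "/subscriptions/$subscriptionId" `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedLocations = @("uksouth", "ukwest") }

# Existing resources are not removed by a deny effect; they are reported as non-compliant.
# Compliance data takes a while to populate after a new assignment.
Get-AzPolicyState -SubscriptionId $subscriptionId -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyAssignmentName
```

Note the difference from RBAC: a Contributor on the subscription still cannot deploy into an unapproved region once this is assigned, because Policy is evaluated by Resource Manager on every create and update regardless of the caller's role.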

Assign RBAC roles

Implement Azure Active Directory (AD) Privileged Identity Management (PIM)

Ammar Hasayen has a course on Pluralsight all about PIM

May include but not limited to:
Enable PIM;

PIM requires Azure AD Premium P2 licences (or EMS E5, a bundle that includes Azure AD P2) for all users who use PIM.
When PIM is enabled, the Global Administrator who enabled it is the only user in the tenant with PIM configuration access. It is therefore critical that, immediately after enabling PIM, you at least make all other Global Administrators eligible for the Privileged Role Administrator role or assign it to them permanently. Again, though not an exam objective, consider your two "break glass" accounts to ensure you don't lock yourself out of your tenant.

Activate a PIM role;

Configure just-in-time access, permanent access, PIM management access, and time-bound access;

Create a Delegated Approver account;

Process pending approval requests;
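The objectives above (eligible and time-bound assignments, just-in-time activation, and seeing what is pending or permanent) scripted with the PIM cmdlets in the AzureADPreview module, as an added example that is not part of the original post. It also performs the step recommended when PIM is first enabled: making the other Global Administrators eligible rather than leaving one person in control. The object IDs and the reason text are hypothetical placeholders, and the cmdlet names are taken from the AzureADPreview module as documented, which is an assumption about the module version in use:

```powershell
# Added example, not from the original post. AzureADPreview module assumed; IDs are placeholders.
Import-Module AzureADPreview
Connect-AzureAD
# For the "aadRoles" provider, PIM's ResourceId is the tenant (directory) ID.
$tenantId = (Get-AzureADTenantDetail).ObjectId

# Resolve the Global Administrator role as PIM identifies it
$gaRole = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId |
    Where-Object { $_.DisplayName -eq "Global Administrator" }

function New-PimSchedule {
    # A schedule with no end is a permanent assignment; with an end it is time-bound.
    param([datetime]$Start, [datetime]$End)
    $s = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $s.Type = "Once"
    $s.StartDateTime = $Start.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    if ($End) { $s.EndDateTime = $End.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") }
    return $s
}

# 1. Straight after enabling PIM: make the other Global Administrators *eligible*
#    (time-bound to one year here), so PIM administration does not rest on one account.
#    Leave the two break-glass accounts out of this: they keep a permanent, direct assignment.
$otherAdmins = @("00000000-0000-0000-0000-000000000001",   # hypothetical user object IDs
                 "00000000-0000-0000-0000-000000000002")
foreach ($id in $otherAdmins) {
    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
        -RoleDefinitionId $gaRole.Id -SubjectId $id `
        -Type "AdminAdd" -AssignmentState "Eligible" `
        -Schedule (New-PimSchedule -Start (Get-Date) -End (Get-Date).AddYears(1)) `
        -Reason "Eligible Global Administrator following PIM enablement"
}

# 2. Just-in-time activation of my own eligible GA role for two hours, with a reason.
#    If the role's settings require approval, this request sits pending until an
#    approver processes it; if they require MFA, the activation prompts for it.
$me = (Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id).ObjectId
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
    -RoleDefinitionId $gaRole.Id -SubjectId $me `
    -Type "UserAdd" -AssignmentState "Active" `
    -Schedule (New-PimSchedule -Start (Get-Date) -End (Get-Date).AddHours(2)) `
    -Reason "Tenant MFA policy change during maintenance window"

# 3. Review: who holds Global Administrator, whether active or eligible, and whether
#    the assignment is permanent (no EndDateTime) or time-bound.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $tenantId `
    -Filter "roleDefinitionId eq '$($gaRole.Id)'" |
    Select-Object SubjectId, AssignmentState, StartDateTime, EndDateTime
```

The output of step 3 is what an auditor asks for: permanent active Global Administrators should be limited to the break-glass accounts, with everyone else eligible and activating for a bounded window with a recorded reason.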
