WEBVTT

0:00:02.640000 --> 0:00:08.780000
Hi, in this video, I want to talk about the manage identity and access

0:00:08.780000 --> 0:00:15.820000
objective domain for the AZ-500 certification exam for the Microsoft Certified

0:00:15.820000 --> 0:00:21.860000
Security Associate, Security Engineer Associate.

0:00:21.860000 --> 0:00:23.340000
All right, let's go ahead and move in.

0:00:23.340000 --> 0:00:26.280000
What are we going to talk about in this video?

0:00:26.280000 --> 0:00:32.140000
All right, so this objective domain is broken out into four separate objectives.

0:00:32.140000 --> 0:00:34.600000
So I'm going to go through each one of these objectives and hit the details:

0:00:34.600000 --> 0:00:38.800000
managing Azure Active Directory identities, configuring secure access

0:00:38.800000 --> 0:00:44.260000
by using Azure AD, managing application access, and also managing access

0:00:44.260000 --> 0:00:50.500000
control. So what are the objectives, or the details within these objectives?

0:00:50.500000 --> 0:00:53.920000
So let's go ahead and let's take a look at these.

0:00:53.920000 --> 0:00:59.500000
So we start out with managing Azure Active Directory identities.

0:00:59.500000 --> 0:01:05.280000
So we look at users and groups, pretty standard basic functionality within

0:01:05.280000 --> 0:01:10.200000
Azure AD. If you're an Azure administrator, you're probably familiar with

0:01:10.200000 --> 0:01:15.200000
that. But we also take a look at some of the more advanced topics related

0:01:15.200000 --> 0:01:19.200000
to really hybrid identity.

0:01:19.200000 --> 0:01:22.940000
We'll talk about, you'll need to know about configuring password writeback,

0:01:22.940000 --> 0:01:27.960000
and also authentication methods, including password hash, pass-through

0:01:27.960000 --> 0:01:34.600000
authentication, what OAuth is, and also passwordless capabilities.

0:01:34.600000 --> 0:01:38.500000
Interestingly enough, they're not focusing on ADFS, although we do include

0:01:38.500000 --> 0:01:43.480000
ADFS in our learning path, because I think it's kind of necessary.

0:01:43.480000 --> 0:01:49.820000
All right, now what about the next objective?

0:01:49.820000 --> 0:01:55.760000
The next objective is configuring secure access by using Azure AD.

0:01:55.760000 --> 0:02:03.560000
So this really looks at kind of three main topic areas.

0:02:03.560000 --> 0:02:06.680000
The first is privileged identity management.

0:02:06.680000 --> 0:02:09.860000
So we'll look at monitoring privileged identity management.

0:02:09.860000 --> 0:02:14.840000
We'll look at conducting access reviews, what they are, and also, and

0:02:14.840000 --> 0:02:16.020000
this is in the order they have it.

0:02:16.020000 --> 0:02:18.040000
This really should be the first one.

0:02:18.040000 --> 0:02:23.120000
Actually, activating and configuring privileged identity management.

0:02:23.120000 --> 0:02:27.440000
And we will also take a look at what is one of my favorite sets of topics

0:02:27.440000 --> 0:02:33.000000
here, conditional access policies, and multi-factor authentication.

0:02:33.000000 --> 0:02:37.260000
And we'll look at what both of those are and how you can use them in conjunction,

0:02:37.260000 --> 0:02:40.820000
because those are, of course, going to be on your exam.

0:02:40.820000 --> 0:02:47.920000
And also, you've got configure Azure AD Identity Protection.

0:02:47.920000 --> 0:02:53.520000
So you need to understand what Identity Protection is and how Identity

0:02:53.520000 --> 0:02:59.500000
Protection is implemented within the Azure AD environment.

0:02:59.500000 --> 0:03:08.040000
Next, we're going to talk about managing application access.

0:03:08.040000 --> 0:03:09.660000
This is actually kind of fun in that

0:03:09.660000 --> 0:03:16.460000
it really has two very separate sets of objectives.

0:03:16.460000 --> 0:03:20.260000
The first three really come down to application registration.

0:03:20.260000 --> 0:03:25.840000
This is registering applications in Azure AD so that Azure AD can provide

0:03:25.840000 --> 0:03:31.240000
the authentication services and identity services for an application.

0:03:31.240000 --> 0:03:35.820000
So this could be, say, an application that your organization has created,

0:03:35.820000 --> 0:03:36.760000
a custom application.

0:03:36.760000 --> 0:03:41.760000
It could be one of the applications that are already in the Azure AD marketplace,

0:03:41.760000 --> 0:03:45.540000
or it could be a third-party application that you want to register with

0:03:45.540000 --> 0:03:51.520000
Azure AD so that Azure AD can provide, again, authentication and also

0:03:51.520000 --> 0:03:53.300000
identity services.

0:03:53.300000 --> 0:03:56.880000
So that's what that is in the big picture.

0:03:56.880000 --> 0:03:59.920000
Now, you've got to be able to register an application.

0:03:59.920000 --> 0:04:06.160000
You have to understand what permissions are and also how to consent, what

0:04:06.160000 --> 0:04:08.940000
the different options are for consenting for application registration

0:04:08.940000 --> 0:04:15.340000
permissions. We also have managing API access to Azure subscriptions and

0:04:15.340000 --> 0:04:22.080000
resources. How do you authenticate for calls against the actual Azure

0:04:22.080000 --> 0:04:27.760000
Resource Management API so that you could automate integrative processes

0:04:27.760000 --> 0:04:37.580000
having to do with Azure resources?

0:04:37.580000 --> 0:04:43.740000
Next domain that we have, last domain that we have here, is manage access

0:04:43.740000 --> 0:04:51.120000
control. So what are our actual details with the manage access control

0:04:51.120000 --> 0:04:56.820000
objective? Okay, well, first we've got configure permissions.

0:04:56.820000 --> 0:04:58.240000
All right, that's pretty straightforward.

0:04:58.240000 --> 0:05:03.180000
At the subscription, at the resource, and at the resource group.

0:05:03.180000 --> 0:05:07.680000
And the good news is if you understand really one of those from an operational

0:05:07.680000 --> 0:05:09.960000
standpoint, you really understand all of them.

0:05:09.960000 --> 0:05:16.300000
Also be able to create your own role-based access control roles.

0:05:16.300000 --> 0:05:22.640000
Be able to identify the appropriate role and apply principles of least

0:05:22.640000 --> 0:05:26.720000
privilege. Now, I will tell you this one here, identifying the appropriate

0:05:26.720000 --> 0:05:29.780000
role. That one can be a bit tricky.

0:05:29.780000 --> 0:05:34.540000
Okay, there are scores of roles that are built in.

0:05:34.540000 --> 0:05:40.560000
And it's not going to be necessary for you to memorize every single role

0:05:40.560000 --> 0:05:42.260000
that's built in.

0:05:42.260000 --> 0:05:47.860000
What I will say is you should be comfortable with and familiar with the

0:05:47.860000 --> 0:05:49.720000
big roles, if you will.

0:05:49.720000 --> 0:05:53.100000
So things like Owner and Contributor and Reader.

0:05:53.100000 --> 0:05:58.920000
And also for resources that are covered in the exam.

0:05:58.920000 --> 0:06:01.880000
So things like virtual machines, for example.

0:06:01.880000 --> 0:06:03.520000
Things like storage accounts.

0:06:03.520000 --> 0:06:08.320000
You should be familiar with the roles that are specific to those resources.

0:06:08.320000 --> 0:06:12.300000
Okay, so that's something that I would say I definitely recommend, you know,

0:06:12.300000 --> 0:06:13.380000
looking at while you're studying,

0:06:13.380000 --> 0:06:17.780000
is anytime you're hitting a specific resource, just do a quick check.

0:06:17.780000 --> 0:06:21.080000
See if there are built-in roles for that specific resource.

0:06:21.080000 --> 0:06:23.460000
Make sure you understand what they are.

0:06:23.460000 --> 0:06:24.880000
Okay, all right.

0:06:24.880000 --> 0:06:28.520000
Now, being able to interpret your permissions.

0:06:28.520000 --> 0:06:31.480000
Hopefully that's relatively straightforward.

0:06:31.480000 --> 0:06:34.240000
And I kind of feel like if you can apply the principle of least privilege

0:06:34.240000 --> 0:06:38.740000
and identify the appropriate role, then you could probably interpret permissions.

0:06:38.740000 --> 0:06:43.100000
I guess one thing you do want to make sure is if I have multiple roles

0:06:43.100000 --> 0:06:48.620000
assigned to me, what is the effective permission of those multiple roles?

0:06:48.620000 --> 0:06:51.500000
And finally also check access.

0:06:51.500000 --> 0:06:56.420000
So understand how you can check access and see what any identity's access

0:06:56.420000 --> 0:07:00.020000
is to a particular resource group, et cetera.

0:07:00.020000 --> 0:07:07.120000
Okay, the only other thing on managing access control is I just want to

0:07:07.120000 --> 0:07:08.440000
think a little bit.

0:07:08.440000 --> 0:07:11.100000
There is one little twist on that.

0:07:11.100000 --> 0:07:15.660000
And that is we now have deny roles, right, that you can use to explicitly

0:07:15.660000 --> 0:07:19.040000
deny specific actions slash permissions.

0:07:19.040000 --> 0:07:22.820000
Those are only applied right now, at the time of this recording, via Azure

0:07:22.820000 --> 0:07:27.120000
Blueprints. So that's one that could be a little bit tricky.

0:07:27.120000 --> 0:07:29.260000
It can be a little bit confusing right now.

0:07:29.260000 --> 0:07:31.360000
I'm not saying that will stay that way all the time.

0:07:31.360000 --> 0:07:35.860000
There's really only one method that those can be applied.

0:07:35.860000 --> 0:07:41.340000
You cannot create your own and assign your own deny roles.

0:07:41.340000 --> 0:07:47.740000
All right, so there you go.

0:07:47.740000 --> 0:07:48.900000
Objective domain.