
1. What is Azure Active Directory?

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service,
which helps employees sign in and access resources in:
 External resources, such as Microsoft Office 365, the Azure portal and thousands of other SaaS
applications.
 Internal resources, such as apps on your corporate network and intranet, along with any cloud
apps developed by your own organization.

2. What are Azure AD licenses?


Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in
and to help with identity protection. If you subscribe to any Microsoft Online business service, you
automatically get Azure AD with access to all the free features.

To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure
Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your
existing free directory, providing self-service, enhanced monitoring, security reporting and secure
access for your mobile users.

3. What are the features of the Azure AD licenses?


 Azure Active Directory Free: provides user and group management, on-premises directory
synchronization, basic reports, self-service password change for cloud users, and single sign-on
across Azure, Office 365 and many popular SaaS apps.
 Azure Active Directory Premium P1: in addition to the Free features, P1 also lets your hybrid users
access both on-premises and cloud resources. It also supports advanced administration such as
dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises
identity and access management suite) and cloud write-back capabilities, which allow self-
service password reset for your on-premises users.
 Azure Active Directory Premium P2: in addition to the free and P1 features, P2 also offers
Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your
apps and critical company data and Privileged Identity management to help discover, restrict
and monitor administrators and their access to resource and to provide just-in-time access
when needed.
 “Pay as you go” feature licenses: You can also get additional feature licences, such as Azure
Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access
management solutions for your customer-facing apps.

4. What are the Azure AD Pricing Details?


Azure Active Directory comes in four editions—Free, Office 365 apps edition, Premium P1, and
Premium P2. The Free edition is included with an Azure subscription. The Premium editions are
available through a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud
Solution Providers program. Azure and Office 365 subscribers can also buy Azure Active Directory
Premium P1 and P2 online.
 Premium P1: Designed to empower organizations with more demanding identity and access
management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level
identity management capabilities and enables hybrid users to seamlessly access on-premises
and cloud capabilities. This edition includes everything you need for information worker and
identity administrators in hybrid environments across application access, self-service identity
and access management (IAM), and security in the cloud. Price details below:

Enterprise Agreement: Contact Enterprise Agreement Representative


Online: $6 per user / per month

 Premium P2: Azure Active Directory Premium P2 includes every feature of all other Azure
Active Directory editions, enhanced with advanced identity protection and privileged identity
management capabilities. Price details below:

Enterprise Agreement: Contact Enterprise Agreement Representative


Online: $9 per user / per month

5. What are the features of the Azure AD editions?


Feature                                                       Free            Office 365      Premium P1     Premium P2
-----------------------------------------------------------------------------------------------------------------------
Core Identity and Access Management
  Directory objects                                           500,000         No object limit No object limit No object limit
  Single sign-on (SSO)                                        Up to 10 apps   Up to 10 apps   Unlimited      Unlimited
  User provisioning                                           √               √               √              √
  Federated authentication (AD FS or 3rd party)               √               √               √              √
  User and group management (add/update/delete)               √               √               √              √
  Device registration                                         √               √               √              √
  Cloud authentication (pass-through authentication,          √               √               √              √
    password hash sync, seamless SSO)
  Azure AD Connect sync (on-premises)                         √               √               √              √
  Self-service password change for cloud users                √               √               √              √
  Azure AD Join: desktop SSO and administrator                √               √               √              √
    BitLocker recovery
  Password protection (global banned password list)           √               √               √              √
  Multi-factor authentication for administrators              √               √               √              √
  Basic security and usage reports                            √               √               √              √
Business to Business Collaboration
  Azure AD features for guest users                           √               √               √              √
Identity and Access Management for Office 365
  Company branding                                                            √               √              √
  MFA (phone and SMS)                                                         √               √              √
  Group access management                                                     √               √              √
  Self-service password reset for cloud users                                 √               √              √
  Service Level Agreement (SLA)                                               √               √              √
  Device write-back (two-way sync of device objects                           √               √              √
    between on-premises directories and Azure AD)
Premium Features
  Password protection (custom banned password list)                                           √              √
  Password protection for Windows Server Active Directory                                     √              √
    (global and custom banned password lists)
  Self-service password reset/change/unlock with                                              √              √
    on-premises write-back
  Microsoft Cloud App Discovery                                                               √              √
  Azure AD Join: MDM auto-enrolment and local admin                                           √              √
    policy customization
  Azure AD Join: self-service BitLocker recovery,                                             √              √
    Enterprise State Roaming
  Advanced security and usage reports                                                         √              √
Hybrid Identities
  Application Proxy                                                                           √              √
  Microsoft Identity Manager user CAL                                                         √              √
  Connect Health                                                                              √              √
Advanced Group Access Management
  Dynamic groups                                                                              √              √
  Group creation permission delegation                                                        √              √
  Group naming policy                                                                         √              √
  Group expiration                                                                            √              √
  Usage guidelines                                                                            √              √
  Default classification                                                                      √              √
Conditional Access
  Conditional Access based on group, location and                                             √              √
    device status
  SharePoint limited access                                                                   √              √
  Terms of Use (set up terms of use for specific access)                                      √              √
  Microsoft Cloud App Security integration                                                    √              √
  3rd party MFA partner integration                                                           √              √
  3rd party identity governance partner integration                                           √              √
Identity Protection
  Vulnerabilities and risky accounts detection                                                               √
  Risk events investigation                                                                                  √
  Risk-based Conditional Access policies                                                                     √
Identity Governance
  Privileged Identity Management (PIM)                                                                       √
  Access Reviews                                                                                             √
  Entitlement Management                                                                                     √
-----------------------------------------------------------------------------------------------------------------------
Price                                                         Free            Included        $6 per user    $9 per user
                                                                              with O365       per month      per month

6. Which feature areas does Azure AD include?

 Application Management
 Authentication
 Business-to-Business (B2B)
 Business-to-Customer (B2C)
 Conditional Access
 Azure Active Directory for Developers
 Device Management
 Domain Services
 Enterprise Users
 Hybrid Identity
 Identity Governance
 Identity Protection
 Managed identities for Azure resources
 Privileged identity management (PIM)
 Reports and monitoring

7. What is Application Management in Azure AD?


Azure Active Directory (Azure AD) simplifies the way you manage your applications by providing a
single identity system for your cloud and on-premises apps. You can add your software as a service
(SaaS) applications, on-premises applications, and line of business (LOB) apps to Azure AD. Then users
sign in once to securely and seamlessly access these applications, along with Office 365 and other
business applications from Microsoft. You can reduce administrative costs by automating user
provisioning. You can also use multi-factor authentication and Conditional Access policies to provide
secure application access.

8. Why manage applications with a cloud solution?


Organizations often have hundreds of applications that users depend on to get their work done. Users
access these applications from many devices and locations. New applications are added, developed,
and sunset every day. With so many applications and access points, it's more critical than ever to use a
cloud-based solution to manage user access to all applications.

9. What types of applications can I integrate with Azure AD?

There are four main types of applications that you can add to your Enterprise applications and manage
with Azure AD:

 Azure AD Gallery applications – Azure AD has a gallery that contains thousands of applications
that have been pre-integrated for single sign-on with Azure AD. Some of the applications your
organization uses are probably in the gallery. Learn about planning your app integration, or get
detailed integration steps for individual apps in the SaaS application tutorials.
 On-premises applications with Application Proxy – With Azure AD Application Proxy, you can
integrate your on-premises web apps with Azure AD to support single sign-on. Then end users
can access your on-premises web apps in the same way they access Office 365 and other SaaS
apps. Learn why to use Application Proxy and how it works.
 Custom-developed applications – When building your own line-of-business applications, you
can integrate them with Azure AD to support single sign-on. By registering your application
with Azure AD, you have control over the authentication policy for the application. For more
information, see guidance for developers.
 Non-Gallery applications – Bring your own applications! Support single sign-on for other apps
by adding them to Azure AD. You can integrate any web link you want, or any application that
renders a username and password field, supports SAML or OpenID Connect protocols, or
supports SCIM. For more information, see Configure single sign-on for non-gallery apps.
10. What is Authentication in Azure AD?
Authentication is the act of challenging a party for legitimate credentials, providing the basis for
creation of a security principal to be used for identity and access control. In simpler terms, it's the
process of proving you are who you say you are. Authentication is sometimes shortened to AuthN.

Authorization is the act of granting an authenticated security principal permission to do something. It
specifies what data you're allowed to access and what you can do with it. Authorization is sometimes
shortened to AuthZ.

11. What is Business-to-Business (B2B) in Azure AD?


Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely share your
company's applications and services with guest users from any other organization, while maintaining
control over your own corporate data. Work safely and securely with external partners, large or small,
even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets
partners use their own credentials to access your company's resources. Developers can use Azure AD
business-to-business APIs to customize the invitation process or write applications like self-service sign-
up portals.

12. What is Business-to-Customer (B2C) in Azure AD?


Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables custom
control of how your customers sign up, sign in, and manage their profiles when using your iOS,
Android, .NET, single-page (SPA), and other applications.

Azure Active Directory B2C (Azure AD B2C) is a customer identity access management (CIAM) solution
capable of supporting millions of users and billions of authentications per day. It takes care of the
scaling and safety of the authentication platform, monitoring and automatically handling threats like
denial-of-service, password spray, or brute force attacks.

Azure AD B2C is a white-label authentication solution. You can customize the entire user experience
with your brand so that it blends seamlessly with your web and mobile applications.

Customize every page displayed by Azure AD B2C when your users sign up, sign in, and modify their
profile information. Customize the HTML, CSS, and JavaScript in your user journeys so that the Azure
AD B2C experience looks and feels like it's a native part of your application.

13. What protocol is used by Azure AD B2C?


Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0,
and SAML. It integrates with most modern applications and commercial off-the-shelf software.

By serving as the central authentication authority for your web applications, mobile apps, and APIs,
Azure AD B2C enables you to build a single sign-on (SSO) solution for them all. Centralize the collection
of user profile and preference information, and capture detailed analytics about sign-in behaviour and
sign-up conversion.

14. What is Conditional Access in Azure AD?


The modern security perimeter now extends beyond an organization's network to include user and
device identity. Organizations can utilize these identity signals as part of their access control decisions.
Conditional Access is the tool used by Azure Active Directory to bring signals together, to make
decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity
driven control plane.

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource,
then they must complete an action. Example: A payroll manager wants to access the payroll application
and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

 Empower users to be productive wherever and whenever
 Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when needed to keep your
organization secure and stay out of your users' way when not needed.

Conditional Access policies are enforced after the first-factor authentication has been completed.
Conditional Access is not intended as an organization's first line of defence for scenarios like denial-of-
service (DoS) attacks, but can use signals from these events to determine access.
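The if-then model above, the fact that policies are only evaluated once the first factor has succeeded, and the way several matching policies combine, can be made concrete with a small evaluator. This is an added example written for this section, not Microsoft's Conditional Access engine or any Microsoft code; the policy names, group names, app names and sign-in events are constructed, and the combination rules modelled (block wins over grant; when several policies match, the user must satisfy the union of their grant controls) are the documented Conditional Access behaviour.

```python
"""Toy Conditional Access evaluator: identity signals in, access decision out.

Added illustration for this section, not Microsoft's engine or code. The
policy names, group names, app names and sign-in events are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset        # directory groups the user belongs to
    app: str
    location: str            # named location, e.g. "corp-hq", or "unknown"
    device_compliant: bool   # device-management (Intune) compliance signal
    first_factor_ok: bool    # CA is evaluated only after first-factor auth


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str = "allow"                        # "allow", "mfa" or "block"
    users: frozenset = frozenset()              # target groups; empty = all users
    apps: frozenset = frozenset()               # target apps; empty = all apps
    locations: frozenset = frozenset()          # target locations; empty = anywhere
    exclude_locations: frozenset = frozenset()  # trusted locations that are exempt
    require_compliant_device: bool = False

    def applies(self, s: SignIn) -> bool:
        if self.users and not (self.users & s.groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.locations and s.location not in self.locations:
            return False
        if s.location in self.exclude_locations:
            return False
        return True


def evaluate(policies, s: SignIn):
    """Return (decision, required_controls).

    Semantics modelled: policies run only after the first factor succeeded;
    a matching block policy wins over any grant; when several policies
    match, the user must satisfy the union of their grant controls.
    """
    if not s.first_factor_ok:
        return "denied-before-ca", frozenset()   # CA never ran
    controls = set()
    for p in policies:
        if not p.applies(s):
            continue
        if p.grant == "block":
            return "block", frozenset()
        if p.grant == "mfa":
            controls.add("mfa")
        if p.require_compliant_device:
            controls.add("compliant_device")
    # A compliant-device requirement cannot be satisfied interactively:
    # an unmanaged device simply fails the grant.
    if "compliant_device" in controls and not s.device_compliant:
        return "block", frozenset(controls)
    return "allow", frozenset(controls)


# Constructed policies mirroring the text: payroll needs MFA, admins need a
# managed device plus MFA unless on the trusted corp network, and sign-ins
# from a blocked named location are refused outright.
POLICIES = (
    Policy("Require MFA for payroll", grant="mfa", apps=frozenset({"payroll"})),
    Policy("Admins: compliant device + MFA", grant="mfa",
           users=frozenset({"admins"}), require_compliant_device=True,
           exclude_locations=frozenset({"corp-hq"})),
    Policy("Block sign-ins from blocked country", grant="block",
           locations=frozenset({"blocked-country"})),
)

if __name__ == "__main__":
    payroll_mgr = SignIn("alice", frozenset({"finance"}), "payroll", "unknown", False, True)
    print(evaluate(POLICIES, payroll_mgr))   # ('allow', frozenset({'mfa'}))
```

Note the ordering in evaluate: the block decision is returned as soon as one block policy matches, regardless of grants collected from earlier policies, which is why a block policy cannot be "out-voted" by an MFA-only policy that also applies.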

15. What is Azure Active Directory for Developers?


Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer
platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to
call Microsoft APIs such as Microsoft Graph or APIs that developers have built. It’s a full-featured
platform that consists of an OAuth 2.0 and OpenID Connect standard-compliant authentication service,
open-source libraries, application registration and configuration, robust conceptual and reference
documentation, quickstart samples, code samples, tutorials, and how-to guides.
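What a public client actually sends to the v2.0 endpoint, and what it must check in the id_token it gets back, is easier to see in code than in the paragraph above. The block below is an added example for this section, not code from Microsoft or from MSAL: it builds PKCE material and the authorize request against login.microsoftonline.com, and checks the id_token claims (issuer, tenant, audience, nonce, validity window). The tenant id, client id, redirect URI and the SAMPLE_CLAIMS/SAMPLE_ID_TOKEN values are placeholders constructed for the example; signature verification against the tenant's published signing keys is assumed to have happened before check_id_token_claims is called and is not shown.

```python
"""Public-client sign-in against the Microsoft identity platform v2.0 endpoint:
PKCE material, the authorize request, and id_token claim checks.

Added example for this section, not Microsoft or MSAL code. Tenant id, client
id and redirect URI are placeholders; SAMPLE_CLAIMS/SAMPLE_ID_TOKEN are
constructed and unsigned. Signature verification against the tenant's JWKS is
assumed to have been done before check_id_token_claims.
"""
import base64
import hashlib
import json
import secrets
import time
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_from_verifier(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce():
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, within the 43..128 range
    return verifier, challenge_from_verifier(verifier)


def authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce, challenge):
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                    # binds the redirect to this browser session (CSRF)
        "nonce": nonce,                    # echoed in the id_token; detects replay
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def decode_jwt_payload(token: str) -> dict:
    """Unverified decode of the claims segment; use only after the signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, tenant, client_id, nonce, now=None, skew=300):
    """Claim checks for a v2.0 id_token. Returns the subject on success."""
    now = time.time() if now is None else now
    if claims.get("iss") != f"{AUTHORITY}/{tenant}/v2.0":
        raise ValueError("issuer mismatch")
    if claims.get("tid") != tenant:
        raise ValueError("tenant mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch: token was not minted for this app")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if claims.get("nbf", 0) > now + skew:
        raise ValueError("token not yet valid")
    if claims.get("exp", 0) <= now - skew:
        raise ValueError("token expired")
    return claims["sub"]


# Constructed, unsigned sample token (placeholder header and signature segments).
SAMPLE_CLAIMS = {
    "iss": f"{AUTHORITY}/tenant-id/v2.0", "tid": "tenant-id", "aud": "app-id",
    "nonce": "nn", "nbf": 1000, "exp": 4600, "sub": "user-1",
}
SAMPLE_ID_TOKEN = "e30." + b64url(json.dumps(SAMPLE_CLAIMS).encode()) + ".sig"

if __name__ == "__main__":
    verifier, challenge = make_pkce()
    print(authorize_url("tenant-id", "app-id", "http://localhost/cb",
                        ["openid", "profile"], "st", "nn", challenge))
    print(check_id_token_claims(decode_jwt_payload(SAMPLE_ID_TOKEN),
                                "tenant-id", "app-id", "nn", now=2000))   # user-1
```

The audience check is the one most often skipped in hand-rolled clients: a token minted for a different app in the same tenant still has a valid signature and issuer, and only the aud claim tells the two apart.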

16. What is Device Management in Azure AD?


With the proliferation of devices of all shapes and sizes and the Bring Your Own Device (BYOD)
concept, IT professionals are faced with two somewhat opposing goals:
 Allow end users to be productive wherever and whenever
 Protect the organization's assets

To protect these assets, IT staff need to first manage the device identities. IT staff can build on the
device identity with tools like Microsoft Intune to ensure standards for security and compliance are
met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from
anywhere through these devices.
 Your users get access to your organization's assets they need.
 Your IT staff get the controls they need to secure your organization.

Device identity management is the foundation for device-based conditional access. With device-based
conditional access policies, you can ensure that access to resources in your environment is only
possible with managed devices.
17. What is Domain Service in Azure AD?
Azure Active Directory (Azure AD) Domain Services lets organizations "lift and shift" applications that
use on-premises AD for authentication into the cloud. It extends Azure AD to provide many of the
features of on-premises Windows Server Active Directory (AD) without the effort of deploying domain
controllers (DCs) or setting up ExpressRoute or a VPN to connect on-premises DCs to Azure.

Domain Services extends Azure AD to support Kerberos, NTLM, Group Policy, domain join, LDAP bind and
read, Secure LDAP, custom domain names, DNS management, and custom Organizational Units (OUs). It
also provides high availability, account lockout protection, and management with familiar tools.

18. What is Enterprise User?

19. What is Hybrid Identity?

20. What is Identity Governance?


Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need
for security and employee productivity with the right processes and visibility. It provides you with
capabilities to ensure that the right users have the right access to the right resources, and it allows you
to protect, monitor, and audit access to critical assets -- while ensuring employee productivity.

Identity Governance gives organizations the ability to do the following tasks across employees, business
partners and vendors, and services and applications:
 Govern the identity lifecycle
 Govern access lifecycle
 Secure administration

Specifically, it is intended to help organizations address these four key questions:


 Which users should have access to which resources?
 What are those users doing with that access?
 Are there effective organizational controls for managing access?
 Can auditors verify that the controls are working?

21. What is Identity Protection?


Azure Active Directory Identity Protection enables organizations to configure automated responses to
detected suspicious actions related to user identities.

Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory
Identity Protection, in your environment, you can use the same protection systems Microsoft uses to
secure identities.
The vast majority of security breaches take place when attackers gain access to an environment by
stealing a user’s identity. Over the years, attackers have become increasingly effective in leveraging
third-party breaches and using sophisticated phishing attacks. As soon as an attacker gains access to
even low privileged user accounts, it is relatively easy for them to gain access to important company
resources through lateral movement.

22. What are managed identities for Azure resources?


A common challenge when building cloud applications is how to manage the credentials in your code
for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the
credentials never appear on developer workstations and aren't checked into source control. Azure Key
Vault provides a way to securely store credentials, secrets, and other keys, but your code has to
authenticate to Key Vault to retrieve them.

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this
problem. The feature provides Azure services with an automatically managed identity in Azure AD. You
can use the identity to authenticate to any service that supports Azure AD authentication, including
Key Vault, without any credentials in your code.

The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions.
There's no additional cost.

23. What terminology is used for managed identities?


The following terms are used throughout the managed identities for Azure resources documentation
set:

 Client ID - a unique identifier generated by Azure AD that is tied to an application and service
principal during its initial provisioning.
 Principal ID - the object ID of the service principal object for your managed identity that is used
to grant role-based access to an Azure resource.
 Azure Instance Metadata Service (IMDS) - a REST endpoint accessible to all IaaS VMs created
via the Azure Resource Manager. The endpoint is available at a well-known non-routable IP
address (169.254.169.254) that can be accessed only from within the VM.

24. How do managed identities for Azure resources work?
There are two types of managed identities:
 A system-assigned managed identity is enabled directly on an Azure service instance. When
the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's
trusted by the subscription of the instance. After the identity is created, the credentials are
provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the
Azure service instance that it's enabled on. If the instance is deleted, Azure automatically
cleans up the credentials and the identity in Azure AD.
 A user-assigned managed identity is created as a standalone Azure resource. Through a create
process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in
use. After the identity is created, the identity can be assigned to one or more Azure service
instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of
the Azure service instances to which it's assigned.
 Internally, managed identities are service principals of a special type, which are locked to only
be used with Azure resources. When the managed identity is deleted, the corresponding
service principal is automatically removed.

Your code can use a managed identity to request access tokens for services that support Azure AD
authentication. Azure takes care of rolling the credentials that are used by the service instance.
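The "no credentials in your code" claim in Q22 and the IMDS endpoint named in Q23 come together in the token request a workload makes at run time. The block below is an added example for these two answers, not Microsoft's or the Azure SDK's code: it builds the IMDS token request (system-assigned by default, user-assigned when a client_id is given), sends it with the mandatory Metadata header, and caches the token until shortly before its expiry. The make_fake_fetch stand-in and the response it returns are constructed so the provider can be exercised offline; on a real VM the default imds_fetch talks to 169.254.169.254.

```python
"""Acquiring a managed-identity access token from the Azure Instance Metadata
Service (IMDS), with caching and early refresh.

Added example for this section, not Microsoft's or the Azure SDK's code.
make_fake_fetch and its response are constructed for offline use; on a real
VM the default imds_fetch talks to 169.254.169.254.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource: str, client_id: str = None):
    """URL and headers for the IMDS token endpoint.

    client_id selects a user-assigned identity; omit it for system-assigned.
    'Metadata: true' is mandatory: IMDS rejects requests without it, which
    blocks forwarded browser requests (SSRF-style) that cannot set headers.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}", {"Metadata": "true"}


def imds_fetch(url: str, headers: dict) -> dict:
    req = urllib.request.Request(url, headers=headers)   # plain GET, no secret in the call
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ManagedIdentityTokenProvider:
    def __init__(self, fetch=imds_fetch, client_id=None, refresh_margin=300, clock=time.time):
        self._fetch = fetch
        self._client_id = client_id
        self._margin = refresh_margin     # refresh this many seconds before expiry
        self._clock = clock
        self._cache = {}                  # resource -> last IMDS response

    def get_token(self, resource: str) -> str:
        now = self._clock()
        cached = self._cache.get(resource)
        if cached and int(cached["expires_on"]) - now > self._margin:
            return cached["access_token"]
        url, headers = build_token_request(resource, self._client_id)
        body = self._fetch(url, headers)
        if "access_token" not in body or "expires_on" not in body:
            raise RuntimeError(f"unexpected IMDS response fields: {sorted(body)}")
        self._cache[resource] = body      # expires_on is Unix seconds, as a string
        return body["access_token"]


def make_fake_fetch(calls: list, issued_at: float):
    """Constructed stand-in for IMDS: records each request, mints a 1h token."""
    def fake_fetch(url, headers):
        calls.append((url, headers))
        resource = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["resource"][0]
        return {"access_token": f"tok{len(calls)}", "expires_on": str(int(issued_at) + 3600),
                "resource": resource, "token_type": "Bearer"}
    return fake_fetch


if __name__ == "__main__":
    calls, t0 = [], 1_700_000_000.0
    prov = ManagedIdentityTokenProvider(fetch=make_fake_fetch(calls, t0), clock=lambda: t0)
    print(prov.get_token("https://vault.azure.net"))   # tok1
    print(prov.get_token("https://vault.azure.net"))   # tok1 again, served from cache
```

Two details matter operationally: the cache key is the resource (a Key Vault token is not valid for Resource Manager, so each audience gets its own fetch), and refreshing a few minutes early means a request made with a token that is about to expire does not fail mid-flight.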
25. What is Privileged identity management (PIM)?
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you
to manage, control, and monitor access to important resources in your organization. This includes
access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or
Microsoft Intune.

26. What is PIM used for?


Organizations want to minimize the number of people who have access to secure information or
resources, because that reduces the chance of a malicious actor getting that access, or an authorized
user inadvertently impacting a sensitive resource. However, users still need to carry out privileged
operations in Azure AD, Azure, Office 365, or SaaS apps. Organizations can give users just-in-time (JIT)
privileged access to Azure resources and Azure AD. There is a need for oversight for what those users
are doing with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary,
or misused access rights.

27. What can be done with PIM?


PIM essentially helps you manage the who, what, when, where, and why for resources that you care
about. Here are some of the key features of PIM:
 Provide just-in-time privileged access to Azure AD and Azure resources
 Assign time-bound access to resources using start and end dates
 Require approval to activate privileged roles
 Enforce multi-factor authentication to activate any role
 Use justification to understand why users activate
 Get notifications when privileged roles are activated
 Conduct access reviews to ensure users still need roles
 Download audit history for internal or external audit

28. What does PIM support?


PIM supports the following scenarios:

As a Privileged Role Administrator, you can:


 Enable approval for specific roles
 Specify approver users and/or groups to approve requests
 View request and approval history for all privileged roles

As an approver, you can:


 View pending approvals (requests)
 Approve or reject requests for role elevation (single and/or bulk)
 Provide justification for your approval/rejection

As an eligible role user, you can:


 Request activation of a role that requires approval
 View the status of your request to activate
 Complete your task in Azure AD if activation was approved

29. What is reports and monitoring in Azure AD?


Azure Active Directory (Azure AD) reports provide a comprehensive view of activity in your
environment. The provided data enables you to:
 Determine how your apps and services are utilized by your users
 Detect potential risks affecting the health of your environment
 Troubleshoot issues preventing your users from getting their work done
The reporting architecture relies on two main pillars:
 Security reports
   Users flagged for risk
   Risky sign-ins
 Activity reports
   Audit logs
   Sign-ins
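The Sign-ins report is the input for most identity detections, and a password spray (one source trying one or two passwords against many accounts) is the pattern it surfaces most directly. The block below is an added example for this section, not a Microsoft query or workbook: it runs two detections over constructed records in the shape of the Sign-ins JSON export (a subset of fields). The error code 50126 used here is the real AADSTS code for an invalid username or password; the user names, IP addresses and timestamps are constructed.

```python
"""Hunting in Azure AD sign-in log records: flag password-spray sources and
high-risk successful sign-ins.

Added example for this section, not a Microsoft query. SAMPLE_SIGNINS is
constructed in the shape of the Sign-ins report export (subset of fields);
50126 is the real 'invalid username or password' error code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126


def _rec(ts, upn, ip, code, risk="none", app="Office 365"):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "status": {"errorCode": code},
            "riskLevelDuringSignIn": risk}


# Constructed: one source spraying five accounts in eight minutes (plus an
# unrelated failure from the same IP 40 minutes earlier), one isolated
# failure elsewhere, a normal success, and a success the service scored high risk.
SAMPLE_SIGNINS = [
    _rec("2024-03-01T07:20:00Z", "frank@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    _rec("2024-03-01T08:00:05Z", "alice@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    _rec("2024-03-01T08:01:10Z", "bob@contoso.com",   "203.0.113.7", INVALID_CREDENTIALS),
    _rec("2024-03-01T08:02:30Z", "carol@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    _rec("2024-03-01T08:04:00Z", "dave@contoso.com",  "203.0.113.7", INVALID_CREDENTIALS),
    _rec("2024-03-01T08:07:45Z", "Erin@contoso.com",  "203.0.113.7", INVALID_CREDENTIALS),
    _rec("2024-03-01T08:09:00Z", "grace@contoso.com", "192.0.2.5",   INVALID_CREDENTIALS),
    _rec("2024-03-01T08:30:00Z", "alice@contoso.com", "192.0.2.10",  0),
    _rec("2024-03-01T08:45:00Z", "frank@contoso.com", "198.51.100.9", 0, risk="high"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_password_spray(records, min_users=5, window=timedelta(minutes=10)):
    """IPs that failed with bad credentials against >= min_users distinct
    accounts inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_CREDENTIALS:
            by_ip[r["ipAddress"]].append((_ts(r["createdDateTime"]),
                                          r["userPrincipalName"].lower()))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def high_risk_sign_ins(records):
    """Successful sign-ins that Identity Protection scored high risk."""
    return [(r["userPrincipalName"], r["ipAddress"]) for r in records
            if r.get("riskLevelDuringSignIn") == "high" and r["status"]["errorCode"] == 0]


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_SIGNINS))   # {'203.0.113.7': [...5 accounts...]}
    print(high_risk_sign_ins(SAMPLE_SIGNINS))      # [('frank@contoso.com', '198.51.100.9')]
```

Counting distinct accounts per source (rather than failures per account) is what separates a spray from an ordinary lockout: each account sees only one failure, which is below any per-user lockout threshold, but the source touches many accounts in a short time.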

30. What is Tenant in Azure AD?


A tenant is the organization that owns and manages a specific instance of Microsoft cloud services. It's
most often used in an inexact manner to refer to the set of Azure AD and Office 365 services for an
organization. It is a dedicated and trusted instance of Azure AD that's automatically created when your
organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft
Intune, or Office 365. An Azure tenant represents a single organization.

31. What is Identity secure score in Azure AD?


The identity secure score is a number between 1 and 223 that functions as an indicator of how aligned
you are with Microsoft's best practice recommendations for security. Each improvement action in
the identity secure score is tailored to your specific configuration.

The score helps you to:


 Objectively measure your identity security posture
 Plan identity security improvements
 Review the success of your improvements

32. How to get Azure Identity Secure Score?


The identity secure score is available in all editions of Azure AD. To access your score, go to the Azure
AD Overview dashboard.

33. How does the identity secure score work?


Every 48 hours, Azure looks at your security configuration and compares your settings with the
recommended best practices. Based on the outcome of this evaluation, a new score is calculated for
your directory. It’s possible that your security configuration isn’t fully aligned with the best practice
guidance and the improvement actions are only partially met. In these scenarios, you will only be
awarded a portion of the max score available for the control.

Each recommendation is measured based on your Azure AD configuration. If you are using third-party
products to enable a best practice recommendation, you can indicate this configuration in the settings
of an improvement action. You also have the option to set recommendations to be ignored if they
don't apply to your environment. An ignored recommendation does not contribute to the calculation of
your score.

34. How does it help us?


The secure score helps you to:
 Objectively measure your identity security posture
 Plan identity security improvements
 Review the success of your improvements

35. Who can use Identity Secure Score?


 Global Admin
 Security Admin
 Security Readers

36. How are controls scored?


Controls can be scored in two ways. Some are scored in a binary fashion: you get 100% of the score if
you have the feature or setting configured as recommended. Other scores are calculated as a
percentage of the total configuration. For example, if the improvement recommendation states
you'll get 30 points if you protect all your users with MFA and you only have 5 of 100 total users
protected, you would be given a partial score of around 2 points (5 protected / 100 total * 30 max
points = 1.5, rounded up to 2 points).
37. What does "Not Scored" mean?
Actions labelled as [Not Scored] are ones you can perform in your organization but won't be scored
because they aren't hooked up in the tool (yet!). So, you can still improve your security, but you won't
get credit for those actions right now.

38. How often is my score updated?


The score is calculated once per day (around 1:00 AM PST). If you make a change to a measured action,
the score will automatically update the next day. It takes up to 48 hours for a change to be reflected in
your score.

39. My score has changed. How do I figure out why?


Head over to the Microsoft 365 security center, where you’ll find your complete Microsoft secure
score. You can easily see all the changes to your secure score by reviewing the in-depth changes on the
history tab.

40. Does the secure score measure my risk of getting breached?
