Introduction
The following are the topics, at a high level, that we are going to dive into in order to prepare for the Azure Security Engineer Associate certification.
- Secure access with Azure Active Directory :: Create and manage user across on prem and cloud
- Identity protection and governance :: PIM, role-based access and Azure policies
- Implement platform protection :: Perimeter, network, host and container security
- Secure your applications :: Key Vault, identity platform, AD etc.
- Secure your data at rest :: Storage security, encryption, database security, Defender for cloud etc.
- Manage Security Operation :: logs from Azure resource monitor, implement Defender for cloud
- Capstone Project.
The exam as a whole is divided into four components; the percentage next to each is an estimate of the share of questions to expect from that section, not a fixed number. The exam contains 40-60 performance-based questions along with MCQs.
- Manage Identity and Access - 25-30%
- Secure networking - 20-25%
- Secure compute, storage and databases - 20-25%
- Manage security Operation - 25-30%
Introduction to Azure Active Directory (Entra AD)
Azure AD is Microsoft's cloud-based directory service. You can create different groups for different teams within the company. Entra also provides conditional access for users, along with a secure score that gives an overview of how your security posture holds up against other tenants of a similar kind.
Azure AD and Active Directory are two entirely different services, chosen based on what each provides. Azure AD is a cloud-based identity provider for cloud-based services, whereas Active Directory is used for authentication to on-prem servers. The authentication mechanisms differ, but we can combine Active Directory with Azure AD to give users a hybrid identity. This hybrid setup provides the best of the on-prem Active Directory service along with the cloud's Entra AD service.
The main differences:
- Authentication method is different
- Directory structure differs between Active Directory and Entra
- On-premises and cloud authentication methods vary
The following are the authentication mechanisms that can be used for hybrid authentication combining the cloud's Entra AD and the on-prem Active Directory:
- Azure AD password hash synchronization :: the user's password hash is hashed a second time and synchronized with the on-prem directory
- Azure AD pass-through authentication :: an agent runs on-prem, and all authentication is handled by the on-prem servers
- Federated authentication :: a federation services server handles all password-related activities
- Where identity data is stored depends on the address provided during registration of the subscription. For example, for Europe, identity data is stored in EU data centers.
- In Azure AD B2B :: guest users get access through a link; this data is stored in US data centers.
- In Azure AD B2C :: identity data is not stored outside of the US.
- Azure AD multifactor authentication :: data is stored in US data centers, and push notifications are sent from US data centers.
Entra AD Licensing
The following are the various AD licensing tiers available in Azure's Entra AD:
- Free Tier :: Manage users and groups with AD synchronization and self service password reset along with SSO for Office 365.
- Pay-as-you-go :: gives you access to all Azure B2C features on a pay-as-you-go basis
- Office 365 Apps :: All free tier offerings along with custom login and logout pages
- Active Directory Premium P1 :: Hybrid auth, AD identity protection, dynamic group management, self service for on prem users
- Active Directory Premium P2 :: P1 features plus conditional access and all other privileged features.