
SC-300T00A: Microsoft Identity and Access Administrator

© Copyright Microsoft Corporation. All rights reserved.


Explore identity in Microsoft Entra ID


Outline

• Explore identity
• Identity administration concepts
• Authentication and authorization
• Auditing and other identity concepts



Learning objectives
After completing this module, you will be able to:

1. Review the identity capabilities of Microsoft Entra ID.
2. Explore Zero Trust principles in the context of identity and access.
3. Configure the basic capabilities of authentication and authorization.


Explore identity


Agenda

• Identity landscape
• Zero Trust and identity
• Why use an identity
• Identity administration concepts
• Authentication and authorization topics
• Auditing in identity and supplemental topics



Identity landscape



Identity landscape at Microsoft

1) Zero Trust: verify explicitly, use least privilege, assume breach.
2) Identity: decentralized providers; B2B, B2C, and Verifiable Credentials.
3) Actions, performed continuously: authenticate (prove, AuthN), authorize (get access, AuthZ), administer (configure and update), audit (report).
4) Usage: secure, which means cryptography; services are paid for, which means licenses.
5) Maintain: protect, detect, respond.


Secure assets where they are with Zero Trust

Classic approach: restrict everything to a "secure" network.
Zero Trust: protect assets anywhere with central policy.


Zero Trust concepts



Microsoft Zero Trust principles
Guidance for technical architecture: Microsoft Zero Trust Guidance Center | Microsoft Docs

Verify explicitly
Always validate all available data points, including:
• User identity and location
• Device health
• Service or workload context
• Data classification
• Anomalies

Use least privilege access
To help secure both data and productivity, limit user access using:
• Just-in-time (JIT) access
• Just-enough-access (JEA)
• Risk-based adaptive policies
• Data protection against out-of-band vectors

Assume breach
Minimize the blast radius of breaches and prevent lateral movement by:
• Segmenting access by network, user, device, and app awareness
• Encrypting all sessions end to end
• Using analytics for threat detection, posture visibility, and improving defenses


Deploying Zero Trust solutions

Secure identity with Zero Trust

Identities, whether they represent people, services, devices, or even IoT devices, define the Zero Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure the access is compliant and typical for that identity. Follow least privilege access principles.


Zero Trust at Microsoft

[Diagram: a user requests access to a resource. Microsoft Entra ID authenticates the identity, and Microsoft Entra Conditional Access applies policy (verify explicitly, use least privileged access, assume breach) using an intersectional policy assessment of context and risk. The request is routed through Microsoft Defender for Cloud Apps, which applies controls and assesses for anomalies. Inputs to the decision: identities; devices/endpoints, whose health and security are verified by Microsoft Endpoint Manager; apps; infrastructure; network (Azure Networking); and data that is classified, labelled, and encrypted by Microsoft Information Protection. Intersectional risk assessment (threat intelligence, familiarity), intelligence, and automation come from Microsoft Sentinel and Microsoft Defender XDR.]


Architecture frameworks
Identity is an important pillar in the Azure architecture frameworks.
• Adopting the cloud: Cloud Adoption Framework
• Building for the cloud: Well-Architected Framework

Cloud Adoption Framework, identity:
• Identity Baseline discipline overview - Cloud Adoption Framework | Microsoft Docs

Well-Architected Framework:
• Overview of the security pillar - Microsoft Azure Well-Architected Framework | Microsoft Docs
• Identity and access management checklist - Microsoft Azure Well-Architected Framework | Microsoft Docs
Why an identity?



Why use an identity?
• To be able to prove who we are: Authentication
• To get permission to do something: Authorization
• To report on what was done: Auditing
• To be able to (self) administer an identity: Administration

Authentication
• User sign-on experience
• Trusted source(s)
• Federation protocols
• Level of assurance

Authorization
• How and where are authorizations handled?
• Can a user access the resource, and what can they do once they access it?

Administration
• Single-view management
• Application of business rules
• Automated requests, approvals, and access assignment
• Entitlement management

Auditing
• Track who does what, when, where, and how
• Focused alerting
• In-depth collated reporting
• Governance and compliance
What is an identity provider (IdP)?

An identity provider (IdP) is a system that creates, manages, and stores digital identities. Microsoft Entra ID is an example. The capabilities and features of identity providers vary, but the most common components are:
• A repository of user identities
• An authentication system
• Security protocols that defend against intrusion
• A party that the relying applications and their users trust


Identity is the control plane
Secure access for a connected world



Identity administration concepts


Administration

How identity objects are managed, whether manually or automatically, over the lifetime of the identity's existence.

Administration provides:
• A system that is highly configurable around business processes.
• The agility to scale resources according to demand.
• Cost savings through the distribution and automation of management.
• Flexibility around synchronization, proliferation, and change control.

Administration areas: identity proliferation, provisioning and deprovisioning, identity updates, password management, synchronization, group management, application entitlement management, user interface, change control.


Management automation with PowerShell or CLI

PowerShell
• Cross-platform PowerShell module; runs on Windows, macOS, and Linux
• Requires Windows PowerShell or PowerShell

Azure CLI (command-line interface)
• Cross-platform command-line interface, installable on Windows, macOS, and Linux
• Runs in Windows PowerShell, Cmd, Bash, and other Unix shells

Example action: create a user. The user principal name was redacted in the source deck and the password values are placeholders, not values to reuse; a real password must meet the tenant's password policy.

Azure CLI:

    az ad user create --display-name "New User" --password "Password" --user-principal-name [email protected]

PowerShell, AzureAD module (this module is retired; the Microsoft Graph PowerShell SDK cmdlet New-MgUser is its replacement). New-AzureADUser takes a PasswordProfile object, not a bare string:

    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $passwordProfile.Password = "Password"
    New-AzureADUser -DisplayName "New User" -PasswordProfile $passwordProfile -UserPrincipalName "[email protected]" -AccountEnabled $true -MailNickName "Newuser"


Microsoft Graph



Central identity system

Centralized identity management, or a central identity system, is a single identity tool where credentials are stored and managed in order to provide authentication and authorization capabilities.
• Credentials presented at sign-in are verified against what is stored
• Management is by a single authority, an admin or admin group
• Used for identity and access management


Decentralized identity

What is decentralized identity? An identity that is:
• User-generated
• Self-owned
• A globally unique identifier
• Immutable
• Censorship resistant
• Tamper evident

See the Microsoft Decentralized Identity Whitepaper.


Decentralized identity (DID) flow

[Diagram of the DID flow; see the Microsoft Decentralized Identity Whitepaper.]
Microsoft Entra Verified ID
(previewed as Verifiable Credentials)

• Microsoft Entra implementation of decentralized identity
• Aligns to the W3C Decentralized Identifiers (DIDs) specification, using JSON documents


Identity and access management solutions

An identity solution controls access to an organization’s apps and data. Users, devices, and applications have
identities.
Microsoft Entra ID architecture and terms
Microsoft Entra ID is a cloud-based identity and access management solution with integrated security and a flat architectural design.

Concept: definition; usage.
• Subscription: pay over time for services and features; purchase the specific Azure cloud services needed for your cloud solutions. There can be many subscriptions.
• Tenant: a digital representation of your organization, like contoso.com.
• Identity: an object in Microsoft Entra ID that gets authenticated; used to assign rights and access to resources.
• Account: an identity that has data associated with it.
• User: a verified account associated with a person; a specific person who can be given access to resources.
What is Microsoft Entra B2B (business to business)?

• Collaboration between two directories: the partner's user keeps authenticating with their home directory, and your tenant trusts that result.
• Used to prevent creation of duplicate accounts for the same user across directories.
• Enables and simplifies organizational collaboration.
• Creates identities (called external identities) in your tenant so that resources can easily be assigned to them.


What is Microsoft Entra B2C?

Customers
• Social IDs, email, local accounts
• Business and government IDs

Business
• Securely authenticate your customers using their preferred identity provider
• Capture login, preference, and conversion data for customers
• Provide branded (white label) registration and login experiences

Your systems
• Apps and APIs
• Analytics
• Integration with other systems


Microsoft 365 using Microsoft Entra ID

Microsoft 365 uses Microsoft Entra ID to manage user identities behind the scenes.


Compare Microsoft Entra ID to Microsoft Entra Domain Services to on-premises AD DS

Microsoft Entra Domain Services: provides managed domain services with a subset of fully compatible traditional AD DS features, such as domain join, group policy, LDAP, and Kerberos/NTLM authentication.

Microsoft Entra ID: cloud-based identity and mobile device management that provides user account and authentication services for resources such as Microsoft 365, the Azure portal, or SaaS applications.

Active Directory Domain Services: enterprise-ready Lightweight Directory Access Protocol (LDAP) server that provides key features such as identity and authentication, computer object management, group policy, and trusts.


Licenses and MAU

License: a purchased agreement that allows users or guests to use a Microsoft technology.
Common SKUs/licenses:
• Microsoft Entra ID P1 or P2 license
• Microsoft 365/Office 365 license
• Windows license
• A license is needed per user on the service

Monthly active users (MAU) billing: the pricing model for external users in Microsoft Entra ID.
• MAU billing is available when you have an Azure subscription linked
• A report of active external users is run each month for billing
• The first 50,000 MAUs per month are free (P1 and P2)
• Helps establish predictable pricing


Authentication and authorization


Authentication

You validate someone's identity to confirm who they claim to be, while providing an appropriate level of validation and security throughout the authentication transaction.

Identity authentication provides:
• Flexible, standards-compliant authentication that integrates across organizations
• Integration of disparate sources, applications, and protocols
• Many different industry-standard methods of validation and assurance

Dimensions: convenience, sources, protocols, assurance.


Federated identity concepts
Federation is a collection of domains that have established trust. The level of trust may vary, but it typically includes authentication and almost always includes authorization.

Security Assertion Markup Language (SAML): open standard for exchanging authentication and authorization data between an identity provider and a service provider. The parties are:
• The principal, generally a user
• The identity provider (IdP)
• The service provider (SP)

Web Services Federation (WS-Fed): an identity specification from the Web Services Security framework that provides single sign-on via external identity exchange and authentication.

OpenID Connect (OIDC): extends the OAuth 2.0 authorization protocol for use as an authentication protocol, so that you can do single sign-on using OAuth.


Claims-based identity in Microsoft Entra ID
When a user signs in, Microsoft Entra ID sends an ID token that contains a set of claims about the user. A claim is simply a piece of information, expressed as a key/value pair.

Claims-based process (high level):
1. User authenticates.
2. Identity provider sends claims.
3. App normalizes or augments the claims.
4. App uses the claims to make authorization decisions.

Types of security tokens:
• ID token: OpenID Connect token used to authenticate a user; its audience is the client application.
• Access token: issued by the OAuth 2.0 authorization server for a specific resource (its audience); it identifies the caller and the scopes or roles granted. Only the resource it was issued for should validate and read it.
• Refresh token: co-issued with the access token to allow the application to renew access without prompting the user again.


Other topics on claims-based authentication

• JSON Web Token (JWT): open standard (RFC 7519) for a security token: a signed JSON payload of claims.
• Claim: a group of key/value items stored in a security token that describe the subject and the token itself; common ones are the subject, issuer, audience, and expiry. The signing algorithm is carried in the token header, not as a claim.
• Assertion: a package of data in the form of a token, used to share identity information.
• Attribute: a single key/value pair of data within a security token.
• Augmentation: the process by which an application adds app- or user-specific data to the claims it received.


Authorization

Covers what an identity can access and what it is allowed to do once it gains access.

Identity authorization provides:
• Methods of assigning entitlements, allowing for increased security and less administration.
• The ability to manage policy control.
• A way to simplify enforcement by standardizing on a common approach.

Dimensions: entitlement type, access policies, enforcement.


Authorization: access tokens

Access tokens
• Carry user information and the target resource (audience)
• OAuth 2.0
• Short lifespan

ID tokens
• Authenticate a user
• OpenID Connect

Refresh tokens
• Extra token that allows new access to be requested when the access token expires
• OAuth 2.0
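The claims-based process and the token types described in the three slides above (claims-based identity, the claims terminology, and the access/ID/refresh token comparison), as one added example that is not part of the original deck. It mints compact JWTs, performs the relying-party checks in the order a resource should (shape, pinned algorithm, signature, issuer, audience, expiry), tells an ID token from an access token by its claims, and shows step 3, augmentation. The signing key, issuer URL, client ID, and API audience are constructed; real Microsoft Entra ID tokens are RS256-signed and are verified against the tenant's published JWKS keys, so the HS256 shared secret here is a stand-in for that key material.

```python
import base64
import hashlib
import hmac
import json

# Constructed values so the example runs offline. A real Entra ID token is
# RS256-signed; verify it against the tenant's JWKS keys, never a shared secret.
SECRET = b"constructed-demo-signing-key"
ISSUER = "https://login.example.test/contoso/v2.0"
CLIENT_ID = "app-client-id-0001"     # audience of the ID token
API_AUDIENCE = "api://orders"        # audience of the access token


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding


def mint_token(claims: dict) -> str:
    """Stand-in for the identity provider: header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Parse the payload only; nothing in it is trustworthy until validate() passes."""
    return json.loads(b64url_decode(token.split(".")[1]))


def validate(token: str, expected_aud: str, now: int) -> tuple:
    """Relying-party checks in order: shape, pinned alg, signature, iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "alg"  # pin the algorithm; never let the token pick it ("alg": "none")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        return False, "issuer"
    if claims.get("aud") != expected_aud:
        return False, "audience"  # a token issued for another client or API is not ours
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def classify(claims: dict) -> str:
    """An ID token is addressed to the client; an access token carries scp/roles for a resource."""
    if claims.get("aud") == CLIENT_ID:
        return "id_token"
    if "scp" in claims or "roles" in claims:
        return "access_token"
    return "unknown"


def augment(claims: dict, role_permissions: dict) -> dict:
    """Step 3 of the claims-based process: the app maps roles to its own permissions."""
    perms = set()
    for role in claims.get("roles", []):
        perms.update(role_permissions.get(role, ()))
    return {**claims, "app_permissions": sorted(perms)}


if __name__ == "__main__":
    now = 1_700_000_000
    id_token = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "name": "Ada", "nonce": "n1", "exp": now + 600})
    access_token = mint_token({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-1", "roles": ["Orders.Approver"], "exp": now + 600})
    print(classify(decode_claims(id_token)), validate(id_token, CLIENT_ID, now))
    print(classify(decode_claims(access_token)), validate(access_token, CLIENT_ID, now))  # fails: wrong audience
```

The audience check is the one most often skipped in practice: an access token minted for a different API validates perfectly on signature, issuer, and expiry, and only the `aud` comparison stops it being accepted where it was never meant to go.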



Common authorization approaches

• Access control lists (ACLs): explicit list of who may access each resource. Very granular, hard to maintain.
• Role-based access control (RBAC): grant access based on the user's role.
• Attribute-based access control (ABAC): grant access based on one or more attributes of the user's identity and current environment.
• Policy-based access control (PBAC): role and policy combined to determine user access.

Microsoft Entra ID can support any of these methods and others, based on your business and security goals.
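The four approaches above, evaluated against the same request so that their differences show side by side, as an added example that is not from the deck. The users, roles, attributes, resource, and policies are constructed; the two PBAC policies imitate Conditional Access style device-compliance and MFA requirements but are not Microsoft Entra policy syntax, and nothing here calls Entra ID.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    action: str                    # "read" or "write"
    resource: str                  # e.g. "payroll/2024.csv"
    context: dict = field(default_factory=dict)  # runtime signals: device state, MFA, ...


# --- ACL: explicit per-resource, per-principal permissions (constructed) ---
ACL = {"payroll/2024.csv": {"alice": {"read", "write"}, "bob": {"read"}}}


def acl_allows(req: Request) -> bool:
    # No entry for a new resource means nobody can reach it until someone edits the list.
    return req.action in ACL.get(req.resource, {}).get(req.user, set())


# --- RBAC: principals hold roles; roles carry (resource pattern, action) grants ---
USER_ROLES = {"alice": {"PayrollAdmin"}, "bob": {"Auditor"}, "carol": set()}
ROLE_GRANTS = {
    "PayrollAdmin": {("payroll/*", "read"), ("payroll/*", "write")},
    "Auditor": {("payroll/*", "read")},
}


def _pattern_matches(pattern: str, resource: str) -> bool:
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def rbac_allows(req: Request) -> bool:
    return any(
        _pattern_matches(pattern, req.resource) and action == req.action
        for role in USER_ROLES.get(req.user, set())
        for pattern, action in ROLE_GRANTS.get(role, set())
    )


# --- ABAC: compare attributes of the subject with attributes of the resource ---
USER_ATTRS = {
    "alice": {"department": "HR", "clearance": 3},
    "bob": {"department": "Finance", "clearance": 2},
    "carol": {"department": "HR", "clearance": 1},
}
RESOURCE_ATTRS = {"payroll/2024.csv": {"owner_department": "HR", "min_clearance": 2}}


def abac_allows(req: Request) -> bool:
    subject = USER_ATTRS.get(req.user, {})
    resource = RESOURCE_ATTRS.get(req.resource, {})
    # An unlabelled resource gets an impossible clearance requirement: fail closed.
    cleared = subject.get("clearance", 0) >= resource.get("min_clearance", 99)
    if req.action == "write":
        return cleared and subject.get("department") == resource.get("owner_department")
    return cleared


# --- PBAC: an RBAC entitlement AND every access policy over the request context ---
# Constructed stand-ins for Conditional Access style rules, not Entra policy syntax.
POLICIES = {
    "compliant_device": lambda req: req.context.get("device_compliant", False),
    "mfa_for_write": lambda req: req.action != "write" or req.context.get("mfa", False),
}


def pbac_allows(req: Request) -> bool:
    return rbac_allows(req) and all(policy(req) for policy in POLICIES.values())


def decide(req: Request) -> dict:
    """Run one request through all four models."""
    return {"acl": acl_allows(req), "rbac": rbac_allows(req), "abac": abac_allows(req), "pbac": pbac_allows(req)}


if __name__ == "__main__":
    print(decide(Request("alice", "write", "payroll/2024.csv", {"device_compliant": False, "mfa": True})))
```

Two requests make the trade-offs visible: an entitled administrator writing from a non-compliant device passes ACL, RBAC, and ABAC but fails PBAC, because only PBAC looks at the request context; and a read of a new file `payroll/2025.csv` passes RBAC through the `payroll/*` grant, fails ACL because nobody added an entry, and fails ABAC because the file carries no attributes yet.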



Auditing and other identity concepts


Auditing

Tracking who did what, when they did it, and how they obtained access (who granted it).

Identity auditing provides:
• Proactive and reactive reporting and alerts to enforce policies and identify problems quickly.
• Governance of auditing data, ensuring proper authorizations, historical accuracy, and compliance.
• Collation and centralization of audit data from disparate resources.

Auditing areas: collection, access logging, change logging, alerting, reporting, reporting types, methodology.
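Answering the auditing questions above (who did what, when, and who granted the access they used) over log records, as an added example that is not part of the deck. The records are constructed in the shape of Microsoft Entra audit-log and sign-in-log entries (activityDisplayName, initiatedBy, userPrincipalName, status, location); the exact field names, the users, and the timestamps are assumptions, while the role names are ordinary Entra built-in roles. The code replays role add/remove events to attribute each privileged sign-in to the administrator who granted the role, and adds two simple alerting rules: a location change within a short window, and a burst of failed sign-ins followed by a success.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Microsoft Entra audit-log and sign-in-log
# entries (real exports carry far more fields; only these are used here).
AUDIT_LOG = [
    {"activityDateTime": "2024-05-01T08:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "admin@contoso.example", "target": "bob@contoso.example", "role": "Global Administrator"},
    {"activityDateTime": "2024-05-01T08:05:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "admin@contoso.example", "target": "carol@contoso.example", "role": "Helpdesk Administrator"},
    {"activityDateTime": "2024-05-02T18:00:00Z", "activityDisplayName": "Remove member from role",
     "initiatedBy": "admin@contoso.example", "target": "bob@contoso.example", "role": "Global Administrator"},
]
SIGNIN_LOG = [
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "bob@contoso.example", "status": "success", "location": "NL"},
    {"createdDateTime": "2024-05-01T09:10:00Z", "userPrincipalName": "bob@contoso.example", "status": "success", "location": "BR"},
    {"createdDateTime": "2024-05-03T09:00:00Z", "userPrincipalName": "bob@contoso.example", "status": "success", "location": "NL"},
    {"createdDateTime": "2024-05-02T10:00:00Z", "userPrincipalName": "carol@contoso.example", "status": "failure", "location": "NL"},
    {"createdDateTime": "2024-05-02T10:00:20Z", "userPrincipalName": "carol@contoso.example", "status": "failure", "location": "NL"},
    {"createdDateTime": "2024-05-02T10:00:40Z", "userPrincipalName": "carol@contoso.example", "status": "failure", "location": "NL"},
    {"createdDateTime": "2024-05-02T10:01:00Z", "userPrincipalName": "carol@contoso.example", "status": "success", "location": "NL"},
]
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def roles_held_at(audit: list, user: str, at: datetime) -> dict:
    """Replay role add/remove events up to 'at'. Returns {role: (granted_by, granted_at)}."""
    held = {}
    for ev in sorted(audit, key=lambda e: e["activityDateTime"]):
        if ev["target"] != user or ts(ev["activityDateTime"]) > at:
            continue
        if ev["activityDisplayName"] == "Add member to role":
            held[ev["role"]] = (ev["initiatedBy"], ev["activityDateTime"])
        elif ev["activityDisplayName"] == "Remove member from role":
            held.pop(ev["role"], None)
    return held


def privileged_signins(audit: list, signins: list) -> list:
    """Who used privileged access, when, and who granted it: the 'how did they obtain access' question."""
    findings = []
    for s in signins:
        if s["status"] != "success":
            continue
        held = roles_held_at(audit, s["userPrincipalName"], ts(s["createdDateTime"]))
        for role, (granter, granted_at) in held.items():
            if role in PRIVILEGED_ROLES:
                findings.append({"user": s["userPrincipalName"], "when": s["createdDateTime"],
                                 "role": role, "granted_by": granter, "granted_at": granted_at})
    return findings


def _by_user(signins: list) -> dict:
    grouped = defaultdict(list)
    for s in sorted(signins, key=lambda e: e["createdDateTime"]):
        grouped[s["userPrincipalName"]].append(s)
    return grouped


def location_changes(signins: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Consecutive successful sign-ins by one user from different locations inside the window."""
    alerts = []
    for user, events in _by_user(signins).items():
        successes = [e for e in events if e["status"] == "success"]
        for prev, cur in zip(successes, successes[1:]):
            if prev["location"] != cur["location"] and ts(cur["createdDateTime"]) - ts(prev["createdDateTime"]) <= window:
                alerts.append((user, prev["location"], cur["location"], cur["createdDateTime"]))
    return alerts


def failure_bursts(signins: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Users with >= threshold failures inside the window; notes whether a success followed (a guess that landed)."""
    alerts = []
    for user, events in _by_user(signins).items():
        failures = [ts(e["createdDateTime"]) for e in events if e["status"] == "failure"]
        for i in range(len(failures) - threshold + 1):
            last = failures[i + threshold - 1]
            if last - failures[i] <= window:
                followed = any(e["status"] == "success" and last < ts(e["createdDateTime"]) <= last + window for e in events)
                alerts.append({"user": user, "first_failure": failures[i].isoformat(), "success_followed": followed})
                break
    return alerts


if __name__ == "__main__":
    for finding in privileged_signins(AUDIT_LOG, SIGNIN_LOG):
        print(finding)
    print(location_changes(SIGNIN_LOG))
    print(failure_bursts(SIGNIN_LOG))
```

The join between the two logs is what turns a sign-in record into an audit answer: the sign-in log says bob used the portal, the audit log says who made bob a Global Administrator and when, and replaying the add/remove events in time order means a sign-in after the role was removed is correctly not attributed.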
Audit, report, and monitor
Once your identity solution is built, you have to audit it. Use the built-in reports and monitoring tools to make sure your system is functioning securely and optimally.

Cycle: build/maintain, log, monitor/audit.


Monitoring
Always think Zero Trust: verify explicitly, use least privilege access, assume breach.

Monitoring checklist:
• Applications have logs and metrics.
• Components are monitored and correlated with application telemetry.
• Key metrics, thresholds, and indicators are defined and captured.
• A health model is defined, based on performance and availability.
• Azure Service Health and Azure Resource Health are used for alerts.
• Long-running workflows are monitored for failures.

Monitoring services:
• Azure Monitor
• Application Insights
• Azure Service Health
• Azure Resource Health
• Azure Resource Manager
• Azure Policy


Cryptography related to identity solutions

Cryptography is the set of techniques, built on keys, that keep data readable only by its intended recipient and make its origin and integrity checkable.
Cryptography within identity:
• Hashing: a one-way function that produces a fixed-length value which is, for practical purposes, unique to its input. Identity stores keep a salted hash of each password rather than the password itself, so a copied store does not directly reveal passwords; Microsoft Entra password hash synchronization likewise sends a further salted hash of the on-premises hash, never the password.
• Digital signatures: sign a message so the receiver knows the origin of the message and that it has not been tampered with; security tokens such as JWTs are protected this way.
• Encryption: the process of encoding data into ciphertext for storage or transmission.


Summary

Zero Trust
• Verify explicitly
• Least privilege
• Assume breach

Why identity
• Authentication: who they are
• Authorization: what they can do
• Auditing: what they did
• Administration: maintenance

Identity designs
• Centralized identity management
• Decentralized identity (DID)
• Business to Business (B2B)
• Business to Consumer (B2C)

Other identity concepts
• Tokens and claims-based identity
• User, account, subscription, tenant
• Cryptography
• Licenses and MAU
References
• Decentralized Identity (DID): https://docs.microsoft.com/azure/active-directory/verifiable-credentials/decentralized-identifier-overview
• Secure identity with Zero Trust: https://docs.microsoft.com/security/zero-trust/deploy/identity
• Billing model for Microsoft Entra External Identities (MAU): https://docs.microsoft.com/azure/active-directory/external-identities/external-identities-pricing
• Claims-based identity term definitions: https://docs.microsoft.com/sharepoint/dev/general-development/claims-based-identity-term-definitions
• Explore Zero Trust security (Microsoft Learn module): https://docs.microsoft.com/learn/modules/examine-zero-trust-approach-to-security-microsoft-365/


End of presentation
