6. What is Conditional Access in Azure AD?
Conditional Access is Azure AD's zero-trust policy engine that evaluates signals to make access decisions.
Signals (Conditions):
- User/Group membership
- IP location/Named locations
- Device platform/state
- Application being accessed
- Risk level (requires P2)
Access Controls:
// Example: Require MFA for admins (Graph conditionalAccessPolicy shape)
{
  "displayName": "Require MFA for Admins",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeRoles": [
        "62e90394-69f5-4237-9190-012177145e10" // Global Administrator role template ID
      ]
    },
    "applications": {"includeApplications": ["All"]}
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
// Example: Block legacy authentication (clients that cannot do modern auth / MFA)
{
  "displayName": "Block Legacy Auth",
  "state": "enabled",
  "conditions": {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["All"]},
    "clientAppTypes": ["other", "exchangeActiveSync"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
Common Policies:
- Require MFA for all users
- Block legacy authentication
- Require compliant devices
- Block high-risk sign-ins
- Require approved client apps
7. What are Service Principals and Managed Identities?
Service Principal:
A security identity used by applications or services to access Azure resources.
// Create service principal
az ad sp create-for-rbac --name "MyApp" --role contributor \
--scopes /subscriptions/{sub}/resourceGroups/{rg}
// Output includes:
{
"appId": "xxx", // Client ID
"displayName": "MyApp",
"password": "xxx", // Client Secret
"tenant": "xxx" // Tenant ID
}
// Authenticate with service principal
az login --service-principal --username {appId} --password {secret} --tenant {tenant}
Managed Identity:
Azure-managed service principal that eliminates credential management.
// System-assigned (tied to resource lifecycle)
az vm identity assign --name myVM --resource-group myRG
// User-assigned (independent lifecycle)
az identity create --name myIdentity --resource-group myRG
az vm identity assign --name myVM --resource-group myRG \
--identities /subscriptions/{sub}/resourceGroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity
// Use in code (Python)
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
# Automatically uses managed identity when running in Azure
8. What is Azure AD B2B and B2C?
| Aspect | B2B (Business-to-Business) | B2C (Business-to-Consumer) |
|---|---|---|
| Users | Partners, vendors, contractors | Customers, consumers |
| Scale | Thousands | Millions |
| Identity Source | Partner's Azure AD, social | Social, local accounts |
| Directory | Same Azure AD tenant | Separate B2C tenant |
| Customization | Limited | Fully customizable |
| Pricing | Monthly active users | Monthly active users |
B2B Invitation:
// Invite external user via Graph API
POST https://graph.microsoft.com/v1.0/invitations
{
"invitedUserEmailAddress": "partner@contoso.com",
"inviteRedirectUrl": "https://myapp.com",
"sendInvitationMessage": true
}
B2C User Flow:
- Sign up/Sign in
- Password reset
- Profile editing
- Custom policies for complex scenarios
9. How does Azure AD Connect work?
Azure AD Connect synchronizes on-premises AD identities to Azure AD for hybrid identity scenarios.
Components:
- Sync Engine: Synchronizes identity data
- Password Hash Sync: Syncs password hashes
- Pass-through Auth: Validates passwords on-premises
- Federation: ADFS integration
- Health Agent: Monitoring
Authentication Options:
// 1. Password Hash Sync (Recommended)
- Password hashes synced to Azure AD
- Cloud authentication
- Seamless SSO capable
- Works if on-prem AD unavailable
// 2. Pass-through Authentication
- Passwords validated on-premises
- Agent on-premises required
- Real-time password validation
- Password policies enforced
// 3. Federation (ADFS)
- ADFS handles authentication
- Complex scenarios (smart cards)
- High availability required
Sync Rules:
- Users, groups, contacts
- Filtering by OU or attribute
- Attribute transformations
- Typically syncs every 30 minutes
10. What are OAuth 2.0 and OpenID Connect?
OAuth 2.0:
Authorization framework for delegated access to APIs.
OpenID Connect (OIDC):
Authentication layer built on top of OAuth 2.0.
// Authorization Code Flow (Web apps)
1. GET /authorize?client_id=xxx&response_type=code&redirect_uri=xxx&scope=openid profile
2. User authenticates
3. Redirect to callback with ?code=xxx
4. POST /token with code to get tokens
// Tokens received:
{
"access_token": "xxx", // For API access
"id_token": "xxx", // User identity (OIDC)
"refresh_token": "xxx", // Get new tokens
"expires_in": 3600
}
// Client Credentials Flow (Service-to-service)
POST /token
grant_type=client_credentials
&client_id=xxx
&client_secret=xxx
&scope=https://graph.microsoft.com/.default
// Common Scopes
openid // Required for OIDC
profile // User profile info
email // Email address
offline_access // Refresh token
User.Read // Microsoft Graph
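The authorization code flow above, worked through as an added example (not code from the original page): it builds the /authorize request with state, nonce and a PKCE S256 challenge, the /token request body that presents the code_verifier, and the claim checks a relying party performs on the returned id_token. The tenant ID, client ID and redirect URI are placeholder assumptions; signature verification against the tenant's JWKS is a separate step not shown here.

```python
import base64, hashlib, json, secrets, time
from urllib.parse import urlencode

# Assumed placeholder values, not from any real tenant or app registration.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://myapp.com/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
EXPECTED_ISSUER = f"{AUTHORITY}/v2.0"   # iss claim of v2.0 id_tokens

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(code_verifier: str) -> str:
    # RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def build_authorize_url(state: str, nonce: str, code_verifier: str) -> str:
    # Step 1: state binds the callback to this browser session, nonce binds the
    # id_token to it, and the PKCE challenge binds the code to this client.
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce,
              "code_challenge": pkce_challenge(code_verifier), "code_challenge_method": "S256"}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"

def token_request_body(code: str, code_verifier: str) -> dict:
    # Step 4: POST /token; the verifier proves we are the client that started step 1.
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier}

def id_token_problems(id_token: str, expected_nonce: str, now=None) -> list:
    # Claim checks before trusting the id_token as the user's identity.
    now = time.time() if now is None else now
    seg = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER: problems.append("iss mismatch")
    if claims.get("aud") != CLIENT_ID: problems.append("aud mismatch")
    if claims.get("exp", 0) <= now: problems.append("expired")
    if claims.get("nonce") != expected_nonce: problems.append("nonce mismatch")
    return problems

def constructed_id_token(claims: dict) -> str:
    # Constructed unsigned token for the offline demo (real tokens carry an RS256 signature).
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

if __name__ == "__main__":
    verifier, state, nonce = b64url(secrets.token_bytes(32)), secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(state, nonce, verifier))
    tok = constructed_id_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": time.time() + 3600, "nonce": nonce})
    print(id_token_problems(tok, nonce))   # []
```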
11. What is Privileged Identity Management (PIM)?
PIM provides just-in-time privileged access to Azure AD and Azure resources, reducing the risk of standing admin access.
Key Features:
// Role assignment types:
1. Eligible - Must activate when needed
2. Active - Always active (not recommended)
// Activation settings:
{
"maxDuration": "PT8H", // Max 8 hours
"requireMfa": true,
"requireJustification": true,
"requireApproval": true,
"approvers": ["user@domain.com"]
}
// Activate an eligible role via Microsoft Graph PowerShell
// (unifiedRoleAssignmentScheduleRequest; the activation length goes in scheduleInfo.expiration)
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$params = @{
  action           = "selfActivate"
  principalId      = $userId
  roleDefinitionId = $roleId
  directoryScopeId = "/"
  justification    = "Need to manage users"
  scheduleInfo     = @{
    startDateTime = (Get-Date).ToUniversalTime()
    expiration    = @{ type = "afterDuration"; duration = "PT4H" }   # 4-hour activation
  }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
PIM Capabilities:
- Azure AD roles (Global Admin, etc.)
- Azure resource roles (Owner, Contributor)
- Access reviews
- Alerts and notifications
- Audit history
12. What are Azure AD App Registrations?
App registrations define your application's identity in Azure AD for authentication and authorization.
// App registration components:
{
"displayName": "My Application",
"signInAudience": "AzureADMyOrg", // Single tenant
// Or "AzureADMultipleOrgs" for multi-tenant
"web": {
"redirectUris": ["https://myapp.com/callback"],
"implicitGrantSettings": {
"enableAccessTokenIssuance": false,
"enableIdTokenIssuance": true
}
},
"api": {
"oauth2PermissionScopes": [{
"id": "xxx",
"value": "access_as_user",
"adminConsentDisplayName": "Access API",
"type": "User"
}]
},
"requiredResourceAccess": [{
"resourceAppId": "00000003-0000-0000-c000-000000000000", // Graph
"resourceAccess": [{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", // User.Read
"type": "Scope"
}]
}]
}
Key Concepts:
- Application ID (Client ID): Unique identifier
- Directory ID (Tenant ID): Azure AD tenant
- Client Secret/Certificate: Authentication credentials
- Redirect URIs: Where tokens are sent
- API Permissions: What app can access
13. How do you implement RBAC in Azure?
Azure Role-Based Access Control manages who has access to Azure resources.
// RBAC Components:
// 1. Security Principal (who)
// 2. Role Definition (what)
// 3. Scope (where)
// Built-in roles:
Owner // Full access
Contributor // All except access management
Reader // View only
User Access Admin // Manage user access
// Assign role via CLI
az role assignment create --assignee user@domain.com \
--role "Contributor" \
--scope /subscriptions/{sub}/resourceGroups/{rg}
// Custom role definition
{
"Name": "Custom Reader Plus",
"Description": "Can read and restart VMs",
"Actions": [
"*/read",
"Microsoft.Compute/virtualMachines/restart/action"
],
"NotActions": [],
"AssignableScopes": ["/subscriptions/{sub}"]
}
// Create custom role
az role definition create --role-definition custom-role.json
Scope Hierarchy:
Management Group > Subscription > Resource Group > Resource
(Permissions inherit downward)
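The three RBAC components and the downward-inheriting scope hierarchy, as an added example (not the page's or Azure's own code): a small evaluator that answers "can this principal perform this action at this scope?" from role definitions (Actions minus NotActions, with Azure's case-insensitive wildcards) and scoped assignments. The role definitions and assignments are constructed; Contributor's NotActions are simplified to its Microsoft.Authorization entries.

```python
import fnmatch

# Constructed role definitions; "Custom Reader Plus" mirrors the custom role above.
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Custom Reader Plus": {"Actions": ["*/read", "Microsoft.Compute/virtualMachines/restart/action"],
                           "NotActions": []},
}

# Constructed assignments: (security principal = who, role definition = what, scope = where).
ASSIGNMENTS = [
    ("alice@contoso.com", "Custom Reader Plus", "/subscriptions/sub1/resourceGroups/rg1"),
    ("bob@contoso.com", "Reader", "/subscriptions/sub1"),
    ("carol@contoso.com", "Contributor", "/subscriptions/sub1/resourceGroups/rg1"),
]

def scope_covers(assignment_scope, resource_scope):
    # Permissions inherit downward: an assignment applies to its scope and everything beneath it.
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def _matches(action, patterns):
    # Azure RBAC action strings are case-insensitive and '*' spans path segments.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role_name, action):
    # Effective permission of one role = Actions minus NotActions.
    role = ROLE_DEFINITIONS[role_name]
    return _matches(action, role["Actions"]) and not _matches(action, role["NotActions"])

def is_allowed(principal, action, resource_scope, assignments=ASSIGNMENTS):
    # Allowed if any assignment for the principal covers the scope and its role permits the action.
    # NotActions only narrow a single role; they never deny what another assignment grants.
    return any(scope_covers(scope, resource_scope) and role_permits(role, action)
               for who, role, scope in assignments if who.lower() == principal.lower())

def effective_roles(principal, resource_scope, assignments=ASSIGNMENTS):
    return sorted({role for who, role, scope in assignments
                   if who.lower() == principal.lower() and scope_covers(scope, resource_scope)})

if __name__ == "__main__":
    vm = "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
    print(is_allowed("alice@contoso.com", "Microsoft.Compute/virtualMachines/restart/action", vm))  # True
    print(is_allowed("alice@contoso.com", "Microsoft.Compute/virtualMachines/delete", vm))          # False
    print(is_allowed("bob@contoso.com", "Microsoft.Compute/virtualMachines/read", vm))              # True
```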
14. What is Identity Protection in Azure AD?
Identity Protection uses machine learning to detect and respond to identity-based risks.
Risk Types:
User Risk:
- Leaked credentials
- Unusual user behavior
- Compromised account patterns
Sign-in Risk:
- Anonymous IP address
- Atypical travel
- Malware-linked IP
- Unfamiliar sign-in properties
// Risk-based Conditional Access policy (Graph conditionalAccessPolicy shape)
{
  "displayName": "Block High Risk Sign-ins",
  "state": "enabled",
  "conditions": {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["All"]},
    "signInRiskLevels": ["high"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
// Self-remediation policy
{
  "displayName": "Require MFA for Medium Risk",
  "state": "enabled",
  "conditions": {
    "signInRiskLevels": ["medium"],
    "userRiskLevels": ["medium"]
  },
  "grantControls": {
    "operator": "AND", // passwordChange must be paired with mfa and requires all selected controls
    "builtInControls": ["mfa", "passwordChange"]
  }
}
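The Conditional Access policies from section 6 and the risk-based policies above are only useful when they are enabled and actually enforced, so a defender's first check is whether the baseline controls are covered. The following added example (not from the page or from Microsoft) audits a list of policies in the Graph conditionalAccessPolicy shape for three baselines: legacy authentication blocked, MFA required for Global Administrators without a risk condition, and high-risk sign-ins blocked. The policy list is constructed; its legacy-auth policy is deliberately left in report-only state to show the gap being detected.

```python
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID
LEGACY_CLIENTS = {"other", "exchangeActiveSync"}

# Constructed policies. The legacy-auth one is report-only: it logs but enforces nothing.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for Admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block Legacy Auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["other", "exchangeActiveSync"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block High Risk Sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _cond(p, key):
    return p.get("conditions", {}).get(key, {})

def _enforced_on_all_apps(p, control):
    # Floor for every check: enabled (not report-only), all cloud apps, control present.
    return (p.get("state") == "enabled"
            and "All" in _cond(p, "applications").get("includeApplications", [])
            and control in p.get("grantControls", {}).get("builtInControls", []))

def blocks_legacy_auth(p):
    return (_enforced_on_all_apps(p, "block") and "All" in _cond(p, "users").get("includeUsers", [])
            and LEGACY_CLIENTS <= set(_cond(p, "clientAppTypes") or []))

def requires_global_admin_mfa(p):
    users = _cond(p, "users")
    covers_admins = GLOBAL_ADMIN in users.get("includeRoles", []) or "All" in users.get("includeUsers", [])
    # A risk-scoped MFA policy only fires on risky sign-ins, so it is not a baseline.
    risk_scoped = _cond(p, "signInRiskLevels") or _cond(p, "userRiskLevels")
    return _enforced_on_all_apps(p, "mfa") and covers_admins and not risk_scoped

def blocks_high_risk_signins(p):
    return (_enforced_on_all_apps(p, "block") and "All" in _cond(p, "users").get("includeUsers", [])
            and "high" in (_cond(p, "signInRiskLevels") or []))

CHECKS = {"Block legacy authentication": blocks_legacy_auth,
          "Require MFA for Global Administrators": requires_global_admin_mfa,
          "Block high-risk sign-ins": blocks_high_risk_signins}

def find_gaps(policies):
    # A baseline is covered when at least one policy satisfies its check; return the rest.
    return [name for name, check in CHECKS.items() if not any(check(p) for p in policies)]

if __name__ == "__main__":
    print(find_gaps(SAMPLE_POLICIES))   # ['Block legacy authentication']
```

Exclusions (excludeUsers, excludeRoles, excludeApplications) are not evaluated here; a real audit would also flag policies that exclude the very accounts the baseline is meant to cover.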
15. What is Azure AD Domain Services?
Azure AD DS provides managed domain services (LDAP, Kerberos, NTLM, Group Policy) without deploying domain controllers.
Use Cases:
- Lift-and-shift legacy apps requiring AD
- Apps that can't use modern auth
- LDAP authentication needs
- Domain join Azure VMs
// Azure AD DS provides:
- Domain join for Azure VMs
- LDAP bind and search
- Kerberos authentication
- NTLM authentication
- Group Policy (limited)
- Password hash sync from Azure AD
// NOT included:
- Schema extensions
- Trust relationships
- Forest trusts
- FSMO role access
Architecture:
- Two domain controllers (HA)
- Managed by Microsoft
- Syncs from Azure AD
- Dedicated subnet required