Creating Azure Active Directory Tenant Users

Questions and Answers

What is the primary goal of the integration strategy in the given scenario?

To deploy Azure AD Connect

To sync user accounts to the Azure AD tenant

To reduce the number of necessary servers

To ensure password policies and user logon limitations are enforced (correct)

What is the purpose of password hash synchronization in the given scenario?

To reduce the number of necessary servers

To provide the Users with leaked credentials report (correct)

To failover to in case the primary sign-in method fails

To act as a primary sign-in method

What is the benefit of using pass-through authentication in the given scenario?

It reduces the number of necessary servers

It allows for seamless SSO (correct)

It ensures password policies and user logon limitations are enforced

It provides an additional layer of security

What is the purpose of Azure AD Connect in the given scenario?

To integrate Active Directory and Azure AD tenant

What is the main sign-in method used in the given scenario?

Pass-through authentication

What is the benefit of using Azure AD Identity Protection?

It provides the Users with leaked credentials report

What is the purpose of failover in the given scenario?

To switch to Password Hash Sync in case of failure

What is the name of the Azure AD tenant in the given scenario?

weylandindustries.com

What should you do after creating a directory?

Add tenant users

Where do you create a new user in the Azure portal?

Under Manage, select Users

What is the username of the regular user tenant?

[email protected]

What setting is configured in the Azure AD Identity Protection sign-in risk policy?

Sign-in risk level: Medium and above

What is the access setting for the Azure AD Identity Protection sign-in risk policy?

Allow access, Require multi-factor authentication

What happens when Group1 users sign in to Azure AD?

They are allowed access with multi-factor authentication

What happens when Group2 users sign in to Azure AD?

They are not affected by the policy

What is the purpose of the Azure AD Identity Protection sign-in risk policy?

To detect and mitigate sign-in risks

Which of the following roles allows a user to grant admin consent for published apps in Azure Active Directory?

Cloud application administrator

What is the purpose of enabling Security defaults in Azure Active Directory?

To enable multi-factor authentication

Where can you change the setting to prevent users from registering applications in Azure Active Directory?

User settings

Which Azure AD role can onboard Azure AD Identity Protection?

Global Administrator

Which Azure AD role can remediate users and configure policies in Azure AD Identity Protection?

Global Administrator and Security Administrator

What is required to grant admin consent for published apps in Azure Active Directory?

Cloud application administrator role

What is the assignment type of Group1 in Azure AD Privileged Identity Management (PIM)?

Active assignment type, permanently assigned

What happens when you set 'Users can register applications' to 'No' in Azure Active Directory?

Users cannot register applications

What is the effect of an Active assignment type in Azure AD PIM?

A role assignment that doesn't require a user to perform any action to use the role

Which of the following is a built-in role in Azure Active Directory?

Cloud application administrator

What is the primary reason for configuring Consent and permissions settings in Azure Active Directory?

To grant admin consent for published apps

Can a Security Administrator reset a user's password in Azure AD Identity Protection?

No

What can a Security Reader do in Azure AD Identity Protection?

View all Identity Protection reports and Overview blade

What is the error message shown in the exhibit related to when a developer tries to register an app in Azure Active Directory?

Not specified

Who is assigned the Security Administrator role in Azure AD PIM?

Group1 and Group2

What is the assignment type of Group2 in Azure AD Privileged Identity Management (PIM)?

Eligible assignment type, permanently eligible

What is the purpose of the NAT device in each office?

To allow multiple devices to share a single public IP address

What is the name of the Azure AD tenant used by the company?

contoso.com

What is the purpose of Microsoft Authenticator?

To generate time-based codes for two-factor authentication

What is the requirement for MFA in this scenario?

Either a text or phone call is required for MFA

Why is the New York IP address subnet not included in the 'skip multi-factor authentication for requests' setting?

The information is not provided in the scenario

What is the benefit of using Azure Blueprints in this scenario?

It defines a repeatable set of Azure resources that implements and adheres to an organization's standards

What is the purpose of creating separate subscriptions for each department?

To separate the financial and administrative responsibilities for each department

What is the role of Azure AD in this scenario?

It provides a single identity platform for all users and departments

Study Notes

Creating an Azure Active Directory Tenant User

• To create an Azure Active Directory (Azure AD) tenant user, go to the Azure portal, navigate to the Azure Active Directory flyout, and select Users under Manage.
• Click on All users and then select + New user to provide a Name and User name (e.g., user1) for the regular user tenant.
• You can also view the temporary password when creating the user.

Azure Active Directory Identity Protection

• An Azure AD Identity Protection sign-in risk policy can be created with settings for Assignments, Conditions, and Access.
• The policy settings include:
  • Assignments: Include Group1, exclude Group2
  • Conditions: Sign-in risk level: Medium and above
  • Access: Allow access, Require multi-factor authentication
• Based on the policy settings, identify what occurs when users sign in to Azure AD.

Azure Active Directory Roles and Permissions

• Global Administrator and Security Administrator have full access to Identity Protection, but only the Global Administrator can onboard Identity Protection.
• Security Administrator has full access to remediate users and configure policies, but cannot reset user passwords.
• Security Reader can view all Identity Protection reports and the Overview blade, but cannot configure policies.
• Only the Global Administrator can onboard Azure AD Protection, while the Global Administrator and Security Administrator can remediate users and configure policies.

Azure AD Connect and Seamless SSO

• To integrate Active Directory and Azure AD, recommend the use of pass-through authentication and seamless SSO with password hash synchronization.
• This solution meets the goal of ensuring password policies and user logon limitations affect user accounts synced to the Azure AD tenant, while reducing the number of necessary servers.

Azure Blueprints

• Azure Blueprints enable cloud architects and central IT groups to define a repeatable set of Azure resources that implement and adhere to an organization's standards, patterns, and requirements.
• Azure Blueprints can be used to configure each subscription to have the same role assignments when creating separate subscriptions for each department.

User Roles and Permissions

• To grant admin consent for published apps, assign the Cloud application administrator or Application administrator role to User1.
• Modifying the User settings in Azure AD by changing Users can register applications to No can prevent users from registering their own applications.

Description

Learn how to create a new Azure Active Directory tenant user, including setting up a new user and assigning a temporary password.