This post provides a comprehensive list of 50 common interview questions and their detailed answers, focusing on Azure Active Directory (Azure AD), now known as Microsoft Entra ID. This guide covers fundamental concepts, identity management, authentication, authorization, synchronization, and advanced features, designed to help you prepare for your next interview.
Basic Concepts and Core Services
Q: What is Azure Active Directory (Azure AD) / Microsoft Entra ID?
A: Azure Active Directory (now Microsoft Entra ID) is a cloud-based identity and access management (IAM) service. It helps employees sign in and access external resources (like Microsoft 365, the Azure portal, and thousands of other SaaS applications) and internal resources (like apps on your corporate intranet, and apps developed for your own organization).
Q: What is the primary difference between Azure AD and Windows Server Active Directory?
A:
Windows Server Active Directory (AD DS): A traditional on-premises directory service primarily for managing domain-joined devices and users within a corporate network. It uses Kerberos, NTLM, and LDAP.
Azure AD (Microsoft Entra ID): A cloud-based identity service for managing access to cloud applications and resources. It uses modern authentication protocols like OAuth 2.0, OpenID Connect, and SAML. It's not a domain controller in the cloud.
Q: What is a Tenant in Azure AD?
A: A tenant in Azure AD (Microsoft Entra ID) represents a single organization. It's a dedicated and isolated instance of Azure AD that your organization receives when it signs up for a Microsoft cloud service like Azure, Microsoft 365, or Intune. It's where your users, groups, and applications are registered and managed.
Q: What is a Directory in Azure AD?
A: In the context of Azure AD, "directory" is often used interchangeably with "tenant." It's the dedicated instance of Azure AD that your organization owns and manages.
Q: What are the different editions of Azure AD?
A: Azure AD comes in several editions:
Free: Included with Azure, Microsoft 365, and other Microsoft cloud services. Provides basic identity and access management.
Office 365 apps: Included with Microsoft 365 subscriptions. Adds features like company branding, SSPR for cloud users, and a service-level agreement. (Basic MFA through security defaults is available in every edition, including Free.)
Premium P1: Adds advanced features like hybrid identity capabilities, advanced administration, and self-service access management.
Premium P2: Includes all P1 features plus Azure AD Identity Protection and Privileged Identity Management (PIM).
Q: What is a User Principal Name (UPN) in Azure AD?
A: A User Principal Name (UPN) is the name of a user in an email address format (e.g., user@contoso.com). It consists of a user name (the UPN prefix) and a domain name (the UPN suffix). It's commonly used as the user's login name in Azure AD. The suffix must be a verified domain of the tenant; when Azure AD Connect synchronizes a user whose on-premises UPN suffix is not verified in the tenant, the cloud UPN falls back to the tenant's .onmicrosoft.com domain, which is a common cause of "user not found" sign-in failures in hybrid environments.
Q: What is an Azure AD Group? What are its types?
A: An Azure AD Group is a collection of users, other groups, or devices that can be used to manage access to resources.
Types:
Security groups: Used to manage access to Azure resources, Microsoft 365 apps, and other applications. Can be assigned licenses.
Microsoft 365 groups: Used for collaboration, providing a shared inbox, calendar, SharePoint site, etc. Can also be used for access management.
Q: What is a Managed Identity in Azure AD?
A: Managed Identities for Azure resources provide an automatically managed identity in Azure AD for applications to authenticate to services that support Azure AD authentication. This eliminates the need for developers to manage credentials in their code. There are two types:
System-assigned: Tied to the lifecycle of an Azure resource (e.g., a VM).
User-assigned: Created as a standalone Azure resource and can be assigned to multiple resources.
Q: What is the purpose of Azure AD Connect?
A: Azure AD Connect is a Microsoft tool designed to synchronize identities between an on-premises Windows Server Active Directory and Azure Active Directory. It enables hybrid identity scenarios, allowing users to use the same credentials for both on-premises and cloud resources.
Q: What is a Hybrid Identity?
A: A hybrid identity refers to a scenario where an organization manages user identities both on-premises (e.g., in Windows Server AD) and in the cloud (Azure AD). Azure AD Connect is used to synchronize these identities, providing a consistent user experience for accessing both on-premises and cloud resources.
Identity Synchronization and Management
Q: Explain the different synchronization options available with Azure AD Connect.
A: Azure AD Connect offers several synchronization options:
Password Hash Synchronization (PHS): Synchronizes a hash of the user's on-premises password hash to Azure AD. The plaintext password never leaves the domain: the NT hash is salted per user and run through PBKDF2-HMAC-SHA256 (1,000 iterations) before it is sent, and only that derived value is stored in the cloud. Simplest to implement, keeps cloud sign-in working when on-premises AD is unavailable, and is required for Identity Protection's leaked-credential detection.
Pass-through Authentication (PTA): Authenticates users directly against their on-premises Active Directory when they try to sign in to Azure AD. No password hashes are stored in the cloud.
Federation with AD FS: Uses Active Directory Federation Services (AD FS) on-premises to handle authentication. Azure AD redirects authentication requests to AD FS. Provides more control and advanced features.
Cloud Sync (Azure AD Connect cloud sync): A lightweight agent-based solution for synchronizing users, groups, and contacts from on-premises AD to Azure AD, with the sync configuration held in the cloud rather than on a server. Suitable for disconnected AD forests (for example after a merger or acquisition) or smaller deployments; it does not yet cover every feature of the full Azure AD Connect sync server.
Q: What is the difference between Password Hash Synchronization and Pass-through Authentication?
A:
PHS: A hash of the password hash is synchronized to Azure AD. Authentication happens directly against Azure AD. If on-premises AD is down, users can still log in to cloud resources.
PTA: No password hashes are stored in Azure AD. Authentication requests are passed through to the on-premises AD for validation by one or more PTA agents. If on-premises AD or all PTA agents are down, users cannot sign in to cloud resources, unless PHS is also enabled as a fallback, which Microsoft recommends for exactly this reason. Because the PTA agent servers validate every cloud sign-in, they must be hardened like domain controllers.
Q: How does Azure AD Connect handle attribute filtering?
A: Azure AD Connect allows you to filter which objects (users, groups, contacts) and attributes are synchronized from on-premises AD to Azure AD. This can be done based on:
Organizational Units (OUs): Synchronize only objects from specific OUs.
Domains: Synchronize objects from selected domains.
Attributes: Filter objects based on specific attribute values (e.g., extensionAttribute1 -eq 'CloudUser').
Q: What is a Writeback feature in Azure AD Connect? Give an example.
A: Writeback features allow certain attributes or objects to be written back from Azure AD to the on-premises Active Directory.
Examples:
Password Writeback: Allows users to change or reset their password in Azure AD (e.g., via SSPR) and have that new password written back to their on-premises AD account.
Device Writeback: Registers Azure AD joined devices back to on-premises AD.
Group Writeback: Writes Microsoft 365 groups and their memberships back to on-premises AD.
Q: What is a Custom Domain Name in Azure AD? How do you add one?
A: A custom domain name is your organization's domain name (e.g., contoso.com) that you add to your Azure AD tenant. By default, your tenant only has its initial tenantname.onmicrosoft.com domain. Adding a custom domain allows users to sign in with their corporate email addresses and provides branding.
Adding a custom domain: You add the domain in the Azure portal, then verify ownership by adding a specific DNS TXT or MX record to your domain's DNS zone. Azure AD only accepts the domain once it can see that record, which is what prevents one tenant from claiming another organization's domain.
Q: What is Azure AD Join? What are its benefits?
A: Azure AD Join allows devices (Windows 10/11) to be directly joined to Azure AD without requiring an on-premises Active Directory domain.
Benefits:
Enables single sign-on (SSO) to cloud resources.
Provides device management through MDM (e.g., Intune).
Simplifies device provisioning for cloud-first organizations.
Enhances security with Conditional Access.
Q: What is Hybrid Azure AD Join?
A: Hybrid Azure AD Join is a configuration where Windows devices are joined to both an on-premises Active Directory domain and registered with Azure AD. This allows devices to benefit from both on-premises group policies and cloud-based management (e.g., Conditional Access, Intune). It's common for organizations migrating to the cloud or operating in a hybrid environment.
Q: How do you manage users and groups in Azure AD?
A: Users and groups can be managed through:
Azure portal: Graphical interface for administration.
Microsoft Graph PowerShell SDK: For scripting and automation (the older AzureAD and MSOnline PowerShell modules are deprecated).
Microsoft Graph API: For programmatic access and integration with applications.
Azure AD Connect: For synchronization from on-premises AD.
Q: What is the difference between a Guest User and a Member User in Azure AD?
A:
Member User: An internal user account belonging to your organization's Azure AD tenant.
Guest User: An external user account from another Azure AD tenant or a Microsoft account (e.g., Outlook.com, Gmail) invited to your tenant for collaboration. Guest users have userType "Guest", get a UPN of the form user_externaldomain.com#EXT#@tenantname.onmicrosoft.com, and have limited directory permissions by default (by default they cannot enumerate other users or groups).
Q: What is Azure AD B2B Collaboration?
A: Azure AD B2B (Business-to-Business) Collaboration allows you to securely share your applications and services with guest users from other organizations or individuals with Microsoft accounts. It simplifies external user management and provides secure access to your resources.
Authentication and Authorization
Q: What is Multi-Factor Authentication (MFA) in Azure AD? Why is it important?
A: Multi-Factor Authentication (MFA) requires users to provide two or more verification methods to prove their identity during sign-in (e.g., password + phone call, password + authenticator app). It's crucial for security as it significantly reduces the risk of unauthorized access even if a password is stolen.
Q: How can MFA be enforced in Azure AD?
A: MFA can be enforced through:
Per-user MFA: Enabled directly on individual user accounts (legacy method, less flexible).
Conditional Access policies: The recommended method, allowing MFA to be required based on conditions like user group, location, device state, application being accessed, or sign-in risk.
Security Defaults: A baseline set of security policies (MFA registration for all users, MFA for administrators and for privileged actions, and blocking of legacy authentication), enabled by default for new tenants. Security defaults and Conditional Access are mutually exclusive: you must turn security defaults off before Conditional Access policies can be used.
Q: What is Conditional Access in Azure AD? Give an example of its use.
A: Conditional Access is the tool used by Azure AD to bring signals together, to make decisions, and enforce organizational policies. It allows you to define "if-then" statements (e.g., "If a user is from an untrusted location, then require MFA").
Example: "Require MFA for all users accessing Salesforce from outside the corporate network."
Q: What are the components of a Conditional Access policy?
A: A Conditional Access policy consists of:
Assignments:
Users and groups: Who the policy applies to.
Cloud apps or actions: Which applications or actions are targeted.
Conditions: Sign-in risk, device platforms, locations, client apps, device state, filter for devices.
Access controls:
Grant: Block access, require MFA, require device to be marked as compliant, require Hybrid Azure AD joined device, require approved client app, require app protection policy.
Session: Use app enforced restrictions, use Conditional Access App Control, sign-in frequency, persistent browser session.
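The components above are easiest to understand by evaluating one policy against a few sign-ins. The following is an added example and not Microsoft's code: a toy evaluator whose policy dictionary follows the shape of the Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, conditions.locations, grantControls). It implements the rule that exclusions always beat inclusions, handles the "All" wildcard for users, apps and locations, and shows report-only mode. The group memberships, named locations, application IDs, UPNs and the break-glass exclusion are constructed, and combining several grant controls with the AND/OR operator is not modelled.

```python
# Added example: a toy Conditional Access evaluator, not Microsoft code.
# The policy dictionary follows the shape of the Graph conditionalAccessPolicy
# resource (conditions.users / applications / locations, grantControls).
# Group memberships, named locations, app IDs and UPNs are constructed.
import ipaddress

NAMED_LOCATIONS = {                       # constructed trusted IP ranges
    "loc-corp": ["203.0.113.0/24", "198.51.100.0/24"],
}
GROUP_MEMBERS = {                         # constructed directory memberships
    "grp-all-users": {"alice@contoso.com", "bob@contoso.com", "breakglass@contoso.com"},
}
POLICY = {
    "displayName": "Require MFA for Salesforce outside the corporate network",
    "state": "enabled",                   # or "enabledForReportingButNotEnforced" / "disabled"
    "conditions": {
        "users": {"includeGroups": ["grp-all-users"],
                  "excludeUsers": ["breakglass@contoso.com"]},   # break-glass exclusion
        "applications": {"includeApplications": ["app-salesforce"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-corp"]},
    },
    # Only a single control is modelled; the AND/OR operator is not evaluated here.
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def in_named_location(ip, location_id):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidr in NAMED_LOCATIONS.get(location_id, []))

def in_any_group(upn, group_ids):
    return any(upn in GROUP_MEMBERS.get(g, set()) for g in group_ids)

def user_in_scope(users, upn):
    # Exclusions always win over inclusions, as in the real product.
    if upn in users.get("excludeUsers", []) or in_any_group(upn, users.get("excludeGroups", [])):
        return False
    inc_users = users.get("includeUsers", [])
    return "All" in inc_users or upn in inc_users or in_any_group(upn, users.get("includeGroups", []))

def location_in_scope(locations, ip):
    if not locations:                     # no location condition: every location matches
        return True
    if any(in_named_location(ip, loc) for loc in locations.get("excludeLocations", [])):
        return False
    inc = locations.get("includeLocations", [])
    return "All" in inc or any(in_named_location(ip, loc) for loc in inc)

def evaluate(policy, signin):
    """Return 'notApplied', 'block', 'requireMfa' or 'grant' for one sign-in.
    signin: {"upn", "app", "ip", "mfa_done"}; report-only policies get a 'reportOnly:' prefix."""
    if policy["state"] == "disabled":
        return "notApplied"
    cond = policy["conditions"]
    apps = cond["applications"].get("includeApplications", [])
    if (not user_in_scope(cond["users"], signin["upn"])
            or ("All" not in apps and signin["app"] not in apps)
            or not location_in_scope(cond.get("locations"), signin["ip"])):
        return "notApplied"
    controls = policy["grantControls"]["builtInControls"]
    if "block" in controls:
        result = "block"
    elif "mfa" in controls and not signin.get("mfa_done", False):
        result = "requireMfa"
    else:
        result = "grant"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "reportOnly:" + result
    return result

if __name__ == "__main__":
    for s in [{"upn": "alice@contoso.com", "app": "app-salesforce", "ip": "192.0.2.10"},
              {"upn": "alice@contoso.com", "app": "app-salesforce", "ip": "203.0.113.5"},
              {"upn": "breakglass@contoso.com", "app": "app-salesforce", "ip": "192.0.2.10"}]:
        print(s["upn"], s["ip"], "->", evaluate(POLICY, s))
```

Running the block shows alice prompted for MFA from 192.0.2.10, not prompted from the corporate range, and the break-glass account never in scope. The last case is the one to remember in interviews: a user excluded from the policy is not "allowed" by it, the policy simply does not apply, so whatever other policies cover that user still run.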
Q: What is Self-Service Password Reset (SSPR) in Azure AD?
A: Self-Service Password Reset (SSPR) allows users to reset their forgotten or expired passwords without administrator intervention. Users must register alternative verification methods (e.g., mobile phone, email) to prove their identity. It reduces helpdesk calls and improves user productivity.
Q: What is Azure AD Identity Protection? What features does it offer?
A: Azure AD Identity Protection is a feature of Azure AD Premium P2 that helps organizations detect, investigate, and remediate identity-based risks.
Features:
Risk detection: Detects various risk types (e.g., anomalous sign-in, impossible travel, leaked credentials).
Risk-based Conditional Access policies: Automatically responds to detected risks (e.g., block access, require MFA, require password change).
Reports: Risky users, risky sign-ins, and risk detections, each with the risk level and the detection that raised it, so an analyst can confirm or dismiss the risk.
Integration with Microsoft Sentinel (formerly Azure Sentinel) and Microsoft Graph: For advanced threat hunting and automated response.
Q: Explain the concept of Single Sign-On (SSO) in Azure AD.
A: Single Sign-On (SSO) allows users to authenticate once with their Azure AD credentials and then access multiple applications and resources without re-entering their credentials. Azure AD supports SSO for thousands of SaaS applications, as well as custom applications, using protocols like SAML, OAuth 2.0, and OpenID Connect.
Q: What is Application Registration in Azure AD? Why is it needed?
A: Application Registration is the process of registering an application (web app, mobile app, API, desktop app) with Azure AD. This creates an application object and a service principal object in your tenant. It's needed so that Azure AD can:
Issue tokens to the application for authentication and authorization.
Understand which permissions the application requires.
Manage access to the application.
Q: What is a Service Principal in Azure AD? How does it relate to Application Registration?
A: When an application is registered in Azure AD, two objects are created:
Application object: A global representation of the application across all tenants.
Service principal object: A local representation of the application in a specific tenant. It defines what the application can actually do in that tenant, including permissions and access policies.
Every application that accesses resources in a tenant must have a service principal.
Q: What are Application Permissions and Delegated Permissions?
A: These are types of permissions an application can request to access resources protected by Azure AD.
Delegated Permissions: The application acts on behalf of a signed-in user. The application can only access what the user has permission to access, and the user must consent to the permissions.
Application Permissions: The application acts as its own identity (without a signed-in user), typically via the client credentials flow. These permissions always require administrator consent and are used for background services or daemons. In the issued access token, delegated permissions appear in the scp claim and application permissions in the roles claim, and an API must check for both.
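The practical consequence for anyone building an API protected by Azure AD is that authorization has to look at two different claims. The block below is an added example, not Microsoft library code: it verifies a token's signature, expiry and audience, then decides whether the caller holds a required permission as a delegated permission (scp claim, space-separated string) or as an application permission (roles claim, array). Real Entra tokens are RS256-signed and must be validated against the tenant's published JWKS; the HS256 key, the audience api://contoso-hr-api, the permission names and the UPNs here are constructed so the example runs offline.

```python
# Added example, not Microsoft code: how a protected API authorizes a token by its
# permission claims. Delegated permissions arrive in `scp` (space-separated string),
# application permissions in `roles` (array). Real Entra tokens are RS256-signed and
# must be verified against the tenant's JWKS; the HS256 key, audience, UPNs and
# permission names below are constructed so the example runs offline.
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key-not-for-production"
EXPECTED_AUD = "api://contoso-hr-api"          # constructed application ID URI

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, key=DEMO_KEY):
    """Stand-in for the token issuer (HS256 instead of Entra's RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token, now, key=DEMO_KEY):
    """Signature, expiry and audience checks. The header's alg is deliberately
    ignored: the verifier decides the algorithm, never the token."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("invalid signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("aud") != EXPECTED_AUD:       # a token minted for Graph must not unlock this API
        raise PermissionError("audience mismatch")
    return claims

def effective_permissions(claims):
    """('delegated', perms) when a user is present (scp), ('application', perms)
    for client-credential tokens (roles only), ('none', empty) otherwise."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()

def authorize(token, required, now):
    """Return (token kind, caller) if the token carries `required`, else raise."""
    claims = verify_token(token, now)
    kind, perms = effective_permissions(claims)
    if required not in perms:
        raise PermissionError(f"{kind} token lacks {required}")
    return kind, claims.get("upn") or claims.get("azp")

if __name__ == "__main__":
    now = 1_700_000_000
    user_tok = mint_token({"aud": EXPECTED_AUD, "exp": now + 3600, "upn": "alice@contoso.com",
                           "scp": "Employee.Read User.Read"})
    app_tok = mint_token({"aud": EXPECTED_AUD, "exp": now + 3600, "azp": "daemon-client-id",
                          "roles": ["Employee.Read.All"]})
    print(authorize(user_tok, "Employee.Read", now))
    print(authorize(app_tok, "Employee.Read.All", now))
```

Two design points carry over to real deployments: the audience check comes before any permission check, because a valid token issued for another resource (Graph, for instance) must not be accepted by your API, and the verifier fixes the signing algorithm itself rather than reading it from the token header.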
Advanced Features and Security
Q: What is Privileged Identity Management (PIM) in Azure AD?
A: Privileged Identity Management (PIM) is an Azure AD (Premium P2) service that enables you to manage, control, and monitor access to important resources in Azure AD, Azure, and other Microsoft Online Services. It provides just-in-time (JIT) and just-enough-access (JEA) capabilities for privileged roles, reducing the window of opportunity for malicious actors.
Q: How does PIM help improve security?
A: PIM improves security by:
Just-in-Time Access: Granting temporary permissions for privileged roles only when needed.
Just-Enough Access: Ensuring users only have the minimum necessary permissions.
Approval Workflow: Requiring approval for role activation.
Multi-Factor Authentication (MFA): Enforcing MFA for role activation.
Auditing and Reporting: Providing logs of all role activations and assignments.
Access Reviews: Periodically reviewing access to ensure it's still needed.
Q: What are Access Reviews in Azure AD?
A: Access Reviews in Azure AD allow organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. They enable administrators to periodically review who has access to what, ensuring that access rights are current and necessary, helping to reduce the risk of stale permissions.
Q: What is Azure AD B2C (Business-to-Consumer)? How does it differ from Azure AD B2B?
A:
Azure AD B2C: A separate, consumer-facing identity management service that allows your customers to sign up and sign in to your applications using their preferred social, enterprise, or local accounts. It's designed for customer-facing applications.
Azure AD B2B: For business-to-business collaboration, allowing you to invite external business users (guests) from other organizations to access your internal resources.
Key Difference: B2C manages customer identities for your applications, while B2B allows other organizations' users to access your resources.
Q: What is the purpose of Azure AD Connect Health?
A: Azure AD Connect Health is a monitoring service, fed by agents installed on your on-premises identity servers, that provides robust monitoring for your on-premises identity infrastructure (Azure AD Connect sync, AD FS, and AD DS). It helps you monitor the health of your synchronization services, identify potential issues, and provides insights into synchronization errors, AD FS sign-in failures, and performance.
Q: How do you implement passwordless authentication in Azure AD?
A: Azure AD supports several passwordless authentication methods:
Windows Hello for Business: For devices.
Microsoft Authenticator app: Using phone sign-in.
FIDO2 security keys: Hardware keys.
Temporary Access Pass (TAP): A time-limited passcode for onboarding or recovery.
Q: What is Azure AD Domain Services (Azure AD DS)? When would you use it?
A: Azure AD Domain Services (Azure AD DS) provides managed domain services (like domain join, group policy, LDAP, Kerberos/NTLM authentication) compatible with Windows Server Active Directory. It's used to lift-and-shift legacy applications to Azure that require traditional domain services, without deploying and managing domain controllers yourself. Microsoft runs the domain controllers for you; you do not get Domain Admin or direct access to them, synchronization is one-way from Azure AD into the managed domain, and the managed domain is separate from (not an extension of) your on-premises forest.
Q: What is the Microsoft Graph API? How is it used with Azure AD?
A: The Microsoft Graph API is a unified REST API endpoint (https://graph.microsoft.com) that allows you to access data and intelligence from Microsoft 365, Windows, and Enterprise Mobility + Security. It's the primary way to programmatically interact with Azure AD, allowing developers to manage users, groups, applications, devices, sign-in and audit logs, and more. Calls are authorized with OAuth 2.0 access tokens carrying delegated or application permissions.
Q: What are Administrative Units in Azure AD?
A: Administrative Units (AUs) allow you to subdivide your Azure AD tenant into smaller, more manageable units. This enables you to delegate administrative permissions over a specific set of users or groups to a smaller group of administrators, without granting them tenant-wide administrative privileges. Useful for large organizations with distributed administration.
Q: How do you secure privileged access in Azure AD?
A: Securing privileged access involves several strategies:
Privileged Identity Management (PIM): For JIT/JEA access.
MFA for all administrators: Mandatory.
Conditional Access policies: To restrict access to privileged roles.
Dedicated administrative accounts: Separate from regular user accounts.
Azure AD Identity Protection: To detect and remediate risky sign-ins for privileged accounts.
Access Reviews: Regularly review privileged role assignments.
Break-glass accounts: Emergency access accounts.
Monitoring, Troubleshooting, and Best Practices
Q: What are Azure AD Audit Logs and Sign-in Logs?
A:
Audit Logs: Record all activities that modify resources in Azure AD (e.g., user creation, group membership changes, application registrations). Useful for tracking administrative actions and compliance.
Sign-in Logs: Record every sign-in attempt to Azure AD. Provides details like user, application, device, location, and sign-in status. Essential for monitoring authentication activity and troubleshooting sign-in issues.
Q: How can you use Azure Monitor with Azure AD?
A: Azure AD logs (Audit, Sign-in, Provisioning) can be sent to Azure Monitor Log Analytics workspace. This allows for:
Centralized logging and querying: Using Kusto Query Language (KQL).
Alerting: Creating alerts based on specific log events (e.g., failed sign-ins, risky users).
Dashboards: Visualizing identity data.
Integration with SIEM tools: Sending logs to external security information and event management systems.
Q: What is the concept of "Least Privilege" in Azure AD?
A: The principle of least privilege dictates that users and applications should only be granted the minimum necessary permissions to perform their required tasks, and no more. In Azure AD, this means assigning the most restrictive roles (e.g., "User Administrator" instead of "Global Administrator") and using PIM for just-in-time access.
Q: How do you troubleshoot user sign-in issues in Azure AD?
A:
Check Azure AD Sign-in Logs: Look for failed sign-ins, error codes, and details.
Verify User Credentials: Ensure correct username and password.
Check MFA Status: If MFA is required, ensure the user's MFA method is registered and working.
Review Conditional Access Policies: See if any policies are blocking access.
Check Azure AD Connect sync status: If hybrid, ensure the user account is synchronized correctly.
Verify User Principal Name (UPN): Ensure it matches the login attempt.
Test with a different device/network: To rule out local issues.
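The log questions above (Audit and Sign-in logs, Azure Monitor) and the troubleshooting checklist come together when you actually work through sign-in records. The following is an added example and not Microsoft tooling: it runs the same triage a KQL query over SigninLogs would perform, but in Python over constructed records shaped like the Graph signIn resource. The AADSTS error codes are real; the users, IPs, applications and timestamps are made up. It maps each failure code to the checklist step it points at, counts failures per code, and flags a source IP that produced bad-password failures against many distinct accounts, the signature of a password spray.

```python
# Added example, not Microsoft tooling: offline triage of Entra sign-in log records.
# The records are constructed in the shape of the Graph `signIn` resource (the same
# fields the SigninLogs table carries in Log Analytics); the error codes are real
# AADSTS codes, the users, IPs and timestamps are made up.
from collections import defaultdict

ERROR_HINTS = {
    50126:  "Invalid username or password: verify credentials; if hybrid, check that the account synced (PHS/PTA)",
    50034:  "User account not found: compare the UPN typed at sign-in with the directory UPN",
    50053:  "Account locked by smart lockout: look for a spray or brute force against this user",
    50057:  "Account disabled: check accountEnabled (or the synced on-prem userAccountControl)",
    50074:  "Strong authentication required: the user has no usable MFA method registered",
    50076:  "MFA required by policy: the user must complete (or register for) MFA",
    500121: "MFA challenge failed: the user declined the prompt or the method was unreachable",
    53003:  "Blocked by Conditional Access: check conditionalAccessStatus and the applied policies",
}

def _rec(ts, upn, ip, app, code, ca="success"):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "status": {"errorCode": code},
            "conditionalAccessStatus": ca}

SIGNINS = [   # constructed sample: one spray from 198.51.100.7, one CA block, one MFA gap
    _rec("2024-05-01T08:00:01Z", "alice@contoso.com", "203.0.113.5",  "Salesforce", 0),
    _rec("2024-05-01T08:10:01Z", "alice@contoso.com", "198.51.100.7", "Office 365 Exchange Online", 50126),
    _rec("2024-05-01T08:10:02Z", "bob@contoso.com",   "198.51.100.7", "Office 365 Exchange Online", 50126),
    _rec("2024-05-01T08:10:03Z", "carol@contoso.com", "198.51.100.7", "Office 365 Exchange Online", 50126),
    _rec("2024-05-01T08:10:04Z", "dave@contoso.com",  "198.51.100.7", "Office 365 Exchange Online", 50126),
    _rec("2024-05-01T08:10:05Z", "erin@contoso.com",  "198.51.100.7", "Office 365 Exchange Online", 50126),
    _rec("2024-05-01T08:10:06Z", "frank@contoso.com", "198.51.100.7", "Office 365 Exchange Online", 50126),
    _rec("2024-05-01T08:10:30Z", "dave@contoso.com",  "198.51.100.7", "Office 365 Exchange Online", 50053),
    _rec("2024-05-01T08:30:00Z", "carol@contoso.com", "203.0.113.9",  "Salesforce", 50076),
    _rec("2024-05-01T09:00:00Z", "bob@contoso.com",   "192.0.2.44",   "Salesforce", 53003, ca="failure"),
]

def triage_user(signins, upn):
    """Failed sign-ins for one user, newest first, each with the source IP and a next-step hint."""
    rows = [s for s in signins
            if s["userPrincipalName"].lower() == upn.lower() and s["status"]["errorCode"] != 0]
    rows.sort(key=lambda s: s["createdDateTime"], reverse=True)
    return [(s["status"]["errorCode"], s["ipAddress"],
             ERROR_HINTS.get(s["status"]["errorCode"],
                             "unlisted code: look up AADSTS%d" % s["status"]["errorCode"]))
            for s in rows]

def detect_password_spray(signins, min_users=5):
    """Source IPs whose bad-password failures (50126) hit at least `min_users` distinct users."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 50126:
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"].lower())
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}

def failure_breakdown(signins):
    """Failed sign-ins per error code (what `summarize count() by ResultType` gives in KQL)."""
    counts = defaultdict(int)
    for s in signins:
        code = s["status"]["errorCode"]
        if code != 0:
            counts[code] += 1
    return dict(counts)

if __name__ == "__main__":
    print("failures by code:", failure_breakdown(SIGNINS))
    print("spray sources:", detect_password_spray(SIGNINS))
    for code, ip, hint in triage_user(SIGNINS, "bob@contoso.com"):
        print(code, ip, hint)
```

Note the distinction the triage preserves: bob's 53003 from 192.0.2.44 is a Conditional Access block on a real sign-in attempt and belongs in the troubleshooting queue, while his earlier 50126 from 198.51.100.7 is part of the spray and belongs to the incident responder, not the helpdesk. In production the same logic is a KQL query in Log Analytics or a Sentinel analytics rule; the threshold of five distinct users per source IP is a constructed starting point, not a Microsoft default.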
Q: What are some best practices for managing Azure AD?
A:
Implement MFA for all users, especially administrators.
Use Conditional Access policies to enforce security requirements.
Utilize Privileged Identity Management (PIM) for privileged roles.
Regularly review access with Access Reviews.
Enable Self-Service Password Reset (SSPR).
Monitor Azure AD logs (Audit and Sign-in) for suspicious activity.
Implement the principle of least privilege.
Plan your hybrid identity strategy carefully (PHS, PTA, Federation).
Secure your Azure AD Connect server.
Use strong password policies.
Q: What is the difference between Azure AD roles and Azure roles (RBAC)?
A:
Azure AD roles (Directory roles): Control permissions within Azure Active Directory itself (e.g., Global Administrator, User Administrator, Application Administrator). These roles govern who can manage users, groups, applications, and other directory objects.
Azure roles (RBAC - Role-Based Access Control): Control permissions to manage Azure resources (e.g., Virtual Machines, Storage Accounts, VNets) within an Azure subscription or resource group. These roles govern who can create, modify, or delete Azure resources.
Q: What is an Emergency Access Account (Break-Glass Account) in Azure AD?
A: An emergency access account (or break-glass account) is a highly privileged, cloud-only account in Azure AD (not synchronized from on-premises and not tied to any individual) that is excluded from Conditional Access policies so that a misconfigured policy, a federation or MFA outage, or a compromise of the regular administrator accounts cannot lock you out of the tenant. It's intended to be used only in such emergencies. Exclusion from Conditional Access does not mean no protection: the account should use a long, randomly generated password stored offline (or a FIDO2 security key held in a safe), be permanently assigned Global Administrator rather than depending on PIM activation, be excluded from password-expiry and other policies that could disable it, and have every sign-in generate an alert, since any use outside a declared emergency is an incident. Microsoft recommends at least two such accounts.
Q: How do you manage external identities in Azure AD?
A: External identities are managed primarily through:
Azure AD B2B Collaboration: For inviting guest users from other organizations or Microsoft accounts.
Azure AD B2C: For managing customer identities for your applications.
Identity Governance features: Like Access Reviews for guest users.
Q: What is the concept of "Device State" in Conditional Access?
A: Device state refers to whether a device is compliant with organizational policies (e.g., encrypted, updated, antivirus installed) or joined to Azure AD (Azure AD Joined or Hybrid Azure AD Joined). Conditional Access policies can use device state as a condition to grant or block access, or to require additional controls like MFA.
Q: What is the role of Azure AD in securing SaaS applications?
A: Azure AD plays a central role in securing SaaS applications by:
Single Sign-On (SSO): Providing a unified login experience for users across multiple SaaS apps.
User Provisioning: Automatically creating, updating, and deleting user accounts in SaaS apps.
Conditional Access: Enforcing policies based on user, device, location, and app to control access.
Multi-Factor Authentication (MFA): Adding an extra layer of security for SaaS app access.
Application Proxy: Providing secure remote access to on-premises web applications through Azure AD.