Pass Microsoft Certified: Azure Security Engineer Associate Certification Exams in First Attempt Easily
Last Update: Jan 31, 2023
Want to prepare by using Microsoft Certified: Azure Security Engineer Associate certification exam dumps? 100% actual Microsoft Certified: Azure Security Engineer Associate practice test questions and answers, study guide and training course from Exam-Labs provide a complete solution to pass. Microsoft Certified: Azure Security Engineer Associate exam dumps questions and answers in VCE Format make it convenient to experience the actual test before you take the real exam. Pass with Microsoft Certified: Azure Security Engineer Associate certification practice test questions and answers with Exam-Labs VCE files.
Azure Active Directory for Workloads
1. Lecture: Azure Active Directory (AD) Overview
To begin our journey down the path of identity, let's take a quick look at Azure as a whole. You might have seen this image before, which you can find at the link below, where Microsoft has a pretty good write-up on Azure AD fundamentals. But to begin with, Azure AD is really becoming the centre of the identity world. You can kind of see it there in the middle of the picture. On the left-hand side, we have "on premises," because people traditionally had Windows Server Active Directory, sometimes known as Active Directory Domain Services, on premises, as well as other directories and things that they may have historically used. A lot of those directories are on premises. And now in the public cloud, SaaS-based world, we've got all these other solutions running out there, whether it's ServiceNow, Salesforce, et cetera, and identity sprawl was just becoming a big problem. People had identities in their businesses and then had the same identity in another business. Take an example. What if you could just trust the identity that a customer already has and the authentication mechanisms that they're already using when you onboard them and create a new user for them? And so Azure AD ultimately provided a solution to that problem. How do we sync our identities on premises while also enabling consumer and business collaboration with the identities of other businesses and consumers with whom we interact? And at the heart of it all are three things: simple connection, self-service, and single sign-on.
In fact, if we look at the Azure AD features in a little bit more detail, first of all it is an enterprise identity solution: that single identity keeps users, groups, and everything else in sync across your enterprise. That's point number one. Then single sign-on provides the ability to sign on once for apps and services. We don't have to go sign on again and again every time we want to access something. If there are applications that we access, we've been given permission to access them. We'd already signed in when we logged in with our laptop. And maybe we use some kind of Face ID and other authentication on top of the password that's kind of there for you. And then we've got multi-factor authentication. I was kind of just alluding to that. It's one thing to have a password. That's something I know. What about something that I have? Maybe it's a cell phone, or I get a text message, and I can enter that code; maybe some biometrics, or something like that; it just adds to the security. So when we think of single sign-on and multi-factor authentication, they're both wonderful because I have multiple ways to authenticate. And then once I'm authenticated, I'm signed on. And now I can access all my apps and the infrastructure services that I need.
And finally, self-service empowerment for the users. There's nothing more annoying than getting password reset calls day in, day out. We can empower users to do self-service password resets, but we can also empower them to access the apps and the services they need. They can go to my Appstore and request what they need. And so all of this comes together and is ultimately why Azure AD is so important, particularly as it relates to Azure. You're potentially using Azure AD for Office 365 and other things already. Now we're able to use that same identity solution and give it permissions in the Azure world. And so, as you'll see in the upcoming demo, we'll create a new Azure AD tenant and then go from there, showing you how to create users, groups, etc.
2. Demo: Create Azure AD Tenant
In this demonstration, we're now going to look at creating a brand new Azure Active Directory tenant from the Azure Portal. So let's head over there to begin. In the Azure Portal, the first thing to note is on the top right when you log in to Azure. You log in with your account, and you can see it's associated with AZ Exam. If I click this other icon, "Directory + Subscription," and I go to the bottom, now I can see all the directories that I have access to with that account. So in my case, this account was originally only associated with this one directory, the default directory, Ncalia Live on Microsoft.com. If you create a brand new account, you'll see something similar based on the name that you've keyed in. And I've gone ahead and created this additional Azure AD tenant, AZ Exam, which is what I use for a lot of the demos now going forward, as well as other domains that you may have seen in previous demos. Now I go ahead and go over to Azure Active Directory on the left-hand side; if you don't have it in your favourites, the other way you can access it is by clicking All Services and then searching for Azure Active Directory. In a moment, it will pop up with our Azure Active Directory menu blade. Okay. And once that's done, you'll be able to see Azxamdemo.onmicrosoft.com, as well as the domain Azcam. And I'm currently using the free tier of Azure Active Directory. And you will notice some services that you attempt to perform if you experiment with them. There's also the concept of these Azure AD Premium P1 or P2 licenses, and you can grab a free trial if you're experimenting with things in there. But for right now, if we want to create a new directory, what I need to do is on the right-hand side, scroll down, and you'll see an area that says "Create a directory." If we click that, that allows us to enter a new organisation name.
So perhaps I'll call this Azxamtest just to distinguish it from the one I already have, and I'll call it Azxamtest.onmicrosoft.com, and that is available. Now, those are globally unique. So if you try to use a name that someone else has already taken, it won't let you. It does need to be completely unique on the onmicrosoft.com domain. Then choose the country that the directory is created in, and then go ahead and click Create. That will take about a minute to get that directory created. So we'll skip ahead while that finishes, okay? And after a while, that notification pops up and the directory is created. Now what I need to do is click the directories and subscriptions filter and scroll down. I might have to just refresh it. It's not showing correctly. Refresh your portal and then click that again, and you can see we now have AZ Exam, which is the current one that I'm in, and this new one, AZ Exam Test.
Now, here's something to keep in mind. If I click AZ Exam Test, it's now going to switch over to that Azure AD tenant. I'll need to log in with my account. And then, if I go in here and scroll down to Subscriptions, which I may need to add back in (I can go back to All Services and just add Subscriptions back to my favourites) and click Subscriptions, what you'll notice straight away is that I don't have any subscription yet, because the original subscription I've got is only associated with that other Azure AD domain. Now, that's not to say I can't give additional subscriptions to additional domains. I can certainly have lots of domains with lots of subscriptions. But the subscription has one unique domain that it is associated with. If I want to give someone from another domain access to that subscription, they could be a user in this domain. I would need to trust them and grant them access to that other subscription. But I can't reassociate that subscription with this domain.
So, once again, keep in mind, and I'll emphasise, that a subscription is a one-to-one mapping with that Azure AD tenant specifically. The other thing to keep in mind is that if we go back to Azure Active Directory, you will see users and groups, which we are going to cover in the next demonstration. But there is an administrator role that is already created for you. If you go down to Global Administrator, this user is created automatically, and this is my user account. That is the global administrator for that specific domain. That's essentially the ultimate right for the domain. And you can give out additional global admin rights to other people as needed, but that's created for you automatically, which makes sense. The first person to create the Azure tenant needs to be the global administrator. Think of that as just as important as the administrator you had in a legacy Active Directory. You gave very few people those rights because they needed to be kept very secure. But with that, this demonstration concludes. If you need to head back, simply click the directory and subscription filter again and go back to your other domain if you've got one. And then, if you want to delete that other domain, just go back there and delete directly from Azure as well. But that's how you go about creating your new Azure AD tenant.
3. Demo: Move Subscription to another Directory
Alright, so by now we know how to create a new directory. We should know how to create a subscription, especially if you went ahead and created a free trial, or perhaps a pay-as-you-go subscription. But how do we move those subscriptions around if we want to change the directory that they are associated with? I'm going to head over to the Azure Portal, and what you can see here is that I'm in my AZ Exam Test. If I click "switch directories," this is the one. I'm in AZ Exam Test. And if I go to Subscriptions on the left-hand side and click Subscriptions, you will see that I'm already in there. I have this pay-as-you-go subscription and my subscription ID, of which I am an admin. Now let's say I want to change the directory. I want to move it from Azxam Test, with my domain name, azxamtesting.onmicrosoft.com, to AZ Exam. AZ Exam demo dot onmicrosoft.com is my domain. I haven't got any custom domain assigned to these yet, but that's basically the default domain that gets created. And I want to move the subscription from this tenant to this one. How do I go about moving it into that directory? So I go ahead and click the subscription. This will open it up here and show me a couple of things I can do. One, I can rename it here to give it something a bit more meaningful from a name perspective, and then I can go ahead and click Change Directory. So click that here, and the first thing you need to know is that changing the directory removes access for all RBAC users and other admins, including co-admins, and you'll learn a bit more about RBAC later if you haven't already jumped ahead and covered it. But these are all the permissions associated with the subscription itself and its resources, etc., so if you're going to remove those, you're going to have to set up your RBAC permissions again, because you're basically moving to an entirely different directory. But here on the bottom, this is where everything takes effect.
So it says from AZ Exam Test, and I say to the directory AZ Exam, and I click Change, and it says the directory changed right away. Now it doesn't take effect straight away; it takes about five minutes on average when I've tried this. But when it's completed, you will basically go up to your directory and subscription filter, change your directory to the other one, and then that subscription will appear here. And I've changed the colour scheme so, as you know, I'm in this AZ Exam directory. If I go down to Subscriptions, and you can see I'm already in there, I've got my Visual Studio Enterprise subscription. I don't have the pay-as-you-go one yet, but that will appear in about five minutes and the subscription transfer will be completed. And then I will go ahead and set up all my rights again. All right?
And a little bit of time has passed now. So now I'm back in the portal. I've refreshed; I've logged back out and back in. And as you can see, I don't see the subscription there. The reason is that I need to uncheck this box here, because it says to show only subscriptions selected in the global subscriptions filter. If I uncheck that, now I see that pay-as-you-go subscription, which transferred over successfully. And the reason it's not shown by default is because of this filter. If I click this up here, you can see I have the default filter, and it's only going to show me subscriptions by default that I've selected. You see that little box pop up there? Visual Studio Enterprise, Pay-As-You-Go. I can select all, and then they will all show up when I log in. In my case, I'm not going to keep the subscription, so I don't need to change anything there. I'm ultimately going to delete this one because I use my Visual Studio Enterprise one by default when I record these demos. However, this should demonstrate how simple it is to transfer. But just be patient with it. Log back out and log back in if it's not showing up.
And make sure you have your filters appropriately configured.
4. Demo: Create Users and Groups
Now that you know how to create an Azure AD tenant, it often makes sense to then know how to create users and groups in that tenant, which is what this demonstration covers. So we'll head over to the Azure Portal to get started, and in the portal, let's head straight over to Azure Active Directory. So click that, or if you don't have it in favourites, just click All Services and type "Azure Active Directory" and it will come up for you. And as you can see, we're in Azxamdemo.onmicrosoft.com, with the abbreviation Azexam. Now I can go ahead on the left-hand side and click Users. This is where I create new users in my directory, and I can see the users that are already in there. So I can go ahead and click "New User." And let's call this one John Smith. Very unique, I know. The user name could be J. Smith. Now this is important. If you just use Azxam.onmicrosoft.com, you'll notice it won't actually work. It'll give us a little error, and that's because, if we go back to the directory, you'll see that Azxamdemo.onmicrosoft.com is the full name for that specific tenant. So if we just add "demo" to that, we will then get the green check, and everything is good to proceed.
For Profile, this is just work data: first name, last name, job title, department, et cetera. Properties: you won't need to go into that; it's just around the source of authority, in this case, your Azure Active Directory. There's nothing you need to configure there, and we'll come back to groups after we've created the specific user here. And this is important: the directory role. So what role do we want to give them inside of Azure Active Directory? They can be a user, or they could be a global administrator or limited administrator. You can learn more about directory roles by clicking the link right here, and that will give you some more information on the different role types available to you.
Then it lets you show the password, in case you're just trying to give it to someone right next to you or you're going to email it to someone. You can see it there, and you can copy it and paste it out to give to that person. They will be prompted to change it after logging in for the first time. Then you click Create, and that goes ahead and creates that user. And then we see John Smith there, ready and available. When we first returned to Users, the source wasn't immediately updated; if I refresh now, you can see the source for John Smith: Azure Active Directory. You can also see that some other sources, such as a Microsoft account, can be used. In fact, I can enter an email address here if I create a new guest user. I can say, "Invite somebody," perhaps my Gmail, Nick [email protected], to come join my Azure AD tenant. And that will actually send an invitation out to me personally at my email address and allow me to log in as a guest user as well. You'll see that user type then appear as a guest. But that's it for users specifically; that's how we create them.
If we go back to the AZ Exam tenant and click Groups, this is where I can go ahead and start to create groups of users. So perhaps I want to create an Azure administrator group. I'm going to create a security group. I'm not going to create an Office 365 group. This is for security access to Azure AD. As an example, I'll refer to this as my Azure admins team. And then I can go ahead and say the membership type is Assigned. Click Members, and basically, you'll see the users all listed here along with other service accounts that are there as well. I can simply type in "John" and you'll see John Smith is there. Click that name, click Select, click Create, and that's going to go ahead and create that group and include John Smith already in there. Well, how do I actually assign permissions to that person?
Well, that's all done using RBAC, as you might have seen already if you jumped to that section. So we can go back to, say, our Azure subscription if I click it down here, go in and select the Visual Studio Enterprise subscription I have, click Access Control, and then go ahead and add a role assignment. So, once again, I assign rights and scope them to specific objects. I can scroll through here and choose the Azure admins team, or I could still choose John Smith directly if I wanted to. But let's say I want to assign to the group. This way, whenever I want to grant someone access, for example, subscription owner access, I simply click the role and select Owner. This is the complete set of rights for the subscription. I'm assigning it to that group, and anybody I put in that group will be given access to the subscription. So this isn't something you'd want to just hand out to people at random. The subscription rights are obviously very important. But as you also saw from resource groups, you can assign rights specifically to a resource group. You might want to group people by department; you might want to group them by geography; you might want to group them by business division. There are basically all sorts of things that you can do to carve out the rights and roles that make the most sense for your organization. And with that, that concludes this demonstration and hopefully gives you an insight into how you create users and groups in Azure AD.
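As an added example (not part of the original course material), this Python sketch audits role assignments for the situation described above: Owner-level rights given directly to an individual user or a guest instead of through a group. The input is constructed sample data shaped like the JSON that `az role assignment list --all` prints; every name, ID and the choice of which roles count as privileged are assumptions of this example.

```python
import json

# Roles that can grant access to others (an assumption of this example;
# the demo itself only assigns Owner).
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
BROAD_LEVELS = {"root", "management_group", "subscription"}

# Constructed sample data; the subscription ID and all principals are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_JSON = json.dumps([
    {"principalName": "Azure admins team", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "jsmith@exampletenant.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "partner_example.org#EXT#@exampletenant.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-finance"},
    {"principalName": "dev@exampletenant.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
])


def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers" and "managementgroups" in parts:
        return "management_group"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourcegroups":
            return "resource_group"
        if len(parts) > 4:
            return "resource"
    return "unknown"


def audit(assignments):
    """Return findings for privileged roles held by guests or by users directly."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if role not in PRIVILEGED_ROLES:
            continue
        if a.get("principalType") != "User":
            continue  # group assignments are the pattern the demo recommends
        name = a.get("principalName", "")
        level = scope_level(a.get("scope", ""))
        if "#ext#" in name.lower():
            # Guest accounts carry #EXT# in their user principal name.
            reason = "guest-holds-privileged-role"
        elif level in BROAD_LEVELS:
            reason = "user-assigned-directly-at-broad-scope"
        else:
            continue
        findings.append({"principal": name, "role": role,
                         "level": level, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE_JSON)):
        print(finding)
```

To run it against a real subscription, replace `SAMPLE_JSON` with the saved output of the CLI command; moving flagged users into a security group and assigning the role to the group keeps membership changes auditable in one place.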
5. Demo: Self-Service Password Reset
First and foremost, you can see in this directory that this section is centred on who I want to configure self-service password reset for. I can choose None, Selected, in which case I select specific groups, or everyone. I'm not going to do that right now. I want to show you more about the methods and the options available for them. This is really important because, when you give someone the ability to reset their password, you can choose the number of methods that are required. So one or two here, and you can see the options. Mobile app code (preview) and mobile app notification (preview) are both new preview options there that work with a mobile app. But the common ones are email, mobile phone, office phone, and security questions, and you can say, okay, one email is enough. They'll get an email to click "confirm" to make sure they're authenticated.
Or you could require an email and perhaps a text message to a mobile phone. That's what this is all about at this point. Furthermore, we have this registration section, so that users must register when signing in, and we can set a certain number of days before they are asked to reconfirm their authentication information. You want to make sure that authentication information is up to date. People change email addresses and things like that that they might be using for authentication, phone numbers, and all that kind of stuff. That's really what that's about, and that's really all there is to it. Once we've got that configured, we have a web page that the users can go to in order to reset their password. Essentially, the user will get a prompt when they're trying to log in. They can click the link, or they can simply go to aka.ms/sspr, and that will take them to a page where they can put in a user ID and some characters here. It'll prompt them for those questions and allow them to reset their password.
Now flipping back to the portal and clicking Properties, you can see here I've enabled self-service password reset, and I want you to see what it looks like when you actually go ahead and do that and what the users are prompted for the next time. If I go to this other tab that I've already gone ahead and selected, you can see more information is required. And so I'm required to go in here and actually set up authentication. I've already done my telephone there, so I'm just going to blow that out, and I just need to do my email as well. So basically I type in an email address, it'll send me a code, and then I punch that code in once it comes through on my phone. By phone, I mean I'm receiving an email on Gmail on my phone there. So I'm going to input that code, and then both of those authentication methods are verified. I click Finish, and now I've actually set up self-service password reset for my account, so now I can go to that web page and do the reset, and it will actually work for me.
However, there are a few other quick settings. Notifications: notify users when their passwords are reset. Always a good thing to remember, and if you're having issues with admins or something else in your environment, you can also notify all admins when other admins reset their password. So, if you just want to be in a high security profile for a while and know whenever an admin resets, if you're worried about an attack or something, it might be a good idea to turn that on. Otherwise, it's honestly just a lot of noise for most people. There is also a customization section here, so you can customise that Help Desk link if you want to, and the Help Desk email as well. And with that, that concludes this demonstration and hopefully gives you an idea of where you can configure self-service password reset.
6. Lecture: AD Connect Overview
As you saw from the previous module, there are a lot of directory services to think about, and often we already have something on premises. We most likely have an Active Directory controller running on Windows Server 2012 or 2016. We don't really want to create a whole new source of truth when we move towards Azure Active Directory. Perhaps we already started some of this when we did 365. But if we're starting out fresh, we need to make sure they remain in sync. And that's where Azure AD Connect really comes in.
Azure AD Connect has a number of components. First of all, it has synchronisation services. This component is what's responsible for creating the users, groups, and other objects in Azure Active Directory. It's also responsible for making sure the identity information for your on-premises users and groups matches the cloud completely. What we don't want is a complete mismatch there, because then everything gets out of sync and gets very complicated. It also has an option for Active Directory Federation Services. This is optional, and federation enables us to set up a hybrid environment with on-premises ADFS infrastructure. This can be used by organisations to address more complex types of deployments, such as domain join and SSO. Or perhaps we have third-party MFA solutions. MFA is multi-factor authentication, which you'll hear about soon. Perhaps we have smart card solutions, things like that, that we need to integrate with. We might need to use Active Directory Federation Services.
And then finally, we have health monitoring, and this is called Azure AD Connect Health, which you'll see in the third module in this section of the course. This provides robust monitoring and a central location in Azure for you to view all your health activity and make sure that your domains are all in sync and there are no issues.
It helps now to take a look at some of those AD Connect sync features in particular. First of all, we have the concept of filtering, and this is used when you want to limit which objects are synchronised with Azure Active Directory. By default, all users, contacts, groups, and Windows 10 computers are synchronized. You can change this filter based on domains, organizational units, or other attributes if you want to.
We then have the concept of password hash synchronization, and this synchronises the password hash in your on-premises Active Directory up to Azure AD. So the end user can use the same password on premises and in the cloud, but they only have to manage it in one location. Since it uses your on-premises Active Directory as the authority, you can also use your own password policy that you decide to implement in your on-premises Active Directory. This comes up a lot when clients are using password policies that are in, say, Active Directory Domain Services from Azure, the managed Azure AD Domain Services, to be specific. It may not give you the same password policy features. Whereas when you use AD Connect sync, if you've got a password policy on premises, that will carry over to Azure AD.
We then have the concept of password writeback, which will allow your users to change and reset their passwords in the cloud, and this will be written back on premises. We have the concept of device writeback, which will allow registered devices in Azure AD to be written back to your on-premises Active Directory, so it can be used for conditional access.
We have Prevent Accidental Delete, which is turned on by default. This protects your cloud directory from numerous deletes at the same time. By default, it allows 500 deletes per run, and you can change the setting depending on your organization's size. And finally, a great feature: automatic upgrade is enabled by default for all the Express Settings installations.
This ensures your Azure AD Connect infrastructure is always up to date with the latest release. You don't have to worry about going ahead and updating any of that.
Now, before we wrap up, make sure you understand the different password sync options. There are three major ones. We have password sync, and this is where we're ensuring that user passwords are the same in both directories, Active Directory Domain Services and Azure AD. An alternative is to have pass-through authentication. This is where we authenticate, and instead of Azure AD authenticating, we actually pass that request on to the AD DS server, which gets the approval and sends it back to the user that way. So essentially, a single source is being added. And finally, we have ADFS, which is using Active Directory Federation Services to fully federate across AD, Azure AD, and other services. As an example of a SaaS service, perhaps you have ServiceNow. A lot of people use it for tickets and things like that. Perhaps that's using ADFS, and it's federated with your Active Directory Domain Services. So just make sure you understand these three. And with that, this concludes this part of the module.
7. Demo: Implementing AD Connect
You can see that we're already parked in here. I also own the domain Skylinesexam.com, and I've created a new user in this domain called Student Demo. So first name Student, last name Demo. And that's all that's running in here. And I'm just about to RDP into the domain controller. Setting up a domain controller is outside the scope of this course, but if you are having trouble with that, simply search for Active Directory Domain Services. You'll basically build a Windows server, and then you'll do what's called a dcpromo to create your new Active Directory forest on that particular server.
So let's go ahead and now do AD Connect. Let's go over to Google Chrome on this machine, and you can see I'm in Azure, in Azure Active Directory. I've got my new Azure Active Directory domain, Skylinesadam.onmicrosoft.com. And I want to now synchronise those users from my on-premises Active Directory up to this Azure Active Directory. To do that, let's scroll down on the left-hand side, and you'll see a section called Azure AD Connect. Select that, and you can see that the sync status is "not installed," but we can go ahead and click Download Azure AD Connect. Okay, that download is complete, so let's go ahead and run that. After a little while, that pops up. If we click this icon at the bottom, you'll see the wizard: "Welcome to Azure AD Connect. Run this installation tool on the server where the synchronisation service component will be installed." I'm already on the domain controller. I accessed Azure through Google Chrome on that domain controller, so I downloaded it straight to the machine I want. I agree to the licence terms and privacy notice. Click Continue, and you can see that because I've only got a single Windows Server Active Directory forest, I can use Express Settings for that. And you can see that it will configure identity synchronisation in the current AD forest of Skylines Exam.
So we'll go ahead and click "Use Express Settings," and then I need to give a global administrator's credentials. This is a user in Azure AD that's a global administrator. I already had one in this new domain called John Smith, so we will key him in here, and once complete, simply click Next. If there's any problem, it will let you know straight away if that user isn't authenticated. And now I need to give some credentials for a local user who's a domain administrator on the local machine, the domain controller itself. Again, click Next once you've inputted that.
Now, when we get to this screen, you can see our Azure AD sign-in configuration. My Active Directory UPN suffix is skylinesexam.com. But because I haven't verified that domain, that is, I haven't added it as a custom domain to Azure AD, it's going to do the following. If you hover over this question mark, it says the UPN suffix will be changed to contoso.com. So in my case, skylinesexam.com becomes Skylinesexams.onmicrosoft.com, which is the domain you initially create when you create an Azure AD domain. In Azure AD, for example, my user will be user@skylinexam.onmicrosoft.com. So we're not going to get that single sign-on capability from using my on-premises credentials, because that UPN suffix is going to change. I'm going to continue. I'm going to say, "Yes, I want to continue without any verified domains." Go ahead and click Next, and it says it will start synchronisation as soon as configuration completes. We'll check that and click Install, and everything will go ahead and install now, and then it will begin synchronising those users. So I should see that Student Demo user appear in Azure Active Directory when all is complete. Okay? And after five minutes or so, that task was completed successfully, and I'm going to go ahead and click Exit. Let's take a look now at Azure AD Connect in the portal itself.
Refresh this here. So let's go back up to the top, scroll back down to Azure AD Connect, and we can see that sync status is enabled. The last sync was less than an hour ago. Password sync is enabled as well. And you can see user sign-in through federation disabled, seamless single sign-on disabled, and pass-through authentication disabled. Now, if I go over to my users in Azure AD, I should see that new user. There it is. Yes, Student Demo is now available in Azure Active Directory. And you can see the source there, which is Windows Server AD, as opposed to these other user accounts, which were created directly in Azure Active Directory. So you can see it's very easy to install AD Connect. Because you may have some legacy applications that rely on Active Directory Domain Services and do not fully support Azure AD Domain Services or Azure Active Directory, this is a great way to simply synchronise all of your users from the Active Directory that you may already have on premises, or even ones that you may provision directly in the cloud. So with that, this concludes this demonstration, and I hope to have given you a good insight into AD Connect.
8. Demo: Monitoring with AD Connect Health
There we are in that domain again. And we're still logged into Azure through our Chrome browser on that domain controller, and you can see our sync status is still enabled. Last sync was less than an hour ago. Everything's still in working order there. But if you want to get some more detail, we can scroll down and see at the bottom that there's this feature called AD Connect Health under Health and Analytics. And this allows us to do two things. It allows us to monitor the synchronisation service as well as the on-premises infrastructure. So if we click AD Connect Health, this will take us to the dashboard. And you'll see there the Quick Start item that we'll go to in a minute. But also, here's the status of our Azure Active Directory Connect sync. So long as we did that in AD Connect, which we did, we'll be okay. And if anything is wrong, we'll be notified. At this point, if we had Federation Services, we would need to install an additional item, and that would give us results and analytics around AD Federation Services. The same is true for Active Directory Domain Services. If we want more information, we do need to install an additional piece for that. At the bottom, there are some other settings, like general settings for auto-update, and users and groups as well. From a role-based access control perspective, you can get there from here also. But if we go back to Azure AD Connect Health, scroll to the top and hit this Quick Start item, on the right-hand side, if we scroll further down, you'll see this option to download and install Azure AD Connect Health agents so we can get health and usage information for our on-premises services. So the first one downloads Azure AD Connect Health for AD FS. We're not going to do that in this demo, as we don't have AD FS configured. We've already done the download of Azure AD Connect, which we used when we did the sync. But we can go ahead and grab this one: download Azure ADC.
So let's grab this one. That will now download, and we'll go ahead and run that, click Run and click Install. It will validate all the prerequisites for that. Okay, and that setup is successful. Let's go ahead and configure it. You'll see a bunch of PowerShell scripts execute, and we'll get an authentication window for us to sign into Azure. So we'll go ahead and do that again. And then once complete, you should get this message at the end: "Started agent services successfully," and then "Agent registration completed successfully." And so, that's all now in working order. So now if we go over to Azure AD again, let's close these down and have a look at Azure Active Directory. Go down to AD Connect; everything still syncs there, and scroll to the bottom. Select Connect Health. And if we scroll to the bottom now, we can see we also have health status for our Active Directory Domain Services as well. And if we click into that one, we just get some details. We've only got the one for us, and we can see things like replication status, operations, alerts, et cetera. We can go into Alerts and see if there are any that would appear over here. And then we can give a time range. And if we want to send notifications out, we can do it from this notification section as well. So, as you can see, AD Connect Health really monitors the AD Connect sync, Active Directory Federation Services, and Active Directory Domain Services. It can give us health for that as well. And with that, this concludes this demonstration, and hopefully that will arm you and get you ready.
9. Lecture: SSO and MFA
Let's take a minute now to talk about single sign-on, which you probably use a lot in your everyday life, particularly in your IT world. In Azure, this is provided by Azure AD Connect for users using password sync or pass-through authentication. It does require a company device with a modern browser in order for this to actually work. But, essentially, turning this on allows you to authenticate to your laptop using your Active Directory Domain Services credentials, and then you are no longer required to authenticate with Azure AD. It's linked to that Azure account via your AD account. And so when you're in your browser, your browser already knows, "Okay, this person is already logged on locally onto the machine. I don't need to prompt them again in the web browser. I can just pass through that authentication." It's important not to confuse single sign-on with multi-factor authentication, as they serve two different purposes. Single sign-on is about signing on once and then being allowed access to all of my services. Multi-factor authentication is about checking to make sure I am who I say I am. And it works by requiring two or more of the following verification methods. So your common one is something you know, like your password. You go to a website, type in your password (which you know or remember), and that authenticates you. But that's not necessarily enough on its own. In fact, with modern security practices, we just assume that passwords will get compromised at some point. So we move on to something else. Something you have is one example. So maybe you have a cell phone with you that can receive text messages or phone calls. Or maybe something you are. So biometrics are really good security mechanisms here; perhaps use a fingerprint reader, which verifies you are who you say you are. But one alone is not enough.
Multi-factor authentication is all about what it says: multi factor. So you might have your password plus the biometric, or password plus the text message, and then that will authenticate you into the system. And then you're signed on. Now you have access to all of your services with a single sign-on. It's important then to understand the different verification methods available. First of all, we have a phone call. This is where a call is placed to the registered phone number of the user. They might be required to enter a PIN, or just press "P" on their phone to verify they are who they say they are. That's one option there. Text message: again, the common one we talked about, Google being the classic example. Sign in, get the text message, enter the code, and move on. Mobile app notification: this is a great one where, instead of getting a text message, you just go onto an app, approve the request, and everything moves forward. Mobile app verification code: the mobile app, which is running on a smartphone, displays a code that changes every 30 seconds, and the user finds the most recent code and enters it on the sign-in page. In contrast to the text message, the app actually cycles through it every 30 seconds. It displays a different code, which you then enter. And finally, you can integrate with a third-party solution. So with that, this concludes this section on MFA and single sign-on. I definitely encourage you to just turn on MFA in the portal, and it will show you very easily how it works. And you can set it up so you just get a text message on your phone when you're signing into Azure, and that should make it pretty clear for you.