
Exam SC-300 – Microsoft Identity and Access Administrator

The Microsoft Identity and Access Administrator designs, implements, and operates an organization’s identity and access management systems by using Azure Active Directory (Azure AD). They manage tasks such as providing secure authentication and authorization access to enterprise applications. The administrator provides seamless experiences and self-service management capabilities for all users. Adaptive access and governance are core elements of the role. This role is also responsible for troubleshooting, monitoring, and reporting for the identity and access environment.

The Identity and Access Administrator may be a single individual or a member of a larger team. This role collaborates with many other roles in the organization to drive strategic identity projects to modernize identity solutions, to implement hybrid identity solutions, and to implement identity governance.

Part of the requirements for: Microsoft Certified: Identity and Access Administrator Associate
Related exams: none

Table of Contents

SC-300 part 1: Implement an identity management solution . 2
Unit 1: Implement initial configuration of Azure Active Directory . 2
  Introduction . 2
Unit 2: Configure and manage Azure Active Directory roles . 2
Unit 3: Exercise - manage users roles . 2
Unit 4: Configure and manage custom domains . 2
Unit 5: Configure and manage device registration . 2
Unit 6: Configure delegation by using administrative units . 2
Unit 7: Configure tenant-wide settings . 3

SC-300 part 1: Implement an identity management solution

Unit 1: Implement initial configuration of Azure Active Directory

Unit 2: Configure and manage Azure Active Directory roles

Unit 3: Exercise - manage users roles

Unit 4: Configure and manage custom domains

Unit 5: Configure and manage device registration
- Azure AD registered devices
- Azure AD joined devices
- Hybrid Azure AD joined devices

Unit 6: Configure delegation by using administrative units
- Plan your administrative units
- Delegate administration in Azure Active Directory
- Plan for delegation
- Define roles
- Delegate app administration
- Delegate app ownership
- Develop a security plan
- Establish emergency accounts
- Secure your administrator roles

Unit 7: Configure tenant-wide settings
- Configure tenant-wide user settings
- Member and guest users
- Sign in with LinkedIn
- Manage security defaults
- Configure the external user options
- Configure tenant properties for the directory

Unit 8: Exercise - setting tenant-wide settings

Unit 9: Knowledge check

Unit 10: Summary and Resources

Now that you have reviewed this module, you should be able to:
- Configure and manage Azure Active Directory roles.
- Configure and manage custom domains.
- Configure and manage device registration options.
- Configure delegation by using administrative units.
- Configure tenant-wide settings.

Use these resources to discover more:
- Information about which roles manage Azure resources and which roles manage Azure AD resources is available at Classic subscription administrator roles, Azure roles, and Azure AD roles.
- For more information about roles, see Understand Azure role definitions.
- For information about how to use PIM, see Privileged Identity Management.
- The following step-by-step guides provide information on how you can use Conditional Access to configure equivalent policies to those policies enabled by security defaults:
  o Require MFA for administrators
  o Require MFA for Azure management
  o Block legacy authentication
  o Require MFA for all users
  o Require Azure AD MFA registration - requires Azure AD Identity Protection, part of Azure AD Premium P2.

SC-300 Part 2: Implement an Authentication and Access Management solution

Unit 1:

Unit 2: What is Azure AD Multi-Factor Authentication?

Protecting your cloud assets is one of the primary goals of a security group. One of the primary ways unauthorized users get access to systems is by obtaining a valid username/password combination. Azure can help mitigate this with several features of Azure Active Directory, including:
- Password complexity rules. These force users to generate hard(er)-to-guess passwords.
- Password expiration rules. You can force users to change their passwords on a periodic basis (and avoid reusing previously used passwords).
- Self-service password reset (SSPR). This allows users to self-serve and reset their password if they have forgotten it, without involving an IT department.
- Azure AD Identity Protection. To help protect your organization's identities, you can configure risk-based policies that automatically respond to risky behaviors. These policies can either automatically block the behaviors or initiate remediation, including requiring password changes.
- Azure AD password protection. You can block commonly used and compromised passwords via a globally banned-password list.
- Azure AD smart lockout. Smart lockout helps lock out malicious hackers who are trying to guess your users’ passwords or use brute-force methods to get in. It recognizes sign-ins coming from valid users and treats them differently from those of malicious hackers and other unknown sources.
- Azure AD Application Proxy. You can provision security-enhanced remote access to on-premises web applications.
- Single sign-on (SSO) access to your applications. This includes thousands of pre-integrated SaaS apps.
- Azure AD Connect. Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and devices in sync.

These are all great options which deter someone guessing or brute-forcing a password. However, sometimes passwords are obtained through social engineering or poor physical security practices (like putting your password on a sticky note under your keyboard!). In these cases, the above features won't stop an intrusion. Instead, security administrators will want to turn to Azure AD Multi-Factor Authentication (MFA).

What is Azure AD MFA?

Azure AD Multi-Factor Authentication (MFA) supplies added security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
- Something you know - which might be a password or the answer to a security question.
- Something you possess - which might be a mobile app that receives a notification or a token-generating device.
- Something you are - which typically is a biometric property, such as a fingerprint or face scan used on many mobile devices.

Using Azure AD MFA increases identity security by limiting the impact of credential exposure. To fully authenticate, a malicious hacker who has a user's password would also need their phone or their fingerprint. Authentication with only a single factor is insufficient, and without authentication from Azure AD MFA, a malicious hacker is unable to use those credentials to authenticate. You should enable Azure AD MFA wherever possible, because it adds enormous benefits to security.

Azure AD MFA is the Microsoft two-step verification solution. Azure AD MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification methods, including phone call, text message, or mobile app verification. The security of Azure AD MFA lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for malicious hackers. Even if a malicious hacker manages to learn the user's password, it is useless without also possessing the trusted device. If the user loses the device, a person who finds it won't be able to use it without the user's password.

How to get Multi-Factor Authentication?

Multi-Factor Authentication comes as part of the following offerings:
- Azure Active Directory Premium or Microsoft 365 Business - Both of these offerings support Azure AD Multi-Factor Authentication using security defaults to require multi-factor authentication.
- Azure AD Free or standalone Microsoft 365 licenses - Use security defaults that require multi-factor authentication for your users and administrators.
- Azure Active Directory Global Administrators - A subset of Azure AD Multi-Factor Authentication capabilities is available as a means to protect global administrator accounts.

Unit 3: Plan your multi-factor authentication deployment

Before starting a deployment of Azure AD Multi-Factor Authentication, there are several things you should decide.

First, consider rolling out MFA in waves. Start with a small group of pilot users to evaluate the complexity of your environment and identify any setup issues or unsupported apps or devices. Then broaden that group over time, evaluating the results with each pass, until your entire company is enrolled.

Next, make sure to create a full communication plan. Azure AD MFA has several user interaction requirements, including a registration process. Keep users informed every step of the way and let them know what they are required to do, important dates, and how to get answers to questions if they have trouble. Microsoft provides communication templates, including posters and email templates, to help draft your communications.

Azure AD MFA policies

Azure AD Multi-Factor Authentication is enforced with Conditional Access policies. Conditional Access policies are IF-THEN statements: IF a user wants to access a resource, THEN they must complete an action. For example, a payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it. Other common access requests that might require MFA include:
- IF a specific cloud application is accessed
- IF a user is accessing a specific network
- IF a user is accessing a specific client application
- IF a user is registering a new device

Deciding supported authentication methods

When you turn on Azure AD MFA, you can choose the authentication methods you want to make available. You should always support more than one method so users have a backup option in case their primary method is unavailable. You can choose from the following methods:

Method: Mobile App
Description: A mobile authentication app such as the Microsoft Authenticator app can be used to retrieve an OATH verification code, which is then entered into the sign-in interface. This code is changed every 30 seconds and the app wo[...] is limited. Note that this approach doesn't work in China on Android devices.

Method: Call to a phone
Description: Azure can call a supplied phone number. The user then approves the authentication using the keypad. [...] backup method.

Method: Text message to a phone
Description: A text message with a verification code can be sent to a mobile phone. The user then enters the verific[...] sign-in interface to complete the authentication.

Administrators can enable one or more of the options above, and then users can opt in to each supported authentication method they want to use.

Selecting an authentication method

Finally, you must decide how users will register their selected methods. The easiest approach is to use Azure Active Directory Identity Protection. If your organization has licenses for Identity Protection, you can configure it to prompt users to register for MFA the next time they sign in.

Users can also be prompted to register for MFA when they try to use an application or service that requires multi-factor authentication. Finally, you can enforce registration using a Conditional Access policy applied to an Azure group containing all users in your organization. This approach requires some manual work to periodically review the group to remove registered users. There are some useful scripts in the documentation to automate some of this process.

Unit 4: Exercise - Enable Azure AD Multi-Factor Authentication
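An added example (my code, not the course's or Microsoft's): a toy Python model of the IF-THEN evaluation described under "Azure AD MFA policies", covering the group-scoped user condition used by the registration policy above and two of the security-defaults equivalents listed in the Unit 10 summary (require MFA for administrators, block legacy authentication). The policy bodies follow the shape of the Microsoft Graph conditionalAccessPolicy resource; the role, group and app ids are placeholders, and the evaluator is a deliberate simplification, not the Azure AD engine.

```python
# Toy model of Conditional Access IF-THEN evaluation (a simplification, not Azure's engine).
# Placeholder ids; a real tenant uses its own role template id, group id and app id here.
ADMIN_ROLE, PILOT_GROUP, PAYROLL_APP = "ROLE-ID-PLACEHOLDER", "GROUP-ID-PLACEHOLDER", "APP-ID-PLACEHOLDER"

# Policy bodies follow the shape of the Graph conditionalAccessPolicy resource.
POLICIES = [
    {"displayName": "Require MFA for administrators", "state": "enabled",
     "conditions": {"users": {"includeRoles": [ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Pilot: require MFA for payroll app", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": [PILOT_GROUP]},
                    "applications": {"includeApplications": [PAYROLL_APP]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def user_in_scope(users, signin):
    """User condition: explicit user, 'All', group membership, or directory role."""
    inc = users.get("includeUsers", [])
    return ("All" in inc or signin["user"] in inc
            or bool(set(users.get("includeGroups", [])) & set(signin.get("groups", [])))
            or bool(set(users.get("includeRoles", [])) & set(signin.get("roles", []))))

def policy_matches(policy, signin):
    """The IF part: user, application and client-app-type conditions must all hold."""
    c = policy["conditions"]
    apps = c["applications"].get("includeApplications", [])
    types = c.get("clientAppTypes", ["all"])
    return (user_in_scope(c["users"], signin) and ("All" in apps or signin["app"] in apps)
            and ("all" in types or signin["client_app_type"] in types))

def evaluate(policies, signin):
    """The THEN part: block beats every other control; report-only policies are
    recorded but never enforced, which is how a pilot wave is observed safely."""
    required, report_only = set(), []
    for p in policies:
        if p["state"] == "disabled" or not policy_matches(p, signin):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
            continue
        required.update(p["grantControls"]["builtInControls"])
    decision = "block" if "block" in required else ("mfa" if "mfa" in required else "allow")
    return decision, sorted(required), report_only
```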
