SC-300 Microsoft 身份存取和管理員- 01.執行身分識別管理解決方案
SC-300:執行身分識別管理解決方案
- 實作 Azure Active Directory 的初始設定
- 建立、設定及管理身分識別
- 實作及管理外部身分識別
- 實作及管理混合式身分識別
Azure AD安全性功能依照License options有不同的支援
Azure AD Free
Azure AD Premium P1
Azure AD Premium P2
Microsoft 365 Apps(basic)
| Features | Free | Microsft 365 Apps(basic) | Premium P1 | Premium P2 |
|---|---|---|---|---|
| MFA only for admin | V | V | V | V |
| MFA only for user | V | V | ||
| Single-sign on | V | V | V | V |
| Conditional Access | V | V | ||
| Identity Protection | V | |||
| Custom Role | X | |||
| self-service password reset (SSPR) | X | V | ||
| Customization of the smart lockout settings | V | V |
Licensing requirements for Azure Active Directory self-service password reset
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing
Custom Domain
Admin access to Azure and Azure AD
Azure Portal - https://portal.azure.com
Azure AD Admin Portal - https://aad.portal.azure.com
M365 Admin Center - https://admin.microsoft.com
Cloud App Security (MCAS) Portal - https://portal.cloudappsecurity.com
將裝置Join或registered到Azure AD後,Conditional Access才能控制允許或阻擋裝置存取特定服務
Devices (endpoints) are a crucial part of Microsoft’s Zero Trust concept. Devices can be Registered, Joined, or Hybrid Joined to Azure AD. Conditional Access uses the device information as one of the decisions criteria to allow or block access to services
| Join Type | Purpose |
|---|---|
| Registered | Devices that are Azure AD registered are typically personally owned or mobile devices and are signed in with a personal Microsoft account or another local account. |
| Joined | Devices that are Azure AD joined are owned by an organization and are signed in with an Azure AD account belonging to that organization. They exist only in the cloud. |
| Hybrid Joined | Devices that are hybrid Azure AD joined are owned by an organization and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises. |
條件存取原則可以控管設備
1.Azure AD join device
情境cloud-first or cloud only organization
organization-owned device
先用雲端驗證後才存取內部部屬資源
只能是Windows 10 devices(not Home)
2.Hybird Azure AD joined devices
先用企業AD內部驗證,才存取雲端 或 先用Azure AD驗證在存取內部部屬資源
Active Directory machine authentication (需要有AD電腦帳號,所以必須是Windows並且是win7以上,不可以是家用版)
在Azure操作上只有兩種設定:註冊 與 加入JOIN
預設目錄 > Devices| Device settings
Users may join devices to Azure AD - All/Selected/None
Users may register their devices with Azure AD - All/None
委派
Administrative unit
1.create a new administrative unit
2.Assign roles
ex. Authentication administrator, Cloud device administator, groups administator, Password administator…等
3.Add user or group
Delegatiing app Administration
*Application Administator role
*Cloud Application Administrator role
Delegatiing app registration
*Application Developer role
Delegatiing app ownership
*Enterprise Application Owner role
*Application Registration role
預設目錄> Properties
Tenant properties > Manage Security defaults > Enable Security default: yes/no
控制以下5個設定
1.Requiring all users to register for azure ad multi-factor authentication
2.Requiring administrators to perform multi-factor authentication
3.Blocking legacy authentication protocols
4.Requiring users to perform multi-factor authentication when necessary
5.protect privileged activities like access to the azure portal
預設目錄 | User Settings
Enterprise applications
App registrations
Restrict access to Azure AD administration portal: yes/no
LinkedIn account connections
Allow users to connect their work or school acount with linkedin
Data…
yes/no
External collaboration settings
Guest user access
[ ] Guest users have the same access as members (most inclusive)
[ ] Guest users have limited access to properties and memberships of directory objects
[ ] Guest user access is restricted to …
Guest invite settings
[]Anyone in the ..
[]Member users and user assigned to ..
[]Only user assgined...
[]No one in the...
Identity Providers
- Guest users have the same access as members (most inclusive): This option gives guests the same access to Azure AD resources and directory data as member users.
- Guest users have limited access to properties and memberships of directory objects: (Default) This setting blocks guests from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all non-hidden groups.
- Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): With this setting, guests can access only their own profiles. Guests are not allowed to see other users’ profiles, groups, or group memberships.
- Anyone in the organization can invite guest users including guests and non-admins (most inclusive): To allow guests in the organization to invite other guests including those who are not members of an organization, select this radio button.
- Member users and users assigned to specific admin roles can invite guest users including guests with member permissions: To allow member users and users who have specific administrator roles to invite guests, select this radio button.
- Only users assigned to specific admin roles can invite guest users: To allow only those users with administrator roles to invite guests, select this radio button. The administrator roles include Global Administrator, User Administrator, and Guest Inviter.
- No one in the organization can invite guest users including admins (most restrictive): To deny everyone in the organization from inviting guests, select this radio button.
- If Members can invite is set to No and Admins and users in the guest inviter role can invite is set to Yes, users in the Guest Inviter role will still be able to invite guests.
- You can create either an allow list or a deny list. You can’t set up both types of lists. By default, whatever domains are not in the allow list are on the deny list, and vice versa.
- You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one.
- The number of domains you can add to an allow list or deny list is limited only by the size of the policy. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allow list or deny list and any other parameters configured for other features.
- This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or deny list for OneDrive for Business and SharePoint Online.
- The list does not apply to external users who have already redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user’s attempt to redeem the invitation will fail.
預設目錄> Enterprise applications | User Settings
Enterprise applications
Users can add gallery apps to My Apps: yes/no
Admin consent requests
Users can request admin consent to apps they are unable to consent to : yes/no
Who can review admin consent requests
Reviewer Type Reviewers
Office 365 Settings
New user 建立後是Member類型,有兩種Source
Windows Server AD
Azure Active Directory
New guest User 建立後是Guest類型,有多種Source,視使用者的email的不同而定
Inviter User (網域是自己組織的網域@onmicrosoft或個人微軟帳戶@outlook.com, @hotmail.com ,屬於B2C)
Microsoft Account
Azure Active Directory
External Azure Active Directory (其他組織 @abc.com,屬於B2B)
Bulk invite
csv檔(必要欄位email address, Redirection url)
- Email address to invite - the user who will receive an invitation
- Redirection url - the URL to which the invited user is forwarded after accepting the invitation.
Bulk create
select New guest user
Next page will select invite user
select New user
Next page will select create user
when invite a Microsoft Account
The user will receive a invitation email
when click Accept invitation
點選接受後,會導向一個個人頁面
Create, configure, and manage groups
Security groups:
有SID, 可以存取AAD
最一般會使用
管理存取資源
Microsoft 365 groups: 無SID, 可存取 M365
存取共用信箱、行事曆、Sharepoint
Group type
Security: Assigned/Dynamic user/Dynamic Device
Microsoft 365: Assigned/Dynamic user
Office 365 Group:
need to collaborate using shared files, group email, and shared calendar
Distribution Group:
need to send communications to everyone on the list
Mail-enabled Security Group:
assigned permissions to a Network Folder, SharePoint site/library, shared printer
Security Group:
access to a resource
members of Office 365 Group:
Users Only
members of Distribution group:
Mail-enabled Security, other Distribution groups and Users
members of Mail-enabled Security group:
Distribution, other Mail-enabled Security groups and Users
members of Security groups:
Distribution, Mail-enabled Security, Security groups and Users
License
- Azure AD
- Free
- P1
- P2
- O365
- E3
- G3
Assign Azure AD License can be a user or a group
如果user沒有設定Usage location就會license指派失敗
https://github.com/rgl/azure-content/blob/master/articles/cdn/cdn-country-codes.md
當指派license給group時:
1.Assign license時
如果透過Azure Portal建立的Microsoft 365 group會含有security屬性,此時才能指派license給這群組
如果透過Microsoft 365建立的Microsoft 365 group就沒有security屬性,此時就無法指派license給這個群組
2.只會授權給group裡面的member user,不會指派給group裡面的group裡的user
Azure AD licenses
FREE
Device Rigister / Join
Azure AD Business to Businiss (B2B) – 1.0 Endpoint
Guest----->School,Work MS Account / Other ORG’s Email Accounts
Run Assigned Apps
Azure AD Business to Consumer (B2C) – 2.0 Endpoint
User—>Personal MS Account/ Social Account
Admin or Access
OFFICE 365 APPS (BASIC)
Self-service password reset (SSPR)
PREMIUM P1
Multi-Factor Authentication (MFA)
Password Write-Back
Conditional Acces Policy
Dynamic groups
Banned Password Lists
Custom Roles
Group-based Licensing
PREMIUM P2
Privileged Identity Management (PIM)
-Just in Time (JIT) Administration
-Report for Admins
Identity Protection (IP)
Risk based Conditional Access Policy
Access Reviews
Entitlement Management
AD Connect
沒有留言:
張貼留言