AZ-304 Microsoft Azure Architect Design – Design authentication
1. Design Identity and Security (25-30%)
The second major section of this exam says Design Identity and Security. And as you can see, it is worth a significant percentage of the exam score. So put a lot of emphasis on this. Identity within Microsoft Azure usually means Microsoft Azure Active Directory as the identity-as-a-service offering. So we’re going to start by talking about the concepts of authentication and authorization. Also included in identity and security is the concept of governance.
And so governance is the act of enacting company policies that are enforced by the technology, by policies and Blueprints within Azure itself. Finally, we’re going to talk a little bit about application security. As application developers, how can you implement and take advantage of Microsoft Azure security solutions in your applications? And this includes storing your secrets in a key vault and running your applications under managed identities. So in this section and the sections that follow, we’re going to be talking mostly about Azure Active Directory.
2. A Note about Azure AD for AZ-304
So in this section of the course, we’re going to talk about the second major objective of this exam, which says Design Identity and Security and is worth 25% to 30% of your exam score. Now, we do need to acknowledge that there does seem to be quite a bit of overlap between the AZ-303 requirements when it comes to identity and security and AZ-304. So in this video, we’re going to talk about how we’re going to deal with that overlap. These are the requirements for the AZ-303 exam. It clearly says implement Azure Active Directory, implement and manage hybrid identities, configure fraud alerts, configure user accounts for MFA, manage multiple directories, implement self-service password reset. And if we switch over to the AZ-304 requirements, what we’re talking about in this course, we can see that it says recommend a solution for single sign-on, recommend a solution for conditional access, recommend a solution for self-service. So the AZ-303 exam is much more about the implementation details, the decisions that you’re making as you’re setting up Azure, whereas the AZ-304 course leads you up to the point where you decide to use those tools in your solution. So let’s be clear about the difference between them. AZ-303 is the how-to-perform-tasks exam and AZ-304 is the strategy, or what-to-perform, exam.
So, to be frank with you, we’re not going to cover how to create an Azure AD tenant. I’m not going to show you in the portal how I created one, how I created users and groups and roles, and set up the relationships between those objects within the Azure AD. That is not only covered by the AZ-303 course, it is not even on this exam. There will not be a question on the AZ-304 exam asking you what the different types of users you can create are, or what the difference is between a user and a guest. That’s not going to be a question on this exam. We are going to cover authentication in terms of the decisions that we need to make to determine what type of authentication to add to our applications. We’re going to cover authorization.
Again, we are going to cover those decisions that you’re making in terms of how you’re going to authorize people and decide what level of access to grant. There are a couple of advanced AD topics that are on 304 that are not on 303. We will talk about those in this course as well. Clearly, there are a couple of sections that are more strategic, including governance and application security. So that’s going to be in this course as well.
3. Intro to Azure Active Directory
So in this section, we’re going to be talking about identity management within Azure. Now, as you may know, Microsoft’s preferred identity management solution is called Azure Active Directory. I have it pinned as a favorite on my favorites bar. Or you can go into All services and start typing Azure Active Directory, and you’ll see Azure Active Directory come up as an option. Now, you might recognize the term Active Directory from the very famous Windows solution that many companies use to manage logins inside a corporate network. Now, this is slightly different. It’s a related product and you can connect the two, but this does not replace your on-premises Active Directory. This works alongside it to manage identity in the cloud. So I’m going to choose Active Directory.
Now, you can see that I already have one set up and it takes me to my default directory. Now, there is a free tier, so it shouldn’t harm you at all to create your own Active Directory if you don’t have one. If I go into the top right menu here, where it has my user account, you can see that there is a Switch directory option. And by clicking it, I can basically see what my Active Directory accounts are, which one is set up as the default, et cetera. So in this section of the course, we’re going to talk about Active Directory: how to set it up for the first time, how to connect it to your on-premises Active Directory, defining roles, self-service identity management as one of the topics, and basically your strategy for setting up Active Directory to manage identity for your applications in the cloud.
4. Create a New Azure Active Directory
All right. So what we’re going to talk about in this video is creating a brand new Active Directory account. Now, for myself, when I go into Active Directory, I already have an account. But it’s quite possible, if you’re just starting out, that you don’t have an account. If you go into this Active Directory service and you don’t have an account, it’s going to prompt you to create one. If you already have an account and you want to go through and create a second account, then there is a Create a directory link even within existing Active Directories. So I’m going to say Create a directory. Now, we do need to give the organization a name. So let’s call this Test AD Version Two. This simply has to be an organization name that you’re going to identify with this directory. Now, Active Directory does create a domain name, and this domain name is actually used when connecting with it.
So create an Active Directory domain name. If you’re going to have external people connecting to your Active Directory, this is something that they’re going to see. So I’m going to put Azed Sgdtest Ad Two as my domain name, and you can see that it fully qualifies. I choose my region. So I am located in Canada. I’m going to scroll up to there and I’m going to click Create. It says here directory creation will take about 1 minute. So I’m going to click this button. I’m going to pause the video. When we come back, we’re going to have a brand new Active Directory account that we can start playing with, creating users and roles, assigning permissions, etc., and having our applications use as their authentication service. So I’ll pause the video. When we come back, we’ll have an Active Directory to work with.
5. Self-Service Password Reset
So in this video, we’re going to talk about the various self-service options that end users have to manage their accounts. Now, if I go down to the Password reset option of this Active Directory, you’ll see that there is a self-service password reset option. This is not enabled by default, and it’s not even available for free accounts. Once you upgrade to a Premium account, then you are able to allow end users to manage their own passwords, which includes recovering a lost password through an SMS message or through email. But like I said, we do need to enable this and we do need to be on a Premium account in order for this to work. Without this enabled, people are going to have problems with their passwords. They’re going to have to come to you, or more likely your support line, in order to say, I’m having trouble logging in. Can you reset my password? So this is a way of reducing costs by allowing users to reset their own password.
Also, it’s obviously incredibly convenient to be able to change your password. If you feel like it’s time to change your password, you can change it without having to talk to someone. And again, with help desk systems, having people do their password changes through the help desk is a cost and a volume issue, right? So again, this is not available for the free account. If we wanted to, we can go and set this to a free trial. And so we have a couple of options here: the Enterprise Mobility + Security option or the Azure AD Premium P2 option. So if I want to activate the free trial, then it’s going to activate. Now, this includes 30 days of access and it gets you up to 100 users and applications within your account. So let’s activate the free trial on this account. Now, this activated fairly quickly, almost instantly actually. I had to switch directory to a different directory and then switch back in order for it to recognize it. But it does say Azure AD for Office 365 instead of Azure AD Free.
So now I should have access to a few more things that we’re going to need to talk about in this section. If we go back to the password reset, we can see that we have the option. Now, to enable password reset options, I can select it for a particular group. We don’t even have any groups in this account. Or I can say I want password reset available to all users. And so this, again, is for end users. These are the people who you’ve created accounts for under the Users tab, or have invited as guest users, to be able to manage their passwords. So click Save. And now it’s going to allow users to manage their own passwords. Now, in order for users to be able to change their passwords, we’re basically going to require them to validate by email or by SMS message. We can have a mobile app. So there’s a Microsoft mobile app that basically will give them a code that they can approve, or some type of security questions where they give their mother’s maiden name and the street they grew up on in order to validate.
That’s a bit of an insecure method, but if you allow them to validate through email and a mobile phone, then they can modify their passwords once they’ve gone through that. So by default those are the authentication methods, and you can obviously set them up as you like. Of course, if you are turning this on, then you might want users to be forced to sign up with an email address or a phone number when they create their account, in order to have that ready for them when they forget their password. There’s no point in not having an email, not having a phone number, losing your password, and then you’re basically forcing them to go through support to change their password at that point. There’s also the ability for them to revalidate and reconfirm that their phone numbers and email addresses are still correct every X number of days. This is another security precaution.
Under notifications, when the password does change, it’s a good idea to send the user an email to say, oh, we just changed your password. That way, if there’s a hacking attempt or something’s happened, there’s at least an audit trail, and users will be notified that somebody has modified their password. Most of the time, hopefully, they expect it. Now, you can also set this up to notify admins when other admins reset their password. So that’s another security point: when an administrative account does a password reset, maybe we do want the other admins to know, because if Bob’s account got hacked and Bob’s an admin, that’s a pretty serious violation. So I would turn that on. If you want to allow people to go through a help desk, there’s a Contact your administrator link.
You can sort of customize that and put in a contact portal. Maybe you’ve got a help desk system where they can create tickets, etc. We don’t have on-premises integration here, but imagine you have an Active Directory within your network and you synchronize those accounts to the Internet through Microsoft Azure Active Directory. A person changes their password through Azure Active Directory. Do you want to write back those passwords to the on-premises directory? That allows users to change their Windows login through a password change on the Internet. So those are the options if you’ve got AD Connect enabled. So self-service password reset is a smart idea for saving money by allowing users to manage it themselves. Again, you do have to be on a Premium account for that, but once you’ve done that, it’s a pretty good idea to enable it.
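As an added example that is not part of the course and not Azure’s own API, the following Python script models the self-service password reset settings discussed above (allowed methods, the number of methods a user must register, the reconfirm-every-X-days setting, and who gets notified on a reset) and audits a constructed list of users for the cases that would otherwise end up at the help desk. The admin rules it applies (two methods required, no security questions) and all user data are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values, mirroring the portal settings described above.
ALLOWED_METHODS = {"email", "mobile_phone", "mobile_app", "security_questions"}
METHODS_REQUIRED = 1          # methods a regular user must have registered
ADMIN_METHODS_REQUIRED = 2    # assumed admin rule: two methods, no questions
RECONFIRM_DAYS = 180          # the "reconfirm every X days" setting


@dataclass
class User:
    name: str
    is_admin: bool
    registered: dict  # method name -> date the user last confirmed it


def usable_methods(user: User) -> set:
    """Registered methods that may count toward a reset for this user."""
    methods = set(user.registered) & ALLOWED_METHODS
    if user.is_admin:
        methods.discard("security_questions")  # too weak for admin accounts
    return methods


def audit_user(user: User, today: date) -> list:
    """Findings that would surface as a support call at reset time."""
    findings = []
    required = ADMIN_METHODS_REQUIRED if user.is_admin else METHODS_REQUIRED
    usable = usable_methods(user)
    if len(usable) < required:
        findings.append(f"needs {required} method(s), has {len(usable)}: falls back to support")
    for method in sorted(usable):
        if (today - user.registered[method]).days > RECONFIRM_DAYS:
            findings.append(f"{method} not reconfirmed in {RECONFIRM_DAYS} days")
    return findings


def audit(users: list, today: date) -> dict:
    return {u.name: audit_user(u, today) for u in users}


def notifications(reset_by: User, admins: list) -> list:
    """The user always gets notified; other admins too if an admin reset."""
    recipients = [reset_by.name]
    if reset_by.is_admin:
        recipients += [a.name for a in admins if a.name != reset_by.name]
    return recipients


# Constructed sample data for the audit.
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    User("alice", False, {"email": date(2024, 5, 1)}),
    User("bob", True, {"email": date(2023, 1, 1), "security_questions": date(2024, 5, 1)}),
    User("carol", False, {}),
]
```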