In this video, explore various real-world scenarios and discover what authentication solution works best.
- [Instructor] The second major section of the exam says "design identity and security" and is worth 25 to 30% of the exam. This is the largest topic on the AZ-304 exam and should perhaps get more study time than the other sections. The first subcategory of this is to design authentication. Azure Active Directory is the premier authentication solution within Azure. Whenever you see a question on the exam looking for a solution for authentication, Azure AD has to be top of mind. You would have covered the implementation aspects of Azure AD on the AZ-303 exam, so this exam will not cover the basics of that. The AZ-304 exam requirements ask you to recommend a solution for a number of authentication-related problems. So of course, all of the answers will be in the Azure Active Directory set of products.

It's a bit like the TV show "Jeopardy." The category is authentication. This is the recommended solution for authentication. What is Azure AD? This Azure feature enables single sign-on. What is Azure AD app registration? This Azure feature allows you to enable conditional access to resources. What is Azure AD Conditional Access? Okay, I won't stretch the analogy any further, you get the idea.

So if you see a question asking about a solution for network access authentication, many Azure services now support integration with Azure AD for authentication; look at Azure Storage and Azure SQL Database as examples of that. Don't forget that Azure AD does integrate with your on-premises Active Directory, using AD Connect. You can set up health monitoring of that connection using Azure AD Connect Health. If the synchronization of your on-prem AD and Azure AD were ever to fail, this could be a security issue, as employees that have left your organization would possibly retain access to their Azure-hosted apps. If you choose to study for the AZ-303 exam before this one, you would have learned about the implementation of Azure AD, so hopefully this section is mainly a reminder.
The AZ-304 exam focuses on three specific aspects of Azure Active Directory: multifactor authentication, AD Connect and self-service password reset. It's important to be familiar with how MFA works with Azure AD. The user interface inside of Azure has changed recently; I recommend setting up MFA on a real Azure AD account. Be familiar with all of the options for validating your login, including SMS, authenticator app, phone call and email. Know when those options are available and when they are not available.

When you want to integrate Azure AD with your on-premises AD, how do you do that? If the synchronization of your on-premises AD and Azure AD were to fail, that would be a potential security problem. Users who leave or are let go from your company would retain their access to their Azure apps, and new users added would not be able to access them at all. If you wanted to set up an alert to let you know when that synchronization fails, what feature of Azure AD lets you do that?

Finally, self-service password reset. It seems like a logical feature, letting users reset their own passwords and not needing to contact support to do so, but there are complexities here. If you use Azure AD Connect to do a password synchronization with your on-premises server, changing the password in the cloud means that that password has to be sent back to your on-premises AD. Allowing passwords to be written back to AD is a feature that has to be enabled. Like I said, there are complexities to it. If you have multiple security features enabled, they might conflict with each other. How do multifactor authentication and self-service password reset interact? Can you even allow people to change their passwords if you have MFA enabled? There are also various forms of Conditional Access that only enable MFA under certain conditions. For instance, you can add the additional MFA protection only for users trying to log in from outside the network or in a way they have never tried before.
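The last scenario the instructor mentions, requiring MFA only for sign-ins that come from outside the corporate network, is expressed in Azure AD as a Conditional Access policy. The following is an added example, not code from the course, built with the Microsoft Graph PowerShell SDK (Connect-MgGraph and New-MgIdentityConditionalAccessPolicy). The policy display name, the report-only starting state and the break-glass account placeholder are assumptions for illustration; the condition and grant-control property names follow the Microsoft Graph conditionalAccessPolicy schema.

```powershell
# Added example (not from the course): a Conditional Access policy that requires MFA
# only for sign-ins originating outside the tenant's trusted named locations.
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to create policies.
# Policy name, state and the excluded account id below are assumed values for this example.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA from untrusted locations"
    # Report-only first: sign-in logs show what the policy *would* have done,
    # so you can verify the MFA/SSPR interplay before enforcing it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Always exclude at least one emergency-access (break-glass) account
            # so a misconfigured policy cannot lock every admin out. Replace with a real object id.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            # "AllTrusted" = every named location marked as trusted,
            # e.g. the corporate network's public IP ranges.
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Creates the policy via POST /identity/conditionalAccess/policies.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Sign-ins from a trusted named location are not matched by the policy at all, so no MFA prompt is raised there; any other location gets the MFA grant control. Once the report-only results in the sign-in logs look right, change `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy.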