In this blog, I am going to share some quick tips, Q&As, and useful links from Day 3 of our recent batch of Cloud Security for Azure, AWS, Google Cloud & Oracle. Day 3 continues Module 1 and covers topics such as Resource Locks, Privileged Identity Management, Hybrid Identity, Authentication options, and more.
We also worked through Lab 3, Lab 5, and Lab 6 of the 18+ extensive hands-on labs.
Previously, in the Day 1 session, we got an overview of cloud security concepts and the different security approaches.
In the Day 2 Live Session, we talked about Azure Active Directory and its features, the differences between Azure AD and AD DS, and Azure AD users, groups, and roles.
So, here are some of the Q&As asked during the Live session from Module 1: Manage Identity and Access.
Resource Groups
Azure Resource Group is a logical collection of all resources. The resource group stores metadata about the resources. It is generally created on an environment basis such as development, production, or testing resource groups.
Basically, it provides a way to monitor, control access to, provision, and manage billing for the collection of assets/resources that a client is using.
Q1. What is the Advantage of Resource Groups?
Ans. Azure Resource Groups conceptually organize virtual machines, storage accounts, virtual networks, web apps, databases, or database servers. Users combine the resources for a specific project into a single resource group so that production and test resources are not mixed up.
>Know more about Resource Group

Resource Locks
As an administrator, you can lock a subscription, resource group, or resource to protect other users in your organization from accidentally deleting or updating critical resources. The lock overrides any permissions the user may have.
You can choose between CanNotDelete and ReadOnly as the lock level. In the portal, these lock levels are called Delete and Read-only, respectively.
- Authorized users can still view and change a resource using CanNotDelete, but they can’t delete it.
- Authorized users can read but not delete or update a resource if it is set to ReadOnly. Applying this lock is analogous to limiting all authorized users to the Reader role’s permissions.
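The two lock levels above combine with lock inheritance: a lock set on a subscription or resource group applies to everything underneath it, and a resource with several inherited locks gets the most restrictive result. The script below is an added example (not code from the original post) that models that evaluation; the subscription ID, resource IDs and the lock table are constructed for illustration.

```python
# Added example, not part of the original post: a small model of how Azure
# resource locks combine across scopes. The resource IDs and locks below are
# constructed for illustration.

CAN_NOT_DELETE = "CanNotDelete"   # shown as "Delete" in the portal
READ_ONLY = "ReadOnly"            # shown as "Read-only" in the portal

# Operations each lock level blocks. Reads are never blocked by a lock.
BLOCKED_BY = {
    CAN_NOT_DELETE: {"delete"},
    READ_ONLY: {"delete", "write"},
}

# Constructed resource IDs (ARM resource ID layout, placeholder subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
KV_PROD = RG_PROD + "/providers/Microsoft.KeyVault/vaults/kv-prod-01"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev-01"

# Constructed lock table: scope -> lock level.
SAMPLE_LOCKS = {
    RG_PROD: CAN_NOT_DELETE,  # nothing in the prod group may be deleted
    KV_PROD: READ_ONLY,       # the vault may additionally not be changed
}


def effective_lock_levels(resource_id, locks):
    """Lock levels that apply to resource_id: locks on the resource itself
    plus any lock set on a parent scope (resource group or subscription).
    A child scope inherits every parent lock; the most restrictive wins."""
    levels = set()
    for scope, level in locks.items():
        if resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/"):
            levels.add(level)
    return levels


def is_operation_allowed(operation, resource_id, locks):
    """operation is 'read', 'write' or 'delete'. Locks restrict operations,
    not identities, so the answer is the same whoever is asking, including
    an Owner of the resource."""
    blocked = set()
    for level in effective_lock_levels(resource_id, locks):
        blocked |= BLOCKED_BY[level]
    return operation not in blocked


def lock_report(resource_ids, locks):
    """{resource_id: {'read': bool, 'write': bool, 'delete': bool}}."""
    return {
        rid: {op: is_operation_allowed(op, rid, locks) for op in ("read", "write", "delete")}
        for rid in resource_ids
    }


if __name__ == "__main__":
    for rid, perms in lock_report([VM_PROD, KV_PROD, VM_DEV], SAMPLE_LOCKS).items():
        print(rid.rsplit("/", 1)[-1], perms)
```

Two practical caveats the model does not capture: a ReadOnly lock blocks every request that is not an HTTP GET, so operations that feel like reads but are POSTs (listing storage account keys, for example) fail under it; and a lock is only as strong as the permission to remove it, which is held by the Owner and User Access Administrator roles, so lock changes deserve an alert in your activity log monitoring.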

Tags
Tags are used to classify Azure resources, resource groups, and subscriptions into a taxonomy. Each tag is a name and value pair. For example, you can apply the tag name Environment with the value Production to all of your production resources.
>Know more about Tagging

Q2. Can tags applied to a resource group be inherited?
Ans. The resources don’t inherit tags applied to the resource group or subscription.
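Because tags are not inherited, a tag audit has to look at each resource's own tags, and any "inherit from the resource group" behaviour has to be applied explicitly. The script below is an added example (not code from the original post) that audits a constructed set of resources against a required-tag list and shows what copying group tags down would and would not fix; the resource records, group tags and tag names are all constructed.

```python
# Added example, not part of the original post: tags on a resource group are
# not inherited by the resources inside it, so a tag audit must look at each
# resource's own tags. The resource records below are constructed and only
# loosely shaped like `az resource list` output (name, resourceGroup, tags).

REQUIRED_TAGS = ("Environment", "Owner")

# Constructed: tags set on the resource groups themselves.
GROUP_TAGS = {
    "rg-prod": {"Environment": "Production", "Owner": "platform-team"},
    "rg-dev": {"Environment": "Development"},
}

# Constructed: resources with the tags actually present on each one.
RESOURCES = [
    {"name": "vm-prod-01", "resourceGroup": "rg-prod",
     "tags": {"Environment": "Production", "Owner": "platform-team"}},
    {"name": "st-prod-logs", "resourceGroup": "rg-prod", "tags": None},  # created untagged
    {"name": "vm-dev-01", "resourceGroup": "rg-dev",
     "tags": {"Environment": "Staging"}},  # disagrees with its group's tag
]


def missing_tags(resource, required=REQUIRED_TAGS):
    """Names of required tags that are absent or empty on this resource."""
    tags = resource.get("tags") or {}
    return [name for name in required if not tags.get(name)]


def audit(resources, required=REQUIRED_TAGS):
    """{resource name: [missing tag names]} for every non-compliant resource."""
    report = {}
    for resource in resources:
        missing = missing_tags(resource, required)
        if missing:
            report[resource["name"]] = missing
    return report


def inherit_from_group(resource, group_tags):
    """Tags the resource would carry if its group's tags were copied down for
    every tag the resource lacks. The resource's own value wins on conflict,
    which is also how Azure Policy's built-in "Inherit a tag from the resource
    group if missing" definition behaves (modify effect)."""
    merged = dict(group_tags.get(resource["resourceGroup"], {}))
    merged.update(resource.get("tags") or {})
    return merged


def propagate(resources, group_tags):
    """New resource records with group tags inherited (inputs left untouched)."""
    return [dict(r, tags=inherit_from_group(r, group_tags)) for r in resources]


if __name__ == "__main__":
    print("before:", audit(RESOURCES))
    print("after: ", audit(propagate(RESOURCES, GROUP_TAGS)))
```

Note what the second audit still reports: copying group tags only helps where the group itself is tagged correctly, so a required-tag policy on resource groups (deny or audit effect) belongs alongside the inherit policy. Writing the merged tags back in a real tenant would be done with `az tag update --resource-id <id> --operation Merge --tags ...` (Azure CLI) rather than with this offline script.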
Azure Blueprints
An Azure Blueprint is a package of rules and artefacts that governs how Azure services are deployed, secured, and architected. Such packages are reusable, so resource consistency and compliance can be maintained across deployments.
Q3. Can I manage my blueprints as code?
Ans. Yes, each blueprint is exposed through an API. This means blueprint definitions can be kept as code and continuously pushed to Azure.

The following is a typical Azure Blueprint lifecycle:
- Creating a blueprint
- Publishing the blueprint
- Creating or modifying a new blueprint version
- Publishing the new version of the blueprint
- Deleting a specific blueprint version
- Deleting the blueprint in its entirety
>Know more about Azure RBAC Vs Azure Policies Vs Azure Blueprints
Q4. What is the difference between a blueprint and an Azure Resource Manager template?
Ans. A blueprint definition’s key building block (artefact) is a Resource Manager template. In new blueprints, you can use any of your current Resource Manager templates. While Resource Manager templates are only utilized during deployment and do not maintain relationships with deployed resources, Azure Blueprints do, allowing for better tracking and auditing of deployments as well as the ability to update subscriptions that are governed by the same blueprint.
>Know more about ARM Template
Azure Subscription
Azure Subscriptions are a logical unit of Azure services that are linked to an Azure account. In order to take advantage of Azure’s cloud-based services, you must have a subscription as it serves as a single billing unit for Azure resources used in that account.

Q5. Can I move my resources from one Subscription to another?
Ans. Using the Azure portal, you can move a resource and its associated resources to a different subscription. Go to Browse > Resource groups and select the resource group that contains the VM you want to relocate. At the top of the resource group’s page, select Move, then Move to another subscription.

Azure Subscription Management
If you have only a few subscriptions, managing them individually is fairly simple. If you have many, create a management group hierarchy to help manage your subscriptions and resources. Azure management groups make it easier to manage access, policies, and compliance across your subscriptions. Each management group is a container that holds one or more subscriptions.

Q6. What is the tenant in Azure?
Ans. In Azure Active Directory, a tenant represents an organization. When an organization signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365, it obtains and controls a dedicated instance of Azure AD. Each Azure AD tenant is distinct and independent of the others.
Privileged Identity Management
Privileged Identity Management (PIM) is an Azure Active Directory (Azure AD) service that lets you manage, regulate, and monitor access to critical resources in your company. Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 and Microsoft Intune are examples of these resources.
An Azure AD Premium P2 license is required to use this functionality.

What does PIM do?
Privileged Identity Management allows you to activate roles on a time and approval basis, reducing the risk of excessive, unneeded, or misused access permissions on the resources you care about.
Privileged Identity Management includes the following major features:
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate the privileged roles
- Enforce MFA to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Prevent removal of the last active Global Administrator role assignment
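Two of the features above, justification and downloadable audit history, are what make PIM reviewable after the fact. The script below is an added example (not code from the original post) that reads a small set of activation events and flags activations with no justification or with a duration beyond an assumed organisational limit. The entries are constructed and only shaped like Azure AD audit log records; treat the field names (activityDisplayName, initiatedBy, targetResources, additionalDetails and its Justification/StartTime/ExpirationTime keys) as an assumption to verify against your own export, and the 8-hour limit as a policy example rather than an Azure default.

```python
# Added example, not part of the original post: review of PIM activation
# events from a downloaded audit history. The entries below are constructed
# and only shaped like Azure AD audit log records; field names are an
# assumption to check against a real export.
from datetime import datetime

ACTIVATION = "Add member to role completed (PIM activation)"
MAX_ACTIVATION_HOURS = 8  # assumed organisational policy, not an Azure default

SAMPLE_AUDIT = [  # constructed
    {"activityDateTime": "2023-03-01T09:02:11Z", "activityDisplayName": ACTIVATION,
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
     "additionalDetails": [
         {"key": "Justification", "value": "INC-1234: change tenant branding"},
         {"key": "StartTime", "value": "2023-03-01T09:02:11Z"},
         {"key": "ExpirationTime", "value": "2023-03-01T11:02:11Z"}]},
    {"activityDateTime": "2023-03-01T13:40:05Z", "activityDisplayName": ACTIVATION,
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "User Administrator", "type": "Role"}],
     "additionalDetails": [
         {"key": "Justification", "value": ""},
         {"key": "StartTime", "value": "2023-03-01T13:40:05Z"},
         {"key": "ExpirationTime", "value": "2023-03-01T15:40:05Z"}]},
    {"activityDateTime": "2023-03-02T22:15:30Z", "activityDisplayName": ACTIVATION,
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
     "additionalDetails": [
         {"key": "Justification", "value": "migration window"},
         {"key": "StartTime", "value": "2023-03-02T22:15:30Z"},
         {"key": "ExpirationTime", "value": "2023-03-03T22:15:30Z"}]},
    {"activityDateTime": "2023-03-02T22:15:00Z",   # request, not a completed activation
     "activityDisplayName": "Add member to role requested (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
     "additionalDetails": []},
]


def details(entry):
    """Flatten the key/value list in additionalDetails into a dict."""
    return {d["key"]: d.get("value", "") for d in entry.get("additionalDetails", [])}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def activation_hours(entry):
    d = details(entry)
    return (parse_ts(d["ExpirationTime"]) - parse_ts(d["StartTime"])).total_seconds() / 3600


def review(entries, max_hours=MAX_ACTIVATION_HOURS):
    """Findings as (upn, role, reason) for completed activations that lack a
    justification or exceed the allowed duration."""
    findings = []
    for entry in entries:
        if entry.get("activityDisplayName") != ACTIVATION:
            continue
        upn = entry["initiatedBy"]["user"]["userPrincipalName"]
        role = entry["targetResources"][0]["displayName"]
        d = details(entry)
        if not d.get("Justification", "").strip():
            findings.append((upn, role, "no justification recorded"))
        hours = activation_hours(entry)
        if hours > max_hours:
            findings.append((upn, role, f"active for {hours:.0f}h, limit {max_hours}h"))
    return findings


def activations_per_user(entries):
    """How often each user activated a role; useful for spotting standing access in disguise."""
    counts = {}
    for entry in entries:
        if entry.get("activityDisplayName") == ACTIVATION:
            upn = entry["initiatedBy"]["user"]["userPrincipalName"]
            counts[upn] = counts.get(upn, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT):
        print(*finding, sep=" | ")
    print(activations_per_user(SAMPLE_AUDIT))
```

PIM role settings can require justification and cap the activation duration up front, so findings like these normally mean the role settings were not configured (or were changed) rather than that a user misbehaved; the review confirms the settings were actually in force for the period audited.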

>Know more about Authentication And Authorization
Hybrid Identity
Businesses are increasingly using a combination of on-premises and cloud applications, and users expect access to those applications both on-premises and in the cloud. Managing users in both places presents unique challenges.
Microsoft’s identity management solutions include both on-premises and cloud-based options. These solutions establish a single user identity that can be used to authenticate and authorize access to any resource, regardless of location. This is what we refer to as a hybrid identity.
>Know more about Hybrid Identity

Depending on your situation, one of three authentication techniques can be utilized to accomplish hybrid identity with Azure AD. The three ways are as follows:
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Federation (AD FS)
AD Connect
Azure AD Connect is the Microsoft tool that helps you meet your hybrid identity objectives. It provides the following features:
- Password hash synchronization – A sign-in method that synchronizes a hash of a user’s on-premises AD password with Azure AD.
- Pass-through authentication – A sign-in method that lets users use the same password on-premises and in the cloud without the need for federated infrastructure.
- Federation integration – An optional feature of Azure AD Connect that can be used to set up a hybrid environment with on-premises AD FS. It also includes AD FS management features such as certificate renewal and the deployment of additional AD FS servers.
- Synchronization – Creates users, groups, and other objects in Azure AD and ensures that the identity information for your on-premises users and groups matches what is in the cloud. Password hashes are also included in this synchronization.
- Health monitoring – Azure AD Connect Health provides robust monitoring and a central location in the Azure portal to observe this activity.
>Know more about AD Connect

Authentication options
Microsoft recommends passwordless authentication methods such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app because they provide the most secure sign-in experience. Although a user can still sign in using other common methods such as a username and password, passwords should be replaced with more secure authentication methods.

Q7. How does each authentication method work?
Ans. Some authentication methods, such as a FIDO2 security key or a password, can be used as the primary factor when you sign in to an app or device. Other authentication methods are only available as a secondary factor when you use Azure AD Multi-Factor Authentication or SSPR.

Pass-through Authentication
Pass-through Authentication in Azure Active Directory (Azure AD) allows your users to sign in to both on-premises and cloud-based applications using the same credentials. This feature gives your users a better experience by requiring them to remember fewer passwords, as well as lowering IT support expenses because they are less likely to forget how to sign in. This functionality checks users’ passwords against your on-premises Active Directory when they sign in using Azure AD.

Password hash synchronization
One of the sign-in methods used to achieve hybrid identity is password hash synchronization. Azure AD Connect synchronizes a hash of a user’s password from an on-premises Active Directory instance to an Azure AD instance in the cloud.

Federation with Azure AD
A federation is a group of domains that have established trust between them. The level of trust can vary, but it almost always includes authentication and authorization. A typical federation consists of several organizations that have established trust in order to share access to a set of resources.
You can federate your on-premises environment with Azure AD and use it for authentication and authorization. With this sign-in method, all user authentication takes place on-premises. Administrators can use this approach to implement more stringent levels of access control. Federation is possible using AD FS and PingFederate.

Q8. What is Azure Active Directory Seamless Single Sign-On?
Ans. Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on corporate devices connected to your corporate network. When enabled, users can sign in to Azure AD without having to type in their passwords or, in most cases, even their usernames. This feature gives your users easy access to your cloud-based applications without the need for any additional on-premises components.
Password writeback
As the name suggests, password writeback ensures that when a password is changed in Azure AD, it is written back to the on-premises AD. It is a feature of Azure AD Connect.

Q9. What are the key capabilities of SSPR?
Ans. SSPR has the following key capabilities:
- Self-service enables end-users to reset their passwords, whether they are expired or not, without having to contact an administrator or helpdesk.
- Password Writeback is a cloud-based system for managing on-premises passwords and resolving account lockouts.
- Administrators can view password reset and registration activities in their organization using password management activity reports.
>Know more about Cloud Security
Quiz Time (Sample Exam Questions)!
With our Cloud Security For Azure, AWS, Google Cloud & Oracle training program, we cover 220+ sample exam questions to help you prepare for the certification like AZ-500.
Check out one of the questions and see if you can crack this…
Ques: You want to give a user access to a resource group, but you don’t want him to make any changes in that resource group. Which Azure feature will you use for this?
A. AD Connect
B. Azure Policy
C. Resource Lock
D. PIM
The correct answer will be revealed in my next week’s blog.
Here is the answer to the question shared in the previous blog.
Ques: You want to assign a network administrator role to one of your newly joined technical team members. Which Azure feature will you use to assign this role?
A. RBAC
B. Resource Group
C. Subscription
D. Policy
Answer: A
Explanation: RBAC helps you in assigning a role-based access control, so you can assign network administrator roles through RBAC.
Feedback
We always work on improving and being a better version of ourselves than in previous sessions, hence we constantly ask for feedback from our attendees.
Here’s the feedback that we received from our trainees who had attended the session…

Related/References
- [Recap] Day 1:Cloud Security Concepts [For Azure, AWS, Google & Oracle]
- Microsoft Azure Security Technologies: Step By Step Activity Guides
- Microsoft Azure Security Technologies Certification
- Azure Security Center [AZ-500]: Everything You Should Know
- [AZ-500] All about Azure Active Directory
Next Task For You
To get more clarity on what to expect in the training program, I recommend that you attend the FREE Class I’m holding this weekend! This FREE class will help you understand what the training program looks like and give you a clear vision to plan your career ahead!
Join me in the FREE Session and fast track your success!
Click on the image below and register for our FREE CLASS now!
