
Microsoft Identity and Access Administrator Exam Guide: Implement IAM solutions with Azure AD, build an identity governance strategy, and pass the SC-300 exam
Ebook, 652 pages, 3 hours


About this ebook

Cloud technologies have made identity and access the new control plane for securing data. Without proper planning and discipline in deploying, monitoring, and managing identity and access for users, administrators, and guests, you may be compromising your infrastructure and data. This book is a preparation guide that covers all the objectives of the SC-300 exam, while teaching you about the identity and access services that are available from Microsoft and preparing you for real-world challenges.
The book starts with an overview of the SC-300 exam and helps you understand identity and access management. As you progress to the implementation of IAM solutions, you’ll learn to deploy secure identity and access within Microsoft 365 and Azure Active Directory. The book will take you from legacy on-premises identity solutions to modern and password-less authentication solutions that provide high-level security for identity and access. You’ll focus on implementing access and authentication for cloud-only and hybrid infrastructures as well as understand how to protect them using the principles of zero trust. The book also features mock tests toward the end to help you prepare effectively for the exam.
By the end of this book, you’ll have learned how to plan, deploy, and manage identity and access solutions for Microsoft and hybrid infrastructures.

Language: English
Release date: Mar 10, 2022
ISBN: 9781801813150


    Book preview

    Microsoft Identity and Access Administrator Exam Guide - Dwayne Natwick


    BIRMINGHAM—MUMBAI

    Microsoft Identity and Access Administrator Exam Guide

    Copyright © 2022 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Vijin Boricha

    Publishing Product Manager: Mohd Riyan Khan

    Senior Editor: Shazeen Iqbal

    Content Development Editor: Rafiaa Khan

    Technical Editor: Arjun Varma

    Copy Editor: Safis Editing

    Project Coordinator: Shagun Saini

    Proofreader: Safis Editing

    Indexer: Pratik Shirodkar

    Production Designer: Ponraj Dhandapani

    First published: March 2022

    Production reference: 1230222

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham

    B3 2PB, UK.

    ISBN 978-1-80181-804-9

    www.packt.com

    Foreword

    Over the course of my career, identity has always been an important part of any technical design or architecture. When I worked on the help desk, I can remember creating user accounts, resetting passwords, and adding users to security groups. As time progressed, my skills gravitated toward solution architect scenarios involving Active Directory build-outs, upgrades, and maintenance, as well as onboarding solutions such as Azure Active Directory Connect. I am currently a program manager within the identity and network access division at Microsoft. I certainly didn't know my technical foundation would evolve into identity being one of my predominant areas of focus all these years later.

    The cloud is here to stay, and is reshaping the common identity scenarios of old. Organizations are extending identities into the cloud, which takes identity outside of the four walls housing any infrastructure. As a result, a different approach needs to be implemented to maintain a secure posture and ensure the right amount of governance is applied.

    The focus of this book is on the Microsoft SC-300 exam. Any individual who's studying for this exam should hopefully understand the importance of identity and access management. Perhaps this exam is a requirement for a job or maybe even a way to further prove technical skills and knowledge. One thing is sure: customers need to securely protect applications and user data at the perimeter using Azure identity and access management solutions. IT departments need to defend against malicious login attempts, safeguard credentials, protect identities, and enforce strong authentication options (all without disrupting productivity). This challenge is no easy one, especially with the rate of change in both the security and identity spaces.

    Passing this exam means you'll receive the Microsoft Identity and Access Administrator Associate certification. You'll be uniquely prepared to design, implement, and operate an identity and access management system using Azure Active Directory. You'll be able to manage tasks such as configuring secure authentication and authorization access to enterprise applications. This role-based cert will provide administrators with ways of implementing seamless user experiences and self-service management capabilities to avoid disturbing end users' daily activities. Identity governance is another key element you should be able to plan for and build out. Additionally, you'll also learn how to troubleshoot, monitor, and configure reporting for the identity and access environment.

    After studying for and passing the certification, you'll find yourself better equipped to handle the ever-evolving identity and security threat landscape. This area of focus and study will kickstart your skills to be a great value addition for any company you work for in the future. Good luck and make sure you give yourself plenty of time to study and prep!

    I'd like to quickly thank Dwayne for asking me to write this foreword. I'm honored to be thought of in this space! Dwayne is one of my security gurus and always has a great answer or approach to any situation if a question arises. He'll help you make the most sense out of the exam in a pragmatic way that will help you pass!

    Shannon Kuehn

    Senior Program Manager

    Identity and Network Access

    Contributors

    About the author

    Dwayne Natwick is a Senior Product Manager at Cloudreach, an Atos company and a Microsoft Expert MSP. He has been in IT, security design, and architecture for over 30 years. His love of teaching led him to become a Microsoft Certified Trainer (MCT) Regional Lead and a Microsoft Most Valuable Professional (MVP).

    Dwayne has a master's degree in business IT from Walsh College, the CISSP from ISC2, and 18 Microsoft certifications, including Identity and Access Administrator, Azure Security Engineer, and Microsoft 365 Security Administrator. Dwayne can be found providing and sharing information on social media, at industry conferences, on his blog site, and on his YouTube channel.

    Originally from Maryland, Dwayne currently resides in Michigan with his wife and three children.

    About the reviewers

    Sathish Veerapandian is a certified Microsoft infrastructure/cloud architect with 14 years of international large-scale hands-on experience in planning, designing, and executing IT management of messaging platforms such as Microsoft Teams with Telephony, Skype for Business Voice, Microsoft Exchange, Intune deployment, Microsoft Azure, and Microsoft Security implementations. His dedication to serving the technical community has earned him the title of Microsoft MVP for the past 7 years, and he shares his technical knowledge and skills through local meetups and blogs and participates in Microsoft Ignite sessions. He is well known in the community for his contributions to Office 365 and the Microsoft Teams and Security platforms.

    Shabaz Darr is an infrastructure master for Netcompany, based in the United Kingdom. He is a Microsoft MVP in Enterprise Mobility, specializing in Microsoft cloud technologies including Endpoint Manager, Security & Compliance, and Azure Virtual Desktop. He has over 15 years' experience in the IT industry, with 8 of those spent working with Microsoft cloud technologies. During this period, he assisted several global organizations with designing and implementing information protection strategies. He coauthored a book on the SC-400 Information Protection Microsoft certification exam and individually authored a book on the AZ-140 Azure Virtual Desktop Specialist exam, and was also a technical reviewer for the SC-900 Security Fundamentals book. He also has his own YouTube channel called I Am IT Geek where he creates video series on various Microsoft cloud technologies.

    I would like to thank Packt for asking me to technically review this book, as well as thanking the author, Dwayne Natwick, for asking me to be part of this project. It has been a huge honor to be part of this book.

    Bart Van Vugt is a freelance workplace/security architect and owner at BVV Consult. He has over 20 years of experience in the field, acting as a security architect with broad professional experience in enterprise security, identity and access management, information protection, cybersecurity, endpoint management, and cloud security. Guiding companies on their zero trust and cloud journey, providing architecture and security advice, and delivering hands-on deployments are part of the job.

    In addition to that, Bart has been a passionate MCT since 2021, holding several certifications.

    Bart was also recognized by Microsoft in 2021 by receiving digital badges from their Windows Customer Connection Program and Microsoft 365 Threat Protection Program: Community Member 2021.

    Marcel Molenaar is a consultant, developer, solution architect, and an MCT with more than 25 years of experience in IT. As a developer, he has experience in many object-oriented programming languages, such as C++, C#, Java, Node.js, Python, and PowerShell. As a SharePoint consultant, he started working with SharePoint 2003 and implemented SharePoint farms for larger enterprises with lots of customizations and strict security conditions.

    With the transition to the Microsoft 365 platform, his field of experience moved to SharePoint Online and the Azure platform. Marcel is fascinated by the cloud and new cloud-related technologies. He also loves the data platform and AI because of his scientific background.

    He has worked as an MCT for more than 10 years. He teaches lots of students about Azure, Microsoft 365, security, data, and the Power Platform.

    Marcel is self-employed and is the CEO of Marcel Molenaar IT Training. He lives and works in the Netherlands.

    Bill Wheeler is a security architect for Avanade, a leading provider of cloud and security solutions delivered through the Microsoft ecosystem. Bill has been working in technology for over 25 years, 20 of which were with the Volkswagen Group of America, with a focus on infrastructure and security. Bill is a U.S. Marine Corps veteran.

    Table of Contents

    Preface

    Section 1 – Exam Overview and the Evolution of Identity and Access Management

    Chapter 1: Preparing for Your Microsoft Exam

    Technical requirements

    Preparing for a Microsoft exam

    Resources available to prepare for the exam

    Access to a subscription

    Where to take the exam

    Exam format

    Resources available and accessing Microsoft Learn

    Accessing Microsoft Learn

    Finding content on Microsoft Learn

    Exam pages on Microsoft Learn

    Creating a Microsoft 365 trial subscription

    Office 365 or Microsoft 365 trial subscription

    Azure AD Premium subscription

    Exam objectives

    Who should take the SC-300 exam?

    Summary

    Chapter 2: Defining Identity and Access Management

    Understanding IAM

    Identity

    Access

    Learning identity and access use cases

    Shopping websites

    Personal email accounts

    Social media accounts

    Company applications

    Understanding the scope of IAM

    Defining IAM

    Principle of least privilege

    The evolution of IAM

    Traditional

    Advanced

    Optimal

    Summary

    Section 2 – Implementing an Identity Management Solution

    Chapter 3: Implementing and Configuring Azure Active Directory

    Technical requirements

    Configuring and managing AAD roles

    Azure Active Directory tenant

    Azure Active Directory roles

    Planning and assigning roles

    Configuring and managing custom domains

    Adding and verifying a custom domain to set as the primary domain

    Custom domains and sub-domains

    Managing DNS and deleting a custom domain

    Configuring and managing device registration options

    Azure AD-registered devices

    Azure AD-joined devices

    Hybrid AD-joined devices

    Configuring tenant-wide settings

    Member and guest users

    Managing security defaults

    Summary

    Chapter 4: Creating, Configuring, and Managing Identities

    Technical requirements

    Creating, configuring, and managing users

    Member users

    Guest and external users

    AD (hybrid) users

    Creating, configuring, and managing groups

    Microsoft 365 groups

    Security groups

    Specialty groups

    Dynamic groups

    Managing licenses

    License requirements

    License features

    Assigning licenses

    Summary

    Chapter 5: Implementing and Managing External Identities and Guests

    Technical requirements

    Managing external collaboration settings in Azure AD

    B2B

    B2C

    Configuring external collaboration settings

    Inviting external users individually and in bulk

    Inviting guest users

    Managing external user accounts in Azure AD

    Managing guest user licenses

    Password management

    Multi-factor authentication

    Configuring identity providers

    Google configuration

    Facebook configuration

    Summary

    Chapter 6: Implementing and Managing Hybrid Identities

    Technical requirements

    Implementing and managing Azure AD Connect

    Hybrid identity

    Azure AD

    Windows AD

    Azure AD Connect

    Implementing and managing seamless SSO

    Implementing and managing Azure AD Connect Health

    Troubleshooting sync errors

    Summary

    Section 3 – Implementing an Authentication and Access Management Solution

    Chapter 7: Planning and Implementing Azure Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR)

    Technical requirements

    Planning an Azure MFA deployment

    What is MFA?

    How does Azure AD MFA work?

    What licenses include Azure AD MFA?

    Azure authentication methods

    Configuring Azure AD MFA

    Implementing and managing MFA settings

    Configuring and deploying SSPR

    Deploying and managing password protection

    Planning and implementing security defaults

    Summary

    Chapter 8: Planning and Managing Password-Less Authentication Methods

    Technical requirements

    Administering authentication methods (FIDO2/passwordless)

    Modern authentication for identity and access management

    Implementing an authentication solution based on Windows Hello for Business

    Implementing an authentication solution with the Microsoft Authenticator app

    Summary

    Chapter 9: Planning, Implementing, and Administering Conditional Access and Azure Identity Protection

    Technical requirements

    Planning and implementing Conditional Access policies and controls

    Zero-trust methodology

    Conditional Access policies

    Configuring Smart Lockout thresholds

    Implementing and managing a user risk policy

    Azure AD Identity Protection

    Monitoring, investigating, and remediating elevated risky users

    Summary

    Section 4 – Implementing Access Management for Applications

    Chapter 10: Planning and Implementing Enterprise Apps for Single Sign-On (SSO)

    Technical requirements

    Designing and implementing access management and SSO for apps

    Discovering apps with Microsoft Defender for Cloud Apps

    Integrating on-premises apps using Azure AD Application Proxy

    Planning your line-of-business application registration strategy

    Implementing application registrations

    Planning and configuring multi-tier application permissions

    Summary

    Chapter 11: Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps

    Technical requirements

    Planning your cloud application strategy

    Discovering apps with Microsoft Defender for Cloud Apps

    Implementing cloud app security policies

    Planning and configuring cloud application permissions

    Discovering apps by using Microsoft Defender for Cloud Apps or an ADFS app report

    Discovering apps with Microsoft Defender for Cloud Apps app report

    Discovering apps with an ADFS app report

    Using Microsoft Defender for Cloud Apps to manage application access

    Discovered app scoring

    Sanctioning and unsanctioning apps

    Summary

    Section 5 – Planning and Implementing an Identity Governance Strategy

    Chapter 12: Planning and Implementing Entitlement Management

    Technical requirements

    Defining catalogs and access packages

    Catalogs

    Access packages

    Planning, implementing, and managing entitlements

    Planning entitlements

    Implementing entitlements

    Managing entitlements

    Implementing and managing terms of use

    Managing the life cycle of external users in Azure AD Identity Governance settings

    Access reviews

    Summary

    Chapter 13: Planning and Implementing Privileged Access and Access Reviews

    Technical requirements

    Defining a privileged access strategy for administrative users

    Configuring PIM for Azure AD roles and Azure resources

    Creating and managing break-glass accounts

    Planning for and automating access reviews

    Analyzing PIM audit history and reports

    Summary

    Section 6 – Monitoring and Maintaining Azure Active Directory

    Chapter 14: Analyzing and Investigating Sign-in Logs and Elevated Risk Users

    Technical requirements

    Analyzing and investigating sign-in logs to troubleshoot access issues

    Reviewing and monitoring Azure AD audit logs

    Analyzing Azure Active Directory workbooks and reporting

    Summary

    Chapter 15: Enabling and Integrating Azure AD Logs with SIEM Solutions

    Technical requirements

    Enabling and integrating Azure AD diagnostic logs with Log Analytics and Microsoft Sentinel

    Exporting sign-in and audit logs to a third-party SIEM

    Reviewing Azure AD activity by using Log Analytics and Microsoft Sentinel

    Summary

    Chapter 16: Mock Test

    Other Books You May Enjoy

    Preface

    This book simplifies identity and access management (IAM) concepts to help you pass the SC-300 certification exam. Packed with practical examples, it gives you the hands-on knowledge to drive strategic identity projects while modernizing identity solutions, implementing hybrid identity solutions, and monitoring identity governance.

    Who this book is for

    This book is for cloud security engineers, Microsoft 365 administrators, Microsoft 365 users, Microsoft 365 identity administrators, and anyone who wants to learn about IAM and gain SC-300 certification. You should have a basic understanding of the fundamental services within Microsoft 365 and Azure Active Directory before getting started with this Microsoft book.

    What this book covers

    Chapter 1, Preparing for Your Microsoft Exam, provides guidance on getting prepared for a Microsoft exam along with resources that can assist in your learning plan. This will include helpful links along with steps for gaining access to a trial Microsoft 365 subscription for hands-on practice.

    Chapter 2, Defining Identity and Access Management, provides an overview of what IAM is and why it is important. This chapter will also discuss the evolution of IAM as cloud technologies have become more prevalent.

    Chapter 3, Implementing and Configuring Azure Active Directory, focuses on the implementation and configuration of Azure Active Directory for cloud identities. This will include how to configure and verify custom domains and tenant-wide settings.

    Chapter 4, Creating, Configuring, and Managing Identities, discusses how to plan, create, configure, and manage users, groups, and licenses within Azure Active Directory. This will include the bulk creation of users and dynamic group creation.

    Chapter 5, Implementing and Managing External Identities and Guests, discusses how to plan and provide guest user access to Azure Active Directory. This will include how to invite guest users and how to manage access. The chapter will also discuss utilizing existing user identities with B2B and B2C access.

    Chapter 6, Implementing and Managing Hybrid Identities, focuses on the planning and implementation of hybrid identity. This will include configuration of Azure Active Directory Connect for Windows Active Directory to Azure Active Directory and determining which synchronization type is the best fit for an organization.

    Chapter 7, Planning and Implementing Azure Multi-Factor Authentication and Self-Service Password Reset, discusses the planning and implementation of Azure MFA and SSPR for users and groups. This will include deploying, managing, and configuring MFA for users and groups. This chapter will also cover the differences between verifying identity with MFA and SSPR.

    Chapter 8, Planning and Managing Password-Less Authentication Methods, discusses how to plan and utilize password-less authentication methods. It will cover the various methods and how they can be deployed within Azure Active Directory.

    Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection, covers conditional access policies. This will include planning for these policies and testing them to verify that they are working correctly and providing the proper controls. In addition, we will discuss Azure Identity Protection and using sign-in and user risk conditions with policies.

    Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO), focuses on enterprise applications and how to plan and implement SSO. This will include setting up an application proxy for connecting on-premises applications to Azure Active Directory.

    Chapter 11, Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps, discusses how Microsoft Defender for Cloud Apps is used to manage and monitor enterprise cloud applications. This includes how to utilize conditional access policies for cloud application access.

    Chapter 12, Planning and Implementing Entitlement Management, discusses the planning and implementation process for entitlement management. This includes life cycle management for external users and managing the terms of use.

    Chapter 13, Planning and Implementing Privileged Access and Access Reviews, discusses the planning and implementation for user privileged access. This will include how to determine and assign users with privileged access rights on a just-in-time basis. This chapter will also cover planning for access reviews.

    Chapter 14, Analyzing and Investigating Sign-in Logs and Elevated Risk Users, discusses how to analyze and investigate sign-in logs and determine risks to elevated users.

    Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions, discusses how Azure Active Directory logs can be integrated into SIEM solutions. This will include Azure Sentinel and third-party SIEM.

    Chapter 16, Mock Test, provides a final assessment and mock exam questions to complete the final preparations to take the SC-300 exam.

    To get the most out of this book

    This book will explore configuring a tenant for use of Microsoft 365 and Azure. There will be exercises that will require access to Azure Active Directory. Chapter 1, Preparing for Your Microsoft Exam, provides directions for creating a trial license of Microsoft 365 and a free Azure account.

    Download the color images

    We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801818049_ColorImages.pdf.

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: By selecting the Download button, filtered data can then be downloaded to a .csv or .json file for up to 250,000 records.

    Any command-line input or output is written as follows:

    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

    Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: The best way to obtain these features is through an Enterprise Mobility + Security (EMS) E5 license.

    Tips or Important Notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

    Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you've read Microsoft Identity and Access Administrator Exam Guide, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
