Microsoft Identity and Access Administrator

 

• The Microsoft identity and access administrator designs, implements, and operates an organization’s identity and access management systems by using Azure Active Directory (Azure AD). They configure and manage authentication and authorization of identities for users, devices, Azure resources, and applications.
• The identity and access administrator provides seamless experiences and self-service management capabilities for all users. They ensure that identity is verified explicitly to support Zero Trust principles. They automate management of Azure AD by using PowerShell and analyze events by using Kusto Query Language (KQL). They are also responsible for troubleshooting, monitoring, and reporting for the identity and access environment.
• The identity and access administrator collaborates with many other roles in the organization to drive strategic identity projects, to modernize identity solutions, to implement hybrid identity solutions, and to implement identity governance.

• They should be familiar with Azure and Microsoft 365 services and workloads.

Implement identities in Azure AD (20—25%) Configure and manage an Azure AD tenant

• Configure and manage Azure AD roles
• Configure delegation by using administrative units
• Analyze Azure AD role permissions
• Configure and manage custom domains
• Configure tenant-wide settings

Create, configure, and manage Azure AD identities

• Create, configure, and manage users
• Create, configure, and manage groups
• Configure and manage device join and registration, including writeback
• Assign, modify, and report on licenses

Implement and manage external identities

• Manage external collaboration settings in Azure AD
• Invite external users, individually or in bulk
• Manage external user accounts in Azure AD
• Configure identity providers, including SAML or WS-fed

Implement and manage hybrid identity

• Implement and manage Azure AD Connect
• Implement and manage Azure AD Connect cloud sync
• Implement and manage Password Hash Synchronization (PHS)
• Implement and manage Pass-Through Authentication (PTA)
• Implement and manage seamless Single Sign-On (SSO)
• Implement and manage Federation, excluding manual AD FS deployments
• Implement and manage Azure AD Connect Health
• Troubleshoot synchronization errors

Implement authentication and access management (25—30%) Plan, implement, and manage Azure Multifactor Authentication (MFA) and self-service password reset

• Plan Azure MFA deployment, excluding MFA Server
• Configure and deploy self-service password reset
• Implement and manage Azure MFA settings
• Manage MFA settings for users
• Extend Azure AD MFA to third party and on-premises devices
• Monitor Azure AD MFA activity

Plan, implement, and manage Azure AD user authentication

• Plan for authentication
• Implement and manage authentication methods
• Implement and manage Windows Hello for Business
• Implement and manage password protection and smart lockout
• Implement certificate-based authentication in Azure AD
• Configure Azure AD user authentication for Windows and Linux virtual machines on Azure

Plan, implement, and manage Azure AD conditional access

• Plan conditional access policies
• Implement conditional access policy assignments
• Implement conditional access policy controls
• Test and troubleshoot conditional access policies
• Implement session management
• Implement device-enforced restrictions
• Implement continuous access evaluation
• Create a conditional access policy from a template

Manage Azure AD Identity Protection

• Implement and manage a user risk policy
• Implement and manage sign-in risk policy
• Implement and manage MFA registration policy
• Monitor, investigate and remediate risky users
• Implement security for workload identities

Implement access management for Azure resources

• Assign Azure roles
• Configure custom Azure roles
• Create and configure managed identities
• Use managed identities to access Azure resources
• Analyze Azure role permissions
• Configure Azure Key Vault RBAC and policies

Implement access management for applications (15—20%) Manage and monitor application access by using Microsoft Defender for Cloud Apps

• Discover and manage apps by using Microsoft Defender for Cloud Apps
• Configure connectors to apps
• Implement application-enforced restrictions
• Configure conditional access app control
• Create access and session policies in Microsoft Defender for Cloud Apps
• Implement and manage policies for OAUTH apps

Plan, implement, and monitor the integration of Enterprise applications

• Configure and manage user and admin consent
• Discover apps by using ADFS application activity reports
• Design and implement access management for apps
• Design and implement app management roles
• Monitor and audit activity in enterprise applications
• Design and implement integration for on-premises apps by using Azure AD application proxy
• Design and implement integration for SaaS apps
• Provision and manage users, groups, and roles on Enterprise applications
• Create and manage application collections

Plan and implement application registrations

• Plan for application registrations
• Implement application registrations
• Configure application permissions
• Implement application authorization
• Plan and configure multi-tier application permissions
• Manage and monitor applications by using App governance

Plan and implement identity governance in Azure AD (20—25%) Plan and implement entitlement management

• Plan entitlements
• Create and configure catalogs
• Create and configure access packages
• Manage access requests
• Implement and manage terms of use
• Manage the lifecycle of external users in Azure AD Identity Governance settings
• Configure and manage connected organizations
• Review per-user entitlements by using Azure AD Entitlement management

Plan, implement, and manage access reviews

• Plan for access reviews
• Create and configure access reviews for groups and apps
• Create and configure access review programs
• Monitor access review activity
• Respond to access review activity, including automated and manual responses

Plan and implement privileged access

• Plan and manage Azure roles in Privileged Identity Management (PIM), including settings and assignments
• Plan and manage Azure resources in PIM, including settings and assignments
• Plan and configure Privileged Access groups
• Manage PIM requests and approval process
• Analyze PIM audit history and reports
• Create and manage break-glass accounts

Monitor Azure AD

• Design a strategy for monitoring Azure AD
• Review and analyze sign-in, audit, and provisioning logs by using the Azure AD console
• Configure diagnostic settings, including Log Analytics, storage accounts, and Event Hub
• Monitor Azure AD by using Log Analytics, including KQL queries
• Analyze Azure AD by using workbooks and reporting in the Azure AD console
• Monitor and improve the security posture by using the Identity Secure Score