Azure AD Certification Requirements and Best Practices


Microsoft's certification exams that cover Azure Active Directory (Azure AD, now branded Microsoft Entra ID) assume a working knowledge of identity and access management concepts and hands-on experience with Azure AD itself. Note that the word "certificate" is used in a different sense from here on: the sections after this one deal with the X.509 certificates an app registration uses to authenticate to Azure AD, not with exam credentials.

Two exams are commonly cited. AZ-500 (Microsoft Azure Security Technologies) covers identity and access, platform protection, security operations, and data and application security. AZ-104 (Microsoft Azure Administrator) covers managing Azure resources, including Azure AD identities and governance. The exam devoted to Azure AD itself is SC-300 (Microsoft Identity and Access Administrator).

To prepare for the certification, it's recommended that you have at least six months of experience working with Azure AD, and have a good understanding of its features and capabilities.

Microsoft provides a variety of study materials to help you prepare, including online courses, study guides, and practice exams.

Certificate Requirements for Azure AD App Authentication

When you create a certificate for an app registration to authenticate with (the procedure is in the sections that follow), the certificate must meet Azure AD's requirements:

  • Key length: a 2048-bit RSA key is recommended as the best balance of security and performance. Do not go shorter.
  • Algorithm: RSA is currently the only key type Azure AD accepts for this purpose.
  • Signature hash: SHA256 is the default for signing the certificate; SHA384 and SHA512 are also supported.
  • Validity: keep it to one year. The upload does not reject longer-lived certificates, so the limit is one you enforce yourself; a short lifetime bounds the exposure if the private key leaks, and rotation must be scheduled before expiry so the automation does not stop working.
  • Trust: a self-signed certificate is sufficient. Azure AD does not validate a chain to a public CA; it locates the uploaded public key by thumbprint and verifies the signature on the client assertion your code sends. The same certificate can be used for both client and server authentication.

App Registration and Authentication


To call Microsoft Graph from automation you first create an app registration in Azure AD. Registering the app creates an application object and, in your tenant, a matching service principal (listed under Enterprise applications). The service principal is the identity your automation runs as and the object on which permissions are recorded, for example the Intune permission to read and write Win32 apps.

Graph Explorer is useful for learning the queries, but it runs with your signed-in user's permissions. Automation needs its own access token, which it obtains by authenticating to Azure AD as the app registration with a credential of its own: a certificate, a client secret, or a federated credential.

For certificate authentication, only the public portion of the certificate (a .cer file) is uploaded to the app registration. The private key stays wherever the code runs, for example in an Azure Automation certificate asset, and Azure AD verifies the signed client assertion your code sends against the uploaded public key.

App Registrations

Create the app registration in the Azure portal (Azure Active Directory > App registrations > New registration) or with the Azure CLI. Once it exists, your code authenticates as it to obtain the access token required for Microsoft Graph calls.


An app registration is not the same object as its service principal, although the two are often conflated. The registration (application object) defines the app; the service principal is the tenant-local identity that your code signs in as and on which the granted permissions are recorded.

For example, to read and write Win32 apps in Intune, add the application permission DeviceManagementApps.ReadWrite.All under API permissions on the registration and grant admin consent. Without consent the permission appears in the portal but is absent from the tokens Azure AD issues.

To authenticate with a certificate, upload only the public portion, exported as a .cer file, to the registration's Certificates & secrets blade. The private key never needs to leave the system that runs the code.

On Windows, Export-Certificate writes the public portion of a certificate from the local store to a .cer file.
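The following is an added example, not code from the original article: it creates a self-signed certificate that satisfies the requirements listed earlier, checks those properties before anything is uploaded, and exports only the public half as a .cer. The subject name and output path are assumptions.

```powershell
# Added example (not from the original article). Creates a self-signed certificate that
# meets Azure AD's requirements, verifies them, and exports only the public half as a .cer.
# The subject name and output path are assumptions; change them for your environment.
$subject = 'CN=intune-win32-automation'
$cerPath = Join-Path $env:TEMP 'intune-win32-automation.cer'

$params = @{
    Subject           = $subject
    CertStoreLocation = 'Cert:\CurrentUser\My'
    KeyAlgorithm      = 'RSA'          # RSA is the only key type Azure AD accepts for this
    KeyLength         = 2048           # recommended minimum
    HashAlgorithm     = 'SHA256'       # SHA384 or SHA512 are also accepted
    KeySpec           = 'Signature'    # the key only signs client assertions
    KeyExportPolicy   = 'Exportable'   # needed only if you will export a .pfx later; otherwise use 'NonExportable'
    NotAfter          = (Get-Date).AddYears(1)   # one-year validity; rotate before it lapses
}
$cert = New-SelfSignedCertificate @params

# Verify the result against the requirements before uploading anything.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa)        { throw "Not an RSA key: $($cert.PublicKey.Oid.FriendlyName)" }
if ($rsa.KeySize -lt 2048) { throw "Key too short: $($rsa.KeySize) bits" }
if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha(256|384|512)RSA$') {
    throw "Unexpected signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
}
$days = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
if ($days -gt 366) { Write-Warning "Validity is $days days; one year is recommended" }

# Export-Certificate writes the public certificate only (DER-encoded .cer); the private key stays in the store.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# After uploading the .cer, the portal shows a thumbprint; it must match this one.
"Exported $cerPath"
"Thumbprint: $($cert.Thumbprint)"
```

Splatting the parameters rather than using backtick continuations keeps each requirement next to the comment that explains it, and the checks after creation catch a machine whose defaults differ from what you expected.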

Configure App Authentication

With the app registration in place, configure how your code will prove that it is this app. Open the registration in the Azure portal and go to Certificates & secrets; the credential lives there, while the permissions themselves are granted under API permissions and then admin-consented.


Graph Explorer (aka.ms/ge) is a good way to learn the queries, but it uses your own signed-in identity. Automation needs a token of its own, which it obtains by authenticating to Azure AD as the service principal and requesting an access token for https://graph.microsoft.com; each Graph request then carries that token as a bearer token.

For certificate authentication the real decision is where the private key lives: in the local certificate store for interactive use, in an Azure Key Vault certificate that the code retrieves at run time, or, in Azure Automation, in a certificate asset uploaded to the automation account. Only the public key is ever uploaded to the app registration.

To upload it, open the Certificates & secrets blade, select Upload certificate, and browse to the .cer file (.pem and .crt are also accepted). Once uploaded, the certificate can be used for authentication, and the thumbprint shown in the portal should match the certificate your code holds.

In Azure Automation, the MSAL.PS module can acquire the token. Import it into the automation account from the PowerShell Gallery (Modules > Browse gallery) and pass it the certificate returned by Get-AutomationCertificate.
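The following is an added example, not code from the original article or from MSAL.PS itself. It acquires an app-only Graph token with the certificate through MSAL.PS, decodes the token's claims to confirm that the Intune permission was actually granted and consented, and then makes a Graph call. The tenant ID, client ID, thumbprint and Automation asset name are placeholders.

```powershell
# Added example (not from the original article). Acquires an app-only Graph token with a
# certificate via MSAL.PS, confirms the token carries the Intune permission, then calls Graph.
# Tenant ID, client ID, thumbprint and the Automation asset name are placeholders.
Import-Module MSAL.PS   # locally: Install-Module MSAL.PS -Scope CurrentUser; in Automation: add it from the gallery

$tenantId   = '00000000-0000-0000-0000-000000000000'   # assumed: your directory (tenant) ID
$clientId   = '11111111-1111-1111-1111-111111111111'   # assumed: the registration's application (client) ID
$thumbprint = 'PASTE-THUMBPRINT-HERE'                  # assumed: thumbprint of the certificate you uploaded

# Locally the private key is in the user store. In an Automation runbook use the certificate asset instead:
#   $cert = Get-AutomationCertificate -Name 'IntuneGraphCert'
$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'This certificate has no private key, so it cannot sign the client assertion' }

# MSAL builds a JWT client assertion, signs it with the private key and exchanges it for an access token.
$token = Get-MsalToken -ClientId $clientId -TenantId $tenantId -ClientCertificate $cert `
    -Scopes 'https://graph.microsoft.com/.default'

# Read the claims of our own token (base64url-encoded payload). No signature check is needed here:
# Graph, not this script, is the party that must validate the token.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload -Jwt $token.AccessToken

# Application permissions appear in the 'roles' claim only after they were added AND admin-consented.
$required = 'DeviceManagementApps.ReadWrite.All'
if ($claims.roles -notcontains $required) {
    throw "Token lacks $required (roles present: $($claims.roles -join ', ')). Grant it on the app registration and give admin consent."
}

$headers = @{ Authorization = "Bearer $($token.AccessToken)" }
$uri  = 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps?$top=5'
$apps = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
$apps.value | Select-Object displayName, '@odata.type'
```

Checking the roles claim before the first Graph call turns the most common failure (permission added but never consented) into a clear error instead of a 403 buried in the runbook output.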

Export Private Key


The .pfx format bundles the certificate with its private key, so a .pfx is a credential: anyone holding the file and its password can authenticate as your app with every permission granted to it.

Export one only when the place your code runs needs the key and cannot reach your local certificate store, for example to load it into an Azure Automation certificate asset or an Azure Key Vault certificate. If the key is only ever used from the machine that created it, upload the .cer and leave the private key where it is.

If you marked the private key as exportable when you created the certificate, Export-PfxCertificate writes it out as a password-protected .pfx. If the key is non-exportable the export fails; that is the safer default whenever you have no such need.

Protect the file with a strong password, keep it out of source control, upload it to the Service Principal's consumer (the Automation account or Key Vault), and delete the local copy as soon as the upload succeeds.
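The following is an added example, not code from the original article. It exports the private key as a password-protected .pfx for upload to an Automation account certificate asset, fails closed when the key is not exportable, and restricts the file to the current account until it is uploaded. The thumbprint and output path are placeholders.

```powershell
# Added example (not from the original article). Exports the private key as a password-protected
# .pfx for upload to an Azure Automation certificate asset, failing closed if the key is not
# exportable. The thumbprint and output path are placeholders.
$thumbprint = 'PASTE-THUMBPRINT-HERE'
$pfxPath    = Join-Path $env:TEMP 'intune-win32-automation.pfx'

$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'No private key is associated with this certificate' }

# The password protects the key at rest; prompt for it rather than embedding it in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx'

try {
    # EndEntityCertOnly: just this certificate, no chain. Azure AD matches the uploaded public key, not a chain.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null
}
catch {
    # A key created with -KeyExportPolicy NonExportable ends up here; issue a new certificate if a .pfx is truly needed.
    throw "Private key export failed (is the key exportable?): $($_.Exception.Message)"
}

# Lock the file down to the current account until it is uploaded, then delete it.
icacls $pfxPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
"Upload $pfxPath as a certificate asset (Automation account > Certificates), then run: Remove-Item '$pfxPath'"
```

Reading the password with Read-Host -AsSecureString keeps it out of the script and the command history; the ACL step matters because %TEMP% is often readable by other processes and backup agents.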

Managing Client Secrets

Client secrets are passwords for the app registration: a string your code presents to Azure AD to obtain a Microsoft Graph token. They are the simplest credential to set up, and the weakest.

You will see them in many blogs and automation examples. The Certificates & secrets blade on the app registration offers three credential types: Certificates, Client secrets and Federated credentials. A client secret is the least secure of the three because it is a static bearer password: anyone who copies it can replay it from anywhere, whereas a private key can stay non-exportable on the system that uses it.


The secret value is shown once, when it is created; after you leave the blade only a short hint remains, so a lost secret must be replaced rather than recovered. The portal lets you set an expiry of up to 24 months, which is a long time for a static password to remain valid; choose the shortest lifetime your rotation process can support.

Never hard-code a client secret in a PowerShell script or runbook. Anyone who can read the script, the repository it lives in, or that repository's history can then authenticate as the app with every permission granted to it, and rotating the secret does not purge the old value from version control.

Store the secret in Azure Key Vault instead and have the script fetch it at run time under its own identity, so the secret appears neither in code nor in plain text in the runbook's variables.

Here are the key things to know about client secrets:

  • Client secrets are a short- or long-lived password used to authenticate to Azure AD and obtain Microsoft Graph tokens.
  • The portal allows a validity of up to 24 months; shorter is better.
  • They must not be hard-coded in PowerShell scripts or runbooks, or committed to source control.
  • Storing them in Azure Key Vault and fetching them at run time is the more secure option; a certificate is more secure still.
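The following is an added example, not code from the original article: the insecure hard-coded pattern shown commented out, followed by the Key Vault pattern in which the runbook fetches the secret at run time. The vault name, secret name, tenant ID and client ID are placeholders.

```powershell
# Added example (not from the original article). The insecure pattern, then the Key Vault pattern.
# Vault name, secret name, tenant ID and client ID are placeholders.

# --- Insecure: a client secret hard-coded in the script ---
# $clientSecret = 'Abc8Q~exampleSecretValue'   # anyone who can read the script or the repo history owns the app

# --- Preferred: fetch the secret from Key Vault at run time ---
Import-Module Az.Accounts, Az.KeyVault, MSAL.PS

$tenantId   = '00000000-0000-0000-0000-000000000000'   # assumed
$clientId   = '11111111-1111-1111-1111-111111111111'   # assumed
$vaultName  = 'kv-intune-automation'                   # assumed
$secretName = 'graph-client-secret'                    # assumed

# In an Automation runbook the account's managed identity signs in, so no credential appears in code.
# Interactively, run Connect-AzAccount without -Identity as a user permitted to read the secret.
Connect-AzAccount -Identity | Out-Null

# Keep the value as a SecureString; avoid -AsPlainText, which would put the secret into a clear-text variable.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
if ($null -eq $secret) { throw "Secret '$secretName' not found in '$vaultName', or access was denied" }

# When storing the secret, set the Key Vault secret's expiry to the client secret's expiry so this check is meaningful.
if ($secret.Expires -and $secret.Expires -lt (Get-Date).AddDays(30)) {
    Write-Warning "Client secret expires $($secret.Expires); create a new one on the app registration and update the vault"
}

$token = Get-MsalToken -ClientId $clientId -TenantId $tenantId -ClientSecret $secret.SecretValue `
    -Scopes 'https://graph.microsoft.com/.default'

$headers = @{ Authorization = "Bearer $($token.AccessToken)" }
Invoke-RestMethod -Method Get -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps?$top=1' -Headers $headers
```

Grant the runbook's identity only the Key Vault secret "get" permission (or the Key Vault Secrets User role) for this one vault. If the runbook already has a managed identity, consider granting the Graph application permission to that identity's own service principal instead, which removes the client secret from the design altogether.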

Frequently Asked Questions

Do I need AZ-900 before AZ-104?

No. AZ-900 (Microsoft Azure Fundamentals) is not a prerequisite for AZ-104, but it is a sensible starting point if you are new to Azure.

Calvin Connelly

Senior Writer
