In this post, I have shared some quick tips, including Q/A and valuable links from Day 2 of our recently launched batch of Microsoft Azure Solutions Architect (AZ-303).
On our Day 1 Live Session, we covered Azure Active Directory, Azure AD Concepts, Azure AD Join, Azure AD Connect, Azure Identity Protection, Azure Conditional Access, Azure Multi-Factor Authentication(MFA).
In this post, I have covered concepts like Hybrid Identity, Password hash synchronization (PHS), Pass-through authentication (PTA), AD FS, Azure AD Connect Health, Azure Networking for Beginners, IP Addressing, Azure Virtual Network, and VNet Peering. We also covered hands-on Lab 3, Lab 8, and Lab 9 out of our 25+ extensive labs (AZ-303).
So, here are some of the Q/A asked during the Live session from Module 2: Implement and Manage Hybrid Identities & Module 3: Implement Virtual Networking.
>Hybrid Identity
Hybrid identity creates a common user identity for authentication and authorization to all resources, regardless of location. One of three authentication methods can be used to achieve a hybrid identity with Azure AD, depending on your scenarios.
- Pass-through authentication (PTA)
- Password hash synchronization (PHS)
- Federation (AD FS)
➝Read more about the Hybrid Identity.
>Azure AD Pass-through Authentication
Azure AD Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory.
Q1: Does Conditional Access work with Pass-through Authentication?
Ans: Yes. All Conditional Access capabilities, including Azure AD Multi-Factor Authentication, work with Pass-through Authentication.
>Password hash synchronization with Azure AD
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of a user’s password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
You can use this feature to sign in to Azure AD services like Microsoft 365. You sign in to the service using the same password you use to sign in to your on-premises Active Directory instance.
Q2: Can an admin overwrite synchronized passwords in Password hash synchronization?
Ans: Yes. An administrator can manually reset your password by using Windows PowerShell. The new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password.
If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.
>AD FS (Active Directory Federation Services)
AD FS (Active Directory Federation Services) provides simplified, secure identity federation and web single sign-on (SSO) capabilities. Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in the cloud. As a result, it becomes important to have a highly available AD FS infrastructure to ensure access to resources both on-premises and in the cloud.
Advantages of deploying AD FS in Azure:
- High Availability
- Easy to Scale
- Cross-Geo Redundancy
➝Read more about AD FS (Active Directory Federation Services).
Q3: Which third-party multi-factor authentication providers are available for AD FS?
Ans: AD FS provides an extensible mechanism for third-party MFA providers to integrate. The list of vendors that have notified Microsoft is published at MFA providers for AD FS.
Some well-known offerings are Akamai MFA, Persona Adaptive Multi-Factor Authentication for Microsoft ADFS SSO, Microsoft Azure MFA, SecureMFA OTP Provider, and many more.
>Choosing between PHS vs PTA vs AD FS
At the end of the day, choosing a hybrid identity authentication method starts with understanding the needs of the business. See the comparison below for selecting between PHS, PTA, and AD FS.
![Difference]()
>Azure AD Connect Health
Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services.
The information is presented in the Azure AD Connect Health portal. Use the Azure AD Connect Health portal to view alerts, performance monitoring, usage analytics, and other information.
➝Read more about the Azure AD Connect Health.
Q4: What firewall ports do I need to open for the Azure AD Connect Health Agent to work?
Ans: The agent requires the following firewall ports to be open so that it can communicate with the Azure AD Connect Health service endpoints:
- TCP port 443
- TCP port 5671
The latest version of the agent doesn’t require port 5671; see the full requirements for using Azure AD Connect Health.
>Azure Networking For Beginners
The networking services in Azure provide a variety of networking capabilities that can be used together or separately. These services provide connectivity between Azure resources, connectivity from an on-premises network to Azure resources, and branch-to-branch connectivity in Azure. They include Virtual Network (VNet), ExpressRoute, VPN Gateway, Virtual WAN, Virtual Network NAT Gateway, Azure DNS, Azure Peering Service, and Azure Bastion.
➝Read more about Azure Networking.
>Azure Virtual Network
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. Virtual Network enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks.
Q5: What are the different ways to create Virtual Networks?
Ans: You can create a Virtual Network in Azure using any of the following:
1. Using Azure portal: Azure portal is a web-based, unified console that provides an alternative to command-line tools. With the Azure portal, you can manage your Azure subscription using a graphical user interface.
2. PowerShell: Azure PowerShell is a module you add to Windows PowerShell or PowerShell Core that enables you to connect to your Azure subscription and manage resources.
3. Azure CLI: Azure CLI is a cross-platform command-line program that connects to Azure and executes administrative commands on Azure resources.
Q6: Are Virtual Networks secure in Azure?
Ans: Virtual Networks are isolated from one another in the Azure cloud and have their own set of properties. Network Security Groups (NSGs) can be used to restrict inbound or outbound traffic flow. You can also deploy a virtual firewall from multiple vendors through the Azure Marketplace.
![Azure Virtual Network]()
>IP Addressing
An Internet Protocol (IP) address is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: host or network interface identification and location addressing.
Q7: Why is Azure assigning IP 10.0.0.4 rather than 10.0.0.1?
Ans: Because the x.x.x.0, x.x.x.1, x.x.x.2, x.x.x.3, and x.x.x.255 addresses in every subnet are reserved by Azure, these IP addresses are never assigned to your resources:
x.x.x.0: Network address
x.x.x.1: Reserved by Azure for the default gateway
x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
x.x.x.255: Network broadcast address
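To make the reserved-address rule above concrete, here is an added example (not code from the original post) that uses Python's standard `ipaddress` module to compute, for any IPv4 subnet in an Azure VNet, which addresses Azure holds back, the first address a NIC can actually receive, and how many addresses remain. It assumes the rule stated above (first four addresses and the last address reserved) and the Azure documented minimum subnet size of /29; it also flags subnets that are too small, which is the edge case where the rule leaves almost nothing usable.

```python
import ipaddress

# Azure reserves the first four addresses (network, default gateway, two for
# Azure DNS mapping) and the last address (broadcast) of every subnet.
AZURE_RESERVED_HEAD = 4
AZURE_RESERVED_TAIL = 1
# Azure does not allow IPv4 subnets smaller than /29 (8 addresses, 3 usable).
AZURE_MIN_PREFIX = 29


def azure_subnet_plan(cidr: str) -> dict:
    """Describe how Azure carves up the IPv4 subnet `cidr`.

    Returns the reserved addresses, the first and last assignable address
    and the number of addresses left for NICs. Raises ValueError for a
    subnet Azure would reject.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this helper covers IPv4 subnets only")
    if net.prefixlen > AZURE_MIN_PREFIX:
        raise ValueError(f"{cidr}: Azure subnets must be /{AZURE_MIN_PREFIX} or larger")

    # Indexing an IPv4Network walks its addresses without materialising them.
    reserved = {
        "network": str(net[0]),
        "default_gateway": str(net[1]),
        "azure_dns": [str(net[2]), str(net[3])],
        "broadcast": str(net[-1]),
    }
    return {
        "reserved": reserved,
        "first_assignable": str(net[AZURE_RESERVED_HEAD]),
        "last_assignable": str(net[-1 - AZURE_RESERVED_TAIL]),
        "assignable_count": net.num_addresses - AZURE_RESERVED_HEAD - AZURE_RESERVED_TAIL,
    }


def is_assignable(cidr: str, ip: str) -> bool:
    """True if Azure could hand `ip` to a NIC placed in the subnet `cidr`."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr not in net:
        return False
    offset = int(addr) - int(net.network_address)
    return AZURE_RESERVED_HEAD <= offset < net.num_addresses - AZURE_RESERVED_TAIL


if __name__ == "__main__":
    # The case from the question: a /24 starts handing out addresses at .4
    plan = azure_subnet_plan("10.0.0.0/24")
    print("reserved:", plan["reserved"])
    print("first assignable:", plan["first_assignable"])   # 10.0.0.4
    print("assignable count:", plan["assignable_count"])   # 251
    print("10.0.0.1 assignable?", is_assignable("10.0.0.0/24", "10.0.0.1"))  # False
```

The same arithmetic shows why a /29 is the floor: 8 addresses minus 5 reserved leaves only 3 for NICs, so size subnets for the reserved overhead rather than for the nominal host count.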
>Subnets
A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security. Each network interface attached to a virtual machine is connected to exactly one subnet.
Q8: Can we change the address space of the subnet after creation?
Ans: If no resources are deployed within the subnet, you can change the address range. If any resources exist in the subnet, you must either move the resources to another subnet or delete them from the subnet first.
Q9: Is there a limit to the number of subnets in my Virtual Network?
Ans: Yes, there is a limit to the number of subnets per virtual network. The current limit is 3000 subnets per virtual network.
>Virtual Network Peering
Virtual Network Peering in Azure allows the traffic of one virtual Network to communicate to another virtual network. It is used for database failover, disaster recovery, or cross-region data replication. After creating virtual networks, we moved towards configuring Virtual Network Peering using the Azure portal.
➝Read more about the Virtual Network Peering.
Q10: Is a Virtual Network peering connection unidirectional or bidirectional?
Ans: A Virtual Network peering connection is bidirectional. If you have created the peering in only one direction and try to reach the Virtual Machines in the other Virtual Network, it will not work: the other Virtual Network doesn’t know how to reach you because you haven’t created the peering on the second Virtual Network.
Q11: Can one Virtual Network do peering with more than one Virtual Network?
Ans: Yes. A single Virtual Network can peer with multiple Virtual Networks. Currently, the limit of Virtual Network peerings per Virtual Network is 500. The networks can belong to the same subscription, different deployment models in the same subscription, or different subscriptions.
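Q10 and Q11 together describe the failure mode you hit most often in a hub-and-spoke layout: one VNet peers with many others, and a peering created on only one side stays in the `Initiated` state until the reverse peering exists. The following added example (not code from the original post) audits a list of peering records for that condition. It assumes records shaped like the JSON that `az network vnet peering list` returns, of which only the `id`, `name`, `remoteVirtualNetwork.id` and `peeringState` fields are used; the sample records and the subscription and resource-group names in them are constructed for this example.

```python
# Constructed sample: a hub VNet peered with two spokes. The hub<->spoke1
# pair exists in both directions; hub->spoke2 was created on the hub side only.
SUB_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"


def vnet_id(name: str) -> str:
    """Build a constructed Azure resource ID for a VNet named `name`."""
    return f"{SUB_RG}/providers/Microsoft.Network/virtualNetworks/{name}"


def peering_record(local: str, remote: str, state: str) -> dict:
    """Build a record with the fields `az network vnet peering list` exposes.

    A peering's own ID is nested under the VNet it belongs to, which is how
    the audit below recovers the local VNet from each record.
    """
    return {
        "id": f"{vnet_id(local)}/virtualNetworkPeerings/{local}-to-{remote}",
        "name": f"{local}-to-{remote}",
        "remoteVirtualNetwork": {"id": vnet_id(remote)},
        "peeringState": state,
    }


SAMPLE_PEERINGS = [
    peering_record("vnet-hub", "vnet-spoke1", "Connected"),
    peering_record("vnet-spoke1", "vnet-hub", "Connected"),
    peering_record("vnet-hub", "vnet-spoke2", "Initiated"),  # reverse side never created
]


def audit_peerings(peerings: list) -> list:
    """Return one finding per peering that is not a working two-way link.

    A peering is flagged when no record points the other way (the Q10
    scenario) or when both records exist but the state is not Connected.
    """
    links = {}
    for p in peerings:
        # Resource IDs are case-insensitive in Azure, so normalise before comparing.
        local = p["id"].split("/virtualNetworkPeerings/")[0].lower()
        remote = p["remoteVirtualNetwork"]["id"].lower()
        links[(local, remote)] = p

    findings = []
    for (local, remote), p in links.items():
        if (remote, local) not in links:
            issue = "no peering in the reverse direction"
        elif p["peeringState"] != "Connected":
            issue = f"peering exists both ways but state is {p['peeringState']}"
        else:
            continue
        findings.append({
            "peering": p["name"],
            "local_vnet": local.rsplit("/", 1)[-1],
            "remote_vnet": remote.rsplit("/", 1)[-1],
            "state": p["peeringState"],
            "issue": issue,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_peerings(SAMPLE_PEERINGS):
        print(f"{finding['peering']}: {finding['issue']} (state={finding['state']})")
```

Run against real data by loading the output of `az network vnet peering list` for each VNet into one list and passing it to `audit_peerings`; a peering stuck in `Initiated` is the signal that the second half of the link still has to be created on the other VNet.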
Q12: Are there any bandwidth limitations for peering connections?
Ans: No, Virtual Network peering, whether local or global, does not impose any bandwidth restrictions. Bandwidth is only limited by the Virtual Machine or the compute resource.
➝Read more about the Bandwidth limitations for peering connections.
Q13: How much do Virtual Network peering links cost?
Ans: There is no charge for creating a Virtual Network peering connection. Data transfer across peering connections is charged. Inbound and outbound traffic is charged at both ends of the peered networks. Virtual Network Peering within the same region is less costly than Global Virtual Network Peering.
➝Read more about the Virtual Network Peering Cost.
![virtual network]()
Quiz Time (Sample Exam Questions)!
With our Microsoft Azure Solutions Architect training program, we cover 220+ [AZ-303] & 200+ [AZ-304] sample exam questions to help you prepare for the certifications AZ-303 & AZ-304.
Note: Download the 25 Sample Exam Questions of Microsoft Azure Solutions Architect from here.
Check out one of the questions and see if you can crack this…
Ques. There is a requirement to ensure that virtual machines hosted in Virtual Networks can communicate across both virtual networks by using their private IP address. Which of the following can be used to fulfil this requirement?
A. Virtual Network Peering
B. VPN Gateway
C. Local Gateway
D. ExpressRoute
The right answer will be revealed in my next week’s blog.
Here is the answer to the question shared last week (Scroll down at the end of this post for the question).
Ques: What is a tenant in Azure AD?
A. A Tenant represents an entire organization.
B. A Tenant represents a user in an organization.
C. A Tenant represents a geographic location in an organization.
Answer: A
Explanation: A tenant represents an organization in Azure Active Directory. An organization receives and owns a dedicated Azure AD service instance when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365.
Feedback
We always strive to improve on the previous session and be the best version of ourselves; hence we constantly ask our attendees for feedback.
Here’s the feedback that we received from our trainees who had attended the session…
Related/References
- [Recap] Day 1: Azure Active Directory [Azure Solutions Architect] [AZ-303/304]
- Tips To Prepare Exam AZ-304: Microsoft Azure Architect Design
- Microsoft Azure Solution Architect AZ-303/AZ-304: Everything You Need To Know
- Microsoft Azure Architect Design Step By Step Activity Guides (Hands-On Labs)
- Azure Compute Options: What is Azure Computing?
Next Task For You
Are you still feeling confused about where to start or which certification is right for you? Just click on the register now button below to register for a Free Masterclass on Microsoft Azure Solutions Architect Certification, Live Demo & Q/A, which will help you choose the right path and clear the certification exam.