SC-900
service principal
An identity for an application. For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD to enable its integration. Once registered, [this term] is created in each Azure AD tenant where the application is used.
-Azure App Service -Azure Storage
For which two services can you extend Microsoft Defender for Cloud by obtaining Defender plans? Defender for Cloud has the following Defender plans: -Microsoft Defender for Servers -Microsoft Defender for Storage -Microsoft Defender for SQL -Microsoft Defender for Containers -Microsoft Defender for App Service -Microsoft Defender for Key Vault -Microsoft Defender for Resource Manager -Microsoft Defender for DNS -Microsoft Defender for open-source relational database -Microsoft Defender for Azure Cosmos DB
Zero Trust
Which security model assumes that everything is an open and untrusted network?
Defense in Depth
Which security model uses a layered approach to security, providing mechanisms to stop a breach at the perimeter of each layer?
Functionality provided by Azure AD
-provides SSO -provides federation -is one perimeter of defense in depth -does NOT provide file services -does NOT provide encryption of data in transit
single sign-on (SSO)
allows a user to sign in with a single credential and have access to multiple applications and resources. It does not ensure that a user will not have to sign in again. It leverages a centralized identity provider. It has nothing to do with password resets.
Azure AD B2C customer identity access management (CIAM)
allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on (SSO) to applications. AD DS cannot be configured to allow external users to authenticate with their social identities. ADWS is a Windows service that provides a web service interface to AD DS and Active Directory Lightweight Directory Services (AD LDS) directory service. Azure AD B2B allows you to share apps and services with a guest user.
single sign-on (SSO) for users
Which functionality is provided by Azure AD?
roles
What should you use in Azure AD to provide users with the ability to perform administrative tasks?
-Azure AD -Microsoft Teams
For which two services does Microsoft Secure Score provide recommendations?
virtual networks
What can you use in Azure to implement network segmentation based on departments?
Azure AD Password Protection - helps you defend against password spray attacks. Conditional Access brings signals together to make decisions and enforce organizational policies, but it cannot stop password attacks by itself. SSPR allows users to change or reset their password, without administrator or help-desk involvement, but it cannot prevent password attacks. Windows Hello for Business replaces passwords with strong two-factor authentication on devices.
A malicious user is attempting to access many user accounts by using commonly used passwords. The user repeats the action every 20 minutes to avoid triggering an account lockout. Which Azure AD feature can protect organizations from such attacks?
Azure AD Connect - designed to meet and accomplish hybrid identity goals. ADFS cannot be used for hybrid identity models. Microsoft Sentinel is not an identity product. PIM is used for managing and monitoring access to important resources.
An organization is migrating to the Microsoft cloud. The plan is to use a hybrid identity model. What can be used to sync identities between Active Directory Domain Services (AD DS) and Azure AD?
Audit (Premium)
In Microsoft Purview, what can be used to investigate possible security or compliance breaches and identify their scope based on records?
Insider risk management
In Microsoft Purview, what can you use to detect potential leaks of sensitive data and theft of intellectual property?
a retention label and a retention label policy
In Microsoft Purview, what can you use to label items as regulatory records, maintain proof of item deletion, and export information about disposed items?
Communication compliance
In Microsoft Purview, what can you use to scan for offensive language across an organization?
a sensitivity label and a sensitivity label policy
In Microsoft Purview, what should you create to automatically encrypt documents marked by users as sensitive?
Network Security Groups (NSG)
Provide network layer traffic filtering to limit traffic to resources within virtual networks in each subscription.
virtual networks
To implement network segmentation in Azure, what must you create?
Azure Web Application Firewall (WAF)
What Azure feature provides application-level filtering and SSL termination?
1. Microsoft-managed controls 2. shared controls 3. customer-managed controls
What are the three types of controls used in Microsoft Purview Compliance Manager?
-something the claimant knows -something the claimant is -something the claimant has
What are three things that a user can use for Azure AD Multi-Factor Authentication (MFA)?
-Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network. -Bring your own device (BYOD) can be used to complete corporate tasks.
What are two characteristics of an identity as the primary security perimeter model?
resource layer attacks, protocol attacks, and volumetric attacks
What are types of distributed denial-of-service (DDoS) attacks?
Conditional Access
What can be used to enforce MFA when users access an application registered in Azure AD?
Conditional Access - can be used to enforce MFA based on a condition (accessing an app). Password hash synchronization enables password sync with Active Directory. RBAC provides authorization, not authentication. NSGs provide rules for network access.
What can be used to enforce multi-factor authentication (MFA) when users access an application registered in Azure AD?
Microsoft Purview compliance portal
What can you use to monitor communications that contain sensitive information and minimize the exposed risk? It helps admins manage an organization's compliance requirements with greater ease and convenience and can help reduce data risks.
Azure AD Password Protection
What can you use to prevent users from using an organization's name or the names of the organization's products as passwords in Azure AD? This can also protect from password spray.
user risk
What can you use to receive alerts for potentially compromised user accounts without blocking the users from signing in?
user risk - represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability. Admins can set up this signal without interrupting user sign-ins.
What can you use to receive alerts for potentially compromised user accounts without blocking the users from signing in?
an organization's progress towards implementing controls
What does the compliance score in Compliance Manager measure?
dynamic groups
What feature can you use to assign users with access to resources based on the city attribute of the user?
dynamic groups - have their membership determined automatically based on user attributes, such as city. No roles in Azure AD have dynamic membership. PIM allows you to force authentication based on rights.
What feature can you use to assign users with access to resources based on the city attribute of the user?
Users can authenticate once and access resources anywhere
What is a benefit of single sign-on (SSO) compared to other authentication models?
Federation enables access to services across organizations.
What is a characteristic of federation?
Verify explicitly
What is a guiding principle of the Zero Trust model?
Leaked credentials is a user risk. Atypical travel, anonymous IP address, and password spray are sign-in risks.
What is a user risk in Azure AD Identity Protection?
User Administrator
What is the least privileged Azure AD role that can be used to create and manage users and groups?
Azure AD Premium P2
What is the minimum edition of Azure AD needed to use Azure AD Privileged Identity Management (PIM)?
Microsoft Purview compliance portal
Where can you access and review sensitive files from a snapshot of the scanned items?
password hash synchronization
Which Azure AD feature allows you to authenticate users by using an on-premises Active Directory domain without needing to connect to on-premises domain controllers?
Self-Service Password Reset (SSPR)
Which Azure AD feature helps reduce help desk calls and the loss of productivity when a user cannot sign in to their device or an application?
Azure Firewall
Which Azure feature provides network-level filtering, application-level filtering, and outbound SNAT?
Azure Web Application Firewall (WAF)
Which Azure service provides centralized protection of web apps from common exploits and vulnerabilities?
Microsoft Defender for Office 365
Which Microsoft 365 Defender solution safeguards against malicious email threats?
security
Which Microsoft privacy principle defines the use and management of encryption keys?
Microsoft Defender for Cloud Apps
Which Microsoft solution allows you to meet compliance standards for General Data Protection Regulation (GDPR) and Payment Card Industry (PCI)?
OATH hardware tokens
Which authentication method can use a time-based, one-time password?
endpoints, identities, email, and applications
Which components can be protected by using Microsoft 365 Defender?
asymmetric encryption
Which encryption method uses a public key and private key pair?
Symmetric Encryption
Which encryption method uses the same key to encrypt and decrypt data?
assigning custodians
Which feature is only available in the Premium edition of eDiscovery for Microsoft Purview?
Azure AD
Which identity provider allows you to use software as a service (SaaS) and platform as a service (PaaS) in Azure with least administrative effort?
Authorization
Which pillar of an identity infrastructure is responsible for defining the level of access a user has over the resources on a network?
Azure AD Identity Protection - Azure AD Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats. Microsoft Defender can only protect the endpoint, and it cannot help mitigate this specific task. While Conditional Access can be useful to improve the security of the organization, it cannot help mitigate this specific task. Azure AD Identity Protection is a service that enables you to manage, control, and monitor access to important resources in an organization.
Which service can help mitigate the impact of compromised user accounts?
Microsoft Defender for Cloud
Which service enables you to continually assess the security posture, identify threats, and harden resources in Azure and on-premises workloads?
-Assign an Azure AD license -Enable SSPR for the user -Register an authentication method
Which three actions should be performed to enable self-service password reset (SSPR) for a user?
-Azure AD Identity Protection -Azure AD Privileged Identity Management (PIM) -role-based access control (RBAC)
Which three features reduce the chance of a malicious user accessing a sensitive resource or an authorized user inadvertently affecting a sensitive resource?
- Azure AD Identity Protection - Azure AD Privileged Identity Management (PIM) - role-based access control (RBAC) - Azure AD Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. RBAC using Azure AD roles controls access to Azure AD resources.
Which three features reduce the chance of a malicious user accessing a sensitive resource or an authorized user inadvertently affecting a sensitive resource? Each correct answer presents a complete solution.
-Microsoft Authenticator app -voice call
Which two additional forms of authentication are available in Azure AD for multi-factor authentication (MFA) from any device?
-email -security questions
Which two authentication methods are available for self-service password reset (SSPR) in Azure AD? Each correct answer presents a complete solution.
-endpoint detection and response (EDR) -vulnerability scanning for SQL resources
Which two features are part of Microsoft Defender for Cloud's enhanced security?
-Center for Internet Security (CIS) -National Institute of Standards and Technology (NIST)
Which two industry frameworks are used in the Azure Security Benchmark?
- group membership - device platform - Conditional Access signals include user or group membership, named location information, application, real-time sign-in risk detection, cloud apps or actions, and user risk.
Which two signals can be used as part of Conditional Access? Each correct answer presents part of the solution.
managed identity
Which type of identity should you use to allow Azure virtual machines to access Azure Storage without having to handle password changes manually?
information barrier policy
Which type of policy can you use to prevent users from sharing files with users in other departments?
The AllowVNetInBound rule is processed first. The AllowAzureLoadBalancerInBound rule is processed second. The last rule that will be processed in the NSG is the DenyAllInBound rule.
You have the following inbound network security group (NSG) security rules in Azure: -AllowVNetInBound with a priority of 65000 -AllowAzureLoadBalancerInBound with a priority of 65001 -DenyAllInBound with a priority of 65500 No other inbound rules were defined for the NSG. In which order will the rules be processed?
Azure AD Connect
designed to meet and accomplish hybrid identity goals. Can be used to sync identities between Active Directory Domain Services (AD DS) and Azure AD.
Federation
enables access to services across organizations. Identity providers can be on-premises, trust is not always bidirectional, and users do not need to maintain different usernames in other domains.