(1) AZ-500 Manage identity and access in Azure Active Directory
Built-in Roles for Azure Resources (USES POWERSHELL) (3)
- Owner (full access to all resources, including the right to delegate access)
- Contributor (create and manage all types of Azure resources but can't grant access to others)
- Reader (can view existing Azure resources)
Some data operations that can be specified in DataActions and NotDataActions (3)
- Read a list of blobs in a container
- Write a storage blob in a container
- Delete a message in a queue
Azure AD allows you to define two different types of groups (2)
- Security groups (manage member and computer access to shared resources for a group of users)
- Office 365 groups (lets you give people outside of your organization access to the group)
What is included in Azure AD Connect? (5)
- Sync services (makes sure that identity information for your on-premises users and groups matches that in the cloud)
- Health monitoring (supplies robust monitoring and a central location in the Azure portal for viewing this activity)
- AD FS (use to configure a hybrid environment via an on-premises AD FS infrastructure)
- Password hash synchronization (sign-in method that synchronizes a hash of a user's on-premises Active Directory password with Azure AD)
- Pass-through authentication (sign in to both on-premises and cloud-based applications using the same passwords)
Add cloud identities to Azure AD in multiple ways (3)
- Syncing an on-premises Windows Server Active Directory (Azure AD Connect)
- Use the Azure portal (manually add new users through the Azure portal, as User Administrator)
- Use the command line (New-AzureADUser)
Azure AD Connect Benefits (3)
- Users can use a single identity to access both on-premises applications and cloud services
- A single tool provides an easy deployment experience for synchronization and sign-in
- Integration provides the newest capabilities
Subscriptions in Azure are both (2)
- billing entity
- security boundary
Which of the following sets the scope of a role to be the resource group myResourceGroup?
- /subscriptions/de324015-0284-4582-9d9c-6f1e52a30471
- /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup/backupvm1
- /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup
/subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup
What is a role definition?
A role definition is a collection of permissions
Creating a new role can be done through several mechanisms (3)
- Azure portal (you can use the Azure portal to create a custom role: Azure Active Directory > Roles and administrators > New custom role)
- Azure PowerShell (you can use the New-AzureADMSRoleDefinition cmdlet to define a new role)
- Azure Graph API (you can use a REST call to the Graph API to programmatically create a new role)
Typically, Azure AD defines users in three ways (3)
- Cloud identities (these users exist only in Azure AD; when these accounts are removed from the primary directory, they are deleted)
- Directory-synchronized identities (these users exist in an on-premises Active Directory; their source is Windows Server AD)
- Guest users (these users exist outside Azure; their source is Invited user)
What information does an Action provide in a role definition?
- An Action provides the allowed management capabilities for the role.
- An Action determines what data the role can manipulate.
- An Action decides what resource the role is applied to.
An Action provides the allowed management capabilities for the role.
Which of the following best describes the relationship between a subscription and an Azure AD directory?
- An Azure AD directory has a 1:1 relationship with a subscription.
- An Azure AD directory can be associated with multiple subscriptions, but a subscription is always tied to a single directory.
- An Azure AD directory is associated with a single subscription, but a subscription can trust multiple directories.
An Azure AD directory can be associated with multiple subscriptions, but a subscription is always tied to a single directory.
Companies that use an on-premises Windows Server Active Directory solution can integrate their existing users and groups with Azure Active Directory with
Azure AD Connect
What is Azure Active Directory (Azure AD)?
Azure AD is Microsoft's cloud-based identity and access management service which provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.
To create a new Azure AD go to this in the Azure Portal
Create a resource / Identity / Azure Active Directory
Data operations are specified in the
DataActions and NotDataActions properties
If you belong to multiple directories, you can switch the current directory you are working in through
Directory + subscription button in the Azure portal header
Users and groups can be added to one subscription (true/false)
False (Users and groups can be added to multiple subscriptions)
How are NotActions used in a role definition?
- NotActions are subtracted from the Actions to define the list of permissible operations.
- NotActions are consulted after Actions to deny access to a specific operation.
- NotActions allow you to specify a single operation that is not allowed.
NotActions are subtracted from the Actions to define the list of permissible operations.
An organization can also be known as this in the Azure AD
Tenant
An organization can have more than one Azure AD directory. (true/false)
True
With Azure AD Connect, you can provide your users with a common identity for Office 365, Azure, and SaaS applications integrated with Azure AD in a hybrid identity environment. (true/false)
True
You can connect a Windows AD server to Azure AD to extend your directory into Azure. (true/false)
True
Azure AD is not
a cloud version of Windows Server Active Directory (also not intended as a complete replacement for an on-premises Active Directory)
A given subscription in Azure is associated with
a single Azure AD directory
Multiple subscriptions can trust the same directory, but
a subscription can only trust one directory
Once a user is authenticated, Azure AD builds
an access token to authorize the user and determine what resources they can access and what they can do with those resources
An Azure subscription is a _______________.
- billing entity and security boundary
- container that holds users
- monthly charge for Azure services
billing entity and security boundary