Access & Identity
Users who are assigned limited administrator directory roles can use the Azure portal to invite B2B collaboration users. In addition to being invited to a directory or to a group, what else can B2B collaboration users be invited to? - Limited self-service functionality for modifying their profiles. - Network resources such as printers. - An application
An application.
In which two ways can you declare app roles by using the Azure portal? - Certificates and secrets. - Use the App manifest editor and API permissions. - Use the App roles and App manifest editor.
Application roles are used to assign permissions to users. You define app roles by using the Azure portal. When a user signs into the application, Azure AD emits a roles claim for each role that has been granted to the user individually and through their group membership. The App roles and Manifest editor are found in the Manage section of the app.
Azure AD allows for the definition of two different types of groups; one type is Security groups, which are used to manage member and computer access to shared resources. What is the other type of group? - Distribution groups, which are used for communications purposes via applications such as Teams and Exchange. - Licensing groups, which are used to make it easier to administer software licenses. - Microsoft 365 groups, which provide access to shared mailboxes, calendars, SharePoint sites, and so on.
Azure AD allows for the definition of Security groups and Microsoft 365 groups.
Typically, Azure AD defines users in three ways. Cloud identities and guest users are two of the ways. What is the third way Azure AD defines users? - As non-connected users. - As transitional users. - As directory-synchronized identities.
Azure AD defines users as cloud identities, guest users, and directory-synchronized identities.
What action does Conditional Access perform? - It is the component that enforces multifactor authentication policies for access. - It analyzes signals such as user, device, and location to enforce organizational access policies. - It monitors and logs all access attempts.
Conditional Access is the tool used by Azure Active Directory to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.
What are dynamic groups? - Dynamic groups are Microsoft 365 groups whose memberships consist of Dynamics 365 users, who require special attribute configurations. - Dynamic groups are security groups whose memberships are based on user attributes (such as userType, department, or country/region). - Dynamic groups are groups whose membership numbers fluctuate significantly within a given timeframe.
Dynamic groups are security groups whose memberships are based on user attributes.
Which one of the following is a best practice for building multi-tenant apps? - Follow the principle of least user access to ensure that your app only requests permissions it actually needs. - Test your app in each tenant to ensure functionality. - Use names and descriptions that are only meaningful to your team.
Follow the principle of least user access to ensure that your app only requests permissions it actually needs. Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they are agreeing to when they attempt to use your app's APIs.
Azure AD guest users have restricted directory permissions. Which of the following answers best describes guest users' capabilities? - They can manage their own profile, change their own password, and add other B2B guests to groups. - They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps. - They can manage their own profile, change their own password, and identify group members or other directory objects.
Guest users can only manage aspects of their own profile information, like their password, and view available resources like apps.
The proliferation of many types of devices and the bring your own device (BYOD) concept require IT professionals to accommodate two rather different goals. One goal is to allow users to be productive wherever and whenever they work. What is the other goal? - Provide antimalware apps for various devices. - Establish baseline security guidelines for users. - Protect the organization's assets.
"Identity is the new perimeter" is a common security phrase these days, meaning that validation of both people and devices is required to protect company assets.
By default, who has the ability to create application registrations or consent to applications in Azure Active Directory? - All Azure AD users - All Azure AD and Guest users - Only users assigned the Global Administrator role
In Azure AD, all users can create application registrations and manage all aspects of the applications they create. Everyone also has the ability to consent to apps accessing company data on their behalf.
Azure AD group-based licensing makes large-scale management easier. Typically, how soon are license modifications effective after group membership changes are made? - Within the timeframe of local domain controllers being refreshed. - Within minutes of a membership change. - Within 24 hours of a membership change.
License modifications that result from group membership changes are typically effective within minutes of a membership change.
Which user provisioning modes are supported for applications in the Azure AD gallery? - Administrator approved and automatic. - You should only use Manual Provisioning to ensure security. - Manual and automatic.
Manual provisioning means there is no automatic Azure AD provisioning connector for the app yet. User accounts must be created manually, for example by adding users directly in the app's administrative portal or by uploading a spreadsheet with user account details. Consult the documentation provided by the app or contact the app developer to determine what mechanisms are available. Automatic means that an Azure AD provisioning connector has been developed for this application.
What is Microsoft's Cloud Access Security Broker solution? - Microsoft Cloud App Security - Microsoft Cloud Computing Services - Microsoft Security Center
Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy.
Which authentication method requires the least effort regarding deployment, maintenance, and infrastructure? - Password hash synchronization (PHS). - Pass-through authentication (PTA). - Federated authentication.
PHS requires the least effort regarding deployment, maintenance, and infrastructure, which typically applies to organizations that only need their users to sign in to Microsoft 365, SaaS apps, and other Azure AD-based resources.
Which task can a user with the Security Operator role perform? - Configure alerts - Confirm safe sign-in - Reset a password for a user
Security Operators can view all Identity Protection reports and the Overview blade, dismiss user risk, confirm safe sign-in, and confirm compromise.
What service and connector work together to securely pass a user sign-on token from Azure AD to a web application running in an organization's on-premises datacenter? - The Azure AD Application Proxy service and Application Proxy connector - An Application Proxy connector and the Azure Firewall service - The Azure AD Application Proxy service and Application Gateway
The Azure AD Application Proxy service and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application.
Which of the following groups of information can be found in the Azure Active Directory Usage and insights report? - The top used application in your organization, who gave consent to an application, and the top sign-in errors for each application - The top used application in your organization, the applications with the most failed sign-ins, and the service that logged the occurrence - The top used applications in your organization, the application with the most failed sign-ins, and the top sign-in errors for each application
The top used applications in your organization, the application with the most failed sign-ins, and the top sign-in errors for each application.
There are two risk policies that can be enabled in the directory. One is the user risk policy. Which is the other risk policy? - Mobile device access risk policy - Sign-in risk policy - Hybrid identity sign-in risk policy
There are three APIs that expose information about risky users and sign-ins. The first API, riskDetection, allows you to query Microsoft Graph for a list of both user and sign-in linked risk detections and associated information about the detection. The second API, riskyUsers, allows you to query Microsoft Graph for information about users that Identity Protection detected as being risky. The third API, signIn, allows you to query Microsoft Graph for information on Azure AD sign-ins with specific properties related to risk state, detail, and level.
What is the defining feature of hybrid identity solutions? -They create common user identities for authenticating and authorizing users who operate workstations that run on a variety of operating systems. -They create common user identities that are trusted for authentication and authorization between organizations. -They create common user identities for authentication and authorization to both on-premises and cloud-based resources.
They create common user identities for authentication and authorization to both on-premises and cloud-based resources.
Some situations might require the removal of a server from being monitored by the Azure AD Connect Health service. What needs to be done to start monitoring the same server again? -The Azure AD Connect Health service needs to be stopped and restarted on any other targeted server in the network. -The Health Agent needs to be uninstalled and reinstalled on this server. -The data already collected from this server needs to be deleted and then the Health Agent needs to be reactivated on the server.
To start monitoring a server again, the Health Agent needs to be uninstalled and reinstalled.
Which statement best describes the Cloud Application Administrator role? -Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications. -Users in this role have the same permissions as the Application Management role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications. -Users in this role have the same permissions as the Site Administrator role, including the ability to manage application proxy.
Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
Azure AD B2B can be configured to federate with identity providers that use either of two protocols. One protocol is Security Assertion Markup Language (SAML); what is the other protocol? -WS-Federation (WS-Fed) -Layer Two Tunneling Protocol (L2TP) -Resource Location Protocol (RLP)
WS-Fed is one of two protocols that Azure AD B2B can make use of to federate with identity providers.
A domain name is included as part of a user name or email address for users and groups. Can a domain name also be included as part of an application or other resource? - Yes, a domain name can be included as part of an application or other resource if the domain name is owned by the organization that contains the resource. - A domain name can be included as part of the app ID URI for an application, but cannot be included as part of other resources. - No, a domain name cannot be included as part of an application or other resource.
For an application or other resource contained in an organization, the domain name can be included if it is owned by that same organization.
Which of the following directories is maintained by Microsoft and used to publish applications? - SaaS directory - Single sign-on app connected directory - App gallery directory
The two directories that Microsoft maintains are the App gallery directory and the Microsoft services directory.
