AZ103
Azure AD B2B Features
1. Allows you to collaborate with partners outside of your organization
2. Users receive an email with a confirmation link upon invitation
3. Imported users are Azure AD External User Objects
4. Access to shared apps, resources, documents, etc.
5. Partners access with their own credentials
6. Enterprise-level security
What are the 2 Design Authentication types?
1. Cloud Authentication with On-Premises
   a. Password Hash Sync + Seamless SSO
   b. Pass-Through Authentication + Seamless SSO
2. Federated Authentication Methods
   a. AD FS
   b. 3rd Party Federation Providers
Azure AD Hybrid Identity with Password Hash Sync Features
1. Effort
   1.a - Least effort required
   1.b - Part of the AD Connect sync process that runs every two minutes
2. User Experience
   2.a - Deploy Seamless SSO to eliminate unnecessary prompts after the user signs in
3. Business Continuity
   3.a - Highly available, as the cloud service scales with Microsoft datacenters
   3.b - Deploy an additional AD Connect server in staging mode as a standby configuration
4. Other Considerations
   4.a - No immediate enforcement of on-premises account state changes. Consider running an immediate sync after bulk updates
Azure AD Hybrid Identity with Pass-Through Authentication Features
1. Effort
   1.a - Need 1 or more (3 recommended) agents installed on existing servers
   1.b - Must have access to on-premises AD domain controllers
   1.c - Need outbound access to the internet
2. User Experience
   2.a - Deploy Seamless SSO to eliminate unnecessary prompts after the user signs in
3. Business Continuity
   3.a - Recommended to deploy 2 extra pass-through agents for redundancy
   3.b - Deploy password hash sync as a backup
4. Other Considerations
   4.a - Consider password hash sync as a backup
   4.b - Remember that pass-through authentication enforces the on-premises account policy at the time of sign-in
What are the 4 ARM template constructs?
1. Parameters - Define the inputs you want to pass into the ARM template during deployment
2. Variables - Values that you can use throughout your template. Used to simplify your template by enabling reuse of values
3. Resources - Define the resources you wish to deploy or update
4. Outputs - Specify values that are returned after the ARM deployment is complete
What are the 4 types of MFA?
1. Phone call
2. Text message
3. Mobile app notification - Enter PIN and verify on mobile
4. Mobile app verification code - Soft token on mobile
5. Third-party tokens - RSA
You need to map a drive to a data file share in an Azure storage account from your Windows 10 workstation. What outbound port should be opened from the home computer to the file share?
445
How many Azure AD Directories can a single user belong to?
500
What are Resource Manager templates?
A Resource Manager template precisely defines all the Resource Manager resources in a deployment. You can deploy a Resource Manager template into a resource group as a single operation.
Azure Active Directory Domain Services
AADDS provides managed domain services. It allows you to consume domain services without the need to patch and maintain domain controllers on IaaS. Domain Join, Group Policy, LDAP, Kerberos, NTLM: all supported.
Active Directory Domain Services
ADDS is the legacy Active Directory, available since Windows 2000. Traditional Kerberos and LDAP functionality. Deployed on the Windows OS, usually on VMs.
Suppose you have a script that creates several VMs with different images. When the script issues the command to create the first VM, you don't want to block the script while the VM is created; instead you want the script to immediately move on to the next command. What is the best way to do this?
Add the '--no-wait' argument to your create command.
What are the AD Connect features?
Allows you to connect and sync On Premise Active Directory with Azure
What does AD Connect Health do?
Allows you to monitor the health of your AD under Health and Analytics. Monitor sync status and on-premises health.
Suppose you have an application running on a Windows virtual machine in Azure. What is the best-practice guidance on where the app should store data files?
An attached data disk
Your Azure AD tenant has a group called Developers and a subscription1 with a resource group called DEV. You need to give the Developers group the ability to create roles and role assignments. Which of these actions should you take?
Assign the Contributor role to the group
Domain Services Overview
Azure AD (AAD); Active Directory Domain Services (ADDS); Azure Active Directory Domain Services (AADDS)
What are the types of Azure AD connections?
Azure AD B2C (Business to Consumer); Azure AD B2B (Business to Business)
What are Azure Quickstart templates?
Azure Quickstart templates are Resource Manager templates that are provided by the Azure community. Quickstart templates are available on GitHub. Many templates provide everything you need to deploy your solution. Others might serve as a starting point for your template. Either way, you can study these templates to learn how to best author and structure your own templates.
What's Azure Resource Manager?
Azure Resource Manager is the interface for managing and organizing cloud resources. Think of Resource Manager as a way to deploy cloud resources.
What are the supported SSH key formats?
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
Which protocol provides dynamic routing for Azure ExpressRoute?
Border Gateway Protocol (BGP)
What command will you run to log in to Azure to perform management activities?
Connect-AzAccount
What is the final rule that is applied in every Network Security Group?
Deny All
What are the 4 features of Azure AD?
Enterprise Identity Solution; Single Sign-On; Multifactor Authentication; Self Service
True or false: for security reasons, you must use an image from the official Azure Marketplace when creating a new virtual machine.
False. Azure lets you configure your virtual machines to meet your needs. This includes support for using your own VM images.
What storage account type is recommended for most scenarios using Azure Storage and is commonly used for blobs, files, queues, and tables?
General-purpose v2 accounts
What is an NSG?
An NSG is a network filter used to allow or restrict traffic to resources in your Azure network. It contains inbound rules and outbound rules.
What are the key features of Azure Load Balancer?
Layer 4; supports up to 100 instances; service monitoring; automated reconfiguration; hash-based distribution; internal and public options
Azure Standard Load Balancer features
Layer 4; supports up to 1000 instances; any virtual machine in a single VNet (blended options supported); supports HTTPS; supports Availability Zones (AZ); secure by default
What are the 3 types of load balancers in Azure?
Load Balancer (Basic and Standard); Application Gateway; Traffic Manager
You need to give your Development group the ability to create and manage a Custom API in Azure Logic App. What built-in role should you assign to this group?
Logic App Contributor
What are the components used by update management?
Microsoft Monitoring Agent (MMA) for Windows or Linux; PowerShell Desired State Configuration (DSC) for Linux; Automation Hybrid Runbook Worker; Microsoft Update or Windows Server Update Services (WSUS) for Windows computers
Active Directory Features
Modern AD service built directly for the cloud. Often the same as the O365 directory service. Can sync with the on-premises directory service.
Security group rules
NSGs use rules to allow or deny traffic moving through the network. Each rule identifies the source and destination address (or range), protocol, port (or range), direction (inbound or outbound), a numeric priority, and whether to allow or deny the traffic that matches the rule. The following illustration shows NSG rules applied at the subnet and network interface levels.
What are the 3 types of VM disks?
Operating system storage. Every VM includes one disk that stores the operating system. This drive is registered as a SATA drive and labeled as the C: drive in Windows and mounted at "/" in Unix-like operating systems.
Temporary storage. Every VM includes a temporary VHD that is used for page and swap files. Data on this drive may be lost during a maintenance event or redeployment. The drive is labeled as D: on a Windows VM by default.
Data storage. A data disk is any other disk attached to a VM. You use data disks to store files, databases, and any other data that you need to persist across reboots.
What is the effect of security settings for a new virtual machine?
Outbound requests are allowed. Inbound traffic is only allowed from within the virtual network.
Suppose you have several Linux virtual machines hosted in Azure. You will administer these VMs remotely over SSH from three dedicated machines in your corporate headquarters. Which of the following authentication methods would typically be considered best-practice for this situation?
Private key with passphrase. Private key access with a passphrase is the most secure option. Even if an attacker acquires your private key, they will be unable to use it without the passphrase.
Say you want to create a reusable template that uses the Custom Script Extension to configure web content on a VM. What's the best way to enable deployments to specify the script that configures web content?
Provide a parameter that specifies the script location.
When creating a Windows virtual machine in Azure, which port would you open using the INBOUND PORT RULES in order to allow remote-desktop access?
RDP (3389)
As an administrator, you need to lock a resource group to prevent other users in your organization from accidentally deleting or modifying critical resources. You use the Azure Portal to put a lock on a resource group that contains a virtual machine to prevent all users from starting or restarting the virtual machine. Which of the following locks would you apply?
ReadOnly
While working with RBAC, you get the error message "No more role assignments can be created (code: RoleAssignmentLimitExceeded)" when you try to assign a role. What is the likely fix for this issue?
Reduce the number of role assignments by assigning roles to groups instead
What command allows you to configure tenant, Subscription and environment cmdlets?
Run Set-AzureRmContext [-Tenant <String>] from Azure Cloud Shell
Your Azure subscription has the following resource groups:
RG1 in the North Europe region using Policy1
RG2 in the West Europe region using Policy2
RG3 in the France Central region using Policy3
RG3 has a web app named MyWebApp3 located in France Central. You move MyWebApp3 to the RG2 resource group. What is the result of this action?
The App Service Plan for MyWebApp3 remains in France Central; Policy2 applies to MyWebApp3
What's the Custom Script Extension?
The Custom Script Extension is an easy way to download and run scripts on your Azure VMs. It's just one of the many ways you can configure a VM once it's up and running.
Suppose you're an administrator of several Azure virtual machines. You get a text message indicating some problems with your VMs. You are at a friend's house and only have your tablet with you. True or false: you'll still be able to access the Azure CLI using the tablet, even though you can't install the CLI on it.
True. Azure Cloud Shell is available in the browser and runs with the full Azure CLI. If you prefer PowerShell, Cloud Shell has that as well.
True or false: Azure public peering allows you to connect to services with public IP addresses without your traffic being routed over the internet
True. Azure public peering enables private connections to services that are available on public IP addresses. Some examples of services that support this are Azure Storage and Azure SQL Database.
What are the types of Azure Disks?
Ultra disks
Azure ultra disks deliver high throughput, high IOPS, and consistent low-latency disk storage for Azure IaaS VMs. Ultra disks include the ability to dynamically change the performance of the disk without the need to restart your virtual machines (VMs). Ultra disks are suited for data-intensive workloads such as SAP HANA, top-tier databases, and transaction-heavy workloads. Ultra disks can only be used as data disks. We recommend using premium SSDs as OS disks.
Premium SSD disks
Premium SSD disks are backed by solid-state drives (SSDs), and deliver high-performance, low-latency disk support for VMs running I/O-intensive workloads. These drives tend to be more reliable because they have no moving parts. A read or write head doesn't have to move to the correct location on a disk to find the data requested.
Standard SSD
Premium storage is limited to specific VM sizes, so the VM type you create will impact the storage capabilities: size, max capacity, and storage type. What if you have a low-end VM, but you need SSD storage for I/O performance? That's what Standard SSDs are for. Standard SSDs sit between standard HDDs and premium SSDs from a performance and cost perspective.
Standard HDD storage
Standard HDD disks are backed by traditional hard disk drives (HDDs). Standard HDD disks are billed at a lower rate than Premium disks. Standard HDD disks can be used with any VM size.
How can you help Resource Manager determine the correct order to apply resources?
Use the dependsOn element to define when one resource must exist before another can be deployed.
What is a Network Security Group?
Virtual networks (VNets) are the foundation of the Azure networking model and provide isolation and protection. Network Security Groups (NSGs) are the main tool you use to enforce and control network traffic rules at the networking level. NSGs are an optional security layer that provides a software firewall by filtering inbound and outbound traffic on the VNet.
Are Azure Domains Globally Unique?
Yes
You have created an Azure policy with the following settings:
Scope: Subscription1
Exclusions: Subscription1/AdatumRG1
Policy Definition: Disallowed resource types
Assignment Name: Disallowed resource types
Parameters: Not allowed resource types = Microsoft.Sql/servers
What will be the effect of this Azure policy?
You can create Microsoft SQL servers in the AdatumRG1 resource group only
SMTP (port 25) is a special case: depending on your subscription level and when your account was created, outbound SMTP traffic may be blocked.
You can make a request to remove this restriction with business justification.
Most Azure commands return JSON by default. Sometimes this data set can be very large, which makes it difficult to read and tricky to use the result of one command as input to another command. What can you use with Azure CLI to filter the results to get only the data that you need?
You can use the '--query' argument.
What does declarative automation mean?
You define what resources you need but not how to create them.
You need to perform an Azure Monitor log query in your Log Analytics workspace to get the errors from a table called "SecurityEvents". Which query would you run in the workspace?
search in (SecurityEvents) "error" | take 100