Identity & Access Management
There is a need to target policies and review spend budgets across several subscriptions you manage. What should be created for the subscriptions? a. A billing group b. A management group c. A nested resource group
A management group A management groups. Management groups can be used to organize and manage subscriptions.
Which of the following would be good example of when to use a resource lock? a. An ExpressRoute circuit with connectivity back to your on-premises network. b. A virtual machine used to test occasional application builds. c. A storage account used to store images processed in a development environment.
An ExpressRoute circuit with connectivity back to your on-premises network. An ExpressRoute circuit with connectivity back to your on-premises network. Resource locks prevent other users in your organization from accidentally deleting or modifying critical resources.
If you don't need on-premises AD integration, use this authentication method
Cloud-Only authentication
Azure AD supports which of the following security protocols? a. Kerberos b. OAuth c. OpenID Connect
OAuth OAuth is used for authorization.
Which of the following options can be used when configuring multifactor authentication in Azure? a. Block a user if stolen password is suspected. b. Configure IP addresses outside the company intranet that should be blocked. c. One time bypass for a user that is locked out.
One time bypass for a user that is locked out. Allowing one-time access is an available option.
If you want want to enforce user level AD security policies during sign in, you need the following authentication method:
Pass through Auth
The compliance auditors wants to ensure as employees change jobs or leave the company that their privileges are also changed or revoked. They are especially concerned about the Administrator group. To address their concerns. you implement which of the following? a. Access reviews b. Azure time-based policies c. JIT virtual machine access
Access reviews Access reviews. Access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.
A company has implemented Azure AD PIM. There is a need to ensure a new hires request elevation before they make any changes in Azure, what should you do? a. Activate the new hire. b. Assign the new hire the Eligible role membership type. c. Include the new hire in an access review.
Assign the new hire the Eligible role membership type. Assign the new hire the Eligible role membership type. When someone is Eligible for role membership, they must request activation before they can use the role.
The company hires a new administrator and needs to create a new Azure AD user account for them. The new hire must be able to: - Read/write resource deployments they are responsible for. - Read Azure AD access permissions They should not be able to view Azure subscription information. What should be configured to make this work? a. Assign the user the Contributor role at the resource group level. b. Assign the user the Owner role at the resource level. c. Assign the user the Global Administrator role.
Assign the user the Contributor role at the resource group level. Assign the user the Contributor role at the resource group level. This will give the new hire the least privileges necessary for the role.
A company has three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your solution must minimize administrative overhead. What should be set up? a. Assign the user to the Contributor role on the resource group. b. Assign the user to the Contributor role on VM3. c. Move VM3 to a new resource group and assign the user to the Contributor role on VM3.
Assign the user to the Contributor role on VM3. Assign the user to the Contributor role on VM3. This means the user will not have access to VM1 or VM2. By assigning the Contributor role to the current resource group is incorrect, as it would the new hire to change the settings on VM1 and VM2 and therefore would meet the requirements.
Identity Protection identifies risks in which of the following classifications? a. Specific IP address b. Atypical travel c. Unregistered device
Atypical travel Identity Protection can recognize logins from unexpected locations and times.
Your organization is considering multifactor authentication in Azure. Your manager asks about secondary verification methods. Which of the following options could serve as secondary verification method? a. Automated phone call. b. Emailed link to verification website. c. Microsoft account verification code.
Automated phone call. You can configure an automated phone call for verification.
Which tool can you use to synchronize Azure AD passwords with on-premises Active Directory? a. Azure AD Connect b. Active Directory Federation Services c. Password writeback
Azure AD Connect Azure AD Connect. Azure AD Connect sync is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronize identity data between your on-premises environment and Azure AD.
Azure AD PIM is used to manage which of the following roles? a. Azure privileged users b. Azure resource groups c. Azure AD roles
Azure AD roles Azure AD roles. While not part of this question, you could all manage Azure resource roles.
Which of the following is an authentication option that integrates with Azure Active Directory, requiring you to use several differing methods, like your phone, to confirm your identity? a. FIDO2 security keys b. Microsoft Authenticator app c. Azure Active Directory Multi-Factor Authentication
Azure Active Directory Multi-Factor Authentication Azure Active Directory Multi-Factor Authentication (MFA) is a great way to secure your organization, but users often get frustrated with the extra security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know. The other choices are passwordless authentication options that integrate with Azure AD. Azure AD DS) enables the use of ciphers such as NTLM v1 and TLS v1.
Which licensing plan supports Identity Protection? a. Azure Active Directory Free b. Azure Active Directory Premium P1 c. Azure Active Directory Premium P2
Azure Active Directory Premium P2 Identity Protection helps you configure risk-based conditional access for your applications to protect them from identity-based risks.
You have implemented Identity Protection and are reviewing the Risky users report. For each reported event you can choose any of the following actions? a. Confirm user compromise b. Delete the risk event c. Dismiss user account
Confirm user compromise Confirming that a user was compromised is a valid option when reviewing identity projection reports.
Which of the following methods enable you to automatically add or remove users to security groups or Microsoft 365 groups, so you don't always have to do it manually? a. Automatic add b. Dynamic user c. Microsoft 365 user
Dynamic user Dynamic user uses rules to automatically add and remove members.
Your organization has implemented multifactor authentication in Azure. Your goal is to provide a status report by user account. Which of the following values could be used to provide a valid MFA status? a. Enrolled b. Enforced c. Required
Enforced Enforced is a valid MFA status in the report screen.
If you need on-premises AD integration, have an existing federation provider and your authentication requirements ARE NOT natively supported by Azure AD, then use the following authentication method:
Federation Authentication
To enable Azure AD PIM for your directory, what Azure AD Role do you need to enable PIM? a. Office 365 Admin b. Co-Administrator c. Global Admin
Global Admin Global Admin. Of the options listed only the Global Admin role has the permission to enable PIM.
Identity Protection has reported that a user's credentials have been leaked. According to policy, the user's password must be reset. Which Azure AD role can reset the password? a. Global Administrator b. Security Administrator c. Security Operator
Global Administrator Global Administrator. To use Identity Protection a user must be in one of these roles. Each role has different privileges but only the Global Administrator can reset a user's password.
When configuring Azure AD roles, which of the following roles would allow the user to manage all the groups in a tenant and would be able to assign other admin roles? a. Global administrator b. Password administrator c. Security administrator
Global administrator Global administrator. Only the global administrator can manage groups across tenants and assign other administrator roles.
An organization has enabled Azure AD PIM. The senior IT manager wants the role set up so no action is required, what should you do? a. Give the manager JIT access to the role. b. Make the manager Permanent Active in the role. c. Make the manager Assigned to a role.
Make the manager Permanent Active in the role. Make the manager Permanent Active in the role. This type of role assignment doesn't require a user to perform any action to use the role.
If you need on-premises AD integration, but don't need to use cloud authentication, password protection and your authentication requirements are natively supported by Azure AD, then use the following authentication method:
Pass through Authentication Seamless SSO
The IT help desk wants to reduce the password reset support tickets. You suggest having users sign into both on-premises and cloud-based applications using the same password. Your organization does not plan on using Azure AD Identity Protection, so which feature would be easiest to implement given the requirements? a. Federation b. Pass-through authentication c. Password hash synchronization
Pass-through authentication Pass-through authentication. Pass-through Authentication (PTA) allows your users to sign-in to both on-premises and cloud-based applications by using the same passwords. PTA signs users in by validating their passwords directly against on-premises Active Directory. PTA does not provide Azure AD Identity Protection leaked credential reports.
If you need on-premises AD integration, and need to use cloud authentication, password protection and your authentication requirements are natively supported by Azure AD, then use the following authentication method:
Password Hash Sync + Seamless SSO
If you want sign in disaster recovery or leaked credential reports, you need the following authentication method:
Password hash sync
Conditional Access can be used to enable which of the actions listed below? a. Block or grant access from specific time of day. b. Designate privileged user accounts. c. Require multifactor authentication.
Require multifactor authentication. It is possible to force a user, group or users, or all users to use MFA with a conditional access policy.
A manager asks for an explanation of how Azure uses resource groups. Which of the following capabilities is a feature of how Azure uses resource groups? a. Resources can be in multiple resource group. b. Resources can be moved from one resource group to another resource group. c. Resource groups can be nested.
Resources can be moved from one resource group to another resource group. Resources can easily be moved between resource groups, so this is correct.
