Review Test 03
2. Which of the following sets the scope of a role to be the resource group myResourceGroup? /subscriptions/de324015-0284-4582-9d9c-6f1e52a30471 /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup/backupvm1 /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup
/subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup Correct!
What is an ExpressRoute circuit? An ExpressRoute circuit implements a site-to-site connection across a VPN connection to an Azure datacenter. An ExpressRoute circuit is a direct hard-wired connection between your on-premises datacenter and an Azure datacenter. A backup service that provides connectivity to the Microsoft cloud if your VPN connection fails. A circuit provides a physical connection for transmitting data through the ExpressRoute provider's edge routers to the Microsoft edge routers.
A circuit provides a physical connection for transmitting data through the ExpressRoute provider's edge routers to the Microsoft edge routers. This is the correct answer.
Which of the following sentences best describes a container image? A container image is a read-only portable package that contains software and may include an operating system. A container image is a set of commands that builds a container. A container image is a read-only portable package that contains software.
A container image is a read-only portable package that contains software and may include an operating system. A container image is an immutable package that contains all the application code, system packages, binaries, libraries, configuration files, and the operating system running in the container. Docker containers running on Linux share the host OS kernel and don't require a container OS as long as the binary can access the OS kernel directly.
Custom domain
A domain that you customize for your Azure AD directory. When you create an Azure AD directory, Azure automatically assigns it a default domain like <your-organization>.onmicrosoft.com. But you can customize domain names. Your users could then have accounts like [email protected] instead of [email protected].
What is a tenant in Azure AD? A tenant represents an entire organization. A tenant represents a user in an organization. A tenant represents a geographic location in an organization.
A tenant represents an entire organization. You create a tenant for your organization so that your internal users can be managed by Azure AD.
Azure Active Directory B2C (Azure AD B2C)
No personal data is stored outside of Europe, but policy configuration data is stored in US datacenters.
How Azure AD compares with Active Directory
Active Directory - Kerberos, NTLM - Forests, Domains, OUs. AAD - includes SAML, OAuth, WS-Federation - Tenants.
1. What information does an Action provide in a role definition? An Action provides the allowed management capabilities for the role. An Action determines what data the role can manipulate. An Action decides what resource the role is applied to.
An Action provides the allowed management capabilities for the role. Correct. The Action defines what the role can do.
Which of the following best describes the relationship between a subscription and an Azure AD directory? An Azure AD directory has a 1:1 relationship with a subscription. An Azure AD directory can be associated with multiple subscriptions, but a subscription is always tied to a single directory. An Azure AD directory is associated with a single subscription, but a subscription can trust multiple directories.
An Azure AD directory can be associated with multiple subscriptions, but a subscription is always tied to a single directory. Correct. Azure subscriptions can only trust a single directory, but multiple subscriptions can be associated to a single Azure AD instance.
Azure AD directory
An Azure resource that's created for you automatically when you subscribe to Azure. You can create many Azure AD directories. Each of these directories represents a tenant.
Which connection type supports connectivity to Office 365? Point-to-site over a VPN connection through an Azure network gateway. Site-to-site over a VPN connection through an Azure network gateway. An ExpressRoute connection.
An ExpressRoute connection. This is the correct answer.
Account
An identity and its associated data. An account can't exist without an identity.
Azure AD account
An identity created in Azure AD or in services like Microsoft 365. These identities are stored in Azure AD. For example, internal staff members might use Azure AD accounts daily at work.
Azure AD tenant
An instance of an Azure AD. This tenant is created for you automatically when you first sign up for Azure or other services like Microsoft 365. A tenant, which represents an organization, holds your users, their groups, and applications.
Role-based access control (RBAC)
is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure.
Essential features of Azure AD
Azure AD B2B, Azure AD B2C, Azure AD DS, Application management, Protect your apps through conditional-access policies, Monitor your application access, Azure AD Identity Protection
What does Azure AD B2B provide? Azure AD B2B allows you to manage your customers' identities. It provides access to applications and resources. Azure AD B2B allows you to let your users access virtual machines by using their company Azure AD credentials. Azure AD B2B allows you to invite external users to your tenant so that your staff can collaborate with them.
Azure AD B2B allows you to invite external users to your tenant so that your staff can collaborate with them. If your company works with external contractors, those contractors can be invited as guest users. When the work is done, access for those contractors can be revoked.
Hybrid identity for linking on-premises Active Directory with Azure AD
Azure AD password hash synchronization. Azure AD pass-through authentication. Federated authentication.
Azure AD licenses
Azure Active Directory Free, Azure Active Directory Premium P1, Azure Active Directory Premium P2, Pay-as-you-go licenses for specific features
ExpressRoute overview
Azure ExpressRoute lets you seamlessly extend your on-premises networks into the Microsoft cloud. This connection between your organization and Azure is dedicated and private. Layer 3 connectivity. Built-in redundancy. Dynamic routing - ExpressRoute uses the Border Gateway Protocol (BGP). BGP is used to exchange routes between on-premises networks and resources running in Azure.
Alerting and reporting
Azure Monitor Log Analytics
Monitor networks in Azure
Azure Network Watcher Network Performance Monitor Performance Monitor
2. Which storage option is the best choice that allows the host and container to share a file to manage name server resolution, for example the resolv.conf file on Linux? A volume Bind mount
Bind mount A bind mount, like a volume, is stored on the host filesystem at a specific folder location. However, bind mount data is expected to be updated by the host. The resolv.conf contents are expected to be changed by the host and used by both the container and host.
2. Which of the following is not a benefit of ExpressRoute? Redundant connectivity Consistent network throughput Encrypted network communication Access to Microsoft cloud services
Encrypted network communication Correct. ExpressRoute does provide private connectivity, but it isn't encrypted.
What security benefits does Azure ExpressRoute provide? An ExpressRoute connection is automatically encrypted, to help protect traffic that passes across the internet to the Microsoft cloud. The speed at which data traverses an ExpressRoute connection makes it impossible to intercept by network monitors and packet sniffers. ExpressRoute uses a dedicated, private network to connect to the Microsoft cloud. Traffic doesn't traverse the public internet, so it's difficult to intercept. ExpressRoute uses a proprietary transmission protocol that constantly varies, so it's difficult to intercept traffic.
ExpressRoute uses a dedicated, private network to connect to the Microsoft cloud. Traffic doesn't traverse the public internet, so it's difficult to intercept. This is the correct answer.
Authentication protocols
Kerberos TLS/SSL
When should you use Azure ExpressRoute instead of Azure site-to-site connectivity? For handling enterprise-class and mission-critical workloads. For connecting mobile users directly to your virtual network running in Azure. For handling small-scale production workloads running on Azure virtual machines. To save connection costs for occasionally connected users to the Microsoft cloud.
For handling enterprise-class and mission-critical workloads. This answer is correct.
Azure Active Directory B2B (Azure AD B2B)
Guest users access applications through a link in an invitation email or a link shared directly with them. These redemption links are stored in US datacenters. If a user unsubscribes from invitation messages, their email address is also stored in US datacenters.
Which licensing plan supports Identity Protection? Azure Active Directory Free Azure Active Directory Premium P1 Azure Active Directory Premium P2
Identity Protection helps you configure risk-based conditional access for your applications to protect them from identity-based risks.
What is Microsoft peering? It provides a direct connection from your on-premises network to an Azure datacenter. It enables you to connect your on-premises network to Office 365 services and Dynamics 365. It provides a connection between your on-premises network and an ExpressRoute provider. It provides a point-to-site connection for computers in your on-premises location to Office 365 services.
It enables you to connect your on-premises network to Office 365 services and Dynamics 365. This is the correct answer.
What is an identity security score? It's a number between 1 and 223 that indicates exactly how many identities are secured in your organization. It's a number between 1 and 223 that indicates how aligned your security is with Microsoft best practices. It's a number between 1 and 223 that indicates how well your organization's tenants align with each other.
It's a number between 1 and 223 that indicates how aligned your security is with Microsoft best practices. Use an identity security score to see how secure your Azure AD instance is.
1. What is the Azure ExpressRoute service? It's a service that provides a VPN connection between on-premises and the Microsoft cloud. It's a service that encrypts your data in transit. It's a service that provides a direct connection from your on-premises datacenter to the Microsoft cloud. It's a service that provides a site-to-site VPN connection between your on-premises network and the Microsoft cloud.
It's a service that provides a direct connection from your on-premises datacenter to the Microsoft cloud. This answer is correct.
On which of the following operating systems does Docker for desktop run? Windows only Linux and Windows only Linux, macOS, and Windows
Linux, macOS, and Windows The desktop version of Docker runs on Linux, macOS, and Windows.
Multi-tenant
Multiple-tenant access to the same applications and services in a shared environment. These tenants represent multiple organizations.
3. How are NotActions used in a role definition? NotActions are subtracted from the Actions to define the list of permissible operations. NotActions are consulted after Actions to deny access to a specific operation. NotActions allow you to specify a single operation that is not allowed.
NotActions are subtracted from the Actions to define the list of permissible operations. Correct!
Network authentication
Password authentication Two-factor authentication Token authentication Biometric authentication Transactional authentication Computer recognition authentication CAPTCHA Single sign-on
Built-in Roles for Azure Resources
Owner, which has full access to all resources, including the right to delegate access to others. Contributor, which can create and manage all types of Azure resources but can't grant access to others. Reader, which can view existing Azure resources.
Azure Multi-Factor Authentication
Phone calls and text messages come from US datacenters, and global providers handle the routing. OAuth code validation happens in the US. Push notifications for the Microsoft Authenticator app come from US datacenters.
1. What does the term identity mean? Something that can be authenticated. It can be a user, application, service, or anything that needs to be identified. A user that can be authenticated. It has to be a user. Applications or services can't be considered as identities. The service that does the authentication for users. It can also be an application.
Something that can be authenticated. It can be a user, application, service, or anything that needs to be identified. An identity represents a user, or sometimes a service or an application, that needs access to do something.
Identity
Something that has to be identified and authenticated. An identity is typically a user who has username and password credentials, but the term can also apply to applications or services.
Global administrator
The role that gives you access to all administrative capabilities in Azure AD. When you create a tenant, you automatically have this role for the tenant. This role allows you to reset passwords for all users and administrators, for example.
Owner role
The role you use to manage all resources in Azure, including the access levels that users need for resources.
Role definitions
This role definition includes a Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (for example, read access) for the role.
Get started with Azure AD
https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-ad/5-get-started
3. True or False, an organization can have more than one Azure AD directory. True False
True Correct. While a single directory is created for the organization initially, more can be created to divide the security across boundaries.
Connect Active Directory to Azure AD with Azure AD Connect
https://docs.microsoft.com/en-us/learn/modules/manage-users-and-groups-in-aad/6-azure-ad-connect
Protect your apps through conditional-access policies
Use conditional-access policies to require users to pass additional authentication challenges before they access an application. For example, you can configure a conditional-access policy to require users to complete a multi-factor authentication challenge after their credentials are verified and before they access the application. Conditional-access policies are available for Premium P1 and Premium P2 license tiers.
ExpressRoute supports two peering schemes:
Use private peering to connect to Azure IaaS and PaaS services deployed inside Azure virtual networks. The resources that you access must all be located in one or more Azure virtual networks with private IP addresses. You can't access resources through their public IP address over a private peering. Use Microsoft peering to connect to Azure PaaS services, Office 365 services, and Dynamics 365.
What is RBAC?
https://docs.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/2-rbac-overview
Pay-as-you-go licenses for specific features
You access specific Azure AD features, like Azure AD B2C, on a pay-as-you-go basis. Azure AD B2C lets you manage identity and access for consumer users and the applications they use.
Azure Active Directory Free
You can manage users and groups, and you get basic reports, on-premises Active Directory synchronization, and self-service password reset for Azure AD users. You also get single sign-on for Microsoft 365, Azure services, and many third-party SaaS applications.
Azure Active Directory Premium P1
You get all the features from the free tier, but you can also let users access on-premises and cloud-based services and resources. You can use self-service group management or dynamic groups, where users are added and removed automatically, based on your criteria. This tier supports on-premises identity management suites like Microsoft Identity Manager. Self-service password reset is also supported for users who are based on-premises.
Azure Active Directory Premium P2
You get all the features of the previous two tiers, along with Active Directory Identity Protection. This feature helps you configure risk-based conditional access to protect applications from identity risks. You can also use privileged identity management, which lets you monitor and put detailed restrictions on administrators.
What does Azure AD Application Proxy do? You use it to identify applications in your instance of Azure AD. You use it to add on-premises applications to your instance of Azure AD. You use it to add Azure AD Gallery applications to your instance of Azure AD.
You use it to add on-premises applications to your instance of Azure AD. By using Application Proxy in this way, you create secure remote access for your on-premises applications.
Azure subscription
Your level of access to use Azure and its services. For pay-as-you-go access, use your credit card to set up an Azure subscription. There are several types of subscriptions. For example, enterprise-level customers can use Azure Enterprise Agreement subscriptions. Each account can use many subscriptions.
Azure AD pass-through authentication
An agent is installed on on-premises servers that authenticate against the on-premises Active Directory. When an Azure AD user account tries to authenticate, password authentication is handled on-premises through these servers and Active Directory.
1. An Azure subscription is a _______________. billing entity and security boundary container that holds users monthly charge for Azure services
billing entity and security boundary Correct. Azure subscriptions manage resources, limits, and provide the charges billed to the account owner.
1. A container is launched using the --publish 80:8080 flag. Which of the following options is the most likely network configuration used for the container? none bridge host
bridge The Bridge network configuration is an internal, private network used by the container and isolates the container network from the Docker host network. We use the publish flag to map ports between the container and host ports.
Which is the correct Docker command to rebuild a container image? docker rebuild docker compile docker build
docker build You use the docker build command to rebuild a container image. Once you've built an image, the image can't be changed. The only way to change an image is to create a new image.
Azure AD Identity Protection
helps you to automatically detect, investigate, and remediate identity risks for users.
Connect your on-premises network to the Microsoft global network by using ExpressRoute
https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-expressroute/
How Azure ExpressRoute works
https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-expressroute/3-how-expressroute-works
Federated authentication
the authentication process is performed by an on-premises Active Directory Federation Services (AD FS) server that validates users' passwords. Use this authentication method if you want advanced measures like smart card-based authentication for users.
Azure AD password hash synchronization
the user's password is hashed twice and synchronized between the on-premises Active Directory and Azure AD. Users have the same credentials to access resources and applications both on-premises and in the cloud.