SC-900


service principal

An identity for an application. For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD to enable its integration. Once registered, [this term] is created in each Azure AD tenant where the application is used.

-Azure App Service -Azure Storage

For which two services can you extend Microsoft Defender for Cloud by obtaining Defender plans? Defender for Cloud has the following Defender plans: -Microsoft Defender for Servers -Microsoft Defender for Storage -Microsoft Defender for SQL -Microsoft Defender for Containers -Microsoft Defender for App Service -Microsoft Defender for Key Vault -Microsoft Defender for Resource Manager -Microsoft Defender for DNS -Microsoft Defender for open-source relational database -Microsoft Defender for Azure Cosmos DB

Zero Trust

Which security model assumes that everything is an open and untrusted network?

Defense in Depth

Which security model uses a layered approach to security, providing mechanisms to stop a breach at the perimeter of each layer?

Functionality provided by Azure AD

-provides SSO -provides federation -is one perimeter of defense in depth -does NOT provide file services -does NOT provide encryption of data in transit

single sign-on (SSO)

allows a user to sign in with a single credential and have access to multiple applications and resources. It does not ensure that a user will not have to sign in again. It leverages a centralized identity provider. It has nothing to do with password resets.

Azure AD B2C customer identity access management (CIAM)

allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on (SSO) to applications. AD DS cannot be configured to allow external users to authenticate with their social identities. ADWS is a Windows service that provides a web service interface to AD DS and Active Directory Lightweight Directory Services (AD LDS) directory service. Azure AD B2B allows you to share apps and services with a guest user.

single sign-on (SSO) for users

Which functionality is provided by Azure AD?

roles

What should you use in Azure AD to provide users with the ability to perform administrative tasks?

-Azure AD -Microsoft Teams

For which two services does Microsoft Secure Score provide recommendations?

virtual networks

What can you use in Azure to implement network segmentation based on departments?

Azure AD Password Protection - helps you defend against password spray attacks. Conditional Access brings signals together to make decisions and enforce organizational policies, but it cannot stop password attacks by itself. SSPR allows users to change or reset their password, without administrator or help-desk involvement, but it cannot prevent password attacks. Windows Hello for Business replaces passwords with strong two-factor authentication on devices.

A malicious user is attempting to access many user accounts by using commonly used passwords. The user repeats the action every 20 minutes to avoid triggering an account lockout. Which Azure AD feature can protect organizations from such attacks?

Azure AD Connect - designed to meet and accomplish hybrid identity goals. ADFS cannot be used for hybrid identity models. Microsoft Sentinel is not an identity product. PIM is used for managing and monitoring access to important resources.

An organization is migrating to the Microsoft cloud. The plan is to use a hybrid identity model. What can be used to sync identities between Active Directory Domain Services (AD DS) and Azure AD?

Audit (Premium)

In Microsoft Purview, what can be used to investigate possible security or compliance breaches and identify their scope based on records?

Insider risk management

In Microsoft Purview, what can you use to detect potential leaks of sensitive data and theft of intellectual property?

a retention label and a retention label policy

In Microsoft Purview, what can you use to label items as regulatory records, maintain proof of item deletion, and export information about disposed items?

Communication compliance

In Microsoft Purview, what can you use to scan for offensive language across an organization?

a sensitivity label and a sensitivity label policy

In Microsoft Purview, what should you create to automatically encrypt documents marked by users as sensitive?

Network Security Groups (NSG)

Provide network layer traffic filtering to limit traffic to resources within virtual networks in each subscription.

virtual networks

To implement network segmentation in Azure, what must you create?

Azure Web Application Firewall

What Azure feature provides application-level filtering and SSL termination?

Azure Web Application Firewall (WAF)

What Azure feature provides application-level filtering and SSL termination?

1. Microsoft-managed controls 2. shared controls 3. customer-managed controls

What are the three types of controls used in Microsoft Purview Compliance Manager?

-something the claimant knows -something the claimant is -something the claimant has

What are three things that a user can use for Azure AD Multi-Factor Authentication (MFA)?

-Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network. -Bring your own device (BYOD) can be used to complete corporate tasks.

What are two characteristics of an identity as the primary security perimeter model?

resource layer attacks, protocol attacks, and volumetric attacks

What are types of distributed denial-of-service (DDoS) attacks?

Conditional Access

What can be used to enforce MFA when users access an application registered in Azure AD?

Conditional Access - can be used to enforce MFA based on a condition (accessing an app). Password hash synchronization enables password sync with Active Directory. RBAC provides authorization, not authentication. NSGs provide rules for network access.

What can be used to enforce multi-factor authentication (MFA) when users access an application registered in Azure AD?

Microsoft Purview compliance portal

What can you use to monitor communications that contain sensitive information and minimize the exposed risk? It helps admins manage an organization's compliance requirements with greater ease and convenience and can help reduce data risks.

Azure AD Password Protection

What can you use to prevent users from using an organization's name or the names of the organization's products as passwords in Azure AD? This can also protect from password spray.

user risk

What can you use to receive alerts for potentially compromised user accounts without blocking the users from signing in?

user risk - represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability. Admins can set up this signal without interrupting user sign-ins.

What can you use to receive alerts for potentially compromised user accounts without blocking the users from signing in?

an organization's progress towards implementing controls

What does the compliance score in Compliance Manager measure?

dynamic groups

What feature can you use to assign users with access to resources based on the city attribute of the user?

dynamic groups - have their membership determined automatically based on user attributes, such as city. No roles in Azure AD have dynamic membership. PIM allows you to force authentication based on rights.

What feature can you use to assign users with access to resources based on the city attribute of the user?

Users can authenticate once and access resources anywhere

What is a benefit of single sign-on (SSO) compared to other authentication models?

Federation enables access to services across organizations.

What is a characteristic of federation?

Verify explicitly

What is a guiding principle of the Zero Trust model?

Leaked credentials is a user risk. Atypical travel, anonymous IP address, and password spray are sign-in risks.

What is a user risk in Azure AD Identity Protection?

User Administrator

What is the least privileged Azure AD role that can be used to create and manage users and groups?

Azure AD Premium P2

What is the minimum edition of Azure AD needed to use Azure AD Privileged Identity Management (PIM)?

Microsoft Purview compliance portal

Where can you access and review sensitive files from a snapshot of the scanned items?

password hash synchronization

Which Azure AD feature allows you to authenticate users by using an on-premises Active Directory domain without needing to connect to on-premises domain controllers?

Self-Service Password Reset (SSPR)

Which Azure AD feature helps reduce help desk calls and the loss of productivity when a user cannot sign in to their device or an application?

Azure Firewall

Which Azure feature provides network-level filtering, application-level filtering, and outbound SNAT?

Azure Web Application Firewall (WAF)

Which Azure service provides centralized protection of web apps from common exploits and vulnerabilities?

Microsoft Defender for Office 365

Which Microsoft Defender 365 solution safeguards against malicious email threats?

security

Which Microsoft privacy principle defines the use and management of encryption keys?

Microsoft Defender for Cloud Apps

Which Microsoft solution allows you to meet compliance standards for General Data Protection Regulation (GDPR) and Payment Card Industry (PCI)?

OATH hardware tokens

Which authentication method can use a time-based, one-time password?

endpoints, identities, email, and applications

Which components can be protected by using Microsoft 365 Defender?

asymmetric encryption

Which encryption method uses a public key and private key pair?

Symmetric Encryption

Which encryption method uses the same key to encrypt and decrypt data?

assigning custodians

Which feature is only available in the Premium edition of eDiscovery for Microsoft Purview?

Azure AD

Which identity provider allows you to use software as a service (SaaS) and platform as a service (PaaS) in Azure with least administrative effort?

Authorization

Which pillar of an identity infrastructure is responsible for defining the level of access a user has over the resources on a network?

authorization

Which pillar of an identity infrastructure is responsible for defining the level of access a user has over the resources on a network?

Azure AD Identity Protection - Azure Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats. Microsoft Defender can only protect the end-point, and it cannot help mitigate this specific task. While Conditional Access can be useful to improve the security of the organization, it cannot help mitigate this specific task. Azure AD Identity Protection is a service that enables you to manage, control, and monitor access to important resources in an organization.

Which service can help mitigate the impact of compromised user accounts?

Microsoft Defender for Cloud

Which service enables you to continually assess the security posture, identify threats, and harden resources in Azure and on-premises workloads?

-Assign an Azure AD license -Enable SSPR for the user -Register an authentication method

Which three actions should be performed to enable self-service password reset (SSPR) for a user?

-Azure AD Identity Protection -Azure AD Privileged Identity Management (PIM) -role-based access control (RBAC)

Which three features reduce the chance of a malicious user accessing a sensitive resource or an authorized user inadvertently affecting a sensitive resource?

- Azure AD Identity Protection - Azure AD Privileged Identity Management (PIM) - role-based access control (RBAC) - Azure AD Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. RBAC through Azure AD roles controls access to Azure AD resources.

Which three features reduce the chance of a malicious user accessing a sensitive resource or an authorized user inadvertently affecting a sensitive resource? Each correct answer presents a complete solution.

-Microsoft Authenticator app -voice call

Which two additional forms of authentication are available in Azure AD for multi-factor authentication (MFA) from any device?

-email -security questions

Which two authentication methods are available for self-service password reset (SSPR) in Azure AD? Each correct answer presents a complete solution.

-endpoint detection and response (EDR) -vulnerability scanning for SQL resources

Which two features are part of Microsoft Defender for Cloud's enhanced security?

-Center for Internet Security (CIS) -National Institute of Standards and Technology (NIST)

Which two industry frameworks are used in the Azure Security Benchmark?

- group membership - device platform - Conditional Access signals include User or group membership, Named location information, Application, Real-time sign-in risk detection, Cloud apps or actions and User risk.

Which two signals can be used as part of Conditional Access? Each correct answer presents part of the solution.

managed identity

Which type of identity should you use to allow Azure virtual machines to access Azure Storage without having to handle password changes manually?

information barrier policy

Which type of policy can you use to prevent users from sharing files with users in other departments?

The AllowVNetInBound rule is processed first. The AllowAzureLoadBalancerInBound rule is processed second. The last rule that will be processed in the NSG is the DenyAllInBound rule.

You have the following inbound network security group (NSG) security rules in Azure: -AllowVNetInBound with a priority of 65000 -AllowAzureLoadBalancerInBound with a priority of 65001 -DenyAllInBound with a priority of 65500 No other inbound rules were defined for the NSG. In which order will the rules be processed?

Azure AD Connect

designed to meet and accomplish hybrid identity goals. Can be used to sync identities between Active Directory Domain Services (AD DS) and Azure AD.

Federation

enables access to services across organizations. Identity providers can be on-premises, trust is not always bidirectional, and users do not need to maintain different usernames in other domains.
