141-160 Flashcards
QUESTION 141
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Box 1: Yes
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD.
Box 2: Yes
As described above, third-party cloud services and on-premises Active Directory can be used to access Azure resources. This is known as ‘federation’.
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.
Box 3: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization service to provide secure access to Azure resources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
QUESTION 142
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Box 1: No
Azure Active Directory (Azure AD) is a cloud-based service. It does not require domain controllers on virtual machines.
Box 2: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization service to provide secure access to Azure resources and Microsoft 365.
Box 3: No
User accounts in Azure Active Directory can be assigned multiple licenses for different Azure or Microsoft 365 services.
QUESTION 143
Which two types of customers are eligible to use Azure Government to develop a cloud solution? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- a Canadian government contractor
- a European government contractor
- a United States government entity
- a United States government contractor
- a European government entity
Correct Answer: CD
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Azure Government is a cloud environment specifically built to meet compliance and security requirements for the US government. This mission-critical cloud delivers breakthrough innovation to U.S. government customers and their partners. Azure Government applies to government at any level, from state and local governments to federal agencies including Department of Defense agencies.
The key difference between Microsoft Azure and Microsoft Azure Government is that Azure Government is a sovereign cloud. It’s a physically separated instance of Azure, dedicated to U.S. government workloads only. It’s built exclusively for government agencies and their solution providers.
References:
https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-government/2-what-is-azure-government
QUESTION 144
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Box 1: No
It is not true that you must deploy a federation solution or sync on-premises identities to the cloud. You can have a cloud-only environment and use MFA.
Box 2: No
Picture identification and passport numbers are not valid MFA authentication methods. Valid methods include: Password, Microsoft Authenticator App, SMS and Voice call.
Box 3:
You can configure MFA to be required for administrator accounts only or you can configure MFA for any user account.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
QUESTION 145
You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet by using an anonymous IP address, the users are prompted automatically to change their password.
Which Azure service should you use?
- Azure AD Connect Health
- Azure AD Privileged Identity Management
- Azure Advanced Threat Protection (ATP)
- Azure AD Identity Protection
Correct Answer: D
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Azure AD Identity Protection includes two risk policies: sign-in risk policy and user risk policy. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.
There are several types of risk detection. One of them is Anonymous IP Address. This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent.
You can configure the sign-in risk policy to require that users change their password.
References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
QUESTION 146
DRAG DROP
Match the term to the correct definition.
Instructions: To answer, drag the appropriate term from the column on the left to its description on the right. Each term may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Box 1: ISO
ISO is the International Organization for Standardization. Companies can be certified to ISO standards; for example, ISO 9001 and ISO 27001 are commonly used by IT companies.
Box 2: NIST
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce.
Box 3: GDPR
GDPR is the General Data Protection Regulation. This regulation was adopted across Europe in May 2018 and replaces the now deprecated Data Protection Directive.
The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Box 4: Azure Government
US government agencies or their partners interested in cloud services that meet government security and compliance requirements can be confident that Microsoft Azure Government provides world-class security, protection, and compliance services. Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800-171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located in the U.S. only).
References:
https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-welcome
QUESTION 147
To what should an application connect to retrieve security tokens?
- an Azure Storage account
- Azure Active Directory (Azure AD)
- a certificate store
- an Azure key vault
Correct Answer: B
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Azure AD authenticates users and provides access tokens. An access token is a security token that is issued by an authorization server. It contains information about the user and the app for which the token is intended, which can be used to access Web APIs and other protected resources.
Instead of creating apps that each maintain their own username and password information, which incurs a high administrative burden when you need to add or remove users across multiple apps, apps can delegate that responsibility to a centralized identity provider.
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as Conditional Access policies that require a user to be in a specific location, the use of multi-factor authentication, as well as enabling a user to sign in once and then be automatically signed in to all of the web apps that share the same centralized directory. This capability is referred to as Single Sign On (SSO).
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
QUESTION 148
Your network contains an Active Directory forest. The forest contains 5,000 user accounts.
Your company plans to migrate all network resources to Azure and to decommission the on-premises data center.
You need to recommend a solution to minimize the impact on users after the planned migration. What should you recommend?
- Implement Azure Multi-Factor Authentication (MFA)
- Sync all the Active Directory user accounts to Azure Active Directory (Azure AD)
- Instruct all users to change their password
- Create a guest user account in Azure Active Directory (Azure AD) for each user
Correct Answer: B
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
To migrate to Azure and decommission the on-premises data center, you would need to create the 5,000 user accounts in Azure Active Directory. The easy way to do this is to sync all the Active Directory user accounts to Azure Active Directory (Azure AD). You can even sync their passwords to further minimize the impact on users.
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
QUESTION 149
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Box 1: Yes
You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.
All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs (including Azure AD activity logs). Activity logs record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it’s consuming.
Box 2: Yes
Azure Monitor can consolidate log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together.
Box 3: Yes
You can create alerts in Azure Monitor.
Alerts in Azure Monitor proactively notify you of critical conditions and can potentially attempt to take corrective action. Alert rules based on metrics provide near-real-time alerting based on numeric values, while rules based on logs allow for complex logic across data from multiple sources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
QUESTION 150
HOTSPOT
You create a resource group named RG1 in Azure Resource Manager. You need to prevent the accidental deletion of the resources in RG1.
Which setting should you use? To answer, select the appropriate setting in the answer area.
Hot Area:
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
You can configure a lock on a resource group to prevent the accidental deletion.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
QUESTION 151
You have a resource group named RG1.
You need to prevent the creation of virtual machines only in RG1. The solution must ensure that other objects can be created in RG1.
What should you use?
- a lock
- an Azure role
- a tag
- an Azure policy
Correct Answer: D
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
In this question, we would create an Azure policy assigned to the resource group that denies the creation of virtual machines in the resource group.
You could place a read-only lock on the resource group. However, that would prevent the creation of any resources in the resource group, not virtual machines only. Therefore, an Azure Policy is a better solution.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
QUESTION 152
What can Azure Information Protection encrypt?
- network traffic
- documents and email messages
- an Azure Storage account
- an Azure SQL database
Correct Answer: B
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Azure Information Protection can encrypt documents and emails.
Azure Information Protection is a cloud-based solution that helps an organization to classify and, optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.
The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory.
This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location – inside or outside your organization, networks, file servers, and applications.
References:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
QUESTION 153
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
- the Knowledge Center website
- the Advisor blade from the Azure portal
- Compliance Manager from the Service Trust Portal
- the Solutions blade from the Azure portal
Correct Answer: C
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool that helps you track, assign, and verify your organization’s regulatory compliance activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and Azure.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide
QUESTION 154
HOTSPOT
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
Azure Information Protection is used to automatically add a watermark to Microsoft Word documents that contain credit card information.
You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable regardless of where the data is stored or with whom it’s shared. The labels can include visual markings such as a header, footer, or watermark.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. In this question, we would configure a label to be automatically applied to Microsoft Word documents that contain credit card information. The label would then add the watermark to the documents.
Reference:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-quick-start-tutorial
QUESTION 155
HOTSPOT
To complete the sentence, select the appropriate option in the answer area.
Hot Area:
Section: Describe identity, governance, privacy, and compliance features
Explanation/Reference:
Explanation:
The VNet will be marked as ‘Non-compliant’ when the policy is assigned. However, it will not be deleted and will continue to function normally.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
If there are any existing resources that aren’t compliant with a new policy assignment, they appear under Non-compliant resources.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal