305 - Azure Architect Flashcards

1
Q

Your company has an Azure subscription. The company wants a way to enforce organizational standards, assess compliance at the subscription level, and have the standards apply throughout the organization.

If compliance standards change, you should be able to update the standards and bring resources into compliance through bulk remediation. Remediation for new resources should be automatic.

Which solution meets these requirements?

  • Azure Managed Identities
  • ARM Templates
  • Azure Conditional Access
  • Azure Policy
A

Azure Policy. It enforces organizational standards and assesses compliance at any scope in the hierarchy, from management groups down to individual resources, and a definition assigned at a management group applies to every subscription beneath it. When a standard changes, update the definition and run a remediation task to bring existing resources into compliance in bulk; new resources are handled automatically by the assignment's effect (deny blocks non-compliant deployments, deployIfNotExists and modify fix them at creation time).
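
As an added illustration of how a policy rule is evaluated (example code written for this page, not from the deck or from Microsoft): a small Python evaluator for the `if` block of an Azure Policy definition, run over a constructed inventory of resources as if they all sat under one management group. The policy JSON layout mirrors the real policyRule grammar for the subset it implements (field, equals, notEquals, in, notIn, exists, allOf, anyOf, not); the resource names, tag names and allowed-locations list are invented. It reports which resources are non-compliant and which of them a remediation task (modify or deployIfNotExists) could fix, as opposed to deny findings, which only block new deployments.

```python
"""Minimal evaluator for the 'if' part of an Azure Policy rule (added example).
Sample resources and policy names are constructed for illustration."""
import re
from typing import Any

ALLOWED_LOCATIONS = ["eastus", "westeurope"]

# Two policy definitions in the real policyRule shape (subset of conditions).
POLICIES = [
    {
        "name": "allowed-locations",
        "policyRule": {
            "if": {"field": "location", "notIn": ALLOWED_LOCATIONS},
            "then": {"effect": "deny"},          # blocks new deployments only
        },
    },
    {
        "name": "require-owner-tag",
        "policyRule": {
            "if": {"anyOf": [
                {"field": "tags['owner']", "exists": "false"},
                {"field": "tags['owner']", "equals": ""},
            ]},
            "then": {"effect": "modify"},        # remediable: adds the tag
        },
    },
]

def _get_field(resource: dict, field: str) -> Any:
    """Resolve 'location', 'type', ... or tags['key'] against a resource dict."""
    m = re.fullmatch(r"tags\['([^']+)'\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)

def matches(cond: dict, resource: dict) -> bool:
    """True when the condition (a policy 'if' block) matches the resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resources, policies=POLICIES):
    """Return {resource name: [(policy name, effect), ...]} for non-compliant resources."""
    findings = {}
    for r in resources:
        hits = [(p["name"], p["policyRule"]["then"]["effect"])
                for p in policies if matches(p["policyRule"]["if"], r)]
        if hits:
            findings[r["name"]] = hits
    return findings

def remediable(findings):
    """Names of resources a remediation task could fix (modify / deployIfNotExists).
    'deny' findings on existing resources stay as compliance findings."""
    return sorted(n for n, hits in findings.items()
                  if any(e in ("modify", "deployIfNotExists") for _, e in hits))

# Constructed inventory, as if enumerated under one management group.
SAMPLE_RESOURCES = [
    {"name": "vm-prod-1", "location": "eastus",      "tags": {"owner": "ops"}},
    {"name": "st-legacy", "location": "brazilsouth", "tags": {"owner": "data"}},
    {"name": "kv-app",    "location": "westeurope",  "tags": {}},
    {"name": "sql-dev",   "location": "centralus",   "tags": {"owner": ""}},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_RESOURCES)
    for name, hits in found.items():
        print(name, hits)
    print("remediable:", remediable(found))
```

Running it lists st-legacy and sql-dev as location violations (deny, so they stay as findings until moved) and kv-app and sql-dev as tag violations that a remediation task would fix.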

2
Q

You are designing a monitoring solution for a gaming website hosted in an Azure Web App. The solution has the following requirements:

  • Track how often users return to the website in a specified time period
  • Measure how specific events influence user activities
  • View user activity by region.

You need to provide a solution that minimizes admin effort. Which should you use?

  • Time Series Insights environments
  • Azure Monitor Alerts
  • application Insights
  • Azure AI Services
A

Application Insights. Its usage analysis tools track user behaviour without a custom pipeline: the Retention view shows how many users come back within a chosen period, the Events, Funnels and User Flows views show how specific events influence what users do next, and the Users view can be broken down by country or region, which is derived from the client IP address at ingestion.

Azure Monitor alerts detect potential problems with the application or infrastructure; Time Series Insights targets IoT telemetry, and Azure AI Services is not a monitoring product.

3
Q

You are managing the Entra environment for your organization. You need to enable secure access for applications and services to Azure resources or applications. Which account or identity should you create for this purpose?

  • Device Identity
  • User Account
  • group Managed Service account (gMSa)
  • Service Principal Identity
A

Service Principal. An application identity created in Entra ID (the tenant-local representation of an app registration) that gives an application or service its own authentication and authorization to Azure resources and other applications, instead of borrowing a user's credentials. Where the workload runs on Azure, prefer a managed identity, which is a service principal whose credentials Azure creates and rotates for you.

4
Q

You create an Azure subscription for your company. You plan to create a resource group for each department in your company. You want to allow only members of a particular department to create resources in the resource group assigned to their department. Which Azure feature should you use?

  • RBAC
  • Initiatives
  • Locks
  • Policies
A
  • RBAC
5
Q

You need to recommend a storage solution on Azure for the marketing department's documents, which are currently served from a slow web page server, and move the existing file shares to the cloud. Which storage service should you recommend?

  • BLOB
  • Azure Files
  • Queue Storage
  • Managed Disks
A

Azure Files offers a fully managed file share that supports the SMB protocol (and NFS for Linux), which is ideal for migrating existing file shares to the cloud without changing how they are used.
- Easy integration: users keep accessing files through familiar share paths, so the marketing department's workflows do not change; Azure File Sync can keep an on-premises cache of the share if needed.
- Web page access: because the share is hosted independently of the slow web server, the documents can be served and managed without depending on it.

Blob Storage could also hold the documents but suits unstructured data accessed over HTTP (images, videos, backups) rather than SMB file shares; Queue Storage is for messaging and Managed Disks are block storage attached to a single VM.

6
Q

You are asked to recommend security tools to protect data at rest, in transit and in use.

Which 3 should you recommend?

  • Transparent Data Encryption
  • Always Encrypted
  • Firewall
  • Network Security Groups (NSG)
  • SSL / TLS
A

Transparent Data Encryption (TDE): protects data at rest by encrypting the database's data files, log files and backups on disk. The engine decrypts transparently for every authorized query, so TDE defends against stolen media and backups, not against a DBA or anyone holding a valid login.

Always Encrypted: protects sensitive columns at rest and in use from the database's point of view. The client driver encrypts the values before they reach the database and holds the column keys, so the engine, its memory and its administrators see only ciphertext; with secure enclaves the engine can additionally compute on the data inside an enclave. This is the control behind "even database administrators cannot view the data".

SSL/TLS: protects data in transit by encrypting the connection between clients, applications and servers, preventing interception or tampering; enforce a minimum TLS version on the server side and encrypted connections in client connection strings.

A firewall and network security groups restrict which networks can reach the service; they do not encrypt anything.

7
Q

A medium sized company is using Entra ID to control access to their applications and services that are deployed in Azure. A recent security audit shows that the Global Administrator group is populated with people who do not need such broad access.

You need to restrict this access appropriately and be able to grant elevated access only for specific periods of time (for example a day or an hour) when a person needs it for a specific task. Which 2 actions should you perform?

  • Managed identities to further restrict access the resources
  • Privileged Identity Management (PIM) to create additional rules for access
  • Add conditional access policies to your current restrictions
  • Assign more granular roles to the admin.
A

Use Privileged Identity Management (PIM) to create additional rules for access: Microsoft Entra PIM (Entra ID P2) provides just-in-time access, so administrators are made eligible for a role and activate it only for a bounded period. PIM can also require an approval workflow, MFA and a justification at activation, and raises alerts on role activations, so Global Administrator membership stays limited to people who need it temporarily.

Assign more granular roles to the admins: reducing permissions to narrower built-in roles such as Application Administrator or User Administrator follows the principle of least privilege and removes standing Global Administrator rights from those who do not need them. Microsoft's guidance is to keep fewer than five permanent Global Administrators.

Managed identities are for workloads, not people, and Conditional Access governs the conditions of a sign-in rather than the duration of a privilege.

8
Q

You are migrating on-premises workloads running on Windows and Linux VMs to Azure.

You need a monitoring strategy so that logs and metrics are available in a centralized location in Azure. The logs must be stored for at least 18 months and must be easy to view and query. Which solution should you use?

  • Event Hubs
  • Log Analytics
  • A Storage Account
A

Log Analytics workspace. The Azure Monitor Agent on both Windows and Linux VMs sends logs and performance data to one workspace, where they are queried with KQL and visualized in workbooks. Retention is set per workspace or per table: interactive retention can be raised to two years and total retention, using the lower-cost long-term tier, to twelve years, so 18 months is covered. Event Hubs only streams data and stores nothing; a storage account keeps logs cheaply but offers no query experience.

9
Q

You are designing a monitoring solution for a microservice solution hosted in AKS Cluster

You need to recommend a monitoring solution that meets the following requirements:

  • Measure the memory consumption of cluster nodes
  • Monitor the health of pods and deployments
  • Create alerts when persistent volumes are more than 80% full
  • Visualize the metrics and dashboards within the Azure Portal
A
  • Container Insights: the Azure Monitor feature for AKS. It collects node CPU and memory, pod and deployment health and persistent volume usage, surfaces them in the Azure portal's Containers views and workbooks, and its metrics (including persistent volume used percentage) can drive Azure Monitor alert rules.
10
Q

You are managing an Azure hybrid environment with resources both on-premises and in the cloud. Your task is to collect all diagnostic and audit logs centrally in an external third-party Security Information and Event Management (SIEM) system.

Requirement
Recommend the most suitable solution to route resource logs to an external third-party SIEM. The solution must allow for flexibility in real-time processing and enable routing of logs to different destinations.

Options

  • Azure Storage Account
  • Azure Service Bus
  • Azure Log Analytics Workspace
  • Azure Event Hubs
A

Azure Event Hubs is the most suitable option for routing resource logs to an external SIEM because it is designed for high-throughput data streaming and real-time event ingestion. A diagnostic setting on each resource (or an Azure Policy that deploys one) streams the logs to the hub, and the SIEM's Azure connector reads from it. It lets you:

Integrate with third-party SIEMs: most SIEMs (Splunk, QRadar, ArcSight and others) ship a connector that consumes an event hub directly.
Support real-time processing: logs arrive in near real time, so security events can be acted on as they happen.
Route logs to multiple destinations: consumer groups let several readers, such as the SIEM, an analytics job and an archive, consume the same stream independently.

A storage account and a Log Analytics workspace are also valid diagnostic-setting destinations but are batch or query stores rather than real-time pipes; Service Bus is a messaging broker and is not a diagnostic-setting destination at all.

11
Q

Your company has an on-premises Active Directory (AD) domain that uses Microsoft Entra Connect to synchronize with Microsoft Entra ID.

Employees use single sign-on (SSO) from corporate devices or their own devices to gain access to the resources they need to do their jobs. IT administrators reported that the RDP port of the on-premises AD server was opened to perform a one-time admin task.

After reports of identity theft at a partner company, you need to

  • Close RDP
  • Enable MS Entra Conditional Access
  • Disable Password Hash Sync
  • Require Strong Password
A
12
Q

Your company has a Microsoft Entra tenant named company.com. The company has a marketing, finance, and research dept.

You are designing MFA for company.com. You need to ensure that MFA is only implemented for users in the research department. Which requirement should you include in your design?

  • Implement PIM
  • Configure authentication methods
  • Conditional Access Policy
  • Implement Entra ID protection
A

A Conditional Access policy lets you enforce MFA selectively by scoping the policy's assignments. Conditional Access targets users and groups, not a department attribute directly, so the design is:

Put the research users in a group, for example a dynamic group whose membership rule is (user.department -eq "Research") so membership follows the HR attribute.
Include that group in the policy's user assignment and set the grant control to require multifactor authentication; exclude the emergency-access accounts.
Only users in the research department are then prompted for MFA, other departments are unaffected, and the policy requires an Entra ID P1 license.

Other Options:

PIM (Privileged Identity Management): Used for managing and controlling privileged access, not for applying MFA by department.
Configure Authentication Methods: While configuring authentication methods is part of MFA, it does not control who MFA is applied to.
Entra ID Protection: Primarily focuses on risk-based policies, which apply dynamically based on risk rather than specific department or group policies.
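
To make the two moving parts of this design concrete, here is an added example (written for this page, not Microsoft code and not from the deck): a toy model of a dynamic group whose rule keys on the department attribute, and a Conditional Access policy whose include and exclude lists are groups and whose grant control is MFA. It evaluates constructed sign-ins and reports whether MFA is required. The user principal names, group names, the supported rule syntax (a single user.attr -eq "value" clause) and the policy object shape are simplifications of the real Entra objects.

```python
"""Toy model of dynamic-group membership plus a Conditional Access policy (added example).
Users, groups and the policy are constructed; only the '-eq' rule form is supported."""
import re

# Dynamic membership rule in Entra's rule syntax.
RESEARCH_RULE = '(user.department -eq "Research")'

def rule_matches(rule: str, user: dict) -> bool:
    """Evaluate a single '(user.<attr> -eq "<value>")' rule against a user dict."""
    m = re.fullmatch(r'\(user\.(\w+)\s+-eq\s+"([^"]*)"\)', rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    attr, value = m.groups()
    return user.get(attr) == value

def dynamic_members(rule: str, users) -> set:
    """Membership is recomputed from attributes, so an HR change moves the user."""
    return {u["upn"] for u in users if rule_matches(rule, u)}

# Conditional Access policy, trimmed to the fields used here.
CA_POLICY = {
    "displayName": "MFA-Research",
    "state": "enabled",
    "includeGroups": ["grp-research"],
    "excludeGroups": ["grp-breakglass"],   # emergency-access accounts stay out
    "grantControls": ["mfa"],
}

def evaluate_signin(policy: dict, groups: dict, upn: str, authenticated_with_mfa: bool) -> str:
    """Return 'allow', 'mfa-required' or 'not-in-scope' for one sign-in."""
    if policy["state"] != "enabled":
        return "not-in-scope"
    in_scope = any(upn in groups.get(g, set()) for g in policy["includeGroups"])
    excluded = any(upn in groups.get(g, set()) for g in policy["excludeGroups"])
    if not in_scope or excluded:
        return "not-in-scope"
    if "mfa" in policy["grantControls"] and not authenticated_with_mfa:
        return "mfa-required"
    return "allow"

# Constructed directory.
USERS = [
    {"upn": "ada@company.com", "department": "Research"},
    {"upn": "bob@company.com", "department": "Marketing"},
    {"upn": "cas@company.com", "department": "Finance"},
    {"upn": "dee@company.com", "department": "Research"},   # also a break-glass account
]
GROUPS = {
    "grp-research": dynamic_members(RESEARCH_RULE, USERS),
    "grp-breakglass": {"dee@company.com"},
}

def decide(upn: str, mfa_done: bool = False) -> str:
    return evaluate_signin(CA_POLICY, GROUPS, upn, mfa_done)

if __name__ == "__main__":
    for u in USERS:
        print(u["upn"], "->", decide(u["upn"]))
```

Only ada is prompted: bob and cas are out of scope because their department does not satisfy the group rule, and dee, though in the research group, is excluded by the break-glass group, which is exactly the exclusion you want so a misconfigured MFA policy cannot lock every administrator out.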

13
Q

You have a hybrid identity environment that includes an on-premises Active Directory environment and a Microsoft Entra ID tenant.

You need to create an authentication solution that verifies the following:

  • On Prem AD Security Policies Applied
  • Passwords are Validated against your on-premise AD
  • Passwords are not stored in the cloud

Which solution is best?

  • SSO
  • Password Hash Sync
  • Pass Through Authentication
  • Federated Authentication
A

Pass-through Authentication (PTA). Lightweight authentication agents installed on-premises validate each cloud sign-in directly against the domain controllers, so on-premises AD account policies (lockout, expiry, disabled state, logon hours) are enforced and no password or hash is ever stored in Entra ID. Password hash sync stores a hash of the AD password hash in the cloud; federation (AD FS) also meets the three requirements but needs a federation farm to build and operate; SSO is a sign-in experience layered on either method, not an authentication method itself.
14
Q

You create an Azure subscription for your company. You plan to create a resource group for each department in your company.

You want to allow only members of a particular department to create resources in the resource group in the department.

Which Azure feature should you use?
* Locks
* Initiatives
* Policies
* RBAC

A

RBAC. Role-based access control lets you assign a role such as Contributor to the department's group at the scope of its resource group, so only those members can create resources there.

Locks allow you to prevent resources from being modified or deleted

Policies allow you to configure rules that control the types of Azure resources that are allowed in a subscription or resource groups.

Initiatives are groups of policies.

15
Q

The company has an Entra tenant named company.com.

The company uses groups to provide access to resources. Each employee has a user in company.com.

You need to recommend a solution to automatically remove users from groups that they no longer need to be in.

What do you recommend?

  • Conditional Access
  • Group Expiration
  • Access Review
  • Entra ID Protection
A

Access reviews in Microsoft Entra ID (formerly Azure AD) let you set up periodic reviews in which group owners, selected reviewers or the users themselves confirm who still needs membership. Results can be applied automatically, and the review can be configured to remove users who are denied or who do not respond, which keeps group membership tied to current need.

How it helps here:

Regular review of group membership: a recurring review (for example quarterly) prompts owners or members to confirm each membership.
Automated removal: with auto-apply enabled, denied or unanswered memberships are removed when the review ends, without an administrator touching each group.

The other options do not manage individual memberships:

Conditional Access controls access to resources based on sign-in conditions and does not change group membership.
Group expiration applies to Microsoft 365 groups and deletes the whole group at the end of its lifetime unless an owner renews it; it does not remove individual members.
Entra ID Protection detects risky users and sign-ins; it is not a membership management tool.

15
Q

Your company has an Entra ID P2 environment that hosts over 10,000 licensed users. The domain supports over 100 business-critical

  • Microsoft Entra ID Protection
A

Entra ID Protection enables an organization to
- Automate the detection and remediation of identity-based risks (risky users and risky sign-ins), for example by requiring a password change or MFA through a risk policy
- Investigate risks using the data in the portal
- Export risk data to a SIEM or Log Analytics for further analysis

16
Q

Your company has an Entra subscription. Recent security breaches have resulted in inappropriate or outdated privilege assignments. You are designing access policies for the different departments in your company to address the problem. You want to implement a solution that

  • Provides permissions only when needed
  • Lets you set start and end dates for permission assignments
  • Sends notifications when privileged roles are activated

Which minimum Entra ID license and Entra feature should be used?

A

Microsoft Entra ID P2 and Privileged Identity Management (PIM): PIM provides just-in-time eligible assignments, time-bound assignments with start and end dates, and notification emails when a role is activated, and it requires a P2 (or Entra ID Governance) license.

17
Q

You are managing the Entra environment for your organization. You need to enable secure access for applications and services to Azure resources or applications. What should you create?

A
  • Service Principal (see card 3)
18
Q

RBAC Role Assignments can be defined for a subscription or individual resource group in a blueprint? T/F

A

True. A blueprint artifact can contain role assignments scoped to the subscription or to a resource group defined in the blueprint. Note that Azure Blueprints is deprecated and scheduled for retirement in July 2026; Microsoft recommends Template Specs and Deployment Stacks for new work.

19
Q

T/F : A subscription owner can override blueprint Read Only and Do Not Delete resource locking options

A

False. Blueprint locks are enforced through a deny assignment that applies to everyone, including subscription Owners; the only way to lift them is to change the locking mode or remove the blueprint assignment.

20
Q

Your organization is preparing a landing zone to move on-premises resources to Azure. You are asked to recommend the hierarchy level at which policies must be placed so that they apply to all workloads that require the same security, compliance, connectivity and feature settings. What is your recommendation?

  • Subscription
  • Management Group
  • Resource Group
  • Resource
A

Management Group. Policy and role assignments made at a management group are inherited by every subscription and resource beneath it, so the landing-zone design groups subscriptions with the same requirements (for example Corp and Online) under one management group and assigns the shared policies there once.

21
Q

Migrating 250 GB from on-premises to Azure SQL Database with the following requirements:

  • Backup retention must be at least 14 days
  • In-memory OLTP must be supported
  • Columnstore indexes must be supported
  • There must be at least 8 GB of in-memory OLTP storage per pool guaranteed.

Which service tier and pool size do you choose?
A

Premium tier (DTU model) elastic pool with 1000 eDTUs. Premium is the only DTU-based tier that supports in-memory OLTP (Standard supports columnstore from S3 upward but not in-memory OLTP), Standard and Premium allow backup retention up to 35 days, and the in-memory OLTP storage allotted to a Premium pool grows with its size: a 500-eDTU pool gets 4 GB and a 1000-eDTU pool 10 GB, so 1000 is the smallest pool that guarantees at least 8 GB.

21
Q

You are asked to provide resources for a marketing campaign that internal users can request through self-service without approval. Access must expire within 30 days. What should you recommend?

  • Lifecycle
  • Security Group
  • Access Review
  • Access Package
A

Access package: entitlement management (Entra ID Governance) bundles the campaign's groups, applications and SharePoint sites into one package; its policy can allow internal users to request it with no approval required and set the assignment to expire 30 days after it is granted. An access review only recertifies existing access, and a plain security group has no request or expiry lifecycle.

22
Q

True or false: Always Encrypted encrypts data at rest, in memory and in use for protected columns.

A

False.

Caveat: protected columns do stay encrypted at rest, in transit and in the database engine's memory, because plaintext exists only in the client driver that holds the column keys. What the engine cannot do without an enclave is operate on the data: plain Always Encrypted supports only equality matches on deterministically encrypted columns, and computing on protected data "in use" (range comparisons, pattern matching, sorting) requires Always Encrypted with secure enclaves. Compare card 6.
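
Cards 6 and 22 turn on where plaintext exists, so here is an added example (written for this page; not Azure or SQL Server code, and not from the deck) that models that difference. Both "databases" are in-memory dicts, and the cipher is a toy HMAC-SHA256 keystream used only so the example runs without third-party packages; it is not authenticated and must never be used for real data. Under TDE the engine holds the database encryption key and decrypts for any authorized query, so a DBA's SELECT returns plaintext while a stolen backup is ciphertext. Under Always Encrypted the client driver encrypts before INSERT with a column encryption key the server never receives, so the same DBA query returns ciphertext; equality lookups still work on deterministically encrypted columns because equal plaintexts give equal ciphertexts, and randomized encryption gives that up for better confidentiality.

```python
"""Where plaintext lives: TDE versus Always Encrypted (added example, toy cipher)."""
import hashlib
import hmac
import os

def toy_encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """XOR with an HMAC-derived keystream; returns nonce || ciphertext. Toy only."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return toy_encrypt(key, body, nonce)[16:]

class TdeDatabase:
    """Engine-side encryption: encrypted on the way to disk, decrypted on the
    way back for every caller that holds a login."""
    def __init__(self):
        self.dek = os.urandom(32)     # database encryption key, held by the engine
        self.disk = {}                # what lands in data files and backups

    def insert(self, row_id: int, ssn: str) -> None:
        self.disk[row_id] = toy_encrypt(self.dek, ssn.encode(), os.urandom(16))

    def dba_select(self, row_id: int) -> str:
        return toy_decrypt(self.dek, self.disk[row_id]).decode()   # plaintext

    def stolen_backup(self, row_id: int) -> bytes:
        return self.disk[row_id]      # ciphertext; useless without the DEK

class AlwaysEncryptedServer:
    """The engine stores and returns ciphertext; it never sees a column key."""
    def __init__(self):
        self.rows = {}

    def store(self, row_id: int, ciphertext: bytes) -> None:
        self.rows[row_id] = ciphertext

    def dba_select(self, row_id: int) -> bytes:
        return self.rows[row_id]      # all a DBA ever gets

    def lookup(self, ciphertext: bytes) -> list:
        return [rid for rid, c in self.rows.items() if c == ciphertext]

class AlwaysEncryptedClient:
    """Client-side: the driver encrypts with a column encryption key (CEK).
    Deterministic mode derives a fixed nonce from the CEK so equal values match;
    randomized mode uses a fresh nonce per value."""
    def __init__(self, server: AlwaysEncryptedServer, deterministic: bool = True):
        self.cek = os.urandom(32)
        self.server = server
        self.deterministic = deterministic

    def _nonce(self) -> bytes:
        if self.deterministic:
            return hmac.new(self.cek, b"deterministic-iv", hashlib.sha256).digest()[:16]
        return os.urandom(16)

    def insert(self, row_id: int, ssn: str) -> None:
        self.server.store(row_id, toy_encrypt(self.cek, ssn.encode(), self._nonce()))

    def select(self, row_id: int) -> str:
        return toy_decrypt(self.cek, self.server.rows[row_id]).decode()

    def find_by_ssn(self, ssn: str) -> list:
        """Equality search the engine answers by comparing ciphertexts (deterministic only)."""
        return self.server.lookup(toy_encrypt(self.cek, ssn.encode(), self._nonce()))
```

The test below is the whole point: the same DBA call gives plaintext against the TDE model and ciphertext against the Always Encrypted model, and only the deterministic client can still do an equality lookup.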

23
Q

You plan to use a blob storage account that allows four partners to access technical videos. The partners do not have accounts at your MS Entra Tenant. The partners should not be able to modify the storage account.

You need to design a strategy to allow secure access to the videos. What should you do?

  • Create Role Assignment
  • Provide Secondary Access Key
  • Create a Shared Access Signature (SAS)
  • Provide the Primary Access Key
A

SAS token. A shared access signature grants time-limited, permission-scoped (here read-only) access to the container or blobs with no Entra account, and can be revoked. Prefer a user delegation SAS (signed with Entra credentials) or a service SAS tied to a stored access policy, so that revocation means deleting the policy or the delegation key rather than rotating the account keys. Handing out the primary or secondary access key grants full control of the entire storage account and can only be withdrawn by rotating that key; a role assignment requires an identity in the tenant.
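
The properties the answer lists are easiest to see in code, so here is an added example (written for this page; not Azure's SDK and not the deck's): a stripped-down model of how a shared access signature works. A token carries the resource, permissions, an expiry and an optional stored-policy reference; an HMAC-SHA256 over those fields, keyed with the account key the partner never sees, binds them together. The verifier rejects anything expired, tampered with, used on another resource or beyond its permissions, and both revocation paths are modelled: deleting a stored access policy kills only the tokens that reference it, while rotating the key kills every token signed with it. Account name, key bytes, field names and the field layout are constructed; the real string-to-sign differs in detail and is documented in the Storage REST reference.

```python
"""Toy shared-access-signature issuer and verifier (added example, not Azure's format)."""
import base64
import hashlib
import hmac
import time

SIGNED_FIELDS = ("sr", "sp", "se", "si")   # resource, permissions, expiry, policy id

class StorageAccount:
    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key            # stands in for the account's primary key
        self.policies = {}        # stored access policies: id -> {"sp": ..., "se": ...}

    def rotate_key(self, new_key: bytes) -> None:
        self.key = new_key        # every SAS signed with the old key is now invalid

    def _sign(self, string_to_sign: str) -> str:
        mac = hmac.new(self.key, string_to_sign.encode(), hashlib.sha256).digest()
        return base64.b64encode(mac).decode()

    def issue_sas(self, resource: str, permissions: str, expiry: float, policy_id: str = "") -> str:
        """Return a query-string-like token. With policy_id set, permissions and
        expiry come from the stored policy at verification time instead."""
        fields = {"sr": resource, "sp": permissions, "se": str(int(expiry)), "si": policy_id}
        fields["sig"] = self._sign("\n".join(fields[k] for k in SIGNED_FIELDS))
        return "&".join(f"{k}={v}" for k, v in fields.items())

    def authorize(self, token: str, resource: str, op: str, now: float = None) -> bool:
        """op is 'r' (read), 'w' (write) or 'd' (delete)."""
        now = time.time() if now is None else now
        f = dict(part.split("=", 1) for part in token.split("&"))
        expected = self._sign("\n".join(f[k] for k in SIGNED_FIELDS))
        if not hmac.compare_digest(expected, f["sig"]):
            return False                          # tampered, or key rotated
        perms, expiry = f["sp"], int(f["se"])
        if f["si"]:                               # token references a stored policy
            policy = self.policies.get(f["si"])
            if policy is None:
                return False                      # policy deleted => token revoked
            perms, expiry = policy["sp"], int(policy["se"])
        if now > expiry or f["sr"] != resource:
            return False
        return op in perms

if __name__ == "__main__":
    acct = StorageAccount("contosovideos", b"constructed-key-1")
    tok = acct.issue_sas("videos/intro.mp4", "r", time.time() + 3600)
    print(tok)
    print("read:", acct.authorize(tok, "videos/intro.mp4", "r"))
    print("write:", acct.authorize(tok, "videos/intro.mp4", "w"))
```

Note what a leaked token costs compared with a leaked key: the token reaches one resource, read-only, until its expiry; the key signs anything. That asymmetry is the reason the answer rules out handing partners the primary or secondary key.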

24
Q

You are part of a team that uses Azure Stream Analytics to collect & analyze sensor data in real time. Recently, you have discovered that the incoming data has frequent value spikes that are skewing results.

You need to identify which Azure Stream Analytics feature to use to analyze this data and perform calculations based on time intervals. Which feature should you use?

  • Windowing Functions
  • Array Functions
  • Date and Time Functions
  • Aggregate Functions
A

Windowing Function in Azure Stream Analytics allows you to divide the data into time-based chunks, making it easier to analyze patterns, smooth out spikes and calculate metrics over specified intervals.

Array Functions - Used to work with arrays within the streaming data

Date & Time Functions - Enable you to manipulate date and time data

Aggregate Functions - Perform calculations across a set of values
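
As an added example of what a windowing function does with spiky data (written for this page in Python; Stream Analytics itself uses its SQL-like query language, and this is not that), here are tumbling and hopping windows over a constructed stream of sensor readings. A tumbling window groups readings into fixed, non-overlapping intervals; a hopping window is the same size but starts every hop seconds, so windows overlap. A median per window is used as the robust aggregate so that a single spike does not drag the interval's result, and the mean is kept alongside to show how badly it does. Timestamps, values and window sizes are made up.

```python
"""Tumbling and hopping windows over a constructed sensor stream (added example)."""
from statistics import mean, median

READINGS = [  # (t in seconds, value); the 900.0 at t=25 is the spike
    (0, 20.1), (5, 20.3), (10, 19.9), (15, 20.2),
    (20, 20.0), (25, 900.0), (30, 20.4), (35, 20.1),
    (40, 20.3), (45, 20.0), (50, 19.8), (55, 20.2),
]

def tumbling_window(readings, size, agg=median):
    """Non-overlapping windows [k*size, (k+1)*size). Returns {window_start: agg(values)}."""
    buckets = {}
    for t, v in readings:
        buckets.setdefault((t // size) * size, []).append(v)
    return {start: round(agg(vals), 2) for start, vals in sorted(buckets.items())}

def hopping_window(readings, size, hop, agg=median):
    """Windows of 'size' seconds starting every 'hop' seconds; a reading belongs to
    every window whose interval [start, start+size) contains it."""
    if size % hop:
        raise ValueError("window size must be a multiple of the hop")
    last_t = max(t for t, _ in readings)
    out = {}
    start = 0
    while start <= last_t:
        vals = [v for t, v in readings if start <= t < start + size]
        if vals:
            out[start] = round(agg(vals), 2)
        start += hop
    return out

if __name__ == "__main__":
    print("tumbling median:", tumbling_window(READINGS, 30))
    print("tumbling mean:  ", tumbling_window(READINGS, 30, mean))
    print("hopping median: ", hopping_window(READINGS, 30, 10))
```

With a 30-second tumbling window the median of the first interval is 20.15 despite the spike, while the mean of the same interval is 166.75; the hopping variant shows the spike influencing three overlapping windows (starting at 0, 10 and 20) but never their medians.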

25
Q

Your company uses Azure Synapse Analytics to support artificial intelligence (AI) development projects. As part of its data analysis work, the AI engineering team frequently executes complex queries. These queries join and aggregate data from multiple tables. However, the AI engineers complain that as their data sets continue to grow on a daily basis, query performance has started to degrade.

You need to recommend a solution that will use caching to reduce the execution time for the queries. What should you recommend ?

  • PolyBase integration
  • Result Set Caching
  • Serverless SQL Pool
  • Materialized Views
A

Result set caching: stores the complete result of a query in the user database and serves repeated, identical queries from the cache while the underlying data is unchanged, which cuts execution time for the frequently repeated joins and aggregations. Materialized views also speed such queries by precomputing them, but that is pre-aggregation rather than caching; PolyBase is for querying external data and a serverless SQL pool does not cache results.

26
Q

You need to select an application service to support the workload. The solution should manage job scheduling. You want to minimize costs related to the solution. Also, you are using high-performance computing (HPC).

  • AKS
  • Azure Batch
  • Azure Function
  • VMSS
A

Azure Batch is designed to run large-scale parallel and high-performance computing batch jobs efficiently: it schedules jobs and tasks across a managed pool of VMs (including Spot VMs to cut cost), so no scheduler has to be built on AKS, Functions or a scale set.

27
Q

The company has a Windows Workflow Foundation (WF) application that processes incoming invoices

A
  • Functions App
  • Logic App
  • WebJob
  • AKS
28
Q

You are developing a solution in which alerts and activity logs collected from Azure resources are automatically analyzed by a third-party SIEM. The analysis must occur in real time.

  • Storage Account
  • Azure Log Analytics
  • Azure Monitor
  • Azure Event Hubs
A

Azure Event Hubs, for the same reasons as card 10: a diagnostic setting streams the activity log and alerts to an event hub, and the SIEM consumes the stream in near real time.
29
Q

What is a next-hop IP Address?

A

The IP address of the next router or device to which a packet is forwarded on its path.

KW: Routing Tables, Next-Hop Entry

In Azure a user-defined route (UDR) with next hop type VirtualAppliance specifies the next-hop IP address of a network virtual appliance or Azure Firewall, which is how traffic is forced through inspection; next hop types such as VirtualNetworkGateway, VnetLocal, Internet and None take no address. Correct next-hop entries give efficient routing, redundancy and a place to enforce network security.
