AZ-104: Manage identities and governance in Azure Flashcards

Question 1

Q

Azure AD Permissions and roles

Answer

A

Permissions and roles
Azure AD uses permissions to help you control the access rights a user or group is granted. This is done through roles. Azure AD has many roles with different permissions attached to them. When a user is assigned a specific role, they inherit permissions from that role. For example, a user assigned to the User Administrator role can create and delete user accounts.
Understanding when to assign the correct type of role to the right user is a fundamental and crucial step in maintaining privacy and security compliance. If the wrong role is assigned to the wrong user, the permissions that come with that role can allow the user to cause serious damage to an organization.

Question 2

Q

Azure AD Administrator roles

Answer

A

Administrator roles in Azure AD allow users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organization. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more.

Question 3

Q

Azure AD Member users

Answer

A

A member user account is a native member of the Azure AD organization that has a set of default permissions like being able to manage their profile information. When someone new joins your organization, they typically have this type of account created for them.
Anyone who isn’t a guest user or isn’t assigned an administrator role falls into this type.

Question 4

Q

Azure AD Guest users

Answer

A

Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users sign in with their own work, school, or social identities. By default, Azure AD member users can invite guest users. This default can be disabled by someone who has the User Administrator role.

Question 5

Q

Poweshell invite guest user command

Answer

A

New-AzureADMSInvitation

Question 6

Q

Azure AD deleted user retention period

Answer

A

When you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored.

Question 7

Q

Access management in Azure

Answer

A

Azure AD roles:
Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.
Role-based access control (RBAC) for Azure resources: Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription.

Question 8

Q

Azure AD - Ways you can assign access rights:

.

Answer

A

Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights.
Group assignment: Assign a group the required access rights, and members of the group will inherit those rights.
Rule-based assignment: Use rules to determine a group membership based on user or device properties. For a user account or device’s group membership to be valid, the user or device must meet the rules. If the rules aren’t met, the user account or device’s group membership is no longer valid. The rules can be simple. You can select prewritten rules or write your own advanced rules

Question 9

Q

Modify the group to use dynamic assignment

Answer

A

You can change the group to use dynamic assignment. Membership then depends on whether a user meets the rules you set for the group. select Properties.
Change Membership type to Dynamic User. Select Save.
Select Add dynamic query.

Question 10

Q

Azure Active Directory B2B

Answer

A

With Azure Active Directory B2B, you don’t have to manage your external users’ identities. The partner has the responsibility to manage its own identities. External users continue to use their current identities to collaborate with your organization.

Question 11

Q

Why use Azure AD B2B instead of federation?

Answer

A

With Azure AD B2B, you don’t take on the responsibility of managing and authenticating the credentials and identities of partners. Giving access to external users is much easier than in a federation. You don’t need an AD administrator to create and manage external user accounts. Any authorized user can invite other users. A federation is where you have a trust established with another organization, or a collection of domains, for shared access to a set of resources. You might be using an on-premises identity provider and authorization service like Active Directory Federation Services (AD FS) that has an established trust with Azure AD. To get access to resources, all users have to provide their credentials and successfully authenticate against the AD FS server.

Question 12

Q

on-premises federation with Azure AD might be good if

Answer

A

our organization wants all authentication to Azure resources to happen in the local environment. Administrators can implement more rigorous levels of access control. But this means that, if your local environment is down, users can’t access the Azure resources and services they need.

Question 13

Q

Azure AD instance

Answer

A

When a company or organization signs up to use one of these offerings, they are assigned a default directory, an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has purchased. This default directory can be referred to as a tenant. A tenant represents the organization and the default directory assigned to it.

Question 14

Q

Microsoft cloud-based which can use Azure AD

Answer

A

Microsoft offers several cloud-based offerings today - all of which can use Azure AD to identify users and control access.
Microsoft Azure
Microsoft 365
Microsoft Intune
Microsoft Dynamics 365

Question 15

Q

Subscriptions in Azure

Answer

A

Subscriptions in Azure are both a billing entity and a security boundary. Resources such as virtual machines, websites, and databases are associated with a single subscription. Each subscription also has a single account owner responsible for any charges incurred by resources in that subscription. If your organization wants a subscription billed to another account, you can transfer the subscription. A subscription is associated with a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory.

Question 16

Q

Users and groups added to multiple subscriptions

Answer

A

When you add a user to a subscription, the user must be known to the associated directory

Question 17

Q

access to Azure resources

Answer

A

A user account contains all the information needed to authenticate the user during the sign-on process. Once authenticated, Azure AD builds an access token to authorize the user and determine what resources they can access and what they can do with those resources.

Question 18

Q

Azure AD defines users in three ways

Answer

A

Cloud identities - These users exist only in Azure AD. Their source is Azure Active Directory or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they are deleted.
Directory-synchronized identities - These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users in to Azure. Their source is Windows Server AD.
Guest users - These users exist outside Azure. Their source is Invited user..

Question 19

Q

Adding Azure AD users

Answer

A

You can add cloud identities to Azure AD in multiple ways:
Syncing an on-premises Windows Server Active Directory
Using the Azure portal
Using the command line
Other options

Question 20

Q

add users to Azure AD Other options

Answer

A

You can also add users to Azure AD programmatically using the Azure AD Graph API, or through the Microsoft 365 Admin Center and the Microsoft Intune Admin console if you are sharing the same directory.

Question 21

Q

Azure AD membership type

Answer

A

Assigned (static). The group will contain specific users or groups that you select.
Dynamic user. You create rules based on characteristics to enable attribute-based dynamic memberships for groups.You can set up a rule for dynamic membership on security groups or on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license.
Dynamic device. You create rules based on characteristics to enable attribute-based dynamic memberships for groups. You can set up a rule for dynamic membership on security groups or on Microsoft 365 groups. I This feature requires an Azure AD Premium P1 license.

Question 22

Q

three Azure AD roles that apply to all resource types

Answer

A

Owner, which has full access to all resources, including the right to delegate access to others.
Contributor, which can create and manage all types of Azure resources but can’t grant access to others.
Reader, which can view existing Azure resources.

Question 23

Q

Role definitions for Azure Resources

Answer

A

Each role is a set of properties defined in a JavaScript Object Notation (JSON) file. This role definition includes a Name, ID, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (for example, read access) for the role.
For the Owner role, that means all actions, indicated by an asterisk (*); no denied actions; and all scopes, indicated by a forward slash (/).

Question 24

Q

What’s a role definition?

Answer

A

A role definition is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can’t be performed or operations related to underlying data.

Question 25

Q

a role definition has the following structure

Answer

A

Id Unique identifier for the role, assigned by Azure.
IsCustom True if a custom role, False if a built-in role.
Description A readable description of the role.
Actions [] Allowed permissions, * indicates all.
NotActions [] Denied permissions.
DataActions [] Specific allowed permissions as applied to data, for example Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
NotDataActions [] Specific denied permissions as applied to data.
AssignableScopes [] Scopes where this role applies. / indicates global, but can reach into a hierarchical tree.

Question 26

Q

Actions and NotActions

Answer

A

You can tailor the Actions and NotActions properties to grant and deny the exact permissions you need. These properties are always in the format: {Company}.{ProviderName}/{resourceType}/{action}.

Question 27

Q

The wildcard (*) operation under Actions indicates

Answer

A

indicates that the principal assigned to this role can perform all actions, or in other words, it can manage everything. Including actions defined in the future, as Azure adds new resource types.

Question 28

Q

DataActions and NotDataActions

Answer

A

Data operations are specified in the DataActions and NotDataActions properties. Data operations can be specified separately from the management operations. This prevents current role assignments with wildcards (*) from suddenly having access to data

Question 29

Q

Data operation

Answer

A

Delete blob data Log in to a VM as a regular user Send messages on an event hub Return a file/folder or list of files/folders Read a message from a queue

Question 30

Q

AssignableScopes

Answer

A

The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources) within which the role is available for assignment. You can make the custom role available for assignment just in the subscriptions or resource groups that need it, thus avoiding cluttering the user experience for the rest of the subscriptions or resource groups.

Question 31

Q

Custom role creation requires (licenses)

Answer

A

Azure AD Premium P1 or P2 and cannot be done in the free tier

Question 32

Q

Creating a new role can be done through

Answer

A

Azure portal. You can use the Azure portal to create a custom role - Azure Active Directory > Roles and administrators > New custom role.
Azure PowerShell. You can use the New-AzADMSRoleDefinition cmdlet to define a new role.
Azure Graph API. You can use a REST call to the Graph API to programmatically create a new role.

Question 33

Q

Azure AD Connect

Answer

A

can provide your users with a common identity for Microsoft 365, Azure, and SaaS applications integrated with Azure AD in a hybrid identity environment.

Question 34

Q

Azure AD Connect

Sync services

Answer

A

his component is responsible for creating users, groups, and other objects. It also makes sure that identity information for your on-premises users and groups matches that in the cloud.

Question 35

Q

Azure AD Connect Health monitoring

Answer

A

Azure AD Connect Health supplies robust monitoring and a central location in the Azure portal for viewing this activity.

Question 36

Q

Azure AD Connect AD FS

Answer

A

Federation is an optional part of Azure AD Connect that you can use to configure a hybrid environment via an on-premises AD FS infrastructure. Organizations can use this to address complex deployments, such as domain join SSO, enforcement of the Active Directory sign-in policy, and smart card or third-party multi-factor authentication.

Question 37

Q

Password hash synchronization

Answer

A

This feature is a sign-in method that synchronizes a hash of a user’s on-premises Active Directory password with Azure AD

Question 38

Q

Azure AD Connect

Pass-through authentication

Answer

A

This allows users to sign in to both on-premises and cloud-based applications using the same passwords. This reduces IT helpdesk costs because users are less likely to forget how to sign in. This feature provides an alternative to Password hash synchronization that allows organizations to enforce their security and password complexity policies.

Question 39

Q

Integrating your on-premises directories with Azure AD Benefits

Answer

A

Users can use a single identity to access both on-premises applications and cloud services, such as Microsoft 365.
A single tool provides an easy deployment experience for synchronization and sign-in.
Integration provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools, such as DirSync and Azure AD Sync. For more information, see Hybrid Identity directory integration tools comparison.

Question 40

Q

Why use SSPR?

Answer

A

SSPR reduces the load on administrators, because users can fix password problems themselves, without having to call the help desk. Also, it minimizes the productivity impact of a forgotten or expired password. Users don’t have to wait until an administrator is available to reset their password.

Question 41

Q

The reset portal takes these steps

Answer

A

Localization: The portal checks the browser’s locale setting and renders the SSPR page in the appropriate language.
Verification: The user enters their username and passes a captcha to ensure that it’s a user and not a bot.
Authentication: The user enters the required data to authenticate their identity. They might, for example, enter a code or answer security questions.
Password reset: If the user passes the authentication tests, they can enter a new password and confirm it.
Notification: A message is usually sent to the user to confirm the reset.

Question 42

Q

Ways to authenticate SSPR

Answer

A

Mobile app notification
Mobile app code
Mobile phone
Office phone
Security questions
Email

Question 43

Q

SSRP phone calls are not supported

Answer

A

In free and trial Azure AD organizations

Question 44

Q

the minimum number of authentication methods

Answer

A

You can specify the minimum number of methods that the user must set up: one or two

Question 45

Q

SSRP recommendations

Answer

A

Enable two or more of the authentication reset request methods.
Use the mobile app notification or code as the primary method, but also enable the email or office phone methods to support users without mobile devices.
The mobile phone method isn’t a recommended method because it’s possible to send fraudulent SMS messages.
The security question option is the least recommended method because the answers to the security questions might be known to other people. Only use the security question method in combination with at least one other method.

Question 46

Q

SSRP Accounts associated with administrator roles

Answer

A

A strong, two-method authentication policy is always applied to accounts with an administrator role, regardless of your configuration for other users.
The security questions method isn’t available to accounts that are associated with an administrator role.

Question 47

Q

What SSRP notifications can you configure?

Answer

A

Notify users on password resets: The user who resets their own password is notified to their primary and secondary email addresses. If the reset was done by a malicious user, this notification alerts the user, who can take mitigation steps.
Notify all admins when other admins reset their password: All administrators are notified when another administrator resets their password.

Question 48

Q

If you’re not signed in and you’ve forgotten your password or your password has expired, you can use SSPR in… (licenses)

Answer

A

Azure AD Premium P1 or P2, Microsoft 365 Apps for business or Microsoft 365

Question 49

Q

The writeback support is available in…

Answer

A

Azure AD Premium P1 or P2 and Microsoft 365 Apps for business.

Question 50

Q

high-level steps to configure SSPR

Answer

A

Go to the Azure portal, go to Active Directory > Password reset.
Properties: Enable SSPR.
You can enable it for all users in the Azure AD organization or for selected users.
To enable for selected users, you must specify the security group. Members of this group can use SSPR
Authentication methods:
Choose whether to require one or two authentication methods.
Choose the authentication methods that the users can use.
Registration:
Specify whether users are required to register for SSPR when they next sign in.
Specify how often users are asked to reconfirm their authentication information.
Notifications: Choose whether to notify users and administrators of password resets.
Customization: Provide an email address or web page URL where your users can get help.

Question 51

Q

SSRP Setup prerequisites

Answer

A

An Azure AD organization
An Azure AD account with Global Administrator privileges.
A non-administrative user account.
A security group to test the configuration with.

Question 52

Q

Azure RBAC

Answer

A

Azure role-based access control (Azure RBAC) is the system that allows control over who has access to which Azure resources, and what those people can do with those resources. You achieve control by assigning roles to users, groups, or applications at a particular scope. A role might be described as a collection of permissions.

Question 53

Q

RBAC examples of built-in roles

Answer

A

Owner: Has full access to all resources, including the ability to delegate access to other users.
Contributor: Can create and manage Azure resources.
Reader: Can view only existing Azure resources.
User Access Administrator: Can manage access to Azure resources.

Question 54

Q

Azure AD roles examples

Answer

A

Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator. By default, whoever signs up for the directory is automatically assigned this role.
User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users.
Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to Azure RBAC permissions. The available billing permissions depend on the agreement you have with Microsoft.

Question 55

Q

As Global Administrator, you might need to elevate your permissions to:

Answer

A

Regain lost access to an Azure subscription or management group.
Grant another user or yourself access to an Azure subscription or management group.
View all Azure subscriptions or management groups in an organization.
Grant an automation app access to all Azure subscriptions or management groups.

Question 56

Q

To assign a user administrative access to a subscription, you must have

Answer

A

Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions at the subscription scope. Users with the subscription Owner or User Access Administrator role have these permissions.

Question 57

Q

Assign the role by using Azure PowerShell

Answer

A

New-AzRoleAssignment `

- SignInName rbacuser@example.com `
- RoleDefinitionName "Owner" `
- Scope "/subscriptions/"

Question 58

Q

Assign the role by using the Azure CLI

Answer

A

az role assignment create \

- -assignee rbacuser@example.com \
- -role "Owner" \
- -subscription

Question 59

Q

What is Azure RBAC?

Answer

A

Azure role-based access control (Azure RBAC) is an authorization system in Azure that helps you manage who has access to Azure resources, what they can do with those resources, and where they have access. Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. With Azure RBAC, you can grant the exact access that users need to do their jobs.

Question 60

Q

Azure subscriptions use Azure AD for…

Answer

A

single sign-on (SSO) and access management

Question 61

Q

How does RBAC calculate permissions?

Answer

A

The access granted by a role, the effective permissions, is computed by subtracting the NotActions operations from the Actions operations.

Question 62

Q

What is the scope difference between AzureAD roles and Azure roles?

Answer

A

Azure roles - Multiple scope levels (management group, subscription, resource group, resource)
Azure AD roles - Scope only at tenant level

Question 63

Q

What is the difference between the ways of retrieving role information for Azure and Azure AD?

Answer

A

Azure roles Role information accessible through Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API
Azure AD roles Role
information accessible in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, Azure AD PowerShell

Question 64

Q

Who can create or assign custom roles in Azure RBAC?

Answer

A

Users with the roles User Access Administrator or Owner can create or assign custom roles in Azure RBAC.

Answer 65

A

User
An individual who has a profile in Azure Active Directory

Group
A set of users created in Azure Active Directory

Service principals
A security identity used by applications or services to access specific Azure resources

Managed identity
An identity in Azure Active Directory that is automatically managed by Azure

Answer 66

A

{Company}.{ProviderName}/{resourceType}/{action}

Answer 67

A

*
read
write
action
delete

Answer 68

A

The Azure PowerShell Get-AzProviderOperation cmdlet is useful to get the most current list of resource provider operations. In Azure CLI, use the az provider operation show command. You can find a published list of resource providers and operations in the Azure RBAC content on Docs.

Answer 69

A

Microsoft.Authorization/roleDefinitions/write

Answer 70

A

az role definition update –role-definition “<>”

Set-AzRoleDefinition -InputFile “<>”

Answer 71

A

az role definition list –custom-role-only true –output json | jq ‘.[] | {“roleName”:.roleName, “roleType”:.roleType}’

Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

Answer 72

A

az role definition list –name “Virtual Machine Operator”

Get-AzRoleDefinition “Virtual Machine Operator”

Answer 73

A

az role assignment list –role “Virtual Machine Operator”

Get-AzRoleAssignment -RoleDefinitionName “Virtual Machine Operator”

Answer 74

A

If you decide you no longer need the custom role, you need to remove the role assignments before you can delete the role.

Answer 75

A

Azure portal
you can remove assignments by going to the subscription, resource group, or resource the custom role’s scope applies to. Then go to Access control (IAM) > Role assignments. Filter by the role name, select all the users assigned to the role, and select Remove.

Azure CLI
az role assignment delete –role “role name”

PowerShell
Remove-AzRoleAssignment -ObjectId -RoleDefinitionName “role name” -Scope /subscriptions/

Answer 76

A

Azure portal
you’d go to the subscription, resource group, or resource the custom role’s scope applies to. Then go to Access control (IAM) > Roles. To find the role, select Type > CustomRole.

Azure CLI
az role definition delete –name “role name”

PowerShell
Get-AzRoleDefinition “role name” | Remove-AzRoleDefinition

Answer 77

A

A resource group is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription like virtual machines, Application Gateways, and CosmosDB instances. All resources must be in a resource group and a resource can only be a member of a single resource group. Many resources can be moved between resource groups with some services having specific limitations or requirements to move. Resource groups can’t be nested. Before any resource can be provisioned, you need a resource group for it to be placed in.

Answer 78

A

The deployments link takes you to a new panel with the history of all deployments to this resource group. Anytime you create a resource, it’s a deployment, and you see that history for the resource group here.

Answer 79

A

Consistent naming convention
Organizing for authorization
Organizing principles
Organizing for life cycle
Organizing for billing

Answer 80

A

start with using an understandable naming convention. You named our resource group msftlearn-core-infrastructure-rg. You’ve given some indication of what it’s used for (msftlearn), the types of resources contained within (core-infrastructure), and the type of resource it is itself (rg).

Answer 81

A

Resource groups can be organized in a number of ways:
Put all individual resource types in one resource group.
You could organize them by environment (prod, qa, dev). In this case, all production resources are in one resource group, all test resources are in another resource group, and so on.
You could organize them by department (marketing, finance, human resources).
You could even use a combination of these strategies and organize by environment and department.

Answer 82

A

Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them. You could give them the proper permissions at the resource group level to administer the databases within the resource group. Similarly, the database administration team could be denied access to the resource group with virtual networks, so they don’t inadvertently make changes to resources outside the scope of their responsibility.

Answer 83

A

Resource groups serve as the life cycle for the resources within it. If you delete a resource group, you delete all the resources in it. Use this to your advantage, like in non-production environments. One resource group is easier to clean up than 10 or more resource groups.

Answer 84

A

Placing resources in the same resource group is a way to group them for usage in billing reports. If you’re trying to understand how your costs are distributed in your Azure environment, grouping them by resource group is one way to filter and sort the data to better understand where costs are allocated.

Answer 85

A

Tags are name/value pairs of text data that you can apply to resources and resource groups. Tags allow you to associate custom details about your resource.

Answer 86

A

A resource can have up to 50 tags.

The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters.

The tag value is limited to 256 characters for all types of resources. Tags aren’t inherited from parent resources. Not all resource types support tags, and tags can’t be applied to classic resources.

Answer 87

A

Tags can be added and manipulated through the Azure portal, Azure CLI, Azure PowerShell, Resource Manager templates, and through the REST API.

Answer 88

A

Select the checkbox on the left for each of the resources and click Assign tags in the top menu. (The option may be contained inside an … menu.) By selecting multiple resources, you can add a tag to them in bulk, making it easy if you have multiple resources you want to apply the same tag to.

Answer 89

A

If you’re running multiple VMs for different organizations, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment. When exporting billing data or accessing it through billing APIs, tags are included in that data and can be used to further slice your data from a cost perspective.

Answer 90

A

You can retrieve all the resources in your subscription with a specific tag name or value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.

Answer 91

A

Tagging resources can also help in monitoring to track down impacted resources. Monitoring systems could include tag data with alerts, giving you the ability to know exactly who is impacted.

Answer 92

A

If you want to automate the shutdown and startup of virtual machines in development environments during off-hours to save costs, you can use tags to assist in this automation. There are several solutions in the Azure Automation Runbooks Gallery that use tags in a similar manner to accomplish this result.

Answer 93

A

Billing
Related resource retrieval
Monitoring
Automation

Answer 94

A

Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only specific actions at a particular scope.

When planning your access control strategy, grant users the lowest privilege level that they need to do their work.

Use Resource Locks to ensure critical resources aren’t modified or deleted (as you’ll see in the next unit).

Answer 95

A

Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can set to either Delete or Read-only.

Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.

Answer 96

A

Delete will allow all operations against the resource but block the ability to delete it.

Answer 97

A

Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource.

Answer 98

A

unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.

Answer 99

A

Because you deleted the assigned resources with the containing resource group, there won’t be any assignments left in this policy. Normally, if you assign a policy to a resource, you could delete the assignment without deleting the underlying resource here. To do this, you would select Assignments, then select the … for your assignment, and select Delete assignment.

Brainscape's Knowledge GenomeTM

AZ-104: Manage identities and governance in Azure Flashcards

Brainscape's Knowledge Genome^TM