(AZ-204 topic) Implement Azure Security Flashcards

Test takers will need to understand how to secure their Azure solutions using authentication and authorization tools such as the Microsoft Identity Platform, Azure Active Directory, OAuth 2.0, and Managed Identities. Additionally, they will be expected to understand how to leverage Azure Key Vault to store secrets, keys, and certificates, and how to use those keys securely in their applications and other Azure services. Questions for this domain comprise 25% of the total questions for this exam.

1
Q

You need to enable managed identity for a VM. Using the PowerShell statement below, complete the last piece of the segment using the options below.

  • $vm = Get-AzVM -ResourceGroupName "AzureDale" -Name "ComputeWoodVM"
  • Update-AzVM -ResourceGroupName "AzureDale" -Name $vm
  • AssignIdentity: $SystemAssigned
  • AssignIdentity: $UserAssigned
  • IdentityId: $UserAssigned
  • IdentityId: $SystemAssigned
A

-IdentityId: $SystemAssigned

Correct, this will enable a managed identity for the VM to use.

2
Q

What are the three components of an App Configuration resource?

  • Config, Key, Label
  • Key, Value, Group
  • Key, Value, Label
  • Config, Key, Value
A

-Key, Value, Label

You can set a series of key-value pairs for your application to use and create groups of pairs using labels.

3
Q

Which level of blob storage can you NOT apply a Shared Access Signature (SAS) to?

  • At the Container Level (Blob Containers, Queues, Tables, etc.)
  • The Snapshot Level — (Blob Snapshots)
  • The Service Level — (Blob Service, File Share Service, etc.)
  • At the Object Level (individual blobs)
A

-The Snapshot Level — (Blob Snapshots)

Blob snapshot-level SAS is not supported.

4
Q

You need to create a new Azure Key Vault (AKV) access policy for your secrets. Which of the following commands will accomplish this?

az keyvault set-policy --name chamberOfSecrets --object-id --certificate-permissions

az keyvault set-policy --name chamberOfSecrets --object-id --secret-permissions

az keyvault create-policy --name chamberOfSecrets --object-id --secret-permissions

az keyvault create-policy --name chamberOfSecrets --object-id --key-permissions

A

az keyvault set-policy --name chamberOfSecrets --object-id --secret-permissions

Correct, this will create a new policy that is designed to work with your secrets.

5
Q

You are developing a solution using Azure Key Vault. You have a web application and would like to ensure that only the application can access the secrets in the Key Vault and not the application users. Out of the options below, how can you accomplish this?

  • Register your web app with AD, register your app with Key Vault, associate a certificate with your Azure AD web app, and have your web app use the certificate to authenticate to Key Vault.
  • Build a Managed Identity and store it inside the Key Vault. Have your application reference the identity whenever it needs to access secrets associated with it.
  • Get a shared access signature (SAS) for your secret in the Key Vault, and have your web app use the SAS to get secrets from the Key Vault.
  • Register your application in Key Vault, and have your web app pass credentials to the Key Vault.
A

-Register your web app with AD, register your app with Key Vault, associate a certificate with your Azure AD web app, and have your web app use the certificate to authenticate to Key Vault.

Certificates can be used to authenticate to Key Vault, and you can ensure your web app has access to the certificate and not the users.

6
Q

Your company is in the process of developing an Azure API. One of the requirements is to implement authentication to ensure all API calls are secured, but those credentials cannot be sent directly to the API. What authentication method will satisfy this requirement?

  • Basic
  • Utilize a Managed Identity
  • Anonymous
  • Certificate based Authentication
A

-Utilize a Managed Identity

A managed identity will offload the need to authenticate against the API, as the caller will need to first authenticate with Azure AD to receive an access token, which would then be used to authorize access to the API.

7
Q

When configuring your custom application to use OAuth authentication with Azure Active Directory, which of the following steps needs to be completed first?

  • Register your application with Azure Active Directory in Enterprise Applications.
  • Containerize and push your application to Azure Container Registry.
  • Create a Managed Identity for your application to authenticate with.
  • Update your application to utilize its assigned application id & map to your AAD application endpoint.
A

-Register your application with Azure Active Directory in Enterprise Applications.

Once you’ve registered your application in Enterprise Application, you can collect your application ID and endpoint URI for configuration in your application code.

8
Q

Your company is developing an application that will have multiple instances running across multiple nodes in different regions. What solution can be used to ensure the configurations for each node are always consistent?

  • Use Azure API Management.
  • Have the nodes pull their configuration file from a shared Azure File Share.
  • Use an Azure Function to copy the configuration file from a source golden image.
  • Utilize Azure App Configuration.
A

-Utilize Azure App Configuration.

Using Azure App Configuration, you can have all your nodes point to a central store that holds all of your configuration key-value pairs. You can restrict access by utilizing access keys that will only grant the level of control your application needs.

9
Q

You are developing an application that stores keys, secrets, and certificates in Azure Key Vault. The application leverages Azure Key Vault APIs to interact with Azure Key Vault. There is a requirement for the application to allow recovery of an accidental deletion of the key vault or key vault objects. Key vault objects must be retained for 90 days after deletion. You need to protect the key vault and key vault objects. Which of the following should you use to ENABLE the retention period and prevent accidental deletion?

  • Object Lock
  • Access Policy
  • Soft Delete
  • Purge Protection
A

-Soft Delete

When you enable soft-delete, resources marked as deleted are retained for a specified duration (defaults to 90 days).

10
Q

Recently, your company implemented new compliance standards that require new access controls to be set on your company files at rest in your Azure Storage Containers. These standards require all actions in the storage account to be monitored and audited regularly. Which of the following solutions will meet this new requirement?

  • Create a Diagnostic Setting for Azure Monitor with Storage Account and enable StorageRead, StorageWrite, and StorageDelete log collection and send the data to Log Analytics
  • Enable the Storage Account Audit feature and have it stream data to an Event Hub
  • Create a Diagnostic Setting for Azure Monitor with Storage Account and enable StorageRead, StorageWrite, and StorageDelete log collection with no retention
  • Enable Change Tracking on your Storage Account
A

-Create a Diagnostic Setting for Azure Monitor with Storage Account and enable StorageRead, StorageWrite, and StorageDelete log collection and send the data to Log Analytics

This will not only monitor, but also place the log data in Log Analytics, where you can search the data and build dashboards that can be used for consistent and accurate auditing.

11
Q

Which of the following Azure CLI commands can be used to create a new Azure Key Vault?

az keyvault new --name "vaultname" --resource-group "yourRGname" --location "westus"

az vault new --name "vaultname" --resource-group "yourRGname" --location "westus"

az keyvault create --name "vaultname" --resource-group "yourRGname" --location "westus"

az create keyvault --name "vaultname" --resource-group "yourRGname" --location "westus"

A

az keyvault create --name "vaultname" --resource-group "yourRGname" --location "westus"

This follows the correct structure for creating a new Azure Key Vault.

12
Q

You have a billing document management site that needs to ensure scanned forms containing customer data are processed and stored securely. You have a requirement to keep all scanned forms for at least 1 year. You need to ensure that the forms, when accessed from a third-party source, cannot be compromised. With this in mind, what can you do to store the forms and ensure security?

  • Place all forms in an Azure Key Vault for safekeeping
  • Encrypt all incoming forms using an Azure Key Vault key & store them in a Blob Container
  • Store all forms in an Azure Storage Blob and restrict access to only those using a Shared Access Signature
  • Scrape the data into a CosmosDb container and delete the forms once the data has been validated
A

-Encrypt all incoming forms using an Azure Key Vault key & store them in a Blob Container

Keeping it in an Azure Storage Blob keeps the data accessible to only authorized processes and individuals while encrypting the documents ensures that even if they’re accessed by an unauthorized party, they’ll be unable to steal or manipulate the data inside.

13
Q

You have an Azure App Service website that houses sensitive company data your users log in to daily. You have a new requirement from your security team that all users who authenticate against your web app will need to validate their identity using Multi-Factor Authentication (MFA), since your website contains sensitive data. Your application uses Azure AD to authenticate your users. What is the first step you should take to enable MFA?

  • Enable Multi-Factor Authentication on your Azure App Service instance.
  • Enforce the use of OAuth 2.0 in your web application
  • Create a conditional access policy that enforces MFA on all authentication attempts.
  • Create a conditional access policy that enforces MFA on all authentication attempts to your website.
A

-Create a conditional access policy that enforces MFA on all authentication attempts to your website.

Creating a conditional access policy will ensure users are prompted only where MFA is required and not every time they log in.

14
Q

Recently, your company implemented new compliance standards that require new access controls to be set on your company files at rest in your Azure Storage Containers. These standards require file access to be controlled based on factors such as IP, access protocol, and Azure AD rights. In order to be in compliance with this new standard, which setting should you implement to restrict file access?

  • Managed Identities
  • Connection Strings
  • Role-Based Access Control (RBAC)
  • Shared Access Signature (SAS) Token
A

-Role-Based Access Control (RBAC)

Azure Storage can utilize authentication and authorization from Azure AD through the use of RBAC. This allows assignments to both individual users and groups based on a role, rather than assignments based on the user.

15
Q

You’re building a function to process data from an Event Hub subscription into a CosmosDB running the MongoDB API. You have a requirement to secure access to both the CosmosDB instance & the Event Hub subscription. How can you accomplish this without storing secrets in your function code?

  • Create a User-Assigned Managed Identity for your Function & grant the required access to both services
  • Create a secret in Azure Key Vault for both services and add the secret URIs to your function to allow access
  • Create a System-Assigned Managed Identity for your Function & grant the required access to both services
  • Functions are not required to authenticate against Azure services since they are a trusted service and already have access
A

-Create a System-Assigned Managed Identity for your Function & grant the required access to both services

Using a system-assigned managed identity will allow you to control access for your function without the need to manage keys or store potentially compromising information in your code.

16
Q

You are the administrator of the Nutex Corporation. You want to upload a certificate into the certificate portion of an Azure key vault. You want to do that with PowerShell. You must fill the empty spaces in the following PowerShell script (see image) using the code snippets below.

  1. Import-AzKeyVaultCertificate
  2. Remove-AzureKeyVaultManagedStorageAccount
  3. Get-AzKeyVault
  4. Get-AzureKeyVaultSecret
  5. Remove-AzKeyVaultCertificate
  6. Get-AzKeyVaultCertificate
A

See attached image for solution.

First you would use the Get-AzKeyVaultCertificate cmdlet. This cmdlet is used to search for an existing certificate in the key vault. You verify if a certificate exists. If yes, the text ‘Skipped replacing certificate…’ will be displayed.

You would use the Get-AzKeyVault cmdlet to retrieve and store the key vault in the variable $vault.

You would use the Remove-AzKeyVaultCertificate cmdlet to remove an existing certificate from the key vault.

You would use the Import-AzKeyVaultCertificate cmdlet to upload a new certificate into the key vault.

You would not use the Remove-AzureKeyVaultManagedStorageAccount cmdlet. This cmdlet removes a key vault storage account and any SAS definitions. In this scenario, you want to upload a certificate into the certificate portion of an Azure key vault, not remove the key vault.

You would not use the Get-AzureKeyVaultSecret cmdlet. This cmdlet retrieves secrets in a key vault. In this scenario, you need to retrieve the certificate in the key vault, not the secrets of the key vault.

17
Q

You work as an Azure architect for your company and are involved in an application review for a corporate system implemented around the globe via regions in Azure. The system is installed on a VM that looks for new vaccines and automatically interacts with a blob storage account by sending and receiving sensitive DNA data. Every branch which contains a VM uploads and downloads data to a different blob storage account. Currently, there are five thousand VMs across multiple Azure regions operating worldwide. Your company does not want to change the infrastructure. Permission for downloaded data depends on the location and is often changed. The audited code is as follows:

public async Task ConnectionStringAsync()
{
    // Audited code: the storage account connection string (a shared key) is read from configuration
    string connectionString = ConnectionString;
    BlobServiceClient service = new BlobServiceClient(connectionString);
    await service.GetPropertiesAsync();
}

Security is the company’s primary goal. What change would you make to better secure the application?

  • Use Azure AD OAuth2 Implicit grant flow to authenticate.
  • Use a third party solution such as KeyCloak or Ping.ID.
  • Use Key Vault to store credentials in the storage account.
  • Use a token credential that can use an Azure Active Directory application to authenticate.
  • Use Azure AD-managed identities.
  • Use SAS tokens.
  • Use Active Directory Federation Services to authenticate.
A
  • Use Azure AD-managed identities.

You would use Azure AD-managed identities. Managed identities for Azure resources solve the problem of logins and passwords. Azure AD-managed identities provide Azure services with a managed identity in Azure AD. You can use the identity to authenticate to Key Vault or any service that uses Azure AD authentication, without needing to provide credentials in your code. The code that runs on the VM requests a token from two endpoints that are accessible only from the VM. You can use the managed identity in the permission definitions for different storage accounts.

You would not use SAS tokens because the permission for downloaded data depends on the location and is often changed. SAS tokens do not resolve problems of often-changed permissions.

You would not use the Azure AD OAuth2 Implicit grant flow. A suitable scenario for the OAuth2 Implicit grant flow is to enable user-agent applications, such as JavaScript applications executing within a browser. The Azure AD OAuth2 Implicit grant flow will not integrate with Azure Active Directory for storage of logins and passwords.

Using Active Directory Federation Services (ADFS) is not a complete solution and needs more changes. You need to implement ADFS as two additional virtual machines and integrate it with Active Directory. The question asks what changes you should implement in the code, not to build a new infrastructure.

Using a third-party solution such as KeyCloak or Ping.ID is not a complete solution. It is not the best answer because you need to implement KeyCloak or PingID on additional virtual machines and integrate it with Azure Active Directory. The question asks what changes you should implement in the code, not to build a new infrastructure.

You would not use a token credential that can use an Azure Active Directory application to authenticate. This solution still needs to store a login and password in the code.

You would not use Key Vault to store credentials in the storage account. While Key Vault can store SAS tokens, it does not resolve the problem of often-changed permissions.

18
Q

Application Insights is only useful for Web Applications. True or false.

A

False.

Application Insights can be configured in any application where you can install and/or configure the application insights module, including non-cloud native applications, so it is not just useful for web applications.

19
Q

What resource is responsible for validating your token after authenticating in the case of OAuth?

  • The Authorization Server (The identity provider, such as Azure AD)
  • The Resource Server (Such as an Azure WebApp)
  • The Resource Owner
A
  • The Resource Server (Such as an Azure WebApp)

Correct! The resource server is responsible for refreshing the authentication token once issued from the identity provider.

20
Q

With Managed Identities, a standalone resource that can be assigned to a configuration store such as a group, but can persist after that configuration store is removed is an example of what?

  • A System-Assigned Identity
  • A System Identifier
  • A User Group
  • A User-Assigned Identity
A
  • A User-Assigned Identity

User-Assigned identities stick around after a configuration store has been removed. Additionally, configuration stores can have many user-assigned identities, and user-assigned identities can be assigned to multiple configuration stores.

21
Q

Fill in the blank - Shared Access Signatures come in 3 varieties: the Account Level, the ___ Level, and the User Level.

  • Container level.
  • Blob level
  • Service level
  • System level
A
  • Service level

Correct! When building a SAS, you can build them at the Account Level, the SERVICE Level, or the User Level.

22
Q

What two types of data is Azure Monitor collecting from your environments?

  • Metrics and Events
  • Events and Logs
  • Metrics and Logs
  • Only Event data
A
  • Metrics and Logs

Azure Monitor collects metric and log data.

23
Q

What service gives you the ability to centralize cloud application settings for standardization and security?

  • Azure Service Bus
  • Azure App Configuration
  • Azure API Management
  • Azure Blob Storage
A
  • Azure App Configuration

Azure App Configuration allows you to centralize, standardize, and secure your application configurations.

24
Q

Microsoft Graph API can be used for a variety of things, including…

  • Creating graphs for complex geographic data
  • Storing, Retrieving, and Manipulating User Data in Azure AD
  • Creating charts and dashboards for use by your leadership team
  • Generating geographic data about 2 points on a map
A
  • Storing, Retrieving, and Manipulating User Data in Azure AD

While the Graph API can also be used to correlate data in Microsoft 365 products, its primary use is in conjunction with Azure AD and user data.

25
Q

Which command creates a System-Assigned identity?

  • az appconfig identity assign --name greatMage --resource-group secure-bourne --identities /subscription/[subscription id]/resourcegroups secure-bourne/provider/Microsoft.ManagedIdentity/userAssignedIdentities/greatMage
  • az appconfig identity assign --name greatSage --resource-group secure-bourne
  • az appconfig create assign --name greatSage --resource-group secure-bourne
  • az appconfig identity assign --name greatMage --resource-group secure-bourne --identities /subscriptions/[subscription id]/resourcegroups secure-bourne/providers/Microsoft.ManagedIdentity/userAssignedIdentities/greatMage
A
  • az appconfig identity assign --name greatSage --resource-group secure-bourne

26
Q

You can register your application for use with OAuth Authentication using which of the following?

  • Azure AD OAuth Registration
  • Azure Privileged Identity Management
  • Azure AD Enterprise Application Gallery
  • Azure Security Center
A
  • Azure AD Enterprise Application Gallery

You can register your application to authenticate with Azure AD using the Enterprise Application Gallery.

27
Q

What kind of Azure service endpoints support HTTP operations (methods) to provide various access to the service resources?

  • HTTP APIs
  • Azure SMTP APIs
  • Azure SOAP APIs
  • Azure Representational State Transfer (REST) APIs
A
  • Azure Representational State Transfer (REST) APIs

Azure Representational State Transfer (REST) APIs are service endpoints that support sets of HTTP operations.

28
Q

When wanting to use secrets in your application, which of the following should be your first step?

  • Run the “az keyvault secret show” command.
  • Run the “az keyvault create” command.
  • Run the “az keyvault secret set” command.
  • Create a storage blob to store your secrets in.
A
  • Run the “az keyvault create” command.

This is the correct first step to take for creating a new secret.

29
Q

In the context of Role-Based Access Controls, Coarse Grain Access can be defined as…

  • Write Access to all resources inside of a storage account
  • Read or Write Access to all resources inside of a blob container
  • Read or Write Access to all resources inside of a storage account
  • Read Access to all resources inside of a storage account
A
  • Read or Write Access to all resources inside of a storage account

Correct! Coarse Grain access is Read or Write Access to all resources inside of a storage account.

30
Q

In Azure App Configuration, when configuring keys, spellsEarth and spellsearth are parsed as the same key. True or false.

A

False.

Keys are case-sensitive in Azure App Configuration, so spellsEarth and spellsearth would be considered different keys.

31
Q

What does Azure Monitor use to define the actions to take once an alert has been triggered?

  • Action Group
  • Alert Condition
  • Alert Scope
  • Alert Rule
A
  • Action Group

Action Groups tell Azure Monitor what it should do once the alert is triggered. This includes sending notifications, kicking off workbooks or logic apps, or even opening a ticket.

32
Q

You are the administrator of the Nutex Corporation. You do not want to put a secure value such as a password directly in your ARM template or parameter file. You want to retrieve the value from an Azure Key Vault during deployment. You are not the owner of the key vault. You need to set the permission for secrets to set, delete, get, and list.

Which PowerShell cmdlets must you use to prepare a key vault secret that passes a secure parameter value during deployment?

A

You would choose the following:

  1. New-AzKeyVault with the EnabledForTemplateDeployment parameter set
  2. ConvertTo-SecureString
  3. Set-AzKeyVaultPolicy
  4. Set-AzKeyVaultSecret

First you would use the New-AzKeyVault cmdlet to create the Azure Key Vault. You have to define the VaultName, the resource group, and the location. The following creates an Azure Key Vault in a resource group:

New-AzResourceGroup -Name $resourceGroupName -Location $location
New-AzKeyVault `
    -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName `
    -Location $location `
    -EnabledForTemplateDeployment
$secretvalue = ConvertTo-SecureString 'N0S8ntz$uk' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'ExamplePassword' -SecretValue $secretvalue

You would set the EnabledForTemplateDeployment parameter, instead of the EnabledForDeployment parameter, of the New-AzKeyVault cmdlet to true so that you can access the key vault during template deployment. The EnabledForDeployment parameter allows the resource provider to access the vault when the key vault is referenced in resource creation, not during deployment.

Then you would create a variable with the password as content. With the ConvertTo-SecureString cmdlet, you can create an encrypted password.

You would then use the Set-AzKeyVaultPolicy cmdlet to give access to create secrets. The following gives permissions for set, delete, get, and list:

Set-AzKeyVaultPolicy -VaultName -UserPrincipalName -PermissionsToSecrets set, delete, get, list

Then you would use the Set-AzKeyVaultSecret cmdlet to create the secret itself in the key vault.

33
Q

You are the administrator of the Nutex Corporation. You have a backend application API named APINutex and a client application named ClientNutex that needs to call the API. You want to configure ClientNutex so that it can call APINutex using OAuth 2.0.

What are the appropriate tasks to do this?

A

You would choose the following:

  1. Register APINutex in Azure AD to represent the API.
  2. Register ClientNutex in Azure AD to represent a client application that needs to call the API.
  3. In Azure AD, grant permissions to allow ClientNutex to call the APINutex.
  4. Configure ClientNutex to call APINutex using OAuth 2.0 user authorization.

First, you would register APINutex in Azure AD to represent the API. To protect an API with Azure AD, you first need to register the application that represents the API in Azure AD.

You would then register ClientNutex in Azure AD to represent a client application that needs to call the API APINutex. A client application that calls the API must be registered as an application in Azure AD. In this example, the client application is ClientNutex in the API Management developer portal.

The third step is to grant permissions to allow ClientNutex to call the APINutex in Azure AD. After you have registered the two applications, you need to grant permissions to allow ClientNutex to call APINutex.

You would then configure ClientNutex to call APINutex using OAuth 2.0 user authorization. Once this has been done, you can specify the client registration page URL, the authorization endpoint URL, and the Token endpoint URL to configure an OAuth 2.0 authorization server, so that the ClientNutex application can obtain access tokens from Azure AD.

35
Q

You have to develop an ASP.Net Core application. The application is used to work with blobs in an Azure storage account. The application authenticates via Azure AD credentials.

Role based access has been implemented on the containers that contain the blobs. These roles have been assigned to the users.

You have to configure the application so that the user’s permissions can be used with the Azure Blob containers.

Which of the following would you use as the Permission for the Microsoft Graph API?

  • User.Read
  • User.Write
  • client_id
  • user_impersonation
A

User.Read

https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet

36
Q

You have to build a web application that would be deployed onto Azure. The web application would not allow anonymous access. The authentication would be carried out via Azure AD.

The application needs to abide by the following requirements:

  1. Users must be able to log into the web application using their Azure AD credentials
  2. The personalization of the web application must be based on the membership in Active Directory groups

You have to configure the application manifest file:

{
  .....
  "appId": "44d3ece4-2c21-48c1-8857-db3524a086b0",
  ____________: "All",
  ____________: true
}

Which of the following would go into the second blank?

  • “allowPublicClient”
  • “oauth2Permissions”
  • “requiredResourceAccess”
  • “oauth2AllowImplicitFlow”
A
  • "oauth2AllowImplicitFlow"

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest