AZ-500 Vocab, Terms, Rote Info Flashcards

1
Q

Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.

A

Microsoft Entra ID Free License Feature

2
Q

In addition to the Free features, also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

A

Microsoft Entra ID P1 License Features

3
Q

This pricing tier provides Microsoft Entra ID Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

A

Microsoft Entra ID P2 License Features

4
Q

A thing that can get authenticated. Can be a user with a username and password. Can also include applications or other servers that might require authentication through secret keys or certificates.

A

Identity

5
Q

An identity that has data associated with it. You can’t have an account without an identity.

A

Account

6
Q

An identity created through Microsoft Entra ID or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Microsoft Entra ID and accessible to your organization’s cloud service subscriptions. This account is also sometimes called a Work or school account.

A

Microsoft Entra account

7
Q

This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account.

A

Account Administrator role

8
Q

This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope.

A

Service Administrator role

9
Q

This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources.

A

Owner role

10
Q

This administrator role is automatically assigned to whoever created the Microsoft Entra tenant. You can have multiple Global Administrators, but only Global Administrators can assign administrator roles (including assigning other Global Administrators) to users.

A

Microsoft Entra Global Administrator role

11
Q

Used to pay for Azure cloud services. You can have many subscriptions and they’re linked to a credit card.

A

Azure subscription

12
Q

A dedicated and trusted instance of Microsoft Entra ID. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization.

A

Azure tenant

13
Q

Azure tenants that access other services in a dedicated environment

A

Single tenant

14
Q

Azure tenants that access other services in a shared environment, across multiple organizations

A

Multitenant

15
Q

Each Azure tenant has a dedicated and trusted Microsoft Entra directory. The Microsoft Entra directory includes the tenant’s users, groups, and apps and is used to perform identity and access management functions for tenant resources.

A

Microsoft Entra directory

16
Q

Every new Microsoft Entra directory comes with an initial domain name, for example domainname.onmicrosoft.com. In addition to that initial name, you can also add your organization’s own domain names to the list: the names you use to do business and that your users use to access your organization’s resources. Adding custom domain names helps you to create user names that are familiar to your users, such as alain@contoso.com.

A

Custom domain

17
Q

Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services. These products and services include Outlook, OneDrive, Xbox LIVE, or Microsoft 365. It is created and stored in the Microsoft consumer identity account system that’s run by Microsoft.

A

Microsoft account (also called, MSA)

18
Q

This user type is most likely a full-time employee in your organization

A

Internal Member

19
Q

This user type has an account in your tenant, but only has guest-level privileges.

A

Internal guest

20
Q

This user type authenticates using an external account, but has member access to your tenant. A common user type for organizations that have multiple tenants.

A

External member

21
Q

This user type is a true guest of your tenant. They use an external authentication method and have guest level permissions.

A

External guest

22
Q

Group type that provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.

A

Microsoft 365

23
Q

Group type used to manage user and computer access to shared resources.

A

Security

24
Q

Membership type that lets you add specific users as members of a group and have unique permissions.

A

Assigned

25
Q

Membership type that lets you use dynamic membership rules to automatically add and remove members. If a member’s attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rule requirements (is removed).

A

Dynamic User

26
Q

Membership type that lets you use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added), or no longer meets the rule requirements (is removed).

A

Dynamic Device

27
Q

The simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. Users can use the same username and password that they use on-premises without having to deploy any other infrastructure. Some premium features of Microsoft Entra ID, like Identity Protection and Microsoft Entra Domain Services, require this no matter which authentication method you choose. Requires the least effort of all authentication methods.

A

Microsoft Entra password hash synchronization

28
Q

Provides a simple password validation for Microsoft Entra authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn’t happen in the cloud. Recommended to have 3 lightweight agents installed on existing servers to support this authentication type.

A

Microsoft Entra pass-through authentication

29
Q

When you choose this authentication method, Microsoft Entra ID hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password.

A

Federated authentication

30
Q
  1. Install Microsoft Entra Connect
  2. Configure directory synchronization between your on-premises Active Directory instance and your Microsoft Entra instance
  3. Enable password hash synchronization

A

Steps to enable password hash synchronization

31
Q

An activity a security principal can perform on an object type. Sometimes referred to as an operation.

A

action

32
Q

A definition that specifies the activity a security principal can perform on an object type. Includes one or more actions.

A

permission

33
Q

In Microsoft Entra ID, permissions that can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data.

A

privileged permission

34
Q

A built-in or custom role that has one or more privileged permissions.

A

privileged role

35
Q

A role assignment that uses a privileged role.

A

privileged role assignment

36
Q

When a security principal obtains more permissions than their assigned role initially provided by impersonating another role.

A

elevation of privilege

37
Q

Permissions with Conditional Access applied for added security.

A

protected action

38
Q

Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
Assign time-bound access to resources using start and end dates
Require approval to activate privileged roles
Enforce multifactor authentication to activate any role
Use justification to understand why users activate
Get notifications when privileged roles are activated
Conduct access reviews to ensure users still need roles
Download audit history for internal or external audit
Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments

A

PIM key features

39
Q

You might need to configure extra permissions on resources that your application needs to access. For example, you must also update a key vault’s access policies to give your application access to keys, secrets, or certificates.

  1. Sign in to the Azure portal.
  2. Select your key vault and select Access policies.
  3. Select Add access policy, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
  4. Select Add to add the access policy.
  5. Save.

A

Configure access policies on resources

40
Q
  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity, Applications, App registrations then select New registration.
  3. Name the application, for example “example-app”.
  4. Select a supported account type, which determines who can use the application.
  5. Under Redirect URI, select Web for the type of application you want to create. Enter the URI where the access token is sent to.
  6. Select Register.

A

Register an application with Microsoft Entra ID and create a service principal

41
Q
  1. Sign in to the Azure portal.
  2. Select the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, search for and select Subscriptions. If you don’t see the subscription you’re looking for, select global subscriptions filter. Make sure the subscription you want is selected for the tenant.
  3. Select Access control (IAM).
  4. Select Add, then select Add role assignment.
  5. In the Role tab, select the role you wish to assign to the application in the list. For example, to allow the application to execute actions like reboot, start and stop instances, select the Contributor role.
  6. Select Next.
  7. On the Members tab, select Assign access to, then select User, group, or service principal.
  8. Select Select members. By default, Microsoft Entra applications aren’t displayed in the available options. To find your application, search for it by its name.
  9. Select the Select button, then select Review + assign.

A

Assign a role to the application

42
Q

Some Azure resources, such as virtual machines, allow you to enable a managed identity directly on the resource.

A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.
By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID.
You authorize the managed identity to have access to one or more services.
The name of the service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its identity is <app-name>/slots/<slot-name>.

A

System-assigned Managed Identity

43
Q

You may also create an identity as a standalone Azure resource. You can create this identity type and assign it to one or more Azure resources. When you enable this identity type:
A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it.
This Identity type can be used by multiple resources.
You authorize the managed identity to have access to one or more services.

A

User-assigned Managed Identity

44
Q

A unique name within the network security group. The name can be up to 80 characters long. It must begin with a word character, and it must end with a word character or with ‘_’. The name may contain word characters or ‘.’, ‘-’, ‘_’.

A

NSG Property type: Name

45
Q

A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities aren’t processed.
Azure default security rules are given the highest number with the lowest priority to ensure that custom rules are always processed first.

A

NSG Property Type: Priority

46
Q

Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. Fewer security rules are needed when you specify a range, a service tag, or application security group. The ability to specify multiple individual IP addresses and ranges (you can’t specify multiple service tags or application groups) in a rule is referred to as augmented security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You can’t specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model.

A

NSG Property Type: Source or destination

47
Q

TCP, UDP, ICMP, ESP, AH, or Any. The ESP and AH protocols aren’t currently available via the Azure portal but can be used via Azure Resource Manager templates.

A

NSG Property Type: Protocol

48
Q

Whether the rule applies to inbound, or outbound traffic.

A

NSG Property Type: Direction

49
Q

You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You can’t specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model.

A

NSG Property Type: Port range

50
Q

Allow or deny

A

NSG Property Type: Action

51
Q

This type of network peering connects two Azure virtual networks. Once peered, the virtual networks appear as one for connectivity purposes. Traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, through private IP addresses only. No public internet is involved. You can also peer across Azure regions.

A

Virtual network peering

52
Q

A specific type of virtual network gateway that is used to send traffic between an Azure virtual network and an on-premises location over the public internet. You can also use this to send traffic between Azure virtual networks. Each virtual network can have at most one of this type of gateway. You should enable Azure DDOS Protection Standard on any perimeter virtual network.

A

VPN gateways

53
Q

provides a low-latency, high-bandwidth connection. There is no gateway in the path, so there are no extra hops, ensuring low latency connections. It’s useful in scenarios such as cross-region data replication and database failover. Because traffic is private and remains on the Microsoft backbone, also consider using this if you have strict data policies and want to avoid sending any traffic over the internet.

A

Virtual network peering

54
Q

Provides a limited bandwidth connection and is useful in scenarios where you need encryption but can tolerate bandwidth restrictions. In these scenarios, customers are also not as latency-sensitive.

A

VPN Gateways

55
Q

A VPN gateway connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This connection can be used for cross-premises and hybrid configurations. This connection requires a VPN device located on-premises that has a public IP address assigned to it.

A

Site-to-site VPN

56
Q

This connection lets you create a secure connection to your virtual network from an individual client computer. The connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. It is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

A

A point-to-site (P2S) VPN

57
Q

VNet private address spaces can overlap. You can’t use overlapping spaces to uniquely identify traffic that originates from your VNet. Service endpoints enable securing of Azure service resources to your virtual network by extending VNet identity to the service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. The rule addition provides improved security by fully removing public internet access to resources and allowing traffic only from your virtual network.

A

Key benefit of service endpoint: Improved security for your Azure service resources

58
Q

Today, any routes in your virtual network that force internet traffic to your on-premises and/or virtual appliances also force Azure service traffic to take the same route as the internet traffic. Service endpoints provide optimal routing for Azure traffic.

Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound Internet traffic from your virtual networks, through forced-tunneling, without impacting service traffic. For more information about user-defined routes and forced-tunneling, see Azure virtual network traffic routing.

A

Key Benefit of Service endpoint: Optimal routing for Azure service traffic from your virtual network

59
Q

You no longer need reserved, public IP addresses in your virtual networks to secure Azure resources through IP firewall. There is no Network Address Translation (NAT) or gateway devices required to set up the service endpoints. You can configure service endpoints through a single selection on a subnet. There’s no extra overhead to maintaining the endpoints.

A

Key Benefit of service endpoint: Simple to set up with less management overhead

60
Q

The feature is available only to virtual networks deployed through the Azure Resource Manager deployment model.

A

Limitation of service endpoint

61
Q

Endpoints are enabled on subnets configured in Azure virtual networks. Endpoints can’t be used for traffic from your on-premises services to Azure services. For more information, see Secure Azure service access from on-premises.

A

Limitation of service endpoint

62
Q

For Azure SQL, a service endpoint applies only to Azure service traffic within a virtual network’s region.

A

Limitation of service endpoint

63
Q

For Azure Data Lake Storage (ADLS) Gen 1, the VNet Integration capability is only available for virtual networks within the same region. Also note that virtual network integration for ADLS Gen1 uses the virtual network service endpoint security between your virtual network and Azure Active Directory (Azure AD) to generate extra security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access. The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Azure AD doesn’t support service endpoints natively. For more information about Azure Data Lake Store Gen 1 VNet integration, see Network security in Azure Data Lake Storage Gen1.

A

Limitation of service endpoint

64
Q

A virtual network can be associated with up to 200 different subscriptions and regions by each supported service with active VNet rules configured.

A

Limitation of service endpoint

65
Q

Private endpoint property: Name

A

A unique name within the resource group.

66
Q

Private endpoint property: Subnet

A

The subnet to deploy, where the private IP address is assigned.

67
Q

Private endpoint property: Private-link resource

A

The private-link resource to connect by using a resource ID or alias, from the list of available types. A unique network identifier is generated for all traffic that’s sent to this resource.

68
Q

Private endpoint property: Target subresource

A

The subresource to connect. Each private-link resource type has various options to select based on preference.

69
Q

Private endpoint property: Connection approval method

A

Automatic or manual. Depending on the Azure role-based access control permissions, your private endpoint can be approved automatically. If you’re connecting to a private-link resource without Azure role-based permissions, use the manual method to allow the owner of the resource to approve the connection.

70
Q

Private endpoint property: Request message

A

You can specify a message for requested connections to be approved manually. This message can be used to identify a specific request.

71
Q

Private endpoint property: Connection status

A

A read-only property that specifies whether the private endpoint is active. Only private endpoints in an approved state can be used to send traffic. Available states:
Approved: The connection was automatically or manually approved and is ready to be used.
Pending: The connection was created manually and is pending approval by the private-link resource owner.
Rejected: The connection was rejected by the private-link resource owner.
Disconnected: The connection was removed by the private-link resource owner. The private endpoint becomes informative and should be deleted for cleanup.

72
Q

Private Link Service Property: Provisioning State (provisioningState)

A

A read-only property that lists the current provisioning state for Private Link service. Applicable provisioning states are: Deleting, Failed, Succeeded, Updating. When the provisioning state is Succeeded, you’ve successfully provisioned your Private Link service.

73
Q

Private Link Service Property: Alias (alias)

A

A globally unique read-only string for your service. It helps you mask the customer data for your service and at the same time creates an easy-to-share name for your service. When you create a Private Link service, Azure generates the alias for your service that you can share with your customers. Your customers can use this alias to request a connection to your service.

74
Q

Private Link Service Property: Visibility (visibility)

A

The property that controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure of their service to subscriptions with Azure role-based access control permissions. A restricted set of subscriptions can also be used to limit exposure.

75
Q

Private Link Service Property: Auto Approval (autoApproval)

A

Controls the automated access to the Private Link service. The subscriptions specified in the auto-approval list are approved automatically when a connection is requested from private endpoints in those subscriptions.

76
Q

Private Link Service Property: Load balancer frontend IP configuration (loadBalancerFrontendIpConfigurations)

A

Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations.

77
Q

Private Link Service Property: NAT IP configuration (ipConfigurations)

A

This property refers to the NAT (Network Address Translation) IP configuration for the Private Link service. The NAT IP can be chosen from any subnet in a service provider’s virtual network. Private Link service performs destination side NAT-ing on the Private Link traffic. This NAT ensures that there’s no IP conflict between source (consumer side) and destination (service provider) address space. On the destination or service provider side, the NAT IP address displays as source IP for all packets received by your service. Destination IP is displayed for all packets sent by your service.

78
Q

Private Link Service Property: Private endpoint connections (privateEndpointConnections)

A

This property lists the private endpoints connecting to Private Link service. Multiple private endpoints can connect to the same Private Link service and the service provider can control the state for individual private endpoints.

79
Q

Private Link Service Property: TCP Proxy V2 (EnableProxyProtocol)

A

This property lets the service provider use TCP Proxy v2 to retrieve connection information about the service consumer. The service provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header.

80
Q

virtual network integration features

A

Requires a supported Basic or Standard, Premium, Premium v2, Premium v3, or Elastic Premium App Service pricing tier.

Supports TCP and UDP.

Works with App Service apps, function apps and Logic apps.

81
Q

Mounting a drive.
Windows Server Active Directory domain join.
NetBIOS.

A

unsupported virtual network integration features

82
Q

The App Service virtual network integration feature

A

Enables your apps to access resources in or through a virtual network.

83
Q

Application Security Group (ASG)

A

Enables you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.

84
Q

The dedicated compute pricing tiers, which include Basic, Standard, Premium, Premium v2, and Premium v3.

A variation that deploys directly into your virtual network with dedicated supporting infrastructure and uses the Isolated and Isolated v2 pricing tiers.

A

Two variations of App Service
