AZ-900 2.1 Multiple Choice Flashcards
What is identity in the context of Azure security?
a) A process of validating what an identity can do.
b) The unique identifier for any digital object.
c) The proof of who or what someone is.
d) A security certificate.
b) The unique identifier for any digital object.
2.2.1
Which of the following describes authentication?
a) Scoping an identity to specific actions.
b) A unique identifier for a digital object.
c) Proving the identity of a digital object.
d) Assigning permissions in Azure.
c) Proving the identity of a digital object.
2.2.1
What is the purpose of authorization?
a) To identify a user.
b) To prove the identity of a user.
c) To scope an identity to specific actions and permissions.
d) To manage user passwords.
c) To scope an identity to specific actions and permissions.
2.2.1
Which of the following is an example of identity in the physical world?
a) A house key.
b) A passport.
c) An event ticket.
d) A shared access signature (SAS) token.
b) A passport.
2.2.1
Which of the following is an example of authentication in the digital world?
a) An Azure Active Directory object.
b) Software licensing.
c) An email ID.
d) An email account password.
d) An email account password.
2.2.1
Which of the following is an example of authorization in the physical world?
a) A driver’s license.
b) A certificate of authenticity.
c) An event ticket.
d) A key card to enter a building.
c) An event ticket.
2.2.1
What is Azure Active Directory (Azure AD) primarily used for?
a) Managing physical security systems.
b) Managing identity, authentication, and authorization.
c) Handling software licensing.
d) Providing internet service.
b) Managing identity, authentication, and authorization.
2.2.1
What has Azure Active Directory been rebranded as?
a) Microsoft Azure.
b) Microsoft 365.
c) Microsoft Entra ID.
d) Azure Security Center.
c) Microsoft Entra ID.
2.2.1
According to the source, what is required to effectively administer any digital environment?
a) Only authentication.
b) Only authorization.
c) Identity, authentication, and authorization.
d) Just a strong password policy.
c) Identity, authentication, and authorization.
2.2.1
What does authentication provide?
a) A unique identifier.
b) Proof of who or what someone is.
c) Scoped permissions.
d) Access to physical resources.
b) Proof of who or what someone is.
2.2.1
Microsoft Entra is:
a) A single service for managing on-premises Active Directory.
b) A legacy office solution.
c) A product family that includes Azure AD and other services.
d) Another name for Active Directory.
c) A product family that includes Azure AD and other services.
2.2.2
As of July 11, 2023, Azure Active Directory was renamed to:
a) Microsoft Azure AD Services.
b) Azure AD Connect.
c) Microsoft Entra ID.
d) Active Directory Services.
c) Microsoft Entra ID.
2.2.2
Which of the following is a characteristic of Active Directory?
a) Cloud-native design.
b) Modern authentication protocols.
c) Designed for modern web applications.
d) Legacy authentication.
d) Legacy authentication.
2.2.2
Azure Active Directory (Microsoft Entra ID) is:
a) The same as Active Directory.
b) Designed for on-premises data centers.
c) Designed for cloud-enabled devices and services.
d) A legacy office solution.
c) Designed for cloud-enabled devices and services.
2.2.2
Every Azure account:
a) Requires a paid subscription to use Azure AD.
b) Needs approval to get an Azure AD/Entra ID instance.
c) Automatically has an Azure AD/Entra ID instance.
d) Can choose whether or not to implement Azure AD.
c) Automatically has an Azure AD/Entra ID instance.
2.2.2
A tenant in Azure Active Directory represents:
a) A single user account.
b) A billing subscription.
c) The organization as a whole.
d) A virtual machine instance.
c) The organization as a whole.
2.2.2
What is the maximum number of Azure AD/Microsoft Entra ID tenants a user can be a member or guest of?
a) 100
b) 250
c) 500
d) 1000
c) 500
2.2.2
In Azure, a subscription is:
a) A dedicated instance of Entra ID.
b) A billing entity where all resources are billed together.
c) An on-premises location.
d) A type of user account.
b) A billing entity where all resources are billed together.
2.2.2
If a subscription in Azure isn’t paid:
a) The tenant is suspended.
b) The user accounts are deleted.
c) All the resources and services associated with the subscription stop.
d) The Azure AD instance is disabled.
c) All the resources and services associated with the subscription stop.
2.2.2
Entra ID can help manage users in a hybrid cloud setup by:
a) Migrating all on-premises data to the cloud.
b) Replacing Active Directory.
c) Connecting an on-premises AD to Azure AD.
d) Disabling on-premises authentication.
c) Connecting an on-premises AD to Azure AD.
2.2.2
What is the fundamental principle of the Zero Trust model?
a) All users are trusted by default.
b) All users are assumed untrustworthy unless proven otherwise.
c) Trust is based on network location.
d) VPNs are required for all access.
b) All users are assumed untrustworthy unless proven otherwise.
2.2.4
In the Zero Trust model, how is a user’s trustworthiness established?
a) By their device being on the corporate network.
b) By verifying their identity through authentication.
c) By default, if they are an employee.
d) By using a VPN.
b) By verifying their identity through authentication.
2.2.4
What is a key characteristic of access in a Zero Trust environment?
a) Broad access to all network resources.
b) Unlimited access once inside the network.
c) Access based on device type.
d) Least privileged access (just enough permissions to perform the job).
d) Least privileged access (just enough permissions to perform the job).
2.2.4
What is a major challenge with the traditional trusted perimeter model?
a) It is too secure.
b) Remote work becomes a challenge.
c) It simplifies centralized management.
d) It relies on individual authentication.
b) Remote work becomes a challenge.
2.2.4
How does a VPN traditionally extend the trusted perimeter?
a) By restricting access to the corporate network.
b) By extending the trusted perimeter around a device, allowing access to the corporate network.
c) By authenticating individual users.
d) By removing the need for a trusted perimeter.
b) By extending the trusted perimeter around a device, allowing access to the corporate network.
2.2.4
What is a potential risk of the traditional trusted perimeter model?
a) Overly restricted access.
b) Complex management.
c) A rogue user or malware inside the trusted network can cause significant damage.
d) It is too expensive to maintain.
c) A rogue user or malware inside the trusted network can cause significant damage.
2.2.4
In a Zero Trust environment, what is access dependent on?
a) Network location.
b) Trusted identities after authorization and authentication.
c) Device type.
d) VPN connection.
b) Trusted identities after authorization and authentication.
2.2.4
How does Zero Trust support remote work?
a) By requiring all users to connect via VPN.
b) By trusting devices inside the corporate network.
c) By enabling authentication and authorization regardless of location.
d) By restricting access to only corporate devices.
c) By enabling authentication and authorization regardless of location.
2.2.4
What is a benefit of Zero Trust in action with mobile devices?
a) Full access to corporate and personal data.
b) Requires the device to be on the corporate network.
c) Corporate assets can be removed from a device without affecting personal information.
d) Eliminates the need for authentication.
c) Corporate assets can be removed from a device without affecting personal information.
2.2.4
What is the primary focus of management in a Zero Trust model?
a) Each individual device.
b) Network location.
c) The specific user and their identity.
d) VPN connections.
c) The specific user and their identity.
2.2.4
What is the central idea behind the MFA model?
a) Using a single strong password.
b) Authenticating using multiple different factors.
c) Avoiding password resets.
d) Using only biometric authentication.
b) Authenticating using multiple different factors.
2.2.5
Which of the following is NOT a factor used in MFA?
a) Something you know.
b) Something you have.
c) Something you are.
d) Something you wish.
d) Something you wish.
2.2.5
In an MFA model, how many factors are required to authenticate an identity?
a) Only one.
b) At least two.
c) Exactly three.
d) As many as possible.
b) At least two.
2.2.5
In the example provided, what is the first factor when logging into a website?
a) A code from an authenticator app.
b) A fingerprint scan.
c) Username and password.
d) A security question.
c) Username and password.
2.2.5
In the example, what is the second factor?
a) Username.
b) Password.
c) Smartphone with an authentication method.
d) Security question.
c) Smartphone with an authentication method.
2.2.5
What is sent after the first factor is validated?
a) An email.
b) A signal requesting an additional factor.
c) A notification to IT support.
d) A password reset link.
b) A signal requesting an additional factor.
2.2.5
What does MFA provide for user identity?
a) A single layer of security.
b) Layered security.
c) No security.
d) Optional security.
b) Layered security.
2.2.5
What is becoming the norm as a first step of layered security for user identity?
a) Single sign-on.
b) Complex passwords.
c) Multi-Factor Authentication.
d) Biometric scanning.
c) Multi-Factor Authentication.
2.2.5
Which of the following is an example of “something you are”?
a) A password.
b) A security token.
c) A smartphone.
d) Biometrics (fingerprint, facial recognition).
d) Biometrics (fingerprint, facial recognition).
2.2.5
What is the main purpose of MFA?
a) To make it easier to remember passwords.
b) To provide an additional layer of security.
c) To reduce the need for passwords.
d) To speed up the login process.
b) To provide an additional layer of security.
2.2.5
Conditional Access policies are essentially what type of statements?
a) If/then
b) Either/or
c) Must/must not
d) Can/cannot
a) If/then
2.2.6
What is a primary function of Conditional Access?
a) To bypass multi-factor authentication
b) To grant or block access to applications or services based on conditions
c) To eliminate the need for usernames and passwords
d) To provide guest access to resources
b) To grant or block access to applications or services based on conditions
2.2.6
Conditional Access is often paired with what for layered security?
a) Multi-Factor Authentication (MFA)
b) Single Sign-On (SSO)
c) Password Complexity Policies
d) Biometric Scanners
a) Multi-Factor Authentication (MFA)
2.2.6
In Azure, what is assigned to users or groups in a Conditional Access policy?
a) Roles
b) Conditions or signals
c) Permissions
d) Licenses
b) Conditions or signals
2.2.6
Which of the following can be used to scope a Conditional Access policy?
a) User’s favorite color
b) Application usage time
c) Location or IP address
d) User’s age
c) Location or IP address
2.2.6
What is a common scenario for using Conditional Access?
a) To bypass security protocols for faster access
b) To enforce MFA for all administrators
c) To provide unlimited access to all users
d) To disable auditing
b) To enforce MFA for all administrators
2.2.6
What type of authentication protocols can be blocked using Conditional Access policies?
a) Modern authentication protocols
b) Legacy authentication protocols
c) All authentication protocols
d) Only biometric protocols
b) Legacy authentication protocols
2.2.6
Conditional Access can grant access only to specific what?
a) Time of day
b) Locations
c) Types of data
d) Web browsers
b) Locations
2.2.6
Besides laptops and desktops, Conditional Access can also manage which other type of organization-managed devices?
a) Gaming consoles
b) Smart TVs
c) Mobile devices
d) Smart watches
c) Mobile devices
2.2.6
What does modern best practice encourage in relation to Conditional Access?
a) To disable Conditional Access
b) To use only simple passwords
c) To use Conditional Access
d) To ignore security alerts
c) To use Conditional Access
2.2.6
What is a primary goal of passwordless authentication?
a. To increase convenience while maintaining high security
b. To decrease security for increased convenience
c. To eliminate the need for multi-factor authentication
d. To make passwords easier to remember
a. To increase convenience while maintaining high security
2.2.7
What is one method used in passwordless authentication?
a. Microsoft Authenticator App with biometrics or PIN
b. Requiring longer, more complex passwords
c. Removing multi-factor authentication
d. Sending passwords via SMS
a. Microsoft Authenticator App with biometrics or PIN
2.2.7
Why can multi-factor authentication be frustrating for users?
a. It is always error-free
b. It can be less convenient and slower than password-only login
c. It requires no additional steps
d. It is impossible to implement
b. It can be less convenient and slower than password-only login
2.2.7
What does passwordless authentication replace in the login process?
a. Username
b. Multi-factor authentication
c. Password
d. Biometrics
c. Password
2.2.7
What is Windows Hello?
a. A Microsoft password manager
b. Face recognition in Windows and fingerprint scanner compatibility
c. An optional security key
d. A type of password
b. Face recognition in Windows and fingerprint scanner compatibility
2.2.7
What is a FIDO2 compliance security key?
a. A software program that generates passwords
b. A type of biometric scanner
c. A hardware key plugged into a computer for authentication
d. An app for storing passwords
c. A hardware key plugged into a computer for authentication
2.2.7
In a passwordless login scenario with Microsoft Authenticator, what might a user be prompted to do after entering their username?
a. Enter their password
b. Check the Microsoft Authenticator app
c. Reset their password
d. Skip authentication
b. Check the Microsoft Authenticator app
2.2.7
What are the key components of passwordless authentication?
a. Something you know and something you have
b. Something you have, something you are, or something you know
c. Only something you know
d. Only something you have
b. Something you have, something you are, or something you know
2.2.7
What is a drawback of traditional passwords?
a. They are very secure
b. They are easy to remember
c. They are often not stored securely
d. They increase security for the user account
c. They are often not stored securely
2.2.7
How does passwordless authentication affect the multi-factor authentication (MFA) framework?
a. It replaces MFA entirely
b. It is completely separate from MFA
c. It integrates further into the MFA framework
d. It reduces the security of MFA
c. It integrates further into the MFA framework
2.2.7
What is a primary challenge that external guest access aims to solve?
a. Streamlining interactions with consultants and customers in an Azure or Entra ID configuration.
b. Complicating internal IAM lifecycles.
c. Requiring external users to juggle multiple accounts.
d. Limiting the number of external identity providers.
a. Streamlining interactions with consultants and customers in an Azure or Entra ID configuration.
2.2.8
What is a downside of giving new IDs to every external user?
a. It simplifies the IAM lifecycle.
b. It requires external users to juggle two accounts.
c. It enhances security within the organization.
d. It improves integration with customer systems.
b. It requires external users to juggle two accounts.
2.2.8
Which solution is designed for interacting with internal resources?
a. Azure AD B2C
b. Entra External ID for customers
c. Azure AD B2B, now Entra External ID for partners
d. Microsoft account
c. Azure AD B2B, now Entra External ID for partners
2.2.8
In Entra External ID for partners, how is a user object created?
a. The external user’s existing ID is directly used.
b. A new user object is created inside your organization based on the external ID after the user accepts the invitation.
c. The user logs in using their current ID with their provider.
d. The organization trusts the authorization of the external provider.
b. A new user object is created inside your organization based on the external ID after the user accepts the invitation.
2.2.8
In Entra External ID for customers, how does the external user log in?
a. A new user object is created inside the organization.
b. The user logs in using their current ID with their provider.
c. The organization initiates an invitation to the external user ID.
d. Authorization happens within your organization.
b. The user logs in using their current ID with their provider.
2.2.8
What principle should be followed when assigning permissions for a guest account?
a. Assigning the most permissive access possible.
b. Granting identical permissions to Entra ID and Azure subscriptions.
c. The principle of least privilege.
d. Ignoring cross-tenant Conditional Access policies.
c. The principle of least privilege.
2.2.8
What can be applied to guest users to add an extra layer of security?
a. Unlimited access privileges.
b. Cross-tenant Conditional Access policies.
c. Ignoring MFA requirements.
d. Direct access to all applications.
b. Cross-tenant Conditional Access policies.
2.2.8
When inviting an external consultant, what is the first step if they are not using a Microsoft account?
a. Assign permissions.
b. Assign apps.
c. Configure the identity provider.
d. Apply a Conditional Access Policy.
c. Configure the identity provider.
2.2.8
What does external guest access enable?
a. Security only within organizational boundaries.
b. Visibility of external guest activity within your organizational IT borders.
c. Limiting the number of external identity providers.
d. Complicating internal IAM lifecycles.
b. Visibility of external guest activity within your organizational IT borders.
2.2.8
What does business-to-customer access allow for?
a. A federated level of trust for tenants.
b. Improved integration with customer systems.
c. Enhanced levels of complication within your organization.
d. Visibility of external guest activity outside your organizational IT borders.
b. Improved integration with customer systems.
2.2.8
Which of the following is a limitation that Azure Active Directory Domain Services (AD DS) can help overcome?
a. Legacy applications unable to use modern authentication protocols
b. Modern applications unable to use legacy authentication protocols
c. Lack of support for cloud migrations
d. Inability to integrate with on-premises AD
a. Legacy applications unable to use modern authentication protocols
2.2.9
Which of the following authentication protocols are supported by Azure AD DS?
a. SAML and OAUTH
b. OpenID Connect
c. Kerberos
d. All of the above
c. Kerberos
2.2.9
If an organization has legacy applications requiring traditional Active Directory management, which of the following could be a solution?
a. Migrating all applications to modern protocols.
b. Configuring an Active Directory server on an Azure VM.
c. Discontinuing use of legacy applications.
d. Using only Entra ID for all applications.
b. Configuring an Active Directory server on an Azure VM.
2.2.9
What is a key benefit of Azure Active Directory Domain Services?
a. Requires extensive OS configuration and management.
b. Requires virtual machine management.
c. It is a managed service, so there’s no need for OS configuration or management.
d. It uses only one Windows domain controller for cost savings.
c. It is a managed service, so there’s no need for OS configuration or management.
2.2.9
What is the minimum number of Windows domain controllers that Azure AD DS utilizes by default?
a. One
b. Two
c. Three
d. Four
b. Two
2.2.9
When you create an Azure AD DS instance, what type of domain is it?
a. An extension of your on-premises AD domain.
b. Integrated with the Entra ID domain.
c. A stand-alone domain with a unique namespace.
d. A subdomain of the Azure Active Directory.
c. A stand-alone domain with a unique namespace.
2.2.9
How does synchronization work between Entra ID and Azure AD DS?
a. Two-way synchronization
b. No synchronization occurs
c. One-way sync from Entra ID to Azure AD DS
d. Azure AD DS syncs to Entra ID
c. One-way sync from Entra ID to Azure AD DS
2.2.9
What is a primary use case for Azure AD DS?
a. Supporting modern application development.
b. Replacing on-premises Active Directory entirely.
c. Migrating legacy enterprise applications to Azure VMs.
d. Enhancing the security of cloud-native applications.
c. Migrating legacy enterprise applications to Azure VMs.
2.2.9
What type of maintenance is required from the user for Azure Active Directory Domain Services?
a. Operating System maintenance
b. Virtual Machine maintenance
c. No infrastructure maintenance required
d. Application maintenance
c. No infrastructure maintenance required
2.2.9
Which of the following is a key feature that Azure AD DS provides as a managed service?
a. Group Policy
b. SAML Token Support
c. OAUTH
d. Modern Authentication Protocols
a. Group Policy
2.2.9
What is the core principle behind Role-Based Access Control (RBAC)?
a. Controlling access to resources based on assigned roles
b. Granting full access to all users
c. Denying access to all resources by default
d. Managing network configurations
a. Controlling access to resources based on assigned roles
2.2.10
Which of the following is NOT a type of role in Azure RBAC?
a. Built-in roles
b. Custom roles
c. Pre-defined roles
d. Owner roles
c. Pre-defined roles
2.2.10
Which of the following is an example of a built-in role in Azure RBAC?
a. Administrator
b. Contributor
c. Auditor
d. Custom Operator
b. Contributor
2.2.10
What are the main components of custom roles?
a. Role definitions and permissions
b. Pre-defined settings and user groups
c. Azure defaults
d. Network configurations
a. Role definitions and permissions
2.2.10
What is the most important concept to remember when assigning roles in Azure?
a. Cost
b. Scope
c. Complexity
d. User Experience
b. Scope
2.2.10
What does “scope” refer to in the context of role assignments?
a. The number of users assigned to a role
b. The specific resources or services to which the role applies
c. The geographical location of the resources
d. The time period for which the role is valid
b. The specific resources or services to which the role applies
2.2.10
What is inheritance in the context of Azure RBAC?
a. The ability to transfer role assignments to another user
b. The capability of roles to inherit permissions from other roles or the application of permissions to a lower-level organizational construct
c. The process of creating new roles based on existing ones
d. The automatic assignment of roles to all users in a subscription
b. The capability of roles to inherit permissions from other roles or the application of permissions to a lower-level organizational construct
2.2.10
Why is it more efficient to assign roles to groups rather than individual users?
a. It simplifies the auditing process
b. It reduces the number of role assignments
c. It enhances security
d. It allows for more granular control
b. It reduces the number of role assignments
2.2.10
What is a key benefit of using built-in roles whenever possible?
a. They offer more customization options
b. They are based on broad, general use cases
c. They provide the highest level of security
d. They automatically adapt to changing resource configurations
b. They are based on broad, general use cases
2.2.10
What should organizations do to maintain effective role-based access control?
a. Grant all users the Owner role for simplicity
b. Regularly review, audit, and document role assignments
c. Avoid using custom roles
d. Assign roles at the lowest possible level to maximize control
b. Regularly review, audit, and document role assignments
2.2.10
What is the primary objective of defense in depth?
a. To protect information and prevent unauthorized access
b. To ensure all users have equal access to data
c. To complicate network configurations
d. To reduce the cost of security measures
a. To protect information and prevent unauthorized access
2.2.11
Defense in depth can be visualized as:
a. A set of layers with data at the center
b. A single, impenetrable wall
c. A complex algorithm
d. A randomly generated password
a. A set of layers with data at the center
2.2.11
In the castle analogy, which of the following represents a layer of defense?
a. The moat
b. The town square
c. The royal gardens
d. The stables
a. The moat
2.2.11
In an identity example of defense in depth, what is the user protected by?
a. Password
b. The drawbridge
c. The royal decree
d. The jester
a. Password
2.2.11
What is an additional layer of security beyond a password?
a. Multi-Factor Authentication (MFA)
b. A guest list
c. A welcome mat
d. An open door policy
a. Multi-Factor Authentication (MFA)
2.2.11
What does MFA provide?
a. Something the user knows
b. Something the user is
c. Something the user does
d. Something the user has
d. Something the user has
2.2.11
What is another layer of security that can be implemented with MFA and passwords?
a. Conditional Access policies
b. A suggestion box
c. An employee handbook
d. A security blanket
a. Conditional Access policies
2.2.11
Defense in depth at the identity level can play into:
a. Human resources
b. Application security
c. Janitorial services
d. Public relations
b. Application security
2.2.11
What should one remember about user identity?
a. It is unimportant to protect
b. It should be shared with everyone
c. It is the least important piece of data
d. It is the data to protect
d. It is the data to protect
2.2.11
What is considered best practice at the identity level?
a. Layered defense
b. Single-factor authentication
c. No defense
d. Password sharing
a. Layered defense
2.2.11