(AZ-900 topic) Describe identity, governance, privacy, and compliance features Flashcards

This AZ-900 topic assesses your ability to: show an understanding of what Azure identity services are, show an understanding of Azure governance features, and be able to talk about privacy and compliance resources. Questions for this domain comprise 22% of the total questions for the AZ-900.

1
Q

Which Azure tool allows you to view which user turned off a specific virtual machine during the last 14 days?

  • Azure Activity Log
  • Azure Monitor
  • Azure Service Health
  • Azure Event Hubs
A

Azure Activity Log

The correct answer is the Azure Activity Log - it is a logging service that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. Events such as starting and stopping of virtual machines can be found here.

2
Q

What do you use to make sure that users of your application are who they say they are?

A

Authentication

Authentication is confirming users are who they say they are.

3
Q

Your company plans to move several servers to Azure. The company’s compliance policy states a server named HRServer1 must be in a separate physical location from all other servers. Which Azure services can be used to meet the compliance policy requirements?

A

One Azure region for HRServer1 and another Azure region for all other servers.

The correct answer is to have one Azure region for server HRServer1 and another Azure region for all other servers. An Azure region is a set of data centers deployed in a specific geographic location. By placing HRServer1 in a different Azure region to other servers, you have ensured it resides in a separate physical location from all your other servers. The other answers are incorrect as they will not ensure HRServer1 is in a separate physical location. A resource group is simply a logical construct that groups multiple resources together so they can be managed as a single entity. Resources from different resource groups can reside in the same location. Having HRServer1 reside in a separate subnet or virtual network does not ensure it is in a separate physical location - again these are logical constructs that span the same region/physical location.

4
Q

Your security team is hesitant to permit access to the Azure Public Cloud - to help reassure them of the compliance certifications awarded to Azure what service can you direct them to?

A

Service Trust Portal

The Service Trust Portal is the central location for all published audit reports of the Azure platform as well as risk assessments and security best practices.

5
Q

What are region pairs?

A

A region that is linked with another region in the same geography

Azure has the concept of region pairs: these are two or more regions that are at least 300 miles apart within a single geography. This enables the ability to replicate certain resources, such as virtual machine storage, across the geography, providing protection against events such as natural disasters or civil unrest.

6
Q

Which of the following regulates data privacy in the European Union (EU)?

ISO
GDPR
ITIL
NIST

A

GDPR

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

7
Q

How is authorization different from authentication?

A

Authentication is the process of proving that you are who you say you are. Authorization is the act of granting an authenticated party permission to do something.

Authentication is the process of proving that you are who you say you are. It’s sometimes shortened to AuthN. The Microsoft identity platform uses the OpenID Connect protocol for handling authentication. Authorization is the act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data. Authorization is sometimes shortened to AuthZ. The Microsoft identity platform uses the OAuth 2.0 protocol for handling authorization.

8
Q

Which of the following is the organization that defines standards used by the United States government?

ISO
GDPR
ITIL
NIST

A

NIST

The National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidance to help organizations assess risk. It defines the standards that are used by the United States government as well as the US Department of Defense (DoD).

9
Q

How many tenants can a user in Azure Active Directory belong to?

A

500

A single user can belong to a maximum of 500 Azure AD tenants as a member or a guest.

10
Q

Which of the following are benefits of Azure geographies?
(choose 3)

  • Any Azure geography can be used by anyone
  • Azure has geographies throughout the world
  • Data residency is honored within the geographical boundary
  • They are fault tolerant and can often withstand complete region failure
A
  • Azure has geographies throughout the world
  • Data residency is honored within the geographical boundary
  • They are fault tolerant and can often withstand complete region failure

(Azure geography can be used by anyone) - There are certain restrictions - for example, there are restrictions around who can use the Azure Government or China regions.

(Azure has geographies throughout the world) - Azure has geographies in the Americas, Europe, Asia Pacific, the Middle East and Africa.

(Data residency honored within geographical boundary) - Azure has geographies around the world providing data residency within each region to give customers peace of mind over their data sovereignty.

(Fault tolerant and can withstand complete region failure) - Azure geographies are groups of one or more Azure regions. Every region already has fault tolerance (more than one data center), but most geographies have more than one region as well, giving you multiple levels of redundancy.

11
Q

Which Azure solution would you implement to embed a watermark into Office documents that contain social security numbers?

  • Azure Active Directory (Azure AD) Identity Protection
  • Azure Active Directory (Azure AD) conditional access
  • Azure Active Directory (Azure AD) Privileged Identity Management
  • Azure Information Protection
A

-Azure Information Protection

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization classify and, optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. Azure Active Directory. This includes access to resources in Azure AD, Azure resources, and other Microsoft Online Services, like Office 365 or Microsoft Intune.

12
Q

Which types of customers are eligible to use Azure Government to develop a cloud solution?

  • United States government entity
  • United States government contractor
  • European government contractor
  • Alabama Coushatta Tribe of Texas
  • European government entity
A
  • United States government entity
  • United States government contractor
  • Alabama Coushatta Tribe of Texas

Azure Government is a cloud platform available to US federal, state, local, and tribal government entities and their solution providers. European government entities or their contractors are not eligible to use Azure Government.

13
Q

Which of the following is true in relation to Azure Management Groups?

  • Management Groups allow you to create custom dashboards to view and analyse your cloud usage.
  • Management Groups allow you to implement policy-based management for all Azure services.
  • Management Groups allow you to easily create fully compliant environments and manage them.
  • Management Groups allow you to apply policies with flexible hierarchies to multiple subscriptions.
A

-Management Groups allow you to apply policies with flexible hierarchies to multiple subscriptions.

Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called management groups and apply your governance conditions to the management groups. For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation.

14
Q

What does Azure Information Protection do?

  • Allows you to centrally create and log application and network connectivity policies.
  • Safeguards and allows control over keys and secrets.
  • Provides the ability to securely share sensitive data with others.
  • Provides a managed service for hardware security modules in the cloud.
A

-Provides the ability to securely share sensitive data with others.

Azure Information Protection helps control and secure information (including emails and documents) that is shared outside of your organization.

15
Q

The Nutex Corporation wants to ensure that apps and services deployed on Azure are compliant with global and industry-specific compliance standards. Which of the following Azure products can be used to monitor and ensure that apps and services are compliant with the industry-specific compliance standards? (select all that apply)

  • Azure Security Center
  • Azure Express Route
  • Microsoft Trust Center
  • Azure Monitor
  • Microsoft Compliance Manager
  • Azure Service Bus
A
  • Azure Security Center
  • Microsoft Trust Center
  • Azure Monitor
  • Microsoft Compliance Manager

Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry from cloud and on-premises environments.

Microsoft Trust Center is where the security and privacy settings for Microsoft Office programs are configured.

Azure Security Center is a security management system that strengthens the security of data centers and implements advanced threat protection for hybrid workloads in the cloud.

Microsoft Compliance Manager is a workflow-based risk assessment tool that tracks, assigns, and verifies regulatory compliance activities related to Microsoft cloud services. Compliance Manager helps manage regulatory compliance within the shared responsibility model for Microsoft cloud services. Compliance Manager offers a centralized dashboard for viewing standards, regulations, and control implementation details, as well as test results for Microsoft service assessments. It also includes tools to manage custom control implementations and compliance tracking by organizations.

Azure ExpressRoute extends your on-premises networks into the Microsoft cloud over a private connection. You can establish connections to Microsoft cloud services with ExpressRoute. ExpressRoute does not allow monitoring of compliance standards.

Azure Service Bus is an enterprise integration message broker. Service Bus can decouple applications and services. Service Bus has a secure platform that uses asynchronous data and state transfer. Azure Service Bus does not allow monitoring of compliance standards.

16
Q

Dreamsuite Corporation’s rapid growth has exponentially increased the need for their development teams to create new environments.

Dreamsuite needs to ensure that these environments comply with Dreamsuite’s standards and requirements. What Azure service will allow for such a repeatable set of Azure resources?

  • Azure Cosmos DB
  • Azure Resource Manager templates
  • Azure DevTest Labs
  • Azure Blueprints
  • Azure Batch
A

-Azure Blueprints

Azure Blueprints will meet Dreamsuite’s needs. Blueprints allow templates, access controls, and policies to be deployed as a single compliance package. The components are referred to as artifacts and can include items such as Azure Resource Manager (ARM) templates, resource groups, policy assignments, and more. Blueprints are designed for environment setup.

Azure Resource Manager templates can be a part (artifact) of an Azure Blueprint deployment, but as a standalone, they do not meet the scenario requirements. ARM templates don’t exist natively in Azure.

The Azure Cosmos DB is the backend database behind Azure Blueprints, but not the actual service required by the scenario.

Azure Batch is used to create and manage large pools of virtual machines. It does not meet the requirements of this scenario.

Azure DevTest Labs allows for the quick provisioning of test environments, but this is only a subset of the standardization required in the scenario.

Unlike Azure Resource Manager templates, Azure Blueprints retain the connection between the blueprint and what was deployed from it. This allows for tracking and auditing.

17
Q

The Authorization process works on permissions.

True or false?

A

True

18
Q

RBAC does not work closely with the Authorization process. True or false?

A

False

It does! Authorization lists the permissions the users have on a system, which is part of RBAC.

19
Q

The Authorization process happens only after the identity is validated. True or false?

A

True

20
Q

Multi-factor is used in the Authorization process to add two or more levels of security from independent categories. True or false?

A

False.

Multi-factor authentication is used in the authentication process.

21
Q

The Authentication process uses credentials such as user name and password. True or false?

A

True.

22
Q

The Authorization process sometimes uses a Captcha test.

A

False.

Authentication uses the Captcha test to ensure that the sign-on attempt is from a human and not a bot.

23
Q

You are part of the IT team at Nutex Corporation. Your management has launched an initiative to reduce the cost of managing apps and services on Azure. To support this initiative, you must know the best practices for reducing Azure costs.

Is the following statement about analyzing Azure costs on the Azure portal TRUE?

Cost Management data displayed for AWS usage includes the actual resource/service usage cost, tax, support, and refunds made on the AWS account

A

Cost Management data displayed for AWS usage includes the actual resource/service usage cost, tax, support, and refunds made on the AWS account.

False.

Cost Management shows AWS usage costs only. Tax, support, refunds, RI, credits, or any other charge types are not supported at this time.

24
Q

You are part of the IT team at Nutex Corporation. Your management has launched an initiative to reduce the cost of managing apps and services on Azure. To support this initiative, you must know the best practices for reducing Azure costs.

Is the following statement about analyzing Azure costs on the Azure portal TRUE?

The two types of Cost Management alerts are Budget alerts and Credit alerts.

A

The two types of Cost Management alerts are Budget alerts and Credit alerts.

False.

The Azure portal automatically generates three, not two, types of Cost Management alerts: Budget, Credit, and Department spending quota alerts. Budget alerts notify customers when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget. Credit alerts notify customers when Azure credit monetary commitments are consumed. Department spending quota alerts notify customers when department spending reaches a fixed threshold of the quota.

25
Q

You are part of the IT team at Nutex Corporation. Your management has launched an initiative to reduce the cost of managing apps and services on Azure. To support this initiative, you must know the best practices for reducing Azure costs.

Is the following statement about analyzing Azure costs on the Azure portal TRUE?

The AWS Cost and Usage report can be integrated with Azure Cost Management to analyze AWS costs on the Azure portal.

A

The AWS Cost and Usage report can be integrated with Azure Cost Management to analyze AWS costs on the Azure portal.

True.

Integration with the AWS Cost and Usage report can analyze AWS costs for the following scopes: AWS linked accounts under a management group, AWS linked account costs, and AWS consolidated account costs.

26
Q

You are part of the IT team at Nutex Corporation. Your management has launched an initiative to reduce the cost of managing apps and services on Azure. To support this initiative, you must know the best practices for reducing Azure costs.

Is the following statement about analyzing Azure costs on the Azure portal TRUE?

Azure costs can be filtered by the tags assigned to resources and services.

A

Azure costs can be filtered by the tags assigned to resources and services.

True.

Customers can filter and view Azure costs by the following: service, resource, tag assigned to resource and services, location, type of charge, invoice, and per day or per month.

27
Q

You are part of the IT team at Nutex Corporation. Your management has launched an initiative to reduce the cost of managing apps and services on Azure. To support this initiative, you must know the best practices for reducing Azure costs.

Is the following statement about analyzing Azure costs on the Azure portal TRUE?

Invoice Manager is a role available for Cost Management for customers with a Microsoft Customer Agreement

A

Invoice Manager is a role available for Cost Management for customers with a Microsoft Customer Agreement

True.

The five roles available for Cost Management for customers with a Microsoft Customer Agreement are:

Owner - manage billing settings and access, view all costs, and manage cost configuration.

Contributor - manage billing settings except for access, view all costs, and manage cost configuration.

Reader - view billing settings, cost data, and cost configuration.

Invoice Manager - view and pay invoices, and view cost data and configuration.

Azure subscription creator - create Azure subscriptions, view costs, and manage cost configuration.

28
Q

You are part of the IT team at Nutex Corporation. Your management has launched an initiative to reduce the cost of managing apps and services on Azure. To support this initiative, you must know the best practices for reducing Azure costs.

Is the following statement about analyzing Azure costs on the Azure portal TRUE?

Budget alerts are available only for customers with an Enterprise Agreement

A

Budget alerts are available only for customers with an Enterprise Agreement.

False.

Budget alerts are available for customers with an Enterprise Agreement or a Microsoft Customer Agreement, and customers who use Web Direct pay-as-you-go plans. Credit alerts and Department spending quota alerts are available only for customers with an Enterprise Agreement.

29
Q

The Nutex Corporation wants to work with the US government for some Azure services. You must explain the capabilities of Azure Government to management.

Which of the following statements about Azure Government are TRUE? (Select all that apply.)

  • Azure Government Marketplace contains only Bring Your Own License (BYOL) and Pay-As-You-Go (PayGo) images of products.
  • Azure Government uses the same underlying technologies as global Azure.
  • The Azure Pipelines service is not available with the Azure Government offering.
  • Azure Government uses physically isolated data centers located strategically around the globe.
  • Hybrid Identity exists only on the cloud after the on-premises directory and cloud directory are synchronized.
A
  • Azure Government uses the same underlying technologies as global Azure.
  • Azure Government Marketplace contains only Bring Your Own License (BYOL) and Pay-As-You-Go (PayGo) images of products.
  • The Azure Pipelines service is not available with the Azure Government offering.

Azure Government uses the same underlying technologies as global Azure, such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Azure Government includes auto scaling, geo-synchronous data replication, storage, data management, identity management, and network, among other services.

The Azure Government Marketplace connects government agencies with independent software vendors (ISVs) that are offering their solutions in Azure Government. Azure Marketplace is different from the Azure Government Marketplace in the following ways:
-Only Bring Your Own License (BYOL) and Pay-As-You-Go (PayGo) images are available in Azure Government Marketplace.
-A different set of images is available in Azure Government Marketplace.

Azure Pipelines is not available as part of Azure Government. Azure Pipelines is used by teams to configure continuous deployment for applications hosted in Azure subscriptions.

Azure Government does not use physically isolated data centers located strategically around the globe. U.S. government agencies or their partners interested in cloud services that meet government security and compliance requirements can use Azure Government. Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800-171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS.

Hybrid identities do not exist only on the cloud after the on-premises directory and cloud directory are synchronized. Three identity models can be used with Azure Government. They are on-premises identities (the Active Directory environments that most customers use today), cloud identities (those that originate, are managed, and exist only in Azure AD), and hybrid identities (those that originate as on-premises identities but become hybrid through directory synchronization to Azure AD).

30
Q

The Nutex Corporation wants to migrate its on-premises applications and services to Azure. You are the analyst tasked to investigate the benefits of this migration to Azure.

Which of the following statements about the Azure TCO Calculator is TRUE?

  • The Azure TCO Calculator application can be downloaded from the Azure website.
  • Azure TCO Calculator calculates on-premises infrastructure costs based on three criteria: hardware, software, and networking costs.
  • Azure TCO Calculator primarily evaluates the total cost incurred to migrate on-premises application workloads to Microsoft Azure.
  • Customers interested in migrating from on-premises deployments to Azure must focus their calculations around the Compute, Storage, and Network requirements on Azure in order to evaluate the costs accurately.
A

-Customers interested in migrating from on-premises deployments to Azure must focus their calculations around the Compute, Storage, and Network requirements on Azure in order to evaluate the costs accurately.

Unfortunately, not all cloud TCO calculations are accurate enough to let you make an informed decision. Many are ballpark estimates because they have failed to account for all performance metrics essential for rightsizing, and they may rely on metrics that have been averaged instead of considering peaks and valleys. These imprecise assessment methods may cause you to estimate a configuration scenario that is not suited to your performance requirements.

Metrics such as peak CPU utilization, allocated and peak RAM usage, observed storage on-premises (capacity and current occupancy), disk IOPS and bandwidth, throughput, and usage patterns must be analyzed. This approach focuses on three areas: Compute, Storage, and Network.

Microsoft's Azure Total Cost of Ownership (TCO) Calculator allows you to evaluate potential cost savings if you migrate on-premises application workloads to Microsoft Azure. You must specify the details of your existing infrastructure and various cost assumptions that you want the tool to work with. You receive a report that shows your on-premises costs compared to Microsoft Azure costs. While you may get a report of cost savings, TCO will NOT give you the total costs incurred to migrate on-premises application workloads to Microsoft Azure. TCO may allow you to compare costs on databases, storage, and networking, but does NOT calculate the labor rate that may be involved with the migration.

The Azure TCO Calculator calculates the on-premises infrastructure costs based on more than three criteria. It takes the following costs into consideration:
Hardware, Software (for Windows as an OS), Electricity, Data center, Networking, Disk storage, IT labor, Virtualization

Azure TCO Calculator is an online calculator that can be accessed on the Azure website. Customers can use it to check their TCO, but only the results can be downloaded.


31
Q

The Nutex Corporation wants to implement Azure locks to prevent administrators from accidentally deleting subscriptions and resources.

Which of the following statements about Azure locks are TRUE? (Select all that apply.)

  • A user with the appropriate permissions to modify or delete a resource can override an Azure lock and modify or delete a resource.
  • Applying an Azure lock to a parent scope enforces the lock on the resources within the scope.
  • Only Owner and User Access Administrator roles are granted permissions to create or delete Azure locks.
  • A CanNotModify lock prevents a user from modifying a resource but the user is able to delete the resource.
  • Applying an Azure lock to an Azure database permits changes but not operations on the resource.
A
  • Applying an Azure lock to a parent scope enforces the lock on the resources within the scope.
  • Only Owner and User Access Administrator roles are granted permissions to create or delete Azure locks.

Only Owner and User Access Administrator roles are granted permissions to create or delete Azure locks. These are the only roles which have access to the Microsoft.Authorization/* and Microsoft.Authorization/locks/* actions by which locks can be created and deleted.

Applying an Azure lock to a parent scope enforces the lock on the resources within the scope. When you apply a lock to a parent scope, all resources within that scope inherit the same lock, even if they are added after the lock was applied. The most restrictive lock in the inheritance takes precedence.

Azure locks apply only to operations that occur in the management plane. Resource operations are not restricted; only resource changes are restricted. For example, a ReadOnly lock on an SQL Database does not prevent users from creating, updating, or deleting data in the database. It only prevents them from deleting or modifying the database.

Even if a user has all the permissions allowed in Azure, they cannot bypass or override the Azure locks. Azure locks are not bound to RBAC permissions.

CanNotModify is not a valid type of Azure lock. There are two types of Azure locks, ReadOnly and CanNotDelete. ReadOnly locks make the resource read-only, no changes can be made to the resource and it cannot be deleted. CanNotDelete locks prevent a resource from being deleted, although it can be modified.

32
Q

The Nutex Corporation is considering shifting a considerable part of their offices to Germany. You are tasked with providing the impact analysis on the infrastructure and services hosted on Azure.

Which of the following statements about Azure Germany are TRUE? (Select all that apply.)

  • Azure Germany offers a separate instance of Microsoft Azure services from within German data centers.
  • EU-based support staff provides technical and non-technical support to Azure Germany’s customers.
  • Configuration of the features available with Azure Germany is identical to Azure Global.
  • Azure Germany offers all the features available with Azure Global.
A
  • Azure Germany offers a separate instance of Microsoft Azure services from within German data centers.
  • EU-based support staff provides technical and non-technical support to Azure Germany’s customers.

Azure Germany offers a separate instance of Microsoft Azure services from within German data centers, and EU-based support staff provides technical and non-technical support to Azure Germany’s customers.

The data centers are in two cities: Frankfurt/Main and Magdeburg. The data centers connect through a private network. The German data centers ensure customer data remains in Germany. All customer data is exclusively stored in those data centers.

Due to data privacy compliance and restrictions, technical and non-technical support for Azure Germany comes from EU-based support staff. The German data trustee supervises all support that requires platform access.

Configuration of the features available with Azure Germany is not identical to Azure Global. There are configuration differences from Azure Global for features that are offered in Azure Germany. You should review your configurations and sample code to ensure that you are building and executing within the Azure Germany environment.

Certain services and features that are available with Azure Global are not available with Azure Germany.

33
Q

The Nutex Corporation needs to create, assign, and manage policies.

Which of the following statements about Azure Policy are TRUE? (Select all that apply.)

  • A new Policy Definition can be added from PowerShell by using the New-PolicyDefinition cmdlet
  • Guest Configuration uses Desired State Configuration v2 to audit the settings of a Windows virtual machine
  • Remediation tasks created to remediate non-compliant resources use the Audit policy effect.
  • A Policy Definition is a collection of Initiative Definitions that achieve a common goal.
  • A virtual machine that does not log into a specified Log Analytics workspace is deemed non-compliant.
A
  • Guest Configuration uses Desired State Configuration v2 to audit the settings of a Windows virtual machine
  • A virtual machine that does not log into a specified Log Analytics workspace is deemed non-compliant.

Azure Policy can audit settings inside a machine. The validation is performed by the Guest Configuration extension and client. The extension, through the client, validates settings such as the configuration of the operating system, the configuration of the application, and the environment settings. To audit settings inside a machine, a virtual machine extension is enabled. The extension downloads applicable policy assignment and the corresponding configuration definition. You can use the Microsoft Desired State Configuration v2 utility to audit the settings of a Windows virtual machine.

Virtual machines are deemed noncompliant if they are not logging to the Log Analytics workspace specified in the policy or initiative assignment. The Azure Monitor feature reports this.

A Policy Definition is not a collection of Initiative Definitions that achieve a common goal. A Policy Definition contains the conditions under which it is enforced and a defined effect that takes place if the conditions are met. An Initiative Definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal.

The cmdlet used to add a new Policy Definition is New-AzPolicyDefinition, not the New-PolicyDefinition cmdlet. The New-PolicyDefinition cmdlet is a legacy cmdlet that is no longer used to create policy definitions.

Remediation tasks created to remediate non-compliant resources do not use the Audit policy effect. Resources that are non-compliant to a deployIfNotExists policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the tag operations of the assigned policy on your existing resources. The Audit policy effect generates a warning event in the activity log but doesn’t fail the request.

34
Q

Jennifer has been asked to configure the authentication and authorization for the Nutex Sales app being deployed as an Azure web app. Only Active Directory authenticated Nutex sales representatives should be using the app, and the sales management team would like a single sign-on (SSO) experience.
Which technologies will be required to accomplish the requested configuration? (Choose all that apply.)

  • Active Directory Domain Services
  • Active Directory Federated Services
  • OAuth 2.0
  • Microsoft Account Authentication
  • Azure Active Directory
A
  • Active Directory Domain Services
  • Active Directory Federated Services
  • Azure Active Directory

Jennifer should configure Active Directory Domain Services (AD DS) and Azure Active Directory to synchronize by using Active Directory Federated Services (AD FS). AD FS gives users single sign-on access to applications by acting as the identity provider, with Azure Active Directory as the federation partner that integrates with AD DS.

While Azure web apps support authentication using a variety of authentication providers including Google, Facebook, Twitter, and Microsoft Account, a Microsoft Account will not provide the single sign-on (SSO) experience requested by management.

Although Azure Active Directory supports using the OAuth 2.0 authentication protocol, it is not a requirement to provide single sign-on.

35
Q

You are the administrator of the Nutex Corporation. You build a Web API 2 HTTP API (hosted on-premises) for the NutexApp application, which is responsible for managing shipping orders. The identity management for the app has to be outsourced to Azure Active Directory B2C.

Service consumers will rely on Azure Active Directory B2C to add features to the app that will support sign-up and sign-in for new accounts using identity providers like Facebook, Google, Amazon, LinkedIn, or Microsoft accounts. Users should be able to sign in with their individual credentials. The consumer does not have to edit the profile attribute, but you want to allow the option to reset the password.

Which kind of policies should you create to meet the requirements with the least amount of effort? (Choose all that apply.)

  • Password reset policy
  • Sign-up or sign-in policy
  • Sign-up policy
  • Profile editing policy
  • Sign-in policy
A
  • Password reset policy
  • Sign-up or sign-in policy

You should create a sign-up or sign-in policy and a password reset policy. The sign-up or sign-in policy controls the consumer sign-up and sign-in experiences with a single policy. The sign-up or sign-in policy allows users to choose the right path for either sign-up or sign-in with identity provider credentials, depending on the context. This policy also describes the contents of tokens used for sign-ups or sign-ins from the application.

The password reset policy allows you to enable a fine-grained password reset on your application. Note that the tenant-wide password reset option that has been specified is still applicable for sign-in policies.

After creating a sign-in policy (with local accounts) or a sign-up policy, the user should see a “Forgot Password” link on the first page of the experience. If the user clicks the link, it will not automatically trigger a password reset policy. Instead, it generates the specific error code AADB2C90118, which is returned to your app. You must write logic into your app to handle this error and invoke a specific password reset policy.

You should not configure a separate sign-in policy and a separate sign-up policy. For the least administrative effort, you should configure a single sign-up or sign-in policy.

You should not create a profile editing policy. In this scenario, you do not have to edit the profile attribute. The profile editing policy enables profile editing on your application. This policy describes the experiences that consumers will go through during profile editing, to edit profiles, and to view the contents of tokens that the application will receive on successful completion.

36
Q

You are part of the IT team at the Nutex Corporation. Your management has triggered an initiative to reduce the costs of managing apps and services on Azure. To support this initiative, you must know the best practices for reducing Azure costs.

Which of the following statements about Azure Reservations are TRUE? (Select all that apply.)

  • Azure Reservation is particularly useful when resources run for short durations.
  • The utilization percentages of Azure Reservations can be viewed on the Azure portal.
  • Azure Reservation discounts are not applicable for the duration of the overlap if the runtimes of two different SQL databases overlap.
  • The unused reserved hours for virtual machines can be carried forward.
  • Azure Reservations are not applicable for a refund and cannot be exchanged.
  • The size of a Cosmos DB reservation required is dependent on the compute capacity used by Cosmos DB resources.
A
  • The utilization percentages of Azure Reservations can be viewed on the Azure portal.
  • Azure Reservation discounts are not applicable for the duration of the overlap if the runtimes of two different SQL databases overlap.
  • The size of a Cosmos DB reservation required is dependent on the compute capacity used by Cosmos DB resources.

The SQL database reserved capacity discount is applied on an hourly basis to running SQL databases. The reservation is automatically applied to other SQL databases that do not run for an hour but match the reservation attributes. For example, a 16-core SQL database runs from 1 pm to 1:30 pm. Another 16-core SQL database runs from 1:30 to 2 pm. The reservation discount covers both. If the runtimes overlap, pay-as-you-go prices are charged for the duration of the overlap. The reservation discount applies to the compute usage for the rest of the time.

Azure Reservations’ utilization percentages can be monitored to ensure that they are used optimally. To view the utilization percentage, follow these steps:
1. Go to the Azure portal and select All services > Reservations and note the Utilization (%) for each reservation.
2. Select a reservation.
3. Review the reservation use trend over time.

The size of the Cosmos DB reservation should be based on the total amount of throughput that the existing or soon-to-be-deployed Azure Cosmos DB resources will use. The size of a SQL Database reservation should be based on the total amount of compute used by the existing or soon-to-be-deployed single databases, elastic pools, or managed instances within a specific region and using the same performance tier and hardware generation.

It is not true that the unused reserved hours for virtual machines can be carried forward. A reservation discount is “use-it-or-lose-it”. If there are no resources used for an hour, the reservation quantity for that hour is lost. When you shut down a resource, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are lost.

An Azure reservation is particularly useful for resources that run for long, not short, periods, such as virtual machines, Azure Cosmos DBs, or SQL databases. Without a reservation, these resources are charged at pay-as-you-go rates even when they run continuously for long hours. With an Azure Reservation, discounts are applicable and up to 70% of the costs can be saved.

You can exchange a reservation for another reservation of the same type. You can also refund a reservation, up to $50,000 USD per year, if you no longer need it.

Self-service exchange and cancel capabilities are not available for US Government Enterprise Agreement customers. Other US Government subscription types, including pay-as-you-go and CSP, are supported.

37
Q

Your company’s legal team wants to investigate whether your company complies with regulations regarding storing, processing, or transmitting cardholder data. The legal team wants to know how the company’s e-commerce application adheres to these regulations.
Where can the legal team learn more about this?

  • Azure compliance documentation site
  • Governance Benchmark tool
  • Product Terms site
A

-Azure compliance documentation site

The Azure compliance documentation site (Azure compliance documentation | Microsoft Docs) allows the legal team to view the compliance documentation describing how Azure adheres to PCI DSS. PCI DSS is a data security standard that payment industry stakeholders use. On the Azure compliance documentation site, you can find global compliance, US government compliance, financial compliance, healthcare compliance, and compliance in other industries.

You should not choose the Product Terms site. The Product Terms site lists the use terms, the time of availability, and privacy commitments of products or services offered by Microsoft, including Azure. The Product Terms site allows you to see the terms of the services and products. You can use the site to query the terms relevant to the Product(s) that you have purchased in a specific licensing program. You can also find detailed information on a product or service.

38
Q

Which of the following is the organization that defines international standards across all industries?

  • ISO
  • NIST
  • ITIL
  • GDPR
A

-ISO

The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards.

39
Q

Are Azure data centers in China operated by Microsoft and governed by Microsoft’s service level agreement (SLA)?

Yes or no.

A

No.

In China, Azure is not operated by Microsoft, but by 21Vianet. 21Vianet is a separate cloud service from Azure and is located in China. 21Vianet is operated by Shanghai Blue Cloud Technology Co., Ltd. If you choose to use Azure services in China, you must sign an Online Service Premium Agreement (OSPA) with 21Vianet.

Azure China does not have all the features that you may normally expect with Azure. Compliance and data protection laws may also be different in China.

40
Q

The Nutex Corporation has a partnership with the Verigon Corporation. Both Nutex and Verigon have multi-factor authentication (MFA) capabilities. Wendy, a user at Verigon, needs access to an application in Nutex named the AT application.

Which of the following should you configure to ensure that Wendy can access the AT application? (Choose all that apply.)

  • Create a policy named MFA policy on the AT application under Conditional Access. Under Conditions, choose Require multi-factor authentication under Allow access.
  • Configure MFA access for the AT application in Verigon.
  • Ensure that Verigon has sufficient Premium Azure AD licenses that support MFA.
  • Ensure that Nutex has sufficient Premium Azure AD licenses that support MFA.
  • Create a policy named MFA policy on the AT application under Conditional Access. Under Controls, choose Require multi-factor authentication under Allow access.
  • Configure MFA access for the AT application in Nutex.
A
  • Ensure that Nutex has sufficient Premium Azure AD licenses that support MFA.
  • Create a policy named MFA policy on the AT application under Conditional Access. Under Controls, choose Require multi-factor authentication under Allow access.
  • Configure MFA access for the AT application in Nutex.

To configure MFA on an application, you must find the application in Azure in the tenant that contains it. In this scenario, Nutex owns the AT application. You would choose Conditional Access under the application and click Add to create a policy. Once the policy is created, you can create assignments to grant users and groups access to the application. You can select All guest users to allow access to external users, or find a specific user. You can choose to specify conditions on device platforms, client apps, or locations. If you choose locations, you can allow users from any location or only allow users from trusted IPs. The Controls section of the policy allows you to block or allow access. If you choose to allow access, you can require multi-factor authentication.

Even though Nutex and Verigon have MFA capabilities, MFA policies are enforced at the resource organization, which is Nutex because it owns the AT application. When Wendy from Verigon attempts to access the AT application in the Nutex tenant, she will be asked to complete an MFA challenge. Wendy can set up her MFA with Nutex and choose their MFA option.

As Nutex owns the application, they must have sufficient Premium Azure AD licenses that support MFA, not Verigon. Wendy, the user from Verigon, consumes one of these licenses from Nutex.

41
Q

The Nutex Corporation wants to migrate apps to Azure. Before the migration, they want you to bolster the security of apps and resources on their Azure network.

Which of the following statements are TRUE? (Select all that apply.)

  • Azure Firewall works at the Network and Application layers, whereas network security groups work only at the Network layer.
  • Both Azure Firewall and network security groups can filter traffic based on threat intelligence data.
  • Both Azure Firewall and network security groups filter traffic based on protocol.
  • Both Azure Firewall and network security groups support SNAT and DNAT.
  • Services tags are not supported with network security groups.
A
  • Azure Firewall works at the Network and Application layers, whereas network security groups work only at the Network layer.
  • Both Azure Firewall and network security groups filter traffic based on protocol.

Network security groups filter traffic at the Network layer. However, Azure Firewall does more than a network security group. Azure Firewall can filter and analyze L3-L4 traffic, as well as L7 application traffic.

Service tags are labels that represent a range of IP addresses for particular services, such as Azure Key Vault, Data Lake, and Container Registry, and are supported by network security groups. They are managed by Microsoft and cannot be customized.

SNAT is a feature of Azure Firewall. It is possible to configure Azure Firewall with a public IP address (PIP) that can be used to mask the IP addresses of Azure resources that send traffic out via the firewall. SNAT is not supported by network security groups.

DNAT is used to translate incoming traffic to the firewall’s public IP to the private IP addresses of the VNet. DNAT is not supported by network security groups.

Only the Azure Firewall can filter traffic based on threat intelligence data.

42
Q

What is the name of the legal agreement that sets the obligations of the Azure customer and Microsoft to process and secure customer and personal data?

  • ISO
  • GDPR
  • DPA
  • SLA
A

-DPA

A Data Protection Addendum (DPA) is a legal agreement between an Azure customer and Microsoft that sets the obligations of the Azure customer and Microsoft to process and secure customer and personal data. A DPA allows an organization to stay in compliance with the GDPR or other regulatory privacy laws.

You should not choose GDPR. General Data Protection Regulation (GDPR) is a regulation in the EU that was developed to create data privacy laws across Europe. It replaces Data Protection Directive 95/46/EC and differs in several significant ways, such as:

  • Larger jurisdiction
  • Larger fines
  • Consent must be requested in a clear and easily accessible manner
  • Breach notifications will be mandatory and must be completed within 72 hours of breach awareness
  • Privacy

You should not choose ISO. ISO is the abbreviation for the International Organization for Standardization.

You should not choose SLA. An SLA is a service level agreement that describes the level of service provided by a vendor. SLAs include details such as the following:

  • Service hours and performance, support structure, and penalties and credits.
  • Average response time to respond to a support ticket is a criterion for meeting an SLA.
  • Deny assignments prevent users from performing specific Azure resource actions even if a role assignment grants them access.

43
Q

A member of the legal department of your company wants to know what products and services are offered in your Azure licenses. Specifically, she wants to know specific information on a few products and services.

You redirect her to the Product Terms site. Will this action allow her to know specific information on the product and service license that you purchased from Microsoft? Yes or no.

A

Yes.

The Product Terms site lists the use terms, the time of availability, and privacy commitments of products or services offered by Microsoft, including Azure. The Product Terms site allows you to see the terms of the services and products. You can use the site to query the terms relevant to the Product(s) that you have purchased in a specific licensing program. You can also find detailed information on a product or service.

44
Q

As an Azure administrator, you are required to enable multi-factor authentication (MFA) only for applications of the IT department.

How should you implement this strategy?

  • Azure Identity Hub
  • Azure AD Connect
  • Azure Identity Protection
  • Azure Conditional Access policy
A

-Azure Conditional Access policy

You should use an Azure Conditional Access policy. With a Conditional Access policy you can choose multiple cloud apps for which you will enable multi-factor authentication.

You should not choose to use Azure Identity Protection because you cannot limit MFA to specific apps. Its aim is the detection and remediation of identity-based risks.

You should not choose to use Azure Identity Hub because it cannot achieve the requirements of the question. It allows your users to sign in to your iOS, Android, PHP, Windows, web, and SharePoint apps using Facebook, ADFS, Office 365, and many more.

You should not choose to use Azure AD Connect because it is used for synchronizing on-premises users to Azure AD.

45
Q

The worldwide growth of Verigon Corporation has more than doubled its Azure subscriptions and resource usage. The increased complexity has made it difficult to forecast departmental expenses. Verigon needs a more granular method to track individual Azure resource usage costs by department.

What do you suggest as the first cost management step to obtain this information?

  • Under Cost Management in the Azure Portal, create a monthly budget for each department.
  • Use the Azure portal to apply a tag to each resource.
  • Create a resource group for each department.
  • Create a management group for each department.
A

-Use the Azure portal to apply a tag to each resource.

Verigon needs to first tag each resource so it can be associated with the appropriate project and/or department. Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. Tags can be applied via the portal, the Azure command-line interface (CLI), or the PowerShell New-AzTag cmdlet. The Tag Contributor role, or higher, is needed for access.

Creating a budget under Cost Management would be a good way to monitor subscription usage and costs. However, resources must be tagged as the first step in correlating the data in cost reporting.

A resource group is a container that holds related resources for an Azure solution. It is not designed for cost tracking or management. However, a tag can be assigned to a resource group.

A management group is a container used for more efficient control of subscriptions. That is not the focus of this scenario.

Choosing Cost Management, Cost Analysis would be a good way to monitor subscription usage and costs. However, resources must be tagged as the first step in correlating the data in cost reporting.