(AZ-900 topic) Describe identity, governance, privacy, and compliance features Flashcards
This AZ-900 topic assesses your ability to: show an understanding of what Azure identity services are, show an understanding of Azure governance features, and be able to talk about privacy and compliance resources. Questions for this domain comprise 22% of the total questions for the AZ-900.
Which Azure tool allows you to view which user turned off a specific virtual machine during the last 14 days?
- Azure Activity Log
- Azure Monitor
- Azure Service Health
- Azure Event Hubs
Azure Activity Log
The correct answer is the Azure Activity Log - it is a logging service that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. Events such as starting and stopping of virtual machines can be found here.
What do you use to make sure that users of your application are who they say they are?
Authentication
Authentication is confirming users are who they say they are.
Your company plans to move several servers to Azure. The company’s compliance policy states a server named HRServer1 must be in a separate physical location from all other servers. Which Azure services can be used to meet the compliance policy requirements?
One Azure region for HRServer1 and another Azure region for all other servers.
The correct answer is to have one Azure region for server HRServer1 and another Azure region for all other servers. An Azure region is a set of data centers deployed in a specific geographic location. By placing HRServer1 in a different Azure region to other servers, you have ensured it resides in a separate physical location from all your other servers. The other answers are incorrect as they will not ensure HRServer1 is in a separate physical location. A resource group is simply a logical construct that groups multiple resources together so they can be managed as a single entity. Resources from different resource groups can reside in the same location. Having HRServer1 reside in a separate subnet or virtual network does not ensure it is in a separate physical location - again these are logical constructs that span the same region/physical location.
Your security team is hesitant to permit access to the Azure Public Cloud - to help reassure them of the compliance certifications awarded to Azure what service can you direct them to?
Service Trust Portal
The Service Trust Portal is the central location for all published audit reports of the Azure platform as well as risk assessments and security best practices.
What are region pairs?
A region that is linked with another region in the same geography
Azure has the concept of region pairs: these are two or more regions that are at least 300 miles apart within a single Geography. This enables the ability to replicate certain resources, such as virtual machine storage, across the geography, providing protection against events such as natural disasters or civil unrest.
Which of the following regulates data privacy in the European Union (EU)?
- ISO
- GDPR
- ITIL
- NIST
GDPR
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
How is authorization different from authentication?
Authentication is the process of proving that you are who you say you are. Authorization is the act of granting an authenticated party permission to do something.
Authentication is the process of proving that you are who you say you are. It’s sometimes shortened to AuthN. The Microsoft identity platform uses the OpenID Connect protocol for handling authentication. Authorization is the act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data. Authorization is sometimes shortened to AuthZ. The Microsoft identity platform uses the OAuth 2.0 protocol for handling authorization.
Which of the following is the organization that defines standards used by the United States government?
- ISO
- GDPR
- ITIL
- NIST
NIST
The National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidance to help organizations assess risk. It defines the standards that are used by the United States government as well as the US Department of Defense (DoD).
How many tenants can a user in Azure Active Directory belong to?
500
A single user can belong to a maximum of 500 Azure AD tenants as a member or a guest.
Which of the following are benefits of Azure geographies?
(choose 3)
- Any Azure geography can be used by anyone
- Azure has geographies throughout the world
- Data residency is honored within the geographical boundary
- They are fault tolerant and can often withstand complete region failure
- Azure has geographies throughout the world
- Data residency is honored within the geographical boundary
- They are fault tolerant and can often withstand complete region failure
(Azure geography can be used by anyone) - There are certain restrictions - for example, there are restrictions around who can use the Azure Government or China regions.
(Azure has geographies throughout the world) - Azure has geographies in the Americas, Europe, Asia Pacific, the Middle East and Africa.
(Data residency honored within geographical boundary) - Azure has geographies around the world providing data residency within each region to give customers peace of mind over their data sovereignty.
(Fault tolerant and can withstand complete region failure) - Azure Geographies are groups of one or more Azure Regions. Every region already has fault tolerance (more than one data center), but most Geographies have more than one Region as well, giving you multiple levels of redundancy.
Which Azure solution would you implement to embed a watermark into Office documents that contain social security numbers?
- Azure Active Directory (Azure AD) Identity Protection
- Azure Active Directory (Azure AD) conditional access
- Azure Active Directory (Azure AD) Privileged Identity Management
- Azure Information Protection
- Azure Information Protection
Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization classify and, optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.
Which types of customers are eligible to use Azure Government to develop a cloud solution?
- United States government entity
- United States government contractor
- European government contractor
- Alabama Coushatta Tribe of Texas
- European government entity
- United States government entity
- United States government contractor
- Alabama Coushatta Tribe of Texas
Azure Government is a cloud platform available to US federal, state, local, and tribal government entities and their solution providers. European government entities or their contractors are not eligible to use Azure Government.
Which of the following is true in relation to Azure Management Groups?
- Management Groups allow you to create custom dashboards to view and analyse your cloud usage.
- Management Groups allow you to implement policy-based management for all Azure services.
- Management Groups allow you to easily create fully compliant environments and manage them.
- Management Groups allow you to apply policies with flexible hierarchies to multiple subscriptions.
- Management Groups allow you to apply policies with flexible hierarchies to multiple subscriptions.
Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called management groups and apply your governance conditions to the management groups. For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation.
What does Azure Information Protection do?
- Allows you to centrally create and log application and network connectivity policies.
- Safeguards and allows control over keys and secrets.
- Provides the ability to securely share sensitive data with others.
- Provides a managed service for hardware security modules in the cloud.
- Provides the ability to securely share sensitive data with others.
Azure Information Protection helps control and secure information (including emails and documents) that is shared outside of your organization.
The Nutex Corporation wants to ensure that apps and services deployed on Azure are compliant with global and industry-specific compliance standards. Which of the following Azure products can be used to monitor and ensure that apps and services are compliant with the industry-specific compliance standards? (select all that apply)
- Azure Security Center
- Azure Express Route
- Microsoft Trust Center
- Azure Monitor
- Microsoft Compliance Manager
- Azure Service Bus
- Azure Security Center
- Microsoft Trust Center
- Azure Monitor
- Microsoft Compliance Manager
Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry from the cloud and on-premises environments.
Microsoft Trust Center is where the security and privacy settings for Microsoft Office programs are configured.
Azure Security Center is a security management system that strengthens the security of data centers and implements advanced threat protection for hybrid workloads in the cloud.
Microsoft Compliance Manager is a workflow-based risk assessment tool that tracks, assigns, and verifies regulatory compliance activities related to Microsoft cloud services. Compliance Manager helps manage regulatory compliance within the shared responsibility model for Microsoft cloud services. Compliance Manager offers a centralized dashboard for viewing standards, regulations, and control implementation details, as well as test results for Microsoft service assessments. It also includes tools to manage custom control implementations and compliance tracking by organizations.
Azure ExpressRoute extends your on-premises networks into the Microsoft cloud over a private connection. You can establish connections to Microsoft cloud services with ExpressRoute. ExpressRoute does not allow monitoring of compliance standards.
Azure Service Bus is an enterprise integration message broker. Service Bus can decouple applications and services. Service Bus has a secure platform that uses asynchronous data and state transfer. Azure Service Bus does not allow monitoring of compliance standards.
Dreamsuite Corporation’s rapid growth has exponentially increased the need for their development teams to create new environments.
Dreamsuite needs to ensure that these environments comply with Dreamsuite’s standards and requirements. What Azure service will allow for such a repeatable set of Azure resources?
- Azure Cosmos DB
- Azure Resource Manager templates
- Azure DevTest Labs
- Azure Blueprints
- Azure Batch
- Azure Blueprints
Azure Blueprints will meet Dreamsuite’s needs. Blueprints allow templates, access controls, and policies to be deployed as a single compliance package. The components are referred to as artifacts and can include items such as Azure Resource Manager (ARM) templates, resource groups, policy assignments, and more. Blueprints are designed for environment setup.
Azure Resource Manager templates can be a part (artifact) of an Azure Blueprint deployment, but as a standalone, they do not meet the scenario requirements. ARM templates don’t exist natively in Azure.
The Azure Cosmos DB is the backend database behind Azure Blueprints, but not the actual service required by the scenario.
Azure Batch is used to create and manage large pools of virtual machines. It does not meet the requirements of this scenario.
Azure DevTest labs allow for the quick provisioning of test environments, but this is only a subset of the standardization required in the scenario.
Unlike Azure Resource Manager templates, Azure Blueprints retain the connection between the blueprint and what was deployed from it. This allows for tracking and auditing.
The Authorization process works on permissions.
True or false?
True
RBAC does not work closely with the Authorization process. True or false?
False
It does! Authorization lists the permissions the users have on a system, which is part of RBAC.