Azure Security Concepts Flashcards

1
Q

An application you are developing needs access to a resource such as Cosmos DB, Blob storage, or Service Bus.

The connection strings are stored in an Azure Key Vault as secret values.

To configure access to the Key Vault, what permissions will you need to assign to the app identity?

A

You will need the Read permission to read the secret by name.

The reference material often combines this with the List permission to enumerate secret names.

Use Managed Identity for Azure App Services to create an identity for the app so that your code can access the vault.

You should NOT let the app code store the access key and password for the whole Key Vault; that puts the credentials in the code, where they are visible.

Be aware that this solution allows access to all of the secrets in the key vault. If you just want to access the connection string, consider using the Azure Key Vault configuration provider.

https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-5.0

2
Q

True Or False

In Active Directory - An identity is always a User account on the system, with a username and password

A

False

An identity is just a thing that can be authenticated.

Obviously, this includes users with a user name and password, but it can also include apps or other servers, which might authenticate with secret keys or certificates.

3
Q

In Azure Active Directory, what is a principal?

A

A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using ‘sudo’ on a Bash prompt in Linux or on Windows using “run as Administrator.” In both those cases, you are still logged in as the same identity as before, but you’ve changed the role under which you are executing.

Groups are often also considered principals because they can have rights assigned.

4
Q

In Azure Active Directory, what is a service principal?

A

A service principal is an identity that is used by a service or app. And like other identities, it can be assigned roles.

5
Q

What are the benefits and features of managed identities for Azure services?

A

The creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. Managed identities for Azure services are much easier and will do most of the work for you.

A managed identity can be instantly created for any Azure service that supports it.

When you create a managed identity for a service, you are creating an account on your organization’s Azure AD (a specific organization’s Azure AD instance is known as an “Azure AD Tenant”).

The Azure infrastructure will automatically take care of authenticating the service and managing the account.

You can then use that account like any other Azure AD account, including allowing the authenticated service secure access of other Azure resources.

6
Q

What is meant by the following security concept:

Tenant

A

A tenant is the location where principals and identities are stored.

When you create a managed identity for a service, you are creating an account on your organization’s Azure AD (a specific organization’s Azure AD instance is known as an “Azure AD Tenant”)

7
Q

What is meant by the following security concept:

Role

A

Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted to access an Azure service instance.

Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy.

8
Q

What is meant by the following security concept:

Identities

A

Identities include users with a user name and password, but they can also include apps or other servers, which might authenticate with secret keys or certificates.

Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control.

Administrators are able to ensure the minimum necessary permissions are granted.

9
Q

Certificates are used in Azure for two primary purposes and are given a specific designation based on their intended use.

What are the two types of certificate?

A

Certificates are used in Azure for two primary purposes and are given a specific designation based on their intended use.

Service certificates are used for cloud services

Management certificates are used for authenticating with the management API

10
Q

True or False

Management certificates enable secure communication with clients over HTTPS through browsers and API clients.

A

False

Management certificates are used for authenticating with the management API

Service certificates are used for cloud services and enable secure communication to and from the service. For example, if you deploy a web site, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint.

They are assigned to a deployment in the service definition file.

11
Q

True or False

Service certificates can be stored in a KeyVault

A

True

You can create certificates in Key Vault, or import existing certificates
You can securely store and manage certificates without interaction with private key material.
You can create a policy that directs Key Vault to manage the life cycle of a certificate.
You can provide contact information for notification about life-cycle events of expiration and renewal of certificate.
You can automatically renew certificates with selected issuers - Key Vault partner x509 certificate providers / certificate authorities.

12
Q

You want to store certificates in Azure to centrally manage them for your services. Which Azure service should you use?

A: AIP
B: Azure AD
C: Azure Key Vault
D: Azure ATP

A

Azure Key Vault is the correct answer, because it is a centralized cloud service for storing application secrets, referred to as a secret store.

AIP is a cloud-based solution that helps an organization classify, and optionally, protect its documents and emails by applying labels.

Azure AD is Microsoft’s cloud-based identity and access management service that helps employees of an organization sign-in and access resources.

Azure ATP is a cloud-based security solution that identifies, detects, and helps organizations investigate advanced threats, compromised identities, and malicious insider actions directed at that organization.

13
Q

Which of these options helps you most easily disable an account when an employee leaves your company?

A: Enforce multi-factor authentication (MFA)
B: Monitor sign-on attempts
C: Use single sign-on (SSO)

A

Use single sign-on (SSO)
SSO centralizes user identity, so you can disable an inactive account in a single step.

Enforce multi-factor authentication (MFA) is incorrect
While MFA provides additional security by requiring two or more elements for full authentication, it doesn’t help you disable inactive accounts.

Monitor sign-on attempts is incorrect
While monitoring can help you discover when someone attempts unauthorized access to one of your services, monitoring alone won’t help you disable inactive accounts.

14
Q

Cloud security is a shared responsibility between you and your cloud provider. Which category of cloud services requires the greatest security effort on your part?

A: Infrastructure as a service (IaaS)
B: Platform as a service (PaaS)
C: Software as a service (SaaS)

A

Infrastructure as a service (IaaS)

At this level, the cloud provider provides physical security to compute resources. However, it’s your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure.

Platform as a service (PaaS) is incorrect
At this level, the cloud provider handles many security concerns, more than with other categories. The cloud provider handles physical security and keeping operating systems patched and up to date.

Software as a service (SaaS) is incorrect
At this level, the cloud provider handles most security concerns for you. Your main responsibility is to provide your organization’s users with proper access to the software.

15
Q

Which of these approaches is the strongest way to protect sensitive customer data?

A: Encrypt data as it sits in your database
B: Encrypt data as it travels over the network
C: Encrypt data both as it sits in your database and as it travels over the network

A

Encrypt data both as it sits in your database and as it travels over the network

Encrypting your data at all times, both as it sits in your database and as it travels over the network, minimizes the opportunity for an attacker to access your data in plain text.

While encrypting your data as it travels over the network (encryption in transit) is important, your data may be vulnerable as it sits in your database.

While encrypting your data as it sits in your database (encryption at rest) is important, your data may be read by others as it travels over the network between systems.

16
Q

Which sentence correctly describes OpenID Connect?

A: OpenID Connect is an authentication standard.
B: OpenID Connect is an authorization standard.
C: OpenID Connect is an identity provider.

A

A: OpenID Connect is an authentication standard. An example of an authorization standard is OAuth 2.0.

An example of an identity provider is Azure AD.

17
Q

You want users of your application to authenticate by using their accounts, which are stored in Microsoft 365. What must you do in Azure AD?

A: Register every Microsoft 365 user account in Azure AD.
B: Register the application in Azure AD.
C: Add the users to a single security group and register the group in Azure AD.

A

B: Register the application in Azure AD.

If you want to use Azure AD as an authentication provider for an application, you must register that application in Azure AD.

A is incorrect. Only the application needs a record in Azure AD, not all the user accounts.

C is incorrect. Only the application needs a record in Azure AD, not any security groups.

18
Q

In which of the following scenarios would OpenID Connect be the best option?

A: Securing your sign-in page
B: Connecting to a database
C: When you aren’t concerned about security or reliability

A

A: Securing your sign-in page

OAuth 2.0 and OpenID Connect let app and site developers authenticate users without taking on the responsibility of storing and managing passwords.

B is incorrect OpenID Connect can’t be used as an authentication mechanism against most database servers.

C is incorrect. Quite the opposite, because OpenID Connect is best for reliability, security, and ease of use.

19
Q

Suppose you have decided to use OpenID Connect with your transportation company’s app to allow users to authenticate by using the same credentials they use to access Microsoft 365. These credentials are stored in Azure Active Directory (Azure AD).

What steps should you take, in order?

A
  1. Create an Azure AD tenant in the portal
    Azure AD tenants can be created only in the Azure portal.
  2. Register a web app
    Within the Azure AD tenant, you’ll need a registration for the application. The registration is a record of security details for the application in Azure AD.
    Use the Web app/API application type for HTTP browser-based apps.
    Use the Native type for applications that are installed on a user’s device or computer.
  3. Configure the app for authentication
    Microsoft provides middleware to facilitate this communication.

For .NET Core, add the following values to the appsettings.json file:

ida:Tenant. This configuration value is the identity of the Azure AD directory that contains the application registration.
ida:ClientId. This configuration value is the GUID that uniquely identifies the client registration.

20
Q

Which Azure AD plans provide multi-factor authentication functionality?

A

Multi-Factor Authentication comes as part of the following offerings:

Azure Active Directory Premium or Microsoft 365 Business
Both of these offerings support Azure AD Multi-Factor Authentication using Conditional Access policies to require multi-factor authentication.

Azure AD Free or standalone Microsoft 365 licenses
Use pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators.

Azure Active Directory Global Administrators
A subset of Azure AD Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.

21
Q

Which of the following authentication methods is not available for MFA?

A: Text message
B: Microsoft Authenticator app
C: Security questions

A

C: Security questions

Security questions can only be used with Self-Service Password Reset.

22
Q

Which of the following authentication methods cannot be disabled?

A: Text message
B: Password
C: Microsoft Authenticator app

A

B: Password

Passwords are always usable as an authentication method and cannot be disabled.

23
Q

True or False. You must activate multi-factor authentication for all users in the directory you enable it in.

A

False

MFA can be enabled for a subset of your users; this is actually a recommendation - start small to ensure you don’t lock someone out of your systems.

24
Q

True or false: A role definition in Azure is a collection of permissions?

A

True

A role definition in Azure is a collection of permissions with a name that you can assign to a user, group, or application

25
Q

Suppose you want to assign a role to allow a user to create and manage Azure resources but not be able to grant access to others. Which of the following built-in roles would support this?

A: Owner
B: Contributor
C: Reader
D: User Access Administrator

A

B: Contributor
A contributor can create and manage all types of Azure resources, but they can’t grant access to other users.

An owner can create and manage all types of Azure resources; however, they can grant access to other users.
A reader can only view existing Azure Resources.
A user access administrator can only manage access of Azure resources.

26
Q

What is the inheritance order for scope in Azure?

A: Management group, Resource group, Subscription, Resource
B: Management group, Subscription, Resource group, Resource
C: Subscription, Management group, Resource group, Resource
D: Subscription, Resource group, Management group, Resource

A

B: Management group, Subscription, Resource group, Resource.

For example, if you assigned a Contributor role to a group at the Subscription scope level, it will be inherited by all Resource groups and Resources.

27
Q

You are implementing a single-page application (SPA) that authenticates users with Microsoft Identity Platform.

Which Grant Flow and Account type should you use?

Grant flow options:
Implicit,
Authorization code

Account Type options:
multi tenant
multi tenant and personal
single tenant

A

Implicit grant flow
Single-page apps run directly in the browser and have different security requirements compared to traditional web applications.
You can implement the OAuth2 implicit grant flow with Microsoft Identity Platform.
This allows the app user to get tokens without performing a backend server credential exchange, so they can sign in directly from the SPA.

Multi tenant and personal account type
This account type allows users to log in with accounts in any Azure AD tenant and with personal Microsoft accounts.

You should not use the Authorization Code grant flow. This is used by server-based web applications, and requires the application to provide a client secret or certificate to obtain access tokens.
SPAs cannot securely store client secrets.

https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-and-multi-tenant-apps

28
Q

Which account type option allows users to sign in with their personal Microsoft account?

A: multi tenant
B: multi tenant and personal
C: single tenant

A

B: multi tenant and personal

Neither multi tenant nor single tenant allows users to log in with their personal Microsoft accounts.

29
Q

Which grant flow should you choose for single-page apps?

A: Implicit
B: Authorization code

A

A: Implicit

You can implement the OAuth2 implicit grant flow with Microsoft Identity Platform.

This allows the app user to get tokens without performing a backend server credential exchange, so they can sign in directly from the SPA

30
Q

Which Grant flow should you choose for Web applications with a backend server?

A: Implicit
B: Authorization code

A

B: Use the Authorization Code grant flow

This is used by server based web applications, and requires the application to provide a client secret or certificate to retrieve access tokens

Browser based apps and Mobile apps cannot securely store the client secrets

31
Q

Your organization provides subscription-based web service access to your clients. This web service provides access to research material to your clients for a price.

In order to ensure access control, your services should meet the following requirements:

Use Azure API Management for all external access to these services.
Configure claims-based backend authorization.
Users have to be authenticated to use the service.
You need to recommend which policy to implement to ensure that Azure API Management complies with these requirements.

Which policy should you recommend?

A: Check HTTP header (check-header).
B: Authenticate with managed identity (authentication-managed-identity).
C: Restrict caller IPs (ip-filter).
D: Validate JWT (validate-jwt).

A

You should recommend the Validate JWT (validate-jwt) policy.

You can use the Validate JWT policy to pre-authorize requests in API Management by validating the access tokens for each incoming request. The tokens carry claims that provide authorization to the incoming API requests.

You should not recommend the Authenticate with managed identity (authentication-managed-identity) policy. You would use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. This policy cannot be used for user access control.

You should not recommend the Check HTTP header (check-header) policy. You would use the check-header policy to enforce that a request has a specified HTTP header. You can optionally check to see if the header has a specific value or check for a range of allowed values. You cannot extract any claims information about the user from an HTTP header.

You should not recommend the Restrict caller IPs (ip-filter) policy. The ip-filter policy filters (allows/denies) calls from specific IP addresses and/or address ranges. This type of policy will not authorize users by the claims they are carrying in their authentication token.

32
Q

True or False

Azure AD supports Anonymous authentication

A

True

Azure AD supports anonymous access in some scenarios, but not as an API automation mechanism policy

The <anonymousAuthentication> element controls how Internet Information Services (IIS) 7 processes requests from anonymous users. You can modify the <anonymousAuthentication> element to disable Anonymous authentication, or you can configure IIS to use a custom user account to process anonymous requests.

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication

33
Q

True or False

Azure App Configuration is designed as a more secure replacement for Azure Key Vault.

A

False

Azure App Configuration is not designed as a more secure replacement for Azure Key Vault. Azure App Configuration is designed to work with Azure Key Vault to provide a secure environment. Data is encrypted in Azure App Configuration, but Azure Key Vault uses a more secure storage environment through hardware-level encryption, granular access policies, and management operations.

34
Q

True or False

You can import configuration information directly from separate configuration files into Azure App Configuration.

A

True

You can import configuration information directly from separate configuration files into Azure App Configuration. You can also export configuration information out from Azure App Configuration to separate configuration files.

35
Q

True or False

You can configure separate configuration stores to support different environments including development, test, and production.

A

True

You can configure separate configuration stores to support different environments including development, test, and production. This gives you a way to manage applications throughout their lifecycle.

36
Q

Given an App Configuration store containing the following key-values, each a reference to a Key Vault secret:

App1:Database:Password  {"uri":"https://vault1.vault.azure.net/secrets/DbPassword"}  (no label)

App1:Database:Password  {"uri":"https://vault1.vault.azure.net/secrets/DbPasswordProd"}  (label: Production)

What value would be provided if the application was configured with the following application configuration?

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
            {
                var settings = config.Build();
                config.AddAzureAppConfiguration(options =>
                    options
                        .Connect(Environment.GetEnvironmentVariable("AppConfigConnectionString"))
                        .ConfigureKeyVault(kv => {
                            kv.SetCredential(new DefaultAzureCredential());
                        })
                        .Select(KeyFilter.Any, "Production")
                        .Select(KeyFilter.Any, LabelFilter.Null)
                );
            })
            .UseStartup<Startup>());

A: {"uri":"https://vault1.vault.azure.net/secrets/DbPasswordProd"}

B: The secret value of the DbPassword secret

C: myserver.database.windows.net

D: The secret value of the DbPasswordProd secret

A

D: You should expect the secret value of DbPassword secret as the method return.

The App1:Database:Password configuration key has two values in AppConfig1 that reference Vault1 secrets.

The value that is returned depends on how App1 filters the labels from AppConfig1.

By default, config.AddAzureAppConfiguration selects all configurations without any label. However, App1 first selects all configurations with the label Production in .Select(KeyFilter.Any, "Production"), and then selects configurations without any label with .Select(KeyFilter.Any, LabelFilter.Null).

Because of this order, configuration keys without any labels overwrite the configurations with the label Production.

You should not expect the secret value of DbPasswordProd secret as the method return. App1 is configured to overwrite configurations with the label Production with configurations without any label.

To return the secret value of DbPasswordProd secret, you should change the Program.cs to select the configurations without labels before the configurations with the Production label as shown below:

config.AddAzureAppConfiguration(options =>
    options
        .Connect(Environment.GetEnvironmentVariable("AppConfigConnectionString"))
        .ConfigureKeyVault(kv => {
            kv.SetCredential(new DefaultAzureCredential());
        })
        .Select(KeyFilter.Any, LabelFilter.Null)
        .Select(KeyFilter.Any, "Production")
);

You should not expect {"uri":"https://vault1.vault.azure.net/secrets/DbPasswordProd"} as the method return.

The App1:Database:Password configuration key references Vault1 secrets. The URI shown in the exhibit is the secret that will be referenced when App1 loads this configuration.

You should not expect myserver.database.windows.net as the method return.
This is the return if you change the code to load the App1:Database:Host configuration key.

37
Q

You are creating an App Service app that must authenticate users with Azure Active Directory (Azure AD). The URL of the app is https://mup.azurewebsites.net. You enable App Service Authentication in the Azure Portal.

You need to modify Azure AD to allow users to login when they use your app.

What should you do?

A: Create an application proxy.
B: Create an enterprise application.
C: Configure Azure AD Connect.
D: Create an app registration.

A

You should create an app registration. This is similar to creating an app registration with other identity providers such as Google, Facebook, or Microsoft. The app registration allows you to define the app that is allowed to authenticate against Azure AD.

You should not create an application proxy. An application proxy allows users to access an on-premises application securely through Azure AD.

You should not configure Azure AD Connect. AD Connect allows you to synchronize an AD tenant with an on-premises AD domain.

You should not create an enterprise application. Enterprise applications allow you to integrate other applications with Azure AD, including your own apps.

38
Q

Which technology allows you to control which apps are allowed to authenticate against your AD account?

A

You should create an app registration. This is similar to creating an app registration with other identity providers such as Google, Facebook, or Microsoft. The app registration allows you to define the app that is allowed to authenticate against Azure AD.

39
Q

Which technology allows you to access an on-premises application securely through Azure AD?

A

You should create an application proxy. An application proxy allows users to access an on-premises application securely through Azure AD.

40
Q

Which technology allows users from your organisation’s on-premises Active Directory database to use applications secured by Azure Active Directory?

A

You should configure Azure AD Connect. AD Connect allows you to synchronize an AD tenant with an on-premises AD domain.

41
Q

How could you integrate non-Azure legacy applications with Azure AD?

A

You should create an enterprise application. Enterprise applications allow you to integrate other applications with Azure AD, including your own apps.

42
Q

What is hybrid identity with Azure Active Directory?

A

A solution that creates a common user identity for authentication and authorization to all resources, spanning on-premises and cloud-based capabilities.

In other words, a single user identity for authentication and authorization to all resources, regardless of location.

When you ‘Hybrid join’ a device, it is visible in both your on-premises AD and in Azure AD, and you can manage it in both. This way, you are able to use tools such as Single Sign-On and Conditional Access while still being able to apply GPOs and other on-premises utilities.

43
Q

An Azure virtual machine (VM) is created with a system-assigned managed identity. Your company wants to start testing with user-assigned managed identities. The company has not used user-assigned managed identities prior to this.

You need to add a user-assigned managed identity to the VM. The system-assigned managed identity should remain valid.

Which PowerShell cmdlet should you run first?

A: New-AzUserAssignedIdentity
B: Update-AzVM
C: New-AzureADMSInvitation
D: New-AzureADUser

A

A: New-AzUserAssignedIdentity
You should use the New-AzUserAssignedIdentity cmdlet. This is used to create a user-assigned managed identity. For example, you could use a statement similar to the following:

New-AzUserAssignedIdentity -ResourceGroupName myRG -Name miID

This would create a user-assigned managed identity miID.

You should not use Update-AzVM. This is used to associate the identity with the VM after creating the identity.

You should not use the New-AzureADUser cmdlet. This is used to create an Azure AD user account, not a user-assigned managed identity.

You should not use the New-AzureADMSInvitation cmdlet. This is used when you want to invite a new external user to your Azure AD.