Create, Configure, and Manage Identities

Question 1

Access to ________ workloads is controlled using two methods:

1. Provide a definitive identity for each user for every service.
2. Ensuring just enough access to do job.

Answer 1

Cloud-based Workloads

Question 2

What is Microsoft’s cloud-based identity and management service?

Answer 2

Azure Active Directory (Azure AD)

Question 3

After authentication, what does Azure use to determine what resources the user can access?

Answer 3

Access Token

Question 4

What Dashboard can be used to switch between Azure AD directories?

Answer 4

Directory + Subscription

Question 5

What user only exists in Azure AD?

Answer 5

Cloud identities

Question 6

What are two Sources of cloud identities in Azure AD?

Answer 6

1. Azure Active Directory

2. External Azure Active Directory

Question 7

What user exists in an on-premises Active Directory?

Answer 7

Directory-synchronized identities

Question 8

What is the Source of Directory-synchronized identities?

Answer 8

Windows Server AD

Question 9

What user exists outside of Azure AD?

Answer 9

Guest users

Question 10

What is the Source of a Guest user?

Answer 10

Invited user

Question 11

On what blade can you create a new user and a security group in Azure?

Answer 11

Azure Active Directory blade

Question 12

How long is a user in a suspended state after deletion?

Answer 12

30 days

Question 13

Which roles will allow you to restore or permanently delete users?

Answer 13

• Global Administrator
• Partner Tier 1 Support
• Partner Tier 2 Support
• User Administrator

Question 14

On what blade in Azure AD can you assign Licenses?

Answer 14

Marketing blade

Question 15

On what blade in Azure AD can you restore deleted Users?

Answer 15

Users

Question 16

What two types of user groups are defined in Azure AD?

Answer 16

• Security Groups

- Microsoft 365 Groups

Question 17

What type of group manages member and computer access to shared resources for a group of users?

Answer 17

Security Group

Question 18

What type of group provides collaboration by giving members access to a shared mailbox, calendar, Sharepoint site, and more?

Answer 18

Microsoft 365 Group

Question 19

What two Membership types are available for Azure AD groups?

Answer 19

• Assigned

- Dynamic

Question 20

Group membership generated by a formula each time the group is used including any recipient in Active Directory that matches its filter.

Answer 20

Dynamic Licensing

Question 21

Eliminating the need for Powershell to adjust licensing on a per-user basis, what feature of Azure AD ensures that licenses are dynamically assigned based on group membership?

Answer 21

Group-based licensing

Question 22

What licenses allow group-based licensing?

Answer 22

• Azure AD Premium 1

- E3, A3, GCC G3, E3 for GCCH, or E3 for DOD

Question 23

What Group type can you apply group-based licensing to?

Answer 23

Security

Question 24

Can an administrator disable individual service plans within a license after applying it?

Answer 24

Yes

Question 25

What portal is required to apply group-based licensing?

Answer 25

Azure AD

Question 26

How long do changes to group-based licensing changes take to go into affect?

Answer 26

A few minutes

Question 27

Describe the affects of a user being assigned multiple different and similar licenses as the result of different group memberships.

Answer 27

• Similar licenses will only consume one license

- The user’s licensing is a combination of all assigned licenses.

Question 28

Because some services are not available in all locations, what should be specified in the User Profile before assigning the license?

Answer 28

Usage location

Question 29

If usage location is not specified in the User Profile, what location is used?

Answer 29

Location of the directory

Question 30

What is a licensing error state?

Answer 30

Communication post-assignment through the Azure AD portal that there is an issue with the group-based license assignment.

Question 31

How should you resolve an Azure AD error of “not enough licenses”?

Answer 31

Purchase more licenses or free unused licenses

Question 32

What is the Powershell coding for “not enough licenses”?

Answer 32

CountViolation

Question 33

How should you resolve an Azure AD error of “Conflicting service plans”?

Answer 33

You should disable one of the two plans

Question 34

What is the Powershell coding for “Conflicting service plans”?

Answer 34

MutuallyExclusiveViolation

Question 35

How should you resolve an Azure AD error of “Other products depend on this license”?

Answer 35

Find another means of providing the service plan to the affected user.

Question 36

What is the Powershell coding for “Other products depend on this license”?

Answer 36

DependencyViolation

Question 37

How should you resolve an Azure AD error of “Usage location isn’t allowed”?

Answer 37

Change the Usage location in the User Profile

Question 38

What is the Powershell coding for “Usage location isn’t allowed”?

Answer 38

ProhibitedInUsageLocationViolation

Question 39

How should you resolve an Azure AD error of “Duplicate proxy addresses”?

Answer 39

Edit to unique proxy addresses and force license processing on the affected group.

Question 40

How should you resolve an Azure AD error of “Azure AD Mail and ProxyAddresses attribute change”?

Answer 40

Review license assignments that inadvertently update the proxy address for a specific user.

Question 41

How should you resolve an Azure AD error of “LicenseAssignmentAttributeConcurrencyException” in audit logs?

Answer 41

No action required. This informational error indicates that a user is getting the same license from two group memberships.

Question 42

How should you resolve an Azure AD error of “More than one product license assigned to a group”?

Answer 42

Use Azure AD to review the users who failed to be assigned a license and the products affected.

Question 43

What happens if a license with dependent licenses is removed from a group?

Answer 43

The affected users’ license will change from inherited to direct so as to maintain the dependent license.

Question 44

How should you resolve an Azure AD error of “License operation failed. Make sure that the group has necessary services before adding or removing a dependent service”?

Answer 44

EITHER
- Ensure that the group has the prerequisite license installed
OR
- Create a standalone group with the minimum required products for the add-on.

Question 45

How do you refresh a group to show changes to licensing?

Answer 45

Use the Reprocess button

Question 46

How do you refresh a user after making updates to licensing?

Answer 46

Use the Reprocess button

Question 47

When migrating user licenses, what is the one thing you should avoid?

Answer 47

A process that results in the removal of a license

Question 48

What is the recommended user license migration process?

Answer 48

1. Leave existing automation in place.
2. Create a new licensing group populated with users.
3. Assign the required licenses to those groups reflecting automation in step 1.
4. Verify license application for groups.
5. Verify no licenses application failures.

Question 49

During a license migration, when is it safe to remove direct licensing?

Answer 49

When direct and inherited licensing are equivalent.

Question 50

True or false: license changes to users or groups in Azure AD are simultaneous?

Answer 50

True

Question 51

List five assumptions you should verify about license assignments before performing a license migration.

Answer 51

1. Ensure users have inherited, not direct licensing.
2. You have enough licenses available.
3. Users don’t have a conflicting license.
4. Proper time is allowed for on-premise changes to sync to Azure AD.
5. Dynamic membership should be done by group, licenses are not adjusted.

Question 52

Typically, Azure AD defines users in three ways. Cloud identities and guest users are two of the ways. What is the third way Azure AD defines users?

Answer 52

As directory-synchronized identities.

Question 53

Azure AD group-based licensing makes large-scale management easier. Typically, how soon are license modifications effective after group membership changes are made?

Answer 53

Within minutes of a membership change.

Question 54

Azure AD allows for the definition of two different types of groups; one type is Security groups, which are used to manage member and computer access to shared resources. What is the other type of group?

Answer 54

Microsoft 365 groups, which provide access to shared mailboxes, calendars, SharePoint sites, and so on.