dec-2(m)

Question 1

Entra Application Proxy. When to use? what is the service running on the cloud side and on premise?

Answer 1

To enable users to access on-premises web applications (RDP, sharepoint, teams, etc) from remote client. Proxy service on the cloud side and Proxy connector on premises. You can enable single-sign-on (SSO), but
proxy does not authenticate user Azure file share access.

Question 2

Which SAS can be used and signed with Entra ID credential? What service(s) it can secure?

Answer 2

User delegtion SAS, Blob

Question 3

2 DDos Protection SKUS(s)?

Answer 3

Network Protection, IP-Protection

Question 4

which service can be interagrated with both DDos Protection SKUS?

Answer 4

Azure Firewall Manager

Question 5

Which DDos SKU provides Cost-protection and rapid-response team support?

Answer 5

Network Protection

Question 6

Is a Monitoring role is enough to set up container insight and monitor your AKS cluster?

Answer 6

No. A monitoring role allows to read monitoring data and edit monitoring settings within Azure monitor, but does not enable insight. Need Log Analytics contributor role.

Question 7

what 3 things you are settings for group membership access review?

Answer 7

review setting (group or M360 group with guest) -> select group
scope (guest user only or all users). - > select all users so that all users of group be reviewed.
reviewer setting -> select group owner

Question 8

to allow group owners to create their own group access review, what to do? To configure this, what role is needed to configure?

Answer 8

You need to be at least Identity Governance administrator. Global adim works.
Go to Identity Governance-> setting. On the Delegate who can create and manage access reviews page, set Group owners can create and manage access reviews for groups they own to Yes.

Question 9

What KV access policy permissions is needed for Always encryption?

Answer 9

get, list, unwrap key, wrap key, create, sign, verify

Question 10

What encryption keys are involved in Always encryption?

Answer 10

column encryption key, column master key

Question 11

In Always encryption, which encryption types are used for SSN column? How about for Salary column?

Answer 11

Deterministric (Equation-based Search with SSN column).
Radonmized (no computation with Salary column).

Question 12

Which Sentinel connector is for sign-in log?

Answer 12

Azure AD connector including user sign-in, audit and provisioning (user,group).

Question 13

Which Sentinel connector is for risk sign in attempt?

Answer 13

Azure AD identity protection

Question 14

deletion of resource lock on VM appears in which log?

Answer 14

Activity

Question 15

Owner assignment to a resource group can be searched in which log?

Answer 15

Activity

Question 16

Which client devices are supporting P2S VPN with Azure AD authentication?

Answer 16

Windows 10, Mac OS.

Question 17

Scenario: access to dev.azure.com (Azure pipeline), access to dns resolver (1.1.1.1).

what resources and rules we need?

Answer 17

Azure Firewall policy and 2 rules (application rule, and network rule) defined under it

Question 18

Allow access to SQL. Which firewall rule?

Answer 18

Application rule based on dns name like server1.database.windows.net

Question 19

Remote desktop connection using Azure Firewall. What do you need?

Answer 19

DNAT (Destination Network address Translation)

Question 20

URL filtering. Which Firewall SKU?

Answer 20

Premium

Question 21

Two restrictions to think about in Azure Disk Encryption. (i.e. VM series, and OS)

Answer 21

Basic and A series VM is not supported.
Windows only. And, Server core OS needs bdehdcfg

Question 22

To enable dynamic membership, what license needed?

Answer 22

P1

Question 23

Can JIT access to VM protected by Firewall in the same VNET?

Answer 23

Yes

Question 24

Can JIT access to VM protected by Firewall controlled by Firewall Manager?

Answer 24

No

Question 25

In Scenario with MDC and MMA (Microsoft Monitoring Agent), what resource and key are needed for onboarding?

Answer 25

Log Analytics workspace, and its workspace key

Question 26

what to use to protect backend servers in authentication

Answer 26

Managed identity

Question 27

To remediate the non-compliance policy, what to do?

Answer 27

Modify the policy assignment and create a remediation task.

Question 28

To allow access from specific FD to Function App or Web app, what needs to be done?

Answer 28

Add access restriction rule with the service tag ‘AzureFrontDoor.Backend’ and Further filter the specific instance with X-Azure-FDID header.

Question 29

What is the cloud-based workflow automation for MDC?

Answer 29

Logic app

Question 30

Can you attach NSG to ACR?

Answer 30

No. NSG can be attached to NIC or subnet

Question 31

Is Conditional Access related to Access Review?

Answer 31

No