deck_16773708 Flashcards

1
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
You need to enroll “Admin02” into PIM so that the administrator is eligible to manage resources in the “Fab-Prod” subscription for a maximum 8-hour time period. Admin02 requires full access to all resources within the subscription; however, he should not be able to add additional role assignments to the subscription. Which role should you assign to Admin02?

A. Owner role
B. Reader role
C. Contribution role
D. Security administrator role

A

C. Contribution role

Explanation:
The Contributor role is correct as it lets you manage all resources in the “Fab-Prod” subscription except granting access to resources. The Owner role is incorrect as it allows full control of the subscription. The Reader role is incorrect as it only allows you to view resources, not make changes. The Security Admin role is incorrect as it is used to manage Azure Security Center specifically, not all resources within the subscription. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

2
Q

Which of the following elements are not associated with an Azure Region?

A. Azure Virtual Machine
B. Azure Resource Group
C. Azure Managed Disk
D. Storage Account
E. None of the answers are correct
F. All of the answers are correct

A

E. None of the answers are correct

Explanation:
All the listed Azure resources are associated with an Azure region. The region chosen for deployment of resources that holds data affects data sovereignty and residency.

3
Q

What Azure feature ensures that data residency, sovereignty, compliance and resiliency requirements are honored?

A. Azure Geography
B. Azure Region
C. Azure Resource Group
D. Azure Tenant
E. Azure Trust Center

A

A. Azure Geography

Explanation:
Azure Geography ensures that data residency, sovereignty, compliance and resiliency requirements are honored within geographical boundaries.

4
Q

You create an Azure Information Protection classification policy that defines a number of classification levels. You configure labels for general, sensitive and confidential. You configure the visual marker for the confidential label as watermark. A few weeks later you change the policy by creating sub labels for the confidential class as Confidential \ All Employees and Confidential \ Recipients Only. You configure the visual marker for each of these as footer. When the Confidential \ All Employees classification is applied to the document, which of the following visual marking(s) is/are applied?

A. None
B. Footer and Watermark
C. Watermark
D. Footer

A

D. Footer

Explanation:
When you use sub-labels, don’t configure visual markings, protection, and conditions at the primary label; configure these settings on the sub-label only. If you configure these settings on both the primary label and its sub-label, the settings at the sub-label take precedence. https://docs.microsoft.com/en-us/azure/information-protection/faqs-infoprotect#can-a-file-have-more-than-one-classification

5
Q

When Azure Information Protection classifies a document, how can the classification label be applied to the document? Choose 3.

A. Header and/or footer
B. Watermark
C. Encrypted metadata
D. Clear text metadata
E. Document fingerprint

A

A. Header and/or footer
B. Watermark
D. Clear text metadata

Explanation:
AIP can use a header, footer, watermark and clear-text metadata to label a document as carrying a certain classification. The data can further be protected by encryption, and the allowable actions (copy, print, etc.) can be restricted. The metadata label added to the document header information must be clear text so that DLP solutions can identify documents belonging to a certain classification, even if the document content (along with any visible labels) is encrypted and invisible to non-integrated DLP scanners. Document fingerprinting is used in O365 DLP, but is not part of AIP labeling. Digital text steganography is an advanced technique for invisibly watermarking documents, but it is not used by AIP.

6
Q

Which of the following should be chosen as the trigger when creating an Azure Security Center Playbook?

A. Triggers when a Windows Defender ATP alert occurs
B. When an event is created
C. When a data driven alert is triggered
D. When a response to an Azure Security alert is triggered
E. When an incident is created

A

D. When a response to an Azure Security alert is triggered

Explanation:
All of the options are valid triggers for Azure Logic Apps, the underlying technology used for ASC playbooks. When creating a playbook to be used with ASC, one must select “When a response to an Azure Security Center alert is triggered” as the trigger; otherwise the playbook will not appear on the alert when View playbooks is selected.

7
Q

What Azure resource is created when an Azure Security Center playbook is created?

A. Azure Logic App
B. Azure Function
C. Microsoft Flow
D. Azure Log Analytics Workspace
E. Azure Playbook
F. Azure Runbook

A

A. Azure Logic App

Explanation:
The underlying technology used when ASC playbooks are created is an Azure Logic App. It does not require a Log Analytics workspace. MS Flow uses the same underlying technology but you cannot create ASC alert triggers in Flow.

8
Q

You are the security administrator for your Azure subscription and are reviewing the security alerts as listed in Azure Security Center. You select one of the high severity alerts and select the resource identified by the alert as being attacked. What response options are available to you?

A. Click remediate from the alert details pane
B. Click isolate from the alert details pane
C. Select one or more of the recommended remediations steps and click Remediate
D. Manually execute the remediation steps recommended
E. Click investigate on the alert details pane
F. Click run playbooks on the alert details pane

A

D. Manually execute the remediation steps recommended
E. Click investigate on the alert details pane
F. Click run playbooks on the alert details pane

Explanation:
Generally speaking, you would manually act on the remediation steps listed on the alert details pane. The Investigate button launches the investigation interface of ASC. You can also run predefined playbooks to automatically execute action steps for common alerts.

9
Q

Which of the following is true for an Azure Security Center incident?

A. A single alert detected by more than one ASC detection mechanism
B. An aggregation of alerts that align with kill chain patterns
C. A single alert with a high probability of being a true positive
D. Any high severity alert (not low severity or medium severity alerts)
E. An alert detected by Azure Advanced Threat Protection

A

B. An aggregation of alerts that align with kill chain patterns

Explanation:
An aggregation of alerts that align with kill chain patterns is listed in ASC as a security incident. Incidents are listed alongside the other ASC alerts. They are almost always listed with high severity and are very likely to be true positives. Alerts are sometimes detected by multiple detection measures, including ATP, but the defining factor for an incident is multiple alerts that together align with a known kill chain pattern. See: https://docs.microsoft.com/en-us/azure/security-center/security-center-incident-response

10
Q

You are reviewing the security policies assigned to your subscription in Azure Security Center. In addition to the ASC Default policy that is already assigned, you need to assign the built-in policy initiative named Enable Data Protection Suite that contains a policy named Deploy Threat Detection on SQL servers. Choose the correct list of steps to accomplish your goals.

A. Azure Security Center, Security Policy, Assign Initiative, Select Enable Data Protection, Click Assign
B. Azure Policy, Assignments, Assign Initiative, Select Enable Data Protection, Click Assign
C. SQL Databases, Advanced Data Security, Assign Policy/Initiative, Select Enable Data Protection, Click Assign
D. Resource Group, Policies, Assign Initiative, Select Enable Data Protection, Click Assign

A

B. Azure Policy, Assignments, Assign Initiative, Select Enable Data Protection, Click Assign

Explanation:
Adding policies to Azure Security Center is performed through Azure Policy. There is no Assign Initiative option on the ASC security policy blade. From the resource group, clicking the Policies item redirects to Azure Policy; this option will work, but the assignment is performed at the RG level, whereas the question refers to the subscription level. One can configure Advanced Data Security on the SQL database, but this would have to be repeated for all SQL servers; the policy applies the security measure to all SQL servers in the subscription. See: https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy

11
Q

You plan to secure remote access from your on-premises network to your AKS cluster which is deployed to an existing Azure VNet. The solution should have the lowest possible latency and very high network speeds.

Solution: You implement a Site-to-Site VPN solution.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
You should make use of ExpressRoute. ExpressRoute enables you to connect from your on-premises network to Azure with high speed and low latency.

12
Q

You are in the process of creating an Azure container registry via CLI in the “MyRG” resource group. Complete the following command to create the container registry labeled “MyContainer001”.

az (1) create --resource-group MyRG --(2) MyContainer001 --(3) Basic

A. 1=acr, 2=name, 3= sku
B. 1=akr, 2= id, 3= tier
C. 1=docker, 2=name, 3=tier
D. 1=acr, 2=id, 3=sku

A

A. 1=acr, 2=name, 3= sku

Explanation:
Option A is correct, as the correct Azure CLI command is: az acr create --resource-group MyRG --name MyContainer001 --sku Basic

13
Q

You need to configure temporary access to an Azure VM on port 22; the solution should manage the inbound rules automatically in the backend and remove the rules when the time period expires. Which of the following technologies should you configure?

A. Network Security Group (NSG)
B. Application Security Groups (ASG)
C. Azure Firewall
D. Just In Time VM Access

A

D. Just In Time VM Access

Explanation:
Just-in-time VM access is correct as it allows you to connect to an Azure VM for a specific time period on specific ports; this is done automatically in the backend, as it creates temporary NSG rules and removes them when the time expires. NSG is incorrect as this is a manual process and does not remove the rules after a specific time period. ASG is incorrect as this feature allows you to group VMs to make management of inbound and outbound traffic easier, but it cannot automatically create and remove NSG rules based on a time period. Azure Firewall is incorrect as it is a stateful firewall and does not have the capability to automatically create rules for remote users to access VMs for a specific time period. https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

14
Q

You need to limit outbound HTTPS traffic to specific fully qualified domain names (FQDN). Which of the following technologies support this?

A. Network Security Groups (NSG)
B. Application Security Groups (ASG)
C. Azure Firewall
D. Just-in-time VM access (JIT VM Access)

A

C. Azure Firewall

Explanation:
Azure Firewall is correct as it supports limiting outbound HTTPS traffic to a specified list of FQDNs, including wildcards; this feature does not require SSL termination. NSG is incorrect as it cannot filter outbound traffic by FQDN, only by IPs or grouped IPs such as the Internet tag. ASG is incorrect as this feature allows you to group VMs to make management of inbound and outbound traffic easier. JIT VM Access is incorrect as it is used to access Azure VMs remotely.

15
Q

You have inherited an Azure environment which has plenty of resource groups. You have been tasked to manage access, policies and compliance for the subscriptions in an efficient manner.

Solution: You decide to make use of RBAC.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
False is correct: you cannot manage policies and compliance via RBAC; you should instead make use of Azure management groups.

16
Q

You need to harden your Docker containers.

Solution: You enable AppArmor.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct: you can use AppArmor, SELinux, GRSEC or another appropriate hardening system.

17
Q

You need to delegate access to a system administrator for a specific VM labeled “LOB-VM” in the “Production” resource group. The system administrator should have full control over the VM but should not be able to grant additional users access. The resource group is home to a combination of resources across different departments. You need to grant RBAC access with strict security in mind. Which is the correct RBAC configuration?

A. Scope = “LOB-VM”, Role = “Owner”
B. Scope = “Production”, Role = “Owner”
C. Scope = “Production”, Role = “Contributor”
D. Scope = “LOB-VM”, Role = “Contributor”

A

D. Scope = “LOB-VM”, Role = “Contributor”

Explanation:
Option D is correct as you need to granularly define the scope and role. The scope at the VM level is correct; you cannot set it at the resource group level because the user would then have permissions on all resources in that resource group, which is incorrect in this scenario. The Contributor role is correct as it grants full permissions except adding additional users to the resource. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

18
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

You create an additional administrator account labeled “Admin04” as a normal Azure AD user. This account should be eligible for “Global Administrator” access via Privileged Identity Management for safekeeping and auditing purposes.

Solution: You enroll “Admin04” as an Azure AD role member with the global admin permission.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct: “Admin04” needs to be added as an “Azure AD roles” member, as this is used for identities in Azure/Office 365. The user “Admin04” should not be configured under the “Azure resources” members, as that is used to grant access to resources in Azure, i.e. the Owner role for a subscription. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user

19
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

You plan on rolling out Microsoft Intune to a control group of 20 random users. You need to assign EMS E3 licenses to all users who are part of the control group; this process should be scalable going forward and make license management for Intune users as easy as possible.

Solution: Create a new security group with an assigned membership type and configure group-based licensing.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct: the easiest way to manage licenses for users going forward is to create a new security group and configure group-based licensing. This ensures that whenever a new user is added to the group an EMS E3 license is automatically assigned to support Intune, and that the EMS E3 license is revoked whenever a user is removed from the group (i.e. when a user leaves the company). You need to configure an “Assigned” membership type, as specific users are targeted and need to be selected manually. https://docs.microsoft.com/en-us/microsoft-365/enterprise/identity-self-service-group-management

20
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

You have been tasked to better manage all user accounts per department in the Azure AD tenant. You plan to group all user accounts automatically by using a dynamic group membership called “Dynamic-Guests”. Which of the following criteria are best for identifying these accounts, given that the information below has been set for all users? Select 2 methods.

A. Job title
B. Manager
C. Location
D. Department

A

A. Job title
D. Department

Explanation:
Job title is correct as you can configure the dynamic rule to use “contains” on “Job Title” (e.g. “contains” “Marketing” will add accounts for Marketing Director, Marketing Assistant etc.). Department is also correct as it can be used as part of the dynamic rule configuration (e.g. “match” on “Department” will add accounts per the department tag, such as “Finance”). Location is incorrect as it is not a good parameter to use when filtering per department, since there are usually several departments per location/region. Manager is incorrect as it is not a good parameter to use either, since some people reporting to a specific person may not be part of a specific department per se (e.g. several departments report into the General Manager). https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

21
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

You are tasked to secure all guest user identities by only allowing sign-in to Microsoft Teams from Windows and blocking sign-ins from Android and iOS. When signing in, the guest users must also use MFA. Which technology should you implement to accomplish this goal?

A. Conditional Access
B. Privilege Identity Management
C. Identity Protection

A

A. Conditional Access

Explanation:
Conditional Access is correct as it allows rules to be created that specify criteria at sign-in, which can then grant access, request additional authentication, or even decline the request when signing in from a platform that is denied. Privileged Identity Management will not suffice as it enables users to activate additional roles with their identity, like Global Admin or access to resources in Azure. MFA by itself will not suffice as it has limited options (enabled, enforced or disabled) and no automatic intelligence associated with it. Identity Protection will not suffice as it is mainly associated with risky sign-ins and not with blocking users from signing in via specific rule sets such as blocking specific platforms. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

22
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

True or false: You can configure an Azure Conditional Access policy for client applications like Microsoft Word.

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
False is correct: you cannot specify a Conditional Access policy for a client application like Word or Outlook. A Conditional Access policy sets requirements for accessing a service. It is enforced when authentication to that service occurs. The policy is not set directly on a client application. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/faqs

23
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

You are planning on rolling out a new Azure AD Conditional Access policy to restrict access to only specific device platforms. Which of the following device platforms are supported by conditional access? Choose all that apply.

A. Android
B. iOS
C. Windows Phone
D. macOS

A

A. Android
B. iOS
C. Windows Phone
D. macOS

Explanation:
All of the above are correct. Conditional Access policies support the following device platforms: Android, iOS, Windows Phone, Windows and macOS. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference

24
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts, each with an Office E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each of these administrator accounts has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

The security department has requested that, when configuring Single Sign-On (SSO) for hybrid users, all user passwords are passed through to the on-premises Active Directory domain controller for validation.

Solution: You configure Password Hash Sync and enable single sign on (SSO) with the ADConnect tool.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
False is correct, as you will need to configure “Pass-through Authentication”; this option allows user passwords to be passed through to the on-premises AD domain controller for validation. “Password Hash Sync” is incorrect as it stores a hash of the password in the cloud and authentication occurs in the cloud instead of on-premises. Enabling single sign-on is correct as it is supported with both “Password Hash Sync” and “Pass-through Authentication” and is a requirement for SSO. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

25
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts which have Office E5 licenses assigned to each user individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; these administrator accounts have an EMS E5 license associated with each account. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

Currently the on-premises identities are synced to Azure AD via the ADConnect tool installed on the “ADConnect” server, which is connected to the on-premises network via the Site-to-Site VPN. The ADConnect tool has been configured and has been syncing identities for the past month without issue; however, you received an email message saying “Azure Active Directory (Azure AD) didn’t register a synchronization attempt in the last 24 hours.” What could be the cause? Select all that apply.

A. The work or school account used in the configuration wizard to setup directory synchronization has been deleted, disabled or password expired
B. The admin account used for directory synchronization was changed
C. There are network connection issues
D. Directory synchronization service has stopped

A

A. The work or school account used in the configuration wizard to setup directory synchronization has been deleted, disabled or password expired
B. The admin account used for directory synchronization was changed
C. There are network connection issues
D. Directory synchronization service has stopped

Explanation:
All of the above is correct as each of these is a possible cause of identities not syncing to Azure AD via the ADConnect tool. There are 2 methods to troubleshoot this issue. Method 1: manually verify that the service is started and that the admin account can sign in. Method 2: resolve the problem with the logon account for the directory synchronization service. https://support.microsoft.com/en-za/help/2882421/directory-synchronization-to-azure-active-directory-stops-or-you-re-wa

26
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts which have Office E5 licenses assigned to each user individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; these administrator accounts have an EMS E5 license associated with each account. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

You have been requested to evaluate the security posture of all identities in Azure Active Directory. You need to provide the following information per user:

· Risk level
· Risk events
· Current status

Solution: You configure Azure AD Identity Protection.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct as Identity Protection allows you to view risk level, risk events and current status. Identity Protection also allows you to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview

27
Q

Fabrikam Inc. has adopted Azure as their cloud platform. Fabrikam currently has a hybrid identity model which is supported by ADConnect. Within the Azure environment there is 1 subscription labeled “Fab-Prod” which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:

  1. “ADConnect” VM is running on a standard A2M spec VM
  2. “VPN-Gateway” is the VPN gateway which is configured for Site-to-Site VPN (Azure to on-premises)

There are 250 Azure Active Directory user accounts which have Office E5 licenses assigned to each user individually. The Azure tenant is configured for Privileged Identity Management and has 3 global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; these administrator accounts have an EMS E5 license associated with each account. Admin01 is the subscription owner for the “Fab-Prod” subscription and permissions are handled via Privileged Identity Management (PIM).

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

You have been requested to create a new Azure AD application labeled “Office365-logging” which needs to retrieve information about user, admin and policy actions and events from Office 365. This app needs to support work and school accounts as well as personal Microsoft accounts.

Solution: You create an Azure AD V1.0 endpoint.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
False is correct. You will need an Azure AD V2.0 endpoint as the V1.0 endpoint does not support personal Microsoft accounts (it only supports work and school accounts). https://docs.microsoft.com/en-us/graph/auth-overview

28
Q

True or false: you can deploy a VM in the same virtual network where your Azure Kubernetes Cluster is running?

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct, you can deploy a VM to the same VNet where a Kubernetes cluster is running, however the VM can’t be deployed to the same subnet as the Kubernetes cluster. https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni?toc=%2Fazure%2Fvirtual-network%2Ftoc.json

29
Q

True or false: you can deploy a VM in the same subnet where your Azure Kubernetes Cluster is running?

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
False is correct, you cannot deploy a VM to the same subnet where a Kubernetes cluster is running, however the VM can be deployed to the same VNet. https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni?toc=%2Fazure%2Fvirtual-network%2Ftoc.json

30
Q

Which of the following security concerns are relevant to container solutions? Select all that apply.

A. Kernel Exploits
B. Denial-of-service attacks
C. Container breakouts
D. Poisoned images

A

A. Kernel Exploits
B. Denial-of-service attacks
C. Container breakouts
D. Poisoned images

Explanation:
All of the above is correct.
Kernel Exploits: Unlike in a VM, the kernel is shared among all containers and the host. This sharing magnifies the importance of any vulnerabilities in the kernel.
DoS: All containers share kernel resources. If one container can monopolize access to certain resources, including memory and user IDs, it can starve out other containers on the host. The result is a denial of service (DoS), whereby legitimate users are unable to access part or all of the system.
Container breakouts: An attacker who gains access to a container should not be able to gain access to other containers or the host. By default, users are not included in the container namespace, so any process that breaks out of the container will have the same privileges on the host as it did in the container. If you were root in the container, you will be root on the host. You need to prepare for potential privilege escalation attacks, whereby a user gains elevated privileges such as those of the root user.
Poisoned images: How do you know that the images you’re using are safe, haven’t been tampered with, and come from where they claim to come from? If an attacker can trick you into running an image, both the host and your data are at risk. Similarly, you want to be sure that the images you’re running are up to date and don’t contain versions of software with known vulnerabilities.
https://azure.microsoft.com/mediahandler/files/resourcefiles/container-security-in-microsoft-azure/Open%20Container%20Security%20in%20Microsoft%20Azure.pdf

31
Q

You need to ensure that all current and future resources that are compliant are enrolled into Azure Security Center.

Solution: You configure an Azure policy on the subscription level.

Does this solution meet the goal?

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct as you can create an Azure policy to ensure all compliant resources are automatically enrolled into ASC. https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

32
Q

Which of the following lists of data classifications is arranged from highest to lowest level of sensitivity?

A. 1. Confidential. 2. Internal only. 3. Public
B. 1. Sensitive. 2. Restricted. 3. Unrestricted
C. 1. Low. 2. Medium. 3. High
D. 1. Secret. 2. Top-Secret. 3. Sensitive. 4. Unclassified

A

A. 1. Confidential. 2. Internal only. 3. Public

Explanation:
Classification levels are usually defined from highest to lowest level of sensitivity, using various labeling strategies. Generally speaking, the terminology is as follows: high, medium, low; or confidential, internal only, public; or restricted, sensitive, unrestricted; or top-secret, secret, sensitive, unclassified. Each level of classification has a definition (or risk level if the data is lost or leaked), characteristics (what data are assigned to the level) and the protections applied (labeling, encryption and permissions). https://gallery.technet.microsoft.com/Data-Classification-for-51252f03/file/172083/1/Data%20Classification%20for%20Cloud%20Readiness%20(2017-04-11).pdf and https://docs.microsoft.com/en-us/azure/security/security-white-papers

33
Q

In data classification, which of the following data ownership roles are given no permissions to use the data? Choose 2

A. Owner
B. User
C. Administrator
D. Custodian

A

C. Administrator
D. Custodian

Explanation:
Using the data means having read and optionally modify and delete privileges for the data. Data users and owners (usually the user who created the data) are the only roles listed with these rights. Data custodians have delegate rights, meaning they can modify rights to the data for others (but not for themselves). Data administrators have only archive/restore rights. Owners have all rights to the data. https://gallery.technet.microsoft.com/Data-Classification-for-51252f03/file/172083/1/Data%20Classification%20for%20Cloud%20Readiness%20(2017-04-11).pdf and https://docs.microsoft.com/en-us/azure/security/security-white-papers

34
Q

Which of the following elements are not included in a data retention policy?

A. Data recovery rules
B. Data disposal rules
C. Regulatory requirements
D. Corporate requirements
E. Data retention periods per classification level
F. Data security measures

A

F. Data security measures

Explanation:
All of the answers list an item typically included in a data retention policy, except for data security measures, which are held in a data classification policy. https://gallery.technet.microsoft.com/Data-Classification-for-51252f03/file/172083/1/Data%20Classification%20for%20Cloud%20Readiness%20(2017-04-11).pdf and https://docs.microsoft.com/en-us/azure/security/security-white-papers

35
Q

Which of the following are valid access control options for Storage Accounts? Choose 3

A. Access Key
B. Shared Access Key
C. Role Based Access Control
D. Service Key
E. Shared Access Signature

A

A. Access Key
C. Role Based Access Control
E. Shared Access Signature

Explanation:
Access keys, Azure AD RBAC and Shared Access Signatures are all valid access control methods for storage accounts. Service key and shared access key are not valid names for storage account access controls. https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#data-plane-security

36
Q

Which of the following access control options would you use to provide temporary anonymous access to a Storage Account?

A. Access Key
B. Shared Access Key
C. Role Based Access Control
D. Service Key
E. Shared Access Signature

A

E. Shared Access Signature

Explanation:
One would use a shared access signature to allow temporary (timed) access control for anonymous access to a storage account via a URI. https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#data-plane-security

37
Q

In what two ways should applications (not users) be granted access to storage account resources?

A. Access Key
B. Shared Access Key
C. OAuth
D. Service Key
E. Shared Access Signature

A

A. Access Key
C. OAuth

Explanation:
Access keys were traditionally used to provide access to storage account resources for applications. Azure AD can also provide access control for application service principals using OAuth. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

38
Q

It is considered best practice to add an additional layer of access control security to Azure SQL databases. Which Azure feature provides this capability?

A. Network Security Group
B. Azure Firewall
C. Azure SQL Database Firewall
D. Network Security Appliance
E. Azure Active Directory Conditional Access
F. Azure Information Protection

A

C. Azure SQL Database Firewall

Explanation:
Azure SQL Database has a built-in firewall service commonly referred to as Azure SQL Database Firewall. A firewall rule is required for all connections to the database, including those from other sites and over the internet.

39
Q

What are the types of authentication supported as an access control measure to Azure SQL Database?

A. Simple (clear text) authentication
B. Encrypted Challenge-response authentication
C. Azure Active Directory authentication
D. SQL authentication
E. RADIUS authentication
F. Multi-factor authentication

A

C. Azure Active Directory authentication
D. SQL authentication

Explanation:
AAD authentication and native SQL authentication are supported by Azure SQL Database. The other answer options do not exist in the context of SQL Database. MFA is implemented by AAD but is not part of SQL Database. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview#authentication

40
Q

Which of the following is the correct action for resetting the password for the SQL server admin login that is created as part of a new Azure SQL Database?

A. Azure portal, SQL Servers, select server, reset password
B. Azure portal, SQL Databases, select database, reset password
C. Azure portal, Azure Active Directory, select user, Reset password
D. SQL Query editor, connect to Azure SQL Database, ALTER LOGIN command
E. SQL Query editor, connect to Azure SQL Database, CREATE LOGIN command
F. SQL Query editor, connect to Azure SQL Database, LOGIN command

A

A. Azure portal, SQL Servers, select server, reset password

Explanation:
The server admin login can be changed from the Azure portal by using the Reset password button for the selected SQL Server. If you use AAD-integrated login, changing the user password using AAD in the Azure portal would work, but the question asks for changing the SQL server admin, specifically. There is no reset password button on the selected SQL database (must be changed at server level). Using the SQL command ALTER LOGIN would also work, but that requires the SQL Query editor and is not the best answer for the question. CREATE LOGIN is used to create additional SQL logins. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins#unrestricted-administrative-accounts