Describe identity, governance, privacy, and compliance features Flashcards

1
Q

What is authentication?

A

The process of establishing the identity of a person or service that wants to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control. It establishes whether the user is who they say they are.

2
Q

What is authorization?

A

Authentication establishes the user’s identity, but authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.

3
Q

What is Azure Active Directory?

A

Azure Active Directory provides identity services that enable your users to sign in and access both Microsoft cloud applications and cloud applications that you develop.

4
Q

How does Azure Active Directory compare to Active Directory?

A

For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that’s managed by your own organization.

Azure Active Directory is Microsoft’s cloud-based identity and access management service.

When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign-in attempts. When you connect Active Directory with Azure Active Directory, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost.

5
Q

Who uses Azure Active Directory?

A

IT administrators - Can use Azure Active Directory to control access to applications and resources based on their business requirements.
App developers - Developers can use Azure Active Directory to provide a standards-based approach for adding functionality to applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user’s existing credentials.
Users - Users can manage their identities. For example, self-service password reset enables users to change or reset their password with no involvement from an IT administrator or help desk.
Online service subscribers - Microsoft 365, Microsoft Office 365, Azure and Microsoft Dynamics CRM online Subscribers are already using Azure Active Directory.

6
Q

What is a tenant?

A

A tenant is a representation of an organization. A tenant is typically separated from other tenants and has its own identity.

7
Q

What services does Azure Active Directory provide?

A

Authentication - This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout.
Single sign-on - SSO enables you to remember only one username and one password to access multiple applications.
Application management - You can manage your cloud and on-premises apps by using Azure Active Directory. Features like Application Proxy, SaaS apps, the My Apps portal, and single sign-on provide a better user experience.
Device management - Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based Conditional Access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.

8
Q

What kinds of resources can Azure AD help secure?

A

Azure AD helps users access both external and internal resources. External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications. Internal resources might include apps on your corporate network and intranet, along with any cloud applications developed within your organization.

9
Q

How can I connect Active Directory with Azure AD?

A

Use Azure AD Connect. Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. It synchronizes changes between both identity systems so you can use features like SSO, MFA, and self-service password reset under both systems.

10
Q

What is multifactor authentication?

A

Something the user knows, something the user has, something the user is.

11
Q

What’s Azure AD multi-factor authentication?

A

Enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.

Azure Active Directory free edition enables Azure AD multi-factor authentication for administrators with the global admin level of access, via the Microsoft Authenticator app, phone call, or SMS code.

Azure Active Directory Premium (P1 or P2 licenses) allows for comprehensive and granular configuration of Azure AD Multi-factor authentication through conditional access policies.

12
Q

What is conditional access?

A

Conditional access is a tool that Azure Active Directory uses to allow or deny access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.

Conditional access helps IT administrators:

  • Empower users to be productive wherever and whenever
  • Protect the organization’s assets
13
Q

When can I use Conditional Access?

A

Useful when you need to require multifactor authentication to access an application.
Require access to services only through approved client applications.
Require users to access your application only from managed devices.
Block access from untrusted sources such as access from unknown or unexpected locations.

14
Q

Where is conditional access available?

A

To use conditional access, you need an Azure AD Premium P1 or P2 license.

15
Q

What is governance?

A

Describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced.

16
Q

What is Azure role-based access control?

A

Azure RBAC enables you to control access.

17
Q

How is role-based access control applied to resources?

A

Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.

Scopes include:

  • Management group
  • Single Subscription
  • Resource group
  • Single resource
18
Q

When you grant access at a parent scope, are those permissions inherited by all child scopes?

A

Yes

19
Q

When should I use Azure RBAC?

A

When you need to:
Allow one user to manage VMs in a subscription and another user to manage virtual networks.
Allow a database administrator group to manage SQL databases in a subscription.
Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.
Allow an application to access all resources in a resource group.

20
Q

How is Azure RBAC enforced?

A

Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager.

21
Q

Who does Azure RBAC apply to?

A

You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC to other special identity types, such as service principals and managed identities.

22
Q

How do I manage Azure RBAC permissions?

A

You manage access permissions on the Access Control (IAM) pane in the Azure portal.

23
Q

What is a resource lock?

A

Prevents resources from being accidentally deleted or changed.

24
Q

How do I manage resource locks?

A
You can manage resource locks from the:
Azure Portal
PowerShell
Azure CLI
Azure Resource Manager
25
Q

What levels of locking are available?

A

CanNotDelete - means authorized people can still read and modify a resource, but they can’t delete the resource without first removing the lock.
ReadOnly - means authorized people can read a resource, but they can’t delete or change the resource.

26
Q

How do I delete or change a locked resource?

A

You must first remove the lock. Then you can apply the action.

27
Q

What are Azure Blueprints?

A

An Azure Blueprint is a package for creating specific sets of standards and requirements that govern the implementation of Azure services, security, and design.

28
Q

What are resource tags?

A
Another way to organize resources. Useful for:
Resource management
Cost management and optimization
Operations management
Security
Governance and regulatory compliance
Workload optimization and automation
29
Q

How do you manage resource tags?

A

You can add, modify, or delete resource tags through PowerShell, Azure CLI, Resource Manager templates, REST API, or Azure portal.

30
Q

What is Azure Policy?

A

Is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across all of your resource configurations so that those configurations stay compliant with corporate standards.

31
Q

How does Azure Policy define policies?

A

Enables you to define both individual policies and groups of related policies, known as initiatives.

32
Q

How do you implement a policy in Azure Policy?

A

Create a policy definition - Expresses what to evaluate and what action to take.
Assign the definition to resources - A policy assignment is a policy definition that takes place within a specific scope.
Review the evaluation results - When a condition is evaluated against your existing resources, each resource is marked as compliant or noncompliant.

33
Q

What are Azure Policy Initiatives?

A

An Azure policy initiative is a way of grouping related policies together. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.

34
Q

What is the Enable Monitoring in Azure Security Center initiative?

A

Its goal is to monitor all of the available security recommendations for all Azure resource types in Azure Security Center.

Under this initiative, the following policy definitions are included:
Monitor unencrypted SQL database in Security Center
Monitor OS vulnerabilities in Security Center
Monitor missing Endpoint Protection in Security Center

35
Q

How do I define an initiative?

A

You define initiatives by using the Azure portal or command-line tools. From the Azure portal, you can search the list of initiatives that are built into Azure.

36
Q

How do I assign an initiative?

A

Like a policy assignment, an initiative assignment is an initiative definition that’s assigned to a specific scope of a management group, a subscription, or a resource group.

37
Q

How do you govern multiple subscriptions by using Azure Blueprints?

A

Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance, with a set of built-in components that speed the development and deployment phases.

38
Q

What resource templates does Azure Blueprint orchestrate?

A

Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups

39
Q

What are the steps for implementing a blueprint in Azure Blueprints?

A

Create an Azure blueprint
Assign the blueprint
Track the blueprint assignments

40
Q

What is the cloud adoption framework?

A

Cloud Adoption Framework for Azure provides you with proven guidance to help with your cloud adoption journey. It helps you create and implement the business and technology strategies needed to succeed in the cloud.

41
Q

What are the steps of the Cloud Adoption Framework?

A
Define a strategy
Make a plan
Ready your organization
Adopt the cloud
Govern and manage your cloud environments
42
Q

What are the steps for defining your strategy?

A

Define and document your motivations - Meeting with stakeholders and leadership can help you answer why you’re moving to the cloud.
Document business outcomes - Meet with leadership from your finance, marketing, sales, and human resource groups to help you document your goals.
Evaluate financial considerations - Measure objectives and identify the return expected from a specific investment.
Understand technical considerations - Evaluate those technical considerations through the selection and completion of your first technical project.

43
Q

What are the steps for Make a plan?

A

Digital estate - Create an inventory of the existing digital assets and workloads that you plan to migrate to the cloud.
Initial organizational alignment - Ensure that the right people are involved in your migration efforts, both from a technical standpoint as well as from a cloud governance standpoint.
Skills readiness plan - Build a plan that helps individuals build the skills they need to operate in the cloud.
Cloud adoption plan - Build a comprehensive plan that brings together the development, operations, and business teams toward a shared cloud adoption goal.

44
Q

What is ready your organization?

A

Here you create a landing zone, or an environment in the cloud to begin hosting your workloads.

Azure setup guide - Review the Azure setup guide to become familiar with the tools and approaches you need to use to create a landing zone.
Azure landing zone - Begin to build out the Azure subscriptions that support each of the major areas of your business.
Expand the landing zone - Refine your landing zone to ensure that it meets your operations, governance, and security needs.
Best practices - Start with recommended and proven practices to help ensure that your cloud migration efforts are scalable and maintainable.

45
Q

What is Adopt the cloud?

A

Migrate your first workload - Use the Azure migration guide to deploy your first project to the cloud.
Migration scenarios - Use additional in-depth guides to explore more complex migration scenarios.
Best practices - Check with the Azure cloud migration best practices checklist to verify that you’re following recommended practices.
Process improvements - Identify ways to make the migration process scale while requiring less effort.
Innovate

46
Q

What are the steps for Govern and manage your cloud environments?

A

Methodology - Consider your end state solution. Then define a methodology that incrementally takes you from your first steps all the way to full cloud governance.
Benchmark - Use the governance benchmark tool to assess your current state and future state to establish a vision for applying the framework.
Initial governance foundation - Create an MVP that captures the first steps of your governance plan.
Improve the initial governance foundation - Iteratively add governance controls that address tangible risks as you progress towards your end state solution.

47
Q

What groups of compliance categories are available on Azure?

A

Global
US Gov
Industry
Regional

48
Q

What is the Criminal Justice Information Service category?

A

Any US state or local agency that wants to access the FBI’s Criminal Justice Information Services database is required to adhere to the CJIS Security Policy.

49
Q

What is the European Union Model Clause?

A

Provides contractual guarantees around transfers of personal data outside the EU.

50
Q

What is the International Organization of Standards/International Electrotechnical Commission 27018?

A

Covers processing of personal information by cloud service providers.

51
Q

What is the National Institute of Standards and Technology Cybersecurity Framework?

A

NIST CSF is a voluntary framework that consists of standards, guidelines and best practices to manage cybersecurity-related risks.

52
Q

What is the Microsoft Privacy Statement?

A

Explains what personal data Microsoft collects.

53
Q

What is the Data Protection Addendum?

A

DPA defines the data processing and security terms for online services.

54
Q

What is the Trust Center?

A

Showcases Microsoft’s principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.

55
Q

What is the Azure compliance documentation?

A

Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.

56
Q

What is Azure Government?

A

Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers.

57
Q

What is Azure China 21Vianet?

A

It’s a physically separated instance of cloud services located in China. Azure China 21Vianet is independently operated and transacted by Shanghai Blue Cloud Technology.