Exam Summary - Azure Identities and Governance

Question 1

What Azure role(s) must you have before you can add or modify Azure identities (Users, Groups, Etc.)?

Answer 1

User Administator or Global Administrator Role

Question 2

What are the two cloud identities?

Answer 2

Local Azure AD

External Azure AD

Question 3

What is a Hybrid Identity?

Answer 3

An on premise to cloud directory-synchronized identity

Question 4

What are the Azure Guest Identities?

Answer 4

Azure AD B2B Collaboration
External Identities (Google, Facebook, Etc.)

Question 5

What PowerShell module is needed to connect to Azure AD, and what is the command to install it?

Answer 5

AzureAD

Install-Module -Name AzureAD

Question 6

What PowerShell command is used to connect to your Azure AD environment once the module as been installed?

Answer 6

Connect-AzureAD

Question 7

What PowerShell command is used to create a new Azure AD user?

Answer 7

New-AzureADUser

Question 8

What are your Azure group types?

Answer 8

Basic Group

Dynamic Group

Question 9

What AD group allows you to Bulk add using CSV templates?

Answer 9

Basic Groups

Question 10

What is a Dynamic AD Group?

Answer 10

Users can be added automatically and removed via Rules bases assignments determined by their user properties.

Question 11

Can users be automatically assigned roles and licenses when added into a dynamic groups?

Answer 11

Yes

Question 12

Which Azure AD group can you NOT manually add users or devices to?

Answer 12

Dynamic Groups

Question 13

How/where can you manage user and group properties?

Answer 13

Modify user and group properties In the Azure portal

Modify using the PowerShell AzureAD module

Question 14

Differentiate the difference between a “Cloud Device Administrator” and a “Device Administrator”

Answer 14

Cloud Device Admin:
Can add, enable, disable, and delete devices in Azure AD
Can NOT modify device properties

Device Admin:
Local machine Administrator
Can NOT modify the object in Azure AD

Question 15

What’s the minimum required licensing needed for Azure guest accounts?

Answer 15

Requires Azure AD Premium P2

Question 16

Although the invite needs to be reviewed, what roles can invite guest accounts into your Azure environment?

Answer 16

Administrators

Users

Question 17

What roles are required to review guest account invites?

Answer 17

Global Administrator

User Administrator

Question 18

Differentiate the difference between “Azure AD Registered” and “Azure AD Joined”

Answer 18

Azure AD Registered:
Personally Owned Device
MS Account or Local Account Sign-In
OS Supported - Win10, iOS, Android, macOS

Azure AD Joined:
Organization Owned Device
Azure AD Sign-In
OS Supported - Win10, Windows Server 2019 VMs in Azure

Question 19

What licensing is needed enabling user’s Self-Service Password Reset functionality?

Answer 19

Azure AD Free:
Cloud-Only Password Change

Azure AD Premium P1 or P2
Cloud-Only Password Change
Cloud-Only Password Reset
Hybrid Password Change or reset with on-prem writeback

Question 20

What are the “security principles” we can assign roles to in Azure?

Answer 20

Users
Groups
Service Principal
Managed Identity

Question 21

What is the User security principal?

Answer 21

An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants.

Question 22

What is the Group security principal?

Answer 22

A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.

Question 23

What is the “Service Principal” security principal?

Answer 23

A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.

Question 24

What is the Managed Identity security principal?

Answer 24

An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.

Question 25

What three built in Azure roles apply to all resource types?

Answer 25

Owner
Contributor
Reader
(Example - Blob Storage Owner, Contributor, and Reader)

Question 26

What are the built-in Azure roles?

Answer 26

Owner
Contributor
Reader
User Access Administrator

Question 27

Define the built-in Azure owner role.

Answer 27

Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

Question 28

Define the built-in Azure contributor role.

Answer 28

Can create/manage all resources, but cannot grant access.

Question 29

Define the built-in Azure reader role.

Answer 29

View all resources, but does not allow you to make any changes.

Question 30

Define the built-in Azure user access administrator role.

Answer 30

Lets you manage user access to Azure resources.

Question 31

What’s the PowerShell Cmdlet that allows you to assign a new role to a user?

Answer 31

New-AzRoleAssignment

Question 32

What are Azure Deny Assignments?

Answer 32

Blocks users from performing specific actions even if a role assignment allows it

Question 33

Does a role assignment or deny assignment take precedence?

Answer 33

Deny assignment

Question 34

Where do you have to create your own deny assignments?

Answer 34

Azure Blue Prints

Managed Apps

Question 35

What are the PowerShell Cmdlets to get role / deny assignments, as well as the Azure CLI get role assignment command?

Answer 35

Get-AzRoleAssignment
Get-AzDenyAssignment

az role assignment list

Question 36

Where/how can you create a custom role in Azure?

Answer 36

Portal
ARM Template
PowerShell
Azure CLI

Question 37

WHAT enforces rules to ensure your resources remain in compliant by focusing on the resource properties for both new and existing deployments?

Answer 37

Azure Policies

Question 38

Does Azure Policies apply remediation to resources that are not compliant?

Answer 38

No, but it does suggest remediations in the Azure Portal.

Question 39

Azure Policy Concepts
What is a:
1. Policy Definition
2. Assignment
3 Initiative

Answer 39

1. A rule
2. An Application of an initiative or policy to a specific scope
3. A collection of policy definitions

Question 40

What are the resource lock types?

Answer 40

Read-Only

Delete

Question 41

Can resource locks be inherited for:

1. Existing resources
2. Newly created resources

Answer 41

1. Yes

2. Yes

Question 42

Whom do locks apply to in your Azure environment?

Answer 42

All users and roles

Question 43

What are the PowerShell and Azure CLI basic lock creation commands?

Answer 43

PowerShell:
New-AzResourceLock -LockLevel -LockName - ResourceName

AzureCLI:
az lock create –name –lock-type –resource-group

Question 44

Each tag consists of what “pair”

Answer 44

Name and Value pair

Question 45

What access does your account need to be able to assign tags?

Answer 45

Must have Write access to Microsoft.Resource/tags provider

Question 46

What is an Azure Resource Group?

Answer 46

Containers that hold related Azure resources

Question 47

Does moving a resource to a different resource group change the location/region where it was originally located?

Answer 47

No

Question 48

Resource groups only store the WHAT about the resources it contains?

Answer 48

Metadata

Question 49

What would happen to the resources in a group when you delete that resource group?

Answer 49

Deletes all resources in that resource group

Question 50

What are the PowerShell and Azure CLI basic resource group creation commands?

Answer 50

PowerShell:
New-AzResourceGroup -Name - Location

AzureCLI:
az group create –name –location

Question 51

Can you move resources between subscriptions?
Can you transfer subscriptions between tenants?
Can a single tenant only have one subscription?

Answer 51

Yes
Yes
No

Question 52

What is Azure Cost Management?

Answer 52

Analyzes your environment to help determine where your Azure costs are going.

Question 53

What is Azure Cost Management “Cost Alerts”?

Answer 53

Cost alerts that can be generated when a threshold you defined is met.

Question 54

What is Azure Cost Management “Budgets”?

Answer 54

Allows you to apply budgets to cost thresholds and limits to control your Azure spend.

Question 55

What is Azure Cost Management “Recommendations”?

Answer 55

Displays ways to control costs through identifying trends in your usage.

Question 56

What are Azure Management Groups?

Answer 56

Use to manage access, policies and compliance across MULTIPLE subscriptions in your environment.