Identity and Governance

Question 1

How would you associate a number of VMs in the same resource group with their corresponding department?

Answer 1

Assign tags

Question 2

What is needed to enforce the use of MFA and device registration for global administrators?

Answer 2

Azure AD conditional access policy

Question 3

How do you implement Azure AD conditional access policy?

Answer 3

Create a new policy in the Azure portal
Set the policy to require MFA and AD device registration
Specify global administrators as the target
Specify locations that are untrusted

Question 4

What do you alter in an Azure AD conditional access policy to require MFA for global administrators?

Answer 4

Grant control

Question 5

Are you able to change the usage model (per enabled user/per authentication) after an MFA provider is created?

Answer 5

No

Question 6

What can you assign locks and tags to?

Answer 6

Subscriptions
Resource groups
Resources

Question 7

How do you allows users to use Azure AD Premium features?

Answer 7

From the Licenses section of the portal, assign a license

Question 8

How would you make a user an administrator for all workstations that will be joined to the Azure AD domain?

Answer 8

From the Devices section of the portal, go to device settings and configure an additional local administrator

Question 9

Who can can add devices to a group?

Answer 9

The owner of the group

Question 10

What can global administrators and cloud device administrators do with devices?

Answer 10

Manage already registered or joined devices

Question 11

What are some characteristics of tags?

Answer 11

• A resource can have 50 tags
• Values are case-sensitive, limit of 256
• Tag names are not case-sensitive, limit of 512
• Limits are halved for storage accounts
• Not inherited by default

Question 12

What command would you use for an immediate Azure AD sync?

Answer 12

Start-ADSyncSyncCycle -PolicyType Delta

Question 13

What command initiates a full Azure AD sync?

Answer 13

Start-ADSyncSyncCycle -policy initial

Question 14

In the Azure portal, how would you assign an administrative role to a user?

Answer 14

Directory > Users > Select user > Add role

Question 15

What role would allow a user to create Azure apps?

Answer 15

Some type of contributor role

Question 16

How would you access a report that details costs for each department?

Answer 16

Assign a tag to each resource > Subscriptions > Cost analysis, Download usage report

Question 17

What happens when you move a resource from one RG to another RG in a different region?

Answer 17

The resource is moved but the location stays the same

Question 18

What blade do you use to optimize and reduce your overall Azure spend by identifying idle/underutilized resources?

Answer 18

Advisor

Question 19

How do you ensure an admin can invite external partners to log into the Azure AD tenant?

Answer 19

Users > External collaboration settings

Question 20

Who is able to elevate themselves to gain access to the root management group?

Answer 20

Azure AD Global Administrators

Question 21

Can you dynamically assign unlicensed users to a group?

Answer 21

Yes

Question 22

Who can access traffic analytics?

Answer 22

Owner
Contributor
Network/Monitoring Contributor

Question 23

Describe the Contributor role

Answer 23

Lets you manage resources but cannot manage access to them

Question 24

Describe the Owner role

Answer 24

Grants full access to manage all resources
Allows you to assign roles in Azure ABAC

Question 25

Who can assign a user the owner role?

Answer 25

Owner
User Access admin

Question 26

How do Azure RBAC roles and Microsoft Entra ID roles work together?

Answer 26

They work independently
AD roles to not grant access to Azure resources and vice versa

Question 27

Describe the User Access Administrator role

Answer 27

Can manage access but not the resources themselves

Question 28

What do managed identities for Azure resources do?

Answer 28

Provide Azure services with an automatically managed identity in Microsoft Entra ID

Question 29

What was Azure Active Directory renamed to?

Answer 29

Microsoft Entra ID

Question 30

What do you use managed identities for?

Answer 30

So the identity can authenticate to any service that supports Azure AD authentication

Question 31

Why might you be unable to delete a vault?

Answer 31

Can’t delete a vault that contains backup data

Question 32

Why might you be unable to delete a VNET?

Answer 32

Has a Delete resource lock

Question 33

What do you need to bulk delete users in Azure AD?

Answer 33

User principal name

Question 34

What does “Append a tag and its value to resources” not apply to?

Answer 34

• Resources before the policy was applied, until they are changed
• Resource groups

Question 35

What would you use to grant local admin permissions for people in three different offices?

Answer 35

Administrative units

Question 36

What are administrative units useful for?

Answer 36

Restricting the administrative scope in independent divisions

Question 37

What do you need to bulk invite guest users?

Answer 37

A .csv template with email addresses and a redirection URL
Or, create a PowerShell script that runs New-MgInvitation for each external user

Question 38

What type of roles can be cloned?

Answer 38

You cannot clone built-in AD roles. You can clone built-in subscription roles

Question 39

How does group-based licensing assignment work?

Answer 39

• Does not support nested groups
• If you apply a license to a nested group, only the immediate first-level user members of the group have the license applied

Question 40

What happens when a user’s access package assignment expires?

Answer 40

They are removed from the group/team
Unless they have an assignment to another package that includes the same group/team

Question 41

How do Microsoft 365 groups and security groups interact?

Answer 41

Microsoft 365 groups cannot be added in security groups

Question 42

Is nesting supported for groups that can be assigned to a role?

Answer 42

No

Question 43

Who can assign the owner role?

Answer 43

Owner
User Administrator Access Role

Question 44

If a license is assigned by group, can you remove the license from a user in the group?

Answer 44

No, cannot remove without removing the group

Question 45

What does an asterisk denote in a role definition?

Answer 45

All actions

Question 46

Can you delete users or groups with assigned license?

Answer 46

Can delete a user regardless of license status
Cannot delete groups that have an assigned license

Question 47

Are administrators enabled for SSPR by default?

Answer 47

Yes, with a strong default two-gate password reset policy