Identity and Governance Flashcards
How would you associate a number of VMs in the same resource group with their corresponding department?
Assign tags
What is needed to enforce the use of MFA and device registration for global administrators?
Azure AD conditional access policy
How do you implement Azure AD conditional access policy?
Create a new policy in the Azure portal
Set the policy to require MFA and AD device registration
Specify global administrators as the target
Specify locations that are untrusted
What do you alter in an Azure AD conditional access policy to require MFA for global administrators?
Grant control
Are you able to change the usage model (per enabled user/per authentication) after an MFA provider is created?
No
What can you assign locks and tags to?
Subscriptions
Resource groups
Resources
How do you allow users to use Azure AD Premium features?
From the Licenses section of the portal, assign a license
How would you make a user an administrator for all workstations that will be joined to the Azure AD domain?
From the Devices section of the portal, go to device settings and configure an additional local administrator
Who can add devices to a group?
The owner of the group
What can global administrators and cloud device administrators do with devices?
Manage already registered or joined devices
What are some characteristics of tags?
- A resource can have 50 tags
- Values are case-sensitive, limit of 256
- Tag names are not case-sensitive, limit of 512
- Limits are halved for storage accounts
- Not inherited by default
What command would you use for an immediate Azure AD sync?
Start-ADSyncSyncCycle -PolicyType Delta
What command initiates a full Azure AD sync?
Start-ADSyncSyncCycle -PolicyType Initial
In the Azure portal, how would you assign an administrative role to a user?
Directory > Users > Select user > Add role
What role would allow a user to create Azure apps?
Some type of contributor role
How would you access a report that details costs for each department?
Assign a tag to each resource > Subscriptions > Cost analysis, Download usage report
What happens when you move a resource from one RG to another RG in a different region?
The resource is moved but the location stays the same
What blade do you use to optimize and reduce your overall Azure spend by identifying idle/underutilized resources?
Advisor
How do you ensure an admin can invite external partners to log into the Azure AD tenant?
Users > External collaboration settings
Who is able to elevate themselves to gain access to the root management group?
Azure AD Global Administrators
Can you dynamically assign unlicensed users to a group?
Yes
Who can access traffic analytics?
Owner
Contributor
Network/Monitoring Contributor
Describe the Contributor role
Lets you manage resources but cannot manage access to them
Describe the Owner role
Grants full access to manage all resources
Allows you to assign roles in Azure RBAC
Who can assign a user the owner role?
Owner
User Access admin
How do Azure RBAC roles and Microsoft Entra ID roles work together?
They work independently
AD roles do not grant access to Azure resources and vice versa
Describe the User Access Administrator role
Can manage access but not the resources themselves
What do managed identities for Azure resources do?
Provide Azure services with an automatically managed identity in Microsoft Entra ID
What was Azure Active Directory renamed to?
Microsoft Entra ID
What do you use managed identities for?
So the identity can authenticate to any service that supports Azure AD authentication
Why might you be unable to delete a vault?
Can’t delete a vault that contains backup data
Why might you be unable to delete a VNET?
Has a Delete resource lock
What do you need to bulk delete users in Azure AD?
User principal name
What does “Append a tag and its value to resources” not apply to?
- Resources before the policy was applied, until they are changed
- Resource groups
What would you use to grant local admin permissions for people in three different offices?
Administrative units
What are administrative units useful for?
Restricting the administrative scope in independent divisions
What do you need to bulk invite guest users?
A .csv template with email addresses and a redirection URL
Or, create a PowerShell script that runs New-MgInvitation for each external user
What type of roles can be cloned?
You cannot clone built-in AD roles. You can clone built-in subscription roles
How does group-based licensing assignment work?
- Does not support nested groups
- If you apply a license to a nested group, only the immediate first-level user members of the group have the license applied
What happens when a user’s access package assignment expires?
They are removed from the group/team
Unless they have an assignment to another package that includes the same group/team
How do Microsoft 365 groups and security groups interact?
Microsoft 365 groups cannot be added in security groups
Is nesting supported for groups that can be assigned to a role?
No
Who can assign the owner role?
Owner
User Access Administrator role
If a license is assigned by group, can you remove the license from a user in the group?
No, cannot remove without removing the group
What does an asterisk denote in a role definition?
All actions
Can you delete users or groups with assigned license?
Can delete a user regardless of license status
Cannot delete groups that have an assigned license
Are administrators enabled for SSPR by default?
Yes, with a strong default two-gate password reset policy