Manage Azure Identities and Governance

Question 1

What are the two primary types of users in Azure AD ?

Answer 1

Cloud-only users

Users synchronized from an on-premises directory

Question 2

When you create a new group for users, what are the two different types of groups ?

Answer 2

Security

Microsoft 365

Question 3

What kind of role must one have in order to enable, disable, or delete devices from Azure AD ?

Answer 3

Global administrator

Question 4

What are the three options for associating devices with Azure AD ?

Answer 4

Registering a device
Joining a device
Using hybrid AD joined

Question 5

…. are joined to your on-premises Active Directory and are registered with your Azure AD tenant.

Registered devices
Joined devices
Hybrid AD joined devices

Answer 5

Hybrid AD joined devices

Question 6

When a device is a …………………………., users can sign in to the device using an organizational account instead of a personal account.

Registered device
Azure AD Joined device
Hybrid AD - Joined device

Answer 6

Azure AD–Joined

Question 7

……. is good for personal devices, where as ……. is good for corporate devices.

Registering a device
Joining a device
Using hybrid AD joined

Answer 7

Registering a device

Joining a device

Question 8

…………. a device with Azure AD allows you to manage a device’s identity by implement- ing features like single sign on (SSO) and securing access using conditional access.

Answer 8

Associating

Question 9

Match the device with the right method for associating with Azure AD

A) Personal device
B) Corporate or Enterprise device
C) On premise Active Directory device

1) Joining Azure AD
2) Registering
3) Joining Hybrid Azure AD

Answer 9

A - 2
B - 1
C - 3

Question 10

The …………………. is one of the highest cost-incurring activities for many organizations, and many organizations have dedicated front-line help desks to handle such requests.

Answer 10

Password reset

Question 11

What three possible values for Membership Types when defining a new group ?

Which ones are only available with Azure AD Premium ?

Answer 11

Assigned
Dynamic user
Dynamic Device

Dynamic user and Dynamic device are only available with Azure AD Premium

Question 12

What are the four foundational built in roles in Azure RBAC role assignments ?

Are roles customizable ?

Answer 12

Reader
Contributor
Owner
User Access Administrator

Yes, you can customize them

Question 13

When managing Azure RBAC, what are the four possible different scopes ?

Answer 13

An individual resource
A resource group
A subscription
A management group

Question 14

………….. are used to manage access and allow or restrict users to Azure resources, while …………………….. are used to allow or restrict admins to perform identity tasks, such as creating new users, reset- ting the users’ passwords, and so on.

Answer 14

RBAC roles

Azure AD administrative roles

Question 15

True or false : RBAC roles and Azure AD administrative roles are identical in Azure

Answer 15

False, not the same thing

Question 16

True of false : It is possible to create a management group under a root management group

Answer 16

True, a single tenant in Azure can support up to 10,000 management groups

Question 17

Granting a user access to the Owner role at the management group scope will grant that user Owner rights to all the subscriptions under the management group that is inclusive of all the resource groups and resources within them.

What is this principal called ?

Answer 17

RBAC inheritance

Question 18

What is understood by “security principal” when speaking about managing RBAC in Azure ? (List the 4 possibilities)

Answer 18

A user
A group of users
A service principal
A managed identity

Question 19

To make an RBAC role assignment, what three dimensions must you define?

Answer 19

The role
The security principal
The scope

Question 20

What is the limit of role assignments per subscription ?

Answer 20

2000

Question 21

What is the limit of role assignments per management group ?

Answer 21

500

Question 22

In the Azure Portal, which blade is used to manage access to resources as well as role assignments ?

Answer 22

the Access Control (IAM) blade

Question 23

True or false : The Deny Assignments tab of the Access Control (IAM) blade is used to make or alter deny assignments.

Answer 23

False - Deny assignments are set and controlled by applying a resource lock for resources created through Azure Blueprints.

Question 24

How you can set deny assignments ?

Answer 24

By applying a resource lock for resources created through Azure Blueprints

Question 25

……………………. is a default deny mechanism with an explicit allow mechanism, whereas ……………………. is a default allow mechanism with an explicit deny system.

Answer 25

Azure RBAC

Policy

Question 26

True or false: When configuring the scope while assigning a Policy or an Initiative, it is possible to exclude a subscope.

Answer 26

True

Question 27

…………………………. are a collection of Policy definitions that are focused on the same goal. They allow for a set of policies to be grouped as a single item.

Answer 27

Initiative definitions

Question 28

What are the two types of resource locks ?

Answer 28

CanNotDelete

ReadOnly

Question 29

A CanNotDelete lock is applied to a resource within a resource group.

Can you delete this resource by deleting the resource group ?

Can you delete the resource group ?

Answer 29

No

No

Question 30

True or false : Tags applied at the resource group scope are inherited by child resources.

Answer 30

False - Tags are not inherited

Question 31

To apply tags to a subscription, resource group, or resource, the user applying the tag must have ……………………. to the resource

Answer 31

write access

Question 32

Which Azure service allows automatic tagging ?

Answer 32

Azure Policy

Question 33

Why is the location of a resource group important for compliance ?

Answer 33

Because the location specifies where the metadata for the resource group is stored

Question 34

True or false : All resources in Azure must be placed in resource groups

Answer 34

False
Taken from docs.microsoft.com

“Some resources can exist outside of a resource group. These resources are deployed to the subscription, management group, or tenant. Only specific resource types are supported at these scopes.”

Question 35

What are the three classic administrator roles ?

Answer 35

Account Administrator

Service Administrator

Service Co-Administrator

Question 36

What is the difference between a Service Administrator and a Service Co-Administrator ?

Answer 36

The Service Administrator and the Service Co-Administrator have the same level access in a subscription, except that the Service Co-Administrator cannot change the association of subscriptions to Azure directories

Question 37

What RBAC role are Services Administrators and Service Co-Administrators assigned at the subscription scope ?

Answer 37

Owner

Question 38

What two main types of quotas that can be applied to a subscription ?

Answer 38

Resource quotas (limits)

Spending quotas

Question 39

Which type of quota would block a user from deploying a VM ?

Answer 39

Resource quotas (limits)

Question 40

Which type of quota would not block actions from users, but send an alert once a certain threshold has been breached ?

Answer 40

Spending quotas (limits)

Question 41

How can you raise a service limit (resource quota) ?

Answer 41

Open a support ticket specifying the request to Microsoft

Question 42

True or False : Budgets are only applied at a subscription level

Answer 42

False : They are by default set at a subscription level, but you can also apply them to a management group level

Question 43

True or false : breaking threshold for a budget will stop services from running

Answer 43

False - it will send an alert, but services will continue to run

Question 44

For Azure billing and cost management, what are the three portals available ?

Answer 44

EA Portal - Only customers with an EA agreement

Account Portal - Account owners can access this

Azure Portal / Azure cost management - All subscriptions can access this

Question 45

What is a simple way to safely allow BYOD ?

Answer 45

Register Windows 10 as a device in Azure AD

Question 46

An administrator whats to manage corporate devices, independently of users. What method should he use for Azure AD ?

Answer 46

Azure AD Join enables administrators to manage device identity independently of users.

For example, dynamic security groups can be created based on device attributes and then conditional access policies could be applied to those groups.

Question 47

…………… is a feature of Azure AD which allows administrators to control access to cloud applications through additional checks such as user location, the device the user is accessing the cloud app from, and more.

Answer 47

Conditional Access

Question 48

Each tag needs … (2 things)

Answer 48

A name

A value pair

Question 49

True or false : Tags can be applied to resources, resource groups, subscriptions, and management groups

Answer 49

False : They cannot be applied to management groups

Question 50

Within a(n) ……………………………….. , an administrator can make use of session controls to enable limited experiences within specific cloud applications.

Answer 50

Conditional Access policy

Question 51

An administrator can make use of …………………… to enable limited experiences within specific cloud applications.

Answer 51

Session controls

Question 52

In conditional access, what is the difference between grant controls and session controls ?

Answer 52

Grant controls determine who gets access to the ressources (either granting or blocking)

Session controls enable limited experiences within specific cloud applications

Question 53

What are three approaches to creating a custom RBAC role ?

Answer 53

Clone a built - in RBAC role and modify it

Start from Scratch

Start from JSON and declare permissions

Question 54

When defining a custom RBAC role, what are the four “actions” that define the permissions of the role ?

Answer 54

Actions
NotActions
DataActions
NotDataActions

Question 55

When moving resources between groups or subscriptions, what is the maximum number of resources that can be done in a single move operation ?

Answer 55

800

Question 56

True or false : It is possible to move resources between subscriptions that have different Azure AD tenants

Answer 56

False, you need to first transfer ownership of the subscription to another account.

Question 57

What are three necessary conditions for moving resource between subscriptions ?

Answer 57

1. The subscriptions must be in the same Azure AD tenant
2. The source resource must be registered in the target subscription
3. Dependant resource must be in the same resource group

Question 58

True or false : During a move operation, Write and Delete actions are blocked, but the underlying services will continue to function

Answer 58

True

Question 59

True or false : During a move operation, Write and Delete actions are blocked and all services cease to function

Answer 59

False

Question 60

When transferring a subscription to a different Azure AD tenant, what is the major risk one should be attention to ?

Answer 60

Unexpected effects on RBACs associated with either the services or subscription being moved