Manage Azure Identities and Governance Flashcards
What are the two primary types of users in Azure AD?
Cloud-only users
Users synchronized from an on-premises directory
When you create a new group for users, what are the two different types of groups?
Security
Microsoft 365
What kind of role must one have in order to enable, disable, or delete devices from Azure AD?
Global administrator
What are the three options for associating devices with Azure AD?
Registering a device
Joining a device
Using hybrid AD joined
…. are joined to your on-premises Active Directory and are registered with your Azure AD tenant.
Registered devices
Joined devices
Hybrid AD joined devices
Hybrid AD joined devices
When a device is a …………………………., users can sign in to the device using an organizational account instead of a personal account.
Registered device
Azure AD Joined device
Hybrid AD-Joined device
Azure AD–Joined
……. is good for personal devices, whereas ……. is good for corporate devices.
Registering a device
Joining a device
Using hybrid AD joined
Registering a device
Joining a device
…………. a device with Azure AD allows you to manage a device’s identity by implementing features like single sign-on (SSO) and securing access using Conditional Access.
Associating
Match the device with the right method for associating with Azure AD
A) Personal device
B) Corporate or Enterprise device
C) On-premises Active Directory device
1) Joining Azure AD
2) Registering
3) Joining Hybrid Azure AD
A - 2
B - 1
C - 3
The …………………. is one of the highest cost-incurring activities for many organizations, and many organizations have dedicated front-line help desks to handle such requests.
Password reset
What are the three possible values for Membership Type when defining a new group?
Which ones are only available with Azure AD Premium?
Assigned
Dynamic user
Dynamic device
Dynamic user and Dynamic device are only available with Azure AD Premium
What are the four foundational built-in roles in Azure RBAC role assignments?
Are roles customizable?
Reader
Contributor
Owner
User Access Administrator
Yes, you can customize them
When managing Azure RBAC, what are the four possible different scopes?
An individual resource
A resource group
A subscription
A management group
………….. are used to manage access and allow or restrict users to Azure resources, while …………………….. are used to allow or restrict admins to perform identity tasks, such as creating new users, resetting the users’ passwords, and so on.
RBAC roles
Azure AD administrative roles
True or false: RBAC roles and Azure AD administrative roles are identical in Azure
False, they are not the same thing
True or false: It is possible to create a management group under a root management group
True, a single tenant in Azure can support up to 10,000 management groups
Granting a user access to the Owner role at the management group scope will grant that user Owner rights to all the subscriptions under the management group that is inclusive of all the resource groups and resources within them.
What is this principle called?
RBAC inheritance
What is meant by “security principal” when speaking about managing RBAC in Azure? (List the 4 possibilities)
A user
A group of users
A service principal
A managed identity
To make an RBAC role assignment, what three dimensions must you define?
The role
The security principal
The scope
What is the limit of role assignments per subscription?
2000
What is the limit of role assignments per management group?
500
In the Azure Portal, which blade is used to manage access to resources as well as role assignments?
The Access Control (IAM) blade
True or false: The Deny Assignments tab of the Access Control (IAM) blade is used to make or alter deny assignments.
False - Deny assignments are set and controlled by applying a resource lock for resources created through Azure Blueprints.
How can you set deny assignments?
By applying a resource lock for resources created through Azure Blueprints
……………………. is a default deny mechanism with an explicit allow mechanism, whereas ……………………. is a default allow mechanism with an explicit deny system.
Azure RBAC
Policy
True or false: When configuring the scope while assigning a Policy or an Initiative, it is possible to exclude a subscope.
True
…………………………. are a collection of Policy definitions that are focused on the same goal. They allow for a set of policies to be grouped as a single item.
Initiative definitions
What are the two types of resource locks?
CanNotDelete
ReadOnly
A CanNotDelete lock is applied to a resource within a resource group.
Can you delete this resource by deleting the resource group?
Can you delete the resource group?
No
No
True or false: Tags applied at the resource group scope are inherited by child resources.
False - Tags are not inherited
To apply tags to a subscription, resource group, or resource, the user applying the tag must have ……………………. to the resource
write access
Which Azure service allows automatic tagging?
Azure Policy
Why is the location of a resource group important for compliance?
Because the location specifies where the metadata for the resource group is stored
True or false: All resources in Azure must be placed in resource groups
False
Taken from docs.microsoft.com
“Some resources can exist outside of a resource group. These resources are deployed to the subscription, management group, or tenant. Only specific resource types are supported at these scopes.”
What are the three classic administrator roles?
Account Administrator
Service Administrator
Service Co-Administrator
What is the difference between a Service Administrator and a Service Co-Administrator?
The Service Administrator and the Service Co-Administrator have the same level of access in a subscription, except that the Service Co-Administrator cannot change the association of subscriptions to Azure directories
What RBAC role are Service Administrators and Service Co-Administrators assigned at the subscription scope?
Owner
What are the two main types of quotas that can be applied to a subscription?
Resource quotas (limits)
Spending quotas
Which type of quota would block a user from deploying a VM?
Resource quotas (limits)
Which type of quota would not block actions from users, but send an alert once a certain threshold has been breached?
Spending quotas (limits)
How can you raise a service limit (resource quota)?
Open a support ticket specifying the request to Microsoft
True or false: Budgets are only applied at a subscription level
False: They are by default set at a subscription level, but you can also apply them at a management group level
True or false: Breaching the threshold for a budget will stop services from running
False - it will send an alert, but services will continue to run
For Azure billing and cost management, what are the three portals available?
EA Portal - Only customers with an EA agreement
Account Portal - Account owners can access this
Azure Portal / Azure cost management - All subscriptions can access this
What is a simple way to safely allow BYOD?
Register Windows 10 as a device in Azure AD
An administrator wants to manage corporate devices independently of users. What method should he use for Azure AD?
Azure AD Join enables administrators to manage device identity independently of users.
For example, dynamic security groups can be created based on device attributes and then conditional access policies could be applied to those groups.
…………… is a feature of Azure AD which allows administrators to control access to cloud applications through additional checks such as user location, the device the user is accessing the cloud app from, and more.
Conditional Access
Each tag needs … (2 things)
A name
A value pair
True or false: Tags can be applied to resources, resource groups, subscriptions, and management groups
False: They cannot be applied to management groups
Within a(n) ……………………………….. , an administrator can make use of session controls to enable limited experiences within specific cloud applications.
Conditional Access policy
An administrator can make use of …………………… to enable limited experiences within specific cloud applications.
Session controls
In Conditional Access, what is the difference between grant controls and session controls?
Grant controls determine who gets access to the resources (either granting or blocking)
Session controls enable limited experiences within specific cloud applications
What are three approaches to creating a custom RBAC role?
Clone a built-in RBAC role and modify it
Start from Scratch
Start from JSON and declare permissions
When defining a custom RBAC role, what are the four “actions” that define the permissions of the role?
Actions
NotActions
DataActions
NotDataActions
When moving resources between groups or subscriptions, what is the maximum number of resources that can be moved in a single move operation?
800
True or false: It is possible to move resources between subscriptions that have different Azure AD tenants
False, you need to first transfer ownership of the subscription to another account.
What are three necessary conditions for moving resources between subscriptions?
- The subscriptions must be in the same Azure AD tenant
- The source resource must be registered in the target subscription
- Dependent resources must be in the same resource group
True or false: During a move operation, Write and Delete actions are blocked, but the underlying services will continue to function
True
True or false: During a move operation, Write and Delete actions are blocked and all services cease to function
False
When transferring a subscription to a different Azure AD tenant, what is the major risk one should pay attention to?
Unexpected effects on the RBAC role assignments associated with either the services or the subscription being moved