Manage Azure identities and governance

Question 1

AAD: Identity

Answer 1

an object that can be authenticated. The identity can be a user with a username and password. Identities can also be applications or other servers that require authentication by using secret keys or certificates. Azure AD is the underlying product that provides the identity service.

Question 2

AAD: an identity that has data associated with it.

Answer 2

Account

Question 3

Azure AD account

Answer 3

an identity that’s created through AAD or another Microsoft cloud services such as 365. Also referred to as a work/school account.

Question 4

Azure Tenant (Directory)

Answer 4

A single dedicated and trusted instance of Azure AD.

Question 5

AD DS

Answer 5

Active Directory Domain Services- remember this is for managing OU’s on premise

Question 6

Communication used for Azure AD

Answer 6

HTTPS and HTTP, unlike standard AD which uses kerberos.

Question 7

Does Azure AD have OU’s or GPO’s

Answer 7

NO

Question 8

Is Azure AD a managed service

Answer 8

Yes: You only manage users, groups, and policies.

Question 9

AAD Free tier

Answer 9

Single Sign on, B2B. Core identity and access management.

Question 10

AAD 365 tier

Answer 10

Includes all on free tier + identity and access management for 365 apps

Question 11

License type: Allows hybrid users, self services groups, dynamic groups

Answer 11

AAD P1

Question 12

License Type: Identity Protection and Identity management

Answer 12

AAD P2

Question 13

Changes the local state of your device to allow users to sign into the device by using an organizational work or school account instead of a personal account

Answer 13

Azure Join (device)

Question 14

Azure register (device)

Answer 14

Azure AD device registration provides the device with an identity that’s used to authenticate the device when a user signs into Azure AD. BYOD is mentioned in regards to this as well.

Question 15

What does SSPR (self service password reset) require?

Answer 15

Global Administration privileges

Question 16

which 3 options are available for SSPR in terms of users enabled

Answer 16

All, Selected, None

Question 17

MFA SSPR options?

Answer 17

Email, text, security code sent to mobile or office phone, Set of Security questions

Question 18

Cloud Identity

Answer 18

a user account defined only in AAD.

Question 19

Directory Synced Identity

Answer 19

A user whom originated in an on premise Active Directory and has been synced to azure via azure AD connect

Question 20

Guest user

Answer 20

User added to ad tenant from outside organization

Question 21

What types of users have rights to add or manage users in AAD

Answer 21

Global administrators or user administrators

Question 22

What are the two types of groups you can create in AAD

Answer 22

Security groups and Microsoft 365 groups

Question 23

Dynamic device

Answer 23

(Security groups only) Apply dynamic group rules to automatically add and remove devices in security groups. When device attributes change, Azure reviews the dynamic group rules for the directory. If the device attributes meet the rule requirements, the device is added to the security group. If the device attributes no longer meet the rule requirements, the device is removed.

Question 24

(user.jobTitle -eq “Cloud Administrator”)

Answer 24

Dynamic User query where any user with the job title equaling cloud administrator is added to the group

Question 25

Which Azure AD role enables a user to manage all groups in your Teams tenants, and also assign other admin roles?

Answer 25

Global Administrator

Question 26

4 ways to obtain an azure subscription

Answer 26

Enterprise agreement, partner, reseller, free

Question 27

4 types of subs

Answer 27

free, enterprise, student, pay as you go

Question 28

what section is used to monitor subscription billing and resource usage

Answer 28

Cost Management (Subscriptions)

Question 29

What is the maximum amount of tags for a resource or resource group

Answer 29

50

Question 30

are tags applied to a resource group inherited by resources in that group?

Answer 30

no

Question 31

What is a reservation

Answer 31

Allows you to purchase a virtual machine or other resource for 1 or 3 years to lock in the pricing

Question 32

the term data residency may or may not come up but you should associate it with what azure term

Answer 32

Region

Question 33

What is a management groups purpose

Answer 33

to manage multiple subscriptions

Question 34

How many levels of structure can a management group maintain (think of it as a tree with the resource group at the top and departments corresponding to subscriptions managed

Answer 34

6

Question 35

do the subscriptions and submanagement groups inherit the parent level conditions

Answer 35

yes

Question 36

what is a policy definition

Answer 36

expresses a condition to evaluate and the actions to perform when the condition is met. for example, you can create a policy definition to prevent VMs in your org from being deployed if they are exposed to a public IP

Question 37

What is a initiative definition

Answer 37

a set of policy Definitions that you track your resource compliance state to meet a larger goal. Use this to ensure resource compliance with security regulations

Question 38

what can you limit the scope to for the initiative definition

Answer 38

Management group, subscription, resource group

Question 39

What is the process for reapplying a initiative definition for resources created prior to the definition

Answer 39

remediation

Question 40

RBAC: What is a security principal

Answer 40

An object that represents something that requests access to resources such as a user or service principal

Question 41

hierarchy of RBAC

Answer 41

Assignment attaches a role definition to a security principal at a particular scope

Question 42

Action permissions and notactions permissions for 3 default roles

Answer 42

Owner
*
n/a

Contributor
*
-Microsoft.Authorization//Delete
- Microsoft.Authorization//Write
- Microsoft.Authorization/elevateAccess/Action

Reader
/*/read
n/a

Question 42

Compare RBAC to AAD admin roles: Access Management

Answer 42

AAD only manages access to azure ad resources, where as rbac manages all azure resources

Question 43

Compare RBAC to AAD admin roles: Scope Assignment

Answer 43

for AD, scope is defined at the tenant level, where rbac allow scope up to management groups down to resources

Question 44

Compare RBAC to AAD admin roles: Role Definitions

Answer 44

RBAC :roles defined via portal, azure clie, powershell, ARM templates and rest API

AAD: Defined via azure admin portal, 365 admin portal, and powershell

Question 45

is global administrator an azure ad role or a rbac role?

Answer 45

Azure AD- Remember office 365 roles are similar to azure AD roles

Question 46

briefly describe azure ad federation

Answer 46

A federation is where you have a trust established with another organization, or a collection of domains, for shared access to a set of resources.

Question 47

Azure Service to review logs for alll activity at a management/subscription level

Answer 47

activity logs

Question 48

What tool provides the ability to query, identify, and remediate the majority of object sync errors in windows server AD in prep for deployment to microsoft 365

Answer 48

idFIX