Manage identities and governance in Azure Flashcards

1
Q

True or False: By default, when you create a new Azure subscription by using a Microsoft account, the subscription automatically includes a new Microsoft Entra tenant named Default Directory.

A

True

2
Q

True or false: If you subscribe to any Microsoft Online business services (for example, Microsoft 365 or Microsoft Intune), you automatically get Microsoft Entra ID with access to all the Free features.

A

True

3
Q

True or false: Within an Azure subscription, you can create a single Microsoft Entra tenant

A

False:

Within an Azure subscription, you can create multiple Microsoft Entra tenants

4
Q

An object in the ____ class contains an application definition and an object in the _____ class constitutes its instance in the current Microsoft Entra tenant.

A

An object in the Application class contains an application definition and an object in the servicePrincipal class constitutes its instance in the current Microsoft Entra tenant.
Separating these two sets of characteristics allows you to define an application in one tenant and use it across multiple tenants by creating a service principal object for this application in each tenant. Microsoft Entra ID creates the service principal object when you register the corresponding application in that Microsoft Entra tenant.

5
Q

Microsoft Entra ID doesn’t use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as ____, ____, and ____ for authentication, and uses ____ for authorization.

A

Microsoft Entra ID doesn’t use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication, and uses OAuth for authorization.

6
Q

You can’t query Microsoft Entra ID by using LDAP; instead, Microsoft Entra ID uses the ____ ____ over ____ and ____

A

You can’t query Microsoft Entra ID by using LDAP; instead, Microsoft Entra ID uses the REST API over HTTP and HTTPS

7
Q

What does a Microsoft Entra ID P2 license give you in addition to the benefits of P1?

A

Microsoft Entra ID Protection. This feature provides enhanced functionalities for monitoring and protecting user accounts. You can define user risk policies and sign-in policies. In addition, you can review users’ behavior and flag users for risk.
Microsoft Entra Privileged Identity Management. This functionality lets you configure additional security levels for privileged users such as administrators. With Privileged Identity Management, you define permanent and temporary administrators. You also define a policy workflow that activates whenever someone wants to use administrative privileges to perform some task.

8
Q

What is an alternative to deploying a site-to-site VPN or replica domain controllers as VMs in Azure to provide a way to use AD DS credentials for authentication?

A

Microsoft Entra Domain Services

9
Q

True or false: you need to deploy a domain controller in Azure to be able to use Microsoft Entra Domain Services

A

False, you do not need any domain controllers in the cloud to use Microsoft Entra Domain Services

10
Q

True or false: If you don’t have AD DS deployed locally, you cannot use Microsoft Entra Domain Services

A

False, if you don’t have AD DS deployed locally, you can choose to use Microsoft Entra Domain Services as a cloud-only service. This enables you to have similar functionality of locally deployed AD DS without having to deploy a single domain controller on-premises or in the cloud.

11
Q

Some global Azure services don’t require you to select a region. These services include _____ ___ __, ____ ___ _____ ______ _____, and _____ ____.

A

Some global Azure services don’t require you to select a region. These services include Microsoft Entra ID, Microsoft Azure Traffic Manager, and Azure DNS.

12
Q

What is another name for cross-region replication?

A

Region Pairing

13
Q

What is this service called?

Save money by paying ahead. You can pay for one year or three years of virtual machine, SQL Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying allows you to get a discount on the resources you use. Reservations can significantly reduce your virtual machine, SQL database compute, Azure Cosmos DB, or other resource costs up to 72% on pay-as-you-go prices. Reservations provide a billing discount and don’t affect the runtime state of your resources.

A

Reservations

14
Q

____ is a service in Azure that enables you to create, assign, and manage policies to control or audit your resources. These policies enforce different rules over your resource configurations so the configurations stay compliant with corporate standards.

A

Azure Policy

15
Q

One or more Azure Policy definitions are grouped into an ____, to control the scope of your policies and evaluate the compliance of your resources.

A

initiative definition

16
Q

A ___ ____ ____ describes the compliance conditions for a resource, and the actions to complete when the conditions are met

A

Azure Policy definition

17
Q

What are the 4 basic steps to create and work with policy definitions in Azure Policy?

A

Step 1: Create policy definitions
A policy definition expresses a condition to evaluate and the actions to perform when the condition is met. You can create your own policy definitions, or choose from built-in definitions in Azure Policy. You can create a policy definition to prevent VMs in your organization from being deployed, if they’re exposed to a public IP address.

Step 2: Create an initiative definition
An initiative definition is a set of policy definitions that help you track your resource compliance state to meet a larger goal. You can create your own initiative definitions, or use built-in definitions in Azure Policy. You can use an initiative definition to ensure resources are compliant with security regulations.

Step 3: Scope the initiative definition
Azure Policy lets you control how your initiative definitions are applied to resources in your organization. You can limit the scope of an initiative definition to specific management groups, subscriptions, or resource groups.

Step 4: Determine compliance
After you assign an initiative definition, you can evaluate the state of compliance for all your resources. Individual resources, resource groups, and subscriptions within a scope can be exempted from having the policy rules affect them. Exclusions are handled individually for each assignment.

18
Q

After you create your initiative definition, the next step is to ____

A

The next step is to assign the initiative to establish the scope for the policies. The scope determines what resources or grouping of resources are affected by the conditions of the policies.

19
Q

An object that represents something that requests access to resources.

A

Security principal

20
Q

A set of permissions that lists the allowed operations. Azure RBAC comes with built-in role definitions, but you can also create your own custom role definitions.

A

Role definition

21
Q

The boundary for the requested level of access, or “how much” access is granted.

A

Scope

22
Q

An assignment attaches a role definition to a security principal at a particular scope. Users can grant the access described in a role definition by creating (attaching) an assignment for the role.

A

Role assignment

23
Q
  • ____ permissions identify what actions are allowed.
  • ____ permissions specify what actions aren’t allowed.
  • ____ permissions indicate how data can be changed or used.
  • ____ permissions list the scopes where a role definition can be assigned.

A

Actions permissions identify what actions are allowed.

NotActions permissions specify what actions aren’t allowed.

DataActions permissions indicate how data can be changed or used.

AssignableScopes permissions list the scopes where a role definition can be assigned.

24
Q

What built-in role has these NotActions permissions?

  • Microsoft.Authorization/*/Delete
  • Microsoft.Authorization/*/Write
  • Microsoft.Authorization/elevateAccess/Action

A

Contributor

25
Q

What are the available ways to authenticate an SSPR reset?

A

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security questions

26
Q

What license do you need for SSPR?

A

If you’re not signed in and you’ve forgotten your password or your password has expired, you can use SSPR in Microsoft Entra ID P1 or P2.

27
Q
A