Manage identities and governance in Azure Flashcards
True or False: By default, when you create a new Azure subscription by using a Microsoft account, the subscription automatically includes a new Microsoft Entra tenant named Default Directory.
True
True or false: If you subscribe to any Microsoft Online business services (for example, Microsoft 365 or Microsoft Intune), you automatically get Microsoft Entra ID with access to all the Free features.
True
True or false: Within an Azure subscription, you can create only a single Microsoft Entra tenant.
False.
Within an Azure subscription, you can create multiple Microsoft Entra tenants. Note, however, that a given subscription trusts exactly one tenant at a time for authenticating its users and service principals.
An object in the ____ class contains an application definition and an object in the _____ class constitutes its instance in the current Microsoft Entra tenant.
An object in the Application class contains an application definition and an object in the servicePrincipal class constitutes its instance in the current Microsoft Entra tenant.
Separating these two sets of characteristics allows you to define an application in one tenant and use it across multiple tenants by creating a service principal object for this application in each tenant. Microsoft Entra ID creates the service principal object when you register the corresponding application in that Microsoft Entra tenant.
Microsoft Entra ID doesn’t use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as ____, ____, and ____ for authentication, and uses ____ for authorization.
Microsoft Entra ID doesn’t use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication, and uses OAuth for authorization.
You can’t query Microsoft Entra ID by using LDAP; instead, Microsoft Entra ID uses the ____ ____ over ____ and ____.
You can’t query Microsoft Entra ID by using LDAP; instead, Microsoft Entra ID uses the REST API over HTTP and HTTPS.
What does a Microsoft Entra ID P2 license give you in addition to the benefits of P1?
Microsoft Entra ID Protection. This feature provides enhanced functionalities for monitoring and protecting user accounts. You can define user risk policies and sign-in policies. In addition, you can review users’ behavior and flag users for risk.
Microsoft Entra Privileged Identity Management. This functionality lets you configure additional security levels for privileged users such as administrators. With Privileged Identity Management, you define permanent and temporary administrators. You also define a policy workflow that activates whenever someone wants to use administrative privileges to perform some task.
What is an alternative to deploying a site-to-site VPN or replica domain controllers as VMs in Azure to provide a way to use AD DS credentials for authentication?
Microsoft Entra Domain Services
True or false: you need to deploy a domain controller in Azure to be able to use Microsoft Entra Domain Services.
False, you do not need any domain controllers in the cloud to use Microsoft Entra Domain Services
True or false: If you don’t have AD DS deployed locally, you cannot use Microsoft Entra Domain Services
False, if you don’t have AD DS deployed locally, you can choose to use Microsoft Entra Domain Services as a cloud-only service. This enables you to have similar functionality of locally deployed AD DS without having to deploy a single domain controller on-premises or in the cloud.
Some Azure services are global and don’t require you to select a region. These services include _____ ___ __, ____ ___ _____ ______ _____, and _____ ____.
Some Azure services are global and don’t require you to select a region. These services include Microsoft Entra ID, Microsoft Azure Traffic Manager, and Azure DNS.
What is another name for cross-region replication?
Region Pairing
What is this service called?
Save money by paying ahead. You can pay for one year or three years of virtual machine, SQL Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying allows you to get a discount on the resources you use. Reservations can significantly reduce your virtual machine, SQL database compute, Azure Cosmos DB, or other resource costs up to 72% on pay-as-you-go prices. Reservations provide a billing discount and don’t affect the runtime state of your resources.
Reservations
____ ____ is a service in Azure that enables you to create, assign, and manage policies to control or audit your resources. These policies enforce different rules over your resource configurations so the configurations stay compliant with corporate standards.
Azure Policy
One or more Azure policy definitions are grouped into an ____ , to control the scope of your policies and evaluate the compliance of your resources.
initiative definition
A ___ ____ ____ describes the compliance conditions for a resource, and the actions to complete when the conditions are met.
Azure Policy definition
What are the 4 basic steps to create and work with policy definitions in Azure Policy?
Step 1: Create policy definitions
A policy definition expresses a condition to evaluate and the actions to perform when the condition is met. You can create your own policy definitions, or choose from built-in definitions in Azure Policy. You can create a policy definition to prevent VMs in your organization from being deployed, if they’re exposed to a public IP address.
Step 2: Create an initiative definition
An initiative definition is a set of policy definitions that help you track your resource compliance state to meet a larger goal. You can create your own initiative definitions, or use built-in definitions in Azure Policy. You can use an initiative definition to ensure resources are compliant with security regulations.
Step 3: Scope the initiative definition
Azure Policy lets you control how your initiative definitions are applied to resources in your organization. You can limit the scope of an initiative definition to specific management groups, subscriptions, or resource groups.
Step 4: Determine compliance
After you assign an initiative definition, you can evaluate the state of compliance for all your resources. Individual resources, resource groups, and subscriptions within a scope can be excluded so that the policy rules don’t affect them. Exclusions are handled individually for each assignment.
After you create your initiative definition, the next step is to ____
The next step is to assign the initiative to establish the scope for the policies. The scope determines what resources or grouping of resources are affected by the conditions of the policies.
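The four steps above, worked through as runnable code. This is an added example, not Azure's own evaluation engine: it models a subset of the policy rule grammar (allOf/anyOf/not, and field conditions with equals/notEquals/exists/in), resolves `field` as a simple dotted path rather than a full alias, and only knows the deny and audit effects. The subscription ID, resource IDs, policy definitions and resources are all constructed sample data.

```python
"""Minimal model of how Azure Policy evaluates an initiative assignment.
Added example with a simplified rule grammar; all data below is constructed."""
from typing import Any

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

# Step 1: two policy definitions (constructed, modelled on common built-ins).
DENY_PUBLIC_IPS = {
    "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
    "then": {"effect": "deny"},
}
AUDIT_HTTP_STORAGE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "properties.supportsHttpsTrafficOnly", "notEquals": "true"},
    ]},
    "then": {"effect": "audit"},
}
# Step 2: the initiative groups the definitions toward one goal.
INITIATIVE = [DENY_PUBLIC_IPS, AUDIT_HTTP_STORAGE]
# Step 3: the assignment fixes the scope, here with one excluded scope (notScopes).
ASSIGNMENT = {
    "scope": f"{SUB}/resourceGroups/prod",
    "notScopes": [
        f"{SUB}/resourceGroups/prod/providers/Microsoft.Network/publicIPAddresses/pip-bastion",
    ],
}
RESOURCES = [  # constructed resource documents, as the evaluator would see them
    {"id": f"{SUB}/resourceGroups/prod/providers/Microsoft.Network/publicIPAddresses/pip-web",
     "type": "Microsoft.Network/publicIPAddresses"},
    {"id": f"{SUB}/resourceGroups/prod/providers/Microsoft.Network/publicIPAddresses/pip-bastion",
     "type": "Microsoft.Network/publicIPAddresses"},
    {"id": f"{SUB}/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/stprodlogs",
     "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"id": f"{SUB}/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/stprodsecure",
     "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"id": f"{SUB}/resourceGroups/dev/providers/Microsoft.Network/publicIPAddresses/pip-dev",
     "type": "Microsoft.Network/publicIPAddresses"},
]


def get_field(resource: dict, field: str) -> Any:
    """Resolve a 'field' reference as a dotted path (simplification of Azure aliases)."""
    node: Any = resource
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_condition(cond: dict, resource: dict) -> bool:
    """Recursively evaluate an 'if' block; value comparisons are case-insensitive strings."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return str(value).lower() != str(cond["notEquals"]).lower()
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(resource_id: str, scope: str) -> bool:
    """A scope covers itself and everything beneath it in the resource hierarchy."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def evaluate_assignment(assignment: dict, initiative: list, resources: list) -> dict:
    """Step 4: compliance state per resource ID for one initiative assignment.
    Resources outside the assignment scope are never evaluated; resources under a
    notScope are excluded for this assignment only. Otherwise the strongest effect
    that fires wins (deny over audit), or the resource is compliant."""
    rank = {"audit": 1, "deny": 2}
    states = {}
    for r in resources:
        rid = r["id"]
        if not in_scope(rid, assignment["scope"]):
            states[rid] = "out-of-scope"
        elif any(in_scope(rid, ns) for ns in assignment.get("notScopes", [])):
            states[rid] = "excluded"
        else:
            fired = [p["then"]["effect"].lower()
                     for p in initiative if evaluate_condition(p["if"], r)]
            states[rid] = max(fired, key=rank.__getitem__) if fired else "compliant"
    return states


if __name__ == "__main__":
    for rid, state in evaluate_assignment(ASSIGNMENT, INITIATIVE, RESOURCES).items():
        print(f"{state:13} {rid.rsplit('/', 1)[-1]}")
```

Running it shows the point of step 3 and step 4 together: the public IP in the dev resource group is never evaluated because it is outside the assignment scope, the bastion public IP is excluded only for this assignment, and a second assignment of the same initiative at subscription scope would catch both.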
An object that represents something that requests access to resources.
Security principal
A set of permissions that lists the allowed operations. Azure RBAC comes with built-in role definitions, but you can also create your own custom role definitions.
Role definition
The boundary for the requested level of access, or “how much” access is granted.
Scope
An assignment attaches a role definition to a security principal at a particular scope. Users can grant the access described in a role definition by creating (attaching) an assignment for the role.
Role assignment
- ____ permissions identify what actions are allowed.
- ____ permissions specify what actions aren’t allowed.
- ____ permissions indicate how data can be changed or used.
- ____ permissions list the scopes where a role definition can be assigned.
Actions permissions identify what actions are allowed.
NotActions permissions specify what actions aren’t allowed.
DataActions permissions indicate how data can be changed or used.
AssignableScopes permissions list the scopes where a role definition can be assigned.
What built-in role has these NotActions permissions?
- Microsoft.Authorization/*/Delete
- Microsoft.Authorization/*/Write
- Microsoft.Authorization/elevateAccess/Action
Contributor
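How the four role-definition fields combine at authorization time, as an added example (not Azure's authorization engine): Actions minus NotActions within a single role, the result unioned across the principal's role assignments whose scope contains the resource, with AssignableScopes checked when the assignment is created. The model is simplified: `*` matches any characters including `/`, matching is case-insensitive, and deny assignments and ABAC conditions are ignored. The Contributor definition uses the NotActions from the flashcard above; the "Example Role Assigner" custom role, the principals and the subscription ID are constructed.

```python
"""Effective Azure RBAC permission check from Actions, NotActions, DataActions
and AssignableScopes. Added example with a simplified matching model."""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

# Built-in Contributor: everything, minus the NotActions listed on the flashcard.
CONTRIBUTOR = {
    "roleName": "Contributor",
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "dataActions": [],
    "notDataActions": [],
    "assignableScopes": ["/"],
}
# Constructed custom role (hypothetical, not a built-in) that can write role assignments.
ROLE_ASSIGNER = {
    "roleName": "Example Role Assigner",
    "actions": ["Microsoft.Authorization/roleAssignments/write"],
    "notActions": [],
    "dataActions": [],
    "notDataActions": [],
    "assignableScopes": [SUB],
}


def matches(pattern: str, operation: str) -> bool:
    """Compare an operation string against an Actions entry with '*' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def in_scope(parent: str, child: str) -> bool:
    """True when 'child' is 'parent' or lies beneath it; '/' is the root scope."""
    p, c = parent.lower().rstrip("/"), child.lower().rstrip("/")
    return p == "" or c == p or c.startswith(p + "/")


def role_allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """One role's effective permission: Actions minus NotActions on the control
    plane, DataActions minus NotDataActions on the data plane. The planes never
    mix, so '*' in Actions grants no data operation."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    granted = any(matches(p, operation) for p in role[allow])
    subtracted = any(matches(p, operation) for p in role[deny])
    return granted and not subtracted


def assign(role: dict, principal: str, scope: str) -> dict:
    """Create a role assignment, refusing scopes outside the role's AssignableScopes."""
    if not any(in_scope(s, scope) for s in role["assignableScopes"]):
        raise ValueError(f"{role['roleName']} is not assignable at {scope}")
    return {"role": role, "principal": principal, "scope": scope}


def is_authorized(assignments: list, principal: str, operation: str,
                  resource: str, data_plane: bool = False) -> bool:
    """Union across the principal's assignments whose scope contains the resource.
    NotActions is not a deny: an operation subtracted from one role is still
    allowed when another assignment at a covering scope grants it."""
    return any(a["principal"] == principal and in_scope(a["scope"], resource)
               and role_allows(a["role"], operation, data_plane)
               for a in assignments)


ASSIGNMENTS = [  # constructed
    assign(CONTRIBUTOR, "alice", SUB),
    assign(CONTRIBUTOR, "bob", SUB),
    assign(ROLE_ASSIGNER, "bob", f"{SUB}/resourceGroups/prod"),
]

if __name__ == "__main__":
    vm = f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm1"
    print(is_authorized(ASSIGNMENTS, "alice", "Microsoft.Compute/virtualMachines/write", vm))
    print(is_authorized(ASSIGNMENTS, "alice", "Microsoft.Authorization/roleAssignments/write", vm))
    print(is_authorized(ASSIGNMENTS, "bob", "Microsoft.Authorization/roleAssignments/write", vm))
```

The security-relevant behaviour to notice: alice, a Contributor, cannot create role assignments anywhere, but bob, who holds the same Contributor role plus a narrow custom role on one resource group, can, because NotActions only carves the operation out of Contributor and does nothing to stop another assignment from granting it. Only a deny assignment (not modelled here) actually blocks an operation.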
What are the available ways to authenticate an SSPR reset?
- Mobile app notification
- Mobile app code
- Email
- Mobile phone
- Office phone
- Security questions
What license do you need for SSPR?
If you’re not signed in and you’ve forgotten your password or your password has expired, you can use SSPR in Microsoft Entra ID P1 or P2.