Manage identities and governance in Azure

Question 1

What cloud service model does Microsoft Entra ID fall under?

Answer 1

Platform as a service (PaaS)

Question 2

What is the function of Microsoft Entra ID?

Answer 2

Microsoft-managed directory service in the cloud.

Question 3

What are the advantages of Microsoft Entra ID compared to AD DS?

Answer 3

MFA, SSO, identity protection, and self-service password reset.

Question 4

How does Microsoft Entra ID differ to AD DS?

Answer 4

Focused on providing IAM services to web-based apps, unlike AD DS, which is more focused on on-premises apps.

Question 5

What is an Entra ID domain referred to as?

Answer 5

A tenant.

Question 6

Are organizations able to create multiple Entra ID tenants under a single subcription?

Answer 6

Yes.

Question 7

Must an Azure subscription be associated with an Entra tenant?

Answer 7

Yes; Every Azure subscription must be associated with only one Microsoft Entra tenant.

Question 8

Can a single Entra tenant be associated with multiple Azure subscirptons?

Answer 8

Yes; Allows you to use the same users, groups, and applications to manage resources across multiple Azure subscriptions.

Question 9

Does an Entra tenant have a DNS name?

Answer 9

Yes; Each Microsoft Entra tenant is assigned the default DNS name, consisting of a unique prefix.

Question 10

What is the prefix of an Entra tenant DNS name?

Answer 10

The prefix is the name derived from the Microsoft account used to create an Azure subscription or provided explicitly when creating an Entra tenant.

Question 11

What is the full DNS naming convention of an Entra tenant?

Answer 11

“prefix.onmicrosoft.com”

Question 12

What is the purpose of Entra ID?

Answer 12

Acts as a security boundary and a container for Microsoft Entra objects such as users, groups, and applications.

Question 13

Describe the structure of Entra ID

Answer 13

Users and groups are created in a flat structure not a hierarchy, and there are no OUs or GPOs.

Question 14

What protocol(s) does Entra ID use for communication and authentication/authorizatoin?

Answer 14

HTTP/HTTPs via SAML, OAuth, etc.

Question 15

How is the Entra ID directory service queried?

Answer 15

Uses the REST API over HTTP and HTTPS instead of LDAP(s)

Question 16

Aside from the free instances of Entra ID that come with O365, what are the two versions of Entra ID?

Answer 16

Microsoft Entra ID P1 or P2

Question 17

What are the two ways an organization can implement an Entra ID license?

Answer 17

You can procure it as an extra license or as a part of the Microsoft Enterprise Mobility + Security.

Question 18

Define ‘Microsoft Identity Manager (MIM)’

Answer 18

Hybrid identity solution; Can bridge on-premises authentication stores such as AD DS, LDAP, Oracle, etc., with Microsoft Entra ID.

Question 19

How does Entra ID P2 differ from P1?

Answer 19

1. Microsoft Entra ID Protection
2. Microsoft Entra Privileged Identity Management

Question 20

What SLA does Microsoft guarantee for Entra ID?

Answer 20

Guaranteed at least 99.9% availability.

Question 21

Define ‘Microsoft Entra ID Protection’

Answer 21

Provides enhanced functionalities for monitoring and protecting user accounts; Define user risk policies and sign-in policies.

Question 22

Define Microsoft Entra Privileged Identity Management.’

Answer 22

Lets you configure additional security levels for privileged users such as administrators.

Question 23

What are the 3 types of supported user accounts in Entra ID?

Answer 23

1. Cloud identity
2. Directory-synchronized identity
3. Guest user

Question 24

Define a ‘Cloud identity’ user account type

Answer 24

A user account defined only in Microsoft Entra ID.

Question 25

Define a ‘Directory-synchronized identity’ user account type

Answer 25

User accounts that are initially defined in an on-premises Active Directory synchronized through Entra Connect.

Question 26

Define a ‘Guest user’ account type

Answer 26

Defined outside Azure.

Question 27

What is the purpose of a guest user?

Answer 27

Useful when external vendors or contractors need access to your Azure resources.

Question 28

Where is info and settings that describe a user stored?

Answer 28

In the user account profile.

Question 29

What are the two types of groups used to organize user accounts?

Answer 29

1. Security groups
2. Microsoft 365 groups

Question 30

Define a ‘Microsoft 365 group’

Answer 30

Provide collaboration opportunities; Access to a shared mailbox, calendar, files, SharePoint site, and more.

Question 31

Describe a ‘Security group’ and its purpose

Answer 31

Used to manage access to resources based on user/device membership.

Question 32

What is best practice for configuring user access to resources?

Answer 32

Use security groups to set permissions for all group members at the same time, rather than adding permissions to each member individually.

Question 33

What is best practice for configuring guest access to resrouces?

Answer 33

Add Microsoft 365 groups to enable group access for guest users.

Question 34

What are the 3 access designation methods that can be used to determine user/device group membership?

Answer 34

1. Assigned
2. Dynamic user
3. Dynamic device

Question 35

Define an ‘assigned’ access right

Answer 35

Members of a group must be assigned manually.

Question 36

Define a ‘dynamic user’ access right

Answer 36

Dynamic membership rules automatically add and remove group members based on user attributes.

Question 37

Define a ‘dynamic device’ access right

Answer 37

Dynamic membership rules automatically add and remove group members devices based on user attributes.

Question 38

Can a dynamic device membership rule be applied to a Microsoft 365 group?

Answer 38

No; Security groups only.

Question 39

What is the purpose of an administrative unit?

Answer 39

For the division of roles and responsibilities.

Question 40

Define a ‘region’

Answer 40

A geographical area on the planet containing at least one, but potentially multiple datacenters.

Question 41

How many Azure regions are there?

Answer 41

Over 60

Question 42

What is Azure’s preferred distance between region pairs?

Answer 42

At least 300 miles.

Question 43

What Azure services don’t require a region/location?

Answer 43

Microsoft Entra ID, Microsoft Azure Traffic Manager, and Azure DNS.

Question 44

When deploying a service, what is to be considered when selecting a region?

Answer 44

Some services or Azure Virtual Machines features are available only in certain regions.

Question 45

Define an ‘Azure subscripton’

Answer 45

A logical unit of Azure services that’s linked to an Azure account.

Question 46

Can subscriptions have different billing and payment configurations?

Answer 46

Yes.

Question 47

Can multiple Azure accounts be linked to the same subscription?

Answer 47

Yes.

Question 48

What are the 3 ways to procure an Azure subscription?

Answer 48

1. Enterprise agreement (EA)
2. Microsoft reseller
3. Microsoft partner

Question 49

What are the most common subscription types?

Answer 49

Free, Pay-As-You-Go, Enterprise Agreement, and Student.

Question 50

Define an ‘Enterprise agreement’

Answer 50

Suited for large organizations; Provides flexibility to buy cloud services and software licenses under one agreement; Comes with discounts and Software Assurance.

Question 51

What does a resource tag consist of?

Answer 51

Each resource tag has a name and a value.

Question 52

What is the max number of tags a resource/resource group can have?

Answer 52

Maximum of 50 tag name/value pairs.

Question 53

Are tags applied to a resource group inherited by the resources in the group?

Answer 53

No.

Question 54

Define ‘Azure Policy’

Answer 54

Service in Azure that enables you to create, assign, and manage policies to control or audit your resources.

Question 55

What is the purpose of Azure Policy?

Answer 55

Enforce different rules over your resource configurations so the configurations stay compliant with corporate standards and SLAs.

Question 56

What is the purpose of an Azure management group?

Answer 56

Provide a governance scope above subscriptions; Manage access, policy, and compliance across your subscriptions.

Question 57

When a new subscription is procured, where is it logically located?

Answer 57

By default, all new subscriptions are allocated to the root management group.

Question 58

Are policies inherited within a management group?

Answer 58

Yes; All subscriptions within a management group automatically inherit the conditions applied to that management group.

Question 59

Is a management group hierarchal?

Answer 59

Yes; A management group tree can support up to six levels of depth.

Question 60

How are management groups identified?

Answer 60

A management group has a directory unique identifier (ID) and a display name.

Question 61

Can the UID for a management group be changed?

Answer 61

No.

Question 62

Can Azure Policy perform remediation?

Answer 62

Yes; Conduct real-time remediation, and remediation on your existing resources.

Question 63

Define a ‘policy definition’

Answer 63

The compliance conditions for a resource, and the actions to complete when the conditions are met.

Question 64

Define an ‘initiative definition’

Answer 64

A set of policy definitions that help you track your resource compliance state to meet a larger goal.

Question 64

What are the 3 steps to create an azure policy?

Answer 64

1. Create policy definitions
2. Create an initiative definition
3. Define the scope of initiative definition

Question 64

What are the two policy definition offerings?

Answer 64

1. built-in policy definitions
2. new/created policy definitions

Question 65

To satisfy the finance team’s request for billing by department, multiple resource groups have been created and the resource tags applied. What’s the next step?

Answer 65

Create an Azure policy; An Azure policy requires that a resource tag is applied before the resource is created.

Question 66

Define a ‘Security principal’

Answer 66

An object that requests access to resources; User, group, service principal.

Question 67

Define a ‘Role definition’

Answer 67

A set of permissions that lists the allowed operations; Reader, Contributor, Owner, User Access Administrator.

Question 68

Define an ‘RBAC scope’

Answer 68

The boundary for the requested level of access, or “how much” access is granted; Management group, subscription, resource group, resource

Question 69

What does a ‘role definition’ consist of?

Answer 69

Sets of permissions that are defined in a JSON file; Each permission set has its own name.

Question 70

What does an asterisk in in a role definition JSON file represent?

Answer 70

The asterisk “*” wildcard means “all” permissions.

Question 71

What built-in role has the highest level of access in Azure?

Answer 71

Owner

Question 72

In a role definition JSON file, how is effective permissions determined?

Answer 72

The system subtracts NotActions permissions from Actions permissions.

Question 73

In a role definition JSON file, what permission set determines granted access?

Answer 73

Actions.

Question 74

In a role definition JSON file, what permission set determines denied access?

Answer 74

NotActions.

Question 75

In a role definition JSON file, what permission set defines the scope; where the role definition is applied?

Answer 75

The AssignableScopes permission set; Can be management groups, subscriptions, resource groups, or resources.

Question 76

Define ‘role assignment’

Answer 76

The process of scoping a role definition to limit permissions for a requestor, such as a user, group, service principal, or managed identity.

Question 77

Define ‘Microsoft Entra admin roles’

Answer 77

Used to manage resources in Microsoft Entra ID, such as users, groups, and domains.

Question 78

Define ‘Azure RBAC roles’

Answer 78

Provide more granular access management for Azure resources.

Question 79

Define the contributor RBAC

Answer 79

The Contributor role can create and manage all types of Azure resources. This role can’t grant access to others.

Question 80

Define the User Access Administrator RBAC

Answer 80

The User Access Administrator role can manage user access to Azure resources.

Question 81

Define a member user

Answer 81

Native member of the Microsoft Entra organization that has a set of default permissions.

Question 82

What is the Azure CLI command to create a new user?

Answer 82

az ad user create

Question 83

What is the PowerShell command to create a new user?

Answer 83

New-MgUser

Question 84

What is the Azure CLI command to delete a user?

Answer 84

az ad user delete

Question 85

What is the PowerShell command to delete a new user?

Answer 85

Remove-MgUser

Question 86

What are the 3 ways to assign access rights?

Answer 86

1. Direct assignment: Assign a user the required access
2. Group assignment: Assign a group the required access rights
3. Rule-based assignment

Question 87

By default, who can grant guest user access?

Answer 87

Users and administrators in Microsoft Entra ID can invite guest users, but the Global Administrator can limit or disable this ability.

Question 88

What is the advantage of Microsoft Entra B2B instead of federation?

Answer 88

With Microsoft Entra B2B, you don’t take on the responsibility of managing and authenticating partners’ credentials and identities.

Question 89

How do Azure subscriptions manage access?

Answer 89

The subscriptions use Microsoft Entra ID for single sign-on (SSO) and access management.

Question 90

What is Azure RABC built on?

Answer 90

An authorization system built on Azure Resource Manager that provides fine-grained access management for resources in Azure.

Question 91

What is the inheritance order for scope in Azure?

Answer 91

Management group, Subscription, Resource group, Resource.

Question 92

Suppose a team member can’t view resources in a resource group. Where would the administrator go to check the team member’s access?

Answer 92

Go to the resource group and select Access control (IAM) > Check Access.

Question 93

When is a user considered registered for SSPR?

Answer 93

When they’ve registered at least the number of methods that you’ve required to reset a password.