Manage identity and access Flashcards

1
Q

What are the 4 types of user accounts in Entra ID?

A
  1. Internal member
  2. Internal guest
  3. External member
  4. External guest
2
Q

Define an ‘Internal member’ user account

A

Users whose account is homed in your tenant and who have member-level privileges; most likely full-time employees.

3
Q

Define an ‘Internal guest’ user account

A

An account homed in your tenant (it signs in with tenant credentials) but with guest-level privileges, e.g. a contractor who was given an account directly in the tenant.

4
Q

Define an ‘External member’ user account

A

Users who authenticate with an external account (another Entra tenant, a Microsoft account, or another identity provider) but have member-level access in your tenant.

5
Q

Define an ‘External guest’

A

Guests of your tenant who authenticate using an external method and who have guest-level privileges.

6
Q

What is the minimum role needed to create a new user?

A

User Administrator

7
Q

What is the minimum role needed to invite an external guest?

A

Guest Inviter

8
Q

What is the minimum role needed to assign an Entra ID role to another user?

A

Privileged Role Administrator

9
Q

Can a security group be nested within another security group?

A

Yes

10
Q

How are permissions inherited with a nested security group?

A

Members of the nested (child) group inherit the access granted to the parent group; members of the parent group do not gain access that was granted to the child group. Note that some features, such as group-based licensing and enterprise application assignment, do not expand nested groups at all.

11
Q

Can the membership of a dynamic user/device group change?

A

Yes. Entra ID re-evaluates the membership rule automatically, so membership changes whenever the underlying user or device attributes change; members cannot be added or removed manually.

12
Q

Is it possible for a user to join a group without being assigned membership by an admin or policy?

A

Yes, by requesting access to the group.

13
Q

Describe the process of a user requesting access to a group

A

Depending on the group's membership policy, the user is either added automatically, or the request must be approved by a group owner before the user is added.

14
Q

If there are multiple owners for a group, does each owner need to approve an access request?

A

Yes; if one of them disapproves, the user is notified but isn't added to the group.

15
Q

How is a guest user identified?

A

Their user principal name contains the '#EXT#' marker, e.g. alice_contoso.com#EXT#@fabrikam.onmicrosoft.com (the external address with '@' replaced by '_'); the authoritative attribute is userType = Guest.

16
Q

How are users identified when using Entra B2B?

A

Guest users use their own identity management system (their home tenant or an external identity provider); your tenant only holds a guest user object that represents them.

17
Q

Does a guest user need an Entra account to gain user access with Entra B2B?

A

No.

18
Q

Is Entra B2B enabled by default?

A

Yes.

19
Q

How is Entra B2B collaboration managed with other Entra tenants/organizations?

A

Cross-tenant access settings.

20
Q

What are controls that can be implemented with cross-tenant access settings?

A

Scope inbound and outbound B2B collaboration and B2B direct connect to specific users, groups, and applications; trust settings that accept the partner tenant's MFA, compliant-device, and hybrid-joined-device claims instead of re-prompting.

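The cross-tenant access settings the two cards above describe, written out as an added example with Microsoft Graph PowerShell (this is not code from the original flashcards). It creates a partner-specific inbound policy that lets any user from one partner tenant be invited, but only into one of your applications, blocks B2B direct connect from that partner, and trusts the partner's MFA claim. The partner tenant ID and the application ID are assumed placeholders.

```powershell
# Added example, not from the original flashcards: inbound cross-tenant access settings
# for ONE partner tenant via Microsoft Graph PowerShell.
# Assumed placeholder values: $partnerTenantId and $allowedAppId are not real IDs.
Import-Module Microsoft.Graph.Authentication

$partnerTenantId = '11111111-1111-1111-1111-111111111111'   # assumed: the partner's tenant ID
$allowedAppId    = '22222222-2222-2222-2222-222222222222'   # assumed: client ID of YOUR app partners may reach

# Policy.ReadWrite.CrossTenantAccess is the least-privileged Graph scope for this object.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess' -NoWelcome

$partnerSettings = @{
    tenantId = $partnerTenantId
    # B2B collaboration: any partner user may be invited, but only into the one listed app.
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = $allowedAppId; targetType = 'application' })
        }
    }
    # B2B direct connect (Teams shared channels) stays blocked for this partner.
    b2bDirectConnectInbound = @{
        usersAndGroups = @{
            accessType = 'blocked'
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications = @{
            accessType = 'blocked'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
    # Trust settings: accept the partner's MFA claim so their users are not prompted twice,
    # but do not trust their device claims (you cannot audit their Intune/compliance setup).
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

$uri = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'
Invoke-MgGraphRequest -Method POST -Uri $uri -Body $partnerSettings -ContentType 'application/json'

# Read the object back and show what is actually enforced for this partner.
$saved = Invoke-MgGraphRequest -Method GET -Uri "$uri/$partnerTenantId"
$saved.b2bCollaborationInbound.applications.targets | ForEach-Object { "allowed app: $($_.targetType) $($_.target)" }
"MFA trusted: $($saved.inboundTrust.isMfaAccepted)"
```

Trusting the partner's MFA claim means your Conditional Access MFA requirement is satisfied by whatever MFA the partner enforces, so only enable it for partners whose authentication strength you have reviewed. Anything not set in the partner object falls back to the tenant's default cross-tenant access settings.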
21
Q

What setting determines who can invite non-Entra ID external users?

A

External collaboration settings

22
Q

How can external collaboration settings restrict access?

A

Define who can invite external users, allow or block invitations to specific domains, and restrict what guest users can see in the directory (guest user access restrictions).

23
Q

Describe ‘self-service sign up’

A

Create a sign-up experience for external users who want to access your apps.

24
Q

How can an Azure based self-service sign-up be integrated with external cloud systems?

A

With API connectors

25
Q

How can the self-service sign-up process be customized?

A

Custom approval workflows, perform identity verification, and validate user-provided information.

26
Q

How can guest users sign-in with a social account or external identity provider? (Facebook, Google, etc.)

A

Federation.

27
Q

Can a second Entra tenant be created to manage external identities?

A

Yes; External configuration allows you to manage your apps and customer accounts separately from your workforce.

28
Q

What are the best use cases for implementing Entra B2B?

A

Let business guests access your Office 365 apps, software-as-a-service (SaaS) apps, and line-of-business applications.

29
Q

Define an ‘Entra Tenant’

A

A dedicated and trusted instance of Microsoft Entra ID that contains an organization’s resources, including registered apps and a directory of users.

30
Q

What are the two tenant configurations?

A
  1. Workforce
  2. External
31
Q

Describe a ‘Workforce’ Entra ID tenant and its purpose

A

A standard Microsoft Entra tenant that contains your employees, internal business apps, and other organizational resources and the capability to invite guests.

32
Q

Describe an ‘External Tenant’ Entra ID Tenant and its purpose

A

Used exclusively for apps you want to publish to consumers or business customers while identities are managed by External ID.

33
Q

What is the purpose/function of external ID in a workforce tenant?

A

Collaborating with business partners from external organizations like suppliers, partners, vendors.

34
Q

How does SSO function with External ID in an External Tenant?

A

SSO to apps registered in the external tenant is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn’t supported.

35
Q

Does an External Tenant support entitlement management?

A

No.

36
Q

Describe ‘Entra B2B direct connect’

A

Create two-way trust relationships with other Microsoft Entra organizations.

37
Q

What is the purpose/function of implementing Entra B2B direct connect?

A

Allows users to seamlessly sign in to Teams shared channels for chat, calls, file-sharing, and app-sharing without being added as guest users in the other tenant.

38
Q

How is access authenticated with Entra B2B direct connect?

A

Users authenticate in their home organization and receive a token from the resource organization for access.

39
Q

Describe ‘Entra entitlement management for business guest sign-up’

A

Configure policies that manage access for external users and determine who the individual requesting access is.

40
Q

Describe ‘cross-tenant synchronization’

A

Automates creating, updating, and deleting B2B users across a multitenant configuration.

41
Q

How does cross-tenant synchronization operate?

A

It is a push from the source tenant, not a pull by the target tenant. The target tenant enables an inbound-only cross-tenant access setting that allows the source tenant's administrator to synchronize users into it.

42
Q

What types of user accounts can be synced in cross-tenant synchronization?

A

Internal members only.

43
Q

How is a cross-tenant synchronization established?

A

Define a trust relationship between a source tenant and a target tenant.

44
Q

What properties are configured on the source tenant in a cross-tenant synchronization?

A

Automatic redemption; sync settings configuration; users in scope.

45
Q

What properties are configured on the target tenant in a cross-tenant synchronization?

A

Cross-tenant access settings; Automatic redemption.

46
Q

What is the overall function of Microsoft Entra Identity Protection?

A

Detect, investigate, and remediate identity-based risks.

47
Q

What are some of the signals used to determine risky sign-in behavior?

A

Anonymous IP address usage
Password spray attacks
Leaked credentials

48
Q

How does Microsoft Entra Identity Protection detect sign-in risk?

A

During each sign-in, real-time sign-in detections generate a sign-in session risk level.

49
Q

Once Microsoft Entra Identity Protection determines risk, what occurs?

A

Based on this risk level, policies are then applied to protect the user and the organization.

50
Q

What are the 3 reports Entra Identity Protection provides?

A
  1. Risk detections
  2. Risky sign-ins
  3. Risky users
51
Q

Define a ‘Risk detection’

A

Each risk detected is reported as a risk detection.

52
Q

Define a ‘Risky sign-in’

A

Reported when there are one or more risk detections reported for that sign-in.

53
Q

What conditions define a ‘Risky user’?

A

The user has one or more Risky sign-ins; One or more risk detections have been reported.

54
Q

How can a risky sign-in be remediated automatically?

A

Based on the detected risk level, a sign-in risk policy requires the user to complete MFA and a user risk policy requires a secure password change; if the user succeeds, the risk is remediated automatically (self-remediation).

55
Q

What role provides full access to Identity protection?

A

Security Administrator

56
Q

What roles provide view all Identity Protection reports and Overview?

A

Security Operator and Security Reader.

57
Q

What role(s) can dismiss user risk, confirm safe sign-in, confirm compromise?

A

Security Administrator and Security Operator

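The Identity Protection reports and operator actions from the cards above (risky users, risk detections, confirm compromise, dismiss), as an added example in Microsoft Graph PowerShell rather than the portal; this is not code from the original flashcards. It lists users whose risk is still open at level high, pulls the detections behind each one, and confirms compromise only where a leaked-credentials detection exists. It assumes an Entra ID P2 tenant and an identity holding at least the Security Operator role.

```powershell
# Added example, not from the original flashcards: triage Identity Protection risk with
# Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns module).
# Assumes Entra ID P2 and a Security Operator / Security Administrator-class identity.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'IdentityRiskEvent.Read.All' -NoWelcome

function Get-OpenHighRiskUserReport {
    # Risky users = users with at least one risk detection. We only want the ones whose
    # risk is still open (riskState atRisk) and at the level a user-risk policy acts on.
    $riskyUsers = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All
    foreach ($u in $riskyUsers) {
        # Each detection is one signal: leakedCredentials, anonymizedIPAddress, passwordSpray, ...
        $detections = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
            Sort-Object DetectedDateTime -Descending
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserId            = $u.Id
            RiskLastUpdated   = $u.RiskLastUpdatedDateTime
            DetectionTypes    = ($detections.RiskEventType | Select-Object -Unique) -join ', '
            LatestIp          = $detections[0].IpAddress
            HasLeakedCreds    = [bool]($detections.RiskEventType -contains 'leakedCredentials')
        }
    }
}

$report = Get-OpenHighRiskUserReport
$report | Format-Table UserPrincipalName, DetectionTypes, LatestIp, HasLeakedCreds -AutoSize

# Leaked credentials is a confirmed-exposure signal. Confirming compromise keeps the user at
# high risk and, with a user-risk policy in place, forces a secure password reset at the next
# sign-in. Dismissing risk (Invoke-MgDismissRiskyUser) only suppresses the detections and
# should be used after an investigation concluded the activity was benign, never as a shortcut.
foreach ($r in $report | Where-Object HasLeakedCreds) {
    Confirm-MgRiskyUserCompromised -UserIds @($r.UserId)
}
```

Leaked-credentials detections for hybrid users only appear when password hash synchronization is enabled, so an empty HasLeakedCreds column on a federated or PTA-only tenant is a coverage gap, not an all-clear.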
58
Q

What role provides read-only access to Entra Identity Protection?

A

Global reader.

59
Q

What is the least privileged role needed to create sign-in (Conditional Access) policies?

A

Conditional Access Administrator.

60
Q

What Entra ID license is needed for Entra Identity Protection?

A

Entra ID P2.

61
Q

Describe ‘password hash synchronization with Microsoft Entra ID’

A

Hybrid identity sign-in method implemented by Entra Connect.

62
Q

How does ‘password hash synchronization’ function?

A

Microsoft Entra Connect synchronizes a hash of each user's on-premises AD password hash to Microsoft Entra ID: a per-user salted PBKDF2-HMAC-SHA256 derivation of the NT hash, not the NT hash itself. The plaintext password never leaves the domain.

63
Q

Describe ‘Pass-through authentication’

A

Allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.

64
Q

Describe ‘Entra Connect Federation’

A

Used to configure a hybrid environment with an on-premises AD FS infrastructure.

65
Q

What service is used to monitor the health of on-premises identity infrastructure?

A

Entra Connect Health.

66
Q

What are the two Microsoft offerings for syncing hybrid identities?

A
  1. Entra Cloud Sync
  2. Entra Connect Sync
67
Q

How does Entra Cloud Sync function?

A

It is orchestrated from Microsoft Online Services using a lightweight Microsoft Entra provisioning agent installed on a domain-joined Windows server; the sync configuration lives in the cloud, with no on-premises sync database. (Entra Connect Sync, by contrast, is a full application running on-premises.)

68
Q

What are the key benefits of Entra Cloud Sync compared to Entra Connect Sync?

A

Synchronization from a disconnected multi-forest AD environment (e.g., after a merger or acquisition); multiple lightweight agents for high availability instead of a single heavyweight application.

69
Q

What are the key benefits of Entra Connect Sync compared to Entra Cloud Sync?

A

Support for device objects; Pass-Through Authentication; Allows unlimited AD objects.

70
Q

What are the two forms of cloud authentication?

A
  1. Entra password hash synchronization
  2. Entra pass-through authentication
71
Q

What form of cloud authentication supports sign-in disaster recovery or leaked credential reports?

A

Entra password hash synchronization.

72
Q

What cloud authentication method is required for Entra Identity Protection?

A

Password hash synchronization. It is required for the leaked-credentials detection on hybrid users (the other risk detections work without it).

73
Q

What is the best use case for password hash sync cloud authentication?

A

Organizations that only need their users to sign in to Microsoft 365, SaaS apps, and other Microsoft Entra ID-based resources.

74
Q

How often does password hash sync perform password synchronization?

A

Every 2 minutes.

75
Q

What needs to be installed for password hash sync to function?

A

Microsoft Entra Connect.

76
Q

How many pass-through authentication agents need to be installed for pass-through authentication to function?

A

At least one (the first agent is installed with Microsoft Entra Connect on the Connect server); three are recommended for high availability.

77
Q

Which cloud hybrid authentication method can enforce on prem policies at the time of sign-in?

A

Pass-through Authentication.

78
Q

How should redundancy/failover be planned when utilizing Password hash synchronization?

A

Deploy a second Microsoft Entra Connect server in staging mode in a standby configuration.

79
Q

How should redundancy/failover be planned when utilizing Pass-through Authentication?

A

Deploy two extra pass-through authentication agents.

80
Q

Which cloud authentication method can serve as a failover to the other authentication method?

A

Use password hash synchronization as a backup authentication method for pass-through authentication

81
Q

What are the 3 required steps to use password hash synchronization?

A
  1. Install Microsoft Entra Connect
  2. Configure directory synchronization
  3. Enable password hash synchronization
82
Q

Can the failover between pass-through authentication and password hash synchronization be automated?

A

No; the failover must be manually initiated from Entra Connect.

83
Q

What is the purpose for using federated authentication?

A

Required when customers have an authentication requirement that Microsoft Entra ID doesn’t support natively.

84
Q

Which cloud authentication method is best for high availability and disaster recovery?

A

Pass-through Authentication paired with federation.

85
Q

What cloud authentication method is best for an organization wanting to enforce on prem AD policies?

A

Entra pass-through authentication.

86
Q

Does pass-through authentication store credentials in the cloud?

A

No.

87
Q

Which cloud authentication method works with Conditional Access policies?

A

Entra pass-through authentication.

88
Q

How is communication secured between an agent and Entra ID?

A

With TLS Certificates.

89
Q

Define ‘Federation’

A

A collection of domains that have established authentication and authorization trust.

90
Q

What is the purpose of federation?

A

To ensure all user authentication occurs on-prem.

91
Q

Describe ‘Self-service password reset’

A

Gives end users the ability to change or reset their password, with no administrator or help desk involvement.

92
Q

What are the 3 scenarios self-service password reset can be used?

A
  1. Password change
  2. Password reset
  3. Account unlock
93
Q

How are passwords changed in the cloud (Entra ID) written back to on-premises AD?

A

Password writeback

94
Q

Define ‘Entra multifactor authentication’

A

Requires two or more of the following authentication methods.

95
Q

What are the 3 forms of authentication Entra MFA offers?

A
  1. Something you know
  2. Something you have
  3. Something you are
96
Q

What is the recommended way to enable and use Entra MFA?

A

With Conditional Access policies.

97
Q

What is the function/purpose of a conditional access policy?

A

React to sign-in events and request additional actions before a user is granted access to an application or service.

98
Q

What can be included in the scope of a conditional access policy?

A

Users and groups.

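The three cards above (enable MFA through Conditional Access, a policy that reacts to sign-in events, scoped to users and groups) written out as an added example with Microsoft Graph PowerShell; this is not code from the original flashcards. The policy requires MFA for all users on all cloud apps, starts in report-only mode, and excludes an emergency-access group whose object ID is an assumed placeholder.

```powershell
# Added example, not from the original flashcards: create a Conditional Access policy that
# requires MFA for all users and all cloud apps, deployed in report-only mode first.
# Assumed placeholder: $breakGlassGroupId (object ID of the emergency-access accounts group).
Import-Module Microsoft.Graph.Identity.SignIns

$breakGlassGroupId = '33333333-3333-3333-3333-333333333333'   # assumed value

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$policy = @{
    displayName = 'CA001 - Require MFA for all users (report-only)'
    # Report-only evaluates the policy on every sign-in and logs the outcome without
    # enforcing it; switch to 'enabled' only after reviewing the impact in the sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            # Always exclude emergency-access accounts so a misconfigured policy cannot lock out admins.
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Sanity check across the tenant: flag any ENFORCED policy that has no group exclusion at all,
# i.e. one that could lock out the break-glass accounts.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and -not $_.Conditions.Users.ExcludeGroups } |
    ForEach-Object { Write-Warning "Policy '$($_.DisplayName)' is enforced with no group exclusion" }
```

A policy with includeUsers 'All' also applies to guest users and to the admin creating it, which is why report-only first and a break-glass exclusion are the two checks worth automating.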
99
Q

How can repeated MFA attempts that might be an attack be prevented?

A

By configuring account lockout settings to specify how many failed attempts to allow before the account becomes locked out for a period of time.

100
Q

What is the only form of authentication that can use account lockout settings?

A

When the user supplies a PIN.

101
Q

What can be done to mitigate a stolen/lost second authentication factor?

A

By blocking the user.

102
Q

If a suspicious MFA prompt is received, what can an end user do?

A

Use the 'Report suspicious activity' option in the Microsoft Authenticator app or during the phone-call prompt (the feature must be enabled in the tenant's authentication method settings).

103
Q

What is the outcome of a user reporting a MFA prompt as suspicious?

A

The user's risk is set to high, and the event is logged in the sign-in report as a sign-in that was rejected by the user; with a user risk policy in place, this can trigger a forced password reset.

104
Q

Does Entra ID support the use of OATH tokens?

A

Yes.

105
Q

How are OATH tokens implemented in Entra ID?

A

Tokens must be uploaded in a CSV file.

106
Q

What must be included in the OATH Token CSV file?

A

User Principal Name (UPN), serial number, secret key, time interval, manufacturer, and model.

107
Q

How are OATH Tokens activated once uploaded?

A

Select activate for the token and enter the token’s one-time password (OTP)

108
Q

Describe passwordless authentication

A

Password is removed and replaced with something you have, plus something you are or something you know.

109
Q

What can be used for ‘something you have’ in passwordless authentication?

A

Windows 10 Device, phone, or security key.

110
Q

What can be used for ‘something you are’ in passwordless authentication?

A

Biometric.

111
Q

What can be used for ‘something you know’ in passwordless authentication?

A

PIN.

112
Q

What are the four options for implementing passwordless authentication in Azure?

A
  1. Windows Hello for Business
  2. Microsoft Authenticator
  3. Passkeys FIDO2 (Fast IDentity Online 2)
  4. Certificate-based authentication
113
Q

What is the best use case for Windows Hello for Business?

A

Ideal for information workers that have their own designated Windows PC.

114
Q

How is a phone used to become a form of authentication is passwordless authentication?

A

By using the Microsoft Authenticator app.

115
Q

What is the least privilege roles required to implement and manage authentication methods?

A

Authentication Administrator.

116
Q

How do Passkeys (FIDO2) function?

A

Users register a FIDO2 security key and then select it at the sign-in prompt as their authentication method; the key connects over USB, Bluetooth, or NFC.

117
Q

What is the max amount of supported keys allowed for each passwordless method?

A

No more than 20 sets of keys.

118
Q

What control is used to detect and block known weak passwords?

A

Microsoft Entra Password Protection.

119
Q

What is best practice for deploying Microsoft Entra Password Protection on-prem?

A

The DC agent software must be installed on all DCs in a domain.

120
Q

What must be deployed in the on-premises AD forest so that DCs, which need no direct internet access, can download the Entra Password Protection policy?

A

At least one Microsoft Entra Password Protection Proxy service on a domain-joined server (two are recommended for high availability); it is not installed on every device.

121
Q

What is the purpose of the Microsoft Entra Password Protection Proxy service?

A

Forward password policy download requests from DCs to Microsoft Entra ID and return the responses back to the DC.

122
Q

What is the purpose of the password DLL filter of the Password Protection agent?

A

Receives user password-validation requests from the operating system of the device and forwards them to the agent Service on the DC.

123
Q

How does the Entra Password Protection Proxy service instance on a device communicate with the DC?

A

The proxy service registers a serviceConnectionPoint object in on-premises Active Directory; the DC agent locates proxies by querying AD for these objects and calls the proxy using RPC over TCP.

124
Q

How long is the certificate Entra ID creates for federation via SAML valid for by default?

A

3 years.

125
Q

What are the methods cloud applications can use to configure SSO?

A

OpenID Connect, OAuth, SAML, password-based, or linked.

126
Q

What are the methods on-prem applications can use to configure SSO?

A

Password-based, Integrated Windows Authentication, header-based, or linked.

127
Q

What is the best use case for password based SSO for an on-prem application?

A

When the application has an HTML sign-in page, or for shared accounts.

128
Q

What is the best use case for linked based SSO?

A

When the application is configured for SSO in another identity provider service (federated)

129
Q

Describe a ‘Decentralized Identifier (DID)’

A

User-generated, self-owned, globally unique identifiers rooted in decentralized trust systems rather than a central registry.

130
Q

What is the purpose of Decentralized Identifiers (DIDs)

A

Microsoft's verifiable credentials solution uses decentralized identifiers (DIDs) so that an issuer can cryptographically sign claims about an identity and a relying party can verify them.

131
Q

Define the concept of ‘verifiable credentials’

A

Data objects consisting of claims made by the issuer attesting information about a subject.

132
Q

How are verifiable credentials verified?

A

Claims are identified by a schema and include the DIDs of the issuer and the subject. The issuer signs the credential with the private key bound to its DID, and a verifier checks that signature against the public key published for the issuer's DID.

133
Q

What is the main responsibility of the DC Agent service in Microsoft Entra Password Protection?

A

To process password validation requests from the password filter DLL of the DC Agent using the current locally available password policy and return the result of pass or fail.

134
Q

What is the max amount of management groups?

A

10,000

135
Q

How many levels of depth does a group management tree support?

A

6 levels, not including the root or subscription level.

136
Q

What is the purpose of a root management group?

A

Allows for global policies and Azure role assignments to be applied at the directory level.

137
Q

What role must a Global Admin first elevate to, in order to assign other roles/groups/users to manage the root management group?

A

User Access Administrator.

138
Q

How are permissions passed to objects of a management group?

A

All Azure RBAC and role definitions are inherited by child resources.

139
Q

What two roles are specifically allow users to perform actions only on the management group scope?

A

Management Group Contributor and Management Group Reader.

140
Q

How many management groups can be defined as the scope of a custom role definition?

A

Only 1 - to prevent role definition and role assignment disconnection.

141
Q

What 3 conditions must be true in order to move a management group or subscription to be the child of a different management group?

A
  1. Write and role assignment write permissions on the child subscription or management group.
  2. Write access on the target parent management group.
  3. Write access on the existing parent management group.
142
Q

How are management group operations audited?

A

Azure Activity log.

143
Q

What is the PowerShell command to update/change info about a management group?

A

Update-AzManagementGroup

144
Q

What is the Azure CLI command to update/change info about a management group?

A

az account management-group update

145
Q

What two conditions must be followed to delete a non-root management group?

A
  1. No child management groups or subscriptions under the management group.
  2. Write permissions on the management group.
146
Q

What is the PowerShell command to delete a non-root management group?

A

Remove-AzManagementGroup.

147
Q

What is the Azure CLI command to delete a non-root management group?

A

az account management-group delete.

148
Q

What is the PowerShell command to move a subscription under a management group? (To move a management group itself, use Update-AzManagementGroup with -ParentId.)

A

New-AzManagementGroupSubscription.

149
Q

What is the Azure CLI command to move a subscription under a management group? (To move a management group itself, use az account management-group update --parent.)

A

az account management-group subscription add.

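The management-group operations from cards 141 to 149 (move, delete with its preconditions, and the subscription-move cmdlet) as one added example using the Az.Resources cmdlets the cards name; this is not code from the original flashcards. The group names and the subscription ID are assumed placeholders.

```powershell
# Added example, not from the original flashcards: move and delete management groups with
# the Az.Resources cmdlets named on the cards, with the pre-checks the cards describe.
# Assumed placeholder names: mg-landingzones, mg-sandbox-old, and the subscription ID.
Import-Module Az.Resources
Connect-AzAccount | Out-Null

function Move-ManagementGroupUnder {
    # Moves a NON-root management group under a new parent. The caller needs write on the group,
    # write on the new parent and write on the current parent (the three conditions on card 141).
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $NewParentName
    )
    $parent = Get-AzManagementGroup -GroupName $NewParentName -ErrorAction Stop
    # -ParentId takes the full resource ID (/providers/Microsoft.Management/managementGroups/<name>).
    Update-AzManagementGroup -GroupName $GroupName -ParentId $parent.Id -ErrorAction Stop
}

function Remove-EmptyManagementGroup {
    # Deletion fails while the group still has children, so inspect them first (card 145).
    param([Parameter(Mandatory)] [string] $GroupName)
    $mg = Get-AzManagementGroup -GroupName $GroupName -Expand -ErrorAction Stop
    if ($mg.Children) {
        $names = ($mg.Children | ForEach-Object { "$($_.Type) $($_.DisplayName)" }) -join '; '
        throw "Cannot delete '$GroupName': it still contains $names"
    }
    Remove-AzManagementGroup -GroupName $GroupName -ErrorAction Stop
}

# 1. Re-parent a management group (this is what Update-AzManagementGroup -ParentId is for).
Move-ManagementGroupUnder -GroupName 'mg-sandbox-old' -NewParentName 'mg-landingzones'

# 2. Move a SUBSCRIPTION under a management group. This cmdlet moves subscriptions, not groups.
New-AzManagementGroupSubscription -GroupName 'mg-landingzones' `
    -SubscriptionId '00000000-0000-0000-0000-000000000000'

# 3. Delete a group only once it is empty (Remove-EmptyManagementGroup throws otherwise).
Remove-EmptyManagementGroup -GroupName 'mg-sandbox-old'
```

Because Azure RBAC assignments inherit down the tree, re-parenting a management group silently changes who has access to every subscription under it; review the new parent's role assignments before the move, and check the Activity log afterwards for the corresponding Microsoft.Management write events.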
150
Q

List the 3 components of role assignment

A
  1. Security principal
  2. Role definition
  3. Scope
151
Q

Define role assignment

A

Grants a security principal the permissions in a role definition at a specified scope.

152
Q

Does Azure RBAC support deny assignments to a scope?

A

Yes; Attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope.

153
Q

How is an access request initiated with Azure RBAC?

A

A security principal (user or service principal) makes an API call to Azure Resource Manager with an access token; for a user, the token includes the user's group memberships.

154
Q

Once Azure Resource Manager receives an access request what is its first action?

A

Retrieves all role assignments and deny assignments that apply to the scope at which access is being requested (including those inherited from parent scopes), and subtracts each role's NotActions from its Actions.

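The evaluation order the three cards above describe (role assignments gathered for the scope, Actions minus NotActions, deny assignments applied last), as an added example modelled offline in PowerShell; this is not code from the original flashcards. The role definitions are abbreviated, and the principals, scopes and assignments are constructed for the example.

```powershell
# Added example, not from the original flashcards: a small offline model of how Azure Resource
# Manager evaluates a request. Role definitions, assignments and scopes below are constructed
# for illustration; the real Contributor role has more NotActions than shown.
$roleDefinitions = @{
    Reader      = @{ Actions = @('*/read'); NotActions = @() }
    Contributor = @{
        Actions    = @('*')
        NotActions = @('Microsoft.Authorization/*/Delete',
                       'Microsoft.Authorization/*/Write',
                       'Microsoft.Authorization/elevateAccess/Action')
    }
}

# Constructed assignments: alice is Reader on the subscription; her group is Contributor on one RG.
$roleAssignments = @(
    @{ Principal = 'user:alice';         Role = 'Reader';      Scope = '/subscriptions/sub1' }
    @{ Principal = 'group:finance-devs'; Role = 'Contributor'; Scope = '/subscriptions/sub1/resourceGroups/rg-fin' }
)
# Constructed deny assignment: nobody in finance-devs may delete VMs in rg-fin, whatever their roles say.
$denyAssignments = @(
    @{ Principals = @('group:finance-devs')
       Actions    = @('Microsoft.Compute/virtualMachines/delete')
       Scope      = '/subscriptions/sub1/resourceGroups/rg-fin' }
)

function Test-ScopeCovers {
    # An assignment at $AssignedScope applies to $ResourceScope when it is the same scope or a parent.
    param([string] $AssignedScope, [string] $ResourceScope)
    return $ResourceScope.Equals($AssignedScope, 'OrdinalIgnoreCase') -or
           $ResourceScope.StartsWith("$AssignedScope/", 'OrdinalIgnoreCase')
}

function Test-ActionAllowed {
    param(
        [string[]] $PrincipalIds,   # the caller plus every group carried in the token
        [string]   $Action,
        [string]   $ResourceScope
    )
    # Step 1: union of applicable role assignments; each role is evaluated as Actions minus its own NotActions.
    $allowed = $false
    foreach ($ra in $roleAssignments) {
        if ($PrincipalIds -notcontains $ra.Principal) { continue }
        if (-not (Test-ScopeCovers $ra.Scope $ResourceScope)) { continue }
        $def = $roleDefinitions[$ra.Role]
        $hit = @($def.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        $cut = @($def.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
        if ($hit -and -not $cut) { $allowed = $true }
    }
    if (-not $allowed) { return $false }
    # Step 2: deny assignments are checked last and win over any allow.
    foreach ($da in $denyAssignments) {
        $principalHit = @($da.Principals | Where-Object { $PrincipalIds -contains $_ }).Count -gt 0
        $actionHit    = @($da.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        if ($principalHit -and $actionHit -and (Test-ScopeCovers $da.Scope $ResourceScope)) { return $false }
    }
    return $true
}

$alice = @('user:alice', 'group:finance-devs')
$vmFin = '/subscriptions/sub1/resourceGroups/rg-fin/providers/Microsoft.Compute/virtualMachines/vm1'
$vmOth = '/subscriptions/sub1/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm2'
Test-ActionAllowed $alice 'Microsoft.Compute/virtualMachines/write'       $vmFin   # Contributor via group, no deny
Test-ActionAllowed $alice 'Microsoft.Compute/virtualMachines/delete'      $vmFin   # deny assignment applies here
Test-ActionAllowed $alice 'Microsoft.Authorization/roleAssignments/write' $vmFin   # hits a Contributor NotAction
Test-ActionAllowed $alice 'Microsoft.Compute/virtualMachines/write'       $vmOth   # only Reader reaches this RG
```

The point the model makes visible is that a NotAction is not a deny: it only narrows the role it belongs to, so a second role assignment that grants the action would still allow it. Only a deny assignment blocks regardless of other assignments, which is why deny assignments are evaluated after the allow set is computed.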
155
Q

What is the purpose of an Entra role?

A

Control access to Microsoft Entra resources.

156
Q

What is the purpose of an Azure RBAC role?

A

Control access to Azure resources.

157
Q

Describe ‘Microsoft Entra Permissions Management’

A

A cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities across any cloud provider.

158
Q

What is the purpose of Microsoft Entra Permissions Management?

A

Detects, automatically remediates, and continuously monitors unused and excessive permissions.

159
Q

Does Microsoft Entra Permissions Management require a separate license?

A

Yes.

160
Q

Can access to resources be limited by time with Entra Privileged Identity Management?

A

Assign time-bound access to resources using start and end dates.

161
Q

How can access to privileged roles be limited?

A

Require admin approval to activate privileged roles along with justification.

162
Q

What are the two ways a role definition can be assigned to a member/user?

A
  1. Active
  2. Eligible
163
Q

Define ‘Active’ role assignment

A

Active assignments don’t require the member to perform any action to use the role and is assigned immediately.

164
Q

Define ‘Eligible’ role assignment

A

Require the member of the role to perform an action to use the role.

165
Q

What is the max number of custom roles allowed?

A

500

166
Q

What is the purpose/function of Entra ID Governance?

A

Govern the identity and access lifecycle; Secure privileged access for administration.

167
Q

How does Entra ID Governance automate the creation of a new identity?

A

Inbound provisioning from your organization’s HR sources.

168
Q

How does Entra ID Governance automate provisioning tasks?

A

Lifecycle workflows to automate workflow tasks that run at certain key events.

169
Q

Describe an ‘access package’

A

A bundle of all the resources with the access a user needs to work on a project or perform their task.

170
Q

A security administrator needs to add a role assignment for a new user. Which step should they take to add a condition to the role assignment?

A

Select the Constrained recommended option under Delegation type on the Conditions tab.

171
Q

Can certain applications restrict access by user?

A

Yes. For certain types of applications you can require user assignment, so that only users (or groups) explicitly assigned to the application can sign in to it.

172
Q

What types of applications can restrict access by requiring user assignment?

A

Applications configured for federated SSO with SAML, pre-built Entra gallery applications, Application Proxy applications, and applications built on the Microsoft identity platform (OAuth 2.0/OIDC) once a user or admin has consented to them.

173
Q

For applications that do not natively support user assignment, how can it be implemented?

A

Use PowerShell to set the appRoleAssignmentRequired property on the service principal.

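The property the card above names, set through Microsoft Graph PowerShell and followed by an actual group assignment and a verification step, as an added example (not code from the original flashcards). The application and group display names are assumed placeholders.

```powershell
# Added example, not from the original flashcards: require user assignment on an enterprise
# application and assign one group to it with Microsoft Graph PowerShell.
# Assumed placeholders: the app display name 'Contoso Expenses' and the group 'Expense Users'.
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Expenses'"
if (-not $sp) { throw "Enterprise application not found" }

# appRoleAssignmentRequired lives on the SERVICE PRINCIPAL (the tenant-local object), not on
# the application registration. Once true, users without an assignment get an error at sign-in.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Assign a group to the app's default role. The all-zero GUID is the built-in "default access"
# role used when the application defines no app roles of its own.
$group = Get-MgGroup -Filter "displayName eq 'Expense Users'"
if (-not $group) { throw "Group not found" }
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId '00000000-0000-0000-0000-000000000000'

# Verify. Nested groups are NOT expanded for application assignment, so only direct members
# of 'Expense Users' can reach the app; users in a group nested inside it cannot.
(Get-MgServicePrincipal -ServicePrincipalId $sp.Id).AppRoleAssignmentRequired
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

Turning on assignment is only useful if the application itself rejects tokens for unassigned users; SAML and gallery apps get that from Entra ID at token issuance, which is why the previous card lists them as the types that support it.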
174
Q

What are the four options Entra ID provides to deploy applications?

A
  1. Entra My Apps
  2. Microsoft 365 application launcher
  3. Direct sign-on to federated apps (service-pr)
  4. Deep links to federated, password-based, or existing apps
175
Q

What are the 3 ways access is granted to Microsoft applications?

A
  1. License assignment
  2. User consent
  3. Administrator consent
176
Q

What is the direct outcome of registering a new application in Entra ID?

A

A service principal is automatically created for the app registration which creates the app’s identity in the Entra tenant.

177
Q

What permissions is necessary to register an application in an Entra tenant?

A

The Application.ReadWrite.All permission, or a role such as Cloud Application Administrator.

178
Q

After registering an application in Entra ID, what is the next step?

A

Assign a role to the application to determine what the application can access.

179
Q

What parameters must be copied from an application into a program’s authentication request in order to programmatically login?

A

Tenant ID and the application ID.

180
Q

What two authentication methods are available for application service principals?

A

Password-based authentication (application secret) and certificate-based authentication.

181
Q

What is the recommended authentication for an application service principal?

A

Certificate-based authentication

182
Q

What two steps must be completed to implement certificate-based authentication for an application?

A
  1. Upload certificate
  2. Enable the confidential client application code to use the certificate
183
Q

What is the purpose of creating a self-signed cert to use in certificate-based authentication for an application?

A

For testing purposes only.

184
Q

What is the PowerShell command to create a self-signed cert?

A

New-SelfSignedCertificate.

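Cards 182 to 184 (upload a certificate, make the client use it, self-signed only for testing) as one added end-to-end example in PowerShell; this is not code from the original flashcards. It creates a self-signed certificate, uploads only its public part to the app registration, then signs in as the application with the certificate. The tenant ID, client ID and app object ID are assumed placeholders.

```powershell
# Added example, not from the original flashcards: certificate-based authentication for an app
# registration, end to end. Assumed placeholders: $tenantId, $clientId (application/client ID)
# and $appObjectId (the app registration's OBJECT ID, which is what Update-MgApplication takes).
Import-Module Microsoft.Graph.Applications

$tenantId    = '44444444-4444-4444-4444-444444444444'   # assumed
$clientId    = '55555555-5555-5555-5555-555555555555'   # assumed: application (client) ID
$appObjectId = '66666666-6666-6666-6666-666666666666'   # assumed: app registration object ID

# 1. Self-signed certificate: acceptable for a test tenant only. The private key is generated
#    in the user's store and marked non-exportable, so it cannot be copied off this profile.
$cert = New-SelfSignedCertificate -Subject 'CN=contoso-automation-test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(6)

# 2. Upload ONLY the public certificate. Update-MgApplication replaces the whole keyCredentials
#    collection, so merge any existing entries in first on an app that already has certificates.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome
$keyCredential = @{
    type        = 'AsymmetricX509Cert'
    usage       = 'Verify'
    key         = $cert.GetRawCertData()      # DER-encoded public certificate, no private key
    displayName = 'automation-test self-signed'
}
Update-MgApplication -ApplicationId $appObjectId -KeyCredentials @($keyCredential)

# 3. Prove it works: sign in AS THE APP with the certificate. No secret exists anywhere.
Disconnect-MgGraph | Out-Null
Connect-MgGraph -TenantId $tenantId -ClientId $clientId -CertificateThumbprint $cert.Thumbprint -NoWelcome
$ctx = Get-MgContext
"AuthType=$($ctx.AuthType) ClientId=$($ctx.ClientId) Thumbprint=$($cert.Thumbprint)"
```

The app-only session has exactly the application permissions granted to the registration and nothing else, which is why the next card says to configure permissions on the resources (for example Key Vault) the application needs. For production, replace the self-signed certificate with one issued by your CA and keep its private key in Key Vault or a hardware-backed store.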
185
Q

When implementing authentication, what must be considered to store keys, certificates, and secrets?

A

Configure extra permissions on resources that your application needs to access like key vault.

186
Q

What is required for an application to access a protected resource?

A

Application needs the resource owner’s authorization via consent or deny.

187
Q

What are the two ways an application can access data?

A
  1. Delegated access (access on behalf of a user)
  2. App-only access (Access without a user)
188
Q

Describe how an application can access data using on behalf of a user

A

The client application accesses the resource on behalf of the signed-in user and must be granted the appropriate delegated permissions (scopes); effective access is the intersection of the app's scopes and the user's own privileges.

189
Q

Describe how an application can delegates user access to data

A

User signs into the application, and relies on the privileges that the user has been granted for them to access the resource.

190
Q

What is the purpose of App-only access (Access without a user)?

A

For scenarios such as automation, and back up, or apps that runs as a background service.

191
Q

How does App-only access (Access without a user) function?

A

The client app is granted app roles (application permissions) instead of delegated scopes, authenticates with its own credential (secret, certificate, or managed identity), and those permissions require admin consent.

192
Q

What are the two types of security principals?

A
  1. user principal
  2. service principal
193
Q

What are the 3 types of service principals?

A
  1. Application
  2. Managed identity
  3. Legacy
194
Q

Describe an ‘Application’ service principal

A

A local representation of an app for use in a specific tenant.

195
Q

Describe an ‘Application’ object.

A

Global representation of your application for use across all tenants.

196
Q

Describe a ‘Managed identity’ service principal

A

Provides an identity for applications to use when connecting to resources that support Microsoft Entra authentication.

197
Q

Describe a ‘Legacy’ service principal

A

An app created before app registrations were introduced or an app created through legacy experiences.

198
Q

What are the two types of managed identity service principals?

A
  1. System-assigned
  2. User-assigned
199
Q

What is the purpose/function of a system-assigned managed identity service principal?

A

Allows a single resource to request access to different services or resources via Entra ID.

200
Q

What is the purpose/function of a user-assigned managed identity service principal?

A

A managed identity that can be used by multiple resources/services to access one or more services.

201
Q

Describe ‘Entra application proxy’

A

Replaces the need for a VPN or reverse proxy, and provides remote access for on-prem applications.

202
Q

Should users on an internal network use Entra application proxy?

A

No, may cause latency.

203
Q

What are 3 prerequisites for implementing an Entra application proxy?

A
  1. Connectors installed on-prem or in Azure VM
  2. Connector servers with TLS 1.2 enabled (older TLS versions are not supported)
  3. Network access settings - Connect to Azure via 443
204
Q

A company wants to ensure that their web application is secure and protected from unauthorized access. They want to implement a security mechanism that will allow users to authenticate themselves before accessing the application. What is the first step they need to take?

A

Implement an authentication mechanism such as OAuth or OpenID Connect.

205
Q

A developer wants to provide permissions-based access to their web API. What steps should they take to achieve this?

A

The developer should register the web API with the Microsoft identity platform, assign an owner, create an app role, and add a scope.