MS SC 900 Assessment Flashcards
What is the minimum edition of Azure AD needed to use Azure AD Privileged Identity Management (PIM)?
Select only one answer.
A. Free
B. Office 365 Apps
C. Azure AD Premium P1
D. Azure AD Premium P2
D. Azure AD Premium P2
Explanation:
Azure AD Premium P2 is the only edition that provides PIM support.
You need to allow external users to use either Microsoft accounts or Google accounts to access an application hosted in Azure.
What is the minimum edition of Azure AD that you can use?
Select only one answer.
A. Free
B. Office 365 Apps
C. Azure AD Premium P1
D. Azure AD Premium P2
C. Azure AD Premium P1
Explanation:
Both Azure AD Premium P1 and P2 allow external users, but Azure AD Premium P1 is the minimum edition that allows this. Free and Office 365 apps do not provide external access.
An organization is migrating to the Microsoft cloud. The plan is to use a hybrid identity model.
What can be used to sync identities between Active Directory Domain Services (AD DS) and Azure AD?
Select only one answer.
A. Active Directory Federation Services (AD FS)
B. Microsoft Sentinel
C. Azure AD Connect
D. Azure AD Privileged Identity Management (PIM)
C. Azure AD Connect
Explanation:
Azure AD Connect is designed to accomplish hybrid identity goals. AD FS cannot be used for hybrid identity models. Microsoft Sentinel is not an identity product. PIM is used for managing and monitoring access to important resources.
Which authentication method can use a time-based, one-time password?
Select only one answer.
A. Windows Hello
B. OATH hardware tokens
C. strong passwords
D. password hash synchronization
B. OATH hardware tokens
Explanation:
OATH hardware tokens use time-based, one-time passwords. Strong passwords are not one-time passwords. Password hash synchronization syncs hashes across Active Directory and Azure AD. Windows Hello uses a camera or passcode for authentication.
Which two additional forms of authentication are available in Azure AD for multi-factor authentication (MFA) from any device? Each correct answer presents a complete solution.
A. the Microsoft Authenticator app
B. voice call
C. face recognition
D. fingerprint recognition
A. the Microsoft Authenticator app
B. voice call
Explanation:
The Microsoft Authenticator app and FIDO2 security key are available in Azure AD for MFA from any device. Face and fingerprint recognition are only available for Windows devices with Windows Hello.
What are three things that a user can use for Azure AD Multi-Factor Authentication (MFA)? Each correct answer presents a complete solution.
A. something the claimant knows
B. something the claimant has
C. something the claimant is
D. something the claimant cannot reuse
E. something the claimant solves
A. something the claimant knows
B. something the claimant has
C. something the claimant is
Explanation:
Azure AD MFA works by requiring something you know (such as a password) plus something you have (such as a phone) or something you are (biometrics).
Which Azure AD feature helps reduce help desk calls and the loss of productivity when a user cannot sign in to their device or an application?
A. Self-service password reset (SSPR)
B. Identity Protection
C. Conditional Access
D. Azure AD Password Protection
A. Self-service password reset (SSPR)
Explanation:
SSPR is a feature of Azure AD that allows users to change or reset their password without administrator or help desk involvement. Without enabling SSPR, Identity Protection cannot provide the requested solution. Conditional Access brings signals together to make decisions and enforce organizational policies, but it does not provide SSPR. Azure AD Password Protection reduces the risk when users set weak passwords.
Which three actions should be performed to enable self-service password reset (SSPR) for a user? Each correct answer presents part of the solution.
Select all answers that apply.
A. Assign an Azure AD license.
B. Enable SSPR for the user.
C. Register an authentication method.
D. Sign up for a Microsoft account.
E. Create a custom banned password list.
A. Assign an Azure AD license.
B. Enable SSPR for the user.
C. Register an authentication method.
Explanation:
To use SSPR, users must be assigned an Azure AD license, be enabled for SSPR by an administrator, and be registered with the authentication methods they want to use. Two or more authentication methods are recommended in case one is unavailable.
What can be used to enforce multi-factor authentication (MFA) when users access an application registered in Azure AD?
Select only one answer.
A. password hash synchronization
B. Conditional Access
C. role-based access control (RBAC)
D. a network security group (NSG)
B. Conditional Access
Explanation:
Conditional Access can be used to enforce MFA based on a condition (accessing an app). Password hash synchronization enables password sync with Active Directory. RBAC provides authorization, not authentication. NSGs provide rules for network access.
Which condition can you use in a Conditional Access policy to evaluate the likelihood that a user account was compromised?
Select only one answer.
A. location
B. device state
C. user risk
D. sign-in risk
C. user risk
Explanation:
User risk can evaluate the likelihood that a user account was compromised. Sign-in risk can identify whether the sign-in attempt is considered risky, such as attempts to sign in from compromised IP networks. Device state verifies the device platform. Locations are associated with specific IP networks.
What should you use in Azure AD to provide users with the ability to perform administrative tasks?
Select only one answer.
A. app registrations
B. external identities
C. groups
D. roles
D. roles
Explanation:
Roles in Azure AD have permission to perform certain administrative tasks. You assign these roles to users.
What is the least privileged Azure AD role that can be used to create and manage users and groups?
Select only one answer.
A. Global Administrator
B. Security Administrator
C. User Administrator
D. Teams Administrator
C. User Administrator
Explanation:
User Administrator can manage both users and groups. Global Administrator can also manage users and groups, but the role has far too many privileges.
What can you use to receive alerts for potentially compromised user accounts without blocking the users from signing in?
Select only one answer.
A. real-time sign-in risk detection
B. user risk
C. Application Signal
D. cloud apps or actions
B. user risk
Explanation:
User risk represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability. Admins can set up this signal without interrupting user sign-ins.
What is the difference between Azure AD role-based access control (RBAC) and Azure RBAC?
Select only one answer.
A. Azure AD roles control access to resources such as users, groups, and applications. Azure roles control access to resources, such as virtual machines.
B. Azure AD roles control access to resources, such as virtual machines. Azure roles control access to resources, such as users, groups, and applications.
C. Users with Azure AD roles can make purchases and manage subscriptions. Users with Azure roles have access to all the administrative features in Azure AD.
D. Users with Azure AD roles have access to all the administrative features in Azure AD. Users with Azure roles can make purchases and manage subscriptions.
A. Azure AD roles control access to resources such as users, groups, and applications. Azure roles control access to resources, such as virtual machines.
Explanation:
Azure AD built-in and custom roles are a form of RBAC in that Azure AD roles control access to Azure AD resources. This is referred to as Azure AD RBAC. In the same way that Azure AD roles control access to Azure AD resources, Azure roles control access to Azure resources. This is referred to as Azure RBAC. Although the concept of RBAC applies to both Azure AD RBAC and Azure RBAC, what they control is different.
What is a user risk in Azure AD Identity Protection?
Select only one answer.
A. leaked credentials
B. atypical travel
C. password spray
D. anonymous IP address
A. leaked credentials
Explanation:
Leaked credentials is a user risk. Atypical travel, anonymous IP address, and password spray are sign-in risks.
Which security model uses a layered approach to security, providing mechanisms to stop a breach at the perimeter of each layer?
Select only one answer.
A. shared responsibility
B. defense in depth
C. Zero Trust
D. Payment Card Industry Data Security Standards (PCI DSS) compliance
B. defense in depth
Explanation:
Defense in depth uses a layered approach to security. The shared responsibility model is about defining the responsibilities of each party (company and vendor). PCI DSS is a compliance regulation, not a security model.
Which encryption method uses the same key to encrypt and decrypt data?
Select only one answer.
A. symmetric encryption
B. asymmetric encryption
C. hashing
D. generating a public key
A. symmetric encryption
Explanation:
Symmetric encryption uses the same key to encrypt and decrypt the data. Asymmetric encryption uses a public key and private key pair. Hashing uses an algorithm to convert text to a unique fixed-length value called a hash. Public key cryptography is an encryption system that is based on two pairs of keys. Public keys are used to encrypt messages for a receiver.
What is a guiding principle of the Zero Trust model?
Select only one answer.
A. verify explicitly
B. advance user access
C. test for breach
D. trust the local network
A. verify explicitly
Explanation:
The Zero Trust model has three guiding principles: verify explicitly, least privilege access, and assume breach.
Which pillar of an identity infrastructure is responsible for defining the level of access a user has over the resources on a network?
Select only one answer.
A. administration
B. authentication
C. authorization
D. auditing
C. authorization
Explanation:
Authorization is responsible for determining which level of access authenticated users have. Administration is responsible for managing user accounts. Authentication is responsible for identifying who a user is. Auditing is responsible for keeping track of how authentication, authorization, administration, and access to resources occur.
What is a benefit of single sign-on (SSO) compared to other authentication methods?
Select only one answer.
A. Users can access resources in their domain.
B. Users can authenticate once and access resources anywhere.
C. Devices can be shared by multiple users.
D. Devices can only be used by a single user.
B. Users can authenticate once and access resources anywhere.
Explanation:
Users can authenticate once and access resources anywhere with SSO. Users accessing resources in their domain use basic authentication for a single domain, not SSO. Users are still required to be authenticated to share devices.
What are two characteristics of an identity as the primary security perimeter model? Each correct answer presents a complete solution.
Select all answers that apply.
A. Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network.
B. Only corporate devices can be used to complete corporate tasks.
C. Bring your own device (BYOD) can be used to complete corporate tasks.
D. Software as a service (SaaS) applications for business-critical workloads cannot be hosted outside of a corporate network.
A. Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network.
C. Bring your own device (BYOD) can be used to complete corporate tasks.
Explanation:
SaaS applications for business-critical workloads can be hosted outside of the corporate network and BYOD can be used to complete corporate tasks in the identity as the primary security perimeter model. The other options represent the traditional perimeter-based security model.
What is a feature of single sign-on (SSO)?
Select only one answer.
A. enables a user to sign in once, and then not have to sign in again
B. leverages individual identity providers
C. uses one credential to access multiple applications or resources
D. eliminates the need for password resets due to a centralized directory
C. uses one credential to access multiple applications or resources
Explanation:
SSO allows a user to sign in with a single credential and have access to multiple applications and resources. It does not ensure that a user will not have to sign in again. It leverages a centralized identity provider. It has nothing to do with password resets.
What are types of distributed denial-of-service (DDoS) attacks?
Select only one answer.
A. password spray, protocol attacks, and man-in-the-middle (MITM) attacks
B. password spray, dictionary attack, and resource layer attacks
C. resource layer attacks, protocol attacks, and volumetric attacks
D. dictionary attacks, man-in-the-middle (MITM) attacks, and volumetric attacks
C. resource layer attacks, protocol attacks, and volumetric attacks
Explanation:
Resource layer attacks, protocol attacks, and volumetric attacks are the most common DDoS attacks. Password sprays and MITM attacks are not DDoS attacks.
Which Azure feature provides network-level filtering, application-level filtering, and outbound SNAT?
Select only one answer.
A. distributed denial-of-service (DDoS) protection
B. Azure Firewall
C. Azure Web Application Firewall (WAF)
D. Azure Bastion hosts