Part 5: Identity/Governance

Question 1

Authentication

Authorization

Answer 1

Authentication is the process of establishing the identity of a person or service that wants to access a resource.

Authorization is the process of establishing what level of access an authenticated person or service has.

Question 2

Azure Active Directory

Answer 2

Azure AD is Microsoft’s cloud-based identity and access management service.

Question 3

Single sign-on

Answer 3

Single sign-on enables a user to sign in one time and use that credential to access multiple resources and applications from different providers.

Question 4

Azure AD Connect

Answer 4

Question 5

Azure AD services

Answer 5

Authentication

Single sign-on

Application management

Device management

Question 7

Multifactor Authentication

Answer 7

Something the user knows

This might be an email address and password.

Something the user has

This might be a code that’s sent to the user’s mobile phone.

Something the user is

This is typically some sort of biometric property, such as a fingerprint or face scan that’s used on many mobile devices.

Question 8

Conditional Access (Premium P1 or P2)

Answer 8

Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals.

Signals

who the user is

where the user is

what device the user is requesting access from.

Question 9

Cloud Adoption Framework

Answer 9

The Cloud Adoption Framework for Azure provides you with proven guidance to help with your cloud adoption journey.

Stages (DeePRAG)

Define,Plan,Ready,Adopt,Govern

Question 10

Subscription Strategy

Answer 10

Billing

Access control

Subscription limits

Question 11

Role Based Access Control (RBAC)

Answer 11

Scope

Management group

Subscription

Resource group

Resource

Question 12

How is RBAC enforced?

Answer 12

Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager.

Question 13

Who does Azure RBAC apply to?

Answer 13

person

group

special identity types, such as service principals and managed identities.

Question 14

How do I manage Azure RBAC permissions?

Answer 14

The Access control (IAM) pane in the Azure portal.

Question 15

What is a Resource Lock?

Answer 15

A resource lock prevents resources from being accidentally deleted or changed.

Question 16

How do I manage resource locks?

Answer 16

Azure portal

PowerShell

Azure CLI

Azure Resource Manager template.

Question 17

What levels of locking are available?

Answer 17

CanNotDelete

ReadOnly

Question 18

Azure blueprints

Question 19

Tags

Answer 19

Resource tags are another way to organize resources.

Question 20

How do I manage resource tags?

Answer 20

PowerShell

Azure CLI,

Azure Resource Manager templates

REST API

Azure portal.

Question 21

Tag examples

Answer 21

AppName

CostCenter.

Owner

Environment

Impact

Question 22

Azure Policy

Answer 22

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resource

Question 23

Policy Initiatives

Answer 23

An Azure Policy initiative is a way of grouping related policies into one set.

The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.

Question 24

Builtin Initiative example

Answer 24

Initiative: Enable Monitoring in Azure Security Center

Policies:

Monitor unencrypted SQL Database in Security Center

Monitor OS vulnerabilities in Security Center

Monitor missing Endpoint Protection in Security Center

Question 25

Compliance standrads

Answer 25

HIPAA

ISO 27001

Question 26

Scope of initiaves

Answer 26

management group

subscription

resource group

Question 27

Azure blueprints

Answer 27

Azure Blueprints can define a repeatable set of governance tools and standard Azure resources that your organization requires.

Can handle multiple subscriptions!

Question 28

What are blueprint artifacts?

Answer 28

Each component in the blueprint definition is known as an artifact.

Question 29

Blueprint artifacts examples

Answer 29

Deploy threat detection on SQL servers (no parameters)

Allowed locations (parameter for allowed locations)

Question 30

Blueprint builtin example

Answer 30

ISO 27001: Shared Services Blueprint

Question 31

What is a control?

Answer 31

A known good standard that you can compare your solution against to ensure security.

Question 32

Compliance categories (image)

Answer 32

Question 33

Compliance categories

Answer 33

Criminal Justice Information Service

Cloud Security Alliance STAR Certification

European Union Model Clauses

Health Insurance Portability and Accountability Act

International Organization of Standards/International Electrotechnical Commission 27018

Multi-Tier Cloud Security Singapore

Service Organization Controls 1, 2, and 3

National Institute of Standards and Technology Cybersecurity Framework

United Kingdom Government G-Cloud

Question 34

Microsoft Privacy Statement

Answer 34

Explains what personal data Microsoft collects, how Microsoft uses it, and for what purposes.

Question 35

Online Services Terms (OST)

Answer 35

Legal agreement between Microsoft and the customer

applies specifically to Microsoft’s online services that you license through a subscription

Question 36

Data Protection Addendum (DPA)

Answer 36

further defines the data processing and security terms for online services

Compliance with laws

Disclosure of processed data

Data Security

Data transfer, retention, and deletion

Question 37

Trust Center

Answer 37

part of the Microsoft Trusted Cloud Initiative

provides support and resources for the legal and compliance community

Access to the Trust Center doesn’t require an Azure subscription or a Microsoft account.

Question 38

Azure compliance documentation

Answer 38

detailed documentation about legal and regulatory standards and compliance on Azure

Question 39

Compliance blueprints

Answer 39

reference blueprints, or policy definitions, for common standards that you can apply to your Azure subscription

Example: PCI DSS

Payment Card Industry (PCI) Data Security Standard (DSS)

Question 40

Azure Government

Answer 40

a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments

Question 41

Azure China 21Vianet

Answer 41

Operated by 21Vianet. It’s a physically separated instance of cloud services located in China.