SC-300 Part 1, Module 1 Flashcards
1
Q
What is Azure Active Directory (Azure AD)?
A
Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access:
- External resources
- Internal resources
2
Q
Azure AD helps your employees sign in and access what kinds of external resources?
A
External resources such as M365, the Azure portal, and thousands of other Software as a Service (SaaS) applications.
3
Q
Azure AD helps your employees sign in and access what kinds of internal resources?
A
Internal resources such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
4
Q
Who is Azure AD intended for?
A
IT admins, App developers, and subscribers to Microsoft services.
5
Q
What permissions does the Global Admin have in Azure AD?
A
- Manage access to all admin features, and to services that federate to Azure AD.
- Assign admin roles to others.
- Reset admin and user passwords.
6
Q
What permissions does the User Admin have in Azure AD?
A
- Create/manage users and groups.
- Manage support tickets.
- Monitor service health.
- Change passwords for users, Helpdesk admins, and other User Admins.
7
Q
What permissions does the Billing Admin have in Azure AD?
A
- Making purchases.
- Manage subscriptions.
- Manage support tickets.
- Monitors service health.
8
Q
In the Azure portal, where can you see a list of roles?
A
On the “Roles and administrators” blade.
9
Q
Azure roles specify scope at what level?
A
Scope can be specified at multiple levels:
- Management group
- Subscription
- Resource group
- Resource
10
Q
Azure AD roles specify scope at what level?
A
Scope is at the tenant level.
11
Q
Azure roles info can be accessed using which 5 sources?
A
- Azure portal
- Azure CLI
- Azure PowerShell
- Azure Resource Manager templates
- REST API
12
Q
Azure AD roles info can be accessed in:
A
- Azure admin portal
- Azure AD PowerShell.
- M365 admin center
- MS Graph
13
Q
“Access management for Azure resources” switch
A
- Grants the Global Admin the User Access Admin role (an Azure role) on all subscriptions for a particular tenant.
- This enables the user to grant others access to Azure resources.
- Helpful for regaining access to a subscription.
14
Q
By default, what Azure resources does the Global Admin have access to?
A
By default, the Global Admin doesn’t have access to Azure resources.
15
Q
Do Azure AD roles span Azure AD and M365?
A
Several Azure AD roles span Azure AD and M365, such as the Global Admin and User Admin roles.
16
Q
Five ways to assign roles within Azure AD
A
- Assign a role to a user or group.
- Assign a user or group to a role.
- Assign a role to a broad-scope, like a Subscription, Resource Group, or Management Group.
- Assign a role using PowerShell or MSGraph API.
- Assign a role using Privileged Identity Management (PIM).
17
Q
What are the default restrictions for assigning roles?
A
There are no built in role assignment restrictions.
18
Q
How do you create a custom role in Azure AD?
A
- Roles and administrators blade > New custom role.
2. Provide a name, description, select the permissions, then select Create.
19
Q
How do you add a new user in Azure AD?
A
- Select Users > New User.
2. Populate the user’s info. Then select Create.
20
Q
What is a common method for assigning a role to a user in Azure AD?
A
- All users blade. Select the user.
- On the user’s profile page, select Assigned roles. Select Add assignments, select the role you want to assign. Select Add.
21
Q
What is a common method for removing a role in Azure AD?
A
- Select Users, then select a user.
- Select Assigned roles. Select the name of the role you want to remove.
- Select Remove assignments.
22
Q
What is a domain name?
A
A part of the identifier for many Azure AD resources:
- It’s part of a user name or email address for a user,
- Part of the address for a group.
- Sometimes part of the app ID URI for an application.
23
Q
A domain name is sometimes part of the ___ for an application.
A
App ID URI
24
Q
Who can manage domains in Azure AD?
A
The Global Administrator
25
How do you set a domain name in Azure AD?
1. Select Custom domain names.
2. Select a domain name from the list.
3. Select "Make primary".
26
How many custom domain names can you add to your Azure AD organization?
* You can add up to 900 managed domain names.
* If you're configuring all your domains for federation with on-premises Active Directory, you can add 450 domain names in each organization.
27
Where can you verify a subdomain you added to Azure AD?
Either in the Azure AD organization you added the subdomain to, or in a different Azure AD organization.
28
What do you do after changing the DNS registrar for your custom domain name?
No additional configuration tasks are needed in Azure AD.
29
What requirements must be met before deleting a custom domain name in Azure AD?
Ensure no resources in your organization rely on the domain name.
* No user has a name, email or proxy address that includes the domain name.
* No group has an email or proxy address that includes the domain name.
* Any application in your Azure AD has an app ID URI that includes the domain name.
30
What is ForceDelete?
An operation that reverts a domain name to the initial default domain name.
31
Where can you use the ForceDelete option?
Azure AD Admin Center
| MS Graph API
32
What requirements must be met before using ForceDelete?
* Ensure there are fewer than 1,000 references to the domain name.
* Any references where Exchange is the provisioning service must be updated or removed.
* The domain could not have been purchased via m365 domain subscription services.
* You can't be a partner administering on behalf of another custom org.
33
What two things result in an error when using ForceDelete?
* The number of objects to be renamed is greater than 1,000.
| * One of the apps to be renamed is a multi-tenant app.
34
With the proliferation of devices of all shapes and sizes and the bring your own device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:
* Allow end users to be productive wherever and whenever.
| * Protect the organization's assets.
35
Who owns Azure AD registered devices?
The user or organization.
36
What is an Azure AD registered device?
A device that's registered to Azure AD without requiring an additional org account to sign into the device.
37
What tools are used to manage Azure AD registered devices?
A Mobile Device Management tool (MDM) like Intune.
Mobile Application Management
"maam and madam"
38
What are the key capabilities of Azure AD registered devices?
* SSO to cloud resources.
* Conditional Access when enrolled into Intune.
* Conditional Access via App protection policy.
* Enables Phone sign in with Microsoft Authenticator app.
39
How are Azure registered devices signed in?
They are signed in using a local account like a Microsoft Account or Windows 10 device, but additionally they have an Azure AD attached for access to org resources.
40
When can Azure AD device registration take place?
Can occur when accessing a work application for the first time or manually using the Windows 10 Settings menu.
41
Who owns Azure AD joined devices?
The organization, not the user.
42
Who can deploy Azure AD joined devices?
Any organization can deploy Azure AD joined devices.
43
Azure AD joined devices enable access to ____.
Both cloud and on-premises apps and resources.
44
Who is Azure AD join intended for?
Organizations that want to be cloud-first or cloud-only.
45
How are Azure AD joined devices managed?
Using a Mobile Device Management (MDM) tool like Intune, or co-managed with Intune and Microsoft Endpoint Configuration Manager.
46
How can access to resources by Azure AD joined devices be limited?
Admin can enforce organization-required configurations like requiring that storage be encrypted, password complexity, software installations, and software updates.
47
How can admins make their org's apps available to Azure AD joined devices?
Via Configuration Manager.
48
What are self-service options for Azure AD join?
Out of Box Experience (OOBE), bulk enrollment, or Windows Autopilot.
49
What connectivity do Azure AD joined devices have to on-premises resources?
Azure AD joined devices still maintain SSO access to on-premises resources when they are on the org's network. They can still authenticate to on-premises servers like file, print, and other applications.
50
What strategy do you use when you need to get mobile devices like tablets and phones under control? What strategy can you not use in this scenario?
Azure AD join. In this scenario, you can't use an on-premises domain join.
51
What strategy do you use when you want to transition from on-premises to cloud-based infrastructure? The strategy utilizes Azure AD and an MDM tool like Intune.
Azure AD join.
52
What type of organization is Azure AD join intended for?
Organizations that do not have an on-premises Windows Server Active Directory infrastructure.
53
What do you use when your users primarily need access to M365 or other SaaS apps integrated with Azure AD?
Azure AD join.
54
When you want to manage a group of users in Azure AD instead of in Active Directory, what do you use?
Azure AD join.
55
What solution can you make use of when you need to provide workers with joining capabilities and they're in remote branch offices with limited on-premises infrastructure?
Azure AD join.
56
You can configure Azure AD join for all Windows 10 devices with the exception of ___.
Windows 10 Home devices.
57
The goal of Azure AD joined devices is to simplify what four things?
* Windows deployments of work-owned devices
* Access to organizational apps and resources from any Windows device
* Cloud-based management of work-owned devices
* Users to sign in to their devices with their Azure AD or synced Active Directory work or school accounts.
58
Typically, orgs with an on-premises footprint rely on imaging methods to provision devices, and they often use ___ to manage them.
Configuration Manager or group policy (GP).
59
What are hybrid Azure AD joined devices?
Devices that are joined to your on-premises Active Directory and registered with your Azure AD.
60
Who owns hybrid Azure AD joined devices?
The organization
61
What type of organization are hybrid Azure AD joined devices suitable for?
They are suitable for hybrid organizations with existing on-premises AD infrastructure.
62
What are the key capabilities of hybrid Azure AD joined devices?
* SSO to both cloud and on-premises resources.
* Conditional Access through Domain join or through Intune if co-managed.
* Self-service Password Reset and Windows Hello PIN reset on lock screen.
* Enterprise State Roaming across devices.
63
What do you use when you want to continue to use Group Policy to manage device configuration?
Azure AD hybrid joined devices.
64
If you must support down-level Windows 7 and 8.1 devices in addition to Windows 10, you need to use ___.
Azure AD hybrid joined devices.
65
If you want to continue to use existing imaging solutions to deploy and configure devices, you need to use ___.
Azure AD hybrid joined devices.
66
If you have Win32 apps deployed to devices that rely on Active Directory machine authentication, you need to use ___.
Azure AD hybrid joined devices.
67
What are administrative units?
Resources that act as containers for other Azure AD resources. Used to restrict permissions in a role to any specified portion of your organization.
68
What happens when you use administrative units to delegate a role to regional support specialists?
Using administrative units limits the specialists' permissions to a specific portion of your organization.
69
You can manage administrative units by using ___, ___, or ___.
The Azure portal, PowerShell cmdlets and scripts, or Microsoft Graph.
70
In a global organization that has suborganization that are semi-autonomous in their operations, administrative units could ___.
represent the suborganizations.
71
An organization whose IT department is scattered globally might create administrative units that define ___.
relevant geographical boundaries
72
Administrative units are a common way to define ___ across Microsoft M365 services.
structure
73
You can expect the creation of administrative units in the organization to go through the following steps:
1. Initial adoption
2. Pruning
3. Stabilization
74
What is the first step that the creation of admin units in an org goes through?
1. Initial adoption: Org creates admin units using initial criteria. The number of admin units increases as the criteria are refined.
75
What is the second step that the creation of admin units in an org goes through?
2. Pruning: After the criteria are defined, admin units that are no longer required will be deleted.
76
What is the third step that the creation of admin units in an org goes through?
3. Stabilization: Your organizational structure is defined, and the number of admin units isn't going to change significantly in the short term.
77
Organization should move towards a more centralized/decentralized administration.
decentralized
78
One way to delegate app creation and management permissions is to assign one or more ___ to an application.
owners
79
By default in Azure AD, ___ can register application registrations and manage all aspects of applications they create.
all users
80
You can a built-in ___ that grants access to manage configuration in Azure AD for all applications. This grants IT experts access to manage broad app configuration permissions.
admin role
81
One way to delegate app creation and management permissions is to create a custom role defining specific permissions and assigning it to the scope of a ____ application as a limited owner, or at the ___ (all apps) as a limited admin.
directory scope
82
Two benefits of delegating the ability to perform admin tasks are:
1. Reduces global admin overhead.
| 2. Using limited permissions improves your security posture, reduces the potential for unauthorized access.
83
It's work to develop a delegation model that fits your needs. Developing a delegation model is an iterative design process, and we suggest you follow these steps:
* Define the ___ you need.
* Delegate app ___.
* Grant the ability to ___ applications.
* Delegate app ___.
* Develop a ___ plan.
* Establish ___ accounts.
* Secure your ___ roles.
* Make privileged ___ temporary.
```
roles
administration
register
ownership
security
emergency
admin
elevation
```
Rhinos ate red apple sauce. Elephants ate Eggos.
84
When delegating permissions, determine the Active Directory tasks that are carried out by admins and how they map to roles. Each task should be evaluated for ___, ___, and ___.
frequency, importance, and difficulty.
85
Tasks that you do ___, have limited ___, and are ___ to complete are excellent candidates for delegation.
routinely, risk, trivial
86
Tasks that you do ___ but have great impact across the organization and require high skill levels should be considered very carefully before delegating. Instead, you can temporarily ___ an account to the required role or reassign the task
rarely, elevate
87
Application Admin?
Grants the ability to manage all apps in the directory, including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. Doesn't grant ability to manage Conditional Access.
88
Cloud Application Admin
Grants abilities of the Application Admin, except it doesn't grant access to Application Proxy settings (because it has no on-premises permission).
89
By default, ___ can create application registrations.
all users
90
To selectively grant the ability to create app registrations:
1. Set "Users can register applications" to "No" in User settings.
2. Assign the user to the Application Developer role.
91
To selectively grant the ability to consent to allow an application to access data:
1. Set Users can consent to applications accessing company data on their behalf To No in User settings under Enterprise apps.
2. Assign the user to the Application Developer role.
92
When an Application Developer creates a new application registration, they are automatically added as ___.
the first owner
93
An enterprise application can have ___ owners, and a user can be the owner for ___ enterprise applications.
many, many
94
Enterprise Application Owner
Role that grants the ability to manage the enterprise apps that the user owns, including SSO settings, user and group assignments, and adding additional owners.
95
What ability does the Enterprise Application Owner role not grant?
It doesn't grant the ability to manage Application Proxy settings or Conditional Access.
96
Application Registration Owner
Role that grants the ability to manage application registrations for app that the user owns, including the application manifest and adding additional owners.
97
What are emergency accounts used for?
To maintain access to your identity management store when issue arises.
98
What does the Security Defaults feature do?
Enforces MFA on privileged Azure AD accounts.
99
What are tenant-wide settings?
Configuration options that apply to all resources within your tenant. They control the look, feel and configuration of your tenant and its members.
100
Tenant Properties
Where you give the name of your directory and set values like the primary contact.
101
User Settings
Where you define what global rights your users have, like registering applications.
102
External Collaboration Settings
Where you define what task an external guest user can perform like inviting more guest users.
103
In Azure AD, the default user permissions can be changed only in ___.
user settings
104
A user’s access consists of the ___ of user, their ___ assignments, and their ownership of ___ objects.
type, role, individual
105
Member users can ___.
* Register applications.
* Manage their own profile photo and mobile phone number.
* Change their own password.
* Invite guest users.
* Read all directory info (with few exceptions).
106
Guest users can ___.
* Manage their own profile.
* Change their own password.
* Retrieve some info about other users, groups, and apps.
* They cannot read all directory info.
107
Guest users can be added to the ___, which grants them full read and write permissions those contain.
admin roles
108
Using ___ minimizes the costs and time associated with implementing your own login, identity, profile management, and password management.
Sign in with Linkedin
109
Common identity-related attacks
Password spray, replay, and phishing.
110
Here you configure the actions that external users can take while using the cloud resources of your tenant.
External collaboration settings.
111
Tenant properties configuration options
* Name
* Country
* Notification language
* Tenant ID
* Technical content
* Global privacy contact
Privacy statement URL
112
To change the tenant display name:
1. Select Properties.
2. In the Name box, change the tenant name.
3. Select Save.
113
To find the country or region associated with your tenant:
1. Select Properties.
| 2. Locate the "Country or region" setting.
114
To find the location associated with your tenant:
In the properties blade, under "Tenant properties", locate Location.
115
To find the TenantID:
1. Select Properties.
| 2. Locate the TenantID field under the "Tenant properties" header.
116
What privacy info can you add about your org in Azure AD?
* Technical contact.
* Global privacy contact.
* Privacy statement URL.
117
What happens when you don't add your privacy info in Azure AD?
Your external guests will see text in the Review Permissions box that says, "has not provided links to their terms for you to review."
