Section-Based – Manage Azure Identities and Governance Flashcards

1
Q

You are managing an Azure subscription that contains a resource group named TD-RG1 which has a virtual machine named TD-VM1.

TD-VM1 has services that will deploy new resources on TD-RG1.

You need to make sure that the services running on TD-VM1 are able to manage the resources in TD-RG1 using the virtual machine's identity.

Which of the following actions should you do first?

A. Configure the security settings of TD-RG1.
B. Configure the access control of TD-VM1.
C. Configure the managed identity of TD-VM1.
D. Configure the access control of TD-RG1.

A

C. Configure the managed identity of TD-VM1.

Explanation:

Microsoft Entra ID is a cloud-based identity and access management service that enables your employees to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization.

There are two types of managed identities:

– System-assigned: some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Microsoft Entra ID that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID.

– User-assigned: you may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.

In this scenario, you can use the system-assigned managed identity. Take note that this identity is restricted to only one resource. You can grant permissions to the managed identity by using Azure RBAC. The managed identity is authenticated with Microsoft Entra ID, so you don’t have to store any credentials.

Hence, the correct answer is: Configure the managed identity of TD-VM1.

The option that says: Configure the security settings of TD-RG1 is incorrect because it only provides security recommendations and security alerts for your resource group. As per the scenario, you need to ensure that the services running on TD-VM1 are able to manage the resources in TD-RG1 using its identity. Therefore, you need to configure the managed identity settings of TD-VM1.

The options that say: Configure the access control of TD-VM1 and Configure the access control of TD-RG1 are incorrect because these only add role assignments to an Azure resource. A role assignment attaches a role definition to a user, group, or service principal to provide access to a specific resource. Remember that access is granted by creating a role assignment and revoked by removing a role assignment. Before any role can be assigned to the virtual machine, you have to configure a managed identity for it.

2
Q

Your company has a Microsoft Entra tenant named TD-Entra-ID that contains 3 User Administrators and 2 Global Administrators.

You recently purchased 5 Premium P1 licenses.

You need to make sure that the users in your tenant have access to all the Premium P1 features.

What should you do to satisfy the above requirement?

A. Select the user in your tenant and assign a new role in the Directory role blade of each user.
B. Select the user in your tenant and assign it to an administrative unit.
C. In the Licenses blade of Microsoft Entra ID, select the user in your tenant and assign the license.
D. Select the user in your tenant and add the user to a Microsoft Entra group.

A

C. In the Licenses blade of Microsoft Entra ID, select the user in your tenant and assign the license.

Explanation:
Microsoft Entra ID is a cloud-based identity and access management service that enables your employees to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization.

There are several license plans available for the Microsoft Entra ID service, including:

– Microsoft Entra ID Free

– Microsoft Entra ID P1

– Microsoft Entra ID P2

To ensure that the users in your tenant have access to Premium P1 license features, you must manually add the license to each user or add the license to a group. Remember that only the users with active licenses can access and use the licensed Microsoft Entra ID services. Also, licenses are applied per tenant, and you can’t transfer them to other tenants.

Hence, the correct answer is: In the Licenses blade of Microsoft Entra ID, select the user in your tenant and assign the license.

The option that says: Select the user in your tenant and assign a new role in the Directory role blade of each user is incorrect because this approach only assigns a new role to your user. To assign the Premium P1 licenses to your users, you must go to the Licenses tab and click Assignments.

The option that says: Select the user in your tenant and assign it to an administrative unit is incorrect because this option only restricts permissions in a role to any portion of your organization that you define. You must select the user in your tenant and manually add the Premium P1 license.

The option that says: Select the user in your tenant and add the user to a Microsoft Entra group is incorrect because this approach would only work if the license is already added to the group. Take note that this option only adds the user to a Microsoft Entra ID group. To ensure that the users in the Microsoft Entra ID group have access to the Premium P1 license features, you will need to assign a license to the group.

3
Q

You have an Azure Subscription and a Microsoft Entra group named Developers.

The Azure Subscription has a resource group named Dev.

You need to assign a role in the Developers group to allow the users to create Azure Logic Apps in the resource group.

Solution: In the Dev resource group, assign a User Access Administrator role to the Developers group.

Does the proposed solution meet the goal?

No
Yes
A

No

Explanation:
Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant just the right access to users that they need to perform their jobs.

The permissions of the User Access Administrator role only cover managing user access to Azure resources. This role cannot create or manage any type of Azure resource.

Since the requirement in the scenario is to allow the users to create Azure Logic Apps in the resource group, you have to assign a Contributor role to the users of the Developers group.

Hence, the correct answer is: No.

4
Q

Your company has several client computers at the office headquarters. Two years ago, you migrated the on-premises directory to Microsoft Entra ID.

To meet the compliance requirement, personal and corporate devices must be registered and joined to the Microsoft Entra domain.

You received a report that a user cannot register her personal device to Microsoft Entra. Upon checking, the user was able to register her other devices in the past. You also verified that all other users were able to join their devices to Microsoft Entra last month.

You need to make sure that the user can access and join her new device to Microsoft Entra.

What must be done to satisfy the above requirement?

A. Modify the maximum number of devices per user in the device settings.
B. Assign a new role to the user.
C. Move the user to a new group.
D. Add a custom domain name.

A

A. Modify the maximum number of devices per user in the device settings.

Explanation:
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access both external and internal resources.

The device settings in Microsoft Entra allow you to customize the maximum number of devices per user. It can be 5, 10, 20, or unlimited. If a user has reached the limit, they will not be allowed to add new devices until one or more devices have been removed.

Hence, the correct answer is: Modify the maximum number of devices per user in the device settings.

The option that says: Move the user to a new group is incorrect because even if you move the user to a different group, the user won’t be able to access Microsoft Entra. You need to modify the maximum number of devices in the device settings.

The option that says: Add a custom domain name is incorrect because creating a new custom domain is not needed in the scenario. The user still won’t be able to access Microsoft Entra.

The option that says: Assign a new role to the user is incorrect because a new role won’t resolve the problem of the user. Remember that the user was able to register and join her other devices to Microsoft Entra in the past. Therefore, the role associated with her doesn’t have any issues at all. You must modify the maximum number of devices in Microsoft Entra.

5
Q

Your company recently created a new Azure subscription. You checked the subscription and it contains the following resources.

Resource group | Location | Policy
TD-RG1 | North Central US | Policy1
TD-RG2 | West US | Policy2
TD-RG3 | North Europe | Policy3
TD-RG4 | East US | Policy4

TD-RG3 contains a web app named TD-App3 which is located in North Europe.

You plan to move TD-App3 to TD-RG1.

What is the effect of moving the web app to a different resource group?

A. The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 1.
B. The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 3.
C. The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 3.
D. The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 1.

A

D. The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 1.

Explanation:
In this scenario, the TD-App3 is located in the North Europe region. Take note that you cannot change an App Service plan’s region. Also, if you move a resource to a new resource group or subscription, the location of the resource would not change. If you need to run your app in a different region, one alternative is app cloning. Cloning makes a copy of your app in a new or existing App Service plan in any region.

Since you plan to move TD-App3 to TD-RG1, the policy that will be applied to TD-App3 is the policy of TD-RG1 (Policy1). Remember that the assigned policy on the resource group will also be applied to the resources. You can also assign multiple policies in one resource group.

Hence, the correct answer is: The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 1.

The option that says: The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 1 is incorrect because TD-App3 would still remain in the North Europe region even if you moved the resource to a different resource group.

The option that says: The TD-App3 remains in the North Europe region and the policy applied to the resource will be Policy 3 is incorrect because Policy 3 is only applied to the TD-RG3 resources. Since you moved the resources to TD-RG1, the policy applied to the TD-App3 is Policy1.

The option that says: The TD-App3 is moved to the North Central US region and the policy applied to the resource will be Policy 3 is incorrect because if you moved a resource to a different resource group, the location of the resource would not change.

6
Q

You are managing a Microsoft Entra tenant that has 500 user accounts.

You created a new user account named AppAdmin.

You must assign the role of Application Administrator to the AppAdmin user account.

What should you do in the Microsoft Entra ID settings to accomplish this requirement?

A. Select the user profile and assign it to an administrative unit.
B. Select the user profile and add the role assignments.
C. Select the user profile and enable the My Staff feature.
D. Select the user profile and add the user to the admin group.

A

B. Select the user profile and add the role assignments.

Explanation:
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access both external and internal resources. External resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications. Internal resources include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Microsoft Entra has a set of built-in admin roles for granting access to manage configuration in Microsoft Entra for all applications. These roles are the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to manage other parts of Microsoft Entra not related to application configuration. Here are the two common built-in roles in Microsoft Entra ID:

– Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

– Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

If you want to grant a user permission to manage Microsoft Entra resources, you must assign them to a role that provides the permissions they need. Based on the given scenario, the new user account needs the role of Application Administrator. To grant a role to the new user account, you must select the user profile and click on add assignments in the assigned roles option. Add the Application Administrator role, and the user can now create and manage all aspects of app registrations and enterprise apps.

Hence, the correct answer is: Select the user profile and add the role assignments.

The option that says: Select the user profile and add the user to the admin group is incorrect because adding the user to the admin group doesn’t mean that the Application Administrator’s role is automatically assigned to the user account.

The option that says: Select the user profile and assign it to an administrative unit is incorrect because this option only restricts permissions in a role to any portion of your organization that you define. Take note that the requirement in the scenario is to assign an Application Administrator role to the new user account and not to restrict its permissions in your account.

The option that says: Select the user profile and enable the My Staff feature is incorrect because the My Staff feature simply enables you to delegate to a figure of authority, such as a store manager or a team lead, the permissions to ensure that their staff members are able to access their Microsoft Entra accounts.

7
Q

Your company has an Azure subscription named TD-Sub1 that contains the resources shown in the table below.

Name | Type
tutorialsdojovnet | Virtual network
tutorialsdojovm | Virtual machine
tutorialsdojovault | Recovery Services vault
tutorialsdojostorage | Storage account

You created a new Azure subscription named TD-Sub2.

You plan to move the resources from TD-Sub1 to TD-Sub2.

Which resources in TD-Sub1 can you move to the new subscription?

A. Virtual machine, Virtual network, and Storage account
B. Virtual machine, Virtual network, Recovery Services vault, and Storage account
C. Virtual machine, Virtual network, and Recovery Services vault
D. Virtual machine and Virtual network

A

B. Virtual machine, Virtual network, Recovery Services vault, and Storage account

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

If you need to move your resources to a new subscription or to another resource group under the same subscription, you can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API. Take note that when you move a resource to a new resource group or subscription, the location of the resource won’t change.

Hence, the correct answer is: Virtual machine, Virtual network, Recovery Services vault, and Storage account.

The following options are incorrect because all four resources can be moved to a new subscription or resource group, so each of these options leaves out resources that can also be moved.

– Virtual machine, Virtual network, and Storage account

– Virtual machine, Virtual network, and Recovery Services vault

– Virtual machine and Virtual network

8
Q

Your company has an Azure subscription that is used by several departments. The resources in the subscription are listed in the table below.

Name | Type
tutorialsdojoVM01 | Virtual machine
tutorialsdojostorage01 | Storage account
tutorialsdojoShare01 | File share
tutorialsdojoRG01 | Resource group
tutorialsdojoBC01 | Blob container

There’s another Azure Administrator who created several virtual machines and storage accounts using an ARM template. You need to find the template that was used to deploy the new resources.

From which blade can you view the newly created ARM template?

A. tutorialsdojoRG01
B. tutorialsdojoStorage01
C. tutorialsdojoBC01
D. tutorialsdojoShare01

A

A. tutorialsdojoRG01

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization.

Generally, you should add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

To view the ARM template that was used to deploy the resources, go to the Deployments settings of the resource group and select the template view. If you select a deployment, you can check the inputs, outputs, and the template used during that deployment. Remember that you can’t change the configuration of a template after you have deployed it. Also remember that in the ARM template of a virtual machine, you can only find the resources associated with that specific virtual machine.

Hence, the correct answer is: tutorialsdojoRG01.

The following options are incorrect because the ARM template that was used in the deployment can only be found in the resource group.

– tutorialsdojoBC01

– tutorialsdojoShare01

– tutorialsdojoStorage01

9
Q

You created a new Azure subscription. The subscription has a resource group named TD-RG. The resources in TD-RG are created using ARM templates.

You need to get the exact date and time when the resources in TD-RG were deployed.

Solution: In the resource group settings, select Deployments.

Does the solution meet the goal?

A. Yes
B. No

A

A. Yes

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

To verify the date and time the resources were deployed, you can select the resource group and click the deployment settings. You will see a summary of the deployment: the deployment name, status, last modified, duration, and related events. If you select the template, you can check the inputs, outputs, and the template used during deployment.

Hence, the correct answer is: Yes.

10
Q

You need to grant several users who must belong to the same Azure group temporary access to the Microsoft SharePoint document library. The group must automatically be deleted after 180 days for compliance purposes.

Which two actions could you perform?

A. Set up an external identity provider.
B. Set up a dynamic membership on Microsoft 365 groups.
C. Set up an assigned membership on Microsoft 365 groups.
D. Set up an assigned membership on security groups.
E. Set up a dynamic membership on security groups.

A

B. Set up a dynamic membership on Microsoft 365 groups.
C. Set up an assigned membership on Microsoft 365 groups.

Explanation:
Microsoft Entra ID is a cloud-based identity and access management service that enables your employees to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization.

When creating a new group in Microsoft Entra ID, you can select two types of membership.

– The assigned membership type lets you add specific users as members of the group and give them unique permissions.

– The dynamic membership type lets you add and remove members automatically based on your dynamic membership rules (user attributes such as department, location, or job title).

Since you need to delete the groups automatically, you can set an expiration policy in Microsoft 365 groups. Take note that when a group expires, all of its associated services will also be deleted.

Hence, the correct answers are:

– Set up a dynamic membership on Microsoft 365 groups.

– Set up an assigned membership on Microsoft 365 groups.

The options that say: Set up an assigned membership on security groups and Set up a dynamic membership on security groups are incorrect because security groups can only be used for devices or users and not for groups.

The option that says: Set up an external identity provider is incorrect because external identities only allow users outside your organization to access your resources. This option won’t help you create an expiration policy.

11
Q

Your company has an Azure subscription named ManilaSubscription that contains multiple virtual machines.

The subscription has a user named ManilaUser01 which has the following roles:

Backup Reader
Storage Blob Data Contributor
DevTest Labs User

You need to ensure that ManilaUser01 can assign a Reader role to all the users in the subscription.

What role should you assign?

A. Assign the User Access Administrator role.
B. Assign the Security Reader role.
C. Assign the Security Admin role.
D. Assign the Virtual Machine Contributor role.

A

A. Assign the User Access Administrator role.

Explanation:
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

The four fundamental Azure roles are Owner, Contributor, Reader, and User Access Administrator. To assign a Reader role to all the users in the Azure subscription, you must grant the user a User Access Administrator role. This role allows you to manage user access to the Azure resources.

Hence, the correct answer is: Assign the User Access Administrator role.

The option that says: Assign the Security Reader role is incorrect because this role only allows the user to view permissions in the Security Center.

The option that says: Assign the Virtual Machine Contributor role is incorrect because this role just lets you manage virtual machines. Take note that this role doesn’t allow you to access virtual machines directly nor assign a Reader role to all the users in the subscription.

The option that says: Assign the Security Admin role is incorrect. This role has the same permissions as the Security Reader role. The only difference is that it can update the security policy and dismiss alerts and recommendations.

12
Q

You created a new Azure subscription. The subscription has a resource group named TD-RG. The resources in TD-RG are created using ARM templates.

You need to get the exact date and time when the resources in TD-RG were deployed.

Solution: In the resource group settings, select Properties.

Does the solution meet the goal?

A. No
B. Yes

A

A. No

Explanation:
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

The properties in the resource group contain the name, location, location ID, resource ID, subscription, and subscription ID. This setting does not contain the date and time when the resources were deployed.

To verify the date and time the resources were deployed, you can select the resource group and click the deployment settings. You will see a summary of the deployment: the deployment name, status, last modified, duration, and related events. If you select a particular template, you can check the inputs, outputs, and the template used during deployment.

Hence, the correct answer is: No.

13
Q

You have an Azure Subscription and a Microsoft Entra group named Developers.

The Azure Subscription has a resource group named Dev.

You need to assign a role in the Developers group to allow the users to create Azure Logic Apps in the resource group.

Solution: In the Dev resource group, assign a Logic App Operator role to the Developers group.

Does the proposed solution meet the goal?

No
Yes
A

No

Explanation:
Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the needed access to allow your users to perform their jobs.

The Logic App Operator role only lets you read, enable, and disable logic apps. You can’t edit, update, or create logic apps.

To satisfy the requirement in the scenario, you have to assign the Contributor role on the Dev resource group to the Developers Microsoft Entra ID group.

Hence, the correct answer is: No.
