For each of the following statements, select Yes if the statement is true. Otherwise, select No. - Global administrators are exempt from conditional access policies - A conditional access policy can add users to Azure Active Directory (Azure AD) - Conditional access policies can force the use of multi-factor authentication (MFA) to access cloud apps

- Global administrators are exempt from conditional access policies → No - A conditional access policy can add users to Azure Active Directory (Azure AD) → No - Conditional access policies can force the use of multi-factor authentication (MFA) to access cloud apps → Yes

For each of the following statements, select Yes if the statement is true. Otherwise, select No. - Windows Hello for Business can use the Microsoft Authenticator app as an authentication - Windows Hello for Business can use a PIN code as an authentication method - Windows Hello for Business authentication information syncs across all the devices registered by a user

- Windows Hello for Business can use the Microsoft Authenticator app as an authentication → No - Windows Hello for Business can use a PIN code as an authentication method → Yes - Windows Hello for Business authentication information syncs across all the devices registered by a user → No

For each of the following statements, select Yes if the statement is true. Otherwise, select No. - Azure Defender can detect vulnerabilities and threats for Azure Storage - Cloud Security Posture Management (CSPM) is available for all Azure subscriptions - Azure Security Center can evaluate the security of workloads deployed to Azure or on-premises

- Azure Defender can detect vulnerabilities and threats for Azure Storage → Yes - Cloud Security Posture Management (CSPM) is available for all Azure subscriptions → Yes - Azure Security Center can evaluate the security of workloads deployed to Azure or on-premises → Yes

For each of the following statements, select Yes if the statement is true. Otherwise, select No. - Network security groups (NSGs) can deny inbound traffic from the internet - Network security groups (NSGs) can deny outbound traffic to the internet - Network security groups (NSGs) can filter traffic based on IP address, protocol, and port

- Network security groups (NSGs) can deny inbound traffic from the internet → Yes - Network security groups (NSGs) can deny outbound traffic to the internet → Yes - Network security groups (NSGs) can filter traffic based on IP address, protocol, and port → Yes

Topic 2 Flashcards by Mauro Di Grazia

Select the answer that correctly completes the sentence.

Applications registered in Azure Active Directory (Azure AD) are associated automatically to a
↘
- guest account
- managed identity
- service principal
- user account

service principal

How well did you know this?

Not at all

Perfectly

Which three authentication methods does Windows Hello for Business support? Each correct answer presents a complete solution.

A. fingerprint
B. facial recognition
C. PIN
D. email verification
E. security question

A. fingerprint
B. facial recognition
C. PIN

How well did you know this?

Not at all

Perfectly

Select the answer that correctly completes the sentence.

When you enable security defaults in Azure Directory (Azure AD), ________ will be enabled for all Azure AD users.
↘
- Azure AD Identity Protection
- Azure AD Privileged Identity Management (PIM)
- multi-factor authentication (MFA)

multi-factor authentication (MFA)

How well did you know this?

Not at all

Perfectly

You have an Azure subscription.
You need to implement approval-based, time-bound role activation.
What should you use?

A. Windows Hello for Business
B. Azure Active Directory (Azure AD) Identity Protection
C. access reviews in Azure Active Directory (Azure AD)
D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

How well did you know this?

Not at all

Perfectly

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Global administrators are exempt from conditional access policies
A conditional access policy can add users to Azure Active Directory (Azure AD)
Conditional access policies can force the use of multi-factor authentication (MFA) to access cloud apps

Global administrators are exempt from conditional access policies → No
A conditional access policy can add users to Azure Active Directory (Azure AD) → No
Conditional access policies can force the use of multi-factor authentication (MFA) to access cloud apps → Yes

How well did you know this?

Not at all

Perfectly

When security defaults are enabled for an Azure Active Directory (Azure AD) tenant, which two requirements are enforced?

A. All users must authenticate from a registered device.
B. Administrators must always use Azure Multi-Factor Authentication (MFA).
C. Azure Multi-Factor Authentication (MFA) registration is required for all users.
D. All users must authenticate by using passwordless sign-in.
E. All users must authenticate by using Windows Hello.

B. Administrators must always use Azure Multi-Factor Authentication (MFA).

C. Azure Multi-Factor Authentication (MFA) registration is required for all users.

How well did you know this?

Not at all

Perfectly

Which type of identity is created when you register an application with Active Directory (Azure AD)?

A. a user account
B. a user-assigned managed identity
C. a system-assigned managed identity
D. a service principal

D. a service principal

How well did you know this?

Not at all

Perfectly

Which three tasks can be performed by using Azure Active Directory (Azure AD) Identity Protection?

A. Configure external access for partner organizations.
B. Export risk detection to third-party utilities.
C. Automate the detection and remediation of identity based-risks.
D. Investigate risks that relate to user authentication.
E. Create and automatically assign sensitivity labels to data.

C. Automate the detection and remediation of identity based-risks.

D. Investigate risks that relate to user authentication.

B. Export risk detection to third-party utilities.

How well did you know this?

Not at all

Perfectly

Select the answer that correctly completes the sentence.

When using multi-factor authentication (MFA), a password is considered something you
↘
- are
- have
- know
- share

know

Password = know
Device / code / key = have
Biometric = you are

How well did you know this?

Not at all

Perfectly

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Windows Hello for Business can use the Microsoft Authenticator app as an authentication
Windows Hello for Business can use a PIN code as an authentication method
Windows Hello for Business authentication information syncs across all the devices registered by a user

Windows Hello for Business can use the Microsoft Authenticator app as an authentication → No
Windows Hello for Business can use a PIN code as an authentication method → Yes
Windows Hello for Business authentication information syncs across all the devices registered by a user → No

How well did you know this?

Not at all

Perfectly

Select the answer that correctly completes the sentence.

An Azure resource can use a system-assigned _________ to access Azure services.
↘
- Azure Active Directory (Azure AD) joined device
- managed identity
- service principal
- user identity

managed identity

How well did you know this?

Not at all

Perfectly

Select the answer that correctly completes the sentence.

You can use _____ in the Microsoft 365 Defender portal to identify devices that are affected by an alert.
↘
- classifications
- incidents
- policies
- Secure score

incidents

How well did you know this?

Not at all

Perfectly

What are two capabilities of Microsoft Defender for Endpoint?

A. automated investigation and remediation
B. transport encryption
C. shadow IT detection
D. attack surface reduction

A. automated investigation and remediation
D. attack surface reduction

How well did you know this?

Not at all

Perfectly

Match the Azure networking service to the appropriate description.
Each service may be used once, more than once, or not at all.

Services
- Azure Bastion
- Azure Firewall
- Network security group (NGS)

Answer Area
- Provides Network Address Translation (NAT) services
- Provides secure and seamless Remote Desktop connectivity to Azure virtual machines
- Provides traffic filtering that can be applied to specific network interfaces on a virtual network

Provides Network Address Translation (NAT) services → Azure Firewall
Provides secure and seamless Remote Desktop connectivity to Azure virtual machines → Azure Bastion
Provides traffic filtering that can be applied to specific network interfaces on a virtual network → Network security group (NSG)

How well did you know this?

Not at all

Perfectly

Select the answer that correctly completes the sentence.

Azure Advisor
Azure Bastion
Azure Monitor
Azure Sentinel
↘
is a cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution used to provide a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel

How well did you know this?

Not at all

Perfectly

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Azure Defender can detect vulnerabilities and threats for Azure Storage
Cloud Security Posture Management (CSPM) is available for all Azure subscriptions
Azure Security Center can evaluate the security of workloads deployed to Azure or on-premises

Azure Defender can detect vulnerabilities and threats for Azure Storage → Yes
Cloud Security Posture Management (CSPM) is available for all Azure subscriptions → Yes
Azure Security Center can evaluate the security of workloads deployed to Azure or on-premises → Yes

How well did you know this?

Not at all

Perfectly

Select the answer that correctly completes the sentence.

Reports
Hunting
Attack simulator
Incidents
↘
in the Microsoft 365 security center to view an aggregation of alerts that relate to the same attack.

Incidents

How well did you know this?

Not at all

Perfectly

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Network security groups (NSGs) can deny inbound traffic from the internet
Network security groups (NSGs) can deny outbound traffic to the internet
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port

Network security groups (NSGs) can deny inbound traffic from the internet → Yes
Network security groups (NSGs) can deny outbound traffic to the internet → Yes
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port → Yes

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Microsoft Intune can be used to manage Android devices
Microsoft Intune can be used to provision Azure subscription
Microsoft Intune can be used to manage organization-owned devices and personal devices

Microsoft Intune can be used to manage Android devices → Yes
Microsoft Intune can be used to provision Azure subscription → No
Microsoft Intune can be used to manage organization-owned devices and personal devices → Yes

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

You can create one Azure Bastion per virtual network
Azure Bastion provides secure user connections by using RDP
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal

You can create one Azure Bastion per virtual network → Yes
Azure Bastion provides secure user connections by using RDP → Yes
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal → Yes

What feature in Microsoft Defender for Endpoint provides the first line of defense against cyberthreats by reducing the attack surface?

A. automated remediation
B. automated investigation
C. advanced hunting
D. network protection

network protection

Select the answer that correctly completes the sentence.

In Microsoft Sentinel, you can automate common tasks by using
↘
- deep investigation tools
- hunting search-and-query tools
- playbooks
- workbooks

playbooks

Which two types of resources can be protected by using Azure Firewall?

A. Azure virtual machines
B. Azure Active Directory (Azure AD) users
C. Microsoft Exchange Online inboxes
D. Azure virtual networks
E. Microsoft SharePoint Online sites

A. Azure virtual machines
D. Azure virtual networks

You plan to implement a security strategy and place multiple layers of defense throughout a network infrastructure.
Which security methodology does this represent?

A. threat modeling
B. identity as the security perimeter
C. defense in depth
D. the shared responsibility model

defense in depth

For each of the following statements, select Yes if the statement is true. Otherwise, select No. - Microsoft Defender for Endpoint can protect Android devices - Microsoft Defender for Endpoint can protect Azure virtual machines that run Windows 10 - Microsoft Defender for Endpoint can protect Microsoft SharePoint Online sites and content from viruses

- Microsoft Defender for Endpoint can protect Android devices → Yes - Microsoft Defender for Endpoint can protect Azure virtual machines that run Windows 10 → Yes - Microsoft Defender for Endpoint can protect Microsoft SharePoint Online sites and content from viruses → No

What can you use to scan email attachments and forward the attachments to recipients only if the attachments are free from malware? A. Microsoft Defender for Office 365 B. Microsoft Defender Antivirus C. Microsoft Defender for Identity D. Microsoft Defender for Endpoint

A. Microsoft Defender for Office 365

Which feature provides the extended detection and response (XDR) capability of Azure Sentinel? A. integration with the Microsoft 365 compliance center B. support for threat hunting C. integration with Microsoft 365 Defender D. support for Azure Monitor Workbooks

C. integration with Microsoft 365 Defender

What can you use to provide threat detection for Azure SQL Managed Instance? A. Microsoft Secure Score B. application security groups C. Microsoft Defender for Cloud D. Azure Bastion

C. Microsoft Defender for Cloud

For each of the following statements, select Yes if the statement is true. Otherwise, select No. - Microsoft Secure Score in the Microsoft 365 security center can provide recommendations for Microsoft Cloud App Security - From the Microsoft 365 Defender portal, you can view how your Microsoft Secure Score compares to the score of organizations like yours - Microsoft Secure Score in the Microsoft 365 Defender portal gives you points if you address the improvement action by using a third-party application or software

- Microsoft Secure Score in the Microsoft 365 security center can provide recommendations for Microsoft Cloud App Security → Yes - From the Microsoft 365 Defender portal, you can view how your Microsoft Secure Score compares to the score of organizations like yours → Yes - Microsoft Secure Score in the Microsoft 365 Defender portal gives you points if you address the improvement action by using a third-party application or software → Yes

Which Azure Active Directory (Azure AD) feature can you use to restrict Microsoft Intune-managed devices from accessing corporate resources? A. network security groups (NSGs) B. Azure AD Privileged Identity Management (PIM) C. conditional access policies D. resource locks

C. conditional access policies

Select the answer that correctly completes the sentence. - Azure Active Directory (Azure AD) Privileged Identity Management (PIM) - Azure Defender - Azure Sentinel - Microsoft Cloud App Security ↘ can use conditional access policies to control sessions in real time

Microsoft Cloud App Security

Select the answer that correctly completes the sentence. Azure DDoS Protection Standard can be used to protect ↘ - Azure Active Directory (Azure AD) applications - Azure Active Directory (Azure AD) users - resource groups - virtual networks

virtual networks

What should you use in the Microsoft 365 Defender portal to view security trends and track the protection status of identities? A. Attack simulator B. Reports C. Hunting D. Incidents

B. Reports

You have a Microsoft 365 E3 subscription. You plan to audit user activity by using the unified audit log and Basic Audit. For how long will the audit records be retained? A. 15 days B. 30 days C. 90 days D. 180 days

D. 180 days

To which type of resource can Azure Bastion provide secure access? A. Azure Files B. Azure SQL Managed Instances C. Azure virtual machines D. Azure App Service

C. Azure virtual machines

What are three uses of Microsoft Cloud App Security? A. to discover and control the use of shadow IT B. to provide secure connections to Azure virtual machines C. to protect sensitive information hosted anywhere in the cloud D. to provide pass-through authentication to on-premises applications E. to prevent data leaks to noncompliant apps and limit access to regulated data

A. to discover and control the use of shadow IT C. to protect sensitive information hosted anywhere in the cloud E. to prevent data leaks to noncompliant apps and limit access to regulated data

Select the answer that correctly completes the sentence. In the Microsoft 365 Defender portal, an incident is a collection of correlated ↘ - alerts - events - vulnerabilities - Microsoft Secure Score improvement actions

alerts

You need to connect to an Azure virtual machine by using Azure Bastion. What should you use? A. PowerShell remoting B. the Azure portal C. the Remote Desktop Connection client D. an SSH client

B. the Azure portal

Which service includes the Attack simulation training feature? A. Microsoft Defender for Cloud Apps B. Microsoft Defender for Identity C. Microsoft Defender for SQL D. Microsoft Defender for Office 365

D. Microsoft Defender for Office 365

Which type of alert can you manage from the Microsoft 365 Defender portal? A. Microsoft Defender for Storage B. Microsoft Defender for SQL C. Microsoft Defender for Endpoint D. Microsoft Defender for IoT

C. Microsoft Defender for Endpoint

For each of the following statements, select Yes if the statement is true. Otherwise, select No. - Microsoft Sentinel data connectors support only Microsoft services - You can use Azure Monitor workbooks to monitor data collected by Microsoft Sentinel - Hunting provides you with the ability to identify security threats before an alert is triggered

- Microsoft Sentinel data connectors support only Microsoft services → No - You can use Azure Monitor workbooks to monitor data collected by Microsoft Sentinel → Yes - Hunting provides you with the ability to identify security threats before an alert is triggered → Yes

Which two Azure resources can a network security group (NSG) be associated with? A. a virtual network subnet B. a network interface C. a resource group D. a virtual network E. an Azure App Service web app

A. a virtual network subnet B. a network interface

What is a use case for implementing information barrier policies in Microsoft 365? A. to restrict unauthenticated access to Microsoft 365 B. to restrict Microsoft Teams chats between certain groups within an organization C. to restrict Microsoft Exchange Online email between certain groups within an organization D. to restrict data sharing to external email recipients

B. to restrict Microsoft Teams chats between certain groups within an organization

What can you use to deploy Azure resources across multiple subscriptions in a consistent manner? A. Microsoft Defender for Cloud B. Azure Blueprints C. Microsoft Sentinel D. Azure Policy

B. Azure Blueprints