HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
The subscription is linked to an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You create the groups shown in the following table.
The membership rules for Group1 and Group2 are configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
You have a Microsoft 365 tenant that uses an Azure Active Directory (Azure AD) tenant. The Azure AD tenant syncs with an on-premises Active Directory domain by using an instance of Azure AD Connect.
You create a new Azure subscription.
You discover that the synced on-premises user accounts cannot be assigned roles in the new subscription.
You need to ensure that you can assign Azure and Microsoft 365 roles to the synced Azure AD user accounts.
What should you do first?
Answer:
C
You have an Azure subscription that contains an app named App1. App1 has the app registration shown in the following table.
You need to ensure that App1 can read all user calendars and create appointments. The solution must use the principle of least privilege.
What should you do?
Answer:
A
Reference:
https://docs.microsoft.com/en-us/graph/permissions-reference#calendars-permissions
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:
✑ Assignments: Include Group1, exclude Group2
✑ Conditions: Sign-in risk level: Low and above
✑ Access: Allow access, Require multi-factor authentication
You need to identify what occurs when the users sign in to Azure AD.
What should you identify for each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
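The following is an added example, not part of the original question or its references. It models the sign-in risk policy above in code so the two rules that decide the answer can be checked directly: an "exclude" assignment always wins over an "include" assignment, and "Low and above" matches low, medium and high risk but not a sign-in with no detected risk. The question's user table is not reproduced on this page, so the users and group memberships below are constructed sample data.

```python
"""Evaluate an Azure AD Identity Protection sign-in risk policy against sample sign-ins.

Added example (not from the original page). Users, group memberships and risk
levels are constructed; the policy settings are the ones stated in the question.
"""
from dataclasses import dataclass

# Identity Protection risk levels, lowest to highest.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignInRiskPolicy:
    include_groups: frozenset
    exclude_groups: frozenset
    min_risk: str          # lowest risk level that triggers the control ("Low and above" -> "low")
    control: str = "mfa"   # the policy's access control: "mfa" (require MFA) or "block"


# The policy from the question: include Group1, exclude Group2, Low and above, require MFA.
POLICY = SignInRiskPolicy(
    include_groups=frozenset({"Group1"}),
    exclude_groups=frozenset({"Group2"}),
    min_risk="low",
)


def policy_applies(policy: SignInRiskPolicy, user_groups: frozenset) -> bool:
    """Assignment check: exclusions are evaluated first and always win."""
    if policy.exclude_groups & user_groups:
        return False
    return bool(policy.include_groups & user_groups)


def evaluate(policy: SignInRiskPolicy, user_groups: frozenset, sign_in_risk: str) -> str:
    """Return the outcome for one sign-in: 'allow', 'mfa' or 'block'."""
    if sign_in_risk not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {sign_in_risk!r}")
    if not policy_applies(policy, user_groups):
        return "allow"            # out of scope: this policy enforces nothing
    if RISK_ORDER[sign_in_risk] < RISK_ORDER[policy.min_risk]:
        return "allow"            # in scope, but the risk is below the threshold
    return policy.control


# Constructed sample users (the question's user table is not on this page).
USERS = {
    "User1": frozenset({"Group1"}),            # included only
    "User2": frozenset({"Group1", "Group2"}),  # included and excluded: exclusion wins
    "User3": frozenset({"Group2"}),            # excluded only
    "User4": frozenset(),                      # in neither group
}


def outcomes(risk: str) -> dict:
    """Outcome for every sample user at the given sign-in risk level."""
    return {user: evaluate(POLICY, groups, risk) for user, groups in USERS.items()}


if __name__ == "__main__":
    for risk in ("none", "low", "high"):
        print(risk, outcomes(risk))
```

One caveat the model leaves out: a user who is in scope but has not yet registered for multi-factor authentication cannot satisfy "Require multi-factor authentication", so in practice such a sign-in is blocked rather than allowed.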
HOTSPOT -
You have an Azure subscription that contains an Azure SQL database named SQL1.
You plan to deploy a web app named App1.
You need to provide App1 with read and write access to SQL1. The solution must meet the following requirements:
✑ Provide App1 with access to SQL1 without storing a password.
✑ Use the principle of least privilege.
✑ Minimize administrative effort.
Which type of account should App1 use to access SQL1, and which database roles should you assign to App1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cdotnet
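The following is an added example, not code from the original page or from the referenced tutorial. It shows the pattern the question is about: App1 authenticates to SQL1 with a managed identity, the database holds a contained user backed by that identity, and that user is a member of only db_datareader and db_datawriter. The names App1 and SQL1 come from the question; the server name, the use of pyodbc with ODBC Driver 18 and the azure-identity package are assumptions. Only the token framing and connection-string checks run offline.

```python
"""Connect a web app to Azure SQL with a managed identity and no stored password.

Added example (not from the original page). Assumes App1 runs on App Service
with a system-assigned managed identity, that pyodbc and azure-identity are
installed, and that the T-SQL in PROVISION_SQL has already been run against
SQL1 (not master) by the server's Azure AD admin.
"""
import struct

# One-time T-SQL, run by the Azure AD admin while connected to SQL1: a contained
# user backed by the app's identity, limited to reading and writing table data.
PROVISION_SQL = """
CREATE USER [App1] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [App1];
ALTER ROLE db_datawriter ADD MEMBER [App1];
"""

SQL_COPT_SS_ACCESS_TOKEN = 1256  # ODBC connection attribute that carries an Azure AD access token
SQL_SCOPE = "https://database.windows.net/.default"


def access_token_struct(token: str) -> bytes:
    """Frame a bearer token the way the SQL Server ODBC driver expects it:
    a little-endian 4-byte byte length followed by the token as UTF-16-LE."""
    if not token or not token.isascii():
        raise ValueError("access token must be a non-empty ASCII string")
    encoded = token.encode("utf-16-le")
    return struct.pack("<I", len(encoded)) + encoded


def parse_token_struct(blob: bytes) -> str:
    """Inverse of access_token_struct; used to sanity-check the framing."""
    (length,) = struct.unpack("<I", blob[:4])
    body = blob[4:]
    if len(body) != length:
        raise ValueError("length prefix does not match token body")
    return body.decode("utf-16-le")


def connection_string(server: str, database: str) -> str:
    """No UID or PWD: authentication comes from the token attribute at connect time."""
    return (
        "Driver={ODBC Driver 18 for SQL Server};"
        f"Server=tcp:{server},1433;Database={database};"
        "Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;"
    )


def connect(server: str, database: str):
    """Acquire a token from the managed identity and open a pyodbc connection.
    Requires network access and the optional packages, so the imports are local."""
    import pyodbc
    from azure.identity import DefaultAzureCredential

    token = DefaultAzureCredential().get_token(SQL_SCOPE).token
    return pyodbc.connect(
        connection_string(server, database),
        attrs_before={SQL_COPT_SS_ACCESS_TOKEN: access_token_struct(token)},
    )


if __name__ == "__main__":
    # Constructed token value, only to show the framing round-trips.
    blob = access_token_struct("eyJ0eXAiOiJKV1QifQ.example")
    print(len(blob), parse_token_struct(blob))
    # connect("sql1-server.database.windows.net", "SQL1")  # assumed server name; needs Azure
```

A system-assigned identity is deleted with the app, so no credential outlives App1, and nothing in the connection string is secret. Granting db_owner instead of the two data roles would work but would let the app alter schema and permissions, which the least-privilege requirement rules out.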
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains two users named User1 and User2 and a registered app named App1.
You create an app-specific role named Role1.
You need to assign Role1 to User1 and enable User2 to request access to App1.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: Roles and administrators -
Here you will find Role1 and be able to assign User1 to the role.
Box 2: Self-service -
Under Self-service, there is an option to "Allow users to request access to this application".
You have an Azure subscription that contains the resources shown in the following table.
You plan to deploy the virtual machines shown in the following table.
You need to assign managed identities to the virtual machines. The solution must meet the following requirements:
✑ Assign each virtual machine the required roles.
✑ Use the principle of least privilege.
What is the minimum number of managed identities required?
Answer:
B
We have two different sets of required permissions. VM1 and VM2 have the same permission requirements. VM3 and VM4 have the same permission requirements.
A user-assigned managed identity can be assigned to one or many resources. By using user-assigned managed identities, we can create just two managed identities: one with the permission requirements for VM1 and VM2 and the other with the permission requirements for VM3 and VM4.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
SIMULATION -
You need to ensure that a user named user2-12345678 can manage the properties of the virtual machines in the RG1lod12345678 resource group. The solution must use the principle of least privilege.
To complete this task, sign in to the Azure portal.
Answer:
See the explanation below.
1. Sign in to the Azure portal.
2. Browse to Resource Groups.
3. Select the RG1lod12345678 resource group.
4. Select Access control (IAM).
5. Select Add > role assignment.
6. Select Virtual Machine Contributor (you can filter the list of available roles by typing 'virtual' in the search box) then click Next.
7. Select the +Select members option and select user2-12345678 then click the Select button.
8. Click the Review + assign button twice.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current
SIMULATION -
You need to create a new Azure Active Directory (Azure AD) directory named 12345678.onmicrosoft.com. The new directory must contain a new user named [email protected].
To complete this task, sign in to the Azure portal.
Answer:
See the explanation below.
The first step is to create the Azure Active Directory tenant.
1. Sign in to the Azure portal.
2. From the Azure portal menu, select Azure Active Directory.
3. On the overview page, select Manage tenants.
4. Select +Create.
5. On the Basics tab, select Azure Active Directory.
6. Select Next: Configuration to move on to the Configuration tab.
7. For Organization name, enter 12345678.
8. For the Initial domain name, enter 12345678.
9. Leave the Country/Region as the default.
10. Select Next: Review + create, verify the settings, and then select Create.
The next step is to create the user.
1. From the Azure portal menu, select Azure Active Directory.
2. Select Users then select New user.
3. Enter User1 in the User name field, make sure the domain 12345678.onmicrosoft.com is selected, and enter User1 in the Name field.
4. Leave the default option of Auto-generate password.
5. Click the Create button.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
HOTSPOT -
You have an Azure subscription that contains a resource group named RG1. RG1 contains a storage account named storage1.
You have two custom Azure roles named Role1 and Role2 that are scoped to RG1.
The permissions for Role1 are shown in the following JSON code.
The permissions for Role2 are shown in the following JSON code.
You assign the roles to the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
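The following is an added example, not part of the original question. The JSON for Role1 and Role2 is not reproduced on this page, so the role definitions and user assignments below are constructed. What the example checks are the rules that decide Yes/No statements about custom roles: NotActions only subtract from Actions in the same role and never deny a permission another assigned role grants; Actions cover the management plane while DataActions cover the data plane, so a "*" in Actions grants nothing on blob contents; a "*" in an action string matches everything after it, across path segments; and an assignment scoped to RG1 covers every resource inside RG1, including storage1. The subscription ID and the resource IDs are placeholders.

```python
"""Evaluate constructed Azure custom role definitions against operations on storage1.

Added example (not from the original page). ROLES and ASSIGNMENTS are
constructed stand-ins for the question's Role1/Role2 JSON and user table.
"""
from fnmatch import fnmatchcase

# Constructed role definitions (not the ones shown in the question).
ROLES = {
    "Role1": {
        "Actions": ["Microsoft.Storage/storageAccounts/*"],
        "NotActions": ["Microsoft.Storage/storageAccounts/delete",
                       "Microsoft.Storage/storageAccounts/listKeys/action"],
        "DataActions": [],
        "NotDataActions": [],
    },
    "Role2": {
        "Actions": ["Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action"],
        "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": [],
    },
}

# Constructed assignments: user -> roles, every assignment scoped to RG1.
ASSIGNMENTS = {
    "User1": ["Role1"],
    "User2": ["Role2"],
    "User3": ["Role1", "Role2"],
}

RG_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1"  # placeholder ID
STORAGE1 = RG_SCOPE + "/providers/Microsoft.Storage/storageAccounts/storage1"


def matches(pattern: str, operation: str) -> bool:
    """Operation names are case-insensitive; '*' matches any remaining characters."""
    return fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role: dict, operation: str, data_plane: bool) -> bool:
    """A single role grants an operation if it is in Actions (or DataActions)
    and not excluded by NotActions (or NotDataActions) of the same role."""
    allow_key, deny_key = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    allowed = any(matches(p, operation) for p in role[allow_key])
    excluded = any(matches(p, operation) for p in role[deny_key])
    return allowed and not excluded


def in_scope(assignment_scope: str, resource_id: str) -> bool:
    """An assignment covers its own scope and everything nested under it."""
    scope, res = assignment_scope.lower(), resource_id.lower()
    return res == scope or res.startswith(scope + "/")


def user_can(user: str, operation: str, resource_id: str = STORAGE1, data_plane: bool = False) -> bool:
    """True if any role assigned to the user grants the operation at a scope covering the resource.
    Permissions are additive: an exclusion in one role does not block another role's grant."""
    if not in_scope(RG_SCOPE, resource_id):
        return False
    return any(role_permits(ROLES[r], operation, data_plane) for r in ASSIGNMENTS.get(user, []))


if __name__ == "__main__":
    list_keys = "Microsoft.Storage/storageAccounts/listKeys/action"
    blob_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    print("User1 listKeys:", user_can("User1", list_keys))                     # excluded by Role1
    print("User3 listKeys:", user_can("User3", list_keys))                     # Role2 grants it anyway
    print("User1 blob read:", user_can("User1", blob_read, data_plane=True))   # Actions '*' is not a DataAction
```

The listKeys case is the one worth remembering when judging least privilege: a management-plane permission to list the storage account keys effectively hands over the data plane, because the keys authorize every blob operation regardless of DataActions.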