Secure Identity and Access for Microsoft Azure Security Technologies

This page covers the Secure Identity and Access domain of the Microsoft Azure Security Technologies certification. Master Cybersecurity offers 176 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  Question 1

    HOTSPOT -

    You need to create Role1 to meet the platform protection requirements.

    How should you complete the role definition of Role1? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    Hot Area:

      Explanation

      Scenario: A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in RG1. Role1 must be available only for RG1.

      Azure RBAC template managed disks "Microsoft.Storage/"

      Reference:

      https://blogs.msdn.microsoft.com/azureedu/2017/02/11/new-managed-disk-storage-option-for-your-azure-vms/
      https://blogs.msdn.microsoft.com/azure4fun/2016/10/21/custom-azure-rbac-roles-and-how-to-extend-existing-role-definitions-scope/

    Question 2

      You need to ensure that User2 can implement PIM. What should you do first?
      A. Assign User2 the Global administrator role.
      B. Configure authentication methods for contoso.com.
      C. Configure the identity secure score for contoso.com.
      D. Enable multi-factor authentication (MFA) for User2.
      Explanation

      The correct answer is: A. Assign User2 the Global administrator role.

      Assigning User2 the Global administrator role first is what enables them to implement Privileged Identity Management for the tenant, because PIM's initial enablement (the very first time the feature is turned on for the directory) requires Global administrator privileges. Lesser administrative roles cannot complete the initial PIM consent step that registers the PIM service principal and grants it the needed tenant-wide rights. Configuring authentication methods or enabling MFA for User2 is good security hygiene but does not bestow PIM-enablement rights. The identity secure score is a posture metric and is unrelated to who can implement PIM. Global administrator is the prerequisite role for the initial PIM rollout, so it is the right first assignment.
    Question 3

      DRAG DROP -

      You need to perform the planned changes for OU2 and User1.

      Which tools should you use? To answer, drag the appropriate tools to the correct resources. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

      NOTE: Each correct selection is worth one point.

      Select and Place:

      Question 4

        You need to meet the technical requirements for the finance department users. Which CAPolicy1 settings should you modify?
        A. Cloud apps or actions
        B. Conditions
        C. Grant
        D. Session
        Explanation

        The correct answer is: D. Session.

        The Session control of a Conditional Access policy is what you modify to enforce a finance-department-specific session experience such as App enforced restrictions, Conditional Access App Control, persistent browser session limits, or sign-in frequency. Session controls operate after the access decision is granted and shape what happens during the session — exactly where finance department user-experience requirements (for example, no persistent browsers, or a 1-hour sign-in frequency) are expressed. Cloud apps or actions selects which applications the policy targets; Conditions sets the contextual filters such as user risk, location, or device platform; Grant controls the access decision and the required authentication strength. Session is the panel that carries the per-session settings the finance technical requirements call for, so it is the right block to modify.
      Question 5

        HOTSPOT -

        You need to delegate the creation of RG2 and the management of permissions for RG1.

        Which users can perform each task? To answer, select the appropriate options in the answer area.

        Note: Each correct selection is worth one point.

        Hot Area:

          Explanation

          Box 1: Admin3 only - The Contributor role has the necessary write permissions to create the resource group.

          Box 2: Admin4 only - You need Owner level access to be able to manage permissions. The Contributor role can do most things but cannot modify permissions on existing objects.
