Correct Answer: D

A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example:

- What resources the client may access.

- What permissions they have to those resources.

- How long the SAS is valid.

Incorrect Answers:

A. access keys

When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization. Rotate your keys if you believe they may have been compromised.

B. conditional access policies

Conditional Access in Azure Active Directory (Azure AD) controls access to cloud apps based on specific conditions that you specify. To allow access, you create Conditional Access policies that allow or block access based on whether or not the requirements in the policy are met.

C. certificates

Certificate based authentication cannot provide temporary access.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

Correct Answer: B

BP1 is in draft mode.

When a blueprint is first created, it's considered to be in Draft mode. When it's ready to be assigned, it needs to be Published.

Reference:

https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal

Correct Answer: B

The BP1 artifacts include one Policy assignment and a Resource group, but no Role assignments.

Note: Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

- Role Assignments

- Policy Assignments

- Azure Resource Manager templates (ARM templates)

Correct Answer: A

Yes, the BP1 artifacts include a Resource group. You must provide resource group name at the time of assignment.

Reference:

https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal

Correct Answer: A

With Password hash synchronization + Seamless SSO the authentication is in the cloud.

Azure AD password hash synchronization is the simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure.

Incorrect Answers:

B. pass-through authentication and Azure AD Seamless Single Sign-On (Azure AD Seamless SSO)

Pass-through Authentication rely on on-premises infrastructure.

C. an Active Directory Federation Services (AD FS) server

Federation rely on on-premises infrastructure.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#authentication-methods

Correct Answer: D

Modify is used to add, update, or remove properties or tags on a resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations.

Incorrect Answers:

A. Append

Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.

BC: The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy

Reference:

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#modify

Correct Answer: A

Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a management group, a subscription, a resource group, or an individual resource.

When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a managed identity for each assignment, but must have details about what roles to grant the managed identity. If the managed identity is missing roles, an error is displayed during the assignment of the policy or an initiative.

Incorrect Answers:

B. A managed identity with the User Access Administrator role

Contributor role is required to remediate non-compliant resources.

C. A service principal with the Contributor role

Azure Policy uses a managed identity.

D. A service principal with the User Access Administrator role

Azure Policy uses a managed identity.

Reference:

https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources

Correct Answer: C

The Authorization Code Grant Type is used by both web apps and native apps to get an access token after a user authorizes an app.

Note: The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.

After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

Incorrect Answers:

A. Background services

Several applications run as background tasks that do not require user interaction. They run independently without needing assistance from the user interface. Background jobs start the interaction and keep taking interactive user requests. It minimizes the load that applications generally put on the user interface.

B. Headless device authentication

A headless system is a computer that operates without a monitor, graphical user interface (GUI) or peripheral devices, such as keyboard and mouse.

Headless computers are usually embedded systems in various devices or servers in multi-server data center environments. Industrial machines, automobiles, medical equipment, cameras, household appliances, airplanes, vending machines and toys are among the myriad possible hosts of embedded systems.

Reference:

https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2

https://docs.pivotal.io/p-identity/1-11/grant-types.html#client-cred-roles

Correct Answer: A

How to include additional client data?

In case you need to store additional details about a client that don't fit into the standard parameter set the custom data parameter comes to help:

POST /c2id/clients HTTP/1.1 -

Host: demo.c2id.com -

Content-Type: application/json -

Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{

  "redirect_uris" : [ "https://myapp.example.com/callback" ],

  "data" : { "reg_type" : "3rd-party",

  "approved" : true,

  "author_id" : 792440 }

}

The data parameter permits arbitrary content packaged in a JSON object. To set it you will need the master registration token or a one-time access token with a client-reg:data scope.

Incorrect Answers:

B. Resource owner password

The resource owner password credentials grant workflow allows for the exchanging of the user name and password of a user for an access token. When using the resource owner password credentials grant, the user provides the credentials (user name and password) directly to the application.

C. Support state parameter

Authorization protocols provide a state parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response.

Reference:

https://connect2id.com/products/server/docs/guides/client-registration

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2

https://connect2id.com/products/server/docs/guides/client-registration#example-client-credentials-grant

Correct Answer: A

The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.

Note: IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen,

IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview