Correct Answer: AE

The Conditional Access feature in Azure Active Directory (Azure AD) offers one of several ways that you can use to secure your app and protect a service.

Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including:

◉ Multi-factor authentication

◉ Allowing only Intune enrolled devices to access specific services

◉ Restricting user locations and IP ranges

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:

◉ Service accounts and service principals.

If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

You can use either guest accounts or multi-tenant app registrations to allow users from other tenants to access your application.

Incorrect Answers:

B. Azure AD managed identities

Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.

D. an Azure application security group

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

Note: The correct options should be application registration with Azure, this will allow the authentication of users on the AD to access the application. A default application registration validates that the user has valid login credentials. This can be your Active Directory or in case of a multi-tenant application the directory where the user is originated from.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-conditional-access-dev-guide

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management

https://www.re-mark-able.net/understanding-azure-active-directory-application-registrations/

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

Correct Answer: D

Azure Storage encrypts all data in a storage account at rest. You can manage your own keys. Customer-managed keys must be stored in Azure Key Vault or Key Vault Managed Hardware Security Model (HSM).

You can use a new or existing key vault to store customer-managed keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions.

Note: You must use either Azure Key Vault or Azure Key Vault Managed Hardware Security Module (HSM) (preview) to store your customer-managed keys. You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault or managed HSM must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.

Incorrect Answers:

A. a certificate issued by an integrated certification authority (CA) and stored in Azure Key Vault

Azure Storage encryption supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096. Certificate is not required.

B. a managed identity that is configured to access the storage account

No need to create a managed identity. You select the custom encryption key from "Encryption" in Settings window.

C. an Azure Active Directory Premium subscription

Not a valid option in this context.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=portal

Correct Answer: A

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

⦿ Role Assignments

⦿ Policy Assignments

⦿ Azure Resource Manager templates (ARM templates)

⦿ Resource Groups

Role assignments can be defined for the entire subscription or nested to a specific resource group included in the blueprint.

Incorrect Answers:

B. Azure Policy

A policy is a default allow and explicit deny system focused on resource properties during deployment and for already existing resources.

C. Azure Security Center

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.

Reference:

https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

Correct Answer: A

It's typically possible for someone with appropriate Azure role-based access control (Azure RBAC) on the subscription, such as the 'Owner' role, to be allowed to alter or delete any resource. This access isn't the case when Azure Blueprints applies locking as part of a deployed assignment. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource.

This security measure protects the consistency of the defined blueprint and the environment it was designed to create from accidental or programmatic deletion or alteration.

Incorrect Answers:

B. Resource locks at the resource group level

Owners can remove the locks and delete the resources.

C. Resource locks at the subscription level

Owners can remove the locks and delete the resources. Moreover, a read-only lock on a subscription prevents Azure Advisor from working correctly.

Reference:

https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking

Correct Answer: D

You need to do app registration which supports Multi-tenant apps that are available to users in both their home tenant and other tenants.

Incorrect Answers:

A. a conditional access policy

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action.

B. pass-through authentication

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords.

C. guest accounts

Managing guest users for every new user joined/moved in west.preparationlabs.com is a tedious task.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

Correct Answer: A

Step 1: Azure AD Application proxy

Azure AD Application Proxy is a prerequisite for a scenario with an on-premises legacy applications published for cloud access,

Note: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server.

Step 2: an Azure AD Enterprise Application

The Enterprise Applications blade might be confused with App Registrations because the Enterprise Application blade contains the list of your service principals. However, the term Enterprise App generally refers to applications published by other companies in the AAD gallery that can be used within your organization. For example, if you want to integrate Facebook and manage SSO within your organization, you can integrate it from the Enterprise Applications dropdown in the applications blade. Your own applications will also be represented in the Enterprise Applications blade as Service Principals, which are instantiations of your applications in the tenant.

Step 3: an Azure AD conditional access policy

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

With hybrid identity to Azure AD and hybrid identity management these scenarios become possible.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application#add-an-on-premises-app-to-azure-ad

https://thesleepyadmins.com/2019/02/

Correct Answer: D

You can use the capabilities in Azure Active Directory B2B to collaborate with external guest users and you can use Azure RBAC to grant just the permissions that guest users need in your environment

MIM enables the organization to have the right users and access rights for Active Directory for on-premises apps, and Azure AD Connect can then make available in Azure AD for Microsoft 365 and cloud-hosted apps.

Incorrect Answers:

A - a lot of work on prem (Fabricam) and mainly to give all users access to Azure. Not suitable

B - No access to on prem resources in Techzen

C - All Fabricam users would get access

Reference:

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

Correct Answer: D

You use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of resources being deployed to your subscription that don't have the expected tags for your organization. Instead of manually applying tags or searching for resources that aren't compliant, you create a policy that automatically applies the needed tags during deployment.

Note: Organizing cloud-based resources is a crucial task for IT, unless you only have simple deployments. Use naming and tagging standards to organize your resources for these reasons:

Resource management: Your IT teams will need to quickly locate resources associated with specific workloads, environments, ownership groups, or other important information. Organizing resources is critical to assigning organizational roles and access permissions for resource management.

Incorrect Answers:

A. an Azure data catalog that uses the Azure REST API as a data source

Azure Data Catalog is a fully managed cloud service. It lets users discover the data sources they need and understand the data sources they find.

B. Azure Active Directory (Azure AD) administrative units

An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users and groups. Administrative units restrict permissions in a role to any portion of your organization that you define.

C. an Azure management group that uses parent groups to create a hierarchy

Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Reference:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/resource-tagging

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies

Correct Answer: C

Data must be available if a single Azure datacenter fails. It means the storage account must support ZRS replication.

Also, solution should support storage tiers.

Only General-purpose V2 supports ZRS and storage tiers.

Incorrect Answers:

A. Blob storage

ZRS is supported only in General-purpose V2 accounts.

B. Storage (general purpose v1)

General Purpose v1 (GPv1) accounts don't support tiering

Reference:

https://en.wikipedia.org/wiki/Central_Europe

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers#storage-accounts-that-support-tiering

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#types-of-storage-accounts

Correct Answer: B

Zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. Each availability zone is a separate physical location with independent power, cooling, and networking. ZRS offers durability for Azure Storage data objects of at least 99.9999999999% (12 9's) over a given year.

With ZRS, your data is still accessible for both read and write operations even if a zone becomes unavailable. If a zone becomes unavailable, Azure undertakes networking updates, such as DNS re-pointing.

Incorrect Answers:

A. Geo-redundant storage (GRS)

We can achieve the requirements with ZRS, that is cheaper as compared with GRS.

C. Locally-redundant storage (LRS)

Locally redundant storage (LRS) replicates your data three times within a single data center in the primary region.

D. Read-access geo-redundant storage (RA-GRS)

We can achieve the requirements with ZRS, that is cheaper as compared with RA-GRS.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#redundancy-in-the-primary-region