AZ900 - Part II
Azure Fundamentals - Authentication & Authorization, Security
Question | Answer |
---|---|
Every Azure account will have an ____ for managing users and permissions. | Azure Active Directory (AAD) |
All resources within a ______ are billed together. | subscription |
A tenant is a dedicated instance of ______ that represents your organization in Azure. | AAD |
An AAD user can be a member or guest of up to ______ tenants. | 500 |
A _____ is a billing entity. All resources belong to a single _______. | subscription |
You can have multiple subscriptions within a ________ to separate costs. | tenant |
Defines a trust boundary for secure access. Corporate network is an example. | Trusted Perimeter |
List 2 challenges with the trusted perimeter model. | Users must be on the corporate network (or a VPN into it) to access resources. A rogue user or malware that is already inside the trusted perimeter can cause havoc. |
All users are assumed untrustworthy unless proven otherwise. Trust is based on identity, regardless of location, principle of least privilege applied. Offers simplified, centralized management. | Zero Trust |
Accessing M365 email, documents, and resources from anywhere based on identity rather than a VPN, centrally controlling access with conditional access policies, and allowing mobile access only from approved managed devices are examples of ____. | Zero Trust in action |
MFA is enabled in _____. | Azure AD |
Passwordless authentication removes the password requirement for user login and replaces it with ______, _______, and/or _____. | Something you have (phone/key fob); something you know (PIN); something you are (biometric) |
List the 3 passwordless authentication methods supported by Azure. | Microsoft Authenticator App Windows Hello FIDO2 Security Key |
Microsoft's MFA mobile app. Configured in Azure AD. Can authenticate in app with biometrics/pin. | Microsoft Authenticator App |
Passwordless authentication method: sign-in with facial recognition, fingerprint, or a device-bound PIN on Windows 10/11. | Windows Hello |
_________ Provides authentication protections beyond username/password, uses if/then policies to grant access and is often paired with MFA. | Conditional Access |
Enforcing MFA for all admins or all users, blocking sign-in with legacy authentication protocols, granting access only from specific locations, and requiring sign-in from organization-managed devices are all examples of ____. | Conditional Access scenarios |
Name two options for providing an external user access to an Azure organization. | Create a separate organization account for external user.(User maintains 2 accounts) Invite guest user to Azure tenant (Uses existing account, B2B collaboration) |
Name some of the IdPs supported when adding a guest user to an Azure organization. | Microsoft, Google, Facebook and others. |
Name the 3 steps needed to setup guest access. | Configure IdP (If non-Microsoft) Invite External Party After guest accepts invite, assign permissions (optionally: assign apps, apply conditional access policy) |
Describe a limitation related to migration of legacy apps to Azure AD. | Apps must support modern authentication protocols (OAuth 2.0 / OpenID Connect, SAML). Legacy apps that depend on Group Policy (GPO), LDAP, NTLM or Kerberos cannot authenticate against Azure AD directly. |
Legacy applications that don't support modern protocols such as OAuth 2.0 cannot be migrated to Azure AD as-is. Describe three possible solutions to this challenge. | 1. Keep on-prem AD and synchronize identities with Azure AD Connect 2. Run your own domain controller on an Azure VM (self-managed AD) 3. Implement Azure AD DS (AADDS), Azure's managed directory service |
Azure AD DS is a _______ meaning there is no need to configure or manage server OSes. Behind the scenes Azure provides ____ Windows domain controllers for HA. | managed service 2 |
True or False. Azure AD DS can be used to extend your on-prem domain/domain name into the Azure cloud. | False. Azure AD DS creates a standalone managed domain with its own (ideally unique) namespace; it is not an extension of the on-prem AD domain. |
Your organization wants to migrate legacy on-prem applications to the Azure cloud with a few requirements. Which service and options would you choose? - Must be a managed service - Will utilize users & groups from Azure AD | Azure AD DS with one-way sync from Azure AD |
This Azure service provides Single Sign-On capabilities to your applications in the Azure cloud. | Azure Active Directory Seamless Single Sign-On |
The first service created with every new Azure account. You can't use Azure without it! | AAD |
A single instance of AAD is called a/an _______. | tenant |
Billing entity that controls the cost of resources and services associated with it. | Subscription |
This Azure service offers a managed instance of Active Directory that integrates with classic features such as Kerberos, LDAP, NTLM and Group Policy, allows a one-way sync of users and groups from Azure AD, and requires a separate unique domain. | Azure Active Directory Domain Services (AADDS) |
This Azure service protects against DDoS attacks by detecting and deflecting them, with different tiers of protection depending on the service. There is no interruption to your service, and Azure mitigates the attack globally at the network edge. | Azure DDoS Protection |
A resource-level firewall that can be attached to a subnet or a network interface (not to a VNet itself). Determines who can reach the attached resources using prioritized inbound and outbound rules; the lowest priority number that matches wins. | Network Security Group (NSG) |
This construct focuses security on the application tier rather than individual IP addresses. You group VM network interfaces into logical application groups and reference those groups as sources/destinations in NSG rules instead of maintaining explicit IP lists. | Application Security Group (ASG) |
By default Azure managed PaaS services are reachable over the _________. | public internet (By default, traffic from VNET to PaaS will also traverse the public internet.) |
Your organization needs to limit/remove public access to all managed storage and database services. Name two possible Azure solutions to solve this challenge. | Service endpoints (good) Private endpoints (better) |
This service allows an organization to enable a direct connection from an Azure subnet to Azure PaaS services via Microsoft's private backbone. This option allows secure access from Azure VNets only; on-prem traffic still arrives via the public internet. | Service endpoints (provide access to the entire managed service, not a specific instance of a managed service) |
This service allows an org to enable a private connection to a specific instance of a managed service via a managed network interface on an Azure VNet. Also allows private connectivity from on-prem using VPN or ExpressRoute, and access from other VNets via peering. | Private endpoint |
Name the most important benefit of using private endpoints vs service endpoints. | With private endpoints you can completely disable public access/internet exposure to a connected service. |
Name the best service based on the following requirements: End users need access to a managed SQL database from home office, connected to on-prem network with VPN. Public access to SQL must be blocked. | Private endpoint |
This Azure service provides threat alerts, policy and compliance metrics, a secure score, integrates with on-prem and other cloud providers, and alerts for resources that aren't secure. | Microsoft Defender for Cloud (uses Azure Arc to onboard AWS/GCP servers; requires agent installation on VMs) |
Name the three step process to utilize Microsoft Defender for Cloud. | 1. Define Policies - Set of rules to evaluate a resource (use predefined or CYO) 2. Protect Resources - Actively protect through monitoring 3. Respond - Respond/Investigate all threats then go back to step 1 to define new policies for the alert. |
Microsoft Defender for Cloud helps to streamline the process for meeting regulatory compliance requirements using the _______. | Regulatory Compliance Dashboard |
This Defender for Cloud Dashboard helps you track your resources configuration in relation to security best practices (Resource Hygiene) | Recommendations |
You need multiple layers of defense for your infrastructure. Azure has physical, identity, perimeter, network, compute, gateways and firewalls, and data as protection layers. This is an example of ________. | Defense in depth |
This tool allows you to monitor security hygiene for VMs. Define policies to protect your resources better and respond to incidents. | Microsoft Defender for Cloud (formerly Azure Security Center) |
A centralized store for application secrets, keys and certificates. Applications and third parties are granted access to use them at runtime, so credentials are never embedded in code or revealed directly. | Azure Key Vault |
Share files and data inside and outside of Azure and still maintain control of that data. You can control who views, edits, prints and more. | Azure Information Protection |
Azure SIEM tool. Allows you to collect, aggregate, analyze, and present security issues automatically for you to take action. | Azure Sentinel (now Microsoft Sentinel) |
Your own dedicated Azure hardware to install Windows, Linux or SQL Server VMs on. Gives you control without losing cloud benefits like scaling, scale sets, fault isolation and AZs. | Azure Dedicated Hosts |
You secure and manage users of your organization. Monitor users' behavior, create a baseline of this behavior and report on any anomalies from it. | Microsoft Defender for Identity |
Describe the two steps to configure a conditional access policy. | Assign signals / conditions (users/groups, applications, location (IP), approved devices) Access decisions (grant/block access, prompt for MFA) |
The objective of _______ is to increase the convenience of logging into a system while still staying secure. | Passwordless Authentication |
With passwordless authentication the password requirement is replaced with _____, ______. | Something you have (phone/fob) Something you know/are (fingerprint/face/PIN) |
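The conditional access cards above (signals/conditions, then an access decision) are easier to reason about when the scenarios are traced through a small policy evaluator. The following is an added example, not Azure AD's policy engine: it models the documented shape of a policy (include/exclude users, apps, client app type, location, then a block or a set of grant controls) and runs the page's scenarios (MFA for admins, block legacy authentication, managed device outside the office) against constructed sign-in events. Every user, group, app, client type and IP range is sample data, and the "break-glass" exclusion is an assumption added to show why exclusions matter.

```python
"""Toy evaluator for Conditional Access style if/then policies (added example, not Azure AD code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed "named location": the corporate egress range.
TRUSTED_LOCATIONS = [ip_network("198.51.100.0/24")]
# Client app types that use legacy (non-modern) authentication, as in the CA "client apps" condition.
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients"}


@dataclass(frozen=True)
class SignIn:
    user: str
    memberships: frozenset   # group names and directory roles of the user
    app: str
    client_app: str          # "Browser", "Mobile apps and desktop clients" or a legacy client type
    ip: str
    device_compliant: bool   # device is managed and reports compliant
    mfa_done: bool           # user already satisfied MFA in this session


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset | str          # "All", or group/role names to include
    apps: frozenset | str           # "All", or app names
    controls: frozenset | str       # "Block", or the grant controls that must be satisfied
    exclude_users: frozenset = frozenset()
    client_apps: frozenset | None = None   # None = any client type
    untrusted_location_only: bool = False  # only applies from outside TRUSTED_LOCATIONS


def is_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_LOCATIONS)


def applies(p: Policy, s: SignIn) -> bool:
    """Step 1 (assignments/conditions): does this policy cover the sign-in at all?"""
    if s.user in p.exclude_users:
        return False  # exclusions always win, e.g. break-glass accounts
    if p.users != "All" and not (p.users & s.memberships):
        return False
    if p.apps != "All" and s.app not in p.apps:
        return False
    if p.client_apps is not None and s.client_app not in p.client_apps:
        return False
    if p.untrusted_location_only and is_trusted(s.ip):
        return False
    return True


def evaluate(policies, s: SignIn):
    """Step 2 (access decision): ("Block", [policy names]) or ("Grant", [controls still missing]).

    Any matching block policy wins outright; otherwise the grant controls of all
    matching policies are combined and the ones not yet satisfied are reported.
    An empty list means access is granted with no further prompt.
    """
    matched = [p for p in policies if applies(p, s)]
    blockers = [p.name for p in matched if p.controls == "Block"]
    if blockers:
        return "Block", blockers
    required = set()
    for p in matched:
        required |= p.controls
    satisfied = set()
    if s.mfa_done:
        satisfied.add("mfa")
    if s.device_compliant:
        satisfied.add("compliantDevice")
    return "Grant", sorted(required - satisfied)


BREAK_GLASS = frozenset({"breakglass@contoso.example"})  # assumed emergency-access account

POLICIES = [
    Policy("Require MFA for admins", frozenset({"Global Administrator"}), "All",
           frozenset({"mfa"}), exclude_users=BREAK_GLASS),
    Policy("Block legacy authentication", "All", "All", "Block",
           client_apps=frozenset(LEGACY_CLIENTS)),
    Policy("Require managed device outside the office", "All", frozenset({"Office 365"}),
           frozenset({"compliantDevice"}), exclude_users=BREAK_GLASS, untrusted_location_only=True),
]

# Constructed sign-in events.
ADMIN_IN_OFFICE = SignIn("alice@contoso.example", frozenset({"Global Administrator"}),
                         "Azure portal", "Browser", "198.51.100.10", False, False)
LEGACY_MAIL = SignIn("bob@contoso.example", frozenset({"Sales"}),
                     "Office 365", "Exchange ActiveSync", "198.51.100.11", True, True)
HOME_UNMANAGED = SignIn("carol@contoso.example", frozenset({"Sales"}),
                        "Office 365", "Browser", "203.0.113.7", False, True)
HOME_MANAGED = SignIn("carol@contoso.example", frozenset({"Sales"}),
                      "Office 365", "Browser", "203.0.113.7", True, True)
BREAK_GLASS_SIGNIN = SignIn("breakglass@contoso.example", frozenset({"Global Administrator"}),
                            "Office 365", "Browser", "203.0.113.9", False, False)

if __name__ == "__main__":
    for s in (ADMIN_IN_OFFICE, LEGACY_MAIL, HOME_UNMANAGED, HOME_MANAGED, BREAK_GLASS_SIGNIN):
        print(f"{s.user:28} {s.client_app:20} {s.ip:15} -> {evaluate(POLICIES, s)}")
```

Two things the flashcards do not spell out show up in the output: the legacy-auth block fires even though bob has already done MFA on a compliant device (a block control is never offset by grant controls), and the break-glass account is granted from an untrusted location with no MFA because it is excluded from both grant policies, which is exactly why such exclusions need their own monitoring.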
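The NSG and ASG cards describe rule-based filtering but not how Azure actually picks a rule. The following added example (not Azure's implementation) models the documented semantics: rules are evaluated in ascending priority, the first match wins, and Azure's default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit behind every custom rule. ASGs are modelled as named sets of NIC addresses, the VNet range, the service-tag approximations and all addresses are constructed sample data, and only the inbound direction is shown.

```python
"""Toy evaluator for Azure NSG inbound rules with ASG sources/destinations (added example, not Azure code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # assumed VNet address space
# Approximation of the "Internet" service tag: anything outside RFC 1918 space.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Application Security Groups: logical groups of NIC addresses (constructed).
ASGS = {
    "asg-web": {ip_address("10.0.1.4"), ip_address("10.0.1.5")},
    "asg-db": {ip_address("10.0.2.4")},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; 65000-65500 for Azure defaults
    access: str     # "Allow" | "Deny"
    protocol: str   # "Tcp" | "Udp" | "*"
    source: str     # CIDR, "*", service tag ("Internet", "VirtualNetwork") or ASG name
    dest: str
    ports: str      # "443", "22,3389", "1000-2000" or "*"


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str
    port: int


def _addr_match(selector: str, ip: str) -> bool:
    addr = ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":
        return not any(addr in net for net in PRIVATE_RANGES)
    if selector in ASGS:
        return addr in ASGS[selector]
    return addr in ip_network(selector)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.protocol in ("*", flow.protocol)
            and _addr_match(rule.source, flow.src)
            and _addr_match(rule.dest, flow.dst)
            and _port_match(rule.ports, flow.port))


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def evaluate(custom_rules, flow: Flow):
    """Return (access, rule name): the lowest priority number that matches decides the flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound matches everything, so this is unreachable")


CUSTOM_INBOUND = [
    Rule("allow-https-from-internet", 100, "Allow", "Tcp", "Internet", "asg-web", "443"),
    Rule("allow-web-to-sql", 120, "Allow", "Tcp", "asg-web", "asg-db", "1433"),
    Rule("deny-rdp-anywhere", 200, "Deny", "Tcp", "*", "*", "3389"),
    Rule("allow-rdp-from-vnet", 300, "Allow", "Tcp", "VirtualNetwork", "*", "3389"),  # shadowed by 200
]

if __name__ == "__main__":
    samples = [
        Flow("Tcp", "203.0.113.5", "10.0.1.4", 443),   # internet -> web tier, HTTPS
        Flow("Tcp", "203.0.113.5", "10.0.1.4", 22),    # internet -> web tier, SSH
        Flow("Tcp", "10.0.1.4", "10.0.2.4", 1433),     # web tier -> db tier, SQL
        Flow("Tcp", "10.0.1.4", "10.0.2.4", 3389),     # web tier -> db tier, RDP
        Flow("Tcp", "10.0.3.9", "10.0.2.4", 5432),     # some other VNet host -> db tier
    ]
    for f in samples:
        print(f"{f.src:>13} -> {f.dst}:{f.port:<5} {evaluate(CUSTOM_INBOUND, f)}")
```

Two results are worth noticing. The allow rule at priority 300 can never fire because the deny at 200 matches first, a common source of "my allow rule does nothing" tickets. And the last flow is allowed by the default AllowVnetInBound rule even though no custom rule mentions port 5432: without an explicit deny, every host in the VNet can reach the database tier, which is why an ASG-scoped deny (or a subnet-level NSG) is needed to actually segment tiers.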