SC-900 Practice Test 5
Question 1 of 62
1. Question
Can you use SSPR (self-service password reset) with Microsoft authenticator?
Yes. Although the SSPR authentication-method list has no entry named Microsoft Authenticator, the "Mobile app code" and "Mobile app notification" methods refer to the Authenticator app.
First, your admin enables one or both of the mobile app authentication methods for SSPR.
Then, when you navigate to https://aka.ms/mfasetup to set up your account for SSPR/MFA, you see the option to use Microsoft Authenticator.
Option Yes is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#mobile-app-and-sspr
Note: For this scenario, I enabled combined registration experience for both MFA and SSPR in Azure AD. This allows me to register for authentication methods just once and get the benefits of both MFA and SSPR. More details on the below link.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined
Question 2 of 62
2. Question
This question requires you to select the correct answer from the dropdown.
For Azure VMs, who is responsible for applying patches as per the shared responsibility model?
Azure VM is an IaaS service hosted in Microsoft Azure. Under the shared responsibility model, Microsoft is responsible for the physical layer (hosts, network hardware and the datacenter), but the cloud customer owns the guest operating system and everything inside it, including applying patches.
Option Customer is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/3-describe-shared-responsibility-model#infrastructure-as-a-service-iaas
See also the Azure security best practice on patching VMs, which states that customers are responsible for patching their own VMs.
Question 3 of 62
3. Question
Which of the following is an example of encryption at rest?
Encryption at rest protects data that is persisted to storage: disks, databases, backups, and files on a hard drive, laptop or flash drive. The data is encrypted while it sits on the storage medium and decrypted only when an authorized party reads it.
Data on an Azure virtual machine's disk is stored data, so encrypting the disk (for example with Azure Disk Encryption or server-side encryption of managed disks) is encryption at rest.
Option Encrypting an Azure VM's disk is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest#encryption-at-rest-for-iaas-customers
Encryption in transit protects data while it moves over a network from one system to another, typically with TLS or IPsec.
An RDP session carries data between a client and a remote machine over the network. Option Sign into an Azure VM by using RDP is incorrect.
Reference Link: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview#rdp-sessions
A VPN connection carries a remote worker's traffic to corporate resources through an encrypted tunnel. Option Using VPN to access your corporate resources is incorrect.
Reference Link: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview#azure-vpn-encryption
HTTPS protects data travelling between a cloud customer and the data center.
Option Using HTTPS to access cloud services is incorrect.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/6-describe-ways-encryption-hashing-signing-secure-data (general, for all scenarios)
Question 4 of 62
4. Question
In which of the following scenarios are Azure Active Directory security defaults recommended to use?
Security defaults are a set of preconfigured identity security settings that Microsoft manages on your behalf (for example, requiring all users to register for MFA and blocking legacy authentication protocols) until you are ready to manage those controls yourself.
They are best suited for small and midsize organizations that are not ready to manage complex security requirements. So, option Organizations that do not know how to approach security is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/2-describe-different-authentication-methods#security-defaults-and-multifactor-authentication
The option Organizations with Azure AD premium licenses is incorrect: security defaults are available in the free Azure AD tier, and organizations that hold Azure AD Premium licenses should implement Conditional Access instead.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/2-describe-different-authentication-methods#security-defaults-and-multifactor-authentication
Security defaults and Conditional Access overlap in what they do; both can require multifactor authentication. Conditional Access, however, lets you apply more granular and advanced controls. For example, with Conditional Access you can:
· Require MFA only when specific signals (such as sign-in risk or location) warrant it.
· Exclude specific users, such as emergency-access accounts.
· Allow access only from compliant devices.
Enterprise organizations generally have these advanced requirements and are better served by Conditional Access.
Option Organizations with complex security requirements is incorrect because such organizations would use Conditional Access, not security defaults.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#conditional-access
Option Organizations using Conditional Access policies is incorrect because security defaults are a precursor to Conditional Access.
Organizations should first take advantage of the out-of-the-box settings provided by security defaults. As their requirements become more complex, they can manage their own policies with Conditional Access.
Moreover, Conditional Access and security defaults are mutually exclusive: while security defaults are enabled you cannot create a Conditional Access policy, and you must disable security defaults before you enable Conditional Access.
Question 5 of 62
5. Question
Where can you track the protection status of your organization’s identities, devices, and data in the Microsoft 365 Security Center?
The Reports section of Microsoft 365 Security Center displays cards that summarize the protection status of identities, data, and devices.
Option Reports is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-management-capabilities-of-microsoft-365/4-explore-security-reports-dashboards
In the Incidents section, you find the entities (users, mailboxes, and devices) affected by the correlated alerts of an incident. Option Incidents is an incorrect choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-management-capabilities-of-microsoft-365/5-describe-incidents-capabilities
In the Action center, you approve or reject pending remediation actions. Option Action center is an incorrect choice.
Question 6 of 62
6. Question
Where can you enable Azure Defender in the Azure portal?
Microsoft offers a layered approach to security.
· A base layer: Azure Security Center alone (free, basic level of protection)
· An advanced layer: Azure Security Center with Azure Defender (paid, advanced protection with features like just-in-time VM access, adaptive application controls, vulnerability assessment, etc.)
Reference Link: https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-security-center-azure/ba-p/2155188
You enable and access Azure Defender from within Azure Security Center; the Azure Defender dashboard appears there only after you upgrade to the paid tier.
Option Security Center is the correct choice.
Question 7 of 62
7. Question
In Microsoft 365 Defender, you can proactively find threats across devices, emails, apps, and identities with hunting.
Is the statement correct?
This is a slightly tricky question.
Hunting and Advanced hunting are two features with similar capabilities, in Azure Sentinel and Microsoft 365 Defender respectively.
In Azure Sentinel, Hunting proactively hunts for threats across your organization’s data sources.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-capabilities-of-azure-sentinel/3-describe-sentinel-provide-integrated-threat-protection#hunting
In Microsoft 365 Defender, the feature is called Advanced hunting, not Hunting; it proactively searches for malware, suspicious files and other threats across your devices, emails, and cloud apps using Kusto (KQL) queries.
So, the correct answer is No.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
Question 8 of 62
8. Question
Your organization has developed a Single-page application for your employees. When you register the app with the Microsoft identity platform, a managed identity is automatically created.
Is the last statement TRUE?
When you register your app under ‘App registrations,’ in Azure AD, two objects are created:
· An application object (template/definition of your app); similar to a class in Java/C#
· A service principal object (instance of your app); similar to an object in Java/C#
Reference Link: https://docs.microsoft.com/en-us/answers/questions/270680/app-registration-vs-enterprise-applications.html
You can find the application object (with application ID) within the ‘App registrations’ section itself.
And the instance of the app (the service principal with an object ID) in the ‘Enterprise applications’ section.
So, the given statement is incorrect. When you register an app, a service principal is automatically created, not a managed identity.
The correct answer choice is No.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals (Refer to the paragraph with the title ‘App registration, app objects, and service principals’)
Note: The purpose and the reason why two objects are created in two different places is beyond the scope of this question/exam.
But, if you are inquisitive, John Savill has an awesome video on this topic: https://www.youtube.com/watch?v=WVNvoiA_ktw
And this MS docs link: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
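The application-object/service-principal split above is easiest to see in the objects Microsoft Graph returns. The following is an added example (not code from the practice test or from Microsoft) that joins constructed samples of the `/applications` and `/servicePrincipals` collections on `appId`; every object id, appId and display name in it is made up. It also shows where a managed identity actually lives: it is a service principal of type `ManagedIdentity` that Azure creates for a resource, with no application object behind it.

```python
"""Added example: app registration (application object) vs. its service
principal vs. a managed identity, using hand-built Graph-shaped samples.
All GUIDs and names below are constructed for this example."""
from __future__ import annotations

from typing import Iterable

# Constructed sample of GET https://graph.microsoft.com/v1.0/applications
# (what the "App registrations" blade lists).
APPLICATIONS = [
    {
        "id": "a0000000-0000-4000-8000-000000000001",      # object id of the application object
        "appId": "11111111-1111-4111-8111-111111111111",   # client id, shared with its service principal
        "displayName": "Payroll SPA",
        "signInAudience": "AzureADMyOrg",
    },
    {
        "id": "a0000000-0000-4000-8000-000000000002",
        "appId": "22222222-2222-4222-8222-222222222222",
        "displayName": "Contoso Reporting (not yet consented)",
        "signInAudience": "AzureADMultipleOrgs",
    },
]

# Constructed sample of GET https://graph.microsoft.com/v1.0/servicePrincipals
# (what the "Enterprise applications" blade lists, plus managed identities).
SERVICE_PRINCIPALS = [
    {
        "id": "b0000000-0000-4000-8000-000000000001",      # object id of the SP; differs from the app object id
        "appId": "11111111-1111-4111-8111-111111111111",
        "displayName": "Payroll SPA",
        "servicePrincipalType": "Application",
    },
    {
        "id": "b0000000-0000-4000-8000-000000000003",
        "appId": "33333333-3333-4333-8333-333333333333",
        "displayName": "vm-web-01",                        # system-assigned managed identity of a VM
        "servicePrincipalType": "ManagedIdentity",
    },
]


def _by_app_id(objects: Iterable[dict]) -> dict[str, dict]:
    return {o["appId"]: o for o in objects}


def pair_registrations(apps: list[dict], sps: list[dict]) -> dict[str, dict]:
    """Join application objects to their service principal on appId.

    Returns {appId: {"application": app, "servicePrincipal": sp_or_None}}.
    A None service principal means the app is registered here but has no
    instance in this tenant yet (a multi-tenant app nobody has consented to,
    or one whose enterprise application was deleted).
    """
    sp_index = _by_app_id(sps)
    return {
        app["appId"]: {"application": app, "servicePrincipal": sp_index.get(app["appId"])}
        for app in apps
    }


def registrations_without_instance(apps: list[dict], sps: list[dict]) -> list[str]:
    """Display names of app registrations that have no service principal in this tenant."""
    return [
        entry["application"]["displayName"]
        for entry in pair_registrations(apps, sps).values()
        if entry["servicePrincipal"] is None
    ]


def managed_identities(apps: list[dict], sps: list[dict]) -> list[str]:
    """Display names of managed identities: ManagedIdentity-type service
    principals with no application object, which is why registering an app
    never produces one."""
    app_index = _by_app_id(apps)
    return [
        sp["displayName"]
        for sp in sps
        if sp.get("servicePrincipalType") == "ManagedIdentity" and sp["appId"] not in app_index
    ]


def assignee_object_id(apps: list[dict], sps: list[dict], app_id: str) -> str | None:
    """The id to use when granting the app a role (e.g. az role assignment
    create --assignee-object-id ...): the service principal's object id, not
    the application object's id and not the appId. Mixing these up is a common
    cause of role assignments that grant nothing."""
    sp = _by_app_id(sps).get(app_id)
    return sp["id"] if sp else None


if __name__ == "__main__":
    for app_id, pair in pair_registrations(APPLICATIONS, SERVICE_PRINCIPALS).items():
        sp = pair["servicePrincipal"]
        print(app_id, "app object:", pair["application"]["id"], "service principal:", sp["id"] if sp else None)
    print("no instance in tenant:", registrations_without_instance(APPLICATIONS, SERVICE_PRINCIPALS))
    print("managed identities:", managed_identities(APPLICATIONS, SERVICE_PRINCIPALS))
```

The same join works on real data by replacing the two lists with the `value` arrays returned by the two Graph calls; the point to remember is that the application object and the service principal share an `appId` but have different object ids, and that a managed identity appears only in the second list.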
Question 9 of 62
9. Question
Can you implement Conditional Access policies to grant access only to the hybrid Azure AD joined devices?
A hybrid Azure AD joined machine is joined to both on-premises Active Directory and Azure AD.
Yes. You can create Conditional Access policies to grant access only to the hybrid Azure AD joined devices.
Note: As I create this question, ‘Device state’ is in preview and should not be tested in the exam. But no harm in learning.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-state-preview
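Both the Conditional Access capabilities listed under question 4 (require MFA, exclude specific users, allow only compliant devices) and the hybrid-joined-device requirement in question 9 come down to the same policy object. The following is an added example, not code from the practice test or from Microsoft, that builds policy bodies in the shape the Microsoft Graph v1.0 `conditionalAccessPolicy` resource expects (the body you would POST to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`) and lints them for the two mistakes that lock administrators out: targeting all users without excluding the emergency-access accounts, and enforcing a new policy before reviewing it in report-only mode. The break-glass object ids are made up. One caveat the example encodes: Graph applies a single `operator` across every entry in `builtInControls`, so "MFA AND (compliant device OR hybrid joined device)" cannot be one policy; it is expressed as two.

```python
"""Added example: Conditional Access policy bodies for Microsoft Graph,
plus a lint pass for lock-out mistakes. Object ids are constructed."""
from __future__ import annotations

import json

# Constructed object ids of the tenant's emergency-access ("break-glass") accounts.
BREAK_GLASS_ACCOUNTS = [
    "c0000000-0000-4000-8000-0000000000aa",
    "c0000000-0000-4000-8000-0000000000bb",
]

# Built-in grant controls used on the page; "domainJoinedDevice" is Graph's
# name for "require hybrid Azure AD joined device".
KNOWN_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice", "block"}
KNOWN_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}
REPORT_ONLY = "enabledForReportingButNotEnforced"


def build_policy(display_name: str, controls: list[str], operator: str = "OR",
                 exclude_users: list[str] = BREAK_GLASS_ACCOUNTS,
                 state: str = REPORT_ONLY) -> dict:
    """Policy covering all users on all cloud apps with the given grant controls.

    One operator applies across every control, so a requirement such as
    "MFA AND (compliant OR hybrid joined)" must be split into two policies.
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


def mfa_for_everyone() -> dict:
    """Roughly what security defaults enforce, expressed as a Conditional Access policy."""
    return build_policy("CA001 - Require MFA for all users", ["mfa"])


def hybrid_joined_devices_only() -> dict:
    """Grant access only from hybrid Azure AD joined devices (the question 9 scenario)."""
    return build_policy("CA002 - Require hybrid Azure AD joined device", ["domainJoinedDevice"])


def compliant_or_hybrid_joined() -> dict:
    """Accept either an Intune-compliant device or a hybrid joined one."""
    return build_policy("CA003 - Require compliant or hybrid joined device",
                        ["compliantDevice", "domainJoinedDevice"], operator="OR")


def lint_policy(policy: dict, break_glass: list[str] = BREAK_GLASS_ACCOUNTS) -> list[str]:
    """Return human-readable findings; an empty list means the policy is safe to roll out."""
    findings: list[str] = []
    grant = policy["grantControls"]
    users = policy["conditions"]["users"]
    unknown = set(grant["builtInControls"]) - KNOWN_CONTROLS
    if unknown:
        findings.append(f"unknown grant control(s): {sorted(unknown)}")
    if "block" in grant["builtInControls"] and len(grant["builtInControls"]) > 1:
        findings.append("'block' cannot be combined with other grant controls")
    if grant["operator"] not in {"AND", "OR"}:
        findings.append(f"invalid operator {grant['operator']!r}")
    if policy["state"] not in KNOWN_STATES:
        findings.append(f"invalid state {policy['state']!r}")
    if "All" in users["includeUsers"]:
        missing = [u for u in break_glass if u not in users["excludeUsers"]]
        if missing:
            findings.append(f"targets all users but does not exclude break-glass accounts {missing}")
    if policy["state"] == "enabled":
        findings.append(f"enforced immediately; create it in report-only mode ({REPORT_ONLY}) "
                        "and review the sign-in logs before enabling")
    return findings


def request_body(policy: dict) -> str:
    """JSON body to POST to /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for p in (mfa_for_everyone(), hybrid_joined_devices_only(), compliant_or_hybrid_joined()):
        print(p["displayName"], "->", lint_policy(p) or "ok")
    print(request_body(hybrid_joined_devices_only()))
```

Run the module to see the three policy bodies and their lint results; `lint_policy` on a policy built with `exclude_users=[]` and `state="enabled"` returns both lock-out findings, which is exactly the configuration to avoid when moving off security defaults.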
Question 10 of 62
10. Question
Can you use an external email address (for example Gmail) to reset your password with Azure AD SSPR?
Yes. You can use an external email address to reset your password with Azure AD SSPR (self-service password reset).
After the administrator enables SSPR for you in the Azure AD tenant, the next time you sign in to a cloud service, you need to register for SSPR by providing information on the alternate email address (if the email method is enabled).
Below, I have entered an external email address (Gmail) as an authentication email for SSPR. Whenever I forget a password or when my account is locked out, I can use this email to reset my password. SSPR doesn’t complain that I entered an external email address.
Below is the screenshot of when I am trying to recover my password with SSPR (note the registered external email address).
From the above explanations, it is clear that you can use an external email address to reset your password with Azure AD SSPR.
Option Yes is the correct answer.
This question is based on practical experience. There isn’t a reference link I could find to this scenario.
Question 11 of 62
11. Question
Which of the following determines the level of access within an application?
Correct
All four options are the fundamental pillars of identity.
Authentication verifies that the user is who they say they are: the system challenges the user for legitimate credentials before providing access. Azure AD technologies that implement authentication include MFA and Windows Hello. Authentication does not control access to specific parts of an app.
Authentication is an incorrect choice.
Azure AD handles the authorization of access to secured resources through Role-based access control (RBAC). With RBAC, you can assign permissions to a user/group. These permissions define what they can/cannot do (they determine the level of access).
In the below image, the Reader role has permission only to read the Azure AD Metrics Definition; it cannot create, update, or delete the Metrics Definition.
Authorization is the correct choice.
Although both Administration & Auditing are two of the four pillars of identity, they do not determine access. Both are incorrect choices.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-identity-principles-concepts/3-define-identity-primary-security-perimeter
Question 12 of 62
12. Question
Which of the following implements Azure Security Benchmark’s security recommendations on an individual Azure service?
Correct
A security control is a high-level description of a feature; it is not specific to a technology or implementation. For example, the Network security control protects virtual networks and prevents external attacks.
Option Security control is incorrect.
Reference Link: https://docs.microsoft.com/en-us/security/benchmark/azure/overview
A security benchmark contains security recommendations grouped by the security control. They target a specific technology.
For example, a recommendation could be that you implement security for Azure virtual network traffic with NSG rules and Azure Firewall.
Option Security benchmark is incorrect.
Reference Link: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic (NS-1: Implement security for internal traffic is a security recommendation)
A security baseline is the implementation of the benchmark recommendations on individual Azure services.
For example, in the Microsoft documentation, there are security baselines for different Azure services.
Which of the following defense in depth layer implements the Availability concern of the CIA principle?
Correct
CIA stands for Confidentiality, Integrity, and Availability. They represent security trade-offs in keeping your systems secure.
Defense in depth is a layered approach to security. Each of the defense in depth layers implements one or more of the CIA concerns.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/2-defense-in-depth#defense-in-depth-a-layered-approach-to-security
The Perimeter layer implements the Availability concern of the CIA principle. By providing DDoS protection, it ensures that the services are available to users. Option Perimeter is the correct answer.
The Physical security layer implements the Confidentiality principle because it grants access only to authorized personnel. Option Physical security is incorrect.
The Identity & Access layer implements the Integrity principle because it grants access only after verifying that the user is who they claim to be. Option Identity & access is incorrect too.
The Data layer implements the Integrity principle because data encryption at rest/in transit prevents unauthorized changes to the information. Option Data is an incorrect choice.
Question 14 of 62
14. Question
Just 10% of the users in your organization use personal iOS devices. Can you protect them with Microsoft Defender for Endpoint?
Correct
Yes. Besides iOS, Microsoft Defender for Endpoint can also protect Android, Windows 10, Windows Server, Linux, and macOS devices.
Reference Link: Microsoft Defender for Endpoint on iOS | Microsoft Docs
Question 15 of 62
15. Question
Where can you manage your organization’s devices with Microsoft Intune?
Correct
Microsoft has combined the following two products into Microsoft Endpoint Manager:
· (SCCM) System Center Configuration Manager (for managing desktop devices)
· Intune (for managing mobile devices)
Reference Link: Microsoft combines Intune with ConfigMgr | Computerworld
So, in the Microsoft Endpoint Manager admin center, you can manage all devices with Intune. Microsoft Endpoint Manager admin center is the correct answer.
In the admin center, go to Endpoint security -> All devices. Here you’ll see all your devices registered in Azure AD.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-endpoint-security-with-microsoft-intune/3-intune#role-based-access-control-with-microsoft-intune
In Microsoft 365 admin center, you can manage users/licenses/passwords, etc. but not devices. Option Microsoft 365 admin center is incorrect.
In Microsoft 365 security center, you monitor and respond to security threats. It is incorrect too.
There is nothing like the Intune admin center. Option Intune admin center is incorrect.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/security/defender/portals?view=o365-worldwide
Question 16 of 62
16. Question
Which of the following are the features of SSPR (self-service password reset)?
a. Password change
b. Password reset
c. Account unlock
d. Password write-back
Correct
The features of SSPR are:
· Password change (when you know the password and need to update it)
· Password reset (when you forgot the password)
· Unlock the account
· Password write-back to the on-premises directory (so you can access on-premises applications with the updated password)
All four choices are features of SSPR.
The option All four options is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/5-describe-self-service-password-reset
Question 17 of 62
17. Question
Which of the following is NOT a Zero Trust guiding principle?
The human resources organization want to ensure that stored employee data is encrypted. Which security mechanism would they use?
Correct
Encryption at rest: The Encryption at Rest designs in Azure use symmetric encryption to encrypt and decrypt large amounts of data quickly according to a simple conceptual model:
A symmetric encryption key is used to encrypt data as it is written to storage.
The same encryption key is used to decrypt that data as it is readied for use in memory.
Data may be partitioned, and different keys may be used for each partition.
Keys must be stored in a secure location with identity-based access control and audit policies. Data encryption keys are often encrypted with a key encryption key in Azure Key Vault to further limit access.
Encryption in transit: protects your data if communications are intercepted while data moves between your site and the cloud provider or between two services.
Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
Question 20 of 62
20. Question
Which of the following measures might an organization implement as part of the defense in-depth security methodology?
Correct
Question 21 of 62
21. Question
A compliance admin is looking for regulatory information relevant to a specific region. Which link will provide the needed information?
Correct
[Correct] From the Service Trust Portal there are links to different sites containing compliance and regulatory documentation.
[Incorrect] Compliance Manager – measures your progress in completing actions that help reduce risks around data protection and regulatory standards. To find out more, see the Microsoft Compliance Manager documentation in the Learn More section below.
[Incorrect] Trust Documents – links to security implementation and design information.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-microsoft-security-compliance-principles/3-describe-offerings-of-service-trust-portal
Question 22 of 62
22. Question
Among the 4 pillars of identity, which pillar tells the story of how much assurance for a particular identity is enough?
Correct
Correct Answer:
Authentication. The authentication pillar tells the story of how much assurance for a particular identity is enough. In other words, how much does an IT system need to know about an identity to have sufficient proof that they really are who they say they are? It involves the act of challenging a party for legitimate credentials. Authentication is sometimes shortened to AuthN.
Incorrect Answers:
Administration. Administration is about the creation and management of identities for users, devices, and services. As an administrator, you manage how and under what circumstances the characteristics of identities can change (be created, updated, deleted).
Authorization. The authorization pillar is about processing the incoming identity data to determine the level of access an authenticated person or service has within the application or service that it wants to access. Authorization is sometimes shortened to AuthZ.
Auditing. The auditing pillar is about tracking who does what, when, where, and how. Auditing includes having in-depth reporting, alerts, and governance of identities.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-identity-principles-concepts/3-define-identity-primary-security-perimeter
Question 23 of 62
23. Question
T/F: With federation, trust is always bidirectional.
How many editions of Azure Active Directory (AAD) are available?
Correct
Azure Active Directory (AAD) offers four main editions:
Free: Included with any Microsoft 365 subscription, this edition provides basic identity and access management features for up to 50,000 users.
Microsoft Entra ID P1 (formerly Azure AD Premium P1): This edition offers additional features such as self-service password reset, multi-factor authentication, and single sign-on across cloud and on-premises applications.
Microsoft Entra ID P2 (formerly Azure AD Premium P2): This edition includes all the features of P1, plus advanced identity protection, privileged identity management, and self-service access management for end users.
Microsoft Entra External ID: Designed for external users such as partners, customers, and guests, this edition provides secure access to your applications and data.
Therefore, the answer is 4.
Question 25 of 62
25. Question
An organization is launching a new app for its customers. Customers will use a sign-in screen that is customized with the organization’s brand identity. Which type of Azure External identity solution should the organization use?
Correct
[Correct] Azure AD B2C is an authentication solution for customers that you can customize with your brand identity.
There are two different Azure AD External Identities: B2B and B2C.
B2B collaboration allows you to share your apps and resources with external users.
B2C is an identity management solution for consumer and customer facing apps.
With the hybrid model, users accessing both on-premises and cloud apps are hybrid users managed in the on-premises Active Directory.
Reference: https://docs.microsoft.com/en-us/learn/modules/explore-basic-services-identity-types/5-describe-external-identities
Question 26 of 62
26. Question
True/False: “A system-assigned managed identity can be associated with more than one Azure resource.”
Correct
FALSE
A system-assigned managed identity is exclusively tied to a single Azure resource, whereas a user-assigned managed identity can be associated with more than one Azure resource.
A company’s IT organization has been asked to find ways to reduce IT costs, without compromising security. Which feature should they consider implementing?
Correct
Self-service password reset (SSPR) is a feature of Azure AD that allows users to change or reset their password, without administrator or help desk involvement.
If a user’s account is locked or they forget the password, they can follow a prompt to reset it and get back to work. Self-service password reset has several benefits:
It increases security, as help desks add an extra security layer.
It saves the organization money by reducing the number of calls and requests to help desk staff.
It increases productivity, allowing the user to return to work faster.
Incorrect answers
FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
Biometric sign-in is secure, but it's not remote and involves higher cost.
Reference: https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/5-describe-self-service-password-reset
Question 28 of 62
28. Question
IT admins have been asked to review Azure AD roles assigned to users, to improve organizational security. Which of the following should they implement?
Your IT organization recently discovered that several user accounts in the finance department have been compromised. The CTO has asked for a solution to reduce the impact of compromised user accounts. The IT admin team is looking into Azure AD features. Which one should they recommend?
Correct
Correct. Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis.
Incorrect. Entitlement management is an Azure tool that automates access to the applications and data needed for someone to be productive in a particular project or role.
Incorrect. Conditional Access grants users access based on predefined rules and is not appropriate in this context.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-identity-protection-governance-capabilities/5-describe-azure
Question 30 of 62
30. Question
A company wants to make use of Windows Hello for Business when it comes to authentication. Which of the following authentication techniques are available in Windows Hello for Business?
You are planning to make use of Azure Bastion service. Can you use the Azure Bastion service to restrict traffic from the Internet onto an Azure Virtual Machine?
Correct
Yes, you can use Azure Bastion service to restrict traffic from the Internet onto an Azure Virtual Machine.
Azure Bastion provides a secure, browser-based SSH and RDP experience directly in the Azure portal, eliminating the need to open inbound public-facing ports on your virtual machines. This helps to enhance security by reducing the attack surface exposed to the internet.
Your company is planning on using Azure Active Directory. They already have user identities stored in their on-premise Active Directory. They want to sync the user identities from the on-premise Active Directory onto Azure Active Directory. Which of the following could be used?
Correct
Azure AD Connect : Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.
Password hash synchronization – A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD.
Pass-through authentication – A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
Federation integration – Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
Synchronization – Responsible for creating users, groups, and other objects, as well as making sure the identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.
Health Monitoring – Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect#:~:text=Azure%20AD%20Connect%20is%20the,AD%20password%20with%20Azure%20AD.&text=This%20synchronization%20also%20includes%20password%20hashes.
Incorrect answers:
Azure Blueprints : Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. https://docs.microsoft.com/en-us/azure/governance/blueprints/overview#:~:text=Just%20as%20a%20blueprint%20allows,standards%2C%20patterns%2C%20and%20requirements.
Azure Privileged Identity Management : Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
Require approval to activate privileged roles
Enforce multi-factor authentication to activate any role
Use justification to understand why users activate
Get notifications when privileged roles are activated
Conduct access reviews to ensure users still need roles
Download audit history for internal or external audit https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Azure Identity Protection : Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
Question 34 of 62
34. Question
The security admin wants to increase the priority of a network security group, what five sources of information will the admin need to provide?
An organization is using Azure and wants to improve their security best practices. Which Azure specific benchmark would the IT security team need to consider?
Correct
Correct. The Azure Security Benchmark provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.
Incorrect:
CIS is a forward-thinking nonprofit that harnesses the power of a global IT community to safeguard public and private organizations against cyber threats.
Cybersecurity Solutions Group enables customers to unlock the security capabilities of the intelligent cloud and next-generation AI.
Reference: https://docs.microsoft.com/en-us/security/benchmark/azure/
Question 36 of 62
36. Question
As the lead admin, it’s important to convince your team to start using Azure Sentinel. You’ve put together a presentation. What are the four security operation areas of Azure Sentinel that cover this area?
Which of the following can be used to provide just-in-time access to resources?
Correct
Azure AD Identity Protection : Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
– Provide just-in-time privileged access to Azure AD and Azure resources
– Assign time-bound access to resources using start and end dates
– Require approval to activate privileged roles
– Enforce multi-factor authentication to activate any role
– Use justification to understand why users activate
– Get notifications when privileged roles are activated
– Conduct access reviews to ensure users still need roles
– Download audit history for internal or external audit
Incorrect answers:
Azure AD Identity Protection : Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis.
Azure Multi-Factor Authentication : Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
Azure Blueprints : Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.
Question 38 of 62
38. Question
Which of the following provides “Network Address Translation”?
Correct
Key features of Azure Firewall
Azure Firewall comes with many features, including but not limited to:
Built-in high availability and availability zones: High availability is built in so there’s nothing to configure. Also, Azure Firewall can be configured to span multiple availability zones for increased availability.
Network and application level filtering: Use IP address, port, and protocol to support fully qualified domain name filtering for outbound HTTP(s) traffic and network filtering controls.
Outbound SNAT and inbound DNAT to communicate with internet resources: Translates the private IP address of network resources to an Azure public IP address (source network address translation) to identify and allow traffic originating from the virtual network to internet destinations. Similarly, inbound internet traffic to the firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses of resources on the virtual network.
Multiple public IP addresses: These addresses can be associated with Azure Firewall.
Threat intelligence: Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains.
Integration with Azure Monitor: Integrated with Azure Monitor to enable collecting, analyzing, and acting on telemetry from Azure Firewall logs.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/4-describe-what-azure-firewall
Incorrect answers:
Azure Bastion : Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal using Transport Layer Security (TLS). When you connect via Azure Bastion, your virtual machines don’t need a public IP address, agent, or special client software. https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/5-describe-what-azure-bastion
Network Security Group : Each rule specifies one or more of the following properties:
Name: Every NSG rule needs to have a unique name that describes its purpose. For example, AdminAccessOnlyFilter.
Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers. When traffic matches a rule, processing stops. This means that any other rules with a lower priority (higher numbers) won’t be processed.
Source or destination: Specify either individual IP address or an IP address range, service tag (a group of IP address prefixes from a given Azure service), or application security group. Specifying a range, a service tag, or application security group, enables you to create fewer security rules.
Protocol: What network protocol will the rule check? The protocol can be any of: TCP, UDP, ICMP or Any.
Direction: Whether the rule should be applied to inbound or outbound traffic.
Port range: You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. You can’t specify multiple ports or port ranges in the same security rule in NSGs created through the classic deployment model.
Action: Finally, you need to decide what will happen when this rule is triggered. https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/2-describe-azure-network-security-groups
Azure DDoS protection – The Azure DDoS Protection service is designed to help protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack. https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/3-describe-azure-ddos-protection
Incorrect
Key features of Azure Firewall
Azure Firewall comes with many features, including but not limited to:
Built-in high availability and availability zones: High availability is built in so there’s nothing to configure. Also, Azure Firewall can be configured to span multiple availability zones for increased availability.
Network and application level filtering: Use IP address, port, and protocol to support fully qualified domain name filtering for outbound HTTP(s) traffic and network filtering controls.
Outbound SNAT and inbound DNAT to communicate with internet resources: Translates the private IP address of network resources to an Azure public IP address (source network address translation) to identify and allow traffic originating from the virtual network to internet destinations. Similarly, inbound internet traffic to the firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses of resources on the virtual network.
Multiple public IP addresses: These addresses can be associated with Azure Firewall.
Threat intelligence: Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains.
Integration with Azure Monitor: Integrated with Azure Monitor to enable collecting, analyzing, and acting on telemetry from Azure Firewall logs.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/4-describe-what-azure-firewall
Incorrect answers:
Azure Bastion : Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal using Transport Layer Security (TLS). When you connect via Azure Bastion, your virtual machines don’t need a public IP address, agent, or special client software. https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/5-describe-what-azure-bastion
Network Security Group -Each rule specifies one or more of the following properties:
Name: Every NSG rule needs to have a unique name that describes its purpose. For example, AdminAccessOnlyFilter.
Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers. When traffic matches a rule, processing stops. This means that any other rules with a lower priority (higher numbers) won’t be processed.
Source or destination: Specify either individual IP address or an IP address range, service tag (a group of IP address prefixes from a given Azure service), or application security group. Specifying a range, a service tag, or application security group, enables you to create fewer security rules.
Protocol: What network protocol will the rule check? The protocol can be any of: TCP, UDP, ICMP or Any.
Direction: Whether the rule should be applied to inbound or outbound traffic.
Port range: You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. You can’t specify multiple ports or port ranges in the same security rule in NSGs created through the classic deployment model.
Action: Finally, you need to decide what will happen when this rule is triggered. https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/2-describe-azure-network-security-groups
Azure DDoS protection – The Azure DDoS Protection service is designed to help protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack. https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/3-describe-azure-ddos-protection
Question 39 of 62
39. Question
Which of the following provides XDR (Extended Detection and Response) capabilities that help protect multi-cloud and hybrid workloads?
Correct
Azure Defender: Azure Defender is a built-in tool that provides threat protection for workloads running in Azure, on-premises, and other clouds. Azure Defender is the leading Microsoft extended detection and response (XDR) solution for threat protection. Integrated with Azure Security Center, Azure Defender protects your hybrid data, cloud-native services and servers, and integrates with your existing security workflows. https://docs.microsoft.com/en-us/learn/modules/describe-security-management-capabilities-of-azure/5-describe-benefit-use-cases-defender
Incorrect answers:
Azure Policy – Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. https://docs.microsoft.com/en-us/azure/governance/policy/overview
Azure Blueprints – Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they’re building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery. https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
Azure Identity Protection – Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
Question 40 of 62
40. Question
Can Microsoft Defender for Endpoint be used for a Windows Server 2016-based Azure virtual machine?
Correct
Microsoft Defender for Endpoint, formerly Microsoft Defender Advanced Threat Protection, is a platform designed to help enterprise networks protect endpoints. It does so by preventing, detecting, investigating, and responding to advanced threats. Microsoft Defender for Endpoint embeds technology built into Windows 10 and Microsoft cloud services.
Can Azure Bastion be used to restrict traffic from the Internet onto an Azure Virtual machine?
Correct
Protection against port scanning: Because you do not need to expose your virtual machines to public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
Reference: https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
Question 43 of 62
43. Question
Azure Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in ___________________?
Correct
Azure Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. There are two ways to pay for the Azure Sentinel service: Capacity Reservations and Pay-As-You-Go.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-security-capabilities-of-azure-sentinel/4-understand-sentinel-costs
Question 44 of 62
44. Question
Which of the following are examples of Microsoft trust principles?
Correct
The six privacy principles are:
Control: Putting you, the customer, in control of your privacy with easy-to-use tools and clear choices.
Transparency: Being transparent about data collection and use so that everyone can make informed decisions.
Security: Protecting the data that’s entrusted to Microsoft by using strong security and encryption.
Strong legal protections: Respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right.
No content-based targeting: Not using email, chat, files, or other personal content to target advertising.
Benefits to you: When Microsoft does collect data, it’s used to benefit you, the customer, and to make your experiences better.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-microsoft-security-compliance-principles/2-describe-microsofts-privacy-principles
Question 45 of 62
45. Question
Which of the following Azure Active Directory license types provides the ability to perform self-service password reset for both cloud and on-premises users?
Correct
Office 365 Apps. The Office 365 Apps edition allows you to do everything included in the free version, plus self-service password reset for cloud users, and device write-back, which offers two-way synchronization between on-premises directories and Azure AD. The Office 365 Apps edition of Azure Active Directory is included in subscriptions to Office 365 E1, E3, E5, F1, and F3.
Azure Active Directory Premium P1. The Premium P1 edition includes all the features in the free and Office 365 apps editions. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Reference: https://docs.microsoft.com/en-us/learn/modules/explore-basic-services-identity-types/3-describe-available-editions
Question 46 of 62
46. Question
A lead admin for an organization is looking to protect against malicious threats posed by email messages, links (URLs), and collaboration tools. Which solution from the Microsoft 365 Defender suite is best suited for this purpose?
Correct
Correct. Microsoft Defender for Office 365 safeguards against malicious threats posed by email messages, links (URLs), and collaboration tools, including Microsoft Teams, SharePoint Online, OneDrive for Business, and other Office clients.
Incorrect. Microsoft Defender for Endpoint is a platform designed to help enterprise networks protect endpoints by preventing, detecting, investigating, and responding to advanced threats.
Incorrect. Microsoft Defender for Identity is a cloud-based security solution that uses on-premises Active Directory data to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at an organization.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-threat-protection-with-microsoft-365-defender/4-describe-defender-office
Question 47 of 62
47. Question
Which of the following describes what an admin would need to select to view security cards grouped by risk, detection trends, configuration, and health, among others?
Your new colleagues on the admin team are unfamiliar with the concept of shared controls in Compliance Manager. How would the concept of shared controls be explained?
Correct
Controls
A control is a requirement of a regulation, standard, or policy. It defines how to assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.
Compliance Manager tracks the following types of controls:
Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing.
Your controls: sometimes referred to as customer-managed controls, these are implemented and managed by the organization.
Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-compliance-management-capabilities-microsoft/4-manager
Question 49 of 62
49. Question
Which part of the concept of know your data, protect your data, and prevent data loss addresses the need for organizations to automatically retain, delete, store data and records in a compliant manner?
Correct
Know your data: This component helps address the need for organizations to understand their data landscape and identify important data across on-premises, cloud, and hybrid environments. It does not cover retention; govern your data is the component that addresses the need to automatically retain, delete, and store data and records in a compliant manner.
Prevent data loss: This component helps address the need for organizations to detect risky behavior and prevent accidental oversharing of sensitive information. It does not cover retention either; govern your data is the component that addresses the need to automatically retain, delete, and store data and records in a compliant manner.
Govern your data: Capabilities like retention policies, retention labels, and records management enable organizations to govern their data.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/2-know-your-data-protect-your-data-govern-your-data
Question 50 of 62
50. Question
Due to a certain regulation, your organization must now keep hold of all documents in a specific SharePoint site that contains customer information for five years.
How can this requirement be implemented?
Which tool can enable an organization’s development team to rapidly provision and run new resources, in a repeatable way that is in line with the organization’s compliance requirements?
Correct
You can’t use Azure Policy or Rapid build to provision resources. Instead, use Azure Blueprints.
Azure Blueprints enables your development teams to define a repeatable set of Azure resources and to achieve shorter development times and faster delivery.
Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure Blueprints enable development teams to rapidly provision and run new environments, with the knowledge that they’re in line with the organization’s compliance requirements. Teams can also provision Azure resources across several subscriptions simultaneously, meaning they can achieve shorter development times and quicker delivery.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/3-describe-use-azure-blueprints
Question 52 of 62
52. Question
A hold has been placed on content relevant to a case. The hold has not taken effect yet, what has happened?
To comply with corporate policies, the compliance admin needs to be able to identify and scan for offensive language across the organization.
What solution can the admin implement to address this need?
Correct
Correct. Communication compliance in Microsoft 365 compliance center helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages. Predefined and custom policies in communication compliance make it possible to scan internal and external communications for policy matches so they can be examined by chosen reviewers.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-insider-risk-capabilities-microsoft-365/3-describe-communication-compliance
Question 54 of 62
54. Question
Select Yes/No
If a user uses incorrect credentials, it will not be flagged by Identity Protection, since there is no risk of credential compromise unless a bad actor uses the correct credentials.
Select Yes/No
Can Azure Policy service be used to check the compliance of existing resources?
Correct
Resources are evaluated at specific times during the resource lifecycle, the policy assignment lifecycle, and for regular ongoing compliance evaluation. The following are the times or events that cause a resource to be evaluated:
– A resource is created, updated, or deleted in a scope with a policy assignment.
– A policy or initiative is newly assigned to a scope.
– A policy or initiative already assigned to a scope is updated.
– During the standard compliance evaluation cycle, which occurs once every 24 hours.
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/overview
Question 57 of 62
57. Question
In the following situation, who is responsible for ensuring security and compliance?
“Operating system for a Platform as a Service (PaaS) application”
Correct
The responsibility rests with Microsoft as shown in the below:
Which of the following requires the least management by the cloud customer?
Correct
Software as a Service (SaaS)
SaaS is hosted and managed by the cloud provider, for the customer. It’s usually licensed through a monthly or annual subscription. Microsoft 365, Skype, and Dynamics CRM Online are all examples of SaaS software. SaaS requires the least amount of management by the cloud customer. The cloud provider is responsible for managing everything except data, devices, accounts, and identities.
Reference: https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/3-describe-shared-responsibility-model
Question 59 of 62
59. Question
_______ attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users.
An organization has deployed Microsoft 365 applications to all employees. Who is responsible for the security of the personal data relating to these employees?
Question 61 of 62
61. Question
The security perimeter can no longer be viewed as the on-premises network. It now extends to?