

Microsoft AZ-500 Exam

Viewing Questions 111-120 out of 443 Questions

Question 111
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant that contains two users named User1 and User2 and a registered app named App1.
You create an app-specific role named Role1.
You need to assign Role1 to User1 and enable User2 to request access to App1.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
AZ-500_111Q.png related to the Microsoft AZ-500 Exam
Image AZ-500_111R.png related to the Microsoft AZ-500 Exam
Box 1: Roles and administrators
Here you will find Role1 and be able to assign User1 to the role.
Box 2: Self Service
Under Self Service, there is an option to "Allow users to request access to this application".

Question 112
You have an Azure subscription that contains the resources shown in the following table.
AZ-500_112Q_1.png related to the Microsoft AZ-500 Exam
You plan to deploy the virtual machines shown in the following table.
AZ-500_112Q_2.png related to the Microsoft AZ-500 Exam
You need to assign managed identities to the virtual machines. The solution must meet the following requirements:
- Assign each virtual machine the required roles.
- Use the principle of least privilege.
What is the minimum number of managed identities required?
A. 1
B. 2
C. 3
D. 4
We have two different sets of required permissions. VM1 and VM2 have the same permission requirements. VM3 and VM4 have the same permission requirements.
A user-assigned managed identity can be assigned to one or many resources. By using user-assigned managed identities, we can create just two managed identities: one with the permission requirements for VM1 and VM2 and the other with the permission requirements for VM3 and VM4.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Question 113
SIMULATION
You need to ensure that a user named user2-12345678 can manage the properties of the virtual machines in the RG1lod12345678 resource group. The solution must use the principle of least privilege.
To complete this task, sign in to the Azure portal.
1. Sign in to the Azure portal.
2. Browse to Resource Groups.
3. Select the RG1lod12345678 resource group.
4. Select Access control (IAM).
5. Select Add > role assignment.
6. Select Virtual Machine Contributor (you can filter the list of available roles by typing 'virtual' in the search box) then click Next.
7. Select the +Select members option and select user2-12345678 then click the Select button.
8. Click the Review + assign button twice.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current

Question 114
SIMULATION
You need to create a new Azure Active Directory (Azure AD) directory named 12345678.onmicrosoft.com. The new directory must contain a new user named [email protected].
To complete this task, sign in to the Azure portal.
The first step is to create the Azure Active Directory tenant.
1. Sign in to the Azure portal.
2. From the Azure portal menu, select Azure Active Directory.
3. On the overview page, select Manage tenants.
4. Select +Create.
5. On the Basics tab, select Azure Active Directory.
6. Select Next: Configuration to move on to the Configuration tab.
7. For Organization name, enter 12345678.
8. For the Initial domain name, enter 12345678.
9. Leave the Country/Region as the default.
The next step is to create the user.
1. From the Azure portal menu, select Azure Active Directory.
2. Select Users then select New user.
3. Enter User1 in the User name and Name fields.
4. Leave the default option of Auto-generate password.
5. Click the Create button.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory

Question 115
HOTSPOT
You have an Azure subscription that contains a resource group named RG1. RG1 contains a storage account named storage1.
You have two custom Azure roles named Role1 and Role2 that are scoped to RG1.
The permissions for Role1 are shown in the following JSON code.
AZ-500_115Q_1.jpg related to the Microsoft AZ-500 Exam
The permissions for Role2 are shown in the following JSON code.
AZ-500_115Q_2.jpg related to the Microsoft AZ-500 Exam
You assign the roles to the users shown in the following table.
AZ-500_115Q_3.png related to the Microsoft AZ-500 Exam
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
AZ-500_115Q_4.jpg related to the Microsoft AZ-500 Exam
Image AZ-500_115R.jpg related to the Microsoft AZ-500 Exam
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles


Question 116
You have an Azure subscription that contains a storage account named storage1 and two web apps named app1 and app2.
Both apps will write data to storage1.
You need to ensure that each app can read only the data that it has written.
What should you do?
A. Provide each app with a system-assigned identity and configure storage1 to use Azure AD User account authentication.
B. Provide each app with a separate Storage account key and configure the app to send the key with each request.
C. Provide each app with a user-managed identity and configure storage1 to use Azure AD User account authentication.
D. Provide each app with a unique Base64-encoded AES-256 encryption key and configure the app to send the key with each request.
A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities.
Incorrect:
Not A: A system-assigned identity is tied to your application and is deleted if your app is deleted. An app can only have one system-assigned identity.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity

Question 117
You have an Azure subscription that contains an Azure Files share named share1 and a user named User1. Identity-based authentication is configured for share1.
User1 attempts to access share1 from a Windows 10 device by using SMB.
Which type of token will Azure Files use to authorize the request?
A. OAuth 2.0
B. JSON Web Token (JWT)
C. SAML
D. Kerberos
Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS).
Supported scenarios and restrictions include:
Supports Kerberos authentication with AD with AES 256 encryption (recommended) and RC4-HMAC.
Note: Kerberos is an authentication protocol that is used to verify the identity of a user or host.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable

Question 118
DRAG DROP
You have an Azure subscription.
You plan to create two custom roles named Role1 and Role2.
The custom roles will be used to perform the following tasks:
• Members of Role1 will manage application security groups.
• Members of Role2 will manage Azure Bastion.
You need to add permissions to the custom roles.
Which resource provider should you use for each role? To answer, drag the appropriate resource providers to the correct roles. Each resource provider may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
AZ-500_118Q.png related to the Microsoft AZ-500 Exam
Image AZ-500_118R.png related to the Microsoft AZ-500 Exam

Question 119
You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant.
You plan to implement Azure Active Directory (Azure AD) Identity Protection.
You need to ensure that you can configure a user risk policy and a sign-in risk policy.
What should you do first?
A. Purchase Azure Active Directory Premium Plan 2 licenses for all users.
B. Register all users for Azure Multi-Factor Authentication (MFA).
C. Enable security defaults for Azure Active Directory.
D. Enable enhanced security features in Microsoft Defender for Cloud.

Question 120
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
AZ-500_120Q_1.png related to the Microsoft AZ-500 Exam
You perform the following tasks:
• Create a managed identity named Managed1.
• Create a Microsoft 365 group named Group1.
• Register an enterprise application named App1.
• Enable a system-assigned managed identity for VM1.
You need to identify which service principals were created and which identities can be assigned the Reader role for RG1.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
AZ-500_120Q_2.png related to the Microsoft AZ-500 Exam
Image AZ-500_120R.png related to the Microsoft AZ-500 Exam