AZ-304 : Microsoft Azure Architect Design : Part 03

AZ-304 : Microsoft Azure Architect Design : Part 03

1. You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains two administrative user accounts named Admin1 and Admin2.

   You create two Azure virtual machines named VM1 and VM2.

   You need to ensure that Admin1 and Admin2 are notified when more than five events are added to the security log of VM1 or VM2 during a period of 120 seconds. The solution must minimize administrative tasks.

   What should you create?

   • two action groups and two alert rules
   • one action group and one alert rule
   • five action groups and one alert rule
   • two action groups and one alert rule

2. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

   You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

   You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

   Solution: Create an Access Review for Group1.

   Does this solution meet the goal?

   • Yes
   • No

   Explanation:

   Instead implement Azure AD Privileged Identity Management.

   Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.

3. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

   You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

   You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

   Solution: Implement Azure AD Identity Protection for Group1.

   Does this solution meet the goal?

   • Yes
   • No
   Explanation:

   Implement Azure AD Privileged Identity Management for everyone.

   Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.

4. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

   You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

   You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

   Solution: You implement an access package.

   Does this meet the goal?

   • Yes
   • No
   Explanation:

   Instead implement Azure AD Privileged Identity Management.

   Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.

5. HOTSPOT

   Your company has the divisions shown in the following table.

   

   You plan to deploy a custom application to each subscription. The application will contain the following:

   – A resource group
   – An Azure web app
   – Custom role assignments
   – An Azure Cosmos DB account

   You need to use Azure Blueprints to deploy the application to each subscription.

   What is the minimum number of objects required to deploy the application? To answer, select the appropriate options in the answer area.

   NOTE: Each correct selection is worth one point.

   

   

   Explanation:

   Box 1: 2
   One management group for East, and one for West.

   When creating a blueprint definition, you’ll define where the blueprint is saved. Blueprints can be saved to a management group or subscription that you have Contributor access to. If the location is a management group, the blueprint is available to assign to any child subscription of that management group.

   Box 2: 1
   One definition as the you plan to deploy a custom application to each subscription.

   With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved.

   Box 3: 4
   One assignment for each subscription.

6. You have an Azure Active Directory (Azure AD) tenant.

   You plan to deploy Azure Cosmos DB databases that will use the SQL API.

   You need to recommend a solution to provide specific Azure AD user accounts with read access to the Cosmos DB databases.

   What should you include in the recommendation?

   • shared access signatures (SAS) and conditional access policies
   • certificates and Azure Key Vault
   • a resource token and an Access control (IAM) role assignment
   • master keys and Azure Information Protection policies
   Explanation:

   The Access control (IAM) pane in the Azure portal is used to configure role-based access control on Azure Cosmos resources. The roles are applied to users, groups, service principals, and managed identities in Active Directory. You can use built-in roles or custom roles for individuals and groups. The following screenshot shows Active Directory integration (RBAC) using access control (IAM) in the Azure portal:

   

7. You deploy an Azure virtual machine that runs an ASP.NET application. The application will be accessed from the internet by the users at your company.

   You need to recommend a solution to ensure that the users are pre-authenticated by using their Azure Active Directory (Azure AD) account before they can connect to the ASP.NET application.

   What should you include in the recommendation?

   • a public Azure Load Balancer
   • Azure Application Gateway
   • Azure Traffic Manager
   • an Azure AD enterprise application
   Explanation:
   You can manage service principals in the Azure portal through the Enterprise Applications experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory.

8. HOTSPOT

   You have an Azure blueprint named BP1.

   The properties of BP1 are shown in the Properties exhibit. (Click the Properties tab.)

   

   The basic configuration of the blueprint is shown in the Basics exhibit. (Click the Basics tab.)

   

   The artifacts attached to BP1 are shown in the Artifacts exhibit. (Click the Artifacts tab.)

   

   For each of the following statements, select Yes if the statement is true. Otherwise, select No.

   NOTE: Each correct selection is worth one point.

   

   

   Explanation:

   Box 1: No
   BP1 is in draft mode.
   When a blueprint is first created, it’s considered to be in Draft mode. When it’s ready to be assigned, it needs to be Published.

   Box 2: No
   The BP1 artifacts include one Policy assignment and a Resource group, but no Role assignments.

   Note: Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

   Role Assignments
   Policy Assignments
   Azure Resource Manager templates (ARM templates)
   Resource Groups

   Box 3: Yes
   Yes, the BP1 artifacts include a Resource group.

9. Your company wants to use an Azure Active Directory (Azure AD) hybrid identity solution.

   You need to ensure that users can authenticate if the internet connection to the on-premises Active Directory is unavailable. The solution must minimize authentication prompts for the users.

   What should you include in the solution?

   • password hash synchronization and Azure AD Seamless Single Sign-On (Azure AD Seamless SSO)
   • pass-through authentication and Azure AD Seamless Single Sign-On (Azure AD Seamless SSO)
   • an Active Directory Federation Services (AD FS) server
   Explanation:

   With Password hash synchronization + Seamless SSO the authentication is in the cloud.

   Incorrect Answers:
   Pass-through Authentication and federation rely on on-premises infrastructure.

10. HOTSPOT

    You need to design an Azure policy that will implement the following functionality:

    – For new resources, assign tags and values that match the tags and values of the resource group to which the resources are deployed.
    – For existing resources, identify whether the tags and values match the tags and values of the resource group that contains the resources.
    – For any non-compliant resources, trigger auto-generated remediation tasks to create missing tags and values.

    The solution must use the principle of least privilege.

    What should you include in the design? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: Modify
    Modify is used to add, update, or remove properties or tags on a resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations.

    Incorrect Answers:
    – The following effects are deprecated: EnforceOPAConstraint, EnforceRegoPolicy

    – Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.

    Box 2: A managed identity with the Contributor role
    – Managed identity
    How remediation security works: When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a managed identity for each assignment, but must have details about what roles to grant the managed identity.

    – Contributor role
    The Contributor role grants the required access to apply tags to any entity.

11. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

    Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

    You need to enable single sign-on (SSO) for company users.

    Solution: Install and configure an Azure AD Connect server to use password hash synchronization and select the “Enable single sign-on” option.

    Does the solution meet the goal?

    • Yes
    • No
    Explanation:

    Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

    Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods.

12. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

    Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

    You need to enable single sign-on (SSO) for company users.

    Solution: Install and configure an Azure AD Connect server to use pass-through authentication and select the “Enable single sign-on” option.

    Does the solution meet the goal?

    • Yes
    • No
    Explanation:

    Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

    Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods.

13. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company has an on-premises Active Directory Domain Services (AD DS) domain and an established Azure Active Directory (Azure AD) environment.

    Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network.

    You need to enable single sign-on (SSO) for company users.

    Solution: Configure an AD DS server in an Azure virtual machine (VM). Configure bidirectional replication.

    Does the solution meet the goal?

    • Yes
    • No
    Explanation:
    Instead install and configure an Azure AD Connect server.

14. You are designing an Azure web app that will use Azure Active Directory (Azure AD) for authentication.

    You need to recommend a solution to provide users from multiple Azure AD tenants with access to App1. The solution must ensure that the users use Azure Multi-Factor Authentication (MFA) when they connect to App1.

    Which two types of objects should you include in the recommendation? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • Azure AD conditional access policies
    • Azure AD managed identities
    • an Identity Experience Framework policy
    • an Azure application security group
    • an Endpoint Manager app protection policy
    • Azure AD guest accounts
    Explanation:

    A: The Conditional Access feature in Azure Active Directory (Azure AD) offers one of several ways that you can use to secure your app and protect a service. Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including:
    – Multi-factor authentication
    – Allowing only Intune enrolled devices to access specific services
    – Restricting user locations and IP ranges

    Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
    – Service accounts and service principals.
    If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

    Incorrect Answers:
    B: Managed Identity does not support cross-directory scenarios.

    E: Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.

    Note: The correct options should be application registration with Azure, this will allow the authentication of users on the AD to access the application. A default application registration validates that the user has valid login credentials. This can be your Active Directory or in case of a multi-tenant application the directory where the user is originated from.

15. You need to create an Azure Storage account that uses a custom encryption key.

    What do you need to implement the encryption?

    • a certificate issued by an integrated certification authority (CA) and stored in Azure Key Vault
    • a managed identity that is configured to access the storage account
    • an Azure Active Directory Premium subscription
    • an Azure key vault in the same Azure region as the storage account
    Explanation:

    You can use your own encryption key to protect the data in your storage account. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data.

    You must use either Azure Key Vault or Azure Key Vault Managed Hardware Security Model (HSM) (preview) to store your customer-managed keys.

16. HOTSPOT

    You plan to create an Azure environment that will have a root management group and five child management groups. Each child management group will contain five Azure subscriptions. You plan to have between 10 and 30 resource groups in each subscription.

    You need to design a solution for the planned environment. The solution must meet the following requirements:

    – Prevent users who are assigned the Owner role for the subscriptions from deleting the resource groups from their respective subscription.
    – Ensure that you can update RBAC role assignments across all the subscriptions and resource groups.
    – Minimize administrative effort.

    What should you include in the solution? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: Azure Blueprints
    Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

    Role Assignments
    Policy Assignments
    Azure Resource Manager templates (ARM templates)
    Resource Groups

    Incorrect:
    A policy is a default allow and explicit deny system focused on resource properties during deployment and for already existing resources.

    Box 2: Resource locks at the subscription level
    To minimize administrative effort lock at the subscription level.

    Note: As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

17. Your company has the divisions shown in the following table.

    

    Sub1 contains an Azure web app that runs an ASP.NET application named App1. App1 uses the Microsoft identity platform (v2.0) to handle user authentication. Users from east.contoso.com can authenticate to App1.

    You need to recommend a solution to allow users from west.contoso.com to authenticate to App1.

    What should you recommend for the west.contoso.com Azure AD tenant?

    • a conditional access policy
    • pass-through authentication
    • guest accounts
    • an app registration
    Explanation:
    There are several components that make up the Microsoft identity platform:
    – OAuth 2.0 and OpenID Connect standard-compliant authentication service
    – Application management portal: A registration and configuration experience in the Azure portal, along with the other Azure management capabilities.
    You register an application using the App registrations experience in the Azure portal so that your app can be integrated with the Microsoft identity platform and call Microsoft Graph.

18. You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.

    You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements:

    The evaluation must be repeated automatically every three months.
    Every member must be able to report whether they need to be in Group1.
    Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
    Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.

    What should you include in the recommendation?

    • Change the Membership type of Group1 to Dynamic User.
    • Implement Azure AD Privileged Identity Management.
    • Implement Azure AD Identity Protection.
    • Create an access review.
    Explanation:

    In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users.

    When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed.

19. Your company purchases an app named App1.

    You need to recommend a solution to ensure that App1 can read and modify access reviews.

    What should you recommend?

    • From API Management services, publish the API of App1, and then delegate permissions to the Microsoft Graph API.
    • From the Azure Active Directory admin center, register App1. From the Access control (IAM) blade, delegate permissions.
    • From the Azure Active Directory admin center, register App1, and then delegate permissions to the Microsoft Graph API.
    • From API Management services, publish the API of App1. From the Access control (IAM) blade, delegate permissions.
    Explanation:

    The app must be registered. You can register the application in the Azure Active Directory admin center.

    The Azure AD access reviews feature has an API in the Microsoft Graph endpoint.
    You can register an Azure AD application and set it up for permissions to call the access reviews API in Graph.

20. You have 200 resource groups across 20 Azure subscriptions.

    Your company’s security policy states that the security administrator must verify all assignments of the Owner role for the subscriptions and resource groups once a month. All assignments that are not approved by the security administrator must be removed automatically. The security administrator must be prompted every month to perform the verification.

    What should you use to implement the security policy?

    • Identity Secure Score in Azure Security Center
    • Access reviews in Identity Governance
    • the user risk policy in Azure Active Directory (Azure AD) Identity Protection
    • role assignments in Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
    Explanation:
    Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User’s access can be reviewed on a regular basis to make sure only the right people have continued access.