AZ-900 : Microsoft Azure Fundamentals : Part 10
-
HOTSPOT
To complete the sentence, select the appropriate option in the answer area.
Explanation: You can configure a lock on a resource group to prevent the accidental deletion of the resource group. The lock applies to everyone, including global administrators. If you want to delete the resource group, the lock must be removed first.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
– CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
– ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
-
This question requires that you evaluate the underlined text to determine if it is correct.
Azure Germany can be used by legal residents of Germany only.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.
- no change is needed
- only enterprises that are registered in Germany
- only enterprises that purchase their Azure licenses from a partner based in Germany
- any user or enterprise that requires its data to reside in Germany
Explanation: Azure Germany is available to eligible customers and partners globally who intend to do business in the EU/EFTA, including the United Kingdom.
Azure Germany offers a separate instance of Microsoft Azure services from within German datacenters. The datacenters are in two locations, Frankfurt/Main and Magdeburg. This placement ensures that customer data remains in Germany and that the datacenters connect to each other through a private network. All customer data is exclusively stored in those datacenters. A designated German company–the German data trustee–controls access to customer data and the systems and infrastructure that hold customer data.
-
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD.
Box 2: Yes
As described above, third-party cloud services and on-premises Active Directory can be used to access Azure resources. This is known as ‘federation’.
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.
Box 3: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization service to provide secure access to Azure resources.
-
HOTSPOT
To complete the sentence, select the appropriate option in the answer area.
Explanation: The advanced monitoring capabilities in Security Center let you track and manage compliance and governance over time. The overall compliance view provides you with a measure of how compliant your subscriptions are with the policies associated with your workload.
-
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
- Azure Service Health
- Azure Knowledge Center
- Azure Security Center
- Azure Advisor
Explanation:
The advanced monitoring capabilities in Security Center let you track and manage compliance and governance over time. The overall compliance view provides you with a measure of how compliant your subscriptions are with the policies associated with your workload.
-
HOTSPOT
To complete the sentence, select the appropriate option in the answer area.
Explanation: Azure Information Protection is used to automatically add a watermark to Microsoft Word documents that contain credit card information.
You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable regardless of where the data is stored or with whom it’s shared. The labels can include visual markings such as a header, footer, or watermark.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. In this question, we would configure a label to be automatically applied to Microsoft Word documents that contain credit card information. The label would then add the watermark to the documents.
-
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Azure Active Directory (Azure AD) is a cloud-based service. It does not require domain controllers on virtual machines.
Box 2: Yes
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. This is the primary built-in authentication and authorization service to provide secure access to Azure resources and Microsoft 365.
Box 3: No
User accounts in Azure Active Directory can be assigned multiple licenses for different Azure or Microsoft 365 services.
-
Which two types of customers are eligible to use Azure Government to develop a cloud solution? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- a Canadian government contractor
- a European government contractor
- a United States government entity
- a United States government contractor
- a European government entity
Explanation: Azure Government is a cloud environment specifically built to meet the compliance and security requirements of the US government. This mission-critical cloud delivers breakthrough innovation to U.S. government customers and their partners. Azure Government applies to government at any level – from state and local governments to federal agencies, including Department of Defense agencies.
The key difference between Microsoft Azure and Microsoft Azure Government is that Azure Government is a sovereign cloud. It’s a physically separated instance of Azure, dedicated to U.S. government workloads only. It’s built exclusively for government agencies and their solution providers.
-
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
It is not true that you must deploy a federation solution or sync on-premises identities to the cloud. You can have a cloud-only environment and use MFA.
Box 2: No
Picture identification and passport numbers are not valid MFA authentication methods. Valid methods include: Password, Microsoft Authenticator App, SMS and Voice call.
Box 3:
You can configure MFA to be required for administrator accounts only, or you can configure MFA for any user account.
-
You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet by using an anonymous IP address, the users are prompted automatically to change their password.
Which Azure service should you use?
- Azure AD Connect Health
- Azure AD Privileged Identity Management
- Azure Advanced Threat Protection (ATP)
- Azure AD Identity Protection
Explanation: Azure AD Identity Protection includes two risk policies: sign-in risk policy and user risk policy. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.
There are several types of risk detection. One of them is Anonymous IP Address. This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent.
You can configure the sign-in risk policy to require that users change their password.
-
DRAG DROP
Match the term to the correct definition.
Instructions: To answer, drag the appropriate term from the column on the left to its description on the right. Each term may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Explanation:
Box 1: ISO
ISO is the International Organization for Standardization. Companies can be certified to ISO standards; for example, ISO 9001 and ISO 27001 are commonly used in IT companies.
Box 2: NIST
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce.
Box 3: GDPR
GDPR is the General Data Protection Regulation. This standard was adopted across Europe in May 2018 and replaces the now deprecated Data Protection Directive.
The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Box 4: Azure Government
US government agencies or their partners interested in cloud services that meet government security and compliance requirements can be confident that Microsoft Azure Government provides world-class security, protection, and compliance services. Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located in the U.S. only).
-
To what should an application connect to retrieve security tokens?
- an Azure Storage account
- Azure Active Directory (Azure AD)
- a certificate store
- an Azure key vault
Explanation: Key Vault is designed to store configuration secrets for server apps.
Incorrect Answers:
A: An Azure Storage account is used to store data. It is not used to store secrets for applications.
B: Azure Active Directory (Azure AD) is a centralized identity provider in the cloud that authenticates users and provides access tokens to them. It is not used for applications.
-
Your network contains an Active Directory forest. The forest contains 5,000 user accounts.
Your company plans to migrate all network resources to Azure and to decommission the on-premises data center.
You need to recommend a solution to minimize the impact on users after the planned migration.
What should you recommend?
- Implement Azure Multi-Factor Authentication (MFA)
- Sync all the Active Directory user accounts to Azure Active Directory (Azure AD)
- Instruct all users to change their password
- Create a guest user account in Azure Active Directory (Azure AD) for each user
Explanation:
To migrate to Azure and decommission the on-premises data center, you would need to create the 5,000 user accounts in Azure Active Directory. The easy way to do this is to sync all the Active Directory user accounts to Azure Active Directory (Azure AD). You can even sync their passwords to further minimize the impact on users.
The tool you would use to sync the accounts is Azure AD Connect. The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD.
-
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
You can send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.
All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs (including Azure AD activity logs). Activity logs record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it’s consuming.
Box 2: Yes
Azure Monitor can consolidate log entries from multiple Azure resources, subscriptions, and tenants into one location for analysis together.
Box 3: Yes
You can create alerts in Azure Monitor.
Alerts in Azure Monitor proactively notify you of critical conditions and potentially attempt to take corrective action. Alert rules based on metrics provide near real time alerting based on numeric values, while rules based on logs allow for complex logic across data from multiple sources.
-
HOTSPOT
You create a resource group named RG1 in Azure Resource Manager.
You need to prevent the accidental deletion of the resources in RG1.
Which setting should you use? To answer, select the appropriate setting in the answer area.
Explanation: You can configure a lock on a resource group to prevent the accidental deletion.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
– CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
– ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
-
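The lock behaviour described in this explanation (and in the earlier resource-group lock question) can be applied and verified with the Az PowerShell module. The following is an added example and not part of the original exam material or of any Microsoft documentation; it assumes `Connect-AzAccount` has already been run, that a resource group named RG1 exists, and that the lock name `NoDelete` is an arbitrary value chosen here.

```powershell
# Added example (not from the original page): apply a CanNotDelete ("Delete") lock to
# resource group RG1 with the Az PowerShell module, verify it, and show how it is removed.
# Assumes Connect-AzAccount has been run and RG1 exists; "NoDelete" is an assumed lock name.
$rgName   = "RG1"
$lockName = "NoDelete"

# CanNotDelete: authorized users can still read and modify resources in RG1, but cannot
# delete them or the group. The lock applies to every principal, global administrators included.
# Use -LockLevel ReadOnly instead to also block updates (effectively Reader permissions).
New-AzResourceLock -LockName $lockName `
                   -LockLevel CanNotDelete `
                   -ResourceGroupName $rgName `
                   -LockNotes "Prevents accidental deletion of RG1 and the resources it contains" `
                   -Force

# Verify: list the locks that now apply at the RG1 scope (the lock level is in .Properties).
Get-AzResourceLock -ResourceGroupName $rgName

# Any delete attempt on RG1 or its resources now fails until the lock is removed.
# Removing the lock is a deliberate, separate step, which is the safeguard the question is about:
# Remove-AzResourceLock -LockName $lockName -ResourceGroupName $rgName -Force
```

Note that the lock does not change role assignments: a user with Owner or Contributor rights keeps those permissions, yet still cannot delete until someone with Microsoft.Authorization/locks/* permission removes the lock first.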
You have a resource group named RG1.
You need to prevent the creation of virtual machines in RG1. The solution must ensure that other objects can be created in RG1.
What should you use?
- a lock
- an Azure role
- a tag
- an Azure policy
Explanation: Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
In this question, we would create an Azure policy assigned to the resource group that denies the creation of virtual machines in the resource group.
You could place a read-only lock on the resource group. However, that would prevent the creation of any resources in the resource group, not virtual machines only. Therefore, an Azure Policy is a better solution.
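The policy that this explanation describes, a deny-effect rule on the virtual machine resource type assigned only at the RG1 scope, can be created with the Az PowerShell module as follows. This is an added example, not code from the original page or from Microsoft; it assumes `Connect-AzAccount` has been run and RG1 exists, and the definition and assignment names (`deny-vm-creation`, `deny-vm-creation-rg1`) are values chosen for the example.

```powershell
# Added example (not from the original page): define an Azure Policy that denies creation of
# virtual machines and assign it to resource group RG1 only, using the Az PowerShell module.
# Assumes Connect-AzAccount has been run and RG1 exists; policy/assignment names are assumed.
$rg = Get-AzResourceGroup -Name "RG1"

# Policy rule: match any resource of type Microsoft.Compute/virtualMachines and deny it.
# Other resource types (storage accounts, virtual networks, ...) are unaffected, which is
# the difference from a ReadOnly lock that would block every create in the group.
$rule = @'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Compute/virtualMachines"
  },
  "then": {
    "effect": "deny"
  }
}
'@

$definition = New-AzPolicyDefinition -Name "deny-vm-creation" `
    -DisplayName "Deny creation of virtual machines" `
    -Description "Blocks new Microsoft.Compute/virtualMachines resources at the assigned scope" `
    -Policy $rule `
    -Mode All

# Scope the assignment to RG1 only; deployments of VMs into RG1 are rejected at
# deployment time, while other resource groups in the subscription are untouched.
New-AzPolicyAssignment -Name "deny-vm-creation-rg1" `
    -DisplayName "Deny VM creation in RG1" `
    -PolicyDefinition $definition `
    -Scope $rg.ResourceId

# Check: list the policy assignments that apply at the RG1 scope.
Get-AzPolicyAssignment -Scope $rg.ResourceId
```

The deny effect is evaluated by Azure Resource Manager before the resource is created, so the request fails with a policy violation rather than leaving a non-compliant VM behind; existing VMs in RG1 are reported as non-compliant but are not removed.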
-
You have an Azure subscription and 100 Windows 10 devices.
You need to ensure that only users whose devices have the latest security patches installed can access Azure Active Directory (Azure AD)-integrated applications.
What should you implement?
- a conditional access policy
- Azure Bastion
- Azure Firewall
- Azure Policy
-
What can Azure Information Protection encrypt?
- network traffic
- documents and email messages
- an Azure Storage account
- an Azure SQL database
Explanation: Azure Information Protection can encrypt documents and emails.
Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.
The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory.
This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location – inside or outside your organization, networks, file servers, and applications.
-
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements?
- the Knowledge Center website
- the Advisor blade from the Azure portal
- Compliance Manager from the Service Trust Portal
- the Solutions blade from the Azure portal
Explanation:
Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool that helps you track, assign, and verify your organization’s regulatory compliance activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and Azure.
-
HOTSPOT
To complete the sentence, select the appropriate option in the answer area.