Azure Management & Security Scenarios

Questions and Answers

Does the solution of using Active Directory Sites and Services to force replication of the Global Catalog meet the goal of replicating user information to Azure AD?

• Yes
• No (correct)

What is the best method to associate each virtual machine in RG1 with its respective department?

• Modify the settings of the virtual machines
• Create Azure Management Groups for each department
• Create a resource group for each department
• Assign tags to the virtual machines (correct)

Does accessing the multi-factor authentication page to alter user settings satisfy the requirement for implementing a conditional access policy for Global Administrators?

• No (correct)
• Yes

What would be an appropriate next step after accessing the Azure portal for modifying the session control of the Azure AD conditional access policy?

Implement network location requirements (C)

What is the primary purpose of assigning tags to virtual machines in an Azure resource group?

To easily identify and sort resources by department (C)

What aspect did the solution lack when aiming to require Multi-Factor Authentication for Global Administrators from untrusted locations?

Restricting access based on location (C)

What is the outcome of modifying the Azure AD conditional access policy if only the session control is altered?

Requirements for device compliance are ignored (C)

Which of the following actions is directly required to implement an Azure AD conditional access policy?

Enable MFA and configure device compliance (A)

What is required for members of the Global Administrators group when connecting from untrusted locations?

An Azure AD-joined device and Multi-Factor Authentication (B)

Which cmdlet should you use to create a virtual machine that includes a specific trusted root CA?

The Create-AzVM cmdlet (B)

What configuration is necessary for ensuring Multi-Factor Authentication for new employees in Azure AD?

Enable Multi-Factor Authentication for all Azure AD users (A)

Which parameter is used with az vm create command to add cloud-init.txt file?

--custom-data (B)

When using the grant control in Azure AD conditional access policy, what is the consequence of changing it?

It potentially restricts access to authorized devices only (B)

What should be the primary consideration when configuring Multi-Factor Authentication for all employees?

Consistent policy application across all users (C)

What is a characteristic of the Per Authentication usage model in Multi-Factor Authentication?

It requires MFA for every sign-in session (C)

Which aspect of setting up the Azure AD conditional access policy is crucial for compliance?

The use of specific locations for access requests (A)

What is the best method to associate virtual machines with their respective departments in a resource group?

Assign tags to the virtual machines. (A)

If you want to ensure members of the Global Administrators group use Multi-Factor Authentication from untrusted locations, what is insufficient to meet this requirement?

Accessing the multi-factor authentication page to alter user settings. (D)

Which solution will not meet the goal of requiring Azure AD members to use an Azure AD-joined device when accessing from untrusted locations?

Accessing the MFA user settings directly. (D)

Can the existing usage model be reconfigured directly through the Azure portal?

No, you need to create a new usage model instead. (B)

Which action should be taken to enhance security for Azure Active Directory users in untrusted locations?

Require MFA and device compliance on the conditional access policy. (B)

What setting must be changed to enable the new employees to use Multi-Factor Authentication?

Per Enabled User setting must be set. (A)

What is a crucial step that has to be part of a conditional access policy for Global Administrators accessing Azure AD from untrusted locations?

Require an Azure AD-joined device for authentication. (A)

What is the immediate action needed after acquiring a new business to incorporate its employees into Azure Active Directory?

Create a new usage model and reactivate the server with new credentials. (B)

Which of the following is not a feature of Azure AD conditional access policies?

Enabling single sign-on for all applications. (D)

Which approach will not enable the new staff to use Multi-Factor Authentication?

Using the Azure CLI to modify the existing usage model. (B)

When implementing security policies for Azure resources, which strategy is effective for organizing resources by department?

Creating tags for resource identification. (C)

What does the current model prevent regarding existing service providers?

It does not permit changing the usage model for an existing provider. (B)

What is the primary purpose of accessing the Azure portal to modify session control in conditional access policy?

To establish requirements for MFA in access scenarios. (D)

How should the existing server be reactivated after creating a new usage model?

Using the activation credentials from the new provider. (A)

What is the main implication of configuring a usage model as 'Per Authentication'?

It requires every user to be enabled for Multi-Factor Authentication. (C)

What action reflects best practice for integrating acquired staff into existing Azure systems?

Implementing a new usage model specific to the acquired employees. (D)

What must be enabled for new employees in Azure Active Directory to use Multi-Factor Authentication?

Per Enabled User setting (D)

What action is necessary when the existing Multi-Factor Authentication provider cannot have its usage model changed?

Create a new Multi-Factor Authentication provider (A)

Which PowerShell cmdlet is used to immediately replicate user information from on-premises Active Directory to Azure AD?

Start-ADSyncSyncCycle -PolicyType Initial (D)

What is the main function of the DirSync server in a hybrid Azure AD configuration?

Synchronize user accounts from on-premises to Azure AD (B)

Which component cannot be modified after a Multi-Factor Authentication provider is created?

Usage model (C)

In a hybrid coexistence scenario, what must happen after creating a new user account in on-premises Active Directory?

Run a sync cycle to transfer the user information (D)

What happens if the activation credentials are not set up correctly for a new Multi-Factor Authentication provider?

The new provider cannot be activated (D)

After performing an initial synchronization, what is the expectation regarding Azure AD and on-premises Active Directory?

They will share user account information (C)

Flashcards are hidden until you start studying

Study Notes

Azure Management & Security Scenarios

• Managing Multiple Departments and VMs:
  • Within a company, various departments and VMs need organization.
  • Assign tags to VMs to associate them with specific departments.

Azure Active Directory Conditional Access Policies

• Global Administrator MFA and Device Requirements:
  • Require Multi-Factor Authentication (MFA) and Azure AD-joined devices for Global Administrators.
  • Implement from untrusted locations to enforce security measures.
  • Important: Modifying the session control within the Azure portal does not achieve this goal.

Multi-Factor Authentication (MFA) and Usage Models

• Changing Usage Models:
  • Azure MFA usage models are not easily changed.
  • Creating a new MFA provider with a backup of the existing data is needed to switch models.

Azure AD Connect & Hybrid Coexistence

• Hybrid Coexistence and the Azure Portal:
  • Replicate user information from on-premises Active Directory to Azure AD.
  • Run Start-ADSyncSyncCycle -PolicyType Initial to force immediate replication.