Exam (elaborations)

AZ-104 Study Guide With Practice Exam Questions And Answers.

Pages
131
Grade
A+
Uploaded on
13-08-2024
Written in
2024/2025

Identity Protection (AAD) - correct answer Detect potential vulnerabilities affecting your organization's identities, configure policies to respond to suspicious actions, and then take appropriate action to resolve them.

Managed Identities for Azure resources (AAD) - correct answer Provides your Azure services with an automatically managed identity in Azure AD that can authenticate any Azure AD-supported auth service, including Key Vault.

Azure Key Vault - correct answer Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A Vault is a logical group of secrets.

Ways to Authenticate Azure Key Vault - correct answer

1. Using managed identities for Azure Resources (best practice).

2. Using Service Principal & Certificate - onus of rotating the cert is on the application owner or developer and is not recommended.

3. Using Service Principal & Secret (should not be used as it is difficult to auto rotate the bootstrap secret used to authenticate Key Vault).

Privileged Identity Management (PIM) (AAD) - correct answer Manage, control, and monitor access within your organization. Feature includes access to resources in Azure AD, Azure Resources, and other Microsoft Online Services like O365 or Intune.

Reports & Monitoring (AAD) - correct answer Gain insights into the security and usage patterns in your environment.

Key concepts to understand with Azure AD - correct answer Identity, Account, Azure AD Account, Azure subscription, Azure tenant/directory

What is Identity? - correct answer An object that can get authenticated. Can be a user with a username and password or other items like servers that require authentication through secret keys or certificates.

What is Account? - correct answer An identity that has data associated with it.

What is an Azure AD Account? - correct answer An identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Sometimes called a work or school account.

What is an Azure tenant/directory? - correct answer A dedicated and trusted instance of Azure AD. It is automatically created when your organization signs up for a Microsoft cloud service subscription.

What are the four editions of Azure Active Directory? - correct answer Free, Microsoft 365 Apps, Premium P1 and Premium P2

What features are in Azure Active Directory Free? - correct answer Provides user and group management, on-premises directory synchronization, basic reports, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps, limited to 500,000 directory objects.

What features are in Azure Active Directory Microsoft 365 Apps? - correct answer This edition is included with O365. In addition to the free features, this edition provides identity and access management for Microsoft 365 apps including branding, MFA, group access management, and self-service password reset for cloud users.

What features are in Azure Active Directory Premium P1? - correct answer In addition to the free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

What features are in Azure Active Directory Premium P2? - correct answer In addition to the free and P1 features, P2 also offers Azure Active Directory identity protection to help provide risk-based conditional access to your apps and critical company data. Privileged Identity Management is included to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

What is Azure AD Join? - correct answer It's designed to provide access to organizational apps and resources and to simplify Windows deployments of work-owned devices. Single Sign On (SSO), Enterprise compliant roaming, Access to Microsoft store for business, Windows Hello, Restriction of Access, Seamless access to on-premises resources.

How do you connect to Azure AD join? - correct answer To get a device under the control of Azure AD, you have two options. Registering a device to Azure AD enables you to manage a device's identity. Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use the identity to enable or disable a device. Joining a device is an extension to registering a device. Joining provides the benefits of registering and changes the local state of a device. Changing the local state enables your users to sign in to a device using an organizational work or school account instead of a personal account.

Configure Self-Service Password Reset - correct answer From your Azure AD tenant, on the Azure portal under Azure Active Directory (Users), select Password Reset. You can set it to None, Selected, or All. Selected allows specific groups who have self-service password reset enabled. Authentication methods: You can pick the number of methods required to reset a password. This can be a notification, a test, a code sent to user's mobile or office phones, or a set of security questions.

What are Azure Regions? - correct answer Geographical areas that contain at least one, but potentially multiple datacenters.

What is an Azure Subscription? - correct answer It's a logical unit of Azure services that is linked to an Azure account.

How do you obtain a Subscription? - correct answer Enterprise agreements, Resellers, Partners, Personal free account.

How do you implement cost management? - correct answer You use Azure Cost Management and Billing features to conduct billing administrative tasks and manage billing access to costs.

What are management groups? - correct answer If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.

Institution
AZ 104.
Course
AZ 104.
Contains
Questions & answers
Content preview

Azure Active Directory (Azure AD/AAD) - correct answer A multi-tenant, cloud-based directory, and
identity management service.



Provides identity management and access control capabilities for your cloud applications.



Helps employees sign in & access resources in:



1. External Resources - Office 365, Azure Portal, SaaS applications



2. Internal resources - apps on corporate network & intranet, along with cloud apps developed by your
org



Who Uses Azure AD? (3) - correct answer 1. IT Admins - control access to apps & app resources based
on biz requirements. Can use it for MFA, too. Can connect cloud & on-prem resources for Single-Sign-On
(SSO)



2. App developers - standards-based approach for adding single sign-on to apps allowing it to work with
a user's existing credentials.



3. M365, Office365, Azure, and Dynamics CRM online users. Each of these tenants is automatically an
Azure AD tenant. Can immediately manage access to integrated cloud apps.



Azure Tenant - correct answer A dedicated and trusted instance of Azure AD that's automatically
created when an organization signs up for a Microsoft cloud service subscription, such as Microsoft
Azure, Microsoft Intune, or Office 365.



An Azure tenant represents a single organization.



Single Tenant - correct answer Azure tenants that access other services in a dedicated environment
are considered "single tenant" (not shared)


Multi-Tenant - correct answer Azure Tenants that access other services in a shared environment,
across multiple organizations, are considered multi-tenant



Azure AD directory - correct answer Each Azure tenant has a dedicated & trusted Azure AD directory.



The Azure AD directory includes the tenant's users, groups, and apps and is used to perform Identity &
Access management functions for tenant resources.



Azure AD account - correct answer An identity created through Azure AD or another Microsoft cloud
service, such as Office 365.



Identities are stored in Azure AD and are accessible to an org's cloud service subscriptions.



Account is also sometimes called a "Work" or "School" account.



Custom Domain - correct answer Every new Azure AD directory comes with an initial domain name
"domainname.onmicrosoft.com". In addition to that initial name, you can also add your org's domain
names.



ie ""



Account Administrator - correct answer CLASSIC azure subscription admin role that is conceptually
the BILLING OWNER of a subscription.



This role has access to the Azure Account Center and enables you to manage all subscriptions in an
account.

Service Administrator - correct answer CLASSIC azure subscription admin role that enables you to
manage all Azure resources, including access.



Role has the equivalent access of a user who is assigned Owner role at the subscription scope.



Owner - correct answer This RBAC role helps to manage all Azure resources, including access.



This is a new role built on the new Azure authorization system called "Role-Based Access Control"
(RBAC)



Azure AD Global admin - correct answer This admin role is automatically assigned to whomever
created the Azure AD tenant.



Global admins can perform all of the admin functions for Azure AD and any services that federate to
Azure AD such as Exchange Online, SharePoint Online, and Skype for Business Online.



Can have multiple Global Admins, but only Global admins can assign admin roles (including other Global
admins) to users.



NOTE: Called COMPANY ADMINISTRATOR in Azure PowerShell



Microsoft Account (MSA) - correct answer Personal accounts that provide access to
consumer-oriented Microsoft products & cloud services.



A free account with Microsoft that gives the subscriber access to Microsoft services, such as Hotmail,
Messenger, SkyDrive, Windows Phone, Xbox LIVE, and Outlook.com.



Application Management (AAD) - correct answer Manage cloud & on-prem apps using Application
Proxy, single sign-on, the My Apps portal (aka Access panel), and SaaS apps.



Authentication (AAD) - correct answer Manage Azure Active Directory self-service password reset,
Multi-Factor Authentication, custom banned password list, and smart lockout.

Business-to-business (B2B)(AAD) - correct answer Manage guest users & external partners, while
maintaining control over corporate data.



Business-to-consumer (B2C)(AAD) - correct answer Customize & control how users sign-up, sign-in,
and manage their profiles when using your apps.



Conditional Access (AAD) - correct answer Manage access to your cloud apps.



Azure Active Directory for developers - correct answer Build apps that sign in all Microsoft identities,
get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs



Device Management (AAD) - correct answer Manage how your cloud or on-prem devices access your
corporate data.



Domain Services (AAD) - correct answer Join Azure VMs to a domain without using domain
controllers.



Enterprise Users (AAD) - correct answer Manage license assignment, access to apps, and set up
delegates using groups and administrator roles



Hybrid Identity (AAD) - correct answer Use Azure Active Directory Connect & Connect Health to
provide a single user identity for authentication and authorization to all resources, regardless of location
(cloud or on-premises)



Identity Governance (AAD) - correct answer Manage your organization's identity through employee,
business partner, vendor, service, and app access controls. Can also perform access reviews.



Identity Protection (AAD) - correct answer Detect potential vulnerabilities affecting your
organization's identities, configure policies to respond to suspicious actions, and then take appropriate
action to resolve them.

Get to know the seller
Rechga Nursing