Identities And Governance


  1. If you delete a user account by mistake, can it be restored?
  • When a user account is deleted, it’s gone forever and can’t be restored.
  • The user account can be restored, but only when it’s created within the last 30 days.
  • The user account can be restored, but only when it’s deleted within the last 30 days.
  2. What kind of account would you create to allow an external organization easy access?
  • A guest user account for each member of the external team.
  • An external account for each member of the external team.
  • An administrator account for each member of the external team.
  3. An Azure subscription is a ___.
  • Billing entity and security boundary
  • Container that holds users
  • Monthly charge for Azure services
  4. Which of the following best describes the relationship between a subscription and an Azure AD directory?
  • An Azure AD directory has a 1:1 relationship with a subscription.
  • An Azure AD directory can be associated with multiple subscriptions, but a subscription is always tied to a single directory.
  • An Azure AD directory is associated with a single subscription, but a subscription can trust multiple directories.
  5. True or False, an organization can have more than one Azure AD directory.
  • True
  • False

Keep in mind that you can only work with a single directory at a time – but you can use the Directory + Subscription panel to switch directories. The dashboard also has a Switch directory button in the toolbar which makes it easy to switch to another available directory.

Typically, Azure AD defines users in 3 ways:

Cloud Identities – These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself. Their source is Azure Active Directory or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they are deleted.

Directory-Synchronized Identities – These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users in to Azure. Their source is Windows Server AD.

Guest Users – These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts such as an Xbox LIVE account. Their source is Invited user. This type of account is useful when external vendors or contractors need access to your Azure resources. Once their help is no longer necessary, you can remove the account and all of their access.

Azure AD Connect is a separate service that allows you to synchronize a traditional Active Directory with your Azure AD instance. This is how most enterprise customers add users to the directory. The advantage to this approach is users can use single-sign-on (SSO) to access local and cloud-based resources.

Creating a new Azure AD role (a directory role, which governs the directory itself) can be done through several mechanisms. Note that these are distinct from Azure RBAC custom roles, which govern access to Azure resources and are covered further down with their own cmdlets (New-AzRoleDefinition, Set-AzRoleDefinition):

Azure portal. You can use the Azure portal to create a custom role – Azure Active Directory > Roles and administrators > New custom role.
Azure PowerShell. You can use the New-AzureADMSRoleDefinition cmdlet to define a new role.
Microsoft Graph API. You can use a REST call to Microsoft Graph to programmatically create a new role.

  6. What information does an Action provide in a role definition?
  • An Action provides the allowed management capabilities for the role.
  • An Action determines what data the role can manipulate.
  • An Action decides what resource the role is applied to.
  7. Which of the following sets the scope of a role to be the resource group myResourceGroup?
  • /subscriptions/de324015-0284-4582-9d9c-6f1e52a30471
  • /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup/backupvm1
  • /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup
  8. How are NotActions used in a role definition?
  • NotActions are subtracted from the Actions to define the list of permissible operations.
  • NotActions are consulted after Actions to deny access to a specific operation.
  • NotActions allow you to specify a single operation that is not allowed.

Companies that use an on-premises Windows Server Active Directory solution can integrate their existing users and groups with Azure Active Directory using Azure AD Connect. This is a free tool you can download and install to synchronize your local AD with your Azure AD directory. With Azure AD Connect, you can provide your users with a common identity for Microsoft 365, Azure, and SaaS applications integrated with Azure AD in a hybrid identity environment.

Azure AD Connect provides several components that you can install to create a hybrid identity system:

Sync services. This component is responsible for creating users, groups, and other objects. It also makes sure that identity information for your on-premises users and groups matches that in the cloud.
Health monitoring. Azure AD Connect Health supplies robust monitoring and a central location in the Azure portal for viewing this activity.
AD FS. Federation is an optional part of Azure AD Connect that you can use to configure a hybrid environment via an on-premises AD FS infrastructure. Organizations can use this to address complex deployments, such as domain-join SSO, enforcement of the Active Directory sign-in policy, and smart card or third-party multi-factor authentication.
Password hash synchronization. This sign-in method synchronizes a hash of a user’s on-premises Active Directory password with Azure AD, so that Azure AD can validate the password itself.
Pass-through authentication. This allows users to sign in to both on-premises and cloud-based applications using the same passwords. This reduces IT helpdesk costs because users are less likely to forget how to sign in. This feature provides an alternative to password hash synchronization: the password is validated against the on-premises Active Directory rather than stored (even as a hash) in the cloud, which lets organizations enforce their own on-premises security and password complexity policies.

Installing and configuring Azure AD Connect is not a trivial task and requires some initial planning and decisions before you begin.

Office phone: Provide a nonmobile phone number. You receive an automated call to this number and press #. In free and trial Azure AD organizations, phone call options aren’t supported.

The mobile phone method isn’t a recommended method because it’s possible to send fraudulent SMS messages.
The security question option is the least recommended method because the answers to the security questions might be known to other people. Only use the security question method in combination with at least one other method.

SSPR (Self Service Password Reset) isn’t available in the free edition of Azure AD.

  9. When is a user considered registered for SSPR?
  • When they’ve registered at least one of the permitted authentication methods.
  • When they’ve registered at least the number of methods that you’ve required to reset a password.
  • When they’ve set up the minimum number of security questions.
  10. When you enable SSPR for your Azure AD organization…
  • Users can change their password when they’re signed in.
  • Admins can reset their password by using one authentication method.
  • Users can reset their passwords when they can’t sign in.

You control access to resources using RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as “who”, “what”, and “where”.

Once you have determined the who, what, and where, you can combine those elements to grant access. A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment. To revoke access, you remove a role assignment.

RBAC is an allow model. What this means is that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. So, if one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you will have read and write permissions on that resource group.

RBAC role definitions also have NotActions. NotActions are not deny rules; they refine the set of allowed permissions within one role definition. The access granted by a role, its effective permissions, is computed by subtracting the NotActions operations from the Actions operations. Because RBAC is an allow model, a NotActions entry in one role never removes an operation that a different role assignment grants to the same principal. For example, the Contributor role has both Actions and NotActions. The wildcard (*) in Actions indicates that it can perform all operations on the control plane. Then you subtract the following operations in NotActions to compute the effective permissions:

  • Microsoft.Authorization/*/Delete – delete roles and role assignments.
  • Microsoft.Authorization/*/Write – create or update roles and role assignments.
  • Microsoft.Authorization/elevateAccess/Action – grants the caller User Access Administrator access at the tenant scope.
  • Microsoft.Blueprint/blueprintAssignments/write – create or update any blueprint artifacts.
  • Microsoft.Blueprint/blueprintAssignments/delete – delete any blueprint artifacts.
  11. True or false: A role definition in Azure is a collection of permissions?
  • True
  • False
  12. Suppose you want to assign a role to allow a user to create and manage Azure resources but not be able to grant access to others. Which of the following built-in roles would support this?
  • Owner
  • Contributor
  • Reader
  • User Access Administrator
  13. What is the inheritance order for scope in Azure?
  • Management group, Resource group, Subscription, Resource
  • Management group, Subscription, Resource group, Resource
  • Subscription, Management group, Resource group, Resource
  • Subscription, Resource group, Management group, Resource
  14. True or false: To grant a user access to Azure resources, you create a role assignment?
  • True
  • False
  15. Suppose a developer needs full access to a resource group. If you are following least-privilege best practices, what scope should you specify?
  • Resource
  • Resource group
  • Subscription

Management Group -> Subscription -> Resource Group -> Resource

Security principals (the “who” in a role assignment): users, groups, service principals, managed identities
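The evaluation rules above (Actions minus NotActions, the allow model across assignments, and inheritance down the Management Group -> Subscription -> Resource Group -> Resource chain) are easy to get wrong when reasoning by hand, so here is an offline model of them in code. This is an added example written for these notes, not Microsoft code. The Contributor and Reader definitions are abbreviated copies of the documented built-in roles (in the JSON shape `az role definition list` returns); the subscription id is the one from the scope question above, while the management group, resource groups, resources, principals and the “VM Operator (custom)” role are constructed for the example. Deny assignments, DataActions and conditions are not modelled. The last helper shows why a custom role can only be deleted once its assignments are gone.

```python
import re
from dataclasses import dataclass

# Constructed hierarchy; only the subscription id comes from the scope question above.
MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SUB = "/subscriptions/ef67bd4f-d0f2-4845-b6dd-6cba225b4f10"
RG_DEV = SUB + "/resourceGroups/rg-dev"
RG_PROD = SUB + "/resourceGroups/rg-prod"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev-01"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
# A subscription's scope string does not name its management group, so that link is a lookup
# (constructed here; in Azure it comes from the Management Groups API).
SUBSCRIPTION_PARENT = {SUB: MG}

# Role definitions. Contributor and Reader are abbreviated from the built-in roles; the custom
# role is constructed and carries the AssignableScopes a custom role must declare.
ROLES = {
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
        ],
        "AssignableScopes": ["/"],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]},
    "VM Operator (custom)": {
        "IsCustom": True,
        "Actions": [
            "Microsoft.Compute/*/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "NotActions": [],
        "AssignableScopes": [SUB],
    },
}

def operation_matches(pattern, operation):
    """RBAC wildcard semantics: '*' matches any run of characters, '/' included; case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def role_permits(role, operation):
    """Effective permissions of one role = Actions minus NotActions. NotActions is not a deny rule."""
    in_actions = any(operation_matches(p, operation) for p in role["Actions"])
    in_not_actions = any(operation_matches(p, operation) for p in role["NotActions"])
    return in_actions and not in_not_actions

def scope_chain(scope):
    """The scope and every ancestor: resource -> resource group -> subscription -> management group."""
    m = re.match(r"^(/subscriptions/[^/]+)((?:/resourceGroups/[^/]+)?)(/.+)?$", scope, re.IGNORECASE)
    if not m:
        return [scope]                      # a management group or other top-level scope
    sub, rg, rest = m.group(1), m.group(2), m.group(3)
    chain = [scope] if rest else []         # the resource itself, when the scope is below the group
    if rg:
        chain.append(sub + rg)              # its resource group
    chain.append(sub)                       # its subscription
    mg = SUBSCRIPTION_PARENT.get(sub)
    if mg:
        chain.append(mg)                    # the management group above the subscription
    return chain

@dataclass(frozen=True)
class Assignment:
    principal: str   # who: user, group, service principal or managed identity
    role: str        # what: a role definition name
    scope: str       # where: the scope the role is bound at

def is_allowed(assignments, principal, operation, scope):
    """Allow model: one assignment that covers the scope (directly or by inheritance) and whose role
    permits the operation is enough; assignments only ever add permissions."""
    covering = scope_chain(scope)
    return any(a.principal == principal and a.scope in covering and role_permits(ROLES[a.role], operation)
               for a in assignments)

def assignments_blocking_deletion(assignments, role_name):
    """Assignments referencing a custom role must be removed before its definition can be deleted."""
    return [a for a in assignments if a.role == role_name]

ASSIGNMENTS = [                                               # constructed
    Assignment("alice", "Contributor", SUB),
    Assignment("bob", "Reader", SUB),
    Assignment("bob", "Contributor", RG_DEV),
    Assignment("ops-team", "VM Operator (custom)", RG_PROD),
    Assignment("auditors", "Reader", MG),
]

if __name__ == "__main__":
    for who, op, where in [
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG_DEV),  # Contributor cannot grant access
        ("bob", "Microsoft.Compute/virtualMachines/write", VM_PROD),         # Contributor only in rg-dev
        ("ops-team", "Microsoft.Compute/virtualMachines/delete", VM_PROD),   # custom role has no delete
        ("auditors", "Microsoft.Compute/virtualMachines/read", VM_DEV),      # inherited from management group
    ]:
        print(f"{who:9} {op:48} {'ALLOW' if is_allowed(ASSIGNMENTS, who, op, where) else 'deny'}")
```

Run it and the four checks print deny, deny, deny, ALLOW: Contributor at subscription scope reaches every resource group below it but still cannot write role assignments, bob’s Contributor assignment is confined to rg-dev while his subscription-level Reader still lets him read rg-prod, and the management-group assignment is inherited all the way down to a single VM. Replace the constructed role dictionaries with the output of `az role definition list --name Contributor` to check a real definition the same way.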

  16. What’s included in a custom Azure role definition?
  • Operations allowed for Azure resources and the scope of permissions
  • The assignment of the custom role
  • Actions and DataActions operations that you can scope to the tenant level
  17. What commands help you determine what operations to add to a custom role definition?
  • Use ‘az provider show’ to find resource provider operations.
  • Use ‘List-AzRoleDefinition’ to view a built-in role.
  • Use ‘az role definition list’ to view a built-in role.
  18. What is the Azure PowerShell cmdlet to update a custom role?
  • New-AzRoleDefinition
  • Set-AzRoleDefinition
  • az role definition create
  19. What are the steps to remove a custom role?
  • Delete the custom role and then remove the role assignments.
  • Set the role definition status to retired.
  • Delete the role assignments and then delete the custom role.

A resource can have up to 50 tags. The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. The tag value is limited to 256 characters for all types of resources. Tags aren’t inherited from parent resources. Not all resource types support tags, and tags can’t be applied to classic resources. Tags can be added and manipulated through the Azure portal, Azure CLI, Azure PowerShell, Resource Manager templates, and through the REST API.

Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only (the Resource Manager API calls these levels CanNotDelete and ReadOnly). Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.
Applying Read-only can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. Resource locks apply regardless of RBAC permissions. Even if you are an owner of the resource, you must still remove the lock before you’ll actually be able to perform the blocked activity.
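The tag limits and lock rules above, turned into checks that run offline. This is an added example for these notes, not Microsoft code: it validates tag counts and name/value lengths (with the storage-account exception), shows that resource-group tags contribute nothing to a resource’s own tags, and evaluates locks with inheritance from the subscription or resource group, including the Read-only lock stopping the POST behind listKeys for every caller regardless of role. The resource ids, tags and locks are constructed; lock levels use the ARM names CanNotDelete and ReadOnly, which the portal shows as Delete and Read-only.

```python
from dataclasses import dataclass

MAX_TAGS_PER_RESOURCE = 50
MAX_TAG_VALUE_LEN = 256
STORAGE_ACCOUNT_TYPE = "Microsoft.Storage/storageAccounts"

def max_tag_name_len(resource_type):
    """Tag names may be 512 characters, except on storage accounts, where the limit is 128."""
    return 128 if resource_type.lower() == STORAGE_ACCOUNT_TYPE.lower() else 512

def tag_problems(resource_type, tags):
    """Reasons a resource write carrying these tags would be rejected; an empty list means acceptable."""
    problems = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        problems.append(f"{len(tags)} tags, limit is {MAX_TAGS_PER_RESOURCE}")
    name_limit = max_tag_name_len(resource_type)
    for name, value in tags.items():
        if len(name) > name_limit:
            problems.append(f"tag name of {len(name)} chars exceeds {name_limit} for {resource_type}")
        if len(value) > MAX_TAG_VALUE_LEN:
            problems.append(f"value of tag {name!r} is {len(value)} chars, limit is {MAX_TAG_VALUE_LEN}")
    return problems

def effective_tags(resource_tags, resource_group_tags):
    """Tags are not inherited from the parent, so the resource group's tags contribute nothing."""
    return dict(resource_tags)

@dataclass(frozen=True)
class Lock:
    scope: str   # subscription, resource group or resource id the lock was applied to
    level: str   # ARM names: "CanNotDelete" (portal: Delete) or "ReadOnly" (portal: Read-only)

def scope_covers(lock_scope, target_scope):
    """Locks are inherited downward: a lock on a resource group covers every resource in it."""
    lock_scope, target_scope = lock_scope.lower(), target_scope.lower()
    return target_scope == lock_scope or target_scope.startswith(lock_scope + "/")

def blocking_lock(locks, target_scope, operation, http_method):
    """Return the lock that stops this request, or None.

    Locks are checked after RBAC and regardless of the caller's role, so an Owner is blocked too
    until the lock is removed. ReadOnly permits only GET, which is why listKeys (a POST, because
    the keys it returns grant write access) fails under a Read-only lock although it 'only reads'."""
    method = http_method.upper()
    for lock in locks:
        if not scope_covers(lock.scope, target_scope):
            continue
        if lock.level == "ReadOnly" and method != "GET":
            return lock
        if lock.level == "CanNotDelete" and (method == "DELETE" or operation.lower().endswith("/delete")):
            return lock
    return None

# Constructed sample: a CanNotDelete lock on the production resource group (covering the
# ExpressRoute circuit inside it) and a ReadOnly lock on one development storage account.
SUB = "/subscriptions/ef67bd4f-d0f2-4845-b6dd-6cba225b4f10"
RG_PROD = SUB + "/resourceGroups/rg-prod"
EXPRESSROUTE = RG_PROD + "/providers/Microsoft.Network/expressRouteCircuits/er-onprem"
STORAGE = SUB + "/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdevimages"
LOCKS = [Lock(RG_PROD, "CanNotDelete"), Lock(STORAGE, "ReadOnly")]

if __name__ == "__main__":
    for scope, op, method in [
        (EXPRESSROUTE, "Microsoft.Network/expressRouteCircuits/delete", "DELETE"),
        (EXPRESSROUTE, "Microsoft.Network/expressRouteCircuits/write", "PUT"),
        (STORAGE, "Microsoft.Storage/storageAccounts/listKeys/action", "POST"),
        (STORAGE, "Microsoft.Storage/storageAccounts/read", "GET"),
    ]:
        lock = blocking_lock(LOCKS, scope, op, method)
        print(f"{method:6} {op:50} {'blocked by ' + lock.level if lock else 'passes locks'}")
    print(tag_problems(STORAGE_ACCOUNT_TYPE, {"x" * 129: "ok"}))   # one problem: 129 > 128
```

The Delete lock on rg-prod blocks the circuit’s DELETE but lets a PUT through, while the Read-only lock on the storage account blocks the listKeys POST and permits the GET. Note that `blocking_lock` never looks at who is calling: that is the “regardless of RBAC permissions” rule from the paragraph above, and the reason an Owner has to remove the lock first.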

  20. Tags can be applied to any type of resource on Azure
  • True
  • False
  21. Tags applied at a resource group level are propagated to resources within the resource group.
  • True
  • False
  22. Which of the following features does not apply to resource groups?
  • Resources can be in only one resource group.
  • Resources can be moved from one resource group to another resource group.
  • Role-based access control can be applied to the resource group.
  • Resource groups can be nested.
  23. Which of the following approaches might be a good usage of tags?
  • Using tags to associate a cost center with resources for internal chargeback
  • Using tags in conjunction with Azure Automation to schedule maintenance windows
  • Using tags to store environment and department association
  • All of the above are good ways to use tags
  24. Which of the following approaches would be the most efficient way to ensure a naming convention was followed across your subscription?
  • Send out an email with the details of your naming conventions and hope it is followed
  • Create a policy with your naming requirements and assign it to the scope of your subscription
  • Give all other users except for yourself read-only access to the subscription. Have all requests to create resources sent to you so you can review the names being assigned to resources, and then create them.
  25. Which of the following items would be good use of a resource lock?
  • A non-production virtual machine used to test occasional application builds
  • A storage account used to temporarily store images processed in a development environment
  • An ExpressRoute circuit with connectivity back to your on-premises network

Answer Keys

  1. A user account can be restored when it’s deleted within the last 30 days. Go to the deleted user list to see all of the deleted users.
  2. A guest user account for each member of the external team. A guest user account restricts users to just the access they need.
  3. Billing entity and security boundary. Azure subscriptions manage resources and limits, and provide the charges billed to the account owner.
  4. Azure subscriptions can only trust a single directory, but multiple subscriptions can be associated with a single Azure AD instance.
  5. True. While a single directory is created for the organization initially, more can be created to divide security across boundaries.
  6. An Action provides the allowed management capabilities for the role; the Action defines what the role can do.
  7. /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup. The first option is subscription scope, and the second names a single resource (backupvm1) inside the resource group.
  8. NotActions are subtracted from the Actions to define the list of permissible operations. In the case of the Contributor role, NotActions removes this role’s ability to manage access to resources and to assign access to resources.
  9. When they’ve registered at least the number of methods that you’ve required to reset a password.
  10. Users can reset their passwords when they can’t sign in. If the user passes the authentication tests, then they can reset their password.
  11. True. A role definition in Azure is a collection of permissions with a name that you can assign to a user, group, or application.
  12. Contributor. A contributor can create and manage all types of Azure resources, but they can’t grant access to other users.
  13. The inheritance order for scope is Management group, Subscription, Resource group, Resource. For example, if you assigned a Contributor role to a group at the Subscription scope level, it will be inherited by all Resource groups and Resources.
  14. True. A role assignment is the process of binding a role to a security principal at a particular scope for the purpose of granting access.
  15. Resource group. Following least-privilege best practices, you grant only the access the user needs to do their job; in this case, you should set the scope to the resource group.
  16. A custom role definition includes the operations allowed, such as read, write, and delete, for Azure resources and the scope of those permissions.
  17. Use ‘az role definition list’ to view a built-in role in Azure CLI. (‘List-AzRoleDefinition’ is not an Azure PowerShell cmdlet; the cmdlet that lists roles is Get-AzRoleDefinition.)
  18. Use ‘Set-AzRoleDefinition’ to update a custom role by using Azure PowerShell.
  19. Delete the role assignments and then delete the custom role. Before you can delete the custom role, you must delete any role assignments.
  20. False. Not all resource types support tags, and tags can’t be applied to classic resources.
  21. False. Tags aren’t inherited hierarchically from resource group to resource.
  22. Resource groups can be nested (this is the feature that does not apply; resource groups can’t be nested).
  23. All of the above are good ways to use tags.
  24. Create a policy with your naming requirements and assign it to the scope of your subscription.
  25. An ExpressRoute circuit with connectivity back to your on-premises network; an accidental deletion would cut off on-premises connectivity.
