Download Microsoft Azure Security Technologies.AZ-500.PrepAway.2021-03-02.228q.vcex

Incorrect Answers:A, C: You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and devices. D: For assigned group you can only add individual members.Scenario: Litware identifies the following identity and access requirements: All San Francisco users and their devices must be members of Group1. The tenant currently contain this group:      References:https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membershiphttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal 

Reference:https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent

To start using PIM in your directory, you must first enable PIM. 1. Sign in to the Azure portal as a Global Administrator of your directory. You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable PIM for a directory. Scenario: Technical requirements include: Enable Azure AD Privileged Identity Management (PIM) for contoso.com References:https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-getting-started Manage identity and access

Box 2: NoUse of Microsoft Authenticator is not required. Note: Microsoft Authenticator is a multifactor app for mobile devices that generates time-based codes used during the Two-Step Verification process. Box 3: NoThe New York IP address subnet is included in the "skip multi-factor authentication for request. References:https://www.cayosoft.com/difference-enabling-enforcing-mfa/

Creating a new (additional) stored access policy with have no effect on the existing policy or the SAS’s linked to it. To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately effects all of the shared access signatures associated with it. Reference:https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy

Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway. Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:Create Azure Virtual Network. Create a custom DNS server in the Azure Virtual Network. Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver. Configure forwarding between the custom DNS server and your on-premises DNS server. References:https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network

You can connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway. Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:Create Azure Virtual Network. Create a custom DNS server in the Azure Virtual Network. Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver. Configure forwarding between the custom DNS server and your on-premises DNS server. References:https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network

Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes. Incorrect Answers:A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the authentication load. C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter network. Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests. References:https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

Use the Synchronization Rules Editor and write attribute-based filtering rule. References:https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

Azure AD Identity protection can detect six types of suspicious sign-in activities:Users with leaked credentials Sign-ins from anonymous IP addresses Impossible travel to atypical locations Sign-ins from infected devices Sign-ins from IP addresses with suspicious activity Sign-ins from unfamiliar locations These six types of events are categorized in to 3 levels of risks – High, Medium & Low:      References:http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/