Microsoft Certified Azure Administrator Associate EXAM QUESTIONS AND ANSWERS
You are always responsible for:
1. Data
2. Endpoints
3. Accounts
4. Access

Azure Security Center tiers:
- Free
- Standard: $15 a month per node

Authentication (AuthN)
Process of establishing the identity of a person or service. Includes the act of challenging a party for their creds. Establishes they ARE who they say they are.

Authorization (AuthZ)
Establishes what access you are allowed.

Azure MFA for global admins is:
Free

Azure MFA for non-global admins is:
Not free. Requires a specific license.

Identity
A thing that can be authenticated: users, servers, services, apps.

Principal
An identity with certain roles: sudo or CMD as an admin. The role changes even with the identity staying the same. Groups are another example of principals.

Service Principal
Identity used by a service or application. Can be assigned roles.

Role-Based Access Control (RBAC)
Roles are sets of permissions; users are assigned to roles, or users are assigned to groups and the groups are assigned to roles. Like editor or read only. Can be granted to access an Azure service instance.

Privileged Identity Management (PIM)
A paid-for service that provides oversight of role assignments, self-service and just-in-time role activation.

Symmetric encryption
Uses a single key to encrypt and decrypt data.

Asymmetric encryption
Two keys are used; one key encodes the message, and the other key decodes the message. Used for Transport Layer Security (TLS), which is used for HTTPS, and for data signing.

Azure Storage Service Encryption
Data-at-rest encryption. Used for Blob storage, Azure Files, etc.

Azure Disk Encryption
Encrypts Windows or Linux IaaS VM disks. Uses the BitLocker feature of Windows and the dm-crypt feature of Linux to provide encryption for the OS and data disks. Integrated into Azure Key Vault.

Transport Data Encryption (TDE)
Helps protect Azure SQL Database and Azure Data Warehouse. Enabled by default. You can use an Azure Key Vault key or bring your own key (BYOK).

Azure Key Vault
- Secret management: tokens, passwords, certs, API keys, etc.
- Key management: encryption keys
- Certificate management: manage and use your SSL/TLS certs for your Azure and internally connected services
- Store secrets backed by hardware security modules (HSM). Can use software or FIPS HSM

Benefits of Azure Key Vault include
- Centralized app secrets
- Securely stored secrets and keys
- Monitor access and use
- Simplify admin of app secrets
- Integrate with other Azure services

X.509 v3
Certs used in Azure.

Firewall
Grants access based on IP. Can also check port and protocol.

Azure Firewall
Managed. Cloud based. Fully stateful. Built with high availability and unrestricted cloud scalability. Protects against inbound non-HTTP/S protocols like RDP, SSH and FTP. Also provides outbound network-level protection for all ports and protocols and application-level protection for outbound HTTP/S.

Azure App Gateway
A load balancer that includes a Web App Firewall (WAF) that protects against common known vulnerabilities in websites. Designed for HTTP traffic.

Network Virtual Appliance (NVA)
Ideal option for non-HTTP services or advanced configurations. Similar to hardware firewalls.

Azure DDoS protection
Monitors traffic at the Azure network edge before it affects availability. It identifies DDoS traffic and blocks it while allowing legit traffic.

Azure DDoS Protection: Basic tier
Auto enabled in Azure. Always-on monitoring. Real-time monitoring/mitigation of common network-level attacks.

Azure DDoS Protection: Standard tier
Additional mitigation capabilities tuned specifically to Azure Virtual Network resources. Requires no app changes. Dedicated traffic monitoring. Machine learning. Mitigates against: volumetric attacks, protocol attacks, resource
School, study and subject
- Institution: Microsoft Certified Azure Administrator Associate
- Course: Microsoft Certified Azure Administrator Associate

Document information
- Published on: 8 February 2024
- Number of pages: 5
- Written in: 2023/2024
- Type: Exam
- Contains: Questions and answers

Topics
- microsoft certified azure administrator associate