Microsoft Azure Security Technologies EXAM AZ-500 STUDY GUIDE & EXAM PREP (IN PROGRESS)

Hey gang – I have another “nights and weekends” project in the works.



As of right now, I am finished with Module 1, which covers the following breakdown of the domains and all the subtopics:

Manage identity and access (30-35%)

  • Manage Azure Active Directory identities
    • Configure security for service principals
    • Manage Azure AD directory groups
    • Manage Azure AD users
    • Configure password writeback
    • Configure authentication methods including password hash and Pass Through Authentication (PTA), OAuth, and passwordless (not ADFS)
    • Transfer Azure subscriptions between Azure AD tenants
  • Configure secure access by using Azure AD
    • Monitor privileged access for Azure AD Privileged Identity Management (PIM)
    • Configure Access Reviews
    • Activate and configure PIM
    • Implement Conditional Access policies including Multi-Factor Authentication (MFA)
    • Configure Azure AD identity protection
  • Manage application access
    • Create App Registration
    • Configure App Registration permission scopes
    • Manage App Registration permission consent
    • Manage API access to Azure subscriptions and resources
  • Manage access control
    • Configure subscription and resource permissions
    • Configure resource group permissions
    • Configure custom RBAC roles
    • Identify the appropriate role
    • Apply principle of least privilege
    • Interpret permissions
    • Check access

These are for the NEW requirements as laid out in the updated skills outline for the end of July 2020.

Here is a snip from the introduction of the book – it’ll give you an idea of what to expect from the finished product:

HOW TO BEST USE THIS STUDY GUIDE

With direct respect to the overview and reference content provided for review study, the materials here align with the main domain objectives for the certification. As much as possible, the topic references and outlines are also followed up with direct links to articles and whitepapers on the Microsoft website that dive deeper into the summary content.

The content has been provided, at least in summary format, for every domain topic and each sub-item for that topic. In some cases, additional editorial content and technical details are offered to dive down into the item. In other cases, there may be fewer details, but in all cases, links back to technical documentation on a Microsoft Docs page have been offered.

All of the supplied information, review links, and notes are meant as a final review as opposed to full, robust information.

If you follow the hyperlinked topics and review the reference pages for the detailed information, you should be able to fill in many of the blanks you might have on the topics and the overall domain objectives.

With direct respect to the practice questions, this book’s style and format is written to partially simulate some of the content and question approach that you might see in an official Microsoft exam.

The questions and the answer choices are provided for you on one page so you can read everything in its entirety.

On the very next page is the same question, with the solution / answer provided, along with the answer explanation and reference information.

This format was chosen so that the solution is not immediately exposed – that allows the reader to think about an answer to select before being presented with the solution.

Additionally, repeating the entire question, with the answer and references provided on the very next page, eliminates the need for searching / flipping through the book.

The practice questions, and the answers, explanations, and reference links, are another direct opportunity to learn additional information on the domain topics; it is a suggested best practice for using this study guide to read everything included in its entirety.

Stay tuned – I am hoping to have this wrapped up and released in late August 2020.



Introduction to the differences between Azure Front Door Service and Traffic Manager

Azure Front Door enables Azure owners to configure global routing for their web traffic, allowing them to set up and optimize for best performance as well as to configure high availability through instant global fail-over.

Azure Front Door allows Azure administrators to transform their global, multi-regional consumer and enterprise solutions into high-performance solutions.

Azure Front Door works at Layer 7 of the OSI stack (HTTP/HTTPS), using anycast with split TCP and Microsoft’s global network backbone to better ensure global connectivity.

Based on your application setup and the configuration for your routing method solution, your client requests are directed to the fastest and most available application back-end.

Azure Front Door provides a range of traffic-routing methods and backend health monitoring options to suit different application needs and automatic fail-over models.

Similar to Traffic Manager, Front Door is resilient to failures, including the failure of an entire Azure region.

There are some differences between the two services and a couple of similarities.

Author iamashishsharma at https://iamashishsharma.com/ recently posted on their blog the post titled Difference between Azure Front Door Service and Traffic Manager. I highly recommend you read it; it is a very compact overview expressly outlining a couple of the similarities between the services and then the divergence of the two and what each offers.

Azure Certification Question of the Day (QOTD) – AZ-500 Q001 – ANSWERED

To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), your directory must have a valid license.

Which licenses will you require? (Make three selections – each answer is a complete solution).

A) Azure AD Premium P1
B) Azure AD Premium P2
C) Enterprise Mobility + Security (EMS) E3
D) Enterprise Mobility + Security (EMS) E5
E) Microsoft 365 F1
F) Microsoft 365 M3
G) Microsoft 365 M5

CORRECT ANSWERS:
B) Azure AD Premium P2
D) Enterprise Mobility + Security (EMS) E5
G) Microsoft 365 M5

Licensing requirements

To use Privileged Identity Management, your directory must have one of the following paid or trial licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 M5

Deploy Azure AD Privileged Identity Management (PIM)

License requirements to use Privileged Identity Management

Azure Certification Question of the Day (QOTD) – AZ-103 002 – ANSWERED

Your enterprise environment is presently using Active Directory Domain Services (AD DS).

You have been tasked with configuring directory synchronization with your Office 365 E5 subscription.

You need to set up support for Single Sign-on (SSO) and you want to confirm that all of the domain user names in use meet the formatting standard and will not cause any issues with the synchronization.

What should you do? (Choose the best option)

A) Make changes to the default configuration of Azure Active Directory (Azure AD) Connect sync
B) Confirm the synchronization settings in the Synchronization Rules Editor
C) Run Azure AD Connect sync with the defaults
D) Run the IdFix tool
E) Run the Synchronization Rules Editor and create a custom rule

Correct answer: D

The correct answer is (D) Run the Office 365 IdFix tool – the tool is used to search for problems in your directory and then fix the errors in the GUI.

Common errors detected by IdFix include illegal characters, duplicate entries / values, format violations, length limitations, to name a few.

While you can make changes to the default configuration of Azure Active Directory (Azure AD) Connect sync, and / or run Azure AD Connect sync with the default settings, neither option would find or correct the formatting exceptions in the existing user names that could cause issues with the synchronization.

The Synchronization Rules Editor is used to view and change the default configuration. It ships with the default rules, and you can add custom changes such as attribute flow, precedence, and scoping, but none of that addresses formatting exceptions in the user names themselves that might cause issues with the synchronization.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-service-manager-ui

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
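As an added illustration of the kind of pre-sync check the answer describes (this is example code written for this post, not IdFix and not from Microsoft), the function below flags common userPrincipalName problems over a constructed sample set. The length limits, allowed characters and routable-domain rule follow the Azure AD Connect attribute-preparation guidance as I recall it; confirm them against the linked docs before relying on the output.

```powershell
# Constructed sample UPNs covering the problem classes named in the answer.
$SampleUpns = @(
    'alice.smith@contoso.com',
    'bob jones@contoso.com',         # whitespace
    'carol*@contoso.com',            # illegal character
    'Alice.Smith@contoso.com',       # duplicate (UPN matching is case-insensitive)
    'dave@contoso.local',            # non-routable domain suffix
    ('x' * 70) + '@contoso.com',     # local part longer than 64 characters
    'erin.@contoso.com',             # local part ends with a period
    'frank'                          # missing @
)

function Test-UpnFormat {
    # Returns one object per UPN with Valid = $true/$false and a list of problems.
    param([Parameter(Mandatory)][string[]]$Upn)
    $seen = @{}                      # lower-cased UPN -> first occurrence, for duplicate detection
    foreach ($u in $Upn) {
        $problems = @()
        $parts    = $u.Split('@')
        if ($parts.Count -ne 2) { $problems += 'must contain exactly one @' }
        if ($u -match '\s')     { $problems += 'contains whitespace' }
        if ($u.Length -gt 113)  { $problems += 'longer than 113 characters' }
        if ($parts.Count -eq 2) {
            $local, $domain = $parts
            if ($local.Length -gt 64)  { $problems += 'local part longer than 64 characters' }
            if ($domain.Length -gt 48) { $problems += 'domain part longer than 48 characters' }
            # Allowed local-part characters per the sync attribute guidance (assumption: see lead-in).
            if ($local -notmatch '^[A-Za-z0-9''._!#^~-]+$') { $problems += 'illegal character in local part' }
            if ($local.EndsWith('.'))  { $problems += 'local part ends with a period' }
            if ($domain -match '\.(local|internal)$') { $problems += 'non-routable domain suffix' }
        }
        $key = $u.ToLowerInvariant()
        if ($seen.ContainsKey($key)) { $problems += "duplicate of '$($seen[$key])'" } else { $seen[$key] = $u }
        [pscustomobject]@{
            UPN      = $u
            Valid    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Run the check; in a real tenant you would feed Get-ADUser output into -Upn instead.
Test-UpnFormat -Upn $SampleUpns | Format-Table -AutoSize
```

Only the first sample comes back Valid; every other row names the rule it breaks, which is the triage view IdFix gives you before you run Azure AD Connect.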

Azure Certification Question of the Day (QOTD) – AZ-500 Q001

To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), your directory must have a valid license.

Which licenses will you require? (Make three selections – each answer is a complete solution).

A) Azure AD Premium P1
B) Azure AD Premium P2
C) Enterprise Mobility + Security (EMS) E3
D) Enterprise Mobility + Security (EMS) E5
E) Microsoft 365 F1
F) Microsoft 365 M3
G) Microsoft 365 M5

And here is the updated blog post with the answer – Azure Certification Question of the Day (QOTD) – AZ-500 Q001 – ANSWERED

Azure Certification Question of the Day (QOTD) – AZ-900 001 – ANSWERED

When looking at using a cloud service, what expenditure type are cloud services based on?

A) Capital Expenditure (CapEx)
B) Friendly expenditure
C) Maximum expense
D) Operational Expenditure (OpEx) CORRECT ANSWER

Explanation

Operational Expenditure (OpEx) is the correct answer. Cloud services operate on an Operational Expenditure model: the regular, recurring expenditure you pay for consuming cloud services.

Capital Expenditure (CapEx) is not the correct answer. Capital Expenditure (CapEx) is not required up front when you start using cloud services. There are no up-front costs to use cloud services. You pay for what you consume, under a consumption-based model.

Friendly expenditure and Maximum expense are not defined expenditure types.

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/financial-models

Azure Certification Question of the Day (QOTD) – AZ-103 002

Your enterprise environment is presently using Active Directory Domain Services (AD DS).

You have been tasked with configuring directory synchronization with your Office 365 E5 subscription.

You need to set up support for Single Sign-on (SSO) and you want to confirm that all of the domain user names in use meet the formatting standard and will not cause any issues with the synchronization.

What should you do? (Choose the best option)

A) Make changes to the default configuration of Azure Active Directory (Azure AD) Connect sync
B) Confirm the synchronization settings in the Synchronization Rules Editor
C) Run Azure AD Connect sync with the defaults
D) Run the IdFix tool
E) Run the Synchronization Rules Editor and create a custom rule

And here is the updated blog post with the answer – Azure Certification Question of the Day (QOTD) – AZ-103 002 – ANSWERED

Azure Certification Question of the Day (QOTD) – AZ-900 001

When looking at using a cloud service, what expenditure type are cloud services based on?

A) Capital Expenditure (CapEx)
B) Friendly expenditure
C) Maximum expense
D) Operational Expenditure (OpEx)

And here is the updated blog post with the answer – Azure Certification Question of the Day (QOTD) – AZ-900 001 – ANSWERED

Certification QOTD – AZ-103 001 – ANSWERED

QUESTION 1 – ANSWERED

You’re running your environment in Azure and you review the following resources:

Resource Group – rgmain001

Storage Account – samain001

Azure File Sync – afs001

samain001 contains a file share called IMAGES that contains 1,000 image files.

You need to synchronize the files in Azure to an on-premises Windows server named IMGSYS001.

Which three actions should you perform? Each correct answer presents part of the solution.

A) Mount the current Blob storage in state as a file system
B) Transfer data with AzCopy
C) Create a sync group and a cloud endpoint
D) Register IMGSYS001
E) Install the Azure File Sync agent on IMGSYS001

Correct answer:

C, D, E

Step 1 (E): Install the Azure File Sync agent on IMGSYS001 – The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

Step 2 (D): Register IMGSYS001.

Register Windows Server with Storage Sync Service – establishes a trust relationship between your physical server (or cluster) and the Storage Sync Service.

Step 3 (C): Create a sync group and a cloud endpoint – defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.

AzCopy is a command-line utility designed for copying data to/from Microsoft Azure Blob, File, and Table storage, using simple commands designed for optimal performance. You can copy data between a file system and a storage account, or between storage accounts, but it is not the best answer for fully synchronizing files in Azure to an on-premises server.

You can mount Blob storage as a file system with blobfuse, but this is only available on Linux. Blobfuse is a virtual file system driver for Azure Blob storage.
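The three correct steps (E, D, C) expressed as Az.StorageSync PowerShell, added here as an example and not part of the original post or of Microsoft’s docs. It assumes afs001 is the Storage Sync Service, that the agent MSI is already installed on IMGSYS001 (step E is a download, not a cmdlet), and that the local path, share name and endpoint names are placeholders; cmdlet and parameter names are as I recall them from the Az.StorageSync module, so confirm them with Get-Help on your module version.

```powershell
# Resource names from the question; everything else is an assumption.
$ResourceGroup  = 'rgmain001'
$StorageAccount = 'samain001'
$SyncService    = 'afs001'        # assumed: the Storage Sync Service resource
$ShareName      = 'images'        # Azure file share names are lower-case; the post calls it IMAGES
$LocalPath      = 'D:\IMAGES'     # assumed: folder on IMGSYS001 that will receive the files
$SyncGroupName  = 'sg-images'     # assumed name

# Run these on IMGSYS001 itself, after the Azure File Sync agent MSI (step E) is installed.
Connect-AzAccount
Import-Module Az.StorageSync

# Step D: register IMGSYS001 with the Storage Sync Service (the trust relationship).
$Server = Register-AzStorageSyncServer -ResourceGroupName $ResourceGroup `
              -StorageSyncServiceName $SyncService

# Step C: create the sync group and its single cloud endpoint (the IMAGES share).
New-AzStorageSyncGroup -ResourceGroupName $ResourceGroup `
    -StorageSyncServiceName $SyncService -Name $SyncGroupName

$Sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
New-AzStorageSyncCloudEndpoint -ResourceGroupName $ResourceGroup `
    -StorageSyncServiceName $SyncService -SyncGroupName $SyncGroupName `
    -Name 'ce-images' -StorageAccountResourceId $Sa.Id -AzureFileShareName $ShareName

# A server endpoint on the registered server completes the topology; sync then
# pulls the 1,000 images down to $LocalPath and keeps both endpoints in sync.
New-AzStorageSyncServerEndpoint -ResourceGroupName $ResourceGroup `
    -StorageSyncServiceName $SyncService -SyncGroupName $SyncGroupName `
    -Name 'se-imgsys001' -ServerResourceId $Server.ResourceId -ServerLocalPath $LocalPath
```

The ordering matters for the exam question as well as in practice: the agent must be installed before registration succeeds, and a server endpoint cannot be created until the server is registered and the sync group has its cloud endpoint.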

Certification Question of the Day [QOTD]

As part of getting back into regular blogging, I would like to announce that the Certification Question of the Day is going to be making its return.

I did this in the past for prior MCSE and MCSA certifications on my old blog (from many, many moons ago) and I thought it might be cool to give it another go now under the mantle of Azure certifications and the new role based training that I am involved with.

As I did prior, I will put “QOTD” in the category field for easier searching here on the site as well as the certification it applies to (e.g. “AZ-103” or “AZ-500” – etc.)

A day after a post, I will re-post the question with the accompanying answer.