Free AZ-305 Exam Braindumps (page: 13)


Your company has the divisions shown in the following table.



Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  A. Configure Azure AD join.
  B. Use Azure AD entitlement management to govern external users.
  C. Enable Azure AD pass-through authentication and update the sign-in endpoint.
  D. Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).

Answer(s): B

Explanation:

Govern access for external users in Azure AD entitlement management
Azure AD entitlement management uses Azure AD business-to-business (B2B) to share access so you can collaborate with people outside your organization. With Azure AD B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.

Note: Entitlement management is an identity governance capability that enables organizations to manage identity and access lifecycle at scale by automating access request workflows, access assignments, reviews, and expiration. Entitlement management allows delegated non-admins to create access packages that external users from other organizations can request access to. One and multi-stage approval workflows can be configured to evaluate requests, and provision users for time-limited access with recurring reviews. Entitlement management enables policy-based provisioning and deprovisioning of external accounts.

Note: Access Packages
An access package is the foundation of entitlement management. Access packages are groupings of policy-governed resources a user needs to collaborate on a project or do other tasks. For example, an access package might include:
- access to specific SharePoint sites.
- enterprise applications, including your custom in-house and SaaS apps like Salesforce.
- Microsoft Teams.
- Microsoft 365 Groups.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users



Your company has the divisions shown in the following table.



Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  A. Configure Azure AD join.
  B. Configure Azure AD Identity Protection.
  C. Use Azure AD entitlement management to govern external users.
  D. Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).

Answer(s): C

Explanation:

Govern access for external users in Azure AD entitlement management
Azure AD entitlement management uses Azure AD business-to-business (B2B) to share access so you can collaborate with people outside your organization. With Azure AD B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.

Note: Entitlement management is an identity governance capability that enables organizations to manage identity and access lifecycle at scale by automating access request workflows, access assignments, reviews, and expiration. Entitlement management allows delegated non-admins to create access packages that external users from other organizations can request access to. One and multi-stage approval workflows can be configured to evaluate requests, and provision users for time-limited access with recurring reviews. Entitlement management enables policy-based provisioning and deprovisioning of external accounts.

Note: Access Packages
An access package is the foundation of entitlement management. Access packages are groupings of policy-governed resources a user needs to collaborate on a project or do other tasks. For example, an access package might include:
- access to specific SharePoint sites.
- enterprise applications, including your custom in-house and SaaS apps like Salesforce.
- Microsoft Teams.
- Microsoft 365 Groups.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users



You need to recommend a solution to generate a monthly report of all the new Azure Resource Manager (ARM) resource deployments in your Azure subscription.

What should you include in the recommendation?

  A. Azure Activity Log
  B. Azure Arc
  C. Azure Analysis Services
  D. Azure Monitor metrics

Answer(s): A

Explanation:

Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more than 90 days in the past.

Through activity logs, you can determine:
- what operations were taken on the resources in your subscription
- who started the operation
- when the operation occurred
- the status of the operation
- the values of other properties that might help you research the operation
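An added example (not from this page or from Microsoft's documentation) of turning exported Activity Log records into the monthly report: it keeps only succeeded Microsoft.Resources/deployments/write events whose timestamp falls in the requested month and tallies them per caller. The records are constructed in the shape of the Activity Log REST output, trimmed to the fields used; because the log is retained for 90 days, the job has to run at least that often (monthly, as here) or read from a copy exported elsewhere.

```python
import json
from collections import Counter
from datetime import datetime

DEPLOYMENT_WRITE = "Microsoft.Resources/deployments/write"

# Constructed sample in the shape of Activity Log records, trimmed to the fields the
# report uses. A deployment emits several events (Started, then Succeeded or Failed);
# only the final Succeeded event counts as a new deployment.
SAMPLE_ACTIVITY_LOG = json.loads("""[
 {"operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Succeeded"}, "caller": "alice@contoso.com",
  "eventTimestamp": "2023-05-03T10:15:00.000Z",
  "resourceId": "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Resources/deployments/app1-deploy"},
 {"operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Failed"}, "caller": "bob@contoso.com",
  "eventTimestamp": "2023-05-10T08:00:00.000Z",
  "resourceId": "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Resources/deployments/bad-deploy"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
  "status": {"value": "Succeeded"}, "caller": "alice@contoso.com",
  "eventTimestamp": "2023-05-12T09:00:00.000Z",
  "resourceId": "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
 {"operationName": {"value": "Microsoft.Resources/deployments/write"},
  "status": {"value": "Succeeded"}, "caller": "ci-pipeline-sp",
  "eventTimestamp": "2023-06-01T00:30:00.000Z",
  "resourceId": "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Resources/deployments/june-deploy"}
]""")

def deployments_in_month(records, year, month):
    """Succeeded ARM deployment writes whose eventTimestamp falls in the given month."""
    rows = []
    for r in records:
        if r["operationName"]["value"] != DEPLOYMENT_WRITE or r["status"]["value"] != "Succeeded":
            continue
        ts = datetime.fromisoformat(r["eventTimestamp"].replace("Z", "+00:00"))
        if (ts.year, ts.month) == (year, month):
            rows.append({"when": ts.isoformat(), "caller": r["caller"],
                         "resource_group": r["resourceId"].split("/")[4],
                         "deployment": r["resourceId"].rsplit("/", 1)[-1]})
    return rows

def monthly_report(records, year, month):
    """Report dict: month, total count, count per caller, and the deployment rows."""
    rows = deployments_in_month(records, year, month)
    return {"month": f"{year:04d}-{month:02d}", "count": len(rows),
            "by_caller": dict(Counter(r["caller"] for r in rows)), "deployments": rows}

if __name__ == "__main__":
    print(json.dumps(monthly_report(SAMPLE_ACTIVITY_LOG, 2023, 5), indent=2))
```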


Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains an Azure key vault named KV1 and a virtual machine named VM1. VM1 runs Windows Server 2022: Azure Edition.

You plan to deploy an ASP.NET Core-based application named App1 to VM1.

You need to configure App1 to use a system-assigned managed identity to retrieve secrets from KV1. The solution must minimize development effort.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Client Credentials flow
Client Credentials flow — The only flow that does not require immediate user interaction; usually used when the OAuth client is acting on behalf of itself, when user consent doesn’t make sense, or when authorization primitives can be configured out-of-band (for instance via Azure AD).

Note: Authenticating to Azure Services
Local machines don't support managed identities for Azure resources. As a result, the Microsoft.Azure.Services.AppAuthentication library uses your developer credentials to run in your local development environment. When the solution is deployed to Azure, the library uses a managed identity to switch to an OAuth 2.0 client credential grant flow. This approach means you can test the same code locally and remotely without worry.

Incorrect:
* Authorization code flow — Requires user interaction and consent, typically via the web browser, to get a code which is then used to issue an access token.

* Implicit grant flow — Created for single page web / mobile webview apps, where token creation and handling is done entirely from the front end.

Box 2: OAuth 2.0 access token endpoint of Azure AD

Example: Issuing & inspecting our first OAuth token
At this stage, we should be able to issue tokens to Service A, on behalf of Service B — let’s see that in action.

1. In the Azure AD application registration blade, go to Service B (as shown in the previous steps)
2. In the Overview blade, click the ‘Endpoints’ button on the command bar
3. In the Endpoints blade that opens, copy the OAuth 2.0 token endpoint (v2) URL
4. Issue an HTTP POST request to that URL with the following parameters:
$> curl -s -XPOST <token-v2-endpoint> \
-d grant_type=client_credentials \
-d client_id=<service-b-app-id> \
-d client_secret=<service-b-client-secret> \
-d scope=<service-a-application-id-uri>/.default

5. Etc.
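As an added example (not from this page, the Medium article, or Microsoft's libraries), here is the same client-credentials-style token acquisition as it happens for App1 on VM1: instead of posting a client_id and client_secret to the Azure AD token endpoint, the app asks the VM's instance metadata service (IMDS) for a Key Vault token, which is what the system-assigned managed identity buys you (no secret to store or rotate), checks the token's audience and expiry, then calls KV1. The vault name, secret name and sample JWT are assumptions; only get_secret needs to run inside the Azure VM, everything else runs offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"

def imds_token_request(resource=KEY_VAULT_RESOURCE, api_version="2018-02-01"):
    """Token request App1 sends from inside VM1. There is no client_id or client_secret:
    the platform identifies the VM, and the mandatory Metadata header keeps a plain HTTP
    redirect (e.g. from an SSRF bug in some other app) from reaching this endpoint."""
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def token_claims(access_token):
    """Decode the JWT payload only (no signature check; Key Vault verifies the signature)."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_token(access_token, expected_aud=KEY_VAULT_RESOURCE, now=None):
    """Return "" if the token is usable against Key Vault, otherwise the reason it is not."""
    claims = token_claims(access_token)
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        return f"wrong audience {claims.get('aud')!r}, expected {expected_aud!r}"
    if claims.get("exp", 0) <= now:
        return "token expired"
    return ""

def keyvault_secret_request(vault_name, secret_name, access_token, api_version="7.4"):
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version={api_version}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})

def get_secret(vault_name, secret_name):
    """End-to-end flow: IMDS -> token -> Key Vault. Only works when run inside the Azure VM."""
    with urllib.request.urlopen(imds_token_request()) as resp:
        token = json.load(resp)["access_token"]
    problem = validate_token(token)
    if problem:
        raise RuntimeError(problem)
    with urllib.request.urlopen(keyvault_secret_request(vault_name, secret_name, token)) as resp:
        return json.load(resp)["value"]

def unsigned_sample_jwt(claims):
    """Constructed, unsigned JWT (alg none) used only to exercise validate_token offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```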


Reference:

https://medium.com/@dany74q/service-to-service-auth-with-azure-ad-msi-oauth-2-0-step-by-step-a1aed196b1e1
https://learn.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication
