Free AZ-305 Exam Braindumps (page: 14)


Your company has the divisions shown in the following table.



Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  A. Configure Azure AD join.
  B. Configure Azure AD Identity Protection.
  C. Configure a Conditional Access policy.
  D. Configure Supported account types in the application registration and update the sign-in endpoint.

Answer(s): D

Explanation:

Identity and account types for single- and multi-tenant apps
You, as a developer, can choose if your app allows only users from your Azure Active Directory (Azure AD) tenant, any Azure AD tenant, or users with personal Microsoft accounts. You can configure your app to be either single tenant or multitenant during app registration in Azure.

Note: A required part of application registration in Azure AD is your selection of supported account types. While IT Pros in administrator roles decide who can consent to apps in their tenant, you, as a developer, specify who can use your app based on account type. When a tenant doesn't allow you to register your application in Azure AD, administrators will provide you with a way to communicate those details to them through another mechanism.

You'll choose from the following supported account type options when registering your application:

- Accounts in this organizational directory only (O365 only - Single tenant)
- Accounts in any organizational directory (Any Azure AD directory - Multitenant)
- Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
- Personal Microsoft accounts only

Incorrect:
* Configure Azure AD join.
Azure AD joined devices are signed in to using an organizational Azure AD account. Access to resources can be controlled based on Azure AD account and Conditional Access policies applied to the device.

* Configure Azure AD Identity Protection.
Identity Protection allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to other tools.


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types



You have an Azure AD tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned memberships. Group1 has 50 members, including 20 guest users.

You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements:

-The evaluation must be repeated automatically every three months.
-Every member must be able to report whether they need to be in Group1.
-Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
-Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.

What should you include in the recommendation?

  A. Implement Azure AD Identity Protection.
  B. Change the Membership type of Group1 to Dynamic User.
  C. Create an access review.
  D. Implement Azure AD Privileged Identity Management (PIM).

Answer(s): C

Explanation:

An access review satisfies all of the stated requirements:

- The evaluation must be repeated automatically every three months.
- Every member must be able to report whether they need to be in Group1.
- Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
- Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription named Sub1 that is linked to an Azure AD tenant named contoso.com.

You plan to implement two ASP.NET Core apps named App1 and App2 that will be deployed to 100 virtual machines in Sub1. Users will sign in to App1 and App2 by using their contoso.com credentials.

App1 requires read permissions to access the calendar of the signed-in user. App2 requires write permissions to access the calendar of the signed-in user.

You need to recommend an authentication and authorization solution for the apps. The solution must meet the following requirements:

-Use the principle of least privilege.
-Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Application registration in Azure AD
To get an access token, your app must be registered with the Microsoft identity platform and be granted Microsoft Graph permissions by a user or administrator.

Note: Register your app with the Microsoft identity platform
Before your app can get a token from the Microsoft identity platform, it must be registered in the Azure portal. Registration integrates your app with the Microsoft identity platform and establishes the information that it uses to get tokens, including:

Application ID: A unique identifier assigned by the Microsoft identity platform.
Redirect URI/URL: One or more endpoints at which your app will receive responses from the Microsoft identity platform. (For native and mobile apps, the URI is assigned by the Microsoft identity platform.)
Client secret: A password or a public/private key pair that your app uses to authenticate with the Microsoft identity platform. (Not needed for native or mobile apps.)

Box 2: Delegated permissions
Access scenarios
The method that an app uses to authenticate with the Microsoft identity platform will depend on how you want the app to access the data. This access can be in one of two ways:

- Delegated access: an app acting on behalf of a signed-in user.
- App-only access: an app acting with its own identity.

Note: Calendars permissions
Delegated permissions
* Calendars.Read
Read user calendars - Allows the app to read events in user calendars.

* Calendars.ReadWrite
Have full access to user calendars - Allows the app to create, read, update, and delete events in user calendars.

Incorrect:
* Application permissions
Calendar Application permissions
* Calendars.Read
Read calendars in all mailboxes - Allows the app to read events of all calendars without a signed-in user.

* Calendars.ReadWrite
Read and write calendars in all mailboxes - Allows the app to create, read, update, and delete events of all calendars without a signed-in user.


Reference:

https://learn.microsoft.com/en-us/graph/auth/auth-concepts
https://learn.microsoft.com/en-us/graph/permissions-reference



Your company has the divisions shown in the following table.



Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  A. Enable Azure AD pass-through authentication and update the sign-in endpoint.
  B. Use Azure AD entitlement management to govern external users.
  C. Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).
  D. Configure Azure AD Identity Protection.

Answer(s): B

Explanation:

Govern access for external users in Azure AD entitlement management
Azure AD entitlement management uses Azure AD business-to-business (B2B) to share access so you can collaborate with people outside your organization. With Azure AD B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users
