Free AZ-305 Exam Braindumps (page: 15)


Your company has the divisions shown in the following table.


Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  A. Configure the Azure AD provisioning service.
  B. Enable Azure AD pass-through authentication and update the sign-in endpoint.
  C. Configure Supported account types in the application registration and update the sign-in endpoint.
  D. Configure Azure AD join.

Answer(s): C

Explanation:

Identity and account types for single- and multi-tenant apps
You, as a developer, can choose if your app allows only users from your Azure Active Directory (Azure AD) tenant, any Azure AD tenant, or users with personal Microsoft accounts. You can configure your app to be either single tenant or multitenant during app registration in Azure.

Note: A required part of application registration in Azure AD is your selection of supported account types. While IT Pros in administrator roles decide who can consent to apps in their tenant, you, as a developer, specify who can use your app based on account type. When a tenant doesn't allow you to register your application in Azure AD, administrators will provide you with a way to communicate those details to them through another mechanism.

You'll choose from the following supported account type options when registering your application.

- Accounts in this organizational directory only (O365 only - Single tenant)
- Accounts in any organizational directory (Any Azure AD directory - Multitenant)
- Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
- Personal Microsoft accounts only


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types



HOTSPOT (Drag and Drop is not supported)
You have an Azure AD tenant that contains a management group named MG1.

You have the Azure subscriptions shown in the following table.


The subscriptions contain the resource groups shown in the following table.


The subscription contains the Azure AD security groups shown in the following table.


The subscription contains the user accounts shown in the following table.


You perform the following actions:

- Assign User3 the Contributor role for Sub1.
- Assign Group1 the Virtual Machine Contributor role for MG1.
- Assign Group3 the Contributor role for the Tenant Root Group.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
User1 is a member of Group1.
Group1 is assigned the Virtual Machine Contributor role for MG1.
MG1 is in Sub1.
RG1 is in Sub1.

Virtual Machine Contributor
Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls.

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Box 2: No
User2 is a member of Group2.
Group2 has not been assigned any role, so User2 gains no permissions through it.

Box 3: Yes
User3 is a member of Group3.
Group3 is assigned the Contributor role for the Tenant Root Group.
Because Group3 holds Contributor at the Tenant Root Group, which every subscription inherits, User3 can create storage accounts in RG2.

Note: Each Azure AD tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://learn.microsoft.com/en-us/azure/governance/management-groups/manage
https://learn.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles



Your company has the divisions shown in the following table.


Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  A. Configure Azure AD Identity Protection.
  B. Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).
  C. Configure Supported account types in the application registration and update the sign-in endpoint.
  D. Configure a Conditional Access policy.

Answer(s): C

Explanation:

Identity and account types for single- and multi-tenant apps
You, as a developer, can choose if your app allows only users from your Azure Active Directory (Azure AD) tenant, any Azure AD tenant, or users with personal Microsoft accounts. You can configure your app to be either single tenant or multitenant during app registration in Azure.

Note: A required part of application registration in Azure AD is your selection of supported account types. While IT Pros in administrator roles decide who can consent to apps in their tenant, you, as a developer, specify who can use your app based on account type. When a tenant doesn't allow you to register your application in Azure AD, administrators will provide you with a way to communicate those details to them through another mechanism.

You'll choose from the following supported account type options when registering your application.

- Accounts in this organizational directory only (O365 only - Single tenant)
- Accounts in any organizational directory (Any Azure AD directory - Multitenant)
- Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
- Personal Microsoft accounts only

Incorrect:

* Configure Azure AD Identity Protection
Identity Protection allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to other tools.


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types



Your company has the divisions shown in the following table.


Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  A. Use Azure AD entitlement management to govern external users.
  B. Enable Azure AD pass-through authentication and update the sign-in endpoint.
  C. Configure a Conditional Access policy.
  D. Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).

Answer(s): A

Explanation:

Govern access for external users in Azure AD entitlement management
Azure AD entitlement management uses Azure AD business-to-business (B2B) to share access so you can collaborate with people outside your organization. With Azure AD B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users





