1. When registering an app with Azure AD to use modern authentication, what three fields are configurable when first registering the app?
• Display name
• App ID
• App Secret
• Supported account types
• Redirect URI
Answer
Display name, Redirect URI, Supported account types
2. What are the three alert states in Azure Monitor?
• New
• Fired
• Assigned
• Acknowledged
• Resolved
• Closed
Answer
New, Acknowledged, Closed
Explanation
Alert states: New, Acknowledged and Closed are set by the user.
Alert conditions: Fired or Resolved (the underlying condition that caused the alert has been resolved) are set by Azure Monitor.
Know the difference between alert states and alert conditions and who sets them (system or user).
3. You have a hybrid Azure AD deployment and have just deployed an Azure SQL Database. You have deployed a custom application to a newly created VM (VM1) and you want the application to use the VM’s system-assigned managed identity to access the Azure SQL Database. You have a user named User1 who wants to use the application. What steps do you perform to accomplish your goal?
• Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of user
• Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of limited administrator
• Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of global administrator
• Enable AD authentication on the Access control (IAM) blade of the SQL server
• Enable AD authentication on the Active Directory Admin blade of the SQL server
• Enable the system-assigned managed identity for the VM using the Azure Active Directory blade
• Enable the system-assigned managed identity for the VM using the VM Identity blade
• Create a contained database user specifying the VM managed identity in the database using CREATE USER [VM1] FROM EXTERNAL PROVIDER
• Create a contained database user specifying the VM managed identity in the database using CREATE USER [VM1] FROM EXTERNAL AZURE
• Give the user permissions in the database using ALTER ROLE db_datareader ADD MEMBER [VM1]
• Give the user permissions in the database using ALTER ROLE db_datareader ADD MEMBER [User1]
• The application connects to the SQL server using the access token
• The application connects to the SQL server using the VM user account
Answer
Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of user
Enable AD authentication on the Active Directory Admin blade of the SQL server
Enable the system-assigned managed identity for the VM using the VM Identity blade
Create a contained database user specifying the VM managed identity in the database using CREATE USER [VM1] FROM EXTERNAL PROVIDER
Give the user permissions in the database using ALTER ROLE db_datareader ADD MEMBER [VM1]
The application connects to the SQL server using the access token
4. What are the four MFA modes?
• Phone call
• SMS text message
• MS Authenticator App
• Google Authenticator App
• OATH token code
• PKI Certificate
• Self-signed certificate
• Enabled
• Disabled
• Enforced
Answer
Phone call, SMS text message, MS Authenticator App, OATH token code
Explanation
Authentication modes, also known as authentication methods, are all the second factors selectable in Azure MFA. More methods are selectable when you use the on-premises Azure MFA server. Know the differences, especially the more obscure combinations when using on-premises MFA. Enabled, Disabled and Enforced are the MFA states for each user – don’t confuse terminology like modes and states, as the question is trying to make you do.
5. When creating a new AIP label, what four areas can be configured?
• General
• Common
• Header
• Marking
• Protection
• Encryption
• Conditions
Answer
Common, Marking, Protection, Conditions
Explanation
Common: name and description
Marking: visual marking, header, footer, watermark
Protection: encryption key selection, permissions, expiration
Conditions: built-in or custom REGEX pattern matching
6. What are the four focus areas of Azure Security Center policy?
• Identity
• VMs
• Compute and apps
• Storage
• Data
• Network
• Just in Time (JIT) VM Access
• Vulnerability management
Answer
Identity, Compute and apps, Data, Network
Explanation
VMs are included in Compute and apps; Storage is included in Data.
7. Which two of the following options are not valid exclusion assignments when creating an Azure policy assignment?
• Resource group
• Resource
• Initiative
• Subscription
• Tenant
• Management group
Answer
Initiative, Tenant
Explanation
Policy scope exclusions allow management group, subscription, resource group and resource selection.
8. Which of the following cannot be used to create a custom RBAC role in Azure?
• Azure CLI
• Azure Portal
• Azure PowerShell
• Azure Cloud Shell
• REST API
Answer
Azure Portal
Explanation
The Azure portal cannot be used to create a custom RBAC role; you must use one of the command-line or scripting interfaces.
9. You have to ensure the principle of least privilege. Which Azure RBAC role is required to configure a lock on an Azure resource?
• Owner
• Contributor
• User Access Administrator
• User Administrator
• Security Administrator
Answer
User Access Administrator
Explanation
Only User Access Administrator and Owner have the RBAC permissions to create or delete resource locks. Least privilege means you assign the fewest permissions needed to accomplish the task. Expect to see a focus on this principle throughout the exam. Know the difference between Azure AD roles and Azure resource (RBAC) roles. Azure AD roles grant permissions (AKA rights) to administer Azure identities. Azure resource roles grant permissions mainly for managing the configuration of Azure resources. There are roles with similar names in each category – User Administrator (Azure AD) and User Access Administrator (Azure RBAC).
10. In Azure Information Protection there are three types of key scenarios. Match the key scenario with the technology used to create and maintain the keys. Choose 3.
• Key managed by Microsoft: Microsoft
• Key managed by Microsoft: Key Vault
• Key managed by Microsoft: AD RMS
• Key managed by Microsoft: HSM
• Bring your own key (BYOK): Microsoft
• Bring your own key (BYOK): Key Vault
• Bring your own key (BYOK): AD RMS
• Bring your own key (BYOK): HSM
• Hold your own key (HYOK): Microsoft
• Hold your own key (HYOK): Key Vault
• Hold your own key (HYOK): AD RMS
• Hold your own key (HYOK): HSM
Answer
Key managed by Microsoft: Microsoft, Bring your own key (BYOK): Key Vault, Hold your own key (HYOK): AD RMS
Explanation
Azure Key Vault Standard is a software-based HSM; Azure Key Vault Premium is a hardware-backed cloud HSM.
11. A user is enrolled for MFA but loses his mobile device, and the company is not doing mobile device management. He gets a new mobile device with the same phone number. You must ensure that his lost device cannot be used to gain unwanted access to his account. Each option below represents part of the solution; the options are not in order. Select all options that you should perform:
• Revoke and reassign the user’s AAD P2 license
• From the MFA settings portal, choose service settings and disable “Allow users to remember multi-factor authentication on devices they trust”
• From the MFA settings portal, choose user settings and enable “Require selected users to provide contact methods again”
• From the MFA settings portal, choose user settings and enable “Delete all existing app passwords…”
• From the MFA settings portal, choose user settings and enable “Restore multi-factor authentication on all remembered devices”
• Disable and re-enable the user’s user account
Answer
From the MFA settings portal, choose user settings and enable “Delete all existing app passwords…”
From the MFA settings portal, choose user settings and enable “Restore multi-factor authentication on all remembered devices”
Explanation
Revoke and reassign the user’s AAD P2 license: No – this will have no effect on the user’s MFA settings or lost device.
From the MFA settings portal, choose service settings and disable “Allow users to remember multi-factor authentication on devices they trust”: No – this changes the setting for all users; you only want to change this for a specific user.
From the MFA settings portal, choose user settings and enable “Require selected users to provide contact methods again”: No – since the user has the same phone number, re-enrolment is not required.
From the MFA settings portal, choose user settings and enable “Delete all existing app passwords…”: Yes – this ensures that any apps on the user’s lost mobile device that used an app password will no longer have access.
From the MFA settings portal, choose user settings and enable “Restore multi-factor authentication on all remembered devices”: Yes – this revokes all remembered MFA on the user’s devices, requiring MFA to be supplied again to get access.
Disable and re-enable the user’s user account: No – this will have no effect on the MFA settings for the user account.
12. When doing an app registration in Azure AD, which three of the following supported account types (application permission scopes) can be assigned?
• Default Azure AD directory
• Any Azure AD directory
• Any Azure AD directory and personal MS accounts
• Any Google account
• Any Facebook account
• Any federated B2B account
Answer
Default Azure AD directory, Any Azure AD directory, Any Azure AD directory and personal MS accounts
13. You have an existing dynamic group in AAD. You want the group to contain users and their devices. What should you configure?
• Create two membership rules that select the users and devices respectively
• Delete and recreate the group, manually adding users and devices
• Create a membership rule that selects the users. Manually add the devices to the group
• Create two dynamic groups, one for devices and one for users. Create an assigned group and add the two dynamic groups to it
• Create a membership rule that selects the devices. Manually add the users to the group
Answer
Delete and recreate the group, manually adding users and devices
Explanation
This is a gotcha question typical of recent MS exams… You must know the limitations of the features in Azure. Look out for less common usage scenarios.
You cannot have a dynamic group that contains both users and devices.
You cannot add dynamic groups to assigned groups.
14. When assigning an Azure policy, when is it necessary to assign a managed identity?
• When the policy is assigned to a management group and will have effect on multiple subscriptions
• For any security policy
• For any policy that includes the DeployIfNotExists policy action
• For any policy that includes any policy action
• All policies require a managed identity assigned in order to assess (read) the Azure resources to be assessed
Answer
For any policy that includes the DeployIfNotExists policy action
Explanation
A policy that deploys resources into the subscription needs a managed identity that holds the permission to deploy those resources.
15. Which three of the following options are valid scope assignments when creating an Azure policy assignment?
• Resource group
• Resource
• Initiative
• Subscription
• Tenant
• Management group
Answer
Resource group, Subscription, Management group
Explanation
Policies can be scoped to the management group, subscription and optionally the resource group level, and are applied to all resources within the scope.
You can perform a policy assignment or an initiative assignment (multiple policies at the same time) at the selected scope.
You can also assign policies or initiatives to hierarchical management groups, which are groups of subscriptions. The assignment is inherited by all child objects.
16. You create an Azure Policy assignment to a subscription. Which two of the following are valid scope exclusions?
• Resource group
• Resource
• Initiative
• Subscription
• Tenant
• Management group
Answer
Resource group, Resource
Explanation
Resource group and resource are valid exclusion scopes if the policy assignment scope is at the subscription level. If you had scoped the assignment to a management group, you could select individual subscriptions within that management group as exclusions, in addition to child resource groups and resources.
17. What are the two Azure Monitor alert conditions?
• New
• Fired
• Assigned
• Acknowledged
• Resolved
• Closed
Answer
Fired, Resolved
Explanation
Alert states: New, Acknowledged and Closed are set by the user.
Alert conditions: Fired or Resolved (the underlying condition that caused the alert has been resolved) are set by Azure Monitor.
18. As part of an Azure SQL Database AlwaysEncrypted configuration, where are the encryption keys stored?
• Column Master Key: AKV
• Column Master Key: SQL
• Column Master Key: Client
• Column Encryption Key: AKV
• Column Encryption Key: SQL
• Column Encryption Key: Client
Answer
Column Master Key: AKV, Column Encryption Key: SQL
19. You have an Azure HDInsight cluster on an Azure VNet. You need to secure communication between the cluster and your on-premises network, establish name resolution and use on-premises AD credentials to administer the cluster. You have to minimise costs. What do you deploy?
• Deploy an on-premises data gateway
• Deploy AD Connect
• Deploy a site-to-site VPN
• Deploy a custom DNS server on the VNet
• Deploy network security groups on the VNet
Answer
Deploy a site-to-site VPN, Deploy a custom DNS server on the VNet, Deploy network security groups on the VNet
Explanation
Deploy an on-premises data gateway – no.
Deploy AD Connect – no; local AD credentials used with HDInsight do not need synchronisation with AAD.
Deploy a site-to-site VPN – yes; you need to establish network connectivity.
Deploy a custom DNS server on the VNet – yes; you need to establish name resolution for the solution. On-premises DNS integration requires you to set up a custom DNS server for the VNet.
Deploy network security groups on the VNet – yes; you need to secure the communication between the VNet and the on-premises network.
20. In OAuth 2.0 / OpenID Connect, what does the authentication provider return to the browser after a successful authentication?
• Certificate
• ID Token
• Session Key
• Session Secret
• Azure Key Vault
Answer
ID Token
Explanation
An ID Token in JSON Web Token (JWT) format.
21. What is the difference between OpenID Connect and OAuth 2.0?
• OAuth 2.0 is a protocol used for authentication
• OAuth 2.0 is a protocol used for authorisation
• OAuth 2.0 is a protocol used for security assertion
• OpenID Connect is a protocol used for authentication
• OpenID Connect is a protocol used for authorisation
• OpenID Connect is a protocol used for security assertion
• OAuth 2.0 is an extension of OpenID Connect
• OpenID Connect is an extension of OAuth 2.0
Answer
OAuth 2.0 is a protocol used for authorisation, OpenID Connect is a protocol used for authentication, OpenID Connect is an extension of OAuth 2.0
Explanation
OAuth 2.0 is an industry-standard authorisation protocol. OpenID Connect is an authentication standard built on OAuth 2.0. The exam might sometimes explore the differences between authentication and authorisation by using the standard names instead of the terms.
22. When doing an app registration in Azure AD, what are two methods to ensure application security?
• Application Certificate
• Application key
• Application secret
• Azure Key Vault
• Azure Security Center
Answer
Application Certificate, Application secret
23. T/F: MFA can be implemented by requiring a primary “system access” username and password, and a secondary “application access” username and password.
• True
• False
• Don’t know
Answer
False
Explanation
MFA requires more than one factor of authentication at the same time:
- Something you know (password)
- Something you have (token / device / certificate)
- Something you are (biometrics)
Using two passwords is just using the same factor twice and is not considered true MFA.
24. When a user is enabled for MFA in AAD, when would an app password be required?
• When the user doesn’t have a license that enables MFA
• When the user is using an OS other than Windows
• When the user is using an Android-based mobile device
• When the user is using an iOS-based mobile device
• All of the options are correct
• None of the options are correct
Answer
None of the options are correct
Explanation
A user will be required to have an app password for apps that don’t support modern authentication, like older versions of Office apps (Office 2010 or Office 2013) and native mail apps on mobile devices.
Modern Office apps for iOS and Android support modern authentication and don’t need an app password.
25. Which of the following authentication methods are not supported for Azure MFA?
• Password
• Security questions
• Email address
• MS authenticator app
• OATH hardware token
• SMS
• Voice call
• App passwords
Answer
Security questions, Email address
Explanation
Security questions and email address are not supported for MFA. All the others are valid configurable authentication methods for both MFA and SSPR. App passwords are only applicable to MFA and not to SSPR.
26. Match the Azure RBAC terms and definitions.
• Group of users: assignment
• Group of users: scope
• Group of users: role
• Group of users: principal
• Group of permissions: assignment
• Group of permissions: scope
• Group of permissions: role
• Group of permissions: principal
• Group of resources: assignment
• Group of resources: scope
• Group of resources: role
• Group of resources: principal
• Group of access: assignment
• Group of access: scope
• Group of access: role
Answer
Group of users: principal, Group of permissions: role, Group of resources: scope, Group of access: assignment
27. You are creating a custom RBAC role and want to restrict all but a few allowable actions to the new role. What section of the role definition JSON file do you configure?
• Actions
• NotActions
• DataActions
• NotDataActions
• AssignableScopes
Answer
Actions
Explanation
You configure the allowable actions in the Actions section of the file. Listing items in Actions permits only those items and excludes everything not listed. Listing items in NotActions only prevents the listed items.
28. You want to ensure the use of trusted container images in your organisation. Which two of the following options should you choose?
• Docker hub
• Azure container registry
• Docker trusted registry
• Azure container instances
• Azure Kubernetes Service
• Azure Key Vault
Answer
Azure container registry, Docker trusted registry
Explanation
Azure container registry and Docker trusted registry are ways to ensure the use of trusted container images.
29. You are configuring Azure Update Management. You onboarded several VMs that have been deployed to different resource groups and regions. You have configured the following update deployments:
- Item1: VM1, EastUS, RG1, Windows 2008R2
- Item2: VM2, WestUS, RG2, CentOS 6
You want to add additional VMs to the update deployments. Which of the following can you do?
• Add VM3, EastUS, RG2, Windows 2016 to Item1
• Add VM4, WestEurope, RG1, Windows 2016 to Item1
• Add VM5, EastUS, RG1, CentOS 6 to Item1
• Add VM6, EastUS, RG2, CentOS 6 to Item2
Answer
Add VM3, EastUS, RG2, Windows 2016 to Item1
Add VM4, WestEurope, RG1, Windows 2016 to Item1
Add VM6, EastUS, RG2, CentOS 6 to Item2
Explanation
A favourite trope of the exam – knowing the limitations of adding instances with different properties (region, resource group, OS, etc.) to Azure services once you’ve already configured the service.
You can add a VM from any RG or region to an Update Management deployment schedule as long as the new VM is also Windows or Linux respectively.
30. Which of the following options would you deploy and configure if you wanted to protect an Azure SQL Database against the OWASP-defined threat of SQL injection?
• Azure Application Gateway with Web Application Firewall
• Azure SQL Server Advanced Threat Protection
• Azure Firewall
• Network Security Group
• Application Security Group
• Azure Security Center Standard
Answer
Azure SQL Server Advanced Threat Protection
Explanation
Azure SQL Server Advanced Threat Protection protects against SQL injection. If you wanted to secure a web app against SQL injection you would deploy Azure Application Gateway with Web Application Firewall.
31. You are using Azure Key Vault to provide protection for a custom application your organisation is using. Match the application security issue with the appropriate Key Vault object to be used to secure it.
• The connection string to REDIS cache is stored in the web application configuration file: Secret
• The connection string to REDIS cache is stored in the web application configuration file: Key
• The connection string to REDIS cache is stored in the web application configuration file: Certificate
• SQL AlwaysEncrypted will be configured: Secret
• SQL AlwaysEncrypted will be configured: Key
• SQL AlwaysEncrypted will be configured: Certificate
• Database connection string with username and password is stored in clear text in the web application configuration file: Secret
• Database connection string with username and password is stored in clear text in the web application configuration file: Key
• Database connection string with username and password is stored in clear text in the web application configuration file: Certificate
• Connecting to the web application will be restricted to HTTPS only: Secret
• Connecting to the web application will be restricted to HTTPS only: Key
• Connecting to the web application will be restricted to HTTPS only: Certificate
Answer
The connection string to REDIS cache is stored in the web application configuration file: Secret
SQL AlwaysEncrypted will be configured: Key
Database connection string with username and password is stored in clear text in the web application configuration file: Secret
Connecting to the web application will be restricted to HTTPS only: Certificate
32. You are configuring BYOK for a storage account you manage. Which of the following are not prerequisites for the deployment?
• Azure Key Vault deployed in the same region
• Azure Key Vault deployed in the same resource group
• Azure Key Vault deployed in the same subscription
• Azure Key Vault access policy enabled for volume encryption
Answer
Azure Key Vault deployed in the same resource group, Azure Key Vault deployed in the same subscription, Azure Key Vault access policy enabled for volume encryption
Explanation
AKV and the storage account must be in the same region for BYOK, but need not be in the same RG or subscription. The AKV volume encryption access policy is for Azure Disk Encryption (BitLocker) and is not used as part of BYOK for storage.
33. T/F: Azure SQL Database encrypts sensitive data using the column encryption key (CEK) in an AlwaysEncrypted deployment.
• True
• False
• Tralse
Answer
False
Explanation
The Always Encrypted enabled client driver running on the client is responsible for encryption and decryption of data before it is sent to the database.
34. You are securing your web application by removing connection strings to Azure SQL Database from the web.config configuration file. What two options do you have in Azure to accomplish your goal?
• Azure Key Vault secret
• Azure Active Directory Managed Service Identity (MSI)
• Azure Active Directory Application Registration
• Azure SQL Database server Active Directory admin
• Azure SQL Database AlwaysEncrypted
• Azure SQL Database Transparent Data Encryption (TDE)
Answer
Azure Key Vault secret, Azure Active Directory Managed Service Identity (MSI)
35. You’re configuring AIP and want to help your users find more information about the information protection policies and classifications. What would you use to provide this information to users?
• Custom tooltip
• Custom URL
• Custom label
• Custom policy
Answer
Custom URL
Explanation
The custom URL is used for the “Tell me more” link.
36. From what interface can you launch a previously configured security playbook?
• Azure Security Center
• Security Alert
• Azure Monitor
• Azure Logic App
Answer
Security Alert
Explanation
Playbooks can be launched from the investigation screen of a security alert or security incident in Azure Security Center.
37. Match the following datasets with the Azure Monitor data store.
• Trace data: Logs
• Trace data: Telemetry
• Trace data: Metrics
• Trace data: Store
• Point in time resource property: Logs
• Point in time resource property: Telemetry
• Point in time resource property: Metrics
• Point in time resource property: Store
• Access record: Logs
• Access record: Telemetry
• Access record: Metrics
• Access record: Store
Answer
Trace data: Logs, Point in time resource property: Metrics, Access record: Logs
Explanation
Azure Monitor uses only two kinds of data: logs and metrics. Logs are multi-dimensional records; metrics are key-value pairs.
38. Match the following datasets with the Azure Monitor data store.
• Telemetry data: Logs
• Telemetry data: Telemetry
• Telemetry data: Metrics
• Telemetry data: Store
• OS events: Logs
• OS events: Telemetry
• OS events: Metrics
• OS events: Store
• Lightweight performance indicator: Logs
• Lightweight performance indicator: Telemetry
• Lightweight performance indicator: Metrics
• Lightweight performance indicator: Store
Answer
Telemetry data: Logs, OS events: Logs, Lightweight performance indicator: Metrics
Explanation
Azure Monitor uses only two kinds of data: logs and metrics. Logs are multi-dimensional records; metrics are key-value pairs.
39. Match the following datasets with the Azure Monitor data store.
• Key / value pair: Logs
• Key / value pair: Telemetry
• Key / value pair: Metrics
• Key / value pair: Store
• Multi-dimensional object property: Logs
• Multi-dimensional object property: Telemetry
• Multi-dimensional object property: Metrics
• Multi-dimensional object property: Store
Answer
Key / value pair: Metrics, Multi-dimensional object property: Logs
Explanation
Azure Monitor uses only two kinds of data: logs and metrics. Logs are multi-dimensional records; metrics are key-value pairs.
40. Which of these cannot be used to create AAD conditional access policies?
• Azure Portal
• Windows PowerShell
• Azure Cloud Shell
• PowerShell Core
• Azure CLI
• REST API
Answer
Windows PowerShell, Azure Cloud Shell, PowerShell Core, Azure CLI, REST API
Explanation
AAD conditional access policies can only be created using the Azure portal.
41. What is the minimum license that is required to configure AAD Identity Protection?
• Azure AD Premium P1
• Azure AD Premium P2
• No license is required
• Any Office 365 license
• No license is required, but the user must be an Azure AD Global Administrator
Answer
Azure AD Premium P2
Explanation
No other license option provides AAD Identity Protection.
42. You have the following resource groups containing the listed resources:
- RG1; VM1 (stopped)
- RG2; VM2 (stopped)
- RG3; VM3 (stopped)
You have locks configured as follows:
- Lock1; Read-only; RG1
- Lock2; Delete; RG1
- Lock3; Delete; RG2
- Lock4; Read-only; RG3
Which of the following actions can you perform?
• You can start VM1
• You can start VM2
• You can delete VM1
• You can delete VM2
• You can delete VM3
Answer
You can start VM2
Explanation
You can start VM1 [No]: Start is considered a change and is prevented by read-only Lock1 inherited from RG1.
You can start VM2 [Yes]: No-delete Lock3 inherited from RG2 does not prevent changes (including start/stop) to VM2.
You can delete VM1 [No]: Delete is prevented by read-only locks. Read-only Lock1 inherited from RG1 prevents delete. No-delete Lock2 inherited from RG1 also prevents delete.
You can delete VM2 [No]: No-delete Lock3 inherited from RG2 prevents delete.
You can delete VM3 [No]: Delete is prevented by read-only locks. Read-only Lock4 inherited from RG3 prevents delete.
43. You have an Azure container registry. You have users with these roles:
- User1: Contributor
- User2: Reader
- User3: AcrPush
- User4: AcrPull
Select what each user can do.
• User1 can sign an image
• User2 can pull an image
• User3 can pull an image
• User4 can pull an image
Answer
User3 can pull an image, User4 can pull an image
Explanation
User1 can sign an image [No]: Only AcrSign can do that; not even Owner can.
User2 can pull an image [No]: Reader can only do ARM things.
User3 can pull an image [Yes]: AcrPush can also pull.
User4 can pull an image [Yes]: Obviously.
44. What are the three types of keys in AIP?
• Tenant Key
• Document Key
• Classification Key
• Label Key
• Content Key
• User Key
Answer
Tenant Key, Content Key, User Key
Explanation
Tenant key: used as the root key to secure all other keys.
Content key: used to secure information.
User key: used by the user to get access (and varying permissions) to content.
45. You have an existing AD Connect implementation. You have to prevent users from a certain department from being synchronised to AAD. What tool do you use?
• AAD Connect wizard on the AD Connect server
• Synchronization Rules Editor on the AD Connect server
• AAD Connect in the Azure portal
• AD Users and Computers on the local DC
Answer
Synchronization Rules Editor on the AD Connect server
Explanation
The Synchronization Rules Editor on the AD Connect server is used to change which users are synced.
46. What format is an OpenID Connect token?
• XML
• SAML
• JWT
• Java
Answer
JWT
Explanation
JSON Web Token (JWT)
47. Which two of the following are objects you can configure to apply AAD PIM to?
• Access Reviews
• AAD Roles
• AAD Groups
• Azure Resources
• AAD Dynamic Groups
Answer
AAD Roles, Azure Resources
Explanation
AAD roles and Azure resources.
48. In Azure SQL Database AlwaysEncrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. Plaintext data values always produce the same cyphertext:
• Deterministic
• Randomized
Answer
Deterministic
49. In Azure SQL Database AlwaysEncrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. SQL Server can use the encrypted columns in joins and lookups:
• Deterministic
• Randomized
Answer
Deterministic
50. In Azure SQL Database AlwaysEncrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. Highest level of security:
• Deterministic
• Randomized
Answer
Randomized