Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

My Az-204 > Azure Security > Flashcards

Azure Security Flashcards

1
Q

What are the components of the Microsoft identity platform?

A
  1. OAuth 2.0 and OpenID Connect standard-compliant authentication service
  2. Open-source libraries (Microsoft Authentication Libraries (MSAL)
  3. Application management portal
  4. Application configuration API and PowerShell
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the 3 types of service principals?

A
  1. Managed identity
  2. Application
  3. Legacy
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How do service principals relate to application objects?

A

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

Service principal must be created in each tenant where the app is used to enable it to establish an identity for sign-in and/or access to resources being secured by the tenant.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

How does conditional access impacts your application?

A

Most cases doesn’t change an app’s behaviour or changes from developer.
Scenarious that require code to handle Conditional Access:
1. Apps performing the on-behalf-of flow
2. Apps accessing multiple services/resources
3. Single-page apps using MSAL.js
4. Web apps calling a resource

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What does the Microsoft identity platform help you with?

A

build apps your users/customers can sign in using their Microsoft identities or social accounts, and provide authorized access to your own APIs or Microsoft APIs like Microsoft Graph

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What’s OAuth 2.0 and OpenID Connect standard-compliant authentication service?

A

enable developers to authenticate several identity types including:
1. Work or school accounts, provisioned through Microsoft Entra ID
2. Personal Microsoft account, like Skype, Xbox, and Outlook.com
3. Social or local accounts, by using Azure Active Directory B2C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What’s Application management portal?

A

A registration and configuration experience in the Azure portal, along with the other Azure management capabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What’s Application configuration API and PowerShell?

A

Programmatic configuration of your applications through the Microsoft Graph API and PowerShell so you can automate your DevOps tasks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

When you register ur app with Microsoft Entra ID, what are the two tenant form you can use?

A
  1. Single tenant: only accessible in your tenant (group of users wth common access)
  2. Multi-tenant accessible in other tenants
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What do you need to access resource secured by a Microsoft Entra tenant?

A

security principal

for a user its called user principal.
for an application its called service principal

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What does the security principal define?

A

the access policy and permissions for the user/app in the Microsoft Entra tenant.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What’s the Application service principal?

A

it’s the local representation/ application instance of a global application object in a single tenant/directory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What’s Managed identity service principal?

A

This service principal is used to represent a managed identity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What’s Legacy service principal?

A

this represents a legacy app (app created before app registrations were introduced or an app created through legacy experiences.
This service principal can have:
credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but doesn’t have an associated app registration.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What relationship does application object have?

A
  1. A one to one relationship with the software application
  2. A one to many relationship with its corresponding service principal object(s).
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the two types of permissions the Microsoft identity platform support?

A
  1. Delegated permissions
  2. App- only access permissions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are Delegated persmission used for?

A

are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What are App-only access permissions used for?

A

are used by apps that run without a signed-in user present, eg. apps that run as background services or daemons. Only an admin can consent to app-only access permissions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the 3 types of consent?

A
  1. Static user consent
  2. Incremental and dynamical user consent
  3. Admin consent
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What’s static user consent?

A

In static user consent scenario, you must specify all the permissions it needs in the app’s config in the Azure portal.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What’s incremental and dynamic user consent?

A

you can ignore the static permissions defined in the app registraion info in Azure portal, and request permissions incrementally with Microsoft identity platform endpoint.

These consents only apply to delegated permissions and not app-only access permissions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What are the possible issues with static permissions (static user consent) for developers?

A
  1. App needs to request all the permissions it would ever need upon the user’s first sign-in -> can lead to a long list of permissions that discourages end users from approving the app’s access on initial sign-in.
  2. App needs to know all the resources it would ever access ahead of time. It’s difficult to create apps that could access an arbitrary number of resources.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What’s Admin consent?

A

This consent is required when ur app need access to certain hight-privilege permissions.

Admin consent done on behalf of an organization still requires the static permissions registered for the app.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What’s the Conditional Access?

A

a feature in Microsoft Entra ID.
Offers one of several ways to secure an app and protect a service.
Include
1. Multifactor authentication
2. Allowing only Intune enrolled devices access specific services
3. Restricting user locations and IP ranges

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Conditional Access example
You're building a single-tenant iOS app and apply a Conditional Access policy. The app signs in a user and doesn't request access to an API. When the user signs in, the policy is automatically invoked and the user needs to perform multifactor authentication. You're building an app that uses a middle tier service to access a downstream API. An enterprise customer at the company using this app applies a policy to the downstream API. When an end user signs in, the app requests access to the middle tier and sends the token. The middle tier performs on-behalf-of flow to request access to the downstream API. At this point, a claims "challenge" is presented to the middle tier. The middle tier sends the challenge back to the app, which needs to comply with the Conditional Access policy.
25
What's the benefit of using Azure Key Vault?
1. Centralized application secrets 2. Securely store secrets and keys 3. Monitor access and use 4. Simplified administration of application secrets
26
How do you authenticate to Azure Key Vault?
3 ways 1. **Managed identities for Azure resources**: when deploy app on VM in Azure, you can assign an identity to the VM that has access to Key Vault. Benefit: app/service isn't managing the rotation of the first secret. Best practise. 2. **Service principal and certificate**: use service principal and associated certificate that has access to Key Vault. Not recommended cause app owner/developer must rotate the certificate. 3. **Service principal and secret**: Don't recommend cause hard to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.
27
What two type of containers does the Azure Key Vault support?
1. Vaults 2. Managed hardware security module (HSM) pools
28
What does Vault store?
Vault = a logical group of secrets. Vaults store software and HSM-backed keys, secret and certificates
29
What does Managed HSM pools support?
HSM-backed keys.
30
What problems can Azure Key Vault help solving?
1. *Secret Management:* Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets 2. *Key Management:* easy to create and control the encryption keys used to encrypt your data 3. *Certificate Management:* easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
31
What are the service tier in Azure Key Vault?
**Standard**: encrypt w/a software key **Premium** includes hardware security module (HSM)-protected keys
32
What's Azure Key Vault?
a tool for securely storing and accessing secrets.
33
What are the Azure Key Vault best practices ?
1. Use separate key vaults: vault per app/environment 2. Control access to your vault: allowing only authorized applications and users 3. Backup 4. Logging 5. Recovery options
34
What protocol does Azure Key Vault use when data travel between Azure Key Vault and clients?
Transport Layer Security (TLS)
35
What's the two types of managed identities?
1. system-assigned managed identity 2. user-assigned managed identity
36
What's the difference between the two types of managed identities?
1. system-assigned managed identity: enabled directly on Azure service instance. The lifecycle is directly tied to the Azure service instance that it's enabled on. If instance is deleted, Azure auto clean sup the credentials and the identity in Microsoft Entra ID. 2. user-assigned managed identity: created as a standalone Azure resource. After Azure creates an identity in the Microsoft Entra tenant, the identity can be assigned to one/more Azure service instances. The lifecycle is managed separately from the lifecycle of the Azure service instances to which it's assigned.
37
Describe the flows for system-assigned managed identities.
1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a virtual machine. 2. Azure Resource Manager creates a service principal in Microsoft Entra ID for the identity of the virtual machine. The service principal is created in the Microsoft Entra tenant that's trusted by the subscription. 3. Azure Resource Manager configures the identity on the virtual machine by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate. 4. After the virtual machine has an identity, use the service principal information to grant the virtual machine access to Azure resources. To call Azure Resource Manager, use role-based access control in Microsoft Entra ID to assign the appropriate role to the virtual machine service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault. 5. Your code that's running on the virtual machine can request a token from the Azure Instance Metadata service endpoint, accessible only from within the virtual machine: http://169.254.169.254/metadata/identity/oauth2/token 6. A call is made to Microsoft Entra ID to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Microsoft Entra ID returns a JSON Web Token (JWT) access token. 7. Your code sends the access token on a call to a service that supports Microsoft Entra authentication.
38
What's the key difference between system-assigned and user-assigned managed identity?
*Creation:* System is created as part of an Azure resource. User-assigned is created as a standalone Azure resource. *Lifecycle:* System share lifecycle w/Azure resource that the managed identity is created with (when parent resource deleted, the managed identity is deleted too). User has independent lifecycle. *Sharing across Azure resources:* System can't be shared, can only be associated w/ a single Azure resource. User can be shared, the same user-assigned.. can be associated with more than one Azure resource
39
Describe the flows for user-assigned managed identities.
1. Azure Resource Manager receives a request to create a user-assigned managed identity. 2. Azure Resource Manager creates a service principal in Microsoft Entra ID for the user-assigned managed identity. The service principal is created in the Microsoft Entra tenant that's trusted by the subscription. 3. Azure Resource Manager receives a request to configure the user-assigned managed identity on a virtual machine and updates the Azure Instance Metadata Service identity endpoint with the user-assigned managed identity service principal client ID and certificate. 4. After the user-assigned managed identity is created, use the service principal information to grant the identity access to Azure resources. To call Azure Resource Manager, use role-based access control in Microsoft Entra ID to assign the appropriate role to the service principal of the user-assigned identity. To call Key Vault, grant your code access to the specific secret or key in Key Vault. *Note* You can also do this step before step 3. 5. Your code that's running on the virtual machine can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the virtual machine: http://169.254.169.254/metadata/identity/oauth2/token 6. A call is made to Microsoft Entra ID to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Microsoft Entra ID returns a JSON Web Token (JWT) access token. 7. Your code sends the access token on a call to a service that supports Microsoft Entra authentication.
40
What role do you need to create Azure VM w/ system-assigned managed identity?
Virtual Machine Contributor role assignment
41
What role do you need to create Azure VM w/ user-assigned managed identity?
Virtual Machine Contributor and Managed Identity Operator role assignments
42
A client app requests managed identities for an access token for a given resource. What's the token based on?
Service principal aka the managed identities for Azure resources service principal.
43
What's a filter?
A filter is a rule for evaluating the state of a feature flag. A user group, a device or browser type, a geographic location, and a time window are all examples of what a filter can represent.
44
What's feature flag?
a variable with a binary state of on or off. The feature flag also has an associated code block. The state of the feature flag triggers whether the code block runs or not.
45
What's feature manager?
an application package that handles the lifecycle of all the feature flags in an application. The feature manager typically provides extra functionality, such as caching feature flags and updating their states.
46
What are the 3 ways to secure your app configuration data?
1. Customer-managed keys: Azure App Configuration encrypts sensitive information at rest using a 256-bit AES encryption key provided by Microsoft 2. Private endpoints 3. Managed identities
47
What is Managed Identity?
It provides an identity for apps to use when connecting to resources that support Microsoft Entra ID authentication.
48
When is On-Behalf-Of flow used?
OAuth 2.0 On-Behalf-Of flow (OBO) is used when an application invokes a service or web API, which in turn needs to call another service or web API.
49
What does the Rotate operation in Azure CLI do?
The Rotate operation will generate a new version of the key based on the key policy.
50
What does the Rotation Policy operation in Azure CLI do?
The Rotation Policy operation updates the rotation policy of a key vault key.
51
What does the Purge Deleted Key operation in Azure CLI do?
The Purge Deleted Key operation is applicable for soft-delete enabled vaults or HSMs.
52
What does the Set Attributes operation in Azure CLI do?
The Set Attributes operation changes specified attributes of a stored key.
53
What's service principal?
an identity created for use with applications, hosted services, and automated tools to access Azure resources. Service principal is connected to a tenant. Can't have multiple tenants.
54
What are the best practices of SAS?
1. Always use HTTPS when creating or distributing an SAS 2. Use user delegation SAS whenever possible 3. Define a stored access policy for a service specific SAS 4. Use near-term expiration on ad hoc, service or account SAS 5. Follow least-privilege access for resources to be accessed (just give the access they need not more)
55
Working with App service which tier is not supporting Azure App Service Mutual TLS Auth?
Free or shared tiers
56
What are the steps/flow to integrate your app with Microsoft Graph?
1. Register an app with Azure AD 2. Use the Microsoft Identity Platform authorize endpoint w/ defined scope 3. User signs in with credentials and accepts the scopes 4. App receives an authorization code 5. Authorization code can be used to get a token from the token endpoint 6. Token can be used to access Microsoft Graph
57
what's purge protection?
purge = freeing up space when creating a key vault you configure the default retention period between 7-90 days, and if u have purge protection enabled, you're not able to purge that value from your key vault until after the retention period has expired.
58
what's soft-delete?
when we delete a value from our key vault, that value is kept around until we actually are able to purge (delete) it from our key vault. **Default in all Azure Key Vault**
59
what's the command to create a Key Vault in PowerShell and Azure CLI?
Powershell: **New-AzKeyVault** -Name 'Sample-Vault' -ResourceGroupName 'SampleResourceGroup' -Location 'East US' Azure CLI: **az keyvault create** --name "Sample-Vault2" --resource-group "SampleResourceGroup" --location eastus
60
What are the 3 ways to secure Azure Storage?
1. Keys (Storage Account Access Keys) 2. Shared Access Signature 3. Azure Active Directory (AD) aka **Microsoft Entra ID** using OpenID connection, access token, no key
61
What are shared access signatures (SAS)?
secure, delegated access, without sharing the key. Control what the client access, for how long etc.
62
What's the command to create a key in Azure Key Vault?
**az keyvault key create** --name "key1" --vault-name ""
63
What's the command to create a secret in Azure Key Vault?
**az keyvault secret set** --name "SQLPassword" --value "hVFkk965BuUv" --vault-name
64
What's Microsoft Graph?
use a single endpoint https://graph.microsoft.com, to access data and insights in the Microsoft Cloud
65
What are the different ways to configure Authentication for Azure Key Vault?
1. Use Azure AD App Registration 2. Use Managed Identity (system-assigned identity, user-assigned identity) 3. Use Key Vault Reference; only available if you intend to access Azure Key Vault from Azure Functions or App services
66
What's Azure Active Directory (AD)?
an Identity Provider. 2024, changed name to Microsoft Entra ID A user can get authenticated with Azure AD, then get access to azure resources
67
What is RBAC used for?
authorize, give access to resources based on roles. RBAC = Role Based Access Control
68
what does Managed Identities help Azure resources with?
Authenticate to services that support Azure AD authentication aka Microsoft Entra ID "Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication"
69
What's the different between service SAS, account SAS and user delegation SAS? (what do they use to sign in)
A service SAS or account SAS is signed with the **account key**, while the user delegation SAS is signed with **Microsoft Entra credentials** and applies to blobs only

My Az-204 (8 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions