Design Identity, Governance, and Monitoring Solutions Flashcards
You are working for a global company operating in East US, Central US, North Europe, West Europe, East Asia, and Southeast Asia. The company plans to use the Azure Monitor solution to centralize log storage. In order to store the log data in the Azure Monitor solution, the company has the following requirements:
- To minimize administrative overhead
- To minimize costs
- To conform to specific regional compliance requirements
- To provide regional data sovereignty
You need to identify the minimum number of log analytics workspaces to fulfill the requirements.
How many workspaces should you identify?
3 (One per geography to conform to regional compliance and data sovereignty)
Are tags on a resource group inherited to newly created resources?
No.
Can tags be applied to management groups?
No
At what levels can tags be applied?
Subscriptions, Resource Groups, Resources
You cannot apply tags at management group levels. You can apply Azure Policies that manage resource tags at management group levels.
How can you apply tags at the management group level?
By using Azure Policies that manage resource tags at the management group levels.
You decide to use tagging to organize your Azure resources.
You need to make sure that new resources are tagged as soon as possible and that manual tagging is not required.
What should you do?
You should create an Azure policy to apply tagging when you create new resources. An Azure policy can be predefined and applied to all new resources.
What is the impact to resources of unassigning a Blueprint?
All blueprint resource locking is removed when you unassign a blueprint.
This is the only impact to resources and resource groups in the blueprint’s scope. New resources will remain in place, updates to existing resources are maintained, and RBAC role assignments do not change. Resources remain in place, but they are no longer protected by the blueprint.
Can Azure AD sign-in logs be routed to Azure Storage for archiving?
Yes.
This is useful for storing logs longer than 90 days, which is the default number of days Activity Log events are stored on the Azure platform.
What is required to enable Azure AD activity logs in Azure Monitor?
A Log Analytics workspace
What should you recommend to automatically remove users from groups that they no longer need to be in?
Access review
You should recommend access review. Access review can be performed once or periodically, and you can configure who should perform the review, either the group owner or the group members themselves. At the end of the evaluation period, users who no longer need membership can be automatically removed from the group. Based on the configuration, users for whom review is not performed can also be removed from the group automatically.
Is access granted to a VM passed on to applications run on the VM?
Yes
This can be useful when hosting several applications on the same VM to minimize management of access to cloud resources.
Can you specify managed identity as part of an ARM template?
Yes
You can specify managed identity assignments as part of an ARM template. You can assign a system-assigned managed identity, one or more user-assigned managed identities, or both. For example, you could include the following in your ARM template to create and assign a system-assigned managed identity:
"identity": {
"type": "SystemAssigned"
}
User-assigned managed identities must be explicitly created before they can be assigned to a resource.
How many system-assigned managed identities can a VM have?
1
How many user-assigned managed identities can a VM have?
Multiple
Your Azure organizational hierarchy has one management group with two subscriptions and four resource groups in each subscription. You plan to implement Azure policies to help you organize and manage resources in your organization.
You plan to implement a custom policy to:
- Restrict the types of virtual machines (VMs) that can be deployed.
- Apply any current tags on resource groups to new resources when they are created.
You need to determine the minimum number of custom policies and policy assignments required.
Minimum number of custom policies?
Minimum number of policy assignments?
1 & 1
To assign the custom policy to the management group, you need to create a minimum of one custom policy and make one policy assignment. Only one policy is needed because you can include multiple policy rules in the custom policy to meet the policy requirements. Policies applied at a hierarchical level are automatically inherited; therefore, applying the policy at the management group applies the policies to the subscriptions and resource groups.