You're reading from  Microsoft Azure Security Technologies Certification and Beyond

Product typeBook
Published inNov 2021
PublisherPackt
ISBN-139781800562653
Edition1st Edition
Author

David Okeyode

David is the EMEA Azure CTO at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their Azure environments through private expert-level trainings and assessments. He has authored two books on Azure security - "Penetration Testing Azure for Ethical Hackers" and "Microsoft Azure Security Technologies Certification and Beyond". He has also authored multiple cloud computing courses for popular platforms like LinkedIn Learning. He holds over 15 cloud certifications and has over a decade of experience in cybersecurity (consultancy, design, implementation). David is married to a lovely girl who makes the best banana cake in the world. They love travelling the world together!
Assessments

In the following pages, we will review all of the practice questions from each of the chapters in this book and provide the correct answers.

Chapter 1 – Introduction to Azure Security

  1. False – Cloud security is a responsibility that both the Cloud provider (Microsoft) and the Cloud customers (us) share.
  2. a. Infrastructure as a Service (IaaS). If we are using an IaaS service such as a virtual machine, we have more security responsibilities to take care of.
  3. True – The principles of digital security are the same whether our workload sits in a traditional on-premises data center or in a cloud environment such as Microsoft Azure. The way we apply those principles is what differs.
  4. c. Physical security. The cloud provider is solely responsible for physical security.

Chapter 2 – Understanding Azure AD

  1. False – Azure AD is Microsoft's cloud-based identity and access management service that supports modern authentication/authorization protocols.
  2. d. Internal user imported from ADFS. Users cannot be imported from ADFS. It is a federation service. Other answer options are valid.
  3. c. Basic. The basic edition of Azure AD has been deprecated.
  4. c. Change the membership type of "London-Group" to Assigned. Create two new groups that have dynamic memberships. Add the new groups to "London-Group". A dynamic group assignment can be either for devices or users, but not for both. The membership type will need to be modified and two dynamic groups added to it.

Chapter 3 – Azure AD Hybrid Identity

  1. d. Instant authentication. There is no hybrid authentication method called instant authentication. Other answer options are valid.
  2. d. Pass-through authentication with seamless single sign-on. With pass-through authentication, authentication requests are fulfilled on-premises, and it does not have the server management overhead of ADFS.
  3. c. The Synchronization Rules Editor. The Synchronization Rules Editor can be used to configure complex synchronization rules, such as preventing users with certain attributes from being synchronized to Azure AD.
  4. False. Passwords stored in Azure AD are NOT stored with a reversible encryption algorithm.
  5. c and d. The Global administrator role in Azure AD and the Enterprise Admins group in Active Directory.

Chapter 4 – Azure AD Identity Security

  1. b. Applying policies to "all users" and "all cloud apps". This is not a best practice. As a minimum, break-glass accounts should be excluded from policies that have block access control.

Chapter 5 – Azure AD Identity Governance

  1. b. The user's access will be revoked and removed. The option to "Take recommendation" is based on usage (whether a user has signed in recently within the past month). If the user has not signed in within the past month, the recommendation will be to revoke access.
  2. b. It means that the user can request to be assigned the role by PIM whenever they need it to perform a task. Eligible assignment type means that the user has to go through a request process in PIM.

Chapter 6 – Implementing Perimeter Security

  1. a. Create a new subnet in the virtual network. We need to create a subnet called AzureFirewallSubnet.
  2. a. Deploy Azure Front Door. Azure Front Door is one of the services in Azure with WAF integration.
  3. a. A user-defined route. A user-defined route is used to send traffic to a customer specified route path in Azure.

Chapter 7 – Implementing Network Security

  1. b. No, it will not be allowed, as the rule with the lowest priority number will be the first to be matched.
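As an added illustration of this answer (example code, not from the book), the following Python evaluates a constructed NSG rule set in priority order and stops at the first match, so an Allow rule with a higher priority number never overrides a Deny rule that already matched. The rule names, addresses and the simplified implicit DenyAllInbound default are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int    # 100-4096; the lower the number, the earlier it is evaluated
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR prefix or "*"
    dest_port: str   # single port, range "lo-hi" or "*"


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules, direction: str, protocol: str, src_ip: str, dst_port: int):
    """Return (access, rule_name) for the first rule that matches in priority order.

    Evaluation stops at the first match. If nothing matches, the implicit
    DenyAllInbound default applies (Azure's other default rules are omitted here;
    constructed simplification for the example)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol not in ("*", protocol):
            continue
        if not _addr_match(r.source, src_ip) or not _port_match(r.dest_port, dst_port):
            continue
        return r.access, r.name
    return "Deny", "DenyAllInbound"


# Constructed rule set: a broad Deny at 100 shadows the narrower Allow at 200.
RULES = [
    NsgRule("Deny-RDP-Any", 100, "Inbound", "Deny", "Tcp", "*", "3389"),
    NsgRule("Allow-RDP-Admins", 200, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "3389"),
    NsgRule("Allow-HTTPS", 300, "Inbound", "Allow", "Tcp", "*", "443"),
]
```

Swapping the two RDP rules' priorities is what would make the admin subnet's RDP traffic pass, which is the misordering the question is testing.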

Chapter 8 – Implementing Host Security

  1. a. Win-VM1 only. Win-VM2 cannot be protected with Azure Disk Encryption as it is an A-Series VM.
  2. b. Add an extension to each VM using an automation script. The Microsoft anti-malware agent can be deployed to Azure virtual machines using a VM extension.

Chapter 9 – Implementing Container Security

  1. b. The Linux image only. Azure Defender currently only supports Linux image scans in the registry.
  2. a. Update the settings of AKS1 to enable Azure AD integration. In order for users to authenticate using their Azure AD credentials, Azure AD integration will need to be enabled.
  3. a. From the Azure portal, modify the pricing tier settings of Security Center. Azure Defender for Container Registry is an option that can be enabled in the Azure Defender plan of Security Center.

Chapter 10 – Implementing Storage Security

  1. a. Regenerate the storage account keys. Regenerating the storage account keys will invalidate any token that has been signed with the keys.

Chapter 11 – Implementing Database Security

  1. c. Implement column-level encryption with Always Encrypted.

Chapter 12 – Implement Secrets, Keys, and Certificate Management with Key Vault

  1. c. In Azure Key Vault, create an access policy. There are two options to grant access to objects in a Key Vault resource: using an access policy, or applying a role assignment using RBAC.

Chapter 13 – Azure Cloud Governance and Security Operations

  1. a. Analytics. Using an Analytics rule, Sentinel can automatically create an incident when a threat is detected.
  2. c. Playbooks. Using a playbook, we can trigger a response to an incident including raising a ticket in a service management platform.
