SIMULATION
Task 10
You need to create a group named Audit. The solution must ensure that the members of Audit can activate the Security Reader role.
Answer : A
To create a group named ''Audit'' and ensure that its members can activate the Security Reader role, follow these steps:
Open the Microsoft Entra admin center:
Sign in with an account that has the Security Administrator or Global Administrator role.
Navigate to Groups:
Go to Teams & groups > Active teams and groups1.
Create the security group:
Select Add a security group.
On the Set up the basics page, enter ''Audit'' as the group name.
Add a description if necessary and choose Next1.
Edit settings:
Assign roles:
After creating the group, go to Roles > All roles.
Find and select the Security Reader role.
Under Assignments, choose Assign.
Select the ''Audit'' group to assign the role to its members2.
Review and finish:
Review the settings to ensure the ''Audit'' group is created with the ability for its members to activate the Security Reader role.
Finish the setup and save the changes.
By following these steps, you will have created the ''Audit'' group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.
SIMULATION
Task 9
You need to ensure that when users in the Sg-Operations group go to the My Apps portal a tab named Operations appears that contains only the following applications:
* Unkedln
* Box
Answer : A
To ensure that users in the Sg-Operations group see a tab named ''Operations'' containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here's how to do it:
Sign in to the Microsoft Entra admin center:
Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
Navigate to App launchers:
Go to Identity > Applications > Enterprise applications.
Under Manage, select App launchers.
Create a new collection:
Click on New collection.
Enter ''Operations'' as the Name for the collection.
Provide a Description if necessary.
Add applications to the collection:
Select the Applications tab within the new collection.
Click on + Add application.
Search for and select LinkedIn and Box applications.
Click Add to include them in the collection.
Assign the collection to the Sg-Operations group:
Select the Users and groups tab.
Click on + Add users and groups.
Search for and select the Sg-Operations group.
Click Select to assign the collection to the group.
Review and create the collection:
Select Review + Create to check the configuration.
If everything is correct, click Create to finalize the collection.
SIMULATION
Task 8
You need to prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID.
Answer : A
To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here's how to do it:
Sign in to the Microsoft Entra admin center:
Ensure you have the role of Global Administrator or Conditional Access Administrator.
Navigate to Conditional Access:
Go to Security > Conditional Access.
Create a new policy:
Select + New policy.
Give your policy a name that reflects its purpose, like ''Block Legacy Auth''.
Set users and groups:
Under Assignments, select Users or workload identities.
Under Include, select All users.
Target resources:
Under Cloud apps or actions, select All cloud apps.
Set conditions:
Under Conditions > Client apps, set Configure to Yes.
Check only the boxes for Exchange ActiveSync clients and Other clients.
Configure access controls:
Under Access controls > Grant, select Block access.
Enable policy:
Confirm your settings and set Enable policy to Report-only initially to understand the impact.
By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.
SIMULATION
Task 7
You need to lock out accounts for five minutes when they have 10 failed sign-in attempts.
Answer : A
To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:
Open the Microsoft Entra admin center:
Sign in with an account that has the Security Administrator or Global Administrator role.
Navigate to the lockout settings:
Go to Security > Authentication methods > Password protection.
Adjust the Smart Lockout settings:
Set the Lockout threshold to 10 failed sign-in attempts.
Set the Lockout duration (in minutes) to 5.
SIMULATION
Task 6
You need to implement additional security checks before the members of the Sg-Executive can access any company apps. The members must meet one of the following conditions:
* Connect by using a device that is marked as compliant by Microsoft Intune.
* Connect by using client apps that are protected by app protection policies.
Answer : A
To implement additional security checks for the Sg-Executive group members before they can access any company apps, you can use Conditional Access policies in Microsoft Entr
a. Here's a step-by-step guide:
Sign in to the Microsoft Entra admin center:
Ensure you have the role of Global Administrator or Security Administrator.
Navigate to Conditional Access:
Go to Security > Conditional Access.
Create a new policy:
Select + New policy.
Name the policy appropriately, such as ''Sg-Executive Security Checks''.
Assign the policy to the Sg-Executive group:
Under Assignments, select Users and groups.
Choose Select users and groups and then Groups.
Search for and select the Sg-Executive group.
Define the application control conditions:
Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.
Set the device compliance requirement:
Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.
Set the app protection policy requirement:
Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.
Configure the access controls:
Under Access controls > Grant, select Grant access.
Choose Require device to be marked as compliant and Require approved client app.
Ensure that the option Require one of the selected controls is enabled.
Enable the policy:
Set Enable policy to On.
Review and save the policy:
Review all settings to ensure they meet the requirements.
Click Create to save and implement the policy.
By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.
You have an Azure subscription that contains a storage account named storage1 and a web app named WebApp1. WebApp1 uses a system-assigned managed identity.
You need to ensure that WebApp1 can read and write files to storage1 by using the system-assigned managed identity.
What should you configure for storage1 in the Azure portal?
Answer : B
You have an Azure subscription.
You are evaluating enterprise software as a service (SaaS) apps.
You need to ensure that the apps support automatic provisioning of Microsoft Entra users.
Which specification should the apps support?
Answer : B