100% Real Microsoft Certified: Azure Security Engineer Associate Certification Exams Questions & Answers, Accurate & Verified By IT Experts
Instant Download, Free Fast Updates, 99.6% Pass Rate.
Microsoft Azure Security Technologies
Includes 374 Questions & Answers
Microsoft Certified: Azure Security Engineer Associate Certification Exams Screenshots
Download Free Microsoft Certified: Azure Security Engineer Associate Practice Test Questions VCE Files
TitleMicrosoft Azure Security Technologies
Microsoft Certified: Azure Security Engineer Associate Certification Exam Dumps & Practice Test Questions
Prepare with top-notch Microsoft Certified: Azure Security Engineer Associate certification practice test questions and answers, vce exam dumps, study guide, video training course from ExamCollection. All Microsoft Certified: Azure Security Engineer Associate certification exam dumps & practice test questions and answers are uploaded by users who have passed the exam themselves and formatted them into vce file format.
In this demonstration, we're now going to go about configuring Azure Privileged Identity Management. and we'll begin in the Azure Portal. So in the Azure Portal, I'm in my Azure Active Directory section. If you're not familiar with how to get there again, just click Azure Active Directory on the left. Or if you didn't favourite it, just go ahead and click All Services and type Azure Active Directory. But as you can see here, I've already got my trial enabled. I've got Azure AD Premium P two.And this is on my domain, Azxamdemo onmicrosoft.com.I'm going to go ahead and look at my users first of all. and we can see in here that I've got Bill Adama. That is my test user, which I will use later, as well as my account, which I will use to sign into this Azure ad. Well, first of all, I do need to make sure that I've got a location in the details for my particular user. So if I add my user and scroll down, I should have a location option. So you see the usage location, and I have to go in here and make sure that I have set this to my location, otherwise it won't let me continue on with assigning the license. So I've got my P-2 enabled on Azure Ad, but I do need to assign the licence to my account, and that's why I'm making sure that the usage location is listed there. If I go to Licenses now, it will let me assign an Azure Ad Premium license. You can see I don't have one assigned yet. I click "assign." I choose the product. I'll choose Azure Ad Premium P two.Click select, and then go ahead and click assign. Licenses have been assigned successfully. If you didn't have the location set, you would have gotten an error at that point. So if it does come up, that's why you're getting it. So now that a licence is assigned, I've decided, okay, I want to enable privileged identity management. To do so, we go to AllServices and type in Privileged. And it has already popped up. Azure ad privileged identity management You can favourite it now as well, if you want to, as we'll be coming back to it and clicking that. And this opens the door to privileged identity management. And to get started, I have to click Consent to PIM on the left-hand side. It'll now do an assessment and tell me inorder for me to do Pim, I do needto open up multifactor authentication to verify my identity. So go ahead and do that, and it will prompt you for various things as part of the MFA setup because you need to set that up on your account if you haven't already done that from previous work you did on MFA. So I'm going to go ahead and fill this in and then come back to you once it's all completed. after I've completed an MFA. You can see status checks that were completed. And I can now click "Consent" to basically continue that on.And we just click the "Play Consent" button at the top here to consent to privileged identity management. Now again, make sure you are doing this on a trial account. If you're actually doing this in your enterprise, you need to definitely talk to the team that manages your environment. This is purely something you want to be careful about and know what you're getting into before you continue. And now we can see some things on the left-hand side, like my role requests, application access, approvals, and review and access, and then I can manage my Azure AD roles. Remember in the lecture we talked about Azure AD roles and Azure resources? Those are the two different areas. We can manage that. And then I've got my audit history and any support I need from Microsoft at the bottom as well. So let's say I want to do something around Azure AD roles. I can click Azure AD roles here, and I can basically see: I can assign, I can activate, I can approve, and I can audit. But before I can do anything, you'll notice a sign-up pin for Azure Ad Roles on the left side. If I click this one, it now registers things here. If I click "play? Click yes. And now I can manage Azure roles with privileged identity management, which you'll see as discovering privileged role assignments such as Global Administrators in your tenant. So now that's completed. On the right, you can see eligible roles. There's nothing there right now. If I click active roles, you can see that I've got Security Administrator permanently assigned, Global Administrator permanently assigned, and the privileged role of Administrator permanently assigned to myself. Now if I go back to Azure AD roles, I can see that they have been assigned, and I can assign eligibility to different users. So I could say, "Let's look at the global administrator, see the members, and I can choose who I want to assign that to," so I can add a member to this as well at this point. So we'll choose our role for Bill. For Bill Adama, this is our test user. I can select Bill, click OK, and I've now added Bill to that role. So if I refresh, I can see Billadarma. But you see the difference here. My role is permanent. Amy's role is permanent. We were already Global Admins, and I've got Bill Odama, who is now eligible for that particular role. And if I click the three dots on the right, this is where I can make it permanent if I want to, or remove that assignment. Same for the other one. I could go to Amy's role now and change it from permanent to eligible because she was already a global administrator, or I could remove that. So you can see a lot of power now, because now we're at the point where I'm saying these are the users who are eligible for global admin. And as you can see at the top, these are Global Administrator members that I'm looking at right now. I can go back a level and see all of my Azure AD roles here; they will log in; all of their Azure AD roles are available to you, and you can choose who can be elevated into them or who has permanent access to those roles. So again, the difference between eligible and permanent is what you need to understand there. Now, before we move on, there are a few other things to be aware of as well. If we return to the overview for Azure Ad Roles, you'll notice that I've retained the concept of my view that we saw earlier on my roles, my eligible roles. Again. I've got permanent roles. I'm in active roles categoriespermanently Assigned security Admin, GlobalAdmin, Privilege, role Administrator. But I've got an admin view as well because I am the administrator of Privileged Identity Management, and I can see additional information here around the roles and views and directory activation history, etc. If I go down a little bit on the left hand side, I also have this wizard, which is a great place to start because the first thing you can do is discover the privileged roles, convert members to eligible, and then view changes to your members in privileged roles. If we do the first one, discover privileged roles, this will actually do a scan and say, "Okay, here are our global administrator, security administrator, and privileged role administrator" roles. And you can see there are two permanent assignments to Global Admin. One eligible. That's because Bill O'Dahmer is eligible. Nick and Amy are permanent right now. So I can click this Global Admin, and on the right hand side, it will show me exactly who has that permanent assignment and who is eligible. And then I can take some action on that. So I can click Next on this one to make those members eligible for one. So I don't want them to have global administrators all the time. It's telling me straight away, "Hey, these are the people in your environment that have Global Admin." And let's say I want to take Amy, click Next, and convert her to be eligible. It allows me to review those changes. Go ahead and click OK. And that's the same process that we did manually. But the wizard makes it really easy to go through and do it in bulk, especially when you're just getting started, as well. Another thing to be aware of are all the settings that you can apply to the different roles. So, if I click the settings button on the left and select roles, So if I go in here, select roles, and it'll say "Choose Global Admin," just find it here. There we go. Global Administrator. You can see how I can tweak various things like maximum activation hours if I wanted to send emails notifying administrators of activation, create incident tickets, and use multifactor authentication. Some roles require that to always be enabled, so it will be greyed out and then require approval. So approval is really interesting because I can click enable, scroll down, and then select an approval that needs to be approved by someone who can basically activate or authorise that activation of the role. And then I simply select them from my Azure Active Directories to see who those people are. You can also use groups there, but that's basically it for right now. For the setup in the next module, we willlook at how we go about assigning our backpermissions as opposed to just Azure Active Directory rolesthat we've been looking at here.
In this demonstration, we're now going to look at assigning resource roles with privileged identity management. So we'll continue on in the Azure Portal. in the portal. I'm back in Azure. privileged identity management. And on the left-hand side, I'm now going to select Azure Resources as the area I want to manage. When we select that, the first thing you'll see is nothing below. When it comes to resources, none are found yet because nothing has been managed by PIM. So what we have to do, first of all, is discover resources by clicking Discover Resources at the top, and then it will show us our subscriptions in our account. So I can select this one. This is my Visual Studio Enterprise subscription, and I can go ahead and select Manage Resource. And this will basically put management of the resources or the child objects in that subscription under PIM, and I have to confirm that I will do that as well. Again, make sure you're doing this in a trial, know what you're doing, or you're working with someone in your enterprise to basically do this. And now it says on the board, "Resource Succeeded." So if I go back to the main page and click Refresh, it's already there, actually, in Visual Studio Enterprise, and you can see 102 roles and four members there right now. and I can go ahead and click this one. And just like on the AzureAD side, you'll see various options. on the left-hand side. I've got my tasks, my roles, pending requests, approved requests, reviewed access, and then managed So again, I've got Roles member alerts, access to reviews, role settings, and I can do audits as well. at the bottom here. If I go to Roles, I'll see that this is where we manage the various roles that we assign out. So again, if I click my Contributor or Owner role, you can see here that they've got two active assignments in the Owner and one in the Contributor. We'll go ahead and select the owner role for right now, and I can actually add a member to this role. So if I click Add Member, I can select the role, which is Owner. Now I select the member, and I can choose that we'll pick Bill Adama again here. So there's Bill Adama. I'll test users. I'll select him. And now I choose the assignment type. So you need to understand the difference between these. I've got the eligible type and the active type. So let's start with "eligible." So eligible is when they elevate into that particular role, and then I can choose the allowed eligible duration. What is the maximum they're allowed to do that for? And that's where I choose my start and end times for that particular assignment type. Now, it's a little bit different when we select Active Assignment. If I choose Active, as you can see here, the maximum allowed assignment duration is one month. Now, we can go ahead and change that in the settings. I'm not actually able to make this a permanent assignment, as you can see here. But that is something we can look at, and I can show you where you can modify that. But we can choose when your assignment starts and ends. I previously selected a longer date in here, so that's saying, well, that violates our maximum-allowed assignment, which is one month. But now if I go back and we look at January 21, that's going to work. And I can put the user's need for access for contractor work on Project XYZ. That's just your justification there. And that's basically where I am assigning a time-based assignment for Billed Arma to that particular role. But I'm not going to sign that. Yeah, I'm going to close out of this for right now, and I'm going to go back to the default settings, which you can see here. There are two ways to get to this. I can click Roll Settings right here, or I can go back to that main screen and choose the settings for the role. And you can see I can edit the settings for this role. So here's my owner role: And I can choose things allow permanent eligible assignment." I can allow a permanent active assignment. This is where I can choose what we're allowing in those options. If I choose not to allow permanent, I can also choose this "Active Assignment" for one year, where we say it kind of just automatically goes away and requires multifactor authentication on Active Assignment as well if I want to save on activation. So these are all things I can tweak. I can add an approval, select this, then select my approvals. You know, plenty of options exist here in terms of the role. So just consider that you've got settings for each role. if we go back to the roles themselves. I'm just going to jump back a few blades here. Again, here are all my roles, which I've got by clicking Roles here. And I can select them in here and give various levels of access to members in these roles. Or I can go to the role settings. That's the other place where I can get into the settings for my role. So again, it's going to come up with my roles here in a second. Click the "owner" role. And this is where, again, the same settings that you saw from the different pane are the exact same thing. Role settings and assignments are the key things to keep in mind. But if we go back, let's go ahead and give Bill an eligible assignment. So if we go back to not the role settings but to the roles themselves, where I want to manage them, and I want to add a member to the owner role, I can again click Add Member right at the top here. Or I can click the role first of all and then add a member from there. And it will simply take over the role for me. You select a role. It says "Owner" there. Now I click on the member. Let's go ahead and choose Bill, Adama. Click select, and then choose the membership settings. And I'm just going to say this is an eligible activation that we want to do. Yes. We'll click. OK. Click Add. And now we know that Bill can amplify his rights to become an owner when he wants to. I can also examine the active role. So if I click "active roles" here, I can see that Amy Rouse is there. Subscription A. If I click this one here, it's actually a permanent role, basically assigned to subscription admins. So this is a group-based assignment that we have here. And that's basically where my end collier account is already. And that's a permanentassignment currently that exists. I can also look at expired roles if I want to as well. And again, I can choose between eligible and active roles that have expired. so much visibility into what's going on in the environment itself. Well, this now concludes our demonstration on pimp roles. And in the next demonstration, we'll log in as Bill Adama and show you some of the ways he elevates his rights.
This demonstration. We're now going to build upon what we did in the previous demos and activate a role using Billadarma. So we'll switch over to the Azure Portal, and you can see here that I'm actually logged in now as Bill Adama and logged in separately into his account, and everything is ready to go. Well, if we go over to Azure Active Directory, first of all, and we look in here, we'll see that a lot of things are just kind of greyed out for Bill, and that's because he's not a global admin. He's eligible to become a global admin, but right now he's simply not one. So the way we elevate those rights is we go to "All Services" and then we go over to "Privileged Identity Management." And once we're in there, we can see my roles on the left and eligible roles on the right. Global Administrator is one of the Azure AD roles. If we go to Azure Resource Roles, we should see that the owner role is eligible as well. And I can choose to activate either of these. We'll begin with the Azure Ad role. So we'll click "Azure AD roles." Look at our global administrator status. not in use; no pen or requests Simply click the Activate button on the righthand side, and you'll notice the first thing we have to do is verify our identity before proceeding. And that's because multifactor authentication is required for that global admin role. So we'll go ahead and set up MFA just like we did before. And I'll fast forward here as we do that. Okay, that verification is successful. And now I have the option to go ahead and click Activate, which I will do. Click Activate there, and choose my activation duration. Remember, the settings only allow a certain maximum time for activation, and that's something you can't tweak back in the settings as part of being a privileged role administrator. But for right now, I'm going to say I'm going to activate for 1 hour. I could start this one hour later if I wanted to, so I could start it in the future. I'm going to do some work at 8:00 p.m. That night. I could say, "Okay, 8:00, I want to start and I want to make sure that access is ready for me." That's where I do that. So, great feature there. But for right now, I'm just going to say no. I just want to activate it right now for 1 hour. I have work to do that requires global admin. And then simply go ahead and click "Activate" there. And it is now activating the role, indicating that it is processing the request and activating the role. It'll validate that it's successful, and then I'll get an activation completion once everything is completed. Okay, well, that is completed. Now I do have to sign out and sign back in to start using my role. So I'll go ahead and click-sign out and sign back in to Spilladama. And now if we go back over to Azure Active Directory, we can see everything is available to me now because I am now a global admin. And if I go ahead and select users on the left and select my name, Billadama, and click Directory role, we can see right now that role is Global Administrator. Okay, so that was for Azure Active Directory roles. But what about those Azure subscription-type roles? for resources running in Azure. We're going to select all services. Choose privileged identity management. go to my roles. In fact, if I look at my AzureAD role, you can see right now that it's showing this role as "access" until January. If I click Active Roles, you'll see that there as well. And I can also choose to deactivate manually when I'm done. If I switch back to the Azure AdResource role, we'll see that I'm eligible to become the owner of that subscription. So I will click Activate, choose the start time again, with the scope being that particular subscription, and how long do I want it for? Again, this is controlled by the settings for that particular RBAC role. Let's say I just want it for a couple hours. I need to do Azure work that requires owner permissions; I click Activate, and your request is queued for activation in a slightly different process. And once it's completed, if I go back here and refresh under Active Roles, we can see that I'm now the owner of that subscription, and I can deactivate it when I need to as well. Now, if I log back out and log back in and choose Subscriptions, I can now see that subscription. In fact, it just popped up to tell me how much credit I still had. But I now see it tied to my account. And I can go ahead and build resources. I can build virtual machines and other things now. In fact, we'll just show by creating a storage account very quickly, and you can see that I'm actually able to do it. If I didn't have elevated permissions, I'd just get one of the error messages saying that I don't even have a subscription in this account right now, because this is the only subscription he has access to. So it wouldn't let me provision any resources at all. And with that, this basically concludes the demonstration and hopefully gives you a great overview of PIM, how to set it up for Azure AD roles, RBAC roles, and then activate it with the user as well.
Let's now look at one of the security features that we highly recommend people implement in their organization. And it's known as "privileged identity management," also known as Pimfors Short. And the way it works is as follows: Essentially, you have your users in your environment, and they access various things. They could be accessing Azure AD for user administration or accessing Azure resources in your subscription. There's a whole bunch of things—SAS, apps, Office 365, etc. That is all tied to that identity. Well, the key thing with a privileged identity is that it's a user that essentially has some admin roles. They are a privileged user; they have a lot of access and essentially create a risk for the organization. And so privileged identity management is a way that we can manage these privileged users, put some control around them, and put some visibility around them so that we know what's going on with those users. Now, the primary features of Azure are as follows: It gives us visibility into users with privileged access. So the first time you turn it on, you can then do a discovery to see, well, who in the organisation has a lot of access? Who should I be concerned about? This can be for Azure resources or Azure ads. So we always make that distinction. Azure resources are things in your subscription where a lot of our back roles are applied, like subscription owner, Azure ads, or things like our global admin, for example, that has a lot of rights to administer our directory service. We can enable things like on-demand administrative access, and we can view administrative history. So that includes not just what they accessed, but the rights they gave out and things like that as well. We can set up alerts. And finally, we can also do something really cool, which is require approvals via workflow. So when somebody requests additional access, it can go to a workflow. Perhaps a certain person in security has to approve that access, review it, check the reason they submitted, and then things can move forward. The pimping procedure is now as follows: Essentially, again, you've got your user who has some level of access by default, but we don't give them full subscription owner or global admin rights. Initially out of the gate, they have to go through an activation process, and we can decide what's required as part of that activation. For example, they could be required to authenticate via multi-factor authentication. So a token comes to the phone that they will authorize, or perhaps they'll get a text message, et cetera. They could also go through an approval workflow. And this means, again, we could send that requirement to a manager or somebody in security for approval to say, Yeah, okay, I'm going to authorise this. and we can also put time restrictions on this. This might just be, "Hey, I need access for a couple of hours to do some work in Azure AD as a global admin, and then once I've completed that, that access can be removed." However, once the activation process is complete, I have an activated user who is ready to do their work, either in Azure with RBAC roles or in Azure AD, potentially as a global admin or some other role that they may require in Azure AD. Now, there are some PIN requirements you need to be aware of. Well, first of all, you do need an Azure AD P-2 license. Now, if you are following this through and trying to do this yourself, and you've got a trial account, you may have some different mileage depending on any restrictions on your account. However, if you have a standard trial account, you will be able to start a free trial in the portal itself. And then it will prompt for these two options: enterprise mobility and security. That includes the P-2 licence as well as additional features that Microsoft will let you try out. You can also try out Azure Ad Premium P2 for free. Either way is fine; you can click the more information pieces there, and that will give you more information on those different licencing models. But essentially, this is licencing that is related to Azure Active Directory that you need to be concerned with. Now you might be wondering, well, who needs a license? Because you are not required to assign a PTWO licence to every user, essentially anyone who will be assigned the privileged role administrator that you will learn more about. Anyone that's going to be assigned as an eligible administrator So, anyone who is going to use Justintime Access or Direct time-based assignment, or users who need to approve and reject PIN requests, can elevate into a role. Even if a user does not require elevated permissions but is part of the approval workflow, they will require the P2 license. So just something to keep in mind that nowwhen we look at the roles, there's two newroles essentially that you need to be aware of. You have a privileged role administrator; that person can manage role assignments in Azure AD and everything to do with privileged identity management. And then we have the security administrators as well, and they can read security information, reports, configuration, et cetera. Now, it's also key to remember that when you start this off, you have to be a global admin in order to set up PIM, which you'll see in the subsequent demonstration. Now that global admin will become the security admin and will inherit the privileged admin role as well, Now this account that enables PM is the only account that can manage PIM unless you give it out to other global administrators. So it is really important not to basically just create the PIM role and then forget about it in your organization. You want to make sure that you give this out to somebody else so they can manage PIM as well. Administrators can only manage privileged roles. Azure Ad Directory assignment of roles to users. So it's a very important role. We got a global admin today, and now we're adding this new role around PIM. We must also manage the people who can manage privileged role administration. Now, you've heard me mention a few times this concept of signed roles, and we have directory roles or resource roles. But why do we draw this distinction? Well, the directory roles are Azure Active Directory roles. These could be global administrators. These are roles pertaining to Azure AD, and they can be eligible or permanent roles. So an eligible role, again, is a role where somebody can be elevated to have that permission. Or a permanent role is you sign the role andyou make it permanent or potentially even timebased as well. Now, the resource roles are Azure RBAC roles. These can be your built-in roles such as subscription admin, virtual machine administrator, contributor role, etc. They can also be custom roles that you've defined in Azure RBAC that you want to allow users to have, and then you can have users be elevated into those particular roles as well. A very common one is obviously the subscription administrator. A lot of times people turn on PIM,and the very first step is to see,well, who has access to subscription admin. Same on the Directory role, howmany global admins are out there? These are the roles that you really want to get your hands around very, very quickly. Now, on the Microsoft documentation for Privileged Identity Management, they do have a recommended process that you follow when you're starting out with PIM. and that's essentially these four stages. Stage 124 to 48 hours: You want to take care of the critical items that you need to do right away. These are things like that subscription admin, globaladmin, doing an audit of accounts, getting some visibility into what's going on in your environment, taking care of anything critical, or you think, "Hey, I've got some major security holes here." Then we move on. Within the next two to four weeks, mitigate the most commonly used attack techniques, possibly begin expanding the number of users to whom you grant privileged identity management, and begin organising groups of users to whom you believe this applies. Stage three: for one to three months, continue to build visibility and full control of admin activity throughout your organization. And in stages four, six months, and beyond, simply keep building defences to harden your security platform. And this is just something, again, just to thinkabout a large enterprise, you might turn this onand find, I've got lots and lots of subscriptionadmins, lots and lots of global admins. I need to remediate those; I need to update all my processes around my enterprise to make sure that this is something that's built into security administration, user administration, helpdesk, et cetera. So think about the process as more ofa journey and something you will go throughto and run it successfully in your enterprise. And with that, that concludes the lecture on provisional identity management. And I encourage you to try it out and check out the demonstrations.
ExamCollection provides the complete prep materials in vce files format which include Microsoft Certified: Azure Security Engineer Associate certification exam dumps, practice test questions and answers, video training course and study guide which help the exam candidates to pass the exams quickly. Fast updates to Microsoft Certified: Azure Security Engineer Associate certification exam dumps, practice test questions and accurate answers vce verified by industry experts are taken from the latest pool of questions.
Microsoft Microsoft Certified: Azure Security Engineer Associate Video Courses
Top Microsoft Certification Exams
SPECIAL OFFER: GET 10% OFF
Pass your Exam with ExamCollection's PREMIUM files!
SPECIAL OFFER: GET 10% OFF
Use Discount Code:
A confirmation link was sent to your e-mail.
Please check your mailbox for a message from firstname.lastname@example.org and follow the directions.
Download Free Demo of VCE Exam Simulator
Experience Avanset VCE Exam Simulator for yourself.
Simply submit your e-mail address below to get started with our interactive software demo of your free trial.