Handwritten

Question 1

Service Endpoint

Answer 1

• routing control per Pool
• bind to subnets, no “peering”
• No - on Premesis
• When using NSG, use Service-Tags

Question 2

Resource Policy Contributor

Answer 2

• create / modify resource policy
• create support ticket
• read resources + hierarchy

Question 3

User Access Administrator

Answer 3

• Grant Microsoft.Authorization/roleDef/write
• Manage User Authorization

Question 4

SQL Managed Instance Subnet

Answer 4

• No resource connected => does not mean empty

Question 5

HSM-Protected KeyVault Fips-140 level

Answer 5

level 2
Key Vault => Level 1
Managed HSM => Level 3

Question 6

Cloud App Security Administrator

Answer 6

Manages Defender for Cloud Apps

Question 7

Application Developer

Answer 7

• create new App Registration
• Manage App Registrations that are owned

Question 8

Azure Storage Access Queue

Answer 8

• Shared Key
• Azure RBAC
• Account und Service SAS

Question 9

Azure Storage Access Tables

Answer 9

• Entra ID Roles
• Account SAS
• Service SAS
• Shared Key

Question 10

Azure Storage Access Files / share

Answer 10

SMB Access
- AD DS (Kerberos)
- Entra Domain Services
- Entra Kerberos
- shared Key
Rest
- over API with RBAC
- Account and Service SAS
- Shared Key

Question 11

Azure Storage Access Blob

Answer 11

• Entra ID
• Shared Access Signatures
  
  • User Delegated SAS
  • Service SAS
  • Account SAS
• Shared Key
• Anonymous Public

Question 12

Azure AKS Kubenet vs CNI

Answer 12

Kubenet Replaced by CNI-Overlay
CNI-Overlay
Private Overlay CIDR
low IP consumption
NAT
CNI
Direct VNet Subnet
High IP consumption
Native

Question 13

Azure SQL Groups and Entra ID

Answer 13

1. Create Group or User
   CREATE USER [group] FROM EXTERNAL PROVIDER;
2. Assign Role
   ALTER ROLE db_datareader ADD MEMBER [group];
3. Limitations
   -> no default schema
   -> no user context

Question 14

Customer-Managed Encryption for Log-Analytics

Answer 14

1) Create AKV
2) Create a Log-Analytics dedicated Cluster
3) Configure Key Vault
Get, Unwrap, Wrap
or
Cryptic Service Encryption Use
4) Assign Key to Cluster
5) link Cluster with Log-Analytics

Question 15

Managed vs Dedicated HSM

Answer 15

AKV select dedicated HSM if:
1) legacy app
2) appliance level control
3) Migration from on-prem

Question 16

What types of B2B Collaboration exist?

Answer 16

B2B Collaboration
-> invite external as guest
-> internal guest user
B2B Direct Connect
-> Mutual trust, share resources
-> trust external tenant

Question 17

User - Signin - Risk levels

Answer 17

high: strong evidence of compromise
medium: suspicious and abnormal behaviour
low: minor anomaly

Question 18

Vnet - Manager Configuration - Routing

Answer 18

• Create Vnet - Manage UDR
  -> Overwrite existing
  -> Preserve old ones

Question 19

How to invite B2B users?

Answer 19

• Add Guest User
  Manual Provisioning
  (Guest Inviter/Admin is Default allows)
• Self Service Sign Up
  
  • External Identities User-Flow

Question 20

What to change for fast onboarding?

Answer 20

• Restrict Guest invite capabilities
• Restrict Guest Access to Directory Data
• MFA for Guests
• Use ID Governance
• Use Tenant Restriction

Question 21

When to use: - Private Endpoint - Vnet Peering - Service Endpoint

Answer 21

• Vnet: Multiple Resources, no sec required
• Service Endpoint: Cost reduction, Public IP usage
• Private Endpoint: Security, On-Premise

Question 22

OAuth Authorization Flows

Answer 22

• Authorization Code Flow with PKCE (SPA)
• implicit Grant Flow (legacy)
• Authorization Code Flow without PKCE => Server App

Question 23

Vnet Manager Features

Answer 23

• Connectivity
• Security Admin
• User Defined Routing

Question 24

Azure Function Networking

Answer 24

Inbound
- IP Restriction
- IP/Vnet/Service Endpoint
- deploy is Vnet
- Private Endpoint
- Service Endpoint
Outbound
- Vnet Integration
Routes outbound through Vnet
- Hybrid Connection
- Agent connects to Azure (outbound)

Question 25

App Gateway

Answer 25

Features: - WAF - TLS Termination - End-To-End TLS - Key Vault integration - Requires Subnet - Private / Public IP - Private Link Support - Layer 7 Routing (Backend health) - Zone-Redundant (only special needs force)

Question 26

Azure Front Door active-active active-passive

Answer 26

active-active => Load Balancing active-passive => failover

Question 27

Azure Front Door Standard - Premium

Answer 27

Standard 1) Only Custom WAF 2) No Bot Protection 3) No Private Link

Question 28

Azure WAF Policy Levels

Answer 28

Policy levels - Global - Per-Site - Per-URI

Question 29

Azure WAF Rule Types

Answer 29

1) OWASP Top 10 2) DRS / Threat intelligence 3) Custom Rules (max 100) (Match Rule or Rate limit Rule) 4) Bot Protection (Bot Manager Rules) - Good, Bad, Unknown 5) Geo-Filtering 6) IP-Restriction

Question 30

Azure Container Registry auth (ACR)

Answer 30

1) Entra ID User Pull, Push, Sign, Contributor 2) Service Principal 3) Admin User one account, normally disabled with full data plane access

Question 31

Security Recommendation for Azure API Management

Answer 31

1) Use Oauth, OpenID, mTLS 2) Deploy WAF in front of APIM 3) Use Azure Key Vault 4) Use System Assigned Managed Identity 5) Use HTTPS

Question 32

Azure SQL Entra Auth Steps

Answer 32

1) Assign Entra Admin to Server or Instance 2) Create SQL Principals in Database that are mapped to Entra Identities 3) Configure Client to use Azure Identity Library

Question 33

Vnet - Manager Configuration - Security Admin

Answer 33

- overwriting NSG -> Allow (can be denied) -> denie (endgültig) -> Always Allow

Question 34

Vnet - Manager Configuration - Connectivity

Answer 34

- Hub-Spoke -> select Hub -> Enforce Peering -> Allow high scale priv endpoints - Mesh -> across regions -> High scale Private Endpoints -> Prevent overlapping Address

Question 35

Azure Policy Types Resource-Manager-Modes

Answer 35

- all default - indexed -> only resource types that support tags + location