| Question.41 Your company has the divisions shown in the following table.  Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1. What should you recommend? (A) Configure Azure AD join. (B) Configure Azure AD Identity Protection. (C) Configure a Conditional Access policy. (D) Configure Supported account types in the application registration and update the sign-in endpoint. |
41. Click here to View Answer
Answer: D
Verified Answer
Explanation:
Configure Supported account types in the application registration and update the sign-in endpoint.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts
| Question.42 You have an Azure AD tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned memberships. Group1 has 50 members, including 20 guest users. You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements: • The evaluation must be repeated automatically every three months. • Every member must be able to report whether they need to be in Group1. • Users who report that they do not need to be in Group1 must be removed from Group1 automatically. • Users who do not report whether they need to be in Group1 must be removed from Group1 automatically. What should you include in the recommendation? (A) Implement Azure AD Identity Protection. (B) Change the Membership type of Group1 to Dynamic User. (C) Create an access review. (D) Implement Azure AD Privileged Identity Management (PIM). |
42 Click here to View Answer
Answer: C
Verified Answer
Explanation:
Based on the requirements below:
The evaluation must be repeated automatically every three months.
• Every member must be able to report whether they need to be in Group1.
• Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
• Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.
The correct answer should be – C. Create an access. review.
https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
| Question.43 HOTSPOT – You have an Azure subscription named Sub1 that is linked to an Azure AD tenant named contoso.com. You plan to implement two ASP.NET Core apps named App1 and App2 that will be deployed to 100 virtual machines in Sub1. Users will sign in to App1 and App2 by using their contoso.com credentials. App1 requires read permissions to access the calendar of the signed-in user. App2 requires write permissions to access the calendar of the signed-in user. You need to recommend an authentication and authorization solution for the apps. The solution must meet the following requirements: • Use the principle of least privilege. • Minimize administrative effort. What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.  |
43. Click here to View Answer
Answer:
Explanation:
Box 1: A user-assigned managed identity
Box 2: Delegated permissions
The question states that we have to minimize the administrative effort and managed identities do just that. Additionally we have 100 VMs so user-assigned managed identity can be used as it can be shared unlike system-assigned one. I researched a bit and found one helpful article which contains this sentence:
“Previously, when we did not have managed identities, we created an application registration for the resource. Using a secret or certificate to authenticate with Azure. This created a lot of overhead, as it required secret management, key rotation, etc. With managed identities, Azure takes care of this for us.”
although app registration could be used, it wouldn’t reduce admin effort as much as Managed Identity.
| Question.44 Your company has the divisions shown in the following table.  Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1. What should you recommend? (A) Enable Azure AD pass-through authentication and update the sign-in endpoint. (B) Use Azure AD entitlement management to govern external users. (C) Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM). (D) Configure Azure AD Identity Protection. |
44. Click here to View Answer
Answer: B
Explanation:
Here are some of capabilities of entitlement management:
– Select connected organizations whose users can request access. When a user who isn’t yet in your directory requests access, and is approved, they’re automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.
| Question.45 Your company has the divisions shown in the following table.  Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1. What should you recommend? (A) Configure the Azure AD provisioning service. (B) Enable Azure AD pass-through authentication and update the sign-in endpoint. (C) Configure Supported account types in the application registration and update the sign-in endpoint. (D) Configure Azure AD join. |
45. Click here to View Answer
Answer: C
Explanation:
Reference:
https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types