|
| 1 | +### YamlMime:ModuleUnit |
| 2 | +uid: learn.wwl.entra-ai-understand.knowledge-check |
| 3 | +title: Module assessment |
| 4 | +metadata: |
| 5 | + title: Module assessment |
| 6 | + description: Knowledge check. |
| 7 | + ms.date: 02/13/2026 |
| 8 | + author: wwlpublish |
| 9 | + ms.author: riswinto |
| 10 | + ms.topic: unit |
| 11 | + module_assessment: true |
| 12 | +durationInMinutes: 5 |
| 13 | +content: | |
| 14 | +quiz: |
| 15 | + title: Check your knowledge |
| 16 | + questions: |
| 17 | + - content: "An identity can deploy and delete AI resources but can't submit prompts to a model endpoint. Which boundary is limiting its access?" |
| 18 | + choices: |
| 19 | + - content: "Conditional Access policy enforcement" |
| 20 | + isCorrect: false |
| 21 | + explanation: "Incorrect: Conditional Access controls sign-in conditions, not management versus runtime permissions." |
| 22 | + - content: "Management plane access" |
| 23 | + isCorrect: false |
| 24 | + explanation: "Incorrect: Management plane access governs configuration actions such as deploying or deleting resources." |
| 25 | + - content: "Data plane access" |
| 26 | + isCorrect: true |
| 27 | + explanation: "Correct: Submitting prompts to a model endpoint is a data plane operation governed by runtime permissions." |
| 28 | + |
| 29 | + - content: "A web application running outside Azure calls an AI endpoint using a client secret without user interaction. Which identity type is being used?" |
| 30 | + choices: |
| 31 | + - content: "An application identity such as a service principal" |
| 32 | + isCorrect: true |
| 33 | + explanation: "Correct: Non-interactive authentication from an application uses an application identity." |
| 34 | + - content: "A human identity" |
| 35 | + isCorrect: false |
| 36 | + explanation: "Incorrect: Human identities require interactive sign-in." |
| 37 | + - content: "A delegated user session" |
| 38 | + isCorrect: false |
| 39 | + explanation: "Incorrect: Delegated sessions involve user interaction." |
| 40 | + |
| 41 | + - content: "A service principal is assigned Contributor at the subscription level to simplify deployment. What is the primary risk introduced by this decision?" |
| 42 | + choices: |
| 43 | + - content: "Management and data plane operations become merged." |
| 44 | + isCorrect: false |
| 45 | + explanation: "Incorrect: Management and data plane operations remain distinct even if scope is broad." |
| 46 | + - content: "The blast radius of a compromise extends across all resources in the subscription." |
| 47 | + isCorrect: true |
| 48 | + explanation: "Correct: Subscription-level scope expands the impact of misuse or compromise." |
| 49 | + - content: "The application might fail to authenticate." |
| 50 | + isCorrect: false |
| 51 | + explanation: "Incorrect: Broad scope doesn't prevent authentication." |
| 52 | + |
| 53 | + - content: "Why is it important to distinguish between management plane and data plane access when securing AI workloads?" |
| 54 | + choices: |
| 55 | + - content: "Because data plane access always requires broader permissions." |
| 56 | + isCorrect: false |
| 57 | + explanation: "Incorrect: Data plane access can be tightly scoped." |
| 58 | + - content: "Because both planes use different authentication protocols." |
| 59 | + isCorrect: false |
| 60 | + explanation: "Incorrect: Both planes rely on Microsoft Entra ID for authentication." |
| 61 | + - content: "Because configuration actions and runtime model usage introduce different categories of risk." |
| 62 | + isCorrect: true |
| 63 | + explanation: "Correct: Management and data plane permissions control different types of actions and risk." |
| 64 | + |
| 65 | + - content: "An organization enforces strong authentication but assigns broad role scope across environments. What issue remains?" |
| 66 | + choices: |
| 67 | + - content: "Conditional Access policies automatically fail." |
| 68 | + isCorrect: false |
| 69 | + explanation: "Incorrect: Conditional Access enforcement is separate from role scope design." |
| 70 | + - content: "Authorization boundaries are weakened despite strong authentication." |
| 71 | + isCorrect: true |
| 72 | + explanation: "Correct: Strong authentication doesn't compensate for excessive permissions or scope." |
| 73 | + - content: "Authentication tokens can't be validated." |
| 74 | + isCorrect: false |
| 75 | + explanation: "Incorrect: Token validation isn't affected by scope decisions." |
0 commit comments