|
1 | 1 | ### YamlMime:ModuleUnit |
2 | 2 | uid: learn.wwl.design-solutions-identity-access-management.knowledge-check |
3 | | -title: Module assessment |
| 3 | +title: Knowledge check |
4 | 4 | metadata: |
5 | | - title: Module assessment |
6 | | - description: "Knowledge check for the module on design solutions for identity and access management." |
7 | | - ms.date: 09/26/2024 |
| 5 | + title: Knowledge check |
| 6 | + description: Knowledge check for identity and access management security design. |
| 7 | + ms.date: 01/30/2026 |
8 | 8 | author: ceperezb |
9 | 9 | ms.author: ceperezb |
10 | 10 | ms.topic: unit |
11 | 11 | module_assessment: true |
12 | 12 | durationInMinutes: 5 |
13 | | -########################################################################### |
14 | | -### |
15 | | -### General guidance (https://review.learn.microsoft.com/learn-docs/docs/id-guidance-knowledge-check) |
16 | | -### - Questions are complete sentences ending with a question mark |
17 | | -### - No true/false questions |
18 | | -### - 3 answers per question |
19 | | -### - All answers about the same length |
20 | | -### - Numeric answers listed in sorted order |
21 | | -### - No "All of the above" and/or "None of the above" as answer choices |
22 | | -### - No "Not" or "Except" in questions |
23 | | -### - No second person ("you") in the questions or answers |
24 | | -### - Provide a meaningful explanation for both correct and incorrect answers |
25 | | -### |
26 | | -########################################################################### |
27 | 13 | content: | |
28 | 14 | quiz: |
| 15 | + title: Check your knowledge |
29 | 16 | questions: |
30 | | - - content: "What is Conditional Access in Microsoft Entra ID?" |
31 | | - choices: |
32 | | - - content: "A feature that allows users to bypass security policies." |
33 | | - isCorrect: false |
34 | | - explanation: "Conditional Access applies controls based on specific conditions, including user, location, device, and application state. It restricts user access until they have met those conditions." |
35 | | - |
36 | | - - content: "An identity-based security model that enables customers to control access to applications and resources." |
37 | | - isCorrect: true |
38 | | - explanation: "Conditional Access grants or denies application access to users by requiring multifactor authentication or blocking access when the specified conditions are not met." |
39 | | - |
40 | | - - content: "A type of user authentication specific to external identities." |
41 | | - isCorrect: false |
42 | | - explanation: "Conditional Access is not a type of user authentication but a set of access controls designed to improve security." |
43 | | - |
44 | | - - content: "An automated tool for managing user privileges within an organization." |
45 | | - isCorrect: false |
46 | | - explanation: "Conditional Access defines user-specific access policies but does not manage user privileges." |
47 | | - |
48 | | - - content: "What is Continuous Access Evaluation in Microsoft Entra ID?" |
49 | | - choices: |
50 | | - - content: "A feature that automatically enforces Azure Key Vault key rotation policies." |
51 | | - isCorrect: false |
52 | | - explanation: "Continuous Access Evaluation constantly evaluates conditions specified in Conditional Access policies, ensuring continued compliance. It has no direct relationship with Key Vault." |
53 | | - |
54 | | - - content: "A security model designed to control user access to Microsoft Entra ID-managed services." |
55 | | - isCorrect: false |
56 | | - explanation: "Continuous Access Evaluation is one component of Microsoft's Zero Trust Strategy, which is designed to mitigate risks across all domains, including mobile devices." |
57 | | - |
58 | | - - content: "A mechanism for enforcing Conditional Access policies in almost real-time." |
59 | | - isCorrect: true |
60 | | - explanation: "Continuous Access Evaluation evaluates Conditional Access policies every time a request is made, allowing for swift and accurate responses to changes in the access control environment." |
61 | | - |
62 | | - - content: "A method for detecting rogue devices connecting to a network." |
63 | | - isCorrect: false |
64 | | - explanation: "Continuous Access Evaluation assesses whether user requests meet the specified conditions set forth in Conditional Access policies, but it does not detect rogue devices connecting to a network." |
65 | | - |
66 | | - - content: "What is External Identities in Microsoft Entra ID?" |
67 | | - choices: |
68 | | - - content: "A set of tools for managing conditional access policies for partners and customers." |
69 | | - isCorrect: false |
70 | | - explanation: "External Identity tools are designed to support B2B scenarios to simplify the management of policies related to guests, partners, and vendors accessing shared resources." |
71 | | - |
72 | | - - content: "A system for managing user accounts within an organization." |
73 | | - isCorrect: false |
74 | | - explanation: "External Identities offers the ability to create and manage identities for users outside an organization in order to provide partner and customer access to assigned resources." |
75 | | - |
76 | | - - content: "A set of tools for managing user accounts and access for non-employees or guests that need to access organizational assets." |
77 | | - isCorrect: true |
78 | | - explanation: "External identities enable secure collaboration between external users like customers, business partners, or vendors and internal teams while guarding against unauthorized data access." |
79 | | - |
80 | | - - content: "An automatic threat detection system that detects abnormal behavior patterns in user accounts." |
81 | | - isCorrect: false |
82 | | - explanation: "External Identities provides capabilities around governance, user access, authentication, and identity protection, but does not include an automatic threat detection system." |
83 | | - |
84 | | - - content: "What is Azure Key Vault?" |
85 | | - choices: |
86 | | - - content: "A password manager intended for personal use." |
87 | | - isCorrect: false |
88 | | - explanation: "Azure Key Vault is a cloud-based service that safeguards cryptographic keys and secrets used by cloud apps and services. It is an enterprise-level platform, not a password manager." |
89 | | - |
90 | | - - content: "A solution for automating data encryption in cloud environments." |
91 | | - isCorrect: false |
92 | | - explanation: "Azure Key Vault does provide encryption services, but its primary function is to protect cryptographic keys and sensitive information." |
93 | | - |
94 | | - - content: "A cloud service that stores secrets, such as passwords, connection strings, and API keys." |
95 | | - isCorrect: true |
96 | | - explanation: "Azure Key Vault provides secure storage for secret data and credentials avoiding the need to embed them in code or configuration file." |
97 | | - |
98 | | - - content: "A cloud service that manages Active Directories for organizations." |
99 | | - isCorrect: false |
100 | | - explanation: "Azure Key Vault does not manage Active Directories. It provides key and secret management services for cloud applications and services." |
| 17 | + - content: A security architect is designing identity infrastructure for an organization that has on-premises Active Directory and needs to enable single sign-on to Microsoft 365 and Azure resources. Which Microsoft Entra component should they implement? |
| 18 | + choices: |
| 19 | + - content: Microsoft Entra External ID |
| 20 | + isCorrect: false |
| 21 | + explanation: Microsoft Entra External ID is for external identities such as B2B guests and customers, not for synchronizing internal employee accounts from on-premises Active Directory. |
| 22 | + - content: Microsoft Entra Domain Services |
| 23 | + isCorrect: false |
| 24 | + explanation: Microsoft Entra Domain Services provides managed domain services in Azure but doesn't synchronize on-premises AD with Microsoft Entra ID. |
| 25 | + - content: Microsoft Entra Connect Sync |
| 26 | + isCorrect: true |
| 27 | + explanation: Microsoft Entra Connect Sync synchronizes on-premises Active Directory identities to Microsoft Entra ID, enabling single sign-on to cloud resources while maintaining on-premises AD as the authoritative source. |
| 28 | + - content: An organization is building a consumer-facing mobile application and needs to provide branded sign-in experiences with self-service registration for millions of users. These users should not appear in the organization's workforce directory. Which Microsoft Entra External ID configuration should the security architect recommend? |
| 29 | + choices: |
| 30 | + - content: B2B collaboration in the workforce tenant |
| 31 | + isCorrect: false |
| 32 | + explanation: B2B collaboration adds guest users to your workforce directory alongside employees. It's designed for partner collaboration, not consumer-scale applications with millions of users. |
| 33 | + - content: External tenant with CIAM capabilities |
| 34 | + isCorrect: true |
| 35 | + explanation: An external tenant is configured specifically for consumer and business customer scenarios. It isolates customer identities from your workforce directory, supports custom branding, and scales to millions of users. |
| 36 | + - content: Cross-tenant access settings with automatic redemption |
| 37 | + isCorrect: false |
| 38 | + explanation: Cross-tenant access settings control B2B collaboration between Microsoft Entra organizations, not consumer application scenarios requiring self-service registration and custom branding. |
| 39 | + - content: An organization wants to implement near real-time enforcement of access policy changes and immediate token revocation when user accounts are disabled. Which capability should the security architect recommend? |
| 40 | + choices: |
| 41 | + - content: Conditional Access with shorter token lifetimes |
| 42 | + isCorrect: false |
| 43 | + explanation: Shorter token lifetimes provide faster enforcement but still leave a gap between policy changes and enforcement. Continuous Access Evaluation provides near real-time enforcement. |
| 44 | + - content: Continuous Access Evaluation (CAE) |
| 45 | + isCorrect: true |
| 46 | + explanation: CAE enables near real-time enforcement when critical events occur, such as account disablement, password changes, or risk elevation, without waiting for token expiration. |
| 47 | + - content: Microsoft Entra Identity Protection risk policies |
| 48 | + isCorrect: false |
| 49 | + explanation: Identity Protection detects risky sign-ins and users but doesn't provide near real-time token revocation for critical events like account disablement. |
| 50 | + - content: A security architect is validating Conditional Access alignment with Zero Trust. Which of the following represents a violation of Zero Trust principles? |
| 51 | + choices: |
| 52 | + - content: MFA required only for users with administrative roles |
| 53 | + isCorrect: true |
| 54 | + explanation: Zero Trust's "verify explicitly" principle requires verifying all users, not just administrators. MFA should be required for all users to properly implement Zero Trust. |
| 55 | + - content: Device compliance required for corporate resource access |
| 56 | + isCorrect: false |
| 57 | + explanation: Requiring device compliance supports explicit verification by evaluating device state before granting access, which aligns with Zero Trust principles. |
| 58 | + - content: Risk-based policies that block access when user risk is elevated |
| 59 | + isCorrect: false |
| 60 | + explanation: Risk-based policies support the "assume breach" principle by responding to detected threats, which aligns with Zero Trust. |
| 61 | + - content: Which Microsoft solution provides threat detection for on-premises Active Directory Domain Services, including detection of credential theft attacks like pass-the-hash and golden ticket attacks? |
| 62 | + choices: |
| 63 | + - content: Microsoft Defender for Cloud |
| 64 | + isCorrect: false |
| 65 | + explanation: Microsoft Defender for Cloud focuses on cloud workload protection, not on-premises Active Directory threat detection. |
| 66 | + - content: Microsoft Entra Identity Protection |
| 67 | + isCorrect: false |
| 68 | + explanation: Microsoft Entra Identity Protection detects risky sign-ins and users in Microsoft Entra ID, not on-premises Active Directory threats. |
| 69 | + - content: Microsoft Defender for Identity |
| 70 | + isCorrect: true |
| 71 | + explanation: Microsoft Defender for Identity monitors on-premises Active Directory and detects credential theft attacks, lateral movement, and domain dominance attempts. |
| 72 | + - content: A security architect needs to store cryptographic keys for encrypting data in Azure Storage with customer-managed keys. The organization requires FIPS 140-2 Level 3 compliance and full control over the HSM. Which Azure Key Vault tier should they select? |
| 73 | + choices: |
| 74 | + - content: Standard tier with software-protected keys |
| 75 | + isCorrect: false |
| 76 | + explanation: Standard tier uses software-protected keys and doesn't meet FIPS 140-2 Level 3 compliance requirements. |
| 77 | + - content: Premium tier with HSM-protected keys |
| 78 | + isCorrect: false |
| 79 | + explanation: Premium tier provides HSM-protected keys with FIPS 140-2 Level 2 compliance, not Level 3. |
| 80 | + - content: Managed HSM |
| 81 | + isCorrect: true |
| 82 | + explanation: Managed HSM provides single-tenant HSM with FIPS 140-2 Level 3 compliance and full customer control over HSM administration. |
0 commit comments