Correct Answer:

Box 1: Azure AD administrative units

Implement delegated management of users and groups in the Azure AD tenant of Litware, including support for:

* The delegation of user management based on business units

Without Azure AD administrative units, assigning a user to the User Administrator role in Azure AD gives them rights to manage all Azure AD users. With administrative units, the user is delegated the same role, User Administrator, but that role only applies to the specified administrative unit. The administrative unit contains the users and groups that are under the scope of management. Box 2: Enable password hash synchronization in the Azure AD Connect deployment Existing environment: Azure AD Connect is used to implement pass-through authentication. Password hash synchronization

Risk detections like leaked credentials require the presence of password hashes for detection to occur.

Reference: https://4sysops.com/archives/an-introduction-to-azure-ad-administrative-units/

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-hash-synchronization

Correct Answer:

Box 1: Microsoft defender for cloud

Scenario: Prevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts.

When Microsoft Defender for Cloud detects a Brute-force attack, it triggers an alert to bring you awareness that a brute force attack took place. The automation uses this alert as a trigger to block the traffic of the IP by creating a security rule in

the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert. In the alerts of this type, you can find the attacking IP address appearing in the 'entities' field of the alert.

Box 2: An account lockout policy in AD DS

Scenario:

Detect brute force attacks that directly target AD DS user accounts.

Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other

unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.

Verify on-premises account lockout policy

To verify your on-premises AD DS account lockout policy, complete the following steps from a domain-joined system with administrator privileges:

1.

Open the Group Policy Management tool.

2.

Edit the group policy that includes your organization's account lockout policy, such as, the Default Domain Policy.

3.

Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

4.

Verify your Account lockout threshold and Reset account lockout counter after values.

Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/automation-to-block-brute-force-attacked-ip-detected-by/ba-p/1616825 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#verify-on-premises-account-lockout-policy

Correct Answer: AB

Correct Answer: D

Microsoft Security Compliance Toolkit 1.0, Policy Analyzer.

The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:

Highlight when a set of Group Policies has redundant settings or internal inconsistencies.

Highlight the differences between versions or sets of Group Policies.

Compare GPOs against current local policy and local registry settings

Export results to a Microsoft Excel spreadsheet

Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a

baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.

Note: The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft

products.

The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit

them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.

Security Compliance Toolkit Tools:

Policy Analyzer

Local Group Policy Object (LGPO)

Set Object Security

GPO to Policy Rules

Incorrect:

Not B: Local Group Policy Object (LGPO)

What is the Local Group Policy Object (LGPO) tool?

LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-

domain-joined systems. LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. It can export local policy to a GPO

backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10

Correct Answer: B

Correct Solution: You recommend access restrictions based on HTTP headers that have the Front Door ID.

Restrict access to a specific Azure Front Door instance.

Traffic from Azure Front Door to your application originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front

Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique http header that Azure Front Door sends.

Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#managing-access-restriction-rules

Correct Answer: A

Microsoft Defender for Cloud Apps Activity policies.

Activity policies allow you to enforce a wide range of automated processes using the app provider's APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of one certain

type of activity.

After you set an activity detection policy, it starts to generate alerts - alerts are only generated on activities that occur after you create the policy.

Each policy is composed of the following parts:

Activity filters – Enable you to create granular conditions based on metadata.

Activity match parameters – Enable you to set a threshold for the number of times an activity repeats to be considered to match the policy.

Actions – The policy provides a set of governance actions that can be automatically applied when violations are detected.

Incorrect:

Not C: Azure AD Conditional Access policies applies to users, not to applications.

Note: Blocking user logins by location can be an added layer of security to your environment. The following process will use Azure Active Directory conditional access to block access based on geographical location. For example, you are

positive that nobody in your organization should be trying to login to select cloud applications from specific countries.

Reference: https://docs.microsoft.com/en-us/defender-cloud-apps/user-activity-policies https://cloudcompanyapps.com/2019/04/18/block-users-by-location-in-azure-o365/

Correct Answer: C

Explanation:

Azure Policy helps to enforce organizational standards and to assess compliance at-scale.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure

environment as built-ins to help you get started.

Specifically, some useful governance actions you can enforce with Azure Policy include:

Ensuring your team deploys Azure resources only to allowed regions

Enforcing the consistent application of taxonomic tags

Requiring resources to send diagnostic logs to a Log Analytics workspace

Note: Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The

assignment applies to all resources within the Resource Manager scope of that assignment.

Reference:

https://learn.microsoft.com/en-us/azure/governance/policy/overview

Correct Answer: B

Explanation:

Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.

Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.

Incorrect:

Not C: A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded data, uploaded data, transactions, and users are

considered for each cloud application. Each increase is compared to the normal usage pattern of the application as learned from past usage. The most extreme increases trigger security alerts.

Reference:

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager

Correct Answer: D

ExpressRoute provides direct connectivity to Azure cloud services and connecting Microsoft's global network. All transferred data is not encrypted, and do not go over the public Internet. VPN Gateway provides secured connectivity to Azure

cloud services over public Internet.

Note:

Litware identifies the following landing zone requirements:

1.

Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.

2.

Provide a secure score scoped to the landing zone.

3.

Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.

4.

Minimize the possibility of data exfiltration.

5.

Maximize network bandwidth.

Litware identifies the following business requirements:

1.

Minimize any additional on-premises infrastructure.

2.

Minimize the operational costs associated with administrative overhead.

Reference: https://medium.com/awesome-azure/azure-difference-between-azure-expressroute-and-azure-vpn-gateway-comparison-azure-hybrid-connectivity-5f7ce02044f3

Correct Answer: B

Requirements. Application Development Requirements

Fabrikam identifies the following requirements for application development:

*

All the application code must be stored in GitHub Enterprise.

*

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.

A GitHub Advanced Security license provides the following additional features:

Code scanning - Search for potential security vulnerabilities and coding errors in your code.

Secret scanning - Detect secrets, for example keys and tokens, that have been checked into the repository. If push protection is enabled, also detects secrets when they are pushed to your repository.

Dependency review - Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request.

Security overview - Review the security configuration and alerts for an organization and identify the repositories at greatest risk.

Incorrect:

Not C:

Scenario: Azure DevTest labs will be used by developers for testing.

Azure DevTest Labs is a service for easily creating, using, and managing infrastructure-as-a-service (IaaS) virtual machines (VMs) and platform-as-a-service (PaaS) environments in labs. Labs offer preconfigured bases and artifacts for

creating VMs, and Azure Resource Manager (ARM) templates for creating environments like Azure Web Apps or SharePoint farms.

Lab owners can create preconfigured VMs that have tools and software lab users need. Lab users can claim preconfigured VMs, or create and configure their own VMs and environments. Lab policies and other methods track and control lab

usage and costs.

Reference: https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security