AZ-301 Identity & Security Solutions

Question 1

A company wants to implement zero-trust network access for their Azure resources and require that all service-to-service authentication uses managed identities. Which type of managed identity should be used when multiple VMs need to share the same identity?

Accepted Answer

User-assigned managed identity

Answer

User-assigned managed identities are standalone Azure resources that can be shared across multiple VMs or services, unlike system-assigned which are tied to a single resource.

Question 2

An architect needs to implement privileged access management for Azure resources, requiring just-in-time access with approval workflows and access reviews. Which Azure AD feature should be used?

Accepted Answer

Azure AD Privileged Identity Management

Answer

Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access with approval workflows, time-bound assignments, and access reviews.

Question 3

A security architect must ensure that Azure AD sign-ins from risky locations or flagged users automatically require MFA or are blocked. Which Azure AD feature implements this risk-based policy?

Accepted Answer

Azure AD Identity Protection with Conditional Access

Answer

Azure AD Identity Protection detects sign-in risks and integrates with Conditional Access to automatically enforce MFA or block access based on risk level.

Question 4

An organization needs to provide external partners with access to their Azure resources using the partners' own Azure AD credentials without creating guest accounts. Which Azure AD feature enables this?

Accepted Answer

Azure AD B2B Collaboration

Answer

Azure AD B2B Collaboration allows external partners to access your resources using their own organizational credentials via trust relationships.

Question 5

When designing RBAC for Azure resources, an architect needs to create a custom role that allows reading and writing to Azure Storage blobs but not deleting them. Which scope should minimize the blast radius?

Accepted Answer

Resource scope

Answer

Assigning the custom role at the resource scope (specific storage account) minimizes the blast radius by limiting permissions to only that specific resource.

AZ-301 - Microsoft Azure Solutions Architect Expert Practice Test

AZ-301 - Microsoft Azure Solutions Architect Expert Practice Test

AZ-301 Identity & Security Solutions