Exam AZ-305
Question 18

HOTSPOT -

You have several Azure App Service web apps that use Azure Key Vault to store data encryption keys.

Several departments have the following requests to support the web app:

Which service should you recommend for each department's request? To answer, configure the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Azure AD Privileged Identity Management

    Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

    Provide just-in-time privileged access to Azure AD and Azure resources

    Assign time-bound access to resources using start and end dates

    Require approval to activate privileged roles

    Enforce multi-factor authentication to activate any role

    Use justification to understand why users activate

    Get notifications when privileged roles are activated

    Conduct access reviews to ensure users still need roles

    Download audit history for internal or external audit

    Prevents removal of the last active Global Administrator role assignment

    Box 2: Azure Managed Identity

    Managed identities give an application an automatically managed identity in Azure Active Directory (Azure AD) to use when connecting to resources that support Azure AD authentication.

    The application obtains Azure AD tokens for that identity without any credential stored in its code or configuration, and Key Vault authorizes the token holder for the keys it needs. The same identity can be granted access to other Azure AD-integrated resources, such as storage accounts.
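The flow described in Box 2, as an added example that is not code from the ExamTopics page or from Microsoft's documentation. Part 1 is what an operator runs with the Az PowerShell modules (Az.Websites, Az.KeyVault, Az.Resources) against a vault that uses the Azure RBAC permission model; Part 2 is the pattern the web app itself follows at runtime against the App Service managed-identity endpoint and the Key Vault REST API. The resource group, app, vault and key names are placeholders, and the envelope-encryption design (wrap a locally generated data encryption key with a Key Vault key) is the assumed use of the "data encryption keys" the question mentions.

```powershell
# Added example, not part of the original page. Names below are placeholders.
# ---- Part 1: give the web app an identity and a least-privilege grant (operator) ----
$rg        = "rg-webapps"            # placeholder
$appName   = "contoso-orders-web"    # placeholder
$vaultName = "kv-contoso-dek"        # placeholder

# System-assigned identity: created and rotated by Azure, nothing to store in app settings.
$app   = Set-AzWebApp -ResourceGroupName $rg -Name $appName -AssignIdentity $true
$vault = Get-AzKeyVault -VaultName $vaultName

# Vault uses Azure RBAC; "Key Vault Crypto User" permits wrap/unwrap/encrypt/decrypt
# but not key export, reading secrets, or managing the vault itself.
New-AzRoleAssignment -ObjectId $app.Identity.PrincipalId `
    -RoleDefinitionName "Key Vault Crypto User" `
    -Scope $vault.ResourceId

# ---- Part 2: inside the App Service at runtime ----
function Get-ManagedIdentityToken {
    param([string]$Resource = "https://vault.azure.net")
    # App Service injects IDENTITY_ENDPOINT and IDENTITY_HEADER; the header proves the
    # caller is this app, so no credential exists on disk or in configuration.
    $uri = "$($env:IDENTITY_ENDPOINT)?api-version=2019-08-01&resource=$([uri]::EscapeDataString($Resource))"
    (Invoke-RestMethod -Uri $uri -Headers @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER }).access_token
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+','-').Replace('/','_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-','+').Replace('_','/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

# Envelope encryption: the data encryption key (DEK) stays in process memory and encrypts
# data locally; only the DEK is sent to Key Vault to be wrapped by the key-encryption key,
# which never leaves the vault. The wrapped DEK is stored next to the ciphertext.
function Protect-DataEncryptionKey {
    param([string]$VaultName, [string]$KeyName, [byte[]]$Dek)
    $token = Get-ManagedIdentityToken
    $body  = @{ alg = "RSA-OAEP-256"; value = (ConvertTo-Base64Url $Dek) } | ConvertTo-Json
    $resp  = Invoke-RestMethod -Method Post `
        -Uri "https://$VaultName.vault.azure.net/keys/$KeyName/wrapkey?api-version=7.4" `
        -Headers @{ Authorization = "Bearer $token" } -ContentType "application/json" -Body $body
    # $resp.kid pins the exact key version used, so unwrap still works after key rotation.
    [pscustomobject]@{ Kid = $resp.kid; WrappedDek = $resp.value }
}

function Unprotect-DataEncryptionKey {
    param([string]$Kid, [string]$WrappedDek)
    $token = Get-ManagedIdentityToken
    $body  = @{ alg = "RSA-OAEP-256"; value = $WrappedDek } | ConvertTo-Json
    $resp  = Invoke-RestMethod -Method Post -Uri "$Kid/unwrapkey?api-version=7.4" `
        -Headers @{ Authorization = "Bearer $token" } -ContentType "application/json" -Body $body
    ConvertFrom-Base64Url $resp.value
}

# Usage in the app: fresh 256-bit DEK, wrapped by the vault key "dek-kek" (placeholder name).
$dek = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($dek)
$wrapped = Protect-DataEncryptionKey -VaultName $vaultName -KeyName "dek-kek" -Dek $dek
# ... encrypt data with $dek (e.g. AES-256-GCM), persist ciphertext together with $wrapped ...
$recovered = Unprotect-DataEncryptionKey -Kid $wrapped.Kid -WrappedDek $wrapped.WrappedDek
```

The point to check in a review is the role: a grant of "Key Vault Administrator" or "Key Vault Secrets User" to the app's identity would work too, but it hands the app more than wrap/unwrap, and with RBAC the scope can be narrowed to a single key rather than the whole vault.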

    Box 3: Azure AD Privileged Identity Management

    As in Box 1, PIM's just-in-time, time-bound role activation is the fit for a temporary administrative need: the department is made eligible for the role on the relevant scope and activates it only for the duration of the work, with approval, multi-factor authentication and a justification enforced at activation time rather than holding the role permanently.
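The PIM workflow behind Box 1 and Box 3, as an added example that is not code from the ExamTopics page. It assumes the Az.Resources module with its PIM cmdlets (New-AzRoleEligibilityScheduleRequest, New-AzRoleAssignmentScheduleRequest, Get-AzRoleAssignmentScheduleInstance) and a signed-in account permitted to manage PIM for the subscription. The subscription ID, the department's group object ID, the dates and the output property names are assumptions; the Contributor role definition ID is the built-in one.

```powershell
# Added example, not part of the original page. IDs and dates are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$deptGroupId    = "11111111-1111-1111-1111-111111111111"   # placeholder: Azure AD group of the department
# Contributor is built in; this is its well-known role definition ID.
$contributorId  = "$scope/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

# 1. Eligible, not active: nobody holds Contributor standing. The eligibility itself is
#    bounded by start and end dates (time-bound access), after which it disappears.
$eligibility = New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $deptGroupId `
    -RoleDefinitionId $contributorId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDateTime `
    -ExpirationEndDateTime (Get-Date).AddDays(90).ToUniversalTime() `
    -Justification "Department needs Contributor on the test subscription for this release cycle"

# 2. Just-in-time activation by a group member: the role is active only for the requested
#    window and is removed automatically. Whether approval and MFA are required is set in
#    the role's PIM settings, not by the caller; the justification is recorded in the audit log.
$me = (Get-AzADUser -SignedIn).Id
$activation = New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $me `
    -RoleDefinitionId $contributorId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "PT2H" `
    -Justification "Creating and configuring web apps for test run 42"

# 3. Audit: which activations are currently live on this scope. Property names are assumed.
Get-AzRoleAssignmentScheduleInstance -Scope $scope |
    Where-Object { $_.AssignmentType -eq "Activated" } |
    Select-Object PrincipalId, RoleDefinitionDisplayName, StartDateTime, EndDateTime
```

If the PIM settings for the role require approval, the second request is created in a pending state and the role only becomes active once an approver acts on it; the duration in `-ExpirationDuration` is capped by the maximum activation duration configured for the role.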

    Reference:

    https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

    https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Discussion
mse89

PIM MI PIM answer is correct

One111

None of the security requirements can be accomplished by PIM. That's definitely not the right answer.

Ayboum

Access review is included on PIM

SilverFox22

To confirm: "You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged access to Azure resource and Azure AD roles." https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review

KingHalik

yes it does: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure

One111

It should be: 1. Identity Governance / Access Review - access based on groups and review periods. 2. Managed Identity - access with passwordless and no additional administration footprint. 3. Privileged Identity Management - temporary role activation. The answers are probably messed up and lack an option in the first list.

ExamTopicsTST

@One111, since the option is not there, it is NOT an option as an answer. Under 'Identity Governance' is where PIM exists, and all the requirements can be met by what PIM provides. Answers provided ARE 100% correct: PIM, MI, PIM.

sexyt

look at examtopics reply to you and realize this is an architect test not an engineering test

romeconq1

that's obviously not ExamTopics themselves lol, if these guys actually cared they'd fix the wrong answers first.

FabrityDev

From documentation: Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments

So PIM, MI, PIM. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

gdamascenom

It should be: Azure AD Identity Protection to get the access reviews; Azure Managed Identity; Azure AD PIM.

Ahmedsaad1981

it was in the exam 24/2/2024

zellck

1. Azure AD PIM 2. Azure Managed ID 3. Azure AD PIM

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review
The need for access to privileged Azure resource and Azure AD roles by employees changes over time. To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged access to Azure resource and Azure AD roles. You can also configure recurring access reviews that occur automatically.

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for applications to use when connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.

zellck

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#terminology
Just-in-time (JIT) access - A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.

zellck

https://learn.microsoft.com/en-us/training/modules/design-authentication-authorization-solutions/9-one-design-managed-identities
Managed identities provide an identity for apps to use when connecting to resources that support Azure AD authentication. Apps can use the managed identity to obtain Azure AD tokens. An app might use a managed identity to access resources like Azure Key Vault where developers can store credentials in a secure manner or to access storage accounts.

zellck

Got this in Feb 2023 exam.

iamhyumi

Got this on Sept. 5, 2023

MHguy

in the Exam April 2024

ply

This question appeared on my Exam today

jcxxxxx2020

This question did not appear on my exam today 10/22/2023

winy

this was on 4/1/23 exam

sankuro

Got this on 5/7/2023 exam.

akr1503

This was on 3/27/23 exam

Hannirac

on the exam 1/7/2024

23169fd

The given answers are correct.

Azure AD Privileged Identity Management (PIM). Reason: PIM helps manage, control, and monitor access within Azure AD, Azure, and other Microsoft Online Services. It requires justifications for role assignments and provides alerts and history of changes.

Development Department: Azure Managed Identity. Reason: Managed Identity allows the application to access Azure Key Vault without needing to manage credentials. This provides secure access to the encryption keys needed by the applications.

Quality Assurance Department: Azure AD Privileged Identity Management (PIM). Reason: PIM can provide temporary administrator access for creating and configuring additional web apps in the test environment, managing role assignments effectively.

23169fd

Adding explanation for the other options:

Azure AD Connect. Reason: Used to synchronize on-premises directories with Azure AD, not for role management or auditing administrative activities.

Azure AD Identity Protection. Reason: Focuses on detecting and responding to identity-based risks using signals from Azure AD. It does not provide role management or detailed auditing capabilities.

seedati

if each division has two subscriptions each, the minimum number of objects required to deploy the application using Azure Blueprints would be: 1 management group per division: You would need two management groups, one for each division. Each management group would act as a container for the respective division's subscriptions. 2 blueprint definitions: You would need one blueprint definition for each division's subscriptions. Each blueprint definition would specify the resource group, Azure web app, custom role assignments, and Azure Cosmos DB account required for the application. 4 blueprint assignments: You would need four blueprint assignments, two for each division's subscriptions. Each division's blueprint definition would be assigned to both of their respective subscriptions. In summary, the minimum number of objects required now would be: 2 management groups 2 blueprint definitions 4 blueprint assignments (2 assignments per division)

vali6969

This answer is for an other question ...

ZUMY

Given answers are correct

jj22222

AD PIM Azure Managed Identity AD PIM