Microsoft Azure Architect AZ-303 Practice Test Questions and Answers, Microsoft Azure Architect AZ-303 Exam Dumps - PrepAway
1. Security Introduction
So over the next few lectures, we're going to be examining policies, access reviews, and other general user management. In order to do all of that, I'm going to invite an additional external user into the organisation that we can start to apply different restrictions to. So I'm going to go to Azure Active Directory, then Users, and select New guest user.
So what we want to do is invite the user. This is the end user, and the invitation goes to that user's external email address. I'm not going to set any groups or anything just yet; I'm just going to invite the user. While I'm waiting for that to come through, the next thing I want to do is create a group. Let's make a new group, call it End Users, and add that end user as a member. Now I'm going to go to my email, where I've received the invitation, and open the link in a private window, because I need to simulate this user logging in elsewhere.
Once my account is set up, I'm going to log into the portal as that user. At the moment I don't have any subscriptions, simply because I haven't been assigned any rights to anything. So the next thing I want to do is assign a licence to my user and grant some access. Go to the user, where there are a couple of things I need to change. The first is to ensure that the profile has a usage location. If that hasn't been set, go ahead and set it; if you don't, you won't be able to assign any licences. Once that's set, go into Licenses and assign the Azure AD Premium P2 licence. This is important because without the Premium P2 licence we won't be able to do some of the things that we want to do, such as access reviews.
Next, I want to go back to the home page and into my subscription view. In here, I want to go to Access control (IAM) and add a role assignment. We'll just go for Reader at the moment, and I'm going to assign it to the End Users group rather than to the individual user. Now let's go back to my guest user and reload the page. I need to make sure I'm looking at the correct directory: because I invited an external user, the directory it has put me in by default is the user's home directory, which doesn't have any of these subscriptions. So I need to switch to the directory I've just been invited to. Then if we go to Subscriptions, I can see the teaching subscription I've set up, and I now have read access to the resources within it. We'll use this user from now on to try out some of the other features of Azure Active Directory.
2. Management Groups, Subscriptions And Roles
The Service Administrator is the first co-administrator of a subscription. Like other co-administrators, the Service Administrator has management access to cloud resources through the Azure portal and other tools such as the Visual Studio SDKs and PowerShell. The Service Administrator can also add and remove co-administrators; other co-administrators can't delete the Service Administrator or change that assignment. Within the Account Center, the Service Administrator is the user authorised to change the subscription's association with a directory. Beyond these classic administrator roles, you then define individual roles for users using role-based access control, or RBAC. Azure RBAC allows you to grant appropriate access to Azure users, groups, and services by assigning roles at the scope of a management group, a subscription, a resource group, or an individual resource.
Roles you set higher up, such as at the management group or subscription level, flow down to the individual resources, and the ultimate access on the end resource is the combination of all roles at all levels. A role defines the level of access that a user, group, or service has on an Azure resource: it is a collection of actions that can be performed on that resource. The user or service is allowed to perform an action on an Azure resource if they have been assigned a role that contains that action. It's always best to assign roles on the basis of least privilege, which means you should only grant the lowest-level role required to perform a user's duties.
An RBAC role is assigned to a security principal. A security principal can be a user, an individual with an Azure Active Directory account; a group, which is a group within Azure Active Directory containing one or more users, all of whom receive the roles assigned to the group; a service principal, which is a security identity used by applications or services to access specific Azure resources and can be thought of as the user identity of an application; or a managed identity, an identity in Azure Active Directory that is automatically managed by Azure.
You typically use managed identities when developing cloud applications to handle the credentials for authenticating to other Azure services without having to manage usernames and passwords. Azure includes several built-in roles that you can use. The following are the most typical and wide-ranging. The Owner role has full access to all resources, including the right to delegate access to others. Contributor can create and manage all types of resources but can't grant access to others. Reader provides read-only access to Azure resources, and User Access Administrator lets you manage user access to Azure resources but not the resources themselves. For more granular access, Azure provides a whole range of resource-specific roles, or you can create your own custom role.
Custom roles are created by defining a set of actions and the scopes at which the role may be assigned, all within a JSON document. You can use a built-in role as a base by copying it, or start from scratch. You would then assign the role just as you would a built-in role. Role assignments are cumulative: they can come from a higher level and be inherited, or from multiple individual assignments, and the effective permissions are the combination of all the roles assigned. Where roles with different levels of access are assigned to the same principal, for example Reader by one assignment and Contributor by another, the highest level, Contributor in this example, is what takes effect. A role's NotActions list is not a deny; it only narrows that role's own Actions. Deny assignments, however, always take precedence: if one assignment allows an action but a deny assignment blocks it, the deny wins. Note that you cannot create deny assignments directly; they are created on your behalf by Azure Blueprints and managed applications.
3. Management Groups Walkthrough
In this lecture, we're going to take a look at how we can set up management groups to better organise our subscriptions. The first thing we need to do is elevate the rights of the user we're logged in as so that it can manage management groups, because by default that is disabled. So go to Azure Active Directory and then the Properties blade; at the bottom we can see Access management for Azure resources. The first step is to switch that to Yes and click Save. Bear in mind that this grants your account User Access Administrator at the root scope, above every management group and subscription in the tenant, so switch it back off once the hierarchy is set up. Once that's done, in the search box at the top, search for "management groups" and choose Management groups. By default we only have one management group, the Tenant Root Group, and if we go to its details we can see some basic information, such as which subscriptions sit under it.
We can see what policies are assigned, the cost analysis at that level, and any deployments. So it's basically a level above the subscription, which is what we've been working with so far. We can also assign access controls to a management group, and any access controls we set there flow down automatically to every subscription in it. I'm going to go back to the management groups list. If we wanted to create a structure in here, we would do it simply by clicking Add management group and giving it a name. There are two fields: a management group ID, which can't be changed once created, and a management group display name. The ID can be something that makes sense; for example, I could use teaching as the ID and set the display name to Teaching as well.
Now that the management group has been created, we can move subscriptions into it. Before we do that, we need to make sure we have enough access to move the subscription around: we need Owner rights at the subscription level and on the management group. The easiest way to do this is to make use of the hierarchy and give the user account we're logged in as Owner rights at the Tenant Root Group. So, on the tenant root, click Details, go to Access control (IAM), add a role assignment, select your own account, set the role to Owner, and click Save. Once that's done, under Role assignments we'll see that we've been added as Owner. And if we go to our subscription and look at its access control and role assignments, we now see that we have Owner on the subscription, inherited from the management group. With that in place, we can go to our subscription, click the ellipsis, and click Move; or we can go into the management group's details, click Add subscription, select the subscription, and click Save.
4. Role Based Access Controls Walkthrough
In this lecture, we're going to look at assigning different roles, and in particular custom RBAC roles, to a user. In this window, I'm logged in as the User One account that we created earlier, and I'm looking at the Windows virtual machine, which is currently stopped. If I look at the access control for this virtual machine and its role assignments, we can see that the End Users group has Reader access, and if we look at the members of that group, we can see that I'm a member. If we click on the Reader role itself to see what it contains, it shows us all the different areas of access it gives us.
In particular, if we scroll down to Microsoft.Compute, we can see that we've got read access to all these different components. And if we scroll right down to the bottom to Virtual Machines and click it, we can see in quite granular detail what access we have: we have read access to a virtual machine, but no other actions. So, for example, we can't power off virtual machines, and we can't start them. If we go back to the overview blade for our virtual machine and put that to the test by clicking Start, we get the error "Failed to start virtual machine", because this user doesn't have the start action. So what we're going to do is create a custom role that grants this user the right to start and stop virtual machines.
So I'm going to switch to another browser window, in which my administrative user is logged in, and go into my subscription. I'm going to go to Access control (IAM) and click Add, where we have an option to add a custom role, so I'm going to select that. When creating custom roles we have several ways to do it: clone an existing role, start from scratch, or upload a JSON document. I'm going to do this manually from scratch. So first we'll give it a name, Virtual Machine Operator, and a description noting that it's a custom role. I'll choose Start from scratch and click Next. The next thing I want to do is add the permissions I want.
So click Add permissions. The permissions I want are the virtual machine permissions under Microsoft.Compute, so I'll first search for "compute", select Microsoft Compute, and scroll down the list of permissions. As you can see, there's quite a lot we can do with compute. The ones I want are right at the bottom under Virtual Machines; note that we want Virtual Machines, not Virtual Machine Scale Sets. In there, find Start a virtual machine and Deallocate a virtual machine, which gives us the ability to power it off and release its compute. Click Add. Once we've got the permissions we want, click Next, and then we assign the scope: when we create custom roles, we tell Azure at which scopes the role may be assigned.
So, for example, the available scope for us at the moment is the subscription itself. You can set the assignable scope to resource groups or even individual resources, but I'm going to set this at the subscription level, so we'll just select that and click Next. This then shows us the resulting JSON, which we could download and keep a copy of, or modify manually; for example, if we wanted to add more actions, we could add them here. Once we're happy with the role, click Next and then Create. As the message tells you, it can take a few minutes for the new role to become available. If we now go to add a new role assignment, select User One, and scroll right to the bottom of the list of roles, we should see our Virtual Machine Operator role. Click Save. Now, if we switch back to the browser where we're logged in as User One, look at the virtual machine again, and try to start it, it will start, because the extra role has been applied. Note that the custom role contains no read action of its own: User One can still find the virtual machine in the portal only because the Reader assignment on the End Users group is still in place.
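To make the behaviour described in the last three lectures concrete, here is an added example (not the course's code, and not Microsoft's) that models how Azure RBAC resolves an action at a scope: the management group to resource inheritance from the management groups walkthrough, the cumulative assignments, NotActions and deny precedence from lecture 2, and the Virtual Machine Operator custom role from this walkthrough. The scope ids, principal ids and the reduced built-in role definitions are constructed for the example; the real Contributor role carries further NotActions, and a real deny assignment would come from Azure Blueprints or a managed application.

```python
"""Added example, not the course's own code: how Azure RBAC decides whether a
principal may perform an action at a scope. Models scope inheritance
(management group -> subscription -> resource group -> resource), cumulative
role assignments, NotActions and deny assignments. All ids are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple                 # wildcard patterns such as "*/read"
    not_actions: tuple = ()        # subtracted from actions; not a deny
    assignable_scopes: tuple = ()  # empty here means a built-in role

RoleAssignment = namedtuple("RoleAssignment", "principal role scope")
DenyAssignment = namedtuple("DenyAssignment", "principals actions scope")

# Constructed scopes mirroring the course's Teaching management group layout.
TENANT_ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root"
MG_TEACHING = "/providers/Microsoft.Management/managementGroups/teaching"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-vms"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-windows"
# Management-group membership is not visible in the scope string, so map it.
HIERARCHY = {SUB: MG_TEACHING, MG_TEACHING: TENANT_ROOT}

ROLES = {
    # Built-in roles, reduced to the entries this example needs.
    "Owner": RoleDefinition("Owner", ("*",)),
    "Contributor": RoleDefinition("Contributor", ("*",), not_actions=(
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action")),
    "Reader": RoleDefinition("Reader", ("*/read",)),
    # The custom role built in the walkthrough: start and deallocate only.
    "Virtual Machine Operator": RoleDefinition(
        "Virtual Machine Operator",
        ("Microsoft.Compute/virtualMachines/start/action",
         "Microsoft.Compute/virtualMachines/deallocate/action"),
        assignable_scopes=(SUB,)),
}

def parent_scope(scope, hierarchy=HIERARCHY):
    """The enclosing scope, or None at the tenant root management group."""
    if scope in hierarchy:                          # subscription or MG
        return hierarchy[scope]
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        return scope.split("/providers/")[0]        # resource -> resource group
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/")[0]   # resource group -> subscription
    return None

def ancestors(scope, hierarchy=HIERARCHY):
    """The scope, then every scope above it; assignments there are inherited."""
    while scope is not None:
        yield scope
        scope = parent_scope(scope, hierarchy)

def matches(pattern, action):
    """Action patterns are case-insensitive and '*' also spans '/'."""
    return fnmatchcase(action.lower(), pattern.lower())

def role_permits(role, action):
    """Permitted when some Actions entry matches and no NotActions entry does."""
    return (any(matches(p, action) for p in role.actions)
            and not any(matches(p, action) for p in role.not_actions))

def can_assign(role, scope, hierarchy=HIERARCHY):
    """A custom role may only be assigned at or below one of its AssignableScopes."""
    return (not role.assignable_scopes
            or any(s in role.assignable_scopes for s in ancestors(scope, hierarchy)))

def decide(principal_ids, action, scope, assignments, denies=(), roles=ROLES,
           hierarchy=HIERARCHY):
    """Return (allowed, reason). principal_ids is the caller's own object id plus
    the ids of every group it belongs to, as the token's group claims would carry."""
    applicable, ids = set(ancestors(scope, hierarchy)), set(principal_ids)
    for d in denies:  # a matching deny assignment beats every role assignment
        if d.scope in applicable and ids & set(d.principals) \
                and any(matches(p, action) for p in d.actions):
            return False, f"deny assignment at {d.scope}"
    for a in assignments:  # cumulative: one grant at or above the scope suffices
        if a.principal in ids and a.scope in applicable \
                and role_permits(roles[a.role], action):
            return True, f"{a.role} assigned at {a.scope}"
    return False, "no role assignment grants this action"

# Constructed assignments from the lectures: Reader for the End Users group at
# the subscription, Owner for the admin at the tenant root (inherited by every
# subscription beneath it), and then the custom role for User One.
BEFORE = [RoleAssignment("group:end-users", "Reader", SUB),
          RoleAssignment("user:admin", "Owner", TENANT_ROOT)]
AFTER = BEFORE + [RoleAssignment("user:user1", "Virtual Machine Operator", SUB)]
DENIES = [DenyAssignment(("user:user1",),
                         ("Microsoft.Compute/virtualMachines/deallocate/action",), RG)]
USER1 = ("user:user1", "group:end-users")  # User One is a member of End Users
```

`decide(USER1, "Microsoft.Compute/virtualMachines/start/action", VM, BEFORE)` reproduces the "Failed to start virtual machine" situation, and the same call with `AFTER` succeeds because the custom role at subscription scope is inherited by the VM. Passing `DENIES` shows the precedence rule: the deny on the resource group wins even though the custom role grants deallocate at the subscription. `can_assign` is the check the portal applies when you try to assign a custom role outside its AssignableScopes.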
5. Policies and Initiatives
On a platform as powerful, dynamic, and wide-ranging as Azure, with hundreds of possible components covering scenarios from purely external-facing applications to completely isolated ones and hybrids in between, it is all too easy to deploy solutions that conflict with the company's compliance policies. As an example, for some companies the location of systems and data must be within the jurisdiction of the home country. While it may be possible to exert some control over this through rigorous reviews and checks, Azure provides an automated route known as Azure Policy and initiatives.
Whereas role-based access control limits what an individual can perform, an Azure policy constrains what is possible to configure on individual components. So, for example, we could create a policy that restricts the locations to which any component can be deployed. Like RBAC, policies can be applied at various levels, and like RBAC they flow down through the hierarchy of management groups, subscriptions, and resource groups to the components within them. And again, like RBAC roles, they combine and compound. However, whereas RBAC is deny by default, requiring you to explicitly grant access to users, policy is permit by default and must explicitly deny. In other words, unless a policy specifically denies a configuration, it will be allowed.
Azure provides a number of built-in policies that can be leveraged. Allowed storage account SKUs checks whether a storage account being deployed is within a defined set of SKUs. Allowed resource types lets you deny resources that aren't part of a defined list. As previously mentioned, Allowed locations limits the locations in which new resources can be deployed. Allowed virtual machine SKUs lets you specify which virtual machine sizes can be deployed; for example, you might want to exclude the more expensive options.
Add a tag to resources applies the required tag with a default value where it has not already been specified; Require a tag simply enforces that the tag is present; and finally Not allowed resource types is the opposite of allowed resource types, defining a list of blocked resource types. And again, as with RBAC roles, in addition to the built-in policies you can create your own custom policies.
When creating policies, you can include parameters in them, very much as we saw with ARM templates for deploying components. Rather than a hard-coded policy that restricts deployments to, say, the US, you would create a policy that restricts deployments to a location passed in as a parameter.
Once policies have been defined, they are then assigned, and it is at this point that you supply those parameters. When assigning a policy, you also set the scope, such as a subscription or resource group, but, unlike RBAC roles, you can also set exclusions within that scope. So, for example, you may want to prevent users from managing network components. In this scenario, you would create a policy that prevents the creation or editing of VNets within a subscription.
But then you could set an exclusion for the resource group that will be used for those networking components. This way, networking components can only be created in the resource group that you've excluded. If you then combine that with an RBAC assignment that limits access to that resource group to a few specific users, you can effectively lock down the ability to manage networking.
Another important aspect of policies is that they don't necessarily prevent something from happening: you have to define what to do in the event that a component does not match the policy, and this is the policy's effect. Append adds a defined value where the specified value is missing; so, for example, if no IP rules had been set on a storage account, the policy could set that value for you. Audit and AuditIfNotExists simply generate a warning in the activity log but don't fail the request.
Deny generates an event in the activity log and fails the request, preventing the resource from being deployed. DeployIfNotExists is similar to Append, but it deploys related resources rather than simply updating a field on the requested resource. Disabled doesn't evaluate resources for compliance with the policy rule at all, and Modify adds, updates, or removes defined tags on a resource.
Because policies are hierarchical and compound, it is generally preferable to audit first to ensure they do not cause any unintended harm. After testing them and seeing how they behave in actual use, you can amend those policies to be either preventative or remedial. It's quite possible to have lots of different policies; in fact, you may need multiple policies to implement or report on a particular area of compliance. For this reason, you can group policies into initiatives and then assign the initiative instead.
Again, like policies, initiatives can use parameters so that they are easier to reuse in different scenarios. There are a few best practices when working with policies. First, start with an Audit effect instead of Deny and track the impact of your policy definition; if scripts are already in place to auto-scale your applications, a Deny effect might break that automation. Consider the organisational hierarchy when creating definitions and assignments: create definitions at higher levels, such as the management group or subscription, and assign them lower down where needed. Create and assign initiative definitions even if they only contain a single policy. Once you've created an initiative assignment, any policy definition added to the initiative also becomes part of that assignment, and when an initiative assignment is evaluated, all policies within it are evaluated. So if you need to evaluate a policy individually, it's better not to include it in the initiative.
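As an added example (not the course's or Microsoft's code), here is a miniature evaluator for the policy concepts in this lecture: parameterised definitions, assignment scope with exclusions (notScopes), the Audit, Deny and Append effects, and an initiative bundling definitions. The condition language is a small subset of the real one (field with equals, notEquals, in, notIn and exists, plus allOf, anyOf and not), the resource ids and policies are constructed, and initiative parameters are simply passed through to every definition in the initiative, which the real service does through explicit parameter mapping.

```python
"""Added example, not the course's or Microsoft's code: a miniature Azure Policy
evaluator (parameterised definitions, assignment scope with notScopes exclusions,
the audit/deny/append effects, and an initiative). Everything here is constructed."""
import copy
from collections import namedtuple

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_VMS = SUB + "/resourceGroups/rg-vms"
RG_NET = SUB + "/resourceGroups/rg-network"

PolicyDefinition = namedtuple("PolicyDefinition", "name rule parameters", defaults=[{}])
Initiative = namedtuple("Initiative", "name definitions")
# target is a PolicyDefinition or an Initiative; not_scopes are the exclusions
Assignment = namedtuple("Assignment", "target scope parameters not_scopes",
                        defaults=[{}, ()])

def in_scope(resource_id, scope):
    return resource_id == scope or resource_id.startswith(scope + "/")

def resolve(value, params):
    """Expand a [parameters('x')] reference the way the policy language does."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def get_field(resource, name):   # tags['env'] addresses resource["tags"]["env"]
    if name.startswith("tags["):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def set_field(resource, name, value):  # only tag fields are appended in this example
    resource.setdefault("tags", {})[name[6:-2]] = value

OPS = {"equals": lambda a, e: a == e, "notEquals": lambda a, e: a != e,
       "in": lambda a, e: a in e, "notIn": lambda a, e: a not in e,
       "exists": lambda a, e: (a is not None) == e}  # real policy spells "true"/"false"

def condition_holds(cond, resource, params):
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    op, expected = next((k, v) for k, v in cond.items() if k != "field")
    return OPS[op](get_field(resource, cond["field"]), resolve(expected, params))

def evaluate(resource, assignments):
    """Return (allowed, resource_after_append, findings). A request is allowed by
    default; only a deny effect (or a conflicting append) fails it."""
    resource, allowed, findings = copy.deepcopy(resource), True, []
    applicable = [a for a in assignments if in_scope(resource["id"], a.scope)
                  and not any(in_scope(resource["id"], ns) for ns in a.not_scopes)]
    for a in applicable:
        defs = a.target.definitions if isinstance(a.target, Initiative) else [a.target]
        for d in defs:  # assignment parameters override the definition's defaults
            params = {**{k: v["defaultValue"] for k, v in d.parameters.items()},
                      **a.parameters}
            if not condition_holds(d.rule["if"], resource, params):
                continue
            effect = resolve(d.rule["then"]["effect"], params).lower()
            if effect == "disabled":
                continue
            findings.append((d.name, effect))  # audit stops here: logged, not blocked
            if effect == "deny":
                allowed = False
            elif effect == "append":
                for item in d.rule["then"]["details"]:
                    current = get_field(resource, item["field"])
                    value = resolve(item["value"], params)
                    if current is None:
                        set_field(resource, item["field"], value)
                    elif current != value:  # conflicting non-array value: append denies
                        allowed = False
    return allowed, resource, findings

ALLOWED_LOCATIONS = PolicyDefinition("allowed-locations",
    {"if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
     "then": {"effect": "[parameters('effect')]"}},
    {"listOfAllowedLocations": {"defaultValue": []},
     "effect": {"defaultValue": "audit"}})  # audit first; switch to deny once tested
ADD_ENV_TAG = PolicyDefinition("add-env-tag",
    {"if": {"field": "tags['env']", "exists": False},
     "then": {"effect": "append",
              "details": [{"field": "tags['env']", "value": "[parameters('envTag')]"}]}},
    {"envTag": {"defaultValue": "teaching"}})
NO_VNETS = PolicyDefinition("no-virtual-networks",
    {"if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
     "then": {"effect": "deny"}})
BASELINE = Initiative("compliance-baseline", [ALLOWED_LOCATIONS, ADD_ENV_TAG])

def assignments(location_effect="deny"):
    """The lecture's layout: the baseline at subscription scope, and VNets
    blocked everywhere except the excluded rg-network resource group."""
    return [Assignment(BASELINE, SUB, {"listOfAllowedLocations": ["uksouth", "ukwest"],
                                       "effect": location_effect}),
            Assignment(NO_VNETS, SUB, not_scopes=(RG_NET,))]

def resource(rg, rtype, name, location, tags=None):
    return {"id": f"{rg}/providers/{rtype}/{name}", "type": rtype,
            "location": location, "tags": dict(tags or {})}
```

Calling `evaluate(resource(RG_VMS, "Microsoft.Compute/virtualMachines", "vm1", "westus"), assignments("audit"))` returns allowed with an audit finding, while `assignments()` (deny) fails the same request; a VNet in rg-vms is denied but the same VNet in rg-network is allowed because that resource group is excluded from the assignment, which is the exclusion pattern described above. The `effect` parameter on the allowed-locations definition is the hook the best-practice advice relies on: assign it as audit first, then flip the assignment to deny without editing the definition.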