Designing Microsoft Azure Infrastructure Solutions
Includes 174 Questions & Answers
Microsoft Azure Architect Technologies
Designing Microsoft Azure Infrastructure Solutions
Alright, so what we're going to talk about in this video is creating a brand new Active Directory account. Now, for myself, when I go into Active Directory, I already have an account. But it's quite possible, if you're just starting out, that you don't have an account. If you go into this Active Directory service and you don't have an account, it's going to prompt you to create one. There is a "Create a directory" link even within existing Active Directories if you already have an account and want to go through and create a second account. So I'm going to say to create a directory. Now, we do need to give the organisation a name. So let's call this TestAD Two. This simply has to be an organisation name that you're going to identify with this directory. Now, Active Directory does create a domain name, and this domain name is actually used when connecting with it. So create an Active Directory domain name that is something that, if you're going to have external people connecting to your Active Directory, they're going to see. So I'm going to put Azid SJD test ad two as my domain name, and you can see that it fully qualifies for it. I chose my region. So I am located in Canada. I'm going to scroll up to there, and I'm going to click Create. It says here that directory creation will take about 1 minute. So I'm going to click this button. I'm going to pause the video. When we come back, we're going to have a brand new Active Directory account that we can start playing with and creating user roles, assigning permissions to, etc., and having our applications use its authentication service. So I'll pause the video and we'll come back. We'll have an Active Directory to work with.
In this video, we're going to talk about the various self-service options that end users have to manage their accounts. If I go down to the password reset option of this Active Directory, you will see that there is a self-service password reset option. This is not enabled by default, and it's not even available for free accounts. When you upgrade to a Premium account, you will be able to allow end users to manage their own passwords, which includes the ability to recover a lost password via SMS or email. But like I said, we do need to enable this, and we do need to be on a Premium account in order for this to work. Without this enabled, people are going to have problems with their passwords. They're going to have to come to you or, more likely, your support line in order to say, "I'm having trouble logging in. Can you reset my password?" So this is a way of reducing costs by allowing users to reset their own password. Also, it's obviously incredibly convenient to be able to change your password. Even if you feel like it's time to change your password, you can change it without having to talk to someone. Again, this is a Helpdesk system, with people doing their password management through Helpdesk. It's a cost and a volume issue, right? So again, this is not available for the free account. If we wanted to, we could go and set this to a free trial. So we have a couple of options here: the Enterprise Mobility and Security option or the Azure AD Premium P2 option. So if I want to activate the free trial, then it's going to activate. Now this is included; it's 30-day access, and it gets you up to 100 users and applications within your account. So let's activate the free trial on this account. Now, this activated fairly quickly, almost instantly, actually. I had to switch directories to a different directory and then switch back in order for it to recognise it. But it does say "Azure AD for Office 365" instead of "Azure AD Free."
So now I should have access to a few more things that we're going to need to talk about in this section. If we go back to the password reset, we can see that we have the option. Now, to enable password reset options, I can select it for a particular group. We don't even have any groups in this account. Or I can say I want password resets available to all users. And so this, again, is for end users. These are the people for whom you've created accounts under the Users tab or have invited as guest users to manage their passwords. So click "Save." And now it's going to allow users to manage their own passwords. Now, in order for users to change their passwords, we're basically going to allow them to validate by email or by SMS message. We can have a mobile app. So there's a Microsoft mobile app that basically will let them have a code that they can approve, or some type of security question where they give their mother's maiden name and the street they grew up on in order to validate. That's a bit of an insecure method, but if you allow them to validate through email and a mobile phone, then they can modify their passwords once they've gone through that. So by default those are the authentication methods, and you can obviously set them up for that. Of course, if you are turning this on, then you might want users to be forced to sign up with an email address or a phone number when they create their account in order to have that ready for them when they forget their password. So there's no point in not having an email, not having a phone number, losing your password, and then basically forcing them to go through support to change their password at that point. There's also the ability for them to revalidate and confirm that their phone numbers and email addresses are still correct every X number of days. This is another security precaution under "Notifications."
When the password does change, it's a good idea to send the user an email to say, "Oh, we just changed your password." That way, if there's a hacking attempt or something's happened, there's at least an audit trail, and users will be notified that somebody has modified their password most of the time. Hopefully they expect it. Now, you can also set this up to notify admins when other admins reset their password. So that's another security point: where an administrative account has a password reset, maybe we do want the other admins to know that Bob's account didn't get hacked, and Bob's an admin, so that's a pretty serious violation. So I would turn that on. If you want to allow people to go through a Help Desk, there's a "Contact your administrator" link. You can sort of customise that and add a contact portal. Maybe you've got a Help Desk account and they can create things, etc. So we don't have on-premises integration, which means imagining you have an Active Directory within your network and synchronising those accounts to the Internet through Microsoft Azure Active Directory. A person changes their password through Azure Active Directory. Do you want to write back those passwords to the on-premises server? That allows users to change their Windows login through a password switch on the Internet. So those are the options if you've got AD Connect enabled. So setting up password reset is a smart idea, from saving money to allowing users to manage it. Again, you do have to be on a premium account for that, but once you've done that, it's a pretty good idea to enable it.
So in this section of the course, we're going to be talking about authentication. Now one of the key concepts of the exam in terms of identity is understanding the difference between authentication and authorization. Now authentication proves who you are. So if you are able to show your driver's licence and the picture matches you, then you are authenticated. In the case of a computer system, obviously you're going to provide what is usually a user ID and password. Typically, you're going to have to have some type of password policy in place so that passwords are not easily guessable. Maybe the password has to be changed from time to time; there are policies about its complexity, the reusing of the password, etc. Those types of policies give an extra layer of authentication. Sometimes companies require multifactor authentication. Now, multifactor authentication is a feature of Azure Active Directory. And what that is is basically proving that you have access to something else, whether it's access to your email account, an SMS message, or an application installed on your phone. It's basically another factor that is going to prove that you are who you say you are in addition to your user ID and password. Now, sometimes you don't do the authentication where your application is. You basically do what is known as "federating" that to an external service. So, if you've ever used an application that requires you to log in with Facebook but isn't Facebook, or if you use Google, LinkedIn, or Microsoft, which has its own authentication as well: any third-party application that makes use of one of these other services is said to be federating the identity to that other service. So the application developer is trusting that the other service will prove that you are who you say you are. They return a token or some other way to approve that you are, and then they trust that token. Now that's authentication.
Now, authorization is related, but it has to do with what level of access you are authorised to get access to. So within Microsoft Azure, we're typically talking about three levels of access at the top level. Now, authorization can be so complicated. There are literally dozens and hundreds of built-in roles that you can assign, and you can even create custom roles. But at the top level, the core of it all is that you're either going to have read-only access to something, you're going to have contributor access, or you're going to have owner access. Read-only is fairly self-explanatory. You are able to view the resource and check on its status, but you're not able to modify, delete, or otherwise change the resource in any way. With contributor access, you basically have full rights to start, stop, delete, or create within that resource. But the owner is the person who is able to grant rights to other people. So a contributor can't create other contributors, but an owner can create other owners and also create other contributors. Now, like I said, there are literally 100 plus built-in roles, and we're going to see that in a second within Azure. So, for each of the top-level resources within Azure, such as storage accounts, virtual machines, and networks, as well as all of the hundreds of resources that Azure provides access to, there are built-in roles for read-only access and contributor/owner level access to those individual resources. Now, when you're setting up users, let's say, outside of Azure in your own systems, how detailed do you want to get in terms of granting someone access? Now, many applications simply treat all users with the same level of access. So once you have logged into an application, the application accepts your credentials, you are in, and there's no further credential check. There's no level of access within the application. That's quite common.
But some applications do grant special permissions to some people but not to others. There might be an administrative section in your app. There may be those who have their own system, such as a reporting system. You're going to see some granularity to that. And that's basically a decision you're making based on design. And I briefly mentioned that Microsoft has an authentication service called Azure Active Directory. So instead of building your own user ID and password system within your applications, you can allow Azure Active Directory to manage your users and their passwords. And you don't have to have that code. Now, if you need a profile or you need an about page, you would still have to do that part. But in terms of collecting a user ID and password, letting them change their password, letting them register for an account if they don't have one, and handling the issues of people trying to log in that are not authorised, account lockouts, all of these things are handled within Azure Active Directory. So that saves you a lot of development time and gives you more features than you might otherwise have. We could look at Azure Active Directory. This is a very high-level look at Azure Active Directory. Basically, you can enforce these sophisticated password complexity levels. So it has to be a minimum length. It has to have certain characters, letters, numbers, and upper- and lower-case symbols. It also synchronises with your corporate Active Directory. So if you already have an existing store of users, then you simply synchronise with Active Directory. And all of those users now have cloud authentication available to them. What that does is allow single sign-on to exist, which means your application can use the same corporate user ID and password that the users use to log in to their desktop at work, and so they don't have to memorise additional passwords.
We briefly talked about multifactor authentication, and Azure Active Directory does allow you to enforce multifactor authentication. Now, you can do this quite selectively. Maybe only administrative users have it, or maybe certain users or users who are exhibiting strange, unusual login habits like logging in from outside your office or even logging in from outside your country have it. One of the central tenets of the authorization element is role-based access control. So we've talked about authentication. Authorization is role-based access control, that is, a reader-contributor-owner model where you have roles assigned to people. Azure Active Directory also supports this external federation, effectively working with social media accounts. And so there are quite a number of external systems, such as LinkedIn, Microsoft, Facebook, and Google Plus, that it supports. And it's also particularly good if you have partners that you don't want to add to your own Active Directory. So if you have contractors, partners, or agencies that you don't want to be part of your organization but you still need to give them selective access to some of your applications, you can use Azure Active Directory to synchronise with them.
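The reader/contributor/owner point above, worked through as a small evaluator (an added example, not code from the course or from Microsoft): it shows why a Contributor can manage a VM but cannot hand out role assignments while an Owner can. The Actions/NotActions lists are a simplified subset of the real built-in role definitions (an assumption), and the subscription id, principals and scopes are constructed sample values.

```python
"""Simplified evaluator for Azure RBAC's Reader / Contributor / Owner model.

Added example, not from the course. The action lists below are a simplified
subset of the real built-in role definitions (assumption: only the wildcard
Actions/NotActions that matter for the delegation point are modelled).
"""
from fnmatch import fnmatchcase

# Built-in roles as (Actions, NotActions). An operation is allowed when some
# Action pattern matches it and no NotAction pattern matches it. Contributor's
# NotActions are why a contributor can do everything except assign roles.
BUILTIN_ROLES = {
    "Reader": (["*/read"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                             "Microsoft.Authorization/*/Delete",
                             "Microsoft.Authorization/elevateAccess/Action"]),
    "Owner": (["*"], []),
}

def action_matches(pattern: str, action: str) -> bool:
    # Azure action strings are case-insensitive; '*' also spans '/' here.
    return fnmatchcase(action.lower(), pattern.lower())

def role_permits(role: str, action: str) -> bool:
    actions, not_actions = BUILTIN_ROLES[role]
    allowed = any(action_matches(p, action) for p in actions)
    denied = any(action_matches(p, action) for p in not_actions)
    return allowed and not denied

def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    # Assignments inherit downward: a role granted on a resource group applies
    # to every resource under it. Compare whole path segments so that
    # ".../rg-app" does not accidentally cover ".../rg-app2".
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, principal: str, action: str, scope: str) -> bool:
    """assignments: list of (principal, role, scope) tuples."""
    return any(
        p == principal and scope_covers(s, scope) and role_permits(r, action)
        for p, r, s in assignments
    )

# Constructed sample scopes: subscription > resource group > virtual machine.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
SAMPLE_ASSIGNMENTS = [
    ("alice", "Owner", SUB),          # owner of the whole subscription
    ("bob", "Contributor", RG),       # contributor on one resource group
    ("carol", "Reader", RG),          # read-only on that resource group
]

if __name__ == "__main__":
    checks = [("bob", "Microsoft.Compute/virtualMachines/write"),
              ("bob", "Microsoft.Authorization/roleAssignments/write"),
              ("carol", "Microsoft.Compute/virtualMachines/write"),
              ("alice", "Microsoft.Authorization/roleAssignments/write")]
    for who, act in checks:
        print(f"{who:6} {act:55} {is_allowed(SAMPLE_ASSIGNMENTS, who, act, VM)}")
```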
So we're continuing to talk about authentication. And in this video, we're going to talk more about the feature of Azure that we talked about in the last video, called Single Sign On. To recap, single sign-on allows users who already have corporate user IDs and passwords to use those same accounts to log in to your custom Azure application. This works by synchronising your user IDs and passwords between your on-premises Active Directory and Microsoft Azure Active Directory. And this is done through a piece of software called AD Connect. AD Connect is effectively an agent that you download onto your corporate network. You authorise it and connect it to your on-premises AD, and it will synchronise the selected user IDs and hashes of their passwords into Microsoft Azure AD. You set up the filters so that not all the information is synchronised if you don't need it to be. As a result, your corporate users can use their username and password everywhere, including on their workstations and in the cloud. What's even cooler is if the password changes. So let's say you have a password policy and the user has to change their password. There's basically a synchronisation that happens every 15 minutes or so where those updated passwords will get pushed out to the cloud as well. The same happens when users are deauthorized. So if you have a user who departs your organization, you simply deactivate their account within your on-premises Active Directory. And again, as long as your synchronisation is working within those 15 minutes or so, you can basically assure that they no longer have access to their online apps as well. So, as you can see, there are a lot of advantages to single sign on. It's something you should look into if you're implementing applications in Azure.
So one of the new requirements added to the AZ-304 exam is to understand Azure AD Connect Cloud Sync. So Azure AD Connect still exists and now there is a companion product called Cloud Sync, which does a lot of the same features for slightly different purposes. So in this video, we're going to examine AD Connect Cloud Sync and examine the differences with AD Connect. Now, AD Connect Cloud Sync is really a cloud-hosted version of Azure AD Connect. As you know, AD Connect is a piece of software. It's an agent that you download and install inside of your premises, and it can connect to your premises' Active Directory and synchronise those users and groups into the cloud. The AD Connect Cloud Sync service operates in the cloud. So all of the configuration and the work, if you will, happen in the cloud, and there's a very lightweight agent that's required to connect to your on-premises AD, but all it does is facilitate the communication. It's a bridge. So, if we look at the Azure documentation for AD Connect and AD Connect Cloud Sync, we can see that there is a lot of overlap, with AD Connect Cloud Sync shining in connecting with multiple on-premises AD forests. So instead of having to install Active Directory Connect on each of them and then having to worry about connectivity and how you're going to get these things all centralized, you are just basically doing that all centrally. So that makes sense: the logic and the work are done in a central location, and you basically have your spokes going out to various AD forests. It does have the lightweight model, so the installation isn't too heavy, and it does support multiple active agents. And so you can have multiple conversations going on at once, with synchronisation for all of them happening at the same time. And so this is really where the cloud part of it shines. It still synchronises single on-premises ADs as well. It can handle multiple on-premises ADs.
It does not work well with LDAP alone, obviously, over the Internet. LDAP does not work outside of the corporate firewall. And so, that's going to be a miss on the cloud element. But it handles users, groups, and contacts; it does not handle devices. As we go down, we can see there's a lot of overlap still. There's some customization around directory extensions on the traditional AD Connect side. AD Cloud Sync does not support pass-through authentication. As you know, pass-through is where a user logs into an application, and instead of the cloud's Active Directory handling that authentication, it actually just passes the request over the wire down to your on-premises server. Cloud Sync happens in more of a disconnected manner and not so much in terms of real-time logins. So now we can see things like password writeback, group writeback, and things like that going down. Also not used in the Cloud Sync model. Ads aren't supported, but the limits are pretty much the same in terms of 1500 objects and 500 users, and there are some pros and cons. So obviously the on-premises model has a lot more features, but you do have to do more of that work on premises, whereas the cloud model is a little lighter but can handle multiple threads, a lot of stuff happening at a time, and disconnected AD forests from other organizations. Even so, that is the difference between AD Cloud Sync and AD Connect. Now, if you want to explore this a little bit more, you go into your Azure AD tenant, and on the left you go under Azure AD Connect, and this is where you can find the agent, and you can also set up your Azure AD Cloud Sync. So both the AD Connect sync and the Cloud Sync are managed within the AD Connect blade of your Azure AD tenant.