AZ-204 Implement Azure security • Complete Question Bank
Complete AZ-204 Implement Azure security question bank, with answers and detailed explanations.
Drag a concept onto its matching description — or click a concept then click the description.
Automatically managed identity for Azure resources, with no secrets for the application to store
Identity for applications to access Azure resources
Delegated access token with limited permissions
Identity service for customer-facing applications
Drag a concept onto its matching description — or click a concept then click the description.
IaaS with full OS control
PaaS for web and API apps
Serverless event-driven compute
Managed job scheduling for parallel workloads
{
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
"equals": "Allow"
}
]
},
"then": {
"effect": "Audit"
}
}
}
}

{
"roleName": "Custom Storage Blob Data Reader",
"assignableScopes": ["/subscriptions/12345-.../resourceGroups/ProdRG"],
"permissions": [
{
"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
"notActions": [],
"dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
"notDataActions": []
}
]
}

{
"properties": {
"mode": "Indexed",
"parameters": {
"allowedLocations": {
"type": "array",
"defaultValue": [
"eastus",
"westus"
]
}
},
"policyRule": {
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "deny"
}
}
}
}

{
"type": "Microsoft.Authorization/roleDefinitions",
"properties": {
"roleName": "Custom SQL DB Reader",
"description": "Read-only access to Azure SQL Database",
"permissions": [
{
"actions": [
"Microsoft.Sql/servers/databases/read"
],
"notActions": []
}
],
"assignableScopes": [
"/subscriptions/12345678-1234-1234-1234-123456789abc"
]
}
}

Refer to the exhibit.
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceGroup().id, 'Storage Blob Data Contributor')]",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"principalId": "[reference(resourceId('Microsoft.Web/sites', 'myapp'), '2022-03-01', 'Full').identity.principalId]",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', 'mystorageacct')]"
}
}

Refer to the exhibit.
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2022-03-01",
"name": "[concat(parameters('siteName'), '/authsettingsV2')]",
"properties": {
"platform": {
"enabled": true
},
"globalValidation": {
"requireAuthentication": true,
"unauthenticatedClientAction": "RedirectToLoginPage"
},
"identityProviders": {
"azureActiveDirectory": {
"enabled": true,
"registration": {
"openIdIssuer": "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0",
"clientId": "11111111-1111-1111-1111-111111111111"
}
}
}
}
}

Refer to the exhibit.
{
"type": "Microsoft.Authorization/roleDefinitions",
"name": "Custom Storage Blob Contributor",
"properties": {
"roleName": "Custom Storage Blob Contributor",
"description": "Grants full access to storage blob containers and data",
"type": "CustomRole",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
],
"notDataActions": []
}
],
"assignableScopes": [
"/subscriptions/12345678-1234-1234-1234-123456789abc"
]
}
}

Refer to the exhibit.
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "mystorageaccount",
"location": "eastus",
"kind": "StorageV2",
"sku": {
"name": "Standard_LRS"
},
"properties": {
"minimumTlsVersion": "TLS1_2",
"supportsHttpsTrafficOnly": true,
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny",
"ipRules": [
{
"value": "192.168.1.0/24",
"action": "Allow"
}
],
"virtualNetworkRules": []
}
}
}

Refer to the exhibit.
{
"properties": {
"keyType": "RSA",
"keySize": 2048,
"keyOps": ["encrypt", "decrypt"],
"rotationPolicy": {
"lifetimeActions": [
{
"trigger": {
"timeAfterCreate": "P90D"
},
"action": {
"type": "Rotate"
}
}
]
}
}
}

Refer to the exhibit.
{
"roleName": "CustomRole",
"actions": [
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/secrets/read"
],
"notActions": [],
"assignableScopes": ["/subscriptions/sub1/resourceGroups/rg1"]
}

{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2022-07-01",
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 90,
"enableRbacAuthorization": true,
"networkAcls": {
"defaultAction": "Deny",
"bypass": "AzureServices",
"ipRules": [],
"virtualNetworkRules": []
}
}
}

Refer to the exhibit.
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2023-11-01",
"name": "nsg-app",
"properties": {
"securityRules": [
{
"name": "AllowSSH",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "VirtualNetwork",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
},
{
"name": "DenyAll",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 200,
"direction": "Inbound"
}
}
]
}
}