The two main identity objects used to assign permissions and access in Entra ID.
What are users and groups?
This Azure authorization system provides fine-grained access management by assigning roles to users/groups/identities at a scope.
What is Azure RBAC (Role-Based Access Control)?
This Azure service is used when you need centralized outbound filtering and egress control for VNets.
What is Azure Firewall?
This Azure key management service stores and manages keys (and is commonly used for encryption at rest scenarios).
What is Azure Key Vault?
These risk signals can be evaluated to automatically respond to suspicious authentication behavior (for example, requiring MFA or blocking).
What are user risk and sign-in risk (from Entra ID Protection signals)?
An Azure RBAC assignment is always made of these three components.
What are security principal, role definition, and scope?
NSG rules are evaluated in order by this setting—lower numbers are processed before higher numbers.
What is rule priority?
This Azure SQL encryption option allows customers to control the TDE protector using their own keys.
What is customer-managed TDE (Bring Your Own Key / BYOK)?
The Entra ID feature that enforces access decisions based on signals like user, device, location, and risk.
What is Conditional Access?
In Azure RBAC, permissions assigned at this scope apply to all child resource groups and resources.
What is the subscription scope (or management group scope)?
In AZ-500 labs, “Web Servers” and “Management Servers” are grouped using this construct so NSG rules don’t rely on individual IPs for each VM.
What is an Application Security Group (ASG)?
This encrypts Azure SQL data files, backups, and logs at rest without application changes and is enabled by default for new Azure SQL databases.
What is Transparent Data Encryption (TDE)?
Conditional Access policies are enforced after this step is completed, meaning it’s not your “frontline” against DoS but can react using signals.
What is first-factor authentication (primary authentication) completion?
This Entra governance feature reduces “standing admin access” by making privileged roles eligible and activated just-in-time.
What is Privileged Identity Management (PIM)?
This option places a PaaS resource into your VNet with a private IP, unlike Service Endpoints where the service still uses a public endpoint but restricts allowed subnets.
What is a Private Endpoint (Azure Private Link)?
This SQL security feature records database events such as logins, queries, and data modifications.
What is SQL Auditing?