Manage identities and governance in Azure Flashcards

1
Q

Administrator roles

A

Administrator roles in Azure AD allow users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organization. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more

2
Q

Administrator roles Con’t

A

If your user account holds the User Administrator or Global Administrator role, you can create a new user in Azure AD from the Azure portal, the Azure CLI, or PowerShell. In PowerShell, use the cmdlet New-AzureADUser (the AzureAD module is deprecated in favour of Microsoft Graph PowerShell, where the equivalent is New-MgUser). In the Azure CLI, use az ad user create. Prefer User Administrator for day-to-day account creation; Global Administrator is far more than this task needs.

3
Q

Member users

A

A member user account is a native member of the Azure AD organization that has a set of default permissions like being able to manage their profile information. When someone new joins your organization, they typically have this type of account created for them

4
Q

Guest users

A

Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user

5
Q

Account Deletion

A

When you delete a user, the account is soft-deleted and kept for 30 days. During that 30-day window the account can be restored (Deleted users in the portal) with its object ID, group memberships and licenses intact; after 30 days it is permanently deleted and cannot be recovered

6
Q

Account Commands

A

powershell - New-AzureADUser
Azure CLI
az ad user create
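The following is an added example, not code from the flashcards or from Microsoft's documentation, covering the "Administrator roles Con't" and "Account Commands" cards together: it creates a cloud-only member user with New-AzureADUser the way a User Administrator would, then checks that the result is a Member with no directory role. It assumes an interactive Connect-AzureAD session and a hypothetical tenant domain, contoso.onmicrosoft.com; the user name and department are made up.

```powershell
# Added example (not part of the flashcards): create a cloud-only member user with the
# AzureAD module as a User Administrator would. Assumes an interactive Connect-AzureAD
# session and a hypothetical tenant domain, contoso.onmicrosoft.com.
Connect-AzureAD | Out-Null

# Generate a throwaway initial password instead of hard-coding one; the user is forced
# to change it at first sign-in, so the value never needs to be written down.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$initialPassword = -join (Get-Random -InputObject $chars -Count 20)

$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = $initialPassword
$passwordProfile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName "Sam Rivera" `
    -UserPrincipalName "sam.rivera@contoso.onmicrosoft.com" `
    -MailNickName "sam.rivera" `
    -AccountEnabled $true `
    -PasswordProfile $passwordProfile `
    -Department "Sales" `
    -UsageLocation "US"

# Check what was created: a Member (not a Guest) that holds no directory role.
Get-AzureADUser -ObjectId $user.ObjectId |
    Select-Object DisplayName, UserPrincipalName, UserType, AccountEnabled
Get-AzureADUserMembership -ObjectId $user.ObjectId |
    Where-Object { $_.ObjectType -eq "Role" }
```

The Azure CLI equivalent is az ad user create with --display-name, --user-principal-name and --password; either way, do not echo the initial password into a shell history or a pipeline log.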

7
Q

Azure AD roles

A

Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more

8
Q

Role-based access control (RBAC) for Azure resources

A

Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription

9
Q

Access rights through single user or group assignment

A
  1. Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights.
  2. Group assignment: Assign a group the required access rights, and members of the group will inherit those rights.
  3. Rule-based assignment: Use rules to determine a group membership based on user or device properties. For a user account or device’s group membership to be valid, the user or device must meet the rules. If the rules aren’t met, the user account or device’s group membership is no longer valid. The rules can be simple. You can select prewritten rules or write your own advanced rules
10
Q

Azure AD

A

Azure AD is Microsoft’s cloud-based identity and access management service. It provides single sign-on and multi-factor authentication, which Microsoft states helps protect users from 99.9 percent of cybersecurity attacks

11
Q

Tenant

A

A tenant represents the organization and the default directory assigned to it.

12
Q

Subscriptions

A

Resources such as virtual machines, web sites, and databases are always associated to a single subscription. Each subscription also has a single account owner who is responsible for any charges incurred by resources in that subscription. If your organization wants the subscription to be billed to another account, you can transfer ownership of the subscription. A given subscription is also associated to a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory

13
Q

Users and groups

A

Users and groups can be granted access in multiple subscriptions, which lets them create, control, and access resources in each of those subscriptions. When you grant a user access to a subscription, that user must already exist in the Azure AD directory the subscription trusts

14
Q

Adding users

A
  1. Syncing an on-premises Windows Server Active Directory

Azure AD Connect is a separate service that allows you to synchronize a traditional Active Directory with your Azure AD instance. This is how most enterprise customers add users to the directory. The advantage to this approach is users can use single-sign-on (SSO) to access local and cloud-based resources.

15
Q

Use the Azure portal

A

You can manually add new users through the Azure portal. This is the easiest way to add a small set of users. You need the User Administrator role (or a higher role such as Global Administrator) to perform this function

16
Q

Security groups

A

These are the most common and are used to manage member and computer access to shared resources for a group of users

Creating a security group requires an Azure AD administrator role (for example User Administrator or Groups Administrator)

17
Q

Microsoft 365 groups

A

These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more.

This option also lets you give people outside of your organization access to the group. This option is available to users as well as admins

18
Q

Assigned Membership

A

Assigned. The group will contain specific users or groups that you select.

19
Q

Dynamic user Membership

A

You create rules based on user attributes to enable attribute-based dynamic membership for groups. For example, if a user’s department is Sales, that user is dynamically added to the Sales group, and if the department changes later the user is automatically removed. You can set up a dynamic membership rule on security groups or on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license. Because membership follows the attribute, anyone who can write that attribute (an on-premises AD administrator whose changes are synced, or a User Administrator) can effectively add users to the group, so do not gate privileged access on attributes that lower-privileged admins can edit
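As an added example (not code from the flashcards or from Microsoft), the following creates the Sales group described above as a dynamic security group with the AzureAD module and then reads back its rule and computed membership. It assumes an interactive Connect-AzureAD session, an Azure AD Premium P1 license, and a hypothetical group name; the rule also requires the account to be enabled so disabled users drop out of the group.

```powershell
# Added example: a dynamic security group whose membership is derived from user.department.
# Requires Azure AD Premium P1 and a role such as Groups Administrator or User Administrator.
Connect-AzureAD | Out-Null

# Rule syntax is the Azure AD membership-rule language; combining with accountEnabled
# means a disabled account leaves the group on the next evaluation.
$rule = '(user.department -eq "Sales") and (user.accountEnabled -eq true)'

$group = New-AzureADMSGroup -DisplayName "Sales-Dynamic" `
    -Description "All enabled users in the Sales department (rule-based)" `
    -MailEnabled $false -MailNickname "sales-dynamic" -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Membership is computed asynchronously; confirm the rule is being processed
# and inspect who currently qualifies.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, UserPrincipalName
```

Set MembershipRuleProcessingState to "Paused" if you need to freeze the group while investigating an unexpected member; the rule is kept but no longer evaluated.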

20
Q

Roles / intro

A

Azure AD provides several built-in roles to cover the most common security scenarios. To understand how the roles work, let’s examine three roles that apply to all resource types

21
Q

Owner / Contributor / Reader

A
  1. Owner, which has full access to all resources, including the right to delegate access to others.
  2. Contributor, which can create and manage all types of Azure resources but can’t grant access to others.
  3. Reader, which can view existing Azure resources
22
Q

JSON NOTATIONS FOR PERMISSIONS

A

Owner (allow all actions)
Actions: *
NotActions: -

Contributor (allow all actions except writing or deleting role assignments)
Actions: *
NotActions: Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action

Reader (allow all read actions)
Actions: */read
NotActions: -

23
Q

DataActions and NotDataActions

A

Data operations are specified in the DataActions and NotDataActions properties, separately from the management (control-plane) operations in Actions and NotActions. Because the two lists are evaluated independently, an existing role assignment whose Actions contain a wildcard (*) does not suddenly gain access to data: a role must list data operations explicitly in DataActions. Note that NotActions and NotDataActions only subtract from the same role’s Actions and DataActions; they are not deny rules, so a permission removed there can still be granted by another role assignment

24
Q

Custom Roles

A

Custom Azure AD (directory) roles require Azure AD Premium P1 or P2 and cannot be created in the free tier. Custom Azure RBAC roles for Azure resources are different: they are available in every subscription at no cost, and are defined by the same Actions, NotActions, DataActions, NotDataActions and AssignableScopes properties as the built-in roles.
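As an added example (not code from the flashcards or from Microsoft), the following defines an Azure RBAC custom role that uses the properties described on the "JSON notations", "DataActions and NotDataActions" and "Custom Roles" cards: a wildcard on the storage control plane, a NotActions list that carves out key-listing, and an explicit DataActions entry for blob reads. It assumes the Az.Resources module, a signed-in Connect-AzAccount session, and a placeholder subscription ID; the role name is hypothetical.

```powershell
# Added example: an Azure RBAC custom role that separates control-plane (Actions)
# from data-plane (DataActions) permissions. Assumes Az.Resources, Connect-AzAccount
# and a placeholder subscription ID.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real subscription

$roleJson = @"
{
  "Name": "Storage Blob Auditor (custom)",
  "IsCustom": true,
  "Description": "Manage storage account settings and read blob contents, but never read or rotate account keys.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action",
    "Microsoft.Storage/storageAccounts/delete"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@

# Enumerate the provider's operations first so every string above is a real operation
Get-AzProviderOperation "Microsoft.Storage/storageAccounts/*" |
    Select-Object Operation, IsDataAction | Format-Table -AutoSize

$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) "storage-blob-auditor.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8
$role = New-AzRoleDefinition -InputFile $roleFile

# Read back exactly what Azure stored
Get-AzRoleDefinition -Name $role.Name |
    Select-Object Name, Actions, NotActions, DataActions, NotDataActions, AssignableScopes
```

listKeys is an action, not a read, so a Reader (*/read) never gets keys either; here the wildcard in Actions would have granted it, which is why it has to be subtracted in NotActions. That subtraction only shapes this role: a principal that also holds Contributor through another assignment still gets listKeys.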

25
Q

Azure AD Connect

A

This is a free tool you can download and install to synchronize your local AD with your Azure directory

26
Q

What’s included in Azure AD Connect?

A

Sync services. This component is responsible for creating users, groups, and other objects. It also makes sure that identity information for your on-premises users and groups matches that in the cloud.

27
Q

What’s included in Azure AD Connect? 1

A

Health monitoring. Azure AD Connect Health supplies robust monitoring and a central location in the Azure portal for viewing this activity.

28
Q

What’s included in Azure AD Connect? 2

A

AD FS. Federation is an optional part of Azure AD Connect that you can use to configure a hybrid environment via an on-premises AD FS infrastructure. Organizations can use this to address complex deployments, such as domain join SSO, enforcement of the Active Directory sign-in policy, and smart card or third-party multi-factor authentication

29
Q

What’s included in Azure AD Connect? 3

A

Password hash synchronization. This feature is a sign-in method that synchronizes a hash of a user’s on-premises Active Directory password with Azure AD.

30
Q

What’s included in Azure AD Connect? 4

A

Pass-through authentication. This allows users to sign in to both on-premises and cloud-based applications using the same passwords. This reduces IT helpdesk costs because users are less likely to forget how to sign in. This feature provides an alternative to Password hash synchronization that allows organizations to enforce their security and password complexity policies.

31
Q

RBAC ROLES

A

Owner: Has full access to all resources, including the ability to delegate access to other users.
Contributor: Can create and manage all types of Azure resources, but can’t grant access to others.
Reader: Can view only existing Azure resources.
User Access Administrator: Can manage access to Azure resources.

32
Q

Identify the right scope

A

management groups, subscriptions, resource groups, and resources

33
Q

Azure AD roles

A

Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator. By default, whoever signs up for the directory is automatically assigned this role. Keep the number of Global Administrators small (Microsoft recommends fewer than five) and protect each with MFA, since the role can grant itself any other role.

User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users.

Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to RBAC permissions. The available billing permissions depend on the agreement you have with Microsoft.

34
Q

Azure roles

A

Manage access to Azure resources like VMs, storage, networks, and more

Multiple scope levels (management group, subscription, resource group, resource)

Role information accessible through Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API

35
Q

Azure AD roles

A

Manage access to Azure Active Directory resources like user accounts and passwords

Scoped at tenant level (administrative units allow some roles to be limited to a subset of users, groups or devices)

Role information accessible in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, Azure AD PowerShell

36
Q

What are resource groups?

A

Resource groups are a fundamental element of the Azure platform. A resource group is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription like virtual machines, Application Gateways, and CosmosDB instances

37
Q

Logical grouping

A

Resource groups exist to help manage and organize your Azure resources. By grouping resources of similar usage, type, or location, you give structure to what you create in Azure. Logical grouping is the aspect that matters most when an estate has grown without order.

38
Q

Authorization

A

Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed

39
Q

What is Azure Policy?

A

Azure Policy is a service you can use to create, assign, and manage policies. These policies apply and enforce rules that your resources need to follow. These policies can enforce these rules when resources are created, and can be evaluated against existing resources to give visibility into compliance.

40
Q

RBAC

ROLE BASED ACCESS CONTROL

A

RBAC provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. RBAC is considered a core service and is included with all subscription levels at no cost

41
Q

How RBAC defines access

A

RBAC uses an allow model for access. When you are assigned to a role, RBAC allows you to perform specific actions, such as read, write, or delete. Therefore, if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have both read and write permissions on that resource group

42
Q

What are resource locks?

A

Resource locks are a setting that can be applied to any resource to block modification or deletion

43
Q

Types Of Resource locks

A

Resource locks can be set to one of two levels. CanNotDelete (shown as Delete in the portal) allows all operations against the resource but blocks the ability to delete it.

ReadOnly allows only read operations against the resource, blocking any modification or deletion; note that it also blocks operations that are POST requests even though they look like reads, such as listing storage account keys. Resource locks can be applied to subscriptions, resource groups, and individual resources, and are inherited by everything under the scope at which they are applied

44
Q

Removing Locks

A

When a resource lock is applied, you must first remove the lock in order to perform the blocked activity. Only a principal allowed the Microsoft.Authorization/locks/* actions (Owner or User Access Administrator) can create or remove locks, so a Contributor cannot simply clear a lock and delete. By putting an additional step in place before the action can be taken on the resource, locks protect resources from inadvertent actions and protect admins from doing something they did not intend to do
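As an added example (not code from the flashcards or from Microsoft), the following applies a CanNotDelete lock to a resource group, shows that a delete of a resource inside it is refused because the lock is inherited, lists the locks in effect, and then removes the lock deliberately. It assumes Az.Resources, a Connect-AzAccount session, and hypothetical resource names and a placeholder subscription ID.

```powershell
# Added example: resource locks in practice. Assumes Az.Resources, Connect-AzAccount,
# a hypothetical resource group / VM and a placeholder subscription ID.
$rg   = "rg-app-prod"
$vmId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/vm-app-01"

# CanNotDelete: every management operation still works, only delete is refused.
# ReadOnly would also block updates (and listKeys on storage accounts, which is a POST).
New-AzResourceLock -LockName "prod-no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $rg `
    -LockNotes "Remove deliberately before deleting anything in this group" `
    -Force | Out-Null

# The lock on the group is inherited, so deleting a VM inside it fails
try {
    Remove-AzResource -ResourceId $vmId -Force -ErrorAction Stop
} catch {
    Write-Warning "Delete refused: $($_.Exception.Message)"
}

# Show which locks apply to the group and the resources in it
Get-AzResourceLock -ResourceGroupName $rg |
    Select-Object Name, @{ n = "Level"; e = { $_.Properties.level } }, ResourceName

# Removing the lock needs Microsoft.Authorization/locks/* (Owner or User Access
# Administrator); that extra, privileged step is the whole point of the lock.
Remove-AzResourceLock -LockName "prod-no-delete" -ResourceGroupName $rg -Force | Out-Null
```

Audit lock removals in the Activity Log (operation Microsoft.Authorization/locks/delete): a lock that disappears shortly before a deletion is exactly the sequence you want an alert on.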

45
Q

Azure subscriptions

A

First, remember that each Azure subscription is associated with a single Azure AD directory. Users, groups, and applications in that directory can manage resources in the Azure subscription. The subscriptions use Azure AD for single sign-on (SSO) and access management. You can extend your on-premises Active Directory to the cloud by using Azure AD Connect. This feature allows your employees to manage their Azure subscriptions by using their existing work identities. When you disable an on-premises Active Directory account, it automatically loses access to all Azure subscriptions connected with Azure AD

46
Q

What is RBAC?

A

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. With RBAC, you can grant the exact access that users need to do their jobs. For example, you can use RBAC to let one employee manage virtual machines in a subscription while another manages SQL databases within the same subscription

47
Q

scopes and roles

A

The scope of a role assignment can be a management group, a subscription, a resource group, or a single resource. A role assigned at a parent scope also grants access to every child scope contained within it

48
Q

Security principal (who)

A

A security principal is just a fancy name for the object you grant access to: a user, a group, or an application identity (a service principal or a managed identity).

49
Q

Role definition (what you can do)

A

A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the permissions that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Contributor

50
Q

built in roles

A

Owner - Has full access to all resources, including the right to delegate access to others.

Contributor - Can create and manage all types of Azure resources, but can’t grant access to others.

Reader - Can view existing Azure resources.

User Access Administrator - Lets you manage user access to Azure resources

51
Q

Scope (where)

A

Scope is where the access applies to. This is helpful if you want to make someone a Website Contributor, but only for one resource group

52
Q

role assignment

A

A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment
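As an added example (not code from the flashcards or from Microsoft) tying together the "security principal", "role definition", "scope" and "role assignment" cards, the following assigns a built-in role to a group at resource-group scope and then lists every assignment that applies to that group at that scope, including the ones inherited from the subscription. It assumes Az.Resources, a Connect-AzAccount session, and a hypothetical group and resource group.

```powershell
# Added example: a role assignment = security principal + role definition + scope.
# Assumes Az.Resources, Connect-AzAccount, and hypothetical names.
$rg = "rg-app-prod"
$group = Get-AzADGroup -DisplayName "vm-operators"   # hypothetical operators group

# Bind the built-in role to the group at resource-group scope. The caller needs
# Microsoft.Authorization/roleAssignments/write here (Owner or User Access Administrator).
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Virtual Machine Contributor" `
    -ResourceGroupName $rg | Out-Null

# What the group can now do in this resource group: the direct assignment plus
# anything inherited from the subscription or management group above it
Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $rg |
    Select-Object RoleDefinitionName, Scope, ObjectType

# RBAC is additive, so check for broader grants before calling this least privilege
Get-AzRoleAssignment -ObjectId $group.Id |
    Where-Object { $_.Scope -notlike "*/resourceGroups/$rg*" } |
    Select-Object RoleDefinitionName, Scope
```

Virtual Machine Contributor manages VMs but cannot touch the virtual network or the storage they use, which is the kind of role-to-scope pairing the "Scope (where)" card is describing.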

53
Q

RBAC is an allow model

A

RBAC is an allow model. When you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. So, if one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group. The one exception is Azure deny assignments (created by Azure Blueprints and Azure managed applications, not by users), which block an action even when a role assignment grants it

54
Q

billing zones

A

AZURE BILLING ZONES
Zone Areas
Zone 1 United States, US Government, Europe, Canada, UK, France, Switzerland
Zone 2 East Asia, Southeast Asia, Japan, Australia, India, Korea
Zone 3 Brazil, South Africa, UAE
DE Zone 1 Germany

55
Q

Azure Advisor

A

a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across each of these areas

56
Q

Azure Cost Management

A

built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas

57
Q

cost analysis

A

Act on the findings gathered through planning and increased cost visibility. Based on what the Cost Analysis tool shows, consider purchase and licensing optimizations (reservations, hybrid-benefit licensing) or changes to how infrastructure is deployed

58
Q

Moving Resource Groups

A

You can move resources from one resource group to another resource group in a different subscription

59
Q

Tag Limitations

A

Always check whether your Azure resource supports tags. For example, you can’t set tags on generalized VMs.

You can apply tags on resource groups, but tags aren’t automatically inherited by resources from their resource group. If you want all the resources in a resource group to have a tag, you must do this manually.

You can apply a maximum of 50 tags to a single resource or resource group in Azure
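Because tags on a resource group are not inherited, the following added example (not code from the flashcards or from Microsoft) copies the group's tags onto every resource in it, merging rather than replacing so each resource keeps its own tags, and treats resource types that reject tags as a warning rather than a failure. It assumes Az.Resources, a Connect-AzAccount session, and a hypothetical resource group name.

```powershell
# Added example: propagate resource-group tags to the resources inside it.
# Assumes Az.Resources, Connect-AzAccount and a hypothetical resource group.
$rg = "rg-app-prod"
$rgTags = (Get-AzResourceGroup -Name $rg).Tags
if (-not $rgTags -or $rgTags.Count -eq 0) { throw "Resource group $rg carries no tags to propagate" }

foreach ($res in Get-AzResource -ResourceGroupName $rg) {
    # Only add tags the resource does not already define; never overwrite its own values
    $missing = @{}
    foreach ($key in $rgTags.Keys) {
        if (-not $res.Tags -or -not $res.Tags.ContainsKey($key)) { $missing[$key] = $rgTags[$key] }
    }
    if ($missing.Count -eq 0) { continue }

    $existing = if ($res.Tags) { $res.Tags.Count } else { 0 }
    if ($existing + $missing.Count -gt 50) {
        Write-Warning "$($res.Name): would exceed the 50-tag limit, skipping"
        continue
    }

    try {
        # Merge keeps the resource's current tags and adds the missing ones
        Update-AzTag -ResourceId $res.ResourceId -Tag $missing -Operation Merge -ErrorAction Stop | Out-Null
        Write-Host "Tagged $($res.Name) with: $($missing.Keys -join ', ')"
    } catch {
        # Some resource types do not support tags at all
        Write-Warning "Could not tag $($res.Name) ($($res.ResourceType)): $($_.Exception.Message)"
    }
}
```

For new resources, the built-in Azure Policy definition "Inherit a tag from the resource group" does the same thing at deployment time with a modify effect, which is usually preferable to a scheduled script.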

60
Q

Moving Resource: Identify Type

A

First you need to identify the resource type of the resources you want to move. In the Azure portal, you can see the resource type for each resource on the All resources page. The same Type column is also included in the list of resources in a resource group

61
Q

Moving Resource: Check Limitations on the resource Type

A

After identifying the resource types of your resources, you must investigate whether they can be moved, and the restrictions that might be in place. Check your resource types against the move support for resources list. The list shows whether each resource type can be moved between resource groups or between subscriptions

62
Q

These resources can be moved

A

Azure Storage accounts
Azure virtual machines
Azure virtual networks

63
Q

These resources can’t be moved

A

Azure Active Directory domain services
Azure Backup vaults
Azure App Service gateways

64
Q

SSL Certificates

A

you can’t automatically move third-party SSL certificates

65
Q

Virtual Machines move

A

If you want to move a virtual machine, all of its dependents must go with it.

You can’t move virtual machines with certificates in Azure Key Vault between subscriptions.

You can’t move virtual machine scale sets with standard load balancers or a standard public IP.

You can’t move any managed disks that are in availability zones to different subscriptions.

66
Q

What happens when you move a resource group ?

A

When you start a move operation, the resource group holding your resources and the new destination resource group are locked. You can’t do write or delete operations on the resource groups until the move operation ends. Your resources aren’t affected, but you can’t add, delete, or update any resources in these resource groups

67
Q

Locations for Moves

A

Your moved resources don’t change location. For example, if you have a storage account in the East US region, and you move it to another resource group, it keeps its East US region location

68
Q

Move resources between subscriptions

A

Depending on the resource type, you can move your resources between subscriptions, or between resource groups within the same subscription

69
Q

Move guidance for networking resources

A

When moving a virtual network, you must also move its dependent resources

For VPN Gateways, you must move IP addresses, virtual network gateways, and all associated connection resources

Local network gateways can be in a different resource group

70
Q

Moving Network Components on a VM

A

To move a virtual machine with a network interface card to a new subscription, you must move all dependent resources. Move the virtual network for the network interface card, all other network interface cards for the virtual network, and the VPN gateways

71
Q

Peered virtual network

A

To move a peered virtual network, you must first disable the virtual network peering. Once disabled, you can move the virtual network. After the move, reenable the virtual network peering

72
Q

Subnet links

A

You can’t move a virtual network to a different subscription if the virtual network contains a subnet with resource navigation links. For example, if an Azure Cache for Redis resource is deployed into a subnet, that subnet has a resource navigation link

73
Q

Prepare to test your move

A

Before attempting to move a resource, you can test whether it will be successful by calling the validate move operation from the Azure REST API
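As an added example (not code from the flashcards or from Microsoft), the following calls the validateMoveResources operation through Invoke-AzRestMethod, follows the long-running operation until it completes, and only then suggests the actual move. It assumes Az.Accounts and Az.Resources, a Connect-AzAccount session, a placeholder subscription ID, and hypothetical resource group and storage account names; the api-version used is an assumption and should match the Microsoft.Resources version your environment supports.

```powershell
# Added example: validate a move before doing it. Assumes Az.Accounts, Az.Resources,
# Connect-AzAccount, a placeholder subscription ID and hypothetical names.
$sub      = "00000000-0000-0000-0000-000000000000"   # placeholder
$sourceRg = "rg-old"
$targetRg = "rg-new"
$resourceIds = @(
    "/subscriptions/$sub/resourceGroups/$sourceRg/providers/Microsoft.Storage/storageAccounts/stexample001"
)

$body = @{
    resources           = $resourceIds
    targetResourceGroup = "/subscriptions/$sub/resourceGroups/$targetRg"
} | ConvertTo-Json

# api-version is an assumption; pick one your tenant's Microsoft.Resources provider lists
$resp = Invoke-AzRestMethod -Method POST -Payload $body `
    -Path "/subscriptions/$sub/resourceGroups/$sourceRg/validateMoveResources?api-version=2021-04-01"

# Validation is asynchronous: 202 means poll the Location header until the result
# is 204 (the move is allowed) or 409 (a body explains what blocks it).
if ($resp.StatusCode -eq 202) {
    $location = $resp.Headers.Location.AbsoluteUri
    do {
        Start-Sleep -Seconds 5
        $resp = Invoke-AzRestMethod -Method GET -Uri $location
    } while ($resp.StatusCode -eq 202)
}

switch ($resp.StatusCode) {
    204     { Write-Host "Validation passed; safe to run Move-AzResource" }
    409     { Write-Warning "Move blocked: $($resp.Content)" }
    default { Write-Warning "Unexpected status $($resp.StatusCode): $($resp.Content)" }
}

# Only after a 204 (uncomment to actually move; both groups are locked while it runs):
# Move-AzResource -DestinationResourceGroupName $targetRg -ResourceId $resourceIds -Force
```

For a cross-subscription move, add -DestinationSubscriptionId to Move-AzResource and put the target subscription in targetResourceGroup; the validation call still goes to the source subscription.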

74
Q

Basics of device identity

A

Device identity in Azure Active Directory (Azure AD) helps you control the devices that you add to your organization’s Azure AD instance

75
Q

azure AD registered

A

Azure AD registered: These devices fall into the Bring Your Own Device (BYOD) category. They’re typically privately owned, or they use a personal Microsoft account or another local account. This method of device registration is the least restrictive because it supports devices running Windows 10, iOS, iPadOS, Android, and macOS. Device security is typically provided by a password, a PIN, a pattern, or Windows Hello

76
Q

Azure AD joined

A

These devices are owned by your organization. Users access your cloud-based Azure AD instance through their work account. Device identities exist only in the cloud. This option is available only to Windows 10 or Windows Server 2019 devices. Windows Server 2019 Server Core installation isn’t supported. Security for this option uses either a password or Windows Hello

77
Q

Hybrid Azure AD joined

A

Hybrid Azure AD joined: This option is similar to Azure AD joined. The devices are owned by the organization, and they’re signed in with an Azure AD account that belongs to that organization. Device identities exist in the cloud and on-premises. The hybrid option is better suited to organizations that need on-premises and cloud access. This option supports Windows 7, 8.1, and 10, and Windows Server 2008 or later

78
Q

Conditional access

A

Conditional access in Azure AD collects signals (user, group, device state, location, application, sign-in risk), evaluates them against policies you define, and enforces the resulting decision (allow, require MFA or a compliant device, or block) so that your organization’s security policy is applied at sign-in
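As an added example (not code from the flashcards or from Microsoft), the following creates one Conditional Access policy with Microsoft Graph PowerShell: the signal is "any user signing in to any cloud app", the rule excludes an emergency-access group, and the enforced outcome is MFA. It is created in report-only state so the effect on real sign-ins can be reviewed before enforcement. It assumes the Microsoft.Graph module, a Connect-MgGraph session with the listed scopes, and a placeholder object ID for the emergency-access group.

```powershell
# Added example: a Conditional Access policy (signals -> rule -> enforced outcome).
# Assumes Microsoft.Graph PowerShell and a placeholder emergency-access group ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" | Out-Null

$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"   # placeholder, not a real group

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"
    # Report-only logs what the policy would have done without enforcing it
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm what was stored before flipping state to "enabled"
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Always exclude an emergency-access account or group from policies that can lock out administrators; with "All" users and no exclusion, a misconfigured MFA registration would take the tenant's Global Administrators with it.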

79
Q

Basics of Azure AD join

A

Azure AD join, you can join devices to your Azure Active Directory organization without needing to sync with an on-premises Active Directory instance

80
Q

Supported devices

A

Azure AD join works with Windows 10 or Windows Server 2019 devices. Windows Server 2019 Server Core installation isn’t supported

81
Q

Identity infrastructure: Managed environment

A

This environment uses pass-through authentication or password hash sync to provide single sign-on (SSO) to your devices

82
Q

Identity infrastructure: Federated environments

A

These environments require the use of an identity provider. That provider must support the WS-Trust and WS-Fed protocols for Azure AD join to work natively with Windows devices. WS-Fed is required to join a device to Azure AD. WS-Trust is needed to sign in to an Azure AD joined device

83
Q

Identity infrastructure:

Smart cards and certificate-based authentication

A

These methods aren’t valid ways to join devices to Azure AD. But, if you have Active Directory Federation Services configured, you can use smart cards to sign in to Azure AD joined devices. We recommend that you use a service like Windows Hello for Business, which supports passwordless authentication to Windows 10 devices

84
Q

Identity infrastructure:

Manual user configuration

A

Manual user configuration: If you create users in your on-premises Active Directory instance, you need to synchronize the accounts to Azure AD by using Azure AD Connect. If you create users in Azure AD, no additional setup is needed

85
Q

Device management

A

MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, software installations, and software updates

86
Q

Azure AD joined devices, there are two approaches

A

MDM only: All joined devices are managed exclusively through an MDM provider, like Intune. If your organization uses group policies, you’ll need to review your MDM policy for support.

Co-management: All joined devices use a combination of a locally installed System Center Configuration Manager agent and your MDM provider. Microsoft Intune provides co-management capabilities through Configuration Manager. You use Configuration Manager to manage the device while MDM delivers user-management policies

87
Q

On-premises web applications

A

Access to those applications needs each user to add the app to their trusted sites or intranet zone, depending on where the app exists.

88
Q

Azure Data Box products

A

The Azure Data Box family can be divided into two groups, for offline and online data transfer. Offline data transfer allows you to move large amounts of data to Azure whenever you have time, network bandwidth, or cost constraints. Because your organization doesn’t want to tie up its network bandwidth while shifting the vehicle data to Azure, this solution might be ideal

89
Q

Offline data transfer

A

Data Box Disk: Provides one ~35-TB transfer to Azure. Connect and copy data over USB.
Data Box: Provides one ~80-TB transfer to Azure per order. Connect and copy data to the device over standard network interface protocols like SMB and NFS.
Data Box Heavy: Provides one ~800-TB transfer to Azure. Use high-throughput network interfaces to connect and copy data to the device. This process uses standard network interface protocols like SMB and NFS. Data Box Heavy is like two Data Boxes, each with an independent node

90
Q

Online data transfer

A

Online data transfer enables a link between your on-premises assets and Azure

Transferring huge amounts of data to Azure is similar to copying data to a networking share. Online data transfer is ideal when you need a continuous link to transfer a massive amount of data

91
Q

Data Box Edge

A

This device is a dedicated appliance with 12 TB of local SSD storage. It can preprocess and run machine learning on data before uploading it to Azure

92
Q

Data Box Gateway

A

This device is an entirely virtual appliance. It’s based on a virtual machine that you provision in your on-premises environment

93
Q

Azure Data Factory

A

Azure Data Factory is a service that enables you to organize, move, and transform large quantities of data from many different sources. In Data Factory, you create data pipelines that ingest data from relational databases, NoSQL databases, and other systems. You can use Azure Machine Learning, Hadoop, Spark, and other services to process and transform that data. Then, at the end of the pipeline, you can publish the transformed data to Azure SQL Data Warehouse, Azure SQL Database, Azure Cosmos DB, and Azure Storage.

94
Q

What is Azure File Sync?

A

Azure File Sync allows you to extend your on-premises file shares into Azure. It works with your existing on-premises file shares to expand your storage capacity and provide redundancy in the cloud. It requires Windows Server 2012 R2 or later. You can access your on-premises file share with any supported file sharing protocol that Windows Server supports, like SMB, NFS, or FTPS

95
Q

cloud tiering

A

An optional feature of Azure File Sync that keeps frequently accessed files cached locally on the server while less-used files are tiered to the Azure file share and replaced by a pointer. Files are cached or tiered according to the cloud tiering policy you create (a free-space percentage on the volume, and optionally a last-accessed age)

96
Q

Storage Sync Service

A

is the high-level Azure resource for Azure File Sync. The service is a peer of the storage account, and it can also be deployed to Azure resource groups

97
Q

sync group

A

outlines the replication topology for a set of files or folders. All endpoints located in the same sync group are kept in sync with each other. If you have different sets of files that must be in sync and managed with Azure File Sync, you would create two sync groups and different endpoints

98
Q

registered server

A

represents the trust relationship between the on-premises server and the Storage Sync Service. You can register multiple servers to the Storage Sync Service. But a server can be registered with only one Storage Sync Service at a time

99
Q

Azure File Sync agent

A

a downloadable package that enables Windows Server to be synced with an Azure file share. The agent has three components:

FileSyncSvc.exe. Service that monitors changes on endpoints.
StorageSync.sys. Azure file system filter driver.
PowerShell management cmdlets.

100
Q

server endpoint

A

represents a specific location on a registered server, like a folder on a local disk. Multiple server endpoints can exist on the same volume if their paths don’t overlap

101
Q

cloud endpoint

A

the Azure file share that’s part of a sync group. The whole file share syncs and can be a member of only one cloud endpoint. An Azure file share can be a member of only one sync group at a time

102
Q

System requirements

A

Azure File Sync has these system requirements for your local file server:

Operating system: Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019, in either Datacenter or Standard edition in full or core deployments.
Memory: 2 GB of RAM or more.
Patches: Latest Windows patches applied.
Storage: Locally attached volume formatted in the NTFS file format. Remote storage connected by USB isn’t supported.

103
Q

ntfs

A

The supported features are:

Access control lists (ACLs): ACLs are preserved and enforced on Windows Server endpoints.
NTFS compression: Compressing files to save space is fully supported.
Sparse files: Sparse files are stored in a more efficient way than normal files. Sparse files are supported, but, during the sync to the cloud, they’re stored as normal full files.

104
Q

Storage account

A

The storage account is used to store the file share. In Azure, a storage account is where all Azure Storage data objects, like blobs, files, queues, and disks, are stored. There are some limitations on the kind of storage account that can be used. Select StorageV2 with a hot access tier

105
Q

File share

A

The file share is the cloud version of a normal on-premises file share. It will store all files and folders. You control the size of the file share by specifying a quota size. You can increase the quota later if you need to.

106
Q

Storage Sync Service

A

The Storage Sync Service is responsible for establishing trust between your company’s server and Azure. This service is where you connect the file share in Azure with the file directory on your server

107
Q

Sync group

A

The sync group must contain one cloud endpoint that represents an Azure file share and one or more server endpoints that map to a path on a registered Windows file server. The sync group manages the process by using metadata stored in a hidden folder: .SystemShareInformation. Don’t delete this folder
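As an added example (not code from the flashcards or from Microsoft) tying together the "Storage Sync Service", "sync group", "registered server", "server endpoint", "cloud endpoint" and "cloud tiering" cards, the following provisions that whole chain with the Az.StorageSync module. It assumes the module, a Connect-AzAccount session, that the Azure File Sync agent is already installed on the server the script runs on, an existing StorageV2 storage account, and hypothetical resource names and paths.

```powershell
# Added example: Storage Sync Service -> sync group -> cloud endpoint -> registered
# server -> server endpoint with cloud tiering. Assumes Az.StorageSync, Connect-AzAccount,
# the agent installed locally, an existing storage account, and hypothetical names.
$rg  = "rg-filesync"
$sss = "sss-contoso"
$sg  = "sg-finance"
$storageAccountId = (Get-AzStorageAccount -ResourceGroupName $rg -Name "stfinancesync").Id

New-AzStorageSyncService -ResourceGroupName $rg -Name $sss -Location "eastus" | Out-Null
New-AzStorageSyncGroup -ResourceGroupName $rg -StorageSyncServiceName $sss -Name $sg | Out-Null

# Exactly one cloud endpoint per sync group: the Azure file share
New-AzStorageSyncCloudEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss `
    -SyncGroupName $sg -Name "finance-share" `
    -StorageAccountResourceId $storageAccountId -AzureFileShareName "finance" | Out-Null

# Register this server: creates the trust relationship with the Storage Sync Service.
# A server can be registered with only one service at a time.
$server = Register-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $sss

# Server endpoint on a locally attached NTFS volume, with cloud tiering: keep 20 % of the
# volume free and tier files not accessed for 30 days
New-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss `
    -SyncGroupName $sg -Name "finance-fs01" `
    -ServerResourceId $server.ResourceId -ServerLocalPath "D:\Finance" `
    -CloudTiering -VolumeFreeSpacePercent 20 -TierFilesOlderThanDays 30 | Out-Null

# Verify the topology the cards describe: one cloud endpoint, one or more server endpoints
Get-AzStorageSyncCloudEndpoint  -ResourceGroupName $rg -StorageSyncServiceName $sss -SyncGroupName $sg
Get-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss -SyncGroupName $sg
```

Keep the server endpoint path off the system volume and out of the way of other replication (DFS-R, antivirus real-time scanning of tiered files); the hidden .SystemShareInformation folder under the path is sync metadata and, as the card says, must not be deleted.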