Microsoft - MD-102: Endpoint Administrator

Sample Questions

Explanation:

The Microsoft Defender for Cloud Apps integration with Microsoft Defender for Endpoint provides a seamless Shadow IT visibility and control solution. Our integration enables Defender for Cloud Apps administrators to block access of end users to cloud apps, by natively integrating Defender for Cloud Apps app governance controls with Microsoft Defender for Endpoint's network protection. Alternatively, administrators can take a gentler approach of warning users when they access risky cloud apps.

Defender for Cloud Apps uses the built-in Unsanctioned app tag to mark cloud apps as prohibited for use, available in both the Cloud Discovery and Cloud App Catalog pages. By enabling the integration with Defender for Endpoint, you can seamlessly block access to unsanctioned apps with a single click in Defender for Cloud Apps.

Apps marked as Unsanctioned in Defender for Cloud Apps are automatically synced to Defender for Endpoint. More specifically, the domains used by these unsanctioned apps are propagated to endpoint devices to be blocked by Microsoft Defender Antivirus within the Network Protection SLA.

Admins have the option to warn users when they access risky apps. Rather than blocking users, they're prompted with a message providing a custom redirect link to a company page listing apps approved for use. The prompt provides options for users to bypass the warning and continue to the app. Admins are also able to monitor the number of users that bypass the warning message.

Use the following steps to enable access control for cloud apps:

In the Microsoft Defender Portal, select Settings. Then choose Cloud Apps. Under Cloud Discovery, select Microsoft Defender for Endpoint, and then select Enforce app access.

Reference: Govern discovered apps using Microsoft Defender for Endpoint

Explanation:

Security baselines are standardized documents for Azure product offerings, describing the available security capabilities and the optimal security configurations to help you strengthen security through improved tooling, tracking, and security features.

Security baselines for Azure focus on cloud-centric control areas in Azure environments. These controls are consistent with well-known industry standards such as: Center for Internet Security (CIS) or National Institute for Standards in Technology (NIST).

Each baseline consists of the following components:

• How does a service behave?
• Which security features are available?
• What configurations are recommended to secure the service?

References:

Security baselines for Azure

Security baselines assessment

Explanation:

Authentication strength is a Conditional Access control that specifies which combinations of authentication methods can be used to access a resource. Users can satisfy the strength requirements by authenticating with any of the allowed combinations.

For example, an authentication strength can require that only phishing-resistant authentication methods be used to access a sensitive resource. To access a nonsensitive resource, administrators can create another authentication strength that allows less secure multifactor authentication (MFA) combinations, such as password + text message.

The Passwordless MFA strength includes authentication methods that satisfy MFA but don't require a password.

Windows Azure Service Management API

When you target the Windows Azure Service Management API application, policy is enforced for tokens issued to a set of services closely bound to the portal. This grouping includes the application IDs of:

• Azure Resource Manager
• Azure portal, which also covers the Microsoft Entra admin center
• Azure Data Lake
• Application Insights API
• Log Analytics API

Because the policy is applied to the Azure management portal and API, any services or clients that depend on the Azure API can be indirectly affected. For example:

• Azure CLI
• Azure Data Factory portal
• Azure DevOps
• Azure Event Hubs
• Azure PowerShell
• Azure Service Bus
• Azure SQL Database
• Azure Synapse
• Classic deployment model APIs
• Microsoft 365 admin center
• Microsoft IoT Central
• SQL Managed Instance
• Visual Studio subscriptions administrator portal

References:

Conditional Access authentication strength

Conditional Access: Target resources

Explanation:

Admin1 has the Help Desk Operator role assigned. The role grants all four Remote Help app permissions, which include:

• Elevation
• View screen
• Unattended control
• Take full control

Admin2 has the Remote Help Tier 1 role assigned. The role does not grant the Take full control Remote Help app permisson. Admin2 can't take full control of Device1.

Admin2 has the Remote Help Tier 1 role assigned. The role does not grant the Unattended control Remote Help app permisson. Admin2 can't take unattended control of Device3.

Remote Help app - Elevation
For Windows devices, elevation allows the helper to enter UAC credentials when prompted on the sharer’s device when remote help is enabled. Enabling elevation also allows the helper to view and control the sharer’s device when the sharer grants the helper access.

Explanation:

When you have a large number of discovered apps, you'll find it useful to filter and query them.

In Microsoft Defender for Cloud Apps you can create custom app tags. These tags can then be used as filters for deeper diving into specific types of apps that you want to investigate. For example, custom watch list, assignment to a specific business unit, or custom approvals, such as "approved by legal". App tags can be also used in app discovery policies in filters or by applying tags to apps as part of the policy governance actions.

Reference: Filter and query discovered apps in Microsoft Defender for Cloud Apps