Exam AZ-304 topic 2 question 55 discussion

Actual exam question from Microsoft's AZ-304
Question #: 55
Topic #: 2

HOTSPOT -
You are designing an access policy for your company.
Occasionally, the developers at the company must stop, start, and restart Azure virtual machines. The development team changes often.
You need to recommend a solution to provide the developers with the required access to the virtual machines. The solution must meet the following requirements:
✑ Provide permissions only when needed.
✑ Use the principle of least privilege.
✑ Minimize costs.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Comments

AlanJP
Highly Voted 4 years, 1 month ago
I think the answer is correct. JIT is for access to the VM, not access to the resource in the portal, which is required to start/stop the VM.
upvoted 54 times
somenick
4 years ago
Agree. See: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings
upvoted 6 times
...
rdemontis
3 years, 8 months ago
exactly, you are right!
upvoted 2 times
...
...
Nand0111
Highly Voted 4 years, 1 month ago
Second option should be Just in time vm access
upvoted 15 times
rjwolf82
3 years, 4 months ago
Not true, JIT is an option to enable RDP access for someone up to 24 hours, after that the access will be automatically disabled. Someone with JIT access can't start, stop VMs.
upvoted 1 times
...
norbitek
4 years, 1 month ago
For me, the answer is correct. Just-in-time VM access does not implement user-based assignment. A better option is to use PIM and just-in-time role assignments. See: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings
upvoted 20 times
BrettusMaximus
4 years ago
Agreed, the answer is correct. In addition, JIT needs the Defender licence.
upvoted 3 times
...
...
BoxGhost
3 years, 11 months ago
Please stop up voting this. The question clearly states they need to stop and start the VM. JIT is only for RDP access, thus it does not meet the requirements. https://azure.microsoft.com/en-gb/blog/just-in-time-vm-access-is-generally-available/
upvoted 71 times
us3r
3 years, 5 months ago
highly voted they said... upvote they said...
upvoted 1 times
...
Sathya22
3 years, 10 months ago
Yes JIT is only for access
upvoted 4 times
...
...
...
icedog
Most Recent 3 years, 6 months ago
You can't start a VM with Just-In-Time access, so it's an invalid answer. P2 and PIM are the correct answers.
upvoted 7 times
...
FinMessner
3 years, 6 months ago
For everyone saying JIT VM Access -- if JITVMA only allows RDP and SSH access then how will you start the VM once you've stopped it if you can't access the VM control panel?
upvoted 2 times
...
tomatosis
3 years, 7 months ago
I think it should be JIT instead. The question clearly says that "You need to recommend a solution to provide the developers with the required access to the virtual machines", so the key is to "access" only. Once we have JIT in place, then developers can start/stop VM as necessary. Don't forget we have to minimize the cost as well.
upvoted 1 times
tomatosis
3 years, 7 months ago
To add, P2 is required for Just in Time https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication
upvoted 1 times
...
...
waqas
3 years, 9 months ago
Mentioned Answers are correct.
upvoted 2 times
...
syu31svc
3 years, 10 months ago
To achieve the requirement, you need to implement Azure AD Privileged Identity Management (PIM). Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. Using the PIM feature requires an Azure AD Premium P2 license. Answer is correct.
upvoted 2 times
...
nkv
3 years, 10 months ago
Came in the exam on 20-Sep-21. I passed; I chose the second one as just-in-time access.
upvoted 2 times
...
jamess
3 years, 11 months ago
PIM gives greater control including the ability to grant JIT. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure Fulfills requirements. Requires P2 lic.
upvoted 2 times
...
tita_tovenaar
4 years ago
Since developers change often, I guess PIM becomes a true hassle. Not just are their accounts temporary, but temp access to VMs has to be dealt with separately. And who is going to approve? Another config headache. It's definitely cheaper, and probably easier, to just enable JIT access to the VMs. If developers had been stable, maybe PIM could work.
upvoted 1 times
tita_tovenaar
4 years ago
... and just to add, if JIT access is sufficient, then you don't need P2 either.
upvoted 1 times
examineezer
3 years, 7 months ago
But JIT isn't sufficient.
upvoted 1 times
...
...
...
sandeepreddytalla
4 years ago
p2 PIM JIT Need Azure defender, need to pay 15USD for every VM.
upvoted 5 times
...
vitol
4 years ago
100% answer is correct. (JIT is just an RDP rule in NSG, nothing much)
upvoted 3 times
...