Answer:-2. No

To configure Manifest to include Group Claims in Auth Token

1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active Directory, and go to App registrations to find your application:
2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest by clicking on it.
3. Locate the ג€groupMembershipClaimsג€ setting. Set its value to either ג€SecurityGroupג€ or ג€Allג€. To help you decide which:

• ג€SecurityGroupג€ - groups claim will contain the identifiers of all security groups of which the user is a member.
• ג€Allג€ - groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member

Now your application will include group claims in your manifest and you can use this fact in your code.
Reference:-https://blogs.msdn.microsoft.com/waws/2017/03/13/azure-app-service-authentication-aad-groups/

Answer:-


Box 1: Soft delete -
When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.

Box 2: Purge protection -
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.

Reference:-https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview

Answer:-(3) and (4)

Most of the people choose option (1) and (3) as there answer

Answer:-

Box 1: user_impersonation -

Box 2: delegated -
Example:
1. Select the API permissions section
2. Click the Add a permission button and then:
Ensure that the My APIs tab is selected
3. In the list of APIs, select the API TodoListService-aspnetcore.
4. In the Delegated permissions section, ensure that the right permissions are checked:
user_impersonation.
5. Select the Add permissions button.

Box 3: delegated -

Example -
1. Select the API permissions section
2. Click the Add a permission button and then,
Ensure that the Microsoft APIs tab is selected
3. In the Commonly used Microsoft APIs section, click on Microsoft Graph
4. In the Delegated permissions section, ensure that the right permissions are checked: User.Read. Use the search box if necessary.
5. Select the Add permissions button

Reference:-https://docs.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore/calling-a-web-api-in-an-aspnet-core- web-application-using-azure-ad/

Answer:-

Box 1: UseAuthentication -
Need to validate users before users are allowed access to secure resources.
UseAuthentication adds the AuthenticationMiddleware to the specified IApplicationBuilder, which enables authentication capabilities.

Box 2: UseAuthorization -
Need to permit users to access secure resources.
UseAuthorization adds the AuthorizationMiddleware to the specified IApplicationBuilder, which enables authorization capabilities.

Box 3: UseStaticFiles -
Need to use the Export feature in the app without requiring a restart of the app.
UseStaticFiles enables static file serving for the current request path

Reference:-https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.iapplicationbuilder?view=aspnetcore-5.0

Answer:-3. Create a system assigned Managed Identity in each App Service with permission to access Key Vault.

Use Key Vault references for App Service and Azure Functions.
Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.

Reference:-https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

Answer:-1. Yes

Answer:-2. No

Note:-
Instead use an Azure Key vault and public key encryption. Store the encrypted from in Azure Storage Blob storage.

Answer:-2. No

Note:-
Instead use an Azure Key vault and public key encryption. Store the encrypted from in Azure Storage Blob storage.
Reference:-https://blogs.msdn.microsoft.com/waws/2017/03/13/azure-app-service-authentication-aad-groups/

Answer:- Box 1: keyvault -
Create an Azure Key Vault with az keyvault create and enable the Key Vault for use with disk encryption. Specify a unique Key Vault name for keyvault_name as follows: keyvault_name=myvaultname$RANDOM az keyvault create \
--name $keyvault_name \
--resource-group $resourcegroup \
--location eastus \
--enabled-for-disk-encryption True

Box 2: keyvault key -
The Azure platform needs to be granted access to request the cryptographic keys when the VM boots to decrypt the virtual disks. Create a cryptographic key in your Key Vault with az keyvault key create. The following example creates a key named myKey: az keyvault key create \
--vault-name $keyvault_name \
--name myKey \
--protection software

Box 3: vm -
Create a VM with az vm create. Only certain marketplace images support disk encryption. The following example creates a VM named myVM using an Ubuntu 16.04 LTS image:
az vm create \
--resource-group $resourcegroup \
--name myVM \
--image Canonical:UbuntuServer:16.04-LTS:latest \
--admin-username azureuser \
--generate-ssh-keys \

Box 4: vm encryption -
Encrypt your VM with az vm encryption enable:
az vm encryption enable \
--resource-group $resourcegroup \
--name myVM \
--disk-encryption-keyvault $keyvault_name \
--key-encryption-key myKey \
--volume-type all
Note: seems to an error in the question. Should have enable instead of create.

Box 5: all -
Encrypt both data and operating system.

Reference:-https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-cli-quickstart