70-534 Architecting Microsoft Azure Solutions 1

Question 1

With reference to the Case Study given below: you need to assign permissions for the Virtual Machine workloads that you migrate to Azure. The solution must use the principle of least privilege. What should you do?

Case Study: VanArsdel, Ltd.

VanArsdel, Ltd. builds skyscrapers, subways, and bridges. VanArsdel is a leader in using technology to do construction better.

VanArsdel employees are able to use their own mobile devices for work activities because the company recognizes that this usage enables employee productivity. Employees also access Software as a Service (SaaS) applications, including DocuSign, Dropbox, and Citrix. The company continues to evaluate and adopt more SaaS applications for its business. VanArsdel uses Azure Active Directory (AD) to authenticate its employees, as well as Multi-Factor Authentication (MFA). Management enjoys the ease with which MFA can be enabled and disabled for employees who use cloud-based services. VanArsdel's on-premises directory contains a single forest.

VanArsdel creates a helpdesk group to assist its employees. The company sends email messages to all its employees about the helpdesk group and how to contact it. Configuring employee access for SaaS applications is often a time-consuming task. It is not always obvious to the helpdesk group which users should be given access to which SaaS applications. The helpdesk group must respond to many phone calls and email messages to solve this problem, which takes up valuable time. The helpdesk group is unable to meet the needs of VanArsdel's employees. However, many employees do not work with the helpdesk group to solve their access problems. Instead, these employees contact their co-workers or managers to find someone who can help them. Also, new employees are not always told to contact the helpdesk group for access problems. Some employees report that they cannot see all the applications in the Access Panel that they have access to. Some employees report that they must re-enter their passwords when they access cloud applications, even though they have already authenticated.
Bring your own device (BYOD)

VanArsdel wants to continue to support users and their mobile and personal devices, but the company is concerned about how to protect corporate assets that are stored on these devices. The company does not have a strategy to ensure that its data is removed from the devices when employees leave the company.

Customer Support

VanArsdel wants a mobile app for customer profile registration and feedback. The company would like to keep track of all its previous, current, and future customers worldwide. A profile system using third-party authentication is required, as well as feedback and support sections for the mobile app. VanArsdel plans to migrate several virtual machine (VM) workloads into Azure. They also plan to extend their on-premises Active Directory into Azure for mobile app authentication.
Business Requirements

Hybrid Solution

- A single account and credentials for both on-premises and cloud applications
- Certain applications that are hosted both in Azure and on-site must be accessible to both VanArsdel employees and partners
- The service level agreement (SLA) for the solution requires an uptime of 99.9%
- The partners all use Hotmail.com email addresses

Mobile App

VanArsdel requires a mobile app for project managers on construction job sites. The mobile app has the following requirements:

- The app must display partner information.
- The app must alert project managers when changes to the partner information occur.
- The app must display project information including an image gallery to view pictures of construction projects.
- Project managers must be able to access the information remotely and securely.

VanArsdel must control access to its resources to ensure sensitive services and information are accessible only by authorized users and/or managed devices. Employees must be able to securely share data, based on corporate policies, with other VanArsdel employees and with partners who are located on construction job sites. VanArsdel management does NOT want to create and manage user accounts for partners.
Technical Requirements

VanArsdel requires a non-centralized stateless architecture for its data and services where application, data, and computing power are at the logical extremes of the network. VanArsdel requires separation of CPU, storage, and SQL services.

Data Storage

VanArsdel needs a solution to reduce the number of operations on the contractor information table. Currently, data transfer rates are excessive, and queue length for read/write operations affects performance. A mobile service that is used to access contractor information must have automatically scalable, structured storage. Images must be stored in an automatically scalable, unstructured form.

Mobile Apps

VanArsdel's mobile app must authenticate employees to the company's Active Directory. Event-triggered alerts must be pushed to mobile apps by using a custom Node.js script. The customer support app should use an identity provider that is configured by using the Access Control Service for current profile registration and authentication. The customer support team will adopt future identity providers that are configured through Access Control Service.

Active Directory Federated Server (AD FS) will be used to extend AD into Azure. Helpdesk administrators must have access to only the groups of Azure resources they are responsible for. Azure administration will be performed by a separate group. IT administrative overhead must be minimized. Permissions must be assigned by using Role Based Access Control (RBAC). Line of business applications must be accessed securely.

Page 1 out of 20