Which three actions should you perform in sequence to meet the security requirements for Webapp1?

DRAG DROP

Which three actions should you perform in sequence to meet the security requirements for Webapp1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:


Mike
2 years ago

Explanation:

There are 3 steps to provision a gMSA for running On-Demand Assessments:

1. Create the Key Distribution Services (KDS) Root Key within Active Directory using Add-KdsRootKey.
2. Create the gMSA and authorize the data collection machine to obtain the password for the gMSA using the New-ADServiceAccount PowerShell cmdlet.
3. Grant the gMSA the required access to the environment being assessed per the prerequisite documentation for the relevant assessment being configured.

1. Provision KDS Root Key

The KDS root key must first be created if it has never been created in the Active Directory forest.
To create the KDS root key, execute the following command within a PowerShell session from a domain controller or domain member with the Windows PowerShell Active Directory module installed, using an account with the necessary permissions to create accounts in Active Directory (Enterprise Administrators and Domain Administrators in the forest root domain have the necessary permissions by default).

Add-KdsRootKey -EffectiveImmediately

Add-KdsRootKey -EffectiveImmediately allows creation of gMSAs after 10 hours to ensure replication has converged to all DCs.

2. Create Group Managed Service Account

To create the gMSA, execute the following command within a PowerShell session from a domain controller or domain member with the Windows PowerShell Active Directory module installed, using an account with the necessary permissions to create accounts in Active Directory (Account Operators or Domain Administrators have the necessary permissions by default).

New-ADServiceAccount -Name <gMSA name> -DNSHostName <gMSA DNS host name> -PrincipalsAllowedToRetrieveManagedPassword "data collection machine samaccountname"

For example: PS C:\> New-ADServiceAccount -Name gMSA-SVC -DNSHostName gMSA-SVC.contoso.local -PrincipalsAllowedToRetrieveManagedPassword "oms-ad-tools$"

3. Install gMSA on Data Collection Machine

Pre-caching the gMSA on the data collection machine serves as an important validation step to ensure the account is provisioned correctly and the data collection machine can successfully retrieve the gMSA password and use the account. From the data collection machine with the Active Directory PowerShell module installed, run the following.

Install-ADServiceAccount -Identity "gMSA samaccountname"

For example: Install-ADServiceAccount -Identity "gMSA-SVC$"

Reference:

https://docs.microsoft.com/en-us/services-hub/health/kb-running-assessments-with-msas
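
The three steps in the comment above, combined into one idempotent script that also audits which principals can retrieve the gMSA password. This is an added example, not part of the original comment or the referenced Microsoft article; the account, domain and host names are the ones from the comment's own examples, and the 10-hour wait is taken from the comment.

```powershell
# Added example (not from the original comment). Names below are assumptions
# reused from the comment's examples: gMSA-SVC, contoso.local, oms-ad-tools$.
Import-Module ActiveDirectory

$GmsaName   = 'gMSA-SVC'
$GmsaDns    = 'gMSA-SVC.contoso.local'
$Collectors = @('oms-ad-tools$')   # only these computer accounts may retrieve the password

# Step 1: create the KDS root key only if the forest has none.
$rootKey = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
if (-not $rootKey) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    $rootKey = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
}
# Per the comment, gMSAs can be created 10 hours after the key's effective time.
$usableAt = $rootKey.EffectiveTime.AddHours(10)
if ($usableAt -gt (Get-Date)) {
    throw "KDS root key $($rootKey.KeyId) is not usable until $usableAt; rerun after that."
}

# Step 2: create the gMSA if it does not exist yet.
$props = 'PrincipalsAllowedToRetrieveManagedPassword'
$gmsa  = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" -Properties $props
if (-not $gmsa) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $GmsaDns `
        -PrincipalsAllowedToRetrieveManagedPassword $Collectors
    $gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties $props
}

# Least-privilege check: the property holds distinguished names, so resolve the
# expected computer accounts to DNs and flag anything else on the list.
$expected = $Collectors | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
$extra    = @($gmsa.$props | Where-Object { $_ -notin $expected })
if ($extra.Count -gt 0) {
    Write-Warning "Unexpected principals can retrieve the gMSA password: $($extra -join '; ')"
}

# Step 3: only on an authorized data collection machine, install and validate.
if ($Collectors -contains ($env:COMPUTERNAME + '$')) {
    $identity = $GmsaName + '$'
    Install-ADServiceAccount -Identity $identity
    if (-not (Test-ADServiceAccount -Identity $identity)) {
        throw "This host cannot retrieve the password for $identity."
    }
}
```

Steps 1 and 2 need an account with the permissions the comment lists; step 3 runs only when the script is executed on a machine named in `$Collectors`.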