Which three actions should you perform in sequence to meet the security requirements for Webapp1?
DRAG DROP
Which three actions should you perform in sequence to meet the security requirements for Webapp1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
Graphical user interface, text, application
Description automatically generated
Latest AZ-800 Dumps Valid Version with 54 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund
Explanation:
There are 3 steps to provision an gMSA for running On-Demand Assessments:
1. Create the Key Distribution Services KDS Root Key within Active Directory using Add-KDSRootKey
2. Create the gMSA and authorize data collection machine to obtain the password for the gMSA using New-ADServiceAccount PowerShell cmdlet.
3. Grant the gMSA the required access to the environment being assessed per the prerequisite documentation for the relevant assessment being configured.
1. Provision KDS Root Key
The KDS root key must first be created if it has never been created in the Active Directory forest.
To create the KDS root key execute the following command within a PowerShell session from a domain controller or domain member with the Windows PowerShell Active Directory module installed using an account with necessary permissions to create accounts in Active Directory (Enterprise Administrators and Domain Administrators in the forest root domain by default have the necessary permissions).
Add-KdsRootKey -EffectiveImmediately
Add-KdsRootKey -EffectiveImmediately allows creation of gMSAs after 10hrs to ensure replication has converged to all DCs.
2. Create Group Managed Service Account
To create the gMSA, execute the following command within a PowerShell session from a domain controller or domain member with the Windows PowerShell Active Directory module installed using an account with necessary permissions to create accounts in Active Directory (Account Operators or Domain Administrators by default have the necessary permissions).
New-ADServiceAccount -Name -DNSHostname -PrincipalsAllowedToRetrieveManagedPassword “data collection machine samaccountname”
For example: PS C:> New-ADServiceAccount -Name gMSA-SVC -DNSHostName gMSA-SVC.contoso.local -PrincipalsAllowedToRetrieveManagedPassword “oms-ad-tools$”
3. Install gMSA on Data Collection Machine
Pre-caching the gMSA on the data collection machine serves an important validation step to ensure the account is provisioned correctly and the data collection machine can successfully retrieve the gMSA password and use the account. From the data collection machine with the Active Directory Powershell module installed, run the following.
Install-ADServiceAccount -Identity “gMSA samaccountname”
For example: Install-ADServiceAccount -Identity “gMSA-SVC$”
Reference:
https://docs.microsoft.com/en-us/services-hub/health/kb-running-assessments-with-msas