Governance & compliance
⏱ ~3-min readAceMark GuideWhat this topic is really about
Azure DDoS Protection is designed to safeguard applications from distributed denial-of-service attacks by monitoring traffic and mitigating malicious spikes. It does not protect against phishing, which is an email-based social engineering threat requiring identity and email security solutions.
Under the shared responsibility model, customers always retain responsibility for securing their own data, identities, and endpoints. In contrast, physical datacenter security is managed entirely by Microsoft, making any claim that the customer must secure physical infrastructure incorrect.
See the mechanism
Azure Active Directory (Entra ID) is used to manage user identities and access to Azure resources, providing a secure way to authenticate and authorize users. A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
Azure Active Directory (Entra ID) is:
- Identify what the question tests: Azure Active Directory (Entra ID) is:.
- Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service that secures user logins and permissions.
- It is not a storage product (Option A) or a messaging queue, which are handled by services like Azure Blob Storage and Service Bus.
- Why it matters: Azure Active Directory (Entra ID) is used to manage user identities and access to Azure resources, providing a secure way to authenticate and authorize users. It is not related to storage or messaging, which are handled by other Azure services. This distinction is crucial for managing access and security in Azure environments.
Traps the examiner sets
- Many people confuse Azure Active Directory with other Azure services, such as storage or messaging services, due to the broad range of services offered by Azure. However, its primary function is to provide identity and access management capabilities.
- A common confusion is that Microsoft is responsible for all aspects of security, or that the customer is responsible for physical datacenter security, which is not the case. The shared responsibility model is often misunderstood, leading to incorrect assumptions about security roles and responsibilities.
- In contrast, physical datacenter security is managed entirely by Microsoft, making any claim that the customer must secure physical infrastructure incorrect.
- They do not block user authentication or login, which is managed through identity and access control systems like Microsoft Entra ID.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Governance & compliance and see it stick.
Practice more of this topic →