AZ-500 Exam Questions Flashcards
You manage external guest users in an Azure AD tenant. The tenant uses the default settings.
Which capability is available to the guest users? Select only one answer. A. Invite other guests. B. Read all directory information. C. Register new applications. D. Read subscriptions.
A
By default guest users can invite other guests. They are unable to read all directory information, register new applications, or read subscriptions.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
2.
You are configuring Azure AD risk policies.
You need to configure a policy that minimizes the impact on user experience while following the Zero Trust architecture.
Your users are not registered for multi-factor authentication (MFA), and self-service password reset (SSPR) is disabled.
What should you do?
A. Set the user risk policy threshold to high B. Set the user risk policy threshold to low C. Allow self-remediation options D. Set the sign-in risk policy to low
A
Choosing a high threshold reduces the number of times a policy is triggered and minimizes the impact on users. Setting the sign-in risk policy to low introduces more user interrupts. Self-remediation requires MFA and SSPR. As they are unavailable, administrator intervention is required. Setting the user risk policy to low introduces more user interrupts.
3.
You manage Azure AD for a retail company.
You need to ensure that employees using shared Android tablets can use passwordless authentication when accessing the Azure portal.
Which authentication method should you use?
A. The Microsoft Authenticator App B. Windows Hello for Business C. Security Keys D. Windows Hello
A
You can only use the Microsoft Authenticator app or one-time password login on shared devices. Windows Hello can only be used for Windows devices. You cannot use security keys on shared devices.
https://learn.microsoft.com/en-us/training/modules/azure-active-directory/12-passwordless
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment
You need to configure passwordless authentication. The solution must follow the principle of least privilege. Which role should you assign to complete the task?
A. Global Administrator B. Security Administrator C. Authentication Policy Administrator D. Authentication Administrator
A.
Configuring authentication methods requires Global Administrator privileges. Security Administrators have permissions to manage other security-related features. Authentication Policy Administrators can configure the authentication methods policy, tenant-wide multi-factor authentication settings, and the password protection policy. Authentication Administrators can set or reset any authentication method, including passwords, for non-administrators and some roles.
You have an Azure AD tenant.
You need to recommend a passwordless authentication solution.
Which three authentication methods should you include in the recommendation? Each correct answer presents a complete solution.
A. Windows Hello For Business B. OATH Software Tokens C. FIDO2 Security Keys D. SMS verification E. The Microsoft Authenticator app F. Voice call verification
A C E
Windows Hello for Business, security keys, and the Microsoft Authenticator app all support passwordless authentication. The remaining options do not support passwordless authentication.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment
https://learn.microsoft.com/en-us/training/modules/manage-user-authentication/
6.
You have an Azure subscription that contains the following resources:
Two virtual networks
VNet1: Contains two subnets
VNet2: Contains three subnets
Virtual machines: Connected to all the subnets on VNet1 and VNet2
A storage account named storage1
You need to identify the minimal number of service endpoints that are required to meet the following requirements:
Virtual machines that are connected to the subnets of VNet1 must be able to access storage1 over the Azure backbone.
Virtual machines that are connected to the subnets of VNet2 must be able to access Azure AD over the Azure backbone.
How many service endpoints should you recommend?
A. 2 B. 3 C. 4 D. 5
D.
A service endpoint is configured for a specific service at the subnet level. Based on the requirements, you need to configure two service endpoints for Microsoft.Storage on VNet1 because VNet1 has two subnets, and three service endpoints for Microsoft.AzureActiveDirectory on VNet2 because VNet2 has three subnets. The minimum number of service endpoints that you must configure is 5.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
You have a workload in Azure that uses a virtual machine named VM1. VM1 is in a resource group named RG1.
You need to create and assign an identity to VM1 that will be used to access Azure resources. Other virtual machines must be able to use the same identity.
Which PowerShell script should you run?
A. New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID $vm = Get-AzVM -ResourceGroupName RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VMID"
B. New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID $vm = Get-AzVM -ResourceGroupName RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VM1"
C. $vm = Get-AzVM -ResourceGroupName RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType SystemAssigned
D. $vm = Get-AzVM -ResourceGroupName RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType SystemAssignedUserAssigned
A.
Only user-assigned managed identities can be shared by different Azure resources. Once a managed identity is created, you need to update the virtual machines to use the identity by passing its resource ID.
https://learn.microsoft.com/en-us/training/modules/application-security/6-managed-identities
https://learn.microsoft.com/en-us/powershell/module/az.compute/update-azvm?view=azps-10.0.0&viewFallbackFrom=azps-9.2.0
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm#code-try-9
You have an Azure AD tenant. All the users in the tenant have Windows devices that are Azure AD-joined.
You need to implement Azure AD Multi-Factor Authentication (MFA). The solution must ensure that Azure MFA can be used without internet access or mobile network availability.
Which authentication method should you use? A. Windows Hello for Business B. OATH software tokens C. Voice call verification D. Windows Hello for Business
A, D
FIDO2 incorporates the Web Authentication (WebAuthn) specification. Users can register, and then select a FIDO2 security key at sign-in as their main means of authentication. FIDO2 security keys are typically USB devices but can also be Bluetooth or NFC. OATH software tokens and voice call verification are unsupported as primary authentication methods. Windows Hello for Business can be used as a primary authentication method and can be installed on a device that uses NFC.
https://learn.microsoft.com/en-us/training/modules/manage-user-authentication/2-administer-fido2-passwordless-authentication-methods
You create an access review for a select number of groups in Azure AD for all users that have access to your tenant. You configure the review to automatically apply results to resources.
After running the review, you notice that a user that should have been removed from a group is still part of the group.
Why is the user still in the group?
A. The user is a part of the Compliance Administrator role.
B. The user is a guest user.
C. The group is a Windows AD group.
D. The group is an Azure AD group.
C.
The group is a Windows AD group and access reviews can only manage Azure AD groups. Guest users and users that are part of the Compliance Administrator role can be removed, and access reviews can manage Azure AD groups.
https://learn.microsoft.com/azure/active-directory/governance/create-access-review
You need to ensure that users signing in to the Azure portal are prompted to sign in every 48 hours.
What should you configure?
A. Conditional Access Sign-in frequency
B. Conditional Access App Control
C. Conditional Access Persistent browser session
D. Azure AD Privileged Identity Management (PIM)
A.
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. Conditional Access App Control and PIM do not allow the control of authentication session management. A persistent browser session allows users to remain signed in after closing and reopening their browser window.
https://learn.microsoft.com/en-us/training/modules/azure-ad-identity-protection/10-conditional-access-conditions
You create a role by using the following JSON.
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/*"]
}
A user that is part of the new role reports that they are unable to restart a virtual machine by using a PowerShell script.
What should you do to ensure that the user can restart the virtual machine?
Select only one answer:
A. Instruct the user to sign out and back in to their account. B. Ask the user to restart the virtual machine by using the Azure portal. C. Add Microsoft.Compute/*/read to the list of Actions in the role. D. Add Microsoft.Compute/virtualMachines/login/action to the list of DataActions in the custom role.
C.
The role needs read access to virtual machines to restart them. The user does not need to authenticate again for the role to be in effect, and the user will not be able to access the virtual machine from the portal. Adding Microsoft.Compute/virtualMachines/login/action to the list of DataActions in the role allows the user to sign in as a user, but not to restart the virtual machine.
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
You have an Azure virtual machine named VM1 that runs Windows Server 2022.
A programmer is writing code to run on VM1. The code will use the system-assigned managed identity assigned to VM1 to access Azure resources.
Which endpoint should the programmer use to request the authentication token required to access the Azure resources?
A. Azure AD v1.0 B. Azure AD v2.0 C. Azure Instance Metadata Service D. Azure Resource Manager (ARM)
C.
Azure Instance Metadata Service is a REST endpoint accessible to all IaaS virtual machines created via Azure Resource Manager (ARM). The endpoint is available at a well-known non-routable IP address (169.254.169.254) that can be accessed only from the virtual machines. The endpoint is used to request the authentication token required to gain access to the Azure resources. Azure AD v1.0 and Azure AD v2.0 endpoints are used to authenticate work and school accounts, not managed identities. The ARM endpoint is where the authentication token is sent by the code once it is obtained from the Azure Instance Metadata Service.
https://learn.microsoft.com/en-us/training/modules/application-security/2-microsoft-identity-platform
https://learn.microsoft.com/en-us/training/modules/application-security/6-managed-identities
13.
You create a web API and register the API as an Azure AD application.
You need to expose a function in the API to ensure that administrators must provide consent to apps that use the API.
What should you add to your app registration?
A. A scope
B. An application ID URI
C. A permission
D. A client application
A.
A scope is used to request consent to run a given function in an API. An application ID URI does not handle permissions, a permission is used to allow an application to access the scope created in another app, and a client application allows an application to use the API.
https://learn.microsoft.com/en-us/training/modules/application-security/
You create an Azure AD app registration.
You need to consent to the use of a given API in your app for all users.
What should you add to your app registration?
A. a scope B. an application ID URI C. a permission D. a client application
C.
A permission allows the application to use a given API. A scope is used to request consent to run a given function on an API. An application ID URI does not handle permissions.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
15.
You have Azure web apps named App1 and App2.
You need to ensure that App1 and App2 use the same identity.
Which identity type should you use?
A. A user-assigned managed identity
B. A system-assigned managed identity
C. A service principal with password-based authentication
D. A service principal with certificate-based authentication
A.
A user-assigned managed identity can be associated with more than one Azure resource. Creating a system-assigned managed identity cannot be pre-authorized. Creating a service principal with password-based authentication or certificate-based authentication involves the use of credentials.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
You have an Azure storage account named sa1 that has a container named container1.
You create an Azure AD user named User1.
You need to ensure that User1 can create data in container1.
Which role should you assign to User1?
A. Storage Blob Data Contributor
B. Storage Blob Delegator
C. Storage Account Contributor
D. Classic Storage Account Contributor
A.
Storage Blob Data Contributor can write to containers. Storage Blob Delegator allows the delegation of access keys. Storage Account Contributor allows the management of storage accounts, but not access to the data. Classic Storage Account Contributor allows the management of classic storage accounts, but not access to the data.
https://learn.microsoft.com/azure/role-based-access-control/custom-roles
You have a resource group named RG1 that contains an Azure virtual network named VNet1. A user named User1 is assigned the Contributor role for RG1.
You need to prevent User1 from modifying the properties of VNet1.
What should you do?
A. Apply a read-only lock to the RG1 scope
B. Remove the Contributor role assignment from VM2
C. Add a deny assignment for Microsoft.Compute/virtualMachines/* in the VM1 scope.
D. Assign User1 the Virtual Machine User Login role in the RG1 scope.
A.
A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. The RBAC assignment is set at the resource group level and inherited by the resource. The assignment needs to be edited at the original scope (level). You cannot directly create your own deny assignments. Assigning User1 the Virtual Machine User Login role in the RG1 scope will still allow User1 to have access as a contributor to restart VM1.
https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#considerations-before-applying-locks
You have an Azure subscription named Sub1 that is linked to an Azure AD tenant. The tenant contains a user named Admin1.
Sub1 contains an Azure Policy definition assignment named Assignment1. The definition includes the deployIfNotExists effect.
You need to grant Admin1 permission to include a remediation task for Assignment1. The solution must use the principle of least privilege.
Which role should you assign to Admin1?
A. Contributor
B. Owner
C. Resource Policy Contributor
D. Compliance Administrator
C.
Resource Policy Contributor grants permissions to create and modify resource policies, create support tickets, and read resources and the resource hierarchy. Owner grants full rights, which violates the principle of least privilege. Contributor does not have sufficient permissions. Compliance Administrator is an Azure AD role, not an Azure RBAC role.
https://learn.microsoft.com/training/modules/enterprise-governance/7-azure-rbac-vs-azure-policies
19.
You create an application named App1 in an Azure tenant.
You need to host the application as a multitenant application for any users in Azure, while restricting non-Azure accounts.
You need to allow administrators in other Azure tenants to add the application to their gallery.
Which CLI command should you run?
A. az ad app create --display-name app1 --sign-in-audience AzureADandPersonalMicrosoftAccount
B. az ad app create --display-name app1 --sign-in-audience AzureADMultipleOrgs
C. az webapp auth openid-connect add -r rg1 -n app1 --provider-name p1
D. az webapp auth-classic update -r rg1 -n app1 --action LoginWithAzureActiveDirectory
B.
The correct CLI command allows the application to provide SSO for Azure AD users in any tenant. The CLI commands requiring a web app do not create a gallery entry for the application and configuring the sign-in audience to Azure AD and personal Microsoft accounts does not restrict users to only Azure accounts.
https://learn.microsoft.com/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create
You have an Azure virtual network named VNet1. VNet1 is in a resource group named RG1. VNet1 contains the following two subnets:
Subnet1: 10.0.1.0/24
Subnet2: 10.0.2.0/24
You need to configure access to a storage account named sa1 in a resource group named RG2. The solution must ensure that sa1 can only be accessed from Subnet2.
What should you run?
A. az storage account network-rule add --resource-group "RG1" --account-name "SA1" --ip-address "10.0.2.0"
B. az storage account network-rule add --resource-group "RG2" --account-name "SA1" --ip-address "10.0.2.0/24" az storage account update --default-action deny --name sa1 --resource-group RG2
C. az network nsg rule create -g RG1 --nsg-name NSG1 -n RULE1 --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --destination-port-ranges '*' --direction Outbound --access Allow --protocol Tcp
D. az network nsg rule create -g RG1 --nsg-name NSG1 -n RULE1 --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --destination-port-ranges '*' --direction Outbound --access Allow --protocol Udp
B.
The correct CLI command adds a rule to allow access from the 10.0.2.0/24 subnet to the storage account. The resource group should be for RG2, not RG1. The CLI commands that create network security group (NSG) rules simply allow the entire virtual network to send requests to all storage endpoints.
https://learn.microsoft.com/training/modules/network-security/
21.
You have a workload in Azure that uses multiple virtual machines and Azure functions to access data in a storage account.
You need to ensure that all access to the storage account is done by using a single identity. The solution must reduce the overhead of managing the identity.
Which type of identity should you use?
A. user
B. Group
C. user-assigned managed identity
D. system-assigned managed identity
C.
A user-assigned managed identity can be shared across Azure resources, and its credential rotation is handled by Azure. A user needs to manually handle password changes. You cannot use a group as a service principal. Multiple Azure resources cannot share a system-assigned managed identity.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Your company opens a new office.
You need to allow a user named Admin1 to manage user and group accounts for the new office only.
Which type of resource should you create?
A. Resource Group
B. Management Group
C. Administrative Unit
D. Security Group
C.
An administrative unit can contain only users, groups, and devices. You can also give role management rights to the resources in an administrative unit. Resource groups cannot contain users, groups, or devices. Management groups can only contain other management groups or subscriptions. Departments are used for billing.
https://learn.microsoft.com/training/modules/azure-active-directory/8-azure-active-directory-administrative-units
You configure Azure AD to use multi-factor authentication (MFA) by using the Microsoft Authenticator app.
You need to ensure that users are required to use the Microsoft Authenticator app when accessing Azure from new devices or locations.
Which type of Azure AD Identity Protection policy should you create?
A. user risk policy with self-remediation
B. user risk policy with administrator remediation
C. sign-in risk policy with self-remediation
D. sign-in risk policy with administrator remediation
C.
By using a sign-in risk policy with self-remediation, a sign-in risk is detected when users access their account from a different device or location, and self-remediation forces MFA to be required, whereas administrator remediation requires admin intervention. User risk policies are triggered for users that have specific risk levels due to issues such as password leaks.
https://learn.microsoft.com/training/modules/azure-ad-identity-protection/5-sign-risk-policy?ns-enrollment-type=learningpath&ns-enrollment-id=learn.wwl.manage-identity-access
You need to delegate the ability to configure sign-in risk policies. The solution must follow the principle of least privilege.
Which role should you assign?
A. Conditional Access Administrator
B. Security Administrator
C. Authentication Policy Administrator
D. Authentication Administrator
B.
Security administrators have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure AD Identity Protection, Azure AD authentication, Azure Information Protection (AIP), and Office 365 Security & Compliance Center.
https://learn.microsoft.com/azure/active-directory/roles/delegate-by-task