AZ-500 Exam Questions Flashcards

1
Q

You manage external guest users in an Azure AD tenant. The tenant uses the default settings.

Which capability is available to the guest users?

Select only one answer.

A. Invite other guests.

B. Read all directory information.

C. Register new applications.

D. Read subscriptions.
A

A

By default, guest users can invite other guests. They are unable to read all directory information, register new applications, or read subscriptions.

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

2
Q

2.

You are configuring Azure AD risk policies.

You need to configure a policy that minimizes the impact on user experience while following the Zero Trust architecture.

Your users are not registered for multi-factor authentication (MFA), and self-service password reset (SSPR) is disabled.

What should you do?

A. Set the user risk policy threshold to high

B. Set the user risk policy threshold to low

C. Allow self-remediation options

D. Set the sign-in risk policy to low
A

A

Choosing a high threshold reduces the number of times a policy is triggered and minimizes the impact on users. Setting the sign-in risk policy to low introduces more user interrupts. Self-remediation requires MFA and SSPR. As they are unavailable, administrator intervention is required. Setting the user risk policy to low introduces more user interrupts.

3
Q

3.

You manage Azure AD for a retail company.

You need to ensure that employees using shared Android tablets can use passwordless authentication when accessing the Azure portal.

Which authentication method should you use?

A. The Microsoft Authenticator App

B. Windows Hello for Business

C. Security Keys

D. Windows Hello
A

A

You can only use the Microsoft Authenticator app or one-time password login on shared devices. Windows Hello can only be used on Windows devices. You cannot use security keys on shared devices.

https://learn.microsoft.com/en-us/training/modules/azure-active-directory/12-passwordless

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment

4
Q

You need to configure passwordless authentication. The solution must follow the principle of least privilege. Which role should you assign to complete the task?

A. Global Administrator

B. Security Administrator

C. Authentication Policy Administrator

D. Authentication Administrator
A

A.

Configuring authentication methods requires Global Administrator privileges. Security Administrators have permissions to manage other security-related features. Authentication Policy Administrators can configure the authentication methods policy, tenant-wide multi-factor authentication settings, and the password protection policy. Authentication Administrators can set or reset any authentication method, including passwords, for non-administrators and some roles.

5
Q

You have an Azure AD tenant.

You need to recommend a passwordless authentication solution.

Which three authentication methods should you include in the recommendation? Each correct answer presents a complete solution.

A. Windows Hello For Business

B. OATH Software Tokens

C. FIDO2 Security Keys

D. SMS verification

E. The Microsoft Authenticator app

F. Voice call verification
A

A C E

Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app all support passwordless authentication. The remaining options do not support passwordless authentication.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment

https://learn.microsoft.com/en-us/training/modules/manage-user-authentication/

6
Q

6.

You have an Azure subscription that contains the following resources:

  • Two virtual networks:
      • VNet1: Contains two subnets
      • VNet2: Contains three subnets
  • Virtual machines: Connected to all the subnets on VNet1 and VNet2
  • A storage account named storage1

You need to identify the minimal number of service endpoints that are required to meet the following requirements:

  • Virtual machines that are connected to the subnets of VNet1 must be able to access storage1 over the Azure backbone.
  • Virtual machines that are connected to the subnets of VNet2 must be able to access Azure AD over the Azure backbone.

How many service endpoints should you recommend?

A. 2

B. 3

C. 4

D. 5
A

D.

A service endpoint is configured for a specific service at the subnet level. Based on the requirements, you need to configure two service endpoints for Microsoft.Storage on VNet1 because VNet1 has two subnets, and three service endpoints for Microsoft.AzureActiveDirectory on VNet2 because VNet2 has three subnets. The minimum number of service endpoints that you must configure is 5.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

7
Q

You have a workload in Azure that uses a virtual machine named VM1. VM1 is in a resource group named RG1.

You need to create and assign an identity to VM1 that will be used to access Azure resources. Other virtual machines must be able to use the same identity.

Which PowerShell script should you run?

A. New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID
$vm = Get-AzVM -ResourceGroupName RG1 -Name VM1
Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VMID"

B. New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID
$vm = Get-AzVM -ResourceGroupName RG1 -Name VM1
Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VM1"

C. $vm = Get-AzVM -ResourceGroupName RG1 -Name VM1
Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType SystemAssigned

D. $vm = Get-AzVM -ResourceGroupName RG1 -Name VM1
Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType SystemAssignedUserAssigned

A

A.

Only user-assigned managed identities can be shared by different Azure resources. Once a managed identity is created, you need to update the virtual machines to use the identity by passing its resource ID.

https://learn.microsoft.com/en-us/training/modules/application-security/6-managed-identities

https://learn.microsoft.com/en-us/powershell/module/az.compute/update-azvm?view=azps-10.0.0&viewFallbackFrom=azps-9.2.0

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm#code-try-9

8
Q

You have an Azure AD tenant. All the users in the tenant have Windows devices that are Azure AD-joined.

You need to implement Azure AD Multi-Factor Authentication (MFA). The solution must ensure that Azure MFA can be used without internet access or mobile network availability.

Which authentication method should you use?

A. Windows Hello for Business

B. OATH software tokens

C. Voice call verification

D. Windows Hello for Business
A

A, D

FIDO2 incorporates the Web Authentication (WebAuthn) specification. Users can register, and then select a FIDO2 security key at sign-in as their main means of authentication. FIDO2 security keys are typically USB devices but can also be Bluetooth or NFC. OATH software tokens and voice call verification are unsupported as a primary authentication method. Windows Hello for Business can be used as a primary authentication method and can be installed on a device that uses NFC.

https://learn.microsoft.com/en-us/training/modules/manage-user-authentication/2-administer-fido2-passwordless-authentication-methods

9
Q

You create an access review for a select number of groups in Azure AD for all users that have access to your tenant. You configure the review to automatically apply results to resources.

After running the review, you notice that a user that should have been removed from a group is still part of the group.

Why is the user still in the group?

A. The user is a part of the Compliance Administrator role.

B. The user is a guest user.

C. The group is a Windows AD group.

D. The group is an Azure AD group.

A

C.

The group is a Windows AD group and access reviews can only manage Azure AD groups. Guest users and users that are part of the Compliance Administrator role can be removed, and access reviews can manage Azure AD groups.

https://learn.microsoft.com/azure/active-directory/governance/create-access-review

10
Q

You need to ensure that users signing in to the Azure portal are prompted to sign in every 48 hours.

What should you configure?

A. Conditional Access Sign-in frequency
B. Conditional Access App Control
C. Conditional Access Persistent browser session
D. Azure AD Privileged Identity Management (PIM)

A

A.

Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. Conditional Access App Control and PIM do not allow the control of authentication session management. A persistent browser session allows users to remain signed in after closing and reopening their browser window.

https://learn.microsoft.com/en-us/training/modules/azure-ad-identity-protection/10-conditional-access-conditions

11
Q

You create a role by using the following JSON.

{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/*"]
}

A user that is part of the new role reports that they are unable to restart a virtual machine by using a PowerShell script.

What should you do to ensure that the user can restart the virtual machine?

Select only one answer:

A. Instruct the user to sign out and back in to their account.

B. Ask the user to restart the virtual machine by using the Azure portal.

C. Add Microsoft.Compute/*/read to the list of Actions in the role.

D. Add Microsoft.Compute/virtualMachines/login/action to the list of DataActions in the custom role.
A

C.

The role needs read access to virtual machines to restart them. The user does not need to authenticate again for the role to be in effect, and the user will not be able to access the virtual machine from the portal. Adding Microsoft.Compute/virtualMachines/login/action to the list of DataActions in the role allows the user to sign in as a user, but not to restart the virtual machine.

https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

12
Q

You have an Azure virtual machine named VM1 that runs Windows Server 2022.

A programmer is writing code to run on VM1. The code will use the system-assigned managed identity assigned to VM1 to access Azure resources.

Which endpoint should the programmer use to request the authentication token required to access the Azure resources?

A. Azure AD v1.0

B. Azure AD v2.0

C. Azure Instance Metadata Service

D. Azure Resource Manager (ARM)
A

C.

Azure Instance Metadata Service is a REST endpoint accessible to all IaaS virtual machines created via Azure Resource Manager (ARM). The endpoint is available at a well-known non-routable IP address (169.254.169.254) that can be accessed only from the virtual machines. The endpoint is used to request the authentication token required to gain access to the Azure resources. Azure AD v1.0 and Azure AD v2.0 endpoints are used to authenticate work and school accounts, not managed identities. The ARM endpoint is where the authentication token is sent by the code once it is obtained from the Azure Instance Metadata Service.

https://learn.microsoft.com/en-us/training/modules/application-security/2-microsoft-identity-platform

https://learn.microsoft.com/en-us/training/modules/application-security/6-managed-identities

13
Q

13.

You create a web API and register the API as an Azure AD application.

You need to expose a function in the API to ensure that administrators must provide consent to apps that use the API.

What should you add to your app registration?

A. A scope

B. An application ID URI

C. A permission

D. A client application

A

A.

A scope is used to request consent to run a given function in an API. An application ID URI does not handle permissions, a permission is used to allow an application to access the scope created in another app, and a client application allows an application to use the API.

https://learn.microsoft.com/en-us/training/modules/application-security/

14
Q

You create an Azure AD app registration.

You need to consent to the use of a given API in your app for all users.

What should you add to your app registration?

A. a scope

B. an application ID URI

C. a permission

D. a client application
A

C.

A permission allows the application to use a given API. A scope is used to request consent to run a given function on an API. An application ID URI does not handle permissions.

https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

15
Q

15.

You have Azure web apps named App1 and App2.

You need to ensure that App1 and App2 use the same identity.

Which identity type should you use?

A. A user-assigned managed identity

B. A system-assigned managed identity

C. A service principal with password-based authentication

D. A service principal with certificate-based authentication

A

A.

A user-assigned managed identity can be associated with more than one Azure resource. Creating a system-assigned managed identity cannot be pre-authorized. Creating a service principal with password-based authentication or certificate-based authentication involves the use of credentials.

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

16
Q

You have an Azure storage account named sa1 that has a container named container1.

You create an Azure AD user named User1.

You need to ensure that User1 can create data in container1.

Which role should you assign to User1?

A. Storage Blob Data Contributor

B. Storage Blob Delegator

C. Storage Account Contributor

D. Classic Storage Account Contributor

A

A.

Storage Blob Data Contributor can write to containers. Storage Blob Delegator allows the delegation of access keys. Storage Account Contributor allows the management of storage accounts, but not access to the data. Classic Storage Account Contributor allows the management of classic storage accounts, but not the access to the data.

https://learn.microsoft.com/azure/role-based-access-control/custom-roles

17
Q

You have a resource group named RG1 that contains an Azure virtual network named VNet1. A user named User1 is assigned the Contributor role for RG1.

You need to prevent User1 from modifying the properties of VNet1.

What should you do?

A. Apply a read-only lock to the RG1 scope

B. Remove the Contributor role assignment from VM2

C. Add a deny assignment for Microsoft.Compute/virtualMachines/* in the VM1 scope.

D. Assign User1 the Virtual Machine User Login role in the RG1 scope.

A

A.

A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. The RBAC assignment is set at the resource group level and inherited by the resource. The assignment needs to be edited at the original scope (level). You cannot directly create your own deny assignments. Assigning User1 the Virtual Machine User Login role in the RG1 scope will still allow User1 to have access as a contributor to restart VM1.

https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#considerations-before-applying-locks

18
Q

You have an Azure subscription named Sub1 that is linked to an Azure AD tenant. The tenant contains a user named Admin1.

Sub1 contains an Azure Policy definition assignment named Assignment1. The definition includes the deployIfNotExists effect.

You need to grant Admin1 permission to include a remediation task for Assignment1. The solution must use the principle of least privilege.

Which role should you assign to Admin1?

A. Contributor

B. Owner

C. Resource Policy Contributor

D. Compliance Administrator

A

C.

Resource Policy Contributor grants permissions to create and modify resource policy, create support tickets, and read resources and hierarchy. Owner grants full rights, which violates the principle of least privilege. Contributor does not have sufficient permissions. Compliance Administrator is an Azure AD role, not an Azure RBAC role.

https://learn.microsoft.com/training/modules/enterprise-governance/7-azure-rbac-vs-azure-policies

19
Q

19.

You create an application named App1 in an Azure tenant.

You need to host the application as a multitenant application for any users in Azure, while restricting non-Azure accounts.

You need to allow administrators in other Azure tenants to add the application to their gallery.

Which CLI command should you run?

A. az ad app create --display-name app1 --sign-in-audience AzureADandPersonalMicrosoftAccount

B. az ad app create --display-name app1 --sign-in-audience AzureADMultipleOrgs

C. az webapp auth openid-connect add -r rg1 -n app1 --provider-name p1

D. az webapp auth-classic update -r rg1 -n app1 --action LoginWithAzureActiveDirectory

A

B.

The correct CLI command allows the application to provide SSO for Azure AD users in any tenant. The CLI commands requiring a web app do not create a gallery entry for the application and configuring the sign-in audience to Azure AD and personal Microsoft accounts does not restrict users to only Azure accounts.

https://learn.microsoft.com/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create

20
Q

You have an Azure virtual network named VNet1. VNet1 is in a resource group named RG1. VNet1 contains the following two subnets:

  • Subnet1: 10.0.1.0/24
  • Subnet2: 10.0.2.0/24

You need to configure access to a storage account named sa1 in a resource group named RG2. The solution must ensure that sa1 can only be accessed from Subnet2.

What should you run?

A. az storage account network-rule add --resource-group "RG1" --account-name "SA1" --ip-address "10.0.2.0"

B. az storage account network-rule add --resource-group "RG2" --account-name "SA1" --ip-address "10.0.2.0/24"
az storage account update --default-action deny --name sa1 --resource-group RG2

C. az network nsg rule create -g RG1 --nsg-name NSG1 -n RULE1 --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --destination-port-ranges '*' --direction Outbound --access Allow --protocol Tcp

D. az network nsg rule create -g RG1 --nsg-name NSG1 -n RULE1 --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --destination-port-ranges '*' --direction Outbound --access Allow --protocol Udp

A

B.

The correct CLI command adds a rule to allow access from the 10.0.2.0/24 subnet to the storage account. The resource group should be for RG2, not RG1. The CLI commands that create network security group (NSG) rules simply allow the entire virtual network to send requests to all storage endpoints.

https://learn.microsoft.com/training/modules/network-security/

21
Q

21.

You have a workload in Azure that uses multiple virtual machines and Azure functions to access data in a storage account.

You need to ensure that all access to the storage account is done by using a single identity. The solution must reduce the overhead of managing the identity.

Which type of identity should you use?

A. user

B. Group

C. user-assigned managed identity

D. system-assigned managed identity

A

C.

A user-assigned managed identity can be shared across Azure resources, and its credential rotation is handled by Azure. A user needs to manually handle password changes. You cannot use a group as a service principal. Multiple Azure resources cannot share a system-assigned managed identity.

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

22
Q

Your company opens a new office.

You need to allow a user named Admin1 to manage user and group accounts for the new office only.

Which type of resource should you create?

A. Resource Group

B. Management Group

C. Administrative Unit

D. Security Group

A

C.

An administrative unit can contain only users, groups, and devices. You can also give role management rights to the resources in an administrative unit. Resource groups cannot contain users, groups, or devices. Management groups can only contain other management groups or subscriptions. Departments are used for billing.

https://learn.microsoft.com/training/modules/azure-active-directory/8-azure-active-directory-administrative-units

23
Q

You configure Azure AD to use multi-factor authentication (MFA) by using the Microsoft Authenticator app.

You need to ensure that users are required to use the Microsoft Authenticator app when accessing Azure from new devices or locations.

Which type of Azure AD Identity Protection policy should you create?

A. user risk policy with self-remediation

B. user risk policy with administrator remediation

C. sign-in risk policy with self-remediation

D. sign-in risk policy with administrator remediation

A

C.

By using a sign-in risk policy with self-remediation, a sign-in risk is detected when users access their account from a different device or location, and self-remediation forces MFA to be required, whereas administrator remediation requires admin intervention. User risk policies are triggered for users that have specific risk levels due to issues such as password leaks.

https://learn.microsoft.com/training/modules/azure-ad-identity-protection/5-sign-risk-policy?ns-enrollment-type=learningpath&ns-enrollment-id=learn.wwl.manage-identity-access

24
Q

You need to delegate the ability to configure sign-in risk policies. The solution must follow the principle of least privilege.

Which role should you assign?

A. Conditional Access Administrator

B. Security Administrator

C. Authentication Policy Administrator

D. Authentication Administrator

A

B.

Security administrators have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure AD Identity Protection, Azure AD authentication, Azure Information Protection (AIP), and Office 365 Security & Compliance Center.

https://learn.microsoft.com/azure/active-directory/roles/delegate-by-task

25
Q

25.

You are creating an Azure AD app registration. You are configuring credentials for the app registration and have the following requirements:

  • Ensure that the credentials are not transmitted during authentication.
  • Ensure that the credentials are stored securely.
  • Ensure that credential usage follows the principle of least privilege.

What should you do?

A. Use certificate credentials

B. Use password credentials

C. Use multiple credentials in one app

D. Commit credentials in code

A

A.

Using certificate credentials ensures that the credentials are not transmitted during authentication, that they are stored securely, and that the credential usage follows the principle of least privilege.

https://learn.microsoft.com/azure/active-directory/develop/security-best-practices-for-app-registration

26
Q

26.

You have an Azure AD tenant that uses the default settings.

You are configuring the Azure AD External collaboration settings.

You need to ensure that only users that are assigned Azure AD administrative roles can invite guests.

What should you do?

A. Enable Security Defaults

B. Set Admins and users in the guest inviter role can invite to Yes

C. Set Guest user access restrictions to Guest user access is restricted to properties and memberships of their own directory objects.

D. In User Permissions, set members can invite to No.

A

B.

Setting Admins and users in the guest inviter role can invite to Yes allows users to invite guests. Security defaults do not affect guest invitation privileges. The Guest user access is restricted to properties and memberships of their own directory objects setting does not affect guests’ permissions to invite guests. Setting Members can invite to Yes allows non-admin members of your directory to invite guests. Another setting can still override this one.

https://learn.microsoft.com/azure/active-directory/fundamentals/users-default-permissions

27
Q

27.

You have an Azure SQL database, an Azure key vault, and an Azure App Service web app.

You plan to encrypt SQL data at rest by using Bring Your Own Key (BYOK).

You need to create a managed identity to authenticate without storing any credentials in the code. The managed identity must share the lifecycle with the Azure resource it is used for.

What should you implement?

A. a system-assigned managed identity for an Azure SQL logical server

B. a system-assigned managed identity for Azure Key Vault

C. a system-assigned managed identity for an Azure web app

D. a user-assigned managed identity

A

C.

To use the managed identity for accessing the encryption key in Key Vault, the identity needs to be set at the Azure SQL logical server level. The managed identity needs to be granted access to the key vault, not vice versa. The web app having a managed identity does not enable encryption at rest by using BYOK. The user-assigned managed identity has an independent lifecycle and must be deleted explicitly.

https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-identity?view=azuresql

28
Q

28.

You have Azure web apps named App1 and App2.

You need to ensure that App1 and App2 use the same identity.

Which identity type should you use?

A. a user-assigned managed identity

B. a system-assigned managed identity

C. a service principal with password-based authentication

D. a service principal with certificate-based authentication

A

A.

A user-assigned managed identity can be associated with more than one Azure resource. Creating a system-assigned managed identity cannot be pre-authorized. Creating a service principal with password-based authentication or certificate-based authentication involves the use of credentials.

https://learn.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals

29
Q

29.

You have an Azure AD tenant that uses the default settings.

You need to prevent users from a domain named contoso.com from being invited to the tenant.

What should you do?

A. Edit the Collaboration restrictions settings.

B. Enable security defaults.

C. Deploy Azure AD Privileged Identity Management (PIM).

D. Edit the Access review settings.

A

A.

After you edit the Collaboration restrictions settings, if you try to invite a user from a blocked domain, you cannot. Security defaults and PIM do not affect guest invitation privileges. By default, the Allow invitations to be sent to any domain (most inclusive) setting is enabled. In this case, you can invite B2B users from any organization.

https://learn.microsoft.com/azure/active-directory/external-identities/allow-deny-list

30
Q

You plan to provide connectivity between Azure and your company’s datacenter.

You need to define how to establish the connection. The solution must meet the following requirements:

  • All traffic between the datacenter and Azure must be encrypted
  • Bandwidth must be between 10 and 100 Gbps

A. ExpressRoute with a provider

B. ExpressRoute Direct

C. Azure VPN Gateway

D. VPN Gateway with Azure virtual WAN

A

B.

ExpressRoute Direct can provide up to 100 Gbps and uses MACsec for Layer 2 encryption. ExpressRoute with a provider does not allow for MACsec encryption and can only use up to 10 Gbps. VPN Gateway and VPN Gateway with Virtual WAN cannot support a bandwidth over 1 Gbps.

https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about

31
Q

You have an Azure subscription that contains a network security group (NSG) named NSG1.

You plan to add a security rule named Rule1 to NSG1 that will allow incoming RDP traffic.

You need to ensure that the other security rules of NSG1 cannot override Rule1.

Which priority setting should you use for Rule1?

A. 0

B. 1

C. 100

D. 1000

E. 65000

A

C.

The priority setting for a security rule can be a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, which results in lower numbers having a higher priority. Once traffic matches a rule, processing stops. To ensure that other rules cannot override Rule1, you must configure Rule1 to have the highest priority, which means that it must be configured with a priority of 100.

https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview

32
Q

You have an Azure subscription that contains the following resources:

  • A virtual machine named VM1 that has a network interface named NIC1
  • A virtual network named VNet1 that has a subnet named Subnet1
  • A public IP address named PubIP1
  • A load balancer named LB1

You create a network security group (NSG) named NSG1.

To which two resources can you associate NSG1? Each correct answer presents a complete solution.

A. VM1

B. NIC1

C. VNet1

D. Subnet1

E. PubIP1

F. LB1

A

B, D

You can associate an NSG to a virtual network subnet and network interface only. You can associate zero or one NSGs to each virtual network subnet and network interface on a virtual machine. The same NSG can be associated to as many subnets and network interfaces as you choose.

https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works

33
Q

You have an Azure subscription that contains the following resources:

A web app named WebApp1 in the West US Azure region
A virtual network named VNet1 in the West US 3 Azure region
You need to integrate WebApp1 with VNet1.

What should you implement first?

A. peering

B. Azure Front door

C. a service endpoint

D. a VPN gateway

A

D.

WebApp1 and VNet1 are in different regions and cannot use regional integration; you can use only gateway-required virtual network integration. To be able to implement this type of integration, you must first deploy a virtual network gateway in VNet1.

https://learn.microsoft.com/azure/app-service/overview-vnet-integration

34
Q

You have an Azure subscription that contains a virtual network named VNet1.

VNet1 contains the following subnets:

Subnet1: Has a connected virtual machine
Subnet2: Has a Microsoft.Storage service endpoint
Subnet3: Has subnet delegation to the Microsoft.Web/serverFarms service
Subnet4: Has no additional configurations
You need to deploy an Azure SQL managed instance named managed1 to VNet1.

To which subnets can you connect managed1?

A. Subnet4 only

B. Subnet2 and Subnet4 only

C. Subnet3 and Subnet4 only

D. Subnet2, Subnet3, and Subnet4 only

E. Subnet1, Subnet2, Subnet3, and Subnet4

A

D.

You can deploy an SQL managed instance to a dedicated virtual network subnet that does not have any resource connected. The subnet can have a service endpoint or can be delegated for a different service. For this scenario, you can deploy managed1 to Subnet2, Subnet3, and Subnet4 only. You cannot deploy managed1 to Subnet1 because Subnet1 has a connected virtual machine.

https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql&tabs=current

35
Q

35.

You have an Azure subscription that contains a virtual machine named VM1. VM1 runs a web app named App1.

You need to protect App1 by implementing Web Application Firewall (WAF).

What resource should you deploy?

A. Azure Firewall

B. Azure Application Gateway

C. Azure Traffic Manager

D. Azure Front Door

A

B.

WAF is a tier of Application Gateway. If you want to deploy WAF, you must deploy Application Gateway and select the WAF or WAF V2 tier.

https://learn.microsoft.com/training/modules/network-security/8-azure-application-gateway

36
Q

36.

You are evaluating the Azure Policy configurations to identify any required custom initiatives and policies.

You need to run workloads in Azure that are compliant with the following regulations:

FedRAMP High
PCI DSS 3.2.1
GDPR
ISO 27001:2013
For which regulation should you create custom initiatives?

Select only one answer.

A. FedRAMP High

B. PCI DSS 3.2.1

C. GDPR

D. ISO 27001:2013

A

C.

To run workloads that are compliant with GDPR, custom initiatives need to be created. GDPR compliance initiatives are not yet available in Azure. Azure has existing initiatives for ISO 27001:2013, PCI DSS 3.2.1, and FedRAMP High.

https://learn.microsoft.com/training/modules/enterprise-governance/

37
Q

37.

You have the following security policy deployed to an Azure subscription.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
        "equals": "true"
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
You successfully deploy a new storage account.

Which statement is true?

Select only one answer.

A. Usage of Azure AD authentication is enforced.

B. Usage of the storage account shared key is allowed.

C. Accessing the data in the storage account is enabled for users that have the Storage Account Contributor role.

D. Accessing the data by using SAS tokens is disabled.

A

A.

Enforcing Azure AD authentication prevents using shared keys, and leaves only data plane RBAC as an authentication option. The policy prevents account shared keys for storage accounts. The Storage Account Contributor role is not a data plane RBAC role, but leverages shared keys. SAS tokens can still be created by using a delegated SAS model (Azure AD).

https://learn.microsoft.com/azure/governance/policy/concepts/effects

38
Q

38.

You are configuring an Azure Policy in your environment.

You need to ensure that any resources that are missing a tag named CostCenter inherit a value from a resource group.

You create a custom policy that uses the following snippet.

"policyRule": {
  "if": {
    "field": "tags['CostCenter']",
    "exists": "false"
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [{
        "operation": "addOrReplace",
        "field": "tags['CostCenter']",
        "value": "[resourcegroup().tags['CostCenter']]"
      }]
    }
  }
}
Which policy mode should you use?

Select only one answer.

A. indexed

B. all

C. Append

D. DeployIfNotExists

A

A.

indexed mode ensures that the policy skips resource groups. all includes resource groups, which cannot be nested. Append and DeployIfNotExists are policy effects.

https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure#resource-manager-modes

39
Q

39.

You have an Azure subscription that contains a user named Admin1.

You need to ensure that Admin1 can access the Regulatory compliance dashboard in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which two roles should you assign to Admin1? Each correct answer presents part of the solution.

A. Global Reader

B. Security Reader

C. Resource Policy Contributor

D. Security Admin

A

C, D

To use the Regulatory compliance dashboard in Defender for Cloud, you must have sufficient permissions. At a minimum, you must be assigned the Resource Policy Contributor and Security Admin roles.

https://learn.microsoft.com/training/modules/azure-security-center/

40
Q

Your company has a multi-cloud online environment.

You plan to use Microsoft Defender for Cloud to protect all supported online environments.

Which three environments support Defender for Cloud? Each correct answer presents a complete solution.

A. Amazon Web Services (AWS)

B. Oracle Cloud

C. GitHub

D. Azure DevOps

E. Alibaba Cloud

A

A, C, D

Defender for Cloud protects workloads in Azure, AWS, GitHub, and Azure DevOps. Oracle Cloud and Alibaba Cloud are unsupported by Defender for Cloud.

https://learn.microsoft.com/training/modules/azure-security-center/

41
Q

41.

You have an Azure subscription.

You need to recommend a solution that uses crawling technology of Microsoft to discover and actively scan assets within an online infrastructure. The solution must also discover new connections over time.

What should you include in the recommendation?

A. Microsoft Defender External Attack Surface Management (EASM)

B. Microsoft Defender for Server

C. The Microsoft cloud security benchmark (MCSB)

D. a Microsoft Defender for Cloud custom initiative

A

A.

Defender EASM applies the crawling technology of Microsoft to discover assets that are related to your known online infrastructure and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by applying vulnerability and infrastructure data to showcase the key areas of concern for your organization.

https://learn.microsoft.com/azure/defender-for-cloud/concept-easm

42
Q

You have Azure SQL databases that contain credit card information.

You need to identify and label columns that contain credit card numbers.

Which Microsoft Defender for Cloud feature should you use?

A. hash reputation analysis

B. SQL Servers on machines

C. SQL information protection

D. inventory filters

A

C.

SQL information protection allows you to identify and label data. Hash reputation analysis prevents suspicious files from being stored in Azure Storage, inventory filters are used to filter resources protected by Defender, and SQL Servers on machines protects Microsoft SQL Server running on virtual machines or on-premises machines.

https://learn.microsoft.com/azure/defender-for-cloud/sql-information-protection-policy?tabs=sqlip-azuresql

43
Q

43.

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1.

You need to protect AKS1 by using Microsoft Defender for Cloud.

Which Defender plan should you use?

A. Microsoft Defender for Containers

B. Microsoft Defender for Servers

C. Microsoft Defender for App Service

D. Microsoft Defender for Resource Manager

A

A.

Defender for Containers is a cloud-native solution used to secure your containers so that you can improve, monitor, and maintain the security of your clusters, containers, and their applications. AKS clusters run containers, and because of this, they can be protected by using Defender for Containers.

https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes

44
Q

You configure a Linux virtual machine to send Syslog data to Microsoft Sentinel.

You notice that events for the virtual machine are duplicated in Microsoft Sentinel.

You need to ensure that the events are not duplicated.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Remove the entry used to send CEF messages from the Syslog configuration file for the virtual machine.

B. Stop the Syslog daemon on the virtual machine.

C. Disable the synchronization of the Log Analytics agent with the Syslog configuration in Microsoft Sentinel.

D. Enable the Syslog daemon to listen to network messages.

E. Disable the Syslog daemon from listening to network messages.

A

A, C

You must disable CEF messages on the virtual machine and prevent the setting to send CEF messages from being re-added. Stopping the Syslog daemon on the virtual machine will stop the virtual machine from sending both Syslog and CEF messages. Enabling the Syslog daemon to listen and disabling the Syslog daemon from listening to network messages do not handle the duplication of events.

https://learn.microsoft.com/training/modules/azure-sentinel/

45
Q

45.

You have an Azure solution that uses a key in Azure Key Vault to encrypt data stored in an Azure SQL database.

You need to design a solution that automatically generates a new key in SQL and stores it in the key vault whenever the key vault requires a key rotation. The solution must minimize costs.

What should you include in the solution?

A. Azure Event Grid and Azure Functions

B. Azure Event Grid and a web app

C. Log Analytics and Azure Functions

D. Log Analytics and a web app

A

A

Event Grid can capture key rotation events from Key Vault and trigger an Azure function to generate a new key in SQL and store it in Key Vault. A web app can get events from Event Grid to create and rotate a key, but it costs more than using Azure Functions. Log Analytics cannot trigger a function.

https://learn.microsoft.com/azure/key-vault/secrets/tutorial-rotation

46
Q

46.

You are designing an Azure solution that stores encrypted data in Azure Storage.

You need to ensure that the keys used to encrypt the data cannot be permanently deleted until 60 days after they are deleted. The solution must minimize costs.

What should you do?

A. Store keys in an HSM-protected key vault that has soft delete enabled.

B. Store keys in an HSM-protected key vault that has soft delete and purge protection enabled.

C. Store keys in a software-protected key vault that has soft delete enabled and purge protection disabled.

D. Store keys in a software-protected key vault that has soft delete and purge protection enabled.

A

D

Purge protection prevents keys from being permanently deleted for a certain number of days, and software-protected key vaults are less expensive than HSM-protected key vaults. Without purge protection, the keys are not protected from being permanently deleted for 60 days. An HSM-protected key vault is more expensive than a software-backed key vault.

https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview

47
Q

47.

You are designing a solution that must meet FIPS 140-2 Level 3 compliance in Azure.

Where should the solution maintain encryption keys?

A. an Azure SQL Managed Instance database

B. a software-protected Azure key vault

C. an HSM-protected Azure key vault

D. a managed HSM

A

D

A managed HSM is Level 3-compliant. An HSM-protected key vault is Level 2-compliant. A software-protected key vault is Level 1-compliant. SQL is not FIPS 140-2 Level 3 compliant.

https://learn.microsoft.com/azure/key-vault/keys/about-keys

48
Q

48.

You need to implement a key management solution that supports importing keys generated in an on-premises environment. The solution must ensure that the keys stay within a single Azure region.

What should you do?

A. Implement Azure Key Vault Managed HSM.

B. Implement Azure Key Vault Firewall.

C. Apply the Keys should be the specified cryptographic type RSA or EC Azure policy.

D. Disable the Allow trusted services option.

A

A

Key Vault Managed HSM supports importing keys generated in an on-premises HSM. Also, Managed HSM does not store or process customer data outside the Azure region in which the customer deploys the HSM instance. On-premises-generated keys are still managed the same way after implementing Key Vault Firewall. Enforcing HSM-backed keys does not require them to be imported. Disabling the Allow trusted services option does not have a direct impact on key importing.

https://learn.microsoft.com/azure/key-vault/managed-hsm/hsm-protected-keys-byok

49
Q

49.

You need to grant an application access to read connection strings stored in Azure Key Vault. The solution must follow the principle of least privilege.

Which role assignment should you use?

A. Key Vault Secrets User

B. Key Vault Crypto Officer

C. Key Vault Reader

D. Key Vault Secrets Officer

A

A.

Key Vault Secrets User allows read access to secret content. Key Vault Crypto Officer allows the user to perform actions on encryption keys, not secrets. Key Vault Reader allows the user to read the metadata of key vaults and its certificates, keys, and secrets, but not to read sensitive values, such as secret contents or key material. Key Vault Secrets Officer does not follow the principle of least privilege.

https://learn.microsoft.com/training/modules/azure-key-vault/

50
Q

50.

You are implementing an Azure Kubernetes Service (AKS) cluster for a production workload.

You need to ensure that the cluster meets the following requirements:

Provides the highest networking performance possible
Manages ingress traffic by using Kubernetes tools
What should you use?

A. Kubenet networking with Azure load balancers

B. Kubenet networking with ingress resources and controllers

C. CNI networking with Azure load balancers

D. CNI networking with ingress resources and controllers

A

D

CNI networking provides the best performance since it does not require IP forwarding and UDRs, and ingress controllers can be managed from within Kubernetes. Kubenet networking requires defined routes and IP forwarding, making the network slower. Azure load balancers cannot be managed by using Kubernetes tools.

https://learn.microsoft.com/azure/aks/operator-best-practices-network

51
Q

51.

Your company has an Azure subscription and an Amazon Web Services (AWS) account.

You plan to deploy Kubernetes to AWS.

You need to ensure that you can use Azure Monitor Container insights to monitor container workload performance.

What should you deploy first?

Select only one answer.

A. Azure Kubernetes Service (AKS)

B. AKS Engine

C. Azure Container Instances

D. Azure Stack HCI

E. Azure Arc-enabled Kubernetes

A

E

Azure Arc-enabled Kubernetes is the only configuration that includes Kubernetes and can be deployed to AWS.

https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-overview

52
Q

52.

You have an Azure subscription.

You plan to use the az aks create command to deploy an Azure Kubernetes Service (AKS) cluster named AKS1 that has Azure AD integration.

You need to ensure that local accounts cannot be used on AKS1.

Which flag should you use with the command?

A. disable-local-accounts

B. kubelet-config

C. generate-ssh-keys

D. windows-admin-username

A

A

When deploying an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Azure AD integration, --admin access still exists, essentially as a non-auditable backdoor option. To disable local accounts on an AKS cluster, you should use the --disable-local-accounts flag with the az aks create command. The remaining options do not remove local accounts.

https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts

53
Q

53.

You have a storage account that contains multiple containers, blobs, queues, and tables.

You need to create a key to allow an application to access only data from a given table in the storage account.

Which authentication method should you use for the application?

Select only one answer.

A. shared

B. SAS

C. service SAS

D. user delegation SAS

A

C

A service SAS is the only type of authentication that provides control at the table level. User delegation SAS is only available for Blob storage. SAS and shared allow access to the entire storage account.

https://learn.microsoft.com/rest/api/storageservices/create-service-sas

54
Q

54.

You need to implement access control for Azure Files. The solution must provide the highest level of security.

What should you use?

Select only one answer.

A. SAS

B. a storage account key

C. Azure AD

A

C

Azure AD is supported by Azure Files and follows the principle of least privilege. SAS is unsupported by Azure Files. A storage account key is supported by Azure Files, but it does not follow the principle of least privilege.

55
Q

55.

You have an Azure Storage account.

You plan to prevent the use of shared keys by using Azure Policy.

Which two access methods will continue to work? Each correct answer presents a complete solution.

A. user delegation SAS

B. service SAS

C. account SAS

D. Storage Blob Data Reader role

A

A, D

The Storage Blob Data Reader role uses Azure AD to authenticate. User delegation SAS is a method that uses Azure AD to generate a SAS. Both methods work whether the shared keys are allowed or prevented. Service SAS and account SAS use shared keys to generate.

https://learn.microsoft.com/training/modules/storage-security/

56
Q

56.

You enable Always Encrypted for an Azure SQL database.

Which scenario is supported?

Select only one answer.

A. copying data from one column to another

B. encrypting existing data

C. creating columns that have the XML data type

D. using dynamic data masking

A

B

Encrypting existing data is supported. Always Encrypted uses the client driver to encrypt and decrypt data. This means that some actions that only occur on the server side will not work.

https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15

57
Q

57.

You need to allow only Azure AD-authenticated principals to access an existing Azure SQL database.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Add an Azure AD administrator.

B. Assign your account the SQL Security Manager built-in role.

C. Select Support only Azure Active Directory authentication for this server.

D. Connect to the database by using Microsoft SQL Server Management Studio (SSMS).

E. Connect to the database using the Azure portal.

A

A, B, C

Adding an Azure AD administrator and assigning your account the SQL Security Manager built-in role are prerequisites for enabling Azure AD-only authentication. Selecting Support only Azure AD authentication for this server enforces the Azure SQL logical server to use Azure AD authentication. A connection to the data plane of the logical server is not needed.

https://learn.microsoft.com/training/modules/sql-database-security/

58
Q

58.

You have an Azure SQL database that contains sensitive information.

You need to ensure that when sensitive information is queried by operators, the data is not fully displayed.

What should you enable for the database?

A. Transparent Data Encryption (TDE)

B. dynamic data masking

C. Always Encrypted

D. symmetric key encryption

A

B.

Dynamic data masking masks the data from users. TDE still allows users managing the database to see data. Always Encrypted saves the encrypted data and only the client driver can decrypt it. Symmetric key encryption uses keys stored in a SQL database, not the client application.

https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-configure-portal?view=azuresql

59
Q

59.

You implement dynamic data masking for an Azure Synapse Analytics workspace.

You need to provide only a user named User1 with the ability to see the data.

What should you do?

A. Create a Conditional Access policy for Azure SQL Database, and then grant access.

B. Use the ALTER TABLE statement to edit the masking function.

C. Use the ALTER TABLE statement to drop the masking function.

D. Grant the UNMASK permission to User1.

A

D

Granting the UNMASK permission to User1 removes the mask from User1 only. Creating a Conditional Access policy for Azure SQL Database, and then granting access is not enough for User1 to see the data, only to sign in. Using the ALTER TABLE statement to edit the masking function affects all users. Using the ALTER TABLE statement to drop the masking function removes the mask altogether.

https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview?view=azuresql

60
Q

60.

You have an application that will securely share files hosted in Azure Blob storage to external users. The external users will not use Azure AD to authenticate.

You plan to share more than 1,000 files.

You need to restrict access to only a single IP address for each file.

What should you do?

A. Generate a service SAS that includes the signedIP field.

B. Configure a storage account firewall.

C. Set the Allow public anonymous access to setting for the storage account.

D. Set the Secure transfer required setting for the storage account.

A

A

Generating a service SAS that includes the signedIP field allows a SAS to be generated by using an account key, and each SAS can be configured with an allowed IP address. Configuring the storage account firewall does not allow for more than 200 IP address rules. Setting the Allow public anonymous access setting for the storage account does not prevent access by an IP address. Setting the Secure transfer required property for the storage account prevents HTTP access, but it does not limit where the access request originates from.

https://learn.microsoft.com/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range

61
Q

You hire a new administrator and you create a new Azure AD user account for them. The new hire must be able to:

● Read/write resource deployments they are responsible for.
● Read Azure AD access permissions.

They should not be able to view Azure subscription information. What should you do?

Select one:

A. Assign the user the Contributor role at the resource group level.

B. Assign the user the Owner role at the resource level.

C. Assign the user the Global Administrator role.

D. Assign the user the Virtual Machine contributor role at the subscription level.

A

A.

Assign the user the Contributor role at the resource group level. The Contributor role is a built-in RBAC role in Azure. The Contributor role grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

62
Q

Which of the following would be a good example of when to use a resource lock?

Select one:

A. An ExpressRoute circuit with connectivity back to your on-premises network.

B. A virtual machine used to test occasional application builds.

C. A storage account used to store images processed in a development environment.

D. A resource group for a new branch office that is just starting up.

A

A.

An ExpressRoute circuit with connectivity back to your on-premises network. This would be considered a critical resource. Applying a resource lock would prevent other users from accidentally deleting or modifying critical resources.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

63
Q

You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your solution must minimize administrative overhead. What should you do?

A. Assign the user to the Contributor role on the resource group.

B. Assign the user to the Contributor role on VM3.

C. Move VM3 to a new resource group and assign the user to the Contributor role on VM3.

D. Assign the user to the Contributor role on the resource group, then assign the user to the Owner role on VM3.

A

B.

Assign the user to the Contributor role on VM3. This means the user will not have access to VM1 or VM2. Assigning the Contributor role on the current resource group is incorrect, as it would allow the new hire to change the settings on VM1 and VM2 and therefore would not meet the requirements.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

64
Q

You need to target policies and review spend budgets across several subscriptions you manage. What should you create for the subscriptions?

A. A billing group

B. A management group

C. A nested resource group

D. A policy initiative

A

B.

A management group can be used to organize and manage subscriptions.

65
Q

Your manager asks you to explain how Azure uses resource groups. You can provide all of the following information, except?
Select one:

A. Resources can be in only one resource group.

B. Resources can be moved from one resource group to another resource group.

C. Resource groups can be nested.

D. Role-based access control can be applied to the resource group.

A

C.

Resource groups can be nested. This statement is false: resource groups cannot be nested.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal

66
Q

Your compliance auditors want to ensure that as employees change jobs or leave the company, their privileges are also changed or revoked. They are especially concerned about the Administrator group. To address their concerns, you implement which of the following?

A. Access reviews

B. Azure time-based policies

C. JIT virtual machine access

D. Management groups

A

A.

Access reviews. Access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access.

https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

67
Q

67.

Your organization has implemented Azure Multi-Factor Authentication. You need to provide a status report by user account. Which of the following is not a valid MFA status?

A. Disabled

B. Enabled

C. Enforced

D. Required

A

D.

Required is not valid. MFA has three user states: Enabled, Enforced, and Disabled.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

68
Q

You are configuring Azure Multi-Factor Authentication. You can configure all the following options, except?

A. Block a user if fraud is suspected.

B. Configure IP addresses outside the company intranet that should be blocked

C. One time bypass for a user that is locked out.

D. User self-reporting of fraud attempts on their account.

A

B.

Configure IP addresses outside the company intranet that should be blocked. Trusted IPs is a feature to allow federated users or IP address ranges to bypass two-step authentication. The Trusted IPs bypass works only from inside of the company intranet. Azure Conditional Access provides additional options if needed.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

69
Q

69.

You are assigning Azure AD roles. Which role will allow the user to manage all the groups in a tenant and be able to assign other admin roles?

A. Global administrator

B. Password administrator

C. Security administrator

D. User administrator

A

A.

Global administrator. Only the global administrator can manage groups across tenants and assign other administrator roles.

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

70
Q

70.

You are creating an Azure AD security group. All the following are ways you can assign group membership, except?

A. Assigned

B. Dynamic device

C. Dynamic user

D. Microsoft 365 user

A

D.

Microsoft 365 User. When you create an Azure AD group you can select: Assigned, Dynamic device, or Dynamic user. Assigned lets you add members directly to the group. Dynamic device uses rules to automatically add and remove devices. Dynamic user uses rules to automatically add and remove members.

https://learn.microsoft.com/en-us/microsoft-365/community/all-about-groups

71
Q

Which licensing plan supports Identity Protection?

A. Azure Active Directory Free

B. Active Directory Premium P1

C. Azure Active Directory Premium P2

A

A.

Identity Protection helps you configure risk-based conditional access for your applications to protect them from identity-based risks.

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

72
Q

You wish to enable Azure AD PIM for your directory. What Azure AD Role do you need to enable PIM?

A. PIM Administrator

B. Office 365 Admin

C. Co-Administrator

D. Global Admin

A

D.

Global Admin. Of the options listed, only the Global Admin role has the permission to enable PIM.

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

73
Q

Your company has implemented Azure AD PIM. You need to ensure that new hires request elevation before they make any changes in Azure. What should you do?
Select one:

A. Activate the new hire.

B. Assign the new hire the Eligible role membership type.

C. Include the new hire in an access review.

D. Require the new hire to use MFA.

A

B.

Assign the new hire the Eligible role membership type. When someone is Eligible for role membership, they must request activation before they can use the role.

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

74
Q

74.

Azure AD PIM is used to manage which two of the following?

A. Azure privileged users

B. Azure resource groups

C. Azure AD roles

D. Azure resource roles

A

C, D

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

75
Q

75.

Your organization has enabled Azure AD PIM. The senior IT manager does not want to perform any action to use a role. What should you do?

Select one:

A. Give the manager JIT access to the role.

B. Make the manager Permanent Active in the role.

C. Make the manager Assigned to a role.

D. Make the manager Permanent Eligible in the role.

A

B.

Make the manager Permanent Active in the role. This type of role assignment doesn’t require a user to perform any action to use the role.

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings

76
Q

76.

Your IT helpdesk wants to reduce password reset support tickets. You suggest having users sign in to both on-premises and cloud-based applications using the same password. Your organization does not plan on using Azure AD Identity Protection, so which feature would be easiest to implement given the requirements?

A. Federation

B. Pass-through authentication

C. Password hash synchronization

D. Password writeback

A

B.

Pass-through authentication. Pass-through Authentication (PTA) allows your users to sign in to both on-premises and cloud-based applications by using the same passwords. PTA signs users in by validating their passwords directly against on-premises Active Directory. PTA does not provide Azure AD Identity Protection leaked credential reports.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-pta

77
Q

77.

Your organization has a security policy that prohibits exposing SSH ports to the outside world. You need to connect to an Azure Linux virtual machine to install software. What should you do?

A. Configure the Bastion service

B. Configure a Guest configuration on the virtual machine

C. Create a custom script extension

D. Work offline and then reimage the virtual machine.

A

A.

Configure the Bastion service. The Azure Bastion service provides secure and seamless RDP and SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address.

78
Q

78.

You need to ensure your virtual machines are kept up to date with security patches. Update Management includes all of the following except?
Select one:

A. Azure Automation uses runbooks to install updates.

B. The Microsoft Monitoring Agent must be installed for both Windows and Linux virtual machines.

C. Update Management is available at no additional cost (except log data storage).

D. Update Management only pertains to cloud deployed virtual machines.

A

D.

Update Management only pertains to cloud deployed virtual machines. Update Management also pertains to virtual machines in on-premises environments and in other cloud environments.

79
Q

79.

Which of the following is not a High severity Security Center recommendation for virtual machines and servers?

A. Disk encryption should be applied on virtual machines

B. Install endpoint protection solution on virtual machines

C. System updates should be installed on your machines.

D. OS version should be updated for your cloud service roles.

A

B.

Install endpoint protection solution on virtual machines. This is a Medium severity recommendation.

80
Q

80.

Your SQL database administrator has recently read about SQL injection attacks. They ask you what can be done to minimize the risk of this type of attack. You suggest implementing which of the following features?
Select one:

A. Advanced Threat Protection

B. Data Discovery and Classification

C. Dynamic Data Masking

D. Transparent Data Encryption

A

A.

Advanced Threat Protection. Advanced Threat Protection is an Advanced Data Security feature for databases. The feature provides alerts when a potential attack, like SQL injection, occurs.

81
Q

81.

Your organization provides a Help Desk for its customers. Service representatives need to identify callers using the last four digits of their credit card number. You need to ensure the complete credit card number is not fully exposed to the service representatives. Which of the following features do you implement?
Select one:

A. Always Encrypted

B. Data Classification

C. Dynamic Data Masking

D. Transparent Data Encryption

A

C.

Dynamic Data Masking. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. This feature enables customers to designate how much of the sensitive data to reveal.

82
Q

82.

Your organization auditors need to be assured that sensitive database data always remains encrypted at rest, in transit, and in use. You assure the auditors this is being done because you have configured which feature?

A. Always Encrypted

B. Disk Encryption

C. Dynamic Data Masking

D. Transparent Data Encryption

A

A.

Always Encrypted. Always Encrypted helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use. Always Encrypted ensures that sensitive data never appears as plaintext inside the database system. After you configure data encryption, only client applications or app servers that have access to the keys can access plaintext data. Always Encrypted uses the AEAD_AES_256_CBC_HMAC_SHA_256 algorithm to encrypt data in the database.

83
Q

83.

You have an App Service web application that uses a SQL database. Users need to authenticate to the database with their Azure AD credentials. You perform all the following tasks, except?
Select one:

A. Create a SQL Database Administrator

B. Create an Azure AD Database Administrator

C. Create users in the Master db

D. Map database users to Azure AD identities

A

C.

Create users in the Master db. You cannot create users in the master database. Instead, contained users should be created in each database.

84
Q

What type of firewall rules can you configure for an Azure SQL database?
Select all that apply:

A. Datacenter-level firewall rules

B. Server-level firewall rules

C. Azure-level firewall rules

D. Table-level firewall rules

E. Database-level firewall rules

A

B, E

Server-level firewall rules, Database-level firewall rules. Server-level IP firewall rules enable clients to access your entire Azure SQL Database—that is, all the databases within the same SQL Database server. These rules are stored in the master database. Database-level IP firewall rules enable clients to access certain secure databases within the same SQL Database server. You can create these rules for each database (including the master database), and they are stored in the individual databases.

85
Q

You need to provide a contingent staff employee temporary read-only access to the contents of an Azure storage account container named “Media”. It is important that you grant access while adhering to the security principle of least privilege. What should you do? Select one:

A. Set the public access level to container.

B. Generate a shared access signature (SAS) token for the container.

C. Share the container entity tag (Etag) with the contingent staff member.

D. Configure a Cross-Origin Resource Sharing (CORS) rule for the storage account.

A

B.

You should generate a SAS token for the container. The SAS can provide read-only access.

86
Q

Your company has both a development and production environment. The development environment needs time-limited access to storage. The production environment needs unrestricted access to storage resources. You need to configure storage access to meet the requirements. What should you do? Each answer presents part of the solution. Select two:

A. Use shared access signatures for the development apps.

B. Use shared access signatures for the production apps.

C. Use access keys for the development apps.

D. Use access keys for the production apps.

E. Use Stored Access Policies for the production apps.

F. Use Cross Origin Resource Sharing for the development apps.

A

A, D

Shared access signatures provide a way to provide more granular storage access than access keys. For example, you can limit access to “read only” and you can limit the services and types of resources. Shared access signatures can be configured for a specified amount of time, which meets the scenario’s requirements. Access keys provide unrestricted access to the storage resources, which is the requirement for production apps in this scenario.

87
Q

Your company is being audited. It is not known how long the audit will take, but during that time files must not be changed or removed. It is okay to read or create new files. What should you do? Each correct answer is required for the solution. Select two:

A. Add a time-based retention policy to the blob container.

B. Add legal hold retention policy to the blob container.

C. Configure a retention time period of 2 weeks with an option to renew.

D. Identify a tag for the items that are being protected.

A

B, C

Add a legal hold retention policy to the blob container. Identify a tag for the items that are being protected. If the retention interval is not known, users can set legal holds to store immutable data until the legal hold is cleared. When a legal hold policy is set, blobs can be created and read, but not modified or deleted. Each legal hold is associated with a user-defined alphanumeric tag (such as a case ID, event name, etc.) that is used as an identifier string.

88
Q

88.

You are configuring an Azure File share for the business group. Which of the following is not true? Select one:

A. Azure Files can authenticate to Azure Active Directory Domain Services.

B. Azure Files can authenticate to on-premises Active Directory Domain Services.

C. Azure Files can use RBAC for share-level or directory/file permissions.

D. Azure Files uses SMB.

A

C.

Azure Files can use RBAC for share-level or directory/file permissions. Only share-level permissions can use RBAC. Directory- or file-level permissions use Windows DACLs, not RBAC.

89
Q

89.

You are configuring Secure transfer required. Your Compliance office wants to know more about this feature. You provide all the following information, except? Select one:

A. Requests to storage can be HTTPS or HTTP.

B. Requests to storage must be SMB with encryption.

C. By default, new storage accounts have secure transfer required enabled.

D. Azure storage doesn’t support HTTPS for custom domain names.

A

A.

Requests to storage can be HTTPS or HTTP. When Secure transfer required is enabled all requests must be HTTPS.

90
Q

90.

You install Azure Bastion on a Windows Server 2019 VM in your Azure virtual network. You must connect via RDP and SSH only when access is required and for the time needed. You need to access several Windows Server 2019 VMs and Linux VMs that run different applications.

What else should you configure?

A) Enable JIT on Azure Bastion for three hours of access.
B) Apply a network security group (NSG) to the Azure Bastion subnet.
C) Add a public IP address to be shared among the VMs.
D) Enable JIT on VMs for four hours of access.

A

D

In the given scenario, you would enable just-in-time (JIT) access on the VMs for a set number of hours. JIT allows a user to access a VM only when user access is required, only on the required ports, and only for the necessary duration. You can enable JIT for VMs using the Azure portal, Azure PowerShell, or REST API. You can specify the time for which access is required. The default period is three hours. The choice has JIT enabled for four hours, which is different from the default, but the default setting would also work in this scenario.

You would not enable JIT on Azure Bastion for three hours of access in the given scenario. JIT is enabled on VMs, not on Azure Bastion. Azure Bastion is a service that lets you access VMs using the browser and the Azure portal or via the SSH or RDP client installed on your workstation.

In the given scenario, you would not add a public IP address to be shared among the VMs. Using a private IP address, you can connect to VMs in the virtual network via SSH or RDP via Bastion. Connecting to a VM does not require a public IP address, client software agent, or unique configuration.

You would not apply an NSG to the Azure Bastion subnet in the given scenario. The NSGs applied to the VMs can only be configured to allow RDP/SSH from Azure Bastion.

Objective:
Secure compute, storage, and databases

Sub-Objective:
Plan and implement advanced security for compute

References:

Microsoft Learn > Azure > Security > Microsoft Defender for Cloud > Secure your management ports with just-in-time access

Microsoft Learn > Azure > Networking > What is Azure Bastion?

Microsoft Learn > Azure > Networking > Tutorial: Deploy Bastion using specified settings

91
Q

As a software architect, you have to design a shopping site. You want to have it online as a web application and as a mobile application, and there might be other projects in the future. Azure should manage user identities. There should be the possibility to support Facebook login and the option to brand a login page.

What should you use?

A) Azure AD B2C

B) ASP.NET Identity

C) Microsoft Entra ID

D) Azure AD B2B

A

A

You should use Azure AD B2C because Azure AD B2C provides business-to-customer identity as a service, using social, enterprise, or local account identities to authenticate and log in to applications. Azure AD B2C is a cloud identity management solution for web and mobile apps that supports OpenID Connect, OAuth 2.0, and SAML. Users can register with their e-mail ID or by using social media providers such as Google, Facebook, Twitter, and LinkedIn.

You should not choose Microsoft Entra ID, because Microsoft Entra ID is a directory service that serves organizations and their needs for identity management in the cloud. You can develop authentication and authorization against Microsoft Entra ID. Microsoft Entra ID does not directly integrate with social media providers unless you use Azure AD B2C.

You would not choose Azure AD B2B because that is only a feature of Microsoft Entra ID. It allows an organization to grant users from other tenants access to the organization’s own applications and services.

You would not choose ASP.NET Identity. Although it supports logging in with Facebook, the requirement is that user identities are to be managed by Azure.

Objective:
Manage identity and access

Sub-Objective:
Manage Microsoft Entra identities

References:

What is Azure Active Directory B2C? | Microsoft Learn

92
Q

92.

An Azure administrator has disabled the default option that enables all users to register applications. There is a request to assign permissions to some developers to allow them to create and manage enterprise applications and application registrations but exclude the ability to manage application proxies.

Which of the following actions should you perform to grant the request?

A) Add the developers to the Cloud Application Administrator role.
B) Create a custom role.
C) Add the developers to the Application Developer role.
D) Add the developers to the Application Administrator role.

A

A

You should add the developers to the Cloud Application Administrator role because this role has the required permissions to create and manage enterprise applications and application registrations and excludes the ability to manage application proxies.

You should not add the developers to the Application Administrator role because users in this role can create and manage enterprise applications and application registrations and can also manage application proxies.

You should not add the developers to the Application Developer role because users in this role can only create application registrations.

You should not create a custom role because there is no need for one. The Cloud Application Administrator role fulfills the requirements of the scenario. Creating a custom role could meet the requirements, but custom roles are for scenarios where the default roles do not meet the requirements.

Objective:
Manage identity and access

Sub-Objective:
Manage Microsoft Entra authorization

References:

Azure AD built-in roles - Microsoft Entra | Microsoft Learn

93
Q

93.

Your company’s developers started creating secrets in Azure Key Vault. They can see and enter new values for their secrets. Their application is hosted in the App Service and needs to read secrets from Key Vault.

You need to ensure that the application in the App Service can read secrets from Key Vault. The solution must be associated only with this App Service.

What should you do?

A) Enable Private Endpoints.
B) Enter the IP address of App Service in the Key Vault firewall.
C) Enable user-assigned managed identity.
D) Enable system-assigned managed identity.

A

You should choose to enable a system-assigned managed identity because App Service needs to authenticate when accessing Key Vault. A system-assigned managed identity is only associated with the respective Azure resource and is deleted when the resource is deleted. It cannot be shared.

You should not enable a user-assigned managed identity because it can be shared and associated with multiple resources. Thus, it cannot be associated with the App Service only.

You should not enable Private Endpoints. A private endpoint could be associated with a single or multiple resources. In this scenario, we do not have any requirement for virtual network integration of resources.

You should not enter the IP address of App Service in the Key Vault firewall because the key vault is public in PaaS by default, and the scenario has to do with authentication issues, not with accessing the IP address of the App Service.

Objective:
Manage identity and access

Sub-Objective:
Manage Microsoft Entra identities

References:

Managed identities for Azure resources - Microsoft Entra | Microsoft Learn

94
Q

A company had multiple Azure virtual machines (VMs) with public IP addresses, and users were using RDP through the public IP addresses. The Azure VMs have been moved behind the Azure Firewall, and users are no longer able to RDP to these VMs.

What should you create to enable users to connect to the Azure VMs behind the Azure Firewall via Remote Desktop Protocol (RDP)?

A) Application rules
B) Network rules
C) Service tag
D) NAT rules

A

D.

You should create network address translation (NAT) rules with Azure Firewall Destination Network Address Translation (DNAT) to translate the public IP address and port to a private IP address and port. A NAT allows you to use private IP addresses behind a firewall. A user uses a private address on the subnet behind a firewall, but that private address is translated to a public address to connect to the Internet. A NAT may make a one-to-one translation from a private IP address to a public address, but typically all private IP addresses use a single public address to connect to the Internet. Each VM behind the NAT will use a unique source port along with the public IP address. You can use a NAT rule to allow RDP, SSH, or non-HTTP/S applications from the Internet to connect to VMs behind the firewall.

You would not choose a service tag. A service tag can be used with a network security group (NSG), which filters network traffic to and from Azure resources in an Azure virtual network. A service tag minimizes complexity with rules in an NSG by representing IP address prefixes from a given Azure service.

You would not choose network rules because they are used to enable communication for any non-HTTP/S traffic through subnets.

You would not choose application rules because they are used to define fully qualified domain names that can be accessed from a subnet.

Objective:
Secure networking

Sub-Objective:
Plan and implement security for virtual networks

References:

Filter inbound Internet traffic with Azure Firewall DNAT using the portal | Microsoft Learn

95
Q

You are a system administrator for Verigon, Inc. You have business-critical applications that run in an Azure environment. You want to create an Azure Kubernetes Service (AKS) cluster using kubenet networking using the Azure CLI. You plan to create and use your own VNet and route table with the kubenet network plugin.

You already have an Azure virtual network named VNet1 with a subnet of 192.168.0.0/16. You have created a resource group named AKSResourceGrp.

What should you do next?

A) Create an ingress resource.

B) Create an AKS cluster with a user-assigned managed identity.

C) Create an Azure Load Balancer resource.

D) Create an AKS cluster with a system-assigned managed identity.

A

B.

In the given scenario, you would create an AKS cluster with a user-assigned managed identity. You can use the following Azure CLI command to create the cluster named AKSCluster:

az aks create \
--resource-group AKSResourceGrp \
--name AKSCluster \
--network-plugin kubenet \
--vnet-subnet-id $SUBNET_ID \
--enable-managed-identity \
--assign-identity <identity-resource-id>

You should have a user-assigned managed identity to create a VNet and use a routing table with the kubenet network plugin. Either a user-assigned managed identity or a system-assigned managed identity is supported if you need to use your own route table with the kubenet network plugin. Still, Microsoft highly recommends a user-assigned managed identity for bring-your-own (BYO) scenarios such as creating your own VNets and route tables.

You would not create an AKS cluster with a system-assigned identity in the given scenario. Microsoft highly recommends a user-assigned managed identity when creating and using your own VNet and route table with the kubenet network plugin. When creating an AKS cluster using a system-assigned managed identity, the Network Contributor role is automatically assigned to the system identity by the Azure CLI once the AKS cluster has been created.

You would not create an ingress resource in the given scenario. Ingress controllers route HTTP traffic to different applications on the inbound URL. You have to create an ingress resource in AKS, but you have to create the AKS cluster first. When HTTP application routing is enabled for the AKS cluster, Azure creates the ingress and external DNS controllers.

You would not create an Azure Load Balancer resource in the given scenario. You would configure a load balancer to distribute traffic to the pods in your service on a given port.

Objective:
Secure compute, storage, and databases

Sub-Objective:
Plan and implement advanced security for compute

https://learn.microsoft.com/en-us/azure/aks/concepts-network

https://learn.microsoft.com/en-us/azure/aks/configure-kubenet

96
Q

96.

Your organization, Verigon Inc., has a hybrid environment that includes an on-premises Active Directory (AD) and Microsoft Entra ID. All your Azure devices are onboarded to Microsoft Defender for Cloud.

You have a business-critical on-premises server that processes and stores sensitive information and must comply with regulatory requirements. You want to use Microsoft Defender for Cloud to monitor the non-Azure (on-premises) server.

To achieve the objective, you are in the process of connecting the non-Azure business-critical servers with Azure Arc-enabled servers. You have ensured that all the prerequisites are in place.

What should you do FIRST?

A) Verify the connection with Azure Arc.

B) Use the Azure portal to generate the script to automate the agent download and installation and establish connectivity with Azure Arc.

C) Install the Azure Connected Machine agent on the business-critical server.

D) Register the Microsoft.HybridCompute and Microsoft.HybridConnectivity resource providers with your Azure subscription.

A

B.

You would first generate the installation script. You can use the Azure portal to create a script that automates the Azure Connected Machine agent download and installation and establishes connectivity with Azure Arc. Follow these steps to generate the script:

  1. From the Azure portal, go to the Add servers with Azure Arc page, click the Add a single server tile, and then click Generate Script (as shown in the exhibit).
  2. On the Prerequisites page, ensure that you read and meet the requirements. Click Next.
  3. On the Resource details page, provide details such as the region to store the server’s metadata, the operating system of the server, and the connectivity method to the Internet for the Azure Connected Machine agent. Then click Next.
  4. Review the default Physical location tags and enter the values on the Tags page, and then click Next.
  5. In the Download or copy the following script section, read the script, make any necessary changes, and save the script file by clicking Download.

Registering the Microsoft.HybridCompute and Microsoft.HybridConnectivity resource providers with your Azure subscription is not the first step. This action is a prerequisite that must be met before you start the configuration for connecting hybrid machines with Azure Arc-enabled servers. You must ensure the Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity, and Microsoft.AzureArcData resource providers are registered on your subscription.

Installing the agent on the business-critical server is not the first step you would perform. You would install the agent using the script on the business-critical server post-generation of the script. After running the script, the Connected Machine agent will download from the Microsoft Download Center and the agent will install it on the server. In this process, the Azure Arc-enabled server resource is created and associated with the agent.

Verifying the connection with Azure Arc is not the first step you would perform. This step is performed post-installing the agent on the business-critical on-premises server. You would configure the agent to connect to Azure Arc-enabled servers, then verify the connection status of the server from the Azure portal (as shown in the exhibit).

Objective:
Manage security operations

Sub-Objective:
Manage security posture by using Microsoft Defender for Cloud

References:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages

https://learn.microsoft.com/en-us/azure/azure-arc/servers/learn/quick-enable-hybrid-vm

97
Q

You are the Azure SQL administrator. You have 195 databases in your Azure Subscription. Fifty of the databases contain confidential data. You need to add a new administrator to these 50 databases and make sure that the login process for that administrator is confidential and secure.

What should you do?

A) Enable Advanced Data Security.

B) Enable Auditing.

C) Create a script that uses the CREATE ADUSER statement for the 50 databases.

D) Provision a Microsoft Entra ID administrator for your managed SQL instance.

E) Make sure that Multifactor Authentication (MFA) is enabled to that user.

F) Add a global masking rule in Dynamic Data Masking.

G) Create a script that uses the CREATE LOGIN statement for the 50 databases.

A

D, E, G.

The solution is to use Multifactor Authentication (MFA). To enable MFA, you need to provision a Microsoft Entra ID administrator for your managed SQL instance, and then you need to create logins to each database.

To provision a Microsoft Entra ID administrator for your managed instance in the Azure portal, you need to find the appropriate SQL managed instance. Select the banner on the top of the Active Directory admin page and grant permission to the current user. You can also perform this action via PowerShell.

You cannot create a script that uses a CREATE ADUSER statement for the 50 databases. There is a T-SQL statement named CREATE USER that can create a login for an Active Directory account, but there is not a T-SQL statement named CREATE ADUSER.

You should not enable auditing. This action will allow you to track transactions, logins, and updates, but will not resolve the issue of adding a SQL administrator to a database.

You should not enable Advanced Data Security. This action will detect unusual activities, but will not resolve the issue of adding a SQL administrator to a database.

You should not add a global masking rule in Dynamic Data Masking. This action will protect data, but will not resolve the issue of adding a SQL administrator to a database.

Objective:
Secure networking

Sub-Objective:
Plan and implement security for private access to Azure resources

https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-mfa-ssms-overview?view=azuresql

98
Q

Your organization, Verigon Inc., has an on-premises setup and an Azure subscription. You have enabled Defender for Servers for your subscription, which includes 1,000 Windows 11 virtual machines and 100 Windows Server 2022 virtual machines.

You have observed an enormous number of vulnerability assessment findings. You want to ignore findings with “Low” severity and findings that are non-patchable.

What should you do?

A) Configure the Log Analytics agent to ignore the “Low” severity findings and findings that are non-patchable.

B) Use Azure Arc-enabled servers to ignore the “Low” severity findings and findings that are non-patchable.

C) Filter the findings from the portal to ignore the “Low” severity findings and findings that are non-patchable.

D) Disable specific findings by creating a rule to ignore the “Low” severity findings and findings that are non-patchable.

A

D

You would disable specific findings by creating a rule to ignore the “Low” severity findings and findings that are non-patchable. When you want to skip the findings rather than remediating them, you can choose to disable them. Disabling the findings will not impact your secure score or generate unnecessary noise. The following lists typical findings that are disabled:

Low severity findings.
Non-patchable findings.
Findings with a CVSS score of 6.5 or below.
Findings with specific text in the security check (such as RedHat).

To create the disable-finding rule, you must have permission to edit a policy in Azure Policy. You can create a disable rule from the Azure portal. From the recommendation’s detail page, click Disable rule, select the relevant subscription scope, provide the necessary information (as shown in the exhibit), and click Apply rule.

You cannot filter the findings to ignore the “Low” severity findings and findings that are non-patchable. You can use the filter option to view findings for specific machines, but it will not let you ignore the findings.

The Log Analytics agent does not filter the data it collects. You would install the Log Analytics agent on the machines to collect logs and performance data from the Azure virtual machines or hybrid machines hosted outside Azure.

Azure Arc-enabled servers do not filter data. Azure Arc is a control plane that allows you to centrally manage your entire IT environment, including non-Azure and on-premises resources, from Azure Resource Manager. You can also manage virtual machines, Kubernetes clusters, and databases as if running in Azure.

Objective:
Manage security operations

Sub-Objective:
Configure and manage threat protection by using Microsoft Defender for Cloud

References:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/remediate-vulnerability-findings-vm

Azure Arc - Training | Microsoft Learn

99
Q

You are a network administrator for Nutex. Your organization has an on-premises network named OnPremNet and is planning to deploy an Azure virtual network (VNet) named VNet1. You decide to establish an IPsec/IKE VPN connection from OnPremNet to VNet1 over the private peering of an Azure ExpressRoute circuit. Below is the partial exhibit before implementation.

Which of the following tasks should you perform and in what sequence to establish ExpressRoute connectivity with an ExpressRoute circuit and private peering, and establish the VPN connectivity? Order the tasks in the correct sequence:

Create a local network gateway

Create a site for the on-premises network.

Create a virtual WAN and hub with gateways

Get the private IP addresses for the hub VPN gateway.

View the virtual WAN and Monitor the connection.

Update the VPN connection setting to use ExpressRoute.

A

In the given scenario, you have an on-premises network and will be deploying VNet1. You must perform the following tasks in sequence to establish ExpressRoute connectivity with an ExpressRoute circuit and private peering, and establish the VPN connectivity:

  1. Create a virtual WAN and hub with gateways.
  2. Create a site for the on-premises network.
  3. Update the VPN connection setting to use ExpressRoute.
  4. Get the private IP addresses for the hub VPN gateway.
  5. View the virtual WAN and monitor the connection.

For the given scenario, below is the complete diagram post-implementation:

Routing between OnPremNet and VNet1 must be configured carefully, because the same prefixes are reachable both over the ExpressRoute private peering and over the IPsec/IKE tunnel that runs on top of it; the purpose of the tunnel is to encrypt traffic that ExpressRoute private peering would otherwise carry unencrypted.

You download the VPN device configuration from the hub to obtain the private IP addresses of the hub VPN gateway. Those private addresses, not public ones, are what the on-premises VPN device must be configured with, because the tunnel is established over the ExpressRoute private peering rather than over the internet.

Creating a local network gateway is not required in this scenario. Local network gateways belong to the Azure VPN Gateway (non-Virtual WAN) model; in Virtual WAN the on-premises network is represented by a VPN site, which is the second task in the sequence.

Objective:
Secure networking

Sub-Objective:
Plan and implement security for virtual networks

References:

https://learn.microsoft.com/en-us/azure/virtual-wan/vpn-over-expressroute

100
Q

100.

Your organization, Nutex Corporation, has an Azure subscription. They develop cloud applications and provide IT services to customers.

You have started using Azure Containers to package, deploy, and manage the cloud applications. You have deployed Azure Container Instances to run containers.

What should you do to lessen the threat of attacks on Azure Container Instances?

A) Configure Azure Container Instances to store and retrieve images from a public registry.

B) Configure Azure Container Instances to store and retrieve images from a private registry.

C) Configure Azure Key Vault for Azure Container Instances.

D) Identify potential vulnerabilities by scanning the container images.

A

B.

To lessen the threat of attacks on Azure Container Instances, you would configure it to store and retrieve images from a private registry. Images can be stored in a single or multiple repositories. Containers are built on these images. These repositories can be associated with a public or private registry. Container images have numerous layers, and several vulnerabilities may be associated with them. To lessen the threat of attacks on these vulnerabilities, you should store and fetch images from a private registry such as Docker Trusted Registry or Azure Container Registry.

In the given scenario, you would not configure Azure Container Instances to store and retrieve images from a public registry. You have no control over who publishes to a public registry or what the images contain, so images pulled from it may carry unvetted vulnerabilities; using a public registry for container images is therefore not recommended.

Identifying potential vulnerabilities by scanning the container images will not, on its own, lessen the threat of attacks on Azure Container Instances: scanning tells you what is vulnerable, but the exposure remains until the image is fixed or replaced. It is still an important control, so you should monitor and scan container images regularly. You can optionally integrate Azure Container Registry with Microsoft Defender for Cloud to scan Linux images automatically when they are pushed to a registry.

Configuring Azure Key Vault for Azure Container Instances will not help lessen the threat of attacks on Azure Container Instances. Azure Key Vault is used to store and control access to encryption keys and secrets. Vaults and managed HSM pools are the two types of containers that Azure Key Vault supports.

Microsoft provides security recommendations for Azure Container Instances, which include:

Using a private registry for container images.

Monitoring and scanning container images.

Securing credentials used to access container images.

Confirming only approved container images for use in your environment.

Allowing only approved registries.

Ensuring the integrity of images throughout the lifecycle.

Implementing the least privileges at runtime.

Lessening the container attack surface by removing unneeded privileges.

Creating a safelist of pre-approved files that the container can access or run.

Implementing network segmentation on running containers.

Monitoring container activity and user access.

Monitoring container resource activity.

Logging all container administrative user access for auditing.
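As an added example (not code from the page, from Microsoft, or from the Nutex scenario), the following Python pre-deployment check enforces two of the recommendations above on an Azure Container Instances container-group spec: pull only from approved private registries, and pin every image by digest so a mutable tag cannot be re-pointed at different contents. The registry name nutexregistry.azurecr.io, the sample spec and the digests are assumptions made up for the example; the reference parsing follows the registry/repository/tag/digest split a container runtime applies, including the Docker Hub defaulting rules, which is where most allowlist checks go wrong.

```python
"""Pre-deployment check for container image references.

Added example, not code from the page or from Azure. It enforces two of the
ACI recommendations: pull only from approved (private) registries, and pin
images by digest so the image cannot change underneath a mutable tag. The
registry name, the spec and the digests below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical private registry for Nutex; Docker Hub is deliberately absent.
APPROVED_REGISTRIES = {"nutexregistry.azurecr.io"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a Docker/OCI image reference the way a container runtime does.

    The first path component is a registry host only if it contains '.' or ':'
    or is 'localhost'; otherwise the image comes from Docker Hub (docker.io),
    where a single-segment name such as 'nginx' means 'library/nginx'.
    A naive "does the string start with my registry" check misses all of this.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if path.rfind(":") > path.rfind("/"):   # ':' after the last '/' is a tag, not a port
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str, approved=APPROVED_REGISTRIES) -> List[str]:
    """Return the policy violations for one image reference ([] means compliant)."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in approved:
        problems.append(f"registry '{img.registry}' is not an approved private registry")
    if img.digest is None:
        if img.tag in (None, "latest"):
            problems.append("floating 'latest' tag and no digest: contents can change at any pull")
        else:
            problems.append(f"tag '{img.tag}' is mutable; pin the image by digest")
    elif not DIGEST_RE.match(img.digest):
        problems.append(f"malformed digest '{img.digest}'")
    return problems


def audit_container_group(spec: dict) -> Dict[str, List[str]]:
    """Check every container in an ACI container-group spec (same layout as the
    YAML that 'az container create --file' accepts:
    properties.containers[].properties.image).
    Returns {container name: violations} for the non-compliant containers only."""
    findings = {}
    for c in spec["properties"]["containers"]:
        problems = check_image(c["properties"]["image"])
        if problems:
            findings[c["name"]] = problems
    return findings


# Constructed container-group spec: one compliant container, two that are not.
SAMPLE_SPEC = {
    "name": "nutex-api",
    "type": "Microsoft.ContainerInstance/containerGroups",
    "properties": {
        "osType": "Linux",
        "containers": [
            {"name": "api",
             "properties": {"image": "nutexregistry.azurecr.io/nutex/api:2.3@sha256:" + "a" * 64}},
            {"name": "cache",
             "properties": {"image": "redis:7"}},               # Docker Hub, no digest
            {"name": "sidecar",
             "properties": {"image": "nutexregistry.azurecr.io/nutex/sidecar:latest"}},
        ],
    },
}

if __name__ == "__main__":
    for name, problems in audit_container_group(SAMPLE_SPEC).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run as a CI gate, the audit fails the deployment when the returned dict is non-empty; the digest requirement is what gives "integrity of images throughout the lifecycle" teeth, because a digest-pinned reference cannot be silently replaced in the registry.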

Objective:
Secure compute, storage, and databases

Sub-Objective:
Plan and implement advanced security for compute

References:

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-image-security

https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security?tabs=azure-cli

https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts

101
Q

Your organization, Nutex Inc., has an on-premises and Azure environment. You have recently hosted a business-critical application in the Azure cloud. The application is configured to use an on-premises Hardware Security Module (HSM) key.

You want to securely transfer the key from the on-premises HSM to the HSM that backs your Azure Key Vault. You generate a Key Exchange Key (KEK) to begin the process of transferring the on-premises key.

What should you do next?

A) Run the Azure PowerShell cmdlet Set-AzKeyVaultAccessPolicy.

B) Import the protected target key directly to Azure Key Vault.

C) Retrieve the public key of the KEK.

D) Using the BYOK tool provided by the HSM provider, import the KEK into the target HSM, and export the target Key protected by the KEK.

A

C.

Retrieving the public key of the KEK would be the next step.

You would perform the following actions to perform a key transfer:

Generate KEK.
Locate the public key of the KEK.
Import the KEK into the target HSM and export the target key protected by the KEK, using the Bring Your Own Key (BYOK) tool provided by the HSM vendor.
Import the protected target key to Azure Key Vault.

To transfer a key, you would begin by generating the KEK. The az keyvault key create Azure CLI command creates a KEK with key operations set to import. The following creates a KEK named NutexKEKforBYOK for the vault NutexKeyVaultHSM:

az keyvault key create --kty RSA-HSM --size 4096 --name NutexKEKforBYOK --ops import --vault-name NutexKeyVaultHSM

Next, you would retrieve the public key portion of the KEK by using the az keyvault key download Azure CLI command. The following command writes the public key portion to a file with a .PEM extension:

az keyvault key download --name NutexKEKforBYOK --vault-name NutexKeyVaultHSM --file NutexKEKforBYOK.publickey.pem

Next, you would create a key transfer blob using the Bring Your Own Key (BYOK) tool provided by the HSM provider, which is stored as a file with a BYOK extension. You will need the .PEM file that contains the public key portion of the KEK as one of the inputs to the BYOK tool to create the transfer blob.

The next step is to import the key transfer blob as a new HSM-backed key into Azure Key Vault. Copy the .byok file from the offline workstation where the BYOK tool ran to a workstation with Azure connectivity, and from there run the Azure CLI az keyvault key import command with the .byok file to import the blob as a new HSM-backed key into Azure Key Vault. The KEK's private key never leaves the Key Vault HSM, which is what ensures the target key can only be unwrapped inside that HSM.

You would not run the Set-AzKeyVaultAccessPolicy cmdlet as the next step. That cmdlet manages a key vault's access policy; in the Azure Information Protection BYOK scenario it is used to enable key authorization by granting the Azure Rights Management service principal permissions to the key once the key is in the vault. That authorization can also be granted in the Azure portal.
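The following Python script is added here as an illustration and is not Microsoft's BYOK tooling, nor any HSM vendor's. It plays both ends of the transfer offline so the key transfer blob format can be inspected: the HSM-vendor-tool side wraps a target key under the KEK public key with the CKM_RSA_AES_KEY_WRAP construction the BYOK specification names (an ephemeral AES-256 key wrapped with RSA-OAEP under the KEK, the target key wrapped with AES Key Wrap with Padding, RFC 5649, the two concatenated and base64url-encoded into a JSON blob), and the Key Vault side unwraps it. Assumptions: the KEK private key is held in memory here purely so the unwrap can be shown (in Key Vault it never leaves the HSM); the target is a 256-bit symmetric (oct-HSM) key; the vault name and key identifier (kid) are made up; OAEP uses SHA-1 as that mechanism does in the specification (check the specification for the hash your vault expects); and the cryptography package must be installed.

```python
"""Build and unwrap a Key Vault BYOK key-transfer blob (CKM_RSA_AES_KEY_WRAP).

Added illustration, not Microsoft's or any HSM vendor's BYOK tool. Both roles
run in one process: the on-premises side wraps the target key under the KEK
public key, the Key Vault side unwraps it with the KEK private key (which in
reality is generated in, and never leaves, the Key Vault HSM).
Requires the 'cryptography' package. Names and the kid are made up.
"""
import base64
import json
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)

# RSA-OAEP parameters used to wrap the ephemeral AES key (SHA-1, per the mechanism).
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                         algorithm=hashes.SHA1(), label=None)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_kek(bits: int = 2048):
    """Stand-in for 'az keyvault key create --kty RSA-HSM --ops import'.
    2048 bits keeps the example fast; the spec also allows 3072 and 4096."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def kek_public_pem(kek) -> bytes:
    """What 'az keyvault key download --file ...publickey.pem' hands to the BYOK tool."""
    return kek.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)


def build_transfer_blob(kek_pem: bytes, kek_kid: str, target_key: bytes,
                        generator: str = "example-byok-tool 0.1") -> str:
    """HSM-vendor-tool side. CKM_RSA_AES_KEY_WRAP:
    1. generate an ephemeral 256-bit AES key
    2. wrap it with RSA-OAEP under the KEK public key
    3. wrap the target key with AES Key Wrap with Padding (RFC 5649)
    4. ciphertext = (2) || (3), base64url-encoded into the blob JSON
    """
    kek_pub = serialization.load_pem_public_key(kek_pem)
    aes_key = os.urandom(32)
    wrapped_aes = kek_pub.encrypt(aes_key, OAEP_SHA1)
    wrapped_target = aes_key_wrap_with_padding(aes_key, target_key)
    blob = {
        "schema_version": "1.0.0",
        "header": {"kid": kek_kid, "alg": "dir", "enc": "CKM_RSA_AES_KEY_WRAP"},
        "ciphertext": b64url(wrapped_aes + wrapped_target),
        "generator": generator,
    }
    return json.dumps(blob)


def unwrap_transfer_blob(kek, blob_json: str, expected_kid: str) -> bytes:
    """Key Vault HSM side of 'az keyvault key import --byok-file'."""
    blob = json.loads(blob_json)
    hdr = blob["header"]
    if (blob.get("schema_version") != "1.0.0" or hdr.get("alg") != "dir"
            or hdr.get("enc") != "CKM_RSA_AES_KEY_WRAP"):
        raise ValueError("unsupported transfer blob")
    if hdr.get("kid") != expected_kid:
        raise ValueError("blob was wrapped for a different KEK")
    ct = b64url_decode(blob["ciphertext"])
    rsa_len = kek.key_size // 8          # RSA-OAEP output is exactly modulus-sized
    aes_key = kek.decrypt(ct[:rsa_len], OAEP_SHA1)
    return aes_key_unwrap_with_padding(aes_key, ct[rsa_len:])   # raises on tampering


def demo() -> bool:
    """Full round trip; True when the unwrapped key equals the original."""
    kek = generate_kek()
    kid = "https://nutexkeyvaulthsm.vault.azure.net/keys/NutexKEKforBYOK/0123456789abcdef"
    target = os.urandom(32)              # constructed oct-HSM (AES-256) target key
    blob = build_transfer_blob(kek_public_pem(kek), kid, target)
    return unwrap_transfer_blob(kek, blob, kid) == target


if __name__ == "__main__":
    print("round-trip ok:", demo())
```

The kid check matters in practice: a blob is bound to one specific KEK version, so a KEK that is rotated or regenerated between the download step and the import step makes the blob useless, and the on-premises export has to be repeated.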

Objective:
Secure compute, storage, and databases

Sub-Objective:
Plan and implement security for storage

References:

https://learn.microsoft.com/en-us/azure/key-vault/keys/byok-specification

https://learn.microsoft.com/en-us/azure/information-protection/byok-price-restrictions

102
Q

The security team in your organization is becoming overburdened with a growing number and complexity of security incidents. They have decided to use playbooks with automation rules in Microsoft Sentinel to automate incident responses.

Which steps should they follow to implement a playbook?

Place the four steps in the correct order

Create a playbook.

Create an automation rule.

Add actions to a playbook.

Attach a playbook to an automation rule to automate threat response.

Create an alert.

Attach an alert to a playbook to automate threat response.

A

You should choose the following:

Create an automation rule.
Create a playbook.
Add actions to the playbook.
Attach the playbook to an automation rule to automate the threat response.
You would first create an automation rule. An automation rule helps automate assignments or make automatic changes to incidents.

You would then create a playbook. A playbook is a logic app that will respond to alerts or incidents. The playbook automates your response to an incident. It can be triggered by Microsoft Sentinel or run manually on-demand.

You must add actions to a playbook; this means adding actions in the logic app that will react to the alert or incident.

You would then attach the playbook to an automation rule to automate the threat response. The automation rule is the glue that will run when a new incident is generated.

Although a playbook can run in response to an alert, you do not need a separate alert for the playbook to run. A playbook attached to an automation rule uses the Microsoft Sentinel incident trigger; the automation rule invokes it when an incident is created (or updated), and that incident may itself have been created from an alert by an analytics rule.

Objective:
Manage security operations

Sub-Objective:
Configure and manage security monitoring and automation solutions

References:

https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC%2Cincidents