az-500 exam questions part II Flashcards

1
Q

Your customer is planning to migrate its on-premises data center to Microsoft Azure. The customer wants to make sure that company employees can keep using the same username and password that they use in the on-premises environment. Your security administrator would like to automate the detection of identity-based risks.

Which authentication should you recommend?

A

Azure AD password hash synchronization is the simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.

2
Q

Which of the rule types below should you configure in Azure Firewall to allow incoming internet connections?

A

There are three types of rule collections:

Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.

Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.

NAT rules: Configure DNAT rules to allow incoming Internet connections.

3
Q

You are designing an application that may only be accessed from specific locations. Users who access the application from any other location must be blocked. Which Azure Active Directory (Azure AD) license should you use, keeping license costs minimal, to fulfill this requirement?

A

Premium P1

4
Q

NSG: is ping TCP traffic?

A

No

5
Q

What is the minimum number of rules and action groups that you require?

A

3 rules and 1 action group

6
Q

The security department wants to protect an Azure SQL database connection string. Which solution should they use?

A

Azure AD managed identity

7
Q

If SSPR is enabled, you must select at least one of the following options:

A

Mobile app notification

Mobile app code

Email

Mobile phone

Office phone

Security questions

8
Q

You have an Azure SQL database named Db1 that runs on an Azure SQL server named SQLserver1.

You need to ensure that your team members can use the query editor on the Azure portal to query Db1.

What should you do?

A

The query editor uses ports 443 and 1443 to communicate. Ensure you have enabled outbound HTTPS traffic on these ports. You also need to add your outbound IP address to the server’s allowed firewall rules to access your databases.

9
Q

Are Tags administrative operations?

A

No

10
Q

What type of access is needed to get a secret out of the key vault?

A

GET

11
Q

A company has an Azure subscription and an Azure AD directory. They want to ensure an Azure AD user has the privilege to stop and start Azure virtual machines in the subscription. The solution must use the principle of least privilege.

Which of the following would you implement for this requirement?

A

You first create a JSON file that contains the custom role definition. Then create the role with the New-AzRoleDefinition cmdlet, and finally assign the role to the user with the New-AzRoleAssignment cmdlet.

12
Q

Which tool can you use to connect to the container via a shared access signature?

A

You can use Azure Storage Explorer to work with both the blob service and the file service.

13
Q

Which tool can you use to connect to the file share via a shared access signature?

A

You can use Azure Storage Explorer to work with both the blob service and the file service.

14
Q

You need to configure auditing for the Azure SQL database. Which of the following storage accounts can be used as the audit log destination?

A

Audit data can be stored in blob storage or general-purpose storage accounts. They just need to be in the same region as the SQL database.

15
Q

You need to configure auditing for the Azure SQL database. Which of the following Log Analytics Workspaces can be used as the audit log destination?

A

The Log Analytics workspace can be in any region to store the audit data.

16
Q

JIT: Which of the following is the minimum permission that needs to be granted to the users for the virtual machine?

A

Read

17
Q

What port does PowerShell use?

A

For PowerShell access, the port number is 5986.

18
Q

For which of the following network interfaces can you configure application security groups?

A

Application security groups are a region-specific resource. They can only be associated with NICs in the same region as the application security group. And once you associate an application security group with one network interface in an Azure virtual network, that application security group can only be associated with network interfaces in the same Azure virtual network.

19
Q

Your company is planning on using Azure Resource Manager templates to deploy Azure virtual machines. The company wants to ensure that unused Windows features are automatically disabled as instances are being provisioned.

Which feature should you use for this requirement?

A

You can use Azure security policies to ensure this requirement is met.

20
Q

What are the three steps of PIM?

A

First you need to consent to using PIM. During this process you will need to verify your identity by using multi-factor authentication.

You then need to sign up PIM for Azure AD roles.

21
Q

You decide to implement an Azure Automation runbook that would rotate the keys of the storage account and store them in the key vault.

Which of the following steps would you implement for this requirement? Choose 3 answers from the options given below

A

First you create the Automation account. Then import the required PowerShell modules into the Azure Automation account. And then create a connection resource in the Azure Automation account.

22
Q

What are the requirements to restore keys/secrets in Azure Key Vault (AKV)?

A

You can restore the secrets and keys only into key vaults that are in the same Azure geography and subscription.

23
Q

For JIT, what are the requirements in terms of NSGs?

A

A network security group needs to be assigned at the subnet level or the network interface level to enable Just-In-Time access.

24
Q

A company has an Azure subscription and an Azure AD tenant. A developer develops an application named stagingapp. The application is registered in Azure AD. The application needs to access secrets in an Azure Key vault on behalf of the application users. Which of the following would you configure for the application?

A

Here, since the permission is going to be based on the user's permissions for Azure resources, we need to use delegated permissions. And we can ensure that admin consent is not required when accessing the key vault.

25
Q

You are planning on collecting events from Azure virtual machines onto a Log Analytics workspace. You have to create various alerts based on the collected events. Which of the following services can be used to create the alerts? Choose 2 answers from the options given below

A

You can create alerts in Azure Monitor based on the data collected in the Log Analytics workspace. You can also create alerts based on analytics rules available in Azure Sentinel.

26
Q

You have a set of Azure subscriptions that are linked to a single Azure Active Directory tenant. You create an Azure policy initiative named SecurityInitiative. You also have a set of role assignments that need to be configured on all new resource groups. You have to enforce the security policy and the role assignments. Which of the following would you implement for this requirement? Choose 3 answers from the options given below

A

First create an Azure Blueprint definition. This will contain the policy and role assignments.

Next publish the Azure Blueprint version.

And then finally assign the Azure Blueprint.