AZ-500 MS Learning Path Practice Test Questions - 1 Flashcards

1
Q

You plan to provide connectivity between Azure and your company’s datacenter. You need to define how to establish the connection. The solution must meet the following requirements:

  • All traffic between the datacenter and Azure must be encrypted.
  • Bandwidth must be between 10 and 100 Gbps.

What should you use for the connection?

A) Azure VPN Gateway
B) ExpressRoute Direct
C) ExpressRoute with a provider
D) VPN Gateway with Azure Virtual WAN

A

B) ExpressRoute Direct

ExpressRoute Direct supports up to 100 Gbps and uses MACsec for Layer 2 encryption. ExpressRoute with a provider does not allow MACsec encryption and supports at most 10 Gbps. VPN Gateway and VPN Gateway with Virtual WAN cannot support a bandwidth over 1 Gbps.

About Azure ExpressRoute Direct | Microsoft Learn

Plan and implement security for virtual networks - Training | Microsoft Learn

2
Q

You are operating in a cloud-only environment. Users have computers that run either Windows 10 or 11. The users are located across the globe. You need to secure access to a point-to-site (P2S) VPN by using multi-factor authentication (MFA).

Which authentication method should you implement?

A) Authenticate by using Active Directory Domain Services (AD DS).
B) Authenticate by using native Microsoft Entra authentication.
C) Authenticate by using native Azure certificate-based authentication.
D) Authenticate by using RADIUS.

A

B) Authenticate by using native Microsoft Entra authentication.

With Microsoft Entra authentication, you can configure a Conditional Access policy that grants access and requires MFA. During authentication, Azure VPN Gateway acts as a pass-through and forwards authentication messages back and forth between the authentication server and the connecting device. Azure certificate-based authentication does not include interactive authentication.

About Azure Point-to-Site VPN connections - Azure VPN Gateway | Microsoft Learn

Conditional access for VPN connectivity using Azure AD | Microsoft Learn

Deploy Azure AD identity protection - Training | Microsoft Learn

3
Q

You have an Azure subscription that contains the following resources:

  • A virtual machine named VM1 that has a network interface named NIC1
  • A virtual network named VNet1 that has a subnet named Subnet1
  • A public IP address named PubIP1
  • A load balancer named LB1

You create a network security group (NSG) named NSG1.

To which two resources can you associate NSG1? Each correct answer presents a complete solution.

A) LB1
B) NIC1
C) PubIP1
D) Subnet1
E) VM1
F) VNet1

A

B) NIC1
D) Subnet1

You can associate an NSG only to a virtual network subnet or a network interface. Each virtual network subnet and each network interface on a virtual machine can have zero or one NSG associated. The same NSG can be associated to as many subnets and network interfaces as you choose.

Network security group - how it works | Microsoft Learn

Plan and implement security for virtual networks - Training | Microsoft Learn

4
Q

You have an Azure subscription that contains the following resources:
* Storage accounts
* Virtual machines
* Azure Firewall
* Azure Key Vault
* Azure SQL databases

Which three resources support service endpoints? Each correct answer presents a complete solution.

A) Azure Firewall
B) Azure Key Vault
C) Azure SQL databases
D) storage accounts
E) virtual machines

A

B) Azure Key Vault
C) Azure SQL databases
D) storage accounts

You can configure service endpoints for Azure Storage, Key Vault, and Azure SQL Database. You cannot configure service endpoints for virtual machines and Azure Firewall.

Azure virtual network service endpoints | Microsoft Learn

Plan and implement security for virtual networks - Training | Microsoft Learn

5
Q

You have an Azure subscription that contains two Azure Key Vault resources.

You need to ensure that all the secrets in any key vault in the subscription meet the following requirements:

  • Secrets can be active for up to 365 days.
  • Secrets must have an expiration date set.
  • Secrets must have a content type set.
  • The solution must minimize administrative effort.

A) Create custom policies for Key Vault secrets and link an initiative to the Key Vault resources.
B) Create custom policies for Key Vault secrets and link an initiative to the subscription.
C) Use built-in policies and link an initiative to the Key Vault resources.
D) Use built-in policies and link an initiative to the subscription.

A

D) Use built-in policies and link an initiative to the subscription.

Using built-in policies and linking an initiative to the subscription applies the policies to all the Key Vault resources in the subscription. You do not need to use custom policies, and linking the initiative to individual resources will not affect new key vaults.

Integrate Azure Key Vault with Azure Policy | Microsoft Learn

Deploy and secure Azure Key Vault - Training | Microsoft Learn

6
Q

You are evaluating the Azure Policy configurations to identify any required custom initiatives and policies. You need to run workloads in Azure that are compliant with the following regulations:

  • FedRAMP High
  • PCI DSS 3.2.1
  • GDPR
  • ISO 27001:2013

For which regulation should you create custom initiatives?

A) FedRAMP High
B) GDPR
C) ISO 27001:2013
D) PCI DSS 3.2.1

A

B) GDPR

To run workloads that are compliant with GDPR, custom initiatives must be created, because GDPR compliance initiatives are not yet available in Azure. Azure has existing initiatives for ISO, PCI DSS 3.2.1, and FedRAMP High.

Regulatory Compliance details for Australian Government ISM PROTECTED - Azure Policy | Microsoft Learn

Design an enterprise governance strategy - Training | Microsoft Learn

7
Q

You have an Azure subscription that contains a user named Admin1. You need to ensure that Admin1 can create and assign custom security initiatives in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which role should you assign to Admin1?

A) Global Administrator
B) Owner (Subscription)
C) Security Admin
D) Security Assessment Contributor

A

B) Owner (Subscription)

The Subscription Owner role is the only role that has permissions to create and assign custom security initiatives in Defender for Cloud.

Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn

Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn

8
Q

You set Periodic recurring scans to ON while implementing a Microsoft Defender for SQL vulnerability assessment. How often will the scan be triggered?

A) at a recurrence that you configure
B) once a day
C) once a month
D) once a week

A

D) once a week

Recurring scans are triggered once a week. This value is set by Microsoft and cannot be changed.

Microsoft Defender for SQL - Azure SQL Database | Microsoft Learn

Scan your Azure SQL databases for vulnerabilities using Microsoft Defender for Cloud | Microsoft Learn

Configure and manage SQL database security - Training | Microsoft Learn

9
Q

You have a resource group named RG1 that contains 10 virtual machines. You need to raise an alert any time the average CPU time for RG1 exceeds 80 percent. How should you configure the alert?

A) Create an alert rule for each virtual machine and set the number of violations to 10.
B) Create an alert rule for each virtual machine and split by dimension on the VM name.
C) Create an individual alert rule and split by dimension on the resource group name.
D) Create an individual alert rule for CPU time and set the number of violations to 10.

A

C) Create an individual alert rule and split by dimension on the resource group name.

Creating an individual alert rule and splitting by dimension on the resource group name will use the alert for the entire resource group instead of individual virtual machines. Setting the number of violations to 10, creating an alert rule for each virtual machine, and splitting by dimension on the virtual machine name will not fire the alert at the appropriate time.

Create Azure Monitor alert rules - Azure Monitor | Microsoft Learn

Configure and manage Azure Monitor - Training | Microsoft Learn

10
Q

You have a data connector for Microsoft Sentinel. You need to configure the connector to collect logs from Conditional Access in Microsoft Entra. Which log should you connect to Microsoft Sentinel?

A) activity logs
B) audit logs
C) provisioning logs
D) sign-in logs

A

D) sign-in logs

Sign-in logs include information about sign-ins and how resources are used by your users. Audit logs include information about changes applied to your tenant, such as user and group management or updates applied to your tenant’s resources. Activity logs include subscription-level events, not tenant-level activity. Provisioning logs include activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.

Connect Azure Active Directory data to Microsoft Sentinel | Microsoft Learn

Sign-in logs (preview) in Azure Active Directory - Microsoft Entra | Microsoft Learn

Azure activity log - Azure Monitor | Microsoft Learn

Configure and monitor Microsoft Sentinel - Training | Microsoft Learn

11
Q

You are configuring retention for Azure activity logs in Azure Monitor logs. The retention period for the Azure Monitor logs is set to 30 days. You need to meet the following compliance requirements:

  • Store the Azure activity logs for 90 days.
  • Encrypt the logs by using your own encryption keys.
  • Use the most cost-efficient storage solution for the logs.

What should you do?

A) Configure a workspace retention policy.
B) Configure diagnostic settings and send the logs to Azure Event Hubs Standard.
C) Configure diagnostic settings and send the logs to Azure Storage.
D) Leave the default settings as they are.

A

C) Configure diagnostic settings and send the logs to Azure Storage.

Configuring diagnostic settings and sending the logs to Azure Storage meets both the retention and encryption requirements. Activity log data is kept for 90 days by default, but those logs are stored by using Microsoft-managed keys. Configuring a workspace retention policy is not the most cost-efficient solution for this. Event Hubs is a real-time event stream engine and is not designed to be used instead of a database or as a permanent store for indefinitely held event streams.

Azure activity log - Azure Monitor | Microsoft Learn

Configure data retention and archive in Azure Monitor Logs - Azure Monitor | Microsoft Learn

Configure and manage Azure Monitor - Training | Microsoft Learn

12
Q

You need to implement a key management solution that supports importing keys generated in an on-premises environment. The solution must ensure that the keys stay within a single Azure region.

What should you do?

A) Apply the Keys should be the specified cryptographic type RSA or EC Azure policy.
B) Disable the Allow trusted services option.
C) Implement Azure Key Vault Firewall.
D) Implement Azure Key Vault Managed HSM.

A

D) Implement Azure Key Vault Managed HSM.

Key Vault Managed HSM supports importing keys generated in an on-premises HSM. Also, Managed HSM does not store or process customer data outside the Azure region in which the customer deploys the HSM instance. Implementing Key Vault Firewall does not change how on-premises-generated keys are imported or managed. Enforcing HSM-backed keys does not require them to be imported. Disabling the Allow trusted services option does not have a direct impact on key importing.

How to generate and transfer HSM-protected keys for Azure Key Vault Managed HSM - Azure Key Vault | Microsoft Learn

Azure Managed HSM Overview - Azure Managed HSM | Microsoft Learn

Deploy and secure Azure Key Vault - Training | Microsoft Learn

13
Q

You have an Azure key vault that is configured with Azure role-based access control permission model. You need to ensure that a user can read and write keys to the Key Vault. The solution must follow the principle of least privilege.

Which role should you assign to the user?

A) Key Vault Certificates Officer
B) Key Vault Crypto Officer
C) Key Vault Crypto Service Encryption User
D) Key Vault Secrets Officer

A

B) Key Vault Crypto Officer

Key Vault Crypto Officer has all the permissions to the secrets in Key Vault. Key Vault Certificates Officer has all the permissions to certificates only, not keys. Key Vault Crypto Service Encryption User can only read keys. Key Vault Secrets Officer has all the permissions to secrets only.

Migrate to Azure role-based access control | Microsoft Learn

Deploy and secure Azure Key Vault - Training | Microsoft Learn

14
Q

You need to grant an application access to read connection strings stored in Azure Key Vault. The solution must follow the principle of least privilege.

Which role assignment should you use?

A) Key Vault Crypto Officer
B) Key Vault Reader
C) Key Vault Secrets Officer
D) Key Vault Secrets User

A

D) Key Vault Secrets User

Key Vault Secrets User allows read access to secret content. Key Vault Crypto Officer allows the user to perform actions on encryption keys, not secrets. Key Vault Reader allows the user to read the metadata of key vaults and their certificates, keys, and secrets, but not to read sensitive values, such as secret contents or key material. Key Vault Secrets Officer grants write access as well and therefore does not follow the principle of least privilege.

Grant permission to applications to access an Azure key vault using Azure RBAC | Microsoft Learn

Deploy and secure Azure Key Vault – Training | Microsoft Learn

15
Q

You are implementing an Azure Kubernetes Service (AKS) cluster for a production workload. You need to ensure that the cluster meets the following requirements:
* Provides the highest networking performance possible
* Manages ingress traffic by using Kubernetes tools

What should you use?

A) CNI networking with Azure load balancers
B) CNI networking with ingress resources and controllers
C) Kubenet networking with Azure load balancers
D) Kubenet networking with ingress resources and controllers

A

B) CNI networking with ingress resources and controllers

CNI networking provides the best performance because it does not require IP forwarding and user-defined routes (UDRs), and ingress controllers can be managed from within Kubernetes. Kubenet networking requires defined routes and IP forwarding, making the network slower. Azure load balancers cannot be managed by using Kubernetes tools.

Best practices for network resources - Azure Kubernetes Service | Microsoft Learn

Plan and implement advanced security for compute - Training | Microsoft Learn

16
Q

You have an Azure subscription that contains an Azure container registry named ACR1 and a user named User1. You need to ensure that User1 can administer images in ACR1. The solution must follow the principle of least privilege.

Which two roles should you assign to User1? Each correct answer presents part of the solution.

A) AcrDelete
B) AcrImageSigner
C) AcrPull
D) AcrPush
E) Contributor
F) Reader

A

A) AcrDelete
D) AcrPush

To administer images in ACR1, a user must be able to push and pull images to ACR1 and delete images from ACR1. The AcrPush and AcrDelete roles are required to push, pull, and delete images in ACR1. AcrPull only allows the Push image permission, not pull. Contributor can also perform these operations; however, it also has many additional permissions, so it does not follow the principle of least privilege. Reader and AcrImageSigner do not have adequate permissions.

Registry roles and permissions - Azure Container Registry | Microsoft Learn

Plan and implement advanced security for compute - Training | Microsoft Learn

17
Q

Your company has an Azure subscription and an Amazon Web Services (AWS) account. You plan to deploy Kubernetes to AWS. You need to ensure that you can use Azure Monitor Container insights to monitor container workload performance.

What should you deploy first?

A) AKS Engine
B) Azure Arc-enabled Kubernetes
C) Azure Container Instances
D) Azure Kubernetes Service (AKS)
E) Azure Stack HCI

A

B) Azure Arc-enabled Kubernetes

Azure Arc-enabled Kubernetes is the only configuration that includes Kubernetes and can be deployed to AWS.

Overview of Container insights in Azure Monitor - Azure Monitor | Microsoft Learn

Configure and manage Azure Monitor - Training | Microsoft Learn

18
Q

You have an application that runs on-premises on a Linux virtual machine. The application uses a connection string to connect to an Azure storage account. You need to test the application by using data from the storage account. The solution must ensure that the application can only access the storage account during a five-day test period.

Which authentication method should you use to access the storage account?

A) a SAS
B) a storage account access key
C) Microsoft Entra
D) on-premises Active Directory Domain Services (AD DS)

A

A) a SAS

You can specify a policy with an expiration time by using a SAS. A shared key, Microsoft Entra, and on-premises AD DS do not allow you to specify a time period.

Choose how to authorize access to blob data in the Azure portal - Azure Storage | Microsoft Learn

Plan and implement security for storage - Training | Microsoft Learn

19
Q

You have an Azure SQL Database server. You enable Microsoft Entra authentication for Azure SQL. You need to prevent other authentication methods from being used.

Which command should you run?

A) az sql mi ad-admin create
B) az sql mi ad-only-auth enable
C) az sql server ad-admin create
D) az sql server ad-only-auth enable

A

D) az sql server ad-only-auth enable

az sql server ad-only-auth enable enables authentication only through Microsoft Entra. az sql server ad-admin create and az sql mi ad-admin create do not stop other authentication methods. az sql mi ad-only-auth enable enables Microsoft Entra-only authentication for Azure SQL Managed Instance, not Microsoft SQL Server.

Azure Active Directory-only authentication - Azure SQL Database & Azure SQL Managed Instance | Microsoft Learn

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance - Training | Microsoft Learn

20
Q

You have an Azure SQL Database server named Server1 that contains a database named DB1. You create an auditing policy for DB1.

After a few weeks, you create five more databases in Server1. You then create a new auditing policy for Server1. You notice that auditing entries for DB1 are duplicated. You need to ensure that auditing entries for all existing and future databases are not duplicated.

What should you do?

A) Configure the policy used in DB1 with the same settings as the policy on Server1.
B) Configure the policy used on Server1 with the same settings as the policy in DB1.
C) Create a policy for each of the five new databases.
D) Disable auditing for DB1.

A

D) Disable auditing for DB1.

Disabling auditing for DB1 will stop duplication. Creating a policy for each of the five new databases or configuring the policy used on Server1 with the same settings as the policy in DB1 will duplicate entries for all databases. Configuring the policy used in DB1 with the same settings as the policy on Server1 will still duplicate entries.

Azure SQL Auditing for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database | Microsoft Learn

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance - Training | Microsoft Learn

21
Q

You have an application that runs on-premises and stores data in an Azure SQL database.

You need to ensure that certain columns stored in the database can only be decrypted by the application and cannot be accessed by users managing Azure SQL.

What should you enable for the database?

A) Always Encrypted
B) dynamic data masking
C) symmetric key encryption
D) Transparent Data Encryption (TDE)

A

A) Always Encrypted

Enabling Always Encrypted stores the data encrypted, and only the client driver can decrypt it. TDE still allows users managing the database to see data. Dynamic data masking does not encrypt anything; it only masks data and still allows users to unmask it at the database level if they have UNMASK permissions. Symmetric key encryption uses keys stored in a SQL database, not in the client application.

Always Encrypted - SQL Server | Microsoft Learn

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance - Training | Microsoft Learn

21
Q

You have an Azure SQL database that contains sensitive information.

You need to ensure that when sensitive information is queried by operators, the data is not fully displayed.

What should you enable for the database?

A) Always Encrypted
B) dynamic data masking
C) symmetric key encryption
D) Transparent Data Encryption (TDE)

A

B) dynamic data masking

Dynamic data masking masks the data from users. TDE still allows users managing the database to see data. Always Encrypted stores the data encrypted, and only the client driver can decrypt it. Symmetric key encryption uses keys stored in a SQL database, not in the client application.

Azure portal: Dynamic data masking - Azure SQL Database | Microsoft Learn

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance - Training | Microsoft Learn

22
Q

You need to provide public anonymous access to a file in an Azure Storage account. The solution must follow the principle of least privilege.

Which two actions should you perform? Each correct answer presents part of the solution.

Select all answers that apply.

A) For the container, set Public access level to Blob.

B) For the container, set Public access level to Container.

C) For the storage account, set Blob public access to Disabled.

D) For the storage account, set Blob public access to Enabled.

A

A) For the container, set Public access level to Blob.
D) For the storage account, set Blob public access to Enabled.

Unless prevented by another setting, setting Public access level to Blob allows public access to the blob only. Setting Blob public access to Enabled is a prerequisite for setting the access level of a container or blob. Setting Blob public access to Disabled prevents any public access, and setting Public access level to Container also allows access to any current and future blobs in the container, which does not follow the principle of least privilege.

Configure anonymous public read access for containers and blobs - Azure Storage | Microsoft Learn

Plan and implement security for storage - Training | Microsoft Learn

22
Q

You need to configure passwordless authentication. The solution must follow the principle of least privilege.

Which role should you assign to complete the task?

Select only one answer.

A) Authentication Administrator
B) Authentication Policy Administrator
C) Global Administrator
D) Security Administrator

A

C) Global Administrator

Configuring authentication methods requires Global Administrator privileges. Security administrators have permissions to manage other security-related features. Authentication policy administrators can configure the authentication methods policy, tenant-wide multi-factor authentication (MFA) settings, and password protection policy. Authentication administrators can set or reset any authentication methods, including passwords, for non-administrators and some roles.

Create an access review of Azure resource and Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn

Least privileged roles by task - Azure Active Directory - Microsoft Entra | Microsoft Learn

Investigate roles in Azure AD - Training | Microsoft Learn

23
Q

You have a workload in Azure that uses multiple virtual machines and Azure functions to access data in a storage account. You need to ensure that all access to the storage account is done by using a single identity. The solution must reduce the overhead of managing the identity.

Which type of identity should you use?

A) system-assigned managed identity
B) user-assigned managed identity

A

B) user-assigned managed identity

A user-assigned managed identity can be shared across Azure resources, and its credential rotation is handled by Azure. A user account requires manual password changes. You cannot use a group as a service principal. Multiple Azure resources cannot share a system-assigned managed identity.

Managed identities for Azure resources - Microsoft Entra | Microsoft Learn

Enable managed identities - Training | Microsoft Learn

Additional Notes
There are two types of managed identities:

System-assigned. Some Azure resources, such as virtual machines, allow you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity:

A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.
By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID.
You authorize the managed identity to have access to one or more services.
The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is <app-name>/slots/<slot-name>.
User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure resources. When you enable a user-assigned managed identity:

A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it.
User-assigned identities can be used by multiple resources.
You authorize the managed identity to have access to one or more services.