AZ-500 MS Learning Path Practice Test Questions - 1 Flashcards
You plan to provide connectivity between Azure and your company’s datacenter. You need to define how to establish the connection. The solution must meet the following requirements:
- All traffic between the datacenter and Azure must be encrypted.
- Bandwidth must be between 10 and 100 Gbps.
What should you use for the connection?
A. Azure VPN Gateway
B. ExpressRoute Direct
C. ExpressRoute with a provider
D. VPN Gateway with Azure Virtual WAN
B. ExpressRoute Direct
ExpressRoute Direct can have up to 100 Gbps and use MACsec for Layer 2 encryption. ExpressRoute with a provider does not allow for MACsec encryption and can only use up to 10 Gbps. VPN Gateway and VPN Gateway with Virtual WAN cannot support a bandwidth over 1 Gbps.
About Azure ExpressRoute Direct | Microsoft Learn
Plan and implement security for virtual networks - Training | Microsoft Learn
You are operating in a cloud-only environment. Users have computers that run either Windows 10 or 11. The users are located across the globe. You need to secure access to a point-to-site (P2S) VPN by using multi-factor authentication (MFA).
Which authentication method should you implement?
A. Authenticate by using Active Directory Domain Services (AD DS).
B. Authenticate by using native Microsoft Entra authentication.
C. Authenticate by using native Azure certificate-based authentication.
D. Authenticate by using RADIUS.
B. Authenticate by using native Microsoft Entra authentication.
With Microsoft Entra authentication, you can configure a Conditional Access policy that grants access and requires MFA. During authentication, Azure VPN Gateway acts as a pass-through and forwards authentication messages back and forth between the authentication server and the connecting device. Azure certificate-based authentication does not include interactive authentication.
About Azure Point-to-Site VPN connections - Azure VPN Gateway | Microsoft Learn
Conditional access for VPN connectivity using Azure AD | Microsoft Learn
Deploy Azure AD identity protection - Training | Microsoft Learn
You have an Azure subscription that contains the following resources:
- A virtual machine named VM1 that has a network interface named NIC1
- A virtual network named VNet1 that has a subnet named Subnet1
- A public IP address named PubIP1
- A load balancer named LB1
You create a network security group (NSG) named NSG1.
To which two resources can you associate NSG1? Each correct answer presents a complete solution.
A) LB1
B) NIC1
C) PubIP1
D) Subnet1
E) VM1
F) VNet1
B) NIC1
D) Subnet1
You can associate an NSG to a virtual network subnet and network interface only. You can associate zero or one NSGs to each virtual network subnet and network interface on a virtual machine. The same NSG can be associated to as many subnets and network interfaces as you choose.
Network security group - how it works | Microsoft Learn
Plan and implement security for virtual networks - Training | Microsoft Learn
You have an Azure subscription that contains the following resources:
* Storage accounts
* Virtual machines
* Azure Firewall
* Azure Key Vault
* Azure SQL databases
Which three resources support service endpoints? Each correct answer presents a complete solution.
A) Azure Firewall
B) Azure Key Vault
C) Azure SQL databases
D) storage accounts
E) virtual machines
B) Azure Key Vault
C) Azure SQL databases
D) storage accounts
You can configure service endpoints for Azure Storage, Key Vault, and Azure SQL Database. You cannot configure service endpoints for virtual machines and Azure Firewall.
Azure virtual network service endpoints | Microsoft Learn
Plan and implement security for virtual networks - Training | Microsoft Learn
You have an Azure subscription that contains two Azure Key Vault resources.
You need to ensure that all the secrets in any key vault in the subscription meet the following requirements:
- Secrets can be active for up to 365 days.
- Secrets must have an expiration date set.
- Secrets must have a content type set.
- The solution must minimize administrative effort.
A) Create custom policies for Key Vault secrets and link an initiative to the Key Vault resources.
B) Create custom policies for Key Vault secrets and link an initiative to the subscription.
C) Use built-in policies and link an initiative to the Key Vault resources.
D) Use built-in policies and link an initiative to the subscription.
D) Use built-in policies and link an initiative to the subscription.
Using built-in policies and linking an initiative to the subscription will apply to all the Key Vault resources in the subscription. You do not need to use custom policies, and linking to the resources will not affect new key vaults.
Integrate Azure Key Vault with Azure Policy | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
You are evaluating the Azure Policy configurations to identify any required custom initiatives and policies. You need to run workloads in Azure that are compliant with the following regulations:
- FedRAMP High
- PCI DSS 3.2.1
- GDPR
- ISO 27001:2013
For which regulation should you create custom initiatives?
A) FedRAMP High
B) GDPR
C) ISO 27001:2013
D) PCI DSS 3.2.1
B) GDPR
To run workloads that are compliant with GDPR, custom initiatives need to be created. GDPR compliance initiatives are not yet available in Azure. Azure has existing initiatives for ISO, PCI DSS 3.2.1, and FedRAMP High.
Regulatory Compliance details for Australian Government ISM PROTECTED - Azure Policy | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
You have an Azure subscription that contains a user named Admin1. You need to ensure that Admin1 can create and assign custom security initiatives in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.
Which role should you assign to Admin1?
A) Global Administrator
B) Owner (Subscription)
C) Security Admin
D) Security Assessment Contributor
B) Owner (Subscription)
The Subscription Owner role is the only role that has permissions to create and assign custom security initiatives in Defender for Cloud.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
You set Periodic recurring scans to ON while implementing a Microsoft Defender for SQL vulnerability assessment. How often will the scan be triggered?
A) at a recurrence that you configure
B) once a day
C) once a month
D) once a week
D) once a week
Recurring scans will be triggered once a week. This value cannot be changed and is set by Microsoft.
Microsoft Defender for SQL - Azure SQL Database | Microsoft Learn
Scan your Azure SQL databases for vulnerabilities using Microsoft Defender for Cloud | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
You have a resource group named RG1 that contains 10 virtual machines. You need to raise an alert any time the average CPU time for RG1 exceeds 80 percent. How should you configure the alert?
A) Create an alert rule for each virtual machine and set the number of violations to 10.
B) Create an alert rule for each virtual machine and split by dimension on the VM name.
C) Create an individual alert rule and split by dimension on the resource group name.
D) Create an individual alert rule for CPU time and set the number of violations to 10.
C) Create an individual alert rule and split by dimension on the resource group name.
Creating an individual alert rule and splitting by dimension on the resource group name will use the alert for the entire resource group instead of individual virtual machines. Setting the number of violations to 10, creating an alert rule for each virtual machine, and splitting by dimension on the virtual machine name will not fire the alert at the appropriate time.
Create Azure Monitor alert rules - Azure Monitor | Microsoft Learn
Configure and manage Azure Monitor - Training | Microsoft Learn
You have a data connector for Microsoft Sentinel. You need to configure the connector to collect logs from Conditional Access in Microsoft Entra. Which log should you connect to Microsoft Sentinel?
A) activity logs
B) audit logs
C) provisioning logs
D) sign-in logs
D) sign-in logs
Sign-in logs include information about sign-ins and how resources are used by your users. Audit logs include information about changes applied to your tenant, such as user and group management or updates applied to your tenant’s resources. Activity logs include subscription-level events, not tenant-level activity. Provisioning logs include activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
Connect Azure Active Directory data to Microsoft Sentinel | Microsoft Learn
Sign-in logs (preview) in Azure Active Directory - Microsoft Entra | Microsoft Learn
Azure activity log - Azure Monitor | Microsoft Learn
Configure and monitor Microsoft Sentinel - Training | Microsoft Learn
You are configuring retention for Azure activity logs in Azure Monitor logs. The retention period for the Azure Monitor logs is set to 30 days. You need to meet the following compliance requirements:
- Store the Azure activity logs for 90 days.
- Encrypt the logs by using your own encryption keys.
- Use the most cost-efficient storage solution for the logs.
What should you do?
A) Configure a workspace retention policy.
B) Configure diagnostic settings and send the logs to Azure Event Hubs Standard.
C) Configure diagnostic settings and send the logs to Azure Storage.
D) Leave the default settings as they are.
C) Configure diagnostic settings and send the logs to Azure Storage.
Configuring diagnostic settings and sending the logs to Azure Storage meets both the retention time and encryption requirements. The activity log data type is kept for 90 days by default, but the logs are stored by using Microsoft-managed keys. Configuring a workspace retention policy is not the most cost-efficient solution for this. Event Hubs is a real-time event stream engine and is not designed to be used instead of a database or as a permanent store for indefinitely held event streams.
Azure activity log - Azure Monitor | Microsoft Learn
Configure data retention and archive in Azure Monitor Logs - Azure Monitor | Microsoft Learn
Configure and manage Azure Monitor - Training | Microsoft Learn
You need to implement a key management solution that supports importing keys generated in an on-premises environment. The solution must ensure that the keys stay within a single Azure region.
What should you do?
A) Apply the Keys should be the specified cryptographic type RSA or EC Azure policy.
B) Disable the Allow trusted services option.
C) Implement Azure Key Vault Firewall.
D) Implement Azure Key Vault Managed HSM.
D) Implement Azure Key Vault Managed HSM.
Key Vault Managed HSM supports importing keys generated in an on-premises HSM. Also, Managed HSM does not store or process customer data outside the Azure region in which the customer deploys the HSM instance. Keys generated on-premises are still managed in the same way after implementing Key Vault Firewall. Enforcing HSM-backed keys does not require them to be imported. Disabling the Allow trusted services option does not have a direct impact on key importing.
How to generate and transfer HSM-protected keys for Azure Key Vault Managed HSM - Azure Key Vault | Microsoft Learn
Azure Managed HSM Overview - Azure Managed HSM | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
You have an Azure key vault that is configured with the Azure role-based access control permission model. You need to ensure that a user can read and write keys to the key vault. The solution must follow the principle of least privilege.
Which role should you assign to the user?
A) Key Vault Certificates Officer
B) Key Vault Crypto Officer
C) Key Vault Crypto Service Encryption User
D) Key Vault Secrets Officer
B) Key Vault Crypto Officer
Key Vault Crypto Officer has all the permissions to the secrets in Key Vault. Key Vault Certificates Officer has all the permissions to certificates only, not keys. Key Vault Crypto Service Encryption User can only read keys. Key Vault Secrets Officer has all the permissions to secrets only.
Migrate to Azure role-based access control | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
You need to grant an application access to read connection strings stored in Azure Key Vault. The solution must follow the principle of least privilege.
Which role assignment should you use?
A) Key Vault Crypto Officer
B) Key Vault Reader
C) Key Vault Secrets Officer
D) Key Vault Secrets User
D) Key Vault Secrets User
Key Vault Secrets User allows read access to secret content. Key Vault Crypto Officer allows the user to perform actions on encryption keys, not secrets. Key Vault Reader allows the user to read the metadata of key vaults and its certificates, keys, and secrets, but not to read sensitive values, such as secret contents or key material. Key Vault Secrets Officer does not follow the principle of least privilege.
Grant permission to applications to access an Azure key vault using Azure RBAC | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
You are implementing an Azure Kubernetes Service (AKS) cluster for a production workload. You need to ensure that the cluster meets the following requirements:
* Provides the highest networking performance possible
* Manages ingress traffic by using Kubernetes tools
What should you use?
A) CNI networking with Azure load balancers
B) CNI networking with ingress resources and controllers
C) Kubenet networking with Azure load balancers
D) Kubenet networking with ingress resources and controllers
B) CNI networking with ingress resources and controllers
CNI networking provides the best performance since it does not require IP forwarding and UDRs, and ingress controllers can be managed from within Kubernetes. Kubenet networking requires defined routes and IP forwarding, making the network slower. Azure load balancers cannot be managed by using Kubernetes tools.
Best practices for network resources - Azure Kubernetes Service | Microsoft Learn
Plan and implement advanced security for compute - Training | Microsoft Learn