AZ500 Flashcards

1
Q

You have a workload in Azure that uses a virtual machine named VM1. VM1 is in a resource group named RG1.

You need to create and assign an identity to VM1 that will be used to access Azure resources. Other virtual machines must be able to use the same identity.

Which PowerShell script should you run?

A

New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID
$vm = Get-AzVM -ResourceGroupName RG1 -Name VM1
Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VMID"

2
Q

You have an Azure subscription that is used for training purposes.
You need to allow external users to create resources in the subscription.
Which two identity providers can be used to access the subscription? Each correct answer presents a complete solution.

A

Facebook

Google

3
Q

You manage external guest users in a Microsoft Entra tenant. The tenant uses the default settings.
Which capability is available to the guest users?

A

Invite other guests.

4
Q

You need to delegate the ability to configure sign-in risk policies. The solution must follow the principle of least privilege.

Which role should you assign?

A

Security Administrator

5
Q

You manage a Microsoft Entra tenant for a retail company.

You need to ensure that employees using shared Android tablets can use passwordless authentication when accessing the Azure portal.

Which authentication method should you use?

A

the Microsoft Authenticator app

6
Q

You need to configure passwordless authentication. The solution must follow the principle of least privilege.

Which role should you assign to complete the task?

A

Global Administrator

7
Q

You have a Microsoft Entra tenant.
You need to recommend a passwordless authentication method. The solution must support near-field communication (NFC) devices.
Which two authentication methods should you recommend? Each correct answer presents a complete solution.

A

FIDO2 security keys

Windows Hello for Business

8
Q

You have an Azure subscription.
You plan to deploy Microsoft Entra Verified ID.
You need to identify which administrative roles are required for the solution. The solution must follow the principle of least privilege.
Which three roles should you identify? Each correct answer presents part of the solution.

A

Application Administrator
Authentication Policy Administrator
Contributor

9
Q

You have a Microsoft Entra tenant.

You need to recommend a passwordless authentication solution.

Which three authentication methods should you include in the recommendation? Each correct answer presents a complete solution.

A

FIDO2 security keys
the Microsoft Authenticator app
Windows Hello for Business

10
Q

You need to provide an administrator with the ability to configure access reviews in Microsoft Entra Privileged Identity Management (PIM). The solution must follow the principle of least privilege.
Which role should you assign to the administrator?

A

Privileged Role Administrator

11
Q

You create a web API and register the API as a Microsoft Entra application.
You need to expose a function in the API to ensure that administrators must provide consent to apps that use the API.
What should you add to your app registration?

A

a scope

12
Q

You are managing permission consent for a Microsoft Entra app registration.
Which component displays the publisher domain?

A

publisher name and verification

13
Q

You are creating a Microsoft Entra app registration. You are configuring credentials for the app registration and have the following requirements:

Ensure that the credentials are not transmitted during authentication.
Ensure that the credentials are stored securely.
Ensure that credential usage follows the principle of least privilege.
What should you do?

A

Use certificate credentials.

14
Q

You have a Microsoft Entra tenant that uses the default settings.
You need to prevent users from a domain named contoso.com from being invited to the tenant.
What should you do?

A

Edit the Collaboration restrictions settings.

15
Q

You need to provide an administrator with the ability to manage custom RBAC roles. The solution must follow the principle of least privilege.
Which role should you assign to the administrator?

A

User Access Administrator

16
Q

You have the following security policy deployed to an Azure subscription.

{
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Storage/storageAccounts"
                },
                {
                    "field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
                    "equals": "true"
                }
            ]
        },
        "then": {
            "effect": "Deny"
        }
    }
}

You successfully deploy a new storage account.
Which statement is true?

A

Usage of Microsoft Entra authentication is enforced.

17
Q

You are configuring an Azure Policy in your environment.
You need to ensure that any resources that are missing a tag named CostCenter inherit a value from a resource group.
You create a custom policy that uses the following snippet.

{
    "policyRule": {
        "if": {
            "field": "tags['CostCenter']",
            "exists": "false"
        },
        "then": {
            "effect": "modify",
            "details": {
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                ],
                "operations": [
                    {
                        "operation": "addOrReplace",
                        "field": "tags['CostCenter']",
                        "value": "[resourceGroup().tags['CostCenter']]"
                    }
                ]
            }
        }
    }
}

Which policy mode should you use?

18
Q

You have an Azure subscription that contains a user named Admin1.

You need to ensure that Admin1 can access the Regulatory compliance dashboard in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which two roles should you assign to Admin1? Each correct answer presents part of the solution.

A

Resource Policy Contributor
Security Admin

19
Q

You have an Azure subscription that contains a user named Admin1.

You need to ensure that Admin1 can create and assign custom security initiatives in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which role should you assign to Admin1?

A

Owner (Subscription)

20
Q

You have an Azure subscription.

You need to recommend a solution that uses Microsoft's crawling technology to discover and actively scan assets within an online infrastructure. The solution must also discover new connections over time.

What should you include in the recommendation?

A

Microsoft Defender External Attack Surface Management (EASM)

21
Q

You set Periodic recurring scans to ON while implementing a Microsoft Defender for SQL vulnerability assessment.

How often will the scan be triggered?

A

once a week

22
Q

You are implementing a Microsoft Defender for SQL vulnerability assessment.

Where are the scan results stored?

A

an Azure Storage account

23
Q

You have an Azure subscription and the following SQL deployments:

An Azure SQL database named DB1
An Azure SQL Server named sqlserver1
An instance of SQL Server on Azure Virtual Machines named VM1 that has Microsoft SQL Server 2022 installed
An on-premises server named Server1 that has SQL Server 2019 installed
Which deployments can be protected by using Microsoft Defender for Cloud?

A

DB1, sqlserver1, VM1, and Server1

24
Q

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to protect AKS1 by using Microsoft Defender for Cloud.
Which Defender plan should you use?

A

Microsoft Defender for Containers

25
Q

You have custom alert rules in Microsoft Sentinel. The rules exceed the query length limitations.
You need to resolve the issue.
Which function should you use for the rule?

A

user-defined functions

26
Q

You have a data connector for Microsoft Sentinel.
You need to configure the connector to collect logs from Conditional Access in Microsoft Entra.
Which log should you connect to Microsoft Sentinel?

A

sign-in logs

27
Q

You are designing an Azure solution that stores encrypted data in Azure Storage.
You need to ensure that the keys used to encrypt the data cannot be permanently deleted until 60 days after they are deleted. The solution must minimize costs.
What should you do?

A

Store keys in a software-protected key vault that has soft delete and purge protection enabled.

28
Q

You are configuring automatic key rotation for an encryption key stored in Azure Key Vault.
You need to implement an alert to be triggered five days before the keys are rotated.
What should you use?

A

Azure Event Grid

29
Q

You need to implement a key management solution that supports importing keys generated in an on-premises environment. The solution must ensure that the keys stay within a single Azure region.

What should you do?

A

Implement Azure Key Vault Managed HSM.

30
Q

You need to grant an application access to read connection strings stored in Azure Key Vault. The solution must follow the principle of least privilege.

Which role assignment should you use?

A

Key Vault Secrets User

31
Q

You have an Azure subscription that contains an Azure container registry named ACR1 and a user named User1.

You need to ensure that User1 can administer images in ACR1. The solution must follow the principle of least privilege.

Which two roles should you assign to User1? Each correct answer presents part of the solution.

A

AcrDelete

AcrPush

32
Q

Your company has an Azure subscription and an Amazon Web Services (AWS) account.
You plan to deploy Kubernetes to AWS.
You need to ensure that you can use Azure Monitor Container insights to monitor container workload performance.
What should you deploy first?

A

Azure Arc-enabled Kubernetes

33
Q

You have an Azure subscription that contains a virtual machine named VM1. VM1 is configured with just-in-time (JIT) VM access.
You need to request access to VM1.
Which PowerShell cmdlet should you run?

A

Start-AzJitNetworkAccessPolicy

34
Q

You have a storage account that contains multiple containers, blobs, queues, and tables.
You need to create a key to allow an application to access only data from a given table in the storage account.
Which authentication method should you use for the application?

A

service SAS

35
Q

You need to implement access control for Azure Files. The solution must provide the highest level of security.
What should you use?

A

Microsoft Entra

36
Q

You need to allow only Microsoft Entra-authenticated principals to access an existing Azure SQL database.
Which three actions should you perform? Each correct answer presents part of the solution.

A

Add a Microsoft Entra administrator.
Assign your account the SQL Security Manager built-in role.
Connect to the database by using the Azure portal.

37
Q

You have an Azure SQL Database server.
You enable Microsoft Entra authentication for Azure SQL.
You need to prevent other authentication methods from being used.
Which command should you run?

A

az sql server ad-only-auth enable

38
Q

You have an Azure SQL Database server named Server1 that contains a database named DB1.
You create an auditing policy for DB1.
After a few weeks, you create five more databases in Server1. You then create a new auditing policy for Server1.
You notice that auditing entries for DB1 are duplicated.
You need to ensure that auditing entries for all existing and future databases are not duplicated.
What should you do?

A

Disable auditing for DB1.

39
Q

You have an application that securely shares files hosted in Azure Blob storage to external users by using an account SAS.
One of the SAS tokens is compromised.
How should you stop the compromised SAS token from being used?

A

Regenerate the storage account access keys.