Cert Prep: Microsoft Azure Security Technologies (AZ-500) Flashcards

1
Q

You manage IT for an office of 300 employees, as well as 20-30 employees who work remotely. All employees are registered within the company’s Azure Active Directory tenant. The remote employees access Azure from external IP addresses outside of the office intranet.

You would like all employees, whether they work in the office or remotely, to be able to skip MFA when they log in on their assigned company devices.

Assuming your office would take all the necessary steps to configure the solution properly, in the end you want to set up all office employees who sign in through Azure Active Directory as federated users, and managed Trusted IP addresses for your remote employees’ specific IP addresses.

Would this approach allow all employees to skip the MFA when logging in on their assigned devices?
Select one answer

A. No, only office employees would be able to log in without completing MFA in this scenario.
B. No, neither office nor remote employees would be able to log in without completing MFA in this scenario.
C. Yes, all employees would be able to log in without completing MFA in this scenario.
D. Yes, but with conditions. Remote employees’ Trusted IP address would need to be updated frequently.

A

A. No, only office employees would be able to log in without completing MFA in this scenario.

Explanation:
The Trusted IP address feature only works when users sign in through an organization’s company intranet. Users that sign in via the internet cannot bypass MFA through the Trusted IP address feature.
Learn more: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

2
Q

You are a Privileged Role Administrator within Azure Privileged Identity Management (PIM). You need to expedite numerous role requests, and have just assigned an Azure Active Directory user a Designated Approver role.

You need the designated user to begin her newly assigned role as soon as possible.

How can this be accomplished?

A. Override the required justification for the role.
B. As a privileged role administrator, you can override a required approval.
C. Tell the user to invalidate their current token via the Application Access pane in PIM.
D. When approving the role, check the ‘Approve immediately’ box within the ‘Approve Requests’ pane in PIM.

A

C. Tell the user to invalidate their current token via the Application Access pane in PIM.

Explanation:
The “Application access” pane allows you to limit possible delays and use a role immediately after activation.
Learn more: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role#use-a-role-immediately-after-activation

3
Q

When comparing network security options, which of the following actions can Azure Firewall perform that a network security group cannot?

A. Allow or deny inbound and outbound traffic to or from specific IP addresses
B. Allow or deny inbound and outbound traffic to or from IP address ranges
C. Allow or deny inbound traffic to or from specific domain names
D. Control traffic in and out of an entire virtual network

A

C. Allow or deny inbound traffic to or from specific domain names

Explanation:
Network security groups, or NSGs for short, are an Azure firewall technology that implements stateful packet inspection with simple inbound and outbound rules to allow or deny connections based on a few properties. These include the source IP address and port, the destination IP address and port, and the protocol, whether TCP or UDP. The source and destination IPs can be either individual addresses or ranges of addresses. You can attach a network security group to a virtual network subnet or to a network interface card (NIC).

The advantage of using Azure Firewall is that it’s more feature-rich. For example, you can tell it to allow outbound traffic only to certain domain names. NSGs can’t do that. They only allow you to specify IP addresses, not entire domains. An Azure Firewall is centralized, so it works across virtual networks and even across subscriptions.
Learn more: /course/az-900-exam-prep-additional-topics/additional-topics/

4
Q

Which of the following security validation methods is available through the implementation of Application Insights?

A. custom telemetry tests
B. URL ping tests
C. playback of recorded web requests
D. custom attack surface reviews

A

A. custom telemetry tests

Explanation:
Within the Microsoft.ApplicationInsights namespace, you can use the TelemetryClient TrackAvailability method. These tests are created in the context of an Application Insights resource. An Application Insights resource can host up to 100 availability tests.
Learn more: /course/configuring-azure-application-and-data-security/implementing-security-validations-for-application-development/

5
Q

You want to connect the Azure VNets for three separate branch offices. You are designing a hub and spoke model network topology to do this. The central hub will serve as a firewall between the different locations during backend communication, and also a central location for disaster recovery backup storage.

Now you are considering whether to connect your hub-and-spoke model with VNet peering connections or Azure VPN Gateways. Each option has its own benefits.

Which statements comparing VNet peering and VPN Gateways in a hub-and-spoke model are correct? (Choose 3 answers)

A. If you implement the model with Azure VPN Gateways, all VNets can be cross-region.
If you implement the model with VNet peering connections, the VNets can be cross-region with Global VNet Peering.
B. Whether the connections are made with Azure VPN Gateways or VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.
C. If you implement the model with Azure VPN Gateways, all VNets can be in different regions.
If you implement the model with VNet peering connections, the VNets must be in the same region.
D. If you implement the model with Azure VPN Gateways, the VNets can be within different Azure subscriptions that are associated with the same Azure tenant.
If you implement the VNets with VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.

A

A. If you implement the model with Azure VPN Gateways, all VNets can be cross-region.
If you implement the model with VNet peering connections, the VNets can be cross-region with Global VNet Peering.
B. Whether the connections are made with Azure VPN Gateways or VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.

D. If you implement the model with Azure VPN Gateways, the VNets can be within different Azure subscriptions that are associated with the same Azure tenant.
If you implement the VNets with VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.

Explanation:
You could accomplish this network topology using VNet peering or Azure VPN Gateways, but each option has its requirements and limitations.

Connecting via VNet peering would require a router to be deployed in the central hub VNet, but this is not required for VNG connections.
VNet peering works both across separate tenants and subscriptions.
Hostname resolution is not possible for VMs connecting from different VNets through a peering connection. Azure DNS is required for these VMs to connect. However, name resolution is possible through a VNG connection.
VNets must be connected via Global VNet Peering.

Learn more: /course/azure-network-connectivity-name-resolution/virtual-network-peering/

6
Q

You have just launched an update for your multi-language translation mobile app, hosted on App Service. You receive multiple complaints that customer submissions of text translations are not being processed, and did not receive HTTP 4xx or 5xx error code responses. You want to know which App service components may have caused the issue.

What log type should you enable?

A. Failed Request Tracing
B. Web Server Logging
C. Detailed Error Messaging
D. Application Logging

A

A. Failed Request Tracing

Explanation:
Detailed information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. It’s useful if you want to improve site performance or isolate a specific HTTP error.
Learn more: https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs

7
Q

What role do you assign to the Authorized Managed Identity to secure your HDInsight installation?

A. HDInsight Cluster Administrator
B. HDInsight Domain Services Contributor
C. HDInsight AD-DS Admin
D. HDInsight Services Admin

A

B. HDInsight Domain Services Contributor

Explanation:
You can use a user-assigned managed identity to simplify and help secure domain services operations. When you assign the HDInsight Domain Services Contributor role to the managed identity, it can read, create, modify, and delete domain services operations.

Certain domain services operations, such as creating OUs and service principals, are needed for the HDInsight Enterprise Security Package. You can create managed identities in any subscription.
Learn more: https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds#create-and-authorize-a-managed-identity

8
Q

The CIS Microsoft Azure Foundations Benchmark provides two levels of recommended security implementation. Which two statements apply to Level 1 recommendations? (Choose two answers)

A. They should be implemented within all systems.
B. They should be implemented within highly secure environments only.
C. They will cause little to no service interruption.
D. They can reduce service functionality.

A

A. They should be implemented within all systems.
C. They will cause little to no service interruption.

Explanation:
There are two different implementation levels that CIS bases their recommendations on. There are also several different categories of recommendations that are made. The two levels are called Level 1 and Level 2. I know, very original.
Level 1 recommendations are the minimum recommended security settings that should be configured on ALL systems.

Level 1 recommendations typically cause little or no interruption of services, nor do they usually result in reduced functionality.
Level 2 recommendations are designed for highly secure environments. That being the case, they can sometimes result in reduced functionality of the systems they are implemented on.

Learn more: https://azure.microsoft.com/en-us/blog/cis-azure-security-foundations-benchmark-open-for-comment/

9
Q

A company currently has an on-premise setup which consists of Active Directory for their on-premise identity store. They want to extend their on-premise solution to Azure. They also want to implement single sign-on from their on-premise environment.

Which of the following can be used to achieve this?

A. Use a Windows 2019 server with Active Directory and IIS installed. Create a custom web application to carry out the single sign-on process.
B. Register with a third-party vendor to carry out the single sign-on process with Azure.
C. Use a Windows 2019 server with Active Directory Federation services installed. Ensure that a web proxy server is also set up. Make sure the Azure Active Directory Connect tool is also set up for synchronization between the on-premise Active Directory and Azure Active Directory.
D. Use a Windows 2019 server with Remote Administration tools installed. This will provide the ability to implement single sign-on with Azure.

A

C. Use a Windows 2019 server with Active Directory Federation services installed. Ensure that a web proxy server is also set up. Make sure the Azure Active Directory Connect tool is also set up for synchronization between the on-premise Active Directory and Azure Active Directory.

Explanation:
Active Directory Federation Services can provide single sign-on for users when the identity store is located on-premise. The Active Directory Federation Services role is available as an installable role on Windows Server, including version 2019. The Web Application Proxy role can also be installed on a separate server, to enable web applications to pre-authenticate access using Active Directory Federation Services (AD FS).
Learn more: https://msdn.microsoft.com/en-us/library/aa479079.aspx

10
Q

A company hosts a web-based .Net application in Azure. They require that whenever an abnormal activity occurs, such as high page request rate, a custom application is notified so that it can be handled accordingly. Which option below meets this requirement?

A. Create an alert in the Azure dashboard and configure the email alert. Ensure the custom application consumes the email alerts.
B. Create a custom PowerShell utility to check the application request rate and then alert the custom application accordingly.
C. Create an alert and use the Webhook functionality to send the notification to the custom application.
D. Create a custom utility that monitors and checks the application request rate and then sends the alert to the custom application.

A

C. Create an alert and use the Webhook functionality to send the notification to the custom application.

Explanation:
Webhooks allow one to route an Azure alert notification to other systems for post-processing or custom actions. A lot of custom systems support webhooks, hence this is the ideal implementation to alert third party systems to any irregularities generated by alerts in Azure.
Learn more: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-webhooks-alerts

11
Q

You are binding a certificate with IP SSL for your Azure App Service web app.

What additional step is required to successfully bind a certificate with IP SSL that is unnecessary for binding other types of SSL certificates with an App Service web app?

A. Re-map your A record to the new custom domain IP address
B. Enforce HTTPS
C. Ensure your app deployed on the basic level tier or higher
D. Provide the certificate password

A

A. Re-map your A record to the new custom domain IP address

Explanation:
Only one IP SSL binding may be added. This option allows only one SSL certificate to secure a dedicated public IP address. The other steps, enforcing HTTPS and providing the certificate password, are required for all SSL certificate types. The other potential answer is required for other SSL certificates - at least a basic level tier for your app service. For IP SSL, you actually are required to use either the production or isolated tier.
Learn more: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#remap-a-record-for-ip-ssl

12
Q

Which Azure-managed storage encryption feature encrypts data within an Azure Storage account, and decrypts it on read without requiring key management or additional configuration steps?

A. Shared Access Signatures
B. Shared Key Authentication
C. Client-side Encryption (CSE) for Data at rest
D. Service-Side Encryption for Data at Rest

A

D. Service-Side Encryption for Data at Rest

Explanation:
Server-side encryption is performed by the Azure Storage service, and is enabled by default for all managed disks. This type of encryption provides encryption at rest for your data. Server-side encryption is also enabled by default for snapshots and images in regions where managed disks are available.
Learn more: https://docs.microsoft.com/en-us/azure/storage/storage-service-encryption

13
Q

As your company’s IT security administrator, you need to assign credentials to project teams for application development and testing. Team A needs a new Cosmos DB database to support an application currently being developed. This team includes:

Dev/Test members who will need to create Cosmos DB containers and modify the Cosmos DB database settings to fine-tune them.
Project Administrators who will need to manage provisioning and governance of the Cosmos DB resources, to ensure they align with company policy. They will deploy the resources necessary, but will not have read or write access to these resources or their data once deployed.

As the IT security administrator, you will also need to ensure the correct type of application credentials are implemented to be in accordance with company policy. The application being tested will be deployed using Azure App Service web apps. These App Service web apps will connect with the database to upload, modify and read data to fulfill typical client requests. To align with company policy, the application credentials should be deleted whenever the associated dev resources are deleted.

To follow security best practices of least privilege and efficiency, how should you provide the necessary access credentials to your team members and Azure resources?

A. Create an Azure AD group for your Project Administrators assigned to this project, and assign the Cosmos DB Operator role to the Project Administrators group. Create an Azure AD group for the Dev/Test members assigned to this project and assign the Cosmos DB Account Contributor role to the Dev/Test group. Implement system-assigned managed identities for the applications hosted on Azure App Service web apps.

B. Create an Azure AD group for your Project Administrators and Dev/Test members, and assign the Cosmos DB Operator role to that group. In addition, provide your Dev/Test team with the Cosmos DB account’s primary read-write master key. Include the Cosmos DB account’s secondary read-write master key within the Azure App Service web app code.

C. Provide the Cosmos DB account’s primary read-only master key to the Project Administrators. Provide the Cosmos DB account’s primary read-write master key to the Dev/Test members. Implement user-assigned managed identities for the applications hosted on Azure App Service web apps.

D. Assign the Cosmos DB Operator role to each Project Administrator’s Azure AD user identity. Assign the Cosmos DB Account Contributor role to each Dev/Test member’s Azure AD user identity. Implement system-assigned managed identities for the applications hosted on Azure App Service web apps.

A

A. Create an Azure AD group for your Project Administrators assigned to this project, and assign the Cosmos DB Operator role to the Project Administrators group. Create an Azure AD group for the Dev/Test members assigned to this project and assign the Cosmos DB Account Contributor role to the Dev/Test group. Implement system-assigned managed identities for the applications hosted on Azure App Service web apps.

Explanation:
Cosmos DB master keys are essentially root access keys that should not be shared with other users or used in code. In this case, creating a group for the project administrators and one for the dev/test team members, and assigning each group the correct permissions, is the best and most efficient option.

System-assigned managed identities do not persist after the associated resources have been deleted, so they would be the best choice to follow policy in this case.
Learn more: https://docs.microsoft.com/en-us/azure/cosmos-db/database-security

14
Q

You recently implemented a new security and cost management policy. This implementation included the following tasks:

Azure AD records were synced with on-premises Active Directory records;
Resource owners implemented "Read Only" and "CanNotDelete" resource locks.
All resources have been tagged based according to their project, environment, and cost center.

Now you are running into the following problem:

Employees and Azure services with correctly configured read and write access permissions in Azure AD can no longer perform certain actions, such as listing relevant files in a storage container.

Based on the new security policy implementations, where would you check first?

A. Review the resource policies in Azure Portal.
B. Review the most recent updates in Azure Active Directory.
C. Review the resource tags in Azure Portal.
D. Review the resource locks in Azure Portal.

A

D. Review the resource locks in Azure Portal.

Explanation:
Each of the issues is documented directly in connection with Azure Resource Locks, so this would be the first place to check.
Learn more: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources#how-locks-are-applied

15
Q

A company is using Azure Active Directory (Azure AD). The company has an assigned Global administrator and does not want someone else to have that level of access in Azure AD.

However, they want to allow a new employee to manage groups, user accounts, and service requests. Which of the following roles should be assigned to the new employee?

A. Resource administrator
B. Billing administrator
C. Service administrator
D. User administrator

A

D. User administrator

Explanation:
Azure Active Directory has the following roles available:

Global administrator - This role has access to all administrative features.
Billing administrator - This role allows a user to manage subscriptions.
Service administrator - The service administrator manages requests and monitors the health of designated services.
User administrator - This role manages groups, user accounts, and service requests. 

Learn more: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

16
Q

You have a two-tier application hosted within VNet-01 with an IP address range of 10.0.1.0/16 and the following resource configurations:

A web application front end hosted on an IaaS virtual machine named VM_Front within a public subnet with an IP address range of 10.0.2.0/24. VM_Front has a private IP address of 10.0.2.5, and a public IP address of 192.168.50.2.
A web application backend hosted on a second IaaS virtual machine named VM_Back within a private subnet with an IP address range of 10.0.3.0/24. VM_Back has a private IP address of 10.0.3.4.
A public-facing load balancer with a private IP address of 10.0.1.6 and a public IP address of 172.16.50.35.

You are configuring the network security group for VM_Front, and want it to receive encrypted HTTP traffic from the load balancer, and want this to be one of the first rules the NSG processes against all incoming traffic. How would you configure a rule to allow this?

A. Inbound Rule
Source: 10.0.1.6
Source Port: *
Destination: 10.0.2.5
Destination Port: 443
Protocol: TCP
Priority: 100
Action: Allow

B. Inbound Rule
Source: 10.0.2.5
Source Port: 80
Destination: 172.16.50.35
Destination Port: *
Protocol: UDP
Priority: 100
Action: Allow

C. Inbound Rule
Source: 10.0.1.6
Source Port: *
Destination: 10.0.3.4
Destination Port: 8080
Protocol: TCP
Priority: 5000
Action: Allow

D. Inbound Rule
Source: 10.0.2.5
Source Port: *
Destination: 10.0.3.4
Destination Port: 443
Protocol: HTTPS
Priority: 9999
Action: Allow

A

A. Inbound Rule
Source: 10.0.1.6
Source Port: *
Destination: 10.0.2.5
Destination Port: 443
Protocol: TCP
Priority: 100
Action: Allow

Explanation:
The correct rule parameters are:

Inbound Rule
Source: 10.0.1.6
Source Port: *
Destination: 10.0.2.5
Destination Port: 443
Protocol: TCP
Priority: 100
Action: Allow

Learn more: /course/implementing-azure-network-security/configuring-security-rules-in-an-nsg/

17
Q

Roles created within Azure Role-Based Access Controls (RBAC) can be scoped to all of the following levels except which one?

A. Tenant
B. Subscription
C. Resource Group
D. Resource

A

A. Tenant

Explanation:
Azure AD tenant is separate from the Azure RBAC, which is built within Azure Resource Manager. This may be why Azure RBAC roles cannot be scoped to the tenant level.
Learn more: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles?context=azure/active-directory/users-groups-roles/context/ugr-context

18
Q

You have a microservice application hosted on Azure App Services named Azure Service Environment 1. The application communicates with on-premise database servers and data analysis applications. You need to find an effective monitoring solution to do the following:

Monitor performance of Azure Service Environment 1 and the on-premise database servers.
Provide alerts when communication between the on-premise database and Azure Service Environment 1 is disrupted.
Provide quantitative data regarding customer usage.

What Azure services or features within Azure App Service can meet all your requirements?

A. Azure Application Insights
B. Azure Monitor
C. Azure App Service Diagnostic Logs
D. Azure App Service Metrics

A

A. Azure Application Insights

Explanation:
Application Insights can collect data from applications in Azure, running on-premise, or on other clouds. The integration with Azure Web Apps makes it exceptionally easy to use in Azure.

Learn more: /lab/deploying-monitoring-azure-app-service-web-apps/monitoring-azure-web-apps-application-insights/

19
Q

Container A in Resource Group 1 in your Azure Storage Account contains multiple blobs with highly confidential information for multiple customers. Your company’s legal team needs read access to a specific set of customers’ confidential information, in relation to an ongoing legal matter.

To prevent further legal complications, you must provide access to the customers’ information from Container A, but no access to other customer information. How can you accomplish this in the most secure and efficient manner?

A. Create a new container named Container B. Copy the specific resources in question to Container B, and provide the legal team read access to Container B by scoping RBAC to the container level.

B. Provide the legal team read access to the specific blobs in question in Container A, but deny them access to other resources in Container A by scoping the RBAC to the blob level.

C. Create a new resource group, Resource Group 2. Create a new container, Container B, and copy the relevant resources from Container A to Container B. Provide the legal team read access to Resource Group 2 by scoping RBAC to the resource group level.

D. Create a new resource group, Resource Group 2. Create a new container, Container B, and copy the relevant resources from Container A to Container B. Provide the legal team read access to Container B by scoping RBAC to the container level.

A

A. Create a new container named Container B. Copy the specific resources in question to Container B, and provide the legal team read access to Container B by scoping RBAC to the container level.

Explanation:
Azure controls access to resources, such as storage and queues, using role-based access control, or RBAC. An Azure AD security principal, which can be a user, a group, an application service principal, or a managed identity for Azure resources, can be granted access to resources at the level of a subscription, a resource group, a storage account, or an individual container or queue. Before assigning a role to a user or group, you need to determine the scope of access required. It is best to allow only the absolutely necessary scope of access to resources.

Starting with the narrowest, the levels of scope are:

An individual container: at this scope, a role assignment applies to all of the blobs in the container as well as container properties and metadata.

An individual queue: at this scope, a role assignment applies to messages in the queue as well as queue properties and metadata.

The storage account: at this scope, a role assignment applies to all containers and their blobs or to all queues and their messages.

The resource group: at this scope, a role assignment applies to all of the containers or queues, and all of the storage accounts in the resource group.

The subscription: at this scope, a role assignment applies to all of the containers or queues, all the storage accounts, and all the resource groups in the subscription.
Learn more: /course/configuring-azure-application-and-data-security/configuring-access-control-for-storage-accounts/

20
Q

You are working as an Azure administrator for a company. A development team has a requirement to develop an application. Part of the application requires the following functionality:

Listing the current Azure Active Directory Users
Determining the user's group in Azure Active Directory
Check the user's subscribed services in Azure.

What is the recommended solution for creating the application?

A. Use Powershell to execute the required commands against the Azure Active Directory Users
B. Set up an Azure Virtual machine, connect it to the domain and run their application from this machine
C. Use Microsoft Graph API to get the relevant information from Azure Active Directory
D. Use a third party connector to get the required information

A

C. Use Microsoft Graph API to get the relevant information from Azure Active Directory

Explanation:
The Microsoft Graph API allows one to access the data from Azure Active Directory services via REST API endpoints. This service provides support for the various HTTP verbs, which allows you to perform the various CRUD operations on the data stored in Azure Active Directory services. This would be the ideal approach for the development team.
Learn more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api

21
Q

Your company is being audited, and an external accountant needs access to review a blob container in the Blob service within one specific Azure storage account.

You currently use Azure Active Directory to control access to the blob storage resources in question. However, you have been told you need to provide the accountant with immediate access to review the blob container in the storage account without any further information.

How can you provide necessary access, but also limit it to the container in question?

A. Provide the accountant with read-only access to the specific Azure Blob container with a service-level shared access signature token to expire at the end of the business day. Specify the HTTPS protocol is required to accept requests.
B. Assign the accountant a guest role in Azure Active Directory with read-only access to the specific Azure Blob storage service in the Azure Storage account.
C. Provide the accountant with read-only access to the specific Azure Blob container with a user-delegation shared access signature token to expire at the end of the business day. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
D. Provide the accountant with contributor role access to the storage account using Azure AD role-based access control (RBAC).

A

A. Provide the accountant with read-only access to the specific Azure Blob container with a service-level shared access signature token to expire at the end of the business day. Specify the HTTPS protocol is required to accept requests.

Explanation:
In this case, Azure Storage’s Shared Access Signature (SAS) is the best tool to provide limited, authorized access to the necessary blob resources. Remember, SAS allows two levels of access: service-level, which limits access to one type of storage within the Azure storage account, such as Blob, Table, Queue or File storage, and account-level, which provides access to all storage types in a single account. The service level also allows you to limit access to specific containers, or even specific blobs, and to control the actions that can be performed on the blobs by selecting approved common permission types such as read, write, list, or process.

You cannot provide a user-delegated SAS in this case because you do not know if the accountant has Azure AD credentials, which are required for this type of SAS.
Learn more: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1#shared-access-signature-parameters

22
Q

Azure SQL advanced threat protection can alert you about which of the following potential threats?

A. SQL injection
B. Access from an unknown location
C. Access from an unfamiliar principal
D. ATP can protect you from all these threats

A

D. ATP can protect you from all these threats

Explanation:
Vulnerability to SQL injection: This alert is triggered when an application generates a faulty SQL statement in the database. This alert may indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for the generation of a faulty statement:

A defect in application code that constructs the faulty SQL statement
Application code or stored procedures don’t sanitize user input when constructing the faulty SQL statement, which may be exploited for SQL Injection

Potential SQL injection: This alert is triggered when an active exploit happens against an identified application vulnerability to SQL injection. This means the attacker is trying to inject malicious SQL statements using the vulnerable application code or stored procedures.

Access from unusual location: This alert is triggered when there is a change in the access pattern to SQL server, where someone has logged on to the SQL server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (former employee, external attacker).

Access from unusual Azure data center: This alert is triggered when there is a change in the access pattern to SQL server, where someone has logged on to the SQL server from an unusual Azure data center that was seen on this server during the recent period. In some cases, the alert detects a legitimate action (your new application in Azure, Power BI, Azure SQL Query Editor). In other cases, the alert detects a malicious action from an Azure resource/service (former employee, external attacker).

Access from unfamiliar principal: This alert is triggered when there is a change in the access pattern to SQL server, where someone has logged on to the SQL server using an unusual principal (SQL user). In some cases, the alert detects a legitimate action (new application, developer maintenance). In other cases, the alert detects a malicious action (former employee, external attacker).

Access from a potentially harmful application: This alert is triggered when a potentially harmful application is used to access the database. In some cases, the alert detects penetration testing in action. In other cases, the alert detects an attack using common attack tools.

Brute force SQL credentials: This alert is triggered when there is an abnormally high number of failed logins with different credentials. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack.
Learn more: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-advanced-data-security

23
Q

You have a two-tier application hosted within VNet-01 with a CIDR block of 10.0.0.0/16 and the following resource configurations:

The front end is hosted on a VM named "VM_Front" within a public subnet. The public subnet has an IP address range of 10.0.2.0/24. VM_Front has a private IP address of 10.0.2.5, and a public IP address of 192.168.50.2.
The backend is hosted on a second VM named VM_Back within a private subnet. The private subnet has an IP address range of 10.0.3.0/24. VM_Back has a private IP address of 10.0.3.4.
A public load balancer with a private IP address of 10.0.1.6 and a public IP address of 172.16.50.35.

You are configuring a final rule for a network security group (NSG) associated with resources in the private subnet where VM_Back is deployed. This final rule should block all traffic from the public subnet. Traffic from the public subnet that does not meet any of the NSG Allow rules would be processed by this rule.

Which NSG rule parameters below would meet the requirements for this NSG rule?

A. Inbound Rule
Source: 10.0.2.0/24
Source Port: 0-65535
Destination: 10.0.3.4
Destination Port: 0-65535
Protocol: ANY
Priority: 4096
Action: Deny
B. Outbound Rule
Source: 10.0.2.0/24
Source Port: 0-65535
Destination: 10.0.3.4
Destination Port: 0-65535
Protocol: ANY
Priority: 20
Action: Deny
C. Inbound Rule
Source: 10.0.0.0/16
Source Port: *
Destination: 10.0.3.4
Destination Port: *
Protocol: ANY
Priority: 4096
Action: Deny
D. Outbound Rule
Source: 0.0.0.0/0
Source Port: *
Destination: 10.0.3.4
Destination Port: *
Protocol: ANY
Priority: 20
Action: Deny

A

A. Inbound Rule
Source: 10.0.2.0/24
Source Port: 0-65535
Destination: 10.0.3.4
Destination Port: 0-65535
Protocol: ANY
Priority: 4096
Action: Deny

Explanation:
The correct NSG rule configuration is:

Inbound Rule
Source: 10.0.2.0/24
Source Port: 0-65535
Destination: 10.0.3.4
Destination Port: 0-65535
Protocol: ANY
Priority: 4096
Action: Deny

Learn more: /course/implementing-azure-network-security/configuring-security-rules-in-an-nsg/

24
Q

You are configuring security settings for your Azure Data Lake, and want to integrate a Data Lake service endpoint within an existing VNet. Which steps should you implement to configure this? (Choose 2 answers)

A. Configure your Azure Data Lake in the same resource group as your VNet
B. Configure a Microsoft Azure Active Directory Service endpoint
C. Deploy the endpoint in your selected VNET
D. Disable connectivity from Azure services outside of the selected VNET

A

B. Configure a Microsoft Azure Active Directory Service endpoint
C. Deploy the endpoint in your selected VNET

Explanation:
To use virtual network integration with Data Lake Storage Gen1, you must create a virtual network in the same region as your Data Lake Storage account, and configure a service endpoint with Microsoft Azure Active Directory as the service. After creating the virtual network, open your data lake and click Firewall and virtual networks. Choose the Selected network radio button, then Add existing virtual network. In the Add networks blade, select your virtual network and subnet and click Add. In the Exceptions section below the firewall settings, you can enable connectivity from Azure services outside of your selected network.
Learn more: /course/configuring-azure-application-and-data-security/securing-azure-data-lake-storage-with-virtual-network-integration/

25
Q

How does Just in Time Virtual Machine Access reduce attack exposure?

A. Turning VMs off when they’re not in use
B. Blocking outbound access to VMs
C. Controlling the applications that can be run
D. Reducing access to VMs

A

D. Reducing access to VMs

Explanation:
Just in time virtual machine access reduces your attack exposure by allowing you to deny persistent access to VMs.
Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

26
Q


In configuring your Azure Kubernetes cluster, you have specific requirements regarding the operations the cluster will perform and the Azure services with which it will interact. You would like to configure the AKS cluster’s permissions before assigning it to any AKS resources. What parameters complete the following command to create an Azure AD entity for AKS clusters to which you can assign permissions without associating it with a new or existing AKS cluster?

az ________________________ --skip-assignment --name [entityname]

A. ad sp create-for-rbac
B. aks create
C. role assignment create
D. aks get-credentials

A

A. ad sp create-for-rbac

Explanation:
If you want to manually create a service principal using the Azure CLI, you can use the following command:

az ad sp create-for-rbac --skip-assignment --name myAKSClusterSP

This example uses the az ad sp create-for-rbac command. The --skip-assignment parameter prevents the default role assignment from being created for the new service principal, so you can assign only the permissions it needs.
Learn more: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal#manually-create-a-service-principal

27
Q

Your team is spending too much time recovering from unplanned events, specifically when small resource updates occur that disrupt service operations, or noncompliant resources are created.

You want to automate a process to review log data related to resource updates. You also need to design specific queries and potentially alerts related to these kinds of noncompliant resource updates.

What type of logs would you analyze, and with what Azure service?

A. Analyze activity logs with Log Analytics
B. Analyze diagnostic logs with Event Grid
C. Analyze application logs with Stream Analytics
D. Analyze diagnostic logs with Event Hub

A

A. Analyze activity logs with Log Analytics

Explanation:
There are three types of logs to be aware of: activity logs, diagnostic logs, and application logs (also called guest OS logs). Consider where these logs exist within an Azure subscription in relation to the resources they monitor. A non-compute resource, such as a network security group, is tightly integrated with and delivered through Azure resource providers. Next to it sits a compute resource: a virtual machine with a guest OS such as Windows or Linux, running an application such as IIS or Apache.

Activity logs record operations executed against a resource at the subscription level. For example, administrative tasks such as creating a resource or updating the properties of an existing resource generate an event in the activity log. Diagnostic logs are collected within a subscription at the Azure resource level for services like VPN gateways or network security groups. Not all Azure services offer diagnostic logging, and the level of detail you can capture varies; the Microsoft Azure website lists the resources that support it. Application logs are generated by applications or services within a guest OS and are collected from inside the operating system through an agent; they can come from core services, like the Windows Event logs, or from applications like IIS. Diagnostic logging can be enabled in several ways: the Azure portal, PowerShell, the Azure CLI, or the REST API via Azure Resource Manager.
Learn more: /course/designing-for-azure-operations/designing-for-azure-operations-section1-3-log-analytics/

28
Q

If you don’t know how long to retain data when setting a retention period for immutable blob storage, what kind of policy can you put in place?

A. Elastic
B. LTR
C. Legal
D. Fluid

A

C. Legal

Explanation:
Immutable storage supports the following features:

Time-based retention policy support: Users can set policies to store data for a specified interval. When a time-based retention policy is set, blobs can be created and read, but not modified or deleted. After the retention period has expired, blobs can be deleted but not overwritten.

Legal hold policy support: If the retention interval is not known, users can set legal holds to store immutable data until the legal hold is cleared. When a legal hold policy is set, blobs can be created and read, but not modified or deleted. Each legal hold is associated with a user-defined alphanumeric tag (such as a case ID, event name, etc.) that is used as an identifier string.
Learn more: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage

29
Q

Which of the following tools can be used to extend on-premises Windows Server Active Directory to Azure AD?

A. Azure AD Connect
B. Azure AD Sync
C. Azure AD
D. Azure AD Premium

A

A. Azure AD Connect

Explanation:
Azure AD Connect is a tool that simplifies extending on-premises AD to Azure AD.
Learn more: https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/

30
Q

When configuring Azure Firewall, which type of rule is specific to Azure Firewall and contains source addresses, protocols, destination ports, and destination addresses?

A. Application rules
B. Network rules
C. Application Security Group rules
D. Network Security Group Rules

A

B. Network rules

Explanation:
Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.

There are three types of rule collections:

Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
NAT rules: Configure DNAT rules to allow incoming connections.
Learn more: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-are-some-azure-firewall-concepts

31
Q

You are creating a new custom role using role-based access controls. The custom role is similar to an existing role. Using PowerShell’s integrated scripting environment (ISE), you are editing the existing “custom contributor” role to create the new custom role, “custom administrator”.

You need to completely update the actions allowed for the new custom role.

When editing the script of the “custom contributor” role, how could you clear all the granted permissions from the code? (Check all that apply)

A. Store the ‘custom contributor’ role as variable “$role”
B. Run the script $role.Actions = null
C. Run the script $role.Actions.Clear()
D. Store the ‘custom administrator role’ as a variable “$role”

A

A. Store the ‘custom contributor’ role as variable “$role”
C. Run the script $role.Actions.Clear()

Explanation:
You would need to store the custom contributor role as a variable, and then run the script $role.Actions.Clear().
Learn more: /lab/manage-access-azure-role-based-access-control/creating-custom-role-powershell/

32
Q

Microsoft Defender for Cloud’s endpoint protection feature provides recommendations and monitoring related to which area of IT security?

A. Anti-malware security
B. Operating System configuration settings
C. Data encryption
D. Software patching

A

A. Anti-malware security

Explanation:
Microsoft Defender for Cloud endpoint protection provides anti-malware security monitoring and recommendations.
Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows

33
Q

What actions does the following Azure Blob Storage lifecycle policy implement?

{
  "rules": [
    {
      "name": "agingRule",
      "enabled": true,
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": [ "blockBlob" ],
          "prefixMatch": [ "container1/sample" ]
        },
        "actions": {
          "baseBlob": {
            "tierToCool": { "daysAfterModificationGreaterThan": 30 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 90 }
          }
        }
      }
    }
  ]
}

A. It moves block blobs in container1 with object names starting with “sample” to the cool tier after 30 days since the last update, and to the archive tier after 90 days since the last update.

B. It moves all block blobs in the container named “container1/sample” to cool tier after 30 days since the last update, and to the archive tier after 120 days since the last update.

C. It moves all blobs in container1 with object names starting with “sample” to the cool tier after 30 days since the last update, and to the archive tier after 90 days since the last update.

D. It moves block blobs in container1 with object names starting with “sample” to the cool tier after 30 days since the last update, and to the archive tier after 120 days since the last update.

A

A. It moves block blobs in container1 with object names starting with “sample” to the cool tier after 30 days since the last update, and to the archive tier after 90 days since the last update.

Explanation:
Reviewing the lifecycle policy, it deals with block blobs in container1 with an object name starting with “sample”. The lifecycle rules move the objects to cool and then archive after 30 or 90 days since the object was last updated, not since it was originally uploaded.

The actions, moving to cool or archive, are implemented after the stated amount of time has passed, and the time period for one action also counts toward the time period for any subsequent actions. This means after the object is moved to the cool tier, the 30-day duration also counts toward moving the object to archive, so only 60 additional days would need to pass without an update for a given object to be moved to the archive tier. So only 90 days have to pass without an update, not 120, for any object affected by this policy to move to the archive tier.
Learn more: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts?tabs=azure-portal#policy

34
Q

Which of the following statements is incorrect regarding a resource policy created using Azure Policy?

A. Azure Policy scans Azure resources for noncompliance with defined resource policies.
B. It applies to Azure resources, not Azure subscribers or users.
C. Once a policy is created, it applies to both new and existing resources.
D. Users can search through Azure policy with custom policy queries.

A

D. Users can search through Azure policy with custom policy queries.

Explanation:
Azure Policy definitions apply to Azure resources only, not to subscribers or users. Once a policy is created, it applies to new, updated and existing resources. The service scans hourly to detect noncompliance, but it does not support custom policy queries.
Learn more: /course/managing-azure-subscriptions-resource-groups/resource-policies

35
Q

As a security administrator for your organization, you have been asked to create an Azure Resource Manager (ARM) template that includes a policy requiring all resources to have a particular tag. You are familiar with traditional role-based access control (RBAC) concepts; however, you know there are a few key differences between policy and RBAC. Which statement describes a key feature of policy that is different from RBAC?

A. To use policies, no additional authentication is needed.
B. Resource policy is a default deny and explicit allow system.
C. Resource policies focus on the properties of the resource itself.
D. Resource policies focus on user actions at different scopes.

A

C. Resource policies focus on the properties of the resource itself.

Explanation:
There are a few key differences between policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. Policy focuses on resource properties during deployment. Unlike RBAC, policy is a default allow and explicit deny system. Also, to use policies, you must be authenticated through RBAC.
Learn more: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-policy#how-is-it-different-from-rbac

36
Q

Jeremy will manage security for all applications within two subscriptions, named Subscription 1 and Subscription 2. Jeremy needs to be assigned the appropriate role to manage these resources.

This new role has the following requirements:

Jeremy needs to be able to assign employees he manages permanent roles within PIM.
With his potential ability to assign other employees resource access in PIM, his role assignment will need administrative review.
Before management activates his assignment, they would like Jeremy to complete MFA.

What Azure resource role assignment within PIM will meet these requirements?

A. Permanent eligible assignment
B. Permanent active assignment
C. An eligible assignment with expiration
D. An active assignment with expiration

A

A. Permanent eligible assignment

Explanation:
Permanent assignments allow users to assign other users permanent roles within PIM. Eligible assignments require the user to complete an action, which could be a justification for the role or MFA, before activating the role. Active role assignments do not need to be justified or require MFA.
Learn more: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-eligible-visibility

37
Q

Which cluster types can Enterprise Security Package be enabled for in HDInsight?

A. Hadoop, Spark, Interactive Query
B. Hadoop, Storm, R-Server
C. Interactive Query, Spark, R-Server
D. Spark, R-Server

A

A. Hadoop, Spark, Interactive Query

Explanation:
Enterprise Security Package (previously known as HDInsight Premium) provides multi-user access to the cluster, where authentication is done by Active Directory and authorization by Apache Ranger and Storage ACLs (ADLS ACLs). Authorization provides secure boundaries among multiple users and allows only privileged users to have access to the data based on authorization policies.

Security and user isolation are important for an HDInsight cluster with Enterprise Security Package.
Learn more: https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-manage

38
Q

When requesting access to a virtual machine with Just-in-Time VM Access enabled, you provide all of the following except which choice?

A. Approved Azure AD users
B. Approved IP addresses
C. Approved port number
D. Approved time of access

A

A. Approved Azure AD users

Explanation:
When configuring Just in Time VM Access, the approved ports, IP addresses and time to access can all be set. However, you are not creating a policy to apply to Azure AD users. This is applied to specific resources, so at no point do you allocate access to specific users. The users gain access for each approved request.
Learn more: /course/managing-azure-data-protection-and-security-compliance/manage-vm-access/

39
Q

Which of the following is not a feature of Azure AD Connect?

A. Content Monitoring
B. Filtering
C. Password synchronization
D. Password writeback

A

A. Content Monitoring

Explanation:
Content Monitoring is not a feature of Azure AD Connect. The following is a list of Azure AD Connect features: Filtering, Password synchronization, Password writeback, Device writeback, Prevent accidental deletes, Automatic upgrade. Monitoring is provided through Azure AD Connect Health.
Learn more: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

40
Q

You want to assign a role-based access control (RBAC) role to a user in the Azure Portal. Consider the following steps listed below:

1. Select the user
2. Open Access Control (IAM) and select 'Add Role Assignment'
3. Open Azure Resource Manager and select 'Add Role Assignment'
4. Provide Reason for Assignment
5. Select the role
6. Save
7. Select Eligible or Permanent

Assuming you have the necessary permissions, which answer lists the necessary steps to assign an RBAC role to a user in the correct order?

A. 2 - 1 - 5 - 6
B. 3 - 1 - 5 - 6
C. 3 - 1 - 5 - 7 - 4 - 6
D. 2 - 1 - 5 - 7 - 4 - 6

A

A. 2 - 1 - 5 - 6

Explanation:
In Access control (IAM), you can Add permissions to the resources. To assign a role to a user, you simply select the desired Role, Assign access to an Azure AD user, group, or application, Select the user from the list, and click Save.
Learn more: /lab/manage-access-azure-role-based-access-control/simulating-custom-role-user-experience