Kindle Practice Test 3 Flashcards

1
Q

You have an existing AD Connect implementation. You have to prevent users from a certain department from being synchronised to AAD. Which tool do you use?

A. AAD Connect wizard on the AD Connect server
B. Synchronization Rules Editor on the AD Connect server
C. AAD Connect in the Azure portal
D. AD Users and Computers on the local DC

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 57). Kindle Edition.

A

B. Synchronization Rules Editor on the AD Connect server

Explanation:
The Synchronization Rules Editor on the AD Connect server is used to change which objects are synchronised. An inbound scoping rule on the department attribute that sets cloudFiltered to True keeps those users out of AAD; the domain/OU filtering in the AAD Connect wizard cannot filter on an attribute. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

2
Q

What format is an OpenID Connect token?

A. XML
B. SAML
C. JWT
D. Java

A

C. JWT

Explanation:
An OpenID Connect ID token is a JSON Web Token (JWT): a base64url-encoded header, a claims payload and a signature, separated by dots and signed by the issuer. SAML assertions are XML, the format used by SAML and WS-Federation sign-in instead.

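Worked example (added here, not part of the practice test): what an OpenID Connect ID token looks like on the wire and the checks a relying party must make on it. The issuer, audience and signing key are constructed placeholders; a real Azure AD token is signed with RS256 and verified against the tenant's published JWKS keys, whereas this example signs with HS256 and a shared key so that it runs offline. Pinning the algorithm, checking iss, aud, exp and nonce, and comparing signatures in constant time are the points the question's one-word answer leaves out.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. A real OpenID Connect provider such as
# Azure AD signs ID tokens with RS256 and publishes its public keys at the
# JWKS endpoint; HS256 with a shared key is used here only so it runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://login.example.test/tenant-id/v2.0"  # assumed issuer
EXPECTED_AUDIENCE = "11111111-2222-3333-4444-555555555555"     # assumed client id


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact-serialised JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_id_token(token: str, key: bytes = DEMO_KEY,
                      now: Optional[float] = None,
                      expected_nonce: Optional[str] = None) -> dict:
    """Verify the signature and the ID-token claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm. Trusting the header lets an attacker send alg=none
    # or swap the algorithm family.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # OIDC Core section 3.1.3.7: check iss, aud, exp and (if one was sent) nonce.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now + 60:  # allow a minute of clock skew
        raise ValueError("token not yet valid")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims


if __name__ == "__main__":
    issued = 1_700_000_000
    token = make_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                           "sub": "user-object-id", "iat": issued,
                           "exp": issued + 3600, "nonce": "n-1"})
    print(token)
    print(validate_id_token(token, now=issued + 10, expected_nonce="n-1"))
```

The header segment of every HS256 token built this way decodes to {"alg":"HS256","typ":"JWT"}; the payload is readable by anyone who holds the token, which is why an ID token carries no secrets and why its integrity rests entirely on the signature check.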
3
Q

Which two of the following are objects you can configure to apply AAD PIM to?

A. Access Reviews
B. AAD Roles
C. AAD Groups
D. Azure Resources
E. AAD Dynamic Groups

A

B. AAD Roles
D. Azure Resources

Explanation:
PIM can be configured for Azure AD roles and for Azure resource roles (RBAC assignments at management group, subscription, resource group or resource scope), making them eligible rather than permanent. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#who-can-do-what-in-pim

4
Q

In Azure SQL Database Always Encrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. Plaintext data values always produce the same ciphertext:

A. Deterministic
B. Randomized

A

A. Deterministic

Explanation:
Deterministic encryption always generates the same encrypted value for a given plaintext value. Randomized encryption produces a different ciphertext each time a value is encrypted, so equality of plaintexts cannot be seen from the ciphertext.

5
Q

In Azure SQL Database Always Encrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. SQL Server can use the encrypted columns in joins and lookups:

A. Deterministic
B. Randomized

A

A. Deterministic

Explanation:
Deterministic encryption is the type that lets the database engine perform point lookups, equality joins, grouping and indexing on the encrypted column, because equal plaintexts produce equal ciphertexts and the engine can compare the bytes without decrypting. Randomized encryption prevents all of those operations on the column.

6
Q

In Azure SQL Database Always Encrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. Not suitable for columns containing boolean data:

A. Deterministic
B. Randomized

A

A. Deterministic

Explanation:
Deterministic. Because equal plaintexts always map to the same ciphertext, anyone who can read the column sees how many distinct values it holds and how often each occurs. For a boolean or other small-domain column (True/False, North/South/East/West) that is enough to recover every row: one known row gives away all the rest. Use randomized encryption for such columns unless you must search or join on them.

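Worked example (added here, not part of the practice test) covering questions 4 to 6: why deterministic encryption supports equality lookups and joins, and why that same property makes it unsafe for a boolean column. The keys and column values are constructed, and a SHA-256 counter-mode keystream stands in for the AES-CBC that Always Encrypted really uses; what is faithful is the choice of IV, derived from the plaintext for deterministic encryption and random for randomized encryption.

```python
import hashlib
import hmac
import os

# Constructed keys standing in for an Always Encrypted column encryption key.
# The cipher is a stand-in too: SHA-256 in counter mode supplies the keystream
# instead of AES-CBC, so the example runs with the standard library alone. The
# property being demonstrated is how the IV is chosen, which is the same idea
# as Always Encrypted (deterministic = IV derived from the plaintext).
ENC_KEY = b"constructed-column-encryption-key"
IV_KEY = b"constructed-iv-derivation-key"
IV_LEN = 16


def keystream(iv: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(ENC_KEY + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes, deterministic: bool) -> bytes:
    if deterministic:
        # Same plaintext -> same IV -> same ciphertext. Equality survives encryption.
        iv = hmac.new(IV_KEY, plaintext, hashlib.sha256).digest()[:IV_LEN]
    else:
        # Fresh random IV per value: two encryptions of one value look unrelated.
        iv = os.urandom(IV_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(iv, len(plaintext))))
    return iv + body


def decrypt(ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(iv, len(body))))


def encrypt_column(values, deterministic):
    return [encrypt(v.encode("utf-8"), deterministic) for v in values]


def lookup(column, search_value, deterministic):
    """Server-side 'WHERE col = @p': the driver encrypts @p, the engine compares bytes."""
    needle = encrypt(search_value.encode("utf-8"), deterministic)
    return [row for row, cell in enumerate(column) if cell == needle]


def distinct_ciphertexts(column):
    """What a DBA without the key sees: how many distinct values the column holds."""
    return len(set(column))


def infer_boolean_column(column, known_row, known_value):
    """Ciphertext-only inference: one known row reveals every other row."""
    other = "false" if known_value == "true" else "true"
    return [known_value if cell == column[known_row] else other for cell in column]


if __name__ == "__main__":
    flags = ["true", "false", "true", "true", "false"]   # constructed boolean column
    det = encrypt_column(flags, True)
    rnd = encrypt_column(flags, False)
    print("distinct ciphertexts, deterministic:", distinct_ciphertexts(det))
    print("distinct ciphertexts, randomized   :", distinct_ciphertexts(rnd))
    print("recovered from one known row       :", infer_boolean_column(det, 1, "false"))
```

With deterministic encryption the lookup finds matching rows without the key, which is exactly what makes the boolean column recoverable from a single known value; with randomized encryption the same lookup finds nothing, and the column reveals no more than its row count.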
7
Q

You create a new Azure Key Vault and want to ensure that malicious permanent deletions of key vault items can be recovered for 90 days. What at a minimum would you have to enable on the Key Vault?

A. Soft-delete only
B. Purge protection only
C. Soft-delete and purge protection
D. Delete lock only
E. Read-only lock only

A

C. Soft-delete and purge protection

Explanation:
Soft-delete will allow recovery of accidentally deleted key vault items (or the key vault itself) for 90 days. However a malicious user might purge soft-deleted items which will prevent their recovery despite soft-delete being enabled. To prevent purging of soft-deleted items you should enable purge protection which in turn requires soft-delete to be enabled. The best answer is Soft-delete and purge protection. https://docs.microsoft.com/en-za/azure/key-vault/key-vault-ovw-soft-delete

8
Q

Which of the following are default rules created with a network security group?

A. DenyAllInBound
B. DenyAllOutBound
C. DenyVnetInBound
D. DenyVnetOutBound

A

A. DenyAllInBound
B. DenyAllOutBound

Explanation:
Every NSG is created with six default rules. Inbound: AllowVnetInBound (priority 65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). Outbound: AllowVnetOutBound (65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500). Both DenyAll rules are therefore default rules. They cannot be deleted, but a custom rule with a lower priority number is evaluated first and overrides them; there are no DenyVnet default rules.

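Worked example (added here, not part of the practice test): a small evaluator that applies NSG rules in priority order with the six default rules present. Service tags are matched by name rather than by CIDR, which is a simplification, and the two custom rules are constructed for the example. It shows the two things people get wrong with the defaults: traffic from the Internet is dropped by DenyAllInBound unless a custom Allow rule comes first, and traffic from inside the virtual network is let through by AllowVnetInBound unless a custom Deny rule at a lower priority number blocks it.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first; custom rules use 100-4096
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "*", "Tcp", "Udp", "Icmp"
    source: str        # service tag or "*" (CIDR matching is omitted in this model)
    destination: str
    dest_port: str     # "*", "443" or a range such as "3389-3390"


# The six rules Azure creates in every NSG. They cannot be removed, only
# overridden by a custom rule with a lower priority number.
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules: List[Rule], direction: str, protocol: str,
             source: str, destination: str, port: int) -> Tuple[str, str]:
    """The first rule (by priority) whose tuple matches decides; later rules are not consulted."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if rule.source not in ("*", source):
            continue
        if rule.destination not in ("*", destination):
            continue
        if not port_matches(rule.dest_port, port):
            continue
        return rule.name, rule.access
    return "<no rule>", "Deny"   # unreachable while the default rules are present


# Constructed custom rules: publish HTTPS, and close RDP even from inside the VNet.
HARDENED_RULES = DEFAULT_RULES + [
    Rule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "VirtualNetwork", "443"),
    Rule("DenyRdpFromVnet", 100, "Inbound", "Deny", "Tcp", "VirtualNetwork", "VirtualNetwork", "3389"),
]


if __name__ == "__main__":
    for label, rules in (("default ", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(label, "RDP from the VNet:",
              evaluate(rules, "Inbound", "Tcp", "VirtualNetwork", "VirtualNetwork", 3389))
        print(label, "RDP from Internet:",
              evaluate(rules, "Inbound", "Tcp", "Internet", "VirtualNetwork", 3389))
```

The default rule set is deny-by-default from the Internet but allow-by-default inside the VNet (and from the load balancer), so lateral movement between subnets has to be blocked with explicit custom Deny rules.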
9
Q

You must minimise costs. What is the minimum license required to configure Azure AD MFA?

A. Azure AD Premium P1
B. Azure AD Premium P2
C. No license is required
D. Any Office 365 license
E. No license is required, but the user must be an Azure AD Global Administrator

A

E. No license is required, but the user must be an Azure AD Global Administrator

Explanation:
- No license is required, but the user must be an Azure AD Global Administrator: MFA is free for Global Administrators, with reduced functionality.
- Any Office 365 subscription gives MFA for all of its users, with reduced functionality.
- Azure AD Premium P1 gives full-featured MFA.
- Azure AD Premium P2 also gives full-featured MFA (all AAD P1 features are included in AAD P2).
- You can configure MFA for a user with no license at all, in which case the subscription is charged on a per-user consumption-based model.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

10
Q

When configuring AAD conditional access policies, which of the following are mandatory requirements?

A. User / group
B. Cloud Apps
C. Sign-in risk
D. Device platforms
E. Device state
F. Location
G. Client apps
H. Access controls

A

A. User / group
B. Cloud Apps
H. Access controls

Explanation:
A Conditional Access policy cannot be saved without an assignment of users or groups, an assignment of cloud apps (or user actions) and at least one grant or session control. The remaining conditions (sign-in risk, device platforms, device state, location, client apps) are optional refinements that narrow when the policy applies.

11
Q

You are configuring AIP policies. You specify two labels: Label1 matches "Word1" and Label2 matches "Word2". You create a document in MS Word that contains both words. Which label is applied?

A. Label1
B. Label2
C. Label1 and Label2
D. No label

A

B. Label2

Explanation:
Label2 is applied. When a document matches the conditions of more than one label, the label that is ordered last in the policy wins (sub-labels included), and only one label is ever applied to a document. Automatic, condition-based classification applies to Office documents. https://docs.microsoft.com/en-us/azure/information-protection/faqs-infoprotect#can-a-file-have-more-than-one-classification

12
Q

What tools are available to you for changing the key scenario in AIP (from Microsoft managed to BYOK for example)?

A. Azure portal
B. O365 management portal
C. Security and Compliance Centre
D. Windows PowerShell

A

D. Windows PowerShell

Explanation:
Windows PowerShell (the AIPService module, formerly AADRM) is currently the only way to change the tenant key configuration, for example from a Microsoft-managed key to BYOK. None of the portals expose this setting.

13
Q

You must minimise costs. What is the minimum license required to configure Azure AD Conditional Access?

A. Azure AD Premium P1
B. Azure AD Premium P2
C. No license is required
D. Any Office 365 license
E. No license is required, but the user must be an Azure AD Global Administrator

A

A. Azure AD Premium P1

Explanation:
- Azure AD Premium P1 is required to configure and use Conditional Access.
- Azure AD Premium P2 includes all of the Azure AD Premium P1 features, so it works, but it is not the minimum.
- You cannot configure or use Conditional Access if you don't have at least AAD P1.
- Conditional Access is not included in Azure AD for Office 365, so having an O365 license won't help.
- Being an Azure AD Global Administrator doesn't permit configuring AAD Conditional Access; you must have an AAD P1 license at least.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview#license-requirements

14
Q

When configuring a privileged access review, what are the three available settings for when an assigned reviewer does not complete the review before the review period ends?

A. Do nothing
B. Take recommendations
C. Remove Access
D. Approve Access
E. Prompt owner

A

B. Take recommendations
C. Remove Access
D. Approve Access

Explanation:
- Do nothing: treated here as not an option, although the linked page also documents a "No change" value that leaves unreviewed access untouched; check the current settings list rather than relying on the count.
- Take recommendations: apply the access review's recommended action (based on recent sign-in activity) to each user who was not reviewed.
- Remove access: revoke the role from every user who was not reviewed.
- Approve access: keep the role for every user who was not reviewed.
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review#upon-completion-settings

15
Q

When you configure Azure AD PIM for the first time, what are the three things you must do?

A. Consent to PIM; verify your identity with MFA; sign-up PIM for AD roles
B. Consent to PIM; verify your identity with MFA; discover AD roles; sign-up PIM for AD roles
C. Verify your identity with MFA; consent to PIM; discover AD roles; sign-up PIM for AD roles
D. Verify your identity with MFA; consent to PIM; sign-up PIM for AD roles

A

A. Consent to PIM; verify your identity with MFA; sign-up PIM for AD roles

Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources

16
Q

You deploy several VMs in Azure. You need to ensure that all the VMs have a consistent OS configuration including registry settings. Which of the following options would you configure?

A. ARM templates
B. Desired State Configuration
C. Application Security Groups
D. Device configuration policies

A

B. Desired State Configuration

Explanation:
Desired State Configuration (DSC), delivered through Azure Automation State Configuration, declares the in-guest OS configuration (features, services, files, registry settings) and keeps the VMs converged to it, reporting drift. ARM templates control the deployment of the VM resource, not its ongoing in-guest configuration; application security groups and device configuration policies are not VM configuration tools. https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

17
Q

Which of the following will generate an alert from SQL ATP?

A. A user updates more than half of the content of a table in a single procedure
B. “password’ OR 1=1” entered into a password field
C. A user is added to the db_owner database role
D. A user deletes more than 50% of the content of a table in a single procedure

A

B. “password’ OR 1=1” entered into a password field

Explanation:
"password' OR 1=1" entered into a password field is an attempt at SQL injection, and SQL Advanced Threat Protection detects and alerts on it (as a potential SQL injection, or as vulnerability to SQL injection when the malformed statement fails). The following also generate alerts: access from an unusual location or Azure data center; access from an unfamiliar principal; access from a potentially harmful application; brute-force attempts on SQL credentials. Mass updates or deletes (options A and D) and role membership changes (option C) are not threat-detection alerts; capture those with SQL auditing instead. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection-overview#advanced-threat-protection-alerts

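Worked example (added here, not part of the practice test): the login query the question describes, built by string concatenation beside the parameterised form. The user table is constructed in in-memory SQLite, with clear-text passwords only to keep the example short (store hashes in real code). The classic ' OR '1'='1 payload returns every user from the vulnerable version and nothing from the parameterised one; the question's own payload, with its unbalanced quote, makes the vulnerable statement fail to parse, and a stream of malformed statements like that is the signal behind ATP's "vulnerability to SQL injection" alert.

```python
import sqlite3
from typing import List, Tuple

# Classic payload: closes the string literal, then appends an always-true clause.
INJECTION = "' OR '1'='1"
# The payload from the practice question: its trailing quote is never closed.
QUESTION_PAYLOAD = "password' OR 1=1"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table; clear-text passwords only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse battery"), ("bob", "hunter2")])
    return conn


def injected_statement(username: str, password: str) -> str:
    """The text the database actually receives from the vulnerable version."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    # Attacker input is spliced into the statement text, so it is parsed as SQL.
    # AND binds tighter than OR, so "... OR '1'='1'" is true for every row.
    return [row[0] for row in conn.execute(injected_statement(username, password))]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    # Placeholders keep the input as data: the same payload is just a password
    # that matches nobody.
    statement = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(statement, (username, password))]


def vulnerable_outcome(conn: sqlite3.Connection, username: str, password: str) -> Tuple[str, object]:
    """Distinguish a successful injection from a malformed statement (the ATP 'vulnerability' signal)."""
    try:
        return ("rows", login_vulnerable(conn, username, password))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_demo_db()
    print(injected_statement("nobody", INJECTION))
    print("vulnerable   :", login_vulnerable(db, "nobody", INJECTION))
    print("parameterised:", login_parameterised(db, "nobody", INJECTION))
    print("question's payload:", vulnerable_outcome(db, "alice", QUESTION_PAYLOAD))
```

Parameterisation is the fix; ATP only tells you that someone is probing. Both outcomes above, the all-rows result and the parse error, are what the detection looks for in the statement stream.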
18
Q

You need to ensure that data is secured in transit for a web application on your Azure subscription. Which of the following is required? Each answer is part of the solution and you have to minimise costs. Choose 4.

A. Upload a certificate to Azure Key Vault
B. Obtain a custom domain name
C. Purchase an app service certificate
D. Purchase a certificate from a CA
E. Create a self-signed certificate
F. Create SSL bindings
G. Deploy Azure Application Gateway

A

A. Upload a certificate to Azure Key Vault
B. Obtain a custom domain name
C. Purchase an app service certificate
F. Create SSL bindings

Explanation:
- Upload a certificate to Azure Key Vault: yes, Key Vault stores the certificate and protects its private key; an App Service Certificate is kept there.
- Obtain a custom domain name: yes, a public certificate is issued for a domain name you control.
- Purchase an App Service certificate: yes, this is the certificate that gets bound to the app.
- Purchase a certificate from a CA: no, the App Service certificate can be bought from the Azure portal, so a separate CA purchase is not needed.
- Create a self-signed certificate: no, App Service will accept one as a private certificate, but browsers will not trust it, so it does not secure public traffic.
- Create SSL bindings: yes, the binding is what makes the app serve HTTPS with that certificate for the custom domain; enable HTTPS Only on the app afterwards so plaintext requests are redirected.
- Deploy Azure Application Gateway: no, not required to enable TLS, though you might deploy it for an additional layer of security such as the web application firewall.

19
Q

Your organisation has a new regulatory requirement that all cloud VM deployments must meet the Center for Internet Security Hardened Benchmarks. How can you ensure that this requirement is met while minimising costs, downtime and administrative effort? Each option represents part of the solution and is not listed in order. Select each of the options that you should do.

A. Assign a built-in Azure Policy
B. Choose a CIS VM image when creating new VMs
C. Download CIS-compliant VM images from www.cisecurity.org
D. Assign a custom Azure Policy
E. Review compliance against Azure Policy
F. Redeploy non-compliant VMs
G. Create a separate compliance Resource Group
H. Create an application security group

A

B. Choose a CIS VM image when creating new VMs
D. Assign a custom Azure Policy
E. Review compliance against Azure Policy
F. Redeploy non-compliant VMs

Explanation:
- Assign a built-in Azure Policy: no, there is no built-in definition that restricts VMs to the CIS images.
- Choose a CIS VM image when creating new VMs: yes.
- Download CIS-compliant VM images from www.cisecurity.org: no, they are available from the Azure Marketplace directly.
- Assign a custom Azure Policy: yes, community definitions for allowed images are available on GitHub.
- Review compliance against Azure Policy: yes, newly created VMs only pass validation if the correct image is chosen, and existing VMs are reported as non-compliant.
- Redeploy non-compliant VMs: yes, to meet the regulatory requirement you will have to redeploy the non-compliant VMs over time.
- Create a separate compliance Resource Group: no, not needed for the solution. The policy can be assigned at management group, subscription or resource group scope.
- Create an application security group: no, not relevant to this solution.

20
Q

What standard is used for 3rd-party MFA hardware token authentication?

A. OATH
B. OAuth
C. AD Connect
D. OpenID Connect
E. JSON Web Token (JWT)

A

A. OATH

Explanation:
- OATH (time-based one-time passwords, TOTP) is the standard supported for third-party hardware tokens in Azure MFA.
- OAuth is the authorisation protocol used by AAD.
- AD Connect is the synchronisation tool used between AD and AAD.
- OpenID Connect is the authentication layer built on top of OAuth 2.0.
- JSON Web Token (JWT) is the token format OpenID Connect uses to carry authentication claims.

21
Q

You create an AAD Conditional Access policy that blocks the "Developers" group from accessing the Azure portal. Another administrator configures an additional AAD Conditional Access policy that blocks the "Developers" group from accessing the Azure portal unless they supply MFA. T/F: A user who is a member of the "Developers" group attempts to access the Azure portal and is prompted for MFA before being allowed access.

A. True
B. False

A

B. False

Explanation:
False: the user is blocked. When several Conditional Access policies apply to the same sign-in, all of them are enforced, and a Block control always wins over a Grant control, so the MFA policy never gets a chance to let the user in. "Block unless MFA is supplied" is configured as Grant access with Require multi-factor authentication. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/best-practices#what-happens-if-i-have-multiple-policies-for-the-same-user-configured

22
Q

You are deploying VMs using JSON templates. You want to include enrolment into Azure Log Analytics as part of the deployment. Which two parameters must you include in the JSON template?

A. StorageAccountKey
B. WorkspaceKey
C. WorkspaceName
D. WorkspaceURL
E. WorkspaceID

A

B. WorkspaceKey
E. WorkspaceID

Explanation:
WorkspaceID and WorkspaceKey must be included. The Microsoft Monitoring Agent extension takes the workspace ID in its settings block and the workspace key in its protectedSettings block; keep the key in protectedSettings (and pass it as a secure parameter) so it is not stored in plain text in the deployment history. https://blogs.technet.microsoft.com/manageabilityguys/2015/11/19/enabling-the-microsoft-monitoring-agent-in-windows-json-templates/

23
Q

Choose the correct object for each of the listed RBAC role assignment properties.

Properties:
1. Role definition
2. Scope
3. Security principal

Objects to choose from:
A. Owner
B. Domain Administrator
C. Resource group
D. Tenant
E. Subscription
F. Group

A

1. Role definition = A. Owner
2. Scope = C. Resource group
3. Security principal = F. Group

Explanation:
A role assignment binds a role definition (what can be done, for example Owner) to a security principal (who: a user, group, service principal or managed identity) at a scope (where: management group, subscription, resource group or individual resource). Domain Administrator is an on-premises AD group, not an Azure role definition; a resource group or subscription is a scope, not a principal; and Owner is a role, not a scope.

24
Q

You have a custom-written Web app and already-deployed Azure SQL Database. You are configuring security using Managed Service Identity (MSI). Which of the following must you do? Each selection represents part of the solution.

A. Create and configure Azure Key Vault
B. Create a secret in AKV
C. Create an app registration in Azure Active Directory
D. Create a client secret for the registered app
E. Configure Active Directory admin in Azure SQL Database server

A

E. Configure Active Directory admin in Azure SQL Database server

Explanation:
- Create and configure Azure Key Vault: no, a managed identity does not use AKV; there is no secret to store.
- Create a secret in AKV: no, for the same reason.
- Create an app registration in Azure Active Directory: no. Enabling the managed identity on the web app creates its service principal in AAD automatically; no app registration is involved.
- Create a client secret for the registered app: no, the web app code obtains an access token for the SQL Database from the managed identity endpoint, so there is no credential in code or configuration.
- Configure Active Directory admin in Azure SQL Database server: yes. An AAD admin must be set before AAD principals can authenticate to the server; that admin then creates a contained database user for the identity (CREATE USER [app-name] FROM EXTERNAL PROVIDER) and adds it to the database roles it needs. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi

25
Q

Having which two of these roles will allow you to create a custom RBAC role?

A. Owner
B. Contributor
C. User Access Administrator
D. Security Admin
E. User Administrator

A

A. Owner
C. User Access Administrator

Explanation:
- Owner and User Access Administrator both include Microsoft.Authorization/roleDefinitions/write (Owner through "*", User Access Administrator through "Microsoft.Authorization/*"), which creating a custom role requires at every scope listed in its AssignableScopes.
- Security Admin only has "Microsoft.Authorization/*/read" on role definitions, so it can view roles but cannot create them.
- Contributor grants "*" but lists "Microsoft.Authorization/*/Write" under NotActions, so it cannot create custom roles (nor role assignments or locks).
- User Administrator is not an RBAC role but an AAD directory role, and is not relevant to Azure resource RBAC.

26
Q

Which of the following describes credential stuffing?

A. An attacker attempts to crack a password using every possible character combination
B. An attacker uses a database of pre-calculated password hashes against a security accounts database
C. An attacker attempts to replay intercepted authentication traffic
D. An attacker uses a database of breached credentials against public web services

A

D. An attacker uses a database of breached credentials against public web services

Explanation:
Credential stuffing is when an attacker replays a database of breached credentials (username and password pairs leaked from other sites) against public web services, relying on password reuse to get into accounts.
- An attacker attempts to crack a password using every possible character combination: brute force.
- An attacker uses a database of pre-calculated password hashes against a security accounts database: a rainbow-table attack.
- An attacker attempts to replay intercepted authentication traffic: a replay attack (pass-the-hash is the specific case of re-using a captured NTLM hash).
Credential stuffing is one of the attacks AAD Identity Protection surfaces, through the leaked credentials risk event, since the replayed passwords come from known breach data. https://docs.microsoft.com/en-za/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials

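Worked example (added here, not part of the practice test): telling credential stuffing apart from brute force in sign-in data, which is the distinction the question tests. The log lines are constructed in a simplified key=value format, not Azure AD sign-in log output, and the thresholds are illustrative. A stuffing source fails against many different accounts once or twice each, a brute-force source fails against one account many times, and any success from a stuffing source marks an account whose reused password worked and needs a reset.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sign-in records in a simplified key=value format (not real Azure AD
# sign-in log output). One source tries many different accounts once each
# (stuffing), one hammers a single account (brute force), one is a user who
# mistyped a password once.
SAMPLE_LOG = """
2024-03-01T08:00:01Z ip=203.0.113.5 user=alice@contoso.test result=failure
2024-03-01T08:00:02Z ip=203.0.113.5 user=bob@contoso.test result=failure
2024-03-01T08:00:02Z ip=203.0.113.5 user=carol@contoso.test result=success
2024-03-01T08:00:03Z ip=203.0.113.5 user=dave@contoso.test result=failure
2024-03-01T08:00:03Z ip=203.0.113.5 user=erin@contoso.test result=failure
2024-03-01T08:00:04Z ip=203.0.113.5 user=frank@contoso.test result=failure
2024-03-01T08:00:04Z ip=203.0.113.5 user=grace@contoso.test result=failure
2024-03-01T08:00:05Z ip=203.0.113.5 user=heidi@contoso.test result=failure
2024-03-01T08:10:00Z ip=198.51.100.7 user=dave@contoso.test result=failure
2024-03-01T08:10:01Z ip=198.51.100.7 user=dave@contoso.test result=failure
2024-03-01T08:10:02Z ip=198.51.100.7 user=dave@contoso.test result=failure
2024-03-01T08:10:03Z ip=198.51.100.7 user=dave@contoso.test result=failure
2024-03-01T08:10:04Z ip=198.51.100.7 user=dave@contoso.test result=failure
2024-03-01T08:10:05Z ip=198.51.100.7 user=dave@contoso.test result=failure
2024-03-01T09:00:00Z ip=192.0.2.9 user=alice@contoso.test result=failure
2024-03-01T09:00:20Z ip=192.0.2.9 user=alice@contoso.test result=success
""".strip().splitlines()

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$")


def parse(lines: List[str]) -> List[Dict[str, str]]:
    events = []
    for line in lines:
        match = LINE.match(line.strip())
        if match:                      # skip anything that is not a sign-in record
            events.append(match.groupdict())
    return events


def classify_sources(events, min_failures=5, min_distinct_users=5, max_tries_per_user=2):
    """Label each source IP by the shape of its failures, not by their volume alone."""
    failures_by_ip = defaultdict(Counter)      # ip -> Counter(user -> failed attempts)
    for event in events:
        if event["result"] == "failure":
            failures_by_ip[event["ip"]][event["user"]] += 1
    verdicts = {}
    for ip, per_user in failures_by_ip.items():
        total = sum(per_user.values())
        if total < min_failures:
            verdicts[ip] = "benign"
        elif len(per_user) >= min_distinct_users and max(per_user.values()) <= max_tries_per_user:
            # many accounts, one or two tries each: a breached-credential list being replayed
            verdicts[ip] = "credential-stuffing"
        elif len(per_user) <= 2:
            # one or two accounts, many tries: password guessing
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def compromised_accounts(events, verdicts) -> List[str]:
    """Successes from a stuffing source are the accounts whose reused password worked."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and verdicts.get(e["ip"]) == "credential-stuffing"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    print(verdicts)
    print("reset password and revoke sessions for:", compromised_accounts(evs, verdicts))
```

A per-account lockout stops the brute-force source but does nothing against stuffing, where each account sees only one attempt; the response there is to reset the accounts that succeeded, block the source, and turn on the leaked-credentials and sign-in risk policies that catch this automatically.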
27
Q

User1, User2 and User3 have the role of Owner in a subscription. You create an AAD PIM access review and specify the reviewers as "Members (self)". For which users can User3 perform the access review?

A. User1, User2 and User3
B. User3 only

A

B. User3 only

Explanation:
User3 only. With "Members (self)" each member reviews only their own access, not anyone else's. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json#create-one-or-more-access-reviews

28
Q

Which of the following is possible if a user has been granted the Contributor role for a specific virtual machine in Azure?

A. Delete the virtual machine
B. Stop the virtual machine
C. Change the virtual machine size
D. RDP to the virtual machine
E. Create a lock on the virtual machine

A

A. Delete the virtual machine
B. Stop the virtual machine
C. Change the virtual machine size

Explanation:
Contributor can delete, stop (deallocate or power off) and resize the VM because those are Microsoft.Compute operations on the resource. RDP access is not an Azure RBAC privilege: you need the local administrator credentials or, if the VM is joined to an ADDS domain, a domain account with remote logon rights on that VM (for example a member of its Administrators or Remote Desktop Users group). Locks live under Microsoft.Authorization/locks, which Contributor excludes through its NotActions; you must be Owner or User Access Administrator to create or remove them.

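Worked example (added here, not part of the practice test) for questions 25 and 28: how Azure RBAC turns Actions and NotActions into an effective permission, using a constructed subset of the built-in role definitions (the real Contributor NotActions list is longer, and DataActions are left out). It shows why Contributor can delete, stop and resize a VM but cannot write locks, role assignments or role definitions, and why only Owner and User Access Administrator can create a custom role.

```python
import fnmatch
from typing import Dict, List

# Built-in role definitions reduced to the Actions/NotActions that matter here.
# Constructed subset: the real Contributor NotActions list is longer, and every
# built-in role also carries DataActions/NotDataActions, which are omitted.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Owner": {
        "actions": ["*"],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
    "Security Admin": {
        "actions": ["*/read",
                    "Microsoft.Authorization/policyAssignments/*",
                    "Microsoft.Authorization/policyDefinitions/*",
                    "Microsoft.Security/*"],
        "notActions": [],
    },
}


def action_matches(pattern: str, action: str) -> bool:
    # Operation names are case-insensitive and '*' spans path segments,
    # so '*/read' covers every read operation of every resource provider.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_permitted(role: str, action: str) -> bool:
    """Effective permission: some Actions pattern matches AND no NotActions pattern matches."""
    definition = ROLES[role]
    granted = any(action_matches(p, action) for p in definition["actions"])
    excluded = any(action_matches(p, action) for p in definition["notActions"])
    return granted and not excluded


def roles_permitting(action: str) -> List[str]:
    return [role for role in ROLES if is_permitted(role, action)]


if __name__ == "__main__":
    for operation in ("Microsoft.Authorization/roleDefinitions/write",
                      "Microsoft.Authorization/locks/write",
                      "Microsoft.Compute/virtualMachines/delete"):
        print(operation, "->", roles_permitting(operation))
```

NotActions is a subtraction from the role's own Actions, not a deny that follows the user across roles: a user holding Contributor and a second role that grants Microsoft.Authorization/locks/write can still create locks. Only a deny assignment (created by Blueprints) blocks an operation regardless of the roles held.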
29
Q

Which of the following are valid Azure policy effects? Choose 5.

A. Scope
B. Deny
C. Allow
D. Initiate
E. Audit
F. AuditIfNotExists
G. DeployIfNotExists
H. DeleteIfNotComply
I. Append

A

B. Deny
E. Audit
F. AuditIfNotExists
G. DeployIfNotExists
I. Append

Explanation:
Valid policy effects are: Deny (prevents the deployment or change); Audit (allows it but logs a warning for the non-compliant resource); AuditIfNotExists (audits when a related resource or property is missing); DeployIfNotExists (deploys the related resource when it is missing, using a managed identity for remediation); Append (adds the specified properties to the resource during creation or update). Disabled and Modify also exist but are not among the options; Scope, Allow, Initiate and DeleteIfNotComply are not policy effects.

30
Q

What users or groups does the AIP global policy apply to?

A. Azure AD Global Admins
B. Azure RBAC Owners
C. Everyone in the organisation
D. All users and/or groups configured in the AIP global policy

A

C. Everyone in the organisation

Explanation:
The AIP global policy applies to every user in the tenant and does not take user or group assignments. To target particular users or groups you create a scoped policy, whose settings are applied on top of the global policy for those users.

31
Q

You successfully created a new information protection label in AIP, but the new label is not available to the targeted user. Which of the following would make the label available to the user?

A. Reinstall Azure Information Protection Client
B. Get the user to log out and back in
C. Get the user to close and reopen the document
D. Create a new AIP policy

A

D. Create a new AIP policy

Explanation:
Create a new AIP policy is the correct answer. You must make a newly created label part of an existing or new policy applied to the target user for the label to become available to the user.

32
Q

User1 is assigned an AAD Identity Protection user risk policy enabled for "medium and above" risk. The user signs in from an anonymous IP. Is the policy applied to the user?

A. Yes
B. No
C. Maybe
D. It depends

A

A. Yes

Explanation:
Yes. A sign-in from an anonymous IP address is classified as medium risk, so a policy set to medium and above applies. In that risk-event list all events are medium except leaked credentials (high) and sign-ins from malware-infected devices (low). https://docs.microsoft.com/en-za/azure/active-directory/reports-monitoring/concept-risk-events#risk-level

33
Q

A user is configured for MFA in the Azure portal. The user has not been assigned an Azure AD Premium license or any other license, and is not an administrator. There are no unassigned Azure AD Premium licenses available in the tenant. The user attempts to log in to myapps.microsoft.com. Which of the following happens?

A. The user cannot log in
B. The user is permitted to log in using username and password without MFA
C. The user is prompted for MFA and the subscription where Azure AD is configured is charged using per-user consumption-based billing
D. The user is prompted for MFA without charge and the subscription owner is notified of the license issue
E. The user is prompted for MFA without charge for 10 logins, after which the user is blocked

A

C. The user is prompted for MFA and the subscription where Azure AD is configured is charged using per-user consumption-based billing

Explanation:
The user is prompted for MFA and the subscription where Azure AD is configured is charged using per-user consumption-based billing. If an unassigned license were available, the MFA would go through without charge (and without any notification). There is no blocking of the user and no grace number of logins.

34
Q

Which of the following Azure resources allows the configuration of a resource firewall? Choose 3.

A. Azure Virtual Machine
B. Azure Storage Account
C. Azure SQL Database
D. Azure SQL Server
E. Azure Virtual Network
F. Azure Resource Group
G. Azure Firewall

A

B. Azure Storage Account
C. Azure SQL Database
D. Azure SQL Server

Explanation:
Azure Storage Account, Azure SQL Database and Azure SQL Server allow the configuration of a resource firewall: these resources have built-in firewall configuration settings.

35
Q

You have the following built-in Azure policies applied:
Policy1: RG1: AllowedResourceTypes: virtualMachines
Policy2: RG2: NotAllowedResourceTypes: virtualMachines
Policy3: RG3: NotAllowedResourceTypes: virtualNetworks/subnets
Which of the following actions can you perform?

A. Add a VM to RG1
B. Add a VNet to RG1
C. Add a VM to RG2
D. Add a VM to RG3
E. Add a VNet to RG3
F. Add a subnet to RG3

A

A. Add a VM to RG1
D. Add a VM to RG3
E. Add a VNet to RG3

Explanation:
Add a VM to RG1 [Yes]: Allowed by Policy1.
Add a VNet to RG1 [No]: Denied by Policy1. The AllowedResourceTypes built-in policy denies deployment of all resources not selected in the Allowed Resource Types parameter.
Add a VM to RG2 [No]: Denied by Policy2. NotAllowedResourceTypes allows any resource except those selected in the Not Allowed Resource Types parameter.
Add a VM to RG3 [Yes]: VMs are not blocked by Policy3; only subnets are.
Add a VNet to RG3 [Yes]: VNets aren’t blocked by Policy3; only subnets are. The parent class of the subclass specified is not prevented by policy. In fact, part of a new VNet deployment is the deployment of a default subnet - this isn’t blocked either… Go try it out - I’m telling you…
Add a subnet to RG3 [No]: Denied by Policy3.
https://docs.microsoft.com/en-us/azure/governance/policy/samples/allowed-resource-types
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

36
Q

You create a new Azure Key Vault and want to ensure that accidental deletions of key vault items can be recovered for 90 days. What at a minimum would you have to enable on the Key Vault?

A. Soft-delete
B. Purge protection
C. Soft-delete and purge protection
D. Delete lock
E. Read-only lock

A

A. Soft-delete

Explanation:
Soft-delete will allow recovery of accidentally deleted key vault items (or the key vault itself) for 90 days. However, a malicious user might purge soft-deleted items, which will prevent their recovery despite soft-delete being enabled. https://docs.microsoft.com/en-za/azure/key-vault/key-vault-ovw-soft-delete

37
Q

Where would you configure a custom condition in AIP?

A. Azure Information Protection Label
B. Azure Information Protection Policy
C. Azure Information Protection Client
D. Azure Active Directory

A

A. Azure Information Protection Label

Explanation:
Conditions are configured as part of the Label configuration, but must be made part of an existing or new policy to become available to users.

38
Q

How long is metrics data stored for?

A. 90 days
B. 93 days
C. 60 days
D. 120 days
E. 30 days

A

B. 93 days

Explanation:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-metrics#retention-of-metrics

39
Q

A user is registered with Azure AD MFA and has configured SMS text message as the authentication mode. The user browses to myapps.microsoft.com and supplies his username and password. What does the user have to do after the MFA message is received?

A. Reply to the text message with #
B. Reply to the text message with the user’s MFA PIN
C. Type the OTP into the browser page
D. Type the OTP and the user’s MFA PIN into the browser page

A

C. Type the OTP into the browser page

Explanation:
Type the OTP into the browser page.
Reply with # is used with phone call mode.
Reply to the text message with the PIN is not a supported option.
Type the OTP and PIN into the browser is not a supported option.
Reply with the OTP (and optionally the PIN) is supported with two-way SMS text mode, but requires an on-premises MFA server to be deployed.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#text-message

40
Q

Which three of the following features are not included in MFA for O365 license?

A. Phone call as second factor
B. On-premises MFA server
C. PIN mode
D. Fraud alert
E. Mobile app as second factor
F. SMS as second factor

A

B. On-premises MFA server
C. PIN mode
D. Fraud alert

Explanation:
PIN mode, fraud alert and the on-premises MFA server are not provided with the reduced functionality of MFA for O365. Full-featured MFA is available as part of AAD P1. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#feature-comparison-of-versions

41
Q

You are configuring Azure Policy. Which one of the following policy effects requires you to assign a managed identity for the assignment?

A. Append
B. Audit
C. AuditIfNotExists
D. Deny
E. DeployIfNotExists
F. Disabled

A

E. DeployIfNotExists

Explanation:
DeployIfNotExists requires a managed identity to be provided to deploy resources on behalf of the policy. The policy assignment will automatically create the managed identity and assign the appropriate RBAC roles. https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources#how-remediation-security-works

42
Q

You enable soft-delete and purge protection on your company’s Azure Key Vault. A malicious user deletes your company’s key vault, thereby preventing decryption of most of your Azure data. T/F: The malicious user, having the Owner RBAC role at the subscription level, removes the purge protection from the vault and purges (permanently deletes) the vault. You start looking for a new job…

A. True
B. False

A

B. False

Explanation:
False. Once purge protection is enabled for a vault, deleted items cannot be purged within 90 days of deletion regardless of RBAC role permissions. https://docs.microsoft.com/en-za/azure/key-vault/key-vault-ovw-soft-delete#purge-protection

43
Q

How many keys are required as part of an Azure SQL Database AlwaysEncrypted architecture?

A. 1
B. 2
C. 3
D. 4
E. Unlimited

A

B. 2

Explanation:
Two keys are involved: the Column Master Key (CMK) and the Column Encryption Key (CEK). https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017#how-it-works

44
Q

T/F: RBAC in Azure determines if a user is given access to a system when he/she provides his/her username and password.

A. True
B. False
C. It depends

A

B. False

Explanation:
RBAC is the authorisation model (what can you access) in Azure. Providing a username and password is part of the authentication model (prove who you are).

45
Q

You create a new Azure subscription and deploy a Windows VM. You want to query the event logs of the Azure VM using Azure Monitor. Which of the following do you have to do? Each option represents part of the solution and the options are not in order.

A. In Log Analytics Workspace, advanced settings, add Windows event logs
B. Create a Log Analytics Workspace
C. In Azure Monitor, Logs, run query
D. In the VM, add the Log Analytics agent extension
E. In the Log Analytics Workspace, connect the VM

A

A. In Log Analytics Workspace, advanced settings, add Windows event logs
B. Create a Log Analytics Workspace
C. In Azure Monitor, Logs, run query
E. In the Log Analytics Workspace, connect the VM

Explanation:
Create a Log Analytics Workspace - yes.
In the Log Analytics Workspace, connect the VM - yes.
In Log Analytics Workspace, advanced settings, add Windows event logs - yes; select all the logs you want to transfer to the Log Analytics workspace.
In Azure Monitor, Logs, run query - yes.
In the VM, add the Log Analytics agent extension - no; this is done automatically when you connect the VM in the Log Analytics Workspace.
In Azure Monitor, connect the VM - no; this is not done in Azure Monitor for logs.
Expect to have to arrange these in the correct order in the exam.