LearnMicrosoft - AZ 500 Practice Exam

Question 1

Your company has an Azure subscription and an Amazon Web Services (AWS) account. You plan to deploy Kubernetes to AWS. You need to ensure that you can use Azure Monitor insights to monitor container workload performance. What should you deploy first?

A. AKS Engine
B. Azure Arc-enabled Kubernetes
C. Azure Container Instances
D. Azure Kubernetes Service (AKS)
E. Azure Stack HCI

Answer 1

B. Azure Arc-enabled Kubernetes

Explanation:
Azure Arc-enabled Kubernetes is the only configuration that includes Kubernetes and can be deployed to AWS.

Question 2

You have an Azure subscription that contains a virtual machine named VM1. VM1 is configured with just-in-time (JIT) VM access.

You need to request access to VM1.

Which PowerShell cmdlet should you run?

Select only one answer.

A. Add-AzNetworkSecurityRuleConfig
B. Get-AzJitNetworkAccessPolicy
C. Set-AzJitNetworkAccessPolicy
D. Start-AzJitNetworkAccessPolicy

Answer 2

D. Start-AzJitNetworkAccessPolicy

Explanation:
The start-AzJitNetworkAccesspolicy PowerShell cmdlet is used to request access to a JIT-enabled virtual machine. Set-AzJitNetworkAccessPolicy is used to enable JIT on a virtual machine. Get-AzJitNetworkAccessPolicy and Add-AzNetworkSecurityRuleConfig are not used to start a request access.

Question 3

You have an Azure subscription.

You plan to use the az aks create command to deploy an Azure Kubernetes Service (AKS) cluster named AKS1 that has Microsoft Entra integration.

You need to ensure that local accounts cannot be used on AKS1.

Which flag should you use with the command?

Select only one answer.

A. disable-local-accounts
B. generate-ssh-keys
C. kubelet-config
D. windows-admin-username

Answer 3

A. disable-local-accounts

Explanation:
When deploying an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Microsoft Entra integration, –admin access still exists essentially as a non-auditable backdoor option. To disable local accounts on an AKS cluster, you should use the –disable-local-accounts flag with the az aks create command. The remaining options do not remove local accounts.

Question 4

You need to enable encryption at rest by using customer-managed keys (CMKs).

Which two services support CMKs? Each correct answer presents a complete solution.

Select all answers that apply.

A. Azure Blob storage
B. Azure Disk Storage
C. Azure Files
D. Azure NetApp Files
E. Log Analytics workspace

Answer 4

A. Azure Blob storage
C. Azure Files

Explanation:
Blob storage and Azure Files both support customer managed keys. Azure Disk Storage, Azure NetApp Files and Data Lake Storage do not support customer managed keys

Question 5

You have a storage account that contains multiple containers, blobs, queues, and tables.

You need to create a key to allow an application to access only data from a given table in the storage account.

Which authentication method should you use for the application?

Select only one answer.

A. SAS
B. shared
C. service SAS
D. user delegation SAS

Answer 5

C. service SAS

Explanation:
A SAS service is the only type of authentication that provides control at the table level. User delegation SAS is only available for Blob storage. SAS and shared allow access to the entire storage account.

Question 6

You have a Microsoft Entra tenant that syncs with the on-premises Active Directory Domain Service (AD DS) domain and uses Microsoft Entra Domain Services.

You have an application that runs on user devices by using the credentials of the signed-in user. The application accesses data in Azure Files by using REST calls.

You need to configure authentication for the application in Azure Files by using the most secure authentication method.

Which authentication method should you use?

Select only one answer.

A. Microsoft Entra
B. SAS
C. shared key
D. on-premises Active Directory Domain Service (AD DS)

Answer 6

B. SAS

Explanation:
A SAS is the most secure way to access Azure Files by using REST calls. A shared key allows any user with the key to access data. Microsoft Entra and Active Directory Domain Service (AD DS) are unsupported for REST calls.

Question 7

You need to implement access control for Azure Files. The solution must provide the highest level of security.

What should you use?

Select only one answer.

A. Microsoft Entra
B. a storage account key
C. SAS

Answer 7

A. Microsoft Entra

Explanation:
Entra is supported by Azure Files and follows the principle of least privilege. SAS is unsupported by Azure Files. A storage account key is supported by Azure Files, but it does not follow the principle of least privilege

Question 8

You have an Azure Storage account.

You plan to prevent the use of shared keys by using Azure Policy.

Which two access methods will continue to work? Each correct answer presents a complete solution.

Select all answers that apply.

A. SAS account SAS
B. service SAS
C. Storage Blob Data Reader role
D. user delegation

Answer 8

C. Storage Blob Data Reader role
D. user delegation

Explanation:
The Storage Blob Data Reader role uses Microsoft Entra to authenticate. User delegation SAS is a method that uses Entra to generate a SAS. Both methods work whether the shared keys are allowed or prevented. Service SAS and account SAS use shared keys to generate

Question 9

You need to allow only Microsoft Entra-authenticated principals to access an existing Azure SQL database.

Which three actions should you perform? Each correct answer presents part of the solution.

Select all answers that apply.

A. Add a Microsoft Entra administrator.
B. Assign your account the SQL Security Manager built-in role.
C. Connect to the database by using Microsoft SQL Server Management Studio (SSMS).
D. Connect to the database by using the Azure portal.
E, Select Support only Microsoft Entra authentication for this server.

Answer 9

A. Add a Microsoft Entra administrator.
B. Assign your account the SQL Security Manager built-in role.
D. Connect to the database by using the Azure portal.

Explanation:
Adding a Microsoft Entra administrator and assigning your account the SQL Security Manager built-in role are prerequisites for enabling Microsoft Entra-only authentication. Selecting Support only Microsoft Entra authentication for this server enforces the Azure SQL logical server to use Microsoft Entra authentication. A connection to the data plane of the logical server is not needed.

Question 10

You have an Azure SQL database that contains sensitive information.

You need to ensure that when sensitive information is queried by operators, the data is not fully displayed.

What should you enable for the database?

Select only one answer.

A. Always Encrypted
B. dynamic data masking
C. symmetric key encryption
D. Transparent Data Encryption (TDE)

Answer 10

B. dynamic data masking

Explanation:
Dynamic data masking masks the data from users. TDE still allows users managing the database to see the data. Always Encrypted saves the encrypted data and only the client driver can decrypt it. Symmetric key encryption uses keys stored in a SQL database, not the client application

Question 11

You plan to provide connectivity between Azure and your company’s datacenter.

You need to define how to establish the connection. The solution must meet the following requirements:

All traffic between the datacenter and Azure must be encrypted.
Bandwidth must be between 10 and 100 Gbps.
What should you use for the connection?

Select only one answer.

A. Azure VPN Gateway
B. ExpressRoute Direct
C. ExpressRoute with a provider
D. VPN Gateway with Azure Virtual WAN

Answer 11

B. ExpressRoute Direct

Explanation:
ExpressRoute Direct can have up to 100 Gbps and use MACSec for Layer 2 encryption. ExpressRoute with a provider does not allow for MACSec encryption and can only use up to 10 Gbps. VPN Gateway and VPN Gateway with Virtual WAN cannot support a bandwidth over 1 Gbps.

Question 12

You have an Azure virtual network named VNet1. VNet1 is in a resource group named RG1. VNet1 contains the following two subnets:

Subnet1: 10.0.1.0/24
Subnet2: 10.0.2.0/24
You need to configure access to a storage account named sa1 in a resource group named RG2. The solution must ensure that sa1 can only be accessed from Subnet2.

What should you run?

Select only one answer.

A. az network nsg rule create -g RG1 –nsg-name NSG1 -n RULE1 –priority 400 –source-address-prefixes VirtualNetwork –destination-address-prefixes Storage –destination-port-ranges ‘’ –direction Outbound –access Allow –protocol Tcp
B. az network nsg rule create -g RG1 –nsg-name NSG1 -n RULE1 –priority 400 –source-address-prefixes VirtualNetwork –destination-address-prefixes Storage –destination-port-ranges ‘’ –direction Outbound –access Allow –protocol Udp
C. az storage account network-rule add –resource-group “RG1” –account-name “SA1” –ip-address “10.0.2.0”
D. az storage account network-rule add –resource-group “RG2” –account-name “SA1” –ip-address “10.0.2.0/24” az storage account update –default-action deny –name sa1 –resource-group RG2

Answer 12

D. az storage account network-rule add –resource-group “RG2” –account-name “SA1” –ip-address “10.0.2.0/24” az storage account update –default-action deny –name sa1 –resource-group RG2

Explanation:
The correct CLI command adds a rule to allow access from the 10.0.2.0/24 subnet to the storage account. The resource group should be for RG2, not RG1. The CLI commands that create network security group (NSG) rules simply allow the entire virtual network to send requests to all storage endpoints.

Question 13

You are operating in a cloud-only environment. Users have computers that run either Windows 10 or 11. The users are located across the globe.

You need to secure access to a point-to-site (P2S) VPN by using multi-factor authentication (MFA).

Which authentication method should you implement?

Select only one answer.

A. Authenticate by using Active Directory Domain Services (AD DS).
B. Authenticate by using native Microsoft Entra authentication.
C. Authenticate by using native Azure certificate-based authentication.
D. Authenticate by using RADIUS.

Answer 13

B. Authenticate by using native Microsoft Entra authentication.

Explanation:
With Microsoft Entra authentication, you can configure a Conditional Access policy that grants access and requires MFA. During authentication, Azure VPN Gateway acts as a pass-through and forwards authentication messages back and forth between the authentication server and the connecting device. Azure certificate-based authentication does not include interactive authentication.

Question 14

You have an Azure subscription that contains the following resources:

A virtual machine named VM1 that has a network interface named NIC1
A virtual network named VNet1 that has a subnet named Subnet1
A public IP address named PubIP1
A load balancer named LB1
You create a network security group (NSG) named NSG1.

To which two resources can you associate NSG1? Each correct answer presents a complete solution.

Select all answers that apply.

A. LB1
B. NIC1
C. PubIP1
D. Subnet1
E. VM1
F. VNet1

Answer 14

B. NIC1
D. Subnet1

Explanation:
You can associate an NSG to a virtual network subnet and network interface only. You can associate zero or one NSGs to each virtual network subnet and network interface on a virtual machine. The same NSG can be associated to as many subnets and network interfaces as you choose.

Question 15

You have an Azure subscription that contains the following resources:

Storage accounts
Virtual machines
Azure Firewall
Azure Key Vault
Azure SQL databases
Which three resources support service endpoints? Each correct answer presents a complete solution.

Select all answers that apply.

A. Azure Firewall
B. Azure Key Vault
C. Azure SQL databases
D. storage accounts
E. virtual machines

Answer 15

B. Azure Key Vault
C. Azure SQL databases
D. storage accounts

Explanation:
You can configure service endpoints for Azure Storage, Key Vault, and Azure SQL Database. You cannot configure service endpoints for virtual machines and Azure Firewall.

Question 16

ou have an Azure subscription that contains the following resources:

Two virtual networks
VNet1: Contains two subnets
VNet2: Contains three subnets
Virtual machines: Connected to all the subnets on VNet1 and VNet2
A storage account named storage1
You need to identify the minimal number of service endpoints that are required to meet the following requirements:

Virtual machines that are connected to the subnets of VNet1 must be able to access storage1 over the Azure backbone.
Virtual machines that are connected to the subnets of VNet2 must be able to access Microsoft Entra tenant over the Azure backbone.
How many service endpoints should you recommend?

Select only one answer.

A. 2
B. 3
C. 4
D. 5

Answer 16

D. 5

Explanation:
A service endpoint is configured for a specific server at the subnet level. Based on the requirements, you need to configure two service endpoints for Microsoft.Storage on VNet1 because VNet1 has two subnets and three service endpoints for Microsoft.AzureActiveDirectory on VNet2 because VNet2 has three subnets. The minimum number of service endpoints that you must configure is five.

Question 17

You have an Azure subscription that contains a virtual machine named VM1 and a storage account named storage1.

You need to ensure that VM1 can access storage1 over the Azure backbone network.

What should you implement?

Select only one answer.

A. a subnet
B. a VPN gateway
C. private endpoints
D. service endpoints

Answer 17

D. service endpoints

Explanation:
Service endpoints route the traffic inside of Azure backbone, allowing access to the entire service, for example, all Microsoft SQL servers or the storage accounts of all customers. Private endpoints provide access to a specific instance. A subnet does not allow isolation or route traffic to the Azure backbone. A VPN gateway does not allow traffic isolation to all resources.

Question 18

You have an Azure subscription that contains the following resources:

A web app named WebApp1 in the West US Azure region
A virtual network named VNet1 in the West US 3 Azure region
You need to integrate WebApp1 with VNet1.

What should you implement first?

Select only one answer.

A. a service endpoint
B. a VPN gateway
C. Azure Front door
D. peering

Answer 18

B. a VPN gateway

Explanation:
WebApp1 and VNet1 are in different regions and cannot use regional integration; you can use only gateway-required virtual network integration. To be able to implement this type of integration, you must first deploy a virtual network gateway in VNet1.

Question 19

You have an Azure App Service web app named App1.

You need to configure network controls for App1. App1 must only allow user access through Azure Front Door.

Which two components should you implement? Each correct answer presents part of the solution.

Select all answers that apply.

A. access restrictions based on service tag
B. access restrictions based on the IP address of Azure Front Door
C. application security groups
D. header filters

Answer 19

A. access restrictions based on service tag
D. header filters

Explanation:
Traffic from Front Door to the app originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. This includes every Front Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique HTTP header that Front Door sends.

Question 20

You have an Azure subscription that contains a user named Admin1.

You need to ensure that Admin1 can access the Regulatory compliance dashboard in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which two roles should you assign to Admin1? Each correct answer presents part of the solution.

Select all answers that apply.

A. Global Reader
B. Resource Policy Contributor
C. Security Admin
D. Security Reader

Answer 20

B. Resource Policy Contributor
C. Security Admin

Explanation:
To use the Regulatory compliance dashboard in Defender for Cloud, you must have sufficient permissions. At a minimum, you must be assigned the Resource Policy Contributor and Security Admin roles.

Question 21

Your company has a multi-cloud online environment.

You plan to use Microsoft Defender for Cloud to protect all supported online environments.

Which three environments support Defender for Cloud? Each correct answer presents a complete solution.

Select all answers that apply.

A. Alibaba Cloud
B. Amazon Web Services (AWS)
C. Azure DevOps
D. GitHub
E. Oracle Cloud

Answer 21

B. Amazon Web Services (AWS)
C. Azure DevOps
D. GitHub

Explanation:
Defender for Cloud protects workloads in Azure, AWS, GitHub, and Azure DevOps. Oracle Cloud and Alibaba Cloud are unsupported by Defender for Cloud.

Question 22

You have an Azure subscription that contains a user named Admin1.

You need to ensure that Admin1 can create and assign custom security initiatives in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which role should you assign to Admin1?

Select only one answer.

A. Global Administrator
B. Owner (Subscription)
C. Security Admin
D. Security Assessment Contributor

Answer 22

B. Owner (Subscription)

Explanation:
The Subscription Owner role is the only role that has permissions to create and assign custom security initiatives in Defender for Cloud.

Question 23

You have an Azure subscription.

You need to implement UK OFFICIAL and UK NHS standards for the subscription.

Which Microsoft Defender for Cloud setting should you use?

Select only one answer.

A. Recommendations
B. Regulatory compliance
C. Security Posture
D. Workload protections

Answer 23

B. Regulatory compliance

Explanation:
You must use Regulatory compliance in Defender for Cloud to add a new standard. The remaining answers are valid options from Defender for Cloud, but they do not allow you to add a new standard.

Question 24

You plan to scan all the virtual machines in an Azure subscription for vulnerabilities by using Microsoft Defender for Cloud.

You need to deploy the necessary agents by using the least amount of administrative effort.

What should you do?

Select only one answer.

A.. Assign a custom Azure policy that uses a DeployIfNotExists rule to the subscription.
B. Enable the Microsoft Defender for Cloud plans option in the Environment settings of Defender for Cloud.
C. Execute the remediation steps from the Machines should have vulnerability findings resolved recommendation in the Recommendations settings of Defender for Cloud.
D. Turn on the vulnerability assessment for machines in the Environment settings of Defender for Cloud.

Answer 24

D. Turn on the vulnerability assessment for machines in the Environment settings of Defender for Cloud.

Explanation:
Turn on the vulnerability assessment for machines automatically deploys the agent to all the virtual machines in the subscription. Assigning a custom Azure policy requires more administrative effort. Enabling the Microsoft Defender for Cloud plans option does not deploy the agents to the virtual machines and executing the remediation steps from the Machines should have vulnerability findings resolved recommendation requires the agent to be installed already.

Question 25

You have Azure SQL databases that contain credit card information.

You need to identify and label columns that contain credit card numbers.

Which Microsoft Defender for Cloud feature should you use?

Select only one answer.

A. hash reputation analysis
B. inventory filters
C. SQL information protection
D. SQL Servers on machines

Answer 25

C. SQL information protection

Explanation:
SQL information protection allows you to identify and label data. Hash reputation analysis prevents suspicious files from being stored in Azure Storage, inventory filters are used to filter resources protected by Defender, and SQL Servers on machines protects Microsoft SQL Server running on virtual machines or on-premises machines.

Question 26

You are implementing a Microsoft Defender for SQL vulnerability assessments.

Where are the scan results stored?

Select only one answer.

A. an Azure Monitor workspace
B. an Azure Storage account
C. Azure SQL Database
D. Microsoft Sentinel

Answer 26

B. an Azure Storage account

Explanation:
The scan results must be stored in an Azure Storage account. The results can be sent to the Azure Monitor workspace or Microsoft Sentinel from the initial location. The results are stored outside of the database.

Question 27

You have an Azure subscription and the following SQL deployments:

An Azure SQL database named DB1
An Azure SQL Server named sqlserver1
An instance of SQL Server on Azure Virtual Machines named VM1 that has Microsoft SQL Server 2022 installed
An on-premises server named Server1 that has SQL Server 2019 installed
Which deployments can be protected by using Microsoft Defender for Cloud?

Select only one answer.

A. DB1 and sqlserver1 only
B. DB1, sqlserver1, and VM1 only
C. DB1, sqlserver1, VM1, and Server1
D. sqlserver1 only
E. sqlserver1 and VM1 only

Answer 27

C. DB1, sqlserver1, VM1, and Server1

Explanation:
Defender for Cloud includes Microsoft Defender for SQL. Defender for SQL can protect Azure SQL Database, Azure SQL Server, SQL Server on Azure Virtual Machines, and SQL servers installed on on-premises servers.

Question 28

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1.

You need to protect AKS1 by using Microsoft Defender for Cloud.

Which Defender plan should you use?

Select only one answer.

A. Microsoft Defender for App Service
B. Microsoft Defender for Containers
C. Microsoft Defender for Resource Manager
D. Microsoft Defender for Servers

Answer 28

B. Microsoft Defender for Containers

Explanation:
Defender for Containers is a cloud-native solution used to secure your containers so that you can improve, monitor, and maintain the security of your clusters, containers, and their applications. AKS clusters run containers, and because of this, they can be protected by using Defender for Containers.

Question 29

You have a resource group named RG1 that contains 10 virtual machines.

You need to raise an alert any time the average CPU time for RG1 exceeds 80 percent.

How should you configure the alert?

Select only one answer.

A. Create an alert rule for each virtual machine and set the number of violations to 10.
B. Create an alert rule for each virtual machine and split by dimension on the virtual machine name.
C. Create an individual alert rule and split by dimension on the resource group name.
D. Create an individual alert rule for CPU time and set the number of violations to 10.

Answer 29

C. Create an individual alert rule and split by dimension on the resource group name.

Explanation:
Creating an individual alert rule and splitting by dimension on the resource group name will use the alert for the entire resource group instead of individual virtual machines. Setting the number of violations to 10, creating an alert rule for each virtual machine, and splitting by dimension on the virtual machine name will not fire the alert at the appropriate time.

Question 30

You configure Microsoft Sentinel to connect to different data sources.

You are unable to configure a connector that uses an Azure Functions API connection.

Which permissions should you change?

Select only one answer.

A. read and write permissions for Azure Functions
B. read and write permissions for the workspaces used by Microsoft Sentinel
C. read permissions for Azure Functions
D. read permissions for the workspaces used by Microsoft Sentinel

Answer 30

A. read and write permissions for Azure Functions

Explanation:
You need to have read and write permissions to Azure Functions to configure a connector that uses an Azure Functions API connection. You were able to add other connectors, which proves that you have access to the workspace. Read permissions for the workspaces used by Microsoft Sentinel allow you to read data in Microsoft Sentinel. Read permissions to Azure Functions allows you to run functions, not create them.

Question 31

You have custom alert rules in Microsoft Sentinel. The rules exceed the query length limitations.

You need to resolve the issue.

Which function should you use for the rule?

Select only one answer.

A. ADX functions
B. Azure functions with a timer trigger
C. stored procedures
D. user-defined functions

Answer 31

D. user-defined functions

Explanation:
You can use user defined functions to overcome the query length limitations. Timer trigger runs in a scheduled manner (pull, not push). Using ADX functions to create Azure Data Explorer queries inside the Log Analytics query windows is unsupported. Stored procedures are unsupported by Azure Data Explorer

Question 32

You need to implement a key management solution that supports importing keys generated in an on-premises environment. The solution must ensure that the keys stay within a single Azure region.

What should you do?

Select only one answer.

A. Apply the Keys should be the specified cryptographic type RSA or EC Azure policy.
B. Disable the Allow trusted services option.
C. Implement Azure Key Vault Firewall.
D. Implement Azure Key Vault Managed HSM.

Answer 32

D. Implement Azure Key Vault Managed HSM.

Explanation:
Key Vault Managed HSM supports importing keys generated in an on premise HSM. Also, managed HSM does not store or process customer data outside the Azure region in which the customer deploys the HSM instance. On premises generated keys are still managed, after implementing Key Vault Firewall. Enforcing HSM backed keys does not enforce them to be imported. Disabling the Allow trusted services option does not have a direct impact on key importing

Question 33

You need to grant an application access to read connection strings stored in Azure Key Vault. The solution must follow the principle of least privilege.

Which role assignment should you use?

Select only one answer.

A. Key Vault Crypto Officer
B. Key Vault Reader
C. Key Vault Secrets Officer
D. Key Vault Secrets User

Answer 33

D. Key Vault Secrets User

Explanation:
Key Vault Secrets User allows read access to secret content. Key Vault Crypto Officer allows the user to perform actions on encryption keys, not secrets. Key Vault Reader allows the user to read metadata of key vaults and its certificates, keys, and secrets but not to read sensitive values, such as secret contents or key material.

Question 34

You configure Microsoft Entra to use multi-factor authentication (MFA) by using the Microsoft Authenticator app.

You need to ensure that users are required to use the Microsoft Authenticator app when accessing Azure from new devices or locations.

Which type of Microsoft Entra ID Protection policy should you configure?

Select only one answer.

A. sign-in risk policy with administrator remediation
B. sign-in risk policy with self-remediation
C. user risk policy with administrator remediation
D. user risk policy with self-remediation

Answer 34

B. sign-in risk policy with self-remediation

Explanation:
By using a sign in risk policy with self remediation, a sign in risk is detected when users access their account from a different device or location, and self remediation forces MFA to be required, whereas administer remediation requires admin intervention. User risk policies are triggered for users that have specific risk levels due to issues such as password leaks

Question 35

You manage Microsoft Entra tenant for a retail company.

You need to ensure that employees using shared Android tablets can use passwordless authentication when accessing the Azure portal.

Which authentication method should you use?

Select only one answer.

A. the Microsoft Authenticator app
B. security keys
C. Windows Hello
D. Windows Hello for Business

Answer 35

A. the Microsoft Authenticator app

Explanation:
You can only use the Microsoft Authenticator app or one-time password login on shared devices. Windows Hello can only be used for Windows devices. You cannot use security keys on shared devices.

Question 36

You need to configure passwordless authentication. The solution must follow the principle of least privilege.

Which role should assign to complete the task?

Select only one answer.

A. Authentication Administrator
B. Authentication Policy Administrator
C. Global Administrator
D. Security Administrator

Answer 36

C. Global Administrator

Explanation:
Configuring authentication methods requires Global Administrator privileges. Security administrators have permissions to manage other security-related features. Authentication policy administrators can configure the authentication methods policy, tenant-wide multi-factor authentication (MFA) settings, and password protection policy. Authentication administrators can set or reset any authentication methods, including passwords, for non-administrators and some roles.

Question 37

You have an Azure subscription.

You plan to deploy Microsoft Entra Verified ID.

You need to identify which administrative roles are required for the solution. The solution must follow the principle of least privilege.

Which three roles should you identify? Each correct answer presents part of the solution.

Select all answers that apply.

A. Application Administrator
B. Authentication Policy Administrator
C. Contributor
D. Global Administrator
E. Privileged Authentication Administrator
F. User Administrator

Answer 37

A. Application Administrator
B. Authentication Policy Administrator
C. Contributor

Explanation:
The Authentication Policy Administrator role can configure policies and create and manage verified credentials. The Application Administrator role is used to complete app registrations, including granting admin consent. The Contributor role is required to manage all the resources in the subscription. The Global Administrator role does not meet the requirements of least privilege. The User Administrator role only manages users. The Privileged Authentication Administrator role cannot create and manage verified credentials.

Question 38

You have a Microsoft Entra tenant that synchronizes with an on-premises Active Directory Domain Services (AD DS) domain.

You create an access review for a select number of Microsoft Entra groups for all users that have access to your tenant. You configure the review to automatically apply results to resources.

After running the review, you notice that a user that should have been removed from a group is still part of the group.

Why is the user still in the group?

Select only one answer.

A. The group is a Windows AD group.
B. The group is a Microsoft Entra group.
C. The user is a guest user.
D. The user is part of the Compliance Administrator role.

Answer 38

A. The group is a Windows AD group.

Explanation:
The group is a Windows AD group and access reviews can only manage Microsoft Entra groups. Guest users and users that are part of the Compliance Administrator Role can be removed, and access reviews can manage Microsoft Entra groups

Question 39

You manage Microsoft Entra tenant.

You disable the Users can register applications option in Microsoft Entra.

A user reports that they are unable to register an application.

You need to ensure that that the user can register applications. The solution must follow the principle of least privilege.

What should you do?

Select only one answer.

A. Assign the Application Developer role to the user.
B. Assign the Authentication Administrator role to the user.
C. Assign the Cloud App Security Administrator role to the user.
D. Enable the Users can register applications option.

Answer 39

A. Assign the Application Developer role to the user.

Explanation:
The Application Developer role has permissions to register an application even if the Users can register applications option is disabled. The Users can register applications option allows any user to register an application. The Authentication Administrator role and the Cloud App Security Administrator role do not follow the principle of least privilege.

Question 40

You have an Azure subscription named Sub1 that contains the following resources:

A resource group RG1 that contains a virtual machine named VM1
A resource group named RG2 that has an Azure App Service plan named ASP1 and a web app named App1
You need to provide a user with the ability to perform the following tasks:

List web apps hosted in ASP1.
Create new virtual machines in RG1.
Which two actions should you perform? Each correct answer presents part of the solution.

Select all answers that apply.

A. Add a deny assignment for RG2.
B. Assign the user the Contributor role in the RG1 scope.
C. Assign the user the Reader role for ASP1.
D. Assign the user the Reader role for Sub1.

Answer 40

B. Assign the user the Contributor role in the RG1 scope.
D. Assign the user the Reader role for Sub1.

Explanation:
Assigning the user the Reader role for sub1 will grant the Reader role to ASP2 and ASP3 when they are added. Assigning the Contributor role in the RG1 scope allows the user to create new resources within the resource group. Assigning the user the Reader role for ASP1 will not grant the user access to list apps hosted in ASP2 and ASP3. You cannot directly create your own deny assignments.

Question 41

You create a web API and register the API as a Microsoft Entra application.

You need to expose a function in the API to ensure that administrators must provide consent to apps that use the API.

What should you add to your app registration?

Select only one answer.

A. a client application
B. a permission
C. a scope
D. an application ID URI

Answer 41

C. a scope

Explanation:
A scope is used to request content to run a given function in an API. An application ID URI does not handle permissions, a permission is used to allow an application to access the scope created in another app, and a client application allows an application to use the API.

Question 42

You have a Microsoft Entra tenant that contains a user named User1.

You are configuring Microsoft Entra External collaboration settings.

You select the Only users assigned to specific admin roles can invite guest users Guest invite settings option.

You need to permit User1 the ability to invite guest users. The solution must use the principle of least privilege.

To which administrative role should you assign User1?

Select only one answer.

A. Helpdesk Administrator
B. Privileged Role Administrator
C. Service Support Administrator
D. User Administrator

Answer 42

D. User Administrator

Explanation:
When you select the Only users assigned to specific admin roles can invite guest users option, only those users with User Administrator or Guest Inviter roles will be able to invite guests.

Question 43

You have an Azure SQL database, an Azure key vault, and an Azure App Service web app.

You plan to encrypt SQL data at rest by using Bring Your Own Key (BYOK).

You need to create a managed identity to authenticate without storing any credentials in the code. The managed identity must share the lifecycle with the Azure resource it is used for.

What should you implement?

Select only one answer.

A. a system-assigned managed identity for an Azure SQL logical server
B. a system-assigned managed identity for an Azure web app
C. a system-assigned managed identity for Azure Key Vault
D. a user-assigned managed identity

Answer 43

B. a system-assigned managed identity for an Azure web app

Explanation:
To use the managed identity for accessing the encryption key in Key Vault, the identity needs to be set at the Azure SQL logical server level. The managed identity needs to be granted access to the key vault, not vice versa. The web app having a managed identity does not enable encryption at rest by using BYOK. The user-assigned managed identity has an independent lifecycle and must be deleted explicitly.

Question 44

You have Azure web apps named App1 and App2.

You need to ensure that App1 and App2 use the same identity.

Which identity type should you use?

Select only one answer.

A. a service principal with certificate-based authentication
B. a service principal with password-based authentication
C. a system-assigned managed identity
D. a user-assigned managed identity

Answer 44

D. a user-assigned managed identity

Explanation:
A user-assigned managed identity can be associated with more than one Azure resource. Creating a system-assigned managed identity cannot be pre-authorized. Creating a service principal with password-based authentication or certificate-based authentication involves the use of credentials.

Question 45

You have a Microsoft Entra tenant that uses the default setting.

You need to prevent users from a domain named contoso.com from being invited to the tenant.

What should you do?

Select only one answer.

A. Deploy Microsoft Entra Privileged Identity Management (PIM).
B. Edit the Access review settings.
C. Edit the Collaboration restrictions settings.
D. Enable security defaults.

Answer 45

C. Edit the Collaboration restrictions settings.

Explanation:
After you edit the Collaboration restrictions settings, if you try to invite a user from a blocked domain, you cannot. Security defaults and PIM do not affect guest invitation privileges. By default, the Allow invitations to be sent to any domain (most inclusive) setting is enabled. In this case, you can invite B2B users from any organization.

Question 46

You have a resource group named RG1 that contains an Azure virtual machine named VM1. A user named User1 is assigned the Contributor role for RG1.

You need to prevent User1 from modifying the properties of VM1.

What should you do?

Select only one answer.

A. Add a deny assignment for Microsoft.Compute/virtualMachines/* in the VM1 scope.
B. Apply a read-only lock to the RG1 scope.
C. Assign User1 the Virtual Machine User Login role in the RG1 scope.
D. Remove the Contributor role assignment from VM1.

Answer 46

B. Apply a read-only lock to the RG1 scope.

Explanation:
A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. The RBAC assignment is set at the resource group level and inherited by the resource. The assignment needs to be edited at the original scope (level). You cannot directly create your own deny assignments. Assigning User1 the Virtual Machine User Login role in the RG1 scope will still allow User1 to have access as a contributor to restart VM1.

Question 47

You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant. The tenant contains a user named Admin1.

Sub1 contains an Azure Policy definition assignment named Assignment1. The definition includes the deployIfNotExists effect.

You need to grant Admin1 permission to include a remediation task for Assignment1. The solution must use the principle of least privilege.

Which role should you assign to Admin1?

Select only one answer.

A. Compliance Administrator
B. Contributor
C. Owner
D. Resource Policy Contributor

Answer 47

D. Resource Policy Contributor

Explanation:
Resource Policy Contributor grants permissions to create and modify resource policy, create support ticket, and read resources and hierarchy. The Owner grants full rights, which violates the principle of least privilege. Contributor does not have sufficient permissions. Compliance Administrator is a Microsoft Entra role, not an Azure RBAC role.

Question 48

You have an Azure subscription that contains a Microsoft Entra tenant and an Azure web app named App1.

A user named User1 needs permission to manage App1. The solution must follow the principle of least privilege.

Which role should you assign to User1?

Select only one answer.

A. Application Administrator
B. Application Developer
C. Cloud App Security Administrator
D. Cloud Application Administrator

Answer 48

D. Cloud Application Administrator

Explanation:
Correct: Cloud Application Administrator – Since App1 is an app in Azure, this role provides administrative permissions to App1 and follows the principle of least privilege.

Incorrect: Application Administrator – This role provides administrative permissions to App1 but also provides additional permissions to the app proxy for on-premises applications.

Incorrect: Cloud App Security Administrator – This role is specific to the Microsoft Defender for Cloud Apps solution.

Incorrect: Application Developer – This role allows the user to create registrations but not manage applications.