Microsoft Azure AZ-500 Security Technologies (Practice Exam #3) - Udemy Flashcards
Which of the following are valid access control options for Azure Data Lake? Choose 3
A. Role Based Access Control
B. Shared Access Key
C. Shared Access Signature
D. Service Key
E. Access Key
A. Role Based Access Control
C. Shared Access Signature
E. Access Key
Explanation:
Access keys, Azure AD RBAC and Shared Access Signatures are all valid access control methods for storage accounts - the underlying technology for Data Lake. Service key and shared access key are not valid names for storage account access controls. https://docs.microsoft.com/en-za/azure/storage/blobs/data-lake-storage-access-control
Your organization is planning on synchronizing its on-premises identities to Azure via the AD Connect tool. You need to ensure that all domain user identities are properly formatted before they are synchronized so as not to cause synchronization errors. What should you do?
A. Run the IdFix tool
B. Re-run the AD Connect application
C. Run synchronization service manager
D. Run synchronization rules editor
A. Run the IdFix tool
Explanation:
The IdFix tool is correct, as this free tool is used to isolate and remediate common errors reported by the AD Connect tool, such as formatting issues with domain user names. Re-running the AD Connect application will not resolve any sync issues. Running the synchronization service manager is incorrect, as this tool is used to configure more advanced aspects of AD Connect such as connectors and the synchronization schedule. Running the synchronization rules editor is incorrect, as it can only be run post-deployment of directory synchronization; this tool is used to customize the user and group attributes synced between on-prem and Azure. https://docs.microsoft.com/en-us/office365/enterprise/install-and-run-idfix
Which of the following Azure tools can help mature the security baseline specific to securing virtual networks? Select all that apply.
A. Azure Monitor
B. Azure Security Center
C. Azure policy
D. Azure portal
E. Azure AD
F. Azure Key Vault
C. Azure policy
D. Azure portal
Explanation:
Azure portal is correct as you can use the portal to mature network policies and processes.
Azure policy is also correct as you can enforce policies that support security baselines.
Which of the following is not a technology that can be used to visualise Azure Monitor data?
A. Azure Monitor Workbooks
B. None of the answers are correct
C. Azure Monitor Views
D. All of the answers are correct
E. Azure Dashboards
F. Power BI
B. None of the answers are correct
Explanation:
All of the answers provided are valid ways to visualise Azure Monitor data. The question, however, asked which of the options cannot be used to visualise Azure Monitor data. None of the answer options are therefore correct. It is doubtful that the official exam will use such double-negative tactics, but it is used here as a reminder to be aware of negative answers to negative questions. See: https://docs.microsoft.com/en-us/azure/azure-monitor/visualizations
True or false: you can configure multiple domains to sync with ADConnect.
TRUE
FALSE
TRUE
Explanation:
You can configure multiple domains to sync with Azure AD via AD Connect.
Which of the following is not a configuration step required to create an Azure Monitor Alert?
A. Define notification action
B. Define alert condition
C. Define alert details
D. Define action group
A. Define notification action
Explanation:
Creating an Azure Monitor Alert requires defining the alert conditions, the alert details and the action group. Although specifying the alert action is part of defining the action group, there is no "define notification action" step. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
You are configuring security for data in transit for an Azure App Service. Which of the following security tasks should be performed? Choose all that apply; do not choose any that do not apply.
A. HTTPS enforced
B. Test HTTPS
C. Bind SSL Certificate
D. Minimum TLS version enforced
E. Upload SSL Certificate
A. HTTPS enforced
B. Test HTTPS
C. Bind SSL Certificate
D. Minimum TLS version enforced
E. Upload SSL Certificate
Explanation:
All the answer options should be configured for Azure App Service. See: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl
Select all the answers that specify the technology and Azure resource prerequisites for Azure Disk Encryption.
A. DM-Crypt
B. BitLocker
C. Azure Key Vault
D. Azure Storage Service Encryption
E. Transparent Data Encryption
F. SSL/TLS 1.2
A. DM-Crypt
B. BitLocker
C. Azure Key Vault
Explanation:
Azure Disk Encryption uses BitLocker for Windows-based VMs and DM-Crypt for supported Linux-based VMs in Azure. It also requires Azure Key Vault to provide secure access to the encryption/decryption keys. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
Which of the following roles can make use of Azure Identity Protection in the portal?
A. Owner role
B. Global administrator
C. Security reader
D. Contributor role
E. Security Administrator
B. Global administrator
C. Security reader
E. Security Administrator
Explanation:
The following roles can make use of Identity Protection: Security reader, security admin and global admin. Contributor and owner roles are both incorrect as these are related to https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/faqs
What is the minimum Azure Active Directory built-in RBAC role required to manage Azure Key Vault?
A. Reader
B. Key Vault Reader
C. Security Admin
D. Key Vault Contributor
E. Key Vault Administrator
F. Owner
D. Key Vault Contributor
Explanation:
Key Vault Contributor is the built-in RBAC role required to manage Azure Key Vault. See: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
You are the administrator for the ACME banking group. You are responsible for managing the key vault in Azure called ACMEvault. You have decommissioned a production server which has its password stored in the key vault labelled “FinanceAdmin”. You need to remove the password from the vault by using an API call. Which API call is correct?
A. RECOVER https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
B. PURGE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
C. REMOVE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
D. DELETE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
D. DELETE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
Explanation:
DELETE is the correct operation name, and the call references the correct vault and secret name. REMOVE is not a valid operation name. PURGE is used to remove the secret irreversibly, much like emptying the recycle bin on your desktop. RECOVER will not suffice, as this is used to recover a deleted secret on soft-delete enabled vaults. https://docs.microsoft.com/en-us/rest/api/keyvault/deletesecret/deletesecret
You are the administrator for the Contoso financial group. You are responsible for all storage accounts in Azure. You have been tasked to share limited access to the Blob files in the storage account “Company_function” with another company for a limited time. The other company should only be able to list and read the data in the blob storage. The other company’s administrator is familiar with Azure Storage Explorer and wants you to share secure access with him by using this tool. Which information should you configure and give the administrator?
A. Provide the administrator with the storage name and key
B. Create Shared Access Signature for “Company_function” and configure the following: read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer
C. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and write permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer.
D. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer
D. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer
Explanation:
You need to create a Shared Access Signature for “Company_function” and configure a start and expiry time, as this satisfies the time limitation request; list and read permissions are the least intrusive, and blob storage is the correct service. The administrator should be able to use the SAS URI to configure access in Storage Explorer on their side. Option 1 is incorrect as write permissions are assigned. Option 3 is incorrect as there is no time limitation set. Option 4 is incorrect as sending the storage name and key will not provide the limited access required. https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
You are the administrator for the Contoso financial group. You are responsible for managing the key vault in Azure. You need to update a certificate that has become stale in the CONTOSOvault which is called “WebsiteCertificate” via an API call to the Key Vault. Which statement below is correct?
A. PATCH http://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
B. POST http://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
C. PATCH https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
D. POST https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
C. PATCH https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
Explanation:
PATCH https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0 is correct, as this follows the correct way to update a specific certificate in Azure Key Vault via an API call. The general form of the statement is: PATCH {vaultBaseUrl}/certificates/{certificate-name}/{certificate-version}?api-version=7.0. Using HTTP will not suffice, as Key Vaults use HTTPS by default, and POST is not the correct action. https://docs.microsoft.com/en-us/rest/api/keyvault/updatecertificate/updatecertificate
Which of the following statements is true for Azure Policy initiatives?
A. A policy initiative is a policy parameter
B. A policy initiative is a collection of policies
C. A policy initiative is a policy assignment scope
D. A policy initiative is a policy assignment
E. A policy initiative is a policy definition
B. A policy initiative is a collection of policies
Explanation:
One can assign a built-in policy within a specific scope. Similarly, one can also define a custom policy for assignment. Policies can be parameterised to make them more generic. Lastly, one can define Policy Initiatives that are collections of policies that can be parameterised and assigned at the same time. See: https://docs.microsoft.com/en-us/azure/governance/policy/overview#initiative-definition
Azure backup can be configured to Azure VMs. What is used to ensure data is encrypted at rest?
A. Transparent Data Encryption
B. Azure Storage Service Encryption
C. Azure Recovery Vault
D. Azure Recovery Services
E. Passphrase
B. Azure Storage Service Encryption
Explanation:
When using Azure Backup to back up Azure VMs, Azure Storage Service Encryption is used to encrypt the backup. See: https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq#encryption
What is the default retention period for Azure Monitor logs?
A. 60 days
B. 3 years
C. 90 days
D. 30 days
E. 1 year
F. Indefinite
C. 90 days
Explanation:
Azure Monitor retains logs for 90 days before starting to purge the oldest logs. You can set up log archival to a storage account if longer retention is required. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-archive-data