Topic 3+4+5+6 Flashcards by F S

You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1.
You enable content trust for ContReg1.
You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. AcrQuarantineReader
B. Contributor
C. AcrPush
D. AcrImageSigner
E. AcrQuarantineWriter

C. AcrPush
D. AcrImageSigner

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to configure Azure to allow RDP connections from the Internet to a virtual machine named VM1. The solution must minimize the attack surface of VM1.
To complete this task, sign in to the Azure portal.

To enable the RDP port in an NSG, follow these steps:
1. Sign in to the Azure portal.
2. In Virtual Machines, select VM1
3. In Settings, select Networking.
4. In Inbound port rules, check whether the port for RDP is set correctly. The following is an example of the configuration:

Priority: 300 -

Name: Port_3389 -

Port(Destination): 3389 -

Protocol: TCP -

Source: Any -

Destinations: Any -

Action: Allow -

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to add the network interface of a virtual machine named VM1 to an application security group named ASG1.
To complete this task, sign in to the Azure portal.

In the Search resources, services, and docs box at the top of the portal, begin typing the name of a virtual machine, VM1 that has a network interface that you want to add to, or remove from, an application security group.
When the name of your VM appears in the search results, select it.
Under SETTINGS, select Networking. Select Configure the application security groups, select the application security groups that you want to add the network interface to, or unselect the application security groups that you want to remove the network interface from, and then select Save.

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to perform a full malware scan every Sunday at 02:00 on a virtual machine named VM1 by using Microsoft Antimalware for Virtual Machines.
To complete this task, sign in to the Azure portal.

Deploy the Microsoft Antimalware Extension using the Azure Portal for single VM deployment
1. In Azure Portal, go to the Azure VM1’s blade, navigate to the Extensions section and press Add.

Select the Microsoft Antimalware extension and press Create.
Fill the ג€Install extensionג€ form as desired and press OK.

Scheduled: Enable -

Scan type: Full -

Scan day: Sunday -

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to prevent administrative users from accidentally deleting a virtual network named VNET1. The administrative users must be allowed to modify the settings of VNET1.
To complete this task, sign in to the Azure portal.

To add a lock, select Add.
For Lock type select Delete lock, and click OK

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to grant the required permissions to a user named User2-1234578 to manage the virtual networks in the RG1lod1234578 resource group. The solution must use the principle of least privilege.
To complete this task, sign in to the Azure portal.

In Azure portal, locate and select the RG1lod1234578 resource group.
Click Access control (IAM).
Click the Role assignments tab to view all the role assignments at this scope.
Click Add > Add role assignment to open the Add role assignment pane.
In the Role drop-down list, select the role Virtual Machine Contributor.
Virtual Machine Contributor lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
In the Select list, select user User2-1234578
Click Save to assign the role.

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to ensure that only devices connected to a 131.107.0.0/16 subnet can access data in the rg1lod1234578 Azure Storage account.
To complete this task, sign in to the Azure portal.

Step 1:
1. In Azure portal go to the storage account you want to secure. Here: rg1lod1234578
2. Click on the settings menu called Firewalls and virtual networks.
3. To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.
4. Click Save to apply your changes.
Step 2:
1. Go to the storage account you want to secure. Here: rg1lod1234578
2. Click on the settings menu called Firewalls and virtual networks.
3. Check that you’ve selected to allow access from Selected networks.
4. To grant access to a virtual network with a new network rule, under Virtual networks, click Add existing virtual network, select Virtual networks and Subnets options. Enter the 131.107.0.0/16 subnet and then click Add.
Note: When network rules are configured, only applications requesting data over the specified set of networks can access a storage account. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in an Azure Virtual Network (VNet).

How well did you know this?

Not at all

Perfectly

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device configuration policies in Microsoft Intune
B. Azure Automation State Configuration
C. security policies in Azure Security Center
D. device compliance policies in Microsoft Intune

B. Azure Automation State Configuration

How well did you know this?

Not at all

Perfectly

You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1.
Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04.
You create a service endpoint for Microsoft.Storage in Subnet1.
You need to ensure that when you deploy Docker containers to VM1, the containers can access Azure Storage resources by using the service endpoint.
What should you do on VM1 before you deploy the container?
A. Create an application security group and a network security group (NSG).
B. Edit the docker-compose.yml file.
C. Install the container network interface (CNI) plug-in.

C. Install the container network interface (CNI) plug-in

How well did you know this?

Not at all

Perfectly

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device configuration policies in Microsoft Intune
B. an Azure Desired State Configuration (DSC) virtual machine extension
C. application security groups
D. device compliance policies in Microsoft Intune

B. an Azure Desired State Configuration (DSC) virtual machine extension

How well did you know this?

Not at all

Perfectly

You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the auto-generated service principal to authenticate to the Azure Container Registry.
What should you create?
A. an Azure Active Directory (Azure AD) group
B. an Azure Active Directory (Azure AD) role assignment
C. an Azure Active Directory (Azure AD) user
D. a secret in Azure Key Vault

B. an Azure Active Directory (Azure AD) role assignment

How well did you know this?

Not at all

Perfectly

You have an Azure subscription that contains the Azure virtual machines shown in the following table.

VM1: Windows 10
VM2: Windows Server 2016
VM3: Windows Server 2019
VM4: Ubuntu SErvrer

You create an MDM Security Baseline profile named Profile1.
You need to identify to which virtual machines Profile1 can be applied.
Which virtual machines should you identify?

A. VM1 only

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to ensure that connections from the Internet to VNET1\subnet0 are allowed only over TCP port 7777. The solution must use only currently deployed resources.
To complete this task, sign in to the Azure portal.

You need to configure the Network Security Group that is associated with subnet0.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to
Virtual Networks in the left navigation pane.
2. In the properties of VNET1, click on Subnets. This will display the subnets in VNET1 and the Network Security Group associated to each subnet. Note the name of the Network Security Group associated to Subnet0.
3. Type Network Security Groups into the search box and select the Network Security Group associated with Subnet0.
4. In the properties of the Network Security Group, click on Inbound Security Rules.
5. Click the Add button to add a new rule.
6. In the Source field, select Service Tag.
7. In the Source Service Tag field, select Internet.
8. Leave the Source port ranges and Destination field as the default values (* and All).
9. In the Destination port ranges field, enter 7777.
10.Change the Protocol to TCP.
11.Leave the Action option as Allow.
12.Change the Priority to 100.
13.Change the Name from the default Port_8080 to something more descriptive such as Allow_TCP_7777_from_Internet. The name cannot contain spaces.
14.Click the Add button to save the new rule.

How well did you know this?

Not at all

Perfectly

You need to prevent administrators from performing accidental changes to the Homepage app service plan.
To complete this task, sign in to the Azure portal.

You need to configure a ‘lock’ for the app service plan. A read-only lock ensures that no one can make changes to the app service plan without first deleting the lock.
1. In the Azure portal, type App Service Plans in the search box, select App Service Plans from the search results then select Homepage. Alternatively, browse to App Service Plans in the left navigation pane.
2. In the properties of the app service plan, click on Locks.
3. Click the Add button to add a new lock.
4. Enter a name in the Lock name field. It doesn’t matter what name you provide for the exam.
5. For the Lock type, select Read-only.
6. Click OK to save the changes.

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to ensure that a user named Danny1234578 can sign in to any SQL database on a Microsoft SQL server named web1234578 by using SQL Server
Management Studio (SSMS) and Azure Active Directory (Azure AD) credentials.
To complete this task, sign in to the Azure portal.

ou need to provision an Azure AD Admin for the SQL Server.
1. In the Azure portal, type SQL Server in the search box, select SQL Server from the search results then select the server named web1234578. Alternatively, browse to SQL Server in the left navigation pane.
2. In the SQL Server properties page, click on Active Directory Admin.
3. Click the Set Admin button.
4. In the Add Admin window, search for and select Danny1234578.
5. Click the Select button to add Danny1234578.
6. Click the Save button to save the changes.

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to configure a Microsoft SQL server named Web1234578 only to accept connections from the Subnet0 subnet on the VNET01 virtual network.
To complete this task, sign in to the Azure portal

You need to allow access to Azure services and configure a virtual network rule for the SQL Server.
1. In the Azure portal, type SQL Server in the search box, select SQL Server from the search results then select the server named web1234578. Alternatively, browse to SQL Server in the left navigation pane.
2. In the properties of the SQL Server, click Firewalls and virtual networks.
3. In the Virtual networks section, click on Add existing. This will open the Create/Update virtual network rule window.
4. Give the rule a name such as Allow_VNET01-Subnet0 (it doesn’t matter what name you enter for the exam).
5. In the Virtual network box, select VNET01.
6. In the Subnet name box, select Subnet0.
7. Click the OK button to save the rule.
8. Back in the Firewall / Virtual Networks window, set the Allow access to Azure services option to On.

How well did you know this?

Not at all

Perfectly

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device configuration policies in Microsoft Intune
B. an Azure Desired State Configuration (DSC) virtual machine extension
C. security policies in Azure Security Center
D. Azure Logic Apps

B. an Azure Desired State Configuration (DSC) virtual machine extension

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to configure network connectivity between a virtual network named VNET1 and a virtual network named VNET2. The solution must ensure that virtual machines connected to VNET1 can communicate with virtual machines connected to VNET2.
To complete this task, sign in to the Azure portal and modify the Azure resources.

You need to configure VNet Peering between the two networks. The questions states, ג€The solution must ensure that virtual machines connected to VNET1 can communicate with virtual machines connected to VNET2ג€. It doesn’t say the VMs on VNET2 should be able to communicate with VMs on VNET1. Therefore, we need to configure the peering to allow just the one-way communication.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to
Virtual Networks in the left navigation pane.
2. In the properties of VNET1, click on Peerings.
3. In the Peerings blade, click Add to add a new peering.
4. In the Name of the peering from VNET1 to remote virtual network box, enter a name such as VNET1-VNET2 (this is the name that the peering will be displayed as in VNET1)
5. In the Virtual Network box, select VNET2.
6. In the Name of the peering from remote virtual network to VNET1 box, enter a name such as VNET2-VNET1 (this is the name that the peering will be displayed as in VNET2).
There is an option Allow virtual network access from VNET to remote virtual network. This should be left as Enabled.
7. For the option Allow virtual network access from remote network to VNET1, click the slider button to Disabled.
8. Click the OK button to save the changes.

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to deploy an Azure firewall to a virtual network named VNET3.
To complete this task, sign in to the Azure portal and modify the Azure resources.
This task might take several minutes to complete. You can perform other tasks while the task completes.

To add an Azure firewall to a VNET, the VNET must first be configured with a subnet named AzureFirewallSubnet (if it doesn’t already exist).
Configure VNET3.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET3. Alternatively, browse to
Virtual Networks in the left navigation pane.
2. In the Overview section, note the Location (region) and Resource Group of the virtual network. We’ll need these when we add the firewall.
3. Click on Subnets.
4. Click on + Subnet to add a new subnet.
5. Enter AzureFirewallSubnet in the Name box. The subnet must be named AzureFirewallSubnet.
6. Enter an appropriate IP range for the subnet in the Address range box.
7. Click the OK button to create the subnet.
Add the Azure Firewall.
1. In the settings of VNET3 click on Firewall.
2. Click the Click here to add a new firewall link.
3. The Resource group will default to the VNET3 resource group. Leave this default.
4. Enter a name for the firewall in the Name box.
5. In the Region box, select the same region as VNET3.
6. In the Public IP address box, select an available public IP address if one exists, or click Add new to add a new public IP address.
7. Click the Review + create button.
8. Review the settings and click the Create button to create the firewall.

How well did you know this?

Not at all

Perfectly

SIMULATION -
You need to configure a virtual network named VNET2 to meet the following requirements:
✑ Administrators must be prevented from deleting VNET2 accidentally.
✑ Administrators must be able to add subnets to VNET2 regularly.
To complete this task, sign in to the Azure portal and modify the Azure resources.

Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as Azure subscription, resource group, or resource.
Note: In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET2. Alternatively, browse to
Virtual Networks in the left navigation pane.
2. In the Settings blade for virtual network VNET2, select Locks.

To add a lock, select Add.
For Lock type select Delete lock, and click OK

How well did you know this?

Not at all

Perfectly

You have an Azure virtual machine named VM1.
From Microsoft Defender for Cloud, you get the following high-severity recommendation: Install endpoint protection solutions on virtual machine.
You need to resolve the issue causing the high-severity recommendation.
What should you do?
A. Add the Microsoft Antimalware extension to VM1.
B. Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1.
C. Add the Network Watcher Agent for Windows extension to VM1.
D. Onboard VM1 to Microsoft Defender for Endpoint.

D: Onboard VM1 to Microsoft Defender for Endpoint.

How well did you know this?

Not at all

Perfectly

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device compliance policies in Microsoft Intune
B. Azure Automation State Configuration
C. application security groups
D. Azure Advisor

B. Azure Automation State Configuration

How well did you know this?

Not at all

Perfectly

You have an Azure Container Registry named Registry1.
From Azure Security Center, you enable Azure Container Registry vulnerability scanning of the images in Registry1.
You perform the following actions:
✑ Push a Windows image named Image1 to Registry1.
✑ Push a Linux image named Image2 to Registry1.
✑ Push a Windows image named Image3 to Registry1.
✑ Modify Image1 and push the new image as Image4 to Registry1.
Modify Image2 and push the new image as Image5 to Registry1.

Which two images will be scanned for vulnerabilities? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Image4
B. Image2
C. Image1
D. Image3
E. Image5

B. Image2
E. Image5

How well did you know this?

Not at all

Perfectly

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016.
You need to deploy Microsoft Antimalware to the virtual machines.
Solution: You add an extension to each virtual machine.
Does this meet the goal?
A. Yes
B. No

A. Yes

How well did you know this?

Not at all

Perfectly

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016. You need to deploy Microsoft Antimalware to the virtual machines. Solution: You connect to each virtual machine and add a Windows feature. Does this meet the goal? A. Yes B. No

B. No

You have an Azure Active Directory (Azure AD) tenant named Contoso.com and an Azure Kubernetes Service (AKS) cluster AKS1. You discover that AKS1 cannot be accessed by using accounts from Contoso.com. You need to ensure AKS1 can be accessed by using accounts from Contoso.com. The solution must minimize administrative effort. What should you do first? A. From Azure, recreate AKS1. B. From AKS1, upgrade the version of Kubernetes. C. From Azure AD, implement Azure AD Premium P2 D. From Azure AD, configure the User settings.

A. From Azure, recreate AKS1.

You have an Azure subscription that contains an Azure Container Registry named Registry1. Microsoft Defender for Cloud is enabled in the subscription. You upload several container images to Registry1. You discover that vulnerability security scans were not performed. You need to ensure that the container images are scanned for vulnerabilities when they are uploaded to Registry1. What should you do? A. From the Azure portal, modify the Pricing tier settings. B. From Azure CLI, lock the container images. C. Upload the container images by using AzCopy. D. Push the container images to Registry1 by using Docker.

A. From the Azure portal, modify the Pricing tier settings.

From Azure Security Center, you create a custom alert rule. You need to configure which users will receive an email message when the alert is triggered. What should you do? A. From Azure Monitor, create an action group. B. From Security Center, modify the Security policy settings of the Azure subscription. C. From Azure Active Directory (Azure AD), modify the members of the Security Reader role group. D. From Security Center, modify the alert rule.

A. From Azure Monitor, create an action group.

You are configuring and securing a network environment. You deploy an Azure virtual machine named VM1 that is configured to analyze network traffic. You need to ensure that all network traffic is routed through VM1. What should you configure? A. a system route B. a network security group (NSG) C. a user-defined route

C. a user-defined route

You have 15 Azure virtual machines in a resource group named RG1. All the virtual machines run identical applications. You need to prevent unauthorized applications and malware from running on the virtual machines. What should you do? A. Apply an Azure policy to RG1. B. From Azure Security Center, configure adaptive application controls. C. Configure Azure Active Directory (Azure AD) Identity Protection. D. Apply a resource lock to RG1.

B. From Azure Security Center, configure adaptive application controls.

You have a web app hosted on an on-premises server that is accessed by using a URL of https://www.contoso.com. You plan to migrate the web app to Azure. You will continue to use https://www.contoso.com. You need to enable HTTPS for the Azure web app. What should you do first? A. Export the public key from the on-premises server and save the key as a P7b file. B. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES. C. Export the public key from the on-premises server and save the key as a CER file. D. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using AES256.

B. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES.

Question #50Topic 3 You plan to deploy Azure container instances. You have a containerized application that is comprised of two containers: an application container and a validation container. The application container is monitored by the validation container. The validation container performs security checks by making requests to the application container and waiting for responses after every transaction. You need to ensure that the application container and the validation container are scheduled to be deployed together. The containers must communicate to each other only on ports that are not externally exposed. What should you include in the deployment? A. application security groups B. network security groups (NSGs) C. management groups D. container groups

D. container groups

You are securing access to the resources in an Azure subscription. A new company policy states that all the Azure virtual machines in the subscription must use managed disks. You need to prevent users from creating virtual machines that use unmanaged disks. What should you use? A. Azure Monitor B. Azure Policy C. Azure Security Center D. Azure Service Health

B. Azure Policy

You have multiple development teams that will create apps in Azure. You plan to create a standard development environment that will be deployed for each team. You need to recommend a solution that will enforce resource locks across the development environments and ensure that the locks are applied in a consistent manner. What should you include in the recommendation? A. an Azure policy B. an Azure Resource Manager template C. a management group D. an Azure blueprint

D. an Azure blueprint

You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use the automatically generated service principal for the AKS cluster to authenticate to the Azure Container Registry. What should you create? A. a secret in Azure Key Vault B. a role assignment C. an Azure Active Directory (Azure AD) user D. an Azure Active Directory (Azure AD) group

B. a role assignment

You have an Azure subscription that contains two virtual machines named VM1 and VM2 that run Windows Server 2019. You are implementing Update Management in Azure Automation. You plan to create a new update deployment named Update1. You need to ensure that Update1 meets the following requirements: ✑ Automatically applies updates to VM1 and VM2. ✑ Automatically adds any new Windows Server 2019 virtual machines to Update1. What should you include in Update1? A. a security group that has a Membership type of Assigned B. a security group that has a Membership type of Dynamic Device C. a dynamic group query D. a Kusto query language query

C. a dynamic group query

You have an Azure subscription that contains an Azure key vault. You need to configure the maximum number of days for which new keys are valid. The solution must minimize administrative effort. What should you use? A. Azure Purview B. Key Vault properties C. Azure Blueprints D. Azure Policy

D. Azure Policy

You have an Azure subscription that contains an Azure Data Lake Storage Gen2 account named storage1. You deploy an Azure Synapse Analytics workspace named synapsews1 to a managed virtual network. You need to enable access from synapsews1 to storage1. What should you configure? A. peering B. a private endpoint C. a network security group (NSG) D. a virtual network gateway

B. a private endpoint

You have an Azure Storage account named storage1 that has a container named container1. You need to prevent the blobs in container1 from being modified. What should you do? A. From container1, change the access level. B. From container1, add an access policy. C. From container1, modify the Access Control (IAM) settings. D. From storage1, enable soft delete for blobs.

B. From container1, add an access policy.

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to create several security alerts by using Azure Monitor. You need to prepare the Azure subscription for the alerts. What should you create first? A. an Azure Storage account B. an Azure Log Analytics workspace C. an Azure event hub D. an Azure Automation account

B. an Azure Log Analytics workspace

You company has an Azure subscription named Sub1. Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights. WebApp1 requires users to authenticate by using OAuth 2.0 client secrets. Developers at the company plan to create a multi-step web test app that preforms synthetic transactions emulating user traffic to Web App1. You need to ensure that web tests can run unattended. What should you do first? A. In Microsoft Visual Studio, modify the .webtest file. B. Upload the .webtest file to Application Insights. C. Register the web test app in Azure AD. D. Add a plug-in to the web test app.

C. Register the web test app in Azure AD

You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to Subscription1. You need to monitor the metrics and the logs of VM1. What should you use? A. the AzurePerformanceDiagnostics extension B. Azure HDInsight C. Linux Diagnostic Extension (LAD) 3.0 D. Azure Analysis Services

C. Linux Diagnostic Extension (LAD) 3.0

You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center. You need to automate the mitigation of incidents in Azure Sentinel. The solution must minimize administrative effort. What should you create? A. an alert rule B. a playbook C. a function app D. a runbook

B. a playbook

You have an Azure Active Directory (Azure AD) tenant named contoso.com. You need to configure diagnostic settings for contoso.com. The solution must meet the following requirements: ✑ Retain logs for two years. ✑ Query logs by using the Kusto query language. ✑ Minimize administrative effort. Where should you store the logs? A. an Azure event hub B. an Azure Log Analytics workspace C. an Azure Storage account

B. an Azure Log Analytics workspace

You are troubleshooting a security issue for an Azure Storage account. You enable the diagnostic logs for the storage account. What should you use to retrieve the diagnostics logs? A. the Security & Compliance admin center B. Azure Security Center C. Azure Cosmos DB explorer D. AzCopy

D. AzCopy

SIMULATION - You need to email an alert to a user named admin1@contoso.com if the average CPU usage of a virtual machine named VM1 is greater than 70 percent for a period of 15 minutes. To complete this task, sign in to the Azure portal.

Create an alert rule on a metric with the Azure portal 1. In the portal, locate the resource, here VM1, you are interested in monitoring and select it. 2. Select Alerts (Classic) under the MONITORING section. The text and icon may vary slightly for different resources. 3. Select the Add metric alert (classic) button and fill in the fields as per below, and click OK. Metric: CPU Percentage - Condition: Greater than - Period: Over last 15 minutes - Notify via: email - Additional administrator email(s): admin1@contoso.com

SIMULATION - You need to collect all the audit failure data from the security log of a virtual machine named VM1 to an Azure Storage account. To complete this task, sign in to the Azure portal. This task might take several minutes to complete You can perform other tasks while the task completes.

Step 1: Create a workspace - Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for detailed analysis and correlation. 1. In the Azure portal, select All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces. 2. Select Create, and then select choices for the following items: 3. After providing the required information on the Log Analytics workspace pane, select OK. While the information is verified and the workspace is created, you can track its progress under Notifications from the menu. Step 2: Enable the Log Analytics VM Extension Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs. 1. In the Azure portal, select All services found in the upper left-hand corner. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces. 2. In your list of Log Analytics workspaces, select DefaultWorkspace (the name you created in step 1). 3. On the left-hand menu, under Workspace Data Sources, select Virtual machines. 4. In the list of Virtual machines, select a virtual machine you want to install the agent on. Notice that the Log Analytics connection status for the VM indicates that it is Not connected. 5. In the details for your virtual machine, select Connect. The agent is automatically installed and configured for your Log Analytics workspace. This process takes a few minutes, during which time the Status shows Connecting. After you install and connect the agent, the Log Analytics connection status will be updated with This workspace.

You have 10 virtual machines on a single subnet that has a single network security group (NSG). You need to log the network traffic to an Azure Storage account. What should you do? A. Install the Network Performance Monitor solution. B. Create an Azure Log Analytics workspace. C. Enable diagnostic logging for the NSG. D. Enable NSG flow logs.

D. Enable NSG flow logs.

You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. You are assigned the Global administrator role for the tenant. You are responsible for managing Azure Security Center settings. You need to create a custom sensitivity label. What should you do? A. Create a custom sensitive information type. B. Elevate access for global administrators in Azure AD. C. Upgrade the pricing tier of the Security Center to Standard. D. Enable integration with Microsoft Cloud App Security.

A. Create a custom sensitive information type.

You have an Azure subscription that contains 100 virtual machines and has Azure Defender enabled. You plan to perform a vulnerability scan of each virtual machine. You need to deploy the vulnerability scanner extension to the virtual machines by using an Azure Resource Manager template. Which two values should you specify in the code to automate the deployment of the extension to the virtual machines? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. the user-assigned managed identity B. the workspace ID C. the Azure Active Directory (Azure AD) ID D. the Key Vault managed storage account key E. the system-assigned managed identity F. the primary shared key

B. the workspace ID E. the system-assigned managed identity

You have an Azure subscription that contains a user named Admin1 and a virtual machine named VM1. VM1 runs Windows Server 2019 and was deployed by using an Azure Resource Manager template. VM1 is the member of a backend pool of a public Azure Basic Load Balancer. Admin1 reports that VM1 is listed as Unsupported on the Just in time VM access blade of Azure Security Center. You need to ensure that Admin1 can enable just in time (JIT) VM access for VM1. What should you do? A. Create and configure a network security group (NSG). B. Create and configure an additional public IP address for VM1. C. Replace the Basic Load Balancer with an Azure Standard Load Balancer. D. Assign an Azure Active Directory Premium Plan 1 license to Admin1.

A. Create and configure a network security group (NSG).

You have an Azure Active Directory (Azure AD) tenant and a root management group. You create 10 Azure subscriptions and add the subscriptions to the root management group. You need to create an Azure Blueprints definition that will be stored in the root management group. What should you do first? A. Modify the role-based access control (RBAC) role assignments for the root management group. B. Add an Azure Policy definition to the root management group. C. Create a user-assigned identity. D. Create a service principal.

A. Modify the role-based access control (RBAC) role assignments for the root management group.

You have three on-premises servers named Server1, Server2, and Server3 that run Windows Server 2019. Server1 and Server2 are located on the internal network. Server3 is located on the perimeter network. All servers have access to Azure. From Azure Sentinel, you install a Windows firewall data connector. You need to collect Microsoft Defender Firewall data from the servers for Azure Sentinel. What should you do? A. Create an event subscription from Server1, Server2, and Server3. B. Install the On-premises data gateway on each server. C. Install the Microsoft Monitoring Agent on each server. D. Install the Microsoft Monitoring Agent on Server1 and Server2. Install the On-premises data gateway on Server3.

C. Install the Microsoft Monitoring Agent on each server.

You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace. You need to create a saved query in the workspace to find events reported by Azure Defender for SQL. What should you do? A. From Azure CLI, run the Get-AzOperationalInsightsWorkspace cmdlet. B. From the Azure SQL Database query editor, create a Transact-SQL query. C. From the Azure Sentinel workspace, create a Kusto query language query. D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.

C. From the Azure Sentinel workspace, create a Kusto query language query.

You are collecting events from Azure virtual machines to an Azure Log Analytics workspace. You plan to create alerts based on the collected events. You need to identify which Azure services can be used to create the alerts. Which two services should you identify? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Azure Monitor B. Azure Security Center C. Azure Analysis Services D. Azure Sentinel E. Azure Advisor

A. Azure Monitor D. Azure Sentinel

You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create an initiative and an assignment that is scoped to a management group. Does this meet the goal? A. Yes B. No

A. Yes

You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a policy initiative and assignments that are scoped to resource groups. Does this meet the goal? A. Yes B. No

B. No

You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a policy definition and assignments that are scoped to resource groups. Does this meet the goal? A. Yes B. No

B. No

You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a resource graph and an assignment that is scoped to a management group. Does this meet the goal? A. Yes B. No

B. No

You create a new Azure subscription. You need to ensure that you can create custom alert rules in Azure Security Center. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Onboard Azure Active Directory (Azure AD) Identity Protection. B. Create an Azure Storage account. C. Implement Azure Advisor recommendations. D. Create an Azure Log Analytics workspace. E. Upgrade the pricing tier of Security Center to Standard

D. Create an Azure Log Analytics workspace. E. Upgrade the pricing tier of Security Center to Standard.

You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1. You have 100 on-premises servers that run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LAW1. LAW1 is configured to collect security-related performance counters from the connected servers. You need to configure alerts based on the data collected by LAW1. The solution must meet the following requirements: ✑ Alert rules must support dimensions. ✑ The time it takes to generate an alert must be minimized. ✑ Alert notifications must be generated only once when the alert is generated and once when the alert is resolved. Which signal type should you use when you create the alert rules? A. Log B. Log (Saved Query) C. Metric D. Activity Log

C. Metric

You have an Azure resource group that contains 100 virtual machines. You have an initiative named Initiative1 that contains multiple policy definitions. Initiative1 is assigned to the resource group. You need to identify which resources do NOT match the policy definitions. What should you do? A. From Azure Security Center, view the Regulatory compliance assessment. B. From the Policy blade of the Azure Active Directory admin center, select Compliance. C. From Azure Security Center, view the Secure Score. D. From the Policy blade of the Azure Active Directory admin center, select Assignments.

B. From the Policy blade of the Azure Active Directory admin center, select Compliance.

You have an Azure subscription named Subscription1. You need to view which security settings are assigned to Subscription1 by default. Which Azure policy or initiative definition should you review? A. the Audit diagnostic setting policy definition B. the Enable Monitoring in Azure Security Center initiative definition C. the Enable Azure Monitor for VMs initiative definition D. the Azure Monitor solution 'Security and Audit' must be deployed policy definition

B. the Enable Monitoring in Azure Security Center initiative definition

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a policy initiative and an assignment that is scoped to the Tenant Root Group management group. Does this meet the goal? A. Yes B. No

A. Yes

You have an Azure environment. You need to identify any Azure configurations and workloads that are non-compliant with ISO 27001:2013 standards. What should you use? A. Azure Sentinel B. Azure Active Directory (Azure AD) Identity Protection C. Microsoft Defender for Cloud D. Microsoft Defender for Identity

C. Microsoft Defender for Cloud

SIMULATION - You need to ensure that web1234578 is protected from malware by using Microsoft Antimalware for Virtual Machines and is scanned every Friday at 01:00. To complete this task, sign in to the Azure portal.

You need to install and configure the Microsoft Antimalware extension on the virtual machine named web1234578. 1. In the Azure portal, type Virtual Machines in the search box, select Virtual Machines from the search results then select web1234578. Alternatively, browse to Virtual Machines in the left navigation pane. 2. In the properties of web11597200, click on Extensions. 3. Click the Add button to add an Extension. 4. Scroll down the list of extensions and select Microsoft Antimalware. 5. Click the Create button. This will open the settings pane for the Microsoft Antimalware Extension. 6. In the Scan day field, select Friday. 7. In the Scan time field, enter 60. The scan time is measured in minutes after midnight so 60 would be 01:00, 120 would be 02:00 etc. 8. Click the OK button to save the configuration and install the extension.

SIMULATION - You need to ensure that the events in the NetworkSecurityGroupRuleCounter log of the VNET01-Subnet0-NSG network security group (NSG) are stored in the logs1234578 Azure Storage account for 30 days. To complete this task, sign in to the Azure portal.

You need to configure the diagnostic logging for the NetworkSecurityGroupRuleCounter log. 1. In the Azure portal, type Network Security Groups in the search box, select Network Security Groups from the search results then select VNET01- Subnet0-NSG. Alternatively, browse to Network Security Groups in the left navigation pane. 2. In the properties of the Network Security Group, click on Diagnostic Settings. 3. Click on the Add diagnostic setting link. 4. Provide a name in the Diagnostic settings name field. It doesn't matter what name you provide for the exam. 5. In the Log section, select NetworkSecurityGroupRuleCounter. 6. In the Destination details section, select Archive to a storage account. 7. In the Storage account field, select the logs1234578 storage account. 8. In the Retention (days) field, enter 30. 9. Click the Save button to save the changes.

You are troubleshooting a security issue for an Azure Storage account. You enable the diagnostic logs for the storage account. What should you use to retrieve the diagnostics logs? A. Azure Security Center B. Azure Monitor C. the Security admin center D. Azure Storage Explorer

D. Azure Storage Explorer

You have an Azure subscription that contains a resource group named RG1 and a security group named ServerAdmins. RG1 contains 10 virtual machines, a virtual network named VNET1, and a network security group (NSG) named NSG1. ServerAdmins can access the virtual machines by using RDP. You need to ensure that NSG1 only allows RDP connections to the virtual machines for a maximum of 60 minutes when a member of ServerAdmins requests access. What should you configure? A. an Azure policy assigned to RG1 B. a just in time (JIT) VM access policy in Microsoft Defender for Cloud C. an Azure Active Directory (Azure AD) Privileged Identity Management (PIM) role assignment D. an Azure Bastion host on VNET1

B. a just in time (JIT) VM access policy in Microsoft Defender for Cloud

You have an Azure Sentinel deployment. You need to create a scheduled query rule named Rule1. What should you use to define the query rule logic for Rule1? A. a Transact-SQL statement B. a JSON definition C. GraphQL D. a Kusto query

D. a Kusto query

You have 10 on-premises servers that run Windows Server 2019. You plan to implement Azure Security Center vulnerability scanning for the servers. What should you install on the servers first? A. the Azure Arc enabled servers Connected Machine agent B. the Microsoft Defender for Endpoint agent C. the Security Events data connector in Azure Sentinel D. the Microsoft Endpoint Configuration Manager client

A. the Azure Arc enabled servers Connected Machine agent

You have an Azure subscription name Sub1 that contains an Azure Policy definition named Policy1. Policy1 has the following settings: ✑ Definition location: Tenant Root Group ✑ Category: Monitoring You need to ensure that resources that are noncompliant with Policy1 are listed in the Azure Security Center dashboard. What should you do first? A. Change the Category of Policy1 to Security Center. B. Add Policy1 to a custom initiative. C. Change the Definition location of Policy1 to Sub1. D. Assign Policy1 to Sub1.

B. Add Policy1 to a custom initiative.

You have an Azure subscription. You plan to create a workflow automation in Azure Security Center that will automatically remediate a security vulnerability. What should you create first? A. an automation account B. a managed identity C. an Azure logic app D. an Azure function app E. an alert rule

C. an Azure logic app

SIMULATION - A user named Debbie has the Azure app installed on her mobile device. You need to ensure that debbie@contoso.com is alerted when a resource lock is deleted. To complete this task, sign in to the Azure portal.

You need to configure an alert rule in Azure Monitor. 1. Type Monitor into the search box and select Monitor from the search results. 2. Click on Alerts. 3. Click on +New Alert Rule. 4. In the Scope section, click on the Select resource link. 5. In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results. 6. Select the subscription then click the Done button. 7. In the Condition section, click on the Select condition link. 8. Select the Delete management locks condition the click the Done button. 9. In the Action group section, click on the Select action group link. 10.Click the Create action group button to create a new action group. 11.Give the group a name such as Debbie Mobile App (it doesn't matter what name you enter for the exam) then click the Next: Notifications > button. 12.In the Notification type box, select the Email/SMS message/Push/Voice option. 13.In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter debbie@contoso.com in the Azure account email field. 14.Click the OK button to close the window. 15.Enter a name such as Debbie Mobile App in the notification name box. 16.Click the Review & Create button then click the Create button to create the action group. 17.Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field. 18.Click the Create alert rule button to create the alert rule.

SIMULATION - You plan to connect several Windows servers to the WS12345678 Azure Log Analytics workspace. You need to ensure that the events in the System event logs are collected automatically to the workspace after you connect the Windows servers. To complete this task, sign in to the Azure portal and modify the Azure resources.

Azure Monitor can collect events from the Windows event logs or Linux Syslog and performance counters that you specify for longer term analysis and reporting, and take action when a particular condition is detected. Follow these steps to configure collection of events from the Windows system log and Linux Syslog, and several common performance counters to start with. Data collection from Windows VM - 1. In the Azure portal, locate the WS12345678 Azure Log Analytics workspace then select Advanced settings. 2. Select Data, and then select Windows Event Logs. 3. You add an event log by typing in the name of the log. Type System and then select the plus sign +. 4. In the table, check the severities Error and Warning. (for this question, select all severities to ensure that ALL logs are collected). 5. Select Save at the top of the page to save the configuration.

SIMULATION - You need to ensure that the AzureBackupReport log for the Vault1 Recovery Services vault is stored in the WS12345678 Azure Log Analytics workspace. To complete this task, sign in to the Azure portal and modify the Azure resources.

1. In the Azure portal, type Recovery Services Vaults in the search box, select Recovery Services Vaults from the search results then select Vault1. Alternatively, browse to Recovery Services Vaults in the left navigation pane. 2. In the properties of Vault1, scroll down to the Monitoring section and select Diagnostic Settings. 3. Click the Add a diagnostic setting link. 4. Enter a name in the Diagnostic settings name box. 5. In the Log section, select AzureBackupReport. 6. In the Destination details section, select Send to log analytics 7. Select the WS12345678 Azure Log Analytics workspace. 8. Click the Save button to save the changes.

SIMULATION - You need to ensure that the audit logs from the SQLdb1 Azure SQL database are stored in the WS12345678 Azure Log Analytics workspace. To complete this task, sign in to the Azure portal and modify the Azure resources.

1. In the Azure portal, type SQL in the search box, select SQL databases from the search results then select SQLdb1. Alternatively, browse to SQL databases in the left navigation pane. 2. In the properties of SQLdb1, scroll down to the Security section and select Auditing. 3. Turn auditing on if it isn't already, tick the Log Analytics checkbox then click on Configure. 4. Select the WS12345678 Azure Log Analytics workspace. 5. Click Save to save the changes. Question #74

You are troubleshooting a security issue for an Azure Storage account. You enable the diagnostic logs for the storage account. What should you use to retrieve the diagnostics logs? A. Azure Storage Explorer B. SQL query editor in Azure C. File Explorer in Windows D. Azure Security Center

A. Azure Storage Explorer

You are troubleshooting a security issue for an Azure Storage account. You enable Azure Storage Analytics logs and archive it to a storage account. What should you use to retrieve the diagnostics logs? A. Azure Cosmos DB explorer B. SQL query editor in Azure C. AzCopy D. the Security admin center

C. AzCopy

You have an Azure Sentinel workspace. You need to create a playbook. Which two triggers will start the playbook? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. An Azure Sentinel scheduled query rule is executed. B. An Azure Sentinel data connector is added. C. An Azure Sentinel alert is generated. D. An Azure Sentinel hunting query result is returned. E. An Azure Sentinel incident is created.

C. An Azure Sentinel alert is generated. E. An Azure Sentinel incident is created.

You are troubleshooting a security issue for an Azure Storage account. You enable Azure Storage Analytics logs and archive it to a storage account. What should you use to retrieve the diagnostics logs? A. Azure Monitor B. SQL query editor in Azure C. File Explorer in Windows D. Azure Storage Explorer

D. Azure Storage Explorer

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1. You plan to enable passwordless authentication for the tenant. You need to ensure that User1 can enable the combined registration experience. The solution must use the principle of least privilege. Which role should you assign to User1? A. Security administrator B. Privileged role administrator C. Authentication administrator D. Global administrator

C. Authentication administrator

You are troubleshooting a security issue for an Azure Storage account. You enable Azure Storage Analytics logs and archive it to a storage account. What should you use to retrieve the diagnostics logs? A. Azure Cosmos DB explorer B. Azure Monitor C. Microsoft Defender for Cloud D. Azure Storage Explorer

D. Azure Storage Explorer

You have an Azure Active Directory (Azure AD) tenant. You need to prevent nonprivileged Azure AD users from creating service principles in Azure AD. What should you do in the Azure Active Directory admin center of the tenant? A. From the User settings blade, set Users can register applications to No. B. From the Properties blade, set Access management for Azure resources to No. C. From the User settings blade, set Restrict access to Azure AD administration portal to Yes. D. From the Properties blade, set Enable Security defaults to Yes.

A. From the User settings blade, set Users can register applications to No.

You have an Azure subscription named Sub1. In Microsoft Defender for Cloud, you have a workflow automation named WF1. WF1 is configured to send an email message to a user named User1. You need to modify WF1 to send email messages to a distribution group named Alerts. What should you use to modify WF1? A. Azure Logic Apps Designer B. Azure Application Insights C. Azure DevOps D. Azure Monitor

A. Azure Logic Apps Designer

Your on-premises network contains a Hyper-V virtual machine named VM1. You need to use Azure Arc to onboard VM1 to Microsoft Defender for Cloud. What should you install first? A. the guest configuration agent B. the Azure Monitor agent C. the Log Analytics agent D. the Azure Connected Machine agent

D. the Azure Connected Machine agent

You have an Azure subscription that contains a Microsoft Defender External Attack Surface Management (Defender EASM) resource named EASM1. EASM1 has discovery enabled and contains several inventory assets. You need to identify which inventory assets are vulnerable to the most critical web app security risks. Which Defender EASM dashboard should you use? A. Security Posture B. OWASP Top 10 C. Attack Surface Summary D. GDPR Compliance

B. OWASP Top 10

You have an Azure subscription that uses Microsoft Defender for Cloud. You need to use Defender for Cloud to review regulatory compliance with the Azure CIS 1.4.0 standard. The solution must minimize administrative effort. What should you do first? A. Assign an Azure policy. B. Disable one of the Out of the box standards. C. Manually add the Azure CIS 1.4.0 standard. D. Add a custom initiative.

C. Manually add the Azure CIS 1.4.0 standard.

You have an Azure subscription that contains an Azure key vault named Vault1 and a virtual machine named VM1. VM1 is connected to a virtual network named VNet1. You need to allow access to Vault1 only from VM1. What should you do in the Networking settings of Vault1? A. From the Firewalls and virtual networks tab, add the IP address of VM1. B. From the Private endpoint connections tab, create a private endpoint for VM1. C. From the Firewalls and virtual networks tab, add VNet1. D. From the Firewalls and virtual networks tab, set Allow trusted Microsoft services to bypass this firewall to Yes for Vault1.

A. From the Firewalls and virtual networks tab, add the IP address of VM1.

You have an Azure subscription. You create a new virtual network named VNet1. You plan to deploy an Azure web app named App1 that will use VNet1 and will be reachable by using private IP addresses. The solution must support inbound and outbound network traffic. What should you do? A. Create an Azure App Service Hybrid Connection. B. Create an Azure application gateway. C. Create an App Service Environment. D. Configure regional virtual network integration.

C. Create an App Service Environment.

You have an Azure subscription that uses Microsoft Defender for Cloud. You have accounts for the following cloud services: * Alibaba Cloud * Amazon Web Services (AWS) * Google Cloud Platform (GCP) What can you add to Defender for Cloud? A. AWS only B. Alibaba Cloud and AWS only C. Alibaba Cloud and GCP only D. AWS and GCP only E. Alibaba Cloud, AWS, and GCP

D. AWS and GCP only

You have an Azure subscription. You plan to map an online infrastructure and perform vulnerability scanning for the following: * ASNs * Hostnames * IP addresses * SSL certificates What should you use? A. Microsoft Defender for Cloud B. Microsoft Defender External Attack Surface Management (Defender EASM) C. Microsoft Defender for Identity D. Microsoft Defender for Endpoint

B. Microsoft Defender External Attack Surface Management (Defender EASM)

C. AzCopy

You have an Azure subscription that uses Microsoft Defender for Cloud. You have an Amazon Web Services (AWS) account. You need to ensure that when you deploy a new AWS Elastic Compute Cloud (EC2) instance, the Microsoft Defender for Servers agent installs automatically. What should you configure first? A. the classic cloud connector B. the Azure Monitor agent C. the Log Analytics agent D. the native cloud connector

D. the native cloud connector

You have an Azure subscription that uses Microsoft Defender for Cloud. You have an Amazon Web Services (AWS) account named AWS1 that is connected to Defender for Cloud. You need to ensure that AWS1 uses AWS Foundational Security Best Practices. The solution must minimize administrative effort. What should you do in Defender for Cloud? A. Assign a built-in compliance standard. B. Create a new custom standard. C. Assign a built-in assessment. D. Create a new custom assessment

A. Assign a built-in compliance standard.

You are troubleshooting a security issue for an Azure Storage account. You enable Azure Storage Analytics logs and archive it to a storage account. What should you use to retrieve the diagnostics logs? A. the Microsoft 365 Defender portal B. SQL query editor in Azure C. Azure Monitor D. Azure Storage Explorer

D. Azure Storage Explorer

You have an Azure subscription that contains a Microsoft Defender External Attack Surface Management (Defender EASM) resource named EASM1. You review the Attack Surface Summary dashboard. You need to identify the following insights: * Deprecated technologies that are no longer supported * Infrastructure that will soon expire Which section of the dashboard should you review? A. Securing the Cloud B. Sensitive Services C. Attack Surface Priorities D. attack surface composition

C. Attack Surface Priorities

You have an Azure subscription. You plan to deploy Microsoft Defender External Attack Surface Management (Defender EASM) to identify and monitor externally facing assets. You create a new Defender EASM instance named EASM1. What should you do next? A. Create a custom attack surface. B. Add a Log Analytics workspace. C. Add a discovery group. D. Import seeds from an organization.

D. Import seeds from an organization.

You have an Azure subscription that contains an Azure Key Vault Standard key vault named Vault1. Vault1 hosts a 2048-bit RSA key named key1. You need to ensure that key1 is rotated every 90 days. What should you do first? A. Create a key rotation policy. B. Modify the Access policies settings of Vault1. C. Upgrade Vault1 to Key Vault Premium. D. Recreate key1 as an EC key.

A. Create a key rotation policy.

SIMULATION - You plan to use Azure Disk Encryption for several virtual machine disks. You need to ensure that Azure Disk Encryption can retrieve secrets from the KeyVault12345678 Azure key vault. To complete this task, sign in to the Azure portal and modify the Azure resources.

1. In the Azure portal, type Key Vaults in the search box, select Key Vaults from the search results then select KeyVault12345678. Alternatively, browse to Key Vaults in the left navigation pane. 2. In the Key Vault properties, scroll down to the Settings section and select Access Policies. 3. Select the Azure Disk Encryption for volume encryption 4. Click Save to save the changes.

You have an Azure SQL Database server named SQL1. For SQL1, you turn on Azure Defender for SQL to detect all threat detection types. Which action will Azure Defender for SQL detect as a threat? A. A user updates more than 50 percent of the records in a table. B. A user attempts to sign in as SELECT * FROM table1. C. A user is added to the db_owner database role. D. A user deletes more than 100 records from the same table.

B. A user attempts to sign in as SELECT * FROM table1.

Your company uses Azure DevOps. You need to recommend a method to validate whether the code meets the company's quality standards and code review standards. What should you recommend implementing in Azure DevOps? A. branch folders B. branch permissions C. branch policies D. branch locking

C. branch policies

SIMULATION - You need to ensure that User2-1234578 has all the key permissions for KeyVault1234578. To complete this task, sign in to the Azure portal and modify the Azure resources.

You need to assign the user the Key Vault Secrets Officer role. 1. In the Azure portal, type Key Vaults in the search box, select Key Vaults from the search results then select KeyVault1234578. Alternatively, browse to Key Vaults in the left navigation pane. 2. In the key vault properties, select Access control (IAM). 3. In the Add a role assignment section, click the Add button. 4. In the Role box, select the Key Vault Secrets Officer role from the drop-down list. 5. In the Select box, start typing User2-1234578 and select User2-1234578 from the search results. 6. Click the Save button to save the changes.

You have an Azure web app named WebApp1. You upload a certificate to WebApp1. You need to make the certificate accessible to the app code of WebApp1. What should you do? A. Add a user-assigned managed identity to WebApp1. B. Add an app setting to the WebApp1 configuration. C. Enable system-assigned managed identity for WebApp1. D. Configure the TLS/SSL binding for WebApp1.

B. Add an app setting to the WebApp1 configuration.

You have an Azure web app named webapp1. You need to configure continuous deployment for webapp1 by using an Azure Repo. What should you create first? A. an Azure Application Insights service B. an Azure DevOps organization C. an Azure Storage account D. an Azure DevTest Labs lab

B. an Azure DevOps organization

Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. The company develops an application named App1. App1 is registered in Azure AD. You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users. What should you configure? A. an application permission without admin consent B. a delegated permission without admin consent C. a delegated permission that requires admin consent D. an application permission that requires admin consent

B. a delegated permission without admin consent

Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. The company develops a mobile application named App1. App1 uses the OAuth 2 implicit grant type to acquire Azure AD access tokens. You need to register App1 in Azure AD. What information should you obtain from the developer to register the application? A. a redirect URI B. a reply URL C. a key D. an application ID

A. a redirect URI

From the Azure portal, you are configuring an Azure policy. You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects. Which effect requires a managed identity for the assignment? A. AuditIfNotExist B. Append C. DeployIfNotExist D. Deny

C. DeployIfNotExist

You have an Azure subscription that contains an Azure key vault named Vault1. In Vault1, you create a secret named Secret1. An application developer registers an application in Azure Active Directory (Azure AD). You need to ensure that the application can use Secret1. What should you do? A. In Azure AD, create a role. B. In Azure Key Vault, create a key. C. In Azure Key Vault, create an access policy. D. In Azure AD, enable Azure AD Application Proxy.

C. In Azure Key Vault, create an access policy.

You have an Azure SQL database. You implement Always Encrypted. You need to ensure that application developers can retrieve and decrypt data in the database. Which two pieces of information should you provide to the developers? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. a stored access policy B. a shared access signature (SAS) C. the column encryption key D. user credentials E. the column master key

C. the column encryption key E. the column master key

You have a hybrid configuration of Azure Active Directory (Azure AD). All users have computers that run Windows 10 and are hybrid Azure AD joined. You have an Azure SQL database that is configured to support Azure AD authentication. Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account. You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize authentication prompts. Which authentication method should you instruct the developers to use? A. SQL Login B. Active Directory ג€" Universal with MFA support C. Active Directory ג€" Integrated D. Active Directory ג€" Password

C. Active Directory ג€" Integrated

You have an Azure subscription that contains four Azure SQL managed instances. You need to evaluate the vulnerability of the managed instances to SQL injection attacks. What should you do first? A. Create an Azure Sentinel workspace. B. Enable Advanced Data Security. C. Add the SQL Health Check solution to Azure Monitor. D. Create an Azure Advanced Threat Protection (ATP) instance.

B. Enable Advanced Data Security.

You have an Azure subscription that contains a virtual machine named VM1. You create an Azure key vault that has the following configurations: ✑ Name: Vault5 ✑ Region: West US ✑ Resource group: RG1 You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup. Which key vault settings should you configure? A. Access policies B. Secrets C. Keys D. Locks

A. Access policies

SIMULATION - You need to ensure that the rg1lod1234578n1 Azure Storage account is encrypted by using a key stored in the KeyVault12345678 Azure key vault. To complete this task, sign in to the Azure portal.

Step 1: To enable customer-managed keys in the Azure portal, follow these steps: 1. Navigate to your storage account rg1lod1234578n1 2. On the Settings blade for the storage account, click Encryption. Select the Use your own key option, as shown in the following figure. Step 2: Specify a key from a key vault To specify a key from a key vault, first make sure that you have a key vault that contains a key. To specify a key from a key vault, follow these steps: 4. Choose the Select from Key Vault option. 5. Choose the key vault KeyVault1234578 containing the key you want to use. 6. Choose the key from the key vault.

You have a web app named WebApp1. You create a web application firewall (WAF) policy named WAF1. You need to protect WebApp1 by using WAF1. What should you do first? A. Deploy an Azure Front Door. B. Add an extension to WebApp1. C. Deploy Azure Firewall.

A. Deploy an Azure Front Door.

You have an Azure subscription that contains an Azure SQL database named sql1. You plan to audit sql1. You need to configure the audit log destination. The solution must meet the following requirements: ✑ Support querying events by using the Kusto query language. ✑ Minimize administrative effort. What should you configure? A. an event hub B. a storage account C. a Log Analytics workspace

C. a Log Analytics workspace

SIMULATION - You need to enable Advanced Data Security for the SQLdb1 Azure SQL database. The solution must ensure that Azure Advanced Threat Protection (ATP) alerts are sent to User1@contoso.com. To complete this task, sign in to the Azure portal and modify the Azure resources.

1. In the Azure portal, type SQL in the search box, select SQL databases from the search results then select SQLdb1. Alternatively, browse to SQL databases in the left navigation pane. 2. In the properties of SQLdb1, scroll down to the Security section and select Advanced data security. 3. Click on the Settings icon. 4. Tick the Enable Advanced Data Security at the database level checkbox. 5. Click Yes at the confirmation prompt. 6. In the Storage account select a storage account if one isn't selected by default. 7. Under Advanced Threat Protection Settings, enter User1@contoso.com in the Send alerts to box. 8. Click the Save button to save the changes.

SIMULATION - You need to configure a weekly backup of an Azure SQL database named Homepage. The backup must be retained for eight weeks. To complete this task, sign in to the Azure portal.

You need to configure the backup policy for the Azure SQL database. 1. In the Azure portal, type Azure SQL Database in the search box, select Azure SQL Database from the search results then select Homepage. Alternatively, browse to Azure SQL Database in the left navigation pane. 2. Select the server hosting the Homepage database and click on Manage backups. 3. Click on Configure policies. 4. Ensure that the Weekly Backups option is ticked. 5. Configure the How long would you like weekly backups to be retained option to 8 weeks. 6. Click Apply to save the changes.

SIMULATION - You need to ensure that when administrators deploy resources by using an Azure Resource Manager template, the deployment can access secrets in an Azure key vault named KV12345678. To complete this task, sign in to the Azure portal.

You need to configure an option in the Advanced Access Policy of the key vault. 1. In the Azure portal, type Azure Key Vault in the search box, select Azure Key Vault from the search results then select the key vault named KV12345678. Alternatively, browse to Azure Key Vault in the left navigation pane. 2. In the properties of the key vault, click on Advanced Access Policies. 3. Tick the checkbox labelled Enable access to Azure Resource Manager for template deployment. 4. Click Save to save the changes.

You have an Azure subscription that contains as Azure key vault and an Azure Storage account. The key vault contains customer-managed keys. The storage account is configured to use the customer-managed keys stored in the key vault. You plan to store data in Azure by using the following services: ✑ Azure Files ✑ Azure Blob storage ✑ Azure Table storage ✑ Azure Queue storage Which two services support data encryption by using the keys stored in the key vault? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Table storage B. Azure Files C. Blob storage D. Queue storage

B. Azure Files C. Blob storage

SIMULATION - You need to ensure that connections through an Azure Application Gateway named Homepage-AGW are inspected for malicious requests. To complete this task, sign in to the Azure portal. You do not need to wait for the task to complete.

You need to enable the Web Application Firewall on the Application Gateway. 1. In the Azure portal, type Application gateways in the search box, select Application gateways from the search results then select the gateway named Homepage-AGW. Alternatively, browse to Application Gateways in the left navigation pane. 2. In the properties of the application gateway, click on Web application firewall. 3. For the Tier setting, select WAF V2. 4. In the Firewall status section, click the slider to switch to Enabled. 5. In the Firewall mode section, click the slider to switch to Prevention. 6. Click Save to save the changes.

SIMULATION - You need to create a web app named Intranet12345678 and enable users to authenticate to the web app by using Azure Active Directory (Azure AD). To complete this task, sign in to the Azure portal.

1. In the Azure portal, type App services in the search box and select App services from the search results. 2. Click the Create app service button to create a new app service. 3. In the Resource Group section, click the Create new link to create a new resource group. 4. Give the resource group a name such as Intranet12345678RG and click OK. 5. In the Instance Details section, enter Intranet12345678 in the Name field. 6. In the Runtime stack field, select any runtime stack such as .NET Core 3.1. 7. Click the Review + create button. 8. Click the Create button to create the web app. 9. Click the Go to resource button to open the properties of the new web app. 10.In the Settings section, click on Authentication / Authorization. 11.Click the App Service Authentication slider to set it to On. 12.In the Action to take when request is not authentication box, select Log in with Azure Active Directory. 13.Click Save to save the changes.

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1. You need to ensure that the members of Group1 sign in by using passwordless authentication. What should you do? A. Configure the sign-in risk policy. B. Create a Conditional Access policy. C. Configure the Microsoft Authenticator authentication method policy. D. Configure the certificate-based authentication (CBA) policy

C. Configure the Microsoft Authenticator authentication method policy.

You have an Azure subscription that contains an Azure key vault named Vault1 and a virtual machine named VM1. VM1 has the Key Vault VM extension installed. For Vault1, you rotate the keys, secrets, and certificates. What will be updated automatically on VM1? A. the keys only B. the secrets only C. the certificates only D. the keys and secrets only E. the secrets and certificates only F. the keys, secrets, and certificates

C. the certificates only

You have an Azure AD tenant that contains a user named User1. You purchase an app named App1. User1 needs to publish App1 by using Azure AD Application Proxy. Which role should you assign to User1? A. Cloud application administrator B. Application administrator C. Hybrid identity administrator D. Cloud App Security Administrator

B. Application administrator

You have an Azure subscription that contains a storage account named storage1 and a virtual machine named VM1. VM1 is connected to a virtual network named VNet1 that contains one subnet and uses Azure DNS. You need to ensure that VM1 connects to storage1 by using a private IP address. The solution must minimize administrative effort. What should you do? A. For storage1, disable public network access. B. On VNet1, create a new subnet. C. For storage1, create a new private endpoint. D. Create an Azure Private DNS zone.

C. For storage1, create a new private endpoint.

You have an Azure subscription that contains a web app named App1. App1 provides users with product images and videos. Users access App1 by using a URL of HTTPS://app1.contoso.com. You deploy two server pools named Pool1 and Pool2. Pool1 hosts product images. Pool2 hosts product videos. You need to optimize the performance of App1. The solution must meet the following requirements: * Minimize the performance impact of TLS connections on Pool1 and Pool2. * Route user requests to the server pools based on the requested URL path. What should you include in the solution? A. Azure Bastion B. Azure Front Door C. Azure Traffic Manager D. Azure Application Gateway

B. Azure Front Door

You have an Azure subscription that contains an instance of Azure Firewall Standard named AzFW1. You need to identify whether you can use the following features with AzFW1: * TLS inspection * Threat intelligence * The network intrusion detection and prevention systems (IDPS) What can you use? A. TLS inspection only B. threat intelligence only C. TLS inspection and the IDPS only D. threat intelligence and the IDPS only E. TLS inspection, threat intelligence, and the IDPS

B. threat intelligence only

You have an Azure subscription. You need to deploy an Azure virtual WAN to meet the following requirements: * Create three secured virtual hubs located in the East US, West US, and North Europe Azure regions. * Ensure that security rules sync between the regions. What should you use? A. Azure Virtual Network Manager B. Azure Front Door C. Azure Network Function Manager D. Azure Firewall Manager

D. Azure Firewall Manager

You have an Azure subscription that contains an Azure web app named App1 and a virtual machine named VM1. VM1 runs Microsoft SQL Server and is connected to a virtual network named VNet1. App1, VM1, and VNet1 are in the US Central Azure region. You need to ensure that App1 can connect to VM1. The solution must minimize costs. What should you include in the solution? A. regional virtual network integration B. gateway-required virtual network integration C. Azure Front Door D. Azure Application Gateway integration E. NAT gateway integration

A. regional virtual network integration

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a single subnet. The subscription contains a virtual machine named VM1 that is connected to VNet1. You plan to deploy an Azure SQL managed instance named SQL1. You need to ensure that VM1 can access SQL1. Which three components should you create? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. a subnet B. a network security perimeter C. a virtual network gateway D. a network security group (NSG) E. a route table

A. a subnet D. a network security group (NSG) E. a route table