Microsoft Azure Certified Security Engineer AZ-500 Part 2
Question #: 41
Topic #: 5
HOTSPOT –
You have an Azure key vault named KeyVault1 that contains the items shown in the following table.
In KeyVault1, the following events occur in sequence:
✑ Item1 is deleted.
✑ Item2 and Policy1 are deleted.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 42
Topic #: 13
You need to meet the technical requirements for VNetwork1.
What should you do first?
A. Create a new subnet on VNetwork1.
B. Remove the NSGs from Subnet11 and Subnet13.
C. Associate an NSG to Subnet12.
D. Configure DDoS protection for VNetwork1.
Selected Answer: A
Question #: 43
Topic #: 1
Note: This question is one of a series that share the same scenario. Each question presents a different solution. Determine whether the solution meets the stated requirements.
Your company has an Active Directory forest with a single domain, named weylandindustries.com. They also have an Azure Active Directory (Azure AD) tenant with the same name.
You have been tasked with integrating Active Directory and the Azure AD tenant. You intend to deploy Azure AD Connect.
Your integration strategy must ensure that password policies and user logon restrictions apply to the user accounts that are synced to the Azure AD tenant, and that the number of servers required is minimized.
Solution: You recommend the use of password hash synchronization and seamless SSO.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 44
Topic #: 11
You plan to implement JIT VM access.
Which virtual machines will be supported?
A. VM2, VM3, and VM4 only
B. VM1, VM2, VM3, and VM4
C. VM1 and VM3 only
D. VM1 only
Selected Answer: A
Question #: 45
Topic #: 4
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to create several security alerts by using Azure Monitor.
You need to prepare the Azure subscription for the alerts.
What should you create first?
A. an Azure Storage account
B. an Azure Log Analytics workspace
C. an Azure event hub
D. an Azure Automation account
Selected Answer: B
Question #: 46
Topic #: 2
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.
Which authentication method should you include in the recommendation?
A. federated identity with Active Directory Federation Services (AD FS)
B. password hash synchronization with seamless single sign-on (SSO)
C. pass-through authentication with seamless single sign-on (SSO)
Selected Answer: C
Question #: 47
Topic #: 13
HOTSPOT –
You are evaluating the security of VM1, VM2, and VM3 in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 48
Topic #: 2
Your network contains an on-premises Active Directory domain named corp.contoso.com.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You sync all on-premises identities to Azure AD.
You need to prevent users who have a givenName attribute that starts with TEST from being synced to Azure AD. The solution must minimize administrative effort.
What should you use?
A. Synchronization Rules Editor
B. Web Service Configuration Tool
C. the Azure AD Connect wizard
D. Active Directory Users and Computers
Selected Answer: A
Question #: 49
Topic #: 1
Your company has an Active Directory forest with a single domain, named weylandindustries.com. They also have an Azure Active Directory (Azure AD) tenant with the same name.
After syncing all on-premises identities to Azure AD, you are informed that users with a givenName attribute starting with LAB should not be allowed to sync to Azure AD.
Which of the following actions should you take?
A. You should make use of the Synchronization Rules Editor to create an attribute-based filtering rule.
B. You should configure a DNAT rule on the Firewall.
C. You should configure a network traffic filtering rule on the Firewall.
D. You should make use of Active Directory Users and Computers to create an attribute-based filtering rule.
Selected Answer: A
Question #: 50
Topic #: 6
You have an Azure subscription that contains a web app named App1. App1 provides users with product images and videos. Users access App1 by using a URL of HTTPS://app1.contoso.com.
You deploy two server pools named Pool1 and Pool2. Pool1 hosts product images. Pool2 hosts product videos.
You need to optimize the performance of App1. The solution must meet the following requirements:
• Minimize the performance impact of TLS connections on Pool1 and Pool2.
• Route user requests to the server pools based on the requested URL path.
What should you include in the solution?
A. Azure Bastion
B. Azure Front Door
C. Azure Traffic Manager
D. Azure Application Gateway
Selected Answer: D
Question #: 51
Topic #: 4
Your company has an Azure subscription named Sub1. Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights. WebApp1 requires users to authenticate by using OAuth 2.0 client secrets.
Developers at the company plan to create a multi-step web test app that performs synthetic transactions emulating user traffic to WebApp1.
You need to ensure that web tests can run unattended.
What should you do first?
A. In Microsoft Visual Studio, modify the .webtest file.
B. Upload the .webtest file to Application Insights.
C. Register the web test app in Azure AD.
D. Add a plug-in to the web test app.
Selected Answer: B
Question #: 52
Topic #: 5
You have an Azure SQL Database server named SQL1.
For SQL1, you turn on Azure Defender for SQL to detect all threat detection types.
Which action will Azure Defender for SQL detect as a threat?
A. A user updates more than 50 percent of the records in a table.
B. A user attempts to sign in as SELECT * FROM table1.
C. A user is added to the db_owner database role.
D. A user deletes more than 100 records from the same table.
Selected Answer: B
Question #: 53
Topic #: 6
HOTSPOT –
You have an Azure subscription that is linked to an Azure AD tenant and contains the virtual machines shown in the following table.
The subnets of the virtual networks have the service endpoints shown in the following table.
You create the resources shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 54
Topic #: 7
HOTSPOT –
You have an Azure subscription that contains the virtual machines shown in the following table.
You have an Azure Cosmos DB account named cosmos1 configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 55
Topic #: 2
DRAG DROP –
You are implementing conditional access policies.
You must evaluate the existing Azure Active Directory (Azure AD) risk events and risk levels to configure and implement the policies.
You need to identify the risk level of the following risk events:
✑ Users with leaked credentials
✑ Impossible travel to atypical locations
✑ Sign-ins from IP addresses with suspicious activity
Which level should you identify for each risk event? To answer, drag the appropriate levels to the correct risk events. Each level may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Suggested Answer:
Question #: 56
Topic #: 5
HOTSPOT –
You have the Azure Information Protection labels as shown in the following table.
You have the Azure Information Protection policies as shown in the following table.
You need to identify how Azure Information Protection will label files.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 57
Topic #: 4
You have an Azure subscription named Subscription1.
You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?
A. the AzurePerformanceDiagnostics extension
B. Azure HDInsight
C. Linux Diagnostic Extension (LAD) 3.0
D. Azure Analysis Services
Selected Answer: C
Question #: 58
Topic #: 1
You have been tasked with applying conditional access policies for your company’s current Azure Active Directory (Azure AD).
The process involves assessing the risk events and risk levels.
Which of the following is the risk level that should be configured for users that have leaked credentials?
A. None
B. Low
C. Medium
D. High
Selected Answer: D
Question #: 59
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:
✑ Assignment: Include Group1, Exclude Group2
✑ Conditions: Sign-in risk of Medium and above
✑ Access: Allow access, Require password change
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 60
Topic #: 1
You have been tasked with applying conditional access policies for your company’s current Azure Active Directory (Azure AD).
The process involves assessing the risk events and risk levels.
Which of the following is the risk level that should be configured for sign ins that originate from IP addresses with dubious activity?
A. None
B. Low
C. Medium
D. High
Selected Answer: C
Question #: 61
Topic #: 6
You have an Azure subscription that contains an instance of Azure Firewall Standard named AzFW1.
You need to identify whether you can use the following features with AzFW1:
• TLS inspection
• Threat intelligence
• The network intrusion detection and prevention systems (IDPS)
What can you use?
A. TLS inspection only
B. threat intelligence only
C. TLS inspection and the IDPS only
D. threat intelligence and the IDPS only
E. TLS inspection, threat intelligence, and the IDPS
Selected Answer: B
Question #: 62
Topic #: 4
You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center.
You need to automate the mitigation of incidents in Azure Sentinel. The solution must minimize administrative effort.
What should you create?
A. an alert rule
B. a playbook
C. a function app
D. a runbook
Selected Answer: B
Question #: 63
Topic #: 5
Your company uses Azure DevOps.
You need to recommend a method to validate whether the code meets the company’s quality standards and code review standards.
What should you recommend implementing in Azure DevOps?
A. branch folders
B. branch permissions
C. branch policies
D. branch locking
Selected Answer: C
Question #: 64
Topic #: 7
You are troubleshooting a security issue for an Azure Storage account.
You enable Azure Storage Analytics logs and archive it to a storage account.
What should you use to retrieve the diagnostics logs?
A. Azure Cosmos DB explorer
B. Azure Monitor
C. AzCopy
D. Microsoft Defender for Cloud
Selected Answer: C
Question #: 65
Topic #: 2
DRAG DROP –
You need to configure an access review. The review will be assigned to a new collection of reviews and reviewed by resource owners.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggested Answer:
Question #: 66
Topic #: 1
You have been tasked with configuring an access review, which you plan to assign to a new collection of reviews. You also have to make sure that the reviews can be performed by resource owners.
You start by creating an access review program and an access review control.
You now need to configure the Reviewers.
Which of the following should you set Reviewers to?
A. Selected users.
B. Members (Self).
C. Group Owners.
D. Anyone.
Selected Answer: C
Question #: 67
Topic #: 7
You have an Azure subscription that contains an Azure Blob storage account named blob1.
You need to configure attribute-based access control (ABAC) for blob1.
Which attributes can you use in access conditions?
A. blob index tags only
B. blob index tags and container names only
C. file extensions and container names only
D. blob index tags, file extensions, and container names
Selected Answer: B
Question #: 68
Topic #: 4
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You need to configure diagnostic settings for contoso.com. The solution must meet the following requirements:
✑ Retain logs for two years.
✑ Query logs by using the Kusto query language.
✑ Minimize administrative effort.
Where should you store the logs?
A. an Azure event hub
B. an Azure Log Analytics workspace
C. an Azure Storage account
Selected Answer: B
Question #: 69
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
You configure an access review named Review1 as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 70
Topic #: 3
HOTSPOT –
You create resources in an Azure subscription as shown in the following table.
VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24. Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 71
Topic #: 1
Your company recently created an Azure subscription. You have since been tasked with securing Azure AD roles by using Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
Which of the following actions should you take FIRST?
A. You should sign up Azure Active Directory (Azure AD) Privileged Identity Management (PIM) for Azure AD roles.
B. You should consent to Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
C. You should discover privileged roles.
D. You should discover resources.
Selected Answer: D
Question #: 72
Topic #: 4
You are troubleshooting a security issue for an Azure Storage account.
You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?
A. the Security & Compliance admin center
B. Azure Security Center
C. Azure Cosmos DB explorer
D. AzCopy
Selected Answer: D
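The two storage-logging questions above (Question 64 and Question 72) stop at "retrieve the logs with AzCopy". Once the blobs are copied down from the $logs container (the path layout is $logs/<service>/YYYY/MM/DD/hhmm/), the next step in a security investigation is to parse them. The following is an added example, not code from the exam page or from Microsoft: a parser for the classic Storage Analytics Log Format 1.0 (30 semicolon-separated fields, quoted where a value may contain a delimiter) plus the two checks worth running first. The three log lines, the account name contosostore, the IP addresses and the request IDs are all constructed for illustration.

```python
"""Parse Storage Analytics log lines pulled from the $logs container and flag risky access."""
import csv
import io
from collections import Counter
from typing import Dict, List

# Field order of Storage Analytics Log Format 1.0 (30 fields per line).
LOG_FORMAT_1_0_FIELDS = [
    "version-number", "request-start-time", "operation-type", "request-status",
    "http-status-code", "end-to-end-latency-in-ms", "server-latency-in-ms",
    "authentication-type", "requester-account-name", "owner-account-name",
    "service-type", "request-url", "requested-object-key", "request-id-header",
    "operation-count", "requester-ip-address", "request-version-header",
    "request-header-size", "request-packet-size", "response-header-size",
    "response-packet-size", "request-content-length", "request-md5",
    "server-md5", "etag-identifier", "last-modified-time", "conditions-used",
    "user-agent-header", "referrer-header", "client-request-id",
]

# Constructed sample (account, IPs and request IDs are made up): an anonymous read of a
# backup blob, a SAS request that was refused, and a normal authenticated read.
SAMPLE_LOG = (
    '1.0;2024-03-01T10:15:02.1234567Z;GetBlob;AnonymousSuccess;200;18;10;anonymous;;contosostore;blob;'
    '"https://contosostore.blob.core.windows.net/backups/db.bak";"/contosostore/backups/db.bak";'
    'a84aa705-8a85-48c5-b064-b43bd22979c3;0;203.0.113.10;2023-11-03;252;0;265;100;0;;;'
    '"0x8CE1B6EA95033D5";Friday, 01-Mar-24 10:15:02 GMT;;;;"client-1"\n'
    '1.0;2024-03-01T10:16:40.0000000Z;ListBlobs;SASAuthorizationError;403;5;3;sas;;contosostore;blob;'
    '"https://contosostore.blob.core.windows.net/backups?restype=container&comp=list";"/contosostore/backups";'
    'b7c0f3a2-1c3d-4e5f-8a9b-0c1d2e3f4a5b;0;203.0.113.10;2023-11-03;200;0;180;0;0;;;;;;;;"client-2"\n'
    '1.0;2024-03-01T10:17:01.0000000Z;GetBlob;Success;200;12;8;authenticated;contosostore;contosostore;blob;'
    '"https://contosostore.blob.core.windows.net/images/logo.png";"/contosostore/images/logo.png";'
    'c9d2e4f6-7a8b-4c0d-9e1f-2a3b4c5d6e7f;0;10.0.0.4;2023-11-03;252;0;265;100;0;;;'
    '"0x8CE1B6EA95033D6";Friday, 01-Mar-24 10:17:01 GMT;;;;"client-3"\n'
)

DENIED_STATUSES = {"AuthenticationFailed", "SASAuthorizationError", "AuthorizationError"}


def parse_storage_analytics_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per log line, keyed by the Log Format 1.0 field names.

    csv with ';' as delimiter handles the quoted URL / object-key fields, which may
    themselves contain delimiters.
    """
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:
            continue  # blank line
        if row[0] != "1.0" or len(row) != len(LOG_FORMAT_1_0_FIELDS):
            raise ValueError(f"not a 1.0 log line ({row[0]!r}, {len(row)} fields)")
        records.append(dict(zip(LOG_FORMAT_1_0_FIELDS, row)))
    return records


def find_suspicious_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag successful anonymous reads (data reachable via public container access) and
    requests that failed authentication or authorization (probing, revoked or wrong SAS)."""
    findings = []
    for r in records:
        status, auth = r["request-status"], r["authentication-type"]
        if auth == "anonymous" and status == "AnonymousSuccess":
            reason = "anonymous read succeeded"
        elif status in DENIED_STATUSES or r["http-status-code"] in ("401", "403"):
            reason = f"request denied ({status})"
        else:
            continue
        findings.append({
            "ip": r["requester-ip-address"],
            "operation": r["operation-type"],
            "object": r["requested-object-key"],
            "reason": reason,
        })
    return findings


def denied_requests_by_ip(records: List[Dict[str, str]]) -> Counter:
    """Count 401/403 responses per source address; a high count from one IP is a probe."""
    return Counter(r["requester-ip-address"] for r in records
                   if r["http-status-code"] in ("401", "403"))


if __name__ == "__main__":
    recs = parse_storage_analytics_log(SAMPLE_LOG)
    for f in find_suspicious_requests(recs):
        print(f"{f['ip']:>15}  {f['operation']:<10} {f['object']:<35} {f['reason']}")
    print(denied_requests_by_ip(recs))
```

Later Storage Analytics versions (2.0) append identity fields after the ones listed here; the version check at the top of the loop makes the parser fail loudly rather than mis-assign columns when it meets them.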
Question #: 73
Topic #: 7
You have an Azure subscription that contains a storage account and an Azure web app named App1.
App1 connects to an Azure Cosmos DB database named Cosmos1 that uses a private endpoint named Endpoint1. Endpoint1 has the default settings.
You need to validate the name resolution to Cosmos1.
Which DNS zone should you use?
A. endpoint1.privatelink.documents.azure.com
B. endpoint1.privatelink.blob.core.windows.net
C. endpoint1.privatelink.azurewebsites.net
D. endpoint1.privatelink.database.azure.com
Selected Answer: A
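Knowing the zone name is only half of the question above; the practical check is that, from inside the VNet, cosmos1.documents.azure.com aliases into privatelink.documents.azure.com and ends at an address in the VNet, while a client without the private zone falls through to the public address. The following is an added example, not code from the exam page or from Microsoft, that encodes that check; the resolver views stand in for what nslookup returns, and the account name cosmos1, the subnet 10.1.0.0/24 and the public address 203.0.113.20 are constructed assumptions.

```python
"""Check that a Cosmos DB private endpoint name resolves to a private address."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Private DNS zone per Private Link resource type (the three the question lists).
PRIVATELINK_ZONES = {
    "cosmosdb-sql": "privatelink.documents.azure.com",
    "blob": "privatelink.blob.core.windows.net",
    "sites": "privatelink.azurewebsites.net",
}

Resolver = Dict[str, Tuple[str, str]]  # name -> (record type, value)

# Constructed view from a VM in the VNet that is linked to the privatelink zone.
VNET_RESOLVER: Resolver = {
    "cosmos1.documents.azure.com": ("CNAME", "cosmos1.privatelink.documents.azure.com"),
    "cosmos1.privatelink.documents.azure.com": ("A", "10.1.0.5"),
}

# Constructed view from a client that only sees public DNS (no zone link, no forwarder):
# the privatelink name still exists publicly and yields the public endpoint.
PUBLIC_RESOLVER: Resolver = {
    "cosmos1.documents.azure.com": ("CNAME", "cosmos1.privatelink.documents.azure.com"),
    "cosmos1.privatelink.documents.azure.com": ("A", "203.0.113.20"),
}


def resolve_chain(name: str, resolver: Resolver, max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs until an A record; return the names visited and the final IP (or None)."""
    chain, current = [name], name
    for _ in range(max_hops):
        rtype, value = resolver.get(current, (None, None))
        if rtype == "CNAME":
            chain.append(value)
            current = value
        elif rtype == "A":
            return chain, value
        else:
            return chain, None
    raise ValueError(f"CNAME chain for {name} exceeds {max_hops} hops")


def check_private_resolution(account: str, service: str, resolver: Resolver,
                             vnet_cidr: str) -> Dict[str, object]:
    """Verify the public name aliases into the privatelink zone and ends inside the VNet."""
    zone = PRIVATELINK_ZONES[service]
    public_name = f"{account}.{zone[len('privatelink.'):]}"
    expected_alias = f"{account}.{zone}"
    chain, ip = resolve_chain(public_name, resolver)
    problems = []
    if expected_alias not in chain:
        problems.append(f"{public_name} does not alias into {zone}")
    if ip is None:
        problems.append("no A record at end of chain")
    elif ipaddress.ip_address(ip) not in ipaddress.ip_network(vnet_cidr):
        problems.append(f"{ip} is outside {vnet_cidr}: traffic would use the public endpoint")
    return {"name": public_name, "chain": chain, "ip": ip, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for label, view in (("vnet", VNET_RESOLVER), ("public", PUBLIC_RESOLVER)):
        result = check_private_resolution("cosmos1", "cosmosdb-sql", view, "10.1.0.0/24")
        print(label, "OK" if result["ok"] else result["problems"])
```

The "outside the VNet" case is the one that silently breaks a private-endpoint design: the connection still works, so nothing fails, but the data path is the public endpoint and the account firewall rather than Private Link.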
Question #: 74
Topic #: 5
You have an Azure web app named WebApp1.
You upload a certificate to WebApp1.
You need to make the certificate accessible to the app code of WebApp1.
What should you do?
A. Add a user-assigned managed identity to WebApp1.
B. Add an app setting to the WebApp1 configuration.
C. Enable system-assigned managed identity for WebApp1.
D. Configure the TLS/SSL binding for WebApp1.
Selected Answer: B
Question #: 75
Topic #: 6
HOTSPOT –
You have an Azure subscription that is connected to an on-premises datacenter and contains the resources shown in the following table.
You need to configure virtual network service endpoints for VNet1 and VNet2. The solution must meet the following requirements:
• The virtual machines that connect to the subnet of VNet1 must access storage1, storage2, and Azure AD by using the Microsoft backbone network.
• The virtual machines that connect to the subnet of VNet2 must access storage1 and KeyVault1 by using the Microsoft backbone network.
• The virtual machines must use the Microsoft backbone network to communicate between VNet1 and VNet2.
How many service endpoints should you configure for each virtual network? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 76
Topic #: 5
HOTSPOT –
You have the Azure key vaults shown in the following table.
KV1 stores a secret named Secret1 and a key for a managed storage account named Key1.
You back up Secret1 and Key1.
To which key vaults can you restore each backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 77
Topic #: 2
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 has access to the following identities:
✑ An OpenID-enabled user account
✑ A Hotmail account
✑ An account in contoso.com
✑ An account in an Azure AD tenant named fabrikam.com
You plan to use Azure Account Center to transfer the ownership of Sub1 to Admin1.
To which accounts can you transfer the ownership of Sub1?
A. contoso.com only
B. contoso.com, fabrikam.com, and Hotmail only
C. contoso.com and fabrikam.com only
D. contoso.com, fabrikam.com, Hotmail, and OpenID-enabled user account
Selected Answer: A
Question #: 78
Topic #: 1
You need to consider the underlined segment to establish whether it is accurate.
You have been tasked with creating a different subscription for each of your company's divisions. However, the subscriptions will be linked to a single Azure Active Directory (Azure AD) tenant.
You want to make sure that each subscription has identical role assignments.
You make use of Azure AD Privileged Identity Management (PIM).
Select `No adjustment required` if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.
A. No adjustment required
B. Azure Blueprints
C. Conditional access policies
D. Azure DevOps
Selected Answer: B
Question #: 79
Topic #: 3
You have an Azure subscription that contains the virtual machines shown in the following table.
All the virtual networks are peered.
You deploy Azure Bastion to VNET2.
Which virtual machines can be protected by the bastion host?
A. VM1, VM2, VM3, and VM4
B. VM1, VM2, and VM3 only
C. VM2 and VM4 only
D. VM2 only
Selected Answer: A
Question #: 80
Topic #: 4
You have an Azure subscription that contains the virtual machines shown in the following table.
From Azure Security Center, you turn on Auto Provisioning.
You deploy the virtual machines shown in the following table.
On which virtual machines is the Microsoft Monitoring Agent installed?
A. VM3 only
B. VM1 and VM3 only
C. VM3 and VM4 only
D. VM1, VM2, VM3, and VM4
Selected Answer: D