Microsoft Azure Certified Security Engineer AZ-500 Part 4
Question #: 121
Topic #: 4
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You are assigned the Global administrator role for the tenant. You are responsible for managing Azure Security Center settings.
You need to create a custom sensitivity label.
What should you do?
A. Create a custom sensitive information type.
B. Elevate access for global administrators in Azure AD.
C. Upgrade the pricing tier of the Security Center to Standard.
D. Enable integration with Microsoft Cloud App Security.
Selected Answer: A
Question #: 122
Topic #: 4
HOTSPOT –
You have the hierarchy of Azure resources shown in the following exhibit.
You create the Azure Blueprints definitions shown in the following table.
To which objects can you assign Blueprint1 and Blueprint2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 123
Topic #: 6
DRAG DROP –
You have an Azure subscription.
You plan to implement Azure DDoS Protection. The solution must meet the following requirements:
• Provide access to DDoS rapid response support during active attacks.
• Protect Basic SKU public IP addresses.
You need to recommend which type of DDoS Protection to use for each requirement.
What should you recommend? To answer, drag the appropriate DDoS Protection types to the correct requirements. Each DDoS Protection type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 124
Topic #: 2
DRAG DROP –
You create an Azure subscription with Azure AD Premium P2.
You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 125
Topic #: 5
HOTSPOT –
You need to create an Azure key vault. The solution must ensure that any object deleted from the key vault is retained for 90 days.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 126
Topic #: 1
Your company makes use of Azure Active Directory (Azure AD) in a hybrid configuration. All users are making use of hybrid Azure AD joined Windows 10 computers.
You manage an Azure SQL database that allows for Azure AD authentication.
You need to make sure that database developers are able to connect to the SQL database via Microsoft SQL Server Management Studio (SSMS). You also need to make sure the developers use their on-premises Active Directory account for authentication. Your strategy should allow for authentication prompts to be kept to a minimum.
Which of the following is the authentication method the developers should use?
A. Azure AD token.
B. Azure Multi-Factor authentication.
C. Active Directory integrated authentication.
Selected Answer: C
Question #: 127
Topic #: 1
You have been tasked with enabling Advanced Threat Protection for an Azure SQL Database server.
Advanced Threat Protection must be configured to identify all types of threat detection.
Which of the following will happen when a faulty SQL statement is generated in the database by an application?
A. A Potential SQL injection alert is triggered.
B. A Vulnerability to SQL injection alert is triggered.
C. An Access from a potentially harmful application alert is triggered.
D. A Brute force SQL credentials alert is triggered.
Selected Answer: B
Question #: 128
Topic #: 6
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a single subnet. The subscription contains a virtual machine named VM1 that is connected to VNet1.
You plan to deploy an Azure SQL managed instance named SQL1.
You need to ensure that VM1 can access SQL1.
Which three components should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a subnet
B. a network security perimeter
C. a virtual network gateway
D. a network security group (NSG)
E. a route table
Selected Answer: ADE
Question #: 129
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy an Azure AD Application Proxy.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 130
Topic #: 5
You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?
A. In Azure AD, create a role.
B. In Azure Key Vault, create a key.
C. In Azure Key Vault, create an access policy.
D. In Azure AD, enable Azure AD Application Proxy.
Selected Answer: C
Question #: 131
Topic #: 4
You have an Azure subscription that contains the Azure Log Analytics workspaces shown in the following table.
You create the virtual machines shown in the following table.
You plan to use Azure Sentinel to monitor Windows Defender Firewall on the virtual machines.
Which virtual machines can you connect to Azure Sentinel?
A. VM1 only
B. VM1 and VM3 only
C. VM1, VM2, VM3, and VM4
D. VM1 and VM2 only
Selected Answer: C
Question #: 132
Topic #: 6
HOTSPOT –
You are implementing an Azure Application Gateway web application firewall (WAF) named WAF1.
You have the following Bicep code snippet.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 133
Topic #: 1
Note: This question is one of a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish whether the solution satisfies the requirements.
You are in the process of creating an Azure Kubernetes Service (AKS) cluster. The Azure Kubernetes Service (AKS) cluster must be able to connect to an Azure Container Registry.
You want to make sure that Azure Kubernetes Service (AKS) cluster authenticates to the Azure Container Registry by making use of the auto-generated service principal.
Solution: You create an Azure Active Directory (Azure AD) role assignment.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 134
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Sub1.
You have an Azure Storage account named sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to sa1.
Solution: You regenerate the Azure storage account access keys.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 135
Topic #: 5
You have an Azure SQL database.
You implement Always Encrypted.
You need to ensure that application developers can retrieve and decrypt data in the database.
Which two pieces of information should you provide to the developers? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a stored access policy
B. a shared access signature (SAS)
C. the column encryption key
D. user credentials
E. the column master key
Selected Answer: CE
Question #: 136
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
Azure AD Privileged Identity Management (PIM) is used in contoso.com.
In PIM, the Password Administrator role has the following settings:
✑ Maximum activation duration (hours): 2
✑ Send email notifying admins of activation: Disable
✑ Require incident/request ticket number during activation: Disable
✑ Require Azure Multi-Factor Authentication for activation: Enable
✑ Require approval to activate this role: Enable
✑ Selected approver: Group1
You assign users the Password Administrator role as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 137
Topic #: 6
HOTSPOT –
You have an Azure subscription that contains the virtual networks shown in the following table.
NSG1 and NSG2 both have default rules only.
The subscription contains the virtual machines shown in the following table.
The subscription contains the web apps shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 138
Topic #: 4
You have an Azure subscription that contains 100 virtual machines and has Azure Defender enabled.
You plan to perform a vulnerability scan of each virtual machine.
You need to deploy the vulnerability scanner extension to the virtual machines by using an Azure Resource Manager template.
Which two values should you specify in the code to automate the deployment of the extension to the virtual machines? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. the user-assigned managed identity
B. the workspace ID
C. the Azure Active Directory (Azure AD) ID
D. the Key Vault managed storage account key
E. the system-assigned managed identity
F. the primary shared key
Selected Answer: AC
Question #: 139
Topic #: 1
Your company has an Azure subscription that includes two virtual machines, named VirMac1 and VirMac2, which both have a status of Stopped (Deallocated).
The virtual machines belong to different resource groups, named ResGroup1 and ResGroup2.
You have also created two Azure policies that are both configured with the virtualMachines resource type. The policy configured for ResGroup1 has a policy definition of Not allowed resource types, while the policy configured for ResGroup2 has a policy definition of Allowed resource types.
You then create a Read-only resource lock on VirMac1, as well as a Read-only resource lock on ResGroup2.
Which of the following is TRUE with regards to the scenario? (Choose all that apply.)
A. You will be able to start VirMac1.
B. You will NOT be able to start VirMac1.
C. You will be able to create a virtual machine in ResGroup2.
D. You will NOT be able to create a virtual machine in ResGroup2.
Selected Answer: BD
Question #: 140
Topic #: 5
You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize authentication prompts.
Which authentication method should you instruct the developers to use?
A. SQL Login
B. Active Directory - Universal with MFA support
C. Active Directory - Integrated
D. Active Directory - Password
Selected Answer: C
Question #: 141
Topic #: 6
DRAG DROP –
You have an Azure subscription.
You create an Azure Firewall policy that has the rules shown in the following table.
In which order should the rules be processed? To answer, move all rules from the list of rules to the answer area and arrange them in the correct order.
Suggestion Answer:
Question #: 142
Topic #: 5
DRAG DROP –
You have an Azure subscription named Sub1 that contains an Azure Storage account named contosostorage1 and an Azure key vault named Contosokeyvault1.
You plan to create an Azure Automation runbook that will rotate the keys of contosostorage1 and store them in Contosokeyvault1.
You need to implement prerequisites to ensure that you can implement the runbook.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 143
Topic #: 1
You have been tasked with delegating administrative access to your company’s Azure key vault.
You have to make sure that a specific user can set advanced access policies for the key vault. You also have to make sure that access is assigned based on the principle of least privilege.
Which of the following options should you use to achieve your goal?
A. Azure Information Protection
B. RBAC
C. Azure AD Privileged Identity Management (PIM)
D. Azure DevOps
Selected Answer: C
Question #: 144
Topic #: 4
You have an Azure subscription that contains a user named Admin1 and a virtual machine named VM1. VM1 runs Windows Server 2019 and was deployed by using an Azure Resource Manager template. VM1 is a member of a backend pool of a public Azure Basic Load Balancer.
Admin1 reports that VM1 is listed as Unsupported on the Just in time VM access blade of Azure Security Center.
You need to ensure that Admin1 can enable just in time (JIT) VM access for VM1.
What should you do?
A. Create and configure a network security group (NSG).
B. Create and configure an additional public IP address for VM1.
C. Replace the Basic Load Balancer with an Azure Standard Load Balancer.
D. Assign an Azure Active Directory Premium Plan 1 license to Admin1.
Selected Answer: A
Question #: 145
Topic #: 3
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device configuration policies in Microsoft Intune
B. an Azure Desired State Configuration (DSC) virtual machine extension
C. security policies in Azure Security Center
D. Azure Logic Apps
Selected Answer: B
Question #: 146
Topic #: 3
HOTSPOT –
You have an Azure subscription that contains the virtual machines shown in the following table.
You create the Azure policies shown in the following table.
You create the resource locks shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 147
Topic #: 6
You have an Azure subscription that contains the resources shown in the following table.
You create an Azure DDoS Protection plan named DDoS1 in the West US Azure region.
Which resources can you add to DDoS1?
A. VNet1 only
B. WebApp1 only
C. VNet1 and VNet2 only
D. VNet1 and WebApp1 only
E. VNet1, VNet2, and WebApp1
Selected Answer: C
Question #: 148
Topic #: 1
You have been tasked with delegating administrative access to your company’s Azure key vault.
You have to make sure that a specific user is able to add and delete certificates in the key vault. You also have to make sure that access is assigned based on the principle of least privilege.
Which of the following options should you use to achieve your goal?
A. A key vault access policy
B. Azure policy
C. Azure AD Privileged Identity Management (PIM)
D. Azure DevOps
Selected Answer: A
Question #: 149
Topic #: 2
You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults.
You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment.
The name of the key vault and the name of the secret will be provided as inline parameters.
What should you use to construct the resource ID?
A. a key vault access policy
B. a linked template
C. a parameters file
D. an automation account
Selected Answer: B
Question #: 150
Topic #: 6
DRAG DROP –
You have an Azure subscription that contains the resources shown in the following table.
You need to configure network connectivity to meet the following requirements:
• Communication from VM1 to storage1 must traverse an optimized Microsoft backbone network.
• All the outbound traffic from VM1 to the internet must be denied.
• The solution must minimize costs and administrative effort.
What should you configure for VNet1 and NSG1? To answer, drag the appropriate components to the correct resources. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 151
Topic #: 4
HOTSPOT –
You have an Azure subscription that contains the resources shown in the following table.
An IP address of 10.1.0.4 is assigned to VM5. VM5 does not have a public IP address.
VM5 has just in time (JIT) VM access configured as shown in the following exhibit.
You enable JIT VM access for VM5.
NSG1 has the inbound rules shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 152
Topic #: 3
HOTSPOT –
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
You create a resource group named RG1.
Which users can modify the permissions for RG1 and which users can create virtual networks in RG1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 153
Topic #: 5
HOTSPOT –
You have an Azure subscription that contains an Azure key vault named ContosoKey1.
You create users and assign them roles as shown in the following table.
You need to identify which users can perform the following actions:
✑ Delegate permissions for ContosoKey1.
✑ Configure network access to ContosoKey1.
Which users should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 154
Topic #: 2
HOTSPOT –
You create a new Azure subscription that is associated to a new Azure Active Directory (Azure AD) tenant.
You create one active conditional access policy named Portal Policy. Portal Policy is used to provide access to the Microsoft Azure Management cloud app.
The Conditions settings for Portal Policy are configured as shown in the Conditions exhibit. (Click the Conditions tab.)
The Grant settings for Portal Policy are configured as shown in the Grant exhibit. (Click the Grant tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 155
Topic #: 1
You have an Azure virtual machine that runs Windows Server R2.
You plan to deploy and configure an Azure Key vault, and enable Azure Disk Encryption for the virtual machine.
Which of the following is TRUE with regards to Azure Disk Encryption for a Windows VM?
A. It is supported for basic tier VMs.
B. It is supported for standard tier VMs.
C. It is supported for VMs configured with software-based RAID systems.
D. It is supported for VMs configured with Storage Spaces Direct (S2D).
Selected Answer: B
Question #: 156
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
The tenant contains the named locations shown in the following table.
You create the conditional access policies for a cloud app named App1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 157
Topic #: 6
HOTSPOT –
You have an Azure subscription that contains an Azure firewall named AzFW1. AzFW1 has a firewall policy named FWPolicy1.
You need to add rule collections to FWPolicy1 to meet the following requirements:
• Allow traffic based on the FQDN of the destination.
• Allow TCP traffic.
Which types of rule collections should you add for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 158
Topic #: 5
You have an Azure subscription that contains four Azure SQL managed instances.
You need to evaluate the vulnerability of the managed instances to SQL injection attacks.
What should you do first?
A. Create an Azure Sentinel workspace.
B. Enable Advanced Data Security.
C. Add the SQL Health Check solution to Azure Monitor.
D. Create an Azure Advanced Threat Protection (ATP) instance.
Selected Answer: B
Question #: 159
Topic #: 1
You have an Azure virtual machine that runs Ubuntu 16.04-DAILY-LTS.
You plan to deploy and configure an Azure Key vault, and enable Azure Disk Encryption for the virtual machine.
Which of the following is TRUE with regards to Azure Disk Encryption for a Linux VM?
A. It is NOT supported for basic tier VMs.
B. It is NOT supported for standard tier VMs.
C. OS drive encryption for Linux virtual machine scale sets is supported.
D. Custom image encryption is supported.
Selected Answer: A
Question #: 160
Topic #: 4
You have an Azure Active Directory (Azure AD) tenant and a root management group.
You create 10 Azure subscriptions and add the subscriptions to the root management group.
You need to create an Azure Blueprints definition that will be stored in the root management group.
What should you do first?
A. Modify the role-based access control (RBAC) role assignments for the root management group.
B. Add an Azure Policy definition to the root management group.
C. Create a user-assigned identity.
D. Create a service principal.
Selected Answer: A