Microsoft Azure Certified Security Engineer AZ-500 Part 5
Question #: 161
Topic #: 6
HOTSPOT –
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
All the virtual machines have only private IP addresses.
You deploy Azure Bastion to VNet1 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 162
Topic #: 5
DRAG DROP –
You have an Azure subscription named Sub1. Sub1 contains an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to encrypt VM1 disks by using Azure Disk Encryption.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggested Answer:
Question #: 163
Topic #: 2
HOTSPOT –
You have an Azure subscription named Sub1 that is associated with an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
Each user is assigned an Azure AD Premium P2 license.
You plan to onboard and configure Azure AD Identity Protection.
Which users can onboard Azure AD Identity Protection, remediate users, and configure policies? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 164
Topic #: 1
You need to consider the underlined segment to establish whether it is accurate.
You have configured an Azure Kubernetes Service (AKS) cluster in your testing environment.
You are currently preparing to deploy the cluster to the production environment.
After disabling HTTP application routing, you want to replace it with an application routing solution that provides reverse proxying and TLS termination for AKS services through a single IP address.
You must create an AKS Ingress controller.
Select `No adjustment required` if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.
A. No adjustment required.
B. a network security group
C. an application security group
D. an Azure Basic Load Balancer
Selected Answer: A
Question #: 165
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
From Azure AD Privileged Identity Management (PIM), you configure the settings for the Security Administrator role as shown in the following exhibit.
From PIM, you assign the Security Administrator role to the following groups:
✑ Group1: Active assignment type, permanently assigned
✑ Group2: Eligible assignment type, permanently eligible
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 166
Topic #: 4
DRAG DROP –
You have five Azure subscriptions linked to a single Azure Active Directory (Azure AD) tenant.
You create an Azure Policy initiative named SecurityPolicyInitiative1.
You identify which standard role assignments must be configured on all new resource groups.
You need to enforce SecurityPolicyInitiative1 and the role assignments when a new resource group is created.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggested Answer:
Question #: 167
Topic #: 6
HOTSPOT –
You have an Azure subscription that contains the resources shown in the following table.
You plan to use service endpoints and service endpoint policies.
Which resources can be accessed by using a service endpoint, and which resources support service endpoint policies? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 168
Topic #: 1
You want to gather logs from a large number of Windows Server 2016 computers using Azure Log Analytics.
You are configuring an Azure Resource Manager template to deploy the Microsoft Monitoring Agent to all the servers automatically.
Which of the following should be included in the template? (Choose all that apply.)
A. WorkspaceID
B. AzureADApplicationID
C. WorkspaceKey
D. StorageAccountKey
Selected Answer: AC
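The distinction behind this answer is where each value goes in the extension resource: the workspace ID is ordinary configuration, but the workspace key is a credential and belongs in the extension's protectedSettings, which Resource Manager encrypts and never returns on a read. The following lint, added here as an example and not code from the original page, builds a constructed single-VM template for the Microsoft Monitoring Agent extension and checks that the key is in protectedSettings and is supplied through a securestring parameter. The VM name, resource API version and parameter names are assumptions.

```python
"""Lint an ARM template that deploys the Microsoft Monitoring Agent extension.

Added example, not code from the original page: the extension takes the Log
Analytics workspaceId in "settings" (public, readable back from the resource)
and the workspaceKey in "protectedSettings" (encrypted at rest by ARM and
never returned). The template produced by make_template() is constructed for
this example; resource names and API version are assumptions.
"""
import re

MMA_PUBLISHER = "Microsoft.EnterpriseCloud.Monitoring"
MMA_TYPE = "MicrosoftMonitoringAgent"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def make_template(key_location="protectedSettings", key_param_type="securestring"):
    """Build a constructed single-VM template. The two arguments let the lint be
    exercised against a correct template and a leaky one."""
    ext = {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "vm1/MicrosoftMonitoringAgent",          # assumed VM name
        "apiVersion": "2021-03-01",
        "location": "[resourceGroup().location]",
        "properties": {
            "publisher": MMA_PUBLISHER,
            "type": MMA_TYPE,
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": True,
            "settings": {"workspaceId": "[parameters('workspaceId')]"},
            "protectedSettings": {},
        },
    }
    ext["properties"][key_location]["workspaceKey"] = "[parameters('workspaceKey')]"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "workspaceId": {"type": "string"},
            "workspaceKey": {"type": key_param_type},
        },
        "resources": [ext],
    }


def _param_type(template, value):
    """Type of the parameter a value references, or None for a literal."""
    m = PARAM_REF.match(str(value))
    if not m:
        return None
    return template.get("parameters", {}).get(m.group(1), {}).get("type")


def lint_mma_extension(template):
    """Return a list of findings; an empty list means the template is clean."""
    findings = []
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if (res.get("type") != "Microsoft.Compute/virtualMachines/extensions"
                or props.get("type") != MMA_TYPE):
            continue
        name = res.get("name", "<unnamed>")
        settings = props.get("settings", {})
        protected = props.get("protectedSettings", {})
        if "workspaceId" not in settings:
            findings.append(f"{name}: settings.workspaceId is missing")
        if "workspaceKey" in settings:
            findings.append(f"{name}: workspaceKey is in settings and would be "
                            "readable from the extension resource and deployment history")
        if "workspaceKey" not in protected:
            findings.append(f"{name}: protectedSettings.workspaceKey is missing")
        for value in (settings.get("workspaceKey"), protected.get("workspaceKey")):
            if value is None:
                continue
            ptype = _param_type(template, value)
            if ptype is None:
                findings.append(f"{name}: workspaceKey is a literal; pass it as a securestring parameter")
            elif ptype != "securestring":
                findings.append(f"{name}: workspaceKey parameter is '{ptype}', expected securestring")
    return findings


if __name__ == "__main__":
    for finding in lint_mma_extension(make_template("settings", "string")):
        print(finding)
```

Running the lint over a template that puts the key in settings with a plain string parameter produces three findings; the default template produces none. The same check is worth running in CI over any template that carries agent keys or connection strings, not only this extension.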
Question #: 169
Topic #: 5
You have an Azure subscription that contains a virtual machine named VM1.
You create an Azure key vault that has the following configurations:
✑ Name: Vault5
✑ Region: West US
✑ Resource group: RG1
You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup.
Which key vault settings should you configure?
A. Access policies
B. Secrets
C. Keys
D. Locks
Selected Answer: A
Question #: 170
Topic #: 2
HOTSPOT –
Your company has an Azure subscription named Subscription1 that contains the users shown in the following table.
The company is sold to a new owner.
The company needs to transfer ownership of Subscription1.
Which user can transfer the ownership and which tool should the user use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 171
Topic #: 6
HOTSPOT –
You have an Azure App Service web app named App1 as shown in the following exhibit.
Subnet 2 contains a virtual machine named VM1.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 172
Topic #: 3
You have an Azure virtual machine named VM1.
From Microsoft Defender for Cloud, you get the following high-severity recommendation: `Install endpoint protection solutions on virtual machine`.
You need to resolve the issue causing the high-severity recommendation.
What should you do?
A. Add the Microsoft Antimalware extension to VM1.
B. Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1.
C. Add the Network Watcher Agent for Windows extension to VM1.
D. Onboard VM1 to Microsoft Defender for Endpoint.
Selected Answer: D
Question #: 173
Topic #: 1
Note: This question is one of a series that share the same scenario. Each question presents a different solution. Determine whether the solution meets the goal.
Your company has an Azure subscription linked to its Azure Active Directory (Azure AD) tenant.
As a Global administrator for the tenant, part of your responsibilities involves managing Azure Security Center settings.
You are currently preparing to create a custom sensitivity label.
Solution: You start by altering the pricing tier of the Security Center.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 174
Topic #: 4
You have three on-premises servers named Server1, Server2, and Server3 that run Windows Server 2019. Server1 and Server2 are located on the internal network. Server3 is located on the perimeter network. All servers have access to Azure.
From Azure Sentinel, you install a Windows firewall data connector.
You need to collect Microsoft Defender Firewall data from the servers for Azure Sentinel.
What should you do?
A. Create an event subscription from Server1, Server2, and Server3.
B. Install the On-premises data gateway on each server.
C. Install the Microsoft Monitoring Agent on each server.
D. Install the Microsoft Monitoring Agent on Server1 and Server2. Install the On-premises data gateway on Server3.
Selected Answer: C
Question #: 175
Topic #: 5
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database user.
What should you do?
A. Enable a managed identity on VM1.
B. Create a secret in KV1.
C. Configure a service endpoint on SQL1.
D. Create a key in KV1.
Selected Answer: A
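What makes the managed identity the right answer is that nothing on VM1 has to hold a credential: the VM requests a token for Azure SQL from the instance metadata endpoint, and a contained database user created FROM EXTERNAL PROVIDER maps that identity to database permissions. The code below is an added example, not code from the original page. It assumes VM1 has a system-assigned managed identity, SQL1 has an Azure AD admin set, and the azure-identity and pyodbc packages and ODBC Driver 18 are installed on VM1 (those imports are deferred into connect() so the module loads without them). The server and database names are placeholders.

```python
"""Connect a VM's managed identity to Azure SQL through a contained database user.

Added example, not code from the original page. Assumptions: VM1 has a
system-assigned managed identity, SQL1 has an Azure AD admin configured, and
the azure-identity and pyodbc packages plus ODBC Driver 18 are present on
VM1 (those imports are deferred into connect() so the module loads without
them). The server and database names are placeholders.
"""
import base64
import json
import struct

# Run once by the Azure AD admin inside the target database (not master).
# The user is mapped to the identity's display name, which for a
# system-assigned identity is the VM name; there is no password to store.
CONTAINED_USER_TSQL = """
CREATE USER [VM1] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [VM1];
"""

SQL_SCOPE = "https://database.windows.net/.default"   # token audience for Azure SQL
SQL_COPT_SS_ACCESS_TOKEN = 1256                        # msodbcsql.h connection attribute


def pack_access_token(token: str) -> bytes:
    """The ODBC driver wants a 4-byte little-endian length followed by the
    token as UTF-16-LE; handing it the raw string is the usual mistake."""
    raw = token.encode("utf-16-le")
    return struct.pack("<I", len(raw)) + raw


def token_audience(token: str) -> str:
    """Read 'aud' from a JWT payload without verifying it (troubleshooting only:
    SQL verifies the signature; this just confirms the right scope was requested)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT so token_audience() can be exercised offline."""
    def b64(part):
        return base64.urlsafe_b64encode(json.dumps(part).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def connect(server: str, database: str):
    """Obtain a token from the VM's managed identity (IMDS) and open a connection
    with it; no secret is read from configuration or Key Vault."""
    from azure.identity import ManagedIdentityCredential
    import pyodbc
    token = ManagedIdentityCredential().get_token(SQL_SCOPE).token
    conn_str = (
        "Driver={ODBC Driver 18 for SQL Server};"
        f"Server=tcp:{server},1433;Database={database};"
        "Encrypt=yes;TrustServerCertificate=no;"
    )
    return pyodbc.connect(conn_str,
                          attrs_before={SQL_COPT_SS_ACCESS_TOKEN: pack_access_token(token)})


if __name__ == "__main__":
    # Placeholder names; only meaningful on a VM that has a managed identity.
    conn = connect("sql1.database.windows.net", "db1")
    print(conn.cursor().execute("SELECT SUSER_SNAME(), USER_NAME()").fetchone())
```

The T-SQL has to be run in the target database, not in master; a login-less contained user is what keeps the database portable and keeps the VM out of the server-level principal list. The token check is only a diagnostic for the common "Login failed" case where a token was requested for the wrong audience.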
Question #: 176
Topic #: 6
HOTSPOT –
You have an Azure subscription that contains a virtual machine named VM1.
You have a network security group (NSG) named NSG1 that is associated to the network interface of VM1 and is configured as shown in the following exhibit.
Just-in-time (JIT) VM access is enabled on VM1 and has the following configurations:
• Management ports: 3389, 22
• Maximum time range: 3 hours
• Allowed source IP addresses: Any
You activate the JIT rule and connect to VM1 by using SSH.
For each of the following statements, select Yes if the statement is true, otherwise select No.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 177
Topic #: 3
HOTSPOT –
You have a file named File1.yaml that contains the following contents.
You create an Azure container instance named container1 by using File1.yaml.
You need to identify where you can access the values of Variable1 and Variable2.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 178
Topic #: 1
Note: This question is one of a series that share the same scenario. Each question presents a different solution. Determine whether the solution meets the goal.
Your company has an Azure subscription linked to its Azure Active Directory (Azure AD) tenant.
As a Global administrator for the tenant, part of your responsibilities involves managing Azure Security Center settings.
You are currently preparing to create a custom sensitivity label.
Solution: You start by integrating Security Center and Microsoft Cloud App Security.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 179
Topic #: 4
You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Azure Defender for SQL.
What should you do?
A. From Azure CLI, run the Get-AzOperationalInsightsWorkspace cmdlet.
B. From the Azure SQL Database query editor, create a Transact-SQL query.
C. From the Azure Sentinel workspace, create a Kusto query language query.
D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
Selected Answer: C
Question #: 180
Topic #: 6
You have an on-premises network.
You have an Azure subscription that contains the resources shown in the following table.
You plan to deploy a Site-to-Site (S2S) VPN between the on-premises network and VNet1.
You need to recommend an Azure VPN Gateway SKU that meets the following requirements:
• Supports 1-Gbps throughput
• Minimizes costs
What should you recommend?
A. VpnGw1
B. VpnGw2
C. VpnGw1AZ
D. VpnGw2AZ
Selected Answer: B
Question #: 181
Topic #: 1
Note: This question is one of a series that share the same scenario. Each question presents a different solution. Determine whether the solution meets the goal.
Your company has an Azure subscription linked to its Azure Active Directory (Azure AD) tenant.
As a Global administrator for the tenant, part of your responsibilities involves managing Azure Security Center settings.
You are currently preparing to create a custom sensitivity label.
Solution: You start by creating a custom sensitive information type.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 182
Topic #: 3
HOTSPOT –
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 have a Microsoft.Storage service endpoint configured.
You have an Azure Storage account named storageacc1 that is configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Suggested Answer:
Question #: 183
Topic #: 6
HOTSPOT –
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the subnets shown in the following table.
The subscription contains the virtual machines shown in the following table.
VM3 contains a service that listens for connections on port 8080.
For VM1, you configure just-in-time (JIT) VM access as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggested Answer:
Question #: 184
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:
✑ Assignments: Include Group1, exclude Group2
✑ Conditions: Sign-in risk level: Medium and above
✑ Access: Allow access, Require multi-factor authentication
You need to identify what occurs when the users sign in to Azure AD.
What should you identify for each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
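The three settings interact in a way that is easy to get wrong when reasoning about the user table: exclusion takes precedence over inclusion, the control applies only at or above the configured risk level, and "require MFA" can only be satisfied by a user who has already registered for multi-factor authentication, so an unregistered user in scope is blocked rather than prompted. The evaluator below is an added example, not code from the original page; the user names, group memberships, risk levels and registration flags in SAMPLE_SIGNINS are constructed.

```python
"""Evaluate the sign-in risk policy from the question against individual sign-ins.

Added example, not code from the original page. It encodes how Identity
Protection scopes and applies a sign-in risk policy: a user is in scope only
when included and not excluded (exclusion wins), the control fires only when
the detected risk is at or above the configured level, and a user who has not
registered for multi-factor authentication cannot satisfy "require MFA" and is
blocked instead. The user records and risk levels below are constructed.
"""
from dataclasses import dataclass

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignInRiskPolicy:
    include: frozenset
    exclude: frozenset
    min_risk: str = "medium"   # "Medium and above"
    control: str = "mfa"       # "mfa" (Allow access, require MFA) or "block"
    enforced: bool = True      # report-only policies never change the outcome

    def in_scope(self, groups) -> bool:
        groups = set(groups)
        return bool(groups & self.include) and not (groups & self.exclude)

    def outcome(self, groups, sign_in_risk: str, mfa_registered: bool) -> str:
        """Return 'allow', 'require_mfa' or 'blocked' for one sign-in."""
        if not self.enforced or not self.in_scope(groups):
            return "allow"
        if RISK_ORDER[sign_in_risk] < RISK_ORDER[self.min_risk]:
            return "allow"
        if self.control == "block":
            return "blocked"
        return "require_mfa" if mfa_registered else "blocked"


QUESTION_POLICY = SignInRiskPolicy(include=frozenset({"Group1"}), exclude=frozenset({"Group2"}))

# Constructed sign-ins: (user, groups, detected sign-in risk, registered for MFA)
SAMPLE_SIGNINS = [
    ("user1", {"Group1"}, "high", True),            # in scope, risky, registered
    ("user2", {"Group1", "Group2"}, "high", True),  # excluded by Group2 membership
    ("user3", {"Group1"}, "low", False),            # below the configured risk level
    ("user4", {"Group1"}, "medium", False),         # in scope but cannot do MFA
    ("user5", set(), "high", True),                 # not included at all
]


def evaluate_all(policy=QUESTION_POLICY, signins=SAMPLE_SIGNINS):
    return {user: policy.outcome(groups, risk, mfa) for user, groups, risk, mfa in signins}


if __name__ == "__main__":
    for user, result in evaluate_all().items():
        print(f"{user}: {result}")
```

The blocked outcome for user4 is the case that usually surprises people: turning on a risk policy that requires MFA before the MFA registration campaign has finished locks out exactly the risky sign-ins it was meant to step up.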
Question #: 185
Topic #: 5
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant named contoso1812.onmicrosoft.com that contains the users shown in the following table.
You create an Azure Information Protection label named Label1. The Protection settings for Label1 are configured as shown in the exhibit. (Click the Exhibit tab.)
Label1 is applied to a file named File1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 186
Topic #: 1
You have a sneaking suspicion that there are users trying to sign in to resources that are inaccessible to them.
You decide to create an Azure Log Analytics query to confirm your suspicions. The query will detect unsuccessful user sign-in attempts from the last few days.
You want to make sure that the results only show users who have failed to sign in more than five times.
Which of the following should be included in your query?
A. The EventID and CountIf() parameters.
B. The ActivityID and CountIf() parameters.
C. The EventID and Count() parameters.
D. The ActivityID and Count() parameters.
Selected Answer: C
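The query behind this answer filters the SecurityEvent table on the Windows failed-logon event ID and aggregates with count() per account, then keeps accounts over the threshold. The script below is an added example, not code from the original page: it shows the KQL for reference and runs the same logic locally over constructed SecurityEvent rows, so the time window and the threshold can be checked, including the two ways a naive version goes wrong (counting successful logons, and counting failures older than the window). Account names and timestamps are constructed.

```python
"""Find accounts with more than five failed sign-ins over the last few days.

Added example, not code from the original page: the logic the Log Analytics
query expresses, run locally over constructed SecurityEvent rows so the
window and threshold can be checked. EventID 4625 is Windows' "An account
failed to log on"; 4624 (successful logon) must not be counted. Account
names and timestamps are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# The equivalent KQL for the workspace (reference only, not executed here).
KQL = """
SecurityEvent
| where TimeGenerated > ago(3d) and EventID == 4625
| summarize FailedCount = count() by Account
| where FailedCount > 5
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the sample


def failed_signins(events, now, window=timedelta(days=3), threshold=5):
    """Accounts whose 4625 count inside the window exceeds the threshold.
    events: dicts with TimeGenerated (aware datetime), EventID and Account."""
    cutoff = now - window
    counts = Counter(
        e["Account"]
        for e in events
        if e["EventID"] == FAILED_LOGON and e["TimeGenerated"] > cutoff
    )
    return {account: n for account, n in counts.items() if n > threshold}


def sample_events(now=NOW):
    """Constructed rows: alice 6 recent failures; bob 5 recent plus 3 older than
    the window; carol 7 successes, which look like noise to a naive count."""
    def row(age, event_id, account):
        return {"TimeGenerated": now - age, "EventID": event_id, "Account": account}
    rows = [row(timedelta(minutes=i), FAILED_LOGON, r"CONTOSO\alice") for i in range(6)]
    rows += [row(timedelta(hours=i), FAILED_LOGON, r"CONTOSO\bob") for i in range(5)]
    rows += [row(timedelta(days=10, hours=i), FAILED_LOGON, r"CONTOSO\bob") for i in range(3)]
    rows += [row(timedelta(minutes=i), SUCCESS_LOGON, r"CONTOSO\carol") for i in range(7)]
    return rows


if __name__ == "__main__":
    for account, n in failed_signins(sample_events(), NOW).items():
        print(f"{account}: {n} failed sign-ins")
```

Only alice crosses the threshold: bob's eight failures drop to five once the stale ones fall outside the window, and carol's events are successes. When turning this into an alert, bin by time as well as by account so that a slow spray over days is not hidden by the aggregate.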
Question #: 187
Topic #: 4
You are collecting events from Azure virtual machines to an Azure Log Analytics workspace.
You plan to create alerts based on the collected events.
You need to identify which Azure services can be used to create the alerts.
Which two services should you identify? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Monitor
B. Azure Security Center
C. Azure Analysis Services
D. Azure Sentinel
E. Azure Advisor
Selected Answer: AD
Question #: 188
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
In Azure AD Privileged Identity Management (PIM), the Role settings for the Contributor role are configured as shown in the exhibit. (Click the Exhibit tab.)
You assign users the Contributor role on May 1, 2019 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 189
Topic #: 3
HOTSPOT –
You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.
You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6.
Which additional virtual machines can be updated by using Update1 and Update2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 190
Topic #: 1
Your company uses Azure DevOps with branch policies configured.
Which of the following is TRUE with regards to branch policies? (Choose all that apply.)
A. It enforces your team’s change management standards.
B. It controls who can read and update the code in a branch.
C. It enforces your team’s code quality.
D. It places a branch into a read-only state.
Selected Answer: AC
Question #: 191
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create an initiative and an assignment that is scoped to a management group.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 192
Topic #: 2
HOTSPOT –
You work at a company named Contoso, Ltd. that has the offices shown in the following table.
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com. All contoso.com users have Azure Multi-Factor Authentication (MFA) enabled. The tenant contains the users shown in the following table.
The multi-factor authentication settings for contoso.com are configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 193
Topic #: 3
HOTSPOT –
You have an Azure subscription named Sub1.
You create a virtual network that contains one subnet. On the subnet, you provision the virtual machines shown in the following table.
Currently, you have not provisioned any network security groups (NSGs).
You need to implement network security to meet the following requirements:
✑ Allow traffic to VM4 from VM3 only.
✑ Allow traffic from the Internet to VM1 and VM2 only.
✑ Minimize the number of NSGs and network security rules.
How many NSGs and network security rules should you create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
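Counting NSGs and rules correctly depends on how the platform evaluates them: rules are tried from the lowest priority number upward, the first match wins, and Azure's default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) sit at the end. The evaluator below is an added example, not code from the original page. It serves this question and the two just-in-time questions above (#176 and #183), since JIT works by inserting and removing NSG rules. It models a single NSG on the subnet with three rules: the explicit deny for VM4 is what overrides the default AllowVnetInBound, and the default DenyAllInBound already keeps the Internet away from VM3 and VM4. The addresses, application security group names, JIT rule priorities and the 3-hour window are constructed, and the VNet is modelled as one subnet.

```python
"""Evaluate inbound NSG rules the way the platform does: lowest priority number
first, first match wins, Azure's default rules last.

Added example, not code from the original page. It serves the NSG sizing
question (allow VM3 -> VM4 only, Internet -> VM1/VM2 only, fewest NSGs and
rules) and the two JIT questions, since JIT works by inserting and removing
NSG rules. Addresses, application security group names, JIT rule priorities
and the 3-hour window are constructed; the VNet is modelled as one subnet.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress

SUBNET = ipaddress.ip_network("10.0.0.0/24")
VMS = {"VM1": "10.0.0.4", "VM2": "10.0.0.5", "VM3": "10.0.0.6", "VM4": "10.0.0.7"}
ASG = {"asg-web": {"VM1", "VM2"}, "asg-vm4": {"VM4"}}   # application security groups
AZURE_LB_PROBE = "168.63.129.16"
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str                  # "Allow" or "Deny"
    src: str                     # CIDR, "Any", "Internet", "VirtualNetwork", "AzureLoadBalancer" or ASG
    dst: str                     # CIDR, "Any", "VirtualNetwork" or ASG
    port: str = "*"              # "*" or one port
    expires: Optional[datetime] = None   # only JIT allow rules are time-bound


DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "AzureLoadBalancer", "Any"),
    Rule(65500, "DenyAllInBound", "Deny", "Any", "Any"),
]

# One NSG on the subnet: three rules meet both requirements. Without rule 110 the
# default AllowVnetInBound would let VM1 and VM2 reach VM4.
SUBNET_NSG = [
    Rule(100, "AllowVM3ToVM4", "Allow", VMS["VM3"] + "/32", "asg-vm4"),
    Rule(110, "DenyOthersToVM4", "Deny", "Any", "asg-vm4"),
    Rule(120, "AllowInternetToWeb", "Allow", "Internet", "asg-web"),
]


def _match(spec, ip_str, vm_name):
    if spec in ("Any", "*"):
        return True
    if spec in ASG:
        return vm_name in ASG[spec]
    ip = ipaddress.ip_address(ip_str)
    if spec == "VirtualNetwork":
        return ip in SUBNET
    if spec == "Internet":
        return ip not in SUBNET          # everything outside the VNet address space
    if spec == "AzureLoadBalancer":
        return ip_str == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src_ip, dst_vm, port, now=NOW):
    """Return 'Allow' or 'Deny' for one inbound flow to dst_vm."""
    src_vm = next((n for n, ip in VMS.items() if ip == src_ip), None)
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.expires is not None and now >= r.expires:
            continue                     # JIT window closed: the rule has been removed
        if r.port not in ("*", str(port)):
            continue
        if _match(r.src, src_ip, src_vm) and _match(r.dst, VMS[dst_vm], dst_vm):
            return r.action
    return "Deny"


def jit_baseline(vm, ports=(22, 3389), priority=4096):
    """Enabling JIT: the management ports are locked with deny rules ahead of the
    default AllowVnetInBound. Priority is an assumption for this example."""
    return [Rule(priority + i, f"JIT-Deny-{vm}-{p}", "Deny", "Any", VMS[vm] + "/32", str(p))
            for i, p in enumerate(ports)]


def jit_activate(vm, port, requested_at, source_ip="Any", hours=3, priority=4000):
    """Approved request: a time-bound allow for the requested port (and source, if
    one was given) at higher precedence than the deny rules."""
    src = "Any" if source_ip == "Any" else source_ip + "/32"
    return Rule(priority, f"JIT-Allow-{vm}-{port}", "Allow", src, VMS[vm] + "/32",
                str(port), expires=requested_at + timedelta(hours=hours))


if __name__ == "__main__":
    rules = SUBNET_NSG + jit_baseline("VM3") + [jit_activate("VM3", 22, NOW, VMS["VM1"])]
    print(evaluate(rules, VMS["VM1"], "VM3", 22))                       # inside the window
    print(evaluate(rules, VMS["VM1"], "VM3", 22, now=rules[-1].expires))  # after it closes
```

Two details worth noticing: a JIT request that opens port 22 leaves 3389 locked, and when the request specifies "Any" source the opened port is reachable from every address the rest of the NSG already admits, which is why the source-IP field on a JIT request matters more than the duration.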
Question #: 194
Topic #: 1
After creating a new Azure subscription, you are tasked with making sure that custom alert rules can be created in Azure Security Center.
You have created an Azure Storage account.
Which of the following is the action you should take?
A. You should make sure that Azure Active Directory (Azure AD) Identity Protection is removed.
B. You should create a DLP policy.
C. You should create an Azure Log Analytics workspace.
D. You should make sure that Security Center has the necessary tier configured.
Selected Answer: C
Question #: 195
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 196
Topic #: 3
HOTSPOT –
You have an Azure key vault.
You need to delegate administrative access to the key vault to meet the following requirements:
✑ Provide a user named User1 with the ability to set advanced access policies for the key vault.
✑ Provide a user named User2 with the ability to add and delete certificates in the key vault.
✑ Use the principle of least privilege.
What should you use to assign access to each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Question #: 197
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy definition and assignments that are scoped to resource groups.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 198
Topic #: 1
Your company’s Azure subscription includes an Azure Log Analytics workspace.
Your company has a hundred on-premises servers that run either Windows Server 2012 R2 or Windows Server 2016 and that are linked to the Azure Log Analytics workspace. The Azure Log Analytics workspace is set up to gather security-related performance counters from these linked servers.
You have been tasked with configuring alerts according to the information gathered by the Azure Log Analytics workspace.
You have to make sure that the alert rules support dimensions and that alert creation time is kept to a minimum. Furthermore, a single alert notification must be sent when the alert fires and when it is resolved.
You need to make use of the necessary signal type when creating the alert rules.
Which of the following is the option you should use?
A. You should make use of the Activity log signal type.
B. You should make use of the Application Log signal type.
C. You should make use of the Metric signal type.
D. You should make use of the Audit Log signal type.
Selected Answer: C
Question #: 199
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a resource graph and an assignment that is scoped to a management group.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 200
Topic #: 1
Your company’s Azure subscription includes a hundred virtual machines that have Azure Diagnostics enabled.
You have been tasked with retrieving the identity of the user that removed a virtual machine fifteen days ago. You have already accessed Azure Monitor.
Which of the following options should you use?
A. Application Log
B. Metrics
C. Activity Log
D. Logs
Selected Answer: C