The latest Microsoft AZ-500 Azure Security Technologies certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-500 Azure Security Technologies exam and earn Microsoft AZ-500 Azure Security Technologies certification.
AZ-500 Question 61
Question
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device configuration policies in Microsoft Intune
B. Azure Automation State Configuration
C. security policies in Azure Security Center
D. device compliance policies in Microsoft Intune
Answer
B. Azure Automation State Configuration
Explanation
You can use Azure Automation State Configuration to manage Azure VMs (both Classic and Resource Manager), on-premises VMs, Linux machines, AWS VMs, and on-premises physical machines.
Note: Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux machines, in the cloud or on-premises.
Reference
- Azure > Automation > Get started with Azure Automation State Configuration
AZ-500 Question 62
Question
You have an Azure subscription that contains the virtual machines shown in the following table.
Name | Location | Virtual network name |
---|---|---|
VM1 | East US | VNET1 |
VM2 | West US | VNET2 |
VM3 | East US | VNET1 |
VM4 | West US | VNET3 |
All the virtual networks are peered.
You deploy Azure Bastion to VNET2.
Which virtual machines can be protected by the bastion host?
A. VM1, VM2, VM3, and VM4
B. VM1, VM2, and VM3 only
C. VM2 and VM4 only
D. VM2 only
Answer
A. VM1, VM2, VM3, and VM4
Reference
- Azure > Networking > Bastion > VNet peering and Azure Bastion
AZ-500 Question 63
Question
HOTSPOT
You create resources in an Azure subscription as shown in the following table.
Name | Type | Region |
---|---|---|
RG1 | Resource group | West Europe |
VNET1 | Azure virtual network | West Europe |
Contoso1901 | Azure Storage account | West Europe |
VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24. Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Statements:
- An Azure virtual machine on Subnet1 can access data in Contoso1901.
- An Azure virtual machine on Subnet2 can access data in Contoso1901.
- A computer on the Internet that has an IP address of 193.77.10.2 can access data in Contoso1901.
Answer
- An Azure virtual machine on Subnet1 can access data in Contoso1901: Yes
- An Azure virtual machine on Subnet2 can access data in Contoso1901: No
- A computer on the Internet that has an IP address of 193.77.10.2 can access data in Contoso1901: Yes
Explanation
Box 1: Yes. Access from Subnet1 is allowed.
Box 2: No. No access from Subnet2 is allowed.
Box 3: Yes. Access from IP address 193.77.10.2 is allowed.
AZ-500 Question 64
Question
SIMULATION
You need to ensure that only devices connected to a 131.107.0.0/16 subnet can access data in the rg1lod10598168 Azure Storage account.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
Step 1:
- In Azure portal go to the storage account you want to secure. Here: rg1lod10598168
- Click on the settings menu called Firewalls and virtual networks.
- To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.
- Click Save to apply your changes.
Step 2:
- Go to the storage account you want to secure. Here: rg1lod10598168
- Click on the settings menu called Firewalls and virtual networks.
- Check that you’ve selected to allow access from Selected networks.
- To grant access to a virtual network with a new network rule, under Virtual networks, click Add existing virtual network, select Virtual networks and Subnets options. Enter the 131.107.0.0/16 subnet and then click Add.
Note: When network rules are configured, only applications requesting data over the specified set of networks can access a storage account. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in an Azure Virtual Network (VNet).
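The following is an added example, not part of the original question bank: a small Python model of the storage account firewall semantics behind Questions 63 and 64 ("All networks" allows everything; "Selected networks" denies by default and allows only listed VNet subnets and public IP ranges). The rule sets are constructed from the answers, since the exhibit is not reproduced here, and the model deliberately simplifies Azure's real behaviour (for instance, a VM is matched by its subnet identity via a service endpoint, not by its private IP).

```python
import ipaddress

# RFC 1918 ranges: Azure Storage IP network rules accept public ranges only.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class StorageFirewall:
    """Simplified model of the 'Firewalls and virtual networks' setting (constructed example)."""

    def __init__(self, selected_networks, vnet_subnets=(), ip_rules=()):
        self.selected_networks = selected_networks          # False == "All networks"
        self.vnet_subnets = [ipaddress.ip_network(s) for s in vnet_subnets]
        self.ip_rules = []
        for r in ip_rules:
            net = ipaddress.ip_network(r, strict=False)
            if any(net.subnet_of(p) for p in PRIVATE):
                raise ValueError(f"IP rules accept public ranges only: {r}")
            self.ip_rules.append(net)

    def allows(self, source):
        """source is either a single IP (Internet client) or a subnet CIDR (Azure VM).
        A single address is checked against the IP rules; a subnet must itself be
        one of the allowed VNet subnets (or be contained in one)."""
        if not self.selected_networks:
            return True                                      # "All networks": default allow
        net = ipaddress.ip_network(source, strict=False)
        if net.num_addresses == 1:
            return any(net.subnet_of(r) for r in self.ip_rules)
        return any(net.subnet_of(s) for s in self.vnet_subnets)


# Question 63 as constructed from the answer key: Subnet1 and 193.77.10.2 allowed.
q63 = StorageFirewall(True, vnet_subnets=["10.0.0.0/24"], ip_rules=["193.77.10.2"])
# Question 64: only the 131.107.0.0/16 range may reach rg1lod10598168.
q64 = StorageFirewall(True, ip_rules=["131.107.0.0/16"])
```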
Reference
- Azure > Storage > Configure Azure Storage firewalls and virtual networks
AZ-500 Question 65
Question
SIMULATION
You need to grant the required permissions to a user named User2-11641655 to manage the virtual networks in the RG1lod11641655 resource group. The solution must use the principle of least privilege.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
1. In the Azure portal, locate and select the RG1lod11641655 resource group.
2. Click Access control (IAM).
3. Click the Role assignments tab to view all the role assignments at this scope.
4. Click Add > Add role assignment to open the Add role assignment pane.
Reference
- Azure > Role-based access control > Assign Azure roles using the Azure portal
- Azure > Role-based access control > Azure built-in roles > Virtual Machine Contributor
AZ-500 Question 66
Question
SIMULATION
You need to prevent administrative users from accidentally deleting a virtual network named VNET1. The administrative users must be allowed to modify the settings of VNET1.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as an Azure subscription, a resource group, or an individual resource.
Note: In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.
1. In the Settings blade for virtual network VNET1, select Locks.
2. To add a lock, select Add.
3. For Lock type, select Delete lock, and click OK.
Reference
- Azure > Resource Manager > Management > Lock resources to prevent unexpected changes
AZ-500 Question 67
Question
SIMULATION
You need to perform a full malware scan every Sunday at 02:00 on a virtual machine named VM1 by using Microsoft Antimalware for Virtual Machines.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
Deploy the Microsoft Antimalware extension using the Azure portal for a single-VM deployment:
1. In the Azure portal, go to the VM1 blade, navigate to the Extensions section and press Add.
2. Select the Microsoft Antimalware extension and press Create.
3. Fill in the "Install extension" form as desired and press OK:
- Scheduled: Enable
- Scan type: Full
- Scan day: Sunday
AZ-500 Question 68
Question
SIMULATION
You need to add the network interface of a virtual machine named VM1 to an application security group named ASG1.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
1. In the Search resources, services, and docs box at the top of the portal, begin typing the name of the virtual machine (VM1) whose network interface you want to add to, or remove from, an application security group.
2. When the name of your VM appears in the search results, select it.
3. Under SETTINGS, select Networking. Select Configure the application security groups, select the application security groups that you want to add the network interface to (or unselect the ones you want to remove it from), and then select Save.
Reference
- Azure > Networking > Virtual Network > Create, change, or delete a network interface
AZ-500 Question 69
Question
SIMULATION
You need to configure Azure to allow RDP connections from the Internet to a virtual machine named VM1. The solution must minimize the attack surface of VM1.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
To enable the RDP port in an NSG, follow these steps:
1. Sign in to the Azure portal.
2. In Virtual Machines, select VM1.
3. In Settings, select Networking.
4. In Inbound port rules, check whether the port for RDP is set correctly. The following is an example of the configuration:
- Priority: 300
- Name: Port_3389
- Port (Destination): 3389
- Protocol: TCP
- Source: Any
- Destination: Any
- Action: Allow
Reference
- Microsoft Docs > Troubleshoot > Azure > Virtual Machines > Windows > Cannot connect remotely to a VM because RDP port is not enabled in NSG
AZ-500 Question 70
Question
You have an Azure Container Registry named ContReg1 that contains a container image named image1.
You enable content trust for ContReg1.
After content trust is enabled, you push two images to ContReg1 as shown in the following table.
Name | Details |
---|---|
image2 | Image was pushed with client content trust enabled. |
image3 | Image was pushed with client content trust disabled. |
Which images are trusted images?
A. image1 and image2 only
B. image2 only
C. image1, image2, and image3
Answer
B. image2 only
Explanation
Azure Container Registry implements Docker’s content trust model, enabling pushing and pulling of signed images.
To push a trusted image tag to your container registry, enable content trust and push the image with docker push.
To work with trusted images, both image publishers and consumers need to enable content trust for their Docker clients. As a publisher, you can sign the images you push to a content trust-enabled registry.
Reference
- Azure > Container Registry > Content trust in Azure Container Registry