The latest Microsoft AZ-500 Azure Security Technologies practice exam question and answer (Q&A) dumps are available free to help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the Microsoft AZ-500 Azure Security Technologies certification.
AZ-500 Question 91
Question
HOTSPOT –
You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-1111111111.
You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.
What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Resource provider:
- Microsoft.Authorization
- Microsoft.Resources
- Microsoft.Support
Assignable scope:
- /
- /Group1
- /Subscriptions/11111111-1234-1234-1234-1111111111
Answer
Resource provider: Microsoft.Resources
Assignable scope: /Subscriptions/11111111-1234-1234-1234-1111111111
Explanation
Note: Assigning a custom RBAC role at the management group level is currently in preview only. So, for now, the answer to the assignable scope is the subscription level.
Reference
- Azure > Role-based access control > Azure resource provider operations
- Azure > Role-based access control > Azure custom roles
- Azure > Role-based access control > Create or update Azure custom roles using the Azure portal > Step 5: Assignable scopes
AZ-500 Question 92
Question
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant that contains the resources shown in the following table.
Name | Type |
---|---|
User1 | User |
User2 | User |
User3 | User |
Group1 | Security group |
Group2 | Security group |
App1 | Enterprise application |
User2 is the owner of Group2.
The user and group settings for App1 are configured as shown in the following exhibit.
You enable self-service application access for App1 as shown in the following exhibit.
User3 is configured to approve access to App1.
After you enable self-service application access for App1, who will be configured as the Group2 owner and who will be configured as the App1 users? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Group2 owners:
- User2 only
- User3 only
- User1 and User2 only
- User2 and User3 only
- User1, User2, and User3
App1 users:
- Group1 members only
- Group2 members only
- Group1 and Group2 members only
- Group1 and Group2 members and User1 only
- Group1 and Group2 members, User1, and User3 only
Answer
Group2 owners: User2 only
App1 users: Group1 and Group2 members only
Reference
- Azure > Active Directory > Application management > Enable self-service application assignment
AZ-500 Question 93
Question
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant.
From the Azure portal, you register an enterprise application.
Which additional resource will be created in Azure AD?
A. a service principal
B. an X.509 certificate
C. a managed identity
D. a user account
Answer
A. a service principal
Reference
- Azure > Active Directory > Develop > How and why applications are added to Azure AD
AZ-500 Question 94
Question
HOTSPOT –
You plan to implement an Azure function named Function1 that will create new storage accounts for containerized application instances.
You need to grant Function1 the minimum required privileges to create the storage accounts. The solution must minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Assign role to:
- A group account
- A system-assigned managed identity
- A user account
- A user-assigned managed identity
Role assignment to create:
- Built-in role assignment
- Classic administrator role assignment
- Custom role-based access control (RBAC) role assignment
Answer
Assign role to: A system-assigned managed identity
Role assignment to create: Custom role-based access control (RBAC) role assignment
Reference
- Azure > Active Directory > Managed identities for Azure resources > What are managed identities for Azure resources?
- Azure > Active Directory > Managed identities for Azure resources > Assign a managed identity access to a resource by using the Azure portal
AZ-500 Question 95
Question
HOTSPOT –
You have the hierarchy of Azure resources shown in the following exhibit.
RG1, RG2, and RG3 are resource groups.
RG2 contains a virtual machine named VM2.
You assign role-based access control (RBAC) roles to the users shown in the following table.
Name | Role | Added to resource |
---|---|---|
User1 | Contributor | Tenant Root Group |
User2 | Virtual Machine Contributor | Subscription2 |
User3 | Virtual Machine Administrator Login | RG2 |
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Statements:
- User1 can deploy virtual machines to RG1.
- User2 can delete VM2.
- User3 can reset the password of the built-in Administrator account of VM2.
Answer
- User1 can deploy virtual machines to RG1: Yes
- User2 can delete VM2: Yes
- User3 can reset the password of the built-in Administrator account of VM2: No
AZ-500 Question 96
Question
You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant.
You plan to implement Azure Active Directory (Azure AD) Identity Protection.
You need to ensure that you can configure a user risk policy and a sign-in risk policy.
What should you do first?
A. Purchase Azure Active Directory Premium Plan 2 licenses for all users.
B. Register all users for Azure Multi-Factor Authentication (MFA).
C. Enable security defaults for Azure AD.
D. Upgrade Azure Security Center to the standard tier.
Answer
A. Purchase Azure Active Directory Premium Plan 2 licenses for all users.
Reference
- Azure > Active Directory > Authentication > Tutorial: Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes
AZ-500 Question 97
Question
You have an Azure subscription.
You plan to create a custom role-based access control (RBAC) role that will provide permission to read the Azure Storage account.
Which property of the RBAC role definition should you configure?
A. NotActions []
B. DataActions []
C. AssignableScopes []
D. Actions []
Answer
D. Actions []
Explanation
To “Read a storage account”, i.e., list the blobs in the storage account, you need an “Action” permission.
To read the data in a storage account, i.e., open a blob, you need a “DataAction” permission.
Reference
- Azure > Role-based access control > Understand Azure role definitions
AZ-500 Question 98
Question
You have an Azure subscription that contains the users shown in the following table.
Name | Subscription role | Azure Active Directory (Azure AD) user role | Multi-factor authentication (MFA) status |
---|---|---|---|
User1 | Owner | Authentication administrator | Enabled |
User2 | None | Global administrator | Enforced |
User3 | None | Global administrator | Disabled |
Which users can enable Azure AD Privileged Identity Management (PIM)?
A. User2 and User3 only
B. User1 and User2 only
C. User2 only
D. User1 only
Answer
D. User1 only
Reference
- Azure > Active Directory > Privileged Identity Management > Plan a Privileged Identity Management deployment
AZ-500 Question 99
Question
Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD). Azure AD Connect is installed on a domain member server named Server1.
You need to ensure that a domain administrator for the adatum.com domain can modify the synchronization options. The solution must use the principle of least privilege.
Which Azure AD role should you assign to the domain administrator?
A. Security administrator
B. Global administrator
C. User administrator
Answer
B. Global administrator
Reference
- Azure > Active Directory > Hybrid identity > Azure AD Connect: Accounts and permissions
AZ-500 Question 100
Question
You have an Azure subscription.
You enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
Your company’s security policy for administrator accounts has the following conditions:
- The accounts must use multi-factor authentication (MFA).
- The accounts must use 20-character complex passwords.
- The passwords must be changed every 180 days.
- The accounts must be managed by using PIM.
You receive multiple alerts about administrators who have not changed their password during the last 90 days.
You need to minimize the number of generated alerts.
Which PIM alert should you modify?
A. Roles are being assigned outside of Privileged Identity Management
B. Roles don’t require multi-factor authentication for activation
C. Administrators aren’t using their privileged roles
D. Potential stale accounts in a privileged role
Answer
D. Potential stale accounts in a privileged role
Reference
- Azure > Active Directory > Privileged Identity Management > Configure security alerts for Azure AD roles in Privileged Identity Management