AZ-500 Microsoft Azure Security Technologies Exam Questions and Answers – 1 Part 1

The latest Microsoft AZ-500 Azure Security Technologies practice exam question and answer (Q&A) dumps are available free and can help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the Microsoft AZ-500 Azure Security Technologies certification.

AZ-500 Question 41

Question

HOTSPOT –
You have an Azure subscription that contains the virtual machines shown in the following table.

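| Name | Connected to | Private IP address | Public IP address |
|------|---------------|--------------------|-------------------|
| VM1 | VNET1/Subnet1 | 10.1.1.4 | 13.80.73.87 |
| VM2 | VNET2/Subnet2 | 10.2.1.4 | 213.199.133.190 |
| VM3 | VNET2/Subnet2 | 10.2.1.5 | None |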

Subnet1 and Subnet2 have a Microsoft.Storage service endpoint configured.
You have an Azure Storage account named storageacc1 that is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:

Statements:

  • From VM1, you can upload a blob to storageacc1.
  • From VM2, you can upload a blob to storageacc1.
  • From VM3, you can upload a blob to storageacc1.

Answer

  • From VM1, you can upload a blob to storageacc1: Yes
  • From VM2, you can upload a blob to storageacc1: No
  • From VM3, you can upload a blob to storageacc1: No

Explanation

Box 1: Yes –
The public IP of VM1 is allowed through the firewall.

Box 2: No –
The allowed virtual network list is empty so VM2 cannot access storageacc1 directly. The public IP address of VM2 is not in the allowed IP list so VM2 cannot access storageacc1 over the Internet.

Box 3: No –
The allowed virtual network list is empty so VM3 cannot access storageacc1 directly. VM3 does not have a public IP address so it cannot access storageacc1 over the Internet.

AZ-500 Question 42

Question

You have an Azure subscription that contains a virtual network. The virtual network contains the subnets shown in the following table.

| Name | Has a network security group (NSG) associated to the virtual subnet |
|------|------|
| Subnet1 | Yes |
| Subnet2 | No |

The subscription contains the virtual machines shown in the following table.

| Name | Has an NSG associated to the network adaptor of the virtual machine | Connected to |
|------|------|------|
| VM1 | No | Subnet1 |
| VM2 | No | Subnet2 |
| VM3 | No | Subnet1 |
| VM4 | Yes | Subnet2 |

You enable just in time (JIT) VM access for all the virtual machines.
You need to identify which virtual machines are protected by JIT.
Which virtual machines should you identify?

A. VM4 only
B. VM1 and VM3 only
C. VM1, VM3 and VM4 only
D. VM1, VM2, VM3, and VM4

Answer

C. VM1, VM3 and VM4 only

Explanation

An NSG needs to be enabled, either at the VM level or the subnet level.

AZ-500 Question 43

Question

HOTSPOT –
You have a file named File1.yaml that contains the following contents.

You create an Azure container instance named container1 by using File1.yaml.
You need to identify where you can access the values of Variable1 and Variable2.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Variable 1:

  • Cannot be accessed
  • Can be accessed from the Azure portal only
  • Can be accessed from inside container1 only
  • Can be accessed from inside container1 and the Azure portal

Variable 2:

  • Cannot be accessed
  • Can be accessed from the Azure portal only
  • Can be accessed from inside container1 only
  • Can be accessed from inside container1 and the Azure portal

Answer

Variable 1: Can be accessed from inside container1 and the Azure portal
Variable 2: Can be accessed from inside container1 only

AZ-500 Question 44

Question

You have an Azure virtual machine named VM1.
From Azure Security Center, you get the following high-severity recommendation: “Install endpoint protection solutions on virtual machine”.
You need to resolve the issue causing the high-severity recommendation.
What should you do?

A. Add the Microsoft Antimalware extension to VM1.
B. Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1.
C. Add the Network Watcher Agent for Windows extension to VM1.
D. Onboard VM1 to Microsoft Defender for Endpoint.

Answer

A. Add the Microsoft Antimalware extension to VM1.

AZ-500 Question 45

Question

SIMULATION –
You need to configure a virtual network named VNET2 to meet the following requirements:

  • Administrators must be prevented from deleting VNET2 accidentally.
  • Administrators must be able to add subnets to VNET2 regularly.

To complete this task, sign in to the Azure portal and modify the Azure resources.

Answer

See the explanation below.

Explanation

Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as an Azure subscription, a resource group, or a resource. A Delete lock blocks deletion but still allows changes, so administrators can keep adding subnets to VNET2.
Note: In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.

  1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET2. Alternatively, browse to Virtual Networks in the left navigation pane.
  2. In the Settings blade for virtual network VNET2, select Locks.
  3. To add a lock, select Add.
  4. For Lock type select Delete lock, and click OK.
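
The same lock applied from Az PowerShell, followed by a subnet addition to confirm that updates still go through. This is an added example, not part of the original answer; the resource group, lock name, subnet name and address prefix are placeholders, and it assumes the Az module is installed and Connect-AzAccount has already been run.

```powershell
# Added example. Placeholders: $rg, the lock name, the subnet name and prefix.
$rg = '<resource-group-of-VNET2>'

# Delete lock (LockLevel CanNotDelete): deletion is refused, updates are still allowed.
New-AzResourceLock -LockName 'VNET2-NoDelete' `
    -LockLevel CanNotDelete `
    -LockNotes 'Prevent accidental deletion of VNET2' `
    -ResourceName 'VNET2' `
    -ResourceType 'Microsoft.Network/virtualNetworks' `
    -ResourceGroupName $rg `
    -Force

# Confirm the lock is present at the expected level.
Get-AzResourceLock -ResourceName 'VNET2' `
    -ResourceType 'Microsoft.Network/virtualNetworks' `
    -ResourceGroupName $rg |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }

# Adding a subnet is an update to VNET2, so it succeeds with the lock in place.
# A ReadOnly lock would reject this call, which is why it does not meet the requirement.
$vnet = Get-AzVirtualNetwork -Name 'VNET2' -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'SubnetExample' `
    -AddressPrefix '<unused-prefix-inside-VNET2>' `
    -VirtualNetwork $vnet |
    Set-AzVirtualNetwork |
    Select-Object -ExpandProperty Subnets |
    Select-Object Name, AddressPrefix
```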

AZ-500 Question 46

Question

SIMULATION –
You need to deploy an Azure firewall to a virtual network named VNET3.
To complete this task, sign in to the Azure portal and modify the Azure resources.
This task might take several minutes to complete. You can perform other tasks while the task completes.

Answer

See the explanation below.

Explanation

To add an Azure firewall to a VNET, the VNET must first be configured with a subnet named AzureFirewallSubnet (if it doesn’t already exist).
Configure VNET3.

  1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET3. Alternatively, browse to Virtual Networks in the left navigation pane.
  2. In the Overview section, note the Location (region) and Resource Group of the virtual network. We’ll need these when we add the firewall.
  3. Click on Subnets.
  4. Click on + Subnet to add a new subnet.
  5. Enter AzureFirewallSubnet in the Name box. The subnet must be named AzureFirewallSubnet.
  6. Enter an appropriate IP range for the subnet in the Address range box.
  7. Click the OK button to create the subnet.

Add the Azure Firewall.

  1. In the settings of VNET3 click on Firewall.
  2. Click the Click here to add a new firewall link.
  3. The Resource group will default to the VNET3 resource group. Leave this default.
  4. Enter a name for the firewall in the Name box.
  5. In the Region box, select the same region as VNET3.
  6. In the Public IP address box, select an available public IP address if one exists, or click Add new to add a new public IP address.
  7. Click the Review + create button.
  8. Review the settings and click the Create button to create the firewall.
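
The two stages above (create AzureFirewallSubnet, then add the firewall) scripted with Az PowerShell. This is an added example, not part of the original answer; the resource group, address prefix, public IP name and firewall name are placeholders, and it assumes the Az module is installed and Connect-AzAccount has already been run.

```powershell
# Added example. Placeholders: $rg, the subnet prefix, 'fw-vnet3-pip', 'fw-vnet3'.
$rg   = '<resource-group-of-VNET3>'
$vnet = Get-AzVirtualNetwork -Name 'VNET3' -ResourceGroupName $rg

# The firewall only deploys into a subnet named exactly AzureFirewallSubnet.
# Create it only if it is missing; Azure requires a /26 or larger range.
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureFirewallSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' `
        -AddressPrefix '<unused-/26-inside-VNET3>' `
        -VirtualNetwork $vnet |
        Set-AzVirtualNetwork | Out-Null
    # Re-read the VNet so the new subnet is part of the object passed below.
    $vnet = Get-AzVirtualNetwork -Name 'VNET3' -ResourceGroupName $rg
}

# Azure Firewall needs a Standard SKU public IP with static allocation.
$pip = New-AzPublicIpAddress -Name 'fw-vnet3-pip' `
    -ResourceGroupName $rg `
    -Location $vnet.Location `
    -AllocationMethod Static `
    -Sku Standard

# Same resource group and region as VNET3, as in the portal steps.
$fw = New-AzFirewall -Name 'fw-vnet3' `
    -ResourceGroupName $rg `
    -Location $vnet.Location `
    -VirtualNetwork $vnet `
    -PublicIpAddress $pip

# The private IP is what route tables later use as the next hop.
$fw | Select-Object Name, ProvisioningState,
    @{ n = 'PrivateIp'; e = { $_.IpConfigurations[0].PrivateIPAddress } }
```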

AZ-500 Question 47

Question

SIMULATION –
You need to configure network connectivity between a virtual network named VNET1 and a virtual network named VNET2. The solution must ensure that virtual machines connected to VNET1 can communicate with virtual machines connected to VNET2.
To complete this task, sign in to the Azure portal and modify the Azure resources.

Answer

See the explanation below.

Explanation

You need to configure VNet Peering between the two networks. The question states, “The solution must ensure that virtual machines connected to VNET1 can communicate with virtual machines connected to VNET2”. It doesn’t say the VMs on VNET2 should be able to communicate with VMs on VNET1. Therefore, we need to configure the peering to allow just the one-way communication.

  1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to Virtual Networks in the left navigation pane.
  2. In the properties of VNET1, click on Peerings.
  3. In the Peerings blade, click Add to add a new peering.
  4. In the Name of the peering from VNET1 to remote virtual network box, enter a name such as VNET1-VNET2 (this is the name that the peering will be displayed as in VNET1)
  5. In the Virtual Network box, select VNET2.
  6. In the Name of the peering from remote virtual network to VNET1 box, enter a name such as VNET2-VNET1 (this is the name that the peering will be displayed as in VNET2). There is an option Allow virtual network access from VNET to remote virtual network. This should be left as Enabled.
  7. For the option Allow virtual network access from remote network to VNET1, click the slider button to Disabled.
  8. Click the OK button to save the changes.

AZ-500 Question 48

Question

HOTSPOT –
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

| Name | Subscription role | Azure AD user role |
|------|-------------------|--------------------|
| User1 | Owner | None |
| User2 | Contributor | None |
| User3 | Security Admin | None |
| User4 | None | Service administrator |

You create a resource group named RG1.
Which users can modify the permissions for RG1 and which users can create virtual networks in RG1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Users who can modify the permissions for RG1:

  • User1 only
  • User1 and User2 only
  • User1 and User3 only
  • User1, User2 and User3 only
  • User1, User2, User3, and User4

Users who can create virtual networks in RG1:

  • User1 only
  • User1 and User2 only
  • User1 and User3 only
  • User1, User2 and User3 only
  • User1, User2, User3, and User4

Answer

Users who can modify the permissions for RG1: User1 only
Users who can create virtual networks in RG1: User1 and User2 only

Explanation

Box 1: Only an owner can change permissions on resources.
Box 2: A Contributor can create/modify/delete anything in the subscription but cannot change permissions.

AZ-500 Question 49

Question

HOTSPOT –
You have an Azure subscription that contains the virtual machines shown in the following table.

| Name | Resource group | Status |
|------|----------------|--------|
| VM1 | RG1 | Stopped (Deallocated) |
| VM2 | RG2 | Stopped (Deallocated) |

You create the Azure policies shown in the following table.

| Policy definition | Resource type | Scope |
|-------------------|---------------|-------|
| Not allowed resource types | virtualMachines | RG1 |
| Allowed resource types | virtualMachines | RG2 |

You create the resource locks shown in the following table.

| Name | Type | Created on |
|------|------|------------|
| Lock1 | Read-only | VM1 |
| Lock2 | Read-only | RG2 |

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Statements:

  • You can start VM1.
  • You can start VM2.
  • You can create a virtual machine in RG2.

Answer

  • You can start VM1: No
  • You can start VM2: Yes
  • You can create a virtual machine in RG2: Yes

AZ-500 Question 50

Question

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?

A. device configuration policies in Microsoft Intune
B. an Azure Desired State Configuration (DSC) virtual machine extension
C. security policies in Azure Security Center
D. Azure Logic Apps

Answer

B. an Azure Desired State Configuration (DSC) virtual machine extension

Explanation

The primary use case for the Azure Desired State Configuration (DSC) extension is to bootstrap a VM to the Azure Automation State Configuration (DSC) service.
The service provides benefits that include ongoing management of the VM configuration and integration with other operational tools, such as Azure Monitoring.
Using the extension to register VMs to the service provides a flexible solution that even works across Azure subscriptions.
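
A DSC configuration of the kind the extension would apply at provisioning time to remove unused Windows features. This is an added example, not part of the original answer; the configuration name, file name and feature list are assumptions to replace with your own baseline.

```powershell
# DisableUnusedFeatures.ps1 (added example; file and configuration names are assumed).
Configuration DisableUnusedFeatures {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Illustrative list. Review the output of Get-WindowsFeature on a
        # reference VM and keep only the features the workload does not need.
        $unused = 'Telnet-Client', 'TFTP-Client', 'FS-SMB1', 'PowerShell-V2'

        foreach ($feature in $unused) {
            # One WindowsFeature resource per feature. Ensure = 'Absent' removes it
            # if present and reports drift if it is installed again later.
            WindowsFeature "Remove_$($feature -replace '-', '_')" {
                Name   = $feature
                Ensure = 'Absent'
            }
        }
    }
}
```

`Publish-AzVMDscConfiguration -ConfigurationPath .\DisableUnusedFeatures.ps1 -OutputArchivePath .\DisableUnusedFeatures.ps1.zip` packages the script into the archive that the DSC extension resource in the ARM template references through its configuration url, script and function settings.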