The latest Microsoft AZ-500 Azure Security Technologies certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-500 Azure Security Technologies exam and earn Microsoft AZ-500 Azure Security Technologies certification.
Question 211
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
Existing Environment
Azure AD
Contoso.com contains the users shown in the following table.
Name | City | Role |
---|---|---|
User1 | Montreal | Global administrator |
User2 | MONTREAL | Security administrator |
User3 | London | Privileged role administrator |
User4 | Ontario | Application administrator |
User5 | Seattle | Cloud application administrator |
User6 | Seattle | User administrator |
User7 | Sydney | Reports reader |
User8 | Sydney | None |
User9 | Sydney | Owner |
Contoso.com contains the security groups shown in the following table.
Name | Membership type | Dynamic membership rule |
---|---|---|
Group1 | Dynamic user | user.city -contains "ON" |
Group2 | Dynamic user | user.city -match "*on" |
Sub1
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
Name | Resource group |
---|---|
VNET1 | RG1 |
VNET2 | RG2 |
VNET3 | RG3 |
VNET4 | RG4 |
Sub1 contains the locks shown in the following table.
Name | Set on | Lock type |
---|---|---|
Lock1 | RG1 | Delete |
Lock2 | RG2 | Read-only |
Lock3 | RG3 | Delete |
Lock4 | RG4 | Read-only |
Sub1 contains the Azure policies shown in the following table.
Policy definition | Resource type | Scope |
---|---|---|
Allowed resource types | networkSecurityGroups | RG4 |
Not allowed resource types | virtualNetworks/subnets | RG5 |
Not allowed resource types | networkSecurityGroups | RG5 |
Not allowed resource types | virtualNetworks/virtualNetworkPeerings | RG6 |
Sub2
Sub2 contains the virtual networks shown in the following table.
Name | Subnet |
---|---|
VNetwork1 | Subnet11, Subnet12, and Subnet13 |
VNetwork2 | Subnet21 |
Sub2 contains the virtual machines shown in the following table.
Name | Network interface | Application security group | Connected to |
---|---|---|---|
VM1 | NIC1 | ASG1 | Subnet11 |
VM2 | NIC2 | ASG2 | Subnet11 |
VM3 | NIC3 | None | Subnet12 |
VM4 | NIC4 | ASG1 | Subnet13 |
VM5 | NIC5 | None | Subnet21 |
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.
Name | Associated to |
---|---|
NSG1 | NIC2 |
NSG2 | Subnet11 |
NSG3 | Subnet13 |
NSG4 | Subnet21 |
NSG1 has the inbound security rules shown in the following table.
Priority | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|
65000 | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
65001 | Any | Any | AzureLoadBalancer | Any | Allow |
65500 | Any | Any | Any | Any | Deny |
NSG2 has the inbound security rules shown in the following table.
Priority | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|
100 | 80 | TCP | Internet | VirtualNetwork | Allow |
65000 | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
65001 | Any | Any | AzureLoadBalancer | Any | Allow |
65500 | Any | Any | Any | Any | Deny |
NSG3 has the inbound security rules shown in the following table.
Priority | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|
100 | Any | TCP | ASG1 | ASG1 | Allow |
150 | Any | Any | ASG2 | VirtualNetwork | Allow |
200 | Any | Any | Any | Any | Deny |
65000 | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
65001 | Any | Any | AzureLoadBalancer | Any | Allow |
65500 | Any | Any | Any | Any | Deny |
NSG4 has the inbound security rules shown in the following table.
Priority | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|
100 | Any | Any | Any | Any | Allow |
65000 | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
65001 | Any | Any | AzureLoadBalancer | Any | Allow |
65500 | Any | Any | Any | Any | Deny |
NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.
Priority | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|
65000 | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
65001 | Any | Any | Any | Internet | Allow |
65500 | Any | Any | Any | Any | Deny |
Technical Requirements
Contoso identifies the following technical requirements:
- Deploy Azure Firewall to VNetwork1 in Sub2.
- Register an application named App2 in contoso.com.
- Whenever possible, use the principle of least privilege.
- Enable Azure AD Privileged Identity Management (PIM) for contoso.com.
HOTSPOT –
You are evaluating the security of VM1, VM2, and VM3 in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
- From the Internet, you can connect to the web server on VM1 by using HTTP.
- From the Internet, you can connect to the web server on VM2 by using HTTP.
- From the Internet, you can connect to the web server on VM3 by using HTTP.
Answer
- From the Internet, you can connect to the web server on VM1 by using HTTP: Yes
- From the Internet, you can connect to the web server on VM2 by using HTTP: No
- From the Internet, you can connect to the web server on VM3 by using HTTP: Yes
Explanation
VM1: Yes. VM1 (NIC1 on Subnet11) is covered only by NSG2 on Subnet11, whose rule at priority 100 allows TCP port 80 from the Internet service tag, so HTTP from the Internet reaches VM1.
VM2: No. Inbound traffic to VM2 is evaluated first by NSG2 on Subnet11 and then by NSG1 on NIC2, and both must allow it. NSG2 allows port 80, but NSG1 has only the default rules, none of which matches an Internet source, so its DenyAllInBound rule at priority 65500 drops the traffic.
VM3: Yes. No NSG is associated with NIC3 or with Subnet12, so nothing in Azure filters inbound traffic to VM3. The VM has a public IP and its firewall allows web requests, so HTTP from the Internet reaches it (as does every other port the OS firewall permits).
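The evaluation described above, as an added example that is not part of the exam material: a small Python model of how Azure applies NSGs to inbound traffic (subnet NSG first, then NIC NSG, both must allow; within an NSG, ascending priority and first match wins), loaded with the NSG tables from the case study. It goes beyond the question by also evaluating VM4 and VM5. It assumes the flow is TCP/80 from an Internet source to a NIC inside the VNet, and that every VM's OS firewall allows HTTP, so reachability is decided by the NSGs alone.

```python
"""NSG inbound reachability for the Sub2 case study (added example, not exam material)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    port: str         # "80" or "Any"
    protocol: str     # "TCP", "UDP" or "Any"
    source: str       # service tag (Internet, VirtualNetwork, AzureLoadBalancer, Any) or ASG name
    destination: str  # same vocabulary as source
    action: str       # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    src_tag: str        # where the packet comes from: Internet, VirtualNetwork or AzureLoadBalancer
    src_asgs: frozenset  # ASGs of the sending NIC (empty for Internet sources)
    dst_asgs: frozenset  # ASGs of the receiving NIC
    port: int
    protocol: str


def _endpoint_matches(selector: str, tag: str, asgs: frozenset) -> bool:
    """A source/destination selector is either a service tag or an ASG membership test."""
    if selector == "Any":
        return True
    if selector in ("Internet", "VirtualNetwork", "AzureLoadBalancer"):
        return selector == tag
    return selector in asgs  # application security group


def _rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.port != "Any" and int(rule.port) != flow.port:
        return False
    if rule.protocol != "Any" and rule.protocol != flow.protocol:
        return False
    if not _endpoint_matches(rule.source, flow.src_tag, flow.src_asgs):
        return False
    # For inbound traffic the destination is always a NIC inside the VNet, so the
    # VirtualNetwork tag applies to it; ASG selectors are checked against the NIC's ASGs.
    return _endpoint_matches(rule.destination, "VirtualNetwork", flow.dst_asgs)


def nsg_allows(rules, flow: Flow) -> bool:
    """Rules are evaluated in ascending priority; the first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _rule_matches(rule, flow):
            return rule.action == "Allow"
    return False  # not reachable with the default DenyAllInBound rule at 65500


def inbound_allowed(subnet_nsg, nic_nsg, flow: Flow) -> bool:
    """Inbound traffic passes the subnet NSG first, then the NIC NSG; both must allow it.
    A level with no NSG imposes no restriction."""
    return all(nsg is None or nsg_allows(nsg, flow) for nsg in (subnet_nsg, nic_nsg))


DEFAULT_INBOUND = [
    Rule(65000, "Any", "Any", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "Any", "Any", "AzureLoadBalancer", "Any", "Allow"),
    Rule(65500, "Any", "Any", "Any", "Any", "Deny"),
]
NSG1 = DEFAULT_INBOUND
NSG2 = [Rule(100, "80", "TCP", "Internet", "VirtualNetwork", "Allow")] + DEFAULT_INBOUND
NSG3 = [
    Rule(100, "Any", "TCP", "ASG1", "ASG1", "Allow"),
    Rule(150, "Any", "Any", "ASG2", "VirtualNetwork", "Allow"),
    Rule(200, "Any", "Any", "Any", "Any", "Deny"),
] + DEFAULT_INBOUND
NSG4 = [Rule(100, "Any", "Any", "Any", "Any", "Allow")] + DEFAULT_INBOUND

# VM -> (subnet NSG, NIC NSG, the NIC's ASGs), taken from the Sub2 tables.
VMS = {
    "VM1": (NSG2, None, frozenset({"ASG1"})),
    "VM2": (NSG2, NSG1, frozenset({"ASG2"})),
    "VM3": (None, None, frozenset()),
    "VM4": (NSG3, None, frozenset({"ASG1"})),
    "VM5": (NSG4, None, frozenset()),
}


def http_from_internet() -> dict:
    """Which VMs accept TCP/80 from the Internet once both NSG levels are applied."""
    result = {}
    for name, (subnet_nsg, nic_nsg, asgs) in VMS.items():
        flow = Flow("Internet", frozenset(), asgs, 80, "TCP")
        result[name] = inbound_allowed(subnet_nsg, nic_nsg, flow)
    return result


if __name__ == "__main__":
    for vm, ok in http_from_internet().items():
        print(f"{vm}: {'Yes' if ok else 'No'}")
```

Two things the model makes visible that the tables alone do not: an ASG selector in a rule never matches an Internet source, so NSG3 rule 100 does not open VM4 to the Internet, and NSG4's priority 100 Allow Any/Any rule exposes VM5 on every port, which is the kind of rule a review should flag.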
Question 212
SIMULATION –
You need to ensure that a user named Danny1234578 can sign in to any SQL database on a Microsoft SQL server named web1234578 by using SQL Server Management Studio (SSMS) and Azure Active Directory (Azure AD) credentials.
To complete this task, sign in to the Azure portal.
Explanation
You need to provision an Azure AD admin for the SQL server. The Azure AD admin is a server-level principal that can sign in to every database on the server with Azure AD credentials, which is what the task asks for.
- In the Azure portal, type SQL servers in the search box, select SQL servers from the search results, then select the server named web1234578. Alternatively, browse to SQL servers in the left navigation pane.
- On the server's page, under Settings, click Active Directory admin.
- Click Set admin.
- In the Add admin pane, search for and select Danny1234578.
- Click Select to add Danny1234578.
- Click Save to save the change.
Note that the Azure AD admin has full control of every database on the server. If a user only needed access to specific databases, the least-privilege approach would be to keep an administrative group as the Azure AD admin and have it create a contained database user for that person (CREATE USER ... FROM EXTERNAL PROVIDER), granting only the database roles required.
Question 213
SIMULATION –
You need to ensure that a user named user2-12345678 can manage the properties of the virtual machines in the RG1lod12345678 resource group. The solution must use the principle of least privilege.
To complete this task, sign in to the Azure portal.
Explanation
- Sign in to the Azure portal.
- Browse to Resource Groups.
- Select the RG1lod12345678 resource group.
- Select Access control (IAM).
- Select Add > role assignment.
- Select Virtual Machine Contributor (you can filter the list of available roles by typing ‘virtual’ in the search box) then click Next.
- Select the +Select members option and select user2-12345678 then click the Select button.
- Click the Review + assign button twice.
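Why Virtual Machine Contributor rather than Contributor is the least-privilege choice comes down to how Azure RBAC matches operations against a role's Actions and NotActions. The following Python is an added example, not exam material: it implements that matching (a `*` in a pattern matches any characters including `/`, matching is case-insensitive, and NotActions subtract from Actions) and ranks candidate roles by how many operations from a constructed probe list they would also permit. The role definitions are abbreviated excerpts of the built-in Reader, Contributor and Virtual Machine Contributor roles, not the complete definitions.

```python
"""Azure RBAC action matching and a least-privilege role picker (added example)."""
import re


def _pattern_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, including '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """An operation is permitted if some Actions entry matches and no NotActions entry does."""
    if any(_pattern_matches(p, operation) for p in role.get("NotActions", [])):
        return False
    return any(_pattern_matches(p, operation) for p in role["Actions"])


# Abbreviated excerpts of built-in roles; the real definitions list more entries.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Virtual Machine Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Compute/virtualMachines/*",
            "Microsoft.Compute/disks/read",
            "Microsoft.Compute/disks/write",
            "Microsoft.Network/networkInterfaces/*",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/networkSecurityGroups/join/action",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "NotActions": [],
    },
}

# Constructed probe set: operations that an over-privileged assignment would expose.
PROBE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
]


def least_privileged_role(required: list, roles=ROLES, probes=PROBE_OPERATIONS) -> str:
    """Among roles that cover every required operation, return the one that permits
    the fewest probe operations (a proxy for the smallest blast radius)."""
    candidates = [
        name for name, role in roles.items()
        if all(is_allowed(role, op) for op in required)
    ]
    if not candidates:
        raise ValueError("no role covers the required operations")
    return min(candidates, key=lambda n: sum(is_allowed(roles[n], op) for op in probes))


if __name__ == "__main__":
    need = ["Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachines/write"]
    print(least_privileged_role(need))
```

The probe list also shows the residual risk of the chosen role: `Microsoft.Compute/virtualMachines/*` includes the run-command operation, so a Virtual Machine Contributor can execute code inside the VMs it manages; if that is not acceptable, a custom role with an explicit Actions list is the next step down.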
Question 214
You have an Azure subscription that contains an app named App1. App1 has the app registration shown in the following table.
API | Permission | Type | Admin consent required | Status |
---|---|---|---|---|
Microsoft.Graph | User.Read | Delegated | No | None |
Microsoft.Graph | Calendars.Read | Delegated | No | None |
You need to ensure that App1 can read all user calendars and create appointments. The solution must use the principle of least privilege.
What should you do?
* A. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite.
B. Add a new Application API permission for Microsoft.Graph Calendars.ReadWrite.
C. Select Grant admin consent.
D. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite.Shared.
Explanation
Calendars.ReadWrite as a delegated permission lets App1 read calendars and create appointments on behalf of the signed-in user, which is the narrowest grant that covers the requirement. An application permission (B) would let App1 read and write every calendar in the tenant without any signed-in user, and Calendars.ReadWrite.Shared (D) additionally covers calendars shared with the user; both exceed what is needed. Granting admin consent (C) only consents to the permissions already listed, none of which allows writing.
Question 215
You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database.
What should you do?
A. From Azure CLI run the Get-AzOperationalInsightsworkspace cmdlet.
B. From the Azure SQL Database query editor, create a Transact-SQL query.
* C. From the Azure Sentinel workspace, create a Kusto Query Language query.
D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
Question 216
SIMULATION –
You need to create a new Azure Active Directory (Azure AD) directory named 12345678.onmicrosoft.com. The new directory must contain a new user named User1@12345678.onmicrosoft.com.
To complete this task, sign in to the Azure portal.
Explanation
- The first step is to create the Azure AD tenant.
- Sign in to the Azure portal.
- From the Azure portal menu, select Azure Active Directory.
- On the overview page, select Manage tenants.
- Select + Create.
- On the Basics tab, select Azure Active Directory, then select Next: Configuration to move to the Configuration tab.
- For Organization name, enter 12345678.
- For Initial domain name, enter 12345678 (this produces 12345678.onmicrosoft.com).
- Leave Country/Region at the default, then select Review + create and Create.
- The next step is to create the user in the new tenant.
- Switch the portal to the new 12345678 directory (Settings > Directories + subscriptions), then select Azure Active Directory from the portal menu.
- Select Users, then New user.
- Enter User1 in the User name and Name fields; the domain selector shows 12345678.onmicrosoft.com.
- Leave the default option of Auto-generate password and note the generated password.
- Click the Create button.
Question 217
You have an Azure subscription that contains the virtual machines shown in the following table.
Name | Operating system |
---|---|
VM1 | Windows Server 2016 |
VM2 | Ubuntu Server 18.04 LTS |
From Azure Security Center, you turn on Auto Provisioning.
You deploy the virtual machines shown in the following table.
Name | Operating system |
---|---|
VM3 | Windows Server 2016 |
VM4 | Ubuntu Server 18.04 LTS |
On which virtual machines is the Log Analytics agent installed?
A. VM3 only
B. VM1 and VM3 only
C. VM3 and VM4 only
* D. VM1, VM2, VM3, and VM4
Explanation
When automatic provisioning is on, Security Center installs the Log Analytics agent on every supported Azure VM that already exists in the subscription and on every supported VM created afterwards, so all four VMs receive it.
Supported operating systems include Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64) and 18.04 LTS (x64), and Windows Server 2008 R2, 2012, 2012 R2, 2016, version 1709 and 1803.
Note that Azure Security Center has since been renamed Microsoft Defender for Cloud, and the Log Analytics agent was retired on 31 August 2024; current auto-provisioning deploys the Azure Monitor agent instead. The exam answer reflects the older behaviour described in the question.
Question 218
You have an Azure subscription that contains a user named Admin1 and a resource group named RG1.
In Azure Monitor, you create the alert rules shown in the following table.
Name | Resource | Condition |
---|---|---|
Rule1 | RG1 | All security operations |
Rule2 | RG1 | All administrative operations |
Rule3 | Azure subscription | All security operations by Admin1 |
Rule4 | Azure subscription | All administrative operations by Admin1 |
Admin1 performs the following actions on RG1:
- Adds a virtual network named VNET1
- Adds a Delete lock named Lock1
Which rules will trigger an alert as a result of the actions of Admin1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Adding VNET1:
- Rule2 only
- Rule4 only
- Rule2 and Rule4 only
- Rule3 and Rule4 only
- Rule1, Rule2, Rule3, and Rule4
Adding Lock1:
- Rule2 only
- Rule4 only
- Rule2 and Rule4 only
- Rule3 and Rule4 only
- Rule1, Rule2, Rule3, and Rule4
Answer
Adding VNET1: Rule2 and Rule4 only
Adding Lock1: Rule2 and Rule4 only
Explanation
Creating a virtual network and creating a resource lock are both ARM write operations, recorded in the Activity Log under the Administrative category. Rule2 (RG1, all administrative operations) fires because the resources are in RG1, and Rule4 (subscription scope, administrative operations by Admin1) fires because RG1 is inside the subscription and Admin1 is the caller. Rule1 and Rule3 watch the Security category, which carries alerts raised by Security Center (now Microsoft Defender for Cloud), not ARM operations, so neither fires.
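The rule matching behind this answer, as an added Python example that is not part of the exam material: an activity log alert rule fires when the event's resource lies within the rule's scope (a subscription scope contains every resource group and resource in it), the event category matches, and, if the rule names a caller, the caller matches. The subscription ID, resource IDs, the callers' UPNs and the event records are constructed for this example; a third event (a VNet created in RG2 by another user) is added as a contrast case.

```python
"""Activity log alert evaluation for Question 218 (added example, not exam material)."""
SUBSCRIPTION = "/subscriptions/11111111-2222-3333-4444-555555555555"  # constructed
RG1 = SUBSCRIPTION + "/resourceGroups/RG1"
RG2 = SUBSCRIPTION + "/resourceGroups/RG2"
ADMIN1 = "admin1@contoso.com"  # constructed UPN

# "All security operations" is the Security category; "All administrative operations"
# is the Administrative category (ARM create/update/delete, including locks).
RULES = {
    "Rule1": {"scope": RG1, "category": "Security", "caller": None},
    "Rule2": {"scope": RG1, "category": "Administrative", "caller": None},
    "Rule3": {"scope": SUBSCRIPTION, "category": "Security", "caller": ADMIN1},
    "Rule4": {"scope": SUBSCRIPTION, "category": "Administrative", "caller": ADMIN1},
}


def in_scope(scope: str, resource_id: str) -> bool:
    """Resource IDs are hierarchical; compare whole path segments, case-insensitively,
    so that /resourceGroups/RG1 does not accidentally match /resourceGroups/RG10."""
    scope, resource_id = scope.lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def firing_rules(event: dict, rules=RULES) -> list:
    """Return the names of the rules that fire for one activity log event."""
    fired = []
    for name, rule in rules.items():
        if not in_scope(rule["scope"], event["resourceId"]):
            continue
        if rule["category"] != event["category"]:
            continue
        if rule["caller"] is not None and rule["caller"].lower() != event["caller"].lower():
            continue
        fired.append(name)
    return fired


# Constructed activity log events for Admin1's two actions, plus a contrast case.
EVENTS = {
    "VNET1": {
        "category": "Administrative",
        "operationName": "Microsoft.Network/virtualNetworks/write",
        "resourceId": RG1 + "/providers/Microsoft.Network/virtualNetworks/VNET1",
        "caller": ADMIN1,
    },
    "Lock1": {
        "category": "Administrative",
        "operationName": "Microsoft.Authorization/locks/write",
        "resourceId": RG1 + "/providers/Microsoft.Authorization/locks/Lock1",
        "caller": ADMIN1,
    },
    # Same kind of action in RG2 by another user: outside Rule2's scope, wrong caller for Rule4.
    "VNET2-by-User2": {
        "category": "Administrative",
        "operationName": "Microsoft.Network/virtualNetworks/write",
        "resourceId": RG2 + "/providers/Microsoft.Network/virtualNetworks/VNET2",
        "caller": "user2@contoso.com",
    },
}


def evaluate(events=EVENTS) -> dict:
    return {name: firing_rules(event) for name, event in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {', '.join(fired) or 'no rule'}")
```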
Question 219
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?
A. Yes
* B. No
Explanation
Assignments scoped to resource groups cover only the resources in those groups and would have to be repeated in every resource group of every subscription. Instead, create a policy initiative (policy set) from the definitions and assign it once at a management group that contains all three subscriptions.
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously; policy and RBAC assignments made at the management group are inherited by every subscription under it.
Question 220
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Determine whether the solution meets the stated goals.
Your company has an Active Directory forest with a single domain, named weylandindustries.com. They also have an Azure Active Directory (Azure AD) tenant with the same name.
You have been tasked with integrating Active Directory and the Azure AD tenant. You intend to deploy Azure AD Connect.
Your integration strategy must ensure that on-premises password policies and user logon restrictions apply to the user accounts that are synced to the Azure AD tenant, and that the number of servers required is kept to a minimum.
Solution: You recommend the use of pass-through authentication and seamless SSO with password hash synchronization.
Does the solution meet the goal?
* A. Yes
B. No
Explanation
Pass-through authentication validates each sign-in against the on-premises Active Directory, so on-premises password policies and logon restrictions (such as logon hours and disabled accounts) take effect immediately for synced accounts. The authentication agent runs on the Azure AD Connect server itself, so, unlike AD FS, no additional federation or proxy servers are required (extra agents are recommended only for high availability). Enabling password hash synchronization alongside it provides a sign-in fallback if the agents become unavailable, again without adding servers.