Skip to Content

AZ-500 Microsoft Azure Security Technologies Exam Questions and Answers – 3

The latest Microsoft AZ-500 Azure Security Technologies certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-500 Azure Security Technologies exam and earn Microsoft AZ-500 Azure Security Technologies certification.

AZ-500 Microsoft Azure Security Technologies Exam Questions and Answers

Question 211

Question

Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case stud
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com.

Existing Environment

Azure AD
Contoso.com contains the users shown in the following table.

Name City Role
User1 Montreal Global administrator
User2 MONTREAL Security administrator
User3 London Privileged role administrator
User4 Ontario Application administrator
User5 Seattle Cloud application administrator
User6 Seattle User administrator
User7 Sydney Reports reader
User8 Sydney None
User9 Sydney Owner

Contoso.com contains the security groups shown in the following table.

Name Membership type Dynamic membership rule
Group1 Dynamic user user.city -contain “ON”
Group2 Dynamic user user.city -match “*on”

Sub1
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Name Resource group
VNET1 RG1
VNET2 RG2
VNET3 RG3
VNET4 RG4

Sub1 contains the locks shown in the following table.

Name Set on Lock type
Lock1 RG1 Delete
Lock2 RG2 Read-only
Lock3 RG3 Delete
Lock4 RG4 Read-only

Sub1 contains the Azure policies shown in the following table.

Policy definition Resource type Scope
Allowed resource types networkSecurityGroups RG4
Not allowed resource types virtualNetworks/subnets RG5
Not allowed resource types networkSecurityGroups RG5
Not allowed resource types virtualNetworks/virtualNetworkPeerings RG6

Sub2
Sub2 contains the virtual networks shown in the following table.

Name Subnet
VNetwork1 Subnet11, Subnet12, and Subnet13
VNetwork2 Subnet21

Sub2 contains the virtual machines shown in the following table.

Name Network interface Application security group Connected to
VM1 NIC1 ASG1 Subnet11
VM2 NIC2 ASG2 Subnet11
VM3 NIC3 None Subnet12
VM4 NIC4 ASG1 Subnet13
VM5 NIC5 None Subnet21

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

Name Associated to
NSG1 NIC2
NSG2 Subnet11
NSG3 Subnet13
NSG4 Subnet21

NSG1 has the inbound security rules shown in the following table.

Priority Port Protocol Source Destination Action
65000 Any Any VirtualNetwork VirtualNetwork Allow
65001 Any Any AzureLoadBalancer Any Allow
65500 Any Any Any Any Deny

NSG2 has the inbound security rules shown in the following table.

Priority Port Protocol Source Destination Action
100 80 TCP Internet VirtualNetwork Allow
65000 Any Any VirtualNetwork VirtualNetwork Allow
65001 Any Any AzureLoadBalancer Any Allow
65500 Any Any Any Any Deny

NSG3 has the inbound security rules shown in the following table.

Priority Port Protocol Source Destination Action
100 Any TCP ASG1 ASG1 Allow
150 Any Any ASG2 VirtualNetwork Allow
200 Any Any Any Any Deny
65000 Any Any VirtualNetwork VirtualNetwork Allow
65001 Any Any AzureLoadBalancer Any Allow
65500 Any Any Any Any Deny

NSG4 has the inbound security rules shown in the following table.

Priority Port Protocol Source Destination Action
100 Any Any Any Any Allow
65000 Any Any VirtualNetwork VirtualNetwork Allow
65001 Any Any AzureLoadBalancer Any Allow
65500 Any Any Any Any Deny

NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Priority Port Protocol Source Destination Action
65000 Any Any VirtualNetwork VirtualNetwork Allow
65001 Any Any Any Internet Allow
65500 Any Any Any Any Deny

Technical Requirements

Contoso identifies the following technical requirements:

  • Deploy Azure Firewall to VNetwork1 in Sub2.
  • Register an application named App2 in contoso.com.
  • Whenever possible, use the principle of least privilege.
  • Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

HOTSPOT –
You are evaluating the security of VM1, VM2, and VM3 in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  • From the Internet, you can connect to the web server on VM1 by using HTTP.
  • From the Internet, you can connect to the web server on VM2 by using HTTP.
  • From the Internet, you can connect to the web server on VM3 by using HTTP.

Answer

  • From the Internet, you can connect to the web server on VM1 by using HTTP: Yes
  • From the Internet, you can connect to the web server on VM2 by using HTTP: No
  • From the Internet, you can connect to the web server on VM3 by using HTTP: Yes

Explanation

VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be open.

Question 212

Question

SIMULATION –
You need to ensure that a user named Danny1234578 can sign in to any SQL database on a Microsoft SQL server named web1234578 by using SQL Server
Management Studio (SSMS) and Azure Active Directory (Azure AD) credentials.
To complete this task, sign in to the Azure portal.

Answer

See the explanation below.

Explanation

You need to provision an Azure AD Admin for the SQL Server.

  1. In the Azure portal, type SQL Server in the search box, select SQL Server from the search results then select the server named web1234578. Alternatively, browse to SQL Server in the left navigation pane.
  2. In the SQL Server properties page, click on Active Directory Admin.
  3. Click the Set Admin button.
  4. In the Add Admin window, search for and select Danny1234578.
  5. Click the Select button to add Danny1234578.
  6. Click the Save button to save the changes.

Reference

Question 213

Question

SIMULATION –
You need to ensure that a user named user2-12345678 can manage the properties of the virtual machines in the RG1lod12345678 resource group. The solution must use the principle of least privilege.
To complete this task, sign in to the Azure portal.

Answer

See the explanation below.

Explanation

  1. Sign in to the Azure portal.
  2. Browse to Resource Groups.
  3. Select the RG1lod12345678 resource group.
  4. Select Access control (IAM).
  5. Select Add > role assignment.
  6. Select Virtual Machine Contributor (you can filter the list of available roles by typing ‘virtual’ in the search box) then click Next.
  7. Select the +Select members option and select user2-12345678 then click the Select button.
  8. Click the Review + assign button twice.

Reference

Question 214

Question

You have an Azure subscription that contains an app named App1. App1 has the app registration shown in the following table.

API Permisssion Type Admin consent required Status
Microsoft.Graph User.Read Delegated No None
Microsoft.Graph Calendars.Read Delegated No None

You need to ensure that App1 can read all user calendars and create appointments. The solution must use the principle of least privilege.
What should you do?

A. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite.
B. Add a new Application API permission for Microsoft.Graph Calendars.ReadWrite.
C. Select Grant admin consent.
D. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite.Shared.

Answer

A. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite.

Reference

Question 215

Question

You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database.
What should you do?

A. From Azure CLI run the Get-AzOperationalInsightsworkspace cmdlet.
B. From the Azure SQL Database query editor, create a Transact-SQL query.
C. From the Azure Sentinel workspace, create a Kusto Query Language query.
D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.

Answer

C. From the Azure Sentinel workspace, create a Kusto Query Language query.

Question 216

Question

SIMULATION –
You need to create a new Azure Active Directory (Azure AD) directory named 12345678.onmicrosoft.com. The new directory must contain a new user named [email protected]
To complete this task, sign in to the Azure portal.

Answer

See the explanation below.

Explanation

  1. The first step is to create the Azure Active Directory tenant.
  2. Sign in to the Azure portal.
  3. From the Azure portal menu, select Azure Active Directory.
  4. On the overview page, select Manage tenants.
  5. Select +Create.
  6. On the Basics tab, select Azure Active Directory.
  7. Select Next: Configuration to move on to the Configuration tab.
  8. For Organization name, enter 12345678.
  9. For the Initial domain name, enter 12345678.
  10. Leave the Country/Region as the default.
  11. The next step is to create the user.
  12. From the Azure portal menu, select Azure Active Directory.
  13. Select Users then select New user.
  14. Enter User1 in the User name and Name fields.
  15. Leave the default option of Auto-generate password.
  16. Click the Create button.

Reference

Question 217

Question

You have an Azure subscription that contains the virtual machines shown in the following table.

Name Operating system
VM1 Windows Server 2016
VM2 Ubuntu Server 18.04 LTS

From Azure Security Center, you turn on Auto Provisioning.
You deploy the virtual machines shown in the following table.

Name Operating system
VM3 Windows Server 2016
VM4 Ubuntu Server 18.04 LTS

On which virtual machines is the Log Analytics agent installed?

A. VM3 only
B. VM1 and VM3 only
C. VM3 and VM4 only
D. VM1, VM2, VM3, and VM4

Answer

D. VM1, VM2, VM3, and VM4

Explanation

When automatic provisioning is On, Security Center provisions the Log Analytics Agent on all supported Azure VMs and any new ones that are created.
Supported Operating systems include: Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64), and 18.04 LTS (x64) and Windows Server 2008 R2, 2012, 2012 R2, 2016, version 1709 and 1803

Reference

Question 218

Question

You have an Azure subscription that contains a user named Admin1 and a resource group named RG1.
In Azure Monitor, you create the alert rules shown in the following table.

Name Resource Condition
Rule1 RG1 All security operations
Rule2 RG1 All administrative operations
Rule3 Azure subscription All security operations by Admin1
Rule4 Azure subscription All administrative operations by Admin1

Admin1 performs the following actions on RG1:

  • Adds a virtual network named VNET1
  • Adds a Delete lock named Lock1

Which rules will trigger an alert as a result of the actions of Admin1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Adding VNET1:

  • Rule2 only
  • Rule4 only
  • Rule2 and Rule4 only
  • Rule3 and Rule4 only
  • Rule1, Rule2, Rule3, and Rule4

Adding Lock1:

  • Rule2 only
  • Rule4 only
  • Rule2 and Rule4 only
  • Rule3 and Rule4 only
  • Rule1, Rule2, Rule3, and Rule4

Answer

Adding VNET1: Rule2 and Rule4 only
Adding Lock1: Rule2 and Rule4 only

Question 219

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?

A. Yes
B. No

Answer

B. No

Explanation

Instead use a management group.
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously.

Question 220

Question

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Active Directory forest with a single domain, named weylandindustries.com. They also have an Azure Active Directory (Azure AD) tenant with the same name.
You have been tasked with integrating Active Directory and the Azure AD tenant. You intend to deploy Azure AD Connect.
Your strategy for the integration must make sure that password policies and user logon limitations affect user accounts that are synced to the Azure AD tenant, and that the amount of necessary servers are reduced.
Solution: You recommend the use of pass-through authentication and seamless SSO with password hash synchronization.
Does the solution meet the goal?

A. Yes
B. No

Answer

A. Yes

Reference

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. We need money to operate the site, and almost all of it comes from online advertising. Please support us by disabling these ads blocker.

Please disable ad blocker