The latest Microsoft AZ-500 Azure Security Technologies practice exam question and answer (Q&A) dumps are available free. They are intended to help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the Microsoft AZ-500 Azure Security Technologies certification.
AZ-500 Question 271
Question
You have an Azure subscription that contains the resources shown in the following table:
Name | Type |
---|---|
VM1 | Virtual machine |
VNET1 | Virtual network |
storage1 | Storage account |
Vault1 | Key vault |
You plan to enable Azure Defender for the subscription. Which resources can be protected by using Azure Defender?
A. VM1, VNET1, storage1, and Vault1.
B. VM1, VNET1, and storage1 only.
C. VM1, storage1, and Vault1 only.
D. VM1 and VNET1 only.
E. VM1 and storage1 only.
Answer
A. VM1, VNET1, storage1, and Vault1.
Reference
- Azure > Security > Microsoft Defender for Cloud > What is Microsoft Defender for Cloud?
AZ-500 Question 272
Question
You have an Azure subscription that contains a resource group named RG1 and a security group named ServerAdmins. RG1 contains 10 virtual machines, a virtual network named VNET1, and a network security group (NSG) named NSG1. ServerAdmins can access the virtual machines by using RDP. You need to ensure that NSG1 only allows RDP connections to the virtual machines for a maximum of 60 minutes when a member of ServerAdmins requests access. What should you configure?
A. an Azure policy assigned to RG1
B. a just in time (JIT) VM access policy in Azure Security Center
C. an Azure Active Directory (Azure AD) Privileged Identity Management (PIM) role assignment
D. an Azure Bastion host on VNET1
Answer
B. a just in time (JIT) VM access policy in Azure Security Center
Reference
- Azure > Security > Microsoft Defender for Cloud > Understanding just-in-time (JIT) VM access
AZ-500 Question 273
Question
You have a web app named WebApp1. You create a web application firewall (WAF) policy named WAF1. You need to protect WebApp1 by using WAF1. What should you do first?
A. Deploy an Azure Front Door.
B. Add an extension to WebApp1.
C. Deploy Azure Firewall.
Answer
A. Deploy an Azure Front Door.
Explanation
Azure > Networking > Front Door Service > Quickstart: Create a Front Door for a highly available global web application
AZ-500 Question 274
Question
You have an Azure subscription that contains an Azure SQL database named sql1. You plan to audit sql1. You need to configure the audit log destination. The solution must meet the following requirements:
- Support querying events by using the Kusto query language.
- Minimize administrative effort.
What should you configure?
A. an event hub
B. a storage account
C. a Log Analytics workspace
Answer
C. a Log Analytics workspace
Reference
- Azure > Active Directory > Reports and monitoring > Tutorial: Configure a log analytics workspace
AZ-500 Question 275
Question
Drag and Drop
You have an Azure subscription that contains the following resources:
- A network virtual appliance (NVA) that runs non-Microsoft firewall software and routes all outbound traffic from the virtual machines to the internet.
- An Azure function that contains a script to manage the firewall rules of the NVA.
- Azure Security Center standard tier enabled for all virtual machines.
- An Azure Sentinel workspace.
- 30 virtual machines.
You need to ensure that when a high-priority alert is generated in Security Center for a virtual machine, an incident is created in Azure Sentinel and then a script is initiated to configure a firewall rule for the NVA. How should you configure Azure Sentinel to meet the requirements? (To answer, drag the appropriate components to the correct requirements. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.)
Components:
- A data connector for Security Center
- A data connector for the firewall software
- A playbook
- A rule
- A Security Events connector
- A workbook
Answer Area:
- Enable alert notifications from Security Center
- Create an incident
- Initiate a script to configure the firewall rule
Answer
- Enable alert notifications from Security Center: A data connector for Security Center
- Create an incident: A rule
- Initiate a script to configure the firewall rule: A playbook
Reference
- Azure > Security > Microsoft Sentinel > Automatically create incidents from Microsoft security alerts
- Azure > Security > Microsoft Sentinel > Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel
AZ-500 Question 276
Question
SIMULATION –
The developers at your company plan to create a web app named App12345678 and to publish the app to https://www.contoso.com.
You need to perform the following tasks:
- Ensure that App12345678 is registered to Azure Active Directory (Azure AD).
- Generate a password for App12345678.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
Step 1: Register the Application
1. Sign in to your Azure Account through the Azure portal.
2. Select Azure Active Directory.
3. Select App registrations.
4. Select New registration.
5. Name the application 12345678. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI https://www.contoso.com, which is where the access token is sent.
6. Click Register.
Step 2: Create a new application secret
If you choose not to use a certificate, you can create a new application secret.
7. Select Certificates & secrets.
8. Select Client secrets -> New client secret.
9. Provide a description of the secret, and a duration. When done, select Add.
After saving the client secret, the value of the client secret is displayed. Copy this value because you aren’t able to retrieve the key later. You provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.
Reference
- Azure > Active Directory > Develop > Use the portal to create an Azure AD application and service principal that can access resources
AZ-500 Question 277
Question
You have an Azure subscription that contains the resources shown in the following table.
Name | Type |
---|---|
storage1 | Storage account |
Vault1 | Azure Key vault |
Vault2 | Azure Key vault |
You plan to deploy the virtual machines shown in the following table.
Name | Role |
---|---|
VM1 | Storage Blob Data Reader for storage1; Key Vault Reader for Vault1 |
VM2 | Storage Blob Data Reader for storage1; Key Vault Reader for Vault1 |
VM3 | Storage Blob Data Reader for storage1; Key Vault Reader for Vault1; Key Vault Reader for Vault2 |
VM4 | Storage Blob Data Reader for storage1; Key Vault Reader for Vault1; Key Vault Reader for Vault2 |
You need to assign managed identities to the virtual machines. The solution must meet the following requirements:
- Assign each virtual machine the required roles.
- Use the principle of least privilege.
What is the minimum number of managed identities required?
A. 1
B. 2
C. 3
D. 4
Answer
B. 2
Explanation
We have two different sets of required permissions. VM1 and VM2 have the same permission requirements. VM3 and VM4 have the same permission requirements.
A user-assigned managed identity can be assigned to one or many resources. By using user-assigned managed identities, we can create just two managed identities: one with the permission requirements for VM1 and VM2 and the other with the permission requirements for VM3 and VM4.
Reference
- Azure > Active Directory > Managed identities for Azure resources > What are managed identities for Azure resources?
AZ-500 Question 278
Question
You have an Azure subscription that contains a web app named App1 and an Azure key vault named Vault1.
You need to configure App1 to store and access the secrets in Vault1.
How should you configure App1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Configure App1 to authenticate by using a:
- Key
- Certificate
- Passphrase
- User-assigned managed identity
- System-assigned managed identity
Configure a Key Vault reference for App1 from the:
- Extensions blade
- General settings tab
- TLS/SSL settings tab
- Application settings tab
Answer
Configure App1 to authenticate by using a: System-assigned managed identity
Configure a Key Vault reference for App1 from the: Application settings tab
Reference
- Azure > App Service > Web Apps > How to use managed identities for App Service and Azure Functions
AZ-500 Question 279
Question
You have an Azure subscription that contains the resources shown in the following table.
Name | Type | Resource group |
---|---|---|
RG1 | Resource group | Not applicable |
RG2 | Resource group | Not applicable |
RG3 | Resource group | Not applicable |
SQL1 | Azure SQL Database | RG3 |
Transparent Data Encryption (TDE) is disabled on SQL1.
You assign policies to the resource groups as shown in the following table.
Name | Condition | Effect if condition is false | Assignment |
---|---|---|---|
Policy1 | TDE enabled | Deny | RG1, RG2 |
Policy2 | TDE enabled | DeployIfNotExists | RG2, RG3 |
Policy3 | TDE enabled | Audit | RG1 |
You plan to deploy Azure SQL databases by using an Azure Resource Manager (ARM) template. The databases will be configured as shown in the following table.
NOTE: Each correct selection is worth one point.
Statements:
- SQL1 will have TDE enabled automatically.
- The deployment of SQL2 will fail.
- SQL3 will be deployed and marked as noncompliant.
Answer
- SQL1 will have TDE enabled automatically: No
- The deployment of SQL2 will fail: Yes
- SQL3 will be deployed and marked as noncompliant: Yes
AZ-500 Question 280
Question
You have an Azure subscription that contains the resources shown in the following table.
Name | Type |
---|---|
VM1 | Virtual machine |
VNET1 | Virtual machine |
storage1 | Storage account |
Vault1 | Key vault |
You plan to enable Microsoft Defender for Cloud for the subscription. Which resources can be protected by using Microsoft Defender for Cloud?
A. VM1, VNET1, and storage1 only
B. VM1, storage1, and Vault1 only
C. VM1, VNET1, storage1, and Vault1
D. VM1 and storage1 only
E. VM1 and VNET only
Answer
C. VM1, VNET1, storage1, and Vault1