The latest Microsoft AZ-500 Azure Security Technologies certification practice exam question and answer (Q&A) dumps are available for free. They are intended to help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the Microsoft AZ-500 Azure Security Technologies certification.
AZ-500 Question 301
Question
You have an Azure subscription.
You plan to create a workflow automation in Azure Security Center that will automatically remediate a security vulnerability.
What should you create first?
A. a managed identity
B. an automation account
C. an Azure function app
D. an alert rule
E. an Azure logic app
Answer
E. an Azure logic app
Reference
- Azure > Security > Microsoft Defender for Cloud > Automate responses to Microsoft Defender for Cloud triggers
AZ-500 Question 302
Question
HOTSPOT
You have the Azure key vaults shown in the following table.
| Name | Location | Azure subscription name |
|---|---|---|
| KV1 | West US | Subscription1 |
| KV2 | West US | Subscription1 |
| KV3 | East US | Subscription1 |
| KV4 | West US | Subscription2 |
| KV5 | East US | Subscription2 |
KV1 stores a secret named Secret1 and a key for a managed storage account named Key1.
You back up Secret1 and Key1.
To which key vaults can you restore each backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You can restore the Secret1 backup to:
- KV1 only
- KV1 and KV2 only
- KV1, KV2 and KV3 only
- KV1, KV2 and KV4 only
- KV1, KV2, KV3, KV4, and KV5
You can restore the Key1 backup to:
- KV1 only
- KV1 and KV2 only
- KV1, KV2 and KV3 only
- KV1, KV2 and KV4 only
- KV1, KV2, KV3, KV4, and KV5
Answer
You can restore the Secret1 backup to: KV1, KV2 and KV3 only
You can restore the Key1 backup to: KV1, KV2 and KV3 only
Explanation
A Key Vault backup can only be restored to a key vault in the same Azure subscription and the same Azure geography. Restoring to a different region within the same geography is allowed, which is why KV3 (East US, Subscription1) qualifies while KV4 and KV5 (Subscription2) do not.
AZ-500 Question 303
Question
You have an Azure subscription that contains a resource group named RG1 and a security group named ServerAdmins. RG1 contains 10 virtual machines, a virtual network named VNET1, and a network security group (NSG) named NSG1. ServerAdmins can access the virtual machines by using RDP.
You need to ensure that NSG1 only allows RDP connections to the virtual machines for a maximum of 60 minutes when a member of ServerAdmins requests access.
What should you configure?
A. an Azure Active Directory (Azure AD) Privileged Identity Management (PIM) role assignment
B. a just-in-time (JIT) VM access policy in Azure Security Center
C. an Azure Policy assigned to RG1
D. an Azure Bastion host on VNET1
Answer
A. an Azure Active Directory (Azure AD) Privileged Identity Management (PIM) role assignment
AZ-500 Question 304
Question
You have an Azure subscription that contains an Azure key vault and an Azure Storage account. The key vault contains customer-managed keys. The storage account is configured to use the customer-managed keys stored in the key vault.
You plan to store data in Azure by using the following services:
- Azure Files
- Azure Blob storage
- Azure Log Analytics
- Azure Table storage
- Azure Queue storage
Which two services support data encryption by using the keys stored in the key vault? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Queue storage
B. Table storage
C. Azure Files
D. Blob storage
Answer
A. Queue storage
D. Blob storage
AZ-500 Question 305
Question
You have an Azure subscription that contains an Azure Container Registry named Registry1. The subscription uses the Standard tier of Azure Security Center.
You upload several container images to Registry1.
You discover that vulnerability security scans were not performed.
You need to ensure that the images are scanned for vulnerabilities when they are uploaded to Registry1.
What should you do?
A. From the Azure portal, modify the Pricing tier settings.
B. From Azure CLI, lock the container images.
C. Upload the container images by using AzCopy.
D. Push the container images to Registry1 by using Docker.
Answer
C. Upload the container images by using AzCopy.
AZ-500 Question 306
Question
You have an Azure Active Directory (Azure AD) tenant.
You need to prevent nonprivileged Azure AD users from creating service principals in Azure AD.
What should you do in the Azure Active Directory admin center of the tenant?
A. From the Properties blade, set Enable Security defaults to Yes.
B. From the Properties blade, set Access management for Azure resources to No.
C. From the User settings blade, set Users can register applications to No.
D. From the User settings blade, set Restrict access to Azure AD administration portal to Yes.
Answer
D. From the User settings blade, set Restrict access to Azure AD administration portal to Yes.
AZ-500 Question 307
Question
HOTSPOT
You assign User8 the Owner role for RG4, RG5, and RG6.
In which resource groups can User8 create virtual networks and NSGs? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
User8 can create virtual networks in:
- RG4 only
- RG6 only
- RG4 and RG6 only
- RG4, RG5, and RG6
User8 can create NSGs in:
- RG4 only
- RG4 and RG5 only
- RG4 and RG6 only
- RG4, RG5, and RG6
Answer
User8 can create virtual networks in: RG4 only
User8 can create NSGs in: RG4, RG5, and RG6
Explanation
Box 1: RG4 only
Virtual networks are not allowed in RG5 and RG6.
Box 2: RG4, RG5, and RG6
Scenario:
Contoso has two Azure subscriptions named Sub1 and Sub2.
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
You assign User8 the Owner role for RG4, RG5, and RG6.
User8: City = Sidney, Role = None
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Reference
- Azure > Governance > Policy > What is Azure Policy?
AZ-500 Question 308
Question
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
- Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
- Minimizes the number of servers required for the solution
Which authentication method should you include in the recommendation?
A. federated identity with Active Directory Federation Services (AD FS)
B. password hash synchronization with seamless single sign-on (SSO)
C. pass-through authentication with seamless single sign-on (SSO)
Answer
B. password hash synchronization with seamless single sign-on (SSO)
Explanation
Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other
Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
Incorrect Answers:
A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It’s up to the organization using the federated system to make sure it’s deployed securely and can handle the authentication load.
C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the Internet and access to your domain controllers. For this reason, it’s not supported to deploy the agents in a perimeter network.
Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests.
Reference
- Azure > Active Directory > Hybrid identity > User sign-in with Azure Active Directory Pass-through Authentication
AZ-500 Question 309
Question
DRAG DROP
You have an Azure subscription that contains 100 virtual machines. Azure Diagnostics is enabled on all the virtual machines.
You are planning the monitoring of Azure services in the subscription.
You need to retrieve the following details:
Identify the user who deleted a virtual machine three weeks ago.
Query the security events of a virtual machine that runs Windows Server 2016.
What should you use in Azure Monitor? To answer, drag the appropriate configuration settings to the correct details. Each configuration setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Settings:
- Activity log
- Logs
- Metrics
- Service Health
Answer Area:
- Identify the user who deleted a virtual machine three weeks ago.
- Query the security events of a virtual machine that runs Windows Server 2016.
Answer
- Identify the user who deleted a virtual machine three weeks ago: Activity Log
- Query the security events of a virtual machine that runs Windows Server 2016: Logs
Explanation
Box 1: Activity log
Azure activity logs provide insight into the operations that were performed on resources in your subscription. Activity logs were previously known as “audit logs” or “operational logs,” because they report control-plane events for your subscriptions.
Activity logs help you determine the “what, who, and when” for write operations (that is, PUT, POST, or DELETE).
Box 2: Logs
Log Integration collects Azure diagnostics from your Windows virtual machines, Azure activity logs, Azure Security Center alerts, and Azure resource provider logs. This integration provides a unified dashboard for all your assets, whether they’re on-premises or in the cloud, so that you can aggregate, correlate, analyze, and alert for security events.
Reference
- Azure > Security > Fundamentals > Azure security logging and auditing
AZ-500 Question 310
Question
HOTSPOT
You plan to use Azure Monitor Logs to collect logs from 200 servers that run Windows Server 2016.
You need to automate the deployment of the Log Analytics Agent to all the servers by using an Azure Resource Manager template.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
Reference
- Microsoft Docs > Blog Archive > The Manageability Guys > Enabling the Microsoft Monitoring Agent in Windows JSON Templates