The latest Microsoft AZ-500 Azure Security Technologies certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-500 Azure Security Technologies exam and earn Microsoft AZ-500 Azure Security Technologies certification.
AZ-500 Question 311
Question
HOTSPOT
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to implement an application that will consist of the resources shown in the following table.
| Name | Type | Description |
|---|---|---|
| CosmosDBAccount1 | Azure Cosmos DB account | A Cosmos DB account containing a database named CosmosDB1 that serves as the back-end tier of the application. |
| WebApp1 | Azure web app | A web app configured to serve as the middle tier of the application. |
Users will authenticate by using their Azure AD user account and access the Cosmos DB account by using resource tokens.
You need to identify which tasks will be implemented in CosmosDB1 and WebApp1.
Which task should you identify for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
CosmosDB1:
- Authenticate Azure AD users and generate resource tokens.
- Authenticate Azure AD users and relay resource tokens.
- Create database users and generate resource tokens.
WebApp1:
- Authenticate Azure AD users and generate resource tokens.
- Authenticate Azure AD users and relay resource tokens.
- Create database users and generate resource tokens.
Answer
CosmosDB1: Create database users and generate resource tokens.
WebApp1: Authenticate Azure AD users and relay resource tokens.
Explanation
CosmosDB1: Create database users and generate resource tokens.
Azure Cosmos DB resource tokens provide a safe mechanism for allowing clients to read, write, and delete specific resources in an Azure Cosmos DB account according to the granted permissions.
WebApp1: Authenticate Azure AD users and relay resource tokens.
A typical approach to requesting, generating, and delivering resource tokens to a mobile application is to use a resource token broker. The diagram in the referenced article gives a high-level overview of how the sample application uses a resource token broker to manage access to the document database data.
Reference
- Data & Azure Cloud Services > Authentication > Authenticate Users with an Azure Cosmos DB Document Database and Xamarin.Forms
AZ-500 Question 312
Question
You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize authentication prompts.
Which authentication method should you instruct the developers to use?
A. SQL Login
B. Active Directory – Universal with MFA support
C. Active Directory – Integrated
D. Active Directory – Password
Answer
C. Active Directory – Integrated
Explanation
The Azure AD identity can come from the tenant's own managed domain, or from an on-premises Active Directory Domain Services forest that is federated with Azure AD.
Using an Azure AD identity to connect using SSMS or SSDT
The following procedures show you how to connect to a SQL database with an Azure AD identity using SQL Server Management Studio or SQL Server Database Tools.
Active Directory integrated authentication
Use this method if you are logged in to Windows using your Azure Active Directory credentials from a federated domain.
1. Start Management Studio or Data Tools and in the Connect to Server (or Connect to Database Engine) dialog box, in the Authentication box, select Active Directory – Integrated. No password is needed or can be entered because your existing credentials will be presented for the connection.
2. Select the Options button, and on the Connection Properties page, in the Connect to database box, type the name of the user database you want to connect to. (The "AD domain name or tenant ID" option is only supported for the Universal with MFA connection option; otherwise it is greyed out.)
AZ-500 Question 313
Question
You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?
A. In Azure AD, create a role.
B. In Azure Key Vault, create a key.
C. In Azure Key Vault, create an access policy.
D. In Azure AD, enable Azure AD Application Proxy.
Answer
A. In Azure AD, create a role.
Explanation
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them.
Managed identities for Azure resources overview make solving this problem simpler, by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Example: How a system-assigned managed identity works with an Azure VM
After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
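The last sentence of the explanation, "grant your code access to the specific secret or key in Key Vault", is the step the question is really about. The following Az PowerShell snippet is an added example, not code from the page or from Microsoft's documentation: it grants the app registration's service principal read access to secrets in Vault1 through a Key Vault access policy. It assumes the Az module is installed, that you are signed in with rights to manage the vault, and that the app's display name is the placeholder shown; the vault name comes from the question.

```powershell
# Added example: grant an app registration 'get' on secrets in Vault1.
# Assumes Connect-AzAccount has been run with sufficient rights on the vault.
$vaultName      = 'Vault1'
$appDisplayName = '<app-display-name>'   # placeholder: the registered app's display name

# An app registration is represented in the tenant by a service principal;
# that is the object the access policy is bound to.
$sp = Get-AzADServicePrincipal -DisplayName $appDisplayName
if (-not $sp) { throw "No service principal found for '$appDisplayName'" }

# Least privilege: only 'get' on secrets, no key or certificate permissions,
# so a compromised app credential cannot enumerate or modify other material.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $sp.Id `
    -PermissionsToSecrets get

# Check: the vault's policy list should now contain exactly this entry.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object ObjectId, PermissionsToSecrets
```

If the vault uses the Azure RBAC permission model instead of access policies, the equivalent step is a role assignment of the built-in "Key Vault Secrets User" role to the same service principal at the vault (or individual secret) scope with New-AzRoleAssignment.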
Reference
- Azure > Security > Key Vault > Secrets > Quickstart: Azure Key Vault secret client library for .NET (SDK v4)
- Managed identities for Azure resources > What are managed identities for Azure resources?
AZ-500 Question 314
Question
From the Azure portal, you are configuring an Azure policy.
You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects.
Which effect requires a managed identity for the assignment?
A. AuditIfNotExist
B. Append
C. DeployIfNotExist
D. Deny
Answer
C. DeployIfNotExist
Explanation
When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity.
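To make the managed-identity requirement concrete, here is an added Az PowerShell example (not from the page or from Microsoft's documentation) that assigns a deployIfNotExists definition with a system-assigned identity, gives that identity the role the remediation deployment needs, and starts a remediation task for existing resources. It assumes Az.Resources and Az.PolicyInsights are installed and you are signed in; the scope, region and definition name are placeholders.

```powershell
# Added example: DeployIfNotExists assignment with a system-assigned identity.
$scope    = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'   # placeholder
$location = 'eastus'                                                            # identity needs a region

# Any built-in or custom definition whose effect is deployIfNotExists; the
# name below is a placeholder for the definition's name (a GUID for built-ins).
$definition = Get-AzPolicyDefinition -Name '<policy-definition-name>'

# -IdentityType SystemAssigned creates the identity at assignment time.
# Deny, Append and AuditIfNotExists assignments do not need one.
$assignment = New-AzPolicyAssignment -Name 'dine-example' `
    -PolicyDefinition $definition `
    -Scope $scope `
    -Location $location `
    -IdentityType SystemAssigned

# The identity has no rights by itself. Grant only the role(s) the definition
# lists under roleDefinitionIds, at the narrowest scope that still works.
# (Az.Resources 7+ exposes the flattened IdentityPrincipalId property;
# older versions expose Identity.PrincipalId.)
$principalId = if ($assignment.IdentityPrincipalId) { $assignment.IdentityPrincipalId }
               else { $assignment.Identity.PrincipalId }
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Contributor' `
    -Scope $scope

# New resources are remediated on creation; existing non-compliant resources
# are only fixed when a remediation task is started explicitly.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/dine-example"
Start-AzPolicyRemediation -Name 'dine-example-remediation' `
    -Scope $scope `
    -PolicyAssignmentId $assignmentId
```

Role assignments for a freshly created identity can take a short while to replicate, so if New-AzRoleAssignment reports that the principal does not exist, retry after a minute rather than widening the scope.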
Reference
- Azure > Governance > Policy > Remediate non-compliant resources with Azure Policy
AZ-500 Question 315
Question
DRAG DROP
You need to configure SQLDB1 to meet the data and application requirements.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Actions:
- From the Azure portal, create an Azure AD administrator for LitwareSQLServer1.
- In SQLDB1, create contained database users.
- Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS).
- In Azure AD, create a system-assigned managed identity.
- In Azure AD, create a user-assigned managed identity.
Answer
- Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS).
- In SQLDB1, create contained database users.
- In Azure AD, create a system-assigned managed identity.
Explanation
Step 1: Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS)
Step 2: In SQLDB1, create contained database users.
Create a contained user in the database that represents the VM’s system-assigned identity.
Step 3: In Azure AD, create a system-assigned managed identity.
A system-assigned identity for a Windows virtual machine (VM) can be used to access an Azure SQL server. Managed identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert credentials into your code.
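The two configuration steps above (the contained database user and the system-assigned identity) in script form, as an added example that is not part of the page or of the referenced tutorial. It assumes the Az and SqlServer PowerShell modules, a signed-in session that is the Azure AD administrator of LitwareSQLServer1, and a VM named VM1 in resource group RG1 (placeholder names); the server and database names come from the question. The script enables the identity before creating the user because `CREATE USER ... FROM EXTERNAL PROVIDER` resolves the name in Azure AD at creation time.

```powershell
# Added example: map a VM's system-assigned identity to a contained user in SQLDB1.
$serverFqdn = 'litwaresqlserver1.database.windows.net'
$database   = 'SQLDB1'
$vmName     = 'VM1'   # placeholder
$rgName     = 'RG1'   # placeholder

# Enable the system-assigned managed identity on the VM. Its Azure AD display
# name is the VM name, which is what the SQL user must be called.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
Update-AzVM -ResourceGroupName $rgName -VM $vm -IdentityType SystemAssigned | Out-Null

# Contained user for the identity plus the minimum role it needs; no login is
# created at the server level and no password exists anywhere.
$sql = @"
CREATE USER [$vmName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$vmName];
"@

# Connect as the Azure AD admin using a token rather than a SQL password.
# (In Az.Accounts 4+ the Token property is a SecureString; convert it with
#  ConvertFrom-SecureString -AsPlainText before passing it to Invoke-Sqlcmd.)
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
Invoke-Sqlcmd -ServerInstance $serverFqdn -Database $database `
    -AccessToken $token -Query $sql

# Check: the user should appear as an external user in the database.
Invoke-Sqlcmd -ServerInstance $serverFqdn -Database $database -AccessToken $token `
    -Query "SELECT name, type_desc FROM sys.database_principals WHERE name = '$vmName';"
```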
Reference
- Managed identities for Azure resources > Tutorial: Use a Windows VM system-assigned managed identity to access Azure SQL
AZ-500 Question 316
Question
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?
A. an application permission without admin consent
B. a delegated permission without admin consent
C. a delegated permission that requires admin consent
D. an application permission that requires admin consent
Answer
B. a delegated permission without admin consent
Explanation
Delegated permissions – Your client application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission requires administrator consent.
Incorrect Answers:
A, D: Application permissions – Your client application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for public (desktop and mobile) client applications.
Reference
- Azure > Active Directory > Develop > Quickstart: Configure a client application to access a web API
AZ-500 Question 317
Question
You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network traffic to an Azure Storage account.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Install the Network Performance Monitor solution.
B. Enable Azure Network Watcher.
C. Enable diagnostic logging for the NSG.
D. Enable NSG flow logs.
E. Create an Azure Log Analytics workspace.
Answer
B. Enable Azure Network Watcher.
D. Enable NSG flow logs.
Explanation
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher’s NSG flow log capability. Steps include:
- Create a VM with a network security group
- Enable Network Watcher and register the Microsoft.Insights provider
- Enable a traffic flow log for an NSG, using Network Watcher’s NSG flow log capability
- Download logged data
- View logged data
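Answers B and D in Az PowerShell, as an added example rather than code from the page or from the referenced tutorial. It assumes Az.Network and Az.Storage are installed and you are signed in; the resource group, region, NSG and storage account names are placeholders.

```powershell
# Added example: enable Network Watcher and an NSG flow log to a storage account.
$rgName      = '<resource-group>'
$location    = 'eastus'
$nsgName     = '<nsg-name>'
$storageName = '<storage-account>'

# Flow logs are delivered through the Microsoft.Insights provider; register it
# once per subscription.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights' | Out-Null

# B. Network Watcher is a per-region, per-subscription resource; create it only
# if the region does not already have one.
$watcher = Get-AzNetworkWatcher -Location $location -ErrorAction SilentlyContinue
if (-not $watcher) {
    if (-not (Get-AzResourceGroup -Name 'NetworkWatcherRG' -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name 'NetworkWatcherRG' -Location $location | Out-Null
    }
    $watcher = New-AzNetworkWatcher -Name "NetworkWatcher_$location" `
        -ResourceGroupName 'NetworkWatcherRG' -Location $location
}

# D. The flow log is bound to the NSG (one log per NSG) and written to the
# storage account. Version 2 records add byte/packet counts and flow state,
# which is what investigators want when reconstructing a session.
$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName
$storage = Get-AzStorageAccount -ResourceGroupName $rgName -Name $storageName

New-AzNetworkWatcherFlowLog -NetworkWatcher $watcher `
    -Name "$nsgName-flowlog" `
    -TargetResourceId $nsg.Id `
    -StorageId $storage.Id `
    -Enabled $true `
    -FormatType Json -FormatVersion 2 `
    -EnableRetention $true -RetentionPolicyDays 30

# Check: the flow log should report Enabled = True for the NSG.
Get-AzNetworkWatcherFlowLog -NetworkWatcher $watcher -Name "$nsgName-flowlog" |
    Select-Object Name, Enabled, TargetResourceId
```

Options A and E are not wrong in themselves (a Log Analytics workspace is needed for Traffic Analytics), but neither is required to land raw flow records in a storage account, which is all the question asks for.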
Reference
- Azure > Networking > Network Watcher > Tutorial: Log network traffic to and from a virtual machine using the Azure portal
AZ-500 Question 318
Question
You have an Azure subscription named Sub1 that contains the virtual machines shown in the following table.
| Name | Resource group |
|---|---|
| VM1 | RG1 |
| VM2 | RG2 |
| VM3 | RG1 |
| VM4 | RG1 |
You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an authorized user requests access.
What should you configure?
A. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
B. an application security group
C. Azure Active Directory (Azure AD) conditional access
D. just in time (JIT) VM access
Answer
D. just in time (JIT) VM access
Explanation
Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
Note: When just-in-time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.
When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions that permit them to request access to that VM. If the request is approved, Security Center automatically configures the Network Security Groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports from the requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Security Center restores the NSGs to their previous states; connections that are already established are not interrupted, however.
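The policy and request flow described in the note, written out with the Az.Security cmdlets as an added example (not code from the page or from Microsoft's documentation). It covers the three RG1 machines from the table (VM1, VM3 and VM4; VM2 is in RG2 and is left alone) and assumes Az.Security is installed and you are signed in; the subscription id, region and the requester's source address are placeholders.

```powershell
# Added example: JIT policy for the RG1 VMs, then an access request for one of them.
$subscriptionId = '<subscription-id>'   # placeholder
$rgName         = 'RG1'
$location       = 'eastus'              # placeholder: must be the VMs' region

$vmBase = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Compute/virtualMachines"

# One policy entry per VM. Only the RDP port is covered here; each entry caps
# how long an approved request may keep the port open.
$vmPolicies = foreach ($vmName in 'VM1', 'VM3', 'VM4') {
    @{
        id    = "$vmBase/$vmName"
        ports = @(
            @{
                number                     = 3389
                protocol                   = 'TCP'
                allowedSourceAddressPrefix = @('*')   # requesters still have to name a source
                maxRequestAccessDuration   = 'PT1H'   # ISO 8601: at most one hour per request
            }
        )
    }
}

# Setting the policy makes Defender for Cloud add the deny rule to the NSG.
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rgName -VirtualMachine $vmPolicies

# Later: an authorized user asks for RDP to VM1 from one address for one hour.
# Defender for Cloud checks the caller's RBAC rights, then opens the port for
# exactly that source and window and closes it again when endTimeUtc passes.
$request = @(
    @{
        id    = "$vmBase/VM1"
        ports = @(
            @{
                number                     = 3389
                endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
                allowedSourceAddressPrefix = @('203.0.113.10')   # placeholder (documentation range)
            }
        )
    }
)
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine $request

# Check: the policy lists the three VMs and the active request for VM1.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rgName -Location $location -Name 'default' |
    Select-Object -ExpandProperty VirtualMachines
```

Each Start-AzJitNetworkAccessPolicy call is recorded in the activity log, so JIT requests can be alerted on or reviewed later, which is the audit trail the question's "authorized user requests access" requirement implies.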
Reference
- Azure > Security > Microsoft Defender for Cloud > Secure your management ports with just-in-time access
AZ-500 Question 319
Question
DRAG DROP
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 500 Azure virtual machines that run Windows Server 2016 and are enrolled in LAW1.
You plan to add the System Update Assessment solution to LAW1.
You need to ensure that System Update Assessment-related logs are uploaded to LAW1 from 100 of the virtual machines only.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Actions:
- Create a new workspace.
- Apply the scope configuration to the solution.
- Create a scope configuration.
- Create a computer group.
- Create a data source.
Answer
- Create a computer group.
- Create a scope configuration.
- Apply the scope configuration to the solution.
Explanation
Note: only three of the five listed actions are used; creating a new workspace and creating a data source are distractors. The computer group defines which 100 machines are in scope, the scope configuration wraps that group, and applying the scope configuration to the solution limits data collection to those machines.
Reference
- Azure > Azure Monitor > Targeting monitoring solutions in Azure Monitor (Preview)
AZ-500 Question 320
Question
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
| Name | Type | Resource group |
|---|---|---|
| RG1 | Resource group | Not applicable |
| VM1 | Virtual machine | RG1 |
| VM2 | Virtual machine | RG1 |
| ActionGroup1 | Action group | RG1 |
VM1 and VM2 are stopped.
You create an alert rule that has the following settings:
- Resource: RG1
- Condition: All Administrative operations
- Actions: Action groups configured for this alert rule: ActionGroup1
- Alert rule name: Alert1
You create an action rule that has the following settings:
- Scope: VM1
- Filter criteria: Resource Type = “Virtual Machines”
- Define on this scope: Suppression
- Suppression config: From now (always)
- Name: ActionRule1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Note: Each correct selection is worth one point.
Hot Area:
Statements:
- If you start VM1, an alert is triggered.
- If you start VM2, an alert is triggered.
- If you add a tag to RG1, an alert is triggered.
Answer
- If you start VM1, an alert is triggered: No
- If you start VM2, an alert is triggered: Yes
- If you add a tag to RG1, an alert is triggered: No
Explanation
Box 1: The scope for the action rule is set to VM1 and is set to suppress alerts indefinitely.
Box 2: The scope for the action rule is not set to VM2.
Box 3: Adding a tag is not an administrative operation.
Reference
- Azure > Azure Monitor > Create, view, and manage activity log alerts by using Azure Monitor
- Azure > Azure Monitor > Alert processing rules