
AZ-500 Microsoft Azure Security Technologies Exam Questions and Answers – 5

The latest Microsoft AZ-500 Azure Security Technologies practice exam questions and answers (Q&A) are available free and are intended to help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the Microsoft AZ-500 Azure Security Technologies certification.


AZ-500 Question 311

Question

HOTSPOT
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to implement an application that will consist of the resources shown in the following table.

Name Type Description
CosmosDBAccount1 Azure Cosmos DB account A Cosmos DB account containing a database named CosmosDB1 that serves as a back-end tier of the application.
WebApp1 Azure web app A web app configured to serve as the middle tier of the application.

Users will authenticate by using their Azure AD user account and access the Cosmos DB account by using resource tokens.
You need to identify which tasks will be implemented in CosmosDB1 and WebApp1.
Which task should you identify for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

CosmosDB1:

  • Authenticate Azure AD users and generate resource tokens.
  • Authenticate Azure AD users and relay resource tokens.
  • Create database users and generate resource tokens.

WebApp1:

  • Authenticate Azure AD users and generate resource tokens.
  • Authenticate Azure AD users and relay resource tokens.
  • Create database users and generate resource tokens.

Answer

CosmosDB1: Create database users and generate resource tokens.
WebApp1: Authenticate Azure AD users and relay resource tokens.

Explanation

CosmosDB1: Create database users and generate resource tokens.
Azure Cosmos DB resource tokens provide a safe mechanism for allowing clients to read, write, and delete specific resources in an Azure Cosmos DB account according to the granted permissions. Resource tokens are created inside the Cosmos DB account itself: a database user is created, a permission (read or all) is granted to that user on a specific container, item or partition key, and the permission carries the resource token. The token expires after a configurable lifetime (one hour by default, at most five hours), so a leaked token is far less damaging than a leaked master key.
WebApp1: Authenticate Azure AD users and relay resource tokens.
A typical approach to requesting, generating, and delivering resource tokens to a client application is to use a resource token broker: a middle-tier service (here WebApp1) that authenticates the caller with Azure AD, holds the account's master key, asks Cosmos DB for a permission scoped to that user, and returns the resource token to the client. The client then calls Cosmos DB with the resource token only and never sees the master key, and the broker is the one place where the mapping from Azure AD user to Cosmos DB user and permission is enforced. (The original page illustrated this with a diagram of the sample application's resource token broker, which is not reproduced here.)


AZ-500 Question 312

Question

You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize authentication prompts.
Which authentication method should you instruct the developers to use?

A. SQL Login
B. Active Directory – Universal with MFA support
C. Active Directory – Integrated
D. Active Directory – Password

Answer

C. Active Directory – Integrated

Explanation

Azure AD authentication for Azure SQL accepts identities from the Azure AD tenant itself or from an on-premises Active Directory Domain Services domain that is synchronized with or federated to Azure AD. Because the developers' computers are hybrid Azure AD joined and they sign in to Windows with their on-premises AD accounts, those Windows credentials can be presented to the database without a further prompt.
Using an Azure AD identity to connect using SSMS or SSDT
The following procedure shows how to connect to a SQL database with an Azure AD identity using SQL Server Management Studio or SQL Server Data Tools.
Active Directory integrated authentication
Use this method if you are logged in to Windows using your Active Directory credentials from a domain that is federated with Azure AD, or from a managed domain configured for seamless single sign-on with pass-through or password hash authentication.
1. Start Management Studio or Data Tools and, in the Connect to Server (or Connect to Database Engine) dialog box, in the Authentication box, select Active Directory – Integrated. No password is needed or can be entered, because your existing Windows credentials are presented for the connection.
2. Select the Options button and, on the Connection Properties page, in the Connect to database box, type the name of the user database you want to connect to. (The "AD domain name or tenant ID" option is only supported for the Universal with MFA connection option; otherwise it is greyed out.)
Incorrect answers: SQL Login (A) is a server-level SQL credential, not the developers' AD account. Active Directory – Password (D) works with a synchronized account but prompts for the password on every connection. Universal with MFA (B) adds an interactive sign-in and an MFA prompt, which the requirement to minimize prompts rules out.

AZ-500 Question 313

Question

You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?

A. In Azure AD, create a role.
B. In Azure Key Vault, create a key.
C. In Azure Key Vault, create an access policy.
D. In Azure AD, enable Azure AD Application Proxy.

Answer

C. In Azure Key Vault, create an access policy.

Explanation

Registering the application in Azure AD only gives it an identity; it does not grant that identity any access to Vault1. Data-plane access to secrets is granted on the Key Vault side. With the vault's access policy permission model, that means creating an access policy in Key Vault that grants the application's service principal the secret permissions it needs (get, and list if it enumerates secrets). Key Vault also supports an Azure RBAC permission model, in which you instead assign a built-in data-plane role such as Key Vault Secrets User at the vault or secret scope; in neither model is anything created in Azure AD.
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code still needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources make this simpler by giving Azure services an automatically managed identity in Azure AD. You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code, and the access policy is then granted to that identity rather than to a client secret.
Example: how a system-assigned managed identity works with an Azure VM. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
Incorrect answers: A: Azure AD roles control directory administration, not Key Vault data access. B: a key is a separate Key Vault object type and does not grant access to a secret. D: Application Proxy publishes on-premises web applications and is unrelated to Key Vault.
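One way to carry out the corrected answer, as an added PowerShell example that is not part of the original page: it grants the registered application's service principal the get permission on secrets in Vault1 when the vault uses the access policy model, and shows the equivalent Azure RBAC assignment scoped to the single secret when the vault uses the RBAC model. The names Vault1, Secret1 and the application display name App1 are assumptions, and the Az.KeyVault and Az.Resources modules are required.

```powershell
# Added example, not from the original page. Assumed names: Vault1, Secret1, App1.
$vaultName = 'Vault1'
$secretName = 'Secret1'
$appName = 'App1'

# The access policy is granted to the app registration's service principal,
# not to the application object. It must already exist in the tenant.
$sp = Get-AzADServicePrincipal -DisplayName $appName
if (-not $sp) {
    throw "No service principal for '$appName'. Create it with New-AzADServicePrincipal -ApplicationId <appId>."
}

$vault = Get-AzKeyVault -VaultName $vaultName

if (-not $vault.EnableRbacAuthorization) {
    # Access policy permission model (answer C).
    # Least privilege: 'get' only; add 'list' only if the app enumerates secrets.
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
        -ObjectId $sp.Id `
        -PermissionsToSecrets get
}
else {
    # Azure RBAC permission model: assign the data-plane role at the secret scope,
    # so the app cannot read the vault's other secrets.
    $secretScope = "$($vault.ResourceId)/secrets/$secretName"
    New-AzRoleAssignment -ObjectId $sp.Id `
        -RoleDefinitionName 'Key Vault Secrets User' `
        -Scope $secretScope
}

# Show what the vault now grants, so the change can be reviewed.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object ObjectId -eq $sp.Id |
    Format-Table ObjectId, PermissionsToSecrets

# Verification from the app's side (run with the app's own credential or managed identity):
# Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
```

Check which permission model the vault uses before choosing the branch: on an RBAC-enabled vault, access policies are ignored entirely, which is a common reason an application still gets 403 after an access policy has been added.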


AZ-500 Question 314

Question

From the Azure portal, you are configuring an Azure policy.
You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects.
Which effect requires a managed identity for the assignment?

A. AuditIfNotExist
B. Append
C. DeployIfNotExist
D. Deny

Answer

C. DeployIfNotExist

Explanation

When Azure Policy runs the ARM template in a deployIfNotExists policy definition, it does so using a managed identity attached to the policy assignment. That identity must be granted the role assignments listed in the definition's roleDefinitionIds at the assignment scope; otherwise the deployment, and any remediation task for existing resources, fails with an authorization error. The Modify effect has the same requirement, because it also changes resources. AuditIfNotExists only records non-compliance, and Append and Deny are applied to the request during evaluation, so none of those effects needs an identity.
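The full sequence for a DeployIfNotExists assignment, as an added PowerShell example that is not part of the original page: it assigns a built-in definition with a system-assigned identity, grants that identity exactly the roles the definition declares, and starts a remediation task. The subscription as the assignment scope, the region eastus, the chosen built-in definition (looked up by display name) and its parameter name logAnalytics are all assumptions; the Az.Resources and Az.PolicyInsights modules are required.

```powershell
# Added example, not from the original page. Scope, region, definition and
# parameter name are assumptions to be replaced for a real assignment.
$scope    = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$location = 'eastus'
$displayName = 'Deploy Diagnostic Settings for Key Vault to Log Analytics workspace'
$policyParams = @{ logAnalytics = '<workspace-resource-id>' }   # assumed parameter name

$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $displayName } |
    Select-Object -First 1
if (-not $def) { throw "Policy definition '$displayName' not found" }

# 1. The identity belongs to the assignment. DeployIfNotExists and Modify need it;
#    Deny, Append, Audit and AuditIfNotExists do not. -Location is mandatory with an identity.
$assignment = New-AzPolicyAssignment -Name 'kv-diag-dine' `
    -Scope $scope `
    -PolicyDefinition $def `
    -IdentityType SystemAssigned `
    -Location $location `
    -PolicyParameterObject $policyParams

# 2. The definition states the roles its deployment needs under
#    then.details.roleDefinitionIds. Assign those and nothing broader.
#    (Az.Resources 7+ flattens the object: use $def.PolicyRule instead of $def.Properties.PolicyRule.)
$roleIds = $def.Properties.PolicyRule.then.details.roleDefinitionIds
foreach ($roleId in $roleIds) {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId (($roleId -split '/')[-1]) `
        -Scope $scope
}

# 3. New resources are fixed at creation; existing ones only by a remediation task,
#    which runs under the same identity.
Start-AzPolicyRemediation -Name 'kv-diag-dine-remediate' `
    -PolicyAssignmentId $assignment.PolicyAssignmentId `
    -Scope $scope
```

The role assignment in step 2 is the part most often forgotten: the portal performs it automatically when you create the assignment there, but scripted or template-based assignments must do it explicitly, and the remediation task will report authorization failures until it is done.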


AZ-500 Question 315

Question

DRAG DROP
You need to configure SQLDB1 to meet the data and application requirements.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Actions:

  • From the Azure portal, create an Azure AD administrator for LitwareSQLServer1.
  • In SQLDB1, create contained database users.
  • Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS).
  • In Azure AD, create a system-assigned managed identity.
  • In Azure AD, create a user-assigned managed identity.

Answer

  • In Azure AD, create a system-assigned managed identity.
  • Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS).
  • In SQLDB1, create contained database users.

Explanation

Step 1: In Azure AD, create a system-assigned managed identity.
A system-assigned identity for a Windows virtual machine (VM) can be used to access an Azure SQL server. Managed identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert credentials into your code. The identity is enabled on the VM resource itself, which creates the corresponding service principal in Azure AD.
Step 2: Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS).
Connect as an Azure AD principal (the server's Azure AD administrator or a member of that group), because only an Azure AD principal can create database users from an external provider.
Step 3: In SQLDB1, create contained database users.
Create a contained user in the database that represents the VM's system-assigned identity (CREATE USER [VM name] FROM EXTERNAL PROVIDER) and add it only to the database roles the application needs. This statement looks the name up in Azure AD, so the managed identity has to exist before it runs, which is why it comes last.
A user-assigned managed identity is not required. Setting an Azure AD administrator on LitwareSQLServer1 is a prerequisite for any Azure AD connection to the server; the question asks for three actions, so the answer assumes it is already in place.
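The three steps above carried out end to end, as an added PowerShell example that is not part of the original page: it enables the system-assigned identity on VM1, connects to SQLDB1 with an Azure AD access token rather than a SQL login, and creates the contained user with least-privilege role membership. The names RG1, VM1, litwaresqlserver1 and SQLDB1 are assumptions; the Az.Compute, Az.Accounts and SqlServer modules are required, and the caller must be the server's Azure AD administrator.

```powershell
# Added example, not from the original page. Assumed names: RG1, VM1, litwaresqlserver1, SQLDB1.
$rg = 'RG1'
$vmName = 'VM1'
$server = 'litwaresqlserver1'
$db = 'SQLDB1'

# Step 1: the identity must exist in Azure AD before SQL can resolve it.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
"$vmName identity principalId: $($vm.Identity.PrincipalId)"

# Step 2: connect as an Azure AD principal using a token for the Azure SQL resource.
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
# Az.Accounts 5+ returns a SecureString here; Invoke-Sqlcmd -AccessToken wants plain text.
if ($token -is [securestring]) { $token = ConvertFrom-SecureString $token -AsPlainText }

# Step 3: the contained user is named after the VM. FROM EXTERNAL PROVIDER looks the
# name up in Azure AD, which is why step 1 has to come first.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$vmName')
    CREATE USER [$vmName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$vmName];
ALTER ROLE db_datawriter ADD MEMBER [$vmName];
"@
Invoke-Sqlcmd -ServerInstance "$server.database.windows.net" -Database $db -AccessToken $token -Query $sql

# Confirm the external user exists and which roles it holds.
$check = @"
SELECT dp.name, dp.type_desc, r.name AS role_name
FROM sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
WHERE dp.name = N'$vmName';
"@
Invoke-Sqlcmd -ServerInstance "$server.database.windows.net" -Database $db -AccessToken $token -Query $check
```

From inside VM1 the application then obtains its own token from the instance metadata endpoint (169.254.169.254) for the resource https://database.windows.net/ and connects with it; no password or connection-string secret is stored anywhere, which is the point of the managed identity.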


AZ-500 Question 316

Question

Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?

A. an application permission without admin consent
B. a delegated permission without admin consent
C. a delegated permission that requires admin consent
D. an application permission that requires admin consent

Answer

B. a delegated permission without admin consent

Explanation

Delegated permissions – Your client application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission requires administrator consent. Azure Key Vault exposes a single delegated permission, user_impersonation, which a user can consent to without an administrator; the effective access is then the intersection of what that user is allowed on the vault and what App1 requested, so App1 can never reach a secret its user could not read directly.
Incorrect Answers:
A, D: Application permissions – Your client application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for public (desktop and mobile) client applications. Key Vault does not expose application permissions (app roles) at all; an app that must act as itself is instead granted access on the vault through an access policy or Azure RBAC and authenticates with its own credential or managed identity.
C: Key Vault's user_impersonation permission does not require admin consent.
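The delegated permission configured on App1, as an added PowerShell example that is not part of the original page: it finds the Key Vault service principal, discovers the user_impersonation scope at run time instead of hard-coding its ID, adds it to App1's required permissions as a delegated (Scope) permission, and prints whether user or admin consent is required. The application display name App1 is an assumption; the Key Vault first-party application ID cfa8b339-82a2-471a-a3c9-0fc0be7a4093 is the well-known value; the Az.Resources module is required.

```powershell
# Added example, not from the original page. The app display name is an assumption.
$appDisplayName = 'App1'
$keyVaultAppId = 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'   # Azure Key Vault first-party app

$app  = Get-AzADApplication -DisplayName $appDisplayName
if (-not $app) { throw "Application '$appDisplayName' not found" }
$kvSp = Get-AzADServicePrincipal -ApplicationId $keyVaultAppId

# Delegated scopes live under Oauth2PermissionScope; application permissions would be
# under AppRole, which the Key Vault service principal does not define.
$scope = $kvSp.Oauth2PermissionScope | Where-Object Value -eq 'user_impersonation'
if (-not $scope) { throw 'Key Vault user_impersonation scope not found' }

# -Type Scope = delegated permission (answer B). -Type Role would be an application
# permission, which Key Vault does not offer.
Add-AzADAppPermission -ObjectId $app.Id -ApiId $kvSp.AppId -PermissionId $scope.Id -Type Scope

# 'User' means a signed-in user can consent for themselves; 'Admin' would make this
# answer C (delegated permission that requires admin consent).
"Consent required for user_impersonation: $($scope.Type)"

# Review what App1 now requests.
Get-AzADAppPermission -ObjectId $app.Id | Format-Table ApiId, Id, Type
```

Adding the permission to the manifest only declares what App1 will ask for; the grant is created when a user consents at first sign-in (or when an administrator grants it tenant-wide), and App1 then exchanges the user's sign-in for a Key Vault token by requesting the scope https://vault.azure.net/user_impersonation.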


AZ-500 Question 317

Question

You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network traffic to an Azure Storage account.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Install the Network Performance Monitor solution.
B. Enable Azure Network Watcher.
C. Enable diagnostic logging for the NSG.
D. Enable NSG flow logs.
E. Create an Azure Log Analytics workspace.

Answer

B. Enable Azure Network Watcher.
D. Enable NSG flow logs.

Explanation

A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability. Flow logs are written to a storage account and record, for each 5-tuple flow, whether the traffic was allowed or denied and which rule matched; version 2 logs add byte and packet counts and flow state. Steps include:

  • Create a VM with a network security group
  • Enable Network Watcher in the NSG's region and register the Microsoft.Insights resource provider
  • Enable a traffic flow log for the NSG, using Network Watcher's NSG flow log capability, and point it at the storage account
  • Download logged data
  • View logged data

Incorrect answers: NSG diagnostic logging (C) records rule counters and NSG events, not the traffic itself. A Log Analytics workspace (E) and the Network Performance Monitor solution (A) are only needed for Traffic Analytics or connectivity monitoring, not to write flow logs to a storage account.
Caveat: Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs, which capture the same information at the virtual network, subnet or NIC scope; new deployments should use virtual network flow logs.
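The two selected actions carried out together, as an added PowerShell example that is not part of the original page: it creates a Network Watcher for the region if none exists, registers Microsoft.Insights, and enables a version-2 flow log on the NSG with 30-day retention in a storage account. The names RG1, NSG1, the storage account flowlogsa1 and the region eastus are assumptions; the Az.Network, Az.Resources and Az.Storage modules are required.

```powershell
# Added example, not from the original page. Assumed names: RG1, NSG1, flowlogsa1, eastus.
$rg = 'RG1'
$nsgName = 'NSG1'
$saName = 'flowlogsa1'
$location = 'eastus'

# 1. One Network Watcher per region, conventionally kept in NetworkWatcherRG.
$nw = Get-AzNetworkWatcher -Location $location -ErrorAction SilentlyContinue
if (-not $nw) {
    $nw = New-AzNetworkWatcher -Name "NetworkWatcher_$location" `
        -ResourceGroupName 'NetworkWatcherRG' -Location $location
}

# 2. Flow logging is delivered through the Microsoft.Insights provider; registration
#    is per subscription and only needs to happen once.
$prov = Get-AzResourceProvider -ProviderNamespace Microsoft.Insights
if ($prov.RegistrationState -notcontains 'Registered') {
    Register-AzResourceProvider -ProviderNamespace Microsoft.Insights | Out-Null
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName

# 3. Version 2 records bytes, packets and flow state per flow; version 1 does not.
#    Retention is enforced by the flow log itself, so logs do not accumulate forever.
New-AzNetworkWatcherFlowLog -NetworkWatcher $nw `
    -Name "$nsgName-flowlog" `
    -TargetResourceId $nsg.Id `
    -StorageId $sa.Id `
    -Enabled $true `
    -FormatType Json -FormatVersion 2 `
    -EnableRetention $true -RetentionPolicyDays 30

# Logged data is written to this container as hourly JSON blobs, one path per NSG and MAC address.
Get-AzStorageContainer -Context $sa.Context -Name 'insights-logs-networksecuritygroupflowevent'
```

The storage account should be in the same region as the NSG, and the flow log has a managed identity of its own only when it also feeds Traffic Analytics; for plain storage delivery no identity or workspace is involved, which is why options A and E are not required.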


AZ-500 Question 318

Question

You have an Azure subscription named Sub1 that contains the virtual machines shown in the following table.

Name Resource group
VM1 RG1
VM2 RG2
VM3 RG1
VM4 RG1

You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an authorized user requests access.
What should you configure?

A. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
B. an application security group
C. Azure Active Directory (Azure AD) conditional access
D. just in time (JIT) VM access

Answer

D. just in time (JIT) VM access

Explanation

Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. It is a feature of Microsoft Defender for Cloud (formerly Azure Security Center) and requires Microsoft Defender for Servers Plan 2 on the subscription.
Note: When just-in-time is enabled, Defender for Cloud locks down inbound traffic to your Azure VMs by creating a deny NSG rule for the selected ports (here 3389 on VM1, VM3 and VM4, the VMs in RG1). You select the ports on the VM to which inbound traffic will be locked down; these ports are controlled by the just-in-time solution.
When a user requests access to a VM, Defender for Cloud checks that the user has Role-Based Access Control (RBAC) permissions that permit them to request access to that VM. If the request is approved, Defender for Cloud automatically configures the Network Security Groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports from the requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Defender for Cloud restores the NSGs to their previous state. Connections that are already established are not interrupted, however.
Incorrect answers: PIM (A) governs activation of Azure AD and Azure roles, not network ports. An application security group (B) is only a way to group NICs in NSG rules and does not open and close them on request. Conditional Access (C) controls sign-in to Azure AD applications, not TCP reachability of a VM.
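The JIT policy and a request against it, as an added PowerShell example that is not part of the original page: it creates one JIT policy covering RDP on the three VMs in RG1, then requests a two-hour opening for VM1 from a single source address and lists the resulting active requests. The subscription ID is taken from the current context; the region eastus and the source address 203.0.113.10 are constructed assumptions; the Az.Security module and Defender for Servers Plan 2 are required.

```powershell
# Added example, not from the original page. Region and source IP are assumptions.
$rg = 'RG1'
$location = 'eastus'
$subId = (Get-AzContext).Subscription.Id

# 1. Policy: one entry per VM in RG1 (VM2 is in RG2 and is out of scope).
#    Inbound 3389 is denied by an NSG rule until a request is approved.
$vmPolicies = foreach ($vmName in 'VM1', 'VM3', 'VM4') {
    @{
        id    = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"
        ports = @(@{
            number                     = 3389
            protocol                   = 'TCP'
            allowedSourceAddressPrefix = @('*')   # requesters must still state their own source
            maxRequestAccessDuration   = 'PT3H'   # longest window a requester may ask for
        })
    }
}
Set-AzJitNetworkAccessPolicy -Kind Basic -Location $location -Name default `
    -ResourceGroupName $rg -VirtualMachine $vmPolicies

# 2. Request: the caller needs the
#    Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission on the VM.
$request = @{
    id    = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/VM1"
    ports = @(@{
        number                     = 3389
        endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(2).ToString('o')
        allowedSourceAddressPrefix = @('203.0.113.10')   # constructed example address
    })
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Review what is currently open; each request carries its end time and source prefix.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name default).Requests
```

Requesting access for a single address rather than a range, and for the shortest window that will do, is what keeps the exposure small; the policy's maxRequestAccessDuration caps what any requester can ask for regardless of their RBAC permissions.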


AZ-500 Question 319

Question

DRAG DROP
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 500 Azure virtual machines that run Windows Server 2016 and are enrolled in LAW1.
You plan to add the System Update Assessment solution to LAW1.
You need to ensure that System Update Assessment-related logs are uploaded to LAW1 from 100 of the virtual machines only.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Actions:

  • Create a new workspace.
  • Apply the scope configuration to the solution.
  • Create a scope configuration.
  • Create a computer group.
  • Create a data source.

Answer

  • Create a computer group.
  • Create a scope configuration.
  • Apply the scope configuration to the solution.

Explanation

Management solutions such as System Update Assessment collect data from every computer connected to the workspace by default. To limit collection to a subset, first create a computer group in LAW1 (a saved search that returns the 100 computers, or a group imported from Active Directory or WSUS), then create a scope configuration that targets that computer group, and finally apply the scope configuration to the solution (the scope configuration used by Update Management is named MicrosoftDefaultScopeConfig-Updates). A new workspace or a new data source is not needed, which is why only three of the five actions are selected.
Note: the Log Analytics agent and the Update Management solution this question describes have since been retired in favour of the Azure Monitor Agent and Azure Update Manager, where update assessment is enabled per machine rather than scoped through a workspace solution.


AZ-500 Question 320

Question

HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.

Name Type Resource group
RG1 Resource group Not applicable
VM1 Virtual machine RG1
VM2 Virtual machine RG1
ActionGroup1 Action group RG1

VM1 and VM2 are stopped.
You create an alert rule that has the following settings:

  • Resource: RG1
  • Condition: All Administrative operations
  • Actions: Action groups configured for this alert rule: ActionGroup1
  • Alert rule name: Alert1

You create an action rule that has the following settings:

  • Scope: VM1
  • Filter criteria: Resource Type = “Virtual Machines”
  • Define on this scope: Suppression
  • Suppression config: From now (always)
  • Name: ActionRule1

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Note: Each correct selection is worth one point.
Hot Area:

Statements:

  • If you start VM1, an alert is triggered.
  • If you start VM2, an alert is triggered.
  • If you add a tag to RG1, an alert is triggered.

Answer

  • If you start VM1, an alert is triggered: No
  • If you start VM2, an alert is triggered: Yes
  • If you add a tag to RG1, an alert is triggered: Yes

Explanation

Box 1: Starting VM1 is an Administrative operation (Microsoft.Compute/virtualMachines/start/action) inside the alert rule's scope, so Alert1 matches, but ActionRule1 is scoped to VM1 and suppresses alerts on that resource indefinitely, so ActionGroup1 is never notified. The exam treats a suppressed alert as not triggered; in the portal the alert record still appears, with its actions suppressed.
Box 2: VM2 is in RG1 and is therefore inside the alert rule's scope, while the action rule's scope is VM1 only, so the alert is triggered and the action group runs.
Box 3: Adding a tag to RG1 is a write on the resource group (Microsoft.Resources/tags/write, or Microsoft.Resources/subscriptions/resourceGroups/write depending on the client), which the Activity Log records under the Administrative category and which therefore matches the rule's "All Administrative operations" condition. The action rule does not apply, because the affected resource is RG1, not VM1, and its resource type is not Virtual Machines. The original answer of No for this statement was wrong: tag changes are Administrative operations.
Note: action rules have since been renamed alert processing rules; suppression is now expressed as a rule that removes all action groups from matching alerts, and the same scoping logic applies.

