The latest Microsoft AZ-500 Azure Security Technologies practice exam questions and answers (Q&A) are available free to help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the Microsoft AZ-500 Azure Security Technologies certification.
AZ-500 Question 321
Question
HOTSPOT
You have a file named File1.yaml that contains the following contents.
You create an Azure container instance named container1 by using File1.yaml.
You need to identify where you can access the values of Variable1 and Variable2.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Variable1:
- Cannot be accessed
- Can be accessed from the Azure portal only
- Can be accessed from inside container1 only
- Can be accessed from inside container1 and the Azure portal
Variable2:
- Cannot be accessed
- Can be accessed from the Azure portal only
- Can be accessed from inside container1 only
- Can be accessed from inside container1 and the Azure portal
Answer
Variable1: Can be accessed from inside container1 and the Azure portal
Variable2: Can be accessed from inside container1 only
Reference
- Azure > Container Instances > Set environment variables in container instances
AZ-500 Question 322
Question
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
Name | Type | Region | Resource group |
---|---|---|---|
Sa1 | Azure Storage account | East US | RG1 |
VM1 | Azure virtual machine | East US | RG2 |
KV1 | Azure key vault | East US 2 | RG1 |
SQL1 | Azure SQL database | East US 2 | RG2 |
You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database user.
What should you do?
A. Enable a managed service identity on VM1.
B. Create a secret in KV1.
C. Configure a service endpoint on SQL1.
D. Create a key in KV1.
Answer
B. Create a secret in KV1.
AZ-500 Question 323
Question
You have an Azure subscription that contains a virtual machine named VM1.
You create an Azure key vault that has the following configurations:
- Name: Vault5
- Region: West US
- Resource group: RG1
You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup.
Which key vault settings should you configure?
A. Access policies
B. Secrets
C. Keys
D. Locks
Answer
A. Access policies
Reference
- Azure > Security > Key Vault > General > Azure Key Vault security
AZ-500 Question 324
Question
DRAG DROP
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1. Sub1 contains an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to encrypt VM1 disks by using Azure Disk Encryption.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Actions:
- Configure secrets for the Azure key vault.
- Create an Azure key vault.
- Run Set-AzureRmStorageAccount.
- Configure access policies for the Azure key vault.
- Run Set-AzureRmVMDiskEncryptionExtension.
Answer
- Create an Azure key vault.
- Configure access policies for the Azure key vault.
- Run Set-AzureRmVMDiskEncryptionExtension.
Explanation
- Azure > Virtual Machines > Windows > Azure Disk Encryption for Windows VMs
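The three steps of the answer as an AzureRM PowerShell sequence. This is an added example, not part of the original question or of Microsoft's documentation. The resource group and vault name are constructed placeholders, and it assumes an AzureRM.Compute version that supports encryption without Azure AD application parameters.

```powershell
# Added example. '<resource-group>' and the vault name are placeholders (assumptions).
$rgName    = '<resource-group>'
$vmName    = 'VM1'
$vaultName = 'kv-ade-example'

# The key vault must be in the same region as the VM it will encrypt.
$location = (Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName).Location

# 1. Create an Azure key vault.
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $location

# 2. Configure the access policy so that Azure Disk Encryption can use the vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
    -EnabledForDiskEncryption

# 3. Enable encryption on the VM, pointing the extension at the vault.
$vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All

# Verify the result: both values should report 'Encrypted' once the extension finishes.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```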
AZ-500 Question 325
Question
HOTSPOT
You have the Azure Information Protection conditions shown in the following table.
Name | Pattern | Case sensitivity |
---|---|---|
Condition1 | White | On |
Condition2 | Black | Off |
You have the Azure Information Protection labels shown in the following table.
Name | Use condition | Label is applied |
---|---|---|
Label1 | Condition1 | Automatically |
Label2 | Condition2 | Automatically |
You have the Azure Information Protection policies shown in the following table.
Name | Applies to | Use label | Set the default label |
---|---|---|---|
Global | Not applicable | None | None |
Policy1 | User1 | Label1 | None |
Policy2 | User1 | Label2 | None |
You need to identify how Azure Information Protection will label files.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
If User1 creates a Microsoft Word file that includes the text “Black and White”, the file will be assigned:
- No label
- Label1 only
- Label2 only
- Label1 and Label2
If User1 creates a Microsoft Notepad file that includes the text “Black and white”, the file will be assigned:
- No label
- Label1 only
- Label2 only
- Label1 and Label2
Answer
If User1 creates a Microsoft Word file that includes the text “Black and White”, the file will be assigned: Label2 only
If User1 creates a Microsoft Notepad file that includes the text “Black and white”, the file will be assigned: No label
Explanation
Box 1: Label 2 only
How multiple conditions are evaluated when they apply to more than one label
1. The labels are ordered for evaluation, according to their position that you specify in the policy: The label positioned first has the lowest position (least sensitive) and the label positioned last has the highest position (most sensitive).
2. The most sensitive label is applied.
3. The last sublabel is applied.
Box 2: No Label
Automatic classification applies to Word, Excel, and PowerPoint when documents are saved, and applies to Outlook when emails are sent. Automatic classification does not apply to Microsoft Notepad.
Reference
- Microsoft Docs > Previous Versions > Azure Information Protection > How to configure conditions for automatic and recommended classification for Azure Information Protection
AZ-500 Question 326
Question
HOTSPOT
You need to create an Azure key vault. The solution must ensure that any object deleted from the key vault be retained for 90 days.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
Explanation
Box 1: -EnablePurgeProtection
If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well.
Box 2: -EnableSoftDelete
Specifies that the soft-delete functionality is enabled for this key vault. When soft-delete is enabled, for a grace period, you can recover this key vault and its contents after it is deleted.
Reference
- Azure > Azure PowerShell > Reference > Key Vault > New-AzureRmKeyVault
AZ-500 Question 327
Question
DRAG DROP
You have an Azure subscription named Sub1 that contains an Azure Storage account named Contosostorage1 and an Azure key vault named Contosokeyvault1.
You plan to create an Azure Automation runbook that will rotate the keys of Contosostorage1 and store them in Contosokeyvault1.
You need to implement prerequisites to ensure that you can implement the runbook.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Actions:
- Run Set-AzureRmKeyVaultAccessPolicy
- Create an Azure Automation account.
- Import PowerShell modules to the Azure Automation account.
- Create a user-assigned managed identity.
- Create a connection resource in the Azure Automation account.
Answer
- Create an Azure Automation account.
- Import PowerShell modules to the Azure Automation account.
- Create a connection resource in the Azure Automation account.
Explanation
Step 1: Create an Azure Automation account
Runbooks live within the Azure Automation account and can execute PowerShell scripts.
Step 2: Import PowerShell modules to the Azure Automation account
Under ‘Assets’ in the Resources section of the Azure Automation account, add the modules that the runbook needs. To execute key vault cmdlets in the runbook, we need to add AzureRM.Profile and AzureRM.KeyVault.
Step 3: Create a connection resource in the Azure Automation account
You can use the sample code below, taken from the AzureAutomationTutorialScript example runbook, to authenticate using the Run As account to manage Resource Manager resources with your runbooks. The AzureRunAsConnection is a connection asset automatically created when we created the ‘Run As accounts’ above. This can be found under Assets -> Connections. After the authentication code, run the same code above to get all the keys from the vault.

```powershell
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch
{
    # Stop the runbook if the connection asset is missing or the sign-in fails
    Write-Error -Message $_.Exception.Message
    throw
}
```
AZ-500 Question 328
Question
HOTSPOT
You plan to use Azure Log Analytics to collect logs from 200 servers that run Windows Server 2016.
You need to automate the deployment of the Microsoft Monitoring Agent to all the servers by using an Azure Resource Manager template.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
Reference
- Microsoft Docs > Blog Archive > The Manageability Guys > Enabling the Microsoft Monitoring Agent in Windows JSON Templates
AZ-500 Question 329
Question
HOTSPOT
Which virtual networks in Sub1 can User9 modify and delete in their current state? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Virtual networks that User9 can modify:
- VNET4 only
- VNET4 and VNET1 only
- VNET4, VNET3, and VNET1 only
- VNET4, VNET3, VNET2, and VNET1
Virtual networks that User9 can delete:
- VNET4 only
- VNET4 and VNET1 only
- VNET4, VNET3, and VNET1 only
- VNET4, VNET3, VNET2, and VNET1
Answer
Virtual networks that User9 can modify: VNET4 and VNET1 only
Virtual networks that User9 can delete: VNET4 only
Explanation
Box 1: VNET4 and VNET1 only
RG1 has only a Delete lock, while there are no locks on RG4.
RG2 and RG3 both have Read-only locks.
Box 2: VNET4 only
There are no locks on RG4, while the other resource groups have either Delete or Read-only locks.
Note: As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Scenario:
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
Name | Resource group |
---|---|
VNET1 | RG1 |
VNET2 | RG2 |
VNET3 | RG3 |
VNET4 | RG4 |
Sub1 contains the locks shown in the following table.
Name | Set on | Lock type |
---|---|---|
Lock1 | RG1 | Delete |
Lock2 | RG2 | Read-only |
Lock3 | RG3 | Delete |
Lock4 | RG4 | Read-only |
Reference
- Azure > Resource Manager > Management > Lock resources to prevent unexpected changes
AZ-500 Question 330
Question
SIMULATION
You need to ensure that web11597200 is protected from malware by using Microsoft Antimalware for Virtual Machines and is scanned every Friday at 01:00.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
You need to install and configure the Microsoft Antimalware extension on the virtual machine named web11597200.
- In the Azure portal, type Virtual Machines in the search box, select Virtual Machines from the search results then select web11597200. Alternatively, browse to Virtual Machines in the left navigation pane.
- In the properties of web11597200, click on Extensions.
- Click the Add button to add an Extension.
- Scroll down the list of extensions and select Microsoft Antimalware.
- Click the Create button. This will open the settings pane for the Microsoft Antimalware Extension.
- In the Scan day field, select Friday.
- In the Scan time field, enter 60. The scan time is measured in minutes after midnight so 60 would be 01:00, 120 would be 02:00 etc.
- Click the OK button to save the configuration and install the extension.
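The same scan schedule expressed as extension settings for deployment from PowerShell instead of the portal. This is an added example, not part of the original answer. The function name, the resource group and location placeholders, and the handler version are assumptions; the setting keys and day numbering follow the Microsoft Antimalware extension's documented configuration.

```powershell
# Added example: build the Microsoft Antimalware settings for a weekly scheduled scan.
function New-AntimalwareScanSettings {
    param(
        [Parameter(Mandatory)] [System.DayOfWeek] $ScanDay,
        [Parameter(Mandatory)] [ValidatePattern('^([01]\d|2[0-3]):[0-5]\d$')] [string] $ScanTime,
        [ValidateSet('Quick', 'Full')] [string] $ScanType = 'Quick'
    )

    # The extension expresses scan time in minutes after midnight (01:00 -> 60).
    $parts   = $ScanTime.Split(':')
    $minutes = [int]$parts[0] * 60 + [int]$parts[1]

    # Extension day numbering: 1 = Sunday ... 7 = Saturday (0 = daily, 8 = disabled).
    # [System.DayOfWeek] starts at Sunday = 0, so shift by one.
    $day = [int]$ScanDay + 1

    $settings = [ordered]@{
        AntimalwareEnabled        = $true
        RealtimeProtectionEnabled = 'true'
        ScheduledScanSettings     = [ordered]@{
            isEnabled = 'true'
            day       = "$day"
            time      = "$minutes"
            scanType  = $ScanType
        }
    }
    $settings | ConvertTo-Json -Depth 3
}

# Friday at 01:00, as the task requires: day "6", time "60".
$settingsJson = New-AntimalwareScanSettings -ScanDay Friday -ScanTime '01:00'
$settingsJson

# Applying the settings needs an authenticated AzureRM session.
# '<resource-group>', '<location>' and the handler version are placeholders (assumptions).
# Set-AzureRmVMExtension -ResourceGroupName '<resource-group>' -VMName 'web11597200' `
#     -Location '<location>' -Name 'IaaSAntimalware' `
#     -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' `
#     -TypeHandlerVersion '1.3' -SettingString $settingsJson
```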