Microsoft Azure Certified Security Engineer AZ-500 Part 7
Question #: 245
Topic #: 3
HOTSPOT –
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzNetworkSecurityRuleConfig and receive the output shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 246
Topic #: 4
DRAG DROP –
You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) data connector.
You are threat hunting suspicious traffic from a specific IP address.
You need to annotate an intermediate event stored in the workspace and be able to reference the IP address when navigating through the investigation graph.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 247
Topic #: 4
HOTSPOT –
You have 20 Azure subscriptions and a security group named Group1. The subscriptions are children of the root management group.
Each subscription contains a resource group named RG1.
You need to ensure that for each subscription RG1 meets the following requirements:
✑ The members of Group1 are assigned the Owner role.
✑ The modification of permissions to RG1 is prevented.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 248
Topic #: 2
You have an Azure subscription named Subscription1 that contains an Azure Active Directory (Azure AD) tenant named contoso.com and a resource group named RG1.
You create a custom role named Role1 for contoso.com.
Where can you use Role1 for permission delegation?
A. contoso.com only
B. contoso.com and RG1 only
C. contoso.com and Subscription1 only
D. contoso.com, RG1, and Subscription1
Selected Answer: A
Question #: 249
Topic #: 3
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
On NIC1, you configure an application security group named ASG1.
On which other network interfaces can you configure ASG1?
A. NIC2 only
B. NIC2, NIC3, NIC4, and NIC5
C. NIC2 and NIC3 only
D. NIC2, NIC3, and NIC4 only
Selected Answer: C
Question #: 250
Topic #: 5
DRAG DROP –
You have an Azure subscription that contains a Microsoft SQL server named Server1 and an Azure key vault named vault1. Server1 hosts a database named DB1. Vault1 contains an encryption key named key1.
You need to ensure that you can enable Transparent Data Encryption (TDE) on DB1 by using key1.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 251
Topic #: 3
You have 15 Azure virtual machines in a resource group named RG1.
All the virtual machines run identical applications.
You need to prevent unauthorized applications and malware from running on the virtual machines.
What should you do?
A. Apply an Azure policy to RG1.
B. From Azure Security Center, configure adaptive application controls.
C. Configure Azure Active Directory (Azure AD) Identity Protection.
D. Apply a resource lock to RG1.
Selected Answer: B
Question #: 252
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Microsoft Defender for Cloud for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and an assignment that is scoped to the Tenant Root Group management group.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 253
Topic #: 5
HOTSPOT –
You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual machines shown in the following table.
You set the Key Vault access policy to Enable access to Azure Disk Encryption for volume encryption.
KeyVault1 is configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 254
Topic #: 3
You have a web app hosted on an on-premises server that is accessed by using a URL of https://www.contoso.com.
You plan to migrate the web app to Azure. You will continue to use https://www.contoso.com.
You need to enable HTTPS for the Azure web app.
What should you do first?
A. Export the public key from the on-premises server and save the key as a P7b file.
B. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES.
C. Export the public key from the on-premises server and save the key as a CER file.
D. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using AES256.
Selected Answer: B
Question #: 255
Topic #: 2
Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD). Azure AD Connect is installed on a domain member server named Server1.
You need to ensure that a domain administrator for the adatum.com domain can modify the synchronization options. The solution must use the principle of least privilege.
Which Azure AD role should you assign to the domain administrator?
A. Security administrator
B. Global administrator
C. User administrator
Selected Answer: B
Question #: 256
Topic #: 4
You have an Azure environment.
You need to identify any Azure configurations and workloads that are non-compliant with ISO 27001:2013 standards.
What should you use?
A. Azure Sentinel
B. Azure Active Directory (Azure AD) Identity Protection
C. Microsoft Defender for Cloud
D. Microsoft Defender for Identity
Selected Answer: C
Question #: 257
Topic #: 4
DRAG DROP –
You have an Azure subscription that contains 100 virtual machines. Azure Diagnostics is enabled on all the virtual machines.
You are planning the monitoring of Azure services in the subscription.
You need to retrieve the following details:
✑ Identify the user who deleted a virtual machine three weeks ago.
✑ Query the security events of a virtual machine that runs Windows Server 2016.
What should you use in Azure Monitor? To answer, drag the appropriate configuration settings to the correct details. Each configuration setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Suggestion Answer:
Question #: 258
Topic #: 2
You have an Azure subscription that contains the users shown in the following table.
Which users can enable Azure AD Privileged Identity Management (PIM)?
A. User2 and User3 only
B. User1 and User2 only
C. User2 only
D. User1 only
Selected Answer: A
Question #: 259
Topic #: 5
You have an Azure subscription that contains an Azure SQL database named DB1 in the East US Azure region.
You create the storage accounts shown in the following table.
You plan to enable auditing for DB1.
Which storage accounts can you use as the auditing destination for DB1?
A. storage1 and storage4 only
B. storage1 only
C. storage1, storage2, storage3, and storage4
D. storage1, storage2, and storage3 only
E. storage2 and storage3 only
Selected Answer: A
Question #: 260
Topic #: 3
You plan to deploy Azure container instances.
You have a containerized application that is comprised of two containers: an application container and a validation container. The application container is monitored by the validation container. The validation container performs security checks by making requests to the application container and waiting for responses after every transaction.
You need to ensure that the application container and the validation container are scheduled to be deployed together. The containers must communicate to each other only on ports that are not externally exposed.
What should you include in the deployment?
A. application security groups
B. network security groups (NSGs)
C. management groups
D. container groups
Selected Answer: D
Question #: 261
Topic #: 3
DRAG DROP –
You are configuring network connectivity for two Azure virtual networks named VNET1 and VNET2.
You need to implement VPN gateways for the virtual networks to meet the following requirements:
✑ VNET1 must have six site-to-site connections that use BGP.
✑ VNET2 must have 12 site-to-site connections that use BGP.
✑ Costs must be minimized.
Which VPN gateway SKU should you use for each virtual network? To answer, drag the appropriate SKUs to the correct networks. Each SKU may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Suggestion Answer:
Question #: 262
Topic #: 4
HOTSPOT –
You have an Azure subscription that contains the resources shown in the following table.
VM1 and VM2 are stopped.
You create an alert rule that has the following settings:
✑ Resource: RG1
✑ Condition: All Administrative operations
✑ Actions: Action groups configured for this alert rule: ActionGroup1
✑ Alert rule name: Alert1
You create an action rule that has the following settings:
✑ Scope: VM1
✑ Filter criteria: Resource Type = “Virtual Machines”
✑ Define on this scope: Suppression
✑ Suppression config: From now (always)
✑ Name: ActionRule1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Note: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 263
Topic #: 5
DRAG DROP –
You have an Azure subscription that contains an Azure SQL database named SQLDB1. SQLDB1 contains the columns shown in the following table.
For the Email and Birthday columns, you implement dynamic data masking by using the default masking function.
Which value will the users see in each column? To answer, drag the appropriate values to the correct columns. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Suggestion Answer:
Question #: 264
Topic #: 2
You have an Azure subscription.
You plan to create a custom role-based access control (RBAC) role that will provide permission to read the Azure Storage account.
Which property of the RBAC role definition should you configure?
A. NotActions []
B. DataActions []
C. AssignableScopes []
D. Actions []
Selected Answer: D
Question #: 265
Topic #: 2
HOTSPOT –
You have a Microsoft Entra tenant named contoso.com.
You collaborate with a partner organization that has a Microsoft Entra tenant named fabrikam.com. Fabrikam.com has multi-factor authentication (MFA) enabled for all users.
Contoso.com has the Cross-tenant access settings configured as shown in the Cross-tenant access settings exhibit. (Click the Cross-tenant access settings tab.)
Contoso.com has the External collaboration settings configured as shown in the External collaboration settings exhibit. (Click the External collaboration settings tab.)
You create a Conditional Access policy that has the following settings:
• Name: CAPolicy1
• Assignments
o Guest or external users: B2B collaboration guest users
o Target resources
– Include: All cloud apps
• Access controls
– Grant access
• Require device to be marked as compliant
• Require multi-factor authentication
– Enable policy: On
For each of the following statements, select Yes if the statement is true, otherwise select No.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 266
Topic #: 5
HOTSPOT –
You have a hybrid Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1 and the servers shown in the following table.
The tenant is linked to an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1.
User1 is assigned the Storage File Data SMB Share Contributor role for storage1.
The Security protocol settings for the file shares of storage1 are configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 267
Topic #: 4
DRAG DROP –
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 500 Azure virtual machines that run Windows Server 2016 and are enrolled in LAW1.
You plan to add the System Update Assessment solution to LAW1.
You need to ensure that System Update Assessment-related logs are uploaded to LAW1 from 100 of the virtual machines only.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 268
Topic #: 3
You are securing access to the resources in an Azure subscription.
A new company policy states that all the Azure virtual machines in the subscription must use managed disks.
You need to prevent users from creating virtual machines that use unmanaged disks.
What should you use?
A. Azure Monitor
B. Azure Policy
C. Azure Security Center
D. Azure Service Health
Selected Answer: B
Question #: 269
Topic #: 2
HOTSPOT –
You have the hierarchy of Azure resources shown in the following exhibit.
RG1, RG2, and RG3 are resource groups.
RG2 contains a virtual machine named VM2.
You assign role-based access control (RBAC) roles to the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 270
Topic #: 3
HOTSPOT –
You have an Azure subscription that contains a storage account named storage1 and several virtual machines. The storage account and virtual machines are in the same Azure region. The network configurations of the virtual machines are shown in the following table.
The virtual network subnets have service endpoints defined as shown in the following table.
You configure the following Firewall and virtual networks settings for storage1:
✑ Allow access from: Selected networks
✑ Virtual networks: VNET3\Subnet3
✑ Firewall – Address range: 52.233.129.0/24
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 271
Topic #: 5
You have an on-premises network and an Azure subscription.
You have the Microsoft SQL Server instances shown in the following table.
You plan to implement Microsoft Defender for SQL.
Which SQL Server instances will be protected by Microsoft Defender for SQL?
A. sql1 and sql2 only
B. sql1, sql2, and sql3 only
C. sql1, sql2, and sql4 only
D. sql1, sql2, sql3, and sql4
Selected Answer: D
Question #: 272
Topic #: 2
HOTSPOT –
You plan to implement an Azure function named Function1 that will create new storage accounts for containerized application instances.
You need to grant Function1 the minimum required privileges to create the storage accounts. The solution must minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 273
Topic #: 5
HOTSPOT –
You have a Microsoft Sentinel deployment.
You need to connect a third-party security solution to the deployment. The third-party solution will send Common Event Format (CEF)-formatted messages.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 274
Topic #: 3
You plan to create an Azure Kubernetes Service (AKS) cluster in an Azure subscription.
The manifest of the registered server application is shown in the following exhibit.
You need to ensure that the AKS cluster and Azure Active Directory (Azure AD) are integrated.
Which property should you modify in the manifest?
A. accessTokenAcceptedVersion
B. keyCredentials
C. groupMembershipClaims
D. acceptMappedClaims
Selected Answer: C
Question #: 275
Topic #: 3
HOTSPOT –
You have the Azure virtual networks shown in the following table.
You have the Azure virtual machines shown in the following table.
The firewalls on all the virtual machines allow ping traffic.
NSG1 is configured as shown in the following exhibit.
Inbound security rules –
Outbound security rules –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 276
Topic #: 2
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant.
From the Azure portal, you register an enterprise application.
Which additional resource will be created in Azure AD?
A. a service principal
B. an X.509 certificate
C. a managed identity
D. a user account
Selected Answer: A
Question #: 277
Topic #: 5
You have an Azure subscription that contains an Azure SQL Database logical server named SQL1 and an Azure virtual machine named VM1. VM1 uses a private IP address only.
The Firewall and virtual networks settings for SQL1 are shown in the following exhibit.
You need to ensure that VM1 can connect to SQL1. The solution must use the principle of least privilege.
What should you do?
A. Set Connection Policy to Proxy.
B. Set Allow Azure services and resources to access this server to Yes.
C. Add an existing virtual network.
D. Create a new firewall rule.
Selected Answer: C
Question #: 278
Topic #: 2
HOTSPOT –
You have an Azure Active Directory (Azure AD) tenant that contains the resources shown in the following table.
User2 is the owner of Group2.
The user and group settings for App1 are configured as shown in the following exhibit.
You enable self-service application access for App1 as shown in the following exhibit.
User3 is configured to approve access to App1.
After you enable self-service application access for App1, who will be configured as the Group2 owner and who will be configured as the App1 users? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 279
Topic #: 3
You have multiple development teams that will create apps in Azure.
You plan to create a standard development environment that will be deployed for each team.
You need to recommend a solution that will enforce resource locks across the development environments and ensure that the locks are applied in a consistent manner.
What should you include in the recommendation?
A. an Azure policy
B. an Azure Resource Manager template
C. a management group
D. an Azure blueprint
Selected Answer: D
Question #: 280
Topic #: 4
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have an Amazon Web Services (AWS) account.
You need to add the AWS account to Defender for Cloud.
What should you do first?
A. From Defender for Cloud, configure the Environment settings.
B. From the AWS account, enable a security hub.
C. From Defender for Cloud, configure the Security solutions settings.
D. From the Azure portal, add the AWS enterprise application.
Selected Answer: A
Question #: 281
Topic #: 5
You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1.
You need to ensure that the members of Group1 sign in by using passwordless authentication.
What should you do?
A. Configure the sign-in risk policy.
B. Create a Conditional Access policy.
C. Configure the Microsoft Authenticator authentication method policy.
D. Configure the certificate-based authentication (CBA) policy.
Selected Answer: C
Question #: 282
Topic #: 2
HOTSPOT –
You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-1111111111.
You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.
What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 283
Topic #: 4
You are troubleshooting a security issue for an Azure Storage account.
You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?
A. Azure Security Center
B. Azure Monitor
C. the Security admin center
D. Azure Storage Explorer
Selected Answer: B
Question #: 284
Topic #: 5
You have an Azure subscription that contains the resources shown in the following table.
You need to configure storage1 to regenerate keys automatically every 90 days.
Which cmdlet should you run?
A. Add-AzKeyVaultManagedStorageAccount
B. Set-AzStorageAccountManagementPolicy
C. Set-AzStorageAccount
D. Add-AzStorageAccountManagementPolicyAction
Selected Answer: A
Question #: 285
Topic #: 3
You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the automatically generated service principal for the AKS cluster to authenticate to the Azure Container Registry.
What should you create?
A. a secret in Azure Key Vault
B. a role assignment
C. an Azure Active Directory (Azure AD) user
D. an Azure Active Directory (Azure AD) group
Selected Answer: B
Question #: 286
Topic #: 5
HOTSPOT –
You have an Azure subscription that contains the key vaults shown in the following table.
The subscription contains the users shown in the following table.
On June 1, you perform the following actions:
• Delete a key named key1 from KeyVault1.
• Delete a secret named secret1 from KeyVault2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 287
Topic #: 2
HOTSPOT –
You have an Azure subscription that contains the custom roles shown in the following table.
In the Azure portal, you plan to create new custom roles by cloning existing roles. The new roles will be configured as shown in the following table.
Which roles can you clone to create each new role? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 288
Topic #: 3
You have an Azure subscription that contains two virtual machines named VM1 and VM2 that run Windows Server 2019.
You are implementing Update Management in Azure Automation.
You plan to create a new update deployment named Update1.
You need to ensure that Update1 meets the following requirements:
✑ Automatically applies updates to VM1 and VM2.
✑ Automatically adds any new Windows Server 2019 virtual machines to Update1.
What should you include in Update1?
A. a security group that has a Membership type of Assigned
B. a security group that has a Membership type of Dynamic Device
C. a dynamic group query
D. a Kusto query language query
Selected Answer: C
Question #: 289
Topic #: 4
You have an Azure subscription that contains the resources shown in the following table.
You plan to enable Azure Defender for the subscription.
Which resources can be protected by using Azure Defender?
A. VM1, VNET1, storage1, and Vault1
B. VM1, VNET1, and storage1 only
C. VM1, storage1, and Vault1 only
D. VM1 and VNET1 only
E. VM1 and storage1 only
Selected Answer: A
Question #: 290
Topic #: 2
HOTSPOT –
You have an Azure subscription that contains the Azure Active Directory (Azure AD) resources shown in the following table.
You create the groups shown in the following table.
Which resources can you add to Group5 and Group6? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer: