[Jan 02, 2022] Valid AZ-500 Test Answers & AZ-500 Exam PDF [Q30-Q48]

Valid Microsoft Azure Security Engineer Associate AZ-500 Dumps Ensure Your Passing


Topics for AZ-500 Test

It is important to keep in mind that before taking this exam, you must form a strong knowledge and understanding of the basic IT security principles. Also, if you want to nail the Microsoft AZ-500 exam at the first attempt, you should explore the four main topic areas listed below:

  • Identity and Access Management;
  • Security Operation Management;
  • Data and App Security;
  • Platform Protection Implementation.

Within the Identity and Access Management domain, the skills assessed include managing identities in Azure Active Directory, with a focus on securing service principals, Azure AD groups, Azure AD users, configuring password writeback, authentication methods, and Azure subscriptions. The next item is configuring secure access by using Azure AD. This encompasses Azure AD PIM (Privileged Identity Management), access reviews, activating and configuring PIM, conditional access policies, and Azure AD Identity Protection. Managing application access is another area to study in this first topic; here, candidates build their skills in app registration and API access. The final part is managing access control, which is broken down into subscription and resource permissions, resource group permissions, custom RBAC roles, interpreting permissions, and checking access.

Within the AZ-500 segment of Platform Protection Implementation, candidates must begin by implementing advanced network security. This covers VPN, network security groups, Azure Firewall, Azure Front Door as an application gateway, web application firewall, Azure Bastion, service endpoints, and DDoS protection. The final step involves configuring advanced security for compute. In this section, applicants learn about endpoint protection, system updates for VMs, authentication, security configuration, vulnerability management, configuring SSL/TLS certificates, and update automation, among others.

As far as the Security Operations Management objective is concerned, the areas of study include the use of Azure Monitor for security monitoring, which encompasses alerts, security logs, diagnostic logging, and log retention. It is followed by security monitoring with Azure Security Center. This concerns vulnerability scans, VM access, centralized policy management, configuring compliance policies, and evaluating compliance by using Azure Security Center. Also covered is security monitoring with Azure Sentinel. Learners will consider aspects such as creating and customizing alerts, configuring data sources, evaluating data sources and results from Azure Sentinel, and configuring workflow automation. Finally, candidates will cover the configuration of security policies, which includes configuring security settings and a playbook.

The final AZ-500 exam topic, Data and App Security, begins with configuring storage security. Here, exam-takers look at access control, key management, Azure AD authentication, Azure AD Domain Services, shared access signatures, shared access policies, and storage service encryption. The second part involves configuring database security. This covers database authentication and auditing, advanced threat defence for Azure SQL, database encryption, and implementing encryption for the Azure database. The last part is configuring and managing Key Vault. This touches on Key Vault access, managing permissions to certificates, keys, and secrets, RBAC configuration, managing certificates and secrets, configuring key rotation, and backing up and restoring Key Vault items.

 

NEW QUESTION 30
You have been tasked with applying conditional access policies for your company's current Azure Active Directory (Azure AD).
The process involves assessing the risk events and risk levels.
Which of the following is the risk level that should be configured for users that have leaked credentials?

  • A. High
  • B. Low
  • C. Medium
  • D. None

Answer: A

Explanation:
These six types of events are categorized into 3 levels of risk - High, Medium & Low:
[Table of risk event types and risk levels not available]

Reference:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

 

NEW QUESTION 31
You have an Azure subscription that contains the Azure virtual machines shown in the following table.

You create an MDM Security Baseline profile named Profile1.
You need to identify to which virtual machines Profile1 can be applied.
Which virtual machines should you identify?

  • A. VM1 only
  • B. VM1, VM2, and VM3 only
  • C. VM1 and VM3 only
  • D. VM1, VM2, VM3, and VM4

Answer: A

Explanation:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines

 

NEW QUESTION 32
You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-1111111111.
You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.
What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Note: Assigning a custom RBAC role at the Management Group level is currently in preview only. So, for now, the answer to the assignable scope is the subscription level.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-5-assignable-scopes

 

NEW QUESTION 33
You have five Azure subscriptions linked to a single Azure Active Directory (Azure AD) tenant.
You create an Azure Policy initiative named SecurityPolicyInitiative1.
You identify which standard role assignments must be configured on all new resource groups.
You need to enforce SecurityPolicyInitiative1 and the role assignments when a new resource group is created.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
https://docs.microsoft.com/en-us/azure/azure-australia/azure-policy

Topic 2, Litware, Inc.
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next sections of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.
Existing Environment
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device objects of all the Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is activated.
The tenant contains the groups shown in the following table.

The Azure subscription contains the objects shown in the following table.

Azure Security Center is set to the Free tier.
Planned changes
Litware plans to deploy the Azure resources shown in the following table.

Litware identifies the following identity and access requirements:
* All San Francisco users and their devices must be members of Group1.
* The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
* Users must be prevented from registering applications in Azure AD and from consenting to applications that access company information on the users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
* Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
* The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
* Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
* Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
* A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.

 

NEW QUESTION 34
You need to ensure that the Azure AD application registration and consent configurations meet the identity and access requirements.
What should you use in the Azure portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent

 

NEW QUESTION 35
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
The company is developing an application named App1. App1 will run as a service on a server that runs Windows Server 2016. App1 will authenticate to contoso.com and access Microsoft Graph to read directory data.
You need to delegate the minimum required permissions to App1.
Which three actions should you perform in sequence from the Azure portal? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Step 1: Create an app registration
First the application must be created/registered.
Step 2: Add an application permission
Application permissions are used by apps that run without a signed-in user present.
Step 3: Grant permissions

 

NEW QUESTION 36
You have the Azure virtual machines shown in the following table.

Each virtual machine has a single network interface.
You add the network interface of VM1 to an application security group named ASG1.
You need to identify the network interfaces of which virtual machines you can add to ASG1.
What should you identify?

  • A. VM2, VM3, and VM5 only
  • B. VM2 and VM3 only
  • C. VM2 only
  • D. VM2, VM3, VM4, and VM5

Answer: B

 

NEW QUESTION 37
You need to ensure that connections from the Internet to VNET1\subnet0 are allowed only over TCP port 7777. The solution must use only currently deployed resources.
To complete this task, sign in to the Azure portal.
See the explanation below.

Answer:

Explanation:
You need to configure the Network Security Group that is associated with subnet0.
* In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to Virtual Networks in the left navigation pane.
* In the properties of VNET1, click on Subnets. This will display the subnets in VNET1 and the Network Security Group associated to each subnet. Note the name of the Network Security Group associated to Subnet0.
* Type Network Security Groups into the search box and select the Network Security Group associated with Subnet0.
* In the properties of the Network Security Group, click on Inbound Security Rules.
* Click the Add button to add a new rule.
* In the Source field, select Service Tag.
* In the Source Service Tag
* Leave the Source port ranges field as the default values (* and All).
* In the Destination port ranges
* Change the Protocol to TCP.
* Leave the Action option as
* Change the Priority to 100.
* Change the Name from the default to something more descriptive such as Allow_TCP_7777_from_Internet.
* Click the Add button to save the new rule.

 

NEW QUESTION 38
You need to prevent administrative users from accidentally deleting a virtual network named VNET1. The administrative users must be allowed to modify the settings of VNET1.
To complete this task, sign in to the Azure portal.

Answer:

Explanation:
Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as an Azure subscription, resource group, or resource.
Note: In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.
1. In the Settings blade for virtual network VNET, select Locks.
2. To add a lock, select Add.
3. For Lock type select Delete lock, and click OK.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

 

NEW QUESTION 39
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?

  • A. No
  • B. Yes

Answer: A

Explanation:
Instead use a management group.
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously.
Reference:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-managementgroup

 

NEW QUESTION 40
You have an Azure subscription named Sub1.
In Azure Security Center, you have a security playbook named Play1. Play1 is configured to send an email message to a user named User1.
You need to modify Play1 to send email messages to a distribution group named Alerts.
What should you use to modify Play1?

  • A. Azure Monitor
  • B. Azure Application Insights
  • C. Azure Logic Apps Designer
  • D. Azure DevOps

Answer: C

Explanation:
You can change an existing playbook in Security Center to add an action, or conditions. To do that you just need to click on the name of the playbook that you want to change, in the Playbooks tab, and Logic App Designer opens up.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks

 

NEW QUESTION 41
Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.

The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 2: No
Use of Microsoft Authenticator is not required.
Note: Microsoft Authenticator is a multifactor app for mobile devices that generates time-based codes used during the Two-Step Verification process.
Box 3: No
The New York IP address subnet is included in the "skip multi-factor authentication for request.
References:
https://www.cayosoft.com/difference-enabling-enforcing-mfa/

 

NEW QUESTION 42
SIMULATION
A user named Debbie has the Azure app installed on her mobile device.
You need to ensure that [email protected] is alerted when a resource lock is deleted.
To complete this task, sign in to the Azure portal.

  • A. You need to configure an alert rule in Azure Monitor.
    * Type Monitor into the search box and select Monitor from the search results.
    * Click on Alerts.
    * Click on +New Alert Rule.
    * In the Scope section, click on the Select resource link.
    * In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
    * Select the subscription then click the Done button.
    * In the Condition section, click on the Select condition link.
    * In the Notification type box, select the Email/SMS message/Push/Voice option.
    * In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter [email protected] in the Azure account email field.
    * Click the OK button to close the window.
    * Enter a name such as Debbie Mobile App in the notification name box.
    * Click the Review & Create button then click the Create button to create the action group.
    * Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field.
    * Click the Create alert rule button to create the alert rule.
  • B. You need to configure an alert rule in Azure Monitor.
    * Type Monitor into the search box and select Monitor from the search results.
    * Click on Alerts.
    * Click on +New Alert Rule.
    * In the Scope section, click on the Select resource link.
    * In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
    * Select the subscription then click the Done button.
    * In the Condition section, click on the Select condition link.
    * Select the Delete management locks condition then click the Done button.
    * In the Notification type box, select the Email/SMS message/Push/Voice option.
    * In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter [email protected] in the Azure account email field.
    * Click the OK button to close the window.
    * Enter a name such as Debbie Mobile App in the notification name box.
    * Click the Review & Create button then click the Create button to create the action group.
    * Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field.
    * Click the Create alert rule button to create the alert rule.
  • C. You need to configure an alert rule in Azure Monitor.
    * Type Monitor into the search box and select Monitor from the search results.
    * Click on Alerts.
    * Click on +New Alert Rule.
    * In the Scope section, click on the Select resource link.
    * In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
    * Select the subscription then click the Done button.
    * In the Condition section, click on the Select condition link.
    * Select the Delete management locks condition then click the Done button.
    * In the Action group section, click on the Select action group link.
    * Click the Create action group button to create a new action group.
    * Give the group a name such as Debbie Mobile App (it doesn't matter what name you enter for the exam) then click the Next: Notifications > button.
    * In the Notification type box, select the Email/SMS message/Push/Voice option.
    * In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter [email protected] in the Azure account email field.
    * Click the OK button to close the window.
    * Enter a name such as Debbie Mobile App in the notification name box.
    * Click the Review & Create button then click the Create button to create the action group.
    * Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field.
    * Click the Create alert rule button to create the alert rule.

Answer: C

 

NEW QUESTION 43
You need to ensure that you can meet the security operations requirements.
What should you do first?

  • A. Upgrade the pricing tier of Security Center to Standard.
  • B. Turn on Auto Provisioning in Security Center.
  • C. Integrate Security Center and Microsoft Cloud App Security.
  • D. Modify the Security Center workspace configuration.

Answer: A

Explanation:
The Standard tier extends the capabilities of the Free tier to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads. The Standard tier also adds advanced threat detection capabilities, which uses built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.
Scenario: Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing

Manage security operations
Question Set 3

 

NEW QUESTION 44
You have the Azure key vaults shown in the following table.

KV1 stores a secret named Secret1 and a key for a managed storage account named Key1.
You back up Secret1 and Key1.
To which key vaults can you restore each backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
The backups can only be restored to key vaults in the same subscription and same geography. You can restore to a different region in the same geography.

 

NEW QUESTION 45
You have an Azure Sentinel workspace that contains an Azure Active Directory (Azure AD) connector, an Azure Log Analytics query named Query1 and a playbook named Playbook1.
Query1 returns a subset of security events generated by Azure AD.
You plan to create an Azure Sentinel analytic rule based on Query1 that will trigger Playbook1.
You need to ensure that you can add Playbook1 to the new rule.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

 

NEW QUESTION 46
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?

  • A. a delegated permission without admin consent
  • B. an application permission without admin consent
  • C. a delegated permission that requires admin consent
  • D. an application permission that requires admin consent

Answer: A

Explanation:
Delegated permissions - Your client application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission requires administrator consent.
Incorrect Answers:
A, D: Application permissions - Your client application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for public (desktop and mobile) client applications.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

 

NEW QUESTION 47
You have an Azure subscription named Sub1.
You have an Azure Active Directory (Azure AD) group named Group1 that contains all the members of your IT team.
You need to ensure that the members of Group1 can stop, start, and restart the Azure virtual machines in Sub1. The solution must use the principle of least privilege.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

References:
https://www.petri.com/cloud-security-create-custom-rbac-role-microsoft-azure

 

NEW QUESTION 48
......