Free AZ-500 Sample Questions — Microsoft Azure Security Technologies

You have multiple development teams that will create apps in Azure. You plan to create a standard development environment that will be deployed for each team. You need to recommend a solution that will enforce resource locks across the development environments and ensure that the locks are applied in a consistent manner. What should you include in the recommendation?

• A. an Azure policy
• B. an Azure Resource Manager template
• C. a management group
• D. an Azure blueprint

You have an Azure subscription that contains a storage account named storage1 and a virtual machine named VM1. VM1 is connected to a virtual network named VNet1 that contains one subnet and uses Azure DNS. You need to ensure that VM1 connects to storage1 by using a private IP address. The solution must minimize administrative effort. What should you do?

• A. For storage1, disable public network access
• B. On VNet1, create a new subnet
• C. For storage1, create a new private endpoint
• D. Create an Azure Private DNS zone

You have an Azure subscription. You enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM). Your company's security policy for administrator accounts has the following conditions: ✑ The accounts must use multi-factor authentication (MFA). ✑ The accounts must use 20-character complex passwords. ✑ The passwords must be changed every 180 days. ✑ The accounts must be managed by using PIM. You receive multiple alerts about administrators who have not changed their password during the last 90 days. You need to minimize the number of generated alerts. Which PIM alert should you modify?

• A. Roles are being assigned outside of Privileged Identity Management
• B. Roles don't require multi-factor authentication for activation
• C. Administrators aren't using their privileged roles
• D. Potential stale accounts in a privileged role

You are configuring and securing a network environment. You deploy an Azure virtual machine named VM1 that is configured to analyze network traffic. You need to ensure that all network traffic is routed through VM1. What should you configure?

• A. a system route
• B. a network security group (NSG)
• C. a user-defined route

You have an Azure subscription that contains a web app named App1. App1 provides users with product images and videos. Users access App1 by using a URL of HTTPS://app1.contoso.com. You deploy two server pools named Pool1 and Pool2. Pool1 hosts product images. Pool2 hosts product videos. You need to optimize the performance of App1. The solution must meet the following requirements: • Minimize the performance impact of TLS connections on Pool1 and Pool2. • Route user requests to the server pools based on the requested URL path. What should you include in the solution?

• A. Azure Bastion
• B. Azure Front Door
• C. Azure Traffic Manager
• D. Azure Application Gateway

You have been tasked with delegate administrative access to your company's Azure key vault. You have to make sure that a specific user is able to add and delete certificates in the key vault. You also have to make sure that access is assigned based on the principle of least privilege. Which of the following options should you use to achieve your goal?

• A. key vault access policy
• B. Azure policy
• C. Azure AD Privileged Identity Management (PIM)
• D. Azure DevOps

Your company has an Active Directory forest with a single domain, named weylandindustries.com. They also have an Azure Active Directory (Azure AD) tenant with the same name. After syncing all on-premises identities to Azure AD, you are informed that users with a givenName attribute starting with LAB should not be allowed to sync to Azure AD. Which of the following actions should you take?

• A. You should make use of the Synchronization Rules Editor to create an attribute-based filtering rule
• B. You should configure a DNAT rule on the Firewall
• C. You should configure a network traffic filtering rule on the Firewall
• D. You should make use of Active Directory Users and Computers to create an attribute-based filtering rule

You have an Azure subscription. You plan to create a workflow automation in Azure Security Center that will automatically remediate a security vulnerability. What should you create first?

• A. an automation account
• B. a managed identity
• C. an Azure logic app
• D. an Azure function app
• E. an alert rule

You have Azure Resource Manager templates that you use to deploy Azure virtual machines. You need to disable unused Windows features automatically as instances of the virtual machines are provisioned. What should you use?

• A. device configuration policies in Microsoft Intune
• B. Azure Automation State Configuration
• C. security policies in Azure Security Center
• D. device compliance policies in Microsoft Intune

You have an Azure subscription that contains a storage account named storage1 and two web apps named app1 and app2. Both apps will write data to storage1. You need to ensure that each app can read only the data that it has written. What should you do?

• A. Provide each app with a system-assigned identity and configure storage1 to use Azure AD User account authentication
• B. Provide each app with a separate Storage account key and configure the app to send the key with each request
• C. Provide each app with a user-managed identity and configure storage1 to use Azure AD User account authentication
• D. Provide each app with a unique Base64-encoded AES-256 encryption key and configure the app to send the key with each request

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1. You plan to publish several apps in the tenant. You need to ensure that User1 can grant admin consent for the published apps. Which two possible user roles can you assign to User1 to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

• A. Security administrator
• B. Cloud application administrator
• C. Application administrator
• D. User administrator
• E. Application developer

From the Azure portal, you are configuring an Azure policy. You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects. Which effect requires a managed identity for the assignment?

• A. AuditIfNotExist
• B. Append
• C. DeployIfNotExist
• D. Deny

You have an Azure subscription. You configure the subscription to use a different Azure Active Directory (Azure AD) tenant. What are two possible effects of the change? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

• A. Role assignments at the subscription level are lost
• B. Virtual machine managed identities are lost
• C. Virtual machine disk snapshots are lost
• D. Existing Azure resources are deleted

You have an Azure subscription that contains a Microsoft Defender External Attack Surface Management (Defender EASM) resource named EASM1. EASM1 has discovery enabled and contains several inventory assets. You need to identify which inventory assets are vulnerable to the most critical web app security risks. Which Defender EASM dashboard should you use?

• A. Security Posture
• B. OWASP Top 10
• C. Attack Surface Summary
• D. GDPR Compliance

You have a sneaking suspicion that there are users trying to sign in to resources which are inaccessible to them. You decide to create an Azure Log Analytics query to confirm your suspicions. The query will detect unsuccessful user sign-in attempts from the last few days. You want to make sure that the results only show users who had failed to sign-in more than five times. Which of the following should be included in your query?

• A. The EventID and CountIf() parameters
• B. The ActivityID and CountIf() parameters
• C. The EventID and Count() parameters
• D. The ActivityID and Count() parameters

Your network contains an on-premises Active Directory domain named corp.contoso.com. You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. You sync all on-premises identities to Azure AD. You need to prevent users who have a givenName attribute that starts with TEST from being synced to Azure AD. The solution must minimize administrative effort. What should you use?

• A. Synchronization Rules Editor
• B. Web Service Configuration Tool
• C. the Azure AD Connect wizard
• D. Active Directory Users and Computers

You have an Azure subscription that contains an Azure key vault named Vault1 and a virtual machine named VM1. VM1 has the Key Vault VM extension installed. For Vault1, you rotate the keys, secrets, and certificates. What will be updated automatically on VM1?

• A. the keys only
• B. the secrets only
• C. the certificates only
• D. the keys and secrets only
• E. the secrets and certificates only
• F. the keys, secrets, and certificates

You have an Azure subscription that contains a resource group named RG1 and a security group named ServerAdmins. RG1 contains 10 virtual machines, a virtual network named VNET1, and a network security group (NSG) named NSG1. ServerAdmins can access the virtual machines by using RDP. You need to ensure that NSG1 only allows RDP connections to the virtual machines for a maximum of 60 minutes when a member of ServerAdmins requests access. What should you configure?

• A. an Azure policy assigned to RG1
• B. a just in time (JIT) VM access policy in Microsoft Defender for Cloud
• C. an Azure Active Directory (Azure AD) Privileged Identity Management (PIM) role assignment
• D. an Azure Bastion host on VNET1

You have an Azure environment. You need to identify any Azure configurations and workloads that are non-compliant with ISO 27001:2013 standards. What should you use?

• A. Azure Sentinel
• B. Azure Active Directory (Azure AD) Identity Protection
• C. Microsoft Defender for Cloud
• D. Microsoft Defender for Identity

You have three on-premises servers named Server1, Server2, and Server3 that run Windows Server 2019. Server1 and Server2 are located on the internal network. Server3 is located on the perimeter network. All servers have access to Azure. From Azure Sentinel, you install a Windows firewall data connector. You need to collect Microsoft Defender Firewall data from the servers for Azure Sentinel. What should you do?

• A. Create an event subscription from Server1, Server2, and Server3
• B. Install the On-premises data gateway on each server
• C. Install the Microsoft Monitoring Agent on each server
• D. Install the Microsoft Monitoring Agent on Server1 and Server2. Install the On-premises data gateway on Server3