Latest AZ-500 Study Guides 2022 - With Test Engine PDF [Q152-Q167]

Share

Latest AZ-500 Study Guides 2022 - With Test Engine PDF

Get New AZ-500 Practice Test Questions Answers 


Conclusion

Having a Microsoft badge will undoubtedly characterize you as skilled in Azure security technologies. Prove your skills and hands-on experience by passing AZ-500 Microsoft exam, as all the tools you need for this are available to you. Find the best books that cover all exam objectives, enroll in the official online course and be the winner in the exam battle.

 

NEW QUESTION 152
You have five Azure subscriptions linked to a single Azure Active Directory (Azure AD) tenant.
You create an Azure Policy initiative named SecurityPolicyInitiative1.
You identify which standard role assignments must be configured on all new resource groups.
You need to enforce SecurityPolicyInitiative1 and the role assignments when a new resource group is created.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Explanation

Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
https://docs.microsoft.com/en-us/azure/azure-australia/azure-policy

 

NEW QUESTION 153
You are configuring just in time (JIT) VM access to a set of Azure virtual machines.
You need to grant users PowerShell access to the virtual machine by using JIT VM access.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

 

NEW QUESTION 154
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to implement an application that will consist of the resources shown in the following table.

Users will authenticate by using their Azure AD user account and access the Cosmos DB account by using resource tokens.
You need to identify which tasks will be implemented in CosmosDB1 and WebApp1.
Which task should you identify for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation

CosmosDB1: Create database users and generate resource tokens.
Azure Cosmos DB resource tokens provide a safe mechanism for allowing clients to read, write, and delete specific resources in an Azure Cosmos DB account according to the granted permissions.
WebApp1: Authenticate Azure AD users and relay resource tokens
A typical approach to requesting, generating, and delivering resource tokens to a mobile application is to use a resource token broker. The following diagram shows a high-level overview of how the sample application uses a resource token broker to manage access to the document database data:

References:
https://docs.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/cosmosdb/authentication

 

NEW QUESTION 155
You are securing access to the resources in an Azure subscription.
A new company policy states that all the Azure virtual machines in the subscription must use managed disks.
You need to prevent users from creating virtual machines that use unmanaged disks.
What should you do?

  • A. Azure Policy
  • B. Azure Monitor
  • C. Azure Security Center
  • D. Azure Service Health

Answer: A

Explanation:
Section: [none]

 

NEW QUESTION 156
HOTSPOT
Which virtual networks in Sub1 can User2 modify and delete in their current state? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation

Box 1: VNET4 and VNET1 only
RG1 has only Delete lock, while there are no locks on RG4.
RG2 and RG3 both have Read-only locks.
Box 2: VNET4 only
There are no locks on RG4, while the other resource groups have either Delete or Read-only locks.
Note: As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
* CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
* ReadOnly means authorized users can read a resource, but they can't delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Scenario:
User2 is a Security administrator.
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User2 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

 

NEW QUESTION 157
You have an Azure subscription that contains 100 virtual machines and has Azure Security Center Standard tier enabled.
You plan to perform a vulnerability scan of each virtual machine.
You need to deploy the vulnerability scanner extension to the virtual machines by using an Azure Resource Manager template.
Which two values should you specify in the code to automate the deployment of the extension to the virtual machines? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. the user-assigned managed identity
  • B. the system-assigned managed identity
  • C. the Key Vault managed storage account key
  • D. the primary shared key
  • E. the workspace ID
  • F. the Azure Active Directory (Azure AD) ID

Answer: A,F

 

NEW QUESTION 158
You need to meet the identity and access requirements for Group1.
What should you do?

  • A. Modify the membership rule of Group1.
  • B. Add a membership rule to Group1.
  • C. Delete Group1. Create a new group named Group1 that has a membership type of Office 365. Add users and devices to the group.
  • D. Change the membership type of Group1 to Assigned. Create two groups that have dynamic memberships. Add the new groups to Group1.

Answer: D

Explanation:
Explanation
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership Scenario:
Litware identifies the following identity and access requirements: All San Francisco users and their devices must be members of Group1.
The tenant currently contain this group:

References:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-porta

 

NEW QUESTION 159
You have a file named File1.yaml that contains the following contents.

You create an Azure container instance named container1 by using File1.yaml.
You need to identify where you can access the values of Variable1 and Variable2.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation

Reference:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-environment-variables

 

NEW QUESTION 160
You have an Azure subscription that contains a virtual network. The virtual network contains the subnets shown in the following table.

The subscription contains the virtual machines shown in the following table.

You enable just in time (JIT) VM access for all the virtual machines.
You need to identify which virtual machines are protected by JIT.
Which virtual machines should you identify?

  • A. VM4 only
  • B. VM1, VM2, VM3, and VM4
  • C. VM1 and VM3 only
  • D. VM1, VM3 and VM4 only

Answer: D

Explanation:
An NSG needs to be enabled, either at the VM level or the subnet level.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

 

NEW QUESTION 161
You have an Azure subscription that contains the resources shown in the following table.

Transparent Data Encryption (TDE) is disabled on SQL1.
You assign polices to the resource groups as shown in the following table.

You plan to deploy Azure SQL databases by using an Azure Resource Manager (ARM) template. The databases will be configured as shown in the following table.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

 

NEW QUESTION 162
You are testing an Azure Kubernetes Service (AKS) cluster. The cluster is configured as shown in the exhibit.
(Click the Exhibit tab.)

You plan to deploy the cluster to production. You disable HTTP application routing.
You need to implement application routing that will provide reverse proxy and TLS termination for AKS services by using a single IP address.
What should you do?

  • A. Create an AKS Ingress controller.
  • B. Create an Azure Basic Load Balancer.
  • C. Install the container network interface (CNI) plug-in.
  • D. Create an Azure Standard Load Balancer.

Answer: A

Explanation:
Explanation
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services.
References:
https://docs.microsoft.com/en-us/azure/aks/ingress-tls
Topic 1, Contoso
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next sections of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
Technical requirements
Contoso identifies the following technical requirements:
* Deploy Azure Firewall to VNetWork1 in Sub2.
* Register an application named App2 in contoso.com.
* Whenever possible, use the principle of least privilege.
* Enable Azure AD Privileged Identity Management (PIM) for contoso.com
Existing Environment
Azure AD
Contoso.com contains the users shown in the following table.

Contoso.com contains the security groups shown in the following table.

Sub1
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User2 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.

Sub1 contains the Azure policies shown in the following table.

Sub2

Sub2 contains the virtual machines shown in the following table.

All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.

NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Contoso identifies the following technical requirements:
* Deploy Azure Firewall to VNetwork1 in Sub2.
* Register an application named App2 in contoso.com.
* Whenever possible, use the principle of least privilege.
* Enable Azure AD Privileged Identity Management (PIM) for contoso.com.

 

NEW QUESTION 163
You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.

You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6.
Which additional virtual machines can be updated by using Update1 and Update2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation

Update1: VM1 and VM2 only
VM3: Windows Server 2016 West US RG2
Update2: VM4 and VM5 only
VM6: CentOS 7.5 East US RG1
For Linux, the machine must have access to an update repository. The update repository can be private or public.
References:
https://docs.microsoft.com/en-us/azure/automation/automation-update-management

 

NEW QUESTION 164
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:
Assignments: Include Group1, exclude Group2
Conditions: Sign-in risk level: Medium and above
Access Allow access, Require multi-factor authentication
You need to identify what occurs when the users sign in to Azure AD.
What should you identify for each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

 

NEW QUESTION 165
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username: [email protected]
Azure Password: Ag1Bh9!#Bd
The following information is for technical support purposes only:
Lab Instance: 10598168




You need to perform a full malware scan every Sunday at 02:00 on a virtual machine named VM1 by using Microsoft Antimalware for Virtual Machines.
To complete this task, sign in to the Azure portal.

Answer:

Explanation:
See the explanation below.
Explanation
Deploy the Microsoft Antimalware Extension using the Azure Portal for single VM deployment
1. In Azure Portal, go to the Azure VM1's blade, navigate to the Extensions section and press Add.

2. Select the Microsoft Antimalware extension and press Create.
3. Fill the "Install extension" form as desired and press OK. Scheduled: EnableScan type: FullScan day:
Sunday

Reference:
https://www.e-apostolidis.gr/microsoft/azure/azure-vm-antimalware-extension-management/

 

NEW QUESTION 166
You have an Azure Active Din-dory (Azure AD) tenant named contoso.com that contains a user named User1.
You plan to publish several apps in the tenant.
You need to ensure that User1 can grant admin consent for the published apps.
Which two possible user roles can you assign to User! to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

  • A. Application developer
  • B. Security administrator
  • C. User administrator
  • D. Cloud application administrator
  • E. Application administrator

Answer: A,C

 

NEW QUESTION 167
......


Books and a Training Course for Exam Preparation

The following are books that cover all the topics of Microsoft AZ-500, with essential information and realistic practice questions to help you be up in arms on the real exam.

  • ‘Exam Ref AZ-500 Microsoft Azure Security Technologies 1st Edition’ by Yuri Diogenes and Orin Thomas

    This official study guide written by a team of leading Microsoft experts will explain to you all the objectives of Microsoft AZ-500 and will help you demonstrate your real-world knowledge of Microsoft Azure security technologies. In addition, you’ll deepen your skills in working with threat protection, security controls, operating access, and will be a real professional in securing assets in hybrid environment as well as in cloud. The authors guide students through many “what if” scenarios and give up-to-date exam preparation tips to pass the exam successfully. This printed edition will prepare you for associate-level roles where you will need to demonstrate your real-world knowledge of Microsoft Azure security. So, the paperback version of this guide is available on Amazon.

  • Mastering Azure Security (Safeguard your Azure workload with innovative cloud security measures) by M. Toroman, T. Janetscheck

    This book deserves your attention because it will help you learn cloud security concepts and get the gist of how to operate cloud identities. You will be proficient in working with Azure security cloud infrastructure and have a solid understanding of how to secure cloud resources. In addition, you’ll know all about security polices and rules and how to implement them in your daily work. To add more, you’ll sharpen your knowledge in using Azure Security Center, as well as other Azure security features. As a result, you’ll grow as a security professional and work more effectively.

If the candidate wants to improve his/her odds, to close the knowledge gaps, or to systematize the material before taking the actual exam, s/he can use Microsoft's official tools and enroll in Instructor-led training - Course AZ-500T00: Microsoft Azure Security Technologies. Classes are offered both in virtual classrooms and offline. The upcoming dates and prices can be found on the Microsoft webpage. Potential learners should be familiar with Azure security protocols and workload deployment, have experience with Windows and Linux operating systems, and know Security advanced practices and industry security requirements. Prior completion of the free online training will be an advantage to the candidate, and a chance for him/her to succeed in this course. Each of the 4 modules corresponds to the exam program and focuses on security for identity and access, data and applications protection, and security operations. Unequivocally, the 4 days of training will benefit Azure security engineers and candidates for the relevant exam to gain and practice skills they can apply in their day-to-day work.

 

AZ-500 Dumps and Exam Test Engine: https://www.examcollectionpass.com/Microsoft/AZ-500-practice-exam-dumps.html

Microsoft AZ-500 DUMPS WITH REAL EXAM QUESTIONS: https://drive.google.com/open?id=1QM2-rv84AoZwhnknDlM8J0yaP4MyKQPr