[Q132-Q147] Best Quality Microsoft AZ-500 Exam Questions ExamcollectionPass Realistic Practice Exams [2021]

Share

Best Quality Microsoft AZ-500 Exam Questions ExamcollectionPass Realistic Practice Exams [2021]

Critical Information To Microsoft Azure Security Technologies Pass the First Time


Exam AZ-500: Microsoft Azure Security Technologies

The content of this exam was updated on August 2, 2021.

Candidates for this exam should have subject matter expertise implementing security controls and threat protection, managing identity and access, and protecting data, applications, and networks.

Responsibilities for an Azure Security Engineer include maintaining the security posture, identifying and remediating vulnerabilities by using a variety of security tools, implementing threat protection, and responding to security incident escalations.

Azure Security Engineers often serve as part of a larger team dedicated to cloud-based management and security and may also secure hybrid environments as part of an end-to-end infrastructure.

A candidate for this exam should be familiar with scripting and automation, and should have a deep understanding of networking and virtualization. A candidate should also have a strong familiarity with cloud capabilities, Azure products and services, and other Microsoft products and services.

Part of the requirements for: Microsoft Certified: Azure Security Engineer Associate

Download exam skills outline

 

NEW QUESTION 132
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

From Azure AD Privileged Identity Management (PIM), you configure the settings for the Security Administrator role as shown in the following exhibit.

From PIM, you assign the Security Administrator role to the following groups:
* Group1: Active assignment type, permanently assigned
* Group2: Eligible assignment type, permanently eligible
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation

Box 1: Yes
Eligible Type: A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time.
You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.
Use the Activation maximum duration slider to set the maximum time, in hours, that a role stays active before it expires. This value can be from one to 24 hours.
Box 2: Yes
Active Type: A role assignment that doesn't require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role Box 3: Yes User3 is member of Group2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/privileged-identity-management/pim-resource-roles

 

NEW QUESTION 133
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?

  • A. a delegated permission without admin consent
  • B. an application permission without admin consent
  • C. a delegated permission that requires admin consent
  • D. an application permission that requires admin consent

Answer: A

Explanation:
Delegated permissions - Your client application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission requires administrator consent.
Incorrect Answers:
A, D: Application permissions - Your client application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for public (desktop and mobile) client applications.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

 

NEW QUESTION 134
You have an Azure subscription named Sub1.
In Azure Security Center, you have a security playbook named Play1. Play1 is configured to send an email message to a user named User1.
You need to modify Play1 to send email messages to a distribution group named Alerts.
What should you use to modify Play1?

  • A. Azure Monitor
  • B. Azure Application Insights
  • C. Azure Logic Apps Designer
  • D. Azure DevOps

Answer: C

Explanation:
You can change an existing playbook in Security Center to add an action, or conditions. To do that you just need to click on the name of the playbook that you want to change, in the Playbooks tab, and Logic App Designer opens up.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks

 

NEW QUESTION 135
You are configuring just in time (JIT) VM access to a set of Azure virtual machines.
You need to grant users PowerShell access to the virtual machine by using JIT VM access.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

 

NEW QUESTION 136
You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation

Box 1: No. VM4 is in Subnet13 which has NSG3 attached to it.
VM1 is in ASG1. NSG3 would only allow ICMP pings from ASG2 but not ASG1. Only TCP traffic is allowed from ASG1.
NSG3 has the inbound security rules shown in the following table.

Box 2: Yes.
VM2 is in ASG2. Any protocol is allowed from ASG2 so ICMP ping would be allowed.
Box3. VM1 is in ASG1. TCP traffic is allowed from ASG1 so VM1 could connect to the web server as connections to the web server would be on ports TCP 80 or TCP 443.

 

NEW QUESTION 137
You have an Azure subscription.
You create an Azure web app named Contoso1812 that uses an S1 App service plan.
You create a DNS record for www.contoso.com that points to the IP address of Contoso1812.
You need to ensure that users can access Contoso1812 by using the https://www.contoso.com URL.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Add a deployment slot to Contoso1812.
  • B. Add a hostname to Contoso1812.
  • C. Scale out the App Service plan of Contoso1812.
  • D. Scale up the App Service plan of Contoso1812.
  • E. Turn on the system-assigned managed identity for Contoso1812.

Answer: B,D

Explanation:
Explanation
B: You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have your users access it using either www.contoso.com or contoso.com as a fully qualified domain name (FQDN).
To do this, you have to create three records:
A root "A" record pointing to contoso.com
A root "TXT" record for verification
A "CNAME" record for the www name that points to the A record
E: To map a custom DNS name to a web app, the web app's App Service plan must be a paid tier (Shared, Basic, Standard, Premium or Consumption for Azure Functions). I Scale up the App Service plan: Select any of the non-free tiers (D1, B1, B2, B3, or any tier in the Production category).
References:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

 

NEW QUESTION 138
You are configuring network connectivity for two Azure virtual networks named VNET1 and VNET2.
You need to implement VPN gateways for the virtual networks to meet the following requirements:
* VNET1 must have six site-to-site connections that use BGP.
* VNET2 must have 12 site-to-site connections that use BGP.
* Costs must be minimized.
Which VPN gateway SKI) should you use for each virtual network? To answer, drag the appropriate SKUs to the correct networks. Each SKU may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point

Answer:

Explanation:

Explanation:
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku

 

NEW QUESTION 139
Which virtual networks in Sub1 can User2 modify and delete in their current state? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation:
Box 1: VNET4 and VNET1 only
RG1 has only Delete lock, while there are no locks on RG4.
RG2 and RG3 both have Read-only locks.
Box 2: VNET4 only
There are no locks on RG4, while the other resource groups have either Delete or Read-only locks.
Note: As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Scenario:
User2 is a Security administrator.
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User2 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.

References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

 

NEW QUESTION 140
You plan to use Azure Disk Encryption for several virtual machine disks.
You need to ensure that Azure Disk Encryption can retrieve secrets from the KeyVault11641655 Azure key vault.
To complete this task, sign in to the Azure portal and modify the Azure resources.
See the explanation below.

Answer:

Explanation:
Explanation
1. In the Azure portal, type Key Vaults from the search results then select KeyVault11641655. Alternatively, browse to in the left navigation pane.
2. In the Key Vault properties, scroll down to the Access Policies.
3. Select the Azure Disk Encryption for volume encryption

4. Click Save to save the changes.

 

NEW QUESTION 141
You need to configure a virtual network named VNET2 to meet the following requirements:
* Administrators must be prevented from deleting VNET2 accidentally.
* Administrators must be able to add subnets to VNET2 regularly.
To complete this task, sign in to the Azure portal and modify the Azure resources.
See the explanation below.

Answer:

Explanation:
Explanation
Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as Azure subscription, resource group, or resource.
Note: In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.
1. In the Azure portal, type Virtual Networks Virtual Networks from the search results then select VNET2. Alternatively, browse to in the left navigation pane.
2. In the Settings blade for virtual network VNET2, select

3. To add a lock, select Add.

4. For Lock type select Delete lock
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

 

NEW QUESTION 142
You have a Azure subscription that contains an Azure Container Registry named Registry1. The subscription uses the Standard use tier of Azure Security Center.
You upload several container images to Register1.
You discover that vulnerability security scans were not performed
You need to ensured that the images are scanned for vulnerabilities when they are uploaded to Registry1.
What should you do?

  • A. Upload the container images by using AzCopy
  • B. From the Azure portal modify the Pricing tier settings.
  • C. From Azure CLI, lock the container images.
  • D. Push the container images to Registry1 by using Docker

Answer: A

 

NEW QUESTION 143
You have an Azure Storage account named storage1 that has a container named container1.
You need to prevent the blobs in container1 from being modified.
What should you do?

  • A. From container1, modify the Access Control (IAM) settings.
  • B. From container1, add an access policy.
  • C. From container1, change the access level.
  • D. From storage1, enable soft delete for blobs.

Answer: B

Explanation:
Explanation/Reference:
References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage?tabs=azure-portal

 

NEW QUESTION 144
You have an Azure subscription that contains the following resources:
A network virtual appliance (NVA) that runs non-Microsoft firewall software and routes all outbound traffic from the virtual machines to the internet An Azure function that contains a script to manage the firewall rules of the NVA Azure Security Center standard tier enabled for all virtual machines An Azure Sentinel workspace
30 virtual machines
You need to ensure that when a high-priority alert is generated in Security Center for a virtual machine, an incident is created in Azure Sentinel and then a script is initiated to configure a firewall rule for the NVA.
How should you configure Azure Sentinel to meet the requirements? To answer, drag the appropriate components to the correct requirements. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center

 

NEW QUESTION 145
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to implement an application that will consist of the resources shown in the following table.

Users will authenticate by using their Azure AD user account and access the Cosmos DB account by using resource tokens.
You need to identify which tasks will be implemented in CosmosDB1 and WebApp1.
Which task should you identify for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Explanation

CosmosDB1: Create database users and generate resource tokens.
Azure Cosmos DB resource tokens provide a safe mechanism for allowing clients to read, write, and delete specific resources in an Azure Cosmos DB account according to the granted permissions.
WebApp1: Authenticate Azure AD users and relay resource tokens
A typical approach to requesting, generating, and delivering resource tokens to a mobile application is to use a resource token broker. The following diagram shows a high-level overview of how the sample application uses a resource token broker to manage access to the document database data:

References:
https://docs.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/cosmosdb/authentication

 

NEW QUESTION 146
You have the Azure Information Protection conditions shown in the following table.

You need to identify how Azure Information Protection will label files.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

References:
https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-classification

 

NEW QUESTION 147
......


Implementing platform protection

  • Customizing compute advanced security: the applicants are required to prove their skills in customizing endpoint protection; customizing and verifying VMs system updates; configuring authentication for Azure Container Registry; customizing security for various container types; executing vulnerability management; customizing AKS isolation; customizing container registry security; executing Azure Disk Encryption; customizing Azure App Service authentication and security; customizing SSL/TLS certs; customizing authentication for Azure Kubernetes Service; customizing automatic updates.
  • Implementing advanced network security: this covers the skills, such as securing VPN authentication and Express Route encryption connectivity; customizing Network Security Groups and Application Security Groups; designing and customizing Azure Firewall; customizing Azure Front Door service as an Application Gateway; customize Azure Bastion; customize Web Application Firewall within Azure Application Gateway; customize a firewall within a storage account, KeyVault, Azure SQL, or App Service; customize Service Endpoints; perform DDoS protection.

 

AZ-500 EXAM DUMPS WITH GUARANTEED SUCCESS: https://www.examcollectionpass.com/Microsoft/AZ-500-practice-exam-dumps.html

Best Quality Microsoft AZ-500 Exam Questions: https://drive.google.com/open?id=1QM2-rv84AoZwhnknDlM8J0yaP4MyKQPr