[Jan-2022] Updated Microsoft Azure Security Engineer Associate AZ-500 Exam Questions BUNDLE PACK
Master The Microsoft Content AZ-500 EXAM DUMPS WITH GUARANTEED SUCCESS!
NEW QUESTION 25
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 has access to the following identities:
* An OpenID-enabled user account
* A Hotmail account
* An account in contoso.com
* An account in an Azure AD tenant named fabrikam.com
You plan to use Azure Account Center to transfer the ownership of Sub1 to Admin1.
To which accounts can you transfer the ownership of Sub1?
- A. contoso.com, fabrikam.com, Hotmail, and OpenID-enabled user account
- B. contoso.com only
- C. contoso.com and fabrikam.com only
- D. contoso.com, fabrikam.com, and Hotmail only
Answer: C
Explanation:
Explanation
https://www.fast2test.com/AZ-500-practice-test.html 13
Valid Fast2test AZ-500 Exam PDF Dumps - New AZ-500 Real Exam Questions
Explanation:
When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new account's tenant. If you do so, all users, groups, or service principals who had role based access (RBAC) to manage subscriptions and its resources lose their access. Only the user in the new account who accepts your transfer request will have access to manage the resources.
Reference:
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer#transferring-subscription-to-an- account-in-another-azure-ad-tenant
NEW QUESTION 26
You need to ensure that users can access VM0. The solution must meet the platform protection requirements.
What should you do?
- A. On Firewall, configure a network traffic filtering rule.
- B. On Firewall, configure a DNAT rule.
- C. Assign RT1 to AzureFirewallSubnet.
- D. Move VM0 to Subnet1.
Answer: D
Explanation:
Explanation
Azure Firewall has the following known issue:
Conflict with Azure Security Center (ASC) Just-in-Time (JIT) feature.
If a virtual machine is accessed using JIT, and is in a subnet with a user-defined route that points to Azure Firewall as a default gateway, ASC JIT doesn't work. This is a result of asymmetric routing - a packet comes in via the virtual machine public IP (JIT opened the access), but the return path is via the firewall, which drops the packet because there is no established session on the firewall.
Solution: To work around this issue, place the JIT virtual machines on a separate subnet that doesn't have a user-defined route to the firewall.
Scenario:
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
Topic 1, Litware, inc
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case.
However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next sections of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.
Existing Environment
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device objects of all the Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity Management (PIM) is activated.
The tenant contains the groups shown in the following table.
The Azure subscription contains the objects shown in the following table.
Azure Security Center is set to the Free tier.
Planned changes
Litware plans to deploy the Azure resources shown in the following table.
Litware identifies the following identity and access requirements:
* All San Francisco users and their devices must be members of Group1.
* The members of Group2 must be assigned the Contributor role to Resource Group2 by using a permanent eligible assignment.
* Users must be prevented from registering applications in Azure AD and from consenting to applications
* that access company information on the users' behalf.
Platform Protection Requirements
Litware identifies the following platform protection requirements:
* Microsoft Antimalware must be installed on the virtual machines in Resource Group1.
* The members of Group2 must be assigned the Azure Kubernetes Service Cluster Admin Role.
* Azure AD users must be to authenticate to AKS1 by using their Azure AD credentials.
* Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
* A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must be available only for Resource Group1.
Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
NEW QUESTION 27
You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?
- A. In Azure Key Vault, create an access policy.
- B. In Azure AD, create a role.
- C. In Azure AD, enable Azure AD Application Proxy.
- D. In Azure Key Vault, create a key.
Answer: A
Explanation:
"You may need to configure the target resource to allow access from your application. For example, if you request a token to Key Vault, you need to make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token" https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
NEW QUESTION 28
You have an Azure key vault named KeyVault1 that contains the items shown in the following table.
In KeyVault, the following events occur in sequence:
Item1 is deleted
Administrator enables soft delete
Item2 and Policy1 are deleted.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
NEW QUESTION 29
Your company has an Azure subscription named Subscription1 that contains the users shown in the following table.
The company is sold to a new owner.
The company needs to transfer ownership of Subscription1.
Which user can transfer the ownership and which tool should the user use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Explanation
Box 1; User2
Billing Administrator
Select Transfer billing ownership for the subscription that you want to transfer.
Enter the email address of a user who's a billing administrator of the account that will be the new owner for the subscription.
Box 2: Azure Account Center
Azure Account Center can be used.
Reference:
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer#transfer-billing-ownership-of-an-azu
NEW QUESTION 30
Your company uses Azure DevOps.
You need to recommend a method to validate whether the code meets the company's quality standards and code review standards.
What should you recommend implementing in Azure DevOps?
- A. branch folders
- B. branch locking
- C. branch permissions
- D. branch policies
Answer: D
Explanation:
Explanation
Branch policies help teams protect their important branches of development. Policies enforce your team's code quality and change management standards.
References:
https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azuredevops& viewFallbackFrom=vsts
NEW QUESTION 31
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
The tenant contains the named locations shown in the following table.
You create the conditional access policies for a cloud app named App1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION 32
You company has an Azure subscription named Sub1. Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights. WebApp1 requires users to authenticate by using OAuth 2.0 client secrets.
Developers at the company plan to create a multi-step web test app that preforms synthetic transactions emulating user traffic to Web App1.
You need to ensure that web tests can run unattended.
What should you do first?
- A. Register the web test app in Azure AD.
- B. Upload the .webtest file to Application Insights.
- C. Add a plug-in to the web test app.
- D. In Microsoft Visual Studio, modify the .webtest file.
Answer: B
NEW QUESTION 33
You have an Azure subscription named Sub1 that contains the Azure key vaults shown in the following table.
In Sub1, you create a virtual machine that has the following configurations:
* Name:VM1
* Size: DS2v2
* Resource group: RG1
* Region: West Europe
* Operating system: Windows Server 2016
You plan to enable Azure Disk Encryption on VM1.
In which key vaults can you store the encryption key for VM1?
- A. Vault1, Vault2, Vault3, or Vault4
- B. Vault1 or Vault3 only
- C. Vault1 or Vault2 only
- D. Vault1 only
Answer: B
Explanation:
Explanation
"Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region." https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
NEW QUESTION 34
You network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.
The tenant contains the groups shown in the following table.
You configure a multi-factor authentication (MFA) registration policy that and the following settings:
* Assignments:
* Include: Group1
* Exclude Group2
* Controls: Require Azure MFA registration
* Enforce Policy: On
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
NEW QUESTION 35
SIMULATION
You need to ensure that connections from the Internet to VNET1\subnet0 are allowed only over TCP port 7777. The solution must use only currently deployed resources.
To complete this task, sign in to the Azure portal.
- A. You need to configure the Network Security Group that is associated with subnet0.
* In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to Virtual Networks in the left navigation pane.
* In the properties of VNET1, click on Subnets. This will display the subnets in VNET1 and the Network Security Group associated to each subnet. Note the name of the Network Security Group associated to Subnet0.
* Type Network Security Groups into the search box and select the Network Security Group associated with Subnet0.
* In the properties of the Network Security Group, click on Inbound Security Rules.
* Click the Add button to add a new rule.
* In the Source field, select Service Tag.
* In the Source Service Tag field, select Internet.
* Leave the Source port ranges and Destination field as the default values (* and All).
* In the Destination port ranges field, enter 7777.
* Change the Protocol to TCP.
* Leave the Action option as Allow.
* Change the Priority to 100.
* Change the Name from the default Port_8080 to something more descriptive such as Allow_TCP_7777_from_Internet. The name cannot contain spaces.
* Click the Add button to save the new rule. - B. You need to configure the Network Security Group that is associated with subnet0.
* In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET1. Alternatively, browse to Virtual Networks in the left navigation pane.
* In the properties of VNET1, click on Subnets. This will display the subnets in VNET1 and the Network Security Group associated to each subnet. Note the name of the Network Security Group associated to Subnet0.
* Type Network Security Groups into the search box and select the Network Security Group associated with Subnet0.
* In the properties of the Network Security Group, click on Inbound Security Rules.
* In the Destination port ranges field, enter 7777.
* Change the Protocol to TCP.
* Leave the Action option as Allow.
* Change the Priority to 100.
* Change the Name from the default Port_8080 to something more descriptive such as Allow_TCP_7777_from_Internet. The name cannot contain spaces.
* Click the Add button to save the new rule.
Answer: A
NEW QUESTION 36
You have an Azure subscription that contains virtual machines.
You enable just in time (JIT) VM access to all the virtual machines.
You need to connect to a virtual machine by using Remote Desktop.
What should you do first?
- A. From Azure Active Directory (Azure AD) Privileged Identity Management (PIM), activate the Owner role for the virtual machine.
- B. From the Azure portal, select the virtual machine, select Connect, and then select Request access.
- C. From the Azure portal, select the virtual machine and add the Network Watcher Agent virtual machine extension.
- D. From Azure Directory (Azure AD) Privileged Identity Management (PIM), activate the Security administrator user role.
Answer: B
Explanation:
Section: [none]
Explanation/Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/connect-logon
NEW QUESTION 37
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1.
You plan to publish several apps in the tenant.
You need to ensure that User1 can grant admin consent for the published apps.
Which two possible user roles can you assign to User1 to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- A. Application administrator
- B. Application developer
- C. Cloud application administrator
- D. Security administrator
- E. User administrator
Answer: A,C
Explanation:
Explanation/Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
https://www.fast2test.com/AZ-500-practice-test.html 22
Valid Fast2test AZ-500 Exam PDF Dumps - New AZ-500 Real Exam Questions
NEW QUESTION 38
You have an Azure subscription that contains the resources shown in the following table.
User1 is a member of Group1. Group1 and User2 are assigned the Key Vault Contributor role for Vault1.
On January 1, 2019, you create a secret in Vault1. The secret is configured as shown in the exhibit. (Click the Exhibit tab.)
User2 is assigned an access policy to Vault1. The policy has the following configurations:
* Key Management Operations: Get, List, and Restore
* Cryptographic Operations: Decrypt and Unwrap Key
* Secret Management Operations: Get, List, and Restore
Group1 is assigned an access to Vault1. The policy has the following configurations:
* Key Management Operations: Get and Recover
* Secret Management Operations: List, Backup, and Recover
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer:
Explanation:
Explanation
NEW QUESTION 39
SIMULATION
A user named Debbie has the Azure app installed on her mobile device.
You need to ensure that [email protected] is alerted when a resource lock is deleted.
To complete this task, sign in to the Azure portal.
- A. You need to configure an alert rule in Azure Monitor.
* Type Monitor into the search box and select Monitor from the search results.
* Click on Alerts.
* Click on +New Alert Rule.
* In the Scope section, click on the Select resource link.
* In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
* Select the subscription then click the Done button.
* In the Condition section, click on the Select condition link.
* Select the Delete management locks condition the click the Done button.
* In the Notification type box, select the Email/SMS message/Push/Voice option.
* In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter [email protected] in the Azure account email field.
* Click the OK button to close the window.
* Enter a name such as Debbie Mobile App in the notification name box.
* Click the Review & Create button then click the Create button to create the action group.
* Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field.
* Click the Create alert rule button to create the alert rule. - B. You need to configure an alert rule in Azure Monitor.
* Type Monitor into the search box and select Monitor from the search results.
* Click on Alerts.
* Click on +New Alert Rule.
* In the Scope section, click on the Select resource link.
* In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
* Select the subscription then click the Done button.
* In the Condition section, click on the Select condition link.
* In the Notification type box, select the Email/SMS message/Push/Voice option.
* In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter [email protected] in the Azure account email field.
* Click the OK button to close the window.
* Enter a name such as Debbie Mobile App in the notification name box.
* Click the Review & Create button then click the Create button to create the action group.
* Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field.
* Click the Create alert rule button to create the alert rule. - C. You need to configure an alert rule in Azure Monitor.
* Type Monitor into the search box and select Monitor from the search results.
* Click on Alerts.
* Click on +New Alert Rule.
* In the Scope section, click on the Select resource link.
* In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
* Select the subscription then click the Done button.
* In the Condition section, click on the Select condition link.
* Select the Delete management locks condition the click the Done button.
* In the Action group section, click on the Select action group link.
* Click the Create action group button to create a new action group.
* Give the group a name such as Debbie Mobile App (it doesn't matter what name you enter for the exam) then click the Next: Notifications > button.
* In the Notification type box, select the Email/SMS message/Push/Voice option.
* In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter [email protected] in the Azure account email field.
* Click the OK button to close the window.
* Enter a name such as Debbie Mobile App in the notification name box.
* Click the Review & Create button then click the Create button to create the action group.
* Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field.
* Click the Create alert rule button to create the alert rule.
Answer: C
NEW QUESTION 40
You need to deploy Microsoft Antimalware to meet the platform protection requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Explanation
1. DeployifNotExists
2. Scope
NEW QUESTION 41
You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-1111111111.
You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.
What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Explanation
Text, application Description automatically generated
Note: Assigning a custom RBAC role as the Management Group level is currently in preview only. So, for now the answer to the assignable scope is the subscription level.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-5-assignable-scopes
NEW QUESTION 42
You plan to deploy Azure container instances.
You have a containerized application that validates credit cards. The application is comprised of two containers:
an application container and a validation container.
The application container is monitored by the validation container. The validation container performs security checks by making requests to the application container and waiting for responses after every transaction.
You need to ensure that the application container and the validation container are scheduled to be deployed together. The containers must communicate to each other only on ports that are not externally exposed.
What should you include in the deployment?
- A. application security groups
- B. container groups
- C. management groups
- D. network security groups (NSGs)
Answer: B
Explanation:
Section: [none]
Explanation:
Azure Container Instances supports the deployment of multiple containers onto a single host using a container group. A container group is useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached process.
Reference:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
NEW QUESTION 43
You have an Azure subscription that contains the virtual machines shown in the following table.
From Azure Security Center, you turn on Auto Provisioning.
You deploy the virtual machines shown in the following table.
On which virtual machines is the Log Analytics agent installed?
- A. VM1, VM2, VM3, and VM4
- B. VM3 only
- C. VM3 and VM4 only
- D. VM1 and VM3 only
Answer: A
Explanation:
Explanation
When automatic provisioning is On, Security Center provisions the Log Analytics Agent on all supported Azure VMs and any new ones that are created.
Supported Operating systems include: Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64), and 18.04 LTS (x64) and Windows Server 2008 R2, 2012, 2012 R2, 2016, version 1709 and 1803 Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
NEW QUESTION 44
You have the Azure key vaults shown in the following table.
KV1 stores a secret named Secret1 and a key for a managed storage account named Key1.
You back up Secret1 and Key1.
To which key vaults can you restore each backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Explanation
The backups can only be restored to key vaults in the same subscription and same geography. You can restore to a different region in the same geography.
https://docs.microsoft.com/en-us/azure/key-vault/general/backup?tabs=azure-cli
NEW QUESTION 45
You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize authentication prompts.
Which authentication method should you instruct the developers to use?
- A. Active Directory - Integrated
- B. Active Directory - Universal with MFA support
- C. SQL Login
- D. Active Directory - Password
Answer: A
Explanation:
Azure AD can be the initial Azure AD managed domain. Azure AD can also be an on-premises Active Directory Domain Services that is federated with the Azure AD.
Using an Azure AD identity to connect using SSMS or SSDT
The following procedures show you how to connect to a SQL database with an Azure AD identity using SQL Server Management Studio or SQL Server Database Tools.
Active Directory integrated authentication
Use this method if you are logged in to Windows using your Azure Active Directory credentials from a federated domain.
1. Start Management Studio or Data Tools and in the Connect to Server (or Connect to Database Engine) dialog box, in the Authentication box, select Active Directory - Integrated. No password is needed or can be entered because your existing credentials will be presented for the connection.
2. Select the Options button, and on the Connection Properties page, in the Connect to database box, type the name of the user database you want to connect to. (The AD domain name or tenant ID" option is only supported for Universal with MFA connection options, otherwise it is greyed out.) Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure- powershell
NEW QUESTION 46
You need to deploy Microsoft Antimalware to meet the platform protection requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Explanation
Scenario: Microsoft Antimalware must be installed on the virtual machines in RG1.
RG1 is a resource group that contains Vnet1, VM0, and VM1.
Box 1: DeployIfNotExists
DeployIfNotExists executes a template deployment when the condition is met.
Azure policy definition Antimalware
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
NEW QUESTION 47
You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server
2016.
You need to implement a policy to ensure that each virtual machine has a custom antimalware virtual machine extension installed.
How should you complete the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Explanation
Box 1: DeployIfNotExists
DeployIfNotExists executes a template deployment when the condition is met.
Box 2: Template
The details property of the DeployIfNotExists effects has all the subproperties that define the related resources to match and the template deployment to execute.
Deployment [required]
This property should include the full template deployment as it would be passed to the Microsoft.Resources/deployment References:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
NEW QUESTION 48
......
Why Choose AZ-500?
This test is attributed to Microsoft Azure technologies associated with security. Only by acing it, the students can prove their abilities in the proper implementation of security control, identification, and access management, as well as in maintaining the security framework. What is more, this test is also associated with the Microsoft Certified: Azure Security Engineer Associate certification.
Pass Microsoft AZ-500 Exam – Experts Are Here To Help You: https://validdumps.actual4test.com/AZ-500_examcollection.html