AZ500

Question 1

You have a workload in Azure that uses a virtual machine named VM1. VM1 is in a resource group named RG1.

You need to create and assign an identity to VM1 that will be used to access Azure resources. Other virtual machines must be able to use the same identity.

Which PowerShell script should you run?

Answer 1

New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID $vm = Get-AzVM -ResourceGroupName RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID “/subscriptions/<SUBSCRIPTION>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VMID"</SUBSCRIPTION>

Question 2

You have an Azure subscription that is used for training purposes.
You need to allow external users to create resources in the subscription.
Which two identity providers can be used to access the subscription? Each correct answer presents a complete solution.

Answer 2

Facebook

Google

Question 3

You manage external guest users in a Microsoft Entra tenant. The tenant uses the default settings.
Which capability is available to the guest users?

Answer 3

Invite other guests.

Question 4

You need to delegate the ability to configure sign-in risk policies. The solution must follow the principle of least privilege.

Which role should you assign?

Answer 4

Security Administrator

Question 5

You manage Microsoft Entra tenant for a retail company.

You need to ensure that employees using shared Android tablets can use passwordless authentication when accessing the Azure portal.

Which authentication method should you use?

Answer 5

the Microsoft Authenticator app

Question 6

You need to configure passwordless authentication. The solution must follow the principle of least privilege.

Which role should assign to complete the task?

Answer 6

Global Administrator

Question 7

You have a Microsoft Entra tenant.
You need to recommend a passwordless authentication method. The solution must support near-field communication (NFC) devices.
Which two authentication methods should you recommend? Each correct answer presents a complete solution.

Answer 7

FIDO2 security keys

Windows Hello for Business

Question 8

You have an Azure subscription.
You plan to deploy Microsoft Entra Verified ID.
You need to identify which administrative roles are required for the solution. The solution must follow the principle of least privilege.
Which three roles should you identify? Each correct answer presents part of the solution.

Answer 8

Application Administrator
Authentication Policy Administrator
Contributor

Question 9

You have a Microsoft Entra tenant.

You need to recommend a passwordless authentication solution.

Which three authentication methods should you include in the recommendation? Each correct answer presents a complete solution.

Answer 9

FIDO2 security keys
the Microsoft Authenticator app
Windows Hello for Business

Question 10

You need to provide an administrator with the ability to configure access reviews in Microsoft Entra Privileged Identity Management (PIM). The solution must follow the principle of least privilege.
Which role should you assign to the administrator?

Answer 10

Privileged Role Administrator

Question 11

You create a web API and register the API as a Microsoft Entra application.
You need to expose a function in the API to ensure that administrators must provide consent to apps that use the API.
What should you add to your app registration?

Answer 11

a scope

Question 12

You are managing permission consent for Microsoft Entra app registration.
Which component displays the publisher domain?

Answer 12

publisher name and verification

Question 13

You are creating a Microsoft Entra app registration. You are configuring credentials for the app registration and have the following requirements:

Ensure that the credentials are not transmitted during authentication.
Ensure that the credentials are stored securely.
Ensure that credential usage follows the principle of least privilege.
What should you do?

Answer 13

Use certificate credentials.

Question 14

You have a Microsoft Entra tenant that uses the default setting.
You need to prevent users from a domain named contoso.com from being invited to the tenant.
What should you do?

Answer 14

Edit the Collaboration restrictions settings.

Question 15

You need to provide an administrator with the ability to manage custom RBAC roles. The solution must follow the principle of least privilege.
Which role should you assign to the administrator?

Answer 15

User Access Administrator

Question 16

You have the following security policy deployed to an Azure subscription.

{
“policyRule”: {
“if”: {
“allOf”: [
{
“field”: “type”,
“equals”: “Microsoft.Storage/storageAccounts”
},
{
“field”: “Microsoft.Storage/storageAccounts/allowSharedKeyAccess”,
“equals”: “true”
}
]
},
“then”: {
“effect”: “Deny”
}
}
}

You successfully deploy a new storage account.
Which statements is true?

Answer 16

Usage of Microsoft Entra authentication is enforced.

Question 17

You are configuring an Azure Policy in your environment.
You need to ensure that any resources that are missing a tag named CostCenter inherit a value from a resource group.
You create a custom policy that uses the following snippet.

{
“policyRule”: {
“if”: {
“field”: “tags[‘CostCenter’]”,
“exists”: “false”
},
“then”: {
“effect”: “modify”,
“details”: {
“roleDefinitionIds”: [
“/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c”
],
“operations”: [
{
“operation”: “addOrReplace”,
“field”: “tags[‘CostCenter’]”,
“value”: “[resourceGroup().tags[‘CostCenter’]]”
}
]
}
}
}
}

Which policy mode should you use?

Answer 17

Indexed

Question 18

You have an Azure subscription that contains a user named Admin1.

You need to ensure that Admin1 can access the Regulatory compliance dashboard in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which two roles should you assign to Admin1? Each correct answer presents part of the solution.

Answer 18

Resource Policy Contributor
Security Admin

Question 19

You have an Azure subscription that contains a user named Admin1.

You need to ensure that Admin1 can create and assign custom security initiatives in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.

Which role should you assign to Admin1?

Answer 19

Owner (Subscription)

Question 20

You have an Azure subscription.

You need to recommend a solution that uses crawling technology of Microsoft to discover and actively scan assets within an online infrastructure. The solution must also discover new connections over time.

What should you include in the recommendation?

Answer 20

Microsoft Defender External Attack Surface Management (EASM)

Question 21

You set Periodic recurring scans to ON while implementing a Microsoft Defender for SQL vulnerability assessment.

How often will the scan be triggered?

Answer 21

once a week

Question 22

You are implementing a Microsoft Defender for SQL vulnerability assessments.

Where are the scan results stored?

Answer 22

an Azure Storage account

Question 23

You have an Azure subscription and the following SQL deployments:

An Azure SQL database named DB1
An Azure SQL Server named sqlserver1
An instance of SQL Server on Azure Virtual Machines named VM1 that has Microsoft SQL Server 2022 installed
An on-premises server named Server1 that has SQL Server 2019 installed
Which deployments can be protected by using Microsoft Defender for Cloud?

Answer 23

DB1, sqlserver1, VM1, and Server1

Question 24

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to protect AKS1 by using Microsoft Defender for Cloud.
Which Defender plan should you use?

Answer 24

Microsoft Defender for Containers

Question 25

You have custom alert rules in Microsoft Sentinel. The rules exceed the query length limitations. You need to resolve the issue. Which function should you use for the rule?

Answer 25

user-defined functions

Question 26

You have a data connector for Microsoft Sentinel. You need to configure the connector to collect logs from Conditional Access in Microsoft Entra. Which log should you connect to Microsoft Sentinel?

Answer 26

sign-in logs

Question 27

You are designing an Azure solution that stores encrypted data in Azure Storage. You need to ensure that the keys used to encrypt the data cannot be permanently deleted until 60 days after they are deleted. The solution must minimize costs. What should you do?

Answer 27

Store keys in a software-protected key vault that has soft delete and purge protection enabled.

Question 28

You are configuring automatic key rotation for an encryption key stored in Azure Key Vault. You need to implement an alert to be triggered five days before the keys are rotated. What should you use?

Answer 28

Azure Event Grid

Question 29

You need to implement a key management solution that supports importing keys generated in an on-premises environment. The solution must ensure that the keys stay within a single Azure region. What should you do?

Answer 29

Implement Azure Key Vault Managed HSM.

Question 30

You need to grant an application access to read connection strings stored in Azure Key Vault. The solution must follow the principle of least privilege. Which role assignment should you use?

Answer 30

Key Vault Secrets User

Question 31

You have an Azure subscription that contains an Azure container registry named ACR1 and a user named User1. You need to ensure that User1 can administer images in ACR1. The solution must follow the principle of least privilege. Which two roles should you assign to User1? Each correct answer presents part of the solution.

Answer 31

AcrDelete AcrPush

Question 32

Your company has an Azure subscription and an Amazon Web Services (AWS) account. You plan to deploy Kubernetes to AWS. You need to ensure that you can use Azure Monitor Container insights to monitor container workload performance. What should you deploy first?

Answer 32

Azure Arc-enabled Kubernetes

Question 33

You have an Azure subscription that contains a virtual machine named VM1. VM1 is configured with just-in-time (JIT) VM access. You need to request access to VM1. Which PowerShell cmdlet should you run?

Answer 33

Start-AzJitNetworkAccessPolicy

Question 34

You have a storage account that contains multiple containers, blobs, queues, and tables. You need to create a key to allow an application to access only data from a given table in the storage account. Which authentication method should you use for the application?

Answer 34

service SAS

Question 35

You need to implement access control for Azure Files. The solution must provide the highest level of security. What should you use?

Answer 35

Microsoft Entra

Question 36

You need to allow only Microsoft Entra-authenticated principals to access an existing Azure SQL database. Which three actions should you perform? Each correct answer presents part of the solution.

Answer 36

Add a Microsoft Entra administrator. Assign your account the SQL Security Manager built-in role. Connect to the database by using the Azure portal.

Question 37

You have an Azure SQL Database server. You enable Microsoft Entra authentication for Azure SQL. You need to prevent other authentication methods from being used. Which command should you run?

Answer 37

az sql server ad-only-auth enable

Question 38

You have an Azure SQL Database server named Server1 that contains a database named DB1. You create an auditing policy for DB1. After a few weeks, you create five more databases in Server1. You then create a new auditing policy for Server1. You notice that auditing entries for DB1 are duplicated. You need to ensure that auditing entries for all existing and future databases are not duplicated. What should you do?

Answer 38

Disable auditing for DB1.

Question 39

You have an application that securely shares files hosted in Azure Blob storage to external users by using an account SAS. One of the SAS tokens is compromised. How should you stop the compromised SAS token from being used?

Answer 39

Regenerate the storage account access keys.