AZ-500: Microsoft Azure Security Technologies Practice Questions Part 2

You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ConReg1.You enable content trust for ContReg1.You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege.Which two roles should you assign to User1? Each correct answer presents part of the solution.

Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory Azure (Azure AD) tenant named ips.com. The company develops a mobile application named App1. App1 uses the OAuth 2 implicit grant type to acquire Azure AD access tokens. You need to register App1 in Azure AD.
What information should you obtain from the developer to register the application?

You have an Azure SQL Database server named SQL1.You plan to turn on Advanced Threat Protection for SQL1 to detect all threat detection types
Which action will Advanced Threat Protection detect as a threat?

A company has a set of Azure subscriptions. They want to transfer the ownership of a subscription to another Azure AD tenant. What should be the role of the user who would be able to transfer the subscription?

A company has a set of Azure subscription. They want to transfer billing ownership of a subscription to another Azure Account owner. Which of the following can be used to transfer the billing ownership of the subscription?

A company currently has an on-premise setup and an Azure AD subscription. They have deployed an HDInsigh cluster within an Azure virtual network. They need to allow users to use their on-premise Active. Directory credentials to authenticate to the cluster. You need to configure the environment to ensure the authentication is made possible. You decide to deploy an on-premise data gateway. Would this fulfill the requirement?

A company currently has an on-premise setup and an Azure AD subscription. They have deployed an HDInsight cluster within an Azure Virtual network. They need to allow users to use their on-premise Active Directory credentials to authenticate the cluster.
You need to configure the environment to ensure the authentication is made possible.
You decide to deploy a site-to-site VPN connection.
Would this fulfill the requirement?

A company currently has an on-premise setup and an Azure AD subscription. They have deployed an HDInsight cluster within an Azure Virtual network. They need to allow users to use their on-premise Active Directory credentials to authenticate the cluster.
You need to configure the environment to ensure the authentication is made possible.
You decide to implement Role-Based Access Control.
Would this fulfill the requirement?

A company currently has an on-premise forest defined via Active Directory. The forest contains a domain named ips.com. They have setup an Azure subscription. They want to deploy Azure AD Connect to integrate their on-premise Active Directory domain with Azure AD. They need to prevent users who have a givenName attribute that starts with “TST” from being synced to Azure AD.
Which of the following should they use to fulfill this requirement?

A company has an Azure AD tenant named”ips.com”. The Azure AD tenant has the following users defined.

The company creates and enforces an Azure AD identify Protection user risk policy that has the following settings-
• The risk policy is applied to include group “ipsgroupA” and exclude “ipsgroupB”.
• The conditions use a sign-in risk of Meduim or above.
• The access is mentiones to “Allow access” and requires a password change.
If the user “ipslabA” signs in from an unfamiliar location, would the user be required to change the password?

A company has an Azure AD tenant named ”ips.com”. The Azure AD tenant has the following users defined.

The company creates and enforces an Azure AD identify Protection user risk policy that has the following settings-
• The risk policy is applied to include group “ipsgroupA” and exclude “ipsgroupB”.
• The conditions use a sign-in risk of Medium or above.
• The access is mentioned to “Allow access” and requires a password change.
If the user “ipslabB” signs in from an anonymous IP address, would the user be required to change the password?

A company has an Azure AD tenant named ”ips.com”. The Azure AD tenant has the following users defined.

The company creates and enforces an Azure AD identify Protection user risk policy that has the following settings-
• The risk policy is applied to include group “ipsgroupA” and exclude “ipsgroupB”.
• The conditions use a sign-in risk of Medium or above.
• The access is mentioned to “Allow access” and requires a password change.
If the user “ipslabC” signs in from a computer that contains malware,, would the user be required to change the password?

You have to configure access reviews for a company. You have to configure a review that would be assigned to a new collection of reviews. The reviews would be evaluated by resource owners. Which of the following three options would you implement for this requirement?

A company has an Azure AD subscription. They need to use Privilleged identity Management to secure Azure AD roles.
Which of the following steps need to be implemented for this requirement?
Choose three answers from the options given below

A company has two offices and all users are defined in active Directory Domain service running at Ohio office Data Center these offices connects to the internet via NAT devices. The offices use the following IP address.

The company has two users defines in their Azure AD tenant, as shown below.

The user ipslabB is trying signs into Azure portal from the Ohio office. Will the user ipslabB be prompted to authenticated by MFA devices?

A company has two offices. These offices connects to the internet via NAT devices. The offices use the following IP address.

The company has two users defines in their Azure AD tenant, as shown below

If the user ipslabusrB signs into Azure from the North Virginia office, then the user must be authenticated by using a phone

Your team has an Azure Container registry named ipslabregistry. The following role assignments have been put in place.

User Role
ipslabusrA AcrPush
ipslabusrB Acrpull
ipslabusrC AcrImageSigner
ipslabusrD Contributor

Which of the following users can upload images to the container registry?

Your team has an Azure Container registry named ipslabregistry. The following role assignments have been put in place.

User Role
ipslabusrA AcrPush
ipslabusrB Acrpull
ipslabusrC AcrImageSigner
IpslabusrD Contributor

Which of the following users can download images from the conatainer registry?

A company has two offices. These offices connects to the internet via NAT devices. The offices use the following IP address.

Location IP address space Public NAT segment
Ohio 10.112.0.0/16 180.10.1.0/24
North Virginia 172.16.0.0/16 190.20.2.0/24

The company has two users defines in their Azure AD tenant,as shown below
Name Multi-factor authentication status
ipslabusrA Enabled
ipslabusrB Enforced

If the user ipslabusrB signs into Azure from the North Virginia office, then the user must be authenticated by using a phone

A company has a set of virtual machines defined in Azure. The company wants to use the Update Management solution for Azure.
The virtual machines defined in Azure are given below.

Two update deployments named ipslabupdate1 and ipslabupdate2 have been created ipslabupdate ipsupdate1 is being used to update ipslabvm3 ipslabupdate2 is being used to update ipslabvm6.
Which of the following additional virtual machines can be updated with the help of ipslabupdate6?

A company has a virtual network defined in Azure. The network contains one subnet. On the subnet, the following virtual machines have been provisioned.

Currently there are no networks security groups. Network security groups now need to be implemented with the following requirements-
• Allow traffic from the internet to ipslamvm1 and ipslabvm2 only
• Allow traffic to ipslabvm3 from ipslabvm4
• Minimize the number of network security groups and network security rules

What is the minimum number of network security groups required?

A company has a virtual network defined in Azure. The network contains one subnet. On the subnet, the following virtual machines have been provisioned.

Currently ther are no networks security groups. Network security groups now need to be implemented with the following requirements-
• Allow traffic from the internet to ipslamvm1 and ipslabvm2 only
• Allow traffic to ipslabvm3 from ipslabvm4
• Minimize the number of network security groups and network security rules
What is the minimum number of network security groups required?

Your company has created an Azure Key Vault named ”ipslabvault”. They want to delegate administrative access to the key vault. The access has to follow the below requirements for a set of users.
User Type Of Access
IpslabusrA Allow the user to set advanced access policies for the key vault.
IpslabusrB Allow the user to add and delete certificates in the key vault.

You have to choose the right implementation method to provide the required access to the users. You also have to choose the principle pf least privilege.
Which of the following would you use to ensure that the right level of access is provided to the user “ipslabusrA”.

Your company has created an Azure Key Vault named ”ipslabvault”. They want to delegate administrative access to the key vault. The access has to follow the below requirements for a set of users.
User Type Of Access
IpslabusrA Allow the user to set advanced access policies for the key vault.
IpslabusrB Allow the user to add and delete certificates in the key vault.
You have to choose the right implementation method to provide the required access to the users. You also have to choose the principle pf least privilege.
Which of the following would you use to ensure that the right level of access is provided to the user “ipslabusrA”.

A company has the following two virtual machines defined in Azure.
Name Window Operating Systems Type Tier Region
Ipslabvm1 Systems Server 2008 R2 A3 Standard East US
Ipslabvm2 Ubuntu 16.04-DAILY-LTS L4s Basic West US

The company wants to enable Azure disk encryption on both virtual machines. They go ahead and deploy an Azure Key Vault for this purpose.
Which of the following needs to be done on ipslabvm1 to enable Azure disk encryption?

A company has the following two virtual machines defined in Azure.
Name Window Operating Systems Type Tier Region
Ipslabvm1 Systems Server 2008 R2 A3 Standard East US
Ipslabvm2 Ubuntu 16.04-DAILY-LTS L4s Basic West US

The company wants to enable Azure disk encryption on both virtual machines. They go ahead and deploy an Azure Key Vault for this purpose.
Which of the following needs to be done on ipslabvm1 to enable Azure disk encryption?

A team has deployed a Kubernetes cluster to Azure in a staging environment. The cluster now needs to be deployed to a production environment. You have to implement application routing that would provide reverse proxy and TLS termination for Azure Kubernetes services using a single IP address.
Which of the following would you implement for this requirement?

Your company has a set of 50 Windows Azure virtual machines. They all run Windows Server 2016. You have to automate the deployment of the Log Analystic virtual machines extension on the virtual machines. You have to complete the below Azure Resource Manager template snippet for requirement.
Which of the following would go into Slot 1?

Your company has a set of 50 Windows Azure virtual machines. They all run Windows Sever 2016. You have to automate the deployment of the Log Analytics virtual machine extension on the virtual machines. You have to complete the below Azure Resource Manager template snippet for requirement?
Which of the following would go into Slot 1?

A company needs to create a custom alert rule in Azure Sentinel. Which of the following actions needs to be performed for this requirement?

A company has an Azure subscription with a log analytic workspace named “ipslabworkspace”. This workspace has been configured to collect security-related performance counters from around 20 on premise servers. The servers run either Windows Server 2012 R2 or Windows Server 2016. You have to configure alerts based on the data collected in the workspace. The solution must fulfill the following requirements.

• All alerts rules must supports dimension
• Alert notification should be generated only once
• The time required to generate an alert should be minimized
Which of the following would you use as the single type for the alert rules?

A company has an azure subscription. They have around 50 virtual machines defined as part of the subscription. Azure Diagnostic have been enabled on all of the virtual machines. You have to get following details with regard to the virtual machines
• Identity the user who stopped the virtual machine the previous week.
• Query the security events for the virtual machines.
Which of the following would you use in Azure Monitor for the following requirements?

A company has an azure subscription. They have around 50 virtual machines defined as part of the subscription. Azure Diagnostic have been enabled on all of the virtual machines.
You have to get following details with regard to the virtual machines
• Identity the user who stopped the virtual machine the previous week.
• Query the security events for the virtual machines.
Which of the following would you use in Azure Monitor for the following requirements?

Your company=y is developing an application is currently registered in Azure AD. You have to ensure that the application can access secrets in Azure key vault on behalf of the application user. How should you configure the application access in Azure AD?

A company needs to set up an Azure Kubernetes cluster. This cluster would interact with the Azure container registry to download the container images. You need to ensure that Azure Active Directory Identity Protection. Would this fulfil the requirements?

A company need to det up an Azure Kuberneted cluster. This cluster would interact with the Azure container registry to download the container images. You need to ensure that Azure Kubernetes cluster can interact with the Azure container registry. You decide to create an Azure AD service principal. Would you fulfil the requirements?

A company has a set of virtual machines defined in Azure. The company wants to use the Update Management solution for Azure.
The virtual machines defined in Azure are given below.
Name Operating System Region Resource Group
Ipslabvm1 Windows Server 2012 East Ipsgrp1
Ipslabvm2 Windows server 2012 R2 West Ipsgrp2
Ipslabvm3 Windows Server 2016 West Ipsgrp2
Ipslabvm4 Ubuntu Server 18.04 LTS East Ipsgrp1
Ipslabvm5 Red Hat Enterprise Linux 7.4 East Ipsgrp1
Ipslabvm6 CentOS 7.5 West Ipsgrp2

Two update deployments named ipslabupdate1 and ipslabupdate2 have been created. Ipslabupdate is being used to update ipslabvm3 and ipslabupdate2 is being used to update ipslabvm6.
Which of the following additional virtual machines can be updated with the help of ipslabupdate2?

A company need to set up an Azure Kubernetes cluster. This cluster would interact with the Azure container registry to download the container images. You need to ensure that Azure Kubernetes cluster can interact with the Azure container registry. You decide to create an Azure AD service principal. Would you fulfil the requirements?

Your company wants to implement an Azure policy that would used to enforce a tag and its value on resource groups.
you have to complete the below snippet of the policy.
Which of the following would go into Slot 1?

Your company wants to implement an Azure policy that would used to enforce a tag and its value on resource groups. You have to complete the below snippet of the policy.
Which of the following 2ould go into slot 1?

A company has a resource group that contains Virtual Machines, Virtual Networks and storage accounts. You have to delegate access to a use with the following privileges to the resource group.
• Ability to manage the virtual machine
• Not have access to the virtual machine themselves
• Not have access to virtual network or storage accounts in the source group.
You need to assign the least privilege principle role for the user. Which of the following could be assigned to the user?

Your company has an Azure subscription that has the following vaults defined.
Name Region Resource Group
Ipslabvault1 West Europe Ipslab-rg
Ipslabvault2 East US Ipslab-rg
Ipslabvault3 West Europe Ipslab-staging
Ipslabvault4 East US Ipslab-taging
You need to enable disk encryption on the Azure virtual machine. Which of the following vaults could e used for the encryption process?

You have an Azure subscription that contains an Azure key vault named Vault1.In Vault1, you create a secret named Secret1.An application developer registers an application in Azure Active Directory (Azure AD).You need to ensure that the application can use Secret1.
What should you do?

You have an Azure SQL database. You implement Always Encrypted.
You need to ensure that application developers can retrieve and decrypt data in the database.
Which two pieces of information should you provide to the developers? Each correct answer presents part of the solution.

You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize authentication prompts.
Which authentication method should you instruct the developers to use?

You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network traffic to an Azure Storage account.
Which two actions should you perform?

You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1. You have 100 on-premises servers that run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LAW1. LAW1 is configured to collect security-related performance counters from the connected servers.
You need to configure alerts based on the data collected by LAW1. The solution must meet the following requirements:
– Alert rules must support dimensions.
– The time it takes to generate an alert must be minimized.
– Alert notifications must be generated only once when the alert is generated and once when the alert is resolved.
Which signal type should you use when you create the alert rules?

You create a new Azure subscription. You need to ensure that you can create custom alert rules in Azure Security Center. Which two actions should you perform?

You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?

From Azure Security Center, you create a custom alert rule.
You need to configure which users will receive an email message when the alert is triggered. What should you do?

A team is planning to deploy a virtual machine named ipsvm to an azure subscription. The virtual machine will be created in a virtual network named “ipvm-network”. The virtual network contains a subset named “default”. A service endpoint has been created for the subset. The azure virtual machine will be used in host Docker containers. You have to ensure that the containers can access Azure Storage resources and azure SQL databases using the service endpoint. Which of the be done to fulfill this requirement?

A company currently uses Azure Resources Manager templates to deploy Azure virtual machines. They want to ensure that all unused Windows features are automatically disabled on the provisioned virtual machines. Which of the following would you use to fulfil this requirement?

A company has the following virtual networks defined in Azure.

The virtual machines created in SubnetB can communicate with computers on the on-premise network. Peering has been successfully established VNet ipspecialistVM and VNet ipspecialistVnet.
The company now wants to deploy Azure firewall to ipspelistVM. The following route tables have been created.
• Ipslab1- this includes a user defined route that points tonthe private IP address of the Azure Firewall as the next-hop address.
• Ipslab2- this disables “Propogate gateway routes” and defines the private IP address of the Azure Firewall as the default gateway.
You have to ensure that traffic from SubnetB and on-premise network flows through the Azure firewall.
Which of the following would you associate the route table “ipslab1”?

A company has the following virtual networks defined in Azure.

Thw virtual machines created in SubnetB can communicate with computers on the on-premise network. Peering has been successfully established between VNet ipspecialistVM and VNet ipspecialistVnet.
The company now wants to deploy Azure firewall to ipspelistVM. The following route tables have been created.
• Ipslab1- this includes a user defined route that points to the private IP address of the Azure Firewall as the next-hop address.
• Ipslab2- This disables BGP rpute propagation and defines the private IP address of the Azure Firewall as the default gateway.
You have to ensure that traffic from SubnetB and on-premise network flows through the Azure firewall.
Which of the following would you associate the route table “ipslab2”?

You have to deploy a policy that ensures that the Microsoft Iaas Antimalware extension is installed on all Windows Servers. Below are snippets of the policy.

Which of the following goes into Slot1?

A company has an azure subscription in place. They have a storage account name ipspecialist2020 in the Azure subscription. They decide to provide the access to the storage account with the use of shared Access Signatures and Stored Access policies. They create several shared access signatures and provide access to the users to use the file and blob services via these signatures. Then they find that unauthorized users can use both the file and blob services. They need to revoke all access in storage account. They decide to generate new Access Storage Signatures. Would this resolve the underlying issue?

In Azure Security Center, a playbook has been configured. The playbook needs to be modified to send email messages to a distribution group named “ipspecialist”. Which of the following would you need to modify in the playbook for this requirement.

You have to deploy a policy that ensures that the Microsoft Iaas Antimalware extension is installed on all Windows Servers. Below are snippets of the policy.

Which of the following goes into Slot2?

A company has an Azure tenant in place named ipspecialist.com. the company wants to deploy a service named “ipslab” that would run on a virtual machine running Windows Server 2016. The service needs to authenticate to the tenant and access Microsoft Graph to read the directory data. You need to delegate the minimum required permissions for the service.
Which of the following steps would you perform in Azure?
Choose 3 answers from the below options.

A company is planning to develop a mobile application. The application will be using the OAuth2 implicit grant type to get Azure AD access tokens.
The application needs to be registered in Azure AD.
Which of the following is required to register the application in Azure AD?