AZ-500: Microsoft Azure Security Technologies Practice Questions Part 3

You have to deploy a policy that ensures that the Microsoft Iaas Antimalware extension is installed on all Windows Servers. Below are snippets of the policy.

Which of the following goes into Slot2?

You have to configure an Azure Kubernetes cluster to connect to an Azure container registory. You need to ensure that the auto-generated service principal is used to authenticate to the Azure container registry. Which of the following would you do to fulfill requirements?

You have to configure an Azure policy as part of your subscription. You have to assign policies that need to push out or more resources.
Which of the following type of effect would require a managed identify for assignment purpose?

A company has an Azure SQL database created as part of their subscription. They want to implement the Always Encrypted” feature to encrypt a column within a table of the database. You have to decide on the key provider that can be used to implement the “Always Encrypted” feature.
You decide to use the BLOB services in an Azure Storage account.
Would this satisfy the requirement?

A company has an azure subscription in place. They have a storage account name ipspecialist2020 in the Azure subscription. They decide to provide the access to the storage account with the use of shared Access Signatures and Stored Access policies. They create several shared access signatures and provide access to the users to use the file and blob services via these signatures. Then they find that some unauthorized users can use both the file and blob services. They need to revoke all access to the storage account. They decide to regenerate the key that was used to generate the shared access signature. Would this resolve the underlying issue?

A company has an Azure SQL database created as part of their subscription. They want to implement the Always Encrypted” feature to encrypt a column within a table of the database. You have to decide on the key provider that can be used to implement the “Always Encrypted” feature.
You decide to use a Windows Certificate Store.
Would this satisfy the requirement?

A company has an Azure SQL database created as part of their subscription. They want to implement the Always Encrypted” feature to encrypt a column within a table of the database. You have to decide on the key provider that can be used to implement the “Always Encrypted” feature.
You decide to use an Azure Key Vault.
Would this satisfy the requirement?

A company has an Azure subscription and an Azure tenant. The company is planning to deploy a web application that will work with a CosmosDB account. The CosmosDB account will consist of a database that will be the back-end tier for the application. The web application will be deployed using the Azure Web App service.
Users will need to authenticate using their Azure AD account and access the CosmosDB account by using resource tokens.
Which of the following task would you implement for the web application for authentication purposes?

A company is planning to use Azure DevOps. They need to implement a method that would ensure that the code meets the defined quality and code review standards of the company. Which of the following would you implement for this requirement?

A company has a hybrid environment. They have the following users defined in their on-premise environment.
Name Part of Group
ipslabA Domain Admins
ipslabB Security Admins
ipslabC Enterprise Admins
ipslabD User Admins
The following users have been defined in Azure AD.
User Name Role
ipslabadminA Security administrator
ipslabadminB Global administrator
ipslabadminC Billing Administrator
ipslabadminD User Administrator
The company now wants to implement Azure AD Connect. You have to decide on the users who could be part of the implementation of Azure AD Connect. The implementation must use the principle of least privilege.
Who would be chosen to perform the implementation from the on-premise Active Directory side.

A company has a hybrid environment. They have the following users defined in their on-premise environment.
Name Part of Group
ipslabA Domain Admins
ipslabB Security Admins
ipslabC Enterprise Admins
ipslabD User Admins
The following users have been defined in Azure AD.
User Name Role
ipslabadminA Security administrator
ipslabadminB Global administrator
ipslabadminC Billing Administrator
ipslabadminD User Administrator
The company now wants to implement Azure AD Connect. You have to decide on the users who could be part of the implementation of Azure AD Connect. The implementation must use the principle of least privilege.
Who would be chosen to perform the implementation from the Active Directory side?

You need to create an alert rule in Azure Monitor. You need to ensure a set of users receive an email messages when the alert is triggered. Which of the following would you need to implement to ensure the users receive the email notification?

Your company currently has around 100 virtual machines defined as part of their subscription. They also have an Azure Log Analytics workplace defined as part of your subscription. All of the virtual machines run Windows Server 2016. All of the virtual machines are enrolled in the Log Analytics workspace. You have to deploy a System update assessment solution to the Log Analytics workspace. You have to ensure that the System Update Assessment related logs are uploaded to the Log Analytics workspace from the virtual machines only. Which of the following steps do you need to implement for this requirement? Choose three answers from the options given below.

Your currently have two virtual machines defined in your Azure subscription named ipslabvm1 and ipslabvm2. You have defined an alert on “All Administrative operations” on the “ipslabalert1-rg” resource group. You have also defined a suppress action rule on “ipslabvm1”, as shown below.

If you stop the virtual machine “ipslabvm1”, would an alert be triggered?

You currently have two virtual machines defined in your Azure subscription named ipslabvm1 and ipslabvm2. You have defined an alert on “All Administrative operations” on the “ipslab-rg” resource group. You have also defined a suppress action rule on “ipslabvm1”, as shown below.

If you stop the virtual machine “ipslabvm2”, would an alert be triggered?

You currently have two virtual machines defined in your Azure subscription named ipslabvm1 and ipslabvm2. You have defined an alert on “All Administrative operations” on the “ipslabalert1-rg” resource group. You have also defined a suppress action rule on “ipslabvm1”, as shown in above question.
If you add a tag to the resource group “ipslab-rg”. Would it trigger an alert?

A company has an Azure subscription and an Azure tenant. The company is planning to deploy a web application that will work with a CosmosDB account. The CosmosDB account will consist of a database that will be the back-end tier for the application. The web application will be deployed using the Azure Web App service.
Users will need to authenticate using their Azure AD account and access the CosmosDB account by using resource tokens.
Which of the following task would you implement for the CosmosDB account for authentication purposes?

Your network contains an on-premises Active Directory domain named corp.contoso.com.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You sync all on-premises identities to Azure AD.
You need to prevent users who have a givenName attribute that starts with TEST from being synced to Azure AD. The solution must minimize administrative effort.
What should you use?

Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active Directory (Azure AD) tenant.
You need to configure each subscription to have the same role assignments.
What should you use?

You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure SQL Database instance that is configured to support Azure AD authentication.
Database developers must connect to the database instance and authenticate by using their on-premises Active Directory account.
You need to ensure that developers can connect to the instance by using Microsoft SQL Server Management Studio. The solution must minimize authentication prompts.
Which authentication method should you recommend?

You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults.
You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment.
The name of the key vault and the name of the secret will be provided as inline parameters.
What should you use to construct the resource ID?

You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?

You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the auto-generated service principal to authenticate to the Azure Container Registry.
What should you create?

From Azure Security Center, you create a custom alert rule.
You need to configure which users will receive an email message when the alert is triggered.
What should you do?

You have to create an Azure Key Vault as part of your company’s subscription. You are asked to ensure that protection against the immediate deletion of any object is deleted from the Key Vault. And deleted object from a KeyVaulue should be retained for 90 days.
You need to complete the below PowerShell cmdlet for this purpose.

Which of the following would go into Slot1?

You have to create an Azure Key Vault as part of your company’s subscription. You have to ensure that any object deleted from the Key Vault is retained for 90 days.
You need to complete the below PowerShell cmdlet for this purpose.

Which of the following would go into Slot2?

A company has an on-premise data center and an Azure subscription. An Azure SQL database is in place that supports Azure AD authentication. The database developers need to authenticate to the database using Microsoft SQL Server Management Studio. They need to authenticate using their on-premise Active Directory account. They also want to ensure that the solution minimizes the authentication prompts. Which of the following authentication type should they use in Microsoft SQL Server Management Studio to connect?

Your company has an Azure subscription. An Azure storage account and an Azure Keyvault have been created as part of the subscription. The company wants to use an Azure automation runbook. It would be used to rotate the keys of the storage account and store them in the key vault. You need to implement the pre-requisites to ensure that the runbook can be implemented. Which of the following actions would you need to perform for this?
Choose four answers from the options given below.

Your company I planning to implement conditional access policies. You have to implement the policies based on the existing risk events available for Azure AD. You have to identify the risk level for the following events defined for Azure AD.
• Users with leaked credentials
• Sign-ins from anonymous IP addresses
• Impossible travels to atypical locations
• Sign-in from unfamiliar locations
Which of the following is the risk level associated with the following risk event? “Sign-ins from anonymous IP addresses”.

A company has an azure subscription in place. They have a storage account name ipspecialist2020 in the Azure subscription. They decide to provide the access to the storage account with the use of shared Access Signatures and Stored Access policies. They create several shared access signatures and provide access to the users to use the file and blob services via these signatures. In the report, they can find some unauthorized users can use both the file and blob services. They decide to revoke all access to the storage account and deploy a new stored access policy. Would this resolve the underlying issue?

A company currently has an on-premise forest defined via Active Directory. The forest contain a domain named ipspecialist.com. they have set up an Azure subscription. They want to deploy Azure AD Connect to integrate their on-premise Active Directory domain with Azure AD. They have the following key requirements.
• Ensure that password policies are applied to user accounts that are synced to Azure AD.
• Ensure that login restrictions are applied to user accounts that are synced to Azure AD.
• Minimize the number of servers required for the entire implementation.
Which of the following would you consider for the implementation?

You have an AURE SQL Database created as part of your subscription. You decide to turn on Advanced Threat Protection for the DQL database instance, which of the following would be detected as a threat?

A company has an Azure AD tenant named “ipspecialist.com”. The tenant consist of the following users.

The following access review has been configured.

What will happen if the user ipspecialistC fails to complete a review by 30th November 2019?

Your company I planning to implement conditional access policies. You have to implement the policies based on the existing risk events available for Azure AD. You have to identify the risk level for the following events defined for Azure AD.
• Users with leaked credentials
• Sign-ins from anonymous IP addresses
• Impossible travels to atypical location
• Sign-in from unfamiliar locations
Which of the following is the risk level associated with the following risk event? “Impossible travels to atypical locations”.

Your company I planning to implement conditional access policies. You have to implement the policies based on the existing risk events available for Azure AD. You have to identify the risk level for the following events defined for Azure AD.
• Users with leaked credentials
• Sign-ins from anonymous IP addresses
• Impossible travels to atypical locations
• Sign-in from unfamiliar locations
• Which of the following is the risk level associated with the following risk event? “Sign-in from unfamiliar locations”.

A company has an Azure AD tenant named “ipspecialist.com”. The tenant consist of the following users.

The following access review has been configured.

For whom would ipspecialistA be able to perform a review?

A company has an Azure Subscription that has the following virtual machines.
Name Resource Group Status
ipsvm1 ipslab1 Running
ipsvm2 ipslab2 Running
The following policies are then added to the subscription.
Policy Definition Resource Type Scope
Not allowed resource types Virtual machines ipslab1
Allowed resource types Virtual machines ipslab2
You also create the following resource locks.
Name Type Created On
vmlock Read-onlysnip ipslab1
grouplock Read-only Ipslab2
Would you be able to stop ipsvm1?

A company has an Azure Subscription that has the following virtual machines.
Name Resource Group Status
ipsvm1 ipslab1 Running
ipsvm2 ipslab2 Running

The following policies are then added to the subscription.
Policy Definition Resource Type Scope
Not allowed resource types Virtual machines ipslab1
Allowed resource types Virtual machines ipslab2
You also create the following resource locks.

Name Type Created On
vmlock Read-only ipslab1
grouplock Read-only Ipslab2
Would you be able to stop ipsvm2?

A company has an Azure Subscription that has the following virtual machines.
Name Resource Group Status
ipsvm1 ipslab1 Running
ipsvm2 ipslab2 Running
The following policies are then added to the subscription.
Policy Definition Resource Type Scope
Not allowed resource types Virtual machines ipslab1
Allowed resource types Virtual machines ipslab2
You also create the following resource locks.
Name Type Created On
vmlock Read-only ipsvm1
grouplock Read-only Ipslab2
Would you be able to stop ipslab1?

A company has an Azure Subscription that has the following virtual machines.
Name Resource Group Status
ipsvm1 ipslab1 Running
ipsvm2 ipslab2 Running
The following policies are then added to the subscription.

Policy Definition Resource Type Scope
Not allowed resource types Virtual machines ipslab1
Allowed resource types Virtual machines ipslab2
You also create the following resource locks.
Name Type Created On
vmlock Read-only ipslab1
grouplock Read-only Ipslab2

Would you be able to stop iipslab2?

Your company currently has a subscription and an Azure AD tenant named ipspecialist.com. you are currently the global administrator for the tenant. You have been asked to create a custom sensitivity label in Azure Security Center. What would you need to do first to accomplish this requirement?

You are configuring and securing a network environment.
You deploy an Azure virtual machine named VM1 that is configured to analyze network traffic.
You need to ensure that all network traffic is routed through VM1.
What should you configure?

You have 15 Azure virtual machines in a resource group named RG1.
All virtual machines run identical applications.
You need to prevent unauthorized applications and malware from running on the virtual machines.
What should you do?

You have an Azure subscription named Sub1.In Azure Security Center, you have a security playbook named Play1. Play1 is configured to send an email message to a user named User1.
You need to modify Play1 to send email messages to a distribution group named Alerts.

A company has an azure subscription and an azure tenant. The company is planning to deploy a web application that will work with a CosmosDB account will consist of a database that will be the back-end tier for the application. The web application will be deployed sing the Azure Web App service.
Users will need to authenticate using their Azure AD Account and access the CosmosDB account by using resource tokens.
Which of the following task would you implement for the Cosmos DB account for authentication purposes?

Your company has created an Azure key vault named ”ipslabvault”. They want to delegate administrative access to the key vault. The access has to follow the below requirements for a set of users.
Users Types of access
ipslabA Allow the user to set advanced access policies for the key vault
iPSlabB Allow the user to add and delete certificates in the key vault.

You have to choose the right implementation method to provide the required access to the users. You also have to use the principle of least privilege.
Which of the following would you use to ensure that the right level of access is provided to the user “ipslabA”?

You have to configure an Azure policy as part of your subscription. You have to assign policies that need to push out one or more resources.
Which of the following type of effect would require a managed identity for assignment purpose?

How would you ensure that the following requirement is fulfilled?
“All users and devices located in the New York office must be members of ipslabgrp1.”

The company wants to implement just in time access for ips lab vm1. The company decide to upgrade the Azure Security Center.
Is this required implement just in time access for this VM?

You currently have two virtual machines defined in your Azure subscription as shown below.
You’ve defined an alert on ”all administrative operations” on the “ipslabs-rg” resource.
You also have defined a suppress action rule on “ipsvm1”.
If you add a tag to the resource group “ipslab-rg”, would it trigger an alert?

Your company has a set of 50 Windows Azure virtual machines. They all run Windows Server 2016. You have to automate the deployment of the Log Analytics virtual machine extension on the virtual machines.
You have to complete the below Azure Resources Manager template snipper for the requirement.
Which of the following would go into slot2?

A company has a resource group that contains Virtual Machines, Virtual Networks and storage accounts. You have to delegate access to a user with the following privileges to the resource group.
• Ability to manage the virtual machines
• Not have access to the virtual machines themselves.
• Not have access to virtual networks or storage accounts in the resource groups
You need to assign the least privilege principle role for the user. Which of the following could be assigned to the user?

Your company has defined a set of virtual machines as part of their subscription. The company currently has Azure P2 premium license for their users. They are using the Standard version of Azure Security center.
They went to enable Just in Time access for the virtual machines. They want to ensure that the solution minimizes costs.
Which of the following Role-Based Access actions need to be allowed for a user that would request for Just-in-Time access to a virtual machine? Choose to answer from the options below.

A company currently has several subscription. They are all associated with the same Azure AD tenant. You have to ensure that all subscriptions have the same role assignments. How can this be done effectively?

Your company has a set of virtual machines set up Azure. Thy want to ensure that IT administrators can request for access they want to connect to the virtual machine. Which of the following could be used to fulfill this equirement?

You need to fulfill the below requirement.
Users who log into the Azure Portal from untrusted locations need to authenticate using multi-factor authentication.
Which of the following would you use to fulfill the requirement?

You have an Azure storage account named ”ipsstore2020”. You go ahead and create the following shared access signature.
If key1 for the storage account is rotated, can a user using the Azure storage explorer from a workstation with an IP address of 12.10.10.100 on 10th September 2019 access the Blob service?

A company has an Azure subscription. They have around 50 virtual machines defined as part of the subscription. Azure Diagnostics have been enabled on all of the virtual machines.
• Identify the user who stopped the virtual machine the previous work
• Query the security events for the virtual machines.
Which of the following would you use in azure monitor for the following requirements?
“Query the security events for the virtual machines”.

A company has a set of Azure subscriptions. They want to transfer billing ownership of a subscription to another Azure Account owner.
Which of the following can be used to transfer the billing ownership of the subscription?

Your company has defined a set of virtual machines as part of their subscription. The company currently has Azure P2 Premium licenses for their users. They are using the Standard version of Azure Security Center.
They want to enable Just in time access for the virtual machines. They want to ensure that the solution minimizes costs.
Which of the following Role-Based Access actions need to be allowed for a user that would request for Just-in-time access to a virtual machine? Select two answers from the options given below.