Microsoft Azure AZ-500 Certification Exam Practice Tests

Microsoft AZ-500 Exam Practice Set -01 - Results

Question 1: Skipped
Case Study
Overview -

Contoso, Ltd. is a consulting company that has a main office in Montreal and two
branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are
associated with an Azure Active Directory (Azure AD) tenant named contoso.com.

Existing Environment -

Azure AD -
Contoso.com contains the users shown in the following table.
[table image]
Contoso.com contains the security groups shown in the following table.
[table image]

Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
[table image]
Sub1 contains the locks shown in the following table.
[table image]
Sub1 contains the Azure policies shown in the following table.
[table image]

Sub2 -
Sub2 contains the virtual networks shown in the following table.
[table image]
Sub2 contains the virtual machines shown in the following table.
[table image]
All virtual machines have public IP addresses and the Web Server (IIS) role installed.
The firewalls for each virtual machine allow ping requests and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.
[table image]
NSG1 has the inbound security rules shown in the following table.
[table image]
NSG2 has the inbound security rules shown in the following table.
[table image]
NSG3 has the inbound security rules shown in the following table.
[table image]
NSG4 has the inbound security rules shown in the following table.
[table image]
NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the
following table.
[table image]

Technical requirements -

Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.
Question
You need to meet the technical requirements for VNetwork1.
What should you do first?

Create a new subnet on VNetwork1.

(Correct)

Remove the NSGs from Subnet11 and Subnet13.

Associate an NSG to Subnet12.

Configure DDoS protection for VNetwork1.


Explanation
Correct answer is A.
From scenario: Deploy Azure Firewall to VNetwork1 in Sub2.
-----------------
Azure Firewall needs a dedicated subnet named AzureFirewallSubnet.
VNetwork1 does not have a subnet for Azure Firewall, so the first step is to create a new
subnet on VNetwork1 named exactly AzureFirewallSubnet.
For more info :
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
Question 2: Skipped
Case Study: same scenario as in Question 1.
Question
You assign User8 the Owner role for RG4, RG5, and RG6.
In which resource groups can User8 create virtual networks and NSGs? To answer,
select the appropriate options in the answer area.

Dropdown1 : RG4 only


Dropdown2 : RG4, RG5 and RG6.

Dropdown1 : RG6 only


Dropdown2 : RG4 and RG6 only.

(Correct)

Dropdown1 : RG4 and RG6 only.


Dropdown2 : RG4 and RG5 only.

Dropdown1 : RG4 and RG6 only.


Dropdown2 : RG4 only.
Explanation
Correct answer is B.
Please keep a note of this :
Allowed resource types (Deny): Defines the resource types that you can deploy. Its effect is
to deny all resources that aren't part of this defined list.
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
For more info : https://docs.microsoft.com/en-us/azure/governance/policy/overview#azure-policy-objects
Based on the above understanding and the information given in the question, here is the conclusion -
RG4 ==> The only resource type allowed is NSG; all other resource types (including VNET) cannot
be deployed.
Hence a VNET can't be created but an NSG can be created in this resource group.
RG5 ==> NSGs and subnets are not allowed, but all other resource types can be deployed. Strangely,
you can create a VNET in RG5 with the default subnet but cannot add a subnet to the newly
created VNET or to an existing VNET.
Hence a VNET can be created but an NSG can't be created in this resource group.
RG6 ==> VNET peerings are not allowed, but all other resource types can be deployed.
Hence both a VNET and an NSG can be created in this resource group.
Therefore the correct answer is -
Dropdown1 : RG6 only
Dropdown2 : RG4 and RG6 only.
Question 3: Skipped
Case Study: same scenario as in Question 1.
Question
You are evaluating the security of the network communication between the virtual
machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

Yes
Yes
Yes

No
No
Yes

No
Yes
No

No
Yes
Yes
(Correct)

Explanation
Correct answer is D.
Statement 1 : No
VM1 and VM2 are both in Subnet11, so the default rules allow them to communicate
within the same VNET/subnet using their PRIVATE IP addresses, which is not the same as pinging
through a PUBLIC IP address.
Traffic to the public IP would come from the INTERNET tag to VM2. VM2 has two NSGs
associated with it (one at the NIC and one at the subnet), and neither has a rule allowing
ICMP traffic, so the traffic would be dropped at the subnet and never reach the NSG
associated with the NIC.
To be able to ping the public IP of a VM, that VM must have an NSG that allows ICMP
traffic from the Internet. Here NSG2 doesn't have that, but NSG4 does have a rule allowing any
inbound traffic from anywhere, including the Internet.
Statement 2 : Yes
VM1 and VM3 are in the same virtual network but different subnets, so the default rules allow them to
communicate within the same VNET using their PRIVATE IP addresses, as there is
no NSG associated with VM3.
Statement 3 : Yes
VM1 and VM5 are in different subnets and different virtual networks, so the default rules don't
allow them to communicate using their PRIVATE or PUBLIC IP addresses. But NSG4
is attached to VM5, and it allows everything, i.e. ALL traffic from any source to
any destination. This is like having no inbound NSG, so the traffic is allowed. Hence the public IP
of VM5 can be pinged from VM1.
Question 4: Skipped
Case Study: same scenario as in Question 1.
Question

You are evaluating the effect of the application security groups on the network
communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

No
No
Yes

Yes
Yes
Yes

No
Yes
Yes

(Correct)

No
Yes
No
Explanation
Correct answer is C.
Statement 1 : No
VM4 is in Subnet13, which has NSG3 attached to it.
VM1 is in ASG1. NSG3 only allows ICMP pings from ASG2, not from ASG1; only TCP
traffic is allowed from ASG1. Hence you can't ping VM4 from VM1.
Statement 2 : Yes
VM2 is in ASG2. Any protocol is allowed from ASG2, so an ICMP ping would be allowed.
Statement 3 : Yes
VM1 is in ASG1. TCP traffic is allowed from ASG1, so VM1 can connect to the web server,
as connections to the web server would be on TCP port 80 or TCP port 443.
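The NSG evaluation behind Questions 3 and 4 (subnet NSG before NIC NSG, lowest priority number first, default rules last, Internet vs. VirtualNetwork sources, ASG membership), as an added Python simulation that is not part of the practice test or of any Microsoft code. The rule sets for NSG2, NSG3 and NSG4 are constructed to match what the explanations say, since the exam's own tables are images; the DenyAllOther rule in NSG3 is an assumption the scenario needs, because without it the default AllowVnetInBound rule would let ASG1 ping VM4.

```python
# Simulated Azure NSG inbound evaluation for the Sub2 ping/HTTP scenarios.
# Constructed example: NSG2/NSG3/NSG4 rule sets are invented to match the
# explanations for Questions 3 and 4, not copied from the exam tables.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    priority: int     # lower number is evaluated first
    name: str
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # service tag, ASG name or "*" (CIDR matching omitted)
    dest_port: str    # port number or "*"

@dataclass(frozen=True)
class Nsg:
    name: str
    rules: tuple      # custom inbound rules

@dataclass(frozen=True)
class Packet:
    protocol: str
    source_tags: frozenset   # every tag the source satisfies, e.g. {"Internet"}
    dest_port: str           # "*" for ICMP, which has no ports

# Azure's built-in inbound default rules (real names and priorities).
DEFAULT_INBOUND = (
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.protocol == "*" or rule.protocol == pkt.protocol)
            and (rule.source == "*" or rule.source in pkt.source_tags)
            and (rule.dest_port == "*" or rule.dest_port == pkt.dest_port))

def evaluate_nsg(nsg: Nsg, pkt: Packet) -> Tuple[bool, str]:
    """First matching rule in priority order decides; DenyAllInBound always matches last."""
    for rule in sorted(nsg.rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access == "Allow", f"{nsg.name}/{rule.name}"
    raise AssertionError("DenyAllInBound should have matched")

def inbound_allowed(pkt: Packet, subnet_nsg: Optional[Nsg],
                    nic_nsg: Optional[Nsg]) -> Tuple[bool, str]:
    """The subnet NSG is evaluated before the NIC NSG and both must allow the packet."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None:
            ok, why = evaluate_nsg(nsg, pkt)
            if not ok:
                return False, why
    return True, "allowed"

# Constructed rule sets (assumptions) matching the explanations above.
NSG2 = Nsg("NSG2", (Rule(100, "AllowHttpFromInternet", "Allow", "Tcp", "Internet", "80"),))
NSG3 = Nsg("NSG3", (
    Rule(100, "AllowIcmpFromASG2", "Allow", "Icmp", "ASG2", "*"),
    Rule(110, "AllowTcpFromASG1", "Allow", "Tcp", "ASG1", "*"),
    # Assumed custom deny: without it the default AllowVnetInBound (65000) would
    # still let ASG1 ping VM4, because ASG members are also VirtualNetwork sources.
    Rule(4096, "DenyAllOther", "Deny", "*", "*", "*"),
))
NSG4 = Nsg("NSG4", (Rule(100, "AllowAnything", "Allow", "*", "*", "*"),))

def internet_source() -> frozenset:
    # Traffic sent to a public IP arrives tagged Internet, never VirtualNetwork.
    return frozenset({"Internet"})

def vnet_source(asg: str) -> frozenset:
    # Private-IP traffic inside the VNet carries VirtualNetwork plus the sender's ASG.
    return frozenset({"VirtualNetwork", asg})

def sub2_scenarios() -> dict:
    def ping(tags): return Packet("Icmp", tags, "*")
    def http(tags): return Packet("Tcp", tags, "80")
    return {
        # Q3: VM1 -> VM2 public IP: Internet source, no ICMP allow in NSG2.
        "vm1_ping_vm2_public": inbound_allowed(ping(internet_source()), NSG2, None)[0],
        # Q3: VM1 -> VM3 private IP: same VNet, no NSG on VM3's subnet or NIC.
        "vm1_ping_vm3_private": inbound_allowed(ping(vnet_source("ASG1")), None, None)[0],
        # Q3: VM1 -> VM5 public IP: NSG4 allows everything from anywhere.
        "vm1_ping_vm5_public": inbound_allowed(ping(internet_source()), NSG4, None)[0],
        # Q4: VM4 behind NSG3: ICMP only from ASG2, TCP from ASG1.
        "vm1_ping_vm4": inbound_allowed(ping(vnet_source("ASG1")), NSG3, None)[0],
        "vm2_ping_vm4": inbound_allowed(ping(vnet_source("ASG2")), NSG3, None)[0],
        "vm1_http_vm4": inbound_allowed(http(vnet_source("ASG1")), NSG3, None)[0],
    }

if __name__ == "__main__":
    for name, allowed in sub2_scenarios().items():
        print(f"{name}: {'Yes' if allowed else 'No'}")
```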
Question 5: Skipped
Your network contains an on-premises Active Directory domain named
corp.contoso.com.
You have an Azure subscription named Sub1 that is associated to an Azure Active
Directory (Azure AD) tenant named contoso.com.
You sync all on-premises identities to Azure AD.
You need to prevent users who have a givenName attribute that starts with TEST from
being synced to Azure AD. The solution must minimize administrative effort.
What should you use?

Synchronization Rules Editor

(Correct)

Web Service Configuration Tool

the Azure AD Connect wizard

Active Directory Users and Computers


Explanation
Correct answer is A.
Option A - CORRECT.
Use the Synchronization Rules Editor and write an attribute-based filtering rule.
The Synchronization Rules Editor is used to see and change the default configuration. You
can find it on the Start menu under the Azure AD Connect group.

When you open the editor, you see the default out-of-box rules.
For more info :
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration
Option B - INCORRECT.
The Web Service Configuration Tool allows you to create a new .wsconfig project as well as
use the downloaded project template / default project from the Microsoft Download Center.
It is for building Web Service connector projects, not for filtering synchronized users.
Option C - INCORRECT.
Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft
Azure AD. The wizard deploys and configures the prerequisites and components required for
the connection, including sync and sign-on.
Option D - INCORRECT.
Active Directory Users and Computers (ADUC) is a Microsoft Management Console snap-in
that you use to administer Active Directory (AD). You can manage objects (users,
computers), Organizational Units (OUs), and the attributes of each.
Question 6: Skipped
You have an Azure subscription that contains a user named User1 and an Azure
Container Registry named ContReg1.
You enable content trust for ContReg1.
You need to ensure that User1 can create trusted images in ContReg1.
The solution must use the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the
solution.

AcrQuarantineReader

Contributor

AcrPush

(Correct)

AcrImageSigner

(Correct)

AcrQuarantineWriter
Explanation
Correct answer is CD.
AcrImageSigner grants the ability to sign images, usually assigned to an automated process, which
would use a service principal. This permission is typically combined with push image (AcrPush) to
allow pushing a trusted image to a registry.
Together, these two roles allow the user to sign and push trusted images, using least privilege.
Only the users or systems you've granted permission can push trusted images to your registry.
To grant trusted image push permission to a user (or a system using a service principal), grant
their Azure Active Directory identities the AcrImageSigner role. This is in addition to
the AcrPush (or equivalent) role required for pushing images to the registry.

You can't grant trusted image push permission to the following administrative accounts:
1. the admin account of an Azure container registry
2. a user account in Azure Active Directory with the classic system administrator role.
For details, see Azure Container Registry roles and permissions.
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust
Question 7: Skipped
You have an Azure subscription that contains 100 virtual machines. Azure Diagnostics
is enabled on all the virtual machines.
You are planning the monitoring of Azure services in the subscription.
You need to retrieve the following details:
** Identify the user who deleted a virtual machine three weeks ago.
** Query the security events of a virtual machine that runs Windows Server 2016.
What should you use in Azure Monitor? To answer, match the appropriate
configuration settings to the correct details.

Box1 : Metrics
Box2 : Logs

Box1 : Activity log


Box2 : Service Health

Box1 : Activity log


Box2 : Logs

(Correct)

Box1 : Logs
Box2 : Metrics
Explanation
Correct answer is C.
Box1 : Activity log
Azure activity logs provide insight into the operations that were performed on resources in
your subscription. Activity logs were previously known as “audit logs” or “operational logs,”
because they report control-plane events for your subscriptions. Activity logs help you
determine the “what, who, and when” for write operations (that is, PUT, POST, or DELETE).
Box2 : Logs
Log Integration collects Azure diagnostics from your Windows virtual machines, Azure
activity logs, Azure Security Center alerts, and Azure resource provider logs. This integration
provides a unified dashboard for all your assets, whether they're on-premises or in the cloud,
so that you can aggregate, correlate, analyze, and alert for security events.
For more details: security/azure-log-audit
Question 8: Skipped
You have an Azure SQL database.
You implement Always Encrypted.
You need to ensure that application developers can retrieve and decrypt data in the
database.
Which two pieces of information should you provide to the developers? Each correct
answer presents part of the solution.

a stored access policy

a shared access signature (SAS)

the column encryption key

(Correct)

user credentials

the column master key

(Correct)

Explanation
Correct answer is CE.
Always Encrypted uses two types of keys: column encryption keys and column master keys.
A column encryption key is used to encrypt data in an encrypted column. A column master
key is a key-protecting key that encrypts one or more column encryption keys.
For more info :
introducing-always-encrypted-with-secure-enclaves-in-sql-server-2019-1
encryption/always-encrypted-database-engine
Question 9: Skipped
You create and enforce an Azure AD Identity Protection user risk policy that has the
following settings:
Assignment: Include Group1, Exclude Group2
Conditions: Sign-in risk of Medium and above
Access: Allow access, Require password change
You have an Azure Active Directory (Azure AD) tenant named contoso.com that
contains the users shown in the following table.
[table image]

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

No
No
No

Yes
Yes
No

Yes
No
No

(Correct)

Yes
No
Yes
Explanation
Correct answer is C.
The policy requires a password change if the rated risk is Medium or above.
Statement 1 : Yes
The risk level for "Sign-ins from unfamiliar locations" is Medium and User1 belongs to Group1.
Hence this user is included in the scope of the policy.
Statement 2 : No
"Exclude users: When organizations both include and exclude a user or group, the user or
group is excluded from the policy, as an exclude action overrides an include in policy.
Exclusions are commonly used for emergency access or break-glass accounts."
Sign-in from an anonymous IP address is risk level Medium and User2 belongs to both Group1
and Group2. Group2 is excluded from the policy. Hence this user is not included in the scope
of the policy because an exclude action overrides an include in policy.
Statement 3 : No
The risk level for sign-ins from infected devices is Low. Hence User3 is NOT included in the scope
of the policy.
Question 10: Skipped
You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure
AD).
You need to ensure that the application can use Secret1.
What should you do?

In Azure AD, create a role.

In Azure Key Vault, create a key.


In Azure Key Vault, create an access policy.

(Correct)

In Azure AD, enable Azure AD Application Proxy.


Explanation
Correct answer is C.
Option A - INCORRECT.
RBAC is for the management plane of Key Vault.
Access to a key vault is controlled through two interfaces: the management plane and
the data plane.
The management plane is where you manage Key Vault itself. Operations in this plane
include creating and deleting key vaults, retrieving Key Vault properties, and updating access
policies. The data plane is where you work with the data stored in a key vault. You can add,
delete, and modify keys, secrets, and certificates.
Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the
management plane uses Azure role-based access control (RBAC) and the data plane uses
a Key Vault access policy.
Option B - INCORRECT.
Use Key Vault to create and maintain keys that access and encrypt your cloud resources,
apps, and solutions. Creating a key does not grant the application any access to Secret1.
Option C - CORRECT.
A Key Vault access policy determines whether a given service principal, namely an
application or user group, can perform different operations on Key Vault secrets, keys,
and certificates.
An access policy is for the data plane, which is what is required here for accessing the secret.
You may need to configure the target resource to allow access from your application. For
example, if you request a token for Key Vault, you need to make sure you have added an
access policy that includes your application's identity. Otherwise, your calls to Key Vault will
be rejected, even if they include the token.
For more info : https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#obtain-tokens-for-azure-resources
Option D - INCORRECT.
Azure Active Directory (Azure AD) has an Application Proxy service that enables users to
access on-premises applications by signing in with their Azure AD account.
For more info :
https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault
https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-cli
Question 11: Skipped
You have an Azure subscription.
You configure the subscription to use a different Azure Active Directory (Azure AD)
tenant.
What are two possible effects of the change? Each correct answer presents a complete
solution.

Role assignments at the subscription level are lost.

(Correct)

Virtual machine managed identities are lost.

(Correct)

Virtual machine disk snapshots are lost.

Existing Azure resources are deleted.


Explanation
Correct answer is AB.
Before you associate or add an Azure subscription to your Azure Active Directory
tenant, review the following list of changes that will occur after you associate or add your
subscription, and how you might be affected:
1. Users that have been assigned roles using Azure RBAC will lose their access.
2. Service Administrator and Co-Administrators will lose access.
3. If you have any key vaults, they'll be inaccessible and you'll have to fix them after
association.
4. If you have any managed identities for resources such as Virtual Machines or Logic
Apps, you must re-enable or recreate them after the association.
5. If you have a registered Azure Stack, you'll have to re-register it after association.
For more info : active-directory-how-subscriptions-associated-directory#before-you-begin
Question 12: Skipped
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant
contains the users shown in the following table.
[table image]

You configure an access review named Review1 as shown in the following exhibit.
[exhibit image]
Use the drop-down menus to select the answer choice that completes each statement.

User3 can perform Review1 for : User1 and User2 only
If User2 fails to complete Review1 by March 20, 2019 : User2 will retain the Password
administrator role.

User3 can perform Review1 for : User3 only
If User2 fails to complete Review1 by March 20, 2019 : User3 will receive a confirmation
request.

(Correct)

User3 can perform Review1 for : User1, User2, and User3
If User2 fails to complete Review1 by March 20, 2019 : User3 will receive a confirmation
request.

User3 can perform Review1 for : User3 only
If User2 fails to complete Review1 by March 20, 2019 : Password administrator role will be
revoked from User2.
Explanation
Correct answer is B.
User3 can perform Review1 for : User3 only
Use the Members (self) option to have the users review their own role assignments.
If User2 fails to complete Review1 by March 20, 2019 : User3 will receive a
confirmation request.
To specify what happens after a review completes, expand the Upon completion
settings section.

If you want to automatically remove access for denied users, set Auto apply results to
resource to Enable. If you want to manually apply the results when the review completes,
set the switch to Disable.
Use the If reviewers don't respond list to specify what happens for users that are not
reviewed by the reviewer within the review period. This setting does not impact users who
have been reviewed by the reviewers manually. If the final reviewer's decision is Deny, then
the user's access will be removed.
No change - Leave user's access unchanged
Remove access - Remove user's access
Approve access - Approve user's access
Take recommendations - Take the system's recommendation on denying or approving the
user's continued access
Default Advanced settings
To specify additional settings, expand the Advanced settings section.

Set Mail notifications to Enable to have Azure AD send email notifications to reviewers
when an access review starts, and to administrators when a review completes.
For more info :
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Question 13: Skipped
You are troubleshooting a security issue for an Azure Storage account.
You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?

the Security & Compliance admin center


Azure Security Center

Azure Cosmos DB explorer

AzCopy

(Correct)

Explanation
Correct answer is D.
Option A - INCORRECT.
The Security & Compliance Center lets you grant permissions to people who perform
compliance tasks like device management, data loss prevention, eDiscovery, retention, and so
on.
Option B - INCORRECT.
Azure Security Center is a unified infrastructure security management system that
strengthens the security posture of your data centers, and provides advanced threat protection
across your hybrid workloads in the cloud - whether they're in Azure or not - as well as
on-premises. It does not retrieve storage diagnostic logs.
Option C - INCORRECT.
Azure Cosmos DB explorer is a standalone web-based interface that allows you to view and
manage the data stored in Azure Cosmos DB. You can provide temporary or permanent read
or read-write access to your database account and its collections to other users who do not
have access to Azure portal or subscription.
Option D - CORRECT.
Storage Analytics logs detailed information about successful and failed requests to a storage
service. This information can be used to monitor individual requests and to diagnose issues
with a storage service. Requests are logged on a best-effort basis.
To view and analyze your log data, you should download the blobs that contain the log data
you are interested in to a local machine. Many storage-browsing tools enable you to
download blobs from your storage account; you can also use the Azure Storage team
provided command-line Azure Copy Tool AzCopy to download your log data.
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage
account.
For more info : https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet#download-storage-logging-log-data
Question 14: Skipped
You plan to use Azure Resource Manager templates to perform multiple deployments of
identically configured Azure virtual machines. The password for the administrator account of
each deployment is stored as a secret in different Azure key vaults. You need to identify a
method to dynamically construct a resource ID that will designate the key
vault containing the appropriate secret during each deployment. The name of the key
vault and the name of the secret will be provided as inline parameters.
What should you use to construct the resource ID?

a key vault access policy

a linked template

(Correct)

a parameters file

an automation account
Explanation
Correct answer is B.
Option A - INCORRECT.
A Key Vault access policy determines whether a given service principal, namely an
application or user group, can perform different operations on Key Vault secrets, keys, and
certificates. You can assign access policies using the Azure portal, the Azure CLI, or Azure
PowerShell. It does not construct resource IDs.
Option B - CORRECT.
Microsoft says - "You can dynamically generate the resource ID for a key vault secret by
using a linked template."
Option C - INCORRECT.
Microsoft says - "You can't dynamically generate the resource ID in the parameters file
because template expressions aren't allowed in the parameters file."
Option D - INCORRECT.
Azure Automation is a service in Azure that allows you to automate your Azure
management tasks and to orchestrate actions across external systems from right within Azure.
An Automation account is a container for all your runbooks, runbook executions (jobs), and the
assets that your runbooks depend on.
For more info :
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id
Question 15: Skipped
You use Azure Security Center for the centralized policy management of three Azure
subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.

Solution: You create an initiative and an assignment that is scoped to a management
group.

Does this meet the goal?

Yes

(Correct)

No
Explanation
Correct answer is A.
Management groups in Microsoft Azure solve the problem of imposing governance policy on more than one Azure subscription simultaneously. An initiative (policy set definition) bundles the policy definitions into a single unit, and one assignment of that initiative at a management group that contains the three subscriptions applies every definition to all of them, and to any subscription moved under that management group later.
For more info:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/
Question 16: Skipped
You use Azure Security Center for the centralized policy management of three Azure
subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a resource graph and an assignment that is scoped to a
management group.
Does this meet the goal?

Yes

No

(Correct)

Explanation
Correct answer is B.
Management groups in Microsoft Azure solve the problem of imposing governance policy on more than one Azure subscription simultaneously, but the unit you assign at a management group is an initiative, not a resource graph. You bundle the policy definitions into an initiative and assign the initiative to the management group.
Azure Resource Graph is a read-only query service. It extends Azure Resource Management with efficient, large-scale exploration of resources across a given set of subscriptions so that you can govern your environment effectively. Its queries provide:
- querying resources with complex filtering, grouping, and sorting by resource properties;
- iteratively exploring resources based on governance requirements;
- assessing the impact of applying policies in a vast cloud environment;
- detailing changes made to resource properties (preview).
Resource Graph can show you which resources a policy would touch; it cannot enforce one.
For more info: https://docs.microsoft.com/en-us/azure/governance/resource-graph/overview
Question 17: Skipped
You use Azure Security Center for the centralized policy management of three Azure
subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.

Solution: You create a policy definition and assignments that are scoped to resource
groups.

Does this meet the goal?

Yes

No

(Correct)

Explanation
Correct answer is B.
A resource group is a container that holds related resources for an Azure solution. It can include all the resources for the solution, or only those you want to manage as a group; generally, resources that share the same lifecycle go in the same resource group so you can deploy, update, and delete them together. A resource group lives inside one subscription, so assignments scoped to resource groups would have to be repeated for every resource group in all three subscriptions and would miss any resource group created afterwards.
Management groups in Microsoft Azure solve the problem of imposing governance policy on more than one Azure subscription simultaneously. You can group multiple subscriptions only under a management group, never under a resource group, which is meant for grouping resources. Bundling the definitions into an initiative and assigning it at a management group above the three subscriptions is what meets the goal.
For more info:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/
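Worked example for questions 15 to 17 (added here; not part of the original question set): build an initiative from existing definitions and assign it once at a management group that holds the three subscriptions. The management group name mg-prod is an assumption, the two built-in definitions are looked up by display name, and the object shape used ($_.Properties.DisplayName, .PolicyDefinitionId) is that of Az.Resources 6.x.

```powershell
# Added example: initiative + management-group-scoped assignment (assumed names).
$mgName  = 'mg-prod'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Pick the definitions to bundle (two built-ins here; custom ones work the same way).
$wanted = @(
    'Secure transfer to storage accounts should be enabled',
    'Audit VMs that do not use managed disks'
)
$builtins = Get-AzPolicyDefinition -Builtin
$defs = foreach ($name in $wanted) {
    $builtins | Where-Object { $_.Properties.DisplayName -eq $name }
}
if ($defs.Count -ne $wanted.Count) { throw 'One or more policy definitions were not found' }

# An initiative body is a JSON array of policyDefinitionId references.
$refs = @($defs | ForEach-Object { @{ policyDefinitionId = $_.PolicyDefinitionId } })
$initiative = New-AzPolicySetDefinition -Name 'sec-baseline' -DisplayName 'Security baseline' `
    -ManagementGroupName $mgName -PolicyDefinition (ConvertTo-Json -InputObject $refs -Depth 5)

# One assignment at the management group covers every subscription beneath it.
New-AzPolicyAssignment -Name 'sec-baseline-assignment' -DisplayName 'Security baseline' `
    -PolicySetDefinition $initiative -Scope $mgScope

# Check: the assignment is inherited by each child subscription.
Get-AzPolicyAssignment -Scope $mgScope |
    Select-Object Name, @{ n = 'Scope'; e = { $_.Properties.Scope } }
```

Compliance results take a while to populate after a new assignment; Start-AzPolicyComplianceScan on a subscription forces an evaluation if you do not want to wait for the next cycle.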
Question 18: Skipped
You need to create an Azure key vault. The solution must ensure that any object deleted
from the key vault be retained for 90 days.
How should you complete the command? To answer, select the appropriate options in
the answer area.

-EnableForDeployment
-DefaultProfile

-EnablePurgeProtection
-EnableSoftDelete

(Correct)

-Tag
-SKU

-EnableForDeployment
-Confirm
Explanation
Correct answer is B.
Box 1: -EnablePurgeProtection
Purge protection is an optional Key Vault behavior that is not enabled by default. If specified, protection against immediate permanent deletion is enabled for the vault; it requires soft delete to be enabled as well. With purge protection on, a deleted vault or object cannot be purged until the retention period (90 days by default) has passed, although it can still be recovered during that time. This is what guarantees the 90-day retention the question asks for: with soft delete alone, an administrator can purge a deleted object at any moment. Purge protection cannot be turned off again once it is enabled.
Box 2: -EnableSoftDelete
Soft delete was an optional Key Vault behavior, off by default, when this cmdlet syntax was current. It specifies that the soft-delete functionality is enabled for the vault: for a grace period, you can recover the vault and its contents after deletion. Soft delete is now enabled by default on all new vaults and can no longer be disabled; with the current Az module the retention window is set with -SoftDeleteRetentionInDays (7 to 90 days).
For more info:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/new-azurermkeyvault
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection
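Worked example (added here; not part of the original question set): the completed command in the AzureRM syntax the question uses, its Az equivalent, and a check that a deleted secret is recoverable but not purgeable. Vault, resource group, region and secret names are assumptions.

```powershell
# Added example: vault whose deleted objects are retained for 90 days and cannot be purged early.
# KV-Contoso, RG1, eastus and the secret name are assumed values.

# AzureRM syntax matching the question:
New-AzureRmKeyVault -VaultName 'KV-Contoso' -ResourceGroupName 'RG1' -Location 'eastus' `
    -EnableSoftDelete -EnablePurgeProtection

# Az module equivalent: soft delete is always on for new vaults, so only the retention
# window and purge protection (irreversible) are specified.
New-AzKeyVault -VaultName 'KV-Contoso' -ResourceGroupName 'RG1' -Location 'eastus' `
    -SoftDeleteRetentionInDays 90 -EnablePurgeProtection

# Verify both flags on the vault.
Get-AzKeyVault -VaultName 'KV-Contoso' |
    Select-Object VaultName, EnableSoftDelete, SoftDeleteRetentionInDays, EnablePurgeProtection

# Behaviour check: delete a secret, confirm it is recoverable, confirm it cannot be purged.
Set-AzKeyVaultSecret -VaultName 'KV-Contoso' -Name 'demo' `
    -SecretValue (ConvertTo-SecureString 'not-a-real-secret' -AsPlainText -Force)
Remove-AzKeyVaultSecret -VaultName 'KV-Contoso' -Name 'demo' -Force

Get-AzKeyVaultSecret -VaultName 'KV-Contoso' -InRemovedState        # 'demo' is listed as deleted

# Purge attempt: fails while purge protection is on (expected; this is the 90-day guarantee).
try {
    Remove-AzKeyVaultSecret -VaultName 'KV-Contoso' -Name 'demo' -InRemovedState -Force -ErrorAction Stop
} catch {
    Write-Host "Purge blocked as expected: $($_.Exception.Message)"
}

# Recovery within the retention window.
Undo-AzKeyVaultSecretRemoval -VaultName 'KV-Contoso' -Name 'demo'
```

Without -EnablePurgeProtection the purge in the try block succeeds, which is why soft delete on its own does not satisfy the "retained for 90 days" requirement.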
Question 19: Skipped
You are implementing conditional access policies.
You must evaluate the existing Azure Active Directory (Azure AD) risk events and risk
levels to configure and implement the policies.
You need to identify the risk level of the following risk events:
** Users with leaked credentials
** Impossible travel to atypical locations
**Sign-ins from IP addresses with suspicious activity
Which level should you identify for each risk event? Each level may be used once, more
than once, or not at all.

Impossible travel to atypical locations : Medium
Users with leaked credentials : High
Sign-ins from IP addresses with suspicious activity : Medium

Impossible travel to atypical locations : High
Users with leaked credentials : Medium
Sign-ins from IP addresses with suspicious activity : Low

Impossible travel to atypical locations : Medium
Users with leaked credentials : High
Sign-ins from IP addresses with suspicious activity : High

Impossible travel to atypical locations : Medium
Users with leaked credentials : High
Sign-ins from IP addresses with suspicious activity : Low

(Correct)

Explanation
Correct answer is D.
In the classic Azure AD Identity Protection risk events, each detection carries a fixed risk level. Users with leaked credentials is High: Microsoft has found the user's valid credentials exposed publicly, so the account is almost certainly compromised. Impossible travel to atypical locations is Medium: two sign-ins from locations too far apart for the user to have travelled between them, which can also be explained by a VPN or a shared account. Sign-ins from IP addresses with suspicious activity is Low: the address has produced a high rate of failed sign-ins across many accounts, which is a weaker signal than the other two. A Conditional Access sign-in risk policy is then written against these levels, for example requiring MFA at Medium and above and blocking at High.
For more info:
https://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
Question 20: Skipped
You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD
authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server
Management Studio (SSMS) and authenticate by using their on-premises Active
Directory account.
You need to tell the developers which authentication method to use to connect to the
SQL database from SSMS. The solution must minimize authentication prompts.
Which authentication method should you instruct the developers to use?

SQL Login

Active Directory - Universal with MFA support

Active Directory - Integrated

(Correct)

Active Directory - Password


Explanation
Correct answer is C.
Option A - INCORRECT.
SQL authentication uses a login and password stored on the logical server (the server admin login created with the server is one such login and holds full permissions on every database as a server-level principal). It does not use the developer's Active Directory account at all.
Option B - INCORRECT.
Active Directory - Universal with MFA support drives an interactive Azure AD sign-in with a pop-up dialog and, where an MFA or Conditional Access policy applies, a second factor (phone call, text message, smart card with PIN, or mobile app notification). It works for hybrid users, but it adds prompts rather than minimizing them.
Option C - CORRECT.
Active Directory - Integrated reuses the Windows sign-on of the hybrid Azure AD joined computer. Use it when you are logged into Windows with credentials from a federated domain, or from a managed domain configured for seamless single sign-on with pass-through or password hash authentication. No password is needed or can be entered; the existing credentials are presented for the connection, so there are no extra prompts.
Option D - INCORRECT.
Active Directory - Password prompts for an Azure AD principal name and password. It is the right choice for Azure AD cloud-only users, or for hybrid users on a machine that is not domain joined (for example, when working remotely); in that case a Windows user types their domain account and password and can authenticate to the database in SQL Database, SQL Managed Instance, or Azure Synapse. On a hybrid joined machine it adds a prompt that Integrated avoids.
For more info:
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-mfa-ssms-overview
Question 21: Skipped
Which AAD Connect service allow us to override the default synchronization behavior
by creating custom criteria?

Synchronization Service


Synchronization Rules Editor

(Correct)

AAD Connect wizard

Start-ADSyncSyncCycle

Explanation
Correct answer is B.
Option A - INCORRECT.
Azure AD Connect sync (the synchronization service) is the main component of Azure AD Connect. It performs all the operations involved in synchronizing identity data between the on-premises environment and Azure AD, and is the successor of DirSync, Azure AD Sync, and Forefront Identity Manager with the Azure Active Directory Connector configured. It executes the synchronization rules; it is not where you author them.
Option B - CORRECT.
The Synchronization Rules Editor is where you create custom rules that change how Azure AD Connect handles objects and attributes (for example, filtering on an attribute value or transforming an attribute) and so override the default synchronization behavior. Custom rules must have a precedence below 100 so they take priority over the built-in rules, which should not be edited directly.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration#synchronization-rules-editor
Option C - INCORRECT.
Azure AD Connect is the tool for connecting an on-premises identity infrastructure to Azure AD. The wizard deploys and configures the prerequisites and components required for the connection, including sync and sign-on, but its filtering options are limited to the built-in choices (domain, OU, group); it does not accept custom criteria.
Option D - INCORRECT.
Start-ADSyncSyncCycle only triggers a synchronization run, for example when an urgent change must be synchronized immediately; from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta. It does not change what is synchronized.

Question 22: Skipped
From Azure Security Center, you enable Azure Container Registry vulnerability
scanning of the images in Registry1.
You perform the following actions:
** Push a Windows image named Image1 to Registry1.
** Push a Linux image named Image2 to Registry1.
** Push a Windows image named Image3 to Registry1.
** Modify Image1 and push the new image as Image4 to Registry1.
** Modify Image2 and push the new image as Image5 to Registry1.
Which two images will be scanned for vulnerabilities? Each correct answer presents a
complete solution.

Image4

Image2

(Correct)

Image1

Image3

Image5

(Correct)

Explanation
Correct answer is BE.
Only Linux images are scanned; Windows images are not (Windows image scanning was added to Defender for Containers only later). Image2 is a Linux image and Image5 is a modified copy of it, so those two are scanned. Image1 and Image3 are Windows images, and Image4 is derived from Image1, so none of those is scanned.
Supported registries and images:
- Linux-hosted ACR registries that are accessible from the public internet and provide shell access.
Unsupported registries and images:
- Windows-hosted ACR registries.
- 'Private' registries: Security Center requires the registry to be accessible from the public internet. It cannot connect to, or scan, registries whose access is limited by a firewall, a service endpoint, or private endpoints such as Azure Private Link.
- Super-minimalist images such as Docker scratch images, or "Distroless" images that contain only an application and its runtime dependencies without a package manager, shell, or OS.
For more info:
https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-usage#availability
https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction
Question 23: Skipped
You plan on configuring your Azure SQL deployment such that users can authenticate
to it using their Azure AD credentials. What must be done first to allow this?

Set an Azure AD admin account for SQL

(Correct)

Register SQL as an Azure AD enterprise app

Configure Azure AD Connect.

Local Active Directory Domain synchronization with Azure AD Connect

Users must be configured to use MFA


Explanation
Correct answer is A.
To integrate an Azure SQL logical server with Azure Active Directory, an Azure AD administrator must first be assigned to the server. That administrator (preferably an Azure AD group rather than a single user) can then connect with SSMS using Azure AD authentication and create contained database users for other Azure AD users and groups; until the admin is set, no Azure AD principal can authenticate to the server at all. Azure AD Connect is only needed if the identities are to be synchronized from on-premises AD, and MFA is a separate policy decision.
For more info:
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell
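Worked example for questions 20 and 23 (added here; not part of the original question set): set the Azure AD admin on the logical server, then create contained users from Azure AD in the target database. Server, database, group and resource group names are assumptions; the T-SQL is what the Azure AD admin runs from SSMS (using "Active Directory - Integrated" on a hybrid joined machine), and the Invoke-Sqlcmd call shows the same statement run non-interactively with an access token.

```powershell
# Added example: Azure AD admin for an Azure SQL logical server, then Azure AD users in a database.
# RG1, sql-contoso, DB1 and the group names are assumed.

# 1. Assign an Azure AD group as the server's Azure AD administrator (a group, so the
#    admin role does not depend on one person's account).
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName 'RG1' -ServerName 'sql-contoso' `
    -DisplayName 'SQL-DBA-Admins'
Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName 'RG1' -ServerName 'sql-contoso'

# 2. As that admin, in the user database (not master): map an Azure AD group to a contained
#    user and grant least-privilege roles. Developers then authenticate with their own
#    Azure AD identity; no SQL login or password is created for them.
$tsql = @'
CREATE USER [SQL-Developers] FROM EXTERNAL PROVIDER;   -- Azure AD group
ALTER ROLE db_datareader ADD MEMBER [SQL-Developers];
ALTER ROLE db_datawriter ADD MEMBER [SQL-Developers];
'@

# 3. Same statement run unattended with an Azure AD access token for the SQL resource
#    (SqlServer module; Az.Accounts 4+ returns the token as a SecureString, convert if so).
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
Invoke-Sqlcmd -ServerInstance 'sql-contoso.database.windows.net' -Database 'DB1' `
    -AccessToken $token -Query $tsql

# 4. Check which Azure AD principals exist in the database.
Invoke-Sqlcmd -ServerInstance 'sql-contoso.database.windows.net' -Database 'DB1' -AccessToken $token `
    -Query "SELECT name, type_desc, authentication_type_desc FROM sys.database_principals WHERE type IN ('E','X');"
```

Type E is an external (Azure AD) user and X an external group; seeing SQL-Developers listed as X confirms the mapping that the Integrated sign-in in SSMS will resolve against.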
Question 24: Skipped
Which statement regarding multiple Azure AD tenants in the same Azure account is
true?
Instruction: Choose the option that best answers the question.

Switching to a different AD tenant shows the same deployed cloud resources

Switching to a different AD tenant shows different deployed cloud resources

(Correct)

Switching to a different AD tenant shows only a subset of deployed cloud resources

An Azure account can have only one Azure AD tenant.


Explanation
Correct answer is B.
Every Azure subscription trusts exactly one Azure AD tenant, and the portal shows only the subscriptions, and therefore the resources, of the directory you are currently working in. Switching to a different Azure AD tenant shows a different set of deployed cloud resources, namely those in the subscriptions that trust that directory. One account can be a member or guest of many tenants, so an account is not limited to a single tenant.
For more info:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/change-azure-ad-connection?view=azure-devops
Question 25: Skipped
You have an Azure subscription named Sub1 that contains the virtual machines shown
in the following table.

You need to ensure that the virtual machines in RG1 have the Remote Desktop port
closed until an authorized user requests access.
What should you configure?

Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

an application security group

Azure Active Directory (Azure AD) conditional access

just in time (JIT) VM access

(Correct)

Explanation
Correct answer is D.
Option A - INCORRECT.
Privileged Identity Management (PIM) is a service in Azure AD that manages, controls, and monitors access to important resources in your organization, including roles in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. It gates role activation, not a network port on a VM.
Option B - INCORRECT.
Application security groups let you configure network security as a natural extension of an application's structure: you group virtual machines and write NSG rules against those groups instead of explicit IP addresses, so a policy can be reused at scale without manual maintenance. They make rules easier to write; they do not open and close a port on request.
Option C - INCORRECT.
Conditional Access is the tool Azure AD uses to bring signals together, make decisions, and enforce organizational policies at sign-in to cloud applications. It is at the heart of the identity-driven control plane, but it has no effect on RDP traffic to a VM.
Option D - CORRECT.
Just-in-time (JIT) VM access locks down inbound traffic to your Azure VMs, reducing exposure to attacks while still allowing access when it is needed. When JIT is enabled, Security Center locks down the ports you select by creating an NSG Deny rule for them (and an Azure Firewall rule where one is in the path); these ports are then controlled by the JIT solution.
When a user requests access to a VM, Security Center checks that the user's Role-Based Access Control (RBAC) permissions allow the request. If the request is approved, Security Center configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the requested source IP addresses or ranges, for the amount of time requested. After that time expires, Security Center restores the NSGs to their previous state; connections that are already established are not interrupted.
For more info :
security-center-just-in-time
just-in-time-explained
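Worked example (added here; not part of the original question set): a JIT policy that keeps RDP on VM1 closed, a check of the Deny rule it creates, and an access request for one source address. The subscription ID, resource names, region, NIC-attached NSG and the requester's address (203.0.113.10, a documentation range) are assumptions.

```powershell
# Added example: JIT VM access for RDP on VM1 (assumed subscription, names and addresses).
$sub  = '11111111-2222-3333-4444-555555555555'
$vmId = "/subscriptions/$sub/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/VM1"

# 1. Policy: 3389 is denied until requested; a request may open it for at most three hours.
#    allowedSourceAddressPrefix here only bounds what a request may ask for; the request
#    itself (step 3) should name a single address, never '*'.
$policy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location 'eastus' -Name 'default' `
    -ResourceGroupName 'RG1' -VirtualMachine @($policy)

# 2. Check the lock-down: the NSG on VM1's NIC now holds a Deny rule for 3389 whose
#    priority is higher (numerically lower) than any Allow rule for that port.
$nic = Get-AzNetworkInterface -ResourceGroupName 'RG1' -Name 'VM1-nic'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName 'RG1' -Name (($nic.NetworkSecurityGroup.Id -split '/')[-1])
$nsg.SecurityRules | Where-Object { $_.DestinationPortRange -contains '3389' } |
    Sort-Object Priority | Select-Object Name, Priority, Access, Direction, SourceAddressPrefix

# 3. Request: the caller needs Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
#    on the VM. One hour, one source address.
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 3389
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
           allowedSourceAddressPrefix = @('203.0.113.10') }
    )
}
Start-AzJitNetworkAccessPolicy -VirtualMachine @($request) `
    -ResourceId "/subscriptions/$sub/resourceGroups/RG1/providers/Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/default"

# Re-run step 2: a temporary Allow rule for 203.0.113.10 -> 3389 appears above the Deny rule
# and is removed again when the hour is up.
```

If the NSG is attached to the subnet instead of the NIC, read it from the subnet object in step 2; the JIT rules land on whichever NSG is in the path.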
Question 26: Skipped
Your company has two offices in Seattle and New York. Each office connects to the
Internet by using a NAT device. The offices use the IP addresses shown in the following
table.

The company has an Azure Active Directory (Azure AD) tenant named contoso.com.
The tenant contains the users shown in the following table.

The MFA service settings are configured as shown below.
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.

Yes
No
No

(Correct)

Yes
No
No

Yes
No
Yes

No
No
No
Explanation
Correct answer is A.
Remember the per-user MFA states:
Disabled: the default state for a new user not enrolled in multi-factor authentication.
Enabled: the user has been enrolled in multi-factor authentication but has not completed the registration process; they are prompted to complete it the next time they sign in.
Enforced: the user may or may not have completed registration. If they have, they are using multi-factor authentication; otherwise they are prompted to complete registration at next sign-in.
Statement 1: Yes. The source IP address is not within the trusted IP range and MFA is enabled for User1, so the sign-in is challenged; "Call to phone" is a checked verification option, so the user can be called.
Statement 2: No. The Microsoft Authenticator app is not among the verification options enabled in the service settings shown, so it is not available to the user.
Note: Microsoft Authenticator is a mobile app that produces push notifications and time-based codes for the two-step verification process.
Statement 3: No. The New York office's NAT address range is listed under the trusted IPs (the "skip multi-factor authentication for requests from ..." setting), so sign-ins from that subnet are not prompted for MFA.
Question 27: Skipped
Your company has an Azure subscription named Sub1.
Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights.
WebApp1 requires users to authenticate by using OAuth 2.0 client secrets.
Developers at the company plan to create a multi-step web test app that performs
synthetic transactions emulating user traffic to WebApp1.
You need to ensure that web tests can run unattended.
What should you do first?

In Microsoft Visual Studio, modify the .webtest file.

Upload the .webtest file to Application Insights.

(Correct)

Register the web test app in Azure AD.

Add a plug-in to the web test app.


Explanation
Correct answer is B.
Option A - INCORRECT.
Editing the .webtest file in Microsoft Visual Studio on its own does not make the recorded transactions run unattended; the test still has to be uploaded to Application Insights, which then runs it on a schedule from its test locations.
Option B - CORRECT.
Application Insights can monitor a recorded sequence of URLs and interactions with a website through a multi-step web test: once the .webtest file is uploaded, Application Insights runs it at the configured frequency from its own test locations, with no developer workstation involved.
For more info: https://docs.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep#upload-the-web-test
Option C - INCORRECT.
Registering an application in Azure AD is what an app needs to integrate with the Microsoft identity platform and call Microsoft Graph; it is not what makes an Application Insights web test run unattended.
Option D - INCORRECT.
Web performance test plug-ins let you isolate and reuse code outside the main declarative statements of a web performance test; a custom plug-in calls your code as the test runs, once per test iteration. A plug-in extends the test's logic but does not schedule it.
Question 28: Skipped
You have an Azure subscription.
You create an Azure web app named Contoso1812 that uses an S1 App service plan.
You create a DNS record for www.contoso.com that points to the IP address of
Contoso1812.
You need to ensure that users can access Contoso1812 by using the
https://www.contoso.com URL.
Which two actions should you perform? Each correct answer presents part of the
solution.

Turn on the system-assigned managed identity for Contoso1812.

Add a hostname to Contoso1812.

(Correct)

Scale out the App Service plan of Contoso1812.

Add a deployment slot to Contoso1812.

Scale up the App Service plan of Contoso1812.

Upload a PFX file to Contoso1812.

(Correct)

Explanation
Correct answer is BF.
Option A - INCORRECT.
A system-assigned managed identity is an identity in Azure AD tied to the lifecycle of the resource; when the resource is deleted, Azure deletes the identity, and by design only that resource can use it to request tokens. It has nothing to do with users reaching the site by a custom name.
Option B - CORRECT.
The app must be told which custom hostnames it answers for, and App Service verifies domain ownership before it accepts the hostname. For www.contoso.com that means the CNAME or A record already created, plus a TXT record named asuid.www.contoso.com carrying the app's custom domain verification ID. For the apex name (contoso.com) you use an A record pointing at the app's IP address plus the asuid TXT record.
For more info: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
Option C - INCORRECT.
The S1 plan already supports custom domains and TLS/SSL bindings. Scaling out adds instances, which changes capacity, not features.
Option D - INCORRECT.
A deployment slot is useful for staged rollouts, but it is not needed for users to reach the site.
Option E - INCORRECT.
Custom domains and SNI TLS/SSL bindings are available from the Basic tier upward, so scaling up from S1 is not required.
Option F - CORRECT.
To serve https://www.contoso.com the app needs a certificate for that name. Uploading a PFX file (the certificate with its private key and chain) and binding it to the hostname provides it. On an S1 plan an App Service managed certificate would also work, but that is not among the options offered.
For more info: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate
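Worked example (added here; not part of the original question set): the two correct actions in order, with the ownership check that precedes the hostname and the HTTPS-only switch a practitioner adds afterwards. Resource group, PFX path and DNS names are assumptions.

```powershell
# Added example: custom hostname + PFX binding for Contoso1812 (assumed RG1 and file path).

# 1. Ownership check: App Service expects a TXT record asuid.www.contoso.com whose value
#    is the app's verification ID. Print it so the DNS record can be created first.
$app = Get-AzWebApp -ResourceGroupName 'RG1' -Name 'Contoso1812'
"TXT asuid.www.contoso.com = $($app.CustomDomainVerificationId)"

# 2. Add the hostname. -HostNames replaces the whole set, so keep the default hostname too.
Set-AzWebApp -ResourceGroupName 'RG1' -Name 'Contoso1812' `
    -HostNames @('www.contoso.com', 'contoso1812.azurewebsites.net')

# 3. Upload the PFX and bind it to the hostname with SNI (no dedicated IP needed on S1).
$pfxPassword = Read-Host -Prompt 'PFX password'
New-AzWebAppSSLBinding -ResourceGroupName 'RG1' -WebAppName 'Contoso1812' -Name 'www.contoso.com' `
    -CertificateFilePath '.\www-contoso-com.pfx' -CertificatePassword $pfxPassword -SslState 'SniEnabled'

# 4. Redirect plain HTTP so the custom name is only ever served over TLS.
Set-AzWebApp -ResourceGroupName 'RG1' -Name 'Contoso1812' -HttpsOnly $true

# Check: binding present, and the hostname list includes www.contoso.com.
Get-AzWebAppSSLBinding -ResourceGroupName 'RG1' -WebAppName 'Contoso1812' |
    Select-Object Name, SslState, Thumbprint
(Get-AzWebApp -ResourceGroupName 'RG1' -Name 'Contoso1812').HostNames
```

Step 2 fails with a verification error if the asuid TXT record (or the CNAME/A record) has not propagated yet, which is the usual cause of "hostname could not be added".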
Question 29: Skipped
Which statement regarding SQL auditing configurations is correct?
Instruction: Choose the option that best answers the question.

Server-level Blob auditing flows down to databases

(Correct)


After auditing is enabled, the server must be restarted

Server-level Blob auditing does not flow down to databases

Database auditing is enabled by default.


Explanation
Correct answer is A.
A server-level auditing policy applies to all existing and newly created databases on that logical server, whatever their database-level settings; if a database-level audit is also enabled, both audits run side by side. Enabling auditing takes effect without a restart, and neither server nor database auditing is enabled by default.
Question 30: Skipped
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You need to configure diagnostic settings for contoso.com. The solution must meet the
following requirements:

** Retain logs for two years.
** Query logs by using the Kusto query language.
** Minimize administrative effort.

Where should you store the logs?

an Azure event hub

an Azure Log Analytics workspace

(Correct)

an Azure Storage account


Explanation
Correct answer is B.
A Log Analytics workspace is the one destination that meets all three requirements: the Azure AD audit and sign-in logs land in a queryable store, the workspace's data retention can be raised to 730 days (two years), and Kusto (KQL) queries run against it natively in Azure Monitor Logs with nothing else to build. Each workspace is its own environment for Azure Monitor log data, with its own data repository and configuration, and data sources and solutions are configured to store their data in a particular workspace; it is also what you use to collect data from Azure resources in your subscription, on-premises computers monitored by System Center Operations Manager, Configuration Manager device collections, and diagnostics or log data from Azure storage.
A storage account can retain the logs for as long as you like but cannot be queried with KQL without first ingesting the data somewhere else, and an event hub is a streaming endpoint for forwarding logs to an external SIEM; it holds events for days, not years.
For more info:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/delete-workspace#permanent-workspace-delete
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-queries
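Worked example (added here; not part of the original question set): a workspace with two-year retention and the kind of KQL query the requirement exists for. Workspace, resource group and region names are assumptions; the Azure AD diagnostic setting that sends AuditLogs and SignInLogs to this workspace is created in the portal (Azure AD > Diagnostic settings) in this example.

```powershell
# Added example: Log Analytics workspace with 730-day retention, then a sign-in query.
# RG1, law-contoso and eastus are assumed names.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName 'RG1' -Name 'law-contoso' `
    -Location 'eastus' -Sku 'PerGB2018' -RetentionInDays 730

# Check the retention actually took (the default is 30 days).
(Get-AzOperationalInsightsWorkspace -ResourceGroupName 'RG1' -Name 'law-contoso').RetentionInDays

# After the Azure AD diagnostic setting points SignInLogs at this workspace:
# failed sign-ins per user and failure reason over the last 30 days.
$kql = @'
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType != "0"
| summarize Failures = count() by UserPrincipalName, ResultDescription
| order by Failures desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize
```

ResultType is a string in SigninLogs, so the comparison is against "0" and not the number 0; that is a common reason a query of this shape silently returns nothing.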
Question 31: Skipped
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active
Directory credentials.
You need to configure the environment to support the planned authentication.

Solution: You deploy Azure Active Directory Domain Services (Azure AD DS) to the
Azure subscription.
Does this meet the goal?

Yes

(Correct)

No
Explanation
Correct answer is A.
Azure AD Domain Services is the only supported way to integrate an HDInsight cluster with Active Directory. Azure AD Connect synchronizes identities from the on-premises Active Directory to Azure AD, and Azure AD DS then provides the managed domain (Kerberos and LDAP) that the HDInsight cluster joins, so users sign in with the same accounts.
To summarize, you need to set up an environment with:
1. An Active Directory domain managed by Azure AD DS. The domain name must be 39 characters or less to work with Azure HDInsight.
2. Secure LDAP (LDAPS) enabled in Azure AD DS.
3. Proper network connectivity from the HDInsight virtual network to the Azure AD DS virtual network, if you choose separate virtual networks for them. A VM inside the HDInsight virtual network should have line of sight to Azure AD DS through virtual network peering. If HDInsight and Azure AD DS are deployed in the same virtual network, the connectivity is provided automatically and no further action is needed.
For more info: https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture
Question 32: Skipped
You have a web app named WebApp1.
You create a web application firewall (WAF) policy named WAF1.
You need to protect WebApp1 by using WAF1.
What should you do first?

Deploy an Azure Front Door.

(Correct)

Add an extension to WebApp1.

Deploy Azure Firewall.


Explanation
Correct answer is A.
Option A - CORRECT.
A WAF policy is not applied to a web app directly; it is attached to a front-end service that sits in front of the app. WAF can be deployed with Azure Application Gateway, Azure Front Door, and the Azure Content Delivery Network (CDN) service from Microsoft (WAF on Azure CDN was in public preview at the time of writing). None of these exists yet for WebApp1, so the first step is to deploy one of them, Front Door among the options given, and then associate WAF1 with it.
For more info:
https://docs.microsoft.com/nl-nl/azure/web-application-firewall/overview
https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
Option B - INCORRECT.
Site extensions add functionality to the web app itself; a WAF policy cannot be attached to one.
For more info (58 sec video): Azure WebApp Extension
Option C - INCORRECT.
Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources at layers 3 to 7 with network and application rules; it is not a web application firewall and cannot host a WAF policy.
Question 33: Skipped
You have an Azure subscription that contains the virtual machines shown in the
following table.


From Azure Security Center, you turn on Auto Provisioning. You deploy the virtual
machines shown in the following table.


On which virtual machines is the Log Analytics agent installed?

VM3 only

VM1 and VM3 only

VM3 and VM4 only


VM1, VM2, VM3, and VM4

(Correct)

Explanation
Correct answer is D.
When automatic provisioning is on, Security Center installs the Log Analytics agent on all supported Azure VMs, both those that already exist and any created afterwards, so all four VMs receive the agent provided their operating systems are supported.
Supported operating systems include:
Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64), and 18.04 LTS (x64)
Windows Server 2008 R2, 2012, 2012 R2, 2016, version 1709 and 1803
For more info:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
Question 34: Skipped
You have an Azure subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using
several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You generate new SASs.
Does this meet the goal?

Yes

No

(Correct)

Explanation
Correct answer is B.
Generating new SAS tokens does nothing to the tokens already in circulation. A SAS is validated by recomputing its signature with the storage account key and, for a SAS bound to a stored access policy, by looking up the policy named in the token. Existing tokens therefore keep working until they expire, until the policy they reference is removed or renamed, or until the key that signed them is regenerated. The question describes SAS tokens issued with stored access policies, which are service SAS tokens, and those are revoked only by modifying, renaming or deleting the policy. Ad hoc service SAS tokens and account SAS tokens carry their own expiry and can only be revoked by regenerating the account key that signed them, which invalidates every SAS signed with that key.
Instead you should replace the stored access policies (the solution in the next question).
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it.
For more info:
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
Question 35: Skipped
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using
several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a new stored access policy.
Does this meet the goal?

Yes

(Correct)

No
Explanation
Correct answer is A.
"A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued."
The intended reading is that the existing policies are replaced: renaming a policy (changing its signed identifier) or deleting it and defining a new one breaks every SAS bound to the old identifier immediately. Merely adding a further policy alongside the existing ones revokes nothing, and any SAS that is not bound to a policy (an ad hoc service SAS or an account SAS) is only revoked by regenerating the account keys, so a complete response to the incident described combines both steps.
For more info: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
Question 36: Skipped
You have an Azure subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using
several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a lock on Sa1.
Does this meet the goal?

Yes

No

(Correct)

Explanation
Correct answer is B.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Locks act on the Azure Resource Manager control plane only. A SAS is validated by the storage data plane against the account key and, where one is referenced, the stored access policy, so neither lock level invalidates an existing SAS. A ReadOnly lock would in fact block the regenerateKey management operation you need in order to revoke ad hoc SASs.
For more info: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it.
For more info: https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
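The server-side check that the explanations of questions 35 and 36 rely on, as an added example that is not part of the original page or of the Azure Storage service: it models how a service SAS is validated, using a simplified string-to-sign and illustrative field names (sr, sp, se, si, sig) and in-memory stand-ins for the account key and the stored access policies, and replays the steps of the two questions in order (existing ad hoc and policy-bound SASs, a new policy created, the bound policy deleted, the key regenerated).

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fields covered by the signature. The real service signs more (version, IP range, ...);
# this simplified string-to-sign is an assumption made for the example.
SIGNED_FIELDS = ("sr", "sp", "se", "si")  # resource, permissions, expiry, signed identifier


def _sign(key: bytes, sas: dict) -> str:
    msg = "\n".join(f"{k}={sas.get(k, '')}" for k in SIGNED_FIELDS).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


@dataclass
class StorageAccount:
    """In-memory stand-in for one storage account: its current key and stored access policies."""
    key: bytes = field(default_factory=lambda: os.urandom(32))
    # signed identifier -> {"sp": permissions, "se": expiry datetime}
    policies: dict = field(default_factory=dict)

    def regenerate_key(self) -> None:
        self.key = os.urandom(32)

    def issue_sas(self, resource: str, *, permissions: str = "", expiry=None,
                  policy_id: str = "") -> dict:
        # A SAS bound to a stored access policy carries only the identifier; permissions and
        # expiry are resolved from the policy at request time, which is what makes it revocable.
        sas = {"sr": resource, "sp": permissions,
               "se": expiry.isoformat() if expiry else "", "si": policy_id}
        sas["sig"] = _sign(self.key, sas)
        return sas

    def authorize(self, sas: dict, permission: str, now: datetime) -> str:
        # 1. The HMAC is recomputed with the *current* key: regenerating the key breaks every SAS.
        if not hmac.compare_digest(_sign(self.key, sas), sas["sig"]):
            return "denied: signature does not match current key"
        # 2. Policy-bound SAS: the policy must still exist under the same identifier.
        if sas["si"]:
            policy = self.policies.get(sas["si"])
            if policy is None:
                return "denied: stored access policy not found"
            perms, expiry = policy["sp"], policy["se"]
        else:
            perms, expiry = sas["sp"], datetime.fromisoformat(sas["se"])
        if now >= expiry:
            return "denied: expired"
        if permission not in perms:
            return "denied: permission not granted"
        return "allowed"


def walkthrough() -> dict:
    """Replays the scenario of questions 35 and 36 and returns the outcome at each step."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = StorageAccount()
    acct.policies["policy-a"] = {"sp": "rl", "se": now + timedelta(days=30)}
    adhoc = acct.issue_sas("container1", permissions="r", expiry=now + timedelta(days=7))
    bound = acct.issue_sas("container1", policy_id="policy-a")
    check = lambda: (acct.authorize(adhoc, "r", now), acct.authorize(bound, "r", now))

    results = {"initial": check()}
    acct.policies["policy-b"] = {"sp": "r", "se": now + timedelta(days=1)}  # question 35
    results["new_policy_created"] = check()
    del acct.policies["policy-a"]                                           # revokes bound SAS
    results["policy_deleted"] = check()
    acct.regenerate_key()                                                   # revokes everything
    results["key_regenerated"] = check()
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:20s} ad hoc SAS: {outcome[0]:45s} policy SAS: {outcome[1]}")
```

A resource lock does not appear in this path at all, which is why the answer to question 36 is No: the lock lives in the Resource Manager control plane, while every decision above is made by the data plane from the key and the policy table.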
Question 37: Skipped
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
1. You can configure multiple AD Connect connectors for the same Active Directory
domain.
2. You can configure multiple domains to sync with AD Connect.
3. Azure firewall supports inbound and outbound filtering.

Yes
Yes
Yes

No
No
Yes

No
Yes
No

No
Yes
Yes

(Correct)

Explanation
Correct answer is D.
Statement 1: No
Only one Azure AD Connect server can actively synchronize a given Active Directory domain to a tenant; multiple connectors for the same domain are not supported. You can, however, install a second server in staging mode for disaster recovery: it imports and synchronizes but does not export until you switch it to active.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-faq
Statement 2: Yes
You can configure multiple domains, and multiple forests, to sync with Azure AD through a single Azure AD Connect server.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains
Statement 3: Yes
Azure Firewall supports both inbound and outbound filtering. Inbound filtering uses DNAT rules and is intended for non-HTTP/S protocols such as RDP, SSH and FTP; for inbound HTTP/S protection, Microsoft recommends a web application firewall such as Azure Web Application Firewall in front of the workload.
For more info: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
Question 38: Skipped
You have an Azure Container Registry named Registry1.
You add role assignments for Registry1 as shown in the following table.

Which users can upload images to Registry1 and download images from Registry1? To
answer, select the appropriate options in the answer area.

Upload Images: User1 only


Download images: User1,User2 and User4

Upload Images: User1 and User4 only


Download images: User2 and User4 only

Upload Images: User1 and User4 only


Download images: User1,User2 and User4

(Correct)

Upload Images: User1,User2 and User4


Download images: User1 and User4 only
Explanation
Correct answer is C.
The Azure Container Registry service supports a set of built-in Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (Azure RBAC) to assign specific permissions to users, service principals, or other identities that need to interact with a registry. You can also define custom roles with fine-grained permissions to a registry for different operations.
For more info: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles
Upload images: User1 and User4 only. Owner, Contributor and AcrPush can push (upload) images; Reader and AcrPull cannot.
Download images: User1, User2 and User4. Owner, Contributor, Reader, AcrPush and AcrPull can all pull (download) images; AcrImageSigner grants only image signing, so it can neither push nor pull.
Question 39: Skipped
You have an Azure virtual machine named VM1.
From Azure Security Center, you get the following high-severity recommendation:
"Install endpoint protection solutions on virtual machine".

You need to resolve the issue causing the high-severity recommendation.


What should you do?

Add the Microsoft Antimalware extension to VM1.


(Correct)

Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1.

Add the Network Watcher Agent for Windows extension to VM1.

Onboard VM1 to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
Explanation
Correct answer is A.
Option A - CORRECT.
Microsoft Antimalware for Azure is a free real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. It is built on the same antimalware platform as Microsoft Security Essentials (MSE), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and later. It is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. Adding the extension to VM1 installs that agent, which is what the Security Center recommendation checks for.
For more info:
https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/iaas-antimalware-windows
Option B - INCORRECT.
The System Center management pack only lets Operations Manager monitor the health of devices that already run Endpoint Protection or Windows Defender; it does not install an antimalware engine on VM1, so the recommendation would remain.
Option C - INCORRECT.
Azure Network Watcher is a network performance monitoring, diagnostic, and analytics service for Azure networks. The Network Watcher Agent virtual machine extension is a requirement for capturing network traffic on demand and for other advanced network diagnostics; it has nothing to do with endpoint protection.
Option D - INCORRECT.
Onboarding VM1 to Microsoft Defender ATP adds an endpoint detection and response (EDR) sensor so the service can collect sensor data from the device, check it for vulnerable components and security configuration issues, and push remediation actions during attacks. That is a detection and response capability; it does not by itself satisfy the recommendation, which looks for a supported endpoint protection solution such as the Microsoft Antimalware extension.
Question 40: Skipped
You have an Azure subscription that contains an Azure key vault named Vault1.
On January 1, 2019, Vault1 stores the following secrets.

When can each secret be used by an application? To answer, select the appropriate options in the answer area.

Password1 : Never
Password2 : Always

Password1 : Only after May 1, 2019


Password2 : Always

Password1 : Only after May 1, 2019


Password2 : Only between March 1, 2019 and May 1, 2019

Password1 : Never
Password2 : Only between March 1, 2019 and May 1, 2019

(Correct)

Explanation
Correct answer is D.
Password1: Never
Password1 has its Enabled attribute set to No. A disabled secret cannot be retrieved at all, whatever its activation and expiration dates say.
Password2: Only between March 1, 2019 and May 1, 2019
Password2 is enabled, with an activation date (not before) of March 1, 2019 and an expiration date of May 1, 2019 (the attribute screenshot from the question is not reproduced here). On January 1, 2019 the secret is not yet active, so Key Vault will not hand it out, and once the expiration date is reached it becomes unusable again; only requests inside that window succeed.
For more info:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultsecretattribute
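The attribute logic behind the answer, written out as an added example (not code from the page or from the Key Vault SDK): the SecretAttributes class mirrors the attributes object the Key Vault REST API returns (enabled, and nbf/exp as Unix timestamps), evaluates whether a secret is usable at a given instant, and renders the usable window in the wording of the answer options. The two attribute records in VAULT1 are constructed to match the question, with dates assumed to be UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SecretAttributes:
    """Mirrors the 'attributes' object Key Vault returns for a secret (nbf/exp are Unix times)."""
    enabled: bool
    nbf: Optional[int] = None   # activation date ("not before"); None = no lower bound
    exp: Optional[int] = None   # expiration date; None = never expires

    @classmethod
    def from_rest(cls, attributes: dict) -> "SecretAttributes":
        return cls(bool(attributes.get("enabled", True)),
                   attributes.get("nbf"), attributes.get("exp"))

    def usable_at(self, when: datetime) -> bool:
        """True if a get on the secret would be allowed at 'when' (disabled overrides the dates)."""
        if not self.enabled:
            return False
        ts = int(when.timestamp())
        if self.nbf is not None and ts < self.nbf:
            return False
        if self.exp is not None and ts >= self.exp:
            return False
        return True

    def usable_window(self) -> Optional[Tuple[Optional[datetime], Optional[datetime]]]:
        """(start, end) during which the secret is usable; None means never, (None, None) always."""
        if not self.enabled:
            return None
        start = datetime.fromtimestamp(self.nbf, timezone.utc) if self.nbf is not None else None
        end = datetime.fromtimestamp(self.exp, timezone.utc) if self.exp is not None else None
        if start is not None and end is not None and start >= end:
            return None
        return start, end


# Constructed attribute records for the two secrets in the question (dates assumed UTC).
VAULT1 = {
    "Password1": SecretAttributes.from_rest({"enabled": False,
                                             "nbf": int(_utc(2019, 3, 1).timestamp()),
                                             "exp": int(_utc(2019, 5, 1).timestamp())}),
    "Password2": SecretAttributes.from_rest({"enabled": True,
                                             "nbf": int(_utc(2019, 3, 1).timestamp()),
                                             "exp": int(_utc(2019, 5, 1).timestamp())}),
}


def describe(attrs: SecretAttributes) -> str:
    """Renders the usable window in the wording the answer options use."""
    window = attrs.usable_window()
    if window is None:
        return "Never"
    start, end = window
    fmt = lambda d: f"{d:%B} {d.day}, {d.year}"
    if start is None and end is None:
        return "Always"
    if end is None:
        return f"Only after {fmt(start)}"
    if start is None:
        return f"Only before {fmt(end)}"
    return f"Only between {fmt(start)} and {fmt(end)}"


if __name__ == "__main__":
    for name, attrs in VAULT1.items():
        print(f"{name}: {describe(attrs)}; usable on Apr 1, 2019? {attrs.usable_at(_utc(2019, 4, 1))}")
```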
Question 41: Skipped
You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center.
You need to automate the mitigation of incidents in Azure Sentinel. The solution must
minimize administrative effort.
What should you create?

an alert rule

a playbook

(Correct)

a function app

a runbook
Explanation
Correct answer is B.
Option A - INCORRECT.
You can create custom alert rules to help you search for the types of threats and anomalies
that are suspicious in your environment. The rule makes sure you are notified right away, so
that you can triage, investigate, and remediate the threats.
Option B - CORRECT.
Use security playbooks in Azure Sentinel to set automated threat responses to security-related
issues detected by Azure Sentinel.
Many security alerts conform to recurring patterns that can be addressed by specific and
defined remediation actions. Azure Sentinel already enables you to define your remediation
in playbooks. It is also possible to set real-time automation as part of your playbook
definition to enable you to fully automate a defined response to particular security alerts.
Using real-time automation, response teams can significantly reduce their workload by fully
automating the routine responses to recurring types of alerts, allowing you to concentrate
more on unique alerts, analyzing patterns, threat hunting, and more.
For more info:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Option C - INCORRECT.
Azure Functions allows you to run small pieces of code (called "functions") without worrying
about application infrastructure. With Azure Functions, the cloud infrastructure provides all
the up-to-date servers you need to keep your application running at scale. A function is
"triggered" by a specific type of event.
Option D - INCORRECT.
Process automation in Azure Automation allows you to create and manage PowerShell,
PowerShell Workflow, and graphical runbooks. For details, see Azure Automation runbooks.
Question 42: Skipped
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active
Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You create a site-to-site VPN between the virtual network and the on-
premises network.
Does this meet the goal?

Yes

(Correct)

No
Explanation
Correct answer is A.
You can connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
HDInsight relies on a popular identity provider, Active Directory, in a managed way. By integrating HDInsight with Azure Active Directory Domain Services (Azure AD DS), you can access the clusters by using your domain credentials.
To join the HDInsight cluster to the directory (domain join), the cluster's virtual network needs connectivity to the domain controllers. In a hybrid environment the domain controllers that hold the users' credentials are on-premises, so even if a domain controller also exists in the virtual network, a site-to-site VPN or an ExpressRoute circuit is required for AD-integrated authentication.
This is how the environment is configured to support the planned authentication.
For more info:
https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture
Question 43: Skipped
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active
Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy the On-premises data gateway to the on-premises network.
Does this meet the goal?

Yes

No

(Correct)

Explanation
Correct answer is B.
The on-premises data gateway acts as a bridge. It provides quick and secure data transfer
between on-premises data, which is data that isn't in the cloud, and several Microsoft cloud
services. These services include Power BI, Power Apps, Power Automate, Azure Analysis
Services, and Azure Logic Apps.
By using a gateway, organizations can keep databases and other data sources on their on-
premises networks while securely using that on-premises data in cloud services.
This is not used for authentication.
Instead, you connect HDInsight to your on-premises network by using Azure Virtual
Networks and a VPN gateway to achieve the stated goal.
For more info: https://docs.microsoft.com/en-us/data-integration/gateway/service-gateway-onprem
Question 44: Skipped
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active
Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy an Azure AD Application Proxy.
Does this meet the goal?

Yes

No

(Correct)

Explanation
Correct answer is B.
Application Proxy is a feature of Azure AD that enables users to access on-premises web
applications from a remote client. Application Proxy includes both the Application Proxy
service which runs in the cloud, and the Application Proxy connector which runs on an on-
premises server. Azure AD, the Application Proxy service, and the Application Proxy
connector work together to securely pass the user sign-on token from Azure AD to the web
application.
Instead, you connect HDInsight to your on-premises network by using Azure Virtual
Networks and a VPN gateway to achieve the stated goal.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
Question 45: Skipped
What must you select when configuring Azure Security Center file integrity
monitoring?
Instruction: Choose the option that best answers the question.

Log analytics workspace

(Correct)

Load balancer

Network security group

Policy
Explanation
Correct answer is A.
Option A- CORRECT.
File integrity monitoring (FIM), also known as change monitoring, examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. FIM is built on the Change Tracking solution and stores its data in a Log Analytics workspace, so enabling it requires selecting the workspace whose monitored machines it should cover.
For more info: https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring

Option B- INCORRECT.
An Azure load balancer is a Layer-4 (TCP, UDP) load balancer that provides high
availability by distributing incoming traffic among healthy VMs. A load balancer health
probe monitors a given port on each VM and only distributes traffic to an operational VM.
Option C- INCORRECT.
A network security group contains security rules that allow or deny inbound network traffic
to, or outbound network traffic from, several types of Azure resources. For each rule, you can
specify source and destination, port, and protocol.
Option D- INCORRECT.
Azure Policy establishes conventions for resources. Policy definitions describe resource
compliance conditions and the effect to take if a condition is met. A condition compares a
resource property field to a required value. ... By defining conventions, you can control costs
and more easily manage your resources.
Question 46: Skipped
Which AAD authentication method allows for on-premises authentication without the
need for additional infrastructure (outside of agents)? The solution allows for a single
point of authentication.

Active Directory Federation Services

Pass-through Authentication

(Correct)

Seamless Single Sign-on (SSSO)

Password Hash Synchronization


Explanation
Correct answer is B.
Option A - INCORRECT.
Active Directory Federation Services (AD FS) enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. It extends single sign-on to Internet-facing applications for customers, partners and suppliers, but it requires dedicated federation servers and Web Application Proxy servers on-premises, which is exactly the additional infrastructure the question excludes.
Option B - CORRECT.
Pass-through Authentication (PTA) is an agent-based authentication method that lets users sign in to both on-premises and cloud-based applications with the same passwords. Authentication occurs against on-premises AD domain controllers through lightweight authentication agents, which can be installed on any server running Windows Server 2012 R2 or later, so no federation farm is needed and the domain controllers remain the single point of authentication.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Option C - INCORRECT.
Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on corporate devices connected to the corporate network, without additional on-premises components. It is a convenience feature that complements PHS or PTA rather than an authentication method in its own right.
Option D - INCORRECT.
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of the hash of each user's password from on-premises Active Directory to Azure AD, and authentication then happens in the cloud rather than on-premises.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
Question 47: Skipped
You are using the Point-in-time Restore (PiTR) feature to restore Azure SQL database.
Which statement regarding this scenario is correct?

Cross-region restore is supported

PiTR allows only restoration from weekly backups.

The restore can occur into a new database.

(Correct)

PiTR requires the SQL server to be down.


Explanation
Correct answer is C.
Use point-in-time restore (PITR) to create a database as a copy of another database from some time in the past. The restore always produces a new database on the same server or managed instance; the existing database is never overwritten in place, so you can restore, verify, and then copy data or rename as needed.
All Basic, Standard, and Premium databases are protected by automatic backups. Full backups are taken every week, differential backups every day, and log backups every 5 minutes; PITR replays that whole chain, not just the weekly full backup.
Cross-region restore is not supported for PITR: when restoring from one managed instance to another, both instances must be in the same subscription and region (geo-restore is the separate cross-region option). The service stays online throughout; nothing has to be taken down.
Hence the best answer is C and the other answers are incorrect.
For more info: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/point-in-time-restore?tabs=azure-portal
Question 48: Skipped
What is required to authenticate to an Azure container registry?
Instruction: Choose the option that best answers the question.

username, encryption key

username, password, registry passphrase

username, PIN

server, username, password

(Correct)

Explanation
Correct answer is D.
When you log in to a registry with the Docker CLI (docker login), you supply the registry's login server name (for example, myregistry.azurecr.io), a username, and a password. Depending on the authentication option, the username and password are an Azure AD access token (username 00000000-0000-0000-0000-000000000000 with the token as the password, obtained with az acr login), a service principal's application ID and secret, or the registry's admin account credentials.
For more info: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication
Question 49: Skipped
You plan to use Azure Monitor Logs to collect logs from 200 servers that run Windows
Server 2016.
You need to automate the deployment of the Log Analytics Agent to all the servers by
using an Azure Resource Manager template.
How should you complete the template? To answer, select the appropriate options in the
answer area.

1st dropdown : "WorkspaceURL"


2nd dropdown : "WorkspaceID"

1st dropdown : "WorkspaceName"


2nd dropdown : "WorkspaceKey"

1st dropdown : "WorkspaceKey"


2nd dropdown : "WorkspaceID"

1st dropdown : "WorkspaceID"


2nd dropdown : "WorkspaceKey"

(Correct)

Explanation
Correct answer is D.
The following JSON shows the schema for the Log Analytics agent extension. The extension requires the workspace ID and workspace key from the target Log Analytics workspace. These can be found in the settings for the workspace in the Azure portal. Because the workspace key should be treated as sensitive data, it should be stored in a protected setting configuration. Azure VM extension protected setting data is encrypted, and only decrypted on the target virtual machine. Note that workspaceId and workspaceKey are case-sensitive.
JSON:
{
  "type": "extensions",
  "name": "OMSExtension",
  "apiVersion": "[variables('apiVersion')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.EnterpriseCloud.Monitoring",
    "type": "MicrosoftMonitoringAgent",
    "typeHandlerVersion": "1.0",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "workspaceId": "myWorkSpaceId"
    },
    "protectedSettings": {
      "workspaceKey": "myWorkspaceKey"
    }
  }
}

Therefore the correct answer is:
1st dropdown: "WorkspaceID"
2nd dropdown: "WorkspaceKey"
For more info:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows?toc=%2Fazure%2Fazure-monitor%2Ftoc.json#extension-schema
https://docs.microsoft.com/en-us/archive/blogs/manageabilityguys/enabling-the-microsoft-monitoring-agent-in-windows-json-templates
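The security point of the schema above is that the key belongs in protectedSettings, not settings, and a template that gets that wrong deploys fine while exposing the key to anyone who can read the deployment history. The following is an added example, not code from the page or from any Microsoft tool: a small audit that walks an ARM template (including extensions nested under a VM resource) and flags sensitive-looking values placed in plain settings, plus the two Log Analytics agent fields the answer depends on. The template fragment is constructed for the example, the name-based SENSITIVE_MARKERS heuristic is an assumption, and it generalizes beyond the page's case to any VM extension that carries a secret.

```python
import json

# Constructed template, not from the page: the first extension follows the documented schema,
# the second puts the workspace key in plain "settings". ARM expressions are plain strings here.
TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "name": "vm1",
      "resources": [
        {
          "type": "extensions",
          "name": "OMSExtension",
          "properties": {
            "publisher": "Microsoft.EnterpriseCloud.Monitoring",
            "type": "MicrosoftMonitoringAgent",
            "settings": {"workspaceId": "[parameters('workspaceId')]"},
            "protectedSettings": {"workspaceKey": "[parameters('workspaceKey')]"}
          }
        }
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "vm2/OMSExtension",
      "properties": {
        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
        "type": "MicrosoftMonitoringAgent",
        "settings": {"workspaceId": "abc", "workspaceKey": "c2VjcmV0"}
      }
    }
  ]
}
""")

# Assumption: a setting whose name contains one of these words is a secret.
SENSITIVE_MARKERS = ("key", "password", "secret", "token")


def iter_resources(resources, parent=""):
    """Yield (qualified name, resource) for every resource, descending into nested ones."""
    for res in resources:
        name = f"{parent}/{res.get('name', '?')}" if parent else res.get("name", "?")
        yield name, res
        yield from iter_resources(res.get("resources", []), name)


def audit_extension_settings(template: dict) -> list:
    """Return human-readable findings for every VM extension in the template."""
    findings = []
    for name, res in iter_resources(template.get("resources", [])):
        if not str(res.get("type", "")).endswith("extensions"):
            continue
        props = res.get("properties", {})
        settings = props.get("settings", {}) or {}
        protected = props.get("protectedSettings", {}) or {}
        # Anything secret-like in plain settings is stored unencrypted in the deployment.
        for key in settings:
            if any(m in key.lower() for m in SENSITIVE_MARKERS):
                findings.append(f"{name}: '{key}' is in plain settings; move it to protectedSettings")
        # The Log Analytics agent specifically needs workspaceId (plain) and workspaceKey (protected).
        if props.get("type") == "MicrosoftMonitoringAgent":
            if "workspaceId" not in settings:
                findings.append(f"{name}: settings.workspaceId missing")
            if "workspaceKey" not in protected:
                findings.append(f"{name}: protectedSettings.workspaceKey missing")
    return findings


if __name__ == "__main__":
    for finding in audit_extension_settings(TEMPLATE) or ["no findings"]:
        print(finding)
```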
Question 50: Skipped
You have 10 virtual machines on a single subnet that has a single network security
group (NSG).
You need to log the network traffic to an Azure Storage account.
Which two actions should you perform? Each correct answer presents part of the
solution.

Install the Network Performance Monitor solution.

Enable Azure Network Watcher.

(Correct)

Enable diagnostic logging for the NSG.

Enable NSG flow logs.

(Correct)

Create an Azure Log Analytics workspace.


Explanation
Correct answer is B and D.
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability, which writes the flow records to a storage account. NSG diagnostic logs (option C) record rule and counter events rather than the traffic itself, and neither the Network Performance Monitor solution nor a Log Analytics workspace is needed to write flow logs to storage.
Steps include:
1. Create a VM with a network security group
2. Enable Network Watcher and register the Microsoft.Insights provider
3. Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
4. Download logged data
5. View logged data
For more info:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
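Steps 4 and 5 leave you with JSON blobs in the storage account; what a practitioner actually wants from them is a quick answer to "who is being denied inbound, and what is getting through". The following is an added example, not code from the page or from Network Watcher: a parser for the Version 2 flow log layout (one flow tuple per line in the order timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state, and four traffic counters) with two summaries built on it. The SAMPLE document is constructed for the example; the function names are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the NSG flow log (Version 2) layout; not real captured data.
SAMPLE = json.loads("""
{"records": [{
  "time": "2018-11-13T12:00:35Z",
  "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
  "operationName": "NetworkSecurityGroupFlowEvents",
  "properties": {
    "Version": 2,
    "flows": [
      {"rule": "DefaultRule_DenyAllInBound",
       "flows": [{"mac": "000D3AF87856", "flowTuples": [
          "1542110402,198.51.100.7,10.0.0.4,51234,3389,T,I,D,B,,,,",
          "1542110403,198.51.100.7,10.0.0.4,51235,22,T,I,D,B,,,,",
          "1542110404,198.51.100.7,10.0.0.4,51236,445,T,I,D,B,,,,",
          "1542110405,203.0.113.9,10.0.0.4,40000,23,T,I,D,B,,,,"]}]},
      {"rule": "UserRule_AllowWeb",
       "flows": [{"mac": "000D3AF87856", "flowTuples": [
          "1542110410,192.0.2.10,10.0.0.4,44000,443,T,I,A,B,,,,",
          "1542110411,192.0.2.10,10.0.0.4,44001,80,T,I,A,E,6,780,5,2940"]}]},
      {"rule": "DefaultRule_AllowInternetOutBound",
       "flows": [{"mac": "000D3AF87856", "flowTuples": [
          "1542110420,10.0.0.4,13.107.42.14,50123,443,T,O,A,C,12,2300,10,8800"]}]}
    ]}}]}
""")


def parse_flow_log(doc: dict):
    """Yield one dict per flow tuple, carrying the NSG name, the matched rule and decoded fields."""
    for record in doc.get("records", []):
        nsg = record.get("resourceId", "").rsplit("/", 1)[-1]
        for rule_block in record.get("properties", {}).get("flows", []):
            rule = rule_block.get("rule")
            for flow in rule_block.get("flows", []):
                for tup in flow.get("flowTuples", []):
                    parts = tup.split(",")
                    yield {
                        "nsg": nsg, "rule": rule, "mac": flow.get("mac"),
                        "time": datetime.fromtimestamp(int(parts[0]), timezone.utc),
                        "src": parts[1], "dst": parts[2],
                        "sport": int(parts[3]), "dport": int(parts[4]),
                        "proto": {"T": "tcp", "U": "udp"}.get(parts[5], parts[5]),
                        "inbound": parts[6] == "I",
                        "allowed": parts[7] == "A",
                        # Flow state and byte/packet counters exist only in Version 2 logs.
                        "state": parts[8] if len(parts) > 8 else None,
                    }


def denied_inbound_by_source(doc: dict, top: int = 3) -> list:
    """Most frequent source IPs whose inbound flows were denied (scanners show up here first)."""
    counts = Counter(f["src"] for f in parse_flow_log(doc) if f["inbound"] and not f["allowed"])
    return counts.most_common(top)


def allowed_inbound_ports(doc: dict) -> list:
    """Destination ports that actually received allowed inbound traffic: the real exposure."""
    return sorted({f["dport"] for f in parse_flow_log(doc) if f["inbound"] and f["allowed"]})


if __name__ == "__main__":
    print("denied inbound, by source:", denied_inbound_by_source(SAMPLE))
    print("allowed inbound ports:", allowed_inbound_ports(SAMPLE))
```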
Question 51: Skipped
Your company has an Azure subscription named Sub1 that is associated to an Azure
Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the
application users.
What should you configure?

an application permission without admin consent

a delegated permission without admin consent

(Correct)


a delegated permission that requires admin consent

an application permission that requires admin consent


Explanation
Correct answer is B.
Option A - INCORRECT
An application permission lets the client call the API as itself, with no user context. App1 would then read secrets under its own identity regardless of which user is signed in, which is not acting on behalf of the application users; application permissions also always require administrator consent, so "without admin consent" cannot apply.
Option B - CORRECT
Delegated permissions are used by apps that have a signed-in user present. Either the user or an administrator consents to the permissions the app requests, and the app is delegated permission to act as the signed-in user when making calls to the target resource. Key Vault exposes a single delegated permission, user_impersonation, which does not require admin consent; the user's own Key Vault access then determines which secrets App1 can read on their behalf.
Option C - INCORRECT
Some higher-privileged delegated permissions require administrator consent, but Key Vault's user_impersonation permission does not.
Option D - INCORRECT
An application permission requires administrator consent and grants access as the app itself (no user context), so it does not meet the requirement of accessing secrets on behalf of the users.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
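What "act as the signed-in user" means in practice is visible in the access token App1 presents to Key Vault: a delegated token carries an scp claim and the user's object ID, while an app-only token has no scp and its object ID is the app's service principal. The following is an added example, not code from the page or from any Microsoft library: it decodes a token's claims (without verifying the signature, so for inspection only) and reports which permission model it represents and which identity Key Vault will evaluate. The tokens are constructed with an empty signature for the example; the claim names aud, scp, oid and appid are the real ones, the classify function and the identifiers inside the tokens are assumptions.

```python
import base64
import json
from typing import Optional, Tuple

KEY_VAULT_AUDIENCE = "https://vault.azure.net"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Payload claims of a JWT, *without* signature verification: inspection only."""
    _header, payload, _signature = token.split(".")
    return json.loads(_unb64url(payload))


def classify(claims: dict) -> Tuple[str, Optional[str]]:
    """(permission model, object ID that Key Vault will authorize) for an access token.

    Delegated tokens carry 'scp' and the signed-in user's 'oid', so Key Vault evaluates the
    user's access. App-only tokens have no 'scp' and their 'oid' is the app's service principal.
    """
    if claims.get("aud") != KEY_VAULT_AUDIENCE:
        return "invalid", None                       # token was minted for another API
    if "scp" in claims:
        if "user_impersonation" not in claims["scp"].split():
            return "delegated", None                 # delegated, but not to Key Vault's scope
        return "delegated", claims.get("oid")
    return "application", claims.get("oid")


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (alg=none, empty signature). Never accept such a token in production."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed claim sets, not real tokens.
DELEGATED_TOKEN = make_unsigned_token({
    "aud": KEY_VAULT_AUDIENCE, "appid": "app1-client-id", "oid": "user1-object-id",
    "upn": "user1@contoso.com", "scp": "user_impersonation"})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": KEY_VAULT_AUDIENCE, "appid": "app1-client-id", "oid": "app1-sp-object-id"})
WRONG_AUDIENCE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "oid": "user1-object-id", "scp": "User.Read"})


if __name__ == "__main__":
    for label, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN),
                       ("wrong audience", WRONG_AUDIENCE_TOKEN)):
        print(f"{label:15s} -> {classify(decode_claims(tok))}")
```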
Question 52: Skipped
You have configured an Azure SQL Failover Group and executed a forced failover.
Which statement regarding this scenario is correct?

There could be some data loss

(Correct)

Databases in the group will be unavailable for the grace period.


All databases in the failover group will be restored to new databases.

There will not be any data loss since synchronization will occur first.
Explanation
Correct answer is A.
Forced failover of a failover group might result in data loss. An unplanned (forced) failover immediately switches the secondary to the primary role without synchronizing with the primary, so any transactions that had not yet been replicated are lost. Forced failover is used as a recovery method during outages when the primary is not accessible. When the original primary comes back online, it automatically reconnects without synchronization and becomes the new secondary. The databases are not restored to new databases, and the grace period belongs to the automatic failover policy rather than to a manual forced failover, which rules out the other options.
For more info: https://docs.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-overview?tabs=azure-powershell
Question 53: Skipped
You suspect that users are attempting to sign in to resources to which they have no
access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts
from the last three days. The results must only show users who had more than five
failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the
answer area.

DataType
Countif(),

ActivityID
Split(),


EventID
Count(),

(Correct)

ActivityID
Count(),
Explanation
Correct answer is C.
The query filters SecurityEvent on EventID 4625 (an account failed to log on), summarizes with count() per account, and keeps only the accounts above the threshold. The Microsoft example below identifies user accounts that failed to log in more than five times and when they last attempted to log in; it uses a one-day window, so the timeframe is set to 3d here to match the question.
let timeframe = 3d;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log on
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1
arg_max(TimeGenerated, Account) returns the Account column a second time; because it collides with the grouping column it is auto-named Account1, which the final project-away drops.
For more info:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples
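The same detection logic run over sample events, as an added example that is not part of the original page: the function mirrors the KQL pipeline stage by stage (time window, AccountType and EventID filter, count and latest-time per account, threshold), so the output columns match the query's. The SecurityEvent rows are constructed for the example and include the cases a tester would want to see excluded (events older than the window, an account with exactly five failures, a machine account, and successful 4624 logons); the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def _burst(account: str, start: datetime, n: int, event_id: int = 4625,
           account_type: str = "User") -> List[Dict]:
    """Constructed SecurityEvent rows: n events one minute apart starting at 'start'."""
    return [{"TimeGenerated": start + timedelta(minutes=i), "EventID": event_id,
             "AccountType": account_type, "Account": account} for i in range(n)]


NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample data, not real logs. Only user1 should be reported at the default threshold.
EVENTS = (
    _burst("CONTOSO\\user1", NOW - timedelta(days=1, hours=2), 6)            # 6 failures in window
    + _burst("CONTOSO\\user1", NOW - timedelta(days=4), 3)                   # older than 3 days: ignored
    + _burst("CONTOSO\\user2", NOW - timedelta(hours=5), 5)                  # exactly 5: not > 5
    + _burst("CONTOSO\\VM1$", NOW - timedelta(hours=1), 8, account_type="Machine")
    + _burst("CONTOSO\\user3", NOW - timedelta(hours=3), 9, event_id=4624)   # successful logons
)


def failed_logins(events: List[Dict], now: datetime, timeframe: timedelta = timedelta(days=3),
                  threshold: int = 5) -> List[Dict]:
    """Python equivalent of the KQL above, one stage per comment."""
    cutoff = now - timeframe                                   # ago(timeframe)
    stats: Dict[str, Dict] = {}
    for ev in events:
        if not ev["TimeGenerated"] > cutoff:                   # where TimeGenerated > ago(timeframe)
            continue
        if ev["AccountType"] != "User" or ev["EventID"] != 4625:   # where AccountType == 'User' and EventID == 4625
            continue
        s = stats.setdefault(ev["Account"],                    # summarize ... by Account
                             {"failed_login_attempts": 0, "latest_failed_login": None})
        s["failed_login_attempts"] += 1                        # count()
        if s["latest_failed_login"] is None or ev["TimeGenerated"] > s["latest_failed_login"]:
            s["latest_failed_login"] = ev["TimeGenerated"]     # arg_max(TimeGenerated, ...)
    return sorted(                                             # where failed_login_attempts > 5
        ({"Account": acct, **s} for acct, s in stats.items() if s["failed_login_attempts"] > threshold),
        key=lambda row: row["failed_login_attempts"], reverse=True)


if __name__ == "__main__":
    for row in failed_logins(EVENTS, NOW):
        print(row)
```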
Question 54: Skipped
You have an Azure subscription that contains virtual machines.
You enable just in time (JIT) VM access to all the virtual machines.
You need to connect to a virtual machine by using Remote Desktop.
What should you do first?

From Azure Active Directory (Azure AD) Privileged Identity Management (PIM), activate the Security Administrator user role.


From Azure Active Directory (Azure AD) Privileged Identity Management (PIM), activate the
Owner role for the virtual machine.

From the Azure portal, select the virtual machine, select Connect, and then select Request access.

(Correct)

From the Azure portal, select the virtual machine and add the Network Watcher Agent virtual
machine extension.
Explanation
Correct answer is C.
Option A - INCORRECT.
Users with the Security Administrator role can manage security-related features in the Microsoft 365 security center, Azure AD Identity Protection, Azure AD Authentication, Azure Information Protection, and the Office 365 Security & Compliance Center. Holding that role does not open a JIT-protected port for an RDP connection.
Option B - INCORRECT.
Owner grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Even an Owner still has to request JIT access; the role alone does not open the port.
Option C - CORRECT.
On the Connect to virtual machine page, select RDP, and then select the appropriate IP address and port number. In most cases, the default IP address and port should be used. Select Download RDP File.
If the VM has a just-in-time policy set, you first need to select the Request access button to request access before you can download the RDP file. Security Center then adds a temporary allow rule to the NSG for your source IP address and the requested port, for the approved duration. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
For more info: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/connect-logon
Option D - INCORRECT.
The Network Watcher Agent virtual machine extension is a requirement for capturing network traffic on demand and for other advanced functionality on Azure virtual machines; it is used by Connection Monitor, Connection Troubleshoot and Packet Capture. It has nothing to do with connecting to a JIT-enabled VM over RDP.
Question 55: Skipped
Your network contains an Active Directory forest named contoso.com. The forest
contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active
Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure
AD tenant.
You need to recommend an integration solution that meets the following requirements:

** Ensures that password policies and user logon restrictions apply to user accounts
that are synced to the tenant
** Minimizes the number of servers required for the solution.

Which authentication method should you include in the recommendation?

federated identity with Active Directory Federation Services (AD FS)

password hash synchronization with seamless single sign-on (SSO)

pass-through authentication with seamless single sign-on (SSO)

(Correct)

Explanation
Correct answer is C.
Option A - INCORRECT.
A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD; it is up to the organization using the federated system to make sure it is deployed securely and can handle the authentication load. AD FS also needs dedicated federation and Web Application Proxy servers, which conflicts with the requirement to minimize servers.
Option B - INCORRECT.
Password hash synchronization with seamless SSO is the simplest overall solution and needs no servers beyond Azure AD Connect, but authentication then happens in the cloud against the synchronized hash: on-premises logon restrictions such as logon hours are not enforced at sign-in, and account state changes reach Azure AD only at the next synchronization. It therefore fails the first requirement.
Option C - CORRECT.
Pass-through authentication validates the password against on-premises domain controllers through lightweight authentication agents, so on-premises password policies and user logon restrictions are enforced at every sign-in. The agents can run on the Azure AD Connect server or on existing servers, which keeps the server count far below an AD FS deployment, and seamless SSO adds single sign-on for domain-joined devices at no extra infrastructure cost.
For more info: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
Question 56: Skipped
You have an Azure subscription named Sub1 that is associated to an Azure Active
Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 has access to the following identities:

** An OpenID-enabled user account


** A Hotmail account
** An account in contoso.com
** An account in an Azure AD tenant named fabrikam.com

You plan to use Azure Account Center to transfer the ownership of Sub1 to Admin1.
To which accounts can you transfer the ownership of Sub1?

contoso.com only

contoso.com, fabrikam.com, and Hotmail only

contoso.com and fabrikam.com only

(Correct)

contoso.com, fabrikam.com, Hotmail, and OpenID-enabled user account


Explanation
Correct answer is C.
Subscription ownership can only be transferred to an account that belongs to an Azure AD tenant, whether the subscription's current tenant (contoso.com) or another one (fabrikam.com). A Hotmail (Microsoft account) identity and an OpenID-enabled identity are not Azure AD directory accounts, so the transfer cannot target them. Hence the only valid targets are the contoso.com and fabrikam.com accounts.
For more info: https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer#transfer-a-subscription-to-another-azure-ad-tenant-accoun
Question 57: Skipped
You have an Azure web app named WebApp1.
You upload a certificate to WebApp1.
You need to make the certificate accessible to the app code of WebApp1.
What should you do?

Add a user-assigned managed identity to WebApp1.

Add an app setting to the WebApp1 configuration.

(Correct)

Enable system-assigned managed identity for the WebApp1.

Configure the TLS/SSL binding for WebApp1.


Explanation
Correct answer is B.
Option A - INCORRECT.
Option B - CORRECT.
To access a certificate in your app code, add its thumbprint to
the  WEBSITE_LOAD_CERTIFICATES  app setting, by running the following command in
the Cloud Shell:
az webapp config appsettings set --name <app-name> --resource-group <resource-
group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-
certificate-thumbprints>
The  WEBSITE_LOAD_CERTIFICATES  app setting makes the specified certificates accessible to
your Windows hosted app in the Windows certificate store, and the location depends on
the pricing tier.
The command makes the certificate available to the app code by adding the thumbprint of the
certificate. The app setting is WEBSITE_LOAD_CERTIFICATES, and it is configured in
the command using the parameter 'appsettings'. Hence, the answer is 'B'.
For more info : https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-
in-code
Option C - INCORRECT.
Same explanation as option A.
Option D - INCORRECT.
In your application code, you can access the public or private certificates you add to App Service. Your app code may act as a client and access an external service that requires certificate authentication, or it may need to perform cryptographic tasks.
This approach to using certificates in your code relies on the TLS functionality in App Service, which requires your app to be in the Basic tier or above. If your app is in the Free or Shared tier, you can include the certificate file in your app repository instead. Since the question says nothing about the WebApp tier, the default Free tier is assumed.
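The WEBSITE_LOAD_CERTIFICATES value in the command above is a comma-separated list of thumbprints, and a mistyped thumbprint silently loads nothing. The following POSIX shell example is added here and is not part of the practice test or the Microsoft documentation; it validates and joins the thumbprints and prints the az command instead of running it, and the app name WebApp1, resource group RG1 and the thumbprints are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the practice test): assemble and validate the
# WEBSITE_LOAD_CERTIFICATES app setting before handing it to the Azure CLI.

# Normalize one thumbprint: drop the spaces/colons that certificate viewers
# insert and upper-case the hex digits. Returns 1 if the result is not a
# SHA-1 thumbprint (exactly 40 hex characters).
normalize_thumbprint() {
    t=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    case "$t" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#t}" -eq 40 ] || return 1
    printf '%s' "$t"
}

# Join validated thumbprints with commas, the format the app setting expects.
# The documented single value "*" loads every certificate uploaded to the app.
build_load_certificates_value() {
    if [ "$#" -eq 1 ] && [ "$1" = "*" ]; then
        printf '*'
        return 0
    fi
    out=""
    for raw in "$@"; do
        tp=$(normalize_thumbprint "$raw") || return 1
        out="${out:+$out,}$tp"
    done
    printf '%s' "$out"
}

# Print the az CLI command from the explanation with the value filled in.
# It is printed, not executed, so this runs offline; pipe it to sh to apply.
load_certificates_command() {
    app="$1"; rg="$2"; shift 2
    value=$(build_load_certificates_value "$@") || return 1
    printf 'az webapp config appsettings set --name %s --resource-group %s --settings WEBSITE_LOAD_CERTIFICATES=%s\n' "$app" "$rg" "$value"
}

# Constructed sample thumbprints (placeholders, not real certificates).
load_certificates_command WebApp1 RG1 \
    "E6:61:A3:F0:B4:C1:D2:E3:F4:A5:B6:C7:D8:E9:F0:A1:B2:C3:D4:E5" \
    "0123456789abcdef0123456789abcdef01234567"
```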
Question 58: Skipped
You have an Azure subscription named Subscription1.
You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?

the AzurePerformanceDiagnostics extension

Azure HDInsight


Linux Diagnostic Extension (LAD) 3.0

(Correct)

Azure Analysis Services


Explanation
Correct answer is C.
Option A - Azure Performance Diagnostics VM Extension helps collect performance diagnostic data from Windows VMs. The extension performs analysis, and provides a report of findings and recommendations to identify and resolve performance issues on the virtual machine. This extension installs a troubleshooting tool called PerfInsights. This extension can be installed on Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. It can also be installed on Windows 8.1 and Windows 10. Hence option A is incorrect.
For more info : https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics-vm-extension#:~:text=Azure%20Performance%20Diagnostics%20VM%20Extension%20helps%20collect%20performance%20diagnostic%20data,issues%20on%20the%20virtual%20machine.
Option B - Azure HDInsight is a cloud distribution of Hadoop components. Azure
HDInsight makes it easy, fast, and cost-effective to process massive amounts of data. You
can use the most popular open-source frameworks such as Hadoop, Spark, Hive, LLAP,
Kafka, Storm, R, and more. Hence option B is incorrect.
Option C - Use the Linux Diagnostic Extension to monitor metrics and logs. The Linux Diagnostic Extension helps a user monitor the health of a Linux VM running on Microsoft Azure. It has the following capabilities:
- Collects system performance metrics from the VM and stores them in a specific table in a designated storage account.
- Retrieves log events from syslog and stores them in a specific table in the designated storage account.
- Enables users to customize the data metrics that are collected and uploaded.
- Enables users to customize the syslog facilities and severity levels of events that are collected and uploaded.
- Enables users to upload specified log files to a designated storage table.
- Supports sending metrics and log events to arbitrary EventHub endpoints and JSON-formatted blobs in the designated storage account.
Hence option C is correct.
For more info : https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux#:~:text=Introduction,in%20a%20designated%20storage%20account.
Option D - Azure Analysis Services is a new preview service in Microsoft Azure where you
can host semantic data models. Users in your organization can then connect to your data
models using tools like Excel, Power BI and many others to create reports and perform ad-
hoc data analysis. Hence option D is incorrect.
Question 59: Skipped
You have an Azure Storage account named storage1 that has a container named
container1.
You need to prevent the blobs in container1 from being modified.
What should you do?

From container1, change the access level.

From container1, add an access policy.

(Correct)

From container1, modify the Access Control (IAM) settings.

From storage1, enable soft delete for blobs.


Explanation
Correct answer is B.
Option A - INCORRECT.
When a container is configured for public access, any client can read data in that container.
Public access presents a potential security risk, so if your scenario does not require it,
Microsoft recommends that you disallow it for the storage account. For more information,
see Prevent anonymous public read access to containers and blobs.
Option B - CORRECT.
You can either set an immutable (read-only) policy or a legal hold (cannot delete) policy.
Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval.
For more info : https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage
Option C - INCORRECT.
You cannot assign an RBAC role to the whole organization; role-based access control applies to specific users and identities. Assigning RBAC (Access Control IAM) to an entire organization (to each individual) is impractical and extreme.
Option D - INCORRECT.
When turned on, soft delete enables you to save and recover your data where blobs or blob
snapshots are deleted. This protection extends to blob data that is erased as the result of an
overwrite.
Question 60: Skipped
You have an Azure Active Directory (Azure AD) tenant named
contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the [email protected] sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and
receives the following error message:
"Unable to invite user [email protected] Generic authorization exception."

You need to ensure that Admin1 can invite the external partner to sign in to the Azure
AD tenant.
What should you do?

From the Roles and administrators blade, assign the Security administrator role to Admin1.

From the Organizational relationships blade, add an identity provider.

From the Custom domain names blade, add a custom domain.

From the Users blade, modify the External collaboration settings.

(Correct)

Explanation
Correct answer is D.
"Generic Authorization error" means you don't have permission to invite. Change the User settings option in the Azure AD portal. Admins and users in the Guest Inviter role can invite.
You need to allow guest invitations in the External collaboration settings.
By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests.
Azure AD allows you to restrict what external guest users can see in your Azure AD directory.
Follow the steps below in the portal to achieve this:
- Search for Users in the portal.
- Go to Users.
- Go to User settings.
- Go to External collaboration settings.
- Select Yes for the second and third settings.
- Save.
For more info :
https://techcommunity.microsoft.com/t5/azure-active-directory/generic-authorization-exception-inviting-azure-ad-gests/m-p/274742
https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter
active-directory/external-identities/delegate-invitations
Pass AZ-500 Certification Exam with 4 practice tests which includes 240 Questions
with latest exam 2020 pattern.
By the numbers
Skill level: All Levels
Students: 663
Languages: English
Captions: No
Description
This course is designed for students who want to attain the "Microsoft Azure Security Technologies (AZ-500)" certification.
This course covers the AZ-500 exam and includes 4 practice tests, each with 60 questions (4x60 = 240 questions).
The practice test questions are compiled from actual exam questions, the actual exam pattern and the actual exam difficulty level, with a focus on giving a clear and simple understanding of each module / topic of Azure required to pass the AZ-500 exam.
TOP 10 REASONS WHY THESE PRACTICE EXAMS ARE YOUR BEST CHANCE TO
ACE YOUR AZURE EXAM:
1) 100% CONFORMS TO THE AZ-500 EXAM BLUEPRINT: All Practice Tests reflect the latest Azure exam question/answer format.
2) SIMULATE THE ACTUAL CERTIFICATION EXAM: All Practice Tests are timed
(150 min to answer 55 questions) and scored (passing score is 80 %) mimicking the
real exam environment so you get familiar with the AZURE exam format.
3) DEEP DIVE REFERENCE LINKS: To help you understand the concepts, all answers
link to relevant sections of official document  - the most comprehensive collection of
exam-specific information for the Microsoft Azure Security Technologies Certified
exam.
4) DETAILED EXPLANATIONS FOR ALL ANSWERS: After completing the practice
test, you get to review and check your answers. Every question includes a detailed
explanation that explains why each answer is correct or incorrect, supporting your
understanding of AZURE Services / topics which are key to passing the exam.
5) Regular UPDATES OF QUESTION BANK: We're constantly improving and
updating the questions based on exam feedback from our students.
6) TEST REPORT: Upon completion of the Practice Test you are presented with a
report. This allows you to track your progress and highlights the AZURE knowledge
areas you need to focus on most in your studies.
7) FOCUS ON COMPLETING THE ENTIRE AZ-500 SYLLABUS: The practice tests cover each module and all topics of the AZ-500 exam syllabus that you need to understand to pass this exam.
8) RESPONSIVE INSTRUCTOR SUPPORT: We comprehensively respond to all of
your questions, concerns or feedback within 24 hours. You can contact your
instructor directly or via the course Q&A forum.
9) ACTIVE Q&A DISCUSSION BOARD: Join the discussion on Azure related topics in
our Q&A discussion board where our students share their recent exam experience
offering feedback on which topics were covered.
10) MOBILE ACCESS: Study on the go and access all practice questions from your
mobile phone -anywhere, anytime.
The objectives covered in this course are
- Module 1 : Manage identity and access (30-35%)
- Module 2 : Implement platform protection (15-20%)
- Module 3 : Manage security operations (25-30%)
- Module 4 : Secure data and applications (20-25%)

Who this course is for:


- Those who want to pursue the AZ-500 : Microsoft Azure Security Technologies certification.
- Those who want to pass the AZ-500 : Microsoft Azure Security Technologies exam on the first sitting.
- Those who want to become Microsoft Azure Security Technologies.
What you’ll learn

- Students will be fully prepared for the AZ-500 certification exam.
- Students will learn the types of questions asked, the exam pattern and the topic areas required to pass the AZ-500 exam.
- The ability to understand how to start working with Azure as a Microsoft Azure Security Technologist.

Are there any course requirements or prerequisites?

- No

Who this course is for:

- Anyone who wants to start a career in the cloud and get certified in Microsoft Azure.
- Anyone who wants to pass the AZ-500 certification exam on the first attempt.
- Anyone who wants to become a Microsoft Azure Security Engineer and Expert.
Instructor

Durga N Mondal
Software Development Technical MDM and Cloud Lead
A Software Development Technical MDM and Cloud Lead with over 10 years of experience in the IT and software field, and a Microsoft Certified Trainer (MCT).
Completed Certifications : AZ-900 , AZ-104, AZ-303,AZ-304.
My mission is to act as a stimulant to bring positive career change for everyone by
sharing my Technical knowledge on this forum. My study materials are made to help
the professionals to get certified, and thus achieve their career goals.