Last Updated on November 1, 2021 by Admin 2

AZ-500 : Microsoft Azure Security Technologies : Part 03

  1. SIMULATION

    The developers at your company plan to publish an app named App11641655 to Azure.

    You need to ensure that the app is registered to Azure Active Directory (Azure AD). The registration must use the sign-on URLs of https://app.contoso.com.

    To complete this task, sign in to the Azure portal and modify the Azure resources.

    • See the explanation below.
    Explanation:

    Step 1: Register the Application
    1. Sign in to your Azure Account through the Azure portal.
    2. Select Azure Active Directory.
    3. Select App registrations.
    4. Select New registration.
    5. Name the application App11641655. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI https://app.contoso.com, which is where the access token is sent.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q01 084

    6. Click Register.

  2. You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

    The User administrator role is assigned to a user named Admin1.

    An external partner has a Microsoft account that uses the user1@outlook.com sign-in.

    Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: “Unable to invite user user1@outlook.com Generic authorization exception.”

    You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.

    What should you do?

    • From the Roles and administrators blade, assign the Security administrator role to Admin1.
    • From the Organizational relationships blade, add an identity provider.
    • From the Custom domain names blade, add a custom domain.
    • From the Users blade, modify the External collaboration settings.
    Explanation:
    You need to allow guest invitations in the External collaboration settings.
  3. You have an Azure Active Directory (Azure AD) tenant.

    You have the deleted objects shown in the following table.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q03 085

    On May 4, 2020, you attempt to restore the deleted objects by using the Azure Active Directory admin center.

    Which two objects can you restore? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • Group1
    • Group2
    • User2
    • User1
    Explanation:
    Deleted users and deleted Office 365 groups are available for restore for 30 days.
    You cannot restore a deleted security group.
  4. HOTSPOT

    You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q04 086

    You create an Azure role by using the following JSON file.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q04 087

    You assign Role1 to User1 for RG1.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q04 088 Question
    AZ-500 Microsoft Azure Security Technologies Part 03 Q04 088 Answer
  5. You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1.

    You plan to publish several apps in the tenant.

    You need to ensure that User1 can grant admin consent for the published apps.

    Which two possible user roles can you assign to User1 to achieve this goal? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • Security administrator
    • Cloud application administrator
    • Application administrator
    • User administrator
    • Application developer
  6. You have an Azure subscription that is associated with an Azure Active Directory (Azure AD) tenant.

    When a developer attempts to register an app named App1 in the tenant, the developer receives the error message shown in the following exhibit.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q06 089

    You need to ensure that the developer can register App1 in the tenant.

    What should you do for the tenant?

    • Modify the Directory properties.
    • Set Enable Security defaults to Yes.
    • Configure the Consent and permissions settings for enterprise applications.
    • Modify the User settings.
  7. You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant and a user named User1.

    The App registrations settings for the tenant are configured as shown in the following exhibit.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q07 090

    You plan to deploy an app named App1.

    You need to ensure that User1 can register App1 in Azure AD. The solution must use the principle of least privilege.

    Which role should you assign to User1?

    • App Configuration Data Owner for the subscription
    • Managed Application Contributor for the subscription
    • Cloud application administrator in Azure AD
    • Application developer in Azure AD
  8. You have the Azure virtual machines shown in the following table.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q08 091

    Each virtual machine has a single network interface.

    You add the network interface of VM1 to an application security group named ASG1.

    You need to identify the network interfaces of which virtual machines you can add to ASG1.

    What should you identify?

    • VM2 only
    • VM2 and VM3 only
    • VM2, VM3, VM4, and VM5
    • VM2, VM3, and VM5 only
  9. SIMULATION

    You need to create a new Azure Active Directory (Azure AD) directory named 10317806.onmicrosoft.com. The new directory must contain a user named user10317806 who is configured to sign in by using Azure Multi-Factor Authentication (MFA).

    • See the explanation below.
    Explanation:

    To create a new Azure AD tenant:
    1. Browse to the Azure portal and sign in with an account that has an Azure subscription.
    2. Select the plus icon (+) and search for Azure Active Directory.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 092

    3. Select Azure Active Directory in the search results.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 093

    4. Select Create.
    5. Provide an Organization name (10317806) and an Initial domain name (10317806). Then select Create. This creates the directory named 10317806.onmicrosoft.com.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 094

    6. After directory creation is complete, select the information box to manage your new directory.

    To create the user:
    1. In the Azure portal, make sure you are on the Azure Active Directory fly out.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 095

    If not, select the Azure Active Directory icon from the left services navigation.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 096

    2. Under Manage, select Users.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 097

    3. Select All users and then select + New user.
    4. Provide a Name and User name (user10317806) for the user. When you’re done, select Create.

    To enable MFA:
    1. In the Azure portal, make sure you are on the Azure Active Directory fly out.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 098

    If not, select the Azure Active Directory icon from the left services navigation.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 099

    2. Under Manage, select Users.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q09 100

    3. Click on the Multi-Factor Authentication link.
    4. Tick the checkbox next to the user’s name and click the Enable link.

  10. You have an Azure subscription named Subscription1 that contains an Azure Active Directory (Azure AD) tenant named contoso.com and a resource group named RG1.

    You create a custom role named Role1 for contoso.com.

    Where can you use Role1 for permission delegation?

    • contoso.com only
    • contoso.com and RG1 only
    • contoso.com and Subscription1 only
    • contoso.com, RG1, and Subscription1
  11. You have an Azure subscription.

    You enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM).

    Your company’s security policy for administrator accounts has the following conditions:

    – The accounts must use multi-factor authentication (MFA).
    – The accounts must use 20-character complex passwords.
    – The passwords must be changed every 180 days.
    – The accounts must be managed by using PIM.

    You receive multiple alerts about administrators who have not changed their password during the last 90 days.

    You need to minimize the number of generated alerts.

    Which PIM alert should you modify?

    • Roles are being assigned outside of Privileged Identity Management
    • Roles don’t require multi-factor authentication for activation
    • Administrators aren’t using their privileged roles
    • Potential stale accounts in a privileged role
  12. Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD). Azure AD Connect is installed on a domain member server named Server1.

    You need to ensure that a domain administrator for the adatum.com domain can modify the synchronization options. The solution must use the principle of least privilege.

    Which Azure AD role should you assign to the domain administrator?

    • Security administrator
    • Global administrator
    • User administrator
  13. You have an Azure subscription that contains the users shown in the following table.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q13 101

    Which users can enable Azure AD Privileged Identity Management (PIM)?

    • User2 and User3 only
    • User1 and User2 only
    • User2 only
    • User1 only
  14. You have an Azure subscription.

    You plan to create a custom role-based access control (RBAC) role that will provide permission to read the Azure Storage account.

    Which property of the RBAC role definition should you configure?

    • NotActions []
    • DataActions []
    • AssignableScopes []
    • Actions []
    Explanation:
    To ‘read a storage account’, i.e., list the blobs in the storage account, you need an ‘Action’ permission.
    To read the data in a storage account, i.e., open a blob, you need a ‘DataAction’ permission.
  15. You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant.

    You plan to implement Azure Active Directory (Azure AD) Identity Protection.

    You need to ensure that you can configure a user risk policy and a sign-in risk policy.

    What should you do first?

    • Purchase Azure Active Directory Premium Plan 2 licenses for all users.
    • Register all users for Azure Multi-Factor Authentication (MFA).
    • Enable security defaults for Azure AD.
    • Upgrade Azure Security Center to the standard tier.
  16. HOTSPOT

    You have the hierarchy of Azure resources shown in the following exhibit.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q16 102

    RG1, RG2, and RG3 are resource groups.

    RG2 contains a virtual machine named VM2.

    You assign role-based access control (RBAC) roles to the users shown in the following table.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q16 103

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q16 104 Question
    AZ-500 Microsoft Azure Security Technologies Part 03 Q16 104 Answer
  17. HOTSPOT

    You plan to implement an Azure function named Function1 that will create new storage accounts for containerized application instances.

    You need to grant Function1 the minimum required privileges to create the storage accounts. The solution must minimize administrative effort.

    What should you do? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q17 105 Question
    AZ-500 Microsoft Azure Security Technologies Part 03 Q17 105 Answer
  18. You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant.

    From the Azure portal, you register an enterprise application.

    Which additional resource will be created in Azure AD?

    • a service principal
    • an X.509 certificate
    • a managed identity
    • a user account
  19. HOTSPOT

    You have an Azure Active Directory (Azure AD) tenant that contains the resources shown in the following table.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q19 106

    User2 is the owner of Group2.

    The user and group settings for App1 are configured as shown in the following exhibit.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q19 107

    You enable self-service application access for App1 as shown in the following exhibit.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q19 108

    User3 is configured to approve access to App1.

    You need to identify the owners of Group2 and the users of App1.

    What should you identify? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q19 109 Question
    AZ-500 Microsoft Azure Security Technologies Part 03 Q19 109 Answer
  20. HOTSPOT

    You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-1111111111.

    You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.

    What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-500 Microsoft Azure Security Technologies Part 03 Q20 110 Question
    AZ-500 Microsoft Azure Security Technologies Part 03 Q20 110 Answer

    Explanation:
    Note: Assigning a custom RBAC role at the management group level is currently in preview only. So, for now, the answer for the assignable scope is the subscription level.