Q01. You have an Azure subscription that is used for training purposes



AZ 500 ESI Practice Questions
own directory objects.
In User Permissions, set Members can invite to No.
Setting Admins and users in the guest inviter role can invite to Yes allows users to invite guests. Security defaults do not affect guest invitation privileges. The Guest user access is restricted to properties and memberships of their own directory objects setting does not affect guests’ permissions to invite guests. Setting Members can invite to Yes allows non-admin members of your directory to invite guests. Another setting can still override this one.
Default user permissions – Azure Active Directory – Microsoft Entra | Microsoft Learn
Secure Azure solutions with Azure Active Directory – Training | Microsoft Learn
Q71. You have an Azure SQL database, an Azure key vault, and an Azure App Service web app.
You plan to encrypt SQL data at rest by using encryption keys you are managing yourself, such as Bring Your Own Key (BYOK).
You need to create a managed identity to authenticate without storing any credentials in the code. The managed identity must share the lifecycle with the Azure resource it is used for.
What should you implement?
a system-assigned managed identity for an Azure SQL logical server
a system-assigned managed identity for Azure Key Vault
a system-assigned managed identity for an Azure web app
a user-assigned managed identity
To use the managed identity for accessing the encryption key in Key Vault, the identity needs to be set at the Azure SQL logical server level. The managed identity needs to be granted access to the key vault, not vice versa. The web app having a managed identity does not enable encryption at rest by using BYOK. The user-assigned managed identity has an independent lifecycle and must be deleted explicitly.
Managed identities for Azure resources - Microsoft Entra | Microsoft Learn
Customer-managed keys with transparent data encryption using user-assigned managed identity - Azure SQL Database | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn


Q72. You have an Azure AD tenant that uses the default settings.
You need to prevent users from a domain named contoso.com from being invited to the tenant.
What should you do?
Edit the Collaboration restrictions settings.
Enable security defaults.
Deploy Azure AD Privileged Identity Management (PIM).
Edit the Access review settings.
After you edit the Collaboration restrictions settings, if you try to invite a user from a blocked domain, you cannot. Security defaults and PIM do not affect guest invitation privileges. By default, the Allow invitations to be sent to any domain (most inclusive) setting is enabled. In this case, you can invite B2B users from any organization.
Default user permissions - Azure Active Directory - Microsoft Entra | Microsoft Learn
Allow or block invites to specific organizations - Azure AD - Microsoft Entra | Microsoft Learn
Secure Azure solutions with Azure Active Directory - Training | Microsoft Learn
Q73. You are evaluating the Azure Policy configurations to identify any required custom initiatives and policies.
You need to run workloads in Azure that are compliant with the following regulations:
• FedRAMP High
• PCI DSS 3.2.1
• GDPR
• ISO 27001:2013
For which regulation should you create custom initiatives?
FedRAMP High
PCI DSS 3.2.1
GDPR
ISO 27001:2013
To run workloads that are compliant with GDPR, custom initiatives must be created, because no built-in GDPR regulatory compliance initiative is available in Azure Policy. Azure has built-in initiatives for ISO 27001:2013, PCI DSS 3.2.1, and FedRAMP High.
Regulatory Compliance details for Australian Government ISM PROTECTED - Azure Policy | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q74. You need to implement an Azure Policy initiative to monitor and enforce compliance for a payment processing service.
Which policy initiative should you use?


Azure Security Benchmark
CIS controls
NIST SP 800-53
PCI DSS
The PCI DSS standard covers credit card payment processing. Azure Security Benchmark controls are part of the generic Azure Security Benchmark and are not industry specific. The CIS and NIST controls are not industry specific either.
Azure Policy Regulatory Compliance controls for Azure Virtual Machines - Azure Virtual Machines | Microsoft Learn
Microsoft cloud security benchmark introduction | Microsoft Learn
Configure and manage host security - Training | Microsoft Learn
Q75. You have an Azure subscription that contains a user named Admin1.
You need to ensure that Admin1 can create and assign custom security initiatives in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.
Which role should you assign to Admin1?
Global Administrator
Owner (Subscription)
Security Admin
Security Assessment Contributor
Of the roles listed, Owner at the subscription scope is the only one with permissions to create and assign custom security initiatives in Defender for Cloud. Security Admin and Security Assessment Contributor cannot create policy definitions, and Global Administrator is an Azure AD role that does not by itself grant permissions on Azure resources.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q76. You have an Azure subscription.
You need to implement UK OFFICIAL and UK NHS standards for the subscription.
Which Microsoft Defender for Cloud setting should you use?
Regulatory compliance
Security Posture
Workload protections
Recommendations
You must use Regulatory compliance in Defender for Cloud to add a new standard. The remaining answers are valid options from Defender for Cloud, but they do not allow you to add a new standard.
The regulatory compliance dashboard in Microsoft Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn


Q77. You plan to scan all the virtual machines in an Azure subscription for vulnerabilities by using Microsoft Defender for Cloud.
You need to deploy the necessary agents by using the least amount of administrative effort.
What should you do?
Assign a custom Azure policy that uses a DeployIfNotExists rule to the subscription.
Turn on the vulnerability assessment for machines in the Environment settings of Defender for Cloud.
Execute the remediation steps from the Machines should have vulnerability findings resolved recommendation in the Recommendations settings of Defender for Cloud.
Enable the Microsoft Defender for Cloud plans option in the Environment settings of Defender for Cloud.
Turn on the vulnerability assessment for machines automatically deploys the agent to all the virtual machines in the subscription. Assigning a custom Azure policy requires more administrative effort. Enabling the Microsoft Defender for Cloud plans option does not deploy the agents to the virtual machines and executing the remediation steps from the Machines should have vulnerability findings resolved recommendation requires the agent to be installed already.
Configure Microsoft Defender for Cloud to automatically assess machines for vulnerabilities | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q78. You have an Azure subscription and the following SQL deployments:
• An Azure SQL database named DB1
• An Azure SQL Server named sqlserver1
• An instance of SQL Server on Azure Virtual Machines named VM1 that has Microsoft SQL Server 2022 installed
• An on-premises server named Server1 that has SQL Server 2019 installed
Which deployments can be protected by using Microsoft Defender for Cloud?
sqlserver1 only
DB1 and sqlserver1 only
sqlserver1 and VM1 only
DB1, sqlserver1, and VM1 only
DB1, sqlserver1, VM1, and Server1
Defender for Cloud includes Microsoft Defender for SQL. Defender for SQL can protect Azure SQL Database, Azure SQL Server, SQL Server on Azure Virtual Machines, and SQL Server instances installed on on-premises servers (the latter are onboarded through Azure Arc-enabled servers).
How to enable Microsoft Defender for SQL servers on machines | Microsoft Learn
Microsoft Defender for Azure SQL - the benefits and features | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q79. You are designing an Azure solution that stores encrypted data in Azure Storage.
You need to ensure that the keys used to encrypt the data cannot be permanently deleted until 60 days after they are deleted. The solution must minimize costs.


What should you do?
Store keys in an HSM-protected key vault that has soft delete enabled.
Store keys in an HSM-protected key vault that has soft delete and purge protection enabled.
Store keys in a software-protected key vault that has soft delete enabled and purge protection disabled.
Store keys in a software-protected key vault that has soft delete and purge protection enabled.
Purge protection prevents keys from being permanently deleted for a certain number of days, and software-protected key vaults are less expensive than HSM-protected key vaults. Without purge protection, the keys are not protected from being permanently deleted for 60 days. An HSM-protected key vault is more expensive than a software-backed key vault.
Azure Key Vault soft-delete | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
Q80. You are designing a solution that must meet FIPS 140-2 Level 3 compliance in Azure.
Where should the solution maintain encryption keys?
an Azure SQL Managed Instance database
a software-protected Azure key vault
an HSM-protected Azure key vault
a managed HSM
A managed HSM is FIPS 140-2 Level 3 compliant. An HSM-protected key vault is Level 2 compliant. A software-protected key vault is Level 1 compliant. An Azure SQL Managed Instance database is not a key store and is not FIPS 140-2 Level 3 compliant.
About keys - Azure Key Vault | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
Q81. You need to implement a key management solution that supports importing keys generated in an on-premises environment. The solution must ensure that the keys stay within a single Azure region.
What should you do?
Implement Azure Key Vault Managed HSM.
Implement Azure Key Vault Firewall.
Apply the Keys should be the specified cryptographic type RSA or EC Azure policy.
Disable the Allow trusted services option.
Key Vault Managed HSM supports importing keys generated in an on-premises HSM, and it does not store or process customer data outside the Azure region in which the customer deploys the HSM instance. Key Vault Firewall only restricts network access to a vault; it has no bearing on importing on-premises-generated keys or on where they are held. The Keys should be the specified cryptographic type RSA or EC policy restricts key types; it does not import keys or pin them to a region. Disabling the Allow trusted services option has no direct impact on key import.
How to generate and transfer HSM-protected keys for Azure Key Vault Managed HSM - Azure Key Vault | Microsoft Learn
Azure Managed HSM Overview - Azure Managed HSM | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn


Q82. You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1 and a user named User1.
You need to ensure that User1 has access to AKS1 secrets. The solution must follow the principle of least privilege.
Which role should you assign to User1?
Azure Kubernetes Service RBAC Reader
Azure Kubernetes Service RBAC Writer
Azure Kubernetes Service RBAC Admin
Azure Kubernetes Service RBAC Cluster Admin
Azure Kubernetes Service RBAC Writer has access to secrets. Azure Kubernetes Service RBAC Reader does not have access to secrets. Azure Kubernetes Service RBAC Cluster Admin and Azure Kubernetes Service RBAC Admin do not follow the principle of least privilege.
Concepts - Access and identity in Azure Kubernetes Services (AKS) - Azure Kubernetes Service | Microsoft Learn
Enable Containers security - Training | Microsoft Learn
Q83. You have an Azure Storage account.
You plan to prevent the use of shared keys by using Azure Policy.
Which two access methods will continue to work? Each correct answer presents a complete solution.
user delegation SAS
service SAS
account SAS
Storage Blob Data Reader role
The Storage Blob Data Reader role uses Azure AD to authenticate. A user delegation SAS is signed with a user delegation key obtained through Azure AD rather than with the account key. Both methods work whether Shared Key authorization is allowed or disallowed. Service SAS and account SAS are signed with the storage account key, so they stop working once Shared Key authorization is disallowed.
Prevent authorization with Shared Key - Azure Storage | Microsoft Learn
Implement storage security - Training | Microsoft Learn
Q84. You have an Azure SQL Database server named Server1 that contains a database named DB1.
You create an auditing policy for DB1.
After a few weeks, you create five more databases in Server1. You then create a new auditing policy for Server1.
You notice that auditing entries for DB1 are duplicated.


You need to ensure that auditing entries for all existing and future databases are not duplicated.
What should you do?
Configure the policy used in DB1 with the same settings as the policy on Server1.
Create a policy for each of the five new databases.
Disable auditing for DB1.
Configure the policy used on Server1 with the same settings as the policy in DB1.
Disabling auditing for DB1 will stop duplication. Creating a policy for each of the five new databases or configuring the policy used on Server1 with the same settings as the policy in DB1 will duplicate entries for all databases. Configuring the policy used in DB1 with the same settings as the policy on Server1 will still duplicate entries.
Azure SQL Auditing for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q85. You implement dynamic data masking for an Azure Synapse Analytics workspace.
You need to provide only a user named User1 with the ability to see the data.
What should you do?
Create a Conditional Access policy for Azure SQL Database, and then grant access.
Use the ALTER TABLE statement to edit the masking function.
Use the ALTER TABLE statement to drop the masking function.
Grant the UNMASK permission to User1.
Granting the UNMASK permission to User1 removes the mask for User1 only. Creating a Conditional Access policy for Azure SQL Database, and then granting access, is not enough for User1 to see the data; it only controls sign-in. Using the ALTER TABLE statement to edit the masking function affects all users. Using the ALTER TABLE statement to drop the masking function removes the mask altogether.
Dynamic data masking - Azure SQL Database | Microsoft Learn
Conditional Access - Azure SQL Database & SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q86. You have an Azure subscription that contains two Azure Key Vault resources.
You need to ensure that all the secrets in any key vault in the subscription meet the following requirements:
• Secrets can be active for up to 365 days.
• Secrets must have an expiration date set.
• Secrets must have a content type set.
• The solution must minimize administrative effort.
What should you do?


Create custom policies for Key Vault secrets and link an initiative to the subscription.
Use built-in policies and link an initiative to the subscription.
Create custom policies for Key Vault secrets and link an initiative to the Key Vault resources.
Use built-in policies and link an initiative to the Key Vault resources.
Using built-in policies and linking an initiative to the subscription will apply to all the Key Vault resources in the subscription.
You do not need to use custom policies, and linking the initiative to the existing resources will not affect key vaults created later.
Integrate Azure Key Vault with Azure Policy | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
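The three requirements map to built-in Key Vault policies (an expiration date set, a content type set, a maximum validity period). The following Python is an added example, not taken from the practice questions or from Microsoft, that reproduces those checks locally over constructed secret metadata so a practitioner can pre-flight secrets before the policy assignment reports them as non-compliant. The SecretAttributes shape and the rule that validity is measured from the activation (not-before) date when one is set, and otherwise from the creation timestamp, are my assumptions; real properties would come from the SDK's list_properties_of_secrets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_VALIDITY_DAYS = 365  # "Secrets can be active for up to 365 days"


@dataclass
class SecretAttributes:
    """Constructed subset of Key Vault secret properties (my assumption of the
    fields that matter for the three requirements)."""
    vault: str
    name: str
    created: datetime
    expires: Optional[datetime] = None
    not_before: Optional[datetime] = None
    content_type: Optional[str] = None


def evaluate_secret(s: SecretAttributes, max_days: int = MAX_VALIDITY_DAYS) -> List[str]:
    """Return the list of requirement violations for one secret (empty list = compliant)."""
    findings: List[str] = []
    if s.expires is None:
        findings.append("no expiration date")
    else:
        # Assumption: validity runs from the activation date (not_before) when set,
        # otherwise from the creation timestamp.
        activation = s.not_before or s.created
        validity = s.expires - activation
        if validity > timedelta(days=max_days):
            findings.append(f"valid for {validity.days} days, limit is {max_days}")
    if not s.content_type:
        findings.append("no content type")
    return findings


def evaluate_vaults(secrets: List[SecretAttributes]) -> Dict[str, Dict[str, List[str]]]:
    """Group findings per vault so every vault in the subscription is covered."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for s in secrets:
        report.setdefault(s.vault, {})[s.name] = evaluate_secret(s)
    return report


def noncompliant(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Flat, sorted 'vault/secret' list of everything with at least one finding."""
    return sorted(f"{vault}/{name}"
                  for vault, secrets in report.items()
                  for name, findings in secrets.items() if findings)


# Constructed sample data covering the edge cases.
_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    # exactly 365 days, content type set: compliant
    SecretAttributes("kv1", "db-conn", _T0, expires=_T0 + timedelta(days=365),
                     content_type="text/plain"),
    # no expiry at all
    SecretAttributes("kv1", "api-key", _T0, expires=None, content_type="text/plain"),
    # 400 days after creation but activated at day 40, so 360 days of validity: compliant
    SecretAttributes("kv2", "cert-pw", _T0, expires=_T0 + timedelta(days=400),
                     not_before=_T0 + timedelta(days=40), content_type="text/plain"),
    # 366 days and no content type: two findings
    SecretAttributes("kv2", "legacy", _T0, expires=_T0 + timedelta(days=366)),
]

if __name__ == "__main__":
    report = evaluate_vaults(SAMPLE_SECRETS)
    for item in noncompliant(report):
        vault, name = item.split("/")
        print(item, "->", "; ".join(report[vault][name]))
```

Running the block prints kv1/api-key and kv2/legacy with their findings; the cert-pw case shows why the activation date, not the creation date, is the right anchor for the validity window.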
Q87. Your company has a multi-cloud online environment.
You plan to use Microsoft Defender for Cloud to protect all supported online environments.
Which three environments support Defender for Cloud? Each correct answer presents a complete solution.
Amazon Web Services (AWS)
Oracle Cloud
GitHub
Azure DevOps
Alibaba Cloud
Defender for Cloud protects workloads in Azure, AWS, GitHub, and Azure DevOps. Oracle Cloud and Alibaba Cloud are unsupported by Defender for Cloud.
Connect your non-Azure machines to Microsoft Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q88. You are implementing Microsoft Defender for SQL vulnerability assessments.
In which two locations can users view the results? Each correct answer presents a complete solution.
an Azure Blob storage account
Microsoft Defender for Cloud
Microsoft Teams
an Azure Event Grid instance
Defender for Cloud is the default and mandatory location to view the results, while a Blob storage account is a mandatory destination and a prerequisite for enabling the scan in the classic configuration (the newer express configuration stores results without a storage account). The Teams option is unavailable out of the box. A scan completion event is not sent to Event Grid.
Microsoft Defender for SQL - Azure SQL Database | Microsoft Learn
Scan your Azure SQL databases for vulnerabilities using Microsoft Defender for Cloud | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn


Q89. You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to protect AKS1 by using Microsoft Defender for Cloud.
Which Defender plan should you use?
Microsoft Defender for Containers
Microsoft Defender for Servers
Microsoft Defender for App Service
Microsoft Defender for Resource Manager
Defender for Containers is a cloud-native solution used to secure your containers so that you can improve, monitor, and maintain the security of your clusters, containers, and their applications. AKS clusters run containers, and because of this, they can be protected by using Defender for Containers.
Container security with Microsoft Defender for Cloud | Microsoft Learn
Learn Azure Policy for Kubernetes - Azure Policy | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q90. You need to enable encryption at rest by using customer-managed keys (CMKs).
Which two services support CMKs? Each correct answer presents a complete solution.
Azure Blob storage
Azure Files
Azure Disk Storage
Azure NetApp Files
Log Analytics workspace
Blob storage and Azure Files are the two listed services covered by the Azure Storage encryption model in the reference, which supports customer-managed keys held in Key Vault or Managed HSM. The exam answer is scoped to that model: the other listed services either use a separate mechanism (managed disks use disk encryption sets, a Log Analytics workspace uses a dedicated cluster) or fall outside Azure Storage encryption altogether (Azure NetApp Files).
Azure Storage encryption for data at rest | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
Q91. You have an Azure SQL Database server.
You enable Azure AD authentication for Azure SQL.
You need to prevent other authentication methods from being used.
Which command should you run?
az sql server ad-admin create
az sql server ad-only-auth enable
az sql mi ad-admin create
az sql mi ad-only-auth enable
az sql server ad-only-auth enable enables authentication only through Azure AD for the Azure SQL Database server. az sql server ad-admin create and az sql mi ad-admin create only set the Azure AD admin and do not stop other authentication methods. az sql mi ad-only-auth enable enables Azure AD-only authentication for Azure SQL Managed Instance, not for the Azure SQL Database server in the question.
Azure Active Directory-only authentication - Azure SQL Database & Azure SQL Managed Instance | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q92. Your company opens a new office.
You need to allow a user named Admin1 to manage user and group accounts for the new office only.
Which type of resource should you create?
resource group
management group
administrative unit
security group
An administrative unit can contain only users, groups, and devices, and a role such as User Administrator can be assigned scoped to the administrative unit, which gives Admin1 rights over the new office's accounts only. Resource groups cannot contain users, groups, or devices. Management groups can only contain other management groups or subscriptions. A security group collects principals for access assignment; it does not scope an administrator's role to a subset of users.
Administrative units in Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure Azure AD administrative units - Training | Microsoft Learn
Q93. You have an Azure AD tenant.
You need to recommend a passwordless authentication solution.
Which three authentication methods should you include in the recommendation? Each correct answer presents a complete solution.
Windows Hello for Business
OATH software tokens
FIDO2 security keys
SMS verification
the Microsoft Authenticator app
voice call verification
Windows Hello for Business, security keys, and the Microsoft Authenticator app all support passwordless authentication. The remaining options do not support passwordless authentication.
Plan a passwordless authentication deployment in Azure Active Directory - Microsoft Entra | Microsoft Learn
Manage user authentication - Training | Microsoft Learn


Q94. You are managing permission consent for Azure AD app registration.
Which component displays the publisher domain?
publisher name and verification
publisher information
Microsoft 365 certification
app name
The publisher name and verification component displays more app info as it becomes available, including the publisher name, publisher domain, date created, certification details, and reply URLs. Publisher information, Microsoft 365 certification, and app name do not display publisher domain information.
Azure AD app consent experiences - Microsoft Entra | Microsoft Learn
Configure application security features - Training | Microsoft Learn
Q95. You have a virtual network that contains an Azure Kubernetes Service (AKS) workload and an internal load balancer.
Multiple virtual networks are managed by multiple teams.
You are unable to change any of the IP addresses.
You need to ensure that clients from virtual networks in your Azure subscription can access the AKS cluster by using the internal load balancer.
What should you do?
Create a private link service on the virtual network and instruct users to access the cluster by using a private link endpoint in their virtual networks.
Create a private link endpoint on the virtual network and instruct users to access the cluster by using a private link endpoint on their virtual network.
Create virtual network peering between the virtual networks to allow connectivity.
Create VPN site-to-site (S2S) connections between the virtual networks to allow connectivity.
A private link service will allow access from outside the virtual network to an endpoint by using NAT. Since you do not control the IP addressing for other virtual networks, this ensures connectivity even if IP addresses overlap. Once a private link service is used in the load balancer, other users can create a private endpoint on virtual networks to access the load balancer.
Quickstart - Create an Azure Private Link service using Azure CLI | Microsoft Learn
Deploy private links - Training | Microsoft Learn
Q96. You configure Azure AD to use multi-factor authentication (MFA) by using the Microsoft Authenticator app.
You need to ensure that users are required to use the Microsoft Authenticator app when accessing Azure from new devices or locations.


Which type of Azure AD Identity Protection policy should you create?
user risk policy with self-remediation
user risk policy with administrator remediation
sign-in risk policy with self-remediation
sign-in risk policy with administrator remediation
By using a sign-in risk policy with self-remediation, a sign-in risk is detected when users access their account from an unfamiliar device or location, and self-remediation requires MFA to clear the risk, whereas administrator remediation requires admin intervention. User risk policies are triggered for users that have specific risk levels due to issues such as leaked credentials.
User experiences with Azure AD Identity Protection – Microsoft Entra | Microsoft Learn
Implement sign-in risk policy – Training | Microsoft Learn
Q97. You create a web API and register the API as an Azure AD application.
You need to expose a function in the API to ensure that administrators must provide consent to apps that use the API.
What should you add to your app registration?
a scope
an application ID URI
a permission
a client application
A scope is what a client requests consent for in order to call a given function in the API; when you add the scope on the Expose an API page, setting Who can consent? to Admins only makes administrator consent mandatory. An application ID URI identifies the API but does not handle permissions, a permission is what another application is granted in order to access a scope exposed by a different app, and an authorized client application lets a specific application use the API without further consent prompts.
Quickstart: Register and expose a web API - Microsoft Entra | Microsoft Learn
Configure application security features - Training | Microsoft Learn
Q98. You have an Azure storage account named sa1 that has a container named container1.
You create an Azure AD user named User1.
You need to ensure that User1 can create data in container1.
Which role should you assign to User1?
Storage Blob Data Contributor
Storage Blob Delegator
Storage Account Contributor
Classic Storage Account Contributor


Storage Blob Data Contributor can write to containers. Storage Blob Delegator allows the delegation of access keys. Storage Account Contributor allows the management of storage accounts, but not access to the data. Classic Storage Account Contributor allows the management of classic storage accounts, but not access to the data.
Azure custom roles - Azure RBAC | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Secure Azure solutions with Azure Active Directory - Training | Microsoft Learn
Q99. You need to provide an administrator with the ability to manage custom RBAC roles. The solution must follow the principle of least privilege.
Which role should you assign to the administrator?
User Access Administrator
Owner
Contributor
Privileged Role Administrator
Q100. You have a resource group named RG1 that contains an Azure virtual network named VNet1. A user named User1 is assigned the Contributor role for RG1.
You need to prevent User1 from modifying the properties of VNet1.
What should you do?
Apply a read-only lock to the RG1 scope.
Remove the Contributor role assignment from VM1.
Add a deny assignment for Microsoft.Compute/virtualMachines/* in the VM1 scope.
Assign User1 the Virtual Machine User Login role in the RG1 scope.
A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. The RBAC assignment is set at the resource group level and inherited by the resource. The assignment needs to be edited at the original scope (level). You cannot directly create your own deny assignments. Assigning User1 the Virtual Machine User Login role in the RG1 scope will still allow User1 to have access as a contributor to restart VM1.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Understand Azure deny assignments - Azure RBAC | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q101. You have an Azure key vault.
You need to ensure that a user can read and write keys to the Key Vault. The solution must follow the principle of least privilege.
Which role should you assign to the user?


Key Vault Crypto Officer
Key Vault Certificates Officer
Key Vault Crypto Service Encryption User
Key Vault Secrets Officer
Key Vault Crypto Officer has all the permissions to keys in Key Vault, including reading and writing key objects. Key Vault Certificates Officer has all the permissions to certificates only, not keys. Key Vault Crypto Service Encryption User can only read key metadata and use keys for wrap and unwrap operations; it cannot create keys. Key Vault Secrets Officer has all the permissions to secrets only.
Migrate to Azure role-based access control | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
Q102. You have an Azure key vault.
You need to prevent the accidental deletion of encryption keys stored in Key Vault.
What should you use?
purge protection
failover to a secondary region
soft delete
Azure Backup
Soft delete is designed to prevent the accidental deletion of your key vault and the keys, secrets, and certificates stored in the key vault. Purge protection is designed to prevent the deletion of your key vault, keys, secrets, and certificates by a malicious insider. Failover to a secondary region provides the availability to read keys during primary region downtime. Azure Backup does not back up Key Vault content.
Azure Key Vault recovery overview | Microsoft Learn
Back up a secret, key, or certificate stored in Azure Key Vault | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
Q103. You need to grant an application access to read connection strings stored in Azure Key Vault. The solution must follow the principle of least privilege.
Which role assignment should you use?
Key Vault Secrets User
Key Vault Crypto Officer
Key Vault Reader
Key Vault Secrets Officer
Key Vault Secrets User allows read access to secret content. Key Vault Crypto Officer allows the user to perform actions on encryption keys, not secrets. Key Vault Reader allows the user to read the metadata of key vaults and its certificates, keys, and secrets, but not to read sensitive values, such as secret contents or key material. Key Vault Secrets Officer does not follow the principle of least privilege.


Grant permission to applications to access an Azure key vault using Azure RBAC | Microsoft Learn
Deploy and secure Azure Key Vault – Training | Microsoft Learn
Q104. You have an Azure Kubernetes Service (AKS) cluster named AKS1.
You are configuring network isolation for AKS1.
You need to limit which IP addresses can access the Kubernetes control plane.
What should you do?
Configure API server authorized IP ranges.
Customize CoreDNS for AKS.
Implement Open Service Mesh AKS add-on.
Configure Azure Front Door.
To secure access to the otherwise publicly accessible AKS control plane/API server, you can enable and use authorized IP ranges. These authorized IP ranges only allow defined IP address ranges to communicate with the API server. Customizing
CoreDNS for AKS, implementing the Open Service Mesh AKS add-on, and configuring Front Door applies to the cluster, not the Kubernetes control plane.
API server authorized IP ranges in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn
Enable Containers security - Training | Microsoft Learn
Q105. You have an Azure AD tenant that syncs with the on-premises Active Directory Domain Service (AD DS) domain and uses Azure Active Directory Domain Services (Azure AD DS).
You have an application that runs on user devices by using the credentials of the signed-in user. The application accesses data in Azure Files by using REST calls.
You need to configure authentication for the application in Azure Files by using the most secure authentication method.
Which authentication method should you use?
shared key
SAS
Azure AD
on-premises Active Directory Domain Service (AD DS)
A SAS is the most secure way to access Azure Files by using REST calls. A shared key allows any user with the key to access data. Azure AD and Active Directory Domain Service (AD DS) are unsupported for REST calls.
Authorize operations for data access – Azure Storage | Microsoft Learn
Implement storage security – Training | Microsoft Learn


Q106. You enable Always Encrypted for an Azure SQL database.
Which scenario is supported?
copying data from one column to another
encrypting existing data
creating columns that have the XML data type
using dynamic data masking
Encrypting existing data is supported. Always Encrypted uses the client driver to encrypt and decrypt data. This means that some actions that only occur on the server side will not work.
Always Encrypted - SQL Server | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q107. You have an application that will securely share files hosted in Azure Blob storage to external users. The external users will not use Azure AD to authenticate.
You plan to share more than 1,000 files.
You need to restrict access to only a single IP address for each file.
What should you do?
Generate a service SAS that includes the signedIP field.
Configure a storage account firewall.
Set the Allow public anonymous access to setting for the storage account.
Set the Secure transfer required setting for the storage account.
Generating a service SAS that includes the signedIP field (the sip query parameter) lets you sign one token per file with the account key and pin each token to a single allowed IP address or range; the service compares the request's source address with that value, and because the address is covered by the signature it cannot be edited out of the token. The storage account firewall supports at most 200 IP network rules, so it cannot express a rule per file. The Allow public anonymous access setting controls unauthenticated reads and does not restrict the source address. Secure transfer required rejects HTTP in favour of HTTPS but does not limit where the request originates. One caveat: sip is matched against the public source address the storage service sees, so clients behind NAT or a proxy must be pinned to that egress address.
Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn
Configure Azure Storage firewalls and virtual networks | Microsoft Learn
Configure anonymous public read access for containers and blobs - Azure Storage | Microsoft Learn
Implement storage security - Training | Microsoft Learn
Q108. You have an Azure subscription that contains a user named Admin1.
You need to ensure that Admin1 can access the Regulatory compliance dashboard in Microsoft Defender for Cloud. The solution must follow the principle of least privilege.
Which two roles should you assign to Admin1? Each correct answer presents part of the solution.
Global Reader
Security Reader
Resource Policy Contributor
Security Admin
The Regulatory compliance dashboard is built on Azure Policy compliance data, so the account needs Azure RBAC rights to read that data as well as Defender for Cloud rights. Microsoft documents the minimum as Resource Policy Contributor together with Security Admin. Security Reader does not include access to the policy compliance data, and Global Reader is a directory-wide read role that is broader than needed and is not what the dashboard requires.
Tutorial: Regulatory compliance checks - Microsoft Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q109. You configure a Linux virtual machine to send Syslog data to Microsoft Sentinel.
You notice that events for the virtual machine are duplicated in Microsoft Sentinel.
You need to ensure that the events are not duplicated.
Which two actions should you perform? Each correct answer presents part of the solution.
Remove the entry used to send CEF messages from the Syslog configuration file for the virtual machine.
Stop the Syslog daemon on the virtual machine.
Disable the synchronization of the Log Analytics agent with the Syslog configuration in Microsoft Sentinel.
Enable the Syslog daemon to listen to network messages.
Disable the Syslog daemon from listening to network messages.
Duplicates arise when the same events reach the workspace twice: once through the Syslog facility configuration and once through the CEF forwarding entry that the Log Analytics agent adds to the daemon's configuration. Remove the entry that forwards CEF messages from the virtual machine's Syslog configuration, and disable synchronization of the agent with the Syslog configuration in Microsoft Sentinel so that the entry is not re-added automatically.
Stopping the Syslog daemon would stop both Syslog and CEF collection entirely. Whether the daemon listens for network messages governs which sources it accepts, not whether an event is forwarded twice, so enabling or disabling that setting does not address the duplication.
Connect Syslog data to Microsoft Sentinel | Microsoft Learn
Configure and monitor Microsoft Sentinel - Training | Microsoft Learn
Q110. You have a data connector for Microsoft Sentinel.
You need to configure the connector to collect logs from Conditional Access in Azure AD.
What should you select for the connector?
sign-in logs
audit logs
activity logs
provisioning logs
Sign-in logs record each authentication, including which Conditional Access policies were evaluated and with what result (in Microsoft Sentinel this lands in the SigninLogs table, ConditionalAccessPolicies column), so they are the source for Conditional Access activity. Audit logs record changes applied to the tenant, such as user and group management or edits to a policy, not how the policy was applied at sign-in.
Activity logs are subscription-level Azure Resource Manager events, not tenant-level activity. Provisioning logs record the provisioning service's work, such as creating a group in ServiceNow or importing a user from Workday.
Connect Azure Active Directory data to Microsoft Sentinel | Microsoft Learn
Sign-in logs (preview) in Azure Active Directory - Microsoft Entra | Microsoft Learn
Azure activity log - Azure Monitor | Microsoft Learn
Configure and monitor Microsoft Sentinel - Training | Microsoft Learn
Q111. You create an access review for a select number of groups in Azure AD for all users that have access to your tenant.
You configure the review to automatically apply results to resources.
After running the review, you notice that a user that should have been removed from a group is still part of the group.
Why is the user still in the group?
The user is part of the Compliance Administrator role.
The user is a guest user.
The group is a Windows AD group.
The group is an Azure AD group.
The group is synchronized from on-premises Active Directory. Access review results can only be applied automatically to groups mastered in Azure AD; for a synchronized group the review still records the decision, but the membership change has to be made on-premises. Guest users and members of the Compliance Administrator role can be removed by a review, and Azure AD groups are exactly what access reviews manage.
Create an access review of groups and applications - Azure AD - Microsoft Entra | Microsoft Learn
Complete an access review of groups & applications - Microsoft Entra | Microsoft Learn
Manage users with Azure AD groups - Training | Microsoft Learn
Q112. You have an Azure subscription named Sub1 that contains the following resources:
• A resource group named RG1 that contains a virtual machine named VM1
• A resource group named RG2 that has an Azure App Service plan named ASP1 and a web app named App1
You need to provide a user with the ability to perform the following tasks:
• List web apps hosted in ASP1.
• Create new virtual machines in RG1.
Which two actions should you perform? Each correct answer presents part of the solution.
Assign the user the Reader role for Sub1.
Add a deny assignment for RG2.
Assign the user the Contributor role in the RG1 scope.
Assign the user the Reader role for ASP1.


Assigning Reader at the Sub1 scope is inherited by RG2 and ASP1, so the user can list the web apps hosted in ASP1, and in any App Service plans added to the subscription later. Assigning Contributor at the RG1 scope lets the user create virtual machines (and other resources) inside that resource group only. Assigning Reader on ASP1 alone covers that one plan but not plans added later. Deny assignments cannot be created directly (they are created only by Azure Blueprints and managed applications), so adding one for RG2 is not an option, and it is not needed, since Reader cannot create anything in RG2.
Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn
Understand Azure deny assignments - Azure RBAC | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q113. You are managing permission consent for an Azure AD app registration.
You already know all the permissions that an application will need. You also know which resources the application will access.
You need to choose the consent type for the application. The solution must follow the principle of least privilege.
Which type of consent should you choose?
static user consent
incremental user consent
dynamic user consent
admin consent
With static user consent you declare every permission the app needs in its registration in the Azure portal, and the user is asked for exactly that set once, up front. Incremental and dynamic consent let an app start with a minimal set and request more as features are used, which suits apps that do not know their needs in advance; here the full set is already known, so the static declaration is the least-privilege choice. Admin consent is for permissions that require an administrator's approval (high-privilege or application permissions) and grants them tenant-wide, which is more than this scenario calls for.
Overview of permissions and consent in the Microsoft identity platform - Microsoft Entra | Microsoft Learn
Configure application security features - Training | Microsoft Learn
Q114. You have Azure web apps named App1 and App2.
You need to ensure that App1 and App2 use the same identity.
Which identity type should you use?
a user-assigned managed identity
a system-assigned managed identity
a service principal with password-based authentication
a service principal with certificate-based authentication
A user-assigned managed identity is a standalone resource that can be attached to more than one Azure resource, so App1 and App2 can share it and one set of role assignments. A system-assigned managed identity is created with, and bound to, a single resource and cannot be shared. A service principal with a password or a certificate would require you to store, distribute and rotate that credential in both apps, which is exactly what managed identities exist to avoid.
Managed identities for Azure resources - Microsoft Entra | Microsoft Learn
Apps & service principals in Azure AD - Microsoft Entra | Microsoft Learn
Enable managed identities - Training | Microsoft Learn


Q115. You have an application that runs on-premises and stores data in an Azure SQL database.
You need to ensure that certain columns stored in the database can only be decrypted by the application and cannot be accessed by users managing Azure SQL.
What should you enable for the database?
Transparent Data Encryption (TDE)
dynamic data masking
Always Encrypted
symmetric key encryption
Always Encrypted stores ciphertext in the columns and keeps the column master key outside the database (for example in Azure Key Vault), so only a client driver that can reach that key can decrypt; database administrators see ciphertext only. TDE encrypts the data and log files at rest but decrypts transparently for any authenticated query, so users managing the database still see plaintext. Dynamic data masking does not encrypt anything; it obscures query results, and anyone with the UNMASK permission sees the real values. Symmetric key encryption (CREATE SYMMETRIC KEY) keeps the key in the database's own key hierarchy, where a database administrator can open it, rather than in the client application.
Always Encrypted - SQL Server | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q116. You have an Azure subscription that contains a virtual network named VNet1.
You plan to deploy an Azure App Service web app named Web1.
You need to be able to deploy Web1 to the subnet of VNet1. The solution must minimize costs.
Which pricing plan should you use for Web1?
Shared
Basic
Premium
Isolated
Only the Isolated pricing tier (an App Service Environment) deploys the app into a subnet of your virtual network. The other tiers can use regional VNet integration for outbound traffic and a private endpoint for inbound traffic, but the app itself runs on shared infrastructure outside the subnet and, without a private endpoint, inbound traffic always arrives at the app's public IP address.
App Service Environment networking - Azure App Service Environment | Microsoft Learn
Implement perimeter security - Training | Microsoft Learn
Q117. You plan to provide connectivity between Azure and your company’s datacenter.
You need to define how to establish the connection. The solution must meet the following requirements:
• All traffic between the datacenter and Azure must be encrypted.
• Bandwidth must be between 10 and 100 Gbps.
What should you use for the connection?
ExpressRoute with a provider
ExpressRoute Direct
Azure VPN Gateway
VPN Gateway with Azure Virtual WAN
ExpressRoute Direct offers 10 Gbps and 100 Gbps ports and supports MACsec, which encrypts the Layer 2 link between your edge routers and Microsoft's, so it meets both requirements (MACsec covers only that hop; encryption across your own network beyond the edge is a separate matter). ExpressRoute through a connectivity provider tops out at 10 Gbps and does not support MACsec, so the circuit itself carries unencrypted traffic unless you run IPsec over it. Azure VPN Gateway, with or without Virtual WAN, encrypts with IPsec but is limited to roughly 1 Gbps per tunnel, well below the required range.
About Azure ExpressRoute Direct | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q118. You have an Azure subscription that is used for training purposes.
You need to allow external users to create resources in the subscription.
Which two identity providers can be used to access the subscription? Each correct answer presents a complete solution.
Facebook
Google
Twitter
Amazon Web Services (AWS)
Google and Facebook are both supported identity providers in Azure AD External Identities, so users with either account type can become guest users in the tenant and then be assigned Azure RBAC roles on the subscription: Google through federation (invitation or self-service sign-up), Facebook only through self-service sign-up user flows. Twitter is an identity provider for Azure AD B2C, not for External Identities, and AWS accounts cannot be used as an identity provider for Azure AD.
Identity providers for External Identities - Azure AD - Microsoft Entra | Microsoft Learn
Deploy Federation with Azure AD - Training | Microsoft Learn
Q119. You have an Azure AD tenant. All the users in the tenant have Windows devices that are Azure AD-joined.
You need to implement Azure AD Multi-Factor Authentication (MFA). The solution must ensure that Azure MFA can be used without internet access or mobile network availability.
Which authentication method should you use?
Windows Hello for Business
the Microsoft Authenticator app
text messages
calls to a phone
Windows Hello for Business can be used as the strong authentication method for Azure AD MFA. The user unlocks a key bound to the device's TPM with a biometric gesture or a PIN, and that verification happens locally on the device, so neither internet access nor a mobile network is needed for the factor itself. The Microsoft Authenticator app relies on push notifications delivered over the internet, and text messages and phone calls depend on mobile network availability.
Plan your multi-factor authentication deployment - Training | Microsoft Learn
Q120. You are managing permission scopes for an Azure AD app registration.
What are three OpenID Connect scopes that you can use? Each correct answer presents a complete solution.
phone
openid
email
offline_access
address
The openid scope appears on the work account consent page as the Sign you in permission and is what makes the request an OpenID Connect request, yielding the ID token. The email scope gives the app the user's primary email address in the form of the email claim. The offline_access scope lets the app obtain refresh tokens and so keep accessing resources on the user's behalf for an extended time; on the consent page it appears as Maintain access to data you have given it access to. The phone and address scopes are defined by the OpenID Connect standard but are not supported by the Microsoft identity platform.
Overview of permissions and consent in the Microsoft identity platform - Microsoft Entra | Microsoft Learn
Configure application security features - Training | Microsoft Learn
Q121. You create an application named App1 in an Azure tenant.
You need to host the application as a multitenant application for any users in Azure, while restricting non-Azure accounts.
You need to allow administrators in other Azure tenants to add the application to their gallery.
Which CLI command should you run?
az ad app create --display-name app1 --sign-in-audience AzureADandPersonalMicrosoftAccount
az ad app create --display-name app1 --sign-in-audience AzureADMultipleOrgs
az webapp auth openid-connect add -r rg1 -n app1 --provider-name p1
az webapp auth-classic update -r rg1 -n app1 --action LoginWithAzureActiveDirectory
Setting --sign-in-audience AzureADMultipleOrgs registers App1 as a multitenant application: Azure AD users in any tenant can sign in with SSO, administrators of other tenants can add it to their tenant, and personal Microsoft accounts are excluded. AzureADandPersonalMicrosoftAccount also admits personal accounts, which the requirement rules out. The two az webapp auth commands configure App Service authentication for an existing web app; they neither create an app registration nor set its sign-in audience, so they do not produce a gallery entry. az ad app | Microsoft Learn
Single and multi-tenant apps in Azure AD - Microsoft Entra | Microsoft Learn
Configure application security features - Training | Microsoft Learn


Q122. You have a storage account that contains multiple containers, blobs, queues, and tables.
You need to create a key to allow an application to access only data from a given table in the storage account.
Which authentication method should you use for the application?
shared key
account SAS
service SAS
user delegation SAS
A service SAS is the only option that scopes authorization to a single resource such as one table (and, optionally, to a partition key and row key range within it). A user delegation SAS is signed with Azure AD credentials and is available only for Blob storage (and Data Lake Storage Gen2). An account SAS and the shared key both grant access to the storage account as a whole; an account SAS can be limited by service and resource type, but not to one table.
Create a service SAS - Azure Storage | Microsoft Learn
Authorize operations for data access - Azure Storage | Microsoft Learn
Deploy shared access signatures - Training | Microsoft Learn
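As an added example (not from the practice page and not Microsoft's SDK code) that ties Q107 and Q122 together: the reason a service SAS can pin one file to one address, and can be scoped to a single resource, is that the resource path and the signed-IP field are part of the string the account key signs, so the service can enforce them and the token holder cannot change them. The block below builds a per-blob service SAS using the documented string-to-sign layout for service version 2020-12-06, then emulates the service-side check. The account name, key, container, blob names and addresses are constructed; real code should call the SDK's generate_blob_sas rather than re-implement signing. For a table the canonicalized resource is /table/{account}/{table} and the string-to-sign carries partition and row key bounds instead of the blob-specific fields, which is what gives a service SAS its table-level scope.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Service version whose documented string-to-sign layout is reproduced below.
SERVICE_VERSION = "2020-12-06"

# Constructed values (not a real account): a 64-byte key, base64-encoded the
# way the portal shows storage account keys.
ACCOUNT = "contosostore"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
CONTAINER = "reports"
EXAMPLE_START = datetime(2024, 2, 15, 0, 0, tzinfo=timezone.utc)
EXAMPLE_EXPIRY = EXAMPLE_START + timedelta(hours=1)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _string_to_sign(account, container, blob, q):
    # Field order for a blob service SAS (sv >= 2020-12-06). Every value the
    # service will enforce, including sip, is covered by the HMAC.
    return "\n".join([
        q.get("sp", ""), q.get("st", ""), q.get("se", ""),
        f"/blob/{account}/{container}/{blob}",   # canonicalized resource
        q.get("si", ""),                          # stored access policy id
        q.get("sip", ""),                         # allowed source IP or range
        q.get("spr", ""),                         # allowed protocol
        q.get("sv", ""), q.get("sr", ""),
        "",                                       # snapshot time
        "",                                       # encryption scope
        "", "", "", "", "",                       # rscc, rscd, rsce, rscl, rsct
    ])


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry,
                  allowed_ip, protocol="https"):
    """Build the SAS query string for exactly one blob, pinned to allowed_ip."""
    q = {"sv": SERVICE_VERSION, "sr": "b", "sp": permissions,
         "st": _iso(start), "se": _iso(expiry), "sip": allowed_ip, "spr": protocol}
    q["sig"] = _sign(key_b64, _string_to_sign(account, container, blob, q))
    return urlencode(q)


def _ip_allowed(sip, client_ip):
    """sip is a single address or an inclusive 'first-last' range."""
    client = ipaddress.ip_address(client_ip)
    if "-" in sip:
        first, last = (ipaddress.ip_address(p) for p in sip.split("-", 1))
        return first <= client <= last
    return client == ipaddress.ip_address(sip)


def check_blob_sas(account, key_b64, container, blob, query, client_ip, now):
    """Emulate the storage service: recompute the signature over the presented
    parameters, then enforce the validity window and the source IP."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    expected = _sign(key_b64, _string_to_sign(account, container, blob, q))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return "signature mismatch"        # tampered field, wrong blob, or rotated key
    if not (q["st"] <= _iso(now) < q["se"]):   # fixed-width ISO strings compare safely
        return "outside validity window"
    if q.get("sip") and not _ip_allowed(q["sip"], client_ip):
        return "source IP not allowed"
    return "ok"


def issue_per_file_sas(grants, start=EXAMPLE_START, expiry=EXAMPLE_EXPIRY):
    """grants maps blob name -> the one address allowed to read it. One SAS per
    file scales past the 200-rule limit of the storage account firewall."""
    return {blob: make_blob_sas(ACCOUNT, ACCOUNT_KEY_B64, CONTAINER, blob, "r",
                                start, expiry, ip)
            for blob, ip in grants.items()}


def demo():
    """Exercise the checks with constructed addresses; returns a result map."""
    tokens = issue_per_file_sas({"q1.pdf": "203.0.113.10",
                                 "q2.pdf": "203.0.113.0-203.0.113.255"})
    now = EXAMPLE_START + timedelta(minutes=10)
    check = lambda blob, tok, ip, when=now: check_blob_sas(
        ACCOUNT, ACCOUNT_KEY_B64, CONTAINER, blob, tok, ip, when)
    t1, t2 = tokens["q1.pdf"], tokens["q2.pdf"]
    return {
        "right_ip": check("q1.pdf", t1, "203.0.113.10"),
        "wrong_ip": check("q1.pdf", t1, "198.51.100.7"),
        "in_range": check("q2.pdf", t2, "203.0.113.77"),
        "other_blob": check("q2.pdf", t1, "203.0.113.10"),
        "rewritten_sip": check("q1.pdf", t1.replace("sip=203.0.113.10", "sip=198.51.100.7"),
                               "198.51.100.7"),
        "expired": check("q1.pdf", t1, "203.0.113.10", EXAMPLE_EXPIRY + timedelta(seconds=1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

The rewritten_sip case is the one that matters for Q107: the holder can edit the sip parameter in the URL, but the service recomputes the HMAC over the presented parameters and the edited token no longer verifies. Note also that the check order mirrors the service: a bad signature is rejected before expiry or IP are even considered.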
Q123. You have an Azure virtual machine named VM1 that runs Windows Server 2022.
A programmer is writing code to run on VM1. The code will use the system-assigned managed identity assigned to VM1 to access Azure resources.
Which endpoint should the programmer use to request the authentication token required to access the Azure resources?
Azure AD v1.0
Azure AD v2.0
Azure Instance Metadata Service
Azure Resource Manager (ARM)
Azure Instance Metadata Service (IMDS) is a REST endpoint available to every IaaS virtual machine created through Azure Resource Manager (ARM). It listens on the well-known link-local address 169.254.169.254, which is reachable only from inside the virtual machine, and requires the header Metadata: true on every request so that the token cannot be fetched through a simple server-side request forgery or a redirect. The code requests a token for the target resource from IMDS and then presents that token to the resource. The Azure AD v1.0 and v2.0 endpoints authenticate work, school and personal accounts with credentials the caller holds, which a managed identity by design does not. The ARM endpoint is where the token is sent once it has been obtained from IMDS; it does not issue tokens.
Enable managed identities - Training | Microsoft Learn
Review the Microsoft identity platform - Training | Microsoft Learn
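An added example (not the page's own and not Microsoft's client library) of the flow described in the Q123 answer, with the HTTP transport injectable so it runs offline: it builds the IMDS token request with the mandatory Metadata header and proxies disabled, parses the token document, checks expiry, and shows the token being turned into the Authorization header later sent to the target service. The endpoint address, path, api-version and header are the documented ones; fake_imds_fetch and the token value it returns are constructed stand-ins.

```python
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlencode

IMDS_HOST = "http://169.254.169.254"           # link-local; reachable only from inside the VM
IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for the IMDS token endpoint. The Metadata header is
    mandatory: IMDS rejects requests without it, which stops a plain SSRF or a
    browser redirect from harvesting the VM's identity token."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:                       # select one user-assigned identity explicitly
        params["client_id"] = client_id
    return f"{IMDS_HOST}{IMDS_TOKEN_PATH}?{urlencode(params)}", {"Metadata": "true"}


def imds_fetch(url, headers):
    """Real transport: plain HTTP to the link-local address with proxies disabled,
    because IMDS traffic must never leave the VM. Only works on an Azure VM."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fake_imds_fetch(url, headers):
    """Constructed stand-in for the VM's IMDS so the flow runs offline. It mirrors
    the two behaviours that matter here: the header check and the token shape."""
    if headers.get("Metadata") != "true":
        return 400, b'{"error":"Missing Metadata header"}'
    if not url.startswith(IMDS_HOST + IMDS_TOKEN_PATH + "?"):
        return 404, b""
    return 200, json.dumps({
        "access_token": "eyJ.constructed.token",   # constructed, not a real JWT
        "expires_on": str(int(time.time()) + 3600),
        "resource": "https://vault.azure.net",
        "token_type": "Bearer",
    }).encode()


def get_token(resource, fetch=imds_fetch, client_id=None, now=time.time):
    """Ask IMDS for a token for `resource` and return the parts the caller needs."""
    url, headers = build_token_request(resource, client_id)
    status, body = fetch(url, headers)
    if status != 200:
        raise RuntimeError(f"IMDS returned HTTP {status}: {body[:120]!r}")
    doc = json.loads(body)
    expires_on = int(doc["expires_on"])         # epoch seconds, as IMDS reports it
    if expires_on <= now():
        raise RuntimeError("IMDS returned an already-expired token")
    return {"access_token": doc["access_token"], "expires_on": expires_on,
            "resource": doc.get("resource", resource)}


def bearer_header(token):
    """The token is presented to the target (ARM, Key Vault, ...) in the
    Authorization header; it is never sent back to IMDS."""
    return {"Authorization": f"Bearer {token['access_token']}"}


if __name__ == "__main__":
    tok = get_token("https://vault.azure.net", fetch=fake_imds_fetch)
    print(bearer_header(tok))
```

On a real VM, calling get_token("https://management.azure.com/") without the fetch argument uses imds_fetch and returns a token for ARM; the resource value must match the audience the target service expects, which is why it is part of the request rather than fixed in the code.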
Q124. You deploy Azure AD Privileged Identity Management (PIM).
You need to ensure that users assigned a role named role1 are required to request approval whenever they perform an action allowed by the role.
Which type of assignment should you configure for role1?
eligible and permanent
eligible and time-bound
active and permanent
active and time-bound
An eligible assignment means users hold the role only after activating it, and activation is where PIM enforces the approval requirement (together with MFA and justification, if configured). Time-bound eligibility adds an end date, after which the user must be reassigned before they can activate again, so access is reviewed rather than held indefinitely; this is the intended answer. An active assignment, whether permanent or time-bound, grants the role outright: no activation takes place, so no approval is requested.
Assign Azure AD roles in PIM - Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure privileged identity management scope - Training | Microsoft Learn
Q125. You have an Azure subscription named Sub1 that is linked to an Azure AD tenant. The tenant contains a user named Admin1.
Sub1 contains an Azure Policy definition assignment named Assignment1. The definition includes the deployIfNotExists effect.
You need to grant Admin1 permission to include a remediation task for Assignment1. The solution must use the principle of least privilege.
Which role should you assign to Admin1?
Contributor
Owner
Resource Policy Contributor
Compliance Administrator
Resource Policy Contributor grants the rights to create and modify resource policy, create support tickets, and read resources and the resource hierarchy, and it includes the Microsoft.PolicyInsights actions needed to create a remediation task for Assignment1. Owner grants full rights, which violates the principle of least privilege. Contributor is not the least-privilege choice either: it carries write access to every resource type in scope, far more than remediation requires. Compliance Administrator is an Azure AD role, not an Azure RBAC role, and grants nothing in the subscription.
Compare and contrast Azure RBAC vs Azure policies - Training | Microsoft Learn
Azure AD built-in roles - Azure Active Directory - Microsoft Entra | Microsoft Learn
Azure built-in roles - Azure RBAC | Microsoft Learn
Q126. You have a workload in Azure that uses multiple virtual machines and Azure functions to access data in a storage account.
You need to ensure that all access to the storage account is done by using a single identity. The solution must reduce the overhead of managing the identity.
Which type of identity should you use?
user
group
user-assigned managed identity
system-assigned managed identity
A user-assigned managed identity is a standalone Azure resource that can be assigned to many virtual machines and function apps at once, and Azure rotates its credentials for you. A user account would require you to store and rotate a password or certificate in each workload. A group is not a security principal that can authenticate; it only aggregates principals. A system-assigned managed identity is bound to exactly one resource, so each virtual machine and function app would get its own identity and its own set of role assignments.
Managed identities for Azure resources - Microsoft Entra | Microsoft Learn
Enable managed identities - Training | Microsoft Learn

The database is protected by copyright ©ininet.org 2024