Az 500 Exam - Free Actual QAs Page 1 Examtopics Practice For Cissp
https://www.examtopics.com/exams/microsoft/az-500/custom-view/ 1/311
27/11/2020 AZ-500 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #1 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You generate new SASs.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Instead you should create a new stored access policy.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
For Account Level SAS, regenerating the access key is the only possibility.
upvoted 4 times
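The two revocation mechanisms described in the answer and in the comment above (deleting the stored access policies, and regenerating the account keys for the account-level SAS case) combined into one PowerShell script. This is an added example, not code from ExamTopics or from Microsoft; it assumes the Az.Accounts and Az.Storage modules, a signed-in session with rights on the account, and that the account from the question is named sa1 in lowercase (storage account names are always lowercase).

```powershell
# Added example (not from the ExamTopics page): revoke every SAS issued for
# storage account Sa1 in resource group RG1.
# Assumes Az.Accounts + Az.Storage and an existing Connect-AzAccount session.
#   1. delete every stored access policy  -> invalidates SAS bound to a policy
#   2. regenerate both account keys       -> invalidates ad hoc service SAS and
#                                            account-level SAS signed with them
param(
    [string]$ResourceGroup = 'RG1',
    [string]$AccountName   = 'sa1'   # lowercase form of the question's Sa1
)

$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName
$ctx     = $account.Context

# --- 1a. stored access policies on the blob service ------------------------
foreach ($container in Get-AzStorageContainer -Context $ctx) {
    $policies = Get-AzStorageContainerStoredAccessPolicy -Container $container.Name -Context $ctx
    foreach ($p in $policies) {
        Write-Host "Removing policy '$($p.Policy)' from container '$($container.Name)'"
        Remove-AzStorageContainerStoredAccessPolicy -Container $container.Name -Policy $p.Policy -Context $ctx
    }
}

# --- 1b. stored access policies on the file service ------------------------
foreach ($share in Get-AzStorageShare -Context $ctx) {
    $policies = Get-AzStorageShareStoredAccessPolicy -ShareName $share.Name -Context $ctx
    foreach ($p in $policies) {
        Write-Host "Removing policy '$($p.Policy)' from share '$($share.Name)'"
        Remove-AzStorageShareStoredAccessPolicy -ShareName $share.Name -Policy $p.Policy -Context $ctx
    }
}

# --- 2. rotate both account keys -------------------------------------------
# A SAS is an HMAC over its parameters with an account key, so regenerating
# the key makes every token signed with it fail validation. Both keys are
# rotated because a SAS may have been signed with either one.
foreach ($key in 'key1', 'key2') {
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyName $key | Out-Null
    Write-Host "Regenerated $key"
}
```

Deleting a policy revokes the SAS tokens bound to it immediately; regenerating a key revokes every SAS signed with that key, including account-level SAS, which no stored access policy can cover. Key regeneration also breaks any client that authenticates with the key itself, so outside an incident rotate one key at a time and repoint clients in between.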
Question #2 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a new stored access policy.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
Can you also revoke, delete, or modify an existing stored access policy? Sure, but that is not what this question is asking. Can access to a
SAS be revoked by creating a new stored access policy? Yes.
upvoted 11 times
Shared access signatures provide access to a particular resource such as a blob. Stored access policies are a group of Shared Access
Signatures (SAS). In order to revoke access to a SAS you can either:
1. Rotate Key1 or Key2, that is, the access keys used to sign the SAS. Rotating the access keys used to sign the SAS invalidates
any previously signed SAS, hence revoking the SAS issued before.
2. Remove the stored access policy which an SAS is linked to. If a Stored Access Policy is removed, it also invalidates the SASs linked to
the Stored Access Policy.
Creating a new Stored Access Policy? Well, it just creates a new Stored Access Policy and does nothing to existing SAS and Stored
Access Policy.
So, the correct answer is 'No'.
upvoted 4 times
B, for sure
upvoted 1 times
1. https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-polic
2. https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions
upvoted 1 times
So, you can add a new Stored Access Policy and give it an immediate expiration datetime. This will essentially revoke all SAS.
upvoted 2 times
Well, I searched for all possible solutions to this question and all others were a "No". There has to be one with a "Yes", right? So, despite
the fact that one can generate more stored access policies and creating a new stored access policy doesn't revoke an already existing one,
I tend to go to a "Yes". I think that the creator of this question wants to use the new stored access policy and remove the other. Yes, I
know it's not in the solution's answer, but there has to be one of the solutions with a correct answer, right?
Question #3 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy the On-premises data gateway to the on-premises network.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:
✑ Create Azure Virtual Network.
✑ Create a custom DNS server in the Azure Virtual Network.
✑ Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
✑ Configure forwarding between the custom DNS server and your on-premises DNS server.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
Question #4 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You create a site-to-site VPN between the virtual network and the on-premises network.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
You can connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:
✑ Create Azure Virtual Network.
✑ Create a custom DNS server in the Azure Virtual Network.
✑ Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
✑ Configure forwarding between the custom DNS server and your on-premises DNS server.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
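The name-resolution actions listed after the answer (custom DNS server in the virtual network, virtual network pointed at it, forwarding to the on-premises DNS servers) as PowerShell, serving both Question #3 and Question #4. This is an added example, not code from ExamTopics or from the HDInsight documentation. It assumes the site-to-site VPN is already up, that the cluster's virtual network already exists (so the "Create Azure Virtual Network" step is skipped), the Az.Network module on the administrator's workstation, and the DnsServer module on a Windows Server DNS VM inside the virtual network. The resource group, virtual network name, IP addresses and the on-premises domain name contoso.local are placeholders.

```powershell
# Added example (not from the ExamTopics page). Placeholders: RG-HDI,
# vnet-hdi, 10.1.0.4 (DNS VM in the VNet), 192.168.0.10/11 (on-premises DNS),
# contoso.local (on-premises AD domain).

# --- Azure side (Az.Network): point the virtual network at the custom DNS --
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'RG-HDI' -Name 'vnet-hdi'

# Replace the default Azure recursive resolver with the private IP of the
# DNS VM deployed in the VNet; VMs pick the change up on DHCP lease renewal.
$vnet.DhcpOptions.DnsServers = @('10.1.0.4')
$vnet | Set-AzVirtualNetwork | Out-Null

# --- DNS VM side (DnsServer module, run on 10.1.0.4) ------------------------
# Queries for the on-premises AD domain are sent over the VPN to the
# on-premises DNS servers (conditional forwarder) ...
Add-DnsServerConditionalForwarderZone -Name 'contoso.local' `
    -MasterServers '192.168.0.10', '192.168.0.11'

# ... and everything else goes to the Azure-provided resolver, so the
# cluster's own internal names keep resolving.
Set-DnsServerForwarder -IPAddress '168.63.129.16'

# Check from inside the VNet: the domain-controller locator SRV record must
# resolve, otherwise domain-joined authentication against on-premises AD
# cannot find a DC no matter how the VPN is configured.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.local' -Type SRV -Server '10.1.0.4'
```

The final Resolve-DnsName call is the check a practitioner wants before touching the cluster: if the SRV lookup fails, the problem is DNS forwarding or the VPN, not the authentication configuration.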
HDInsight can authenticate to Active Directory directly and therefore the VPN is required.
upvoted 1 times
Creating a site to site VPN will simply just enable connectivity between the on premise network and the HDInsight cluster but not fulfil the
authentication via on premises AD.
So without exact knowledge of the configuration of the Hybrid AD, any AD connect etc. it is impossible to say for sure that would work.
You could take it further and say it is impossible to know as you don't know the config of the HD cluster, any NSGs etc. I always find these
ambiguous questions a bit annoying if I have the knowledge to answer them but the details are too blurry.
upvoted 8 times
Btw, this same question is repeated without the "Hybrid" AD scenario, where the S2S-VPN isn't the solution and the answer will be NO.
upvoted 1 times
"HDInsight relies on a popular identity provider--Active Directory--in a managed way. By integrating HDInsight with Azure Active Directory
Domain Services (Azure AD DS), you can access the clusters by using your domain credentials."
I conclude that to join the HDInsight cluster to your AD DS services (domain join) you need connectivity to your domain controllers. As
the environment is Hybrid we know there are almost certainly DCs on premise, so even if there are DCs on that vNet there needs to be a VPN
or ExpressRoute circuit to support AD integrated authentication. I do not believe HDInsight supports AAD authentication so AD Connect
is neither here nor there.
I'm reading:
Does a site-to-site VPN allow auth to the cluster on the vNET?
NO. VPN encrypts... auth is more like hash or PTA and not encryption. It is a step if it was a new configuration but it states the cluster is
already on the vnet...
upvoted 2 times
Question #5 Topic 1
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.
Correct Answer: B
Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically
applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on,
password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
Incorrect Answers:
A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing
federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls
outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the
authentication load.
C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents
must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need
outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter
network.
Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to
authentication requests.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
1. AAD PW HASH Synchronization is the SIMPLEST (yes I literally bold that) way to enable authentication for on-premises directory objects
in Azure AD and use on-premises resources WITHOUT (yes I literally bold that too) having to deploy any additional infrastructure.
2. AAD PTA provides a SIMPLE (not simplest) password validation for Azure AD authentication services by using a software agent that runs
on ONE or MORE (yes I bold that one again) on-premises servers.
This requirement means one that involves the least effort to implement
upvoted 1 times
C is correct.
upvoted 1 times
"Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours
might use this authentication method. For more information on the actual pass-through authentication process, see User sign-in with
Azure AD pass-through authentication."
upvoted 1 times
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises
components."
So, PHS cannot be the answer and only PTA can do it. Req also says reduce servers so PTA meets that requirement too since you do not
need any additional infra and the agent installs on existing Domain Controllers.
upvoted 2 times
Quick note for me to remember: Password Hash can only deal with username / password, not for password policies.
upvoted 1 times
Anyone know?
upvoted 1 times
"Advanced scenarios:" Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is
denied when an on-premises user’s account state is disabled, locked out, or their password expires or the logon attempt falls outside the
hours when the user is allowed to sign in."
but it does require having multiple agents, but I think the reason they said least server use is because ADFS requires a farm of servers
" Federated systems typically require a load-balanced array of servers, known as a farm. This farm is configured in an internal network and
perimeter network topology to ensure high availability for authentication requests."
Ref : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
upvoted 2 times
Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
The flow-chart on that page is confusing, and (frankly) sucks. Read through the details of each detailed authentication method. The
Advanced Scenarios (3rd bullet) underneath Pass-Through Authentication spells it out plainly.
upvoted 1 times
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.
https://www.youtube.com/watch?v=PyeAC85Gm7w
upvoted 1 times
Question #6 Topic 1
Correct Answer: A
Use the Synchronization Rules Editor and write an attribute-based filtering rule.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration
Answer is correct
upvoted 1 times
Question #7 Topic 1
DRAG DROP -
You are implementing conditional access policies.
You must evaluate the existing Azure Active Directory (Azure AD) risk events and risk levels to configure and implement the policies.
You need to identify the risk level of the following risk events:
✑ Users with leaked credentials
✑ Impossible travel to atypical locations
✑ Sign-ins from IP addresses with suspicious activity
Which level should you identify for each risk event? To answer, drag the appropriate levels to the correct risk events. Each level may be used once,
more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Azure AD Identity protection can detect six types of suspicious sign-in activities:
✑ Users with leaked credentials
✑ Sign-ins from anonymous IP addresses
✑ Impossible travel to atypical locations
✑ Sign-ins from infected devices
✑ Sign-ins from IP addresses with suspicious activity
References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/#:~:text=These%20six%2Dtypes%20of%20events,%E2%80%93%20High%2C%20Medium%20%26%20Low.&text=We%20can%20use%20these%20risk,to%20protect%20sensitive%20application%20access.
upvoted 2 times
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
upvoted 8 times
DOCS: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#sign-ins-from-ip-addresses-with-suspicious-activity
upvoted 1 times
Medium:
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-in from unfamiliar locations
Sign-ins from IP addresses with suspicious activity
Low:
Sign-ins from infected devices
upvoted 14 times
There is only one Low risk event type and that is Sign in from infected devices. Remember infected devices, infected devices, infected
devices, Low!
upvoted 7 times
https://www.vansurksum.com/2020/04/07/azure-ad-identity-protection-deep-dive/
upvoted 1 times
"Microsoft's recommendation is to set the user risk policy threshold to High and the sign-in risk policy to Medium and above."
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#choosing-acceptable-risk-levels
upvoted 2 times
"Risk levels
Identity Protection categorizes risk into three tiers: low, medium, and high.
While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the
user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as
threatening as leaked credentials for another user."
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
upvoted 2 times
This page shows all the alerts and the severity; strangely enough the only table without a severity column is "virtual machine".
Below I have copy-pasted the description for the same alert regarding storage account.
I do not see any reason for having different severity for virtual machine and storage account, but this is no guarantee...
Alert
PREVIEW – Access from a Suspicious IP address
Description
Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered
by Microsoft Threat Intelligence.
Learn more about Microsoft's threat intelligence capabilities.
Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
Severity
Medium
upvoted 1 times
Frankly speaking, the official page at Microsoft doesn't help much to settle this debate:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-levels
"While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the
user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as
threatening as leaked credentials for another user."
upvoted 1 times
The answer is right. Seems the table was taken from here.
https://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/#:~:text=These%20six%2Dtypes%20of%20events,%E2%80%93%20High%2C%20Medium%20%26%20Low.&text=We%20can%20use%20these%20risk,to%20protect%20sensitive%20application%20access.
upvoted 1 times
Microsoft does not provide specific details about how risk is calculated
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
upvoted 2 times
Question #8 Topic 1
HOTSPOT -
You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:
✑ Assignment: Include Group1, Exclude Group2
✑ Conditions: Sign-in risk of Medium and above
✑ Access: Allow access, Require password change
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Box 2: Yes -
User2 is a member of Group1. Sign-in from an anonymous IP address is risk level Medium.
Box 3: No -
Sign-ins from IP addresses with suspicious activity is low.
Note:
Azure AD Identity protection can detect six types of suspicious sign-in activities:
✑ Users with leaked credentials
✑ Sign-ins from anonymous IP addresses
✑ Impossible travel to atypical locations
✑ Sign-ins from infected devices
✑ Sign-ins from IP addresses with suspicious activity
✑ Sign-ins from unfamiliar locations
These six types of events are categorized into three levels of risk: High, Medium, and Low.
References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
Therefore the risk would be low and policy would not be triggered
Answer is therefore
Yes
No
No
Does anyone have a link from Microsoft that states exclusions from policies take precedence?
upvoted 8 times
"When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action
overrides an include in policy."
upvoted 1 times
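The evaluation the policy in Question #8 performs (scope by included and excluded groups, where an exclusion overrides an inclusion as the comment above quotes, then the sign-in risk threshold) as a small PowerShell evaluator. This is an added example, not code from ExamTopics or from Microsoft. The risk level per detection is taken from the comments above; the users, their group memberships and their sign-in events are constructed, because the question's user table is an image that did not survive extraction.

```powershell
# Added example (not from the ExamTopics page): evaluate the Question #8
# user risk policy against constructed users. No Azure connection needed.

# Risk level per detection, as listed in the comments on Question #7.
$RiskLevelOf = @{
    'Users with leaked credentials'                       = 'High'
    'Sign-ins from anonymous IP addresses'                = 'Medium'
    'Impossible travel to atypical locations'             = 'Medium'
    'Sign-ins from unfamiliar locations'                  = 'Medium'
    'Sign-ins from IP addresses with suspicious activity' = 'Medium'
    'Sign-ins from infected devices'                      = 'Low'
}

# The policy from the question: Include Group1, Exclude Group2,
# sign-in risk Medium and above, allow access but require a password change.
$Policy = @{
    Include     = @('Group1')
    Exclude     = @('Group2')
    MinimumRisk = 'Medium'
}

function Test-PasswordChangeRequired {
    param(
        [hashtable]$Policy,
        [string[]]$UserGroups,
        [string]$RiskEvent,
        [hashtable]$RiskLevelOf
    )
    $rank = @{ None = 0; Low = 1; Medium = 2; High = 3 }

    # Rule 1: an exclusion always overrides an inclusion.
    foreach ($g in $UserGroups) {
        if ($Policy.Exclude -contains $g) { return $false }
    }
    # Rule 2: the user must be in scope through at least one included group.
    $inScope = $false
    foreach ($g in $UserGroups) {
        if ($Policy.Include -contains $g) { $inScope = $true }
    }
    if (-not $inScope) { return $false }
    # Rule 3: the detection's risk level must meet the policy threshold.
    # An event not in the table is treated as no risk.
    $level = if ($RiskLevelOf.ContainsKey($RiskEvent)) { $RiskLevelOf[$RiskEvent] } else { 'None' }
    return $rank[$level] -ge $rank[$Policy.MinimumRisk]
}

# Constructed users (not the question's table). Each one exercises a rule:
#   UserA - in scope, High risk event
#   UserB - in scope, Medium risk event (exactly at the threshold)
#   UserC - in scope, Low risk event (the "infected device" case from the comment above)
#   UserD - in Group1 AND Group2, so the exclusion rule applies
#   UserE - in neither group, so out of scope entirely
$Scenarios = @(
    @{ User = 'UserA'; Groups = @('Group1');           Event = 'Users with leaked credentials' }
    @{ User = 'UserB'; Groups = @('Group1');           Event = 'Sign-ins from anonymous IP addresses' }
    @{ User = 'UserC'; Groups = @('Group1');           Event = 'Sign-ins from infected devices' }
    @{ User = 'UserD'; Groups = @('Group1', 'Group2'); Event = 'Users with leaked credentials' }
    @{ User = 'UserE'; Groups = @('Group3');           Event = 'Users with leaked credentials' }
)

foreach ($s in $Scenarios) {
    $verdict = Test-PasswordChangeRequired -Policy $Policy -UserGroups $s.Groups `
        -RiskEvent $s.Event -RiskLevelOf $RiskLevelOf
    '{0} ({1}): {2} -> password change required: {3}' -f $s.User, ($s.Groups -join ','), $s.Event, $verdict
}
```

To see the disagreement on this page reproduced, set the table entry for sign-ins from IP addresses with suspicious activity to Low (the rating the official answer uses) and add a scenario with that event: the verdict for that user flips from required to not required while nothing else changes.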
Source:
https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-active-directory-identity/ba-p/1320887
upvoted 1 times
If User2 signs in from an anonymous IP address, she must change her password
If User3 signs in from a computer containing malware that is communicating with known bots servers, he must change his password
upvoted 1 times
Question #9 Topic 1
DRAG DROP -
You need to configure an access review. The review will be assigned to a new collection of reviews and reviewed by resource owners.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-programs-controls
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
You configure an access review named Review1 as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
I believe this is wrong and the answer to the 2nd drop down is user2 will retain the Password admin role. This is because everything I can see
relating to smart recommendations (which are configured to take effect if the user doesn't complete the review in the allotted time)
suggests that the recommended action is Deny if the user hasn't logged in after 30 days. User 2 logs in bi-weekly so wouldn't trigger this
recommendation.
upvoted 18 times
I don't see how the User3 would receive a confirmation request, makes no sense to me.
upvoted 13 times
manually?
conclusion, User 2 will retain his privilege until he himself or a Global Admin takes action. Policy just flags it as non-compliance??
upvoted 4 times
Answer is correct.
User2 will retain the role until user3 makes the decision to remove the access or leave the user's access unchanged. Since "auto
apply results" is disabled, user3 will receive a mail notification on the decision of the access review.
upvoted 4 times
No change - Leave user's access unchanged (User 2 will retain the role)
Remove access - Remove user's access (role will be revoked)
Approve access - Approve user's access (no answer option)
Take recommendations - Take the system's recommendation on denying or approving the user's continued access (The current selected
option)
Since it's not set to explicit revoke, or unchanged we only have option 3 left, "retrieve a confirmation request"
upvoted 1 times
conclusion, User 2 will retain his privilege until he himself or a Global Admin takes action
upvoted 1 times
DRAG DROP -
You create an Azure subscription.
You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
PA 5 months ago
But after Consent to PIM , it requires you to verify your identity with MFA
upvoted 1 times
"When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in
Azure AD and selects a role (or even just visits Privileged Identity Management): We automatically enable PIM for the organization..."
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
upvoted 1 times
HOTSPOT -
Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.
The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 2: No -
Use of Microsoft Authenticator is not required.
Note: Microsoft Authenticator is a multifactor app for mobile devices that generates time-based codes used during the Two-Step Verification process.
Box 3: No -
The New York IP address subnet is included in the "skip multi-factor authentication for requests" setting.
References:
https://www.cayosoft.com/difference-enabling-enforcing-mfa/
For the first statement, because User1 is Enabled and not Enforced, the MUST sounds wrong.
upvoted 5 times
right ones
upvoted 16 times
Disabled
This is the default state for a new user not enrolled in multi-factor authentication.
Enabled
The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to
complete the process the next time they sign in.
Enforced
The user may or may not have completed registration. If they have completed the registration process then they are using multi-factor
authentication. Otherwise, the user will be prompted to complete the process at next sign-in.
upvoted 2 times
In this case the public IP address is already added to the excluded IPs.
upvoted 8 times
question 14
???
upvoted 1 times
Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active
Directory (Azure AD) tenant.
You need to configure each subscription to have the same role assignments.
What should you use?
B. Azure Blueprints
D. Azure Policy
Correct Answer: C
The Azure AD Privileged Identity Management (PIM) service also allows Privileged Role Administrators to make permanent admin role
assignments.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
Oz 12 months ago
The same question is answered later with Azure Blueprints, and the reference provided covers the question 100%.
So the correct answer is Azure Blueprints.
upvoted 31 times
Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects
and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an
organization's standards, patterns, and requirements.
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Role Assignments
Policy Assignments
Azure Resource Manager templates
Resource Groups
upvoted 2 times
I don't pretend to know everything about Azure, but the fierce discussions per question make me wonder if this platform is good enough
for my exam preparations.
I know this message is moderated before publishing. Please do something about the quality.
upvoted 3 times
HOTSPOT -
You have an Azure Container Registry named Registry1.
You add role assignment for Registry1 as shown in the following table.
Which users can upload images to Registry1 and download images from Registry1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles
upvoted 13 times
Correct Answer: BE
B: You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have your
users access it using either www.contoso.com or contoso.com as a fully qualified domain name (FQDN).
To do this, you have to create three records:
A root "A" record pointing to contoso.com
A root "TXT" record for verification
A "CNAME" record for the www name that points to the A record
E: To map a custom DNS name to a web app, the web app's App Service plan must be a paid tier (Shared, Basic, Standard, Premium or Consumption for Azure Functions).
Scale up the App Service plan: Select any of the non-free tiers (D1, B1, B2, B3, or any tier in the Production category).
References:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
As the second answer we could choose "adding a deployment slot" for safety reasons, but again it is not a necessity for users to access the
website.
upvoted 1 times
There is no charge to use SNI-based SSL. Standard and Premium service plans include the right to use one IP SSL at no additional
charge. Free and shared service plans do not support SSL. You can purchase the right to use additional SSL connections for the rates
below. In all cases the SSL certificate itself must be purchased separately.
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
upvoted 1 times
Explanation:
B: You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have
your users access it
using either www.contoso.com or contoso.com as a fully qualified domain name (FQDN). To do this, you have to create three records:
A root "A" record pointing to contoso.com
A root "TXT" record for verification
A "CNAME" record for the www name that points to the A record
F: To use HTTPS, you need to upload a PFX file to the Azure Web App. The PFX file will contain the SSL certificate required for HTTPS.
References: https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
upvoted 4 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access
policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a lock on Sa1.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:
✑ Create Azure Virtual Network.
✑ Create a custom DNS server in the Azure Virtual Network.
✑ Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
✑ Configure forwarding between the custom DNS server and your on-premises DNS server.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
As they already have a hybrid environment set up, I believe access to the existing DCs is required to satisfy the question. Enabling Azure
AD DS is really only recommended for legacy applications that require AD DS when you do not already have domain services;
although it will replicate the users with a sync engine in the background, I hesitantly say the suggested answer is correct on a
technicality.
Additionally, I agree that interpretation is certainly open to challenge and, furthermore, these HDInsight questions seem to be well out of
scope of this exam and ambiguous at best.
upvoted 5 times
PA 5 months ago
Just wanted to confirm, is the correct answer B?
upvoted 2 times
Your network contains an Active Directory forest named contoso.com. You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to configure synchronization by using the Express Settings installation option in Azure AD Connect.
You need to identify which roles and groups are required to perform the planned configuration. The solution must use the principle of least
privilege.
Which two roles and groups should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct Answer: CE
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
DRAG DROP -
You create an Azure subscription with Azure AD Premium P2.
You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Some persons argued in earlier posts that MFA comes before consenting to PIM
upvoted 1 times
Stuudent 2 weeks, 6 days ago
Outdated?
When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in
Azure AD and selects a role (or even just visits Privileged Identity Management):
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
upvoted 2 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy an Azure AD Application Proxy.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:
✑ Create Azure Virtual Network.
✑ Create a custom DNS server in the Azure Virtual Network.
✑ Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
✑ Configure forwarding between the custom DNS server and your on-premises DNS server.
Reference:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access
policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You regenerate the access keys.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Instead you should create a new stored access policy.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
affects all of the shared access signatures associated with it.
Reference:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
This states 4: the ACCOUNT key that was used to create the SAS was regenerated.
The answer states the "access" key - therefore I believe the answer to be correct as stated.
upvoted 12 times
This states 4: the ACCOUNT key that was used to create the SAS was regenerated.
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
upvoted 2 times
faltu1985 6 months, 3 weeks ago
I just tested it also. Ans should be Yes
upvoted 2 times
Regenerating access keys will invalidate the SAS signed by the access key.
So when presented with a Shared Access Signature, the signature will be verified by the signer. Who signed the SAS? Well, one of the
access keys was used to sign the SAS. Now that the access keys are regenerated, it renders the old SAS ineffective.
upvoted 7 times
Correct Answer: A
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier
breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy
immediately affects all of the shared access signatures associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
upvoted 1 times
"A shared access signature URI is associated with the account key used to create the signature, and the associated stored access policy (if
any). If no stored access policy is specified, the only way to revoke a shared access signature is to change the account key."
Here is the link: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-storage-sharedaccesssignature-permissions#shared-access-signatures
upvoted 3 times
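The revocation mechanics argued over in the comments above (and in the Microsoft docs passage they quote), as an added Python model that is not part of the original page or of any Azure SDK: a service SAS is an HMAC-SHA256 over a string-to-sign, computed with one of the account's access keys, so regenerating that key invalidates every SAS it signed, whereas a SAS bound to a stored access policy is revoked the moment the policy is deleted or renamed. The account name, key material, container, policy name and the shortened string-to-sign layout are constructed assumptions; the model also walks through the other solutions in this question series (generating new SASs, adding a resource lock) to show that neither touches anything an existing token was signed with.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def new_account_key() -> str:
    """Constructed stand-in for a storage account access key (base64, like the real ones)."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


@dataclass
class StorageAccount:
    """Minimal model of Sa1: two access keys, stored access policies per container, a lock."""
    name: str
    keys: dict = field(default_factory=dict)      # key name -> base64 key material
    policies: dict = field(default_factory=dict)  # container -> {signed identifier -> policy}
    lock: str = ""                                # ARM resource lock level (control plane only)


def string_to_sign(account: str, container: str, permissions: str, start: str,
                   expiry: str, identifier: str) -> str:
    # Shortened string-to-sign (assumption): the real service SAS also covers IP range,
    # protocol, service version and response-header overrides, omitted here for brevity.
    return "\n".join([permissions, start, expiry, f"/blob/{account}/{container}", identifier])


def hmac_sig(key_b64: str, text: str) -> str:
    """HMAC-SHA256 of the string-to-sign under one account key, base64-encoded like a real sig."""
    digest = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def issue_sas(acct: StorageAccount, key_name: str, container: str, *, permissions: str = "",
              expiry: str = "", identifier: str = "") -> dict:
    """Ad hoc SAS: permissions/expiry ride in the token. Policy SAS: only the identifier does."""
    token = {"sp": permissions, "st": "", "se": expiry, "si": identifier}
    sts = string_to_sign(acct.name, container, permissions, "", expiry, identifier)
    token["sig"] = hmac_sig(acct.keys[key_name], sts)
    return token


def validate_sas(acct: StorageAccount, container: str, sas: dict) -> tuple:
    """Server-side check: resolve the policy (if any), then recompute the MAC with each current key."""
    if sas["si"] and sas["si"] not in acct.policies.get(container, {}):
        # Deleting or renaming the policy breaks this association for every SAS that used it.
        return False, "stored access policy missing (deleted or renamed)"
    # acct.lock is deliberately never consulted: locks guard ARM operations, not data-plane requests.
    sts = string_to_sign(acct.name, container, sas["sp"], sas["st"], sas["se"], sas["si"])
    for key in acct.keys.values():  # the service does not know which key signed; it tries both
        if hmac.compare_digest(hmac_sig(key, sts), sas["sig"]):
            return True, "ok"
    return False, "signature matches no current account key"


def revocation_scenarios() -> dict:
    """Apply the candidate solutions from this question series and record which tokens survive."""
    acct = StorageAccount("sa1", keys={"key1": new_account_key(), "key2": new_account_key()})
    acct.policies["logs"] = {"policy1": {"permissions": "rl", "expiry": "2030-01-01T00:00:00Z"}}
    adhoc = issue_sas(acct, "key1", "logs", permissions="rw", expiry="2030-01-01T00:00:00Z")
    bound = issue_sas(acct, "key1", "logs", identifier="policy1")
    r = {"adhoc_valid": validate_sas(acct, "logs", adhoc)[0],
         "bound_valid": validate_sas(acct, "logs", bound)[0],
         # Editing any signed field without the key breaks the MAC.
         "forged_rejected": not validate_sas(acct, "logs", dict(adhoc, sp="rwd"))[0]}

    # Generating new SASs changes nothing the old tokens were signed with.
    issue_sas(acct, "key2", "logs", permissions="r", expiry="2030-01-01T00:00:00Z")
    r["adhoc_after_new_sas"] = validate_sas(acct, "logs", adhoc)[0]

    # A resource lock is a control-plane guard; SAS validation never looks at it.
    acct.lock = "CanNotDelete"
    r["adhoc_after_lock"] = validate_sas(acct, "logs", adhoc)[0]

    # Deleting the stored access policy revokes every SAS bound to it immediately,
    # but ad hoc SASs never referenced it and keep working.
    del acct.policies["logs"]["policy1"]
    r["bound_after_policy_delete"] = validate_sas(acct, "logs", bound)[0]
    r["adhoc_after_policy_delete"] = validate_sas(acct, "logs", adhoc)[0]

    # Regenerating the signing key: the MAC matches neither the new key1 nor key2.
    acct.keys["key1"] = new_account_key()
    r["adhoc_after_key_regen"] = validate_sas(acct, "logs", adhoc)[0]
    return r


if __name__ == "__main__":
    for check, outcome in revocation_scenarios().items():
        print(f"{check:28} {outcome}")
```

The model keeps the defender's view of the problem: an ad hoc SAS can only be killed by rotating the key that signed it (and since the service accepts either key, both keys must be rotated if you do not know which one was used), while a policy-bound SAS can be cut off without touching keys, which is why the question's reference text recommends stored access policies for anything you may need to revoke.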
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
You assign users the Password Administrator role as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to
the role at all times.
Box 2: No -
MFA is disabled for User2 and the setting Require Azure Multi-Factor Authentication for activation is enabled.
Note: Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor
authentication
(MFA) check, providing a business justification, or requesting approval from designated approvers.
Box 3: Yes -
User3 is Group1, which is a Selected Approver Group
Reference:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
Correct answer is :
Yes
No
Yes
upvoted 9 times
YES - User1 Assignment type is Active which allows User1 to have Password Admin role with no action.
YES - User2 has MFA disabled but "Require approval to activate this role" is Enabled. User2 can request an approval.
YES - User3 can activate a password role and approve their own request because User3 is part of Group1 which is the Selected Approver.
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
upvoted 6 times
ACTIVE assignment means you are made a member of the role directly forever or within specific timeframe without ever needing to
request for the role
ELIGIBLE assignment means you are always allowed to request membership of the role, or within specific timeframe. The role assignment
depends on the amount of time configured and if all required actions have been performed (mfa, approvals, etc)
When being a requester and approver for a role you cannot approve or deny. Call it segregation of duties
upvoted 4 times
upvoted 1 times
Y - Assignment is active
N - Activation requires MFA but user2 MFA is disabled.
N - Cannot self-approve even if user3 is part of the group of approver.
upvoted 2 times
You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure SQL Database instance that is configured to support
Azure AD authentication.
Database developers must connect to the database instance and authenticate by using their on-premises Active Directory account.
You need to ensure that developers can connect to the instance by using Microsoft SQL Server Management Studio. The solution must minimize
authentication prompts.
Which authentication method should you recommend?
Correct Answer: A
Use Active Directory password authentication when connecting with an Azure AD principal name using the Azure AD managed domain.
Use this method to authenticate to SQL DB/DW with Azure AD for native or federated Azure AD users. A native user is one explicitly created in
Azure AD and being authenticated using user name and password, while a federated user is a Windows user whose domain is federated with
Azure AD. The latter method
(using user & password) can be used when a user wants to use their windows credential, but their local machine is not joined with the domain
(for example, using a remote access). In this case, a Windows user can indicate their domain account and password and can authenticate to
SQL DB/DW using federated credentials.
Incorrect Answers:
D: Use Active Directory integrated authentication if you are logged in to Windows using your Azure Active Directory credentials from a federated
domain.
References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure
Use this method when connecting with an Azure AD principal name using the Azure AD managed domain. You can also use it for
federated accounts without access to the domain, for example when working remotely.
Use this method to authenticate to SQL DB/DW with Azure AD for native or federated Azure AD users. A native user is one explicitly
created in Azure AD and being authenticated using user name and password, while a federated user is a Windows user whose domain
is federated with Azure AD. The latter method (using user & password) can be used when a user wants to use their windows credential,
but their local machine is not joined with the domain (for example, using a remote access). In this case, a Windows user can indicate
their domain account and password and can authenticate to SQL DB/DW using federated credentials.
upvoted 16 times
Answer is D - based on two reasons: 1) It's mentioned as hybrid connectivity, which means domains are already joined. 2) With fewer
authentication prompts: with integrated, there won't be authentication prompts as it works based on the Windows ticket.
upvoted 9 times
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#active-directory-
password-authentication
A IS CORRECT ANSWER
upvoted 1 times
AD – INTEGRATED: We use this method to connect SQL Database if you are logged in to Windows using your Azure Active Directory
credentials from a FEDERATED domain.
** AD PASSWORD and INTEGRATED are also known as non-interactive meaning no further verification is needed to connect unlike
Universal with MFA (interactive) does.
upvoted 8 times
Database developers must connect to the database instance and authenticate by using their on-premises Active Directory account so the
answer A is correct.
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell
upvoted 1 times
SO, since the question states this is hybrid Azure AD, the answer should be A: Password.
Ref:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell
upvoted 5 times
Active Directory integrated authentication Use this method if you are logged into Windows using your Azure Active Directory credentials
from a federated domain, or a managed domain that is configured for seamless single sign-on for pass-through and password hash
authentication.
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#active-directory-integrated-authentication
upvoted 3 times
"... those who use Azure AD hybrid identities, the Authentication keyword must be set to Active Directory Password."
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#active-directory-integrated-authentication
upvoted 6 times
"All users have computers that run Windows 10 and are hybrid Azure AD joined."
The answer to that question is Active Directory - Integrated due to it having a federated domain: the local credentials are validated against
Azure.
However this question asks to rely solely on on-prem credentials. So the answer to THIS question is A. Active Directory - Password.
upvoted 1 times
However, "Active Directory - Integrated" is used if you are logged in to Windows using your Azure Active Directory credentials from a
"FEDERATED DOMAIN".
upvoted 4 times
You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The
password for the administrator account of each deployment is stored as a secret in different Azure key vaults.
You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during
each deployment.
The name of the key vault and the name of the secret will be provided as inline parameters.
What should you use to construct the resource ID?
B. a linked template
C. a parameters file
D. an automation account
Correct Answer: C
You reference the key vault in the parameter file, not the template. The following image shows how the parameter file references the secret and
passes that value to the template.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter
"You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters file."
upvoted 5 times
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id
because, In either case, you can dynamically generate the resource ID for a key vault secret by using a linked template.
You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters file.
In your parent template, you add the nested template and pass in a parameter that contains the dynamically generated resource ID. The
following image shows how a parameter in the linked template references the secret.
upvoted 2 times
e3rh 7 months, 3 weeks ago
This is useful if you don't want to put any secure value (like a password) in your template or parameter file.
The solution to this is to retrieve the value by referencing the Key Vault and secret in the parameter file. The secret itself is not exposed
because you only reference the Key Vault ID of the secret.
"parameters" : {
    .....
    "adminPassword" : {
        "reference" : {
            "keyVault" : {
                "id" : "/subscriptions/<subscription-id>/resourceGroups/<re-name>/providers/Microsoft.KeyVault/vaults/<vaultname>"
            },
            "secretName" : "ExamplePassword"
        }
    }
}
You can also specify the version of the secret that needs to be retrieved using: "secretVersion"
upvoted 1 times
if you check the pictures in the link, you'll find that answer B, supports the dynamic solution and the picture used to describe it contains
"inline parameter" unlike the answer in the solution.
case closed
upvoted 9 times
You can't dynamically generate the resource ID in the parameters file because template expressions aren't allowed in the parameters file.
upvoted 1 times
upvoted 2 times
B is the Answer
upvoted 3 times
I believe with many the correct solution is C. parameters file. I also asked a bunch of DevOps engineers and they all said parameters file.
upvoted 1 times
Microsoft directly states... "You can't dynamically generate the resource ID in the parameters file because template expressions aren't
allowed in the parameters file."
Why are folks trying to justify the wrong answer with no anecdotal evidence or links to support their answers. You are just confusing
people. Folks, please read the link below and do the lab. Then you will know the answer is B: Linked Template.
Link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-powershell
upvoted 3 times
Here requirements define: "password for the administrator account of each deployment is stored as a secret in different Azure key vaults."
In other words you need to reference a key vault secret that varies based on the current deployment.
Well then a static parameter file with single key vault id won't work.
On the other hand you can't dynamically generate the key vault ID in the parameters file because template expressions aren't allowed in
the parameters file.
But you can pass parameter values to a key vault ID generation template -> which in turn passes as output the dynamically generated key-
vault ID to a another linked template that does the actual VM deployment as its input parameters.
Parameter File with (current key vault info) -> Key Vault ID generating Template -> output: current KeyVaultID -> as inline parameters ->
VM deployment template.
See the more detailed description and the diagram shown on the link:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-dynamic-id
upvoted 1 times
DeepMoon 1 month, 3 weeks ago
So the correct answer is: Linked Template
upvoted 1 times
SS
upvoted 1 times
HOTSPOT -
You create a new Azure subscription that is associated to a new Azure Active Directory (Azure AD) tenant.
You create one active conditional access policy named Portal Policy. Portal Policy is used to provide access to the Microsoft Azure Management
cloud app.
The Conditions settings for Portal Policy are configured as shown in the Conditions exhibit. (Click the Conditions tab.)
The Grant settings for Portal Policy are configured as shown in the Grant exhibit. (Click the Grant tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
Box 1: No -
The Contoso location is excluded
Box 2: Yes -
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
It's a No, NO and NO
upvoted 32 times
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#approved-client-app-requirement
upvoted 1 times
See where it says Grant access? Require MFA and require approved client apps is checked. BUT.. it says require *one* of the selected
controls.
If you're within contoso, the word "must" doesn't apply to you since either of the grant conditions can apply so you don't have to have MFA
controls on your account.
If you're outside of contoso, you don't know whether MFA would apply to you since you're not within the specified location.
The web app thing is a no-brainer. That has to be a no, since the policy is only for people trying to access the Azure management portal.
So answers are:
1) Yes (manage access to Azure portal) - https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
2) No (web services are not defined in the list)
3) No (outside of contoso)
upvoted 3 times
Cloud Apps or Actions section includes Azure Management which means Azure Portal. Not web services.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#microsoft-cloud-applications
PA 5 months ago
Location is included. In case of exclude you will see only two options.
upvoted 1 times
PA 5 months ago
Yes, No, NO
upvoted 2 times
Why?
1. Because Contoso is added to the selected location in the include tab under locations. I labbed it. If you think it is under exclude: Exclude
has only 2 options and include has 3 options.
Why the selection of client apps doesn't matter is because, in the Grant pane, it says REQUIRE ONE OF ......... Hopefully you all understand.
2. No, we are not referring to any web services.
3. NO, because it is only scoped to Contoso, to staff in Contoso, to require MFA.
YES
NO
NO
upvoted 9 times
Since the conditional access policy is set only for the branch office location, the conditional access policy won’t apply to the external
users.
upvoted 2 times
Since there is a flexibility on using either control, users could either use MFA or use a Hybrid Azure AD joined device, it’s not
necessary that the user needs to use only MFA
Since the conditional access policy is set only for the branch office location, the conditional access policy won’t apply to the external
users.
upvoted 2 times
upvoted 1 times
On the other hand, if the first diagram is showing Locations - Exclude Contoso:
Ans1: No, because Contoso users are excluded from the insistence of MFA by the policy.
Ans2: No. Web Services are not targeted by this policy. In fact nothing is said about web services.
Ans3: Yes. This policy would only exclude anyone from the location Contoso from having to use MFA to access the portal.
upvoted 3 times
So basically the grant access is what happens when you are granted access when you meet the conditional access policy the location
which is contoso!
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
upvoted 1 times
On the other hand, if the first diagram showing Locations - 'Exclude Contoso' shows up on the test, then it is:
Ans1: No, because Contoso users are excluded from the insistence of MFA by the policy.
Ans2: No. Web Services are not targeted by this policy. In fact nothing is said about web services.
Ans3: Yes. This policy would only exclude anyone from the location Contoso from having to use MFA to access the portal.
upvoted 8 times
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 has access to the following identities:
✑ An OpenID-enabled user account
✑ A Hotmail account
✑ An account in contoso.com
✑ An account in an Azure AD tenant named fabrikam.com
You plan to use Azure Account Center to transfer the ownership of Sub1 to Admin1.
To which accounts can you transfer the ownership of Sub1?
A. contoso.com only
Correct Answer: C
When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new
account's tenant. If you do so, all users, groups, or service principals who had role based access (RBAC) to manage subscriptions and its
resources lose their access. Only the user in the new account who accepts your transfer request will have access to manage the resources.
Reference:
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer#transferring-subscription-to-an-account-in-another-azure-ad-tenant
The target account must be a valid Azure Commerce account to be a valid target for transfers. For new accounts, you are asked to create
an Azure Commerce account when signing in to the Azure Enterprise portal. For existing accounts, you must first create a new Azure
subscription before the account is eligible.
You can't make a transfer from a work or school account to a Microsoft account.
When you complete a subscription transfer, Microsoft updates the account owner.
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/ea-portal-get-started#change-account-owner
upvoted 1 times
upvoted 1 times
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer#transfer-a-subscription-to-another-azure-ad-tenant-account
upvoted 1 times
Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active
Directory (Azure AD) tenant.
You need to configure each subscription to have the same role assignments.
What should you use?
B. Azure Policy
D. Azure Blueprints
Correct Answer: D
Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and
central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's
standards, patterns, and requirements.
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
✑ Role Assignments
✑ Policy Assignments
✑ Azure Resource Manager templates
✑ Resource Groups
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
Question #1 Topic 2
You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1.
Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04.
You create a service endpoint for MicrosoftStorage in Subnet1.
You need to ensure that when you deploy Docker containers to VM1, the containers can access Azure Storage resources by using the service
endpoint.
What should you do on VM1 before you deploy the container?
Correct Answer: C
The Azure Virtual Network container network interface (CNI) plug-in installs in an Azure Virtual Machine. The plug-in supports both Linux and
Windows platform.
The plug-in assigns IP addresses from a virtual network to containers brought up in the virtual machine, attaching them to the virtual network,
and connecting them directly to other containers and virtual network resources. The plug-in doesn't rely on overlay networks, or routes, for
connectivity, and provides the same performance as virtual machines.
The following picture shows how the plug-in provides Azure Virtual Network capabilities to Pods:
References:
https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview
Question #2 Topic 2
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
F. Azure Advisor
Correct Answer: B
You can use Azure Automation State Configuration to manage Azure VMs (both Classic and Resource Manager), on-premises VMs, Linux
machines, AWS VMs, and on-premises physical machines.
Note: Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes
automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure
Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux
machines, in the cloud or on-premises.
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
You can use Azure Security Policies to ensure this requirement is met
upvoted 1 times
I choose B
upvoted 1 times
Question #3 Topic 2
DRAG DROP -
You have an Azure subscription that contains the virtual networks shown in the following table.
The Azure virtual machines on SpokeVNetSubnet0 can communicate with the computers on the on-premises network.
You plan to deploy an Azure firewall to HubVNet.
You create the following two routing tables:
✑ RT1: Includes a user-defined route that points to the private IP address of the Azure firewall as a next hop address
✑ RT2: Disables BGP route propagation and defines the private IP address of the Azure firewall as the default gateway
You need to ensure that traffic between SpokeVNetSubnet0 and the on-premises network flows through the Azure firewall.
To which subnet should you associate each route table? To answer, drag the appropriate subnets to the correct route tables. Each subnet may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#do-i-need-a-gatewaysubnet
upvoted 4 times
including its subnet and its connected VNET SpokeVNet MUST leave the HubVNet through AzureFirewall (so it has to be STATIC default GW
> BGP disabled), so it must be sent to its private IP and then go through the VPN to reach the OnPremNet. This question refers to this
article : https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
upvoted 9 times
PA 5 months ago
RT1 associated to HubVnetSubnet0
RT2 Associated to SpokeSubnet...
A route from the hub gateway subnet to the spoke subnet through the firewall IP address
A default route from the spoke subnet through the firewall IP address
upvoted 1 times
Ideally it should be
1. SpokeVNETsubnet0
2. Gateway Subnet
If you think I am wrong, take your time to go through this documentation: https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal
I will advise everyone to take a look at the Microsoft documentation I linked to understand more.
upvoted 20 times
When you enable gateway transit when configuring VNET peering, it means the spokeVNET should use the HubSubnet Gateway to
route traffic. again. I advise you to take a look at the documentation and go through that Tutorial yourself to understand the
Networking between peered regions then on to ON-Prem and back.
upvoted 1 times
There are three key requirements for this scenario to work correctly:
- A User Defined Route (UDR) on the spoke subnet that points to the Azure Firewall IP address as the default gateway. Virtual network
gateway route propagation must be Disabled on this route table.
- A UDR on the hub gateway subnet must point to the firewall IP address as the next hop to the spoke networks.
No UDR is required on the Azure Firewall subnet, as it learns routes from BGP.
- Make sure to set AllowGatewayTransit when peering VNet-Hub to VNet-Spoke and UseRemoteGateways when peering VNet-Spoke to
VNet-Hub.
ref : https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
upvoted 5 times
RT1: GatewaySubnet
RT2: SpokeVnetSubnet0
Link: https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal
upvoted 1 times
RT1 = HubVnetSubnet0
RT2 = SpokeVNetSubnet0
"Configure a UDR on the hub gateway subnet that points to the firewall IP address as the next hop to the spoke networks."
https://docs.microsoft.com/en-us/azure/firewall-manager/secure-hybrid-network
and https://aidanfinn.com/?p=21653
upvoted 3 times
Here you put the clause of the template which will be used to the extension resource.
upvoted 1 times
https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal
upvoted 2 times
Any packets coming from on-prem should first hit the VPNGateway (in the HubVNet/Gateway Subnet) , then be routed to the Azure
Firewall on (SpokeVNet/AzureFirewallSubnet) via RT1 on(in the HubVNet/Gateway Subnet) . Then go to the SpokeVNet/Subnet0 where the
clients are.
Anything exiting SpokeVNetSubnet0 should hit RT2 to be routed to AzureFirewall before it is filtered and sent to the VPNGw (in the
HubVNet/Gateway Subnet).
upvoted 1 times
On the tutorial:
"To route the spoke subnet traffic through the hub firewall, you can use a User Defined route (UDR) that points to the firewall with the
Virtual network gateway route propagation option disabled. The Virtual network gateway route propagation disabled option prevents
route distribution to the spoke subnets. This prevents learned routes from conflicting with your UDR. If you want to keep Virtual network
gateway route propagation enabled, make sure to define specific routes to the firewall to override those that are published from on-
premises over BGP.
Configure a UDR on the hub gateway subnet that points to the firewall IP address as the next hop to the spoke networks. No UDR is
required on the Azure Firewall subnet, as it learns routes from BGP."
Only on the SpokeVnet they recommend disable route propagation, ...."with the Virtual network gateway route propagation option
disabled."
upvoted 1 times
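The tutorial passage quoted in the comment above turns on how Azure picks an effective route: longest prefix wins, and on an equal prefix a user-defined route beats a BGP-learned (gateway) route, which beats a system route. The following is an added example, not code from the exam page or from Microsoft's tutorial, that models that selection for the hub/spoke scenario. The address ranges, the firewall IP 10.5.1.4 and the on-premises prefix are constructed values, and the route-table contents follow the RT1/RT2 descriptions in the question.

```python
"""Added example: Azure effective-route selection for the hub/spoke firewall scenario.
Longest prefix wins; on an equal prefix Azure prefers user-defined > BGP (gateway) > system routes."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str      # CIDR the route covers
    next_hop: str    # next hop type, or the appliance IP for a VirtualAppliance route
    source: str      # "User" (UDR), "VirtualNetworkGateway" (BGP-learned) or "Default" (system)


# Tie-break order for routes with the same prefix length (lower rank wins).
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

# Constructed address plan; these are assumptions for the example, not the exam's values.
HUB, SPOKE, ONPREM = "10.5.0.0/16", "10.6.0.0/16", "192.168.1.0/24"
FIREWALL_IP = "10.5.1.4"            # assumed private IP of the Azure Firewall in HubVNet

# System routes Azure creates for the spoke subnet (spoke is peered with the hub).
SPOKE_SYSTEM = (
    Route(SPOKE, "VnetLocal", "Default"),
    Route(HUB, "VNetPeering", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
)
# Route the spoke learns from the hub's VPN gateway over BGP (UseRemoteGateways peering).
SPOKE_BGP = (Route(ONPREM, "VirtualNetworkGateway", "VirtualNetworkGateway"),)
# RT2: default route to the firewall, associated with SpokeVNetSubnet0.
RT2 = (Route("0.0.0.0/0", FIREWALL_IP, "User"),)

# System routes for the hub's GatewaySubnet, and RT1: spoke prefix via the firewall.
GATEWAY_SYSTEM = (
    Route(HUB, "VnetLocal", "Default"),
    Route(SPOKE, "VNetPeering", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
)
RT1 = (Route(SPOKE, FIREWALL_IP, "User"),)


def effective_routes(system, bgp, udrs, propagate_gateway_routes: bool):
    """Merge the route sources; BGP routes only show up while gateway route propagation is enabled."""
    routes = list(system) + list(udrs)
    if propagate_gateway_routes:
        routes += list(bgp)
    return routes


def next_hop(routes, destination: str) -> str:
    """Pick the route Azure would use for one destination address."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    best = max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]))
    return best.next_hop


def spoke_next_hop(destination: str, propagate_gateway_routes: bool) -> str:
    """Next hop from SpokeVNetSubnet0 with RT2 attached."""
    return next_hop(effective_routes(SPOKE_SYSTEM, SPOKE_BGP, RT2, propagate_gateway_routes),
                    destination)


def gateway_subnet_next_hop(destination: str) -> str:
    """Next hop from the hub GatewaySubnet with RT1 attached (propagation left enabled)."""
    return next_hop(effective_routes(GATEWAY_SYSTEM, (), RT1, True), destination)


if __name__ == "__main__":
    for propagate in (True, False):
        print("spoke -> on-prem, propagation", propagate, ":",
              spoke_next_hop("192.168.1.10", propagate))
    print("gateway subnet -> spoke:", gateway_subnet_next_hop("10.6.0.5"))
```

With propagation enabled the BGP-learned /24 for the on-premises network is more specific than the 0.0.0.0/0 UDR, so spoke traffic to on-premises bypasses the firewall; disabling propagation on RT2 removes that route and the UDR wins on the equal-length default prefix. On the gateway subnet RT1 needs no such switch, because its UDR for the spoke prefix ties with the peering system route on length and wins on source rank.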
Question #4 Topic 2
HOTSPOT -
You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016.
You need to implement a policy to ensure that each virtual machine has a custom antimalware virtual machine extension installed.
How should you complete the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: DeployIfNotExists -
DeployIfNotExists executes a template deployment when the condition is met.
Box 2: Template -
The details property of the DeployIfNotExists effect has all the subproperties that define the related resources to match and the template
deployment to execute.
Deployment [required]
This property should include the full template deployment as it would be passed to the Microsoft.Resources/deployment
References:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMAntimalwareExtension_Deploy.json
upvoted 1 times
Question #5 Topic 2
You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the auto-generated service principal to authenticate to the Azure Container Registry.
What should you create?
Correct Answer: B
When you create an AKS cluster, Azure also creates a service principal to support cluster operability with other Azure resources. You can use
this auto-generated service principal for authentication with an ACR registry. To do so, you need to create an Azure AD role assignment that
grants the cluster's service principal access to the container registry.
References:
https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-auth-aks
You can optionally modify the --role value in the az ad sp create-for-rbac command if you want to grant different permissions. For a
complete list of roles, see ACR roles and permissions.
upvoted 1 times
2. This service principal can already authenticate to AAD (since it was created in AAD by Azure).
3. But it needs RBAC permissions on the ACR Registry to pull images.
4. To do so, you need to create an Azure AD role assignment that grants the cluster's service principal access to the container registry.
upvoted 1 times
Question #6 Topic 2
HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking
"A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
These operations require a POST request."
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
upvoted 17 times
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to
restricting all authorized users to the permissions granted by the Reader role.
upvoted 6 times
2.) When creating a VM in a resource group with a Read Only lock an error is shown:
"The selected resource group is read only"
3.) Because of the read only lock virtual machines cannot be started nor stopped when the lock is added after the machine started. (Not
part of this use case, but still good to know.)
The article referenced in the answer states different because that is scoped to blueprints.
In the Lock Resources pages is states the following regarding starting VMs:
"A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
These operations require a POST request."
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
upvoted 8 times
The effect of locks applied to a resource group through an Azure blueprint is different.
When I apply a read-only lock on my resource group via Azure Blueprint I cannot change the properties and tags of the resource group,
but I am still able to deploy resources and start/stop virtual machines.
upvoted 3 times
AtulS 6 months, 1 week ago
If the Lock is on RG the resources that are not locked can be changed or created. So answers are correct.
upvoted 2 times
Read Only-Resource group :- The resource group is read only and tags on the resource group can't be modified. Not Locked resources can
be added, moved, changed, or deleted from this resource group.
upvoted 2 times
Since there is a lock on the resource group, you can’t create a virtual machine in the resource group.
Since there is a lock on the resource group which has the virtual machine, the virtual machine would also have the lock and hence can’t be
started.
Since there is a read-only lock on the virtual machine, it is not possible to start the virtual machine.
upvoted 1 times
"A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
These operations require a POST request."
"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources"
upvoted 1 times
"A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
These operations require a POST request."
"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources"
upvoted 1 times
Question #7 Topic 2
HOTSPOT -
You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.
You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6.
Which additional virtual machines can be updated by using Update1 and Update2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
For Linux, the machine must have access to an update repository. The update repository can be private or public.
References:
https://docs.microsoft.com/en-us/azure/automation/automation-update-management
Hence both update management solutions applicable to all the machines provided they should not be in stopped state
upvoted 2 times
The list of virtual machines is filtered to show only the virtual machines that are in the same subscription and location. If your virtual
machines are in more than three resource groups, the first three resource groups are selected.
https://docs.microsoft.com/en-us/azure/automation/update-management/enable-from-portal
upvoted 1 times
Question #8 Topic 2
HOTSPOT -
You have an Azure subscription named Sub1.
You create a virtual network that contains one subnet. On the subnet, you provision the virtual machines shown in the following table.
Currently, you have not provisioned any network security groups (NSGs).
You need to implement network security to meet the following requirements:
✑ Allow traffic to VM4 from VM3 only.
✑ Allow traffic from the Internet to VM1 and VM2 only.
✑ Minimize the number of NSGs and network security rules.
How many NSGs and network security rules should you create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
NSGs: 2 -
SO Box 2 is 3.
You still have 3 default rules that allow traffic from VNET, LoadBalancer and deny all other inbound traffic.
upvoted 41 times
so Answer is 1 and 3
upvoted 5 times
Does anyone know where the listed answer came from? I'm wondering how hard I should try to 'justify' it, or figure out why it's right
(assuming it reflects the actual test answer) or should I go with the answer we've figured out as technically correct if I encounter it on
the test?
upvoted 1 times
Unless you have a specific reason to, we recommended that you associate a network security group to a subnet, or a network interface,
but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group
associated to a network interface, you can have unexpected communication problems that require troubleshooting.
hence it should be only 1 nsg, having another nsg at NIC level would cause a conflict
upvoted 3 times
Since all VMs are in same subnet, we have to apply NSG at NIC level. NSG at subnet level will only work if traffic needs to go out from
subnet.
Also, no need to worry about permits etc as we need to just cover 2 requirements mentioned.
1) Allow traffic to VM4 from VM3 only (In this case we can apply 1 NSG at NIC4 and allow 1 rule permit VM3, default will be implicit deny)
2) Allow traffic from the Internet to VM1 and VM2 only. (In this case we apply 1 NSG to both NICs NIC1 and NIC2 and add 1 rule Allow from
internet to AppGroup12 which will cover both VMs).
So my answer would be 2*NSGs and 2*Rules
upvoted 2 times
"It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it. For example, if a
rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each
other. Another rule would have to be added specifically to allow this"
one subnet level NSG (with two rules AppGroup3 as the source and AppGroup4 as destination ) is enough for controlling the connectivity
between VM3 and VM4.
The same NSG can be used for allowing traffic to VM1 and VM2 (AppGroup12 as the Allow destination)
So the answer is 1-3
upvoted 2 times
1- you need 1 NSG-1 for subnet to allow internet traffic to the ASG for VM1 & 2
2- you need 1 NSG-2 on the NIC level of VM4, if I didn't do so and I added the rule to NSG-1 it will not apply correctly as VM3 will be within
the same subnet of VM4, hence won't go through the NSG-1. That being said, NSG-2 would have a deny all rule & an allow rule for ASG3...
upvoted 2 times
You can also deny intra-subnet traffic in NSG (applied to Subnet level) .
I would go for 1 NSG on subnet, and 3 rules in the NSG.
1st rule - deny all traffic (refer to the link above)
2nd rule - allow Internet access to VM1 and VM2
3rd rule - allow VM3 to VM4 traffic.
upvoted 3 times
NSG1 for Subnet with rule1 - to allow traffic from internet to AppGroup12
NSG2 for NIC4 with rule2 - to allow traffic from AppGroup3 to AppGroup4 (priority 1000) and rule3 - to deny traffic from any to AppGroup4
(priority 1001)
PA 5 months ago
Box1 == 1
Box2=3
Please see below link...
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 4 times
Here we need to implement one rule at the subnet layer to allow traffic from the Internet onto demovm1 and demovm2. Next, we need to
add one network security group rule for NIC4 to allow traffic from only NIC3 via their private IP address. And then we need to add one
more rule to Deny all other traffic.
upvoted 2 times
Traffic from outside the subnet into the subnet should be filtered at the subnet level.
1 NSG associated with the subnet
1 rule allowing traffic from the Internet to the application security group containing VM1 and VM2 (by default all traffic from the Internet is Deny)
upvoted 5 times
Then that is all the traffic between vm4 and allowed by the default rule which is "AllowVNetInBound"
you cannot even delete them ( tested it )
pay attention to the "Destination Virtualnetwork" this means anything in the SAME VIRTUALNETWORK ...
upvoted 1 times
NSG's come with default rules. One is the implicit deny rule. So we don't have to create that.
We are asked "How many NSGs and network security rules should you create?"
We have to create 2 NSGs. (1 for VM3 Nic, other for the subnet).
We have to create a total of 3 rules.
upvoted 1 times
Thank you :)
upvoted 1 times
1vnet
1subnet
1 NSG that is attached to four network interfaces
i created 1 rule for the incoming of internet traffic to vm1&2 that require it using application security group same as the question
"appgroup12" and it all works. app security group must be on the same vnet which they are all in this question.. the traffic between Vnets
is permitted by default.
1nsg
1rule
upvoted 1 times
By default all traffic in the virtual networks is allowed, but you need to deny VM1 and VM2 traffic to VM4. To let only allow from VM3. So,
here 1 rule to deny traffic from the AppGroup12
By default all the outbound traffic is allowed to Internet, but no inbound. For this, we need to add another rule to allow from internet to
AppGroup12.
Just 1 NSG with 2 rules should be the answer for this question.
upvoted 1 times
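The disagreement in the comments above comes down to one mechanic: an NSG evaluates rules from the lowest priority number up, the first match wins, and every NSG carries the three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500), so intra-VNet traffic is allowed unless a custom rule with a lower number denies it. The following is an added example, not code from the exam page, that reproduces that evaluation for the question's four VMs and tests the "2 rules" and "3 rules" designs against the stated requirements. The application security group names AppGroup12, AppGroup3 and AppGroup4 are the ones used in the discussion; the rule names and priorities 100/110/120 are assumptions for the example.

```python
"""Added example: evaluate inbound NSG rules the way Azure does (lowest priority number first,
first match wins) and test the single-subnet-NSG designs against the question's requirements."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; custom rules use 100-4096
    source: str        # "Internet", "VirtualNetwork", "AzureLoadBalancer", "*" or an ASG name
    destination: str   # same vocabulary as source
    access: str        # "Allow" or "Deny"


# Azure's built-in default inbound rules: present in every NSG and cannot be deleted.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
)

# Constructed scenario: four VMs on one subnet, grouped by application security group (ASG).
ASG_MEMBERS = {
    "AppGroup12": {"VM1", "VM2"},
    "AppGroup3": {"VM3"},
    "AppGroup4": {"VM4"},
}


def _matches(selector: str, endpoint: str) -> bool:
    """endpoint is a VM name or the literal 'Internet' (a source outside the VNet)."""
    if selector == "*":
        return True
    if selector == "Internet":
        return endpoint == "Internet"
    if selector == "VirtualNetwork":
        return endpoint != "Internet"          # every VM here sits in the same VNet
    if selector == "AzureLoadBalancer":
        return False                           # no load balancer probes in this scenario
    return endpoint in ASG_MEMBERS.get(selector, set())


def evaluate(custom_rules, source: str, destination: str):
    """Return (access, rule_name) of the first matching rule, custom and default rules combined."""
    for rule in sorted((*custom_rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        if _matches(rule.source, source) and _matches(rule.destination, destination):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def check_requirements(custom_rules):
    """The question's two traffic requirements expressed as concrete inbound flows."""
    return {
        "internet_to_vm1_allowed": evaluate(custom_rules, "Internet", "VM1")[0] == "Allow",
        "internet_to_vm2_allowed": evaluate(custom_rules, "Internet", "VM2")[0] == "Allow",
        "internet_to_vm3_denied": evaluate(custom_rules, "Internet", "VM3")[0] == "Deny",
        "internet_to_vm4_denied": evaluate(custom_rules, "Internet", "VM4")[0] == "Deny",
        "vm3_to_vm4_allowed": evaluate(custom_rules, "VM3", "VM4")[0] == "Allow",
        "vm1_to_vm4_denied": evaluate(custom_rules, "VM1", "VM4")[0] == "Deny",
    }


# Rule names and priorities are assumptions for this example, not values from the exam.
# Design A: only the two "allow" rules (the 1 NSG / 2 rules proposal in the discussion).
ALLOW_ONLY = (
    Rule("AllowInternetToAppGroup12", 100, "Internet", "AppGroup12", "Allow"),
    Rule("AllowAppGroup3ToAppGroup4", 110, "AppGroup3", "AppGroup4", "Allow"),
)

# Design B: the same two allows plus an explicit deny to VM4 placed above AllowVnetInBound.
THREE_RULES = ALLOW_ONLY + (
    Rule("DenyAnyToAppGroup4", 120, "*", "AppGroup4", "Deny"),
)


if __name__ == "__main__":
    for label, rules in (("allow-only", ALLOW_ONLY), ("three-rules", THREE_RULES)):
        print(label, check_requirements(rules))
```

Running it shows the point the "1 NSG, 3 rules" commenters make: with only the two allow rules, VM1 to VM4 still matches AllowVnetInBound at priority 65000, so the "from VM3 only" requirement fails until a deny with a lower number than 65000 is added. The default DenyAllInBound already covers Internet to VM3 and VM4, so no custom deny is needed for those flows.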
Question #9 Topic 2
HOTSPOT -
You have an Azure key vault.
You need to delegate administrative access to the key vault to meet the following requirements:
✑ Provide a user named User1 with the ability to set advanced access policies for the key vault.
✑ Provide a user named User2 with the ability to add and delete certificates in the key vault.
✑ Use the principle of least privilege.
What should you use to assign access to each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
User1: RBAC -
RBAC is used as the Key Vault access control mechanism for the management plane. It would allow a user with the proper identity to:
✑ set Key Vault access policies
✑ create, read, update, and delete key vaults
✑ set Key Vault tags
Note: Role-based access control (RBAC) is a system that provides fine-grained access management of Azure resources. Using RBAC, you can
segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
User2: A key vault access policy
A key vault access policy is the access control mechanism to get access to the key vault data plane. Key Vault access policies grant permissions separately to keys, secrets, and certificates.
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
You grant a user, group, or application access to execute specific operations for keys or secrets in a key vault. Key Vault supports up to
1,024 access policy entries for a key vault. To grant data plane access to several users, create an Azure AD security group and add users to
that group.
upvoted 1 times
Data plane and access policies: You grant data plane access by setting Key Vault access policies for a key vault.
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
upvoted 3 times
To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication
establishes the identity of the caller. Authorization determines which operations the caller can execute.
Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access
control (RBAC) and the data plane uses a Key Vault access policy.
upvoted 3 times
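The two-plane split described above, as an added example with the Az PowerShell module (this is not code from the exam page or from Microsoft's documentation). The resource group, vault name and the two user principal names are placeholders:

```powershell
# Added example (Az PowerShell module); not from the exam page. Names below are
# placeholders: RG1, kv-contoso-001, user1@contoso.com, user2@contoso.com.
$rg        = 'RG1'
$vaultName = 'kv-contoso-001'
$user1     = 'user1@contoso.com'
$user2     = 'user2@contoso.com'

$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName

# User1 - management plane (RBAC). 'Key Vault Contributor' can manage the vault
# resource, including its access policies, but carries no data-plane rights:
# User1 still cannot read a single key, secret or certificate.
New-AzRoleAssignment -SignInName $user1 `
    -RoleDefinitionName 'Key Vault Contributor' `
    -Scope $vault.ResourceId

# User2 - data plane (access policy), certificates only, only the verbs needed.
# No -PermissionsToKeys / -PermissionsToSecrets, so those stay empty.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -UserPrincipalName $user2 `
    -PermissionsToCertificates get, list, create, delete

# Check the result: one entry for User2 with certificate verbs and nothing else.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.DisplayName -like "*$user2*" } |
    Select-Object DisplayName, PermissionsToCertificates, PermissionsToKeys, PermissionsToSecrets
```

Two caveats a reviewer would raise: a Key Vault Contributor can edit access policies, so User1 could grant themselves data-plane access; that is exactly why the exam separates the two roles, and why management-plane assignments deserve the same review as data-plane ones. And if the vault was created with the Azure RBAC permission model (-EnableRbacAuthorization), access policies are ignored and User2 would instead need a data-plane role such as Key Vault Certificates Officer scoped to the vault.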
HOTSPOT -
You have two Azure virtual machines in the East US2 region as shown in the following table.
Correct Answer:
VM1: change type, doesn't support A-series and Basic VMs. (Windows VMs are available in a range of sizes. Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines with less than 2 GB of memory.)
VM2: no idea, maybe type. OS: Ubuntu 16.04-DAILY-LTS and Tier: Standard supported.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#supported-vms-and-operating-systems
https://devblogs.microsoft.com/premier-developer/azure-storage-encryption-and-azure-disk-encryption-demystified/
upvoted 4 times
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#supported-vms
Azure Disk Encryption is not available on Generation 2 VMs and Lsv2-series VMs.
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#supported-vms-and-operating-systems
upvoted 7 times
Ubuntu 16.04 is a Generation 2 VM and therefore does not support Azure Disk Encryption.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/generation-2#generation-1-vs-generation-2-capabilities
upvoted 1 times
https://docs.microsoft.com/en-gb/azure/virtual-machines/linux/disk-encryption-overview
upvoted 2 times
GL all!
upvoted 1 times
You create an Azure Log Analytics workspace named Analytics1 in RG1 in the East US region.
Which virtual machines can be enrolled in Analytics1?
A. VM1 only
Correct Answer: A
Note: Create a workspace -
✑ In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics.
Click Create, and then select choices for the following items:
Provide a name for the new Log Analytics workspace, such as DefaultLAWorkspace. OMS workspaces are now referred to as Log Analytics
workspaces.
Select a Subscription to link to by selecting from the drop-down list if the default selected is not appropriate.
For Resource Group, select an existing resource group that contains one or more Azure virtual machines.
Select the Location your VMs are deployed to. For additional information, see which regions Log Analytics is available in.
Incorrect Answers:
B, C: The published explanation treats the workspace location as a constraint: a Log Analytics workspace provides a geographic location for data storage, and VM2 and VM3 are in a different location.
D: VM4 is in a different resource group.
Caveat: neither region nor resource group is actually an enrollment constraint. A workspace can collect from VMs in any region or resource group (and, through the agent, from other subscriptions or on-premises); the workspace region only determines where the data is stored. The comments on this question make the same point.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
Select the Location your VMs are deployed to.
upvoted 1 times
log analytics space is only relevant to a subscription. vms with different regions and resource groups can be assigned to a workspace in
different regions or resource groups.
upvoted 7 times
Exhibit -
You are testing an Azure Kubernetes Service (AKS) cluster. The cluster is configured as shown in the exhibit. (Click the tab.)
You plan to deploy the cluster to production. You disable HTTP application routing.
You need to implement application routing that will provide reverse proxy and TLS termination for AKS services by using a single IP address.
What should you do?
Correct Answer: A
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services.
References:
https://docs.microsoft.com/en-us/azure/aks/ingress-tls
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy definition and assignments that are scoped to resource groups.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
References:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a resource graph and an assignment that is scoped to a management group.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Note: this published answer is disputed in the comments below, and the dispute is well founded. Azure Resource Graph is a query service for resource inventory; it cannot carry a policy assignment. The solution that does meet the goal is to place the three subscriptions under a management group and assign the policy definitions, grouped as an initiative, at that scope.
References:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/
correct solution is to "Create a Management Group and assign an initiative to the Management Group"
upvoted 5 times
gfhbox0083 4 months, 4 weeks ago
B, for sure.
Use Management Group
upvoted 3 times
The resource graph is used for querying resources and not for assigning policies.
upvoted 2 times
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016.
You need to deploy Microsoft Antimalware to the virtual machines.
Solution: You add an extension to each virtual machine.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
You can use Visual Studio to enable and configure the Microsoft Antimalware service. This entails selecting the Microsoft Antimalware extension from the dropdown list under Installed Extensions and clicking Add to configure it with the default antimalware configuration.
References:
https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware
https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware#antimalware-deployment-scenarios
upvoted 4 times
Correct way to do this for 50 virtual machine should be using the below Policy Definition.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016.
You need to deploy Microsoft Antimalware to the virtual machines.
Solution: You connect to each virtual machine and add a Windows feature.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Microsoft Antimalware is deployed as an extension and not a feature.
References:
https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware
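The extension-based deployment that both questions in this series turn on, as an added example with the Az PowerShell module (not code from the exam page or from Microsoft's documentation). The settings are the documented IaaSAntimalware settings schema; the scan schedule and empty exclusion lists are illustrative values to be adjusted per workload:

```powershell
# Added example (Az PowerShell module); not from the exam page. Scan schedule and
# exclusions are illustrative settings; adjust to the workload.
# Settings follow the IaaSAntimalware extension schema.
$settings = ConvertTo-Json -Depth 5 -InputObject @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    # day 7 = Saturday (0 = daily, 1 = Sunday ...); time = minutes after midnight
    ScheduledScanSettings     = @{ isEnabled = $true; day = 7; time = 120; scanType = 'Quick' }
    Exclusions                = @{ Extensions = ''; Paths = ''; Processes = '' }
}

# Every Windows VM in the current subscription (WS2012 R2 and WS2016 are both supported)
$windowsVms = Get-AzVM | Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' }

foreach ($vm in $windowsVms) {
    # Idempotent: skip VMs that already have the extension
    $installed = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name |
        Where-Object { $_.ExtensionType -eq 'IaaSAntimalware' }
    if ($installed) { continue }

    Set-AzVMExtension -ResourceGroupName $vm.ResourceGroupName `
        -VMName $vm.Name `
        -Location $vm.Location `
        -Name 'IaaSAntimalware' `
        -Publisher 'Microsoft.Azure.Security' `
        -ExtensionType 'IaaSAntimalware' `
        -TypeHandlerVersion '1.3' `
        -SettingString $settings
}
```

Extensions are installed by the VM agent, so a deallocated VM has to be started first or the call fails. For a fleet of 50 VMs (and for every VM created later) the more durable approach is the one a commenter alludes to: a deployIfNotExists policy assignment that installs the extension, with the loop above reserved for one-off remediation.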
B. From Security Center, modify the Security policy settings of the Azure subscription.
C. From Azure Active Directory (Azure AD), modify the members of the Security Reader role group.
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
A. a system route
Correct Answer: C
Although the use of system routes facilitates traffic automatically for your deployment, there are cases in which you want to control the routing of packets through a virtual appliance. You can do so by creating user-defined routes that specify the next hop for packets flowing to a specific subnet to go to your virtual appliance instead, and enabling IP forwarding for the VM running as the virtual appliance.
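The user-defined route plus IP forwarding described above, as an added example with the Az PowerShell module (not code from the exam page). Resource group, VNet, subnet, address ranges, the NVA's address 10.0.0.4 and the NIC names are placeholders:

```powershell
# Added example (Az PowerShell module); not from the exam page. RG1, VNET1, Subnet1
# (10.0.1.0/24), backend prefix 10.0.2.0/24, NVA at 10.0.0.4 with NIC 'nva-nic'
# and a test NIC 'vm1-nic' are placeholders.
$rg = 'RG1'; $location = 'eastus'

# 1. Route table with a UDR: traffic for the backend prefix goes to the NVA first.
#    User routes take precedence over the system routes with the same prefix.
$rt = New-AzRouteTable -Name 'rt-via-nva' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -RouteTable $rt -Name 'backend-via-nva' `
    -AddressPrefix '10.0.2.0/24' `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress '10.0.0.4' | Set-AzRouteTable

# 2. Associate the route table with the source subnet
$vnet = Get-AzVirtualNetwork -Name 'VNET1' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Subnet1' `
    -AddressPrefix '10.0.1.0/24' -RouteTable $rt | Set-AzVirtualNetwork

# 3. IP forwarding on the NVA's NIC; without it Azure drops packets whose
#    destination is not the NIC's own address. The guest OS must forward too.
$nic = Get-AzNetworkInterface -Name 'nva-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface

# Check: the effective routes of a NIC in Subnet1 should now list the NVA as next hop
Get-AzEffectiveRouteTable -NetworkInterfaceName 'vm1-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '10.0.2.0/24' }
```

The check at the end is the one worth keeping: a UDR that is defined but not associated with the subnet, or an NVA whose NIC forwards but whose operating system does not, both fail silently, and the effective route table is where the first of those shows up.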
HOTSPOT -
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzureRmNetworkSecurityRuleConfig and receive the output shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 2: allowed -
TCP port 21 controls the FTP session. Contoso_FTP has SourceAddressPrefix {1.2.3.4/32} and DestinationAddressPrefix {10.0.0.5/32}.
Note:
The Get-AzureRmNetworkSecurityRuleConfig cmdlet gets a network security rule configuration for an Azure network security group. Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
NSGs are allow by default; that is why they let us define both Allow and Deny rules. Firewalls/gateways are deny by default; that is why you can define only Allow rules in them.
upvoted 1 times
Source: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 2 times
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
A. NIC2 only
Correct Answer: C
Only network interfaces in VNET1, which consists of Subnet11 and Subnet12, can be configured in ASG1, as all network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.
Reference:
https://azure.microsoft.com/es-es/blog/applicationsecuritygroups/
• All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface
assigned to the application security group is in. For example, if the first network interface assigned to an application security group
named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1.
You cannot add network interfaces from different virtual networks to the same application security group.
upvoted 11 times
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface
assigned to the application security group is in. For example, if the first network interface NIC1 assigned to an application security group
named ASG1 is in the virtual network named VNET1, then all subsequent network interfaces assigned to ASG1 must exist in VNET1. so
NIC2 and NIC3 (which is associated with Subnet11 and Subnet12 under VNET1) is the correct answer.
You cannot add network interfaces from different virtual networks to the same application security group
upvoted 5 times
Application Security Groups are a region-specific resource. It can only be associated with NICs in the same region as the application
security group. And once you associate an application security group with one network interface in an Azure virtual network, the
application security group can only be associated with network interfaces in the same Azure virtual network.
upvoted 2 times
Correct Answer: B
Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center. It helps you control which applications can run on your Azure and non-Azure VMs (Windows and Linux), which, among other benefits, helps harden your VMs against malware. Security Center uses machine learning to analyze the applications running on your VMs and helps you apply the specific whitelisting rules using this intelligence.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application
C. management groups
D. container groups
Correct Answer: D
Azure Container Instances supports the deployment of multiple containers onto a single host using a container group. A container group is useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached process.
Reference:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
HOTSPOT -
You create resources in an Azure subscription as shown in the following table.
VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24. Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
Access from Subnet1 is allowed.
Box 2: No -
No access from Subnet2 is allowed.
Box 3: Yes -
Access from IP address 193.77.10.2 is allowed.
CIDR to IP range for 193.77.0.0/16: netmask 255.255.0.0, wildcard bits 0.0.255.255, first IP 193.77.0.0 (decimal 3243048960), last IP 193.77.255.255 (decimal 3243114495), 65,536 hosts in total.
upvoted 7 times
Here only one IP is allowed access from the Internet and that is 193.77.0.0/16
upvoted 1 times
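The range check behind Box 3, generalised to any client address and any set of storage firewall IP rules, as an added example (not code from the exam page). The rule set is constructed inline to mirror the exhibit; its property names follow what Get-AzStorageAccountNetworkRuleSet returns (IpRules with IPAddressOrRange and Action, DefaultAction), so the same function can be pointed at a real account:

```powershell
# Added example; not from the exam page. The rule set below is constructed to mirror
# the exhibit (one IP rule, 193.77.0.0/16, default action Deny).

function ConvertTo-IPv4Int64 ([string]$Ip) {
    # Dotted quad to an integer, big-endian, kept in int64 to avoid sign trouble
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-IPInRange ([string]$Ip, [string]$Range) {
    # Azure storage IP rules are either "a.b.c.d" (a single host) or "a.b.c.d/n"
    $net, $bits = $Range -split '/'
    if (-not $bits) { $bits = 32 }
    $full = [int64]4294967295                      # 0xFFFFFFFF as a positive int64
    $mask = ($full -shl (32 - [int]$bits)) -band $full
    return ((ConvertTo-IPv4Int64 $Ip) -band $mask) -eq ((ConvertTo-IPv4Int64 $net) -band $mask)
}

function Test-StorageClientAllowed ([string]$ClientIp, $RuleSet) {
    # Storage firewall IP rules are allow-list entries; anything unmatched falls
    # through to DefaultAction (virtual network rules are evaluated separately).
    foreach ($r in $RuleSet.IpRules) {
        if ($r.Action -eq 'Allow' -and (Test-IPInRange $ClientIp $r.IPAddressOrRange)) { return $true }
    }
    return ($RuleSet.DefaultAction -eq 'Allow')
}

# Constructed rule set; for a real account use:
#   Get-AzStorageAccountNetworkRuleSet -ResourceGroupName RG1 -Name contoso1901
$ruleSet = [pscustomobject]@{
    DefaultAction = 'Deny'
    IpRules       = @([pscustomobject]@{ IPAddressOrRange = '193.77.0.0/16'; Action = 'Allow' })
}

Test-StorageClientAllowed '193.77.10.2' $ruleSet
Test-StorageClientAllowed '193.78.10.2' $ruleSet
```

With that rule set the first call returns True (193.77.10.2 lies between 193.77.0.0 and 193.77.255.255) and the second returns False, because the only rule does not match and the default action is Deny. Two things the function deliberately leaves out, and that a real check must remember: requests from Subnet1 are admitted by the virtual network rule, not by an IP rule, and Azure rejects IP rules for private (RFC 1918) ranges, so a VM's private address never appears in IpRules.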
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Instead use a management group.
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription
simultaneously.
Reference:
https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-management-groups/
So policies are grouped as initiatives and can be applied at a management group level to enforce policies on subscriptions that fall
under that management group.
In here, the suggested flow is to create an initiative, which is correct, but assigning needs to be to a management group.
hence, no.
upvoted 5 times
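The solution that the three questions in this series circle around (management group, initiative, one assignment), as an added example with the Az PowerShell module; this is not code from the exam page or from the referenced article. The management group name, subscription IDs, definition names and the JSON rule files are placeholders, and the -PolicySetDefinition parameter form assumes an Az.Resources version from the same period as this page:

```powershell
# Added example (Az PowerShell module); not from the exam page. Management group
# name, subscription IDs, definition names and rule files are placeholders.
$mgName  = 'mg-security'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"
$subs    = '11111111-1111-1111-1111-111111111111',
           '22222222-2222-2222-2222-222222222222',
           '33333333-3333-3333-3333-333333333333'

# 1. Management group that contains all three subscriptions
New-AzManagementGroup -GroupName $mgName -DisplayName 'Security policy scope'
foreach ($s in $subs) {
    New-AzManagementGroupSubscription -GroupName $mgName -SubscriptionId $s
}

# 2. Definitions must live at (or above) the scope they are assigned to. A custom
#    definition created inside one subscription is invisible to the management
#    group, so the custom definitions are (re)created there from their rule files.
$defNames = 'deny-public-ip', 'require-nsg-on-subnet'   # placeholder custom definitions
$defs = foreach ($n in $defNames) {
    New-AzPolicyDefinition -Name $n -ManagementGroupName $mgName -Policy "./$n.rules.json"
}

# 3. Initiative (policy set definition) grouping the definitions
$setBody = ConvertTo-Json -Depth 5 -InputObject @(
    $defs | ForEach-Object { @{ policyDefinitionId = $_.PolicyDefinitionId } }
)
$initiative = New-AzPolicySetDefinition -Name 'security-baseline' `
    -DisplayName 'Security baseline' `
    -ManagementGroupName $mgName `
    -PolicyDefinition $setBody

# 4. One assignment at the management group; all three subscriptions inherit it
New-AzPolicyAssignment -Name 'security-baseline' -DisplayName 'Security baseline' `
    -Scope $mgScope -PolicySetDefinition $initiative

# Check what is assigned at the management group scope
Get-AzPolicyAssignment -Scope $mgScope | Select-Object Name, @{ n = 'Definition'; e = { $_.Properties.PolicyDefinitionId } }
```

The step that trips people up in practice is step 2: assignment scope can be no wider than the scope the definition lives in, so the "resource group" solutions in this series fail twice over, once because three separate assignments are not "as a group", and once because they would not reach resources outside those groups.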
Question #1 Topic 3
HOTSPOT -
You plan to use Azure Monitor Logs to collect logs from 200 servers that run Windows Server 2016.
You need to automate the deployment of the Log Analytics Agent to all the servers by using an Azure Resource Manager template.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References:
https://blogs.technet.microsoft.com/manageabilityguys/2015/11/19/enabling-the-microsoft-monitoring-agent-in-windows-json-templates/
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows?toc=%2Fazure%2Fazure-
monitor%2Ftoc.json#extension-schema
upvoted 3 times
Question #2 Topic 3
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You are assigned the Global administrator role for the tenant. You are responsible for managing Azure Security Center settings.
You need to create a custom sensitivity label.
What should you do?
Correct Answer: A
First, you need to create a new sensitive information type because you can't directly modify the default rules.
References:
https://docs.microsoft.com/en-us/office365/securitycompliance/customize-a-built-in-sensitive-information-type
Question #3 Topic 3
HOTSPOT -
You suspect that users are attempting to sign in to resources to which they have no access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users who had more than five failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
The following example (from the Azure Monitor query examples) identifies user accounts that failed to log in more than five times in the last day, and when they last attempted to log in. For the question's requirement, set timeframe to 3d; the threshold filter is the second where clause.
let timeframe = 1d;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where AccountType == 'User' and EventID == 4625 // 4625 - an account failed to log on
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1 // arg_max returns its Account column as Account1; drop the duplicate
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples
Question #4 Topic 3
A. Azure DevOps
C. Azure Monitor
Correct Answer: D
You can change an existing playbook in Security Center to add an action, or conditions. To do that you just need to click on the name of the
playbook that you want to change, in the Playbooks tab, and Logic App Designer opens up.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks
Question #5 Topic 3
Correct Answer: BD
D: You need write permission in the workspace that you select to store your custom alert.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-custom-alert
You need to upgrade the pricing tier of Azure Security Center to standard. You can also create a new Log Analytics workspace which can
be used by Azure Security Center to send data with regards to your Azure resources
upvoted 4 times
Question #6 Topic 3
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 100 on-premises servers that run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LAW1. LAW1 is configured to collect security-related performance counters from the connected servers.
You need to configure alerts based on the data collected by LAW1. The solution must meet the following requirements:
✑ Alert rules must support dimensions.
✑ The time it takes to generate an alert must be minimized.
✑ Alert notifications must be generated only once when the alert is generated and once when the alert is resolved.
Which signal type should you use when you create the alert rules?
A. Log
C. Metric
D. Activity Log
Correct Answer: C
Metric alerts in Azure Monitor provide a way to get notified when one of your metrics crosses a threshold. Metric alerts work on a range of multi-dimensional platform metrics, custom metrics, Application Insights standard and custom metrics.
Note: Signals are emitted by the target resource and can be of several types. Metric, Activity log, Application Insights, and Log.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric
Metric Alerts offer near-real time monitoring capability and Metric Alerts for Logs forks data from log source to ensure the same.
Metric Alerts are stateful - only notifying once when alert is fired and once when alert is resolved; as opposed to Log alerts, which are
stateless and keep firing at every interval if the alert condition is met.
Metric Alerts for Log provide multiple dimensions, allowing filtering to specific values like Computers, OS Type, etc. simpler; without the
need for penning query in analytics.
upvoted 8 times
Question #7 Topic 3
DRAG DROP -
You have an Azure subscription that contains 100 virtual machines. Azure Diagnostics is enabled on all the virtual machines.
You are planning the monitoring of Azure services in the subscription.
You need to retrieve the following details:
✑ Identify the user who deleted a virtual machine three weeks ago.
✑ Query the security events of a virtual machine that runs Windows Server 2016.
What should you use in Azure Monitor? To answer, drag the appropriate configuration settings to the correct details. Each configuration setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Box 2: Logs -
Log Integration collects Azure diagnostics from your Windows virtual machines, Azure activity logs, Azure Security Center alerts, and Azure resource provider logs. This integration provides a unified dashboard for all your assets, whether they're on-premises or in the cloud, so that you can aggregate, correlate, analyze, and alert for security events.
References:
https://docs.microsoft.com/en-us/azure/security/azure-log-audit
Question #8 Topic 3
HOTSPOT -
You create an alert rule that has the following settings:
✑ Resource: RG1
✑ Condition: All Administrative operations
Actions: Action groups con gured for this alert rule: ActionGroup1
Correct Answer:
Box 1:
The scope for the action rule is set to VM1 and is set to suppress alerts indefinitely.
Box 2:
The scope for the action rule is not set to VM2.
Box 3:
Adding a tag is not an administrative operation.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules
XJ 5 months ago
I think it's No - Alert rule - Suppression VM1; Yes (if this is a mistake/typo in the description that VM2 is part of RG1); No - Adding a tag to RG1 is NOT an administrative operation, so the alert is NOT triggered and the answer is NO
upvoted 1 times
Since there is a suppression rule specifically for the virtual machine, the alert rule would not be triggered.
Yes, since there is an alert rule at the resource group level, an alert would be generated.
Yes - starting VM2 will fire an alarm; starting a VM is an administrative task, and the suppression rule is only applied to VM1.
In my opinion the answer is
YES, YES, YES
upvoted 1 times
I set up the alert rule (except the action group) and the action rule, started both VMs and edited the tag of the R1. No alerts whatsoever...
upvoted 1 times
Question #9 Topic 3
DRAG DROP -
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 500 Azure virtual machines that run Windows Server 2016 and are enrolled in LAW1.
You plan to add the System Update Assessment solution to LAW1.
You need to ensure that System Update Assessment-related logs are uploaded to LAW1 from 100 of the virtual machines only.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solution-targeting
You have an Azure subscription named Sub1 that contains the virtual machines shown in the following table.
You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an authorized user requests access.
What should you configure?
Correct Answer: D
Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
Note: When just-in-time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.
When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions that permit them to successfully request access to a VM. If the request is approved, Security Center automatically configures the Network Security Groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports and requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Security Center restores the NSGs to their previous states. Connections that are already established are not interrupted, however.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
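The enable-then-request flow described above, as an added example with the Az.Security cmdlets (not code from the exam page or from Microsoft's documentation). The subscription ID, resource group, VM name, region and the requester's source address 203.0.113.10 are placeholders:

```powershell
# Added example (Az.Security module); not from the exam page. Subscription ID,
# RG1, VM1, region and the requester's IP 203.0.113.10 are placeholders.
$rg       = 'RG1'
$location = 'eastus'
$vmId     = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/VM1'

# 1. Enable JIT for RDP on VM1. Security Center adds a deny rule for 3389 to the
#    VM's NSG; a single approved request may open it for at most 3 hours (PT3H).
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy)

# 2. An authorized user requests access for one hour from one source IP. Security
#    Center checks the caller's RBAC on the VM, inserts a higher-priority allow
#    rule, and removes it again at endTimeUtc.
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
            allowedSourceAddressPrefix = @('203.0.113.10')
        }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default' `
    -VirtualMachine @($request)

# 3. Inspect the policy and its open requests
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default'
```

Two practitioner notes. The wildcard in allowedSourceAddressPrefix at policy level only bounds what a request may ask for; the request itself should always carry the requester's actual address, since that is what ends up in the temporary NSG rule. And JIT does not change established sessions when the window closes, so an RDP session opened inside the window can outlive it; that is by design and worth knowing when reading the NSG afterwards.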
You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network tra c to an Azure Storage account.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct Answer: BD
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network
traffic that flows through an NSG with Network Watcher's NSG flow log capability. Steps include:
✑ Create a VM with a network security group
✑ Enable Network Watcher and register the Microsoft.Insights provider
✑ Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
✑ Download logged data
✑ View logged data
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
~ https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 3 times
You have an Azure subscription that contains the virtual machines shown in the following table.
A. VM3 only
Correct Answer: D
When automatic provisioning is On, Security Center provisions the Log Analytics Agent on all supported Azure VMs and any new ones that are
created.
Supported operating systems include: Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64), and 18.04 LTS (x64), and Windows Server 2008 R2,
2012, 2012 R2, 2016, version 1709 and 1803.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
Question #1 Topic 4
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?
Correct Answer: B
Delegated permissions - Your client application needs to access the web API as the signed-in user, but with access limited by the selected
permission. This type of permission can be granted by a user unless the permission requires administrator consent.
Incorrect Answers:
A, D: Application permissions - Your client application needs to access the web API directly as itself (no user context). This type of permission
requires administrator consent and is also not available for public (desktop and mobile) client applications.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
Question #2 Topic 4
DRAG DROP -
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
The company is developing an application named App1. App1 will run as a service on a server that runs Windows Server 2016. App1 will
authenticate to contoso.com and access Microsoft Graph to read directory data.
You need to delegate the minimum required permissions to App1.
Which three actions should you perform in sequence from the Azure portal? To answer, move the appropriate actions from the list of actions to
the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Delegated permission -
Delegated permissions are used by apps that have a signed-in user present.
Application Proxy:
Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Question #3 Topic 4
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops a mobile application named App1. App1 uses the OAuth 2 implicit grant type to acquire Azure AD access tokens.
You need to register App1 in Azure AD.
What information should you obtain from the developer to register the application?
A. a redirect URI
B. a reply URL
C. a key
D. an application ID
Correct Answer: A
For Native Applications you need to provide a Redirect URI, which Azure AD will use to return token responses.
References:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Question #4 Topic 4
From the Azure portal, you are configuring an Azure policy.
You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects.
Which effect requires a managed identity for the assignment?
A. AuditIfNotExist
B. Append
C. DeployIfNotExist
D. Deny
Correct Answer: C
When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity.
References:
https://docs.microsoft.com/bs-latn-ba/azure/governance/policy/how-to/remediate-resources
Question #5 Topic 4
HOTSPOT -
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to implement an application that will consist of the resources shown in the following table.
Users will authenticate by using their Azure AD user account and access the Cosmos DB account by using resource tokens.
You need to identify which tasks will be implemented in CosmosDB1 and WebApp1.
Which task should you identify for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/cosmosdb/authentication
Question #6 Topic 4
HOTSPOT -
You need to create an Azure key vault. The solution must ensure that any object deleted from the key vault be retained for 90 days.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: -EnablePurgeProtection -
If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well.
Box 2: -EnableSoftDelete -
Specifies that the soft-delete functionality is enabled for this key vault. When soft-delete is enabled, for a grace period, you can recover this key
vault and its contents after it is deleted.
References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/new-azurermkeyvault
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is
enabled. It can be turned on via CLI or PowerShell.
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-soft-delete#purge-protection
az keyvault create --name ContosoVault --resource-group ContosoRG --location westus --enable-soft-delete true --enable-purge-protection true
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-cli#enabling-purge-protection
upvoted 3 times
[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-EnableSoftDelete]
[-EnablePurgeProtection]
[-Sku <SkuName>]
[-Tag <Hashtable>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/new-azurermkeyvault?view=azurermps-6.13.0
upvoted 3 times
Question #7 Topic 4
You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?
Correct Answer: A
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to
retrieve them.
Managed identities for Azure resources make solving this problem simpler by giving Azure services an automatically managed identity in
Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including
Key Vault, without having any credentials in your code.
Example: How a system-assigned managed identity works with an Azure VM
After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager,
use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code
access to the specific secret or key in Key Vault.
References:
https://docs.microsoft.com/en-us/azure/key-vault/quick-create-net
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Oz 1 year ago
Ref: https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
The correct answer is "set access policy" to the managed identity that app will use.
Example:
az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get list
This command gives the identity (MSI) of the app service permission to do get and list operations on your key vault.
upvoted 36 times
Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate.
upvoted 2 times
RBAC. In Key Vault, RBAC is only used for mediating management plane access.
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security#controlling-access-to-key-vault-data
To create the access policy the command is as follows:
Set-AzKeyVaultAccessPolicy
-VaultName <key-vault-name>
-ObjectId <Id>
-PermissionsToSecrets <secrets-permissions>
-PermissionsToKeys <keys-permissions>
-PermissionsToCertificates <certificate-permissions>
https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-powershell#assign-the-access-policy
upvoted 1 times
The management plane is where you manage Key Vault itself and it is the interface used to create and delete vaults. You can also read key
vault properties and manage access policies.
The data plane allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.
To access a key vault in either plane, all callers (users or applications) must be authenticated and authorized. Both planes use Azure Active
Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data
plane uses a Key Vault access policy.
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security#controlling-access-to-key-vault-data
upvoted 1 times
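An added example (not from ExamTopics, the commenters, or Microsoft's docs) that ties Question #6 and Question #7 together: create the vault with soft delete and purge protection, verify both settings, then grant the application's identity only the secret permission it needs on the data plane. It uses the AzureRM cmdlets and parameters quoted above; the vault name, resource group, location and the App1 object ID are placeholders.

```powershell
# Added example: purge-protected Key Vault plus a least-privilege access policy.
# All names and the object ID are placeholders, not values from the exam page.
$vaultName     = "contoso-kv-example"   # placeholder
$resourceGroup = "RG1"                  # placeholder
$location      = "westus"               # placeholder
$appObjectId   = "<object-id-of-App1-service-principal>"  # placeholder

# Soft delete keeps deleted vault objects recoverable for the retention period;
# purge protection stops anyone (even an Owner) from purging them early.
# -EnablePurgeProtection requires -EnableSoftDelete on the same vault.
New-AzureRmKeyVault -VaultName $vaultName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -EnableSoftDelete `
    -EnablePurgeProtection | Out-Null

# Verify both protections are on before any secret is stored in the vault.
$vault = Get-AzureRmKeyVault -VaultName $vaultName
if (-not $vault.EnableSoftDelete -or -not $vault.EnablePurgeProtection) {
    throw "Vault $vaultName is missing soft delete or purge protection."
}

# Data-plane authorization is the access policy, not RBAC. Grant only 'get' on
# secrets: the app can read Secret1 but cannot enumerate, create or delete secrets.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $appObjectId `
    -PermissionsToSecrets get

# Confirm the resulting policy grants exactly what was intended and nothing more.
$policy = (Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $appObjectId }
$policy | Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates
```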
Question #8 Topic 4
D. user credentials
Correct Answer: CE
Always Encrypted uses two types of keys: column encryption keys and column master keys. A column encryption key is used to encrypt data in
an encrypted column. A column master key is a key-protecting key that encrypts one or more column encryption keys.
References:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine
Stay Away From the Brahamins at Microsoft Doc For They Would Lead You Astray My Son
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
upvoted 3 times
Question #9 Topic 4
You have a hybrid configuration of Azure Active Directory (Azure AD).
All users have computers that run Windows 10 and are hybrid Azure AD joined.
You have an Azure SQL database that is configured to support Azure AD authentication.
Database developers must connect to the SQL database by using Microsoft SQL Server Management Studio (SSMS) and authenticate by using
their on-premises Active Directory account.
You need to tell the developers which authentication method to use to connect to the SQL database from SSMS. The solution must minimize
authentication prompts.
Which authentication method should you instruct the developers to use?
A. SQL Login
Correct Answer: C
Azure AD can be the initial Azure AD managed domain. Azure AD can also be an on-premises Active Directory Domain Services that is federated
with Azure AD.
Using an Azure AD identity to connect using SSMS or SSDT
The following procedures show you how to connect to a SQL database with an Azure AD identity using SQL Server Management Studio or SQL
Server Data Tools.
Active Directory integrated authentication
Use this method if you are logged in to Windows using your Azure Active Directory credentials from a federated domain.
1. Start Management Studio or Data Tools and in the Connect to Server (or Connect to Database Engine) dialog box, in the Authentication box,
select Active Directory - Integrated. No password is needed or can be entered because your existing credentials will be presented for the
connection.
2. Select the Options button, and on the Connection Properties page, in the Connect to database box, type the name of the user database you
want to connect to.
(The "AD domain name or tenant ID" option is only supported for Universal with MFA connection options; otherwise it is greyed out.)
References:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/sql-database/sql-database-aad-authentication-configure.md
AS007 7 months, 1 week ago
Correct Ans
upvoted 7 times
Hybrid AD, and workstations are domain joined. Hence integrated authentication will use a kerberos ticket to authenticate itself to the SQL
server using the logged in user of the workstation.
upvoted 10 times
DRAG DROP -
You have an Azure subscription named Sub1 that contains an Azure Storage account named Contosostorage1 and an Azure key vault named
Contosokeyvault1.
You plan to create an Azure Automation runbook that will rotate the keys of Contosostorage1 and store them in Contosokeyvault1.
You need to implement prerequisites to ensure that you can implement the runbook.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Resource Manager resources with your runbooks. The AzureRunAsConnection is a connection asset automatically created when we created
'run as accounts' above. This can be found under Assets -> Connections. After the authentication code, run the same code above to get all the
keys from the vault.
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection asset "AzureRunAsConnection" created with the Run As account
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    # Authenticate as the Run As service principal using its certificate, so no
    # password or key has to be stored in the runbook
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch
{
    # Fail the runbook if the connection asset is missing or the login fails
    if (!$servicePrincipalConnection)
    {
        throw "Connection $connectionName not found."
    }
    else
    {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
References:
https://www.rahulpnath.com/blog/accessing-azure-key-vault-from-azure-runbook/
D. A user deletes more than 100 records from the same table.
Correct Answer: B
Advanced Threat Protection can detect potential SQL injections: This alert is triggered when an active exploit happens against an identified
application vulnerability to SQL injection. This means the attacker is trying to inject malicious SQL statements using the vulnerable application
code or stored procedures.
References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection-overview
Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your
database. It continuously monitors your database for suspicious activities, and it provides immediate security alerts on potential
vulnerabilities, Azure SQL injection attacks, and anomalous database access patterns. Advanced Threat Protection alerts provide details of
the suspicious activity and recommend action on how to investigate and mitigate the threat.
upvoted 1 times
DS 1 week ago
Answer is A SQL Injection, it inject more than 50%
upvoted 1 times
HOTSPOT -
You have the Azure Information Protection conditions shown in the following table.
You have the Azure Information Protection policies shown in the following table.
You need to identify how Azure Information Protection will label files.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 2: No Label -
Automatic classification applies to Word, Excel, and PowerPoint when documents are saved, and applies to Outlook when emails are sent.
Automatic classification does not apply to Microsoft Notepad.
References:
https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-classification
"The labels are ordered for evaluation, according to their position that you specify in the policy: The label positioned first has the lowest
position (least sensitive) and the label positioned last has the highest position (most sensitive)"
and
So in this case label 2 is positioned last and is therefore the most sensitive.
(https://docs.microsoft.com/nl-nl/azure/information-protection/configure-policy-classification)
upvoted 13 times
A. branch folders
B. branch permissions
C. branch policies
D. branch locking
Correct Answer: C
Branch policies help teams protect their important branches of development. Policies enforce your team's code quality and change
management standards.
References:
https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops&viewFallbackFrom=vsts
DRAG DROP -
You have an Azure subscription named Sub1. Sub1 contains an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to encrypt VM1 disks by using Azure Disk Encryption.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/encrypt-disks
Source: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart
upvoted 2 times
The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and
decrypting the volumes.
If you did not enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in
the previous step), you must update its advanced access policies.
refer https://docs.microsoft.com/en-us/azure//virtual-machines/windows/disk-encryption-key-vault
upvoted 4 times
You have an Azure subscription that contains a virtual machine named VM1.
You create an Azure key vault that has the following configurations:
✑ Name: Vault5
✑ Region: West US
✑ Resource group: RG1
You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup.
Which key vault settings should you con gure?
A. Access policies
B. Secrets
C. Keys
D. Locks
Correct Answer: A
References:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database user.
What should you do?
Correct Answer: B
SQL server listed under Azure services that support Azure AD authentication (not in Azure services that support managed identities
for Azure resources)
upvoted 1 times
However, wouldn't we also need a service endpoint to route traffic from the VM to SQL? Hmm. Maybe the SQL has public access and
does not need a service endpoint. Hmm, I answered myself while typing this.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
upvoted 2 times
You have an Azure subscription named Sub1 that contains the Azure key vaults shown in the following table:
In Sub1, you create a virtual machine that has the following configurations:
✑ Name: VM1
✑ Size: DS2v2
✑ Resource group: RG1
✑ Region: West Europe
✑ Operating system: Windows Server 2016
You plan to enable Azure Disk Encryption on VM1.
In which key vaults can you store the encryption key for VM1?
C. Vault1 only
Correct Answer: A
In order to make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be
co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.
Reference:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault
states: Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries,
Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the
same subscription and region as the VMs to be encrypted.
upvoted 3 times
HOTSPOT -
You have an Azure subscription that contains an Azure key vault named Vault1.
On January 1, 2019, Vault1 stores the following secrets.
When can each secret be used by an application? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Never -
Password1 is disabled.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultsecretattribute
Correct Answer: B
To use Azure Repos, make sure your Azure DevOps organization is linked to your Azure subscription.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment
Topic 5 - Testlet 1
Question #1 Topic 5
Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.
Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity
Management (PIM) is activated.
The tenant contains the groups shown in the following table.
The Azure subscription contains the objects shown in the following table.
Planned changes -
Litware plans to deploy the Azure resources shown in the following table.
General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.
Question
You need to meet the identity and access requirements for Group1.
What should you do?
B. Delete Group1. Create a new group named Group1 that has a membership type of Office 365. Add users and devices to the group.
D. Change the membership type of Group1 to Assigned. Create two groups that have dynamic memberships. Add the new groups to Group1.
Correct Answer: B
Incorrect Answers:
A, C: You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and devices.
D: For an assigned group, you can only add individual members.
Scenario:
Litware identifies the following identity and access requirements: All San Francisco users and their devices must be members of Group1.
The tenant currently contains this group:
References:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
Oz 1 year ago
I agree that D is a correct answer.
Here is the reference to support this.
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
It states clearly that "You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and
devices."
upvoted 13 times
When you create dynamic groups, they can either contain users or devices. Hence here we need to create two separate dynamic groups
and assign those groups to an Assigned group
upvoted 3 times
works#:~:text=The%20Azure%20AD%20user%20provisioning%20service%20can%27t%20read,group%20to%20manage%20access%20to%
20SaaS%20applications%20%29.
So, the answer is correct.
upvoted 1 times
Topic 6 - Testlet 2
Question #1 Topic 6
Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.
Existing Environment -
Azure AD -
Contoso.com contains the users shown in the following table.
Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
Sub2 -
Sub2 contains the virtual networks shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.
NSG1 has the inbound security rules shown in the following table.
NSG2 has the inbound security rules shown in the following table.
NSG3 has the inbound security rules shown in the following table.
NSG4 has the inbound security rules shown in the following table.
NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.
Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.
Question
You need to ensure that User2 can implement PIM.
What should you do first?
Correct Answer: A
To start using PIM in your directory, you must first enable PIM.
1. Sign in to the Azure portal as a Global Administrator of your directory.
You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example,
@outlook.com), to enable PIM for a directory.
Scenario: Technical requirements include: Enable Azure AD Privileged Identity Management (PIM) for contoso.com
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-getting-started
I was thinking MFA, but then the question does not mention MFA, or MFA status; it only mentions that User2 has the Security Administrator role.
So obviously if User2 needs to implement PIM, PIM needs to be enabled, and it requires Global Administrator role.
upvoted 12 times
First:
When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in
Azure AD and selects a role (or even just visits Privileged Identity Management):
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
Secondly:
Sign in to the Azure portal with a user who is in the Privileged role administrator role.
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=new
Topic 7 - Testlet 3
Question #1 Topic 7
Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.
Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity
Management (PIM) is activated.
The tenant contains the groups shown in the following table.
The Azure subscription contains the objects shown in the following table.
Planned changes -
Litware plans to deploy the Azure resources shown in the following table.
General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.
Question
You need to ensure that users can access VM0. The solution must meet the platform protection requirements.
What should you do?
Correct Answer: A
Azure Firewall has the following known issue:
Conflict with Azure Security Center (ASC) Just-in-Time (JIT) feature.
If a virtual machine is accessed using JIT, and is in a subnet with a user-defined route that points to Azure Firewall as a default gateway, ASC
JIT doesn't work.
This is a result of asymmetric routing: a packet comes in via the virtual machine public IP (JIT opened the access), but the return path is via
the firewall, which drops the packet because there is no established session on the firewall.
Solution: To work around this issue, place the JIT virtual machines on a separate subnet that doesn't have a user-defined route to the firewall.
Scenario:
Following the implementation of the planned changes, the IT team must be able to connect to VM0 by using JIT VM access.
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
There’s already another route assign to Subnet0 that is pointing to the Firewall1 as the Default Gateway, for that reason we need to move
VM0 to subnet1. Answer is A
upvoted 2 times
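The asymmetric-routing failure described above comes down to which effective route the VM's reply packet takes. The following Python model is an added example, not part of the ExamTopics page or of Microsoft's documentation: it applies Azure's effective-route selection (longest matching prefix wins; on a tie a user-defined route beats a system route) to a constructed route set. The subnet and firewall names follow the case study; the address ranges, the firewall's private IP (10.0.1.4) and the admin's public IP (203.0.113.10) are assumptions.

```python
import ipaddress

# Constructed route data (an assumption, not the exam exhibit): every subnet carries
# Azure's system routes; Subnet0 additionally has a user-defined route (UDR) sending
# 0.0.0.0/0 to Firewall1's private IP, while Subnet1 has no route table at all.
SYSTEM_ROUTES = [
    {"prefix": "10.0.0.0/16", "next_hop": "VirtualNetwork", "source": "Default"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "Default"},
]
USER_ROUTES = {
    # 10.0.1.4 stands in for Firewall1's private IP (assumed).
    "Subnet0": [{"prefix": "0.0.0.0/0", "next_hop": "10.0.1.4", "source": "User"}],
    "Subnet1": [],
}


def effective_route(subnet, dest_ip):
    """Return the route Azure would use for a packet leaving `subnet` toward `dest_ip`.

    Selection mirrors the documented order: the longest matching prefix wins, and when
    prefixes are equal a user-defined route takes precedence over a system (Default) route.
    """
    dest = ipaddress.ip_address(dest_ip)
    matching = [
        r for r in SYSTEM_ROUTES + USER_ROUTES.get(subnet, [])
        if dest in ipaddress.ip_network(r["prefix"])
    ]
    return max(
        matching,
        key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen, r["source"] == "User"),
    )


def jit_session_completes(subnet, admin_public_ip):
    """JIT opens the NSG for the admin's inbound SYN, which arrives via the VM's public IP.

    The TCP handshake only completes if the SYN-ACK leaves by the same path (the system
    route to Internet). If a UDR pulls the reply into the firewall, the firewall has no
    session state for a flow it never saw start and drops it.
    """
    return effective_route(subnet, admin_public_ip)["next_hop"] == "Internet"


if __name__ == "__main__":
    admin_ip = "203.0.113.10"  # admin's public IP (assumed; TEST-NET-3 range)
    for subnet in ("Subnet0", "Subnet1"):
        route = effective_route(subnet, admin_ip)
        print(f"{subnet}: reply next hop = {route['next_hop']}, "
              f"JIT works = {jit_session_completes(subnet, admin_ip)}")
```

The same check is worth re-running after the move: if a route table with a 0.0.0.0/0 UDR is later associated with Subnet1, the JIT session breaks again, and the fix is then the documented one of keeping JIT hosts on a subnet without such a route.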
Question #2 Topic 7
Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.
Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity
Management (PIM) is activated.
The tenant contains the groups shown in the following table.
The Azure subscription contains the objects shown in the following table.
Planned changes -
Litware plans to deploy the Azure resources shown in the following table.
General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.
Question
HOTSPOT -
You need to deploy Microsoft Antimalware to meet the platform protection requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: DeployIfNotExists -
DeployIfNotExists executes a template deployment when the condition is met.
Azure Policy definition: Antimalware
Incorrect Answers:
Append:
Append is used to add additional fields to the requested resource during creation or update. A common example is adding tags on resources
such as costCenter or specifying allowed IPs for a storage resource.
Deny:
Deny is used to prevent a resource request that doesn't match defined standards through a policy definition and fails the request.
Box 2: The Create a Managed Identity setting
When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a
managed identity for each assignment, but must have details about what roles to grant the managed identity.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
To satisfy the requirements you need to specify the scope of the subscription and then RG
upvoted 3 times
The question is that the AntiMalware must be installed on the virtual machines in RG1
If a scope was not set, the Antimalware would still be installed on these VM's
So I think the answer is D, assign scope so only RG1 VMs are affected.
upvoted 1 times
Good job!
Here we need to set the managed identity setting which would allow the policy to deploy the Antimalware extension onto the virtual
machines.
upvoted 1 times
Question #3 Topic 7
Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.
Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated to an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity
Management (PIM) is activated.
The tenant contains the groups shown in the following table.
The Azure subscription contains the objects shown in the following table.
Planned changes -
Litware plans to deploy the Azure resources shown in the following table.
General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.
Question
DRAG DROP -
You need to deploy AKS1 to meet the platform protection requirements.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:
Scenario: Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Litware plans to deploy AKS1, which is a managed AKS (Azure Kubernetes Service) cluster.
Step 1: Create a server application
To provide Azure AD authentication for an AKS cluster, two Azure AD applications are created. The rst application is a server component that
provides user authentication.
Step 2: Create a client application
The second application is a client component that's used when you're prompted by the CLI for authentication. This client application uses the
server application for the actual authentication of the credentials provided by the client.
Step 3: Deploy an AKS cluster.
Use the az group create command to create a resource group for the AKS cluster.
Use the az aks create command to deploy the AKS cluster.
Step 4: Create an RBAC binding.
Before you use an Azure Active Directory account with an AKS cluster, you must create a role binding or cluster role binding. Roles define the
permissions to grant, and bindings apply them to desired users. These assignments can be applied to a given namespace, or across the entire
cluster.
Reference:
https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration
The correct order is Create the server application, Create the client application, Deploy the AKS cluster, Create the RBAC binding
upvoted 1 times
Ref: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
upvoted 2 times
Topic 8 - Testlet 4
Question #1 Topic 8
Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.
Existing Environment -
Azure AD -
Contoso.com contains the users shown in the following table.
Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
Sub2 -
Sub2 contains the virtual networks shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.
NSG1 has the inbound security rules shown in the following table.
NSG2 has the inbound security rules shown in the following table.
NSG3 has the inbound security rules shown in the following table.
NSG4 has the inbound security rules shown in the following table.
NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.
Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.
Question
HOTSPOT -
What is the membership of Group1 and Group2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
upvoted 7 times
Group2: Fail syntax error but if it was ".*on" it would actually be same as the -contains. If it should be different then it should be
".*on$" like @Sizz also noticed.
Group2 should have no members (assuming there are no typos in the question), as the 'matches' operator uses Regex, and '*on' is invalid
(the '*' character matches zero or one of the preceding token, which is missing in this example). Again, this is not case sensitive, but
doesn't matter here anyway.
upvoted 1 times
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-the-underscore-_-syntax
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-the--match-operator
upvoted 3 times
As others have mentioned... there is a typo in Box 2. *on is NOT a valid syntax. Azure will throw an error and will not save the rule. The
correct syntax should be .*on (thats 'dot' and 'asterisk' before 'on'). If this is the case on the exam, the answer for box 2 will be Users 1-4.
upvoted 5 times
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
upvoted 1 times
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
upvoted 1 times
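The thread above turns on how Azure AD evaluates a dynamic membership rule: -contains is a plain substring test, -match runs a regular expression, "*on" is not a valid regex, ".*on" selects the same users as -contains "on", and only ".*on$" restricts to names that end in "on". The following Python evaluator is an added example, not code from ExamTopics or Microsoft; it uses Python's re module as a stand-in for the .NET regex engine Azure AD uses. The user table from the case study is an image, so the sample users (names, departments) are constructed assumptions, as is the single-expression rule syntax the parser accepts.

```python
import re

# Constructed sample users (the case study's user table is not reproduced on the page;
# these display names are assumptions chosen so that some end in "on" and some only contain it).
USERS = [
    {"name": "User1", "displayName": "Allison", "department": "Montreal"},
    {"name": "User2", "displayName": "Jason", "department": "Seattle"},
    {"name": "User3", "displayName": "Conor", "department": "New York"},
    {"name": "User4", "displayName": "Dalton", "department": "Montreal"},
]

# Accepts one expression of the form (user.<property> -<operator> "<value>").
RULE_SYNTAX = re.compile(r'\s*\(?\s*user\.(\w+)\s+-(\w+)\s+"([^"]*)"\s*\)?\s*')


def evaluate_rule(rule, user):
    """Evaluate a single-expression dynamic membership rule against one user object.

    Supports -eq, -ne, -contains, -notContains, -match and -notMatch. Azure AD compares
    strings case-insensitively and runs -match as a .NET regular expression; Python's
    re module stands in for it here. An invalid regex raises ValueError, mirroring the
    portal refusing to save the rule.
    """
    m = RULE_SYNTAX.fullmatch(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    prop, op, value = m.group(1), m.group(2).lower(), m.group(3)
    actual = str(user.get(prop, ""))
    if op in ("match", "notmatch"):
        try:
            pattern = re.compile(value, re.IGNORECASE)
        except re.error as exc:
            # "*on" lands here: '*' is a quantifier with nothing before it to repeat.
            raise ValueError(f"invalid regex {value!r}: {exc}") from exc
        hit = pattern.search(actual) is not None
    elif op in ("contains", "notcontains"):
        hit = value.lower() in actual.lower()
    elif op in ("eq", "ne"):
        hit = value.lower() == actual.lower()
    else:
        raise ValueError(f"unsupported operator: -{op}")
    return hit if op in ("match", "contains", "eq") else not hit


def members(rule, users=USERS):
    """Names of the users a rule selects; an invalid rule (one that cannot be saved) yields none."""
    try:
        return [u["name"] for u in users if evaluate_rule(rule, u)]
    except ValueError:
        return []


if __name__ == "__main__":
    for rule in ('(user.displayName -contains "on")',
                 '(user.displayName -match "*on")',
                 '(user.displayName -match ".*on")',
                 '(user.displayName -match ".*on$")'):
        print(f"{rule:40} -> {members(rule)}")
```

Run it and the four rules above return all four users, no users (regex rejected), all four users again, and the three whose names end in "on" respectively. When you validate a real rule, use the "Validate rules" feature in the portal against a few known users rather than reasoning about the regex in your head; the difference between ".*on" and ".*on$" is exactly the kind of thing that silently over-scopes a group used for access assignment.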
Question #2 Topic 8
Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.
Existing Environment -
Azure AD -
Contoso.com contains the users shown in the following table.
Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
Sub2 -
Sub2 contains the virtual networks shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.
NSG1 has the inbound security rules shown in the following table.
NSG2 has the inbound security rules shown in the following table.
NSG3 has the inbound security rules shown in the following table.
NSG4 has the inbound security rules shown in the following table.
NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.
Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.
Question
HOTSPOT -
You are evaluating the security of the network communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes -
NSG1 has the inbound security rules shown in the following table.
NSG2 has the inbound security rules shown in the following table.
Box 2: Yes. VM3 is on Subnet12. There is no NSG attached to Subnet12 so the traffic will be allowed by default.
Q2 = Yes as there is simply no NSG associated with VM3 and VM3 is in the same subnet
Q3 = No as VM5 is in a different vNet so the NSGs are not even relevant, there is no route between the vNets in the absence of vNet
peering.
upvoted 5 times
No
Yes
Yes
upvoted 8 times
The network security group NSG2 attached to the subnet does not have a rule to allow incoming ping requests and neither does NSG1
which is attached to NIC2
upvoted 1 times
No, Yes, No. Please see VM1 and VM5 are on different VNETs.
This means, without peering, you cannot ping from VM1 to VM5 with private IP.
And there is no peering settings, so the packet sent from VM1 would be discarded.
upvoted 1 times
Question #3 Topic 8
Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.
Existing Environment -
Azure AD -
Contoso.com contains the users shown in the following table.
Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
Sub2 -
Sub2 contains the virtual networks shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.
NSG1 has the inbound security rules shown in the following table.
NSG2 has the inbound security rules shown in the following table.
NSG3 has the inbound security rules shown in the following table.
NSG4 has the inbound security rules shown in the following table.
NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.
Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.
Question
HOTSPOT -
You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 2: Yes.
VM2 is in ASG2. Any protocol is allowed from ASG2 so ICMP ping would be allowed.
Box 3: Yes. VM1 is in ASG1. TCP traffic is allowed from ASG1, so VM1 could connect to the web server, as connections to the web server would be
on ports TCP 80 or TCP 443.
barchetta 9 months, 3 weeks ago
Q1: don't forget ping is not TCP. I know better but forgot.
upvoted 21 times
and
This command is available only if the Internet Protocol (TCP/IP) is installed as a component in the properties of a network adapter in
Network Connections.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ping
sounds to me like icmp is operating within TCP and therefore the answer to Q1 should be YES in my opinion.
upvoted 1 times
YES - Vm1 is on sNet11 and associated to NSG2. It allows port 80 TCP traffic.
YES - Vm2 is also on sNet11 and associated to NSG2. It allows port 80 TCP traffic.
YES - Vm3 is on sNet12. There is no NSG associated to it. Traffic is open to ALL ports.
upvoted 2 times
No, since there is a DENY rule with a priority of 200 that denies all types of traffic. The rule with priority 100 only allows the TCP
protocol and not the ICMP protocol.
Yes, there is a rule in NSG2 to allow traffic from ASG2. And this application security group is attached to NIC2 which is attached to the
prodvm2 virtual machine.
upvoted 2 times
Box 2: Yes.
VM2 is subnet 11. NSG1 allows pings out.
VM4 has a NSG3 setup. It allows any protocol from ASG2 into subnet 13(where VM4 is) so ICMP ping would be allowed.
VM2 is in ASG2 so pings from it are allowed through NSG3.
Box3. Yes.
VM1 is in ASG1. TCP traffic is allowed from ASG1 so VM1 could connect to the web server as connections to the web server would be on
ports TCP 80 or TCP 443.
upvoted 1 times
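The two NSG questions above (network communication in Sub2, and the effect of application security groups on it) are decided by the same three facts: rules are evaluated in priority order and the first match wins, a rule that names a protocol only matches that protocol (ping is ICMP, so a TCP-only allow never matches it), and without VNet peering there is no route between VNets so no NSG is ever consulted. The following Python evaluator is an added example, not code from ExamTopics or Microsoft. The exam's NSG tables are images not reproduced on the page, so the rule sets, the ASG and NSG assignments and the VM-to-VNet mapping below are constructed from the commenters' descriptions (a TCP/80 allow from ASG1 at priority 100 followed by a deny-all at 200 in NSG2; an any-protocol allow from ASG2 in NSG3) and are assumptions; the model also attaches one NSG per VM, whereas a real VM can have one on the NIC and another on the subnet, both of which must allow the flow.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first; the first matching rule decides
    protocol: str      # "TCP", "UDP", "ICMP" or "*" for any
    source: str        # an ASG name, a service tag such as "VirtualNetwork", or "*"
    dest_port: str     # a port number as a string, or "*"
    action: str        # "Allow" or "Deny"


# Default inbound rules Azure appends to every NSG; they sit behind every custom rule.
DEFAULT_INBOUND = [
    Rule(65000, "*", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "*", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "*", "*", "*", "Deny"),
]

# Constructed NSG contents modelled on the comments in this thread (assumptions, not the exhibits).
NSGS = {
    "NSG2": [Rule(100, "TCP", "ASG1", "80", "Allow"), Rule(200, "*", "*", "*", "Deny")],
    "NSG3": [Rule(100, "*", "ASG2", "*", "Allow"), Rule(200, "*", "*", "*", "Deny")],
}

# Per VM: ASGs its NIC belongs to, the single NSG guarding it (None = no NSG), and its VNet.
# Constructed; a real VM may have an NSG on both the NIC and the subnet.
VMS = {
    "VM1": {"asgs": {"ASG1"}, "nsg": "NSG2", "vnet": "VNetwork1"},
    "VM2": {"asgs": {"ASG2"}, "nsg": "NSG2", "vnet": "VNetwork1"},
    "VM3": {"asgs": set(), "nsg": None, "vnet": "VNetwork1"},
    "VM4": {"asgs": set(), "nsg": "NSG3", "vnet": "VNetwork1"},
    "VM5": {"asgs": set(), "nsg": None, "vnet": "VNetwork2"},
}


def rule_matches(rule, protocol, port, src_asgs, same_vnet):
    """True if the rule's protocol, destination port and source all match the packet."""
    if rule.protocol != "*" and rule.protocol.upper() != protocol.upper():
        return False  # ping is ICMP, so a TCP-only allow never matches it
    if rule.dest_port != "*" and (port is None or rule.dest_port != str(port)):
        return False
    if rule.source == "*" or rule.source in src_asgs:
        return True
    return rule.source == "VirtualNetwork" and same_vnet


def inbound_allowed(src, dst, protocol, port=None, peered=frozenset()):
    """Decide whether a packet from VM `src` reaches VM `dst` over private addressing.

    `peered` is a set of frozensets naming VNet pairs that are peered; without peering
    there is no route between VNets, so the NSG rules are never consulted.
    """
    s, d = VMS[src], VMS[dst]
    same_vnet = s["vnet"] == d["vnet"]
    if not same_vnet and frozenset({s["vnet"], d["vnet"]}) not in peered:
        return False
    if d["nsg"] is None:
        return True  # no NSG anywhere on the path: everything is allowed
    for rule in sorted(NSGS[d["nsg"]] + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, protocol, port, s["asgs"], same_vnet):
            return rule.action == "Allow"
    return False  # not reached: the 65500 deny-all always matches


if __name__ == "__main__":
    checks = [("VM1", "VM2", "ICMP", None), ("VM1", "VM2", "TCP", 80),
              ("VM2", "VM4", "ICMP", None), ("VM1", "VM3", "ICMP", None),
              ("VM1", "VM5", "ICMP", None)]
    for src, dst, proto, port in checks:
        label = f"{proto}/{port}" if port else proto
        print(f"{src} -> {dst} {label}: {inbound_allowed(src, dst, proto, port)}")
```

The first check is the "ping is not TCP" case: the priority-100 rule does not match ICMP, so the priority-200 deny catches it before the default VirtualNetwork allow at 65000 is ever reached. Against a real subscription the equivalent check is Network Watcher's IP flow verify, which evaluates the effective rules from both the NIC and the subnet NSG.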
Question #4 Topic 8
Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other question on this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The company hosts its entire server infrastructure in Azure.
Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant
named contoso.com.
Existing Environment -
Azure AD -
Contoso.com contains the users shown in the following table.
Sub1 -
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.
Sub2 -
Sub2 contains the virtual networks shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests
and web requests.
Sub2 contains the network security groups (NSGs) shown in the following table.
NSG1 has the inbound security rules shown in the following table.
NSG2 has the inbound security rules shown in the following table.
NSG3 has the inbound security rules shown in the following table.
NSG4 has the inbound security rules shown in the following table.
NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.
Technical requirements -
Contoso identifies the following technical requirements:
Deploy Azure Firewall to VNetwork1 in Sub2.
Register an application named App2 in contoso.com.
Whenever possible, use the principle of least privilege.
Enable Azure AD Privileged Identity Management (PIM) for contoso.com.
Question
You need to meet the technical requirements for VNetwork1.
What should you do first?
Correct Answer: A
From scenario: Deploy Azure Firewall to VNetwork1 in Sub2.
Azure Firewall needs a dedicated subnet named AzureFirewallSubnet.
References:
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
Topic 9 - Testlet 5
Question #1 Topic 9
Question
HOTSPOT -
You assign User8 the Owner role for RG4, RG5, and RG6.
In which resource groups can User8 create virtual networks and NSGs? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition
Allowed Resource Type: Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this
defined list.
RG4 has a policy definition of allowed resource types of NSG - that means anything other than NSGs is denied from being created.
upvoted 22 times
Box 1: RG5 & RG6
Box 2: RG4 & RG6
upvoted 12 times
Box 1: RG5 & RG6 (RG4 only allows resource types of NSG so you can't create vNet)
Box 2: RG4 & RG6 (RG5 does not allow resource types NSG so you cannot create NSG)
upvoted 2 times
Translation: only the allowed resource type of network security group is allowed in RG4. Nothing else. This means you cannot create
anything (including vNets) in RG4. Please do the labs.
upvoted 2 times
Box 2
RG4 and RG6 only (agree with answer)
upvoted 4 times
You can create virtual networks in all resource groups. Since there is no specific policy to deny the creation of the virtual network itself,
you can create virtual networks in all of these resource groups.
Since there is a policy to not allow network security groups in grp5, you can't create network security groups in this resource group.
upvoted 2 times
We can create Vnet in RG6 only... (answer should be RG5 and RG6)
We can create NSG in RG4 and RG6
upvoted 2 times
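The policy effect the comments above argue about, as an added example that is not part of the ExamTopics page or of any Microsoft code: a small Python evaluator for the condition shape used by the built-in "Allowed resource types" and "Not allowed resource types" definitions (the resource's "type" field tested with "in" against a parameter list, effect "deny"). The assignments are constructed to match the discussion (RG4 allows only NSGs, RG5 disallows NSGs, RG6 has no policy); the real exam tables are not on this page, so treat those placements as assumptions.

```python
"""Model how the built-in "Allowed resource types" and "Not allowed resource
types" Azure Policy definitions decide a resource creation in a resource group.

Added example, not from ExamTopics or Microsoft. The two rules below follow the
shape of the built-in definitions; the per-resource-group assignments are
constructed to match the discussion (RG4 allows only NSGs, RG5 disallows NSGs,
RG6 has no policy assigned).
"""

NSG = "Microsoft.Network/networkSecurityGroups"
VNET = "Microsoft.Network/virtualNetworks"

# Policy rules in the JSON shape Azure Policy uses (subset modeled: field / in / not).
ALLOWED_RESOURCE_TYPES = {
    "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}
NOT_ALLOWED_RESOURCE_TYPES = {
    "if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
    "then": {"effect": "deny"},
}

# Constructed assignments: resource group -> list of (policy rule, parameter values).
ASSIGNMENTS = {
    "RG4": [(ALLOWED_RESOURCE_TYPES, {"listOfResourceTypesAllowed": [NSG]})],
    "RG5": [(NOT_ALLOWED_RESOURCE_TYPES, {"listOfResourceTypesNotAllowed": [NSG]})],
    "RG6": [],
}


def _resolve(value, params):
    """Resolve an ARM-style "[parameters('name')]" reference to its assigned value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _matches(condition, resource, params):
    """Evaluate the tiny subset of the policy condition language modeled here."""
    if "not" in condition:
        return not _matches(condition["not"], resource, params)
    if "in" in condition:
        return resource[condition["field"]] in _resolve(condition["in"], params)
    raise ValueError(f"unsupported condition: {condition}")


def creation_denied(resource_group, resource_type):
    """True if any policy assigned to the resource group denies creating resource_type there."""
    resource = {"type": resource_type}
    for rule, params in ASSIGNMENTS.get(resource_group, []):
        if _matches(rule["if"], resource, params) and rule["then"]["effect"] == "deny":
            return True
    return False


def groups_allowing(resource_type, candidates=("RG4", "RG5", "RG6")):
    """Resource groups (among those the user owns) where creation is not denied by policy."""
    return [rg for rg in candidates if not creation_denied(rg, resource_type)]


if __name__ == "__main__":
    print("virtual networks:", groups_allowing(VNET))   # ['RG5', 'RG6']
    print("NSGs:", groups_allowing(NSG))                 # ['RG4', 'RG6']
```

Azure Policy is evaluated independently of RBAC: User8's Owner role on RG4 does not bypass a deny effect, which is why the Owner assignment alone does not settle either box.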
Question #2 Topic 9
Question
HOTSPOT -
Which virtual networks in Sub1 can User2 modify and delete in their current state? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
"ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to
restricting all authorized users to the permissions granted by the Reader role." - therefore the user cannot modify vNet3 either as
RG3 has a read-only lock as well as a delete lock
upvoted 12 times
When you have multiple Locks, the most restrictive one is implemented, which means that for RG3 the Lock is Read-only
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?WT.mc_id=thomasmaurer-blog-thmaure#who-can-create-or-delete-locks
upvoted 11 times
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
upvoted 1 times
upvoted 2 times
Do Not Delete / CanNotDelete: the resources can be altered, but can't be deleted. Not Locked: resources can be added, moved, changed,
or deleted from this resource group.
upvoted 1 times
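The lock semantics quoted in the comments above (ReadOnly blocks update and delete, CanNotDelete blocks delete only, a lock on a parent scope applies to every child, the most restrictive lock wins), as an added example that is not from ExamTopics or Microsoft. Only RG3's pair of locks comes from the discussion; the locks on RG1 and RG2, the virtual network names and the subscription ID are constructed placeholders.

```python
"""Evaluate what a caller whose RBAC role already allows update and delete can
still do to a virtual network once management locks are taken into account.

Added example, not from ExamTopics or Microsoft. RG3 carrying both a ReadOnly
and a CanNotDelete lock matches the discussion; RG1 (no lock), RG2 (CanNotDelete),
the VNet names and the subscription ID are constructed for the example.
"""

READ_ONLY = "ReadOnly"
CANNOT_DELETE = "CanNotDelete"

# Lock levels ordered from least to most restrictive; None means no lock.
RESTRICTIVENESS = {None: 0, CANNOT_DELETE: 1, READ_ONLY: 2}

# Placeholder subscription; scopes are ARM resource IDs, and a child's ID
# starts with its parent's ID, which is how inheritance is resolved below.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed lock placements: scope -> lock levels set at that scope.
LOCKS = {
    f"{SUB}/resourceGroups/RG2": [CANNOT_DELETE],
    f"{SUB}/resourceGroups/RG3": [READ_ONLY, CANNOT_DELETE],
}


def vnet_scope(resource_group, name):
    """ARM resource ID of a virtual network in the given resource group."""
    return f"{SUB}/resourceGroups/{resource_group}/providers/Microsoft.Network/virtualNetworks/{name}"


def effective_lock(scope):
    """Most restrictive lock that applies to scope, including locks inherited from parents."""
    applying = [
        level
        for lock_scope, levels in LOCKS.items()
        if scope == lock_scope or scope.startswith(lock_scope + "/")
        for level in levels
    ]
    return max(applying, key=lambda level: RESTRICTIVENESS[level], default=None)


def permissions(scope):
    """(can_modify, can_delete) after locks are applied on top of an allowing RBAC role."""
    lock = effective_lock(scope)
    return (lock != READ_ONLY, lock is None)


if __name__ == "__main__":
    for rg, vnet in (("RG1", "VNet1"), ("RG2", "VNet2"), ("RG3", "VNet3")):
        can_modify, can_delete = permissions(vnet_scope(rg, vnet))
        print(f"{vnet}: modify={can_modify} delete={can_delete}")
```

The RG3 case is the one the question turns on: the CanNotDelete lock adds nothing once a ReadOnly lock is present, so the VNet in RG3 can be neither modified nor deleted regardless of the user's role.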
Topic 10 - Testlet 6
Question #1 Topic 10
Introductory Info
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next sections of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware, Inc. is a digital media company that has 500 employees in the Chicago area and 20 employees in the San Francisco area.
Existing Environment -
Litware has an Azure subscription named Sub1 that has a subscription ID of 43894a43-17c2-4a39-8cfc-3540c2653ef4.
Sub1 is associated with an Azure Active Directory (Azure AD) tenant named litwareinc.com. The tenant contains the user objects and the device
objects of all the Litware employees and their devices. Each user is assigned an Azure AD Premium P2 license. Azure AD Privileged Identity
Management (PIM) is activated.
The tenant contains the groups shown in the following table.
The Azure subscription contains the objects shown in the following table.
Planned changes -
Litware plans to deploy the Azure resources shown in the following table.
General Requirements -
Litware identifies the following general requirements:
Whenever possible, administrative effort must be minimized.
Whenever possible, use of automation must be minimized.
Question
You need to ensure that you can meet the security operations requirements.
What should you do first?
Correct Answer: C
The Standard tier extends the capabilities of the Free tier to workloads running in private and other public clouds, providing unified security
management and threat protection across your hybrid cloud workloads. The Standard tier also adds advanced threat detection capabilities,
which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to
reduce exposure to network attacks and malware, and more.
Scenario: Security Operations Requirements
Litware must be able to customize the operating system security configurations in Azure Security Center.
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing
We retired this preview feature. To reset your security configurations back to their default values after the retirement date, do so via the
API or PowerShell using the following instructions.
upvoted 2 times
To be able to use features such as Adaptive Application controls or File Integrity monitoring which monitors the underlying virtual
machine, you need to use the Standard tier for Azure Security Center
upvoted 4 times
Topic 11 - Testlet 7
Question #1 Topic 11
Question
You need to configure WebApp1 to meet the data and application requirements.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct Answer: AC
A: To configure certificates for use in Azure Websites applications you need to upload a public certificate.
C: Over time, multiple versions of TLS have been released to mitigate different vulnerabilities. TLS 1.2 is the most current version available for
apps running on Azure App Service.
Incorrect Answers:
B: We need to support the HTTP URL as well.
Note:
References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
https://azure.microsoft.com/en-us/updates/app-service-and-functions-hosted-apps-can-now-update-tls-versions/
C. Set the minimum TLS version to 1.2: Very valid security setting, but is it a must in this case?
D. Change the pricing tier of the App Service plan: There is no indication of a pricing tier in the question, so I might skip this choice
E. Turn on Incoming client certificates protocol setting: This is a must as the server needs to request a certificate from the browser.
So a definite answer.
E and ?
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
"If you access your site over HTTP and not HTTPS, you will not receive any client certificate. So if your application requires client
certificates, you should not allow requests to your application over HTTP." -- that means you need to have HTTPS Only when
requesting incoming client certificates.
So, E - turn on incoming client certificates, and make sure it works B - turn on HTTPS Only.
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
upvoted 4 times
To set up your app to require client certificates, you can switch On the Require incoming certificate by selecting Configuration >
General Settings from the Azure Portal or you need to set the clientCertEnabled setting for your app to true.
So it should be HTTPS only and allow incoming. TLS 1.2 is a basic requirement in this case which is enabled by default
upvoted 1 times
Refer https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
1. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is
called TLS mutual authentication or client certificate authentication
2. If you access your site over HTTP and not HTTPS, you will not receive any client certificate. So if your application requires client
certificates, you should not allow requests to your application over HTTP. --> Choice B. Turn on HTTPS Only
3. No info about pricing tier. Let's assume the App Service plan must be in the Basic, Standard, Premium, or Isolated tier.
4. Enable client certificates --> choice E. Turn on Incoming client certificates protocol setting
upvoted 6 times
Correct answers: DE
https://azure.microsoft.com/en-us/pricing/details/security-center/
upvoted 1 times
Ensure to turn on the HTTPS only protocol setting. Also ensure to mark the Incoming client certificates protocol setting as turned on for
the Azure Web App
upvoted 1 times
For those suggesting B is correct, WebApp1 is accessible using https://litwireinc.com and http://www.litwareinc.com, restricting to HTTPS
only would prevent users from accessing using the http://www.litwareinc.com site.
A - Not needed, Azure doesn't complete mutual auth requests, it just passes them to the web app (Taken from the MS site - App Service
does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client
certificate.)
C - Although there is no requirement for TLS 1.2, this is a default setting and is best practice. It is also the only remaining valid option.
D - Pricing tier is key to deploying Mutual Auth, but details of the pricing tier are not available in this scenario.
E - The Azure configuration should be updated to allow client certificates to pass through - https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#enable-client-certificates
upvoted 2 times
Link - https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
upvoted 3 times
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
upvoted 1 times
upvoted 1 times
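Several comments above quote the same two facts from the mutual-auth documentation: App Service only forwards the client certificate and the app must validate it, and no certificate is ever forwarded over plain HTTP. As an added example that is not from ExamTopics or Microsoft, here is a request check in Python that relies on nothing beyond the standard library. The certificate bytes are constructed; treating the X-Forwarded-Proto header as the platform's HTTPS indicator is an assumption of the example; and the check is thumbprint pinning only, so a production handler would add validity-period and chain verification with a certificate library.

```python
"""Validate a client certificate that Azure App Service forwarded to the app.

Added example, not from ExamTopics or Microsoft. With "Incoming client
certificates" turned on, App Service terminates TLS, asks the browser for a
certificate and forwards it base64-encoded in the X-ARR-ClientCert request
header; the application code is responsible for validating it. This check
covers what the stdlib can verify offline: the request came in over HTTPS
(over plain HTTP there is no certificate to forward, which is why the
HTTPS Only setting matters) and the certificate's SHA-1 thumbprint is on an
allowlist. Expiry and chain validation are out of scope here.
"""
import base64
import binascii
import hashlib

# Constructed stand-in for a DER-encoded certificate. A real client certificate
# is handled identically: the thumbprint is SHA-1 over its DER bytes.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-client-certificate-body"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode("ascii")
# A second constructed certificate that is NOT trusted, for negative checks.
OTHER_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x0a" + b"some-other-certificate").decode("ascii")


def thumbprint(der_bytes):
    """SHA-1 thumbprint in the uppercase hex form the Azure portal displays."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


# Thumbprints of the client certificates this app accepts.
TRUSTED_THUMBPRINTS = {thumbprint(SAMPLE_CERT_DER)}


def client_cert_check(headers):
    """Return (accepted, reason) for one request; headers is a dict, name case ignored."""
    h = {name.lower(): value for name, value in headers.items()}

    # Assumption of this example: the platform reports the original scheme in
    # X-Forwarded-Proto. Over HTTP App Service never attaches a certificate.
    if h.get("x-forwarded-proto", "").lower() != "https":
        return False, "request not over HTTPS"

    cert_b64 = h.get("x-arr-clientcert")
    if not cert_b64:
        return False, "no client certificate presented"

    try:
        der = base64.b64decode(cert_b64, validate=True)
    except (binascii.Error, ValueError):
        return False, "malformed X-ARR-ClientCert header"

    tp = thumbprint(der)
    if tp not in TRUSTED_THUMBPRINTS:
        return False, f"untrusted certificate thumbprint {tp}"
    return True, "ok"


if __name__ == "__main__":
    print(client_cert_check({"X-Forwarded-Proto": "https", "X-ARR-ClientCert": SAMPLE_CERT_B64}))
    print(client_cert_check({"X-Forwarded-Proto": "http", "X-ARR-ClientCert": SAMPLE_CERT_B64}))
```

Pinning to a thumbprint is the simplest acceptance rule and is enough to show the division of labour: the platform setting (E) gets the certificate to the app, HTTPS Only (B) guarantees the header can be present, and the app still decides whether to trust what arrived.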
Question #2 Topic 11
Question
HOTSPOT -
You need to create Role1 to meet the platform protection requirements.
How should you complete the role definition of Role1? To answer, select the appropriate options in the answer area.
Correct Answer:
Scenario: A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1
must be available only for Resource Group1.
Azure RBAC template managed disks "Microsoft.Storage/"
References:
https://blogs.msdn.microsoft.com/azureedu/2017/02/11/new-managed-disk-storage-option-for-your-azure-vms/
https://blogs.msdn.microsoft.com/azure4fun/2016/10/21/custom-azure-rbac-roles-and-how-to-extend-existing-role-definitions-scope/
Explanation:
A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in Resource Group1. Role1 must
be available only for Resource Group1.
Since we have to enable this only for the resource groups, we have to limit the scope to the resource groups
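A custom role definition that meets the two constraints stated in the scenario (administer managed disks only; assignable only at Resource Group1), with a small least-privilege lint over it, as an added example that is not from ExamTopics or Microsoft. The JSON shape (Name, IsCustom, Actions, NotActions, AssignableScopes) is the one Azure RBAC expects; the subscription ID is the one the case study gives; "Resource Group1" is assumed to be the literal resource group name. Managed disks are exposed by the Microsoft.Compute resource provider, so the actions are restricted to Microsoft.Compute/disks plus the read action needed to see the resource group itself.

```python
"""Build the Role1 custom role definition and lint it for least privilege.

Added example, not from ExamTopics or Microsoft. The subscription ID comes from
the case study; the resource group name "Resource Group1" is taken literally
from the scenario wording (an assumption). The lint flags provider-wide or
global wildcards, actions outside the managed-disk namespace, and assignable
scopes broader than a single resource group.
"""
import json
import re

SUBSCRIPTION_ID = "43894a43-17c2-4a39-8cfc-3540c2653ef4"   # from the case study
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/Resource Group1"

# Actions the role may contain: full control of managed disks, plus reading the
# resource group so the delegated admin can navigate to it.
ALLOWED_NAMESPACES = (
    "Microsoft.Compute/disks",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
)

ROLE1 = {
    "Name": "Role1",
    "IsCustom": True,
    "Description": "Administer managed disks in Resource Group1",
    "Actions": [
        "Microsoft.Compute/disks/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "AssignableScopes": [RG_SCOPE],
}

# A scope is exactly one resource group: /subscriptions/<guid>/resourceGroups/<name>
RG_SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$")


def lint_role(role, allowed_namespaces=ALLOWED_NAMESPACES):
    """Return least-privilege findings for a role definition; an empty list means it passes."""
    findings = []
    if not role.get("IsCustom"):
        findings.append("IsCustom must be true for a custom role")

    for action in role.get("Actions", []):
        provider_wide = action.endswith("/*") and action.count("/") == 1   # e.g. Microsoft.Compute/*
        if action == "*" or provider_wide:
            findings.append(f"action '{action}' grants a whole provider or everything")
        elif not action.startswith(allowed_namespaces):
            findings.append(f"action '{action}' is outside the managed-disk namespace")

    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        if not RG_SCOPE_RE.match(scope):
            findings.append(f"scope '{scope}' is broader than a single resource group")
    return findings


def role_json(role):
    """The definition serialised as it would be handed to the CLI or the REST API."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print(role_json(ROLE1))
    print("findings:", lint_role(ROLE1))   # []
```

Restricting AssignableScopes to the resource group is what makes Role1 "available only for Resource Group1": a scope of the whole subscription would let the role be assigned anywhere in Sub1 even if every action in it stayed disk-specific.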
Question #3 Topic 11
Question
DRAG DROP -
You need to configure SQLDB1 to meet the data and application requirements.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the
Correct Answer:
Step 1: Connect to SQLDB1 by using Microsoft SQL Server Management Studio (SSMS)
Step 2: In SQLDB1, create contained database users.
Create a contained user in the database that represents the VM's system-assigned identity.
Step 3: In Azure AD, create a system-assigned managed identity.
A system-assigned identity for a Windows virtual machine (VM) can be used to access an Azure SQL server. Managed Service Identities are
automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert
1. From the Azure portal, create an AAD admin for the SQL server => This corresponds to setting the admin account on the SQL server.
3. In SQLDB1, create contained db users => since we do not have a vm, there is not a way to create a system managed identity manually
as such identity is usually enabled for a resource that supports it through its settings. The contained user SQL command will rely on the
name of the user in AD. This is referenced from the article: "SQL DB requires unique AAD display names. With this, the AAD accounts such
as users, groups and Service Principals (applications) and VM names enabled for managed identity must be uniquely defined in AAD
regarding their display names.")
Ref: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
upvoted 5 times
https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-aad-authentication
upvoted 4 times
please note that the link provided in the solution doesn't meet the main ASK here.
upvoted 12 times
https://youtu.be/pEPyPsGEevw?t=632
starts at 10.30
The order makes sense, because to create a user in SQLDB1, you need to connect to it first using SSMS.
upvoted 18 times
But the popular recommended answer in this discussion does not really have anything to do with making sure Azure AD credentials can
be used. At least the proposed solution did mention managed identity which is found in Azure AD for token access to the DB.
Hence my hesitation and unease. If the question asks for 4 steps instead of 3, it will be much easier to answer this question.
upvoted 1 times
If you want me to clarify more, just say. I would check later to explain further and easier.
upvoted 10 times
D. Azure Advisor
Correct Answer: B
You can use Azure Automation State Configuration to manage Azure VMs (both Classic and Resource Manager), on-premises VMs, Linux
machines, AWS VMs, and on-premises physical machines.
Note: Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes
automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure
Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux
machines, in the cloud or on-premises.
References:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
Question #2 Topic 12
HOTSPOT -
You suspect that users are attempting to sign in to resources to which they have no access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users
who had more than five failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
SecurityEvent
| where TimeGenerated > ago(1d)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples
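As an added example (not from the exam or from ExamTopics), the same detection logic as the Log Analytics query above, implemented in Python over constructed SecurityEvent-style rows so it can be run offline: apply the time window, keep only user accounts with EventID 4625, summarize count() and arg_max(TimeGenerated) per account, and report accounts above the threshold. The window defaults to the three days the question asks for; the account names, timestamps and row layout are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not a real clock).
NOW = datetime(2020, 11, 27, 12, 0, tzinfo=timezone.utc)


def hours_ago(hours):
    """Timestamp `hours` before NOW (helper for the constructed sample)."""
    return NOW - timedelta(hours=hours)


def event(hours, account, account_type="User", event_id=4625):
    """One constructed row with the SecurityEvent columns the query uses."""
    return {"TimeGenerated": hours_ago(hours), "Account": account,
            "AccountType": account_type, "EventID": event_id}


# Constructed sample events, not real logs:
SAMPLE_EVENTS = (
    # seven failed logons for alice inside the window -> reported
    [event(h, r"CONTOSO\alice") for h in (1, 2, 3, 5, 8, 13, 20)]
    # exactly five failures for bob -> not reported (the query wants MORE than five)
    + [event(h, r"CONTOSO\bob") for h in (2, 4, 6, 9, 11)]
    # eight failures for carol, all older than three days -> dropped by the time window
    + [event(24 * 4 + h, r"CONTOSO\carol") for h in range(8)]
    # a successful logon (4624) and a machine account never count
    + [event(1, r"CONTOSO\alice", event_id=4624)]
    + [event(h, r"CONTOSO\WEB01$", account_type="Machine") for h in range(10)]
)


def failed_logins_over_threshold(events, now=NOW, days=3, threshold=5):
    """Mirror of the query: time window, AccountType/EventID filter, summarize
    count() and arg_max(TimeGenerated) by Account, keep counts above threshold."""
    cutoff = now - timedelta(days=days)            # | where TimeGenerated > ago(3d)
    counts = defaultdict(int)
    latest = {}
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:
            continue
        # 4625 is the Windows "An account failed to log on" event
        if ev["AccountType"] != "User" or ev["EventID"] != 4625:
            continue
        acct = ev["Account"]
        counts[acct] += 1                          # failed_login_attempts=count()
        if acct not in latest or ev["TimeGenerated"] > latest[acct]:
            latest[acct] = ev["TimeGenerated"]     # latest_failed_login=arg_max(TimeGenerated, ...)
    return {
        acct: {"failed_login_attempts": n, "latest_failed_login": latest[acct]}
        for acct, n in counts.items()
        if n > threshold                           # | where failed_login_attempts > 5
    }


if __name__ == "__main__":
    for acct, row in failed_logins_over_threshold(SAMPLE_EVENTS).items():
        print(acct, row["failed_login_attempts"], row["latest_failed_login"].isoformat())
```

Only alice is reported with the defaults; lowering the threshold to 4 adds bob, and widening the window to ten days brings in carol, which is the same behaviour you get by editing the `ago()` and `> 5` clauses of the query.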
Question #3 Topic 12
A. Azure Monitor
B. Azure Policy
Correct Answer: B
Question #4 Topic 12
You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use automatically generated service principal for the AKS cluster to authenticate to the Azure Container Registry.
What should you create?
B. a role assignment
Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
Question #5 Topic 12
D. AzCopy
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
To view and analyze your log data, you should download the blobs that contain the log data you are interested in to a local machine. Many
storage-browsing tools enable you to download blobs from your storage account; you can also use the Azure Storage team provided
command-line Azure Copy Tool AzCopy to download your log data.
Question #6 Topic 12
You have an Azure Storage account named storage1 that has a container named container1.
You need to prevent the blobs in container1 from being modified.
What should you do?
Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage?tabs=azure-portal
B is correct
upvoted 3 times
PA 5 months ago
C....Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
upvoted 1 times
agreed, role-based is applicable for specific users/identities. While using resource policy (access policy) is ideal for resource itself. B is my choice.
upvoted 3 times
Select *Access policy* in the container settings. Then select Add policy under Immutable blob storage.
upvoted 1 times
Question #7 Topic 12
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to create several security alerts by using Azure Monitor.
You need to prepare the Azure subscription for the alerts.
What should you create first?
Correct Answer: B
Question #8 Topic 12
Your company has an Azure subscription named Sub1. Sub1 contains an Azure web app named WebApp1 that uses Azure Application Insights.
WebApp1 requires users to authenticate by using OAuth 2.0 client secrets.
Developers at the company plan to create a multi-step web test app that performs synthetic transactions emulating user traffic to Web App1.
You need to ensure that web tests can run unattended.
What should you do first?
Correct Answer: B
https://www.bluey.com/2017/05/08/visual-studio-web-tests-oauth-taming-elusive-access-token/
"The most common one is to implement a WebTestPlugin with custom code to negotiate with the OAuth server, get the access token, and
set it to a Context Parameter in your test run."
upvoted 1 times
Bobo_Lee 4 months, 1 week ago
https://github.com/uglide/azure-content/blob/master/articles/application-insights/app-insights-monitor-web-app-availability.md#multi-
step-web-tests
I think the answer is A
upvoted 1 times
If you do this lab in the Azure portal, it does not ask you to upload anything. You just specify a URL for the location of your test web app.
Application Insights is the only valid answer out of the selection regardless.
Link: https://docs.microsoft.com/en-us/azure/azure-monitor/app/monitor-web-app-availability
upvoted 2 times
1. We are admins, not developers (We should not do anything with the app)
2. Developers plan to create an app (It does not yet exist, we should make it possible for them to create it in a way that it can run
unattended)
If we register the app in aad, we will get all the information needed to pass on to the developers...
In my opinion only possible answer is to register the app
upvoted 3 times
Question #9 Topic 12
You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ConReg1.
You enable content trust for ContReg1.
You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. AcrQuarantineReader
B. Contributor
C. AcrPush
D. AcrImageSigner
E. AcrQuarantineWriter
Correct Answer: CD
References:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles
Manage security operations
Correct answer is
AcrPush
AcrImageSigner
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust
upvoted 7 times
Because the question states that we should follow the principle of least privilege
upvoted 2 times
Here's why ::
"Sign images
The ability to sign images, usually assigned to an automated process, which would use a service principal. This permission is typically
combined with push image to allow pushing a trusted image to a registry. For details, see Content trust in Azure Container Registry."
~ https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles
This allows the user to Sign and Push trusted images, using least privilege.
upvoted 2 times
Correct Answer: A
References:
https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
https://docs.microsoft.com/nl-nl/azure/web-application-firewall/overview
upvoted 3 times
Correct Answer: AB
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Users that have been assigned roles using RBAC will lose their access
Service Administrator and Co-Administrators will lose access
If you have any key vaults, they'll be inaccessible and you'll have to fix them after association
If you have any managed identities for resources such as Virtual Machines or Logic Apps, you must re-enable or recreate them after the
association
If you have a registered Azure Stack, you'll have to re-register it after association
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
upvoted 7 times
A. From Azure Directory (Azure AD) Privileged Identity Management (PIM), activate the Security administrator user role.
B. From Azure Active Directory (Azure AD) Privileged Identity Management (PIM), activate the Owner role for the virtual machine.
C. From the Azure portal, select the virtual machine, select Connect, and then select Request access.
D. From the Azure portal, select the virtual machine and add the Network Watcher Agent virtual machine extension.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/connect-logon
SIMULATION
You need to configure Azure to allow RDP connections from the Internet to a virtual machine named VM1. The solution must minimize the attack
surface of VM1.
To complete this task, sign in to the Azure portal.
Priority: 300
Name: Port_3389
Port (Destination): 3389
Protocol: TCP
Source: Any
Destinations: Any
Action: Allow
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-nsg-problem
Working on the NSG of the VM so you do not need to specify the private IP address of the VM
upvoted 1 times
SIMULATION
You need to add the network interface of a virtual machine named VM1 to an application security group named ASG1.
To complete this task, sign in to the Azure portal.
2. Under SETTINGS, select Networking. Select Application Security Groups, then Configure the application security groups. Select the
application security groups that you want to add the network interface to, or unselect the application security groups that you want to
remove the network interface from, and then select Save. Only network interfaces that exist in the same virtual network can be added to
the same application security group. The application security group must exist in the same location as the network interface.
upvoted 3 times
SIMULATION
You need to ensure that only devices connected to a 131.107.0.0/16 subnet can access data in the rg1lod10598168 Azure Storage account.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to ensure that connections from the Internet to VNET1\subnet0 are allowed only over TCP port 7777. The solution must use only
currently deployed resources.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to prevent administrators from performing accidental changes to the Homepage app service plan.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to ensure that a user named Danny11597200 can sign in to any SQL database on a Microsoft SQL server named web11597200 by using
SQL Server Management Studio (SSMS) and Azure Active Directory (Azure AD) credentials.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to configure a Microsoft SQL server named Web11597200 only to accept connections from the Subnet0 subnet on the VNET01 virtual
network.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to configure network connectivity between a virtual network named VNET1 and a virtual network named VNET2. The solution must
ensure that virtual machines connected to VNET1 can communicate with virtual machines connected to VNET2.
To complete this task, sign in to the Azure portal and modify the Azure resources.
SIMULATION
You need to deploy an Azure firewall to a virtual network named VNET3.
To complete this task, sign in to the Azure portal and modify the Azure resources.
This task might take several minutes to complete. You can perform other tasks while the task completes.
B. Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1.
D. Onboard VM1 to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection
SIMULATION
You need to ensure that web11597200 is protected from malware by using Microsoft Antimalware for Virtual Machines and is scanned every
Friday at 01:00.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to ensure that the events in the NetworkSecurityGroupRuleCounter log of the VNET01-Subnet0-NSG network security group (NSG) are
stored in the logs11597200 Azure Storage account for 30 days.
To complete this task, sign in to the Azure portal.
SIMULATION
A user named Debbie has the Azure app installed on her mobile device.
You need to ensure that debbie@contoso.com is alerted when a resource lock is deleted.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to configure a weekly backup of an Azure SQL database named Homepage. The backup must be retained for eight weeks.
To complete this task, sign in to the Azure portal.
SIMULATION
You need to ensure that when administrators deploy resources by using an Azure Resource Manager template, the deployment can access secrets
in an Azure key vault named KV11597200.
To complete this task, sign in to the Azure portal.
the box you need to check to enable access of the ARM templates is the 2nd of 3.
upvoted 6 times
SIMULATION
You need to ensure that connections through an Azure Application Gateway named Homepage-AGW are inspected for malicious requests.
To complete this task, sign in to the Azure portal.
You do not need to wait for the task to complete.
SIMULATION
You need to create a web app named Intranet11597200 and enable users to authenticate to the web app by using Azure Active Directory (Azure
AD).
To complete this task, sign in to the Azure portal.
SIMULATION
You need to enable Advanced Data Security for the SQLdb1 Azure SQL database. The solution must ensure that Azure Advanced Threat Protection
(ATP) alerts are sent to User1@contoso.com.
To complete this task, sign in to the Azure portal and modify the Azure resources.
SIMULATION
You need to ensure that User2-11641655 has all the key permissions for KeyVault11641655.
To complete this task, sign in to the Azure portal and modify the Azure resources.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
upvoted 3 times
Under section "Make the certificate accessible", the Azure CLI command is as follows.
az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>
The command makes the certificate available to the app code by adding the thumbprint of the certificate. The app setting is
WEBSITE_LOAD_CERTIFICATES, and it is configured
in the command using the parameter 'appsettings'.
To access a certificate in your app code, add its thumbprint to the WEBSITE_LOAD_CERTIFICATES app setting, by running the following
command in the Cloud Shell:
az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>
upvoted 8 times
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the user1@outlook.com sign in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user
user1@outlook.com Generic authorization exception."
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
A. From the Roles and administrators blade, assign the Security administrator role to Admin1.
Correct Answer: D
You need to allow guest invitations in the External collaboration settings.
B. Azure HDInsight
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux
You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center.
You need to automate the mitigation of incidents in Azure Sentinel. The solution must minimize administrative effort.
What should you create?
A. an alert rule
B. a playbook
C. a function app
D. a runbook
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
✑ Minimizes the number of servers required for the solution.
Which authentication method should you include in the recommendation?
Correct Answer: B
Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically
applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on,
password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
Incorrect Answers:
A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing
federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls
outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the
authentication load.
C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents
must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need
outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter
network.
Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to
authentication requests.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
The flow-chart on that page is confusing, and (frankly) sucks. Read through the details of each detailed authentication method. The
Advanced Scenarios (3rd bullet) underneath Pass-Through Authentication spells it out plainly.
upvoted 1 times
From Azure Security Center, you enable Azure Container Registry vulnerability scanning of the images in Registry1.
You perform the following actions:
✑ Push a Windows image named Image1 to Registry1.
✑ Push a Linux image named Image2 to Registry1.
✑ Push a Windows image named Image3 to Registry1.
✑ Modify Image1 and push the new image as Image4 to Registry1.
✑ Modify Image2 and push the new image as Image5 to Registry1.
Which two images will be scanned for vulnerabilities? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Image4
B. Image2
C. Image1
D. Image3
E. Image5
Correct Answer: BE
Only Linux images are scanned. Windows images are not scanned.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/azure-container-registry-integration
Manage security operations
When you turn on "Azure Defender for container registries" in ACR it scans images pushed/pulled or imported from other registries. It
then rescans the images within the last 30 days.
So any possible answer here is correct: Image 1, 2, & 3 are pushed. But we don't know when they were pushed. So ok may be more than
30 days.
But image 4 & 5 are pushed it seems recently. Yes they are modifications to old images. So what? they still would be considered new
images.
Since they are implying in the question only two images will be scanned, we can safely assume that would be Images 4 & 5.
says that only Supported registries and images: Linux images in ACR registries accessible from the public internet with shell access.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You need to configure diagnostic settings for contoso.com. The solution must meet the following requirements:
✑ Retain logs for two years.
✑ Query logs by using the Kusto query language.
✑ Minimize administrative effort.
Where should you store the logs?
Correct Answer: B
Secure data and applications