Microsoft Azure Security Technologies (AZ-500) Practice Test No 11
Question 1 of 50
You have several databases deployed in Azure SQL Database. You need to receive an alert if there are any harmful attempts to exploit your databases. What should you do?
Explanation: Advanced Threat Protection for Azure SQL detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit databases. It can identify potential SQL injection, access from an unusual location or data center, access from an unfamiliar principal or potentially harmful application, and brute-force attacks on SQL credentials; see the Advanced Threat Protection alerts documentation for details. You can receive notifications about detected threats by email or in the Azure portal.
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-configure
Wrong Answers:
Enable transparent data encryption – Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest.
Enable Log Analytics – Log Analytics is a tool in the Azure portal for editing and running log queries against data collected by Azure Monitor Logs and interactively analyzing the results.
Configure Activity log alerts – Activity log alerts in Azure provide insight into subscription-level events, such as when a resource is modified or when a virtual machine is started.
Question 2 of 50
Which of the below rules should you configure in Azure firewall to allow incoming internet connections?
Explanation: Azure Firewall has three types of rule collections:
Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
NAT rules: Configure DNAT rules to allow incoming Internet connections.
Incoming Internet connections are therefore allowed with NAT rules.
Reference: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-are-some-azure-firewall-concepts
Wrong Answers:
Application rules – Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
Network rules – Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
Question 3 of 50
You are the global administrator for an Azure Active Directory (Azure AD) tenant named Healthengine.com. You need to enable two-step verification for Azure users. What should you do?
Explanation: Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications by requiring a second form of authentication as an additional layer of security. Organizations can use Conditional Access to make the solution fit their specific needs.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
Wrong Answers:
Enable Azure AD Privileged Identity Management – Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.
Install an MFA Server – Microsoft no longer offers MFA Server for new deployments.
Question 4 of 50
You generate a shared access signature (SAS) to connect to the blob service and the file service. Which tool can you use to access the contents in Container1 by using the SAS?
Explanation: Microsoft Azure Storage Explorer is a standalone app that makes it easy to work with Azure Storage data on Windows, macOS, and Linux, and it can connect to a container by using a SAS.
Reference: https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
Wrong Answers:
RoboCopy – Copies file data from one location to another. It does not support Azure Storage accounts.
Windows Explorer – Does not support Azure Storage accounts.
Question 5 of 50
You have an Azure Active Directory tenant named HealthEngine.com. An application developer is planning to register applications in the HealthEngine.com Azure AD tenant. What role should you provide to the application developer?
Explanation: Application Developer – Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles
Wrong Answers:
Global Administrator – Does not adhere to the principle of least privilege.
Application Administrator – Can create and manage all aspects of app registrations and enterprise apps. Does not adhere to the principle of least privilege.
Cloud Application Administrator – Can create and manage all aspects of app registrations and enterprise apps except App Proxy. Does not adhere to the principle of least privilege.
Question 6 of 50
You have an Azure subscription named Subscription1 that contains a virtual machine named VM1. You create an Azure key vault named KeyVault1. You need to use KeyVault1 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup. Which key vault settings should you configure?
Explanation: The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. If you did not enable your key vault for disk encryption, deployment, or template deployment at the time of creation, you must update its advanced access policies.
Reference: https://docs.microsoft.com/en-us/azure//virtual-machines/windows/disk-encryption-key-vault#set-key-vault-advanced-access-policies
Wrong Answers:
Secrets – Secure storage for secrets, such as passwords and database connection strings.
Keys – Used to store keys.
Locks – Prevent other users in your organization from accidentally deleting or modifying critical resources.
Question 7 of 50
You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to Subscription1. You need to monitor the metrics and the logs of VM1. What should you use?
Explanation: The Linux Diagnostic Extension helps a user monitor the health of a Linux VM running on Microsoft Azure.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux
Wrong Answers:
The AzurePerformanceDiagnostics extension – The Azure Performance Diagnostics VM extension helps collect performance diagnostic data from Windows VMs.
Azure HDInsight – Azure HDInsight is a managed, full-spectrum, open-source analytics service in the cloud for enterprises. With HDInsight, you can use open-source frameworks such as Hadoop, Apache Spark, Apache Hive, LLAP, Apache Kafka, Apache Storm, R, and more, in your Azure environment.
Azure Analysis Services – Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade data models in the cloud.
Question 8 of 50
You onboard Microsoft Sentinel. You need to automate the mitigation of incidents in Microsoft Sentinel. The solution must minimize administrative effort. What should you create?
Explanation: Playbooks are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident. A playbook can help automate and orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being attached to an analytics rule or an automation rule, respectively. It can also be run manually on demand.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Wrong Answers:
An alert rule – Alert rules are separate from alerts and from the actions taken when an alert fires. The alert rule captures the target and criteria for alerting.
A function app – Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, not on function apps.
Question 9 of 50
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1. You have 500 Azure virtual machines that run Windows Server 2016 and are enrolled in LAW1. You plan to add the System Update Assessment solution to LAW1. You need to ensure that System Update Assessment-related logs are uploaded to LAW1 from 100 of the virtual machines only. Which three actions should you perform in sequence?
Explanation: When you add a monitoring solution to your subscription, it is automatically deployed by default to all Windows and Linux agents connected to your Log Analytics workspace. You may want to manage your costs and limit the amount of data collected for a solution by limiting it to a particular set of agents. There are three steps to targeting a solution, performed in this order:
1. Create a computer group.
2. Create a scope configuration.
3. Apply the scope configuration to the solution.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solution-targeting
Question 10 of 50
You have an Azure subscription that contains several storage accounts as shown below.
Storageaccount1 – A blob service and a table service
Storageaccount2 – A blob service and a file service
Storageaccount3 – A queue service
Storageaccount4 – A file service and a queue service
Storageaccount5 – A table service
You enable Microsoft Defender for all the storage accounts. You need to identify which storage accounts will generate Azure Security alerts. Which three storage accounts should you identify?
Explanation: Microsoft Defender for Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without being a security expert or managing security monitoring systems. Microsoft Defender for Storage is currently available for Blob storage, Azure Files, and Azure Data Lake Storage Gen2. Account types that support Microsoft Defender for Storage include general-purpose v2, block blob, and Blob storage accounts. Only the accounts that host a blob service or a file service (Storageaccount1, Storageaccount2, and Storageaccount4) will therefore generate alerts.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/azure-defender-storage-configure?tabs=azure-portal
Wrong Answers:
Storageaccount3 – Microsoft Defender does not support queue storage.
Storageaccount5 – Microsoft Defender does not support table storage.
Question 11 of 50
You have an Azure subscription named Subscription1 and an Azure AD tenant named HealthEngine.com. You have created an AzureSQL database named AzureSQLDatabase1 in Subscription1. You have configured AzureSQLDatabase1 users to login using Azure Active Directory (Azure AD). You have configured database-level auditing on AzureSQLDatabase1. You need to generate a report of failed logins on AzureSQLDatabase1. Where can you find the details of failed logins?
Explanation: When Azure AD authentication is used for Azure SQL, failed login records do not appear in the SQL audit log. To view failed login audit records, you need to visit the Azure Active Directory portal, which logs the details of these events.
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview#production-practices
Wrong Answers:
SQL Audit log files – Audit logs track database events, but failed Azure AD logins are not recorded there.
Azure SQL Database Activity log – The Activity log includes information such as when a resource is modified.
Question 12 of 50
You have an Azure Active Directory (Azure AD) tenant named HealthEngine.com. You have configured multifactor authentication (MFA). Users are not happy to perform MFA from the same device every time they login. What should you configure to enhance usability?
Explanation: The remember Multi-Factor Authentication feature lets users bypass subsequent verifications for a specified number of days after they have successfully signed in to a device by using Multi-Factor Authentication. The feature enhances usability by minimizing the number of times a user has to perform MFA on the same device.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication
Wrong Answers:
Disable multi-factor authentication – This option weakens the security posture of your environment and is not a recommended solution.
Create a conditional access policy for untrusted devices – Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action.
Add trusted IPs – The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments; when users are in one of these locations, there is no Azure AD Multi-Factor Authentication prompt.
Question 13 of 50
13. Question
You have an Azure SQL Database instance. Database management is performed by an external company. You must ensure that the external company cannot access the data in the SSN column of the Person Table. All cryptographic keys are stored in an Azure Key Vault. Does the below protection method meet the requirement?
You have an Azure SQL Database instance. Database management is performed by an external company. You must ensure that the external company cannot access the data in the SSN column of the Person Table. All cryptographic keys are stored in an Azure Key Vault. Does the below protection method meet the requirement?
Correct
Always Encrypted is a feature designed to protect sensitive data stored in specific database columns (for example, credit card numbers, national identification numbers, or data on a need-to-know basis) from access by anyone who does not hold the column master key. This includes database administrators or other privileged users who are authorized to access the database to perform management tasks but have no business need to see the data in the encrypted columns. Encryption and decryption happen in the client driver, so the database engine only ever stores ciphertext plus the column encryption key wrapped by the column master key; with the column master key held in Azure Key Vault, the external company that manages the database never receives it. https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview
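The following is an added example, not code from the original practice test or from Microsoft's documentation, showing how the Key Vault-backed Always Encrypted setup described above is provisioned with the SqlServer PowerShell module. The server, database, vault and key names are assumed placeholders, and the table dbo.Person with its SSN column is assumed to already exist.

```powershell
# Added example (not from the original page): protect dbo.Person.SSN with Always Encrypted,
# keeping the column master key (CMK) in Azure Key Vault so the managing DBA never holds it.
# Assumed placeholders: server sqlsrv-demo, database PersonDb, vault kv-demo, key CMK-Person.
Import-Module SqlServer

$keyVaultKeyUrl   = 'https://kv-demo.vault.azure.net/keys/CMK-Person/0123456789abcdef0123456789abcdef'  # assumed key URL
$connectionString = 'Server=tcp:sqlsrv-demo.database.windows.net,1433;Database=PersonDb;Authentication=Active Directory Integrated;Encrypt=True'

# The identity running this script must be allowed to wrap/unwrap with the vault key.
# The external company's DBA identity must NOT be granted that permission on the vault.
Add-SqlAzureAuthenticationContext -Interactive
$database = Get-SqlDatabase -ConnectionString $connectionString

# 1. Column master key: only metadata (the Key Vault key path) lands in the database.
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl $keyVaultKeyUrl
New-SqlColumnMasterKey -Name 'CMK_Person' -InputObject $database -ColumnMasterKeySettings $cmkSettings

# 2. Column encryption key: generated client-side, wrapped by the CMK in Key Vault, stored wrapped.
New-SqlColumnEncryptionKey -Name 'CEK_Person' -InputObject $database -ColumnMasterKey 'CMK_Person'

# 3. Encrypt the existing SSN column in place. Deterministic keeps equality lookups working;
#    choose Randomized if the column is never used in WHERE/JOIN predicates.
$columnSettings = New-SqlColumnEncryptionSettings -ColumnName 'dbo.Person.SSN' `
    -EncryptionType 'Deterministic' -EncryptionKey 'CEK_Person'
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $columnSettings

# Check: without "Column Encryption Setting=Enabled" in the connection string (and without
# vault access) a DBA only sees varbinary ciphertext for SSN.
Invoke-Sqlcmd -ConnectionString $connectionString -Query 'SELECT TOP (3) PersonId, SSN FROM dbo.Person'
```

The separation that makes this meet the requirement is the vault access policy, not the SQL permissions: a db_owner can still read the column, but only as ciphertext, because the unwrap operation happens against Key Vault from the client.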
Question 15 of 50
15. Question
You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server 2016. You need to deploy Microsoft Antimalware to the virtual machines. Solution: You connect to each virtual machine and add a Windows feature. Does this meet the goal?
You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server 2016. You need to deploy Microsoft Antimalware to the virtual machines. Solution: You add an extension to each virtual machine. Does this meet the goal?
You have an on-premises Active Directory forest and an Azure Active Directory (Azure AD) tenant. All Azure AD users are assigned a Premium P1 license. You deploy Azure AD Connect. Which two features can reduce operational overhead for your company's helpdesk?
Correct
Azure AD Premium P1 lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users. Self-service password reset with password writeback and self-service group management are the two features that take routine reset and membership requests away from the helpdesk. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses
Wrong Answers:
Azure AD Privileged Identity Management (PIM) policies – PIM requires an Azure AD Premium P2 license.
Access reviews – Access reviews require an Azure AD Premium P2 license.
Conditional access policies – Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. This feature increases the security posture of your environment; it does not reduce helpdesk load.
Question 18 of 50
18. Question
You have the Azure virtual machines shown in the following table.
For which virtual machine can you enable Update Management?
Correct
Virtual machines must be in the Running state to enable Update Management; the portal shows an error for any VM that is stopped or deallocated.
You are creating a single-page application (SPA) that will authenticate users using your organization's Azure Active Directory (Azure AD) only. The application is expected to roll out globally with users accessing it via the internet. Which account type option should you choose while creating the app registration for your application?
Correct
Accounts in this organizational directory only – Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory. It maps to Azure AD single-tenant and is the default option unless you're registering the app outside of a directory; in that case the default is Azure AD multi-tenant and personal Microsoft accounts. Global reach over the internet does not change the choice: the audience is still only your own tenant's users. https://docs.microsoft.com/en-us/graph/auth-register-app-v2
Wrong Answers:
Accounts in any organizational directory – Select this option if you would like to target all business and educational customers. This option maps to Azure AD multi-tenant.
Accounts in any organizational directory and personal Microsoft accounts – Select this option to target the widest set of customers. This option maps to Azure AD multi-tenant and personal Microsoft accounts.
Question 20 of 50
20. Question
Correct
Azure Blueprints – Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with confidence that they're building within organizational compliance, using a set of built-in components such as networking to speed up development and delivery. Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as role assignments, policy assignments, Azure Resource Manager templates (ARM templates) and resource groups. https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
Wrong Answers:
Azure AD Privileged Identity Management (PIM) – Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.
Azure Policy – Azure Policy helps to enforce organizational standards and to assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. A blueprint can include policy assignments, but Azure Policy alone does not deploy the resources.
Question 21 of 50
21. Question
You plan to migrate an on-premises data center to Microsoft Azure. You need to ensure that employees can use the same username and password that they use in the on-premises environment to access Azure resources. You must not store passwords in any form in the cloud environment. You need to enforce multi-factor authentication (MFA) when users access Azure applications. Which authentication method should you choose?
Correct
Azure AD Pass-through Authentication – Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory through an on-premises authentication agent, so neither the password nor a hash of it is stored in the cloud. The feature works seamlessly with Conditional Access features such as Multi-Factor Authentication (MFA) to help secure your users. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Wrong Answers:
Azure AD password hash synchronization – This authentication method stores password hashes in Azure AD, which the requirement rules out.
Active Directory Federation Services (AD FS) – Although it keeps passwords on-premises and supports MFA via third-party providers, it adds additional infrastructure and complexity that Pass-through Authentication avoids.
Question 22 of 50
22. Question
You have uploaded content into an Azure Storage account. Due to regulatory compliance requirements, the data in Storage accounts should not be modified or deleted by any user including administrators and Subscription owners. Which feature of storage account should you consider?
Correct
Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. For the duration of the retention interval, blobs can be created and read, but cannot be modified or deleted. Immutable storage is available for general-purpose v1, general-purpose v2, BlobStorage, and BlockBlobStorage accounts in all Azure regions. Note that a time-based retention policy only binds administrators once it is locked: an unlocked policy can still be shortened or deleted, while a locked policy can only have its retention period extended. https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage#about-immutable-blob-storage
Wrong Answers:
Resource lock – Resource locks prevent accidental modification or deletion of the storage account resource itself. They do not prevent modification of the data inside it.
Configure Microsoft Defender for Storage – Microsoft Defender for Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. It detects; it does not prevent writes.
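As an added example (not part of the original test or of Microsoft's documentation), here is the container-level time-based retention policy from the explanation above applied and then locked with the Az.Storage module. The resource group, storage account, container name and retention period are assumed values.

```powershell
# Added example (not from the original page): put a blob container into WORM state with a
# time-based retention policy, then lock it so no administrator or subscription owner can
# shorten or remove it. Assumed names: rg-compliance / stcompliance01 / records, 2555 days.
Import-Module Az.Storage

$rg        = 'rg-compliance'
$account   = 'stcompliance01'
$container = 'records'
$days      = 2555   # roughly seven years

# Unlocked policy: still adjustable while you validate the setting against the regulation.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $account `
    -ContainerName $container -ImmutabilityPeriod $days

# Locking is the step that makes the guarantee hold against privileged users: a locked policy
# cannot be deleted and its retention period can only be extended. Etag guards against a
# concurrent change between reading and locking the policy.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $account `
    -ContainerName $container -Etag $policy.Etag -Force

# Check: State should now read "Locked".
(Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $account `
    -ContainerName $container).State
```

Blobs written before the policy was locked are covered too: the retention interval is counted from each blob's creation time, so existing content becomes non-deletable for the remainder of its interval.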
Question 23 of 50
23. Question
You have an Azure subscription named Subscription1 that contains the Azure key vaults as shown in the following table
In Subscription1, you create a virtual machine that has the following configurations
Name: VM1
Size: DS2v2
Resource group: RG1
Region: West Europe
Operating system: Windows Server 2016
You plan to enable Azure Disk Encryption on VM1.
In which key vaults can you store the encryption key for VM1?
Correct
Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the key vault and the VMs to be co-located in the same region. Create and use a key vault that is in the same subscription and region as the VMs to be encrypted; for VM1 that means a vault in West Europe. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault#create-a-key-vault
Wrong Answers:
Vault2 and Vault4 are not in the same region as virtual machine VM1.
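The following is an added example, not code from the original test or from Microsoft's documentation: it applies the subscription and region constraint described above programmatically before enabling Azure Disk Encryption on VM1. The vault names Vault1 through Vault4 are taken from the question; that they all live in the current subscription context is an assumption.

```powershell
# Added example (not from the original page): pick a Key Vault that Azure Disk Encryption can
# actually use for VM1 (same subscription, same region), then enable ADE with it.
# Assumed: Vault1..Vault4 are the candidates from the question, VM1 is in RG1 / West Europe.
Import-Module Az.Compute, Az.KeyVault

$vm         = Get-AzVM -ResourceGroupName 'RG1' -Name 'VM1'
$candidates = 'Vault1', 'Vault2', 'Vault3', 'Vault4'

# Get-AzKeyVault only returns vaults in the current subscription context, which enforces the
# same-subscription rule; the Location comparison enforces the same-region rule.
$usable = foreach ($name in $candidates) {
    $kv = Get-AzKeyVault -VaultName $name -ErrorAction SilentlyContinue
    if ($null -ne $kv -and $kv.Location -eq $vm.Location) { $kv }
}
$usable | Select-Object VaultName, Location, ResourceId

if (-not $usable) { throw "No key vault in region $($vm.Location) found for VM1" }
$target = $usable | Select-Object -First 1

# ADE writes the BitLocker encryption key into the vault, so the vault must allow that.
Set-AzKeyVaultAccessPolicy -VaultName $target.VaultName -EnabledForDiskEncryption

Set-AzVMDiskEncryptionExtension -ResourceGroupName 'RG1' -VMName 'VM1' `
    -DiskEncryptionKeyVaultUrl $target.VaultUri -DiskEncryptionKeyVaultId $target.ResourceId `
    -VolumeType 'All'

# Check: OsVolumeEncrypted and DataVolumesEncrypted report the encryption state.
Get-AzVMDiskEncryptionStatus -ResourceGroupName 'RG1' -VMName 'VM1'
```

Enabling the extension restarts the VM while the OS volume is encrypted, so run it in a maintenance window.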
Question 24 of 50
24. Question
Your network contains an on-premises Active Directory domain named corp.healthengine.com.
You have an Azure subscription named Subscription1 that is associated to an Azure Active Directory (Azure AD) tenant named healthengine.com.
You sync all on-premises identities to Azure AD.
You need to prevent users who have a givenName attribute that starts with HELLO from being synced to Azure AD.
The solution must minimize administrative effort.
What should you use?
Correct
You need to create a rule in the Synchronization Rules Editor. Attribute-based filtering is done with an inbound synchronization rule scoped to the condition you want to exclude (here, givenName starting with HELLO) whose transformation sets the cloudFiltered attribute to True; objects that match are then held back from Azure AD without touching the on-premises directory.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration
Wrong Answers:
Web Service Configuration Tool – The Web Service connector integrates identities through Web Service operations with Microsoft Identity Manager (MIM).
The Azure AD Connect wizard – Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures prerequisites and components required for the connection, including sync and sign-on. The Synchronization Rules Editor is part of Azure AD Connect, so if the editor is not present in the options list, Azure AD Connect can be the correct answer.
Active Directory Users and Computers – Not a valid option; it edits on-premises objects and has no sync filtering.
Question 25 of 50
25. Question
You create an Azure web app named webapp1 that uses an S1 App Service plan. You plan to create a CNAME DNS record for www.healthengine.com that points to webapp1. You need to ensure that users can access webapp1 by using the https://www.healthengine.com URL. Which two actions should you perform?
Correct
You must have your custom domain registered and add the custom domain to your app. You need to verify your ownership of the domain by adding the app's domain verification ID as a TXT record with your domain provider. You also need to create a TLS binding for the corresponding custom domain. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=a%2Cazurecli https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings
Wrong Answers:
Enable managed identity for webapp1 – Managed identity is used to authenticate between Azure services.
Scale out the App Service plan of webapp1 – Scale out increases the number of instances of your application to handle incoming requests.
Add a deployment slot to webapp1 – Deployment slots are live apps with their own host names. These are used as staging or test environments of your application.
Scale up the App Service plan of webapp1 – The S1 App Service plan already supports custom domains and TLS bindings. Scaling up to the next tier is not required.
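As an added example, not part of the original test or of Microsoft's documentation, the two required actions above performed with the Az.Websites module. The resource group name, the PFX file path and the assumption that the CNAME record for www already resolves to webapp1's default host name are mine.

```powershell
# Added example (not from the original page): add www.healthengine.com to webapp1 and bind a
# TLS certificate to it. Assumed: resource group rg-web; PFX at C:\certs\www-healthengine.pfx;
# CNAME www.healthengine.com -> webapp1.azurewebsites.net already published.
Import-Module Az.Websites

$rg       = 'rg-web'
$app      = 'webapp1'
$hostName = 'www.healthengine.com'

# 1. Domain ownership: publish the app's verification ID as a TXT record at asuid.<host>.
$webapp = Get-AzWebApp -ResourceGroupName $rg -Name $app
"Create TXT asuid.$hostName with value $($webapp.CustomDomainVerificationId)"

# 2. Add the custom host name once the TXT and CNAME records resolve; keep the default host name.
Set-AzWebApp -ResourceGroupName $rg -Name $app -HostNames @($webapp.DefaultHostName, $hostName)

# 3. Upload the certificate and create an SNI binding for the custom domain.
#    The PFX password is read at run time rather than stored in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$plainPfxPassword = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
New-AzWebAppSSLBinding -ResourceGroupName $rg -WebAppName $app -Name $hostName -SslState 'SniEnabled' `
    -CertificateFilePath 'C:\certs\www-healthengine.pfx' -CertificatePassword $plainPfxPassword

# 4. Redirect plain HTTP so the site is only served at https://www.healthengine.com
Set-AzWebApp -ResourceGroupName $rg -Name $app -HttpsOnly $true
```

An App Service managed certificate could replace the PFX upload for a plain www host name, but the binding step itself is the same: without it the custom host name answers only over HTTP.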
Question 26 of 50
26. Question
You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults. You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment. The name of the key vault and the name of the secret will be provided as inline parameters. What should you use to construct the resource ID?
Correct
A linked template – In some scenarios, you need to reference a key vault secret that varies based on the current deployment. Or you may want to pass parameter values to the template rather than create a reference parameter in the parameter file. In either case, you can dynamically generate the resource ID for a key vault secret by using a linked (or nested) template: the parent template passes the vault and secret names through to a Microsoft.Resources/deployments resource, where the key vault reference can be built with an expression. A static key vault reference in a parameters file cannot use expressions. Whichever vault is chosen must have enabledForTemplateDeployment set so that Resource Manager is allowed to read the secret. https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter
Wrong Answers:
A key vault access policy – A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault secrets, keys, and certificates.
A parameters file – A parameters file is used to send input parameters to ARM templates; a key vault reference in it must be a literal resource ID.
An automation account – Automation accounts are used to automate your Azure management tasks.
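The following is an added example, not from the original test or from Microsoft's documentation, of the linked-template pattern described above driven from PowerShell. The parent template is built as a hashtable so the dynamic key vault reference is visible inline; the linked VM template URI, vault name, vault resource group and secret name are assumed values, and the linked template is assumed to declare a secureString parameter named adminPassword.

```powershell
# Added example (not from the original page): deploy a VM template whose administrator password
# comes from a Key Vault selected at deployment time. The key vault reference sits inside a
# Microsoft.Resources/deployments resource, which is the only place an expression-built
# resource ID is allowed. Assumed: vault kv-prod-01 in rg-keyvaults, secret vmAdminPassword,
# linked template https://example.com/templates/vm.json with an adminPassword parameter.
Import-Module Az.Resources

$parentTemplate = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        vaultName              = @{ type = 'string' }
        vaultResourceGroupName = @{ type = 'string' }
        secretName             = @{ type = 'string' }
        linkedTemplateUri      = @{ type = 'string' }
    }
    resources = @(
        @{
            type       = 'Microsoft.Resources/deployments'
            apiVersion = '2020-10-01'
            name       = 'vmDeployment'
            properties = @{
                mode         = 'Incremental'
                templateLink = @{ uri = "[parameters('linkedTemplateUri')]" }
                parameters   = @{
                    adminPassword = @{
                        # Dynamic reference: the vault resource ID is computed from inline parameters.
                        reference = @{
                            keyVault   = @{ id = "[resourceId(subscription().subscriptionId, parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]" }
                            secretName = "[parameters('secretName')]"
                        }
                    }
                }
            }
        }
    )
}

# One call per environment; only the inline parameter values differ between deployments.
New-AzResourceGroupDeployment -ResourceGroupName 'rg-vms-prod' -TemplateObject $parentTemplate `
    -TemplateParameterObject @{
        vaultName              = 'kv-prod-01'                               # assumed
        vaultResourceGroupName = 'rg-keyvaults'                             # assumed
        secretName             = 'vmAdminPassword'                          # assumed
        linkedTemplateUri      = 'https://example.com/templates/vm.json'    # assumed
    }
```

The secret value never appears in the parent template, the parameter object or the deployment history; Resource Manager resolves the reference at deployment time, which is why the identity running the deployment needs Microsoft.KeyVault/vaults/deploy/action on the vault rather than read access to the secret.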
Question 27 of 50
27. Question
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
The tenant contains the named locations shown in the following table.
You create the conditional access policies for a cloud app named App1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. User1 can access App1 from an IP address of 154.12.18.10
2. User2 can access App1 from an IP address of 193.77.10.15
3. User2 can access App1 from an IP address of 154.12.18.34
Correct
When several Conditional Access policies exist, every policy whose assignments match the sign-in is applied, and a Block control wins over any grant control:
1. User1 is a member of Group1 and is trying to access App1 from the Boston IP range. Policy1 blocks requests from the Boston location for users in Group1. However, User1 is also a member of Group2, which Policy1 excludes, so Policy1 does not block User1.
2. User2 is a member of Group2 and is trying to access App1 from Seattle, so User2 is allowed to access App1, but is prompted for MFA because of Policy4.
3. User2 is a member of Group2 and is trying to access App1 from the Boston location. Policy3 blocks the request, so User2 cannot access App1. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access
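A model of that evaluation, as an added example that is not part of the practice test. The user, location and policy tables this question refers to are not reproduced on the page, so the groups, CIDR ranges and policy definitions below are constructed assumptions chosen so that the three outcomes above hold; in particular, Policy3 is assumed to exclude Group1, otherwise it would also block User1 from Boston. What the code does reproduce faithfully is how Conditional Access combines policies: every policy whose assignments match applies, an exclusion overrides an inclusion, and a Block control wins over Require multifactor authentication.

```python
"""Model of how Conditional Access combines policies for one sign-in.

Added example; the tables in the question are not on the page, so every
group, named location, IP range and policy below is a constructed
assumption. Only the evaluation rules are Microsoft's: every policy whose
assignments match the sign-in applies, an exclusion overrides an
inclusion, and a Block control wins over a Require-MFA control.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed directory: User1 is in both groups, User2 only in Group2.
GROUPS = {
    "Group1": {"User1"},
    "Group2": {"User1", "User2"},
}

# Constructed named locations (the real ranges are not on the page).
NAMED_LOCATIONS = {
    "Boston": [ipaddress.ip_network("154.12.18.0/24")],
    "Seattle": [ipaddress.ip_network("193.77.10.0/24")],
}


@dataclass(frozen=True)
class Policy:
    name: str
    include_groups: frozenset
    exclude_groups: frozenset
    locations: Optional[frozenset]  # None means "Any location"
    control: str                    # "block" or "mfa"


# Constructed policies. Policy3 excluding Group1 is an assumption made so
# that User1 can still reach App1 from Boston, as the explanation states.
POLICIES = [
    Policy("Policy1", frozenset({"Group1"}), frozenset({"Group2"}), frozenset({"Boston"}), "block"),
    Policy("Policy3", frozenset({"Group2"}), frozenset({"Group1"}), frozenset({"Boston"}), "block"),
    Policy("Policy4", frozenset({"Group2"}), frozenset(), None, "mfa"),
]


def groups_of(user: str) -> set:
    return {g for g, members in GROUPS.items() if user in members}


def location_of(ip: str) -> Optional[str]:
    """Name of the named location containing ip, or None if outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, nets in NAMED_LOCATIONS.items():
        if any(addr in net for net in nets):
            return name
    return None


def policy_applies(policy: Policy, user: str, ip: str) -> bool:
    user_groups = groups_of(user)
    # Exclusions are checked first and always win over inclusions.
    if user_groups & policy.exclude_groups:
        return False
    if not user_groups & policy.include_groups:
        return False
    if policy.locations is None:          # "Any location"
        return True
    return location_of(ip) in policy.locations


def evaluate(user: str, ip: str, policies=POLICIES):
    """Return (decision, [names of policies that applied]).

    decision is "block", "mfa" or "allow". All applicable policies are
    combined; a single Block is enough to deny the sign-in.
    """
    applied = [p for p in policies if policy_applies(p, user, ip)]
    if any(p.control == "block" for p in applied):
        decision = "block"
    elif any(p.control == "mfa" for p in applied):
        decision = "mfa"
    else:
        decision = "allow"
    return decision, [p.name for p in applied]


if __name__ == "__main__":
    for user, ip in [("User1", "154.12.18.10"), ("User2", "193.77.10.15"), ("User2", "154.12.18.34")]:
        print(user, ip, location_of(ip), evaluate(user, ip))
```

Running the module prints the decision for the three sign-ins in the question. evaluate() also returns every policy that applied, not just the winning one: for User2 from Boston both Policy3 and Policy4 match, and the Block control decides the outcome, which is the same information the sign-in log shows under Conditional Access for a real sign-in.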
Question 28 of 50
28. Question
You create an Azure subscription that is associated to an Azure Active Directory (Azure AD) tenant.
You create a Conditional Access policy named Policy1.
Policy1 is used to provide access to the Microsoft Azure Management cloud app.
The Conditions settings for Management Access Policy are configured as shown below.
Grant settings
Must users from the London named location use multi-factor authentication (MFA) to access the Azure portal?
Question 29 of 50
29. Question
You create an Azure subscription that is associated to an Azure Active Directory (Azure AD) tenant.
You create a Conditional Access policy named Policy1.
Policy1 is used to provide access to the Microsoft Azure Management cloud app.
The Conditions settings for Management Access Policy are configured as shown below.
Grant settings
Must users from the London named location use multi-factor authentication (MFA) to access the web services hosted in the Azure subscription?
Question 30 of 50
30. Question
You create an Azure subscription that is associated to an Azure Active Directory (Azure AD) tenant.
You create a Conditional Access policy named Policy1.
Policy1 is used to provide access to the Microsoft Azure Management cloud app.
The Conditions settings for Management Access Policy are configured as shown below.
Grant settings
Must users outside the London named location use multi-factor authentication (MFA) to access the web services hosted in the Azure subscription?
Question 31 of 50
31. Question
You have 10 virtual machines in a subnet that has a single network security group (NSG). You need to log the network traffic to an Azure Storage account. Which two actions should you perform?
Correct
A network security group (NSG) lets you filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log the network traffic that flows through an NSG with Network Watcher's NSG flow log capability. Flow logs are a Network Watcher feature, so Network Watcher must be enabled in the region, and they require a storage account as their destination. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
Wrong Answers:
Install the Network Performance Monitor solution – Network Performance Monitor detects network issues like traffic blackholing, routing errors, and issues that conventional network monitoring methods aren't able to detect; it does not record traffic.
Enable diagnostic logging for the NSG – NSG diagnostic logs capture two resource log types: Event (which NSG rules are applied to VMs, by MAC address) and Rule counter (how many times each rule allowed or denied traffic, collected every 300 seconds). They describe rule evaluation, not the traffic flows themselves.
Create an Azure Log Analytics workspace – A Log Analytics workspace is a unique environment for Azure Monitor log data, with its own data repository and configuration into which data sources and solutions store their data. It is not required to capture network traffic logs into a storage account.
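To show what an NSG flow log actually contains once it lands in the storage account, here is an added example (not from the practice test) that parses version 2 flow log records and pulls out the denied inbound traffic. The JSON record is constructed to match the documented layout; the IP addresses, MAC address, timestamps and resource IDs are sample values.

```python
"""Parse NSG flow log (version 2) records and flag denied-inbound activity.

Added example, not from the page: SAMPLE_FLOW_LOG is a constructed record in
the documented NSG flow log v2 layout. Each flowTuple is a comma-separated
string: timestamp, source IP, destination IP, source port, destination port,
protocol (T/U), direction (I/O), decision (A/D), flow state (B/C/E) and four
packet/byte counters that are empty on B (begin) records.
"""
import json
from collections import Counter, defaultdict

SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2024-01-01T00:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1704067200,203.0.113.7,10.0.0.4,51234,22,T,I,D,B,,,,",
                     "1704067201,203.0.113.7,10.0.0.4,51235,23,T,I,D,B,,,,",
                     "1704067202,203.0.113.7,10.0.0.4,51236,3389,T,I,D,B,,,,",
                     "1704067203,203.0.113.7,10.0.0.4,51237,445,T,I,D,B,,,,",
                     "1704067204,198.51.100.9,10.0.0.4,40000,22,T,I,D,B,,,,"]}]},
                {"rule": "UserRule_AllowHTTPS",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1704067210,192.0.2.15,10.0.0.4,44321,443,T,I,A,B,,,,",
                     "1704067270,192.0.2.15,10.0.0.4,44321,443,T,I,A,E,12,5400,10,9800"]}]}
            ]}}]})

FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d",
          "pkts_d2s", "bytes_d2s")


def parse_tuple(tuple_str: str) -> dict:
    """Split one v2 flowTuple into a dict; empty counters become 0."""
    parts = tuple_str.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {tuple_str}")
    rec = dict(zip(FIELDS, parts))
    for key in ("ts", "src_port", "dst_port", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"):
        rec[key] = int(rec[key]) if rec[key] else 0
    return rec


def iter_flows(raw_json: str):
    """Yield one flat dict per tuple, carrying the NSG rule, NIC MAC and NSG name."""
    for record in json.loads(raw_json)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for t in nic["flowTuples"]:
                    rec = parse_tuple(t)
                    rec["rule"] = rule_block["rule"]
                    rec["mac"] = nic["mac"]
                    rec["nsg"] = record["resourceId"].rsplit("/", 1)[-1]
                    yield rec


def denied_inbound_by_source(raw_json: str) -> Counter:
    """Count denied inbound flows per source IP (what a SOC triages first)."""
    return Counter(f["src_ip"] for f in iter_flows(raw_json)
                   if f["direction"] == "I" and f["decision"] == "D")


def suspected_scanners(raw_json: str, min_ports: int = 3) -> list:
    """Sources denied on at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for f in iter_flows(raw_json):
        if f["direction"] == "I" and f["decision"] == "D":
            ports[f["src_ip"]].add(f["dst_port"])
    return sorted(ip for ip, p in ports.items() if len(p) >= min_ports)


def bytes_by_rule(raw_json: str) -> dict:
    """Total bytes in both directions per NSG rule (only C/E records carry counters)."""
    totals = Counter()
    for f in iter_flows(raw_json):
        totals[f["rule"]] += f["bytes_s2d"] + f["bytes_d2s"]
    return dict(totals)


if __name__ == "__main__":
    print(denied_inbound_by_source(SAMPLE_FLOW_LOG))
    print(suspected_scanners(SAMPLE_FLOW_LOG))
    print(bytes_by_rule(SAMPLE_FLOW_LOG))
```

The deny rule's tuples carry empty counters because a denied flow never gets past its B (begin) record; only C (continuing) and E (end) records of allowed flows have byte counts, so byte totals are meaningful for allowed rules only. The same parser runs unchanged over the hourly PT1H.json blobs that flow logging writes to the storage account.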
Question 32 of 50
32. Question
You use Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a policy definition and assignments that are scoped to resource groups. Does this meet the goal?
Correct
No. A single policy definition cannot bundle several definitions; that is what an initiative does. Assignments scoped to resource groups also cover only those resource groups, not the three subscriptions. Create an initiative and assign it at a management group that contains all three subscriptions.
Question 33 of 50
33. Question
You use Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a resource graph and an assignment that is scoped to a management group. Does this meet the goal?
Correct
No. Azure Resource Graph is a query service for exploring resources; it cannot group policy definitions. You need an initiative to bundle the definitions, assigned at a management group that contains the three subscriptions.
Question 34 of 50
34. Question
You use Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a policy initiative and assignments that are scoped to resource groups. Does this meet the goal?
Correct
No. A policy initiative is the right way to group the definitions, but an assignment scoped to resource groups covers only those resource groups. To apply the initiative to all three subscriptions, assign it at a management group that contains them (or at each subscription).
Question 35 of 50
35. Question
You use Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create an initiative and an assignment that is scoped to a management group. Does this meet the goal?
Correct
Yes. Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. A management group that contains the three subscriptions is therefore a valid scope for assigning the initiative once. https://docs.microsoft.com/en-us/azure/governance/policy/overview
Question 36 of 50
36. Question
You use Defender for Cloud for the centralized policy management of three Azure subscriptions. You use several policy definitions to manage the security of the subscriptions. You need to deploy the policy definitions as a group to all three subscriptions. Solution: You create a policy initiative and an assignment that is scoped to the Tenant Root Group management group. Does this meet the goal?
Correct
Yes. Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. Every subscription in the tenant sits under the Tenant Root Group management group, so an initiative assigned there applies to all three subscriptions. https://docs.microsoft.com/en-us/azure/governance/policy/overview
Question 37 of 50
37. Question
You have uploaded content into an Azure Storage account. Due to regulatory compliance requirements, the data in Storage accounts should not be modified or deleted by any user including administrators and Subscription owners. Which feature of storage account should you consider?
Correct
Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. For the duration of the retention interval, blobs can be created and read, but cannot be modified or deleted. Immutable storage is available for general-purpose v1, general-purpose v2, BlobStorage, and BlockBlobStorage accounts in all Azure regions. https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage#about-immutable-blob-storage
Wrong Answers:
Resource lock – Resource locks prevent accidental modification or deletion of the resource itself (the storage account); they do not prevent modification of the data inside it, and an Owner can remove the lock.
Configure Microsoft Defender for Storage – Microsoft Defender for Storage adds a layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts; it detects, it does not prevent changes.
Question 38 of 50
38. Question
You have registered an app named HealthEngine in Azure Active Directory (AAD) with the delegated permission User.ReadWrite.All. A User Administrator named Admin1 signs in to the HealthEngine application. Can Admin1 update the AAD profiles of every user in the organization?
Correct
For delegated permissions, the effective permissions of your app will be the intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user can be determined by policy or by membership in one or more administrator roles. For example, assume your app has been granted the User.ReadWrite.All delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user is not in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges. https://docs.microsoft.com/en-us/graph/auth/auth-concepts
Question 39 of 50
39. Question
You have registered an app named HealthEngine in Azure Active Directory (AAD) with the delegated permission User.ReadWrite.All. A user named User1 signs in to the HealthEngine application. Can User1 update the AAD profiles of every user in the organization?
Correct
For delegated permissions, the effective permissions of your app will be the intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user can be determined by policy or by membership in one or more administrator roles. For example, assume your app has been granted the User.ReadWrite.All delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user is not in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges. https://docs.microsoft.com/en-us/graph/auth/auth-concepts
Question 40 of 50
40. Question
You have registered an app named HealthEngine in Azure Active Directory (AAD) with the delegated permission User.ReadWrite.All. A user named User1 signs in to the HealthEngine application. Can User1 update User1's own AAD user profile?
Correct
For delegated permissions, the effective permissions of your app will be the intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user can be determined by policy or by membership in one or more administrator roles. For example, assume your app has been granted the User.ReadWrite.All delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user is not in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges. https://docs.microsoft.com/en-us/graph/auth/auth-concepts
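The distinction in Questions 38 to 40 is easiest to see in the token the app presents to Microsoft Graph: a delegated token carries an scp claim plus the signed-in user's oid, while an application (daemon) token carries a roles claim and no user. The check below is an added example, not from the practice test or from Microsoft Graph; Graph performs this authorization server-side, and the code only mirrors the rule the explanation states. The tokens are constructed, unsigned payloads (no signature verification), the object IDs are placeholders, and the User Administrator role is simplified to "can update any user"; the claim names and the two role template IDs are the real ones.

```python
"""Effective permission of a delegated Microsoft Graph call.

Added example, not from the page. The tokens are constructed, unsigned
sample payloads (signature validation is deliberately out of scope); only
the claim names (scp, roles, oid, wids) and the two role template IDs are
real. The rule is the one the explanation describes: with delegated
permissions the app can do only what BOTH the consented scope (scp) AND
the signed-in user are allowed to do.
"""
import base64
import json

# Built-in directory role template IDs (identical in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"
USER_MANAGING_ROLES = {GLOBAL_ADMIN, USER_ADMIN}   # simplified: either may edit any user


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Constructed JWT with an empty signature, for offline demonstration only."""
    header = _b64url({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url(payload)}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def can_update_user(token: str, target_oid: str) -> bool:
    """Can this token's holder PATCH /users/{target_oid}?

    Delegated flow (scp present with a user oid): the app needs
    User.ReadWrite.All in scp AND the signed-in user must either be the
    target or hold a role that manages users. Application flow (roles
    present, no user): the app permission alone decides.
    """
    claims = decode_claims(token)
    scopes = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    if "oid" in claims and scopes:            # delegated: intersect app and user
        if "User.ReadWrite.All" not in scopes:
            return False
        if claims["oid"] == target_oid:
            return True                       # anyone may edit their own profile
        return bool(set(claims.get("wids", [])) & USER_MANAGING_ROLES)
    # application permission (daemon): no signed-in user to intersect with
    return "User.ReadWrite.All" in app_roles


# Constructed identities for the HealthEngine scenario (placeholder GUIDs).
ADMIN1_OID = "11111111-1111-1111-1111-111111111111"
USER1_OID = "22222222-2222-2222-2222-222222222222"
OTHER_OID = "33333333-3333-3333-3333-333333333333"

ADMIN1_TOKEN = make_unsigned_token({"oid": ADMIN1_OID, "scp": "User.ReadWrite.All openid", "wids": [USER_ADMIN]})
USER1_TOKEN = make_unsigned_token({"oid": USER1_OID, "scp": "User.ReadWrite.All openid", "wids": []})
DAEMON_TOKEN = make_unsigned_token({"roles": ["User.ReadWrite.All"]})
READONLY_TOKEN = make_unsigned_token({"oid": USER1_OID, "scp": "User.Read", "wids": []})

if __name__ == "__main__":
    print("Admin1 -> other user:", can_update_user(ADMIN1_TOKEN, OTHER_OID))
    print("User1  -> other user:", can_update_user(USER1_TOKEN, OTHER_OID))
    print("User1  -> self:      ", can_update_user(USER1_TOKEN, USER1_OID))
    print("Daemon -> other user:", can_update_user(DAEMON_TOKEN, OTHER_OID))
```

The DAEMON_TOKEN case is the contrast worth remembering: the same permission name granted as an application permission (roles claim) has no user to intersect with, so the app can update every user regardless of who, if anyone, is signed in. That is why application permissions need admin consent and should be scoped as narrowly as the scenario allows.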
Question 41 of 50
41. Question
You have an application deployed in Azure Virtual Machines (VMs). The application interfaces with external services which are authenticated using a secret key. You plan to use Azure Key Vault to store secret keys. Which authentication method should you consider to read secrets from Key Vault?
Correct
Managed Identity – Managed identities for Azure resources: when you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn't managing the rotation of the first secret; Azure rotates the identity's credential automatically. We recommend this approach as a best practice. https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts#authentication
Wrong Answers:
Service principal and certificate – You can use a service principal and an associated certificate that has access to Key Vault. We don't recommend this approach because the application owner or developer must rotate the certificate.
Service principal and secret – Although you can use a service principal and a secret to authenticate to Key Vault, we don't recommend it. It's hard to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.
Question 42 of 50
42. Question
You have an application named Application1 that is deployed on Azure virtual machines. The virtual machines are deployed in a virtual network named VNet1. Application1 reads and writes data to an Azure storage account. You need to recommend a solution that limits access to the storage account to the virtual machines deployed in VNet1. The solution must keep costs minimal. What solution should you recommend?
Correct
Azure Service Endpoint – Virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide a direct connection from your virtual network to supported Azure services, allowing you to use your virtual network's private address space to access the Azure services. https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources Wrong Answers: Azure Private Endpoint – You can achieve the requirement using private endpoints. However, this option incurs additional costs. Azure Firewall – It is an intelligent network firewall security service to protect your cloud workloads. Azure Network Security Groups – You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
Question 43 of 50
43. Question
You have an Azure Storage account named storageaccount1. Users and applications access the blob service and the file service in storageaccount1 by using shared access signatures (SASs) and stored access policies. You discover that an unauthorized user accessed both the file service and the blob service. You need to revoke all access to storageaccount1. To achieve the requirement, you generate new SAS keys. Did you achieve the requirement?
Correct
Instead, you should revoke or delete the stored access policy. To revoke a stored access policy, you can delete it, rename it by changing the signed identifier, or change the expiry time to a value in the past. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Changing the expiry time to a value in the past causes any associated signatures to expire. Deleting or modifying the stored access policy immediately affects all of the shared access signatures associated with it. https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
Question 44 of 50
44. Question
You have an Azure Storage account named storageaccount1. Users and applications access the blob service and the file service in storageaccount1 by using shared access signatures (SASs) and stored access policies. You discover that an unauthorized user accessed both the file service and the blob service. You need to revoke all access to storageaccount1. To achieve the requirement, you create a new stored access policy. Did you achieve the requirement?
Correct
Instead, you should revoke or delete the stored access policy. To revoke a stored access policy, you can delete it, rename it by changing the signed identifier, or change the expiry time to a value in the past. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Changing the expiry time to a value in the past causes any associated signatures to expire. Deleting or modifying the stored access policy immediately affects all of the shared access signatures associated with it. https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
Question 45 of 50
45. Question
You have an Azure Storage account named storageaccount1. Users and applications access the blob service and the file service in storageaccount1 by using shared access signatures (SASs) and stored access policies. You discover that an unauthorized user accessed both the file service and the blob service. You need to revoke all access to storageaccount1. To achieve the requirement, you create a lock on storageaccount1. Did you achieve the requirement?
Correct
Instead, you should revoke or delete the stored access policy. To revoke a stored access policy, you can delete it, rename it by changing the signed identifier, or change the expiry time to a value in the past. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Changing the expiry time to a value in the past causes any associated signatures to expire. Deleting or modifying the stored access policy immediately affects all of the shared access signatures associated with it. https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
Question 46 of 50
46. Question
You have an Azure Container Registry named Registry1.
You add role assignments for Registry1 as shown in the following table.
Which users can upload images to Registry1?
Correct
The Azure Container Registry service supports a set of built-in Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (Azure RBAC) to assign specific permissions to users, service principals, or other identities that need to interact with a registry.
The table below lists the actions that each Azure RBAC role can perform on a registry.
Question 47 of 50
47. Question
You have an Azure Container Registry named Registry1.
You add role assignments for Registry1 as shown in the following table.
Which users can download images from Registry1?
Correct
The Azure Container Registry service supports a set of built-in Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (Azure RBAC) to assign specific permissions to users, service principals, or other identities that need to interact with a registry.
The table below lists the actions that each Azure RBAC role can perform on a registry.
Question 48 of 50
48. Question
You have two virtual machines named VM1 and VM2 in a resource group named RG1.
You have configured time-bound access for Azure resources.
You need to generate a report that contains a list of the activities performed on VM1 and VM2.
What should you do to generate the report?
Correct
Resource audit gives you a view of all role activity for a resource.
1. Open Azure AD Privileged Identity Management.
2. Select Azure resources.
3. Select the resource you want to view audit history for.
4. Select Resource audit.
5. Filter the history using a predefined date or custom range.
Question 49 of 50
49. Question
You need to store hundreds of X.509 certificates in a secured service. You need to ensure that a specified contact is informed when a certificate is nearing expiration. You also need to ensure that certificates are auto-renewed. What should you implement?
Correct
Key Vault certificate support provides for management of your X.509 certificates. Key Vault supports automatic renewal with selected issuers – Key Vault partner X.509 certificate providers / certificate authorities. It allows certificate owners to provide contact information for notification about life-cycle events such as expiration and renewal of a certificate. https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates Wrong Answers: Azure Blob Storage – Blob storage is used to store blobs. Though you can upload certificates as files, it does not provide options like auto-renewal or sending notifications to certificate owners in the event of expiration. Azure DevOps Repo – A repo is used to store source code.
Question 50 of 50
50. Question
You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use the auto-generated service principal to authenticate to the Azure Container Registry. What should you create?
Correct
When you create an AKS cluster in the Azure portal or using the az aks create command, Azure can automatically generate a service principal. When you're using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), an authentication mechanism needs to be established. You need to assign the AcrPull role to the service principal associated with the AKS cluster. https://docs.microsoft.com/bs-latn-ba/azure/aks/cluster-container-registry-integration https://docs.microsoft.com/bs-latn-ba/azure/aks/kubernetes-service-principal#automatically-create-and-use-a-service-principal Wrong Answers: an Azure Active Directory (Azure AD) group – An Azure AD group is not required to authenticate with ACR. an Azure Active Directory (Azure AD) user – An Azure AD user is not required since AKS uses the service principal. a secret in Azure Key Vault – The authentication is for the auto-generated service principal; it does not need a secret in Key Vault to authenticate.