Microsoft Azure Security Technologies (AZ-500) Practice Test No 9
Question 1 of 65
You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in an Azure Active Directory (Azure AD).
You need to select authentication methods that can be used for both MFA and SSPR.
Which two authentication methods should you use?
Correct Answer:
SMS-based sign-in is great for front-line workers. With SMS-based sign-in, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.
Users can also verify themselves using a mobile phone or office phone as a secondary form of authentication during Azure Multi-Factor Authentication or self-service password reset (SSPR).
The Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android, iOS, and Windows Phone. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or Azure Multi-Factor Authentication events.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
Wrong Answers:
Email addresses – Not a valid authentication method for both MFA and SSPR.
Security questions – Not a valid authentication method for both MFA and SSPR.
App passwords – Passwords cannot be used as secondary authentication for MFA and SSPR.
Question 2 of 65
You are designing an application that uses Azure App Service Web and API services. The application uses an Azure SQL Database to store and retrieve data. You need to enable the application to retrieve X.509 certificates, stored in an Azure AD-protected resource, by using an access token. You need to recommend the appropriate Azure service. What should you recommend?
Correct Answer:
Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets.
https://docs.microsoft.com/en-us/azure/key-vault/certificates/quick-create-portal
https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates
Wrong Answers:
Azure AD Privileged Identity Management – Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.
Azure AD Managed Service Identity – Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.
Question 3 of 65
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 have a Microsoft.Storage service endpoint configured.
You have an Azure Storage account named storageaccount1 that is configured as shown below.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
1. From VM1, you can upload a blob to storageaccount1
2. From VM2, you can upload a blob to storageaccount1
3. From VM3, you can upload a blob to storageaccount1
You have an Azure resource group that contains 100 virtual machines.
You have an initiative named Initiative1 that contains multiple policy definitions.
Initiative1 is assigned to the resource group.
You need to identify which resources do NOT match the policy definitions.
What should you do?
Correct Answer:
The Azure portal showcases a graphical experience of visualizing and understanding the state of compliance in your environment. On the Policy page, the Overview option provides details for available scopes on the compliance of both policies and initiatives. Along with the compliance state and count per assignment, it contains a chart showing compliance over the last seven days. The Compliance page contains much of this same information (except the chart), but provides additional filtering and sorting options.
Since a policy or initiative can be assigned to different scopes, the table includes the scope for each assignment and the type of definition that was assigned. The number of non-compliant resources and non-compliant policies for each assignment are also provided. Selecting a policy or initiative in the table provides a deeper look at the compliance for that particular assignment.
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#portal
Wrong Answers:
From Microsoft Defender for Cloud, view the Regulatory compliance assessment – The regulatory compliance dashboard provides insights into your compliance posture based on how you're meeting specific compliance requirements.
From Microsoft Defender for Cloud, view the Secure Score – Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.
From the Policy blade, select Assignments – This lists the assignments and their details, not the resources that are non-compliant.
Question 6 of 65
You plan to create an alert in Alerts. You need to configure the users who will receive an email message when the alert is triggered. What should you do?
Correct Answer:
An action group is a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered. Various alerts may use the same action group or different action groups depending on the user's requirements.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
Wrong Answers:
Modify the members of the Security Reader role group – Membership of the Security Reader role group is not required to receive alerts.
Modify the alert rule – The alert rule captures the target and criteria for alerting, not the notification recipients.
Question 7 of 65
You have an Azure subscription named Subscription1 that contains the virtual machines shown below.
You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an authorized user requests access.
What should you configure?
Correct Answer:
Just in time (JIT) VM access – Lock down inbound traffic to your Azure Virtual Machines with Microsoft Defender for Cloud's just-in-time (JIT) virtual machine (VM) access feature. This reduces exposure to attacks while providing easy access when you need to connect to a VM.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc
Wrong Answers:
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) – Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.
An application security group – Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
Azure Active Directory (Azure AD) conditional access – Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it.
Question 8 of 65
You are configuring an Azure policy. You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects. Which effect requires a managed identity for the assignment?
Correct Answer:
When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a managed identity for each assignment, but must have details about what roles to grant the managed identity. If the managed identity is missing roles, an error is displayed during the assignment of the policy or initiative.
https://docs.microsoft.com/bs-latn-ba/azure/governance/policy/how-to/remediate-resources
Question 9 of 65
You have a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) data connector. You are threat hunting suspicious traffic from a specific IP address. You need to annotate an intermediate event stored in the workspace and be able to reference the IP address when navigating through the investigation graph. Which three actions should you perform in sequence?
Correct Answer:
Threat hunting typically requires reviewing mountains of log data looking for evidence of malicious behavior. During this process, investigators find events that they want to remember, revisit, and analyze as part of validating potential hypotheses and understanding the full story of a compromise. Hunting bookmarks in Microsoft Sentinel help you do this, by preserving the queries you ran in Microsoft Sentinel – Logs, along with the query results that you deem relevant.
https://docs.microsoft.com/en-us/azure/sentinel/bookmarks
Question 10 of 65
You have 20 Azure subscriptions and a security group named Group1. The subscriptions are child items of the root management group. Each subscription contains a resource group named RG1. You need to ensure that for each subscription RG1 meets the following requirements: The members of Group1 are assigned the Owner role. The modification of permissions to RG1 is prevented. What should you use to configure role-based access control (RBAC) role assignments?
Correct Answer:
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
Role Assignments
Policy Assignments
Azure Resource Manager templates (ARM templates)
Resource Groups
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
Wrong Answers:
Azure Policy – Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. Azure Policy helps to enforce organizational standards and to assess compliance at scale.
Defender for Cloud – Defender for Cloud is a tool for security posture management and threat protection.
Question 11 of 65
You have an Azure environment. You need to identify configurations and workloads in your Azure environment that are non-compliant with ISO 27001 standards. What should you use?
Correct Answer:
Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard. Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you've applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.
When you enable Defender for Cloud on an Azure subscription, the Azure Security Benchmark is automatically assigned to that subscription. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard
Wrong Answers:
Microsoft Sentinel – Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.
Azure Active Directory (Azure AD) Identity Protection – Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. The signals generated by and fed to Identity Protection can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization's enforced policies.
Microsoft Defender for Identity – Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Question 12 of 65
12. Question
You have an Azure Active Directory (Azure AD) tenant named healthengine.com that contains a user named User1. You plan to publish several apps in the tenant. You need to ensure that User1 can grant admin consent for the published apps. Which two possible user roles can you assign to User1?
Correct
Granting tenant-wide admin consent requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Wrong Answers:
Security administrator – Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and perform governance actions.
User administrator – Users with this role can create users, manage all aspects of users with some restrictions, and update password expiration policies.
Application developer – Users in this role can create application registrations when the "Users can register applications" setting is set to No.
Question 13 of 65
13. Question
Your network contains an on-premises Active Directory domain named healthengine.com that syncs to Azure Active Directory (Azure AD). Azure AD Connect is installed on a domain member server named Server1. You need to ensure that a domain administrator for the healthengine.com domain can modify the synchronization options. The solution must use the principle of least privilege. Which Azure AD role should you assign to the domain administrator?
Question 14 of 65
14. Question
You have an Azure subscription. You plan to create a custom role-based access control (RBAC) role. The role will provide permissions to read an Azure Storage account. Which property should you configure in the RBAC role definition?
Correct
To read a storage account, for example to list the blobs in the storage account, you need an "Action" permission. To read the data in a storage account, that is, to open a blob, you need a "DataAction" permission.
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#management-and-data-operations
Wrong Answers:
NotActions [] – An array of strings that specifies the control plane actions that are excluded from the allowed Actions.
DataActions [] – An array of strings that specifies the data plane actions that the role allows to be performed on your data within that object.
AssignableScopes [] – An array of strings that specifies the scopes that the role is available for assignment in.
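As an added illustration (not part of the test or the referenced documentation), a custom role definition in the JSON format accepted by `az role definition create`, showing the control plane read of the storage account under `Actions` and the data plane read of blob contents under `DataActions`; the role name and the subscription ID in `AssignableScopes` are placeholders.

```json
{
  "Name": "Storage Account Reader (example)",
  "IsCustom": true,
  "Description": "Control plane read of storage accounts plus data plane read of blob contents.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```

Removing the `DataActions` entry leaves a principal able to see the storage account in the portal but unable to open any blob, which is the least-privilege shape for a read-only audit of the resource itself.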
Question 15 of 65
15. Question
You have the hierarchy of Azure resources shown below.
RG1, RG2, and RG3 are resource groups.
RG2 contains a virtual machine named VM1.
You assign role-based access control (RBAC) roles to the users shown below.
Select Yes if the statement is true. Otherwise, select No.
1. User1 can deploy virtual machines to RG1.
2. User2 can delete VM2.
3. User3 can reset the password of the built-in Administrator account of VM2.
Correct
User1 has the Contributor role inherited from the root management group, so User1 can create a virtual machine.
User2 has the Virtual Machine Contributor role, so User2 can delete VM2.
The Virtual Machine Administrator Login role allows the user to view virtual machines in the Azure portal and log in as an administrator.
Question 16 of 65
16. Question
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant. From the Azure portal, you register an enterprise application. Which additional resource will be created in Azure AD?
Correct
When you register your application with Azure AD, you’re creating an identity configuration for your application that allows it to integrate with Azure AD. When you’ve completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. When you register an application in the portal, an application object as well as a service principal object are automatically created in your home tenant.
https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#application-registration
Wrong Answers:
an X.509 certificate – No certificates are created during application registration.
a managed identity – A managed identity is a service principal of a special type that may only be used with Azure resources. Applications may use the managed identity to obtain Azure AD tokens.
a user account – User accounts are not created as part of application registration.
Question 17 of 65
17. Question
You have an Azure Active Directory (Azure AD) tenant that contains the resources shown in the following table.
User2 is the owner of Group2.
The user and group settings for App1 are configured as shown below.
You enable self-service application access for App1 as shown below.
User3 is configured to approve access to App1.
You need to identify the owners of Group2.
What should you identify?
Correct
If you add an explicit user to approve the access requests, it resets the owners in the group with selected approvers. You will get a warning as shown below.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access
Wrong Answers:
User2 Only – The group owner will be replaced with the selected approvers.
User1 and User2 Only – User1 is not part of any groups or approvers.
User2 and User3 Only – The group owner will be replaced with the selected approvers, so User2 cannot be a group owner.
User1, User2 and User3 – User1 is not part of any groups or approvers.
Question 18 of 65
18. Question
You have an Azure Active Directory (Azure AD) tenant that contains the resources shown below.
User2 is the owner of Group2.
The user and group settings for App1 are configured as shown below.
You enable self-service application access for App1 as shown below.
User3 is configured to approve access to App1.
You need to identify the users of App1.
What should you identify?
Correct
Group1 members have been added manually to App1, and users whose requests are approved will be added to Group2, so Group2 members will have permissions as well. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access
Wrong Answers:
Group1 members only – The requested users will be added to Group2, so Group2 members will have permissions.
Group2 members only – Group1 members have been added manually, so Group1 will also have access.
Group1, Group2 members and User1 only – If User1 is not part of either Group1 or Group2, then User1 will not have access.
Group1, Group2 members, User1 and User3 only – If User1 is not part of either Group1 or Group2, then User1 will not have access.
Question 19 of 65
19. Question
You have deployed a web app to an app service named appservice1. You need to prevent all connections from an IP address of 11.0.0.11. You need to modify appservice1 to successfully prevent the connections from the IP address. The solution must minimize Azure-related costs. What should you do from the Azure portal?
Correct
Access restrictions enable you to define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit "deny all" exists at the end of the list.
https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-ip-address-rules
Wrong Answers:
Configure Service EndPoint – A service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. It does not prevent connections from an IP address.
Change App Service plan to Premium – The Premium tier is not required to configure IP restrictions.
Configure Azure CDN – Azure Content Delivery Network (CDN) is a global CDN solution for delivering high-bandwidth content.
Question 20 of 65
20. Question
You manage an Azure account with a subscription named Sub1 for your company. Sub1 has three Azure virtual machines (VMs) named SERVER01, SERVER02 and SERVER03.
SERVER01 and SERVER02 are used by the sales team, and SERVER03 is used by the development team. All servers are in a resource group named RG1 in Sub1.
The development team regularly makes changes to SERVER03 including adding memory and additional storage. They also need the ability to create new VMs in the future.
You need to limit access to the development team and perform the necessary tasks using the least privilege model. The solution should not increase the administrative effort required to maintain the Azure account.
Which three actions should you perform? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in any order.
Correct
You should perform the following actions:
Create a new resource group named RG2.
Move SERVER03 to RG2.
Assign the development team the Virtual Machine Contributor role scoped to RG2.
Access to objects in Azure is controlled via role-based access control (RBAC). When configuring access to objects, roles are assigned to resources. A role consists of three elements:
A security principal – the development team user account
A role definition – Virtual Machine Contributor
A scope – the resource group
You can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship. Therefore, in this example, the development team will have access to all objects in the new resource group. They will also be able to create new VMs in the resource group in the future.
You should not create a new subscription named Sub2, assign the development team the Virtual Machine Contributor role scoped to Sub2, and move SERVER03 to it. The development team would have limited access to perform only the required tasks in Sub2. However, managing an Azure account with multiple subscriptions increases the administration effort compared to an account with a single subscription.
You should not assign the development team the Virtual Machine Contributor role scoped to Sub1. By assigning the Virtual Machine Contributor role scoped to the existing subscription, you grant full access to all resources within the subscription. That would grant more access than is required for the development team.
Question 21 of 65
21. Question
You work as an administrator of an international company which has recently migrated some of its infrastructure from on-premises to Azure Infrastructure-as-a-Service (IaaS).
You need to ensure that Microsoft Defender for Cloud performs regular vulnerability checks on your virtual machines (VMs) using its integrated vulnerability scanner.
Which four initial actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.
Correct
You should perform the following steps in order:
1. Connect to the Azure portal.
2. Open Defender for Cloud.
3. Select the Recommendations page.
4. Select ‘A vulnerability assessment solution should be enabled on your virtual machines’.
To deploy Microsoft Defender for Cloud’s built-in vulnerability scanner, you should first connect to the Azure portal and open Defender for Cloud.
Next, you should open the Recommendations page from the Defender for Cloud menu.
Finally, you should select the option ‘A vulnerability assessment solution should be enabled on your virtual machines’.
You should not select Remediate security configurations or Apply system updates. These are not the initial steps for deploying Defender’s built-in vulnerability scanner; they are performed once the vulnerability scanner has run and you have received an evaluation of your environment.
Question 22 of 65
22. Question
You are a Global Security Administrator for an Azure Active Directory (Azure AD) tenant. You need to delegate the creation and management of Azure Key vaults to your colleague administrator. You must adhere to the principle of least privilege. Which Azure AD built-in role-based access control (RBAC) role should you use?
Correct
You should use the Key Vault Contributor role. This role covers management plane operations and provides permissions to manage Azure key vaults. It does not allow access to Azure key vault content, such as keys, secrets, and certificates. To adhere to the principle of least privilege, you should only provide the permissions needed to delegate the creation and management of Azure key vault resources, which makes Key Vault Contributor the right role for this scenario.
You should not use the Key Vault Reader role. This role provides permissions to read metadata of key vaults, certificates, keys, and secrets, not to create and manage key vaults.
You should not use the Security Admin role. This role provides permissions to manage Microsoft 365 Defender, Azure AD Identity Protection, Azure AD Authentication, Azure Information Protection, and the Office 365 Security & Compliance Center. These permissions are not required in the scenario and do not adhere to the principle of least privilege.
You should not use the Key Vault Administrator role. This role provides permissions to manage data plane operations on key vaults, certificates, keys, and secrets. It does not allow you to manage, create or delete key vault resources or manage role assignments.
Question 23 of 65
23. Question
Your company uses Azure Active Directory (Azure AD) Privileged Identity Management (PIM). You need to ensure that a user, Abby Brown, requests administrative role elevation prior to her taking any administrative action in Azure. What should you do? Choose the correct answer
Correct
To meet the requirement that Abby requests administrative role elevation, you must assign Abby the Eligible role membership type in Azure AD PIM. By default, Azure AD users have permanent role assignments. With PIM, you can force users to run with standard privileges and request elevation for high-privilege Azure AD and Azure resource roles. You can also optionally require this role elevation to go through a request approval cycle.
You should not invite Abby to an access review. Access reviews in Azure AD PIM enable PIM administrators to determine whether Azure AD users should remain associated with high-privilege roles. An access review in itself would not meet the scenario’s configuration requirement.
You should not require Abby to use Azure MFA. Azure MFA does integrate with Azure AD PIM, and although it is not a requirement, Microsoft strongly recommends activating MFA with Azure PIM. Having only MFA activated is not enough to perform any administrative tasks; Abby also has to be assigned the Eligible role membership type to meet the goal.
You should not perform a resource audit on Abby. Doing so would reveal Abby’s role membership changes, but this does not meet the scenario’s configuration goal.
Question 24 of 65
24. Question
You are the Azure administrator for your company. You create two virtual machines (VMs) named VM01 and VM02. Both are stored in the production-rg resource group.
The IT support team has the Contributor role at the subscription level.
You create a new VM named VM03 and deploy it to a new resource group named development-rg.
You need to allow the development team access to the new VM. They must be able to deploy new resources to the development-rg resource group only. They should not be allowed to grant access to any other users.
Which role should you assign to each resource to support the requirements? To answer, select the appropriate roles from the drop-down menus.
Correct
You should assign the Contributor role to the development team but only to the development-rg resource group. You should not assign any other roles to any other resources.
Resources within Azure are protected using role-based access control (RBAC), and applied permissions are inherited from any parent object to its children. In this case, you want to grant the development team the ability to modify any existing resources and create new resources in the development-rg resource group. You should not apply the Owner role. This would give the development team the ability to grant other users access to resources.
You should not apply role permissions at any other level because you would not be using the least privilege model. Any other level of permissions would grant the development team more access than they require.
Question 25 of 65
25. Question
You are the Azure administrator for your company. Your company has several Azure Enterprise applications configured. Some of the applications are run interactively and some are not.
You need to recommend the permissions of the following Azure Enterprise applications:
APP1 – Available to all users to input expense claims using their mobile devices.
APP2 – Used to synchronize identities to a third-party system.
APP3 – Available to select power users to modify custom user attributes in Azure Active Directory (Azure AD).
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct
APP1 should be assigned delegated permissions because it is used interactively by users to input their expense claims. Delegated permissions are used by applications when the user signed in is present. In this case, the user is signed in and is using the application. By using delegated permissions, the application acts as the signed-in user and uses the permissions the user has already been assigned.
APP2 should be assigned application permissions, not delegated permissions, because it is used to synchronize identities to a third party. It is not interactive and therefore does not have a signed-in user present. Application permissions are used when an application is running without a user sign-in and usually when explicit, high-level permissions are required.
APP3 should not be assigned application permissions. It is used interactively by power users to modify a custom Azure AD attribute. It should be assigned delegated permissions.
Question 26 of 65
26. Question
You are a security administrator in an Azure cloud hybrid environment. You want to activate Microsoft Defender for servers for all your Azure Cloud and on-premises servers and configure the Microsoft Defender for Cloud enhanced security features as shown in the exhibit. You need to deploy Microsoft Monitoring Agent (MMA) to the on-premises servers to extend their visibility and Defender for Cloud capabilities, such as continuous assessment, up-to-date security recommendations, etc. Which two values should you specify? Each correct answer presents a part of the solution. Choose the correct answers
Correct
You should specify a workspace secret key and a workspace ID. To be able to onboard on-premises servers into Microsoft Defender for Cloud you have to install Microsoft Monitoring Agent (MMA). MMA collects the required logs and performance metrics and sends them to Microsoft Defender for Cloud. Microsoft Defender for Cloud then evaluates the logs and provides recommendations about the servers' health and security status, e.g. missing security updates. You have to provide a workspace secret key and workspace ID during MMA installation and configuration to provide the MMA with information about your Azure tenant and where to save the collected data within your tenant. You should not specify either a user-assigned managed identity or an Azure AD ID. These two values are needed when you install Microsoft Defender for Cloud's integrated Qualys vulnerability scanner. The Qualys vulnerability scanner is an intrusion detection solution that is integrated into Microsoft Defender for Cloud.
Question 27 of 65
27. Question
You are the Azure administrator for your company. You are asked to design the appropriate access permissions for the finance, IT support, and development teams.
Your company's tenant contains a single management group named Group IT. Within the management group, there are two subscriptions named Production and Development.
The finance team needs Read access to all subscriptions across the tenant. The IT support team needs full access to the Production subscription. The team should not be able to grant access to any resources. The development team needs full access to the Development subscription only, including the ability to grant other users access to resources.
Which role should you assign to each resource to support the requirements? To answer, select the appropriate roles from the drop-down menus.
Correct
Permissions in Azure are inherited, and permissions that are granted on a parent item are inherited by any of its children.
You should add the Finance team to the Reader role scoped to the Group IT management group because it contains all subscriptions in the tenant. Adding the finance team to the Reader role will grant read access to the management group and all objects within it.
You should grant the IT Support team Contributor access to the Production subscription. The Contributor role allows full access to the object and any children without the ability to grant other users access.
Finally, you should grant the Development team Owner access to the Development subscription. The Owner role is the only built-in role that allows full access to a resource and also the ability to grant other users access.
Question 28 of 65
28. Question
You are the Azure administrator for your company. The company has a subscription named Production in your existing tenant and activity logging is set to default. You need to ensure that Azure activity logs are retained for 180 days. You must implement the most cost-effective solution. Which two actions should you perform? Each correct answer presents part of the solution. Choose the correct answers
Correct
You should archive the activity logs to a storage account. By default, Azure activity logs are stored for 90 days. This may be acceptable in some organizations, but if you need a longer retention period you should add a diagnostic setting and send the activity logs to a storage account, Log Analytics, or an event hub. In this case, storing in a storage account is the most cost-effective option. You should create a delete lifecycle rule. You can configure this lifecycle rule in a storage account to delete files older than 180 days, removing unnecessary logs and minimizing costs. You should not stream the activity logs to an event hub. Activity logs can be streamed in real time by Event Hub and consumed by other services like Azure Stream Analytics or Azure Functions. However, Event Hub does not store activity logs for the desired retention of 180 days. You should not send the activity logs to Log Analytics. Log Analytics can centralize activity logs and logs from other Azure services. You can create a log query to correlate the logs stored in Log Analytics and create alerts based on these queries. You can store the activity logs for 180 days. However, a storage account is more cost-effective in this scenario. You should not create an archive lifecycle rule. This could move the activity logs to the archive tier of a storage account. However, in the long term, the logs will be retained longer than necessary, unnecessarily increasing costs.
Question 29 of 65
29. Question
You are the Azure administrator for your company. The company migrated to Office 365 last year and is synchronizing identities to Azure via Azure AD Connect. All users have an Office 365 E5 license. You need to activate and configure Azure AD Privileged Identity Management (PIM) for your tenant. PIM must be configured to ensure the following: Any assigned roles should only be active for 1 hour. Users must authenticate with multi-factor authentication (MFA) before using their roles. What should you do? Choose the correct answer
Correct
You should set activations to 1 hour in PIM and enable MFA in PIM. When configuring PIM, roles can either be permanently assigned or eligible for assignment. Eligible roles can be set to expire between 1 and 72 hours after activation. If MFA is enabled in PIM, then a user must authenticate using MFA before they can start to use their roles. You should not enable MFA for all users because that is not required. PIM will only prompt for MFA if MFA is enabled in PIM. You should not enable PIM on each of the privileged accounts. Once PIM has been enabled, you can enable it for roles. You do not enable PIM on accounts. You should not create a conditional access rule for PIM. Conditional access is used to enforce organization policies and rules based on how and where the user is authenticating from, among other things. For example, you could configure a conditional access rule to enforce an MFA prompt if a user authenticates from any location other than the corporate network.
Question 30 of 65
30. Question
You are an internal auditor for a large retail company. The company has a number of Azure virtual machines (VMs) that run critical business processes with customers and partners around the world. The last audit performed on your Azure infrastructure identified missing security controls on these VMs according to ISO/IEC 27001:2013 Information Security Management Standards (ISMS). To satisfy this requirement you assign Azure built-in policy initiative ISO/IEC 27001:2013 to Subscription1, as shown in the exhibit. Your next audit report shows that only newly created VMs satisfy the ISMS. You need to remediate all VMs. Which two actions should you perform? Each correct answer presents part of the solution.
Correct
You should modify the ISO/IEC 27001:2013 initiative assignment. During the assignment process you have to set the option Create a remediation task to Yes. Your existing vulnerable resources will only be evaluated if this is set to Yes. Newly created resources are always evaluated. The assigned policy initiative then evaluates your existing Azure resources according to the business rules defined in the policy initiative and creates a remediation task in Microsoft Defender for Cloud's recommendations. You should also review security recommendations in Microsoft Defender for Cloud and remediate your vulnerable resources. You should not create a custom Policy initiative definition. To simplify management, multiple security policies can be grouped together into an Initiative. After an Initiative is defined, it has to be assigned to a resource. Only Initiative assignment enforces the defined rules on a resource. Creating an Initiative definition does not meet the goal. You should not create a custom security Policy definition. Security policy definitions are definitions of business rules, described in JSON format. After a Policy is defined, it has to be assigned to a resource. Only the assignment enforces the policy (business rules) on the respective resource. Creating a custom Policy definition does not meet the goal.
Question 31 of 65
31. Question
You are the Azure administrator for your company. Users are assigned an Azure Active Directory (Azure AD) P1 license. Changes to Azure AD accounts are currently only being stored for 90 days. You need to ensure that changes to user accounts are logged and kept for 180 days. The solution should be the most cost-effective and efficient. What should you do? Choose the correct answer
Correct
You should create a Log Analytics workspace with a retention of 180 days and configure the export data settings for Azure AD to send audit logs to the Log Analytics workspace. By default, audit logs for Azure AD are stored for 90 days. If you want to keep data longer, you can export them automatically to a Log Analytics workspace. You should not use the Set-MsolUser cmdlet. There are no user activity log retention settings configurable for user accounts. You should not assign users an Azure AD P2 license. There is no additional logging functionality over an Azure AD P1 license. You should not create an Azure Function that writes any changes to Table storage when any changes are made and set the Table storage retention to 180 days. You could write a function to perform the task, but it would require additional development knowledge and cost. Also, Table storage does not have a retention period setting.
Question 32 of 65
32. Question
You are an Azure tenant administrator. You are preparing an Azure landing zone for a lift-and-shift migration. You create a virtual network (VNet), virtual machines (VMs), and file share storage as shown in the Landing Zone Information exhibit.
You set up storage configuration to serve server message block (SMB) file share, as shown in the Storage Configuration exhibit. You need to test access to the az500store2 file share storage. From which devices should you access the az500store2 storage?
Choose the correct answer
Correct
You should access the storage from az500VM1 and the device with IP address 83.135.179.76. According to the storage firewall (FW) configuration, all the devices from the VNet az500Sub1 and internet devices with the IP addresses 83.135.179.76 and 85.115.58.180 can access the storage. The VM az500VM1 can access the storage because it resides in the az500Sub1 VNet.
All the other options are invalid, because they include device az500VM, which resides in subnet az500Sub2. A configured firewall does not allow access from the az500Sub2 subnet.
Question 33 of 65
33. Question
You are a security engineer at your company. A company-designed application is registered in your Azure Active Directory (Azure AD) tenant as secureApp and is used by users in your organization. You need to ensure that secureApp can read secrets from an Azure Key Vault in a subscription associated with your company‘s Azure AD tenant on behalf of the application users. What should you configure? Choose the correct answer
Correct
You should configure a delegated permission without admin consent. You need to delegate the permission because the app is using the permissions of a user to access the key vault. Since you want to limit access by the selected permission based on the application user, the use of a delegated permission is appropriate. For permissions that use the user‘s authorization to access the key vault, Azure AD does not require you to provide admin consent. You should not select a delegated permission requiring admin consent. Since the delegation request is for read permissions, admin consent would not be required. Admin consent is required for elevated access to the API in situations where you do not want access based on the user context. In this case, you do want access based on the user context. You should not select application permission with or without admin consent. Application permissions are provided when the client application needs to access the key vault web API directly without the user context. These kinds of permissions should not be provided to client applications.
Question 34 of 65
34. Question
Your company has an Azure subscription named Sub1 that is associated with an Azure Active Directory (Azure AD) tenant named company.com. You plan to configure Azure AD Privileged Identity Management (PIM) to enforce least-privilege administration for Azure AD and for Azure resources. You need a colleague, Pat Smith, to enable Azure AD PIM. Pat Smith currently has a Developer role assigned. What should you do first? Choose the correct answer
Correct
You should assign Pat Smith the Global Administrator role in your Azure AD tenant first. A user must be assigned the Global Administrator role to be able to enable Azure AD Privileged Identity Management (PIM). After this Global Administrator sets up Azure AD PIM, he or she can delegate Azure AD PIM management to others by assigning them the Privileged Role Administrator Azure AD role. You should not assign Pat Smith the Owner subscription role. Although Azure AD PIM manages both Azure AD and Azure resource role assignments, the PIM administrator need only be a Privileged Role Administrator to perform all PIM-related management tasks. You should not instruct Pat Smith to consent to PIM. Actually, consenting to PIM is the first step in using the service. However, Pat will be unable to do so unless and until he or she is assigned the Global Administrator Azure AD role. You should not instruct Pat Smith to discover resources to manage in PIM. Resource discovery is limited to Global Administrators or Privileged Role Administrators. Also, consent to PIM must be undertaken first before resource discovery can take place.
Question 35 of 65
35. Question
You need to configure periodic access reviews for your company for applications and groups. The access reviews should be routinely administered by the application teams. All team members for an application are part of the same Azure Active Directory (Azure AD) group. The owner of the group is responsible for ensuring that access is removed when a team member changes roles.
You need to configure the access review users and reviewers section shown in the exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct
For Users to review, you should select Members of a group. Since the application team members belong to an Azure AD group, you can select the group that has to review their access.
You should not select Guest users only as the Scope. The requirements are to review all user access. The scope should be set to Everyone, to ensure that access for all users that belong to the group is reviewed.
You should not select Selected users as the Reviewers. In this case, you want to make sure that the owner of the group is responsible for proper access for the application team. You should select Group Owners as the reviewers.
Question 36 of 65
36. Question
You are a Microsoft 365 Global administrator at an organization that has an Azure Active Directory (Azure AD) tenant with Microsoft Defender for Office 365 Plan 2. You need to allow some of your users to create and manage all aspects of attack simulation campaigns. Which role should you assign to those users? Choose the correct answer
Correct
You should assign the Attack Simulator Administrators role. This role allows users to create and manage all aspects of attack simulation campaigns. You should not assign the Attack Simulator Payload Authors role. This role allows users to create and manage attack payloads that can be deployed by an attack simulator administrator. You should not assign the Compliance administrator role. Members assigned to this role can manage the settings for device management, data loss prevention, reports, and preservation. You should not assign the Compliance data administrator role. Members assigned to this role can manage the settings for device management, data protection, data loss prevention, reports, and preservation. You should not assign the Security operator role. Members assigned to this role can manage security alerts and also view reports and settings of security features.
Question 37 of 65
37. Question
You work at a retail organization operating in the European Union (EU). Your e-commerce Web solution collects and stores details of your customers on Microsoft Azure and Office 365 platforms, and thus is subject to the General Data Protection Regulation (GDPR).
When your customers raise Data Subject Requests (DSR), your organization should take a specific set of actions to fulfill its GDPR obligations.
You need to assign the right process to the relevant sets of actions.
Which process should you use for each set of actions? To answer, drag the appropriate process to each set of actions. A process may be used once, more than once, or not at all.
Correct
You should use Discover as the process that describes the use of search and discovery tools to more easily find customer data that may be the subject of a DSR. If a DSR meets your organization‘s guidelines on how to respond to it, then Discover is the first process to execute to find the requested personal data.
You should use Access as the process that describes retrieval of personal data that resides in the Microsoft cloud under your organization‘s control. If requested in DSR, your organization can make a copy of the personal data that can be shared back with the customer.
You should use Rectify as the process that describes making changes or implementing other requested actions on the personal data, for example, changing a customer‘s name or contact details.
You should use Export/Receive (Portability) as the process that describes provision of an electronic copy (in a machine-readable format) of personal data or personal information to the data subject.
You should not use Restrict. It describes the process where you restrict the processing of personal data, either by removing licenses for various Azure services or turning them off, where possible. Your organization can also remove data from the Microsoft cloud and retain it on-premises or at another location.
You should not use Delete. It describes the process where you permanently remove customer‘s personal data that resided in the Microsoft cloud under your organization‘s control.
Question 38 of 65
38. Question
You manage five Azure Virtual Machines (VMs) and a virtual network (VNet) named VNet1. VNet1 has the following subnet configuration: subnet-1: empty; subnet-2: 3 Azure VMs; subnet-3: 2 Azure VMs. You need to deploy an Azure Firewall to VNet1. Which two actions should you perform? Each correct answer presents part of the solution. Choose the correct answers
Correct
Before you can deploy an Azure Firewall to VNet1, you must first create an empty subnet named AzureFirewallSubnet and an unused public IP address resource. Azure Firewall is a Microsoft-managed, stateful packet inspection firewall appliance. The value proposition is that you can protect your VNet resources with a robust firewall that requires minimal manual configuration and upkeep. You should not create an ASG. An ASG is an administrator-defined set of Azure resources that you reference as a group in NSG rules. You should not create an NSG. In this scenario, you need to implement Azure Firewall, which can completely replace the need for NSGs associated to the subnet or network interface level. You should not create a policy. Azure Policy is a governance solution that allows you to audit, enforce, and remediate security or compliance issues in your Azure environment. For example, you might deploy a policy that requires certain taxonomic tags to be added before any deployment can continue.
Question 39 of 65
39. Question
Your company deploys a new accounting web application in Azure. The web application uses an SSL certificate. The company has a small sales office in Los Angeles with five users. The main office is in New York with 200 users. The office networks are configured as shown in the exhibit.
Both sites are connected to Azure via a site-to-site VPN gateway connection. All resources are assigned to VNET1. The web application uses the standard service plan and the 10.30.0.1 address. Your company uses the least privilege model.
The IT team is informed that users from the sales office are able to access the web application. Only users who are physically located at the main office should be able to access the web application.
You need to limit access to the web application.
What should you do?
Choose the correct answer
Correct
You should create a new NSG and create a rule that allows traffic from the 10.20.0.0/24 network to the 10.30.0.1 address on TCP port 443. This is the only solution that will limit access to the web application to users who are physically at the main office.
An NSG contains a list of rules that are processed in ascending priority order. If traffic matches a rule, a particular action (Allow or Deny) will be taken. Rules are matched by using 5-tuple information (source/destination IP, source/destination port, protocol) and then either allowed or denied. When users are physically located at the main office, their traffic will originate from the 10.20.0.0/24 subnet with a destination address of 10.30.0.1 port 443 using the TCP protocol and as a result will be allowed. All other traffic that does not match a rule will be denied by default.
You should not create two new security groups, assign one group to the sales office users and one group to the main office users, and grant only the main office group access to the accounting web application. This does not meet the goal because groups are assigned to users and not to a physical location.
You should not create two new security groups, assign one group to the sales office users and one group to the main office users, create a new NSG, and create a rule to allow the main office group access to the 10.30.0.1 address on TCP port 443. You cannot configure a rule that applies to group membership.
You should not create a new NSG and create a rule that allows traffic from the 10/0.0.0/24 network to VNET1 on TCP port 443. Although this configuration would restrict traffic originating from the main office, it does not use the least privilege model. Traffic originating from the main office will be allowed to all resources within VNET1 on TCP port 443, not just the web application.
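A small model of the NSG evaluation described above, added here as an example and not part of the practice test: rules are tried in ascending priority order, the first 5-tuple match decides, and anything unmatched is denied. The main office subnet, web app address and port come from the question; the sales office subnet 10.10.0.0/24, the VNET1 range 10.30.0.0/16 and the extra host 10.30.0.50 are assumptions, since the exhibit is not on the page.

```python
"""Minimal model of NSG rule evaluation for the accounting web app scenario.

Constructed example: the only values taken from the question are the main
office subnet 10.20.0.0/24, the web app address 10.30.0.1 and TCP port 443.
The sales office subnet (10.10.0.0/24), the VNET1 address space (10.30.0.0/16)
and the extra VNET1 host 10.30.0.50 are assumptions made for this example.
Built-in NSG default rules (e.g. AllowVnetInBound) are deliberately left out
so the model follows the page's "denied by default" description.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int            # lower number is evaluated first
    action: str              # "Allow" or "Deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR (/32 for a single host)
    proto: str               # "TCP", "UDP" or "*" for any
    dst_port: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Flow:
    """The parts of the 5-tuple that the rules in this scenario inspect."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside every dimension the rule constrains."""
    if rule.proto != "*" and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    src_ok = ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
    dst_ok = ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
    return src_ok and dst_ok


def evaluate(rules: list, flow: Flow) -> str:
    """Return the action of the first matching rule in ascending priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.action
    return "Deny"  # no custom rule matched: implicit deny


# The correct answer: one source subnet, one host, one port.
LEAST_PRIVILEGE_RULES = [
    Rule(100, "Allow", "10.20.0.0/24", "10.30.0.1/32", "TCP", 443),
]

# The rejected answer: same source, but the whole VNET1 range as destination.
BROAD_RULES = [
    Rule(100, "Allow", "10.20.0.0/24", "10.30.0.0/16", "TCP", 443),
]

# Priority demonstration: a catch-all Deny at 200 does not override the
# more specific Allow at 100, because evaluation stops at the first match.
EXPLICIT_DENY_RULES = [
    Rule(200, "Deny", "10.20.0.0/24", "10.30.0.0/16", "*", None),
    Rule(100, "Allow", "10.20.0.0/24", "10.30.0.1/32", "TCP", 443),
]

# Constructed sample flows (host addresses chosen for this example).
MAIN_TO_APP = Flow("10.20.0.15", "10.30.0.1", "TCP", 443)
SALES_TO_APP = Flow("10.10.0.15", "10.30.0.1", "TCP", 443)
MAIN_TO_OTHER = Flow("10.20.0.15", "10.30.0.50", "TCP", 443)
MAIN_TO_APP_SSH = Flow("10.20.0.15", "10.30.0.1", "TCP", 22)


def compare_policies() -> dict:
    """Evaluate each sample flow under each rule set; keys are (policy, flow)."""
    policies = {
        "least_privilege": LEAST_PRIVILEGE_RULES,
        "broad_vnet1": BROAD_RULES,
        "explicit_deny": EXPLICIT_DENY_RULES,
    }
    flows = {
        "main_to_app": MAIN_TO_APP,
        "sales_to_app": SALES_TO_APP,
        "main_to_other_vnet1_host": MAIN_TO_OTHER,
        "main_to_app_ssh": MAIN_TO_APP_SSH,
    }
    return {(p, f): evaluate(rules, flow)
            for p, rules in policies.items() for f, flow in flows.items()}


if __name__ == "__main__":
    for (policy, flow_name), action in compare_policies().items():
        print(f"{policy:16} {flow_name:26} {action}")
```

The broad rule is the only one that lets main-office traffic reach the other VNET1 host on port 443, which is the least-privilege gap the explanation points out.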
Question 40 of 65
40. Question
All IT staff in your company are members of the Global Administrators role. All users are assigned an Azure Active Directory (Azure AD) Premium P1 license. You are requested to minimize the number of administrators able to access secure resources by providing users just-in-time privileged access. You also have to be able to oversee what those users are doing with their privileged access. You need to activate Privileged Identity Management (PIM) while keeping costs to a minimum. Which two actions should you perform? Each correct answer presents part of the solution. Choose the correct answers
Correct
You should first assign an Azure AD Premium P2 license to the IT staff and then visit the Privileged Identity Management configuration page in the Azure portal. To implement PIM, you must be active in a privileged role in an Azure AD organization (e.g. be a member of the Global Administrators role, as in this scenario) and you must have an Azure AD Premium P2 license assigned. Once you are logged into the portal, you should search for the PIM service and open the configuration page once. Navigating to the PIM service as a user with the Global Administrator role and an Azure AD P2 license assigned triggers automatic activation of PIM for the organization. You should not assign Azure AD Premium P2 licenses to all users. This is not requested in this scenario and would not be cost-effective. You should not consent to PIM via the Azure portal with just the Global Administrator role assigned. The question states that all users, including those with the Global Administrator role, are assigned an Azure AD Premium P1 license. To be able to activate PIM for the organization, a user must be active in a privileged role in Azure AD (e.g. be a member of the Global Administrators role) and have an Azure AD P2 license assigned. Being a Global Administrator alone is not enough to activate PIM for the organization.
Question 41 of 65
41. Question
You are a security administrator for an Azure environment. You are requested to protect all your virtual machines (VMs) with Microsoft Defender for servers. Microsoft Defender for Cloud (formerly, Azure Security Center) is activated, as shown in the exhibit.
You need to deploy a vulnerability assessment solution, but the integrated vulnerability scanner is not available as shown in the exhibit.
What should you do to fix this issue?
Choose the correct answer
Correct
You should switch on Microsoft Defender for servers. Microsoft Defender for servers is one of the enhanced security plans of Microsoft Defender for Cloud; it discovers vulnerabilities and misconfigurations in near real time and includes the integrated vulnerability assessment scanner for VMs. To make the integrated scanner available, enable the Defender for servers plan in the enhanced security settings of Microsoft Defender for Cloud.
You should not start the VMs. VMs must be running for the integrated vulnerability scanner extension to be deployed, but that only applies once the scanner has been enabled. To enable the integrated scanner, Microsoft Defender for servers must be switched on.
You should not activate auto-provisioning of extensions. Defender for Cloud can automatically provision extensions such as the integrated vulnerability scanner, but in this scenario neither manual nor automatic provisioning is possible as long as Microsoft Defender for servers is set to off.
You should not buy another Microsoft Defender plan that supports vulnerability assessments for VMs. Microsoft Defender for Cloud is offered as a free tier and as enhanced security plans; in this scenario the enhanced plans are already activated.
Question 42 of 65
42. Question
You are the Azure administrator for your company. The company has an Enterprise application that connects to the Microsoft Graph API. The application synchronizes profile data from Azure Active Directory (Azure AD) and must be able to read all user properties within the tenant.
You need to configure the application permissions using the least privilege principle.
How should you configure the application? To answer, drag the appropriate configuration value to each application permission property. A configuration value may be used once, more than once, or not at all.
Correct
You should use the Directory.Read.All permission because, of the two scopes offered, it is the less privileged: it grants the application read access to all data in the directory, including user objects, with no write access. If the requirement were strictly to read user profiles, the narrower Microsoft Graph permission User.Read.All would be the least-privileged choice.
You should set the permission type to application (app-only). Application permissions grant the full set of rights implied by the permission, in this case Directory.Read.All access to every object in the directory. They are used by apps that run as a service without a signed-in user; the app authenticates with its own credentials using the OAuth 2.0 client credentials grant.
Some permissions require administrator consent when they are granted to the application. All application permissions, Directory.Read.All included, require admin consent.
You should not use the Directory.ReadWrite.All permission. It would allow write access to all data in the directory, and write access is not required; under the least privilege model, this would grant unnecessary permission to the application.
You should not set the permission type to delegated. Delegated permissions are used when an application acts on behalf of a signed-in user; the app's effective rights are then the intersection of the delegated permissions granted to it and the privileges of that user.
Question 43 of 65
43. Question
You are the Azure administrator for your company. Your company is developing a new web application that is ready for testing.
You need to ensure that:
Traffic is encrypted between the web app and the end client by using an SSL certificate.
A firewall is deployed in front of the web app.
Users connecting to the web app are authenticated using Azure Active Directory (Azure AD).
You create the web app using the Basic service plan.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct
You can bind a TLS/SSL certificate to a web app's custom domain in every App Service plan except Free and Shared, so the Basic plan meets the first requirement.
You can deploy a firewall in front of the web app regardless of the App Service plan: either a Web Application Firewall (WAF) appliance from the Azure Marketplace or Azure Application Gateway with its WAF SKU. The firewall is a separate resource, so the plan tier does not matter.
You can authenticate users with Azure AD in every service plan, including Free and Shared, by turning on App Service authentication for the web app.
Question 44 of 65
44. Question
You are the Azure administrator for your company. Your company uses a third-party email scanning system that scans email before it enters or leaves Microsoft Office 365. The solution supports single sign-on (SSO) and has advanced mail scanning, reporting, and quarantine features. The third-party email scanning system has a recipient verification feature that connects to the tenant directory via a non-interactive Azure enterprise app. The application verifies the sending email address before allowing the email to be sent. You need to verify which permissions are configured on the Azure enterprise app. Which two actions should you perform? Each correct answer presents part of the solution.
Correct
You should review the Enterprise Applications blade in Azure AD and then verify that only the correct Admin consent (application) permissions are configured. When permissions are assigned to an enterprise application, two types are supported: delegated permissions (user consent, or admin consent on behalf of all users) and application permissions (admin consent only). Delegated permissions are used when an application acts interactively on behalf of a signed-in user. Application permissions are used by non-interactive applications and usually carry a high level of privilege.
You should not verify that the correct user and admin consent permissions are configured. For delegated permissions, the effective permissions are the intersection of the permissions granted to the application and the privileges of the signed-in user, i.e. the more restrictive of the two. For example, if the application is granted the delegated User.ReadWrite.All permission and the signed-in user is a Global Administrator, the app can update all user properties in the tenant; if the user is not an administrator, the app can only update that user's own profile. For application permissions, the effective permissions are the full level of privilege implied by the permission: an enterprise app granted the application (Admin consent) permission User.ReadWrite.All can update the profile of every user in the organization. Although the required permissions are not spelled out in the question, it does state that the enterprise app runs non-interactively, which implies application permissions and therefore a higher level of privilege; delegated (user consent) permissions are not what such an app uses.
You should not review the enterprise app in Microsoft Defender for Cloud (formerly Azure Security Center). Defender for Cloud is used to manage and strengthen your security posture; it cannot be used to manage enterprise app permissions.
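The reviews in questions 42 and 44 (an app-only Directory.Read.All grant, and checking which admin-consent permissions a non-interactive enterprise app holds) both come down to reading what a service principal has actually been granted. The following Python script is an added example for this page, not part of the practice test or of any Microsoft tool. It works on the JSON shapes Microsoft Graph returns for a service principal's appRoleAssignments (application permissions), its oauth2PermissionGrants (delegated permissions) and the Microsoft Graph service principal's appRoles (which turn role GUIDs into names), and it flags permissions outside an allowlist, write permissions, and delegated grants on an app that is supposed to be non-interactive. All records, IDs and the allowlist are constructed for the example; in a tenant you would fetch the same objects from Graph.

```python
"""Review what an Azure AD enterprise application has been granted on Microsoft
Graph, separating application permissions from delegated ones and flagging
anything beyond an allowlist.

Added example for this page, not part of the practice test. It works on the
JSON shapes Microsoft Graph returns for a service principal:
  /servicePrincipals/{id}/appRoleAssignments     -> application permissions (admin consent)
  /servicePrincipals/{id}/oauth2PermissionGrants -> delegated permissions
  /servicePrincipals?$filter=appId eq '<Graph appId>'
      -> the Microsoft Graph service principal, whose appRoles map GUIDs to names
All records below are constructed so the script runs offline.
"""
import re

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

# Constructed subset of the Microsoft Graph service principal. appRoleAssignments
# carry only the role GUID, so this object is what turns GUIDs into names; in a
# tenant the GUIDs are read from here, so the sample values need not be exact.
GRAPH_SP = {
    "id": "11111111-2222-3333-4444-555555555555",
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "df021288-bdef-4463-88db-98f22de89214", "value": "User.Read.All"},
        {"id": "741f803b-c850-494e-b5df-cde7c675a1ca", "value": "User.ReadWrite.All"},
        {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "value": "Directory.Read.All"},
    ],
}

# Constructed grants held by the non-interactive mail-scanning app of the question.
SCANNER_SP_ID = "aaaaaaaa-0000-0000-0000-000000000001"
APP_ROLE_ASSIGNMENTS = [
    {"principalId": SCANNER_SP_ID, "resourceId": GRAPH_SP["id"],
     "appRoleId": "df021288-bdef-4463-88db-98f22de89214"},   # User.Read.All
    {"principalId": SCANNER_SP_ID, "resourceId": GRAPH_SP["id"],
     "appRoleId": "741f803b-c850-494e-b5df-cde7c675a1ca"},   # User.ReadWrite.All
]
OAUTH2_GRANTS = [
    {"clientId": SCANNER_SP_ID, "resourceId": GRAPH_SP["id"],
     "consentType": "AllPrincipals", "scope": "User.Read openid"},
]

# Naming heuristic for permissions that imply write access (e.g. User.ReadWrite.All, Mail.Send).
WRITE_HINT = re.compile(r"\.(ReadWrite|Write|Manage|Create|Delete|Send)(\.|$)")


def role_names(graph_sp: dict) -> dict:
    """Map appRole GUIDs to permission names such as 'User.Read.All'."""
    return {role["id"]: role["value"] for role in graph_sp["appRoles"]}


def application_permissions(assignments: list, graph_sp: dict) -> list:
    """Application (app-only) permissions granted on Microsoft Graph, by name."""
    names = role_names(graph_sp)
    return [names.get(a["appRoleId"], f"<unknown role {a['appRoleId']}>")
            for a in assignments if a["resourceId"] == graph_sp["id"]]


def delegated_permissions(grants: list, graph_sp: dict) -> list:
    """Delegated scopes on Microsoft Graph as (scope, consentType) pairs.
    consentType 'AllPrincipals' means an admin consented for all users;
    'Principal' means a single user consented for themselves."""
    return [(scope, g["consentType"])
            for g in grants if g["resourceId"] == graph_sp["id"]
            for scope in g["scope"].split()]


def is_write_permission(name: str) -> bool:
    """Heuristic: does the permission name imply write access?"""
    return WRITE_HINT.search(name) is not None


def review(assignments: list, grants: list, graph_sp: dict,
           allowed_app_perms: set, interactive: bool = False) -> list:
    """Return human-readable findings; an empty list means the grants match expectations."""
    findings = []
    for perm in application_permissions(assignments, graph_sp):
        if perm not in allowed_app_perms:
            findings.append(f"application permission {perm} is not in the allowlist")
        if is_write_permission(perm):
            findings.append(f"application permission {perm} grants tenant-wide write access")
    if not interactive:  # a service app should hold no delegated grants at all
        for g in grants:
            if g["resourceId"] == graph_sp["id"]:
                findings.append(f"delegated grant '{g['scope']}' ({g['consentType']}) "
                                "on a non-interactive app is unnecessary")
    return findings


if __name__ == "__main__":
    for line in review(APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS, GRAPH_SP, {"User.Read.All"}):
        print("FINDING:", line)
```

Resolve role GUIDs through the Graph service principal's appRoles rather than hard-coding them; the appRoleAssignments object never carries the permission name. The write-permission check is a naming heuristic and does not replace reading the permission reference for each scope.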
Question 45 of 65
45. Question
You work for a pharmaceutical company that regularly runs clinical trials on new drugs in development. Each new trial is worked on by several different teams who use a dedicated Azure Enterprise application to enter result data. When a trial starts, a new Enterprise application is created and access is granted to the application via Azure Active Directory (Azure AD) groups. Your company decides to implement access reviews to streamline the process and shorten the time needed to set up new clinical trials. All users are already assigned an Office 365 E3 license. You need to enable and configure an access review for a new Azure Enterprise application. You should also ensure that costs are kept to a minimum. What should you do? Choose the correct answer
Correct
You should first assign the users an Azure AD Premium P2 license, then open the Azure AD blade, select Identity Governance, and configure an access review. An Azure AD Premium P2 license is required for access reviews, and Office 365 E3 does not include it.
You should not assign all users an Office 365 E5 license and then configure an access review under Identity Governance. Office 365 E5 bundles additional enterprise features that cost more and are not required for the solution, and it does not include Azure AD Premium P2 in any case. The scenario asks to keep costs to a minimum; an Azure AD Premium P2 license is all that access reviews need.
You should not create a Conditional Access policy, assign it to the new enterprise application, and link it to a new access review. Conditional Access makes decisions and enforces organizational policies at sign-in, when users access corporate resources; it does not periodically review who still needs access.
Question 46 of 65
46. Question
Your company creates and runs a Docker image in Azure to support a custom ASP.NET application. The container is running on a Windows Server 2019 virtual machine (VM) named VM01. The development team wants to create three additional Docker images to run on VM01. You need to ensure that the Docker containers are isolated from each other and do not share the same kernel. You also need to keep costs to a minimum.
How should you configure the Windows containers? To answer, drag the appropriate configuration value to each Windows container property. A configuration value may be used once, more than once, or not at all.
Correct
You should use Hyper-V isolation mode. By default, Windows containers run in process isolation mode, which means they share the host kernel. The only way to guarantee that a container does not share the host kernel is to run it in Hyper-V isolation mode (the Docker `--isolation=hyperv` option), which runs each container in a lightweight utility VM with its own dedicated kernel.
You should not create additional VMs. Although creating three additional VMs would also keep the containers from sharing a kernel, it would be a more expensive solution.
Question 47 of 65
47. Question
You are the Global Administrator for your company's Azure Active Directory (Azure AD) tenant. Your company wants to assign newly added users to a specific group based on attributes such as department and role, without increasing the workload for the Operations teams. You need to assign these users automatically to Azure AD groups. What should you use? Choose the correct answer
Correct
You should use dynamic membership rules. You can create dynamic membership rules on Azure AD groups to assign users automatically based on attributes such as department or job title; membership is re-evaluated whenever those attributes change, which also removes the operational workload from helpdesk teams. Dynamic membership rules require at least an Azure AD Premium P1 license.
You should not use self-service group management. You can configure self-service group management to let users manage security groups or Microsoft 365 groups, with the moderation of a group owner. Self-service group management does not add new users to a specific group based on their attributes.
You should not use group owners. A group owner is a user or service principal who can manage group membership, and who can approve or deny membership requests when the group is configured for self-service management. Although group owners could maintain membership of the groups they are responsible for, doing so by hand would not meet the requirement not to increase the workload for the Operations teams.
You should not use the Groups Administrator role. Groups Administrator is an Azure AD built-in role for creating and managing groups and their settings, such as naming and expiration policies. Although users in this role can manage group membership, doing so manually would not meet the requirement not to increase the workload for the Operations teams.
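To see what a dynamic membership rule would do before saving it on a group, here is an added Python example for this page (not Microsoft code and not from the practice test) that parses and evaluates a subset of the rule syntax against a constructed list of users. It assumes case-insensitive string comparison and that -and binds tighter than -or; in a real rule, use parentheses rather than relying on either.

```python
"""Evaluate Azure AD dynamic membership rules against user attributes.

Added example for this page (not Microsoft code). Implements a subset of the
rule syntax (-eq, -ne, -startsWith, -contains, -in, -notIn, combined with
-and, -or, -not and parentheses) so a rule can be checked against known users
before it is saved on a group. Assumptions: string comparisons are
case-insensitive and -and binds tighter than -or; real rules should use
parentheses rather than rely on precedence. The users below are constructed.
"""
import re

# One token per match: quoted string | punctuation | -operator | identifier
TOKEN_RE = re.compile(r'\s*(?:"([^"]*)"|([()\[\],])|(-[A-Za-z]+)|([A-Za-z_][\w.]*))')


def tokenize(rule: str) -> list:
    """Split a rule into (kind, text) tokens of kind str, punct, op or ident."""
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {rule[pos:pos + 12]!r}")
        pos = m.end()
        kind = ("str", "punct", "op", "ident")[m.lastindex - 1]
        text = m.group(m.lastindex)
        tokens.append((kind, text.lower() if kind == "op" else text))  # operators are case-insensitive
    return tokens


def _norm(value):
    return value.lower() if isinstance(value, str) else value


COMPARATORS = {  # attribute value first, rule literal second
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-startswith": lambda a, b: isinstance(a, str) and _norm(a).startswith(_norm(b)),
    "-contains": lambda a, b: isinstance(a, str) and _norm(b) in _norm(a),
    "-in": lambda a, b: _norm(a) in [_norm(x) for x in b],
    "-notin": lambda a, b: _norm(a) not in [_norm(x) for x in b],
}


class Parser:
    """Recursive-descent parser producing a small tuple-based AST."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, text=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (text and tok[1] != text):
            raise ValueError(f"expected {text or kind or 'a token'}, got {tok}")
        self.i += 1
        return tok
    def or_expr(self):  # lowest precedence
        node = self.and_expr()
        while self.peek() == ("op", "-or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.unary()
        while self.peek() == ("op", "-and"):
            self.take()
            node = ("and", node, self.unary())
        return node
    def unary(self):
        if self.peek() == ("op", "-not"):
            self.take()
            return ("not", self.unary())
        if self.peek() == ("punct", "("):
            self.take()
            node = self.or_expr()
            self.take("punct", ")")
            return node
        return self.comparison()
    def comparison(self):
        prop, op = self.take("ident")[1], self.take("op")[1]
        if op not in COMPARATORS:
            raise ValueError(f"unsupported operator {op}")
        if self.peek() == ("punct", "["):  # list literal for -in / -notIn
            self.take()
            values = []
            while self.peek() != ("punct", "]"):
                values.append(self.take("str")[1])
                if self.peek() == ("punct", ","):
                    self.take()
            self.take()
            return ("cmp", prop, op, values)
        tok = self.take()
        if tok[0] == "str":
            return ("cmp", prop, op, tok[1])
        if tok == ("ident", "null"):
            return ("cmp", prop, op, None)
        raise ValueError(f"bad value {tok}")


def evaluate(node, user: dict) -> bool:
    """Evaluate an AST node against one user's attributes (attribute names case-insensitive)."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if kind == "not":
        return not evaluate(node[1], user)
    _, prop, op, literal = node
    attr = prop.split(".", 1)[1] if prop.lower().startswith("user.") else prop
    actual = {k.lower(): v for k, v in user.items()}.get(attr.lower())
    return bool(COMPARATORS[op](actual, literal))


def members(rule: str, users: list) -> list:
    """Return the userPrincipalNames the rule would place in the group."""
    parser = Parser(tokenize(rule))
    tree = parser.or_expr()
    if parser.i != len(parser.toks):
        raise ValueError(f"unexpected token {parser.peek()}")
    return [u["userPrincipalName"] for u in users if evaluate(tree, u)]


USERS = [  # constructed sample users; a null department is a common real-world case
    {"userPrincipalName": "alice@contoso.example", "department": "Sales", "jobTitle": "Account Manager", "country": "US"},
    {"userPrincipalName": "bob@contoso.example", "department": "Engineering", "jobTitle": "Manager", "country": "DE"},
    {"userPrincipalName": "carol@contoso.example", "department": "sales", "jobTitle": "Director", "country": "GB"},
    {"userPrincipalName": "dave@contoso.example", "department": None, "jobTitle": "Contractor", "country": None},
]
```

Run `members('(user.department -eq "Sales") -and (user.jobTitle -contains "Manager")', USERS)` to see which constructed users a rule sweeps in. Applied to an export of real user attributes, the same evaluator shows why a rule matches more or fewer people than expected, most often because of inconsistent casing or users whose attribute is null.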
Question 48 of 65
48. Question
You manage an Azure subscription named Labs and an Azure Active Directory (Azure AD) tenant for a sales company. Your company is developing an application named Appl to provision resources on the Labs subscription. Appl provisions these resources using the Azure REST API under its own identity or under the identity of a signed-in user. You need to register Appl in Azure AD with the correct platform configuration and request the appropriate configuration information from the development team. Which platform configuration and configuration information should you use? To answer, select the appropriate options from the drop-down menus.
Correct
You should use the Web platform configuration and request a Redirect URI from the development team as the configuration information. A web application registered this way is a confidential client: it can hold a client secret or certificate, so under the OAuth 2.0 authorization framework it can obtain tokens for Azure resources both under its own identity (client credentials grant) and on behalf of a signed-in user (authorization code grant), which is exactly what Appl requires. The Redirect URI is where Azure AD returns the authorization response in the signed-in user flow. With this configuration, you can create an app registration in Azure AD to be used by Appl.
You should not use the Public client/native (mobile & desktop) platform configuration. Such an app is installed and runs on a device where it cannot protect a secret, so resources can be accessed only under delegated authorization on behalf of a signed-in user. In this scenario the app must also access resources under its own identity, so you should register Appl with the Web platform configuration.
You should not use Single-page application (SPA). This type of application runs entirely in the browser, cannot securely hold a credential, and therefore cannot use its own identity to access resources in Azure.
You should not use bundle ID and Signature Hash configuration information. These configurations are used to register iOS mobile applications and Android mobile applications, respectively. You should provide a Redirect URI for a web platform application.
Question 49 of 65
49. Question
You manage an Azure subscription that contains 40 Azure virtual machines (VMs). Azure Diagnostics is enabled on all Azure VMs.
You need to implement security monitoring for these VMs.
The monitoring solution should retrieve the following details to generate a security alert:
Identify the user who deleted an Azure VM up to six weeks ago.
Query security events of an Azure VM running Windows Server 2012 R2.
Which monitoring solution should you use? To answer, drag the appropriate tool to each security alert detail. A tool may be used once, more than once, or not at all.
Correct
You should use an activity log to identify the user who deleted an Azure VM up to six weeks ago. Activity logs provide insights into operations that were performed on resources in your subscription, helping you to determine which user deleted an Azure VM. Azure stores activity logs by default for 90 days. For longer retention, you can send the activity log to Azure Log Analytics workspace.
You should use logs to query the security events of an Azure VM running Windows Server 2012 R2. Azure Monitor collects log data from a variety of sources, consolidating the data and providing querying capabilities. This log data includes the security events collected when Azure Diagnostics is enabled in an Azure VM.
You should not use Metrics. Metrics are numerical values that represent a particular aspect of a resource at a particular point in time. Metrics for an Azure VM include CPU usage, disk operations per second, and network usage.
You should not use Service Health. You can use Service Health to monitor the health of Azure services in a specific region and to be notified about ongoing service issues, planned maintenance, or region outages.
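The activity-log part of this answer in code: an added example (not part of the practice test) that scans exported activity-log records for successful VM deletions inside a six-week window and reports the caller. The records, the fixed "now" and the subscription placeholder are constructed.

```python
"""Find who deleted an Azure VM within the last six weeks from exported
activity-log records. Added example; the records below are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Activity logs are kept for 90 days by default, so a six-week (42-day)
# look-back is inside the default retention window.
SIX_WEEKS = timedelta(days=42)
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed for a repeatable run


def _vm_id(name):
    # <subscription-id> is a placeholder, not a real subscription.
    return ("/subscriptions/<subscription-id>/resourceGroups/prod/providers/"
            f"Microsoft.Compute/virtualMachines/{name}")


# Constructed sample records in the JSON shape Azure Monitor exports
# (operationName.value, status.value, caller, eventTimestamp, resourceId).
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Started"}, "caller": "alice@contoso.example",
     "eventTimestamp": "2024-02-10T08:14:57Z", "resourceId": _vm_id("vm01")},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Succeeded"}, "caller": "alice@contoso.example",
     "eventTimestamp": "2024-02-10T08:15:30Z", "resourceId": _vm_id("vm01")},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/restart/action"},
     "status": {"value": "Succeeded"}, "caller": "bob@contoso.example",
     "eventTimestamp": "2024-02-20T09:00:00Z", "resourceId": _vm_id("vm02")},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Succeeded"}, "caller": "carol@contoso.example",
     "eventTimestamp": "2023-12-01T10:00:00Z",  # older than six weeks
     "resourceId": _vm_id("vm03")},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Failed"}, "caller": "dave@contoso.example",
     "eventTimestamp": "2024-02-25T10:00:00Z", "resourceId": _vm_id("vm04")},
])


def parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_vm_deletions(log_json, now=NOW, window=SIX_WEEKS):
    """Return [(timestamp, caller, vm_name)] for every VM deletion that
    succeeded within `window` before `now`, newest first."""
    cutoff = now - window
    hits = []
    for rec in json.loads(log_json):
        op = rec.get("operationName", {}).get("value", "")
        status = rec.get("status", {}).get("value", "")
        # A delete emits several records (Started, Accepted, Succeeded, or
        # Failed); only a Succeeded record shows the VM was actually removed.
        if not op.lower().endswith("/virtualmachines/delete") or status != "Succeeded":
            continue
        if parse_ts(rec["eventTimestamp"]) < cutoff:
            continue
        vm_name = rec["resourceId"].rsplit("/", 1)[-1]
        hits.append((rec["eventTimestamp"], rec["caller"], vm_name))
    hits.sort(reverse=True)
    return hits


if __name__ == "__main__":
    for ts, who, vm in find_vm_deletions(SAMPLE_ACTIVITY_LOG):
        print(f"{ts}  {vm} deleted by {who}")
```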
Question 50 of 65
50. Question
You are the administrator of a Microsoft Sentinel (formerly Azure Sentinel) workspace in your company. You should grant access to the following users in this workspace:
UserA: security manager who needs to view incidents in the workspace
UserB: security analyst responsible for managing analytics rules
UserC: support analyst level I responsible for responding to incidents
UserD: support analyst level II who needs to create automation playbooks
You need to assign the Microsoft Sentinel Contributor built-in role for these users following the least privileges principle. Which two users should you assign this built-in role to? Each correct answer presents part of the solution.
Correct
You should assign the Microsoft Sentinel Contributor role to UserB and UserD. You should assign this role to users who need to create and edit workbooks, analytics rules, and other Microsoft Sentinel resources, as well as to manage incidents by assigning or dismissing them, and view Microsoft Sentinel resources. In addition to the Microsoft Sentinel Contributor role, you need to assign the Logic App Contributor role to UserD in order to allow the user to create automation playbooks.
You should not assign the Microsoft Sentinel Contributor role to UserA. You should assign this user the Microsoft Sentinel Reader role instead. This role has the permissions to view Microsoft Sentinel resources like incidents and workbooks.
You should not assign the Microsoft Sentinel Contributor role to UserC. You should assign this user the Microsoft Sentinel Responder role instead. This role has permission to manage incidents by assigning or dismissing them. It also contains all the permissions from the Microsoft Sentinel Reader role.
Question 51 of 65
51. Question
You have an Azure virtual machine (VM) running Linux named linux1. The VM has the following properties:
resource group: prod
location: East US
You have a Log Analytics workspace named prod-workspace with the following properties:
resource group: prod
location: Central US
You need to enable the Update Management solution on linux1. What should you do first? Choose the correct answer.
Correct
You need to connect linux1 to prod-workspace. The VM has to be connected to the Log Analytics workspace before you can enable Update Management for the virtual machine. You do not need to deploy a second Log Analytics workspace. You can have the VM and the Log Analytics workspace in different regions and still be able to connect the VM to the workspace.
You should not enable boot diagnostics on linux1. Doing so does not accomplish the goal. Boot diagnostics stores Serial Console log data and periodic screenshots of the VM's console screen.
You should not define an Azure Automation runbook. This does not accomplish the goal of enabling Update Management for linux1.
Question 52 of 65
52. Question
Your company has several development servers running in an Azure virtual network (VNet) named VNet1. Your developers have several Docker images stored in a private repository. The developers want to use Azure Container Instances (ACI) to deploy these container images in Azure. You need to restrict access to these containers to VNet1. What should you do? Choose the correct answer
Correct
You should deploy the container instances into the Azure VNet. This feature enables you to restrict connectivity to the containers from within your VNet. The VNet-bound containers must be deployed into a separate subnet that contains no other resources. You also should be careful not to associate a public IP address with the container instances.
You should not add a DNS name label to each container instance. Doing so makes connections to the container easier if you are using a dynamic public IP address. However, this has nothing to do with the security goal outlined in the scenario.
You should not modify the RBAC permissions on the container instances. Doing so would improve the security posture of your Azure Container Instance environment, but it does not meet the goal of restricting container access to VNet1-bound resources.
You should not use a managed identity with the container resources. You would use a managed identity, which is analogous to a service account in on-premises Windows environments, to provide a security context for code running inside Docker container instances.
Question 53 of 65
53. Question
Your company develops an Azure App Service web application named InternalApp that uses Azure Active Directory (Azure AD) authentication. You need to prevent the app from prompting users for OAuth 2.0 approval. What should you do? Choose the correct answer
Correct
In Azure AD, you should grant admin consent. Your Azure AD-backed applications can make use of two types of OAuth 2.0 consent flow. User consent flow is when each user is prompted to consent to the application's data access. Admin consent flow is when an Azure AD administrator globally consents on behalf of the organization. In this latter case, the authenticated user never sees the OAuth 2.0 consent dialog.
You should not configure application roles in Azure AD. Application roles simplify role-based access control (RBAC) authorization in your cloud application.
You should not define an access policy in Azure Key Vault. Access policies define which actions an authorized user or service principal can take within Key Vault. In this scenario, you are concerned with the Azure AD OAuth 2.0 consent flow, not secret management.
You should not configure Hardware Security Module (HSM)-protected keys in Azure Key Vault, for the same reason that you should not define an access policy. OAuth 2.0 consent is unrelated to Key Vault. However, HSM is a premium Azure Key Vault feature that offers a higher degree of security assurance for stored secrets.
Question 54 of 65
54. Question
Your team is developing a new application that uses the Microsoft Identity Platform for user authentication. The application is a single-page application (SPA) developed with JavaScript. Users should be able to login by using their personal Microsoft accounts. You need to register the application in Azure Active Directory (Azure AD). Which grant flow and account type should you use? To answer, select the appropriate options from the drop-down menus.
Correct
You should use the Implicit grant flow. Single-page applications (SPAs) run directly in the client browser and have different security requirements compared to traditional server-based web applications. The Implicit grant flow allows the application to get tokens without performing a backend server credential exchange, making it possible for users to log in directly from the SPA.
You should use the personal account type. This account type allows users to log in with personal Microsoft accounts only. As an alternative, you can use the account type that combines both personal Microsoft accounts and multi-tenant, allowing accounts in any Azure AD directory as well as personal accounts to log in with the application.
You should not use the Authorization Code grant. This grant flow is used to perform authentication and authorization for server-based web applications. It requires the application to provide a client secret or certificate to securely obtain access tokens. You should not use the Authorization Code grant flow with SPAs because they cannot securely store client secrets.
You should not use a single tenant only or multi-tenant account type only. These account types are used to log in users that are present in the same Azure AD tenant where the application is registered, or any Azure AD accounts, respectively. These options do not allow personal Microsoft accounts to log in.
Question 55 of 65
55. Question
You have recently moved all your on-premises workloads to Azure Cloud and suffer vulnerability attacks on your on-premises SQL server. You need to enable Microsoft Defender for SQL for your Azure SQL database. Which three malicious activities does Microsoft Defender for SQL identify as a threat? Each correct answer presents a complete solution. Choose the correct answers
Correct
The following activities are identified as a threat by Microsoft Defender for SQL:
An attempt to sign in as SELECT FROM products WHERE name ='table or 1 = 1 --'. This kind of threat is known as a SQL injection attack. In this scenario, an attacker inserts T-SQL code in an input field. This code is executed at the backend, returning information that is not intended to be seen by end users. This way, an attacker can start reconnaissance of the backend environment to continue with lateral movement.
A legitimate user accessing from a breached computer. In this scenario, the SQL database is accessed by remotely controlled malicious software on a legitimate user's computer.
A high number of failed sign-in attempts. This is an example of anomalous database access and query patterns.
Cross-site scripting is not detected by Microsoft Defender for SQL. This is a web application vulnerability attack, which is detected by the Application Gateway Web Application Firewall. During this attack a web server gets compromised and malicious scripts are injected into trustworthy websites.
Over 200 record deletions and over 70% updates in a table are not necessarily an attack. In big databases, it is not unusual that 200 records are deleted or numerous updates are performed. These actions are not considered malicious activities by Microsoft Defender for SQL.
Question 56 of 65
56. Question
Correct
You should complement the Actions section with the permission Microsoft.Network/*/write. If Azure built-in roles do not satisfy your needs, you can create custom roles and assign them to users in the same way as you do with the built-in ones. With custom roles you can provide only the level of permissions required by the user to fulfil their work. Providing only the level of permissions required by the user to fulfil their work is called the principle of least privilege. To create a virtual machine (VM), User1 needs only Compute, Resourcegroups, and Network permissions. The custom role configuration can be defined in a JSON configuration file, in the Actions section to provide permissions and in the NotActions section to remove them. In User1's custom role definition, the Microsoft.Network/*/write permission is missing, which prevents the creation of a virtual LAN (VLAN) and network interface card (NIC). The solution to add the Microsoft.Network/*/write line satisfies both requirements: the principle of least privilege and least administrative effort.
You should not assign the Contributor role to User1 at the resource group level. The Contributor role is an Azure built-in role, which provides the permission to create resources at the resource group level and, as such, provides a higher level of permissions than required. Although assigning the Contributor role at the resource group level would solve the error, it would not satisfy the principle of least privilege.
You should not preconfigure the resource group af50Org. Preconfiguring the resource group cannot resolve the error, as in this case the Microsoft.Network/*/write permission is still missing.
You should not assign the Virtual Machine Contributor role to the user at the subscription level. This Azure built-in role allows a user to create and manage virtual machines. This role does not provide the permission to manage a network, which is the main reason for the error in this case. This role could be useful if you needed to provide permissions to an administrator to start/stop/reboot a VM or execute some other administrative tasks on the virtual machine. In this case, the requirement is to create a virtual machine, which requires additional permissions. This solution does not satisfy the requirement.
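To make the Actions/NotActions reasoning above concrete, here is an added example (not from the practice test) that evaluates a custom role definition against the operations a VM creation needs, using Azure RBAC's case-insensitive `*` wildcard matching, and shows that appending Microsoft.Network/*/write closes the gap. The role JSON, the operation list and the subscription placeholder are constructed.

```python
"""Check whether an Azure custom role definition grants the operations a
task needs, using the Actions/NotActions wildcard semantics of Azure RBAC.
Added example; the role definition and operation list are constructed."""
import json
import re

# Constructed custom role for User1: full compute rights, resource-group
# read, but only read access under Microsoft.Network.
# <subscription-id> is a placeholder, not a real subscription.
USER1_ROLE_JSON = json.dumps({
    "Name": "VM Creator (User1)",
    "IsCustom": True,
    "Description": "Create virtual machines in the resource group",
    "Actions": [
        "Microsoft.Compute/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/*/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
})

# Constructed list of control-plane operations exercised when a VM with a
# new virtual network and NIC is created (compute, resource group, network).
VM_CREATE_OPERATIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/disks/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/networkInterfaces/write",
]


def action_matches(pattern, operation):
    """Azure RBAC action strings are case-insensitive and '*' matches any
    run of characters, including '/' separators."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_granted(role, operation):
    """Granted when some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, operation) for p in role.get("Actions", []))
    denied = any(action_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_permissions(role_json, operations):
    """Return the operations the role does not grant, in input order."""
    role = json.loads(role_json)
    return [op for op in operations if not is_granted(role, op)]


def add_action(role_json, action):
    """Return a new role definition JSON with `action` appended to Actions."""
    role = json.loads(role_json)
    role["Actions"] = role.get("Actions", []) + [action]
    return json.dumps(role)


if __name__ == "__main__":
    print("missing:", missing_permissions(USER1_ROLE_JSON, VM_CREATE_OPERATIONS))
    fixed = add_action(USER1_ROLE_JSON, "Microsoft.Network/*/write")
    print("missing after fix:", missing_permissions(fixed, VM_CREATE_OPERATIONS))
```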
Incorrect
You should complement the section Actions with the permission Microsoft.Network//write. If Azure built-in roles do not satisfy your needs, you can create custom roles and assign them to users similar to the procedure as you do it with the built-in ones. With the custom roles you can provide only the level of permissions as required by the user to fulfil their work. To provide only the level of permissions as required by the user to fulfil their work is called the principle of least privilege. To create a virtual machine (VM), Used needs only Compute, Resourcegroups, and Network permissions. The custom role configuration can be defined in JSON configuration file in the Actions section to provide permissions and in the notActions section to remove them. In User1‘s custom role definition, the Microsoft.Network/*/write permission is missing, which prevents the creation of a virtual LAN (VLAN) and network interface card (NIC). The solution to add Microsoft.Networkr/write line satisfies both requirements: the principle of least privilege and least administrative effort.
You should not assign the Contributor role to User1 at the resource group level. A contributor role is an Azure built-in role, which provides the permission to create resources at the resource group level and, as such, provides a higher level of permissions than required. Although assigning the contributor role at the resource group level would solve the error, it would not satisfy the principle of least privilege.
You should not preconfigure the resource group af50Org. Preconfiguring the resource group cannot resolve the error, as in this case the Microsoft.Network/Wite permission is still missing.
You should not assign to the user the Virtual Machine contributor role at the subscription level. This Azure built-in role allows a user to create and manage virtual machines. This role does not provide the permission to manage a network, which is the main reason for the error in this case. This role could be useful, if you needed to provide permissions to an administrator to start/stop/reboot a VM or execute some other administrative tasks on the virtual machine. In this case, the requirement is to create a virtual machine, which requires additional permissions. This solution does not satisfy the requirement.
Question 57 of 65
57. Question
A manufacturing company has resources running in a single Azure region. Users connect to Azure from each of its offices via a site-to-site VPN connection and use a point-to-site VPN connection when working from home. A third-party contractor connects to a virtual machine (VM) named JumpHost01 via RDP. To meet the company‘s security policy, only outbound traffic from JumpHost01 to the supported application server is allowed, and all other traffic is blocked. The contractor needs to download a critical security update from the domain update.myapp.com, but he is unable to do so. The security team agrees to allow access to the domain update.myapp.com from JumpHost01 only. You need to allow the contractor to download the file from JumpHost01. What solution should you use?
Correct
You should use Azure Firewall. Azure Firewall can restrict outbound access by fully qualified domain name (FQDN) or URL as well as by IP address and port, so an application rule can allow traffic from JumpHost01 to update.myapp.com and nothing else. In this scenario, you want to limit access to the domain update.myapp.com from the server JumpHost01.
You should not use Azure AD Application Proxy. Application Proxy publishes internal applications to external users and adds multi-factor authentication (MFA) and Conditional Access in front of them; it does not filter outbound traffic from a VM.
You should not use a network security group (NSG). An NSG contains a list of rules that are processed in ascending order of their priority number; the first rule whose 5-tuple (source and destination IP, source and destination port, protocol) matches the traffic decides whether it is allowed or denied. An NSG cannot allow or block traffic by domain name or URL, so it cannot express "only update.myapp.com".
You should not use an Azure Private DNS zone. A private DNS zone lets you use your own domain names inside a virtual network instead of the Azure-provided names; it resolves names and does not allow or block traffic.
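To make the difference concrete, here is an added example (not part of the practice test) that simulates both rule models in Python: an NSG-style evaluator that walks 5-tuple rules in ascending priority order and stops at the first match, and an Azure Firewall-style application rule that matches the destination FQDN. All addresses (RFC 5737 TEST-NET ranges), rule sets and host names are constructed; the implicit final Deny stands in for the scenario's explicit block-all rule.

```python
"""Added example, not part of the practice test: two rule engines side by side.
An NSG-style evaluator walks 5-tuple rules in ascending priority order and
stops at the first match, so it can only reason about addresses and ports.
An Azure Firewall-style application rule matches the destination FQDN, so the
policy survives the server changing IP address. All addresses (RFC 5737
TEST-NET ranges), rule sets and host names below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    source: str            # CIDR or "*"
    destination: str       # CIDR or "*"
    dest_ports: tuple      # port numbers, or ("*",) for any
    protocol: str = "*"    # "Tcp", "Udp" or "*"


@dataclass(frozen=True)
class AppRule:
    source: str            # CIDR or "*"
    target_fqdns: tuple    # exact names or "*.example.com" style wildcards
    ports: tuple = (80, 443)


def cidr_match(cidr: str, ip: str) -> bool:
    return cidr == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def nsg_decide(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """First matching rule by priority decides; no match means Deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (cidr_match(rule.source, src_ip)
                and cidr_match(rule.destination, dst_ip)
                and ("*" in rule.dest_ports or dst_port in rule.dest_ports)
                and rule.protocol in ("*", protocol)):
            return rule.access
    return "Deny"


def fqdn_match(pattern: str, fqdn: str) -> bool:
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:]) and fqdn != pattern[2:]
    return pattern == fqdn


def firewall_decide(rules, src_ip, fqdn, dst_port):
    """Application rules allow-list by name; anything not listed is denied."""
    for rule in rules:
        if (cidr_match(rule.source, src_ip)
                and dst_port in rule.ports
                and any(fqdn_match(p, fqdn) for p in rule.target_fqdns)):
            return "Allow"
    return "Deny"


JUMPHOST = "10.0.1.4"
APP_SERVER = "10.0.2.10"
UPDATE_IP_TODAY = "203.0.113.10"      # what update.myapp.com resolves to today
UPDATE_IP_TOMORROW = "203.0.113.20"   # after the vendor moves the host

# The closest an NSG can get: pin the IP the name happens to resolve to now.
NSG_RULES = [
    NsgRule(100, "Allow", f"{JUMPHOST}/32", f"{APP_SERVER}/32", (443,)),
    NsgRule(110, "Allow", f"{JUMPHOST}/32", f"{UPDATE_IP_TODAY}/32", (443,)),
    NsgRule(4096, "Deny", "*", "*", ("*",)),
]

# The firewall rule the security team agreed to: this one name, from this one host.
FIREWALL_RULES = [
    AppRule(source=f"{JUMPHOST}/32", target_fqdns=("update.myapp.com",)),
]


if __name__ == "__main__":
    print("NSG, update host today:   ", nsg_decide(NSG_RULES, JUMPHOST, UPDATE_IP_TODAY, 443))
    print("NSG, update host tomorrow:", nsg_decide(NSG_RULES, JUMPHOST, UPDATE_IP_TOMORROW, 443))
    print("FW, update.myapp.com:     ", firewall_decide(FIREWALL_RULES, JUMPHOST, "update.myapp.com", 443))
    print("FW, other.example.com:    ", firewall_decide(FIREWALL_RULES, JUMPHOST, "other.example.com", 443))
```

The NSG rule silently breaks when the update server moves to a new address, and it would also admit any other site hosted on the pinned address; the FQDN rule does neither, which is why the answer is Azure Firewall and not an NSG.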
Question 58 of 65
58. Question
Your company has configured a hybrid identity with an on-premises Active Directory (AD) domain and an Azure AD tenant. Azure AD Connect is deployed. User accounts are synchronized between the on-premises domain and the Azure AD domain. On-premises applications are deployed to enable the access from outside your company network. You need to configure prerequisites to provide multi-factor authentication (MFA) access to these applications. What should you deploy or implement? Choose the correct answer
Correct
You should deploy and implement Azure AD Application Proxy. Application Proxy provides remote access to on-premises applications through Azure AD, which is what allows Conditional Access and MFA to be enforced on them. It is the prerequisite for MFA on on-premises applications that have been published for access from outside the network.
You should not implement a Network Policy Server (NPS). The NPS extension is a prerequisite only when you need Azure MFA for RADIUS authentication, which is not required in this scenario.
You should not deploy an Office 365 service. Office 365 is not a requirement for on-premises application access from the Internet.
You should not implement Azure AD Identity Protection. It is not a prerequisite for MFA on these applications, although there may be other reasons to set up Identity Protection.
Question 59 of 65
59. Question
Your company wants to regularly review Azure Active Directory (Azure AD) group membership. All users have been assigned an Azure AD Premium P1 license.
You need to create a new access review for all users in the marketing group. Access review needs to be performed by the group owner every week.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area arrange them in the correct order.
Correct
You should perform the following actions in order:
1. Assign the marketing group owner an Azure AD Premium P2 license.
2. Select the marketing group for access review.
3. Scope the access review users to All users.
4. Specify the recurrence of the review.
First, you should assign the marketing group owner an Azure AD Premium P2 license. To perform a review in this scenario, only the group owner (the reviewer) requires an Azure AD Premium P2 license.
Next, you should select the marketing group for access review. This configures a new access review for members of the marketing group, as the requirements state.
Then, you should scope the access review users to All users. This reviews all members of the marketing group, not only guest users.
Finally, you should specify the recurrence of the review. You set the recurrence by changing the frequency setting to one time, weekly, monthly, quarterly, semi-annually or annually. You should select weekly for this access review, following the requirements.
You should not create a one-time access review. In this scenario you need to perform a weekly access review of the marketing group.
You should not scope the access review users to guests only. All users who are members of the marketing group need to have their access reviewed, not guest users only, as stated in the requirements.
You should not assign all users an Azure AD Premium P2 license. This is not required; only the group owner requires the license.
You should not assign an Azure AD Premium P2 license to the marketing group. With group-based licensing, every member of the group would automatically receive the license, which is not required.
Question 60 of 65
60. Question
Your company has an Azure Active Directory (Azure AD) Premium P2 tenant. Your company requires multi-factor authentication (MFA) for all users. You plan to use Azure AD Identity Protection to improve your company's security posture and to configure an Azure MFA registration policy. You have not configured self-service password reset.
Whenever possible, users should be able to self-remediate when Identity Protection risk events occur. The user risk policy should apply to administrative users only. The sign-in risk policy should apply to all users. You need to determine whether Azure AD Identity Protection meets your requirements.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct
Users cannot self-remediate after user risk events. The remediation for user risk is a secure password change, which relies on self-service password reset (SSPR); SSPR must therefore be configured before the event occurs, and it is not configured in this scenario.
Users can self-remediate after sign-in risk events. Completing MFA is the remediation for sign-in risk, and after successful remediation the risk event is closed automatically.
You can choose the users and groups to which each risk policy applies (and exclude specific ones). This lets you apply the user risk policy to administrators only and the sign-in risk policy to all users, as required.
Question 61 of 65
61. Question
Your company has an Azure subscription, Sub1, that is associated with an Azure Active Directory (Azure AD) tenant named company1.com. Your colleague Darla is a Global Administrator in the company1.com tenant. You transfer Sub1 to a new Azure AD tenant named company2.com. You need to ensure that Darla retains access to Sub1. What action should you take? Choose the correct answer
Correct
To ensure that Darla maintains access to Sub1 resources, you should invite Darla into the company2.com Azure Active Directory (Azure AD) tenant by using Azure AD Business-to-Business (B2B) collaboration. When you move a subscription to another Azure AD tenant, all role-based access control (RBAC) role assignments are lost, because they reference identities in the old tenant. This means you need to either create new accounts in the new tenant or use Azure AD B2B to invite the existing users, and then re-create the role assignments. If you take no action, Darla will lose access to Sub1 resources.
You should not transfer the billing ownership of Sub1 to Darla. First, subscription billing ownership is not affected by a move to another Azure AD tenant. Second, the scenario says that Darla is a Global Administrator but not the subscription's designated billing administrator.
You should not update an Azure Key Vault's tenant ID. Although this action would be required if the subscription included a key vault (its access policies are bound to the old tenant), the scenario makes no mention of such a resource.
Question 62 of 65
62. Question
Your company is migrating an on-premises payroll solution to a cloud solution. Azure Active Directory (Azure AD) Connect is configured, and identities are synchronized from the AD domain to Azure. The domain functional level is Windows Server 2012 R2. Active Directory Federation Services (ADFS) is used for single sign-on. When users connect to the cloud solution, they are prompted to enter their credentials. You need to allow users to connect to the new payroll solution without being prompted for authentication. Which two actions should you perform? Each correct answer presents part of the solution.
Correct
You should create a new app registration in the Azure portal and send the SAML metadata file to the payroll provider. When you create an app registration in the Azure portal, there are a few configuration settings you need to set, such as the reply URL, to which the authenticated token is sent back, or the terms of service URL, a URL containing any terms of service for the application. There are templates for many well-known applications, or you can create a custom configuration if required. Regardless of the method chosen, the provider needs a copy of the SAML metadata file. The file is XML-formatted and contains, among other things, the public token-signing certificate. That certificate is what the provider uses to verify the signature on the SAML token generated by Azure AD, which establishes where the token was issued and that it has not been tampered with. The provider configures its system to accept only tokens signed by the token-signing certificate published in the Azure AD app configuration.
You should not add the payroll company as a relying party trust in the ADFS console. Although ADFS is an identity provider, it is not required when federating an Azure AD enterprise application; Azure AD issues the SAML token itself.
You should not send only the token-signing certificate to the payroll company. The certificate is used to verify the issued token and is required for single sign-on (SSO), but additional data is needed to complete the SSO setup. The payroll provider also needs the endpoint URLs, information about the supported bindings, the identifier (entity ID), and the public keys, and the certificate alone does not carry the endpoints, bindings, or identifier; the metadata file does.
Question 63 of 65
63. Question
You are the Azure administrator for your company. Your company has resources on-premises as well as in Azure. All Azure resources are in the West Europe region in a single subscription. A third-party solution monitors the on-premises resources for suspicious activity, including monitoring the security logs. You need to configure a similar solution for the Azure resources. You must monitor the security log and alert on any events with EventID 4648. What should you do? Choose the correct answer
Correct
You should create a new alert rule that uses the search query SecurityEvent | where EventID == 4648. When you create a log alert rule, you specify the Log Analytics workspace to query, write the condition in Kusto Query Language (KQL), and set how often the query runs and how far back it looks, for example every hour over the previous hour. Each evaluation whose results exceed the threshold you set fires an alert in Azure Monitor, which can notify administrators through an action group.
You should not create a new alert rule, select the security event log, and filter for EventID 4648. Alert rules query a connected workspace, not an event log on the VM; the security log must first be collected into the workspace.
You should not create a runbook to export the Windows security log. Runbooks are used to automate and schedule code, for example PowerShell scripts; they are not the mechanism for alerting on log events.
You should not export the security log to Log Analytics by using the Microsoft Graph API and filter for EventID 4648. The Microsoft Graph API exposes REST endpoints for Azure Active Directory (Azure AD), Office 365, and other Microsoft cloud services; it does not export a VM's security log to Log Analytics.
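The evaluation a scheduled log alert performs, reproduced as an added example in Python (not part of the practice test) over constructed SecurityEvent rows so it runs offline: it applies the rule's lookback window, keeps rows matching the KQL condition above, compares the count to a threshold, and summarizes by computer, subject account and target account the way a `summarize count() by` clause would. Event 4648 is "A logon was attempted using explicit credentials" (runas and similar use of a second credential), which is why teams watch it. Timestamps, hosts and account names are constructed.

```python
"""Added example, not part of the practice test: one evaluation of a scheduled
log alert, mirroring  SecurityEvent | where EventID == 4648  over a lookback
window, done in Python over constructed rows so it runs offline.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

EXPLICIT_CREDENTIAL_LOGON = 4648   # "A logon was attempted using explicit credentials"


def utc(stamp: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC, like TimeGenerated in the table."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed SecurityEvent rows (a subset of the table's columns).
SAMPLE_EVENTS = [
    {"TimeGenerated": utc("2024-01-01T11:30:00"), "EventID": 4648, "Computer": "web01",
     "Account": "CORP\\svc-deploy", "TargetAccount": "CORP\\Administrator"},
    {"TimeGenerated": utc("2024-01-01T11:40:00"), "EventID": 4624, "Computer": "web01",
     "Account": "CORP\\alice", "TargetAccount": ""},
    {"TimeGenerated": utc("2024-01-01T11:55:00"), "EventID": 4648, "Computer": "web01",
     "Account": "CORP\\svc-deploy", "TargetAccount": "CORP\\Administrator"},
    {"TimeGenerated": utc("2024-01-01T09:00:00"), "EventID": 4648, "Computer": "db01",
     "Account": "CORP\\bob", "TargetAccount": "CORP\\sa-backup"},
]

EVALUATION_TIME = utc("2024-01-01T12:00:00")   # when the hourly schedule fires


def evaluate_log_alert(events, now, lookback_minutes=60,
                       event_id=EXPLICIT_CREDENTIAL_LOGON, threshold=0):
    """Filter the lookback window, count matches, compare to the threshold."""
    window_start = now - timedelta(minutes=lookback_minutes)
    hits = [e for e in events
            if window_start < e["TimeGenerated"] <= now and e["EventID"] == event_id]
    by_source = Counter((e["Computer"], e["Account"], e["TargetAccount"]) for e in hits)
    return {
        "fired": len(hits) > threshold,
        "count": len(hits),
        "summary": dict(by_source),        # what an analyst sees in the alert payload
        "window": (window_start, now),
    }


if __name__ == "__main__":
    result = evaluate_log_alert(SAMPLE_EVENTS, EVALUATION_TIME)
    print("fired:", result["fired"], "count:", result["count"])
    for (computer, account, target), n in result["summary"].items():
        print(f"  {computer}: {account} -> {target} x{n}")
```

The row at 09:00 is outside the one-hour window and the 4624 row does not match the condition, so the hourly evaluation fires on the two explicit-credential logons from web01; widening the lookback to four hours picks up the db01 event as well, which is the knob to tune when the on-premises tool's alert latency has to be matched.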
Question 64 of 65
64. Question
Your company uses Azure Container Registry (ACR) to store Docker images for internal development use. You need to configure the registry so that developers can log into the registry by using the registry name as the username and an access key as the password. What should you do? Choose the correct answer
Correct
You should enable the admin user on your Azure Container Registry (ACR) resource. In the Azure portal, browse to your registry, select the Access keys setting, and move the Admin user slider from Disable to Enable. Azure generates two interchangeable access keys. Developers can then run docker login to authenticate to the registry by supplying the registry name as the user name and one of the access keys as the password. Keep in mind that the admin account is a single shared credential with full push and pull rights on the registry; Microsoft recommends leaving it disabled unless a scenario like this one requires it, and regenerating the keys if they are ever exposed.
You should not create a system-assigned managed identity. A managed identity is an Azure AD identity for an Azure resource (comparable to a service account in on-premises Active Directory) that lets a service such as a VM or an AKS cluster authenticate to the registry without stored credentials; it does not give developers a registry-name and access-key login, so it does not support the login goal.
You should not assign the developers to the AcrPull RBAC role, because doing so does not accomplish the goal. It is true that Microsoft offers a number of sub-administrative roles for ACR access; specifically, the AcrPull role grants users the ability to download (pull) Docker images hosted in the ACR instance, authenticating with their own Azure AD identity rather than a shared key.
You should not define a service endpoint for the registry. Service endpoints let you associate certain Azure resources (including ACR) with one or more virtual networks (VNets) in your Azure subscriptions. Doing so restricts access to the resource from the public internet and therefore improves security, but it does not accomplish the goal.
Question 65 of 65
65. Question
Your company deploys three virtual machines (VMs) in Azure that are configured as shown in the exhibit.
You need to enable and configure updates for the VMs. You should use the minimum number of update deployments, and administrators should be notified when a deployment completes.
How should you configure Update Management? To answer, drag the appropriate configuration value to each update management property. A configuration value may be used once, more than once, or not at all.
Correct
You should create one update deployment. When creating a new update deployment, you choose either Windows or Linux as the target operating system; you do not need a separate deployment or group for each operating system version. Because all of the deployed VMs run Windows, a single update deployment covers them.
You should use an action group to notify administrators when a deployment completes. An action group is a reusable collection of notification settings (email, SMS, voice, push, and automated actions) that Azure Monitor alerts invoke. Grouping the administrators in one action group ensures they are consistently notified about the relevant events. In this example you would create an action group that contains the email addresses of all administrators and reference it from the alert that fires when the update run completes.
You should not use an Automation account to notify administrators. An Automation account hosts Update Management and its runbooks; it is not a notification mechanism.
You should not use a Post-script. When creating a new update deployment, you can specify a single Pre-script and Post-script. These are Automation runbooks executed before or after the update deployment runs, intended for preparation and cleanup tasks such as starting or stopping machines, not for notifying administrators.