Exams > Microsoft > AZ-500: Microsoft Azure Security Technologies
AZ-500: Microsoft Azure Security Technologies
Page 2 out of 39 pages Questions 11-20 out of 388 questions
Question#11

You have an Azure subscription.
You enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
Your company's security policy for administrator accounts has the following conditions:
✑ The accounts must use multi-factor authentication (MFA).
✑ The accounts must use 20-character complex passwords.
✑ The passwords must be changed every 180 days.
✑ The accounts must be managed by using PIM.
You receive multiple alerts about administrators who have not changed their password during the last 90 days.
You need to minimize the number of generated alerts.
Which PIM alert should you modify?

  • A. Roles are being assigned outside of Privileged Identity Management
  • B. Roles don't require multi-factor authentication for activation
  • C. Administrators aren't using their privileged roles
  • D. Potential stale accounts in a privileged role
Discover Answer Hide Answer

Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts?tabs=new

Question#12

Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD). Azure AD Connect is installed on a domain member server named Server1.
You need to ensure that a domain administrator for the adatum.com domain can modify the synchronization options. The solution must use the principle of least privilege.
Which Azure AD role should you assign to the domain administrator?

  • A. Security administrator
  • B. Global administrator
  • C. User administrator
Discover Answer Hide Answer

Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

Question#13

You have an Azure subscription that contains the users shown in the following table.

Which users can enable Azure AD Privileged Identity Management (PIM)?

  • A. User2 and User3 only
  • B. User1 and User2 only
  • C. User2 only
  • D. User1 only
Discover Answer Hide Answer

Answer: A
For Azure AD roles in PIM, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators.
Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in PIM.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan

Question#14

You have an Azure subscription.
You plan to create a custom role-based access control (RBAC) role that will provide permission to read the Azure Storage account.
Which property of the RBAC role definition should you configure?

  • A. NotActions []
  • B. DataActions []
  • C. AssignableScopes []
  • D. Actions []
Discover Answer Hide Answer

Answer: D
To 'Read a storage account', ie. list the blobs in the storage account, you need an 'Action' permission.
To read the data in a storage account, ie. open a blob, you need a 'DataAction' permission.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions

Question#15

You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant.
You plan to implement Azure Active Directory (Azure AD) Identity Protection.
You need to ensure that you can configure a user risk policy and a sign-in risk policy.
What should you do first?

  • A. Purchase Azure Active Directory Premium Plan 2 licenses for all users.
  • B. Register all users for Azure Multi-Factor Authentication (MFA).
  • C. Enable security defaults for Azure AD.
  • D. Enable Azure Defender in Azure Security Center.
Discover Answer Hide Answer

Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa

Question#16

HOTSPOT -
You have the hierarchy of Azure resources shown in the following exhibit.

RG1, RG2, and RG3 are resource groups.
RG2 contains a virtual machine named VM2.
You assign role-based access control (RBAC) roles to the users shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Discover Answer Hide Answer

Answer:

Question#17

HOTSPOT -
You plan to implement an Azure function named Function1 that will create new storage accounts for containerized application instances.
You need to grant Function1 the minimum required privileges to create the storage accounts. The solution must minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Discover Answer Hide Answer

Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/howto-assign-access-portal

Question#18

You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant.
From the Azure portal, you register an enterprise application.
Which additional resource will be created in Azure AD?

  • A. a service principal
  • B. an X.509 certificate
  • C. a managed identity
  • D. a user account
Discover Answer Hide Answer

Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added

Question#19

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the resources shown in the following table.

User2 is the owner of Group2.
The user and group settings for App1 are configured as shown in the following exhibit.

You enable self-service application access for App1 as shown in the following exhibit.

User3 is configured to approve access to App1.
After you enable self-service application access for App1, who will be configured as the Group2 owner and who will be configured as the App1 users? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Discover Answer Hide Answer

Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access

Question#20

HOTSPOT -
You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-
1111111111.
You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.
What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Discover Answer Hide Answer

Answer:
Note: Assigning a custom RBAC role as the Management Group level is currently in preview only. So, for now the answer to the assignable scope is the subscription level.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-5-assignable-scopes

chevron rightPrevious Nextchevron right