Azure AZ-500 Security Technologies Practice Test Set 3

You are configuring Azure Policy. Which one of the following policy effects requires you to assign a managed identity for the assignment?


Options are :

  • Append
  • Audit
  • AuditIfNotExists
  • Deny
  • DeployIfNotExists
  • Disabled

Answer : DeployIfNotExists

You enable soft-delete and purge protection on your company's Azure Key Vault. A malicious user deletes your company's key vault, thereby preventing decryption of most of your Azure data.

T/F: The malicious user, having the Owner RBAC role at the subscription level, removes the purge protection from the vault and purges (permanently deletes) the vault. You start looking for a new job...


Options are :

  • True
  • False

Answer : False

How many keys are required as part of an Azure SQL Database AlwaysEncrypted architecture?


Options are :

  • 1
  • 2
  • 3
  • 4
  • Unlimited

Answer : 2

T/F: RBAC in Azure determines if a user is given access to a system when he/she provides his/her username and password. 


Options are :

  • True
  • False
  • It depends

Answer : False

See the outbound NSG in the exhibit.

The NSG is assigned to a VM NIC.

Which of the following is true?


Options are :

  • The VM has connectivity to the internet
  • The VM has connectivity to other VMs on the same subnet
  • The VM can resolve DNS names
  • The VM has connectivity to other VMs on the same Vnet

Answer :

  • The VM has connectivity to other VMs on the same subnet
  • The VM can resolve DNS names
  • The VM has connectivity to other VMs on the same Vnet

See the PowerShell output in the exhibit.

What RBAC role is being represented here?


Options are :

  • Contributor
  • Reader
  • Owner
  • Security Reader
  • Read-only
  • Custom role with read-only permissions

Answer : Reader

You create a new Azure subscription and deploy a Windows VM. You want to query the event logs of the Azure VM using Azure Monitor. Which of the following do you have to do? Each option represents part of the solution and is not in order.


Options are :

  • In Log Analytics Workspace, advanced settings, add Windows event logs
  • Create a Log Analytics Workspace
  • In Azure Monitor, Logs, run query
  • In the VM, add the Log Analytics agent extension
  • In the Log Analytics Workspace, connect the VM
  • In Azure Monitor, connect the VM

Answer :

  • In Log Analytics Workspace, advanced settings, add Windows event logs
  • Create a Log Analytics Workspace
  • In Azure Monitor, Logs, run query
  • In the Log Analytics Workspace, connect the VM

You have an existing AD Connect implementation. You have to prevent users from a certain department from being synchronised to AAD. What tool do you use?


Options are :

  • AAD Connect wizard on the AD Connect server
  • Synchronization Rules Editor on the AD Connect server
  • AAD Connect in the Azure portal
  • AD Users and Computers on the local DC

Answer : Synchronization Rules Editor on the AD Connect server

What format is an OpenID Connect token?


Options are :

  • XML
  • SAML
  • JWT
  • Java

Answer : JWT

Which two of the following are objects you can configure to apply AAD PIM to?


Options are :

  • Access Reviews
  • AAD Roles
  • AAD Groups
  • Azure Resources
  • AAD Dynamic Groups

Answer :

  • AAD Roles
  • Azure Resources

In Azure SQL Database AlwaysEncrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. Plaintext data values always produce the same ciphertext:


Options are :

  • Deterministic
  • Randomized

Answer : Deterministic

In Azure SQL Database AlwaysEncrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. SQL Server can use the encrypted columns in joins and lookups:


Options are :

  • Deterministic
  • Randomized

Answer : Deterministic

In Azure SQL Database AlwaysEncrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. Highest level of security:


Options are :

  • Deterministic
  • Randomized

Answer : Randomized

In Azure SQL Database AlwaysEncrypted, two types of column encryption are supported. Match the requirement with the appropriate column encryption type. Not suitable for columns containing boolean data:


Options are :

  • Deterministic
  • Randomized

Answer : Deterministic

You create a new Azure Key Vault and want to ensure that malicious permanent deletions of key vault items can be recovered for 90 days. What at a minimum would you have to enable on the Key Vault?


Options are :

  • Soft-delete only
  • Purge protection only
  • Soft-delete and purge protection
  • Delete lock only
  • Read-only lock only

Answer : Soft-delete only

Review the exhibit.

Which option would you choose to adjust the log data retention settings for this Azure Log Analytics Workspace? 


Options are :

  • Advanced Settings
  • Logs
  • Pricing tier
  • Usage and estimated costs
  • Properties

Answer : Usage and estimated costs

Which of the following are default rules created with a network security group?


Options are :

  • DenyAllInBound
  • DenyAllOutBound
  • DenyVnetInBound
  • DenyVnetOutBound

Answer : DenyAllInBound

You must minimise costs. What is the minimum license required to configure Azure AD MFA?


Options are :

  • Azure AD Premium P1
  • Azure AD Premium P2
  • No license is required
  • Any Office 365 license
  • No license is required, but the user must be an Azure AD Global Administrator

Answer : No license is required, but the user must be an Azure AD Global Administrator

When configuring AAD conditional access policies, which of the following are mandatory requirements?


Options are :

  • User / group
  • Cloud Apps
  • Sign-in risk
  • Device platforms
  • Device state
  • Location
  • Client apps
  • Access controls

Answer :

  • User / group
  • Cloud Apps
  • Access controls

Which option in the exhibit would you choose to configure endpoint security?



Options are :

  • Networking
  • Security
  • Extensions
  • Configuration
  • Identity
  • Locks

Answer : Extensions

You are deploying Azure Firewall as in the exhibit.


You want to ensure all traffic from Workload-SN going to www.google.com is routed through the Azure Firewall

What do you have to create in Workload-SN to ensure that Test-FW01 will inspect outgoing traffic?


Options are :

  • NSG
  • Route Table
  • Firewall Rule

Answer : Route Table

You are deploying Azure Firewall as in the exhibit.

You want to ensure all traffic from Workload-SN going to www.google.com is routed through the Azure Firewall

How should the next hop in Workload-SN be configured?


Options are :

  • FW Public IP
  • FW Name
  • FW Internal IP
  • Blank

Answer : FW Internal IP

You are deploying Azure Firewall as in the exhibit.

You want to ensure all traffic from Workload-SN going to www.google.com is routed through the Azure Firewall

What address prefix should you configure in Workload-SN?


Options are :

  • 0.0.0.0/0
  • 255.255.255.255/255
  • Blank
  • FW Internal IP

Answer : 0.0.0.0/0

You are deploying Azure Firewall as in the exhibit.

You want to ensure all traffic from Workload-SN going to www.google.com is routed through the Azure Firewall

What should you configure on Test-FW01?


Options are :

  • Network rule
  • Route Table
  • Application rule
  • Nothing

Answer : Application rule

You are deploying Azure Firewall as in the exhibit.

You want to ensure all traffic from Workload-SN going to www.google.com is routed through the Azure Firewall

What should you configure on Test-FW01 to ensure successful DNS resolution from Workload-SN?


Options are :

  • Network rule
  • Route Table
  • Application rule
  • Nothing

Answer : Network rule

You are configuring AIP policies. You specify two labels:

Label1: matches "Word1"

Label2: matches "Word2"

You create a document in MS Word that contains both words. Which label is applied?


Options are :

  • Label1
  • Label2
  • Label1 and Label2
  • No label

Answer : Label2

What tools are available to you for changing the key scenario in AIP (from Microsoft managed to BYOK for example)?


Options are :

  • Azure portal
  • O365 management portal
  • Security and Compliance Centre
  • Windows PowerShell
  • Azure CLI

Answer : Windows PowerShell

You must minimise costs. What is the minimum license required to configure Azure AD Conditional Access?


Options are :

  • Azure AD Premium P1
  • Azure AD Premium P2
  • No license is required
  • Any Office 365 license
  • No license is required, but the user must be an Azure AD Global Administrator

Answer : Azure AD Premium P1

When configuring a privileged access review, what are the three available settings when an assigned reviewer does not complete the review before the configured review ends?


Options are :

  • Do nothing
  • Take recommendations
  • Remove Access
  • Approve Access
  • Prompt owner

Answer :

  • Take recommendations
  • Remove Access
  • Approve Access

When you configure Azure AD PIM for the first time, what are the three things you must do?


Options are :

  • Consent to PIM; verify your identity with MFA; sign-up PIM for AD roles
  • Consent to PIM; verify your identity with MFA; discover AD roles; sign-up PIM for AD roles
  • Verify your identity with MFA; consent to PIM; discover AD roles; sign-up PIM for AD roles
  • Verify your identity with MFA; consent to PIM; sign-up PIM for AD roles

Answer : Consent to PIM; verify your identity with MFA; sign-up PIM for AD roles

You deploy several VMs in Azure. You need to ensure that all the VMs have a consistent OS configuration including registry settings. Which of the following options would you configure?


Options are :

  • ARM templates
  • Desired State Configuration
  • Application Security Groups
  • Device configuration policies

Answer : Desired State Configuration

You're like the most awesome SQL DBA ever. You connect to your Azure SQL Database using SSMS and authenticate using the dialog as in the exhibit.

Which user account credentials do you supply?


Options are :

  • Your Azure AD account credentials
  • Your on-premises AD account credentials (your Windows workstation is joined to a different AD domain)
  • The same user account you are signed in to your Windows workstation as
  • Your on-premises AD account credentials (your Windows workstation is joined to the same AD domain)
  • Your database user account

Answer : Your on-premises AD account credentials (your Windows workstation is joined to a different AD domain)

Which of the following will generate an alert from SQL ATP?


Options are :

  • A user updates more than half of the content of a table in a single procedure
  • "password' OR 1=1" entered into a password field
  • A user is added to the db_owner database role
  • A user deletes more than 50% of the content of a table in a single procedure

Answer : "password' OR 1=1" entered into a password field

You need to ensure that data is secured in transit for a web application on your Azure subscription. Which of the following is required? Each answer is part of the solution and you have to minimise costs. Choose 4.


Options are :

  • Upload a certificate to Azure Key Vault
  • Obtain a custom domain name
  • Purchase an app service certificate
  • Purchase a certificate from a CA
  • Create a self-signed certificate
  • Create SSL bindings
  • Deploy Azure Application Gateway

Answer :

  • Upload a certificate to Azure Key Vault
  • Obtain a custom domain name
  • Purchase an app service certificate
  • Create SSL bindings

Your organisation has a new regulatory requirement that all cloud VM deployments must meet the Center for Internet Security Hardened Benchmarks. How can you ensure that this requirement is met while minimising costs, downtime and administrative effort? Each option represents part of the solution and is not listed in order.  Select each of the options that you should do. 



Options are :

  • Assign a built-in Azure Policy
  • Choose a CIS VM image when creating new VMs
  • Download CIS-compliant VM images from www.cisecurity.org
  • Assign a custom Azure Policy
  • Review compliance against Azure Policy
  • Redeploy non-compliant VMs
  • Create a separate compliance Resource Group
  • Create an application security group

Answer :

  • Choose a CIS VM image when creating new VMs
  • Assign a custom Azure Policy
  • Review compliance against Azure Policy
  • Redeploy non-compliant VMs

You create an Azure Policy assignment as in the exhibit.


For each of the following, select all the statements which are true. 


Options are :

  • Creating new non-compliant resources is blocked
  • Creating new non-compliant resources is allowed but generates a validation warning
  • Creating new non-compliant resources is allowed but requires Owner RBAC role on the resource container (resource group)
  • Non-compliant resources are reported on the Azure Policy compliance blade
  • Non-compliant resources are stopped
  • Non-compliant resources are deleted

Answer :

  • Creating new non-compliant resources is blocked
  • Non-compliant resources are reported on the Azure Policy compliance blade

What standard is used for 3rd-party MFA hardware token authentication?


Options are :

  • OATH
  • OAuth
  • AD Connect
  • OpenID Connect
  • JSON Web Token (JWT)

Answer : OATH

You create an AAD conditional access policy that blocks the "Developers" group from accessing the Azure portal.

Another administrator configures an additional AAD conditional access policy that blocks the "Developers" group from accessing the Azure portal unless they supply MFA.

T/F: A user who is a member of the "Developers" group attempts to access the Azure portal and is prompted for MFA before being allowed access.


Options are :

  • True
  • False

Answer : False

You are deploying VMs using JSON templates. You want to include enrolment into Azure Log Analytics as part of the deployment. Which two parameters must you include in the JSON template?


Options are :

  • StorageAccountKey
  • WorkspaceKey
  • WorkspaceName
  • WorkspaceURL
  • WorkspaceID

Answer :

  • WorkspaceKey
  • WorkspaceID

Choose one correct answer to indicate the object for each of the listed RBAC assignment properties.


Options are :

  • Role Definition = Resource Group
  • Role Definition = Owner
  • Role Definition = Group
  • Role Definition = Domain Administrator
  • Scope = Resource Group
  • Scope = Owner
  • Scope = Group
  • Scope = Tenant
  • Security Principal = Resource group
  • Security Principal = Owner
  • Security Principal = Group
  • Security Principal = Subscription

Answer :

  • Role Definition = Owner
  • Scope = Resource Group
  • Security Principal = Group

You have a custom-written Web app and already-deployed Azure SQL Database. You are configuring security using Managed Service Identity (MSI). Which of the following must you do? Each selection represents part of the solution.


Options are :

  • Create and configure Azure Key Vault
  • Create a secret in AKV
  • Create an app registration in Azure Active Directory
  • Create a client secret for the registered app
  • Configure Active Directory admin in Azure SQL Database server

Answer :

  • Create an app registration in Azure Active Directory
  • Configure Active Directory admin in Azure SQL Database server

Having which two of these roles will allow you to create a custom RBAC role?


Options are :

  • Owner
  • Contributor
  • User Access Administrator
  • Security Admin
  • User Administrator

Answer :

  • Owner
  • User Access Administrator

Which of the following describes credential stuffing?


Options are :

  • An attacker attempts to crack a password using every possible character combination
  • An attacker uses a database of pre-calculated password hashes against a security accounts database
  • An attacker attempts to replay intercepted authentication traffic
  • An attacker uses a database of breached credentials against public web services

Answer : An attacker uses a database of breached credentials against public web services

User1, User2 and User3 have the role of owner in a subscription.

You create an AAD PIM access review and specify the reviewers as "Members (self)".

For which users can User3 perform the access review?


Options are :

  • User1, User2 and User3
  • User3 only

Answer : User3 only

Which of the following is possible if a user has been granted the Contributor role for a specific virtual machine in Azure?


Options are :

  • Delete the virtual machine
  • Stop the virtual machine
  • Change the virtual machine size
  • RDP to the virtual machine
  • Create a lock on the virtual machine

Answer :

  • Delete the virtual machine
  • Stop the virtual machine
  • Change the virtual machine size
