Azure AZ-500 Security Technologies Practice Test Set 4

Which of the following are valid Azure policy effects? Choose 5.


Options are :

  • Scope
  • Deny
  • Allow
  • Initiate
  • Audit
  • AuditIfNotExists
  • DeployIfNotExists
  • DeleteIfNotComply
  • Append

Answer : Deny; Audit; AuditIfNotExists; DeployIfNotExists; Append

What users or groups does the AIP global policy apply to?


Options are :

  • Azure AD Global Admins
  • Azure RBAC Owners
  • Everyone in the organisation
  • All users and/or groups configured in the AIP global policy

Answer : Everyone in the organisation


You successfully created a new information protection label in AIP, but the new label is not available to the targeted user. Which of the following would make the label available to the user?


Options are :

  • Reinstall Azure Information Protection Client
  • Get the user to log out and back in
  • Get the user to close and reopen the document
  • Create a new AIP policy

Answer : Create a new AIP policy

User1 is assigned an AAD Identity Protection user risk policy and enabled for "medium and above" risk. The user signs in from an anonymous IP. Is the policy applied to the user?


Options are :

  • Yes
  • No
  • Maybe
  • It depends

Answer : Yes

A user is configured for MFA in the Azure portal.

The user has not been assigned an Azure AD Premium license, or any other license, and is not an administrator.

There are no unassigned Azure AD Premium licenses available in the tenant.

The user attempts to log in to myapps.microsoft.com.

Which of the following happens?


Options are :

  • The user cannot log in
  • The user is permitted to log in using username and password without MFA
  • The user is prompted for MFA and the subscription where Azure AD is configured is charged using per-user consumption-based billing
  • The user is prompted for MFA without charge and the subscription owner is notified of the license issue
  • The user is prompted for MFA without charge for 10 logins, after which the user is blocked

Answer : The user is prompted for MFA and the subscription where Azure AD is configured is charged using per-user consumption-based billing


Which of the following Azure resources allows the configuration of a resource firewall? Choose 3.


Options are :

  • Azure Virtual Machine
  • Azure Storage Account
  • Azure SQL Database
  • Azure SQL Server
  • Azure Virtual Network
  • Azure Resource Group
  • Azure Firewall

Answer : Azure Storage Account; Azure SQL Database; Azure SQL Server

You have the following built-in Azure policies applied.

Policy1: RG1: AllowedResourcesTypes: virtualMachines

Policy2: RG2: NotAllowedResourceTypes: virtualMachines

Policy3: RG3: NotAllowedResourceTypes: virtualNetworks/subnets

Which of the following actions can you perform?


Options are :

  • Add a VM to RG1
  • Add a VNet to RG1
  • Add a VM to RG2
  • Add a VM to RG3
  • Add a VNet to RG3
  • Add a subnet to RG3

Answer : Add a VM to RG1; Add a VM to RG3; Add a VNet to RG3

You create a new Azure Key Vault and want to ensure that accidental deletions of key vault items can be recovered for 90 days. What, at a minimum, would you have to enable on the Key Vault?


Options are :

  • Soft-delete
  • Purge protection
  • Soft-delete and purge protection
  • Delete lock
  • Read-only lock

Answer : Soft-delete


Where would you configure a custom condition in AIP?


Options are :

  • Azure Information Protection Label
  • Azure Information Protection Policy
  • Azure Information Protection Client
  • Azure Active Directory

Answer : Azure Information Protection Label

How long is metrics data stored for?


Options are :

  • 90 days
  • 93 days
  • 60 days
  • 120 days
  • 30 days

Answer : 93 days

A user is registered with Azure AD MFA and has configured SMS text message as the authentication mode. The user browses to myapps.microsoft.com and supplies his username and password. What does the user have to do after the MFA message is received?


Options are :

  • Reply to the text message with #
  • Reply to the text message with the user's MFA PIN
  • Type the OTP into the browser page
  • Type the OTP and the user's MFA PIN into the browser page

Answer : Type the OTP into the browser page

Which three of the following features are not included in the MFA for O365 license?


Options are :

  • Phone call as second factor
  • On-premises MFA server
  • PIN mode
  • Fraud alert
  • Mobile app as second factor
  • SMS as second factor

Answer : On-premises MFA server; PIN mode; Fraud alert

You are configuring Azure Policy. Which one of the following policy effects requires you to assign a managed identity for the assignment?


Options are :

  • Append
  • Audit
  • AuditIfNotExists
  • Deny
  • DeployIfNotExists
  • Disabled

Answer : DeployIfNotExists

You enable soft-delete and purge protection on your company's Azure Key Vault. A malicious user deletes your company's key vault, thereby preventing decryption of most of your Azure data.

T/F: The malicious user, having the Owner RBAC role at the subscription level, removes the purge protection from the vault and purges (permanently deletes) the vault. You start looking for a new job...


Options are :

  • True
  • False

Answer : False


How many keys are required as part of an Azure SQL Database AlwaysEncrypted architecture?


Options are :

  • 1
  • 2
  • 3
  • 4
  • Unlimited

Answer : 2

T/F: RBAC in Azure determines if a user is given access to a system when he/she provides his/her username and password. 


Options are :

  • True
  • False
  • It depends

Answer : False

See the outbound NSG in the exhibit.

The NSG is assigned to a VM NIC.

Which of the following is true?


Options are :

  • The VM has connectivity to the internet
  • The VM has connectivity to other VMs on the same subnet
  • The VM can resolve DNS names
  • The VM has connectivity to other VMs on the same Vnet

Answer : The VM has connectivity to other VMs on the same subnet; The VM can resolve DNS names; The VM has connectivity to other VMs on the same Vnet


See the PowerShell output in the exhibit.

What RBAC role is being represented here?


Options are :

  • Contributor
  • Reader
  • Owner
  • Security Reader
  • Read-only
  • Custom role with read-only permissions

Answer : Reader

You create a new Azure subscription and deploy a Windows VM. You want to query the event logs of the Azure VM using Azure Monitor. Which of the following do you have to do? Each option represents part of the solution; the options are not in order.


Options are :

  • In Log Analytics Workspace, advanced settings, add Windows event logs
  • Create a Log Analytics Workspace
  • In Azure Monitor, Logs, run query
  • In the VM, add the Log Analytics agent extension
  • In the Log Analytics Workspace, connect the VM
  • In Azure Monitor, connect the VM

Answer : In Log Analytics Workspace, advanced settings, add Windows event logs; Create a Log Analytics Workspace; In Azure Monitor, Logs, run query; In the Log Analytics Workspace, connect the VM

When registering an app with Azure AD to use modern authentication, what three fields are configurable when first registering the app?


Options are :

  • Display name
  • App ID
  • App Secret
  • Supported account types
  • Redirect URI

Answer : Display name; Supported account types; Redirect URI


See the structure in the exhibit.


The following assignments are made:

Service principal / Scope / Role definition

- User1 / ITSub / Reader

- User1 / ITServersRg / Contributor

- User1 / DefaultMg1 / Reader

What is the effective role definition for User1 at the following scopes:


Options are :

  • MarketingServer1: Reader
  • MarketingServer1: Contributor
  • MarketingServer1: None
  • ITKv1: Reader
  • ITKv1: Contributor
  • ITKv1: None
  • MarketingSub: Reader
  • MarketingSub: Contributor
  • MarketingSub: None
  • LabServer2: Reader
  • LabServer2: Contributor
  • LabServer2: None

Answer : MarketingServer1: Reader; ITKv1: Reader; MarketingSub: Reader; LabServer2: Contributor

What are the three alert states in Azure Monitor?


Options are :

  • New
  • Fired
  • Assigned
  • Acknowledged
  • Resolved
  • Closed

Answer : New; Acknowledged; Closed

You have a hybrid Azure AD deployment and have just deployed an Azure SQL Database. You have deployed a custom application to a newly created VM (VM1) and you want the application to use the VM's system-assigned managed identity to access the Azure SQL Database. You have a user named User1 who wants to use the application. What steps do you perform to accomplish your goal?


Options are :

  • Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of user
  • Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of limited administrator
  • Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of: global administrator
  • Enable AD authentication on the Access control (IAM) blade of the SQL server
  • Enable AD authentication on the Active Directory Admin blade of the SQL server
  • Enable the system assigned managed identity for the VM using the Azure Active Directory blade
  • Enable the system assigned managed identity for the VM using the VM Identity blade
  • Create a contained database user specifying the VM managed identity in the database using CREATE USER [VM1] FROM EXTERNAL PROVIDER
  • Create a contained database user specifying the VM managed identity in the database using CREATE USER [VM1] FROM EXTERNAL AZURE
  • Give the user permissions in the database using ALTER ROLE db_datareader ADD MEMBER [VM1]
  • Give the user permissions in the database using ALTER ROLE db_datareader ADD MEMBER [User1]
  • The application connects to the SQL server using the Access token
  • The application connects to the SQL server using the VM user account

Answer : Create an Azure AD user account that will serve as the SQL server administrator and assign the AD role of user; Enable AD authentication on the Active Directory Admin blade of the SQL server; Enable the system assigned managed identity for the VM using the VM Identity blade; Create a contained database user specifying the VM managed identity in the database using CREATE USER [VM1] FROM EXTERNAL PROVIDER; Give the user permissions in the database using ALTER ROLE db_datareader ADD MEMBER [VM1]; The application connects to the SQL server using the Access token


What are the four MFA modes?


Options are :

  • Phone call
  • SMS text message
  • MS Authenticator App
  • Google Authenticator App
  • OATH token code
  • PKI Certificate
  • Self-signed certificate
  • Enabled
  • Disabled
  • Enforced

Answer : Phone call; SMS text message; MS Authenticator App; OATH token code

The exhibit shows the AAD conditional access configuration screen.

You're configuring conditional access that will require a user named Isabella to undergo MFA by using the authenticator app only when accessing the Azure portal.


Options are :

  • Under Assignments select Users and Groups and select Global Administrator
  • Under Assignments select Users and Groups and select Isabella
  • Under Assignments select Users and Groups and select the Azure Users group you created
  • Under Assignments select Cloud apps and select Microsoft Azure Management
  • Under Assignments select Cloud apps and select Azure Portal
  • Under Assignments select Cloud apps and select the Microsoft provider
  • Under Access controls select Grant and check Require multi-factor authentication
  • Under Access controls select Grant and check Notification through mobile app
  • Under Access controls select Grant and check Text message to phone

Answer : Under Assignments select Users and Groups and select Isabella; Under Assignments select Cloud apps and select Microsoft Azure Management; Under Access controls select Grant and check Require multi-factor authentication

When creating a new AIP label, what four areas can be configured?


Options are :

  • General
  • Common
  • Header
  • Marking
  • Protection
  • Encryption
  • Conditions

Answer : Common; Marking; Protection; Conditions


See the exhibit.

You have a corporate compliance requirement that mandates bring your own key for all storage accounts for data at rest encryption. Which area would you use to configure this?


Options are :

  • Access control (IAM)
  • Data transfer
  • Access keys
  • Encryption
  • Shared access signature

Answer : Encryption

What are the four focus areas of Azure Security Center policy?


Options are :

  • Identity
  • VMs
  • Compute and apps
  • Storage
  • Data
  • Network
  • Just in Time (JIT) VM Access
  • Vulnerability management

Answer : Identity; Compute and apps; Data; Network

Which two of the following options are not valid exclusion assignments when creating an Azure policy assignment?


Options are :

  • Resource group
  • Resource
  • Initiative
  • Subscription
  • Tenant
  • Management group

Answer : Initiative; Tenant


Which of the following cannot be used to create a custom RBAC role in Azure?


Options are :

  • Azure CLI
  • Azure Portal
  • Azure PowerShell
  • Azure Cloud Shell
  • REST API

Answer : Azure Portal

You have to ensure the principle of least privilege. Which Azure RBAC role is required to configure a lock on an Azure resource?


Options are :

  • Owner
  • Contributor
  • User Access Administrator
  • User Administrator
  • Security Administrator

Answer : User Access Administrator

Which option in the exhibit would you choose to configure VM hardening?


Options are :

  • Networking
  • Security
  • Extensions
  • Configuration
  • Identity
  • Locks

Answer : Security

In Azure Information Protection there are three types of key scenarios. Match the key scenario with the technology used to create and maintain the keys. Choose 3.


Options are :

  • Key managed by Microsoft: Microsoft
  • Key managed by Microsoft: Key Vault
  • Key managed by Microsoft: AD RMS
  • Key managed by Microsoft: HSM
  • Bring your own key (BYOK): Microsoft
  • Bring your own key (BYOK): Key Vault
  • Bring your own key (BYOK): AD RMS
  • Bring your own key (BYOK): HSM
  • Hold your own key (HYOK): Microsoft
  • Hold your own key (HYOK): Key Vault
  • Hold your own key (HYOK): AD RMS
  • Hold your own key (HYOK): HSM

Answer : Key managed by Microsoft: Microsoft; Bring your own key (BYOK): Key Vault; Hold your own key (HYOK): AD RMS

A user is enrolled for MFA and loses his mobile device, but the company is not doing mobile device management. He gets a new mobile device with the same phone number. You must ensure that his lost device cannot be used to gain unwanted access to his account. Each option below represents part of the solution; the options are not in order. Select all options that you should perform:


Options are :

  • Revoke and reassign the user's AAD P2 license
  • From MFA settings portal, choose service settings and disable "Allow users to remember multi-factor authentication on devices they trust"
  • From MFA settings portal, choose user settings, enable "Require selected users to provide contact methods again"
  • From MFA settings portal, choose user settings, enable "Delete all existing app passwords..."
  • From MFA settings portal, choose user settings, enable "Restore multi-factor authentication on all remembered devices"
  • Disable and re-enable the user's user account

Answer : From MFA settings portal, choose user settings, enable "Delete all existing app passwords..."; From MFA settings portal, choose user settings, enable "Restore multi-factor authentication on all remembered devices"

When doing an app registration in Azure AD, which three of the following options for application permission scopes (supported account types) can be assigned?


Options are :

  • Default Azure AD directory
  • Any Azure AD directory
  • Any Azure AD directory and Personal MS accounts
  • Any Google account
  • Any Facebook account
  • Any federated B2B account

Answer : Default Azure AD directory; Any Azure AD directory; Any Azure AD directory and Personal MS accounts


You have an existing dynamic group in AAD. You want the group to contain users and their devices. What should you configure?


Options are :

  • Create two membership rules that select the users and devices respectively
  • Delete and recreate the group, manually add users and devices
  • Create a membership rule that selects the users. Manually add the devices to the group
  • Create two dynamic groups, one for devices and one for users. Create an assigned group and add the two dynamic groups to it
  • Create a membership rule that selects the devices. Manually add the users to the group

Answer : Delete and recreate the group, manually add users and devices

When assigning an Azure policy, when is it necessary to assign a managed identity?


Options are :

  • When the policy is assigned to a management group and will have effect on multiple subscriptions
  • For any security policy
  • For any policy that includes the DeployIfNotExists policy action
  • For any policy that includes any policy action
  • All policies require a managed identity assigned in order to assess (read) the Azure resources to be assessed

Answer : For any policy that includes the DeployIfNotExists policy action

Which three of the following options are valid scope assignments when creating an Azure policy assignment?


Options are :

  • Resource group
  • Resource
  • Initiative
  • Subscription
  • Tenant
  • Management group

Answer : Resource group; Subscription; Management group


You create an Azure Policy assignment to a subscription. Which two of the following are valid scope exclusions?


Options are :

  • Resource group
  • Resource
  • Initiative
  • Subscription
  • Tenant
  • Management group

Answer : Resource group; Resource

What are the two Azure Monitor alert conditions?


Options are :

  • New
  • Fired
  • Assigned
  • Acknowledged
  • Resolved
  • Closed

Answer : Fired; Resolved

As part of an Azure SQL Database AlwaysEncrypted configuration, where are the encryption keys stored?


Options are :

  • Column Master Key: AKV
  • Column Master Key: SQL
  • Column Master Key: Client
  • Column Encryption Key: AKV
  • Column Encryption Key: SQL
  • Column Encryption Key: Client

Answer : Column Master Key: AKV; Column Encryption Key: SQL

You have an Azure HDInsight cluster on an Azure VNet. You need to secure communication between the cluster and your on-premises network, establish name resolution and use on-premises AD credentials to administer the cluster. You have to minimise costs. What do you deploy?


Options are :

  • Deploy an on-premises data gateway
  • Deploy AD Connect
  • Deploy a site-to-site VPN
  • Deploy a custom DNS server on the Vnet
  • Deploy network security groups on the Vnet

Answer : Deploy a site-to-site VPN; Deploy a custom DNS server on the Vnet; Deploy network security groups on the Vnet

Check out the exhibit.

You have an Azure SQL database and want to secure access to it from your web application using a Managed Service Identity (MSI). You create an app registration for your application in AAD and now need to give permission to the app on the Azure SQL Database server. Which option do you choose?


Options are :

  • Active Directory admin
  • SQL databases
  • Properties
  • Locks
  • Advanced Data Security

Answer : Active Directory admin

In OAuth 2.0 / OpenID Connect, what does the authentication provider return to the browser after a successful authentication?


Options are :

  • Certificate
  • ID Token
  • Session Key
  • Session Secret
  • Azure Key Vault

Answer : ID Token


Review the exhibit.

What option do you choose to configure MFA authentication methods?


Options are :

  • Overview
  • Security
  • Users
  • Groups
  • Identity Governance
  • User settings

Answer : Users
