Azure AZ-500 Security Technologies Practice Test Set 5

What is the difference between OpenID Connect and OAuth 2.0?


Options are :

  • OAuth 2.0 is a protocol used for authentication
  • OAuth 2.0 is a protocol used for authorisation
  • OAuth 2.0 is a protocol used for security assertion
  • OpenID Connect is a protocol used for authentication
  • OpenID Connect is a protocol used for authorisation
  • OpenID Connect is a protocol used for security assertion
  • OAuth 2.0 is an extension of OpenID Connect
  • OpenID Connect is an extension of OAuth 2.0

Answer :
  • OAuth 2.0 is a protocol used for authorisation
  • OpenID Connect is a protocol used for authentication
  • OpenID Connect is an extension of OAuth 2.0

When doing an app registration in Azure AD, what are two methods to ensure application security?


Options are :

  • Application Certificate
  • Application key
  • Application secret
  • Azure Key Vault
  • Azure Security Center

Answer :
  • Application Certificate
  • Application secret

T/F: MFA can be implemented by requiring a primary "system access" username and password, and a secondary "application access" username and password.


Options are :

  • True
  • False
  • Don't know

Answer : False

When a user is enabled for MFA in AAD, when would an app password be required?


Options are :

  • When the user doesn't have a license that enables MFA
  • When the user is using an OS other than Windows
  • When the user is using an Android-based mobile device
  • When the user is using an iOS-based mobile device
  • All of the options are correct
  • None of the options are correct

Answer : None of the options are correct

Which of the following authentication methods are not supported for Azure MFA?


Options are :

  • Password
  • Security questions
  • Email address
  • MS authenticator app
  • OATH hardware token
  • SMS
  • Voice call
  • App passwords

Answer :
  • Security questions
  • Email address

Match the Azure RBAC terms and definitions


Options are :

  • Group of users: assignment
  • Group of users: scope
  • Group of users: role
  • Group of users: principal
  • Group of permissions: assignment
  • Group of permissions: scope
  • Group of permissions: role
  • Group of permissions: principal
  • Group of resources: assignment
  • Group of resources: scope
  • Group of resources: role
  • Group of resources: principal
  • Group of access: assignment
  • Group of access: scope
  • Group of access: role

Answer :
  • Group of users: principal
  • Group of permissions: role
  • Group of resources: scope
  • Group of access: assignment

You are creating a custom RBAC role and want to restrict all but a few allowable actions to the new role. What section of the role definition JSON file do you configure?


Options are :

  • Actions
  • NotActions
  • DataActions
  • NotDataActions
  • AssignableScopes

Answer : Actions

You want to ensure the use of trusted container images in your organisation. Which two of the following options should you choose?


Options are :

  • Docker hub
  • Azure container registry
  • Docker trusted registry
  • Azure container instances
  • Azure Kubernetes Service
  • Azure Key Vault

Answer :
  • Azure container registry
  • Docker trusted registry

You are configuring Azure Update Management. You onboarded several VMs that have been deployed to different resource groups and regions. You have configured the following update deployments:

- Item1: VM1, EastUS, RG1, Windows 2008R2

- Item2: VM2, WestUS, RG2, CentOS 6

You want to add additional VMs to the update deployments. Which of the following can you do?


Options are :

  • Add VM3, EastUS, RG2, Windows 2016 to Item1
  • Add VM4, WestEurope, RG1, Windows 2016 to Item1
  • Add VM5, EastUS, RG1, CentOS 6 to Item1
  • Add VM6, EastUS, RG2, CentOS 6 to Item2

Answer :
  • Add VM3, EastUS, RG2, Windows 2016 to Item1
  • Add VM4, WestEurope, RG1, Windows 2016 to Item1
  • Add VM6, EastUS, RG2, CentOS 6 to Item2

Which of the following options would you deploy and configure if you wanted to protect an Azure SQL Database against the OWASP-defined threat of SQL Injection?


Options are :

  • Azure Application Gateway with Web Application Firewall
  • Azure SQL Server Advanced Threat Protection
  • Azure Firewall
  • Network Security Group
  • Application Security Group
  • Azure Security Center Standard

Answer : Azure SQL Server Advanced Threat Protection

You are using Azure Key Vault to provide protection for a custom application your organisation is using. Match the application security issue with the appropriate Key Vault object to be used to secure it.


Options are :

  • The connection string to REDIS cache is stored in the web application configuration file: Secret
  • The connection string to REDIS cache is stored in the web application configuration file: Key
  • The connection string to REDIS cache is stored in the web application configuration file: Certificate
  • SQL AlwaysEncrypted will be configured: Secret
  • SQL AlwaysEncrypted will be configured: Key
  • SQL AlwaysEncrypted will be configured: Certificate
  • Database connection string with username and password is stored in clear text in the web application configuration file: Secret
  • Database connection string with username and password is stored in clear text in the web application configuration file: Key
  • Database connection string with username and password is stored in clear text in the web application configuration file: Certificate
  • Connecting to the web application will be restricted to HTTPS only: Secret
  • Connecting to the web application will be restricted to HTTPS only: Key
  • Connecting to the web application will be restricted to HTTPS only: Certificate

Answer :
  • The connection string to REDIS cache is stored in the web application configuration file: Secret
  • SQL AlwaysEncrypted will be configured: Key
  • Database connection string with username and password is stored in clear text in the web application configuration file: Secret
  • Connecting to the web application will be restricted to HTTPS only: Certificate

You are configuring BYOK for a storage account you manage. Which of the following are not prerequisites for the deployment?


Options are :

  • Azure Key Vault deployed in the same region
  • Azure Key Vault deployed in the same resource group
  • Azure Key Vault deployed in the same subscription
  • Azure Key Vault access policy enabled for volume encryption

Answer :
  • Azure Key Vault deployed in the same resource group
  • Azure Key Vault deployed in the same subscription
  • Azure Key Vault access policy enabled for volume encryption

T/F: Azure SQL Database encrypts sensitive data using the column encryption key (CEK) in an AlwaysEncrypted deployment.


Options are :

  • True
  • False
  • Tralse

Answer : False

You are securing your web application by removing connection strings to Azure SQL Database from the web.config configuration file. What two options do you have in Azure to accomplish your goal?


Options are :

  • Azure Key Vault secret
  • Azure Active Directory Managed Service Identity (MSI)
  • Azure Active Directory Application Registration
  • Azure SQL Database server Active Directory admin
  • Azure SQL Database AlwaysEncrypted
  • Azure SQL Database Transparent Data Encryption (TDE)

Answer :
  • Azure Key Vault secret
  • Azure Active Directory Managed Service Identity (MSI)

You're configuring AIP and want to help your users find more information about the information protection policies and classifications. What would you use to provide this information to users?


Options are :

  • Custom tooltip
  • Custom URL
  • Custom label
  • Custom policy

Answer : Custom URL

From what interface can you launch a previously-configured security playbook?


Options are :

  • Azure Security Center
  • Security Alert
  • Azure Monitor
  • Azure Logic App

Answer : Security Alert

Match the following datasets with the Azure Monitor data store.


Options are :

  • Trace data: Logs
  • Trace data: Telemetry
  • Trace data: Metrics
  • Trace data: Store
  • Point in time resource property: Logs
  • Point in time resource property: Telemetry
  • Point in time resource property: Metrics
  • Point in time resource property: Store
  • Access record: Logs
  • Access record: Telemetry
  • Access record: Metrics
  • Access record: Store

Answer :
  • Trace data: Logs
  • Point in time resource property: Metrics
  • Access record: Logs

Match the following datasets with the Azure Monitor data store.


Options are :

  • Telemetry data: Logs
  • Telemetry data: Telemetry
  • Telemetry data: Metrics
  • Telemetry data: Store
  • OS events: Logs
  • OS events: Telemetry
  • OS events: Metrics
  • OS events: Store
  • Lightweight performance indicator: Logs
  • Lightweight performance indicator: Telemetry
  • Lightweight performance indicator: Metrics
  • Lightweight performance indicator: Store

Answer :
  • Telemetry data: Logs
  • OS events: Logs
  • Lightweight performance indicator: Metrics

Match the following datasets with the Azure Monitor data store.


Options are :

  • Key / value pair: Logs
  • Key / value pair: Telemetry
  • Key / value pair: Metrics
  • Key / value pair: Store
  • Multi-dimensional object property: Logs
  • Multi-dimensional object property: Telemetry
  • Multi-dimensional object property: Metrics
  • Multi-dimensional object property: Store

Answer :
  • Key / value pair: Metrics
  • Multi-dimensional object property: Logs

You create a dynamic group with the following dynamic membership rule:

(user.surname -contains "SS") or (user.surname -match "*we")

Which of the following users will be in the dynamic group?


Options are :

  • Peter Bless
  • Simon BLESS
  • Fargo Wells
  • Frank Lowe

Answer :
  • Peter Bless
  • Simon BLESS
  • Frank Lowe

Which of these cannot be used to create AAD conditional access policies?


Options are :

  • Azure Portal
  • Windows PowerShell
  • Azure Cloud Shell
  • PowerShell Core
  • Azure CLI
  • REST API

Answer :
  • Windows PowerShell
  • Azure Cloud Shell
  • PowerShell Core
  • Azure CLI
  • REST API

What is the minimum license that is required to configure AAD Identity Protection?


Options are :

  • Azure AD Premium P1
  • Azure AD Premium P2
  • No license is required
  • Any Office 365 license
  • No license is required, but the user must be an Azure AD Global Administrator

Answer : Azure AD Premium P2

You have the following resource groups containing the listed resources:

- RG1; VM1 (stopped)

- RG2; VM2 (stopped)

- RG3; VM3 (stopped)


You have locks configured as follows:

- Lock1; Read-only; RG1

- Lock2; Delete; RG1

- Lock3; Delete; RG2

- Lock4; Read-only; RG3


Which of the following actions can you perform?


Options are :

  • You can start VM1
  • You can start VM2
  • You can delete VM1
  • You can delete VM2
  • You can delete VM3

Answer : You can start VM2

You have an Azure container registry. You have users with these roles.

- User1: Contributor

- User2: Reader

- User3: AcrPush

- User4: AcrPull


Select what each user can do.


Options are :

  • User1 can sign an image
  • User2 can pull an image
  • User3 can pull an image
  • User4 can pull an image

Answer :
  • User3 can pull an image
  • User4 can pull an image

What are the three types of keys in AIP?


Options are :

  • Tenant Key
  • Document Key
  • Classification Key
  • Label Key
  • Content Key
  • User Key

Answer :
  • Tenant Key
  • Content Key
  • User Key

Which of the following describe logging of control-plane actions on your Azure subscription?


Options are :

  • Metrics
  • Diagnostic Log
  • Activity Log
  • Subscription Log
  • Tenant Log
  • Audit Log

Answer : Activity Log

What is the minimum required RBAC role required to view Azure Monitor logs?


Options are :

  • Security Admin
  • Monitoring Contributor
  • Monitoring Administrator
  • Monitoring Reader
  • Security Reader

Answer : Monitoring Reader

To configure Azure Monitor log collection and analysis on an Azure VM several configuration steps are required as listed in the answer options. Identify the step that is not required.


Options are :

  • Create a Log Analytics Workspace
  • Enable a Log Analytics VM Extension
  • Select logs and metrics to collect
  • Provide the VM local administrator username and password

Answer : Provide the VM local administrator username and password

What are the destinations available for Azure SQL Server audit logs? Choose 3.


Options are :

  • SQL Data Warehouse
  • Storage
  • Event Hubs
  • SQL Database
  • Log Analytics
  • Service Bus

Answer :
  • Storage
  • Event Hubs
  • Log Analytics

You configure Azure SQL Database auditing. You select Storage as the audit log destination and don't change the retention period setting. What is the effect on audit log retention in this scenario?


Options are :

  • A retention period must be specified, in days up to a maximum of 3285 days
  • Audit logs are kept indefinitely
  • Audit logs are kept for the default of 90 days
  • Audit logs are kept for the default of 120 days

Answer : Audit logs are kept indefinitely

Describe the steps required to ensure that writing Azure SQL Database audit logs to a storage destination is uninterrupted by a storage access key refresh.


Options are :

  • Switch the storage destination to an alternative storage account; refresh the primary and secondary storage keys in the storage configuration of the original storage account; optionally switch the storage destination back to the original storage account
  • Stop the Azure SQL Server associated with the Azure SQL Database; refresh the primary and secondary storage keys in the storage configuration; start the Azure SQL Server associated with the Azure SQL Database
  • No action is required - storage keys are automatically updated for SQL Data audit logs when Storage access keys are refreshed
  • Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration

Answer : Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration

You are planning on rolling out Privilege Identity Management (PIM) to the IT and Dev department. Which of the following licenses should be assigned to your directory to enable this functionality? Select all that apply.


Options are :

  • Azure AD P1
  • Azure AD P2
  • EMS E3
  • EMS E5
  • Microsoft 365 M5

Answer :
  • Azure AD P2
  • EMS E5
  • Microsoft 365 M5

True or false: a guest user in Azure AD can make use of the paid Azure AD features without having a member account in Azure AD.


Options are :

  • TRUE
  • FALSE

Answer : TRUE

Which of the following statements are true when transferring the subscription ownership to another user? Select all that apply.


Options are :

  • When transferring a subscription to a new Azure AD tenant, all RBAC assignments are permanently deleted from the source tenant and not migrated to the target tenant
  • Self-serve subscription transfer is only available for selected offers
  • Transferring a subscription to another administrator will cause downtime
  • The offer type can be changed while transferring a subscription

Answer :
  • When transferring a subscription to a new Azure AD tenant, all RBAC assignments are permanently deleted from the source tenant and not migrated to the target tenant
  • Self-serve subscription transfer is only available for selected offers

Which of the following roles are required to manage assignments for other administrators in Privilege Identity Management (PIM) for Azure AD roles?


Options are :

  • Global administrators
  • Security administrators
  • Security readers
  • Privilege role administrator

Answer : Privilege role administrator

Which of the following roles are required to manage assignments for other administrators in PIM for Azure Resource roles?


Options are :

  • Subscription administrator
  • Resource owner
  • Resource User Access Administrator
  • Security administrator
  • Security reader

Answer :
  • Subscription administrator
  • Resource owner
  • Resource User Access Administrator

One of the developers needs API access to the "Dev" resource group. Which of the following roles do you need to assign to the developer?


Options are :

  • Owner role
  • Contributor role
  • API management contributor role
  • Reader role

Answer : API management contributor role

True or false: The API management gateway IP address is constant and can be used in firewall rules as a static IP.


Options are :

  • TRUE
  • FALSE

Answer : TRUE

True or false: You can move an API Management service from one subscription to another.


Options are :

  • TRUE
  • FALSE

Answer : TRUE

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

"US Subscription" which has 2 resource groups

* East US resource group which contains

   - Virtual network 1

* West US resource group which contains

   - Virtual network 4

"Japan Subscription" which has 1 resource group

* Japan resource group which contains

   - Virtual network 5



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.


You need to connect resources from VNet1 to Site 2 and Site 3. The connectivity solution must be encrypted and cost effective. Which of the following should you configure?


Options are :

  • Site-to-Site VPN connection
  • Express route
  • VNet peering
  • VNet-to-VNet connection

Answer : Site-to-Site VPN connection

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

"US Subscription" which has 2 resource groups

* East US resource group which contains

   - Virtual network 1

* West US resource group which contains

   - Virtual network 4

"Japan Subscription" which has 1 resource group

* Japan resource group which contains

   - Virtual network 5



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.


You need to connect resources from VNet1 to VNet 5. The connectivity solution must be encrypted and cost effective with the least amount of effort to configure and maintain. Which of the following should you configure?


Options are :

  • Site-to-Site VPN connection
  • Express route
  • VNet peering
  • VNet-to-VNet connection

Answer : VNet-to-VNet connection

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

"US Subscription" which has 2 resource groups

* East US resource group which contains

   - Virtual network 1

* West US resource group which contains

   - Virtual network 4

"Japan Subscription" which has 1 resource group

* Japan resource group which contains

   - Virtual network 5



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.


You need to connect resources from VNet1 to VNet 4. The connectivity solution must not route traffic over the public internet and the solution should be cost effective with the least amount of effort to configure and maintain. Which of the following should you configure?


Options are :

  • Site-to-Site VPN connection
  • Express route
  • VNet peering
  • VNet-to-VNet connection

Answer : VNet peering

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

"US Subscription" which has 2 resource groups

* East US resource group which contains

   - Virtual network 1

   - "LOB VM" which is hosted on a Windows Server 2016 OS

* West US resource group which contains

   - Virtual network 4

"Japan Subscription" which has 1 resource group

* Japan resource group which contains

   - Virtual network 5



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.



You need to block the "LOB VM" from accessing the internet by using NSG rules. What is the easiest way to achieve this?


Options are :

  • Create inbound NSG rule with an Internet service tag and set the action to Deny
  • Create outbound NSG rule with an Internet service tag and set the action to Deny
  • Create inbound NSG rule with an ANY Destination and set the action to Deny
  • Create outbound NSG rule with an ANY Destination and set the action to Deny

Answer : Create outbound NSG rule with an Internet service tag and set the action to Deny

You need to manage inbound and outbound traffic rules at scale to specific VMs with minimum effort. You plan on creating separate inbound and outbound NSG rules with CIDR notation. Is this the easiest method to manage multiple VMs?


Options are :

  • TRUE
  • FALSE

Answer : FALSE

You have a storage account named "BlobStore" and you have noticed that anyone can access this storage account over the internet. You need to secure this storage account so that only users from the Head Office with IP 197.145.42.202/32 can access this storage account; however, you still require anonymous access over the internet to the storage metrics for this account. Which 2 options should you configure?


Options are :

  • Configure Allow access from selected networks and specify 197.145.42.202/32
  • Configure Allow access from all networks
  • Configure IP ranges under the firewall section and specify 197.145.42.202/32
  • Allow trusted Microsoft services to access this storage account
  • Allow read access to storage metrics from any network

Answer :
  • Configure IP ranges under the firewall section and specify 197.145.42.202/32
  • Allow read access to storage metrics from any network
