[Jan 25, 2022] New 2022 Microsoft AZ-500 Exam Dumps with PDF from Prep4King (Updated 295 Questions) [Q27-Q48]


NEW QUESTION 27
You need to ensure that the AzureBackupReport log for the Vault1 Recovery Services vault is stored in the WS11641655 Azure Log Analytics workspace.
To complete this task, sign in to the Azure portal and modify the Azure resources.
See the explanation below.

Answer:

Explanation:
1. In the Azure portal, type Recovery Services Vaults in the search box, select Recovery Services Vaults from the search results, then select Vault1. Alternatively, browse to Recovery Services Vaults in the left navigation pane.
2. In the properties of Vault1, scroll down to Diagnostic Settings.
3. Click Add a diagnostic setting.
4. Enter a name in the Diagnostic settings name box.
5. In the Log section, select AzureBackupReport.
6. In the Destination details section, select Send to log analytics.
7. Select the WS11641655 Azure Log Analytics workspace.
8. Click the Save button to save the changes.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-diagnostic-events

 

NEW QUESTION 28
Which virtual networks in Sub1 can User2 modify and delete in their current state? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


Box 1: VNET4 and VNET1 only
RG1 has only a Delete lock, while there are no locks on RG4.
RG2 and RG3 both have Read-only locks.
Box 2: VNET4 only
There are no locks on RG4, while the other resource groups have either Delete or Read-only locks.
Note: As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
* CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
* ReadOnly means authorized users can read a resource, but they can't delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Scenario:
User2 is a Security administrator.
Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User2 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

 

NEW QUESTION 29
You are configuring just in time (JIT) VM access to a set of Azure virtual machines.
You need to grant users PowerShell access to the virtual machine by using JIT VM access.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation

 

NEW QUESTION 30
You create a new Azure subscription that is associated to a new Azure Active Directory (Azure AD) tenant.
You create one active conditional access policy named Portal Policy. Portal Policy is used to provide access to the Microsoft Azure Management cloud app.
The Conditions settings for Portal Policy are configured as shown in the Conditions exhibit. (Click the Conditions tab.)

The Grant settings for Portal Policy are configured as shown in the Grant exhibit. (Click the Grant tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


Box 1: No
The Contoso location is excluded
Box 2: Yes
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

 

NEW QUESTION 31
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:
Assignments: Include Group1, exclude Group2
Conditions: Sign-in risk level: Medium and above
Access: Allow access, Require multi-factor authentication
You need to identify what occurs when the users sign in to Azure AD.
What should you identify for each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

 

NEW QUESTION 32
You have an Azure subscription that contains a storage account named storage1 and several virtual machines. The storage account and virtual machines are in the same Azure region. The network configurations of the virtual machines are shown in the following table.

The virtual network subnets have service endpoints defined as shown in the following table.

You configure the following Firewall and virtual networks settings for storage1:
Allow access from: Selected networks
Virtual networks: VNET3\Subnet3
Firewall - Address range: 52.233.129.0/24
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

 

NEW QUESTION 33
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.
When a developer attempts to register an app named App1 in the tenant, the developer receives the error message shown in the following exhibit.

You need to ensure that the developer can register App1 in the tenant.
What should you do for the tenant?

  • A. Set Enable Security defaults to Yes.
  • B. Configure the Consent and permissions settings for enterprise applications.
  • C. Modify the User settings.
  • D. Modify the Directory properties.

Answer: C

Explanation/Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added

 

NEW QUESTION 34
You suspect that users are attempting to sign in to resources to which they have no access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users who had more than five failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


The following example identifies user accounts that failed to log in more than five times in the last day, and when they last attempted to log in.
let timeframe = 1d;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples

 

NEW QUESTION 35
You have a web app hosted on an on-premises server that is accessed by using a URL of https://www.contoso.com.
You plan to migrate the web app to Azure. You will continue to use https://www.contoso.com.
You need to enable HTTPS for the Azure web app.
What should you do first?

  • A. Export the public key from the on-premises server and save the key as a CER file.
  • B. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using AES256.
  • C. Export the public key from the on-premises server and save the key as a P7b file.
  • D. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES.

Answer: D

Explanation/Reference:
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate#private-certificate-requirements

 

NEW QUESTION 36
You have an Azure subscription that contains the users shown in the following table.

Which users can enable Azure AD Privileged Identity Management (PIM)?

  • A. User1 and User2 only
  • B. User2 only
  • C. User2 and User3 only
  • D. User1 only

Answer: A

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan

 

NEW QUESTION 37
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1. Sub1 contains an Azure virtual machine named VM1 that runs Windows Server 2016.
You need to encrypt VM1 disks by using Azure Disk Encryption.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Explanation

References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/encrypt-disks

 

NEW QUESTION 38
You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database.
What should you do?

  • A. From the Azure SQL Database query editor, create a Transact-SQL query.
  • B. From the Azure Sentinel workspace, create a Kusto Query Language query.
  • C. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
  • D. From Azure CLI run the Get-AzOperationalInsightsworkspace cmdlet.

Answer: B

 

NEW QUESTION 39
You need to ensure that users can access VM0. The solution must meet the platform protection requirements.
What should you do?

  • A. On Firewall, configure a DNAT rule.
  • B. Move VM0 to Subnet1.
  • C. On Firewall, configure a network traffic filtering rule.
  • D. Assign RT1 to AzureFirewallSubnet.

Answer: A

Explanation:
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat

 

NEW QUESTION 40
You have an Azure subscription named Sub1 that contains the Azure key vaults shown in the following table:

In Sub1, you create a virtual machine that has the following configurations:
* Name: VM1
* Size: DS2v2
* Resource group: RG1
* Region: West Europe
* Operating system: Windows Server 2016
You plan to enable Azure Disk Encryption on VM1.
In which key vaults can you store the encryption key for VM1?

  • A. Vault1 only
  • B. Vault1 or Vault2 only
  • C. Vault1 or Vault3 only
  • D. Vault1, Vault2, Vault3, or Vault4

Answer: C

Explanation:
In order to make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.
Reference:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites

 

NEW QUESTION 41
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops a mobile application named App1. App1 uses the OAuth 2 implicit grant type to acquire Azure AD access tokens.
You need to register App1 in Azure AD.
What information should you obtain from the developer to register the application?

  • A. a reply URL
  • B. a key
  • C. a redirect URI
  • D. an application ID

Answer: C

Explanation:
For Native Applications you need to provide a Redirect URI, which Azure AD will use to return token responses.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

 

NEW QUESTION 42
You have an Azure SQL database.
You implement Always Encrypted.
You need to ensure that application developers can retrieve and decrypt data in the database.
Which two pieces of information should you provide to the developers? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. the column master key
  • B. a shared access signature (SAS)
  • C. the column encryption key
  • D. user credentials
  • E. a stored access policy

Answer: A,C

Explanation:
Always Encrypted uses two types of keys: column encryption keys and column master keys. A column encryption key is used to encrypt data in an encrypted column. A column master key is a key-protecting key that encrypts one or more column encryption keys.
Reference:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine

 

NEW QUESTION 43
You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.

You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6.
Which additional virtual machines can be updated by using Update1 and Update2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


Update1: VM1 and VM2 only
VM3: Windows Server 2016 West US RG2
Update2: VM4 and VM5 only
VM6: CentOS 7.5 East US RG1
For Linux, the machine must have access to an update repository. The update repository can be private or public.
References:
https://docs.microsoft.com/en-us/azure/automation/automation-update-management

 

NEW QUESTION 44
You have an Azure subscription that contains the following resources:
* A virtual network named VNET1 that contains two subnets named Subnet1 and Subnet2.
* A virtual machine named VM1 that has only a private IP address and connects to Subnet1.
You need to ensure that Remote Desktop connections can be established to VM1 from the internet.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Explanation

 

NEW QUESTION 45
Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.

The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

References:
https://www.cayosoft.com/difference-enabling-enforcing-mfa/

 

NEW QUESTION 46
You are testing an Azure Kubernetes Service (AKS) cluster. The cluster is configured as shown in the exhibit. (Click the Exhibit tab.)

You plan to deploy the cluster to production. You disable HTTP application routing.
You need to implement application routing that will provide reverse proxy and TLS termination for AKS services by using a single IP address.
What should you do?

  • A. Create an AKS Ingress controller.
  • B. Create an Azure Basic Load Balancer.
  • C. Install the container network interface (CNI) plug-in.
  • D. Create an Azure Standard Load Balancer.

Answer: A

Explanation:
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services.
References:
https://docs.microsoft.com/en-us/azure/aks/ingress-tls

 

NEW QUESTION 47
You have the Azure Information Protection conditions shown in the following table.

You need to identify how Azure Information Protection will label files.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


Box 1: Label 2 only
How multiple conditions are evaluated when they apply to more than one label
* The labels are ordered for evaluation, according to their position that you specify in the policy: The label positioned first has the lowest position (least sensitive) and the label positioned last has the highest position (most sensitive).
* The most sensitive label is applied.
* The last sublabel is applied.
Box 2: No Label
Automatic classification applies to Word, Excel, and PowerPoint when documents are saved, and applies to Outlook when emails are sent. Automatic classification does not apply to Microsoft Notepad.
References:
https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-classification

 

NEW QUESTION 48
......
