Microsoft Certified: Azure Security Engineer Associate - (AZ-500) Exam Questions

The correct answer is Azure AD Password Protection.

Azure AD Password Protection is specifically designed to prevent users from using weak or compromised passwords, including those containing specific words or patterns. You can configure custom banned password lists to include variations of your company name (like "Contoso" in this case) and other undesirable terms.

The correct answer is:

Azure Logic Apps Designer

Here's why:

• In Azure Security Center (Microsoft Defender for Cloud), workflow automation is powered by Azure Logic Apps.

• WF1 is a workflow automation configured to send email alerts. Since workflow automations in Security Center are built using Azure Logic Apps, any modifications to the workflow (like changing the recipient from User1 to the Alerts distribution group) must be done using the Azure Logic Apps Designer.

• The Logic Apps Designer provides a visual editor to modify the email action in the workflow to update the recipient list.

https://docs.microsoft.com/en-us/azure/security-center/workflow-automation

https://docs.microsoft.com/en-us/learn/modules/resolve-threats-with-azure-security-center/6-exercise-configure-playbook

The key must be an asymmetric, RSA or RSA HSM key. The supported key lengths are 2048-bit and 3072-bit.

https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview

Yes, the solution meets the goal.

Here's why:

Creating a custom sensitive information type is a valid step in the process of creating a custom sensitivity label. In Azure Security Center (now known as Microsoft Defender for Cloud), sensitivity labels are used to classify and protect data. A custom sensitive information type helps define what specific types of information should be detected and protected under the sensitivity label.

Here’s how it aligns with the goal:

1. Custom Sensitive Information Type: This allows you to define specific patterns or keywords that identify sensitive data unique to your organization.

2. Sensitivity Label: After creating the sensitive information type, you can associate it with a custom sensitivity label to classify and protect data accordingly.

Therefore, starting with the creation of a custom sensitive information type is an appropriate action toward achieving the goal of creating a custom sensitivity label.

https://docs.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels

The two correct roles and groups required to configure Azure AD Connect using the Express Settings installation option while following the principle of least privilege are:

• The Global Administrator role in Azure AD

• The Enterprise Admins group in Active Directory

Explanation:

1. Global Administrator role in Azure AD

• This is required because Azure AD Connect needs to register the on-premises directory with Azure AD.

• It grants permissions for directory synchronization and configures Azure AD Connect settings.

• After the setup, the Global Admin role can be removed from the account to follow the principle of least privilege.

2. Enterprise Admins group in Active Directory (AD)

• This is required because Azure AD Connect needs to create and configure the service account in Active Directory.

• It also needs to enable password hash synchronization (PHS), which requires Enterprise Admin permissions in AD.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

To deploy the vulnerability assessment scanner to your on-premises and multi-cloud machines, connect them to Azure first with Azure Arc as described in Connect your non-Azure machines to Defender for Cloud. Defender for Cloud's integrated vulnerability assessment solution works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.

https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm

No, this solution does not meet the goal.

Here's why:

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, LDAP, Kerberos, and NTLM authentication. However, Azure AD DS does not support pass-through authentication or direct integration with on-premises Active Directory for hybrid authentication in the way required for Azure HDInsight clusters.

https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network

The correct answers are:

• the workspace ID

• the system-assigned managed identity

Here's why:

• The Workspace ID is needed because the vulnerability scanner logs its findings to Azure Monitor Log Analytics. The workspace acts as the central repository where security data is collected.

• System-assigned managed identity is used for secure authentication to Microsoft Defender for Cloud services without needing explicit credentials like the primary shared key. This approach enhances security by avoiding the storage of static keys.

To allow application developers to access data in an Azure SQL database with Always Encrypted enabled, you need to make the following information available:

1. The column encryption key (CEK):
   This key is used to encrypt and decrypt data in the specified column. The application requires the CEK to perform encryption and decryption operations on the data.

2. The column master key (CMK):
   This key is used to encrypt and protect the column encryption key (CEK). The application must be able to access the CMK, either directly or through a key vault, to use the CEK.

https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine

One of the simplest ways to set/get an Azure Storage Blob's metadata is by using the cross-platform Microsoft Azure Storage Explorer, which is a standalone app from Microsoft that allows you to easily work with Azure Storage data on Windows, macOS, and Linux.

Note: All logs are stored in block blobs in a container named $logs, which is automatically created when Storage Analytics is enabled for a storage account.

If you use your storage-browsing tool to navigate to the container directly, you will see all the blobs that contain your logging data. Most storage browsing tools enable you to view the metadata of blobs; you can also read this information using PowerShell or programmatically.

https://azure.microsoft.com/en-us/features/storage-explorer/

https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging