
Microsoft Certified: Azure Security Engineer Associate - (AZ-500) Exam Questions

Total Questions: 514

Last Updated: SEP 2025


Question 11 Single Choice

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.


You have an Azure subscription named Sub1.

You have an Azure Storage account named sa1 in a resource group named RG1.


Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies.

You discover that unauthorized users accessed both the file service and the blob service.

You need to revoke all access to sa1.


Solution: You create a new stored access policy.

Does this meet the goal?


Question 12 Single Choice

You have an Azure Active Directory (Azure AD) tenant.


You need to prevent nonprivileged Azure AD users from creating service principals in Azure AD.


What should you do in the Azure Active Directory admin center of the tenant?


Question 13 Single Choice

You have an Azure environment.


You need to identify any Azure configurations and workloads that are non-compliant with ISO 27001:2013 standards.


What should you use?


Question 14 Single Choice

You have an Azure web app named WebApp1.


You upload a certificate to WebApp1.


You need to make the certificate accessible to the app code of WebApp1.


What should you do?


Question 15 Single Choice

Note: This question is one of a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish whether the solution satisfies the requirements.


Your company has an Azure subscription linked to their Azure Active Directory (Azure AD) tenant.

As a Global administrator for the tenant, part of your responsibilities involves managing Azure Security Center settings.


You are currently preparing to create a custom sensitivity label.


Solution: You start by integrating Security Center and Microsoft Cloud App Security.

Does the solution meet the goal?


Question 16 Single Choice

You have an Azure subscription named Sub1 that contains the virtual machines shown in the following table.



You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an authorized user requests access.


What should you configure?


Question 17 Single Choice

You have an Azure subscription that uses Azure Active Directory (Azure AD) Privileged Identity Management (PIM).


A PIM user who is assigned the User Access Administrator role reports receiving an authorization error when performing a role assignment or viewing the list of assignments.


You need to resolve the issue by ensuring that the PIM service principal has the correct permissions for the subscription. The solution must use the principle of least privilege.


Which role should you assign to the PIM service principal?


Question 18 Single Choice

You have an Azure subscription that is associated with an Azure Active Directory (Azure AD) tenant.


When a developer attempts to register an app named App1 in the tenant, the developer receives the error message shown in the following exhibit.



You need to ensure that the developer can register App1 in the tenant.


What should you do for the tenant?


Question 19 Multiple Choice

You have an Azure subscription that contains the resources shown in the following table.



You need to ensure that ServerAdmins can perform the following tasks:

  1. Create virtual machines in RG1 only.

  2. Connect the virtual machines to the existing virtual networks in RG2 only.


The solution must use the principle of least privilege.


Which two role-based access control (RBAC) roles should you assign to ServerAdmins? Each correct answer presents part of the solution.


NOTE: Each correct selection is worth one point.

Question 20 Single Choice

You have an Azure subscription that contains a managed identity named Identity1 and the Azure key vaults shown in the following table.



KeyVault1 contains an access policy that grants Identity1 the following key permissions:

  • Get

  • List

  • Wrap

  • Unwrap


You need to provide Identity1 with the same permissions for KeyVault2. The solution must use the principle of least privilege.


Which role should you assign to Identity1?

