4th AZ-500 AUG 2023

The document contains a practice test for the AZ-500 Microsoft Azure Security Technologies certification, detailing various questions and answers related to Azure Key Vault, SQL databases, Azure Sentinel, and Azure Active Directory. Each question includes explanations for the correct answers, emphasizing key concepts such as access policies, storage account requirements, and security configurations. The test aims to assess knowledge on Azure security technologies and best practices.

Uploaded by

Vamsi Chowdary

AZ-500: Microsoft Azure Security Technologies

Practice Test - 4 - Results


Question 1
You have an Azure Key Vault named KeyVault1. You have configured a network service endpoint for
KeyVault1 as shown below. You have a virtual machine VM1 in vnet1. A user named User1 has Owner
access on KeyVault1.

User1 is trying to create a certificate in KeyVault1 from his laptop. Can User1 successfully create a
certificate?

Yes
No (Correct)

Explanation
KeyVault1 is configured with a service endpoint for vnet1, so Key Vault certificates, secrets and keys can be
managed only from the virtual machines in vnet1. User1's laptop is outside vnet1, so User1 cannot create the
certificate from there.
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security

Question 2
You have an Azure Key Vault named KeyVault1. You have configured a network service endpoint for
KeyVault1 as shown below. You have a virtual machine VM1 in vnet1. A user named User1 has Owner
access on KeyVault1.

User1 is trying to create a certificate in KeyVault1 from VM1. Can User1 successfully create a certificate?

Yes (Correct)
No

Explanation
KeyVault1 is configured with a service endpoint for vnet1, so Key Vault certificates, secrets and keys can be
managed from the virtual machines in vnet1, including VM1.

https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security

Question 3
You have an Azure Key Vault named KeyVault1. You have configured a network service endpoint for
KeyVault1 as shown below. You have a virtual machine VM1 in vnet1. A user named User1 has Owner
access on KeyVault1.

User1 is trying to create an access policy from his laptop. Can User1 successfully create an access policy?

Yes (Correct)
No

Explanation
Access policies are configured through the Azure Resource Manager management plane, which the Key Vault
network rules do not restrict, so you can create access policies from outside vnet1.

https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security

Question 4
You have an Azure subscription named Subscription1. You have created resource groups and storage
accounts as shown below.

| Storage Account Name | Resource Group | Location |
|---|---|---|
| Storageaccount1 | RG1 | East US |
| Storageaccount2 | RG2 | East US |
| Storageaccount3 | RG3 | North Europe |

You have created an Azure SQL database named SQLDatabase1 in the East US region.
You are configuring SQLDatabase1 diagnostics settings to archive Timeouts, Blocks and Deadlocks. Which
storage accounts can be used as a destination?

Storageaccount1 (Correct)
Storageaccount2 (Correct)
Storageaccount3

Explanation
Storage accounts used as a diagnostics destination must be in the same region as the database server.
SQLDatabase1 is in East US, so Storageaccount1 and Storageaccount2 can be used as the destination.

Question 5
You have an Azure subscription named Subscription1. You have created resource groups and storage
accounts as shown below.

| Storage Account Name | Resource Group | Location |
|---|---|---|
| Storageaccount1 | RG1 | East US |
| Storageaccount2 | RG2 | East US |
| Storageaccount3 | RG3 | North Europe |

You have created an Azure SQL database named SQLDatabase1 in the East US region.

You are enabling auditing on SQLDatabase1. Which storage accounts can be used as audit log
destinations?

Storageaccount1 (Correct)
Storageaccount2 (Correct)
Storageaccount3

Explanation
Storage accounts used as an audit log destination must be in the same region as the database server.
SQLDatabase1 is in East US, so Storageaccount1 and Storageaccount2 can be used as the destination.

Question 6
You are creating custom rules to detect threats with Azure Sentinel. Which language should you use to
write query rules?

T-SQL
Kusto (Correct)
PowerShell Scripts

Explanation
Once you have connected your data sources to Azure Sentinel, you can create custom rules that search for
specific criteria across your environment and generate incidents when the criteria are matched, so that you
can investigate them. Azure Sentinel provides out-of-the-box detection queries that use the machine learning
capabilities of the Kusto query language to detect suspicious behaviors such as abnormal traffic in firewall
data, suspicious authentication patterns, and resource creation anomalies. You can also write your own
queries in Kusto query language.

https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom

Question 7
Which Azure service allows you to group virtual machines and define network security policies based on
those groups?

Application Insights
Application Security Groups (ASGs) (Correct)
Network Security Groups (NSGs)
Application Gateway

Explanation
Application security groups enable you to configure network security as a natural extension of an
application's structure, allowing you to group virtual machines and define network security policies based
on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP
addresses.

https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups

Question 8
You are planning to deploy an Azure Firewall in a subscription named Subscription1. What is the name of
the subnet that must be created in order to deploy Azure Firewall?

default
DMZsubnet
AzureFirewallSubnet (Correct)
FirewallSubnet

Explanation
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

Question 9
You have an Azure Container Registry named Registry1. Your development team plans to push images from
a CI/CD pipeline and pull them into other Azure services.

Which authentication method should you recommend to your development team?

Individual AD identity
AD service principal (Correct)
Repository-scoped access token
Managed identity for Azure resources (Correct)
Admin user

Explanation
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication

Question 10

Which of the below statements are TRUE with respect to Privileged Identity Management (PIM)?

PIM provides just in time access to Azure and on-premise resources
Sends notification when privileged roles are activated (Correct)
Provides time bound access to resources with an end date and time. (Correct)
Conducts access reviews (Correct)

Explanation
Here are some of the key features of Privileged Identity Management:

Provide just-in-time privileged access to Azure AD and Azure resources

Assign time-bound access to resources using start and end dates

Require approval to activate privileged roles

Enforce multi-factor authentication to activate any role

Use justification to understand why users activate

Get notifications when privileged roles are activated

Conduct access reviews to ensure users still need roles

Download audit history for internal or external audit

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Question 11

Your organization has an Azure Subscription named Subscription1. You have deployed several Line of
Business (LOB) applications in Subscription1. Your organization has branch offices across the globe – New
York, London, Mumbai, Tokyo, Sydney, and Dubai.

Employees are expected to work from various branch offices on short-term assignments. Some of the
applications hosted in Subscription1 should be accessible only for London and New York office employees
including both short and long term assignments.

You need to recommend a way to manage user access for the applications accessible only to London and
New York office employees. What should you consider in your recommendation? The solution must
minimize the administrative activities.

Assign users directly to Azure resources
Use Group Assignment
Use Rule based assignment (Correct)
Conditional access policy

Explanation
Create a rule based on the user's current work location and use rule-based assignment: the resource owner
creates a group and uses a rule to define which users are assigned to a specific resource. The rule is based
on attributes that are assigned to individual users. The resource owner manages the rule, determining
which attributes and values are required to allow access to the resource.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups

Question 12

You are the global admin for your organization’s Azure Active Directory tenant named
PreparationLabs.com. Your organization has an application, which reads user’s profile and calendar events.
The development team has requested to design and configure App registration in Azure active directory.
The operations team has created an App registration and added permissions.

What should you consider doing before rolling out the application for better user experience?

Consent requested permissions in admin consent flow
Consent requested permissions in user consent flow
Consent requested permissions on behalf of your organization (Correct)

Explanation
You can consent as an admin on behalf of your organization's users, so that individual users won't need to
consent.

Admins see an additional control on the traditional consent prompt that allows them to consent on behalf
of the entire tenant. The control defaults to off, so consent is granted on behalf of the entire tenant only
when an admin explicitly checks the box. As of today, this check box is shown only for the Global Admin
role.

https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience

Question 13

You are creating a Single page application (SPA) that is planned to authenticate users using your
organizations Azure Active Directory (AAD) only. The application is expected to roll out globally with users
accessing via the internet.

What account type option should you consider while creating app registration for your application?

Accounts in any organizational directory
Accounts in any organizational directory and personal Microsoft accounts
Accounts in this organizational directory only (Correct)
Accounts in this organizational global directory only

Explanation
Accounts in this organizational directory only - Select this option if you're building a line-of-business (LOB)
application. This option is not available if you're not registering the application in a directory.

This option maps to Azure AD only single-tenant.

This is the default option unless you're registering the app outside of a directory. In cases where the app
is registered outside of a directory, the default is Azure AD multi-tenant and personal Microsoft accounts.

https://docs.microsoft.com/en-us/graph/auth-register-app-v2

Question 14

From Azure Security Center, you enable Azure Container Registry vulnerability scanning of the images in
Registry1.

You perform the following actions:

Push a Windows image named Image1 to Registry1.

Push a Linux image named Image2 to Registry1.

Push a Windows image named Image3 to Registry1.

Modify Image1 and push the new image as Image4 to Registry1.

Modify Image2 and push the new image as Image5 to Registry1.

Which two images will be scanned for vulnerabilities?

Image4
Image2 (Correct)
Image1
Image3
Image5 (Correct)

Explanation
Security Center scans the image using a scanner from the industry-leading vulnerability scanning vendor,
Qualys. This native solution is integrated by default. The Azure-native vulnerability scanning is supported
only for pushed Linux images, so only Image2 and Image5 are scanned; the Windows images Image1, Image3
and Image4 are not.

https://docs.microsoft.com/en-us/azure/security-center/azure-container-registry-integration

Question 15

You have an Azure Active Directory (Azure AD) tenant named PreparationLabs.com.

You need to configure diagnostic settings for PreparationLabs.com. The solution must meet the following
requirements:

Retain logs for two years.

Query logs by using the Kusto query language.

Minimize administrative effort.

Where should you store the logs?

an Azure event hub
an Azure Log Analytics workspace (Correct)
an Azure Storage account

Explanation
Azure Monitor stores log data in a Log Analytics workspace, an Azure resource that acts as a container
where data is collected and aggregated, and that serves as an administrative boundary.
You can configure the retention period of the workspace and query the logs with the Kusto query language.

Question 16

You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center. You need to automate
the mitigation of incidents in Azure Sentinel.

The solution must minimize administrative effort.


What should you create?

an alert rule
a playbook (Correct)
a function app
a runbook

Explanation
Automate your common tasks and simplify security orchestration with playbooks that integrate with
Azure services as well as your existing tools.

You can use security playbooks in Azure Sentinel to set automated threat responses to security-related
issues detected by Azure Sentinel.

https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Question 17

You have an Azure Active Directory (Azure AD) tenant named PreparationLabs.onmicrosoft.com.

The User administrator role is assigned to a user named Admin1.

An external partner has a Microsoft account that uses the [email protected] sign in.

Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the
following error message: "Unable to invite user [email protected] Generic authorization exception."

You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?

Create a new Azure AD tenant
add an identity provider
add a custom domain.
From the Users blade, modify the External collaboration settings. (Correct)

Explanation
By default, all users and guests in your directory can invite guests even if they're not assigned to an admin
role. External collaboration settings let you turn guest invitations on or off for different types of users in
your organization.

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations

Question 18

You have an Azure web app named WebApp1. You uploaded a certificate to WebApp1.

You need to make the certificate accessible to the app code of WebApp1.

What should you do?

Add a user-assigned managed identity to WebApp1.
Add an app setting to the WebApp1 configuration. (Correct)
Enable system-assigned managed identity for the WebApp1.
Configure the TLS/SSL binding for WebApp1.

Explanation
In your application code, you can access the public or private certificates you add to App Service. Your
app code may act as a client and access an external service that requires certificate authentication, or it
may need to perform cryptographic tasks.

The WEBSITE_LOAD_CERTIFICATES app setting makes the specified certificates accessible to your
Windows-hosted app in the Windows certificate store.

https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code

Question 19

You have an Azure Log Analytics workspace named LogAnalytics1. You have 100 on-premises servers that
run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LogAnalytics1.
LogAnalytics1 is configured to collect security-related performance counters from the connected servers.
You need to configure alerts based on the data collected by LogAnalytics1.

The solution must meet the following requirements:

Alert rules must support dimensions.

Alert notifications must be generated only once when the alert is generated and once when the alert is
resolved.

Which signal type should you use when you create the alert rules?

Log
Metric (Correct)
Activity Log

Explanation
Metric alerts in Azure Monitor provide a way to get notified when one of your metrics crosses a threshold.
Metric alerts work on a range of multi-dimensional platform metrics, custom metrics, and Application
Insights standard and custom metrics.

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric

Question 20

Your network contains an on-premises Active Directory domain named corp.preparationlabs.com.

You have an Azure subscription named Subscription1 that is associated to an Azure Active Directory
(Azure AD) tenant named preparationlabs.com.

You sync all on-premises identities to Azure AD.

You need to prevent users who have a givenName attribute that starts with HELLO from being synced to
Azure AD. The solution must minimize administrative effort.

What should you use?

Web Service Configuration Tool
Synchronization Rules Editor (Correct)
the Azure AD Connect wizard
Active Directory Users and Computers

Explanation
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

Question 21
You have an Azure subscription named Subscription1 that contains the Azure key vaults as shown in the
following table:

In Subscription1, you create a virtual machine that has the following configurations:

Name: VM1

Size: DS2v2

Resource group: RG1

Region: West Europe

Operating system: Windows Server 2016

You plan to enable Azure Disk Encryption on VM1.

In which key vaults can you store the encryption key for VM1?

Vault1, Vault2, Vault3, or Vault4
Vault1 only
Vault1 or Vault3 only (Correct)
Vault1 or Vault2 only

Explanation
Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't
cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in
the same region. Create and use a Key Vault that is in the same subscription and region as the VMs to be
encrypted.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault#create-a-key-vault

Question 22

You have an Azure subscription named Subscription1 that contains the virtual machines as shown below.

| Name | Resource Group | Status |
|---|---|---|
| VM1 | RG1 | Stopped (Deallocated) |
| VM2 | RG2 | Stopped (Deallocated) |

You have created the following Azure policies:

| Policy Definition | Resource Type | Scope |
|---|---|---|
| Not allowed resource types | VirtualMachines | RG1 |
| Allowed resource types | VirtualMachines | RG2 |

You have created the following resource locks:

| Name | Type | Created on |
|---|---|---|
| Lock1 | Read-only | VM1 |
| Lock2 | Read-only | RG2 |

Can you start VM1?

Yes
No (Correct)

Explanation
You cannot start VM1 because of the read-only lock on VM1. A ReadOnly lock on a virtual machine prevents
all users from starting or restarting it, because these operations require a POST request.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

Question 23

You have an Azure subscription named Subscription1 that contains the virtual machines as shown below.

| Name | Resource Group | Status |
|---|---|---|
| VM1 | RG1 | Stopped (Deallocated) |
| VM2 | RG2 | Stopped (Deallocated) |

You have created the following Azure policies:

| Policy Definition | Resource Type | Scope |
|---|---|---|
| Not allowed resource types | VirtualMachines | RG1 |
| Allowed resource types | VirtualMachines | RG2 |

You have created the following resource locks:

| Name | Type | Created on |
|---|---|---|
| Lock1 | Read-only | VM1 |
| Lock2 | Read-only | RG2 |

Can you start VM2?

Yes
No (Correct)
(Correct)

Explanation
A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or
restarting the virtual machine. These operations require a POST request.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

Question 24

You have an Azure subscription named Subscription1 that contains the virtual machines as shown below.

| Name | Resource Group | Status |
|---|---|---|
| VM1 | RG1 | Stopped (Deallocated) |
| VM2 | RG2 | Stopped (Deallocated) |

You have created the following Azure policies:

| Policy Definition | Resource Type | Scope |
|---|---|---|
| Not allowed resource types | VirtualMachines | RG1 |
| Allowed resource types | VirtualMachines | RG2 |

You have created the following resource locks:

| Name | Type | Created on |
|---|---|---|
| Lock1 | Read-only | VM1 |
| Lock2 | Read-only | RG2 |


Can you create a virtual machine in RG2?

Yes
No (Correct)
(Correct)

Explanation
You cannot create a new VM in RG2 because of read only lock on RG2.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

Question 25

You are configuring an Azure policy. You plan to assign policies that use the DeployIfNotExist,
AuditIfNotExist, Append, and Deny effects.

Which effect requires a managed identity for the assignment?

AuditIfNotExist
Append
DeployIfNotExist (Correct)
Deny

Explanation
When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a
managed identity. Azure Policy creates a managed identity for each assignment, but must have details
about what roles to grant the managed identity. If the managed identity is missing roles, this error is
displayed during the assignment of the policy or an initiative.
https://docs.microsoft.com/bs-latn-ba/azure/governance/policy/how-to/remediate-resources

Question 26

You have an Azure subscription named Subscription1 that contains the virtual machines shown below.

| Name | Resource Group |
|---|---|
| VM1 | RG1 |
| VM2 | RG2 |
| VM3 | RG1 |
| VM4 | RG2 |

You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an
authorized user requests access.

What should you configure?

Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
an application security group
Azure Active Directory (Azure AD) conditional access
just in time (JIT) VM access (Correct)
(Correct)

Explanation
Lock down inbound traffic to your Azure Virtual Machines with Azure Security Center's just-in-time (JIT)
virtual machine (VM) access feature. This reduces exposure to attacks while providing easy access when
you need to connect to a VM.
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-asc

Question 27

You have created a custom alert rule in Azure Monitor. You need to configure the users who will receive
an email message when the alert is triggered. What should you do?

Modify the Security policy settings of the Azure subscription.
Create an action group. (Correct)
Modify the members of the Security Reader role group.
Modify the alert rule.

Explanation
An action group is a collection of notification preferences defined by the owner of an Azure subscription.
Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered.
Various alerts may use the same action group or different action groups depending on the user's
requirements.

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

Question 28

You have a hybrid deployment of Azure Active Directory (Azure AD).

You plan to deploy Azure AD Connect and integrate Active Directory and the Azure AD tenant.

You need to recommend an integration solution that meets the following requirements:

Ensures that password policies and user logon restrictions apply to user accounts that are synced to the
tenant

Minimizes the number of servers required for the solution.


Which authentication method should you include in the recommendation?

federated identity with Active Directory Federation Services (AD FS)
password hash synchronization with seamless single sign-on (SSO)
pass-through authentication with seamless single sign-on (SSO) (Correct)
(Correct)

Explanation
Azure AD Pass-through Authentication. Provides a simple password validation for Azure AD
authentication services by using a software agent that runs on one or more on-premises servers. The
servers validate the users directly with your on-premises Active Directory, which ensures that the
password validation doesn't happen in the cloud.

Companies with a security requirement to immediately enforce on-premises user account states,
password policies, and sign-in hours might use this authentication method.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

Question 29

Your company is planning to develop a mobile application named MobileApp1. MobileApp1 uses the
OAuth 2 implicit grant type to acquire Azure AD access tokens. You need to register MobileApp1 in Azure
AD.

What information should you obtain to register the application?

a reply URL
a key
a redirect URI (Correct)
an application ID

Explanation
Register your application with your Azure Active Directory (Azure AD) tenant. This will give you an
Application ID for your application, as well as enable it to receive tokens.

At the time of registration, provide the redirect URI. For web applications, this is the base URL of your app
where users can sign in, for example http://localhost:12345. For public clients (mobile and desktop),
Azure AD uses it to return token responses. Enter a value specific to your application, for example
http://MyFirstAADApp

https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code#register-your-application-with-your-ad-tenant

Question 30

You have an Azure Container Registry named Registry1. You add role assignments for Registry1 as shown
in the following table.

| User | Role |
|---|---|
| User1 | AcrPush |
| User2 | AcrPull |
| User3 | AcrImageSigner |
| User4 | Contributor |

Which users can upload images to Registry1?

User1
User4
User4 and User1 (Correct)
User4, User3 and User1
All Users

Explanation
The Azure Container Registry service supports a set of built-in Azure roles that provide different levels of
permissions to an Azure container registry. Use Azure role-based access control (Azure RBAC) to assign
specific permissions to users, service principals, or other identities that need to interact with a registry.

https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles

Question 31
You have an Azure Container Registry named Registry1. You add role assignments for Registry1 as shown
in the following table.

| User | Role |
|---|---|
| User1 | AcrPush |
| User2 | AcrPull |
| User3 | AcrImageSigner |
| User4 | Contributor |

Which users can download images from Registry1?

User1
User2
User4 and User1
User4, User2 and User1 (Correct)
All Users

Explanation
The Azure Container Registry service supports a set of built-in Azure roles that provide different levels of
permissions to an Azure container registry. Use Azure role-based access control (Azure RBAC) to assign
specific permissions to users, service principals, or other identities that need to interact with a registry.
https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles

Question 32
You have a business critical application which must be highly available.

You need to ensure the application meets the following requirements:

Ensure users continue to have access to back-end resources in the event that one fails

Protect against common web exploits

Minimize costs where possible

Which items do you include in your design to meet the above requirements?

SSL Offload on Azure Application Gateway.
Traffic Manager.
Web Application Firewall on Azure Application Gateway. (Correct)
Load Balancer.

Explanation
An Application Gateway configured with a Web Application Firewall will protect against web exploits.

https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview

Question 33

You have an application named application1 that processes confidential information. You plan to use an
Azure Storage account to store project attachments for application1. The web tier of application1 is
planned to be deployed on several Azure virtual machines. The virtual machines are deployed in a virtual
network named VNet1.

You need to recommend a solution to limit access to the Azure storage account to only the virtual machines
hosted in VNet1. The solution must keep costs minimal. Which solution should you recommend?

Azure Private Endpoint
Azure Service Endpoint (Correct)
Azure Firewall
Azure Network Security Groups

Explanation
Virtual network service endpoints enable you to limit network access to some Azure service resources to a
virtual network subnet. You can also remove internet access to the resources. Service endpoints provide
direct connection from your virtual network to supported Azure services, allowing you to use your virtual
network's private address space to access the Azure services.

Both Azure private endpoint and service endpoint can be used, however to keep costs minimal service
endpoint is better solution in this scenario.

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources

Question 34

You have an application deployed in Azure Virtual Machines (VMs). The application interfaces with
external services which are authenticated using a secret key. You are considering Azure Key Vault to store
secret keys.

Which authentication method should you use to read secrets from Key Vault from Azure virtual machines
(VMs)?

Managed Identity (Correct)
Service principal and certificate
Service principal and secret

Explanation
Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can
assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to
other Azure resources. The benefit of this approach is that the app or service isn't managing the rotation
of the first secret. Azure automatically rotates the identity. We recommend this approach as a best
practice.

https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts#authentication

Question 35: Skipped


You are working for a service provider company that manages Azure environments for multiple
customers. You have made the recommendations below for your customers.

Use service endpoints.

Allow only HTTPS traffic to several Azure PaaS services.

Your customers agreed to audit and implement your recommendations.

What solutions should you consider to implement your recommendations for all of your customers with
minimal effort?

 ​
Azure Monitor

 ​
Azure Policy
(Correct)

 ​
Azure Lighthouse
(Correct)

 ​
Create PowerShell script and re-use

Explanation
As a service provider, you may have onboarded multiple customer tenants to Azure Lighthouse. Azure
Lighthouse allows service providers to perform operations at scale across several tenants at once, making
management tasks more efficient.

Use Azure Policy to deploy a policy definition and policy assignment across multiple tenants using
PowerShell commands.

https://docs.microsoft.com/en-us/azure/lighthouse/how-to/policy-at-scale

Question 36: Skipped


Your company has deployed business-critical applications to Microsoft Azure. The application owners are
concerned about the risk of cyber-attacks in cloud environments against commonly used management
ports. Considering the criticality and sensitivity of the data processed by these applications, your
security administrator wants to give the Operations team time-based access to perform maintenance
activities.

Your legal team wants a log of activities for auditing purposes.


What solutions should you consider?

 ​
Azure Firewall & Logs generated by Azure Firewall

 ​
Network Security Groups (NSG) & Flow logs

 ​
Just-in-time (JIT) access & activity logs
(Correct)

 ​
Azure Policy & Azure Activity logs

Explanation
Just-in-time (JIT) access dramatically reduces the attack footprint against commonly used management
ports by blocking traffic to these ports by default.

Ports are only opened upon submitting an access request using the Azure Portal, PowerShell or the REST
API.

Anybody who requires management port access to an Azure VM and has the appropriate Role Based
Access Control (RBAC) permissions can request JIT access.

As an example, an operator may require Remote Desktop Protocol (RDP) access to perform maintenance
tasks on an Azure VM. In this scenario when JIT is enabled, the port would be blocked by default. The
operator would submit an access request for the Azure VM and the port would be opened for the
operator for a specific time frame.

https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-
asc%2Cjit-request-asc

Question 37: Skipped


You have designed an application named myapplication1 for a company named company1. Your company
wants to extend myapplication1 to users who are not part of company1. However, your security
administrator wants to prevent invitations to users from a specific company named company2 due to
security compliance issues with company2.

What solution should you consider?

 ​
Development to deny authentication for company2 users

 ​
Add company2 to deny list in Azure active directory
(Correct)

 ​
Add allow list for all other companies and explicit deny to company2 in Azure active directory

Explanation
You can use an allow list or a deny list to allow or block invitations to B2B users from specific
organizations. For example, if you want to block personal email address domains, you can set up a deny
list that contains domains like Gmail.com and Outlook.com. Or, if your business has a partnership with
other businesses like Contoso.com, Fabrikam.com, and Litware.com, and you want to restrict invitations to
only these organizations, you can add Contoso.com, Fabrikam.com, and Litware.com to your allow list.

https://docs.microsoft.com/en-us/azure/active-directory/b2b/allow-deny-list

Question 38: Skipped


Your customer is planning to migrate its on-premises data center to Microsoft Azure. You have the
following requirements.

Your customer wants to ensure that employees can use their current credentials to access both
on-premises hosted applications and cloud hosted applications.

Your customer is concerned about recent cyber-attacks on various organizations and wants to ensure
that user authentication does not suffer an outage even if there is an on-premises outage or a
cyber-attack.

Which authentication should you consider?

 ​
Password hash synchronization + Seamless SSO
(Correct)

 ​
Pass-through Authentication + Seamless SSO

 ​
Federation with AD FS

Explanation
Pass-through Authentication and federation rely on on-premises infrastructure. For pass-through
authentication, the on-premises footprint includes the server hardware and networking the Pass-through
Authentication agents require. For federation, the on-premises footprint is even larger. It requires servers
in your perimeter network to proxy authentication requests and the internal federation servers.

To avoid single points of failure, deploy redundant servers. Then authentication requests will always be
serviced if any component fails. Both pass-through authentication and federation also rely on domain
controllers to respond to authentication requests, which can also fail. Many of these components need
maintenance to stay healthy. Outages are more likely when maintenance isn't planned and implemented
correctly. Avoid outages by using password hash synchronization because the Microsoft Azure AD cloud
authentication service scales globally and is always available.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#recommendations

Question 39: Skipped


Your customer is planning to migrate its on-premises data center to Microsoft Azure. Your customer wants
to ensure that employees can use their current credentials to access both on-premises hosted applications
and cloud hosted applications. As applications are planned to migrate to the cloud, your security
administrator is concerned about the possibility of compromised credentials and expects the security
admin team to be informed as quickly as possible if credentials are compromised.

Which authentication should you consider?

 ​
Pass-through Authentication + Seamless SSO

 ​
Password hash synchronization + Seamless SSO
(Correct)

 ​
Federation with AD FS

Explanation
To detect leaked credentials, consider the Identity Protection feature. Some premium features of
Azure AD, like Identity Protection and Azure AD Domain Services, require password hash
synchronization, no matter which authentication method you choose.

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

Question 40: Skipped


Your customer is planning to migrate its on-premises data center to Microsoft Azure. Your customer wants
to make sure that company employees can use the same username and password that they use in the
on-premises environment. Your security administrator wants to automate the detection of identity-based
risks.

Which authentication should you recommend?

 ​
Azure AD password hash synchronization
(Correct)

 ​
Active Directory Federation Services (AD FS)

 ​
Azure AD Pass-through Authentication

Explanation
Azure AD password hash synchronization is the simplest way to enable authentication for on-premises
directory objects in Azure AD. Users can use the same username and password that they use on-premises
without having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity
Protection and Azure AD Domain Services, require password hash synchronization, no matter which
authentication method you choose.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

Question 41: Skipped


Your customer is planning to migrate its on-premises data center to Microsoft Azure. You need a secure
private connection between the on-premises networks and the Azure virtual networks. The connection
must offer a redundant pair of cross connections for high availability.

What should you recommend?

 ​
VPN Gateway

 ​
Azure Load Balancer

 ​
virtual network peering

 ​
ExpressRoute
(Correct)

Explanation
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private
connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to
Microsoft cloud services, such as Microsoft Azure and Office 365.

Connectivity can be from any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual
cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do
not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster
speeds, consistent latencies, and higher security than typical connections over the Internet.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

Question 42: Skipped


You have an Azure Active Directory (Azure AD) tenant named PreparationLabs.com. The tenant contains
a group called Group1. Group1 contains all the administrative user accounts. You discover several login
attempts to the Azure portal from countries where administrative users do not work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-
Factor Authentication (MFA).

Solution: Implement Azure AD Privileged Identity Management.

Does this solution meet the goal?

 ​
Yes

 ​
No
(Correct)

Explanation
Azure AD Privileged Identity Management does not meet this goal. To require MFA for sign-ins from
specific countries, configure Conditional Access policies in Azure Active Directory.

Question 43: Skipped
You have an Azure Active Directory (Azure AD) tenant named PreparationLabs.com. The tenant contains
a group called Group1. Group1 contains all the administrative user accounts. You discover several login
attempts to the Azure portal from countries where administrative users do not work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-
Factor Authentication (MFA).

Solution: Create an Access Review for Group1.

Does this solution meet the goal?

 ​
Yes

 ​
No
(Correct)

Explanation
An access review does not meet this goal. To require MFA for sign-ins from specific countries, configure
Conditional Access policies in Azure Active Directory.

Question 44: Skipped
You have an Azure Active Directory (Azure AD) tenant named PreparationLabs.com. The tenant contains
a group called Group1. Group1 contains all the administrative user accounts. You discover several login
attempts to the Azure portal from countries where administrative users do not work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-
Factor Authentication (MFA).

Solution: You implement an access package.

Does this solution meet the goal?

 ​
Yes

 ​
No
(Correct)

Explanation
An access package does not meet this goal. To require MFA for sign-ins from specific countries, configure
Conditional Access policies in Azure Active Directory.

Question 45: Skipped
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You
add the users in the following table.

User Role

User1 Owner

User2 Security Admin

User3 Network Contributor

You need to identify which user can add a subnet to VNet1.

 ​
User1 Only

 ​
User1 and User2 Only

 ​
User1, User2 and User3 Only

 ​
User1 and User3 Only
(Correct)

Explanation
The Owner role lets you manage everything.

The Network Contributor role lets you manage networks, including the creation of subnets.

Question 46: Skipped


You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You
add the users in the following table.

User Role

User1 Owner

User2 Security Admin

User3 Network Contributor

You need to identify which user can assign a user the Reader role to VNet1.

 ​
User1 Only
(Correct)

 ​
User1 and User2 Only

 ​
User1, User2 and User3 Only

 ​
User1 and User3 Only

Explanation
The Owner role lets you manage everything.

The Network Contributor and Security Admin roles do not let you manage role assignments.
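
The two answers above follow from how Azure RBAC matches an operation string against a role's Actions and NotActions lists. The following Python script is an added example, not part of the practice test, that reproduces that wildcard matching offline for the three users in the table. The role definitions are abbreviated from Microsoft's built-in Owner, Contributor, Security Admin and Network Contributor roles; treat the exact action lists as an assumption and confirm them with `az role definition list --name "<role>"` against your own tenant.

```python
import re
from typing import Dict, List

# Abbreviated built-in role definitions. Assumption: the real Security Admin and
# Contributor lists are longer than shown here; verify against your tenant.
BUILT_IN_ROLES = {
    "Owner": {
        "Actions": ["*"],
        "NotActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Security Admin": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Authorization/policyAssignments/*",
            "Microsoft.Authorization/policyDefinitions/*",
            "Microsoft.Authorization/policySetDefinitions/*",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Security/*",
            "Microsoft.Support/*",
        ],
        "NotActions": [],
    },
    "Network Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Network/*",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
        ],
        "NotActions": [],
    },
}

# Role assignments from the question (scoped to VNet1 in Subscription1).
ASSIGNMENTS = {"User1": "Owner", "User2": "Security Admin", "User3": "Network Contributor"}

# The control-plane operations behind the two questions.
CREATE_SUBNET = "Microsoft.Network/virtualNetworks/subnets/write"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"


def action_matches(pattern: str, action: str) -> bool:
    """RBAC wildcard semantics: '*' spans any number of path segments; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role: str, action: str) -> bool:
    """Permitted when some Actions entry matches and no NotActions entry matches."""
    definition = BUILT_IN_ROLES[role]
    allowed = any(action_matches(p, action) for p in definition["Actions"])
    excluded = any(action_matches(p, action) for p in definition["NotActions"])
    return allowed and not excluded


def users_permitted(assignments: Dict[str, str], action: str) -> List[str]:
    """Users whose assigned role permits the operation, sorted by name."""
    return sorted(user for user, role in assignments.items() if role_permits(role, action))


if __name__ == "__main__":
    print("can add a subnet:", users_permitted(ASSIGNMENTS, CREATE_SUBNET))
    print("can assign the Reader role:", users_permitted(ASSIGNMENTS, ASSIGN_ROLE))
```

The model covers control-plane Actions only; a real evaluation also applies deny assignments (checked before role assignments) and the separate DataActions/NotDataActions lists, so use it to reason about questions like these, not as a substitute for the portal's Check access tab.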

Question 47: Skipped


You are the owner for an Azure subscription named Subscription1. You are asked to check the access for a
user named User1. What steps should you follow in Azure portal?
 ​
Navigate to Subscriptions
Click on check access
Enter user1 and search

 ​
Navigate to Subscriptions
Click on access control (IAM)
Click on check access
Enter user1 and search
(Correct)

 ​
Navigate to Azure Active Directory
Search for User1
Click on check access

Explanation
In the Azure portal, click All services and then Subscriptions.

Click your subscription.

Click Access control (IAM).

Click the Check access tab.

In the Find list, select the type of security principal you want to check access for.

In the search box, enter a string to search the directory for display names, email addresses, or object
identifiers.

https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access

Question 48: Skipped


You are the administrator of a Microsoft Azure environment. You must ensure that whenever an employee
joins the organization, access is provided to the employee, and whenever the employee moves to a
different role, the employee's access is reassessed.

You need to utilize the Azure Active Directory (Azure AD) features to reduce administrator effort. Which
feature should you consider?

 ​
Implement Azure Policy

 ​
Implement Azure Monitoring

 ​
Create access reviews in Azure AD
(Correct)

Explanation
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group
memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a
regular basis to make sure only the right people have continued access.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Question 49: Skipped


Which of the below rules should you configure in Azure firewall to allow incoming internet connections?

 ​
Application rules

 ​
Network rules

 ​
NAT rules
(Correct)

Explanation
There are three types of rule collections:

Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.

Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination
addresses.

NAT rules: Configure DNAT rules to allow incoming Internet connections.

https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-are-some-azure-firewall-concepts

Question 50: Skipped


You are designing an application that must be accessible only from specific locations. Users who access
the application from all other locations must be blocked. Which Azure Active Directory (Azure AD) license
should you use to fulfill this requirement while keeping license costs minimal?

 ​
Free

 ​
Basic

 ​
Premium P1
(Correct)

 ​
Premium P2

Explanation
Both the Premium P1 and Premium P2 licenses support the advanced features of Conditional Access,
including location-based policies. The Premium P1 license costs less than Premium P2. Although Azure
AD Conditional Access baseline policies can be used in the Free and Basic tiers, they do not include
location-based policies.

https://azure.microsoft.com/en-us/pricing/details/active-directory/

Question 51: Skipped


You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.
When a developer attempts to register an app named App1 in the tenant, the developer receives the error
message shown in the following exhibit.
You need to ensure that the developer can register App1 in the tenant.

What should you do for the tenant?

 ​
Modify the Directory properties.

 ​
Set Enable Security defaults to Yes

 ​
Configure the Consent and permissions settings for enterprise applications.

 ​
Modify the User settings.
(Correct)

Explanation
To allow users to register their own applications:

In the Azure portal, go to the User settings section under Azure Active Directory

Change Users can register applications to Yes

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-
added#who-has-permission-to-add-applications-to-my-azure-ad-instance

Question 52: Skipped


This is a case study. Case studies are not timed separately. You can use as much exam time as you would
like to complete each case. However, there may be additional case studies and sections on this exam. You
must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided
in the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other
questions in this case study.

Overview -
PreparationLabs, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.
The company hosts its entire server infrastructure in Azure.
PreparationLabs has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to
an Azure Active Directory (Azure AD) tenant named PreparationLabs.com.

Existing Environment -

Azure AD -
PreparationLabs.com contains the users shown in the following table.

PreparationLabs.com contains the security groups shown in the following table.

Name Membership type Dynamic membership rule

Group1 Dynamic user user.city -contains "ON"

Group2 Dynamic user user.city -match ".*on"

Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.

Sub1 contains the Azure policies shown in the following table.

Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each
virtual machine allow ping requests and web requests.

Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.

NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -

PreparationLabs identifies the following technical requirements:

Deploy Azure Firewall to VNetwork1 in Sub2.

Register an application named App2 in PreparationLabs.com.

Whenever possible, use the principle of least privilege.

Enable Azure AD Privileged Identity Management (PIM) for PreparationLabs.com.

Question
You assign User8 the Owner role for RG4, RG5, and RG6.

In which resource groups can User8 create virtual networks?

 ​
RG4 only

 ​
RG6 only

 ​
RG5 and RG6 only
(Correct)

 ​
RG4, RG5 and RG6

Explanation
Virtual networks are not allowed in RG4 as per the policy applied on RG4.

In RG5, subnets are not allowed as per the policy. We can create a VNet without a subnet through Azure
CLI.

So, User8 can create Virtual networks on RG5 & RG6.

Question 53: Skipped


This is a case study. Case studies are not timed separately. You can use as much exam time as you would
like to complete each case. However, there may be additional case studies and sections on this exam. You
must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided
in the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other
questions in this case study.

Overview -
PreparationLabs, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.
The company hosts its entire server infrastructure in Azure.
PreparationLabs has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to
an Azure Active Directory (Azure AD) tenant named PreparationLabs.com.

Existing Environment -
Azure AD -
PreparationLabs.com contains the users shown in the following table.

PreparationLabs.com contains the security groups shown in the following table.

Name Membership type Dynamic membership rule

Group1 Dynamic user user.city -contains "ON"

Group2 Dynamic user user.city -match ".*on"

Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.

Sub1 contains the Azure policies shown in the following table.

Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each
virtual machine allow ping requests and web requests.

Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.

NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -

PreparationLabs identifies the following technical requirements:


Deploy Azure Firewall to VNetwork1 in Sub2.

Register an application named App2 in PreparationLabs.com.

Whenever possible, use the principle of least privilege.

Enable Azure AD Privileged Identity Management (PIM) for PreparationLabs.com.

Question

You assign User8 the Owner role for RG4, RG5, and RG6.

In which resource groups can User8 create NSGs?

 ​
RG4 only

 ​
RG6 only

 ​
RG4 and RG6 only
(Correct)

 ​
RG4, RG5 and RG6

Explanation
Network security groups are not allowed in RG5 as per the policy applied on RG5.

So, User8 can create network security groups in RG4 and RG6.

Question 54: Skipped


This is a case study. Case studies are not timed separately. You can use as much exam time as you would
like to complete each case. However, there may be additional case studies and sections on this exam. You
must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided
in the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other
questions in this case study.

Overview -
PreparationLabs, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.
The company hosts its entire server infrastructure in Azure.
PreparationLabs has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to
an Azure Active Directory (Azure AD) tenant named PreparationLabs.com.

Existing Environment -

Azure AD -
PreparationLabs.com contains the users shown in the following table.

PreparationLabs.com contains the security groups shown in the following table.

Name Membership type Dynamic membership rule

Group1 Dynamic user user.city -contains "ON"

Group2 Dynamic user user.city -match ".*on"

Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.

Sub1 contains the Azure policies shown in the following table.

Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each
virtual machine allow ping requests and web requests.

Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.

NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -

PreparationLabs identifies the following technical requirements:


Deploy Azure Firewall to VNetwork1 in Sub2.

Register an application named App2 in PreparationLabs.com.

Whenever possible, use the principle of least privilege.

Enable Azure AD Privileged Identity Management (PIM) for PreparationLabs.com.

Question

You are evaluating the effect of the application security groups on the network communication between
the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

1. From VM1, you can successfully ping the private IP address of VM4

2. From VM2, you can successfully ping the private IP address of VM4

3. From VM1, you can connect to the web server on VM4

 ​
Yes, Yes, No

 ​
Yes, No, Yes

 ​
No, Yes, Yes
(Correct)

 ​
No, No, No

Explanation
1. VM1 is associated with NSG2 and ASG1. VM4 is associated with NSG3 and ASG1.

Outbound traffic from VM1 is allowed.

NSG3 allows only TCP traffic from ASG1 to ASG1. Ping uses ICMP, not TCP. So, the answer is No.

2. VM2 is associated with NSG2, NSG1 and ASG2. VM4 is associated with NSG3 and ASG1.

Outbound traffic from VM2 is allowed.

NSG3 allows any traffic from ASG2. So, the answer is Yes.

3. VM1 is associated with NSG2 and ASG1. VM4 is associated with NSG3 and ASG1.

Outbound traffic from VM1 is allowed.

NSG3 allows TCP traffic from ASG1 to ASG1, and the web server is reached over TCP. So, the answer is Yes.

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
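
The three verdicts above depend on rule priority, the ASG each VM belongs to, and the protocol. The following Python model is an added example, not part of the practice test: it evaluates a flow the way an NSG does (lowest priority number first, first match wins, Azure's default rules appended after the custom ones, and every NSG on the path must allow the flow). The NSG tables themselves are not reproduced on the page, so the custom inbound rules for NSG3 are constructed to match the explanation; note the explicit deny at priority 120, without which the default AllowVnetInBound rule at 65000 would let the ping through.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int                                # lower number wins; the first match ends evaluation
    action: str                                  # "Allow" or "Deny"
    protocol: str                                # "TCP", "UDP", "ICMP" or "Any"
    source: str                                  # ASG name, service tag or "Any"
    destination: str
    dest_ports: Optional[FrozenSet[int]] = None  # None means any destination port


@dataclass(frozen=True)
class Vm:
    name: str
    nsgs: Tuple[str, ...]      # subnet and/or NIC NSGs; each of them must allow the flow
    asgs: FrozenSet[str]       # application security groups the NIC belongs to


# Default rules that Azure appends to every NSG.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "Any", "VirtualNetwork", "VirtualNetwork"),
    Rule(65001, "Allow", "Any", "AzureLoadBalancer", "Any"),
    Rule(65500, "Deny", "Any", "Any", "Any"),
]
DEFAULT_OUTBOUND = [
    Rule(65000, "Allow", "Any", "VirtualNetwork", "VirtualNetwork"),
    Rule(65001, "Allow", "Any", "Any", "Internet"),
    Rule(65500, "Deny", "Any", "Any", "Any"),
]

# Constructed custom rules (assumption): NSG3 as described in the explanation, NSG1/NSG2 defaults only.
INBOUND: Dict[str, List[Rule]] = {
    "NSG1": [],
    "NSG2": [],
    "NSG3": [
        Rule(100, "Allow", "TCP", "ASG1", "ASG1"),
        Rule(110, "Allow", "Any", "ASG2", "ASG1"),
        Rule(120, "Deny", "Any", "Any", "Any"),   # without this, AllowVnetInBound (65000) would allow the ping
    ],
}
OUTBOUND: Dict[str, List[Rule]] = {"NSG1": [], "NSG2": [], "NSG3": []}

VM1 = Vm("VM1", ("NSG2",), frozenset({"ASG1"}))
VM2 = Vm("VM2", ("NSG1", "NSG2"), frozenset({"ASG2"}))
VM4 = Vm("VM4", ("NSG3",), frozenset({"ASG1"}))


def selector_matches(selector: str, vm: Vm) -> bool:
    """A VM addressed by its private IP matches Any, VirtualNetwork and its own ASGs; nothing else."""
    if selector in ("Any", "VirtualNetwork"):
        return True
    return selector in vm.asgs


def first_match(rules: List[Rule], protocol: str, port: Optional[int], src: Vm, dst: Vm) -> Rule:
    """Return the highest-priority (lowest number) rule that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("Any", protocol):
            continue
        if not selector_matches(rule.source, src) or not selector_matches(rule.destination, dst):
            continue
        if rule.dest_ports is not None and port not in rule.dest_ports:
            continue
        return rule
    raise AssertionError("the 65500 deny-all default always matches")


def flow_allowed(src: Vm, dst: Vm, protocol: str, port: Optional[int] = None) -> bool:
    """Outbound rules on the source's NSGs, then inbound rules on the destination's NSGs; all must allow."""
    for nsg in src.nsgs:
        if first_match(OUTBOUND[nsg] + DEFAULT_OUTBOUND, protocol, port, src, dst).action != "Allow":
            return False
    for nsg in dst.nsgs:
        if first_match(INBOUND[nsg] + DEFAULT_INBOUND, protocol, port, src, dst).action != "Allow":
            return False
    return True


def answer_question_54() -> Tuple[str, ...]:
    """The three statements from the question, evaluated against the constructed rules."""
    checks = [
        flow_allowed(VM1, VM4, "ICMP"),      # 1. ping VM4 from VM1
        flow_allowed(VM2, VM4, "ICMP"),      # 2. ping VM4 from VM2
        flow_allowed(VM1, VM4, "TCP", 80),   # 3. HTTP to VM4 from VM1
    ]
    return tuple("Yes" if ok else "No" for ok in checks)


if __name__ == "__main__":
    print(answer_question_54())
```

The model ignores service-tag IP ranges and NSG flow logs; in a real environment, verify a specific flow with Network Watcher's IP flow verify rather than reasoning by hand.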

Question 55: Skipped


This is a case study. Case studies are not timed separately. You can use as much exam time as you would
like to complete each case. However, there may be additional case studies and sections on this exam. You
must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided
in the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other
questions in this case study.

Overview -
PreparationLabs, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.
The company hosts its entire server infrastructure in Azure.
PreparationLabs has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to
an Azure Active Directory (Azure AD) tenant named PreparationLabs.com.

Existing Environment -

Azure AD -
PreparationLabs.com contains the users shown in the following table.

PreparationLabs.com contains the security groups shown in the following table.

Name Membership type Dynamic membership rule

Group1 Dynamic user user.city -contains "ON"

Group2 Dynamic user user.city -match ".*on"

Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.

Sub1 contains the Azure policies shown in the following table.

Sub2 contains the virtual networks shown in the following table.

Sub2 contains the virtual machines shown in the following table.
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each
virtual machine allow ping requests and web requests.

Sub2 contains the network security groups (NSGs) shown in the following table.

NSG1 has the inbound security rules shown in the following table.

NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.

NSG4 has the inbound security rules shown in the following table.

NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Technical requirements -

PreparationLabs identifies the following technical requirements:

Deploy Azure Firewall to VNetwork1 in Sub2.

Register an application named App2 in PreparationLabs.com.

Whenever possible, use the principle of least privilege.

Enable Azure AD Privileged Identity Management (PIM) for PreparationLabs.com.

Question
What is the membership of Group2?

 ​
No members

 ​
Only User3
(Correct)

 ​
Only User1 and User3

 ​
User1, User2, User3 and User4

Explanation
The -match operator is used for matching any regular expression. For example:

user.displayName -match "Da.*" evaluates to true for Da, Dav, and David, whereas aDa evaluates to
false.

-match ".*on" is true only for London (User3), because "London" is the only city value that ends with
"on".

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
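
The explanation above hinges on how the -match and -contains operators are evaluated. The following Python script, an added example that is not part of the practice test, evaluates single-clause dynamic membership rules against a constructed user list (the page does not reproduce the real user table, so the cities here are invented from the office locations in the overview plus London). It treats -match as a full regular-expression match, which is the reading the explanation uses. Whether the service compares case-sensitively is exposed as a parameter because that alone decides Group1's membership; confirm the service's behaviour against the linked documentation before relying on either setting.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory (assumption): the real user table is not reproduced on the page.
USERS: Dict[str, Dict[str, str]] = {
    "User1": {"city": "Montreal"},
    "User2": {"city": "Seattle"},
    "User3": {"city": "London"},
    "User4": {"city": "New York"},
}

# user.<property> -<operator> "<value>"
RULE_RE = re.compile(r'^user\.(\w+)\s+-(\w+)\s+"([^"]*)"$')


def parse_rule(rule: str) -> Tuple[str, str, str]:
    """Split a rule into (property, operator, value); tolerates curly quotes and en-dashes from copy-paste."""
    cleaned = (rule.strip()
               .replace("\u201c", '"').replace("\u201d", '"')
               .replace("\u2013", "-"))
    match = RULE_RE.match(cleaned)
    if not match:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    prop, op, value = match.groups()
    return prop, op.lower(), value


def evaluate(actual: Optional[str], op: str, expected: str, case_sensitive: bool) -> bool:
    """Apply one operator to one attribute value; a missing attribute never matches."""
    if actual is None:
        return False
    flags = 0 if case_sensitive else re.IGNORECASE
    if not case_sensitive and op in ("eq", "ne", "contains", "notcontains", "startswith"):
        actual, expected = actual.lower(), expected.lower()
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    if op == "contains":
        return expected in actual
    if op == "notcontains":
        return expected not in actual
    if op == "startswith":
        return actual.startswith(expected)
    if op == "match":                       # whole-value regular-expression match
        return re.fullmatch(expected, actual, flags) is not None
    if op == "notmatch":
        return re.fullmatch(expected, actual, flags) is None
    raise ValueError(f"unsupported operator -{op}")


def members(rule: str, users: Dict[str, Dict[str, str]], case_sensitive: bool = False) -> List[str]:
    """Users whose attribute satisfies the rule, sorted by name."""
    prop, op, expected = parse_rule(rule)
    return sorted(user for user, attrs in users.items()
                  if evaluate(attrs.get(prop), op, expected, case_sensitive))


if __name__ == "__main__":
    for rule in ('user.city -contains "ON"', 'user.city -match ".*on"'):
        for sensitive in (True, False):
            print(f"{rule}  case_sensitive={sensitive}: {members(rule, USERS, sensitive)}")
```

Running the script side by side with both settings makes the point the explanation relies on: ".*on" as a whole-value match selects only London in either mode, whereas the -contains "ON" result swings from nobody to everyone whose city contains "on", which is exactly the kind of surprise to test for before a dynamic group is used to grant access.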

Question 56: Skipped


This is a case study. Case studies are not timed separately. You can use as much exam time as you would
like to complete each case. However, there may be additional case studies and sections on this exam. You
must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided
in the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other
questions in this case study.

Overview -
PreparationLabs, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.
The company hosts its entire server infrastructure in Azure.
PreparationLabs has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to
an Azure Active Directory (Azure AD) tenant named PreparationLabs.com.

Existing Environment -
Azure AD -
PreparationLabs.com contains the users shown in the following table.

PreparationLabs.com contains the security groups shown in the following table.

Name     Membership type   Dynamic membership rule

Group1   Dynamic user      user.city -contains "ON"

Group2   Dynamic user      user.city -match ".*on"

Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6.
User9 creates the virtual networks shown in the following table.

Sub1 contains the locks shown in the following table.


Sub1 contains the Azure policies shown in the following table.


Sub2 contains the virtual networks shown in the following table.


Sub2 contains the virtual machines shown in the following table.

All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each
virtual machine allow ping requests and web requests.

Sub2 contains the network security groups (NSGs) shown in the following table.


NSG1 has the inbound security rules shown in the following table.


NSG2 has the inbound security rules shown in the following table.

NSG3 has the inbound security rules shown in the following table.


NSG4 has the inbound security rules shown in the following table.


NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.


Technical requirements -

PreparationLabs identifies the following technical requirements:


Deploy Azure Firewall to VNetwork1 in Sub2.

Register an application named App2 in PreparationLabs.com.

Whenever possible, use the principle of least privilege.

Enable Azure AD Privileged Identity Management (PIM) for PreparationLabs.com.

Question

What is the membership of Group1?

No members

Only User2

Only User2 and User4

User1, User2, User3, and User4
(Correct)

Explanation
-contains is a partial-string (substring) test, not a regular expression, and the comparison is not case sensitive. "ON" is found in Montreal (User1), MONTREAL (User2), London (User3), and Ontario (User4), so all four users are members of Group1.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
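The following PowerShell is added here as a worked example and is not part of the practice test. It turns the two rules from the case study (the Group2 question above and Question 56) into a repeatable check: using the Microsoft Graph PowerShell SDK, it evaluates each rule against each user through the Graph evaluateDynamicMembership action before any group exists, then creates Group1 and Group2 with those rules and reads the computed membership back. The user principal names (user1 through user4 at preparationlabs.com) and the Graph permission scopes are assumptions.

```powershell
# Added example, not part of the practice test. Tests the two case-study
# rules against each user through the Graph evaluateDynamicMembership action
# before any group exists, then creates Group1 and Group2 with those rules.
# Assumptions: the Microsoft.Graph module is installed and the four users are
# user1@preparationlabs.com .. user4@preparationlabs.com.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$rules = [ordered]@{
    Group1 = 'user.city -contains "ON"'   # substring test, not case sensitive
    Group2 = 'user.city -match ".*on"'    # regular expression over the whole value
}
$upns = 'user1', 'user2', 'user3', 'user4' | ForEach-Object { "$_@preparationlabs.com" }

# Evaluate every (user, rule) pair without creating anything.
$evaluation = foreach ($upn in $upns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, City
    foreach ($group in $rules.Keys) {
        $result = Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/v1.0/groups/evaluateDynamicMembership' `
            -Body @{ memberId = $user.Id; membershipRule = $rules[$group] }
        [pscustomobject]@{
            Group  = $group
            User   = $user.UserPrincipalName
            City   = $user.City
            Member = [bool]$result.membershipRuleEvaluationResult
        }
    }
}
$evaluation | Sort-Object Group, User | Format-Table -AutoSize

# Create the groups once the evaluation matches the intended membership.
# MailNickname must be unique; processing state "On" starts the asynchronous
# membership calculation, so members appear a little later, not immediately.
foreach ($group in $rules.Keys) {
    New-MgGroup -DisplayName $group -MailNickname $group.ToLower() `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rules[$group] `
        -MembershipRuleProcessingState 'On' | Out-Null
}

# Later: confirm the computed membership against the evaluation above.
foreach ($group in $rules.Keys) {
    $g = Get-MgGroup -Filter "displayName eq '$group'"
    $members = Get-MgGroupMember -GroupId $g.Id -All |
        ForEach-Object { (Get-MgUser -UserId $_.Id -Property UserPrincipalName).UserPrincipalName }
    "{0}: {1}" -f $group, ($members -join ', ')
}
```

One trap when checking rules by hand: PowerShell's own -match operator is an unanchored regular-expression match, so 'Montreal' -match '.*on' is $true at a PowerShell prompt even though the Azure AD rule does not put User1 in Group2. Evaluate rules through the service, as above, rather than with the local operator, especially when the group is used as an include or exclude in a Conditional Access policy or a role assignment.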

Question 57: Skipped


You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

The tenant contains the named locations shown in the following table.
You create the conditional access policies for a cloud app named App1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

1. User1 can access App1 from an IP address of 154.12.18.10

2. User2 can access App1 from an IP address of 193.77.10.15

3. User2 can access App1 from an IP address of 154.12.18.34

Yes, No, No

No, Yes, Yes

Yes, Yes, No
(Correct)

No, No, No

Explanation
When more than one Conditional Access policy applies to a sign-in, every applicable policy is evaluated and its controls are enforced together: a block in any applicable policy wins over a grant in another, and a user listed in a policy's exclusions is not subject to that policy at all.

1. User1 is a member of Group1 and Group2 and signs in to App1 from the Boston IP range. Policy1 blocks Group1 from the Boston location, but Policy1 excludes Group2, so it does not apply to User1 and the sign-in is allowed.

2. User2 is a member of Group2 and signs in to App1 from Seattle. No policy blocks that combination, so the sign-in is allowed, although Policy4 requires User2 to complete MFA.

3. User2 signs in to App1 from the Boston location. Policy3 blocks that sign-in.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access

Question 58: Skipped


You create an Azure web app named webapp1 that uses an S1 App Service plan.

You plan to create a CNAME DNS record for www.preparationlabs.com that points to webapp1. You need to ensure that users can access webapp1 by using the https://www.preparationlabs.com URL.

Which two actions should you perform?

Enable managed identity for webapp1.

Add a hostname to webapp1.
(Correct)

Scale out the App Service plan of webapp1.

Add a deployment slot to webapp1.

Scale up the App Service plan of webapp1.

Upload a PFX file to webapp1.
(Correct)

Explanation
An S1 (Standard) plan already supports custom domains and TLS bindings, so neither scaling up nor scaling out is needed, and managed identity and deployment slots have nothing to do with hostnames. Two steps remain: add www.preparationlabs.com as a hostname of webapp1 (App Service verifies ownership through the CNAME record together with an asuid.www TXT record carrying the app's custom domain verification ID), and upload a PFX certificate issued for that name and bind it to the hostname so that the https:// URL serves a valid certificate.

https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
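The two actions above, carried out end to end with the Az.Websites and Az.Dns modules, as an added example that is not part of the practice test. It assumes that resource group RG1 holds both webapp1 and an Azure DNS zone for preparationlabs.com, and that the certificate path and password are placeholders to be replaced.

```powershell
# Added example, not part of the practice test. Maps www.preparationlabs.com to
# webapp1 and binds an uploaded PFX certificate to that hostname.
# Assumptions: resource group RG1 holds both the app and an Azure DNS zone for
# preparationlabs.com; the certificate path and password are placeholders.
$rg      = 'RG1'
$app     = 'webapp1'
$zone    = 'preparationlabs.com'
$label   = 'www'
$fqdn    = "$label.$zone"
$pfxPath = 'C:\certs\www.preparationlabs.com.pfx'
$pfxPass = 'replace-with-the-pfx-password'

$site = Get-AzWebApp -ResourceGroupName $rg -Name $app

# 1. DNS: the CNAME the question asks for, plus the asuid TXT record that
#    App Service uses to prove you control the name before it accepts it.
New-AzDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -Name $label `
    -RecordType CNAME -Ttl 3600 `
    -DnsRecords (New-AzDnsRecordConfig -Cname "$app.azurewebsites.net") | Out-Null
New-AzDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -Name "asuid.$label" `
    -RecordType TXT -Ttl 3600 `
    -DnsRecords (New-AzDnsRecordConfig -Value $site.CustomDomainVerificationId) | Out-Null

# 2. Add the hostname. -HostNames replaces the whole list, so keep the
#    existing names (including the default *.azurewebsites.net one).
$hostNames = @($site.HostNames) + $fqdn | Select-Object -Unique
Set-AzWebApp -ResourceGroupName $rg -Name $app -HostNames $hostNames | Out-Null

# 3. Upload the PFX and bind it to the hostname (SNI, which S1 supports).
New-AzWebAppSSLBinding -ResourceGroupName $rg -WebAppName $app -Name $fqdn `
    -CertificateFilePath $pfxPath -CertificatePassword $pfxPass `
    -SslState SniEnabled | Out-Null

# 4. Refuse plain HTTP so the https:// URL is the only one that works.
Set-AzWebApp -ResourceGroupName $rg -Name $app -HttpsOnly $true | Out-Null

# Check: the binding exists and the site answers over TLS.
Get-AzWebAppSSLBinding -ResourceGroupName $rg -WebAppName $app |
    Select-Object Name, SslState, Thumbprint
(Invoke-WebRequest -Uri "https://$fqdn" -UseBasicParsing).StatusCode
```

Wait for the CNAME and TXT records to resolve before step 2; the hostname add fails validation until App Service can see them. The -HttpsOnly switch is not one of the question's answers, but without it the plain http:// URL keeps working alongside the new https:// one.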
Question 59: Skipped
You need to create an Azure key vault. The solution must ensure that any object deleted from the key vault is retained for 90 days.
Which two parameters should you add to complete the command below?

New-AzKeyVault -Name MyKeyVault -ResourceGroupName RG1 -Location westus

-EnableSoftDelete
(Correct)

-EnablePurgeProtection
(Correct)

-SKU

-Tag

-EnabledForDeployment

Explanation
-EnableSoftDelete keeps a deleted vault, key, secret, or certificate in a recoverable state for the retention period (90 days by default) instead of removing it immediately.

-EnablePurgeProtection stops anyone, including a vault Owner, from purging a soft-deleted object before the retention period has elapsed. It requires soft delete to be enabled and, once set, cannot be turned off.

-SKU, -Tag, and -EnabledForDeployment do not affect deletion behaviour. The page cited below documents the older AzureRM cmdlet; in the current Az.KeyVault module soft delete is enabled on every new vault, the retention period is set with -SoftDeleteRetentionInDays (7 to 90), and purge protection is still opt-in with -EnablePurgeProtection.

https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/new-azurermkeyvault?view=azurermps-6.13.0#parameters
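The same requirement with the current Az.KeyVault module, followed by the check a practitioner would run before trusting it, as an added example that is not part of the practice test: delete a secret, confirm it is recoverable, confirm an early purge is refused, and recover it. The resource group and vault name are assumptions, and the caller is assumed to hold an access policy or a Key Vault Secrets Officer role on the new vault (the creating account gets an access policy by default when the vault is created without -EnableRbacAuthorization).

```powershell
# Added example, not part of the practice test. Creates a vault whose deleted
# objects are kept for 90 days and cannot be purged early, then exercises the
# delete / recover path. Resource group and vault name are assumptions.
$rg    = 'RG1'
$vault = 'kv-preplabs-demo'   # vault names are global; pick an unused one

New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location westus `
    -SoftDeleteRetentionInDays 90 -EnablePurgeProtection | Out-Null

# Check the protection state: both flags must be True for the requirement.
Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg |
    Select-Object VaultName, EnableSoftDelete, SoftDeleteRetentionInDays, EnablePurgeProtection

# Delete a secret and show that it is recoverable rather than gone.
$value = ConvertTo-SecureString 'example-value' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name demo -SecretValue $value | Out-Null
Remove-AzKeyVaultSecret -VaultName $vault -Name demo -Force

Get-AzKeyVaultSecret -VaultName $vault -Name demo -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate

# With purge protection on, the service rejects an early purge even from an
# Owner; this is what actually guarantees the 90-day retention.
try {
    Remove-AzKeyVaultSecret -VaultName $vault -Name demo -InRemovedState -Force -ErrorAction Stop
    Write-Warning 'Purge succeeded: purge protection is NOT in effect on this vault'
} catch {
    "Purge refused as expected: $($_.Exception.Message)"
}

# Recover the secret and confirm it is back in the active state.
Undo-AzKeyVaultSecretRemoval -VaultName $vault -Name demo | Out-Null
(Get-AzKeyVaultSecret -VaultName $vault -Name demo).Name
```

Purge protection is the part worth being deliberate about: it is irreversible, and it also blocks purging the vault itself, so a vault created this way cannot be fully removed until every soft-deleted object has aged out of its retention period.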

Question 60: Skipped

You have an Azure subscription that contains four Azure SQL managed instances.
You need to evaluate the vulnerability of the managed instances to SQL injection attacks.
What should you do first?

Create an Azure Sentinel workspace.

Enable Advanced Data Security.
(Correct)

Add the SQL Health Check solution to Azure Monitor.

Create an Azure Advanced Threat Protection (ATP) instance.

Explanation
Advanced Data Security (since renamed Microsoft Defender for SQL) is the package that bundles Data Discovery & Classification, Vulnerability Assessment, and Advanced Threat Protection for a logical server or a managed instance. Vulnerability Assessment scans each database for misconfigurations and excessive permissions, and Advanced Threat Protection raises "Vulnerability to SQL injection" and "Potential SQL injection" alerts when an application issues malformed or injected statements, so enabling the package is the prerequisite for everything else. Azure Sentinel, the SQL Health Check solution, and Azure ATP (now Defender for Identity, which monitors on-premises Active Directory) do not provide that assessment.

The cmdlet cited below, Enable-AzSqlServerAdvancedDataSecurity, targets logical SQL servers; the managed-instance equivalent is Enable-AzSqlInstanceAdvancedDataSecurity.

https://docs.microsoft.com/en-us/powershell/module/az.sql/enable-azsqlserveradvanceddatasecurity?view=azps-5.4.0
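An added PowerShell example (not from the practice test) showing the managed-instance form of the cmdlet and what follows it with the Az.Sql module: enable the package, point Vulnerability Assessment at a storage account you control, run a scan on one database, and read the result. The resource group, instance, database, storage account, and notification address are assumptions.

```powershell
# Added example, not part of the practice test. Enables Advanced Data Security
# (Defender for SQL) on a managed instance, configures vulnerability assessment
# with a storage account you control, runs an on-demand scan and reads it back.
# Resource group, instance, database, storage account and e-mail are assumptions.
$rg       = 'RG1'
$instance = 'sqlmi1'
$database = 'db1'
$storage  = 'stvascans001'

# Turns on classification, vulnerability assessment and threat protection.
# (Without -DoNotConfigureVulnerabilityAssessment it auto-provisions storage;
#  the next call overrides that with an account of our choosing.)
Enable-AzSqlInstanceAdvancedDataSecurity -ResourceGroupName $rg -InstanceName $instance

Update-AzSqlInstanceVulnerabilityAssessmentSetting -ResourceGroupName $rg -InstanceName $instance `
    -StorageAccountName $storage -ScanResultsContainerName 'vulnerability-assessment' `
    -RecurringScansInterval Weekly -EmailAdmins $true `
    -NotificationEmail @('secops@preparationlabs.com')

# Run a scan now rather than waiting for the weekly schedule.
$scanId = 'manual-' + (Get-Date -Format 'yyyyMMddHHmmss')
Start-AzSqlInstanceDatabaseVulnerabilityAssessmentScan -ResourceGroupName $rg `
    -InstanceName $instance -DatabaseName $database -ScanId $scanId

# Read the record: state, timing and how many checks failed.
Get-AzSqlInstanceDatabaseVulnerabilityAssessmentScanRecord -ResourceGroupName $rg `
    -InstanceName $instance -DatabaseName $database -ScanId $scanId |
    Format-List ScanId, State, StartTime, EndTime, NumberOfFailedSecurityChecks

# Export the full findings (one row per rule) to an Excel workbook for review.
Convert-AzSqlInstanceDatabaseVulnerabilityAssessmentScan -ResourceGroupName $rg `
    -InstanceName $instance -DatabaseName $database -ScanId $scanId
```

Repeat the scan and export for each database on each of the four instances; the scan is per database, while the enablement and storage settings are per instance. The SQL injection alerts themselves come from the threat protection component and appear in Defender for Cloud once the package is enabled, with no further configuration on the instance.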
