AZ-500 Azure Security Engineer
This practice exam is designed to assess your readiness for the AZ-500 Azure Security Engineer Associate exam. This quiz is NOT intended to simulate the actual exam. It is intended to test your knowledge of the concepts covered on the exam.
1 / 79
A resource forest in Azure AD Domain Services will sync accounts from on-premises as well as Azure.
Only a user forest synchronizes accounts from on-premises AD.
2 / 79
Azure HDInsight supports Azure AD authentication for service access.
HDInsight supports Azure AD at both the resource level and data level.
3 / 79
Azure Security Center (ASC) uses Azure Policy to configure default monitoring and remediation behaviors.
It is true that the ASC includes a default Azure policy containing a number of default settings that control monitoring and remediation behavior.
4 / 79
You can use Azure AD authentication to secure Key Vault at the management plane.
You can secure a Key Vault instance using Azure AD authentication.
5 / 79
You can limit operations on a key in Azure Key Vault by configuring the settings under Permitted operations.
You can limit a variety of operations under Permitted operations, like Encrypt, Decrypt, Sign, and Verify.
6 / 79
When automating key rotation, Azure Automation runbooks require the use of the AzureRM module with key rotation for Azure Storage.
Azure Automation runbooks require the legacy AzureRM module for authentication, Azure Storage interactions, and some other operations.
7 / 79
The Free tier of Azure Security Center (ASC) allows you to change the default policy to disable checks that you wish to ignore.
The free tier of ASC does identify configurations that deviate from best practices for network resources, as well as storage, compute, and other services.
8 / 79
VMs included in an Application Security Group cannot be located in different Azure regions.
Members of an Application Security Group must be located in the same Azure region.
9 / 79
Advanced Threat Protection in Security Center can be enabled for an App Service plan only if the plan is associated with dedicated machines.
Only App Services associated with dedicated machines can be enabled for advanced threat protection. Security Center doesn't support the Free, Shared, or Consumption plans.
10 / 79
Azure Disk Encryption uses Bitlocker to encrypt OS and data volumes.
Azure Disk Encryption does utilize Bitlocker for Windows VMs.
11 / 79
SAS tokens can be configured to restrict access by IP address.
SAS tokens can restrict access to specific IPs or IP ranges.
12 / 79
SAS tokens provide root access to an Azure Storage account until the key is revoked or rolled.
This describes Shared Keys. SAS tokens are limited to a specific span of time.
13 / 79
You can configure Transparent Data Encryption for individual database columns containing your sensitive data.
TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key (DEK).
14 / 79
You cannot configure Always Encrypted for individual database columns containing your sensitive data.
You can encrypt individual database columns.
15 / 79
Azure Data Lake supports Azure AD identities in data ACLs.
Azure Data Lake does support Azure AD identities in data ACLs.
16 / 79
Logic Apps created for use in the Security Playbooks feature of Azure Sentinel may use any of the triggers available to the Logic Apps Premium SKU.
Only Azure Sentinel product-specific triggers may be used.
17 / 79
Security Center recommendations are listed in descending order of the severity of the security vulnerabilities they address.
Alerts are listed in descending order of the point value to the Security Score.
18 / 79
Azure Container Registry (ACR) supports Kubernetes and Docker running on third-party cloud platforms.
ACR is a Docker container registry, and does not disallow access from clouds other than Azure, with proper authentication.
19 / 79
Physical isolation in AKS provides the highest pod density for running workloads.
Separate physical nodes result in lower pod density and greater management overhead.
20 / 79
To provide full access to the resources in an Azure resource group, you should grant only the Contributor role for the subscription.
There is no need to grant permissions at the subscription level. Respect the rule of least privilege.
21 / 79
SSH is disabled on AKS nodes by default.
AKS allows SSH from private IPs by default.
22 / 79
Security Groups and Microsoft 365 groups can both be used to secure Azure resources.
Microsoft 365 groups (formerly called Office 365 groups) can be used to secure resources, just like Security groups. Office 365 groups also include additional functionality.
23 / 79
You can rotate keys in Azure Key Vault without affecting behavior of your application.
You can rotate keys in Key Vault manually, with the REST API, with Azure Automation, or other automation platforms.
24 / 79
You can bind client certificates to which App Service Plan tiers?
App Service supports client certificates on Basic, Standard, Premium, or Isolated tiers.
25 / 79
Azure Storage accounts are encrypted by default.
All Azure Storage accounts are always encrypted by default. Customers can choose to manage their own keys for encrypting the storage service.
26 / 79
You need to implement security in SQL server to ensure database admins never see sensitive customer financial information, such as credit card data, in databases they manage. Which SQL data security option should you choose?
Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine (SQL Database or SQL Server). As a result, Always Encrypted provides a separation between those who own the data and manage it.
27 / 79
Microsoft recommends Shared Keys should be rolled automatically using which of the following?
Microsoft recommends automating rolling of storage account keys exclusively with Key Vault.
28 / 79
You need to grant access for an application to Azure Storage. You need to set access to read and ensure that access is automatically revoked 90 days from today. Which option should you choose?
SAS tokens offer a variety of controls to limit time and scope of access, where shared keys off the equivalent of root access forever.
29 / 79
Azure Defender for SQL can scan your databases weekly to identify vulnerabilities.
Optionally, Azure Defender for SQL will scan your databases for vulnerabilities weekly.
30 / 79
With Azure SQL, you can configure Azure AD Domain Services authentication.
Azure SQL supports Azure AD authentication, but not Azure AD Domain Services at this time.
31 / 79
When you don't know how long you need to retain data in a blob, you can configure a legal hold.
A legal hold remains in place until you release it, preventing the blob from being deleted.
32 / 79
Which of the following solutions features automated security investigations?
Only Microsoft Defender for Endpoint includes an automated investigation feature.
33 / 79
What are the options for configuring a custom RBAC role in Azure AD? (choose the best answer)
Custom RBAC roles can be configured both in the Azure portal and programmatically.
34 / 79
Just-in-Time VM access allows the requester to specify duration of access up to the configured maximum.
The requester is able to specify how much time is needed, up to the maximum the service has been configured to allow for the specific VM.
35 / 79
The VM vulnerability scanning feature in Security Center can also scan for vulnerabilities in open source databases on Azure VMs.
Only Microsoft SQL on Azure VMs is available.
36 / 79
Azure Monitor was previously named Security Management Suite.
Azure Monitor was previously named Operations Management Suite (OMS).
37 / 79
Playbooks in Azure Sentinel use a special _____ to instantiate an automated response using an Azure Logic App.
Security playbooks are Azure Logic Apps that use a special trigger designed for Azure Sentinel.
38 / 79
You need to provide the user access to download the digital content from your Storage Account. You need to ensure that the download is only available for 24 hours. What should you choose?
39 / 79
You need to periodically rotate access keys on your Azure Storage accounts. What is Microsoft’s recommended approach for automating this task?
While you can rotate storage account keys manually or with PowerShell, Microsoft recommends always using the native integration for storage account key rotation feature they've built into Key Vault.
40 / 79
You configure access to secrets in Azure Key Vault with:
Both Access policies and RBAC can be used to control access to the contents of the key vault (the data plane). RBAC is how you control access to the Key Vault instance (the management plane)
41 / 79
You can send activity and audit logs to Event Grid.
Audit data may be sent to Azure Storage, Log Analytics, or Event Hub.
42 / 79
You can grant access to a key vault for:
You can grant key vault access to an Azure AD user, group, or an application.
43 / 79
You can enforce data residency and sovereignty using which of the following?
Azure Policy enables you to configure an "allowed locations" policy to limit deployment to your approved Azure regions only.
44 / 79
With Azure Information Protection Premium Plan 1, classifications can be recommended automatically during authoring.
Auto-classification is only available in AIP Premium Plan 2.
45 / 79
When rolling keys in Cosmos DB, the secondary key ensures
The secondary key enables you to update your client apps to avoid downtime.
46 / 79
You can configure Azure AD authentication for which of the following?
Only Azure Storage queues and blobs support Azure AD authentication.
47 / 79
Just-in-Time VM access is only available for Windows VMs.
JIT access is also possible for Linux VMs. JIT is simply gating access to the listening port.
48 / 79
You notice that when you attempt to investigate an incident created from your custom rule in Azure Sentinel that the investigation graph is empty. What is the most likely cause?
You'll only be able to investigate the incident if you used the entity mapping fields when you set up your analytics rule. The investigation graph requires that your original incident includes entities.
49 / 79
Network Security Groups (NSG) can be associated with which of the following Azure network elements?
NSGs can be associated to Azure subnets or VM NICs.
50 / 79
Diagnostic logs for Azure resources can be forwarded to Log Analytics, Azure Storage, or Event Grid.
Logs may be forwarded to Log Analytics, Azure Storage, or Event Hub.
51 / 79
Azure Monitor can be used to alert on events of interest to Security Operations (SecOps).
Events from the Administrative and Security categories of the Activity Log are definitely of interest to SecOps.
52 / 79
You can configure the following scanning options for your container images for Azure Kubernetes Service?
Scanning of both the ACR and AKS runtime are possible to identify vulnerabilities related to your containerized services.
53 / 79
The service principal required by Azure Kubernetes Service can be created by the following methods?
The service principal required by AKS can be configured manually prior to deployment or automatically as part of the deployment process.
54 / 79
To achieve high availability for VMs within an Azure region, which of the following options are available?
Both Availability Sets and Availability Zones enable VM high availability within an Azure region.
55 / 79
Azure Firewall requires you to specify the number of network virtual appliances according to your expected scale.
High availability and auto-scale are built into the service. There is no NVA count necessary.
56 / 79
Azure VMs can communicate across VNETs by default.
VMs on subnets within the same VNET have connectivity. Communication across VNETs requires VNET peering or VPN connectivity.
57 / 79
You will configure a separate Front Door instance to route requests by URL path to different backend pools.
URL Path Based Routing allows you to route traffic to backend pools based on URL paths of the request. One of the scenarios is to route requests for different content types to different backend pools, so this can be accommodated from a single Front Door instance.
58 / 79
You can configure Azure policies to target the following levels:
Azure policies can be applied to Management Groups, subscriptions, resource groups, and resources.
59 / 79
Which of the following can be used to connect your on-premises datacenter to an Azure site?
Both Site-to-Site VPN and ExpressRoute can connect your on-premises network to an Azure VNET.
60 / 79
The Standard tier of Azure Security Center (ASC) is required to capture data on resource security hygiene.
The ASC Free tier also captures data by providing the continuous assessment and recommendations. An upgrade to the standard tier includes adaptive network controls, compliance dashboard, threat protection for non-Azure VMs as well.
61 / 79
The following resources support Azure resource firewall: (choose the best answer)
Azure SQL Servers and Databases, as well as Azure Storage Accounts support resource firewall. Several other Azure PaaS services also support resource firewall.
62 / 79
The following are the available types of Azure resource locks: (choose the best answer)
The two resource lock types are CanNotDelete and ReadOnly.
63 / 79
The Azure Virtual Network Container Network Interface (CNI) enables advanced networking for the following container solutions. (choose the best answer)
Azure Virtual Network CNI supports AKS, AKS Engine, as well as Docker.
64 / 79
Network Security Groups include a rule to allow RDP access on which port by default?
No rule is configured to enable remote access by default.
65 / 79
Azure Update Management can patch both Windows and Linux VMs.
Azure Update Management supports patching both supported Windows and several Linux distributions.
66 / 79
Transferring a subscription to a new Azure AD tenant will cause Azure VMs to stop running.
VMs will not stop running, but you will have to re-enable any managed identities associated with the VMs.
67 / 79
You can configure access reviews in Privileged Identity Management to be self-completed by the eligible members of the privileged roles.
Yes, you can assign designated reviewers, owners, or eligible role members.
68 / 79
Conditional access policies can be configured to target:
Conditional Access policies can be configured to target or exclude individual users, groups of users, and to ignore users in trusted locations.
69 / 79
Azure AD Connect is used to configure which of the following identity models?
Both the Synchronized and Federated models leverage Azure AD Connect. Both the Synchronized and Federated models leverage Azure AD Connect.
70 / 79
Admin consent grants consent on behalf of:
Admin consent grants consent on behalf of all users.
71 / 79
Microsoft Azure AD Identity Protection evaluates risk associated with:
Azure AD Identity Protection evaluates risk associated to users and sign-in attempts.
72 / 79
You can create new users in Azure AD with the Create-AzureADUser cmdlet.
This is false. The New-AzureADUser cmdlet is used to create new users in Azure AD.
73 / 79
You can activate an eligible privileged identity profile
Activating a profile is performed within the Azure AD PIM app in the Azure portal.
74 / 79
With Azure AD MFA, you can automatically block authentication for users who report fraud via email to a support address.
Users can report fraud using a code via phone (0 by default).
75 / 79
Which of the following identities eliminate the need for credentials in code?
Managed Identities eliminate the need to manage credentials. Managed identities are service principals of a special type, which are associated to specific Azure resources.
76 / 79
Passthrough authentication (PTA) is associated with which of the following identity models?
PTA is associated with the Synchronized identity model because it validates the password with on-premises Active Directory.
77 / 79
In the OAuth Code Grant flow, the user confirms consent by:
In the OAuth Code Grant flow, the user confirms consent by entering a code into a textbox provided.
78 / 79
Azure APIs can be protected by configuration of permission scopes to limit access to a 3rd party web app, even when users consent
Admins can configure permission scopes ahead of any user consent.
79 / 79
Azure AD Privileged Identity Management (PIM) supports which of the following features when users request to activate a privileged identity profile?
Azure AD Privileged Identity Management supports all three of these options, alone or in any combination.
Your score is