Here are some practice questions for the Microsoft Azure Security Technologies AZ-500 certification exam with an explanation at the end.
Answer the 10 multiple-choice questions and check the correct answers at the end. A study guide to help you prepare for the AZ-500 Microsoft Azure Security Technologies exam is available to get you started.
Here goes the Quiz:
- Your organization has implemented Azure Multi-Factor Authentication. You need to provide a status report by user account. Which of the following is NOT a valid MFA status? Select one.
- You are creating an Azure AD security group. All the following are ways you can assign group membership, except? Select one.
b. Dynamic Device
c. Dynamic User
d. Office 365 User
- Identity Protection has reported that a user’s credentials have been leaked. According to the policy, the user’s password must be reset. Which Azure AD role can reset the password? Select one.
a. Global Administrator
b. Security Administrator
c. Security Operator
d. Security Reader
- You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your solution must minimize administrative overhead. What should you do? Select one.
a. Assign the user to the Contributor role on the resource group, then assign the user to the Owner role on VM
b. Move VM3 to a new resource group and assign the user to the Contributor role on VM3.
c. Assign the user to the Contributor role on VM3.
d. Assign the user to the Contributor role on the resource group.
- You wish to enable Azure AD PIM for your directory. What Azure AD Role do you need to enable PIM? Select one.
a. Office 365 Admin
b. PIM Administrator
c. Global Admin
- You are using Azure Kubernetes Service (AKS) and need to control the flow of traffic between pods and block traffic directly to the backend application. What should you do? Select one.
a. Create an application gateway
b. Create an Azure firewall
c. Create an AKS network policy
d. Create a network security group
- How does Azure Key Vault help protect your secrets after they have been loaded by your app? Select one.
a. The Azure Key Vault client library protects regions of memory used by your application to prevent accidental secret exposure.
b. Azure Key Vault double-encrypts secrets, requiring your app to decrypt them locally every time they are used.
c. It does not protect your secrets. Secrets are unprotected once they are loaded by your application.
d. Azure Key Vault automatically generates a new secret after every use.
- You are using Sentinel to investigate an incident. When you view the incident detailed information you see all of the following, except? Select one.
a. Incident ID
b. Number of entities involved
c. Raw events that triggered the incident
e. Incident owner
- Your Azure Security Center dashboard presents a Secure Score. How would you describe that score? Select one.
a. The Secure Score changes only when premium features are purchased.
b. The Secure Score is a calculation based on the ratio of healthy resources vs. total resources.
c. The Secure Score is a machine-learning-based prediction of how likely your resources are to be infiltrated by a hacker.
d. The Secure Score is a count of recommendations made against your monitored resources.
- Lab scenario:
You have been asked to create a proof of concept for monitoring virtual machine performance.
Specifically, you want to:
- Configure a virtual machine such that telemetry and logs can be collected.
- Show what telemetry and logs can be collected.
- Show how the data can be used and queried.
Lab Exercise: Collect data from an Azure virtual machine with Azure Monitor.
Explanation: Required is not valid. MFA has three user states: Enabled, Enforced, and Disabled.
Explanation: Office 365 User. When you create an Azure AD group you can select: Assigned, Dynamic device, or Dynamic user. Assigned lets you add members directly to the group. Dynamic device uses rules to automatically add and remove devices. Dynamic user uses rules to automatically add and remove members.
Explanation: Global Administrator. To use Identity Protection a user must be in one of these roles. Each role has different privileges but only the Global Administrator can reset a user’s password.
Explanation: Assign the user to the Contributor role on VM3. This means the user will not have access to VM1 or VM2. Assigning the Contributor role on the current resource group is incorrect, as it would allow the new hire to change the settings on VM1 and VM2 and therefore would not meet the requirements.
Explanation: Global Admin. Of the options listed only the Global Admin role has the permission to enable PIM.
Explanation: Create an AKS network policy. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster.
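A minimal pair of Kubernetes NetworkPolicy manifests showing the pattern described above: deny all ingress in the namespace, then allow only the frontend pods to reach the backend. This is an added example, not part of the original quiz; the namespace `demo`, the labels `app: frontend` and `app: backend`, and port 8080 are assumptions.

```yaml
# Constructed example: namespace, labels and port are assumptions.

# 1) Default deny: selects every pod in the namespace and defines no
#    ingress rules, so all inbound pod traffic is dropped unless another
#    policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: demo
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Allow rule: backend pods accept TCP 8080 only from pods labelled
#    app=frontend in the same namespace. Any other source, including
#    other pods in the namespace, stays blocked by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

These policies are enforced only when the AKS cluster has a network policy engine enabled; without one, the objects are accepted by the API server but have no effect on traffic.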
Explanation: It does not protect your secrets. Once secrets have been loaded by an app, they are unprotected. Make sure to not log them, store them, or return them in client responses.
Explanation: Incident owner. The incident detailed information includes its severity, a summary of the number of entities involved, the raw events that triggered this incident, and the incident’s unique ID. All incidents start as unassigned. For each incident, you can assign an owner, by setting the Incident owner field. You can also add comments so that other analysts will be able to understand what you investigated and what your concerns are around the incident.
Explanation: The Secure Score is a calculation based on the ratio of healthy resources vs. total resources. Security Center reviews your security recommendations across all workloads, uses algorithms to determine how critical each recommendation is, and calculates a Secure Score which is displayed on the Overview page.
These questions are NOT appearing in the certification exam. I personally or CloudThat do not have any official tie-up with Microsoft regarding the certification or the kind of questions asked. These are my best guesses for the kind of questions to expect with Microsoft in general and with the examination.
Feel free to drop any questions in the comment box, I would love to address them. I hope you enjoyed the article. Best of luck!