microsoft az-500 practice test
Microsoft Azure Security Technologies
Note: Test Case questions are at the end of the exam
Last exam update: Nov 30 ,2023
Question 1 Topic 9, Mixed Questions
DRAG DROP
You have an Azure subscription that contains a Microsoft SQL server named Server1 and an Azure key vault named vault1.
Server1 hosts a database named DB1. Vault1 contains an encryption key named key1.
You need to ensure that you can enable Transparent Data Encryption (TDE) on DB1 by using key1.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:
Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-
configure?tabs=azure-powershell
Question 2 Topic 9, Mixed Questions
SIMULATION
You need to create a web app named Intranet12345678 and enable users to authenticate to the web app by using Azure
Active Directory (Azure AD).
To complete this task, sign in to the Azure portal.
Answer:
See the explanation below.
Explanation:
1. In the Azure portal, type App services in the search box and select App services from the search results.
2. Click the Create app service button to create a new app service.
3. In the Resource Group section, click the Create new link to create a new resource group.
4. Give the resource group a name such as Intranet12345678RG and click OK.
5. In the Instance Details section, enter Intranet12345678 in the Name field.
6. In the Runtime stack field, select any runtime stack such as .NET Core 3.1.
7. Click the Review + create button.
8. Click the Create button to create the web app.
9. Click the Go to resource button to open the properties of the new web app.
10.In the Settings section, click on Authentication / Authorization.
11.Click the App Service Authentication slider to set it to On.
12.In the Action to take when request is not authentication box, select Log in with Azure Active Directory.
13.Click Save to save the changes.
Question 3 Topic 9, Mixed Questions
SIMULATION
You need to ensure that connections through an Azure Application Gateway named Homepage-AGW are inspected for
malicious requests.
To complete this task, sign in to the Azure portal.
You do not need to wait for the task to complete.
Answer:
See the explanation below.
Explanation:
You need to enable the Web Application Firewall on the Application Gateway.
1. In the Azure portal, type Application gateways in the search box, select Application gateways from the search results then
select the gateway named Homepage-AGW. Alternatively, browse to Application Gateways in the left navigation pane.
2. In the properties of the application gateway, click on Web application firewall.
3. For the Tier setting, select WAF V2.
4. In the Firewall status section, click the slider to switch to Enabled.
5. In the Firewall mode section, click the slider to switch to Prevention.
6. Click Save to save the changes.
Question 4 Topic 9, Mixed Questions
You have an Azure subscription that contains as Azure key vault and an Azure Storage account. The key vault contains
customer-managed keys. The storage account is configured to use the customermanaged keys stored in the key vault.
You plan to store data in Azure by using the following services:
Azure Files
Azure Blob storage
Azure Table storage
Azure Queue storage
Which two services support data encryption by using the keys stored in the key vault? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.
- A. Table storage
- B. Azure Files
- C. Blob storage
- D. Queue storage
Answer:
B C
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
Question 5 Topic 9, Mixed Questions
HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following table.
You enable Azure Defender for Storage.
Which storage services of storage5 are monitored by Azure Defender for Storage, and which storage accounts are protected
by Azure Defender for Storage? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/storage/common/azure-defender-storage-configure?tabs=azuresecurity-
center
Question 6 Topic 9, Mixed Questions
SIMULATION
You need to ensure that when administrators deploy resources by using an Azure Resource Manager template, the
deployment can access secrets in an Azure key vault named KV12345678.
To complete this task, sign in to the Azure portal.
Answer:
See the explanation below.
Explanation:
You need to configure an option in the Advanced Access Policy of the key vault.
1. In the Azure portal, type Azure Key Vault in the search box, select Azure Key Vault from the search results then select the
key vault named KV12345678. Alternatively, browse to Azure Key Vault in the left navigation pane.
2. In the properties of the key vault, click on Advanced Access Policies.
3. Tick the checkbox labelled Enable access to Azure Resource Manager for template deployment.
4. Click Save to save the changes.
Question 7 Topic 9, Mixed Questions
SIMULATION
You need to configure a weekly backup of an Azure SQL database named Homepage. The backup must be retained for
eight weeks.
To complete this task, sign in to the Azure portal.
Answer:
See the explanation below.
Explanation:
You need to configure the backup policy for the Azure SQL database.
1. In the Azure portal, type Azure SQL Database in the search box, select Azure SQL Database from the search results then
select Homepage. Alternatively, browse to Azure SQL Database in the left navigation pane.
2. Select the server hosting the Homepage database and click on Manage backups.
3. Click on Configure policies.
4. Ensure that the Weekly Backups option is ticked.
5. Configure the How long would you like weekly backups to be retained option to 8 weeks.
6. Click Apply to save the changes.
Question 8 Topic 9, Mixed Questions
SIMULATION
You need to enable Advanced Data Security for the SQLdb1 Azure SQL database. The solution must ensure that Azure
Advanced Threat Protection (ATP) alerts are sent to [email protected].
To complete this task, sign in to the Azure portal and modify the Azure resources.
Answer:
See the explanation below.
Explanation:
1. In the Azure portal, type SQL in the search box, select SQL databases from the search results then select SQLdb1.
Alternatively, browse to SQL databases in the left navigation pane.
2. In the properties of SQLdb1, scroll down to the Security section and select Advanced data security.
3. Click on the Settings icon.
4. Tick the Enable Advanced Data Security at the database level checkbox.
5. Click Yes at the confirmation prompt.
6. In the Storage account select a storage account if one isnt selected by default.
7. Under Advanced Threat Protection Settings, enter [email protected] in the Send alerts to box.
8. Click the Save button to save the changes.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/advanced-data-security
Question 9 Topic 9, Mixed Questions
DRAG DROP
You have an Azure Storage account named storage1 and an Azure virtual machine named VM1. VM1 has a premium SSD
managed disk.
You need to enable Azure Disk Encryption for VM1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange then in the correct order.
Select and Place:
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
Question 10 Topic 9, Mixed Questions
HOTSPOT
You have an Azure subscription that contains the storage accounts shown in the following table.
You need to configure authorization access.
Which authorization types can you use for each storage account? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access
0CB84EF020870C137158A568970423A4
Question 11 Topic 9, Mixed Questions
HOTSPOT
You have an Azure subscription that contains the following resources:
An Azure key vault
An Azure SQL database named Database1
Two Azure App Service web apps named AppSrv1 and AppSrv2 that are configured to use system-assigned managed
identities and access Database1
You need to implement an encryption solution for Database1 that meets the following requirements:
The data in a column named Discount in Database1 must be encrypted so that only AppSrv1 can decrypt the data.
AppSrv1 and AppSrv2 must be authorized by using managed identities to obtain cryptographic keys.
How should you configure the encryption settings for Database1? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-
powershell
Question 12 Topic 9, Mixed Questions
DRAG DROP
You have an Azure subscription.
You plan to create a storage account.
You need to use customer-managed keys to encrypt the tables in the storage account.
From Azure Cloud Shell, which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from
the list of cmdlets to the answer area and arrange them in the correct order.
Select and Place:
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=powershell
Question 13 Topic 9, Mixed Questions
You have an Azure subscription that contains an Azure SQL database named sql1.
You plan to audit sql1.
You need to configure the audit log destination. The solution must meet the following requirements:
Support querying events by using the Kusto query language. Minimize administrative effort.
What should you configure?
- A. an event hub
- B. a storage account
- C. a Log Analytics workspace
Answer:
C
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-log-analytics-wizard
Question 14 Topic 9, Mixed Questions
You have a web app named WebApp1.
You create a web application firewall (WAF) policy named WAF1.
You need to protect WebApp1 by using WAF1.
What should you do first?
- A. Deploy an Azure Front Door.
- B. Add an extension to WebApp1.
- C. Deploy Azure Firewall.
Answer:
A
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
Question 15 Topic 9, Mixed Questions
SIMULATION
You need to ensure that the rg1lod1234578n1 Azure Storage account is encrypted by using a key stored in the
KeyVault12345678 Azure key vault.
To complete this task, sign in to the Azure portal.
Answer:
See the explanation below.
Explanation:
Step 1: To enable customer-managed keys in the Azure portal, follow these steps:
1. Navigate to your storage account rg1lod1234578n1
2. On the Settings blade for the storage account, click Encryption. Select the Use your own key option, as shown in the
following figure.
Step 2: Specify a key from a key vault
To specify a key from a key vault, first make sure that you have a key vault that contains a key. To specify a key from a key
vault, follow these steps:
4. Choose the Select from Key Vault option.
5. Choose the key vault KeyVault1234578 containing the key you want to use.
6. Choose the key from the key vault.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-portal