AZ-500

Your network contains an Active Directory forest named contoso.com. You have an Azure Directory (Azure AD) tenant named contoso.com.You plan to configure synchronization by using the Express Settings installation option in Azure AD Connect.You need to identify which roles and groups are required to perform the planned configuration. The solution must use the principle of least privilege. Which two roles and groups should you identify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. the Domain Admins group in Active Directory B. the Security administrator role in Azure AD C. the Global administrator role in Azure AD D. the User administrator role in Azure AD E. the Enterprise Admins group in Active Directory

CE

Security playbook

Collection of procedures that can be run from azure sentinel in response to an alert. A security playbook can help automate and orchestrate your response and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in azure sentinel are based on azure logic apps.

Do you have an azure SQL database named azureSQL1. you have implemented always encrypted on azureSQL1. We need to ensure the application developers can retrieve and decrypt data in the database which two pieces of information should you provide the developers? A stored access policy a shared access signature the column encryption key user credentials the column master key

Column master key and the column encryption key.

Application security groups enable you to

Configure network security as a natural extension of an application structure allowing you to group virtual machines and defined network security policies based on those groups. You can re-years of security policy at scale without manual maintenance of explicit IP address is. The platform handles the complexity of explicit IP address is in multiple sets allowing you to focus on your business logic.

You have an azure virtual machine named VM1. The vM1 is in a resource group named RG one. The M1 runs services that will be used to deploy resources to group RG one. You need to ensure that his service running on the vM1 can manage the resources in our G1 using the identity of the vM1. What should you do first?

Modify the value of the manage service identity option for VM1

Just in time requires an ———— to be configured

NSG. VMs Without an nSG either at subnet or NIC level don't support the feature.

You are planning to develop a container his application application. The application is comprised Of two containers an application container and a validation container. You need to ensure that the application container in the validation container are scheduled to JP deploy together. The containers must communicate to each other only on ports that are not externally exposed. What did you include in the deployment? Application security groups network security groups management groups container groups

Container groups. A container group is a collection of containers that the schedules on the same host machine. The containers in a container group share of lifecycle, resources, local network, and storage volumes.

how do you connect to the VM using NAT facility which is available for Azure Firewall?

Network address translation rules, so you can connect to vms via azure firewall. Firewall > Rules> NAT rule collection create an application rule to allow traffic to the internet needs rule name, protocol (tcp/udp) source ip address (work station) destination ip (public ip of firewall) - vm is communicating data via private ip address. RDPing onto vm destination port will be set to azure firewall 4000 then translated port is 3389 for VM and private ip address for VM. use when trying to connect from a device via internet through firewall to VM.

You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults.You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment.The name of the key vault and the name of the secret will be provided as inline parameters.What should you use to construct the resource ID? A. a key vault access policy B. a linked template C. a parameters file D. an automation account

Correct Answer: C You reference the key vault in the parameter file, not the template. The following image shows how the parameter file references the secret and passes that value to the template. template <--passes secret--Parameter file---references secret---> azure key valut.

To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions:

Create Azure Virtual Network Create a custom DNS server in the Azure Virtual Network. Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver Configure forwarding between the custom DNS server and your on-premises DNS server.

When you only need to install and I malware to a resource group only, what must you do? Create a custom policy definition that has affects set too deployifnotexists. Create policy assignment and modify scope Create a custom policy definition that has the effect sent to append. Modify create managed identity setting

Create a custom policy definition that has effect to deploy if not exist and create policy assignment and modify scope.

Scenario: Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials. what do you need to do?

Create a server application - To provide Azure AD authentication for an AKS cluster, two Azure AD applications are created. The first application is a server component that provides user authentication. Create a client application -The second application is a client component that's used when you're prompted by the CLI for authentication. This client application uses the server application for the actual authentication of the credentials provided by the client. Deploy an AKS cluster -Use the az group create command to create a resource group for the AKS cluster. Use the az aks create command to deploy the AKS cluster. Create an RBAC binding - Before you use an Azure Active Directory account with an AKS cluster, you must create role-binding or cluster role-binding. Roles define the permissions to grant, and bindings apply them to desired users. These assignments can be applied to a given namespace, or across the entire cluster.

Azure A.D. application developer role can do what?

Create application registrations when the users can register application setting is set to no. This role can also grant permission to consent on one's own behalf when the users can consent to apps accessing company data on the behalf setting is sad a no. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.

Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active Directory (Azure AD) tenant.You need to configure each subscription to have the same role assignments.What should you use? A. Azure Security Center B. Azure Policy C. Azure AD Privileged Identity Management (PIM) D. Azure Blueprints

D. Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as: ✑ Role Assignments ✑ Policy Assignments ✑ Azure Resource Manager templates ✑ Resource Groups

Keep it soft delete feature allows recovery of the

Deleted vaults and deleted Kevil objects for example keys secrets and certificates. Soft delete is not applicable for access policies

You are designing the security for an application named Application1. The Application1 is expected to list all calendar events of users along with email addresses. Select the most appropriate scopes should you consider in your app registration. email profile calendars.Read calendars.Read.Shared

Email - Allows the app to read your users' primary email address Calendars.Read.Shared - Allows the app to read events in all calendars that the user can access, including delegate and shared calendars.

You plan to deploy and if you are using as you're a PA management. You need to recommend a solution to protect the API from distributed denial of service attack. What do you recommend

Enable azure ddos protection standard on the vina associated with your API management.

You have several azure virtual machines running windows server 2019. All virtual machines run identical applications. I need to prevent unauthorized applications in malware from running on the virtual machines. What should you do? Apply an azure policy to a resource group one. From azure security center, configure adaptive application controls. Configure azure active directory identity protection. Apply a resource lock to resource group one.

From Azure security center configure adaptive application controls. Adaptive application control is an automated end and solution from azure security center which helps you control which applications can run on your azure and non-azure machines (windows and Linux). That helps harden your machines against Mauer. Security center uses machine learning to analyze the applications running on your machines and creates and allow list from this intelligence.

Do you have an Asher storage account need storage account one and that has container name container one. You need to prevent the blobs and container one from being modified. What do you do? Do?

From container one, add an access policy. Immutable access policy. Immutable storage for azure blob storage enables users to store business critical data objects in a worm (write once read many )state the state makes the data non-erasable and non-modifiable for a user specified interval.

Do you have an Azure subscription that contains and azure container registry. The subscription uses the standard used hear of azure security center. You upload several container images to register one. You discover that the vulnerability security scans were not performed. You need to ensure that the images are scans on abilities when they're uploaded to registry one. What should you do? From the azure portal modify pricing tier settings. From azure CLI, lock the container images. Upload the container images using easy copy. Push the container images to register you one by using docker.

From the azure portal modify the pricing tier settings If you're on standard you need the container registry bundle. It brings deeper visibility into the Vona buddies of the images in your azure manager face registries. Enable or disable to bundle at the subscription level to cover all registries in the subscription. The features price per image.

Owner role has

Full access including the right to delegate access to others add or remove users.

Do you have an azure subscription named someone that is associate to as you're active directory tenant named preparationlabs.com. What types of user roles can remediate users and configure policies?

Global administrator and security administrator. They both have full access except security administrators can't reset passwords for a user.

You are the global administrator for an azure active directory tenant named preparationlabs.com. You need to enable two step verification for azure users what should you do?

Great and azure A.D. conditional access policy

IPSec

Increase data at the Internet protocol level or network three layer. You can use IPec to encrypt an end to end connection between your on premise network and your virtual network on azure

You have an Azure subscription named Sub1. You have an Azure Storage account named sa1 in a resource group named RG1. Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to sa1.Solution: You create a new stored access policy.Does this meet the goal? Yes Or No

No Explanation: Creating a new (additional) stored access policy with have no effect on the existing policy or the SASג€™s linked to it.To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately effects all of the shared access signatures associated with i

You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure HDInsight cluster on a virtual network. You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials. You need to configure the environment to support the planned authentication. Solution: You deploy an Azure AD Application Proxy. Does this meet the goal?

No connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway

You have an registered an app name preparation labs in azure A.D. with delegated permissions to users.readwrite.all My user name user one logged into preparation that application. Can use her one update AA D profiles of every user in the organization?

No. The user is not an admin role

When using AA D authentication for azure SQL failed login records will ——- In the SQL audit log.

Not appear. Review failed login audit records you need to visit the azure active directory portal with log details of these events. Azure A.D. logs

Who can on board azure identity protection

Only global administrators

As her vest on service is a fully ———- service That you provision inside your virtual network. What does it provide?

PaaS. It provide secure and seamless RDP/SSH connectivity to your virtual machines directly in azure portal over TLS when you connect via as your birthstone your virtual machines do not need public IP addresses.

Your company is planning to migrate on premise data centers to Microsoft azure. You have created an azure active directory tenant. During the migration process., Your company may have both on premise applications and cloud services running at the same time. You must ensure that all your users user on premise credentials to sign in and access club services. Which of the following identity methods should you consider.? Password hash synchronization Pass-through authentication Federation (AD FS) None of the above

Password hash synchronization, pass-through authentication and Federation

When Vnet peering is configured what don't you have to do for azure bastion in each peered vnet?

Deploy azure bastion. This means if you have an address for stone host configured in one virtual network it can be used to connect to VM supplied and appeared virtual network without deploying an additional Bastion host

When automatic provisioning is on security center deploys

The log analytics agent on all supported azure vms and any new ones that are created.

When I web app must enforce mutual authentication you need to

Turn on the HTtPS only protocol setting. Turn on incoming client certificates protocol setting.

Azcopy is used to

Upload or retrieve data from storage account. So if the logs stored in a storage account we must use az copy to retrieve the logs.

You have an Azure subscription named Sub1. You have an Azure Storage account named sa1 in a resource group named RG1.Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to sa1.Solution: You regenerate the Azure storage account access keys. Does this meet the goal?

Yes Generating new storage account keys will invalidate all SASג€™s that were based on the previous keys.

You have a hybrid configuration of Azure Active Directory (Azure AD).You have an Azure HDInsight cluster on a virtual network. You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials. You need to configure the environment to support the planned authentication.Solution: You create a site-to-site VPN between the virtual network and the on-premises network.Does this meet the goal?

Yes, You can connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.

you have a registered app named preparation lives in azure A.D. with delegating permissions to users.readwrite.all. User1 logged into preparation labs application. Can use or one update user1 a a D user profile?

Yes. This permission grants your app permission to read and update the profile of a user in organization. If admin they can do it all, if regular they can only do them selves.

You need to configure an access review. The review will be assigned to a new collection of reviews and reviewed by resource owners.Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. create an access review program set reviewers to selected users create an access review audit create an access review control set reviewers to group owners set reviewers to members

create an access review program create an access review control set reviewers to group owners

How do you revoke a stored access policy?

delete it or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it.

Your customer has uploaded content into an Azure Storage account. Due to regulatory compliance requirements, your customer wants to ensure that blobs in the storage accounts cannot be modified and deleted by any user including administrators and Subscription owners for a period of 365 days. You have configured a time based retention policy with 365 days as retention period to adhere to your customer requirements. The effective retention interval on some of the blobs has expired. Which of the below actions are permitted? delete the blobs which has expired retention interval modify the blocks which has expired retention interval delete container 1 upload new files to container 1

upload new files to container 1 delete the blobs which has expired retention interval explaination: Up on completion of retention period, data will continue to be in a non-modifiable state, but can be delete.

User Defined Routes

use when you want all the traffic to go through this machine first before going to others so software can inspect traffic. in the route you are saying that all traffic should through this subnet first before going to others in vnet.

You have a business critical application in Microsoft azure. The application owners are concerned about cyber attack rest that may happen in cloud environments against commonly use management ports. Your security administrator recommended implementing a solution didn't dynamically allow or block ports. What solution should you consider? Azure firewall, network security groups, just in time access, azure policy

Just in time access

Which of the following statements are TRUE with respect to Azure AD identity protection. 1. security administrator will have full access to identity protection 2. security operator can change policies 3. security operator can configure alerts 4. security operator cannot reset a password 5. security admin can reset a password.

1 & 4

You plan to use Azure Log Analytics to collect logs from 200 servers that run Windows Server 2016. You need to automate the deployment of the Log Analytics Agent to all the servers by using an Azure Resource Manager template. You have to complete the below template. What values should you replace with CodeSnippet1 and CodeSnippet2? settings: codesnip it1 protected settings code snip it 2 options: workspace id workspace url workspace name storage account key workspace key

1 Workspace ID 2 Work Space Key

You have an Azure key vault named keyvault1. You need to delegate administrative access to the key vault for a user named User2 with the ability to add and delete certificates in the keyvault1. What should you use to assign access to User1? The solution should use the principle of least privilege. key vault access policy azure information protection azure policy managed identity for azure resources RBAC

Key Vault Access Policy

You have an azure subscription that contain storage accounts below. Storage account one - A blob service and table service Storage account two - a blob service and a file service Storage account three - A queue service Storage account four - a file service and queue service Storage account 5 - a table service You enable enable azure defender for all the storage accounts. You need to identify which storage account will generate azure security alerts. Which three storage accounts should you identify?

1, 2 and 4.

You have an Azure subscription named Sub 1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table. User1 = global admin user 2 = security admin user 3 = security reader user 4 = license reader Each user is assigned an Azure AD Premium P2 license.You plan to onboard and configure Azure AD Identity Protection.Which users can onboard Azure AD Identity Protection, remediate users, and configure policies? To answer, select the appropriate options in the answer area.NOTE: Each correct selection is worth one point. 1) users above who can onboard azure ad identity protection? 2) users above who can remediate users and configure policies

1. User 1 Only 2. User 1 and User 2

how to setup firewall where all traffic must go through it before going to internet.

1. create vnet and azure firewall appliance 2. create route table on resource group for firewall and attach route to subnet hosting the VMs you want to route through firewall. (create route in route table, next hop type - virtual appliance, home address must be private ip address of firewall resource) now all vm traffic will be routed through firewall service to internet.

When you use them in his stories account key feature consider the following points

Key values are never returned in response to a caller. Only key vault should manage your storage account to use. Don't manage the keys yourself and avoid interfering with kv processes. Only a single kv object should manage storage account keys. Don't allow key management from multiple objects. You can request key vault to manage your storage account with a user principal but not with a service principal. Generate keys were using Kiva only. Don't manually regenerate your storage account keys.

You have implemented multi factor authentication (MFA) in Azure Active Directory (Azure AD). Some of the users have reported that they received an authentication voice call though they have not tried to login at that time. As an administrator, you want your users to report if they receive a fraud alert. What options are available to deal with this scenario in Azure Active Directory? 1. Allow users to redirect the voice call to your cyber security helpdesk 2. automatically block users who report fraud 3. use your own code report fraud. 4. disable voice call authentication method and use authenticator app instead.

2 & 3 Automatically block users who report fraud: If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report, and take appropriate action to prevent future fraud. An administrator can then unblock the user's account. Code to report fraud during initial greeting: When users receive a phone call to perform multi-factor authentication, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.

You are an administrator for company named company one. you have inherited a user named user1 from company two to an application named my application one. You have configured your azure A.D. tenant with multi factor authentication. Which company MFA options user one can choose while setting up MFA? A Company one B Company two C either company one or company two D both company one and company two

A. The inviting tenancy is always responsible for MFA for users from the partner organization even if the partner organization has MFA capabilities.

Your network contains an on-premises Active Directory domain named corp.contoso.com.You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.You sync all on-premises identities to Azure AD.You need to prevent users who have a givenName attribute that starts with TEST from being synced to Azure AD. The solution must minimize administrative effort.What should you use? A. Synchronization Rules Editor B. Web Service Configuration Tool C. the Azure AD Connect wizard D. Active Directory Users and Computers

A. Use the Synchronization Rules Editor and write attribute-based filtering rule. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

Do you have an as your subscription that contains a user name user one and an add your container registry named containerregistry1. You need to ensure that user one can create trusted images in containerRegistry1. Which of the following rules should you assign to the user? Acr quarantine reader Contributor Acr push Acr image signer Acr quarantine writer

ACR push and ACR image signer. ACR push is it has the ability To docker push to push or pull image. or push another supported artifact such as a helm chart to the registry. ARC image signer has the ability to sign images usually a sign to an automated process which would use a service principal. The permission is typically combined with push image to our pushing a trusted image to a registry

You have a azuresubscription that contain several virtual machines. You need to retrieve the details of the user who deleted a virtual machine three weeks ago. What do you use in azure monitor?

Activity log

You have deployed several virtual machines running IS in and as your virtual network. No network security groups are assigned to the virtual machines or the sub it's in the virtual network. What is the expected network traffic flow?

All inbound and outbound traffic will be permitted. If no energies are associated to the VM network interface card or the subnet which it belongs to then all inbound and outbound access is permitted.

Can you can use privileged identity management art history to see

All role assignments and activations within the past 30 days for all privileged users. If you want to see a full on a history of activity in your azure active directory organization including administrator, end-user, and synchronization activity, you can use her as her active directory security and activity reports.

Advanced threat protection for as your storage provides

An additional layer of security intelligence that detects unusual and potentially harmful attempts to access exploit exploit storage accounts. Security lights are triggered in Azure security center when anomalies in activity occurred and are also sent via email to subscription administrators with details as your sisters activity and recommendations on how to investigate remediate the threats.

What do you consider and your desire to control our bank and connectivity with minimal administrative activities?

Application security groups.

Delegated permissions

Are used by apps that have sign in user present. For these apps either user or an administrator consents to the permissions at their app request and the app is dedicated permission to act as assigned and user when making calls to the target resources. Admin consent is required for operations like reading users profile reading directory groups etc.

Azure firewall

As your firewall provides inbound protection for non-httP/S protocols. Forced tunneling is supported in azure firewall. Stateful firewall as a service Built in high-availability with unrestricted cloud scalability FQDN filtering and tags network traffic filtering rules outbound SNAT support inbound DNAT support Centrally create enforce and log application and network connectivity policies across azure subscriptions and V-nets Fully integrated with azure monitor for logging and analytics

You need to recommend a solution to identify which administrative user accounts that have not signed in in the last 30 days in your azure ad tenant. What should be your recommendation? Azure A.D. Identityprotection, Azure activity log azure advisor azure A.D. privileged identity management

Azure A.D. privileged identity management

You have deployed business critical applications in azure. Is it 30 administrator advised to implement an approval process to get access for azure resources. Your legal team wants to view an audit of who access and as a resource and at what time and for what reason. Which solution do you consider to fulfill these requirements? Azure monitor, azure Sentinel, azure security azure A.D. privilege identity management

Azure A.D. privileged identity management. Since it allows you to manage control and monitor access to important resources in your organization.

You have a multi-layer web application deployed in your Azure subscription. You need to protect your web application from HTTP protocol violations, SQL injection and cross-site scripting attacks. What options should you consider to protect your web application? DDoS Protection Basic DDoS Protection Standard Azure Firewall Azure Application Gateway

Azure Application Gateway DDoS Protection Standard

You need to recommend azure services that can be used to store the data. The solution must meet the following requirements. Encrypt all data while at rest. Encrypt data only by using a key generated by the company. Which two possible services should you recommend? Azure table storage Azure Back up Azure Blob storage Azure queue storage Azure files.

Azure blob storage and azure files. Both support encryption at rest using customer own keys and can store file share data.

You are the owner for a subscription name subscription one. A New Team member named use your one join the security operations team. Use her one needs access to create dashboards, create and run playbooks. Which of the below built in as a Rosewood you at user one provisioning the least privileged access? Contributor azure sentinel contributor Logic app contributor Owner

Azure sentinel contributor and logic app contributor. Owner and contribute will have access however these roles do not meet the best practice of least privilege. Play books and logic apps come hand-in-hand

azure firewall service is linked onto a ______ and what must it have ?

Azure virtual network, must have its own subnet called AzureFirewallSubnet. you also want to make sure it has public ip address b/c it needs to be exposed on internet.

You have an azure subscription that contains 100 virtual machines. As your diagnosis is enabled on the virtual machines. You need to query the security vents of a virtual machine that runs Windows server 2016. What should you use in azure monitor

Logs

You need to automate threat responses in azure sentinel you must notify security admin's over an email as soon as the threats are detected which of the last step should you perform? A. Add a playbook in azure sentinel. Create a functions app with premium plan. Add response to azure sentinel alert trigger. Right logic to inform secure admits. B. Add a playbook in as azure Sentinel. Create a logic app. Add a response to azure sentinal alert trigger. Add send email action. C. Add a playbook and has her center. Create a functions app with consumption plan. Add response to an azure Sentinel alert trigger. Right logic to inform security admins

B

Which of the following statements are TRUE with respect to Express route encryption? MACsec encypts data at network 3 layer MACsec is available on express route direct only MACsec falls back to unencrypted connection if there is a mismatch in key IPSec end-to-end connection between on-prem and vnet IPSec Encrypts data at network layer 3.

MACsec is available on express route direct only IPSec end-to-end connection between on-prem and vnet IPSec Encrypts data at network layer 3.

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.You need to recommend an integration solution that meets the following requirements :✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant ✑ Minimizes the number of servers required for the solution. Which authentication method should you include in the recommendation? A.federated identity with Active Directory Federation Services (AD FS) B.password hash synchronization with seamless single sign-on (SSO) C.pass-through authentication with seamless single sign-on (SSO)

B Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes. Incorrect Answers: A: A federated authentication system relies on an external trusted system to authenticate users. C.Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests. References:https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

You have an Azure Container Registry named Registry1.You add role assignments for Registry1 as shown in the following chart: User 1 Role: AcrPush user 2 Role: AcrPull User 3 Role: AcrImageSigner User 4 Role: Contributer Which users can upload images to Registry1 and download images from Registry1? To answer, select the appropriate options in the answer area. --- upload images: a. user 1 only b. user 1 and user 4 only c. user 1, 3, and 4 c. all users ----- download images a. user 2 only b. user 1 and user 2 only c. user 1, 2, and 4 c. all users

B) User1 and User4 only -Owner, Contributor and AcrPush can push images. C. User1, User2, and User4 -All, except AcrImagineSigner, can download/pull images.

Customer has created a storage account in azure and created service-level shared access signatures parentheses SAS parentheses for various users across the club to upload and download content. Your customer has noticed that security of the azure storage account is compromised and unable to find a compromised SAS key. Your customer has requested you suggest a way to group sas and build additional control. Which solution should you recommend? A Storage account key, you can re-create a new one if compromised B Store to access policy C Firewall to control traffic even if sas key is compromised as your firewall or protect incoming traffic D Implement resource lock

B.

You have an Azure subscription.You create an Azure web app named Contoso1812 that uses an S1 App Service plan.You plan to -create a CNAME DNS record for www.contoso.com that points to Contoso1812.You need to ensure that users can access Contoso1812 by using the https://www.contoso.com URL.Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Turn on the system-assigned managed identity for Contoso1812. B. Add a hostname to Contoso1812. C. Scale out the App Service plan of Contoso1812. D. Add a deployment slot to Contoso1812. E. Scale up the App Service plan of Contoso1812. F. Upload a PFX file to Contoso1812.

BF B: You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have your users access it using either www.contoso.com or contoso.com as a fully qualified domain name (FQDN).To do this, you have to create three records:A root "A" record pointing to contoso.comA root "TXT" record for verificationA "CNAME" record for the www name that points to the A recordF: To use HTTPS, you need to upload a PFX file to the Azure Web App. The PFX file will contain the SSL certificate required for HTTPS.

Azure defender for storage detects unusual and potentially harmful attempts to access or exploit storage accounts. Which storage account is it currently available for?

Blob storage, azure files, and Azure data lake storage Gen2. Account types that support azure defender include general purpose V2, block blob, and blob storage accounts. As your defender is available in all public clouds and US government clouds but not other sovereign or azure government cloud regions.

Security centers machine learning allows you to analyze applications running on your machines and creates an allow list from this intelligence. This capability greatly in simplifies the process of configuring in maintaining application allowlist is enabling you to

Block or alert on attempts to run malicious applications including those that might otherwise be missed by anti-malware solutions. Avoid unwanted software to be using your environment. Prevent specific software tools that are not allowed in your organization. Avoid old and unsupported apps to run. Enable IT to control the access to sensitive data through app usage.

You have an Azure key vault named keyvault1. You need to delegate administrative access to the key vault for a user named User1 with the ability to set advanced access policies for the keyvault1. What should you use to assign access to User1? The solution should use the principle of least privilege. key vault access policy azure information protection azure policy managed identity for azure resources RBAC

RBAC Access to vaults takes place through two interfaces or planes. These planes are the management plane and the data plane. The management plane is where you manage Key Vault itself and it is the interface used to create and delete vaults. You can also read key vault properties and manage access policies. The data plane allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates. To access a key vault in either plane, all callers (users or applications) must be authenticated and authorized. Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses a Key Vault access policy.

Service and points enable private IP addresses in the vnet to

Reach the endpoint of an azure service without needing a public IP address on the Vnet.

How's your blueprint enables con architects in central information technology groups to define

Repeatable set of as a resources is that implements and adheres to Oregon organization standards patterns and requirements. As your blueprints make it possible for development teams to rapidly build and stand up and you environments with trust that they are building within the organization of compliance with a side of building components such as networking to speed up development and delivery.

You have an Azure subscription named Subscription1 and an Azure Active Directory (Azure AD) tenant named PreparationLabs.com. You configure the Subscription1 to use a different Azure AD tenant. What are possible effects of the change? Role assignments at the subscription level are lost. Virtual Machine managed identities are lost. Virtual machine disk snapshots are lost existing azure resources are deleted. Azure Key vaults will be inaccessible.

Role assignments at the subscription level are lost. Virtual Machine managed identities are lost. Azure Key vaults will be inaccessible.

Stored access policy provides an additional level of control over...

Service level SAS Shared access signatures on the server side Establishing a start access policy serves to group shared access signatures and provide additional restrictions for signatures that are down by the policy. You can use a stored access policy to change the start time x-ray time or permissions from signature or to revoke it after it has been issued issued

The requirement is - A new custom RBAC role named Role1 must be used to delegate the administration of the managed disks in RG1. Role1 must be available only for RG1.

So, role assignment must be scoped to resource group RG1 and to manage disks, permissions must be compute/disks

You have an Azure subscription named Subscription1.You deploy a Linux virtual machine named VM1 to Subscription1. You need to monitor the metrics and the logs of VM1. What should you use? ​ the AzurePerformanceDiagnostics extension Azure HD Insight Linux Diagnostic Extension (LAD) 3.0 Azure analysis services

The Linux Diagnostic Extension helps a user monitor the health of a Linux VM running on Microsoft Azure

What does Just in time access Dramatically reduce?

The attack footprint against commonly use management course by blocking traffic to the ports by default. Courts are only open upon submitting an access request using as your portable power show earth rest API.

rule based assignment

The resource owner create a group and uses a rule to define which users are assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The resource owner manages the rule, determining which attributes and values are required to allow access to the resource. Do you want to add an azure A.D. group to contribute to a Roth and a water to find group membership to keep administration activities minimal and for fill a requirement of an auto assignment of a member to a group

You need to configure SQLDB1 to meet the data and application requirements. Which three actions should you recommend be performed in sequence? Data and Application Requirements for SQL DB1 is - The users in Group2 must be able to authenticate to SQLDB1 by using their Azure AD credentials.

The steps to follow to acheive this requirement are In Azure Portal, create an Azure AD Administrator for PreparationLabsSQLServer Connect to SQLDB1 using SSMS (SQL Server Management Studio) In SQLDB1, create contained database users

If A guest user triggers the identity protection user risk policy to force password reset, they will be ...

They will be blocked. The block is due to the inability to reset passwords in the resource directory. Guest users do not appear in the risky user report

Your company has an Azure subscription named Subscription1 that contains the users shown in the following table. The company is sold to a new owner.The company needs to transfer ownership of Subscription1.Which user can transfer the ownership and which tool should the user use? To answer, select the appropriate options in the answer area. answer area: Question 1: user: User 1 User 2 User 3 User 4 Question 2: Tool: Azure account center Azure cloud shell azure powershell azure security center

User 2, Azure Account Center

Microsoft Anti Malware - how to install and what can you exclude

VM > extensions > Add Microsoft anti malware extension. can exclude files and locations, excluded file extensions, exclude processes from scanning. real time protection enablement, scheduled scans (full or quick). Open windows defender to kick off scan.

What does the virtual machine administrator login roll allow?

View virtual machines in azure portal and login as administrator.

Requirement for security operations team is preparations that must be able to customize the operating system security configurations in azure security center when is this possible only ?

When you have the standard tier of security center.

you have a registered app named from preparation labs in as her active directory with delegated permissions to users.Readwrite.all. A user administrator named admin one logged into the preparation lab application. Can admin one update EAD profiles of every user in the organization?

Yes. For delegated permissions the effective permissions of your app will be the intersection of the delegated permissions of the app has been granted via consent and the privilege is of the currently signed in user. Your Apple never have more privileges than the sign and user.

You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults. You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment. The name of the key vault and the name of the secret will be provided as inline parameters. What should you use to construct the resource ID? a key value access policy a linked template a parameters file an automation account

a linked template In some scenarios, you need to reference a key vault secret that varies based on the current deployment. Or, you may want to pass parameter values to the template rather than create a reference parameter in the parameter file. In either case, you can dynamically generate the resource ID for a key vault secret by using a linked template.

You have created an Azure SQL database named SQLDatabase1. The SQLDatabase1 will be used by a couple of developers who usually work from home. You need to allow developers to connect to SQLDatbase1 from their homes. What should you do from the Azure portal? The solution must minimize Azure-related costs. add internet ip range add a bastion service add private endpoint add client ips add service endpoint

add client ips You can configure Server or database firewalls on Azure SQL. Connection attempts from the internet and Azure must pass through the firewall before they reach your server or database.

Data Plane

allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use the auto-generated service principal to authenticate to the Azure Container Registry. What should you create? An Azure AD group an azure AD role assignment an Azure AD user a secret in azure key vault

an azure AD role assignment When you create an AKS cluster in the Azure portal or using the az aks create command, Azure can automatically generate a service principal. When you're using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), an authentication mechanism needs to be established. You need to assigns the AcrPull role to the service principal associated to the AKS Cluster

You have Azure Resource Manager templates that you use to deploy Azure virtual machines. You need to disable unused Windows features automatically as instances of the virtual machines are provisioned. What should you use? Device configuration policies in microsoft intune an azure desired state configuration virtual machine extension application security groups security policies in azure security center

an azure desired state configuration virtual machine extension

Your company has an Azure Subscription named Subscription1 and an Azure Active Directory (Azure AD) tenant named PreparationLabs.com. You plan to create several security alerts by using Azure Monitor. You need to prepare the Subscription1 for the alerts. What should you create first? azure storage account azure log analytics workspace azure event hub azure automation account

azure log analytics workspace Azure Monitor stores log data in a Log Analytics workspace, which is an Azure resource and a container where data is collected, aggregated, and serves as an administrative boundary

You are the Owner for a subscription named Subscription1. A new team member named user1 joined the security operations team. User1 needs access to view data, manage incidents, dashboards and other Azure Sentinel resources. Which of the below built-in azure roles you would add user1 providing the least privileged access? reader azure sentinel reader azure sentinel contributor azure sentinel responder

azure sentinel responder

Azure DDoS Protection - tiers and what they include

basic automatically enabled. active traffic montioring, automatic attack mitigations, azure region availability guarentee, mitigation policies tuned to azure traffic region volume. best effort support and azure region sla. standard, active traffic monitoring, automatic attack mitigations, application availability guarantee, real time attack metrics & diagnostic logs via azure monitor, tuned for application traffic volume, post attack mitigation reports, nrt log stream for SIEM integration, engage ddos reports., mitigation policy customization engage ddos experts, access to ddos experts during active attack, sla application guarantee and cost protection.

You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles. Which three actions should you perform in sequence? Discover Privileged roles sign up PIM for azure ad roles consent to PIM discover resources verify your identity by using MFA

consent to PIM verify your identity using mfa sign up PIM for azure AD roles

You are designing a solution to secure a company's Azure resources. The Azure environment is used by 10 teams. Each team manages a project and has a manager, a virtual machine (VM) operator, developers, and contractors. Project managers must be able to manage everything except access and authentication for users. You need to recommend a role for Project Managers.What should you recommend? owner contributor reader vm contributor

contributor

Azure Firewall Service - advantages

control traffic at layer 3 and layer 7 (network and application). automatic threat intelligence against VNet. network address translation. NSGs uses source and destination where azure firewall can filter traffic by a fully qualified domain name. managed service inside of VNet.

Your company has deployed several applications into Azure App Service with backend as Azure SQL Service. Your administrator would like to collect detailed resource logs for monitoring health and availability of Azure resources. Which of the following actions you should perform to send logs to Log Analytics? create ___________ enable _______ Select_______ Select_____

create a log analytics workspace enable diagnostic settings Select logs categories Select send to log analytics

Your customer is planning to deploy several business critical internet facing applications in Azure. Your customer is concerned about protecting business critical applications from malicious attacks. You are asked to implement a solution as quickly as possible with minimum implementation effort. What should be your approach?

create a web application firewall with azure policy Azure Web Application Firewall (WAF) combined with Azure Policy can help enforce organizational standards and assess compliance at-scale for WAF resources.

You have an Azure subscription named Subscription1. Subscription1 contains an Azure virtual machine named VM1 that runs Windows Server 2016. You need to encrypt VM1 disks by using Azure Disk Encryption. Which three actions should you perform in sequence? Create configure run

create an azure key vault configure access policies for azure key vault run set-azVMDiskEncryptionExtension

A Site-to-Site VPN connection is used to what do you need to have ? the subnets on on prem network must not... what is the vpn gateway resource you created in azure used for? are there different skus for azure vpn gateway, if so whats the reason?

establish a secure connection between an on-premise network and an Azure network via the Internet. On the on-premise side, you need to have a VPN device that can route traffic via the Internet onto the VPN gateway in Azure. The VPN device can be a hardware device like a Cisco router or a software device ( e.g Windows Server 2016 running Routing and Remote services). The VPN device needs to have a publically routable IP address. The subnets in your on-premise network must not overlap with the subnets in your Azure virtual network The Site-to-Site VPN connection uses an IPSec tunnel to encrypt the traffic. The VPN gateway resource you create in Azure is used to route encrypted traffic between your on-premise data center and your Azure virtual network. There are different SKU's for the Azure VPN gateway service. Each SKU has a different pricing and attributes associated with it - Reference - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings

A Point-to-Site VPN connection is used to? what do you need to have in place? what do you need to generate and how?

establish a secure connection between multiple client machines an an Azure virtual network via the Internet. This sort of connection is based off certificates for authentication. You need to have a root certificate in place that needs to be uploaded to Azure for the point-to-site connection. A client certificate needs to be generated from the root certificate. This client certificate needs to be on each client computer that needs to connect to the Azure virtual network via the Point-to-Site connection. To generate the certificates, you can use a Certificate authority or generate a self-signed certificate using PowerShell. Some commands are given below

Things inside Hub vnet

firewall, vpn gateway, azure bastion.

Microsoft Antimalware is a

free real-time protection system that helps identiy and remove viruses, spyware and other malicious software.

You have an Azure subscription named Subscription1 that contains a virtual machine (VM) named VM1. You enable just in time (JIT) VM access to VM1. You need to connect to VM1 by using Remote Desktop. What should you do first?

from Azure portal select VM1, select connect and then select request access. Explanation You can request access to a JIT-enabled VM from the Azure portal (in Security Center or Azure Virtual machines) or programmatically. When a VM has a JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT

how do you allocate DDOS protection plan against your vnet?

go to Vnet and choose ddos protection. choose option of standard for ddos protection. create new ddos protection plan and save.

Risk levels in Azure Identity Protection (6 types of suspcisious sign-in activities) assign risk that identity protection gives it (high, med, low). Users with leaked credentials sign-ins from anonymous IP addresses impossible travel to atypical locations sign-ins from infected devices sign-ins from ip addresses with suspicious activity sign-ins from unfamiliar locations.

high med med med low med

How do you enable antimalware on VMs? what will it apply on windows server 2016?

install an extension. Microsoft antimalware on windows server 2016 only as built in. if you apply extension on windows server 2016 it will apply any optional configuration policies used by windows defender

Management plane

is where you manage Key Vault itself and it is the interface used to create and delete vaults. You can also read key vault properties and manage access policies.

contributor role allows you to

manage everything except providing or removing access to other users.

Hub and Spoke - Azure Firewall Service

one central network that acts as HUB and looks at all the traffic. the azure firewall instance, its separate and only used for hosting azure firewall service. other networks will behave as spoke network. so all traffic routed by(coming from) internet or subnetwork will have to flow via hub network . route table puts all traffic onto azure firewall, but you have to disable virtual network gateway propagation if you have site to site VPN on network. then you need route table for HUB network that points to firewall ip address as the next hop for the spoke network.

You have an application connected to a key vault named keyvault1 in Azure subscription named mysubscription1. This application creates certificates that are valid for two years. You are planning to move keyvault1 to another subscription named subscription2. The subscription2 has a policy assignment that blocks the creation of certificates that are valid for longer than one year. What will be the impact on the application post moving keyvault1? operation to create a certificate that is valid for two years will be blocked by an azure policy assignment operation to create certificate that is valid for two years will be allowed operation to create a certificate will be allowed but certificate creates for one year only.

operation to create a certificate that is valid for two years will be blocked by an azure policy assignment

3 steps azure bastion setup

own subnet for azure bastion, expand vnets address space, create bastion vm.

Azure firewall Application Rules

rule to allow traffic on fully qualified domain name FQDN (URL). source will be production VM machine - private IP address. protocol http,https, target FWDN www.microsoft.com. so when you go to this application after rule creation it will route to site.

Azure Bastion

service you can use to securely login into internal vms wihtout need of having public ip address assigned to VM. uses private ip address.

Your network contains an on-premises Active Directory and an Azure Active Directory (Azure AD) tenant. You deploy Azure AD Connect and configure pass-through authentication. Your Azure subscription contains several applications that are accessed from the Internet. You plan to enable Azure Multi-Factor Authentication (MFA) for the Azure tenant. You need to recommend a solution to prevent users from being prompted for Azure MFA when they access the applications from the on-premises network. What should you include in the recommendation? a site-to-site VPN between on prem network and azure an azure policy an azure express route circuit trusted ips

trusted ips The Trusted IPs feature of Azure Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments to when users are in one of those locations, there's no Azure Multi-Factor Authentication prompt.