AZ-500 Misc
What gets applied to documents in Azure Information Protection
Labels
What AKS setting should you use if you want the cluster to handle Authentication and Authorization
Local Accounts with Kubernetes RBAC
Where is Azure Monitor Logging data stored?
Log Analytics workspace
Where is Azure Sentinel Logging data stored?
Log Analytics workspace
How do you verify the trustworthiness of a platform and the binaries running on it in Azure?
Microsoft Azure Attestation
Where can you find hunting in Sentinel?
Microsoft Sentinel > Hunting
Where can you find incidents in Sentinel?
Microsoft Sentinel > Incidents
Where can you find Notebooks in Sentinel?
Microsoft Sentinel > Notebooks
Where can you find threat intelligence in Sentinel?
Microsoft Sentinel > Threat Intelligence
Where can you find workbooks in Sentinel?
Microsoft Sentinel > Workbooks
What action allows the read/write of a custom role?
Microsoft.Authorization/roleDefinitions/*
Where can you see the activity log?
Monitor > Activity Log
Where can you specify a data collection endpoint?
Monitor > Data Collection Endpoint
Where can you specify data collection rules?
Monitor > Data Collection Rules
What is the name of the Azure Front Door component that refers to the host name or public IP of the application that services your request
Origin
Which Azure AD license is required for dynamic groups?
P1
Where does Azure resource manager store parameters?
Parameters File
For Azure Firewall, are child or parent policies applied first?
Parent
How is DDOS Network protection priced
Per 100 IPs
How is DDOS IP Protection Priced
Per IP
When creating a custom policy, what is the name of the rule?
PolicyRule
What is the minimum spend for Azure Dedicated HSM
$5 million
What type of file is used for multi-step web tests in Application Insights
.webtest
What is the minimum priority for a custom rule
100
How many custom roles can you have?
100 per organization
Azure DDoS protection network provides protection for
100 public IP addresses per tenant
What is the maximum number of conditional access policies?
195 per organization
What is the number of dynamic groups and dynamic AUs?
5,000 per organization
How many role-assignable groups can you have
500 per organization
What ports are used for WinRM
5985 & 5986
What docker isolation mode should you use when containers can share the same kernel?
Process
How should one revoke access to a storage account?
Regenerate Storage Account Access Keys
In defender for cloud, what should you select after the scanner has run and you want to remediate
Remediate Security Configurations
For ADFS what do you need to give a 3rd party provider for them to integrate into your SSO?
SAML Metadata File
In the context of Microsoft Identity Platform for an Angular application?
SPA
What is the --scope for a role assignment
Scope at which a role applies
What is a User Delegation SAS
Secured with an AAD Account
What table are security events stored in?
SecurityEvent
For Defender External Attack Surface Management, what is used to discover attack surface?
Seeds
Where can TDE be enabled? Server, Database or Both?
Server
What DNS record is used to map an IP Address to a DNS Name
A
What DNS record should you use in App Service for a root domain? A NS TXT CNAME
A
What should you configure in application registration, when an application needs to authenticate with a certificate?
A Client certificate
How do you export logs from a storage account?
Storage > Activity Log > Export Activity Log
What is a sentinel incident?
A container of threats and alerts
Where are service endpoints enabled for storage?
Storage > Networking > Firewalls & Virtual Networks
How do you configure a storage private networking connection?
Storage > Networking > Private Endpoint Connection
What are virtual network hubs?
A feature of Azure Firewall to centralize virtual networks
What should you configure in application registration, when an application needs to authenticate with OAuth 2
A redirect URI
Where can you set access to an AKS Cluster?
AKS > Access
What is the name of the module that detects unusual SQL DB activity in defender?
ATP
What do you change in storage to allow/disallow anonymous access?
Access Level
In a custom role, what section defines what the role can do?
Actions
What do you need to integrate an Azure SQL Server with Azure Active Directory?
Active Directory Admin
What DB encryption method can encrypt everything at rest?
TDE
For authentication, in what case is Signature hash used?
Android
What DNS record is used to help verify ownership of the domain?
TXT
What DNS record is used to verify ownership of a custom domain?
TXT
What DNS record should you use in App Service to verify ownership of a domain? A NS TXT CNAME
TXT
For Azure Identity Protection, if a user is in an include and an exclude group, what takes precedence?
The Include Group
Where do you enable a service endpoint?
The Virtual Network > Subnet > Service Endpoints
Where do you configure API permissions for an application?
App Registrations > API Permissions
Where can you allow public client flows?
App Registrations > Authentication
Where can you change application branding?
App Registrations > Branding & Properties
Where can you set a Certificate or Client Secret that's used by the application to identify itself?
App Registrations > Certificates & Secrets
What do Azure Functions use under the hood?
App Service
How do you set a certificate in App Service?
App Service > Certificate
How do you manage AKS accounts with K8s local accounts?
The command line
In a custom role, what section defines where the role can be used?
AssignableScopes
What does application proxy do?
Authentication to On-Premises apps
Use this Microsoft Identity Platform flow for OAuth 2 integration
Authorization Code
For conditional access, what controls if a user is enrolled in MFA (assuming user MFA is not set up)?
Azure AD P1 or P2 license
What AKS setting should you use if you want Azure AD to handle Authentication and Authorization?
Azure AD authentication with Azure RBAC
What AKS setting should you use if you want Azure AD to handle Authentication and the cluster to handle authorization?
Azure AD authentication with Kubernetes RBAC
What service allows the management of off-azure resources?
Azure Arc
What HSM type should be used for shrink wrapped software?
Azure Dedicated HSM
What HSM type should be used if you need to be FIPS 140-2 Level-3 Compliance?
Azure Dedicated HSM
What HSM type should be used if you're doing a lift-and-shift scenario?
Azure Dedicated HSM
What HSM type can be used if you need single tenant usage?
Azure Managed HSM
What is the name of the Agent automatically installed for Microsoft's cloud services?
Azure Monitoring Agent
What is the Azure-native solution to secure traffic between containers in AKS?
Azure Network Policy Manager
Where can you check Azure policy compliance?
Azure Policy > Compliance
What is the name of Azure's DLP and Data Management?
Azure Purview
What subnet, in addition to AzureFirewallSubnet, does a basic Azure Firewall require?
AzureFirewallManagementSubnet
What is the name of the subnet used for Azure firewall
AzureFirewallSubnet
Where can you set conditional access policies?
Conditional Access > Policies
What can we use to automatically apply labels to data in Azure Information Protection?
Conditions
What does Defender for Cloud require to connect to another cloud?
Connector
Where do you set customer managed keys for Azure Container Instances?
Container Instance > Advanced
What is the routing priority for Azure Networks? Of BGP, Custom and System
Custom > BGP > System
How do you send alerts in Defender ATP without SIEM?
Where can you classify permissions into low medium and high?
Enterprise Applications > Consent & Permission
Where can you set Admin Consent?
Enterprise Applications > Consent & Permission
Where can you set User Consent?
Enterprise Applications > Consent & Permission
Where can you set up permission classifications?
Enterprise Applications > Consent and Permissions
How do you specify which characters to show in a custom Dynamic Data Masking? In the form ... Prefix or ... Suffix
Exposed
For Virtual Network Gateway what name must be used for a virtual network subnet?
GatewaySubnet
What role is needed to activate PIM
Global Admin
What does Key Vault Premium get you?
HSM-backed resources
How do you connect an Azure App Service workload to another network (including on prem)?
Hybrid Connections
What docker isolation mode should you use when containers should not share the same kernel?
Hyper-V
Which networks can you add to an Azure firewall
In Region
Where does Azure resource manager define location?
In the template
What setting is set to configure double encryption?
Infrastructure Encryption
What Azure App Service setting is used to load certificates in code?
WEBSITE_LOAD_CERTIFICATES
When do you use a data collection endpoint in Azure Monitor?
When network isolation is required
What is the --assignee of a role assignment?
Where the role applies to
.pfx is a private certificate type
Yes
Are Azure Blobs protected by Customer Keys by default?
Yes
Are Azure Files protected by Customer Keys by default?
Yes
Can Azure IDP block access to the web service in response to a sign-in risk?
Yes
Can Azure IDP force a user to change his password in response to a user risk?
Yes
Can Azure IDP require MFA in response to a sign-in risk?
Yes
Can Azure Policy be applied to a resource?
Yes
Can Defender for cloud centrally manage firewalls?
Yes
Can Public Client/Native be used with delegated authorization?
Yes
Can Storage V1 Account's data plane be Accessed by Azure AD?
Yes
Can a B-Series VM Support Azure Disk Encryption
Yes
Can a D-Series VM Support Azure Disk Encryption
Yes
Can a VM WITH a temporary disk support Azure Disk Encryption
Yes
Can a VM with less than 4 GB of memory support Azure Disk Encryption
Yes
Can database audit logs be sent to an event grid
Yes
Can Defender for Cloud support other cloud environments?
Yes
Can multiple application gateways be deployed to the same subnet
Yes
Can the Microsoft Sentinel Contributor Account create automation playbooks?
Yes
Can you deploy an Application gateway of the same license type to the same subnet
Yes
Can you deploy application gateways to a /24 subnet
Yes
Can you deploy application gateways to a /27 subnet
Yes
Container Network Interface is used in AKS
Yes
Data collection endpoints can be deployed by region
Yes
Defender for SQL detects legitimate access from a breached computer
Yes
Does App Service support .pfx certificates?
Yes
Does App Service support managed certificates?
Yes
Does App Service support .cer certificates?
Yes
Do function apps support TLS by default?
Yes
Do you need an ACR premium SKU for dedicated endpoints?
Yes
Do you need an ACR premium SKU for network rules?
Yes
Do you need an ACR premium SKU for private endpoints?
Yes
Do you need to install something on Server Core to set up disk encryption?
Yes
Do you need to make note of threat intelligence settings whenever you upgrade an Azure Firewall?
Yes
Does AKS Azure Network Policy Support CNI?
Yes
Does AKS Azure Network Policy Support Linux?
Yes
Does AKS Azure Network Policy Support Windows?
Yes
Does AKS Calico Network Policies Support Kubenet?
Yes
Does AKS Calico Network Policies Support Linux?
Yes
Does AKS-managed Azure AD integration on an existing AKS cluster require the creation of an AD group?
Yes
Does AKS-managed Azure AD integration on an existing AKS cluster require updating the cluster configuration?
Yes
Does Azure App Service require a dedicated subnet
Yes
Does Azure Backup support managed encrypted disks?
Yes
Does Azure Backup support file & folder level recovery for unencrypted disks?
Yes
Does Azure Backup support unmanaged encrypted disks?
Yes
Does Azure defender for servers support JIT VM Access?
Yes
Does Azure defender for servers support adaptive application controls?
Yes
Does Azure defender for servers support adaptive network hardening?
Yes
Does Azure defender for servers support docker host hardening?
Yes
Does Azure defender for servers support file integrity monitoring?
Yes
Does Azure defender for servers support fileless attack detection?
Yes
Does Azure defender for servers support scanning for servers?
Yes
Does an Application Gateway V2 support Public ip with private IP
Yes
Does an Application Gateway V2 support Public ips
Yes
For AKS networking does CNI give each container an IP address?
Yes
For Azure Firewall, does a parent policy need to be the same region as the child policy?
Yes
Is MACsec supported for ExpressRoute?
Yes
Is SSTP supported for ExpressRoute?
Yes
Is a user delegation SAS a type of SAS
Yes
Is account a type of SAS
Yes
Is service a type of SAS
Yes
Is the following a Sentinel rule type: Anomaly
Yes
Is the following a Sentinel rule type: Fusion
Yes
Is the following a Sentinel rule type: ML
Yes
Is the following a Sentinel rule type: Microsoft Security
Yes
Is the following a Sentinel rule type: Near-real-time
Yes
Is the following a Sentinel rule type: Scheduled
Yes
Microsoft BPA is used to measure OS Security Posture
Yes
Should you assign the Application Developer role to developers who need to create applications?
Yes
To allow single sign on in Azure AD, you configure an Azure AD administrator for the database
Yes
To allow single sign on in Azure AD, you should grant a managed database access to Azure AD
Yes
Update management requires a log analytics agent
Yes
Update management requires an automation account
Yes
You can enable PIM for a Role
Yes
For authentication, in what case is Bundle ID used?
iOS
What happens in Azure Identity Protection if a medium sign-in risk is identified but per-user Azure AD MFA is disabled?
The user is blocked
What is the precedence of Azure Firewall rules? Of threat intelligence, network and application
Threat Intelligence > Network > Application
To create a database user do you create a user from an external provider or a login from an external provider?
User
What is hunting in sentinel?
Using KQL to find threats
Where does Azure resource manager store variables?
Variables File
How do you enable Dynamic Data Masking in a Managed SQL Database?
Database > Dynamic Data Masking
How do you enable encryption on a managed SQL database?
Database Server > TDE
What Azure Monitor option allows customer-managed keys and double encryption?
Dedicated Cluster
Where can you check Regulatory Compliance?
Defender for Cloud
Where can you inventory assets?
Defender for Cloud
Where can you use defender for cloud to hunt for vulnerabilities?
Defender for Cloud > Cloud Security Explorer
Where can you see assets not monitored by defender?
Defender for Cloud > Inventory
Where can you see Defender for Cloud Findings?
Defender for Cloud > Recommendations
Where can you see Defender alerts?
Defender for Cloud > Security Alerts
Where can you track your secure score over time in Defender?
Defender for Cloud > Security Posture
Where can you find compliance workbooks in Defender?
Defender for Cloud > Workbooks
Is an Azure AD Premium P1 license required to create a dynamic user group?
No
Is the following a Sentinel rule type: Azure Security
No
Is the following a Sentinel rule type: Breach
No
Is the following a Sentinel rule type: IAM
No
What DNS record is used to map one DNS name to another
CNAME
What DNS record should you use in App Service for a wildcard domain? A NS TXT CNAME
CNAME
How do you use an Azure Key Vault for AKS? Azure Key Vault Provider for Secrets Store ... ...
CSI Driver
What is the open source solution to secure traffic between containers in AKS?
Calico Network Policies
How does Authentication work in Service Fabric?
Certificate in KeyVault
How do you manage AKS with Azure AD Accounts and K8s RBAC?
Cluster Admin Group
Is the following a Sentinel rule type: Policy
No
Microsoft BPA is used to measure Azure Security Posture
No
Should you assign the Application Administrator role to developers who need to create applications?
No
Should you ever share storage account keys?
No
Update management requires Azure Monitor
No
When a subscription gets moved to another directory, RBAC assignments are preserved
No
You can enable PIM for an Account
No
In a custom role, what section defines what the role can not do?
NotActions
In a custom role, what section defines what data plane actions the role does not allow?
NotDataActions
How do you send Azure SQL logs for a Database?
Database > Diagnostic Settings > Add Diagnostic Setting
When creating a policy, where can you specify the enforcement mode type?
AllowedValues
What DB encryption method can encrypt a column?
Always Encrypted
Minimum DDOS SKU for L3/L4 automatic attack mitigation
DDoS IP
Minimum DDOS SKU for integration with firewall manager
DDoS IP
Minimum DDOS SKU to protect Public IP Standard SKU
DDoS IP
Minimum DDOS SKU for DDoS Rapid Response support
DDoS Network
Minimum DDOS SKU for DDoS cost protection
DDoS Network
Minimum DDOS SKU for a WAF discount
DDoS Network
Minimum DDOS SKU to protect Public IP Basic SKU
DDoS Network
What do you use to discover data in Azure Purview
Data Catalog
What is used to manage stewardship in Azure Purview
Data Estate Insights
What is used to govern access to data in Azure Purview
Data Policy
In a custom role, what section defines what data plane actions the role allows?
DataActions
How do you enable Auditing in a Managed SQL Database?
Database > Auditing
For Managed SQL, how do you apply data discovery and classification?
Database > Data Discovery and Classification
Where can you set Providers or Phone call settings for MFA?
Multifactor Authentication
What DNS record specifies the DNS server for a domain
NS
What configurations are used to control network access in AKS?
NetworkPolicy
Azure relay supports the exposure of what sort of resources in the cloud?
On Premises
What is a temporary solution in case someone needs MFA disabled?
One-Time Code
.cer is a private certificate type
No
Application IDs are created before an application is registered
No
Are Azure Queues protected by Customer Keys by default?
No
Are Azure Tables protected by Customer Keys by default?
No
Can Azure IDP ask an administrator for help in response to a sign-in risk?
No
Can Azure IDP force a user to change his password in response to a sign-in risk?
No
Can Public Client/Native be used with application authorization?
No
Can a VM WITHOUT a temporary disk support Azure Disk Encryption
No
Can a VM with less than 1 GB of memory support Azure Disk Encryption
No
Can a VM with less than 2 GB of memory support Azure Disk Encryption
No
Can a single page app use a client secret?
No
Can access restrictions be applied to Application Gateways?
No
Can an A-Series VM Support Azure Disk Encryption
No
Can you deploy a Standard_v2 and a Standard Application gateway to the same subnet
No
Can you deploy other resources to a subnet with an application gateway
No
Can you enable JIT for a VM deployed in Classic?
No
Can you enable TLS on azure container instances in Azure?
No
Can you enable infrastructure encryption on an existing storage account?
No
Can you switch back to a server key from a customer key with cosmos DB
No
Container Network Interface is used in Docker
No
Do you need an ACR premium SKU for image signing?
No
Does AKS Azure Network Policy Support kubenet?
No
Does AKS Calico Network Policies Support CNI?
No
Does AKS Calico Network Policies Support Windows?
No
Does AKS-managed Azure AD integration on an existing AKS cluster require the creation of a service principal?
No
Does AKS-managed Azure AD integration on an existing AKS cluster require the deletion and re-creation of the cluster?
No
Does Azure App Service require a virtual network gateway
No
Does Azure Backup support file & folder level recovery for encrypted disks?
No
Does Azure defender for servers support Azure automanage?
No
Does Azure defender for servers support identity protection?
No
Does an Application Gateway V2 support private ips without a public ip
No
Does the contributor role on a storage account provide access to the data plane?
No
For AKS networking does kubenet give each container an IP address?
No
For Azure Firewall, does a parent policy need to be the same license as the child policy?
No
Is IPSec supported for ExpressRoute?
No
Is L2TP supported for ExpressRoute?
No
Is a TXT record required in App Service?
No
Is a user SAS a type of SAS
No
What is the KQL command for filtering time and dates?
ago()