Exam AZ-500: Microsoft Azure Security Technologies
Candidates for this exam are Microsoft Azure security engineers who implement
security controls, maintain the security posture, manages identity and access,
and protects data, applications, and networks. Candidates identify and remediate
vulnerabilities by using a variety of security tools, implements threat
protection, and responds to security incident escalations. As a Microsoft Azure
security engineer, candidates often serve as part of a larger team dedicated to
cloud-based management and security and may also secure hybrid environments as
part of an end-to-end infrastructure.
Candidates for this exam should have strong skills in scripting and automation,
a deep understanding of networking, virtualization, and cloud N-tier
architecture, and a strong familiarity with cloud capabilities, Microsoft Azure
products and services, and other Microsoft products and services. Less
Fulfills requirements for: Microsoft Certified: Azure Security Engineer
Associate
Languages: English, Japanese, Chinese (Simplified), Korean
This exam measures your ability to accomplish the following technical tasks:
manage identity and access; implement platform protection; manage security
operations; and secure data and applications.
Manage identity and access (20-25%)
Configure Microsoft Azure Active Directory for workloads
create App registration
configure App registration permission scopes
manage App registration permission consent
configure multi-factor authentication settings
manage Microsoft Azure AD directory groups
manage Microsoft Azure AD users
install and configure Microsoft Azure AD Connect
configure authentication methods
implement conditional access policies
configure Microsoft Azure AD identity protection
Configure Microsoft Azure AD Privileged Identity Management
monitor privileged access
configure access reviews
activate Privileged Identity Management
Configure Microsoft Azure tenant security
transfer Microsoft Azure subscriptions between Microsoft Azure AD tenants
manage API access to Microsoft Azure subscriptions and resources
Implement platform protection (35-40%)
Implement network security
configure virtual network connectivity
configure Network Security Groups (NSGs)
create and configure Microsoft Azure firewall
create and configure application security groups
configure remote access management
configure baseline
configure resource firewall
Implement host security
configure endpoint security within the VM
configure VM security
harden VMs in Microsoft Azure
configure system updates for VMs in Microsoft Azure
configure baseline
Configure container security
configure network
configure authentication
configure container isolation
configure AKS security
configure container registry
configure container instance security
implement vulnerability management
Implement Microsoft Azure Resource management security
create Microsoft Azure resource locks
manage resource group security
configure Microsoft Azure policies
configure custom RBAC roles
configure subscription and resource permissions
Manage security operations (15-20%)
Configure security services
configure Microsoft Azure monitor
configure Microsoft Azure log analytics
configure diagnostic logging and log retention
configure vulnerability scanning
Configure security policies
configure centralized policy management by using Microsoft Azure Security Center
configure Just in Time VM access by using Microsoft Azure Security Center
Manage security alerts
create and customize alerts
review and respond to alerts and recommendations
configure a playbook for a security event by using Microsoft Azure Security
Center
investigate escalated security incidents
Secure data and applications (30-35%)
Configure security policies to manage data
configure data classification
configure data retention
configure data sovereignty
Configure security for data infrastructure
enable database authentication
enable database auditing
configure Microsoft Azure SQL Database threat detection
configure access control for storage accounts
configure key management for storage accounts
create and manage Shared Access Signatures (SAS)
configure security for HDInsights
configure security for Cosmos DB
configure security for Microsoft Azure Data Lake
Configure encryption for data at rest
implement Microsoft Azure SQL Database Always Encrypted
implement database encryption
implement Storage Service Encryption
implement disk encryption
implement backup encryption
Implement security for application delivery
implement security validations for application development
configure synthetic security transactions
Configure application security
configure SSL/TLS certs
configure Microsoft Azure services to protect web apps
create an application security baseline
Configure and manage Key Vault
manage access to Key Vault
manage permissions to secrets, certificates, and keys
manage certificates
manage secrets
configure key rotation
Click here to
view complete Q&A of AZ-500 exam
Certkingdom Review,
Certkingdom PDF Torrents
Best Microsoft AzureAZ-500 Certification, Microsoft Azure AZ-500 Training at certkingdom.com
QUESTION 2
You need to ensure that User2 can implement PIM.
What should you do first?
A. Assign User2 the Global administrator role.
B. Configure authentication methods for contoso.com.
C. Configure the identity secure score for contoso.com.
D. Enable multi-factor authentication (MFA) for User2.
Answer: A
Explanation/Reference:
To start using PIM in your directory, you must first enable PIM.
1. Sign in to the Azure portal as a Global Administrator of your directory.
You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a
Microsoft account (for example, @outlook.com), to enable PIM for a directory.
Scenario: Technical requirements include: Enable Azure AD Privileged Identity Management (PIM) for
contoso.com
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-gettingstarted
QUESTION 3
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access
signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You generate new SASs.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation/Reference:
Instead you should create a new stored access policy.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier.
Changing the signed identifier breaks the associations between any existing signatures and the stored access
policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures
associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access
signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a new stored access policy.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation/Reference:
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier.
Changing the signed identifier breaks the associations between any existing signatures and the stored access
policy. Deleting or renaming the stored access policy immediately effects all of the shared access signatures
associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
QUESTION 5
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy the On-premises data gateway to the on-premises network.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation/Reference:
Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN
gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the
following actions:
Create Azure Virtual Network.
Create a custom DNS server in the Azure Virtual Network.
Configure the virtual network to use the custom DNS server instead of the default Azure Recursive
Resolver.
Configure forwarding between the custom DNS server and your on-premises DNS server.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
