AZ-500: Microsoft Azure Security Technologies Quiz Questions and Answers

You have been tasked with applying conditional access policies for your company's current Azure Active Directory (Azure AD). The process involves assessing the risk events and risk levels. Which of the following is the risk level that should be configured for sign-ins that originate from IP addresses with suspicious activity?

Answer :
  • Medium

Explanation :

Microsoft is unlikely to require memorization of specific risk levels, because the documentation has changed. The legacy risk-event documentation assigned each risk event a fixed level, and "Sign-ins from IP addresses with suspicious activity" was rated Medium, which is the answer this question expects. The current documentation replaces that table with this deliberately vague paragraph: "Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user." What still matters in practice is how the levels are consumed: a sign-in risk or user risk Conditional Access policy picks the levels (low, medium, high) at which to require MFA, a password change, or to block.
Modern documentation: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#investigate-risk
Legacy documentation: https://web.archive.org/web/20190419234045/https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
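The following is an added example, not part of the quiz page: a bash script that creates a sign-in-risk Conditional Access policy through the Microsoft Graph API with az rest, requiring MFA when Identity Protection rates a sign-in as medium or high risk. The policy name and the excluded break-glass group object id are placeholders; setting AZ_DRY_RUN=1 prints the request instead of sending it.

```shell
#!/usr/bin/env bash
# Added example (not from the quiz page). Creates a sign-in-risk Conditional Access
# policy via Microsoft Graph: MFA is required for medium- and high-risk sign-ins.
# Placeholders: the policy display name and the break-glass group object id.
set -eu

run() {  # execute the command, or only print it when AZ_DRY_RUN=1
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit the policy body. Low risk is deliberately left out of signInRiskLevels: every
# extra MFA prompt trains users to approve reflexively. The break-glass group is
# excluded so a bad risk signal cannot lock every administrator out at once.
signin_risk_policy_json() {  # <display-name> <state> <excluded-group-object-id>
  local name="$1" state="$2" exclude_group="$3"
  cat <<EOF
{
  "displayName": "$name",
  "state": "$state",
  "conditions": {
    "signInRiskLevels": ["medium", "high"],
    "clientAppTypes": ["all"],
    "applications": { "includeApplications": ["All"] },
    "users": { "includeUsers": ["All"], "excludeGroups": ["$exclude_group"] }
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}

# POST the policy. az rest acquires a Graph token for the signed-in account; the
# account needs the Conditional Access Administrator (or Security Administrator) role.
create_signin_risk_policy() {  # <display-name> <state> <excluded-group-object-id>
  local body
  body=$(signin_risk_policy_json "$1" "$2" "$3")
  run az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
    --headers "Content-Type=application/json" \
    --body "$body"
}

# Roll out in report-only mode first, review the sign-in logs for what would have been
# prompted, then PATCH the policy to "state": "enabled".
if [ "${1:-}" = "apply" ]; then
  create_signin_risk_policy "CA-SignInRisk-RequireMFA" "enabledForReportingButNotEnforced" \
    "00000000-0000-0000-0000-000000000000"   # placeholder break-glass group object id
fi
```

Run it as `./ca-signin-risk.sh apply` once `az login` has been done; `AZ_DRY_RUN=1 ./ca-signin-risk.sh apply` shows the exact request without creating anything.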

Your company needs to plan to create separate subscriptions for each department. Each subscription will be associated with the same Azure Active Directory (Azure AD) tenant. You need to configure each subscription to have the same role assignments. What should you use?

Answer :
  • Azure Blueprints

Explanation :

Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements.
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
✑ Role Assignments
✑ Policy Assignments
✑ Azure Resource Manager templates
✑ Resource Groups
A single blueprint definition that carries the role-assignment artifacts can be assigned to each department's subscription, so every subscription gets identical role assignments from one source. Note that Azure Blueprints never left preview and Microsoft has announced its deprecation (July 2026) in favor of Template Specs and Deployment Stacks, so the exam answer and the tooling recommended for new work now differ.
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

Your organization uses Azure Firewall for perimeter security. You want to make sure that the firewall allows Windows Update traffic to pass through the firewall. What will you use to add a rule?

Answer :
  • FQDN Tags

Explanation :

An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well-known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall. Without tags, allowing Windows Update would mean creating and maintaining multiple application rules for the individual Windows Update FQDNs listed in the Microsoft documentation. With FQDN tags you create one application rule, include the WindowsUpdate tag, and traffic to the Microsoft Windows Update endpoints can flow through the firewall. Microsoft maintains the FQDN list behind each tag: you cannot create your own tags or change which FQDNs a tag contains, and because tags are only valid in application rules they cover HTTP and HTTPS traffic, not arbitrary ports.
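An added example, not from the quiz page, of the rule described above as an Azure CLI script: one application rule that uses the WindowsUpdate FQDN tag instead of a hand-maintained FQDN list. Resource names and the source range are placeholders, the azure-firewall CLI extension must be installed, and AZ_DRY_RUN=1 prints the command instead of running it.

```shell
#!/usr/bin/env bash
# Added example (not from the quiz page). Allows Windows Update traffic through Azure
# Firewall with a single application rule built on the WindowsUpdate FQDN tag.
# Placeholders: resource group, firewall name, source address range.
set -eu

run() {  # execute the command, or only print it when AZ_DRY_RUN=1
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --fqdn-tags and --target-fqdns are mutually exclusive: the tag replaces the FQDN
# list, Microsoft keeps the list current. --priority and --action are only needed the
# first time the rule collection is created; later rules reuse the collection.
allow_windows_update() {  # allow_windows_update <resource-group> <firewall-name> <source-cidr>
  local rg="$1" fw="$2" src="$3"
  run az network firewall application-rule create \
    --resource-group "$rg" --firewall-name "$fw" \
    --collection-name AllowMicrosoftServices --priority 200 --action Allow \
    --name AllowWindowsUpdate \
    --source-addresses "$src" \
    --protocols Http=80 Https=443 \
    --fqdn-tags WindowsUpdate
}

if [ "${1:-}" = "apply" ]; then
  # Scope the source to the subnets that actually need updates, never 0.0.0.0/0.
  allow_windows_update "rg-network" "fw-hub" "10.10.0.0/16"
fi
```

Keep the source range tight: the tag only constrains the destinations, so a source of `*` would let any workload behind the firewall reach the Windows Update endpoints, including ones that have no business doing so.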

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. You have an Azure subscription named Sub1 that is associated with an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant. You need to recommend an integration solution that meets the following requirements: ✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant ✑ Minimizes the number of servers required for the solution. Which authentication method should you include in the recommendation?

Answer :
  • Pass-through authentication with seamless single sign-on (SSO)

Explanation :

The federated option is ruled out because it requires additional servers. Password hash synchronization could appear to satisfy the first requirement, but on-premises user logon restrictions do not take effect immediately: "The password expired and account locked-out states aren't currently synced to Azure AD with Azure AD Connect. When you change a user's password and set the user must change password at next logon flag, the password hash will not be synced to Azure AD with Azure AD Connect until the user changes their password." (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn). Pass-through authentication validates the password against on-premises Active Directory at sign-in time, so on-premises account states, password policies and sign-in hours are enforced immediately, and it only needs lightweight authentication agents on existing domain-joined servers rather than a federation farm.

Your company has an Azure Container Registry. You have been tasked with assigning a user a role that allows for the downloading of images from the Azure Container Registry. The role assigned should not require more privileges than necessary. Which of the following is the role you should assign?

Answer :
  • AcrPull

Explanation :

The question gives the condition "The role assigned should not require more privileges than necessary." AcrPull is therefore correct, because it grants only the pull permission needed to download images from a container registry. Reader grants two of the permissions in the roles table (access to Resource Manager and pull), one more than AcrPull, so it is not least privilege; AcrPush and Contributor go further still and add push, and Contributor adds delete and policy changes. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]

As a cyber security engineer, you should never assume trust but instead continually validate trust. When users, devices, and data all resided inside the organization's firewall, they were assumed to be trusted. This assumed trust allowed for easy lateral movement after a malicious hacker compromised an endpoint device. Which model addresses this?

Answer :
  • Zero trust model

Explanation :

Gone are the days when security focused on a strong perimeter defense to keep malicious hackers out. Anything outside the perimeter was treated as hostile, whereas inside the wall an organization's systems were trusted. Today's security posture is to assume breach and use the Zero Trust model: verify every request explicitly regardless of where it originates, grant least-privilege access, and treat every network as hostile. Security professionals no longer focus on perimeter defense alone, because modern organizations have to support access to data and services evenly from both inside and outside the corporate firewall.

You are in the process of creating an Azure Kubernetes Service (AKS) cluster. The Azure Kubernetes Service (AKS) cluster must be able to connect to an Azure Container Registry. You want to make sure that Azure Kubernetes Service (AKS) cluster authenticates to the Azure Container Registry by making use of the auto-generated service principal. Solution: You create an Azure Active Directory (Azure AD) role assignment. Does the solution meet the goal?

Answer :
  • Yes

Explanation :

1. When you create an AKS cluster, Azure also creates a service principal to support cluster operations with other Azure resources. 2. This service principal can already authenticate to Azure AD, since Azure created it there. 3. It still needs Azure RBAC permissions on the container registry to pull images. 4. To grant them, you create a role assignment that gives the cluster's service principal the AcrPull role scoped to the registry. Strictly this is an Azure RBAC role assignment on the registry resource, granted to the Azure AD service principal, and it is the step the solution describes, so the solution meets the goal. If the cluster uses a managed identity instead of a service principal, the same assignment goes to the kubelet identity.
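The two registry questions above (the least-privilege role for a user who downloads images, and the role assignment for the AKS cluster's auto-generated service principal) need the same command, so here is one added example, not from the quiz page, that serves both: an Azure CLI script that assigns AcrPull scoped to the registry. Resource names and the user are placeholders, and AZ_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the quiz page). Grants image-pull rights on an Azure
# Container Registry with the least-privileged built-in role, AcrPull, to a user and
# to an AKS cluster's auto-generated service principal. Names are placeholders.
set -eu

run() {  # execute the command, or only print it when AZ_DRY_RUN=1
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One Azure RBAC role assignment, scoped to the registry resource itself rather than
# the resource group or subscription, so the principal can pull from this registry only.
grant_acr_pull() {  # grant_acr_pull <user-upn | object-id | app-id> <registry-resource-id>
  local assignee="$1" scope="$2"
  run az role assignment create --assignee "$assignee" --role AcrPull --scope "$scope"
}

# Verification step: list what the principal actually holds on the registry, so a
# leftover Reader or Contributor assignment does not silently widen the grant.
list_acr_roles() {  # list_acr_roles <assignee> <registry-resource-id>
  run az role assignment list --assignee "$1" --scope "$2" \
    --query "[].roleDefinitionName" --output tsv
}

if [ "${1:-}" = "apply" ]; then
  rg="rg-platform"; registry="contosoacr"; cluster="aks-prod"; user="dev1@contoso.com"
  scope=$(az acr show --resource-group "$rg" --name "$registry" --query id --output tsv)

  # A human user who only needs to download images.
  grant_acr_pull "$user" "$scope"
  list_acr_roles "$user" "$scope"

  # The service principal Azure generated for the cluster; its appId is the assignee.
  # For a managed-identity cluster this field reads "msi"; use
  # identityProfile.kubeletidentity.clientId instead.
  client_id=$(az aks show --resource-group "$rg" --name "$cluster" \
    --query servicePrincipalProfile.clientId --output tsv)
  grant_acr_pull "$client_id" "$scope"
  list_acr_roles "$client_id" "$scope"
fi
```

For the cluster case, `az aks create ... --attach-acr contosoacr` (or `az aks update --attach-acr` on an existing cluster) performs the same AcrPull assignment for you; the script shows what that shortcut does so the resulting grant can be audited.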

Maven's organization has strict rules for data access over storage accounts. As per the policy, he needs to allow access only through VNET1. How can he implement this?

Answer :
  • Service endpoint

Explanation :

Virtual network (VNet) service endpoints provide secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Endpoints let you secure critical Azure service resources to only your virtual networks, and they let private IP addresses in the VNet reach the endpoint of an Azure service without needing a public IP address on the VNet. Enabling the endpoint on a VNET1 subnet is only half of the control: the storage account's firewall must also list that subnet as an allowed virtual network and have its default action set to Deny, otherwise the account still accepts traffic from anywhere.
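An added example, not from the quiz page, of the full sequence as an Azure CLI script: enable the Microsoft.Storage service endpoint on a VNET1 subnet, allow that subnet on the storage account, and only then set the default action to Deny. Resource names are placeholders and AZ_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the quiz page). Restricts a storage account so that only
# traffic from one subnet of VNET1, arriving over a Microsoft.Storage service endpoint,
# is accepted. Resource names are placeholders.
set -eu

run() {  # execute the command, or only print it when AZ_DRY_RUN=1
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

restrict_storage_to_subnet() {  # <resource-group> <storage-account> <vnet> <subnet>
  local rg="$1" sa="$2" vnet="$3" subnet="$4"
  # 1. Turn on the Microsoft.Storage service endpoint on the subnet, so its private IPs
  #    reach the storage service over the Azure backbone with the VNet identity attached.
  run az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" \
    --name "$subnet" --service-endpoints Microsoft.Storage
  # 2. Allow that subnet in the storage account's network rules. If the VNet lives in a
  #    different resource group, pass the subnet's full resource id to --subnet instead.
  run az storage account network-rule add --resource-group "$rg" --account-name "$sa" \
    --vnet-name "$vnet" --subnet "$subnet"
  # 3. Only now flip the default to Deny: the endpoint alone restricts nothing, and
  #    denying before step 2 would cut the VNet off as well.
  run az storage account update --resource-group "$rg" --name "$sa" --default-action Deny
}

if [ "${1:-}" = "apply" ]; then
  restrict_storage_to_subnet "rg-data" "contosodata001" "VNET1" "app-subnet"
fi
```

After applying, `az storage account show --name contosodata001 --query networkRuleSet` should list the subnet under virtualNetworkRules with defaultAction Deny; trusted Azure services still reach the account through the default AzureServices bypass, which is a separate decision from the VNet rule.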

You have an Azure Active Directory (Azure AD) tenant that contains a user named Admin1. Admin1 is assigned the Application developer role. You purchase a cloud app named App1 and register App1 in Azure AD. Admin1 reports that the option to enable token encryption for App1 is unavailable. You need to ensure that Admin1 can enable token encryption for App1 in the Azure portal. What should you do?

Answer :
  • Add App1 as an enterprise application

Explanation :

The Token encryption option is only available for SAML applications that have been set up from the Enterprise applications blade in the Azure portal, either from the Application Gallery or as a Non-Gallery app. For other applications, this menu option is disabled. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal