Online Access Free AZ-500 Exam Questions

No.# ASG constraint : All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. (Not a regional constraint)
1) NSG2 only
2) VM3 only

No.# C. Enable the Microsoft Defender for SQL plan.

No.# D and C support customer-managed keys.

Azure Table storage and Azure Queue storage do not support encryption with customer-managed keys. They are encrypted with service-managed keys by default.

No.# correction its NYY

No.# User1 - has ownership at subscription level therefore has access to the control plane of the key vault but not to the data plane. therefore User1 can manage RBAC permissions but cannot create/access keys or secrets (unless bthey can grant themself 'Key Administrator' access and do this, which again does not show up in this RBACs listed so we cannot assume that)
- Therefore User1 has not access to the keys or secrets in this vault

User2 - Is a Key VAult Crypto officer for the KeyVault1. so according to this:https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations , they can manage keys (but not access secrets or manage permissions)

User3 - Is a Secrets officer for the KeyVault1 scope. they can access secrets data in this key vault

User4 - Here's a tricky one. while they are indeed given 'Key Vault Administrator', notice the scope is set to "../KeyVault1/Keys/Key1". So they should only be able to work with that key.

Therefore, I believe the answer is:
1st box - Only User2
2nd box - Only User3...

No.# tested in lab
Correct answers should be:

Email: XXXX ==> Default masking function is used (and not email function)
Birthday: 1900-01-01 ==> as explained in the documentation for date type using default

No.# Just tested in Lab environment:
1. In case if rule 100 is deleted manually the access will not work. So the answer is - YES
2. RDP is not blocked because rule 100 is in place and we should consider it as it is. - NO
3. Azure Bastion host is not enabling RDP from the internet. This is the key feature of Bastion - allowing access to VMs which does not have a public IP address. So the answer is - NO

No.# Azure Security Center's Regulatory compliance assessment is more focused on predefined regulatory standards, not custom initiatives.

No.# B. Enable Azure Network Watcher:

Network Watcher is a prerequisite for NSG flow logs.
It provides network monitoring and diagnostic tools, including the capability to enable and manage NSG flow logs.

D. Enable NSG flow logs:

NSG flow logs provide detailed information about IP traffic flowing through Network Security Groups.
They can be stored directly in an Azure Storage account, which matches your requirement.

No.# C, Initiative1, Initiative2
Microsoft Defender for Cloud applies security initiatives to the subscriptions.
So when you go to Environment Settings of Defender for Cloud you will be able to assign Initiative1 (inheritied from TRG) and 2 to Sub1.

MG1 does not have an Subscription so it wont even be an available option in Environment Settings.

No.# Confirmed in lab. Correct answer is Box1: Conditions (User & Sign-in Risk, device platforms, locations, etc) & Box2: Grant (Block or Grant access for MFA, Compliant, hybrid joined devices, etc)

No.# NO: VM1 is suppressed, examplae maintenance
YES: Rule is OK
NO: Tags not Administrative operations

No.# Service Principals: Managed1, VM1, and App1 only
Identities: Managed1, VM1, App1, and Group1

No.# B. Flow logs will be disabled for NSG1 and NSG2. Most Voted

No.# Logs analytics agent and Sentinel data connector

No.# B. Initiative1 and Initiative2 only

No.# 2
VM1 is attached to RG1, and RG1 is attached to subscription 1
VM2 is attached to RG2, and RG2 is attached to subscription 1

NSGs can only be applied at the subnet or VM level.
the question is poorly posed or is missing info ?
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

No.# B. From the Policy blade of the Azure Active Directory admin center, select Compliance.

No.# b. When you create a custom initiative the policy get automatically assigned to the scope. In the Azure policy page you can find those custom initiative named [Assigned by MDC]

No.# Box1: Admin3 Only
Box2: Admin1 and Admin4 only