Online Access Free AZ-500 Exam Questions

No.# Delegate permissions for ContosoKey1: User 1 and User 3
Configure network access to ContosoKey1: User 1 and User 4

Key Vault Contributor role definition includes Microsoft.KeyVault/*, which means it has full rights and can therefore modify network access
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

No.# A. Enable Azure Defender.

No.# Box 1: Label 2 only -
How multiple conditions are evaluated when they apply to more than one label
1. The labels are ordered for evaluation, according to their position that you specify in the policy: The label positioned first has the lowest position (least sensitive) and the label positioned last has the highest position (most sensitive).
2. The most sensitive label is applied.
3. The last sublabel is applied.
Box 2: No Label -
Automatic classification applies to Word, Excel, and PowerPoint when documents are saved, and apply to Outlook when emails are sent. Automatic classification does not apply to Microsoft Notepad.

No.# should be
1. ABLE TO CONNECT TO EAST US2
2. DROPPED (because the cidr notation is a /32 which means only one IP, which is different from the IP in the rule. so the packet would be dropped.

No.# B the Policy blade of the Azure Active Directory admin center, select Compliance

No.# Which Portal:
Azure AD and M365 Admin Center

Group type:
Security or M365 only

No.# Selected Answer: B
The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted into SQL Database. This approach is fine for stable IP addresses that are outside the Azure private network. However, virtual machines (VMs) within the Azure private network are configured with dynamic IP addresses. Dynamic IP addresses can change when your VM is restarted and in turn invalidate the IP-based firewall rule. It would be folly to specify a dynamic IP address in a firewall rule, in a production environment.
You can work around this limitation by obtaining a static IP address for your VM. For details, see Create a virtual machine with a static public IP address using the Azure portal. However, the static IP approach can become difficult to manage, and it's costly when done at scale.
Virtual network rules are easier alternative to establish and to manage access from a specific subnet that contains your VMs.

No.# Box 1: File service and Data Lake Storage only
Box 2: Storage1, Storage2 and storage 5 only
Storage1 - Blob Storage (i.e. supported)
Storage2 - Block Blob Storage (i.e. supported)
Storage3 - Storage (i.e. not supported)
Storage4 - FileStorage (i.e. not supported)
Storage5 - General Purpose v2 (i.e. supported)

https://learn.microsoft.com/en-us/azure/storage/common/azure-defender-storage-configure?tabs=enable-subscription#availability
Supported storage types:
• Blob Storage (Standard/Premium StorageV2, including Data Lake Gen2): Activity monitoring, Malware Scanning, Sensitive Data Discovery
• Azure Files (over REST API and SMB): Activity monitoring

No.# Sign in to the Azure portal as a user administrator or global administrator.

No.# tested and Privileged Role Admin was able to perform all required tasks.

No.# b. To protect your AWS-based resources, you can connect an AWS account with either Native of Classic Cloud Connector.

Native cloud connector is the recommended way and provides an agentless connection to your AWS account that can extend with Defender for Cloud's Defender plans to secure the AWS resources.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings

No.# RBAC roles only apply when connecting with AD credentials :

1. Y beacause SAS gives him File Delete permission
2. N because he has only SMB File Reader, he can't delete
3. N because SAS only gives File permission, not Table

No.# C. storage1, storage2 and storage3 only

No.# No/No/No
1. Blueprint doesn't work on existing resources.
2. RG2 is read-only and "The resource group is read only and tags on the resource group can't be modified. "
3. The newly created RG2 is read-only and nothing can be changed before you changed/deleted blueprint assignment.

No.# D. Enable the Microsoft Defender for SQL plan

No.# D. KeyVault1, KeyVault2, and KeyVault3 Most Voted

No.# Explanation:
Box 1: 4 -
A container can have up to 5 stored access policies.
Maximum number of stored access policies per blob container: 5
Box 2: 1 -
Blob version supports one version-level immutability policy and one legal hold. A policy on a blob version can override a default policy specified on the account or container.

No.# https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#conditions

The condition states
"While match and notMatch are case-sensitive, all other conditions that evaluate a stringValue are case-insensitive. Case-insensitive alternatives are available in matchInsensitively and notMatchInsensitively."

This shows that the "notContains" as a string comparison is actually case-INSENSITIVE.

The other thing we have to look at is if (not same region of RG). This sums up, if we look at another perspective, is

if (RG same region AND contains "obj") -> accept
else -> deny

Therefore the answer should be Y N Y

No.# NO-YES-NO

No.# A: File Integrity Monitoring (FIM) examines operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack.