Online Access Free AZ-500 Exam Questions

No.# A:
This is an audit policy with an exception for NSG1. Since Networrk Flow Log is disabled on NSG1 and NSG2 it remains disabled. You need DeployIfNotExists effect to activate NFL.
https://azure.microsoft.com/en-us/updates/nsg-flow-logs-built-in-azure-policy/
We are launching two built-in policies for deploying NSG Flow Logs
• An Audit policy: Flag NSGs without Flow logs enabled
• A DeployIfNotExists policy: Enable Flow logs on NSGs where it is disabled
Get started with our tutorial for using the above policies.

No.# D. KeyVault1 KeyVault2 and KeyVault3

No.# A. blob index tags and container names only

No.# C is correct answer. The context of the question is from a Security/Access/Identities perspective, and not from developer's perspective. Check the answer here, section "Client Secret":

https://docs.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep#dealing-with-sign-in

No.# An Azure Log Analytics agent on a Linux virtual machine
Sentinel Connector

No.# ASG1 - VM2

No.# NYN

1st inter VNET Connection will take priority over default route.
2 nd yes, as there is /24 route to the subnet forwarding to NVA(Firewall)
3rd there is no default route looking towards NVA (Firewall)

No.# Box1: User1 and User3
Box2: User1 and User4

I have tested this on my lab. user4 also can modify network access

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

No.# ested with following results:
A: No
Security Admin cannot manage key vault properties
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin
B: No
Network Contributor or Key Vault Reader cannot change the key vault firewall
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
C: YES
Key vault contributor can do that
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor
Note: "does not allow you to assign roles" - but here the question is to add access policies which works.

No.# A. Enable a managed identity on VM1.

No.# ASG constraint : All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. (Not a regional constraint)
1) NSG2 only
2) VM3 only

No.# User1 - has ownership at subscription level therefore has access to the control plane of the key vault but not to the data plane. therefore User1 can manage RBAC permissions but cannot create/access keys or secrets (unless bthey can grant themself 'Key Administrator' access and do this, which again does not show up in this RBACs listed so we cannot assume that)
- Therefore User1 has not access to the keys or secrets in this vault

User2 - Is a Key VAult Crypto officer for the KeyVault1. so according to this:https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations , they can manage keys (but not access secrets or manage permissions)

User3 - Is a Secrets officer for the KeyVault1 scope. they can access secrets data in this key vault

User4 - Here's a tricky one. while they are indeed given 'Key Vault Administrator', notice the scope is set to "../KeyVault1/Keys/Key1". So they should only be able to work with that key.

Therefore, I believe the answer is:
1st box - Only User2
2nd box - Only User3...

No.# Nick66 Highly Voted 1 year, 6 months ago
Box1 and Box2: AD DS Only
Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following three methods:
• On-premises Active Directory Domain Services (AD DS)
• Azure Active Directory Domain Services (Azure AD DS)
• Azure Active Directory (Azure AD) Kerberos for hybrid user identities
Note
Azure Files supports authentication for Azure AD DS with full or partial (scoped) synchronization with Azure AD. For environments with scoped synchronization present, administrators should be aware that Azure Files only honors Azure RBAC role assignments granted to principals that are synchronized. Role assignments granted to identities not synchronized from Azure AD to Azure AD DS will be ignored by the Azure Files service.

No.# Explanation:
Box 1: 4 -
A container can have up to 5 stored access policies.
Maximum number of stored access policies per blob container: 5
Box 2: 1 -
Blob version supports one version-level immutability policy and one legal hold. A policy on a blob version can override a default policy specified on the account or container.

No.# Conditions,
Grant,
Only allow access to App1 from Windows devices: Conditions Only allow devices that are marked as compliant
to access App1: Grant

No.# B. From the Policy blade of the Azure Active Directory admin center, select Compliance.

No.# I agree YNN.
Y - WebApp1 has VNI and VNET1 and VNET2 are peered
N - NSG1 is associated to Subnet1, since Subnet1 contains VM1, WebApp1 is in a different subnet (WebApps must be deployed to an empty subnet). NSG1 as far as this question goes is only associated to Subnet1.
N - WebApp2 does not have VNET integration

No.# Always Encrypted by Using Azure Key Vault

Create an Access Policy in azure Key vault

https://docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell#create-a-key-vault-to-store-your-keys

No.# Global Administration rights required.

I was thinking MFA, but then the question does not mention MFA, or MFA status it only mentions user 2 has Security Administrator Role. So obviously if User2 needs to implement PIM, PIM needs to be enabled, and it requires Global Administrator role.

No.# 1) Admin 3
2) Admin 1 and Admin4
User Access Administrator : Manage user access to Azure resources
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles