AZ-500 : Microsoft Azure Security Technologies : Part 03
-
SIMULATION
The developers at your company plan to publish an app named App11641655 to Azure.
You need to ensure that the app is registered to Azure Active Directory (Azure AD). The registration must use the sign-on URLs of https://app.contoso.com.
To complete this task, sign in to the Azure portal and modify the Azure resources.
- See the explanation below.
Explanation: Step 1: Register the Application
1. Sign in to your Azure Account through the Azure portal.
2. Select Azure Active Directory.
3. Select App registrations.
4. Select New registration.
5. Name the application App11641655. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI https://app.contoso.com, where the access token is sent to.
6. Click Register.
-
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The User administrator role is assigned to a user named Admin1.
An external partner has a Microsoft account that uses the [email protected] sign-in.
Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: “Unable to invite user [email protected] Generic authorization exception.”
You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.
What should you do?
- From the Roles and administrators blade, assign the Security administrator role to Admin1.
- From the Organizational relationships blade, add an identity provider.
- From the Custom domain names blade, add a custom domain.
- From the Users blade, modify the External collaboration settings.
Explanation:
You need to allow guest invitations in the External collaboration settings.
-
You have an Azure Active Directory (Azure AD) tenant.
You have the deleted objects shown in the following table.
On May 4, 2020, you attempt to restore the deleted objects by using the Azure Active Directory admin center.
Which two objects can you restore? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- Group1
- Group2
- User2
- User1
Explanation:
Deleted users and deleted Office 365 groups are available for restore for 30 days.
You cannot restore a deleted security group.
-
HOTSPOT
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
You create an Azure role by using the following JSON file.
You assign Role1 to User1 for RG1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1.
You plan to publish several apps in the tenant.
You need to ensure that User1 can grant admin consent for the published apps.
Which two possible user roles can you assign to User1 to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- Security administrator
- Cloud application administrator
- Application administrator
- User administrator
- Application developer
-
You have an Azure subscription that is associated with an Azure Active Directory (Azure AD) tenant.
When a developer attempts to register an app named App1 in the tenant, the developer receives the error message shown in the following exhibit.
You need to ensure that the developer can register App1 in the tenant.
What should you do for the tenant?
- Modify the Directory properties.
- Set Enable Security defaults to Yes.
- Configure the Consent and permissions settings for enterprise applications.
- Modify the User settings.
-
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant and a user named User1.
The App registrations settings for the tenant are configured as shown in the following exhibit.
You plan to deploy an app named App1.
You need to ensure that User1 can register App1 in Azure AD. The solution must use the principle of least privilege.
Which role should you assign to User1?
- App Configuration Data Owner for the subscription
- Managed Application Contributor for the subscription
- Cloud application administrator in Azure AD
- Application developer in Azure AD
-
You have the Azure virtual machines shown in the following table.
Each virtual machine has a single network interface.
You add the network interface of VM1 to an application security group named ASG1.
You need to identify the network interfaces of which virtual machines you can add to ASG1.
What should you identify?
- VM2 only
- VM2 and VM3 only
- VM2, VM3, VM4, and VM5
- VM2, VM3, and VM5 only
-
SIMULATION
You need to create a new Azure Active Directory (Azure AD) directory named 10317806.onmicrosoft.com. The new directory must contain a user named user10317806 who is configured to sign in by using Azure Multi-Factor Authentication (MFA).
- See the explanation below.
Explanation: To create a new Azure AD tenant:
1. Browse to the Azure portal and sign in with an account that has an Azure subscription.
2. Select the plus icon (+) and search for Azure Active Directory.
3. Select Azure Active Directory in the search results.
4. Select Create.
5. Provide an Organization name (10317806) and an Initial domain name (10317806). Then select Create. This will create the directory named 10317806.onmicrosoft.com.
6. After directory creation is complete, select the information box to manage your new directory.
To create the user:
1. In the Azure portal, make sure you are on the Azure Active Directory flyout. If not, select the Azure Active Directory icon from the left services navigation.
2. Under Manage, select Users.
3. Select All users and then select + New user.
4. Provide a Name and User name (user10317806) for the user. When you’re done, select Create.
To enable MFA:
1. In the Azure portal, make sure you are on the Azure Active Directory flyout. If not, select the Azure Active Directory icon from the left services navigation.
2. Under Manage, select Users.
3. Click on the Multi-Factor Authentication link.
4. Tick the checkbox next to the user’s name and click the Enable link.
-
You have an Azure subscription named Subscription1 that contains an Azure Active Directory (Azure AD) tenant named contoso.com and a resource group named RG1.
You create a custom role named Role1 for contoso.com.
Where can you use Role1 for permission delegation?
- contoso.com only
- contoso.com and RG1 only
- contoso.com and Subscription1 only
- contoso.com, RG1, and Subscription1
-
You have an Azure subscription.
You enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
Your company’s security policy for administrator accounts has the following conditions:
– The accounts must use multi-factor authentication (MFA).
– The accounts must use 20-character complex passwords.
– The passwords must be changed every 180 days.
– The accounts must be managed by using PIM.
You receive multiple alerts about administrators who have not changed their password during the last 90 days.
You need to minimize the number of generated alerts.
Which PIM alert should you modify?
- Roles are being assigned outside of Privileged Identity Management
- Roles don’t require multi-factor authentication for activation
- Administrators aren’t using their privileged roles
- Potential stale accounts in a privileged role
-
Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD). Azure AD Connect is installed on a domain member server named Server1.
You need to ensure that a domain administrator for the adatum.com domain can modify the synchronization options. The solution must use the principle of least privilege.
Which Azure AD role should you assign to the domain administrator?
- Security administrator
- Global administrator
- User administrator
-
You have an Azure subscription that contains the users shown in the following table.
Which users can enable Azure AD Privileged Identity Management (PIM)?
- User2 and User3 only
- User1 and User2 only
- User2 only
- User1 only
-
You have an Azure subscription.
You plan to create a custom role-based access control (RBAC) role that will provide permission to read the Azure Storage account.
Which property of the RBAC role definition should you configure?
- NotActions []
- DataActions []
- AssignableScopes []
- Actions []
Explanation:
To ‘Read a storage account’, i.e., list the blobs in the storage account, you need an ‘Action’ permission.
To read the data in a storage account, i.e., open a blob, you need a ‘DataAction’ permission.
-
You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant.
You plan to implement Azure Active Directory (Azure AD) Identity Protection.
You need to ensure that you can configure a user risk policy and a sign-in risk policy.
What should you do first?
- Purchase Azure Active Directory Premium Plan 2 licenses for all users.
- Register all users for Azure Multi-Factor Authentication (MFA).
- Enable security defaults for Azure AD.
- Upgrade Azure Security Center to the standard tier.
-
HOTSPOT
You have the hierarchy of Azure resources shown in the following exhibit.
RG1, RG2, and RG3 are resource groups.
RG2 contains a virtual machine named VM2.
You assign role-based access control (RBAC) roles to the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
You plan to implement an Azure function named Function1 that will create new storage accounts for containerized application instances.
You need to grant Function1 the minimum required privileges to create the storage accounts. The solution must minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant.
From the Azure portal, you register an enterprise application.
Which additional resource will be created in Azure AD?
- a service principal
- an X.509 certificate
- a managed identity
- a user account
-
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant that contains the resources shown in the following table.
User2 is the owner of Group2.
The user and group settings for App1 are configured as shown in the following exhibit.
You enable self-service application access for App1 as shown in the following exhibit.
User3 is configured to approve access to App1.
You need to identify the owners of Group2 and the users of App1.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
You have a management group named Group1 that contains an Azure subscription named sub1. Sub1 has a subscription ID of 11111111-1234-1234-1234-1111111111.
You need to create a custom Azure role-based access control (RBAC) role that will delegate permissions to manage the tags on all the objects in Group1.
What should you include in the role definition of Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Note: Assigning a custom RBAC role at the management group level is currently in preview only. So, for now, the answer for the assignable scope is the subscription level.