Capstone and Practice Exam (AZ-500) Practice Exam Answers
In this article I am going to share the Coursera course Capstone and Practice Exam (AZ-500) | Week 3 Quiz | Capstone and Practice Exam (AZ-500) Practice Exam Answers with you.
Enrol Link: Capstone and Practice Exam (AZ-500)
Note: It is recommended to use the Microsoft Edge Browser before taking the exam. Google Chrome may experience issues during the examination.
Instructions
Overview
The Practice Exam is designed to reflect on your proficiency in the topics covered.
- No. of questions: 40
- Time estimate: 120 minutes
- No. of attempts: Unlimited
Note: This practice exam carries 40 points and counts for 80% weightage in the overall grade for the course.
Question 1)
You’ve recently been introduced to Azure Active Directory (Azure AD) and are curious about its features. As you explore its capabilities, you come across some statements related to Azure AD features.
Which of the following statements are accurate regarding the features of Azure Active Directory (Azure AD)? Select all that apply.
- Azure AD focuses on managing user access to Microsoft 365 applications.
- Azure AD is primarily designed for managing access to on-premises applications.
- Azure AD helps you generate access and usage reports
- Azure AD supports seamless single sign-on (SSO) for cloud applications, eliminating the need for multiple passwords.
- Conditional Access policies in Azure AD can only be used to allow access, not to enforce additional authentication.
Question 2)
When creating and managing users in Azure Active Directory (Azure AD), which of the following actions are essential to ensure proper user account management? Select all that apply.
- Specifying the user’s display name and contact information
- Associating users with relevant security groups
- Setting up user access permissions for Azure resources
- Granting global administrator privileges to all user accounts
The following question contains 4 dropdown responses.
Question 3)
You are a cloud administrator responsible for managing user access and collaboration within your organization’s Azure environment. Match each Azure AD B2B collaboration purpose to its corresponding description based on the provided scenario.
Answer:
Purpose | Description |
To share resources and collaborate with users from other organizations | Your organization is partnering with a third-party vendor for a joint project. You need to grant their team access to specific Azure resources without requiring them to create new accounts. |
To allow external users to manage Azure subscriptions. | You want to grant external consultants temporary access to your Azure environment to set up and manage specific virtual machines for a limited time. |
To synchronize on-premises Active Directory with Azure AD | Your organization has a subsidiary with its own on-premises Active Directory. You need to ensure that user accounts and groups are synchronized between the on-premises AD and Azure AD. |
To provide access to Azure services exclusively for internal employees | You want to restrict access to certain Azure services, such as databases containing sensitive information, to only employees within your organization. |
Question 4)
You are a security administrator responsible for enhancing the access controls in your organization’s Azure Active Directory (Azure AD) environment. You must identify the valid methods for implementing secure access controls in Azure AD.
Based on the scenario, which of the following options are valid methods for implementing secure access controls in Azure Active Directory (Azure AD)?
- Disabling multifactor authentication to simplify the sign-in process
- Storing sensitive data in clear text within Azure AD for efficient retrieval
- Granting external partners unrestricted access to Azure AD resources
- Assigning specific permissions to users and groups using role-based access control (RBAC)
- Allowing users to authenticate once and access multiple cloud applications using single sign-on (SSO)
Question 5)
You are a cloud administrator responsible for implementing hybrid identities in your Azure environment. You need to determine the authentication option that offers users a seamless single sign-on experience, enabling them to access both on-premises and cloud resources using the same credentials.
Based on the scenario, which authentication option should you choose to provide users with a seamless single sign-on experience, allowing them to access on-premises and cloud resources with the same credentials?
- Federation with Active Directory Federation Services (AD FS)
- Direct authentication to on-premises Active Directory (AD)
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
Question 6)
You are the security administrator for a multinational organization that relies heavily on cloud services, including Microsoft Azure. To safeguard your organization’s identities, you’ve decided to leverage the capabilities of Azure Active Directory Identity Protection. As part of your strategy, you need to identify the key features of this service.
Based on the scenario, which of the following features are provided by Azure Active Directory Identity Protection? Select all that apply.
- Integration with third-party social media platforms
- Automatic enforcement of strict password policies for all users
- Complete prevention of all phishing attempts
- Customizable notifications for risk events and suspicious activities
- Real-time risk assessment and alerts for compromised accounts
Question 7)
You are the IT Security Manager for a large financial institution that operates critical services on Microsoft Azure. Your organization has strict security and compliance requirements due to the sensitive nature of financial data. As part of your role, you are responsible for ensuring privileged access is managed effectively using Azure Privileged Identity Management (PIM).
Please review the following statements based on the scenario and indicate whether they are accurate or not.
- Once a privileged role is activated, it remains active indefinitely in Azure PIM.
- Privileged Identity Management (PIM) allows administrators to have permanent elevated access to Azure resources.
- With Azure PIM, administrators can activate privileged roles without any approval process.
- Azure PIM enables organizations to review and audit all privileged role activations.
- Azure PIM can be used to assign read-only access to resources for auditors.
- Azure PIM is solely focused on managing user identities and authentication.
Question 8)
Does the Password Administrator role within Azure Active Directory encompass the necessary privileges for effectively configuring and managing the access controls, approval workflows, and time-bound access associated with Azure AD Privileged Identity Management (PIM)?
- Yes
- No
Question 9)
You are the chief information officer (CIO) of a multinational company that operates across various industries. As part of your responsibilities, you are tasked with designing an enterprise governance strategy to ensure consistent principles and policies are followed throughout the organization’s IT infrastructure and operations.
Please review the following statements based on the scenario and indicate which options accurately reflect key considerations when designing an effective enterprise governance strategy.
- Continuous Monitoring: Regular monitoring and auditing of compliance with governance policies are unnecessary and can be omitted.
- Governance scope: Your organization’s governance strategy should encompass only the IT department’s operations to avoid unnecessary complexity.
- Centralized decision-making: All decision-making authority should be centralized at the CIO level to streamline governance.
- Risk management: A well-designed governance strategy should include mechanisms to identify, assess, and mitigate risks associated with IT operations.
- Clear policies: Clearly defined and communicated policies are not essential for an enterprise governance strategy.
- Adaptability: An ideal governance strategy should be rigid and resistant to change to maintain stability.
- Training and Awareness: Training programs and awareness campaigns for employees on governance policies are not important and can be skipped.
Question 10)
You are an Azure administrator responsible for managing access to resources within your organization’s Azure environment. You must implement role-based access control (RBAC) to ensure proper resource access. Which of the following statements accurately describe the key aspects of RBAC in Azure? Select all that apply.
- Role assignments in RBAC consist of a principal, a role definition, and a scope.
- RBAC allows you to assign multiple roles to a user for fine-grained access control.
- Custom RBAC roles can be created by modifying built-in Azure roles.
- RBAC can only be applied to virtual machines and storage accounts in Azure.
- RBAC enables you to grant permissions directly to individual users only.
Question 11)
You are the lead cloud administrator for a rapidly expanding organization that heavily relies on Microsoft Azure for its infrastructure. As part of your responsibilities, you must ensure effective management and security of Azure resources using resource locks and Azure Blueprints.
Based on the scenario, which statements accurately describe the use of resource locks and Azure Blueprints for managing and securing Azure resources? Select all that apply.
- Resource locks and Azure Blueprints both focus on managing user access and permissions.
- Azure Blueprints provide a mechanism to apply custom labels to Azure resources.
- Resource locks can be used to prevent all changes to a resource, including its deletion.
- Azure Blueprints allow you to define a repeatable set of resources and policies for an environment.
- Resource locks can be applied to resource groups and individual resources.
Question 12)
As an Azure infrastructure manager, you must maintain a secure and well-organized environment. Which statements accurately describe the concepts of resource locks and Azure Blueprints in managing and securing Azure resources? Select all that apply.
- Azure Blueprints provide a way to tag resources for easy categorization and reporting.
- Resource locks ensure that no changes can be made to a resource, including its properties or configuration.
- Azure Blueprints enable you to enforce compliance by automatically auditing resource configurations.
- Azure Blueprints allow you to deploy virtual machines and networking components with a single click.
- Resource locks are solely designed to prevent unauthorized users from accessing Azure resources.
- Resource locks can be bypassed by any user with Owner permissions on a resource.
Question 13)
You are the chief information security officer (CISO) of a rapidly growing e-commerce company. Your online platform has become a target for cyberattacks, particularly distributed denial of service (DDoS) attacks. Your team must implement effective DDoS protection measures to ensure the website’s availability and stability. Choose the most appropriate actions to enable DDoS protection. Which actions are essential to enable DDoS protection for your e-commerce website? Select all that apply.
- Use anomaly detection.
- Deploy an Azure Web Application Firewall (WAF).
- Use Load Balancing.
- Implement rate limiting.
- Open all network ports.
Question 14)
You are a network administrator configuring security groups for a cloud-based infrastructure. You need to ensure proper network security settings to protect your resources. Which of the following statements accurately describes the purpose and behavior of network security groups (NSGs) in a cloud environment?
- Network security groups are virtual machines that encrypt data in transit.
- Network security groups are hardware appliances that monitor network traffic for anomalies.
- Network security groups are used to manage user access and authentication.
- Network security groups control inbound and outbound traffic to network interfaces and subnets.
Question 15)
Which statements are true regarding configuring and managing Azure Front Door? Select all that apply.
- Azure Front Door can only route traffic to Azure-based backends.
- Azure Front Door provides global load balancing for your applications.
- Secure Socket Layer (SSL) termination can only be performed at the backend server with Azure Front Door.
- Azure Web Application Firewall (WAF) in Azure Front Door can help protect against common web vulnerabilities.
Question 16)
Your company has an Azure Container Registry (ACR). You have been tasked with assigning a user a role allowing uploading images to the ACR. The role assigned should not require more privileges than necessary. Which one of the following roles should you assign?
- Contributor role
- Reader role
- Owner
- AcrPush role
Question 17)
You have been tasked with managing access to an Azure Kubernetes Service (AKS) using Azure role-based access control (RBAC). You must assign appropriate permissions to different team members based on their roles. Which Azure RBAC roles are commonly used to manage access to an Azure Kubernetes Service (AKS)? Select all that apply.
- AKS Operator role
- Contributor role
- Reader role
- Owner role
The following question contains 4 dropdown responses.
Question 18)
Private links are a secure way to connect to services within a virtual network. Select the steps involved in deploying private links.
Answer:
Steps | Description |
Step 1 | Create a private endpoint. |
Step 2 | Configure network rules. |
Step 3 | Create a private link service. |
Step 4 | Update Domain Name System (DNS) configuration. |
Question 19)
John is a software developer working on a new application deployment strategy for his company. He is considering using Azure Kubernetes Service (AKS) to manage containerized applications. He wants to understand how AKS works to make an informed decision. How does Azure Kubernetes Service (AKS) manage and orchestrate containerized applications?
- AKS automatically scales application instances based on CPU and memory usage.
- AKS deploys applications in traditional virtual machines for enhanced isolation and security.
- AKS is a standalone container runtime without orchestration features.
- AKS relies on manual configuration and doesn’t support automated scaling.
Question 20)
You have an Azure virtual machine (Azure VM) that runs Windows Server. You plan to deploy and configure an Azure Key Vault and enable Azure Disk Encryption for the VM. Which of the following is true regarding Azure Disk Encryption for a Windows VM?
- It is supported for VMs configured with software-based Redundant Array of Inexpensive/Independent Disks (RAID) systems.
- It is supported for basic tier VMs.
- It is supported for standard-tier VMs.
- It is supported for VMs configured with Storage Spaces Direct (S2D).
Question 21)
You are a software developer working on a web application that needs to integrate with the Microsoft Identity platform for user authentication and authorization. Your application will allow users to sign in using their Microsoft accounts. You have been tasked with implementing the authentication flow using Microsoft Authentication Library (MSAL) in your application. Which steps involve implementing user authentication using Microsoft Authentication Library (MSAL) for your web application? Select all that apply.
- Using MSAL to request an access token for your application’s API resources
- Generating a client secret and embedding it in your application’s source code.
- Redirecting the user to the Microsoft login page to enter their credentials
- Storing user passwords in your application’s database for seamless sign-in
- Register your application in the Azure Active Directory portal.
- Implementing the OpenID Connect protocol to initiate the authentication flow
The following question contains 3 dropdown responses.
Question 22)
When setting up an Azure AD tenant and configuring registration for your application, which of the following steps is typically part of the process?
Answers:
Steps | Description |
Step 1 | Create an Azure AD tenant. |
Step 2 | Register your application in Azure AD. |
Step 3 | Configure authentication and authorization settings for your application. |
Question 23)
Which Microsoft Graph service provides functionality for managing user identities, authenticating users, and authorizing access to resources?
- Microsoft Graph OneNote
- Microsoft Graph Teams
- Microsoft Graph security
- Microsoft Graph Identity
The following question contains 7 dropdown responses.
Question 24)
System-assigned managed identity empowers your applications and services with a hassle-free and secure way to access various resources seamlessly. Identify the correct sequence of steps to manage service identities with Azure virtual machines (VM).
Answer:
Steps | Description |
Step 1 | Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM. |
Step 2 | Azure Resource Manager creates a service principal in Azure AD. |
Step 3 | Azure Resource Manager configures the identity on the VM. |
Step 4 | Use the service principal information to grant the VM access to Azure resources. |
Step 5 | The running code on the VM can request a token from the Azure Instance Metadata service endpoint. |
Step 6 | A call is made to Azure AD to request an access token. |
Step 7 | Your code sends the access token on a call to a service that supports Azure AD authentication. |
Question 25)
John is in the process of developing a web application and requires a certificate to ensure the communication between the application and its users is secure. His chosen method involves implementing the Transport Layer Security (TLS) protocol. Among the following statements, which one accurately reflects the role of web application certificates?
- Web application certificates are dispensable to ensure secure communication.
- Web application certificates offer authentication and validate the server’s identity.
- Web application certificates serve as a repository for sensitive user information.
- Web application certificates play a role in the encryption and decryption of user data.
Question 26)
Emily is a software developer working on a project that securely stores sensitive information such as API keys, passwords, and connection strings for an Azure-based application. Her team has decided to use Azure Key Vault to manage these secrets. She wants to ensure that she follows the guidelines for using Azure Key Vault effectively and securely. What is the recommended approach for authenticating and authorizing applications to access secrets stored in Azure Key Vault?
- Use managed identities or service principals for authentication and authorization.
- Embed secrets directly within the application code.
- Use a master key stored within the application code for authentication.
- Share the Azure Key Vault URL publicly for easy access.
Question 27)
Why should you create diagnostic settings for Azure resources in Log Analytics workspaces? Select all that apply.
- To specify the pricing tier for data collection
- To enable Azure Monitor Virtual Machine Insights
- To automate data export to external reporting tools
- To configure retention settings for log data
- To establish encryption settings for log data
- To send resource logs to the Log Analytics workspace
Question 28)
Imagine you are an Azure security engineer entrusted with meticulously monitoring and safeguarding your organization’s expansive cloud infrastructure. You must identify the latest activities performed on critical virtual machines within the Azure environment. To fulfill this responsibility, you will leverage the power of Kusto Query Language (KQL). Using KQL, you can create queries that expose the latest activities on these vital virtual machines.
Match each Kusto Query Language (KQL) statement to its corresponding description. Please note that you don’t have to use all the descriptions.
Answer:
KQL statement | Description |
Let | Breaks a lengthy query into smaller, named components for better comprehension |
Tabular expression | Involves data manipulation and transformation using various operators and is the core of KQL’s data transformation capabilities |
Pattern | Involves users in the query name resolution process and exposes the query language |
Query parameters | Safeguards against injection attacks |
Question 29)
You work as a security manager at a healthcare company that manages sensitive patient data in the cloud. Your primary responsibility is to ensure that the company’s cloud infrastructure adheres to strict regulatory standards and maintains high security.
Match each security task with the best solution and its prerequisite.
Answer:
Task | Solution | Prerequisite |
Restrict access to management ports when not in use. | Enable JIT VM access. | Enable Microsoft Defender for Cloud. |
Customize Azure subscription requirements. | Integrate Microsoft Defender for Cloud with Azure Policy. | Understand workload types and data sensitivity. |
Monitor the security posture of your virtual machines. | Enable Microsoft Antimalware for Azure. | Add the appropriate Defender for Cloud extension to the resources. |
Protect AWS/GCP machines. | Deploy Defender for Servers. | Set up a connector and disable unnecessary plans. |
Question 30)
During a routine analysis, you identify an incident where an unsuspecting employee in your organization opened a malicious email attachment. This action triggered a chain of events that led to a compromised system. Which phase of the Cyber Kill Chain model is associated with this type of attack?
- Reconnaissance
- Installation
- Delivery
- Weaponization
Question 31)
You are a cybersecurity analyst responsible for managing security incidents in a large financial institution. You want to streamline your incident response process. How can you automate the actions that must be taken when specific security events occur?
- Using a resource lock automation rule
- Using a scheduled automation rule
- Using a playbook
- Using a custom analytics rule
Question 32)
As the lead security analyst for a multinational technology company, you oversee the management of security incidents in Microsoft Sentinel. While performing routine security monitoring, you encounter an unusual event in the logs. Upon investigation, you realize that the event is related to a minor configuration change made by a network administrator. The change did not result in any security breach or immediate threat, but it was still relevant to your overall security posture. What severity level would you assign to such incidents?
- Low
- Medium
- Informational
- High
Question 33)
A mission-critical application with financially sensitive operations that must be completed for the upcoming IPO release is running on a virtual machine (VM). To prevent any disruption that could impact the IPO timeline, you need to set up proactive alerts to monitor the VM’s functionality. Which metric should you select to be notified when the VM becomes unresponsive or experiences downtime?
- VM Cached IOPS Consumed Percentage
- VM Availability Metric (Preview)
- VM Cached Used Burst IO Credits Percentage
- VM Uncached IOPS Consumed Percentage
Question 34)
Imagine you are the Azure security engineer for a financial institution that stores sensitive customer data in an Azure SQL Database. You are implementing data encryption to ensure the highest level of protection for this sensitive information. You decide to use Column Master Keys (CMKs) and Column Encryption Keys (CEKs) for added security. Which encryption mechanism involves using CMKs and CEKs?
- SQL data masking
- Transparent data encryption (TDE)
- Client-side encryption with Azure-managed keys
- Always Encrypted
The following question contains 3 dropdown responses.
Question 35)
A pharmaceutical company utilizes Azure Storage to securely store its research data. The company wants to collaborate with a partner research organization for three months, from October 1, 2023 to December 31, 2023. During this period, the partner organization should be able to upload and modify research data within a designated Blob container.
Identify the access control mechanism that they should use for this requirement. Also, identify the parameters specified while using the access control mechanism and the scope of access.
Answers:
Access control mechanism | Parameters to specify | Scope of access |
Shared access signatures (SAS) | Permissions, start and expiry times | Container level |
Question 36)
You are an Azure security engineer for a financial institution that stores sensitive customer financial records in Azure Blob Storage. Data security is a top priority, and you evaluate different encryption options for your storage solution.
In securing data at rest in Azure Blob Storage, which encryption approach allows customers to manage their encryption keys while utilizing Azure’s encryption mechanisms?
- Always Encrypted feature
- Storage service encryption with customer-managed keys
- Transparent data encryption (TDE)
- Client-side encryption with Azure-managed keys
The following question contains 4 dropdown responses.
Question 37)
You are the security engineer for a financial institution that stores sensitive customer financial data in Azure Blob Storage. To ensure proper data security, you are configuring access and roles using Azure Active Directory (Azure AD) integration. The following table lists users, their roles in the organization, and their responsibilities.
User | Role | Responsibilities |
Ken | Financial analyst | Retrieving financial reports from specific containers and reviewing them |
Emily | Data engineer | Uploading large datasets into Azure Blob Storage for data processing |
Eva | Compliance officer | Reviewing access logs, ensuring compliance with data protection regulations, and generating compliance reports |
Jay | IT administrator | Managing access controls, setting up and configuring storage accounts and containers |
Match each user with the appropriate role that would allow them to fulfill their responsibilities securely within Azure Blob Storage.
Please note: you can use a role more than once. Also, you don’t need to use all the roles. Follow the principle of minimum privilege.
Answer:
User | Role |
Ken | Storage Blob Data Reader |
Emily | Storage Blob Data Contributor |
Eva | Storage Blob Data Reader |
Jay | Storage Blob Data Owner |
Question 38)
Imagine you are an Azure security engineer for a multinational corporation that stores sensitive customer information in various Azure services. You consider implementing advanced security initiatives within your Azure environment.
Categorize each security initiative as one of the following security features: data discovery and classification, vulnerability assessment, or advanced threat protection.
Please note: you can use a security feature more than once. Also, you don’t need to use all the security features.
Answers:
Review and label columns containing sensitive information to ensure proper data protection within Azure SQL Database. | Data discovery and classification |
Deploy routine security scans using Azure SQL Database’s built-in rules to identify and rectify potential security weaknesses in the database and server configurations. | Vulnerability assessment |
Implement a process to identify and apply appropriate protection to sensitive data columns within the Azure SQL Database environment. | Data discovery and classification |
Establish a real-time monitoring system to identify and respond to anomalous behavior within the database environment, offering timely security notifications and guidance for investigation and resolution. | Advanced threat protection |
Question 39)
Your organization deals with sensitive customer information and financial data. The organization uses Microsoft Defender for Cloud. You are aware that Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues. You want to view an aggregated score of all findings so that you can take initiatives to lower the identified risk level. Which is the most relevant section in the Microsoft Defender for Cloud Overview dashboard that can provide you with the required information?
- Regulatory compliance
- Security posture
- Inventory
- Workload protections
Question 40)
Imagine you are an Azure security engineer in a healthcare organization. The organization manages patient data, including contact information and medical history. The clinical staff members require access to patient medical records to provide appropriate medical care and treatment. However, they do not need access to patient contact numbers. For instance, a doctor needs to access a patient’s medical history, medications, and test results but does not require the patient’s contact number to make medical decisions.
Problem: An incident recently occurred where staff members could view the complete contact numbers of several patients. This breach of privacy has led to concerns about patient trust and compliance with data protection regulations.
Solution: You propose implementing the Always Encrypted feature to ensure that complete contact numbers are not visible to staff members when they view the patient details.
Does the proposed solution effectively address the issue?
- No, you should use transparent data encryption (TDE) to perform real-time encryption and decryption so that the phone number is displayed to the relevant staff members.
- No, you should use dynamic data masking with a partial masking rule for contact numbers to solve the problem.
- Yes, you can use the Always Encrypted feature to ensure that some digits of the patient’s phone number are not visible when staff members view the patient’s details.
- Yes, you can use the Always Encrypted feature to ensure that the phone number field is not displayed on the screen when staff members view the patient details.