Exam AZ-500 Microsoft Azure Security Technologies

Candidates for this exam are Microsoft Azure security engineers who implement security controls, maintain the security posture, manage identity and access, and protect data, applications, and networks. Candidates identify and remediate vulnerabilities by using a variety of security tools, implement threat protection, and respond to security incident escalations. As a Microsoft Azure security engineer, candidates often serve as part of a larger team dedicated to cloud-based management and security and may also secure hybrid environments as part of an end-to-end infrastructure.

Candidates for this exam should have strong skills in scripting and automation, a deep understanding of networking, virtualization, and cloud N-tier architecture, and a strong familiarity with cloud capabilities, Microsoft Azure products and services, and other Microsoft products and services.

Fulfills requirements for: Microsoft Certified: Azure Security Engineer Associate

Languages: English, Japanese, Chinese (Simplified), Korean

This exam measures your ability to accomplish the following technical tasks: manage identity and access; implement platform protection; manage security operations; and secure data and applications.


Manage identity and access (20-25%)

Configure Microsoft Azure Active Directory for workloads

create App registration
configure App registration permission scopes
manage App registration permission consent
configure multi-factor authentication settings
manage Microsoft Azure AD directory groups
manage Microsoft Azure AD users
install and configure Microsoft Azure AD Connect
configure authentication methods
implement conditional access policies
configure Microsoft Azure AD identity protection

Configure Microsoft Azure AD Privileged Identity Management

monitor privileged access
configure access reviews
activate Privileged Identity Management

Configure Microsoft Azure tenant security

transfer Microsoft Azure subscriptions between Microsoft Azure AD tenants
manage API access to Microsoft Azure subscriptions and resources

Implement platform protection (35-40%)

Implement network security

configure virtual network connectivity
configure Network Security Groups (NSGs)
create and configure Microsoft Azure firewall
create and configure application security groups
configure remote access management
configure baseline
configure resource firewall

Implement host security

configure endpoint security within the VM
configure VM security
harden VMs in Microsoft Azure
configure system updates for VMs in Microsoft Azure
configure baseline

Configure container security

configure network
configure authentication
configure container isolation
configure AKS security
configure container registry
configure container instance security
implement vulnerability management

Implement Microsoft Azure Resource management security

create Microsoft Azure resource locks
manage resource group security
configure Microsoft Azure policies
configure custom RBAC roles
configure subscription and resource permissions

Manage security operations (15-20%)

Configure security services

configure Microsoft Azure Monitor
configure Microsoft Azure Log Analytics
configure diagnostic logging and log retention
configure vulnerability scanning

Configure security policies

configure centralized policy management by using Microsoft Azure Security Center
configure Just in Time VM access by using Microsoft Azure Security Center

Manage security alerts

create and customize alerts
review and respond to alerts and recommendations
configure a playbook for a security event by using Microsoft Azure Security Center
investigate escalated security incidents

Secure data and applications (30-35%)

Configure security policies to manage data

configure data classification
configure data retention
configure data sovereignty

Configure security for data infrastructure

enable database authentication
enable database auditing
configure Microsoft Azure SQL Database threat detection
configure access control for storage accounts
configure key management for storage accounts
create and manage Shared Access Signatures (SAS)
configure security for HDInsight
configure security for Cosmos DB
configure security for Microsoft Azure Data Lake

Configure encryption for data at rest

implement Microsoft Azure SQL Database Always Encrypted
implement database encryption
implement Storage Service Encryption
implement disk encryption
implement backup encryption

Implement security for application delivery

implement security validations for application development
configure synthetic security transactions

Configure application security

configure SSL/TLS certs
configure Microsoft Azure services to protect web apps
create an application security baseline

Configure and manage Key Vault

manage access to Key Vault
manage permissions to secrets, certificates, and keys
manage certificates
manage secrets
configure key rotation

QUESTION 2
You need to ensure that User2 can implement PIM.
What should you do first?

A. Assign User2 the Global administrator role.
B. Configure authentication methods for contoso.com.
C. Configure the identity secure score for contoso.com.
D. Enable multi-factor authentication (MFA) for User2.

Answer: A

Explanation/Reference:
To start using PIM in your directory, you must first enable PIM.
1. Sign in to the Azure portal as a Global Administrator of your directory.
You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a
Microsoft account (for example, @outlook.com), to enable PIM for a directory.
Scenario: Technical requirements include: Enable Azure AD Privileged Identity Management (PIM) for
contoso.com
References:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-gettingstarted


QUESTION 3
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access
signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You generate new SASs.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation/Reference:
Generating new SASs does not invalidate the SASs that were already issued; anyone holding one of the old tokens keeps access until that token expires. A SAS is only a signed set of parameters: it stays valid as long as the storage account key that signed it is still current and, for a token that references a stored access policy, as long as that policy still exists under the same signed identifier. To revoke all access you must invalidate what the existing tokens depend on. Regenerating the storage account access keys invalidates every SAS signed with those keys, ad hoc or policy-based, and deleting or renaming the stored access policies breaks every SAS that references them.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier.
Changing the signed identifier breaks the associations between any existing signatures and the stored access
policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures
associated with it.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy


QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access
signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a new stored access policy.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation/Reference:
Creating a new stored access policy does not revoke anything. A stored access policy governs only the SASs
that reference its signed identifier, and the SASs already issued still reference the old policies (or no
policy at all), so they keep working.
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier.
Changing the signed identifier breaks the associations between any existing signatures and the stored access
policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures
associated with it. Ad hoc SASs that are not tied to a policy are unaffected by any policy change and can be
invalidated only by regenerating the storage account access keys, which is the action that revokes every SAS
signed with those keys.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy
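The two storage questions above turn on what a SAS actually depends on. The following Python model, added here and not part of the exam page or of Microsoft's SDK, signs blob service SAS tokens with the documented string-to-sign layout for signedVersion 2018-11-09 and then checks them the way the service would, so you can see which of the candidate solutions (generate new SASs, create a new stored access policy, rename or delete the policy, regenerate the account keys) actually cuts off a token that was already issued. The account name `sa1`, container `logs`, blob `audit.log`, the policy identifiers and the key material are constructed for the demo; nothing connects to Azure, and the `validate` method stands in for the storage service.

```python
# Added example (not from the exam page or Microsoft): a local model of how an
# Azure blob service SAS is signed and checked, used to show which actions
# really revoke access.  String-to-sign layout follows the documented service
# SAS format for signedVersion 2018-11-09.  Account, keys, container, blob and
# policy names are constructed for the demo; nothing here talks to Azure.
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _b64_key():
    # Account keys are 64 random bytes, base64-encoded (generated locally here).
    return base64.b64encode(secrets.token_bytes(64)).decode("ascii")


def _sign(key_b64, string_to_sign):
    # sig = base64(HMAC-SHA256(base64decode(accountKey), UTF8(stringToSign)))
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def _string_to_sign(account, container, blob, sp, se, si):
    # Blob service SAS (sr=b).  Fields the token does not carry are signed as "".
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [sp, "", se, canonical, si,      # permissions, start, expiry, resource, policy id
              "", "https", SAS_VERSION, "b",  # signedIP, protocol, version, resource type
              "", "", "", "", "", ""]         # snapshot time, rscc, rscd, rsce, rscl, rsct
    return "\n".join(fields)


class StorageAccount:
    """Constructed stand-in for the account: its current keys plus stored access policies."""

    def __init__(self, name):
        self.name = name
        self.keys = {"key1": _b64_key(), "key2": _b64_key()}
        self.policies = {}  # (container, signed identifier) -> {"sp": ..., "se": ...}

    def regenerate_key(self, key_name):
        self.keys[key_name] = _b64_key()

    def set_policy(self, container, identifier, sp, expiry):
        self.policies[(container, identifier)] = {"sp": sp, "se": expiry.strftime(TIME_FMT)}

    def delete_policy(self, container, identifier):
        self.policies.pop((container, identifier), None)

    def rename_policy(self, container, old, new):
        # Changing the signed identifier breaks every SAS that references the old one.
        self.policies[(container, new)] = self.policies.pop((container, old))

    def make_sas(self, container, blob, key_name="key1", sp="", expiry=None, policy_id=""):
        se = expiry.strftime(TIME_FMT) if expiry else ""
        params = {"sv": SAS_VERSION, "sr": "b", "spr": "https"}
        if sp:
            params["sp"] = sp
        if se:
            params["se"] = se
        if policy_id:
            params["si"] = policy_id
        params["sig"] = _sign(self.keys[key_name],
                              _string_to_sign(self.name, container, blob, sp, se, policy_id))
        return urlencode(params)

    def validate(self, container, blob, sas, now):
        """Return (allowed, reason) the way the service would decide a request."""
        q = {k: v[0] for k, v in parse_qs(sas).items()}
        sp, se, si = q.get("sp", ""), q.get("se", ""), q.get("si", "")
        eff_sp, eff_se = sp, se
        if si:  # policy-bound token: the policy must still exist under that identifier
            policy = self.policies.get((container, si))
            if policy is None:
                return False, "stored access policy not found"
            eff_sp, eff_se = sp or policy["sp"], se or policy["se"]
        expected = _string_to_sign(self.name, container, blob, sp, se, si)
        if not any(hmac.compare_digest(_sign(k, expected), q.get("sig", "")) for k in self.keys.values()):
            return False, "signature does not match any current account key"
        if not eff_sp:
            return False, "no permissions granted"
        if not eff_se or datetime.strptime(eff_se, TIME_FMT).replace(tzinfo=timezone.utc) <= now:
            return False, "expired or no expiry"
        return True, "ok"


def revocation_scenarios():
    """Apply the exam's candidate solutions in turn; record whether the old tokens still work."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = StorageAccount("sa1")
    acct.set_policy("logs", "reader-policy", "r", now + timedelta(days=30))
    adhoc = acct.make_sas("logs", "audit.log", sp="r", expiry=now + timedelta(days=7))
    bound = acct.make_sas("logs", "audit.log", policy_id="reader-policy")

    def still_valid():
        return (acct.validate("logs", "audit.log", adhoc, now)[0],
                acct.validate("logs", "audit.log", bound, now)[0])

    results = {}
    acct.make_sas("logs", "audit.log", sp="r", expiry=now + timedelta(days=7))  # generate new SASs
    results["generate_new_sas"] = still_valid()
    acct.set_policy("logs", "new-policy", "r", now + timedelta(days=1))         # create a new policy
    results["create_new_policy"] = still_valid()
    acct.rename_policy("logs", "reader-policy", "reader-policy-v2")             # revoke the policy
    results["rename_policy"] = still_valid()
    acct.regenerate_key("key1")
    acct.regenerate_key("key2")                                                 # rotate both keys
    results["regenerate_keys"] = still_valid()
    return results


if __name__ == "__main__":
    for step, (adhoc_ok, bound_ok) in revocation_scenarios().items():
        print(f"{step:20s} ad hoc SAS valid={adhoc_ok}  policy-bound SAS valid={bound_ok}")
```

Run directly, the script prints the four outcomes: issuing new SASs and creating a new policy leave both old tokens working, renaming (or deleting) the policy kills only the policy-bound token, and only regenerating the account keys invalidates everything. That is why "revoke all access" on a compromised account means rotating both keys (a SAS signed with key2 survives a key1 rotation, which the `any(...)` loop models) and deleting or renaming the policies, not issuing fresh tokens. One simplification: the real service rejects a request whose token sets a field that its stored access policy also sets; this model just lets the token's value win.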


QUESTION 5
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy the On-premises data gateway to the on-premises network.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation/Reference:
Instead, you connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN
gateway.
Note: To allow HDInsight and resources in the joined network to communicate by name, you must perform the
following actions:
Create Azure Virtual Network.
Create a custom DNS server in the Azure Virtual Network.
Configure the virtual network to use the custom DNS server instead of the default Azure Recursive
Resolver.
Configure forwarding between the custom DNS server and your on-premises DNS server.
References:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
