Q: HOTSPOT You need to ensure that the Azure AD application registration and consent configurations meet the identity and access requirements. What should you use in the Azure portal? To answer, select the appropriate options in the answer area. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_11_img_1.jpg

TO CONFIGURE THE REGISTRATION SETTINGS: AZURE AD – USER SETTINGS TO CONFIGURE THE CONSENT SETTINGS: ENTERPRISE APPLICATIONS – USER SETTINGS Explanation: The settings for managing application registrations and user consent are located in distinct areas within the Azure Active Directory portal, reflecting their different purposes. Registration Settings: The ability for non-administrator users to register custom-developed applications is a tenant-wide policy. This setting, "Users can register applications," is configured under the general Azure AD > User settings blade. This controls the creation of application objects in the directory. Consent Settings: The framework governing how and if users can permit applications (both custom and third-party) to access company data on their behalf is managed under Enterprise Applications . These settings, such as "Users can consent to apps accessing company data on their behalf," are configured on the Enterprise Applications > User settings blade (specifically within the "Consent and permissions" section). This relates to the service principal object and its permissions within the tenant.

Question 1

HOTSPOT You have an Azure key vault named KeyVault1 that contains the items shown in the following table. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_353_img_1.jpg In KeyVault1 the following events occur in sequence: • item is deleted. • ltem2 and Policy1 are deleted. For each of the following statements, select Yes if the statement is true. Otherwise, select No. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_353_img_2.jpg

Accepted Answer

NO

YES

Explanation: The behavior described in the scenario is governed by the Azure Key Vault soft-delete feature, which is enabled by default. You can recover Policy1: No. Access policies are part of the Key Vault's configuration settings, not objects stored within it like keys or secrets. The soft-delete and recovery features do not apply to access policies. Once an access policy is deleted, it is permanently gone and cannot be recovered. You can add a new key named Item1: No. When a key ( Item1 ) is deleted, it enters a soft-deleted state. While in this state, its name is reserved. You cannot create a new key with the same name until the soft-deleted item is either recovered or purged after its retention period expires. You can recover Item2: Yes. Secrets ( Item2 ), like keys, are protected by the soft-delete feature. When Item2 is deleted, it is moved to a soft-deleted state for a specific retention period (typically 90 days), during which it can be fully recovered.

Question 2

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure subscription named Sub1.
You have an Azure Storage account named sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in sa1 by using several shared
access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to sa1.
Solution: You regenerate the Azure storage account access keys.
Does this meet the goal?

Accepted Answer

A

Explanation: Every service- and account-level SAS or stored-access-policy signature for a Storage account is produced by hashing the request with either the primary or the secondary account key. When you regenerate an account key, its value changes; any signature that was computed with the old value can no longer be validated by Azure Storage. Consequently, all requests to the Blob and File services that rely on those SAS tokens fail, effectively revoking every previously issued SAS. Because the scenario only mentions SAS-based access, regenerating both keys blocks all unauthorized access to sa1 and fulfils the goal.

Question 3

Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Active Directory forest with a single domain, named weylandindustries.com.
They also have an Azure Active Directory (Azure AD) tenant with the same name.
You have been tasked with integrating Active Directory and the Azure AD tenant. You intend to
deploy Azure AD Connect.
Your strategy for the integration must make sure that password policies and user logon limitations
affect user accounts that are synced to the Azure AD tenant, and that the amount of necessary
servers are reduced.
Solution: You recommend the use of password hash synchronization and seamless SSO.
Does the solution meet the goal?

Accepted Answer

B

Explanation: The proposed solution using Password Hash Synchronization (PHS) and Seamless SSO does not meet all the stated requirements. While PHS is the most lightweight option in terms of server infrastructure, it does not enforce all on-premises Active Directory policies in real-time for cloud authentications. Specifically, user logon limitations such as logon hours are not enforced by PHS because the authentication occurs against the password hash stored in Azure AD, not directly against the on-premises Active Directory. To enforce real-time policies like logon hours and ensure that password expiration policies are checked directly against the on-premises domain, Pass-through Authentication (PTA) or Active Directory Federation Services (AD FS) would be required. Therefore, the solution fails to meet the goal.

Question 4

You need to recommend which virtual machines to use to host App1. The solution must meet the technical requirements for KeyVault1. Which virtual machines should you use?

Accepted Answer

D

Explanation: Azure Key Vault–backed features (for example, Azure Disk Encryption, certificate/secret retrieval through a managed identity, or a disk-encryption set) can be used by any Azure virtual machine whose operating system is on Microsoft’s supported-OS list: • Windows Server 2008 R2 SP1 or later • Modern Linux distributions on kernel 3.4 + The scenario gives four VMs (VM1-VM4) and imposes a requirement that the VM(s) hosting App1 must be able to integrate with KeyVault1. Because every listed VM meets the supported-OS requirement and any Azure VM can be enabled for a system-assigned managed identity and granted access policies in Key Vault, all four VMs are suitable. Selecting the complete set (VM1, VM2, VM3, VM4) satisfies the Key Vault technical constraint while not excluding capacity, availability-zone, or scale considerations.

Question 5

DRAG DROP You create an Azure subscription with Azure AD Premium P2. You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure roles. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_98_img_1.jpg

Accepted Answer

Explanation: To enable Azure AD Privileged Identity Management (PIM), an administrator must first onboard the service for the tenant. This initial setup process follows a specific sequence. Sign up PIM for Azure AD roles : The first step is to navigate to the PIM service in the Azure portal and explicitly sign up or enable it for your Azure AD tenant. This action provisions the PIM service. Consent to PIM : After signing up, a consent prompt appears. A user with Global Administrator privileges must grant permissions for the PIM service to manage roles within the Azure AD tenant. Verify your identity by using multi-factor authentication (MFA) : Consenting to PIM is a highly privileged action. To ensure security, Azure requires the administrator granting consent to verify their identity using MFA. This check is an integral part of the consent process. The other actions, "Discover privileged roles" and "Discover resources," are management tasks performed after PIM has been successfully set up and onboarded.

Question 6

DRAG DROP You need to perform the planned changes for OU2 and User1. Which tools should you use? To answer, drag the appropriate tools to the correct resources. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_28_img_1.jpg

Accepted Answer

Explanation: Both the creation of a new Organizational Unit (OU) and a new user account within an on-premises Active Directory Domain Services (AD DS) domain are tasks performed using on-premises management tools. OU2: An Organizational Unit is a container object that exists only within an on-premises AD DS. Therefore, it must be created and managed using a tool that directly interfaces with the on-premises domain controllers. Active Directory Users and Computers (ADUC) is the standard, long-standing Microsoft Management Console (MMC) snap-in for this purpose. User1: Since User1 is being created within an OU in the on-premises domain, its source of authority is the on-premises AD DS. Even if this user will be synchronized to Azure AD later, the initial creation and management of core attributes must happen on-premises. Active Directory Users and Computers is the appropriate tool for creating user accounts in AD DS. The Azure portal is used for managing cloud-native Azure AD objects, and Azure AD Connect is a synchronization service, not a direct management tool.

Question 7

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure subscription named Sub1.
You have an Azure Storage account named sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in sa1 by using several shared
access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to sa1.
Solution: You regenerate the Azure storage account access keys.
Does this meet the goal?

Accepted Answer

A

Explanation: The goal is to enable authentication to an Azure HDInsight cluster using on-premises Active Directory credentials. This is achieved by using the HDInsight Enterprise Security Package (ESP), which allows the cluster to be joined to an Active Directory domain. Azure Active Directory Domain Services (Azure AD DS) provides managed domain services (like Kerberos, NTLM, and LDAP) in Azure. In a hybrid identity scenario, Azure AD Connect synchronizes user identities and password hashes from on-premises AD to Azure AD. Azure AD DS then synchronizes these identities from Azure AD. By deploying Azure AD DS and joining the HDInsight ESP cluster to this managed domain, users can authenticate using their synchronized on-premises credentials. Therefore, the proposed solution is correct.

Question 8

DRAG DROP You have an Azure subscription that contains the following resources: A virtual network named VNET1 that contains two subnets named Subnet1 and Subnet2. A virtual machine named VM1 that has only a private IP address and connects to Subnet1. You need to ensure that Remote Desktop connections can be established to VM1 from the internet. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange then in the correct order. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_137_img_1.jpg

Accepted Answer

Explanation: To allow RDP connections from the internet to a virtual machine (VM1) that only has a private IP address, you must introduce a service that has a public IP and can forward traffic to the private VM. Azure Firewall is designed for this purpose using Destination Network Address Translation (DNAT). Create a new subnet: Azure Firewall requires its own dedicated subnet. This subnet must be named AzureFirewallSubnet . Therefore, creating this specific subnet is the first necessary step. Deploy Azure Firewall: Once the dedicated subnet is available, you can deploy the Azure Firewall into it. The firewall will be provisioned with a public IP address, which will serve as the public endpoint for incoming RDP connections. Create a NAT rule collection: After the firewall is deployed, you must configure a DNAT rule to tell the firewall how to handle the incoming RDP traffic. This is done by creating a NAT rule collection. The rule will specify that any traffic destined for the firewall's public IP on the RDP port (TCP/3389) should be translated and forwarded to VM1's private IP address on the same port. This sequence correctly establishes a secure path from the internet to the private virtual machine.

Question 9

HOTSPOT You need to ensure that the Azure AD application registration and consent configurations meet the identity and access requirements. What should you use in the Azure portal? To answer, select the appropriate options in the answer area. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_11_img_1.jpg

Accepted Answer

TO CONFIGURE THE REGISTRATION SETTINGS: AZURE AD – USER SETTINGS

TO CONFIGURE THE CONSENT SETTINGS: ENTERPRISE APPLICATIONS – USER SETTINGS

Explanation: The settings for managing application registrations and user consent are located in distinct areas within the Azure Active Directory portal, reflecting their different purposes. Registration Settings: The ability for non-administrator users to register custom-developed applications is a tenant-wide policy. This setting, "Users can register applications," is configured under the general Azure AD > User settings blade. This controls the creation of application objects in the directory. Consent Settings: The framework governing how and if users can permit applications (both custom and third-party) to access company data on their behalf is managed under Enterprise Applications . These settings, such as "Users can consent to apps accessing company data on their behalf," are configured on the Enterprise Applications > User settings blade (specifically within the "Consent and permissions" section). This relates to the service principal object and its permissions within the tenant.

Question 10

You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the automatically generated service principal for the AKS cluster to authenticate to
the Azure Container Registry.
What should you create?

Accepted Answer

D

Explanation: To authorize an Azure identity, such as the service principal used by an Azure Kubernetes Service (AKS) cluster, to access an Azure resource like an Azure Container Registry (ACR), you must use Azure Role-Based Access Control (RBAC). The correct procedure is to create a role assignment. This assignment links the identity (the AKS service principal), a role definition that specifies permissions (e.g., AcrPull), and the scope (the specific ACR instance). This grants the AKS identity the required permissions to pull container images from the registry without managing explicit credentials like passwords or keys.

Question 11

You have an Azure subscription that contains an Azure SQL server named sqlsrv1 and an Azure SQL
database named DB1. Sqlsrv1 is configured for Microsoft Entra authentication only.
You have the Microsoft Entra identities shown in the following table.
AZ-500 practice exam questions

Which users can create scoped credentials for DB1?

Accepted Answer

C

Explanation: The T-SQL statement CREATE DATABASE SCOPED CREDENTIAL requires the CONTROL DATABASE permission. We must evaluate if each user possesses this permission. 1. User1 (Microsoft Entra admin): The Microsoft Entra admin for an Azure SQL server connects to any user database with the permissions of the dbo user. The dbo user is a member of the dbowner fixed-database role, which inherently includes the CONTROL DATABASE permission. 2. User2 (Member of dbowner): The dbowner fixed-database role grants its members full control over the database, which includes the CONTROL DATABASE permission. 3. User3 (Has CONTROL DATABASE permission): This user has been explicitly granted the required permission. Since all three users have the necessary CONTROL DATABASE permission, they can all create database-scoped credentials.

Question 12

You need to ensure that users can access VM0. The solution must meet the platform protection requirements. What should you do?

Accepted Answer

D

Explanation: The platform protection requirements mandate that traffic to internal resources like VM0 must be inspected by the Azure Firewall. To enable external users to access a service on VM0 through the firewall, a Destination Network Address Translation (DNAT) rule is the correct mechanism. A DNAT rule on the Azure Firewall translates inbound traffic destined for the firewall's public IP address and a specific port to the private IP address and port of VM0. This allows the firewall to receive, inspect, and forward the traffic securely to the intended virtual machine, thereby meeting the security requirements.

Question 13

You have an Azure subscription. You configure the subscription to use a different Azure Active Directory (Azure AD) tenant. What are two possible effects of the change? Each correct answer presents a complete solution.

Accepted Answer

A, B

Explanation: When an Azure subscription is transferred to a different Azure Active Directory (Azure AD) tenant, all identity and access management configurations tied to the original tenant are affected. Azure role-based access control (RBAC) assignments are linked to principals (users, groups, service principals) in the source tenant; these assignments are permanently deleted and not moved to the new tenant. Similarly, managed identities for Azure resources are service principals in the source tenant. When the subscription moves, these identities are broken and must be re-enabled or recreated in the new tenant. The underlying Azure resources themselves are not deleted during this process.

Question 14

SIMULATION Lab Task use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password. place your cursor in the Enter password box and click on the password below. Azure Username: Userl -28681041@ExamUsers.com Azure Password: GpOAe4@lDg If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 28681041 Task 5 You need to ensure that only devices connected to a 131-107.0.0/16 subnet can access data in the rg1lod28681041 Azure Storage account.

Accepted Answer

THE FOLLOWING STEPS SHOULD BE PERFORMED IN THE AZURE PORTAL:

NAVIGATE TO THE RG1LOD28681041 STORAGE ACCOUNT.
IN THE LEFT-HAND MENU, UNDER SECURITY + NETWORKING, SELECT NETWORKING.
ON THE FIREWALLS AND VIRTUAL NETWORKS TAB, SELECT THE OPTION ENABLED FROM SELECTED VIRTUAL NETWORKS AND IP ADDRESSES.
UNDER THE FIREWALL SECTION, IN THE ADDRESS RANGE TEXT BOX, ENTER THE SUBNET 131.107.0.0/16.
CLICK SAVE.

Explanation: To restrict access to an Azure Storage account to a specific IP address range, you must configure the storage account's built-in firewall . By changing the default setting from "Enabled from all networks" to "Enabled from selected virtual networks and IP addresses," you establish a default-deny rule for all incoming traffic. Subsequently, adding the 131.107.0.0/16 subnet as an explicit exception in the firewall's address range list creates an "allow" rule. This ensures that only connection requests originating from devices within that specific subnet can access the data in the storage account, effectively securing the resource at the network level.

Question 15

HOTSPOT You have an Azure subscription that contains a storage account named contoso2023. You need to perform the following tasks:

• Verify that identity-based authentication over SMB is enabled.

• Only grant users access to contoso2023 in the year 2023.

Which two settings should you use? To answer, select the appropriate settings in the answer area. AZ-500 practice exam questions

Accepted Answer

ACCESS CONTROL (IAM) AND SHARED ACCESS SIGNATURE

Explanation: To fulfill the first requirement of verifying identity-based authentication, you would use Access Control (IAM) . This is the mechanism within Azure that allows you to manage who has access to Azure resources, and what they can do with those resources, which is the foundation of identity-based access. For the second requirement of granting access for a limited time frame (in this case, the year 2023), the most precise tool is the Shared access signature (SAS) . An SAS is a string containing a security token that enables delegated access to storage resources with a specific set of permissions for a specified time interval.

Free Microsoft Azure AZ-500 Actual Exam Questions