Exam: AZ-500: Azure Security Engineer Associate

Total Questions: 302

Your company recently created an Azure subscription.

You have been tasked with making sure that a specified user is able to implement Azure AD Privileged Identity Management (PIM).

Which of the following is the role you should assign to the user?

A. The Global administrator role.
B. The Security administrator role.
C. The Password administrator role.
D. The Compliance administrator role.
Answer: A
✅ Explanation:
-To enable and configure Azure AD Privileged Identity Management (PIM), a user needs highly privileged directory rights, because PIM governs who can activate sensitive roles in Azure AD and in Azure.
✅ Why Global Administrator is required:
-The first user to set up PIM in a tenant must hold the Global Administrator role; the initial step (enabling the service, then assigning roles and configuring role settings) cannot be performed by a lesser role.
-Once PIM is enabled, users holding the Privileged Role Administrator role can manage it alongside Global Administrators, but the initial set-up is a Global Administrator task.
❌ Why the other roles are incorrect:
B. Security administrator: Can manage security-related settings and read security reports, but cannot enable or configure PIM.
C. Password administrator: Limited to resetting passwords for non-administrator users; no role-management rights at all.
D. Compliance administrator: Manages compliance features and reports, not roles or identities.

You need to consider the underlined segment to establish whether it is accurate.

You have been tasked with creating a different subscription for each of your company's divisions. However, the subscriptions will be linked to a single Azure Active Directory (Azure AD) tenant.

You want to make sure that each subscription has identical role assignments.

You make use of Azure AD Privileged Identity Management (PIM).

Select `No adjustment required` if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.

A. No adjustment required
B. Azure Blueprints
C. Conditional access policies
D. Azure DevOps
Answer: B
✅ Explanation:
-The underlined segment says: "You make use of Azure AD Privileged Identity Management (PIM)."
-This statement is inaccurate for the goal of giving every subscription identical role assignments.
✅ Correct option: B. Azure Blueprints
-Azure Blueprints lets you define a repeatable package of artifacts (role assignments, policy assignments, resource groups and ARM templates) and assign it to each subscription, so every subscription receives the same governance structure, including identical role assignments.
-Caveat for real deployments: Microsoft has announced that Azure Blueprints will be deprecated (July 2026) in favour of Template Specs and Deployment Stacks; the exam still expects Blueprints as the answer here.
❌ Why the others are incorrect:
A. No adjustment required: Incorrect, because PIM provides just-in-time, approval-based activation of privileged roles; it does not replicate role assignments across subscriptions.
C. Conditional access policies: Control the conditions under which a sign-in is allowed (device, location, MFA); they do not manage role assignments.
D. Azure DevOps: CI/CD pipelines, repositories and project management, not role-assignment standardisation.

Your company has an Azure Container Registry.

You have been tasked with assigning a user a role that allows for the uploading of images to the Azure Container Registry. The role assigned should not require more privileges than necessary.

Which of the following is the role you should assign?

A. Owner
B. Contributor
C. AcrPush
D. AcrPull
Answer: C
✅ Explanation:
✅ Why AcrPush is the correct role:
-AcrPush is a built-in Azure role designed specifically for uploading (pushing) container images to an Azure Container Registry.
-It grants only the registry actions Microsoft.ContainerRegistry/registries/push/write and Microsoft.ContainerRegistry/registries/pull/read, so it allows:
-Pushing images (upload)
-Pulling images (read access)
-It does not allow deleting images, changing the registry configuration or managing access.
❌ Why the other options are incorrect:
A. Owner: Full control, including managing access and deleting resources; far more privilege than necessary.
B. Contributor: Can manage everything except access control, including pushing and deleting images; still more privilege than necessary.
D. AcrPull: Read-only; allows pulling images but not pushing them.

Your company has an Azure Container Registry.

You have been tasked with assigning a user a role that allows for the downloading of images from the Azure Container Registry. The role assigned should not require more privileges than necessary.

Which of the following is the role you should assign?

A. Reader
B. Contributor
C. AcrDelete
D. AcrPull
Answer: D
✅ Explanation:
✅ Why AcrPull is correct:
-AcrPull is a built-in Azure role designed specifically for pulling (downloading) container images from an Azure Container Registry; its only action is Microsoft.ContainerRegistry/registries/pull/read.
-It grants no push, delete or configuration rights, so it is the least-privileged role that satisfies the requirement.
❌ Why the other options are incorrect:
A. Reader: Does allow pulling images, but its */read permission also exposes the registry resource's properties and every other resource in the assignment scope, so it grants more than is necessary.
B. Contributor: Can manage the registry and its content, including pushing and deleting images; too much access.
C. AcrDelete: Grants only the delete action on repositories and tags; it does not allow pulling images at all.
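The following is an added example, not code from the original page, covering both Azure Container Registry questions above. It shows how a practitioner would first compare what the candidate roles actually grant, then assign AcrPush (upload) or AcrPull (download only) scoped to the registry resource rather than to the subscription, and finally confirm that nothing broader applies to the principal. It uses the Az PowerShell modules (Az.Accounts, Az.Resources, Az.ContainerRegistry); the resource group, registry name and user are assumptions.

```powershell
# Added example (not from the original page). Requires the Az.Accounts, Az.Resources
# and Az.ContainerRegistry modules and an existing Connect-AzAccount session.
# The names below are assumptions for illustration.
$rgName       = 'rg-registry'
$registryName = 'contosoacr'
$userUpn      = 'alice@contoso.com'

# 1. Compare what each candidate role grants. AcrPull/AcrPush/AcrDelete carry only
#    registry-specific actions; Reader's */read applies to every resource in scope.
foreach ($roleName in 'AcrPull', 'AcrPush', 'AcrDelete', 'Reader') {
    $def = Get-AzRoleDefinition -Name $roleName
    '{0,-10} {1}' -f $roleName, ($def.Actions -join ', ')
}

# 2. Assign the narrowest role that meets the task, scoped to the registry resource.
$acr  = Get-AzContainerRegistry -ResourceGroupName $rgName -Name $registryName
$user = Get-AzADUser -UserPrincipalName $userUpn

$role = 'AcrPush'   # the user must upload images; use 'AcrPull' for download-only access
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $role -Scope $acr.Id | Out-Null

# 3. Verify what the principal holds at registry scope. This listing also includes
#    assignments inherited from the resource group and subscription, which is exactly
#    where an accidental Contributor or Owner grant would show up.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $acr.Id |
    Select-Object RoleDefinitionName, Scope
```

To test the result, the user signs in with az acr login --name contosoacr (or docker login) and pushes an image: with AcrPush the push succeeds, with AcrPull the registry refuses the push while a pull of the same tag still works.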

Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish whether the solution satisfies the requirements.

Your Company's Azure subscription includes a virtual network that has a single subnet configured.

You have created a service endpoint for the subnet, which includes an Azure virtual machine that has Ubuntu Server 18.04 installed.

You are preparing to deploy Docker containers to the virtual machine. You need to make sure that the containers can access Azure Storage resources and Azure SQL databases via the service endpoint.

You need to perform a task on the virtual machine prior to deploying containers.

Solution: You create an application security group.

Does the solution meet the goal?

A. Yes
B. No
Answer: B
✅ Explanation:
-The goal is to allow containers running on the VM to access Azure Storage and Azure SQL via the service endpoint configured on the subnet.
-Service endpoints extend the virtual network's identity to the Azure service: traffic from the subnet reaches the service over the Azure backbone, and the service's firewall can then be restricted to that subnet.
-Because the service endpoint is configured on the subnet, any VM or container with an address in that subnet can use it, provided the NSG rules and the storage account or SQL server firewall allow it.
-An application security group (ASG) is only a label for grouping network interfaces so that NSG rules can reference them as a unit; it neither enables nor extends service endpoints.
-Creating an ASG therefore does nothing for the containers' access through the service endpoint.
-What is needed instead is to make sure the containers' traffic leaves through the VM's network interface on the subnet where the endpoint is enabled.

Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish whether the solution satisfies the requirements.

Your Company's Azure subscription includes a virtual network that has a single subnet configured.

You have created a service endpoint for the subnet, which includes an Azure virtual machine that has Ubuntu Server 18.04 installed.

You are preparing to deploy Docker containers to the virtual machine. You need to make sure that the containers can access Azure Storage resources and Azure SQL databases via the service endpoint.

You need to perform a task on the virtual machine prior to deploying containers.

Solution: You install the container network interface (CNI) plug-in.

Does the solution meet the goal?

A. Yes
B. No
Answer: A
✅ Explanation:
-A service endpoint is configured on the subnet where the VM resides, which allows traffic from that subnet to reach Azure Storage and Azure SQL securely.
-You plan to deploy Docker containers on the VM and want those containers to reach the services through the service endpoint.
-Installing the Azure container network interface (CNI) plug-in on the VM gives each container its own IP address from the virtual network subnet, so the containers' traffic is sourced from the subnet on which the service endpoint is enabled.
-With that in place the containers can use the service endpoint to reach Azure Storage and Azure SQL, subject to the storage account and SQL server firewalls allowing the subnet.
-Summary:
-Installing the CNI plug-in on the VM hosting the containers networks them directly into the Azure virtual network so they can use the subnet's service endpoint.
-Without the plug-in, Docker's default bridge networking puts the containers behind NAT on the VM instead of giving them addresses in the subnet; the exam treats direct subnet addressing as the prerequisite.
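The following is an added example, not code from the original page, for the two service-endpoint questions above. Whichever task is performed on the VM, a practitioner would first confirm that the subnet actually carries the Microsoft.Storage and Microsoft.Sql endpoints, and that the target storage account and SQL server allow that subnet, because the endpoint alone only changes routing and does not open the service firewall. It uses the Az.Network, Az.Storage and Az.Sql modules; every resource name is an assumption.

```powershell
# Added example (not from the original page). Requires the Az.Network, Az.Storage and
# Az.Sql modules and an existing Connect-AzAccount session. All names are assumptions.
$rgName      = 'rg-net'
$vnetName    = 'vnet-prod'
$subnetName  = 'subnet-containers'
$storageName = 'contosodata'        # storage account the containers must reach
$sqlServer   = 'contoso-sql'        # logical SQL server the containers must reach
$required    = @('Microsoft.Storage', 'Microsoft.Sql')

# 1. Read the subnet and the service endpoints already enabled on it.
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet  = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$enabled = @($subnet.ServiceEndpoints | ForEach-Object { $_.Service })
$missing = @($required | Where-Object { $_ -notin $enabled })

# 2. Enable any endpoint that is missing, keeping the ones already present.
if ($missing.Count -gt 0) {
    "Enabling service endpoints: $($missing -join ', ')"
    Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint ($enabled + $missing) | Out-Null
    $vnet   = $vnet | Set-AzVirtualNetwork
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
}

# 3. A service endpoint only routes traffic; the services still reject the subnet
#    unless their firewalls list it. Allow the subnet on both services.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rgName -Name $storageName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rgName -ServerName $sqlServer `
    -VirtualNetworkRuleName 'allow-container-subnet' -VirtualNetworkSubnetId $subnet.Id | Out-Null

# 4. Confirm the endpoints are now provisioned on the subnet.
$subnet.ServiceEndpoints | Select-Object Service, ProvisioningState
```

Two things the script relies on: the storage account's network rule set must have its default action set to Deny (Update-AzStorageAccountNetworkRuleSet -DefaultAction Deny) for the virtual network rule to mean anything, and a Storage service endpoint only works for storage accounts in the same region (or its paired region) as the virtual network.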

You make use of Azure Resource Manager templates to deploy Azure virtual machines.

You have been tasked with making sure that Windows features that are not in use, are automatically inactivated when instances of the virtual machines are provisioned.

Which of the following actions should you take?

A. You should make use of Azure DevOps.
B. You should make use of Azure Automation State Configuration.
C. You should make use of network security groups (NSG).
D. You should make use of Azure Blueprints.
Answer: B
✅ Explanation:
-Your goal is to have unused Windows features disabled automatically as each VM is provisioned.
-This is a configuration-management task: enforcing a desired state on every VM.
-Azure Automation State Configuration is built on PowerShell Desired State Configuration (DSC). You author a DSC configuration that declares which Windows features must be present or absent, publish and compile it in an Automation account, and register each VM (for example from the ARM template via the DSC VM extension) so that its Local Configuration Manager applies that state and keeps enforcing it.
-Caveat for real deployments: Microsoft has announced that Azure Automation State Configuration will be retired (September 2027) and recommends Azure Machine Configuration as its successor; the exam still expects Automation State Configuration here.
❌ Why the other options are not correct:
A. Azure DevOps: Primarily for CI/CD pipelines, repositories and build automation; it does not itself enforce in-guest configuration of a VM.
C. Network security groups (NSG): Control network traffic; unrelated to Windows features.
D. Azure Blueprints: Governance and deployment of resources and policies; it does not manage in-guest configuration of Windows features.
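The following is an added example, not code from the original page, showing the DSC side of the answer end to end: a configuration that declares three commonly abused Windows features absent, then the Az.Automation cmdlets that publish and compile it in an Automation account and register a VM so its Local Configuration Manager removes the features and corrects drift. The feature list, Automation account and VM names are assumptions.

```powershell
# Added example (not from the original page). Part 1 is the DSC configuration, saved
# as RemoveUnusedFeatures.ps1; part 2 publishes it to an Automation account and
# registers a VM. The feature list and all names are assumptions for illustration.

# ---- Part 1: RemoveUnusedFeatures.ps1 ----
Configuration RemoveUnusedFeatures {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # SMBv1 server: legacy protocol, absent unless a documented dependency exists.
        WindowsFeature SMB1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
        # PowerShell 2.0 engine: no script block logging or AMSI, a common downgrade target.
        WindowsFeature PowerShellV2 {
            Name   = 'PowerShell-V2'
            Ensure = 'Absent'
        }
        # Telnet client: cleartext tool with no production use.
        WindowsFeature TelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
    }
}

# ---- Part 2: publish, compile and onboard (run with the Az.Automation module) ----
$rg  = 'rg-automation'
$aa  = 'aa-config'
$cfg = 'RemoveUnusedFeatures'

Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -SourcePath ".\$cfg.ps1" -Published -Force | Out-Null

# Compile the configuration into a node configuration named "<config>.<node>".
$job = Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aa `
    -ConfigurationName $cfg
do {
    Start-Sleep -Seconds 10
    $job = Get-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aa -Id $job.Id
} while ($job.Status -notin 'Completed', 'Failed', 'Suspended')
if ($job.Status -ne 'Completed') { throw "Compilation ended with status $($job.Status)" }

# Register the VM and make the LCM correct drift, not merely report it.
Register-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aa `
    -AzureVMName 'vm-app-01' -AzureVMResourceGroup 'rg-app' `
    -NodeConfigurationName "$cfg.localhost" -ConfigurationMode 'ApplyAndAutoCorrect'
```

Register-AzAutomationDscNode is fine for onboarding an existing VM; to make registration part of provisioning, as the question asks, the ARM template deploys the Microsoft.Powershell.DSC extension with the Automation account's registration URL and key (Get-AzAutomationRegistrationInfo) and the same node configuration name, so every new instance enrols itself on first boot.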

Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish whether the solution satisfies the requirements.

You are in the process of creating an Azure Kubernetes Service (AKS) cluster. The Azure Kubernetes Service (AKS) cluster must be able to connect to an Azure Container Registry.

You want to make sure that Azure Kubernetes Service (AKS) cluster authenticates to the Azure Container Registry by making use of the auto-generated service principal.

Solution: You create an Azure Active Directory (Azure AD) role assignment.

Does the solution meet the goal?

A. Yes
B. No
Answer: B
✅ Explanation:
-The cluster's auto-generated service principal needs permission on the registry resource itself. That is granted with an Azure RBAC role assignment (normally AcrPull, scoped to the registry), not with an Azure AD directory role assignment.
-Azure AD (directory) roles such as Global Administrator or Application Administrator control objects inside the directory; they grant no rights on Azure resources such as a container registry.
-The usual way to do this is to attach the registry when creating or updating the cluster (for example az aks create --attach-acr), which creates the AcrPull assignment for the cluster's identity on the registry.
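The following is an added example, not code from the original page, showing what does meet the goal: attaching the registry so that the cluster's auto-generated service principal receives an Azure RBAC AcrPull assignment scoped to the registry, then verifying that assignment. It uses the Az.Aks, Az.ContainerRegistry and Az.Resources modules; the cluster and registry names are assumptions.

```powershell
# Added example (not from the original page). Requires the Az.Aks, Az.ContainerRegistry
# and Az.Resources modules and an existing Connect-AzAccount session. Names are assumptions.
$aksRg   = 'rg-aks'
$aksName = 'aks-prod'
$acrRg   = 'rg-registry'
$acrName = 'contosoacr'

# 1. Attach the registry: this creates an Azure RBAC assignment of the AcrPull role,
#    scoped to the registry, for the cluster's service principal. The same parameter
#    exists on New-AzAksCluster when the cluster is being created.
Set-AzAksCluster -ResourceGroupName $aksRg -Name $aksName -AcrNameToAttach $acrName | Out-Null

# 2. Verify by resolving the cluster's service principal and listing its assignments on
#    the registry. An Azure AD directory role would not appear here at all.
$cluster = Get-AzAksCluster -ResourceGroupName $aksRg -Name $aksName
$acr     = Get-AzContainerRegistry -ResourceGroupName $acrRg -Name $acrName

if ($cluster.ServicePrincipalProfile.ClientId -eq 'msi') {
    throw 'Cluster uses a managed identity; check the kubelet identity instead of a service principal'
}
$sp = Get-AzADServicePrincipal -ApplicationId $cluster.ServicePrincipalProfile.ClientId

$assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $acr.Id
$assignments | Select-Object RoleDefinitionName, Scope
if (-not ($assignments | Where-Object { $_.RoleDefinitionName -eq 'AcrPull' })) {
    throw "Service principal $($sp.DisplayName) has no AcrPull assignment on $acrName"
}
```

AcrPull is sufficient for the nodes to pull images; giving the cluster identity Contributor on the registry, or an AcrPush assignment, would let a compromised node overwrite the images every other workload runs.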

Your company has an Azure subscription that includes two virtual machines, named VirMac1 and VirMac2, which both have a status of Stopped (Deallocated).

The virtual machines belong to different resource groups, named ResGroup1 and ResGroup2.

You have also created two Azure policies that are both configured with the virtualMachines resource type. The policy configured for ResGroup1 has a policy definition of Not allowed resource types, while the policy configured for ResGroup2 has a policy definition of Allowed resource types.

You then create a Read-only resource lock on VirMac1, as well as a Read-only resource lock on ResGroup2.

Which of the following is TRUE with regards to the scenario? (Choose all that apply.)

A. You will be able to start VirMac1.
B. You will NOT be able to start VirMac1.
C. You will be able to create a virtual machine in ResGroup2.
D. You will NOT be able to create a virtual machine in ResGroup2.
Answer: BD
✅ Explanation:
-Scenario recap:
-Two VMs: VirMac1 in ResGroup1 and VirMac2 in ResGroup2, both Stopped (Deallocated).
-Two Azure policies: on ResGroup1, Not allowed resource types (virtualMachines blocked); on ResGroup2, Allowed resource types (virtualMachines permitted).
-Locks: Read-only lock on VirMac1; Read-only lock on ResGroup2.
-Key concepts:
-Read-only lock: only read (GET) operations are allowed on the locked resource and everything beneath it. Creates, updates, deletes and POST actions such as starting a VM are rejected, whatever RBAC role the caller holds.
-Not allowed resource types policy: denies creation or update of the listed resource types within its scope.
-Allowed resource types policy: denies creation or update of any resource type not in its list.
-Locks and policies are evaluated independently and a request must pass both, so a lock can block an operation that policy would permit.
-Analysing each option:
A. You will be able to start VirMac1. Starting a VM is a POST action; the Read-only lock on VirMac1 rejects it. A is FALSE.
B. You will NOT be able to start VirMac1. As above, the Read-only lock on VirMac1 prevents starting the VM. B is TRUE.
C. You will be able to create a virtual machine in ResGroup2. The Allowed resource types policy would permit a VM, but the Read-only lock on ResGroup2 blocks any create, update or delete in the group. C is FALSE.
D. You will NOT be able to create a virtual machine in ResGroup2. The Read-only lock on ResGroup2 blocks the creation even though policy allows the resource type. D is TRUE.
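The following is an added example, not code from the original page, that reproduces the two locks from the scenario and exercises the operations the options ask about, so the behaviour can be observed rather than reasoned about. It uses the Az.Resources and Az.Compute modules; the VM and resource group names follow the question, while the lock names, image and credential prompt are assumptions.

```powershell
# Added example (not from the original page). Requires the Az.Resources and Az.Compute
# modules and an existing Connect-AzAccount session. VM and group names follow the
# question; lock names, the image alias and the credential prompt are assumptions.
New-AzResourceLock -LockName 'vm1-readonly' -LockLevel ReadOnly `
    -ResourceGroupName 'ResGroup1' -ResourceName 'VirMac1' `
    -ResourceType 'Microsoft.Compute/virtualMachines' -Force | Out-Null

New-AzResourceLock -LockName 'rg2-readonly' -LockLevel ReadOnly `
    -ResourceGroupName 'ResGroup2' -Force | Out-Null

# Starting a VM is a POST action, which a ReadOnly lock rejects (option B).
try {
    Start-AzVM -ResourceGroupName 'ResGroup1' -Name 'VirMac1' -ErrorAction Stop | Out-Null
    'Unexpected: VirMac1 started'
} catch {
    "Start of VirMac1 blocked: $($_.Exception.Message)"
}

# Creating a resource in ResGroup2 is a PUT; the ReadOnly lock on the group rejects it
# even though the 'Allowed resource types' policy permits virtualMachines (option D).
$cred = Get-Credential -Message 'Local administrator for the test VM'
try {
    New-AzVM -ResourceGroupName 'ResGroup2' -Name 'VirMac3' -Image 'Win2019Datacenter' `
        -Credential $cred -ErrorAction Stop | Out-Null
    'Unexpected: VirMac3 created'
} catch {
    "Create of VirMac3 blocked: $($_.Exception.Message)"
}

# Locks are inherited downward; list what applies in each group.
Get-AzResourceLock -ResourceGroupName 'ResGroup1' | Select-Object Name, ResourceName, Properties
Get-AzResourceLock -ResourceGroupName 'ResGroup2' | Select-Object Name, ResourceName, Properties
```

Removing either lock (Remove-AzResourceLock) requires the Microsoft.Authorization/locks/* permission, which Owner and User Access Administrator hold but Contributor does not; that is what makes a lock a useful guard against an over-privileged automation account or a careless operator.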