[Q144-Q165] The Ultimate Guide to the AZ-500 Certification [Updated 2024]



AZ-500 practice exam and study guide, rigorously verified


The Microsoft AZ-500 exam certifies an individual's skills in securing Microsoft Azure technologies. It is aimed at IT professionals who work in Azure and are responsible for the security of cloud-based solutions. The AZ-500 exam tests candidates on the skills and knowledge needed to implement security controls in Microsoft Azure, identify and remediate vulnerabilities, manage identity and access, and protect data and applications.


The AZ-500 certification exam is part of the Microsoft Certified: Azure Security Engineer Associate certification path. Passing this exam earns that certification and demonstrates expertise in security management and administration in Azure. The certification is ideal for security professionals who are responsible for managing and securing cloud-based workloads.


The Microsoft AZ-500 certification exam targets professionals who have experience with Microsoft Azure and want to advance their careers in cloud security. It is intended for security engineers, security analysts, security architects, and other IT professionals responsible for securing Azure environments. The exam covers a range of topics, including Azure Active Directory, Azure Security Center, Azure Key Vault, Azure Monitor, and Azure Log Analytics.

 

Question # 144
You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?

  • A. In Azure Key Vault, create a key.
  • B. In Azure AD, create a role.
  • C. In Azure AD, enable Azure AD Application Proxy.
  • D. In Azure Key Vault, create an access policy.

Correct answer: B

Explanation:
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them.
Managed identities for Azure resources make solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Example: How a system-assigned managed identity works with an Azure VM
After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
References:
https://docs.microsoft.com/en-us/azure/key-vault/quick-create-net
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview


Question # 145
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

Each user is assigned an Azure AD Premium P2 license.
You plan to onboard and configure Azure AD Identity Protection.
Which users can onboard Azure AD Identity Protection, remediate users, and configure policies? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:


Question # 146
You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure SQL Database instance that is configured to support Azure AD authentication.
Database developers must connect to the database instance and authenticate by using their on-premises Active Directory account.
You need to ensure that developers can connect to the instance by using Microsoft SQL Server Management Studio. The solution must minimize authentication prompts.
Which authentication method should you recommend?

  • A. Active Directory - Universal with MFA support
  • B. SQL Server Authentication
  • C. Active Directory - Integrated
  • D. Active Directory - Password

Correct answer: D

Explanation:
Use Active Directory password authentication when connecting with an Azure AD principal name using the Azure AD managed domain.
Use this method to authenticate to SQL DB/DW with Azure AD for native or federated Azure AD users. A native user is one explicitly created in Azure AD and authenticated using a user name and password, while a federated user is a Windows user whose domain is federated with Azure AD. The latter method (using user name and password) can be used when a user wants to use their Windows credentials but their local machine is not joined to the domain (for example, when using remote access). In this case, a Windows user can enter their domain account and password and authenticate to SQL DB/DW using federated credentials.


Question # 147
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzureRmNetworkSecurityRuleConfig and receive the output shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

Box 1: able to connect to East US 2
The StorageEA2Allow rule has DestinationAddressPrefix {Storage/EastUS2}.
Box 2: allowed
TCP port 21 controls the FTP session. The Contoso_FTP rule has SourceAddressPrefix {1.2.3.4/32} and DestinationAddressPrefix {10.0.0.5/32}.
Note: The Get-AzureRmNetworkSecurityRuleConfig cmdlet gets a network security rule configuration for an Azure network security group. Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
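To make the rule evaluation behind Box 1 and Box 2 concrete, here is an added Python simulation (not from the page or from Microsoft) of how an NSG processes its rules: lowest priority number first, the first full match decides, and the built-in default rules are consulted last. The rule set, the service-tag prefixes and the test flows are constructed for the example; the exhibit's real rules are not reproduced.

```python
import ipaddress
from dataclasses import dataclass

# Constructed service-tag table. A real NSG resolves a tag such as Storage.EastUS2
# (shown as Storage/EastUS2 in the exhibit) to Microsoft-published ranges; the
# prefixes below are placeholders for the simulation only.
SERVICE_TAGS = {
    "Storage.EastUS2": ["20.60.0.0/16"],
    "VirtualNetwork": ["10.0.0.0/8"],
    "Internet": ["0.0.0.0/0"],
}

@dataclass
class Rule:
    name: str
    priority: int
    direction: str    # "Inbound" | "Outbound"
    access: str       # "Allow" | "Deny"
    protocol: str     # "Tcp" | "Udp" | "*"
    dest_port: str    # "21", "1024-65535" or "*"
    source: str       # CIDR, service tag or "*"
    destination: str  # CIDR, service tag or "*"

# The default rules relevant here; user rules must use priorities below 65000.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def _prefix_matches(spec, ip):
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule_name) for one flow: rules are tried in ascending
    priority and the first full match decides, as NSG processing does."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if (_port_matches(r.dest_port, dst_port) and _prefix_matches(r.source, src_ip)
                and _prefix_matches(r.destination, dst_ip)):
            return r.access, r.name
    return "Deny", "implicit"

# Constructed rules using the names and prefixes quoted in the explanation.
RULES = [
    Rule("Contoso_FTP", 100, "Inbound", "Allow", "Tcp", "21", "1.2.3.4/32", "10.0.0.5/32"),
    Rule("StorageEA2Allow", 200, "Outbound", "Allow", "*", "*", "*", "Storage.EastUS2"),
]
```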


Question # 148
You plan to use Azure Log Analytics to collect logs from 200 servers that run Windows Server 2016.
You need to automate the deployment of the Microsoft Monitoring Agent to all the servers by using an Azure Resource Manager template.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

References:
https://blogs.technet.microsoft.com/manageabilityguys/2015/11/19/enabling-the-microsoft-monitoring-agent-in-w


Question # 149
You need to deploy AKS1 to meet the platform protection requirements.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Correct answer:

Explanation:

Scenario: Azure AD users must be able to authenticate to AKS1 by using their Azure AD credentials.
Litewire plans to deploy AKS1, which is a managed AKS (Azure Kubernetes Services) cluster.
Step 1: Create a server application
To provide Azure AD authentication for an AKS cluster, two Azure AD applications are created. The first application is a server component that provides user authentication.
Step 2: Create a client application
The second application is a client component that's used when you're prompted by the CLI for authentication.
This client application uses the server application for the actual authentication of the credentials provided by the client.
Step 3: Deploy an AKS cluster.
Use the az group create command to create a resource group for the AKS cluster.
Use the az aks create command to deploy the AKS cluster.
Step 4: Create an RBAC binding.
Before you use an Azure Active Directory account with an AKS cluster, you must create role-binding or cluster role-binding. Roles define the permissions to grant, and bindings apply them to desired users. These assignments can be applied to a given namespace, or across the entire cluster.
Reference:
https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration


Question # 150
You have a Microsoft Sentinel deployment.
You need to connect a third-party security solution to the deployment. The third-party solution will send Common Event Format (CEF)-formatted messages.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:


Question # 151
You have two Azure virtual machines in the East US2 region as shown in the following table.

You deploy and configure an Azure Key vault.
You need to ensure that you can enable Azure Disk Encryption on VM1 and VM2.
What should you modify on each virtual machine? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/generation-2#generation-1-vs-generation-2-capabilities


Question # 152
You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016.
You need to implement a policy to ensure that each virtual machine has a custom antimalware virtual machine extension installed.
How should you complete the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects


Question # 153
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.
You need to recommend an integration solution that meets the following requirements:
* Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
* Minimizes the number of servers required for the solution.
Which authentication method should you include in the recommendation?

  • A. federated identity with Active Directory Federation Services (AD FS)
  • B. password hash synchronization with seamless single sign-on (SSO)
  • C. pass-through authentication with seamless single sign-on (SSO)

Correct answer: B

Explanation:
Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
Incorrect Answers:
A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It's up to the organization using the federated system to make sure it's deployed securely and can handle the authentication load.
C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter network.
Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta


Question # 154
You suspect that users are attempting to sign in to resources to which they have no access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users who had more than five failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

The following example identifies user accounts that failed to log in more than five times in the last day, and when they last attempted to log in.
let timeframe = 1d;
SecurityEvent
| where TimeGenerated > ago(timeframe) // keep only events inside the window
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1 // arg_max also returns Account as Account1; drop the duplicate column
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples
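As an added example (not from the page or from Microsoft's documentation), the same pipeline written in Python with the question's parameters, a three-day window and more than five failures, run over constructed SecurityEvent rows so that the time filter, count(), arg_max and threshold steps can be checked offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for SecurityEvent rows (Windows Security log forwarded
# to Log Analytics); EventID 4625 is "An account failed to log on".
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def _row(hours_ago, account, event_id=4625, account_type="User"):
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "Account": account,
            "EventID": event_id, "AccountType": account_type}

SECURITY_EVENTS = (
    [_row(h, r"CONTOSO\user1") for h in range(1, 8)]          # 7 failures inside 3d
    + [_row(5 * 24, r"CONTOSO\user1")]                         # failure older than 3d
    + [_row(2, r"CONTOSO\user1", event_id=4624)]               # successful logon, ignored
    + [_row(h, r"CONTOSO\user2") for h in range(1, 6)]         # exactly 5: not reported
    + [_row(h, r"CONTOSO\svc1", account_type="Machine") for h in range(1, 10)]  # not a user
    + [_row(h, r"CONTOSO\user3") for h in range(10, 70, 10)]   # 6 failures inside 3d
)

def failed_logins(rows, timeframe_days=3, threshold=5, now=NOW):
    """Python equivalent of the KQL pipeline with the question's parameters:
       let timeframe = 3d;
       SecurityEvent
       | where TimeGenerated > ago(timeframe)
       | where AccountType == 'User' and EventID == 4625
       | summarize failed_login_attempts=count(),
                   latest_failed_login=arg_max(TimeGenerated, Account) by Account
       | where failed_login_attempts > 5
    Returns {Account: (failed_login_attempts, latest_failed_login)}."""
    timeframe = timedelta(days=timeframe_days)
    counts = defaultdict(int)
    latest = {}
    for r in rows:
        if r["TimeGenerated"] <= now - timeframe:          # ago(timeframe) filter
            continue
        if r["AccountType"] != "User" or r["EventID"] != 4625:
            continue
        acct = r["Account"]
        counts[acct] += 1                                  # count()
        if acct not in latest or r["TimeGenerated"] > latest[acct]:
            latest[acct] = r["TimeGenerated"]              # arg_max(TimeGenerated, ...)
    return {a: (c, latest[a]) for a, c in counts.items() if c > threshold}
```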


Question # 155
You are configuring network connectivity for two Azure virtual networks named VNET1 and VNET2.
You need to implement VPN gateways for the virtual networks to meet the following requirements:
* VNET1 must have six site-to-site connections that use BGP.
* VNET2 must have 12 site-to-site connections that use BGP.
* Costs must be minimized.
Which VPN gateway SKU should you use for each virtual network? To answer, drag the appropriate SKUs to the correct networks. Each SKU may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku


Question # 156
You have an Azure subscription that contains 100 virtual machines. Azure Diagnostics is enabled on all the virtual machines.
You are planning the monitoring of Azure services in the subscription.
You need to retrieve the following details:
* Identify the user who deleted a virtual machine three weeks ago.
* Query the security events of a virtual machine that runs Windows Server 2016.
What should you use in Azure Monitor? To answer, drag the appropriate configuration settings to the correct details. Each configuration setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/security/azure-log-audit


Question # 157
You have an Azure Sentinel workspace that has the following data connectors:
* Azure Active Directory Identity Protection
* Common Event Format (CEF)
* Azure Firewall
You need to ensure that data is being ingested from each connector.
From the Logs query window, which table should you query for each connector? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:


Question # 158
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

The tenant contains the named locations shown in the following table.

You create the conditional access policies for a cloud app named App1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:


Question # 159
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username: [email protected]
Azure Password: Ag1Bh9!#Bd
The following information is for technical support purposes only:
Lab Instance: 10598168




You need to create a new Azure Active Directory (Azure AD) directory named 10598168.onmicrosoft.com.
The new directory must contain a user named [email protected] who is configured to sign in by using Azure Multi-Factor Authentication (MFA).
To complete this task, sign in to the Azure portal.

Correct answer:

Explanation:
Step 1: Create an Azure Active Directory tenant
1. Browse to the Azure portal and sign in with an account that has an Azure subscription.
2. Select the plus icon (+) and search for Azure Active Directory.

3. Select Azure Active Directory in the search results.

4. Select Create.
5. Provide an Organization name and an Initial domain name (10598168). Then select Create. Your directory is created.
6. After directory creation is complete, select the information box to manage your new directory. Next, you're going to add tenant users.
Step 2: Create an Azure Active Directory tenant user
7. In the Azure portal, make sure you are on the Azure Active Directory flyout.


8. Under Manage, select Users.
9. Select All users and then select + New user.
10. Provide a Name and User name (user1) for the regular tenant user. You can also show the temporary password. When you're done, select Create.
Name: user1
User name: [email protected]

Reference:
https://docs.microsoft.com/en-us/power-bi/developer/create-an-azure-active-directory-tenant


Question # 160
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains three security groups named Group1, Group2, and Group3 and the users shown in the following table.

Group3 is a member of Group2.
In contoso.com, you register an enterprise application named App1 that has the following settings:
Owners: User1
Users and groups: Group2
You configure the properties of App1 as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal


Question # 161
You have an Azure subscription that contains a resource group named RG1 and a security group named ServerAdmins. RG1 contains 10 virtual machines, a virtual network named VNET1, and a network security group (NSG) named NSG1. ServerAdmins can access the virtual machines by using RDP.
You need to ensure that NSG1 only allows RDP connections to the virtual machines for a maximum of 60 minutes when a member of ServerAdmins requests access.
What should you configure?

  • A. an Azure Active Directory (Azure AD) Privileged Identity Management (PIM) role assignment.
  • B. an Azure Bastion host on VNET1.
  • C. a just in time (JIT) VM access policy in Azure Security Center
  • D. an Azure Policy assigned to RG1.

Correct answer: A


Question # 162
You have the role assignments shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:


Question # 163
You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) data connector.
You are threat hunting suspicious traffic from a specific IP address.
You need to annotate an intermediate event stored in the workspace and be able to reference the IP address when navigating through the investigation graph.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct answer:

Explanation:

1 - From the Azure Sentinel workspace...
2 - Select a query result.
3 - Add a bookmark and map an entity.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/bookmarks


Question # 164
You are evaluating the security of the network communication between the virtual machines in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct answer:

Explanation:


Question # 165
......

The ultimate AZ-500 guide, latest version, limited time! Download now!: https://www.goshiken.com/Microsoft/AZ-500-mondaishu.html

Best free trial set of the 2024 latest, rigorously verified AZ-500 study and pass guide: https://drive.google.com/open?id=10eV7n2mgHEZmKglcfK2Tx_Ze7kqOvQmh