[2025年04月24日] 無料Microsoft Azure Security Engineer Associate AZ-500試験問題を使おう
AZ-500問題集でMicrosoft Azure Security Engineer Associate必ず合格できる練習問題集
Microsoft AZ-500(Microsoft Azure Security Technologies)認定試験は、Microsoft Azure環境の確保に関する専門知識を証明しようとする専門家にとって不可欠な認定です。この認定試験は、セキュリティ管理の実装、セキュリティの脅威の特定と緩和、およびAzureセキュリティソリューションの管理における候補者の知識とスキルをテストするように設計されています。
質問 # 252
You have an Azure subscription that contains the following resources:
* An Azure key vault
* An Azure SQL database named Database1
* Two Azure App Service web apps named AppSrv1 and AppSrv2 that are configured to use system-assigned managed identities and access Database1 You need to implement an encryption solution for Database1 that meets the following requirements:
* The data in a column named Discount in Database1 must be encrypted so that only AppSrv1 can decrypt the data.
* AppSrv1 and AppSrv2 must be authorized by using managed identities to obtain cryptographic keys.
How should you configure the encryption settings fa Database1 To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point
正解:
解説:
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell
質問 # 253
You have five Azure subscriptions linked to a single Azure Active Directory (Azure AD) tenant.
You create an Azure Policy initiative named SecurityPolicyInitiative1.
You identify which standard role assignments must be configured on all new resource groups.
You need to enforce SecurityPolicyInitiative1 and the role assignments when a new resource group is created.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
正解:
解説:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
https://docs.microsoft.com/en-us/azure/azure-australia/azure-policy
質問 # 254
You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine named VM1 that uses Azure Active Directory (Azure AD) authentication.
You have two custom Azure roles named Role1 and Role2 that are scoped to RG1.
The permissions for Role1 are shown in the following JSON code.
The permissions for Role2 are shown in the following JSON code.
You assign the roles to the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
正解:
解説:
質問 # 255
You need to ensure that the Azure AD application registration and consent configurations meet the identity and access requirements.
What should you use in the Azure portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
解説:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
質問 # 256
You need to configure a virtual network named VNET2 to meet the following requirements:
Administrators must be prevented from deleting VNET2 accidentally.
Administrators must be able to add subnets to VNET2 regularly.
To complete this task, sign in to the Azure portal and modify the Azure resources.
正解:
解説:
Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as Azure subscription, resource group, or resource.
Note: In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET2. Alternatively, browse to Virtual Networks in the left navigation pane.
2. In the Settings blade for virtual network VNET2, select Locks.
3. To add a lock, select Add.
4. For Lock type select Delete lock, and click OK
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
質問 # 257
You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the automatically generated service principal for the AKS cluster to authenticate to the Azure Container Registry.
What should you create?
- A. a role assignment
- B. an Azure Active Directory (Azure AD) group
- C. a secret in Azure Key Vault
- D. an Azure Active Directory (Azure AD) user
正解:A
解説:
Section: [none]
Explanation/Reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
質問 # 258
You have an Azure key vault.
You need to delegate administrative access to the key vault to meet the following requirements:
Provide a user named User1 with the ability to set advanced access policies for the key vault.
Provide a user named User2 with the ability to add and delete certificates in the key vault.
Use the principle of least privilege.
What should you use to assign access to each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
解説:
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
質問 # 259
You have an Azure subscription named Sub1 that contains the storage accounts shown in the following table
The storage3 storage account is encrypted by using customer-managed keys.
YOU need to enable Microsoft Defender for storage to meet the following requirements.
* The storage1 and storage2 account must be include in the defender for storage requirement.
* The storage3 account must be exclude from the Defender for Storage protections.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and them in the correct order.
正解:
解説:
1 - Enable the Defender for Storage plan for Sub1.
2 - For storage 3, assign the AzDefenderPlanAutoEnable tag and set the value to off.
3 - Enable the Defender for Storage plan for RG1.
質問 # 260
You have an Azure subscription.
You plan to create two custom roles named Role1 and Role2.
The custom roles will be used to perform the following tasks:
* Members of Role1 will manage application security groups.
* Members of Role2 will manage Azure Bastion.
You need to add permissions to the custom roles.
Which resource provider should you use for each role? To answer, drag the appropriate resource providers to the correct roles. Each resource provider may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content
正解:
解説:
Explanation
質問 # 261
You have the hierarchy of Azure resources shown in the following exhibit.
You create the Azure Blueprints definitions shown in the following table.
To which objects can you assign Blueprint1 and Blueprint2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
解説:
質問 # 262
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
On NIC1, you configure an application security group named ASG1.
On which other network interfaces can you configure ASG1?
- A. NIC2, NIC3, NIC4, and NIC5
- B. NIC2 only
- C. NIC2, NIC3, and NIC4 only
- D. NIC2 and NIC3 only
正解:D
解説:
Only network interfaces in NVET1, which consists of Subnet11 and Subnet12, can be configured in ASG1, as all network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.
Reference:
https://azure.microsoft.com/es-es/blog/applicationsecuritygroups/
質問 # 263
You need to perform the planned changes for OU2 and User1.
Which tools should you use? To answer, drag the appropriate tools to the correct resources. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
正解:
解説:
質問 # 264
You have an Azure subscription that contains the resources shown in the following table.
Transparent Data Encryption (TDE) is disabled on SQL1.
You assign polices to the resource groups as shown in the following table.
You plan to deploy Azure SQL databases by using an Azure Resource Manager (ARM) template. The databases will be configured as shown in the following table.
NOTE: Each correct selection is worth one point.
正解:
解説:
Explanation:
Graphical user interface, text, application Description automatically generated
質問 # 265
Your company has an Azure subscription named Subscription1 that contains the users shown in the following table.
The company is sold to a new owner.
The company needs to transfer ownership of Subscription1.
Which user can transfer the ownership and which tool should the user use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
解説:
Explanation:
Box 1; User2
Billing Administrator
Select Transfer billing ownership for the subscription that you want to transfer.
Enter the email address of a user who's a billing administrator of the account that will be the new owner for the subscription.
Box 2: Azure Account Center
Azure Account Center can be used.
Reference:
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer#transfer-billing-ownership-of-an-azure-subscription
質問 # 266
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:
* Assignment: Include Group1, Exclude Group2
* Conditions: Sign-in risk of Medium and above
* Access: Allow access, Require password change
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
正解:
解説:
Explanation
Box 1: Yes
User1 is member of Group1. Sign in from unfamiliar location is risk level Medium.
Box 2: Yes
User2 is member of Group1. Sign in from anonymous IP address is risk level Medium.
Box 3: No
Sign-ins from IP addresses with suspicious activity is low.
Note:
Azure AD Identity protection can detect six types of suspicious sign-in activities:
* Users with leaked credentials
* Sign-ins from anonymous IP addresses
* Impossible travel to atypical locations
* Sign-ins from infected devices
* Sign-ins from IP addresses with suspicious activity
* Sign-ins from unfamiliar locations
These six types of events are categorized in to 3 levels of risks - High, Medium & Low:
References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
質問 # 267
You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
An administrator named Admin1 has access to the following identities:
An OpenID-enabled user account
A Hotmail account
An account in contoso.com
An account in an Azure AD tenant named fabrikam.com
You plan to use Azure Account Center to transfer the ownership of Sub1 to Admin1.
To which accounts can you transfer the ownership of Sub1?
- A. contoso.com, fabrikam.com, and Hotmail only
- B. contoso.com only
- C. contoso.com, fabrikam.com, Hotmail, and OpenID-enabled user account
- D. contoso.com and fabrikam.com only
正解:D
質問 # 268
You plan to implement JIT VM access. Which virtual machines will be supported?
- A. VM1. VM2. VM3, and VM4
- B. VM1 only
- C. VM1 and VM3 only
- D. VM2, VM3, and VM4 only
正解:C
質問 # 269
You have an Azure Storage account named storage1 and an Azure virtual machine named VM1. VM1 has a premium SSD managed disk.
You need to enable Azure Disk Encryption for VM1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange then in the correct order.
正解:
解説:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
質問 # 270
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
You create a resource group named RG1.
Which users can modify the permissions for RG1 and which users can create virtual networks in RG1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
解説:
質問 # 271
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
Azure AD Privileged Identity Management (PIM) is enabled for the tenant.
In PIM, the Password Administrator role has the following settings:
* Maximum activation duration (hours): 2
* Send email notifying admins of activation: Disable
* Require incident/request ticket number during activation: Disable
* Require Azure Multi-Factor Authentication for activation: Enable
* Require approval to activate this role: Enable
* Selected approver: Group1
You assign users the Password Administrator role as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
正解:
解説:
Reference:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
質問 # 272
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database user.
What should you do?
- A. Configure a service endpoint on SQL1.
- B. Enable a managed service identity on VM1.
- C. Create a key in KV1.
- D. Create a secret in KV1.
正解:B
解説:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
質問 # 273
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 100 on-premises servers that run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LAW1. LAW1 is configured to collect security-related performance counters from the connected servers.
You need to configure alerts based on the data collected by LAW1. The solution must meet the following requirements:
Alert rules must support dimensions.
The time it takes to generate an alert must be minimized.
Alert notifications must be generated only once when the alert is generated and once when the alert is resolved.
Which signal type should you use when you create the alert rules?
- A. Metric
- B. Log (Saved Query)
- C. Activity Log
- D. Log
正解:A
解説:
Metric alerts in Azure Monitor provide a way to get notified when one of your metrics cross a threshold. Metric alerts work on a range of multi-dimensional platform metrics, custom metrics, Application Insights standard and custom metrics.
Note: Signals are emitted by the target resource and can be of several types. Metric, Activity log, Application Insights, and Log.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric
質問 # 274
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.
When a developer attempts to register an app named App1 in the tenant, the developer receives the error message shown in the following exhibit.
You need to ensure that the developer can register App1 in the tenant.
What should you do for the tenant?
- A. Modify the User settings
- B. Set Enable Security default to Yes.
- C. Configure the Consent and permissions settings for enterprise applications.
- D. Modify the Directory properties.
正解:A
解説:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
質問 # 275
You have an Azure subscription that contains an Azure Sentinel workspace.
Azure Sentinel is configured to ingest logs from several Azure workloads. A third-party service management platform is used to manage incidents.
You need to identify which Azure Sentinel components to configure to meet the following requirements:
When Azure Sentinel identifies a threat, an incident must be created.
A ticket must be logged in the service management platform when an incident is created in Azure Sentinel.
Which component should you identify for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
解説:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
質問 # 276
......
Microsoft AZ-500試験は、毎日Microsoft Azureと協力し、Azure Securityのスキルを向上させたいITプロフェッショナルに最適です。この認定は、クラウドソリューションの確保に関する専門知識を検証します。これは、より多くの企業がクラウドに移行しているため、ますます重要になっています。この認定は、Azure Identity Management、Azure Security Management、Azure Security Operations、Azureデータとアプリケーション保護など、幅広いセキュリティトピックをカバーしています。
Microsoft AZ-500認定試験は、クラウドセキュリティでのキャリアを促進しようとしている専門家にとって優れた選択肢です。この認定は業界で非常に尊敬されており、所有者がazure環境を効果的に確保するために必要なスキルと知識を持っていることを示しています。また、Azure Solutions Architect Expert認定など、他のAzure認定の強固な基盤を提供します。
Microsoft AZ-500実際の問題とブレーン問題集:https://jp.fast2test.com/AZ-500-premium-file.html
合格させるAZ-500試験には更新されたのはAZ-500試験問題集PDF2025:https://drive.google.com/open?id=1-3gbYeh3AFClk-XgKxJ0hvTAePI1wIQ1