Microsoft SC-500 - Implementing End-to-End Security Controls for Cloud and AI Workloads Exam
Total 67 questions
Question #6 (Topic: Exam A)
You have two management groups named MG1 and MG2 that contain multiple Azure subscriptions. The subscriptions are linked to a Microsoft Entra tenant.
You have a user named User1 and a global administrator named Admin1.
You are informed that User1 created an Azure subscription named Sub1 under the MG2 management group and is the only owner of the subscription.
You need to ensure that Admin1 can remove the Owner role from User1 for Sub1.
What should you do first?
A. Move Sub1 to MG1.
B. Assign Admin1 the User Access Administrator role for Sub1.
C. Instruct Admin1 to use Privileged Identity Management (PIM) to request the Security Administrator role.
D. Instruct Admin1 to enable Access management for Azure resources.
Answer: D
Question #7 (Topic: Exam A)
You have a management group named MG1 that contains two subscriptions named Sub1 and Sub2.
Sub1 contains a resource group named RG-Exception and a resource group named RG1 that hosts Microsoft Foundry resources.
You need to assign an Azure policy to force new Foundry deployments in MG1 to use private endpoints. The solution must NOT restrict deployments in RG-Exception.
How should you configure the policy?
A. Assign the policy to MG1 and exclude RG-Exception.
B. Assign the policy to Sub1 and RG-Exception.
C. Assign the policy to MG1 and RG-Exception.
D. Assign the policy to Sub1 and exclude RG-Exception.
Answer: A
Question #8 (Topic: Exam A)
You have an Azure key vault named KV1 that uses role-based access control (RBAC) authorization. KV1 stores database connection strings for an Azure App Service web app named App1.
You enable a firewall on KV1 and allow access to KV1 from only the virtual network that contains App1.
You need to ensure that App1 can retrieve secrets from KV1 without using credentials stored in the application configuration.
What should you create?
A. an access policy for KV1
B. an app registration for App1
C. a private endpoint for KV1
D. a managed identity for App1
Answer: D
Question #9 (Topic: Exam A)
DRAG DROP
You have a Microsoft Entra tenant.
You need to implement passwordless authentication. The solution must meet the following requirements:
Users can sign in without a password by using a mobile device.
New users that sign in for the first time must use a helpdesk-issued sign-in method that expires.
Which authentication method should you enable for each requirement? To answer, drag the appropriate methods to the correct requirements. Each method may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Question #10 (Topic: Exam A)
You have a Microsoft Entra tenant that has user consent for applications disabled.
You register an application named App1 that requests the following Microsoft Graph delegated permissions:
User.Read
Mail.Read
You need to configure tenant permissions to meet the following requirements:
Enable users to grant consent for low-risk permissions without administrator interaction.
Ensure that applications requesting higher-privilege permissions require administrator approval.
What should you do?
A. Grant tenant-wide admin consent to App1.
B. Configure application assignments for App1.
C. Configure Privileged Identity Management (PIM) role assignments.
D. Create an app consent policy.
Answer: D