HOTSPOT
You have an Azure subscription that contains the following resources:
An Azure key vault
An Azure SQL database named Database1
Two Azure App Service web apps named AppSrv1 and AppSrv2 that are configured to use system-assigned managed
identities and access Database1
You need to implement an encryption solution for Database1 that meets the following requirements:
The data in a column named Discount in Database1 must be encrypted so that only AppSrv1 can decrypt the data.
AppSrv1 and AppSrv2 must be authorized by using managed identities to obtain cryptographic keys.
How should you configure the encryption settings for Database1? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell
DRAG DROP
You have an Azure subscription.
You plan to create a storage account.
You need to use customer-managed keys to encrypt the tables in the storage account.
From Azure Cloud Shell, which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from
the list of cmdlets to the answer area and arrange them in the correct order.
Select and Place:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=powershell
You have an Azure subscription that contains an Azure SQL database named sql1.
You plan to audit sql1.
You need to configure the audit log destination. The solution must meet the following requirements:
Support querying events by using the Kusto query language.
Minimize administrative effort.
What should you configure?
C
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-log-analytics-wizard
You have a web app named WebApp1.
You create a web application firewall (WAF) policy named WAF1.
You need to protect WebApp1 by using WAF1.
What should you do first?
A
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
SIMULATION
You need to ensure that the rg1lod1234578n1 Azure Storage account is encrypted by using a key stored in the
KeyVault12345678 Azure key vault.
To complete this task, sign in to the Azure portal.
See the explanation below.
Explanation:
Step 1: To enable customer-managed keys in the Azure portal, follow these steps:
1. Navigate to your storage account rg1lod1234578n1
2. On the Settings blade for the storage account, click Encryption. Select the Use your own key option, as shown in the
following figure.
Step 2: Specify a key from a key vault
To specify a key from a key vault, first make sure that you have a key vault that contains a key. To specify a key from a key
vault, follow these steps:
4. Choose the Select from Key Vault option.
5. Choose the key vault KeyVault1234578 containing the key you want to use.
6. Choose the key from the key vault.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-portal
DRAG DROP
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains a user named
User1.
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.com. The
tenant contains an Azure Storage account named storage1. Storage1 contains an Azure file share named share1.
Currently, the domain and the tenant are not integrated.
You need to ensure that User1 can access share1 by using his domain credentials.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable
SIMULATION
You need to prevent HTTP connections to the rg1lod1234578n1 Azure Storage account.
To complete this task, sign in to the Azure portal.
See the explanation below.
Explanation:
The "Secure transfer required" feature is now supported in Azure Storage accounts. This feature enhances the security of
your storage account by enforcing that all requests to your account are made through a secure connection. This feature is
disabled by default.
1. In the Azure portal, select your Azure Storage account rg1lod12345678n1.
2. Select Configuration, and Secure Transfer required.
Reference:
https://techcommunity.microsoft.com/t5/Azure/quot-Secure-transfer-required-quot-is-available-in-Azure-Storage/m-p/82475
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso1812.onmicrosoft.com that contains the users shown
in the following table.
You create an Azure Information Protection label named Label1. The Protection settings for Label1 are configured as shown
in the exhibit. (Click the Exhibit tab.)
Label1 is applied to a file named File1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
User1 is a member of Group1. Group1 and User2 are assigned the Key Vault Contributor role for Vault1.
On January 1, 2019, you create a secret in Vault1. The secret is configured as shown in the exhibit. (Click the Exhibit tab.)
User2 is assigned an access policy to Vault1. The policy has the following configurations:
Key Management Operations: Get, List, and Restore
Cryptographic Operations: Decrypt and Unwrap Key
Secret Management Operations: Get, List, and Restore
Group1 is assigned an access policy to Vault1. The policy has the following configurations:
Key Management Operations: Get and Recover
Secret Management Operations: List, Backup, and Recover
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
You have an Azure subscription named Sub1 that contains the Azure key vaults shown in the following table:
In Sub1, you create a virtual machine that has the following configurations:
Name: VM1
Size: DS2v2
Resource group: RG1
Region: West Europe
Operating system: Windows Server 2016
You plan to enable Azure Disk Encryption on VM1.
In which key vaults can you store the encryption key for VM1?
A
Explanation:
In order to make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the Key Vault
and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be
encrypted.
Reference:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database
user.
What should you do?
B
You have an Azure subscription that contains a virtual machine named VM1.
You create an Azure key vault that has the following configurations:
Name: Vault5
Region: West US
Resource group: RG1
You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure
Backup.
Which key vault settings should you configure?
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
DRAG DROP
You have an Azure subscription named Sub1. Sub1 contains an Azure virtual machine named VM1 that runs Windows
Server 2016.
You need to encrypt VM1 disks by using Azure Disk Encryption.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/encrypt-disks
You have an Azure subscription that contains four Azure SQL managed instances.
You need to evaluate the vulnerability of the managed instances to SQL injection attacks.
What should you do first?
B
HOTSPOT
You have an Azure subscription that contains an Azure key vault named ContosoKey1.
You create users and assign them roles as shown in the following table.
You need to identify which users can perform the following actions:
Delegate permissions for ContosoKey1.
Configure network access to ContosoKey1.
Which users should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Explanation:
Reference: https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-guide