Microsoft Implementing End-to-End Security Controls for Cloud and AI Workloads - SC-500 Exam Practice Test

Question 1
You have a Microsoft Copilot Studio agent.
A Microsoft Power Platform administrator configures external threat detection for the agent by using a Microsoft Entra application.
You need to ensure that real-time protection is enabled during agent runtime.
What should you do in the Microsoft Defender portal?

Correct Answer: A
Question 2
You have a Microsoft Entra tenant that has the following configurations:
- User consent for applications is disabled.
- Only administrators can grant permissions to applications.
You register an application named App1 that uses delegated Microsoft Graph permissions.
You need to configure App1 to meet the following requirements:
- Enable user sign-ins without interactive consent prompts.
- Enable App1 to access Microsoft Graph on behalf of the signed-in user.
What should you do?

Correct Answer: B
Question 3
Hotspot Question
You have an Azure Container Instances container group named CG1 that has a DNS name of cg1.contoso.com. CG1 has the following configurations:
- A Linux container named container1 that serves HTTPS over TCP port 443 and hosts an application named App1
- A Linux container named container2 that listens on TCP port 5000 and is accessed only by App1
- A public IP address
A security review finds that external clients can reach TCP port 5000 by using the public IP address of CG1.
You need to meet the following requirements:
- Ensure that the external clients can access container1 only by using TCP port 443.
- Ensure that container1 can continue to access container2.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:
Question 4
Drag and Drop Question
You have a Microsoft 365 subscription.
You use Microsoft Entra Agent ID to manage an agent identity.
You manage AI agents from the Microsoft 365 admin center.
An autonomous agent named Agent1 runs without a signed-in user. The agent must access Microsoft Graph and read secrets from a single Azure key vault.
You need to grant Agent1 access to Microsoft Graph and Key Vault without requiring user interaction or consent at runtime.
What should you do for the agent identity? To answer, drag the appropriate actions to the correct services. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Correct Answer:
Question 5
You have an Azure subscription named Sub1 that contains multiple virtual machines.
You have a Microsoft 365 E5 subscription that contains devices onboarded to Microsoft Defender for Endpoint.
You have an on-premises datacenter that contains multiple servers.
You plan to onboard all existing and future on-premises servers to Azure Arc.
You need to ensure that the Azure Arc-enabled servers are protected by using the same security features as the Microsoft 365 devices immediately after the servers are onboarded. The solution must minimize administrative effort.
What should you do?

Correct Answer: B
Question 6
Your organization plans to allow developers to access Azure OpenAI resources. Management wants to ensure that access permissions follow the principle of least privilege. What should you use?

Correct Answer: A
Question 7
A company uses Microsoft Entra ID and has enabled Conditional Access. Administrators want to reduce the risk of token theft by requiring users to authenticate with phishing-resistant methods when accessing sensitive AI workloads. Which authentication method best satisfies this requirement?

Correct Answer: B
Question 8
Case Study 2 - Fabrikam, Inc.
Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment
Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.

The tenant contains the groups shown in the following table.

All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.

SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
- Bot Manager 1.1
- Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
- NIST SP 800-53 Rev. 4
- Microsoft cloud security benchmark (MCSB)
- System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
- Deploy the following key vaults to RG1:
  * AKV2 in the West Europe Azure region
  * AKV3 in the Central US Azure region
  * AKV4 in the East US Azure region
- Deploy the following key vaults to RG2:
  * AKV5 in the East US region
- Configure VM1 to read data from storage1.
- Create function apps that have the following hosting plans:
  * Fa1: Flex Consumption hosting plan
  * Fa2: Consumption hosting plan
  * Fa3: Dedicated hosting plan
- For WAF1, implement rate limiting rules based on the request location.
- Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for Cloud.
- Create a new storage account named storage2 that supports Azure Table storage.
- Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
- Implement ExpressRoute circuits to the on-premises network as shown in the following table.

- For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements. Technical Requirements
Fabrikam has the following technical requirements:
- If VM1 is deleted, the permissions for VM1 must be removed automatically.
- The AKS1 managed identity must only be able to pull images from Registry1.
- The ID1 managed identity must be able to push images to and pull images from Registry1.
- All the data in the storage accounts must be encrypted by using Fabrikam-managed keys.
- All outbound traffic from the function apps to the on-premises network must use ExpressRoute circuits.
- ExpressRoute connectivity between the on-premises network and the Azure environment must be encrypted by using Layer 2 or Layer 3 encryption.
You need to implement the planned change for storage2. The solution must meet the technical requirements for storage encryption. What should you do?

Correct Answer: D
Question 9
Hotspot Question
You have a Microsoft Entra tenant that contains the users shown in the following table.

You use Microsoft Security Copilot.
From Microsoft Security Store, User1 attempts to deploy a partner-built agent named Agent1 and reports that the Get agent option is unavailable.
You need to identify whether Agent1 can run in Security Copilot successfully. The solution must follow the principle of least privilege.
How should you complete the deployment? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: