Microsoft SC-500 Dumps V8.02: Prepare for Cloud and AI Security Engineer Associate Exam 2026

The Microsoft SC-500 beta exam is available for the Microsoft Certified: Cloud and AI Security Engineer Associate (beta) credential. It represents a significant shift in Microsoft’s security track by directly addressing the emerging trend of securing AI-integrated infrastructure alongside traditional cloud environments. The Microsoft SC-500 dumps V8.02 from DumpsBase are designed to support effective preparation for the Implementing End-to-End Security Controls for Cloud and AI Workloads (beta) exam in 2026. V8.02 contains 67 practice questions, helping you focus on important knowledge areas, review exam-style questions, and strengthen your understanding of key Microsoft security concepts. The SC-500 exam questions and answers in V8.02 allow you to prepare in a more organized way instead of spending too much time searching for scattered resources. With the latest SC-500 exam dumps from DumpsBase, you can improve your preparation efficiency and enter the exam with greater confidence.

Before downloading the SC-500 dumps V8.02, you can read our free demo questions below to check quality:

1. Question Set 2



You have an Azure SQL Database logical server named Server1 that contains multiple databases.

The databases contain legacy SQL authentication logins that must no longer be usable for sign-in but must NOT be removed from the databases.

You need to ensure that SQL authentication is denied for connections.

What should you do?
2. You have a Microsoft Entra tenant that uses Privileged Identity Management (PIM).

You need to modify the AI Administrator role settings to meet the following requirements:

- Elevated access must be evaluated by another administrator before it is granted.

- Privileged access must be removed automatically after a fixed period.

Which two settings should you configure? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
3. HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:


4. You have an Azure management group named MG1 that contains two subscriptions named Sub1 and Sub2. Both subscriptions are linked to a Microsoft Entra tenant that contains a security group named Group1.

You need to ensure that the members of Group1 can assign roles to the resources in Sub1 and Sub2. The solution must follow the principle of least privilege.

Which role should you assign to Group1?
5. You have two management groups named MG1 and MG2 that contain multiple Azure subscriptions. The subscriptions are linked to a Microsoft Entra tenant.

You have a user named User1 and a global administrator named Admin1.

You are informed that User1 created an Azure subscription named Sub1 under the MG2 management group and is the only owner of the subscription.

You need to ensure that Admin1 can remove the Owner role from User1 for Sub1.

What should you do first?
6. Testlet 1



Overview

Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.



Existing Environment. Network environment

The on-premises network contains a datacenter in each office.



Existing Environment. Cloud environment

Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.



All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.







The tenant contains the groups shown in the following table.





All devices are enrolled in Microsoft Intune.



Existing Environment. Sub1 Resources

Sub1 contains a resource group named RG1 that contains the resources shown in the following table.





SQLServer1 uses Microsoft SQL Server authentication.



Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:

• Bot Manager 1.1

• Azure-managed Default Rule Set (DRS)



Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:

• NIST SP 800-53 Rev. 4

• Microsoft cloud security benchmark (MCSB)

• System and Organization Controls (SOC) 2 Type 2



Existing Environment. Sub2 Resources

Sub2 contains a resource group named RG2.



Planned Changes and Requirements. Planned Changes

Fabrikam plans to implement the following changes:

• Deploy the following key vaults to RG1:

o AKV2 in the West Europe Azure region

o AKV3 in the Central US Azure region

o AKV4 in the East US Azure region

• Deploy the following key vaults to RG2:

o AKV5 in the East US region

• Configure VM1 to read data from storage1.

• Create function apps that have the following hosting plans:

o Fa1: Flex Consumption hosting plan

o Fa2: Consumption hosting plan

o Fa3: Dedicated hosting plan

• For WAF1, implement rate limiting rules based on the request location.

• Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for Cloud.

• Create a new storage account named storage2 that supports Azure Table storage.

• Enforce multifactor authentication (MFA) when database administrators access SQLdb1.

• Implement ExpressRoute circuits to the on-premises network as shown in the following table.





• For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.



Planned Changes and Requirements. Technical Requirements

Fabrikam has the following technical requirements:

• If VM1 is deleted, the permissions for VM1 must be removed automatically.

• The AKS1 managed identity must only be able to pull images from Registry1.

• The ID1 managed identity must be able to push images to and pull images from Registry1.

• All the data in the storage accounts must be encrypted by using Fabrikam-managed keys.

• All outbound traffic from the function apps to the on-premises network must use ExpressRoute circuits.

• ExpressRoute connectivity between the on-premises network and the Azure environment must be encrypted by using Layer 2 or Layer 3 encryption.



You need to implement the planned change for SQLdb1.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
7. DRAG DROP

You have a Microsoft Entra tenant.

You need to implement passwordless authentication.

The solution must meet the following requirements:

- Users can sign in without a password by using a mobile device.

- New users that sign in for the first time must use a helpdesk-issued sign-in method that expires.

Which authentication method should you enable for each requirement? To answer, drag the appropriate methods to the correct requirements. Each method may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.


8. You have an Azure subscription named Sub1 that contains an Azure Database for PostgreSQL instance.

Sub1 has Microsoft Defender for Cloud enabled.

You need to configure Microsoft Defender for Databases to minimize costs.

Which Defender plan should you enable?
9. You have a Microsoft Entra tenant that has user consent for applications disabled.

You register an application named App1 that requests the following Microsoft Graph delegated permissions:

- User.Read

- Mail.Read

You need to configure tenant permissions to meet the following requirements:

- Enable users to grant consent for low-risk permissions without administrator interaction.

- Ensure that applications requesting higher-privilege permissions require administrator approval.

What should you do?
10. You have an Azure key vault named KV1 that uses role-based access control (RBAC) authorization. KV1 stores database connection strings for an Azure App Service web app named App1.

You enable a firewall on KV1 and allow access to KV1 from only the virtual network that contains App1.

You need to ensure that App1 can retrieve secrets from KV1 without using credentials stored in the application configuration.

What should you create?
11. You need to implement the planned change for storage2. The solution must meet the technical requirements for storage encryption.

What should you do?
12. You have an Azure subscription named Sub1 that contains a storage account named storage1. Sub1 has Microsoft Defender for Storage enabled. Defender for Storage has malware scanning enabled.

You need to configure a solution that automates the remediation of malware detected in storage1.

What should you include in the solution?
13. Testlet 1


Overview

Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.

Contoso has a hybrid environment that contains on-premises servers connected to Azure, a Microsoft 365 E5 subscription, and an Azure subscription named Sub1.


Existing Environment. Microsoft Entra tenant

Contoso has a Microsoft Entra tenant named contoso.com that contains the users shown in the following table.


Existing Environment. On-premises environment

The on-premises network contains an Active Directory Domain Services (AD DS) forest that syncs with contoso.com. The forest contains a server named Server1 that runs Windows Server.


Existing Environment. Azure subscription

Sub1 contains the storage accounts shown in the following table.


Sub1 contains the virtual networks shown in the following table.


Sub1 contains the virtual machines shown in the following table.


The network interface of VM1 is associated with an application security group named ASG1.


Sub1 contains the resources shown in the following table.


Vault1 stores the objects shown in the following table.


Existing Environment. Privileged Identity Management (PIM) configuration

You manage privileged roles by using Privileged Identity Management (PIM).

The PIM role settings are configured as shown in the following table.


Existing Environment. Microsoft Sentinel configuration

Contoso has a Microsoft Sentinel workspace that contains the following tables.


Requirements. Planned changes

Contoso plans to implement the following changes:

- Integrate AKS1 with Vault1.

- Enable Microsoft Entra Kerberos authentication for all supported storage.

- Configure auditing for sql1 by using the Azure portal and store audit logs in a centralized location.


Requirements. Technical requirements

Contoso identifies the following technical requirements:

- Protect Server1 by using file integrity monitoring.

- Protect AKS1 by using Microsoft Defender for Cloud.

- Configure Microsoft Sentinel to retain data for the maximum supported duration without changing the tier.

- Store objects used for authentication and encryption in Vault1 and ensure that Vault1 regenerates the objects every 30 days, whenever possible.


HOTSPOT

User1 has requested to use the AI Administrator role.

Which approvers can approve the request, and how long will User1 be an AI administrator after the role is approved? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


14. HOTSPOT

You have an Azure key vault named KV1 that uses role-based access control (RBAC) for data plane authorization.

You have a user named User1 and an Azure App Service web app named App1 that has a system-assigned managed identity.

You need to configure authorization to meet the following requirements:

- App1 must be able to retrieve secrets from KV1.

- User1 must manage the KV1 settings without accessing secret values.

The solution must follow the principle of least privilege.

Which role should you assign to each identity for KV1? To answer, drag the appropriate roles to the correct identities. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Select and Place:


15. HOTSPOT

You have an Azure subscription named Sub1 that contains 50 virtual machines. Sub1 has Microsoft Defender for Cloud enabled.

Sub1 contains an Azure key vault named KV1 and an Azure policy that enforces storing all secrets in KV1.

Occasionally, the developers at your company store plaintext tokens and SSH private keys on the virtual machines.

You need to configure Defender for Cloud to detect plaintext secrets on the virtual machines. The solution must minimize administrative changes to the virtual machines.

How should you configure Defender for Cloud? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


16. HOTSPOT

You have an Azure subscription.

You need to create and deploy an Azure policy that meets the following requirements:

- When a new virtual machine is deployed, automatically install a custom security extension.

- Trigger an autogenerated remediation task for non-compliant virtual machines to install the extension.

What should you include in the policy? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


17. You have a management group named MG1 that contains two subscriptions named Sub1 and Sub2.

Sub1 contains a resource group named RG-Exception and a resource group named RG1 that hosts Microsoft Foundry resources.

You need to assign an Azure policy to force new Foundry deployments in MG1 to use private endpoints.

The solution must NOT restrict deployments in RG-Exception.

How should you configure the policy?
18. Question Set 2



You have an Azure SQL Database logical server named Server1 that contains a database named DB1.

You need to configure authentication for Server1 to meet the following requirements:

- SQL authentication cannot be used for any databases on Server1.

- The solution must be enforced centrally at the server level.

What should you do?
19. You have a Microsoft Entra tenant that has the following configurations:

- User consent for applications is disabled.

- Only administrators can grant permissions to applications.

You register an application named App1 that uses delegated Microsoft Graph permissions.

You need to configure App1 to meet the following requirements:

- Enable user sign-ins without interactive consent prompts.

- Enable App1 to access Microsoft Graph on behalf of the signed-in user.

What should you do?
20. You have an Azure Storage account named storage1 that contains Azure Files shares.

You have an application named App1 that uses a system-assigned managed identity to access the shares.

Administrators access the shares by using storage account keys.

You need to ensure that App1 accesses the shares without using the storage account keys.

What should you do on storage1?

 
