After-sale service guarantee

We provide 24-hour online service for all customers who have purchased SC-500 test guide. You can send us an email to ask questions at anytime, anywhere. For any questions you may have during the use of SC-500 exam questions, our customer service staff will be patient to help you to solve them. At the same time, if you have problems with downloading and installing, Implementing End-to-End Security Controls for Cloud and AI Workloads torrent prep also has dedicated staff that can provide you with remote online guidance. In order to allow you to use our products with confidence, SC-500 test guide provide you with a 100% pass rate guarantee. Once you unfortunately fail the exam, we will give you a full refund, and our refund process is very simple.

SC-500 study materials can solve all your problems

We have dedicated staff to update all the content of SC-500 exam questions every day. So you don't need to worry about that you buy the materials so early that you can't learn the last updated content. And even if you failed to pass the exam for the first time, as long as you decide to continue to use Implementing End-to-End Security Controls for Cloud and AI Workloads torrent prep, we will also provide you with the benefits of free updates within one year and a half discount more than one year. SC-500 test guide use a very easy-to-understand language. So even if you are a newcomer, you don't need to worry that you can't understand the contents. Industry experts hired by SC-500 exam questions also explain all of the difficult professional vocabulary through examples, forms, etc. You can completely study alone without the help of others.

Flexible learning time

If you buy online classes, you will need to sit in front of your computer on time at the required time; if you participate in offline counseling, you may need to take an hour or two of a bus to attend class. But if you buy SC-500 test guide, things will become completely different. Unlike other learning materials on the market, Implementing End-to-End Security Controls for Cloud and AI Workloads torrent prep has an APP version. You can download our app on your mobile phone. And then, you can learn anytime, anywhere. Whatever where you are, whatever what time it is, just an electronic device, you can do exercises. With Implementing End-to-End Security Controls for Cloud and AI Workloads torrent prep, you no longer have to put down the important tasks at hand in order to get to class; with SC-500 exam questions, you don't have to give up an appointment for study.

It is not hard to know that Implementing End-to-End Security Controls for Cloud and AI Workloads torrent prep is compiled by hundreds of industry experts based on the syllabus and development trends of industries that contain all the key points that may be involved in the examination. Therefore, with SC-500 exam questions, you no longer need to purchase any other review materials, and you also don't need to spend a lot of money on tutoring classes. At the same time, SC-500 test guide will provide you with very flexible learning time in order to help you pass the exam.

DOWNLOAD DEMO

Microsoft Implementing End-to-End Security Controls for Cloud and AI Workloads Sample Questions:

1. You have an Azure Storage account named storage1 that hosts a blob container named container1.
You have an Azure Functions app named app1 that uses a managed identity.
You need to configure app1 to read, write, and delete blobs in container1. The solution must follow the principle of least privilege.
What should you do?

A) Assign the Owner role to the managed identity of App1 at the scope of container1.
B) Assign the Storage Account Contributor role to the managed identity of app1 at the scope of storage1.
C) Assign the Storage Blob Delegator role to the managed identity of App1 at the scope of container1.
D) Assign the Storage Blob Data Contributor role to the managed identity of App1 at the scope of container1.

2. Case Study 2 - Fabrikam, Inc.
Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment
Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.

The tenant contains the groups shown in the following table.

All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.

SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
- Bot Manager 1.1
- Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
- NIST SP 800-53 Rev. 4
- Microsoft cloud security benchmark (MCSB)
- System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
- Deploy the following key vaults to RG1:
* AKV2 in the West Europe Azure region
* AKV3 in the Central US Azure region
* AKV4 in the East US Azure region
- Deploy the following key vaults to RG2:
* AKV5 in the East US region
- Configure VM1 to read data from storage1.
- Create function apps that have the following hosting plans:
* Fa1: Flex Consumption hosting plan
* Fa2: Consumption hosting plan
* Fa3: Dedicated hosting plan
- For WAF1, implement rate limiting rules based on the request
location.
- Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for
Cloud.
- Create a new storage account named storage2 that supports Azure Table storage.
- Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
- Implement ExpressRoute circuits to the on-premises network as shown
in the following table.

- For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements. Technical Requirements
Fabrikam has the following technical requirements:
- If VM1 is deleted, the permissions for VM1 must be removed
automatically.
- The AKS1 managed identity must only be able to pull images from
Registry1.
- The ID1 managed identity must be able to push images to and pull
images from Registry1.
- All the data in the storage accounts must be encrypted by using
Fabrikam-managed keys.
- All outbound traffic from the function apps to the on-premises
network must use ExpressRoute circuits.
- ExpressRoute connectivity between the on-premises network and the
Azure environment must be encrypted by using Layer 2 or Layer 3
encryption.
You need to implement the function apps to meet the technical requirements. Which apps should you include in the implementation?

A) Fa2 and Fa3 only
B) Fa1 and Fa3 only
C) Fa1 and Fa2 only
D) Fa1, Fa2, and Fa3

3. Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have an Azure subscription that contains two virtual machines named VM1 and VM2. Each virtual machine has system-assigned managed identity enabled.
You have an Azure Storage account named storage1. Public access from all networks is enabled for storage1.
You need to ensure that VM1 and VM2 can access storage1.
Solution: You add each virtual machine to a role on storage1.
Does this meet the goal?

A) No
B) Yes

4. You have an Azure SQL Database logical server named Server1 that contains multiple databases.
The databases contain legacy SQL authentication logins that must no longer be usable for sign-in but must NOT be removed from the databases.
You need to ensure that SQL authentication is denied for connections.
What should you do?

A) Run create USER ... FROM EXTERNAL PROVIDER on each database.
B) Create a Conditional Access policy.
C) Assign the SQL Server Contributor role to Server1.
D) Enable Microsoft Entra-only authentication for Server1.

5. Case Study 2 - Fabrikam, Inc.
Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment
Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.

The tenant contains the groups shown in the following table.

All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.

SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
- Bot Manager 1.1
- Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
- NIST SP 800-53 Rev. 4
- Microsoft cloud security benchmark (MCSB)
- System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
- Deploy the following key vaults to RG1:
* AKV2 in the West Europe Azure region
* AKV3 in the Central US Azure region
* AKV4 in the East US Azure region
- Deploy the following key vaults to RG2:
* AKV5 in the East US region
- Configure VM1 to read data from storage1.
- Create function apps that have the following hosting plans:
* Fa1: Flex Consumption hosting plan
* Fa2: Consumption hosting plan
* Fa3: Dedicated hosting plan
- For WAF1, implement rate limiting rules based on the request
location.
- Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for
Cloud.
- Create a new storage account named storage2 that supports Azure Table storage.
- Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
- Implement ExpressRoute circuits to the on-premises network as shown
in the following table.

- For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements. Technical Requirements
Fabrikam has the following technical requirements:
- If VM1 is deleted, the permissions for VM1 must be removed
automatically.
- The AKS1 managed identity must only be able to pull images from
Registry1.
- The ID1 managed identity must be able to push images to and pull
images from Registry1.
- All the data in the storage accounts must be encrypted by using
Fabrikam-managed keys.
- All outbound traffic from the function apps to the on-premises
network must use ExpressRoute circuits.
- ExpressRoute connectivity between the on-premises network and the
Azure environment must be encrypted by using Layer 2 or Layer 3
encryption.
You need to implement the planned change for SQLdb1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A) Configure Microsoft Entra authentication for SQLServer1.
B) Configure a user-assigned managed identity for SQLdb1
C) Create a Conditional Access policy.
D) Create a compliance policy.
E) Configure Federated client identity for SQLdb1.

Solutions: