Regular update

Our experts are working hard to perfect every detail in our research center. Once they find it possible to optimize the SC-500 study guide, they will test it for many times to ensure the stability and compatibility. Under a series of strict test, the updated version will be soon delivered to every customer's email box. If you have changed your email address, please tell our online workers in order to miss our newest version of the SC-500 exam torrent: Implementing End-to-End Security Controls for Cloud and AI Workloads. Also, you are supposed to check the email regularly and carefully in case you delete our email mistakenly. In addition, the updated version is totally free of charge.

Reasonable price

The price of our SC-500 training materials is completely reasonable. Our price is set through scientific calculation. Ordinary people can afford for it. We have tried hard to reduce the manufacturing cost of the study materials. Also, we have introduced the most advanced management system on SC-500 study guide, which saves a large amount of money. So the whole company is running efficiently. That is why our price of the SC-500 exam torrent: Implementing End-to-End Security Controls for Cloud and AI Workloads is so competitive in the market. The money you have invested on updating yourself is worthwhile. The knowledge you have learned is priceless. You can obtain many useful skills on our SC-500 study guide, which is of great significance in your daily work. Never feel sorry to invest yourself. Our study materials deserve your choice. You only need to pay for the study guide once, but it belongs to you forever. If you still cannot make decisions, you can try our free demo of the SC-500 training materials.

In the 21st century, you must make the best use of internet technology to enrich yourself. Our SC-500 training materials have won great success in the market. Almost half candidates are learning on our test engine. First of all, our study materials cover all related tests about computers. It will be easy for you to find your prepared test material. If you are suspicious of our SC-500 exam torrent: Implementing End-to-End Security Controls for Cloud and AI Workloads, you can download the free demo from our official websites. All in all, it is up to you to make a decision. We are looking forward to your coming.

Real test environment

If you are the first time to take part in the exam. We strongly advise you to buy our SC-500 training materials. One of the most advantages is that our study materials are simulating the real exam environment. Many candidates usually feel nervous in the real exam. If you purchase our study materials, you do not need to worry about making mistakes when you take the real exam. In addition, you have plenty of time to practice on our SC-500 exam torrent: Implementing End-to-End Security Controls for Cloud and AI Workloads. The time you have spent on our study materials will finally pay off. Our design and research are totally based on offering you the best help. We hope that learning can be a pleasant and relaxing process. If you really want to pass the exam and get the certificate, just buy our SC-500 study guide. The real test environment will completely beyond your imagination. Your ability will be enhanced quickly. Let us witness the miracle of the moment!

Microsoft Implementing End-to-End Security Controls for Cloud and AI Workloads Sample Questions:

1. Case Study 2 - Fabrikam, Inc.
Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment
Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.

The tenant contains the groups shown in the following table.

All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.

SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
- Bot Manager 1.1
- Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
- NIST SP 800-53 Rev. 4
- Microsoft cloud security benchmark (MCSB)
- System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
- Deploy the following key vaults to RG1:
* AKV2 in the West Europe Azure region
* AKV3 in the Central US Azure region
* AKV4 in the East US Azure region
- Deploy the following key vaults to RG2:
* AKV5 in the East US region
- Configure VM1 to read data from storage1.
- Create function apps that have the following hosting plans:
* Fa1: Flex Consumption hosting plan
* Fa2: Consumption hosting plan
* Fa3: Dedicated hosting plan
- For WAF1, implement rate limiting rules based on the request
location.
- Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for
Cloud.
- Create a new storage account named storage2 that supports Azure Table storage.
- Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
- Implement ExpressRoute circuits to the on-premises network as shown
in the following table.

- For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements. Technical Requirements
Fabrikam has the following technical requirements:
- If VM1 is deleted, the permissions for VM1 must be removed
automatically.
- The AKS1 managed identity must only be able to pull images from
Registry1.
- The ID1 managed identity must be able to push images to and pull
images from Registry1.
- All the data in the storage accounts must be encrypted by using
Fabrikam-managed keys.
- All outbound traffic from the function apps to the on-premises
network must use ExpressRoute circuits.
- ExpressRoute connectivity between the on-premises network and the
Azure environment must be encrypted by using Layer 2 or Layer 3
encryption.
You need to delegate a user to implement the planned change for Defender for Cloud. The solution must follow the principle of least privilege. Which user should you choose?

A) Admin2
B) Admin4
C) Admin1
D) Admin3

2. You have an Azure Storage account named storage1 that contains Azure Files shares.
You have an application named App1 that uses a system-assigned managed identity to access the shares.
Administrators access the shares by using storage account keys.
You need to ensure that App1 access the shares without using the storage account keys.
What should you do on storage1?

A) Store the storage account access keys in Azure Key Vault and regenerate them periodically.
B) Assign the Storage File Data Privileged Reader role to the managed identity of App1.
C) Set Allow storage account key access to Disabled.
D) Select Default to Microsoft Entra authorization in the Azure portal.

3. Case Study 2 - Fabrikam, Inc.
Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment
Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.

The tenant contains the groups shown in the following table.

All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.

SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
- Bot Manager 1.1
- Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
- NIST SP 800-53 Rev. 4
- Microsoft cloud security benchmark (MCSB)
- System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
- Deploy the following key vaults to RG1:
* AKV2 in the West Europe Azure region
* AKV3 in the Central US Azure region
* AKV4 in the East US Azure region
- Deploy the following key vaults to RG2:
* AKV5 in the East US region
- Configure VM1 to read data from storage1.
- Create function apps that have the following hosting plans:
* Fa1: Flex Consumption hosting plan
* Fa2: Consumption hosting plan
* Fa3: Dedicated hosting plan
- For WAF1, implement rate limiting rules based on the request
location.
- Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for
Cloud.
- Create a new storage account named storage2 that supports Azure Table storage.
- Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
- Implement ExpressRoute circuits to the on-premises network as shown
in the following table.

- For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements. Technical Requirements
Fabrikam has the following technical requirements:
- If VM1 is deleted, the permissions for VM1 must be removed
automatically.
- The AKS1 managed identity must only be able to pull images from
Registry1.
- The ID1 managed identity must be able to push images to and pull
images from Registry1.
- All the data in the storage accounts must be encrypted by using
Fabrikam-managed keys.
- All outbound traffic from the function apps to the on-premises
network must use ExpressRoute circuits.
- ExpressRoute connectivity between the on-premises network and the
Azure environment must be encrypted by using Layer 2 or Layer 3
encryption.
You need to implement the planned change for SQLdb1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A) Configure a user-assigned managed identity for SQLdb1
B) Configure Microsoft Entra authentication for SQLServer1.
C) Configure Federated client identity for SQLdb1.
D) Create a Conditional Access policy.
E) Create a compliance policy.

4. You have a management group named MG1 that contains two subscriptions named Sub1 and Sub2.
Sub1 contains a resource group named RG-Exception and a resource group named RG1 that hosts Microsoft Foundry resources.
You need to assign an Azure policy to force new Foundry deployments in MG1 to use private endpoints. The solution must NOT restrict deployments in RG-Exception.
How should you configure the policy?

A) Assign the policy to MG1 and exclude RG-Exception.
B) Assign the policy to MG1 and RG-Exception.
C) Assign the policy to Sub1 and RG-Exception.
D) Assign the policy to Sub1 and exclude RG-Exception.

5. You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1.
You enable content trust for ContReg1.
You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A) AcrQuarantineWriter
B) AcrImageSigner
C) AcrPush
D) Contributor
E) AcrQuarantineReader

Solutions: