
SC-500 Microsoft Certified: Cloud and AI Security Engineer Associate Questions and Answers

Questions 4

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

SC-500 Question 4

Options:

Questions 5

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have a Microsoft Sentinel workspace.

You have a multi-tier Security Operations Center (SOC) team.

You need to ensure that all new security incidents are assigned immediately to the Tier 1 analysts group and flagged for triage.

Solution: You create an automation rule.

Does this meet the goal?

Options:

A. Yes

B. No

Questions 6

You need to configure the AKS1 and ID 1 managed identities to meet the technical requirements. The solution must follow the principle of least privilege.

Which role should you assign to each identity? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-500 Question 6

Options:

Questions 7

You need to protect the applications hosted on AKS1. The solution must meet the technical requirements.

Which Defender for Cloud plan should you enable?

Options:

A. Microsoft Defender for Servers

B. Microsoft Defender for App Service

C. Microsoft Defender for Containers

D. Microsoft Defender for Resource Manager

E. Microsoft Defender for Storage

Questions 8

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have an Azure subscription that contains two virtual machines named VM1 and VM2. Each virtual machine has system-assigned managed identity enabled.

You have an Azure Storage account named storage1. Public access from all networks is enabled for storage1.

You need to ensure that VM1 and VM2 can access storage1.

Solution: You create a user-assigned managed identity, assign the identity to each virtual machine, and then add each managed identity to a role on storage1.

Does this meet the goal?

Options:

A. Yes

B. No

Questions 9

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have an Azure subscription that contains two virtual machines named VM1 and VM2. Each virtual machine has system-assigned managed identity enabled.

You have an Azure Storage account named storage1. Public access from all networks is enabled for storage1.

You need to ensure that VM1 and VM2 can access storage1.

Solution: You add each virtual machine to a security group, and then add the security group to a role on storage1.

Does this meet the goal?

Options:

A. Yes

B. No

Questions 10

You need to delegate a user to implement the planned change for Defender for Cloud. The solution must follow the principle of least privilege.

Which user should you choose?

Options:

A. Admin1

B. Admin2

C. Admin3

D. Admin4

Questions 11

You have an Azure subscription named Sub1 that contains 50 virtual machines. Sub1 has Microsoft Defender for Cloud enabled.

Sub1 contains an Azure key vault named KV1 and an Azure policy that enforces storing all secrets in KV1.

Occasionally, the developers at your company store plaintext tokens and SSH private keys on the virtual machines.

You need to configure Defender for Cloud to detect plaintext secrets on the virtual machines. The solution must minimize administrative changes to the virtual machines.

How should you configure Defender for Cloud? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-500 Question 11

Options:

Questions 12

You have Microsoft Security Copilot agents that authenticate by using Microsoft Entra service principals.

You receive a Microsoft Defender alert triggered by the anomalous OAuth authentication of an agent's Microsoft Entra service principal.

You need to assess the impact of the agent identity and identify which resources are affected if the identity is abused for lateral movement. The solution must minimize administrative effort.

What should you do?

Options:

A. From Advanced hunting, create a query against the IdentityLogonEvents table to list all the sign-ins performed by the identity.

B. From Attack paths, select the identity and view the blast radius.

C. From AI Observability in Microsoft Purview Data Security Posture Management (DSPM), review the agent activity.

D. From Microsoft Purview Audit, query the audit logs for all the role assignments granted to the identity.

E. From Incidents, review incidents related to OAuth events reported by Microsoft Defender for Cloud Apps.

Questions 13

You have an Azure subscription named Sub1 that contains a storage account named storage1.

Sub1 has Microsoft Defender for Storage enabled. Defender for Storage has on-upload malware scanning enabled for a monthly cap of 10,000 GB per storage account.

You use a Microsoft Sentinel workspace to monitor security events on all Azure resources.

You need to configure storage1 to use a malware scanning cap of 2.000 GB per month.

What should you do?

Options:

A. Enable Override Defender for Storage subscription-level settings for storage1.

B. From Microsoft Sentinel, modify the data collection rule (DCR) to restrict log ingestion from storage1.

C. Modify the malware scanning configuration of Sub1.

D. From the Microsoft Sentinel workspace, modify the daily cap.

Questions 14

You have an Azure subscription that contains a resource group named RG1.

RG1 contains a Microsoft Security Copilot deployment that is integrated with a Microsoft Sentinel workspace named Workspace1.

Analysts use the Security Copilot standalone experience to retrieve incidents by using the Microsoft Sentinel plugin.

A user named User1 can sign in to Security Copilot but cannot retrieve incidents from Workspace1. You verify that User1 has only the Security Copilot Contributor role.

You need to ensure that User1 can retrieve the incidents. The solution must follow the principle of least privilege and NOT require any configuration changes to Security Copilot.

Which role should you assign to User1?

Options:

A. The Security Reader role in Microsoft Entra

B. The Microsoft Sentinel Reader role for Workspace1

C. The Security Copilot Owner role

D. The Security Administrator role in Microsoft Entra

E. The Contributor role in Azure for RG1

Questions 15

You have a Microsoft Copilot Studio agent.

A Microsoft Power Platform administrator configures external threat detection for the agent by using a Microsoft Entra application.

You need to ensure that real-time protection is enabled during agent runtime.

What should you do in the Microsoft Defender portal?

Options:

A. Configure Microsoft Defender for Cloud Apps session policies.

B. Connect the Microsoft 365 app connector.

C. Enable Global Secure Access for Agents.

D. From Microsoft Sentinel, configure the Microsoft Purview data connector.

Questions 16

You have an Azure Storage account named storage1 that hosts a blob container named container1.

You have an Azure Functions app named app1 that uses a managed identity.

You need to configure app1 to read, write, and delete blobs in container1. The solution must follow the principle of least privilege.

What should you do?

Options:

A. Assign the Storage Account Contributor role to the managed identity of app1 at the scope of storage1.

B. Assign the Storage Blob Delegator role to the managed identity of app1 at the scope of container1.

C. Assign the Owner role to the managed identity of app1 at the scope of container1.

D. Assign the Storage Blob Data Contributor role to the managed identity of app1 at the scope of container1.

Questions 17

You have an Azure key vault named KV1 that uses role-based access control (RBAC) for data plane authorization.

You have a user named User1 and an Azure App Service web app named App1 that has a system-assigned managed identity.

You need to configure authorization to meet the following requirements:

• App1 must be able to retrieve secrets from KV1.

• User1 must manage the KV1 settings without accessing secret values.

The solution must follow the principle of least privilege.

Which role should you assign to each identity for KV1? To answer, drag the appropriate roles to the correct identities. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

SC-500 Question 17

Options:

Questions 18

You have a Microsoft Entra tenant that has the following configurations:

• User consent for applications is disabled.

• Only administrators can grant permissions to applications.

You register an application named App1 that uses delegated Microsoft Graph permissions.

You need to configure App1 to meet the following requirements:

• Enable user sign-ins without interactive consent prompts.

• Enable App1 to access Microsoft Graph on behalf of the signed-in user.

What should you do?

Options:

A. Configure enterprise applications to require user assignment and assign users to App1.

B. Modify the app registration to use application permissions instead of delegated permissions.

C. Add the required delegated Microsoft Graph permissions to the app registration and rely on user consent during sign-in.

D. Grant admin consent to App1 for the required delegated permissions.

Questions 19

You have a Microsoft Sentinel workspace.

You need to collect Windows security events from 200 Azure virtual machines that run Windows Server. The solution must meet the following requirements:

• Use direct agent-based data collection from each virtual machine.

• Use a supported agent for new virtual machine deployments.

Which Microsoft Sentinel connector should you use?

Options:

A. Windows Forwarded Events

B. Windows Security Events via AMA

C. Security Events via Legacy Agent

D. Syslog via AMA

E. Azure Resource Graph

Questions 20

You have three internet-facing Azure App Service web apps named App1, App2, and App1. Each app uses built-in authentication.

App2 hosts a backend API.

Some corporate users can sign in to App2, even though they should NOT be able to use the API.

You need to restrict App2 access to assigned Microsoft Entra users and groups.

What should you configure for App2? To answer, drag the appropriate configurations to the correct methods. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

SC-500 Question 20

Options:

Exam Code: SC-500
Exam Name: Microsoft Certified: Cloud and AI Security Engineer Associate
Last Update: Jul 1, 2026
Questions: 68