Download Cloud and AI Security Engineer Associate.SC-500.DumpsBase.2026-06-24.20q.tqb

Vendor: Microsoft
Exam Code: SC-500
Exam Name: Cloud and AI Security Engineer Associate
Date: Jun 24, 2026
File Size: 2 MB

How to open TQB files?

Files with TQB (Taurus Question Bank) extension can be opened by Taurus Exam Studio.

Demo Questions

Question 1
You have an Azure SQL Database logical server named Server1 that contains multiple databases.
The databases contain legacy SQL authentication logins that must no longer be usable for sign-in but must NOT be removed from the databases.
You need to ensure that SQL authentication is denied for connections.
What should you do?
  A. Run CREATE USER ... FROM EXTERNAL PROVIDER on each database.
  B. Create a Conditional Access policy.
  C. Enable Microsoft Entra-only authentication for Server1.
  D. Assign the SQL Server Contributor role to Server1.
Correct answer: C
Question 2
You have a Microsoft Entra tenant that uses Privileged Identity Management (PIM).
You need to modify the AI Administrator role settings to meet the following requirements:
  • Elevated access must be evaluated by another administrator before it is granted.
  • Privileged access must be removed automatically after a fixed period.
Which two settings should you configure? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
  A. Expire active assignments after
  B. Require approval to activate
  C. Require justification on activation
  D. Expire eligible assignments after
  E. Activation maximum duration
Correct answer: A
Explanation:
Requiring approval to activate ensures that a designated administrator must evaluate and approve an eligible user’s elevation request before privileged access is granted. Setting an activation maximum duration makes each activated role assignment time-bound, automatically removing the elevated access when the configured activation period expires.
Reference:
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role
Question 3
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. 
Correct answer: To work with this question, an Exam Simulator is required.
Explanation:
Admin1 must approve requests for the Agent ID Developer role: No
Admin2 can approve requests for the AI Administrator role: No
Admin3 can assign User1 a two-day active assignment for the Agent ID Developer role: Yes
The Agent ID Developer role does not require approval for activation, so no approval request is generated. The AI Administrator role requires approval, but because no specific approvers are configured, only active Global Administrators and Privileged Role Administrators act as default approvers; an AI Administrator is not a default approver. Admin3 is a Privileged Role Administrator and can assign Microsoft Entra roles in PIM. The one-day activation maximum duration limits eligible-role activations, not administrator-created active assignments; active assignments for the Agent ID Developer role can last up to the configured 15-day period, so a two-day active assignment is allowed.
Reference: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings
Question 4
You have an Azure management group named MG1 that contains two subscriptions named Sub1 and Sub2. Both subscriptions are linked to a Microsoft Entra tenant that contains a security group named Group1.
You need to ensure that the members of Group1 can assign roles to the resources in Sub1 and Sub2. The solution must follow the principle of least privilege.
Which role should you assign to Group1?
  A. Contributor at the MG1 scope
  B. Contributor at the Sub1 and Sub2 scopes
  C. User Access Administrator at the MG1 scope
  D. Owner at the MG1 scope
Correct answer: C
Explanation:
The User Access Administrator role permits members of Group1 to manage role assignments without granting them permission to modify the underlying Azure resources. Assigning the role at the MG1 scope causes the permission to be inherited by both Sub1 and Sub2 and their resources, providing centralized least-privilege access management.
Reference:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs
https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview
Question 5
You have two management groups named MG1 and MG2 that contain multiple Azure subscriptions. The subscriptions are linked to a Microsoft Entra tenant.
You have a user named User1 and a global administrator named Admin1.
You are informed that User1 created an Azure subscription named Sub1 under the MG2 management group and is the only owner of the subscription.
You need to ensure that Admin1 can remove the Owner role from User1 for Sub1.
What should you do first?
  A. Move Sub1 to MG1.
  B. Assign Admin1 the User Access Administrator role for Sub1.
  C. Instruct Admin1 to use Privileged Identity Management (PIM) to request the Security Administrator role.
  D. Instruct Admin1 to enable Access management for Azure resources.
Correct answer: D
Explanation:
Enabling Access management for Azure resources allows a Microsoft Entra Global Administrator to elevate access and receive the User Access Administrator role at the root scope. This inherited access applies to Sub1 and enables Admin1 to remove User1's Owner role assignment from the subscription.
Reference:
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Question 6
Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment
Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.
The tenant contains the groups shown in the following table.
All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.
SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
  • Bot Manager 1.1
  • Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
  • NIST SP 800-53 Rev. 4
  • Microsoft cloud security benchmark (MCSB)
  • System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
  • Deploy the following key vaults to RG1:
    • AKV2 in the West Europe Azure region
    • AKV3 in the Central US Azure region
    • AKV4 in the East US Azure region
  • Deploy the following key vaults to RG2:
    • AKV5 in the East US region
  • Configure VM1 to read data from storage1.
  • Create function apps that have the following hosting plans:
    • Fa1: Flex Consumption hosting plan
    • Fa2: Consumption hosting plan
    • Fa3: Dedicated hosting plan
  • For WAF1, implement rate limiting rules based on the request location.
  • Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for Cloud.
  • Create a new storage account named storage2 that supports Azure Table storage.
  • Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
  • Implement ExpressRoute circuits to the on-premises network as shown in the following table.
  • For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements.
Technical Requirements
Fabrikam has the following technical requirements:
  • If VM1 is deleted, the permissions for VM1 must be removed automatically.
  • The AKS1 managed identity must only be able to pull images from Registry1.
  • The ID1 managed identity must be able to push images to and pull images from Registry1.
  • All the data in the storage accounts must be encrypted by using Fabrikam-managed keys.
  • All outbound traffic from the function apps to the on-premises network must use ExpressRoute circuits.
  • ExpressRoute connectivity between the on-premises network and the Azure environment must be encrypted by using Layer 2 or Layer 3 encryption.
You need to implement the planned change for SQLdb1.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
  A. Create a compliance policy.
  B. Configure Microsoft Entra authentication for SQLServer1.
  C. Create a Conditional Access policy.
  D. Configure Federated client identity for SQLdb1.
  E. Configure a user-assigned managed identity for SQLdb1.
Correct answer: A
Explanation:
Microsoft Entra authentication must be configured for SQLServer1 so database administrators can authenticate to Azure SQL Database by using Microsoft Entra identities. A Conditional Access policy can then target Azure SQL Database and require multifactor authentication when administrators connect to SQLdb1.
Reference:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql=azure-portal
https://learn.microsoft.com/en-us/azure/azure-sql/database/conditional-access-configure?view=azuresql
Question 7
You have a Microsoft Entra tenant.
You need to implement passwordless authentication.
The solution must meet the following requirements:
  • Users can sign in without a password by using a mobile device.
  • New users that sign in for the first time must use a helpdesk-issued sign-in method that expires.
Which authentication method should you enable for each requirement? To answer, drag the appropriate methods to the correct requirements. Each method may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Correct answer: To work with this question, an Exam Simulator is required.
Explanation:
Passwordless sign-in: Microsoft Authenticator
First-time sign-in for new users: Temporary Access Pass
Microsoft Authenticator supports passwordless phone sign-in, allowing users to authenticate from a registered mobile device without entering a password. Temporary Access Pass is a time-limited, helpdesk-issued passcode that enables new users to complete their initial sign-in and register passwordless authentication methods.
Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
Question 8
You have an Azure subscription named Sub1 that contains an Azure Database for PostgreSQL instance.
Sub1 has Microsoft Defender for Cloud enabled.
You need to configure Microsoft Defender for Databases to minimize costs.
Which Defender plan should you enable?
  A. Microsoft Defender for Servers
  B. Microsoft Defender for Open-Source Relational Databases
  C. Microsoft Defender for SQL Servers on Machines
  D. Microsoft Defender for Azure SQL Databases
  E. Microsoft Defender for Storage
Correct answer: B
Explanation:
Microsoft Defender for Open-Source Relational Databases provides threat protection specifically for Azure Database for PostgreSQL. Enabling only this database-specific plan minimizes costs because Defender for Databases offerings are priced separately, and no unrelated resource protection plans are required.
Reference:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-introduction
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-overview
Question 9
You have a Microsoft Entra tenant that has user consent for applications disabled.
You register an application named App1 that requests the following Microsoft Graph delegated permissions:
  • User.Read
  • Mail.Read
You need to configure tenant permissions to meet the following requirements:
  • Enable users to grant consent for low-risk permissions without administrator interaction.
  • Ensure that applications requesting higher-privilege permissions require administrator approval.
What should you do?
  A. Grant tenant-wide admin consent to App1.
  B. Configure application assignments for App1.
  C. Configure Privileged Identity Management (PIM) role assignments.
  D. Create an app consent policy.
Correct answer: D
Explanation:
An app consent policy defines the conditions under which users can consent to delegated permissions, such as permitting approved low-risk permissions while withholding consent rights for higher-privilege permissions. Permissions outside the allowed policy conditions require administrator consent or approval.
Reference:
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies?pivots=ms-powershell
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal
Question 10
You have an Azure key vault named KV1 that uses role-based access control (RBAC) authorization. KV1 stores database connection strings for an Azure App Service web app named App1.
You enable a firewall on KV1 and allow access to KV1 from only the virtual network that contains App1.
You need to ensure that App1 can retrieve secrets from KV1 without using credentials stored in the application configuration.
What should you create?
  A. an access policy for KV1
  B. an app registration for App1
  C. a private endpoint for KV1
  D. a managed identity for App1
Correct answer: D
Explanation:
A managed identity enables App1 to authenticate to Azure Key Vault through Microsoft Entra ID without storing or managing application credentials. Because KV1 uses RBAC authorization, the identity must also be assigned an appropriate Key Vault data-plane role, such as Key Vault Secrets User, to retrieve the stored connection strings.
Reference:
https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli