Pass the Microsoft Certified: Information Security Administrator Associate SC-500 Questions and answers with Dumpstech

Read, write, and delete blob access is data-plane access, and Storage Blob Data Contributor is the least-privilege built-in role for that operation set. Assigning it at the container scope keeps App1 constrained to container1 instead of the entire account. Storage Account Contributor is a management-plane role and is too broad. Storage Blob Delegator is for user delegation keys, not direct blob CRUD. Owner is also unnecessarily privileged. For this domain, least privilege means granting only the required data operation or allowing only the required network flow. The correct response avoids shared keys, broad peering, general contributor roles, or log-only controls when the scenario demands prevention, routing, event triggering, or account-specific configuration. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Storage access; Microsoft Learn > Storage Blob Data Contributor role.

==============================================================

A Logic Apps Request trigger can be invoked through different authorization mechanisms. If all supported methods are enabled but only OAuth-based requests should be accepted, disabling shared access signature authentication removes the non-OAuth shared-secret URL model. Secure Inputs and Secure Outputs protect run-history data but do not control request authentication. API Management could enforce auth but adds cost and complexity, which the requirement says to minimize. The exam objective emphasizes practical identity enforcement rather than cosmetic configuration. A valid answer must identify who authenticates, what permission is granted, where the scope is applied, and whether the method continues to work without passwords or secrets. That is why the selected answer is preferred over broader administrative roles or unrelated access settings. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Logic Apps security; Microsoft Learn > Request trigger SAS and OAuth authentication.

==============================================================

To access Microsoft Graph: Grant an application permission; To access Key Vault: Assign a role-based access control (RBAC) role

An autonomous agent has no signed-in user at runtime, so Microsoft Graph access must use application permissions rather than delegated permissions. Key Vault is protected through Azure RBAC, so the agent identity should receive an appropriate Key Vault role at the smallest possible scope. This avoids runtime user consent and avoids embedding secrets. Delegated permissions would fail for a background agent because there is no user context. For SC-500, the decisive distinction is whether the control authenticates an identity, grants authorization, or merely changes configuration visibility. The incorrect choices generally either grant excessive privilege, change the application model, or operate at the wrong scope. Microsoft expects the least-privilege identity path that satisfies the scenario without introducing shared secrets or unnecessary tenant-wide rights. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Manage Entra Agent ID access; Microsoft Learn > Graph application permissions and Key Vault RBAC.

==============================================================

Defender for Storage can be configured at the subscription level and overridden at the individual storage account level. Because the subscription cap is 10,000 GB but storage1 needs its own 2,000 GB monthly cap, the correct action is to enable the storage-account override and configure the account-specific malware scanning limit. Sentinel ingestion caps and DCR filtering affect logs, not the malware scanning volume cap. For this domain, least privilege means granting only the required data operation or allowing only the required network flow. The correct response avoids shared keys, broad peering, general contributor roles, or log-only controls when the scenario demands prevention, routing, event triggering, or account-specific configuration. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Defender for Storage configurations; Microsoft Learn > override subscription-level Defender for Storage settings.

==============================================================

Inbound from the internet: 443; Outbound to Subnet1: 3389

Azure Bastion requires inbound HTTPS access on TCP 443 from the internet to the AzureBastionSubnet so users can reach the Bastion service. For RDP to Windows virtual machines, Bastion then needs outbound access to the target subnet on TCP 3389. Port 22 would be required for SSH, but the scenario is specifically secure RDP. Other listed ports do not satisfy Bastion RDP access requirements. For this domain, least privilege means granting only the required data operation or allowing only the required network flow. The correct response avoids shared keys, broad peering, general contributor roles, or log-only controls when the scenario demands prevention, routing, event triggering, or account-specific configuration. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Azure Bastion; Microsoft Learn > Azure Bastion NSG access and port requirements.

==============================================================

Attack path analysis in Defender CSPM identifies how multiple misconfigurations and risks can be chained to produce business impact. The scenario asks for potential impact of incidents that exploit multiple risks, which is exactly the attack path use case. Regulatory compliance shows framework alignment, security recommendations show individual controls, and Cloud Security Explorer is useful for querying posture data but does not automatically rank chained exploit paths. The SC-500 study guide places these tasks under security posture, event collection, Defender CSPM, EASM, Sentinel, and Security Copilot operations. The exam expects the control that minimizes analyst effort while preserving correct permissions and data flow. The selected answer reflects that service boundary and avoids a broader or merely investigative alternative. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Defender CSPM; Microsoft Learn > attack path analysis.

==============================================================

A Global Administrator does not automatically have access to every Azure subscription. The first step is to enable Access management for Azure resources, which elevates the global administrator to manage Azure role assignments at the root scope. After that elevation, Admin1 can remove the Owner assignment from User1 on Sub1. Moving subscriptions or requesting Security Administrator would not provide the Azure RBAC authority needed to modify ownership. The exam objective emphasizes practical identity enforcement rather than cosmetic configuration. A valid answer must identify who authenticates, what permission is granted, where the scope is applied, and whether the method continues to work without passwords or secrets. That is why the selected answer is preferred over broader administrative roles or unrelated access settings. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Azure role assignments; Microsoft Learn > elevate access to manage Azure resources.

==============================================================

Microsoft Entra role: Security Reader; Azure role: Microsoft Sentinel Responder

Assigning incidents requires Sentinel incident-management permissions, which are provided by Microsoft Sentinel Responder at the workspace scope. Because the consultant is a guest user, Security Reader in Microsoft Entra gives the security-reader context commonly needed for security operations visibility without granting administrative tenant privileges. Sentinel Reader alone would allow viewing but not assignment. Contributor-level Azure roles would be broader than necessary. In Microsoft Sentinel and Defender scenarios, collection, detection, investigation, and automation are separate functions. The selected answer maps to the function requested by the question rather than a neighboring capability. This is why analytics, hunting, workbooks, connectors, automation rules, and playbooks must not be treated as interchangeable. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Assign roles in Microsoft Sentinel; Microsoft Learn > Microsoft Sentinel built-in roles.

==============================================================

Privileged pods must be rejected before they are admitted to the AKS cluster. Azure Policy for AKS integrates with admission control to enforce policies such as denying privileged containers. Runtime alerts can detect privileged activity after deployment, but the requirement is prevention. Agentless Kubernetes discovery and image vulnerability assessment provide visibility; they do not block a privileged pod specification during admission. For SC-500, compute controls are evaluated by workload type: VM, Arc server, AKS, container registry, container group, Functions, Logic Apps, App Service, and AI agent runtime. The right answer uses the Microsoft control that is native to that workload. Broad Azure roles or unrelated monitoring services would either overgrant access or fail to enforce the required security state. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > AKS security controls; Microsoft Learn > Azure Policy for AKS admission control.

==============================================================

User Access Administrator is the least-privilege Azure built-in role for managing role assignments without full resource ownership. Assigning it at the MG1 scope covers both Sub1 and Sub2 because management group scope flows down to child subscriptions. Contributor cannot assign Azure roles. Owner would work but grants more than role-assignment authority, violating least privilege. Assigning separately at each subscription adds unnecessary administration. For SC-500, the decisive distinction is whether the control authenticates an identity, grants authorization, or merely changes configuration visibility. The incorrect choices generally either grant excessive privilege, change the application model, or operate at the wrong scope. Microsoft expects the least-privilege identity path that satisfies the scenario without introducing shared secrets or unnecessary tenant-wide rights. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > manage Azure built-in role assignments; Microsoft Learn > User Access Administrator role.

==============================================================