True is correct as it is possible to add the Azure VM Antimalware extension. It is to be noted that Windows Server 2016 OS has Windows Defender built-in by default which protects against malware. However, if you run the Azure VM Antimalware extension on top of Windows Defender, the extension will apply any optional configuration policies to be used by Windows Defender and that the extension will not deploy any additional antimalware services. https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware

All of the above are correct. When deploying Microsoft antimalware for Azure applications, some of the features are: real-time protection, malware remediation, exclusion of files, processes and drives, and automatic updates to the antimalware engine and platform. https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware

Azure PowerShell, CLI and Rest API is correct and can be used to create custom RBAC roles in Azure. CMD is incorrect as this is not supported. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Option 1 is correct as you need to define the allowed action as restart. Option 4 is correct as you need to define the action which is not allowed, in this case it is shutdown. Option 2 is incorrect as you do not want the third party to start the VM as this is not a requirement. Option 3 is incorrect as you should make use of the shutdown parameter instead of start as you want to prohibit the shutdown of the VM, not the starting of the VM. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

The correct answers are:

• A. Subnet

• C. Network Interface Card (NIC)

Network Security Groups (NSGs) can be associated with subnets and individual network interfaces to control inbound and outbound network traffic.

• Subnets: When associated with a subnet, the NSG rules apply to all resources within that subnet.

• Network Interfaces: When associated with a specific network interface, the NSG rules apply only to that particular interface.

Therefore, options A and C are the correct choices.

• https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

False is correct, you cannot create your own service tag or specify which IP’s are included within a tag.https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags

Azure monitor stores data in Logs and Metrics data stores. The other answers are examples of Azure storage products. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform