© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

SC-100 Design security solutions for infrastructure • Complete Question Bank

SC-100 Design security solutions for infrastructure — All Questions With Answers

Complete SC-100 Design security solutions for infrastructure question bank — all 0 questions with answers and detailed explanations.

231 questions · Free · No signup
Question 1 (medium, multiple choice)

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?

Question 2 (easy, multiple choice)

A company plans to use Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. What is the first step to enable multi-cloud visibility?

Question 3 (hard, multiple choice)

You are designing a secure DevOps pipeline using GitHub Advanced Security and Microsoft Defender for Cloud. The development team uses a mix of Python and JavaScript. Which tool should you integrate to detect secrets (e.g., API keys) committed to the repository?

Question 4 (medium, multi select)

Which TWO Azure policies should you assign to enforce secure configuration of Azure SQL Database? (Select two.)

Question 5 (easy, multi select)

Which THREE features of Microsoft Defender for Cloud help secure Azure Kubernetes Service (AKS) clusters? (Select three.)

Question 6 (hard, multi select)

Which TWO actions should you take to improve the security posture of an Azure subscription using Microsoft Defender for Cloud? (Select two.)

Question 7 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy accomplish?

Exhibit

{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "properties.destinationPortRange",
          "notIn": ["22", "3389"]
        }
      }
    }
  }
}

Question 8 (easy, multiple choice)

Refer to the exhibit. You need to ensure that the storage account 'seccorpstorage' is only accessible from a specific Azure virtual network. What should you do?

Exhibit

Storage account name: seccorpstorage
Property: publicNetworkAccess = Disabled
Property: defaultAction = Deny
Property: networkRules.defaultAction = Deny
Property: networkRules.ipRules = []
Property: networkRules.virtualNetworkRules = []

Question 9 (hard, multiple choice)

Refer to the exhibit. You are deploying an ARM template for a network security group. What is the security implication of this configuration?

Exhibit

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "nsg-frontend",
      "properties": {
        "securityRules": [
          {
            "name": "AllowHTTPS",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "443",
              "sourceAddressPrefix": "Internet",
              "destinationAddressPrefix": "10.0.1.0/24",
              "access": "Allow",
              "priority": 100,
              "direction": "Inbound"
            }
          }
        ]
      }
    }
  ]
}

Question 10 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only approved applications can run on corporate devices. Which Intune feature should you configure?

Question 11 (easy, multiple choice)

You need to design a solution to protect Azure VMs from malware and vulnerabilities. Which Microsoft service should you use?

Question 12 (hard, multiple choice)

Your company uses Azure Firewall to filter outbound traffic from a virtual network. You need to allow only HTTP and HTTPS traffic to specific FQDNs, while blocking all other outbound traffic. Which Azure Firewall rule type should you use?

Question 13 (medium, multiple choice)

You are designing a secure hybrid network connectivity solution between an on-premises datacenter and Azure. The requirement is to have encrypted traffic and high availability. Which service should you use?

Question 14 (easy, multiple choice)

You need to ensure that Azure SQL Database always encrypts data at rest and in transit. Which features should you enable?

Question 15 (hard, multiple choice)

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed compromise of a domain controller by isolating the affected VM. Which automation feature should you use?

Question 16 (medium, multiple choice)

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts using pass-the-hash attacks. Which data source should you prioritize for ingestion?

Question 17 (hard, multiple choice)

Your company is designing a Zero Trust network for a hybrid workforce. Remote users connect via VPN to on-premises resources, while cloud apps use Microsoft Entra ID. You need to enforce conditional access based on device compliance and user risk. Which Microsoft security solution should you integrate with Entra ID to provide real-time device posture signals?

Question 18 (easy, multiple choice)

You are designing a secure infrastructure for an e-commerce platform hosted on Azure. The platform must meet PCI DSS compliance. Which Azure service should you use to centrally manage and monitor security policies across subscriptions?

Question 19 (medium, multiple choice)

A multinational corporation uses Microsoft Entra ID with hybrid identities. They need to design a solution that automatically remediates risky sign-ins without user intervention. Which feature should you enable?

Question 20 (hard, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Sentinel when a Defender XDR alert fires. Which integration should you configure?

Question 21 (easy, multiple choice)

Your company is migrating to Azure and needs to secure virtual networks with network segmentation. You need to design a solution that filters traffic between subnets based on application requirements. Which Azure service should you use?

Question 22 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to design a solution that automatically applies a security baseline to new Azure VMs. Which feature should you use?

Question 23 (hard, multiple choice)

Your company uses Microsoft Intune to manage devices. You need to design a solution that prevents users from installing unauthorized applications on corporate Windows 10 devices. Which Intune policy should you configure?

Question 24 (easy, multiple choice)

Your organization uses Microsoft Purview to classify data assets. You need to design a solution that automatically scans data sources in Azure SQL Database for sensitive information. Which Purview scanner should you configure?

Question 25 (medium, multi select)

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster using Microsoft Defender for Cloud?

Question 26 (hard, multi select)

Which THREE components are required to implement a Zero Trust network architecture using Microsoft Entra Internet Access (formerly Microsoft 365 Network Connectivity)?

Question 27 (easy, multi select)

Which TWO Azure services should you use to implement a defense-in-depth strategy for protecting Azure virtual machines?

Question 28 (medium, multiple choice)

You are designing a hybrid identity solution for an organization that uses Microsoft Entra ID and an on-premises Active Directory. The organization requires that users who are located in a remote office without a direct VPN connection to the main office can authenticate against on-premises resources using their Entra ID credentials. The solution must minimize latency and support passwordless authentication. Which feature should you implement?

Question 29 (hard, multiple choice)

Your organization is designing a secure network infrastructure for a multi-cloud environment that includes Azure, AWS, and on-premises datacenters. The security team requires that all traffic between these environments be inspected for threats and that any malicious traffic be automatically blocked. The solution must minimize complexity and use a single pane of glass for policy management. Which Azure service should you use as the central hub?

Question 30 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to ensure that all virtual machines are covered by Defender for Cloud's vulnerability assessment capabilities. Which plan must be enabled?

Question 31 (medium, multiple choice)

Your organization is deploying Azure Kubernetes Service (AKS) and plans to use Azure Policy to enforce security controls on the cluster. The security team wants to automatically audit and deny the creation of privileged containers. Which Azure Policy initiative should you assign?

Question 32 (hard, multiple choice)

You are designing a secure access solution for an on-premises application that uses legacy authentication protocols. The organization plans to migrate to Microsoft Entra ID but the application vendor has not yet provided a modern authentication update. The solution must enable single sign-on (SSO) and support multifactor authentication (MFA) for this application without modifying the application code. Which approach should you recommend?

Question 33 (easy, multiple choice)

Your organization uses Microsoft Intune to manage endpoints. The security team wants to ensure that devices that cannot be enrolled in Intune (e.g., unmanaged BYOD devices) are still subject to security policies when accessing corporate resources. Which Microsoft Entra ID feature should you use?

Question 34 (medium, multiple choice)

You are designing a security solution for a critical Azure SQL Database that must be protected against data exfiltration by a compromised admin account. The solution must ensure that even a database administrator cannot copy data to an external storage account. Which Azure service should you configure?

Question 35 (hard, multiple choice)

Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). The security team wants to ensure that Sentinel can ingest logs from on-premises servers that are not connected to the internet. The solution must use Azure Arc for management. Which data connector should you use?

Question 36 (hard, multi select)

Which TWO Azure services can you use to implement a zero-trust network architecture that verifies identity and device compliance before granting access to on-premises applications? (Choose two.)

Question 37 (medium, multi select)

Which THREE components are required to implement a Microsoft Sentinel solution that collects security logs from a multi-cloud environment including AWS and Azure? (Choose three.)

Question 38 (easy, multi select)

Which TWO of the following are valid methods to enforce multifactor authentication (MFA) for users accessing Microsoft 365 services? (Choose two.)

Question 39 (medium, multiple choice)

You are designing a secure hybrid network architecture for a company that uses Azure and an on-premises datacenter. The company requires that all traffic between Azure and on-premises traverses Microsoft's backbone network and never the public internet. Additionally, the solution must provide automatic failover if the primary connection fails. Which Azure service should you include in the design?

Question 40 (easy, multiple choice)

A company is planning to deploy a multi-tier application in Azure. The web tier must be accessible from the internet, while the database tier must be accessible only from the web tier and management jump boxes. The solution should minimize exposure to the internet. Which Azure architecture should you recommend?

Question 41 (hard, multiple choice)

Your company has a Microsoft Defender for Cloud environment with Azure Arc-enabled on-premises servers. The security team wants to ensure that all servers have the Log Analytics agent installed and that missing updates are automatically remediated for critical vulnerabilities. Which policy initiative should you assign to the management group containing these servers?

Question 42 (medium, multiple choice)

A multinational corporation is designing a secure access solution for remote employees using company-managed devices. The solution must enforce device compliance before granting access to corporate resources, support single sign-on (SSO) for SaaS applications, and provide conditional access policies based on risk. Which combination of Microsoft security products should you recommend?

Question 43 (easy, multiple choice)

Your organization is implementing a zero-trust network strategy. You need to ensure that all network traffic between Azure virtual machines is encrypted and authenticated at the IP layer, regardless of the virtual network they are in. Which Azure feature should you configure?

Question 44 (hard, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription. What is the primary effect of this policy?

Exhibit

{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
              "value": "/subscriptions/12345/resourceGroups/rg-keys/providers/Microsoft.Compute/diskEncryptionSets/des-production"
            }
          ]
        }
      }
    }
  }
}

Question 45 (medium, multiple choice)

Your company uses Microsoft Sentinel as its SIEM. You need to design a solution to detect lateral movement attempts within the corporate network using Windows Event Logs collected from domain controllers and workstations. Which data source and analytic rule type should you use?

Question 46 (easy, multiple choice)

You need to secure Azure Kubernetes Service (AKS) clusters by ensuring that only approved container images from a private Azure Container Registry (ACR) can be deployed. The solution should enforce this at admission time. Which Azure Policy effect should you use?

Question 47 (hard, multiple choice)

Your company is migrating to a cloud-native security operations center (SOC) using Microsoft Sentinel. You need to design a solution that automatically investigates and remediates common incidents like brute-force attacks on Azure VMs. The solution should use playbooks triggered by analytics rules. Which Microsoft service should you use to create the playbooks, and what is the recommended authentication method?

Question 48 (medium, multi select)

A company is designing a secure baseline for Azure VMs using Azure Policy and Microsoft Defender for Cloud. Which TWO recommendations should you include to ensure VMs are protected against common threats?

Question 49 (hard, multi select)

You are designing a secure access strategy for Azure SQL Database. The solution must use Microsoft Entra authentication and ensure that only specific client IP addresses can connect. Additionally, all connections must be encrypted in transit. Which THREE components should you configure?

Question 50 (easy, multi select)

Your company uses Microsoft Defender for Endpoint and Microsoft Intune to manage endpoints. You need to ensure that devices are healthy before they can access corporate resources. Which TWO settings should you configure in Microsoft Intune compliance policies to enforce device health?

Question 51 (medium, multiple choice)

Refer to the exhibit. You are reviewing a PowerShell script that configures network security. What is the effect of the NSG rule created in this script?

Exhibit

$rg = 'rg-network'
$vnet = 'vnet-prod'
$subnet = 'snet-app'
$nic = 'nic-app1'
$nsg = 'nsg-app'

# Create NSG
$nsgParams = @{
    ResourceGroupName = $rg
    Name = $nsg
    Location = 'eastus'
}
$nsgObj = New-AzNetworkSecurityGroup @nsgParams

# Add rule to deny inbound from internet
$ruleParams = @{
    Name = 'DenyInternetInbound'
    Access = 'Deny'
    Priority = 100
    Direction = 'Inbound'
    Protocol = '*'
    SourceAddressPrefix = 'Internet'
    SourcePortRange = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange = '*'
    NetworkSecurityGroup = $nsgObj
}
Add-AzNetworkSecurityRuleConfig @ruleParams | Set-AzNetworkSecurityGroup

# Associate NSG with subnet
$vnetObj = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$subnetObj = $vnetObj.Subnets | Where-Object {$_.Name -eq $subnet}
$subnetObj.NetworkSecurityGroup = $nsgObj
Set-AzVirtualNetwork -VirtualNetwork $vnetObj

Question 52 (hard, multiple choice)

Refer to the exhibit. You are reviewing an ARM template for an Azure App Service configuration. What is the effect of the ipSecurityRestrictions array?

Exhibit

{
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2022-03-01",
  "name": "webapp-config",
  "properties": {
    "ftpsState": "FtpsOnly",
    "minTlsVersion": "1.2",
    "http20Enabled": true,
    "siteAuthSettings": {
      "enabled": true,
      "defaultProvider": "AzureActiveDirectory",
      "clientId": "12345-abcde-..."
    },
    "ipSecurityRestrictions": [
      {
        "ipAddress": "192.168.0.0/24",
        "action": "Allow",
        "priority": 100,
        "name": "AllowCorporateNetwork",
        "description": "Allow corporate IP range"
      },
      {
        "ipAddress": "Any",
        "action": "Deny",
        "priority": 200,
        "name": "DenyAll",
        "description": "Deny all other traffic"
      }
    ]
  }
}

Question 53 (medium, multi select)

Your organization has deployed Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are covered and that security recommendations are automatically remediated for critical findings. Which two actions should you take? (Choose two.)

Question 54 (medium, multiple choice)

Your organization plans to use Microsoft Defender for Cloud to protect a hybrid environment with servers in Azure and on-premises. You need to ensure that security policies are consistently applied across all servers. What should you configure?

Question 55 (hard, multiple choice)

Refer to the exhibit. You are designing a security solution for Azure SQL Database. The exhibit shows an Azure Policy definition. When this policy is assigned, which problem might occur?

Exhibit

{
  "properties": {
    "policyRule": {
      "if": {
        "field": "Microsoft.Sql/servers/auditingSettings/state",
        "equals": "Disabled"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/auditingSettings",
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/auditingSettings/state",
            "equals": "Enabled"
          },
          "deployment": {
            "properties": {
              "mode": "Incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "type": "Microsoft.Sql/servers/auditingSettings",
                    "name": "[concat(parameters('serverName'), '/default')]",
                    "apiVersion": "2021-02-01-preview",
                    "properties": {
                      "state": "Enabled",
                      "storageEndpoint": "[parameters('storageEndpoint')]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "parameters": {
      "storageEndpoint": {
        "type": "String",
        "metadata": {
          "displayName": "Storage Endpoint"
        }
      },
      "serverName": {
        "type": "String",
        "metadata": {
          "displayName": "SQL Server Name"
        }
      }
    }
  }
}

Question 56 (easy, multiple choice)

A company uses Azure Firewall to protect their virtual network. They need to allow outbound HTTPS traffic to a specific external website while blocking all other outbound traffic. What should they configure?

Question 57 (medium, multiple choice)

You are designing a secure hybrid network for a multinational company. They require encrypted communication between on-premises data centers and Azure, with high availability and no single point of failure. Which solution should you recommend?

Question 58 (hard, multiple choice)

Refer to the exhibit. You run the PowerShell script to check compliance of the 'RequireSQLEncryption' policy assignment. The script returns no output. What is the most likely reason?

Exhibit

$rg = Get-AzResourceGroup -Name 'InfrastructureRG'
$policy = Get-AzPolicyAssignment -Name 'RequireSQLEncryption'
$compliance = $policy.Properties.Scope | Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName
$compliance | Where-Object {$_.ComplianceState -eq 'NonCompliant'} | Format-Table ResourceId, ComplianceState

Question 59 (easy, multiple choice)

Your company uses Microsoft Entra ID for identity management. You need to implement a solution to automatically detect and remediate risky sign-ins using machine learning. What should you configure?

Question 60 (medium, multiple choice)

You are designing a security solution for Azure Kubernetes Service (AKS). You need to ensure that only authorized container images from a private container registry can run in the cluster. What should you configure?

Question 61 (hard, multiple choice)

Refer to the exhibit. You run the PowerShell script to apply an NSG to a subnet. However, connectivity tests show that the NSG rule is not being applied. What is the most likely reason?

Exhibit

Set-AzContext -Subscription 'Production'
$vnet = Get-AzVirtualNetwork -Name 'VNet-Prod' -ResourceGroupName 'RG-Prod'
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'Subnet-DB' -VirtualNetwork $vnet
$config = New-AzNetworkSecurityGroup -Name 'NSG-DB' -ResourceGroupName 'RG-Prod' -Location 'eastus'
$rule = New-AzNetworkSecurityRuleConfig -Name 'AllowSQL' -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * -DestinationAddressPrefix '10.0.2.0/24' -DestinationPortRange 1433
$config | Add-AzNetworkSecurityRuleConfig -NetworkSecurityRule $rule
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $config
Set-AzVirtualNetworkSubnetConfig -Name 'Subnet-DB' -VirtualNetwork $vnet -NetworkSecurityGroup $config
$vnet | Set-AzVirtualNetwork

Question 62 (easy, multiple choice)

You need to secure Azure Blob Storage by encrypting data at rest using customer-managed keys stored in Azure Key Vault. What should you configure?

Question 63 (medium, multi select)

Which TWO actions should you take to protect Azure Virtual Machines from ransomware? (Choose two.)

Question 64 (hard, multi select)

Which THREE components are required to implement a secure Azure DevOps CI/CD pipeline that scans for secrets in code? (Choose three.)

Question 65 (easy, multi select)

Which TWO Microsoft Purview solutions should you use to protect sensitive data in Microsoft 365? (Choose two.)

Question 66 (medium, multiple choice)

You are designing security for a multi-region Azure application. You need to ensure that traffic between virtual networks in different regions is encrypted and uses Microsoft backbone. What should you implement?

Question 67 (hard, multiple choice)

Refer to the exhibit. You are deploying an ARM template for a Windows VM. The adminPassword parameter references a secret in Key Vault. However, the deployment fails with an access denied error. What is the most likely cause?

Exhibit

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/.../resourceGroups/RG-KV/providers/Microsoft.KeyVault/vaults/KV-Prod"
        },
        "secretName": "VMAdminPassword"
      }
    }
  }
}

Question 68 (easy, multiple choice)

Your company is deploying Microsoft Sentinel to centralize security logs from Azure, on-premises, and other clouds. You need to ensure logs are ingested cost-effectively while maintaining search performance for the last 30 days. What should you configure?

Question 69 (medium, multiple choice)

Your organization is deploying a new web application in Azure and needs to secure it against common web attacks like SQL injection and cross-site scripting. You need to configure a solution that provides centralized protection at the network edge. Which Azure service should you use?

Question 70 (hard, multiple choice)

You are designing a secure hybrid network architecture that connects an on-premises data center to Azure. The requirements include: encrypted traffic, high availability across two Azure regions, and automatic failover. You need to recommend a connectivity solution that meets these requirements. What should you use?

Question 71 (easy, multiple choice)

Your company uses Azure Virtual Machines (VMs) running Windows Server. You need to ensure that only approved applications can run on the VMs. Which Azure security feature should you use?

Question 72 (medium, multiple choice)

You are designing a security solution for containers running on Azure Kubernetes Service (AKS). The requirements include: scanning container images for vulnerabilities, enforcing runtime security, and generating alerts for suspicious activities. Which combination of services should you use?

Question 73 (hard, multiple choice)

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID for identity. You need to implement a solution to secure privileged access to Azure resources, requiring just-in-time access and approval workflows. What should you configure?

Question 74 (medium, multi select)

You are designing a security solution for Azure SQL Database. The requirements include: encrypting data at rest and in transit, and masking sensitive data from non-privileged users. Which two features should you implement? (Choose two.)

Question 75 (easy, multiple choice)

Your company uses Azure DevOps to manage CI/CD pipelines. You need to ensure that secrets such as API keys are securely stored and automatically injected into pipeline tasks without being exposed in logs. What should you use?

Question 76 (hard, multiple choice)

You are designing a security solution for Azure API Management. The requirements include: protecting APIs from abuse, throttling requests, and validating JSON payloads. Which combination of features should you use?

Question 77 (medium, multiple choice)

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate to on-premises resources using their Entra ID credentials. Which feature should you implement?

Question 78 (easy, multiple choice)

You need to design a solution to protect Azure VMs from malware and provide security recommendations. Which Azure service should you enable?

Question 79 (hard, multi select)

You are designing a secure access solution for an Azure App Service web application that authenticates users via Microsoft Entra ID. The requirements include: only allowing users from a specific Entra ID tenant, and blocking access from certain countries. Which two features should you combine? (Choose two.)

Question 80 (medium, multi select)

Your company uses Azure Backup to protect VMs. You need to ensure that backup data is encrypted at rest and during transit. Which features should you enable? (Choose three.)

Question 81 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition. What is the effect of this policy?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.enableAutomaticUpdates",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Question 82 (hard, multiple choice)

Refer to the exhibit. You review a PowerShell script that configures an NSG rule. What is the likely security issue with this rule?

Exhibit

```powershell
$rg = Get-AzResourceGroup -Name 'ProductionRG'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg.ResourceGroupName -Name 'WebNSG'
# The rule under review: inbound TCP/80 from the 'Internet' service tag to the whole VirtualNetwork tag
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowHTTP' -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix 'Internet' -SourcePortRange * -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 80 -Description 'Allow HTTP'
# Nothing is applied until the modified NSG object is written back
$nsg | Set-AzNetworkSecurityGroup
```

Question 83 (easy, multiple choice)

Refer to the exhibit. A KQL query in Microsoft Sentinel is used to detect potential brute-force attacks. What does this query detect?

Exhibit

```kql
// Successful logons (EventID 4624) of type 10 (RemoteInteractive / RDP) in the last 7 days,
// counted per account and source IP. In SecurityEvent the numeric ID is the EventID column;
// Activity holds the descriptive string, and the IP column is spelled IpAddress.
SecurityEvent
| where TimeGenerated > ago(7d)
| where AccountType == "User"
| where EventID == 4624
| where LogonType == 10
| summarize LogonAttempts = count() by Account, IpAddress
| where LogonAttempts > 10
```

Question 84 (medium, multiple choice)

A company is designing a security solution for their hybrid infrastructure that includes on-premises servers and Azure virtual machines. They need to ensure that all administrative access to servers is just-in-time (JIT) and just-enough-administration (JEA). Which Azure service should they use?

Question 85 (hard, multiple choice)

A global enterprise uses Azure Firewall and Azure Virtual Network Manager (AVNM) to manage network security. They want to deploy a new spoke virtual network that must be isolated from all other spokes except one specific shared services hub. The hub uses Azure Firewall to inspect traffic. What is the most secure and scalable way to enforce this isolation?

Question 86 (easy, multiple choice)

A company plans to migrate their on-premises Active Directory to Microsoft Entra ID. They need to ensure that legacy applications using NTLM authentication continue to work during the transition. What should they configure?

Question 87 (medium, multiple choice)

An organization uses Microsoft Sentinel to monitor their hybrid infrastructure. They need to detect brute-force attacks against their on-premises Windows servers. Which data source should they connect to Sentinel?

Question 88 (hard, multiple choice)

A multinational corporation is designing a secure infrastructure for their Azure Kubernetes Service (AKS) clusters. They require network policies to restrict pod-to-pod communication based on namespaces and label selectors. They also need to integrate with Azure Policy for compliance. Which network policy engine should they use?

Question 89 (easy, multiple choice)

A small business uses Microsoft 365 Business Premium and wants to secure their Windows 10 devices with Microsoft Intune. They need to ensure that only devices compliant with the company's security policies can access corporate email. What should they configure?

Question 90 (medium, multiple choice)

A company uses Azure Front Door to publish a web application globally. They need to protect against DDoS attacks and web application attacks (SQL injection, XSS). Which two services should they enable in combination?

Question 91 (hard, multiple choice)

A financial services company is designing a secure infrastructure for their Azure SQL Database. They need to encrypt data at rest using customer-managed keys (CMK) stored in a key vault with soft-delete and purge protection enabled. The encryption must be transparent to applications. What should they configure?

Question 92 (easy, multiple choice)

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to receive alerts when a resource is deployed without encryption enabled. What should they configure?

Question 93 (medium, multi select)

Which TWO actions should you take to secure Azure SQL Database against SQL injection attacks?

Question 94 (hard, multi select)

Which THREE components are required to implement a zero-trust network architecture in Azure using Microsoft security solutions?

Question 95 (medium, multi select)

Which TWO Azure services can be used to protect a virtual network from inbound DDoS attacks at the network layer?

Question 96 (hard, multiple choice)

Refer to the exhibit. An administrator is reviewing a just-in-time (JIT) access request in Microsoft Entra Privileged Identity Management (PIM) for Azure resources. The request was approved. What does the roleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' correspond to?

Exhibit

```json
{
  "properties": {
    "status": "Active",
    "activationMessage": "Approve access to Storage Account",
    "approvalType": "Temporary",
    "duration": "PT2H",
    "justification": "Emergency troubleshooting",
    "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "startDateTime": "2024-03-01T10:00:00Z",
    "expirationDateTime": "2024-03-01T12:00:00Z",
    "memberType": "Direct",
    "principalId": "12345678-1234-1234-1234-123456789abc",
    "scope": "/subscriptions/abc123-def456-7890-abcd-ef1234567890/resourceGroups/Production/providers/Microsoft.Storage/storageAccounts/corpstorage"
  }
}
```
Question 97 (easy, multiple choice)

Refer to the exhibit. A security analyst runs the following KQL query in Microsoft Sentinel. What is the purpose of this query?

Exhibit

```kql
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| where AccountType == "User"
| summarize Count = count() by Account, Computer, IpAddress
| where Count > 10
| project Account, Computer, IpAddress, Count
```
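The two Sentinel queries above (the 7-day LogonType 10 query and the one-hour EventID 4625 query) do the same kind of work: filter SecurityEvent rows, group by principal and source, keep groups over a threshold. The security-relevant difference is the event they count: 4625 is a failed logon, 4624 is a successful one, so only the first is a brute-force signal. The following is an added example, not code from the Courseiva page or from Microsoft, that runs both aggregations offline over constructed SecurityEvent-shaped rows; the account names, host name, addresses and the fixed clock are all constructed for the example.

```python
"""Added example (not from the Courseiva page or Microsoft): the aggregation behind the
two Sentinel queries above, run offline over constructed Windows Security events so
the difference between counting EventID 4625 (failed logon) and EventID 4624
(successful logon) is visible. Column names follow the SecurityEvent table."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the output is reproducible
ATTACKER_IP = "203.0.113.7"   # constructed; TEST-NET-3 documentation range


def make_events():
    """Constructed sample rows shaped like the SecurityEvent columns the queries use."""
    def row(minutes_ago, event_id, account, ip, logon_type):
        return dict(TimeGenerated=NOW - timedelta(minutes=minutes_ago), EventID=event_id,
                    AccountType="User", Account=account, Computer="WEB01",
                    IpAddress=ip, LogonType=logon_type)
    events = []
    # 15 failed network logons against a service account from one IP within the last hour
    events += [row(i * 2, 4625, "CONTOSO\\svc-backup", ATTACKER_IP, 3) for i in range(15)]
    # 3 failures for a normal user from an office address: below the threshold
    events += [row(i * 10, 4625, "CONTOSO\\alice", "10.0.1.25", 3) for i in range(3)]
    # 12 successful RDP logons (4624, LogonType 10) from a jump host spread over the last 6 days
    events += [row(i * 12 * 60, 4624, "CONTOSO\\admin-jo", "10.0.0.5", 10) for i in range(12)]
    # one old failure, outside every window used below
    events.append(row(9 * 24 * 60, 4625, "CONTOSO\\svc-backup", ATTACKER_IP, 3))
    return events


def failed_logon_bursts(events, window=timedelta(hours=1), threshold=10):
    """Equivalent of the EventID 4625 query: failed logons per (Account, Computer, IpAddress)
    inside the window, keeping only the groups above the threshold."""
    counts = Counter(
        (e["Account"], e["Computer"], e["IpAddress"]) for e in events
        if e["TimeGenerated"] > NOW - window and e["EventID"] == 4625 and e["AccountType"] == "User")
    return {key: n for key, n in counts.items() if n > threshold}


def successful_rdp_logons(events, window=timedelta(days=7), threshold=10):
    """Equivalent of the 7-day query: it counts EventID 4624, a successful logon, with
    LogonType 10 (RemoteInteractive), so a hit is a busy RDP user, not a brute-force attempt."""
    counts = Counter(
        (e["Account"], e["IpAddress"]) for e in events
        if e["TimeGenerated"] > NOW - window and e["EventID"] == 4624
        and e["AccountType"] == "User" and e["LogonType"] == 10)
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    events = make_events()
    print(failed_logon_bursts(events))    # {('CONTOSO\\svc-backup', 'WEB01', '203.0.113.7'): 15}
    print(successful_rdp_logons(events))  # {('CONTOSO\\admin-jo', '10.0.0.5'): 12}
```

The jump-host administrator trips the 4624 query with ordinary work, while the 4625 query isolates the one source that failed fifteen times in an hour; a production rule would pair the 4625 burst with a later 4624 from the same source to flag a successful password-spray.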
Question 98 (medium, multiple choice)

Refer to the exhibit. An administrator is deploying an Azure Firewall using the ARM template snippet. After deployment, traffic from the 10.0.0.0/16 subnet to www.microsoft.com on HTTPS is allowed. What is a potential security issue with this configuration?

Exhibit

```json
{
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2023-02-01",
  "name": "hub-firewall",
  "location": "eastus",
  "properties": {
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "applicationRuleCollections": [
      {
        "name": "allow-web",
        "priority": 100,
        "action": {
          "type": "Allow"
        },
        "rules": [
          {
            "name": "allow-msft",
            "sourceAddresses": ["10.0.0.0/16"],
            "targetFqdns": ["*.microsoft.com"],
            "protocols": [
              {
                "protocolType": "Http",
                "port": 80
              },
              {
                "protocolType": "Https",
                "port": 443
              }
            ]
          }
        ]
      }
    ],
    "networkRuleCollections": [],
    "natRuleCollections": []
  }
}
```
Question 99 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that virtual machines running on-premises are assessed for security misconfigurations. What should you deploy?

Question 100 (medium, multiple choice)

Your company plans to use Microsoft Sentinel to manage security incidents. You need to design a solution that reduces alert fatigue by grouping related alerts into incidents. Which feature should you enable?

Question 101 (hard, multiple choice)

Your organization has a Microsoft Defender for Cloud Apps policy that detects suspicious OAuth app permissions. You need to ensure that when a high-risk app is detected, the app is automatically disabled and the user is notified. What is the most efficient design?

Question 102 (easy, multiple choice)

You are designing a secure remote access solution for on-premises web applications using Microsoft Entra ID. The solution must support multifactor authentication (MFA) and conditional access. Which service should you use?

Question 103 (medium, multiple choice)

Your company uses Microsoft Intune to manage devices. You need to ensure that corporate data is wiped from a device if it reports a jailbroken status. What is the best approach?

Question 104 (hard, multiple choice)

You are designing a privileged access solution for your Azure infrastructure. You need to ensure that just-in-time (JIT) access is required for all administrative actions on Azure VMs. What should you configure?

Question 105 (easy, multiple choice)

Your organization uses Microsoft Purview to classify sensitive data in Azure storage. You need to ensure that a file containing PII is automatically protected when uploaded to an Azure Blob Storage account. What should you use?

Question 106 (medium, multiple choice)

Your company plans to use Microsoft Sentinel to detect threats across multiple Azure subscriptions. You need to design a cost-effective solution that ingests logs from all subscriptions. What should you use?

Question 107 (hard, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition in JSON. What does this policy do?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "Microsoft.Sql/servers/administrators/type",
            "equals": "ActiveDirectory"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Question 108 (medium, multiple choice)

Refer to the exhibit. You run the PowerShell cmdlet and see that EnabledForDiskEncryption is false. You need to ensure that this key vault can be used for Azure Disk Encryption. What should you do?

Exhibit

```powershell
Get-AzKeyVault -VaultName 'ContosoVault' | Select-Object Name, ResourceGroup, Location, EnabledForDeployment, EnabledForDiskEncryption, EnabledForTemplateDeployment
```

Question 109 (hard, multiple choice)

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

Exhibit

```kql
SecurityEvent
| where TimeGenerated > ago(1h)
| where AccountType == 'User'
| summarize count() by Account, Computer, EventID
```

Question 110 (easy, multi select)

Which TWO of the following are features of Microsoft Defender for Cloud that help secure infrastructure? (Choose two.)

Question 111 (medium, multi select)

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS) clusters? (Choose three.)

Question 112 (hard, multi select)

Which TWO of the following are requirements for implementing Azure Disk Encryption on Windows VMs? (Choose two.)

Question 113 (easy, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to design a solution to protect users from malicious links in email. What should you configure?

Question 114 (hard, multiple choice)

Your organization is designing a hybrid identity infrastructure with Microsoft Entra ID. You need to ensure that users can access on-premises applications using passwordless authentication and that the solution minimizes latency for authentication requests. What should you implement?

Question 115 (easy, multiple choice)

Your company plans to deploy Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP. You need to ensure that security recommendations from all three cloud providers are centrally visible. What should you configure?

Question 116 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition that denies deployment of virtual machines without encryption at host enabled. A developer reports they cannot deploy a VM that already has encryption at host enabled. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "deny",
        "details": {
          "anyOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
              "equals": "false"
            }
          ]
        }
      }
    }
  }
}
```

Question 117 (easy, multiple choice)

Your organization is deploying Microsoft Intune to manage Windows 11 devices. You need to ensure that devices automatically receive security updates and that users cannot defer updates. Which configuration profile setting should you configure?

Question 118 (hard, multiple choice)

You are designing a network security architecture for an Azure application that uses Azure Front Door and Azure Application Gateway. The application must be protected from DDoS attacks and common web exploits. Application traffic should be inspected by a web application firewall (WAF) before reaching the backend. What is the recommended deployment order?

Question 119 (medium, multiple choice)

Refer to the exhibit. You run the PowerShell command to retrieve information about a Managed HSM in Azure. The output shows that the HSM is in 'Provisioned' state and has two security domains. What is the purpose of the security domains?

Exhibit

```powershell
Get-AzKeyVaultManagedHsm -HsmName 'contoso-hsm' -ResourceGroupName 'RG1'
```

Question 120 (easy, multiple choice)

Your company uses Microsoft Sentinel for security operations. You need to detect brute-force attacks against Azure VMs by correlating failed sign-in events from multiple sources. Which data connector should you enable?

Question 121 (hard, multiple choice)

You are designing a zero-trust network architecture for a hybrid environment using Azure Virtual WAN. You need to secure all traffic between on-premises sites and Azure virtual networks using Microsoft's security services. The solution should include next-generation firewall capabilities and TLS inspection. What should you deploy?

Question 122 (medium, multiple choice)

Refer to the exhibit. You are reviewing an ARM template that deploys a storage account. The compliance team requires that all storage accounts use TLS 1.2 or higher. Does this template meet the requirement?

Exhibit

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "kind": "StorageV2",
      "sku": {
        "name": "Standard_GRS"
      },
      "properties": {
        "minimumTlsVersion": "TLS1_2",
        "supportsHttpsTrafficOnly": true
      }
    }
  ]
}
```

Question 123 (medium, multi select)

Your organization is planning to deploy Microsoft Defender for Cloud Apps (formerly Cloud App Security). You need to discover shadow IT usage and control access to cloud apps. Which TWO capabilities should you enable? (Choose TWO.)

Question 124 (hard, multi select)

Your company is designing a secure baseline for Azure Linux virtual machines using Azure Policy. You need to ensure that all Linux VMs have SSH access restricted, disk encryption enabled, and vulnerability assessments installed. Which THREE built-in policies should you assign? (Choose THREE.)

Question 125 (easy, multi select)

You are designing a backup strategy for Azure virtual machines using Azure Backup. The solution must support cross-region restore and provide 10 years of retention for compliance. Which THREE features should you enable? (Choose THREE.)

Question 126 (medium, multiple choice)

Your company uses Microsoft Purview to govern data across Azure and on-premises. You need to classify sensitive data such as credit card numbers in Azure SQL Database and apply automatic retention labels. What should you configure?

Question 127 (hard, multiple choice)

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster that runs containerized workloads. The cluster must be integrated with Microsoft Defender for Cloud for threat detection, and you need to ensure that container images are scanned for vulnerabilities before deployment. What should you configure?

Question 128 (easy, multiple choice)

Your organization is implementing a security baseline for Windows 11 devices using Microsoft Intune. You need to ensure that BitLocker encryption is enabled on all devices and that recovery keys are stored in Microsoft Entra ID. Which policy type should you configure?

Question 129 (medium, multiple choice)

Your company is designing a hybrid identity solution using Microsoft Entra ID. You need to ensure that users can access on-premises applications using modern authentication methods. The solution must support multi-factor authentication and Conditional Access policies. What should you implement?

Question 130 (easy, multiple choice)

You are designing a network security solution for a multi-tier application hosted in Azure. The front-end web tier must be accessible from the internet, but the back-end database tier must only accept traffic from the front-end tier. Which Azure service should you use to enforce this restriction?

Question 131 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that security recommendations are automatically remediated for virtual machines. The solution must use Azure Policy and must be deployed at scale. What should you configure?

Question 132 (medium, multiple choice)

You are designing a security solution for containers in Azure Kubernetes Service (AKS). The solution must scan container images for vulnerabilities before deployment and enforce runtime security. Which combination of Microsoft Defender for Cloud features should you enable?

Question 133 (hard, multiple choice)

Your company is implementing a zero-trust network architecture in Azure. You need to ensure that all network traffic between virtual machines is encrypted and authenticated, regardless of the virtual network they reside in. What should you implement?

Question 134 (easy, multiple choice)

You need to design a backup and disaster recovery solution for Azure virtual machines that meets a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 hour. Which Azure service should you use?

Question 135 (medium, multiple choice)

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to design a solution to detect brute-force attacks against Azure virtual machines. The solution should use Azure Activity Logs and Windows Security Events. What should you configure in Sentinel?

Question 136 (hard, multiple choice)

You are designing a security solution for an Azure SQL Database that stores sensitive customer data. The solution must encrypt the database at rest and in transit, and also mask sensitive columns from non-privileged users. Which combination of features should you implement?

Question 137 (easy, multiple choice)

Your company plans to migrate on-premises servers to Azure. You need to ensure that the migrated servers are protected against malware and vulnerabilities. Which Microsoft Defender for Cloud plan should you enable for the Azure VMs?

Question 138 (medium, multi select)

You are designing a secure access solution for on-premises applications using Microsoft Entra ID. The solution must support modern authentication, single sign-on (SSO), and Conditional Access. Which TWO technologies should you implement?

Question 139 (hard, multi select)

Your organization is implementing Microsoft Defender for Identity to protect on-premises Active Directory. Which THREE activities does Defender for Identity monitor?

Question 140 (medium, multi select)

You are designing a security solution for Azure resources using Azure Policy. You need to ensure that all storage accounts enforce HTTPS traffic and that only certain virtual networks can access them. Which THREE policy effects can you use to achieve this?

Question 141 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
          "notIn": ["Standard_LRS", "Premium_LRS"]
        }
      }
    },
    "parameters": {}
  }
}
```

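Both the encryption-at-host policy in Question 116 and the managed-disk policy above put the condition that matters under then.details. In Azure Policy only the if block decides whether the effect applies; details carries parameters for effects such as auditIfNotExists, deployIfNotExists and modify, and a deny reads nothing from it. The following is an added example, not code from the Courseiva page or from Microsoft: a small offline evaluator for the policyRule shape used in these exhibits, run against constructed resources, together with a corrected form of the Question 116 policy. Alias resolution is a simplification (an alias is treated as the resource type followed by a dotted path into properties), and the resource objects, the corrected policy and the function names are all this example's own.

```python
"""Added example (not from the Courseiva page or Microsoft): a minimal evaluator for the
policyRule shape in the exhibits. It shows why a 'deny' whose real test sits under
then.details denies every resource that matches 'if'. Alias handling is simplified:
'Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost' becomes the dotted
path securityProfile.encryptionAtHost under the resource's properties."""


def _norm(value):
    return str(value).lower()


def _field_value(resource, field):
    """Resolve a policy alias against a resource dict (simplified model, see module docstring)."""
    if field == "type":
        return resource.get("type")
    rtype = resource.get("type", "")
    path = field[len(rtype) + 1:] if field.startswith(rtype + "/") else field
    node = resource.get("properties", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_condition(cond, resource):
    """True when the resource matches the condition tree (allOf / anyOf / not / field tests)."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return value is not None and _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return value is None or _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "in" in cond:
        return value is not None and _norm(value) in [_norm(x) for x in cond["in"]]
    if "notIn" in cond:
        return value is None or _norm(value) not in [_norm(x) for x in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(policy, resource):
    """Effect Azure Policy would apply, or None when 'if' does not match.
    Only 'if' is evaluated; 'then.details' plays no part in a deny."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource) else None


# The Question 116 exhibit, same structure: the encryptionAtHost test sits under then.details.
POLICY_AS_WRITTEN = {"properties": {"policyRule": {
    "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    "then": {"effect": "deny", "details": {"anyOf": [
        {"field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
         "equals": "false"}]}}}}}

# Corrected form (this example's own): the test moves into 'if'; a missing property also fails.
POLICY_FIXED = {"properties": {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
         "notEquals": "true"}]},
    "then": {"effect": "deny"}}}}

# The managed-disk exhibit above: the storageAccountType 'notIn' test also lives under details.
DISK_POLICY_AS_WRITTEN = {"properties": {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
         "exists": "true"}]},
    "then": {"effect": "deny", "details": {
        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
        "notIn": ["Standard_LRS", "Premium_LRS"]}}}}}

# Constructed resources for the example.
ENCRYPTED_VM = {"type": "Microsoft.Compute/virtualMachines",
                "properties": {"securityProfile": {"encryptionAtHost": True},
                               "storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": "Premium_LRS"}}}}}
PLAIN_VM = {"type": "Microsoft.Compute/virtualMachines",
            "properties": {"securityProfile": {"encryptionAtHost": False}}}
STORAGE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts",
                   "properties": {"minimumTlsVersion": "TLS1_2"}}

if __name__ == "__main__":
    print(effect_for(POLICY_AS_WRITTEN, ENCRYPTED_VM))      # deny: the developer's complaint
    print(effect_for(POLICY_FIXED, ENCRYPTED_VM))           # None: the compliant VM deploys
    print(effect_for(POLICY_FIXED, PLAIN_VM))               # deny
    print(effect_for(DISK_POLICY_AS_WRITTEN, ENCRYPTED_VM))  # deny, although Premium_LRS is in the allowed list
```

Before assigning a deny policy, run it with the audit effect or use the compliance preview against a known-good resource; an unexpected non-compliant result on that resource is the quickest way to catch a condition that was placed under details instead of if.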
Question 142 (hard, multiple choice)

Refer to the exhibit. You run the PowerShell command against an Azure SQL Database. The command returns a baseline object for rule VA2108. What does this indicate about the database's vulnerability assessment configuration?

Exhibit

```powershell
Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -ResourceGroupName 'rg-sql' -ServerName 'sqlsrv01' -DatabaseName 'sqldb01' -BaselineName 'default' -RuleId 'VA2108'
```

Question 143 (easy, multiple choice)

Refer to the exhibit. You are deploying an ARM template that creates a network security group (NSG) named nsg-backend. What is the effect of this NSG on inbound traffic?

Exhibit

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-02-01",
      "name": "nsg-backend",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "DenyAllInbound",
            "properties": {
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Deny",
              "priority": 1000,
              "direction": "Inbound"
            }
          },
          {
            "name": "AllowHTTPFromFrontend",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "10.0.1.0/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 100,
              "direction": "Inbound"
            }
          }
        ]
      }
    }
  ]
}
```

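NSG rules are evaluated in ascending priority order and the first match decides, with Azure's default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sitting after every custom rule. That ordering is what makes the nsg-backend template above work (the explicit deny at 1000 beats the default VNet allow at 65000) and what makes the WebNSG rule from Question 82 risky (Internet to port 80 at priority 100). The following is an added example, not code from the Courseiva page or from Microsoft, that models inbound evaluation offline and checks both exhibits. Service tags are simplified: VirtualNetwork is taken as the assumed address space 10.0.0.0/16, Internet as anything outside it, and destination prefixes are not modelled; the test addresses are constructed.

```python
"""Added example (not from the Courseiva page or Microsoft): an offline model of NSG
inbound rule evaluation. Rules are tried in ascending priority, first match wins,
and Azure's default inbound rules are appended. Simplifications: 'VirtualNetwork'
is the assumed VNet range 10.0.0.0/16, 'Internet' is any address outside it, and
destination address prefixes are ignored."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")          # assumed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")    # Azure platform load balancer / health probe address

DEFAULT_INBOUND = [
    dict(name="AllowVnetInBound", priority=65000, access="Allow", protocol="*", source="VirtualNetwork", dport="*"),
    dict(name="AllowAzureLoadBalancerInBound", priority=65001, access="Allow", protocol="*", source="AzureLoadBalancer", dport="*"),
    dict(name="DenyAllInBound", priority=65500, access="Deny", protocol="*", source="*", dport="*"),
]


def _source_matches(prefix, src):
    ip = ipaddress.ip_address(src)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":
        return ip not in VNET and ip != AZURE_LB   # simplification of the Internet service tag
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec, port):
    """Match a destination port against '*', a single port, a range 'a-b', or a comma list."""
    if spec == "*":
        return True
    for piece in str(spec).split(","):
        lo, _, hi = piece.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(rules, src, dport, protocol="Tcp"):
    """Return (rule name, access) of the first matching rule; custom rules and defaults share one priority order."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if _source_matches(rule["source"], src) and _port_matches(rule["dport"], dport):
            return rule["name"], rule["access"]
    raise AssertionError("DenyAllInBound always matches")


# The nsg-backend rules from the ARM template above.
NSG_BACKEND = [
    dict(name="DenyAllInbound", priority=1000, access="Deny", protocol="*", source="*", dport="*"),
    dict(name="AllowHTTPFromFrontend", priority=100, access="Allow", protocol="Tcp", source="10.0.1.0/24", dport="80"),
]

# The WebNSG rule from the Question 82 PowerShell exhibit (-SourceAddressPrefix 'Internet').
WEB_NSG = [
    dict(name="AllowHTTP", priority=100, access="Allow", protocol="Tcp", source="Internet", dport="80"),
]

if __name__ == "__main__":
    print(evaluate_inbound(NSG_BACKEND, "10.0.1.10", 80))   # ('AllowHTTPFromFrontend', 'Allow')
    print(evaluate_inbound(NSG_BACKEND, "10.0.2.10", 80))   # ('DenyAllInbound', 'Deny'): beats AllowVnetInBound
    print(evaluate_inbound(NSG_BACKEND, "10.0.1.10", 443))  # ('DenyAllInbound', 'Deny')
    print(evaluate_inbound(WEB_NSG, "203.0.113.7", 80))     # ('AllowHTTP', 'Allow'): any Internet host, plaintext HTTP
    print(evaluate_inbound([], "203.0.113.7", 80))          # ('DenyAllInBound', 'Deny') from the defaults alone
```

Without the custom DenyAllInbound at 1000, a request from another subnet in the VNet (10.0.2.10 above) would fall through to AllowVnetInBound and reach the back end; that is the gap the template closes, and it is why a tier-isolation NSG needs its own deny rather than relying on the defaults.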
Question 144 (medium, multiple choice)

Your organization plans to deploy Microsoft Defender for Cloud to protect hybrid workloads. You need to design the agentless scanning deployment for Azure VMs running SQL Server. What should you configure?

Question 145 (hard, multiple choice)

You are designing a secure access strategy for a manufacturing plant using Azure IoT Hub and Azure Defender for IoT. The plant has unpatched legacy PLCs that cannot be updated. What is the best approach to prevent these devices from being compromised and used as an entry point into the corporate network?

Question 146 (easy, multiple choice)

Your company uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Exchange Online mailboxes. Which conditional access policy setting should you configure?

Question 147 (medium, multiple choice)

You are designing a backup strategy for a Microsoft 365 tenant. You need to ensure that Exchange Online mailbox items deleted by users can be recovered up to 30 days after deletion, without using third-party tools. What should you configure?

Question 148 (hard, multiple choice)

You are designing a secure solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that pods can only communicate with specific back-end services and that traffic is encrypted. What should you implement?

Question 149 (medium, multiple choice)

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to design the authentication method to support hybrid identities with seamless single sign-on (SSO) for legacy applications that require Kerberos authentication. What should you implement?

Question 150 (easy, multiple choice)

Your company uses Microsoft Sentinel as a SIEM. You need to ensure that all Azure subscription activity logs are ingested into Sentinel. What is the most efficient way to configure this?

Question 151 (hard, multiple choice)

You are designing a secure DevOps pipeline for a critical application using GitHub Actions and Microsoft Defender for Cloud. You need to ensure that container images are scanned for vulnerabilities before being deployed to Azure Kubernetes Service (AKS). What should you implement?

Question 152 (medium, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that devices must have a minimum OS version and cannot be jailbroken. Which configuration profile type should you assign?

Question 153 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition. What will this policy do when assigned to a subscription?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
            "notEquals": "Premium_LRS"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
Question 154 (hard, multiple choice)

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule in your workspace. The output shows the rule 'MFA Disabled' is enabled with severity Medium. The query returns events where MFA is absent. What is the primary issue with this rule?

Exhibit

```
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'RG-Sentinel' -Name 'LAW-Sentinel'
$analyticsRule = Get-AzSentinelAlertRule -ResourceGroupName 'RG-Sentinel' -WorkspaceName $workspace.Name -RuleName 'MFA Disabled'
$analyticsRule | Format-List

RuleName         : MFA Disabled
Enabled          : True
Severity         : Medium
Query            : IdentityLogonEvents | where MfaDetail == "none"
TriggerThreshold : 5
TriggerOperator  : GreaterThan
```
Question 155 (easy, multiple choice)

Refer to the exhibit. You are reviewing a Bicep template for deploying an Azure SQL Database server. Which security best practice is violated?

Exhibit

```bicep
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'sql-${uniqueString(resourceGroup().id)}'
  location: resourceGroup().location
  properties: {
    administratorLogin: 'adminuser'
    administratorLoginPassword: 'P@ssw0rd1234'
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
  }
}
```
Question 156 (medium, multi select)

Which TWO actions should you take to protect Azure Virtual Machines from ransomware attacks? (Choose two.)

Question 157 (hard, multi select)

Which THREE components are required to implement a secure hybrid network architecture using Azure VPN Gateway? (Choose three.)

Question 158 (easy, multi select)

Which TWO features of Microsoft Defender for Cloud help you identify and remediate misconfigurations in your Azure environment? (Choose two.)

Question 159 (easy, multiple choice)

Your organization is planning to deploy a new web application on Azure VMs. The security team requires that all incoming traffic to the VMs be inspected by a network virtual appliance (NVA) before reaching the VMs. Which Azure networking solution should you use to route traffic through the NVA?

Question 160 (medium, multiple choice)

A company uses Azure Arc to manage on-premises servers. The security team wants to enforce that all servers (on-premises and Azure) have Microsoft Defender for Endpoint installed and running. Which solution should you use to ensure compliance across hybrid environments?

Question 161 (hard, multiple choice)

Your organization has a multi-region Azure deployment with ExpressRoute connections to on-premises. You need to design a solution that ensures all traffic between on-premises and Azure is inspected by a firewall for both inbound and outbound connections. The solution must minimize latency and avoid a single point of failure. What design should you recommend?

Question 162 (medium, multiple choice)

Refer to the exhibit. The NSG is applied to a subnet containing a web server. The web server is not receiving HTTP traffic. What is the most likely cause?

Exhibit

```json
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2023-09-01",
  "name": "nsg-web",
  "properties": {
    "securityRules": [
      {
        "name": "AllowHTTP",
        "properties": {
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "80",
          "sourceAddressPrefix": "Internet",
          "destinationAddressPrefix": "*",
          "access": "Allow",
          "priority": 100,
          "direction": "Inbound"
        }
      },
      {
        "name": "DenyAllOther",
        "properties": {
          "protocol": "*",
          "sourcePortRange": "*",
          "destinationPortRange": "*",
          "sourceAddressPrefix": "*",
          "destinationAddressPrefix": "*",
          "access": "Deny",
          "priority": 1000,
          "direction": "Inbound"
        }
      }
    ]
  }
}
```
Question 163 (easy, multiple choice)

A company is implementing a zero-trust network for their Azure environment. They want to ensure that only authenticated and authorized users can access specific VMs, regardless of network location. Which Azure service should they use?

Question 164 (hard, multiple choice)

Your organization uses Microsoft Sentinel to monitor security events. You need to design a solution that alerts when a user account is created and then used to log in from a different country within 1 hour. Which KQL query structure should you use?

Question 165 (medium, multiple choice)

Refer to the exhibit. The NSG is applied to a subnet containing Azure SQL databases. You notice that traffic from the internet to the databases is not being denied. What is the most likely reason?

Exhibit

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2023-09-01",
      "name": "nsg-db",
      "properties": {
        "securityRules": [
          {
            "name": "DenySQLFromInternet",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "1433",
              "sourceAddressPrefix": "Internet",
              "destinationAddressPrefix": "VirtualNetwork",
              "access": "Deny",
              "priority": 100,
              "direction": "Inbound"
            }
          }
        ]
      }
    }
  ]
}
```
Question 166 (easy, multiple choice)

Your company uses Azure DevOps to deploy infrastructure. You need to ensure that all deployed resources have specific tags for cost tracking. Which Azure policy effect should you use to prevent deployment of untagged resources?

Question 167 (hard, multiple choice)

A global company with branches worldwide wants to secure access to Azure resources using a zero-trust approach. They require that all access requests be authenticated, authorized, and encrypted, and that the user's device must be compliant with corporate policies. Which combination of services should they use?

Question 168 (medium, multi select)

Which TWO of the following are valid methods to secure Azure Kubernetes Service (AKS) workloads?

Question 169 (hard, multi select)

Which THREE of the following are best practices for designing a secure hybrid network architecture with Azure?

Question 170 (easy, multi select)

Which TWO of the following are features of Azure DDoS Protection?

Question 171 (medium, multiple choice)

Refer to the exhibit. A company applies this Azure Policy to their subscription. An administrator tries to create a VM with a public IP address. What will happen?

Exhibit

```json
{
  "properties": {
    "displayName": "Deny public IP on NICs",
    "policyType": "Custom",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].publicIPAddress.id",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  }
}
```
Question 172 (hard, multiple choice)

Your organization uses Azure SQL Database with Azure AD authentication. You need to ensure that database administrators (DBAs) can only perform management tasks from a specific Azure region and only during business hours. Which solution should you use?

Question 173 (easy, multiple choice)

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that user passwords are synchronized securely and that password changes on-premises are reflected in the cloud quickly. Which tool should you configure?

Question 174 (medium, multiple choice)

Your organization is deploying Microsoft Defender for Cloud to secure a hybrid environment with workloads in Azure and on-premises. You need to ensure that all servers are covered by Defender for Cloud's plans. Which two actions should you take?

Question 175 (hard, multiple choice)

You are designing a network security solution for a multi-tier application in Azure that must meet PCI DSS compliance. You need to restrict traffic between tiers to only necessary ports and protocols. You also need to log all denied traffic for auditing. What is the most efficient design?

Question 176 (easy, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaces[*].id"
        }
      }
    }
  }
}
```
Question 177 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud to manage security across multiple subscriptions. You need to ensure that all subscriptions have at least one Defender plan enabled, and you want to enforce this centrally using Azure Policy. What is the best approach?

Question 178 (hard, multiple choice)

Your organization is planning to use Azure Bastion for secure RDP/SSH access to Azure VMs. You need to ensure that Bastion can reach the VMs in a spoke virtual network that is connected to a hub via VNet peering. The hub has an Azure Firewall. What is the minimal configuration required?

Question 179 (easy, multiple choice)

You are designing a secure access solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that only authorized users can access the Kubernetes API server. Which authentication method should you use?

Question 180 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. You need to integrate MDI with Microsoft Sentinel to centralize detection and response. What is the required configuration?

Question 181 (hard, multiple choice)

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are designing a solution to protect against password spray attacks. You need to implement a solution that can detect and block malicious authentication attempts in real-time. What should you use?

Question 182 (medium, multiple choice)

You are designing a secure CI/CD pipeline for Azure using GitHub Actions. You need to ensure that secrets (e.g., Azure service principal credentials) are stored securely and accessed only by authorized actions. What should you use?

Question 183 (medium, multi select)

Your organization is designing a Microsoft Sentinel workspace for a multi-region deployment. You need to optimize cost while ensuring that security data is available for investigation in the primary region. Which TWO actions should you take?

Question 184 (hard, multi select)

You are designing a secure data exfiltration protection solution for Azure Storage accounts. You need to prevent data from being copied to unauthorized external locations. Which THREE controls should you implement?

Question 185 (easy, multi select)

Your company is planning to use Microsoft Intune for mobile device management (MDM). You need to ensure that devices are compliant before accessing corporate resources. Which TWO components should you configure?

Question 186 (hard, multiple choice)

You are a security architect for a large financial services company. The company has a hybrid identity infrastructure with on-premises Active Directory and Microsoft Entra ID (Azure AD). They have recently suffered a password spray attack that compromised several accounts. Management wants to implement a Zero Trust security model and has mandated the following requirements:

1. All user authentication must be protected by phishing-resistant MFA.
2. Legacy authentication protocols must be blocked.
3. All sign-in risks must be detected and automatically remediated.

The current environment includes:

- Microsoft 365 E5 licenses for all users.
- Microsoft Entra ID P2 licenses.
- On-premises Active Directory with password hash sync.
- Azure AD Application Proxy for publishing on-premises apps.
- A third-party VPN solution for remote access.

You need to design a solution that meets the requirements. What should you do?

Question 187 (medium, multiple choice)

You are a security architect for a software development company. The company uses GitHub for source control and Azure DevOps for CI/CD. They have a large number of repositories and want to ensure that secrets (e.g., API keys, connection strings) are never committed to code. They also want to scan pull requests for secrets before merging. The company has Microsoft Defender for Cloud and Microsoft Purview available. You need to design a solution that prevents secret leaks. What should you use?

Question 188 (easy, multiple choice)

You are a security architect for a retail company that uses Microsoft 365 and Azure. The company has a large number of remote employees who use both company-managed and personal devices. You need to design a solution to ensure that only compliant devices can access corporate email (Exchange Online) and files (SharePoint Online). The company has Microsoft Intune and Microsoft Entra ID P1 licenses. You need to implement device-based conditional access. What should you do?

Question 189 (medium, multiple choice)

Your organization plans to use Microsoft Defender for Cloud to protect hybrid workloads across Azure and on-premises servers. You need to ensure that security policies are consistently applied and that compliance status is monitored centrally. What should you configure?

Question 190 (hard, multiple choice)

A company uses Microsoft Sentinel for SIEM and SOAR. You need to design a solution to detect and automatically respond to ransomware attacks involving mass file encryption on Windows servers. The response must include isolating the compromised server from the network, creating a backup of affected files, and resetting the user account's password. Which automation approach minimizes manual intervention?

Question 191 (easy, multiple choice)

Your company is deploying Azure Kubernetes Service (AKS) and needs to secure container workloads. You must ensure that only approved container images from a trusted Azure Container Registry (ACR) can be deployed. What should you implement?

Question 192 (medium, multiple choice)

You are designing a secure access solution for a manufacturing company's IoT devices that send telemetry to Azure IoT Hub. The devices run on a private network with no internet access except through a firewall. You need to ensure that device-to-cloud communication is authenticated and encrypted, and that device credentials are rotated regularly. What should you include in the design?

Question 193 (hard, multiple choice)

A multinational corporation uses Microsoft Entra ID for identity and Microsoft Defender for Cloud Apps for SaaS app governance. The security team wants to deploy a conditional access policy that blocks access from untrusted locations for all cloud apps except Microsoft 365, which should only be blocked if the device is not compliant. How should you configure the policy?

Question 194 (easy, multiple choice)

You are designing a secure remote access solution for employees using Windows 10/11 devices that are managed by Microsoft Intune. The solution must enforce device compliance before allowing access to corporate resources and must support single sign-on (SSO). Which technology should you use?

Question 195 (medium, multiple choice)

Your organization uses Azure SQL Database and needs to protect sensitive data from being exported by unauthorized users. You must implement a solution that prevents users from copying data to clipboard or taking screenshots of query results, while allowing legitimate business operations. What should you implement?

Question 196 (hard, multiple choice)

A company is migrating its on-premises Active Directory to Microsoft Entra ID. They have line-of-business applications that use Windows Integrated Authentication. You need to design a solution that allows users to access these applications from domain-joined devices without prompting for credentials, while also supporting hybrid identity. What should you implement?

Question 197 (easy, multiple choice)

You are designing a backup strategy for Azure virtual machines that host a mission-critical application. The solution must support daily backups with a retention of 30 days for daily backups, weekly backups retained for 12 weeks, and monthly backups retained for 3 years. What should you use?

Question 198 (medium, multi select)

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement using pass-the-hash attacks. Which TWO data sources should you enable for ingestion into Microsoft Sentinel to detect such attacks?

Question 199 (hard, multi select)

You are designing a secure CI/CD pipeline for deploying infrastructure as code (ARM templates) to Azure. The solution must detect drift from the desired state and prevent deployment of non-compliant resources. Which THREE Azure services should you incorporate?

Question 200 (easy, multi select)

A company wants to secure its Azure Kubernetes Service (AKS) cluster. They need to ensure that pods cannot communicate with each other unless explicitly allowed, and that secrets are encrypted at rest. Which TWO security controls should they implement?

Question 201 (hard, multiple choice)

Your organization is a large financial services company with a hybrid infrastructure consisting of on-premises servers and Azure IaaS. You are tasked with designing a security solution for infrastructure that meets the following requirements:

- All administrative access to Azure resources must be just-in-time (JIT) and just-enough-access (JEA).
- All on-premises servers must be managed centrally with consistent security policies.
- All network traffic between on-premises and Azure must be encrypted and inspected for threats.
- All privileged access must be monitored and audited.

You have the following services available: Microsoft Entra ID, Microsoft Defender for Cloud, Azure Firewall, Azure Bastion, Microsoft Sentinel, Azure Arc, Azure Policy, Microsoft Defender for Identity, and Microsoft Entra Privileged Identity Management (PIM). Which combination of services should you use to meet all requirements?

Question 202 (medium, multiple choice)

You are a security architect for a healthcare organization that is adopting Microsoft 365 and Azure. The organization must comply with HIPAA and has the following requirements:

- All users must use multi-factor authentication (MFA) when accessing Microsoft 365 from outside the corporate network.
- Mobile devices must be managed and must be compliant before accessing email.
- Access to Azure virtual machines must be limited to specific admin users and must be audited.
- All sensitive data stored in Azure SQL Database must be encrypted at rest and in transit.

You have the following technologies: Microsoft Entra ID, Microsoft Intune, Azure SQL Database, Azure Policy, Azure Key Vault, Microsoft Defender for Cloud, and Azure Bastion. Which combination of services and configurations should you implement?

Question 203 (easy, multiple choice)

You are designing a security solution for a small business that uses Azure App Services to host a web application. The business has the following requirements:

- The web application must be protected against common web vulnerabilities like SQL injection and cross-site scripting (XSS).
- All traffic to the application must be encrypted.
- The solution should be cost-effective and require minimal management overhead.
- The application must be able to scale automatically based on demand.

Which Azure service should you use to meet these requirements?

Question 204 (medium, multiple choice)

Your organization is planning to deploy Microsoft Defender for Cloud to protect a hybrid environment that includes on-premises servers and Azure virtual machines. You need to ensure that the security recommendations and threat detections are consistently applied across all resources. What should you configure?

Question 205 (hard, multiple choice)

Your company uses Azure Firewall to secure outbound traffic from a hub virtual network that contains multiple spoke virtual networks. You need to implement a solution that allows traffic from specific spoke VMs to reach a specific external SaaS endpoint, while blocking all other outbound traffic. The SaaS endpoint uses a dynamic set of IP addresses that change frequently. What should you do?

Question 206 (easy, multiple choice)

Your organization is deploying a new application on Azure Kubernetes Service (AKS). You need to ensure that only authorized containers can run in the cluster and that any unauthorized containers are automatically blocked. What should you configure?

Question 207 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription containing several virtual machines. After the assignment, users report that they cannot create new VMs. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
Question 208 (medium, multi select)

Your company plans to use Microsoft Defender for Cloud to protect its Azure resources. You need to enable just-in-time (JIT) VM access to reduce the attack surface. Which TWO configurations are required to implement JIT access?

Question 209 (hard, multi select)

Your organization is implementing a defense-in-depth strategy for a multi-tier application hosted on Azure. You need to secure the network layers. Which THREE measures should you implement?

Question 210 (easy, multi select)

You are designing a secure infrastructure for an Azure Kubernetes Service (AKS) cluster that will host sensitive workloads. Which TWO configurations should you implement to secure the cluster?

Question 211 (hard, multi select)

Your company is planning to use Azure Policy to enforce security compliance across multiple subscriptions. You need to define a set of policies that will be applied to all subscriptions. Which THREE components should you include in your policy assignment?

Question 212 (hard, multiple choice)

You are the security architect for a company that has a hybrid identity infrastructure with Microsoft Entra ID (formerly Azure AD) and an on-premises Active Directory Domain Services (AD DS) forest. The company is planning to migrate several line-of-business (LOB) applications to Azure Virtual Machines. The applications currently use Windows Integrated Authentication (WIA) and rely on Kerberos delegation. You need to design a solution that allows the Azure VMs to authenticate on-premises users and access on-premises resources using Kerberos constrained delegation (KCD) without exposing on-premises domain controllers to the internet. The solution must minimize latency and administrative overhead. You have configured Azure ExpressRoute for connectivity between the on-premises network and Azure. What should you do?

Question 213 (medium, multiple choice)

Your organization is using Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. You need to ensure that all virtual machines in the subscriptions are monitored by Defender for Cloud and that security alerts are sent to the security operations team. You also need to enforce that any new VMs are automatically onboarded to Defender for Cloud. You have a Log Analytics workspace in the central subscription. What should you do?

Question 214 (easy, multiple choice)

Your company is deploying a critical application on Azure App Service. You need to secure the application by restricting access to only users within your organization. The application should be accessible from both corporate-managed devices and personal devices that are enrolled in Microsoft Intune. You want to use Microsoft Entra ID for authentication and require that users authenticate using multi-factor authentication (MFA). What should you configure?

Question 215 (hard, multiple choice)

Your organization uses Azure SQL Database for a sensitive financial application. You need to implement a defense-in-depth strategy to protect the database. The requirements are:

1. All connections to the database must be encrypted in transit.
2. Only specific Azure services and on-premises IP ranges should be allowed to connect.
3. Database administrators should be able to view the database schema but not the actual data.
4. Auditing must be enabled for all data access.

What combination of features should you implement?

Question 216 (medium, multiple choice)

Your company has an Azure subscription that contains multiple virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with your organization's security baseline. The security baseline includes specific registry key settings, password policies, and service configurations. You want to continuously monitor and automatically remediate non-compliant VMs. What should you implement?

Question 217 (easy, multiple choice)

Your organization is using Microsoft Sentinel to collect security logs from multiple sources, including Azure Activity Logs, Office 365 Audit Logs, and on-premises Windows Event Logs. You need to ensure that security incidents are automatically created when a user from a specific IP address attempts to access a sensitive application. You have already configured the data connectors. What should you create?

Question 218 (medium, multiple choice)

Your company has a Microsoft 365 E5 subscription and uses Microsoft Defender for Office 365. You need to protect users from phishing attacks that use malicious links in email messages. The solution should allow users to report suspicious emails to the security team for analysis. You also want to automatically block repeated phishing attempts from the same sender. What should you configure?

Question 219 (easy, multi select)

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement attempts using pass-the-hash attacks. Which TWO data sources should you enable in Microsoft Sentinel to best detect this activity?

Question 220 (medium, multi select)

Your company is deploying Microsoft Sentinel in a government agency that requires strict data residency. You need to ensure that all Sentinel data is stored within the United States. Which THREE actions must you take to meet this requirement?

Question 221 (hard, multi select)

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to design a solution for hybrid identity that supports seamless SSO for legacy applications that require Kerberos authentication. Which THREE components should you include in your design?

Question 222 (medium, multi select)

Your company uses Microsoft Intune to manage Windows 10 devices. You need to design a security baseline that ensures devices meet the organization's security requirements, including BitLocker encryption, Windows Defender Firewall rules, and Microsoft Defender for Endpoint settings. Which TWO Intune features should you use to apply these configurations?

Question 223 (easy, multi select)

Your organization is adopting a Zero Trust security model. You need to design a solution for secure remote access to on-premises applications that eliminates VPNs. Which TWO Microsoft technologies should you use?

Question 224 (hard, multi select)

Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to design a security solution that includes network segmentation, threat detection, and secret management. Which THREE Azure services should you include?

Question 225 (medium, multiple choice)

You are a security architect at a global manufacturing company. The company uses a hybrid infrastructure with on-premises Active Directory and Azure. They have recently deployed Microsoft Sentinel as their SIEM. The security team wants to detect and investigate ransomware attacks that spread via SMB. The CISO has requested a solution that can automatically block malicious IPs at the network level and provide forensic evidence. You need to design a solution that meets these requirements with minimal manual intervention. What should you include in your design?

Question 226 (hard, multiple choice)

You are designing a security solution for a financial services company that uses Microsoft 365 E5 and Azure. They have 10,000 users and 500 servers. They need to implement a Zero Trust network strategy that includes microsegmentation, identity-based access, and continuous monitoring. The solution must work across on-premises and cloud workloads. They also require that all access to critical servers is logged and audited. What should you include in your design?

Question 227 (easy, multiple choice)

Your organization uses Microsoft Intune to manage iOS and Android devices. You need to ensure that corporate data on these devices is protected in case the device is lost or stolen. The security policy requires that corporate data be automatically removed from the device when it is reported lost, while personal data remains intact. The devices are enrolled in Intune with user affinity. What should you configure?

Question 228 (medium, multiple choice)

Your company is designing a secure DevOps pipeline using Azure DevOps. You need to ensure that secrets (e.g., API keys) are stored securely and scanned for leaks in code repositories. The solution must integrate with Azure Policy to prevent deployment if secrets are exposed. You also need to enforce that only approved branches can deploy to production. What should you implement?

Question 229 (hard, multiple choice)

Your organization is deploying Azure SQL Managed Instance (SQL MI) with sensitive financial data. You need to design a security solution that includes data encryption at rest and in transit, threat detection, and fine-grained access control. The solution must also ensure that database administrators (DBAs) cannot access the data. What should you include?

Question 230 (easy, multiple choice)

Your company uses Microsoft 365 Defender (XDR) for endpoint detection and response. You need to design a solution to automatically remediate malware infections on Windows 10 devices. The solution should isolate the device from the network, run a full antivirus scan, and reset the device if the infection cannot be cleaned. What should you configure?

Question 231 (medium, multiple choice)

Your organization is implementing a privileged access workstation (PAW) strategy for administrators managing Azure resources. The PAWs are Windows 11 devices enrolled in Intune. You need to ensure that only approved applications can run on PAWs, and that device users cannot disable security features. The solution must also enforce that PAWs are used exclusively for administrative tasks. What should you configure?
