AZ-204 domain
Implement Azure security
Use this page to practise AZ-204 Implement Azure security questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
Focused practice
Start an Implement Azure security session
All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.
What the exam tests
What to know about Implement Azure security
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
IaaS, PaaS and SaaS responsibilities and examples.
Public, private, hybrid and community cloud deployment models.
On-premises vs cloud trade-offs: cost, control, scalability.
How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.
Question index
All Implement Azure security questions (57)
Click any question to see the full explanation, or start a practice session above.
1. You have multiple Azure virtual machines that need to access the same Azure Key Vault to retrieve certificates. You want to minimize administrative overhead while ensuring each VM can authenticate without managing credentials. Which identity type should you use?
2. A developer accidentally deleted a secret from Azure Key Vault. Soft-delete is enabled with a retention period of 90 days. After 60 days, you attempt to recover the secret. What should you do?
3. A company stores sensitive data in an Azure Storage account. They need to restrict access based on the client's IP address and require that clients use a valid SAS token. Which mechanism should they use?
4. You are developing an application that stores user secrets. You need to ensure that the secrets are encrypted at rest and rotated automatically. Which Azure service should you integrate?
5. You have an Azure Function app that needs to retrieve a secret from Azure Key Vault at runtime. You want to avoid storing any credentials in code or configuration. Which mechanism should you use?
6. A developer deleted a secret from Azure Key Vault with soft-delete and purge protection enabled (retention 90 days). After 50 days, the secret is needed again. What is the correct recovery method?
7. A developer needs to grant an Azure Function read access to secrets in Azure Key Vault without storing any credentials in the function code or configuration. Which approach should they use?
8. A company has an Azure Storage account that stores sensitive data. They need to ensure that all access to the storage account is secured using Microsoft Entra ID authentication and that no storage account keys are used. Which configuration should be applied to enforce this?
9. A company stores secrets (e.g., connection strings) in Azure Key Vault and needs them automatically rotated every 90 days. Which solution should they implement?
10. Your company uses Azure Key Vault to store secrets. You need to ensure that if a secret is deleted, it can be recovered within 30 days. Which Key Vault feature should you enable?
11. Your company stores sensitive documents in an Azure Storage account. You need to ensure that only authorized Microsoft Entra ID users can read the documents, and that shared keys (account access keys) cannot be used. Which two steps must you take? (Choose the most appropriate single answer that describes the combined action.)
12. You deploy a web application in Azure App Service. You need to authenticate users via Microsoft Entra ID with minimal custom code. Which App Service feature should you configure?
13. Your company stores API keys and connection strings in Azure Key Vault. You need to grant an Azure Function read access to these secrets using the principle of least privilege. Which identity type should you assign to the Function App?
14. You are developing an Azure Function that reads secrets from Azure Key Vault. The function must not use any static credentials in configuration files. You need to authenticate to Key Vault using the function's own identity. Which Azure service feature should you enable?
15. Your company stores customer payment data in an Azure SQL Database. You need to ensure that only the application's managed identity can access the database, and no SQL logins or passwords are used. Which authentication method should you configure?
16. Your company uses Azure Key Vault to manage encryption keys for data at rest in Azure Storage. You need to ensure that the storage account uses a customer-managed key (CMK) stored in Key Vault. Additionally, you need to periodically rotate the key automatically. Which configuration should you implement?
17. Your company uses Azure App Service to host a web application. You need to allow only authenticated users from your Microsoft Entra ID tenant to access the app, without writing any authentication code. Which feature should you configure?
18. Your company stores secrets in Azure Key Vault. You need to ensure that when a secret is disabled, it does not become accessible to applications that already have a cached copy. Which additional step must you take?
19. You are developing a web API that must authenticate requests using Microsoft Entra ID and OAuth 2.0 bearer tokens. You want to validate the token in your API code. Which library should you use?
20. You are developing a web API hosted on Azure App Service. The API must authenticate requests using Microsoft Entra ID OAuth 2.0 bearer tokens. You want to validate the token in your ASP.NET Core API code with minimal custom validation logic. Which library should you use?
21. Your company uses Azure Key Vault to store secrets. You need to ensure that only a specific Microsoft Entra ID application can read a particular secret, while other applications are denied access. You want to apply the principle of least privilege. Which access control method should you configure?
22. You need to restrict access to an Azure Storage account so that only a specific subnet of a virtual network can access the data. Additionally, you need to allow management access from the Azure portal (e.g., to view containers). Which configuration should you apply?
23. You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not present in Microsoft Entra ID. The role mappings are dynamic and stored in an application database. How should you implement authorization?
24. You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The API needs to call a downstream API (also secured by Microsoft Entra ID) on behalf of the signed-in user (On-Behalf-Of flow). You have already configured the web API to authenticate users with Microsoft.Identity.Web. How should you implement the token acquisition for the downstream API?
25. You are developing an ASP.NET Core web API that is hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You want to avoid storing any credentials in the application code or configuration. Which approach should you use?
26. You are designing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not defined in Microsoft Entra ID app roles or groups. The role mappings are dynamic and stored in an application database. How should you implement authorization in the API?
27. You are developing an ASP.NET Core web app that uses Azure SQL Database. The SQL connection string contains a password that must be rotated every 30 days. The app runs on Azure App Service. You want to store the connection string securely and enable automatic rotation without redeploying the app. Which approach should you use?
28. You are using Azure API Management (APIM) to expose a REST API. The backend API requires mutual TLS (client certificate) for authentication. The client certificate is stored in Azure Key Vault. You need to configure APIM to use this certificate when calling the backend, without exposing the certificate contents in the policy files. Which APIM feature and policy should you use?
29. You are developing an ASP.NET Core web API hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You have enabled a system-assigned managed identity for the App Service. Which code should you use to create the Key Vault SecretClient?
30. You have an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault. You need to grant the app the minimum required permissions to access the secret. Which RBAC role should you assign to the managed identity at the Key Vault scope?
31. You deploy an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault to connect to a third-party service. You want to grant the minimum required permissions to the managed identity. Which Azure RBAC role should you assign to the managed identity at the Key Vault scope?
32. You are developing an ASP.NET Core web API that uses Microsoft Entra ID for authentication via Microsoft.Identity.Web. The application needs to authorize actions based on custom roles such as "Editor" and "Reviewer". These roles are not defined in Microsoft Entra ID app roles or directory roles; instead, they are stored in an application database and can be assigned dynamically by administrators. You need to implement authorization with minimal impact on performance and without modifying the application's authentication flow. Which approach should you use?
33. Your company has an application running on Azure Virtual Machines that needs to access secrets in Azure Key Vault. You want to restrict network access to the Key Vault so that only the virtual network/subnet containing the VMs can reach it. You also want to ensure that the solution works with the least management overhead. Which configuration should you use?
34. Your company has several Azure subscriptions, and you need to create a custom role that allows security engineers to start and stop Azure virtual machines but not delete them or modify their network interfaces. The role must be scoped to a specific resource group. How should you define this custom role?
35. You have an Azure App Service web app that uses a system-assigned managed identity. The web app needs to authenticate to an Azure SQL Database to read and write data. You want to use the managed identity to avoid storing credentials in connection strings. Which steps are required to configure this access?
36. You are building a web application that uses Microsoft Entra ID for authentication. The application needs to call Microsoft Graph API to read user profiles and send emails on behalf of the signed-in user. You want to ensure that the user's consent is obtained only once and that the application can refresh tokens silently. Which OAuth 2.0 flow should you implement?
37. You have an Azure App Service that uses a system-assigned managed identity. You need to grant it permission to read a secret from Azure Key Vault. Which RBAC role should you assign at the Key Vault scope?
38. You need to create a custom RBAC role that allows a security group to start and stop Azure virtual machines in a specific resource group, but not delete them or modify their network interfaces. Which set of actions should you include in the role definition?
39. You have an Azure App Service web app with a system-assigned managed identity. You need to grant it permission to read secrets from an Azure Key Vault. Which RBAC role should you assign to the managed identity at the Key Vault scope?
40. You are developing an API that uses managed identity to access Azure Key Vault. The API runs in an Azure App Service with system-assigned managed identity enabled. You need to retrieve a secret value. Which API endpoint should your code call?
41. You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?
42. A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?
43. A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used?
44. An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request?
45. A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required?
46. A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?
47. A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The design must avoid adding custom operational scripts.
48. An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The design must avoid adding custom operational scripts.
49. A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The design must avoid adding custom operational scripts.
50. A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.
51. A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The architecture review board prefers a managed AWS-native control.
52. An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The architecture review board prefers a managed AWS-native control.
53. A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The architecture review board prefers a managed AWS-native control.
54. A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.
55. A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The team wants the control to be enforceable during normal operations.
56. An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The team wants the control to be enforceable during normal operations.
57. A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The team wants the control to be enforceable during normal operations.
Watch out for
Common Implement Azure security exam traps
- IaaS gives you infrastructure control; SaaS gives you only the application.
- Hybrid cloud combines on-premises and public cloud — not two public clouds.
- Cloud does not automatically mean cheaper or more secure.
- Management responsibility shifts with each service model (IaaS → PaaS → SaaS).
Frequently asked questions
- What does the Implement Azure security domain cover on the AZ-204 exam?
- Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
- How many questions are in this domain?
- This page lists all 57 Implement Azure security questions in the AZ-204 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Implement Azure security questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.