CCNA Azure Security Questions

75 of 178 questions · Page 1/3 · Azure Security topic · Answers revealed

1
MCQ · easy

You are deploying an Azure Kubernetes Service (AKS) cluster. You need to ensure that pods can access Azure resources (e.g., Azure Storage) using a managed identity without storing credentials. What should you configure?

A. Use Azure AD Workload Identity for Kubernetes (or aad-pod-identity) to assign managed identities to pods.
B. Configure Azure AD integration on the AKS cluster for user authentication.
C. Create a service principal and distribute its secret to pods as a Kubernetes secret.
D. Enable managed identity on the AKS cluster and use cluster-level identity.
Answer: A

This allows pods to authenticate to Azure services without secrets.

Why this answer

Option A is correct because AKS can use pod-managed identities (via aad-pod-identity or Workload Identity) to assign managed identities to pods. Option D is wrong because AKS does not have a built-in managed identity for pods; the cluster-level identity is for the cluster itself. Option C is wrong because service principals require secret management.

Option B is wrong because Azure AD integration is for user authentication, not pod identity.

2
MCQ · medium

A company stores sensitive data in Azure Blob Storage. They require that all access to the storage account be authenticated via Microsoft Entra ID and that users must have the 'Storage Blob Data Reader' role assigned. A developer reports being unable to read blobs using the Azure portal despite having the role assigned. What is the most likely cause?

A. The storage account firewall is blocking the user's IP address.
B. The user does not have the Azure RBAC Reader role on the storage account's resource group to view the storage account in the portal.
C. The storage account is using a system-assigned managed identity for authentication.
D. The role is assigned at the storage account scope but the user is trying to access a different storage account.
Answer: B

The portal requires Reader role to list resources, in addition to data permissions.

Why this answer

Option B is correct because the Azure portal uses both control-plane (RBAC) and data-plane permissions; even with Storage Blob Data Reader, if the user lacks a Reader role at the subscription or resource group level, they cannot navigate to the storage account. Option C is wrong because managed identity is not involved. Option A is wrong because firewall settings would affect all users.

Option D is wrong because the role assignment is correct.

3
MCQ · easy

Your Azure App Service app must access Azure Key Vault secrets without storing credentials in code. Which service should you use to manage identities?

A. Service principal with client secret
B. Managed identity
C. Storage account access key
D. Client certificate
Answer: B

Managed identities eliminate the need for credentials.

Why this answer

Option B is correct because managed identities provide an automatically managed identity for Azure resources to access Key Vault securely. Option A is wrong because service principals require manual credential management. Option D is wrong because certificates still require storage.

Option C is wrong because shared access keys are for storage, not Key Vault.

4
Multi-Select · hard

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. Which THREE components must be configured in the App Service authentication settings?

Select 3 answers
A. Client ID
B. Allowed token audiences
C. Issuer URL
D. Client secret
E. Tenant ID
Answers: A, B, C

Required to identify the application.

Why this answer

Option A is correct because the client ID identifies the application to Entra ID. Option C is correct because the issuer URL tells App Service where to validate tokens. Option B is correct because allowed token audiences ensure the token is intended for this app.

Option D is wrong because a client secret is optional for some flows. Option E is wrong because the tenant ID is part of the issuer URL.

5
MCQ · easy

You have an Azure App Service web app with a system-assigned managed identity. You need to grant it permission to read secrets from an Azure Key Vault. Which RBAC role should you assign to the managed identity at the Key Vault scope?

A. Key Vault Secrets User
B. Key Vault Reader
C. Key Vault Crypto User
D. Contributor
Answer: A

This role allows reading secret contents, which is exactly what you need.

Why this answer

The system-assigned managed identity needs to read secrets from Key Vault. The 'Key Vault Secrets User' role grants exactly that permission — it allows the identity to perform secret read operations (Get, List) on the secrets in the vault. This is the correct RBAC role for read-only access to secrets, as opposed to keys or certificates.

Exam trap

The trap here is that candidates often confuse 'Key Vault Reader' (which only reads vault metadata, not secrets) with the actual data-plane role needed for secret access, or they mistakenly choose a broad role like 'Contributor' thinking it includes secret read permissions.

How to eliminate wrong answers

Option B is wrong because 'Key Vault Reader' only allows listing and reading the metadata of the vault itself (e.g., vault properties, tags), not the actual secret values. Option C is wrong because 'Key Vault Crypto User' grants permissions for cryptographic operations on keys (e.g., encrypt, decrypt, sign, verify), not for reading secrets. Option D is wrong because 'Contributor' is a general Azure RBAC role that grants full management access to the Key Vault resource (including creating/deleting vaults and changing access policies), which is far more permissive than needed and violates the principle of least privilege.

6
MCQ · medium

You are deploying a web app to Azure App Service that must use a custom domain with TLS/SSL. You have purchased an SSL certificate from a third-party CA. How should you upload and bind the certificate to the custom domain?

A. Place the certificate files in the wwwroot folder of the app and configure the web.config.
B. Import the certificate into Azure Key Vault and reference it from App Service.
C. Upload the .cer file to the App Service and let Azure generate the private key.
D. Upload the .pfx file to the App Service TLS/SSL settings and bind it to the custom domain.
Answer: D

The .pfx format includes the private key, which is required for TLS binding.

Why this answer

Option D is correct because App Service requires the certificate to be uploaded as a .pfx file with the private key. Option C is wrong because .cer files do not contain the private key. Option A is wrong because certificate files should not be placed in the app's wwwroot folder.

Option B is wrong because Key Vault integration is optional, not required.

7
Multi-Select · easy

Which TWO methods can you use to authenticate an Azure App Service web app to Azure SQL Database without storing credentials in code? (Choose two.)

Select 2 answers
A. Store the SQL connection string in Azure Key Vault and use a Key Vault reference in the app settings.
B. Enable a system-assigned managed identity on the App Service and grant it access to the database.
C. Use a connection string with a SQL username and password.
D. Use a service principal with a client secret stored in app settings.
E. Use a client certificate installed on the App Service.
Answers: A, B

Credentials are retrieved securely at runtime.

Why this answer

Options A and B are correct. Managed identity allows the app to authenticate without credentials. Azure Key Vault can store credentials and the app retrieves them at runtime.

Option C is wrong because connection strings with passwords expose credentials. Option D is wrong because a service principal with a client secret requires storing the secret. Option E is wrong because certificate authentication requires certificate management.

8
MCQ · medium

Your company uses Microsoft Defender for Cloud. You need to receive alerts when a user modifies a Key Vault access policy. What should you configure?

A. Create an Azure Policy to audit access policy changes
B. Configure Microsoft Sentinel to monitor Key Vault
C. Enable Key Vault logging and query logs
D. Set up an activity log alert on the Key Vault
Answer: D

Activity log alerts trigger on specific operations like write to access policy.

Why this answer

Azure Policy can audit or enforce specific configurations, but for real-time alerts you should use Azure Monitor alerts on activity log events. Option A is wrong because Azure Policy can be used to audit but not to alert in real time. Option C is wrong because Key Vault logging is for audit, not real-time alerts.

Option B is wrong because Microsoft Sentinel is a SIEM that can ingest logs but is not the simplest solution for alerting on activity log events.

9
MCQ · hard

Your company uses Azure API Management to expose APIs to external partners. You need to validate that each incoming request includes a valid JSON Web Token (JWT) issued by your Microsoft Entra ID tenant, and reject requests without valid tokens. What should you configure?

A. Configure an OAuth 2.0 authorization server in API Management
B. Require a subscription key for each API
C. Use an IP access restriction policy
D. Add a validate-jwt policy in the inbound processing policy
Answer: D

The validate-jwt policy validates the JWT token and rejects invalid or missing tokens.

Why this answer

Option D is correct because a validate-jwt policy in the inbound processing pipeline checks the token before the request reaches the backend. Option A is wrong because OAuth 2.0 authorization server doesn't validate tokens per request. Option B is wrong because subscription keys are not tokens.

Option C is wrong because IP filtering does not validate tokens.

10
MCQ · easy

Refer to the exhibit. You have a custom RBAC role definition. A user assigned this role reports they can read, write, and delete blobs, but cannot list the containers in the storage account. What is the most likely reason?

A. The role does not grant delete permissions on containers.
B. The role lacks dataActions for reading blobs.
C. The user does not have the Reader role on the storage account to navigate in the Azure portal.
D. The role does not include the action to list containers.
Answer: C

Portal requires Reader role to list resources.

Why this answer

Option C is correct because the role includes the container read permission (Microsoft.Storage/storageAccounts/blobServices/containers/read), which allows listing containers. However, the user may not have the Reader role at the storage account level to see the storage account in the portal. Option B is wrong because dataActions for blobs are included.

Option A is wrong because the role includes delete for containers and blobs. Option D is wrong because the actions include container read.

11
MCQ · hard

You are designing a solution for a multi-tenant SaaS application where each tenant's data is stored in separate Azure SQL databases. You need to ensure that no tenant can access another tenant's database, even if the application is compromised. What should you implement?

A. Configure a server-level firewall rule for each tenant's IP range
B. Assign each tenant a managed identity with a dedicated SQL login and database-level permissions
C. Implement connection pooling with a single identity
D. Use a single database-level login and row-level security (RLS) to filter data
Answer: B

This ensures each tenant can only access their own database.

Why this answer

Option B is correct because using a per-tenant managed identity with a separate SQL login and database-level permissions ensures isolation. Option D is wrong because a single identity with row-level security is vulnerable if the app is compromised. Option C is wrong because connection pooling does not enforce isolation.

Option A is wrong because a server-level firewall does not prevent app-layer attacks.

12
MCQ · hard

You are building a web application that uses Microsoft Entra ID for authentication. The application needs to call Microsoft Graph API to read user profiles and send emails on behalf of the signed-in user. You want to ensure that the user's consent is obtained only once and that the application can refresh tokens silently. Which OAuth 2.0 flow should you implement?

A. OAuth 2.0 Client Credentials flow.
B. OAuth 2.0 Implicit Grant flow.
C. OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange).
D. OAuth 2.0 Resource Owner Password Credentials (ROPC) flow.
Answer: C

This flow is secure for web apps, provides refresh tokens for silent renewal, and obtains user consent during the initial authentication. It is the recommended flow by Microsoft for web applications calling APIs on behalf of users.

Why this answer

The Authorization Code flow with PKCE is the recommended OAuth 2.0 flow for public client applications (like single-page apps or mobile apps) that need delegated access to Microsoft Graph. It allows the application to obtain an authorization code, exchange it for an access token and a refresh token, and use the refresh token to silently acquire new tokens without requiring the user to re-consent. This flow ensures that user consent is obtained only once and supports silent token refresh, meeting the requirements.

Exam trap

The trap here is that candidates often confuse the Client Credentials flow (which is for app-only access) with delegated user scenarios, or they mistakenly think the Implicit Grant flow is still acceptable for modern apps, ignoring the fact that it lacks refresh token support and is deprecated by Microsoft.

How to eliminate wrong answers

Option A is wrong because the Client Credentials flow is used for server-to-server (daemon) scenarios where no user is involved, so it cannot obtain consent from a signed-in user or send emails on behalf of the user. Option B is wrong because the Implicit Grant flow is deprecated and does not support refresh tokens, making silent token refresh impossible; it also exposes tokens in the URL, posing security risks. Option D is wrong because the Resource Owner Password Credentials flow requires the user to provide their credentials directly to the application, which is not recommended for modern applications due to security concerns and does not support refresh tokens for silent renewal in all scenarios.

13
MCQ · medium

You deploy a web application in Azure App Service. You need to authenticate users via Microsoft Entra ID with minimal custom code. Which App Service feature should you configure?

A. App Service Authentication (Easy Auth)
B. Microsoft Entra ID B2C
C. Application Gateway with WAF
D. App Service Managed Identity
Answer: A

Correct. App Service Authentication provides built-in authentication using Microsoft Entra ID with minimal configuration and no code changes.

Why this answer

App Service Authentication (also known as Easy Auth) is the correct choice because it provides a turnkey authentication layer that integrates directly with Microsoft Entra ID. It requires minimal custom code by handling the OAuth 2.0 authorization code flow, token validation, and session management at the App Service platform level, allowing you to simply configure the identity provider in the Azure portal.

Exam trap

The trap here is that candidates confuse Managed Identity (which is for server-to-server resource access) with user authentication, or they overcomplicate the solution by choosing B2C when the requirement is simply to authenticate against an existing Microsoft Entra ID tenant with minimal code.

How to eliminate wrong answers

Option B (Microsoft Entra ID B2C) is wrong because it is designed for customer-facing applications with external identity providers and social logins, not for authenticating users via an existing Microsoft Entra ID tenant with minimal code; it adds unnecessary complexity and custom policy configuration. Option C (Application Gateway with WAF) is wrong because it is a layer 7 load balancer and web application firewall that does not provide any authentication or token validation for Microsoft Entra ID; it focuses on traffic routing and security filtering, not identity. Option D (App Service Managed Identity) is wrong because it is used to grant the app itself an identity to securely access other Azure resources (e.g., Key Vault, Storage), not to authenticate external users; it does not handle user login or token issuance.

14
MCQ · medium

Refer to the exhibit. You are deploying an Azure Key Vault using this ARM template. Your team plans to use RBAC to manage access. The vault must be accessible from Azure services (e.g., Azure VMs) without public IP addresses. After deployment, a developer reports that they cannot access secrets from a VM in the same region, even though the VM has a managed identity with the Key Vault Secrets User role. What is the most likely cause?

A. Soft delete is enabled, which prevents access to secrets until they are recovered.
B. The accessPolicies array is empty, so RBAC is not working.
C. The vault name is not unique and conflicts with another vault.
D. The vault's network ACLs block all traffic except from Azure services, but VMs are not considered Azure services.
Answer: D

VMs need to be added to virtual network rules or have a service endpoint.

Why this answer

Option D is correct because the network ACLs have defaultAction set to 'Deny' and only Azure services bypass (via 'AzureServices'), but VMs are not considered Azure services for bypass; they need a virtual network rule. Option B is wrong because RBAC is enabled and the role is assigned. Option A is wrong because soft delete is enabled and does not affect access.

Option C is wrong because the vault name is irrelevant.

15
MCQ · medium

You need to restrict access to an Azure Storage account so that only a specific subnet of a virtual network can access the data. Additionally, you need to allow management access from the Azure portal (e.g., to view containers). Which configuration should you apply?

A. Configure IP firewall rules to allow the subnet IP range and add the Azure portal's public IP addresses.
B. Configure a service endpoint for Microsoft.Storage on the subnet and add a firewall rule to allow the subnet, then enable 'Allow trusted Microsoft services'.
C. Configure a private endpoint for the storage account and disable public network access.
D. Configure IP ACLs to allow the subnet and also allow all Azure services.
Answer: B

Service endpoint provides secure connectivity from the subnet. The trusted Microsoft services exception allows portal management while keeping the firewall restricted.

Why this answer

Option B is correct because configuring a service endpoint for Microsoft.Storage on the subnet ensures traffic from that subnet to the storage account stays within the Azure backbone, and the firewall rule restricts access to that subnet. Enabling 'Allow trusted Microsoft services' permits Azure portal management operations (e.g., listing containers) because the portal is a trusted service that bypasses the network rules for control-plane actions.

Exam trap

The trap here is that candidates often confuse 'Allow trusted Microsoft services' with 'Allow all Azure services' or assume that IP-based rules for the Azure portal are static, when in fact the portal uses dynamic IP ranges that are not suitable for firewall rules.

How to eliminate wrong answers

Option A is wrong because Azure portal does not have a fixed set of public IP addresses; they can change, making this approach unreliable and not a supported pattern for management access. Option C is wrong because a private endpoint with public network access disabled would block all internet-based access, including the Azure portal, preventing management from the portal entirely. Option D is wrong because 'Allow all Azure services' is a legacy setting that broadly permits traffic from any Azure service, not just the specific subnet, violating the requirement to restrict access to only that subnet.

16
MCQ · medium

Refer to the exhibit. You are configuring a Key Vault key using an ARM template. What does this configuration achieve?

A. The key can only be used for encryption
B. The key size is 4096 bits
C. The key will be rotated 90 days before expiration
D. The key will be rotated 90 days after creation
Answer: D

timeAfterCreate: P90D triggers rotation 90 days after creation.

Why this answer

The rotation policy specifies that the key should be rotated 90 days after creation, so Option D is correct. Option A is wrong because the key has both encrypt and decrypt operations. Option B is wrong because the key size is 2048 bits, not 4096.

Option C is wrong because the policy triggers rotation based on time after creation, not expiration.

17
MCQ · hard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The design must avoid adding custom operational scripts.

A. Implicit flow
B. Client credentials flow
C. Resource owner password credentials flow
D. Authorization code flow with PKCE
Answer: D

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth 2.0 flow for single-page applications (SPAs) that cannot securely store a client secret. PKCE uses a dynamically generated cryptographic code verifier and challenge, ensuring that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original verifier. This flow is designed for public clients (like SPAs) and avoids the need for custom operational scripts.

Exam trap

The trap here is that candidates often confuse the deprecated implicit flow with the modern authorization code flow with PKCE, mistakenly believing that SPAs must use the implicit flow because they cannot store a secret, but the correct answer is the PKCE-enhanced authorization code flow.

How to eliminate wrong answers

Option A is wrong because the implicit flow is deprecated by the OAuth 2.0 Security Best Current Practice (BCP) RFC 8252 due to security risks like access token leakage in the browser history and lack of token binding. Option B is wrong because the client credentials flow is intended for server-to-server (confidential client) scenarios, not for user authentication in a single-page app; it requires a client secret and cannot represent an interactive user. Option C is wrong because the resource owner password credentials flow (ROPC) is highly discouraged for modern apps as it exposes the user's credentials to the client, violates security best practices, and is not suitable for SPAs; it also requires custom scripting to handle credential collection.

18
MCQ · hard

Your company uses Microsoft Sentinel for security information and event management (SIEM). You need to detect and automatically respond to a potential credential theft attack where an anomalous number of failed logins are followed by a successful login from a different geographic location. Which Microsoft Sentinel feature should you use?

A. Microsoft Sentinel Data Connectors
B. An analytics rule with an automated response
C. Microsoft Defender for Identity
D. Microsoft Sentinel playbooks
Answer: B

Analytics rules detect the pattern; automated response (e.g., disable user) can be configured as part of the rule.

Why this answer

An analytics rule in Microsoft Sentinel can be configured to detect patterns like anomalous failed logins followed by a successful login from a different geography. The rule can then trigger an automated response, such as running a playbook or creating an incident, to remediate the threat in near real-time. This combines detection and automated action within a single rule, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse 'playbooks' (the automation component) with the complete detection-and-response feature, forgetting that an analytics rule is required to trigger the playbook and that the rule itself can include an automated response directly.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel Data Connectors are used to ingest log data from various sources (e.g., Azure AD, firewalls) but do not perform detection or automated response. Option C is wrong because Microsoft Defender for Identity is a separate security product focused on on-premises Active Directory identity threats, not a native Sentinel feature for creating custom detection rules with automated responses. Option D is wrong because Microsoft Sentinel playbooks are automated workflows (based on Azure Logic Apps) that can be triggered by analytics rules, but they are not the detection mechanism themselves; the question asks for the feature that both detects and automatically responds, which is the analytics rule with an automated response.

19
MCQ · medium

You are developing a serverless function app that processes credit card payments. The function app must securely store the payment gateway API key. Which Azure service should you use to store the key?

A. Store the key in an Azure Storage queue and read it at runtime.
B. Store the key in Azure Key Vault and retrieve it using a managed identity.
C. Store the key in Azure Cosmos DB with client-side encryption.
D. Store the key in the function app's application settings.
Answer: B

Key Vault provides secure, audited storage for secrets, and managed identity allows secure access without hardcoding credentials.

Why this answer

Option B is correct because Azure Key Vault is designed to securely store secrets like API keys, certificates, and connection strings. Option D is wrong because App Service application settings are not encrypted at rest by default and are visible in the portal. Option C is wrong because Azure Cosmos DB is a database, not a secrets store.

Option A is wrong because Azure Storage queues are for messaging, not secure storage.

20
MCQ · hard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used?

A. Implicit flow
B. Client credentials flow
C. Resource owner password credentials flow
D. Authorization code flow with PKCE
Answer: D

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth flow for single-page apps that cannot securely store a client secret. PKCE ensures that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original code verifier, mitigating the risk of code injection attacks. This flow aligns with Microsoft's best practices for native and browser-based applications using Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse the implicit flow (which was historically used for SPAs) as still valid, but Microsoft and OAuth standards now mandate the authorization code flow with PKCE for all public clients, including single-page apps.

How to eliminate wrong answers

Option A is wrong because the implicit flow is deprecated by the OAuth 2.0 Security Best Current Practice (BCP) and Microsoft Entra ID due to security risks like access token leakage in the browser history and lack of PKCE support. Option B is wrong because the client credentials flow is designed for server-to-server (daemon) applications without a user context, not for single-page apps that need to sign in users and call APIs on their behalf. Option C is wrong because the resource owner password credentials flow requires the app to handle user credentials directly, which is insecure for browser-based apps and violates the principle of not exposing passwords to the client.

21
MCQ · hard

A background data pipeline runs on a schedule and must read user profile data from Microsoft Graph. No user is present during execution. The service authenticates to Microsoft Entra ID and calls the Graph API. Which permission type and OAuth 2.0 flow are correct for this scenario?

A. Application permissions with the client credentials flow, authenticating with the app's client ID and secret (or certificate)
B. Delegated permissions with the authorization code flow, initiating a browser redirect to collect user consent
C. Delegated permissions with the device code flow, prompting a user to authenticate on a separate device
D. Application permissions with the on-behalf-of flow, passing the calling user's token to the Graph API
Answer: A

Application permissions are granted by an admin via the app registration manifest. The client credentials flow does not require user interaction — the service presents its own credentials to the token endpoint and receives a token scoped to the application. This is the standard pattern for background services, daemons, and scheduled jobs that call Microsoft Graph.

Why this answer

This scenario requires a background service to access Microsoft Graph without any user interaction. Application permissions are designed for such non-interactive, service-to-service calls, and the client credentials OAuth 2.0 flow (defined in RFC 6749 section 4.4) allows the app to authenticate using its own identity (client ID and secret or certificate) to obtain an access token. Delegated permissions would be incorrect because they require a signed-in user context, which is absent here.

Exam trap

The trap here is that candidates often confuse application permissions with delegated permissions, mistakenly thinking a user context is always required for Graph API calls, but the client credentials flow is the correct choice for any background service that operates without a signed-in user.

How to eliminate wrong answers

Option B is wrong because delegated permissions require a signed-in user and the authorization code flow involves a browser redirect for user consent, which cannot occur in an unattended background pipeline. Option C is wrong because the device code flow is designed for devices with limited input capabilities and still requires a user to authenticate interactively on a separate device, not suitable for a fully automated service. Option D is wrong because the on-behalf-of flow (OAuth 2.0 On-Behalf-Of) is used to pass a user's delegated token to a downstream API, requiring an initial user token, which does not exist in this no-user scenario.

22
Multi-Select · hard

Which TWO actions should you take to securely store and access secrets for a legacy application that cannot be modified? The application runs on an Azure Virtual Machine and needs to read a database connection string. The solution must use Azure Key Vault and adhere to the principle of least privilege.

Select 2 answers
A. Create a new VM and install the Key Vault extension during provisioning.
B. Configure the application to read the connection string from a local file that is updated by the Key Vault extension.
C. Assign a managed identity to the legacy application.
D. Use a user-assigned managed identity and assign it to the VM.
E. Enable the Azure Key Vault VM extension for the virtual machine.
Answers: B, E

The extension can write the secret to a local file, which the app reads.

Why this answer

Option E is correct because the Key Vault VM extension automatically syncs certificates and secrets as files, but for connection strings the application still needs to read the file. Option B is correct because the application can be configured to read the connection string from a local file that is synced by the extension. Option C is wrong because the managed identity is assigned to the VM, not the app; the extension uses the VM's identity.

Option D is wrong because enabling the extension with a system-assigned managed identity is sufficient; a user-assigned identity is not required. Option A is wrong because the extension can be enabled on existing VMs.

23
MCQ · medium

Refer to the exhibit. You are reviewing an Azure Policy definition. When applied to a subscription, what is the effect of this policy?

A.Audit resources in locations other than eastus or westus
B.Append a tag to resources in eastus or westus
C.Deny deployment of resources in eastus or westus
D.Deny deployment of resources in locations other than eastus or westus
AnswerD

The policy denies if location is not in the allowed list.

Why this answer

Option D is correct. The policy compares each resource's location field against the allowedLocations parameter (eastus and westus) and applies the deny effect when the location is not in that list, so create and update requests for other regions are rejected; resources that already exist elsewhere are reported as non-compliant but are not removed. Option A is wrong because the effect is deny, not audit.

Option C is wrong because the condition matches locations outside the list, so deployments inside the list are allowed and deployments outside it are denied. Option B is wrong because the effect is deny, not append; nothing is added to the resource.
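A policy definition with the described effect, added here as an example standing in for the missing exhibit (it is not the page's exhibit; the display name and the parameter default are assumed, and the two exclusions for global resources and B2C directories follow the pattern of the built-in Allowed locations policy):

```json
{
  "properties": {
    "displayName": "Allowed locations (example)",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": { "displayName": "Allowed locations" },
        "defaultValue": [ "eastus", "westus" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" },
          { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

The deny is enforced by Azure Resource Manager on PUT and PATCH requests, so it blocks new deployments and updates; it does not delete or move existing resources, which is why a compliance scan of the subscription is still needed after assignment. Changing the effect to audit or replacing the then block with an append of a tag would produce options A and B respectively.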

24
MCQmedium

You are designing a solution where an Azure Logic App needs to send emails via Microsoft Graph. The Logic App should authenticate without user interaction. What authentication method should you use?

A.Use a user-assigned managed identity and grant it the Mail.Send application permission
B.Use OAuth 2.0 authorization code grant with a user account
C.Use a service principal and store its client secret in the Logic App configuration
D.Use basic authentication with an email account password
AnswerA

A managed identity with the appropriate application permission allows the Logic App to send mail without user interaction.

Why this answer

The Logic App's managed identity (a user-assigned one here, though a system-assigned identity works the same way) obtains a token for Microsoft Graph from the platform, so no client secret or password is stored or rotated. Mail.Send as an application permission is tenant-wide by default: assign the app role to the identity's service principal (there is no portal button for managed identities; use Microsoft Graph PowerShell, for example New-MgServicePrincipalAppRoleAssignment, or the Graph API) and then constrain which mailboxes it may send from with an Exchange Online application access policy, otherwise the identity can send as any user in the tenant. Option B requires an interactive sign-in, option C reintroduces a secret to store and rotate, and option D relies on basic authentication, which is deprecated for Exchange Online and still leaves a password to protect.

25
MCQeasy

You are deploying a multi-tier application: a frontend web app (Azure App Service) that calls a backend API (another Azure App Service). Both apps use Microsoft Entra ID for authentication. The frontend needs to authenticate to the backend on behalf of the signed-in user. You need to configure the OAuth 2.0 flow correctly. You have already registered both applications in Microsoft Entra ID. Which configuration should you apply?

A.In the frontend app registration, grant API permissions for the backend using the 'Delegated permissions' type. In the backend app registration, expose an API scope. The frontend uses the on-behalf-of flow (OBO) to exchange the user's token for a token to call the backend.
B.In the frontend app registration, enable the implicit grant flow for access tokens. The frontend gets a token for the backend directly from the authorization endpoint.
C.In the frontend app registration, set the redirect URI to the backend URL. The frontend uses the authorization code flow to get a token for the backend directly.
D.In the frontend app registration, grant API permissions for the backend using the 'Application permissions' type. In the backend app registration, expose an API scope. The frontend uses the client credentials flow to get a token for the backend.
AnswerA

OBO flow allows the frontend to act on behalf of the user.

Why this answer

Option A is correct because the on-behalf-of flow (OBO) is designed for this scenario: the frontend receives the user's token for itself, then exchanges it at the token endpoint for a token to call the backend, so the backend sees the user's identity and only the delegated scopes. This requires the backend to expose an API scope and the frontend to be granted that delegated permission (and, since the frontend is a confidential client, to hold its own client secret or certificate for the exchange). Option D is wrong because the client credentials flow authenticates the frontend as itself with application permissions; the backend would see no user and could not enforce per-user authorization.

Option C is wrong because pointing the redirect URI at the backend delivers the authorization code to the wrong application and does not pass the user's identity through to the backend. Option B is wrong because the implicit grant is deprecated in favor of authorization code with PKCE and is meant for browser clients, not for a server-side exchange.

26
MCQhard

You are developing an ASP.NET Core web API that uses Microsoft Entra ID for authentication via Microsoft.Identity.Web. The application needs to authorize actions based on custom roles such as "Editor" and "Reviewer". These roles are not defined in Microsoft Entra ID app roles or directory roles; instead, they are stored in an application database and can be assigned dynamically by administrators. You need to implement authorization with minimal impact on performance and without modifying the application's authentication flow. Which approach should you use?

A.Add custom claims to the token via Microsoft Entra ID custom claims policies
B.Implement a custom authorization filter that reads the user's roles from the database on each request and caches them
C.Use Microsoft Entra ID app roles and assign them to users or groups
D.Use a custom middleware to modify the User principal after authentication, adding role claims from the database
AnswerD

This adds role claims to the principal early in the pipeline, supports caching, and makes the roles available for all authorization policies without altering the authentication flow.

Why this answer

Option D is correct because middleware registered after UseAuthentication and before UseAuthorization can add role claims from the application database to HttpContext.User without touching how the bearer token is validated. Microsoft.Identity.Web keeps validating the token as before; the middleware looks up roles by the stable oid claim, caches the result per user (for example in IMemoryCache with a short TTL) so the database is not queried on every request, and every downstream policy, [Authorize(Roles = ...)] attribute and endpoint sees the enriched principal. The framework's IClaimsTransformation hook achieves the same effect and is the more idiomatic place for it, with the caveat that it can be invoked more than once per request. Dynamic assignment is handled by administrators editing the database; the cache TTL bounds how long a revoked role stays effective.

Exam trap

The trap here is that candidates often confuse custom middleware with authorization filters, assuming both run at the same point in the pipeline, but middleware modifies the principal before authorization runs, while filters run after authentication and can cause redundant database calls if not designed carefully.

How to eliminate wrong answers

Option A is wrong for this question because claims-mapping policies in Microsoft Entra ID are static mappings of directory attributes and cannot read an application database. A custom claims provider (a custom authentication extension) can call an external API at token issuance, but that changes the token-issuance flow, requires exposing the role store as an internet-reachable API, and only refreshes roles when a new token is issued, so it fails the constraint of leaving the authentication flow untouched. Option B is wrong because an authorization filter runs inside the MVC filter pipeline, after the authorization middleware has already evaluated policies; roles it discovers are invisible to those policies and to other endpoints, and the lookup is repeated per filter execution rather than once per request, so a cache reduces the cost but not the structural problem. Option C is wrong because Microsoft Entra ID app roles are declared in the app manifest and assigned to users or groups by an administrator in the directory, which does not support assigning roles dynamically from an application database.
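The pattern described above, as an added example (not code from the page or from Microsoft.Identity.Web): middleware placed between authentication and authorization that looks up database roles by the token's oid claim, caches them per user, and appends them to the principal. IRoleRepository, SqlRoleRepository, the sample assignments table and the 5-minute cache TTL are assumptions; the AzureAd configuration section is the standard Microsoft.Identity.Web one.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddMemoryCache();
builder.Services.AddScoped<IRoleRepository, SqlRoleRepository>();   // assumed implementation
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options =>
    options.AddPolicy("EditorOrReviewer", p => p.RequireRole("Editor", "Reviewer")));

var app = builder.Build();
app.UseAuthentication();                            // validates the bearer token, sets HttpContext.User
app.UseMiddleware<DatabaseRoleClaimsMiddleware>();  // must sit between authentication and authorization
app.UseAuthorization();                             // policies now see the database roles
app.MapGet("/documents", () => Results.Ok("editor or reviewer content"))
   .RequireAuthorization("EditorOrReviewer");
app.Run();

public interface IRoleRepository
{
    Task<IReadOnlyList<string>> GetRolesAsync(string userObjectId, CancellationToken ct);
}

public sealed class DatabaseRoleClaimsMiddleware
{
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5); // assumed staleness budget
    private readonly RequestDelegate _next;
    private readonly IMemoryCache _cache;

    public DatabaseRoleClaimsMiddleware(RequestDelegate next, IMemoryCache cache)
    {
        _next = next;
        _cache = cache;
    }

    // IRoleRepository is scoped, so it is injected per request here rather than in the constructor.
    public async Task InvokeAsync(HttpContext context, IRoleRepository roles)
    {
        // Key on the immutable object id (oid) from the token, never on name or email, which can change.
        string? oid = context.User.Identity?.IsAuthenticated == true ? context.User.GetObjectId() : null;
        if (oid is not null)
        {
            IReadOnlyList<string> userRoles = await _cache.GetOrCreateAsync($"roles:{oid}", async entry =>
            {
                entry.AbsoluteExpirationRelativeToNow = CacheTtl;
                return await roles.GetRolesAsync(oid, context.RequestAborted);
            }) ?? Array.Empty<string>();

            // Keep database roles in their own identity, tagged with a distinct issuer, so logs can
            // tell token-issued claims from application-issued ones. ClaimsPrincipal.IsInRole checks
            // every identity, so [Authorize(Roles = ...)] and RequireRole see these claims.
            var dbIdentity = new ClaimsIdentity();
            foreach (string role in userRoles)
                dbIdentity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "app-db"));
            context.User.AddIdentity(dbIdentity);
        }
        await _next(context);
    }
}

public sealed class SqlRoleRepository : IRoleRepository
{
    // Constructed sample data standing in for the application database table (oid -> roles).
    private static readonly Dictionary<string, string[]> SampleAssignments = new()
    {
        ["11111111-1111-1111-1111-111111111111"] = new[] { "Editor" },
        ["22222222-2222-2222-2222-222222222222"] = new[] { "Reviewer", "Editor" },
    };

    public Task<IReadOnlyList<string>> GetRolesAsync(string userObjectId, CancellationToken ct)
    {
        IReadOnlyList<string> result = SampleAssignments.TryGetValue(userObjectId, out var found)
            ? found
            : Array.Empty<string>();
        return Task.FromResult(result);
    }
}
```

The ordering of the three app.Use calls is the whole point: swapping the middleware and UseAuthorization makes every RequireRole check fail because the roles are added too late. Revoking a role in the database takes effect within the cache TTL, which is the trade-off to set deliberately; a distributed cache is needed when the API runs on more than one instance and the TTL must be consistent.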

27
MCQhard

Refer to the exhibit. You run the Azure CLI command to retrieve a secret from Azure Key Vault. The output shows the secret metadata but not the secret value. The command returns without error. What is the most likely cause?

A.The secret has expired.
B.The user does not have the Key Vault Secrets Officer role.
C.The secret is in a soft-deleted state.
D.The command output only shows metadata by default; you must specify --query "value" to retrieve the secret value.
AnswerD

The default JSON output must be filtered to the value field; a listing shows metadata only.

Why this answer

Azure CLI Key Vault commands return JSON. `az keyvault secret list` returns only metadata (id, name and the attributes block with enabled, created, updated and expires) and never the values. `az keyvault secret show --vault-name <vault> --name <name>` returns the single secret, and that JSON does include a `value` field alongside the metadata; the JMESPath filter `--query value -o tsv` strips everything but the value so it can be assigned to a variable or piped without the surrounding metadata. Because the command completed without error and the metadata is visible, the caller is authorized and the secret exists; the missing value comes down to which command and which output filter was used, not to permissions or secret state, which is what option D describes.

Exam trap

The trap here is to read a metadata-only listing as a permissions failure. Azure CLI returns values only for a single secret retrieved with `show`; a listing omits them by design, and `--query value -o tsv` is the idiomatic way to pull the value alone. Treat the value as sensitive once it is on the terminal: it lands in shell history and in any pipeline log that echoes the command output.

How to eliminate wrong answers

Option A is wrong because Key Vault refuses to return an expired secret: the get operation fails with an error rather than succeeding with the value omitted. Option B is wrong because the Key Vault Secrets Officer role includes reading secret values (Key Vault Secrets User is the least-privilege read-only role), and an authorization failure surfaces as a 403 Forbidden error, not as a successful command that shows metadata only. Option C is wrong because a soft-deleted secret is not returned by `show`; it is only visible through `az keyvault secret show-deleted` (or `list-deleted`), and `show` on a deleted secret fails with a not-found error rather than returning metadata.

28
MCQmedium

Your web app running on Azure App Service requires access to a storage account using managed identity. You enable the system-assigned managed identity on the App Service and assign the 'Storage Blob Data Contributor' role at the storage account scope. However, the app receives 403 errors when trying to read blobs. What is the most likely cause?

A.The managed identity token is being requested with the wrong audience. You need to specify 'https://storage.azure.com' as the resource.
B.Managed identity is not supported for Azure App Service; use a connection string instead.
C.The role assignment has not propagated yet; wait 30 minutes.
D.The storage account has a firewall rule that blocks the App Service outbound IPs.
AnswerA

The token must be requested for the storage resource (https://storage.azure.com/), not for Azure Resource Manager.

Why this answer

Option A is correct because a managed identity token is issued for one resource, which becomes its aud claim. For Azure Storage the request must name https://storage.azure.com/ (the scope https://storage.azure.com/.default with the Azure.Identity SDK, or resource=https://storage.azure.com/ with the X-IDENTITY-HEADER header against the App Service IDENTITY_ENDPOINT). A token minted for another resource, such as Azure Resource Manager (https://management.azure.com/), carries the wrong audience, so Storage rejects it even though the Storage Blob Data Contributor assignment is in place. Decoding the token and inspecting aud is the quickest confirmation.

Exam trap

The trap here is that candidates assume the role assignment alone is sufficient, overlooking that the token's audience must match the target service (storage vs. management), which is a subtle but critical detail in managed identity authentication flows.

How to eliminate wrong answers

Option B is wrong because managed identity is fully supported on Azure App Service and is the recommended replacement for connection strings. Option C is wrong because role assignments usually take effect within a few minutes; a short delay is worth ruling out, but a 403 that persists after the assignment is visible points elsewhere. Option D deserves care: a storage account firewall that blocks the App Service outbound IPs also returns 403, with error code AuthorizationFailure in the response body, not a timeout, so the status code alone does not eliminate it. It is ruled out here because the scenario describes no network restriction on the account; in a real investigation read the error code in the response body, and remember that an account with public access disabled or limited to selected networks needs VNet integration with a service endpoint or a private endpoint for the app.
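The fix described above, as an added example (not code from the page): request the managed-identity token with the storage scope, confirm its audience before calling the account, then build the client. The account name is a placeholder and the aud check is a diagnostic step; in production the SDK requests the correct scope on its own once it is given the credential.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

public static class StorageTokenAudience
{
    // Correct scope for Blob Storage; the trailing slash before .default is part of the resource id.
    public const string StorageScope = "https://storage.azure.com/.default";
    // A token for this scope is what a misconfigured app sends; Storage rejects it with 403.
    public const string ManagementScope = "https://management.azure.com/.default";

    public static async Task<BlobServiceClient> CreateBlobClientAsync(string accountName, CancellationToken ct)
    {
        // On App Service with a system-assigned identity, DefaultAzureCredential resolves to
        // ManagedIdentityCredential (IDENTITY_ENDPOINT / IDENTITY_HEADER); on a developer machine it
        // falls back to developer credentials, so the same code runs in both places.
        var credential = new DefaultAzureCredential();

        // Diagnostic: fetch the token the SDK would use and check aud before touching storage.
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { StorageScope }), ct);
        if (!HasAudience(token.Token, "https://storage.azure.com"))
            throw new InvalidOperationException("Token audience is not Azure Storage; check the requested scope.");

        // This line alone is enough in production: BlobServiceClient asks the credential for the storage scope.
        return new BlobServiceClient(new Uri($"https://{accountName}.blob.core.windows.net"), credential);
    }

    // Reads aud without validating the signature: a client-side sanity check, not token validation.
    public static bool HasAudience(string jwt, string expected)
    {
        JwtSecurityToken parsed = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        return parsed.Audiences.Any(aud => aud.TrimEnd('/') == expected.TrimEnd('/'));
    }
}
```

Requesting ManagementScope instead and handing the result to Storage reproduces the 403 from the question; the aud claim of that token reads https://management.azure.com/, which is exactly what HasAudience catches. The same scope discipline applies to every Azure data-plane service (Key Vault, SQL, Service Bus all have their own resource id), so a wrapper that fixes the scope per service, rather than reusing one token, is the safer pattern.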

29
Multi-Selectmedium

You need to design a solution to securely store and access secrets (e.g., API keys, connection strings) for a set of Azure Functions. The solution must minimize administrative overhead and avoid storing secrets in code or configuration files. Which THREE should you include? (Choose three.)

Select 3 answers
A.Store secrets in Azure Key Vault
B.Store secrets in application settings as plain text
C.Use Azure App Configuration for feature flags
D.Assign a managed identity to each function app
E.Enable Key Vault soft-delete and purge protection
AnswersA, D, E

Key Vault is the recommended service for storing secrets securely.

Why this answer

Azure Key Vault is the correct service for storing API keys and connection strings because it provides centralized secret storage with Azure RBAC or vault access policies, versioning and audit logging (HSM protection applies to keys in the Premium tier; secrets are always software-encrypted at rest). Referencing Key Vault secrets from Functions app settings with a Key Vault reference (@Microsoft.KeyVault(SecretUri=...)) resolved through the function app's managed identity means no secret lives in code or configuration files. Soft-delete and purge protection guard against accidental or malicious deletion, which otherwise becomes an availability incident for every function that depends on the vault.

Exam trap

The trap here is that candidates often confuse Azure App Configuration with a secret store, but App Configuration is for feature flags and non-sensitive configuration, while Key Vault is the dedicated service for secrets, and managed identities are required to access it securely without storing credentials.

30
MCQmedium

You are developing a serverless API using Azure Functions. The API should only be accessible from a specific virtual network. You need to configure network security. What should you do?

A.Place the Functions in Azure API Management and configure IP restrictions.
B.Configure IP address restrictions on the Function App to allow only the VNet's public IP range.
C.Deploy the Function App in a Premium plan and configure VNet integration, then use a Network Security Group to restrict traffic.
D.Configure a private endpoint for the Function App and disable public access.
AnswerC

VNet integration gives the function app outbound access to the VNet; restricting inbound callers needs a network rule on the app itself.

Why this answer

Azure Functions Premium (and Dedicated) plans support regional VNet integration, so the function app can reach resources inside the VNet, and the same plans support inbound network controls. Option C is the intended answer: integrate the app with the VNet and apply NSG rules on the integration subnet. Keep in mind that VNet integration by itself only governs the function's outbound traffic; inbound traffic is restricted with App Service access restrictions (a rule that allows only the VNet subnet, which requires the Microsoft.Web service endpoint on that subnet) or with a private endpoint, and an NSG on the integration subnet filters what the function can reach, not who can call it.

Option A is wrong because placing the function behind API Management with IP restrictions adds a separate service and still leaves the function's own endpoint reachable unless it is locked down too. Option B is wrong because allowing a public IP range does not restrict access to the virtual network; any host behind that NAT range is allowed. Option D (private endpoint with public access disabled) is a legitimate way to make the app reachable only from the VNet; the key prefers option C because it also covers the function's own access to VNet resources, and in practice the two are combined: private endpoint for inbound, VNet integration for outbound.

31
MCQeasy

You have an Azure Storage account that hosts blobs for a public website. You need to grant a partner application read-only access to a specific container for 24 hours without using a storage account key. What should you create?

A.A shared access signature (SAS) URI with read permission and expiry set to 24 hours
B.An access policy for the container with read permission
C.A storage account key
D.A managed identity for the partner application
AnswerA

SAS provides time-limited, scoped access without exposing account key.

Why this answer

A shared access signature (SAS) URI with read permission and a 24-hour expiry provides time-limited, delegated access to a specific container without handing out the storage account key. The SAS is scoped to the one container, its permissions limited to read, and its expiry set to exactly 24 hours. Two practitioner refinements: sign the SAS with a user delegation key (obtained through an Entra-authenticated call by a principal holding Storage Blob Delegator) rather than with the account key, so the account key is not involved even on the issuing side; and reference a stored access policy if you need to revoke the SAS before it expires, since a SAS signed directly cannot be revoked short of rotating the key it was signed with.

Exam trap

The trap here is that candidates often confuse a stored access policy (Option B) with a SAS, not realizing that a policy alone does not grant access—it only defines constraints that a SAS must reference, and without a SAS token, no access is provided.

How to eliminate wrong answers

Option B is wrong because an access policy (stored access policy) alone does not grant access; it must be combined with a SAS to enforce permissions and expiry, and it cannot be used directly to grant time-limited access without a SAS token. Option C is wrong because using a storage account key would grant full administrative access to the entire storage account, not read-only access to a specific container, and violates the requirement to avoid using a storage account key. Option D is wrong because a managed identity is used for Azure resources to authenticate to Azure services without credentials, but it cannot be assigned to an external partner application and does not provide a time-limited, scoped access token for a specific container.
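Issuing the partner's SAS, as an added example (not code from the page): a read-only, container-scoped, 24-hour SAS signed with a user delegation key, so no storage account key is used anywhere. The account and container names are placeholders; the identity running this code must hold Storage Blob Delegator on the account, and the partner receives only the returned URI.

```csharp
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public static class PartnerContainerSas
{
    public static async Task<Uri> CreateReadOnlySasAsync(string accountName, string containerName, CancellationToken ct)
    {
        var serviceClient = new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net"), new DefaultAzureCredential());

        DateTimeOffset start = DateTimeOffset.UtcNow.AddMinutes(-5);   // small clock-skew allowance
        DateTimeOffset expiry = DateTimeOffset.UtcNow.AddHours(24);

        // Entra-issued signing key: the SAS stays valid only while this key (at most 7 days) and the
        // signer's RBAC assignment remain valid, which is a revocation lever the account key lacks.
        UserDelegationKey key = await serviceClient.GetUserDelegationKeyAsync(start, expiry, ct);

        var sas = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            Resource = "c",                 // "c" scopes the SAS to the container and the blobs in it
            StartsOn = start,
            ExpiresOn = expiry,
            Protocol = SasProtocol.Https,   // refuse plaintext HTTP use of the token
        };
        sas.SetPermissions(BlobContainerSasPermissions.Read);   // add List only if the partner must enumerate

        var uri = new BlobUriBuilder(serviceClient.GetBlobContainerClient(containerName).Uri)
        {
            Sas = sas.ToSasQueryParameters(key, accountName),
        };
        return uri.ToUri();
    }
}
```

Treat the returned URI as a bearer credential: deliver it over an authenticated channel, never log it, and prefer a new SAS per partner per day over one long-lived token, since the expiry is the only thing that ends access once the URI has been shared.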

32
Multi-Selecthard

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request?

Select 2 answers
A.Issuer and signature are valid for the trusted tenant
B.The user's display name is present
C.Token audience matches the API application ID URI or client ID
D.The token was sent in a query string
AnswersA, C

Issuer and signature validation confirms the token came from the expected identity provider.

Why this answer

Option A is correct because the API must validate that the JWT's issuer (iss) claim matches the trusted tenant's issuer (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0 for v2.0 tokens) and that the signature verifies against a key from that issuer's JWKS, which proves the token came from Microsoft Entra ID and was not altered. Option C is correct because the aud claim must equal this API's application ID URI or client ID; a genuine token issued for a different API must be rejected, otherwise a token captured from one service can be replayed against another. Libraries also check exp and nbf and reject unexpected alg values; enable those too, but the two properties the question asks for are issuer plus signature and audience.

Exam trap

The trap here is that candidates confuse optional user claims (like display name) with mandatory security claims (iss, aud, signature), or think token transport method (query string vs. header) is a validation property rather than a security best practice.

33
MCQeasy

You are building an API that needs to validate JWT tokens issued by Microsoft Entra ID. The API is registered as an application in Entra ID. Which endpoint should the API use to obtain the signing keys?

A.https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
B.https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
C.https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
D.https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
AnswerD

This endpoint returns the public keys used to sign tokens.

Why this answer

The OpenID Connect discovery document (.well-known/openid-configuration) is metadata that includes jwks_uri, and for the v2.0 endpoint that URI is https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys, which serves the JSON Web Key Set used to verify token signatures. Option A is wrong because the token endpoint issues tokens. Option B is wrong because the authorize endpoint is where users authenticate and consent.

Option C is wrong in the sense the question intends: the discovery document is the right place to learn the keys URI, but it is not itself the keys endpoint. In practice resolve jwks_uri from discovery rather than hardcoding the keys URL, cache the keys, and refresh on an unknown kid, because Microsoft rolls signing keys regularly.
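The validation that questions 32 and 33 describe, as one added example (not code from the page or from Microsoft.Identity.Web): the validator loads the tenant's discovery document, lets ConfigurationManager follow jwks_uri and cache the keys, then checks issuer, audience, signature, lifetime and algorithm in one call, with a single forced refresh when a token carries an unknown kid. Tenant ID, client ID and application ID URI are assumed inputs; the issuer shown is the v2.0 form.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public sealed class EntraTokenValidator
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata;
    private readonly string _tenantId;
    private readonly string[] _validAudiences;

    public EntraTokenValidator(string tenantId, string clientId, string appIdUri)
    {
        _tenantId = tenantId;
        _validAudiences = new[] { clientId, appIdUri };   // Entra sets aud to either form
        // The discovery document carries jwks_uri; ConfigurationManager downloads and caches the
        // keys and refreshes them on its own schedule, which covers routine signing-key rollover.
        _metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    }

    public async Task<ClaimsPrincipal> ValidateAsync(string bearerToken, CancellationToken ct)
    {
        OpenIdConnectConfiguration config = await _metadata.GetConfigurationAsync(ct);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = $"https://login.microsoftonline.com/{_tenantId}/v2.0",
            ValidAudiences = _validAudiences,
            IssuerSigningKeys = config.SigningKeys,              // fetched from discovery/v2.0/keys
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,                             // exp and nbf
            ClockSkew = TimeSpan.FromMinutes(2),
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },   // no HS256 or "none" confusion
        };

        var handler = new JwtSecurityTokenHandler();
        try
        {
            return handler.ValidateToken(bearerToken, parameters, out _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // Unknown kid: keys may have rolled since the last download. Refresh once and retry;
            // a second failure propagates, so a forged kid cannot force unbounded refreshes.
            _metadata.RequestRefresh();
            config = await _metadata.GetConfigurationAsync(ct);
            parameters.IssuerSigningKeys = config.SigningKeys;
            return handler.ValidateToken(bearerToken, parameters, out _);
        }
    }
}
```

If the API is configured to accept v1.0 access tokens, the issuer is https://sts.windows.net/{tenant}/ instead and the discovery URL loses its v2.0 segment; mismatching these is the usual reason a correctly signed token fails the issuer check. Multi-tenant APIs replace ValidIssuer with an IssuerValidator that checks the tid claim against an allow-list rather than accepting any tenant's issuer.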

34
MCQeasy

You are a developer for a startup that is building a real-time chat application on Azure. The application uses Azure Web PubSub to broadcast messages to clients. The security team requires that only authenticated users can connect to the Web PubSub service. You plan to use Microsoft Entra ID for authentication. The application backend is an Azure Function that generates access tokens. What is the correct course of action to secure the Web PubSub service?

A.Configure the Web PubSub service to use a shared access key and distribute it to clients via the Function.
B.Enable managed identity for the Azure Function, assign it the 'Web PubSub Service Owner' role, and use the Web PubSub SDK to generate a client access token after authenticating the user.
C.Set the Web PubSub service's 'Anonymous mode' to 'Allow anonymous connections' and authenticate users at the application level.
D.Use the Web PubSub connection string (access key) in the Function to generate a client token, and store the connection string in Azure Key Vault.
AnswerB

This uses Entra ID authentication and generates a scoped token for the client.

Why this answer

Option B is correct. With a managed identity on the Function and an RBAC role on the Web PubSub resource, the Function obtains Entra tokens for the service and uses the Web PubSub SDK to mint a client access token only after it has authenticated the user, binding the token to that user's identity and the roles it needs, with a short expiry. Option D is wrong because the connection string is a shared access key; storing it in Key Vault protects the secret at rest, but the service still sees no Entra identity and the key is not tied to any user.

Option A is wrong because distributing a shared access key to clients hands every client full service access. Option C is wrong because anonymous mode allows unauthenticated connections; authenticating at the application layer afterwards does not stop unauthenticated clients from connecting in the first place.

35
MCQeasy

You are developing a web app that uses Azure AD B2C for customer identity. The app must allow users to sign in with their social media accounts like Facebook and Google. Which Azure AD B2C policy type should you configure?

A.Profile editing policy
B.Sign-up and sign-in policy
C.Password reset policy
D.Conditional access policy
AnswerB

Sign-up and sign-in policies allow users to sign up or sign in with social identity providers.

Why this answer

The sign-up and sign-in policy (now called a user flow in the Azure portal) is the correct choice because it is the Azure AD B2C policy type specifically designed to handle both user registration and authentication in a single flow. This policy can be configured to include social identity providers like Facebook and Google, allowing users to sign in using those accounts. It orchestrates the OAuth 2.0 and OpenID Connect protocols to redirect users to the social provider's authorization endpoint and then process the returned tokens.

Exam trap

The trap here is that candidates often confuse the sign-up and sign-in policy with separate sign-up or sign-in policies, or mistakenly think a password reset policy can handle social logins, but Azure AD B2C requires the combined policy to support multiple identity providers in a single authentication journey.

How to eliminate wrong answers

Option A is wrong because a profile editing policy is used only for allowing authenticated users to modify their account attributes (e.g., display name, city), not for initial sign-in or registration with social providers. Option C is wrong because a password reset policy is specifically for resetting a forgotten password via email verification or other methods; it does not handle social identity provider authentication. Option D is wrong because conditional access policy is a security feature that evaluates risk signals (e.g., location, device state) to grant or block access after authentication, not a policy type for configuring sign-in with social identity providers.

36
MCQmedium

Your company uses Microsoft Entra ID for identity management. You need to ensure that users accessing a line-of-business application from unmanaged devices must complete a multi-factor authentication (MFA) challenge. What should you configure?

A.Create a Conditional Access policy that requires MFA for users accessing the application, with a condition for 'Device state' set to 'Unmanaged'.
B.Configure a device compliance policy in Microsoft Intune.
C.Create a Conditional Access policy that requires MFA for all users.
D.Enable risk-based Conditional Access in Microsoft Entra ID Protection.
AnswerA

Conditional Access can target a specific application and condition the grant on device management state.

Why this answer

Conditional Access policies evaluate the sign-in's user, application and device signals and can require MFA as the grant control only when the device is not managed. Option A is the correct approach: target the line-of-business application, add a device condition for unmanaged devices (in the current portal the retired Device state condition is replaced by Filter for devices, typically a filter that excludes compliant and hybrid-joined devices), and grant access with Require multifactor authentication. Option B (Intune compliance policy) defines what a compliant device is; it is an input that Conditional Access consumes, not an enforcement of MFA.

Option C requires MFA for every user on managed devices too, which is broader than the stated requirement. Option D (Identity Protection risk policies) triggers on sign-in or user risk, not on device management state.

37
MCQmedium

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required?

A.Password hash synchronization
B.Delegated permissions only
C.Device code flow
D.Application permissions with client credentials flow
AnswerD

Application permissions allow daemon apps to act as themselves without a user context.

Why this answer

Option D is correct because when a background service or daemon calls Microsoft Graph without a signed-in user, it must authenticate as itself using application permissions (app roles) rather than delegated permissions. The client credentials flow (OAuth 2.0 grant type) allows the service to obtain an access token using its own credentials (client ID and client secret or certificate), without any user interaction. This flow is designed for server-to-server scenarios where the application acts on its own behalf.

Exam trap

The trap here is that candidates often confuse delegated permissions (which require a user) with application permissions (which do not), and mistakenly choose the device code flow thinking it works without a user, when in fact it still requires user authentication via a browser.

How to eliminate wrong answers

Option A is wrong because password hash synchronization is an Azure AD Connect feature for syncing user password hashes to Azure AD for hybrid identity, not a permission model for calling Microsoft Graph. Option B is wrong because delegated permissions require a signed-in user to delegate the application's permissions to act on the user's behalf, which contradicts the requirement of no signed-in user. Option C is wrong because the device code flow is an OAuth 2.0 flow designed for devices with limited input capabilities (e.g., IoT, CLI) that still requires a signed-in user to authenticate via a browser; it does not support unattended background service scenarios.

38
MCQmedium

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The team wants the control to be enforceable during normal operations.

A.Password hash synchronization
B.Delegated permissions only
C.Device code flow
D.Application permissions with client credentials flow
AnswerD

Application permissions allow daemon apps to act as themselves without a user context.

Why this answer

Option D is correct because the scenario requires an unattended background service to call Microsoft Graph without a signed-in user. Application permissions, combined with the client credentials flow (OAuth 2.0 grant type), allow the service to authenticate as itself using a client ID and client secret or certificate, obtaining an access token with pre-authorized application-level permissions. This model enforces control during normal operations because the permissions are granted directly to the application and cannot be delegated by a user, ensuring consistent access regardless of user presence.

Exam trap

The trap here is that candidates often confuse delegated permissions (which require a user) with application permissions (which do not), and mistakenly choose the device code flow thinking it works without a user, when in fact it still requires interactive user authentication.

How to eliminate wrong answers

Option A is wrong because password hash synchronization is an Azure AD Connect feature for syncing user password hashes for hybrid identity, not a permission model for calling Microsoft Graph. Option B is wrong because delegated permissions require a signed-in user to delegate their privileges to the app; they cannot be used in a background service without a user context. Option C is wrong because the device code flow is designed for devices with limited input capabilities and still requires a signed-in user to authenticate interactively on another device, making it unsuitable for an unattended background service.

39
MCQhard

Your company has several Azure subscriptions, and you need to create a custom role that allows security engineers to start and stop Azure virtual machines but not delete them or modify their network interfaces. The role must be scoped to a specific resource group. How should you define this custom role?

A.Assign the built-in Contributor role to the resource group.
B.Create a custom role with allowed actions for start and stop, and explicitly deny delete actions using NotActions.
C.Use Azure Policy to prevent deletion of VMs in that resource group.
D.Add the engineers to an Microsoft Entra ID administrative unit and assign permissions for VM operations.
AnswerB

A custom role lists Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action in Actions. Delete is not granted because it is never listed; NotActions subtracts from what Actions grants (useful with wildcards) and is not a deny, so an entry for Microsoft.Compute/virtualMachines/delete there is harmless but redundant next to an explicit Actions list.

Why this answer

Option B is correct because custom roles in Azure RBAC define granular permissions with Actions and NotActions. Listing the start and deallocate actions (Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action, plus Microsoft.Compute/virtualMachines/read so the VMs are visible) grants exactly those operations; nothing under Microsoft.Network/networkInterfaces is included, so NICs cannot be modified. Note that NotActions is subtractive, not a deny: it only matters when Actions contains a wildcard such as Microsoft.Compute/virtualMachines/*, and an engineer who also holds Contributor through another assignment can still delete. Setting AssignableScopes to the resource group, or assigning the role at that scope, limits where it applies.

Exam trap

The trap here is that candidates often confuse Azure Policy with RBAC, thinking Policy can control runtime actions like start/stop, when in fact Policy governs resource configuration at create and update time and a CanNotDelete lock is what blocks deletion; neither grants operational permissions. A second trap is reading NotActions as a deny rule, when it only subtracts from the role's own Actions.

How to eliminate wrong answers

Option A is wrong because the built-in Contributor role grants full management access, including the ability to delete VMs and modify network interfaces, which violates the requirement to prevent deletion and network interface changes. Option C is wrong because Azure Policy enforces compliance rules (tagging, allowed locations and the like) on create and update requests; its deny effect does not apply to delete operations, and it cannot grant or withhold RBAC permissions for actions like start/stop. Option D is wrong because Microsoft Entra ID administrative units scope directory administration over users, groups and devices, not Azure resource permissions; RBAC roles are required for VM operations, and administrative units provide no mechanism to assign start/stop permissions.

40
MCQhard

You need to restrict access to an Azure Storage blob container so that only users from your Microsoft Entra tenant can read blobs, and deny all other access including anonymous traffic. What should you configure?

A.Generate a shared access signature (SAS) for the container
B.Set public access level to private and assign RBAC roles to users
C.Configure a network firewall to allow only your tenant's IP range
D.Use storage account access keys and distribute them to users
AnswerB

This ensures only authenticated users from your tenant can access blobs.

Why this answer

Option B is correct because setting the container's public access level to private removes anonymous reads, and Azure RBAC data-plane roles (Storage Blob Data Reader) then admit only principals that authenticate with Microsoft Entra ID from your tenant. To make the deny complete at the account level, also set Allow Blob anonymous access to disabled and Allow storage account key access to disabled, so that neither a future container misconfiguration nor a leaked key or key-signed SAS bypasses Entra authorization. Option A is wrong because SAS tokens are bearer credentials that can be forwarded to anyone, inside or outside the tenant. Option C is wrong because firewall rules filter by network location and do not authenticate users; a tenant has no fixed IP range.

Option D is wrong because access keys grant full control of the whole account to whoever holds them, with no per-user identity or audit trail.

41
MCQhard

A company has an Azure Kubernetes Service (AKS) cluster. They want to ensure that pods can securely access Azure SQL Database without using connection strings or secrets. The solution must use the principle of least privilege. What should they implement?

A.Use the Azure Key Vault Provider for Secrets Store CSI Driver to mount secrets into the pod.
B.Store the SQL connection string in a Kubernetes secret and mount it as a volume in the pod.
C.Enable Azure AD Workload Identity for AKS and assign a managed identity to the pod that has access to Azure SQL Database.
D.Configure Azure SQL Database firewall to allow the AKS cluster's IP addresses.
AnswerC

Workload identity lets the pod authenticate to Azure SQL with a managed identity, so no connection-string secret exists.

Why this answer

Option C is correct because Microsoft Entra Workload ID for AKS (the successor of the deprecated aad-pod-identity project) lets a pod exchange its projected Kubernetes service account token for an Entra token of a user-assigned managed identity through a federated identity credential. That identity is then created in Azure SQL as a contained database user from the external provider and added only to the database roles it needs, so no connection-string secret exists and least privilege holds at the database level as well. Option B is wrong because a Kubernetes secret is base64-encoded configuration, not encrypted at rest unless the cluster is configured for it, and it remains a secret to rotate and protect. Option A is wrong because the Secrets Store CSI driver delivers a secret (the connection string) into the pod, which the question rules out; it also needs an identity to reach Key Vault, at which point that identity might as well authenticate to SQL directly.

Option D is wrong because IP allow-listing is a network control, not authentication, and every pod behind the cluster's egress shares those addresses.

42
Multi-Selectmedium

Which TWO actions should you take to secure an Azure Function app that is triggered by an HTTP request? (Choose two.)

Select 2 answers
A.Use function-level authorization keys (function or admin keys) for all HTTP triggers.
B.Enable App Service Authentication and configure Microsoft Entra ID as the identity provider.
C.Store connection strings and secrets in Azure Key Vault and reference them from the function app settings using Key Vault references.
D.Set the function app's public access to 'Off' and use virtual network integration.
E.Enable Cross-Origin Resource Sharing (CORS) with allowed origins set to '*'.
AnswersB, C

Platform authentication ensures only authenticated callers reach the function, and Key Vault references keep secrets out of configuration.

Why this answer

Options B and C are correct. Enabling App Service Authentication (Easy Auth) with Microsoft Entra ID as the provider makes the platform reject unauthenticated requests before they reach the function and hands validated identity claims to the code. Key Vault references in app settings keep connection strings out of configuration files and deployment artifacts, with the function app's managed identity as the only credential.

Option A is wrong because function and admin keys are shared secrets that must be distributed and rotated, give no per-caller identity, and sit in URLs or headers where they leak into logs; they are acceptable as defense in depth, not as the primary control. Option D is wrong for this scenario because it restricts network reachability rather than authenticating callers; it is sound hardening when the function is only called from inside a VNet, but an HTTP trigger that must accept callers from the internet still needs authentication. Option E weakens security: a wildcard CORS origin lets any website's script call the function from a browser.

43
MCQhard

You need to create a custom RBAC role that allows a security group to start and stop Azure virtual machines in a specific resource group, but not delete them or modify their network interfaces. Which set of actions should you include in the role definition?

A.Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action
B.Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/powerOff/action
C.Microsoft.Compute/virtualMachines/restart/action and Microsoft.Compute/virtualMachines/deallocate/action
D.Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/write
AnswerA

These actions allow starting and deallocating (stopping) VMs without allowing deletion or network interface changes.

Why this answer

Option A is correct because the custom RBAC role needs to allow starting and stopping (deallocating) VMs without permitting deletion or network interface modifications. The actions Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action precisely grant the ability to start a VM and deallocate it (which stops and releases resources), while excluding delete or write permissions on the VM or its network interfaces.

Exam trap

The trap here is that candidates confuse 'powerOff' (which stops the VM but keeps it allocated and billable) with 'deallocate' (which stops and releases resources), leading them to choose Option B instead of the correct deallocate action.

How to eliminate wrong answers

Option B is wrong because Microsoft.Compute/virtualMachines/powerOff/action only stops the VM but does not deallocate it, leaving the VM in a 'stopped' state that still incurs compute costs; the question requires the ability to stop (deallocate) the VM to release resources. Option C is wrong because Microsoft.Compute/virtualMachines/restart/action is not a stop operation—it restarts the VM, which does not fulfill the requirement to stop the VM. Option D is wrong because Microsoft.Compute/virtualMachines/write grants the ability to modify the VM resource, including deleting it or changing its configuration, which violates the requirement to prevent deletion or modification of network interfaces.

44
MCQmedium

You have multiple Azure virtual machines that need to access the same Azure Key Vault to retrieve certificates. You want to minimize administrative overhead while ensuring each VM can authenticate without managing credentials. Which identity type should you use?

A.System-assigned managed identity on each VM
B.User-assigned managed identity assigned to each VM
C.Service principal with client secret stored in each VM
D.Storage account key
AnswerB

A single user-assigned identity can be assigned to all VMs. You grant Key Vault access once, reducing overhead.

Why this answer

Option B is correct because a user-assigned managed identity can be created once and then assigned to multiple Azure VMs, allowing all of them to authenticate to the same Key Vault without storing any credentials. This minimizes administrative overhead compared to managing separate system-assigned identities or service principals, as the identity is independent of any single VM's lifecycle and can be reused across resources.

Exam trap

The trap here is that candidates often choose system-assigned managed identities (Option A) because they seem simpler per-VM, but they overlook the administrative overhead of managing separate access policies for each VM when multiple VMs require identical access to the same Key Vault.

How to eliminate wrong answers

Option A is wrong because system-assigned managed identities are tied to the lifecycle of each individual VM, meaning you would need to configure Key Vault access policies separately for each VM's identity, increasing administrative overhead when multiple VMs need identical access. Option C is wrong because storing a service principal's client secret on each VM reintroduces credential management overhead and security risks, contradicting the goal of minimizing administrative overhead and avoiding credential management. Option D is wrong because a storage account key is used for authenticating to Azure Storage, not Azure Key Vault, and it would require storing and rotating a shared secret across all VMs, which is insecure and high-overhead.

45
MCQmedium

Your company uses Azure App Service to host a web application. You need to allow only authenticated users from your Microsoft Entra ID tenant to access the app, without writing any authentication code. Which feature should you configure?

A.Azure App Service Authentication (EasyAuth) with Microsoft Entra ID as identity provider.
B.IP restrictions in the app’s web.config.
C.Client certificate authentication.
D.Shared access signatures (SAS) for the app URL.
AnswerA

EasyAuth integrates with Microsoft Entra ID and other providers, automatically handling token validation and session management, requiring no code changes.

Why this answer

Azure App Service Authentication (EasyAuth) is the correct feature because it provides a built-in, code-free way to authenticate users by integrating with Microsoft Entra ID (formerly Azure AD). When configured, the App Service automatically validates tokens and redirects unauthenticated users to the identity provider, enforcing authentication at the platform level without requiring any changes to the application code.

Exam trap

The trap here is that candidates often confuse network-level access controls (like IP restrictions) with identity-based authentication, or mistakenly think SAS tokens can secure a web app URL, when in fact SAS are strictly for Azure Storage access and have no role in user authentication for App Service.

How to eliminate wrong answers

Option B is wrong because IP restrictions in web.config control network-level access based on source IP addresses, not user authentication; they cannot verify a user's identity or enforce Entra ID authentication. Option C is wrong because client certificate authentication requires the application to explicitly validate the certificate in code and does not integrate with Microsoft Entra ID for user authentication. Option D is wrong because Shared Access Signatures (SAS) are used to grant delegated access to Azure Storage resources (e.g., blobs, queues), not to authenticate users accessing a web application URL.

46
Drag & Dropmedium

Arrange the steps to create and use a shared access signature (SAS) for an Azure Storage blob in the correct order.

Why this order

First create storage and container, upload blob, generate SAS, construct URL, then access.

47
MCQmedium

A company stores secrets (e.g., connection strings) in Azure Key Vault and needs them automatically rotated every 90 days. Which solution should they implement?

A.Configure Key Vault access policies to enforce rotation
B.Enable Key Vault firewall to limit access
C.Use Event Grid to trigger an Azure Function or Automation runbook that rotates the secret
D.Enable soft-delete on the vault
AnswerC

This is the recommended pattern; Event Grid can emit events when a secret is near expiration, invoking the rotation logic.

Why this answer

Option C is correct because Azure Key Vault does not natively support automatic secret rotation; you must implement a custom solution using Event Grid to detect expiration events and trigger an Azure Function or Automation runbook that generates a new secret and updates the vault. This pattern leverages Key Vault's eventing capabilities to automate the rotation workflow without manual intervention.

Exam trap

The trap here is that candidates assume Key Vault has a built-in rotation feature, but Azure Key Vault only stores secrets and requires an external automation trigger (Event Grid + Azure Function) to implement rotation logic.

How to eliminate wrong answers

Option A is wrong because Key Vault access policies control permissions (who can read/write secrets), not rotation logic; they cannot enforce a schedule or automate secret renewal. Option B is wrong because enabling the Key Vault firewall restricts network access to the vault for security, but does not implement any rotation mechanism. Option D is wrong because soft-delete protects against accidental deletion by retaining deleted secrets for a configurable retention period, but it does not automate rotation or renewal of secrets.

48
MCQmedium

A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?

A.Use a shared administrator account
B.Store a client secret in source control
C.Enable managed identity and grant least-privilege access to the target resource
D.Disable authentication for the target resource
AnswerC

Managed identity lets Azure-hosted apps authenticate without stored secrets.

Why this answer

Option C is correct because Azure App Service supports Managed Identity, which allows the application to authenticate to Key Vault without storing any credentials in code or configuration. By enabling a system-assigned or user-assigned managed identity and granting it least-privilege access (e.g., via an access policy with `Get` permission for secrets), the app can securely retrieve certificates using the Azure Identity SDK's `DefaultAzureCredential` class, which automatically obtains an access token from Azure AD.

Exam trap

The trap here is that candidates might think storing a client secret in source control is acceptable if the repo is private, but Azure explicitly forbids this in security best practices, and the question requires 'avoid stored credentials' entirely.

How to eliminate wrong answers

Option A is wrong because using a shared administrator account violates the principle of least privilege and introduces a security risk; credentials would need to be stored or hardcoded, defeating the goal of avoiding stored credentials. Option B is wrong because storing a client secret in source control exposes it to unauthorized access, breaches security best practices, and contradicts the requirement to avoid stored credentials. Option D is wrong because disabling authentication for the target resource (Key Vault) would allow anonymous access, which is a severe security vulnerability and not a valid design for production workloads.

49
MCQhard

A healthcare organization uses Azure API Management (APIM) to expose FHIR APIs to external partners. The FHIR backend is an Azure API for FHIR that requires OAuth 2.0 tokens from Microsoft Entra ID. APIM must validate tokens before forwarding requests to the backend. The organization also needs to rate-limit requests per subscription key and log all requests to Azure Monitor for audit. Which combination of APIM policies should be implemented?

A.Use validate-jwt, set-header to add the subscription key, and log-to-event-hub.
B.Use check-header to verify the token, rate-limit to throttle requests, and log-to-event-hub to send logs.
C.Use validate-jwt to validate the token, rate-limit to throttle requests per subscription key, and log-to-event-hub to send logs.
D.Use validate-jwt to validate the token, quota to limit total requests, and log-to-event-hub.
AnswerC

This combination meets all requirements.

Why this answer

Option C is correct because validate-jwt ensures token validation, rate-limit enforces throttling per subscription key, and log-to-event-hub sends logs to Azure Monitor via Event Hubs. Option B is wrong because check-header is not for JWT validation. Option D is wrong because quota limits total calls, not rate.

Option A is wrong because set-header is not for validation.

50
MCQmedium

A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?

A.Use a shared administrator account
B.Disable authentication for the target resource
C.Store a client secret in source control
D.Enable managed identity and grant least-privilege access to the target resource
AnswerD

Managed identity lets Azure-hosted apps authenticate without stored secrets.

Why this answer

Managed identity in Azure App Service allows the application to authenticate to Azure Storage without storing any credentials in code or configuration. By enabling a system-assigned or user-assigned managed identity, the app obtains an Azure AD token automatically, which is used to access the storage resource. Granting the managed identity only the required permissions (e.g., 'Storage Blob Data Reader' for read-only access) enforces least-privilege access, eliminating the need for stored secrets.

Exam trap

The trap here is that candidates may think storing a client secret in a configuration file (Option C) is acceptable if it's encrypted or in a secure location, but the question explicitly requires avoiding stored credentials, making managed identity the only correct choice.

How to eliminate wrong answers

Option A is wrong because using a shared administrator account violates least-privilege principles and requires storing credentials, which contradicts the requirement to avoid stored credentials. Option B is wrong because disabling authentication for the target resource would expose the storage to anonymous access, breaking security and least-privilege requirements. Option C is wrong because storing a client secret in source control is a security anti-pattern; it exposes the secret to anyone with repository access and violates the 'no stored credentials' requirement.

51
MCQhard

You are developing a web API that must authenticate requests using Microsoft Entra ID and OAuth 2.0 bearer tokens. You want to validate the token in your API code. Which library should you use?

A.Microsoft Authentication Library (MSAL)
B.Microsoft.Identity.Web
C.ADAL.NET
D.Azure.Identity
AnswerB

Microsoft.Identity.Web provides middleware and helper classes to validate Microsoft Entra ID tokens in ASP.NET Core APIs.

Why this answer

Microsoft.Identity.Web is the recommended library for integrating ASP.NET Core web APIs with Microsoft Entra ID. It provides built-in token validation, policy enforcement, and handles the OAuth 2.0 bearer token flow, including JWT validation, issuer signing keys, and audience checks, without requiring manual configuration of middleware.

Exam trap

The trap here is that candidates confuse token acquisition libraries (MSAL, Azure.Identity) with token validation libraries, leading them to pick MSAL because it is commonly associated with Entra ID authentication, even though it does not validate bearer tokens in an API.

How to eliminate wrong answers

Option A is wrong because MSAL is a client-side library used for acquiring tokens (e.g., from users or daemons), not for validating incoming bearer tokens in a web API. Option C is wrong because ADAL.NET is deprecated and uses the older Azure AD v1.0 endpoint; it lacks support for modern features like Microsoft Entra ID and the Microsoft identity platform. Option D is wrong because Azure.Identity is a credential abstraction library for authenticating to Azure services (e.g., DefaultAzureCredential), not for validating OAuth 2.0 bearer tokens in an API.

52
MCQhard

A developer deleted a secret from Azure Key Vault with soft-delete and purge protection enabled (retention 90 days). After 50 days, the secret is needed again. What is the correct recovery method?

A.Purge the secret and then restore from a backup
B.Recover the secret using Azure CLI 'az keyvault secret recover'
C.Recreate the secret with the same name
D.Use an Azure Resource Manager template to undelete the secret
AnswerB

Correct. Soft-delete allows recovery within the retention period using the recover command.

Why this answer

Option B is correct because Azure Key Vault with soft-delete and purge protection enabled retains deleted secrets for the specified retention period (90 days in this case). Since only 50 days have passed, the secret is still in a soft-deleted state and can be recovered using the 'az keyvault secret recover' command, which restores the secret to its original state without data loss.

Exam trap

The trap here is that candidates may confuse soft-delete recovery with backup/restore or assume that recreating the secret with the same name is possible, not realizing that soft-deleted secrets block name reuse until purged or the retention period ends.

How to eliminate wrong answers

Option A is wrong because purging the secret permanently deletes it, making recovery impossible without a backup; the correct action is to recover the soft-deleted secret, not purge it. Option C is wrong because recreating the secret with the same name would fail due to a naming conflict with the soft-deleted secret, which still exists in a hidden state. Option D is wrong because Azure Resource Manager templates cannot undelete secrets; they are used for infrastructure deployment, not for recovering soft-deleted Key Vault objects.

53
MCQmedium

A company uses Azure App Service to host a web application. They need to ensure that only authenticated users from their Microsoft Entra ID tenant can access the app. They also want to prevent unauthenticated requests from reaching the app code. Which configuration should they implement?

A.Configure IP restrictions in the web.config to allow only the company's office IP range.
B.Implement a custom middleware in the app to validate tokens from Microsoft Entra ID.
C.Assign users to Microsoft Entra ID App Roles and check roles in the app.
D.Enable App Service Authentication with Microsoft Entra ID as the identity provider and set 'Action to take when request is not authenticated' to 'Log in with Microsoft Entra ID'.
AnswerD

This configuration ensures all unauthenticated requests are redirected to login, and the authentication module validates tokens before the request reaches the app.

Why this answer

Option D is correct because the App Service Authentication feature, when configured to require authentication (e.g., 'Log in with Microsoft Entra ID'), blocks unauthenticated requests before they reach the app code. Option A is wrong because IP restrictions only block based on IP, not authentication. Option B is wrong because custom middleware is unnecessary: the built-in Microsoft Entra ID authentication module in App Service (EasyAuth) is specifically designed to offload authentication and reject unauthenticated requests before they reach the app.

Option C is wrong because Microsoft Entra ID App Roles are for authorization, not authentication enforcement at the gateway.

54
MCQmedium

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The architecture review board prefers a managed AWS-native control.

A.Password hash synchronization
B.Delegated permissions only
C.Device code flow
D.Application permissions with client credentials flow
AnswerD

Application permissions allow daemon apps to act as themselves without a user context.

Why this answer

For a background service calling Microsoft Graph without a signed-in user, the application must authenticate as itself, not on behalf of a user. Application permissions, combined with the client credentials flow (OAuth 2.0), allow the service to obtain an access token using its own identity (client ID and client secret or certificate), without any user interaction. This is the only model that supports non-interactive, daemon-style access to Microsoft Graph.

Exam trap

The trap here is that candidates confuse 'no signed-in user' with 'no user at all' and incorrectly choose delegated permissions or device code flow, forgetting that application permissions with client credentials flow are the only way to authenticate a service identity without user interaction.

How to eliminate wrong answers

Option A is wrong because password hash synchronization is an Azure AD Connect feature for syncing user password hashes for hybrid identity, not a permission model for calling Microsoft Graph. Option B is wrong because delegated permissions require a signed-in user to delegate authority to the app; they cannot be used for background services that run without a user context. Option C is wrong because the device code flow is designed for devices with limited input capabilities (e.g., IoT, CLI) and still requires a signed-in user to complete the authentication interactively; it does not support unattended background service scenarios.

55
Multi-Selecthard

Your company is deploying a multi-tier application on Azure. The application consists of a web front end, an API layer, and a database. You need to ensure secure communication between tiers. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Enable HTTPS on the web front end
B.Enable Azure Storage encryption at rest
C.Use TLS for all internal service-to-service communication
D.Use managed identities to authenticate between tiers
E.Configure network security groups (NSGs) to allow only the web layer to access the API layer, and only the API layer to access the database
AnswersC, E

TLS ensures encryption between API and database, and between web and API.

Why this answer

Option C is correct because TLS (Transport Layer Security) encrypts data in transit between application tiers, preventing eavesdropping and man-in-the-middle attacks. For internal service-to-service communication, using TLS ensures that sensitive data passed between the web front end, API layer, and database remains confidential and tamper-proof, which is a fundamental security best practice for multi-tier applications.

Exam trap

The trap here is that candidates often confuse authentication (managed identities) with encryption (TLS), thinking that authenticating between tiers automatically secures the communication channel, when in fact encryption is required to protect data in transit.

56
Multi-Selecthard

You are developing a serverless application using Azure Functions that processes sensitive data. The function is triggered by an Azure Storage queue. You need to ensure that data in transit between the function and the storage account is encrypted using a customer-managed key (CMK) and that the storage account's firewall only allows access from the function's virtual network. Which two actions should you take? (Choose two.)

Select 2 answers
A.Configure a customer-managed key in Azure Key Vault and associate it with the storage account.
B.Configure the storage account firewall to allow access only from the function's virtual network.
C.Enable 'Secure transfer required' on the storage account.
D.Enable VNet integration on the function app to route traffic through a virtual network.
AnswersB, C

Restricts network access to the storage account.

Why this answer

To protect data in transit, you need to use HTTPS and require secure transfer. However, CMK for data in transit is not supported; CMK applies to data at rest. The question asks for data-in-transit encryption using CMK, but that is not a standard feature.

The best interpretation is to ensure encryption in transit (HTTPS) and restrict network access. Option C is correct: enable 'Secure transfer required' on the storage account to enforce HTTPS. Option B is correct: configure the storage account firewall to allow access only from the function's virtual network (via service endpoint or private endpoint).

Option A is wrong because configuring CMK in Key Vault does not encrypt data in transit. Option D is wrong because VNet integration for the function app does not by itself restrict storage access.

57
Multi-Selecthard

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The design must avoid adding custom operational scripts.

Select 2 answers
A.Issuer and signature are valid for the trusted tenant
B.The user's display name is present
C.Token audience matches the API application ID URI or client ID
D.The token was sent in a query string
AnswersA, C

Issuer and signature validation confirms the token came from the expected identity provider.

Why this answer

Option A is correct because the API must validate that the JWT's issuer (iss claim) matches the trusted tenant's issuer URL (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0) and that the token's cryptographic signature is valid using the public keys from the OpenID Connect discovery endpoint. This ensures the token was genuinely issued by Microsoft Entra ID for the expected tenant and has not been tampered with.

Exam trap

The trap here is that candidates often think validating the user's identity (e.g., display name or UPN) is a security requirement, but token validation is purely about cryptographic and structural checks (issuer, signature, audience, expiration) — not user attributes.

58
MCQeasy

Refer to the exhibit. You are using Azure CLI to list blobs in a container. The command fails with an authorization error. The storage account has firewall rules enabled, and you are running the CLI from a machine that is not on the allowed network list. What is the most likely cause of the failure?

A.The storage account firewall is blocking the request because your IP is not in the allow list
B.You do not have the 'Storage Blob Data Reader' role assigned
C.The container name is misspelled
D.The storage account requires TLS 1.2 and your CLI uses an older version
AnswerA

Firewall rules explicitly deny traffic from non-allowed IPs, causing authorization failure.

Why this answer

Firewall rules deny access from non-allowed IPs, so Option A is correct. Option B would matter only for data-plane operations authorized through RBAC; the CLI can also authenticate with a storage account key or SAS, and given the scenario the failure is most likely caused by the firewall.

Option D is about TLS, which would produce a different error. Option C is about the container name, but the command syntax is correct.

59
MCQmedium

Your organization uses Azure Key Vault to store secrets. Developers need to retrieve secrets during application runtime. You want to minimize latency and avoid network overhead. Which approach should you recommend?

A.Enable the Key Vault firewall and allow only trusted Azure services.
B.Store the secrets directly in application configuration files.
C.Implement caching of secrets in the application with a short time-to-live (TTL) and use Key Vault as the source of truth.
D.Enable Key Vault soft-delete to ensure secrets are recoverable.
AnswerC

Caching reduces latency and load on Key Vault.

Why this answer

Option C is correct because caching Key Vault secrets in the application (e.g., using IMemoryCache with expiration) reduces calls to Key Vault. Option B is wrong because storing secrets in app settings is insecure. Option A is wrong because the Key Vault firewall does not reduce latency.

Option D is wrong because soft-delete is for recovery, not performance.

60
Multi-Selecthard

A company uses Azure Functions to process sensitive customer data. The functions are triggered by Service Bus messages. The security requirements mandate that all function code must be encrypted in transit and at rest, and that access to the function must be authenticated using Microsoft Entra ID. Which TWO configurations should be implemented? (Choose two.)

Select 2 answers
A.Enable 'App Service Authentication' and set the action to 'Allow anonymous requests'.
B.Configure the function app's authentication to 'Microsoft Entra ID' with 'Require authentication' set to 'On'.
C.Set the function app's 'HTTPS Only' setting to 'On' to enforce encryption in transit.
D.Use Service Bus managed identity with access keys for authentication.
E.Set the function app's 'HTTP version' to 'HTTP/2' to improve encryption.
AnswersB, C

This ensures only Entra ID-authenticated requests are accepted.

Why this answer

Options B and C are correct. Enforcing HTTPS ensures encryption in transit. Restricting function access to Entra ID meets the authentication requirement.

Option D is wrong because Service Bus access keys are not Entra ID authentication. Option E is wrong because enabling HTTP/2 does not enforce encryption; the function can still be called over plain HTTP. Option A is wrong because allowing anonymous requests permits unauthenticated access.

61
MCQmedium

You are developing an ASP.NET Core web app that uses Azure SQL Database. The SQL connection string contains a password that must be rotated every 30 days. The app runs on Azure App Service. You want to store the connection string securely and enable automatic rotation without redeploying the app. Which approach should you use?

A.Store the connection string in an App Setting and use Key Vault references. Configure a Key Vault policy to automatically rotate the secret.
B.Store the connection string in an App Setting as a plain text value and use deployment slots to swap when the password changes.
C.Use a managed identity to access the SQL database directly, bypassing the connection string entirely.
D.Store the connection string in Azure Key Vault and use an ARM template with a secret reference at deployment time.
AnswerA

This approach uses a Key Vault reference in the App Setting, which the runtime resolves automatically. The secret can have an expiration date, and you can automate its renewal using Azure automation or functions, enabling rotation without redeployment.

Why this answer

Option A is correct because Azure App Service supports Key Vault references in App Settings, allowing you to securely store the connection string in Key Vault and reference it without exposing the password. By configuring a Key Vault policy to automatically rotate the secret (e.g., using a scheduled rotation or event-driven trigger), the password can be rotated every 30 days without redeploying the app, as the App Service runtime resolves the reference at runtime.

Exam trap

The trap here is that candidates often confuse Key Vault references with ARM template secret references, assuming both are resolved at runtime, but ARM template references are only evaluated during deployment, not dynamically.

How to eliminate wrong answers

Option B is wrong because storing the connection string as plain text in an App Setting exposes the password in the Azure portal and configuration files, violating security best practices, and deployment slots do not automate rotation—they only swap environments, requiring manual password updates. Option C is wrong because managed identity can authenticate to Azure SQL Database without a password, but it does not eliminate the need for a connection string entirely; the connection string still contains the server and database name, and managed identity does not support automatic rotation of a password (it uses certificate-based authentication). Option D is wrong because ARM template secret references are resolved at deployment time, not at runtime, so rotating the secret in Key Vault would require a new deployment to update the connection string, failing the requirement to avoid redeployment.

62
MCQhard

Your application uses Azure Key Vault to store cryptographic keys. You need to ensure that keys are automatically rotated every 90 days without any manual intervention. Which Key Vault feature should you configure?

A.Set a key rotation policy
B.Configure a Key Vault firewall
C.Enable soft-delete on the key vault
D.Use a managed HSM instead of a standard vault
AnswerA

Key rotation policy automates key rotation based on defined schedule.

Why this answer

Option A is correct because a Key Vault key rotation policy allows automatic rotation of keys based on a time interval or expiration. Option B is wrong because the Key Vault firewall controls network access, not rotation. Option C is wrong because soft-delete is for recovery, not rotation.

Option D is wrong because managed HSM supports rotation but requires more configuration and is not the standard feature for automatic rotation; the built-in rotation policy is the correct answer.

63
Multi-Select · medium

Which THREE components are required to implement Azure AD B2C custom policies for sign-up and sign-in? (Choose three.)

Select 3 answers
A. A user journey definition
B. An Azure AD (Microsoft Entra ID) tenant for employee identities
C. An Azure subscription
D. A trust framework policy (XML)
E. A relying party application registration
Answers: A, D, E

User journeys define the orchestration steps.

Why this answer

Options A, D, and E are correct. A user journey (the orchestration steps), a trust framework policy (the XML base), and a relying party application registration (the app) are required. Option B is wrong because an Azure AD (Microsoft Entra ID) tenant is the identity provider for employees, not customers.

Option C is wrong because B2C uses a tenant, not a subscription.

64
Multi-Select · medium

You need to secure access to an Azure Storage account that contains sensitive data. Which TWO of the following are recommended best practices?

Select 2 answers
A. Rotate storage account keys every 24 hours
B. Use managed identities to access storage from Azure services
C. Configure firewall rules to restrict access to specific IP addresses or VNets
D. Use SAS tokens with long expiry dates
E. Enable anonymous public access for all containers
Answers: B, C

Managed identities avoid storing credentials.

Why this answer

Option B is correct because using managed identities avoids storing credentials. Option C is correct because limiting network access reduces the attack surface. Option A is wrong because storage account keys should be rotated regularly, but not necessarily every 24 hours.

Option D is wrong because SAS tokens with long expiry dates increase risk. Option E is wrong because public access should be disabled except for specific containers when needed.

65
MCQ · medium

Twenty Azure Functions across different teams all need read access to the same Azure Cosmos DB account. The security team wants to revoke or modify this access for all twenty functions at once without visiting each Function App individually. What managed identity design satisfies this requirement?

A. Create one user-assigned managed identity, attach it to all twenty Function Apps, and grant it the Cosmos DB Built-in Data Reader role
B. Enable a system-assigned managed identity on each Function App and grant each identity the Cosmos DB Built-in Data Reader role
C. Create a service principal, store its client secret in Key Vault, and reference the secret from all twenty Function Apps via Key Vault references
D. Store the Cosmos DB connection string in Azure App Configuration and reference it from all twenty Function Apps
Answer: A

The role assignment on the user-assigned identity propagates instantly to all twenty Function Apps that reference it. Revoking the role assignment revokes access everywhere simultaneously. Adding a new Function App just requires attaching the existing identity — no new role grants are needed.

Why this answer

Option A is correct because a single user-assigned managed identity can be created once and then attached to all twenty Function Apps. Granting that identity the Cosmos DB Built-in Data Reader role at the Cosmos DB account scope means that revoking or modifying the role assignment centrally affects all functions simultaneously, without needing to visit each app individually.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are tied to a single resource) with user-assigned managed identities (which can be shared across resources), leading them to choose Option B because they think 'managed identity' automatically means system-assigned, missing the central management requirement.

How to eliminate wrong answers

Option B is wrong because each system-assigned managed identity is unique per Function App, so you would have to grant the Cosmos DB role to each identity individually, and revoking or modifying access would require updating each role assignment separately. Option C is wrong because using a service principal with a client secret stored in Key Vault introduces secret management overhead and does not leverage managed identities; revoking access would require rotating the secret or modifying the service principal, not a single role assignment. Option D is wrong because storing the Cosmos DB connection string in App Configuration and referencing it from each Function App does not provide a central point to revoke or modify access—each app still uses the same static connection string, and revoking access would require changing the connection string and redeploying or updating each app's configuration reference.

66
MCQ · easy

You need to secure access to an Azure Storage account that hosts sensitive data. The requirement is to restrict access to only requests originating from a specific virtual network. Which feature should you configure?

A. Customer-managed keys (CMK)
B. Azure AD authentication
C. Shared access signatures (SAS)
D. Storage firewall and virtual network rules
Answer: D

These rules allow you to limit access to specific VNets and subnets.

Why this answer

Storage firewall and virtual network rules allow you to restrict access to specific VNets, subnets, and IP ranges.

67
MCQ · easy

You are developing an API that will be hosted on Azure API Management (APIM). The API must be accessible only to clients that present a valid JSON Web Token (JWT) issued by Microsoft Entra ID. Which APIM policy should you use to validate the JWT?

A. <cors allow-credentials="true" />
B. <authenticate-basic />
C. <validate-jwt header-name="Authorization" failed-validation-httpcode="401" />
D. <check-header name="Authorization" failed-check-httpcode="401" />
Answer: C

The validate-jwt policy validates the JWT token.

Why this answer

Option C is correct because the validate-jwt policy is designed to check the validity of a JWT. Option A is wrong because cors is for cross-origin requests. Option B is wrong because authenticate-basic is for basic authentication.

Option D is wrong because check-header only checks for the existence of a header, not the validity of the token it carries.

68
MCQ · hard

A company uses Azure API Management (APIM) to expose APIs to external partners. They want to validate JSON Web Tokens (JWTs) from partners' Microsoft Entra ID tenants before requests reach the backend. The solution must support multiple partner tenants and minimize latency. What should you implement?

A. Use Azure AD B2C as a token broker between partners and the API.
B. Configure OAuth 2.0 authorization server in APIM for each partner tenant.
C. Use client certificate authentication in APIM to map certificates to partner tenants.
D. Use APIM inbound policy with validate-jwt and specify openid-config URL for each partner tenant.
Answer: D

This validates JWTs from multiple issuers efficiently.

Why this answer

Option D is correct because an APIM inbound policy with validate-jwt can use openid-config to dynamically fetch signing keys from multiple issuers. Option A is wrong because Azure AD B2C is for customer identities, not partner tenants. Option B is wrong because the OAuth 2.0 authorization server setting in APIM is for authorization server integration and does not easily validate JWTs for multiple tenants.

Option C is wrong because client certificates are for certificate-based authentication, not JWT validation.

69
Multi-Select · easy

Your company wants to implement a zero-trust security model for its Azure resources. Which THREE practices should you adopt? (Choose three.)

Select 3 answers
A. Implement just-in-time (JIT) access for administrative roles
B. Require multi-factor authentication (MFA) for all users
C. Place all resources behind a firewall
D. Enable micro-segmentation between application tiers
E. Use a VPN to connect to the corporate network
Answers: A, B, D

JIT reduces standing privileges, aligning with zero-trust.

Why this answer

Option A is correct because just-in-time (JIT) access for administrative roles reduces the attack surface by granting elevated permissions only when needed and for a limited time. In Azure, JIT is implemented via Azure AD Privileged Identity Management (PIM), which enforces activation requests, approval workflows, and automatic deactivation. This aligns with the zero-trust principle of 'never trust, always verify' by minimizing standing privileges.

Exam trap

The trap here is that candidates often confuse traditional network security controls (like firewalls and VPNs) with zero-trust principles, mistakenly thinking perimeter defenses are sufficient, while zero-trust requires identity-based, least-privilege access and micro-segmentation regardless of network location.

70
MCQ · medium

You are developing a web application that will be deployed to Azure App Service. The application allows users to upload files, which are stored in Azure Blob Storage. You need to ensure that only authenticated users can upload files and that each user can only see their own files. You plan to use shared access signatures (SAS) for secure access. The application uses Microsoft Entra ID for authentication. You want to generate SAS tokens on the server after the user authenticates. Which approach should you use?

A. After user authentication, have the client generate a SAS token using the storage account key retrieved from a secure endpoint.
B. After user authentication, use the server-side code to generate a user delegation SAS for a specific blob container path that includes the user's identifier. Store the SAS in the user's session and return it to the client. The client then uses the SAS to upload the file directly to Blob Storage.
C. After user authentication, use the server-side code to generate a service SAS for the entire blob container. Return the SAS to the client. The client uploads the file, and the server later moves the file to a user-specific folder.
D. After user authentication, use the server to upload the file to Blob Storage using the storage account key. Then return the URL of the uploaded blob to the client.
Answer: B

User delegation SAS is scoped to the user and can be generated without exposing the account key.

Why this answer

Option B is correct because generating a user delegation SAS with the user's identity ensures that the SAS token is scoped to that user. Storing the SAS in the user's session and returning it to the client for direct upload is secure and efficient. Option A is wrong because client-side generation of SAS tokens requires the storage account key to be exposed to the client.

Option C is wrong because a service SAS is not tied to the user's identity and would allow cross-user access. Option D is wrong because using the storage account key directly from the server is a security risk and does not tie the access to the user.

71
MCQ · hard

You are designing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not defined in Microsoft Entra ID app roles or groups. The role mappings are dynamic and stored in an application database. How should you implement authorization in the API?

A. Define the roles as Microsoft Entra ID app roles and assign them to users. This is the standard way to handle roles.
B. Use the OnTokenValidated event in OpenID Connect middleware to query the database and add custom role claims to the identity.
C. Store the roles in the Microsoft Entra ID token by customizing the token issuance in Microsoft Entra ID.
D. Use the [Authorize] attribute with a custom authorization filter that checks the database on every request without modifying the claims.
Answer: B

Correct. By subscribing to the OnTokenValidated event, you can retrieve roles from the database and add them as claims to the principal. Then you can use standard authorization policies based on those claims.

Why this answer

Option B is correct because it uses the OnTokenValidated event in OpenID Connect middleware to enrich the user's identity with custom role claims from the application database after token validation. This approach allows dynamic role mappings stored externally to be injected into the ClaimsPrincipal, which can then be evaluated by the standard [Authorize] attribute with role policies. It avoids modifying Entra ID configuration and keeps role management flexible within the application.

Exam trap

The trap here is that candidates often assume Entra ID app roles or groups are the only way to implement role-based authorization, overlooking the flexibility of the OnTokenValidated event to inject custom claims from external sources.

How to eliminate wrong answers

Option A is wrong because defining roles as Entra ID app roles requires static assignment in the directory, which contradicts the requirement for dynamic role mappings stored in an application database. Option C is wrong because customizing token issuance in Entra ID is not feasible for dynamic, database-driven roles; Entra ID tokens are issued based on directory configuration, not external databases. Option D is wrong because using a custom authorization filter that checks the database on every request without modifying claims is inefficient and bypasses the standard claims-based authorization pipeline, leading to poor performance and complexity.

72
MCQ · medium

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?

A. Authorization code flow with PKCE
B. Client credentials flow
C. Resource owner password credentials
D. Implicit flow
Answer: A

Correct. This flow is secure, supports delegated permissions, and with PKCE it reduces consent prompts through silent token refresh.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth 2.0 grant type for public clients (like a web app) that need delegated user authentication and consent. It allows the app to obtain an access token to read the user's profile and a refresh token to send emails on their behalf, while minimizing consent prompts by using a single consent request for both permissions. PKCE adds a cryptographic challenge to prevent authorization code interception attacks, making it secure for web apps without a client secret.

Exam trap

The trap here is that candidates often choose the client credentials flow (B) thinking it minimizes prompts because it doesn't involve user interaction, but they overlook that the app needs to act on behalf of a specific user, which requires delegated permissions and user consent, not application permissions.

How to eliminate wrong answers

Option B is wrong because the client credentials flow is designed for server-to-server (daemon) scenarios where no user is present; it cannot act on behalf of a specific user to read their profile or send emails as them. Option C is wrong because the resource owner password credentials flow requires the user to provide their username and password directly to the app, which is insecure and not recommended for modern apps; it also does not minimize consent prompts as it bypasses the consent UI entirely. Option D is wrong because the implicit flow is deprecated in OAuth 2.0 Security Best Current Practice (BCP) due to security risks like access token leakage in the browser; it also cannot issue refresh tokens, so the app would need repeated consent prompts for long-lived access.

73
MCQ · hard

You are a security engineer for a large enterprise that uses Microsoft Entra ID. The company deploys a custom web application in Azure that authenticates users via the OAuth 2.0 authorization code flow with PKCE. The application is registered in Microsoft Entra ID. Recently, security auditors discovered that a compromised client secret was used to obtain tokens without user consent. You must update the application registration to prevent this type of attack. The application should still work with the authorization code flow and PKCE. You need to ensure that only interactive user authentication can obtain tokens, and that client secrets cannot be used to request tokens directly. Which option meets these requirements?

A. Remove the client secret from the app registration and configure the application to use a client certificate for authentication. Set the application type to 'Public client/native' and disable 'Allow public client flows' (if needed).
B. Keep the client secret but enable 'Allow public client flows' and set the redirect URI to use a custom scheme.
C. Change the authentication flow to client credentials grant and assign a managed identity to the application.
D. Increase the client secret expiration to 2 years and rotate the secret monthly.
Answer: A

Removing the secret eliminates the compromised secret. Using a certificate ensures secure authentication, and setting as public client (with PKCE) prevents use of client secrets.

Why this answer

Option A is correct: By disabling the 'Allow public client flows' setting and removing the client secret, the application becomes a confidential client that still uses the authorization code flow, but the client secret is not used because PKCE with client assertion (certificate) replaces it. However, the key point is to prevent client secret misuse. In Microsoft Entra ID, you can mark the application as a public client (which disables client secrets) or use client certificates instead.

Option A describes removing the secret and using a certificate, which ensures that only interactive flows (which require user authentication) are possible. Option B is incorrect because enabling 'Allow public client flows' would allow non-interactive flows. Option C is incorrect because using client credentials grant is for non-interactive scenarios.

Option D is incorrect because adjusting token lifetime does not prevent client secret misuse.

74
MCQ · medium

Refer to the exhibit. You have an Azure Policy definition as shown. Your team creates a storage account with network rules set to 'Deny' by default, and then adds an IP rule to allow traffic from a specific IP range. What compliance state will this storage account be reported as?

A. Error
B. Compliant
C. Exempt
D. Non-compliant
Answer: B

The policy condition is not met (defaultAction is 'Deny'), so the audit effect does not apply.

Why this answer

The policy audits if the storage account type is 'Microsoft.Storage/storageAccounts' AND defaultAction equals 'Allow'. Since the defaultAction is 'Deny', the condition is false, so the resource is compliant. Option B is correct.

75
MCQ · hard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used?

A. Implicit flow
B. Client credentials flow
C. Resource owner password credentials flow
D. Authorization code flow with PKCE
Answer: D

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the correct choice because it is designed for public clients (like single-page apps) that cannot securely store a client secret. PKCE uses a dynamically generated cryptographic code verifier and challenge to prevent authorization code interception attacks, making it the recommended OAuth 2.0 flow for SPAs calling protected APIs in Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse the implicit flow (which was historically used for SPAs) with the modern PKCE-enhanced authorization code flow, not realizing that the implicit flow is now deprecated and the authorization code flow with PKCE is the current best practice for public clients.

How to eliminate wrong answers

Option A is wrong because the implicit flow is deprecated by OAuth 2.0 Security Best Current Practice (BCP) and Microsoft Entra ID recommends against it for SPAs due to security risks like access token leakage in the browser history. Option B is wrong because the client credentials flow is intended for server-to-server (confidential client) scenarios where no user is involved, not for a single-page app that signs in users. Option C is wrong because the resource owner password credentials flow requires the app to handle user credentials directly, which is insecure and violates the principle of delegated authentication; it is also not recommended by Microsoft Entra ID for modern applications.
