CCNA Azure Security Questions

75 of 178 questions · Page 2/3 · Azure Security topic · Answers revealed

76
MCQ · medium

You are developing an ASP.NET Core web API hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You have enabled a system-assigned managed identity for the App Service. Which code should you use to create the Key Vault SecretClient?

A. new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential())
B. new SecretClient(new Uri(keyVaultUrl), new ClientSecretCredential(tenantId, clientId, clientSecret))
C. new SecretClient(new Uri(keyVaultUrl), new ChainedTokenCredential())
D. new SecretClient(new Uri(keyVaultUrl), new InteractiveBrowserCredential())
Answer: A

DefaultAzureCredential attempts to authenticate using the environment's managed identity (among others). In an App Service with system-assigned managed identity, it will use that identity.

Why this answer

Option A is correct because `DefaultAzureCredential` automatically attempts to authenticate using the environment's managed identity when running on Azure App Service. Since a system-assigned managed identity is enabled, `DefaultAzureCredential` will chain through available credential sources and successfully use the managed identity endpoint to obtain a token for Key Vault, without requiring any explicit tenant ID, client ID, or secret.

Exam trap

The trap here is that candidates often choose `ClientSecretCredential` (Option B) because they are accustomed to using service principals with secrets, forgetting that managed identities eliminate the need for any hardcoded credentials.

How to eliminate wrong answers

Option B is wrong because `ClientSecretCredential` needs a client secret that must be stored, protected and rotated, which is exactly what a managed identity removes. Option C is wrong because `ChainedTokenCredential` is a concrete class for composing an explicit chain from the credentials passed to its constructor; constructed with no sources it has nothing to authenticate with, and in this scenario it would at most wrap a `ManagedIdentityCredential`, which `DefaultAzureCredential` already tries. Option D is wrong because `InteractiveBrowserCredential` opens a browser for a user to sign in, which cannot happen during unattended server-side startup in App Service.

A practitioner's note: in production code it is common to construct `ManagedIdentityCredential` directly (or a `DefaultAzureCredential` with the developer-tool sources excluded) rather than the full default chain, so startup does not probe environment variables, Azure CLI and other local sources, and a misconfigured identity fails fast with a clear error.

77
MCQ · easy

A company stores secrets in Azure Key Vault. Developers need to retrieve secrets from a web app without storing connection strings in code. Which authentication method should the web app use?

A. Register a service principal and use a client secret
B. Enable a managed identity for the web app
C. Use a shared access signature (SAS) token
D. Use a certificate thumbprint in the app settings
Answer: B

Managed identities allow the app to authenticate to Key Vault without storing credentials.

Why this answer

Managed identities give the app an automatically managed identity in Microsoft Entra ID, so it can authenticate to any service that supports Entra ID authentication, including Key Vault, with no credential in code or configuration. Option A is wrong because a service principal with a client secret still leaves a secret that must be stored and rotated. Option C is wrong because SAS tokens are an Azure Storage mechanism; Key Vault does not accept them. Option D is wrong because a certificate thumbprint merely identifies the certificate a service principal authenticates with; the private key still has to be stored, protected and renewed by the app's operators.

78
MCQ · medium

A company deploys an Azure App Service web app that stores sensitive data in Azure Blob Storage. The security team requires that all access to the blob storage must be authenticated and authorized via Microsoft Entra ID, and that no anonymous access is permitted. The web app must also be able to access the storage using its managed identity. Which configuration should the company implement?

A. Create a custom RBAC role that allows full access to the storage account and assign it to the web app's service principal.
B. Enable the web app's system-assigned managed identity, assign the Storage Blob Data Contributor role to the identity, and disable anonymous access on the storage account.
C. Use storage account access keys and store them in Key Vault, then configure the web app to retrieve them at runtime.
D. Generate a shared access signature (SAS) token with read permissions, store it in App Settings, and configure the web app to use it.
Answer: B

Managed identity provides Entra ID authentication and RBAC authorization.

Why this answer

Option B is correct because enabling the system-assigned managed identity and assigning it Storage Blob Data Contributor on the storage account gives the web app Entra ID authentication with RBAC authorization at the data plane, and disabling anonymous (public blob) access on the account closes the unauthenticated path the security team prohibits. Option A is wrong because a custom role with full access over-provisions the app; a built-in data-plane role scoped to the account is the least-privilege choice. Option C is wrong because account access keys authorize via Shared Key and bypass Entra ID entirely, so every holder of the key is indistinguishable. Option D is wrong because a SAS is derived from an account key, not from an Entra ID identity, and a SAS in App Settings is just another long-lived stored credential.

A useful follow-up to B is to set 'Allow storage account key access' to disabled on the account, so Shared Key and key-derived SAS cannot be used at all and Entra ID becomes the only authorization path.

79
MCQ · hard

Refer to the exhibit. You are deploying an ARM template that assigns the 'Storage Blob Data Contributor' role to the managed identity of an App Service named 'myapp' at the storage account 'mystorageacct' scope. The deployment fails with an error that 'principalId' is null. What is the most likely cause?

A. The role definition ID is incorrect.
B. The storage account name 'mystorageacct' does not exist.
C. The role assignment name is not unique.
D. The App Service 'myapp' does not have a managed identity enabled.
Answer: D

Without managed identity, principalId is null.

Why this answer

The role assignment takes its `principalId` from a `reference()` call on the App Service resource, for example `reference(resourceId('Microsoft.Web/sites', 'myapp'), '2022-03-01', 'Full').identity.principalId`. That property only exists when the site resource declares `"identity": { "type": "SystemAssigned" }`; without it the `identity` object is absent, the expression evaluates to null, and the role assignment fails validation. Option D is correct: the template (or the already-deployed site) does not enable a managed identity. The role assignment should also `dependsOn` the site so the identity exists before the reference is resolved.

Option A is wrong because an incorrect role definition ID produces a role-definition-not-found error, not a null principal. Option B is wrong because a missing storage account fails the scope lookup, not the principal. Option C is wrong because a non-unique role assignment name produces a conflict error; assignment names should be generated with `guid()` over the scope, role and principal so they are stable and unique.

80
MCQ · hard

Your application uses Azure Key Vault to store cryptographic keys used for signing. You need to ensure that the keys can be used by multiple applications, but only one application should be able to delete the key. What should you do?

A. Assign the 'Key Vault Crypto Officer' role to the application that needs to delete, and 'Key Vault Crypto User' to others.
B. Enable soft-delete and purge protection on the key vault.
C. Create a key rotation policy that automatically deletes old keys.
D. Configure the key vault firewall to allow only the authorized application's IP.
Answer: A

RBAC roles provide fine-grained permissions for key operations.

Why this answer

With the Azure RBAC permission model enabled on the vault, the data-plane roles give per-operation granularity. 'Key Vault Crypto Officer' allows any action on keys, including delete, so assign it only to the application that must delete; 'Key Vault Crypto User' allows only cryptographic operations such as sign, verify, encrypt and decrypt, which is all the other applications need. Option A is correct.

Option B is wrong because soft-delete and purge protection make deletion recoverable or non-purgeable; they do not control who may delete. Option C is wrong because a rotation policy creates new key versions on a schedule and does not govern delete permissions. Option D is wrong because the Key Vault firewall controls network reachability, not authorization.

Note that Crypto Officer also permits creating keys and changing key attributes. If the requirement is literally "only delete", a custom role whose data actions are limited to reading and deleting keys is tighter than the built-in role.

81
MCQ · medium

Your API is secured using Azure AD (now Microsoft Entra ID) tokens. You need to validate the token in your custom code. Which library should you use to validate the token's signature, issuer, and audience?

A. ASP.NET Core Identity
B. Microsoft Graph SDK
C. Microsoft Authentication Library (MSAL)
D. Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt
Answer: D

These libraries provide token validation methods.

Why this answer

Microsoft.IdentityModel.Tokens supplies `TokenValidationParameters` and the signing-key model, and System.IdentityModel.Tokens.Jwt supplies `JwtSecurityTokenHandler.ValidateToken`, which together check the signature against the tenant's published signing keys, the issuer and the audience (the newer Microsoft.IdentityModel.JsonWebTokens package plays the same role). Option D is correct. Option A is wrong because ASP.NET Core Identity manages local user accounts and passwords, not token validation. Option B is wrong because the Graph SDK calls Microsoft Graph; it consumes tokens rather than validating them. Option C is wrong because MSAL acquires tokens from Entra ID; it does not validate tokens presented to your API.

In practice the signing keys should be loaded from the tenant's OpenID Connect metadata (`.well-known/openid-configuration`) rather than hard-coded, so that Entra ID key rollover does not break validation; the JwtBearer middleware that Microsoft.Identity.Web configures does this automatically.

82
MCQ · hard

Your application uses Azure Functions and needs to authenticate to a downstream API using OAuth 2.0. The function app uses a system-assigned managed identity. Which token endpoint should the function app call to get a token for the downstream API?

A. https://{function-app}.azurewebsites.net/.auth/login
B. https://{downstream-api}.azurewebsites.net/.auth/me
C. https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
D. http://169.254.169.254/metadata/identity/oauth2/token
Answer: D

This is the IMDS endpoint used by managed identities to get tokens.

Why this answer

The managed identity token endpoint on a virtual machine is the Azure Instance Metadata Service (IMDS) at http://169.254.169.254/metadata/identity/oauth2/token. The request is a GET carrying the header `Metadata: true` plus the `resource` (or `scope`) of the downstream API, and the identity's credential never leaves the platform. Option D is correct. Option A is wrong because `/.auth/login` on the function app belongs to App Service Authentication and signs users in; it does not issue tokens to the app's own identity. Option B is wrong because `/.auth/me` on the downstream API returns the caller's session claims, not a token. Option C is wrong because the Entra ID token endpoint serves the client-credentials flow, which needs a client secret or certificate, precisely what a managed identity is meant to eliminate.

Caveat for Functions and App Service specifically: those hosts do not route to 169.254.169.254. The platform injects the endpoint as the `IDENTITY_ENDPOINT` environment variable and requires the `X-IDENTITY-HEADER` request header set to the injected `IDENTITY_HEADER` value, which plays the same anti-SSRF role as `Metadata: true` does on IMDS. `ManagedIdentityCredential` (and therefore `DefaultAzureCredential`) detects which host it is on and calls the right endpoint, which is why application code should use the SDK rather than hand-building the request.
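The request shape behind both answers above, as an added example that is not part of the quiz page: it builds the token request for whichever host the code runs on, shows why the `Metadata: true` / `X-IDENTITY-HEADER` headers are the SSRF guard, and sanity-checks the audience and expiry of the returned token before it is used. Assumptions are mine: Key Vault (`https://vault.azure.net`) as the resource, api-versions 2018-02-01 (IMDS) and 2019-08-01 (App Service endpoint), and a constructed, unsigned fake response so the demo runs offline.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# IMDS token endpoint used on VMs/VMSS (the page's answer D).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_request(resource, env=None, client_id=None):
    """Return (url, headers) for the managed identity token endpoint on this host.

    VM/VMSS: IMDS at 169.254.169.254 rejects any request lacking the
    'Metadata: true' header, so a plain SSRF (which cannot set headers)
    cannot mint tokens.  App Service / Functions: the host injects
    IDENTITY_ENDPOINT and IDENTITY_HEADER; the header value is the
    equivalent anti-SSRF secret.  client_id selects a user-assigned identity.
    """
    env = os.environ if env is None else env
    params = {"resource": resource}
    if client_id:
        params["client_id"] = client_id
    if "IDENTITY_ENDPOINT" in env and "IDENTITY_HEADER" in env:
        params["api-version"] = "2019-08-01"
        url = env["IDENTITY_ENDPOINT"] + "?" + urllib.parse.urlencode(params)
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    else:
        params["api-version"] = "2018-02-01"
        url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
        headers = {"Metadata": "true"}
    return url, headers


def fetch_token(resource, env=None, client_id=None, opener=urllib.request.urlopen):
    """Perform the GET; 'opener' is injectable so the rest can be exercised offline."""
    url, headers = build_token_request(resource, env, client_id)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with opener(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_token_response(body, expected_resource, now=None):
    """Sanity checks before the token is sent as a bearer credential.

    This is the caller's side, so it cannot verify the signature (only the
    downstream API can); it catches the two usual mistakes: requesting the
    wrong resource (audience) and reusing a token past 'expires_on'.
    """
    now = time.time() if now is None else now
    if body.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type %r" % body.get("token_type"))
    if int(body["expires_on"]) <= now:
        raise ValueError("token already expired")
    claims = json.loads(_b64url_decode(body["access_token"].split(".")[1]))
    if claims.get("aud") != expected_resource:
        raise ValueError("audience %r, wanted %r" % (claims.get("aud"), expected_resource))
    return claims


def make_fake_response(resource, now, ttl=3600):
    """Constructed stand-in for the endpoint's JSON (not a real token; unsigned)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    claims = {"aud": resource, "iss": "https://sts.windows.net/<tenant-id>/",
              "exp": int(now) + ttl, "appid": "<client-id>"}
    token = enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".fake-signature"
    return {"access_token": token, "token_type": "Bearer", "resource": resource,
            "expires_on": str(int(now) + ttl)}


if __name__ == "__main__":
    # Offline demo: the two request shapes, then validation of a constructed reply.
    print(build_token_request("https://vault.azure.net", env={}))
    print(build_token_request("https://vault.azure.net",
                              env={"IDENTITY_ENDPOINT": "http://127.0.0.1:41234/msi/token",
                                   "IDENTITY_HEADER": "<injected-secret>"}))
    fake = make_fake_response("https://vault.azure.net", now=time.time())
    print(check_token_response(fake, "https://vault.azure.net")["aud"])
```

Passing `env={}` forces the IMDS shape and a dict with the two injected variables forces the App Service shape; `fetch_token` with the default opener is what you would run on the actual host. The audience check matters more than it looks: a token minted for Storage is a perfectly valid token, and Key Vault will reject it, so checking `aud` locally turns a confusing 401 into an immediate, explicit error.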

83
Multi-Select · hard

Which THREE measures can you use to protect data at rest in Azure Cosmos DB? (Choose three.)

A. Enable encryption at rest using Microsoft-managed keys.
B. Use Azure RBAC to restrict access to the Cosmos DB account and data.
C. Configure customer-managed keys (CMK) in Azure Key Vault.
D. Enforce TLS 1.2 for all client connections.
E. Deploy Azure Firewall in front of the Cosmos DB account.
Answers: A, B, C

Cosmos DB encrypts data at rest by default.

Why this answer

Options A, B, and C are correct. Cosmos DB encrypts all data at rest by default using Microsoft-managed keys. Customer-managed keys (CMK) add an extra layer of protection.

RBAC ensures only authorized principals can read the stored data. Option D is wrong because TLS 1.2 protects data in transit, not at rest. Option E is wrong because Azure Firewall is a network control; it does not protect stored data (and Cosmos DB exposes its own firewall and private endpoint settings for network restriction).

84
MCQ · medium

A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

A. Use a shared administrator account
B. Store a client secret in source control
C. Enable managed identity and grant least-privilege access to the target resource
D. Disable authentication for the target resource
Answer: C

Managed identity lets Azure-hosted apps authenticate without stored secrets.

Why this answer

Managed identity (system-assigned or user-assigned) lets the App Service authenticate to Key Vault with no stored credential: Azure provisions and rotates the identity's own credential and hands the app an access token through the platform's managed identity endpoint (on App Service, the `IDENTITY_ENDPOINT` the host injects). Granting least privilege, for example the 'Key Vault Certificate User' or 'Key Vault Secrets User' RBAC role, or an access policy with only Get on the relevant object type, meets the requirement without any custom operational scripts.

Exam trap

The trap here is assuming that a client secret is acceptable as long as it lives in App Service application settings rather than in source control (Option B); the requirement is to avoid stored credentials altogether, and managed identity is the only option that has none.

How to eliminate wrong answers

Option A is wrong because using a shared administrator account requires storing credentials (username/password or certificate) in the application configuration or code, violating the 'avoid stored credentials' requirement. Option B is wrong because storing a client secret in source control is a security anti-pattern that exposes credentials in the codebase, and it still requires manual secret rotation and management. Option D is wrong because disabling authentication for the target resource (Key Vault) would allow anonymous access, which is a severe security vulnerability and contradicts the principle of least privilege.

85
MCQ · easy

You need to restrict access to an Azure web app so that only traffic from a specific virtual network (VNet) can reach it. The web app is already deployed. What should you configure on the web app?

A. VNet integration
B. Access restrictions
C. Network Security Group (NSG) on the subnet
D. Point-to-Site VPN
Answer: B

Access restrictions can deny all traffic except from a specific VNet.

Why this answer

Access restrictions (the Networking > Access restrictions blade, historically called IP restrictions) define ordered allow/deny rules by source IP, by virtual network subnet (which requires the Microsoft.Web service endpoint on that subnet) or by service tag. A rule that allows only the specific subnet, with the implicit deny-all for everything else, blocks all other inbound traffic at the App Service front end without changing the underlying infrastructure. Note that the rule list applies to the main site; the SCM/Kudu site has its own list and should be restricted as well unless it is meant to stay reachable.

Exam trap

The trap here is confusing VNet integration (outbound) with access restrictions (inbound), leading candidates to select VNet integration when the question asks about restricting incoming traffic from a VNet.

How to eliminate wrong answers

Option A is wrong because VNet integration enables the web app to access resources inside a VNet (outbound connectivity), not to restrict inbound traffic from that VNet. Option C is wrong because an NSG on the subnet controls traffic to and from resources within that subnet, but it cannot directly filter traffic to an Azure App Service, which is a PaaS service not hosted in your VNet. Option D is wrong because Point-to-Site VPN is used for individual client machines to connect to a VNet, not for restricting inbound access to a web app from an entire VNet.

86
MCQ · medium

Your company has an application running on Azure Virtual Machines that needs to access secrets in Azure Key Vault. You want to restrict network access to the Key Vault so that only the virtual network/subnet containing the VMs can reach it. You also want to ensure that the solution works with the least management overhead. Which configuration should you use?

A. Configure Key Vault firewall with IP-based rules that allow the VM's public IP address.
B. Configure a Private Endpoint for the Key Vault in the same virtual network as the VMs.
C. Configure Key Vault firewall to allow access from the virtual network and subnet using service endpoints.
D. Use a shared access signature (SAS) to access Key Vault secrets.
Answer: C

Enabling service endpoints on the subnet and adding the VNet/Subnet to the Key Vault firewall rules restricts traffic to only that subnet. It is easy to configure and provides secure network isolation.

Why this answer

Option C is correct because a Key Vault firewall rule based on virtual network service endpoints restricts the vault to a specific virtual network and subnet: the subnet's traffic reaches the vault's public endpoint over the Azure backbone with its VNet identity, and requests from anywhere else are rejected. Azure maintains the service endpoint, so there is nothing to operate beyond enabling it on the subnet and adding the rule.

Exam trap

The trap here is that candidates often confuse Private Endpoints with service endpoints, assuming Private Endpoints are always the best choice for network isolation, but service endpoints are simpler and have less management overhead when you only need to restrict access to a specific virtual network/subnet without requiring private IP connectivity.

How to eliminate wrong answers

Option A is wrong because IP-based rules keyed on the VM's public IP require the VM to have a stable public address and leave the rule to be maintained whenever that address changes; this adds overhead and exposure. Option B is wrong for this question because a Private Endpoint allocates a private IP in the VNet and needs DNS integration, which is more to set up and manage than a service endpoint rule, and it incurs the cost of the private endpoint resource. Option D is wrong because shared access signatures grant delegated access to Azure Storage; Key Vault authenticates with Entra ID and authorizes with RBAC or access policies.

The caveat is that service endpoints still leave the vault answering on its public endpoint (only filtered); if the requirement were that the vault have no public exposure at all, or be reachable from on-premises over a private link, a Private Endpoint would be the right answer despite the extra overhead.

87
MCQ · easy

Your company uses Azure Key Vault to store secrets. You need to ensure that if a secret is deleted, it can be recovered within 30 days. Which Key Vault feature should you enable?

A. Soft-delete
B. Purge protection
C. RBAC (Role-Based Access Control)
D. Access policies
Answer: A

Correct. Soft-delete retains deleted secrets for a specified period, allowing recovery.

Why this answer

Soft-delete is the correct feature because it keeps a deleted secret recoverable for the vault's retention period (default 90 days, configurable between 7 and 90 days when the vault is created). A deleted secret is marked as deleted but remains recoverable until the retention period expires, which covers the 30-day requirement. Soft-delete is enabled by default on new vaults and cannot be turned off, so the retention period is the only thing to choose.

Exam trap

The trap here is that candidates often confuse purge protection with soft-delete, thinking that purge protection alone allows recovery, when in fact purge protection only prevents permanent deletion after soft-delete has already occurred.

How to eliminate wrong answers

Option B (Purge protection) is wrong because purge protection only prevents the permanent deletion of a soft-deleted secret until the retention period ends; it does not by itself enable recovery of a deleted secret. Option C (RBAC) is wrong because RBAC controls access permissions to Key Vault resources but has no effect on secret recovery after deletion. Option D (Access policies) is wrong because access policies define which users or applications can read, write, or delete secrets, but they do not provide any recovery capability for deleted secrets.

88
MCQ · easy

You need to ensure that secrets stored in Azure Key Vault are automatically rotated every 90 days. Which feature should you configure?

A. Set an access policy for the secret
B. Enable soft delete and purge protection
C. Set a secret expiration date
D. Use Key Vault secret rotation with Event Grid and Azure Functions
Answer: D

Key Vault has no native rotation policy for secrets; event-driven rotation with Event Grid and a Function is the recommended automation.

Why this answer

Key Vault has a built-in rotation policy only for keys (and certificates can auto-renew through an integrated CA). Secrets have no native rotation, because Key Vault does not know how to change the credential at the system that issued it. The documented pattern is: set an expiration date on the secret, let Key Vault publish the `SecretNearExpiry` event through Event Grid, and have an Azure Function handle it by generating a new credential at the target service, writing it as a new secret version, and setting the next expiry. Option D is correct.

Option A is wrong because an access policy grants permissions; it does not rotate anything. Option B is wrong because soft delete and purge protection are recovery controls. Option C is wrong on its own because an expiration date only marks the secret as expired; it is, however, the trigger the rotation pipeline in Option D relies on.

89
MCQ · hard

You are designing a solution that uses Azure Event Hubs to ingest telemetry data. The data must be encrypted at rest and in transit. Additionally, you need to ensure that only authorized applications can publish messages to the event hub. Which combination of features should you use?

A. Use managed identities for applications and enable encryption at rest using customer-managed keys.
B. Use SAS tokens or managed identities for authentication, and rely on default encryption at rest and in transit.
C. Use Azure Private Link to connect applications to Event Hubs.
D. Enable Azure Firewall on the Event Hubs namespace and use IP filtering.
Answer: B

Event Hubs encrypts at rest by default and in transit via TLS; SAS or managed identities authorize publishers.

Why this answer

Option B is correct because Event Hubs encrypts data at rest by default (with Azure Storage service encryption) and in transit with TLS, and authorizes publishers with shared access signatures or, preferably, Entra ID identities including managed identities. Option A is wrong because customer-managed keys are an optional extra layer on top of the default encryption (and not offered on every tier); they are not what the requirement calls for. Option C is wrong because Private Link provides network isolation, not publisher authorization or encryption. Option D is wrong because IP filtering restricts which networks can reach the namespace; it does not identify or authorize an application.

Of the two authentication choices in B, managed identity with the Azure Event Hubs Data Sender role is the better one: a SAS is a long-lived shared secret. Once every publisher uses Entra ID, SAS can be switched off on the namespace (local authentication disabled).

90
MCQ · medium

Refer to the exhibit. You deploy an Azure Storage account using the ARM template snippet. A developer reports that they cannot connect to the storage account from their machine with IP 10.0.0.5, even though they have the proper RBAC role. What is the most likely reason?

A. The storage account is configured to bypass Azure Services, which blocks non-Azure clients.
B. The developer does not have the Storage Blob Data Contributor role.
C. The storage account firewall is configured to deny all traffic except from the 192.168.1.0/24 IP range.
D. The minimum TLS version is set to TLS 1.2, but the developer's client uses TLS 1.0.
Answer: C

The developer's IP is not allowed.

Why this answer

Option C is correct because the template's network ACLs set `defaultAction` to Deny and list only 192.168.1.0/24 in `ipRules`, so a request from 10.0.0.5 is rejected at the network layer before RBAC is ever evaluated. Option A is wrong because the `AzureServices` bypass only exempts trusted Azure services; it neither blocks nor allows a developer's machine. Option B is wrong because the question states the developer already holds the correct RBAC role. Option D is wrong because a TLS version mismatch fails the handshake, not authorization, and the question points to network access.

A caveat worth knowing when reading such a template: storage firewall IP rules accept only public IPv4 ranges, because the service matches the public address it sees after NAT. Private (RFC 1918) ranges like 10.0.0.0/8 or 192.168.1.0/24 cannot be used in `ipRules`; private-network access is granted with virtual network rules (service endpoints) or a private endpoint instead.

91
MCQ · medium

A company stores sensitive data in an Azure Storage account. They need to restrict access based on the client's IP address and require that clients use a valid SAS token. Which mechanism should they use?

A. Microsoft Entra ID authentication.
B. Shared Key.
C. SAS token with IP ACL.
D. Firewall and virtual networks.
Answer: C

Correct. A SAS token can specify an allowed IP address range.

Why this answer

A SAS carries its own IP restriction in the signed IP (`sip`) field, for example `sip=203.0.113.10-203.0.113.20`. Because `sip` is part of the string the account key signs, a client cannot remove or widen it without invalidating `sig`, and the storage service rejects requests whose source address is outside the range. The address checked is the public address the service sees, so NAT gateways and proxies determine what to put in `sip`. This meets both requirements at once: a valid SAS and a permitted client IP.

Exam trap

The trap here is that candidates often confuse network-level IP restrictions (firewall/VNet) with SAS-level IP restrictions, not realizing that only a SAS token with an IP ACL can enforce both a valid token and a specific client IP address simultaneously.

How to eliminate wrong answers

Option A is wrong because Entra ID authentication uses identities and RBAC roles, not SAS tokens, and cannot bind a token to a client IP. Option B is wrong because Shared Key sends a signature computed with the account key on every request; it involves no SAS and carries no IP constraint. Option D is wrong because the storage firewall filters by network source only and does not require a SAS; it can be layered on top of a SAS but does not satisfy the token requirement by itself.
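Both sides of the mechanism described above, as an added example that is not part of the quiz page: an issuer that mints a read-only blob SAS with `sip`, and a model of the service-side check that recomputes the signature, enforces expiry, and compares the request's source IP with the signed range. Assumptions are mine: a constructed account key, the field order of the blob service-SAS string-to-sign as I recall it from the REST documentation for version 2020-12-06 (verify against the current docs before relying on it), and example addresses from the documentation ranges.

```python
import base64
import hashlib
import hmac
import ipaddress
import urllib.parse
from datetime import datetime, timezone

# Constructed for the demo: the account name matches the page's style; the key is not real.
ACCOUNT = "mystorageacct"
ACCOUNT_KEY = base64.b64encode(b"\x2a" * 32).decode()
SAS_VERSION = "2020-12-06"


def _string_to_sign(p, canonical_resource):
    """Blob service-SAS string-to-sign in the documented field order for
    sv >= 2020-12-06 (assumption: reproduced from memory). The point of the
    example: 'sip' is inside the signed payload, so it cannot be altered."""
    return "\n".join([
        p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical_resource,
        p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p.get("sv", ""),
        p.get("sr", ""),
        "",                   # signedSnapshotTime (unused here)
        "",                   # signedEncryptionScope (unused here)
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct response-header overrides
    ])


def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def canonical_resource(container, blob):
    return f"/blob/{ACCOUNT}/{container}/{blob}"


def issue_sas(container, blob, expiry_utc, permissions="r", sip=None, key_b64=ACCOUNT_KEY):
    """Issuer side: read-only blob SAS, HTTPS only, optionally IP-restricted."""
    p = {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "se": expiry_utc, "spr": "https"}
    if sip:
        p["sip"] = sip
    p["sig"] = _sign(key_b64, _string_to_sign(p, canonical_resource(container, blob)))
    return urllib.parse.urlencode(p)


def _ip_allowed(client_ip, sip):
    """'sip' is a single address or an inclusive 'low-high' range."""
    addr = ipaddress.ip_address(client_ip)
    low, _, high = sip.partition("-")
    return ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high or low)


def check_request(sas_query, client_ip, container, blob, now_utc, key_b64=ACCOUNT_KEY):
    """Service side (a model of what Azure Storage does): recompute the
    signature over the received parameters, then enforce expiry and the
    signed IP range against the source address of the request."""
    p = dict(urllib.parse.parse_qsl(sas_query, keep_blank_values=True))
    expected = _sign(key_b64, _string_to_sign(p, canonical_resource(container, blob)))
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return "denied: signature mismatch"
    expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
    if now_utc >= expiry:
        return "denied: expired"
    if "sip" in p and not _ip_allowed(client_ip, p["sip"]):
        return "denied: source ip not in sip"
    return "ok"


def demo():
    """Returns the verdicts for: in-range client, out-of-range client,
    client who edited 'sip' to widen it, and an expired token."""
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    sas = issue_sas("reports", "q1.csv", "2030-06-01T00:00:00Z",
                    sip="203.0.113.10-203.0.113.20")
    inside = check_request(sas, "203.0.113.15", "reports", "q1.csv", now)
    outside = check_request(sas, "198.51.100.7", "reports", "q1.csv", now)
    # Widening the range without the account key breaks 'sig'.
    widened = sas.replace("203.0.113.10-203.0.113.20", "0.0.0.0-255.255.255.255")
    tampered = check_request(widened, "198.51.100.7", "reports", "q1.csv", now)
    stale = check_request(sas, "203.0.113.15", "reports", "q1.csv",
                          datetime(2031, 1, 1, tzinfo=timezone.utc))
    return inside, outside, tampered, stale


if __name__ == "__main__":
    print(demo())
```

The order of checks in `check_request` is deliberate: the signature is verified before any parameter is trusted, so `se` and `sip` are only honoured after they are known to be the issuer's. The `sip` check is no substitute for a short `se`; a leaked SAS is still usable by anyone behind the same NAT address until it expires.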

92
MCQ · easy

You need to secure a web API that is called from a single-page application (SPA). The API uses Microsoft Entra ID for authentication. Which OAuth 2.0 flow should the SPA use?

A. Authorization code flow with PKCE
B. Resource owner password credentials flow
C. Client credentials flow
D. Implicit flow
Answer: A

This flow is secure for SPAs as it uses a code exchange and PKCE to prevent interception.

Why this answer

The authorization code flow with PKCE is the recommended flow for SPAs: the browser receives only a short-lived authorization code and exchanges it for tokens together with the PKCE verifier, so an intercepted code is useless on its own, and no client secret is needed in the browser (MSAL.js 2.x implements it). Option B is wrong because the resource owner password credentials flow makes the SPA handle the user's password directly, does not work with MFA, and is not supported for SPAs. Option C is wrong because the client credentials flow is app-only, server-to-server authentication with no user. Option D is wrong because the implicit flow returns tokens in the URL fragment, where they can leak through history and referrers, and it is deprecated in favour of PKCE.

93
MCQ · easy

You are configuring an Azure App Service web app to authenticate users with Microsoft Entra ID. You need to ensure that only users from your organization's tenant can access the app. Which setting should you configure?

A. Set the Issuer URL to https://login.microsoftonline.com/common/v2.0
B. Set the Client ID to the application's Application ID.
C. Set the Allowed token audiences to include the app's Application ID URI.
D. Set the Issuer URL to https://login.microsoftonline.com/{tenant-id}/v2.0
Answer: D

This restricts authentication to the specified tenant.

Why this answer

Option D is correct because the tenant-specific issuer URL makes the App Service authentication layer accept only tokens whose `iss` claim names that tenant. Option A is wrong because the `common` endpoint accepts users from any Microsoft Entra tenant and personal Microsoft accounts. Option B is wrong because the client ID identifies the app registration; it does not restrict who can sign in. Option C is wrong because allowed token audiences control which `aud` values are accepted, not which tenant issued the token.

Belt and braces: also mark the app registration as single-tenant (accounts in this organizational directory only), so the restriction is enforced at token issuance and not only at validation.

94
MCQ · easy

You are deploying a function app that processes sensitive data. You need to ensure that all function app secrets (e.g., connection strings) are stored securely and automatically rotated. Which service should you use?

A. Azure Key Vault
B. Azure Managed Identity
C. Azure App Configuration
D. Azure DevOps Variable Groups
Answer: A

Key Vault securely stores secrets; rotation is automated with expiry events and a rotation function.

Why this answer

Azure Key Vault is the service designed to securely store and manage secrets, keys and certificates. Keys have a native rotation policy; for secrets, automatic rotation is built from Key Vault's near-expiry Event Grid events and an Azure Function that performs the rotation. Option A is correct. Option B is wrong because a managed identity is how the function authenticates to Key Vault, not a place to store secrets. Option C is wrong because App Configuration manages settings and can reference Key Vault for secrets, but it does not store or rotate them. Option D is wrong because DevOps variable groups feed CI/CD pipelines; they are not a runtime secret store.

For the function app itself, Key Vault references in application settings (`@Microsoft.KeyVault(SecretUri=...)`) let the host resolve secrets with the app's managed identity, so the connection strings never sit in app settings in clear text.

95
MCQ · hard

You are developing a .NET Core API that uses Azure AD for authentication. You want to restrict access to specific claims. Which middleware component should you use to check claims?

A. Use the UseAuthorization middleware in the pipeline
B. Use the UseAuthentication middleware to validate tokens
C. Use the [Authorize] attribute with a policy that requires a specific claim
D. Manually parse the JWT in a custom middleware
Answer: C

Policy-based authorization with claims is the standard approach in ASP.NET Core.

Why this answer

Policy-based authorization is the supported way to gate an endpoint on claims: a policy registered with `AddAuthorization` (for example one built with `RequireClaim("scp", "Orders.Read")` or a role requirement for app-only tokens) is applied with `[Authorize(Policy = "...")]` on the controller or endpoint. Option C is correct. Options A and B are prerequisites rather than the answer: `UseAuthentication` validates the bearer token and populates the principal, and `UseAuthorization` evaluates policies, but neither checks a specific claim by itself, and both must be in the pipeline (authentication before authorization) for the attribute to work. Option D is wrong because hand-parsing the JWT in custom middleware re-implements validation that the JwtBearer handler already does correctly, and is where signature and audience checks get forgotten.

A related caveat: for Entra ID tokens, delegated permissions arrive space-separated in the `scp` claim and application permissions as an array in `roles`, so an API called by both users and daemons needs a policy that accepts either.
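The validation steps of question 81 and the claim check of this question, as one added example that is not part of the quiz page. It verifies the signature before reading any claim, takes the algorithm from an allow-list rather than from the token, then pins issuer and audience and checks lifetime; `has_permission` is the stand-in for a claim-requiring authorization policy. Assumptions are mine: to run offline the demo signs a constructed token with HS256 and a constructed key (Entra ID tokens are RS256, verified against keys fetched from the tenant's OpenID Connect metadata), and the issuer, audience and scope names are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for the offline demo: HS256 with a constructed shared key. Entra ID
# tokens are RS256 and a real verifier loads the public keys from the tenant's
# OpenID Connect metadata; the order of checks below is the same either way.
ALLOWED_ALGS = {"HS256"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims, key):
    """Mint a token for the demo (stands in for the identity provider's signing step)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


class TokenError(Exception):
    pass


def validate_token(token, key, issuer, audience, now=None, leeway=60):
    """Signature, then issuer, then audience, then lifetime.

    Nothing in the payload is trusted until the signature checks out, and the
    algorithm comes from an allow-list, never from the token itself (this
    blocks alg=none and RS256/HS256 key-confusion tricks)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # Issuer pins the tenant: a validly signed token from another tenant is refused.
    if claims.get("iss") != issuer:
        raise TokenError(f"issuer {claims.get('iss')!r} not trusted")
    # Audience pins this API: a valid token minted for some other API is refused.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError(f"audience {aud!r} is not this API")
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("token expired")
    if claims.get("nbf", 0) - leeway > now:
        raise TokenError("token not yet valid")
    return claims


def has_permission(claims, required):
    """Authorization after authentication, the equivalent of a policy that
    requires a claim. Delegated tokens carry space-separated scopes in 'scp';
    app-only tokens carry app roles as an array in 'roles'."""
    scopes = claims.get("scp", "").split()
    roles = claims.get("roles", [])
    return required in scopes or required in roles


# Constructed placeholders for the demo (not real tenant, app or key material).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
DEMO_AUDIENCE = "api://<client-id>"


def demo(now=None):
    """Returns (claims of a good token, error for wrong audience, error for a forged payload)."""
    now = time.time() if now is None else now
    good = sign_hs256({"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "scp": "Orders.Read",
                       "exp": int(now) + 600, "nbf": int(now) - 5}, DEMO_KEY)
    claims = validate_token(good, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now)
    other_api = sign_hs256({"iss": DEMO_ISSUER, "aud": "api://<other-api>",
                            "exp": int(now) + 600}, DEMO_KEY)
    try:
        validate_token(other_api, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now)
        err_aud = None
    except TokenError as e:
        err_aud = str(e)
    # Same header and signature, payload swapped to claim a write scope.
    h, _, s = good.split(".")
    forged = _b64url(json.dumps({"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE,
                                 "scp": "Orders.Write", "exp": int(now) + 600}).encode())
    try:
        validate_token(f"{h}.{forged}.{s}", DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now)
        err_forged = None
    except TokenError as e:
        err_forged = str(e)
    return claims, err_aud, err_forged
```

The two negative cases are the ones that matter in practice: the "other API" token is signed by the trusted issuer and is entirely legitimate, it just is not for this API, and the forged payload fails even though issuer, audience and scope all look right, because the signature is checked first. `has_permission` is only ever called with claims that `validate_token` returned.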

96
MCQ · easy

Your company stores API keys and connection strings in Azure Key Vault. You need to grant an Azure Function read access to these secrets using the principle of least privilege. Which identity type should you assign to the Function App?

A. System-assigned managed identity
B. User-assigned managed identity
C. Service principal
D. Access policy on the Key Vault
Answer: A

Correct. A system-assigned managed identity is automatically managed by Azure and can be granted precise Key Vault permissions, meeting least privilege.

Why this answer

A system-assigned managed identity is the correct choice because it is directly tied to the lifecycle of the Azure Function, automatically managed by Azure, and requires no manual credential rotation. It provides the most restrictive scope (only that specific Function App) and adheres to the principle of least privilege by granting access only to the identity that needs it, without the overhead of managing a separate identity or service principal.

Exam trap

The trap here is that candidates often confuse 'access policy' (a permission assignment) with an 'identity type,' or they incorrectly assume a user-assigned managed identity is always more flexible and thus better, overlooking that a system-assigned identity is more restrictive and simpler for a single-resource scenario.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity is a standalone resource that can be attached to many services; once shared, a compromise of any one of them exposes every permission granted to the identity, which is broader than a single Function App needs (user-assigned identities are the right choice when several instances must share one identity, or when the identity must exist before the resource does). Option C is wrong because a service principal requires manual credential management (secrets or certificates) and is meant for external applications or automation, not for a first-party Azure resource that can use a managed identity. Option D is wrong because an access policy on the Key Vault is not an identity type; it is a permission assignment that must be applied to an identity such as a managed identity or service principal.

97
MCQ · easy

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. You want to minimize code changes. Which feature should you use?

A. Azure AD B2C
B. Microsoft.Identity.Web library
C. App Service Authentication (Easy Auth)
D. MSAL.js
Answer: C

Easy Auth integrates with Microsoft Entra ID with minimal code.

Why this answer

App Service Authentication (Easy Auth) is a platform feature that authenticates users with Microsoft Entra ID in front of the app and passes the signed-in identity to it in request headers, so no authentication code is required. Option C is correct. Option A is wrong because Azure AD B2C is a separate identity service for external consumer identities, and still needs integration code. Option B is wrong because Microsoft.Identity.Web is a library that must be wired into the ASP.NET Core pipeline. Option D is wrong because MSAL.js is a client-side library that requires code in the front end.

98
MCQ · easy

You are developing an application that stores user secrets. You need to ensure that the secrets are encrypted at rest and rotated automatically. Which Azure service should you integrate?

A. Azure Storage.
B. Azure Key Vault.
C. Azure Security Center.
D. Microsoft Entra ID.
Answer: B

Correct. Key Vault is designed for secret management with encryption and rotation capabilities.

Why this answer

Azure Key Vault is the correct choice because it provides centralized management of secrets, keys and certificates, encrypted at rest, with HSM-protected keys available in the Premium tier. Rotation is supported natively for keys through a rotation policy; for secrets, automatic rotation is implemented by setting an expiry and handling the `SecretNearExpiry` event from Event Grid in an Azure Function that issues the new credential, so no manual intervention is needed once the pipeline is in place.

Exam trap

The trap here is that candidates confuse Azure Storage's built-in encryption at rest with a secrets management service, overlooking that Key Vault is the service that both protects secrets at rest and supports the rotation the question asks for.

How to eliminate wrong answers

Option A is wrong because Azure Storage encrypts data at rest by default using server-side encryption (SSE) but does not provide native secret rotation capabilities or a dedicated secrets management interface. Option C is wrong because Azure Security Center is a unified security management and threat protection service that monitors security posture and provides recommendations, but it does not store or rotate secrets. Option D is wrong because Microsoft Entra ID (formerly Azure AD) is an identity and access management service that handles authentication and authorization, not the storage or rotation of application secrets.

99
MCQ · medium

Your application uses Azure App Configuration with Microsoft Entra ID authentication. You want to ensure that only authorized services can read configuration values. What is the recommended approach?

A. Enable public network access only from trusted IPs
B. Use access keys and rotate them frequently
C. Store connection strings in Azure Key Vault and retrieve them at runtime
D. Assign the App Configuration Data Reader role to the managed identity of the consuming service
Answer: D

This grants least-privilege access using RBAC and the service's managed identity.

Why this answer

Assigning the App Configuration Data Reader role to the consuming service's managed identity grants read-only, least-privilege access with no credential to manage. Option D is correct. Option A is wrong because network restrictions do not authorize a caller. Option B is wrong because access keys are shared secrets that grant full read/write to whoever holds them, however often they are rotated. Option C is wrong because moving the connection string into Key Vault only changes where the static credential is kept; it is still a credential.

To make Entra ID the only path, also disable access-key (local) authentication on the store; otherwise a leaked connection string still reads everything regardless of the RBAC assignments.

100
MCQ · medium

Your organization uses Azure Policy to enforce compliance. You need to ensure that all Azure SQL databases have Advanced Data Security (ADS) enabled. What type of Azure Policy effect should you use to automatically enable ADS if it is not already enabled?

A. Audit
B. Modify
C. Deny
D. DeployIfNotExists
Answer: D

Deploys the ADS configuration if missing, ensuring automatic remediation.

Why this answer

DeployIfNotExists evaluates each SQL server or database and, when the related resource it looks for (the ADS / Microsoft Defender for SQL setting) is missing, runs a deployment template to create it. Option D is correct. Option A is wrong because Audit only records non-compliance. Option B is wrong because Modify can add, change or remove properties and tags on the evaluated resource itself, but cannot create a related resource. Option C is wrong because Deny blocks the creation or update of non-compliant resources and never changes anything that already exists.

Two practical notes: DeployIfNotExists runs under a managed identity attached to the policy assignment, which must hold the rights needed to make the change; and resources that already exist are only fixed when a remediation task is created, since the effect otherwise fires on create or update. ADS has since been renamed Microsoft Defender for SQL.

101
MCQ · medium

You are developing an API that processes sensitive personal data. The API is exposed via Azure API Management (APIM). You need to ensure that only authorized applications can call the API, and you want to validate the token at the APIM gateway without modifying the backend code. What is the most efficient approach?

A.Implement token validation in the backend API code
B.Use APIM's OAuth 2.0 authorization server
C.Use subscription keys in APIM
D.Configure a validate-jwt policy in APIM inbound processing
AnswerD

Validates JWT token at APIM gateway without backend changes.

Why this answer

The validate-jwt policy in APIM's inbound processing validates the OAuth 2.0 token at the gateway level, ensuring only authorized applications can call the API without modifying backend code. This is the most efficient approach because it offloads token validation to APIM, reducing backend complexity and centralizing security enforcement.

Exam trap

The trap here is that candidates confuse APIM's OAuth 2.0 authorization server (which issues tokens) with the validate-jwt policy (which validates tokens), leading them to choose Option B instead of D.

How to eliminate wrong answers

Option A is wrong because implementing token validation in the backend API code requires modifying the backend, which contradicts the requirement to avoid backend changes. Option B is wrong because APIM's OAuth 2.0 authorization server is used to issue tokens, not to validate them at the gateway; validation is done via policies like validate-jwt. Option C is wrong because subscription keys provide API-level access control but do not validate token claims or enforce OAuth 2.0 authorization; they are not suitable for validating sensitive personal data access.

102
MCQeasy

Your organization has a custom application that stores customer data in Azure Cosmos DB. You need to encrypt the data at rest using a customer-managed key stored in Azure Key Vault. Which type of Cosmos DB encryption should you configure?

A.Enable Azure Disk Encryption on the Cosmos DB instance
B.Enable Transparent Data Encryption (TDE)
C.Use customer-managed keys (CMK) with Azure Key Vault
D.Implement client-side encryption using the SDK
AnswerC

Cosmos DB supports CMK for encryption at rest.

Why this answer

Option C is correct because Cosmos DB supports encryption at rest with customer-managed keys (CMK) stored in Azure Key Vault. Option B is wrong because TDE is a SQL Server feature, not a Cosmos DB one. Option D is wrong because client-side encryption is performed by the application through the SDK and is separate from server-side encryption at rest. Option A is wrong because Azure Disk Encryption applies to VM disks, not to Cosmos DB.

103
MCQeasy

Refer to the exhibit. You created a custom RBAC role definition. A user assigned this role at the subscription scope. What can the user do?

A.Read any resource in the subscription
B.Write to Azure SQL Databases
C.Read Azure SQL Database configurations and data
D.Create new Azure SQL Databases
AnswerC

The role grants read access to databases.

Why this answer

Option C is correct. The role includes the 'read' action for Azure SQL Databases, allowing read-only access to databases. Option B is wrong because the role does not include write actions. Option D is wrong because the role does not include the server-level actions needed to create databases. Option A is wrong because the role only applies to SQL Database, not to all resources in the subscription.

104
MCQmedium

You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function must use a managed identity to authenticate to the Service Bus to avoid managing secrets. Which configuration step is essential for this setup?

A.Store the Service Bus connection string in the function app settings
B.Create a Key Vault reference to the connection string
C.Enable system-assigned managed identity on the function app and assign the 'Azure Service Bus Data Receiver' role to the identity
D.Use the Service Bus SDK with a SharedAccessSignatureToken
AnswerC

This allows the function to authenticate without secrets.

Why this answer

Option C is correct because using a managed identity eliminates the need to manage secrets or connection strings. By enabling a system-assigned managed identity on the function app and assigning the 'Azure Service Bus Data Receiver' role to that identity, the function can authenticate to Azure Service Bus via Azure AD (OAuth 2.0) without any stored credentials. This is the recommended approach for secure, secretless authentication in Azure Functions.

Exam trap

The trap here is that candidates often think storing secrets in Key Vault (Option B) is sufficient for secretless authentication, but Key Vault references still involve retrieving a secret at runtime, whereas managed identity completely removes the need for any secret.

How to eliminate wrong answers

Option A is wrong because storing the Service Bus connection string in function app settings reintroduces a secret that must be managed and rotated, defeating the purpose of using a managed identity for secretless authentication. Option B is wrong because a Key Vault reference still requires the function app to retrieve a connection string (a secret) at runtime, which does not eliminate secret management and adds dependency on Key Vault access policies. Option D is wrong because using a SharedAccessSignatureToken requires generating and managing a SAS token, which is a secret that must be stored and rotated, again contradicting the goal of avoiding secret management.

105
MCQmedium

Your Azure Logic App needs to send emails using Microsoft Graph API on behalf of the signed-in user. The user is authenticated with Microsoft Entra ID. Which authentication method should you use in the Logic App?

A.Use OAuth 2.0 authorization code flow with delegated permissions
B.Use a system-assigned managed identity
C.Use client credentials flow with an app registration
D.Use Basic authentication with user credentials
AnswerA

This allows the app to act on behalf of the signed-in user.

Why this answer

Option A is correct because the Logic App connector for Microsoft Graph supports OAuth 2.0 with user delegation, so the app can act on behalf of the signed-in user. Option B is wrong because a managed identity cannot act on behalf of a signed-in user. Option D is wrong because Basic authentication is not supported. Option C is wrong because the client credentials flow grants app-only access, not delegated access.

106
MCQmedium

A developer needs to grant an Azure Function read access to secrets in Azure Key Vault without storing any credentials in the function code or configuration. Which approach should they use?

A.Service principal with a certificate
B.Managed identity
C.Access policy with a client secret
D.Shared access signature (SAS)
AnswerB

Managed identity eliminates the need for credentials entirely by providing an identity that is automatically managed and can be assigned to the Function app to access Key Vault.

Why this answer

Managed identity (B) is the correct approach because it allows the Azure Function to authenticate to Azure Key Vault without storing any credentials in code or configuration. Azure automatically manages the identity, and the function can obtain an access token from Azure AD to read secrets, eliminating the need for secrets, certificates, or keys in the application.

Exam trap

The trap here is that candidates may confuse managed identity with a service principal, thinking a certificate or client secret is always required, but managed identity eliminates the need for any stored credentials by leveraging Azure's automatic identity management.

How to eliminate wrong answers

Option A is wrong because a service principal with a certificate still requires the certificate to be stored or deployed with the function code or configuration, which violates the requirement of not storing any credentials. Option C is wrong because an access policy with a client secret requires the client secret to be stored in the function's configuration or code, directly contradicting the no-credentials requirement. Option D is wrong because a shared access signature (SAS) is used for granting delegated access to Azure Storage resources, not for authenticating to Azure Key Vault, and it would still need to be stored in the function.

107
MCQeasy

You have an Azure Function app that needs to retrieve a secret from Azure Key Vault at runtime. You want to avoid storing any credentials in code or configuration. Which mechanism should you use?

A.Service principal with client secret
B.Managed identity
C.Access key
D.Shared access signature (SAS)
AnswerB

Correct. Managed identity allows the Function app to authenticate to Azure Key Vault without any stored credentials.

Why this answer

Managed identity (B) is the correct mechanism because it allows the Azure Function app to authenticate to Azure Key Vault without storing any credentials in code or configuration. Azure automatically manages the identity and provides a token from Azure AD that the function can use to access the vault, eliminating the need for secrets or keys in the application.

Exam trap

The trap here is that candidates may confuse managed identity with a service principal, thinking a client secret is required, or incorrectly assume that an access key or SAS can be used for Key Vault authentication.

How to eliminate wrong answers

Option A is wrong because a service principal with client secret requires storing the client secret in code or configuration, which violates the requirement to avoid storing credentials. Option C is wrong because an access key is used for authenticating to Azure Functions itself, not for retrieving secrets from Key Vault. Option D is wrong because a shared access signature (SAS) is a token for granting limited access to Azure Storage resources, not for authenticating to Key Vault.

108
MCQhard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The team wants the control to be enforceable during normal operations.

A.Implicit flow
B.Client credentials flow
C.Resource owner password credentials flow
D.Authorization code flow with PKCE
AnswerD

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth flow for single-page apps because it prevents the client secret from being exposed by using a dynamically generated code verifier and challenge. This flow ensures that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original code verifier, making it secure for public clients that cannot safely store secrets.

Exam trap

The trap here is that candidates often confuse the deprecated implicit flow (Option A) with the authorization code flow with PKCE, mistakenly thinking the implicit flow is still acceptable for SPAs, but Microsoft and OAuth standards now mandate PKCE for all public clients.

How to eliminate wrong answers

Option A is wrong because the implicit flow was deprecated by OAuth 2.0 Security Best Current Practice (BCP) due to security risks like access token leakage in the URL fragment and lack of token binding; it should not be used for new applications. Option B is wrong because the client credentials flow is designed for server-to-server (confidential client) scenarios where the app authenticates with its own credentials, not for user authentication in a single-page app. Option C is wrong because the resource owner password credentials flow requires the user to provide their username and password directly to the app, which violates security best practices and is not suitable for modern single-page apps that delegate authentication to Microsoft Entra ID.

109
MCQmedium

You are developing an Azure Function that reads secrets from Azure Key Vault. The function must not use any static credentials in configuration files. You need to authenticate to Key Vault using the function's own identity. Which Azure service feature should you enable?

A.Use storage account access keys to authenticate to Key Vault
B.Assign a managed identity to the function app and grant it access to the Key Vault
C.Generate a shared access signature (SAS) token for the Key Vault
D.Create a service principal and store its certificate in the function app's local storage
AnswerB

Managed identities allow the function app to authenticate to Key Vault without any stored credentials. The identity is automatically managed by Microsoft Entra ID.

Why this answer

Option B is correct because Azure Functions can use a system-assigned or user-assigned managed identity to authenticate to Azure Key Vault without storing any static credentials. When enabled, the function app obtains an Azure AD token from the Managed Identity endpoint (169.254.169.254) and uses it to access Key Vault secrets, eliminating the need for connection strings, keys, or certificates in configuration files.

Exam trap

The trap here is that candidates may confuse SAS tokens (which are for Storage) or service principals (which require manual certificate management) with the fully managed, credential-free authentication provided by managed identities.

How to eliminate wrong answers

Option A is wrong because storage account access keys are static credentials that must be stored in configuration files, violating the requirement to avoid static credentials, and they are used for Azure Storage, not for authenticating to Key Vault. Option C is wrong because shared access signature (SAS) tokens are used to delegate access to Azure Storage resources (blobs, queues, tables), not to authenticate to Key Vault; Key Vault uses Azure AD authentication or access policies, not SAS. Option D is wrong because creating a service principal and storing its certificate in the function app's local storage introduces a static credential (the certificate file) that must be managed and stored, contradicting the requirement to avoid static credentials; managed identities are the recommended approach for passwordless authentication.

110
MCQhard

You are designing a solution for a healthcare application that stores patient data in Azure Cosmos DB. The data must be encrypted at rest using a customer-managed key stored in Azure Key Vault. You need to ensure that the key can be rotated without downtime. Which approach should you recommend?

A.Configure Azure Security Center to automatically rotate the key.
B.After rotating the key in Key Vault, manually update the Cosmos DB account with the new key version.
C.Use the Cosmos DB account key rotation feature to regenerate the key.
D.Enable automatic key rotation on the Key Vault key and use the key's versionless identifier in Cosmos DB.
AnswerD

Versionless identifier allows Cosmos DB to automatically use the latest key version.

Why this answer

Cosmos DB supports customer-managed keys with automatic key rotation when the account references the Key Vault key without a specific version. By enabling automatic rotation on the key and using its versionless identifier, Cosmos DB picks up the new version automatically when the key is rotated, so Option D is correct. Option C is wrong because regenerating the key in Cosmos DB would require re-encryption. Option B is wrong because a manual update of the key version is not needed. Option A is wrong because Azure Security Center is not involved in rotating Key Vault keys.

111
MCQmedium

You are developing an API that uses managed identity to access Azure Key Vault. The API runs in an Azure App Service with system-assigned managed identity enabled. You need to retrieve a secret value. Which API endpoint should your code call?

A.https://vault.azure.net/secrets/{secret-name}
B.https://myvault.vault.azure.net/secrets/{secret-name}?api-version=7.0
C.https://login.microsoftonline.com/{tenant}/oauth2/token
D.https://management.azure.com/subscriptions/{sub}/...
AnswerB

Correct. The format is https://{vault-name}.vault.azure.net/secrets/{secret-name} with an optional API version.

Why this answer

Option B is correct because it uses the full Key Vault REST API endpoint with the specific vault name ('myvault'), the 'secrets' resource path, the secret name, and the required 'api-version' query parameter (7.0). The managed identity in the App Service authenticates via Azure AD, and the code must call this specific endpoint to retrieve the secret value, as the vault name is part of the DNS name and the API version is mandatory.

Exam trap

The trap here is that candidates often confuse the Key Vault REST API endpoint with the Azure AD token endpoint or the Azure Resource Manager endpoint, forgetting that the vault name is part of the DNS and that an API version is required.

How to eliminate wrong answers

Option A is wrong because 'vault.azure.net' is not a valid Key Vault DNS name; the vault name must be included (e.g., 'myvault.vault.azure.net'). Option C is wrong because it is the Azure AD OAuth2 token endpoint, which is used to obtain an access token, not to directly retrieve a secret from Key Vault. Option D is wrong because it points to the Azure Resource Manager endpoint for subscription-level operations, not to the Key Vault secrets REST API.

112
MCQmedium

You have an Azure App Service that uses a system-assigned managed identity. You need to grant it permission to read a secret from Azure Key Vault. Which RBAC role should you assign at the Key Vault scope?

A.Key Vault Reader
B.Key Vault Secrets User
C.Key Vault Contributor
D.Key Vault Certificate User
AnswerB

This role grants permissions to list and read secrets, which is the minimum required for the App Service to retrieve the secret.

Why this answer

The system-assigned managed identity needs to read a secret from Azure Key Vault. The 'Key Vault Secrets User' RBAC role grants exactly that permission — the ability to read secret contents. This is the least-privilege role that allows the 'Microsoft.KeyVault/vaults/secrets/read' action, which is required for reading secret values.

Exam trap

The trap here is that candidates often confuse 'Key Vault Reader' (a management-plane role) with the data-plane role needed to actually read secret values, or they over-provision by choosing 'Key Vault Contributor' thinking it includes read access.

How to eliminate wrong answers

Option A is wrong because 'Key Vault Reader' only allows listing vaults and reading metadata (e.g., vault properties, tags), but does not grant permission to read secret values. Option C is wrong because 'Key Vault Contributor' grants full management of the vault and its objects (including secrets, keys, certificates), which is excessive for a read-only secret access scenario and violates least-privilege principles. Option D is wrong because 'Key Vault Certificate User' only allows reading certificate contents and metadata, not secrets.

113
MCQmedium

You have an Azure Storage account with a blob container. You need to grant a user read-only access to a specific blob for 24 hours without requiring them to authenticate with Microsoft Entra ID. What should you use?

A.Generate a user delegation SAS token
B.Provide the storage account access key
C.Assign the Storage Blob Data Reader role
D.Configure a stored access policy
AnswerA

User delegation SAS uses Entra ID credentials to sign the SAS and provides granular, time-limited access.

Why this answer

A shared access signature (SAS) token signed with a user delegation key provides time-limited, delegated access to a specific blob, so Option A is correct. Option D is wrong because a stored access policy is used to manage SAS tokens but does not itself grant access. Option C is wrong because RBAC requires the user to authenticate with Entra ID. Option B is wrong because storage account keys grant full access to the entire account.

114
MCQmedium

Your company stores secrets in Azure Key Vault. You need to ensure that when a secret is disabled, it does not become accessible to applications that already have a cached copy. Which additional step must you take?

A.Rotate the secret immediately
B.Delete the secret
C.Enable soft-delete and purge protection
D.Use Key Vault access policies to deny access
AnswerA

Rotating changes the secret value, thus invalidating any cached copies held by applications.

Why this answer

When a secret is disabled in Azure Key Vault, the vault itself will reject new access requests, but applications that have already retrieved and cached the secret can continue using it until the cache expires or is refreshed. To immediately invalidate the cached copy, you must rotate the secret (change its value) so that any subsequent attempt to use the old cached value fails because it no longer matches the secret stored in Key Vault. Disabling alone does not force applications to re-authenticate or re-fetch; rotation ensures the cached value becomes obsolete.

Exam trap

The trap here is that candidates assume disabling a secret immediately revokes all access, but they overlook the fact that applications may hold a cached copy that remains valid until the cache expires or the secret is rotated.

How to eliminate wrong answers

Option B is wrong because deleting the secret removes it permanently (or moves it to a soft-deleted state), but applications with a cached copy can still use the old value until they attempt to retrieve it again; deletion does not actively invalidate the cache. Option C is wrong because enabling soft-delete and purge protection only prevents accidental or malicious permanent deletion of secrets; it does not affect cached copies held by applications. Option D is wrong because Key Vault access policies control who can read or modify secrets, but they do not retroactively invalidate secrets already cached by authorized applications; once a secret is fetched, the cached copy remains usable regardless of policy changes.

115
MCQmedium

A company uses Azure Blob Storage to store sensitive documents. They want to ensure that data is encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data immediately if a security breach is detected. Which feature should they enable?

A.Configure Azure Storage encryption with customer-managed keys in Azure Key Vault and enable soft delete and purge protection.
B.Enable infrastructure encryption for the storage account.
C.Use Azure Storage Service Encryption with Microsoft-managed keys.
D.Implement client-side encryption using Azure Key Vault.
AnswerA

With CMK, revoking the key in Key Vault immediately makes the data inaccessible.

Why this answer

Option A is correct because encrypting with a CMK held in Key Vault and then revoking that key renders the data inaccessible. Option B is wrong because infrastructure encryption uses platform-managed keys, not a CMK. Option D is wrong because client-side encryption is performed by the client, not server-side. Option C is wrong because Storage Service Encryption uses Microsoft-managed keys by default.

116
Multi-Selecthard

Which THREE of the following are true regarding Microsoft Entra ID authentication for Azure Storage?

Select 3 answers
A.SAS tokens are not supported when using Microsoft Entra ID authentication.
B.RBAC roles can be used to grant permissions to a user or service principal.
C.When Microsoft Entra ID authentication is enabled, Shared Key authorization is still allowed by default.
D.Managed identities can authenticate to Azure Storage without storing credentials.
E.The authentication process uses OAuth 2.0 access tokens.
AnswersB, D, E

RBAC roles control access to storage resources.

Why this answer

Options B, D, and E are correct. Option B is correct because RBAC roles such as Storage Blob Data Contributor grant access to storage. Option D is correct because managed identities can authenticate to Azure Storage without stored credentials. Option E is correct because OAuth 2.0 access tokens are used. Option C is wrong because Shared Key authorization is disabled when only Microsoft Entra ID is allowed. Option A is wrong because SAS tokens can still be used even when Microsoft Entra ID authentication is enabled, unless they are explicitly disallowed.

117
Multi-Selecthard

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The team wants the control to be enforceable during normal operations.

Select 2 answers
A.Issuer and signature are valid for the trusted tenant
B.The user's display name is present
C.Token audience matches the API application ID URI or client ID
D.The token was sent in a query string
AnswersA, C

Issuer and signature validation confirms the token came from the expected identity provider.

Why this answer

Option A is correct because validating the issuer and signature ensures the JWT was issued by the trusted Microsoft Entra ID tenant and has not been tampered with. The issuer claim (iss) must match the tenant-specific issuer URL (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0), and the signature must be verified using the public keys from the OpenID Connect metadata endpoint. This is a fundamental security requirement for any API that accepts tokens from Entra ID.

Exam trap

The trap here is that candidates may think validating the user's display name (Option B) is necessary for authorization, but token validation is about verifying the token's authenticity and intended audience, not user attributes.

118
MCQmedium

You are developing a microservices application. Each microservice must authenticate to Azure SQL Database using its own identity. You need to minimize credential management overhead. What should you use?

A.System-assigned managed identities
B.User-assigned managed identities
C.Certificate-based authentication
D.Service principals with client secrets
AnswerA

Each Azure resource can have a system-assigned identity, providing a unique identity per microservice.

Why this answer

System-assigned managed identities are tied to the lifecycle of the Azure resource and are created and deleted automatically, which gives each microservice its own identity without any credential management. Option B is wrong because user-assigned managed identities are shared across resources rather than tied to one service. Option D is wrong because service principals require managing client secrets. Option C is wrong because certificate-based authentication still requires certificate management.

119
MCQmedium

You are implementing a microservices solution on Azure Kubernetes Service (AKS). You need to securely store and retrieve connection strings to a database without hardcoding them in the application code. The solution should automatically rotate secrets every 90 days. What should you use?

A.Azure Key Vault with Key Vault Secrets Provider for AKS
B.Kubernetes Secrets with a CronJob to update them
C.Azure Managed Identity for the pod
D.Azure App Configuration with a managed identity
AnswerA

Key Vault provides secure storage and supports automatic rotation; the provider integrates with AKS.

Why this answer

Azure Key Vault with the Key Vault Secrets Provider for AKS mounts secrets into pods as volumes, and Key Vault supports automatic rotation and versioning, so Option A is correct because it integrates rotation. Option B lacks automatic rotation. Option C is for non-Kubernetes environments. Option D is a configuration service, not a secret store.

120
MCQmedium

You are developing a serverless application using Azure Functions that processes sensitive data. The function needs to access Azure Key Vault to retrieve a secret. You want to use managed identity for authentication. What should you do first?

A.Enable the system-assigned managed identity on the function app and grant it the Key Vault Secrets User role.
B.Enable the system-assigned managed identity on the Key Vault.
C.Store the client ID and client secret of a service principal in the function app settings.
D.Create a user-assigned managed identity and assign it to the Key Vault.
AnswerA

This allows the function to authenticate to Key Vault without secrets.

Why this answer

Option A is correct because the function app must first have a managed identity enabled, and that identity then needs to be granted permissions on Key Vault. Option C is wrong because managed identity does not use client secrets. Option D is wrong because the identity is assigned to the function app, not to Key Vault. Option B is wrong because a managed identity cannot be enabled on a Key Vault.

121
Multi-Selecthard

Your company stores sensitive documents in an Azure Storage account. You need to ensure that only authorized Microsoft Entra ID users can read the documents, and that shared keys (account access keys) cannot be used. Which two steps must you take? (Choose the most appropriate single answer that describes the combined action.)

Select 2 answers
A.Disable shared key access and configure RBAC roles for Microsoft Entra ID users
B.Enable Microsoft Entra ID authentication and use SAS tokens with a stored access policy
C.Enable firewall and virtual network service endpoints, then assign RBAC roles
D.Use user-delegation SAS tokens and disable shared key access
AnswersA, D

Correct. Disabling shared key access prevents the use of account keys, and RBAC grants permissions to specific Microsoft Entra ID users, enforcing Microsoft Entra ID-only authentication.

Why this answer

Option A is correct because disabling shared key access on the Azure Storage account prevents the use of account access keys, which are shared secrets. Configuring Azure RBAC roles (e.g., Storage Blob Data Reader) for Microsoft Entra ID users ensures that only authenticated and authorized users can read the documents, enforcing identity-based access control as required.

Exam trap

The trap here is that candidates often think SAS tokens or user-delegation SAS alone satisfy the requirement, but they overlook the explicit need to disable shared key access to prevent the use of account keys.

122
MCQmedium

You have an Azure App Service web app that uses a system-assigned managed identity. The web app needs to authenticate to an Azure SQL Database to read and write data. You want to use the managed identity to avoid storing credentials in connection strings. Which steps are required to configure this access?

A.Assign the managed identity the 'SQL DB Contributor' RBAC role on the database, then use SQL authentication with the identity's client ID.
B.Create a contained database user in the SQL database mapped to the managed identity, grant required database roles, and use Microsoft Entra ID token-based authentication from the app.
C.Enable Microsoft Entra ID authentication on the SQL server, add the managed identity as a Microsoft Entra ID admin, and use integrated security in the connection string.
D.Configure the connection string with the managed identity's principal ID as the user ID and leave the password empty.
AnswerB

This is the correct procedure. The managed identity (a Microsoft Entra ID principal) must be added as a database user. The app then acquires an access token for Azure SQL Database using the managed identity and uses it to connect.

Why this answer

Option B is correct because to use a system-assigned managed identity with Azure SQL Database, you must create a contained database user mapped to the managed identity in the SQL database, grant it the necessary database roles (e.g., db_datareader, db_datawriter), and then acquire an access token for Azure SQL Database from Microsoft Entra ID (formerly Azure AD) through the managed identity endpoint to authenticate. This token-based approach avoids storing credentials and leverages the managed identity's automatic credential rotation.

Exam trap

The trap here is that candidates confuse Azure RBAC roles (which manage control-plane access) with SQL database-level permissions (which manage data-plane access), leading them to incorrectly select Option A or C instead of understanding that a contained database user and token-based authentication are required.

How to eliminate wrong answers

Option A is wrong because 'SQL DB Contributor' is an Azure RBAC role that controls management-plane operations (e.g., creating databases), not data-plane access to read/write data; SQL authentication with the identity's client ID is not supported—managed identities use token-based authentication, not SQL authentication. Option C is wrong because adding the managed identity as an Entra ID admin grants server-level administrative privileges, which is overly permissive and not the recommended least-privilege approach; 'integrated security' is a Windows Authentication concept and does not apply to managed identities in Azure App Service. Option D is wrong because connection strings cannot use the managed identity's principal ID as a user ID with an empty password; managed identity authentication requires acquiring a token from the Azure Instance Metadata Service (IMDS) endpoint and passing it as a password in the connection string or using a token-based library like Microsoft.Data.SqlClient.

123
MCQeasy

Your application uses Azure Key Vault to store secrets. You need to ensure that the application can access secrets without storing any credentials in the application code or configuration files. What should you use?

A.Azure Managed Identity
B.Key Vault access policies
C.A connection string with the secret
D.A client certificate stored in the application
AnswerA

Managed Identity provides an automatically managed identity for authentication.

Why this answer

Azure Managed Identity allows Azure resources (like App Service, Functions, VMs) to authenticate to Key Vault without storing credentials. Option A is correct. Option B is wrong because Key Vault access policies control permissions, not authentication.

Option C is wrong because connection strings contain credentials. Option D is wrong because certificates are an authentication method but require certificate management.

124
MCQmedium

Refer to the exhibit. You deploy this ARM template to an App Service named 'myapp'. After deployment, users report they are able to access the app without being prompted to log in. What is the most likely reason?

A.The Azure Active Directory registration is missing the client secret.
B.The redirect URI is not configured in the Azure AD app registration.
C.The issuer URL is incorrect; it should include the tenant ID.
D.The client ID is from a different tenant.
AnswerA

Easy Auth requires a client secret for the identity provider to work.

Why this answer

Option A is correct. The template's 'Microsoft.Web/sites/config' resource named 'authsettingsV2' is deployed at the correct scope and the 'globalValidation' section is present, so the settings themselves are not the problem. What the identity provider configuration lacks is a client secret: without one, Easy Auth falls back to secret-less auth, which does not work for all scenarios, so the sign-in requirement never takes effect and users reach the app without being prompted. (A missing resource dependency, or a site that has not been restarted after deployment, can also leave authentication unapplied, but that is not what the exhibit shows.)

Option B is wrong because the redirect URI is not needed in the template. Option C is wrong because the issuer is valid. Option D is wrong because the client ID is correct.

125
MCQhard

You have a multi-tenant application that uses Azure AD (Microsoft Entra ID) for authentication. You want to allow only specific tenants to access your app. What is the recommended approach?

A.In the application code, validate the 'tid' claim against a list of allowed tenant IDs.
B.Configure the app manifest to require user assignment and assign users from allowed tenants.
C.Validate the 'iss' claim to ensure it matches one of your allowed tenant issuer URLs.
D.Use Azure AD tenant restrictions to block all tenants except the allowed ones.
AnswerA

This is the standard pattern for multi-tenant app tenant restriction.

Why this answer

The recommended approach is to validate the 'tid' (tenant ID) claim after the token itself has been validated, and compare it against a list of allowed tenants. Option A is correct. Option B is wrong because user assignment requires each tenant to assign users, which is not flexible.

Option C is wrong because the 'iss' claim includes the tenant ID, but it is better to use 'tid' as it is explicit. Option D is wrong because tenant restrictions are set at the tenant level, not the app.
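The pattern described above, as an added example in ASP.NET Core (this code is not from the original page): the JWT is validated as usual, and the 'tid' claim is then checked against an allow-list before the request is authorized. The tenant IDs, the app ID URI and the route are placeholders constructed for the example. Because a multi-tenant app receives tokens whose issuer is tenant-specific, the same allow-list is also used to validate the issuer instead of pinning a single value.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Placeholder tenant IDs constructed for this example; load the real
// allow-list from configuration or a store in production.
var allowedTenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
};

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Multi-tenant: signing keys come from the common endpoint, but each token's
        // issuer is tenant-specific, so the issuer is checked against the allow-list.
        options.Authority = "https://login.microsoftonline.com/common/v2.0";
        options.Audience = "api://00000000-0000-0000-0000-000000000000"; // placeholder app ID URI
        options.TokenValidationParameters.IssuerValidator = (issuer, token, parameters) =>
        {
            foreach (var tid in allowedTenants)
            {
                if (string.Equals(issuer, $"https://login.microsoftonline.com/{tid}/v2.0",
                                  StringComparison.OrdinalIgnoreCase))
                    return issuer;
            }
            throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an allowed tenant.");
        };

        options.Events = new JwtBearerEvents
        {
            // Runs only after signature, audience, lifetime and issuer checks have passed.
            OnTokenValidated = context =>
            {
                if (!TenantAllowList.IsAllowed(context.Principal, allowedTenants))
                    context.Fail("Tenant is not in the allow-list.");
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => new { tenant = TenantAllowList.TenantId(user) })
   .RequireAuthorization();
app.Run();

// Separate static class so the check itself can be unit-tested without the pipeline.
public static class TenantAllowList
{
    // Inbound claim mapping may rename short claim types, so both forms are accepted.
    private const string TenantIdLong = "http://schemas.microsoft.com/identity/claims/tenantid";

    public static string? TenantId(ClaimsPrincipal? principal) =>
        principal?.FindFirst("tid")?.Value ?? principal?.FindFirst(TenantIdLong)?.Value;

    public static bool IsAllowed(ClaimsPrincipal? principal, ISet<string> allowed)
    {
        var tid = TenantId(principal);
        return tid is not null && allowed.Contains(tid);
    }
}
```

The two checks are deliberately redundant: the issuer validator rejects tokens from other tenants before any claims are trusted, and the 'tid' check in OnTokenValidated is the explicit allow-list the question asks for. Failing the context in OnTokenValidated results in a 401 for that request.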

126
MCQmedium

You are developing a serverless function using Azure Functions that needs to write logs to a Log Analytics workspace. The function uses a managed identity. Which RBAC role should you assign to the function's managed identity?

A.Log Analytics Reader
B.Monitoring Contributor
C.Log Analytics Contributor
D.Storage Blob Data Contributor
AnswerC

This role allows writing to Log Analytics workspaces.

Why this answer

The Log Analytics Contributor role is required because it grants the managed identity the necessary permissions to send data to a Log Analytics workspace, including the ability to create and manage data collection rules and write log data. This role is specifically designed for scenarios where an Azure resource, such as an Azure Function, needs to ingest logs into Log Analytics via the Data Collection API.

Exam trap

The trap here is that candidates often confuse the Log Analytics Contributor role with the Monitoring Contributor role, mistakenly thinking the latter covers log ingestion, but Monitoring Contributor lacks the specific write permissions to the Log Analytics workspace data plane.

How to eliminate wrong answers

Option A is wrong because Log Analytics Reader only allows read access to log data and monitoring settings, not the ability to write logs. Option B is wrong because Monitoring Contributor provides broader permissions to manage monitoring resources (e.g., alert rules, metrics) but does not include the specific permission to write data to a Log Analytics workspace. Option D is wrong because Storage Blob Data Contributor is for managing blob storage data, not for writing logs to Log Analytics.

127
MCQhard

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not present in Microsoft Entra ID. The role mappings are dynamic and stored in an application database. How should you implement authorization?

A.Define the roles as Microsoft Entra ID app roles and include them in the token claims.
B.Store the role mappings in an Azure SQL Database and use a custom authorization policy that queries the database after authentication.
C.Include the roles as claims in the Microsoft Entra ID token by using a custom claim mapping policy.
D.Store the role mappings in the web.config file and read them at runtime.
AnswerB

This allows dynamic role assignments and leverages policy-based authorization in ASP.NET Core.

Why this answer

Option B is correct because the custom roles are dynamic and stored in an application database, not in Microsoft Entra ID. After authentication, a custom authorization policy can query the database to retrieve the role mappings for the authenticated user and enforce access control. This approach decouples role management from the identity provider and supports dynamic role assignments.

Exam trap

The trap here is that candidates assume custom roles must be embedded in the token via claims, overlooking that dynamic roles from a database can be evaluated post-authentication using a custom authorization policy.

How to eliminate wrong answers

Option A is wrong because defining roles as Microsoft Entra ID app roles requires static role definitions in the app registration, which cannot be dynamically updated from an external database. Option C is wrong because a custom claim mapping policy in Microsoft Entra ID can only add claims based on directory attributes or static rules, not from an external database. Option D is wrong because storing role mappings in web.config is static, insecure, and not suitable for dynamic role management; it also violates the principle of externalizing configuration from code.
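The approach from Option B, as an added ASP.NET Core example (not code from the original page): authentication is left to Microsoft Entra ID, and a custom policy requirement plus handler looks the caller's roles up from the application database after the token has been validated. The IRoleRepository interface, the in-memory repository with its constructed sample rows, the route names and the object IDs are all placeholders; a real deployment would back the repository with the SQL database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Authentication: standard Entra ID bearer tokens (placeholder tenant and audience).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0";
        o.Audience = "api://00000000-0000-0000-0000-000000000000";
    });

// Authorization: roles come from the application database, not from the token.
builder.Services.AddScoped<IRoleRepository, InMemoryRoleRepository>(); // swap for a SQL-backed implementation
builder.Services.AddScoped<IAuthorizationHandler, AppRoleHandler>();
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("Admin",  p => p.RequireAuthenticatedUser().AddRequirements(new AppRoleRequirement("Admin")));
    options.AddPolicy("Editor", p => p.RequireAuthenticatedUser().AddRequirements(new AppRoleRequirement("Editor")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDelete("/articles/{id}", (string id) => Results.NoContent()).RequireAuthorization("Admin");
app.MapPut("/articles/{id}",    (string id) => Results.NoContent()).RequireAuthorization("Editor");
app.Run();

// A requirement carries the role name the endpoint demands.
public sealed class AppRoleRequirement : IAuthorizationRequirement
{
    public AppRoleRequirement(string role) => Role = role;
    public string Role { get; }
}

// Hypothetical abstraction over the application database.
public interface IRoleRepository
{
    Task<IReadOnlyCollection<string>> GetRolesAsync(string userObjectId);
}

// Constructed sample data standing in for the role-mapping table.
public sealed class InMemoryRoleRepository : IRoleRepository
{
    private static readonly Dictionary<string, string[]> Rows = new(StringComparer.OrdinalIgnoreCase)
    {
        ["11111111-1111-1111-1111-111111111111"] = new[] { "Admin", "Editor" },
        ["22222222-2222-2222-2222-222222222222"] = new[] { "Editor" },
    };

    public Task<IReadOnlyCollection<string>> GetRolesAsync(string userObjectId) =>
        Task.FromResult<IReadOnlyCollection<string>>(
            Rows.TryGetValue(userObjectId, out var roles) ? roles : Array.Empty<string>());
}

// The handler runs after authentication and decides the requirement from the database.
public sealed class AppRoleHandler : AuthorizationHandler<AppRoleRequirement>
{
    private readonly IRoleRepository _roles;
    public AppRoleHandler(IRoleRepository roles) => _roles = roles;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AppRoleRequirement requirement)
    {
        // 'oid' is the stable Entra ID object identifier; the long form covers inbound claim mapping.
        var oid = context.User.FindFirst("oid")?.Value
               ?? context.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        if (oid is null) return; // requirement left unmet: the caller gets 403

        var roles = await _roles.GetRolesAsync(oid);
        if (roles.Contains(requirement.Role, StringComparer.OrdinalIgnoreCase))
            context.Succeed(requirement);
    }
}
```

Keying the lookup on the 'oid' claim rather than a display name or e-mail keeps the mapping stable across renames. Because the handler runs on every authorized request, a real implementation would cache the lookup briefly; a short TTL keeps revocations effective without hitting the database on each call.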

128
Multi-Selecthard

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster that runs a critical workload? (Choose two.)

Select 2 answers
A.Store secrets as Kubernetes secrets without encryption
B.Enable SSH access to all nodes for troubleshooting
C.Enable Azure AD integration with Kubernetes RBAC
D.Deploy Azure Firewall in the cluster VNet
E.Use network policies to restrict pod-to-pod communication
AnswersC, E

Azure AD integration provides identity-based access control.

Why this answer

Options C and E are correct. Enabling Azure AD integration with Kubernetes RBAC provides authentication and authorization, and network policies restrict pod-to-pod communication. Option B is wrong because SSH access should be disabled or limited.

Option A is wrong because Kubernetes secrets are base64 encoded and not encrypted by default; use the Azure Key Vault Provider instead. Option D is wrong because Azure Firewall is not required for AKS internal traffic.

129
MCQeasy

You need to ensure that an Azure Functions app can access a blob in Azure Storage using its system-assigned managed identity. What should you do first?

A.Configure CORS on the storage account
B.Enable the managed identity in the Function App
C.Assign the Storage Blob Data Reader role to the managed identity at the storage account scope
D.Generate a SAS token for the blob
AnswerC

This grants the identity permission to read blobs.

Why this answer

You must grant the managed identity the appropriate RBAC role on the storage account, such as Storage Blob Data Reader.

130
MCQhard

Your company uses Azure DevOps for CI/CD. The security team requires that all pull request (PR) merges to the main branch be signed with a valid code signing certificate to ensure code integrity. Which Azure DevOps feature should you enforce?

A.Set up branch protection with 'Require a merge commit' and enable 'Require signed commits'
B.Configure a service hook to validate signatures using Azure Functions
C.Use Azure Policy to require code signing on the repository
D.Add a build validation step in the PR pipeline that checks signatures
AnswerA

This enforces that each merge commit is signed, ensuring code integrity.

Why this answer

Branch policy with 'Require a merge commit' forces signed commits; the policy can require a valid signature from a trusted certificate. Option B is wrong because a service hook only notifies an external service after the event; it does not block the merge. Option C is wrong because Azure Policy is for governance of Azure resources, not repository commits.

Option D is wrong because build validation is for pipeline validation, not commit signing.

131
MCQhard

A company is building a microservices application on Azure Container Instances. Each microservice needs to authenticate to Azure Key Vault to retrieve secrets. They want to avoid storing any credentials in the container images or environment variables. What should they do?

A.Use Docker secrets mounted as volumes.
B.Enable managed identity for the container group and grant it access to Key Vault.
C.Use a shared access signature (SAS) token to access Key Vault.
D.Store the Key Vault URI and a client secret in environment variables.
AnswerB

Managed identity allows secure authentication without credentials.

Why this answer

Option B is correct because managed identity for Azure Container Instances allows containers to authenticate to Azure services without credentials. Option A is wrong because Docker secrets are not natively supported in Azure Container Instances. Option C is wrong because SAS tokens are not suitable for container-to-Key Vault authentication.

Option D is wrong because passing a client secret as an environment variable exposes the secret.

132
MCQeasy

The team is writing an Azure Function that needs to retrieve secrets from Azure Key Vault at runtime. The security policy prohibits storing client secrets, connection strings, or certificates in application settings or source code. What is the recommended approach?

A.Enable a system-assigned managed identity on the Function App and grant it Key Vault Secrets User (or Get/List access policy) permission on the vault
B.Create an App Registration, generate a client secret, store the secret in an Application Setting, and authenticate using ClientSecretCredential
C.Generate a Key Vault SAS token and embed it in the function's connection string setting
D.Use the Key Vault REST API with the vault's access key embedded in the code
AnswerA

The managed identity removes all credential management from the developer. DefaultAzureCredential automatically detects the managed identity context and requests tokens from the Azure Instance Metadata Service. No secret is ever stored anywhere the developer can access or accidentally expose.

Why this answer

Option A is correct because a system-assigned managed identity provides a secure, credential-free way for an Azure Function to authenticate to Key Vault. Azure automatically manages the identity's lifecycle and tokens, eliminating the need to store any secrets in application settings or code. The Function App uses the managed identity to obtain an Azure AD token, which it presents to Key Vault to retrieve secrets, fully complying with the security policy.

Exam trap

The trap here is that candidates may think a client secret or SAS token is acceptable if stored in an Application Setting, but the policy explicitly prohibits storing any secrets in settings or code, making managed identity the only compliant option.

How to eliminate wrong answers

Option B is wrong because it requires storing a client secret (the App Registration's secret) in an Application Setting, which directly violates the security policy that prohibits storing client secrets in application settings or source code. Option C is wrong because Key Vault does not support SAS tokens; SAS tokens are used for Azure Storage, not Key Vault, and embedding any token in a connection string violates the policy. Option D is wrong because Key Vault does not have an 'access key'; it uses Azure AD authentication, and embedding any credential in code violates the policy.

133
MCQhard

Your application runs on Azure Kubernetes Service (AKS). It needs to access Azure Key Vault secrets. You want to avoid using a service principal. Which solution should you implement?

A.Mount secrets as a ConfigMap from Key Vault
B.Create a service principal and assign it to the AKS cluster
C.Deploy the Secrets Store CSI Driver with workload identity
D.Use a Helm chart to inject secrets
AnswerC

Workload identity allows pods to use a managed identity to access Key Vault.

Why this answer

Azure Key Vault Provider for Secrets Store CSI Driver with workload identity (or the older AAD pod identity) allows pods to access Key Vault using a managed identity, avoiding service principals. Option A is wrong because mounting secrets via ConfigMap is insecure. Option B is wrong because a service principal is exactly what you want to avoid.

Option D is wrong because Helm charts are packaging tools.

134
Multi-Selectmedium

You are designing a solution to store secrets for a microservices application running on Azure Kubernetes Service (AKS). The secrets must be automatically rotated and remain available if the Key Vault is temporarily unavailable. Which TWO options meet the requirements?

Select 2 answers
A.Have each microservice read secrets directly from Key Vault using the SDK.
B.Use the AKS add-on for Azure Key Vault (Secrets Store CSI driver) with a sync to Kubernetes secrets.
C.Assign a managed identity to each pod and use it to authenticate to Key Vault.
D.Deploy a sidecar container that periodically retrieves secrets from Key Vault and stores them in a shared volume.
E.Store secrets as plain text in Kubernetes secrets.
AnswersB, D

Provides caching and offline availability.

Why this answer

Option B is correct: the AKS add-on for Key Vault (Secrets Store CSI driver) with a sync to Kubernetes secrets provides offline caching. Option D is correct: a sidecar container that caches secrets locally in a volume also provides availability during Key Vault downtime. Option A is incorrect because reading directly from Key Vault with the SDK does not provide caching.

Option C is incorrect because managed identity is an authentication method, not a solution for availability. Option E is incorrect because storing secrets in plain text is insecure and violates the requirement.

135
MCQhard

Refer to the exhibit. You are creating a custom Azure RBAC role. You assign this role to a user for the Production resource group. The user needs to read the contents of a blob in a container. Which permission is necessary for the user to list the container's blobs?

A.Microsoft.Storage/storageAccounts/blobServices/containers/blobs/list
B.Microsoft.Storage/storageAccounts/read
C.Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
D.Microsoft.Storage/storageAccounts/blobServices/containers/read
AnswerA

This data action is required to list blobs within a container.

Why this answer

The exhibit's role includes the data action 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read', which lets the user read a blob's content and properties, and the management action 'Microsoft.Storage/storageAccounts/blobServices/containers/read', which lets the user list the containers in the account (an ARM operation, not a data operation). Neither of these covers listing the blobs inside a container; that is a separate data-plane operation, so the role as shown does not let the user enumerate the container's blobs.

The permission that is missing is therefore the data action 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/list' (Option A). Option B ('Microsoft.Storage/storageAccounts/read') is a management-plane action on the whole account and is too broad for this purpose. Option C ('.../containers/blobs/read') is already present in the role and does not include listing. Option D ('.../containers/read') lists containers, not the blobs within a container.

136
MCQmedium

A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

A.Use a shared administrator account
B.Disable authentication for the target resource
C.Store a client secret in source control
D.Enable managed identity and grant least-privilege access to the target resource
AnswerD

Managed identity lets Azure-hosted apps authenticate without stored secrets.

Why this answer

Option D is correct because Azure Managed Identity provides an automatically managed identity in Azure AD that allows the App Service to authenticate to any service supporting Azure AD authentication without storing any credentials. By granting the managed identity only the specific permissions required (least-privilege) on the target storage resource (e.g., Storage Blob Data Reader), the application avoids stored credentials and eliminates the need for custom operational scripts. This aligns with the principle of zero standing credentials and is the recommended approach for Azure App Service.

Exam trap

The trap here is that candidates may think storing a client secret in source control (Option C) is acceptable if the repository is private, but the question explicitly requires avoiding stored credentials, and any secret in source control is a security risk that violates the principle of credentialless access.

How to eliminate wrong answers

Option A is wrong because using a shared administrator account violates least-privilege (grants excessive permissions) and requires storing credentials, which contradicts the requirement to avoid stored credentials. Option B is wrong because disabling authentication for the target resource removes all access control, exposing the resource to unauthorized access and violating security best practices. Option C is wrong because storing a client secret in source control introduces a security risk (credential leak) and requires managing a secret, which does not avoid stored credentials and adds operational overhead.

137
MCQmedium

Your company uses Azure Key Vault to manage encryption keys for data at rest in Azure Storage. You need to ensure that the storage account uses a customer-managed key (CMK) stored in Key Vault. Additionally, you need to periodically rotate the key automatically. Which configuration should you implement?

A.Create a key in Key Vault, assign the storage account's managed identity access to that key, and configure a Key Vault rotation policy to automatically rotate the key regularly
B.Enable soft-delete and purge protection on the Key Vault to allow key recovery during rotation
C.Use Azure Key Vault's default key (system-managed) and rely on built-in rotation
D.Manually rotate the key every 90 days by generating a new version and updating the storage account
AnswerA

This enables customer-managed keys and automatic key rotation, meeting the requirements.

Why this answer

Option A is correct because it combines the three essential elements for using a customer-managed key (CMK) with automatic rotation in Azure Key Vault. First, you must create a key in Key Vault (not use the default system-managed key). Second, the storage account's managed identity must be granted 'Get', 'Unwrap Key', and 'Wrap Key' permissions on that key so it can encrypt/decrypt the storage account's root key.

Third, you configure a Key Vault rotation policy (using the Azure Key Vault key rotation feature) to automatically create new key versions on a schedule (e.g., every 90 days), which the storage account automatically picks up without manual intervention.

Exam trap

The trap here is that candidates often confuse enabling soft-delete/purge protection (which is required for CMK but does not enable rotation) with the actual rotation policy configuration, or they assume that system-managed keys can be used when the question explicitly requires a customer-managed key.

How to eliminate wrong answers

Option B is wrong because soft-delete and purge protection are prerequisites for Key Vault (especially when using CMK with Azure Storage) but they do not enable automatic rotation; they only protect against accidental or malicious key deletion. Option C is wrong because Azure Key Vault's default key is a system-managed key (Microsoft-managed), not a customer-managed key; the question explicitly requires a CMK, and system-managed keys cannot be rotated on a custom schedule. Option D is wrong because manual rotation every 90 days does not meet the requirement for automatic rotation; it also introduces operational overhead and risk of human error, and the storage account must be updated each time a new key version is created.
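The Key Vault side of Option A, as an added example using the Azure.Security.KeyVault.Keys SDK (not code from the original page): create the customer-managed key and attach a rotation policy that mints a new version every 90 days. The vault URI and key name are caller-supplied placeholders; the property names follow the key rotation API introduced in SDK 4.3 as best I recall them, so check them against the package you pin. Granting the storage account's identity Get, Wrap Key and Unwrap Key, and pointing the storage account at the key, are separate steps not shown here.

```csharp
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;

public static class CmkRotationSetup
{
    // vaultUri and keyName are placeholders supplied by the caller.
    public static KeyRotationPolicy ConfigureStorageCmk(Uri vaultUri, string keyName)
    {
        // Runs under whatever identity the operator uses (managed identity, CLI login, ...).
        var client = new KeyClient(vaultUri, new DefaultAzureCredential());

        // 1. Create the customer-managed key. Storage uses it only to wrap/unwrap its own
        //    root encryption key, so a 2048-bit RSA key is sufficient.
        KeyVaultKey cmk = client.CreateRsaKey(new CreateRsaKeyOptions(keyName) { KeySize = 2048 });

        // 2. Rotation policy: a new version 90 days after each version is created; versions
        //    expire after 180 days and a notification fires 30 days before that.
        var policy = new KeyRotationPolicy { ExpiresIn = TimeSpan.FromDays(180) };
        policy.LifetimeActions.Add(new KeyRotationLifetimeAction(KeyRotationPolicyAction.Rotate)
        {
            TimeAfterCreate = TimeSpan.FromDays(90),
        });
        policy.LifetimeActions.Add(new KeyRotationLifetimeAction(KeyRotationPolicyAction.Notify)
        {
            TimeBeforeExpiry = TimeSpan.FromDays(30),
        });

        // 3. Attach the policy to the key; Key Vault creates the new versions from now on.
        return client.UpdateKeyRotationPolicy(cmk.Name, policy);
    }
}
```

When the storage account is configured for this key, reference it by a key identifier without the version segment; that is what lets the storage account pick up each new version automatically, as the explanation above describes. A versioned identifier would pin the account to one version and defeat the rotation policy.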

138
MCQmedium

You are developing an ASP.NET Core web API that is hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You want to avoid storing any credentials in the application code or configuration. Which approach should you use?

A.Use the Key Vault SDK with a client ID and client secret stored in App Service application settings.
B.Enable the system-assigned managed identity for the App Service and configure Key Vault access policies to allow that identity.
C.Use Microsoft Entra ID application roles to assign the App Service a role that allows reading secrets.
D.Store the Key Vault URL and a connection string with the secret in the application's app.config file.
AnswerB

Correct. Managed identity allows the App Service to authenticate to Microsoft Entra ID without any credentials. The Key Vault access policy grants the identity read access to secrets.

Why this answer

Option B is correct because enabling a system-assigned managed identity for the App Service allows it to authenticate to Azure Key Vault without any credentials stored in code or configuration. The managed identity is automatically managed by Azure AD (now Microsoft Entra ID) and can be granted access to Key Vault secrets via access policies, eliminating the need for client IDs, client secrets, or connection strings.

Exam trap

The trap here is that candidates often think storing credentials in App Service application settings is acceptable because they are 'not in code,' but the question explicitly requires avoiding any stored credentials, making managed identity the only secure, credential-free approach.

How to eliminate wrong answers

Option A is wrong because storing a client ID and client secret in App Service application settings still requires credentials in configuration, violating the requirement to avoid storing any credentials. Option C is wrong because Microsoft Entra ID application roles are used for application-level permissions and RBAC, not for granting an App Service identity direct access to Key Vault secrets; Key Vault uses access policies or RBAC roles like 'Key Vault Secrets User' for managed identities. Option D is wrong because storing the Key Vault URL and a connection string with the secret in app.config places credentials in the application code/configuration, directly contradicting the requirement.

139
MCQhard

Refer to the exhibit. An administrator runs this Azure CLI command. What is the result?

A.Assigns the Contributor role to a service principal at the resource group scope
B.Assigns a managed identity to the resource group
C.Assigns the Reader role to a user at the subscription scope
D.Assigns the Reader role to a service principal at the resource group scope
AnswerD

The command correctly assigns Reader role to the service principal at the resource group scope.

Why this answer

Option D is correct. The command assigns the Reader role to the specified service principal (by object ID) at the resource group scope 'ProdRG'. Option A is wrong because the role is Reader, not Contributor.

Option B is wrong because the command assigns a role, not a managed identity. Option C is wrong because the scope is the resource group, not the subscription.

140
MCQmedium

External partners are given Shared Access Signatures to upload product images to a specific Blob Storage container named 'images'. A partner reports accidentally uploading files to the 'contracts' container, which should not be accessible. What is the most likely configuration mistake?

A.The SAS was generated at the storage account level, granting write access that applies to multiple containers rather than being scoped to the 'images' container only
B.The SAS expiry time is too long, giving partners time to discover and access other containers
C.The partner used a storage account key instead of the provided SAS token
D.The SAS was signed with a stored access policy that did not name the correct container
AnswerA

An account SAS with sr=c (container) permission and no container restriction grants access to all containers. A container SAS is generated with a specific container name in the signed resource URI (e.g., https://account.blob.core.windows.net/images?sig=...), making it impossible for the holder to use the SAS against any other container.

Why this answer

A SAS generated at the storage account level grants permissions across all containers within that account. When the SAS URI includes only the account endpoint (e.g., https://<account>.blob.core.windows.net/) and a set of permissions (like write), the token can be used to access any container, including 'contracts'. To restrict access to a single container, the SAS must be scoped to the container resource URI (e.g., https://<account>.blob.core.windows.net/images) and the signed resource type must be 'c' (container) or 'b' (blob), not 's' (service).

Exam trap

The trap here is that candidates often confuse the scope of a SAS (account-level vs. resource-level) with other SAS properties like expiry time or stored access policies, leading them to incorrectly attribute the security breach to token lifetime or policy misconfiguration rather than the fundamental lack of resource-level scoping.

How to eliminate wrong answers

Option B is wrong because a long expiry time does not enable access to other containers; it only extends the window of validity for the token, but the token's scope (which containers it can access) is determined by the resource URI and signed resource type, not the expiry. Option C is wrong because using a storage account key would grant full administrative access to the entire storage account, not just the 'images' container, but the scenario states the partner was given a SAS token, so using the key would be a different authentication method, not a configuration mistake by the developer. Option D is wrong because a stored access policy defines permissions and expiry for a specific container; if the policy did not name the correct container, the SAS would be invalid or scoped to a different container, but it would not grant access to the 'contracts' container unless the policy itself was misconfigured to allow access to multiple containers, which is not the typical behavior of a stored access policy.
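The misconfiguration and its fix side by side, as an added example with the Azure.Storage.Blobs SDK (not code from the original page): the first method issues the account-scoped SAS that caused the problem, the second issues a SAS whose signed resource is the 'images' container itself, and the last one is the review check a defender can run on any SAS URI before handing it out. The account name, container name and credential are caller-supplied placeholders.

```csharp
using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

public static class PartnerUploadSas
{
    // The mistake: an account SAS. 'srt' covers container and object resources across
    // the whole account, so the holder can write to 'contracts' as easily as 'images'.
    public static Uri AccountScopedUploadSas(string account, StorageSharedKeyCredential cred, TimeSpan ttl)
    {
        var sas = new AccountSasBuilder
        {
            Services = AccountSasServices.Blobs,
            ResourceTypes = AccountSasResourceTypes.Container | AccountSasResourceTypes.Object,
            ExpiresOn = DateTimeOffset.UtcNow.Add(ttl),
            Protocol = SasProtocol.Https,
        };
        sas.SetPermissions(AccountSasPermissions.Write | AccountSasPermissions.Create);
        return new Uri($"https://{account}.blob.core.windows.net/?{sas.ToSasQueryParameters(cred)}");
    }

    // The fix: a container SAS. The container name is part of the signed string, so the
    // signature is only valid for requests against that container.
    public static Uri ContainerScopedUploadSas(string account, string container,
                                               StorageSharedKeyCredential cred, TimeSpan ttl)
    {
        var sas = new BlobSasBuilder
        {
            BlobContainerName = container,
            Resource = "c",                         // signed resource: container
            ExpiresOn = DateTimeOffset.UtcNow.Add(ttl),
            Protocol = SasProtocol.Https,
        };
        sas.SetPermissions(BlobContainerSasPermissions.Write | BlobContainerSasPermissions.Create);
        var uri = new BlobUriBuilder(new Uri($"https://{account}.blob.core.windows.net/{container}"))
        {
            Sas = sas.ToSasQueryParameters(cred),
        };
        return uri.ToUri();
    }

    // Review check: true only if the SAS is a container-scoped token for the expected container.
    // An account SAS has no 'sr' parameter (it carries 'ss' and 'srt' instead), so it fails here.
    public static bool IsScopedToContainer(Uri sasUri, string expectedContainer)
    {
        var parsed = new BlobUriBuilder(sasUri);
        return parsed.Sas is not null
            && parsed.Sas.Resource == "c"
            && string.Equals(parsed.BlobContainerName, expectedContainer, StringComparison.OrdinalIgnoreCase);
    }
}
```

The check inspects what the page calls the signed resource type: a container SAS carries sr=c and names the container in its path, while an account SAS carries ss and srt and no container at all. Pairing this with a short TTL (Option B's concern) limits how long any mistake lives, but only the scope decides which containers the token can touch.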

141
MCQeasy

You are deploying a web app on Azure App Service that stores secrets in Azure Key Vault. The app uses managed identity to access Key Vault. During testing, you get a 403 Forbidden error when the app tries to read a secret. What is the most likely cause?

A.The managed identity is not assigned to the app.
B.The Key Vault has soft-delete enabled.
C.The Key Vault access policy does not grant the managed identity the 'Get' permission for secrets.
D.The Key Vault firewall is set to allow only selected networks.
AnswerC

Without the 'Get' permission, Key Vault returns 403 Forbidden.

Why this answer

The app's managed identity must be granted a Key Vault access policy (or RBAC role) to read secrets. Without it, Key Vault denies access with a 403 error. Option A is incorrect because the scenario states that the app already uses a managed identity. Option B is incorrect because enabling soft-delete doesn't affect access.

Option D is incorrect because the firewall rule would block all access, not just for the app.
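The startup read described in this question and in questions 132 and 138, as an added example (not code from the original page): the secret is fetched with DefaultAzureCredential over the managed identity, and the failure modes are separated so the operator can tell an identity that was never enabled (no token at all) from an identity that authenticated but lacks the 'Get' permission or role (403). The vault URI and secret name are caller-supplied placeholders.

```csharp
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class StartupSecrets
{
    // vaultUri and secretName are placeholders supplied by the caller.
    public static string ReadRequiredSecret(Uri vaultUri, string secretName)
    {
        // On App Service or Functions with a managed identity enabled, DefaultAzureCredential
        // obtains the token from the managed identity endpoint; nothing is read from configuration.
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        try
        {
            return client.GetSecret(secretName).Value.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // No token could be obtained: typically the managed identity is not enabled on the app
            // (or, on a developer machine, no local credential is signed in). Not a 403 from the vault.
            throw new InvalidOperationException(
                "No Azure credential available; check that the app's managed identity is enabled.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The identity authenticated, but Key Vault refused the operation. The error code and
            // message distinguish a missing permission from a block by the vault firewall.
            throw new InvalidOperationException(
                $"Key Vault returned 403 for '{secretName}' (ErrorCode={ex.ErrorCode}). " +
                "Grant the identity 'Get' on secrets (access policy) or the 'Key Vault Secrets User' " +
                "role, or review the vault's network rules.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            // Authorization is fine; the secret simply is not there (wrong name or wrong vault).
            throw new InvalidOperationException($"Secret '{secretName}' was not found in {vaultUri}.", ex);
        }
    }
}
```

Surfacing the status code and Key Vault's ErrorCode in the startup failure is what turns a generic "403 Forbidden" into an actionable ticket: a 403 means the identity is assigned and recognized, and the fix is on the vault's permission side rather than on the app.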

142
MCQeasy

You are deploying a sensitive application on Azure Kubernetes Service (AKS). You need to ensure that secrets, such as database connection strings, are encrypted at rest and in transit, and that the cluster has no static credentials. Which feature should you enable?

A.Enable etcd encryption at rest
B.Enable Azure Disk Encryption on the node pools
C.Assign a managed identity to the AKS cluster
D.Use Azure Key Vault Provider for Secrets Store CSI Driver
AnswerD

This securely mounts secrets from Key Vault without storing them in AKS.

Why this answer

Option D is correct because Azure Key Vault Provider for Secrets Store CSI Driver integrates with AKS to mount secrets as volumes without storing them in the cluster. Option A is wrong because etcd encryption is internal to Kubernetes and does not integrate with Key Vault. Option B is wrong because AKS does not offer disk encryption by default.

Option C is wrong because managed identity alone does not store secrets.

143
Multi-Selectmedium

Which TWO of the following are valid ways to authenticate an Azure function to an Azure SQL database using managed identity?

Select 2 answers
A.Create a service principal and assign it to the function app.
B.Use the function app's default connection string with a username and password.
C.Create a user-assigned managed identity, assign it to the function app, and use its client ID in the connection string.
D.Upload a client certificate to the function app and use it to authenticate.
E.Enable system-assigned managed identity on the function app and set the SQL connection string with 'Authentication=Active Directory Managed Identity'.
AnswersC, E

User-assigned managed identity is also supported.

Why this answer

System-assigned managed identity and user-assigned managed identity are both supported, so Options C and E are correct. Option A is wrong because a service principal is not a managed identity.

Option B is wrong because a connection string with a username/password is not managed identity. Option D is wrong because certificate authentication is not managed identity.

144
MCQeasy

Refer to the exhibit. You run the Azure CLI command to store a secret in Key Vault. Later, you run 'az keyvault secret show --vault-name myvault --name MySecret'. What will be displayed?

A.The secret's metadata only, without the value.
B.The secret's metadata with the value masked as '*****'.
C.The secret's metadata and the value 'P@ssw0rd123'.
D.An error because you cannot retrieve a secret after it is set.
AnswerC

The show command returns the secret value in plaintext.

Why this answer

The 'az keyvault secret show' command displays the secret metadata and the value (if the user has permission). The value is displayed as the original plaintext. Option C is correct.

Option B is wrong because the value is not masked by default. Option A is wrong because the command shows the value, not only the metadata. Option D is wrong because a secret can be retrieved after it is set.

145
MCQhard

You are reviewing an ARM template that deploys a network security group (NSG) for a web application. The exhibit shows the security rules. The web application runs on port 443. You need to ensure that HTTPS traffic from the internet can reach the web servers. What is the issue with the current configuration?

A.The SSH rule is allowing SSH from the internet, which is a security risk.
B.The SSH rule should have a higher priority (lower number) to ensure SSH access.
C.The DenyAll rule should have a lower priority (higher number) to allow more specific rules.
D.There is no rule to allow HTTPS traffic (port 443) from the internet.
AnswerD

Without an allow rule for port 443, HTTPS traffic will be blocked by the DenyAll rule.

Why this answer

The NSG has only two inbound rules: AllowSSH (port 22 from VirtualNetwork) and DenyAll (all traffic). There is no rule to allow HTTPS (port 443) from the internet. The DenyAll rule will block all traffic that does not match a higher-priority allow rule.

Therefore, Option D is correct. Option C is incorrect because the DenyAll rule is not incorrectly placed; it's needed to block other traffic. Option A is incorrect because the SSH rule is not blocking HTTPS; it's just not allowing it.

Option B is incorrect because the SSH rule's priority of 100 is fine.
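The NSG resource in ARM template JSON, added here as an illustration rather than the exhibit from the question: the missing AllowHTTPS rule is inserted at a priority number lower than DenyAll so that it is evaluated first. The resource name, API version, the AllowHTTPS priority of 110 and the DenyAll priority of 4096 are assumptions; the page gives only the SSH rule's priority of 100 and its VirtualNetwork source.

```json
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2022-07-01",
  "name": "web-nsg",
  "location": "[resourceGroup().location]",
  "properties": {
    "securityRules": [
      {
        "name": "AllowSSH",
        "properties": {
          "description": "From the exhibit: SSH from the virtual network only, priority 100",
          "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
          "sourceAddressPrefix": "VirtualNetwork", "sourcePortRange": "*",
          "destinationAddressPrefix": "*", "destinationPortRange": "22"
        }
      },
      {
        "name": "AllowHTTPS",
        "properties": {
          "description": "The missing rule: HTTPS from the internet, assumed priority 110 so it beats DenyAll",
          "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
          "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
          "destinationAddressPrefix": "*", "destinationPortRange": "443"
        }
      },
      {
        "name": "DenyAll",
        "properties": {
          "description": "Catch-all deny; assumed priority 4096 so every explicit allow rule is evaluated first",
          "priority": 4096, "direction": "Inbound", "access": "Deny", "protocol": "*",
          "sourceAddressPrefix": "*", "sourcePortRange": "*",
          "destinationAddressPrefix": "*", "destinationPortRange": "*"
        }
      }
    ]
  }
}
```

Without the AllowHTTPS entry, port 443 traffic from the internet matches nothing before DenyAll and is dropped, which is the failure the question describes.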

146
MCQhard

Refer to the exhibit. You create a custom RBAC role with the shown permissions. You assign this role to a user at the resource group scope. What can the user do?

A.Read secrets from Key Vaults in the resource group
B.Assign the same role to other users
C.Delete secrets from Key Vaults in the resource group
D.Create new Key Vaults in the resource group
AnswerA

The role includes Microsoft.KeyVault/vaults/secrets/read.

Why this answer

The role includes read access to Key Vaults and the secrets in them. Option D is wrong because the role does not include write permissions. Option C is wrong because the role does not include delete permissions.

Option B is wrong because the role contains only Key Vault read actions and no permission to create role assignments; its assignment is also limited to the resource group scope.

147
MCQhard

A developer accidentally deleted a secret from Azure Key Vault. Soft-delete is enabled with a retention period of 90 days. After 60 days, you attempt to recover the secret. What should you do?

A.Run the Azure CLI command: az keyvault secret recover
B.Enable purge protection on the Key Vault first, then recover the secret.
C.Recover is not possible because the retention period of 90 days has not elapsed.
D.Run the Azure CLI command: az keyvault secret undelete
AnswerA

This command restores the secret while within the soft-delete retention window (60 days out of 90).

Why this answer

Option A is correct because when soft-delete is enabled on Azure Key Vault, deleted secrets are retained for the specified retention period (90 days in this case). Since only 60 days have passed, the secret is still in a soft-deleted state and can be recovered using the `az keyvault secret recover` command, which restores the secret to an active state.

Exam trap

The trap here is that candidates may confuse the retention period with a mandatory waiting period before recovery, or mistakenly think that purge protection must be enabled first, when in fact recovery is available immediately after deletion as long as soft-delete is enabled.

How to eliminate wrong answers

Option B is wrong because purge protection is not required to recover a soft-deleted secret; it only prevents permanent deletion before the retention period ends. Option C is wrong because the retention period defines the maximum time the secret is kept before being purged, not a waiting period before recovery; recovery is possible at any point during the retention period. Option D is wrong because `az keyvault secret undelete` is not a valid Azure CLI command; the correct command is `az keyvault secret recover`.

148
MCQhard

A financial services company uses Azure Container Instances (ACI) to run batch processing jobs. Each job processes sensitive financial data and must use a custom container image stored in Azure Container Registry (ACR). The security requirements are: the ACI container must authenticate to ACR using a managed identity, the container must run as a non-root user, and all secrets must be injected via environment variables from Azure Key Vault using the managed identity. The ACI instance must also be deployed into a virtual network (VNet) to restrict network access. What configuration should you use?

A.Create a system-assigned managed identity for ACI, assign AcrPull role to the identity, and grant it Key Vault access. Deploy ACI with VNet integration.
B.Create a user-assigned managed identity, assign it to both ACI and ACR (with AcrPull role), grant it Key Vault access, and deploy ACI with the identity and VNet integration.
C.Enable ACR admin account, use admin credentials in ACI, and store secrets in Key Vault with a system-assigned managed identity for ACI.
D.Create a service principal, assign AcrPull role and Key Vault access, store the service principal secret in Key Vault, and configure ACI to use the service principal.
AnswerB

User-assigned managed identity can be reused and assigned to multiple resources.

Why this answer

Option B is correct. A user-assigned managed identity can be assigned to ACI and granted AcrPull on ACR, and the same identity can be used to access Key Vault. Deploying ACI into a VNet restricts network access.

Option A is wrong because a system-assigned managed identity belongs to the ACI resource alone and cannot be shared with ACR. Option D is wrong because a service principal requires credential management. Option C is wrong because admin credentials are not secure.

149
MCQhard

A company uses Azure SQL Database and needs to encrypt sensitive columns (e.g., credit card numbers) at rest and in transit, with the ability to allow specific applications to decrypt. They want to manage encryption keys centrally in Azure Key Vault and avoid managing certificates. Which technology should they use?

A.Always Encrypted with column master key in Azure Key Vault.
B.Transparent Data Encryption (TDE) with Azure Key Vault.
C.Dynamic Data Masking (DDM) with Azure Key Vault.
D.Row-Level Security (RLS) with Azure Key Vault.
AnswerA

This provides column-level encryption and decryption by authorized applications.

Why this answer

Option A is correct because Always Encrypted with Azure Key Vault allows client-side encryption and decryption, with the column master key stored in Key Vault. Option B is wrong because TDE encrypts the entire database at rest but not in transit and not at column level. Option D is wrong because Row-Level Security is for access control, not encryption.

Option C is wrong because Dynamic Data Masking obscures data from non-privileged users but does not encrypt.

150
Multi-Selectmedium

Which THREE of the following are valid ways to authenticate an Azure Function to an Azure SQL Database using managed identities?

Select 3 answers
A.Enable system-assigned managed identity on the function app and grant it access to the SQL database.
B.Assign the managed identity directly to the Azure SQL Database logical server.
C.Use the managed identity's principal ID to create a contained database user in SQL Database.
D.Create a user-assigned managed identity, assign it to the function app, and grant it access to the SQL database.
E.Create a service principal and assign it to the function app.
AnswersA, C, D

System-assigned identity is a type of managed identity.

Why this answer

Options A, C, and D are correct. Option A is correct because a system-assigned managed identity can be enabled for the function app and granted access to SQL DB. Option D is correct because a user-assigned managed identity can be assigned to the function app; system-assigned and user-assigned identities are both managed identity types.

Option C is correct because the managed identity is granted access by creating a contained database user for it in the SQL Database. Option E is wrong because a service principal is not a managed identity. Option B is wrong because a managed identity cannot be assigned directly to SQL DB; it's assigned to the function app.
