CCNA Azure Security Questions

28 of 178 questions · Page 3/3 · Azure Security topic · Answers revealed

151
MCQmedium

A retail company uses Azure Logic Apps to integrate with third-party APIs. One Logic App sends purchase orders to a supplier's HTTP endpoint. The supplier requires that the request include an OAuth 2.0 access token obtained from their authorization server. The company wants to manage the client credentials (client ID and client secret) securely and rotate them automatically. The Logic App must also log all requests for auditing. What should you do?

A.Use the built-in HTTP action with a system-assigned managed identity and request a token from the supplier's authorization server using the managed identity.
B.Use the built-in HTTP action in the Logic App, store the client secret in Azure Key Vault, and retrieve it using the Key Vault connector. Then request a token from the supplier's authorization server.
C.Use the 'Managed API' connector for the supplier, configure it with client ID and secret in the connection parameters, and enable 'Azure AD Integration' on the Logic App.
D.Use the 'HTTP + Swagger' connector, define the OAuth2 security scheme, store the client secret in Key Vault, and configure the Logic App to use a system-assigned managed identity to access Key Vault.
AnswerD

This allows secure credential storage and automatic rotation with Key Vault.

Why this answer

Option C is correct. Using HTTP + Swagger connector with managed identity and Key Vault integration allows secure storage and automatic rotation of credentials. Option A is wrong because the built-in HTTP action does not support managed identity.

Option B is wrong because the Managed API connector does not support OAuth token acquisition. Option D is wrong because the system-assigned managed identity cannot be used for external OAuth flows.

152
MCQeasy

You are developing an ASP.NET Core web app that will be deployed to Azure App Service. The app needs to authenticate users from a Microsoft Entra ID tenant. You want to minimize development effort and rely on platform features. What should you do?

A.Implement custom OAuth 2.0 middleware in the app.
B.Add Microsoft.Identity.Web NuGet package and configure it in Startup.cs to use Microsoft Entra ID.
C.Use Microsoft Entra ID App Roles and add role checks in the code.
D.Enable App Service Authentication in the Azure portal and configure Microsoft Entra ID as the identity provider.
AnswerD

EasyAuth handles authentication at the gateway, requiring no code changes.

Why this answer

Option A is correct because App Service Authentication (EasyAuth) provides built-in authentication with Microsoft Entra ID without requiring code changes. Option B is wrong because it requires code changes. Option C is wrong because it's unnecessary if EasyAuth is used.

Option D is wrong because it's for authorization, not authentication.

153
MCQmedium

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to access the Microsoft Graph API to read user profiles. Which type of permission should you request in the app registration to ensure the app can read profiles without user interaction?

A.Delegated permissions
B.Resource-based permissions
C.Consent permissions
D.Application permissions
AnswerD

Application permissions allow the app to run without a signed-in user, ideal for background services.

Why this answer

Application permissions are required for daemon or service principal scenarios where no signed-in user is present. Delegated permissions require a signed-in user.

154
MCQhard

You are deploying a containerized application to Azure Kubernetes Service (AKS). The application needs to access Azure SQL Database securely. Which approach should you use to avoid storing credentials in the container image?

A.Store the connection string in a Kubernetes Secret and mount it as an environment variable
B.Use Azure AD Pod Identity (Workload Identity) to assign a managed identity to the pod and authenticate to SQL
C.Use a service principal and store its credentials in Azure Key Vault, then use the Key Vault Secrets Store CSI driver
D.Hardcode the credentials in the Dockerfile
AnswerB

Workload Identity integrates with AKS to provide managed identities to pods, eliminating the need for stored credentials.

Why this answer

Option B is correct because Azure AD Pod Identity (now evolved into Workload Identity) allows you to assign a managed identity to a pod, which can then authenticate to Azure SQL Database without any credentials stored in the image or environment variables. This approach uses Azure AD tokens obtained via the pod's identity, eliminating the need for connection strings or secrets in the container.

Exam trap

The trap here is that candidates often choose Option A (Kubernetes Secret) because it seems like a standard Kubernetes pattern, but they overlook that the question specifically requires avoiding any credential storage in the image or environment, which a Secret still represents.

How to eliminate wrong answers

Option A is wrong because storing the connection string in a Kubernetes Secret and mounting it as an environment variable still exposes the credential in the cluster's etcd and to any pod with access to the secret, violating the 'no credentials in the image' goal. Option C is wrong because while it avoids storing credentials in the image, it introduces unnecessary complexity and still relies on a service principal secret stored in Key Vault, which must be retrieved at runtime; the question specifically asks to avoid storing credentials, and a managed identity (Option B) is the simpler, more secure approach. Option D is wrong because hardcoding credentials in the Dockerfile is a fundamental security anti-pattern that embeds secrets directly in the image, making them accessible to anyone who can pull the image.

155
Multi-Selecthard

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The architecture review board prefers a managed AWS-native control.

Select 2 answers
A.Issuer and signature are valid for the trusted tenant
B.The user's display name is present
C.Token audience matches the API application ID URI or client ID
D.The token was sent in a query string
AnswersA, C

Issuer and signature validation confirms the token came from the expected identity provider.

Why this answer

Option A is correct because the API must validate the issuer (iss) claim to ensure the token was issued by a trusted tenant (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0) and verify the token's digital signature using the public keys from the OpenID Connect metadata endpoint. This prevents tokens from untrusted tenants or forged tokens from being accepted.

Exam trap

The trap here is that candidates confuse 'claims that are present in the token' (like display name) with 'claims that must be validated for security' (issuer, audience, signature), leading them to select non-essential claims as validation requirements.

156
Drag & Dropmedium

Arrange the steps to implement Azure Key Vault for storing and retrieving secrets in an application in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create Key Vault, add secret, grant access, retrieve secret, use it.

157
Multi-Selecthard

Which THREE permissions should be granted to an application's managed identity to allow it to read secrets from Azure Key Vault and use them to access Azure Storage?

Select 2 answers
A.Key Vault Crypto User role
B.Key Vault Secrets Officer role (includes all operations)
C.Key Vault Reader role
D.Key Vault Secrets User role (includes get and list)
E.Storage Blob Data Contributor role on the storage account
AnswersD, E

This role allows getting secrets.

Why this answer

Option D is correct because the Key Vault Secrets User role grants the 'get' and 'list' permissions on secrets, which is exactly what the application's managed identity needs to read secrets from Azure Key Vault. Option E is correct because the Storage Blob Data Contributor role on the storage account provides the necessary permissions to access and use the storage account (e.g., read/write blobs) after retrieving the secret (such as a connection string or key). Together, these two roles enable the managed identity to both retrieve secrets and access Azure Storage.

Exam trap

The trap here is that candidates often confuse the Key Vault Reader role (which only allows reading metadata, not secret values) with the Key Vault Secrets User role (which allows reading the actual secret content), or they mistakenly think the Key Vault Secrets Officer role is required when only read access is needed.

158
MCQeasy

Your company stores customer payment data in an Azure SQL Database. You need to ensure that only the application's managed identity can access the database, and no SQL logins or passwords are used. Which authentication method should you configure?

A.SQL Server authentication with a strong password stored in Key Vault
B.Use Microsoft Entra ID authentication with the managed identity configured as a contained database user
C.Enable Transparent Data Encryption (TDE) and use the database's certificate
D.Configure the Azure SQL firewall to allow only the application's outbound IP
AnswerB

Managed identity can be granted access to Azure SQL via Microsoft Entra ID authentication without credentials.

Why this answer

Option B is correct because configuring the managed identity as a contained database user in Azure SQL Database using Microsoft Entra ID authentication allows the application to authenticate without any SQL logins or passwords. The managed identity provides an automatically managed service principal in Entra ID, which can be mapped to a contained database user (CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER). This enables token-based authentication using OAuth 2.0, ensuring that only the application's identity can access the database.

Exam trap

The trap here is that candidates often confuse network-level security (firewall rules) or data encryption (TDE) with authentication, failing to recognize that only Entra ID authentication with a managed identity eliminates the need for SQL logins and passwords entirely.

How to eliminate wrong answers

Option A is wrong because SQL Server authentication with a password stored in Key Vault still requires a SQL login and password, violating the requirement of 'no SQL logins or passwords.' Option C is wrong because Transparent Data Encryption (TDE) only encrypts data at rest and does not provide authentication or access control; it cannot replace the need for an identity-based authentication method. Option D is wrong because configuring the Azure SQL firewall to allow only the application's outbound IP does not authenticate the application; it only restricts network access by IP address, and the application would still need a SQL login or password to connect.

159
MCQmedium

You deploy an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault to connect to a third-party service. You want to grant the minimum required permissions to the managed identity. Which Azure RBAC role should you assign to the managed identity at the Key Vault scope?

A.Key Vault Reader
B.Key Vault Secrets Officer
C.Key Vault Secrets User
D.Key Vault Contributor
AnswerC

This role provides read access to secret values, meeting the requirement with the minimum permissions.

Why this answer

Option C is correct because the 'Key Vault Secrets User' role grants the minimum required permission—'Microsoft.KeyVault/vaults/secrets/getSecret/action'—for a managed identity to read a secret from Azure Key Vault. This role is specifically designed for read-only access to secrets, aligning with the principle of least privilege for the app's need to retrieve a secret for third-party service authentication.

Exam trap

The trap here is that candidates often confuse management plane roles (like 'Key Vault Contributor' or 'Key Vault Reader') with data plane roles, assuming that any 'Reader' or 'Contributor' role at the vault scope grants access to secret values, when in fact they only control the vault resource itself, not the secrets.

How to eliminate wrong answers

Option A is wrong because 'Key Vault Reader' only allows listing and reading metadata of the vault (e.g., vault properties and tags), but does not grant any permissions to read secret values. Option B is wrong because 'Key Vault Secrets Officer' includes write, delete, and restore permissions on secrets (e.g., 'Microsoft.KeyVault/vaults/secrets/setSecret/action'), which exceeds the read-only requirement. Option D is wrong because 'Key Vault Contributor' provides full management of the vault itself (e.g., creating and deleting vaults), but does not grant any data plane permissions to read secrets.

160
Matchingmedium

Match each Azure compute service to its execution model.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

IaaS with full OS control

PaaS for web and API apps

Serverless event-driven compute

Managed job scheduling for parallel workloads

Why these pairings

Azure compute services cater to different levels of control and abstraction.

161
Multi-Selecteasy

You are designing a solution to store application secrets. You need to ensure that secrets are encrypted at rest and access is audited. Which TWO Azure services should you use?

Select 2 answers
A.Azure SQL Database
B.Azure Monitor
C.Azure Key Vault
D.Azure Storage Account with encryption
E.Azure App Configuration
AnswersB, C

Monitor can collect and analyze audit logs from Key Vault.

Why this answer

Option B is correct because Azure Key Vault provides encryption and access control. Option D is correct because Azure Monitor provides auditing via diagnostics logs. Option A is wrong because App Configuration does not provide encryption by default.

Option C is wrong because Azure SQL Database is not designed for secret storage. Option E is wrong because Storage Accounts can store secrets but lack native auditing and access control.

162
MCQmedium

You have an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault. You need to grant the app the minimum required permissions to access the secret. Which RBAC role should you assign to the managed identity at the Key Vault scope?

A.Key Vault Reader
B.Key Vault Secrets User
C.Key Vault Secrets Officer
D.Contributor
AnswerB

This role grants permission to read secrets (get, list) from the vault. It is the least privileged role that allows reading secret values.

Why this answer

The Key Vault Secrets User role grants the minimum required permission to read secrets from Azure Key Vault. This role provides the 'Microsoft.KeyVault/vaults/secrets/getSecret/action' permission, which is exactly what the app needs to retrieve the secret value. It does not grant any write or management capabilities, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the Key Vault Reader role (which only allows listing vaults and reading metadata, not secret values) with the ability to read secrets, leading them to select it as the minimum permission.

How to eliminate wrong answers

Option A is wrong because Key Vault Reader only allows listing vaults and reading metadata, not reading secret values. Option C is wrong because Key Vault Secrets Officer grants full control over secrets, including create, update, delete, and restore, which exceeds the minimum required read permission. Option D is wrong because Contributor is a broad Azure RBAC role that grants full management access to all resources in the scope, far beyond the needed secret read permission.

163
MCQhard

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The API needs to call a downstream API (also secured by Microsoft Entra ID) on behalf of the signed-in user (On-Behalf-Of flow). You have already configured the web API to authenticate users with Microsoft.Identity.Web. How should you implement the token acquisition for the downstream API?

A.Use ADAL.NET's `AcquireTokenOnBehalfOf` method
B.Inject `ITokenAcquisition` and call `GetAccessTokenForUserAsync` with the scopes for the downstream API
C.Use the `Azure.Identity` library with `DefaultAzureCredential` to acquire a token
D.Manually construct an HTTP POST to the Microsoft Entra ID token endpoint with the user access token and client credentials
AnswerB

`ITokenAcquisition` from Microsoft.Identity.Web wraps MSAL.NET. `GetAccessTokenForUserAsync` performs the On-Behalf-Of flow, exchanging the user's token for a token to call the downstream API.

Why this answer

Option B is correct because Microsoft.Identity.Web provides the `ITokenAcquisition` service specifically for ASP.NET Core applications to acquire tokens for downstream APIs using the OAuth 2.0 On-Behalf-Of flow. Calling `GetAccessTokenForUserAsync` with the required scopes handles the token exchange automatically, leveraging the incoming user token and client credentials configured in the app. This is the recommended approach when using Microsoft.Identity.Web, as it abstracts the complexity of the OBO flow and integrates seamlessly with the ASP.NET Core authentication pipeline.

Exam trap

The trap here is that candidates may confuse the On-Behalf-Of flow with client credentials flow or app-only authentication, leading them to choose `DefaultAzureCredential` (Option C) or manual token endpoint calls (Option D), while forgetting that ADAL.NET (Option A) is deprecated and not part of the modern Microsoft.Identity.Web stack.

How to eliminate wrong answers

Option A is wrong because ADAL.NET is deprecated and should not be used for new development; it lacks support for modern Microsoft Entra ID features and is replaced by MSAL.NET, which is already integrated into Microsoft.Identity.Web. Option C is wrong because `DefaultAzureCredential` from Azure.Identity is designed for non-interactive scenarios (e.g., managed identities, service principals) and does not support the On-Behalf-Of flow, which requires exchanging a user token for a downstream token. Option D is wrong because manually constructing HTTP POST requests to the token endpoint is error-prone, requires handling token caching, retries, and security details that Microsoft.Identity.Web already manages; this approach is unnecessary and violates the principle of using the provided library abstractions.

164
MCQhard

A company has an Azure Storage account that stores sensitive data. They need to ensure that all access to the storage account is secured using Microsoft Entra ID authentication and that no storage account keys are used. Which configuration should be applied to enforce this?

A.Enable firewall rules
B.Disable shared key access
C.Enable advanced threat protection
D.Enable soft delete
AnswerB

Disabling shared key access ensures that only Microsoft Entra ID authentication is allowed, effectively blocking the use of storage account keys.

Why this answer

Disabling shared key access (Option B) is the correct configuration because it explicitly blocks all authentication using storage account keys (both primary and secondary), forcing all requests to use Microsoft Entra ID (formerly Azure AD) for authorization. This ensures that only identities with appropriate RBAC roles (e.g., Storage Blob Data Owner) can access the storage account, meeting the requirement to eliminate key-based access entirely.

Exam trap

The trap here is that candidates often confuse network-level security (firewall rules) with authentication enforcement, mistakenly believing that restricting network access alone prevents key-based access, when in fact shared keys can still be used from allowed networks.

How to eliminate wrong answers

Option A is wrong because enabling firewall rules restricts network-level access (IP addresses or virtual networks) but does not prevent authentication using storage account keys; a request from an allowed network could still use a shared key. Option C is wrong because enabling advanced threat protection (Azure Defender for Storage) provides security monitoring and alerts for anomalies (e.g., suspicious access patterns) but does not enforce authentication method or disable key-based access. Option D is wrong because enabling soft delete protects data from accidental deletion by retaining deleted blobs for a retention period, but it has no effect on authentication or authorization mechanisms.

165
MCQeasy

Refer to the exhibit. You run the Azure CLI command shown. What is the result?

A.Creates a key named MySecret in the vault
B.Deletes the secret named MySecret from the vault
C.Stores a secret named MySecret with the value in the vault
D.Creates a certificate named MySecret in the vault
AnswerC

The command sets a secret with the specified name and value.

Why this answer

The command creates a secret named MySecret with value "P@ssw0rd!" in the Key Vault named MyVault. Option A is wrong because the command does not create a key. Option B is wrong because it creates a secret, not a certificate.

Option C is wrong because it stores a secret, not a certificate.

166
MCQhard

You are a developer for a fintech company. Your application consists of multiple Azure Functions that process sensitive financial transactions. The functions need to access an Azure SQL Database and an Azure Storage account. Security requirements are: (1) No secrets or connection strings should be stored in application settings or code. (2) Access must be restricted to the specific resources each function needs. (3) All access must be audited. (4) The solution must support local development debugging. You have already enabled system-assigned managed identity for each function app. Which course of action should you take to meet the requirements?

A.Assign a user-assigned managed identity to each function app. Grant the identity access to Azure SQL via Microsoft Entra authentication and to Storage via RBAC. Use service principal for local development.
B.Use the system-assigned managed identity to access Key Vault, where you store the SQL connection string and storage account key. Use the Key Vault SDK in the function code to retrieve them. Enable Key Vault audit logging.
C.Store the SQL connection string and storage account key in Azure Key Vault. Use Key Vault references in function app settings to retrieve them at runtime. Enable Key Vault audit logging.
D.Grant each function app's system-assigned managed identity access to Azure SQL Database using Microsoft Entra authentication (create contained user) and to Azure Storage using RBAC (Storage Blob Data Contributor role). Enable auditing on SQL and Storage. For local development, use Azure CLI to sign in with your developer account and assign it the same RBAC roles.
AnswerD

This avoids any secrets, uses managed identity, and supports local development with developer accounts.

Why this answer

Option D is correct because it uses managed identity for Azure SQL (via Microsoft Entra authentication) and RBAC for Storage, satisfying no-secret requirement. It also enables auditing via Azure SQL Auditing and Storage analytics. For local development, you can use Azure CLI or Visual Studio with your developer account that has appropriate RBAC roles.

Option A is wrong because it stores connection strings in Key Vault and uses Key Vault references, which still involves retrieving a secret (the connection string) even though it's not in code; the requirement says no secrets should be stored anywhere. Option B is wrong because it uses connection strings in Key Vault and then retrieves them. Option C is wrong because it uses a user-assigned identity but then stores connection strings in Key Vault.

167
Multi-Selectmedium

A company is designing a secure microservices architecture on Azure Kubernetes Service (AKS). The security requirements include: encrypting secrets at rest and in transit, rotating secrets automatically, and avoiding hard-coded credentials in application code. Which THREE solutions should the company use? (Choose three.)

Select 3 answers
A.Inject secrets as environment variables from ConfigMaps.
B.Use Kubernetes Secrets with a scheduled CronJob to rotate them.
C.Use the Azure Key Vault CSI Driver to mount secrets as volumes in pods.
D.Store secrets in Azure Key Vault with soft-delete and purge protection enabled.
E.Enable AKS-managed Microsoft Entra ID integration and use pod managed identities to authenticate to Key Vault.
AnswersC, D, E

CSI driver avoids hard-coding secrets in code.

Why this answer

Options A, B, and C are correct. Azure Key Vault stores secrets encrypted at rest and provides automatic rotation. CSI Driver enables pods to mount secrets without hard-coding.

Managed identities for Pods allow Entra ID authentication to Key Vault. Option D is wrong because Kubernetes Secrets do not provide automatic rotation. Option E is wrong because environment variables expose secrets in plaintext.

168
MCQmedium

Multiple teams need different levels of access to the same Azure Key Vault: the DevOps team needs to create and rotate secrets, the application team needs read-only secret access, and the auditing team needs list-only access. The security team wants audit logs of all access decisions and the ability to manage permissions through a single system. What access model should the developer recommend?

A.Use Azure RBAC for Key Vault with role assignments scoped per team: Key Vault Secrets Officer for DevOps, Key Vault Secrets User for the app team, and Key Vault Reader for auditing
B.Create separate access policies for each team with the minimum required permissions
C.Create a separate Key Vault per team to enforce isolation between access levels
D.Issue shared access signatures for each team scoped to the operations they need
AnswerA

RBAC assignments are integrated with Azure's identity and access management plane. All access decisions are logged in Azure Activity Log, fulfilling the audit requirement. Roles can be assigned at vault scope or narrower scopes. RBAC policies are managed centrally in Azure IAM, consistent with how all other Azure resources are governed.

Why this answer

Option A is correct because Azure RBAC for Key Vault provides a unified, centralized access management system that meets all requirements. The Key Vault Secrets Officer role allows DevOps to create and rotate secrets, the Key Vault Secrets User role grants read-only access to the application team, and the Key Vault Reader role provides list-only access for auditing. Additionally, RBAC integrates with Azure Monitor to deliver audit logs of all access decisions, satisfying the security team's need for a single management plane.

Exam trap

The trap here is that candidates may confuse the older Key Vault access policies (which are vault-specific and lack centralized audit integration) with Azure RBAC, or incorrectly assume that SAS tokens can be applied to Key Vault, when in fact SAS is exclusive to Azure Storage services.

How to eliminate wrong answers

Option B is wrong because separate access policies per team would require managing permissions individually for each vault and do not provide a single system for managing permissions across teams, nor do they natively integrate audit logs of access decisions as seamlessly as RBAC. Option C is wrong because creating a separate Key Vault per team violates the requirement for a single system to manage permissions and introduces unnecessary complexity and cost, while still not providing a unified audit trail. Option D is wrong because shared access signatures (SAS) are not supported for Azure Key Vault; SAS tokens are used for Azure Storage, not for controlling access to secrets, keys, or certificates in Key Vault.

169
MCQmedium

A company uses Azure Logic Apps to orchestrate workflows that process sensitive data. They need to ensure that workflow runs are logged and auditable, and that the logs are tamper-proof. Which Azure service should they use?

A.Azure Monitor Log Analytics workspaces.
B.Microsoft Sentinel.
C.Microsoft Purview Audit (Premium).
D.Azure Blob Storage with immutable storage policy.
AnswerC

Purview Audit provides tamper-proof audit logs with long-term retention.

Why this answer

Option D is correct because Microsoft Purview provides audit logging and data governance, including tamper-proof capabilities. Option A is wrong because Azure Monitor collects logs but does not guarantee tamper-proof. Option B is wrong because Microsoft Sentinel is for SIEM, not tamper-proof logging.

Option C is wrong because Azure Storage with immutable blobs can provide tamper-proof storage, but the question asks for a service that combines logging and tamper-proof.

170
MCQhard

You are configuring a managed identity for an Azure App Service to access Azure Key Vault. The identity has been assigned, but the app receives a 403 Forbidden when trying to retrieve a secret. What is the most likely cause?

A.The app is using the wrong endpoint
B.The managed identity is not enabled in the App Service
C.The managed identity lacks an access policy or RBAC role in Key Vault
D.The Key Vault firewall is blocking the request
AnswerC

Access policies or RBAC roles are required to authorize the identity to read secrets.

Why this answer

The managed identity must be granted explicit access via an access policy or RBAC role in Key Vault. Simply assigning the identity does not grant access.

171
Multi-Selecteasy

Which TWO of the following are benefits of using Azure Key Vault to store application secrets?

Select 2 answers
A.Centralized management of secrets with access policies.
B.Improved application performance by caching secrets.
C.Integration with Azure DevOps for automatic secret rotation in pipelines.
D.Automatic encryption of secrets at rest and in transit.
E.Auditing of secret access through Azure Monitor and Log Analytics.
AnswersA, E

Key Vault centralizes secret storage.

Why this answer

Key Vault provides centralized secret management with access control and auditing. Option A and D are correct. Option B is wrong because Key Vault does not improve performance.

Option C is wrong because secrets are encrypted at rest. Option E is wrong because Key Vault is not a CI/CD tool.

172
MCQhard

You are using Azure API Management (APIM) to expose a REST API. The backend API requires mutual TLS (client certificate) for authentication. The client certificate is stored in Azure Key Vault. You need to configure APIM to use this certificate when calling the backend, without exposing the certificate contents in the policy files. Which APIM feature and policy should you use?

A.Use the authentication-certificate policy with a named value that references the Key Vault certificate.
B.Use the authentication-managed-identity policy to authenticate to the backend.
C.Upload the client certificate directly to APIM's Certificate store and reference it in the policy.
D.Use a JavaScript policy to fetch the certificate from Key Vault and attach it.
AnswerA

Named values can securely reference a certificate from Key Vault. The authentication-certificate policy uses the named value to attach the certificate to the backend request.

Why this answer

Option A is correct because the `authentication-certificate` policy in Azure API Management can reference a client certificate stored in Azure Key Vault via a named value. Named values securely store secrets and can point to Key Vault certificates without exposing the certificate contents in policy files. This allows APIM to present the certificate during mutual TLS authentication to the backend API.

Exam trap

The trap here is that candidates may confuse the `authentication-managed-identity` policy with certificate-based authentication, or assume that uploading the certificate directly to APIM is equivalent to using Key Vault, but the question explicitly requires avoiding exposure of certificate contents in policy files, which only the named value approach with Key Vault reference achieves.

How to eliminate wrong answers

Option B is wrong because `authentication-managed-identity` policy authenticates APIM to a backend using Azure AD tokens, not client certificates; it cannot satisfy mutual TLS requirements. Option C is wrong because uploading the certificate directly to APIM's Certificate store exposes the certificate contents in the APIM instance and requires manual management, whereas the requirement is to avoid exposing certificate contents in policy files and leverage Key Vault. Option D is wrong because using a JavaScript policy to fetch the certificate from Key Vault would expose the certificate contents in the policy code and is not the recommended or secure approach; APIM provides built-in integration with Key Vault via named values.

173
MCQmedium

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to call a downstream API on behalf of the signed-in user. Which OAuth 2.0 flow should you implement?

A.Client credentials flow
B.Implicit flow
C.Authorization code flow with PKCE
D.Device code flow
AnswerC

Authorization code flow with PKCE is the secure standard for user-authenticated API calls.

Why this answer

Option C is correct because the authorization code flow with PKCE is the recommended flow for single-page apps and native apps that need to call APIs on behalf of the user. Option A is wrong because the implicit flow is deprecated and less secure. Option B is wrong because client credentials is for non-user scenarios.

Option D is wrong because device code flow is for devices without browsers.

174
MCQhard

You are developing a web API hosted on Azure App Service. The API must authenticate requests using Microsoft Entra ID OAuth 2.0 bearer tokens. You want to validate the token in your ASP.NET Core API code with minimal custom validation logic. Which library should you use?

A.Microsoft Authentication Library (MSAL)
B.Azure Identity client library
C.Microsoft.Identity.Web
D.Azure Management Libraries for .NET
AnswerC

This library is designed for ASP.NET Core and simplifies the integration with Microsoft Entra ID, including token validation, claims mapping, and authorization policies.

Why this answer

Microsoft.Identity.Web is the correct choice because it provides a high-level, opinionated library that integrates directly with ASP.NET Core's authentication pipeline, handling token validation, scopes, and app roles with minimal custom code. It abstracts away the complexity of JWT bearer token validation against Microsoft Entra ID, including automatic OpenID Connect discovery and token signature verification.

Exam trap

The trap here is that candidates often confuse MSAL (for token acquisition) with Microsoft.Identity.Web (for token validation), or assume the Azure Identity library handles all authentication scenarios, when it is actually focused on service-to-service authentication and Azure SDK credentials.

How to eliminate wrong answers

Option A is wrong because MSAL is designed for acquiring tokens from Microsoft Entra ID, not for validating incoming bearer tokens in a web API. Option B is wrong because the Azure Identity client library provides credential types for authenticating to Azure services, not for validating OAuth 2.0 bearer tokens in an ASP.NET Core API. Option D is wrong because Azure Management Libraries for .NET are used for managing Azure resources (e.g., creating VMs, configuring App Service), not for token validation.

175
Matchingmedium

Match each Azure authentication mechanism to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Automated identity for Azure resources without secrets

Identity for applications to access Azure resources

Delegated access token with limited permissions

Identity service for customer-facing applications

Why these pairings

These are key authentication methods in Azure.

176
MCQmedium

Your company uses Azure Key Vault to store secrets. You need to ensure that only a specific Microsoft Entra ID application can read a particular secret, while other applications are denied access. You want to apply the principle of least privilege. Which access control method should you configure?

A.Assign the application to the Key Vault Contributor RBAC role
B.Assign the application to the Key Vault Secrets User RBAC role at the secret scope
C.Use Key Vault access policies
D.Use managed identity and assign the Key Vault Secrets User role at the vault scope
AnswerB

This role allows read access to secrets. By assigning it at the individual secret scope (instead of vault scope), you restrict access to only that secret.

Why this answer

Option B is correct because Azure RBAC allows you to assign the Key Vault Secrets User role at the secret scope, which grants read access exclusively to the specified Microsoft Entra ID application for that particular secret. This aligns with the principle of least privilege by restricting access to only the necessary secret, without granting broader permissions at the vault level.

Exam trap

The trap here is that candidates often confuse vault-scoped access policies or RBAC roles with secret-scoped RBAC, mistakenly thinking they can achieve per-secret isolation with access policies, when in fact only RBAC at the secret scope provides that granularity.

How to eliminate wrong answers

Option A is wrong because the Key Vault Contributor RBAC role grants management-level permissions (e.g., creating and deleting secrets) rather than read access, violating the least privilege requirement. Option C is wrong because Key Vault access policies operate at the vault scope and cannot be scoped to an individual secret; they would grant the application access to all secrets in the vault. Option D is wrong because assigning the Key Vault Secrets User role at the vault scope grants read access to all secrets in the vault, not just the specific secret, and using a managed identity is unnecessary when a specific application identity is already specified.

177
MCQmedium

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The design must avoid adding custom operational scripts.

A.Password hash synchronization
B.Delegated permissions only
C.Device code flow
D.Application permissions with client credentials flow
AnswerD

Application permissions allow daemon apps to act as themselves without a user context.

Why this answer

Application permissions with the client credentials flow are required because the background service must call Microsoft Graph without a signed-in user. This flow uses OAuth 2.0 client credentials grant (RFC 6749) where the service authenticates as itself using a client secret or certificate, not on behalf of a user. Delegated permissions (Option B) always require a signed-in user context, making them unsuitable for unattended background services.

Exam trap

The trap here is that candidates confuse 'delegated permissions' (which require a user) with 'application permissions' (which do not), often selecting Option B because they think 'permissions' alone suffices, ignoring the 'without a signed-in user' constraint.

How to eliminate wrong answers

Option A is wrong because password hash synchronization is an Azure AD Connect feature for syncing user password hashes to Azure AD, not a permission model for calling Microsoft Graph. Option B is wrong because delegated permissions require a signed-in user to delegate the service's access; a background service without a user cannot use delegated permissions. Option C is wrong because the device code flow is designed for devices with limited input capabilities (e.g., smart TVs, IoT) and still requires a signed-in user to authenticate interactively, not suitable for an unattended background service.

178
Multi-Selecthard

Which TWO services can be used to manage secrets and certificates for applications running on Azure? (Choose two.)

Select 2 answers
A.Azure Key Vault
B.Azure App Configuration
C.Azure Automation
D.Azure Active Directory Certificate Services
E.Azure Policy
AnswersA, B

Key Vault is the centralized secret and certificate management service.

Why this answer

Options A and D are correct. Azure Key Vault is the primary service for secrets and certificates. Azure App Configuration can also store secrets as Key Vault references or encrypted values.

Option B is wrong because Certificate Services is for issuing certificates, not management. Option C is wrong because Azure Automation stores credentials in runbooks, not a general-purpose secret store. Option E is wrong because Azure Policy is for compliance.

← PreviousPage 3 of 3 · 178 questions total

Ready to test yourself?

Try a timed practice session using only Azure Security questions.