CCNA Identity Governance Monitoring Questions

75 of 273 questions · Page 3/4 · Identity Governance Monitoring topic · Answers revealed

151 · MCQ · medium

Your company runs a mission-critical application on Azure Virtual Machines in a single region. You need to design a monitoring solution that provides proactive alerts for performance degradation and allows the operations team to analyze historical trends. The solution must minimize cost and operational overhead. You have an existing Log Analytics workspace. What should you include in the design?

A. Enable VM insights in Azure Monitor and use its live map and performance views for historical analysis.
B. Configure Azure Autoscale for the VMs based on CPU metrics and use Azure Monitor for logging.
C. Deploy Application Insights on each VM and use its built-in alerts for performance.
D. Enable Azure Monitor on all VMs using the Azure Monitor agent. Create metric alerts for high CPU and memory usage. Use Log Analytics to query and analyze historical performance data.
Answer: D

This provides proactive alerts and historical analysis with low overhead.

Why this answer

Option D is correct because it uses the Azure Monitor agent to collect performance data from VMs, enabling metric alerts for proactive notification of high CPU and memory usage, while leveraging the existing Log Analytics workspace for cost-effective historical analysis. This approach minimizes operational overhead by using a single agent and native Azure Monitor features without additional services or complex configurations.

Exam trap

The trap here is that candidates may confuse VM insights (which offers rich visualizations but limited historical analysis) with the full monitoring solution required, or mistakenly think Application Insights is appropriate for VM-level performance monitoring when it is designed for application telemetry.

How to eliminate wrong answers

Option A is wrong because VM insights provides live map and performance views for real-time monitoring but is not designed for deep historical trend analysis, and its prebuilt performance charts have limited retention without Log Analytics. Option B is wrong because Azure Autoscale is for automatically scaling VM instances based on metrics, not for monitoring performance degradation or analyzing historical trends; it also does not address the requirement for proactive alerts and historical analysis. Option C is wrong because Application Insights is primarily for application-level monitoring (e.g., web apps, APIs) and requires instrumenting each application, which adds cost and complexity; it is not suitable for OS-level performance metrics like CPU and memory on VMs.

152 · MCQ · medium

A company wants workload deployments to access Azure resources without storing client secrets in CI/CD variables. The pipeline runs from GitHub Actions. Which identity design should be used?

A. A shared user account with MFA disabled
B. A storage account access key
C. Workload identity federation with Microsoft Entra ID
D. A long-lived app registration client secret
Answer: C

Workload identity federation allows external workloads such as GitHub Actions to exchange trusted tokens without stored secrets.

Why this answer

Workload identity federation with Microsoft Entra ID allows GitHub Actions to exchange an OpenID Connect (OIDC) token for an Azure access token, eliminating the need to store client secrets in CI/CD variables. This design uses short-lived tokens and federated identity credentials, aligning with the principle of zero-trust and secretless authentication.

Exam trap

The trap here is that candidates may choose a long-lived client secret (Option D) thinking it is the standard way to authenticate, overlooking the requirement to avoid storing secrets and the modern OIDC-based federation approach.

How to eliminate wrong answers

Option A is wrong because a shared user account with MFA disabled violates security best practices and does not eliminate secrets; it still requires storing credentials in CI/CD variables. Option B is wrong because a storage account access key is a static secret that must be stored in CI/CD variables, and it provides broad, unmonitored access to the storage account. Option D is wrong because a long-lived app registration client secret is a static secret that must be stored in CI/CD variables, defeating the requirement to avoid storing secrets.

153 · MCQ · medium

Your organization uses Microsoft Entra ID and Azure Key Vault. You need to ensure that a custom application can securely access secrets in Key Vault without storing credentials in code. The application runs on an Azure Virtual Machine. What should you use?

A. Store the Key Vault URL and connection string in the application configuration
B. Create a service principal and upload a certificate to the VM
C. Assign a system-assigned managed identity to the VM
D. Use a shared access signature (SAS) token
Answer: C

Managed identity provides a secure way to access Key Vault without credentials.

Why this answer

Option C is correct because a system-assigned managed identity for Azure Virtual Machines allows the application to authenticate to Azure Key Vault without storing any credentials in code. Azure automatically manages the identity's lifecycle and tokens, enabling the VM to obtain an access token from Azure AD (now Microsoft Entra ID) to call Key Vault's REST API. This aligns with the principle of zero-trust and eliminates the need for service principals or certificates in the application.

Exam trap

The trap here is that candidates may confuse SAS tokens (used for Azure Storage) with Key Vault authentication, or mistakenly think that a service principal with a certificate is the most secure option, overlooking the fully managed, credential-less nature of managed identities.

How to eliminate wrong answers

Option A is wrong because storing the Key Vault URL and connection string in application configuration still exposes credentials (the connection string) in code or config files, violating the requirement to avoid storing credentials. Option B is wrong because creating a service principal and uploading a certificate to the VM requires manual certificate management, rotation, and storage of the certificate on the VM, which introduces credential management overhead and security risks. Option D is wrong because a shared access signature (SAS) token is used for delegating access to Azure Storage resources, not for authenticating to Azure Key Vault; Key Vault does not support SAS tokens for authentication.

154 · Multi-Select · medium

Your company has an Azure subscription that contains 100 virtual machines (VMs). You are designing a monitoring solution that must meet the following requirements:

- Alert when any VM's CPU usage exceeds 90% for 15 minutes.
- Alert when any VM's available memory drops below 1 GB.
- Provide a centralized dashboard showing real-time performance metrics for all VMs.

Which TWO Azure services should you include in the solution? (Choose two.)

Select 2 answers
A. Azure Policy
B. Microsoft Sentinel
C. Azure Monitor
D. Azure Monitor Workbooks
E. Azure Automation
Answers: C, D

Azure Monitor collects performance metrics and supports metric alerts for CPU and memory thresholds.

Why this answer

Azure Monitor is the core service for collecting, analyzing, and acting on telemetry from Azure resources. It can collect CPU and memory metrics from VMs via the Azure Monitor Agent, and its alerting engine can trigger actions when CPU exceeds 90% for 15 minutes or available memory drops below 1 GB, meeting both alerting requirements.

Exam trap

The trap here is that candidates often confuse Azure Monitor Workbooks with Azure Dashboards or Power BI, but Workbooks are the correct service for creating a centralized, real-time performance dashboard that integrates directly with Azure Monitor alerts and metrics.

155 · MCQ · easy

Your organization plans to use Azure Policy to enforce tagging on all resources. The tags must include 'CostCenter' and 'Environment'. Resources that do not have these tags should be automatically remediated. What should you use?

A. A policy with 'append' effect
B. A policy with 'audit' effect
C. A policy with 'deployIfNotExists' effect and a remediation task
D. A policy with 'deny' effect
Answer: C

DeployIfNotExists can deploy a remediation task to add missing tags to existing resources.

Why this answer

The 'deployIfNotExists' effect is correct because it allows Azure Policy to evaluate resources for missing tags and then deploy a remediation task that automatically adds the required tags. This effect is specifically designed for scenarios where non-compliance can be corrected by deploying or modifying resources, such as adding tags via a policy definition that triggers a remediation task.

Exam trap

The trap here is that candidates often confuse 'append' with 'deployIfNotExists', thinking that 'append' can remediate existing resources, but 'append' only applies during resource creation or update, not to already deployed resources.

How to eliminate wrong answers

Option A is wrong because the 'append' effect adds tags only during resource creation or update, but it does not automatically remediate existing resources that are already missing the tags. Option B is wrong because the 'audit' effect only logs non-compliance without any automatic remediation, requiring manual intervention. Option D is wrong because the 'deny' effect prevents creation or update of resources that do not have the required tags, but it does not remediate existing non-compliant resources.

156 · Multi-Select · medium

You are designing an identity solution for a multinational company that has a Microsoft Entra ID tenant. The company plans to acquire a smaller company that currently uses an on-premises Active Directory (AD) forest. The acquired company's users need to access Microsoft 365 applications and Azure resources. The solution must minimize identity management overhead. Which TWO actions should you include in the design? (Choose two.)

Select 2 answers
A. Configure Microsoft Entra Connect Sync to synchronize users from the on-premises AD to the new Entra ID tenant.
B. Federate the on-premises AD with the existing Microsoft Entra ID tenant.
C. Create a new Microsoft Entra ID tenant for the acquired company.
D. Establish a cross-tenant trust between the existing and new Entra ID tenants.
E. Use Microsoft Entra B2B collaboration to invite users from the acquired company.
Answers: A, C

Sync brings identities to the cloud without federation complexity.

Why this answer

Option A is correct because synchronizing users with Microsoft Entra Connect Sync brings the acquired company's on-premises identities into the cloud. Option C is correct because creating a new Microsoft Entra tenant for the acquired company isolates its identity management and minimizes overhead.

How to eliminate wrong answers

Option B is wrong because federation requires additional infrastructure and overhead. Option D is wrong because a cross-tenant trust between Entra ID tenants is not supported for authentication. Option E is wrong because B2B collaboration is for external users, not for employees of an acquired company.

157 · MCQ · medium

Your organization uses Microsoft Entra ID. You need to enforce multifactor authentication (MFA) for all guest users accessing a specific SharePoint Online site. What is the most efficient way to achieve this?

A. Use SharePoint site permissions to require MFA.
B. Create a Conditional Access policy targeting guest users and the SharePoint Online app.
C. Enable MFA per-user for each guest account.
D. Configure Microsoft Entra Entitlement Management to require MFA.
Answer: B

Conditional Access can enforce MFA for guest users and specific apps.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID allow you to enforce MFA specifically for guest users when they access the SharePoint Online app. This is the most efficient approach as it targets the exact user group (guests) and the specific application (SharePoint Online) without requiring per-user configuration or additional licensing overhead.

Exam trap

The trap here is that candidates often confuse SharePoint site permissions with identity-level security controls, assuming that MFA can be enforced at the site level, when in fact MFA must be enforced through Entra ID Conditional Access policies.

How to eliminate wrong answers

Option A is wrong because SharePoint site permissions control access at the site level but cannot enforce MFA; MFA is an identity-level security requirement managed by Entra ID, not SharePoint. Option C is wrong because enabling MFA per-user for each guest account is inefficient, requires manual management, and does not scale; it also lacks the granularity to target only the specific SharePoint Online site. Option D is wrong because Microsoft Entra Entitlement Management manages access packages and approval workflows, not MFA enforcement; it can require MFA as part of an access package policy, but that is not the most efficient or direct method for enforcing MFA on a single SharePoint site.

158 · MCQ · medium

Your company has multiple Azure subscriptions. You need to create a single query that aggregates resource utilization metrics across all subscriptions and visualizes them in a dashboard. Which combination of Azure services should you use?

A. Azure Monitor Log Analytics workspace and Azure Dashboards
B. Azure Policy and Azure Monitor Alerts
C. Azure Resource Graph and Azure Monitor Workbooks
D. Microsoft Sentinel and Azure Playbooks
Answer: C

Resource Graph can query across subscriptions, Workbooks can visualize.

Why this answer

Azure Resource Graph (ARG) can query across multiple subscriptions, resource groups, and resource types in a single query, making it ideal for aggregating utilization metrics. Azure Monitor Workbooks then provide a flexible, interactive canvas to visualize those query results in a dashboard, supporting rich visualizations and parameterized inputs.

Exam trap

The trap here is confusing Azure Resource Graph (which queries resource metadata and properties across subscriptions) with Azure Monitor Log Analytics (which queries log data within a single workspace), leading candidates to choose Option A for cross-subscription queries.

How to eliminate wrong answers

Option A is wrong because a Log Analytics query runs against its own workspace and cannot natively aggregate resource utilization across multiple subscriptions in a single query; Azure Dashboards can display data from multiple sources but lack the cross-subscription query capability. Option B is wrong because Azure Policy is used for governance and compliance (e.g., enforcing tags or allowed locations), not for querying or aggregating utilization metrics; Azure Monitor Alerts are for notification on conditions, not visualization. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution focused on security event analysis and threat detection, not resource utilization metrics; Azure Playbooks (automation runbooks) are for automated responses, not dashboards.

159 · MCQ · hard

You are reviewing a JSON policy for Microsoft Entra Privileged Identity Management (PIM) that governs activation of a privileged role for an Azure App Service. You notice that the policy has the configuration shown in the exhibit. You need to ensure that only members of the 'group-app-admins@contoso.com' group can activate the role and that activations are limited to 8 hours with approval required. However, users report that they cannot activate the role even though they are members of the group. What is the most likely cause?

A. The group 'group-app-admins@contoso.com' has an expiration policy that has expired.
B. The PIM role has not been scoped to the 'myapp' App Service resource.
C. The group 'group-app-admins@contoso.com' is a mail-enabled security group, which is not supported for PIM.
D. The approval required setting is incorrectly configured and requires a global administrator as approver.
Answer: B

Without proper scoping, the policy may not apply to the resource.

Why this answer

Option B is correct because PIM role assignments must be scoped to the specific resource (e.g., the 'myapp' App Service) in order for the policy to apply. Without proper scoping, the policy does not apply to the resource and group members cannot activate the role for it. Option A is wrong because the policy does not specify an expiration for the group membership.

Option C is wrong because there is no indication that the group is a mail-enabled security group. Option D is wrong because PIM does not require global admin approval by default.

160 · Multi-Select · hard

Which THREE components are required to monitor and audit Azure resource changes using Azure Monitor?

Select 3 answers
A. An Application Insights resource
B. A Log Analytics workspace
C. Diagnostic settings on resources to send logs to the workspace
D. Azure Activity Log export to the workspace
E. Azure Policy with audit effect
Answers: B, C, D

Log Analytics workspace stores log data for querying and alerting.

Why this answer

A Log Analytics workspace is required because it serves as the central repository where Azure Monitor collects and stores log data from various sources, including diagnostic settings and activity logs. Without a workspace, there is no destination for the logs to be ingested, queried, or analyzed, making it an essential component for monitoring and auditing resource changes.

Exam trap

The trap here is that candidates often confuse Azure Policy’s audit effect as a direct logging mechanism, when in fact it only evaluates compliance and requires diagnostic settings to send its data to a Log Analytics workspace for auditing.

161 · MCQ · hard

Refer to the exhibit. You run the KQL query in Azure Monitor Log Analytics. Which user accounts should you investigate first?

A. Users with the highest number of sign-in attempts.
B. Users who had sign-ins from anonymous IP addresses.
C. Users who have unfamiliar features in their sign-ins.
D. Users with more than 5 medium-risk sign-ins in the last day.
Answer: D

Exactly what the query returns.

Why this answer

Option D is correct because the KQL query filters for sign-ins where RiskLevelDuringSignIn equals 'medium' and then summarizes by UserPrincipalName, counting occurrences. Users with more than 5 medium-risk sign-ins in the last day indicate a pattern of suspicious activity that warrants immediate investigation, as medium-risk sign-ins often correspond to atypical travel, anonymous IPs, or unfamiliar properties, but the query specifically targets the count threshold as the trigger for escalation.

Exam trap

The trap here is that candidates may focus on the specific risk detection types (anonymous IPs, unfamiliar features) instead of recognizing that the query's explicit filter on RiskLevelDuringSignIn and the count threshold is the direct basis for the answer, not the underlying risk reasons.

How to eliminate wrong answers

Option A is wrong because the query does not count total sign-in attempts; it counts only medium-risk sign-ins, so a high number of total attempts is irrelevant to the query's output. Option B is wrong because while anonymous IP addresses can contribute to risk, the query does not filter by anonymous IPs; it filters by RiskLevelDuringSignIn equals 'medium', which may include anonymous IPs but is not limited to them. Option C is wrong because unfamiliar features are a specific risk detection type, but the query aggregates all medium-risk sign-ins regardless of the underlying risk reason, so unfamiliar features are not isolated or prioritized.

162 · MCQ · medium

You are designing a governance solution for a Microsoft Azure environment that contains multiple subscriptions. You need to ensure that all resources are compliant with corporate security policies. The solution must automatically remediate non-compliant resources. What should you include in the design?

A. Azure RBAC custom roles
B. Azure Policy with DeployIfNotExists effect
C. Azure Resource Graph queries
D. Azure Blueprints
Answer: B

Azure Policy with DeployIfNotExists can automatically remediate non-compliant resources.

Why this answer

Azure Policy with the DeployIfNotExists effect is the correct choice because it automatically remediates non-compliant resources by triggering a deployment (e.g., via a template) when a resource is created or updated and does not meet the policy condition. This ensures continuous compliance with corporate security policies without manual intervention, as the effect can also be assigned a remediation task to fix existing resources.

Exam trap

The trap here is that candidates often confuse Azure Policy's audit-only effects (like AuditIfNotExists) with the automatic remediation capability, or they mistakenly think Azure Blueprints can handle ongoing compliance enforcement, when in fact Blueprints are a one-time deployment orchestration tool and do not provide continuous remediation.

How to eliminate wrong answers

Option A is wrong because Azure RBAC custom roles control who can access and manage resources (authorization), not what configurations those resources must comply with (governance), and they cannot automatically remediate non-compliant resources. Option C is wrong because Azure Resource Graph queries are used for exploring and querying resources across subscriptions at scale, but they are read-only and cannot enforce or remediate compliance. Option D is wrong because Azure Blueprints are used to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates as a package, but they do not automatically remediate non-compliant resources after deployment; remediation requires Policy effects like DeployIfNotExists.

163 · MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition. Which virtual machines will be denied?

A. No virtual machines because the condition is invalid
B. All virtual machines regardless of SKU
C. Only virtual machines with SKU Standard_DS2_v2
D. All virtual machines except those with SKU Standard_DS2_v2
Answer: D

The deny effect applies when the SKU is not equal to Standard_DS2_v2.

Why this answer

The Azure Policy definition uses a 'deny' effect with a condition that checks if the virtual machine's SKU field is not equal to 'Standard_DS2_v2'. This means any VM whose SKU does not match 'Standard_DS2_v2' will be denied. Only VMs with the exact SKU 'Standard_DS2_v2' will be allowed, making option D correct.

Exam trap

The trap here is that candidates may misinterpret 'notEquals' as denying the specified SKU, when in fact it denies everything except that SKU, leading them to incorrectly choose option C.

How to eliminate wrong answers

Option A is wrong because the condition 'notEquals' is a valid Azure Policy condition operator, so the policy is not invalid. Option B is wrong because the policy specifically denies VMs that do not match the specified SKU, not all VMs. Option C is wrong because the policy denies VMs that are not 'Standard_DS2_v2', not only those with that SKU; it actually allows VMs with that SKU.

164 · MCQ · hard

You are designing an identity solution for a multinational company that uses Microsoft Entra ID. The company has a requirement that all users must authenticate using biometrics or FIDO2 security keys. Which Entra ID feature should you configure?

A. Passwordless authentication
B. Identity Protection
C. Entra Verified ID
D. Conditional Access policies
Answer: D

Conditional Access can require FIDO2 or Windows Hello for Business.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID allow you to enforce authentication strength requirements, such as requiring biometrics or FIDO2 security keys, by targeting specific user groups or applications. This is achieved by configuring a Conditional Access policy with the 'Require multifactor authentication' control and integrating with authentication methods like Windows Hello for Business or FIDO2 security keys, ensuring that only passwordless authentication methods meeting the company's biometric or FIDO2 requirement are permitted.

Exam trap

The trap here is that candidates confuse the authentication method itself (passwordless authentication) with the policy mechanism (Conditional Access) that enforces its use, leading them to select Option A instead of D.

How to eliminate wrong answers

Option A is wrong because Passwordless authentication is a category of authentication methods (e.g., Windows Hello, FIDO2, Microsoft Authenticator) but not a feature that enforces a requirement; it must be combined with Conditional Access policies to mandate its use. Option B is wrong because Identity Protection is a risk-based detection and remediation service (e.g., detecting leaked credentials or risky sign-ins) and does not enforce specific authentication methods like biometrics or FIDO2. Option C is wrong because Entra Verified ID is a decentralized identity solution for verifiable credentials (e.g., digital IDs for employees or customers) and is unrelated to enforcing authentication method requirements.

165 · MCQ · medium

A company uses Microsoft Entra ID. They need to automate the process of granting users access to a specific application only during business hours and revoking it automatically. The access should be based on a request-approval workflow. Which Microsoft Entra ID feature should they use?

A. Privileged Identity Management (PIM)
B. Conditional Access
C. Access Reviews
D. Entitlement Management
Answer: D

Entitlement Management enables creation of access packages with policies for time-limited access, approval workflows, and automatic revocation, meeting all requirements.

Why this answer

Entitlement Management (D) is correct because it provides automated access lifecycle management through access packages, which can include time-bound assignments (e.g., business hours) and require approval workflows. This allows you to define policies that grant access to the application only during specified hours and automatically revoke it when the policy expires or conditions change, without manual intervention.

Exam trap

The trap here is confusing Conditional Access (which controls access at authentication time) with Entitlement Management (which provisions and deprovisions access over time), leading candidates to pick B because they focus on the 'business hours' condition rather than the automated lifecycle workflow.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation (e.g., Global Administrator) and does not support time-bound access to non-privileged applications or request-approval workflows for standard users. Option B is wrong because Conditional Access enforces real-time access policies based on signals (e.g., location, device state) but cannot automate granting or revoking access through a request-approval workflow; it is a gate, not a provisioning mechanism. Option C is wrong because Access Reviews only provide periodic attestation of existing access (e.g., recertification) and do not automate the initial granting or time-bound revocation of access based on a request-approval process.

166 · Multi-Select · medium

You are designing a monitoring solution for a multi-region application deployed on Azure Virtual Machines and Azure SQL Database. The solution must provide a unified view of metrics and logs from all resources, detect anomalies using machine learning, and send alerts to the operations team. Which TWO capabilities should you include in the design?

Select 2 answers
A. Azure Service Health
B. Azure Application Insights
C. Azure Security Center
D. Azure Monitor
E. Azure Log Analytics
Answers: B, D

Application Insights, part of Azure Monitor, provides application performance monitoring and anomaly detection.

Why this answer

Azure Monitor is the core platform for collecting, analyzing, and acting on telemetry from Azure resources, including metrics and logs from VMs and SQL Database. Application Insights extends Azure Monitor with application performance management (APM) and built-in machine learning anomaly detection (e.g., Smart Detection) for proactive alerting. Together, they provide a unified monitoring view with ML-driven insights.

Exam trap

The trap here is that candidates often confuse Azure Log Analytics as a separate monitoring service rather than recognizing it as a component of Azure Monitor, leading them to select it as an independent capability instead of Azure Monitor itself.

167 · MCQ · medium

Your company operates in a highly regulated industry and must retain all sign-in logs for 7 years. The logs must be immutable and cannot be modified or deleted by administrators. You need to design a monitoring solution that stores sign-in logs in a cost-effective manner while meeting compliance requirements. The solution should also allow for real-time analysis of sign-in activity. What should you include in the design?

A. Stream sign-in logs to Log Analytics for real-time analysis and simultaneously archive them to an Azure Storage account with immutable blob policy (WORM).
B. Stream sign-in logs to Azure Event Hubs and then to cold storage in Azure Blob with lifecycle management.
C. Stream sign-in logs to Log Analytics workspace with 7-year retention and use Azure Policy to restrict deletion.
D. Use Azure Data Explorer to store logs for 7 years and configure a purge policy to prevent deletion.
Answer: A

Log Analytics provides real-time query; immutable storage ensures compliance.

Why this answer

Option A is correct because it meets both compliance and real-time analysis requirements. Streaming sign-in logs to Log Analytics enables real-time monitoring and querying, while simultaneously archiving them to an Azure Storage account with an immutable blob policy (WORM) ensures the logs cannot be modified or deleted for the required 7-year retention period. This combination provides cost-effective long-term storage (Azure Blob is cheaper than Log Analytics for long-term retention) and satisfies regulatory immutability mandates.

Exam trap

The trap here is that candidates often assume Log Analytics retention alone suffices for compliance, but Log Analytics does not provide immutable storage, and Azure Policy cannot prevent data modification within the workspace; the correct approach requires separate immutable archival in Azure Storage.

How to eliminate wrong answers

Option B is wrong because Azure Event Hubs is a real-time ingestion service, but cold storage in Azure Blob with lifecycle management does not provide immutability; lifecycle management can delete blobs based on rules, which violates the requirement that logs cannot be modified or deleted by administrators. Option C is wrong because Log Analytics workspace retention of 7 years does not guarantee immutability; Azure Policy can restrict deletion of the workspace but cannot prevent data modification or deletion within the workspace itself, and Log Analytics does not natively support WORM (Write Once, Read Many) compliance. Option D is wrong because Azure Data Explorer (ADX) is designed for interactive analytics, not long-term immutable archival; a purge policy is used to delete data, not to prevent deletion, and ADX does not provide WORM capabilities required for regulatory compliance.

168 · MCQ · medium

Your organization is implementing a zero-trust security model. You need to ensure that all access to corporate resources from mobile devices is conditional based on device compliance, user risk, and location. Which Microsoft Entra ID feature should you use?

A. Identity Protection
B. Microsoft Intune
C. Conditional Access policies
D. Microsoft Defender XDR
Answer: C

Conditional Access integrates with Intune compliance and Identity Protection to enforce granular access policies.

Why this answer

Conditional Access policies in Microsoft Entra ID are the correct choice because they allow you to enforce access controls based on conditions such as device compliance (via integration with Microsoft Intune), user risk (via integration with Identity Protection), and location (via IP ranges or named locations). This directly supports the zero-trust principle of 'never trust, always verify' by evaluating signals before granting access to corporate resources.

Exam trap

The trap here is that candidates often confuse Microsoft Intune (which manages device compliance) with the policy engine that enforces access decisions, failing to realize that Conditional Access is the orchestration layer that consumes compliance, risk, and location signals to enforce zero-trust access.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a feature within Entra ID that detects and responds to identity-based risks (e.g., leaked credentials, anonymous IP addresses), but it does not itself enforce access decisions or combine multiple conditions like device compliance and location—it only provides risk signals that Conditional Access policies can consume. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service that manages device compliance policies (e.g., requiring encryption, PIN), but it does not evaluate user risk or location, nor does it enforce conditional access decisions at the authentication gateway—it only reports device compliance status to Entra ID. Option D is wrong because Microsoft Defender XDR is a unified security incident and response platform that correlates alerts across endpoints, email, and identities, but it does not enforce real-time access control policies based on device compliance, user risk, or location at the authentication layer—it focuses on threat detection and response, not conditional access enforcement.

169
MCQmedium

A company uses Microsoft Entra ID. They want to block all access to corporate applications from devices that are not managed by their organization. They require that only devices enrolled in Microsoft Intune and compliant with company policies can access company resources. Which Microsoft Entra ID feature should they use?

A.Conditional Access policy requiring device compliance
B.Identity Protection with user risk policy
C.Privileged Identity Management (PIM)
D.Microsoft Entra ID Join process
AnswerA

Correct. Conditional Access evaluates device compliance (from Intune) and can block or grant access accordingly.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID can enforce device compliance as a condition for granting access. By configuring a policy that requires devices to be marked as compliant in Microsoft Intune, only devices enrolled and meeting company policies can access corporate applications, effectively blocking unmanaged devices.

Exam trap

The trap here is that candidates may confuse Identity Protection's user risk policies with device-based controls, or assume that simply joining a device to Entra ID (Option D) is sufficient to enforce compliance, when in fact a Conditional Access policy is required to block non-compliant devices.

How to eliminate wrong answers

Option B is wrong because Identity Protection with user risk policy focuses on detecting and responding to risky user behavior (e.g., leaked credentials, anonymous IP addresses) rather than evaluating device management or compliance status. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and role activation controls, not device-level access restrictions. Option D is wrong because Microsoft Entra ID Join is a device identity registration process that enables devices to authenticate with Entra ID, but it does not by itself enforce compliance policies or block non-compliant devices; it must be combined with a Conditional Access policy to achieve the described requirement.

170
MCQhard

You are designing a monitoring solution for a hybrid environment with on-premises servers and Azure VMs. You need to collect performance data from all servers and visualize it in a single dashboard. Which Azure service should you use?

A.Azure Service Health
B.Azure Workbooks
C.Azure Arc
D.Azure Monitor
AnswerD

Azure Monitor can collect data from hybrid environments and create dashboards.

Why this answer

Azure Monitor is the correct service because it provides a unified platform for collecting, analyzing, and visualizing performance data from both on-premises servers and Azure VMs. By deploying the Azure Monitor agent on all servers, you can send metrics and logs to a single Log Analytics workspace and then use Azure Workbooks or Metrics Explorer to create a consolidated dashboard.

Exam trap

The trap here is that candidates often confuse Azure Workbooks (a visualization tool) with a monitoring solution, forgetting that Workbooks are just a presentation layer and require a data source like Azure Monitor to function.

How to eliminate wrong answers

Option A is wrong because Azure Service Health is a service that provides personalized alerts and guidance for Azure service issues and planned maintenance, not for collecting or visualizing server performance data. Option B is wrong because Azure Workbooks is a visualization tool that can create rich dashboards, but it is not a data collection service; it relies on data already in Azure Monitor (e.g., Log Analytics or Metrics). Option C is wrong because Azure Arc extends Azure management and governance to on-premises and multi-cloud resources, but it does not itself collect performance data or provide a dashboard; it can enable Azure Monitor agents on those servers, but the monitoring and visualization are still done by Azure Monitor.

171
MCQeasy

Your company uses Azure Policy to enforce tagging standards. You need to ensure that any new resource group automatically inherits the 'CostCenter' tag from its subscription. Which Azure Policy effect should you use?

A.modify
B.deny
C.audit
D.append
AnswerA

Modify effect can add or update tags, including inheriting from subscription.

Why this answer

The 'modify' effect is correct because it enables Azure Policy to add, update, or remove tags on resources and resource groups during creation or update. When combined with a 'deployIfNotExists' policy that targets resource groups, the 'modify' effect can automatically apply the 'CostCenter' tag from the subscription to any new resource group at creation time, ensuring inheritance without manual intervention.

Exam trap

The trap here is that candidates often confuse 'append' with 'modify', assuming 'append' can dynamically inherit tags, but 'append' only adds static values and cannot reference the subscription's tag or trigger remediation tasks.

How to eliminate wrong answers

Option B is wrong because 'deny' blocks the creation or update of a resource that does not comply with the policy, but it does not automatically add or inherit tags; it only prevents non-compliant resources from being created. Option C is wrong because 'audit' only logs non-compliant resources for evaluation without taking any automatic remediation action, so tags would not be inherited. Option D is wrong because 'append' adds fields to a resource during creation or update but cannot modify existing tags or handle complex inheritance logic; it is limited to adding new properties and does not support the 'deployIfNotExists' remediation task required for tag inheritance.

172
MCQeasy

A company uses Microsoft Entra ID. They need to allow external business partners to request access to a specific application. The access must be time-limited and require approval from the partner's manager. Additionally, access must automatically expire after the defined period. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Entra ID Entitlement Management
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Access Reviews
AnswerB

Entitlement Management allows administrators to create catalogs of access packages, which can include external users, with approval workflows and automatic expiration and removal.

Why this answer

Microsoft Entra ID Entitlement Management enables organizations to manage access for external business partners through access packages. These packages can enforce time-limited access, require manager approval, and automatically expire access after a defined period, directly meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse Entitlement Management with PIM because both involve time-limited access, but PIM is strictly for privileged roles within the organization, not for external partner application access with manager approval.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight, not for granting time-limited access to applications for external partners. Option C is wrong because Identity Protection focuses on detecting and responding to identity-based risks, such as compromised credentials or suspicious sign-ins, not on managing access requests or approvals. Option D is wrong because Access Reviews are used to periodically audit and confirm existing access assignments, not to handle initial access requests with manager approval and automatic expiration.

173
MCQmedium

Your company has a Microsoft Entra ID tenant with 10,000 users. You are designing an identity governance solution to automate user access reviews for critical applications. The compliance team requires that access reviews be conducted quarterly and that any reviewer who does not respond within 7 days have their decisions auto-approved. You need to implement the solution using Microsoft Entra ID Governance. What should you do?

A.Use Microsoft Entra Privileged Identity Management (PIM) to require activation for access to critical applications.
B.Create an access review with 'Auto deny' after 7 days of no response.
C.Create a recurring campaign in Microsoft Purview Compliance Manager.
D.Create an access review with 'Auto approve' after 7 days of no response.
AnswerD

Auto-approve meets the requirement to approve if no response within 7 days.

Why this answer

Option D is correct because an access review with auto-approve after 7 days of no response meets the requirement. Option B is wrong because auto-deny would revoke access, not approve it. Option A is wrong because PIM is for privileged roles, not general access reviews.

Option C is wrong because recurring campaigns in Microsoft Purview are for data classification, not access reviews.

174
MCQmedium

A company wants to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to require multi-factor authentication (MFA) or block the sign-in in real time. Additionally, they need a dashboard that shows risk events and allows generating weekly risk reports. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Identity Protection
B.Microsoft Entra ID Conditional Access
C.Microsoft Entra ID Privileged Identity Management
D.Microsoft Entra ID Identity Governance
AnswerA

Identity Protection detects risky sign-ins and user behavior and allows automated responses (MFA, block) along with risk reporting.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it specifically detects sign-in risks such as anonymous IP addresses and unfamiliar locations, and it can automatically enforce conditional access policies like requiring MFA or blocking sign-ins in real time. It also provides a dashboard for risk events and supports generating weekly risk reports, directly matching all stated requirements.

Exam trap

The trap here is that candidates often mistake Conditional Access for the detection mechanism, but it is only the enforcement layer; Identity Protection is the service that actually detects the risks and provides the risk signals that Conditional Access uses.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls based on conditions, but it does not itself detect risks like anonymous IPs or unfamiliar locations; it relies on Identity Protection to provide risk signals. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews, not risk detection or sign-in anomaly monitoring. Option D is wrong because Identity Governance focuses on access lifecycle management, entitlement reviews, and compliance, not real-time risk detection or MFA enforcement during sign-in.

175
MCQmedium

A company uses Microsoft Entra ID for identity management. They want to enforce that only devices compliant with security policies (e.g., BitLocker enabled, antivirus running) can access corporate cloud applications (Microsoft 365 and custom SaaS apps). They also need a dashboard to monitor device compliance status. Which Microsoft Entra ID feature(s) should they configure?

A.Conditional Access policies with device compliance conditions, and Microsoft Intune for compliance management
B.Microsoft Entra ID Identity Protection with user risk policies
C.Microsoft Entra ID Access Reviews
D.Microsoft Entra ID Device Registration only
AnswerA

Conditional Access enforces device compliance for access. Intune defines and monitors compliance policies. The Intune console provides compliance dashboards.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID can enforce device compliance as a condition for granting access to cloud applications, while Microsoft Intune provides the device compliance policies (e.g., BitLocker, antivirus) and the dashboard to monitor compliance status. Together, they ensure only compliant devices can access corporate resources and provide visibility into device health.

Exam trap

The trap here is that candidates often confuse Identity Protection (user risk) with device compliance, or assume Device Registration alone is sufficient, missing the need for Intune to define and monitor compliance policies.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection focuses on user and sign-in risk (e.g., leaked credentials, anonymous IP addresses), not device compliance status or enforcement. Option C is wrong because Microsoft Entra ID Access Reviews are used for periodic attestation of group memberships, application access, and role assignments, not for device compliance monitoring or conditional access based on device state. Option D is wrong because Microsoft Entra ID Device Registration only registers devices in the directory, but without Intune or Conditional Access, it cannot enforce compliance policies or provide a compliance dashboard.

176
MCQhard

Refer to the exhibit. You assign this Azure Policy to a management group. A user creates a new virtual machine without any tags. What will happen?

A.The policy is not evaluated because the resource is new.
B.The virtual machine is created with the 'Environment' tag automatically added.
C.The virtual machine creation is denied.
D.The virtual machine is created without the tag, and a compliance alert is generated.
AnswerB

The 'modify' effect adds the tag during resource creation.

Why this answer

The Azure Policy in the exhibit uses the 'DeployIfNotExists' effect, which automatically deploys a tag (e.g., 'Environment') to resources that lack it during creation or update. Since the policy is assigned at the management group level, it applies to all child subscriptions and resources, including new virtual machines. When a user creates a VM without tags, the policy evaluates the resource and adds the missing tag without denying the creation or requiring manual intervention.

Exam trap

The trap here is that candidates confuse 'DeployIfNotExists' with 'Deny' or 'Audit', assuming a missing tag will block creation or only generate an alert, rather than understanding that 'DeployIfNotExists' automatically remediates the non-compliance.

How to eliminate wrong answers

Option A is wrong because Azure Policy evaluates all resources, including new ones, at creation time; the 'DeployIfNotExists' effect specifically triggers on new resources. Option C is wrong because the policy uses 'DeployIfNotExists', not 'Deny', so the VM creation is allowed and the tag is added automatically. Option D is wrong because the policy does not generate a compliance alert; it actively remediates the missing tag by deploying it, and compliance is reported as non-compliant until remediation completes.

177
MCQhard

A company uses Microsoft Entra ID Premium P2. They need to automatically detect users whose credentials have been leaked and require them to reset their password at their next sign-in. Additionally, they want to block sign-ins from anonymous IP addresses (e.g., Tor network). Which combination of Microsoft Entra ID features should they enable to meet both requirements?

A.Conditional Access with MFA policy and Identity Protection sign-in risk policy
B.Identity Protection user risk policy and sign-in risk policy
C.Privileged Identity Management and Conditional Access
D.Microsoft Entra ID Connect Health and Identity Protection
AnswerB

Identity Protection user risk policy can detect leaked credentials and force password change on sign-in. The sign-in risk policy can block sign-ins from anonymous IP addresses, meeting both requirements.

Why this answer

Option B is correct because Identity Protection user risk policy can automatically detect leaked credentials and force a password reset at next sign-in, while the sign-in risk policy can block sign-ins from anonymous IP addresses (e.g., Tor). These two policies together address both requirements without needing additional Conditional Access or MFA policies.

Exam trap

The trap here is that candidates confuse Conditional Access with Identity Protection risk policies, not realizing that leaked credential detection and anonymous IP blocking are native Identity Protection risk policies, not Conditional Access controls.

How to eliminate wrong answers

Option A is wrong because Conditional Access with MFA policy does not detect leaked credentials or block anonymous IPs; it only enforces MFA based on conditions, not risk. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged access and does not detect leaked credentials or block anonymous IPs; Conditional Access alone cannot detect leaked credentials without Identity Protection. Option D is wrong because Microsoft Entra ID Connect Health monitors synchronization health and does not provide user risk or sign-in risk policies for leaked credentials or anonymous IP blocking.

178
MCQmedium

Your organization has multiple Azure subscriptions. You need to create a central view of policy compliance across all subscriptions. What should you use?

A.Azure Monitor
B.Azure Policy compliance dashboard
C.Azure Resource Graph
D.Azure Blueprints
AnswerB

The compliance dashboard shows policy compliance across subscriptions.

Why this answer

Option B is correct because Azure Policy compliance dashboard shows compliance across subscriptions. Option A is wrong because Azure Monitor is for telemetry. Option C is wrong because Azure Resource Graph is for querying resources.

Option D is wrong because Azure Blueprints is for deploying environments.

179
MCQeasy

A company uses Microsoft Entra ID. They need to generate periodic reports of user sign-ins and audit activities for compliance. They want to store the logs for 1 year. Which Azure service should they use?

A.Microsoft Entra ID sign-in logs and audit logs with retention set to 1 year in the Azure portal
B.Azure Monitor Log Analytics workspace with Microsoft Entra ID diagnostic settings
C.Azure Storage account with lifecycle management
D.Azure Event Hubs for streaming
AnswerB

Diagnostic settings send logs to Log Analytics, which allows configurable retention up to 2 years (or more).

Why this answer

Option B is correct because Microsoft Entra ID sign-in and audit logs are retained for only 30 days by default. To store them for 1 year, you must route the logs via diagnostic settings to an Azure Monitor Log Analytics workspace, which allows configurable retention up to 2 years (or more with a commitment tier). This is the only native Azure service that supports long-term retention of Entra ID logs for compliance reporting.

Exam trap

The trap here is that candidates assume the Azure portal's retention slider for Entra ID logs can be extended beyond 30 days, but Microsoft intentionally limits it to 30 days to force the use of diagnostic settings and Log Analytics for long-term retention.

How to eliminate wrong answers

Option A is wrong because the Azure portal's retention setting for Entra ID sign-in and audit logs only allows a maximum of 30 days; you cannot set it to 1 year directly in the portal. Option C is wrong because while an Azure Storage account with lifecycle management can store logs for 1 year, it does not support querying or generating periodic compliance reports—it is a cold storage solution, not a reporting tool. Option D is wrong because Azure Event Hubs is a real-time streaming service for log ingestion, not a storage or reporting solution; it cannot retain logs for 1 year or generate periodic reports.

180
MCQhard

Refer to the exhibit. You are reviewing a Bicep template for a storage account. You need to ensure that the storage account is only accessible via HTTPS and uses TLS 1.2. Which property validates this requirement?

A.type: Microsoft.Storage/storageAccounts
B.accessTier: Hot
C.supportsHttpsTrafficOnly: true and minimumTlsVersion: TLS1_2
D.name: stprod001
AnswerC

These properties enforce HTTPS and TLS 1.2.

Why this answer

Option C is correct because the `supportsHttpsTrafficOnly` property enforces that all traffic to the storage account must use HTTPS, and the `minimumTlsVersion` property set to `TLS1_2` ensures that only TLS 1.2 or higher is accepted. Together, these two properties satisfy the requirement of HTTPS-only access with TLS 1.2, as defined in the Azure Storage security baseline.

Exam trap

The trap here is that candidates often confuse `supportsHttpsTrafficOnly` with a simple boolean toggle and forget that `minimumTlsVersion` is a separate, required property to enforce the specific TLS version, leading them to select an option that only partially addresses the requirement.

How to eliminate wrong answers

Option A is wrong because the `type` property only declares the resource provider and type (`Microsoft.Storage/storageAccounts`), not any security settings for HTTPS or TLS. Option B is wrong because `accessTier: Hot` controls the storage tier (Hot, Cool, Archive) for blob data, not transport security protocols. Option D is wrong because the `name` property simply assigns the storage account name (`stprod001`) and has no effect on HTTPS or TLS enforcement.

181
MCQeasy

You need to design a solution to monitor the performance of an Azure SQL Database. You want to create a dashboard that shows the top 10 queries by CPU usage over the last hour. What should you use?

A.Azure Monitor Workbooks
B.Power BI
C.Azure SQL Analytics
D.Log Analytics
AnswerC

Azure SQL Analytics provides pre-built performance monitoring dashboards.

Why this answer

Azure SQL Analytics is a dedicated monitoring solution for Azure SQL Database that provides built-in views and dashboards for top queries by CPU, duration, and other performance metrics. It leverages the Query Store and DMVs to surface the top 10 queries by CPU usage over the last hour without requiring custom queries or additional configuration.

Exam trap

The trap here is that candidates confuse Azure SQL Analytics (a dedicated monitoring solution) with Log Analytics (the underlying data platform) or Azure Monitor Workbooks (a general-purpose dashboard tool), assuming any of them can provide the same pre-built top queries view without additional effort.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Workbooks are customizable, interactive dashboards but do not provide pre-built, out-of-the-box views for top queries by CPU; they require manual configuration of KQL queries to extract that data. Option B is wrong because Power BI is a business analytics service for creating reports from various data sources, not a native Azure SQL monitoring tool, and it would require complex data export and transformation to replicate the built-in top queries view. Option D is wrong because Log Analytics is the underlying data store and query engine for Azure Monitor logs, but it does not offer a ready-made dashboard for top queries by CPU; you would need to write custom KQL queries and build visualizations from scratch.

182
MCQmedium

You are designing a monitoring solution for a hybrid environment with on-premises servers and Azure VMs. You need to collect security events and performance data centrally, and create custom alerts. The solution must use the same agent for both environments. Which agent should you deploy?

A.Log Analytics agent (MMA)
B.Azure Monitor Agent
C.Microsoft Dependency Agent
D.Azure Diagnostics extension
AnswerB

Unified agent for all environments, collects security and performance data.

Why this answer

Azure Monitor Agent (AMA) is the correct choice because it is the next-generation agent that replaces the legacy Log Analytics agent (MMA) and supports both Windows and Linux machines in hybrid and Azure environments. It collects security events and performance data into a single Log Analytics workspace and enables custom alert rules via data collection rules (DCRs), all with a single agent deployment.

Exam trap

The trap here is that candidates often mistake the Log Analytics agent (MMA) for the 'standard' hybrid agent, not realizing it is being replaced by Azure Monitor Agent, which is the only agent that meets the 'same agent for both environments' requirement with unified data collection rules.

How to eliminate wrong answers

Option A is wrong because the Log Analytics agent (MMA) is legacy and will be deprecated by August 2024; it requires separate agents for different data types and does not support the same unified data collection rules as Azure Monitor Agent. Option C is wrong because the Microsoft Dependency Agent is used exclusively for service map and VM insights topology data, not for general security event or performance data collection, and it must be paired with another agent (MMA or AMA) to function. Option D is wrong because the Azure Diagnostics extension is designed for Azure VMs only, collecting boot diagnostics and guest OS metrics to Azure Storage or Event Hubs, not for hybrid on-premises servers, and it does not support custom alerts via Log Analytics workspaces.

183
MCQeasy

A company uses Microsoft Entra ID. They need to automatically detect sign-ins from users with leaked credentials and prompt those users to reset their password during the next sign-in. Which Microsoft Entra ID feature should they enable?

A.Microsoft Entra ID Identity Protection
B.Conditional Access
C.Privileged Identity Management (PIM)
D.Microsoft Entra ID B2B
AnswerA

Identity Protection detects risks like leaked credentials and can trigger automated remediation such as password reset.

Why this answer

Microsoft Entra ID Identity Protection includes a 'Leaked Credentials' detection capability that continuously monitors for credentials exposed in known data breaches. When a user's credentials are detected as leaked, Identity Protection can automatically trigger a password reset during the next sign-in, ensuring the compromised credentials are no longer usable.

Exam trap

The trap here is that candidates often confuse Conditional Access (which can enforce password changes via a 'Require password change' grant control) with Identity Protection, but Conditional Access alone cannot detect leaked credentials—it only enforces policies after a risk is detected by Identity Protection.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because Conditional Access enforces access policies based on signals like location or device compliance, but it does not natively detect leaked credentials or trigger password resets. Option C (Privileged Identity Management) is wrong because PIM manages just-in-time privileged role activation and access reviews, not credential compromise detection. Option D (Microsoft Entra ID B2B) is wrong because B2B is designed for external user collaboration and guest access, not for detecting leaked credentials or enforcing password resets.

184
MCQeasy

Your organization uses Microsoft Purview to govern data across Azure and on-premises sources. You need to ensure that sensitive data, such as credit card numbers, is automatically detected and classified in Azure Blob Storage. Which Purview feature should you configure?

A.Microsoft Sentinel
B.Data catalog search
C.Data classification scanning with built-in sensitive information types
D.Data lineage tracking
AnswerC

Purview scans data sources and applies classification labels based on sensitive types like credit card numbers.

Why this answer

Option C is correct because Microsoft Purview's data classification scanning can be configured to automatically detect sensitive data like credit card numbers using built-in sensitive information types (e.g., Credit Card Number). When a scan is run against Azure Blob Storage, Purview identifies and classifies the data based on these predefined patterns, enabling governance and compliance.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Purview's classification capabilities, or assume data lineage or catalog search can perform content inspection, when only classification scanning with sensitive information types can automatically detect sensitive data.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) tool for threat detection and response, not for data classification or governance. Option B is wrong because Data catalog search is a feature for discovering and searching assets already registered in Purview, not for automatically detecting or classifying sensitive data. Option D is wrong because Data lineage tracking captures how data moves and transforms across systems, but it does not perform content inspection or classification of sensitive information.

185
MCQeasy

A company wants to collect metrics and logs from all Azure resources in their subscription, including custom metrics from their applications, and create dashboards and alerts. Which Azure service should they use as the primary monitoring platform?

A.Azure Monitor
B.Azure Log Analytics
C.Azure Application Insights
D.Azure Service Health
AnswerA

Azure Monitor is the unified platform for collecting, analyzing, and acting on telemetry from Azure resources, including custom metrics and logs. It provides dashboards and alerting.

Why this answer

Azure Monitor is the correct primary monitoring platform because it serves as the single, unified ingestion and analysis service for all metrics and logs across Azure resources, including custom metrics from applications via the Application Insights SDK or the custom metrics API. It provides a consolidated workspace for creating dashboards, setting alerts, and querying data, making it the foundational service for observability in Azure.

Exam trap

The trap here is that candidates often confuse Azure Monitor with its sub-services like Log Analytics or Application Insights, failing to recognize that Azure Monitor is the umbrella service that encompasses both metrics and logs, while the others are specialized components within it.

How to eliminate wrong answers

Option B (Azure Log Analytics) is wrong because it is a component within Azure Monitor that stores and queries log data, not the overarching monitoring platform; it lacks native support for metrics and dashboards without Azure Monitor as the parent. Option C (Azure Application Insights) is wrong because it is a subset of Azure Monitor focused specifically on application performance monitoring (APM) for live web apps, not a platform for collecting infrastructure metrics or logs from all Azure resources. Option D (Azure Service Health) is wrong because it only provides personalized alerts and guidance for Azure service issues and planned maintenance, not the collection of metrics, logs, or custom application data.

186
MCQ · easy

Your company is migrating on-premises applications to Azure. The identity team wants to synchronize on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID. You need to recommend a solution that ensures users can authenticate with their corporate credentials and that password changes are synchronized immediately. What should you recommend?

A. Microsoft Entra Connect with federation (AD FS)
B. Microsoft Entra Connect with pass-through authentication (PTA)
C. Microsoft Entra Connect with cloud sync
D. Microsoft Entra Connect with password hash synchronization (PHS)
Answer: D

PHS synchronizes password hashes to Microsoft Entra ID, enabling immediate password change synchronization.

Why this answer

Password hash synchronization (PHS) is the correct choice because it synchronizes password hashes from on-premises AD DS to Microsoft Entra ID, enabling immediate password change synchronization. This ensures users can authenticate with their corporate credentials without requiring additional infrastructure like federation servers, and password changes are propagated in near real-time (typically within minutes).

Exam trap

The trap here is that candidates often confuse 'immediate password change synchronization' with pass-through authentication or federation, not realizing that PHS is the only option that actually synchronizes password hashes to the cloud for immediate use.

How to eliminate wrong answers

Option A is wrong because federation (AD FS) does not synchronize password hashes; it redirects authentication to on-premises AD DS, so password changes are not synchronized to the cloud and immediate sync is not a feature of federation. Option B is wrong because pass-through authentication (PTA) validates passwords directly against on-premises AD DS without storing hashes in the cloud, so password changes are not synchronized to Microsoft Entra ID. Option C is wrong because cloud sync is designed for lightweight sync of users and groups from multiple forests, but it does not support immediate password change synchronization; it relies on periodic sync cycles.

187
MCQ · medium

Your organization uses Microsoft Entra ID and has a hybrid identity deployment with Active Directory Domain Services (AD DS) on-premises. You need to synchronize user identities to Microsoft Entra ID, but you must ensure that password hashes are never stored in the cloud. Which synchronization method should you use?

A. Password Hash Sync
B. Federation with AD FS
C. Pass-through Authentication (PTA)
D. Azure AD Connect Cloud Sync
Answer: C

PTA authenticates users against on-premises AD without storing password hashes in the cloud.

Why this answer

Pass-through Authentication (PTA) is the correct choice because it validates user passwords directly against on-premises Active Directory without ever storing password hashes in Azure AD. This meets the requirement that password hashes are never stored in the cloud, as PTA uses an agent on-premises to authenticate users, and only the validation result is sent to Azure AD.

Exam trap

The trap here is that candidates often confuse Pass-through Authentication with Password Hash Sync, assuming that any synchronization method must store password hashes in the cloud, but PTA avoids this by performing real-time validation without hash storage.

How to eliminate wrong answers

Option A is wrong because Password Hash Sync synchronizes a hash of the user's password to Azure AD, which directly violates the requirement that password hashes are never stored in the cloud. Option B is wrong because Federation with AD FS does not store password hashes in Azure AD, but it introduces a separate federation infrastructure and is not primarily a synchronization method; the question asks for a synchronization method, and AD FS is an identity federation service, not a synchronization tool. Option D is wrong because Azure AD Connect Cloud Sync uses Password Hash Sync by default and can also support Pass-through Authentication, but it is a lightweight synchronization agent that still stores password hashes in the cloud if Password Hash Sync is enabled; the question requires a method that ensures password hashes are never stored, which is not guaranteed by Cloud Sync alone.

188
MCQ · medium

Refer to the exhibit. You have an Azure Policy definition as shown. The policy is assigned at the subscription scope. What is the result when a user tries to create a VM with SKU Standard_D8s_v3?

A. The VM is created successfully.
B. The VM is created but flagged as non-compliant.
C. The VM SKU is automatically changed to Standard_D4s_v3.
D. The VM creation is denied.
Answer: D

Standard_D8s_v3 is not in the allowed list.

Why this answer

The Azure Policy definition shown uses a 'Deny' effect for VM SKUs that do not match the allowed list. Since Standard_D8s_v3 is not in the allowed list (which includes Standard_D2s_v3 and Standard_D4s_v3), the policy denies the VM creation. The 'Deny' effect prevents the resource from being created and logs a denial event in the activity log.

Exam trap

The trap here is that candidates may confuse the 'Deny' effect with 'Audit' or 'Modify', assuming non-compliant resources are either flagged or auto-corrected, rather than understanding that 'Deny' blocks creation outright.

How to eliminate wrong answers

Option A is wrong because the 'Deny' effect explicitly blocks creation of non-compliant resources, so the VM cannot be created successfully. Option B is wrong because the 'Deny' effect prevents creation entirely; the 'Audit' effect would allow creation and flag non-compliance, but this policy uses 'Deny'. Option C is wrong because Azure Policy does not automatically modify SKUs; it only enforces compliance through effects like Deny, Audit, or Modify, and the 'Modify' effect is not used here.
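The exhibit is not reproduced on this page. As an added example (not the exam's exhibit), this is an Azure Policy definition of the kind the question describes: it denies any virtual machine whose SKU is not in a parameterised allowed list. The display name and the default list of SKUs are constructed for illustration.

```json
{
  "properties": {
    "displayName": "Allowed virtual machine SKUs (deny)",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed SKUs",
          "description": "VM sizes that may be deployed within the assignment scope"
        },
        "defaultValue": ["Standard_D2s_v3", "Standard_D4s_v3"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigned at subscription scope, a request for Standard_D8s_v3 fails the 'in' check, so the 'deny' effect rejects the deployment and a denial entry appears in the activity log. Resources created outside the assignment scope are not evaluated at all, which is the situation described in question 202.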

189
MCQ · hard

A multinational company uses Microsoft Entra ID with a custom domain. They need to implement a governance strategy for Microsoft 365 groups, ensuring that group expiration policies are enforced and that group owners receive renewal notifications. What should you configure?

A. Microsoft Purview compliance portal – Data Lifecycle Management
B. Microsoft Entra ID – Group settings (Expiration policy)
C. Microsoft Intune – Device compliance policies
D. Microsoft Sentinel – Analytics rules
Answer: B

Expiration policies for Microsoft 365 groups are configured in Entra ID under Group settings.

Why this answer

Option B is correct because Microsoft Entra ID's Group settings include an expiration policy specifically designed to enforce lifecycle management for Microsoft 365 groups. This policy allows administrators to set a group expiration period (e.g., 180, 365 days) and automatically sends renewal notification emails to group owners before expiration, enabling them to renew the group if needed. This directly meets the requirement for enforcing group expiration and renewal notifications.

Exam trap

The trap here is that candidates often confuse Microsoft Purview's data lifecycle management with group lifecycle management, or mistakenly think Intune or Sentinel can handle group expiration policies, when in fact only Microsoft Entra ID's group settings provide the specific expiration and renewal notification functionality.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview compliance portal – Data Lifecycle Management focuses on retention and deletion of content (e.g., emails, documents) based on labels, not on managing the lifecycle of Microsoft 365 groups or sending renewal notifications to group owners. Option C is wrong because Microsoft Intune – Device compliance policies are used to enforce security and compliance requirements on managed devices (e.g., requiring encryption, PIN), not to manage group expiration or renewal notifications. Option D is wrong because Microsoft Sentinel – Analytics rules are used for security detection and threat hunting by analyzing logs and alerts, not for configuring group expiration policies or sending renewal notifications.

190
MCQ · hard

A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?

A. Azure Policy with built-in policy to enforce MFA and Azure Activity Log to monitor changes.
B. Microsoft Entra ID Conditional Access policy to require MFA for Azure management and Azure Monitor with Log Analytics for monitoring.
C. Microsoft Entra ID Identity Protection to enforce MFA and Azure Sentinel for monitoring.
D. Azure Policy to assign built-in policy 'MFA should be enabled on accounts with write permissions' and Azure Security Center for monitoring.
Answer: B

Conditional Access policies are the appropriate way to enforce MFA for accessing Azure Portal (Azure Management cloud app). Azure Monitor can collect Activity Logs from Microsoft Entra ID and Azure subscriptions to track changes to Conditional Access policies or other critical resources, and Log Analytics can be used for querying and alerting.

Why this answer

Option B is correct because Microsoft Entra ID Conditional Access policies can enforce MFA specifically for Azure management (including the Azure portal), and Azure Monitor with Log Analytics provides the monitoring and reporting of policy changes via the Azure Activity Log. This combination directly addresses both requirements: enforcing MFA for administrators and auditing changes to the Conditional Access policy itself.

Exam trap

The trap here is confusing Azure Policy (which enforces resource configuration) with Conditional Access (which enforces user authentication), leading candidates to incorrectly choose Azure Policy for MFA enforcement on the Azure portal.

How to eliminate wrong answers

Option A is wrong because Azure Policy enforces compliance of Azure resources (e.g., requiring MFA on VMs), not user authentication behavior like MFA for portal access; the built-in policy 'MFA should be enabled on accounts with write permissions' is a guest configuration policy that checks account settings, not a real-time enforcement mechanism. Option C is wrong because Microsoft Entra ID Identity Protection is designed to detect and respond to identity risks (e.g., leaked credentials), not to enforce MFA for all administrators accessing the Azure portal; it can trigger MFA via Conditional Access but is not the primary enforcement service. Option D is wrong because Azure Policy's built-in policy 'MFA should be enabled on accounts with write permissions' is a compliance audit policy, not an enforcement mechanism, and Azure Security Center (now Microsoft Defender for Cloud) focuses on security posture and threat protection, not on monitoring policy changes for Conditional Access or MFA enforcement.

191
MCQ · easy

A company uses Microsoft Entra ID for identity management. They want to ensure that users accessing sensitive data from unmanaged devices are prompted for multifactor authentication (MFA) and must accept a terms-of-use. Which policy should be configured?

A. Terms-of-use policy
B. Conditional Access policy
C. Identity Protection policy
D. Privileged Identity Management (PIM) policy
Answer: B

Conditional Access can target unmanaged devices and require MFA and terms-of-use.

Why this answer

Conditional Access policies in Microsoft Entra ID allow granular control over access based on conditions such as device state (managed vs. unmanaged). By configuring a policy that targets unmanaged devices, you can enforce MFA and require acceptance of a terms-of-use before granting access to sensitive data. This directly meets the requirement without needing separate policies for MFA and terms-of-use.

Exam trap

The trap here is that candidates often confuse a standalone Terms-of-use policy (Option A) with the ability to enforce it conditionally, not realizing that Conditional Access is required to tie the terms-of-use acceptance to a specific condition like unmanaged devices.

How to eliminate wrong answers

Option A is wrong because a Terms-of-use policy alone only creates and displays the terms document; it cannot enforce MFA or trigger based on device state. Option C is wrong because Identity Protection policies focus on risk-based signals (e.g., leaked credentials, sign-in anomalies) and do not natively enforce terms-of-use acceptance or device-based conditions. Option D is wrong because Privileged Identity Management (PIM) policies manage just-in-time access and approval workflows for privileged roles, not general user access conditions like device state or MFA enforcement.

192
MCQ · easy

Your company is migrating on-premises applications to Azure. You need to ensure that users can sign in using their existing on-premises Active Directory credentials without duplicating accounts. Which identity solution should you recommend?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra External ID
C. Microsoft Entra Connect
D. Microsoft Entra Domain Services
Answer: C

Entra Connect synchronizes on-premises AD with Microsoft Entra ID, allowing users to sign in with their existing credentials.

Why this answer

Microsoft Entra Connect (formerly Azure AD Connect) is the correct solution because it synchronizes on-premises Active Directory identities to Microsoft Entra ID, enabling users to sign in with their existing credentials via password hash synchronization, pass-through authentication, or federation. This avoids duplicating accounts by maintaining a single identity source of truth, with optional seamless single sign-on (SSO) for a transparent experience.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Domain Services (which provides domain-join capabilities for Azure VMs) with identity synchronization, but it does not sync user credentials for cloud app authentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration is designed for external guest users (e.g., partners or vendors) to access your applications using their own identities, not for synchronizing existing on-premises AD users. Option B is wrong because Microsoft Entra External ID is a customer-facing identity platform for external consumer or customer scenarios, not for integrating an organization's own on-premises Active Directory. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for Azure VMs without domain-joining them to an on-premises DC, but it does not synchronize user credentials from on-premises AD for cloud app sign-in.

193
MCQ · easy

You need to configure a monitoring solution for Azure virtual machines that collects performance counters, event logs, and enables alerting based on CPU usage exceeding 90%. Which Azure service should you use?

A. Azure Policy
B. Microsoft Sentinel
C. Azure Monitor
D. Azure Update Manager
Answer: C

Azure Monitor collects performance counters, event logs, and supports metric alerts.

Why this answer

Azure Monitor is the correct service because it provides a unified platform for collecting performance counters and event logs from Azure VMs via the Log Analytics agent or Azure Monitor Agent, and it supports metric-based alert rules that can trigger when CPU usage exceeds a defined threshold (e.g., 90%). This directly meets the requirements for monitoring, log collection, and alerting without additional services.

Exam trap

The trap here is that candidates often confuse Azure Monitor with Microsoft Sentinel because both involve log collection and alerts, but Sentinel is specifically for security incidents, not general performance monitoring and threshold-based alerting on metrics like CPU usage.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a governance tool used to enforce compliance rules (e.g., requiring specific VM SKUs or tags) and does not collect performance counters, event logs, or generate CPU-based alerts. Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution focused on security threat detection and incident response, not general performance monitoring and alerting for CPU usage. Option D is wrong because Azure Update Manager is designed solely for managing OS updates and patches on VMs, with no capability to collect performance counters, event logs, or alert on CPU utilization.

194
MCQ · hard

You are designing a monitoring solution for a critical application hosted on Azure Virtual Machines. The application experiences intermittent high CPU usage that lasts for 10 minutes. You need to be notified within 5 minutes of the start of each occurrence. The solution must minimize false alerts. What should you use?

A. Azure Monitor log alert querying Perf table every 1 minute
B. Create an Azure Monitor action group that sends email
C. Azure Monitor metric alert with a dynamic threshold and 5-minute frequency, alert on 2 consecutive breaches
D. Azure Monitor metric alert with a static threshold of 90% CPU
Answer: C

Dynamic threshold adapts to patterns, and requiring 2 consecutive breaches reduces false alerts.

Why this answer

Option C is correct because it uses a dynamic threshold that adapts to normal CPU patterns, reducing false alerts, and the 5-minute frequency with a requirement for 2 consecutive breaches ensures that the 10-minute event is detected within 5 minutes of its start (since the first breach triggers the second evaluation after 5 minutes, and if the second consecutive breach occurs, the alert fires). This matches the requirement for notification within 5 minutes while minimizing false positives.

Exam trap

The trap here is that candidates often choose a static threshold (Option D) or a high-frequency log query (Option A) without considering the need to minimize false alerts, overlooking the dynamic threshold and consecutive breach requirement that directly address the 10-minute duration and 5-minute notification window.

How to eliminate wrong answers

Option A is wrong because a log alert querying the Perf table every 1 minute would generate excessive noise and potential false alerts from transient spikes, and it does not inherently minimize false alerts as it lacks a consecutive breach requirement. Option B is wrong because an action group is just a notification channel (e.g., email, SMS) and does not define the alert condition or detection logic; it must be attached to an alert rule to be useful. Option D is wrong because a static threshold of 90% CPU would likely trigger false alerts from brief spikes that do not represent the sustained 10-minute event, and it does not include a consecutive breach requirement to filter out transient noise.
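As an added example (not from the page), this is an ARM template resource for the alert rule in Option C: a dynamic threshold on the VM's Percentage CPU metric, evaluated every 5 minutes, firing only when 2 of 2 consecutive periods breach. The subscription, resource group, VM and action group names are placeholders.

```json
{
  "type": "Microsoft.Insights/metricAlerts",
  "apiVersion": "2018-03-01",
  "name": "vm-cpu-dynamic-threshold",
  "location": "global",
  "properties": {
    "description": "CPU above the learned baseline for two consecutive 5-minute periods",
    "severity": 2,
    "enabled": true,
    "scopes": [
      "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm-name>"
    ],
    "evaluationFrequency": "PT5M",
    "windowSize": "PT5M",
    "criteria": {
      "odata.type": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria",
      "allOf": [
        {
          "criterionType": "DynamicThresholdCriterion",
          "name": "CpuAboveBaseline",
          "metricNamespace": "Microsoft.Compute/virtualMachines",
          "metricName": "Percentage CPU",
          "timeAggregation": "Average",
          "operator": "GreaterThan",
          "alertSensitivity": "Medium",
          "failingPeriods": {
            "numberOfEvaluationPeriods": 2,
            "minFailingPeriodsToAlert": 2
          }
        }
      ]
    },
    "autoMitigate": true,
    "actions": [
      {
        "actionGroupId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Insights/actionGroups/<action-group-name>"
      }
    ]
  }
}
```

A single 5-minute spike fails only one of the two required periods and does not fire; with autoMitigate set, the alert resolves itself once CPU returns to the learned range.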

195
MCQ · easy

Your company uses Azure Policy to enforce compliance. You need to ensure that all storage accounts use HTTPS only. The policy should automatically remediate non-compliant storage accounts by enabling HTTPS-only. What policy effect should you use?

A. Deny
B. AuditIfNotExists
C. Append
D. DeployIfNotExists
Answer: D

DeployIfNotExists can deploy a template to set the storage account property to enable HTTPS-only.

Why this answer

The DeployIfNotExists effect is correct because it not only evaluates whether storage accounts have the 'HTTPS only' setting enabled but also automatically deploys a remediation task to enable it when non-compliance is detected. This ensures continuous compliance without manual intervention, which aligns with the requirement for automatic remediation.

Exam trap

The trap here is that candidates often confuse 'Deny' (which blocks non-compliant new resources) with 'DeployIfNotExists' (which remediates existing resources), missing the key requirement for automatic remediation of already deployed storage accounts.

How to eliminate wrong answers

Option A is wrong because Deny blocks the creation or update of a resource that doesn't meet the policy condition, but it does not remediate existing non-compliant storage accounts. Option B is wrong because AuditIfNotExists only audits whether a related resource (like a diagnostic setting) exists, not the property of the storage account itself, and it provides no remediation. Option C is wrong because Append adds fields to a resource during creation or update but cannot modify existing storage account properties like 'HTTPS only' after the resource is deployed.

196
MCQ · hard

You have an Azure subscription that contains a virtual network named VNet1. You need to monitor all network security group (NSG) flow logs. Which three components must you enable? (Select THREE.)

A. Azure Network Watcher
B. Log Analytics workspace
C. Network security group flow logs
D. Traffic Analytics
E. A storage account
Answer: C, D, E

NSG flow logs must be enabled to capture traffic.

Why this answer

Network security group flow logs must be explicitly enabled on the NSG to capture IP traffic data. Without enabling this feature, no flow log data is generated regardless of other components. The question asks which components must be enabled, and enabling NSG flow logs is the direct action that starts logging.

Exam trap

The trap here is that candidates often assume Azure Network Watcher must be manually enabled, but it is regionally auto-enabled, and they may also confuse the optional Traffic Analytics and Log Analytics workspace as mandatory components for basic flow log collection.

How to eliminate wrong answers

Option A is wrong because Azure Network Watcher is a regional service that is automatically enabled in every region when you create a virtual network; you do not need to manually enable it as a component for NSG flow logs. Option B is wrong because a Log Analytics workspace is only required if you want to use Traffic Analytics to analyze flow logs; it is not a mandatory component for enabling or storing the raw flow logs themselves.

197
MCQ · medium

A company uses Microsoft Entra ID. They need to automatically remove guest users who have not signed in for 60 days. Additionally, they must generate a report of all guest access for auditors. Which Microsoft Entra ID feature should they implement?

A. Access Reviews
B. Entitlement Management
C. Identity Protection
D. Terms of Use
Answer: A

Access Reviews can automate the removal of inactive guest users and provide audit reports.

Why this answer

Access Reviews in Microsoft Entra ID allow administrators to create recurring reviews that automatically remove guest users who have not signed in within a specified period (e.g., 60 days) by configuring the 'Inactive users (in days)' setting. Additionally, Access Reviews generate a detailed report of all guest access decisions, which can be exported for auditors, meeting both requirements directly.

Exam trap

The trap here is that candidates often confuse Entitlement Management (which handles access packages) with Access Reviews (which handles periodic attestation and automated removal), missing that only Access Reviews directly support inactivity-based removal and audit reporting.

How to eliminate wrong answers

Option B (Entitlement Management) is wrong because it manages access packages and catalogs for resource provisioning but does not natively provide automated removal based on sign-in inactivity or generate audit reports for guest access. Option C (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., compromised accounts, sign-in anomalies) rather than automating guest user lifecycle or producing access review reports. Option D (Terms of Use) is wrong because it enforces user consent to policies but lacks any capability to automatically remove inactive users or generate audit reports for guest access.

198
Drag & Drop · medium

Drag and drop the steps to implement Azure AD Privileged Identity Management (PIM) for a role into the correct order.

Why this order

Select role, configure settings, assign eligible members, set notifications, then test activation.

199
MCQ · hard

A company uses Microsoft Entra ID B2B to collaborate with external vendors. They want to enforce that external users must use multi-factor authentication (MFA) and access company resources only from compliant devices (e.g., managed by Intune). They also want to require a session timeout of 1 hour. Which combination of Microsoft Entra ID features should they use?

A. A
B. B
C. C
D. D
Answer: B

Microsoft Entra ID Conditional Access policies can require MFA, require device to be marked as compliant (via Intune), and include session controls to set sign-in frequency (session timeout).

Why this answer

Option B is correct because it combines Conditional Access policies with session controls to enforce MFA, device compliance (via Intune), and a 1-hour session timeout. Conditional Access policies evaluate sign-in risk and require MFA and compliant devices, while the session control 'Sign-in frequency' can be set to 1 hour to enforce reauthentication. This meets all three requirements without relying on deprecated or separate features.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls with token lifetime policies or think that Identity Protection alone can enforce device compliance, but only Conditional Access policies can combine MFA, device compliance, and session timeout in a single policy.

How to eliminate wrong answers

Option A is wrong because it uses Azure AD Identity Protection, which is designed for risk-based policies (e.g., risky sign-ins) but does not natively enforce device compliance or session timeout; it lacks the session control for a 1-hour timeout. Option C is wrong because it relies on Azure AD Privileged Identity Management (PIM), which manages just-in-time privileged access and does not enforce MFA or device compliance for external users accessing general resources. Option D is wrong because it uses Azure AD Terms of Use, which only requires acceptance of a policy document and cannot enforce MFA, device compliance, or session timeout.
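As an added example (not from the page), this is the Microsoft Graph representation of a Conditional Access policy that combines the three controls Option B describes: MFA and a compliant device as grant controls joined with AND, and a 1-hour sign-in frequency as a session control, scoped to guest and external users. The display name is constructed, and the report-only state is an assumption made so the policy can be validated before it is enforced.

```json
{
  "displayName": "External users: MFA, compliant device, 1-hour sign-in frequency",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "users": {
      "includeUsers": ["GuestsOrExternalUsers"],
      "excludeUsers": []
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  },
  "sessionControls": {
    "signInFrequency": {
      "isEnabled": true,
      "type": "hours",
      "value": 1
    }
  }
}
```

The body is what a POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies accepts; review the report-only sign-in results and add an emergency-access account to excludeUsers before changing state to "enabled".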

200
MCQ · hard

You are designing a monitoring solution for a critical application that runs on Azure Virtual Machines. The application generates custom performance counters. You need to alert when the custom counter exceeds a threshold and trigger an Azure Automation runbook to remediate. Which two Azure services should you combine? (Select TWO.)

A. Azure Event Grid
B. Azure Monitor
C. Log Analytics
D. Azure Automation
Answer: B, D

Azure Monitor can alert on metrics and trigger actions.

Why this answer

Azure Monitor is the correct choice because it collects and analyzes custom performance counters from Azure VMs, enabling metric-based alert rules. When a threshold is exceeded, Azure Monitor can trigger an action group that invokes an Azure Automation runbook, providing automated remediation. This combination directly addresses the requirement to alert on custom counters and execute a runbook in response.

Exam trap

The trap here is that candidates often confuse Log Analytics as a direct alerting and remediation service, when in fact it is a data repository that requires Azure Monitor to evaluate alerts and trigger actions via action groups.

How to eliminate wrong answers

Option A is wrong because Azure Event Grid is a pub-sub event routing service for handling discrete events (e.g., resource state changes), not for continuous metric monitoring or threshold-based alerting on custom performance counters. Option C is wrong because Log Analytics is a data storage and query platform for log and performance data; it does not natively trigger alerts or runbooks directly—it relies on Azure Monitor for alerting and action groups to invoke Automation runbooks.

201
MCQ · hard

You are designing a monitoring solution for an Azure function app that processes messages from Azure Service Bus. The function app is critical and must be highly available. You need to monitor for poison messages and trigger an alert when the dead-letter queue count exceeds 100. What should you use?

A. Azure Service Bus Explorer
B. Azure Monitor metric alert on the dead-letter message count
C. Azure Log Analytics workspace querying Service Bus logs
D. Azure Application Insights availability tests
Answer: B

Metric alerts can monitor the dead-letter queue count and trigger actions.

Why this answer

Azure Monitor metric alerts can directly monitor the 'Dead-letter message count' metric for a Service Bus namespace or entity. When this count exceeds 100, the alert triggers, enabling automated response to poison messages without additional query overhead. This is the most efficient and native monitoring solution for real-time threshold-based alerts on Service Bus metrics.

Exam trap

The trap here is that candidates may overthink and choose Log Analytics (Option C) for its querying flexibility, but the question specifically asks for a threshold-based alert on a single metric, which is exactly what Azure Monitor metric alerts are designed for.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus Explorer is a manual tool for browsing queues and dead-letter queues, not an automated monitoring or alerting mechanism. Option C is wrong because Log Analytics queries require logs to be sent to a workspace, which adds latency and cost; metric alerts are simpler and more immediate for threshold-based monitoring. Option D is wrong because Application Insights availability tests monitor HTTP endpoint availability, not Service Bus dead-letter queue metrics.

202
MCQ · hard

Refer to the exhibit. You are an Azure administrator for a company that enforces a policy that no virtual networks or network security groups can be created. However, a developer reports that they successfully created a virtual network. What is the most likely reason the policy did not block the creation?

A. The policy definition contains a syntax error.
B. The policy only applies to network security groups, not virtual networks.
C. The policy was assigned to a scope that does not include the subscription or resource group where the virtual network was created.
D. The policy effect should be 'append' instead of 'deny'.
Answer: C

The policy assignment scope must include the subscription or resource group in which the resource is created.

Why this answer

Option C is correct because Azure Policy assignments are scoped to a specific management group, subscription, or resource group. If the policy was assigned to a scope that does not include the subscription or resource group where the developer created the virtual network, the policy would not apply, and the creation would succeed. The policy definition itself may be valid, but without proper assignment scope, it cannot enforce the deny effect.

Exam trap

The trap here is that candidates may assume a policy definition automatically applies to all resources in the tenant, but Azure Policy requires explicit assignment to a scope, and without proper scope coverage, the policy has no effect.

How to eliminate wrong answers

Option A is wrong because a syntax error in the policy definition would cause the policy to fail at evaluation time, typically resulting in an error message or the policy being non-functional, but it would not allow the virtual network creation to succeed silently; the policy would either not apply or produce an error. Option B is wrong because the question states the policy enforces that 'no virtual networks or network security groups can be created,' implying the policy definition explicitly includes both resource types; if it only applied to network security groups, the developer would not have been able to create a virtual network, but the scenario says they successfully created a virtual network, which contradicts the policy's stated scope. Option D is wrong because the 'append' effect is used to add additional properties or tags to a resource during creation or update, not to block creation; to deny creation, the correct effect is 'deny', and using 'append' would not prevent the virtual network from being created.

203
MCQhard

Your organization has a complex Azure environment with multiple subscriptions. You need to design a governance strategy that ensures: 1) All resources must have specific tags (CostCenter, Environment, Owner). 2) Any resource without required tags must be reported to the compliance team weekly. 3) Virtual machines must not be deployed in certain regions due to data sovereignty. 4) The solution must be automated and use native Azure services. You already have an Azure Log Analytics workspace and a central automation account. What should you include in the design?

A.Use Azure Resource Graph queries to find untagged resources and export to CSV manually each week.
B.Use Azure Blueprints to define tags and region restrictions; use Azure Monitor alerts to report non-compliance.
C.Use Azure Policy with 'deny' effect for missing tags and an Azure Automation runbook to add tags weekly.
D.Use Azure Policy with 'audit' effect for missing tags and region restriction; use Azure Logic Apps triggered by a schedule to query Azure Resource Graph and email the compliance report.
AnswerD

Policy enforces and audits, Logic App automates weekly reporting.

Why this answer

Option D is correct because it uses Azure Policy with 'audit' effect to detect missing tags and region violations without blocking deployment, which satisfies the reporting requirement. Azure Logic Apps, triggered on a schedule, queries Azure Resource Graph to identify non-compliant resources and sends an email report to the compliance team weekly, fulfilling the automation and native service criteria without manual intervention.

Exam trap

The trap here is that candidates often choose 'deny' effect (Option C) thinking it enforces compliance, but the question explicitly requires reporting non-compliance, not blocking resources, making 'audit' the correct effect for this scenario.

How to eliminate wrong answers

Option A is wrong because manually exporting to CSV each week violates the 'automated' requirement and does not use native Azure services for reporting. Option B is wrong because Azure Blueprints cannot enforce runtime region restrictions or tag requirements; they only define initial resource templates, and Azure Monitor alerts are not designed to query resource compliance or generate tag-based reports. Option C is wrong because using Azure Policy with 'deny' effect would block deployment of untagged resources, but the requirement is to report non-compliance, not prevent it; additionally, an Automation runbook adding tags weekly does not address the region restriction or the weekly reporting to the compliance team.

204
MCQhard

You are designing a governance strategy for a multi-subscription Azure environment. Your compliance team requires that any resource group created in the production subscription must have a specific naming convention: it must start with 'prod-' and be followed by a three-letter department code and a two-digit number. Any resource group not following this convention should be automatically prevented from creation. Which Azure policy definition should you use?

A.Use a policy with 'like' constraint on the 'name' field.
B.Use a policy with 'match' constraint on the 'name' field.
C.Use a policy with 'contains' constraint on the 'name' field.
D.Use a policy with 'pattern' constraint on the 'name' field.
AnswerD

The 'pattern' constraint supports regex, allowing validation of the naming convention.

Why this answer

Option D is correct because Azure Policy's 'pattern' constraint uses regular expressions to enforce complex naming conventions. The requirement for resource groups to start with 'prod-', followed by a three-letter department code and a two-digit number, is a pattern that can be precisely defined with a regex like '^prod-[a-z]{3}\d{2}$'. The 'pattern' constraint is the only option that supports regex-based validation, making it suitable for this multi-part naming rule.

Exam trap

The trap here is that candidates confuse 'match' (which uses simple wildcards like '*' and '?') with 'pattern' (which uses regex), leading them to choose option B when the requirement demands a structured format that only regex can enforce.

How to eliminate wrong answers

Option A is wrong because the 'like' constraint uses wildcard matching (e.g., 'prod-???') but cannot enforce exact character types or lengths for the department code and number; it would allow any three characters and two digits, including invalid characters like symbols. Option B is wrong because the 'match' constraint is used for simple string matching with wildcards (e.g., 'prod-*'), not for enforcing a structured pattern with specific character classes and lengths. Option C is wrong because the 'contains' constraint checks if a substring exists anywhere in the name, which cannot enforce the required prefix or the exact format after it; a name like 'test-prod-abc12' would incorrectly pass.

205
MCQeasy

Your company has multiple Azure subscriptions. You need to ensure that all security-related logs from Azure resources are centralized in a single Log Analytics workspace for analysis. Which Azure service should you use to collect and route these logs?

A.Azure Monitor
B.Microsoft Sentinel
C.Azure Policy
D.Azure Event Hubs
AnswerC

Azure Policy can enforce diagnostic settings to send logs to a central Log Analytics workspace.

Why this answer

Azure Policy is correct because it can enforce the deployment of a diagnostic setting on all Azure resources, automatically routing security-related logs (such as Activity Logs, resource logs, and audit logs) to a single Log Analytics workspace. This ensures centralized collection and analysis without manual configuration per resource, meeting the requirement for a governance-driven approach.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Monitor or Sentinel, thinking that monitoring or SIEM tools handle log routing, when in fact Azure Policy is the governance tool that enforces the configuration to centralize logs.

How to eliminate wrong answers

Option A is wrong because Azure Monitor is the platform that collects and analyzes telemetry, but it does not itself route or enforce the collection of logs from multiple subscriptions; it relies on diagnostic settings or other services to ingest data. Option B is wrong because Microsoft Sentinel is a SIEM that uses Log Analytics as its underlying data store, but it is not the service that collects or routes logs—it consumes data already in the workspace. Option D is wrong because Azure Event Hubs is a real-time data streaming service used for high-throughput ingestion, not for centralized log storage or analysis; it would require additional configuration to forward logs to Log Analytics.

206
MCQhard

You are tasked with ensuring that all VMs in the subscription have Azure Hybrid Benefit enabled for Windows Server. You create the Azure Policy shown in the exhibit. However, after assignment, the compliance report shows that some D-series VMs are still non-compliant. What is the most likely cause?

A.The 'deny' effect is incorrectly configured; it should be 'audit' to show compliance.
B.The policy does not apply to existing resources; it only blocks new or updated ones.
C.The 'like' operator does not match standard D-series SKUs.
D.The policy is scoped to a management group that excludes the resource group containing the VMs.
AnswerB

The 'deny' effect only prevents creation or update of non-compliant resources; existing VMs remain non-compliant.

Why this answer

Azure Policy with the 'deny' effect only blocks new or updated resources that violate the policy; it does not automatically remediate existing non-compliant resources. The D-series VMs were likely created before the policy was assigned, so they remain non-compliant until they are redeployed or a remediation task is triggered. To enforce compliance on existing resources, you would need to use a 'deployIfNotExists' or 'modify' effect with a remediation task.

Exam trap

The trap here is that candidates often assume Azure Policy automatically applies to all resources in scope, but they overlook the fundamental difference between 'deny' (only blocks new/updated resources) and 'deployIfNotExists'/'modify' (can remediate existing resources).

How to eliminate wrong answers

Option A is wrong because changing the effect from 'deny' to 'audit' would not make existing VMs compliant; they would still be reported as 'Non-compliant', since 'audit' only records non-compliance without blocking. Option B is correct as explained. Option C is wrong because the 'like' operator with pattern 'Standard_D*' correctly matches all D-series SKUs (e.g., Standard_D2s_v3, Standard_D4s_v5), as the wildcard '*' matches any suffix.

Option D is wrong because if the policy were scoped to a management group that excludes the resource group, the VMs would not be evaluated at all and would not appear in the compliance report as non-compliant; they would simply be out of scope.

207
MCQhard

A SaaS application must allow external partner users to sign in with their own organization credentials while the company controls application access. What should be used?

A.Create local cloud-only accounts for every partner user
B.Share one account per partner company
C.Use Azure DNS private zones
D.Microsoft Entra External ID/B2B collaboration with Conditional Access
AnswerD

External identities allow partner users to authenticate with their own identity provider while the resource tenant enforces access policies.

Why this answer

Microsoft Entra External ID (formerly Azure AD B2B) enables external partner users to sign in using their own organization's credentials (their existing Azure AD or Microsoft account) while the company retains control over application access. By combining B2B collaboration with Conditional Access policies, the company can enforce MFA, device compliance, or location-based controls on guest users without managing their identities or passwords.

Exam trap

The trap here is that candidates confuse Azure DNS private zones (a networking feature) with identity federation, or assume that creating local accounts or sharing accounts is acceptable for external collaboration, ignoring the security and manageability requirements of the scenario.

How to eliminate wrong answers

Option A is wrong because creating local cloud-only accounts for every partner user defeats the purpose of federated identity, introduces password management overhead, and violates the requirement that partners use their own credentials. Option B is wrong because sharing one account per partner company eliminates individual accountability, violates security best practices (no audit trail per user), and cannot enforce per-user Conditional Access policies. Option C is wrong because Azure DNS private zones are a networking feature for resolving custom domain names within virtual networks; they have no role in identity federation or external authentication.

208
MCQmedium

You are a solutions architect for a large healthcare organization that uses Microsoft 365 and Azure. The organization has a Microsoft Entra ID tenant with 15,000 users. The security team requires that all users use multi-factor authentication (MFA) when accessing cloud applications. Currently, only 60% of users have registered for MFA. The organization wants to enforce MFA registration for all users within 30 days. The solution must minimize user disruption and allow users to register their MFA methods during their normal work hours. The organization uses Microsoft Intune for mobile device management and has a conditional access policy that requires MFA for all cloud apps. You need to design a solution to enforce MFA registration. What should you do?

A.Modify the existing conditional access policy to require MFA for all cloud apps and block access if MFA is not registered.
B.Deploy an Intune compliance policy that requires MFA enrollment on mobile devices.
C.Configure a Microsoft Entra ID MFA registration campaign to target all users and require registration within 14 days.
D.Use Microsoft Entra ID password reset policy to force users to register MFA during password reset.
AnswerC

Registration campaigns nudge users to register without blocking access.

Why this answer

Option C is correct because Microsoft Entra ID's MFA registration campaign is designed to nudge users to register without blocking access, minimizing disruption. Option A is wrong because requiring MFA via conditional access without registration will block users who haven't registered. Option B is wrong because Intune compliance policies enforce device compliance, not MFA registration.

Option D is wrong because resetting passwords does not force MFA registration.

209
MCQeasy

A company uses Microsoft Entra ID Premium P2. They want to enforce that users accessing sensitive cloud applications from outside the corporate network must use multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management
D.Access Reviews
AnswerA

Correct. Conditional Access policies can require MFA for specific users, apps, and locations.

Why this answer

Conditional Access is the correct feature because it allows administrators to define policies that enforce MFA based on specific conditions, such as network location (outside corporate network) and cloud app sensitivity. By configuring a Conditional Access policy targeting 'All cloud apps' or specific sensitive apps with the condition 'Locations: All trusted/untrusted networks', you can require MFA for external access. This directly meets the requirement without needing additional licenses or features beyond Entra ID Premium P2.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA triggers with Conditional Access's location-based MFA, assuming Identity Protection alone can enforce MFA for external access, but Identity Protection only suggests or triggers MFA via risk policies that require Conditional Access to actually enforce the block or MFA prompt.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can trigger MFA via risk-based policies, but it does not natively enforce MFA based solely on network location; it requires integration with Conditional Access for enforcement. Option C (Privileged Identity Management) is wrong because it manages just-in-time privileged role activation and approval workflows, not general user access to cloud apps or MFA enforcement. Option D (Access Reviews) is wrong because it is used for periodic recertification of group memberships and application access, not for real-time authentication enforcement like MFA.

210
MCQmedium

Your company is migrating on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises passwords and that password changes are synchronized immediately. The solution must minimize latency and avoid storing password hashes in the cloud. What should you implement?

A.Implement Microsoft Entra Pass-through Authentication
B.Implement password hash synchronization with password writeback
C.Create cloud-only user accounts in Microsoft Entra ID
D.Federate with Active Directory Federation Services (AD FS)
AnswerB

Password hash synchronization syncs password changes immediately, and writeback allows changes to be written back to on-premises AD. Hashes are stored, but salting prevents plaintext exposure.

Why this answer

Option B is correct because password hash synchronization with password writeback meets the requirement to synchronize password changes immediately while avoiding storing password hashes in the cloud. However, the question explicitly states 'avoid storing password hashes in the cloud,' which contradicts password hash synchronization (which does store hashes). The correct solution for immediate password change sync without cloud hash storage is Microsoft Entra Pass-through Authentication (Option A), which validates passwords on-premises without storing hashes in Azure AD.

The exam trap is that password writeback is for cloud-to-on-premises sync, not immediate on-premises-to-cloud sync.

Exam trap

The trap here is that candidates confuse password writeback (cloud-to-on-premises) with immediate on-premises-to-cloud password synchronization, and overlook that password hash synchronization inherently stores hashes in the cloud, directly contradicting the 'avoid storing password hashes' requirement.

How to eliminate wrong answers

Option A is wrong because Pass-through Authentication does not synchronize password changes immediately; it validates passwords on-premises but does not replicate password changes to Azure AD. Option B is wrong because password hash synchronization stores password hashes in the cloud, which violates the requirement to avoid storing password hashes in the cloud. Option C is wrong because creating cloud-only user accounts does not use existing on-premises passwords and requires users to set new passwords.

Option D is wrong because federating with AD FS does not synchronize password changes immediately and still requires a federation trust, which introduces latency and complexity.

211
MCQhard

A company uses Microsoft Entra ID Privileged Identity Management (PIM) to control access to administrator roles. They want to implement a monitoring solution that sends an email to the security team whenever a user activates the Global Administrator role outside of standard business hours (9 AM–5 PM). They also need to track all activation history for quarterly audits. Which solution should they implement?

A.Configure PIM to send notifications for role activations and stream PIM audit logs to Azure Log Analytics, then create an alert rule for activations outside business hours
B.Use Microsoft Entra ID Identity Protection to detect risky activations and trigger a Logic App
C.Enable Microsoft Entra ID diagnostic settings to send logs to Event Hubs and process with Azure Stream Analytics
D.Use Azure Sentinel with a built-in connector for PIM and create a scheduled analytics rule
AnswerA

Correct. PIM notifications provide the baseline, but time-based filtering requires a Log Analytics alert rule on the audit logs.

Why this answer

Option A is correct because PIM can be configured to send email notifications for role activations, and by streaming PIM audit logs to Azure Log Analytics, you can create alert rules that trigger when the Global Administrator role is activated outside business hours. This meets both the real-time email alert requirement and the long-term audit trail requirement, as Log Analytics retains logs for up to two years by default and supports custom queries for quarterly audits.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a full SIEM like Azure Sentinel or a streaming pipeline like Event Hubs, when the simpler combination of PIM notifications and Log Analytics alerts fully satisfies both the real-time alert and audit requirements.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is designed to detect risky sign-ins and user behavior, not to monitor PIM role activations or trigger alerts based on time-based conditions; it cannot send emails for out-of-hours activations. Option C is wrong because streaming logs to Event Hubs and processing with Azure Stream Analytics is an overengineered, real-time streaming solution that adds unnecessary complexity and cost; it does not natively provide the simple email alert or long-term audit storage that Log Analytics offers out of the box. Option D is wrong because Azure Sentinel is a full SIEM solution that requires significant setup, cost, and ongoing management; while it can monitor PIM activations, it is not the simplest or most cost-effective solution for this specific requirement, and the question does not mention a need for advanced threat detection or incident response.

212
MCQmedium

Refer to the exhibit. You are reviewing the output of an Azure Key Vault secret listing command. The application team reports that a secret is not accessible. What is the most likely reason?

A.The secret is tagged as production but the application is in development
B.The secret has expired
C.The Key Vault is in a soft-deleted state
D.The secret is disabled
AnswerB

The 'expires' attribute indicates the expiration date, and if it is in the past, the secret is invalid.

Why this answer

The secret listing output shows an 'expires' field with a date in the past, indicating the secret has expired. Azure Key Vault enforces expiration by preventing access to secrets whose expiration date has passed, returning a 403 Forbidden error. This is the most likely reason the application cannot access the secret.

Exam trap

The trap here is that candidates may overlook the 'expires' field in the output and instead focus on tags or assume a disabled state, but Azure Key Vault explicitly blocks access to expired secrets regardless of other settings.

How to eliminate wrong answers

Option A is wrong because tags are metadata labels and do not enforce access control; Azure RBAC or access policies govern access, not tags. Option C is wrong because a soft-deleted Key Vault would not appear in the listing output at all, or would show a 'recovery level' indicating soft-delete; the output shows the vault is active. Option D is wrong because a disabled secret would show an 'enabled' field set to 'false' in the listing output, but the exhibit does not show that field; the presence of an expiration date in the past is the clear indicator.

213
MCQmedium

A company has Microsoft Entra ID Premium P2 licenses and wants to ensure that privileged roles (e.g., Global Administrator) are only activated when needed and with approval. They also need to regularly review who has access to these roles. Which combination of features should they use?

A.Privileged Identity Management (PIM) and Microsoft Entra ID Access Reviews
B.Identity Protection and Conditional Access
C.Entitlement Management and Conditional Access
D.Microsoft Entra ID Access Reviews and Identity Protection
AnswerA

PIM enables time-bound, approved activation of privileged roles, and Access Reviews can be configured to recertify assignments regularly.

Why this answer

Privileged Identity Management (PIM) provides just-in-time (JIT) activation of privileged roles with approval workflows, meeting the requirement for activation only when needed and with approval. Microsoft Entra ID Access Reviews then enable recurring certification of role assignments, ensuring that access is regularly reviewed and stale or inappropriate assignments are removed. Together, they form the correct combination for managing and governing privileged roles.

Exam trap

The trap here is that candidates often confuse Identity Protection (risk-based detection) with PIM (role activation and governance), leading them to select options that include Identity Protection instead of PIM for privileged role management.

How to eliminate wrong answers

Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised credentials, sign-in anomalies) and Conditional Access enforces access policies based on signals; neither provides JIT activation with approval or recurring access reviews for privileged roles. Option C is wrong because Entitlement Management manages access packages and resource access for external users and groups, not specifically privileged role activation with approval; Conditional Access does not provide role activation or review capabilities. Option D is wrong because while Access Reviews are correct, Identity Protection does not offer JIT activation or approval workflows for privileged roles, leaving the core requirement unmet.

214
MCQeasy

Your company uses Microsoft Entra ID and has recently deployed Microsoft Sentinel. You need to design a monitoring solution to detect brute-force attacks against user accounts. The solution should use built-in analytics rules where possible and must trigger an automated response to temporarily disable the affected account. What should you include in the design?

A.Use the built-in 'Brute force attack against an Entra ID account' analytics rule in Microsoft Sentinel and connect a playbook to disable the user.
B.Use Microsoft Entra Identity Protection to detect brute-force and configure a conditional access policy to block sign-ins.
C.Stream sign-in logs to Log Analytics and create a scheduled query that alerts on multiple failures, then manually disable accounts.
D.Create a custom KQL query in Microsoft Sentinel and configure an automation rule to disable the account.
AnswerA

Built-in rule and playbook provide automated detection and response.

Why this answer

Option A is correct because Microsoft Sentinel includes a built-in analytics rule specifically for detecting brute-force attacks against Microsoft Entra ID accounts. By connecting a playbook to this rule, you can automate the response to temporarily disable the affected user account, meeting the requirement for an automated response without custom development.

Exam trap

The trap here is that candidates may confuse Microsoft Entra Identity Protection's ability to block sign-ins with the requirement to disable the user account, or they may overlook the 'use built-in analytics rules where possible' constraint and opt for a custom KQL query.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Identity Protection detects risk events like brute-force but uses Conditional Access policies to block sign-ins, not to disable user accounts; disabling accounts requires a different mechanism. Option C is wrong because it relies on manually disabling accounts, which does not meet the requirement for an automated response. Option D is wrong because it suggests creating a custom KQL query and automation rule, but the question specifies using built-in analytics rules where possible, making a custom query unnecessary and less efficient.

215
MCQeasy

A company wants to allow remote users to access an internal web application hosted on-premises without opening inbound firewall ports. They need seamless single sign-on (SSO) using Microsoft Entra ID credentials. Which Azure service should they use?

A.Microsoft Entra ID Application Proxy
B.Microsoft Entra ID B2C
C.Microsoft Entra ID Domain Services
D.Microsoft Entra ID Connect
AnswerA

Application Proxy acts as a reverse proxy that allows users to access on-premises apps from anywhere without opening inbound ports. It also supports Microsoft Entra ID SSO.

Why this answer

Microsoft Entra ID Application Proxy provides secure remote access to on-premises web applications without requiring inbound firewall ports. It works by establishing an outbound connection from the on-premises Application Proxy connector to the Entra ID service, then routing user traffic through that tunnel. It integrates with Entra ID for pre-authentication and supports seamless SSO using the user's existing Entra ID credentials via Kerberos constrained delegation (KCD) or header-based authentication.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Application Proxy with a VPN or DirectAccess solution, but the key differentiator is that Application Proxy requires no inbound firewall rules and uses outbound-only connectivity, which is a common exam scenario for secure remote access.

How to eliminate wrong answers

Option B (Microsoft Entra ID B2C) is wrong because it is designed for customer-facing identity management with social or local accounts, not for providing secure remote access to internal on-premises applications. Option C (Microsoft Entra ID Domain Services) is wrong because it provides managed domain services (e.g., LDAP, Kerberos) for Azure VMs but does not offer a reverse proxy or remote access capability for on-premises apps. Option D (Microsoft Entra ID Connect) is wrong because it is a synchronization tool that syncs on-premises AD objects to Entra ID; it does not provide any application proxy or remote access functionality.

216
Multi-Selectmedium

Which TWO actions should you take to design a monitoring solution for a multi-tier application running on Azure VMs? (Select TWO.)

Select 2 answers
A.Deploy VM Insights on each VM
B.Configure Azure Monitor Agent to collect metrics and logs from each tier
C.Create a Log Analytics workspace and connect all VMs
D.Instrument the application with Application Insights
E.Enable Azure Monitor for VMs on all VMs
AnswersB, D

Collects infrastructure data from all VMs.

Why this answer

Option B is correct because Azure Monitor Agent is the modern, unified agent that collects metrics and logs from Azure VMs and sends them to Azure Monitor, Log Analytics workspaces, and other destinations. For a multi-tier application, collecting data from each tier is essential for end-to-end monitoring. Option D is correct because Application Insights provides application performance monitoring (APM) by instrumenting the application code itself, capturing telemetry like request rates, dependency calls, and exceptions, which is critical for understanding the behavior of a multi-tier application.

Exam trap

The trap here is that candidates confuse 'VM Insights' (a feature that provides visualizations and dependency mapping) with the underlying agent installation, or they think that creating a Log Analytics workspace is a primary monitoring action rather than a prerequisite, leading them to select options A, C, or E instead of the correct combination of agent-based collection and application instrumentation.

217
MCQmedium

Your organization uses Microsoft Sentinel for security monitoring. You need to create a rule that triggers an incident when a user from a specific IP address performs more than 10 failed sign-ins within an hour. Which rule type should you use?

A.Microsoft Security rule
B.Scheduled query rule
C.Anomaly detection rule
D.Fusion rule
AnswerB

Scheduled query rules can aggregate events and alert on a threshold.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a custom KQL query that counts failed sign-in events from a specific IP address over a 1-hour window and triggers an incident when the count exceeds 10. This rule type is designed for user-defined detection logic based on log data, such as SigninLogs, and supports aggregation and threshold-based alerting.

Exam trap

The trap here is that candidates confuse scheduled query rules with anomaly detection rules, assuming any threshold-based alert is 'anomaly detection,' but anomaly detection requires baseline learning and cannot enforce a static numeric threshold like 10.

How to eliminate wrong answers

Option A is wrong because Microsoft Security rules are prebuilt templates from Microsoft security products (e.g., Microsoft Defender for Cloud) and cannot be customized to count specific IP addresses or set custom thresholds like 10 failed sign-ins per hour. Option C is wrong because anomaly detection rules use machine learning to identify unusual patterns in baseline behavior, not fixed thresholds on a specific IP address. Option D is wrong because Fusion rules correlate multiple low-fidelity alerts from different sources to detect advanced multi-stage attacks, not single-condition threshold-based triggers.

218
MCQeasy

A company uses Microsoft Entra ID. They want to enable users to reset their own passwords without contacting the help desk. They also want to enforce multi-factor authentication (MFA) during the password reset process. Which Microsoft Entra ID feature should they enable?

A.Microsoft Entra ID Identity Protection
B.Microsoft Entra ID Privileged Identity Management (PIM)
C.Microsoft Entra ID Self-Service Password Reset (SSPR)
D.Microsoft Entra ID Conditional Access
AnswerC

SSPR enables users to reset their own passwords, and it can be integrated with MFA to verify identity during the reset process.

Why this answer

Option C is correct because Microsoft Entra ID Self-Service Password Reset (SSPR) lets users reset their own passwords without help-desk intervention. SSPR verifies the user with the authentication methods registered for it (for example, Microsoft Authenticator, phone or email), and setting "Number of methods required to reset" to two makes the reset itself a multi-factor verification, which meets the second requirement.

Exam trap

The trap here is that candidates reach for Conditional Access as the answer, but Conditional Access only adds policy on top of SSPR (for example, requiring MFA when users register their security information); without SSPR enabled, users cannot reset their own passwords at all.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection is a risk-based detection and remediation tool that identifies leaked credentials and suspicious sign-ins, but it does not provide self-service password reset or enforce MFA during a reset. Option B is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged access and role activation, not self-service password reset or MFA enforcement for end users. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls (like MFA) based on conditions; it does not provide the self-service password reset capability itself, and at most it governs the security-information registration that SSPR relies on.

219
MCQmedium

A multinational company uses Microsoft Entra ID for identity. They need to grant external partners access to specific SharePoint Online sites. The access must be time-limited and require approval from a resource owner. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Entitlement Management.
B.Microsoft Entra ID B2C.
C.Microsoft Entra ID Conditional Access.
D.Microsoft Entra ID Identity Protection.
AnswerA

Entitlement Management enables creation of access packages with approvals and time-limited access. It is designed for governing external user access to resources like SharePoint Online.

Why this answer

Microsoft Entra ID Entitlement Management (A) is the correct feature because it enables organizations to manage external partner access to resources like SharePoint Online sites through access packages. These access packages can enforce time-limited access and require approval from designated resource owners, directly meeting the scenario's requirements.

Exam trap

The trap here is that candidates may confuse Entitlement Management (which handles external user access governance) with B2C (which is for customer-facing apps) or Conditional Access (which is a security policy layer, not a provisioning workflow).

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID B2C (Business-to-Consumer) is designed for customer-facing identity management with social logins, not for granting external partners access to internal resources like SharePoint sites. Option C is wrong because Microsoft Entra ID Conditional Access enforces policies based on signals like location or device state, but it does not provide time-limited access or approval workflows for external partner access. Option D is wrong because Microsoft Entra ID Identity Protection focuses on detecting and remediating identity risks (e.g., leaked credentials), not on managing external user access with time limits and approvals.

220
MCQeasy

You are designing a monitoring solution for Azure SQL Database. The requirement is to track query performance metrics such as CPU usage, data IO, and wait statistics over time. You need to identify performance bottlenecks and provide historical data for analysis. Which Azure service should you use?

A.Azure Monitor Metrics for Azure SQL Database
B.Azure SQL Analytics (preview) in Azure Monitor
C.Azure SQL Database Intelligent Insights
D.Query Performance Insight for Azure SQL Database
AnswerD

Query Performance Insight provides detailed query metrics and wait statistics.

Why this answer

Query Performance Insight for Azure SQL Database is the correct choice because it provides built-in, intelligent analysis of top queries by CPU, data IO, and wait statistics over time, enabling you to identify performance bottlenecks and review historical data. It is specifically designed for Azure SQL Database and offers a customizable time range for trend analysis, directly meeting the requirement to track query performance metrics and analyze historical data.

Exam trap

The trap here is that candidates often confuse Azure SQL Analytics (a broader monitoring solution) with Query Performance Insight (a focused query-level tool), or they assume Azure Monitor Metrics provides query-level details when it only offers aggregate resource metrics.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Metrics for Azure SQL Database provides platform-level metrics (e.g., DTU/CPU percentage, storage) but does not offer per-query performance details like wait statistics or historical query-level analysis. Option B is wrong because Azure SQL Analytics (preview) in Azure Monitor is a broader monitoring solution that aggregates metrics and logs across multiple Azure SQL databases, but it does not provide the granular, query-specific historical performance data and wait statistics that Query Performance Insight offers. Option C is wrong because Azure SQL Database Intelligent Insights uses built-in intelligence to automatically detect and alert on performance issues, but it does not provide the detailed, customizable historical query performance metrics (CPU, IO, wait stats) that are needed for manual bottleneck analysis.

221
MCQhard

Refer to the exhibit. You are a security administrator reviewing a custom Azure Policy assignment. The policy definition with ID 'abc123' is an initiative containing two policies: one that audits storage accounts with blob public access enabled and one that deploys a diagnostic setting for network security groups. The scope includes a production resource group. However, the compliance state shows 'Non-compliant' for several resources. What is the most likely reason for the non-compliance?

A.The scope is incorrectly targeting the resource group, missing the subscription.
B.The audit policy is preventing the creation of storage accounts with public access.
C.The enforcement mode is set to 'Default' which disables policy evaluation.
D.The diagnostic setting deployment policy requires a remediation task to bring non-compliant resources into compliance.
AnswerD

DeployIfNotExists policies need remediation tasks to apply the configuration; until then, resources remain non-compliant.

Why this answer

Option D is correct because the policy that deploys a diagnostic setting for network security groups is a 'DeployIfNotExists' (DINE) policy. DINE policies act only on resources that are created or updated after the assignment; existing non-compliant resources stay non-compliant until a remediation task is created and run, which deploys the diagnostic settings to them. The assignment also needs a managed identity holding the role listed in the policy's roleDefinitionIds, because the remediation task deploys the setting as that identity. The audit-only policy for storage accounts needs no remediation; the non-compliance reported for the DINE policy simply means the diagnostic settings are missing and must be deployed via a remediation task.

Exam trap

The trap here is that candidates often assume that 'DeployIfNotExists' (and 'Modify') remediate existing resources automatically; in reality they act only on create and update requests made after assignment, so existing resources are merely marked non-compliant and need a separate remediation task to receive the required configuration.

How to eliminate wrong answers

Option A is wrong because the scope includes the production resource group, which is a valid scope for a policy assignment; policies can be assigned at the management group, subscription or resource group level, so "missing the subscription" is not an issue. Option B is wrong because an audit policy only evaluates and reports compliance; it does not prevent creation or enforce any action, so it cannot be the cause of the non-compliance. Option C is wrong because 'Default' enforcement mode means the policy effect is enforced; the alternative mode, 'DoNotEnforce', still evaluates and reports compliance but does not apply the effect. Neither mode turns evaluation off.

222
MCQhard

A large enterprise wants to enforce zero-trust conditional access policies that use real-time user risk, sign-in risk, and device compliance. Which combination of Microsoft Entra ID features should they use?

A.Microsoft Entra ID Identity Protection and Conditional Access
B.Microsoft Entra ID Privileged Identity Management and Access Reviews
C.Microsoft Entra ID B2B and External Identities
D.Microsoft Entra ID Domain Services and Managed Identities
AnswerA

Correct. Identity Protection detects risks like leaked credentials and unusual sign-ins, and Conditional Access uses these risks to enforce adaptive policies for a zero-trust model.

Why this answer

Microsoft Entra ID Identity Protection provides real-time risk detection for users and sign-ins, while Conditional Access policies can enforce access controls based on those risk signals and device compliance. Together, they enable zero-trust conditional access by blocking or requiring MFA when user or sign-in risk is high, and ensuring only compliant devices can access resources.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with risk-based conditional access, but PIM only manages role activation and does not evaluate user/sign-in risk or device compliance in real time.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) and Access Reviews focus on just-in-time privileged role activation and periodic attestation, not on real-time user/sign-in risk or device compliance. Option C is wrong because B2B and External Identities are designed for guest user collaboration and identity federation, not for enforcing risk-based conditional access policies on internal users. Option D is wrong because Microsoft Entra ID Domain Services provides managed domain services (like LDAP and Kerberos) for legacy apps, and Managed Identities are used for Azure resource authentication; neither offers risk detection or conditional access enforcement.

223
MCQhard

You are a cloud architect for a multinational corporation. The company has a single Azure tenant with a management group hierarchy: Root MG -> Corp MG -> (Finance, HR, IT, Marketing) child management groups. Each child management group contains multiple subscriptions. The IT governance team wants to enforce a policy that all Azure resources must have a 'CostCenter' tag. However, the Finance department has legacy resources that cannot be modified and must be exempt from this policy. You need to design a solution that meets the following requirements: (1) The policy should be applied to all subscriptions in the Corp MG except those in the Finance MG. (2) The policy should audit non-compliant resources but not deny them. (3) The solution must use Azure Policy and minimize administrative overhead. What should you do?

A.Assign the policy at the Root management group and exclude all child management groups except Corp.
B.Assign the policy at the Corp management group scope and exclude the Finance management group.
C.Assign the policy at each child management group except Finance.
D.Assign the policy to each subscription individually, excluding those in Finance.
AnswerB

Assigning at Corp MG with exclusion for Finance MG meets all requirements with minimal overhead.

Why this answer

Assigning the policy at the Corp management group and listing the Finance management group under the assignment's excluded scopes (notScopes) meets all requirements: every subscription under HR, IT and Marketing inherits the assignment, while Finance and everything beneath it is skipped during evaluation. Using the 'audit' effect flags non-compliant resources without denying them, and one assignment with one exclusion keeps administrative overhead to a minimum.

Exam trap

The trap here is that candidates reach for the Root management group and then try to carve out everything that is not Corp with exclusions; that needs more exclusions, still leaves Finance in scope unless it is excluded separately, and puts a tenant-wide assignment in place for what is a Corp-only requirement. One assignment at Corp with one exclusion is simpler and correct.

How to eliminate wrong answers

Option A is wrong because assigning at the Root management group scopes the policy to the entire tenant and then relies on exclusions to narrow it back down; the Finance subscriptions remain in scope unless the Finance management group is excluded as well, and the assignment carries more exclusions than option B's single one. Option C is wrong because assigning the policy at each child management group except Finance requires three separate assignments (HR, IT and Marketing), increasing administrative overhead unnecessarily. Option D is wrong because assigning the policy to each subscription individually, even excluding the Finance subscriptions, creates excessive administrative overhead and ignores the inheritance the management group hierarchy provides.

224
MCQmedium

Your organization uses Azure Policy to enforce tagging standards. You need to ensure that any resource created without the required 'CostCenter' tag is automatically remediated by adding the tag with a default value. Which policy effect should you use?

A.append
B.deny
C.modify
D.audit
AnswerC

Modify can automatically add the tag with a default value during creation and supports remediation for existing resources.

Why this answer

Option C is correct because the 'modify' effect adds, replaces or removes properties or tags on a resource: during a create or update request it injects the CostCenter tag with the default value before the request completes, and for resources that already exist a remediation task applies the same operation. The assignment needs a managed identity that holds the role listed in the definition's roleDefinitionIds, since the tag is written as that identity.

How to eliminate wrong answers

Option A is wrong because 'append' also adds the tag at creation but does not support remediation tasks, so existing untagged resources stay non-compliant (Microsoft recommends 'modify' rather than 'append' for tags). Option B is wrong because 'deny' rejects the request instead of fixing it. Option D is wrong because 'audit' only records non-compliance and changes nothing.
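A local simulation of the three Azure Policy behaviours the questions above turn on (enforcement mode and remediation, management-group scope with an excluded Finance branch, and the 'modify' tag effect), as an added example that is not code from the page or from Azure Policy. The policy and assignment dicts have the shape of the JSON bodies the Azure Policy API accepts; the management group hierarchy, subscription IDs, resource IDs and tags are constructed sample data, the Contributor role used for roleDefinitionIds is an assumption, and the evaluator understands only the single rule used here (tag exists).

```python
"""Azure Policy scope, exclusions and effects, simulated locally.
Added example: the policy and assignment dicts have the shape of the JSON
Azure Policy accepts; the hierarchy, subscriptions and resources are constructed
sample data. The evaluator only understands the one rule used here (tag exists)."""
import json

MG = "/providers/Microsoft.Management/managementGroups/"
# Assumption: Contributor; a tag-scoped role would also satisfy the modify effect.
CONTRIBUTOR = "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

# Constructed tenant layout: Root -> Corp -> {Finance, HR, IT, Marketing} -> subscriptions.
HIERARCHY = {
    MG + "Root": [MG + "Corp"],
    MG + "Corp": [MG + "Finance", MG + "HR", MG + "IT", MG + "Marketing"],
    MG + "Finance": ["/subscriptions/fin-001", "/subscriptions/fin-002"],
    MG + "HR": ["/subscriptions/hr-001"],
    MG + "IT": ["/subscriptions/it-001", "/subscriptions/it-002"],
    MG + "Marketing": ["/subscriptions/mkt-001"],
}


def subscriptions_in_scope(scope, not_scopes=()):
    """Subscriptions an assignment at `scope` reaches; any subtree in notScopes is skipped."""
    if scope in not_scopes:
        return []
    if scope.startswith("/subscriptions/"):
        return [scope]
    return [s for child in HIERARCHY.get(scope, [])
            for s in subscriptions_in_scope(child, not_scopes)]


def cost_center_policy(effect, default_value="unassigned"):
    """Definition body that flags (Audit/Deny) or fixes (Modify) resources lacking a CostCenter tag.
    Modify needs `details`: the tag operation, and the role the assignment's managed identity
    must hold to write tags."""
    rule = {"if": {"field": "tags['CostCenter']", "exists": "false"},
            "then": {"effect": effect}}
    if effect == "Modify":
        rule["then"]["details"] = {
            "roleDefinitionIds": [CONTRIBUTOR],
            "operations": [{"operation": "add", "field": "tags['CostCenter']",
                            "value": default_value}],
        }
    return {"properties": {"displayName": f"Require CostCenter tag ({effect})",
                           "mode": "Indexed", "policyRule": rule}}


def assignment(definition_id, scope, not_scopes=(), enforcement="Default"):
    """Assignment body. enforcementMode 'DoNotEnforce' still evaluates compliance but applies no effect."""
    return {"properties": {"policyDefinitionId": definition_id, "scope": scope,
                           "notScopes": list(not_scopes), "enforcementMode": enforcement}}


def evaluate(policy, assign, resources):
    """Apply the tag rule to every resource under the assignment's effective scope.
    Returns (non_compliant_ids, tags_after_modify_by_id, denied_ids)."""
    props = assign["properties"]
    subs = set(subscriptions_in_scope(props["scope"], props["notScopes"]))
    then = policy["properties"]["policyRule"]["then"]
    enforce = props["enforcementMode"] == "Default"
    non_compliant, patched, denied = [], {}, []
    for res in resources:
        sub = "/subscriptions/" + res["id"].split("/")[2]
        if sub not in subs or "CostCenter" in res.get("tags", {}):
            continue                        # out of scope, or already compliant
        non_compliant.append(res["id"])     # compliance is recorded in every mode
        if not enforce:
            continue                        # DoNotEnforce: report, never act
        if then["effect"] == "Deny":
            denied.append(res["id"])        # request rejected; nothing is fixed
        elif then["effect"] == "Modify":    # on create/update, or via a remediation task
            tags = dict(res.get("tags", {}))
            for op in then["details"]["operations"]:
                if op["operation"] == "add":
                    tags[op["field"][6:-2]] = op["value"]   # tags['CostCenter'] -> CostCenter
            patched[res["id"]] = tags
    return non_compliant, patched, denied


# Constructed resources; the first sits in the excluded Finance branch.
RESOURCES = [
    {"id": "/subscriptions/fin-001/resourceGroups/legacy/providers/Microsoft.Compute/virtualMachines/fin-vm1", "tags": {}},
    {"id": "/subscriptions/hr-001/resourceGroups/hr/providers/Microsoft.Storage/storageAccounts/hrstore", "tags": {"Env": "prod"}},
    {"id": "/subscriptions/it-002/resourceGroups/it/providers/Microsoft.Network/virtualNetworks/it-vnet", "tags": {"CostCenter": "IT-100"}},
    {"id": "/subscriptions/mkt-001/resourceGroups/web/providers/Microsoft.Web/sites/mkt-site", "tags": {}},
]

if __name__ == "__main__":
    corp_audit = assignment("/providers/Microsoft.Authorization/policyDefinitions/costcenter",
                            MG + "Corp", [MG + "Finance"])
    print(json.dumps(cost_center_policy("Modify"), indent=2))
    print("non-compliant:", evaluate(cost_center_policy("Audit"), corp_audit, RESOURCES)[0])
```

Run against the sample data, the Corp assignment with Finance excluded reports the HR and Marketing resources as non-compliant and never touches fin-vm1; switching the definition to 'Modify' yields the patched tag sets that a remediation task (for example `az policy remediation create` against the assignment) would write to those two existing resources, while 'DoNotEnforce' keeps the compliance report and drops the patches.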

225
Multi-Selectmedium

Which TWO actions should you take to implement a least-privilege identity strategy for Azure resources?

Select 2 answers
A.Assign Global Administrator role to all cloud architects
B.Store service principal passwords in Azure Key Vault and retrieve at runtime
C.Enable self-service password reset for all users
D.Use managed identities for Azure resources instead of service principals
E.Use Privileged Identity Management (PIM) to activate roles just-in-time
AnswersD, E

Managed identities remove the need to manage secrets.

Why this answer

Option D is correct because managed identities for Azure resources remove the need to store or manage credentials at all: the platform provisions and rotates the identity's credential, and code running on the resource obtains an access token from the local Azure Instance Metadata Service (IMDS) endpoint with no secret in its configuration. Removing static, long-lived credentials shrinks the attack surface. Option E is correct because Privileged Identity Management replaces standing privileged role assignments with eligible ones that are activated just-in-time, for a bounded duration and optionally with approval and MFA, which is least privilege applied to administrators.

Exam trap

The trap here is that candidates often confuse storing secrets securely (Option B) with eliminating secrets entirely (Option D), or they overlook that PIM (Option E) is a core least-privilege tool for role activation, not just a monitoring feature.
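The token acquisition the explanation above describes, written out as an added example (not code from the page or from Microsoft): a VM-hosted process asks IMDS for a token for its managed identity with no secret anywhere in its configuration. The endpoint, API version and `Metadata: true` header are the documented IMDS contract; the target resource URL is an assumption for the example, and the sample response and token are constructed, not real.

```python
"""Obtaining a token for a managed identity from the Azure Instance Metadata
Service (IMDS) with no stored secret. Added example, not the page's or Microsoft's
code. Only fetch_token touches the network (it works only inside an Azure VM);
everything else is pure so the flow can be checked offline against a constructed
response. The sample token below is made up."""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """URL and headers for the IMDS token call.

    `Metadata: true` is mandatory: IMDS rejects requests without it, which
    blocks SSRF primitives that cannot set request headers. `client_id` picks a
    user-assigned identity; omit it to use the system-assigned one."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}", {"Metadata": "true"}


def parse_token_response(body):
    """Normalise the IMDS JSON body; expires_on arrives as a string of epoch seconds."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected IMDS response")
    return {"access_token": data["access_token"],
            "resource": data.get("resource"),
            "expires_on": int(data["expires_on"])}


def token_is_fresh(token, now=None, skew=300):
    """Treat the token as expired `skew` seconds early so a call issued near the
    edge does not fail with 401; re-request from IMDS instead (it caches)."""
    now = time.time() if now is None else now
    return token["expires_on"] - skew > now


def fetch_token(resource, client_id=None, timeout=5):
    """Live call from inside an Azure VM. IMDS is link-local and must not be
    reached through a proxy, so environment proxy settings are bypassed."""
    url, headers = build_token_request(resource, client_id)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
        return parse_token_response(resp.read())


# Constructed sample response in the shape IMDS returns (the token is not real).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.sample",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3599",
    "expires_on": "1714557600",
    "not_before": "1714553700",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    token = parse_token_response(SAMPLE_RESPONSE)          # offline check
    print("fresh at issue time:", token_is_fresh(token, now=1714554000))
    # Inside an Azure VM, this is the live call:
    # token = fetch_token("https://management.azure.com/")
```

The identity still has to be granted a role on the target resource; a managed identity removes the secret, not the need for an RBAC assignment, and that assignment should be as narrow as the workload allows.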
