CCNA Identity Governance Monitoring Questions

48 of 273 questions · Page 4/4 · Identity Governance Monitoring topic · Answers revealed

226
MCQ · hard

Your organization has a hybrid identity infrastructure with Microsoft Entra ID and on-premises Active Directory. You plan to implement Microsoft Entra ID Protection to detect and respond to identity risks. You need to ensure that risky sign-ins from anonymous IP addresses are automatically blocked, while still allowing legitimate users to self-remediate. What should you configure?

A. Configure a sign-in risk policy in Microsoft Entra ID Protection to block access for high risk
B. Use the Identity Protection dashboard to manually review and block risky sign-ins
C. Configure a Conditional Access policy to block sign-ins from anonymous IP addresses and enable user risk policy for self-remediation
D. Configure a user risk policy to require password change for high risk users
Answer: C

Conditional Access blocks sign-in, and user risk policy allows self-remediation.

Why this answer

Option C is correct because it combines a Conditional Access policy to block sign-ins from anonymous IP addresses with a user risk policy that allows legitimate users to self-remediate by performing a password change. This ensures that high-risk sign-ins are automatically blocked while users can still recover their accounts without administrative intervention.

Exam trap

The trap here is that candidates often confuse sign-in risk policies with user risk policies, or assume that a single policy can both block and remediate, when in fact two separate policies are needed to meet the requirements of automatic blocking and self-remediation.

How to eliminate wrong answers

Option A is wrong because a sign-in risk policy configured to block access for high risk does not specifically target anonymous IP addresses; it blocks based on the overall sign-in risk level, which may not automatically block all anonymous IP sign-ins. Option B is wrong because manual review and blocking via the Identity Protection dashboard does not provide automatic blocking and self-remediation; it requires ongoing administrative effort and does not meet the requirement for automated response. Option D is wrong because a user risk policy requiring a password change for high risk users addresses user compromise but does not block sign-ins from anonymous IP addresses; it only triggers remediation after a risk is detected, not preventing the initial risky sign-in.

227
Multi-Select · medium

You are designing an identity lifecycle management solution for a multinational company. Employees frequently change departments, and you need to automate the assignment and removal of application access based on their current department. Which THREE Microsoft Entra features should you use?

Select 3 answers
A. Dynamic membership groups
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra access reviews
D. Microsoft Entra entitlement management
E. Microsoft Entra self-service password reset
Answers: A, C, D

Automatically adds/removes users based on department attribute.

Why this answer

Dynamic membership groups (A) are correct because they automatically add or remove users based on attribute values like 'department'. When an employee changes departments, their department attribute is updated, and the group membership is recalculated, granting or revoking access to applications assigned to that group. This is the core mechanism for automating access changes based on user attributes.

Exam trap

The trap here is confusing Privileged Identity Management (PIM) with lifecycle management—PIM handles temporary elevation for admin roles, not the ongoing assignment of application access based on user attribute changes.

228
MCQ · medium

A company wants to configure policies that detect risky sign-ins (e.g., from anonymous IPs or unfamiliar locations) and automatically require multi-factor authentication (MFA) when such risk is detected. Which Microsoft Entra ID feature should they use to create these policies?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Privileged Identity Management
D. Microsoft Entra ID Audit Logs
Answer: A

Conditional Access policies can use risk conditions such as 'Sign-in risk level' to require MFA or block access, integrating with Identity Protection.

Why this answer

Microsoft Entra ID Conditional Access is the correct feature because it allows administrators to create policies that evaluate sign-in risk signals (such as anonymous IP addresses or unfamiliar locations) and enforce access controls like requiring multi-factor authentication (MFA). Conditional Access policies can integrate with Identity Protection risk detections, but the policy itself is defined and managed within the Conditional Access blade, making it the direct tool for this requirement.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risk) with Conditional Access (which enforces the policy), leading them to select Identity Protection as the answer when the question explicitly asks for the feature that 'creates policies' to require MFA.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection detects and reports risky sign-ins and users (e.g., via risk events like anonymous IP address or unfamiliar sign-in properties), but it does not itself enforce access controls like requiring MFA; it relies on Conditional Access policies to act on those risk detections. Option C is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not risk-based sign-in policies or MFA enforcement. Option D is wrong because Microsoft Entra ID Audit Logs provide a record of sign-in and administrative activities for monitoring and compliance, but they cannot be used to create proactive policies that detect risk and enforce MFA.

229
Multi-Select · easy

Which TWO are valid methods to authenticate to Azure from a PowerShell script that runs unattended? (Choose two.)

Select 2 answers
A. Service principal with a certificate
B. Service principal with a client secret
C. User account with multi-factor authentication
D. User account with password and MFA
E. Managed identity for Azure resources
Answers: A, B

Certificate-based authentication is non-interactive and secure.

Why this answer

A service principal with a certificate is a valid unattended authentication method because the certificate can be securely stored (e.g., in Azure Key Vault or the local machine certificate store) and used by the script without an interactive login. The Azure PowerShell cmdlet `Connect-AzAccount -ServicePrincipal -ApplicationId <appId> -CertificateThumbprint <thumbprint> -Tenant <tenantId>` authenticates with the certificate's private key, which is a non-interactive, secure approach.

Exam trap

The trap here is that candidates often confuse managed identities as a universal authentication method for any script, but they only work when the script runs on an Azure resource that supports managed identities, not from arbitrary or on-premises environments.

230
Multi-Select · medium

Which TWO actions can be performed using Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A. Synchronize users from on-premises Active Directory
B. Manage access packages for internal and external users
C. Perform access reviews of group memberships
D. Configure network security group rules
E. Deploy virtual machines in Azure
Answers: B, C

Entitlement Management is part of Entra ID Governance.

Why this answer

Microsoft Entra ID Governance includes entitlement management, which allows administrators to create and manage access packages that bundle resources (like groups, apps, and SharePoint sites) and assign them to internal and external users. This enables automated lifecycle management of access, including expiration and renewal, making Option B correct.

Exam trap

The trap here is treating the access review capability (Option C) as a separate product rather than part of Entra ID Governance, so that only one of B and C looks valid, or selecting A because directory synchronization is a common identity task even though it is not a governance action.

231
Multi-Select · medium

Which TWO are benefits of using Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A. Automate the deprovisioning of user accounts when an employee leaves the organization
B. Implement entitlement management for access request workflows
C. Enable just-in-time privileged access to Azure resources
D. Provide single sign-on to all SaaS applications
E. Provide VPN connectivity for remote users
Answers: A, B

Entra ID Governance automates deprovisioning as part of the identity lifecycle.

Why this answer

Option A is correct because Microsoft Entra ID Governance includes automated lifecycle workflows that can detect when an employee leaves the organization (e.g., via HR integration) and automatically remove or disable their user accounts, ensuring timely deprovisioning and reducing security risks. This automation is a core governance capability that enforces the principle of least privilege and helps maintain a clean identity lifecycle.

Exam trap

The trap here is that candidates confuse the overlapping capabilities of Microsoft Entra ID, Entra ID Governance, and Privileged Identity Management (PIM), mistakenly attributing JIT access or SSO to governance when they belong to separate services within the Microsoft Entra portfolio.

232
Multi-Select · hard

Which THREE conditions should be met to implement a successful Azure landing zone for a new enterprise subscription? (Choose three.)

Select 3 answers
A. A dedicated Azure Active Directory tenant.
B. A management group hierarchy that separates environments.
C. Microsoft Sentinel enabled for security monitoring.
D. A defined network topology with connectivity to on-premises.
E. A subscription vending process to automate creation.
Answers: B, D, E

Management groups help organize subscriptions and apply policies.

Why this answer

A management group hierarchy that separates environments (e.g., production, non-production, and management) is a core design principle of an Azure landing zone. It enables policy inheritance, role-based access control (RBAC) isolation, and cost tracking across different workloads, aligning with the Cloud Adoption Framework's governance best practices.

Exam trap

The trap here is that candidates often confuse optional security tools like Microsoft Sentinel or dedicated tenants as mandatory prerequisites, when the Azure landing zone's success hinges on governance structure (management groups), network connectivity (hub-spoke topology), and automation (subscription vending).

233
MCQ · medium

A company uses Microsoft Entra ID and Microsoft Intune. They want to block all access to internal corporate applications from devices that are not enrolled in Intune and do not meet the company's compliance policies. The solution must apply to all cloud app access seamlessly. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Privileged Identity Management
D. Microsoft Entra ID Access Reviews
Answer: A

Conditional Access policies can require that devices be compliant and managed by Intune, blocking access from non-compliant devices.

Why this answer

Microsoft Entra ID Conditional Access is the correct feature because it enables you to create policies that evaluate device compliance and enrollment status before granting access to cloud applications. By configuring a Conditional Access policy with a condition requiring devices to be marked as compliant and enrolled in Intune, you can block access from non-compliant or unenrolled devices seamlessly across all integrated cloud apps.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based conditional access) with Conditional Access (which handles broader policy conditions like device compliance), leading them to select Identity Protection when the question explicitly requires device enrollment and compliance enforcement.

How to eliminate wrong answers

Option B (Microsoft Entra ID Identity Protection) is wrong because it focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) rather than enforcing device compliance or enrollment requirements. Option C (Microsoft Entra ID Privileged Identity Management) is wrong because it manages just-in-time privileged role assignments and access reviews for administrative roles, not device-level access controls for all users. Option D (Microsoft Entra ID Access Reviews) is wrong because it automates periodic attestation of group memberships or application access, but does not enforce real-time device compliance checks at the point of authentication.

234
Matching · medium

Match each Azure service to its primary function.


Concepts
Matches

DNS-based traffic routing

Global HTTP(S) load balancing with WAF

Regional layer-7 load balancer with WAF

Regional layer-4 load balancer

Site-to-site VPN connectivity

Why these pairings

These are core Azure networking services with distinct roles.

235
Multi-Select · medium

Your company uses Microsoft Entra ID for identity management. You need to design a monitoring solution for sign-in logs to detect suspicious activity. Which TWO Azure services should you include in the design?

Select 2 answers
A. Azure Monitor
B. Microsoft Defender for Cloud Apps
C. Microsoft Sentinel
D. Microsoft Purview
E. Log Analytics workspace
Answers: B, C

Defender for Cloud Apps (part of Microsoft Defender XDR) detects suspicious sign-in activities.

Why this answer

Microsoft Defender for Cloud Apps (Option B) is correct because it provides Cloud Access Security Broker (CASB) capabilities that analyze sign-in logs for anomalous behavior, such as impossible travel, suspicious IP addresses, and credential theft. It integrates with Microsoft Entra ID to detect and respond to risky sign-in events in real time, making it a core component for monitoring suspicious activity.

Exam trap

The trap here is that candidates often select Azure Monitor or Log Analytics workspace alone, thinking they can detect suspicious activity, but they lack the built-in threat detection and analytics engines that are specific to security-focused services like Defender for Cloud Apps and Sentinel.

236
MCQ · hard

Refer to the exhibit. You are reviewing an Azure Resource Manager deployment configuration. The deployment is failing with a conflict error. What is the most likely cause?

A. The deployment mode is Incremental instead of Complete
B. The template is not parameterized
C. The debugSetting includes requestContent, which may cause the request to exceed size limits
D. The onError property is set to DeploymentRollback
Answer: C

Including requestContent and responseContent can result in large payloads, leading to conflicts.

Why this answer

The correct answer is C because including `requestContent` in the `debugSetting` property of an ARM template deployment causes the entire HTTP request payload to be logged. For large templates or parameter files, this can exceed the Azure Resource Manager API request size limit (typically 4 MB), resulting in a conflict error (HTTP 409) as the service rejects the oversized request.

Exam trap

The trap here is that candidates often overlook the `debugSetting` property's impact on request size, mistakenly attributing conflict errors to deployment modes or rollback settings, while the real issue is the payload exceeding Azure's API size limits.

How to eliminate wrong answers

Option A is wrong because deployment mode (Incremental vs. Complete) affects resource management behavior, not request size; a conflict error is unrelated to mode selection. Option B is wrong because parameterization is a best practice for reusability, but a non-parameterized template does not cause request size overflow or conflict errors.

Option D is wrong because `onError: DeploymentRollback` defines rollback behavior on failure, but it does not cause the initial conflict error; it only triggers after a failure occurs.

237
MCQ · easy

A company uses Microsoft Entra ID. They want to allow users to sign in to multiple SaaS applications using their Microsoft Entra ID credentials without being prompted again for each application. Which Microsoft Entra ID feature should they enable?

A. Single Sign-On (SSO)
B. Multi-Factor Authentication (MFA)
C. Conditional Access
D. Identity Protection
Answer: A

Correct. SSO provides seamless access to multiple apps after a single authentication.

Why this answer

Single Sign-On (SSO) enables users to authenticate once with Microsoft Entra ID and then access multiple SaaS applications without being prompted again. This works by using standards like SAML 2.0 or OpenID Connect to issue a session token or cookie that is reused across applications, eliminating repeated credential prompts.

Exam trap

The trap here is that candidates confuse MFA or Conditional Access with SSO, thinking that additional security features inherently reduce sign-in prompts, but in reality, SSO is the specific feature designed to eliminate repeated prompts, while MFA and Conditional Access are complementary security controls that do not provide that functionality.

How to eliminate wrong answers

Option B (Multi-Factor Authentication) is wrong because MFA adds an extra layer of security by requiring a second verification factor, but it does not eliminate repeated sign-in prompts across applications; it actually increases authentication friction. Option C (Conditional Access) is wrong because it is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals, but it does not provide the seamless token reuse that SSO offers. Option D (Identity Protection) is wrong because it is a risk-based detection and remediation service that identifies compromised identities and suspicious sign-ins, not a mechanism to avoid repeated authentication prompts.

238
MCQ · hard

Your company is designing a monitoring solution for a critical line-of-business application running on multiple Azure VMs. The application emits custom performance counters. You need to ingest these counters into Azure Monitor Metrics and create a metric alert when the average value exceeds a threshold over 5 minutes. The solution must minimize latency between counter emission and alert firing. What should you use?

A. Application Insights agent to collect counters and send to Application Insights, then create a metric alert.
B. Azure Monitor agent to collect counters and send to Azure Monitor Metrics, then create a metric alert.
C. Log Analytics agent to collect counters and send to a Log Analytics workspace, then create a log alert.
D. Azure Diagnostics extension to collect counters and send to Azure Storage, then use Azure Monitor Metrics from storage.
Answer: B

Azure Monitor agent can send performance counters directly to Metrics, enabling low-latency metric alerts.

Why this answer

The Azure Monitor agent is the correct choice because it can collect custom performance counters and send them directly to Azure Monitor Metrics, which supports near-real-time metric alerts with low latency. This minimizes the delay between counter emission and alert firing, meeting the requirement for a 5-minute evaluation window.

Exam trap

The trap here is that candidates often confuse the Log Analytics agent (which sends to Log Analytics for log alerts) with the Azure Monitor agent (which sends to Metrics for metric alerts), or they incorrectly assume that Application Insights can handle custom performance counters from VMs with low latency.

How to eliminate wrong answers

Option A is wrong because Application Insights is designed for application-level telemetry (e.g., requests, dependencies) and does not natively ingest custom performance counters from VMs into Azure Monitor Metrics; it would add unnecessary latency and complexity. Option C is wrong because the Log Analytics agent sends data to a Log Analytics workspace, which uses log alerts that have higher latency (minutes to hours) and are not optimized for near-real-time metric-based alerting. Option D is wrong because the Azure Diagnostics extension sends data to Azure Storage, which is not a real-time ingestion path; reading from storage to create metric alerts introduces significant latency and is not a supported pattern for low-latency alerting.

239
MCQ · easy

A company uses Microsoft Entra ID. They want to integrate their on-premises Active Directory with Microsoft Entra ID to enable single sign-on (SSO) for cloud applications. Users should be able to use the same password for on-premises resources and cloud applications. The company has a large on-premises user base and wants to avoid additional infrastructure for federation. Which Microsoft Entra ID feature should they implement?

A. Microsoft Entra ID Connect (Password Hash Synchronization)
B. Microsoft Entra ID Application Proxy
C. Microsoft Entra ID B2B
D. Microsoft Entra ID Domain Services
Answer: A

PHS syncs password hashes to Microsoft Entra ID, allowing users to authenticate with their on-premises credentials for cloud apps. It is simple and requires no additional federation infrastructure.

Why this answer

Password Hash Synchronization (PHS) is the correct choice because it synchronizes password hashes from on-premises Active Directory to Microsoft Entra ID, enabling users to use the same password for both on-premises and cloud resources without requiring any additional federation infrastructure. This meets the requirement for SSO to cloud applications while avoiding the complexity and cost of deploying Active Directory Federation Services (AD FS) or other federation servers.

Exam trap

The trap here is that candidates often confuse federation (e.g., AD FS) as the only way to achieve SSO with password reuse, but Password Hash Synchronization provides a simpler, infrastructure-free alternative that still meets the requirement.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Application Proxy is designed to provide secure remote access to on-premises web applications, not to synchronize identities or enable SSO via password reuse. Option C is wrong because Microsoft Entra ID B2B (Business-to-Business) is used for collaborating with external guest users from other organizations, not for integrating an on-premises AD with Entra ID for internal user SSO. Option D is wrong because Microsoft Entra ID Domain Services provides managed domain services (e.g., group policy, LDAP, Kerberos) for Azure VMs, but it does not synchronize passwords or enable SSO to cloud applications from on-premises AD.

240
MCQ · easy

You need to monitor the sign-in activities of users in Microsoft Entra ID and detect risky sign-ins, such as those from anonymous IP addresses. Which service should you use?

A. Microsoft Entra Identity Protection
B. Microsoft Defender XDR
C. Azure Monitor
D. Microsoft Sentinel
Answer: A

Identity Protection uses machine learning to detect risky sign-ins and users.

Why this answer

Microsoft Entra Identity Protection is the correct service because it is specifically designed to detect and respond to risky sign-in activities, including sign-ins from anonymous IP addresses, using machine learning-based risk detection policies. It integrates directly with Microsoft Entra ID to evaluate sign-in risk in real time and can automatically block or require multi-factor authentication based on configured risk thresholds.

Exam trap

Microsoft often tests the distinction between a dedicated identity risk detection service (Identity Protection) and a broader security or monitoring platform (Defender XDR, Sentinel, or Azure Monitor), leading candidates to choose the more general tool when the question specifically asks for a service that detects risky sign-ins from anonymous IP addresses.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender XDR (Extended Detection and Response) focuses on detecting and responding to security threats across endpoints, email, and applications, not specifically on monitoring sign-in risk from anonymous IP addresses in Entra ID. Option C is wrong because Azure Monitor is a platform for collecting and analyzing telemetry from Azure resources and applications, but it does not have built-in risk detection algorithms for sign-in activities like anonymous IP addresses. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) that ingests logs from multiple sources for advanced threat hunting and analysis, but it is not the primary service for real-time, policy-driven risky sign-in detection in Entra ID; that is the role of Identity Protection.

241
MCQ · easy

You are designing a monitoring solution for a cloud-native application that uses Azure Functions, Azure Storage, and Azure Cosmos DB. The solution must provide centralized log collection and analysis, enable proactive alerting on application errors, and support long-term log retention for compliance (7 years). What should you include in the design?

A. Use Azure Storage with cool tier for logs and enable Azure Storage Analytics logs.
B. Store logs in Azure Monitor Metrics with a retention of 93 days.
C. Use Application Insights to collect logs and set retention to 90 days, then export to Azure Blob Storage for archival.
D. Configure diagnostic settings for each Azure resource to send logs and metrics to a Log Analytics workspace.
Answer: D

Log Analytics workspace provides centralized log storage, querying, and long-term retention.

Why this answer

Option D is correct because a Log Analytics workspace provides centralized log storage, analysis, and retention of up to 7 years. Option C is wrong because Application Insights is for application performance monitoring, not long-term retention. Option B is wrong because Azure Monitor Metrics store numeric data only, not logs.

Option A is wrong because Azure Storage (cool tier) holds raw log files and provides no analysis.

242
Multi-Select · hard

Which THREE Azure Monitor capabilities can be used to detect and diagnose performance issues in a multi-tier application?

Select 3 answers
A. Azure Monitor Workbooks
B. Azure Policy
C. Live Metrics Stream in Application Insights
D. Application Insights Profiler
E. Application Map in Application Insights
Answers: C, D, E

Live Metrics provides real-time performance monitoring.

Why this answer

Live Metrics Stream in Application Insights (Option C) provides real-time monitoring of application performance metrics, such as request rates, response times, and failure rates, with sub-second latency. This allows immediate detection of performance issues as they occur, making it ideal for diagnosing live problems in a multi-tier application.

Exam trap

The trap here is that candidates may confuse Azure Monitor Workbooks (a visualization tool) with a diagnostic capability, or think Azure Policy can monitor performance, when in fact only Application Insights features like Live Metrics Stream, Profiler, and Application Map provide real-time or deep diagnostic insights.

243
Multi-Select · hard

Which THREE components are required to implement a complete monitoring solution with Azure Monitor? (Choose three.)

Select 3 answers
A. Application Insights for every application
B. Azure Policy assignments
C. Alert rules to notify on conditions
D. A Log Analytics workspace for log storage
E. Data sources such as Azure resources and applications
Answers: C, D, E

Alerts are essential for proactive monitoring.

Why this answer

Alert rules (C) are a core component of a complete monitoring solution because they define conditions that trigger notifications or automated actions when monitored metrics or log data cross thresholds. Without alert rules, collected data remains passive and cannot proactively inform administrators of issues, making the solution incomplete.

Exam trap

The trap here is that candidates often confuse optional monitoring tools (like Application Insights) with mandatory components, or they mistakenly think governance tools (like Azure Policy) are part of the monitoring pipeline, when in fact the three required components are data sources, a Log Analytics workspace, and alert rules.

244
MCQ · medium

A company uses Microsoft Entra ID to manage identities for employees and partners. They need to allow partners to self-service reset their passwords using a mobile app notification. Which feature should you enable?

A. Microsoft Entra ID Self-Service Password Reset (SSPR)
B. Microsoft Entra ID Identity Protection
C. Microsoft Intune
D. Microsoft Entra ID Privileged Identity Management
Answer: A

SSPR enables users to reset passwords via registered methods like mobile app notification.

Why this answer

Microsoft Entra ID Self-Service Password Reset (SSPR) is the correct feature because it allows users, including partners configured as external users in the tenant, to reset their own passwords without administrator intervention. SSPR supports multiple authentication methods, including mobile app notification via the Microsoft Authenticator app, which satisfies the requirement for a mobile app notification-based reset. This feature is specifically designed for password reset scenarios and can be scoped to include guest users when properly configured.

Exam trap

The trap here is that candidates often confuse Identity Protection (which deals with risk and conditional access) with SSPR, because both involve authentication methods, but Identity Protection does not enable password reset functionality.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-in activities and potential vulnerabilities, but it does not provide self-service password reset capabilities. Option C is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for managing devices and apps, not a password reset feature for user accounts. Option D is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged access and role activation, not self-service password reset for standard users or partners.

245
MCQ · hard

Your company uses Microsoft Entra ID (formerly Azure AD) and requires that all external guest users be automatically reviewed for access every 90 days. The review should be performed by the guest user's manager in the partner organization. However, the partner organization does not use Microsoft Entra ID. Which solution should you implement?

A. Create a custom Azure Logic App to send email reminders and manually track access expiration.
B. Configure Microsoft Entra ID access reviews to include guest users and assign the review to the guest user's external manager.
C. Use Azure AD B2C to manage guest identities and set up a custom review process.
D. Configure Microsoft Entra ID access reviews to ask the guest user to self-attest their access every 90 days.
Answer: D

Self-attestation allows guest users to confirm their need for access, which is suitable when the partner organization does not have its own identity system.

Why this answer

Option D is correct because Microsoft Entra ID access reviews can be configured to require guest users to self-attest their access. This is the only viable solution when the guest user's organization does not use Microsoft Entra ID, as there is no external manager identity to assign the review to. The self-attestation process allows the guest user to confirm whether they still need access, and the review can be set to recur every 90 days as required.

Exam trap

The trap here is that candidates assume an external manager can be assigned as a reviewer even when the partner organization does not use Microsoft Entra ID, overlooking the fact that the reviewer must exist as an identity in the tenant or be a valid email address that can respond to the review request.

How to eliminate wrong answers

Option A is wrong because creating a custom Azure Logic App for email reminders and manual tracking is not an automated, built-in governance solution and does not meet the requirement for automatic reviews every 90 days. Option B is wrong because it is not possible to assign the review to the guest user's external manager when the partner organization does not use Microsoft Entra ID; there is no identity for that manager in the directory. Option C is wrong because Azure AD B2C is designed for customer-facing identity management, not for managing guest user access reviews in a Microsoft Entra ID tenant, and it does not provide the required automatic review scheduling.

246
MCQmedium

A company uses Microsoft Entra ID. They want to allow external business partners to request access to a specific internal application. The access must be time-limited and require approval from a manager within the partner's organization. Additionally, access should automatically expire after the defined period. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Entitlement Management
B.Microsoft Entra ID B2B Collaboration
C.Microsoft Entra ID Identity Governance
D.Microsoft Entra ID Privileged Identity Management (PIM)
AnswerA

Microsoft Entra ID Entitlement Management enables you to create access packages that external users can request. You can configure approval workflows, set time limits, and auto-expire access. It is part of Microsoft Entra ID Identity Governance.

Why this answer

Microsoft Entra ID Entitlement Management enables organizations to manage access requests for internal and external users through access packages. It supports time-limited access with automatic expiration and allows delegation of approval to a manager within the partner's organization via connected organizations. This directly meets the requirement for external partner self-service access with time-bound, approved access.

Exam trap

The trap here is that candidates often confuse Entitlement Management with B2B Collaboration, thinking B2B alone provides access control and expiration, when in fact B2B only handles identity creation and invitation, while Entitlement Management adds the governance layer for time-limited, approved access.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID B2B Collaboration provides the underlying invitation and redemption mechanism for external users but does not include built-in time-limited access, approval workflows, or automatic expiration; it requires additional configuration with Entitlement Management or other features. Option C is wrong because Microsoft Entra ID Identity Governance is an overarching category that includes Entitlement Management, access reviews, and lifecycle workflows, but it is not a specific feature that directly handles external partner access requests with time limits and manager approval. Option D is wrong because Microsoft Entra ID Privileged Identity Management (PIM) is designed for managing, controlling, and monitoring privileged roles within an organization, not for granting time-limited access to applications for external business partners.

247
MCQmedium

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to ensure that an alert is generated when an Azure VM is created with an open inbound SSH port (22) from the internet. The solution should use existing Azure resources and minimize administrative overhead. What should you use?

A.Create a Microsoft Sentinel analytics rule using the Azure Activity data connector.
B.Create an Azure Policy with audit effect and configure a Sentinel data connector for Azure Policy.
C.Create an Azure Monitor metric alert on the 'Network In' metric.
D.Enable Microsoft Defender for Cloud and configure a continuous export to Sentinel.
AnswerA

The analytics rule can detect VM creation events and check for open ports by correlating with NSG flow logs or resource configuration.

Why this answer

Option A is correct because Microsoft Sentinel's Azure Activity data connector ingests resource logs from Azure's control plane (Azure Resource Manager). By creating an analytics rule that detects a 'Microsoft.Compute/virtualMachines/write' operation with a network security group rule allowing inbound SSH (port 22) from 'Internet' (any IP), you can generate an alert without deploying additional agents or infrastructure. This minimizes administrative overhead by using existing Sentinel resources and the built-in Activity log connector.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Defender for Cloud or Azure Policy, thinking they need a security-specific service, when the simplest path is to use the already-connected Azure Activity data connector in Sentinel to monitor control-plane operations for risky configurations.

How to eliminate wrong answers

Option B is wrong because Azure Policy with audit effect can evaluate compliance and log to the Activity Log, but it does not natively generate Sentinel alerts; you would need a separate data connector for Azure Policy (which is not a standard Sentinel connector) and additional logic to create alerts, increasing overhead. Option C is wrong because the 'Network In' metric on Azure Monitor measures data throughput at the VM's virtual NIC, not inbound SSH port 22 access; it cannot detect open ports or security rules. Option D is wrong because enabling Microsoft Defender for Cloud and configuring continuous export to Sentinel adds unnecessary complexity and cost; while Defender for Cloud can detect open SSH ports, the question specifically requires using existing resources with minimal overhead, and the Azure Activity data connector alone suffices.

248
MCQhard

Your organization uses Microsoft Entra ID and requires that all external users invited via B2B collaboration authenticate using multi-factor authentication (MFA). You need to enforce this for all guest users. What should you configure?

A.Microsoft Entra B2B collaboration settings
B.Microsoft Entra Identity Protection user risk policy
C.Microsoft Entra ID MFA registration policy
D.Microsoft Entra Conditional Access policy
AnswerD

Conditional Access policy can target guest users and require MFA as a grant control.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID allow you to enforce MFA for guest users by targeting the 'Guest or external users' identity type and requiring MFA as a grant control. This provides granular control over authentication requirements for B2B collaboration users, unlike the other options which either lack enforcement capability or apply to different scenarios.

Exam trap

The trap here is confusing MFA registration (a prerequisite) with MFA enforcement (a runtime control), leading candidates to select Option C, which only ensures users have registered for MFA but does not require them to actually use it during sign-in.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration settings only control invitation behavior (e.g., who can invite, allowed domains) and do not enforce MFA during authentication. Option B is wrong because Identity Protection user risk policy triggers based on detected risk signals (e.g., leaked credentials) and does not enforce MFA for all guest users unconditionally. Option C is wrong because the MFA registration policy only requires users to register for MFA but does not enforce MFA during sign-in; it is a prerequisite, not an enforcement mechanism.

249
MCQmedium

Your company uses Microsoft Sentinel for security monitoring. You need to design a solution that automatically responds to incidents involving high-severity alerts. The response should include creating an incident in Microsoft Teams and sending an email to the security team. What should you use?

A.Microsoft Sentinel automation rules and playbooks
B.Azure Policy with remediation tasks
C.Azure Monitor alert rules with action groups
D.Microsoft Defender for Cloud security alerts
AnswerA

Automation rules can trigger playbooks (Logic Apps) to automate response actions like creating Teams messages and sending emails.

Why this answer

Microsoft Sentinel automation rules and playbooks (built on Azure Logic Apps) are specifically designed to orchestrate automated responses to security incidents. When a high-severity alert triggers an incident, an automation rule can invoke a playbook that creates a Microsoft Teams message and sends an email via connectors like Office 365 Outlook, meeting the exact requirements.

Exam trap

The trap here is that candidates confuse Azure Monitor action groups (which can send emails/SMS for metric alerts) with Sentinel's incident-specific automation, overlooking that Sentinel requires its own automation rules and playbooks to orchestrate security response workflows.

How to eliminate wrong answers

Option B is wrong because Azure Policy with remediation tasks enforces compliance rules on Azure resources (e.g., ensuring encryption is enabled) and cannot trigger incident response workflows in Microsoft Teams or send emails based on Sentinel alerts. Option C is wrong because Azure Monitor alert rules with action groups are designed for infrastructure and application monitoring (e.g., CPU usage, HTTP errors), not for security incident response; they lack the context of Sentinel's threat intelligence and cannot create Teams incidents natively. Option D is wrong because Microsoft Defender for Cloud security alerts provide security posture recommendations and threat detections but do not include built-in automation to create Teams incidents or send emails; they rely on Sentinel or other tools for response orchestration.

250
MCQeasy

Refer to the exhibit. You assign this Azure Policy to a resource group. A user attempts to create a new Azure SQL Server without specifying an administrator login. What will happen?

A.The SQL Server is created with a default administrator login.
B.The SQL Server creation is denied.
C.The policy is ignored because the condition is not met.
D.The SQL Server is created but a compliance alert is generated.
AnswerB

The policy denies creation if administratorLogin is not set.

Why this answer

The Azure Policy assigned to the resource group includes a condition that checks if the 'administratorLogin' property is missing or null when creating a SQL Server. Since the user does not specify an administrator login, the condition evaluates to true, triggering the 'deny' effect. This prevents the creation of the SQL Server entirely, as Azure Policy enforces compliance before the resource is provisioned.

Exam trap

The trap here is that candidates may assume Azure SQL Server has a default administrator login or that the policy would only generate an alert, but Azure Policy's 'deny' effect proactively blocks non-compliant resource creation, not just reports on it.

How to eliminate wrong answers

Option A is wrong because Azure SQL Server requires an administrator login to be specified; there is no default login, and the policy explicitly denies creation when it is missing. Option C is wrong because the condition is met—the administrator login is not specified—so the policy is not ignored; it actively denies the request. Option D is wrong because the policy's 'deny' effect blocks creation before the resource is deployed, so no SQL Server is created to generate a compliance alert; alerts only occur for 'audit' or 'modify' effects, not 'deny'.

251
MCQmedium

Your company uses Microsoft Entra ID to manage identities for 5,000 employees. You plan to implement Microsoft Entra ID Governance to automate the user provisioning lifecycle for a third-party SaaS application. The application supports SCIM 2.0. You need to ensure that user accounts are automatically created, updated, and disabled in the application based on changes in Entra ID. What should you do?

A.Use Microsoft Graph API to write a custom provisioning solution
B.Configure Microsoft Entra B2B collaboration for the application
C.Publish the application using Microsoft Entra Application Proxy
D.Configure automatic provisioning in Microsoft Entra ID using the SCIM endpoint
AnswerD

SCIM provisioning automates lifecycle events.

Why this answer

Option D is correct because Microsoft Entra ID's automatic provisioning feature natively supports SCIM 2.0 endpoints, enabling automated creation, update, and deactivation of user accounts in third-party SaaS applications based on changes in Entra ID. This eliminates the need for custom code and provides a managed, scalable solution for the user provisioning lifecycle.

Exam trap

The trap here is that candidates may confuse the purpose of Application Proxy (remote access) or B2B collaboration (external identities) with provisioning automation, or assume that a custom Graph API solution is necessary when the built-in SCIM provisioning service is the correct, managed approach.

How to eliminate wrong answers

Option A is wrong because using Microsoft Graph API to write a custom provisioning solution would require significant development effort and ongoing maintenance, whereas the built-in provisioning service already handles SCIM-based automation without custom code. Option B is wrong because Microsoft Entra B2B collaboration is designed for external user access and guest identity management, not for automating the provisioning lifecycle of internal employees in a SaaS application. Option C is wrong because Microsoft Entra Application Proxy is used for secure remote access to on-premises web applications, not for provisioning user accounts to cloud SaaS applications.

252
MCQeasy

Your organization uses Microsoft Purview for data governance. You need to classify sensitive data in Azure SQL Database and automatically apply sensitivity labels. What should you configure?

A.Azure Information Protection scanner
B.Microsoft Purview Data Map with scanning and labeling
C.Microsoft Sentinel with a workbook
D.Azure Policy with built-in SQL classification policy
AnswerB

Purview Data Map can scan Azure SQL Database and apply sensitivity labels automatically.

Why this answer

Microsoft Purview Data Map with scanning and labeling is the correct solution because it integrates with Azure SQL Database to automatically scan for sensitive data types (e.g., credit card numbers, social security numbers) and apply sensitivity labels defined in Microsoft Purview Information Protection. This native integration uses the Purview scanning infrastructure to classify data at rest and propagate labels directly to the SQL database, meeting the requirement for automated classification and labeling.

Exam trap

The trap here is that candidates often confuse Azure Policy's 'SQL classification' built-in initiative (which only audits or enforces the presence of classification) with the actual scanning and labeling capability, leading them to choose Option D instead of recognizing that Purview Data Map is the service that performs the automated classification work.

How to eliminate wrong answers

Option A is wrong because Azure Information Protection (AIP) scanner is designed for on-premises file shares and SharePoint, not for Azure SQL Database; it cannot scan or label data within a PaaS database. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security monitoring and threat detection, not a data classification or labeling tool; it lacks the capability to scan database schemas or apply sensitivity labels. Option D is wrong because Azure Policy with built-in SQL classification policy only enforces compliance rules (e.g., requiring classification to be enabled) but does not perform automatic scanning or labeling of sensitive data; it is a governance policy, not a classification engine.

253
MCQeasy

You need to monitor the performance and health of your Azure virtual machines, including custom metrics and logs. You also need to set up alerts based on specific thresholds. Which Azure service should you use?

A.Application Insights
B.Azure Service Health
C.Log Analytics
D.Azure Monitor
AnswerD

Azure Monitor provides full monitoring, including metrics, logs, and alerts for VMs.

Why this answer

Azure Monitor is the correct choice because it provides a comprehensive solution for collecting, analyzing, and acting on telemetry from Azure virtual machines, including custom metrics and logs. It integrates with the Azure Monitor Agent to gather performance counters and event logs, and supports metric alerts and log alerts based on specific thresholds, directly meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Log Analytics (a data store and query tool) with Azure Monitor (the full monitoring and alerting platform), leading them to select Option C when Azure Monitor is the correct overarching service that includes Log Analytics and alerting capabilities.

How to eliminate wrong answers

Option A is wrong because Application Insights is an Application Performance Management (APM) service focused on monitoring live web applications, not infrastructure-level metrics and logs from Azure VMs. Option B is wrong because Azure Service Health provides information about Azure service-level issues and planned maintenance, not custom metrics, logs, or threshold-based alerts for individual VMs. Option C is wrong because Log Analytics is a component within Azure Monitor that stores and queries log data, but it is not the overarching service for monitoring, alerting, and metrics; Azure Monitor is the parent service that includes Log Analytics.

254
MCQmedium

Your organization is designing a monitoring solution for a critical application running on Azure VMs. You need to collect performance metrics and logs from the VMs and send them to a centralized Log Analytics workspace. You also need to visualize the data in near real-time. Which combination of services should you use?

A.Azure Monitor Agent and Azure Workbooks
B.Azure Diagnostics extension and VM Insights
C.Azure Monitor Agent and Azure Sentinel
D.Log Analytics Agent and Azure Dashboards
AnswerA

Azure Monitor Agent is the current recommended agent; Workbooks provide rich visualizations.

Why this answer

Azure Monitor Agent is the current recommended agent for collecting performance metrics and logs from Azure VMs and sending them to a Log Analytics workspace. Azure Workbooks provide interactive, near real-time visualizations by querying the workspace data. This combination meets the requirements for centralized collection and visualization without unnecessary overhead.

Exam trap

The trap here is confusing Azure Sentinel (a SIEM) with Azure Monitor (a general monitoring solution), leading candidates to select a security-focused tool for a performance monitoring requirement.

How to eliminate wrong answers

Option B is wrong because VM Insights uses the Azure Monitor Agent (or legacy Log Analytics agent) to collect data, but it is a monitoring solution focused on VM health and dependencies, not a direct tool for building custom near real-time visualizations; the Diagnostics extension is legacy and does not send data to Log Analytics by default. Option C is wrong because Azure Sentinel is a SIEM (Security Information and Event Management) tool designed for security analytics and threat detection, not for general performance monitoring and visualization. Option D is wrong because the Log Analytics Agent is legacy and being deprecated in favor of Azure Monitor Agent, and Azure Dashboards are static views that do not support interactive near real-time querying like Workbooks do.

255
MCQmedium

You are designing a monitoring solution for a critical application running on Azure virtual machines. The application must maintain an SLA of 99.99% uptime. You need to be notified within five minutes if any VM becomes unavailable. What should you configure?

A.Log Analytics workspaces
B.Azure Advisor recommendations
C.Azure Service Health alerts
D.Azure Monitor VM Insights with availability metric alerts
AnswerD

VM Insights monitors VM heartbeat and can trigger alerts within minutes.

Why this answer

Option D is correct because VM Insights with availability metric alerts monitors the heartbeat of Azure VMs and triggers an alert within five minutes if a VM becomes unavailable. This directly supports the 99.99% SLA requirement by enabling rapid notification of downtime, using the 'VM Availability Metric (Preview)' which tracks the VM's running state via the Azure Resource Health provider.

Exam trap

The trap here is confusing Azure Service Health alerts (which cover Azure platform outages) with VM-level availability monitoring, leading candidates to choose Option C instead of the correct VM Insights metric alert approach.

How to eliminate wrong answers

Option A is wrong because Log Analytics workspaces are used for collecting and analyzing log and performance data, not for real-time availability monitoring or triggering alerts within five minutes of VM unavailability. Option B is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance, but does not monitor VM uptime or send alerts for availability breaches. Option C is wrong because Azure Service Health alerts notify about Azure service-level issues affecting your subscription, not about the availability of individual VMs within your environment.

256
MCQhard

Your organization is deploying a critical application in Azure that must maintain an uptime SLA of 99.99%. The application runs on Azure Virtual Machines in a single region. You need to design a monitoring solution that alerts the operations team within 5 minutes of any VM unavailability. The solution must minimize false positives and avoid alert fatigue. What should you include in the design?

A.Configure Azure Monitor VM insights with availability metric alerts set to fire when the VM is unavailable for 2 out of the last 5 minutes.
B.Create an Azure Service Health alert for the 'Virtual machine' service.
C.Create an Azure Monitor alert based on the Activity Log for 'Virtual Machine Guest OS Unresponsive' events.
D.Deploy the Log Analytics agent on each VM and create an alert for when heartbeat data is missing for 5 minutes.
AnswerA

VM insights availability metrics provide accurate unavailability detection with dynamic thresholds, reducing false positives.

Why this answer

Option A is correct because availability metrics from Azure Monitor VM insights provide accurate unavailability detection with minimal false positives, and multi-metric alerts reduce noise. Option C is wrong because Activity Log alerts only fire on configuration changes, not on VM unavailability itself. Option B is wrong because Service Health alerts cover Azure service incidents but not VM-level failures.

Option D is wrong because Log Analytics agent-based heartbeat alerts can have delays and require additional configuration, and single-metric alerts may cause alert fatigue.

257
MCQmedium

Your company uses Microsoft Intune for device management. You need to ensure that only devices that are compliant with security policies can access corporate resources. The solution must also support legacy authentication protocols. What should you implement?

A.Microsoft Defender for Endpoint
B.Device-based Conditional Access with 'Require hybrid Azure AD joined device'
C.Conditional Access policies with 'Require device to be marked as compliant'
D.Microsoft Entra application proxy
AnswerC

Conditional Access can enforce device compliance and can be configured to allow legacy authentication with appropriate conditions.

Why this answer

Option C is correct because the requirement is to enforce compliance-based access control for devices managed by Microsoft Intune, while also supporting legacy authentication protocols. Conditional Access policies with 'Require device to be marked as compliant' evaluate the device's compliance status reported by Intune and can block or allow access based on that status. This works with legacy authentication protocols (e.g., POP3, IMAP, SMTP) when combined with a compliance policy that does not require modern authentication, though legacy protocols are inherently less secure and should be used cautiously.

Exam trap

The trap here is that candidates often confuse 'device compliance' with 'hybrid Azure AD join' or 'Microsoft Defender for Endpoint', assuming that any security tool or join state can enforce access control, but only a Conditional Access policy explicitly targeting the device compliance attribute can enforce Intune-based compliance for both modern and legacy authentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint is a security solution for endpoint detection and response (EDR), not a policy mechanism to enforce device compliance for access control. Option B is wrong because 'Require hybrid Azure AD joined device' mandates that devices be joined to both on-premises Active Directory and Azure AD, which is not necessary for Intune-managed devices and does not directly enforce compliance policies; it also does not inherently support legacy authentication protocols. Option D is wrong because Microsoft Entra application proxy provides secure remote access to on-premises web applications via reverse proxy, but it does not enforce device compliance or control access based on Intune compliance status.

258
MCQmedium

Refer to the exhibit. You create this Azure Policy definition in a management group that contains all subscriptions. After assigning the policy, you notice that no audit events are generated when a new custom RBAC role is created. What is the most likely reason?

A.The policy should be assigned at the subscription level to audit custom role creation.
B.The 'Audit' effect with the specified details does not trigger an audit event when a custom role is created because the policy is not evaluating the correct condition.
C.The policy definition is a custom policy, and custom policies cannot audit RBAC role definitions.
D.The policy mode is set to 'All', which does not include RBAC role definitions.
AnswerB

The policy is misconfigured; it audits all role definitions but does not specifically detect creation of custom roles.

Why this answer

Option B is correct because the policy uses the 'Audit' effect but the details section incorrectly references all role definitions, which does not produce an audit log entry for custom role creation. The policy should use the 'AuditIfNotExists' or 'Deny' effect to detect custom roles. Option C is wrong because custom policies can audit custom roles.

Option D is wrong because the mode 'All' includes resource types like role definitions. Option A is wrong because custom RBAC roles are a resource type that can be audited at management group scope as well as at subscription scope; the assignment scope is not the cause.

259
Multi-Selectmedium

Which TWO actions should you take to ensure that only authorized users can access sensitive data stored in Azure Blob Storage? (Choose two.)

Select 2 answers
A.Configure Azure RBAC roles to grant access to specific users.
B.Configure firewall rules to allow only specific IP addresses.
C.Enable blob versioning.
D.Enable soft delete for blobs.
E.Enable infrastructure encryption.
AnswersA, E

RBAC is the primary method to control access to Azure resources.

Why this answer

Azure RBAC roles allow you to grant granular permissions to specific users or groups, ensuring that only authorized identities can access sensitive data in Blob Storage. By assigning built-in roles like 'Storage Blob Data Reader' or 'Storage Blob Data Contributor', you enforce identity-based access control at the storage account, container, or blob level. This directly addresses the requirement of restricting access to authorized users.

Exam trap

The trap here is that candidates often confuse network-level controls (firewall rules) or data protection features (versioning, soft delete) with access control mechanisms, but only identity-based authorization (RBAC) and encryption directly ensure that only authorized users can access sensitive data.

260
MCQhard

You are designing a governance strategy for an Azure environment that includes multiple subscriptions. The security team requires that all storage accounts must have HTTPS traffic only. Any non-compliant storage account must be automatically remediated. What is the most efficient solution?

A.Create an Azure Blueprint that includes a policy initiative
B.Assign a custom RBAC role that denies creation of storage accounts without HTTPS
C.Use Azure Policy with a DeployIfNotExists effect to enable HTTPS-only traffic
D.Configure Azure Monitor alerts to notify the security team
AnswerC

DeployIfNotExists automatically remediates non-compliant resources.

Why this answer

Option C is correct because Azure Policy with a DeployIfNotExists effect can automatically remediate non-compliant storage accounts by enabling the 'HTTPS traffic only' property. This approach ensures continuous compliance without manual intervention, meeting the security team's requirement for automatic remediation.

Exam trap

The trap here is that candidates often confuse Azure Policy's DeployIfNotExists effect with Azure Blueprints, assuming Blueprints can also remediate, but Blueprints only enforce initial compliance and do not provide ongoing automatic remediation for existing resources.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints are used to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates, but they do not automatically remediate non-compliant resources after deployment; they only enforce initial compliance. Option B is wrong because a custom RBAC role that denies creation of storage accounts without HTTPS would only prevent new non-compliant accounts from being created, but it would not remediate existing non-compliant storage accounts. Option D is wrong because Azure Monitor alerts only notify the security team of non-compliance; they do not automatically remediate the issue, which is a core requirement of the question.

261
MCQeasy

Your organization has 500 users in Microsoft Entra ID. You need to ensure that users can only access Microsoft 365 apps from compliant devices (compliant with Intune policies). Users are already enrolled in Intune. The compliance policies are defined. You need to configure the access control mechanism. What should you do?

A.Create a Conditional Access policy that blocks all access and then create exclusions for compliant devices.
B.Configure Intune compliance policies to automatically revoke access for non-compliant devices.
C.Create a Conditional Access policy that requires device to be marked as compliant.
D.Create a Conditional Access policy that requires MFA based on location.
AnswerC

This policy enforces that only compliant devices can access Microsoft 365 apps.

Why this answer

Option C is correct because Conditional Access in Microsoft Entra ID is the mechanism that enforces access controls based on signals like device compliance. By creating a policy that requires the device to be marked as compliant, you ensure that only devices meeting Intune compliance policies can access Microsoft 365 apps. This directly addresses the requirement without blocking all access or relying on automatic revocation.

Exam trap

The trap here is that candidates confuse Intune compliance policies (which define rules) with the access control enforcement mechanism (Conditional Access), leading them to choose Option B, which incorrectly assumes compliance policies can directly revoke access without a Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because blocking all access and then creating exclusions for compliant devices is an overly complex and error-prone approach; Conditional Access policies should grant access based on conditions, not block all and carve out exceptions. Option B is wrong because Intune compliance policies define the compliance criteria but do not enforce access control themselves; they rely on Conditional Access to block or allow access based on compliance status. Option D is wrong because requiring MFA based on location addresses authentication strength, not device compliance, and does not ensure that only compliant devices can access Microsoft 365 apps.

262
MCQ · medium

A company uses Microsoft Entra ID Premium P2. They need to automatically block sign-ins from anonymous IP addresses (e.g., Tor) and force users from risky sign-ins to reset their password. They want to minimize administrative effort and use built-in features. Which Microsoft Entra ID feature should they enable?

A. Microsoft Entra ID Identity Protection risk policies (sign-in risk and user risk).
B. Conditional Access policies with locations and grant controls.
C. Microsoft Entra ID Privileged Identity Management (PIM).
D. Microsoft Entra ID Access Reviews.
Answer: A

Identity Protection includes built-in policies that automatically detect sign-in risks (including anonymous IP addresses) and user risks (e.g., leaked credentials). The sign-in risk policy can block the sign-in, and the user risk policy can require a password reset. This minimizes manual configuration.

Why this answer

Option A is correct because Microsoft Entra ID Identity Protection provides built-in risk policies that automatically detect and block sign-ins from anonymous IP addresses (e.g., Tor) via the sign-in risk policy, and force password reset for users flagged with high user risk via the user risk policy. These policies operate without manual intervention, minimizing administrative effort while leveraging Premium P2 capabilities.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with Identity Protection risk policies, assuming that location-based blocking can replace dynamic risk detection, but Conditional Access lacks the built-in anonymous IP detection and automated password reset triggers that Identity Protection provides.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies with locations and grant controls can block IP ranges or require MFA, but they cannot natively detect anonymous IP addresses like Tor or automatically trigger password resets based on risk; they rely on static location definitions rather than dynamic risk signals. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not sign-in risk detection or password reset enforcement. Option D is wrong because Access Reviews are used for periodic attestation of group memberships or role assignments, not for real-time blocking of anonymous IPs or risk-based password resets.

263
MCQ · easy

Your company is deploying a new application on Azure Kubernetes Service (AKS). You need to monitor the health and performance of the cluster, including container logs, metrics, and request rates. Which Azure service should you enable?

A. Azure Service Health
B. Azure Monitor for VMs
C. Azure Application Insights
D. Azure Monitor Container Insights
Answer: D

Specialized for AKS container monitoring.

Why this answer

Azure Monitor Container Insights is the correct service because it is specifically designed to monitor the health and performance of Azure Kubernetes Service (AKS) clusters. It collects container logs, metrics (such as CPU/memory usage), and request rates from the cluster via a containerized Log Analytics agent, providing visibility into the performance of workloads running on AKS.

Exam trap

The trap here is that candidates often confuse Azure Application Insights (which monitors application-level telemetry like requests and exceptions) with Container Insights (which monitors cluster-level health and container logs), leading them to choose C instead of D.

How to eliminate wrong answers

Option A is wrong because Azure Service Health provides a personalized dashboard of service issues, planned maintenance, and health advisories for Azure services, but it does not monitor the performance or logs of individual AKS clusters. Option B is wrong because Azure Monitor for VMs monitors the health and performance of virtual machines, not containerized workloads on AKS; it cannot collect container logs or request rates from Kubernetes pods. Option C is wrong because Azure Application Insights is an application performance management (APM) service for monitoring live web applications, not for collecting cluster-level metrics, container logs, or request rates from AKS infrastructure.

264
MCQ · hard

Your company has an Azure subscription with 100 virtual machines. You need to monitor the performance of these VMs and be alerted when the average CPU usage across a set of VMs exceeds 80% for 10 minutes. The set of VMs is defined by a tag (Environment=Production). Which Azure Monitor solution should you implement?

A. Use Azure Monitor VM Insights to visualize performance and set alerts per VM.
B. Create a metric alert rule with a dynamic threshold and scope it to a resource group containing Production VMs.
C. Create a metric alert rule with a static threshold of 80% for each Production VM individually.
D. Use a Log Analytics query to calculate average CPU and set a log alert.
Answer: B

Dynamic thresholds adapt to patterns and can be applied to a group of resources.

Why this answer

Option B is correct because a single metric alert rule can be scoped to a resource group and filtered by a tag (e.g., Environment=Production), using either a dynamic or a static threshold, allowing you to monitor the average CPU usage across all VMs in that group without creating individual rules. This approach efficiently meets the requirement to alert when the average CPU usage across the set of VMs exceeds 80% for 10 minutes, as it aggregates metrics across the tagged VMs.

Exam trap

The trap here is that candidates often assume they need to use VM Insights (Option A) or individual alerts (Option C) for per-VM monitoring, but the question specifically asks for an alert based on the average across a set of VMs, which is best achieved by a single metric alert rule scoped to a resource group with tag filtering.

How to eliminate wrong answers

Option A is wrong because VM Insights provides per-VM performance visualization and alerts, but it does not natively support aggregating metrics across a set of VMs defined by a tag to trigger a single alert based on the average CPU usage. Option C is wrong because creating individual metric alert rules for each Production VM would require managing 100 separate rules, which is inefficient and does not aggregate the average CPU usage across the set; it would alert per VM, not based on the collective average. Option D is wrong because a Log Analytics query with a log alert would require sending performance data to Log Analytics, incurring additional ingestion costs and complexity, whereas a metric alert is simpler and more cost-effective for this scenario.

265
MCQ · medium

A company must prevent non-compliant devices from accessing Exchange Online and SharePoint Online. Which design should you recommend?

A. Conditional Access policy requiring a compliant device.
B. Azure Firewall application rule.
C. Storage account network rule.
D. Resource lock on the Microsoft 365 tenant.
Answer: A

This uses device compliance as an access-control signal for cloud apps.

Why this answer

Conditional Access policies in Microsoft Entra ID (formerly Azure AD) can enforce device compliance by integrating with Microsoft Intune. When a policy requires a compliant device, it checks the device's compliance status before granting access to Exchange Online and SharePoint Online, blocking non-compliant devices at the authentication layer. This is the correct design because it directly controls access to these cloud services based on device health.

Exam trap

The trap here is that candidates may confuse network-level controls (like Azure Firewall) with identity-driven access controls (like Conditional Access), assuming a firewall can filter SaaS traffic, but Azure Firewall cannot inspect or enforce device compliance for Microsoft 365 services.

How to eliminate wrong answers

Option B is wrong because Azure Firewall is a network-layer firewall for Azure virtual networks and cannot inspect or control access to SaaS applications like Exchange Online or SharePoint Online, which are accessed over the internet. Option C is wrong because Storage account network rules control access to Azure Blob, File, Queue, and Table storage, not to Microsoft 365 services like Exchange Online or SharePoint Online. Option D is wrong because a resource lock prevents accidental deletion or modification of an Azure resource but does not enforce any access control or device compliance requirements for Microsoft 365 tenants.

266
MCQ · easy

Your company uses Microsoft Entra ID for identity management. You need to ensure that only devices compliant with your company's security policies can access corporate resources. Which solution should you implement?

A. Conditional Access with device compliance policies from Microsoft Intune
B. Microsoft Purview Information Protection
C. Microsoft Sentinel
D. Microsoft Defender XDR
Answer: A

Conditional Access evaluates device compliance to allow access.

Why this answer

Conditional Access in Microsoft Entra ID allows you to enforce access controls based on conditions, including device compliance. By integrating with Microsoft Intune, you can define device compliance policies (e.g., requiring encryption, a minimum OS version, or anti-malware status) and then configure a Conditional Access policy to block or grant access only to devices that are marked as compliant. This directly ensures that only compliant devices can access corporate resources.

Exam trap

The trap here is that candidates often confuse Microsoft Defender XDR (which handles threat detection) with device compliance enforcement, not realizing that Conditional Access with Intune is the specific mechanism to gate access based on device health.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., via encryption and rights management), not on controlling device-level access based on compliance. Option C is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution for threat detection and incident response, not for enforcing device compliance access policies. Option D is wrong because Microsoft Defender XDR (Extended Detection and Response) provides cross-domain threat detection and response across endpoints, email, and identities, but it does not natively enforce device compliance-based access control; that is the role of Conditional Access with Intune.

267
MCQ · medium

Your company is designing a governance strategy for Azure resources. The security team requires that all resource groups in the production subscription must have a specific tag (Environment=Production) applied automatically. Any resource group created without this tag must be reported within 24 hours. Which Azure policy should you implement?

A. Create a policy with effect 'audit' to report non-compliant resource groups.
B. Create a policy with effect 'append' to add the missing tag automatically.
C. Create a policy with effect 'deny' on the missing tag condition.
D. Create a policy with effect 'modify' to add the tag using a managed identity.
Answer: C

Deny prevents creation of resource groups without the required tag, ensuring compliance.

Why this answer

Option C is correct because the 'deny' effect prevents the creation of any resource group that does not include the required tag, enforcing compliance at the point of creation. The requirement to report non-compliant resource groups within 24 hours is satisfied by Azure Policy's built-in compliance evaluation, which automatically marks denied requests as non-compliant and surfaces them in the compliance dashboard. This approach ensures that no resource group can be created without the tag, eliminating the need for a separate reporting mechanism.

Exam trap

The trap here is that candidates often confuse 'audit' and 'deny' effects, thinking that reporting non-compliance is sufficient, but the requirement explicitly states the tag must be 'applied automatically', which 'deny' enforces by blocking creation, while 'audit' only reports after the fact.

How to eliminate wrong answers

Option A is wrong because the 'audit' effect only reports non-compliant resource groups after creation, but the requirement demands that the tag be applied automatically, not just reported. Option B is wrong because the 'append' effect adds the tag to existing non-compliant resources but does not prevent creation of untagged resource groups; it would also not trigger a report within 24 hours for newly created groups. Option D is wrong because the 'modify' effect requires a managed identity to add or change tags, which is unnecessary overhead for a simple tag enforcement scenario, and it does not block creation of untagged resource groups.

268
MCQ · medium

A company uses Microsoft Entra ID. They need to grant external partners access to an internal application for a limited time (30 days). The access request must be approved by a manager from the partner's organization, and after 30 days the access must automatically expire. They also want to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Identity Protection
B. Microsoft Entra ID Privileged Identity Management (PIM)
C. Microsoft Entra ID Entitlement Management
D. Microsoft Entra ID B2B with Conditional Access
Answer: C

Entitlement management is designed for governing access to resources, including external users, with approval workflows, time limits, and automatic expiration and reminders.

Why this answer

Microsoft Entra ID Entitlement Management enables organizations to manage access for external partners through access packages, which can include time-limited assignments, approval workflows (including manager approval from the partner's organization), and automatic expiration with email notifications. This directly meets the requirement for a 30-day access period with manager approval and 7-day reminder emails.

Exam trap

The trap here is that candidates often confuse PIM (which handles privileged role activation for internal admins) with Entitlement Management (which handles external partner access with full lifecycle governance), or assume B2B with Conditional Access alone can enforce time limits and reminders without the access package framework.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection is a security tool for detecting and responding to identity risks (e.g., compromised credentials, sign-in anomalies), not for managing time-limited external access with approvals and expiration. Option B is wrong because Microsoft Entra ID Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight for internal users, not for granting external partner access to applications with manager approval from the partner's organization. Option D is wrong because Microsoft Entra ID B2B with Conditional Access provides guest user invitations and access policies, but it lacks built-in capabilities for time-limited access packages, multi-stage approval workflows, and automatic expiration with email reminders; these require Entitlement Management.

269
MCQ · easy

A company uses Microsoft Entra ID. They want to require multi-factor authentication (MFA) for all users accessing the Azure portal, but do not want MFA to be required for other applications like Office 365. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID Security defaults
B. Microsoft Entra ID Conditional Access
C. Microsoft Entra ID Identity Protection
D. Microsoft Entra ID Privileged Identity Management (PIM)
Answer: B

Conditional Access policies can target specific cloud apps (e.g., Microsoft Azure Management) and require MFA only for those apps, leaving other apps unaffected.

Why this answer

Conditional Access in Microsoft Entra ID allows granular control over authentication requirements based on conditions such as application, user, location, or device state. By creating a Conditional Access policy targeting the Azure Portal application and requiring MFA, the company can enforce MFA specifically for Azure Portal access without affecting other applications like Office 365, which can be excluded from the policy.

Exam trap

The trap here is that candidates often confuse Security defaults (which enforces MFA broadly) with Conditional Access (which provides granular application-specific control), leading them to choose Security defaults when the question explicitly requires selective enforcement.

How to eliminate wrong answers

Option A is wrong because Security defaults enforces MFA for all users across all applications, including Office 365, which does not meet the requirement to restrict MFA only to the Azure portal. Option C is wrong because Identity Protection is a risk-based detection and remediation service that can trigger MFA based on user or sign-in risk, but it cannot be configured to require MFA for a specific application like the Azure portal while excluding others. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and approval workflows, not the ability to enforce MFA selectively per application.

270
MCQ · hard

Refer to the exhibit. You are implementing an Azure Policy to control VM SKU deployment. You assign this policy to a subscription. A developer attempts to deploy a virtual machine with SKU Standard_DS2_v2. What is the outcome?

A. The deployment is audited and logged.
B. The deployment is allowed.
C. The VM is deployed but flagged as non-compliant.
D. The deployment is denied.
Answer: D

The policy denies any VM SKU that is not Standard_D2s_v3.

Why this answer

The Azure Policy in the exhibit uses a 'deny' effect, which explicitly blocks any deployment that does not match the allowed VM SKUs. Since Standard_DS2_v2 is not in the allowed list, the policy engine evaluates the request during deployment and rejects it before any resource is created. This results in the deployment being denied entirely, not just audited or flagged.

Exam trap

The trap here is that candidates confuse the 'deny' effect with 'audit' or 'disabled', assuming the policy only logs non-compliance or allows deployment with a flag, when in fact 'deny' actively blocks the resource creation.

How to eliminate wrong answers

Option A is wrong because an 'audit' effect would log the non-compliant deployment without blocking it, but the policy uses 'deny', not 'audit'. Option B is wrong because the policy explicitly denies any SKU not in the allowed list, so the deployment is not allowed. Option C is wrong because the VM is never deployed; the 'deny' effect prevents resource creation, so there is no VM to flag as non-compliant.

271
MCQ · easy

A company uses Microsoft Entra ID. They want to require users to use multi-factor authentication when accessing the Azure portal from any device. They do not want to require MFA for other applications. Which Microsoft Entra ID feature should they configure?

A. Conditional Access policy targeting Azure Portal
B. Per-user MFA (legacy)
C. Security defaults
D. Identity Protection
Answer: A

Correct. Conditional Access can be scoped to the Azure Portal application and require MFA, without affecting other apps.

Why this answer

Conditional Access policies allow granular control over authentication requirements based on conditions such as application, user, location, or device state. By creating a policy that targets the 'Microsoft Azure Management' cloud app and requires multi-factor authentication, you can enforce MFA specifically for the Azure portal without affecting other applications. This provides the precise control requested, unlike broader or legacy methods.

Exam trap

The trap here is that candidates often confuse Security defaults (which is a blanket MFA enforcement for all apps) with the ability to scope MFA to a single application, leading them to choose Security defaults instead of the more precise Conditional Access policy.

How to eliminate wrong answers

Option B (Per-user MFA) is wrong because it enables MFA for all applications and sign-ins for the assigned user, not just the Azure portal, and is a legacy feature that lacks the conditional targeting required. Option C (Security defaults) is wrong because it enforces MFA for all users and all applications, including every cloud app, which contradicts the requirement to not require MFA for other applications. Option D (Identity Protection) is wrong because it is a risk-based detection and remediation service that can trigger MFA based on sign-in risk, but it does not allow you to target a specific application like the Azure portal; it works in conjunction with Conditional Access but is not the feature to configure for this requirement.

272
Multi-Select · easy

Which TWO are valid methods to authenticate users in a Microsoft Entra ID hybrid identity solution? (Select TWO.)

Select 2 answers
A. Cloud-only authentication
B. Password hash synchronization
C. Federation with Active Directory Federation Services (ADFS)
D. Pass-through Authentication
E. Seamless Single Sign-On
Answers: B, D

Synchronizes password hashes to the cloud for authentication.

Why this answer

Password hash synchronization (B) is a valid authentication method for Microsoft Entra ID hybrid identity because it synchronizes password hashes from on-premises Active Directory to Azure AD, allowing users to authenticate using the same password without needing additional infrastructure. Pass-through authentication (D) is also valid as it validates passwords directly against on-premises Active Directory via agents, without storing password hashes in the cloud. Both methods are supported in hybrid identity scenarios and can be combined with Seamless SSO for a seamless experience.

Exam trap

The trap here is that candidates often mistake Seamless Single Sign-On (SSO) for an authentication method, when it is actually a feature that works on top of password hash sync or pass-through authentication to provide automatic sign-in, not a standalone authentication method.

273
MCQ · medium

Your company plans to deploy a new application to Azure. The application will be used by external partners. You need to design an identity solution that allows partners to authenticate using their own corporate credentials while ensuring that the application can enforce conditional access policies based on partner device compliance. What should you include in the design?

A. Federate your Microsoft Entra tenant with each partner's on-premises Active Directory.
B. Create guest user accounts in your Microsoft Entra tenant and assign them application roles.
C. Configure Microsoft Entra B2C and federate with partner identity providers.
D. Configure Microsoft Entra B2B collaboration and enable conditional access policies for guest users.
Answer: D

Entra B2B allows partners to use their own identities and conditional access can evaluate device compliance.

Why this answer

Option D is correct because Microsoft Entra B2B collaboration allows you to invite external partners as guest users who can authenticate with their own corporate credentials. You can then enforce conditional access policies, including device compliance checks, on these guest users by targeting the policy to the 'Guest' user type or specific external users.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2C (for customers) with Microsoft Entra B2B (for partners), leading them to choose Option C, which cannot enforce conditional access policies based on partner device compliance.

How to eliminate wrong answers

Option A is wrong because federating your Entra tenant with each partner's on-premises Active Directory would require you to manage federation trusts for every partner, and it does not inherently enable conditional access policies based on partner device compliance; device compliance is typically evaluated against your own tenant's policies, not the partner's. Option B is wrong because creating guest user accounts and assigning application roles alone does not enable conditional access policies based on partner device compliance; guest users can authenticate, but without B2B collaboration settings, you cannot enforce device-based conditional access on their external devices. Option C is wrong because Microsoft Entra B2C is designed for customer-facing identity management with self-service sign-up, not for external partner access where partners use their own corporate credentials; B2C does not natively support conditional access policies based on device compliance for guest users.
