Sample questions
Microsoft Azure Security Engineer Associate AZ-500 practice questions
A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?
- A
Application Gateway WAF or Azure Front Door WAF
Correct for the stated requirement.
- B
Azure Automation State Configuration
Why wrong: This does not meet the stated requirement as directly as the correct option.
- C
Azure DDoS Protection on the virtual network where applicable
Correct for the stated requirement.
- D
Azure Files premium tier
Why wrong: This does not meet the stated requirement as directly as the correct option.
A security analyst uses Microsoft Defender for Cloud. They want to view a list of all security recommendations for their Azure subscription, prioritized by their potential impact. Which Defender for Cloud dashboard should they use?
- A
Secure Score
The Secure Score page lists all recommendations sorted by their impact on your security score, helping prioritize actions.
- B
Regulatory Compliance
Why wrong: Regulatory Compliance shows compliance status against specific standards (e.g., PCI DSS), not a general prioritized list of recommendations.
- C
Inventory
Why wrong: Inventory shows an overview of supported Azure resources and their security posture, but does not provide a prioritized recommendation list.
- D
Workload protections
Why wrong: Workload Protections shows security alerts and threats for your workloads, not recommendations.
A company uses Azure AD B2B collaboration to invite external vendors. They want to restrict the vendors to only be able to access a specific application, and prevent them from discovering other users or applications in the directory. Which configuration should they apply to the external users?
- A
Configure a Conditional Access policy targeting guest users
Why wrong: Conditional Access policies control sign-in conditions and session controls (e.g., MFA), but do not limit directory discovery or application visibility.
- B
Enable 'External Identities' cross-tenant access settings
Why wrong: Cross-tenant access settings control inbound/outbound trust for B2B collaboration, not individual guest user permissions to view directory objects.
- C
Set the 'Guest user access' level to 'Guest user access is limited to properties and memberships of directory objects'
This setting restricts guest users from browsing the directory, preventing them from seeing other users or applications beyond those they have access to.
- D
Assign the Application User role to the vendor users
Why wrong: The Application User role is not a built-in role; app roles are used for authorization within an application, not for limiting directory visibility.
A company uses Defender for Servers Plan 2. Which two capabilities are included compared with a basic posture-only configuration?
- A
Azure Cost Management budget alerts
Why wrong: This does not meet the stated requirement as directly as the correct option.
- B
File integrity monitoring or equivalent advanced server protection capabilities
Correct for the stated requirement.
- C
Endpoint detection and response integration through Microsoft Defender for Endpoint
Correct for the stated requirement.
- D
Microsoft 365 message trace
Why wrong: This does not meet the stated requirement as directly as the correct option.
A Sentinel detection should enrich alerts with business-critical asset context. Which two mechanisms are appropriate?
- A
Join the query with a watchlist of critical assets
Correct for the stated requirement.
- B
Delete low-severity incidents automatically
Why wrong: This does not meet the stated requirement as directly as the correct option.
- C
Map entities such as Host, Account, and IP in the analytics rule
Correct for the stated requirement.
- D
Disable all built-in analytics templates
Why wrong: This does not meet the stated requirement as directly as the correct option.
A company uses Microsoft Defender for Cloud to manage its security posture. The compliance team wants to monitor the subscription's compliance with the Payment Card Industry Data Security Standard (PCI DSS). They need to view a detailed compliance report and track progress over time. What should they do in Defender for Cloud?
- A
Enable the relevant Defender for Cloud plans (e.g., Defender for Servers, Defender for SQL).
Why wrong: While enabling plans is required for certain assessments, it does not by itself add the PCI DSS standard to the regulatory compliance dashboard.
- B
Add the PCI DSS standard from the regulatory compliance dashboard.
Defender for Cloud provides built-in regulatory compliance standards. Adding PCI DSS from the dashboard enables the compliance monitoring and reporting for that standard.
- C
Create a custom regulatory compliance initiative based on PCI DSS controls.
Why wrong: You can create custom initiatives, but the simplest and recommended approach is to use the built-in PCI DSS standard, which is pre-configured with the appropriate controls and assessments.
- D
Configure continuous export to send compliance data to a Log Analytics workspace.
Why wrong: Continuous export is used to stream alerts and recommendations to other tools, not to enable or view the PCI DSS compliance dashboard.
A Microsoft Sentinel rule should run with minimal delay against supported data sources and produce alerts close to event time. Which rule type should be considered?
- A
Fusion rule
Why wrong: This does not meet the stated requirement as directly as the correct option.
- B
Near-real-time analytics rule
Correct for the stated requirement.
- C
Workbook query
Why wrong: This does not meet the stated requirement as directly as the correct option.
- D
Threat intelligence indicator import
Why wrong: This does not meet the stated requirement as directly as the correct option.
A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?
- A
The Azure Firewall is not in the same region as the spoke.
Why wrong: Azure Firewall can be in a different region than the spoke VNet. Regional differences do not affect routing if the firewall is accessible via the hub VNet.
- B
The ExpressRoute gateway's BGP routes are still overriding the UDR because gateway propagation is not fully disabled.
Why wrong: Disabling gateway route propagation removes learned routes from the subnet's effective routes. If properly disabled, BGP routes should not be present. This is not the cause.
- C
The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
The 0.0.0.0/0 UDR only applies to traffic with no more specific match. On-premises traffic has a specific address prefix. To route it through the firewall, you must add a UDR with that specific prefix and the next hop as the firewall.
- D
The route table is not associated with the spoke subnet.
Why wrong: If the route table were not associated with the subnet, no UDR would apply at all, and traffic would use default routes. But internet traffic was being routed through the firewall, indicating the route table is associated.
A company has several critical applications deployed in an Azure virtual network. The security team wants to protect the virtual network against Distributed Denial-of-Service (DDoS) attacks by enabling automatic attack mitigation, adaptive tuning, and access to DDoS Rapid Response Support. Which DDoS Protection tier should they enable for the virtual network?
- A
DDoS Protection Basic (Free)
Why wrong: Basic is automatically enabled for all Azure services but does not offer adaptive tuning, detailed analytics, or DDoS Rapid Response Support.
- B
DDoS Protection Standard
Standard includes adaptive tuning, comprehensive attack mitigation, real-time telemetry, and access to DDoS Rapid Response Support for an additional cost.
- C
DDoS Protection Premium
Why wrong: There is no 'Premium' tier for Azure DDoS Protection. The available tiers are Basic and Standard.
- D
DDoS Protection Advanced
Why wrong: There is no 'Advanced' tier for Azure DDoS Protection. Standard is the highest tier available for virtual networks.
A company has an Azure virtual network with multiple subnets hosting different application tiers. They need to inspect and filter all outbound traffic from VMs to the internet, and they must be able to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they deploy?
- A
Azure Firewall.
Correct. Azure Firewall provides application-level filtering based on FQDNs for outbound traffic.
- B
Network Security Groups (NSGs).
Why wrong: NSGs can only filter based on IP addresses, ports, and protocols; they do not support FQDN filtering.
- C
Azure Application Gateway.
Why wrong: Application Gateway is a layer-7 load balancer for inbound web traffic, not outbound inspection.
- D
Azure VPN Gateway.
Why wrong: VPN Gateway creates encrypted tunnels, not traffic inspection or filtering.
A company has a subscription with Azure Active Directory (Azure AD). They want to enable a conditional access policy that requires all users to use multi-factor authentication (MFA) when accessing the Azure portal. The policy should only apply to users who are members of a group called 'AllUsers'. Which assignment should they configure in the policy?
- A
Assign the 'AllUsers' group to the 'Cloud apps' section and select 'Azure portal' as the application
Why wrong: Users are assigned in the 'Users' section, not 'Cloud apps'. The 'Azure portal' is a cloud app, not a user group.
- B
Assign the 'AllUsers' group to the 'Users' section and select 'Azure portal' as the cloud app
Correct. The policy targets users in the group and applies when accessing the Azure portal cloud app.
- C
Add a condition for 'Client apps' specifying 'Browser' only
Why wrong: This would limit the policy to browser access, but the main requirement is to target the group and the Azure portal; the condition is not the primary assignment.
- D
Create two policies: one for users and one for the Azure portal
Why wrong: A single Conditional Access policy can include both user and app assignments. Two policies are not needed and could cause conflicts.
A company has several Azure virtual machines (VMs) in a VNet that host a legacy application. IT support staff need to perform remote administration using RDP. The security team wants to avoid exposing the VMs to the public internet and also enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions. Which Azure service should they deploy to meet these requirements?
- A
Just-in-Time (JIT) VM Access from Microsoft Defender for Cloud
Why wrong: JIT reduces exposure by opening ports for a limited time, but it still requires a public IP on the VM and does not itself enforce MFA. Additional configuration would be needed for MFA.
- B
Azure Bastion
Correct. Azure Bastion provides secure RDP/SSH access without public IPs and integrates with Azure AD and Conditional Access to enforce MFA, fulfilling both requirements.
- C
Network Security Groups (NSGs) with allow rules for RDP only from a trusted IP
Why wrong: NSGs can restrict source IPs but still require the VM to have a public IP and do not enforce MFA. This does not meet the MFA requirement.
- D
Azure Firewall with DNAT rules to forward RDP traffic
Why wrong: Even with Azure Firewall, the VM would still be exposed via the firewall's public IP, and MFA is not natively enforced. Additional components would be needed to add MFA.
A company has Azure virtual machines that need to download updates from specific external websites (e.g., *.microsoft.com and *.windowsupdate.com). The security team wants to centrally manage and allow outbound HTTPS traffic only to these FQDNs, while blocking all other outbound internet access. Which Azure networking service should they deploy to achieve this?
- A
Azure Firewall
Azure Firewall provides application rules that allow or deny outbound traffic based on FQDNs, making it the correct choice for this requirement.
- B
Azure Application Gateway
Why wrong: Azure Application Gateway is a layer 7 load balancer and web application firewall for inbound HTTP/HTTPS traffic, not suitable for controlling outbound traffic from VMs.
- C
Azure Front Door
Why wrong: Azure Front Door is a global load balancer and application delivery controller for inbound traffic, not designed to filter outbound traffic from Azure VMs.
- D
Azure VPN Gateway
Why wrong: Azure VPN Gateway establishes secure encrypted tunnels between on-premises networks and Azure, but does not offer FQDN-based filtering for outbound traffic.
A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?
- A
The NVA's network interface must have 'IP forwarding' enabled.
IP forwarding allows the NVA to accept and forward traffic not destined to its own IP. Without it, the NVA drops the packets.
- B
The VNet peering is not configured to allow traffic from VNet-B to route through VNet-A.
Why wrong: VNet peering allows traffic between VNets; no additional setting is needed to route through an NVA once UDRs and IP forwarding are in place.
- C
The route table is not associated with the subnet in VNet-B.
Why wrong: The question states the route table is associated. If it were not, the traffic would indeed go direct, but the most likely cause given correct association is IP forwarding.
- D
The NVA does not have a public IP address.
Why wrong: The NVA routes traffic using its private IP; a public IP is not required for this scenario.
A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
- A
Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
A separate policy for medium user risk applied to all users will require MFA when medium risk is detected. The existing policy will continue to block Finance users with high risk. Policy evaluation is not mutually exclusive; the block takes precedence for high risk, and the MFA requirement applies for medium risk.
- B
Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
Why wrong: Modifying the existing policy to cover both high and medium user risk would require MFA for medium risk but would also remove the block for high risk (or require MFA for high risk, which is not the requirement). The policy cannot have different grant controls for different risk levels within the same policy.
- C
Use Identity Protection's 'User risk policy' instead of Conditional Access
Why wrong: Identity Protection's user risk policy uses the same risk levels but is applied globally. It cannot be scoped to specific departments (Finance) for the block action while requiring MFA for all users. Conditional Access is needed for the department scope.
- D
Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'
Why wrong: Blocking access for medium user risk is more restrictive than required. The requirement is to require MFA, not block.
A company has an Azure virtual network with a subnet that hosts a public web application. They want to allow inbound HTTPS traffic (port 443) only from the source IP range 203.0.113.0/24, and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required in the NSG to achieve this?
- A
0 (no additional rules needed because the default rules block all inbound traffic)
Why wrong: The default rules block traffic from the internet, so no HTTPS traffic would be allowed. An explicit allow rule is required.
- B
1
One allow rule for HTTPS from the specific IP range is sufficient. The default deny rule blocks all other traffic automatically.
- C
2 (one allow rule for HTTPS and one deny rule for all other traffic)
Why wrong: An explicit deny rule is unnecessary because the NSG already includes a default deny all inbound rule. Adding an explicit deny would be redundant.
- D
3 (one allow HTTPS, one allow for Azure Load Balancer health probes, and one deny all)
Why wrong: The default rules already allow Azure Load Balancer health probes. No additional rule is needed for that, and the explicit deny is still redundant.
A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?
- A
Configure a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' cloud app, requiring compliant device.
Why wrong: Directly targeting the PIM app in a CA policy is not supported for device compliance during activation. PIM activation occurs in the context of the Azure AD role, not the PIM app. The correct method uses authentication context.
- B
In PIM settings for the Global Administrator role, enable 'Require Multi-Factor Authentication on activation'.
Why wrong: Enabling MFA only requires MFA during activation, not device compliance. This does not fulfill the device compliance requirement.
- C
In PIM settings for the Global Administrator role, enable 'Require Azure AD Conditional Access authentication context' and create a Conditional Access policy that requires compliant device when that authentication context is used.
Correct. This is the recommended method for integrating PIM with Conditional Access. The authentication context is signaled during activation, and a separate CA policy enforces the device compliance requirement.
- D
Use Azure AD Identity Protection's user risk policy to require device compliance when a high-risk user activates the role.
Why wrong: Identity Protection risk policies address user or sign-in risk, not device compliance. They are not suitable for enforcing a compliant device requirement during PIM activation.
A company uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources that are discovered, without manual intervention. Which feature should they configure?
- A
Enable 'Auto provisioning' for the relevant extensions
Why wrong: Auto provisioning installs agents, but does not automatically fix non-compliant resources like encryption settings.
- B
Enable 'Remediation' for each policy assignment in the custom initiative
When you assign a policy with 'DeployIfNotExists' effect, you can enable remediation to automatically create and run remediation tasks to fix non-compliant resources.
- C
Enable 'Just-in-time (JIT) VM access'
Why wrong: JIT manages network access, not policy compliance.
- D
Enable 'Workflow automation' to trigger a Logic App when non-compliance is detected
Why wrong: This triggers a manual or automated process, but does not automatically remediate like the built-in remediation feature.
A company has Azure AD Identity Protection enabled. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on Identity Protection risk?
- A
Add a condition for 'Sign-in risk' set to 'High' and a grant control of 'Block access'.
A sign-in from a known malicious IP is considered high risk by Identity Protection. Using the sign-in risk condition with 'High' and blocking access achieves the requirement.
- B
Add a condition for 'Locations' and specify the known malicious IP ranges as 'Blocked locations'.
Why wrong: While this could block specific IPs, it is static and does not leverage Identity Protection. The requirement is to use Identity Protection's detection.
- C
Add a condition for 'User risk' set to 'High' and a grant control of 'Require multi-factor authentication'.
Why wrong: User risk estimates the probability that the account itself is compromised (leaked credentials, for example), not the risk of one particular sign-in from a malicious IP. The grant control here is also 'Require multi-factor authentication', not 'Block access'.
- D
Add a condition for 'Device state' set to 'Not compliant' and a grant control of 'Block access'.
Why wrong: Device state is unrelated to sign-in risk. This would block sign-ins from non-compliant devices regardless of where they come from, and would let a risky sign-in from a compliant device through.
A company uses Azure AD B2B collaboration to invite external partner users. The security policy requires that guest users who have not signed in for more than 90 days should have their access automatically reviewed and, if not approved, removed. The company has Azure AD Premium P2 licenses. Which Azure AD feature should they configure to meet this requirement?
Trap 1: Enable automatic user deletion in the Azure AD B2B collaboration…
There is no B2B collaboration setting that deletes guests based on inactivity. External collaboration settings control who can invite guests, what guests can see in the directory, and how invitations are redeemed.
Trap 2: Create a Conditional Access policy that blocks sign-ins for guest…
Conditional Access evaluates its conditions at the moment of authentication. It has no inactivity condition, cannot review or retroactively revoke access, and even a blocking policy leaves the guest account and its group and application assignments in place.
Trap 3: Use Azure AD Identity Protection to detect guest user sign-in…
Identity Protection detects risk signals such as leaked credentials or atypical travel and can revoke sessions in response, but it does not schedule reviews based on inactivity. Access Reviews are the governance tool for this.
- A
Enable automatic user deletion in the Azure AD B2B collaboration settings.
Why wrong: There is no B2B collaboration setting that deletes guests based on inactivity. External collaboration settings control who can invite guests, what guests can see in the directory, and how invitations are redeemed.
- B
Create a Conditional Access policy that blocks sign-ins for guest users who haven't authenticated in 90 days.
Why wrong: Conditional Access evaluates its conditions at the moment of authentication. It has no inactivity condition, cannot review or retroactively revoke access, and even a blocking policy leaves the guest account and its group and application assignments in place.
- C
Configure an Azure AD Access Review that reviews guest user access and automatically removes access after 90 days of inactivity.
Access Reviews can be scheduled to recur (for example quarterly), scoped to guest users only, and further limited to guests who have been inactive for a chosen number of days. With results set to auto-apply and 'If reviewers don't respond' set to 'Remove access', guests who are not approved lose their access without manual follow-up.
- D
Use Azure AD Identity Protection to detect guest user sign-in anomalies and revoke sessions.
Why wrong: Identity Protection detects risk signals such as leaked credentials or atypical travel and can revoke sessions in response, but it does not schedule reviews based on inactivity. Access Reviews are the governance tool for this.
A company manages Azure AD roles with Privileged Identity Management (PIM). They want to enforce that when a user activates the Global Administrator role, they must provide a justification and also use Multi-Factor Authentication. Which PIM settings should they configure? (Choose two.)
Trap 1: Require approval on activation.
Approval is a valid PIM activation setting, but the scenario asks only for justification and MFA. Adding approval would introduce a human gate the requirement did not call for.
Trap 2: Extend activation duration.
This setting controls the maximum time an activation stays in effect, not what the user must do in order to activate.
- A
Require approval on activation.
Why wrong: Approval is a valid PIM activation setting, but the scenario asks only for justification and MFA. Adding approval would introduce a human gate the requirement did not call for.
- B
Require Multi-Factor Authentication on activation.
This setting requires the user to satisfy multi-factor authentication when activating the role, meeting the authentication requirement.
- C
Require justification on activation.
This setting prompts the user to provide a reason when activating the role, fulfilling the justification requirement.
- D
Extend activation duration.
Why wrong: This setting controls the maximum time an activation stays in effect, not what the user must do in order to activate.
A Defender for Cloud secure score recommendation says storage accounts allow public blob access. What remediation best addresses the root issue?
Trap 1: Enable storage account static website hosting
Static website hosting creates the $web container and serves its contents anonymously, so it adds public access rather than removing it.
Trap 2: Increase Log Analytics retention
Log Analytics retention controls how long collected logs are kept; it has no effect on whether blobs can be read anonymously.
Trap 3: Create an Azure Front Door profile
Front Door puts an edge in front of an origin but does not change the storage account's own public access setting; the blobs stay directly reachable at their storage endpoint.
- A
Enable storage account static website hosting
Why wrong: Static website hosting creates the $web container and serves its contents anonymously, so it adds public access rather than removing it.
- B
Increase Log Analytics retention
Why wrong: Log Analytics retention controls how long collected logs are kept; it has no effect on whether blobs can be read anonymously.
- C
Disable public blob access at the storage account level and review container ACLs
Correct. Setting 'Allow Blob public access' to Disabled at the account level overrides every container's public access level, so anonymous requests fail no matter how a container is configured. Then review the containers that were set to 'Blob' or 'Container' access: each one was an exposure path, and the data in it may need to be re-shared through SAS tokens or Azure AD authorization instead.
- D
Create an Azure Front Door profile
Why wrong: Front Door puts an edge in front of an origin but does not change the storage account's own public access setting; the blobs stay directly reachable at their storage endpoint.
A company uses Azure Firewall to filter outbound traffic. They want to ensure that all DNS queries from virtual machines in a spoke VNet are routed through the Azure Firewall for logging and inspection. They have already configured the firewall to use a custom DNS server. Which additional Azure Firewall feature must be enabled to ensure that the VMs use the firewall as a DNS proxy?
Trap 1: Configure a DNS forwarding rule
Incorrect. Azure Firewall has no 'DNS forwarding rule' type; its rule collections are network, application and NAT (DNAT) rules. Forwarding DNS queries to the configured servers is what the DNS proxy setting does.
Trap 2: Enable Threat Intelligence DNS logging
Incorrect. Azure Firewall's threat intelligence-based filtering alerts on or denies traffic to and from known malicious IPs and domains. It does not make the firewall a resolver for the VMs, and DNS query logs (the DNS proxy log category) only exist once the proxy is enabled.
Trap 3: Create a NAT rule for DNS traffic
Incorrect. NAT (DNAT) rules translate inbound traffic arriving on the firewall's public IP to a private destination; they do not proxy or inspect DNS queries from the VMs.
- A
Enable DNS proxy on the firewall policy
Correct. With DNS proxy enabled, the firewall listens for DNS on port 53 at its private IP and forwards queries to the DNS servers configured in the policy (or to Azure DNS if none is set). Enabling it is only half the job: the spoke VNet's DNS servers (or the NICs' DNS settings) must be set to the firewall's private IP so the VMs actually send their queries there. DNS proxy is also a prerequisite for FQDN-based network rules.
- B
Configure a DNS forwarding rule
Why wrong: Incorrect. Azure Firewall has no 'DNS forwarding rule' type; its rule collections are network, application and NAT (DNAT) rules. Forwarding DNS queries to the configured servers is what the DNS proxy setting does.
- C
Enable Threat Intelligence DNS logging
Why wrong: Incorrect. Azure Firewall's threat intelligence-based filtering alerts on or denies traffic to and from known malicious IPs and domains. It does not make the firewall a resolver for the VMs, and DNS query logs (the DNS proxy log category) only exist once the proxy is enabled.
- D
Create a NAT rule for DNS traffic
Why wrong: Incorrect. NAT (DNAT) rules translate inbound traffic arriving on the firewall's public IP to a private destination; they do not proxy or inspect DNS queries from the VMs.
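The trap in this scenario is that 'enable DNS proxy' is necessary but not sufficient: if the spoke VNet keeps handing out the custom DNS server (or Azure-provided DNS) directly, the VMs never touch the firewall. The following check, an added example rather than code from the practice page, walks constructed resource JSON shaped like `Microsoft.Network/firewallPolicies` (`properties.dnsSettings`), `Microsoft.Network/azureFirewalls` (`ipConfigurations`) and `Microsoft.Network/virtualNetworks` (`dhcpOptions.dnsServers`). The property names are the real ARM ones; the names and addresses are made up. It reports each break in the DNS path and produces corrected copies of the policy and VNet.

```python
"""Verify that a spoke VNet really sends DNS through Azure Firewall's DNS proxy.

Added example, not from the AZ-500 practice page. The dicts below are constructed to
mimic ARM resource JSON; only the property names are real. Two spokes are included:
one whose DNS points at the firewall, one that bypasses it.
"""
import copy

# Constructed: policy with custom DNS servers and the proxy switched on.
FIREWALL_POLICY = {
    "name": "fwpol-hub",
    "properties": {"dnsSettings": {"servers": ["10.0.2.4"], "enableProxy": True}},
}
# Constructed: same policy with the proxy left off (the state the question fixes).
NOPROXY_POLICY = {
    "name": "fwpol-hub",
    "properties": {"dnsSettings": {"servers": ["10.0.2.4"], "enableProxy": False}},
}
# Constructed: hub firewall whose private IP is 10.0.1.4.
FIREWALL = {
    "name": "azfw-hub",
    "properties": {"ipConfigurations": [{"properties": {"privateIPAddress": "10.0.1.4"}}]},
}
# Constructed spokes: one points DNS at the firewall, the other straight at the DNS server.
SPOKE_VNET_GOOD = {"name": "vnet-spoke1", "properties": {"dhcpOptions": {"dnsServers": ["10.0.1.4"]}}}
SPOKE_VNET_BAD = {"name": "vnet-spoke2", "properties": {"dhcpOptions": {"dnsServers": ["10.0.2.4"]}}}


def firewall_private_ip(firewall):
    """Private IP of the firewall's first IP configuration; the DNS proxy listens here on port 53."""
    return firewall["properties"]["ipConfigurations"][0]["properties"]["privateIPAddress"]


def check_dns_path(policy, firewall, vnet):
    """Return the reasons why VM DNS traffic would not be seen by the firewall (empty list = OK)."""
    problems = []
    dns = policy["properties"].get("dnsSettings") or {}
    if not dns.get("enableProxy"):
        problems.append(f"{policy['name']}: DNS proxy disabled, firewall does not answer on port 53")
    fw_ip = firewall_private_ip(firewall)
    vnet_dns = vnet["properties"].get("dhcpOptions", {}).get("dnsServers", [])
    if fw_ip not in vnet_dns:
        # An empty list means Azure-provided DNS; either way the firewall is bypassed.
        shown = vnet_dns or ["Azure-provided"]
        problems.append(f"{vnet['name']}: DNS servers {shown} bypass the firewall at {fw_ip}")
    return problems


def remediate(policy, firewall, vnet):
    """Return corrected copies: proxy enabled on the policy, VNet DNS pointed at the firewall."""
    fixed_policy = copy.deepcopy(policy)
    fixed_policy["properties"].setdefault("dnsSettings", {})["enableProxy"] = True
    fixed_vnet = copy.deepcopy(vnet)
    fixed_vnet["properties"].setdefault("dhcpOptions", {})["dnsServers"] = [firewall_private_ip(firewall)]
    return fixed_policy, fixed_vnet


if __name__ == "__main__":
    for vnet in (SPOKE_VNET_GOOD, SPOKE_VNET_BAD):
        for line in check_dns_path(NOPROXY_POLICY, FIREWALL, vnet) or ["ok"]:
            print(f"{vnet['name']}: {line}")
    pol, net = remediate(NOPROXY_POLICY, FIREWALL, SPOKE_VNET_BAD)
    print("after fix:", check_dns_path(pol, FIREWALL, net) or "ok")
```

In a real tenant the two corrections map to `az network firewall policy update --enable-dns-proxy true --dns-servers <server>` on the policy and `az network vnet update --dns-servers <firewall private IP>` on each spoke (VMs pick up the new resolver after a DHCP renew or restart). Keep the policy's custom server reachable from the firewall's subnet, since the proxy forwards to it rather than resolving on its own.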
A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that when a user activates the Security Administrator role, they must provide a justification and the activation must be approved by a member of a specific security group. Which PIM setting should they configure?
Trap 1: Require multi-factor authentication
Requiring MFA on activation strengthens the authentication step, but it adds no approval step. The question is specifically about the approval requirement.
Trap 2: Require justification
Requiring justification makes the user enter a reason for activation. The scenario does require it, but it does not route the activation to an approver, so it is not the setting that satisfies the approval requirement.
Trap 3: Require Azure AD join
There is no PIM activation setting for device join state; device requirements are enforced through Conditional Access (for example via an authentication context), and in any case they do not add an approval step.
- A
Require approval to activate
Correct. Enabling 'Require approval to activate' and adding the security group as the approver routes each activation request to that group's members before the role becomes active. Approvers can be individual users or groups, and an approval cannot be granted by the requester themselves.
- B
Require multi-factor authentication
Why wrong: Requiring MFA on activation strengthens the authentication step, but it adds no approval step. The question is specifically about the approval requirement.
- C
Require justification
Why wrong: Requiring justification makes the user enter a reason for activation. The scenario does require it, but it does not route the activation to an approver, so it is not the setting that satisfies the approval requirement.
- D
Require Azure AD join
Why wrong: There is no PIM activation setting for device join state; device requirements are enforced through Conditional Access (for example via an authentication context), and in any case they do not add an approval step.