Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 175

1000 questions total · 14 pages · All types, answers revealed

Page 1 of 14

1
Multi-Select (easy)

You need to secure an Azure Storage account that will host sensitive data. Which TWO configurations should you implement?

Select 2 answers
A. Generate a shared access signature (SAS)
B. Enable 'Secure transfer required'
C. Allow public network access from all networks
D. Enable Azure Files
E. Configure a private endpoint
Answers: B, E

'Secure transfer required' rejects any request that does not arrive over HTTPS (and unencrypted SMB for Azure Files); a private endpoint gives the account a private IP address inside your virtual network so client traffic never crosses the public internet.

Why this answer

Options B and E are correct. Enabling 'Secure transfer required' enforces HTTPS for every request to the account. A private endpoint maps the account into your virtual network so access stays on the Microsoft backbone, and it lets you disable public network access on the account entirely.

Option A is wrong because a SAS token is a delegation mechanism for granting scoped access; it does not harden the account, and a leaked SAS is a credential. Option C is wrong because public network access should be disabled, or restricted to selected networks, for sensitive data, not opened to all networks. Option D is wrong because Azure Files is a storage service, not a security configuration.

2
MCQ (hard)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key stored in Azure Key Vault. The Key Vault is configured with a firewall that denies all public access. The SQL server must be able to access the key. What additional configuration is necessary?

A. Enable trusted Microsoft services on the Key Vault firewall
B. Create a private endpoint for Key Vault
C. Assign the SQL server's managed identity to the Key Vault
D. Configure a service endpoint on the SQL server
Answer: A

Correct. Enabling 'Allow trusted Microsoft services to bypass the firewall' on the Key Vault allows Azure SQL Database to access the key even with the firewall enabled.

Why this answer

When Azure Key Vault's firewall denies all public access, enabling 'Allow trusted Microsoft services to bypass this firewall' is necessary because Azure SQL Database's TDE key retrieval is performed by a trusted Microsoft service. The setting opens the network path for that fixed list of first-party services only; it does not grant any permissions. The logical server's managed identity must still be granted get, wrapKey and unwrapKey on the key (or the Key Vault Crypto Service Encryption User role when the vault uses Azure RBAC), and no private endpoint or service endpoint is required.

Exam trap

The trap here is that candidates often confuse the authentication/authorization step (assigning managed identity) with the network connectivity step (firewall bypass), assuming that granting permissions alone is sufficient when the Key Vault firewall is blocking all traffic.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint for Key Vault would provide private connectivity from a virtual network, but the SQL server is a platform-as-a-service resource that does not reside in a VNet by default; while possible, it is not the simplest or required configuration for TDE key access when the firewall is enabled. Option C is wrong because assigning the SQL server's managed identity to Key Vault is necessary for authentication and authorization (to grant the SQL server permissions to the key), but it does not bypass the Key Vault firewall; the firewall must still allow the request. Option D is wrong because configuring a service endpoint on the SQL server is not applicable; service endpoints are used for VNet integration, and Azure SQL Database does not have a service endpoint that directly controls Key Vault access.
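The full configuration behind question 2, as an added example in Azure PowerShell (this is not code from the original page). The resource names (rg-data, kv-tde-prod, sql-prod-01, tde-kek) are placeholders; the script assumes an authenticated session with the Az.KeyVault and Az.Sql modules and a vault that already has soft-delete and purge protection enabled, which Azure SQL requires before it will accept a customer-managed TDE protector:

```powershell
# Added example: Azure SQL TDE with a customer-managed key in a firewalled Key Vault.
# All names are placeholders; run after Connect-AzAccount.
$rg     = 'rg-data'
$vault  = 'kv-tde-prod'
$server = 'sql-prod-01'

# 1. Network path: deny public access, but let trusted Microsoft services (Azure SQL among them) through.
Update-AzKeyVaultNetworkRuleSet -ResourceGroupName $rg -VaultName $vault `
    -DefaultAction Deny -Bypass AzureServices

# 2. Identity: the logical server needs a managed identity to authenticate to the vault.
$sql = Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity

# 3. Authorization: that identity needs exactly get/wrapKey/unwrapKey on keys, nothing more.
#    (For a vault in Azure RBAC mode, assign 'Key Vault Crypto Service Encryption User'
#    to $sql.Identity.PrincipalId instead of an access policy.)
Set-AzKeyVaultAccessPolicy -ResourceGroupName $rg -VaultName $vault `
    -ObjectId $sql.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 4. Register the key with the server and make it the TDE protector.
$key = Get-AzKeyVaultKey -VaultName $vault -Name 'tde-kek'
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $key.Id
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id -Force

# Check: the protector type should now read AzureKeyVault. If step 4 failed with a network
# error, step 1 was skipped; if it failed with a 403, step 3 was.
Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server
```

Steps 1 and 3 are independent: the firewall bypass opens the network path and the key permissions authorize the caller, which is exactly the distinction the exam trap above relies on.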

3
MCQ (easy)

You need to restrict access to an Azure Storage account so that only traffic from a specific virtual network is allowed. What should you configure?

A. Azure Firewall application rule
B. Storage account firewall and virtual network settings
C. Private endpoint connection
D. Network security group (NSG) on the subnet
Answer: B

Set the default action to Deny, then add a network rule for the specific virtual network and subnet (the subnet needs the Microsoft.Storage service endpoint before it can be referenced).

Why this answer

Option B is correct because the storage account's firewall and virtual network settings let you deny traffic by default and allow only the selected VNets and subnets. Option A is wrong because Azure Firewall filters traffic that passes through it; it does not control which networks the storage service accepts requests from. Option C is wrong because a private endpoint gives the account a private IP address in a VNet, but on its own it does not block access from other networks unless public network access is also disabled. Option D is wrong because NSGs filter traffic on subnets and NICs; they cannot be attached to a storage account.
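The storage-account hardening from questions 1 and 3 in one place, as an added Azure PowerShell example (not code from the original page). Names (rg-secure, stsensitive001, vnet-app, snet-app) are placeholders; it assumes an authenticated session with Az.Storage and Az.Network:

```powershell
# Added example: harden a storage account (questions 1 and 3). Names are placeholders.
$rg      = 'rg-secure'
$account = 'stsensitive001'
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
$subnet  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'

# Q1: reject plain-HTTP requests and old TLS, and disable anonymous blob access.
# A SAS leaked over HTTP is the classic failure this prevents.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableHttpsTrafficOnly $true `
    -MinimumTlsVersion TLS1_2 `
    -AllowBlobPublicAccess $false | Out-Null

# Q3: deny by default, then allow only the chosen subnet. The subnet must carry the
# Microsoft.Storage service endpoint before the storage firewall will accept it.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'

Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# Q1: private endpoint for the blob service. Once it (and the matching
# privatelink.blob.core.windows.net DNS zone) is in place, the public endpoint can be
# closed completely. Note that PublicNetworkAccess=Disabled also stops service-endpoint
# traffic, so the Q3 rule is only meaningful while public access stays on.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$conn = New-AzPrivateLinkServiceConnection -Name 'pe-conn-blob' `
    -PrivateLinkServiceId $sa.Id -GroupId 'blob'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$account-blob" -Location $vnet.Location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn | Out-Null
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -PublicNetworkAccess Disabled | Out-Null

# Check: both settings read back from the account.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$sa | Select-Object EnableHttpsTrafficOnly, MinimumTlsVersion, PublicNetworkAccess
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account |
    Select-Object DefaultAction, Bypass, @{ n = 'VnetRules'; e = { $_.VirtualNetworkRules.Count } }
```

Run the service-endpoint and network-rule section on its own when the requirement is only "a specific VNet" (question 3); add the private endpoint and the final PublicNetworkAccess change when the data is sensitive enough that no public path should exist at all (question 1).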

4
MCQ (hard)

Your organization is using Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP) for all existing and future Azure SQL databases in a subscription. The solution must minimize administrative effort. What should you do?

A. Configure Microsoft Sentinel to monitor Azure SQL databases.
B. Enable the Azure SQL databases plan in Microsoft Defender for Cloud at the subscription level.
C. Create an Azure Policy to deploy Advanced Threat Protection on Azure SQL databases.
D. Enable Advanced Threat Protection on each Azure SQL database individually.
Answer: B

Correct. A Defender plan enabled at the subscription level applies to all current and future resources of that type in the subscription.

Why this answer

Option B is correct because enabling the Defender for Azure SQL Databases plan at the subscription level turns on Advanced Threat Protection (and vulnerability assessment) for every Azure SQL database in the subscription, including databases created later. Option D is wrong because enabling protection database by database does not scale and misses future databases. Option C is wrong because Azure Policy can deploy the plan (and is the right tool across many subscriptions), but within a single subscription the plan toggle is the more direct, lower-effort method.

Option A is wrong because Microsoft Sentinel ingests and correlates alerts; it does not enable ATP on SQL resources.

5
MCQ (hard)

Your organization has a complex Azure environment with multiple subscriptions, each containing hundreds of VMs and PaaS services. You are responsible for ensuring that all resources are monitored for security threats using Microsoft Defender for Cloud. The environment includes:
- Subscription A: Production workloads, requires the highest security posture.
- Subscription B: Development environment, has a lower security budget.
- Subscription C: Shared services (e.g., DNS, Active Directory).
You need to implement the most cost-effective security monitoring solution that meets the following requirements:
- All subscriptions must be covered by Defender for Cloud.
- Production subscription must have vulnerability assessment for VMs.
- Development subscription does not need vulnerability assessment but must have basic CSPM.
- Shared services subscription must have advanced threat protection for Azure SQL databases.
- You must minimize administrative overhead and ensure that security policies are centrally managed.
What should you do?

A. Enable all Defender plans on the management group to cover all subscriptions, then disable vulnerability assessment on Subscription B via policy.
B. Enable the 'Defender Cloud Security Posture Management' (CSPM) plan on the management group that contains all subscriptions. Then, on Subscription A, enable the 'Defender for Servers' plan with vulnerability assessment. On Subscription C, enable the 'Defender for Azure SQL' plan. Leave Subscription B with only the CSPM plan.
C. Enable the 'Defender for Servers' plan on Subscription A, 'Defender for Azure SQL' on Subscription C, and disable Defender for Cloud on Subscription B.
D. Enable only the free tier of Defender for Cloud on all subscriptions, then manually configure vulnerability assessment for VMs in Subscription A and advanced threat protection for SQL in Subscription C.
Answer: B

CSPM at the management group gives every subscription baseline posture management under one set of policies; the paid workload plans are then enabled only where a requirement calls for them.

Why this answer

Option B is correct because enabling CSPM at the management group level covers all three subscriptions with centrally managed posture policies, while Defender for Servers (whose Plan 2 includes vulnerability assessment) is paid for only in Subscription A and Defender for Azure SQL only in Subscription C. Option A is wrong because enabling every plan on the management group bills every plan in every subscription, which is not cost-effective for the development subscription. Option D is wrong because the free tier includes neither vulnerability assessment for VMs nor advanced threat protection for SQL, and configuring those by hand adds administrative overhead.

Option C is wrong because disabling Defender for Cloud on Subscription B violates both the requirement that all subscriptions are covered and the requirement that Dev has basic CSPM.
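The per-subscription plan settings that implement question 5 (and, for Subscription C, the subscription-wide SQL protection of question 4), as an added Azure PowerShell example that is not code from the original page. Subscription IDs are placeholders, and the plan names are the Azure API names used by Az.Security: CloudPosture is Defender CSPM, VirtualMachines is Defender for Servers, SqlServers is Defender for Azure SQL Databases. The `-SubPlan` argument is assumed to be available in the installed Az.Security version:

```powershell
# Added example: enable only the Defender plans each subscription actually needs.
# Subscription IDs are placeholders; run after Connect-AzAccount.
$plans = @{
    '00000000-0000-0000-0000-00000000000a' = @{ Tag = 'A-prod';   Paid = @('CloudPosture', 'VirtualMachines') }
    '00000000-0000-0000-0000-00000000000b' = @{ Tag = 'B-dev';    Paid = @('CloudPosture') }
    '00000000-0000-0000-0000-00000000000c' = @{ Tag = 'C-shared'; Paid = @('CloudPosture', 'SqlServers') }
}

foreach ($subId in $plans.Keys) {
    Set-AzContext -SubscriptionId $subId | Out-Null

    foreach ($plan in $plans[$subId].Paid) {
        if ($plan -eq 'VirtualMachines') {
            # Vulnerability assessment (Defender Vulnerability Management) ships with Plan 2.
            Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' -SubPlan 'P2' | Out-Null
        } else {
            Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
        }
    }

    # Check: list what is actually billed in this subscription; anything not listed is on Free.
    $paid = Get-AzSecurityPricing |
        Where-Object PricingTier -eq 'Standard' |
        Select-Object -ExpandProperty Name
    '{0}: {1}' -f $plans[$subId].Tag, ($paid -join ', ')
}
```

For the "centrally managed" part of the requirement at management-group scope, the same outcome is normally pinned with the built-in DeployIfNotExists policies of the form "Configure Microsoft Defender for ... to be enabled", assigned at the management group, so a newly created subscription inherits the plan set instead of relying on someone running this script.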

6
MCQ (medium)

A company uses Microsoft Defender for Cloud. The security team wants to receive a weekly email digest that includes the current Secure Score, the number of healthy and unhealthy resources, and a list of top recommendations. Which Defender for Cloud feature should they configure?

A. Regulatory Compliance dashboard
B. Security policies
C. Email notifications for alerts and weekly digests
D. Continuous Export
Answer: C

Under Defender for Cloud's settings, you can configure email notifications. This includes a weekly digest that contains the Secure Score, resource health summary, and top recommendations. You can specify recipients.

Why this answer

Option C is correct because Microsoft Defender for Cloud provides a built-in 'Email notifications for alerts and weekly digests' feature that allows security teams to configure a weekly email containing the current Secure Score, the number of healthy and unhealthy resources, and a list of top recommendations. This feature is specifically designed to deliver a summary of the security posture directly to recipients without requiring manual export or custom automation.

Exam trap

The trap here is that candidates often confuse the weekly digest feature with Continuous Export, assuming that exporting data to a third-party system is the only way to get a summary, but Defender for Cloud has a native email notification feature specifically for this purpose.

How to eliminate wrong answers

Option A is wrong because the Regulatory Compliance dashboard displays compliance posture against standards (e.g., SOC 2, ISO 27001) and does not generate weekly email digests with Secure Score or resource health counts. Option B is wrong because Security policies define the rules and initiatives that govern resource compliance (e.g., enabling MFA or encryption), but they do not include any notification or email delivery mechanism for weekly summaries. Option D is wrong because Continuous Export streams security data (e.g., alerts, recommendations) to Log Analytics or Event Hubs for external processing, but it does not natively generate or send weekly email digests with Secure Score and resource health summaries.

7
MCQ (medium)

A security analyst is using Microsoft Sentinel to investigate a security incident. The analyst needs to view all related events, alerts, and entities (users, IPs, hosts) in a single, interactive graph to understand the full scope of the attack. Which Microsoft Sentinel feature should they use?

A. Incident timeline
B. Investigation graph
C. Hunting
D. Analytics rules
Answer: B

The investigation graph allows analysts to visually explore entities and alerts related to an incident. It shows connections and helps identify the scope of an attack.

Why this answer

The Investigation graph in Microsoft Sentinel provides an interactive, visual map that correlates all related events, alerts, and entities (such as users, IPs, and hosts) for a given incident. This allows the analyst to explore the full scope of an attack by dragging and dropping entities to uncover hidden relationships, making it the correct feature for this scenario.

Exam trap

The trap here is that candidates often confuse the Incident timeline (which shows a linear history) with the Investigation graph (which shows relational connections), leading them to choose the timeline option when the question explicitly asks for an interactive graph to understand the full scope of an attack.

How to eliminate wrong answers

Option A is wrong because the Incident timeline shows a chronological list of activities and changes for an incident, but it does not provide an interactive graph with entities and relationships. Option C is wrong because Hunting is a proactive search for threats using queries and bookmarks, not a tool for viewing all related events and entities in a single graph for an existing incident. Option D is wrong because Analytics rules are used to create detection logic that generates alerts and incidents, not to visualize or investigate the relationships between events and entities in an existing incident.

8
Multi-Select (medium)

Which TWO actions can be performed using Microsoft Defender for Cloud's 'Regulatory Compliance' dashboard?

Select 2 answers
A. Upload evidence documents for manual controls.
B. Automatically remediate non-compliant resources.
C. View compliance score against a specific regulatory standard.
D. Configure continuous export of compliance data.
E. Integrate with third-party GRC tools directly from the dashboard.
Answers: A, C

The dashboard shows pass/fail status per control for each assigned standard and lets you attach evidence and attest to controls that cannot be assessed automatically.

Why this answer

Options A and C are correct. The dashboard shows compliance against each assigned standard and allows manual evidence upload and attestation for controls that have no automated assessment. Option B is wrong because remediation is driven from recommendations and Azure Policy (for example, 'Fix' actions and DeployIfNotExists policies), not from the compliance dashboard.

Option D is wrong because continuous export is a separate setting under Environment settings, even though compliance data is one of the data types it can export. Option E is wrong because the dashboard does not integrate directly with external GRC tools; that is done by exporting the data.

9
MCQ (hard)

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

A. The NVA's private IP address is not reachable from VNet-B
B. VNet peering system routes override user-defined routes
C. The UDR must be applied to the gateway subnet of VNet-B
D. The NVA network interface does not have IP forwarding enabled
Answer: D

IP forwarding must be enabled on the NVA's NIC before Azure will deliver packets to it whose destination IP is not the NIC's own address. Without it, the platform discards those packets at the NIC, so the NVA never forwards anything and the intended inspection path is not taken.

Why this answer

Option D is correct because a network virtual appliance (NVA) must have IP forwarding enabled on its Azure network interface before Azure will deliver traffic to it that is not addressed to the NIC itself. Without this setting the packets never reach the NVA's forwarding path, so the inspection the UDR was meant to force does not happen. Enabling IP forwarding on the NIC (and inside the guest OS) lets the NVA act as a router and forward traffic between the VNets as the user-defined route intends.

Exam trap

The trap here is that candidates often assume a UDR alone is sufficient to force traffic through an NVA, overlooking the mandatory IP forwarding setting on the NVA's NIC, which is a common misconfiguration in Azure networking.

How to eliminate wrong answers

Option A is wrong because if the NVA's private IP were unreachable from VNet-B, the traffic would fail entirely, not bypass the NVA; the issue is that the NVA receives but drops the traffic. Option B is wrong because user-defined routes (UDRs) override VNet peering system routes for traffic within the same virtual network or between peered VNets when the next hop is explicitly set; system routes are only used when no UDR matches. Option C is wrong because the UDR must be applied to the subnet containing the source VMs in VNet-B, not the gateway subnet, which is used for VPN/ExpressRoute traffic, not for VNet peering traffic.
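The fix for question 9 together with the verification a practitioner would run, as an added Azure PowerShell example (not code from the original page). Names (rg-net, nva-nic, vnet-b, snet-workload, vm-b-nic, rt-to-nva), the region and the NVA address 10.0.1.4 are placeholders; the same route pattern applies to the NVA in question 15:

```powershell
# Added example: IP forwarding on the NVA NIC plus the UDR that sends VNet-B traffic to it.
# Names and addresses are placeholders; run after Connect-AzAccount with Az.Network loaded.
$rg = 'rg-net'

# 1. Platform side: allow the NVA NIC to receive packets whose destination is not its own IP.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nva-nic'
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null
# The guest OS must forward as well (Linux: net.ipv4.ip_forward=1; Windows: RRAS), otherwise
# packets now reach the NVA and are dropped there instead of at the fabric.

# 2. Route: VNet-B workload subnet -> 10.0.0.0/16 via the NVA. The route table goes on the
#    subnet that originates the traffic, not on a gateway subnet.
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-to-nva' -Location 'westeurope'
Add-AzRouteConfig -RouteTable $rt -Name 'to-vnet-a-via-nva' `
    -AddressPrefix '10.0.0.0/16' -NextHopType VirtualAppliance -NextHopIpAddress '10.0.1.4' | Out-Null
$rt = $rt | Set-AzRouteTable

$vnetB  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-b'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetB -Name 'snet-workload'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetB -Name 'snet-workload' `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnetB | Set-AzVirtualNetwork | Out-Null

# 3. Check from a VM NIC in VNet-B. The 10.0.0.0/16 entry should show Source=User and
#    NextHopType=VirtualAppliance, and the peering system route for the same prefix
#    should now show State=Invalid (it has been overridden, not removed).
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'vm-b-nic' |
    Where-Object { $_.AddressPrefix -contains '10.0.0.0/16' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

If the effective route table already showed the user route as active before step 1, the symptom in the question was not a routing problem at all, which is exactly why the NIC setting is the first thing to check.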

10
MCQ (easy)

A company uses Azure Active Directory and has guest users invited via B2B collaboration. The security team wants to require that all guest users from specific external organizations must complete multi-factor authentication (MFA) when accessing the company's SaaS applications. Which Conditional Access policy configuration should they use?

A. Create a policy that applies to 'All users' with a condition for 'Guest or external users' and a grant control of 'Require multi-factor authentication'.
B. Create a policy that applies to 'Guest or external users' with a condition for 'External tenants' specifying the organizations, and a grant control of 'Require multi-factor authentication'.
C. Create a policy that applies to 'All guest users' and assign it to the SaaS applications. Use a session control 'Use app enforced restrictions'.
D. Create a policy that applies to 'Guest or external users' with a condition for 'Sign-in risk' set to 'Medium and above' and a grant control of 'Block access'.
Answer: B

This correctly scopes the policy to guest users from specific external tenants and enforces MFA as a grant control.

Why this answer

Option B is correct because it uses the 'External tenants' condition within a Conditional Access policy targeting 'Guest or external users' to specify the exact organizations from which guests must complete MFA. This directly meets the requirement to scope MFA enforcement to specific external organizations, not all guests. The 'Require multi-factor authentication' grant control ensures MFA is enforced for those guests when accessing SaaS applications.

Exam trap

The trap here is that candidates confuse the broad 'Guest or external users' identity with the granular 'External tenants' condition, mistakenly thinking that selecting 'Guest or external users' alone is sufficient to scope MFA to specific organizations.

How to eliminate wrong answers

Option A is wrong because applying the policy to 'All users' would include internal users, not just guests from specific external organizations, and the 'Guest or external users' condition alone does not filter by specific organizations. Option C is wrong because 'All guest users' applies to all guests regardless of their home organization, and 'Use app enforced restrictions' is a session control that relies on the application itself to enforce restrictions, not a grant control for MFA. Option D is wrong because 'Sign-in risk' condition targets risky sign-ins based on Microsoft's risk detection, not specific external organizations, and 'Block access' prevents access entirely rather than requiring MFA.

11
MCQ (easy)

A company has several critical applications deployed in an Azure virtual network. The security team wants to protect the virtual network against Distributed Denial-of-Service (DDoS) attacks by enabling automatic attack mitigation, adaptive tuning, and access to DDoS Rapid Response Support. Which DDoS Protection tier should they enable for the virtual network?

A. DDoS Protection Basic (Free)
B. DDoS Protection Standard
C. DDoS Protection Premium
D. DDoS Protection Advanced
Answer: B

Standard (sold today as DDoS Network Protection) is the paid tier; it includes adaptive tuning, comprehensive attack mitigation, real-time telemetry and alerting, and access to DDoS Rapid Response Support at no additional charge.

Why this answer

DDoS Protection Standard is the correct tier because it provides automatic attack mitigation, adaptive tuning based on traffic patterns, and access to DDoS Rapid Response Support (DRRS) for Azure virtual networks. The Basic tier only offers always-on traffic monitoring and basic mitigation without adaptive tuning or DRRS, while Premium and Advanced are not valid Azure DDoS Protection tiers.

Exam trap

The trap here is that candidates may confuse the non-existent 'Premium' or 'Advanced' tiers with the actual Standard tier, or assume the free Basic tier includes advanced features like adaptive tuning and DRRS, which are exclusive to the paid Standard tier.

How to eliminate wrong answers

Option A is wrong because DDoS Protection Basic (infrastructure protection) is free but only provides always-on traffic monitoring and mitigation sized for Azure's global network as a whole; it does not include adaptive tuning, per-resource telemetry, or DDoS Rapid Response Support. Options C and D are wrong because 'Premium' and 'Advanced' are not Azure DDoS Protection tiers; the paid tier is DDoS Protection Standard, now named DDoS Network Protection (a per-public-IP SKU, DDoS IP Protection, also exists but is not among the options).

12
MCQ (easy)

You need to securely connect two Azure virtual networks in the same region to allow VM-to-VM communication using private IP addresses. The solution must minimize latency and administrative overhead. What should you use?

A. VNet peering
B. Azure VPN Gateway
C. Azure Front Door
D. ExpressRoute
Answer: A

Direct, low-latency, simple: peered VNets exchange traffic over the Microsoft backbone using private IPs with no gateway in the path.

Why this answer

Option A is correct because VNet peering provides low-latency, private IP connectivity between VNets in the same region with minimal configuration. Option B is wrong because a VPN gateway adds an encrypted tunnel hop with limited throughput and extra latency. Option D is wrong because ExpressRoute is a private circuit for on-premises-to-Azure connectivity.

Option C is wrong because Azure Front Door is a global HTTP(S) load balancer and does not connect virtual networks.

13
Multi-Select (hard)

An enterprise app requests tenant-wide admin consent for Microsoft Graph permissions. Security wants to prevent unreviewed user consent while allowing approved apps. Which two controls help meet this requirement?

Select 2 answers
A. Configure admin consent workflow
B. Allow all users to grant consent to any app
C. Restrict user consent settings and review publisher verification/permissions
D. Disable service principals globally
Answers: A, C

Together these block unreviewed consent while giving users a sanctioned path to get approved apps authorized.

Why this answer

Option A is correct because the admin consent workflow lets users submit a request when they are blocked from consenting, routes the request to designated reviewers, and records the decision, so approved apps still get through without users being able to consent on their own. Option C is correct because restricting user consent (for example, allowing consent only for verified publishers requesting low-impact permissions, or blocking it entirely) is what stops unreviewed consent in the first place, and reviewing the publisher and the requested permissions is the administrator's check before approving. Option B is wrong because letting any user consent to any app is precisely the condition the requirement removes. Option D is wrong because disabling service principals globally would break every application in the tenant, including the approved ones.

Exam trap

The trap here is that candidates often confuse the admin consent workflow with simply blocking all user consent, but the workflow allows controlled approval of specific apps, which is the precise requirement for preventing unreviewed consent while still enabling approved apps.
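Both controls from question 13 applied with Microsoft Graph PowerShell, as an added example that is not code from the original page. The reviewer's object ID is a placeholder; the script assumes the Microsoft.Graph.Identity.SignIns module and a session with the Policy.ReadWrite.Authorization and Policy.ReadWrite.ConsentRequest scopes:

```powershell
# Added example: restrict user consent and enable the admin consent workflow.
# The reviewer ID is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest'

# Control C: users may consent only to apps from verified publishers that request
# low-impact permissions (built-in grant policy 'microsoft-user-default-low'); anything
# else requires an administrator. Use @() instead to block all user consent outright.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

# Control A: route the requests that are now blocked to named reviewers, with reminders and
# an expiry, so users have a sanctioned path instead of a dead end.
$reviewers = @(
    @{ query = '/users/11111111-1111-1111-1111-111111111111'; queryType = 'MicrosoftGraph' }
)
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -Reviewers $reviewers `
    -NotifyReviewers:$true -RemindersEnabled:$true -RequestDurationInDays 14

# Check: both settings read back.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, RequestDurationInDays, NotifyReviewers, RemindersEnabled
```

The review step itself stays manual by design: when a request arrives, the reviewer checks the publisher's verification status and whether the requested Graph permissions are proportionate (a note-taking app asking for Mail.ReadWrite is the usual red flag) before approving in the Enterprise applications blade.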

14
MCQ (medium)

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to require that activation of this role must be approved by a designated group of security engineers before it becomes active. Which PIM role setting should they configure?

A. Activation maximum duration (hours)
B. MFA on activation
C. Require approval
D. Require justification on activation
Answer: C

Enabling 'Require approval' in the PIM role settings means a user's activation request must be approved by designated approvers. This ensures that role activation is reviewed by a security team.

Why this answer

Option C is correct because Azure AD PIM's 'Require approval' setting enforces that a designated group of approvers must authorize each activation request before the role becomes active. This directly meets the requirement for approval by security engineers, ensuring that role activation is gated by explicit consent rather than being automatic.

Exam trap

The trap here is that candidates often confuse 'Require justification' or 'MFA on activation' with approval workflows, but neither introduces a separate approval step by a designated group—they only add authentication or logging requirements.

How to eliminate wrong answers

Option A is wrong because 'Activation maximum duration (hours)' controls how long a role can remain active after approval, not the approval process itself. Option B is wrong because 'MFA on activation' enforces multi-factor authentication during activation but does not introduce a separate approval step by a designated group. Option D is wrong because 'Require justification on activation' mandates a reason for activation but does not require approval from another party.

15
MCQ (hard)

Your on-premises network is connected to Azure via a Site-to-Site VPN. You have a production virtual network (VNet1) and a development VNet (VNet2) in the same region. VNet1 has a network virtual appliance (NVA) from the Azure Marketplace. You need to ensure that traffic from VNet2 to an on-premises server is inspected by the NVA in VNet1. Which routing configuration should you implement?

A. Add a user-defined route (UDR) to the gateway subnet of VNet2 with destination 0.0.0.0/0 and next hop set to the private IP of the NVA in VNet1.
B. Configure Azure Route Server on VNet1 and enable VNet peering between VNet1 and VNet2.
C. Create a forced tunneling configuration on the VPN gateway to send all traffic to the NVA.
D. Peer VNet1 and VNet2 and use Azure Firewall in VNet1 as the next hop for all traffic.
Answer: A

A UDR whose next hop is the NVA's private IP, combined with VNet peering between VNet2 and VNet1, redirects VNet2's outbound traffic (including the on-premises-bound traffic) through the NVA for inspection.

Why this answer

Option A is correct because only a user-defined route with the NVA as next hop can steer traffic from VNet2 to the NVA; the peering supplies the path to the NVA's subnet. In practice the route table is associated with the VNet2 subnets that originate the traffic, and the NVA's NIC must have IP forwarding enabled. Option B is wrong because Azure Route Server exchanges routes with NVAs over BGP; by itself it does not force VNet2's traffic through an NVA. Option C is wrong because forced tunneling on the VPN gateway sends Azure-originated internet traffic back on-premises; it cannot hand traffic to an NVA. Option D is wrong because Azure Firewall is a different product from the Marketplace NVA the scenario requires for inspection.

16
MCQ (medium)

Refer to the exhibit. A Conditional Access policy is configured to block legacy authentication for Office 365. However, users are still able to access Exchange Online using Outlook (modern authentication). What is the most likely reason?

A. The policy only blocks legacy protocols, not modern authentication
B. The policy does not include Exchange Online
C. The policy does not apply to all users
D. The policy is not enabled
Answer: A

A block-legacy-authentication policy targets the client app types 'Exchange ActiveSync clients' and 'Other clients'; Outlook using modern authentication signs in as a 'Mobile apps and desktop clients' app type and is not matched.

Why this answer

The Conditional Access policy is configured to block legacy authentication, which targets protocols like POP3, IMAP, SMTP, and Exchange ActiveSync that do not support modern authentication. Modern authentication (used by Outlook with OAuth 2.0) is not affected by this policy, so users can still access Exchange Online via Outlook. The policy explicitly allows modern authentication flows, making option A correct.

Exam trap

The trap here is that candidates assume 'block legacy authentication' means blocking all older clients, but it specifically targets authentication protocols, not client applications, so modern authentication clients like Outlook (with OAuth) are still allowed.

How to eliminate wrong answers

Option B is wrong because the policy is scoped to Office 365 cloud apps, which includes Exchange Online by default. Option C is wrong because the question does not indicate any user exclusion; even if it applied to all users, the policy would still not block modern authentication. Option D is wrong because if the policy were not enabled, it would not block any authentication at all, but the question states the policy is configured and users are still accessing via modern authentication, implying the policy is active but not blocking the intended traffic.
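The two Conditional Access policies discussed in questions 10 and 16, created in report-only mode with Microsoft Graph PowerShell, as an added example that is not code from the original page. The external tenant IDs and the break-glass group ID are placeholders; the script assumes the Microsoft.Graph.Identity.SignIns module and a session with the Policy.ReadWrite.ConditionalAccess scope:

```powershell
# Added example: guest MFA scoped to listed external tenants (Q10) and a legacy-auth block (Q16).
# IDs are placeholders. Both policies start in report-only mode.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$breakGlassGroup = '22222222-2222-2222-2222-222222222222'   # always excluded so a bad policy cannot lock admins out

# Q10: MFA for B2B collaboration guests, but only those homed in the enumerated tenants.
# Replace 'All' with the SaaS app object IDs if the requirement is narrower than all apps.
$guestMfa = @{
    displayName   = 'CA-Guests-MFA-ListedTenants'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest'
                externalTenants          = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessEnumeratedExternalTenants'
                    membershipKind = 'enumerated'
                    members        = @('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
                                       'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb')
                }
            }
            excludeGroups = @($breakGlassGroup)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $guestMfa | Select-Object DisplayName, State

# Q16: block legacy authentication to Office 365. 'exchangeActiveSync' and 'other' are the
# legacy client app types; 'browser' and 'mobileAppsAndDesktopClients' (modern auth, e.g.
# Outlook with OAuth) are deliberately absent, which is why Outlook keeps working.
$blockLegacy = @{
    displayName   = 'CA-Block-LegacyAuth-O365'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('Office365') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Select-Object DisplayName, State
```

Leave both in report-only mode for a week and read the Conditional Access tab of the sign-in logs: entries marked 'Report-only: Failure' are the sign-ins that would have been blocked or challenged, and for the legacy-auth policy they are the service accounts and scanners you must migrate before switching `state` to `enabled`.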

17
MCQ (easy)

You manage a multi-tier application in Azure with a web tier, application tier, and database tier. The web tier must be accessible from the internet, but the application and database tiers must only be accessible from the web tier. Which Azure networking feature should you use to isolate the tiers?

A. Virtual network peering between tiers.
B. Azure Firewall with application rules.
C. Network security groups (NSGs) on each subnet.
D. Application security groups (ASGs) within the same subnet.
Answer: C

NSGs let you permit or deny traffic between subnets by source, destination, port and protocol, which is all that is needed to isolate the tiers.

Why this answer

Option C is correct because a network security group on each tier's subnet controls inbound and outbound traffic: allow 443 from the internet to the web subnet, allow only the web subnet to reach the application and database subnets, and deny everything else. Option A is wrong because peering connects VNets; it does not filter traffic between tiers. Option B is wrong because Azure Firewall application rules filter outbound HTTP/S by FQDN and are a heavyweight, costly choice for simple east-west isolation. Option D is wrong because ASGs only group NICs so that NSG rules can reference them; they are used inside NSG rules, not as an isolation mechanism on their own.
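The NSG rule sets that implement the tiering in question 17, as an added Azure PowerShell example that is not code from the original page. Address prefixes, names, the region and the test VM are placeholders; 'Internet' is an Azure service tag; the script assumes Az.Network, a VNet with three subnets already created, and a Network Watcher instance in the region:

```powershell
# Added example: one NSG per tier, default-deny inbound, plus a platform-side reachability check.
# Names, prefixes and region are placeholders.
$rg = 'rg-app'; $loc = 'westeurope'
$webPrefix = '10.10.1.0/24'; $appPrefix = '10.10.2.0/24'; $dataPrefix = '10.10.3.0/24'

function New-DenyAllInbound {
    # Overrides the default AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001)
    # rules. If a load balancer fronts a tier, add an Allow for the AzureLoadBalancer tag above this.
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-in' -Priority 4096 -Direction Inbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
}
function New-AllowTcpInbound([string]$Name, [string]$From, [string]$To, [int]$Port) {
    New-AzNetworkSecurityRuleConfig -Name $Name -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $From -SourcePortRange '*' `
        -DestinationAddressPrefix $To -DestinationPortRange $Port
}

# Web: HTTPS from the internet. App and data: only from the web subnet, as the question states.
$nsgRules = @{
    'snet-web'  = @((New-AllowTcpInbound 'allow-https-in'   'Internet'  $webPrefix  443),  (New-DenyAllInbound))
    'snet-app'  = @((New-AllowTcpInbound 'allow-web-in'     $webPrefix  $appPrefix  8443), (New-DenyAllInbound))
    'snet-data' = @((New-AllowTcpInbound 'allow-web-sql-in' $webPrefix  $dataPrefix 1433), (New-DenyAllInbound))
}

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-3tier'
foreach ($subnetName in $nsgRules.Keys) {
    $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name "nsg-$subnetName" `
        -SecurityRules $nsgRules[$subnetName] -Force
    $s = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
        -AddressPrefix $s.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: ask the platform whether an app-tier host can reach SQL on a data-tier VM.
# Expected result: Access = Deny, RuleName = deny-all-in.
$dataVm = Get-AzVM -ResourceGroupName $rg -Name 'vm-data-01'
Test-AzNetworkWatcherIPFlow -NetworkWatcherName "NetworkWatcher_$loc" -ResourceGroupName 'NetworkWatcherRG' `
    -TargetVirtualMachineId $dataVm.Id -Direction Inbound -Protocol TCP `
    -LocalIPAddress '10.10.3.4' -LocalPort 1433 -RemoteIPAddress '10.10.2.4' -RemotePort 50000
```

Run the same IP flow check with RemoteIPAddress set to a web-tier host to confirm the Allow path, so the ruleset is verified in both directions before any application is deployed behind it.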

18
MCQ (hard)

Refer to the exhibit. You are implementing an Azure Policy to enforce encryption on managed disks. A user reports that they cannot create a VM even though they specified a disk encryption set. What is the most likely reason?

A. The user did not have permission to assign a disk encryption set.
B. The disk encryption set is in a different region than the VM.
C. The disk encryption set is not enabled for encryption.
D. The user specified the disk encryption set in the VM properties but not on the disk resource.
Answer: D

The policy evaluates the Microsoft.Compute/disks resource; the encryption set must be referenced on the disk itself.

Why this answer

Option D is correct. The policy checks that the property 'diskEncryptionSet.id' exists on the disk resource (the OS disk's managedDisk block). If the user references the encryption set elsewhere in the VM definition rather than on the disk, the property is absent from the disk resource the policy evaluates, so the deployment is denied.

Option A is wrong because a missing RBAC permission produces an authorization error, not a policy denial; the policy allows creation whenever the property exists. Option B is wrong because the policy does not evaluate region (a disk encryption set in another region would fail for a different reason, with a different error). Option C is wrong because the policy checks only for the presence of the property, not the validity or state of the key behind it.

19
Multi-Select (medium)

You are designing security for an Azure SQL Database that will store personally identifiable information (PII). The database will be accessed by multiple applications, some of which are legacy and cannot use Azure AD authentication. Your requirements include: encrypting data at rest, encrypting data in transit, and dynamically masking PII columns for non-privileged users. Which THREE features should you implement?

Select 3 answers
A. Configure Dynamic Data Masking (DDM) for the PII columns.
B. Implement Always Encrypted for the PII columns.
C. Set the 'Minimum TLS Version' to 1.2 on the Azure SQL Server.
D. Enable Transparent Data Encryption (TDE) for the Azure SQL Database.
E. Apply Azure Information Protection labels to the database.
Answers: A, C, D

Each requirement maps to one feature: TDE for data at rest, a TLS floor for data in transit, DDM for masking.

Why this answer

Option D: Transparent Data Encryption (TDE) encrypts data files, log files and backups at rest. Option C: enforcing a minimum TLS version of 1.2 on the logical server ensures every connection is encrypted with a current protocol. Option A: Dynamic Data Masking (DDM) masks PII columns in query results for non-privileged users. Note that DDM is not an access control: the underlying data is stored in clear, and a user with SELECT on the table can still infer values with predicate queries, so it must be paired with least-privilege database permissions.

Option B (Always Encrypted) encrypts on the client and would hide PII even from DBAs, but it requires client driver support that legacy applications typically lack, and it is not needed to meet the three stated requirements once TDE is used. Option E (Azure Information Protection) labels documents and email; it does not encrypt or mask database content.
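The three controls chosen in question 19 applied with Az.Sql, as an added Azure PowerShell example that is not code from the original page. Names (rg-data, sql-pii-01, pii-db, dbo.Customers and its columns, the privileged SQL user dpo_reviewer) are placeholders:

```powershell
# Added example: TLS floor, TDE and dynamic data masking on one Azure SQL database.
# Names are placeholders; run after Connect-AzAccount.
$rg = 'rg-data'; $server = 'sql-pii-01'; $db = 'pii-db'

# In transit: refuse anything below TLS 1.2 at the logical server. Legacy clients that cannot
# negotiate TLS 1.2 fail here, which is the point: fix the client, do not lower the floor.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -MinimalTlsVersion '1.2' | Out-Null

# At rest: TDE is on by default for new databases; stating it explicitly is idempotent and
# catches databases where someone switched it off.
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $db -State Enabled | Out-Null

# Masking: applies to result sets for every login except the privileged list. It is not
# access control (data stays in clear; WHERE-clause probing can reconstruct values), so the
# privileged list must be short and table permissions must still be least-privilege.
Set-AzSqlDatabaseDataMaskingPolicy -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -DataMaskingState Enabled -PrivilegedUsers 'dpo_reviewer' | Out-Null
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName 'dbo' -TableName 'Customers' -ColumnName 'Email' -MaskingFunction Email | Out-Null
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName 'dbo' -TableName 'Customers' -ColumnName 'NationalId' `
    -MaskingFunction Text -PrefixSize 0 -SuffixSize 4 -ReplacementString 'X' | Out-Null

# Check: all three settings read back.
(Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).MinimalTlsVersion
(Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db).State
Get-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Format-Table SchemaName, TableName, ColumnName, MaskingFunction
```

The Text mask above keeps the last four characters of the national ID, which is often all a support workflow needs; widen the suffix only with a documented justification, because every exposed character makes predicate probing cheaper.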

20
MCQ (easy)

You need to securely connect an on-premises network to an Azure virtual network. The connection must use the internet and provide authenticated and encrypted communication. Which Azure service should you use?

A. Azure VPN Gateway
B. Azure ExpressRoute
C. Azure Application Gateway
D. Azure Virtual WAN
Answer: A

Azure VPN Gateway enables site-to-site VPN over the internet with encryption and authentication.

Why this answer

Azure VPN Gateway provides site-to-site VPN connections over the internet with IPsec/IKE encryption, meeting the requirements for authenticated and encrypted communication.

21
MCQ (hard)

A company uses Azure Disk Encryption (ADE) on Windows virtual machines. They use a key encryption key (KEK) stored in Azure Key Vault to wrap the disk encryption key. The security policy requires that the KEK be automatically rotated every 90 days. They need to ensure that after rotation, the OS and data disks of running VMs automatically get re-wrapped with the new KEK version. Which configuration should they implement?

A. Enable soft-delete and purge protection on the Key Vault.
B. Use Key Vault key auto-rotation with a 90-day rotation period, and configure the disk encryption set to use the latest key version (empty string).
C. Create a new KEK every 90 days and modify the disk encryption set to point to the new key version.
D. Use Azure Policy to enforce automatic key rotation.
Answer: B

Key Vault key auto-rotation creates a new key version on schedule. A disk encryption set that references the key without a version (the "empty" version, with automatic rotation to the latest version enabled) re-wraps its disks with the newest version after each rotation, without a VM restart.

Why this answer

Option B is correct because Azure Key Vault supports automatic key rotation with a configurable rotation period, and a disk encryption set (DES) configured with a versionless key reference automatically picks up the latest KEK version, so a 90-day rotation is honoured without manual intervention. Note that the DES and its automatic rotation belong to server-side encryption with customer-managed keys for managed disks; for the in-guest Azure Disk Encryption extension (BitLocker/dm-crypt), a rotated KEK has to be applied by re-running the disk encryption extension with the new key URL.

Exam trap

The trap here is that candidates may confuse Azure Policy (which enforces compliance) with actual key rotation and re-wrapping mechanisms, or mistakenly believe that manual key version updates in the DES are sufficient for automatic re-wrapping of running VMs.

How to eliminate wrong answers

Option A is wrong because enabling soft-delete and purge protection on the Key Vault is a data protection and recovery feature, not a mechanism for automatic key rotation or re-wrapping of disks. Option C is wrong because manually creating a new KEK every 90 days and updating the DES to point to the new key version is a manual process that does not meet the requirement for automatic rotation and re-wrapping. Option D is wrong because Azure Policy can enforce compliance rules but cannot directly trigger automatic key rotation or re-wrapping of disks; it is a governance tool, not a key lifecycle management feature.

22
MCQmedium

A company is setting up a site-to-site VPN between an on-premises network and an Azure virtual network using an Azure VPN gateway. The security policy mandates that the VPN tunnel must use the strongest available encryption and authentication. Which IPsec/IKE parameter combination should they configure on both sides?

A.IKEv2 with AES256
B.IKEv1 with DES
C.IKEv2 with 3DES
D.IKEv1 with AES128
AnswerA

This combination offers the strongest encryption and key exchange protocol supported by Azure VPN Gateway.

Why this answer

Option A is correct because IKEv2 is the current version of the key exchange protocol and AES256 is the strongest cipher among the options, so the pair satisfies the mandate for the strongest available encryption and authentication. IKEv2 also brings built-in NAT traversal, dead peer detection and MOBIKE, and Azure VPN Gateway route-based SKUs negotiate it by default. Practitioner caveat: a custom IPsec/IKE policy on the gateway also pins the integrity algorithm, the Diffie-Hellman group and the PFS group; AES256 paired with SHA1 or DH group 2 (1024-bit) would not meet the policy, so set SHA256 (or AES256GCM for combined mode) with a 2048-bit or elliptic-curve DH group and PFS, and apply the same values on the on-premises device.

Exam trap

The trap here is that candidates often assume IKEv2 is always the best choice regardless of the encryption algorithm, but the question specifically requires the strongest encryption, so AES256 is mandatory, not just IKEv2.

How to eliminate wrong answers

Option B is wrong because IKEv1 is the legacy protocol (it can negotiate AES, but lacks IKEv2's NAT traversal, MOBIKE and streamlined negotiation), and DES is a 56-bit cipher that has been brute-forceable for decades. Option C is wrong because 3DES, despite its 168-bit key length, offers roughly 112 bits of security and, with its 64-bit block size, is exposed to birthday attacks (Sweet32) on long-lived tunnels; it is deprecated and AES256 is far superior. Option D is wrong because IKEv1 is outdated and AES128, while sound, is not the strongest option available when AES256 is on the table.

23
MCQmedium

A company has an Azure virtual network with two subnets: App and Data. The App subnet hosts web servers, and the Data subnet hosts SQL databases. Security policy requires that only HTTPS traffic from the App subnet is allowed to the Data subnet, and all other inbound traffic to the Data subnet must be blocked. The solution must use a single network security group (NSG) associated to the Data subnet. Which NSG inbound rule configuration meets the requirement?

A.Allow HTTPS from App subnet priority 100, then Deny All priority 200
B.Deny All priority 100, then Allow HTTPS from App subnet priority 200
C.Allow HTTPS from App subnet priority 100, and Deny All from any source priority 100 (duplicate priority)
D.Allow HTTPS from App subnet priority 100, no other rules
AnswerA

Correct. The Allow rule has higher priority (100) than the Deny All rule (200), so HTTPS from App subnet is allowed and all other traffic is blocked.

Why this answer

Option A is correct because NSG rules are evaluated in priority order, with lower numbers processed first. By placing the Allow HTTPS rule at priority 100, it matches and permits traffic from the App subnet to the Data subnet. The subsequent Deny All rule at priority 200 then blocks all other inbound traffic, satisfying the security policy with a single NSG on the Data subnet.

Exam trap

The trap here is that candidates may think a Deny All rule is unnecessary because every NSG ends with the default DenyAllInBound rule (priority 65500). That default is reached only after the default AllowVnetInBound rule (priority 65000), which permits any traffic whose source is inside the virtual network, so without an explicit Deny All at a lower number the Data subnet would still accept non-HTTPS traffic from the App subnet and any traffic from every other subnet in the VNet.

How to eliminate wrong answers

Option B is wrong because the Deny All rule at priority 100 would block all inbound traffic, including HTTPS from the App subnet, before the Allow rule at priority 200 is ever evaluated, making the Allow rule dead. Option C is wrong because two rules in the same NSG and direction cannot share a priority value; the deployment fails validation, and there would be no defined evaluation order between them if it did not. Option D is wrong because with no explicit deny, evaluation falls through to the default rules: AllowVnetInBound (65000) matches anything sourced from the virtual network, so SQL or RDP traffic from the App subnet, and any traffic from other subnets, reaches the Data subnet before DenyAllInBound (65500) is ever consulted. A practical check after deploying option A is to run IP flow verify in Network Watcher against a Data-subnet VM for a non-443 port from an App-subnet address and confirm that the explicit deny rule is the one reported as matching.
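To make the evaluation order concrete, here is an added Python simulation (not Azure code and not part of the original question) that models an NSG's first-match evaluation, including the default AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound rules, and runs the three candidate rule sets against sample flows. The VNet and subnet ranges, rule names and sample source addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the question): one VNet,
# App subnet 10.0.1.0/24, Data subnet 10.0.2.0/24.
VNET = ip_network("10.0.0.0/16")
APP_SUBNET = "10.0.1.0/24"
AZURE_LB_PROBE_IP = ip_address("168.63.129.16")  # what the AzureLoadBalancer tag resolves to


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower numbers are evaluated first
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, "VirtualNetwork", "AzureLoadBalancer" or "*"
    dest_port: str  # "443" or "*"


# The default inbound rules every NSG carries; they cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def source_matches(rule_source, src_ip):
    """Resolve the source field of a rule the way the NSG does."""
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src_ip in VNET
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return src_ip in ip_network(rule_source)


def evaluate(custom_rules, src, port):
    """Return (access, rule_name) of the first rule that matches an inbound flow.

    Evaluation is first-match in ascending priority over custom + default rules;
    duplicate priorities are rejected up front, as Azure rejects them at deploy time.
    """
    priorities = [r.priority for r in custom_rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("NSG rule priorities must be unique within a direction")
    src_ip = ip_address(src)
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.dest_port in ("*", str(port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


# The candidate rule sets from the question (option C is rejected by the priority check).
OPTION_A = [Rule("AllowHttpsFromApp", 100, "Allow", APP_SUBNET, "443"),
            Rule("DenyAllOther", 200, "Deny", "*", "*")]
OPTION_B = [Rule("DenyAllOther", 100, "Deny", "*", "*"),
            Rule("AllowHttpsFromApp", 200, "Allow", APP_SUBNET, "443")]
OPTION_D = [Rule("AllowHttpsFromApp", 100, "Allow", APP_SUBNET, "443")]

if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("B", OPTION_B), ("D", OPTION_D)):
        for src, port in (("10.0.1.4", 443), ("10.0.1.4", 1433), ("10.0.3.9", 443)):
            print(label, src, port, evaluate(rules, src, port))
```

Running it shows why option D is insufficient: a SQL flow from the App subnet on port 1433 falls through to AllowVnetInBound and is permitted, while option A's explicit deny at priority 200 catches it. The duplicate-priority check mirrors the validation error Azure returns for option C.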

24
MCQmedium

A company is deploying Azure Bastion to provide secure RDP/SSH access to VMs in a virtual network. The security requirement is that all administrative access must be logged and audited. What additional configuration is needed to meet this requirement?

A.Enable NSG flow logs on the subnet containing the target VMs.
B.Enable diagnostic settings on Azure Bastion to send logs to a Log Analytics workspace.
C.Enable Azure Activity Log for the Bastion resource.
D.Configure diagnostic settings on the target VMs to send logs to Log Analytics.
AnswerB

Bastion diagnostics provide logs about user connections, including source IP, username, and session duration.

Why this answer

Option B is correct because Azure Bastion integrates with Azure Monitor: the BastionAuditLogs diagnostic category records each session (user name, source IP, target VM, protocol, session start and end), and sending it to a Log Analytics workspace gives the SOC a queryable, retained audit trail. Option A is wrong because NSG flow logs record flow metadata (5-tuple, bytes, allow/deny) to and from the VMs, not who initiated a Bastion session. Option C is wrong because the Activity Log captures management-plane operations on the Bastion resource (create, update, delete), not data-plane RDP/SSH sessions.

Option D is wrong because diagnostics on the target VMs capture OS-level events; since Bastion proxies the session, the VM logs show a connection from Bastion but not the Bastion session metadata, and a VM whose agent is disabled or compromised would stop logging altogether.

25
Multi-Selecthard

You are securing an Azure Kubernetes Service (AKS) cluster that runs a microservices application. You need to ensure that pods can only communicate with other pods in the same namespace, and that all egress traffic from the cluster is inspected for malicious content. Which three components should you include in the solution?

Select 3 answers
A.Azure Application Gateway
B.Kubernetes Network Policies
C.Azure DDoS Protection
D.User-defined route (UDR) to force-tunnel egress traffic to Azure Firewall
E.Azure Firewall
AnswersB, D, E

Controls pod-to-pod communication.

Why this answer

Option B is correct because Kubernetes network policies in AKS control pod-to-pod traffic; a default-deny ingress policy in each namespace plus an allow rule for same-namespace sources gives the required isolation. Note that enforcement requires a policy engine (Azure network policy or Calico) enabled on the cluster; policies applied to a cluster without one have no effect. Option E is correct because Azure Firewall filters the cluster's egress, and inspecting that traffic for malicious content (IDPS, TLS inspection) requires the Premium SKU. Option D is correct because a user-defined route on the node subnet with next hop set to the firewall's private IP, combined with the AKS outbound type userDefinedRouting, is what forces egress through the firewall.

Option C (Azure DDoS Protection) mitigates volumetric attacks against public IPs; it does not inspect egress content. Option A (Application Gateway) handles inbound traffic, not egress inspection.

26
MCQmedium

A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?

A.Transparent Data Encryption (TDE) with a customer-managed key stored in Azure Key Vault.
B.Dynamic Data Masking (DDM) for the credit card column.
C.Always Encrypted with a client-side encryption key stored in Azure Key Vault.
D.Row-Level Security (RLS) to restrict DBA access to the credit card column.
AnswerC

Correct. Always Encrypted encrypts the data on the client side, so the SQL Database never sees the plaintext. Only the client application with access to the encryption key can decrypt the data, preventing DBAs from viewing sensitive columns.

Why this answer

Always Encrypted ensures that sensitive data, such as credit card numbers, is encrypted on the client side before being sent to Azure SQL Database, and the encryption keys are never revealed to the database engine. This prevents DBAs or any server-side administrators from viewing the plaintext data, as decryption can only occur using the client-side encryption key stored in Azure Key Vault and accessed by the dedicated application library.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking (DDM) with encryption, not realizing that DDM only masks output and does not protect the underlying plaintext from privileged users or direct database access.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts data at rest but does not protect data from DBAs who have access to the database; the database engine can still decrypt the data in memory and in transit unless additional measures are taken, and it does not enforce client-side-only decryption. Option B is wrong because Dynamic Data Masking (DDM) only obfuscates data in query results for unauthorized users, but the underlying plaintext is still stored in the database and can be accessed by privileged users or through direct queries. Option D is wrong because Row-Level Security (RLS) restricts access to rows based on predicates but does not encrypt the data; DBAs with elevated permissions can bypass RLS or still view the plaintext column values.

27
MCQhard

Refer to the exhibit. The JSON snippet shows a network rule from an Azure Firewall policy. You have a subnet with IP range 10.0.1.0/24 that needs to connect to Azure SQL Database in Southeast Asia. However, connections are failing. What is the most likely reason?

A.The protocol should be UDP instead of TCP
B.The destination port should be 1434 instead of 1433
C.Network rules do not support service tags as destination addresses
D.The rule priority is too low and may be overridden
AnswerC

As the exam frames it, the network rule's destination is a service tag where the rule expects an IP address or CIDR range.

Why this answer

Option C is the answer the exam intends: the destination in the exhibit, 'AzureCloud.southeastasia', is a service tag, and the question treats network rules as accepting only IP addresses or CIDR ranges. Option A is wrong because Azure SQL Database uses TCP. Option B is wrong because 1433 is the correct port for Azure SQL Database (1434/UDP is the SQL Browser port used by on-premises named instances; with the redirect connection policy Azure SQL additionally needs TCP 11000-11999 outbound). Option D is wrong because 100 is the highest priority a rule collection can have, so nothing evaluates ahead of it.

Practitioner caveat: current Azure Firewall network rules do accept service tags in the destination field, so when a real connection fails with a rule like this, check that the tag is the right one (the SQL service has its own regional tag, Sql.SoutheastAsia, and AzureCloud is far broader than least privilege calls for), that the rule collection's action is Allow, and that the subnet's route table actually sends the traffic to the firewall.

28
MCQeasy

You need to ensure that only users with a valid Azure AD token can invoke an Azure Function app. No other authentication methods should be allowed. What should you configure?

A.Enable App Service Authentication and set the action to 'Log in with Azure AD' but allow anonymous requests.
B.Configure function-level authorization and require function keys.
C.Enable App Service Authentication with Azure AD as the provider and set 'Action to take when request is not authenticated' to 'Log in with Azure AD'.
D.Configure IP restrictions to allow only known IP ranges.
AnswerC

This ensures only authenticated requests with a valid Azure AD token are accepted.

Why this answer

Option C is correct because App Service Authentication (EasyAuth) with Microsoft Entra ID as the provider validates the bearer token at the platform layer before the function code runs, and setting the unauthenticated-request action to require login rejects everything else. For an API that is called programmatically, returning HTTP 401 rather than a browser redirect is the usual choice; either setting blocks unauthenticated callers. Option A is wrong because allowing anonymous requests leaves the function callable without a token. Option B is wrong because function keys are shared secrets passed in a query string or header, not Azure AD tokens, and a key-only caller is otherwise anonymous.

Option D is wrong because IP restrictions limit where calls come from, not who is calling; a request from an allowed range still carries no identity.

29
MCQmedium

A company uses Azure AD B2B collaboration to invite external partner users. The security policy requires that guest users who have not signed in for more than 90 days should have their access automatically reviewed and, if not approved, removed. The company has Azure AD Premium P2 licenses. Which Azure AD feature should they configure to meet this requirement?

A.Enable automatic user deletion in the Azure AD B2B collaboration settings.
B.Create a Conditional Access policy that blocks sign-ins for guest users who haven't authenticated in 90 days.
C.Configure an Azure AD Access Review that reviews guest user access and automatically removes access after 90 days of inactivity.
D.Use Azure AD Identity Protection to detect guest user sign-in anomalies and revoke sessions.
AnswerC

Access Reviews can be configured to run periodically (e.g., quarterly) and include only guest users. The review can be set to automatically remove users who do not respond or who are not approved, effectively removing access for inactive guests.

Why this answer

Option C is correct because Azure AD Access Reviews, available with Azure AD Premium P2 licenses, allow you to create recurring reviews that specifically target guest users who have not signed in for a specified period (e.g., 90 days). The review can be configured to automatically remove access if the reviewer does not approve, directly meeting the requirement for automatic review and removal after 90 days of inactivity.

Exam trap

The trap here is that candidates often confuse blocking sign-ins via Conditional Access (Option B) with actually removing access, but Conditional Access only prevents future authentication and does not revoke existing permissions or trigger a review workflow.

How to eliminate wrong answers

Option A is wrong because Azure AD B2B collaboration settings do not include an 'automatic user deletion' feature; user deletion must be performed manually or via automated scripts, and there is no built-in inactivity-based deletion in those settings. Option B is wrong because a Conditional Access policy can block sign-ins based on sign-in frequency or risk, but it cannot automatically remove guest user access or trigger a review process; it only prevents future sign-ins without addressing existing access. Option D is wrong because Azure AD Identity Protection is designed to detect and respond to sign-in anomalies and risky behaviors, not to manage inactivity-based access reviews or removals for guest users.

30
MCQmedium

Refer to the exhibit. You are reviewing a custom Azure Policy definition used in Microsoft Defender for Cloud. The policy is intended to deploy a vulnerability assessment solution on SQL Managed Instances that do not have one. However, the policy is not being evaluated for any resources. What is the most likely reason?

A.The policy type is set to 'Custom' instead of 'BuiltIn'.
B.The role definition ID specified in the deployment details does not have the necessary permissions to deploy the vulnerability assessment.
C.The resource type in the policy condition is incorrect.
D.The policy condition checks for the existence of vulnerability assessment, but it should check for non-existence.
AnswerB

DeployIfNotExists requires a managed identity with appropriate roles; incorrect role ID would cause failure.

Why this answer

Option B is correct because the policy uses the DeployIfNotExists effect, which runs a template deployment through the policy assignment's managed identity; the roleDefinitionIds in the policy's details must grant that identity the permissions the deployment needs on the SQL managed instance, and the assignment must carry a managed identity that actually holds those roles. If the role definition ID is wrong or the identity lacks the role, the remediation deployment fails and resources stay non-compliant. A practical check is to open the assignment, confirm the identity and its role assignments exist at the assignment scope, and then trigger a remediation task.

Option A is wrong because custom policy definitions are assignable exactly like built-in ones. Option C is wrong because Microsoft.Sql/managedInstances is the correct resource type. Option D is wrong because DeployIfNotExists is triggered precisely when the existence condition is not met, so checking for the vulnerability assessment's existence is the intended condition.

31
MCQmedium

A company stores sensitive financial documents in Azure Blob Storage. The security team needs to maintain an immutable log of all changes to the blob content, including the previous versions and the identity of the user who made the changes, for forensic analysis. Which Azure Storage feature should they enable on the storage account to meet this requirement?

A.Azure Blob Storage soft delete.
B.Azure Blob Storage versioning.
C.Blob Storage change feed.
D.Azure Storage analytics logs.
AnswerC

The change feed records every create, update and delete on blobs and blob metadata in an ordered, append-only log. The caller's identity is not in the change feed; it comes from the storage account's Azure Monitor resource logs (which record the authenticated requester), and the prior content comes from blob versioning, so a forensic reconstruction correlates the three on request ID and blob URL.

Why this answer

The Blob Storage change feed provides an immutable, append-only, ordered log of all changes (create, update, delete) to blobs and blob metadata, written as Avro files to a $blobchangefeed container in the same account, which makes it the audit-trail feature the question is asking for. Each record carries the blob URL, operation, ETag and request ID; pair it with blob versioning for the previous content and with the storage resource logs for the requester's identity to get the full picture the forensic requirement describes.

Exam trap

The trap here is that candidates often confuse versioning (which preserves previous versions for recovery) with the change feed (which provides an immutable audit log of changes), leading them to select versioning when the requirement explicitly calls for a forensic log with user identity.

How to eliminate wrong answers

Option A is wrong because soft delete only preserves deleted blobs for a retention period and does not log changes to existing blob content or track user identity. Option B is wrong because versioning maintains previous versions of blobs but does not provide a chronological log of changes with user identity; it is a point-in-time recovery feature, not an audit trail. Option D is wrong because Storage analytics logs (now deprecated in favor of Azure Monitor resource logs) capture storage service operations but are not immutable by default and do not include previous blob content or a guaranteed append-only log.

32
Multi-Selectmedium

A company uses Azure Key Vault to store keys and secrets. They want to ensure that even if an administrator accidentally deletes a key, it can be recovered for up to 90 days. Additionally, they want to prevent anyone from permanently purging the key during that period. Which two features must be enabled?

Select 2 answers
A.Soft-delete and purge protection
B.Soft-delete and resource locks
C.Purge protection and access policies
D.Soft-delete and backup
AnswerA

Correct. Soft-delete enables recovery; purge protection prevents permanent deletion during the retention period.

Why this answer

Soft-delete must be enabled to retain a deleted key for a configurable retention period (default 90 days), allowing recovery. Purge protection must be enabled to prevent permanent deletion (purging) of the key during that retention period, even by administrators. Together, these two features ensure the key can be recovered and cannot be permanently deleted for up to 90 days.

Exam trap

The trap here is that candidates often confuse resource locks (which protect the vault resource) with purge protection (which protects the deleted key within the vault), or assume that backup alone provides the same recovery guarantee as soft-delete with purge protection.

33
MCQhard

You are designing a secure database solution for a financial application using Azure SQL Database. The database contains highly sensitive columns (e.g., credit card numbers). Which combination of features should you implement to protect data at rest, in transit, and in use, while minimizing performance impact?

A.Always Encrypted with secure enclaves, TDE, and enforce TLS 1.2.
B.Dynamic Data Masking, TDE, and enforce TLS 1.2.
C.Always Encrypted (with deterministic encryption for equality searches), TDE, and enforce TLS 1.2.
D.Column-level encryption using Azure Key Vault, TDE, and enforce TLS 1.2.
AnswerC

Always Encrypted protects data in use and at rest on the server; TDE encrypts at rest; TLS enforces in-transit encryption.

Why this answer

Option C is correct because Always Encrypted protects the sensitive columns in use and at rest on the server (plaintext exists only in the client driver), TDE encrypts the whole database at rest, and enforcing TLS 1.2 covers data in transit; choosing deterministic encryption for the columns that need equality lookups keeps those queries server-side. Caveat: deterministic encryption yields the same ciphertext for the same plaintext, so it leaks equality and suits high-entropy values better than low-cardinality columns; use randomized encryption wherever no equality search is needed. Option D is wrong because column-level encryption with keys in Key Vault is an application-side pattern the database engine does not understand, so it does not give at-rest coverage or server-side queries on its own. Option B is wrong because Dynamic Data Masking only obfuscates query results; the plaintext is still stored.

Option A is wrong in the sense the question intends: secure enclaves allow richer operations (range, LIKE, in-place encryption) over encrypted columns, but the enclave path adds overhead and needs an enclave-enabled tier, so it does not minimize performance impact for a workload that only needs equality searches.

34
MCQhard

Your security operations center (SOC) uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user signs in from a country not in the allowed list and then accesses a high-value SharePoint site within 10 minutes. The rule should generate an incident only if both conditions occur. Which KQL operator should you use in the rule query?

A.summarize
B.join
C.union
D.where
AnswerB

Correct: join can combine sign-in and SharePoint access events on user and time.

Why this answer

Option B is correct because 'join' combines two event streams on a common key (the user) and lets the query then apply a time-window condition between the two timestamps, which is exactly the two-condition correlation the rule needs. Option C is wrong because 'union' stacks rows from both tables into one stream without relating them to each other. Option A is wrong because 'summarize' aggregates rows (count, min, max) and cannot pair a sign-in with a later access.

Option D is wrong because 'where' filters rows within a single stream; it is used inside the rule, but it cannot express the relationship between the two events on its own.
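As an added example that is not part of the original question or of Microsoft's content, the following Python reproduces the correlation the rule query performs: an inner join of sign-ins from non-allowed countries to high-value SharePoint access on the user, with a 10-minute window check on the timestamps. The allow list, the site URL and the sample rows are constructed for the example; the equivalent KQL is given as a comment and is illustrative.

```python
from datetime import datetime, timedelta

# Assumptions, not from the question: the allow list, the site list and the sample rows.
ALLOWED_COUNTRIES = {"US", "CA"}
HIGH_VALUE_SITES = {"https://contoso.sharepoint.com/sites/finance"}
WINDOW = timedelta(minutes=10)

# Constructed rows shaped like SigninLogs (Location = country code) and
# OfficeActivity (SharePoint workload) as Sentinel stores them.
SIGNIN_LOGS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "UserPrincipalName": "alice@contoso.com", "Location": "US"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "UserPrincipalName": "bob@contoso.com", "Location": "RU"},
    {"TimeGenerated": "2024-05-01T10:30:00Z", "UserPrincipalName": "carol@contoso.com", "Location": "BR"},
]
OFFICE_ACTIVITY = [
    {"TimeGenerated": "2024-05-01T10:07:00Z", "UserId": "bob@contoso.com",
     "OfficeWorkload": "SharePoint", "Operation": "FileAccessed",
     "Site_Url": "https://contoso.sharepoint.com/sites/finance"},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "UserId": "alice@contoso.com",
     "OfficeWorkload": "SharePoint", "Operation": "FileAccessed",
     "Site_Url": "https://contoso.sharepoint.com/sites/finance"},
    {"TimeGenerated": "2024-05-01T10:50:00Z", "UserId": "carol@contoso.com",   # 20 min later
     "OfficeWorkload": "SharePoint", "Operation": "FileAccessed",
     "Site_Url": "https://contoso.sharepoint.com/sites/finance"},
]

# Equivalent rule query in KQL (illustrative; column names as in the built-in tables):
#   SigninLogs
#   | where Location !in ("US", "CA")
#   | join kind=inner (
#       OfficeActivity
#       | where OfficeWorkload == "SharePoint"
#         and Site_Url in ("https://contoso.sharepoint.com/sites/finance")
#     ) on $left.UserPrincipalName == $right.UserId
#   | where TimeGenerated1 between (TimeGenerated .. (TimeGenerated + 10m))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(signins, activity, allowed=ALLOWED_COUNTRIES, sites=HIGH_VALUE_SITES, window=WINDOW):
    """Inner-join sign-ins from non-allowed countries to high-value site access by user,
    keeping only pairs where the access happened within `window` after the sign-in."""
    by_user = {}
    for row in signins:
        if row["Location"] not in allowed:
            by_user.setdefault(row["UserPrincipalName"].lower(), []).append(row)
    hits = []
    for event in activity:
        if event.get("OfficeWorkload") != "SharePoint" or event["Site_Url"] not in sites:
            continue
        for signin in by_user.get(event["UserId"].lower(), []):
            delta = parse_ts(event["TimeGenerated"]) - parse_ts(signin["TimeGenerated"])
            if timedelta(0) <= delta <= window:
                hits.append({
                    "user": signin["UserPrincipalName"],
                    "country": signin["Location"],
                    "signin_time": signin["TimeGenerated"],
                    "access_time": event["TimeGenerated"],
                    "site": event["Site_Url"],
                    "minutes_between": delta.total_seconds() / 60,
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(SIGNIN_LOGS, OFFICE_ACTIVITY):
        print(hit)
```

In KQL the default join flavor is innerunique, which keeps only one left-side row per key; use kind=inner so that every suspicious sign-in is paired, and put the time-window where clause after the join as shown, because the window is a condition on both sides.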

35
MCQeasy

You are configuring Microsoft Sentinel data connectors. Which data connector should you use to ingest logs from Microsoft Entra ID (Azure AD) audit logs and sign-in logs?

A.Office 365 connector
B.Microsoft Defender XDR connector
C.Azure Activity connector
D.Microsoft Entra ID connector
AnswerD

This connector ingests audit and sign-in logs from Microsoft Entra ID.

Why this answer

Option D is correct because the Microsoft Entra ID connector streams the SigninLogs and AuditLogs tables (plus the non-interactive, service principal and managed identity sign-in logs and the provisioning logs) into the workspace. Option C is wrong because the Azure Activity connector ingests subscription-level control-plane events, not identity logs. Option A is wrong because the Office 365 connector ingests Exchange, SharePoint and Teams activity.

Option B is wrong because the Microsoft Defender XDR connector ingests incidents, alerts and advanced hunting data from the Defender products.

36
Multi-Selecthard

Which THREE are valid data connectors in Microsoft Sentinel? (Choose three.)

Select 3 answers
A.Microsoft Defender for Cloud
B.Azure Firewall Manager
C.Amazon Web Services (AWS)
D.Azure Active Directory (now Microsoft Entra ID)
E.Syslog
AnswersC, D, E

AWS CloudTrail can be connected via the AWS connector.

Why this answer

Amazon Web Services (AWS) is a valid data connector in Microsoft Sentinel because Sentinel supports ingesting logs from AWS CloudTrail via the AWS S3 connector. This allows security events from AWS environments to be collected, normalized, and analyzed alongside Azure-native data, enabling multi-cloud threat detection and investigation.

Exam trap

The trap here is that candidates confuse Azure Firewall Manager, a management service with no Sentinel connector, with the Azure Firewall connector that ingests firewall logs. Note that Microsoft Defender for Cloud alerts also have their own connector (and arrive through the Microsoft Defender XDR connector as well), so the one option in this list with no connector at all is Azure Firewall Manager.

37
MCQmedium

A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?

A.Soft delete only
B.Lifecycle management to archive tier
C.Customer-managed keys
D.Immutable blob storage with a time-based retention policy
AnswerD

Correct for the stated requirement.

Why this answer

Immutable blob storage with a time-based retention policy (WORM – Write Once, Read Many) is the correct choice because it enforces a strict seven-year retention period during which blobs cannot be modified or deleted, even by account administrators. This is achieved through a policy that locks the data at the storage level, ensuring compliance with legal hold requirements for evidence preservation.

Exam trap

The trap here is that candidates often confuse soft delete (which only protects against accidental deletion for a short period) with immutable storage (which enforces a hard, non-negotiable retention lock against both modification and deletion for a specified duration).

How to eliminate wrong answers

Option A is wrong because soft delete only provides protection against accidental deletion for a configurable retention period (default 7 days), but it does not prevent modifications or enforce a fixed seven-year legal hold; data can still be overwritten or deleted permanently after the soft-delete period expires. Option B is wrong because lifecycle management to the archive tier is designed for cost optimization by moving data to cooler storage tiers, not for preventing modification or deletion; data in the archive tier can still be deleted or overwritten by authorized users. Option C is wrong because customer-managed keys (CMK) control encryption at rest using Azure Key Vault, but they do not impose any retention or immutability constraints; data remains fully mutable and deletable regardless of key management.

38
Multi-Selecthard

Which TWO features are available in Microsoft Entra ID Privileged Identity Management (PIM) for managing Azure AD roles? (Choose two.)

Select 2 answers
A.Self-service password reset
B.Just-in-time activation
C.Multi-factor authentication enforcement
D.Automatic role assignment based on group membership
E.Approval workflow for role activation
AnswersB, E

JIT activation allows temporary privileged access.

Why this answer

Just-in-time activation is a core feature of Microsoft Entra ID PIM that allows users to request temporary, time-bound assignments to privileged Azure AD roles, reducing standing access and the associated security risk. This activation can be configured to require approval and multi-factor authentication, ensuring that privileged access is granted only when needed and under controlled conditions.

Exam trap

The trap here is that candidates credit PIM with features that belong to other Entra ID components: self-service password reset is a separate authentication feature, and while PIM role settings can require MFA at activation time, tenant-wide MFA enforcement is done through Conditional Access or security defaults. PIM's own capabilities are eligible (rather than permanent) assignments with just-in-time activation, approval workflows, justification, activation duration limits, alerts and access reviews for privileged roles.

39
MCQhard

Your organization uses Azure Cosmos DB with API for MongoDB. You need to encrypt data at rest using a customer-managed key stored in Azure Key Vault, and you must ensure that the key is automatically rotated every year. What should you do?

A.Enable server-side encryption with Microsoft-managed keys.
B.Configure a customer-managed key in Key Vault and set the key rotation policy to auto-rotate annually.
C.Use a customer-managed key and manually rotate it every year.
D.Enable infrastructure encryption on the Cosmos DB account.
AnswerB

CMK with auto-rotation meets both encryption and rotation requirements.

Why this answer

Option B is correct because Azure Cosmos DB supports customer-managed keys from Azure Key Vault, and Key Vault's rotation policy can create a new key version on a yearly schedule; reference the key by its versionless URI so that Cosmos DB picks up the new version without a manual account update. Option D is wrong because Cosmos DB does not expose infrastructure (double) encryption as an account setting, and it would not address key ownership or rotation in any case. Option C is wrong because manual rotation does not satisfy the automatic-rotation requirement.

Option A is wrong because Microsoft-managed keys give the customer no control over the key or its rotation schedule.

40
MCQmedium

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks and have a single web application. Which Azure DDoS Protection tier should they use?

A.DDoS Protection Basic (default)
B.DDoS Protection Standard
C.Azure Web Application Firewall (WAF) on Application Gateway
D.Azure Front Door with DDoS Protection Standard
AnswerA

DDoS Protection Basic is always on for all Azure resources and provides automatic detection and mitigation of common network-layer DDoS attacks. No configuration is needed, and it is adequate for a single web app.

Why this answer

DDoS Protection Basic is automatically enabled for all Azure resources at no additional cost, providing always-on traffic monitoring and real-time mitigation of common network-layer (Layer 3/4) attacks, such as SYN floods, UDP floods, and reflection attacks. Since the company has a single web application and only needs protection against Layer 3/4 DDoS attacks, the Basic tier is sufficient and requires no configuration or extra cost.

Exam trap

The trap here is that candidates often assume DDoS Protection Standard is always required for any DDoS protection, overlooking that Basic is automatically enabled and sufficient for Layer 3/4 attacks on a single resource, while Standard is an enhanced add-on for complex, multi-resource environments needing advanced features.

How to eliminate wrong answers

Option B is wrong because DDoS Protection Standard (now sold as DDoS Network Protection, enabled per virtual network, or DDoS IP Protection, enabled per public IP) is a paid tier for resources with their own public IPs that need adaptive tuning, attack analytics, cost protection and an SLA-backed mitigation guarantee; an App Service app receives traffic on shared platform addresses, so the platform-level tier (Basic, now called DDoS infrastructure protection) is what actually applies here. Option C is wrong because Azure Web Application Firewall (WAF) on Application Gateway operates at Layer 7 to block HTTP-specific attacks such as SQL injection and cross-site scripting, not Layer 3/4 floods. Option D is wrong because Azure Front Door with DDoS Protection Standard adds global load balancing and WAF, which the question does not ask for, and still depends on the Standard tier, adding cost and complexity for a single application.

41
MCQmedium

You are designing a network security solution for a multi-tier application running in Azure. The front-end VMs must only accept traffic from Azure Front Door. Back-end VMs must only accept traffic from the front-end tier. You plan to use NSGs and ASGs. Which configuration should you use to meet these requirements with minimal administrative overhead?

A.Create NSG rules that allow traffic from the Front Door service tag and from the front-end VM IP addresses.
B.Use service tags for Azure Front Door and for the front-end subnet.
C.Use VNet peering between the front-end and back-end subnets, and configure route tables.
D.Place front-end VMs in an ASG, back-end VMs in another ASG. Configure NSG rules referencing these ASGs.
AnswerD

ASGs simplify management by grouping VMs and referencing them in NSG rules.

Why this answer

Option D is correct because Application Security Groups let NSG rules reference groups of NICs instead of IP addresses: put the front-end VMs in one ASG and the back-end VMs in another, then allow inbound to the front-end ASG only from the AzureFrontDoor.Backend service tag, and inbound to the back-end ASG only from the front-end ASG. New VMs inherit the rules by joining the ASG, so nothing needs updating as the tiers scale. Caveat: the AzureFrontDoor.Backend tag covers traffic from every Front Door profile, not just yours, so the front-end application should also validate the X-Azure-FDID header against your own Front Door ID. Option A is wrong because hard-coded VM IP addresses must be revised on every scale-out or redeploy.

Option B is wrong because a service tag exists for Front Door but there is no service tag for your own front-end subnet; the VirtualNetwork tag is far too broad. Option C is wrong because subnets in the same virtual network do not use peering, and route tables steer traffic but do not filter it.

42
Multi-Selecteasy

Which TWO features are available in Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) capabilities? (Choose two.)

Select 2 answers
A.Attack path analysis
B.Security governance and compliance scoring
C.Just-in-time VM access
D.User and Entity Behavior Analytics (UEBA)
E.Vulnerability assessment for VMs
AnswersA, B

Attack path analysis is a CSPM feature that identifies critical risks and attack paths.

Why this answer

Options A and B are correct. CSPM in Defender for Cloud covers attack path analysis, secure score, regulatory compliance and governance rules. Option E is wrong because vulnerability assessment for VMs is a workload protection (Defender for Servers) capability.

Option C is wrong because JIT VM access is a workload protection feature. Option D is wrong because UEBA belongs to Microsoft Sentinel (and Defender for Identity), not CSPM.

43
Multi-Selecthard

Your company is using Microsoft Sentinel for security operations. You need to create a threat intelligence (TI) feed that allows Sentinel to match indicators from an external source. Which three actions should you take? (Choose three.)

Select 3 answers
A.Create a watchlist containing the indicators.
B.Enable the Fusion rule to correlate TI indicators with other events.
C.Upload threat intelligence indicators using the Threat Intelligence API or portal.
D.Enable the 'Threat Intelligence - TAXII' data connector to receive indicators from external sources.
E.Configure an analytics rule with a TI mapping to generate alerts.
AnswersC, D, E

Indicators are added to Sentinel's TI.

Why this answer

Options C, D and E are correct. Option C is correct because indicators must be ingested into Sentinel's ThreatIntelligenceIndicator table, whether pushed through the upload API or entered in the portal. Option D is correct because the TAXII data connector pulls indicators from an external TAXII 2.x server on a schedule. Option E is correct because ingestion alone produces no detections; the built-in TI map analytics rules (or a custom rule joining ThreatIntelligenceIndicator to the log tables) are what match indicators against events and raise alerts.

Option A is wrong because watchlists hold reference data for enrichment and are not matched as threat intelligence. Option B is wrong because Fusion is the multistage attack correlation engine; it consumes alerts from other rules and is not a TI matching mechanism.

44
MCQ (hard)

You are deploying an Azure Storage account using the ARM template snippet shown. After deployment, you need to allow access from a specific public IP address. What should you do?

A. Create a private endpoint and assign it to the storage account.
B. Add an IP rule to the ipRules array with the public IP address.
C. Configure a service endpoint for the storage account.
D. Update the defaultAction to Allow and set ipRules to deny the IP.
Answer: B

IP rules allow specific public IPs to bypass the deny default.

Why this answer

The template sets the default action to Deny and has no ipRules. To allow a specific IP, you must add an IP rule. Option B is correct.

Service endpoints are for virtual networks, not public IPs (Option C). Private endpoints provide private connectivity, not public IP allow-listing (Option A). Changing the default action to Allow would allow all traffic (Option D).

45
MCQ (easy)

You need to securely store connection strings and secrets for an Azure function app. The solution must automatically rotate the secrets every 90 days and provide audit logs for access. What should you use?

A. Azure SQL Database with Always Encrypted
B. Azure Key Vault with key rotation policy and diagnostic logging
C. Azure Cosmos DB with encryption at rest
D. Azure App Service application settings with slot-sticky settings
Answer: B

Provides secure storage, rotation, and auditing.

Why this answer

Option B is correct: Azure Key Vault with automatic rotation and audit logging. Option D (App Service application settings) stores secrets in plaintext. Option C (Azure Cosmos DB) is not for secrets.

Option A (Azure SQL Database) is not appropriate.

46
MCQ (hard)

You are reviewing the Azure Policy definition shown in the exhibit. This policy is assigned to a subscription. Several VMs are non-compliant. What is the most likely reason for the non-compliance?

A. The VMs are not backed up to Azure Backup.
B. The VMs do not have the Azure Disk Encryption extension installed.
C. The VMs have encryption at host enabled but not Azure Disk Encryption.
D. The VMs are missing critical Windows security patches.
Answer: B

Correct. The policy audits for the presence of the AzureDiskEncryption extension on VMs without encryption settings.

Why this answer

Option B is correct because the policy audits whether Azure Disk Encryption is enabled on VMs without encryption settings. The condition checks whether encryptionSettings does not exist and then expects the AzureDiskEncryption extension. If the extension is missing, the VM is non-compliant.

Option D is wrong because the policy does not check Windows patch status. Option C is wrong because the policy does not check for encryption at host. Option A is wrong because the policy is about disk encryption, not backup.

47
MCQ (easy)

A company has an Azure virtual network with multiple subnets hosting different tiers of an application. The security team requires inspection of all traffic between subnets for malicious patterns and the ability to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they implement?

A. Azure Network Security Group (NSG)
B. Azure Firewall
C. Azure Application Gateway
D. Azure VPN Gateway
Answer: B

Azure Firewall is a stateful firewall with application (FQDN) and network rules, enabling inspection and filtering of traffic between subnets.

Why this answer

Azure Firewall is a managed, cloud-based network security service that provides full Layer 3–7 inspection and can filter traffic based on FQDNs in network and application rules. It can inspect all traffic between subnets in a virtual network (via forced tunneling or routing) and supports threat intelligence-based filtering for malicious patterns, making it the correct choice for this requirement.

Exam trap

The trap here is that candidates often confuse NSGs with Azure Firewall, assuming NSGs can filter based on FQDNs or inspect traffic for malicious patterns, but NSGs lack Layer 7 inspection and FQDN support, which are exclusive to Azure Firewall in this context.

How to eliminate wrong answers

Option A is wrong because Network Security Groups (NSGs) operate at Layers 3 and 4 only, filtering based on source/destination IP, port, and protocol; they cannot inspect traffic for malicious patterns or filter based on FQDNs. Option C is wrong because Azure Application Gateway is a Layer 7 load balancer with a Web Application Firewall (WAF) that inspects HTTP/HTTPS traffic for web application attacks, but it does not provide general inter-subnet traffic inspection or FQDN-based filtering for non-web protocols. Option D is wrong because Azure VPN Gateway is used for encrypted site-to-site or point-to-site connectivity over the public internet; it does not perform traffic inspection or FQDN-based filtering between subnets within a virtual network.

48
MCQ (easy)

You are deploying a web application that stores user-uploaded files in Azure Blob Storage. You need to ensure that only authenticated users can upload files, and that uploaded files are automatically scanned for malware. What should you use?

A. Use Azure Event Grid to trigger a function for malware scanning
B. Enable Azure AD authentication for the storage account and enable Microsoft Defender for Storage
C. Configure Azure Firewall to allow only the web app's IP address
D. Use shared access signatures (SAS) with stored access policies
Answer: B

Provides user authentication and malware scanning.

Why this answer

Option B is correct: Azure AD authentication for the storage account ensures that only authenticated users can access it, and Microsoft Defender for Storage provides malware scanning. Option D (SAS tokens) relies on shared access signatures, which are not user-specific. Option A (Event Grid) is for event handling, not authentication.

Option C (Azure Firewall) is network-level, not application-level.

49
MCQ (medium)

An organization wants to export Defender for Cloud recommendations and alerts into a central Log Analytics workspace for retention and hunting. Which feature should they use?

A. Microsoft Defender External Attack Surface Management
B. Continuous export
C. Microsoft Entra access reviews
D. Azure Monitor autoscale
Answer: B

Correct for the stated requirement.

Why this answer

Continuous export is the correct feature because it allows you to stream Defender for Cloud security alerts and recommendations to a Log Analytics workspace for long-term retention and custom hunting queries. This feature supports both real-time and scheduled export of security data, enabling centralized monitoring and compliance auditing. It directly addresses the requirement to export Defender for Cloud data into a Log Analytics workspace without additional third-party tools.

Exam trap

The trap here is that candidates may confuse 'Continuous export' with 'Azure Monitor autoscale' or 'External Attack Surface Management' because they all involve monitoring or scaling, but only continuous export directly addresses the requirement to export Defender for Cloud data to Log Analytics.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender External Attack Surface Management (EASM) is a service for discovering and mapping an organization's external attack surface, not for exporting Defender for Cloud alerts or recommendations to Log Analytics. Option C is wrong because Microsoft Entra access reviews are used for managing identity governance, such as reviewing group memberships and application access, and have no capability to export security alerts or recommendations. Option D is wrong because Azure Monitor autoscale is a feature that automatically adjusts the number of compute resources based on demand, and it does not handle the export of security data to Log Analytics.

50
MCQ (hard)

An AKS cluster needs to pull container images from a private Azure Container Registry (ACR). The security policy requires that the AKS cluster identity should not have direct access to the ACR; instead, a service principal with the AcrPull role should be used, with credentials stored as a Kubernetes secret. Which authentication method should be configured on the AKS cluster?

A. AKS managed identity
B. ACR admin account
C. Kubernetes pull secret using a service principal
D. Azure AD pod identity
Answer: C

A pull secret with service principal credentials limits access to specific pods and adheres to the policy.

Why this answer

The correct answer is C because the scenario explicitly requires that the AKS cluster identity not have direct access to ACR, and instead mandates using a service principal with AcrPull role whose credentials are stored as a Kubernetes secret. A Kubernetes pull secret of type 'docker-registry' stores the service principal's client ID and client secret, which kubelet uses to authenticate to ACR when pulling images. This method decouples the AKS cluster's managed identity from ACR access, satisfying the security policy.

Exam trap

The trap here is that candidates often confuse 'AKS managed identity' with the requirement for a service principal secret, mistakenly thinking managed identity is always the best practice, but the question explicitly prohibits direct cluster identity access to ACR.

How to eliminate wrong answers

Option A is wrong because AKS managed identity would grant the cluster's own identity direct access to ACR, which violates the policy that the cluster identity should not have direct access. Option B is wrong because the ACR admin account is a shared, static credential with full access to the registry, and it is not a service principal; it also bypasses the requirement to use a service principal with AcrPull role. Option D is wrong because Azure AD pod identity is used to assign Azure AD identities to pods for accessing Azure resources, but it does not store credentials as a Kubernetes secret; it relies on Azure AD authentication and would still involve the cluster identity or pod-level managed identities, not a service principal secret stored in the cluster.

51
MCQ (hard)

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. The security policy requires that when a user activates the Security Administrator role, they must: 1) Provide a justification, 2) Get approval from a designated security group, and 3) The activation must last a maximum of 4 hours. Which combination of PIM settings should they configure?

A. Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver.
B. Enable 'Require justification', 'Require ticket information', and set 'Maximum activation duration' to 8 hours.
C. Enable 'Require approval' and set 'Maximum activation duration' to 4 hours. Do not require justification.
D. Enable 'Require Azure MFA on activation', 'Require justification', and set 'Maximum activation duration' to 4 hours.
Answer: A

This meets all three requirements: justification is required, approval from the security group is required, and the activation duration is limited to 4 hours.

Why this answer

Option A is correct because Azure AD PIM allows you to enforce all three requirements: justification, approval from a specified security group, and a maximum activation duration. By enabling 'Require justification' and 'Require approval' and setting the 'Maximum activation duration' to 4 hours, you meet the security policy exactly. The approval step requires assigning a designated security group as the approver, which is supported in PIM role settings.

Exam trap

The trap here is that candidates often confuse 'Require justification' with 'Require ticket information' or assume that MFA is always required for activation, but the question explicitly lists only three requirements—justification, approval, and 4-hour duration—so any extra or missing settings make the option incorrect.

How to eliminate wrong answers

Option B is wrong because it includes 'Require ticket information' instead of 'Require approval', and sets the maximum activation duration to 8 hours instead of the required 4 hours. Option C is wrong because it omits 'Require justification', which is a mandatory policy requirement. Option D is wrong because it includes 'Require Azure MFA on activation' (not required by the policy) and omits 'Require approval', which is explicitly required.

52
MCQ (medium)

A security team uses Microsoft Sentinel. They want to create a custom analytics rule that generates an incident whenever a user from a list of known malicious IP addresses attempts to sign in to any Azure AD app. They have imported the IP list into Sentinel using Threat Intelligence. Which rule type should they use?

A. Scheduled query rule
B. Near-real-time (NRT) rule
C. Microsoft Security rule
D. Anomaly rule
Answer: A

Scheduled query rules run your KQL query periodically and can generate incidents based on matches. They support matching against threat intelligence tables.

Why this answer

A scheduled query rule is the correct choice because it allows you to run a KQL query at a defined interval (e.g., every 5 minutes) to match sign-in events from IP addresses in a Threat Intelligence indicator. This rule type supports alert grouping and incident creation based on the query results, making it ideal for correlating Azure AD sign-in logs with a known malicious IP list imported via Threat Intelligence.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled queries, assuming 'near-real-time' is always better for threat intelligence matching, but NRT rules lack the ability to join against the ThreatIntelligenceIndicator table, making scheduled queries the only viable option for this use case.

How to eliminate wrong answers

Option B (NRT rule) is wrong because NRT rules run continuously with a near-real-time latency of 1-2 minutes but cannot reference Threat Intelligence indicators directly; they are designed for high-frequency, low-latency detection on streaming data without the ability to join against static or dynamic indicator lists. Option C (Microsoft Security rule) is wrong because it is used to create incidents from alerts generated by Microsoft security products (e.g., Microsoft Defender for Cloud, Microsoft 365 Defender), not from custom KQL queries against imported threat intelligence. Option D (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns in data over time, not to match specific known malicious IP addresses from a predefined list.

53
MCQ (medium)

A security analyst uses Microsoft Sentinel. They have created a playbook that tags Azure VMs as 'isolated' when a high-severity malware alert is triggered. They want this playbook to run automatically whenever a related alert is generated. Which feature should they configure?

A. Automation rule.
B. Scheduled analytics rule.
C. Incident creation rule.
D. Workbook.
Answer: A

Correct. Automation rules can be set to run a playbook automatically when an incident is created or updated, based on alert conditions.

Why this answer

Automation rules in Microsoft Sentinel allow you to define triggers that automatically run playbooks when specific alerts or incidents are created. In this scenario, the playbook tags Azure VMs as 'isolated' upon a high-severity malware alert, and an automation rule can be configured to run that playbook automatically whenever such an alert is generated, without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules, mistakenly thinking that scheduled analytics rules can directly trigger playbooks, but analytics rules only generate alerts and do not natively invoke automated responses.

How to eliminate wrong answers

Option B is wrong because scheduled analytics rules are used to periodically query data and generate alerts based on predefined schedules, not to trigger automated responses like running playbooks. Option C is wrong because incident creation rules are not a native feature in Microsoft Sentinel; incidents are created automatically from alerts, and there is no separate rule type for incident creation that triggers playbooks. Option D is wrong because workbooks are visualization tools for dashboards and reports, not mechanisms for automating response actions like running playbooks.

54
MCQ (hard)

A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?

A. Load the watchlist with _GetWatchlist() and join or filter SigninLogs by the account identifier
B. Export the watchlist to CSV and manually compare it after alerts fire
C. Use the watchlist as a replacement for the SigninLogs table
D. Attach the watchlist to a workbook without changing the detection query
Answer: A

Correct for the stated requirement.

Why this answer

Option A is correct because the `_GetWatchlist()` function in KQL allows you to dynamically load a Sentinel watchlist into a query. By joining or filtering `SigninLogs` against the watchlist's account identifier field, you can create a detection rule that triggers only when a high-value administrator account (defined in the watchlist) performs a sign-in, enabling precise, automated alerting without manual intervention.

Exam trap

The trap here is that candidates confuse a watchlist as a static data source that can replace log tables, rather than understanding it as a reference dataset that must be explicitly joined or filtered within a KQL query to be useful in detection rules.

How to eliminate wrong answers

Option B is wrong because exporting a watchlist to CSV and manually comparing it after alerts fire defeats the purpose of automation and real-time detection; it introduces latency and human error, which is not a valid KQL pattern for a detection rule. Option C is wrong because a watchlist is a reference dataset (a list of values), not a log table like `SigninLogs`; it cannot replace a table that contains event data, and attempting to use it as such would result in a query error or no meaningful results. Option D is wrong because attaching a watchlist to a workbook only visualizes data in a dashboard; it does not integrate the watchlist into the detection query logic, so the detection rule would not use the watchlist to filter or alert on high-value accounts.

55
Multi-Select (medium)

Which TWO actions should you take to ensure that an Azure Storage account is only accessible over HTTPS and that data in transit is encrypted?

Select 2 answers
A. Configure a custom domain with HTTPS enabled.
B. Set 'Secure transfer required' to Enabled.
C. Deploy Azure Firewall in front of the storage account.
D. Set the minimum TLS version to 1.2.
E. Use Azure Private Link to connect to the storage account.
Answers: B, D

This enforces HTTPS for all requests.

Why this answer

Options B and D are correct. Option B: setting 'Secure transfer required' to Enabled ensures that the storage account rejects HTTP requests. Option D: setting 'Minimum TLS version' to 1.2 ensures that only TLS 1.2 or higher is accepted.

Option C is wrong because Azure Firewall is for network filtering, not encryption. Option A is wrong because HTTPS is already enforced by Option B; a custom domain is not an additional requirement. Option E is wrong because a private endpoint provides private connectivity but does not enforce HTTPS.

56
MCQ (medium)

A security team uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources as soon as they are created, without manual intervention. Which feature should they configure?

A. Security policies (assignments)
B. Azure Policy with a 'DeployIfNotExists' effect
C. Just-in-time VM access
D. Adaptive application controls
Answer: B

The 'DeployIfNotExists' effect ensures that non-compliant resources are automatically modified to meet the policy requirement upon creation.

Why this answer

The 'DeployIfNotExists' effect in Azure Policy automatically deploys a resource (e.g., encryption configuration) when a non-compliant resource is created or updated, without manual intervention. This aligns with the requirement to remediate non-compliant storage accounts and SQL databases as soon as they are provisioned, as part of a custom regulatory compliance initiative assigned via Defender for Cloud.

Exam trap

The trap here is that candidates often confuse 'DeployIfNotExists' with 'AuditIfNotExists' or assume that simply assigning a policy (Option A) will automatically fix non-compliant resources, but only 'DeployIfNotExists' provides automatic remediation without manual steps.

How to eliminate wrong answers

Option A is wrong because Security policies (assignments) in Defender for Cloud only define which initiatives and standards are applied to a scope; they do not perform automatic remediation of non-compliant resources. Option C is wrong because Just-in-time VM access is a security control for managing VM inbound traffic and has no role in enforcing encryption on storage accounts or SQL databases. Option D is wrong because Adaptive application controls are used to create allowlists for running applications on Azure VMs, not for deploying encryption configurations to storage or SQL resources.

57
MCQ (medium)

You are using Microsoft Defender for Cloud to protect Azure Kubernetes Service (AKS) clusters. You need to receive alerts about suspicious activities within the cluster, such as privilege escalations. What should you enable?

A. Microsoft Defender for Containers
B. Microsoft Sentinel with AKS data connector
C. Azure Policy for AKS
D. Azure Security Center (classic)
Answer: A

Provides threat detection and alerts for AKS clusters.

Why this answer

Option A is correct because Microsoft Defender for Containers provides threat detection for AKS clusters, including privilege escalation alerts. Option C is wrong because Azure Policy for AKS enforces security configurations but does not generate alerts. Option B is wrong because Microsoft Sentinel is a separate SIEM that can ingest logs but is not the primary alerting mechanism within Defender for Cloud.

Option D is wrong because Azure Security Center is the former name of Defender for Cloud; its container protections are now delivered through Defender for Containers.

58
MCQ (easy)

You need to ensure that security alerts from Microsoft Defender for Cloud are sent to a central SIEM system. What should you configure?

A. Create a playbook that forwards alerts to the SIEM
B. Configure diagnostic settings for the subscription
C. Assign an Azure Policy to export alerts
D. Enable continuous export to Event Hubs
Answer: D

Continuous export streams alerts to Event Hubs for SIEM integration.

Why this answer

Option D is correct because continuous export streams alerts to Event Hubs for integration with SIEMs. Option B is wrong because diagnostic settings are for logs, not alerts. Option A is wrong because playbooks are for response, not export.

Option C is wrong because Azure Policy is for governance.

59
MCQ (medium)

You have an Azure Cosmos DB account with multiple containers. You need to ensure that only specific Azure AD identities can access the data and that all access is logged. What should you use?

A. Use primary keys for authentication and enable audit logging
B. Use Azure AD authentication and RBAC roles, and enable diagnostic logs
C. Configure managed identities for Azure resources and enable diagnostic logs
D. Configure an Azure Cosmos DB firewall and enable diagnostic logs
Answer: B

RBAC allows fine-grained access control, and diagnostic logs capture all requests.

Why this answer

Azure Cosmos DB supports Azure AD authentication for both the control plane and the data plane. For fine-grained access, use RBAC roles. Enable diagnostic logs for auditing.

Option B is correct. Option D is wrong because firewall rules restrict only network access. Option A is wrong because primary keys grant full access.

Option C is wrong because managed identities are for services, not for user access control.

60
MCQ (easy)

You run the PowerShell command shown in the exhibit. After execution, you check the Log Analytics workspace in the Azure portal. The workspace is created successfully. However, when you try to onboard the workspace to Microsoft Sentinel, you receive an error that Sentinel cannot be enabled on this workspace. What is the most likely cause?

A. The SKU is set to PerGB2018, which is not compatible with Sentinel.
B. The resource group location is different from the workspace location.
C. The workspace is in a region that does not support Microsoft Sentinel.
D. The retention period is set to 365 days, which exceeds the maximum for Sentinel.
Answer: C

Correct. Sentinel is not available in all regions.

Why this answer

Option C is correct because, although Sentinel requires the Log Analytics workspace to be on the Pay-as-you-go (PerGB2018) pricing tier, it also requires the workspace to be in a supported region. If the region is not supported, Sentinel cannot be enabled. Option D is wrong because the retention is set to 365 days, which is fine.

Option A is wrong because the PerGB2018 tier is correct. Option B is wrong because the resource group location does not affect Sentinel enablement.

61
Matching (medium)

Match each Azure network security component to its function.

Concepts
Matches

Filters traffic at subnet or NIC level

Groups VMs by application workload for rule application

Protects against distributed denial-of-service attacks

Secure RDP/SSH access to VMs without public IP

Extends VNet identity to Azure services over optimized route

Why these pairings

These components secure network traffic in Azure.

62
MCQ (easy)

A company uses Azure SQL Database and wants to periodically scan the database for vulnerabilities such as misconfigurations, excessive permissions, and missing patches. The scans should generate actionable reports that the security team can use to remediate issues. Which built-in Azure feature should they enable?

A. Azure Defender for SQL
B. SQL Vulnerability Assessment
C. SQL Auditing
D. Azure SQL Insights
Answer: B

Correct. Vulnerability Assessment is the dedicated tool that scans for SQL database vulnerabilities and generates actionable reports.

Why this answer

SQL Vulnerability Assessment is the correct choice because it is a built-in Azure SQL Database feature specifically designed to discover, track, and remediate potential database vulnerabilities such as misconfigurations, excessive permissions, and missing patches. It runs periodic scans and generates actionable reports with remediation steps, directly matching the requirement.

Exam trap

The trap here is that candidates often confuse Azure Defender for SQL (which includes vulnerability assessment as a sub-feature) with the standalone SQL Vulnerability Assessment, but the question explicitly asks for the feature that 'periodically scans for vulnerabilities and generates actionable reports,' which is the core function of SQL Vulnerability Assessment, not the broader threat protection service.

How to eliminate wrong answers

Option A is wrong because Azure Defender for SQL provides advanced threat protection and anomaly detection (e.g., SQL injection alerts), but it does not perform periodic vulnerability scanning or generate actionable reports for misconfigurations and missing patches. Option C is wrong because SQL Auditing tracks database events and changes for compliance and forensic analysis, but it does not scan for vulnerabilities or produce remediation reports. Option D is wrong because Azure SQL Insights is a monitoring and performance diagnostic tool that uses intelligent insights to optimize query performance and resource usage, not a vulnerability scanner.

63
MCQ (easy)

Your organization uses Microsoft Entra ID and needs to implement a policy that blocks all sign-ins from countries that are not approved. What should you configure?

A. Enable multi-factor authentication for all users
B. Create a Conditional Access policy with a location condition set to block
C. Review sign-in logs and manually block IPs
D. Configure an Identity Protection risk policy
Answer: B

Location condition allows blocking by country.

Why this answer

A Conditional Access policy in Microsoft Entra ID allows you to define location conditions based on IP ranges, countries, or regions. By configuring the location condition to include all countries except the approved ones and setting the access control to 'Block access', you can effectively block sign-ins from non-approved countries. This is the native, policy-driven approach to enforce geographic restrictions without manual intervention.

Exam trap

The trap here is that candidates often confuse location-based blocking with risk-based policies or MFA, assuming that adding authentication factors or reviewing logs can achieve geographic restrictions, but only a Conditional Access policy with a location condition provides a direct, automated block based on country.

How to eliminate wrong answers

Option A is wrong because enabling multi-factor authentication (MFA) for all users does not block sign-ins based on location; it only adds an additional verification step, which does not prevent access from unapproved countries. Option C is wrong because manually reviewing sign-in logs and blocking IPs is not scalable, does not cover dynamic IP ranges, and is not a policy-based solution; it also fails to address the requirement for a continuous, automated block. Option D is wrong because an Identity Protection risk policy focuses on detecting and responding to risky user behavior (e.g., leaked credentials, anonymous IP addresses) rather than enforcing static geographic restrictions based on country.

64
MCQ (medium)

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want a user to be able to activate this role for a maximum of 2 hours per activation. Which PIM setting should they configure?

A. Set the 'Activation maximum duration' to 2 hours in the role settings for Security Administrator.
B. Set the 'Expire eligible assignments after' to 2 hours in the role settings.
C. Enable 'Require justification' and 'Require approval' to ensure the role is not misused.
D. Set the 'Activation maximum duration' to 1 hour and the user can activate twice.
Answer: A

This setting directly controls the maximum time a role can be active after activation.

Why this answer

Option A is correct because the 'Activation maximum duration' setting in Azure AD PIM role settings directly controls the maximum time a user can remain active in an eligible role after activation. By setting this to 2 hours, the user will be able to activate the Security Administrator role for up to 2 hours per activation, after which the role assignment expires automatically.

Exam trap

The trap here is confusing 'Activation maximum duration' (the time a role is active after activation) with 'Expire eligible assignments after' (the time a user remains eligible to activate), leading candidates to incorrectly choose Option B.

How to eliminate wrong answers

Option B is wrong because 'Expire eligible assignments after' controls how long a user can remain eligible for the role before their eligibility expires, not the duration of an activation. Option C is wrong because 'Require justification' and 'Require approval' are additional security controls that do not limit the activation duration; they enforce auditing and approval workflows but do not set a time limit. Option D is wrong because setting the 'Activation maximum duration' to 1 hour would limit each activation to 1 hour, and the user activating twice does not achieve a 2-hour continuous activation; the maximum duration per activation is a single session limit, not a cumulative allowance.

65
MCQhard

Refer to the exhibit. A Microsoft Entra ID Conditional Access policy is defined as shown. You observe that the policy is blocking all users from accessing email via Exchange ActiveSync, but users can still access email via Outlook for iOS. What is the most likely reason?

A.The policy is not assigned to any locations
B.The policy does not include all applications
C.The policy does not include all users
D.Outlook for iOS uses a client app type not blocked by the policy
Answer: D

Outlook for iOS uses modern authentication (mobileAppsAndDesktopClients), not the legacy types blocked.

Why this answer

The policy blocks Exchange ActiveSync (EAS) client app type, which is used by native mail clients and older mobile apps. Outlook for iOS uses the Microsoft Authenticator and modern authentication (OAuth 2.0) with the 'Mobile apps and desktop clients' app type, not EAS. Therefore, the policy does not apply to Outlook for iOS, allowing it to access email.

Exam trap

The trap here is that candidates assume 'Exchange ActiveSync' blocks all mobile email access, but Microsoft Entra ID distinguishes between legacy EAS protocol and modern authentication clients, so Outlook for iOS bypasses the EAS-specific block.

How to eliminate wrong answers

Option A is wrong because location assignment is not required for a policy to block access; if no locations are specified, the policy applies to all locations by default. Option B is wrong because the exhibit shows the policy targets 'Office 365 Exchange Online' as the cloud app, which includes email; the issue is not about missing applications but about the client app type filter. Option C is wrong because the policy is blocking all users (as stated in the observation), so user assignment is not the limiting factor; the policy applies to all users, but the client app type condition exempts Outlook for iOS.

66
MCQ · medium

You are designing a backup strategy for Azure VMs running critical workloads. The VMs have Azure Disk Encryption enabled with Azure Key Vault. You need to ensure that backups can be restored securely. What should you configure?

A.Create a separate Key Vault for backup vault and copy the keys there.
B.Disable encryption before backup and re-enable after restore.
C.Configure Azure Backup with the same Key Vault that holds the encryption keys and allow Backup service access to Key Vault.
D.Export the encryption keys to a secure location and import them during restore.
Answer: C

This enables seamless backup and restore of encrypted VMs.

Why this answer

Option C is correct because Azure Backup supports backing up encrypted VMs with the KEK and BEK. During restore, you can specify the same Key Vault to restore the keys. Option A (separate Key Vault) complicates restore. Option B (disable encryption) is not secure. Option D (export keys) is risky.

67
MCQ · medium

An organization is deploying Microsoft Sentinel to centrally collect and analyze security events. They need to ingest logs from multiple on-premises Windows servers located behind a firewall. Which agent should they deploy on those servers?

A.Azure Monitor Agent (AMA)
B.Log Analytics agent (Microsoft Monitoring Agent)
C.Azure Security Center agent
D.Azure Automation Agent
Answer: A

AMA is the modern agent that collects logs and metrics from Windows and Linux machines and is fully supported by Sentinel with Data Collection Rules.

Why this answer

The Azure Monitor Agent (AMA) is the correct choice because it is the current, unified data-collection agent for Microsoft Sentinel and Azure Monitor, designed to collect logs from Windows servers behind firewalls via outbound HTTPS (port 443) to the Log Analytics workspace. It supports data-collection rules (DCRs) for flexible, scalable ingestion and is the recommended replacement for the legacy Log Analytics agent. AMA can be deployed on on-premises Windows servers using Azure Arc for management, ensuring secure log forwarding to Sentinel.

Exam trap

The trap here is that candidates often assume the legacy Log Analytics agent (option B) is still the primary agent for Sentinel, but Microsoft has deprecated it in favor of AMA, and the exam expects knowledge of the current recommended agent.

How to eliminate wrong answers

Option B is wrong because the Log Analytics agent (Microsoft Monitoring Agent) is legacy and deprecated for new deployments in Microsoft Sentinel as of August 2024; it lacks support for advanced data-collection rules and is being phased out. Option C is wrong because the Azure Security Center agent (now part of Defender for Cloud) is specifically for security posture and threat detection, not for general log ingestion into Sentinel; it does not replace the log-collection agent. Option D is wrong because the Azure Automation Agent (Hybrid Runbook Worker) is designed to run automation runbooks on-premises, not to collect and forward security logs to Sentinel; it serves a completely different purpose.

68
MCQ · medium

Your organization uses Azure Storage to host sensitive financial data. You need to ensure that all access to the storage account is encrypted in transit and that access keys are rotated automatically every 90 days. You also need to prevent access from public IP addresses. Which combination of configurations should you implement?

A.Configure a network firewall rule to block all traffic, enable 'Secure transfer required', and rotate keys manually every 90 days
B.Enable 'Allow trusted Microsoft services', configure key rotation policy, and disable 'Allow storage account key access'
C.Enable 'Secure transfer required', configure key rotation policy, and disable 'Allow Blob public access'
D.Enable 'Secure transfer required', configure key rotation policy, and set 'Public network access' to 'Disabled'
Answer: D

This enforces HTTPS, rotates keys, and blocks public access.

Why this answer

Option B is correct because enabling 'Secure transfer required' enforces HTTPS, automatic key rotation can be configured in the storage account settings, and the 'Selected networks' firewall with a deny-all default rule blocks public IPs. Option A is wrong because disabling public network access alone does not enforce HTTPS. Option C is wrong because firewall rules do not enforce HTTPS.

Option D is wrong because disabling anonymous access does not enforce HTTPS.

69
MCQ · medium

Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP resources. You need to ensure that all resources are assessed against a consistent set of security standards. What should you configure first?

A.In Defender for Cloud, add a regulatory compliance standard such as 'Azure CIS 1.4.0' and enable continuous export for all connected clouds.
B.Connect the AWS and GCP accounts to AWS Security Hub and Google Security Command Center respectively, then enable Defender for Cloud's multicloud connector.
C.Create Azure Policy initiatives and assign them to the management groups that contain the multicloud resources.
D.Configure Microsoft Sentinel to ingest security findings from AWS and GCP, then create custom alerts for compliance deviations.
Answer: A

Defender for Cloud supports applying Azure compliance standards to multicloud resources via connectors.

Why this answer

Option A is correct because regulatory compliance standards such as Azure CIS 1.4.0 can be applied across multicloud resources in Defender for Cloud. Option B is wrong because AWS Security Hub is a separate service, not integrated natively. Option C is wrong because Azure Policy is for Azure-only resources. Option D is wrong because Microsoft Sentinel is a SIEM, not a compliance-standards tool.

70
MCQ · hard

An Azure SQL Database contains salary data. Support analysts need to query employee records but must not see full salary values. Which feature is most appropriate when the application cannot be changed immediately?

A.Transparent Data Encryption
B.Dynamic data masking
C.Geo-replication
D.Accelerated database recovery
Answer: B

Correct for the stated requirement.

Why this answer

Dynamic data masking (DDM) is the correct choice because it obfuscates sensitive data in query results without modifying the underlying database or requiring application changes. The support analysts can still query employee records, but the salary column is masked according to a defined masking rule (e.g., showing only the last four digits or replacing with zeros). This meets the requirement of preventing full salary exposure while the application remains unchanged.

Exam trap

The trap here is confusing data-at-rest encryption (TDE) with data-masking at query time—candidates often assume encryption alone prevents unauthorized viewing, but encryption does not affect what authorized users see when they run SELECT queries.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts data at rest on disk and in backups, but it does not control what users see when querying the database—authorized users still see full salary values. Option C is wrong because geo-replication provides disaster recovery by maintaining a readable secondary replica in a different region, but it does not restrict data visibility in query results. Option D is wrong because accelerated database recovery (ADR) improves transaction rollback speed and database availability after failures, but it has no effect on data masking or access control.

71
MCQ · hard

Your company, Contoso Ltd., has a hybrid network with an on-premises data center in Chicago and an Azure subscription with a single virtual network (VNet1) in the East US region. VNet1 has multiple subnets: Web, App, and Data. The Web subnet hosts a load-balanced web application accessible from the internet via a public IP. The App subnet contains application servers that communicate with an on-premises database server in Chicago. The Data subnet contains Azure SQL databases. You have an ExpressRoute circuit connecting Chicago to East US with private peering. Recently, the security team discovered that some traffic from the App subnet to the on-premises database is bypassing the ExpressRoute and traversing the internet, causing latency and security concerns. You must ensure all traffic between VNet1 and the on-premises network uses the ExpressRoute connection. Additionally, you need to restrict inbound internet traffic to only the Web subnet, and all outbound internet traffic from the App and Data subnets must be inspected by an Azure Firewall deployed in a new subnet called AzureFirewallSubnet in VNet1. You have the following requirements:

1. All traffic to/from on-premises must use ExpressRoute.
2. Only the Web subnet should be directly accessible from the internet.
3. Outbound internet traffic from App and Data subnets must be routed through Azure Firewall.
4. Minimize management overhead.

Which of the following is the most appropriate course of action?

A.Create a new Azure Firewall policy that blocks all outbound traffic except through ExpressRoute.
B.Add a user-defined route (UDR) to the App and Data subnets with destination 0.0.0.0/0 and next hop set to the Azure Firewall private IP. Ensure the route to on-premises via ExpressRoute is present (system route or UDR).
C.Remove the default 0.0.0.0/0 route from all subnets and add a route for on-premises via ExpressRoute.
D.Deploy a VPN Gateway and configure forced tunneling to send all traffic to on-premises for inspection.
Answer: B

UDR on App and Data subnets forces internet traffic through Azure Firewall; on-premises traffic uses ExpressRoute via system routes.

Why this answer

Option B is correct because system routes already include a 0.0.0.0/0 route to the internet and a route to the on-premises network via ExpressRoute. To force all outbound internet traffic through Azure Firewall, you need a UDR on the App and Data subnets with the next hop set to the firewall. For on-premises traffic, the system route via ExpressRoute should be sufficient, but if traffic is bypassing it, you may need to propagate more specific routes.

Option A is wrong because Azure Firewall alone does not enforce ExpressRoute usage. Option C is wrong because removing the 0.0.0.0/0 system route is not allowed. Option D is wrong because a VPN Gateway adds complexity and cost.

72
MCQ · hard

Refer to the exhibit. You are reviewing a scheduled analytics rule in Microsoft Sentinel that uses the KQL query shown. The rule is configured to run every hour. A security analyst reports that the rule is generating too many incidents. What is the most likely cause?

A.The rule is configured to run too frequently.
B.The query does not filter out known safe IP addresses sufficiently.
C.The query uses 'ago(1h)' which includes data from the previous hour, causing duplicate incidents.
D.The query has a syntax error that causes all sign-ins to match.
Answer: B

Only two IPs are excluded, so many legitimate disabled account sign-ins cause incidents.

Why this answer

Option B is correct because the query filters sign-in attempts from disabled accounts (ResultType 50057) in the last hour but excludes only two specific IP addresses. This means all other IP addresses (including legitimate ones) will trigger incidents, leading to many false positives. Option A is wrong because the query runs every hour, which is not too frequent. Option C is wrong because the query already filters by time. Option D is wrong because the query is valid.

73
MCQ · medium

Your organization has an Azure virtual network with a subnet hosting a SQL Managed Instance. You need to ensure that only traffic from Azure services (like Azure Data Factory) can reach the SQL Managed Instance, but you must not allow any public internet traffic. What is the most secure configuration?

A.Enable a service endpoint for Microsoft.Sql on the subnet.
B.Create a private endpoint for the SQL Managed Instance.
C.Configure a network security group (NSG) with a deny-all inbound rule and an allow rule for the Azure Data Factory IP range.
D.Deploy Azure Firewall and create a rule to allow traffic from Azure Data Factory.
Answer: A

Service endpoints restrict traffic to Azure services only, blocking public internet.

Why this answer

Option A is correct because a service endpoint for Microsoft.Sql on the subnet allows only Azure service traffic to the SQL Managed Instance while blocking public internet traffic. Option B is wrong because a private endpoint is used for PaaS resources, not for SQL Managed Instance, which is IaaS-based. Option C is wrong because NSG rules are limited and can be bypassed. Option D is wrong because Azure Firewall would introduce complexity and potentially allow other traffic.

74
MCQ · hard

Your company is migrating a legacy on-premises application to Azure VMs. The application writes log files to a local folder. You need to collect these logs centrally for security analysis using Microsoft Sentinel. The application runs on Windows Server 2022 and is expected to generate about 50 GB of logs per day. The security team requires that logs be encrypted at rest and in transit, and that log collection has minimal latency. You set up Azure Monitor Agent (AMA) on the VM and configure a Data Collection Rule (DCR) to stream custom logs to a Log Analytics workspace. However, after 24 hours, no custom logs appear in the workspace. The AMA is reporting as healthy. You need to troubleshoot and resolve the issue. What is the most likely cause?

A.The DCR does not include the correct table name for the custom log, or the table does not exist in the Log Analytics workspace.
B.The custom log file path specified in the DCR is a local path, but AMA requires a network share for custom log collection.
C.The log file format is not JSON, but AMA only supports custom logs in JSON format.
D.The VM does not have local administrator privileges required for the AMA to read the log files.
Answer: A

The DCR must reference an existing custom log table; a mismatch prevents ingestion.

Why this answer

Option A is correct: the DCR must reference the custom log table created in the Log Analytics workspace; if the table name does not match, logs will not be ingested. Option B is wrong because AMA can collect custom logs from a local file path; the path does not need to be a network share. Option C is wrong because the log file format is not limited to JSON; AMA can collect plain-text logs with a defined pattern. Option D is wrong because the agent does not require local administrator privileges for custom log collection.

75
MCQ · easy

A company wants to require that users perform multi-factor authentication (MFA) when accessing a critical enterprise application, but only when they are outside the corporate network. They have Azure Active Directory Premium P1 licenses. Which feature should they use to enforce this requirement?

A.Azure AD Identity Protection
B.Conditional Access policy
C.Azure AD Privileged Identity Management (PIM)
D.Azure AD Application Proxy
Answer: B

A Conditional Access policy can be scoped to the application and configured with a location condition to require MFA only when the user's IP address is outside the corporate network.

Why this answer

Conditional Access policies in Azure AD Premium P1 allow you to enforce MFA based on conditions such as network location. By configuring a policy that targets the critical enterprise application and includes a condition for 'Locations' set to 'All trusted locations' (or 'Not trusted locations'), you can require MFA only when users access the app from outside the corporate network. This directly meets the requirement without needing additional licensing or services.

Exam trap

The trap here is that candidates often confuse Azure AD Identity Protection (which requires P2 licenses) with Conditional Access (available in P1), assuming risk-based policies are needed for location-based MFA, when in fact Conditional Access alone with location conditions is sufficient.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection is a P2 feature that uses risk signals (e.g., leaked credentials, anonymous IP addresses) to trigger policies like MFA or password reset, but it cannot enforce MFA based solely on network location without a Conditional Access policy. Option C is wrong because Azure AD Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not location-based MFA enforcement for end-user application access. Option D is wrong because Azure AD Application Proxy provides secure remote access to on-premises web applications but does not enforce MFA based on network location; it relies on pre-authentication with Azure AD, which can be combined with Conditional Access, but the proxy itself is not the feature that enforces the MFA requirement.
