Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 676750

1000 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676 · MCQ · easy

A company needs to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) for their Azure workloads. They use Microsoft Defender for Cloud for security management. Which feature should they use to view their current compliance status against PCI DSS controls and track progress over time?

A. Security policy
B. Recommendations
C. Regulatory compliance dashboard
D. Security incidents
Answer: C

Correct. The Regulatory compliance dashboard provides a detailed view of compliance with regulations like PCI DSS, showing which controls pass and fail, and offers ongoing assessments.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built view of compliance posture against standards like PCI DSS. It maps Azure resource configurations to specific PCI DSS controls, shows pass/fail status per control, and tracks compliance score over time, enabling continuous monitoring and evidence collection for auditors.

Exam trap

The trap here is that candidates may confuse the Recommendations blade (which shows individual security findings) with the Regulatory compliance dashboard (which aggregates those findings into a compliance framework view), leading them to select Recommendations instead of the correct dashboard.

How to eliminate wrong answers

Option A is wrong because Security policy defines rules and initiatives for resource compliance but does not provide a dashboard to view current compliance status or track progress against PCI DSS controls. Option B is wrong because Recommendations are individual security findings that suggest actions to improve security posture, but they do not aggregate or map to PCI DSS controls in a compliance dashboard format. Option D is wrong because Security incidents are alerts about detected threats or attacks, not a compliance tracking tool for standards like PCI DSS.

677 · MCQ · hard

A company plans to use Azure Private Endpoint to securely connect to an Azure SQL Database from an on-premises network via ExpressRoute. The private endpoint is deployed in a hub virtual network. The on-premises network is connected to the hub via ExpressRoute. What additional configuration is needed to ensure on-premises clients can resolve the private endpoint's DNS name?

A. Configure a DNS forwarder on-premises to forward the private link domain to Azure DNS.
B. Configure a network security group to allow inbound traffic from on-premises to the private endpoint.
C. Deploy a VPN gateway in the hub VNet for additional encryption.
D. Add a public DNS record for the SQL Database pointing to the private endpoint IP.
Answer: A

On-premises DNS must be able to resolve the private endpoint's FQDN to its private IP. Forwarding the privatelink domain to Azure DNS (or a custom resolver) achieves this.

Why this answer

Private endpoints require DNS configuration to resolve the private IP address. Azure Private DNS zones can be linked to the hub VNet, and on-premises DNS servers must forward queries for the private endpoint's domain (e.g., privatelink.database.windows.net) to Azure or use a custom DNS server that resolves the private IP.

678 · MCQ · hard

A security analyst receives a Defender for Cloud alert indicating 'Malicious SQL injection attempt' on an Azure SQL Database. The analyst wants to immediately block the attacker's IP address at the network level using a just-in-time (JIT) VM access policy, but the SQL Database is not behind a VM. What should the analyst do to block the IP?

A. Create a firewall rule in Azure SQL Database's server-level firewall to deny the IP
B. Add a network rule in Azure Firewall to deny the IP
C. Create a JIT VM access policy for the SQL Database server
D. Change the SQL Database's connection policy to 'Redirect'
Answer: A

Server-level firewall rules can block specific IP addresses from accessing Azure SQL Database.

Why this answer

Option A is correct because creating a firewall rule in Azure SQL Database's server-level firewall effectively blocks the IP. Option C is wrong because JIT VM access applies only to VMs. Option B is wrong because Azure Firewall is for virtual networks, not direct SQL access.

Option D is wrong because changing the SQL Database's connection policy does not block specific IPs.

679 · MCQ · hard

Your organization uses Microsoft Sentinel to monitor for ransomware attacks. You need to create a custom analytics rule that detects when a large number of files are encrypted within a short time window. Which KQL query should you use as the rule logic?

A. AzureActivity | where OperationName contains 'encrypt' | summarize count() by Resource
B. SecurityEvent | where EventID == 4688 | summarize count() by Computer, bin(TimeGenerated, 5m)
C. CommonSecurityLog | where DeviceEventClassID == 'ransomware' | summarize count() by DeviceName
D. FileCreationEvents | where FileName endswith '.encrypted' | summarize count() by Computer, UserName, bin(TimeGenerated, 5m)
Answer: D

FileCreationEvents logs file creations; files written by ransomware often carry an .encrypted extension.

Why this answer

Option D is correct because FileCreationEvents can capture file encryption events, and the query groups by host, user and 5-minute bin to detect a spike. Option A is wrong because AzureActivity doesn't capture file-level operations. Option B is wrong because SecurityEvent doesn't include file creation details.

Option C is wrong because CommonSecurityLog is for firewall logs.
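The option D query only computes a count per host, user and 5-minute bin; the spike threshold is applied in the analytics rule's alert settings. The Python below is an added example, not part of the question bank: it re-implements that grouping over a constructed sample of FileCreationEvents-style rows so the effect of the bin and of the threshold can be seen offline. The column order, the threshold of 10 and the sample rows are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the shape of the FileCreationEvents columns the
# option D query refers to: (TimeGenerated, Computer, UserName, FileName).
# Not real telemetry; built so that one host/user crosses the threshold.
SAMPLE_EVENTS = [
    # WS-042 / alice: 20 files written with .encrypted inside one 5-minute bin
    *[("2024-05-01T10:01:%02dZ" % s, "WS-042", "CONTOSO\\alice",
       "doc%d.docx.encrypted" % s) for s in range(0, 40, 2)],
    # WS-007 / bob: ordinary activity plus a single .encrypted file (below threshold)
    ("2024-05-01T10:02:00Z", "WS-007", "CONTOSO\\bob", "report.xlsx"),
    ("2024-05-01T10:03:30Z", "WS-007", "CONTOSO\\bob", "notes.txt"),
    ("2024-05-01T10:09:00Z", "WS-007", "CONTOSO\\bob", "archive.zip.encrypted"),
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def bin_start(ts: datetime, minutes: int) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, Nm): floor to the start of the bucket."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def detect_encryption_spikes(events, threshold=10, bin_minutes=5, suffix=".encrypted"):
    """Return {(Computer, UserName, bin_iso): count} for every bucket whose
    number of suffix-matching file creations exceeds the threshold.

    Mirrors:  FileCreationEvents
              | where FileName endswith '.encrypted'
              | summarize count() by Computer, UserName, bin(TimeGenerated, 5m)
    with the rule's alert threshold (assumed to be 10) applied afterwards.
    """
    counts = defaultdict(int)
    for ts_str, computer, user, filename in events:
        if not filename.lower().endswith(suffix):   # KQL endswith is case-insensitive
            continue
        bucket = bin_start(datetime.strptime(ts_str, TIME_FMT), bin_minutes)
        counts[(computer, user, bucket.strftime(TIME_FMT))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for (computer, user, bucket), n in detect_encryption_spikes(SAMPLE_EVENTS).items():
        print(f"{bucket} {computer} {user}: {n} encrypted files in one 5-minute bin")
```

The literal suffix is a weak signal on its own: many ransomware families use random or family-specific extensions, so a production rule would usually key on the volume of renames or modifications per process in the window rather than on one extension.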

680 · MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that automatically detects and remediates identity risks such as leaked credentials and impossible travel. The solution must use built-in Microsoft Entra capabilities without additional licensing beyond Microsoft Entra ID P2. What should you configure?

A. Enable Privileged Identity Management (PIM) for role activation.
B. Create Conditional Access policies requiring MFA for all users.
C. Set up Access Reviews for guest users.
D. Configure Identity Protection policies for sign-in risk and user risk.
Answer: D

Identity Protection detects risks like leaked credentials and impossible travel, and can auto-remediate.

Why this answer

Option D is correct because Identity Protection is a Microsoft Entra ID P2 feature that detects and remediates identity risks automatically. Option B is wrong because Conditional Access policies enforce access decisions but do not detect risks. Option A is wrong because Privileged Identity Management manages privileged roles, not risk detection.

Option C is wrong because Access Reviews are for attesting access, not risk detection.

681 · MCQ · medium

A company uses Azure AD Identity Protection. They have detected a user with a 'High' user risk level due to suspicious activity. The security team wants to automatically block sign-ins for this user only when the sign-in comes from a location that is not in the company's list of trusted IPs. They have created a Conditional Access policy. Which configuration should they use?

A. Assign the user to the policy, set condition 'User risk level: High' and condition 'Locations: All locations except trusted', and set 'Grant' to 'Block access'
B. Assign the user to the policy, set condition 'Sign-in risk level: High' and condition 'Locations: All trusted locations', and set 'Grant' to 'Block access'
C. Assign the user to the policy, set condition 'User risk level: High' and set 'Grant' to 'Require multi-factor authentication'
D. Create a risk detection policy in Identity Protection that triggers a user risk policy, and have Conditional Access use the risk policy
Answer: A

This configuration ensures that the block applies only when both conditions are met: high user risk and an untrusted location.

Why this answer

Option A is correct because it combines the 'User risk level: High' condition (triggered by Identity Protection's user risk detection) with the 'Locations: All locations except trusted' condition, and sets 'Grant' to 'Block access'. This ensures that only sign-ins from untrusted locations are blocked when the user's risk is high, meeting the requirement to allow sign-ins from trusted IPs even for high-risk users.

Exam trap

The trap here is confusing 'User risk level' (associated with the user account's overall risk) with 'Sign-in risk level' (associated with a specific authentication attempt), leading candidates to incorrectly choose Option B which uses sign-in risk and targets trusted locations.

How to eliminate wrong answers

Option B is wrong because it uses 'Sign-in risk level: High' instead of 'User risk level: High', and it targets 'All trusted locations' which would block sign-ins from trusted IPs, the opposite of the requirement. Option C is wrong because it sets 'Grant' to 'Require multi-factor authentication' instead of 'Block access', which does not block sign-ins but only prompts for MFA, failing the requirement to block sign-ins from untrusted locations. Option D is wrong because it describes creating a separate risk detection policy in Identity Protection; Conditional Access policies directly use user risk and sign-in risk conditions without needing an additional risk policy, and this approach adds unnecessary complexity without achieving the specific location-based block.

682 · MCQ · hard

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

A. Configure a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' cloud app, requiring compliant device.
B. In PIM settings for the Global Administrator role, enable 'Require Multi-Factor Authentication on activation'.
C. In PIM settings for the Global Administrator role, enable 'Require Azure AD Conditional Access authentication context' and create a Conditional Access policy that requires compliant device when that authentication context is used.
D. Use Azure AD Identity Protection's user risk policy to require device compliance when a high-risk user activates the role.
Answer: C

Correct. This is the recommended method for integrating PIM with Conditional Access. The authentication context is signaled during activation, and a separate CA policy enforces the device compliance requirement.

Why this answer

Option C is correct because Azure AD PIM can integrate with Conditional Access via authentication context. By enabling 'Require Azure AD Conditional Access authentication context' in the PIM role settings and then creating a Conditional Access policy that targets that authentication context with the 'Require compliant device' grant control, you enforce device compliance specifically during role activation. This approach ensures the device compliance check is applied only when the user activates the Global Administrator role, not during regular access.

Exam trap

The trap here is that candidates often confuse applying a Conditional Access policy to the 'Azure AD Privileged Identity Management' cloud app (which controls access to the PIM portal) with enforcing conditions during the actual role activation process, which requires authentication context integration.

How to eliminate wrong answers

Option A is wrong because targeting the 'Azure AD Privileged Identity Management' cloud app in a Conditional Access policy applies the policy to the PIM service itself (e.g., accessing the PIM portal), not to the role activation process; it would not enforce device compliance during activation. Option B is wrong because enabling 'Require Multi-Factor Authentication on activation' only adds an MFA requirement, not a device compliance check; it does not address the device compliance requirement. Option D is wrong because Azure AD Identity Protection's user risk policy evaluates user risk and can require MFA or password change, but it cannot directly enforce device compliance; it is designed for risk-based remediation, not for role activation-specific device compliance.

683 · MCQ · easy

You need to enable Microsoft Defender for Cloud's workload protection for Azure Kubernetes Service (AKS) clusters. Which Defender plan should you enable?

A. Enable the foundational Cloud Security Posture Management (CSPM) plan.
B. Enable Defender for SQL.
C. Enable Defender for Containers.
D. Enable Defender for Servers.
Answer: C

Defender for Containers provides threat protection for AKS clusters.

Why this answer

Option C is correct because the 'Defender for Containers' plan provides threat protection for AKS, including runtime threat detection. Option A is wrong because Defender for Cloud's foundational CSPM is free and does not provide advanced workload protection. Option D is wrong because Defender for Servers applies to VMs, not AKS.

Option B is wrong because Defender for SQL applies to databases.

684 · Multi-Select · easy

Which TWO security controls are automatically provided by enabling Microsoft Defender for Cloud's foundational CSPM (Cloud Security Posture Management) capabilities? (Choose two.)

Select 2 answers
A. Azure Firewall Manager integration.
B. Just-in-time (JIT) VM access.
C. Continuous assessment of Azure resources against the Microsoft cloud security benchmark.
D. Security recommendations for Azure resources.
E. Vulnerability assessment for VMs.
Answers: C, D

Foundational CSPM includes continuous assessment.

Why this answer

Foundational CSPM provides continuous assessment and compliance against benchmarks like the Azure Security Benchmark (Option C), and security recommendations for resources (Option D). Option B is wrong because JIT is part of enhanced security, not foundational. Option A is wrong because Firewall Manager is a separate service.

Option E is wrong because vulnerability assessment requires enabling Defender plans.

685 · MCQ · medium

A company has a hub-spoke network topology in Azure. The spoke virtual networks contain Azure virtual machines that need to access the internet. The security team requires that all outbound internet traffic from the spoke VMs passes through the Azure Firewall deployed in the hub virtual network for inspection and logging. Which configuration should be implemented to ensure this traffic is routed through the firewall?

A. Configure an Azure Load Balancer in the hub to distribute traffic from spokes to the firewall.
B. Create a user-defined route (UDR) in the spoke subnet with 0.0.0.0/0 pointing to the private IP of the Azure Firewall.
C. Use Azure Firewall Manager to automatically enforce a global default route on all spokes. This is the only configuration needed.
D. Enable IP forwarding on the NICs of the spoke VMs so they forward traffic to the firewall.
Answer: B

The UDR with default route pointing to the firewall's private IP ensures that all outbound internet traffic from the spoke VMs is forwarded to the firewall for inspection and logging.

Why this answer

Option B is correct because a user-defined route (UDR) with the 0.0.0.0/0 prefix and the next hop set to the private IP address of the Azure Firewall forces all outbound internet traffic from the spoke subnet to be routed through the firewall in the hub. This ensures the traffic passes through the firewall for inspection and logging, as required by the security team.

Exam trap

The trap here is that candidates often confuse Azure Firewall Manager's ability to propagate routes in a virtual WAN with the need for explicit UDRs in a traditional hub-spoke topology using a hub virtual network, leading them to incorrectly select option C as a one-click solution.

How to eliminate wrong answers

Option A is wrong because an Azure Load Balancer distributes inbound traffic and does not route outbound traffic; it cannot force spoke VMs to send internet-bound traffic through the firewall. Option C is wrong because Azure Firewall Manager can enforce a default route via a virtual WAN secured hub, but in a hub-spoke topology using a hub virtual network (not a virtual WAN), a UDR must be explicitly configured on the spoke subnets; Firewall Manager alone does not automatically apply the route to all spokes in this topology. Option D is wrong because IP forwarding on the NICs of the spoke VMs is used to allow a VM to act as a router for traffic passing through it, not to direct outbound traffic from the same VM to a firewall; the spoke VMs are the source of the traffic, not intermediate routers.

686 · MCQ · easy

Your company has a hybrid environment with on-premises servers and Azure VMs. You want to use Microsoft Defender for Cloud to assess the security posture of both environments. What do you need to install on the on-premises servers to enable Defender for Cloud monitoring?

A. Azure Arc agent
B. Microsoft Monitoring Agent (MMA)
C. Azure Security Center agent
D. Log Analytics agent
Answer: A

Correct: Azure Arc connects on-premises servers to Azure for management and security monitoring.

Why this answer

Option A is correct because Azure Arc enables non-Azure machines to be managed by Azure and monitored by Defender for Cloud. Option B is wrong because the MMA is legacy and is being replaced by the Azure Monitor Agent. Option D is wrong because the Log Analytics agent is similar to the MMA.

Option C is wrong because the Azure Security Center agent is not a standalone agent.

687 · Multi-Select · medium

You need to protect Azure SQL Database from SQL injection attacks. Which TWO measures should you implement?

Select 2 answers
A. Enable Transparent Data Encryption (TDE)
B. Implement Azure Web Application Firewall (WAF)
C. Configure Azure SQL Database firewall rules
D. Use parameterized queries in application code
E. Enable Always Encrypted for sensitive columns
Answers: B, D

WAF can detect and block SQL injection patterns.

Why this answer

Options B and D are correct. Using parameterized queries (D) prevents SQL injection by separating data from code. A Web Application Firewall (B) can filter malicious input before it reaches the database.

Option A is wrong because TDE encrypts data at rest and does not prevent injection. Option C is wrong because firewall rules control network access, not injection. Option E is wrong because Always Encrypted encrypts columns but does not prevent injection.
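The reason option D works is that a parameterized query keeps the statement text fixed and sends the user's value out of band, so a quote character in the input is compared as data rather than parsed as SQL. The Python below is an added example, not code from the question bank: it places the vulnerable concatenated lookup beside its parameterized form against an in-memory SQLite table with constructed rows. SQLite stands in for Azure SQL here (an assumption; the same contrast holds with pyodbc, which also uses '?' as the parameter marker), and the table and rows are invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Azure SQL table: three demo accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 120.0), ("bob", 75.5), ("carol", 9000.0)],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so a quote in
    the input changes the structure of the statement the engine parses."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized form: the statement is constant and the value is bound
    separately, so it is only ever compared as data, whatever it contains."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"   # the textbook tautology used in training material
    print("unsafe / benign :", lookup_unsafe(db, benign))
    print("unsafe / hostile:", lookup_unsafe(db, hostile))  # every row comes back
    print("safe   / hostile:", lookup_safe(db, hostile))    # no such user: []
```

The WAF in option B sits in front of this code and filters request bodies that match injection signatures; it is a second layer, not a substitute, because signature lists can be evaded while a bound parameter cannot become SQL.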

688 · MCQ · easy

You need to ensure that external users who are invited to your Microsoft Entra ID tenant via B2B collaboration can only access a specific SaaS application. What should you configure?

A. Configure SharePoint Online external sharing settings.
B. Create a Conditional Access policy targeting 'All cloud apps' and include guest users.
C. Create a Conditional Access policy targeting the SaaS application and apply it to 'Guest or external users'.
D. Use Microsoft Entra application proxy.
Answer: C

Restricts access to the specific app for external users.

Why this answer

Option C is correct because a Conditional Access policy can be scoped to a specific SaaS application and applied to 'Guest or external users'. This ensures that only invited B2B collaboration users are subject to the access control for that application, while all other users and apps remain unaffected. The policy enforces authentication and authorization rules exclusively for the targeted SaaS app and guest identity type.

Exam trap

The trap here is that candidates often confuse broad Conditional Access policies (targeting 'All cloud apps') with application-specific policies, mistakenly thinking that including guest users in a blanket policy achieves the same restriction, when in fact it would block or require MFA for guest users across all apps, not just the target SaaS application.

How to eliminate wrong answers

Option A is wrong because SharePoint Online external sharing settings control sharing of documents and sites, not access to a specific SaaS application; they operate at the SharePoint level, not at the Entra ID application layer. Option B is wrong because targeting 'All cloud apps' would apply the policy to every application in the tenant, including Microsoft services and other SaaS apps, which is overly broad and does not restrict access to only the specific SaaS application. Option D is wrong because Microsoft Entra application proxy is used to publish on-premises web applications externally, not to control access for B2B guest users to a SaaS application; it does not provide granular access restriction per application for external identities.

689 · MCQ · hard

A Defender for Cloud recommendation is valid for most subscriptions but not for a legacy subscription with an approved exception. The team wants secure score to reflect the exception without disabling the recommendation everywhere. What should they do?

A. Delete the built-in initiative from the management group
B. Change the recommendation severity to Low
C. Create an exemption for the affected scope with a justification
D. Disable Defender for Cloud on the legacy subscription
Answer: C

Correct for the stated requirement.

Why this answer

Option C is correct because Azure Policy exemptions allow you to exclude a specific scope (e.g., a subscription or resource group) from a policy or initiative effect while still having the policy enforced elsewhere. By creating an exemption for the legacy subscription with a justification, the Defender for Cloud recommendation remains active for all other subscriptions, and the secure score calculation will correctly reflect the exception without disabling the recommendation globally.

Exam trap

The trap here is that candidates often confuse 'exemption' with 'disabling' or 'removing' the policy, leading them to choose options that either globally disable the recommendation (A or D) or incorrectly assume severity changes can create exceptions (B), when in fact Azure Policy exemptions are the precise mechanism to exclude a specific scope while preserving the policy for all others.

How to eliminate wrong answers

Option A is wrong because deleting the built-in initiative from the management group would remove the policy from all subscriptions under that management group, not just the legacy subscription, and would prevent the secure score from reflecting the recommendation at all. Option B is wrong because changing the recommendation severity to Low does not create an exception; it only adjusts the weight of the recommendation in the secure score, but the recommendation would still apply to the legacy subscription and could generate alerts or compliance failures. Option D is wrong because disabling Defender for Cloud on the legacy subscription would turn off all security monitoring and recommendations for that subscription, which is an overly broad action that goes beyond creating a single exception and could leave the subscription unprotected.

690 · MCQ · easy

A developer needs to securely connect to an Azure Storage account from a private virtual network without exposing the storage account to the public internet. Which Azure service should be used?

A. Azure VPN Gateway
B. Azure Private Link
C. Azure Firewall
D. Azure Service Endpoints
Answer: B

Private Link creates a private endpoint in the VNet, making the storage account accessible over a private IP address.

Why this answer

Azure Private Link enables private connectivity from a virtual network to Azure PaaS services, including Storage, without using public endpoints, so Option B is correct. Option D (Service Endpoints) provides connectivity over the Microsoft backbone but still uses a public endpoint.

Option C (Azure Firewall) is a network security service, not a private connectivity service. Option A (VPN Gateway) is for on-premises connectivity.

691 · Multi-Select · hard

A storage account contains regulated records. Which two features help protect against accidental or malicious deletion?

Select 2 answers
A. Blob soft delete and versioning
B. Disabling all encryption
C. Public container access
D. Immutable storage retention policies
Answers: A, D

Correct for the stated requirement.

Why this answer

Blob soft delete protects against accidental deletion by retaining deleted blobs for a specified retention period, allowing recovery. Versioning preserves previous versions of blobs, enabling restoration to an earlier state if malicious overwrites or deletions occur. Together, they provide a layered defense against both accidental and intentional data loss.

Exam trap

The trap here is that candidates may confuse immutable storage retention policies (which prevent modification/deletion but are designed for compliance, not recovery from accidental deletion) with soft delete and versioning, which specifically address recovery after deletion.

692 · MCQ · hard

A Sentinel analytics rule creates a new incident every time the same brute-force activity is detected for the same account within an hour. The SOC wants one incident that continues to group related alerts. What should be changed?

A. Disable entity mapping for the account entity
B. Configure incident grouping in the scheduled analytics rule
C. Change the rule query to use project-away on TimeGenerated
D. Run the rule as a near-real-time rule
Answer: B

Correct for the stated requirement.

Why this answer

Option B is correct because incident grouping in a scheduled analytics rule allows multiple alerts triggered by the same entity (e.g., the same account) within a specified time window to be combined into a single incident. By configuring the 'Group related alerts into a single incident' setting and setting the grouping window to one hour, the SOC ensures that all brute-force alerts for the same account are merged into one incident, reducing alert fatigue and providing a consolidated view of the attack.

Exam trap

The trap here is that candidates often confuse incident grouping with alert suppression or think that disabling entity mapping will reduce noise, but entity mapping is actually required for grouping to work correctly.

How to eliminate wrong answers

Option A is wrong because disabling entity mapping for the account entity would prevent the rule from identifying the specific account involved, breaking the grouping logic and potentially causing alerts to not be correlated at all. Option C is wrong because using project-away on TimeGenerated would remove the timestamp column from the query results, which is essential for time-based grouping and would break the rule's ability to correctly evaluate the 1-hour window. Option D is wrong because running the rule as a near-real-time rule (NRT) does not support incident grouping; NRT rules run every few minutes and create separate incidents for each detection, which is the opposite of what the SOC wants.
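To make the grouping behaviour concrete, the Python below is an added simulation that is not part of the question bank: it takes a constructed list of brute-force alerts, each tagged with the mapped Account entity (or None when no entity was mapped), and folds them into incidents by entity within a 60-minute window. The window semantics (measured from the first alert of the open incident) and the sample alerts are assumptions made for the example; the point it shows is how many incidents the same alerts produce with and without grouping, and why an alert with no mapped entity can never be merged.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed alerts from a brute-force rule: (TimeGenerated, mapped Account entity).
# None marks an alert whose Account entity was not mapped.
SAMPLE_ALERTS = [
    ("2024-05-01T09:00:00Z", "alice"),
    ("2024-05-01T09:10:00Z", "alice"),
    ("2024-05-01T09:25:00Z", "alice"),
    ("2024-05-01T09:50:00Z", "alice"),
    ("2024-05-01T10:30:00Z", "alice"),   # more than 60 min after the first: new incident
    ("2024-05-01T09:05:00Z", "bob"),
    ("2024-05-01T09:07:00Z", None),
    ("2024-05-01T09:12:00Z", None),
]


def group_into_incidents(alerts, window_minutes=60, group_by_entity=True):
    """Return a list of incidents, each {"entity", "first", "last", "alerts"}.

    Assumed semantics: an alert joins the open incident for the same mapped
    entity while it falls within window_minutes of that incident's first alert;
    otherwise a new incident is opened. With group_by_entity=False every alert
    becomes its own incident (the behaviour the SOC wants to move away from).
    """
    window = timedelta(minutes=window_minutes)
    incidents = []
    open_incident = {}   # entity -> incident currently accepting alerts
    for ts_str, entity in sorted(alerts, key=lambda a: a[0]):
        ts = datetime.strptime(ts_str, TIME_FMT)
        can_group = group_by_entity and entity is not None
        current = open_incident.get(entity) if can_group else None
        if current is not None and ts - current["first"] <= window:
            current["alerts"] += 1
            current["last"] = ts
            continue
        incident = {"entity": entity, "first": ts, "last": ts, "alerts": 1}
        incidents.append(incident)
        if can_group:
            open_incident[entity] = incident
    return incidents


def incident_count(alerts, **kwargs):
    """Number of incidents the alerts would produce under the given settings."""
    return len(group_into_incidents(alerts, **kwargs))


if __name__ == "__main__":
    print("without grouping:", incident_count(SAMPLE_ALERTS, group_by_entity=False), "incidents")
    print("with grouping   :", incident_count(SAMPLE_ALERTS), "incidents")
    for inc in group_into_incidents(SAMPLE_ALERTS):
        print(f"  {inc['entity']!s:6} {inc['first'].strftime('%H:%M')}-{inc['last'].strftime('%H:%M')} "
              f"{inc['alerts']} alert(s)")
```

The two unmapped alerts each stay as their own incident, which is the practical reason option A makes things worse: grouping keys on the mapped entity, and without it there is nothing to group on.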

693 · MCQ · hard

You work for a financial institution that uses Azure Cosmos DB with API for NoSQL to store transaction data. The security requirements mandate: (1) All data at rest must be encrypted using customer-managed keys (CMK) stored in Azure Key Vault. (2) The encryption keys must be automatically rotated every 60 days. (3) Network access to the Cosmos DB account must be restricted to only specific virtual networks. (4) Access to the keys must be logged and monitored. (5) The Cosmos DB account must be configured to use private endpoints. You have configured the Cosmos DB account with CMK and private endpoints. However, after setting up automatic key rotation in Key Vault, the Cosmos DB account starts returning 403 (Forbidden) errors for some requests. What is the most likely cause?

A. The private endpoint connection is not approved.
B. The key vault access policy does not grant the Cosmos DB account necessary permissions on the new key version.
C. The Cosmos DB account's key version property is outdated and must be updated manually.
D. The firewall rules are blocking the Cosmos DB account from accessing Key Vault.
Answer: B

Cosmos DB needs permissions on each key version when rotation occurs.

Why this answer

Option B is correct because when using CMK with automatic key rotation, the Cosmos DB account must have access to the new key version. If the account does not have the correct permissions (e.g., get, wrap, unwrap) on the new key version, it will fail. Option A is wrong because private endpoints do not cause 403 errors.

Option D is wrong because firewall rules are separate from CMK. Option C is wrong because Cosmos DB does not have a 'key version' property to update manually.

694 · Multi-Select · medium

Your company is deploying a new application on Azure Kubernetes Service (AKS). The application needs to read and write data to an Azure Storage account. Security requirements mandate that no storage account keys or connection strings be stored in the application code or configuration files. Which TWO actions should you take?

Select 2 answers
A. Generate a shared access signature (SAS) token and embed it in the application code.
B. Configure the storage account firewall to allow access only from the AKS cluster's virtual network and subnet.
C. Assign the 'Storage Account Key Operator Service Role' RBAC role to the AKS cluster.
D. Enable Azure Active Directory Pod Identity (or Workload Identity) for the AKS cluster and assign the managed identity to the pod.
E. Create a service principal with a client secret and use that secret in the application configuration.
Answers: B, D

Network restriction reduces attack surface.

Why this answer

Option D: Using a managed identity for the pod (via AAD Pod Identity or Workload Identity) allows the pod to authenticate without secrets. Option B: Setting the storage account firewall to allow access only from the AKS cluster's VNet provides network-level security. Option E (service principal with client secret) still requires a secret.

Option A (SAS token) also requires a secret. Option C (RBAC with storage account key) is not possible; RBAC does not use keys.

695 · MCQ · medium

A security operations team uses Microsoft Sentinel. They want to automatically assign incidents to different tiers of analysts based on severity when incidents are created. Which feature should they configure?

A. Fusion - Advanced Multistage Attack Detection
B. Analytics rules with scheduled queries
C. Automation rules
D. Playbooks
Answer: C

Automation rules allow you to automatically trigger actions like assigning an incident to a specific user or team, changing severity, adding tags, or running a playbook. This is the correct feature to automatically assign incidents based on severity.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to specific analysts or teams based on criteria such as severity. When an incident is created, the automation rule triggers and can set the owner (assignee) to a predefined user or group, enabling tiered assignment without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming playbooks are required for any automated action, but automation rules are the correct feature for simple, rule-based incident assignment without the overhead of a full Logic App workflow.

How to eliminate wrong answers

Option A is wrong because Fusion - Advanced Multistage Attack Detection is a correlation engine that detects multistage attacks by combining alerts, not a mechanism for incident assignment. Option B is wrong because analytics rules with scheduled queries generate alerts based on log queries, but they do not include incident assignment or ownership logic. Option D is wrong because playbooks are automated workflows (often using Azure Logic Apps) that can respond to incidents, but they are triggered by automation rules or analytics rules and are not the feature used to directly assign incidents to analysts.

696
Multi-Selectmedium

You are securing an Azure Kubernetes Service (AKS) cluster. You need to restrict network traffic between pods and to external services using Azure network policies. Which three of the following options are valid considerations or steps? (Choose three.)

Select 3 answers
.Enable the Azure Network Policy Manager (Azure NPM) when creating the AKS cluster.
.Define Kubernetes NetworkPolicy objects that use selectors to allow or deny traffic between pods.
.Use Azure Firewall to enforce egress traffic rules for the AKS cluster.
.Configure an NSG directly on the AKS node subnet to filter pod-to-pod traffic.
.Set the AKS cluster to use Calico network policies instead of Azure NPM for better performance.
.Assign public IP addresses to each pod for direct internet access without a load balancer.

Why this answer

Azure Network Policy Manager (Azure NPM) is the Azure-provided engine that enforces Kubernetes NetworkPolicy objects on AKS; it translates each policy into iptables and ipset rules on the nodes. If no network policy engine (Azure NPM or Calico) is selected for the cluster, NetworkPolicy objects are accepted by the API server but never enforced. The policies themselves are ordinary Kubernetes NetworkPolicy objects that use pod and namespace selectors to allow or deny ingress and egress between pods. For traffic leaving the cluster, Azure Firewall in the egress path (via a user-defined route on the node subnet) is the supported way to enforce FQDN and network rules, because NetworkPolicy egress rules can only match IP blocks, not domain names. Choosing Calico over Azure NPM is a feature decision (Calico offers additional policy types), not a performance requirement, and neither NSGs nor per-pod public IPs provide pod-level segmentation.

Exam trap

The trap here is that candidates often confuse NSGs with Kubernetes network policies. NSGs filter traffic at the subnet or NIC level and know nothing about pod labels or namespaces; even with Azure CNI, where pods receive VNet IP addresses, an NSG cannot express pod-level segmentation, which requires NetworkPolicy objects enforced by a network policy engine.

697
MCQmedium

Refer to the exhibit. You are creating a Microsoft Sentinel scheduled analytics rule using the KQL query shown. The rule is set to run every hour. What will this rule detect?

A.Successful logins from a single IP address
B.Accounts that have more than 10 failed logins from a specific IP address in the last hour
C.Total failed logins in the last 24 hours
D.Accounts with more than 10 failed logins from any IP address
AnswerB

Correct: The query groups by both Account and IpAddress and filters for >10.

Why this answer

Option B is correct because the query counts failed logons (Security event ID 4625) in the last hour, grouped by both Account and IpAddress, then keeps only the pairs with more than 10 failures: an account attacked from one source more than 10 times in the hour fires, while the same number of failures spread across many source addresses does not. Option A is wrong because 4625 is the failed logon event; successful logons are event ID 4624. Option D is wrong because it drops the IpAddress grouping, which would alert on accounts whose failures are spread across several sources.

Option C is wrong because the look-back is one hour (matching the hourly schedule), not 24 hours, and the result is a count per account and IP address rather than a single total.
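The exhibit is not reproduced here, so the following is an added example, not the page's query: a Python equivalent of the KQL logic described above, run over constructed SecurityEvent-style rows (synthetic accounts and addresses). The KQL it mirrors is assumed to be `SecurityEvent | where TimeGenerated > ago(1h) | where EventID == 4625 | summarize FailedCount = count() by Account, IpAddress | where FailedCount > 10`. It also implements the option D grouping (by Account only) so the difference between the two is visible on the same data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (the real rule evaluates ago(1h) at run time).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _event(minutes_ago, event_id, account, ip):
    """One row in the shape of the SecurityEvent table (constructed, not real telemetry)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "EventID": event_id,
        "Account": account,
        "IpAddress": ip,
    }


# Constructed sample data:
#  - alice: 12 failed logons from one address inside the hour  -> should alert
#  - bob:   12 failed logons spread over four addresses         -> no (Account, IpAddress) pair exceeds 10
#  - carol: 12 successful logons (4624) from alice's source IP  -> ignored, wrong event ID
#  - dave:  12 failed logons, all older than one hour           -> outside the look-back window
SAMPLE_EVENTS = (
    [_event(m, 4625, "CONTOSO\\alice", "203.0.113.10") for m in range(1, 13)]
    + [_event(m, 4625, "CONTOSO\\bob", f"198.51.100.{m % 4}") for m in range(1, 13)]
    + [_event(m, 4624, "CONTOSO\\carol", "203.0.113.10") for m in range(1, 13)]
    + [_event(90 + m, 4625, "CONTOSO\\dave", "192.0.2.5") for m in range(1, 13)]
)


def failed_logons_by_account_ip(events, now=NOW, lookback=timedelta(hours=1), threshold=10):
    """Option B semantics:
    where TimeGenerated > ago(1h) | where EventID == 4625
    | summarize FailedCount = count() by Account, IpAddress | where FailedCount > 10
    Returns {(Account, IpAddress): FailedCount} for the pairs above the threshold."""
    cutoff = now - lookback
    counts = Counter(
        (e["Account"], e["IpAddress"])
        for e in events
        if e["TimeGenerated"] > cutoff and e["EventID"] == 4625
    )
    return {pair: n for pair, n in counts.items() if n > threshold}


def failed_logons_by_account(events, now=NOW, lookback=timedelta(hours=1), threshold=10):
    """Option D semantics (summarize ... by Account only), shown for contrast:
    failures spread across many source addresses still add up per account."""
    cutoff = now - lookback
    counts = Counter(
        e["Account"]
        for e in events
        if e["TimeGenerated"] > cutoff and e["EventID"] == 4625
    )
    return {account: n for account, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("by Account, IpAddress:", failed_logons_by_account_ip(SAMPLE_EVENTS))
    print("by Account only:      ", failed_logons_by_account(SAMPLE_EVENTS))
```

Run as written, only alice's (Account, IpAddress) pair fires under the option B grouping, whereas bob also fires under the option D grouping; dave never fires because all of his failures fall outside the one-hour window, and carol's successful logons are filtered out by the event ID.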

698
Multi-Selecthard

Which THREE benefits does Azure DDoS Protection Standard provide over Basic?

Select 3 answers
A.Always-on monitoring and mitigation of layer 3/4 attacks.
B.Adaptive tuning based on application traffic patterns.
C.Cost protection for scaled resources during an attack.
D.Mitigation of attacks using Azure's global network capacity.
E.Access to DDoS Rapid Response (DRR) team.
AnswersB, C, E

Standard learns normal traffic patterns and adjusts thresholds.

Why this answer

Options B, C and E are correct. DDoS Protection Standard (now called DDoS Network Protection) adds adaptive tuning that learns each protected public IP's normal traffic profile and sets mitigation thresholds accordingly, cost protection (service credit for the scale-out and data-transfer costs incurred during a documented attack), and access to the DDoS Rapid Response team during an active attack, along with attack telemetry, metrics and alerts. Option A is wrong because always-on monitoring and mitigation of common layer 3/4 attacks is already part of Basic (now DDoS infrastructure protection), which is free on every Azure public IP.

Option D is wrong because both tiers rely on Azure's global network capacity for mitigation.

699
MCQhard

You have an Azure application that uses a private endpoint for Azure SQL Database. Users report intermittent connectivity failures. You need to diagnose whether the private endpoint DNS resolution is working correctly. Which tool should you use?

A.tracert
B.netstat
C.ping
D.nslookup
AnswerD

nslookup queries DNS to resolve names to IP addresses.

Why this answer

Option D is correct because nslookup queries the DNS server the client actually uses and shows what the database FQDN resolves to. With a working private endpoint, <server>.database.windows.net should return a CNAME to <server>.privatelink.database.windows.net that resolves to a private IP inside the VNet; a public IP means the privatelink private DNS zone is not linked to the client's VNet (or a custom DNS server is not forwarding to Azure DNS), which is a common cause of exactly this kind of intermittent failure. Option A is wrong because tracert shows the path to an address that has already been resolved, not how it was resolved. Option B is wrong because netstat lists active sockets and listeners, not name resolution.

Option C is wrong because ping tests ICMP reachability, which Azure SQL Database does not answer, and says nothing about DNS beyond the single address it happened to resolve.

700
Multi-Selectmedium

Which TWO actions should you take to secure an Azure Storage account that contains sensitive data? (Choose two.)

Select 2 answers
A.Disable public network access
B.Enable soft delete for blobs
C.Enable geo-redundant storage (GRS)
D.Enable Azure AD authentication for blob and queue data
E.Generate a shared access signature (SAS) token with full permissions
AnswersA, B

Disabling public network access prevents access from the internet, reducing attack surface.

Why this answer

Options A and B are correct. Disabling public network access (A) removes the public endpoint from the attack surface, leaving access only through private endpoints or explicitly allowed networks. Enabling blob soft delete (B) lets you recover data after accidental or malicious deletion or overwrite within the retention period.

Option D (Microsoft Entra authentication for blob and queue data) is a strong data-plane control, especially when paired with disabling shared key access, but the two actions keyed here are the network restriction and the deletion protection. Option C (GRS) addresses durability and regional failure, not security. Option E is wrong because a SAS token with full permissions widens access; SAS tokens should be scoped to the minimum permissions, a short lifetime and, where possible, a user delegation key.

701
MCQmedium

A security operations team uses Microsoft Sentinel. They create a playbook that changes the severity of an incident from 'Medium' to 'High' when a specific indicator of compromise (IOC) is detected within the incident's entities. The team wants this playbook to run automatically as soon as the incident is created, without manual intervention. Which type of automation rule trigger should they configure to invoke the playbook?

A.When incident is created
B.When incident is updated
C.When alert is created
D.On a time schedule
AnswerA

This trigger runs the automation rule immediately when a new incident is generated. The rule can check conditions and then run the playbook to change the severity.

Why this answer

Option A is correct because the 'When incident is created' trigger in Microsoft Sentinel automation rules is designed to invoke a playbook immediately upon incident generation, without requiring any manual action. This matches the requirement for automatic execution as soon as the incident is created, allowing the playbook to evaluate entities and change severity from 'Medium' to 'High' based on the IOC detection.

Exam trap

The trap here is that candidates may confuse 'When alert is created' with incident creation, not realizing that incidents are higher-level constructs that can aggregate multiple alerts, and the playbook must run at the incident scope to change severity based on entities across all alerts.

How to eliminate wrong answers

Option B is wrong because 'When incident is updated' triggers only after an incident is modified (e.g., status change or comment), not at creation time, so it would not run automatically on the initial creation. Option C is wrong because 'When alert is created' triggers on alert generation, not incident creation; incidents can aggregate multiple alerts, and the playbook needs to run at the incident level, not per alert. Option D is wrong because 'On a time schedule' is a recurring trigger (e.g., every hour) that does not respond to real-time incident creation events, making it unsuitable for immediate automated response.

702
MCQmedium

Refer to the exhibit. You are analyzing a Conditional Access policy JSON. The policy requires MFA for Office 365 applications. However, users report that they are still able to access Office 365 without MFA. What is the most likely reason?

A.The policy excludes some Office 365 apps
B.The 'grantControls' section is empty
C.The 'authenticationStrength' property is not a valid Conditional Access policy property
D.The policy does not include all users
AnswerC

The correct property is 'grantControls' with 'builtInControls'.

Why this answer

In the Microsoft Graph schema, authentication strength is a valid object only when nested under grantControls (grantControls.authenticationStrength); a top-level 'authenticationStrength' property is not part of the conditionalAccessPolicy resource. MFA is enforced by what sits inside grantControls, either builtInControls containing 'mfa' or an authenticationStrength reference, so a requirement written outside grantControls is never evaluated and the policy grants access without MFA.

Exam trap

The trap here is that candidates assume any property in a JSON snippet is honoured. Entra ID only enforces what the schema defines in grantControls and sessionControls, so a requirement placed elsewhere leaves the policy looking complete while granting access without MFA; verify the effective result with the Conditional Access What If tool or the Conditional Access tab of a sign-in log entry.

How to eliminate wrong answers

Option A is wrong because excluding some Office 365 apps would still require MFA for the included apps, not allow all Office 365 access without MFA. Option B is wrong because an empty 'grantControls' section would cause the policy to fail validation or not apply, but the JSON shown does not have an empty 'grantControls'; the issue is the invalid property. Option D is wrong because not including all users would only exempt those specific users, but the policy would still enforce MFA for included users; the reported behavior is that all users can bypass MFA, indicating a policy-wide failure.
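A schema check makes this class of mistake visible before a policy is deployed. The following is an added Python example, not code from the page or from Microsoft: it lints a Conditional Access policy document (the JSON shape used by the Microsoft Graph conditionalAccessPolicy resource) for properties outside the schema and for grant controls that do not actually require MFA. The two sample policies are constructed for the example; the group and authentication strength identifiers in them are placeholders, not real IDs.

```python
import json

# Top-level and grantControls property names from the Microsoft Graph
# conditionalAccessPolicy schema (read-only metadata such as timestamps omitted).
POLICY_PROPERTIES = {
    "id", "displayName", "state", "conditions", "grantControls", "sessionControls", "templateId",
}
GRANT_CONTROL_PROPERTIES = {
    "operator", "builtInControls", "customAuthenticationFactors", "termsOfUse", "authenticationStrength",
}


def requires_mfa(grant_controls):
    """True if the grant controls would force MFA: either the 'mfa' built-in control
    or an authentication strength (every authentication strength is a form of MFA)."""
    if not grant_controls:
        return False
    built_in = grant_controls.get("builtInControls") or []
    return "mfa" in built_in or bool(grant_controls.get("authenticationStrength"))


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes this lint."""
    findings = []
    for key in policy:
        if key not in POLICY_PROPERTIES:
            findings.append(f"'{key}' is not a property of the conditionalAccessPolicy schema")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; the policy is not enforced")
    grant = policy.get("grantControls") or {}
    for key in grant:
        if key not in GRANT_CONTROL_PROPERTIES:
            findings.append(f"grantControls.{key} is not a grant control property")
    if not requires_mfa(grant):
        findings.append("grantControls does not require MFA ('mfa' built-in control or authenticationStrength)")
    users = (policy.get("conditions") or {}).get("users") or {}
    if users.get("includeUsers") != ["All"]:
        findings.append("includeUsers is not ['All']; check that the intended population is covered")
    return findings


def lint_policy_json(document):
    """Same lint applied to a JSON string, as exported from Graph or stored in source control."""
    return lint_policy(json.loads(document))


# Constructed example: MFA was intended, but the authentication strength sits at the
# top level and grantControls is empty, so nothing is enforced.
BROKEN_POLICY = {
    "displayName": "Require MFA for Office 365",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
        "applications": {"includeApplications": ["Office365"]},
    },
    "authenticationStrength": {"id": "<authentication-strength-id>"},  # wrong place; placeholder ID
    "grantControls": {"operator": "OR", "builtInControls": []},
}

# Corrected version: the requirement lives inside grantControls.
FIXED_POLICY = {
    **{k: v for k, v in BROKEN_POLICY.items() if k != "authenticationStrength"},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(policy) or ["ok"])
```

The lint reports two findings for the broken policy (a property outside the schema and grant controls that require no MFA) and none for the fixed one; the includeUsers check is deliberately strict because a scoped pilot policy that is mistaken for a tenant-wide one is the other common reason users "still get in without MFA".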

703
Multi-Selecthard

You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that all security logs be retained for at least seven years for compliance. The solution must be cost-effective. Which THREE actions should you take?

Select 3 answers
A.Use continuous export to Azure Event Hubs for long-term storage.
B.Store logs in Azure SQL Database for seven years.
C.Configure the Log Analytics workspace retention to two years for interactive queries.
D.Use Azure Archive Storage for logs older than two years.
E.Export logs to Azure Blob Storage for long-term retention beyond two years.
AnswersC, D, E

Correct. Sentinel uses Log Analytics with up to two years interactive retention.

Why this answer

Options C, D and E are correct. Keep interactive retention in the Log Analytics workspace at two years, the maximum for interactive queries, export older data to Azure Blob Storage, and move blobs older than two years to the Archive access tier so the seven-year requirement is met at the lowest storage cost. Note that the workspace itself now offers long-term retention of up to 12 years, which is often simpler than exporting, although archived data has to be restored or searched asynchronously before it can be queried.

Option A is wrong because Event Hubs is a streaming service with short message retention, not long-term storage. Option B is wrong because Azure SQL Database is expensive for write-once log data and is not designed for this purpose.

704
Multi-Selectmedium

Your company plans to use Azure SQL Managed Instance to store customer data. You need to comply with regulatory requirements for data encryption at rest and in transit, and you must ensure that only authorized applications can access the database. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Enable Transparent Data Encryption (TDE) with customer-managed keys
B.Configure a virtual network rule to allow only specific subnets
C.Set the connection string to use 'Encrypt=True' and 'TrustServerCertificate=False'
D.Enable Always Encrypted for sensitive columns
E.Configure Azure AD authentication for the managed instance
AnswersA, C

Encrypts the entire database at rest.

Why this answer

Options A and C are correct. Transparent Data Encryption (TDE) protects data at rest; on SQL Managed Instance it is on by default with a service-managed key, and moving to a customer-managed key in Azure Key Vault gives you control over key lifecycle and revocation, which is what regulators typically ask for. 'Encrypt=True' together with 'TrustServerCertificate=False' forces the client to use TLS and to validate the server certificate, so data in transit is encrypted and a man-in-the-middle presenting an untrusted certificate is rejected. Option D is wrong for this requirement because Always Encrypted protects specific columns from the database engine itself, not the whole database at rest.

Option E is wrong because Microsoft Entra authentication controls who can connect, not encryption. Option B is wrong because VNet rules control network reachability, not encryption, although both B and E are sensible complements for limiting access to authorised applications.

705
MCQhard

A Sentinel playbook fails to update incidents even though the Logic App runs successfully. The playbook uses a managed identity. What is the most likely missing configuration?

A.The managed identity lacks Microsoft Sentinel Responder or Contributor permissions on the workspace
B.The analytics rule does not include MITRE ATT&CK tactics
C.The Log Analytics workspace is not linked to Azure Monitor Private Link
D.The incident title does not contain an entity mapping
AnswerA

Correct for the stated requirement.

Why this answer

The managed identity assigned to the Logic App must hold a role that permits incident writes on the workspace: Microsoft Sentinel Responder is the least-privileged built-in choice (it can update incidents but cannot edit analytics rules or the workspace), and Microsoft Sentinel Contributor also works. Without such a role, the connector's calls to modify incident properties (status, severity, owner) are denied even though the Logic App itself runs.

Exam trap

The trap here is that candidates assume a successful Logic App run means permissions are correct, but the playbook can complete without errors while the incident update silently fails due to missing RBAC on the managed identity.

How to eliminate wrong answers

Option B is wrong because MITRE ATT&CK tactics are metadata for rule classification and do not affect the playbook's ability to update incidents. Option C is wrong because Azure Monitor Private Link controls network access to the workspace, not authorization for managed identity actions. Option D is wrong because entity mappings are used for alert enrichment, not for granting permissions to modify incidents.

706
Multi-Selectmedium

You are designing a secure hybrid network that connects an on-premises datacenter to Azure. The solution must provide high availability and encrypt all traffic between the two sites. Which three of the following should you consider? (Choose three.)

Select 3 answers
.Deploy two or more Azure VPN Gateway instances in an active-active configuration.
.Use IPsec/IKE policy with strong encryption parameters for the VPN tunnels.
.Implement Azure ExpressRoute with Microsoft peering as the primary connectivity.
.Configure a second VPN tunnel from the on-premises device to a different Azure region for redundancy.
.Use Azure Front Door to load balance traffic between the on-premises network and Azure.
.Set up a point-to-site VPN for all on-premises users to access Azure resources.

Why this answer

Deploying two or more Azure VPN Gateway instances in an active-active configuration provides high availability by ensuring that if one gateway instance fails, traffic continues to flow through the other. Using IPsec/IKE policy with strong encryption parameters (e.g., AES256, SHA256, DH Group 14 or higher) ensures all traffic between the on-premises datacenter and Azure is encrypted to meet security compliance. Configuring a second VPN tunnel from the on-premises device to a different Azure region adds geographic redundancy, protecting against a regional Azure outage.

Exam trap

The trap here is that candidates often assume ExpressRoute inherently encrypts traffic or that Azure Front Door can replace a VPN gateway, but ExpressRoute requires additional IPsec for encryption and Front Door is an application-layer service, not a network-layer VPN solution.

707
MCQhard

Refer to the exhibit. You have an Azure Storage account with the encryption configuration shown. Users report that they cannot upload files to the storage account. What is the most likely cause?

A.The storage account does not have permissions to access the key vault.
B.The key version is pinned; if the key was rotated, the old version may be disabled.
C.The key vault URI is incorrect.
D.The encryption key source is set to Microsoft.Keyvault but should be Microsoft.Storage.
AnswerB

Pinned key versions can cause issues if the key is rotated.

Why this answer

The key URI is pinned to a specific key version. When the key is rotated and the old version is disabled or expires, the storage account can no longer unwrap its data encryption key, and uploads and reads fail. Omitting the version from the key URI lets the account pick up new versions automatically after rotation. Option A is wrong because a missing Key Vault permission (the account's identity needs get, wrapKey and unwrapKey) is not indicated by the configuration shown.

Option C is wrong because the key vault URI is valid. Option D is wrong because Microsoft.Keyvault is the correct key source for customer-managed keys; Microsoft.Storage means Microsoft-managed keys.

708
Multi-Selectmedium

Which TWO of the following are valid configurations for Microsoft Entra ID Conditional Access policies?

Select 2 answers
A.Include all users and exclude specific groups
B.Force password change on next sign-in
C.Target a specific cloud application
D.Block access for users without MFA registered
E.Assign licenses to users based on location
AnswersA, C

Valid assignment.

Why this answer

Option A is correct because Conditional Access policies allow you to include all users as a baseline and then exclude specific groups (e.g., break-glass emergency accounts) to ensure critical access is never blocked. Option C is correct because you can target a specific cloud application (e.g., Microsoft Azure Management, SharePoint Online) to apply granular access controls only to that app, leaving other apps unaffected.

Exam trap

The trap here is that candidates confuse user risk remediation actions (like forcing a password change) with Conditional Access grant controls, or mistakenly think that Conditional Access can directly enforce MFA registration or license assignment, which are separate administrative functions.

709
MCQeasy

A company has an Azure virtual network with a subnet that hosts a web application. The security team wants to allow inbound HTTPS traffic (port 443) from the internet to the web servers, but block all other inbound traffic. They have a network security group (NSG) associated with the subnet. What is the minimal set of inbound rules required?

A.A rule allowing HTTPS from Internet, and a default deny all rule.
B.A rule allowing HTTPS from Internet, and no other rules (default deny all inbound).
C.A rule allowing HTTPS from Internet, and a rule explicitly denying all other inbound traffic.
D.A rule allowing HTTPS from any source, and a rule denying all other traffic with lower priority.
AnswerB

Correct. The default NSG rules deny all inbound internet traffic. Adding only an allow rule for HTTPS is sufficient.

Why this answer

Network security groups (NSGs) in Azure include a built-in DenyAllInBound rule at priority 65500 that is evaluated after every custom rule. You therefore only need an explicit allow rule for TCP 443 from the Internet service tag; no additional deny rule is required. Note that the other default rules, AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001), still permit traffic from inside the virtual network and from load balancer health probes, so 'all other inbound traffic' is blocked only as far as Internet sources are concerned.

Exam trap

The trap here is that candidates often think they must add an explicit deny rule to block all other traffic, not realizing that Azure NSGs already include a default deny-all inbound rule that is automatically applied at the lowest priority.

How to eliminate wrong answers

Option A is wrong because the 'default deny all rule' it proposes already exists: DenyAllInBound (priority 65500) is built into every NSG, cannot be removed, and can only be overridden by a custom rule with a lower priority number, so adding another deny is unnecessary. Option C is wrong for the same reason; an explicit deny-all inbound rule is redundant and not minimal. Option D is wrong because '*' as the source is not the same as the Internet tag (it also matches virtual network and load balancer sources), and the lower-priority deny it adds merely duplicates the default rule.

710
MCQmedium

You need to design a network security solution for a hub-spoke topology. The hub contains Azure Firewall and Azure Bastion. Spoke VNets contain application workloads. You need to ensure that all traffic from the spokes to the internet is routed through the Azure Firewall. What should you configure?

A.Add a user-defined route (UDR) on the spoke subnets with 0.0.0.0/0 next hop to the Azure Firewall private IP.
B.Use service endpoints for internet-bound traffic.
C.Enable BGP on the spoke VNets and advertise a default route from the hub.
D.Configure the Azure Firewall to have a default route to the internet.
AnswerA

UDRs force traffic from the spoke to the firewall.

Why this answer

Option A is correct: a UDR for 0.0.0.0/0 with next hop type Virtual appliance and the firewall's private IP overrides the system default route on the spoke subnet, so all internet-bound traffic is forced through the firewall. Azure Firewall Manager can generate these routes for you, but the route table still has to be associated with each spoke subnet. Option B is wrong because service endpoints apply only to traffic to Azure PaaS services and bypass the firewall. Option C is wrong because BGP is used by VPN and ExpressRoute gateways to exchange routes with on-premises networks; it does not push a default route into a peered spoke.

Option D is wrong because the firewall already has a route to the internet by default, and that does nothing to steer spoke traffic towards it.

711
Multi-Selectmedium

Which TWO are features of Microsoft Defender for Cloud's workload protection for Azure SQL databases? (Select two.)

Select 2 answers
A.File integrity monitoring (FIM)
B.Adaptive network hardening
C.Just-in-time VM access
D.Advanced threat protection (ATP)
E.Vulnerability assessment
AnswersD, E

ATP detects anomalous activities on SQL databases.

Why this answer

Options D and E are correct. Microsoft Defender for SQL (Advanced Threat Protection plus SQL vulnerability assessment) scans databases for misconfigurations and excessive permissions and detects anomalous activity such as SQL injection attempts and logins from unusual locations. Option A is wrong because file integrity monitoring is a Defender for Servers feature.

Option B is wrong because adaptive network hardening produces NSG recommendations for VMs. Option C is wrong because just-in-time access controls VM management ports.

712
MCQhard

A critical application uses Azure Functions with an Azure Storage account for input and output. The security team requires that all data in transit between the function app and storage be encrypted using a customer-managed key. Which configuration should you implement?

A.Enable 'HTTPS Only' on the function app and use Azure Files for the function code with encryption in transit (SMB 3.0+)
B.Configure a site-to-site VPN between the function app and storage account
C.Enable 'HTTPS Only' and use Key Vault references for storage connection strings
D.Use App Service managed certificates for the function app
AnswerA

Azure Files with SMB encryption ensures data in transit is encrypted. HTTPS Only enforces HTTPS for the function app endpoints.

Why this answer

The premise needs care: customer-managed keys (CMK) govern encryption at rest in Azure Storage, while encryption in transit is provided by TLS (HTTPS) for Blob, Queue and Table endpoints and by SMB 3.x encryption for Azure Files, regardless of the key source. Option A is the only choice that actually enforces encryption on both transit paths a function app uses: 'HTTPS Only' rejects plain-HTTP requests to the app's endpoints, and the Azure Files share that hosts the function code is mounted with SMB 3.x encryption. In practice you would pair this with 'Secure transfer required' on the storage account (not listed) so the storage side also refuses unencrypted connections, and enable CMK on the account to satisfy the at-rest requirement.

Option B is wrong because a site-to-site VPN connects networks; a function app and a storage account are PaaS endpoints, and if network isolation is required the tools are VNet integration and a private endpoint, not a VPN. Option C is wrong because Key Vault references protect the connection string secret in app settings; they change how the credential is stored, not how data moves between the app and storage. Option D is wrong because App Service managed certificates supply a TLS certificate for a custom domain; they neither enforce HTTPS nor affect storage traffic.

713
MCQeasy

A company has an Azure virtual network with a single subnet that hosts web servers. The security team needs to allow inbound HTTPS traffic from the internet to the web servers, but block all other inbound traffic. They want to use a single Azure resource to accomplish this at the subnet level. Which resource should they configure?

A.Azure Firewall
B.Azure Front Door
C.Network Security Group (NSG)
D.Application Security Group (ASG)
AnswerC

An NSG contains inbound and outbound security rules and can be associated with a subnet or a network interface. A single allow rule for HTTPS (TCP 443) from the Internet service tag, combined with the built-in DenyAllInBound default rule (priority 65500), meets the requirement with one resource.

Why this answer

A Network Security Group (NSG) is the correct resource because it can be associated with a subnet to filter inbound traffic at Layer 3/4. A rule that allows TCP port 443 (HTTPS) from the Internet service tag, backed by the built-in DenyAllInBound default rule, blocks all other inbound traffic from the Internet while permitting HTTPS. This meets the requirement of a single Azure resource operating at the subnet level.

Exam trap

The trap here is that candidates often confuse Azure Firewall (a centralized, stateful service) with a simple subnet-level ACL, or they mistakenly think an Application Security Group can independently filter traffic, when in fact it only works as a source or destination in an NSG rule.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a managed, stateful firewall service that operates at the network and application layers (Layer 3-7) and is typically used for centralized traffic inspection, logging, and advanced filtering across multiple subnets or virtual networks; it is overkill and not the simplest single resource for a basic subnet-level ACL. Option B is wrong because Azure Front Door is a global, Layer 7 load balancer and application delivery controller that routes HTTP/HTTPS traffic based on the closest point of presence; it does not filter traffic at the subnet level and cannot block all other inbound traffic to the subnet. Option D is wrong because an Application Security Group (ASG) is a logical grouping of virtual machines by application workload, used in conjunction with NSG rules to simplify rule management; it is not a standalone filtering resource and cannot be directly associated with a subnet to enforce inbound traffic rules.
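To make the default-rule behaviour concrete, here is an added Python model of NSG inbound evaluation (example code, not from the page or from Azure): rules are evaluated in priority order with the three real default inbound rules appended, and the first match decides. The virtual network address space (10.0.0.0/16) and the source addresses are assumptions constructed for the example, and service-tag matching is simplified (the Internet tag is modelled as any address that is neither private nor the load balancer probe source). It illustrates both question 709 and question 713.

```python
from ipaddress import ip_address, ip_network

# Assumed address space for the 'VirtualNetwork' service tag (constructed for this example).
VNET_ADDRESS_SPACE = ip_network("10.0.0.0/16")
# Real source address used by Azure Load Balancer health probes.
AZURE_LOAD_BALANCER_IP = ip_address("168.63.129.16")

# The built-in inbound default rules Azure adds to every NSG; they cannot be deleted,
# only overridden by custom rules with a lower priority number (100-4096).
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "source": "VirtualNetwork", "port": "*", "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "source": "AzureLoadBalancer", "port": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*", "port": "*", "access": "Deny"},
]


def source_matches(source, src_ip):
    """Simplified service-tag and CIDR matching for a source address."""
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return src_ip in VNET_ADDRESS_SPACE
    if source == "AzureLoadBalancer":
        return src_ip == AZURE_LOAD_BALANCER_IP
    if source == "Internet":
        return not src_ip.is_private and src_ip != AZURE_LOAD_BALANCER_IP
    return src_ip in ip_network(source)  # explicit CIDR


def port_matches(spec, port):
    """Destination port spec: '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def evaluate_inbound(custom_rules, src_ip, dst_port):
    """Return (access, rule_name) for the first rule, in priority order, that matches."""
    for rule in custom_rules:
        if not 100 <= rule["priority"] <= 4096:
            raise ValueError(f"{rule['name']}: custom rule priority must be 100-4096")
    src = ip_address(src_ip)
    for rule in sorted(custom_rules + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"]):
        if source_matches(rule["source"], src) and port_matches(rule["port"], dst_port):
            return rule["access"], rule["name"]
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


# Option B of question 709: one allow rule, relying on the built-in deny.
MINIMAL_RULES = [
    {"name": "AllowHttpsInBound", "priority": 100, "source": "Internet", "port": "443", "access": "Allow"},
]
# Options C/D: the same allow plus an explicit deny-all, which changes no decision.
REDUNDANT_RULES = MINIMAL_RULES + [
    {"name": "DenyAllOtherInBound", "priority": 4096, "source": "*", "port": "*", "access": "Deny"},
]


if __name__ == "__main__":
    for src, port in [("1.2.3.4", 443), ("1.2.3.4", 22), ("10.0.1.4", 22), ("168.63.129.16", 443)]:
        minimal = evaluate_inbound(MINIMAL_RULES, src, port)
        redundant = evaluate_inbound(REDUNDANT_RULES, src, port)
        print(f"{src}:{port:<4} minimal={minimal} redundant={redundant}")
```

The model shows the point of both questions and the caveat that goes with it: HTTPS from the Internet is allowed by the custom rule, SSH from the Internet falls through to DenyAllInBound, and the explicit deny in REDUNDANT_RULES only changes which rule is reported, not the decision. It also shows that SSH from inside the VNet is still allowed by AllowVnetInBound; if "block all other inbound" must cover VNet sources as well, that does need an explicit deny with a priority number below 65000.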

714
MCQeasy

Refer to the exhibit. You are assigning a built-in Azure Policy definition to a subscription using Azure CLI. The policy is 'Audit VMs that do not use managed disks'. After assignment, you check in Microsoft Defender for Cloud and see that the policy is not generating any recommendations. What is the most likely reason?

A.The policy effect is set to 'Audit', but it should be 'Deny' to generate recommendations.
B.The policy requires a managed identity to run.
C.The policy is not part of a Defender for Cloud security initiative.
D.The policy is assigned to the wrong subscription.
AnswerC

Defender for Cloud only displays recommendations for policies within its assigned initiatives.

Why this answer

Option C is correct. Defender for Cloud surfaces recommendations only from the initiatives it manages: the Microsoft cloud security benchmark and any regulatory standards or custom initiatives you add under environment settings. A built-in definition assigned directly through Azure Policy reports its results in the Azure Policy compliance view, not as a Defender for Cloud recommendation, until it is added to Defender for Cloud as part of an initiative. Option A is wrong because Audit does produce compliance results; Deny blocks non-compliant deployments and does not generate recommendations.

Option B is wrong because only the deployIfNotExists and modify effects need a managed identity; Audit does not. Option D is wrong because the assignment scope is correct, and an audit policy evaluates existing resources regardless.

715
MCQeasy

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP) for Azure SQL. Where should you configure this?

A.In the Azure SQL server blade under Security
B.In the Microsoft Defender for Cloud subscription settings
C.In the Azure resource group where the SQL server resides
D.In the Azure SQL database blade under Security
AnswerA

Correct: ATP for Azure SQL is configured at the server level.

Why this answer

Option A is correct: Microsoft Defender for SQL (which includes Advanced Threat Protection) is configured at the logical server level, under Security on the server blade, and applies to every database on that server. Option D is wrong because the database blade only reflects the inherited server-level setting. Option B is wrong for configuring a single server, although enabling the 'Defender for Azure SQL Databases' plan in Defender for Cloud's environment settings does turn protection on for all servers in the subscription, with per-server settings used for exceptions.

Option C is wrong because there is no resource group level setting for it.

716
MCQmedium

You need to ensure that an Azure Storage account is accessible only from a specific virtual network (VNet) and only over HTTPS. You also want to deny access from any public IP. What should you configure?

A.Generate a SAS token and require HTTPS.
B.Configure storage firewall rules to deny all public IPs, add the VNet as a service endpoint, and enable 'Secure transfer required' (HTTPS).
C.Configure a Network Security Group (NSG) on the subnet to deny all inbound traffic.
D.Configure a private endpoint for the storage account and disable public network access.
AnswerB

Firewall blocks public access, service endpoint allows VNet, and 'Secure transfer required' enforces HTTPS.

Why this answer

Option B is correct: setting the storage firewall's default action to Deny blocks all public IPs, a virtual network rule backed by a Microsoft.Storage service endpoint on the subnet admits traffic from that VNet, and 'Secure transfer required' rejects HTTP and unencrypted SMB. Option A is wrong because a SAS token (even with the HTTPS-only protocol flag) does not restrict the caller's network location beyond an optional IP range. Option C is wrong because an NSG on the subnet filters traffic to and from that subnet's NICs; it cannot stop anyone outside the VNet from reaching the storage account's public endpoint.

Option D would also isolate the account to the VNet and is the stronger design, but it does not by itself enforce HTTPS, which is the third requirement.

717
MCQmedium

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You notice that a critical recommendation 'Vulnerabilities in virtual machines should be remediated' is showing a healthy status of 0% compliance. Which action should you take first to enable vulnerability assessment for all VMs?

A.Install the Azure Monitor Agent on each VM and configure log collection.
B.Enable the 'Defender for Servers' plan P2 on the subscription.
C.Create a policy assignment to deploy the 'Configure machines to receive a vulnerability assessment provider' initiative.
D.Enable the 'Vulnerability assessment for VMs' setting in Defender for Cloud's environment settings.
AnswerD

This directly enables the integrated Qualys or Microsoft Defender vulnerability assessment solution for all VMs in the subscription.

Why this answer

Option D is correct: turning on the vulnerability assessment setting in Defender for Cloud's environment settings auto-provisions the integrated scanner to all current and future VMs in the subscription, so the recommendation starts reporting real results. Microsoft Defender Vulnerability Management is now the default integrated scanner, replacing the Qualys-based option. Option A is wrong because the Azure Monitor Agent collects logs; it is not the vulnerability scanner, and per-VM installation does not scale. Option B is wrong because a Defender for Servers plan is a prerequisite for the scanner (Plan 1 suffices; Plan 2 is not required), not the switch that deploys it.

Option C is wrong because a policy assignment that deploys the provider addresses only the machines in scope of that assignment and still depends on the plan being enabled.

718
Multi-Selectmedium

You are configuring Azure AD Conditional Access policies for a company that uses Microsoft Intune for mobile device management. Which three of the following conditions can be used to enforce access controls in a Conditional Access policy? (Choose three.)

Select 3 answers
.Device compliance status
.User sign-in risk level
.Application sensitivity labels
.Azure AD role membership
.Network location based on public IP address
.Operating system version of the client device

Why this answer

Device compliance status is evaluated through device state: the grant control 'Require device to be marked as compliant' relies on the Intune compliance result, so only managed, compliant devices pass (the exam treats this device-based evaluation as a condition). User sign-in risk level is a native condition fed by Microsoft Entra ID Protection, letting the policy block or require MFA when a sign-in looks anomalous. Network location is a native condition: named locations built from public IP ranges (or countries) can be included or excluded, for example to require MFA only from outside the corporate egress addresses. Application sensitivity labels are not a Conditional Access condition; a label can stamp an authentication context onto a SharePoint site, and a policy then targets that authentication context as a resource, which is an assignment rather than a condition.

Exam trap

The trap here is that candidates confuse 'conditions' with 'controls' or 'assignments'. Azure AD role membership is an assignment (who the policy applies to), not a condition (what triggers the policy), and operating system version is not a native condition either: device platform is, and a version constraint has to be expressed through a filter for devices or an Intune compliance policy.

719
MCQhard

A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?

A.The route table is not associated with the spoke subnet.
B.Azure Firewall is not configured with DNAT rules for outbound traffic.
C.The spoke VNet peering does not allow gateway transit.
D.The route table has a higher priority than system routes.
AnswerA

Correct. Without explicit association, the subnet uses system routes and traffic bypasses the firewall. The route table must be associated to the subnet to take effect.

Why this answer

The most likely reason is that the route table containing the default route (0.0.0.0/0) pointing to the Azure Firewall private IP has not been associated with the spoke subnet. Without this association, the subnet continues to use system routes, which include a default route to the internet via the Azure default gateway, allowing traffic to bypass the firewall. Associating the route table with the subnet is a required step to override the system default route.

Exam trap

The trap here is that candidates often assume creating a route table with the correct route is sufficient, forgetting that the route table must be explicitly associated with the subnet to take effect.

How to eliminate wrong answers

Option B is wrong because DNAT rules are used for inbound traffic (destination network address translation), not for controlling outbound traffic routing; outbound traffic through Azure Firewall is handled by forced tunneling via the route table, not DNAT. Option C is wrong because gateway transit is a setting for VPN/ExpressRoute gateway sharing in VNet peering, not for directing outbound internet traffic through a firewall in a hub; the spoke VNet does not need gateway transit to use a user-defined route pointing to the firewall's private IP. Option D is wrong because user-defined routes (UDRs) always have a higher priority than system routes by default; the issue is not priority but the lack of association of the route table to the subnet.

720
MCQmedium

You are reviewing the ARM template for an Azure Disk Encryption Set. The template includes the JSON snippet shown. You notice that the key version is empty. What is the consequence?

A.The encryption set will use a platform-managed key.
B.The encryption set will automatically use the latest version of the key.
C.The encryption set will use the key name without any version, causing it to fail.
D.The deployment will fail because a key version is required.
AnswerB

An empty key version means automatic use of latest version.

Why this answer

An empty key version means the encryption set will automatically use the latest version of the key, so Option B is correct. The empty version does not cause a failure (Options C and D); it enables automatic key rotation.

The encryption set does not use a platform-managed key (Option A) because a key name is specified.

721
Multi-Selecthard

A SQL workload needs to protect sensitive column values from database administrators who should not see plaintext. Which two features may be relevant depending on the query requirement?

Select 2 answers
A.Always Encrypted
B.Transparent Data Encryption only
C.Secure enclaves with Always Encrypted for richer operations
D.Basic server firewall rule
AnswersA, C

Correct for the stated requirement.

Why this answer

Always Encrypted (Option A) is correct because it ensures that sensitive column data is encrypted at the client side and never exposed in plaintext to the database engine, preventing database administrators from viewing the actual values. This feature protects data at rest and in transit between the client and server, making it ideal for scenarios where DBAs should not see plaintext column values.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with column-level encryption, assuming TDE protects against DBA access, when in fact TDE only encrypts data at rest and does not prevent authorized users from reading plaintext data via queries.

722
Multi-Selecthard

Which THREE are valid Microsoft Defender for Cloud plans? (Choose three.)

Select 3 answers
A.Defender for Identity
B.Defender for Office 365
C.Defender for SQL
D.Defender for Storage
E.Defender for Servers
AnswersC, D, E

Correct: Defender for SQL is a plan in Defender for Cloud.

Why this answer

Options C, D, and E are correct. Defender for Cloud plans include Defender for SQL (C), Defender for Storage (D), and Defender for Servers (E). Option A is wrong because Defender for Identity is a separate Microsoft 365 Defender product.

Option B is wrong because Defender for Office 365 is part of Microsoft 365 Defender, not Defender for Cloud.

723
MCQmedium

Your company uses Azure SQL Database. You need to ensure that all queries are audited for compliance. Which feature should you enable?

A.Enable SQL Vulnerability Assessment.
B.Enable SQL Auditing on the server and configure the audit log destination.
C.Configure Dynamic Data Masking.
D.Enable Advanced Threat Protection.
AnswerB

SQL Auditing logs database events, including queries, to a storage account, Log Analytics, or Event Hubs.

Why this answer

Azure SQL Auditing tracks database events, including queries, and writes them to an audit log, so Option B is correct. Option A is wrong because Vulnerability Assessment identifies vulnerabilities; it does not record queries.

Option D is wrong because Advanced Threat Protection detects anomalous activities rather than auditing every query. Option C is wrong because Dynamic Data Masking hides sensitive data from non-privileged users; it does not record queries.

724
MCQmedium

Your company uses Microsoft Entra ID with a hybrid identity model. You need to implement a solution that allows you to block legacy authentication attempts while still allowing modern authentication protocols. What should you use?

A.Create a Conditional Access policy to block legacy authentication
B.Enable Security defaults
C.Use Identity Protection to detect legacy authentication
D.Configure MFA for all users
AnswerA

Conditional Access can block legacy authentication while allowing modern authentication protocols.

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to explicitly block legacy authentication protocols (such as POP3, IMAP, SMTP, and basic auth) while permitting modern authentication (OAuth 2.0, OpenID Connect). By targeting the 'Client apps' condition and selecting 'Exchange ActiveSync clients' and 'Other clients', you can block all legacy auth attempts without affecting modern protocol traffic. This is the precise, granular control required for a hybrid identity model.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based detection with the ability to block legacy authentication, or assume that enabling MFA alone will prevent legacy auth, when in fact legacy clients can still authenticate with just a password if the protocol is not explicitly blocked.

How to eliminate wrong answers

Option B is wrong because Security defaults enforce a blanket set of security baselines (including blocking legacy authentication for all users) but cannot be customized; they would block legacy auth for all users without the ability to scope the policy or exclude specific accounts. Option C is wrong because Identity Protection detects and responds to risky sign-ins (e.g., leaked credentials, anonymous IP addresses) but does not block legacy authentication protocols; it is a risk-based detection tool, not a protocol-level enforcement mechanism. Option D is wrong because configuring MFA for all users forces multifactor authentication but does not inherently block legacy authentication; legacy clients that do not support MFA would still be able to authenticate using basic auth unless explicitly blocked.

725
MCQhard

A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?

A.SecurityAlert
B.AzureActivity
C.DeviceNetworkEvents
D.SigninLogs
AnswerD

Correct for the stated requirement.

Why this answer

SigninLogs is the correct primary source because it captures both failed and successful user sign-in events from Azure AD, including interactive and non-interactive logins. This table provides the necessary fields like ResultType (e.g., 0 for success, 50125 for failure) and UserPrincipalName to build a KQL query that detects a sequence of failed sign-ins followed by a successful one for the same user.

Exam trap

The trap here is that candidates often confuse AzureActivity (which logs administrative actions) with sign-in logs, or assume SecurityAlert contains raw event data, when in fact only SigninLogs provides the granular authentication events needed for this detection pattern.

How to eliminate wrong answers

Option A is wrong because SecurityAlert contains pre-built security alerts (e.g., from Microsoft Defender for Cloud), not raw sign-in event logs, so it cannot be used to query individual sign-in success/failure sequences. Option B is wrong because AzureActivity logs control plane operations (e.g., resource creation, RBAC changes) and does not include user authentication events like sign-ins. Option C is wrong because DeviceNetworkEvents logs network-level events (e.g., connections, DNS queries) from Microsoft Defender for Endpoint, not Azure AD authentication events.

726
Multi-Selecteasy

Which TWO of the following are valid methods to authenticate users in Microsoft Entra ID?

Select 2 answers
A.SMS text message one-time passcode
B.Certificate-based authentication
C.Password hash synchronization
D.Facebook account federation
E.Hardware OTP tokens
AnswersB, C

Certificate-based authentication is supported for smart card and certificate-based logins.

Why this answer

Certificate-based authentication (CBA) is a valid method in Microsoft Entra ID that allows users to authenticate using X.509 certificates issued by a trusted public key infrastructure (PKI). This method is commonly used for smart card or device-based authentication, and it supports both user and device scenarios without requiring passwords.

Exam trap

The trap here is that candidates often confuse multi-factor authentication methods (like SMS OTP or hardware tokens) with primary authentication methods, leading them to incorrectly select options that are only valid as secondary factors.

727
Multi-Selectmedium

You are a security engineer for a global enterprise that uses Microsoft Entra ID (formerly Azure Active Directory). The company requires that all administrative access to Azure resources be secured using Privileged Identity Management (PIM) and that access reviews are conducted regularly. You need to implement a solution that meets the following requirements:

- Administrators must be able to activate their roles only during approved time windows.
- All role activations must require Azure AD Multi-Factor Authentication (MFA).
- Role activations must be limited to a maximum of 4 hours.
- Access reviews must be performed every 90 days for all privileged roles.

Which four of the following actions should you take to meet the requirements? (Choose four.)

Select 4 answers
.Configure a role-assignable group in Entra ID and add it to the privileged role.
.In PIM settings for each privileged role, set the activation maximum duration to 4 hours.
.Configure an access review in Entra ID that reviews members of the privileged roles every 90 days.
.In PIM settings for each privileged role, require Azure AD MFA on activation.
.Create an Entra ID Conditional Access policy that requires MFA for all users when accessing Azure Resource Manager.
.In PIM settings for each privileged role, configure an approval workflow and define a time window for activation.

Why this answer

Configuring the activation maximum duration to 4 hours in PIM settings directly enforces the requirement that role activations are limited to a maximum of 4 hours. Requiring Azure AD MFA on activation in PIM settings ensures that all role activations are protected by MFA. Configuring an access review every 90 days for privileged roles meets the access review requirement.

Defining an approval workflow with a time window for activation in PIM settings allows administrators to activate roles only during approved time windows, fulfilling that specific requirement.

Exam trap

The trap here is that candidates may confuse a broad Conditional Access policy requiring MFA for Azure Resource Manager with the PIM-specific MFA requirement on activation, or think that a role-assignable group can enforce activation time windows and duration limits, which it cannot.

728
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users accessing sensitive data from unmanaged devices are required to use a compliant device. What should you configure?

A.Configure a device registration policy
B.Configure a Conditional Access policy that requires that the device be marked as compliant
C.Configure an Identity Protection policy for user risk
D.Configure a Conditional Access policy that requires multi-factor authentication
AnswerB

This enforces device compliance for access to sensitive data.

Why this answer

Option B is correct because Conditional Access policies can enforce device compliance requirements. Option A is incorrect because device registration does not enforce compliance checks. Option C is incorrect because Identity Protection focuses on user risk, not device state.

Option D is incorrect because requiring multi-factor authentication alone does not enforce device compliance.

729
MCQmedium

A company has an Azure virtual network with multiple subnets. They want to centrally inspect and log all outbound traffic to the internet. They also need to allow or deny traffic based on domain names (FQDNs). Which Azure resource should they deploy?

A.Azure Firewall
B.Network Virtual Appliance (NVA) from Azure Marketplace
C.Azure Application Gateway with Web Application Firewall (WAF)
D.Azure Network Security Groups (NSGs)
AnswerA

Azure Firewall can inspect outbound traffic, log it via diagnostic settings, and use application rules to allow/deny based on FQDNs. It is fully managed and integrates with Azure Monitor for logging.

Why this answer

Azure Firewall is a managed, cloud-native network security service that provides centralized outbound traffic inspection and logging. It supports application rules based on fully qualified domain names (FQDNs), enabling allow or deny decisions for outbound traffic to the internet using Layer 7 (application layer) filtering, which meets both requirements directly.

Exam trap

The trap here is that candidates often confuse Azure Firewall with Network Security Groups, mistakenly thinking NSGs can filter by domain names because they associate 'network security' with all traffic control, but NSGs lack Layer 7 capabilities and cannot inspect or filter based on FQDNs.

How to eliminate wrong answers

Option B (NVA from Azure Marketplace) is wrong because, while an NVA can inspect and log traffic and filter by FQDNs, it is not a native Azure managed service; it requires manual deployment, maintenance, and scaling, and does not provide the same level of integrated logging and central management as Azure Firewall for this specific use case. Option C (Azure Application Gateway with WAF) is wrong because it is designed for inbound HTTP/HTTPS traffic load balancing and web application protection, not for outbound traffic inspection or domain-based filtering of all outbound internet traffic. Option D (Azure Network Security Groups) is wrong because NSGs operate at Layer 3/4 (network and transport layers) and cannot filter traffic based on domain names (FQDNs); they only support source/destination IP addresses, ports, and protocols.

730
Multi-Selectmedium

You are designing a network security solution for a multi-tier application. The web tier must be accessible from the internet, but the application and database tiers must be isolated. Which TWO configurations should you implement?

Select 2 answers
A.Use network security groups (NSGs) on each subnet
B.Deploy each tier in a separate VNet
C.Deploy each tier in a separate subnet
D.Use VNet peering to connect the tiers
E.Place all VMs in the same subnet
AnswersA, C

NSGs filter traffic between subnets.

Why this answer

Option A is correct because NSGs can be used to restrict traffic between tiers. Option C is correct because isolating each tier in its own subnet allows granular NSG rules. Option E is wrong because a single subnet would not isolate the tiers.

Option D is wrong because VNet peering is for connecting VNets, not isolating tiers. Option B is wrong because a single VNet is fine; separate subnets, not separate VNets, should be used.

731
MCQhard

A company uses Microsoft Entra ID and has an application registered that exposes scopes. An external partner organization needs to authenticate and access a specific scope. The partner's tenant is not federated. What is the most secure way to provide access without creating user accounts?

A.Set the application to be multitenant and allow any user to sign in
B.Create a service principal and share the client secret
C.Create guest users in the tenant and assign licenses
D.Configure an enterprise application with 'Users and groups' assignment and set 'Assignment required?' to Yes
AnswerD

This allows external users to authenticate without dedicated user accounts.

Why this answer

The correct answer is D: configure an enterprise application with 'Users and groups' assignment and set 'Assignment required?' to Yes. This allows the partner to authenticate with their own credentials without creating user accounts. Option C is wrong because it creates guest users.

Option B is wrong because sharing a client secret bypasses per-user access control. Option A is wrong because it exposes the app to all users.

732
MCQhard

You have an Azure subscription with multiple VNets connected via VNet peering. You need to audit all network traffic between two specific VNets for compliance. The solution must capture traffic metadata (source/destination IP, ports, protocol) without affecting performance. What should you use?

A.Route all traffic through Azure Firewall and enable logs.
B.Enable NSG flow logs and use Network Watcher traffic analytics.
C.Use Network Watcher packet capture on the VMs.
D.Enable Azure Monitor metrics on the VNet peering.
AnswerB

Captures metadata with minimal performance impact.

Why this answer

Option B is correct because Network Watcher traffic analytics uses NSG flow logs to capture flow metadata and provides insights. Option D is wrong because Azure Monitor metrics don't capture flow data. Option A is wrong because Azure Firewall logs would require routing traffic through the firewall.

Option C is wrong because packet capture is for troubleshooting, not continuous auditing.

733
Multi-Selectmedium

Which THREE of the following are valid methods to secure service principals in Microsoft Entra ID?

Select 3 answers
A.Use certificate-based credentials instead of client secrets
B.Assign the service principal to the Global Administrator role to monitor its activity
C.Configure Conditional Access for workload identities to restrict sign-in conditions
D.Enable Azure Multi-Factor Authentication for the service principal sign-in
E.Use Managed Identities for Azure resources to avoid managing credentials
AnswersA, C, E

Certificates provide stronger security than client secrets.

Why this answer

A, C, and E are correct. Option A is correct because certificate-based credentials are more secure than client secrets. Option B is wrong because assigning the Global Administrator role does not secure a service principal; it grants excessive privilege, which is the opposite of least privilege.

Option D is wrong because enabling MFA for service principals is not supported; service principals are non-interactive. Option C is correct because Conditional Access for workload identities can restrict service principal access based on conditions. Option E is correct because managed identities provide an identity for Azure resources without credentials to manage.

734
MCQmedium

A security analyst is using Microsoft Sentinel to detect multi-stage attacks. They want to create an analytics rule that correlates a user sign-in from an unusual location with a subsequent data exfiltration attempt from Azure Blob Storage within one hour. Which type of analytics rule should they use?

A.Scheduled query rule with entity mapping.
B.Fusion rule.
C.Microsoft Security incident rule.
D.Anomaly rule.
AnswerA

Correct. Scheduled rules allow custom KQL to correlate events from different data sources within a time window.

Why this answer

A scheduled query rule with entity mapping is correct because it allows the security analyst to write a KQL query that correlates two distinct events—a sign-in from an unusual location and a subsequent data exfiltration from Azure Blob Storage—within a defined time window (one hour). Entity mapping enables the rule to link these events by common entities (e.g., user account or IP address), which is essential for detecting multi-stage attacks. This rule type runs on a schedule, making it ideal for time-bound correlation queries.

Exam trap

The trap here is that candidates often confuse Fusion rules (which also correlate events) with scheduled queries, but Fusion rules are limited to pre-built correlations from Microsoft security products, whereas scheduled queries allow custom KQL logic across any data source.

How to eliminate wrong answers

Option B (Fusion rule) is wrong because Fusion rules are designed to automatically correlate alerts from multiple Microsoft security products (e.g., Microsoft Defender for Cloud Apps, Azure AD Identity Protection) into a single incident, not to run custom KQL queries that correlate raw log data like sign-in logs and storage logs. Option C (Microsoft Security incident rule) is wrong because it creates incidents from alerts generated by Microsoft security services (e.g., Microsoft Defender for Endpoint), not from custom log analytics queries. Option D (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns in a single data source over time, not to correlate two specific event types across different data sources within a fixed time window.

735
MCQeasy

You run the above PowerShell script. What is the effect on the storage account?

A.Block blobs with the prefix 'logs' are deleted after 30 days
B.Block blobs with the prefix 'logs' are deleted after 90 days
C.All block blobs are deleted after 30 days
D.Block blobs with the prefix 'logs' are moved to cool tier after 30 days
AnswerA

Matches the policy.

Why this answer

Option A is correct: the script creates a management policy rule that deletes block blobs with the prefix 'logs' after 30 days since last modification. Option B is wrong because the rule deletes after 30 days, not 90. Option D is wrong because the action is delete, not a tier change.

Option C is wrong because the rule applies only to block blobs with the prefix 'logs', not to all block blobs.

736
MCQhard

An organization wants to detect when a privileged Azure role assignment is created outside the approved change window. Which log source should a Sentinel rule query?

A.Heartbeat
B.AzureActivity
C.Perf
D.StorageBlobLogs
AnswerB

Correct for the stated requirement.

Why this answer

AzureActivity logs capture all control-plane operations on Azure resources, including role assignment creations (e.g., 'Microsoft.Authorization/roleAssignments/write'). By querying AzureActivity in a Sentinel rule, you can detect when a privileged role assignment is made outside an approved change window. Heartbeat, Perf, and StorageBlobLogs do not record Azure RBAC changes.

Exam trap

The trap here is that candidates may confuse data-plane logs (StorageBlobLogs) or agent health logs (Heartbeat, Perf) with control-plane activity logs, failing to recognize that only AzureActivity captures RBAC changes at the subscription scope.

How to eliminate wrong answers

Option A is wrong because Heartbeat logs are used for agent health monitoring and do not contain Azure RBAC activity. Option C is wrong because Perf logs contain performance counters (CPU, memory, disk) and have no role assignment data. Option D is wrong because StorageBlobLogs record data-plane operations on blob storage (e.g., reads, writes) and not control-plane role assignments.

737
MCQmedium

You manage a Microsoft Entra ID tenant for a multinational company. Users in the European office report that they cannot access the company's custom line-of-business application during peak hours, while users in the US office have no issues. The application uses OAuth 2.0 authentication with Conditional Access policies applied. What is the most likely cause?

A.The application's service principal has been accidentally disabled in the European tenant location.
B.The Conditional Access policy requires compliant devices, and European devices are taking longer to report compliance during peak hours.
C.The Conditional Access policy requires multi-factor authentication for all users, and the MFA session token expired for European users.
D.The token lifetime policy for the application is set too low, causing European users to reauthenticate more frequently.
AnswerB

Device compliance checks can be delayed due to network load, affecting access.

Why this answer

Option B is correct because users in different regions may experience different authentication latency if the Conditional Access policy requires compliant devices, and the device compliance evaluation may take longer during peak hours due to network congestion. Option A is wrong because a service principal is a tenant-wide object; it cannot be disabled for a single office location. Option C is wrong because MFA session expiry is uniform per policy; peak hours do not trigger session revocation.

Option D is wrong because token lifetime policies are applied globally, not per region.

738
MCQeasy

Your organization wants to ensure that users accessing Office 365 from outside the corporate network must use MFA. What is the most efficient way to enforce this?

A.Enable MFA for all users in Microsoft Entra ID.
B.Create a Conditional Access policy for all cloud apps with location condition.
C.Use Conditional Access with device compliance condition.
D.Create a Conditional Access policy for Office 365 with location condition and require MFA.
AnswerD

Efficiently applies MFA only for external access.

Why this answer

Option D is correct because it specifically targets Office 365 cloud apps and uses the location condition to restrict MFA enforcement to access from outside the corporate network. This is the most efficient approach as it applies only to the relevant application and network location, minimizing user friction while meeting the requirement exactly.

Exam trap

The trap here is that candidates often choose a broad policy (Option B) thinking it covers all scenarios, but the question specifically asks for Office 365, so the most efficient solution targets only that app to avoid unnecessary MFA prompts on other cloud services.

How to eliminate wrong answers

Option A is wrong because enabling MFA for all users globally forces MFA on every sign-in, including from inside the corporate network, which is overly broad and inefficient. Option B is wrong because creating a Conditional Access policy for all cloud apps with a location condition would enforce MFA on every cloud app (e.g., Azure Portal, Dynamics 365), not just Office 365, which is unnecessary and may disrupt non-Office 365 workflows. Option C is wrong because using a device compliance condition enforces MFA based on device health rather than network location, failing to address the specific requirement of enforcing MFA only for external access.

739
MCQmedium

Refer to the exhibit. You are reviewing the encryption configuration of an Azure Log Analytics workspace used by Microsoft Sentinel. The configuration shows infrastructure encryption enabled and customer-managed key (CMK) from Azure Key Vault. What additional step must be taken to ensure that the CMK is used for all data?

A.Enable double encryption on Sentinel
B.Enable purge protection on the Key Vault
C.Grant the Log Analytics workspace access to the Key Vault key
D.Ensure the Key Vault is in a different region than the workspace
AnswerC

Correct: The workspace needs permissions to use the key.

Why this answer

Option C is correct because when using CMK with Log Analytics, you must grant the Log Analytics service principal (or managed identity) access to the Key Vault key. Option A is wrong because Sentinel itself does not directly use the key. Option D is wrong because the key must be in the same region as the workspace, not a different one.

Option B is wrong because soft-delete must be enabled on the Key Vault, not purge protection specifically.

740
MCQhard

You are a security architect for a global company. The company uses Azure Front Door to publish web applications. You need to ensure that only traffic from Azure Front Door's backend IP ranges can reach the origin servers. The origin servers are behind Azure Application Gateway. You have already configured Access Restrictions on the Application Gateway to allow only Azure Front Door's backend IP ranges. However, you discover that the Application Gateway is still receiving traffic from other sources. You need to implement a defense-in-depth approach to ensure only Azure Front Door traffic reaches the origin. What should you do?

A.Enable Web Application Firewall (WAF) on the Application Gateway to block non-Front Door traffic.
B.Configure Azure Front Door Premium with Private Link origin to the Application Gateway.
C.Add a network security group (NSG) on the Application Gateway subnet to deny all traffic except from Front Door's IP ranges.
D.Use Azure Front Door geo-filtering to block all countries except the home country.
AnswerB

Private Link ensures traffic from Front Door to the origin is private and only from Front Door.

Why this answer

Option B is correct: Private Link with a Front Door private endpoint ensures traffic from Front Door to the origin goes over the Microsoft backbone and is not exposed to the internet. Combined with Access Restrictions, this provides defense-in-depth. Option A is incorrect because WAF does not restrict source IPs.

Option C is incorrect because the origin is already behind Application Gateway, and adding an NSG at the subnet does not prevent traffic from other sources that are allowed through Application Gateway. Option D is incorrect because geo-filtering does not restrict traffic to Front Door IPs.

741
MCQmedium

You are the security administrator for a company that is integrating a third-party SaaS application (AppA) with Microsoft Entra ID for single sign-on (SSO). The application requires the following permissions: read all users, read all groups, and sign in users. The security team is concerned about over-privileged applications. They require that:

- The application must not be able to read users or groups without an admin's explicit consent.
- Users should be able to sign in to the application without admin consent for basic profile access.
- Admin consent must be granted only for the minimal permissions required.
- You must be able to review and audit all permissions granted to applications.

What should you do?

A.In Microsoft Entra ID, configure user consent settings to require admin consent for permissions classified as 'high risk' (e.g., User.Read.All, Group.Read.All). Allow user consent for low-risk permissions. Grant admin consent for the required Graph permissions.
B.Allow user consent for all permissions. Grant admin consent for Graph permissions.
C.Block all user consent and require admin consent for all permissions. Grant admin consent for all required permissions.
D.Block all OAuth 2.0 applications and use SAML-based SSO instead.
AnswerA

This meets requirements by allowing user consent for basic profile and requiring admin consent for high-risk permissions.

Why this answer

Option A is correct because you can configure user consent settings to require admin consent for high-risk permissions (User.Read.All, Group.Read.All) while allowing user consent for low-risk permissions such as basic profile access; admin consent is then granted only for the required Graph permissions. Option C is wrong because blocking all user consent would prevent users from signing in for basic profile access without an admin.

Option B is wrong because allowing all user consent would let users consent to high-risk permissions. Option D is wrong because blocking all OAuth 2.0 apps is too restrictive.

742
MCQ · medium

A company uses Microsoft Defender for Cloud to monitor its security posture. The compliance team wants to receive email notifications immediately when a control in the ISO 27001 regulatory compliance standard fails. They want to be alerted only when specific controls change from 'compliant' to 'non-compliant'. Which feature should they configure?

A. Security Alerts from Microsoft Defender for Cloud
B. Regulatory Compliance dashboard with continuous export
C. Workflow automation based on regulatory compliance assessment changes
D. Custom recommendations in Microsoft Defender for Cloud
Answer: C

Workflow automation rules in Defender for Cloud can trigger actions (such as email notifications) when a regulatory compliance assessment changes, enabling proactive alerts for control failures.

Why this answer

Option C is correct because workflow automation in Microsoft Defender for Cloud can be configured to trigger based on regulatory compliance assessment changes, specifically when a control transitions from 'compliant' to 'non-compliant'. This allows the compliance team to receive immediate email notifications for ISO 27001 control failures without manual polling or dashboard monitoring.

Exam trap

The trap here is that candidates often confuse Security Alerts (which are threat-focused) with compliance state change notifications, or assume the Regulatory Compliance dashboard's continuous export can directly send real-time email alerts, but it only exports data to external sinks without built-in notification logic.

How to eliminate wrong answers

Option A is wrong because Security Alerts in Defender for Cloud are triggered by threat detection events (e.g., suspicious activities, vulnerabilities), not by regulatory compliance control state changes. Option B is wrong because the Regulatory Compliance dashboard with continuous export sends data to Log Analytics or Event Hubs for archival and analysis, but it does not natively support immediate email notifications based on specific control state transitions. Option D is wrong because custom recommendations are used to define additional security best practices or policies, not to trigger notifications on compliance control changes.

743
MCQ · hard

Your organization is implementing a zero-trust security model using Microsoft Entra ID. You need to ensure that all access requests to sensitive applications are evaluated in real-time based on user behavior and device posture before granting access. Which Microsoft Entra ID feature should you use?

A. Privileged Identity Management (PIM) with approval workflow
B. Conditional Access with session controls
C. Continuous Access Evaluation (CAE)
D. Identity Protection with sign-in risk policy
Answer: C

CAE provides real-time token validation and policy enforcement.

Why this answer

Continuous Access Evaluation (CAE) is the correct feature because it enforces real-time access revocation based on critical events such as user behavior changes (e.g., account disablement, password change) and device posture shifts (e.g., device non-compliance). Unlike periodic token validation, CAE uses a near-real-time event-driven model via the Microsoft Entra ID event service and OAuth 2.0 token claims to immediately block access to sensitive applications when risk is detected.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls (which are applied only at initial sign-in) with Continuous Access Evaluation (which provides real-time, event-driven enforcement throughout the session), leading them to choose Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) with approval workflow manages just-in-time privileged role activation and requires manual approval; it does not evaluate user behavior or device posture in real-time for every access request. Option B is wrong because Conditional Access with session controls enforces policies at initial authentication and can apply session restrictions (e.g., app-enforced restrictions), but it does not provide continuous real-time evaluation after token issuance; it relies on token lifetime and does not react to mid-session changes in user behavior or device posture. Option D is wrong because Identity Protection with sign-in risk policy evaluates risk only at sign-in time based on historical signals and machine learning models; it does not continuously monitor user behavior or device posture during an active session.

744
MCQ · hard

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

A. The on-premises traffic uses a more specific route learned via BGP from the VPN gateway, which overrides the UDR
B. The UDR must be applied to the subnet that hosts the Azure Firewall
C. The spoke subnet does not have 'GatewaySubnet' route propagation enabled
D. The Azure Firewall is not configured with a route to the on-premises network
Answer: A

BGP-learned routes for on-premises networks are more specific than 0.0.0.0/0, so they are used even when a UDR for 0.0.0.0/0 exists. To force this traffic through the firewall, you must either disable BGP route propagation or create specific UDRs for the on-premises ranges.

Why this answer

The most likely cause is that the on-premises traffic uses a more specific route learned via BGP from the VPN gateway, which overrides the user-defined route (UDR). In Azure, when a UDR and a BGP-propagated route both match traffic, the route with the most specific prefix (longest prefix match) wins. Since on-premises networks are typically advertised with specific IP prefixes (e.g., 10.0.0.0/16) rather than 0.0.0.0/0, the BGP-learned routes take precedence, causing traffic to bypass the Azure Firewall.

Exam trap

The trap here is that candidates assume a default route (0.0.0.0/0) UDR will always override all other routes, but Azure's route selection uses longest prefix match, so more specific BGP-learned routes for on-premises networks will take precedence over the default UDR.

How to eliminate wrong answers

Option B is wrong because the UDR must be applied to the subnet where the workload (spoke) resides, not to the Azure Firewall subnet; the firewall subnet itself uses system routes or BGP for its own traffic. Option C is wrong because 'GatewaySubnet' route propagation is not a property of the spoke subnet; it is a setting on the virtual network gateway subnet, and disabling it would not affect UDR precedence over BGP routes. Option D is wrong because the Azure Firewall does not need a specific route to the on-premises network; it only needs to be the next hop for traffic, and the issue is that traffic is not reaching the firewall due to BGP route override, not a missing route on the firewall.

745
MCQ · medium

You manage multiple Azure subscriptions with VNets that need to communicate with each other. You want to centrally manage and enforce security policies across all VNets. Which Azure service should you use?

A. Azure Network Watcher.
B. Azure Policy.
C. Azure Blueprints.
D. Azure Firewall Manager.
Answer: D

Firewall Manager centralizes firewall policies across subscriptions.

Why this answer

Option D is correct because Azure Firewall Manager provides centralized security policy management for Azure Firewall across multiple subscriptions. Option B is wrong because Azure Policy is for resource compliance, not network traffic management. Option C is wrong because Azure Blueprints is for environment definition.

Option A is wrong because Network Watcher is for monitoring.

746
MCQ · hard

You deploy the Bicep template shown in the exhibit. After deployment, you check Microsoft Sentinel and find it is not enabled. The Log Analytics workspace and Defender for Cloud pricing plan are created successfully. What is the most likely reason Sentinel is not enabled?

A. The Defender for Cloud pricing tier is set to 'Standard' but should be 'Free' for Sentinel.
B. The workspace retention is set to 90 days, but Sentinel requires at least 180 days.
C. The Log Analytics workspace SKU is set to 'PerGB2018' but Sentinel requires 'PerNode'.
D. The sentinel resource does not reference the workspace, so it is not linked.
Answer: D

Correct. The sentinel onboarding resource must be associated with the workspace.

Why this answer

Option D is correct because the sentinel resource (onboardingStates) is defined but it is not linked to the workspace resource. In Bicep, you need to create a dependency or reference the workspace ID to link Sentinel to that workspace. Without a dependency, the resources are deployed but Sentinel is not onboarded to the workspace.

Option A is wrong because the pricing tier is Standard, which is correct. Option C is wrong because the SKU is PerGB2018, which is correct. Option B is wrong because retention is 90 days, which is allowed.

747
Multi-Select · easy

Which TWO of the following are valid data connectors in Microsoft Sentinel?

Select 2 answers
A. Microsoft SQL Server
B. Google Cloud Platform
C. VMware vCenter
D. Azure Active Directory (Microsoft Entra ID)
E. Amazon Web Services S3
Answers: D, E

Entra ID connector is built-in.

Why this answer

Options D and E are correct. Option E is correct because the Amazon Web Services S3 connector is available. Option D is correct because the Azure Active Directory (now Microsoft Entra ID) connector is available.

Option B is wrong because there is no direct connector for Google Cloud Platform; it requires a custom solution. Option A is wrong because a Microsoft SQL Server connector does not exist directly; it uses Windows Event Forwarding. Option C is wrong because VMware vCenter is not a built-in connector.

748
MCQ · easy

You are configuring Azure Private Link for a SQL Database. You want to ensure that all traffic from your virtual network to the SQL Database stays within the Microsoft Azure backbone network. What is the primary benefit of using Azure Private Link over a service endpoint?

A. Private Link provides higher throughput than service endpoints.
B. Private Link assigns a private IP address to the SQL Database within your virtual network, preventing exposure to the public internet.
C. Private Link enables access to the SQL Database from on-premises via VPN/ExpressRoute without traversing the internet.
D. Private Link allows you to use NSGs to filter traffic to the SQL Database.
Answer: B

Private Link uses a private endpoint with a private IP, eliminating public internet exposure.

Why this answer

Option B is correct because Private Link provides private IP connectivity, ensuring traffic does not traverse the public internet. Option D is wrong because both can be secured with NSGs. Option C is wrong because service endpoints also use the Azure backbone.

Option A is wrong because Private Link does not necessarily provide higher throughput.

749
Multi-Select · medium

Which TWO actions can be performed using Microsoft Defender for Cloud's security alerts? (Choose two.)

Select 2 answers
A. Directly modify the affected Azure resource's configuration from the alert.
B. Export alerts to a third-party SIEM using continuous export.
C. Change the severity of an alert after it is generated.
D. Create suppression rules to automatically dismiss alerts that meet specific criteria.
E. Trigger a logic app playbook automatically when an alert is generated.
Answers: D, E

Suppression rules allow you to suppress alerts based on conditions.

Why this answer

Options D and E are correct. Defender for Cloud alerts support suppression rules and automated response via playbooks. Option A is wrong because Defender for Cloud does not directly modify resources; it triggers actions via playbooks.

Option B is wrong because alerts can be dismissed. Option C is wrong because alert severity is set by Defender for Cloud, not by users.

750
MCQ · easy

You need to restrict access to a web app hosted on Azure App Service so that only traffic from a specific virtual network (VNet) is allowed. Which Azure service should you configure?

A. Azure Application Gateway
B. Azure Front Door
C. App Service access restrictions
D. Azure Firewall
Answer: C

App Service access restrictions allow IP-based and VNet-based access control directly on the web app.

Why this answer

Option C is correct because Azure App Service access restrictions allow you to block or allow traffic based on source IP addresses or VNet service endpoints. Option B is wrong because Azure Front Door is a global load balancer, not a network restriction feature for App Service. Option D is wrong because Azure Firewall is a managed firewall service that is not used directly to restrict App Service access; it would only be an intermediary.

Option A is wrong because Azure Application Gateway is a layer 7 load balancer that can provide WAF but not native App Service access restrictions.
