Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 826–900

1000 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826
MCQ · medium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns a list of IP addresses that have attempted to sign in more than 10 times in the last day. You notice that the query does not filter out successful sign-ins. You need to modify the query to count only failed sign-in attempts. What should you add?

A. Add '| where Status == "Failure"' before the summarize
B. Add '| where Result == "Failure"' before the summarize
C. Add '| where ResultType == "0"' before the summarize
D. Add '| where ResultType != "0"' before the summarize

Answer: D

This excludes successful sign-ins (ResultType == "0").

Why this answer

Option D is correct because filtering on ResultType != "0" before the summarize excludes successful sign-ins (ResultType == "0"), so only failed attempts are counted. Option C is wrong because ResultType == "0" keeps only successful sign-ins, the opposite of what is needed. Option A is wrong because Status is not a column in the sign-in logs; the result column is ResultType. Option B is wrong because the column is named ResultType, not Result.

827
MCQ · easy

Refer to the exhibit. You deploy the Azure Firewall using the ARM template snippet above. A user from the 10.0.1.0/24 subnet reports they cannot access https://portal.azure.com. All other internet access is blocked. What is the most likely reason?

A. The rule priority is too low and is overridden by a deny-all rule.
B. The targetFqdns uses a wildcard that does not match the exact FQDN.
C. The subnet does not have a route to the Azure Firewall.
D. The protocol is set to HTTPS but the user is using HTTP.

Answer: C

Without a UDR, traffic bypasses the firewall.

Why this answer

Option C is correct because the exhibit shows the firewall deployed with an application rule that would permit the user's traffic: the rule allows sources in 10.0.0.0/8, which contains 10.0.1.0/24, and it allows HTTPS. What is missing is a route table on the user's subnet with a user-defined route (UDR) pointing to the Azure Firewall. Without that route, traffic from the subnet never reaches the firewall, so the allow rule is never evaluated. Option A is wrong because the rule priority is fine. Option B is wrong because, even though the rule uses the wildcard '*.portal.azure.com', an FQDN mismatch could only matter once traffic reaches the firewall, and here it does not. Option D is wrong because the rule allows HTTPS, which is the protocol the user is using.

828
MCQ · medium

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. The security team receives an alert about a critical vulnerability in an Azure VM that was remediated two weeks ago. What is the most likely reason the alert is still active?

A. The VM has not been rescanned after the remediation was applied.
B. The alert is a false positive due to a known issue in the vulnerability assessment engine.
C. The alert has a 30-day retention period and cannot be dismissed before that.
D. Silent Remediation was enabled, preventing the alert from being dismissed.

Answer: A

Defender for Cloud alerts are based on the last vulnerability scan; a new scan is needed to clear the alert.

Why this answer

Option A is correct because Defender for Cloud vulnerability findings reflect the latest vulnerability assessment scan; if the VM has not been rescanned since the remediation, the finding remains active. Option B is wrong because the alert reflects stale scan data, not a defect in the assessment engine. Option C is wrong because alerts are not held for a fixed retention period and then dismissed; they clear when a new scan no longer detects the vulnerability. Option D is wrong because Silent Remediation suppresses alerts after remediation rather than keeping them active.

829
MCQ · medium

A security team uses Microsoft Defender for Cloud. They want to receive a weekly email summary of the Secure Score, top recommendations, and new alerts for their subscription. Which feature should they configure?

A. Enable the 'Weekly email summary' option in the Defender for Cloud email notifications settings.
B. Configure continuous export to export all security data to a Log Analytics workspace and use a workbook to create a summary.
C. Create a workflow automation that triggers on a schedule and uses a Logic App to send an email summary.
D. Enable the 'Security Policy' default initiative to automatically send reports.

Answer: A

Defender for Cloud can email a summary report on a weekly or daily basis with Secure Score, recommendations, and alerts.

Why this answer

Option A is correct because Defender for Cloud includes a built-in 'Email notifications' settings page where you can enable a weekly email summary that automatically delivers the Secure Score, top recommendations, and new alerts. This feature is designed specifically for periodic, high-level security posture summaries without requiring custom infrastructure.

Exam trap

The trap here is that candidates confuse the built-in 'Weekly email summary' with custom automation solutions (Logic Apps, continuous export) or policy-based reporting, assuming a scheduled email requires external orchestration when Defender for Cloud already provides a native, one-click configuration.

How to eliminate wrong answers

Option B is wrong because continuous export to a Log Analytics workspace is used for real-time streaming of security data for custom analytics or retention, not for generating a pre-built weekly email summary; it requires additional manual setup (e.g., workbooks, scheduled queries) to produce an email. Option C is wrong because workflow automation in Defender for Cloud triggers on specific events (e.g., alert generation, recommendation state change), not on a schedule; using a Logic App on a schedule would be a custom workaround, not the native feature designed for this purpose. Option D is wrong because the 'Security Policy' default initiative (e.g., Azure Security Benchmark) defines compliance controls and remediation logic, but it does not include any capability to automatically send reports or email summaries.

830
MCQ · medium

A company enabled Azure Disk Encryption on Windows virtual machines using Azure Key Vault to store encryption keys. They have enabled soft-delete and purge protection on the Key Vault. After a user accidentally deletes a key, the company tries to recover it but the recovery operation fails. What is the most likely reason for the recovery failure?

A. The key vault is in a different Azure region than the VM.
B. The key vault firewall is blocking access from the VM's virtual network.
C. The key was not created with soft-delete enabled.
D. The VM's managed identity does not have 'Key Vault Crypto Service Encryption User' permission.

Answer: B

If the Key Vault firewall is enabled and does not allow traffic from the VM's VNet, the VM cannot communicate with the Key Vault for key recovery operations. This is a common configuration issue.

Why this answer

The key recovery operation fails because the Key Vault firewall is blocking the recovery request from the VM's virtual network. Even though soft-delete and purge protection are enabled, the firewall rules prevent the VM from communicating with the Key Vault to perform the recovery. The recovery operation requires network access to the Key Vault endpoint, and if the firewall is configured to deny traffic from the VM's subnet, the operation will fail.

Exam trap

The trap here is that candidates assume soft-delete and purge protection alone guarantee recovery, overlooking that network-level restrictions like Key Vault firewalls can block the recovery operation even when the key is still in a recoverable state.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault and Azure VMs can be in different regions; Azure Disk Encryption supports cross-region scenarios as long as the Key Vault is in the same Azure subscription and the VM can access the Key Vault endpoint. Option C is wrong because soft-delete is enabled on the Key Vault, and the key itself inherits this setting; keys created after soft-delete is enabled are automatically protected. Option D is wrong because the VM's managed identity permission is used for encryption/decryption operations, not for recovering deleted keys; recovery is a Key Vault management operation that requires 'Key Vault Contributor' or an equivalent RBAC role on the Key Vault, not the Crypto Service Encryption User role.

831
MCQ · hard

Your organization uses Microsoft Intune for mobile device management. You need to implement a conditional access policy that only allows access to corporate email from devices that are enrolled in Intune and compliant with security policies. However, the policy is not working for some users who report that they cannot access email even though their devices are compliant. You discover that the users have multiple devices and are signing in from a device that is not enrolled. What should you do?

A. Enroll all devices in Intune
B. Remove the conditional access policy
C. Use app protection policies instead
D. Ensure users sign in only from compliant devices

Answer: D

This resolves the issue by enforcing device compliance during sign-in.

Why this answer

Option D is correct: configure the Conditional Access policy with the 'Require device to be marked as compliant' control and ensure the users sign in only from compliant devices. Users with multiple devices may inadvertently sign in from a device that is not enrolled and therefore not compliant, and the policy is correctly blocking that sign-in. Option B (Remove the conditional access policy) would remove the protection. Option A (Enroll all devices in Intune) may not be practical. Option C (Use app protection policies) addresses app-level protection but not device-level compliance.

832
MCQ · hard

You are designing a solution to store sensitive documents in Azure Blob Storage. The documents must be encrypted at rest using a customer-managed key that is automatically rotated every 90 days. Microsoft Entra ID must be used to control access to the key. What should you use?

A. Azure Storage Service Encryption (SSE) with platform-managed keys.
B. Azure Storage encryption with infrastructure encryption enabled.
C. Azure Storage Service Encryption (SSE) with a customer-managed key stored in Azure Key Vault and configure key rotation.
D. Client-side encryption (CSE) using Azure Key Vault.

Answer: C

Customer-managed keys in Key Vault allow control and automatic rotation.

Why this answer

Option C is correct because SSE with a customer-managed key stored in Azure Key Vault, combined with automatic rotation (configured on the key or enforced via Azure Policy), meets the requirements: customer control of the key, a 90-day rotation, and Microsoft Entra ID control over access to the key. Option A is wrong because SSE with platform-managed keys does not allow customer-managed keys. Option D is wrong because CSE encrypts on the client side, not server-side at rest. Option B is wrong because infrastructure encryption adds a second layer of encryption but does not involve customer key management.

833
MCQ · medium

Your company uses Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with company policies can access corporate resources. You have configured compliance policies in Intune. What additional step is required to enforce access control based on device compliance?

A. Create a Conditional Access policy that requires device to be marked as compliant
B. Enable certificate-based authentication for all devices
C. Deploy device configuration profiles to all devices
D. Configure app protection policies in Microsoft Defender for Cloud Apps

Answer: A

Conditional Access evaluates device compliance and allows or blocks access to corporate resources.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID enforce access based on the device compliance status reported by Intune. Option C is wrong because device configuration profiles apply settings but do not enforce access. Option D is wrong because app protection policies manage data within apps. Option B is wrong because certificates are for authentication, not compliance enforcement.

834
MCQ · hard

Your organization uses Microsoft Sentinel to manage security incidents. You need to configure automated response to block a user account when a high-severity incident is triggered. The response should be automatically executed when the incident is created. What should you create?

A. An analytics rule
B. A playbook
C. An automation rule that triggers a playbook
D. A workbook

Answer: C

Automation rules can automatically run playbooks when incidents are created.

Why this answer

Option C is correct because an automation rule in Microsoft Sentinel can trigger a playbook when an incident is created. Option B is wrong because a playbook alone does not automatically run on incident creation; it needs an automation rule to trigger it. Option A is wrong because analytics rules generate alerts and incidents, not automated responses. Option D is wrong because a workbook is a visualization tool.

835
MCQ · medium

You are configuring Microsoft Sentinel to detect a new type of ransomware that encrypts files and changes file extensions. You need to create a detection rule that generates an incident when the same pattern of file changes occurs on multiple hosts within a short time. Which rule type should you use?

A. Microsoft Security incident creation rule (ML behavior analytics).
B. Scheduled query rule.
C. Fusion rule (advanced multistage attack detection).
D. NRT (Near-Real-Time) query rule.

Answer: D

NRT rules run every minute and can correlate events across multiple hosts in near real time.

Why this answer

Option D is correct because NRT rules run their queries every minute with near-real-time latency and can correlate events across multiple hosts. Option B is wrong because scheduled query rules run at their scheduled interval and may miss a correlation that occurs within a short window. Option A is wrong because ML behavior analytics is for UEBA. Option C is wrong because Fusion is for multi-stage attacks.

836
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select three.)

Select 3 answers
A. Continuous assessment of security configurations.
B. Secure score tracking and improvement.
C. Just-in-time (JIT) VM access.
D. Security recommendations based on the Microsoft Cloud Security Benchmark.
E. File Integrity Monitoring (FIM).

Answers: A, B, D

CSPM continuously scans for misconfigurations.

Why this answer

Options A, B, and D are correct. CSPM provides continuous assessment of security configurations, Secure Score tracking, and security recommendations based on the Microsoft Cloud Security Benchmark. Option E is wrong because File Integrity Monitoring is part of Defender for Servers, not CSPM. Option C is wrong because JIT VM access is part of Defender for Servers Plan 2.

837
MCQ · hard

You are designing a secure compute solution for a critical application that must comply with PCI DSS. The application runs on Azure Virtual Machines with sensitive data. You need to ensure that ephemeral disks are encrypted at the host level. Which Azure Disk Encryption option should you use?

A. Server-side encryption (SSE) with platform-managed keys
B. Azure Disk Encryption (ADE) with Key Vault
C. Double encryption (SSE with CMK and ADE)
D. Encryption at host

Answer: D

Encryption at host encrypts the temp disk and disk caches, meeting PCI DSS requirements.

Why this answer

Option D is correct because encryption at host encrypts the temp disk and the OS/data disk caches, which is required for PCI DSS. Option B (Azure Disk Encryption) encrypts OS and data disks but not temp disks. Option A (server-side encryption with platform-managed keys) is the default but does not encrypt temp disks. Option C (double encryption) encrypts at two layers but still does not cover the temp disk unless encryption at host is used.

838
MCQ · easy

A security analyst uses Microsoft Defender for Cloud to monitor the security posture of their Azure subscription. They want to receive an email notification whenever a high-severity security alert is generated for any of their Azure resources. What should they configure in Defender for Cloud?

A. Create an alert rule in Azure Monitor that triggers an email when a security alert is raised.
B. Configure email notifications in the Defender for Cloud settings under 'Notifications'.
C. Use a Logic Apps playbook to send an email when a new alert is generated.
D. Set up a workflow automation rule in Microsoft Sentinel to forward alerts to email.

Answer: B

Defender for Cloud's email notification feature is specifically designed to send alerts to designated email addresses. You can set the severity level and recipients directly in the portal.

Why this answer

Option B is correct because Microsoft Defender for Cloud has a built-in 'Email notifications' setting under its environment settings that allows you to configure email recipients for high-severity alerts directly, without needing external services. This feature sends real-time email notifications for security alerts based on severity levels you define, making it the simplest and most direct method for this requirement.

Exam trap

The trap here is that candidates often confuse Defender for Cloud's native email notification settings with Azure Monitor alert rules or Logic Apps playbooks, assuming that security alerts must be routed through external services to trigger email, when in fact Defender for Cloud provides a direct configuration option for this purpose.

How to eliminate wrong answers

Option A is wrong because Azure Monitor alert rules can trigger on metrics or logs, but they cannot directly consume Defender for Cloud security alerts as a signal source; security alerts are managed within Defender for Cloud's own alert pipeline, not Azure Monitor metric/log alerts. Option C is wrong because Logic Apps playbooks are typically used for automated response actions (e.g., remediation) triggered by Defender for Cloud alerts, but they require additional configuration and are not the native email notification mechanism for alert generation. Option D is wrong because Microsoft Sentinel workflow automation rules are designed for incident creation and orchestration within Sentinel, not for forwarding Defender for Cloud alerts to email; Sentinel can ingest Defender for Cloud alerts, but email notification for those alerts is not a direct feature of Sentinel's automation rules.

839
MCQ · medium

A security team uses Microsoft Sentinel. They want to automatically assign a severity level and an owner to every incident that is created from a specific analytics rule. The owner should be a specific security operations group. Which Microsoft Sentinel feature should they configure to achieve this automation?

A. Modify the analytics rule to include a custom script that runs upon alert generation.
B. Create an automation rule that triggers when an incident is created and sets the severity and owner fields.
C. Use a Logic Apps playbook connected to the analytics rule's alert generation trigger.
D. Configure a workbook to filter and manually assign incidents.

Answer: B

Automation rules are designed to perform actions (such as changing severity, assigning an owner, or running playbooks) automatically when specific conditions are met (e.g., incident creation from a specific analytics rule).

Why this answer

Automation rules in Microsoft Sentinel allow you to centrally manage incident handling by triggering actions when incidents are created or updated. By configuring an automation rule that triggers on incident creation from the specific analytics rule, you can automatically set the severity and assign the incident to a security operations group (via an Azure AD group or user) without custom scripting or manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming that any automation requires a Logic Apps playbook, but automation rules are the correct, lightweight feature for simple field assignments like severity and owner.

How to eliminate wrong answers

Option A is wrong because analytics rules do not support embedding custom scripts directly; they generate alerts or incidents, and automation is handled separately via automation rules or playbooks. Option C is wrong because while a Logic Apps playbook can be triggered by an analytics rule, it is typically used for complex, multi-step orchestration (e.g., enrichment or response actions), not for simply setting severity and owner fields, which is more efficiently done with an automation rule. Option D is wrong because workbooks are visualization and reporting tools, not automation mechanisms; they cannot assign severity or ownership to incidents.

840
MCQ · easy

Your organization has multiple Azure subscriptions and wants to centrally manage Azure Firewall policies across all subscriptions. What should you use?

A. Azure Policy to enforce firewall rules
B. Azure Firewall Manager
C. Azure Resource Manager templates
D. Azure Network Watcher

Answer: B

Azure Firewall Manager enables central management of firewall policies across multiple subscriptions.

Why this answer

Azure Firewall Manager provides a centralized place to manage firewall policies across multiple subscriptions and regions. It supports hierarchical policies and can be applied to multiple Azure Firewall instances.

841
MCQ · easy

You are configuring a conditional access policy to block access from untrusted locations. The policy should apply to all cloud apps except Microsoft Entra ID Administration. How should you configure the policy?

A. Include 'All cloud apps' and set 'Block access'
B. Include 'Select apps' and choose all apps except admin
C. Include 'All cloud apps' and exclude 'Microsoft Entra ID Administration'
D. Include 'All cloud apps' and exclude 'Office 365'

Answer: C

Excludes the admin portal from blocking.

Why this answer

Option C is correct because the requirement is to block access from untrusted locations for all cloud apps except Microsoft Entra ID Administration. In Conditional Access, you include 'All cloud apps' to cover every app, then explicitly exclude 'Microsoft Entra ID Administration' to exempt it from the block. This ensures the policy applies broadly while honoring the exclusion.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra ID Administration' with 'Office 365' or think they must manually select all apps, missing the efficient 'All cloud apps' plus exclusion pattern.

How to eliminate wrong answers

Option A is wrong because including 'All cloud apps' and setting 'Block access' would block all cloud apps, including Microsoft Entra ID Administration, which violates the requirement to exclude it. Option B is wrong because 'Select apps' requires manually picking each app, which is impractical for 'all cloud apps except one' and does not dynamically cover future apps. Option D is wrong because excluding 'Office 365' does not match the requirement to exclude 'Microsoft Entra ID Administration'; Office 365 is a different app set and would incorrectly block the admin portal.

842
MCQ · medium

A company deploys a web application on Azure VMs behind an Azure Load Balancer (Standard SKU). They want to protect the application from common web attacks like SQL injection and cross-site scripting. Which Azure service should they enable?

A. Azure Application Gateway with Web Application Firewall (WAF) policy.
B. Azure Firewall.
C. Network Security Groups on the VM subnet.
D. Azure DDoS Protection.

Answer: A

WAF is designed to inspect HTTP traffic and block common web attacks. Application Gateway provides Layer 7 load balancing with WAF capabilities.

Why this answer

Azure Application Gateway with a Web Application Firewall (WAF) policy is the correct choice because it operates at Layer 7 (HTTP/HTTPS) and provides centralized, inbound protection against common web attacks such as SQL injection and cross-site scripting (XSS). The WAF policy uses OWASP Core Rule Sets (CRS) to inspect HTTP request payloads and headers, blocking malicious traffic before it reaches the backend VMs behind the Load Balancer.

Exam trap

The trap here is that candidates confuse Azure Firewall (a Layer 3-4 network firewall) with a web application firewall, mistakenly believing it can inspect HTTP payloads, when in fact only a Layer 7 WAF (like Application Gateway WAF or Azure Front Door WAF) can protect against SQL injection and XSS.

How to eliminate wrong answers

Option B (Azure Firewall) is wrong because it is a stateful, Layer 3-4 network firewall that filters traffic based on IP addresses, ports, and protocols, but it does not inspect HTTP application-layer payloads for SQL injection or XSS patterns. Option C (Network Security Groups on the VM subnet) is wrong because NSGs provide Layer 3-4 filtering (IP/port rules) and cannot perform deep packet inspection at the application layer to detect web attack signatures. Option D (Azure DDoS Protection) is wrong because it only mitigates volumetric DDoS attacks at the network layer (Layer 3-4) and does not inspect or block application-layer threats like SQL injection or XSS.

843
MCQ · medium

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You need to collect sign-in logs and audit logs. Which data connector should you enable?

A. Azure AD Identity Protection
B. Office 365
C. Azure AD Authentication
D. Azure Active Directory (now Microsoft Entra ID)

Answer: D

This connector ingests sign-in logs and audit logs from Azure AD.

Why this answer

Option D is correct because the 'Azure Active Directory' (Microsoft Entra ID) data connector is specifically designed to ingest both sign-in logs and audit logs. Option A is wrong because the Azure AD Identity Protection connector only brings in risky user and sign-in events, not full audit logs. Option B is wrong because the Office 365 connector brings in Exchange, SharePoint, and Teams logs, not Azure AD logs. Option C is wrong because 'Azure AD Authentication' is not a standard Microsoft Sentinel data connector.

844
MCQ · hard

Your organization has Microsoft Sentinel deployed in the East US region. You need to ensure that security logs are retained for 2 years to meet compliance requirements. The workspace retention policy is set to 90 days. What should you do?

A. Configure data retention for the specific tables that need long-term retention
B. Change the workspace retention setting to 730 days
C. Use Azure Policy to enforce retention on the Log Analytics workspace
D. Export logs to an Azure Storage account and set a lifecycle management policy

Answer: A

Table-level retention allows setting different retention periods per table, up to 2 years.

Why this answer

Option A is correct because you can configure data retention per table, up to 2 years, using the Azure portal or the API, keeping long-term retention only for the tables that need it. Option B is not the best answer: changing the workspace retention setting to 730 days is possible and would satisfy the requirement, but it applies 2-year retention to every table and may incur high costs; the question implies a cost-effective solution, and table-level retention is the more precise choice. Option C is wrong because Azure Policy does not change retention settings. Option D is wrong because exporting to a storage account requires additional configuration and is not a direct retention setting on the workspace.

845
MCQ · hard

You have an Azure Kubernetes Service (AKS) cluster that needs to communicate with an on-premises database over a site-to-site VPN. The AKS cluster is in a spoke VNet, and the VPN gateway is in the hub VNet. You configure VNet peering between hub and spoke. However, pods cannot reach the on-premises database. What is the most likely cause?

A. The VNet peering is not established correctly
B. The network security group on the pod subnet blocks outbound traffic
C. The pod subnet does not have a route to the on-premises network via the VPN gateway
D. The AKS cluster is using kubenet network plugin

Answer: C

AKS pods need a UDR pointing to the VPN gateway for on-premises access.

Why this answer

Option C is correct because AKS pods use a different IP range than the VNet, and user-defined routes (UDRs) are needed to route pod traffic through the VPN gateway in the hub. Option A is wrong because the peering is configured. Option D is wrong because the network plugin is not the cause: even with Azure CNI, where pods take IPs from the VNet, routing to the on-premises network still needs UDRs. Option B is wrong because an NSG can block traffic but is not the likely cause here.

846
Multi-Select · hard

A security team is reviewing risky OAuth applications in Microsoft Entra ID. Which two actions reduce future consent risk?

Select 2 answers
A. Restrict user consent to verified publishers and low-risk permissions
B. Grant tenant-wide admin consent to all existing apps
C. Delete all enterprise applications including Microsoft first-party apps
D. Use admin consent workflow for permissions requiring review

Answers: A, D

Correct for the stated requirement.

Why this answer

Option A is correct because restricting user consent to verified publishers and low-risk permissions reduces the likelihood of users approving malicious or overly permissive OAuth apps. This policy, configured in Microsoft Entra ID (Azure AD), ensures that only apps from verified publishers requesting low-risk permissions can be consented to by users, thereby mitigating consent-based attacks like OAuth consent phishing.

Exam trap

The trap here is that candidates may think admin consent to all apps (Option B) is a security measure, but it actually bypasses user consent controls and increases exposure to risky apps.

847
MCQ · hard

A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?

A. Custom details only
B. Entity mapping
C. Suppression rules
D. Workbook parameters

Answer: B

Correct for the stated requirement.

Why this answer

Entity mapping is the correct configuration because it explicitly links the analytics rule's results to known entity types (account, host, IP) in Microsoft Sentinel. This enables analysts to pivot directly from an alert to related entities in the investigation graph, enriching context without manual cross-referencing. Without entity mapping, the rule would generate alerts but lack the structured entity data needed for seamless pivot actions.

Exam trap

The trap here is that candidates confuse 'custom details' with 'entity mapping' because both involve extracting data from query results, but custom details only add flat key-value pairs to the alert, whereas entity mapping creates structured, pivotable objects that the investigation graph can traverse.

How to eliminate wrong answers

Option A is wrong because custom details only allow you to extract and display specific fields from the query results in the alert, but they do not create structured entity objects (account, host, IP) that Sentinel's investigation graph can use for pivoting. Option C is wrong because suppression rules are used to temporarily stop generating alerts for a rule after a certain number of occurrences, which is unrelated to entity enrichment or pivot capabilities. Option D is wrong because workbook parameters are used to customize visualizations in Azure Workbooks, not to define entities within an analytics rule for investigation pivoting.

848
MCQ · medium

A security team uses Microsoft Defender for Cloud. They want to ensure that all Azure virtual machines have the guest configuration extension installed to apply a security baseline automatically. They need to remediate non-compliant VMs without manual intervention. Which Defender for Cloud feature should be configured?

A. Assign a security policy (built-in initiative) that includes a policy with DeployIfNotExists effect
B. Enable automatic provisioning of the Log Analytics agent
C. Create an Automation rule that triggers a runbook when a recommendation appears
D. Configure a workflow automation scheduled task

Answer: A

Such policies automatically deploy the required extension (like Guest Configuration) to VMs that are missing it, without manual intervention.

Why this answer

Option A is correct because the guest configuration extension is deployed automatically via a DeployIfNotExists policy effect within a built-in initiative (such as the Azure Security Benchmark). This effect evaluates VMs for the extension and, if missing, deploys it without manual intervention, ensuring the security baseline is applied. Defender for Cloud uses this policy-driven approach to remediate non-compliant resources at scale.

Exam trap

The trap here is that candidates confuse automatic provisioning of the Log Analytics agent (which collects logs) with the guest configuration extension (which applies baselines), or they assume that Automation rules or scheduled tasks can proactively deploy extensions, when only a DeployIfNotExists policy can enforce deployment without manual steps or external triggers.

How to eliminate wrong answers

Option B is wrong because automatic provisioning of the Log Analytics agent collects security data but does not install the guest configuration extension or apply a security baseline. Option C is wrong because an Automation rule triggers a runbook only after a recommendation appears, requiring the recommendation to exist first and introducing latency; it is not a proactive, policy-driven deployment. Option D is wrong because a workflow automation scheduled task runs on a timer, not in response to compliance state, and cannot deploy extensions dynamically based on policy evaluation.

849
MCQ · hard

A team wants Sentinel to ingest firewall logs from an appliance that emits Common Event Format over Syslog. Which connector pattern is most appropriate?

A. CEF connector using a Linux log forwarder or AMA-supported collection path
B. Azure Activity connector
C. Microsoft Entra ID Protection connector
D. Office 365 connector
Answer: A

Correct for the stated requirement.

Why this answer

The Common Event Format (CEF) over Syslog is a standard logging format used by many security appliances. Sentinel's CEF connector is specifically designed to ingest these logs, typically using a Linux log forwarder (rsyslog or syslog-ng) or the Azure Monitor Agent (AMA) with a Data Collection Rule to parse and forward the CEF messages to the Log Analytics workspace.

Exam trap

The trap here is that candidates confuse CEF with other log formats (e.g., Windows Event Log or JSON) and select a connector that ingests cloud-native logs instead of recognizing that CEF over Syslog requires a dedicated forwarder or AMA-based collection path.

How to eliminate wrong answers

Option B is wrong because the Azure Activity connector ingests Azure subscription-level operational logs (e.g., resource creation, policy changes), not third-party firewall syslog data. Option C is wrong because the Microsoft Entra ID Protection connector ingests risk detection and user risk events from Entra ID, not firewall logs. Option D is wrong because the Office 365 connector ingests audit and activity logs from Exchange, SharePoint, and Teams, not syslog-based firewall events.

850
MCQ · easy

You need to enable transparent data encryption (TDE) for an Azure SQL Managed Instance. What is the prerequisite?

A. Configure a backup policy for the managed instance.
B. Enable a service endpoint for Azure SQL.
C. No additional configuration is needed; TDE is enabled by default.
D. Create an Azure Key Vault and configure a customer-managed key.
Answer: C

Azure SQL Managed Instance has TDE enabled by default with a service-managed key.

Why this answer

TDE (encryption at rest) is enabled by default with a service-managed key, so Option C is correct. Bring your own key (BYOK) requires Key Vault but is optional.

TDE does not require a specific backup policy. Service endpoints are not required.

851
MCQ · hard

Your company has multiple Azure subscriptions managed through Azure Firewall Manager. You need to deploy Azure Firewall policies that apply to all subscriptions in a region. What is the most efficient way to manage this?

A. Create a separate firewall policy for each subscription
B. Use Azure Firewall Manager to create a parent policy and assign it to all firewalls
C. Use Azure Policy to enforce firewall rules across subscriptions
D. Deploy a single network security group (NSG) to all VNets
Answer: B

Firewall Manager centralizes policy management across subscriptions.

Why this answer

Option B is correct because Azure Firewall Manager allows creating policy-based firewalls that can be applied across multiple subscriptions. Option A is wrong because each firewall would have its own policy; you would need to duplicate the rules. Option C is wrong because Azure Policy can enforce compliance but does not directly manage firewall rules.

Option D is wrong because NSGs are per-subnet, not cross-subscription.

852
MCQ · hard

You are responsible for securing Azure resources using Microsoft Defender for Cloud. You receive a recommendation that your Azure Kubernetes Service (AKS) cluster has a vulnerability in a container image. The recommendation is labeled 'Container images should be scanned for vulnerabilities'. What action should you take to remediate this recommendation?

A. Enable the 'Vulnerability assessment solutions should be enabled on your VMs' recommendation.
B. Rebuild the container image using an updated base image and redeploy.
C. Enable Microsoft Defender for Cloud Apps for the AKS cluster.
D. Disable the vulnerability scanner for that repository.
Answer: B

This fixes the vulnerability by using a patched image.

Why this answer

Option B is correct because the recommendation indicates vulnerabilities found by Defender for Containers. Remediation involves updating the base image, rebuilding the container image and redeploying it. Option D is wrong because turning off the scanner does not fix the vulnerability.

Option C is wrong because the recommendation is not about Defender for Cloud Apps. Option A is wrong because the recommendation is already enabled; you need to fix the image.

853
MCQ · medium

You are a security engineer for a company that uses Microsoft Defender for Cloud. You need to ensure that all Azure subscriptions are continuously assessed against the Microsoft cloud security benchmark (MCSB). The solution must automatically assign compliance standards to new subscriptions. What should you do?

A. Assign the MCSB standard to the management group that contains all subscriptions.
B. Enable the 'Foundational CSPM' plan in Defender for Cloud at the management group scope.
C. Assign the MCSB standard to each subscription individually using the Defender for Cloud regulatory compliance dashboard.
D. Create an Azure Policy initiative that enforces MCSB and assign it to the root management group.
Answer: A

Assigning at the management group scope automatically applies to all current and future subscriptions under that group.

Why this answer

Option A is correct because Microsoft Defender for Cloud allows you to assign regulatory compliance standards, including MCSB, at the management group level, which automatically applies to all subscriptions under that group. Option D is wrong because Azure Policy can enforce standards, but the question specifically asks about MCSB in Defender for Cloud. Option C is wrong because assigning at the subscription level does not cover new subscriptions automatically.

Option B is wrong because Defender for Cloud plans enable features but do not assign compliance standards.

854
Multi-Select · easy

Which TWO actions can be taken using Azure Network Watcher?

Select 2 answers
A. Diagnose whether a security rule is blocking traffic to a VM.
B. Create and manage private endpoints.
C. Configure WAF policies on Application Gateway.
D. Determine the next hop for traffic from a VM.
E. Configure Azure Firewall rules.
Answers: A, D

IP flow verify checks if traffic is allowed or denied by NSG rules.

Why this answer

Options A and D are correct. Network Watcher provides IP flow verify and next hop. Option E is wrong because configuring Azure Firewall rules is done via Firewall Manager.

Option C is wrong because WAF policies are configured separately. Option B is wrong because private endpoints are created via Private Link Center.

855
MCQ · easy

You need to grant a user the ability to reset passwords for all users in the finance department. The finance department users are in a specific organizational unit (OU) in on-premises Active Directory, which syncs to Microsoft Entra ID. What is the most secure way to delegate this?

A. Add the user to the Password Administrator role
B. Create an administrative unit containing the finance users and assign the Helpdesk Administrator role scoped to that unit
C. Assign the User Access Administrator role to the user
D. Assign the Global Administrator role to the user
Answer: B

Administrative units allow scoped delegation of roles like Helpdesk Administrator.

Why this answer

Option B is correct because it uses Administrative Units (AUs) in Microsoft Entra ID to scope the Helpdesk Administrator role to only the finance department users. This provides the least-privilege delegation for password reset, as the user can only reset passwords for the specific synced users in that AU, not all users in the tenant. The Helpdesk Administrator role includes the 'Reset password' permission, and scoping it to an AU ensures the delegated user cannot affect users outside the finance OU.

Exam trap

The trap here is that candidates often assume the Password Administrator role is the most secure because it is specifically named for password resets, but they overlook the need for scoping via Administrative Units to restrict the delegation to only the finance department users.

How to eliminate wrong answers

Option A is wrong because the Password Administrator role can reset passwords for all users in the tenant, including non-finance users, which violates the principle of least privilege and is not scoped to the finance department. Option C is wrong because the User Access Administrator role is designed to manage user access to Azure resources (e.g., assigning RBAC roles), not to reset passwords, and it does not include the password reset permission. Option D is wrong because the Global Administrator role provides full, unrestricted access to all Entra ID settings and resources, which is far too permissive for the simple task of resetting passwords for a subset of users.

856
MCQ · easy

Your company has multiple Azure subscriptions. You need to centralize security alerts and incidents in a single dashboard for the security operations center (SOC) team. The solution should provide advanced analytics and threat detection. Which service should you use?

A. Azure Monitor
B. Microsoft Sentinel
C. Microsoft 365 Defender
D. Microsoft Defender for Cloud
Answer: B

Correct. Sentinel is a SIEM that centralizes alerts and provides advanced analytics.

Why this answer

Option B is correct because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that centralizes security data and provides advanced analytics. Option A is wrong because Azure Monitor is for monitoring, not SIEM. Option D is wrong because Microsoft Defender for Cloud provides security posture management and threat detection but does not centralize alerts from multiple sources as a SIEM.

Option C is wrong because Microsoft 365 Defender is for Microsoft 365 security, not multi-subscription Azure alerts.

857
MCQ · easy

You are designing a solution for Azure Blob Storage that must prevent data from being overwritten or deleted for a specified retention period. Which feature should you enable?

A. Blob versioning
B. Immutable storage with time-based retention policy
C. Lifecycle management policies
D. Soft delete for blobs
Answer: B

Immutable storage ensures data cannot be modified or deleted during the retention period.

Why this answer

Option B is correct because immutability policies (WORM) prevent data modification or deletion for a set period. Option D is wrong because soft delete recovers deleted data but does not prevent deletion. Option A is wrong because versioning keeps multiple versions but allows deletion.

Option C is wrong because lifecycle management automates tiering, not protection.

858
MCQ · medium

Your security team detects a series of failed sign-ins from multiple IP addresses for a privileged user account in Microsoft Entra ID. You need to automatically create an incident in Microsoft Sentinel and block the user account. What should you configure?

A. Create a playbook in Microsoft Sentinel that triggers on the sign-in logs
B. Use Microsoft Entra ID Protection to automatically remediate risk
C. Configure automated investigation and remediation in Microsoft Defender XDR
D. Set up a detection rule in Microsoft Sentinel that sends an email to security admins
Answer: C

Defender XDR can automatically block accounts based on alerts.

Why this answer

Option C is correct because Microsoft Defender XDR provides automated investigation and remediation. Option A is wrong because a playbook can create incidents but not automatically block. Option B is wrong because Microsoft Entra ID Protection (formerly Azure AD Identity Protection) only provides risk detection.

Option D is wrong because a detection rule triggers alerts but not automated response.

859
MCQ · medium

Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You want to detect and block sign-ins from non-compliant devices to a critical SaaS application. The solution must work for both managed (Microsoft Intune enrolled) and unmanaged devices. What should you use?

A. Deploy Microsoft Entra application proxy and require pre-authentication.
B. Use Conditional Access with device compliance condition and session control via Defender for Cloud Apps.
C. Configure Intune compliance policies and require compliant device in Conditional Access.
D. Enable Microsoft Entra ID Protection and set sign-in risk policy to block medium and above.
Answer: B

Device compliance covers managed devices; Defender for Cloud Apps session control can block unmanaged devices.

Why this answer

Option B is correct because it combines Conditional Access with a device compliance condition to evaluate device state for both managed (Intune-enrolled) and unmanaged devices, and then uses session control via Defender for Cloud Apps to block sign-ins from non-compliant devices. This approach works for unmanaged devices by leveraging device compliance signals from Intune or third-party MDM, and the session control enforces real-time blocking at the app level.

Exam trap

The trap here is that candidates often think Intune compliance policies alone (Option C) can cover unmanaged devices, but they forget that unmanaged devices cannot be evaluated for compliance without a session-level control like Defender for Cloud Apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra application proxy is designed for secure remote access to on-premises apps, not for detecting or blocking sign-ins based on device compliance, and pre-authentication alone does not evaluate device state. Option C is wrong because configuring Intune compliance policies and requiring a compliant device in Conditional Access only works for managed (Intune-enrolled) devices; it cannot enforce compliance on unmanaged devices, which is a requirement in the question. Option D is wrong because Microsoft Entra ID Protection sign-in risk policy focuses on user and sign-in risk (e.g., anonymous IP, leaked credentials), not on device compliance, so it cannot block non-compliant devices.

860
Multi-Select · medium

Which TWO of the following are valid data sources for Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select two.)

Select 2 answers
A. Microsoft Entra ID sign-in logs.
B. Microsoft Entra ID audit logs.
C. Azure SQL Database audit logs.
D. Azure Activity Logs.
E. Azure Firewall logs.
Answers: A, B

UEBA uses sign-in logs for user behavior.

Why this answer

Options A and B are correct. Azure Active Directory (now Microsoft Entra ID) sign-in logs and audit logs are key sources for UEBA. Option D is wrong because Azure Activity Logs are for resource operations, not user behavior.

Option C is wrong because Azure SQL Database audit logs are not a default source for UEBA. Option E is wrong because Azure Firewall logs are network logs, not user behavior.

861
MCQ · hard

Refer to the exhibit. You run the PowerShell cmdlet Get-AzureADPolicy for a tenant. Based on the output, what is the access token lifetime for this policy?

A. 24 hours
B. 1 hour
C. 6 hours
D. 12 hours
Answer: B

AccessTokenLifetime is set to 01:00:00, which is 1 hour.

Why this answer

The output of Get-AzureADPolicy shows a policy definition with 'TokenLifetime' set to '1.00:00:00', which represents 1 day. However, the question asks for the access token lifetime. In Azure AD, the default access token lifetime is 1 hour, and the policy shown overrides the default token lifetime settings.

Although the policy definition includes a 'TokenLifetime' of 1 day, access tokens have a separately configurable lifetime, and the default access token lifetime is 1 hour unless a policy explicitly overrides it. The answer is 1 hour because the policy shown does not specify an access token lifetime override; it sets only a general token lifetime, which applies to refresh and session tokens, not to access tokens. Therefore, the access token lifetime remains the default of 1 hour.

Exam trap

The trap here is that candidates see 'TokenLifetime' set to 1 day in the policy output and incorrectly assume it applies to access tokens, but Azure AD's default access token lifetime remains 1 hour unless explicitly overridden with the 'AccessTokenLifetime' property.

How to eliminate wrong answers

Option A is wrong because 24 hours is the default lifetime for refresh tokens, not access tokens, and the policy's 'TokenLifetime' of 1 day applies to refresh/session tokens, not access tokens. Option C is wrong because 6 hours is not a default or commonly configured access token lifetime in Azure AD; the default is 1 hour. Option D is wrong because 12 hours is not the default access token lifetime; it could be a custom value but is not indicated by the policy output, which shows a 1-day token lifetime for other token types.

862
MCQ · medium

A company uses Azure AD. They want to ensure that all users enroll in Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. After 14 days, any user who has not enrolled must be blocked from accessing applications. Which configuration should they implement?

A. Use Azure AD Identity Protection to create a sign-in risk policy that requires MFA registration for medium and above risks.
B. Create a Conditional Access policy targeting all users and all cloud apps, with the grant control 'Require multi-factor authentication registration' and configure the grace period in the MFA registration settings.
C. Enable security defaults for the directory.
D. Configure the Azure AD audit logs to send an alert when a user has not registered for MFA after 14 days, then manually block them.
Answer: B

Correct. This policy forces users to register for MFA when they sign in. The grace period (time before blocking) is configured in the Azure AD MFA registration settings, allowing 14 days.

Why this answer

Option B is correct because it combines a Conditional Access policy requiring MFA registration with a configured grace period in the MFA registration settings. The 'Require multi-factor authentication registration' grant control forces users to register during sign-in, and the grace period (set in the MFA service settings) allows up to 14 days before blocking access. This meets the requirement to block unregistered users after 14 days.

Exam trap

The trap here is that candidates confuse the MFA registration grace period (set in MFA settings) with the Conditional Access grant control, thinking they are separate features, when in fact they work together to enforce the deadline.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection sign-in risk policies evaluate risk levels (e.g., medium and above) to trigger MFA, but they do not enforce a registration deadline or block users who haven't registered within a specific timeframe. Option C is wrong because security defaults enforce MFA registration for all users within 14 days, but they do not allow customization of the grace period or granular control over blocking behavior; they apply a fixed 14-day grace period and cannot be tailored to block after exactly 14 days. Option D is wrong because relying on audit logs and manual blocking is not automated, does not enforce the 14-day deadline, and contradicts the requirement for an automated configuration.

863
MCQ · medium

A company uses Azure SQL Database for a critical application. Security policy requires that all client connections use at least TLS 1.2 encryption and that connections not meeting this requirement are rejected. Which configuration should they implement on the Azure SQL Server?

A. Configure firewall rules to allow only trusted IP addresses
B. Enable Transparent Data Encryption (TDE)
C. Set the 'Minimum TLS version' on the SQL server
D. Enable Advanced Threat Protection (ATP)
Answer: C

This setting enforces that all connections use at least TLS 1.2. Connections using older versions are rejected, meeting the security requirement.

Why this answer

Option C is correct because Azure SQL Server allows you to enforce a minimum TLS version for all client connections. By setting the 'Minimum TLS version' to 1.2, the server will reject any connection attempt using TLS 1.0 or 1.1, ensuring compliance with the security policy that requires at least TLS 1.2 encryption.

Exam trap

The trap here is that candidates often confuse encryption in transit (TLS) with encryption at rest (TDE) or network access controls (firewall rules), leading them to select options that address different security layers rather than the specific requirement to enforce a minimum TLS version.

How to eliminate wrong answers

Option A is wrong because firewall rules control network access based on IP addresses, not encryption protocol version; they cannot enforce TLS 1.2. Option B is wrong because Transparent Data Encryption (TDE) encrypts data at rest, not data in transit; it does not affect the TLS version used for client connections. Option D is wrong because Advanced Threat Protection (ATP) provides security monitoring and alerts for suspicious activities, but it does not enforce encryption protocols or reject connections based on TLS version.

864
MCQ · hard

A security team uses Microsoft Sentinel. They create a scheduled analytics rule that queries Azure Activity Logs to detect virtual machines deployed in non-approved regions. The rule generates an incident. The team wants the incident to be automatically assigned to the 'Infrastructure' team and its severity set to 'High' when it is created. Which automation feature should they use?

A. Create an automation rule with trigger 'When incident is created' and actions to assign the incident to an owner and set severity
B. Create a playbook triggered by alert creation that performs the assignment and severity change
C. Use an automation rule with trigger 'When incident is updated' and condition on alert type
D. Configure the analytics rule directly to set severity and owner
Answer: A

Automation rules are designed for these simple incident management actions. They run immediately upon incident creation without needing a playbook.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel allow you to define triggers such as 'When incident is created' and then perform actions like assigning the incident to an owner and setting its severity. This is the native, no-code way to automate incident management without requiring a playbook or modifying the analytics rule itself.

Exam trap

The trap here is that candidates often confuse playbooks (which are triggered by alerts and require Logic Apps) with automation rules (which are triggered by incident lifecycle events and are simpler to configure), leading them to select Option B instead of the correct automation rule approach.

How to eliminate wrong answers

Option B is wrong because playbooks are triggered by alerts, not by incident creation, and they require additional configuration and logic apps, making them more complex than necessary for simple assignment and severity changes. Option C is wrong because the trigger 'When incident is updated' would not fire at incident creation time, so the assignment and severity would not be applied automatically when the incident is first generated. Option D is wrong because analytics rules do not have native settings to directly assign an owner or set severity; those properties are managed at the incident level, not within the rule definition.

865
MCQ · medium

You are designing network security for a multi-tier application deployed in Azure. The application consists of a front-end web tier, a middle-tier API, and a back-end database. All tiers must be isolated from the internet except the front-end, which must accept HTTPS traffic from the internet. You need to ensure that no traffic can bypass the network security controls. What should you implement?

A. Place all tiers in the same virtual network and use Azure Front Door with WAF for the web tier, and rely on NSGs for internal traffic.
B. Deploy Network Security Groups (NSGs) on each subnet and allow only necessary traffic between tiers.
C. Deploy Azure Firewall in a hub virtual network and route all traffic between tiers through the firewall for inspection.
D. Use Azure Application Gateway with Web Application Firewall (WAF) in front of the web tier, and use NSGs for the other tiers.
Answer: C

Azure Firewall provides centralized traffic filtering and logging, ensuring all east-west traffic is inspected.

Why this answer

Option C is correct because Azure Firewall provides centralized network traffic filtering and can inspect traffic between tiers, while NSGs are for subnet/NIC-level filtering. Option B is wrong because NSGs alone cannot inspect east-west traffic if rules are misconfigured. Option D is wrong because Application Gateway is for inbound HTTP/S, not for filtering east-west traffic.

Option A is wrong because Azure Front Door is for global load balancing, not internal traffic filtering.

866
Multi-Select · hard

You are configuring Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The cluster runs sensitive workloads. You need to enable threat detection and vulnerability assessment for the AKS environment. Which THREE of the following should you enable?

Select 3 answers
A. Microsoft Defender for Containers plan
B. Microsoft Defender for Servers plan
C. Vulnerability assessment for container images in Defender for Cloud
D. Continuous export of security alerts to Log Analytics
E. Azure Policy add-on for AKS
Answers: A, C, D

This plan provides threat detection for AKS clusters.

Why this answer

Option A (Defender for Containers) is the correct plan for AKS threat detection. Option B (Defender for Servers) is for VMs, not containers. Option C (Microsoft Defender for Cloud's vulnerability assessment for container images) is part of Defender for Containers.

Option E (Azure Policy add-on for AKS) enables policy enforcement but is not threat detection. Option D (Microsoft Defender for Cloud's continuous export) is for exporting alerts, not detection.

867
MCQ · medium

A security team uses Microsoft Sentinel. They have created a playbook that isolates a virtual machine by modifying a network security group rule. They want this playbook to execute automatically whenever a new incident of type 'Suspicious VM activity' is created. Which Microsoft Sentinel feature should they use to trigger the playbook?

A. Analytics rule
B. Automation rule
C. Playbook
D. Hunt
Answer: B

Automation rules can be configured to trigger on incident creation and run a specified playbook as an action.

Why this answer

Automation rules in Microsoft Sentinel allow you to define triggers that automatically run playbooks when incidents are created or updated. In this scenario, the automation rule can be configured to trigger on incident creation with the condition 'Suspicious VM activity' and then execute the playbook that modifies the NSG rule to isolate the VM. This is the correct mechanism because automation rules are designed specifically for incident-based triggers, unlike analytics rules which generate alerts or incidents.

Exam trap

The trap here is confusing the playbook (the action) with the trigger (automation rule), leading candidates to select 'Playbook' as the trigger instead of recognizing that automation rules are the mechanism to invoke playbooks automatically on incident creation.

How to eliminate wrong answers

Option A is wrong because analytics rules are used to generate alerts or incidents from data sources, not to trigger playbooks in response to existing incidents. Option C is wrong because a playbook is the set of actions (like modifying an NSG rule) that runs, not the trigger mechanism itself; playbooks must be invoked by an automation rule or manually. Option D is wrong because Hunts are manual, ad-hoc investigations to find threats, not automated triggers for incident response.

868
MCQ · medium

A security team uses Microsoft Sentinel. They want to create a custom detection rule that identifies a potential data exfiltration scenario: when a user signs in from an unusual location and then, within 30 minutes, performs a large download from Azure Blob Storage. They need to correlate sign-in logs from Azure AD with storage diagnostic logs. Which type of analytics rule should they create in Microsoft Sentinel?

A. A scheduled query rule using KQL
B. An NRT (near-real-time) rule
C. A fusion rule
D. A machine learning-based analytics rule
Answer: A

Scheduled rules can run KQL queries that join multiple tables (e.g., SigninLogs and StorageBlobLogs) to correlate events and trigger alerts when the pattern is detected.

Why this answer

A scheduled query rule is correct because it allows you to write a KQL query that joins Azure AD sign-in logs (SigninLogs) with Azure Storage diagnostic logs (StorageBlobLogs) based on a user identifier, and then uses a time window (e.g., 30 minutes) to correlate the two events. This is the only rule type that supports custom KQL logic for multi-table joins and time-based correlation, which is essential for detecting the described exfiltration pattern.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled queries, assuming NRT's low latency is better for time-sensitive correlations, but NRT rules cannot handle multi-table joins or extended time windows, making scheduled queries the only viable option for this scenario.

How to eliminate wrong answers

Option B is wrong because NRT (near-real-time) rules run every minute with a 1-minute lookback and cannot perform complex joins across multiple tables or use time windows longer than a few minutes, making them unsuitable for correlating sign-in and storage logs over a 30-minute window. Option C is wrong because fusion rules are based on Microsoft's built-in machine learning models that correlate alerts from multiple products, not custom KQL queries; they cannot be tailored to join specific Azure AD sign-in logs with storage diagnostic logs. Option D is wrong because ML-based analytics rules use pre-built anomaly detection models (e.g., for unusual sign-in patterns) and do not support custom correlation logic across different data sources like sign-in logs and storage logs.

869
Multi-Select · easy

Your organization wants to use Microsoft Sentinel to detect and respond to threats. You need to ensure that Sentinel can ingest data from Azure Firewall logs. Which three components are required? (Choose three.)

Select 3 answers
A. Enable diagnostic logs on Azure Firewall.
B. A Log Analytics workspace.
C. Assign an Azure Policy to enforce diagnostic logs on all firewalls.
D. Install the Log Analytics agent on the Azure Firewall.
E. The Azure Firewall data connector in Sentinel.
Answers: A, B, E

Diagnostic settings stream logs to a workspace.

Why this answer

Options A, B, and E are correct. Option A is correct because Azure Firewall must have diagnostic logs enabled. Option B is correct because a Log Analytics workspace is needed to store the logs.

Option E is correct because the Azure Firewall data connector in Sentinel pulls the logs. Option D is wrong because the Log Analytics agent is not used for Azure Firewall; it uses diagnostic settings. Option C is wrong because Azure Policy is not required for ingestion.

870
MCQmedium

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access Exchange Online. The solution must require users to reauthenticate every 12 hours. What should you configure?

A.Create a Conditional Access policy that requires MFA for Exchange Online and set sign-in frequency to 12 hours.
B.Create a Conditional Access policy that grants access to Exchange Online only if the device is compliant, and set session sign-in frequency to 12 hours.
C.Create an app protection policy for Exchange Online that requires device compliance and sets sign-in frequency.
D.Configure a device compliance policy for all devices and enable 'Reauthenticate every 12 hours' in the compliance policy.
AnswerB

This enforces both device compliance and reauthentication frequency.

Why this answer

Option B is correct because a Conditional Access policy can enforce device compliance as a grant control for Exchange Online, ensuring only compliant devices can access the service. Setting the session sign-in frequency to 12 hours forces users to reauthenticate at that interval, meeting the requirement without requiring MFA. This combines device compliance enforcement with session lifetime control in a single policy.

Exam trap

The trap here is that candidates confuse device compliance policies with Conditional Access session controls, assuming sign-in frequency can be set directly in a compliance policy, when it is actually a separate Conditional Access setting.

How to eliminate wrong answers

Option A is wrong because requiring MFA does not enforce device compliance; it only adds an authentication factor, so non-compliant devices could still access Exchange Online. Option C is wrong because app protection policies (MAM) manage data protection within apps, not device-level compliance, and they do not support a sign-in frequency setting. Option D is wrong because a device compliance policy itself does not include a 'Reauthenticate every 12 hours' setting; sign-in frequency is a Conditional Access session control, not a compliance policy setting.

871
MCQmedium

Your security team receives an alert from Microsoft Defender for Cloud indicating 'Suspicious PowerShell script detected' on a virtual machine. The VM is running a critical application, and you need to investigate without disrupting the service. Which action should you take first?

A.Disconnect the VM from the virtual network.
B.Take a VM snapshot and analyze it offline.
C.Restart the VM to clear any malicious processes.
D.Initiate a live response session from Microsoft Defender for Cloud.
AnswerD

Live response allows investigation without VM disruption.

Why this answer

Option D is correct because a live response session lets you run investigation commands and collect forensic artifacts from the running VM without taking it offline. Option A is wrong because disconnecting the VM from the network would break the critical application. Option B is wrong because a disk snapshot preserves disk state for offline forensics but captures no running processes, memory or network connections, and it does not tell you what the script is doing now.

Option C is wrong because restarting the VM would destroy that volatile evidence and disrupt the service.

872
MCQmedium

A security team uses Microsoft Sentinel. They want to create a custom analytic rule that triggers an incident when more than 10 failed Azure Active Directory sign-ins occur from the same source IP address within any 5-minute window. Which type of rule should they use?

A.Scheduled query rule
B.Near-Real-Time (NRT) rule
C.Fusion rule
D.Anomaly rule
AnswerA

Scheduled query rules run on a schedule (e.g., every 5 minutes) and support aggregation over time windows. They are ideal for counting events and setting thresholds.

Why this answer

A scheduled query rule is correct because it allows you to define a KQL query that counts failed Azure AD sign-ins grouped by source IP address within a 5-minute sliding window, and then triggers an incident when the count exceeds 10. This rule type supports custom aggregation and threshold-based alerting, which is exactly what the scenario requires.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled queries, assuming NRT rules can aggregate over arbitrary time windows; NRT rules are fixed to a one-minute lookback, so they cannot count failures across a 5-minute window or apply a threshold to that count.

How to eliminate wrong answers

Option B is wrong because Near-Real-Time (NRT) rules run every minute over a fixed one-minute lookback, so they cannot count failures over a 5-minute window or apply a 'more than 10' threshold to such a count; they are built for low-latency matching of events that just arrived. Option C is wrong because Fusion rules use machine learning to correlate multiple low-fidelity alerts across different products into a single high-fidelity incident, not to count sign-in failures from a single IP. Option D is wrong because Anomaly rules detect deviations from baseline behavior using machine learning models, not static thresholds like 'more than 10 failed sign-ins'.
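As an added example (not part of the original question set), the following Python reproduces the detection logic the scheduled rule's KQL would express, run over a constructed batch of SigninLogs-style records. It contrasts a true sliding 5-minute window with the tumbling bins produced by KQL's `summarize ... by bin(TimeGenerated, 5m)`, which is what most candidates actually write: an attacker whose 12 failures straddle a bin boundary is caught by the sliding check but missed by the binned one. Field names mirror SigninLogs (TimeGenerated, IPAddress, ResultType); the events, timestamps and IP addresses are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the
# SigninLogs table: ResultType "0" is a successful sign-in, any other value
# is a failure code such as 50126 (invalid username or password).
BASE = datetime(2024, 1, 1, 10, 0, 0)


def ev(offset_seconds, ip, result_type):
    return {"TimeGenerated": BASE + timedelta(seconds=offset_seconds),
            "IPAddress": ip, "ResultType": result_type}


SAMPLE_EVENTS = (
    # 12 failures from 10:03:00 to 10:06:40: straddles the 10:05 bin boundary
    [ev(180 + 20 * i, "203.0.113.10", "50126") for i in range(12)]
    # 11 failures inside 10:10-10:12, plus one later success
    + [ev(600 + 10 * i, "198.51.100.7", "50126") for i in range(11)]
    + [ev(720, "198.51.100.7", "0")]
    # low-and-slow: 12 failures, one per minute from 10:00 to 10:11
    + [ev(60 * i, "203.0.113.99", "50126") for i in range(12)]
    # benign user: three typos, then success
    + [ev(60, "192.0.2.5", "50126"), ev(120, "192.0.2.5", "50126"),
       ev(180, "192.0.2.5", "50126"), ev(240, "192.0.2.5", "0")]
)


def failed_signins(events):
    """KQL: SigninLogs | where ResultType != "0" """
    return [e for e in events if e["ResultType"] != "0"]


def sliding_window_offenders(events, threshold=10, window=timedelta(minutes=5)):
    """IPs with more than `threshold` failures inside ANY window of length
    `window` (two-pointer scan over the sorted timestamps of each IP)."""
    by_ip = defaultdict(list)
    for e in failed_signins(events):
        by_ip[e["IPAddress"]].append(e["TimeGenerated"])
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def tumbling_bin_offenders(events, threshold=10, bin_minutes=5):
    """KQL: ... | summarize FailedCount = count() by IPAddress, bin(TimeGenerated, 5m)
             | where FailedCount > 10
    bin() aligns to fixed clock boundaries, so a burst crossing one is split."""
    counts = Counter()
    for e in failed_signins(events):
        t = e["TimeGenerated"]
        bin_start = t.replace(minute=t.minute - t.minute % bin_minutes,
                              second=0, microsecond=0)
        counts[(e["IPAddress"], bin_start)] += 1
    return {ip: n for (ip, _), n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("sliding window:", sliding_window_offenders(SAMPLE_EVENTS))
    print("5m bins:       ", tumbling_bin_offenders(SAMPLE_EVENTS))
```

The scheduled rule has the same blind spot as the binned function if its lookback equals its frequency (a 5-minute query run every 5 minutes is a tumbling window). Setting the lookback longer than the frequency, or binning at 1m and summing adjacent bins, gets closer to the sliding behaviour; the low-and-slow IP (one failure per minute) is missed by both and needs a separate, longer-window rule.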

873
MCQhard

A company stores business records in Azure Blob Storage. Due to a legal investigation, they must prevent any modification or deletion of the blobs for an indefinite period until the legal hold is released. They also need to ensure that even storage account owners cannot alter the data during the hold. Which blob storage feature should they enable?

A.Time-based retention policy
B.Legal hold
C.Soft delete
D.Blob versioning
AnswerB

Legal hold is a policy that keeps blobs in an immutable state for an indefinite period until the hold is removed. It is designed for legal and compliance scenarios.

Why this answer

Legal hold (option B) is the correct choice because it is designed to protect blobs from any modification or deletion for an indefinite period, even by storage account owners. Unlike time-based retention policies, a legal hold has no expiration and cannot be removed until explicitly cleared by an authorized user, making it ideal for indefinite legal investigations.

Exam trap

The trap here is that candidates often confuse time-based retention policies (which have a fixed duration) with legal holds (which are indefinite), or assume that soft delete or versioning can prevent modification or deletion by privileged users, when in fact they only provide recovery options and do not block destructive operations.

How to eliminate wrong answers

Option A is wrong because a time-based retention policy enforces a fixed retention period (e.g., 1–146,000 days) and automatically expires, which does not meet the indefinite hold requirement. Option C is wrong because soft delete only protects against accidental deletion by retaining deleted blobs for a configurable retention period (default 7 days), but it does not prevent modification or allow indefinite holds, and storage account owners can still permanently delete blobs if soft delete is disabled. Option D is wrong because blob versioning preserves previous versions of blobs but does not prevent modification or deletion of the current version; storage account owners can still overwrite or delete blobs, and versioning alone cannot enforce an indefinite legal hold.

874
MCQeasy

You are the identity security engineer for a multinational company that uses Microsoft Entra ID. The company has recently experienced a security breach where an attacker compromised a non-administrator user account and then used that account to enumerate all users in the tenant. The attacker then attempted to brute-force passwords for high-privilege accounts. To prevent such attacks, management requires the following: - Users with administrative roles must use phishing-resistant MFA. - Any sign-in from a risky IP address must be blocked. - Users must not be able to enumerate directory information via the Graph API unless they have a specific role. - The solution should be implemented using built-in Microsoft Entra ID features. What should you configure?

A.Enable Security defaults and configure Identity Protection user risk policy to block high-risk users.
B.Configure Conditional Access policy with authentication strength for admins requiring phishing-resistant MFA. Configure Identity Protection sign-in risk policy to block risky sign-ins. Restrict access to the Graph API by requiring a specific role assignment.
C.Configure Conditional Access policy for admins to require phishing-resistant MFA. Use PIM to require approval. Enable Identity Protection sign-in risk policy.
D.Configure PIM for all admin roles. Create access reviews for all users. Enable Identity Protection to detect risky sign-ins.
AnswerB

Authentication strength enforces phishing-resistant MFA. Sign-in risk policy blocks risky IPs. Restricting Graph API access prevents unauthorized enumeration.

Why this answer

Option B is correct. Phishing-resistant MFA (FIDO2 security keys, Windows Hello for Business, certificate-based authentication) is enforced for administrators through a Conditional Access policy that uses an authentication strength. A sign-in risk policy in Identity Protection blocks sign-ins that Identity Protection rates as risky, which covers its anonymous-IP and malicious-IP detections.

Directory enumeration by ordinary users is prevented by restricting who may read other users' directory data; in practice this means turning off the default 'users can read other users' permission in the tenant's authorization policy and granting a directory role only where it is needed. Option A is wrong because Security defaults enforce MFA for everyone but are not phishing-resistant and do nothing about enumeration. Option C is wrong because PIM governs role activation; it does not block enumeration.

Option D is wrong because PIM and access reviews manage role assignments; neither blocks risky sign-ins at authentication time nor prevents enumeration.

875
Drag & Dropmedium

Drag and drop the steps to configure Azure Application Gateway with SSL termination using a Key Vault certificate into the correct order.


Why this order

SSL termination requires a certificate from Key Vault, configured on the listener.

876
MCQmedium

A company uses Azure AD Conditional Access. They want to block sign-ins from countries where the company does not have offices. They have a list of allowed countries. Which condition should they configure in the Conditional Access policy?

A.Device platforms
B.Locations
C.Client apps
D.Sign-in risk
AnswerB

The Locations condition allows you to specify named locations by IP ranges or countries, and can be used to block or allow based on geographic region.

Why this answer

The Locations condition in Azure AD Conditional Access works with named locations, which can be defined by IP address ranges or by country/region (resolved from the sign-in IP address or, where configured, from GPS). To implement an allowlist, create a countries named location containing the allowed countries, then create a policy with the Locations condition set to 'Any location' with that named location excluded, and the grant control set to Block access. Every sign-in from outside the allowed countries is blocked, which directly meets the requirement.

Exam trap

The trap here is that candidates may confuse 'Locations' with 'Sign-in risk' because both involve IP addresses, but Sign-in risk evaluates behavioral anomalies (e.g., impossible travel) rather than allowing or blocking specific countries.

How to eliminate wrong answers

Option A is wrong because Device platforms condition filters based on the operating system of the device (e.g., Windows, iOS, Android), not geographic location. Option C is wrong because Client apps condition controls access based on the application type (e.g., browser, mobile app, legacy authentication), not the country of origin. Option D is wrong because Sign-in risk condition uses Azure AD Identity Protection to detect risky sign-in behavior (e.g., anonymous IP, atypical travel), not to block specific countries.

877
MCQmedium

A company stores highly sensitive data in Azure Blob Storage. The security policy requires that all data is encrypted at rest using a key that is stored in Azure Key Vault, and that the storage account uses its system-assigned managed identity to access the key. Which encryption configuration should they use?

A.Server-side encryption with service-managed keys
B.Server-side encryption with customer-managed keys (CMK)
C.Client-side encryption
D.Azure Disk Encryption
AnswerB

SSE-CMK uses a key from Azure Key Vault that the customer controls. The storage account's system-assigned managed identity can authenticate to Key Vault to access the key.

Why this answer

Server-side encryption with customer-managed keys (CMK) is required because the security policy mandates that the encryption key be stored in Azure Key Vault and that the storage account use its system-assigned managed identity to access that key. CMK lets you use a key you create in, or import (BYOK) into, your own Key Vault, and the storage account's managed identity is granted wrap/unwrap access to it, so the key stays under your control and you can rotate or revoke it. Service-managed keys (option A) are held and rotated by Microsoft, which does not satisfy the requirement for customer-controlled key storage.

Exam trap

The trap here is that candidates confuse 'encryption at rest' with 'client-side encryption' or 'Azure Disk Encryption', failing to recognize that the requirement for a managed identity to access a Key Vault key directly points to server-side CMK, not client-side or disk-level encryption.

How to eliminate wrong answers

Option A is wrong because server-side encryption with service-managed keys uses keys managed entirely by Microsoft, not stored in the customer's Azure Key Vault, and does not involve a managed identity for access. Option C is wrong because client-side encryption encrypts data before it is sent to Azure Blob Storage, meaning the storage account never accesses the key via its managed identity; the key is managed on the client side. Option D is wrong because Azure Disk Encryption is used to encrypt virtual machine disks (OS and data disks) using BitLocker or DM-Crypt, not Azure Blob Storage data.

878
MCQeasy

Your company uses Azure SQL Database for a line-of-business application. The security team requires that all queries executed against the database be audited, including the actual query text, and that the audit logs be retained for one year. You configure auditing to store logs in an Azure Storage account with a retention policy of 365 days. However, after some time, you notice that the audit logs are being deleted after only 30 days. You verify that the storage account's retention policy is set to 365 days and that the audit configuration is correct. What is the most likely cause of the logs being deleted prematurely?

A.The audit log retention period in Azure SQL Database auditing settings is set to 30 days.
B.The storage account has soft delete enabled, which deletes logs after 30 days.
C.A lifecycle management policy is deleting blobs after 30 days.
D.The storage account's immutable storage policy is overriding the retention setting.
AnswerA

The retention setting in Azure SQL auditing controls how long logs are kept, separate from the storage account policy.

Why this answer

Audit logs for Azure SQL Database can be stored in a storage account, but the retention period for those logs is configured within the Azure SQL auditing settings, not in the storage account. If the retention period in the auditing settings is 30 days, the audit blobs are deleted after that period regardless of any longer retention intended at the storage level. Option A is correct.

Option C is incorrect because lifecycle management policies exist only if someone created one, and the scenario states the storage configuration was verified. Option B is incorrect because soft delete retains deleted blobs for recovery; it never deletes live data. Option D is incorrect because an immutable storage policy prevents deletion and overwriting rather than causing it.

879
MCQhard

Your company is implementing a zero-trust security model. You need to ensure that all access to cloud applications is continuously verified based on user identity, device health, and location. Which combination of Microsoft security solutions should you use?

A.Microsoft Sentinel and Azure Policy
B.Microsoft Entra ID Protection and Privileged Identity Management
C.Azure Active Directory Domain Services and Azure Firewall
D.Microsoft Entra ID Conditional Access, Microsoft Intune, and Microsoft Defender for Cloud Apps
AnswerD

This combination provides identity, device, and cloud app verification for zero trust.

Why this answer

Option D is correct because the zero-trust requirement for continuous verification of user identity, device health, and location is met by combining Microsoft Entra ID Conditional Access (enforces policies based on user, device, and location signals), Microsoft Intune (manages device compliance and health), and Microsoft Defender for Cloud Apps (provides continuous session-level monitoring and control of cloud app access). This trio delivers the real-time, policy-driven access checks that zero trust demands.

Exam trap

The trap here is that candidates often pick Option B (Identity Protection + PIM) because they associate identity protection with zero trust, but they miss the critical need for device health verification (Intune) and continuous session monitoring (Defender for Cloud Apps) that are explicitly required by the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR for threat detection and response, not an access control solution, and Azure Policy enforces resource compliance at the Azure infrastructure layer, not user/device/location-based access to cloud apps. Option B is wrong because Microsoft Entra ID Protection focuses on risk-based detection and remediation of compromised identities, and Privileged Identity Management (PIM) manages just-in-time privileged role activation; neither continuously verifies device health or location for all cloud app access. Option C is wrong because Azure Active Directory Domain Services provides managed domain services (e.g., LDAP, Kerberos) for legacy apps, not modern conditional access, and Azure Firewall is a network-layer firewall that cannot evaluate user identity, device health, or application-level signals.

880
MCQeasy

You need to provide secure remote access to Azure virtual machines without assigning them public IP addresses. Which Azure service should you use?

A.Azure VPN Gateway
B.Azure Firewall
C.Azure Bastion
D.Azure Front Door
AnswerC

Bastion provides secure RDP/SSH access via the Azure portal without public IP.

Why this answer

Option C is correct because Azure Bastion brokers RDP/SSH sessions to VMs over TLS, from the Azure portal or the native client, using only the VMs' private IP addresses, so the VMs need no public IP and no inbound RDP/SSH exposure. Option A is wrong because VPN Gateway connects networks (site-to-site or point-to-site); it is a network link that still requires client setup and leaves RDP/SSH reachable across the tunnel, not a managed remote-session service. Option B is wrong because Azure Firewall filters traffic; it does not provide remote sessions.

Option D is wrong because Azure Front Door is a global HTTP(S) load balancer and edge service for web workloads.

881
MCQhard

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?

A.The activation approval requirement is not supported for the Global Administrator role
B.The user is a member of the approver group and is self-approving the request
C.The PIM policy has not been activated for the Global Administrator role
D.The role activation duration is set to zero, causing immediate activation
AnswerB

PIM does not stop an approver from approving their own activation request. Since the user is in the approver group, they can approve the request themselves; the self-approval is visible afterwards in the PIM audit history.

Why this answer

Option B is correct because when a user is a member of the approver security group in Azure AD PIM, they can approve their own activation request. PIM does not enforce separation between requester and approver: the approval workflow sends the request to all members of the approver group, and if the requesting user is also a member, they can approve it themselves, so the role activates with no independent approval.

Exam trap

The trap here is that candidates assume PIM automatically prevents self-approval, but Azure AD PIM does not enforce separation of duties between requesters and approvers unless the approver group is deliberately kept free of the role's eligible assignees (separate groups for eligible members and for approvers).

How to eliminate wrong answers

Option A is wrong because the Global Administrator role fully supports activation approval in PIM; it is one of the most common roles for which approval is configured. Option C is wrong because the PIM policy is already active (the user can activate the role), but the issue is the approval bypass due to self-approval, not a policy activation failure. Option D is wrong because the role activation duration cannot be set to zero; the minimum duration is 30 minutes, and a zero duration would not cause immediate activation—it would be invalid.

882
MCQeasy

A company uses Microsoft Sentinel to centralize security logs. They need to ensure that incidents from Microsoft Defender XDR are synchronized into Sentinel. Which data connector should they enable?

A.Office 365 connector
B.Windows Security Events connector
C.Microsoft Defender XDR connector
D.Azure Activity connector
AnswerC

This connector synchronizes incidents and alerts from Defender XDR.

Why this answer

Option C is correct because the Microsoft Defender XDR connector synchronizes incidents and alerts from Defender XDR into Sentinel and keeps incident status in sync in both directions. Option A is wrong because the Office 365 connector ingests Exchange, SharePoint and Teams activity logs, not incidents. Option B is wrong because the Windows Security Events connector collects Windows event logs from servers.

Option D is wrong because the Azure Activity connector ingests the subscription activity log (control-plane operations on Azure resources).

883
MCQmedium

You are configuring Microsoft Defender for Cloud's continuous export feature. You need to export security alerts and recommendations to a Log Analytics workspace for long-term retention and custom analysis. The export should include only high-severity alerts and recommendations. What should you do?

A.Set up Microsoft Sentinel to ingest Defender for Cloud alerts and then export to the workspace.
B.Enable continuous export in Defender for Cloud and select high-severity alerts and recommendations.
C.Configure diagnostic settings on each Azure resource to send logs to the workspace.
D.Use Azure Event Hubs to stream security alerts to the workspace.
AnswerB

Correct. Continuous export allows filtering by severity and exports to Log Analytics.

Why this answer

Option B is correct because continuous export in Defender for Cloud writes security alerts and recommendations to a Log Analytics workspace (or an Event Hub), and its settings let you filter by severity. Option A is wrong because Microsoft Sentinel is not needed; continuous export writes to the workspace directly. Option C is wrong because diagnostic settings on individual resources export that resource's own logs, not Defender for Cloud alerts and recommendations, and cannot filter by severity globally.

Option D is wrong because Event Hubs is a streaming destination for downstream SIEM integration, not a way to land data in a Log Analytics workspace.

884
MCQmedium

A security administrator needs to enable just-in-time (JIT) VM access for all Azure VMs in a subscription using Microsoft Defender for Cloud. What are the minimum permissions required to enable JIT on the VMs?

A.Security Admin on the subscription
B.Contributor on the subscription
C.Reader on the subscription
D.Owner on the subscription
AnswerA

Security Admin can enable JIT and manage security policies.

Why this answer

Option A is correct because the Security Admin role carries the Microsoft.Security write permissions needed to create and edit JIT network access policies, and nothing beyond security management. Option B is wrong because Contributor is a broad role over every resource type in the subscription; it exceeds what is needed. Option C is wrong because Reader cannot make changes.

Option D is wrong because Owner grants far more than needed, and the question asks for the minimum.

885
MCQhard

A company wants to enable Azure Disk Encryption (ADE) on their Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have created the Key Vault with soft-delete enabled and a key. However, the encryption fails. What is the most likely missing configuration that prevents ADE from using the KEK?

A.The Key Vault does not have the 'Azure Disk Encryption for Azure VMs' access policy.
B.The Key Vault does not allow access from the Azure platform.
C.The Key Vault firewall is enabled and blocking access from Azure services.
D.The Key Vault does not have the system-assigned managed identity of the VM enabled.
AnswerA

Correct. ADE requires this access policy to allow the Azure platform to access the KEK for encryption operations.

Why this answer

Azure Disk Encryption (ADE) requires the Key Vault to be explicitly enabled for disk encryption: the vault's enabledForDiskEncryption setting (shown in the portal under the vault's access configuration and set with `az keyvault update --enabled-for-disk-encryption true`), which grants the platform the wrap and unwrap access it needs on the KEK. Without it, the ADE extension cannot use the KEK to protect the volume encryption keys, even if the Key Vault itself is correctly configured with soft-delete and a key.

Exam trap

The trap here is that candidates often confuse the Key Vault firewall or VM managed identity as the cause, but the specific access policy for the Azure Disk Encryption service principal is a mandatory prerequisite that is frequently overlooked.

How to eliminate wrong answers

Option B is wrong because allowing access from the Azure platform is a legacy setting that is not required for ADE; ADE uses the service principal or managed identity, not the platform. Option C is wrong because while a firewall could block access, the question states the Key Vault was created with soft-delete enabled and a key, implying the firewall is not the issue; moreover, ADE can work with firewall rules if 'Allow trusted Microsoft services' is enabled, but the access policy is the primary missing configuration. Option D is wrong because the system-assigned managed identity of the VM is used for authentication to Key Vault only when using Azure RBAC or when the VM needs to retrieve secrets; ADE itself does not require the VM's managed identity to be enabled—it uses the Azure Disk Encryption service principal to access the Key Vault.

886
MCQhard

Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to implement a solution that detects password changes on-premises and forces re-authentication for active sessions within minutes. Which feature should you enable?

A.Azure AD Connect Health
B.Password Writeback with password change notification
C.Azure AD Domain Services
D.Seamless SSO
AnswerB

Synchronizes password changes and can trigger re-authentication via Conditional Access.

Why this answer

Option B is the answer because it is the only option that concerns propagating a password change to Microsoft Entra ID at all. With password hash synchronization, an on-premises password change reaches the cloud within about two minutes of the sync cycle, and Continuous Access Evaluation treats a password change as a critical event that revokes the user's existing access tokens, so active sessions must reauthenticate within minutes. Password writeback itself covers the opposite direction (cloud-initiated changes written to on-premises AD); it is the 'password change notification' element of the option that meets the requirement.

Exam trap

The trap here is that candidates often confuse Password Writeback with Seamless SSO, thinking that SSO handles password changes, when in fact Seamless SSO only provides silent authentication and does not detect or propagate password changes to force re-authentication.

How to eliminate wrong answers

Option A is wrong because Azure AD Connect Health monitors the health of the synchronization infrastructure but does not detect password changes or force re-authentication. Option C is wrong because Azure AD Domain Services provides managed domain services (e.g., LDAP, Kerberos) but does not handle password change detection or session re-authentication from on-premises. Option D is wrong because Seamless SSO provides automatic sign-in for users on domain-joined devices but does not detect password changes or force re-authentication for active sessions.

887
MCQmedium

A company has an Azure virtual network with multiple subnets hosting different application tiers. They need to inspect and filter all outbound traffic from VMs to the internet, and they must be able to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they deploy?

A.Azure Firewall.
B.Network Security Groups (NSGs).
C.Azure Application Gateway.
D.Azure VPN Gateway.
AnswerA

Correct. Azure Firewall provides application-level filtering based on FQDNs for outbound traffic.

Why this answer

Azure Firewall is a managed, cloud-based network security service that can inspect and filter outbound traffic from Azure virtual networks to the internet. It supports application rules based on fully qualified domain names (FQDNs), allowing or denying traffic by FQDN, which directly meets the requirement. Unlike simpler filtering options, Azure Firewall provides stateful inspection and integrates with Azure Monitor for logging.

Exam trap

The trap here is that candidates often confuse Network Security Groups (NSGs) with Azure Firewall, assuming NSGs can filter by FQDN because they support service tags, but service tags are IP-based and do not allow granular FQDN-level control.

How to eliminate wrong answers

Option B is wrong because Network Security Groups (NSGs) filter traffic based on source/destination IP addresses, ports, and protocols, but they cannot filter by FQDN; they lack application-layer inspection for domain names. Option C is wrong because Azure Application Gateway is a Layer 7 load balancer that routes HTTP/HTTPS traffic based on URL paths or host headers, but it is not designed for general outbound internet traffic inspection or FQDN-based filtering for all protocols. Option D is wrong because Azure VPN Gateway is used to create encrypted tunnels between on-premises networks and Azure, not for inspecting or filtering outbound internet traffic.

888
Multi-Selectmedium

Which TWO actions should you take to secure an Azure Cosmos DB account? (Choose two.)

Select 2 answers
A.Configure IP firewall rules to restrict access to trusted IP ranges
B.Use Azure AD and managed identities to authenticate to Cosmos DB
C.Use a private endpoint and disable key-based authentication
D.Set the default consistency level to Strong
E.Enable public network access from all networks
AnswersA, B

IP firewall rules limit access to specific IP addresses, reducing exposure.

Why this answer

Options A and B are correct. Option A: IP firewall rules limit which source addresses can reach the account, reducing exposure of the endpoint. Option B: Microsoft Entra ID authentication with managed identities keeps account keys out of application configuration and gives each caller its own identity and RBAC scope.

Option C is wrong as listed because a private endpoint by itself only changes the network path; disabling key-based authentication is a separate account setting (disableLocalAuth), not something the private endpoint provides. Option E is wrong because opening public network access to all networks widens exposure. Option D is wrong because the consistency level affects data semantics, not security.

889
Multi-Selecthard

A KQL query in Microsoft Sentinel detects impossible travel but returns many false positives from known VPN egress IP addresses. Which two changes would best reduce noise while preserving useful detections?

Select 2 answers
A.Join or filter against a watchlist of approved VPN egress IPs
B.Disable the SigninLogs connector for the tenant
C.Exclude events where the source IP is in the approved network list
D.Raise the query frequency from 1 hour to 24 hours
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because integrating a watchlist of known VPN egress IPs allows the KQL query to filter out these trusted IPs, reducing false positives from impossible travel detections. Option C is also correct because excluding events where the source IP is in an approved network list directly removes noise from legitimate VPN traffic, preserving detection of truly anomalous sign-ins. Both approaches leverage Sentinel's watchlist or allowlist capabilities to maintain detection fidelity while minimizing alert fatigue.

Exam trap

The trap here is that candidates may confuse reducing alert frequency (Option D) with reducing false positives, or think disabling a data connector (Option B) is a valid noise-reduction technique, when in fact both actions cripple detection capability rather than refining it.
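The pattern behind options A and C, worked as an added example (not code from the page or from Microsoft): in Sentinel the analytics rule would read the watchlist with `_GetWatchlist('ApprovedVpnEgress')` and filter `SigninLogs` with `where IPAddress !in (...)` before pairing sign-ins. The script below does the same suppression over constructed sign-in records, then applies an impossible-travel speed test so you can see that the VPN egress sign-in disappears while the genuinely anomalous pair is still detected. The watchlist ranges, users, coordinates and the 900 km/h threshold are all assumptions.

```python
"""Impossible-travel detection with a VPN-egress watchlist (added example, not from the page)."""
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed watchlist of approved VPN egress addresses (hypothetical ranges).
APPROVED_VPN_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed sign-in records shaped like SigninLogs rows: (user, UTC time, IP, latitude, longitude).
SIGNINS = [
    ("alice", "2024-05-01T08:00:00Z", "192.0.2.10",   47.61, -122.33),  # Seattle office
    ("alice", "2024-05-01T08:30:00Z", "203.0.113.25", 51.51,   -0.13),  # London egress of the corporate VPN
    ("bob",   "2024-05-01T09:00:00Z", "192.0.2.11",   47.61, -122.33),  # Seattle office
    ("bob",   "2024-05-01T09:40:00Z", "198.18.0.9",   35.68,  139.69),  # Tokyo, address not on the watchlist
]

MAX_SPEED_KMH = 900.0  # anything faster than an airliner is treated as impossible (assumed threshold)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_approved_egress(ip):
    """True when the IP falls inside any range of the watchlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_VPN_EGRESS)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def impossible_travel(events, suppress_watchlist=True):
    """Return (user, earlier_ip, later_ip, speed_kmh) for consecutive sign-ins that imply impossible speed.

    With suppress_watchlist=True, sign-ins from approved VPN egress IPs are dropped before
    pairing, which is what the watchlist filter in the analytics rule achieves.
    """
    if suppress_watchlist:
        events = [e for e in events if not is_approved_egress(e[2])]
    by_user = {}
    for e in sorted(events, key=lambda e: _parse(e[1])):
        by_user.setdefault(e[0], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (_parse(cur[1]) - _parse(prev[1])).total_seconds() / 3600
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_SPEED_KMH:
                hits.append((user, prev[2], cur[2], round(speed)))
    return hits


if __name__ == "__main__":
    print("raw hits:      ", impossible_travel(SIGNINS, suppress_watchlist=False))
    print("with watchlist:", impossible_travel(SIGNINS))
```

Filtering before pairing matters: if the VPN sign-in were removed only after the speed test, the Seattle-to-London pair would still have been scored. Widening the schedule (option D) would change nothing here, because both pairs fall inside any window you choose.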

890
MCQmedium

A virtual network has a Frontend subnet (web servers) and a Backend subnet (Azure SQL Database). The security team requires that no internet traffic can reach the Backend subnet directly, but the Frontend subnet must be able to communicate with the Backend subnet on port 1433. Which solution should they implement?

A.Azure Firewall with a routing table
B.Network Security Groups (NSGs)
C.Service Endpoints
D.Virtual Network Peering
AnswerB

NSGs provide stateful filtering at the subnet or NIC level, allowing you to explicitly allow/deny traffic from specific sources.

Why this answer

Network Security Groups (NSGs) are the correct solution because they provide stateful, layer-3/4 traffic filtering at the subnet or NIC level. Apply an NSG to the Backend subnet with an allow rule for TCP 1433 whose source is the Frontend subnet's address prefix, and a deny rule for the Internet service tag. Keep in mind that every NSG also carries default rules that are evaluated after your custom rules: AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). Inbound Internet traffic is therefore already denied unless a custom rule allows it, but traffic from any other subnet in the VNet is allowed by AllowVnetInBound; if the Backend subnet must accept only the Frontend subnet on 1433, add an explicit deny-all rule with a priority number lower than 65000 (for example 4000), with an allow for AzureLoadBalancer ahead of it if the backend sits behind a load balancer.

Exam trap

The trap here is that candidates often confuse Service Endpoints with network security filtering, but Service Endpoints only provide a secure direct path to Azure services, not traffic filtering or internet isolation for the subnet itself.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a managed, stateful firewall service that inspects traffic at layers 3-7, but it is overkill for this simple subnet-to-subnet filtering requirement and introduces unnecessary cost and complexity; a routing table alone cannot filter traffic. Option C is wrong because Service Endpoints secure traffic from a virtual network to Azure PaaS services (like Azure SQL Database) over the Azure backbone, but they do not filter or block internet traffic to the subnet itself—they only ensure traffic to the PaaS service stays on the Microsoft network. Option D is wrong because Virtual Network Peering connects two separate virtual networks, not subnets within the same VNet, and does not provide traffic filtering or internet isolation.
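How the priority order plays out, as an added example (not code from the page or from Azure): a small evaluator that walks custom rules plus the three default inbound rules in ascending priority and returns the first match, so you can see why the minimal rule set from the explanation still admits a third subnet and why an explicit deny ahead of AllowVnetInBound is needed to close that. The VNet range, subnet prefixes and rule names are assumptions, and the VirtualNetwork and Internet service tags are simplified to "inside the VNet address space" and "outside it".

```python
"""NSG inbound rule evaluation in priority order (added example, not from the page)."""
import ipaddress

# Constructed topology: one VNet with a Frontend and a Backend subnet (hypothetical ranges).
VNET = ipaddress.ip_network("10.0.0.0/16")
FRONTEND_PREFIX = "10.0.1.0/24"

# Default inbound rules that every NSG carries; Azure evaluates them after all custom rules.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "src": "VirtualNetwork", "port": "*", "action": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "src": "AzureLoadBalancer", "port": "*", "action": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "src": "*", "port": "*", "action": "Deny"},
]


def src_matches(rule_src, src_ip):
    """Match a rule's source (service tag, CIDR or '*') against a packet's source address.

    Simplification: VirtualNetwork is the VNet's own address space (in Azure it also covers
    peered VNets and on-premises ranges) and Internet is anything outside it.
    """
    addr = ipaddress.ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return addr in VNET
    if rule_src == "Internet":
        return addr not in VNET
    if rule_src == "AzureLoadBalancer":
        return addr == ipaddress.ip_address("168.63.129.16")  # Azure health-probe source
    return addr in ipaddress.ip_network(rule_src)


def port_matches(rule_port, dst_port):
    return rule_port == "*" or int(rule_port) == dst_port


def evaluate_inbound(custom_rules, src_ip, dst_port):
    """Return (rule name, action) of the first match in ascending priority; first match wins."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if src_matches(rule["src"], src_ip) and port_matches(rule["port"], dst_port):
            return rule["name"], rule["action"]
    raise AssertionError("DenyAllInBound matches every packet")


# Backend-subnet NSG as the explanation describes it.
BACKEND_NSG_MINIMAL = [
    {"name": "AllowFrontendSql", "priority": 100, "src": FRONTEND_PREFIX, "port": "1433", "action": "Allow"},
    {"name": "DenyInternet", "priority": 200, "src": "Internet", "port": "*", "action": "Deny"},
]

# Stricter variant: an explicit deny with a priority number lower than 65000 overrides
# AllowVnetInBound, so other subnets in the VNet are blocked as well. If a load balancer
# fronts the backend, add an AzureLoadBalancer allow ahead of this deny.
BACKEND_NSG_STRICT = BACKEND_NSG_MINIMAL + [
    {"name": "DenyAllOtherInbound", "priority": 4000, "src": "*", "port": "*", "action": "Deny"},
]

if __name__ == "__main__":
    for rules, label in ((BACKEND_NSG_MINIMAL, "minimal"), (BACKEND_NSG_STRICT, "strict")):
        for src, port in (("10.0.1.4", 1433), ("203.0.113.9", 1433), ("10.0.3.4", 22)):
            print(label, src, port, evaluate_inbound(rules, src, port))
```

The third flow (10.0.3.4 to port 22) is the one to watch: with only the two custom rules it is admitted by the default AllowVnetInBound rule, which is exactly the gap the explicit deny closes.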

891
MCQmedium

Refer to the exhibit. You are creating a custom role in Microsoft Entra ID. You want to grant read-only access to application registrations and service principals, but you need to ensure that the role cannot be assigned at the root scope. What change is required?

A.Change assignableScopes to ["/tenant-id"]
B.Add microsoft.directory/applications/allProperties/read to actions.
C.Modify the roleName to include 'Read-Only'.
D.Add dataActions for application data.
AnswerA

Restricts assignable scopes to a specific tenant, preventing root scope assignment.

Why this answer

Option A is correct because assignableScopes is the property that controls where a role definition can be assigned, and a root scope of "/" means it can be assigned anywhere in the tenant. Replacing the root scope with a narrower one prevents root-level assignment, and A is the only option that changes assignableScopes at all.

Two caveats a practitioner should know. First, "/tenant-id" is not a valid Azure Resource Manager scope; valid assignable scopes are management groups (/providers/Microsoft.Management/managementGroups/<name>), subscriptions (/subscriptions/<id>), resource groups and individual resources, so in practice you would list one or more of those. Second, the action in option B (microsoft.directory/applications/allProperties/read) belongs to Microsoft Entra ID directory roles, which are defined through rolePermissions and scoped when they are assigned (tenant-wide, or to an administrative unit or an application object), not through an assignableScopes property; assignableScopes is an Azure RBAC concept. The question mixes the two models, but the principle being tested is the same in both: the role's permissions do not govern where it can be assigned, only its scope does.

Exam trap

The trap here is that candidates often confuse assignableScopes with permissions, thinking that modifying the actions or dataActions will control where the role can be assigned, when in fact only the assignableScopes property determines the assignment scope.

How to eliminate wrong answers

Option B is wrong because adding microsoft.directory/applications/allProperties/read to actions would grant read access to all properties of applications, but it does not address the requirement to prevent assignment at the root scope; it only modifies permissions. Option C is wrong because modifying the roleName to include 'Read-Only' is purely cosmetic and has no effect on the assignable scopes or the ability to assign the role at the root scope. Option D is wrong because dataActions are used for data plane permissions (e.g., reading application data), not for controlling the scope of role assignment; they do not affect where the role can be assigned.
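A check for the root-scope mistake, as an added example (not code from the page or from Microsoft): it parses an Azure RBAC custom role definition, classifies each assignable scope, flags "/" (and strings such as "/tenant-id" that are not ARM scopes at all), and shows the definition passing once it is restricted to a subscription. The role name, the placeholder read-only action and the all-zero subscription ID are assumptions.

```python
"""Lint the assignableScopes of an Azure RBAC custom role definition (added example, not from the page)."""
import json
import re

# Constructed role definition in the Azure RBAC JSON shape. The Actions entry is a
# hypothetical read-only placeholder, not a recommendation for any real role.
ROLE_JSON = """{
  "Name": "Directory Object Reader (custom)",
  "IsCustom": true,
  "Description": "Read-only access, must not be assignable at root",
  "Actions": ["Microsoft.Authorization/*/read"],
  "NotActions": [],
  "DataActions": [],
  "AssignableScopes": ["/"]
}"""

GUID = r"[0-9a-fA-F-]{36}"
SCOPE_KINDS = (
    ("root", re.compile(r"^/$")),
    ("managementGroup", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")),
    ("subscription", re.compile(rf"^/subscriptions/{GUID}$")),
    ("resourceGroup", re.compile(rf"^/subscriptions/{GUID}/resourceGroups/[^/]+$")),
    ("resource", re.compile(rf"^/subscriptions/{GUID}/resourceGroups/[^/]+/providers/.+$")),
)


def load_role():
    return json.loads(ROLE_JSON)


def classify_scope(scope):
    """Return the scope kind, or 'invalid' for strings that are not ARM scopes (e.g. '/tenant-id')."""
    for kind, pattern in SCOPE_KINDS:
        if pattern.match(scope):
            return kind
    return "invalid"


def audit_role(role):
    """Return a list of findings; an empty list means the definition passes the checks."""
    findings = []
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty; the role cannot be assigned anywhere")
    for scope in scopes:
        kind = classify_scope(scope)
        if kind == "root":
            findings.append(f"{scope}: root scope, role would be assignable tenant-wide")
        elif kind == "invalid":
            findings.append(f"{scope}: not a valid ARM scope")
    if role.get("DataActions"):
        findings.append("DataActions present on a role intended as control-plane read-only")
    non_read = [a for a in role.get("Actions", []) if a == "*" or not a.lower().endswith("/read")]
    if non_read:
        findings.append(f"non-read actions present: {non_read}")
    return findings


def restrict_scopes(role, scopes):
    """Return a copy of the role whose AssignableScopes is replaced by the given list."""
    fixed = dict(role)
    fixed["AssignableScopes"] = list(scopes)
    return fixed


if __name__ == "__main__":
    role = load_role()
    print(audit_role(role))
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    print(audit_role(restrict_scopes(role, [sub])))
```

Running this as a pre-deployment check on role definitions in source control catches the root-scope case before `az role definition create` ever sees the file.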

892
MCQmedium

Your company uses Azure Files shares to store business documents. You need to ensure that access to the shares is restricted to users who have been granted explicit permissions. What should you configure?

A.Configure a firewall rule to allow only corporate IP ranges.
B.Use storage account access keys to mount the file share.
C.Enable identity-based authentication for Azure Files using Microsoft Entra ID and set share-level permissions.
D.Generate a shared access signature (SAS) with read permissions.
AnswerC

Identity-based authentication maps users to share permissions.

Why this answer

Option C is correct because identity-based authentication for Azure Files (Microsoft Entra Kerberos, on-premises AD DS or Microsoft Entra Domain Services) lets you grant share-level permissions to specific users and groups through the built-in Storage File Data SMB Share Reader/Contributor/Elevated Contributor roles, and then enforce NTFS permissions on directories and files. Option B is wrong because the storage account access key grants full, identity-less access to every share in the account.

Option D is wrong because a SAS token is time-limited and scoped to operations, but anyone holding it can use it; it does not identify a user. Option A is wrong because a firewall rule restricts source networks, not users.

893
MCQhard

A security analyst uses Microsoft Defender for Cloud. They need to continuously monitor the security posture of their Azure subscription against the Microsoft cloud security benchmark (MCSB). They want to see the current compliance score and specific recommendations for failing controls. Which Defender for Cloud feature should they use?

A.Regulatory compliance dashboard
B.Security posture
C.Workbooks
D.Advanced hunting
AnswerA

Correct. The Regulatory compliance dashboard provides a view of compliance against selected standards like MCSB, showing scores and detailed recommendations for non-compliant controls.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud is specifically designed to track compliance against standards like the Microsoft cloud security benchmark (MCSB). It provides a current compliance score and lists specific recommendations for failing controls, enabling continuous monitoring and remediation tracking. This dashboard aggregates assessment results from the secure score and maps them to the controls defined in the selected regulatory standard.

Exam trap

The trap here is that candidates often confuse the 'Security posture' feature (which shows a general secure score) with the 'Regulatory compliance dashboard' (which maps that score to a specific regulatory standard like MCSB), leading them to choose the wrong option because they overlook the requirement for standard-specific compliance tracking.

How to eliminate wrong answers

Option B (Security posture) is wrong because the Security posture feature focuses on the overall secure score and security recommendations based on best practices, not on mapping to a specific regulatory standard like MCSB. Option C (Workbooks) is wrong because Workbooks are customizable Azure Monitor dashboards that can visualize data from multiple sources, but they do not natively provide the out-of-the-box compliance score and control mapping against MCSB. Option D (Advanced hunting) is wrong because Advanced hunting is a query-based threat hunting tool in Microsoft 365 Defender for investigating security incidents, not for monitoring compliance posture or regulatory benchmarks.

894
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They want to ensure that when a user activates the role, the activation request must be approved by a member of the 'Global Admin Approvers' group, and the activation should be time-bound with a maximum of 4 hours. Which PIM settings should they configure?

A.Set the activation maximum duration to 4 hours and require approval from the 'Global Admin Approvers' group.
B.Set the activation maximum duration to 4 hours and enable MFA on activation.
C.Set the activation to require a ticket number justification and set the maximum duration to 8 hours.
D.Set the role to be permanently active but with a just-in-time approval workflow.
AnswerA

This directly configures the required duration and an approval workflow with the designated group.

Why this answer

Option A is correct because Azure AD PIM allows you to configure role activation settings, including an activation maximum duration (which can be set to 4 hours) and requiring approval from a specified group (in this case, 'Global Admin Approvers'). These settings directly meet the requirement for time-bound activation with approval.

Exam trap

The trap here is that candidates may confuse 'require approval' with 'require MFA' or 'require justification', not realizing that approval is a distinct setting that must be explicitly configured to meet the requirement for a designated approver group.

How to eliminate wrong answers

Option B is wrong because enabling MFA on activation does not satisfy the requirement for approval from the 'Global Admin Approvers' group; MFA is an additional security measure, not a substitute for approval. Option C is wrong because requiring a ticket number justification does not enforce approval, and setting the maximum duration to 8 hours exceeds the required 4-hour limit. Option D is wrong because setting the role to be permanently active contradicts the requirement for time-bound activation, and just-in-time approval workflow does not enforce a maximum duration.

895
Multi-Selectmedium

Your company has deployed an Azure Firewall in a hub virtual network to inspect traffic from spoke virtual networks. You need to ensure that all outbound traffic from a spoke virtual network to the internet is forced through the Azure Firewall. Which three of the following actions are required? (Choose three.)

Select 3 answers
A.Create a route table in the spoke virtual network with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP as the next hop.
B.Associate the route table to the subnets in the spoke virtual network that need to send traffic through the firewall.
C.Enable forced tunneling on the Azure Firewall to route traffic through an on-premises network.
D.Configure the Azure Firewall policy with appropriate network and application rules to allow or deny outbound traffic.
E.Deploy a Network Virtual Appliance (NVA) in the spoke virtual network to handle outbound traffic.
F.Set the Azure Firewall to 'Drop' mode for all outbound traffic by default.
AnswersA, B, D

Why this answer

To force all outbound traffic from a spoke virtual network through Azure Firewall, you must create a route table in the spoke with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. This route table must be associated with the subnets in the spoke that need to send traffic through the firewall. Additionally, you must configure the Azure Firewall policy with appropriate network and application rules to allow or deny outbound traffic, as the firewall itself does not automatically permit traffic without explicit rules.

Exam trap

The trap here is that candidates often think they need to enable forced tunneling on the Azure Firewall itself, but forced tunneling is a separate feature for routing the firewall's own internet-bound traffic to on-premises, not for forcing spoke traffic through the firewall. Option E is unnecessary because Azure Firewall already is the inspection appliance, and option F is not a real setting: Azure Firewall denies any traffic that matches no rule by default, which is why the rules in option D are required for anything to pass.
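Steps A and B worked through as an added example (not code from the page or from Azure): a longest-prefix-match lookup over a subnet's effective routes, where a user-defined route overrides the system route with the same prefix. It shows that with the route table in place internet-bound traffic goes to the firewall while VNet-local traffic does not, and that a subnet the table was never associated with keeps the system route to Internet and bypasses the firewall entirely. The spoke prefix, firewall IP and subnet names are assumptions, and the system routes are reduced to the two that matter here.

```python
"""Effective next hop for a spoke subnet with and without the forced-firewall route table (added example)."""
import ipaddress

SPOKE_VNET_PREFIX = "10.1.0.0/16"   # hypothetical spoke address space
FIREWALL_PRIVATE_IP = "10.0.0.4"    # hypothetical private IP of the hub Azure Firewall

# System routes Azure gives every subnet (simplified to the two that matter here).
SYSTEM_ROUTES = [
    (SPOKE_VNET_PREFIX, "VnetLocal", None),
    ("0.0.0.0/0", "Internet", None),
]

# User-defined route table required by the question: default route to the firewall.
FORCE_FIREWALL_ROUTES = [
    ("0.0.0.0/0", "VirtualAppliance", FIREWALL_PRIVATE_IP),
]


def effective_routes(user_routes):
    """A user-defined route overrides the system route with the same prefix."""
    merged = {prefix: (hop, ip) for prefix, hop, ip in SYSTEM_ROUTES}
    for prefix, hop, ip in user_routes:
        merged[prefix] = (hop, ip)
    return merged


def next_hop(user_routes, destination):
    """Longest-prefix match over the effective routes; returns (next hop type, next hop IP)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, (hop, ip) in effective_routes(user_routes).items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop, ip)
    return best[1], best[2]


def subnets_bypassing_firewall(associations, probe="1.1.1.1"):
    """Given {subnet name: route table or None}, list the subnets whose internet-bound
    traffic does not reach the firewall. This models step B, associating the table."""
    return [name for name, table in associations.items()
            if next_hop(table or [], probe)[0] != "VirtualAppliance"]


if __name__ == "__main__":
    assoc = {"workload": FORCE_FIREWALL_ROUTES, "mgmt": None}  # constructed association map
    print(next_hop(FORCE_FIREWALL_ROUTES, "1.1.1.1"))    # forced to the firewall
    print(next_hop(FORCE_FIREWALL_ROUTES, "10.1.2.5"))   # stays VnetLocal
    print(subnets_bypassing_firewall(assoc))             # ['mgmt']
```

In a real tenant the equivalent check is the effective routes view on a NIC (`az network nic show-effective-route-table`), which is what you look at when a "protected" spoke still reaches the internet: almost always a subnet that never got the association.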

896
MCQeasy

You are configuring an Azure Kubernetes Service (AKS) cluster. You need to ensure that pods can securely access Azure Container Registry (ACR) without storing image pull secrets in the pod specification. What should you do?

A.Create a service principal and store the secret in a Kubernetes secret, then reference it in the pod spec
B.Enable admin account on ACR and use the admin username and password in the pod spec
C.Enable managed identity on AKS and assign the AcrPull role to the kubelet identity
D.Use the storage account key of the attached Azure storage account
AnswerC

Managed identity allows the AKS cluster to authenticate to ACR without managing secrets; the kubelet identity pulls images automatically.

Why this answer

Option C is correct because an AKS cluster can use a managed identity, and the kubelet identity (the identity the node pool uses to pull images) can be granted the AcrPull role on the registry; this is the wiring that `az aks create --attach-acr` and `az aks update --attach-acr` set up. Option B is wrong because the ACR admin account is a shared username/password that is not tied to any identity and would still have to be stored as a Kubernetes secret. Option A is wrong because a service principal secret still has to be created, stored and rotated.

Option D is wrong because a storage account key has nothing to do with container registry authentication.

897
MCQmedium

A security engineer wants Defender for Cloud to detect threats against Azure SQL Database and SQL Server on Azure VMs. Which plan should be enabled?

A.Defender for Storage
B.Defender for Databases or Defender for SQL coverage as presented in the portal
C.Defender for App Service only
D.Defender External Attack Surface Management
AnswerB

Correct for the stated requirement.

Why this answer

Defender for Databases (or the Defender for SQL coverage option in the portal) is the correct plan because it provides threat detection specifically for Azure SQL Database and SQL Server on Azure VMs. This plan monitors anomalous activities such as SQL injection, brute-force attacks, and unusual access patterns using Microsoft's threat intelligence and machine learning models. It is the only plan that directly covers both PaaS and IaaS SQL workloads as described.

Exam trap

The trap here is that candidates may confuse 'Defender for Storage' with protecting SQL databases because SQL databases store data, but Defender for Storage is specifically for blob, file, and data lake storage, not for relational database engines like SQL Server or Azure SQL Database.

How to eliminate wrong answers

Option A is wrong because Defender for Storage is designed to detect threats against Azure Blob Storage, Azure Files, and Data Lake Storage, not against SQL databases or SQL Server instances. Option C is wrong because Defender for App Service only protects web applications running on Azure App Service, not SQL databases or SQL Server on VMs. Option D is wrong because Defender External Attack Surface Management focuses on discovering and monitoring an organization's external internet-facing assets and attack surfaces, not on detecting threats within Azure SQL Database or SQL Server on VMs.

898
MCQeasy

You need to ensure that all Azure subscriptions in your tenant are automatically assessed for security misconfigurations and compliance against Microsoft cloud security benchmark. What should you configure?

A.Deploy Microsoft Sentinel with automatic data connectors
B.Assign an initiative via Azure Policy to all subscriptions
C.Enable continuous export in Microsoft Defender for Cloud
D.Create a blueprint definition and assign it to management group
AnswerC

Defender for Cloud's MCSB assessment covers every onboarded subscription; continuous export streams its findings out.

Why this answer

The answer key marks C. The mechanism behind it is worth knowing: Defender for Cloud assesses resources against MCSB through the Microsoft cloud security benchmark initiative, which it assigns via Azure Policy by default on every subscription it is enabled on, so no manual assignment is normally required (which is why option B, although it names a real mechanism, is not the intended answer). Continuous export does not itself perform assessments; it streams the resulting recommendations, alerts and secure score to a Log Analytics workspace or an Event Hub so that other tooling can consume them. Option A is wrong because Microsoft Sentinel is a SIEM/SOAR that consumes Defender for Cloud output rather than producing posture assessments.

Option D is wrong because Azure Blueprints is deprecated in favour of template specs and deployment stacks.

899
MCQeasy

Your organization wants to use Microsoft Sentinel to automatically respond to high-severity incidents. Which feature should you configure?

A.Create an analytics rule with a high severity.
B.Create an automation rule that triggers a playbook on incident creation.
C.Create a workbook to visualize incidents.
D.Enable entity behavior analytics.
AnswerB

Automation rules can automatically respond to incidents.

Why this answer

Option B is correct because automation rules in Sentinel can trigger playbooks or other responses automatically based on incident conditions. Option A is wrong because analytic rules generate alerts, not automated responses. Option C is wrong because workbooks are for visualization.

Option D is wrong because entity behavior analytics is for detection, not response.

900
MCQmedium

Refer to the exhibit. You are querying the sys.column_master_keys view in an Azure SQL Database. What is the purpose of this query?

A.To check the Dynamic Data Masking policies.
B.To retrieve the column master key configuration for Always Encrypted.
C.To verify the configuration of Transparent Data Encryption (TDE).
D.To list the encryption keys used for column-level encryption.
AnswerB

sys.column_master_keys stores Always Encrypted keys.

Why this answer

Option B is correct. The catalog view sys.column_master_keys returns one row per column master key registered for Always Encrypted, including the key store provider name (for example AZURE_KEY_VAULT) and the key_path; the column encryption keys those CMKs wrap are listed separately in sys.column_encryption_keys. Option C is wrong because TDE uses a database encryption key protected by a server certificate or a Key Vault key and is inspected through sys.dm_database_encryption_keys, not column master keys.

Option A is wrong because Dynamic Data Masking rewrites query results and uses no keys at all (its rules live in sys.masked_columns). Option D is wrong because classic column-level (cell) encryption uses symmetric keys and certificates stored in the database (sys.symmetric_keys, sys.certificates), not column master keys.
