Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 976-1000

1000 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
MCQeasy

You need to ensure that Microsoft Defender for Cloud automatically provisions the Log Analytics agent on all new Azure VMs in a subscription. What should you configure?

A.Use Azure Automation State Configuration to enforce agent installation.
B.Install the Log Analytics agent as a VM extension on each VM manually.
C.Create an Azure Policy initiative that deploys the Log Analytics agent.
D.Enable auto-provisioning in the Defender for Cloud environment settings.
AnswerD

Auto-provisioning installs the Log Analytics agent on every new supported VM in the subscription without per-VM action.

Why this answer

Option D is correct because Defender for Cloud has an auto-provisioning setting in the subscription's environment settings that installs the Log Analytics agent on each new supported VM; under the hood Defender for Cloud implements this with an Azure Policy assignment that it creates and manages for you. Option C is wrong because a self-authored Azure Policy initiative can deploy the agent, but it is not the Defender for Cloud mechanism the question asks for. Option B is wrong because installing the VM extension manually covers only the VMs that exist today and does not keep up with new ones. Option A is wrong because Azure Automation State Configuration manages in-guest configuration and is not how Defender for Cloud provisions its monitoring agent.

Note for practice: the Log Analytics agent (MMA) was retired on 31 August 2024; current Defender for Cloud deployments rely on the Azure Monitor Agent and agentless scanning instead, but the exam point is still that the auto-provisioning setting, not manual or custom deployment, is the intended control.

977
MCQmedium

Your company uses Azure Virtual WAN with a secured virtual hub (Azure Firewall). You have branch offices connected via ExpressRoute. You need to ensure that traffic from a branch to a VNet in the same region is inspected by the firewall. You configure the default route (0.0.0.0/0) advertisement from the hub to the branch, but the traffic is not being inspected. What is the most likely reason?

A.The 'Inter-hub' setting is disabled.
B.The branch does not have a route table associated with the connection.
C.Routing intent for private traffic is not enabled.
D.The VNet has a network virtual appliance (NVA) that overrides the firewall.
AnswerC

Routing intent must be configured to force private traffic (including branch-to-VNet) through the firewall.

Why this answer

Azure Virtual WAN puts the hub's Azure Firewall in the path of private traffic through routing intent (a private traffic routing policy). Advertising a default route to the branch only steers internet-bound traffic to the hub; without routing intent for private traffic, branch-to-VNet and VNet-to-VNet flows follow the hub's default route table and reach the VNet without passing through the firewall, so only internet-bound traffic is inspected.

978
MCQhard

You have a hub-spoke network with Azure Firewall in the hub. Spoke VNet1 contains a VM that needs to communicate with a VM in Spoke VNet2. Both spoke VNets are peered to the hub. You configure Azure Firewall DNAT rules to forward traffic to specific VMs, but the communication fails. You verify that the firewall rules allow the traffic and that the VMs can reach each other's private IPs if the firewall is bypassed. What is the most likely issue?

A.The spoke VNets have overlapping IP address spaces.
B.The firewall's Threat Intelligence mode is blocking the traffic.
C.The firewall's Outbound SNAT is disabled for the spoke VNet ranges.
D.Azure Firewall does not support DNAT between spoke VNets.
AnswerC

Without SNAT the source IP stays the originating VM's IP, so the destination VM can reply directly and bypass the firewall, breaking the flow.

Why this answer

When a DNAT rule matches, the firewall rewrites the destination IP and port, but the source address is still the originating VM's private IP. If the firewall does not also SNAT the flow to its own private IP, the destination VM sends its reply straight to the source VM; unless the destination subnet has a UDR that sends that return traffic back through the firewall, the reply takes a different path than the request and the stateful firewall drops the asymmetric flow. In practice, spoke-to-spoke traffic through a hub firewall is handled with network rules plus UDRs on both spoke subnets that point the other spoke's range (or 0.0.0.0/0) at the firewall's private IP, which keeps both directions symmetric; DNAT rules are designed for inbound traffic that arrives at the firewall's public IP.

979
MCQmedium

You are reviewing an NSG rule as shown in the exhibit. This rule is applied to a subnet containing web servers. What is the security implication of this rule?

A.It restricts inbound traffic to TCP only.
B.It allows all inbound traffic, creating a security risk.
C.It blocks all inbound traffic except HTTP.
D.It restricts inbound traffic to HTTP only.
AnswerB

The rule allows any inbound traffic from any source to any port over any protocol, which is insecure.

Why this answer

Option B is correct because the rule allows all inbound traffic from any source to any destination port and IP over any protocol, which is far more than a web server needs and exposes every listening service on the subnet (RDP, SSH, database ports, management agents) to the internet. Option A is wrong because the protocol is 'Any', not TCP only. Option C is wrong because the rule allows traffic rather than blocking it, and it makes no HTTP-specific distinction. Option D is wrong because the destination port is '*', not 80 or 443. A web-server subnet should instead allow only TCP 80 and 443 from the required sources (or from the load balancer or WAF in front of it) and let the default DenyAllInBound rule drop everything else.
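The exhibit's allow-anything rule beside a hardened rule set, evaluated the way the platform does it: lowest priority number wins, then the built-in default rules. This is an added example written for this page, not Microsoft code; the rule names, the 10.0.0.0/16 VNet range and the test addresses are constructed, and the VirtualNetwork, AzureLoadBalancer and Internet service tags are modelled only as far as this evaluator needs.

```python
"""Priority-ordered NSG evaluation and a linter for the exhibit's allow-anything rule.
Added example for this page; constructed rule set and addresses, not Microsoft code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # 100-4096 for custom rules; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*" or a service tag
    dest_port: str     # "443", "80-443", "22,3389" or "*"


# Constructed VNet range; the "VirtualNetwork" tag resolves to it in this model.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
# 168.63.129.16 is the address Azure load balancer health probes come from.
LB_PROBE = ipaddress.ip_network("168.63.129.16/32")

# Every NSG ends with these platform default rules (priorities 65000 and up).
DEFAULT_INBOUND = (
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
)


def _source_matches(rule_source: str, addr) -> bool:
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return addr in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return addr in LB_PROBE
    if rule_source == "Internet":          # anything outside the VNet, in this model
        return addr not in VNET_SPACE
    return addr in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    for part in rule_port.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, src_ip: str, dest_port: int, protocol: str, direction: str = "Inbound"):
    """Return (access, rule_name) for the first matching rule in priority order.
    Custom rules are combined with the platform defaults, as Azure does."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(list(rules) + list(DEFAULT_INBOUND), key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if _source_matches(rule.source, addr) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    return "Deny", "implicit"      # unreachable while the defaults are present


def is_overly_permissive(rule: NsgRule) -> bool:
    """The exhibit's pattern: inbound Allow from any source to any port over any protocol."""
    return (rule.direction == "Inbound" and rule.access == "Allow"
            and rule.source in ("*", "Internet") and rule.dest_port == "*" and rule.protocol == "*")


# The rule from the exhibit, as described in the question text.
EXHIBIT_RULE = NsgRule("AllowAnyInbound", 100, "Inbound", "Allow", "*", "*", "*")

# What a web-server subnet actually needs: HTTPS and HTTP only; the rest hits DenyAllInBound.
HARDENED_RULES = (
    NsgRule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    NsgRule("AllowHttpInbound", 110, "Inbound", "Allow", "Tcp", "Internet", "80"),
)


if __name__ == "__main__":
    for label, rules in (("exhibit", [EXHIBIT_RULE]), ("hardened", HARDENED_RULES)):
        for port in (443, 3389):
            print(label, port, evaluate(rules, "203.0.113.5", port, "Tcp"))
    print("exhibit rule overly permissive:", is_overly_permissive(EXHIBIT_RULE))
```

Running it shows RDP from a public address allowed by the exhibit rule and denied by DenyAllInBound under the hardened set, while VNet-internal and load-balancer probe traffic still gets through via the default rules.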

980
MCQhard

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They want the activation of this role to require approval from a specific group of senior security engineers before the role becomes active. They also want the approvers to receive an email notification when an activation request is submitted. Which PIM configuration must be set?

A.Set the activation maximum duration to 1 hour.
B.Require justification on activation.
C.Require approval to activate.
D.Configure notification emails for role activation.
AnswerC

Enabling 'Require approval' ensures that activation requests go to designated approvers. Notifications are sent automatically to approvers when a request is made.

Why this answer

Option C is correct because Azure AD PIM requires the 'Require approval to activate' setting to enforce that activation requests for a role must be approved by designated approvers before the role becomes active. This setting also automatically triggers email notifications to the configured approvers when a request is submitted, fulfilling both the approval and notification requirements.

Exam trap

The trap here is that candidates often confuse 'Configure notification emails for role activation' (Option D) with the approval workflow, not realizing that notifications are automatically sent when approval is required, and that the approval setting itself is the key to both the approval and notification requirements.

How to eliminate wrong answers

Option A is wrong because setting the activation maximum duration to 1 hour only limits how long the role can remain active after approval, but does not enforce an approval workflow or send notifications to approvers. Option B is wrong because requiring justification on activation only mandates the user to provide a reason for activation, but does not introduce an approval step or notify approvers. Option D is wrong because configuring notification emails for role activation only controls who receives alerts about activations, but does not require approval; notifications are a separate setting that can be enabled independently of the approval workflow.

981
Multi-Selecthard

You are responsible for securing a multi-region Azure environment. The environment includes virtual networks in three regions: East US, West Europe, and Southeast Asia. You need to ensure that all traffic between these virtual networks is encrypted and travels over the Microsoft backbone network. Additionally, you must minimize latency for cross-region traffic. Which TWO configurations should you implement? (Choose two.)

Select 2 answers
A.Enable global VNet peering on the peering connections.
B.Set up ExpressRoute circuits from each region to Microsoft.
C.Deploy Azure Firewall in each virtual network and route traffic through it.
D.Deploy Azure VPN Gateway in each virtual network and configure site-to-site VPN connections.
E.Configure VNet peering between each pair of virtual networks.
AnswersA, E

Global VNet peering connects virtual networks in different regions over the Microsoft backbone with no gateway in the path.

Why this answer

Option E is correct because VNet peering connects virtual networks privately over the Microsoft backbone, and Option A is correct because global VNet peering extends this to VNets in different regions, again over the backbone and with the lowest latency of the listed options since no gateway sits in the path. Option D is incorrect because VNet-to-VNet VPN gateway connections add an IPsec tunnel and gateway hops, which raises latency and caps throughput at the gateway SKU. Option B is incorrect because ExpressRoute connects on-premises networks to Azure rather than VNets to each other. Option C is incorrect because Azure Firewall filters traffic but provides no cross-region connectivity.

Caveat: peering adds no encryption of its own. Traffic that leaves a datacenter on Microsoft's backbone is protected by MACsec at the physical layer, but if you need encryption of the traffic inside the VNets you must use TLS at the application layer or Azure's virtual network encryption feature.

982
MCQhard

Your company has deployed Azure Virtual WAN with secured virtual hubs. You need to enforce that all traffic between on-premises sites and Azure virtual networks (VNets) passes through the Azure Firewall in the hub. You have configured routing accordingly. However, traffic from an on-premises site to a VNet is still bypassing the firewall. What is the most likely cause?

A.The on-premises site has forced tunneling enabled.
B.The virtual network (spoke) is propagating the default route (0.0.0.0/0) learned from the hub via BGP, causing traffic to be sent directly to the on-premises network.
C.The Azure Firewall is deployed in a separate spoke VNet instead of the hub.
D.The Azure Firewall is not in the same virtual hub as the VPN gateway.
AnswerB

If the spoke learns the hub's default route but no private-traffic routing policy is in place, traffic to on-premises prefixes follows the hub's default route table straight to the VPN or ExpressRoute gateway instead of the firewall.

Why this answer

Option B is the intended answer: the firewall is only in the path for prefixes whose next hop is the firewall. When the spoke propagates the hub's default route (0.0.0.0/0) while the on-premises prefixes learned via BGP still point directly at the gateway, the more specific on-premises routes win and VNet-to-site traffic bypasses the firewall. In a secured hub the fix is to configure routing intent (a private traffic routing policy) so that branch and VNet prefixes are all routed through Azure Firewall. Option A is wrong because forced tunneling concerns internet-bound traffic, not site-to-VNet traffic. Option C is wrong because a secured virtual hub by definition hosts Azure Firewall inside the hub, not in a spoke. Option D is wrong because in Virtual WAN the firewall and the VPN/ExpressRoute gateways of a secured hub are deployed in the same hub.

983
MCQhard

You are troubleshooting an issue where users are unable to access a sensitive application protected by a Conditional Access policy. The policy requires MFA from trusted locations, but users are reporting that they are prompted for MFA even when connecting from the corporate office, which is defined as a trusted location. What is the most likely cause?

A.The corporate office's public IP address is not correctly defined in the trusted location
B.The policy is configured to require MFA for all locations regardless of trust
C.The policy is set to 'Require MFA' instead of 'Require MFA from trusted locations'
D.Users are not assigned to the policy
AnswerA

The location might have changed or been misconfigured.

Why this answer

Option A is correct because the most likely cause is that the corporate office's public IP address is not correctly defined in the trusted location. Conditional Access evaluates location against the named locations configured in Azure AD, which must contain the exact public IP ranges (CIDR notation) the office egresses from. If the range is missing, mistyped, or the users' actual egress address differs (for example after a proxy, VPN or ISP change, or because the office also egresses over IPv6 and only IPv4 ranges were entered), the policy treats the sign-in as untrusted and enforces MFA. To confirm, open one of the affected events in the Azure AD sign-in logs: the Conditional Access tab shows which policy applied, and the IP address on the event is what was compared against the named location's ranges.

Exam trap

The trap here is that candidates may assume the policy is misconfigured to require MFA for all locations (Option B) or that the policy type is wrong (Option C), but the real issue is a misalignment between the actual public IP and the defined trusted location, which is a common oversight in real-world deployments.

How to eliminate wrong answers

Option B is wrong because if the policy were configured to require MFA for all locations regardless of trust, users would be prompted for MFA everywhere, not just from the corporate office, and the question specifies the issue is only from the corporate office. Option C is wrong because the policy setting 'Require MFA' versus 'Require MFA from trusted locations' is not a distinct toggle; Conditional Access policies use grant controls like 'Require multi-factor authentication' combined with a condition for locations, so this option misrepresents the configuration. Option D is wrong because if users were not assigned to the policy, they would not be prompted for MFA at all, contradicting the reported behavior.
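The check described above, applied to a few sign-ins the way the policy's location condition evaluates them. This is an added example for this page, not Microsoft code: the named location, users and addresses are constructed, and the office is assumed to have moved to a new proxy egress and an IPv6 prefix that were never added to the trusted location.

```python
"""Evaluate sign-ins against Conditional Access named locations the way the
question's policy does: trusted location -> no MFA prompt, anything else -> MFA.
Added example for this page, not Microsoft code; locations, users and
addresses below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NamedLocation:
    name: str
    ranges: tuple          # CIDR strings exactly as entered in the named location
    trusted: bool = False  # the "Mark as trusted location" checkbox


def _networks(location: NamedLocation):
    return [ipaddress.ip_network(r, strict=False) for r in location.ranges]


def matching_locations(ip: str, locations) -> list:
    """Names of every named location whose ranges contain this address."""
    addr = ipaddress.ip_address(ip)
    return [loc.name for loc in locations if any(addr in net for net in _networks(loc))]


def decide(ip: str, locations) -> tuple:
    """Mirror a policy scoped to 'Any location' excluding 'All trusted locations'
    with 'Require multifactor authentication' as the grant control.
    Returns ("skip" | "mfa", reason)."""
    addr = ipaddress.ip_address(ip)
    for loc in locations:
        if loc.trusted and any(addr in net for net in _networks(loc)):
            return "skip", f"{ip} is inside trusted location '{loc.name}'"
    family = "IPv6" if addr.version == 6 else "IPv4"
    hint = "no trusted location lists this address"
    trusted_v6 = any(net.version == 6
                     for loc in locations if loc.trusted
                     for net in _networks(loc))
    if addr.version == 6 and not trusted_v6:
        hint = "trusted locations contain only IPv4 ranges; the IPv6 egress is unmatched"
    return "mfa", f"{ip} ({family}) is untrusted: {hint}"


def triage(signins, locations) -> dict:
    """Map each sign-in to its decision so the mismatch is visible per user."""
    return {s["user"]: decide(s["ip"], locations) for s in signins}


# Constructed: the egress range the admin entered for the office.
TRUSTED = (NamedLocation("Corp HQ", ("198.51.100.0/24",), trusted=True),)

# Constructed sign-in log entries; the office now also egresses through
# 203.0.113.0/24 (a new proxy) and an IPv6 prefix that were never added.
SIGNINS = [
    {"user": "alice", "ip": "198.51.100.23"},   # old egress, still listed
    {"user": "bob",   "ip": "203.0.113.9"},     # new proxy egress, not listed
    {"user": "carol", "ip": "2001:db8:1::10"},  # office IPv6 egress, not listed
]


if __name__ == "__main__":
    for user, (outcome, reason) in triage(SIGNINS, TRUSTED).items():
        print(f"{user:6s} {outcome:4s} {reason}")
```

The output makes the diagnosis concrete: only the user still leaving through the listed range skips MFA, and the reason string for the IPv6 sign-in points at the most commonly forgotten range.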

984
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want users who activate this role to provide a justification and a support ticket number, and they want the activation to expire after a maximum of 4 hours. Which PIM role settings should they configure?

A.Configure the activation maximum duration only
B.Configure the requirement for justification only
C.Configure the requirement for ticket information only
D.Configure the activation maximum duration, require justification, and require ticket information in the role settings
AnswerD

This combination enforces all three requirements: maximum duration of 4 hours, justification, and ticket information, as specified in the scenario.

Why this answer

Option D is correct because the scenario requires all three conditions: a maximum activation duration of 4 hours, mandatory justification, and mandatory ticket information. In Azure AD PIM, these are independent settings within the role settings configuration, and all must be enabled to meet the stated requirements. Without configuring all three, the activation would not enforce the specified controls.

Exam trap

The trap here is that candidates might think justification and ticket information are a single combined requirement, or that duration is automatically enforced, when in fact each setting must be explicitly configured in PIM role settings.

How to eliminate wrong answers

Option A is wrong because configuring only the activation maximum duration ignores the requirements for justification and ticket information, leaving those controls unenforced. Option B is wrong because requiring only justification omits the ticket information and duration limit, so users could activate without a ticket and for longer than 4 hours. Option C is wrong because requiring only ticket information misses the justification and duration limit, allowing activations without a reason and for an indefinite or default duration.

985
MCQhard

Your company uses Azure SQL Database. You need to ensure that all queries from a specific application use Always Encrypted to protect sensitive columns. The application is developed in C#. What must you configure in the application and database?

A.Enable Transparent Data Encryption (TDE) on the database and use integrated security.
B.Configure Dynamic Data Masking and use ODBC driver.
C.Define column master key and column encryption key in the database, and update the connection string to include 'Column Encryption Setting=enabled'.
D.Use Azure Information Protection labels and configure the application to enforce protection.
AnswerC

This enables Always Encrypted in the client driver while the keys are defined in the database.

Why this answer

Option C is correct because Always Encrypted needs two things: the column master key (CMK) metadata and a column encryption key (CEK) defined in the database, with the CMK itself held outside the database (for example in Azure Key Vault or the Windows certificate store), and a client driver that supports Always Encrypted (.NET Framework 4.6.1+ or Microsoft.Data.SqlClient, or an ODBC/JDBC driver with Always Encrypted support) with Column Encryption Setting=enabled in the connection string, so the driver transparently encrypts parameters and decrypts result columns. The application must also use parameterized queries, because the driver can only encrypt values passed as parameters, never literals embedded in SQL text. Option A is wrong because Transparent Data Encryption encrypts the whole database at rest and the server still sees plaintext at query time. Option B is wrong because Dynamic Data Masking only obfuscates query results and does not encrypt stored data. Option D is wrong because Azure Information Protection classifies and protects documents and email, not SQL columns.

986
MCQhard

A multinational corporation uses Microsoft Defender for Cloud to assess security posture across multiple subscriptions. The security team wants to ensure that all resources in a specific management group are compliant with a custom set of security standards. What should they do?

A.Assign a built-in or custom regulatory compliance standard to the management group in Defender for Cloud
B.Configure Defender for Cloud's security policy for each subscription individually
C.Use the Secure Score API to monitor compliance
D.Create an Azure Policy initiative and assign it to the management group
AnswerA

Regulatory compliance standards, including custom ones, can be assigned at management group scope.

Why this answer

Option A is correct because in Defender for Cloud's environment settings you can assign built-in standards, or a custom standard you compose from Azure Policy definitions, to a management group, so every subscription beneath it is assessed against the same controls and the results appear in the Regulatory compliance dashboard. Option D is wrong because a plain Azure Policy initiative assigned directly through Azure Policy is not treated as a security standard unless it is added through Defender for Cloud (Defender for Cloud does implement its standards as policy initiatives, but the assignment is meant to be made from Defender for Cloud). Option B is wrong because per-subscription configuration does not scale and drifts over time; the management group assignment is inherited. Option C is wrong because Secure Score is a measurement of posture, not a mechanism for enforcing a standard.

987
MCQmedium

A company uses Microsoft Sentinel to monitor Azure resources. They have a custom analytic rule that generates an incident when a user creates a new Azure SQL Database. The incident is assigned to the security team. However, they want to automatically notify the database administration team via email when such an incident is created. What should they configure?

A.Create a playbook in Azure Logic Apps that sends an email and attach it to the analytic rule
B.Configure a Microsoft Teams connector in the analytic rule
C.Create an automation rule in Sentinel that runs a playbook to send an email
D.Create an Azure Monitor alert rule that triggers on the same query
AnswerC

Automation rules run playbooks when incidents are created or updated.

Why this answer

Option C is correct because a Sentinel automation rule with the 'When incident is created' trigger can run a Logic Apps playbook built on the incident trigger that emails the DBA team, and the rule can be scoped to this analytics rule only. Note that the playbook's resource group must grant the Microsoft Sentinel Automation Contributor role to the Azure Security Insights service principal, or the automation rule cannot run it. Option A is wrong because a playbook attached directly to an analytics rule runs on the alert trigger, before an incident exists; incident-triggered playbooks are run through automation rules. Option D is wrong because an Azure Monitor alert rule fires on the log query independently and is not tied to the Sentinel incident. Option B is wrong because there is no Teams connector setting inside an analytics rule; a Teams notification would itself be a playbook action.

988
MCQeasy

Your organization has Microsoft Entra ID P2 licenses. You want to automatically detect and respond to compromised identities by requiring MFA when a sign-in risk is medium or above. Which policy should you configure?

A.Enable self-service password reset
B.Configure a Conditional Access policy with sign-in risk condition
C.Configure an Identity Protection user risk policy to require MFA
D.Configure an Identity Protection sign-in risk policy
AnswerB

A Conditional Access policy with the sign-in risk condition set to medium and high and the 'Require multifactor authentication' grant control enforces MFA on risky sign-ins.

Why this answer

Option B is correct because the requirement is a response to sign-in risk (the risk of one particular authentication), and the supported way to require MFA at medium or high sign-in risk is a Conditional Access policy whose condition is sign-in risk and whose grant control is 'Require multifactor authentication'; this risk-based Conditional Access policy is what Microsoft now recommends over the legacy Identity Protection policies. Option D would also respond to sign-in risk, but the legacy Identity Protection sign-in risk policy is being retired in favour of the Conditional Access equivalent. Option C is wrong because a user risk policy reacts to the aggregate likelihood that the account itself is compromised and its remediation is a secure password change, not MFA. Option A is wrong because self-service password reset is a recovery feature, not a risk response.

989
MCQmedium

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create a custom analytics rule that detects when a user account is created in Microsoft Entra ID and then, within 24 hours, that account is granted a privileged role (e.g., Global Administrator). You have set up the necessary data connectors to ingest Microsoft Entra ID audit logs and sign-in logs into Sentinel. The rule should trigger an incident with high severity when this sequence occurs. Which KQL query should you use in the analytics rule?

A.AuditLogs | where OperationName == "Add user" | join kind=inner (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].id == $right.TargetResources[0].id | where TimeGenerated <= 24h
B.AuditLogs | where OperationName == "Add user" | join kind=inner (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].id == $right.TargetResources[0].id | where TimeGenerated > 24h
C.AuditLogs | where OperationName == "Add user" | join kind=leftouter (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].id == $right.TargetResources[0].id | where TimeGenerated > 24h
D.AuditLogs | where OperationName == "Add user" | join kind=inner (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].displayName == $right.TargetResources[0].displayName | where TimeGenerated <= 24h
AnswerA

Option A is the intended answer: it joins the user creation event to the role assignment event on the target user's object id (not on displayName, which is not unique, as Option D does) with an inner join so only users who actually received a role are returned, and it filters to a 24-hour window. Note that the option is schematic rather than runnable KQL: a join must be keyed on columns, so both sides need an extend such as UserId = tostring(TargetResources[0].id) before join on UserId, and the window has to compare the two timestamps (for example, extend CreatedAt on the left and GrantedAt on the right, then where GrantedAt between (CreatedAt .. CreatedAt + 24h)); 'TimeGenerated <= 24h' compares a datetime to a timespan and is not a window check. Options B and C invert the window or use a left outer join, which would return every new user whether or not a role was granted.
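The same detection expressed as a runnable join over records shaped like Sentinel's AuditLogs rows, so the effect of the join key and the window can be checked. This is an added example for this page, not the original rule or Microsoft code; the user ids, names, role names and timestamps are constructed, and the list of roles treated as privileged is an assumption.

```python
"""Detect 'account created, then granted a privileged role within 24 hours'
over records shaped like Sentinel's AuditLogs rows. Added example for this
page, not the original rule; ids, names and timestamps are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Assumed set of roles worth a high-severity incident.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}
WINDOW = timedelta(hours=24)


def _role_event(op: str, uid: str, name: str, role: str, ts: str) -> dict:
    # Entra records the role in modifiedProperties as a JSON-encoded string.
    return {"TimeGenerated": ts, "OperationName": op,
            "TargetResources": [{"id": uid, "displayName": name,
                                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                         "newValue": json.dumps(role)}]}]}


def _user_event(uid: str, name: str, ts: str) -> dict:
    return {"TimeGenerated": ts, "OperationName": "Add user",
            "TargetResources": [{"id": uid, "displayName": name}]}


# Constructed AuditLogs-like rows.
AUDIT_LOGS = [
    _user_event("u-1", "svc-backup", "2024-05-01T09:00:00Z"),
    _role_event("Add member to role", "u-1", "svc-backup", "Global Administrator", "2024-05-01T11:30:00Z"),
    _user_event("u-2", "jdoe", "2024-04-01T09:00:00Z"),
    _role_event("Add member to role", "u-2", "jdoe", "Global Administrator", "2024-05-01T12:00:00Z"),  # 30 days later
    _user_event("u-3", "svc-backup", "2024-05-01T10:00:00Z"),   # different account, same display name
    _user_event("u-4", "reader", "2024-05-01T12:30:00Z"),
    _role_event("Add member to role", "u-4", "reader", "Directory Readers", "2024-05-01T13:00:00Z"),  # not privileged
    _role_event("Add eligible member to role", "u-5", "pimuser", "Security Administrator", "2024-05-01T14:00:00Z"),  # no creation event
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _role_name(event: dict):
    for prop in event["TargetResources"][0].get("modifiedProperties", []):
        if prop["displayName"] == "Role.DisplayName":
            return json.loads(prop["newValue"])
    return None


def detect(logs, key: str = "id", window: timedelta = WINDOW, privileged=PRIVILEGED_ROLES) -> list:
    """Inner-join creation events to privileged role grants on TargetResources[0][key]
    and keep pairs where the grant follows the creation by at most `window`.
    key="id" is the correct join key; key="displayName" is accepted only to show the
    false positive that option D's join produces."""
    creations = [(e["TargetResources"][0][key], e["TargetResources"][0]["id"], _ts(e["TimeGenerated"]))
                 for e in logs if e["OperationName"] == "Add user"]
    hits = []
    for e in logs:
        # covers "Add member to role" and PIM variants such as "Add eligible member to role"
        if "member to role" not in e["OperationName"]:
            continue
        role = _role_name(e)
        if role not in privileged:
            continue
        target = e["TargetResources"][0]
        granted = _ts(e["TimeGenerated"])
        for join_value, created_uid, created_at in creations:
            delta = granted - created_at
            if join_value == target[key] and timedelta(0) <= delta <= window:
                hits.append({"user_id": created_uid, "role": role,
                             "hours_after_creation": delta.total_seconds() / 3600,
                             "severity": "High"})
    return hits


if __name__ == "__main__":
    for hit in detect(AUDIT_LOGS):
        print(hit)
```

With the id join only u-1 fires; switching the join key to displayName also flags u-3, an unrelated account that merely shares a display name, which is exactly why option D is wrong.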

990
Multi-Selectmedium

Your company uses Microsoft Entra ID (P2 licensed) and requires that all user logins from untrusted networks be blocked unless the user's device is marked as compliant by Microsoft Intune. You need to implement this requirement. Which TWO components should you use together to achieve this? (Choose two.)

Select 2 answers
A.Privileged Identity Management (PIM)
B.Microsoft Entra Identity Protection
C.Conditional Access policy with device compliance condition
D.Microsoft Intune Device Compliance policy
E.Microsoft Entra Access Reviews
AnswersC, D

Conditional Access can block sign-ins from untrusted networks unless the device is compliant.

Why this answer

Options C and D are correct. Intune's device compliance policy defines what makes a device compliant (encryption, OS version, Defender status and so on) and reports that state to Microsoft Entra ID; the Conditional Access policy then uses the location condition (all locations except trusted named locations) together with the 'Require device to be marked as compliant' grant control, so sign-ins from untrusted networks succeed only from compliant devices. Option B is wrong because Identity Protection detects risk but does not evaluate device compliance. Option A is wrong because PIM governs privileged role activation. Option E is wrong because Access Reviews attest access after the fact and enforce nothing at sign-in.

991
Multi-Selectmedium

Your organization uses Microsoft Defender for Cloud to monitor Azure resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources. Which TWO options can you use to achieve this?

Select 2 answers
A.Create a Logic Apps playbook that runs on a schedule.
B.Assign an Azure Policy with a DeployIfNotExists effect that deploys the required configuration.
C.Configure Microsoft Sentinel to automatically remediate based on alerts.
D.Enable 'Quick Fix!' for supported recommendations in Defender for Cloud.
E.Use Azure Automation runbooks to manually run remediation.
AnswersB, D

DeployIfNotExists policies and Quick Fix remediation both apply the required configuration to non-compliant resources.

Why this answer

Options B and D are correct. Azure Policy with a DeployIfNotExists effect deploys the required configuration whenever a non-compliant resource is created or updated; for resources that already existed before the assignment you must also create a remediation task, because DeployIfNotExists does not retroactively change existing resources on its own. Quick Fix (the Fix button on supported Defender for Cloud recommendations) applies a predefined ARM-based remediation to the selected resources in one step; it is operator-initiated rather than hands-off, so for genuinely unattended remediation the policy route is the one to rely on. Option A is wrong because a scheduled Logic Apps playbook is a custom workflow rather than a built-in remediation path (Defender for Cloud's workflow automation can trigger such playbooks on recommendations, but that is not one of the listed options). Option E is wrong because the option itself says the runbooks are run manually. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR that acts on alerts and incidents, not on Defender for Cloud recommendations.

992
Multi-Selecthard

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Select 2 answers
A.Application Gateway WAF or Azure Front Door WAF
B.Azure Automation State Configuration
C.Azure DDoS Protection on the virtual network where applicable
D.Azure Files premium tier
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because both Azure Application Gateway WAF and Azure Front Door WAF provide managed rule sets (e.g., OWASP Core Rule Set 3.2) that protect against common web vulnerabilities such as SQL injection and cross-site scripting. Option C is correct because Azure DDoS Protection, when enabled on the virtual network hosting the application, mitigates network-layer DDoS attacks (e.g., SYN floods, UDP floods) by leveraging Azure's global infrastructure to absorb and scrub attack traffic.

Exam trap

The trap here is that candidates may confuse Azure Automation State Configuration (a DevOps tool) with a security service, or assume Azure Files premium tier offers built-in attack protection, when in fact only WAF and DDoS Protection directly address the specified OWASP and DDoS threats.

993
MCQhard

Your company uses Azure Front Door to globally distribute traffic to a web app. You need to ensure that only traffic from Front Door can reach the web app, and all other traffic is blocked. The web app is behind an Azure Application Gateway. What is the most secure and reliable configuration?

A.Place the web app behind a private endpoint and connect Front Door via private link.
B.Use an NSG on the Application Gateway subnet with a deny-all rule and allow the AzureFrontDoor.Backend service tag.
C.Configure an NSG on the Application Gateway subnet to allow traffic only from the Front Door backend IP ranges.
D.Restrict the Application Gateway to only accept traffic from the Front Door frontend IP.
AnswerC

Front Door publishes its origin-facing IP ranges (also exposed as the AzureFrontDoor.Backend service tag), which can be used in NSGs.

Why this answer

Option C is the intended answer because Front Door's origin-facing IP ranges are published and can be allowed in an NSG on the Application Gateway subnet so that only traffic arriving via Front Door reaches the gateway. Option D is wrong because the Front Door frontend addresses are the anycast addresses clients connect to; they are not the source of requests to your origin. Option B is marked wrong by the answer key in favour of explicit ranges, but in practice the AzureFrontDoor.Backend service tag covers exactly those ranges and is kept current by Microsoft, whereas a hand-maintained IP list breaks when the ranges change. Option A is wrong because Private Link origins are a Front Door Premium feature for supported origin types and are not a way to filter what reaches a public Application Gateway frontend.

Caveat: an IP or service tag filter only proves the request came from some Front Door profile, not necessarily yours. Microsoft's guidance is to combine the service tag with validation of the X-Azure-FDID header against your own Front Door profile ID (for example with a WAF custom rule on the Application Gateway). The Application Gateway subnet NSG must also keep allowing the GatewayManager service tag (ports 65200-65535 for v2) and AzureLoadBalancer traffic, or the gateway itself stops working.

994
Matchingmedium

Match each Azure encryption concept to its description.

Concepts and their matching descriptions

Encryption at rest: Data is encrypted when stored on disk

Encryption in transit: Data is encrypted during network transmission

Server-side encryption (SSE): Azure encrypts data before writing to storage

Client-side encryption: Data encrypted by client before sending to Azure

Azure Disk Encryption (ADE): Encrypts OS and data disks using BitLocker/DM-Crypt

Why these pairings

Encryption is key to data protection in Azure. At rest and in transit describe where the data is protected; server-side and client-side describe who performs the encryption and holds the keys (Azure storage services encrypt automatically with Microsoft-managed or customer-managed keys, while client-side encryption keeps both plaintext and keys out of Azure entirely); Azure Disk Encryption applies in-guest volume encryption (BitLocker on Windows, DM-Crypt on Linux) with keys held in Azure Key Vault.

995
Multi-Selectmedium

You are planning a network security strategy for a multi-tier application deployed on Azure virtual machines. You need to ensure that traffic between the web tier and the application tier is encrypted and that the application tier is not directly accessible from the internet. Which three of the following should you implement? (Choose three.)

Select 3 answers
A.Deploy an Azure Application Gateway with SSL/TLS termination in front of the web tier.
B.Configure a network security group (NSG) on the application tier subnet to deny all inbound traffic from the internet.
C.Enable end-to-end TLS encryption between the web tier and the application tier using certificates.
D.Use Azure Front Door to route traffic between the web tier and the application tier.
E.Assign public IP addresses to the application tier virtual machines for monitoring purposes.
F.Configure a site-to-site VPN between the web tier and the application tier subnets.
AnswersA, B, C

Why this answer

Deploying an Azure Application Gateway with SSL/TLS termination in front of the web tier ensures that incoming client traffic is encrypted at the edge, and the gateway can then forward traffic to the web tier. Configuring an NSG on the application tier subnet to deny all inbound traffic from the internet directly protects the application tier from external access. Enabling end-to-end TLS encryption between the web tier and the application tier using certificates ensures that traffic within the virtual network remains encrypted, meeting the requirement for encrypted inter-tier communication.

Exam trap

The trap here is that candidates often confuse Azure Front Door (a global service) with Azure Application Gateway (a regional service) and incorrectly assume Front Door can handle internal tier routing, or they think a site-to-site VPN is needed for intra-VNet encryption when end-to-end TLS is the correct approach.

996
MCQeasy

A company has multiple on-premises web applications that need to be securely published for remote employees. The company uses Azure AD for identity management and wants to apply Conditional Access policies, including multi-factor authentication, to these applications. The security team wants to avoid exposing the on-premises infrastructure to the internet directly. Which Azure service should they deploy to meet these requirements?

A.Azure Application Gateway
B.Azure Front Door
C.Azure AD Application Proxy
D.Azure VPN Gateway
AnswerC

Azure AD Application Proxy publishes on-premises web applications externally with Azure AD pre-authentication, allowing integration with Conditional Access policies and MFA without exposing the on-premises network.

Why this answer

Azure AD Application Proxy is the correct service because it provides secure remote access to on-premises web applications without requiring a VPN or opening inbound firewall ports. It integrates natively with Azure AD, enabling Conditional Access policies such as multi-factor authentication (MFA) to be applied to these applications. The service works by establishing an outbound-only connection from the on-premises Application Proxy connector to Azure AD, ensuring the on-premises infrastructure is never directly exposed to the internet.

Exam trap

The trap here is that candidates often confuse Azure AD Application Proxy with Azure Application Gateway or Azure Front Door, assuming any reverse proxy can secure on-premises apps, but only Application Proxy uses an outbound-only connector that keeps the internal network completely hidden from the internet.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a layer 7 load balancer and web application firewall (WAF) that typically requires the backend applications to be internet-facing or accessible via a public IP, which violates the requirement to avoid direct internet exposure. Option B is wrong because Azure Front Door is a global load balancer and content delivery network (CDN) that also requires the backend to be publicly reachable or connected via private link, but it does not provide the outbound-only connector model needed to keep on-premises infrastructure hidden. Option D is wrong because Azure VPN Gateway creates a site-to-site or point-to-site VPN tunnel, which exposes the on-premises network to the internet via the VPN endpoint and does not natively integrate with Azure AD Conditional Access or MFA for individual web applications.

997
MCQeasy

Your security team uses Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) to detect insider threats. To enable UEBA, which data source must be connected to Sentinel?

A.Microsoft Entra ID data connector
B.Azure Key Vault data connector
C.Office 365 data connector
D.Azure Activity log data connector
AnswerA

The Microsoft Entra ID connector supplies the identity data UEBA needs.

Why this answer

Option A is correct because UEBA builds its user entity profiles from Microsoft Entra ID, so the Microsoft Entra ID data connector (audit and sign-in logs) must be connected before UEBA can be enabled. When you turn UEBA on you then choose which data sources it analyses, and Azure Activity (Option D) is one of those optional sources rather than a prerequisite. Option B is wrong because Key Vault diagnostics are not an identity source. Option C is wrong because Office 365 logs are not required for UEBA.

998
MCQeasy

You need to allow an Azure VM to access an on-premises SQL Server database securely. The on-premises network is connected to Azure via a site-to-site VPN. You want to minimize latency and avoid traversing the internet. What should you use?

A.Service endpoint for SQL.
B.Azure Private Link.
C.VNet peering.
D.Site-to-site VPN connection.
AnswerD

The existing site-to-site VPN is the only listed option that carries traffic from the VM to an on-premises server.

Why this answer

Option D is correct because, of the listed options, only the site-to-site VPN connects the VNet to the on-premises network; the VM reaches the SQL Server's private address through the VPN gateway over the IPsec tunnel, so the database is never exposed on the internet. Strictly, the tunnel itself still crosses the public internet in encrypted form; the only Azure connectivity that keeps on-premises traffic off the internet entirely, with lower and more predictable latency, is ExpressRoute, but it is not among the options. Option B is wrong because Private Link exposes Azure PaaS services (or services behind an Azure load balancer) on private IPs; it cannot reach a SQL Server on premises. Option C is wrong because VNet peering joins Azure VNets only. Option A is wrong because service endpoints route a subnet to Azure PaaS services such as Azure SQL Database, not to an on-premises server.

999
MCQhard

You are troubleshooting connectivity from an on-premises network to an Azure VM. The connection uses a site-to-site VPN. The VM can be pinged from on-premises, but an application running on the VM cannot connect to an on-premises database server. The database server's firewall is configured to allow connections from the Azure VPN gateway public IP. What is the most likely cause of the issue?

A.An NSG on the VM's subnet is blocking outbound traffic.
B.The VPN tunnel is not established.
C.The effective routes on the VM are misconfigured.
D.The on-premises firewall is allowing the wrong IP address. The Azure VPN gateway's private IP should be allowed.
AnswerD

Inside the tunnel the traffic keeps the VM's private source address; the gateway's public IP only terminates the IPsec tunnel and is never the source the database server sees.

Why this answer

Option D is the intended answer: allowing the gateway's public IP is the wrong rule. The public IP terminates the IPsec tunnel, but the packets delivered on the on-premises side carry the originating VM's private IP as their source (the VPN gateway does not NAT unless NAT rules are explicitly configured), so the database server's firewall must allow the Azure VNet's address space, or at least the VM's private IP, rather than a gateway address. Option B is wrong because the successful ping from on-premises proves the tunnel is up. Option C is wrong because the effective routes already carry traffic across the tunnel, as the same ping shows. Option A is less likely because an NSG would have to block the VM's outbound traffic to the on-premises range specifically, which nothing in the scenario suggests; if correcting the on-premises firewall rule does not resolve the issue, check the VM's effective security rules next.

1000
MCQhard

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They have configured the role activation to require Azure Multi-Factor Authentication and a support ticket number. However, users are reporting that they can activate the role without entering a ticket number. What is the most likely cause?

A.The 'Require ticket information on activation' setting is not enabled in the role settings
B.Users are activating through the Azure AD overview page instead of the PIM blade
C.The activation policy requires approval but the approvers ignore the ticket field
D.The role is configured for 'Active' assignment instead of 'Eligible'
AnswerA

This setting must be explicitly enabled for PIM to prompt for a ticket number during activation. Without it, the ticket field is not shown.

Why this answer

Option A is correct because the 'Require ticket information on activation' setting is a separate toggle in the PIM role settings that must be explicitly enabled. Even if the support ticket number field is displayed in the activation form, the system will not enforce its entry unless this specific setting is turned on. Without it, users can leave the field blank and still successfully activate the role.

Exam trap

The trap here is that candidates assume the presence of a ticket number field in the activation form means it is required, but PIM separates the UI display from the enforcement toggle, so the setting must be explicitly enabled for the field to be mandatory.

How to eliminate wrong answers

Option B is wrong because the Azure AD overview page does not provide role activation capabilities; all PIM activations must go through the PIM blade or the Azure AD Roles and Administrators blade, and the enforcement of ticket information is controlled by the role settings regardless of the entry point. Option C is wrong because if the activation policy requires approval, the approver's behavior does not override the system's enforcement of the ticket field; the system itself would block activation if the setting were enabled. Option D is wrong because the assignment type (Active vs. Eligible) determines whether the user needs to activate the role at all, but it does not affect the enforcement of ticket information during activation; an Eligible assignment is required for PIM activation, but the ticket setting is independent.
