Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 76–150

1000 questions total · 14 pages · All types, answers revealed


Page 2 of 14

76 · Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Entra ID Protection?

Select 2 answers
A. Conditional Access session controls
B. Sign-in risk policy
C. User risk policy
D. Access reviews
E. Role-based access control (RBAC)
Answers: B, C

Sign-in risk policy automates response to risky sign-ins.

Why this answer

Microsoft Entra ID Protection provides two risk-based policies: a sign-in risk policy (Option B) and a user risk policy (Option C). The sign-in risk policy evaluates the likelihood that an authentication request is not legitimate based on real-time signals such as anonymous IP addresses, atypical travel, or malware-linked IPs, and can automatically block or require multi-factor authentication (MFA). The user risk policy assesses the probability that a user's credentials have been compromised, based on events like leaked credentials or suspicious activity, and can force a password reset or block sign-in.

Exam trap

The trap here is that candidates often confuse the risk-based policies of Entra ID Protection (sign-in risk and user risk) with Conditional Access session controls or other Entra ID features like Access Reviews and RBAC, because all are part of the broader Entra ID suite but serve distinct functions.

77 · MCQ · medium

A company uses Azure Key Vault to store secrets. They want to grant developers the ability to read secrets, but only for specific secret names (e.g., 'App--ConnectionString'). They also want to use Azure RBAC instead of the Key Vault access policy model. Which RBAC role should they assign, and at which scope?

A. Assign the 'Key Vault Secrets User' role at the secret scope
B. Assign the 'Key Vault Secrets User' role at the vault scope
C. Assign the 'Key Vault Reader' role at the secret scope
D. Assign the 'Key Vault Secrets Officer' role at the secret scope
Answer: A

The 'Key Vault Secrets User' role permits reading secret content. When scoped to an individual secret, it restricts access to that specific secret only. Azure RBAC supports data plane roles at the secret, key, or certificate level.

Why this answer

Option A is correct because the 'Key Vault Secrets User' role, when assigned at the individual secret scope (e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vault}/secrets/{secretName}), grants read-only access to that specific secret. This satisfies the requirement to use Azure RBAC (instead of the legacy access policy model) and to limit developers to reading only secrets with a specific name, such as 'App--ConnectionString'.

Exam trap

The trap here is that candidates often assume RBAC roles can only be assigned at the vault scope, forgetting that Azure RBAC supports fine-grained scoping down to the individual secret level, which is essential for least-privilege access control.

How to eliminate wrong answers

Option B is wrong because assigning the 'Key Vault Secrets User' role at the vault scope would grant read access to all secrets in the vault, not just the specific secret name required. Option C is wrong because the 'Key Vault Reader' role only allows listing vaults and reading metadata (e.g., vault properties), not reading secret values; it does not include the 'Microsoft.KeyVault/vaults/secrets/read' action needed to retrieve secret content. Option D is wrong because the 'Key Vault Secrets Officer' role includes write and delete permissions (e.g., 'Microsoft.KeyVault/vaults/secrets/write' and 'delete'), which exceeds the required read-only access and violates the principle of least privilege.

78 · MCQ · medium

A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?

A. Enable the Key Vault firewall to allow trusted Microsoft services
B. Create a private endpoint for the SQL server to access the Key Vault
C. Enable public network access on the Key Vault
D. Assign the SQL server's managed identity the 'Reader' role on the Key Vault
Answer: A

This option allows Azure SQL Database (as a trusted Microsoft service) to access Key Vault through the firewall, enabling TDE operations with the CMK.

Why this answer

When Azure Key Vault has its firewall enabled to deny all public network access, it blocks all traffic, including requests from Azure SQL Database. By enabling the 'Allow trusted Microsoft services' exception, Azure Key Vault permits specific Azure platform services (like Azure SQL Database) to bypass the firewall, provided the service authenticates using a managed identity with appropriate permissions. This setting is essential for TDE with CMK because the SQL server's system-assigned managed identity must reach the Key Vault to unwrap the encryption key, even when public access is disabled.

Exam trap

The trap here is that candidates often assume a private endpoint is required for any cross-service communication when firewalls are involved, but Azure's 'Allow trusted Microsoft services' exception is a simpler, first-line configuration that enables necessary platform-level access without exposing the Key Vault to the internet.

How to eliminate wrong answers

Option B is wrong because private endpoints are configured on the Key Vault side, not the SQL server side; the SQL server cannot originate an outbound private endpoint to Key Vault, so this option does not describe a supported configuration, and it would not clear the firewall block on its own without the trusted services exception. Option C is wrong because enabling public network access on the Key Vault would defeat the security purpose of the firewall and is unnecessary; the trusted services exception allows the required access without exposing the Key Vault to the public internet. Option D is wrong because the 'Reader' role on the Key Vault only grants read access to the vault's metadata and secrets list, not the cryptographic permissions needed for TDE operations; the 'Key Vault Crypto Service Encryption User' role is already assigned and provides the necessary unwrap key permission, so adding 'Reader' is irrelevant.

79 · MCQ · easy

You need to block inbound traffic from the internet to a specific subnet except for TCP port 443. Which Azure service should you use?

A. Azure Web Application Firewall (WAF)
B. Azure Firewall
C. Network security group (NSG)
D. Azure DDoS Protection
Answer: C

NSGs can filter inbound traffic based on port and source.

Why this answer

Option C is correct because NSGs can have inbound rules that allow or deny traffic by port. Option B is wrong because Azure Firewall is a network/application firewall, but NSGs are simpler for subnet-level filtering. Option A is wrong because WAF operates on HTTP/HTTPS at the application layer. Option D is wrong because DDoS Protection does not filter by port.

80 · Matching · medium

Match each Azure Key Vault feature to its purpose.

Matches

Recover deleted vaults and objects within retention period

Prevents permanent deletion until retention period ends

Periodically replace cryptographic keys

Grant permissions to users, groups, or applications

Use Azure RBAC to manage access to vaults

Why these pairings

Key Vault features ensure secure key and secret management.

81 · MCQ · medium

Your company uses Microsoft Entra ID Governance features for access reviews. You need to ensure that guest users who do not sign in for 90 days are automatically removed from access to a critical application. The removal should happen without manual intervention. What should you configure?

A. Use an Azure Automation runbook to disable users after 90 days
B. Enable 'Inactive users' policy in Identity Protection
C. Configure an access review with 'Auto-apply results' enabled
D. Create a dynamic group based on sign-in activity
Answer: C

Automatically removes users after review.

Why this answer

Option C is correct because configuring an access review with 'Auto-apply results' enabled in Microsoft Entra ID Governance allows you to automatically remove guest users who have not signed in for 90 days from the critical application's access. The access review can be set to evaluate sign-in activity and, upon completion, automatically apply the results (e.g., remove access) without manual intervention, fulfilling the requirement for automated removal.

Exam trap

The trap here is that candidates often confuse Identity Protection's 'Inactive users' policy (which focuses on risk detection) with access reviews (which focus on governance and automated removal based on inactivity), leading them to select Option B instead of C.

How to eliminate wrong answers

Option A is wrong because Azure Automation runbooks are not designed to natively evaluate Entra ID sign-in activity or automatically remove access based on inactivity; they require custom scripting and lack the built-in governance policies for access reviews. Option B is wrong because the 'Inactive users' policy in Identity Protection is used to detect and remediate risky sign-ins, not to automatically remove access based on a 90-day inactivity period for guest users. Option D is wrong because dynamic groups based on sign-in activity cannot directly remove access; they can only manage group membership, and removing a user from a group does not automatically revoke application access unless the application is configured to use that group for access control, which is not the described scenario.

82 · MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a ticket number as justification, and the activation must be approved by a designated approver group. The role activation duration should be limited to 4 hours. Which PIM settings should be configured?

A. Enable 'Require approval' for the role and set 'Approvers' to the designated group. Also, set 'Activation maximum duration' to 4 hours.
B. Enable 'Require justification on activation' and set 'Activation maximum duration' to 4 hours. No approval configuration is needed.
C. Enable 'Require approval' and set 'Approvers' to the designated group. Also, enable 'Require ticket information on activation' and set 'Activation maximum duration' to 4 hours.
D. Enable 'Require ticket information on activation' and set 'Activation maximum duration' to 4 hours. Approval is not required because the ticket number serves as justification.
Answer: C

This configures all required settings: approval, ticket information, and duration.

Why this answer

Option C is correct because the scenario requires both approval and ticket-based justification. In Azure AD PIM, 'Require approval' enforces that a designated approver group must approve the activation, while 'Require ticket information on activation' ensures the user provides a ticket number as justification. Setting 'Activation maximum duration' to 4 hours limits the role activation time.

These three settings together satisfy all requirements.

Exam trap

The trap here is that candidates may confuse 'justification' with 'ticket information' and assume that enabling justification alone satisfies the ticket number requirement, or they may think that a ticket number inherently serves as approval, leading them to omit the approval configuration.

How to eliminate wrong answers

Option A is wrong because it omits the requirement for ticket information on activation; the scenario explicitly requires a ticket number as justification, not just any justification. Option B is wrong because it does not include approval configuration; the scenario requires activation to be approved by a designated approver group, which is not addressed by just enabling justification. Option D is wrong because it incorrectly assumes that a ticket number alone serves as sufficient justification and that approval is not needed; the scenario requires both a ticket number and approval from a designated group.

83 · MCQ · easy

Refer to the exhibit. You have a VNet with two subnets, each with a different NSG. Both NSGs have default rules. What is the default connectivity between VMs in subnetA and subnetB?

A. Traffic is blocked by default.
B. Traffic is allowed only if the VNet has peering.
C. Traffic is allowed by default.
D. Traffic is allowed only if the subnets are in the same region.
Answer: C

Default rules permit all internal VNet traffic.

Why this answer

Option C is correct because, by default, NSG rules allow all traffic within a VNet, including between subnets. Option A is wrong because there is no default block. Option B is wrong because peering is not required between subnets of the same VNet; the default rules already allow the traffic. Option D is wrong because the default rules allow the traffic without any region condition.

84 · MCQ · hard

A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

A. The storage account was created before infrastructure encryption was generally available
B. The customer-managed key in Key Vault is disabled or expired
C. The storage account's encryption type is set to Microsoft-managed keys
D. The blob container has a policy that overrides the encryption setting
Answer: C

The storage account must have its encryption type explicitly set to 'Customer-managed keys'. If it is set to 'Microsoft-managed keys', all blobs are encrypted with Microsoft-managed keys regardless of the key vault configuration.

Why this answer

Option C is correct because the storage account's encryption type must be explicitly set to 'Customer-managed keys' to use CMK from Azure Key Vault. If the encryption type remains at the default 'Microsoft-managed keys', newly uploaded blobs will continue to be encrypted with Microsoft-managed keys regardless of the CMK configuration in Key Vault. Infrastructure encryption is a separate feature that encrypts data at the hardware level and does not affect the key management type.

Exam trap

The trap here is that candidates often assume that simply configuring a customer-managed key in Key Vault automatically changes the storage account's encryption type, but Azure requires an explicit configuration step to switch the encryption type from 'Microsoft-managed keys' to 'Customer-managed keys'.

How to eliminate wrong answers

Option A is wrong because infrastructure encryption is a separate feature that encrypts data at the storage infrastructure level (before the data is written to disk) and does not influence the choice between Microsoft-managed and customer-managed keys; the storage account's creation date does not prevent CMK from being applied. Option B is wrong because if the customer-managed key in Key Vault is disabled or expired, the storage account would fail to encrypt new blobs with CMK and would likely throw an error or fall back to Microsoft-managed keys only if the account is configured to allow that fallback, but the question states the blobs are still encrypted with Microsoft-managed keys without error, indicating the encryption type was never set to CMK. Option D is wrong because blob containers do not have policies that can override the storage account's encryption setting; encryption at rest is configured at the storage account level and applies to all blobs uniformly.

85 · Multi-Select · hard

A Conditional Access policy should reduce account takeover risk for administrators without blocking normal low-risk access. Which two signals or controls are most appropriate?

Select 2 answers
A. Require phishing-resistant MFA or strong authentication for privileged roles
B. Allow legacy authentication for administrator accounts
C. Use sign-in risk or user risk conditions from Microsoft Entra ID Protection
D. Exclude all Global Administrators from the policy
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because requiring phishing-resistant MFA (e.g., FIDO2 security keys or certificate-based authentication) for privileged roles directly mitigates account takeover by preventing credential theft and replay attacks. This aligns with the principle of using strong authentication for high-value accounts, as specified in Microsoft's Conditional Access guidance for administrators.

Exam trap

The trap here is that candidates often confuse 'reducing risk' with 'blocking all access' and may incorrectly choose to exclude admins (Option D) to avoid disruption, missing that the policy should use risk-based conditions (Option C) to allow normal low-risk access while blocking high-risk attempts.

86 · MCQ · medium

You are the security administrator for a company that uses Microsoft Entra ID. You need to configure a Conditional Access policy that applies to all users except the emergency break-glass accounts. The policy must require multi-factor authentication (MFA) when accessing the Azure portal from a location that is not trusted. What should you include in the policy?

A. Include all users, exclude break-glass accounts, require MFA for Azure portal, and use 'Locations' condition to specify untrusted locations
B. Include all users, require MFA for Azure portal, and exclude all administrators
C. Include break-glass accounts, require MFA for Azure portal, and block access from untrusted locations
D. Include all users, require MFA for Azure portal, and exclude break-glass accounts
Answer: A

This correctly includes all users except break-glass accounts and uses location condition to require MFA only from untrusted locations.

Why this answer

Option A is correct because it includes all users, excludes the emergency break-glass accounts to ensure they remain accessible during outages, requires MFA for the Azure portal, and uses the 'Locations' condition to target untrusted locations. This configuration aligns with the requirement to enforce MFA only when accessing Azure portal from untrusted locations, while preserving access for break-glass accounts.

Exam trap

The trap here is that candidates often forget to include the 'Locations' condition to scope the MFA requirement to untrusted locations, leading them to choose Option D which requires MFA for all Azure portal access, not just from untrusted locations.

How to eliminate wrong answers

Option B is wrong because it excludes all administrators, which is too broad and would leave administrative accounts unprotected from untrusted locations, violating the requirement to apply the policy to all users except break-glass accounts. Option C is wrong because it includes break-glass accounts, which should be excluded to maintain their availability during emergencies, and it blocks access from untrusted locations instead of requiring MFA, which is overly restrictive. Option D is wrong because it lacks the 'Locations' condition to specify untrusted locations, so the policy would require MFA for all Azure portal access regardless of location, not just from untrusted locations.

87 · MCQ · easy

You are designing a secure network architecture for a three-tier application. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. Which Azure service should you use to isolate the tiers most securely?

A. Azure Firewall with application rules
B. Azure Front Door with Web Application Firewall
C. Network security groups (NSGs) on subnets
D. VNet peering between tiers
Answer: C

NSGs allow fine-grained inbound/outbound rules between subnets.

Why this answer

Option C is correct because NSGs with subnet-level rules can restrict traffic between tiers. Option A is wrong because Azure Firewall is a centralized firewall; for simple tier isolation, NSGs are more appropriate and cost-effective. Option D is wrong because VNet peering connects networks rather than isolating tiers. Option B is wrong because Azure Front Door is for global load balancing, not tier isolation.

88 · Multi-Select · hard

Which THREE components are required to enable Azure Disk Encryption for Windows VMs using Azure Key Vault? (Choose three.)

Select 3 answers
A. Azure Key Vault with an access policy granting permissions to the Azure Disk Encryption service
B. A key encryption key (KEK) in Azure Key Vault
C. A Recovery Services vault
D. A storage account to store the encryption logs
E. The Azure Disk Encryption extension installed on the VM
Answers: A, B, E

Key Vault stores the encryption keys and must have appropriate access policies.

Why this answer

Options A, B, and E are correct. Option A: a Key Vault is required to store the encryption keys. Option B: the VM must have a key encryption key (KEK) or be configured to use a BEK. Option E: the VM must have the AzureDiskEncryption extension installed. Option C is wrong because a Recovery Services vault is for Azure Backup, not disk encryption. Option D is wrong because a storage account is not required; Azure Disk Encryption uses managed disks.

89 · MCQ · medium

You are a security engineer for Contoso Ltd., a multinational company that uses Azure extensively. The company has a custom line-of-business application hosted on Azure VMs. The application stores sensitive customer data in Azure SQL Database. The security policy requires: (1) All data at rest must be encrypted using customer-managed keys stored in Azure Key Vault. (2) Encryption keys must be rotated automatically every 90 days. (3) Access to the keys must be audited. (4) The application must not have direct access to the key vault; only Azure services should access keys on behalf of the application. You need to recommend a solution. What should you do?

A. Use Azure Storage Service Encryption with Microsoft-managed keys for the database backup.
B. Enable Azure Disk Encryption on the VMs and store keys in Azure Key Vault.
C. Configure Azure SQL Database Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault and set key rotation policy to auto-renew every 90 days.
D. Implement Always Encrypted with column encryption keys stored in Azure Key Vault.
Answer: C

TDE with CMK meets all requirements.

Why this answer

Option C is correct because Transparent Data Encryption (TDE) with customer-managed keys in Key Vault meets all requirements: encryption at rest, automatic rotation with Key Vault's key rotation policy, and access by Azure SQL Database without direct application access to the vault. Option D is wrong because Always Encrypted encrypts columns but requires the application to handle the encryption keys. Option B is wrong because Azure Disk Encryption encrypts VM disks, not the SQL database. Option A is wrong because Storage Service Encryption with Microsoft-managed keys does not use customer-managed keys.

90 · MCQ · medium

A company wants to allow external business partners to access specific SharePoint Online sites using their own corporate credentials. They do not want to manage partner accounts in their own Azure AD tenant. Which Azure AD feature should they use?

A. Azure AD B2C
B. Azure AD External Identities
C. Conditional Access
D. Privileged Identity Management
Answer: B

External Identities (B2B) enables collaboration with external users who use their own organizational identities.

Why this answer

Azure AD External Identities (specifically B2B collaboration) allows you to invite external business partners to access your SharePoint Online sites using their own corporate credentials (their home Azure AD or identity provider). This eliminates the need to manage partner accounts in your tenant, as identities remain in their home directory and are authenticated via federation or SAML/WS-Fed protocols.

Exam trap

The trap here is confusing Azure AD B2C (customer-facing) with Azure AD External Identities B2B (business-to-business), as both involve 'external' users but serve fundamentally different scenarios and identity providers.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is designed for customer-facing applications where users sign up with social or local accounts, not for business-to-business collaboration with existing corporate identities. Option C is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) on already-authenticated users, not a feature for inviting external partners or managing their identities. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments for users within your own tenant, not for external partner identity federation or guest access.

91 · MCQ · easy

You need to assign the 'Security Administrator' role in Microsoft Entra ID to a user named User1. The role assignment must be eligible, and User1 must provide a justification when activating the role. What should you use?

A. Direct role assignment in Azure AD roles and administrators
B. Privileged Identity Management (PIM)
C. Global Administrator role with custom activation policy
D. User Administrator role with access reviews
Answer: B

PIM supports eligible roles with activation justification.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID is the only service that supports time-bound, eligible role assignments with activation justification. By configuring a PIM policy for the Security Administrator role, you can require User1 to provide a business justification before the role is activated for a specified duration.

Exam trap

The trap here is that candidates confuse direct role assignment (which is permanent and active) with PIM's eligible assignment (which is time-bound and requires activation), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because direct role assignment in Azure AD roles and administrators makes the role permanently active, not eligible, and does not enforce activation justification. Option C is wrong because the Global Administrator role cannot be assigned with a custom activation policy; activation policies are configured per role in PIM, not via a separate role assignment. Option D is wrong because the User Administrator role does not control activation justification for other roles; it manages user attributes and group memberships, not PIM activation policies.

92 · MCQ · medium

A company enables Azure Disk Encryption (ADE) on Windows virtual machines using a key encryption key (KEK) stored in Azure Key Vault. They want the KEK to be automatically rotated every 30 days to meet compliance requirements. Which Azure Key Vault feature should they enable?

A. Key rotation policy
B. Key expiration date
C. Soft-delete
D. Purge protection
Answer: A

Key rotation policy enables automatic rotation of keys at a specified interval, such as every 30 days.

Why this answer

A key rotation policy in Azure Key Vault allows you to define automatic rotation rules for keys, including a rotation interval (e.g., every 30 days) and a rotation time window. This feature ensures that the KEK is automatically replaced with a new key version at the specified interval without manual intervention, meeting compliance requirements for periodic key rotation.

Exam trap

The trap here is that candidates often confuse key expiration (which only invalidates a key) with key rotation (which creates a new version and keeps the old one valid for a time), leading them to select 'Key expiration date' instead of 'Key rotation policy'.

How to eliminate wrong answers

Option B is wrong because a key expiration date sets a fixed end-of-life date for a key, after which it becomes invalid, but it does not automatically rotate the key; it only marks it as expired. Option C is wrong because soft-delete is a recovery feature that retains deleted keys for a configurable retention period, but it does not perform any automatic rotation of keys. Option D is wrong because purge protection prevents permanent deletion of soft-deleted keys, but it has no role in key rotation or lifecycle management.

93 · MCQ · medium

Your organization uses Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) to assess security posture. You notice that a critical recommendation for enabling diagnostic logs on Azure Key Vault is not appearing for a specific subscription. You have confirmed that the subscription is onboarded to Defender for Cloud. What is the most likely cause?

A. The Log Analytics workspace linked to Defender for Cloud does not contain the Key Vault diagnostics schema.
B. Diagnostic logs are disabled by default in the Azure subscription's activity log settings.
C. The subscription is not enrolled in the Defender Cloud Security Posture Management (CSPM) plan.
D. Key Vault does not support diagnostic logs; therefore, the recommendation is not applicable.
Answer: C

The CSPM plan must be enabled to get full recommendations.

Why this answer

Option C is correct because if the subscription is not enrolled in the Defender Cloud Security Posture Management (CSPM) plan, some recommendations may be missing. Option B is wrong because diagnostic logs are not disabled by default in the subscription's activity log settings. Option A is wrong because the recommendation does not depend on the Log Analytics schema. Option D is wrong because Key Vault diagnostics are a standard recommendation.

94 · MCQ · easy

A company plans to migrate on-premises SQL Server databases to Azure SQL Managed Instance. The security team requires that all data at rest be encrypted using customer-managed keys stored in Azure Key Vault. Which feature should be enabled?

A. Row-Level Security
B. Dynamic Data Masking
C. Always Encrypted with secure enclaves
D. Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault
Answer: D

TDE with CMK encrypts the database at rest using keys managed by the customer in Key Vault.

Why this answer

Transparent Data Encryption (TDE) with customer-managed keys (CMK) in Azure Key Vault is the feature for encrypting Azure SQL data at rest with customer-controlled keys, so Option D is correct. Option C (Always Encrypted) encrypts data in use and at rest, but it is not TDE with a Key Vault key. Option B (Dynamic Data Masking) masks data for non-privileged users. Option A (Row-Level Security) restricts row access.

95 · MCQ · medium

Your organization uses Azure Storage for sensitive customer data. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, you want to automatically rotate the key every 90 days. What should you configure?

A. Enable Azure Disk Encryption on the storage account and store the key in Key Vault with rotation policy.
B. Enable server-side encryption with a platform-managed key and use Azure Policy to enforce rotation.
C. Use client-side encryption with .NET client library and implement custom rotation logic.
D. Enable Azure Storage encryption with a customer-managed key and configure a key rotation policy in Azure Key Vault.
Answer: D

Azure Storage supports CMK from Key Vault with automatic rotation policy.

Why this answer

Option D is correct because Azure Storage encryption with CMK supports automatic key rotation via a Key Vault key rotation policy. Option B is wrong because SSE with a platform-managed key cannot use CMK. Option A is wrong because Azure Disk Encryption is for VMs, not storage accounts. Option C is wrong because client-side encryption shifts responsibility to the client and does not leverage Azure Key Vault automatic rotation.

96
MCQeasy

Your organization uses Microsoft Entra ID. You need to ensure that users can reset their own passwords without contacting IT. Which feature should you enable?

A.Identity Protection
B.Self-service password reset (SSPR)
C.Multifactor authentication
D.Password Protection
AnswerB

SSPR allows users to reset their own passwords.

Why this answer

Self-service password reset (SSPR) is the correct feature because it allows users to reset their own passwords without IT intervention. SSPR integrates with Microsoft Entra ID and can be configured to require verification methods such as email, phone, or security questions before allowing a password change. This directly meets the requirement of enabling users to reset passwords independently.

Exam trap

The trap here is that candidates often confuse Multifactor Authentication (MFA) with SSPR, thinking MFA alone allows password resets, when in fact MFA is only a verification step within SSPR and does not provide the self-service reset functionality itself.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based conditional access and detection tool that identifies potential vulnerabilities and suspicious sign-ins, but it does not provide password reset capabilities. Option C is wrong because Multifactor Authentication (MFA) adds an extra layer of security during sign-in but does not enable self-service password changes; it can be used as a verification method within SSPR but is not the feature itself. Option D is wrong because Password Protection is a feature that blocks weak or compromised passwords from being used in the directory, but it does not allow users to reset their own passwords.

97
MCQmedium

Refer to the exhibit. A Microsoft Sentinel analytics rule uses this KQL query. What is the primary purpose of this rule?

A.Detect users who have never signed in from the US before.
B.Detect users with multiple risky sign-ins from non-US countries.
C.Detect impossible travel patterns between the US and other countries.
D.Detect users whose sign-in count is higher than the average for their region.
AnswerB

The query counts risky sign-ins from non-US countries per user and alerts if more than 3.

Why this answer

Option B is correct because the query filters for risky sign-ins from countries other than the US and then counts them per user; limiting to >3 detects users with multiple risky sign-ins from non-US countries. Option A is wrong because the query does not compare against previous behavior. Option C is wrong because the query does not look for impossible travel. Option D is wrong because the query does not compare a user's sign-in count against other users in the region.

98
MCQmedium

A company wants Defender for Cloud to recommend fixes for container image vulnerabilities stored in Azure Container Registry. Which capability is most relevant?

A.Container vulnerability assessment in Defender for Containers
B.Azure SQL auditing
C.Microsoft Entra access reviews
D.Application Gateway rewrite rules
AnswerA

Correct for the stated requirement.

Why this answer

Defender for Containers includes a container vulnerability assessment capability that scans container images stored in Azure Container Registry (ACR) for known vulnerabilities. This assessment integrates with Defender for Cloud to provide actionable recommendations for fixing identified vulnerabilities, directly addressing the company's requirement.

Exam trap

The trap here is that candidates may confuse general container security features (like runtime protection) with the specific vulnerability assessment capability, or mistakenly think that Azure SQL auditing or access reviews could be repurposed for image scanning.

How to eliminate wrong answers

Option B is wrong because Azure SQL auditing is a database auditing feature for tracking database events and changes, not for scanning container images for vulnerabilities. Option C is wrong because Microsoft Entra access reviews are used to manage user access rights and certifications, not for vulnerability scanning of container images. Option D is wrong because Application Gateway rewrite rules are used to modify HTTP request/response headers and URLs in web traffic, not for assessing container image security.

99
MCQmedium

You have an Azure Storage account that contains sensitive documents. You need to generate a time-limited, secure URL that allows a specific user to download a file without requiring storage account keys. What should you use?

A.Azure Front Door custom domain
B.Storage account access key
C.Shared Access Signature (SAS)
D.Azure RBAC role assignment
AnswerC

SAS provides time-limited delegated access to specific resources.

Why this answer

Option C is correct because a shared access signature (SAS) token provides delegated access with time-limited permissions. Option B is wrong because a storage account key grants full access and cannot be time-limited. Option D is wrong because Azure RBAC does not generate URLs. Option A is wrong because Azure Front Door is a global load balancer, not a mechanism for generating secure URLs.

100
MCQmedium

You configure Azure Bastion to allow secure RDP access to VMs in a VNet. However, users report that they cannot connect to a specific VM, while other VMs in the same VNet are accessible. The VM is running and has a public IP. What is the most likely cause?

A.The user does not have 'Reader' role on the VM.
B.The NSG on the VM's subnet does not allow inbound RDP from the AzureBastionSubnet.
C.The VM is located in a different region than the Bastion host.
D.The VM has a public IP assigned, which interferes with Bastion connectivity.
AnswerB

Bastion requires the NSG to allow inbound RDP from the Bastion subnet's address prefix.

Why this answer

Azure Bastion does not require a public IP on the target VM; it connects to the VM's private IP, so the public IP is not the cause. The most likely cause is that the NSG on the VM's subnet does not allow inbound RDP (TCP 3389) from the AzureBastionSubnet address prefix. Because the connection originates from the Bastion subnet, the NSG on the VM's subnet must allow inbound RDP from that subnet.

101
MCQmedium

A company has an Azure virtual network with a subnet that hosts a web application. They want to allow inbound HTTPS traffic from any source on the internet (0.0.0.0/0) and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required to achieve this?

A.One inbound rule allowing HTTPS from Internet, and one inbound rule DenyAllInbound.
B.One inbound rule allowing HTTPS from Internet.
C.Two inbound rules: one allowing HTTPS from Internet, one allowing HTTP from Internet.
D.Two inbound rules: one allowing HTTPS from Internet, one allowing RDP from Internet.
AnswerB

The default NSG rules deny all inbound traffic; adding an allow rule for HTTPS is sufficient.

Why this answer

Option B is correct because an NSG includes a set of default security rules that already block all inbound traffic not explicitly allowed. By adding a single inbound rule that allows HTTPS (TCP port 443) from the Internet (0.0.0.0/0), the default deny rule (DenyAllInbound) will block all other inbound traffic. Therefore, only one custom inbound rule is required to achieve the stated goal.

Exam trap

The trap here is that candidates often forget about the default NSG rules, especially the 'DenyAllInbound' rule, and incorrectly assume they must add an explicit deny rule to block all other traffic.

How to eliminate wrong answers

Option A is wrong because it suggests adding an explicit DenyAllInbound rule, which is redundant since the default NSG rule already denies all inbound traffic not explicitly permitted. Option C is wrong because it includes an unnecessary rule allowing HTTP (TCP port 80), which is not required and would violate the requirement to block all other inbound traffic. Option D is wrong because it includes an unnecessary rule allowing RDP (TCP port 3389), which is not required and would also violate the requirement to block all other inbound traffic.

102
MCQeasy

You need to secure traffic between two VNets in different Azure regions. The VNets contain virtual machines that must communicate over private IP addresses. Which Azure service should you use?

A.Azure Firewall
B.VNet peering
C.Azure VPN Gateway
D.ExpressRoute
AnswerB

VNet peering allows private IP communication across regions.

Why this answer

Option B is correct because VNet peering enables connectivity between VNets over the Microsoft backbone network using private IP addresses. Option C is wrong because Azure VPN Gateway provides encrypted tunnels but uses public IPs for the gateway. Option D is wrong because ExpressRoute connects on-premises to Azure, not VNet-to-VNet. Option A is wrong because Azure Firewall is a security service, not a connectivity service.

103
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) to manage access to the 'Security Administrator' role. They want a specific user to be able to activate the role only when needed, rather than having standing access. The user should not have the role active at all times. Which type of assignment should they configure for this user in PIM?

A.Assign the user as 'Active' for the role.
B.Assign the user as 'Eligible' for the role.
C.Assign the user as 'Permanent' for the role.
D.Add the user as a 'Guest' in the directory.
AnswerB

An eligible assignment requires the user to activate the role for a specified duration. This provides just-in-time access without permanent privileges.

Why this answer

In Azure AD Privileged Identity Management (PIM), an 'Eligible' assignment means the user does not have permanent access to the role. They must activate the role on-demand through a time-bound activation process, which may require approval and multi-factor authentication. This directly meets the requirement of having no standing access, as the role is inactive until the user explicitly activates it.

Exam trap

The trap here is confusing 'Active' (permanent standing access) with 'Eligible' (just-in-time activation), as candidates often think 'Active' means the user can activate the role, when in fact it means the role is always active.

How to eliminate wrong answers

Option A is wrong because an 'Active' assignment grants the user standing access to the role at all times, which contradicts the requirement for on-demand activation. Option C is wrong because 'Permanent' is not a valid assignment type in PIM; roles are either 'Active' (permanent) or 'Eligible' (requiring activation). Option D is wrong because adding the user as a 'Guest' in the directory does not assign any Azure AD role; it only provides external collaboration access without any privileged role permissions.

104
MCQhard

An Application Gateway WAF blocks legitimate requests because a managed rule detects a known false positive. The team wants to keep the rule set enabled. What should they configure?

A.A narrowly scoped WAF exclusion for the affected variable or rule
B.Disable WAF prevention mode for the entire gateway
C.Remove TLS from the listener
D.Move the application behind an internal load balancer only
AnswerA

Correct for the stated requirement.

Why this answer

A narrowly scoped WAF exclusion is the correct approach because it allows the team to keep the managed rule set enabled while preventing false positives. By configuring an exclusion for the specific variable (e.g., RequestHeaderNames, RequestCookieNames, RequestArgNames) or rule ID that triggers the false positive, the WAF will skip inspection on that particular element without weakening the overall security posture. This maintains protection against other threats while resolving the blocking of legitimate traffic.

Exam trap

The trap here is that candidates may think disabling prevention mode or removing TLS is a quick fix, but the correct solution requires a precise, rule-level exclusion to maintain security while addressing the false positive.

How to eliminate wrong answers

Option B is wrong because disabling WAF prevention mode for the entire gateway would switch the WAF to detection mode only, which logs alerts but does not block any malicious traffic, thereby removing protection entirely instead of targeting the false positive. Option C is wrong because removing TLS from the listener would expose traffic in plaintext, breaking encryption requirements and not addressing the WAF rule false positive issue. Option D is wrong because moving the application behind an internal load balancer only would restrict access to internal networks, which does not resolve the WAF false positive and may not be suitable for internet-facing applications.

105
MCQmedium

A company has a hub-and-spoke network topology in Azure. The hub virtual network contains an Azure Firewall and a VPN gateway. Spoke virtual networks are peered to the hub. The security team wants to ensure that all outbound internet traffic from VMs in the spokes flows through the Azure Firewall. What should be configured?

A.Create a route table with a default route (0.0.0.0/0) to the Azure Firewall private IP and associate it with the spoke subnets.
B.Configure forced tunneling on the VPN gateway to route all traffic through the Azure Firewall.
C.Create a route table with a default route to the VPN gateway and associate it with the hub subnet.
D.Configure an NSG on the spoke subnets with a rule that sends traffic to the Azure Firewall.
AnswerA

Route tables override the default system route and force traffic through the firewall.

Why this answer

Option A is correct because a route table with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP as the next hop, associated with the spoke subnets, forces all outbound traffic through the firewall. Option D is wrong because an NSG only allows or denies traffic; it cannot specify a next hop. Option C is wrong because the route table must be associated with the spoke subnets, not the hub subnet. Option B is wrong because the VPN gateway does not filter traffic; Azure Firewall is needed.

106
MCQeasy

You need to ensure that Azure SQL Database connections are encrypted and the server's identity is verified. Which connection string parameter should be required?

A.Encrypt=Optional
B.Encrypt=True; TrustServerCertificate=False
C.TrustServerCertificate=True
D.Encrypt=False
AnswerB

Encrypt=True forces encryption, and TrustServerCertificate=False ensures the server certificate is validated.

Why this answer

The 'Encrypt=True' parameter ensures that the connection is encrypted, and 'TrustServerCertificate=False' (or not setting it) verifies the server certificate against a trusted CA, so Option B is correct. Option D (Encrypt=False) disables encryption. Option A (Encrypt=Optional) does not force encryption. Option C (TrustServerCertificate=True) bypasses certificate validation.

107
MCQmedium

Your organization uses Azure Storage accounts with blob containers. You need to ensure that only authorized applications can access the storage account, without using shared keys or shared access signatures. What should you configure?

A.Use a stored access policy with a shared access signature
B.Configure a firewall on the storage account to allow only the application's IP address
C.Enable a private endpoint for the storage account
D.Use Azure AD authentication with managed identities
AnswerD

Managed identities provide an automatically managed identity in Azure AD, allowing applications to authenticate to storage without storing credentials.

Why this answer

Option D is correct because Azure Storage supports managed identities for Azure resources, allowing applications to authenticate through Azure AD without storing keys. Option B is wrong because firewall rules control network access, not application identity. Option C is wrong because private endpoints provide network isolation, not application authentication. Option A is wrong because SAS tokens, even with a stored access policy, still require managing secrets.

108
MCQmedium

A company uses Azure AD Identity Protection and Conditional Access. They want to automatically block user access to cloud applications when Identity Protection detects that a user's sign-in risk level is high. Which configuration should they use in a Conditional Access policy?

A.Include 'User risk' level 'High' and set Grant to 'Require multi-factor authentication'.
B.Include 'Sign-in risk' level 'High' and set Grant to 'Block access'.
C.Include 'Device platforms' 'All' and set Grant to 'Require managed device'.
D.Include 'Locations' 'All trusted locations' and set Grant to 'Block access'.
AnswerB

This configuration blocks the specific sign-in if the risk is high, directly preventing access.

Why this answer

Option B is correct because Conditional Access policies can evaluate sign-in risk levels detected by Azure AD Identity Protection. When the sign-in risk level is 'High', setting the Grant control to 'Block access' directly prevents the user from accessing cloud applications, meeting the requirement to automatically block access based on a high sign-in risk.

Exam trap

The trap here is confusing 'User risk' with 'Sign-in risk'; candidates often select Option A because they think high user risk should trigger MFA, but the question specifically requires blocking access based on sign-in risk, not user risk.

How to eliminate wrong answers

Option A is wrong because it uses 'User risk' (which reflects the likelihood that a user's identity is compromised) and sets Grant to 'Require multi-factor authentication' instead of blocking access; this would prompt MFA rather than blocking. Option C is wrong because it targets 'Device platforms' and requires a managed device, which does not address sign-in risk levels at all. Option D is wrong because it includes 'All trusted locations' and sets Grant to 'Block access', which would block access from trusted locations rather than blocking based on sign-in risk.

109
MCQmedium

An application hosted on an Azure VM needs to read secrets from Key Vault without storing credentials. Which identity pattern should be used?

A.System-assigned managed identity with Key Vault access granted by RBAC or access policy
B.Client secret stored in appsettings.json
C.Shared access signature stored as an environment variable
D.A user account excluded from MFA
AnswerA

Correct for the stated requirement.

Why this answer

A system-assigned managed identity enables an Azure VM to authenticate to Azure Key Vault without storing any credentials in code or configuration. Azure automatically creates a service principal for the VM in Azure AD, and the VM can obtain an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) to authenticate to Key Vault. Access to secrets is then controlled by assigning RBAC roles (e.g., Key Vault Secrets User) or configuring a Key Vault access policy for that identity, eliminating the need for any stored secrets.

Exam trap

The trap here is that candidates may confuse managed identities with other credential-based patterns (like client secrets or SAS tokens) and fail to recognize that the question explicitly requires 'without storing credentials,' which only a managed identity satisfies.

How to eliminate wrong answers

Option B is wrong because storing a client secret in appsettings.json directly violates the requirement of not storing credentials; it introduces a security risk of secret exposure in configuration files. Option C is wrong because a shared access signature (SAS) is used for delegating access to Azure Storage resources, not for authenticating to Key Vault, and storing it as an environment variable still requires managing a credential. Option D is wrong because a user account excluded from MFA does not provide an identity pattern for a VM to access Key Vault; it is a human identity that would require interactive sign-in and credential storage, and excluding MFA weakens security without solving the credential storage problem.

110
MCQeasy

A security analyst uses Microsoft Defender for Cloud. They need to view the current compliance status of their Azure subscription against the Payment Card Industry Data Security Standard (PCI DSS). Which feature in Defender for Cloud should they use?

A.Security posture dashboard
B.Regulatory compliance dashboard
C.Vulnerability assessment solutions
D.Workflow automation
AnswerB

The regulatory compliance dashboard in Defender for Cloud displays compliance status for various standards such as PCI DSS, SOC, ISO, etc. It provides a detailed view of controls, assessments, and recommendations.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built view of your Azure subscription's compliance posture against specific standards like PCI DSS. It continuously assesses your resources against the controls defined in the selected compliance framework and displays a compliance score, passed/failed controls, and remediation steps. This is the dedicated feature for tracking regulatory compliance, not general security posture or vulnerability management.

Exam trap

The trap here is that candidates confuse the general Security posture dashboard (which shows a security score) with the Regulatory compliance dashboard, which is the only place to see compliance against specific standards like PCI DSS, SOC 2, or ISO 27001.

How to eliminate wrong answers

Option A is wrong because the Security posture dashboard shows an overall security score based on security recommendations, but it does not map to specific regulatory frameworks like PCI DSS. Option C is wrong because Vulnerability assessment solutions (e.g., integrated Qualys or Microsoft Defender Vulnerability Management) focus on identifying software vulnerabilities in VMs and containers, not on compliance with regulatory standards. Option D is wrong because Workflow automation is used to trigger automated responses (e.g., sending notifications or creating tickets) based on security alerts or recommendations, not to view compliance status.

111
MCQeasy

You need to securely connect an on-premises network to Azure over the internet with encrypted traffic. The connection must be site-to-site and use IPsec. Which Azure service should you use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Bastion
AnswerA

VPN Gateway provides IPsec site-to-site VPN over the internet.

Why this answer

Option A is correct because Azure VPN Gateway supports site-to-site IPsec VPN connections over the internet. Option B is wrong because Azure ExpressRoute is a private dedicated connection, not over the internet. Option C is wrong because Azure Virtual WAN is a networking service that can include VPN but is more complex than needed. Option D is wrong because Azure Bastion is for RDP/SSH to VMs without a public IP.

112
MCQmedium

A security team uses Microsoft Sentinel. They want to detect a potential privilege escalation scenario: when a user is added to the Global Administrator role in Azure AD (audit log) and within 10 minutes that user signs in from a suspicious location (sign-in log). Which type of analytics rule should they create to correlate these two different log sources?

A.Fusion rule
B.Scheduled query rule
C.Anomaly rule
D.NRT rule (Near Real-Time)
AnswerB

Scheduled query rules allow you to write custom KQL queries that can join logs from different tables, enabling correlation of events across data sources.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a KQL query that joins the AuditLogs table (for role assignment events) with the SigninLogs table (for sign-in events) and then uses a time window (e.g., 10 minutes) to correlate the two disparate log sources. This rule type supports cross-table joins and custom time-based correlation, which is exactly what is needed to detect a user added to Global Administrator followed by a suspicious sign-in.

Exam trap

The trap here is that candidates confuse Fusion rules (which correlate alerts) with the need to correlate raw log entries, or they mistakenly think NRT rules can handle multi-table joins with custom time windows, when in fact only scheduled query rules provide the necessary KQL flexibility for this scenario.

How to eliminate wrong answers

Option A is wrong because Fusion rules use machine learning to correlate multiple alerts from different security products, not to join raw audit and sign-in logs with a custom time window. Option C is wrong because Anomaly rules are designed to detect unusual patterns in a single data source using baselines, not to correlate two different log sources with a specific temporal condition. Option D is wrong because NRT (Near Real-Time) rules run every minute but do not support cross-table joins or custom time windows longer than a few minutes; they are intended for single-table, low-latency detection.

113
MCQmedium

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

A.To list all alerts with severity 'High' in the last 7 days.
B.To list the top 10 most frequent alert names along with their severity over the last 7 days.
C.To list all alerts generated in the last 7 days.
D.To list the count of alerts per severity for the last 7 days.
AnswerB

The query groups by name and severity and shows top 10 by count.

Why this answer

Option B is correct because the query summarizes the count of alerts by AlertName and AlertSeverity and returns the top 10 by count descending. Option A is wrong because the query does not filter by severity. Option C is wrong because it returns the top 10, not all alerts. Option D is wrong because the query groups by both alert name and severity rather than counting alerts per severity alone.

114
MCQeasy

Your organization uses Microsoft Entra ID to manage identities. You need to ensure that users can reset their own passwords without help desk intervention, but they must register for self-service password reset (SSPR) first. Which configuration is required?

A.Configure Microsoft Entra Password Protection
B.Enable Privileged Identity Management for SSPR
C.Enable SSPR and set the registration campaign to require registration at next sign-in
D.Enable combined registration for SSPR and Microsoft Entra ID Protection
AnswerC

Registration campaign ensures users register before using SSPR.

Why this answer

Option C is correct. SSPR requires users to register authentication methods before they can reset passwords, and the registration campaign enforces this at next sign-in. Option D is wrong because combined registration is not mandatory. Option A is wrong because Password Protection is unrelated to registration. Option B is wrong because Privileged Identity Management applies to administrators and privileged roles, not to SSPR.

115
MCQhard

Your company uses Microsoft Sentinel to correlate data from multiple sources. You need to create an analytics rule that triggers an incident when a user signs in from an unfamiliar location and then performs a high-risk action in Azure. What is the best approach?

A.Run a custom anomaly detection job
B.Create a Scheduled analytics rule with a KQL query
C.Create a Near-Real-Time (NRT) analytics rule
D.Create a Fusion analytics rule
AnswerD

Fusion rules correlate multiple alerts from different sources.

Why this answer

Option D is correct because the best approach is to create a Fusion rule, which uses machine learning to correlate multiple signals such as an unfamiliar sign-in and Azure activity. Option B is wrong because scheduled query rules require writing KQL and can correlate, but Fusion is simpler for this scenario. Option C is wrong because NRT rules are for near-real-time single events. Option A is wrong because anomaly rules detect outliers but not multi-step correlation.

116
MCQmedium

Your organization uses Azure Private Link to access Azure SQL Database privately from a VNet. You need to ensure that only your VNet can access the private endpoint. What should you configure?

A.Set the subnet's privateEndpointNetworkPolicies property to 'Disabled'
B.Associate a network security group to the private endpoint
C.Enable service endpoints on the subnet
D.Configure an application security group on the private endpoint
AnswerA

This allows the private endpoint to work correctly.

Why this answer

Option A is correct because the subnet's 'privateEndpointNetworkPolicies' property must be set to 'Disabled' to allow private endpoint traffic. Option D is wrong because application security groups are for VMs, not private endpoints. Option C is wrong because service endpoints are a different mechanism. Option B is wrong because the private endpoint itself does not have an NSG; the subnet NSG affects traffic.

117
Multi-Selectmedium

You are designing a backup strategy for Azure virtual machines. You need to ensure that backups are encrypted at rest and can be restored in a different Azure region in case of a regional disaster. Which two configurations should you use?

Select 2 answers
A.Configure Azure Site Recovery for the VMs
B.Enable encryption at rest for the Recovery Services vault using platform-managed keys
C.Enable Cross-Region Restore (CRR) for the Recovery Services vault
D.Enable Azure Disk Encryption on the VMs
E.Use geo-redundant storage (GRS) for the Recovery Services vault
AnswersB, C

Backup data is encrypted at rest.

Why this answer

Option B is correct: Azure Backup encrypts backup data at rest by default. Option C is correct: Cross-Region Restore (CRR) allows restoring in a different region. Option E (geo-redundant storage) is used by the Recovery Services vault but is not a restore option. Option A (Azure Site Recovery) is for disaster recovery, not backup. Option D (Azure Disk Encryption) is for VM disks, not backup.

118
Multi-Selecthard

You are designing a backup strategy for Azure Virtual Machines. Which THREE features should you enable to ensure recoverability and security?

Select 3 answers
A.Soft delete for backup data
B.Azure Backup
C.Geo-redundant storage (GRS)
D.Azure Site Recovery
E.Encryption at rest using Azure Disk Encryption
AnswersA, B, E

Soft delete protects backups from accidental or malicious deletion.

Why this answer

Options A, B, and E are correct. Azure Backup provides automated backups. Soft delete prevents malicious deletion of backups. Encryption at rest secures backup data. Option C is wrong because geo-redundant storage (GRS) is a replication option, not a backup feature. Option D is wrong because Azure Site Recovery is for disaster recovery, not backup.

119
MCQmedium

Your company uses Microsoft Sentinel to monitor Azure resources. A new analytics rule is created to detect anomalous access to storage accounts. The rule runs every 5 minutes and looks at the last 15 minutes of data. After deploying, the rule generates no alerts even though you suspect there are anomalies. What is the most likely issue?

A.The rule is not enabled.
B.The rule query logic is incorrect or the entities are not properly mapped.
C.The rule severity is set too low.
D.The rule query frequency is longer than the data lookback period.
AnswerB

If the query does not match the data or entity mapping is wrong, alerts may not be generated.

Why this answer

Option B is correct because the query runs every 5 minutes looking at 15 minutes of data, so there is overlap and data should be captured; the rule is therefore most likely misconfigured with an incorrect query or entity mapping. Option D is wrong because the query frequency and data lookback are compatible. Option A is wrong because the rule is enabled. Option C is wrong because rule severity does not affect alert generation.

120
Multi-Selectmedium

Your company uses Microsoft Defender for Cloud to secure its Azure resources. The security team receives alerts about a potential brute-force attack on a Linux virtual machine. You need to verify whether the attack was successful and take immediate remediation actions. Which two Defender for Cloud features should you use together?

A.Configure adaptive application controls to whitelist allowed applications
B.Enable vulnerability assessment and review the findings
C.Enable Just-in-Time (JIT) VM access for the affected VM
D.Enable Azure DDoS Protection on the virtual network
E.Use File Integrity Monitoring (FIM) to check for changes to system files
AnswerC, E

JIT blocks unauthorized access attempts by restricting inbound traffic to specific IPs and ports, preventing brute-force attacks.

Why this answer

Option C is correct because Just-in-Time VM access can block brute-force attempts by allowing only authorized IPs and ports. Option E is correct because the File Integrity Monitoring (FIM) feature can detect changes to critical system files, indicating a successful compromise. Option B is wrong because vulnerability assessment is for checking known vulnerabilities, not real-time attack verification.

Option A is wrong because adaptive application controls whitelist applications and are not directly related to brute-force detection. Option D is wrong because Azure DDoS Protection is for network-level DDoS, not brute-force attacks.

121
MCQeasy

A company has a virtual network with a subnet hosting Azure VMs. They want to restrict all inbound traffic to only allow HTTPS (port 443) from the internet, but also allow SSH (port 22) only from a specific management IP address range (e.g., 203.0.113.0/24). Which Azure service should they use to achieve this filtering?

A.Azure Firewall
B.Network Security Group (NSG) rule
C.Azure DDoS Protection
D.Azure Bastion
AnswerB

NSG rules can be configured to allow inbound HTTPS (443) from any source and SSH (22) from the specific management IP range. NSGs provide basic stateful packet filtering at the subnet or NIC level.

Why this answer

A Network Security Group (NSG) rule is the correct choice because NSGs provide stateful, granular inbound and outbound filtering at the subnet or NIC level. You can create a rule to allow HTTPS (TCP/443) from any source (Internet) and a separate rule to allow SSH (TCP/22) only from the specific management IP range 203.0.113.0/24, while implicitly denying all other inbound traffic. NSGs are the native Azure service for this type of traffic filtering and do not require additional cost or deployment.

Exam trap

The trap here is that candidates often choose Azure Firewall because they think it is required for any IP-based filtering, but NSGs are the correct and simpler service for subnet-level inbound port and source IP filtering without needing a centralized firewall appliance.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a managed, centralized network security service used for advanced filtering across multiple VNets, outbound traffic inspection, and application rules, but it is overkill and more expensive for simple inbound port filtering on a single subnet; NSGs are the appropriate and simpler solution. Option C is wrong because Azure DDoS Protection is designed to protect against volumetric distributed denial-of-service attacks at the network layer, not to filter specific ports or IP addresses for legitimate traffic. Option D is wrong because Azure Bastion provides secure, browser-based RDP/SSH connectivity to VMs without exposing public IPs, but it does not filter inbound traffic to VMs; it replaces the need for SSH/RDP exposure entirely.

122
MCQhard

You are troubleshooting connectivity between two Azure VMs in the same virtual network. VM1 can ping VM2, but VM1's application cannot connect to VM2's application on port 8080. Both VMs have NSGs that allow inbound traffic on port 8080. What is the most likely cause?

A.The VNet is peered with another VNet that has a conflicting address space.
B.An Azure Load Balancer is directing traffic away from VM2.
C.The NSG on VM2's subnet has a deny rule for port 8080.
D.The guest OS firewall on VM2 is blocking inbound port 8080.
AnswerD

Guest OS firewall can block traffic even if NSGs allow.

Why this answer

Option D is correct because the guest OS firewall (for example Windows Firewall) runs inside the OS and can block application ports even if Azure NSGs allow the traffic. Option A is wrong because ICMP (ping) works, which rules out an address-space conflict. Option C is wrong because the NSGs allow the port.

Option B is wrong because a load balancer would not affect direct VM-to-VM traffic.

123
MCQeasy

You are designing a secure network for a three-tier application. The web tier must be accessible from the internet on port 443. The application tier should only be reachable from the web tier. The database tier should only be reachable from the application tier. Which Azure service should you use to enforce these restrictions?

A.Azure VPN Gateway.
B.Network security groups (NSGs) on each subnet.
C.Azure Front Door.
D.Azure Firewall in the hub.
AnswerB

NSGs can restrict traffic based on source and destination IP/port.

Why this answer

Option B is correct because NSGs can be applied to subnets or NICs to control inbound/outbound traffic. Option D is wrong because Azure Firewall is a managed network security service typically used for perimeter traffic. Option A is wrong because a VPN gateway is for site-to-site connectivity.

Option C is wrong because Azure Front Door is a global load balancer.

124
MCQeasy

You have an Azure virtual machine that hosts a custom web application. You need to restrict inbound internet traffic to only HTTPS (port 443) from any source. Which Azure resource should you configure?

A.Application Security Group (ASG)
B.Azure Bastion
C.Azure Firewall
D.Network Security Group (NSG)
AnswerD

NSG with inbound rule allowing HTTPS from Internet blocks other traffic.

Why this answer

Option D is correct because a Network Security Group (NSG) with an inbound rule allowing HTTPS traffic from any source while denying all other traffic meets the requirement. Option C is wrong because Azure Firewall is overkill and more expensive for a single VM. Option B is wrong because Azure Bastion is for RDP/SSH access, not web traffic.

Option A is wrong because Application Security Groups (ASGs) are used to group VMs, not to define inbound rules directly.

125
MCQhard

A security team uses Microsoft Defender for Cloud to protect Azure virtual machines. They want to implement application allowlisting to prevent execution of unauthorized software on a set of Windows Server VMs. They need to create a baseline of allowed applications and then enforce the allowlist. Which Defender for Cloud feature should they enable?

A.Adaptive application controls
B.Just-in-time VM access
C.File integrity monitoring
D.Adaptive network hardening
AnswerA

Correct. Adaptive application controls provide application allowlisting based on behavioral learning and enforcement.

Why this answer

Adaptive application controls (AAC) in Microsoft Defender for Cloud is the correct feature because it specifically provides application allowlisting for Azure VMs. AAC uses machine learning to analyze processes running on a VM, generate a baseline of allowed applications, and then enforce that allowlist by blocking execution of any unauthorized software. This directly meets the requirement to create a baseline and enforce it on Windows Server VMs.

Exam trap

The trap here is that candidates often confuse adaptive application controls with file integrity monitoring, thinking both prevent unauthorized software, but FIM only detects changes after the fact and does not block execution.

How to eliminate wrong answers

Option B (Just-in-time VM access) is wrong because it controls network access to management ports (e.g., RDP, SSH) by locking down inbound traffic, not application execution on the VM. Option C (File integrity monitoring) is wrong because it monitors changes to critical files, registry keys, and software installations, but it does not block unauthorized software execution—it only alerts on changes. Option D (Adaptive network hardening) is wrong because it recommends and enforces network security group (NSG) rules based on traffic patterns, not application-level allowlisting on the VM.

126
Multi-Selectmedium

Which TWO actions should you take to implement a zero-trust identity model using Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Configure password expiration policies to force frequent changes
B.Enable password hash synchronization to Azure AD
C.Configure Privileged Identity Management to require approval for role activation
D.Assign permanent Global Administrator roles to IT staff
E.Implement Conditional Access policies that require MFA and device compliance
AnswersC, E

Enforces just-in-time access.

Why this answer

Options C and E are correct. E is correct because Conditional Access policies are a core component of zero trust, verifying identity and device health. C is correct because PIM enforces just-in-time access, reducing standing privileges.

A is incorrect because password expiration does not enhance zero trust. D is incorrect because permanent role assignments oppose zero trust. B is incorrect because synchronization alone does not enforce zero trust.

127
MCQmedium

A company has an Azure virtual network with a subnet hosting web servers. The security policy requires that all inbound HTTP traffic must be sourced from a specific IP address range (203.0.113.0/24). All other inbound traffic must be denied. The subnet is associated with a network security group (NSG). Which set of inbound rules should they configure?

A.Allow HTTP from 203.0.113.0/24 (priority 100), then Deny all inbound (priority 200)
B.Deny all inbound (priority 100), then Allow HTTP from 203.0.113.0/24 (priority 200)
C.Allow HTTP from any (priority 100), then Deny all inbound (priority 200)
D.Only Allow HTTP from 203.0.113.0/24 (priority 100) with no explicit deny
AnswerA

Correct. The allow rule has a lower priority number (100) and is evaluated first. The subsequent deny-all rule (priority 200) blocks any traffic not matching the allow rule.

Why this answer

Option A is correct because NSG rules are evaluated in priority order (lowest number first). The Allow rule for HTTP from 203.0.113.0/24 at priority 100 permits the desired traffic, and the subsequent Deny all inbound rule at priority 200 blocks all other traffic, including HTTP from any other source. This satisfies the security policy of allowing only HTTP from the specified IP range and denying everything else.

Exam trap

The trap here is that candidates often think a single Allow rule with no explicit Deny is sufficient, forgetting that NSGs have default implicit allow rules (e.g., AllowVNetInBound) that would permit other traffic unless explicitly denied.

How to eliminate wrong answers

Option B is wrong because the Deny all inbound rule at priority 100 would block all traffic, including HTTP from 203.0.113.0/24, before the Allow rule at priority 200 is evaluated, resulting in no allowed traffic. Option C is wrong because allowing HTTP from any source at priority 100 permits inbound HTTP traffic from all IP addresses, violating the policy that restricts HTTP to only the 203.0.113.0/24 range. Option D is wrong because without an explicit Deny all inbound rule, any traffic not matching the Allow rule (e.g., HTTP from other IPs or other protocols) would be implicitly allowed by the default NSG rules, failing to deny all other inbound traffic as required.

128
Multi-Selectmedium

Your organization uses Microsoft Entra ID and wants to implement a secure passwordless authentication strategy. Which TWO solutions can be used natively in Microsoft Entra ID for passwordless sign-in?

Select 2 answers
A.FIDO2 security keys
B.Microsoft Authenticator app with OTP
C.Third-party password managers
D.Windows Hello for Business
E.Duo Security push notifications
AnswersA, D

Supported natively for passwordless sign-in.

Why this answer

FIDO2 security keys are a native passwordless authentication method in Microsoft Entra ID, leveraging the WebAuthn standard to provide phishing-resistant, hardware-based credential verification. They eliminate passwords entirely by using public-key cryptography, where the private key never leaves the device, ensuring strong security against credential theft.

Exam trap

The trap here is that candidates confuse multi-factor authentication methods (like OTP or push notifications) with true passwordless authentication, which requires eliminating the password as a primary factor entirely, not just adding a second factor.

129
MCQmedium

A company wants to detect exposed internet-facing assets that are not yet known in its Azure inventory. Which Microsoft Defender capability is most relevant?

A.Defender for SQL vulnerability assessment
B.Microsoft Entra Permissions Management
C.Defender External Attack Surface Management
D.Azure Monitor VM insights
AnswerC

Correct for the stated requirement.

Why this answer

Defender External Attack Surface Management (EASM) is specifically designed to discover and inventory internet-facing assets (e.g., domains, IPs, open ports, certificates) that are not yet known to an organization's Azure inventory. It continuously scans public attack surfaces to identify unknown or unmanaged resources, making it the most relevant capability for detecting exposed assets outside the current Azure footprint.

Exam trap

The trap here is that candidates may confuse Defender EASM with Microsoft Entra Permissions Management (CIEM), assuming both deal with 'unknown assets' when in fact CIEM focuses on permissions and identity risks, not external asset discovery.

How to eliminate wrong answers

Option A is wrong because Defender for SQL vulnerability assessment focuses on identifying and remediating database-specific vulnerabilities (e.g., misconfigurations, missing patches) within known Azure SQL resources, not on discovering unknown internet-facing assets. Option B is wrong because Microsoft Entra Permissions Management (formerly CloudKnox) is a Cloud Infrastructure Entitlement Management (CIEM) tool that analyzes and manages permissions across multi-cloud environments, but it does not perform external asset discovery or attack surface scanning. Option D is wrong because Azure Monitor VM insights provides performance monitoring and dependency mapping for existing virtual machines, but it has no capability to discover unknown or external internet-facing assets.

130
Multi-Selectmedium

A security team wants to use Microsoft Sentinel to detect potential data exfiltration events from Azure Blob Storage. Which two logs should they ingest to best identify unauthorized read access and data transfer activities? (Choose two.)

Select 2 answers
A.Storage account audit logs (e.g., StorageReadKey, GetBlob)
B.Azure Activity log for storage account write operations
C.Azure AD sign-in logs
D.Azure Key Vault audit logs
AnswersA, B

These logs record data access operations on blobs, critical for detecting exfiltration.

Why this answer

Option A is correct because Storage account audit logs (e.g., StorageReadKey, GetBlob) capture detailed data-plane operations, including read access to blobs and keys, which directly indicates potential data exfiltration. Option B is correct because the Azure Activity log for storage account write operations records management-plane events like storage account key regeneration, which can be used to bypass existing access controls and exfiltrate data. Together, these logs provide visibility into both the data access and the administrative actions that could enable exfiltration.

Exam trap

The trap here is that candidates often confuse Azure AD sign-in logs with storage-specific audit logs, mistakenly thinking authentication logs alone can detect data exfiltration, when in fact they lack the data-plane operation details needed to identify unauthorized read or transfer activities.

131
Multi-Selectmedium

You are designing an Azure RBAC role assignment strategy for a subscription. Which three of the following practices are recommended for secure role management? (Choose three.)

Select 3 answers
A.Assign roles at the management group level to reduce the number of assignments
B.Use custom roles with the least privilege principle when built-in roles are too permissive
C.Assign roles to Azure AD groups rather than to individual users
D.Assign the Contributor role at the resource group level for all developers
E.Use the User Access Administrator role to grant users access to resources
F.Create multiple role assignments for the same scope to the same user

Why this answer

Assigning roles at the management group level reduces the number of assignments because permissions are inherited by all child subscriptions, simplifying management and reducing the risk of misconfiguration. Using custom roles with the least privilege principle ensures that users have only the permissions they need when built-in roles are too broad, minimizing the attack surface. Assigning roles to Azure AD groups rather than individual users enables centralized management of permissions through group membership, making it easier to audit and update access without modifying role assignments directly.

Exam trap

The trap here is that candidates often confuse the User Access Administrator role (which grants permission to assign roles) with a role that grants direct resource access, leading them to select it as a valid practice for granting access to resources.

132
MCQhard

You have an Azure SQL Database that stores financial data. You need to prevent unauthorized access by encrypting specific columns containing credit card numbers. The solution must allow authorized applications to query the data transparently. What should you implement?

A.Azure Storage service encryption
B.Transparent Data Encryption (TDE)
C.Dynamic Data Masking
D.Always Encrypted
AnswerD

Always Encrypted encrypts specific columns and allows authorized applications to decrypt transparently.

Why this answer

Option D is correct because Always Encrypted encrypts sensitive columns and allows authorized applications to decrypt transparently using the client driver. Option B is wrong because TDE encrypts the entire database at rest but does not provide column-level granularity or transparent querying for applications. Option C is wrong because Dynamic Data Masking only masks data but does not encrypt it.

Option A is wrong because Azure Storage service encryption applies to Azure Storage, not SQL Database.

133
MCQhard

Your organization uses Microsoft Sentinel to monitor hybrid environments. You have a Log Analytics workspace that collects Windows security events. You need to create an analytics rule that triggers when a user account is created on any server, but you only want to generate an incident if the account creation occurs outside of business hours (9 AM - 5 PM). How should you configure the rule query?

A.Use SecurityEvent where EventID = 4720 and TimeGenerated !between (9:00 and 17:00).
B.Use SecurityEvent where AccountCreated and TimeGenerated !between (9:00 and 17:00).
C.Use SecurityEvent where AccountCreated and TimeGenerated between 9:00 and 17:00.
D.Use SecurityEvent where AccountCreated and then schedule the rule to run only during non-business hours.
AnswerB

This filters events outside business hours.

Why this answer

Option B is correct because the query filters events whose hour is not between 9 and 17 (24-hour format). Option D is wrong because it would trigger for any time. Option C is wrong because it filters for business hours only.

Option A is wrong because it uses a different event ID.

134
MCQmedium

Your organization has multiple Azure subscriptions managed by Microsoft Defender for Cloud. You need to ensure that all subscriptions have the same security policies applied, and that any new subscription automatically inherits these policies. What should you do?

A.Create an Azure Blueprint and assign it to each subscription
B.Assign a policy initiative to a resource group and then move subscriptions into that group
C.Assign a policy initiative to each subscription individually
D.Assign a policy initiative at the management group level
AnswerD

Subscriptions inherit policies from their management group, including new ones.

Why this answer

Option D is correct because assigning a policy initiative at the management group level ensures all subscriptions under that group inherit the policy, including new ones. Option C is wrong because assigning at the subscription level would require manual assignment for each subscription and won't automatically apply to new ones. Option A is wrong because Azure Blueprints are being deprecated and are not the recommended approach.

Option B is wrong because Azure Policy does not support inheritance from a resource group to a subscription.

135
MCQmedium

A security operations team uses Microsoft Sentinel. They want to create a rule that generates an incident when an Azure virtual machine is deployed with a public IP address that is not in a predefined approved list. The rule should run every hour and query Azure Activity logs. Which type of analytics rule should they create?

A.Scheduled query rule
B.NRT (Near-Real-Time) rule
C.Anomaly rule
D.Fusion rule
AnswerA

Scheduled query rules are ideal for running queries on a fixed schedule (e.g., every hour) against log data to detect patterns and generate incidents.

Why this answer

A scheduled query rule is correct because the requirement specifies a rule that runs every hour and queries Azure Activity logs. Scheduled query rules in Microsoft Sentinel are designed for periodic, time-based queries against log data, such as Azure Activity logs, and can generate incidents based on predefined conditions like detecting a VM deployment with an unapproved public IP. This aligns perfectly with the need for a recurring, non-real-time check.

Exam trap

The trap here is that candidates confuse the frequency requirement (every hour) with the near-real-time label, assuming NRT rules can be configured for any interval, when in fact NRT rules are hard-limited to 1-minute intervals and cannot be set to hourly runs.

How to eliminate wrong answers

Option B (NRT rule) is wrong because near-real-time rules run at intervals of 1 minute or less, not every hour, and are designed for low-latency detection, not scheduled hourly checks. Option C (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns over time, not static conditions like a predefined approved IP list. Option D (Fusion rule) is wrong because Fusion rules correlate alerts from multiple security products to detect multi-stage attacks, not single-event conditions like VM deployment with a specific IP.

136
MCQmedium

Your security team is investigating a potential data exfiltration incident. They have identified that a user has been downloading large amounts of data from Azure Blob Storage to an external IP address. You need to create a Microsoft Sentinel analytics rule that triggers when more than 1 GB of data is downloaded from a storage account in a single hour. Which KQL query should be the basis of the rule?

A.StorageBlobLogs | where OperationName == 'GetBlob' | summarize TotalGB = sum(ResponseBodySize) / 1073741824 by bin(TimeGenerated, 1h) | where TotalGB > 1
B.StorageBlobLogs | where OperationName == 'GetBlob' | summarize avg(ResponseBodySize) by bin(TimeGenerated, 1h) | where avg_ResponseBodySize > 1073741824
C.StorageBlobLogs | where OperationName == 'GetBlob' and ResponseBodySize > 1073741824
D.StorageBlobLogs | where OperationName == 'GetBlob' | summarize count() by bin(TimeGenerated, 1h) | where count_ > 1000
AnswerA

Correctly sums total size in GB and filters correctly.

Why this answer

Option A is correct because it sums the response body size in bytes, converts to GB, and then filters above 1 GB. Option B is wrong because it uses average instead of sum. Option D is wrong because it uses count instead of sum.

Option C is wrong because it only checks whether any single operation exceeds 1 GB.

137
MCQmedium

A company has an Azure virtual network with a subnet that hosts a web application. They need to allow inbound HTTP (port 80) and HTTPS (port 443) traffic from a specific source IP range (203.0.113.0/24) to the web servers. Additionally, they need to allow inbound RDP (port 3389) traffic from a management subnet (10.0.1.0/24). They want to block all other inbound traffic. They are using a network security group (NSG) associated with the subnet. What is the minimum number of inbound security rules required?

A.3
B.4
C.5
D.2
AnswerA

Three allow rules (HTTP, HTTPS, RDP) are sufficient. The default deny rule handles all other inbound traffic.

Why this answer

The correct answer is A (3 rules) because an NSG includes default rules that already block all inbound traffic by default. You only need explicit allow rules for the three permitted traffic types: HTTP (port 80) from 203.0.113.0/24, HTTPS (port 443) from 203.0.113.0/24, and RDP (port 3389) from 10.0.1.0/24. The default deny rule handles blocking all other traffic, so no additional deny rule is required.

Exam trap

The trap here is that candidates often think they need an explicit deny rule to block all other traffic, forgetting that the default 'DenyAllInBound' rule already accomplishes this, leading them to overcount the required rules.

How to eliminate wrong answers

Option B (4) is wrong because it assumes a separate deny-all rule is needed, but the default deny rule already blocks all unmatched traffic. Option C (5) is wrong because it might incorrectly count separate rules for HTTP and HTTPS plus an explicit deny rule, or mistakenly include a rule for the management subnet's outbound traffic. Option D (2) is wrong because it would require combining HTTP and HTTPS into a single rule, but NSG rules cannot have multiple destination ports in a single rule unless using a port range, and port 80 and 443 are not contiguous; thus, two separate rules are needed for HTTP and HTTPS, plus one for RDP, totaling three.

138
MCQeasy

A company has Azure AD with Premium P2 licenses. They want to enforce Azure Multi-Factor Authentication (MFA) for all users accessing the Azure portal from untrusted networks, but only after the user has successfully entered their password. Which Conditional Access grant control should they configure?

A.Require multi-factor authentication
B.Require device to be marked as compliant
C.Require approved client app
D.Require domain join
AnswerA

This grant control requires users to complete MFA before accessing the resource, which meets the requirement of enforcing MFA after password authentication.

Why this answer

Option A is correct because the 'Require multi-factor authentication' grant control in Conditional Access enforces MFA after password authentication, which aligns with the requirement to prompt for MFA only after the user has successfully entered their password. This control is applied based on the condition of 'untrusted networks' (e.g., using the 'Locations' condition to target all locations except trusted IPs), ensuring that MFA is triggered specifically for Azure portal access from untrusted networks.

Exam trap

The trap here is that candidates often confuse 'Require multi-factor authentication' with 'Require device to be marked as compliant' or 'Require domain join', mistakenly thinking device state controls can enforce MFA step-up, when in fact only the MFA grant control triggers the additional authentication challenge after password entry.

How to eliminate wrong answers

Option B is wrong because 'Require device to be marked as compliant' enforces device compliance (e.g., Intune policy) but does not enforce MFA after password entry; it blocks or grants access based on device health, not authentication step-up. Option C is wrong because 'Require approved client app' restricts access to specific client applications (e.g., Microsoft Authenticator) but does not enforce MFA after password entry; it is used for app-level restrictions, not authentication step-up. Option D is wrong because 'Require domain join' enforces hybrid Azure AD join or domain-joined devices, which does not enforce MFA after password entry; it is a device state control, not an authentication enforcement.

139
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that users must perform multi-factor authentication (MFA) when activating a role. Which PIM setting should they configure?

A.Require Azure AD Multi-Factor Authentication on activation
B.Require approval to activate
C.Require justification on activation
D.Require ticket information on activation
AnswerA

This setting enforces MFA every time a user activates a role, adding an extra layer of security.

Why this answer

To enforce multi-factor authentication during role activation in Azure AD Privileged Identity Management (PIM), you must configure the 'Require Azure AD Multi-Factor Authentication on activation' setting. This ensures that before a user’s role assignment is activated, they must complete an MFA challenge, adding an extra layer of security against unauthorized access.

Exam trap

The trap here is that candidates often confuse 'Require approval to activate' with MFA enforcement, but approval is a separate authorization step that does not verify the user’s identity through a second factor.

How to eliminate wrong answers

Option B is wrong because 'Require approval to activate' enforces a workflow where one or more approvers must authorize the activation, but it does not mandate MFA. Option C is wrong because 'Require justification on activation' only prompts the user to provide a business reason for activation, not an MFA challenge. Option D is wrong because 'Require ticket information on activation' asks for a support ticket number for auditing purposes, which is unrelated to multi-factor authentication.

140
Multi-Selecthard

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

Select 2 answers
A.Set the activation maximum duration to 8 hours.
B.Enable approval workflow by adding the manager as an approver.
C.Require multi-factor authentication on activation.
D.Require justification on activation.
AnswersA, B

This limits how long the role can be active, meeting the time-bound requirement.

Why this answer

Option A is correct because setting the activation maximum duration to 8 hours enforces the time-bound requirement, ensuring that once a user activates the Global Administrator role, the activation automatically expires after 8 hours. Option B is correct because enabling the approval workflow and adding the manager as an approver ensures that the manager must approve each activation request, meeting the requirement for manager approval. Together, these two configurations satisfy both the time-bound and approval constraints.

Exam trap

The trap here is that candidates often confuse 'justification' or 'MFA' with approval and time-bound constraints, but justification and MFA are separate security controls that do not satisfy the specific requirements for manager approval and a maximum duration.

141
MCQhard

You are a security engineer for Contoso. The company uses Azure Firewall for all inbound and outbound traffic. To prevent misconfiguration, you assign the Azure Policy shown in the exhibit at the management group scope. After assignment, a network administrator reports that they cannot create a new subnet in an existing virtual network. The subnet creation fails with a 'deny' policy error. You need to allow subnet creation while still blocking NSG rule changes. What should you do?

A. Change the effect to 'audit' instead of 'deny'.
B. Modify the policy rule to remove the subnet condition from the anyOf array.
C. Add an exemption for the virtual network resource group.
D. Remove the policy assignment and create a custom role to block subnet creation.
Answer: B

Correct. Removing the subnet condition allows subnet creation while still blocking NSG rule changes.

Why this answer

The policy currently denies both NSG rule changes and subnet creation because the if condition uses anyOf. To allow subnet creation, you need to remove the subnet condition from the policy rule. Option B correctly updates the policy rule to check only for NSG security rules.

Option A changes only the effect and leaves the condition unchanged, so it does not meet the requirement. Option C does not address the subnet issue. Option D removes the entire policy, which is too permissive.

142
Multi-Select · easy

Your company wants to implement a least-privilege model for administrative roles in Microsoft Entra ID. Which TWO features should you use?

Select 2 answers
A. Azure RBAC roles
B. Custom roles in Microsoft Entra ID
C. Conditional Access policies
D. Microsoft Entra B2B external identities
E. Privileged Identity Management (PIM)
Answers: B, E

Allows defining roles with specific permissions.

Why this answer

Custom roles in Microsoft Entra ID allow you to define roles with precisely the permissions needed for specific administrative tasks, enabling a least-privilege model by granting only the required actions on specific resources. Privileged Identity Management (PIM) complements this by providing just-in-time (JIT) activation, time-bound assignments, and approval workflows for those custom roles, ensuring that elevated privileges are only used when necessary and are automatically revoked.

Exam trap

The trap here is that candidates often confuse Azure RBAC roles (which manage Azure resources) with Microsoft Entra ID roles (which manage directory objects), leading them to incorrectly select Azure RBAC roles as a feature for Entra ID least-privilege administration.

143
MCQ · medium

A company uses Azure Blob Storage to store sensitive documents. The security policy requires that the storage account can only be accessed from a specific Azure virtual network (VNet) and that all access must use Azure Active Directory (Azure AD) authentication. They want to block any access that uses storage account keys or shared access signatures (SAS). Which configuration should they implement?

A. Configure the storage account firewall to allow access from the specific VNet, and disable 'Allow storage account key access'.
B. Configure a private endpoint for the storage account and disable 'Allow storage account key access'.
C. Configure the storage account firewall to deny all networks, and set 'Allow storage account key access' to 'Disabled'.
D. Configure the storage account firewall to allow access from the specific VNet, and enable 'Require secure transfer' (HTTPS only).
Answer: A

This restricts access to the VNet and disables key-based authorization, enforcing Azure AD authentication as required.

Why this answer

Option A is correct because it combines two essential controls: the storage account firewall restricts access to only the specified VNet, and disabling 'Allow storage account key access' enforces Azure AD authentication by blocking all requests that use account keys or SAS tokens. This ensures that only authenticated Azure AD identities from the allowed VNet can access the storage account, meeting the security policy requirements.

Exam trap

The trap here is that candidates often confuse 'Require secure transfer' (which only mandates HTTPS) with authentication enforcement, or assume that a private endpoint alone blocks key-based access, when in fact it only secures network connectivity.

How to eliminate wrong answers

Option B is wrong because while a private endpoint restricts network access to a specific VNet, disabling 'Allow storage account key access' alone does not block SAS tokens—SAS can still be generated and used unless explicitly disabled via other settings. Option C is wrong because denying all networks in the firewall blocks all traffic, including from the specific VNet, making the storage account inaccessible even with Azure AD authentication. Option D is wrong because enabling 'Require secure transfer' enforces HTTPS but does not block storage account keys or SAS tokens; it only ensures encrypted transport, not authentication method enforcement.

144
Multi-Select · easy

Which TWO features of Azure Database for PostgreSQL ensure data security at rest?

Select 2 answers
A. Firewall rules
B. Infrastructure double encryption
C. Transparent Data Encryption (TDE)
D. Advanced Threat Protection
E. Auto-tuning
Answers: B, C

Double encryption provides two layers of encryption at rest.

Why this answer

Infrastructure double encryption and Transparent Data Encryption (TDE) protect data at rest; SSL/TLS encrypts data in transit, not at rest. Options B and C are correct. Firewall rules control network access.

Advanced Threat Protection detects threats. Auto-tuning is for performance.

145
MCQ · hard

Your organization uses Microsoft Defender for Cloud to manage security posture. You have an Azure SQL Database that stores PII. You need to ensure that all sensitive columns are automatically discovered and classified. Additionally, you want to audit access to these columns. What should you configure?

A. Azure SQL Database Advanced Threat Protection and Azure SQL Database auditing
B. Microsoft Defender for Cloud's data discovery and classification and Azure SQL Database auditing
C. Azure Purview Data Map and Azure SQL Database auditing
D. Azure SQL Database Vulnerability Assessment and Azure SQL Database auditing
Answer: B

Provides automatic discovery and auditing.

Why this answer

Option B is correct: Microsoft Defender for Cloud includes data discovery and classification for Azure SQL Database, and auditing can be enabled to track access. Option C (Azure Purview Data Map) is for broader data governance but not directly for SQL Database auditing. Option D (Azure SQL Database Vulnerability Assessment) checks for vulnerabilities, not classification.

Option A (Azure SQL Database Advanced Threat Protection) detects threats, not classification.

146
MCQ · medium

A security team uses Microsoft Sentinel. They want to automatically isolate a compromised virtual machine by applying a network security group (NSG) rule. They have created a playbook in Azure Logic Apps that modifies the NSG. How should they trigger this playbook when an incident of type 'Suspicious VM activity' is created?

A. Create an automation rule in Microsoft Sentinel that is triggered when an incident is created, and set the action to run the playbook.
B. Configure a data connector to send all alerts to the playbook.
C. Enable the playbook as a response action in the analytics rule.
D. Use a logic app trigger that polls Sentinel incidents every minute.
Answer: A

Automation rules can respond to incident creation and execute a playbook, making them ideal for automated response scenarios.

Why this answer

Option A is correct because Microsoft Sentinel automation rules are designed to trigger playbooks automatically when incidents are created, updated, or closed. By configuring an automation rule with the condition 'When incident is created' and the action 'Run playbook', the playbook that modifies the NSG will execute immediately upon the creation of a 'Suspicious VM activity' incident, achieving the desired automated isolation without manual intervention.

Exam trap

The trap here is that candidates often confuse analytics rule response actions (which trigger on alert generation) with automation rules (which trigger on incident creation), leading them to incorrectly select Option C when the question explicitly requires incident-based triggering.

How to eliminate wrong answers

Option B is wrong because data connectors ingest raw logs and alerts into Sentinel, but they do not trigger playbooks; playbooks are triggered by automation rules or analytics rule response actions, not by data connectors. Option C is wrong because analytics rules can have automated responses, but those responses run when an alert is generated, not when an incident is created; the question specifies triggering on incident creation, which requires an automation rule. Option D is wrong because polling every minute introduces latency and inefficiency, and Sentinel provides event-driven triggers (via automation rules) that react instantly to incident creation, making polling unnecessary and suboptimal.

147
MCQ · medium

Refer to the exhibit. An Azure Firewall Policy snippet is shown. A security administrator deploys this policy to the Azure Firewall. However, they receive reports that some VMs can still access the internet. What is the most likely reason?

A. The destination "Internet" is not a valid service tag; it should be "*" for all destinations.
B. The action type "Deny" is misspelled; it should be "Deny".
C. The sourceAddresses field uses "*" which is not supported for outbound rules.
D. There is another rule collection with a higher priority that allows traffic.
Answer: D

Rule collections are evaluated in priority order; a higher priority allow rule can override a lower priority deny rule.

Why this answer

Option D is correct. In Azure Firewall Policy, rules within a rule collection are evaluated in priority order, but a rule collection group contains multiple rule collections. If another rule collection has a higher priority (lower number) and allows the traffic, it is evaluated first and the traffic is allowed, bypassing the deny rule.

Additionally, the rule collection group itself must be assigned to the firewall policy. Option C is wrong because the source address "*" covers all VMs. Option A is wrong because the destination "Internet" is a valid service tag.

Option B is wrong because the rule explicitly uses the Deny action.

148
MCQ · medium

A security operations team uses Microsoft Sentinel. They are investigating a security incident that involves multiple alerts from different Azure resources. They need to see the entire attack timeline and all related entities (such as user accounts, IP addresses, and hosts) in a single, visual graph to understand the scope of the attack. Which Microsoft Sentinel feature should they use?

A. Investigation graph
B. Incident dashboard
C. Entity behavior analytics (UEBA)
D. Threat hunting blade
Answer: A

The investigation graph displays entities and their connections, allowing analysts to visually explore relationships and understand the full attack timeline within an incident.

Why this answer

The Investigation graph in Microsoft Sentinel is specifically designed to visually map the relationships between alerts, entities (such as user accounts, IP addresses, and hosts), and the attack timeline. It allows security analysts to explore the scope of an incident by interactively expanding nodes and viewing connections, which directly meets the requirement for a single visual graph showing the entire attack timeline and related entities.

Exam trap

The trap here is that candidates often confuse the Incident dashboard (which shows a list of incidents) with the Investigation graph (which provides the interactive visual graph of entities and timeline), leading them to select the dashboard option because it sounds like the place to 'see' incident details.

How to eliminate wrong answers

Option B (Incident dashboard) is wrong because it provides a high-level summary of incidents (e.g., severity, status, count) but does not offer a visual graph of entity relationships or an attack timeline. Option C (Entity behavior analytics / UEBA) is wrong because it focuses on profiling and detecting anomalous behavior of individual entities over time, not on mapping the relationships and timeline of multiple alerts in a single incident. Option D (Threat hunting blade) is wrong because it is used for proactive, query-based searches for potential threats across large datasets, not for visualizing the scope and relationships of an already identified incident.

149
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Defender for Cloud's workload protection plans?

Select 3 answers
A. Adaptive application controls
B. DDoS protection
C. Data Loss Prevention (DLP)
D. File Integrity Monitoring (FIM)
E. Just-in-time (JIT) VM access
Answers: A, D, E

Adaptive application controls whitelist applications.

Why this answer

Options A, D, and E are correct. Option A is correct because adaptive application controls are part of workload protection. Option D is correct because file integrity monitoring is included.

Option E is correct because just-in-time VM access is a feature. Option B is wrong because DDoS protection is a separate service. Option C is wrong because data loss prevention is part of Microsoft Purview.

150
MCQ · hard

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to ensure that all privileged role activations are approved by a manager and require a ticket number. What should you configure in PIM?

A. Role settings for the privileged role
B. Audit history
C. Alerts
D. Access reviews
Answer: A

Role settings allow you to require approval and justification.

Why this answer

Option A is correct because role settings in PIM allow you to configure approval and justification. Option D is wrong because access reviews are for periodic reviews. Option C is wrong because alerts are for notifications.

Option B is wrong because audit history is for logging.
