Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 151–225

1000 questions total · 14 pages · All types, answers revealed


Page 3 of 14

151
MCQ · hard

A KQL hunting query joins SecurityIncident with SecurityAlert but returns duplicate rows for incidents with multiple alerts. What KQL approach best preserves one row per incident while summarizing alert details?

A. Use order by TimeGenerated desc only
B. Replace join with union
C. Use take 1 before the join
D. Use summarize make_set() or arg_max() grouped by IncidentNumber
Answer: D

Correct for the stated requirement.

Why this answer

Option D is correct because `summarize make_set()` or `arg_max()` grouped by `IncidentNumber` collapses multiple alert rows into a single incident row while preserving alert details in an array or the most recent alert. This directly addresses the duplicate rows caused by a one-to-many join between SecurityIncident and SecurityAlert, ensuring one row per incident without data loss.

Exam trap

The trap here is that candidates often confuse sorting or limiting rows (options A and C) with deduplication, or incorrectly think a union can replace a join, missing the fundamental need to aggregate after a one-to-many relationship.

How to eliminate wrong answers

Option A is wrong because `order by TimeGenerated desc` only sorts the results and does not remove duplicate rows; it leaves the duplicates intact. Option B is wrong because `union` combines rows from two tables without any join logic, which would not correlate incidents with their alerts and would produce a completely different, incorrect result set. Option C is wrong because `take 1` before the join arbitrarily limits the input rows before the join, which can discard relevant alerts and still produce duplicates if the incident has multiple alerts in the remaining data.
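The pattern the correct option describes, written out as an added hunting query (it is not part of the question bank). Table and column names are the standard Microsoft Sentinel schema for SecurityIncident and SecurityAlert; the 7-day lookback and the make_set size caps are assumptions. It also handles a detail the question skips: both tables log a fresh row on every update, so each side is reduced with arg_max() before the join, otherwise the join itself multiplies rows.

```kql
// Added example, not from the question bank: collapse the one-to-many
// SecurityIncident -> SecurityAlert relationship to one row per incident.
// Table and column names are the standard Sentinel schema; the lookback
// and set-size caps are assumptions.
let lookback = 7d;
SecurityIncident
| where TimeGenerated > ago(lookback)
// SecurityIncident logs a row for every update, so keep only the latest
// state of each incident before expanding its alert list
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// one row per (incident, alert id) so the join key is a scalar
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    // alerts are also re-logged on update; keep the latest copy of each
    | summarize arg_max(TimeGenerated, AlertName, AlertSeverity, ProviderName)
        by SystemAlertId
    // rank severity so max() picks the most severe alert rather than the
    // alphabetically greatest string ("Medium" sorts above "High")
    | extend SeverityRank = case(AlertSeverity == "High", 3,
                                 AlertSeverity == "Medium", 2,
                                 AlertSeverity == "Low", 1, 0)
  ) on $left.AlertId == $right.SystemAlertId
// back to exactly one row per incident, with alert details kept as arrays
| summarize AlertCount      = dcount(AlertId),
            AlertNames      = make_set(AlertName, 50),
            Providers       = make_set(ProviderName, 20),
            LatestAlertTime = max(TimeGenerated1),   // right-side TimeGenerated
            MaxSeverityRank = max(SeverityRank)
    by IncidentNumber, Title, Severity, Status, CreatedTime
| order by MaxSeverityRank desc, AlertCount desc
```

Run it in the Logs blade of the Sentinel workspace; the row count of the result equals the number of distinct incidents in the window, which is the quickest check that the duplicates are gone.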

152
MCQ · easy

You are responsible for securing an Azure environment using Microsoft Defender for Cloud. You need to reduce the number of false positive security alerts for a specific Azure SQL Database. The database is regularly scanned by a legitimate security tool that generates alerts. What should you do?

A. Disable the security alert rule for SQL databases in Defender for Cloud.
B. Exclude the database from the vulnerability assessment solution.
C. Create a suppression rule for the specific alert type and source IP address.
D. Modify the Azure SQL Database firewall rules to allow the scanning tool's IP.
Answer: C

Suppression rules allow targeted suppression based on alert properties.

Why this answer

Option C is correct because creating a suppression rule in Defender for Cloud allows you to suppress alerts based on specific criteria like IP address or alert title, reducing false positives. Option A is wrong because disabling the alert rule would miss real threats. Option B is wrong because excluding the database from vulnerability assessment would also miss real vulnerabilities.

Option D is wrong because modifying the firewall rules is not related to alert suppression.

153
Drag & Drop · medium

Drag and drop the steps to configure Azure AD Privileged Identity Management (PIM) for a role into the correct order.


Why this order

PIM requires enabling the service first, then selecting roles, configuring settings, and finally assigning users as eligible.

154
MCQ · hard

A company uses Azure AD Privileged Identity Management (PIM) to manage access to critical roles. They want to require that users who are eligible for the 'Security Administrator' role must provide a support ticket number in the justification when activating the role. Additionally, they want to set a maximum activation duration of 4 hours. Which PIM role setting should they configure?

A. Activation settings
B. Notification settings
C. Approval settings
D. Assignment settings
Answer: A

In the activation settings for the role, you can set maximum duration (4 hours) and require justification with a ticket number field.

Why this answer

Option A is correct because the 'Activation settings' in Azure AD PIM allow you to configure the maximum activation duration (in hours) and require justification, including a support ticket number, when a user activates an eligible role. These settings directly control the conditions under which role activation occurs, such as duration and mandatory justification fields.

Exam trap

The trap here is that candidates often confuse 'Assignment settings' (which control the duration of an eligible or active assignment) with 'Activation settings' (which control the duration and conditions of activation for eligible users), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B is wrong because 'Notification settings' control who receives email alerts when roles are activated or assigned, not the activation duration or justification requirements. Option C is wrong because 'Approval settings' require designated approvers to approve activation requests, but they do not enforce a maximum activation duration or a support ticket number in the justification. Option D is wrong because 'Assignment settings' define whether a role assignment is eligible or active, and the duration of the assignment itself, not the activation duration or justification content for eligible users.

155
MCQ · easy

You are troubleshooting why a user cannot sign in to a custom line-of-business application that is federated with Microsoft Entra ID. The user reports that they are repeatedly prompted for credentials and then receive an error. The application is configured for SAML-based SSO. What is the most likely cause?

A. The user's browser cookies are disabled
B. The application is not registered in the app gallery
C. The SAML certificate has expired or the configuration has a mismatch
D. The user does not have a license for Microsoft Entra ID
Answer: C

Common SAML SSO issue.

Why this answer

When a SAML-based SSO application repeatedly prompts for credentials and then fails, the most common cause is an expired or misconfigured SAML signing certificate. The certificate is used by Microsoft Entra ID to sign SAML assertions; if it has expired, or if the thumbprint, audience URI, or reply URL in the Entra ID configuration does not match what the application expects, the application will reject the assertion and force re-authentication or display an error.

Exam trap

The trap here is that candidates often confuse a SAML certificate expiration/mismatch with a licensing issue or browser configuration problem, but the repeated credential prompt followed by an error is the hallmark of a failed SAML assertion validation, not a missing license or disabled cookies.

How to eliminate wrong answers

Option A is wrong because disabled browser cookies would typically cause session persistence issues or repeated prompts, but they would not directly cause a SAML assertion validation failure with a specific error; the error described is characteristic of a token trust issue, not a cookie storage issue. Option B is wrong because an application does not need to be in the Microsoft Entra ID app gallery to function with SAML SSO; custom line-of-business applications can be registered as non-gallery applications and work identically. Option D is wrong because Microsoft Entra ID licensing is not required for a user to authenticate via SAML federation; free tier Entra ID supports SAML-based SSO for up to 10 applications per tenant, and the error is unrelated to license assignment.

156
Drag & Drop · medium

Drag and drop the steps to configure Azure Defender for SQL on an Azure SQL Database into the correct order.


Why this order

Defender for SQL is enabled per database under security settings, requiring storage for scans.

157
Multi-Select · medium

An AKS cluster must reduce risk from untrusted container images. Which two controls are most appropriate?

Select 2 answers
A. Enable anonymous image pulls
B. Scan container images for vulnerabilities before deployment
C. Restrict image pulls to trusted registries such as ACR with proper RBAC
D. Store Kubernetes secrets in plain text ConfigMaps
Answers: B, C

Correct for the stated requirement.

Why this answer

Option B is correct because scanning container images for vulnerabilities before deployment ensures that known security issues are identified and remediated before the images run in the cluster. This is a critical preventive control that directly reduces the risk of exploiting vulnerabilities in untrusted images. Azure Security Center and Azure Defender for container registries can automatically scan images in ACR and provide actionable findings.

Exam trap

The trap here is that candidates might think enabling anonymous pulls is a valid way to reduce risk by simplifying access, but it actually removes authentication and exposes the registry to unauthorized access.

158
Multi-Select · hard

You are configuring security for an Azure Functions app that processes credit card numbers. You need to ensure that the function can securely access a storage account without storing any credentials in code or configuration, and that all data in the storage account is encrypted with a customer-managed key. Which three actions should you take?

Select 3 answers
A. Assign the 'Storage Blob Data Contributor' role to the function app's managed identity
B. Configure the storage account to use customer-managed keys for encryption
C. Store the storage account connection string in an application setting
D. Enable system-assigned managed identity on the function app
E. Use a Key Vault reference in the function app configuration to retrieve the storage account key
Answers: A, B, D

Grants access to storage account.

Why this answer

Option D is correct: managed identity allows the function to authenticate without credentials. Option A is correct: the RBAC assignment allows the function to access the storage account. Option B is correct: customer-managed keys provide encryption at rest.

Option C (connection string) is not secure. Option E (Key Vault reference) still requires a stored secret; managed identity is the better choice.

159
MCQ · medium

Your security operations center (SOC) uses Microsoft Sentinel. You need to ensure that an incident is automatically created when a specific type of alert fires from Microsoft Defender for Cloud. What is the most efficient way to configure this?

A. Create a playbook that triggers on alert and generates an incident via API.
B. Configure the Microsoft Defender for Cloud data connector in Sentinel and enable incident creation.
C. Design a workbook to monitor alerts and manually create incidents.
D. Write a scheduled analytics rule that queries Defender for Cloud logs.
Answer: B

Data connectors automatically create incidents from alerts.

Why this answer

Option B is correct because the data connector for Microsoft Defender for Cloud ingests alerts and automatically creates incidents based on the analytics rule. Option A is wrong because a playbook runs after incident creation, not before. Option C is wrong because a workbook is for visualization.

Option D is wrong because a scheduled rule queries logs but doesn't directly connect to Defender alerts.

160
MCQ · hard

A Sentinel data connector based on Azure Monitor Agent stops collecting Windows Security Events after migration from the legacy agent. What should the engineer verify first?

A. A Data Collection Rule is associated with the target machines and includes the required event streams
B. The workspace has a saved KQL function named SecurityEvent
C. The machines are assigned an Azure Policy initiative for tags
D. The analytics rule is configured as near-real-time
Answer: A

Correct for the stated requirement.

Why this answer

After migrating from the legacy Log Analytics Agent to the Azure Monitor Agent (AMA), data collection is governed by Data Collection Rules (DCRs). If the DCR is not associated with the target machines or does not include the required Windows Security Event data streams (e.g., `Microsoft-Event` or `SecurityEvent`), the Sentinel connector will stop receiving events. This is the most common root cause because AMA relies entirely on DCRs for configuration, unlike the legacy agent which used workspace settings directly.

Exam trap

The trap here is that candidates often assume the legacy agent's workspace configuration persists after migration, but AMA requires explicit Data Collection Rules to be created and associated, and missing or misconfigured DCRs are the primary cause of data loss.

How to eliminate wrong answers

Option B is wrong because a saved KQL function named `SecurityEvent` is a query artifact, not a prerequisite for data ingestion; the connector ingests raw events into the `SecurityEvent` table regardless of saved functions. Option C is wrong because Azure Policy initiatives for tags manage resource governance and compliance, not data collection or agent configuration. Option D is wrong because analytics rules define detection logic and alerting, not the underlying data ingestion pipeline; near-real-time configuration affects alert latency, not whether events are collected.

161
MCQ · medium

A company has an Azure virtual network with a subnet hosting internal web applications. The security team needs to allow inbound HTTPS traffic only from the company's corporate network IP range (203.0.113.0/24). All other inbound traffic must be denied. They want to use a network security group (NSG) associated with the subnet. Which inbound security rule configuration meets this requirement?

A. One inbound rule: Allow HTTPS from 203.0.113.0/24 with priority 100. No other rules. Rely on the default deny-all rule.
B. Two inbound rules: Allow HTTPS from 203.0.113.0/24 with priority 100, and Deny All from Any with priority 110.
C. Two inbound rules: Deny All from Any with priority 100, and Allow HTTPS from 203.0.113.0/24 with priority 110.
D. One inbound rule: Deny All from Any with priority 100. No allow rules. Use application security groups.
Answer: B

The allow rule (priority 100) permits HTTPS from the corporate IP. The deny rule (priority 110) blocks all other inbound traffic. Since the deny rule has a lower priority number (higher priority) than any default rules, it effectively blocks everything except the allowed HTTPS traffic.

Why this answer

Option B is correct because NSGs process rules in priority order, and the default implicit deny rule only applies if no explicit rule matches. By placing an explicit 'Deny All from Any' rule with a higher priority number (110) after the explicit 'Allow HTTPS' rule (priority 100), traffic from 203.0.113.0/24 on HTTPS is allowed, and all other inbound traffic is explicitly denied, ensuring no unintended implicit allow or bypass.

Exam trap

The trap here is that candidates often assume the default deny rule is sufficient, but Azure explicitly requires an explicit deny rule to override the default implicit allow for outbound traffic or to ensure logging and control for inbound traffic, and they may misorder rules by placing the deny before the allow.

How to eliminate wrong answers

Option A is wrong because relying solely on the default deny-all rule leaves a gap: if any other rule (e.g., a future higher-priority allow rule) is added, it could inadvertently allow traffic; also, the default deny is implicit and does not provide explicit logging or control for all denied traffic. Option C is wrong because placing 'Deny All from Any' at priority 100 would block all traffic, including HTTPS from 203.0.113.0/24, before the allow rule at priority 110 is evaluated, resulting in no allowed HTTPS traffic. Option D is wrong because a single 'Deny All from Any' rule with no allow rule would block all inbound traffic, including the desired HTTPS traffic, and application security groups do not override the need for explicit allow rules.

162
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Global Administrator' role. The security team wants to ensure that when a user activates the role, they must provide a justification, and the activation request must be approved by a specific group of security administrators. They have already configured the role for activation with a maximum duration of 8 hours. Which additional PIM settings should they configure?

A. Enable 'Require approval to activate' and select the security group as approver
B. Set 'Require Azure Multi-Factor Authentication' to 'On'
C. Set 'Require justification on activation' to 'On' and also enable 'Require ticket information'
D. Create a separate PIM request workflow using Azure Logic Apps
Answer: A

This setting ensures that an activation request must be approved by members of the designated security group before the role is activated.

Why this answer

Option A is correct because the scenario requires both justification and approval for role activation. PIM allows you to enforce 'Require justification on activation' and 'Require approval to activate' as separate settings. By enabling 'Require approval to activate' and selecting the security group as the approver, you meet the requirement for approval.

Justification is a default requirement in PIM once approval is enabled, but 'Require justification on activation' should still be set to 'On' explicitly if it is not already enforced. Because the question states the role is already configured for activation with a maximum duration, the missing piece is the approval configuration.

Exam trap

The trap here is that candidates may think 'Require justification on activation' alone satisfies the requirement, but the question explicitly asks for approval by a specific group, which requires the separate 'Require approval to activate' setting.

How to eliminate wrong answers

Option B is wrong because requiring Azure Multi-Factor Authentication (MFA) is a separate security control that does not enforce approval or justification; it only adds an authentication step during activation. Option C is wrong because while 'Require justification on activation' is needed, the scenario also requires approval by a specific group, which is not addressed by justification or ticket information alone. Option D is wrong because Azure Logic Apps are not a native PIM setting for role activation approval; PIM has built-in approval workflows that do not require custom Logic Apps.

163
Multi-Select · hard

Which THREE of the following are required to enable network traffic flow between two peered Azure virtual networks in different Azure regions?

Select 3 answers
A. Both VNets must have the Allow virtual network access setting enabled for the peering.
B. If using a network virtual appliance, the Allow forwarded traffic setting must be enabled.
C. Gateway transit must be enabled in at least one VNet.
D. An NSG rule must allow traffic between the VNets.
E. The address spaces of the VNets must not overlap.
Answers: A, B, E

Required for connectivity.

Why this answer

Options A, B, and E are correct. Global VNet peering requires both peerings to be enabled, non-overlapping address spaces, and the Allow forwarded traffic setting if using NVAs. Option C (Gateway transit) is optional and only needed if using a gateway.

Option D (NSG allow rules) is optional if default allow is used.

164
MCQ · hard

A company has an Azure virtual network (VNet) with multiple subnets. They deploy Azure Firewall in a hub VNet and peer spoke VNets. They want to force-tunnel all outbound traffic from a specific spoke subnet to the firewall for inspection. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

A. The Azure Firewall subnet is missing a route table entry for the 0.0.0.0/0 route
B. The route table on the spoke subnet has 'Propagate gateway routes' enabled, causing a conflicting route from the hub's VPN gateway
C. The VNet peering does not allow forwarded traffic from the spoke to the firewall
D. The Azure Firewall is not configured with the 'Allow outbound traffic' rule
Answer: B

When gateway propagation is enabled, any routes from the hub's VPN/ExpressRoute gateway are automatically added. These routes can override the custom 0.0.0.0/0 route, especially if the hub has a default route learned via VPN. Disabling propagation resolves the conflict.

Why this answer

Option B is correct because when 'Propagate gateway routes' is enabled on the spoke subnet's route table, the VNet peering with the hub (which may have a VPN or ExpressRoute gateway) injects a system route for 0.0.0.0/0 with a next hop of the virtual gateway. This system route has a lower (better) route preference than the user-defined route (UDR) pointing to the Azure Firewall, causing traffic to bypass the firewall and go directly to the gateway.

Exam trap

The trap here is that candidates assume a UDR always overrides system routes, but Azure's route selection logic gives system routes (including gateway-propagated routes) higher priority than UDRs for the 0.0.0.0/0 prefix.

How to eliminate wrong answers

Option A is wrong because the Azure Firewall subnet itself does not require a 0.0.0.0/0 route; the firewall handles routing internally, and adding such a route could actually break traffic inspection. Option C is wrong because VNet peering allows forwarded traffic by default; the issue is not peering configuration but conflicting routes. Option D is wrong because the firewall's 'Allow outbound traffic' rule is a network rule or application rule that permits traffic, but the problem here is that traffic never reaches the firewall due to routing, not that it is blocked by a missing rule.

165
MCQ · hard

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

A. The route table is not associated to the subnet.
B. The Azure Firewall is not configured with a default route.
C. The virtual machines have public IP addresses assigned.
D. The VNet peering is not configured properly.
Answer: C

When a VM has a public IP, Azure performs default outbound SNAT using that IP, bypassing the route table and the firewall.

Why this answer

When a virtual machine in Azure has a public IP address assigned, Azure's default routing logic gives it a 'default outbound access' path that bypasses any user-defined route (UDR) pointing to the Azure Firewall. This is because Azure prefers the host's public IP route over a UDR for internet-bound traffic, unless the VM is explicitly configured to use a NAT gateway or Azure Firewall as the next hop. Therefore, even with the route table correctly associated, the VM will send traffic directly to the internet via its public IP.

Exam trap

The trap here is that candidates assume a UDR with 0.0.0.0/0 to the firewall will always override all outbound traffic, but they overlook the special case where a VM with a public IP has a higher-priority system route that sends internet traffic directly out.

How to eliminate wrong answers

Option A is wrong because the question states the route table has been configured on the spoke subnet, and if it were not associated, the symptom would be no routing change at all, but the traffic is still going to the internet—indicating the route table is likely associated but overridden. Option B is wrong because the Azure Firewall does not need a default route on itself for the spoke VMs to route through it; the firewall's routing is handled by its own subnet's route table, and the issue is on the VM side, not the firewall. Option D is wrong because VNet peering is required for the spoke VNet to reach the hub VNet where the firewall resides, and if peering were misconfigured, the traffic would not reach the firewall at all, but the symptom here is that traffic goes directly to the internet, not that it fails to reach the firewall.

166
MCQ · hard

Your organization is migrating to Azure and needs to protect against advanced threats like fileless malware. You must use a solution that provides real-time protection and integrates with Microsoft Defender for Cloud. What should you deploy on Azure VMs?

A. Microsoft Antimalware for Azure
B. Microsoft Defender for Endpoint (Microsoft Defender XDR)
C. Azure Monitor Agent (AMA)
D. Azure Security Center (free tier)
Answer: B

Defender for Endpoint provides real-time protection against fileless malware.

Why this answer

Option B is correct because Microsoft Defender for Endpoint (now part of Defender XDR) provides real-time protection and integrates with Defender for Cloud. Option C is wrong because AMA is an agent, not a security solution. Option A is wrong because Microsoft Antimalware does not cover fileless malware.

Option D is wrong because Azure Security Center is the same as Defender for Cloud, not an endpoint protection solution.

167
MCQ · hard

A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to manage RDP connections to a critical jump-box virtual machine. The company has a CI/CD pipeline running on Azure DevOps agent pools that needs to periodically RDP into this VM to deploy software. The agent pool's source IP addresses are dynamic and change frequently. They want the pipeline to automatically request JIT access before each deployment without manual intervention. Which approach should they implement?

A. Use the Azure REST API with a managed identity assigned to the DevOps agent to request JIT access, specifying the agent's current source IP address
B. Create a JIT access rule in Defender for Cloud with a scheduled time window that matches the pipeline's deployment schedule
C. Configure a PowerShell script in the pipeline to modify the network security group (NSG) to allow the agent's IP during deployment
D. Assign a static public IP to the Azure DevOps agent and add that IP to the JIT allowed list permanently
Answer: A

The REST API endpoint for JIT allows programmatic requests. A managed identity on the agent (or virtual machine running the agent) provides secure authentication without secrets. The pipeline can fetch its current outbound IP and request JIT access for the required time.

Why this answer

Option A is correct because it uses the Azure REST API with a managed identity to dynamically request JIT VM access, specifying the agent's current source IP address. This approach allows the CI/CD pipeline to authenticate without secrets and automatically obtain time-bound RDP access, even though the agent's IP changes frequently. The managed identity provides secure, automated authentication to Azure Resource Manager, enabling the pipeline to call the JIT policy endpoint and grant access for the deployment duration.

Exam trap

The trap here is that candidates may think scheduled JIT rules (Option B) exist or that permanently whitelisting an IP (Option D) is acceptable, but Azure JIT is designed for dynamic, on-demand access requests, not static schedules or permanent allowances.

How to eliminate wrong answers

Option B is wrong because scheduled JIT access rules do not exist; JIT access is request-based and time-bound, not scheduled, and a fixed time window cannot accommodate dynamic IP changes or unpredictable deployment schedules. Option C is wrong because directly modifying the NSG bypasses Defender for Cloud's JIT access control, defeating the purpose of using JIT for security and auditability, and it would require additional permissions and manual cleanup. Option D is wrong because assigning a static public IP to the Azure DevOps agent is often impractical or impossible (agents may be in a dynamic pool or behind a NAT), and adding it permanently to the JIT allowed list eliminates the just-in-time security benefit, leaving the VM exposed continuously.

168
MCQ · medium

A security team uses Microsoft Defender for Cloud to monitor the security posture of a hybrid environment that includes on-premises servers connected via Azure Arc. They want to enable a vulnerability assessment solution that automatically scans all servers (both Azure VMs and on-premises Arc-enabled servers) for OS vulnerabilities. Which solution should they enable directly from Defender for Cloud?

A. Enable the integrated vulnerability assessment solution (Qualys) in Defender for Cloud
B. Enable Microsoft Defender for Endpoint and integrate it with Defender for Cloud
C. Configure Azure Update Management to assess missing patches
D. Use Azure Policy to deploy the Log Analytics agent and manually enable scanning
Answer: A

The built-in VA solution (Qualys) is available at no additional cost in Defender for Cloud. It can be deployed to both Azure VMs and Arc-enabled servers through the integration, providing automatic OS vulnerability scanning.

Why this answer

The integrated vulnerability assessment (VA) solution in Defender for Cloud, powered by Qualys, is the correct choice because it is a native, built-in capability that can be automatically enabled for both Azure VMs and Azure Arc-enabled on-premises servers. It requires no additional licensing or external configuration, and it automatically discovers and scans OS vulnerabilities without manual intervention, directly from the Defender for Cloud portal.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Endpoint's threat and vulnerability management (TVM) with a dedicated vulnerability assessment solution, but the question specifically asks for a solution that can be enabled directly from Defender for Cloud for automatic OS vulnerability scanning, which is the integrated Qualys-based VA solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint (MDE) is an endpoint detection and response (EDR) solution focused on threat detection and response, not a dedicated vulnerability assessment scanner; while MDE includes threat and vulnerability management (TVM), the question specifically asks for a solution that automatically scans for OS vulnerabilities directly from Defender for Cloud, and the integrated Qualys solution is the one that meets this requirement natively. Option C is wrong because Azure Update Management is designed to manage and deploy OS patches, not to assess vulnerabilities; it reports missing updates but does not perform vulnerability scanning or provide a vulnerability score. Option D is wrong because deploying the Log Analytics agent and manually enabling scanning is not a built-in vulnerability assessment solution; it requires custom configuration and does not provide the automated, integrated scanning that the Qualys-based solution offers directly from Defender for Cloud.

169
MCQ · medium

Your company has a Microsoft Sentinel workspace that ingests logs from multiple sources, including Azure Active Directory (now Microsoft Entra ID), Azure Firewall, and Microsoft 365 Defender. You are asked to create an analytics rule that detects when a user account is deleted from Microsoft Entra ID and then, within 24 hours, a large number of Azure resources are deleted in the same tenant. You have the following requirements:

- The rule must use KQL to correlate events across two tables: AuditLogs (for user deletion) and ActivityLogs (for resource deletion).
- The rule should trigger an incident only if more than 10 resources are deleted within 24 hours after the user deletion.
- The incident severity should be set to 'High'.
- The rule should run every hour and look back 24 hours.

Which of the following is the correct KQL query for the analytics rule? (Choose the best option.)

A.AuditLogs | where OperationName == 'Delete user' | extend DeletionTime = TimeGenerated | join kind=inner (ActivityLogs | where OperationName == 'Delete resource') on UserPrincipalName | where TimeGenerated between (DeletionTime .. DeletionTime + 24h) | summarize ResourceCount = count() by UserPrincipalName | where ResourceCount > 10
B.AuditLogs | where OperationName == 'Delete user' | join kind=inner (ActivityLogs) on $left.Caller == $right.Caller | where TimeGenerated < ActivityLogs_TimeGenerated and TimeGenerated + 24h > ActivityLogs_TimeGenerated | summarize ResourceCount = count() by UserPrincipalName | where ResourceCount > 10
C.AuditLogs | where OperationName == 'Delete user' | join kind=inner (ActivityLogs | where OperationName == 'Delete resource') on Caller | where TimeGenerated + 24h > ActivityLogs_TimeGenerated | summarize ResourceCount = count() by Caller | where ResourceCount > 10
D.let deletionTime = AuditLogs | where OperationName == 'Delete user' | project DeletionTime = TimeGenerated, UserPrincipalName; deletionTime | join kind=inner (ActivityLogs | where OperationName == 'Delete resource') on UserPrincipalName | where ActivityLogs_TimeGenerated between (DeletionTime .. DeletionTime + 24h) | summarize ResourceCount = count() by UserPrincipalName | where ResourceCount > 10
AnswerD

Correctly defines deletion time and joins with resource deletions within 24h.

Why this answer

Option B is correct because it uses 'let' to define the user deletion time, then joins with ActivityLogs to count resource deletions within 24 hours. Option A is wrong because it does not filter for resource deletion operations. Option C is wrong because it uses 'summarize' incorrectly.

Option D is wrong because it does not handle the time window correctly.
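A runnable form of the correlation described in this question, added here as an example and not part of the original question bank. It assumes Sentinel's AzureActivity table in place of the question's ActivityLogs, that the actor who deleted the user is found in AuditLogs as InitiatedBy.user.userPrincipalName and in AzureActivity as Caller, and that the hourly schedule, 24-hour lookback and High severity are set on the analytics rule rather than in the query.

```kql
// Added example: correlate an Entra ID user deletion with a burst of Azure
// resource deletions by the same actor within the following 24 hours.
// Table and column names are assumptions stated in the lead-in.
let window = 24h;
let threshold = 10;
let UserDeletions = AuditLogs
    | where OperationName == "Delete user" and Result == "success"
    // The actor who performed the deletion lives in the dynamic InitiatedBy column
    | extend Actor = tolower(tostring(InitiatedBy.user.userPrincipalName))
    | where isnotempty(Actor)
    | project DeletionTime = TimeGenerated, Actor,
              DeletedUser = tostring(TargetResources[0].userPrincipalName);
let ResourceDeletions = AzureActivity
    // Successful resource deletions, e.g. Microsoft.Compute/virtualMachines/delete
    | where OperationNameValue endswith "/delete"
    | where ActivityStatusValue in ("Success", "Succeeded")
    | project ResourceDeleteTime = TimeGenerated,
              Actor = tolower(Caller),
              ResourceId = tostring(_ResourceId);
UserDeletions
| join kind=inner ResourceDeletions on Actor
// Keep only resource deletions that fall inside the 24h window after the user deletion
| where ResourceDeleteTime between (DeletionTime .. (DeletionTime + window))
| summarize ResourceCount = dcount(ResourceId),
            FirstResourceDelete = min(ResourceDeleteTime),
            LastResourceDelete = max(ResourceDeleteTime),
            SampleResources = make_set(ResourceId, 5)
    by Actor, DeletedUser, DeletionTime
| where ResourceCount > threshold
| order by ResourceCount desc
```

Counting distinct resource IDs rather than rows avoids double-counting the Start/Success pairs that Azure Activity emits for a single deletion.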

170
MCQhard

You are the Azure Security Engineer for a financial services company. The company has a multi-tier application deployed on Azure Virtual Machines (VMs) in a hub-spoke network topology. The application consists of web servers, application servers, and database servers. The database servers run SQL Server on Windows Server 2022 and store sensitive financial data. Compliance requires that all data at rest be encrypted using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, all network traffic between tiers must be encrypted, and the database must be accessible only from the application servers. You have the following resources: a Key Vault with an HSM-backed key (key1) for disk encryption, and a Key Vault with a software-protected key (key2) for SQL Server TDE. Current configuration: The web servers are in subnet A, application servers in subnet B, and database servers in subnet C. Network Security Groups (NSGs) allow traffic from subnet B to subnet C on TCP 1433. The database servers are not using TDE. You need to implement the required security controls. What should you do first?

A.Enable Transparent Data Encryption (TDE) on the SQL Server instance using a service-managed key, then rotate to use key2 from Key Vault
B.Enable Azure Disk Encryption on the database VMs using key1 from the HSM-backed Key Vault
C.Configure SQL Server to use SQL authentication and create a login for the application servers
D.Implement Always Encrypted for the sensitive columns using key2 from Key Vault
AnswerA

TDE with customer-managed key meets the compliance requirement for data at rest encryption.

Why this answer

Option C is correct because to use customer-managed keys for SQL Server TDE, you must first enable TDE with a service-managed key, then switch to the customer-managed key stored in Key Vault. Option A is wrong because Azure Disk Encryption encrypts the OS disk, not SQL Server data files. Option B is wrong because enabling SQL authentication does not provide encryption.

Option D is wrong because Always Encrypted encrypts specific columns, not the entire database.

171
MCQmedium

Your organization uses Azure Storage for sensitive financial data. You need to restrict access to storage accounts based on the client's IP address. Which Azure Storage service feature should you configure?

A.Firewalls and virtual networks
B.Shared access signatures (SAS)
C.Azure Private Link
D.Azure AD role-based access control
AnswerA

Firewalls and virtual networks allow you to create IP rules to restrict access to storage accounts.

Why this answer

Firewalls and virtual networks allow you to restrict access to storage accounts based on IP rules. Option B is correct. Option A (SAS) is for delegated access, not IP restriction.

Option C (Private Link) is for private network access. Option D (Azure AD RBAC) controls data plane operations but not IP-level filtering.

172
MCQmedium

A team wants to automatically deploy Defender for Cloud settings across new subscriptions under a management group. Which Azure capability should they use?

A.Application security groups
B.Conditional Access templates
C.Sentinel workbooks
D.Azure Policy initiative assignment
AnswerD

Correct for the stated requirement.

Why this answer

Azure Policy initiative assignments allow you to bundle multiple policy definitions (such as those for Defender for Cloud) and assign them at the management group scope. This ensures that all new subscriptions under that management group automatically inherit and enforce the Defender for Cloud settings, including enabling security monitoring and threat detection. This is the correct approach because Azure Policy provides continuous compliance evaluation and remediation at scale across the entire resource hierarchy.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints or think that Defender for Cloud settings can only be configured per subscription manually, missing that Policy initiatives at the management group level provide automatic, scalable enforcement for new subscriptions.

How to eliminate wrong answers

Option A is wrong because Application security groups are used to group virtual machines and define network security rules based on those groups, not to deploy or enforce security settings across subscriptions. Option B is wrong because Conditional Access templates are part of Azure AD and control access to applications based on conditions like location or device state; they do not deploy Defender for Cloud settings. Option C is wrong because Sentinel workbooks are visualization tools for security data within Azure Sentinel, not a mechanism to automatically deploy or enforce security configurations across subscriptions.

173
MCQmedium

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication method that reduces password-related risks. The solution must support users signing in from unmanaged devices without installing any software. Which authentication method should you prioritize?

A.Windows Hello for Business
B.Certificate-based authentication (CBA)
C.FIDO2 security keys
D.Passwordless phone sign-in (Microsoft Authenticator)
AnswerD

Works on unmanaged devices with app installation.

Why this answer

Passwordless phone sign-in with Microsoft Authenticator is correct because it allows users to sign in from unmanaged devices without installing any additional software (the Authenticator app is already installed on their personal phone). It eliminates password risks by using a biometric or PIN gesture tied to a key stored on the device, and it works on any device with the Authenticator app, including unmanaged ones. This method supports the requirement of no software installation on the signing-in device itself, as the authentication happens via the phone.

Exam trap

The trap here is that candidates often choose FIDO2 security keys (Option C) because they are strongly passwordless, but they overlook the 'without installing any software' requirement—FIDO2 keys require a physical device and often driver support on the signing-in device, whereas phone sign-in uses a device the user already owns without any installation on the target machine.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business requires Windows 10/11 devices that are either joined to Entra ID or hybrid-joined, and it does not support unmanaged devices without domain join or registration. Option B is wrong because certificate-based authentication (CBA) requires certificates to be provisioned to the device, which typically involves device management (e.g., Intune) or manual installation, and it does not work on unmanaged devices without software or certificate enrollment. Option C is wrong because FIDO2 security keys require a physical USB or NFC key to be plugged into the signing-in device, which is not a 'no software' solution but rather a hardware dependency, and unmanaged devices may not support the necessary drivers or protocols.

174
MCQeasy

You need to back up Azure SQL Managed Instance databases to a separate region for disaster recovery. Which Azure service should you use?

A.Active geo-replication
B.Geo-redundant storage (GRS) for Azure Storage
C.Azure Site Recovery
D.Azure Backup with geo-redundant storage
AnswerD

Azure Backup provides geo-restore capability.

Why this answer

Option B is correct because Azure Backup supports long-term retention and geo-restore for SQL Managed Instance. Option A is wrong because active geo-replication is for continuous replication, not backup. Option C is wrong because Azure Site Recovery is for VM replication.

Option D is wrong because Azure Storage replication is for storage accounts, not SQL.

175
MCQhard

You executed the PowerShell script shown in the exhibit. What is the result?

A.All users are removed from the Global Administrator role
B.All users are added to the Global Administrator role
C.No users are added because of an error
D.Only users with the Global Administrator role are listed
AnswerB

The script iterates over all users and adds them to the Global Administrator role.

Why this answer

Option D is correct. The script adds all users with the @contoso.com suffix to the Global Administrator role, which is a security risk. Option A is wrong because the script does not remove any users.

Option B is wrong because it doesn't filter by role. Option C is wrong because it does add them.

176
MCQeasy

A company deploys multiple Azure virtual machines across several subnets in a virtual network. The VMs are grouped by application tiers: web, application, and database. The security team wants to apply network security group (NSG) rules that target all VMs in a specific tier, and they need a way to easily add or remove VMs from these groups without updating NSG rules. Which Azure feature should they use to define these logical VM groups?

A.Network security group (NSG) with multiple IP address ranges.
B.Application Security Group (ASG).
C.Azure Resource Manager tags.
D.Virtual Network peering.
AnswerB

ASGs enable you to define logical groups of VMs based on their function. You can reference an ASG in NSG rules, and as VMs are added or removed from the ASG, the rule applies to the current members automatically.

Why this answer

Application Security Groups (ASGs) allow you to group VMs logically by application tier (e.g., web, application, database) without relying on IP addresses or subnet boundaries. NSG rules can reference ASGs as source or destination, so adding or removing a VM from an ASG automatically updates the effective security policy without modifying the NSG rules themselves.

Exam trap

The trap here is that candidates often confuse Azure Resource Manager tags with ASGs, thinking tags can be used in NSG rules, but NSG rules only support IP addresses, service tags, and application security groups, not tags.

How to eliminate wrong answers

Option A is wrong because NSGs with multiple IP address ranges require manual updates to the IP list whenever VMs are added or removed, which does not provide the dynamic, logical grouping the scenario requires. Option C is wrong because Azure Resource Manager tags are metadata labels that cannot be directly referenced in NSG rules; they are used for resource organization, cost tracking, and policy enforcement, not for defining network security group membership. Option D is wrong because Virtual Network peering connects separate virtual networks at the network layer and does not create logical groups of VMs within a single VNet or across subnets.

177
MCQhard

You are the security engineer for a financial services company that has multiple Azure subscriptions. The company uses Azure Virtual WAN with a secured hub containing Azure Firewall. Recently, the compliance team identified that traffic between two spoke virtual networks (SpokeA and SpokeB) is bypassing the firewall. Investigation shows that SpokeA and SpokeB are directly peered and have not been routed through the hub. The requirement is that all inter-spoke traffic must be inspected by Azure Firewall. You need to enforce this without disrupting existing applications. Also, the company uses Azure Firewall Manager for policy management and wants to use Azure Policy to prevent future direct peering. What should you do first?

A.Remove the VNet peering between SpokeA and SpokeB.
B.Disable 'Use remote virtual network gateways' on both spokes.
C.Create an Azure Policy to deny VNet peering between spokes.
D.Add a user-defined route in SpokeA and SpokeB pointing to the Azure Firewall for inter-spoke traffic.
AnswerA

Removing peering forces traffic through the Virtual WAN hub and firewall.

Why this answer

Option B is correct because the immediate issue is the direct peering bypassing the firewall. Removing the peering forces traffic to go through the hub via Virtual WAN routing. Option A is wrong because a UDR would not override the peering.

Option C is wrong because Azure Policy prevents future peering but does not fix existing. Option D is wrong because disabling routing would break connectivity.

178
Multi-Selecteasy

Which TWO of the following are supported ways to connect an on-premises network to Azure?

Select 2 answers
A.Azure Bastion
B.Azure ExpressRoute
C.Point-to-Site VPN
D.Site-to-Site VPN
E.Azure Front Door
AnswersB, D

Dedicated private connection.

Why this answer

Azure ExpressRoute (B) is correct because it provides a dedicated, private connection from an on-premises network to Azure, bypassing the public internet for enhanced reliability, lower latency, and higher security. Site-to-Site VPN (D) is correct because it uses IPsec/IKE to create an encrypted tunnel over the internet between an on-premises VPN device and an Azure VPN gateway, enabling secure hybrid connectivity. Both are explicitly supported methods for connecting on-premises networks to Azure.

Exam trap

The trap here is confusing Azure Bastion (a secure access service for VMs) with a network connectivity solution, or assuming Point-to-Site VPN can connect an entire on-premises network when it only supports individual client connections.

179
MCQmedium

Your organization runs a critical application on Azure Virtual Machines (VMs) that processes credit card transactions. Compliance with PCI DSS requires that all cardholder data be encrypted at rest and that the encryption keys be stored in a FIPS 140-2 Level 3 validated hardware security module (HSM). You have chosen to use Azure Disk Encryption with customer-managed keys stored in Azure Key Vault Managed HSM. During a security review, you discover that the VMs are using unmanaged disks. You need to migrate them to managed disks without downtime and ensure that encryption is applied. You also need to maintain the existing encryption keys and ensure that the encryption set is in the same region as the VMs. What should you do?

A.Copy the unmanaged disks to managed disks using AzCopy and then attach them to the VM while it is running.
B.Stop the VM, convert the unmanaged disks to managed disks using Azure CLI, then enable Azure Disk Encryption with the existing DES.
C.Create a new VM with managed disks, attach the unmanaged disks as data disks, and enable Azure Disk Encryption with the existing DES.
D.Take a backup of the VMs using Azure Backup, restore them to managed disks, and enable encryption with a new DES.
AnswerB

Conversion requires the VM to be stopped; after conversion, you can enable encryption with the DES.

Why this answer

Azure Disk Encryption with managed disks requires a Disk Encryption Set (DES) that references the key in the HSM. You can convert unmanaged disks to managed disks by stopping the VM and using Azure CLI or PowerShell, then attaching the managed disk. To avoid downtime, you should perform the conversion during a maintenance window.

Ensure the DES is in the same region as the VM. Option B is correct. Option A is incorrect because you cannot directly use Azure Disk Encryption on unmanaged disks with a DES; you must convert to managed disks first.

Option C is incorrect because Azure Backup does not help with disk type conversion. Option D is incorrect because copying disks would create duplicates and require reconfiguration.

180
MCQhard

Your company has a Microsoft Sentinel workspace that ingests logs from Azure AD, Azure Activity, and Azure Firewall. You are investigating an incident where an attacker gained access to a user's credentials and logged in from an unusual location. The sign-in log shows that the user passed MFA. You suspect that the attacker might have used a phishing attack to bypass MFA. Which Microsoft 365 Defender feature should you enable to detect such attacks?

A.Microsoft Defender for Office 365's anti-phishing policies.
B.Microsoft Entra Conditional Access policies with session control.
C.Microsoft Entra Identity Protection with user risk policy.
D.Microsoft 365 Defender's Attack simulation training.
AnswerD

Attack simulation training allows testing user susceptibility to phishing.

Why this answer

Option D is correct because 'Attack simulation training' in Microsoft 365 Defender allows you to simulate phishing attacks and identify users who are vulnerable. Option A is wrong because 'Conditional Access policies' are for enforcing MFA, not detecting phishing. Option B is wrong because 'Identity Protection' detects risky sign-ins but does not simulate attacks.

Option C is wrong because 'Microsoft Defender for Office 365' includes anti-phishing but not simulation.

181
Multi-Selectmedium

A company has an Azure SQL Database server. They want to allow an Azure Function with a system-assigned managed identity to access the database by using Azure Active Directory (Azure AD) authentication. Which two configurations are required to grant this access? (Choose two.)

Select 2 answers
A.Assign the managed identity the 'db_datareader' role in the database.
B.Create a contained database user for the managed identity in the SQL database.
C.Add the managed identity as an Azure AD admin for the SQL server.
D.Enable Azure AD-only authentication on the SQL server.
AnswersA, B

This grants the necessary read permissions to the managed identity within the database.

Why this answer

Option A is correct because assigning the managed identity the 'db_datareader' role in the database grants it read permissions on all tables and views, which is a common requirement for an Azure Function accessing data. Option B is correct because a contained database user must be created for the managed identity in the SQL database, mapping the Azure AD identity to a database principal that can be granted permissions. Without this contained user, the managed identity cannot authenticate to the database via Azure AD.

Exam trap

The trap here is that candidates often confuse server-level Azure AD admin assignment (Option C) with the necessary database-level contained user creation, assuming admin rights are required for any Azure AD authentication, when in fact a contained user with minimal roles is sufficient and more secure.

182
MCQmedium

A company stores sensitive job processing messages in Azure Queue Storage. They have a web application running on an Azure virtual machine in a VNet that reads and writes to the queue. The security team requires that only the web application's VM can access the queue, and all access from the public internet must be blocked. Which configuration should they implement?

A.Configure a service endpoint for Azure Storage on the VNet subnet and add a firewall rule allowing the VNet.
B.Deploy a private endpoint for the storage account in the same VNet and disable public network access on the storage account.
C.Route all traffic from the VNet through an Azure Firewall and create a NAT rule to the storage account.
D.Generate a shared access signature (SAS) token with narrow permissions and require the web app to use that token.
AnswerB

Correct. A private endpoint gives the storage account a private IP in the VNet. Disabling public network access ensures that only traffic via the private endpoint is allowed, blocking all internet traffic.

Why this answer

Option B is correct because deploying a private endpoint for the storage account in the same VNet assigns the storage account a private IP from the VNet, effectively bringing the service into the VNet. Disabling public network access then ensures that all traffic to the queue must traverse the private endpoint, blocking any public internet access. This meets the requirement that only the web application's VM can access the queue, as the private endpoint is accessible only from within that VNet.

Exam trap

The trap here is that candidates often confuse service endpoints (which only extend VNet identity but leave the public endpoint exposed) with private endpoints (which fully remove public exposure), leading them to choose option A instead of B.

How to eliminate wrong answers

Option A is wrong because a service endpoint for Azure Storage on the VNet subnet only extends the VNet identity to the storage account but does not remove the public endpoint; the storage account remains accessible from the public internet unless additional firewall rules explicitly block all other traffic, which is not specified. Option C is wrong because routing traffic through an Azure Firewall with a NAT rule does not inherently block public internet access to the storage account; the storage account's public endpoint would still be reachable from the internet, and the NAT rule only translates traffic and does not restrict the source. Option D is wrong because a shared access signature (SAS) token with narrow permissions does not restrict network-level access; the storage account's public endpoint remains accessible from the internet, and any client with the SAS token (including potentially malicious actors) could access the queue from anywhere.

183
MCQhard

Your company uses Microsoft Entra ID with a third-party identity provider (IdP) for federation. Users report that sometimes they are unable to sign in even though the IdP is healthy. You suspect the issue is related to token signing certificate rotation. What should you do to resolve this proactively?

A.Download the new certificate from the IdP and upload it to Microsoft Entra ID manually.
B.Configure automatic certificate rollover in Microsoft Entra ID by enabling 'Federation certificate management' and using Graph API to sync changes.
C.Set up alerts for sign-in failures and manually update the certificate when alerted.
D.Switch to pass-through authentication to bypass federation.
AnswerB

Automation ensures that certificate changes are propagated without manual intervention.

Why this answer

Option B is correct because Microsoft Entra ID supports automatic certificate rollover for federated domains when the third-party IdP publishes updated token-signing certificates via a federation metadata endpoint. By enabling 'Federation certificate management' and using the Microsoft Graph API to sync changes, Entra ID can automatically detect and apply new certificates before the old ones expire, preventing sign-in disruptions without manual intervention.

Exam trap

The trap here is that candidates often assume manual certificate upload (Option A) is the only reliable method, overlooking Entra ID's built-in automatic rollover capability that leverages the federation metadata endpoint for proactive, zero-touch certificate management.

How to eliminate wrong answers

Option A is wrong because manually downloading and uploading the new certificate is reactive and error-prone; it does not proactively prevent outages and contradicts the goal of automated certificate rotation. Option C is wrong because setting up alerts for sign-in failures and manually updating the certificate is a reactive approach that still allows users to experience downtime before the manual update occurs. Option D is wrong because switching to pass-through authentication bypasses federation entirely, which is an architectural change that may not be desired or feasible, and does not address the root cause of certificate rotation issues.

184
MCQmedium

You are a security administrator for a healthcare organization that uses Microsoft Entra ID and Microsoft 365. The organization must comply with HIPAA regulations, which require that access to protected health information (PHI) is logged and monitored. You need to configure access reviews for all users who have access to SharePoint Online sites containing PHI. The reviews must occur quarterly and be assigned to the respective site owners. Additionally, you need to ensure that inactive guest accounts are automatically removed after 90 days of inactivity. Which actions should you take?

A.Enable Microsoft Entra ID Protection to automatically block guest accounts after 90 days of inactivity. Create manual access reviews for each site using PowerShell.
B.Use Microsoft Purview to create an auto-labeling policy for PHI data. Assign site owners as reviewers and manually remove inactive guests.
C.Create an access review for the security group containing users with access to PHI sites. Assign reviewers as group owners (site owners). Set frequency to quarterly. Configure external collaboration settings to automatically remove guest accounts that have not signed in for 90 days.
D.Create a PIM access review for the SharePoint administrator role. Set frequency to quarterly. Configure Microsoft Entra ID to automatically delete guest accounts after 90 days of inactivity.
AnswerC

Access reviews for groups allow site owners to review access. Inactive guest removal is configured in external settings.

Why this answer

Option A is correct because access reviews can be configured for groups and applications, assigned to site owners, and set to quarterly frequency. Inactive guest cleanup is configured in Entra ID external settings. Option B is wrong because PIM access reviews are for privileged roles, not general access to SharePoint sites.

Option C is wrong because Identity Protection does not manage access reviews. Option D is wrong because manual removal of guests is not automated and does not scale.

185
MCQhard

Your company, Contoso Ltd., has a hybrid environment with 500 on-premises Windows servers and 200 Azure VMs. The Azure VMs are spread across multiple subscriptions. You need to implement a centralized security monitoring solution using Microsoft Sentinel. The requirements are:
- Collect security events from all on-premises servers.
- Collect Azure activity logs and VM logs from all Azure subscriptions.
- Detect and respond to threats using built-in and custom analytics.
- Automatically remediate common threats such as disabling compromised user accounts.
- Ensure compliance with regulatory standards (e.g., NIST 800-53).
- Minimize administrative overhead and cost.
What should you do?

A.Install Microsoft Monitoring Agent on on-premises servers and connect to a Log Analytics workspace. Enable Sentinel. Use Azure Automation runbooks for remediation.
B.Enable Microsoft Defender for Cloud on all subscriptions and install Defender for Endpoint on all servers. Forward logs to a third-party SIEM.
C.Create a Log Analytics workspace and enable Sentinel on the Free tier. Use KQL queries for detection and manual remediation.
D.Deploy Azure Arc on all on-premises servers. Use Azure Monitor Agent with Data Collection Rules to collect security events. Enable Microsoft Sentinel on a Log Analytics workspace. Configure analytics rules and automation rules with playbooks for remediation.
AnswerD

Azure Arc extends Azure management to on-premises; Azure Monitor Agent is the current standard; Sentinel provides analytics and automation.

Why this answer

Option A is correct because it meets all requirements: deploy Azure Arc agent for on-premises servers to enable Azure Monitor Agent, use DCRs to collect logs, enable Sentinel analytics, and use automation rules with playbooks for remediation. Option B is wrong because legacy MMA is deprecated and doesn't support DCRs; also, Azure Automation runbooks are more complex than playbooks. Option C is wrong because enabling Defender for Cloud on all subscriptions is expensive and doesn't provide the same analytics as Sentinel.

Option D is wrong because the Sentinel Free tier has limited features and no automation.

186
MCQmedium

You are a security engineer for a large enterprise using Microsoft Sentinel. You have multiple workspaces deployed across different Azure regions to meet data residency requirements. You need to query data across all workspaces from a single query. You have set up a workspace as the 'central' workspace for cross-workspace queries. The central workspace has the necessary permissions to access the other workspaces. Which KQL operator should you use to include data from other workspaces in your query?

A.where
B.union
C.join
D.project
AnswerB

The union operator allows you to combine tables from multiple workspaces using workspace('...').

Why this answer

The 'union' operator can be used with a workspace expression to combine data from multiple workspaces. Option A is correct. Option B is for joining tables.

Option C is for filtering. Option D is for creating subsets.
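A cross-workspace query of the kind this question describes, added here as an example and not part of the original question bank. The two regional workspace names are placeholders; the query is run from the central workspace, whose own SigninLogs table is referenced without a workspace() prefix.

```kql
// Added example: union the central workspace's SigninLogs with the same table
// in two regional workspaces (placeholder names) and count failed sign-ins per
// user across all of them. isfuzzy=true lets the query run even if one
// workspace is unreachable or does not contain the table.
union isfuzzy=true
    SigninLogs,
    workspace("sentinel-eu-placeholder").SigninLogs,
    workspace("sentinel-us-placeholder").SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"          // ResultType "0" is a successful sign-in
// TenantId in a Log Analytics row is the workspace ID, so it identifies the source workspace
| summarize FailedSignins = count(),
            SourceWorkspaces = dcount(TenantId),
            Locations = make_set(Location, 10)
    by UserPrincipalName
| where FailedSignins > 20
| order by FailedSignins desc
```

The identity running the query needs read access (for example Log Analytics Reader) on every workspace named in a workspace() expression; otherwise that branch returns nothing, and without isfuzzy=true the whole query fails.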

187
MCQeasy

A company has an Azure virtual network with a subnet that hosts a public web application. They want to allow inbound HTTPS traffic (port 443) only from the source IP range 203.0.113.0/24, and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required in the NSG to achieve this?

A.0 (no additional rules needed because the default rules block all inbound traffic)
B.1
C.2 (one allow rule for HTTPS and one deny rule for all other traffic)
D.3 (one allow HTTPS, one allow for Azure Load Balancer health probes, and one deny all)
AnswerB

One allow rule for HTTPS from the specific IP range is sufficient. The default deny rule blocks all other traffic automatically.

Why this answer

Option B is correct because NSGs include default inbound rules that already block all inbound traffic not explicitly allowed. By adding a single inbound rule to allow HTTPS (port 443) from the source IP range 203.0.113.0/24, all other inbound traffic is implicitly denied by the default deny-all rule (rule 65000). No explicit deny rule is needed, and no additional rules for Azure Load Balancer health probes are required unless the application is behind a load balancer, which is not specified in the scenario.

Exam trap

The trap here is that candidates often think they need an explicit deny rule to block all other traffic, forgetting that NSGs have a built-in default deny-all rule that automatically handles this.

How to eliminate wrong answers

Option A is wrong because default rules do not block all inbound traffic; they allow traffic within the virtual network and from Azure load balancers, so additional rules are needed to restrict access to only the specified IP range. Option C is wrong because an explicit deny rule is unnecessary; the default deny-all rule (priority 65000) already blocks all traffic not matched by a higher-priority allow rule. Option D is wrong because Azure Load Balancer health probes are only relevant if a load balancer is used, and the scenario does not mention one; adding such a rule would be unnecessary and not the minimum.

188
Multi-Selectmedium

Which TWO of the following are methods to enforce MFA in Microsoft Entra ID?

Select 2 answers
A.Identity Protection user risk policy
B.Password Protection
C.Security defaults
D.Conditional Access policy
E.Self-service password reset
AnswersC, D

Security defaults enforce MFA for all users.

Why this answer

Security defaults (Option C) is a method to enforce MFA because it automatically enables MFA for all users in a tenant, along with other baseline security policies, without requiring additional configuration. Conditional Access policy (Option D) is a method to enforce MFA because it allows granular, policy-driven MFA requirements based on conditions such as user, location, device state, or risk level, using the Microsoft Entra ID Conditional Access engine.

Exam trap

The trap here is that candidates often confuse Identity Protection user risk policy (Option A) as a direct MFA enforcement method, but it only detects risk and requires a Conditional Access policy to actually enforce MFA as a control.

189
MCQmedium

An organization uses Microsoft Defender for Cloud. They want to allow specific administrators to temporarily open RDP (port 3389) to a virtual machine only when needed, and for a limited time, while minimizing management overhead. Which Defender for Cloud feature should they use?

A.Azure Bastion
B.Just-in-time (JIT) VM access
C.Azure AD Privileged Identity Management (PIM)
D.Network Security Groups (NSGs)
AnswerB

JIT VM access allows you to request time-limited access to VMs via NSG rules, meeting the requirement.

Why this answer

Just-in-time (JIT) VM access in Microsoft Defender for Cloud allows administrators to temporarily open RDP (port 3389) to a virtual machine for a limited time, reducing exposure to brute-force attacks. It integrates with Azure Network Security Groups (NSGs) and Azure Firewall to automatically lock down inbound traffic when not in use, minimizing management overhead by eliminating the need for manual NSG rule changes.

Exam trap

The trap here is that candidates confuse Azure Bastion (persistent secure access) with JIT (time-limited port opening), or mistakenly think PIM controls network access rather than role activation.

How to eliminate wrong answers

Option A is wrong because Azure Bastion provides persistent, secure RDP/SSH access via TLS over the Azure portal without exposing public IPs, but it does not offer time-limited, on-demand port opening; it is always available once deployed. Option C is wrong because Azure AD Privileged Identity Management (PIM) manages just-in-time activation of Azure AD roles and Azure resource roles (e.g., Contributor), not network-level port access to VMs. Option D is wrong because Network Security Groups (NSGs) are the underlying mechanism to allow or deny traffic, but they require manual rule creation and removal, which increases management overhead and does not provide automated, time-limited access.

190
MCQhard

Your organization uses Microsoft Entra ID to manage access for employees and partners. You need to implement a solution that allows partners to self-service request access to specific applications, with approval from their manager, and access expires after 30 days. Which feature should you use?

A.Entitlement Management access packages
B.Azure AD B2B collaboration
C.Privileged Identity Management (PIM)
D.Conditional Access with session restrictions
AnswerA

Provides self-service access with approval and expiration.

Why this answer

Entitlement Management access packages are designed to allow external partners to request access to specific applications through a self-service portal. The feature supports approval workflows (e.g., manager approval) and automatically enforces time-bound access, such as a 30-day expiration. This directly matches the requirement for partner self-service with approval and expiration.

Exam trap

The trap here is that candidates often confuse Azure AD B2B collaboration (which handles identity provisioning) with Entitlement Management (which handles the full lifecycle of access requests, approvals, and expiration), leading them to pick B2B collaboration as the answer.

How to eliminate wrong answers

Option B (Azure AD B2B collaboration) is wrong because it only provides the mechanism to invite external users into the tenant and assign them access, but it does not include built-in self-service request workflows, approval processes, or automatic expiration policies. Option C (Privileged Identity Management (PIM)) is wrong because it is focused on just-in-time privileged role activation for administrators and does not handle self-service access requests for non-privileged applications or partner scenarios. Option D (Conditional Access with session restrictions) is wrong because it enforces access policies (e.g., session timeouts) on already authenticated users, but it does not provide any self-service request, approval, or expiration lifecycle management for partner access.

191
MCQeasy

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory. Which two data connectors are necessary to collect sign-in logs and audit logs?

A.Azure Activity and Azure Active Directory Audit logs
B.Office 365 and Azure Active Directory Sign-in logs
C.Azure Active Directory Sign-in logs and Azure Active Directory Audit logs
D.Security Events and Azure Active Directory Sign-in logs
AnswerC

These two connectors cover the required log types.

Why this answer

Option C is correct because collecting Azure Active Directory logs requires two connectors: one for Sign-in logs and one for Audit logs. Option B is wrong because the Office 365 connector does not include Azure AD logs. Option A is wrong because the Azure Activity connector is for Azure subscription management logs.

Option D is wrong because the Security Events connector is for VMs.

192
Multi-Selectmedium

Your company is implementing an Azure AD B2B collaboration strategy for external partners. Which three of the following statements about Azure AD B2B collaboration are correct? (Choose three.)

Select 3 answers
A.External users can use their own Azure AD or Microsoft account to sign in
B.External users are represented as guest users in the tenant directory
C.Conditional Access policies can be applied to guest users
D.Azure AD B2B collaboration requires an Azure AD Premium P2 license for each guest user
E.Guest users cannot access SharePoint Online sites
F.External users must have an Azure AD tenant in their own organization

Why this answer

Azure AD B2B collaboration allows external users to sign in using their own Azure AD, Microsoft account (e.g., Outlook.com), or other identity providers (e.g., Google, SAML/WS-Fed IdPs). These users are represented as guest user objects in the tenant directory, which enables them to be managed like internal users. Conditional Access policies can be applied to guest users at the tenant or application level, allowing organizations to enforce MFA, device compliance, or sign-in risk policies for external collaborators.

Exam trap

The trap here is that candidates often assume Azure AD B2B collaboration requires each guest user to have an Azure AD Premium license or their own Azure AD tenant, but in reality, Azure AD B2B is free for guest users and supports a wide range of identity providers beyond Azure AD.

193
MCQhard

A security operations team uses Microsoft Sentinel to monitor sign-in logs. They receive frequent false positive alerts for 'Anonymous IP address sign-in' from a specific external IP range used by a trusted partner. The analysts want to suppress these alerts without reducing detection coverage. What is the most efficient approach?

A.Add the trusted IP range to a watchlist and reference it in the analytics rule query
B.Use an automation rule to close the incidents automatically
C.Create an alert suppression rule for the specific IP range in the analytics rule
D.Disable the analytics rule that generates the alert
AnswerC

Alert suppression rules allow filtering out specific entities (e.g., IPs) from triggering alerts while retaining detection.

Why this answer

Option C is correct because creating an alert suppression rule in Microsoft Sentinel allows analysts to suppress alerts from specific IP ranges without modifying the underlying analytics rule. Option D is wrong because disabling the analytics rule removes detection entirely. Option A is wrong because watchlists are used for correlation, not suppression.

Option B is wrong because automation rules can run actions but not suppress alerts directly; suppression is a built-in feature of analytics rules.

194
Drag & Dropmedium

Drag and drop the steps to implement Azure AD Identity Protection to detect risky sign-ins into the correct order.

Why this order

Identity Protection policies are configured under Security, with user risk policy settings.

195
MCQhard

Refer to the exhibit. The JSON shows an Azure Policy initiative assignment. You have a subnet that needs to allow private endpoints. You created a Private Endpoint but it fails to provision. What is the most likely reason?

A.The Private Endpoint requires a service endpoint to be configured
B.The subnet's privateEndpointNetworkPolicies property is set to 'Enabled' (default)
C.The policy is disabled
D.The policy is not assigned to the correct subscription
AnswerB

The policy mandates 'Disabled'; if it's 'Enabled', the policy denies the private endpoint creation.

Why this answer

Option B is correct because the policy requires that the subnet's 'privateEndpointNetworkPolicies' property is set to 'Disabled'; if it is not, the policy in 'Prevent' mode denies the creation of the private endpoint. Option D is wrong because the policy applies to virtual networks, not just to the subscription level. Option A is wrong because the policy does not specify a service endpoint.

Option C is wrong because the policy is enabled.

196
MCQmedium

A company has enabled Microsoft Defender for Cloud on all subscriptions. The security team wants to ensure that all virtual machines have vulnerability assessment solutions installed. What should they configure?

A.Enable Azure Update Management for all VMs
B.Enable the Vulnerability Assessment solution in Defender for Cloud and set it to 'On'
C.Create an Azure Policy to audit VMs without vulnerability assessment
D.Use Azure Automation to run a script that installs a vulnerability scanner
AnswerB

Defender for Cloud can auto-provision vulnerability assessment on supported VMs.

Why this answer

Option B is correct because Defender for Cloud's Vulnerability Assessment solution can be enforced via policy to auto-install on VMs. Option C is wrong because an Azure Policy can audit compliance but does not automatically install the solution. Option A is wrong because Azure Update Management is for OS updates, not vulnerability assessment.

Option D is wrong because Azure Automation can run scripts but is not the recommended Defender solution.

197
MCQeasy

You need to ensure that all Azure storage accounts in your subscription are encrypted at rest using customer-managed keys (CMK). Which Azure Policy initiative should you assign to audit compliance?

A.NIST SP 800-53 Rev. 5
B.Azure Security Benchmark
C.ISO 27001:2013
D.CIS Microsoft Azure Foundations Benchmark
AnswerB

Azure Security Benchmark includes policy to audit storage accounts using CMK.

Why this answer

Option B is correct because Azure Security Benchmark includes a policy to audit storage accounts for CMK encryption. Option C is wrong because ISO 27001 doesn't specifically cover CMK. Option A is wrong because NIST SP 800-53 doesn't have a direct CMK audit policy.

Option D is wrong because CIS Microsoft Azure Foundations Benchmark has a different scope.

198
MCQhard

Refer to the exhibit. You are reviewing user sign-in activity using Microsoft Graph API. The user has not performed an interactive sign-in since December 1, but had a non-interactive sign-in on December 5. You need to determine if the user should be considered inactive for a policy that defines inactivity as no interactive sign-in for 30 days. Today is December 15. What should you do?

A.Check if the user has any sign-in in the last 30 days; since there is a non-interactive sign-in, the user is active.
B.Use the lastNonInteractiveSignInDateTime as the last sign-in time, so the user is not inactive.
C.Use the lastSignInDateTime of December 1, which is only 14 days ago, so the user is not inactive.
D.The user is inactive because the account is enabled but there is no interactive sign-in in the last 30 days.
AnswerC

The policy uses interactive sign-ins, and 14 days < 30 days.

Why this answer

Option C is correct because the policy defines inactivity as no interactive sign-in for 30 days. The user's last interactive sign-in was on December 1, which is only 14 days ago as of December 15, so the user is not inactive. Microsoft Graph API's lastSignInDateTime property specifically tracks interactive sign-ins, while non-interactive sign-ins are tracked separately via lastNonInteractiveSignInDateTime and do not reset the interactive inactivity timer.

Exam trap

The trap here is that candidates confuse 'any sign-in' with 'interactive sign-in' and incorrectly assume non-interactive sign-ins reset the inactivity timer, when the policy explicitly specifies only interactive sign-ins count.

How to eliminate wrong answers

Option A is wrong because the policy explicitly defines inactivity based on interactive sign-ins, not any sign-in; non-interactive sign-ins (e.g., token refreshes, service-to-service calls) do not count toward the interactive inactivity threshold. Option B is wrong because lastNonInteractiveSignInDateTime is irrelevant for a policy that only considers interactive sign-ins; using it would incorrectly treat the user as active when they have not performed an interactive sign-in for 30 days. Option D is wrong because the user is not inactive—the last interactive sign-in was only 14 days ago, which is within the 30-day window, so the account being enabled does not change the inactivity status.

199
MCQmedium

A company is deploying Azure Virtual Machines for a batch processing workload. The VMs process highly sensitive data and must ensure that the data on the OS and data disks is encrypted using a customer-managed key stored in Azure Key Vault. Which encryption option meets the requirement?

A.Encryption at host
B.Azure Storage Service Encryption
C.Server-side encryption (SSE) with customer-managed keys
D.Azure Disk Encryption (ADE)
AnswerD

ADE encrypts the OS and data disks using BitLocker/DM-Crypt and integrates with Key Vault for key management.

Why this answer

Option D is correct: Azure Disk Encryption (ADE) uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt OS and data disks with keys managed in Key Vault. Option C (SSE with CMK) encrypts managed disks at the storage layer but not from within the guest OS.

Option A (encryption at host) encrypts temp disks and caches but not the guest OS. Option B (Azure Storage Service Encryption) is the same as SSE.

200
MCQhard

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). You need to investigate a possible insider threat where a user is accessing sensitive data from unusual locations. Which Sentinel feature should you use to visualize the user's activities and related entities?

A.Hunting queries
B.UEBA investigation insights and entity pages
C.Analytics rules
D.Workbooks
AnswerB

Correct: UEBA provides entity pages with timelines and related entities.

Why this answer

Option B is correct because UEBA provides investigation insights and entity pages that show user activities and related entities. Option D is wrong because Workbooks are for custom dashboards. Option A is wrong because Hunting queries are for proactive searches.

Option C is wrong because Analytics rules are for alert creation.

201
MCQmedium

You have an Azure subscription with multiple VNets connected via VNet peering. You need to ensure that traffic between VNets is encrypted. What should you do?

A.Configure Azure Firewall to enforce encryption.
B.Apply NSGs to block unencrypted traffic.
C.No additional configuration is needed; VNet peering traffic is encrypted by default.
D.Deploy a VPN gateway in each VNet and configure site-to-site VPN connections.
AnswerC

Microsoft backbone encrypts all VNet peering traffic.

Why this answer

Option C is correct because VNet peering traffic over the Microsoft backbone is encrypted by default using MACsec. Option D is wrong because VPN gateways are not needed for VNet peering. Option B is wrong because NSGs do not encrypt traffic.

Option A is wrong because Azure Firewall does not encrypt traffic between VNets.

202
MCQmedium

A company is enabling Azure Disk Encryption (ADE) on Windows virtual machines. They have enabled soft-delete on Azure Key Vault and configured a Key Encryption Key (KEK). However, the disk encryption fails with an error indicating that the key vault does not have the required permissions. What is the most likely missing configuration?

A.The Key Vault access policy does not grant the Azure Disk Encryption service principal the 'unwrap key' and 'wrap key' permissions.
B.The Key Vault firewall is blocking the Azure platform.
C.The VM does not have a managed identity assigned.
D.The KEK is in a different Azure region than the VM.
AnswerA

Correct. ADE requires the Azure Disk Encryption service principal to have these permissions to wrap and unwrap the disk encryption key using the KEK.

Why this answer

Azure Disk Encryption (ADE) requires the Azure Disk Encryption service principal (also known as the Azure Disk Encryption service) to have 'unwrap key' and 'wrap key' permissions on the Key Vault. These permissions allow the service to encrypt and decrypt the disk encryption keys using the Key Encryption Key (KEK). Without these specific cryptographic permissions, the encryption operation fails, even if soft-delete and a KEK are correctly configured.

Exam trap

The trap here is that candidates often confuse the required permissions for ADE with general Key Vault access policies (e.g., 'get' and 'list') or mistakenly think a managed identity or firewall configuration is the root cause, rather than recognizing the need for explicit 'wrap key' and 'unwrap key' permissions for the Azure Disk Encryption service principal.

How to eliminate wrong answers

Option B is wrong because the Key Vault firewall, if enabled, would block external access, but the error message specifically indicates a permissions issue, not a network connectivity problem. Option C is wrong because a managed identity is not required for ADE on Windows VMs; ADE uses the Azure Disk Encryption service principal, not the VM's identity, to access the Key Vault. Option D is wrong because the KEK can be in a different region than the VM; ADE supports cross-region key references as long as the Key Vault is in the same Azure subscription and the service principal has the required permissions.

203
MCQmedium

Your company uses Azure Managed Disks for VMs running a production database. The disks are encrypted with Azure Disk Encryption (ADE) using Azure Key Vault. Security policy requires that all encryption keys be rotated every 90 days. You have automated key rotation in Key Vault. However, after rotating the key, you find that the disks are still using the old key. You need to ensure that the disks use the new key after rotation. What should you do?

A.Disable encryption on the VM, then re-enable ADE specifying the new key version.
B.Delete the old key version from Key Vault to force the disk to use the new key.
C.No action is needed; ADE automatically re-encrypts disks with the new key after rotation.
D.Update the disk encryption set to reference the new key version; the disk will automatically use it.
AnswerA

Re-enabling encryption forces the disk to be re-encrypted with the new key.

Why this answer

Option A is correct: ADE does not automatically re-encrypt disks after key rotation. You must disable encryption on the VM and then re-enable it with the new key version to force re-encryption. Option C is wrong because ADE does not support automatic re-encryption.

Option B is wrong because deleting the old key version would break the VM. Option D is wrong because updating the disk encryption set only affects new disks, not existing ones.

204
MCQmedium

A company uses Azure Bastion to provide secure RDP and SSH access to Azure VMs without public IPs. Recently, a security audit recommended logging all connections to Bastion. What should you enable?

A.Azure Monitor alerts for Bastion resource health
B.Azure Activity Logs for the Bastion resource
C.Network Security Group flow logs on the subnet containing Bastion
D.Diagnostic settings on the Bastion resource to stream Bastion logs to a Log Analytics workspace
AnswerD

Diagnostic settings enable collection of Bastion diagnostic logs, including connection events.

Why this answer

Azure Bastion integrates with Azure Diagnostic Logs to capture connection logs. Enabling diagnostic settings on the Bastion resource sends logs to a Log Analytics workspace, Storage account, or Event Hub.

205
MCQhard

Your organization uses Azure Front Door (AFD) with WAF policy to protect a web application. Recently, a DDoS attack targeted the application endpoint. You need to mitigate the attack while minimizing latency for legitimate users. What should you do?

A.Increase the rate limit threshold in the WAF policy.
B.Enable Azure DDoS Network Protection on the AFD origin and configure DDoS protection on AFD.
C.Migrate the application to Azure Application Gateway with WAF.
D.Disable caching in AFD to reduce resource consumption.
AnswerB

DDoS Network Protection and AFD's built-in mitigation work together to absorb attacks.

Why this answer

Option B is correct because Azure DDoS Network Protection combined with AFD's DDoS mitigation provides layered defense. Option A is wrong because rate limiting alone does not stop volumetric DDoS. Option C is wrong because moving to Application Gateway does not improve latency.

Option D is wrong because disabling caching does not mitigate DDoS.

206
MCQmedium

A storage account should be reachable only from a specific subnet over the Microsoft backbone, while keeping the public endpoint firewall restricted. Which feature should be used?

A.Application Security Group
B.Azure Bastion
C.Service endpoint for Microsoft.Storage with storage firewall rules
D.Public IP prefix
AnswerC

Correct for the stated requirement.

Why this answer

A service endpoint for Microsoft.Storage extends your virtual network private address space and the identity of your VNet to the Azure Storage service over the Microsoft backbone. By combining the service endpoint with a storage firewall rule that restricts access to only that specific subnet, you ensure the storage account is reachable only from that subnet while keeping the public endpoint firewall restricted to deny all other traffic.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, but the question explicitly requires keeping the public endpoint firewall restricted, which is exactly what service endpoints support by allowing selective subnet access through firewall rules without creating a private IP connection.

How to eliminate wrong answers

Option A is wrong because an Application Security Group is a logical grouping of VMs based on application workloads for network security group filtering, not a mechanism to restrict storage account access to a specific subnet. Option B is wrong because Azure Bastion provides secure RDP/SSH connectivity to VMs directly in the Azure portal over SSL, without exposing public IPs, but it does not control access to storage accounts. Option D is wrong because a Public IP prefix reserves a contiguous range of public IP addresses for your Azure resources, but it does not restrict storage account access to a specific subnet or enforce routing over the Microsoft backbone.

207
MCQmedium

A company stores sensitive healthcare data in Azure SQL Database. They need to encrypt specific columns containing patient diagnosis codes so that even database administrators with the 'sysadmin' role cannot view the plaintext. The application must be able to perform equality searches (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

A.Transparent Data Encryption (TDE)
B.Always Encrypted (deterministic encryption)
C.Row-Level Security (RLS)
D.Dynamic Data Masking (DDM)
AnswerB

Always Encrypted encrypts column data such that the encryption keys are stored on the client and never revealed to the database engine. Deterministic encryption supports equality searches, making it suitable for this requirement.

Why this answer

Always Encrypted with deterministic encryption ensures that sensitive columns are encrypted at the client side, so the encryption keys are never revealed to the database engine, including sysadmin roles. Deterministic encryption generates the same ciphertext for the same plaintext, enabling equality searches (WHERE clauses) on encrypted columns without exposing plaintext data to the server.

Exam trap

The trap here is that candidates confuse encryption at rest (TDE) with client-side column-level encryption, failing to recognize that TDE does not protect data from privileged users who can run queries, while Always Encrypted does by keeping keys off the server.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest (pages on disk) but does not protect data from database administrators who have access to the decrypted data in memory or via queries. Option C is wrong because Row-Level Security (RLS) controls access to rows based on user predicates but does not encrypt data; it relies on database permissions and can be bypassed by privileged users. Option D is wrong because Dynamic Data Masking (DDM) obfuscates data in query results for non-privileged users but does not encrypt the underlying data; privileged users like sysadmin can still view plaintext by querying directly.

208
MCQmedium

Your security team wants to use Microsoft Sentinel to investigate a compromised user account. They need to see the user's recent sign-in activity, Azure AD audit logs, and related alerts in a single dashboard. What feature in Sentinel should they use?

A.Create a workbook that queries sign-in logs and audit logs.
B.Navigate to the user's entity page in Sentinel.
C.Use the Investigation graph to visually explore the user's activities.
D.Create an analytics rule to detect user anomalies.
AnswerC

Investigation graph provides a visual map of entities and related events.

Why this answer

Sentinel's investigation graph allows pivoting from a user entity to see related alerts, events, and activities. Option A is wrong because workbooks are custom dashboards, not entity-specific. Option D is wrong because analytics rules are for detection.

Option B is wrong because the entity page is a static view, not a graph.

209
MCQmedium

A company uses Azure SQL Database for a critical application. Security policy requires that all client connections to the database use at least TLS 1.2 encryption. What configuration change must be made to enforce this requirement?

A.Configure the minimum TLS version in the SQL server's settings.
B.Enable Transparent Data Encryption (TDE).
C.Update the server firewall rules to allow only specific IP addresses.
D.Implement Always Encrypted for all sensitive columns.
AnswerA

The minimum TLS version setting directly controls which TLS versions are accepted for client connections. Setting it to 1.2 enforces the policy.

Why this answer

To enforce that all client connections to Azure SQL Database use at least TLS 1.2, you must configure the minimum TLS version at the SQL server level. This setting overrides the default behavior, which allows older, less secure TLS versions, and ensures that any connection attempt using TLS 1.0 or 1.1 is rejected. The configuration is made in the Azure portal under the SQL server's 'Connectivity' settings or via the 'Minimal TLS Version' property in ARM templates or PowerShell.

Exam trap

The trap here is that candidates often confuse encryption at rest (TDE) or column-level encryption (Always Encrypted) with encryption in transit, leading them to select options that do not enforce the TLS protocol version.

How to eliminate wrong answers

Option B is wrong because Transparent Data Encryption (TDE) encrypts data at rest, not data in transit, so it does not enforce TLS version requirements. Option C is wrong because firewall rules control network access by IP address, not the encryption protocol or TLS version used for the connection. Option D is wrong because Always Encrypted protects sensitive columns with client-side encryption, but it does not enforce a minimum TLS version for the overall connection; it can even work over TLS 1.0 if the server allows it.

210
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?

A.The policy requires all guest users to use MFA and a compliant device to access Office 365.
B.The policy requires service provider guest users accessing Office 365 to either use MFA or have a compliant device.
C.The policy requires all users accessing Office 365 to use MFA and a compliant device.
D.The policy blocks all external users from accessing Office 365.
AnswerB

The guestOrExternalUserTypes is set to ServiceProvider, and grant controls use OR.

Why this answer

The policy targets 'Guest users' and 'Service provider guest users' specifically, not all users. It applies to the Office 365 cloud app and grants access only if the user satisfies either the MFA requirement or the compliant device requirement (using an OR condition). Option B correctly identifies that service provider guest users must meet one of the two controls to access Office 365.

Exam trap

The trap here is that candidates often misread the grant control logic as 'require all' (AND) when the policy explicitly uses 'require one of the selected controls' (OR), leading them to choose an option that incorrectly mandates both conditions.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that both MFA and a compliant device are required (AND condition), but the policy uses an OR condition (require one of the selected controls). Option C is wrong because the policy targets only guest users and service provider guest users, not all users. Option D is wrong because the policy does not block access; it grants access conditionally based on MFA or compliant device.

211
MCQeasy

A security team wants to receive a weekly email summary of the security posture of all their Azure subscriptions, including the Secure Score, top recommendations, and the number of healthy resources. Which Microsoft Defender for Cloud feature should they configure?

A.Continuous export to a Log Analytics workspace
B.Email notifications for weekly digest
C.Automation rules to trigger a Logic App on a schedule
D.Workflow automation to export data daily
AnswerB

In Defender for Cloud's email notifications blade, you can enable a 'Send weekly digest' option that emails the Secure Score, top recommendations, and healthy resource count.

Why this answer

Option B is correct because the 'Email notifications for weekly digest' feature in Microsoft Defender for Cloud is specifically designed to send a weekly summary of security posture, including Secure Score, top recommendations, and healthy resources, directly to specified email recipients. This feature is configured under Defender for Cloud's 'Email notifications' settings, where you can enable the weekly digest and define the recipients.

Exam trap

The trap here is that candidates confuse the weekly digest with workflow automation or continuous export, assuming any automated export can be scheduled to send emails, but only the dedicated 'Email notifications for weekly digest' feature provides the exact preformatted summary without custom Logic App development.

How to eliminate wrong answers

Option A is wrong because Continuous export to a Log Analytics workspace is used for streaming security data (e.g., alerts, recommendations) to a workspace for custom analysis or retention, not for sending a preformatted weekly email summary. Option C is wrong because Automation rules trigger actions (e.g., Logic Apps) based on specific events like new alerts or recommendations, not on a schedule for a weekly digest; scheduling requires a separate Logic App trigger. Option D is wrong because Workflow automation triggers Logic Apps or runbooks in response to Defender for Cloud events (e.g., when a recommendation is created), not for scheduled daily exports; daily exports to email are not a native feature.

212
MCQeasy

A security analyst receives a high-severity alert in Microsoft Sentinel indicating a potential brute-force attack against an Azure VM. The analyst wants to automatically block the attacker IP for 24 hours. What is the most efficient way to achieve this?

A.Create an automation rule in Sentinel that runs a playbook to add a deny NSG rule.
B.Enable Just-in-Time VM access to restrict all RDP traffic.
C.Create an Azure Policy to deny all traffic from the attacker IP.
D.Manually add a deny rule to the NSG attached to the VM's subnet.
AnswerA

Correct: automated response via playbook.

Why this answer

Option A is correct because Sentinel automation rules can trigger a playbook that runs a script to add a network security group (NSG) rule to deny the IP. Option D (manual NSG rule) is not automatic. Option C (Azure Policy) is not designed for real-time blocking. Option B (JIT access) controls access, not blocking specific IPs.

213
MCQeasy

You have an Azure virtual machine that hosts a web application. You need to allow inbound HTTP (80) and HTTPS (443) traffic from the internet to this VM only. You also need to allow outbound traffic to the internet from the VM. You want to use a managed Azure service with minimal configuration. What should you use?

A.Azure Application Gateway
B.Azure Firewall
C.Network Security Group (NSG)
D.Azure Bastion
AnswerC

An NSG attached to the VM's subnet or NIC can allow inbound HTTP/HTTPS and default outbound internet access. It is simple, managed, and cost-effective.

Why this answer

A Network Security Group (NSG) is the correct choice because it is a managed Azure service that provides a stateful, layer-3/4 firewall for filtering inbound and outbound traffic to a virtual machine. With minimal configuration, you can create inbound rules to allow HTTP (TCP/80) and HTTPS (TCP/443) from the internet (source 'Internet' or 'Any') and an outbound rule to allow all traffic to the internet (default outbound rule already allows this). NSGs are directly associated with a VM's subnet or network interface, making them the simplest managed solution for this scenario.

Exam trap

The trap here is that candidates often overthink and choose Azure Firewall or Application Gateway for simple traffic filtering, forgetting that an NSG is the most lightweight, cost-effective, and minimal-configuration managed service for basic inbound/outbound access control on a single VM.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a layer-7 load balancer and web application firewall (WAF) that requires additional configuration for routing rules, health probes, and SSL termination; it is overkill for simply allowing inbound HTTP/HTTPS and outbound internet traffic to a single VM. Option B is wrong because Azure Firewall is a fully managed, centralized network security service designed for hub-and-spoke topologies and enterprise-level traffic inspection, not for minimal configuration on a single VM; it introduces unnecessary complexity and cost. Option D is wrong because Azure Bastion is a managed service for secure RDP/SSH access to VMs via the Azure portal, not for allowing HTTP/HTTPS inbound traffic or general outbound internet traffic.

214
MCQhard

Your organization has deployed Azure Front Door Premium with Web Application Firewall (WAF) policy in front of an Azure App Service. You need to ensure that only traffic from Azure Front Door is allowed to reach the App Service, and all other traffic is blocked. Which configuration should you implement?

A.Configure IP restrictions on the App Service to allow only the Azure Front Door service tag AzureFrontDoor.Backend.
B.Configure the App Service to require client certificates and configure Azure Front Door to present a certificate.
C.Set the App Service access restrictions to deny all and then add a rule to allow the Azure Front Door service tag AzureFrontDoor.Frontend.
D.Configure a WAF policy to block all requests that do not contain the X-Azure-FDID header.
AnswerA

Using the service tag ensures only traffic from Azure Front Door's backend IP ranges is allowed, providing the primary restriction.

Why this answer

Restricting App Service access to only Azure Front Door's backend IP addresses using service tags (AzureFrontDoor.Backend) is the recommended approach. Additionally, configuring Azure Front Door to send the X-Azure-FDID header and validating it in the App Service provides an extra layer of security against spoofed traffic.
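The header validation mentioned above, as an added illustration (not code from the question bank or from Microsoft): a small WSGI gate that accepts a request only when the `X-Azure-FDID` header matches the Front Door profile ID the app expects. The profile ID value and the `front_door_gate` / `is_from_expected_front_door` names are placeholders chosen for this example; the real ID is read from your Front Door profile in the portal. The check complements the `AzureFrontDoor.Backend` service-tag restriction described in the answer; it does not replace it.

```python
import hmac

# Placeholder for the Front Door profile's "Front Door ID" (a GUID shown in the
# portal). Assumed value for this example only; it is per-profile, not a secret,
# so the service-tag IP restriction remains the primary control.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def is_from_expected_front_door(headers, expected_fdid=EXPECTED_FDID):
    """Return True only if X-Azure-FDID is present and equals the expected profile ID.

    `headers` is a plain dict of request headers; the lookup is case-insensitive
    because proxies and frameworks differ in how they case header names.
    """
    fdid = None
    for name, value in headers.items():
        if name.lower() == "x-azure-fdid":
            fdid = value
            break
    if not fdid:
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(fdid.strip(), expected_fdid)


def front_door_gate(app, expected_fdid=EXPECTED_FDID):
    """WSGI middleware: answer 403 unless the request carries the expected X-Azure-FDID.

    WSGI exposes the header as environ["HTTP_X_AZURE_FDID"]; a missing header is
    treated the same as a wrong one, so traffic that bypassed Front Door is refused.
    """
    def wrapped(environ, start_response):
        fdid = environ.get("HTTP_X_AZURE_FDID", "")
        if not fdid or not hmac.compare_digest(fdid.strip(), expected_fdid):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden: request did not arrive via the expected Azure Front Door profile\n"]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Trivial application used to show the gate in front of a real handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


if __name__ == "__main__":
    gated = front_door_gate(demo_app, EXPECTED_FDID)

    def show(status, headers):
        print(status)

    # Constructed requests: one that came through Front Door, one that did not.
    gated({"HTTP_X_AZURE_FDID": EXPECTED_FDID}, show)   # 200 OK
    gated({}, show)                                      # 403 Forbidden
```

Wrap the real WSGI application with `front_door_gate(app, "<your profile id>")`; frameworks such as Flask expose the underlying WSGI app so the gate can sit in front of every route.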

215
MCQmedium

You have an Azure SQL Database that contains sensitive customer data. You need to ensure that database administrators (DBAs) cannot view the data in the 'CreditCard' column. What should you implement?

A.Enable Transparent Data Encryption (TDE) on the database.
B.Use Always Encrypted with column encryption key stored in Azure Key Vault.
C.Implement Azure SQL Auditing for the database.
D.Configure Dynamic Data Masking for the 'CreditCard' column.
AnswerB

Always Encrypted encrypts column data so that even DBAs cannot view plaintext.

Why this answer

Option B is correct because Always Encrypted protects data from DBAs: the column encryption key is held in Azure Key Vault outside the database, so DBAs cannot view plaintext. Option D is wrong because Dynamic Data Masking (DDM) only obfuscates sensitive data for non-privileged users, while DBAs with elevated permissions can still see the unmasked data unless excluded. Option A is wrong because TDE encrypts at rest, not at query time. Option C is wrong because auditing tracks access but does not prevent viewing.

216
Multi-Selectmedium

Which TWO are benefits of using Microsoft Sentinel's automation rules? (Choose two.)

Select 2 answers
A.Aggregate multiple incidents into a single incident.
B.Create new analytics rules based on incident patterns.
C.Automatically query external threat intelligence feeds.
D.Trigger a playbook when an incident is created or updated.
E.Automatically assign incidents to a specific analyst or team.
AnswersD, E

Correct: Automation rules can trigger playbooks.

Why this answer

Options D and E are correct. Automation rules can trigger playbooks when an incident is created or updated (D) and automatically assign incidents to a specific analyst or team (E). Option A is wrong because automation rules do not aggregate incidents; they can suppress incidents or create tasks. Option B is wrong because automation rules do not create analytics rules. Option C is wrong because automation rules do not query external threat intelligence feeds.

217
MCQhard

You are a security analyst using Microsoft Sentinel. You need to create an analytics rule that triggers an incident when more than 10 failed sign-ins occur from the same IP address within 5 minutes. The rule should use a KQL query. Which query should you use?

A.SigninLogs | where ResultType !in ("0","50125") // failed attempts | summarize Count = count() by IPAddress, bin(TimeGenerated, 5m) | where Count > 10
B.SigninLogs | where ResultType != "0" | make-series Count=count() default=0 on TimeGenerated from ago(5m) to now() step 5m by IPAddress
C.SigninLogs | where ResultType == "0" | summarize Count = count() by IPAddress, bin(TimeGenerated, 5m) | where Count > 10
D.SigninLogs | where ResultType == "0" | summarize Count = count() by IPAddress, bin(time-generated, 5m) | where Count > 10
AnswerA

This query correctly groups failed sign-ins by IP and 5-minute bin, and filters for >10.

Why this answer

Option A is correct because it keeps only failed sign-ins (ResultType not in "0" or "50125"), groups them by IP address, counts them within a 5-minute time window, and filters for counts greater than 10. Option B is wrong because it uses make-series, which is for time series analysis, not simple aggregation. Option C is wrong because it filters ResultType == "0", which selects only successful sign-ins. Option D is wrong because it uses time-generated, which is not a standard column; the correct column is TimeGenerated.
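To see why option A works, here is an added Python re-implementation of that query's logic run over constructed sample SigninLogs rows (this is illustration code, not part of the question bank and not Sentinel's own code). `bin_time` mirrors KQL's `bin(TimeGenerated, 5m)`, `failed_signin_bursts` mirrors the filter/summarize/where chain, and the sample data includes the edge case the bin matters for: twelve failures spread across 30 minutes never exceed the threshold in any single 5-minute bin, while twelve failures inside one bin do. The IP addresses, timestamps and result codes in `make_sample_logs` are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Result codes that option A excludes: "0" is a successful sign-in and "50125"
# is an interrupted sign-in (password reset or redirect), not a failed attempt.
NON_FAILURE_RESULT_TYPES = {"0", "50125"}
BIN_SIZE = timedelta(minutes=5)   # KQL: bin(TimeGenerated, 5m)
THRESHOLD = 10                    # KQL: | where Count > 10

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_time(ts, size=BIN_SIZE):
    """Floor a timestamp to its bin boundary, as KQL bin() does."""
    return EPOCH + ((ts - EPOCH) // size) * size


def failed_signin_bursts(signin_logs, threshold=THRESHOLD):
    """Python equivalent of:

        SigninLogs
        | where ResultType !in ("0","50125")
        | summarize Count = count() by IPAddress, bin(TimeGenerated, 5m)
        | where Count > 10

    Each row is a dict with TimeGenerated (aware datetime), IPAddress, ResultType.
    Returns {(IPAddress, bin_start): count} for bins whose count exceeds the threshold.
    """
    counts = Counter()
    for row in signin_logs:
        if row["ResultType"] in NON_FAILURE_RESULT_TYPES:
            continue                                   # where ResultType !in (...)
        key = (row["IPAddress"], bin_time(row["TimeGenerated"]))
        counts[key] += 1                               # summarize count() by ...
    return {key: n for key, n in counts.items() if n > threshold}   # where Count > 10


def make_sample_logs():
    """Constructed SigninLogs rows (not real telemetry) covering three cases."""
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    rows = []
    # 12 failures from one IP within 220 seconds: all land in the 10:00 bin -> fires.
    for i in range(12):
        rows.append({"TimeGenerated": base + timedelta(seconds=20 * i),
                     "IPAddress": "203.0.113.10", "ResultType": "50126"})
    # 12 failures from a second IP, one every 2.5 minutes over 30 minutes:
    # at most 2 per 5-minute bin -> never exceeds the threshold.
    for i in range(12):
        rows.append({"TimeGenerated": base + timedelta(minutes=2.5 * i),
                     "IPAddress": "198.51.100.7", "ResultType": "50126"})
    # Successes ("0") and interrupted sign-ins ("50125") from the first IP are
    # excluded by the filter and must not inflate its count.
    for i in range(15):
        rows.append({"TimeGenerated": base + timedelta(seconds=10 * i),
                     "IPAddress": "203.0.113.10",
                     "ResultType": "0" if i % 2 else "50125"})
    return rows


if __name__ == "__main__":
    for (ip, start), n in failed_signin_bursts(make_sample_logs()).items():
        print(f"{ip} had {n} failed sign-ins in the 5-minute bin starting {start.isoformat()}")
```

Running the block reports a single burst for 203.0.113.10; the evenly spaced attempts from 198.51.100.7 stay below the threshold in every bin, which is the fixed-bin behaviour an analyst should keep in mind when choosing between `bin()` and a sliding window.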

218
Multi-Selectmedium

A hub-and-spoke Azure network uses Azure Firewall for egress inspection. Which two settings are typically required on spoke workloads?

Select 2 answers
A.Public IP addresses on every VM
B.UDRs that send default traffic to the firewall next hop
C.NSG rules that allow all inbound internet traffic
D.DNS/routing design that prevents direct internet bypass
AnswersB, D

Correct for the stated requirement.

Why this answer

In a hub-and-spoke topology with Azure Firewall for egress inspection, spoke workloads must not be able to bypass the firewall. A User Defined Route (UDR) with address prefix 0.0.0.0/0 and next hop type VirtualAppliance pointing to the firewall's private IP forces all outbound traffic through the firewall. Additionally, DNS and routing design must prevent direct internet access—for example, by using Azure Private DNS zones or custom DNS servers that resolve only internal names, ensuring that no traffic can exit the spoke without firewall inspection.

Exam trap

The trap here is that candidates often think only a UDR is needed, forgetting that DNS and routing design must also prevent direct internet bypass—for example, if spoke VMs use Azure's default DNS (168.63.129.16), they can still resolve public names and potentially bypass the firewall via outbound UDP 53 traffic if not explicitly routed through the firewall.

219
Multi-Selecthard

A team wants to deploy Sentinel content consistently across workspaces. Which two approaches are appropriate?

Select 2 answers
A.Manually copy screenshots of rules
B.Use Content Hub solutions where available
C.Store incidents in Azure Key Vault
D.Use infrastructure-as-code or automation for analytic rules and workbooks
AnswersB, D

Correct for the stated requirement.

Why this answer

Content Hub solutions in Azure Sentinel provide pre-packaged content (analytic rules, workbooks, playbooks) that can be installed consistently across multiple workspaces via the Azure portal or API. This ensures standardized deployment without manual errors, leveraging Microsoft's curated content for common scenarios.

Exam trap

The trap here is that candidates may confuse 'storing incidents' (operational data) with 'deploying content' (configuration), leading them to incorrectly select Azure Key Vault as a deployment mechanism for Sentinel rules.

220
MCQmedium

A company stores sensitive data in Azure Blob Storage. They use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. The security policy requires that the encryption keys be automatically rotated every 90 days. Which configuration should they implement to meet this requirement without manual intervention?

A.Enable key auto-rotation in Key Vault by setting a rotation policy on the key.
B.Use a custom Azure Automation runbook to rotate the key.
C.Set a key expiration date of 90 days and manually renew.
D.Enable versioning on the storage account and manually create a new key version.
AnswerA

Correct. Key Vault's rotation policy automates key rotation at the specified interval.

Why this answer

Azure Key Vault supports automatic key rotation by configuring a rotation policy on the key. When you enable auto-rotation, Key Vault automatically creates a new key version at the specified interval (e.g., every 90 days) without any manual intervention. This directly satisfies the requirement for automatic rotation of customer-managed keys used for Azure Storage encryption at rest.

Exam trap

The trap here is that candidates may think custom automation (Option B) is required for key rotation, but Azure Key Vault's built-in auto-rotation feature directly meets the requirement without additional overhead.

How to eliminate wrong answers

Option B is wrong because using a custom Azure Automation runbook introduces unnecessary complexity and potential failure points; Key Vault natively supports automatic rotation, making a custom solution redundant. Option C is wrong because setting a key expiration date only marks the key as expired after 90 days but does not automatically rotate it; manual renewal is required, which violates the 'without manual intervention' requirement. Option D is wrong because enabling versioning on the storage account only allows storing multiple blob versions, not key rotation; manually creating a new key version in Key Vault still requires manual action and does not automate the rotation process.

221
MCQmedium

Your organization is deploying Microsoft Sentinel in a multi-region environment. You need to design a workspace architecture that minimizes data egress costs while ensuring that data from all regions is available for queries and incident investigation. The security team is centralized in the US. What should you do?

A.Deploy Sentinel workspaces in the US and Europe and use Azure Lighthouse to unify querying.
B.Deploy a Sentinel workspace in each region and use Azure Data Explorer for centralized analytics.
C.Deploy a Sentinel workspace in each region and use cross-workspace queries.
D.Deploy a single Sentinel workspace in the US and stream logs from all regions to that workspace.
AnswerD

A single workspace minimizes egress costs and simplifies management.

Why this answer

Option D is correct because using a single workspace in the US centralizes data and minimizes costs, as data from other regions can be collected via diagnostic settings without egress fees for Azure-to-Azure traffic within the same continent. Option A is wrong because multiple workspaces increase egress costs and complexity. Option B is wrong because it does not reduce egress costs. Option C is wrong because using multiple workspaces with cross-workspace queries increases egress costs.

222
MCQeasy

You need to prevent data from being exfiltrated from an Azure SQL Database by unauthorized users. Which Microsoft Purview feature should you use?

A.Microsoft Purview Insider Risk Management
B.Microsoft Purview Information Protection
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview eDiscovery
AnswerC

DLP policies can be used to prevent data exfiltration from SQL Database.

Why this answer

Option C is correct: Microsoft Purview Data Loss Prevention (DLP) policies can be applied to SQL Database to detect and prevent sensitive data exfiltration. Option B is wrong because Information Protection focuses on classification and labeling. Option A is wrong because Insider Risk Management detects risky user activities. Option D is wrong because eDiscovery is for legal discovery.

223
MCQhard

You are configuring Microsoft Defender for Cloud's 'Workload protections' for a Kubernetes cluster that is already using Azure Kubernetes Service (AKS). The cluster has 'Azure Policy' enabled. You need to enable the 'Microsoft Defender for Containers' plan to protect the cluster. You have already enabled the plan at the subscription level. However, the cluster is not showing as protected in the 'Inventory' blade. You have confirmed that the 'Azure Policy for Kubernetes' add-on is installed. What should you do to ensure the cluster is protected?

A.Install the 'Defender profile' on the AKS cluster.
B.Enable the 'Azure Policy for Kubernetes' add-on on the cluster.
C.Wait for 24 hours for the protection to automatically apply.
D.Install the Log Analytics agent on the cluster nodes.
AnswerA

The Defender profile is required to enable protection on the AKS cluster.

Why this answer

Option A is correct: even with the subscription-level plan enabled, you need to install the 'Defender profile' on the AKS cluster. Option B is incorrect because the 'Azure Policy for Kubernetes' add-on is already installed and is a separate step from the Defender profile. Option C is incorrect because waiting does not help; the cluster is not protected until the profile is installed. Option D is incorrect because the agents are deployed via the Defender profile, not by installing the Log Analytics agent manually.

224
Multi-Selecthard

A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)

Select 2 answers
A.Enable Transparent Data Encryption (TDE) with a customer-managed key.
B.Configure Key Vault to automatically rotate the key on a schedule.
C.Configure Azure SQL Database auditing to log key usage.
D.Enable Azure Information Protection for the database.
AnswersA, B

This must be configured to use a customer-managed key stored in Azure Key Vault for encrypting the database at rest.

Why this answer

Option A is correct because Transparent Data Encryption (TDE) with a customer-managed key (CMK) stored in Azure Key Vault is the mechanism that encrypts Azure SQL Database data at rest using a key you control. This meets the requirement for CMK-based encryption. Option B is correct because Azure Key Vault supports automatic key rotation on a schedule; by configuring a rotation policy (e.g., every 12 months), the key used for TDE is automatically replaced, satisfying the rotation requirement.

Exam trap

The trap here is that candidates often confuse Azure SQL Database auditing (which logs activity) with key management, or mistakenly think Azure Information Protection can encrypt database data at rest, when it only applies classification and labeling to files and emails.

225
MCQmedium

You are designing a privileged access strategy for Microsoft Entra ID. Your organization requires that all users who are assigned to the Global Administrator role must perform a privileged elevation only when needed, and the elevation must be approved by a security officer. Which feature should you implement?

A.Microsoft Entra Identity Governance – Privileged Identity Management
B.Azure AD administrative units
C.Conditional Access with session control
D.Microsoft Entra ID protection risk policies
AnswerA

PIM enables JIT activation with approval workflows.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged elevation for roles like Global Administrator, requiring approval from designated approvers (e.g., a security officer) before activation. This directly meets the requirement of elevation only when needed with approval, as PIM manages time-bound role assignments and approval workflows.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls sign-in access) with PIM (which controls role activation), leading them to select Option C because they think session controls can enforce approval for elevation, but Conditional Access cannot manage role activation workflows.

How to eliminate wrong answers

Option B is wrong because Azure AD administrative units restrict administrative scope to specific organizational units (e.g., departments) but do not provide JIT elevation or approval workflows for role activation. Option C is wrong because Conditional Access with session control enforces policies during sign-in (e.g., requiring MFA or device compliance) but cannot control role activation or require approval for elevation. Option D is wrong because Microsoft Entra ID Protection risk policies detect and respond to user or sign-in risks (e.g., blocking risky sign-ins) but do not manage privileged role elevation or approval processes.
