Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 226-300

1000 questions total · 14 pages · All types, answers revealed

Page 4 of 14

226
MCQ · medium

You are a security engineer for a company that uses Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are assessed against the Microsoft Cloud Security Benchmark (MCSB). Which action should you take?

A. Assign the CIS Microsoft Azure Foundations Benchmark initiative to each subscription.
B. Assign the MCSB initiative at the management group level.
C. No action needed; MCSB is the default security policy assigned to all subscriptions.
D. Enable regulatory compliance standards in Defender for Cloud.
Answer: C

MCSB is automatically assigned as the default initiative in Defender for Cloud.

Why this answer

Option C is correct because the default initiative assigned to all subscriptions in Defender for Cloud is the Microsoft Cloud Security Benchmark (MCSB). Option A is wrong because the CIS benchmark is a different standard and not the default. Option B is wrong because standards are assigned at the subscription level, not management group.

Option D is wrong because regulatory compliance is a separate feature and does not replace the default benchmark.

227
Multi-Select · medium

Which TWO actions are required to enable Azure Defender for SQL on an Azure SQL Database?

Select 2 answers
A. Enable Advanced Data Security on the server.
B. Configure SQL Vulnerability Assessment.
C. Enable threat detection policies at the database level.
D. Enable Microsoft Defender for Cloud plan for SQL servers.
E. Enable SQL Auditing.
Answers: A, D

Advanced Data Security provides the foundation for Defender for SQL.

Why this answer

Azure Defender for SQL requires enabling Advanced Data Security on the server and configuring a Microsoft Defender for Cloud pricing tier, so options A and D are correct. Enabling auditing is optional for Defender.

Configuring vulnerability assessment is a separate feature. Enabling threat detection is part of the process but not listed separately as an action.

228
MCQ · easy

A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?

A. Prevention mode
B. Detection mode
C. Logging mode
D. Off
Answer: B

Detection mode logs alerts for matching requests but does not block them, allowing the team to tune rules without affecting live traffic.

Why this answer

Detection mode logs WAF alerts and records the full request details without blocking any traffic. This allows the security team to analyze malicious requests, tune rule exclusions, and validate that legitimate traffic is not falsely flagged before switching to Prevention mode. It is the correct choice for the initial testing phase described.

Exam trap

The trap here is that candidates may confuse Detection mode with a hypothetical 'Logging mode' or assume Prevention mode is needed for any protection, overlooking the explicit requirement to identify without blocking during tuning.

How to eliminate wrong answers

Option A is wrong because Prevention mode actively blocks malicious requests, which would disrupt testing and prevent the team from tuning rules based on observed traffic. Option C is wrong because Azure WAF does not have a 'Logging mode'; logging is a feature enabled within Detection or Prevention mode, not a standalone operational mode. Option D is wrong because Off disables the WAF entirely, providing no protection or logging of malicious requests, which defeats the purpose of the testing phase.

229
MCQ · medium

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with highly privileged roles, such as 'sysadmin', cannot view the plaintext data. Additionally, they need to support complex queries on the encrypted data, including pattern matching and range comparisons. Which encryption technology should they implement?

A. Always Encrypted with secure enclaves
B. Transparent Data Encryption (TDE)
C. Dynamic Data Masking
D. Row-Level Security
Answer: A

Always Encrypted with secure enclaves provides column-level encryption and supports rich computations like pattern matching and range queries within the enclave, while preventing database administrators from seeing plaintext data.

Why this answer

Always Encrypted with secure enclaves is correct because it encrypts specific columns at the client side, ensuring that even database administrators with sysadmin privileges cannot view the plaintext data. The secure enclave feature allows computations (such as pattern matching and range comparisons) to be performed on the encrypted data inside a trusted execution environment, which is required by the question's need for complex queries on encrypted columns.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with column-level encryption, assuming TDE protects data from privileged users, but TDE only protects data at rest and does not prevent authorized database users from reading plaintext data.

How to eliminate wrong answers

Option B (Transparent Data Encryption) is wrong because it encrypts the entire database at rest (on disk) but does not protect data from users or administrators who have access to the database engine; the data is decrypted transparently when queried, so sysadmins can still view plaintext. Option C (Dynamic Data Masking) is wrong because it only obfuscates data in query results for unauthorized users, but the underlying data remains stored in plaintext and can be accessed by privileged users like sysadmins. Option D (Row-Level Security) is wrong because it controls access to rows based on user context but does not encrypt the data; privileged users can still read the plaintext data directly.

230
MCQ · medium

Your company has a hybrid environment with on-premises servers and Azure VMs. All resources are onboarded to Microsoft Defender for Cloud. You need to receive alerts when a critical vulnerability is detected on any server. The security team wants to minimize false positives. What should you configure?

A. Enable vulnerability assessment for servers via the integrated VA solution.
B. Configure just-in-time VM access to reduce attack surface.
C. Enable adaptive application controls to detect unapproved software.
D. Enable file integrity monitoring on critical files.
Answer: A

Correct. Vulnerability assessment scans for vulnerabilities and generates security alerts.

Why this answer

Option A is correct because vulnerability assessment (VA) solutions, like the integrated Qualys or Microsoft Defender Vulnerability Management, scan for known vulnerabilities and generate alerts. Option C is wrong because adaptive application controls are for whitelisting applications, not vulnerability detection. Option B is wrong because just-in-time (JIT) VM access is for managing RDP/SSH access.

Option D is wrong because file integrity monitoring (FIM) monitors file changes, not vulnerabilities.

231
Multi-Select · hard

Your company is implementing Microsoft Defender for Cloud's Security Alerts. You need to ensure that alerts for critical severity are automatically sent to the security operations team via email and also create a ticket in ServiceNow. Which three actions should you take? (Choose three.)

Select 3 answers
A. Create a playbook in Microsoft Sentinel that triggers on alerts.
B. Install the Log Analytics agent on all VMs to collect security alerts.
C. Create a continuous export rule in Defender for Cloud to send alerts to an Event Hubs namespace.
D. Create a Logic App that listens to the Event Hubs and creates a ticket in ServiceNow.
E. Configure email notifications in Microsoft Defender for Cloud's security contacts settings for high-severity alerts.
Answers: C, D, E

Continuous export can stream alerts to Event Hubs.

Why this answer

Options C, D, and E are correct. Option E is correct because email notifications for critical alerts can be configured in Defender for Cloud. Option C is correct because a continuous export rule can send alerts to Event Hubs, which can trigger a Logic App.

Option D is correct because a Logic App can integrate with ServiceNow. Option B is wrong because the Log Analytics agent is not needed for alerts. Option A is wrong because a playbook in Sentinel is not required; the integration can be done via Logic Apps directly.

232
MCQ · hard

An Azure Storage account is configured with server-side encryption (SSE) using a customer-managed key stored in Azure Key Vault. The security team requires that the storage account's identity be used to authenticate to the key vault for key access. Additionally, they want the identity to be automatically deleted when the storage account is deleted. Which type of identity should they assign to the storage account?

A. System-assigned managed identity
B. User-assigned managed identity
C. Service principal
D. Azure AD user account
Answer: A

This identity is linked to the storage account and automatically managed, meeting both requirements.

Why this answer

A system-assigned managed identity is tied to the lifecycle of the Azure resource (the storage account) and is automatically deleted when the resource is deleted. This identity can be used to authenticate to Azure Key Vault for accessing the customer-managed key used in server-side encryption (SSE), satisfying the security team's requirement for automatic deletion upon storage account deletion.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, overlooking the critical lifecycle coupling requirement that system-assigned identities are automatically deleted with the parent resource, while user-assigned identities persist independently.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity has an independent lifecycle and is not automatically deleted when the storage account is deleted; it must be manually removed. Option C is wrong because a service principal is a separate application identity that requires manual credential management (secrets or certificates) and does not automatically delete with the storage account. Option D is wrong because an Azure AD user account is a human identity that cannot be assigned to an Azure resource and would require interactive authentication, which is not suitable for automated key access.

233
MCQ · medium

A company uses Azure Managed Disks for their virtual machines. They want to ensure that all managed disks are encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also want to automatically revoke access to the disks if the key is disabled or deleted. Which feature should they configure?

A. Azure Disk Encryption (ADE) with a Key Encryption Key (KEK)
B. Server-side encryption with customer-managed keys (SSE-CMK)
C. Azure Storage Service Encryption (SSE) with platform-managed keys
D. Azure Key Vault soft-delete and purge protection
Answer: B

SSE-CMK encrypts managed disks at rest using a CMK. When the key is disabled or deleted, the disk becomes inaccessible, meeting the revocation requirement without additional steps.

Why this answer

Server-side encryption with customer-managed keys (SSE-CMK) encrypts Azure Managed Disks at rest using a key stored in Azure Key Vault. When the key is disabled or deleted, Azure automatically revokes access to the disk by failing any I/O operations that require that key, ensuring the disk becomes inaccessible. This directly meets the requirement for both CMK-based encryption and automatic access revocation upon key loss.

Exam trap

The trap here is that candidates confuse Azure Disk Encryption (ADE) with server-side encryption (SSE-CMK), mistakenly thinking ADE provides automatic access revocation when the key is disabled, whereas ADE only encrypts at the guest OS level and does not enforce platform-level access control based on key state.

How to eliminate wrong answers

Option A is wrong because Azure Disk Encryption (ADE) with a KEK uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt the OS and data disks at the VM guest OS level, not at the Azure platform level, and disabling the KEK does not automatically revoke access to the underlying managed disk; the disk remains accessible at the storage layer. Option C is wrong because Azure Storage Service Encryption (SSE) with platform-managed keys uses Microsoft-managed keys, not customer-managed keys, so it cannot meet the requirement for CMK-based encryption or allow key revocation by the customer. Option D is wrong because Azure Key Vault soft-delete and purge protection only prevents permanent deletion of keys and secrets; it does not encrypt disks or automatically revoke access to disks when a key is disabled or deleted.

234
MCQ · hard

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

A. Enable the Azure SQL Database server's firewall to allow Azure services to access the server.
B. Configure the Key Vault firewall to allow trusted Microsoft services to bypass the firewall.
C. Assign a user-assigned managed identity to the SQL server instead of a system-assigned identity.
D. Change the Key Vault firewall to allow all networks.
Answer: B

This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault when using a managed identity.

Why this answer

The Key Vault firewall blocks all public network access, so even though the SQL server has the correct managed identity and role assignment, the connection is denied by the firewall. By enabling the 'Allow trusted Microsoft services to bypass this firewall' setting, Azure SQL Database (a trusted Microsoft service) can connect to the Key Vault without exposing it to the public internet. This is the required additional configuration to resolve the TDE access failure.

Exam trap

The trap here is that candidates often confuse the SQL server firewall with the Key Vault firewall, or think that a managed identity alone is sufficient without considering network-level access controls.

How to eliminate wrong answers

Option A is wrong because the issue is not about the SQL server's firewall allowing Azure services; the SQL server's firewall is irrelevant to Key Vault access. Option C is wrong because a system-assigned managed identity works perfectly for this scenario; switching to a user-assigned identity does not solve the Key Vault firewall block. Option D is wrong because allowing all networks would defeat the purpose of the Key Vault firewall and is unnecessary; the trusted services bypass is the correct, secure solution.

235
MCQ · medium

Your organization has a hybrid network with an Azure VPN gateway connecting to an on-premises site. You need to ensure that traffic between Azure and on-premises is encrypted and authenticated. Which protocol should the VPN gateway use?

A. SSL/TLS
B. IPsec
C. SSH
D. HTTPS
Answer: B

IPsec provides encryption and authentication for VPN tunnels.

Why this answer

Option B is correct because IPsec is the standard for VPN encryption and authentication. Option A is wrong because SSL/TLS is for web traffic, not site-to-site VPN. Option C is wrong because SSH is for remote administration.

Option D is wrong because HTTPS is application layer, not for network tunneling.

236
MCQ · medium

A company has an Azure virtual network with a subnet that hosts Azure virtual machines. They want to restrict access to an Azure SQL Database so that only traffic originating from that specific subnet is allowed. They have enabled a service endpoint for Microsoft.Sql on the subnet and configured the SQL server firewall to allow only that subnet's virtual network rule. However, connections from the VMs to the SQL database are failing with an authorization error. What is the most likely cause?

A. The service endpoint for Microsoft.Sql was not enabled on the subnet before creating the firewall rule
B. The SQL server's firewall also has a rule allowing all Azure services, which overrides the VNet rule
C. The virtual machine's operating system firewall is blocking outbound traffic
D. The subnet's NSG is blocking outbound traffic to Azure SQL
Answer: A

The service endpoint must be enabled on the subnet before or concurrently with the firewall rule. If enabled after, the rule may not work until it is updated or re-created.

Why this answer

The most likely cause is that the service endpoint for Microsoft.Sql was not enabled on the subnet before the virtual network (VNet) firewall rule was created on the SQL server. When a VNet rule is added to the SQL server firewall, Azure validates that the specified subnet has a service endpoint for Microsoft.Sql enabled. If the endpoint is not enabled at the time the rule is created, the rule will be created but will not be effective, and traffic from the subnet will not be recognized as originating from the VNet, resulting in authorization errors.

The service endpoint must be enabled first to ensure the subnet's traffic is routed through the Azure backbone and correctly identified by the SQL server firewall.

Exam trap

The trap here is that candidates assume creating a VNet firewall rule is sufficient on its own, without realizing that the service endpoint must be enabled on the subnet first for the rule to be effective.

How to eliminate wrong answers

Option B is wrong because a firewall rule allowing all Azure services would permit traffic from any Azure IP range, but it does not override a more specific VNet rule; instead, the VNet rule would take precedence for matching traffic. Option C is wrong because the question states the error is an authorization error from the SQL database, not a connection timeout or unreachable host, which would be expected if the VM's OS firewall were blocking outbound traffic. Option D is wrong because a subnet NSG blocking outbound traffic to Azure SQL would typically result in a network-level timeout or unreachable error, not an SQL authorization error, and the NSG would need to explicitly deny outbound traffic to the SQL service tag for this to occur.

237
MCQ · medium

An organization uses Microsoft Defender for Cloud to protect Azure SQL databases. They want to receive alerts when a SQL database is accessed from a suspicious location. What should they enable?

A. Enable Microsoft Defender for Cloud for Azure SQL databases
B. Enable Azure Firewall on the SQL server
C. Enable Azure SQL Database Advanced Threat Protection
D. Enable Azure SQL Database Auditing
Answer: A

Defender for Cloud provides threat detection alerts for SQL databases.

Why this answer

Option A is correct because Microsoft Defender for Cloud for Azure SQL databases includes threat detection that alerts on anomalous access patterns, including suspicious locations. Option C is wrong because Advanced Threat Protection is the feature name, but it is enabled under Microsoft Defender for Cloud. Option D is wrong because Azure SQL Database auditing logs activity but does not generate alerts.

Option B is wrong because Azure Firewall logs network traffic but does not generate SQL-specific alerts.

238
MCQ · hard

You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that data from different geographic regions be stored separately to comply with data residency laws. What is the recommended approach?

A. Deploy a single Sentinel workspace and use Azure Purview to tag data for residency.
B. Deploy a single Sentinel workspace and configure diagnostic settings to send data to separate Log Analytics workspaces.
C. Deploy a single Sentinel workspace and use data collection rules to route data to different storage accounts.
D. Deploy a separate Microsoft Sentinel workspace in each required region.
Answer: D

Each workspace stores data in its region; this meets residency requirements.

Why this answer

Option D is correct because to comply with data residency, you need separate Sentinel workspaces per region. Option C is wrong because Sentinel does not support data-level routing to different storage locations within a single workspace. Option B is wrong because using a single workspace with diagnostic settings does not separate storage.

Option A is wrong because Azure Purview is for data governance, not storage.

239
MCQ · easy

A company uses Azure AD with Premium P2 licenses. They want to require that all new users register for Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. If they do not register, they should be denied access to all cloud applications until registration is completed. Which Azure AD feature should they configure?

A. Identity Protection user risk policy
B. Conditional Access policy targeting the MFA registration
C. Azure AD Identity Protection sign-in risk policy
D. Privileged Identity Management (PIM)
Answer: B

A Conditional Access policy with the 'Require MFA registration' grant control enforces registration before access is granted.

Why this answer

The requirement to enforce MFA registration within a specific time frame and block access until registration is complete is achieved by configuring a Conditional Access policy targeting the 'Register security information' (MFA registration) user action. This policy can require users to register for MFA and, if not completed, deny access to all cloud apps. Azure AD Premium P2 licenses are required for Conditional Access.

Exam trap

The trap here is that candidates confuse Identity Protection risk policies (which handle risky sign-ins or compromised users) with Conditional Access policies that directly enforce MFA registration deadlines, leading them to select A or C instead of B.

How to eliminate wrong answers

Option A is wrong because Identity Protection user risk policy addresses user accounts with compromised credentials or risky behavior, not the enforcement of MFA registration timing. Option C is wrong because Identity Protection sign-in risk policy evaluates the risk of a specific sign-in attempt (e.g., from anonymous IP addresses) and can block or require MFA, but it does not enforce a registration deadline for new users. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not MFA registration enforcement for all users.

240
Multi-Select · hard

An Azure SQL Database must be accessed privately from workloads in a VNet and should not allow public network access. Which two configurations are required?

Select 2 answers
A. Create a Private Endpoint for the SQL server
B. Enable service endpoint only and leave public access open
C. Disable public network access or restrict firewall rules appropriately
D. Create an inbound NAT rule on Azure Load Balancer
Answers: A, C

Correct for the stated requirement.

Why this answer

A Private Endpoint assigns a private IP address from your VNet to the Azure SQL Database logical server, enabling traffic to reach the database entirely over the Microsoft backbone network without traversing the public internet. This is a fundamental requirement for private connectivity from workloads inside a VNet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming a service endpoint alone provides private-only access, but it does not block public internet traffic unless public network access is also disabled.

241
MCQ · hard

Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Security. You need to ensure that Copilot's access to security data is governed by the principle of least privilege and that usage is auditable. What should you implement?

A. Use Conditional Access policies to restrict Copilot access based on location and device compliance.
B. Implement Microsoft Purview for data governance and assign custom RBAC roles in Copilot for Security.
C. Enable Microsoft Entra ID Protection to detect risky usage of Copilot.
D. Assign the Copilot roles via Privileged Identity Management (PIM) with approval workflows.
Answer: B

Purview provides auditing and labeling; custom RBAC roles enforce least privilege within Copilot.

Why this answer

Option B is correct because Microsoft Purview provides the data governance framework needed to classify, label, and control access to security data, while custom RBAC roles in Copilot for Security allow granular permissions that enforce least privilege. This combination ensures that Copilot only accesses data necessary for its function and that all access is auditable through Purview's audit logs.

Exam trap

The trap here is that candidates often confuse identity-level controls (Conditional Access, PIM) with data-level governance, assuming that restricting who can access Copilot is sufficient, when the question specifically requires governing Copilot's access to security data itself.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control authentication and access to applications based on conditions like location or device compliance, but they do not govern Copilot's internal access to security data or provide the granular data-level permissions required for least privilege. Option C is wrong because Microsoft Entra ID Protection detects and responds to identity-based risks (e.g., compromised credentials) but does not govern or audit Copilot's access to security data; it focuses on user risk, not data governance. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time elevation of privileged roles with approval workflows, but it does not address data governance or the principle of least privilege for Copilot's access to security data; PIM is for role activation, not data-level permissions.

242
MCQ · easy

Your organization uses Microsoft Entra ID for identity management. You need to prevent users from using their work accounts to access corporate resources from untrusted locations unless they have registered their devices. Which conditional access policy setting should you configure?

A. Grant access, require approved client app
B. Grant access, require device to be marked as compliant
C. Block access
D. Grant access, require multi-factor authentication
Answer: B

This ensures only compliant devices from untrusted locations can access resources.

Why this answer

Option B is correct because the 'Grant access, require device to be marked as compliant' condition ensures that only devices meeting your organization's compliance policies (e.g., BitLocker enabled, antivirus running, OS patch level) can access corporate resources. When combined with a location condition (e.g., 'All trusted locations' or 'All locations' with an exclusion for trusted IPs), this setting effectively blocks access from untrusted locations unless the device is compliant, which implies it has been registered and managed in Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse 'Require multi-factor authentication' (Option D) as the solution for location-based access control, but MFA does not enforce device registration or compliance, which is the specific requirement in this scenario.

How to eliminate wrong answers

Option A is wrong because 'Require approved client app' controls which applications can be used (e.g., Microsoft Outlook, Teams) but does not enforce device registration or compliance; a user could still access from an unmanaged device using an approved app. Option C is wrong because 'Block access' is an all-or-nothing control that would prevent access from all locations, including trusted ones, unless carefully scoped; it does not provide the conditional requirement of device registration. Option D is wrong because 'Require multi-factor authentication' only adds an authentication factor (e.g., phone call, app notification) but does not verify the device's registration or compliance status; a user could authenticate from an untrusted, unregistered device.

243
MCQ · medium

A security analyst uses Microsoft Defender for Cloud. They need to assess their Azure environment's compliance against the Payment Card Industry Data Security Standard (PCI DSS). Which dashboard in Defender for Cloud should they use to view the compliance status?

A. Secure Score
B. Security Alerts
C. Regulatory Compliance
D. Workbooks
Answer: C

This dashboard shows compliance status for selected regulatory standards, with detailed insights into which controls pass or fail.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud provides a pre-built assessment of your Azure environment against specific compliance standards, including PCI DSS. It maps your security controls to the requirements of the standard and shows a compliance score based on the results of continuous assessments. This is the correct tool for viewing compliance status against PCI DSS.

Exam trap

The trap here is that candidates may confuse Secure Score (which measures general security hygiene) with regulatory compliance scoring, but Secure Score does not map to specific standards like PCI DSS, while Regulatory Compliance does.

How to eliminate wrong answers

Option A is wrong because Secure Score measures your overall security posture based on implemented security controls, not compliance with a specific regulatory standard like PCI DSS. Option B is wrong because Security Alerts lists active threats and suspicious activities, not compliance status. Option D is wrong because Workbooks are customizable visualizations that can be built from Azure Monitor data, but they do not provide a pre-built, out-of-the-box compliance assessment against PCI DSS.

244
MCQ · hard

You run the above PowerShell script to change the access tier of all block blobs in the 'data' container from Cool to Hot. However, you receive an error that the operation is not allowed. What is the most likely reason?

A. The script incorrectly filters for BlockBlob instead of PageBlob.
B. The storage account is using a shared access signature (SAS) token that has expired.
C. The access tier cannot be changed from Cool to Hot after 30 days of creation.
D. The storage account's firewall is blocking the request from the current IP address.
Answer: D

If the storage account firewall denies access from the source IP, the operation will fail with an error like 'This request is not authorized to perform this operation'.

Why this answer

The script does not use -ErrorAction Stop and does not handle the case where the storage account firewall blocks access. Another common cause is a storage account that requires Azure AD authentication while the script authenticates with the storage account key (a context without explicit Azure AD credentials); however, the 'operation not allowed' error indicates that the storage account firewall is denying the request.

Option D is correct. Option A: the BlobType filter is correct. Option C: the access tier change is allowed.

Option B: the script does not use a SAS token.

245
MCQ · easy

Refer to the exhibit. You run the Azure CLI command to create a storage account. After creation, you need to ensure that the storage account can only be accessed using TLS 1.2. Does the command achieve this?

A.No, because the command does not include any TLS version parameter.
B.Yes, because the default minimum TLS version is 1.2.
C.Yes, because --min-tls-version 1.2 sets the minimum TLS version to 1.2.
D.No, because --https-only true only enforces HTTPS without specifying TLS version.
AnswerC

The parameter correctly enforces TLS 1.2 minimum.

Why this answer

Option C is correct. The --min-tls-version 1.2 parameter ensures that the minimum TLS version is 1.2, which effectively requires TLS 1.2 or higher. Option D is wrong because --https-only true enforces HTTPS but does not set a minimum TLS version.

Option A is wrong because the command does include the parameter. Option B is wrong because the command achieves this through the explicit parameter, not through a default.

246
Multi-Selectmedium

Your organization is using Microsoft Sentinel to centralize security data from multiple sources. You need to ensure that data from Azure Active Directory (now Microsoft Entra ID) logs is ingested. Which two of the following should you configure? (Choose two.)

Select 2 answers
A.Enable the Microsoft 365 Defender data connector in Sentinel.
B.Configure diagnostic settings in Microsoft Entra ID to stream audit and sign-in logs to a Log Analytics workspace.
C.Create a separate Log Analytics workspace for Microsoft Entra ID logs.
D.Enable the Microsoft Entra ID data connector in Sentinel.
E.Install the Log Analytics agent on domain controllers.
AnswersB, D

Diagnostic settings send logs to the workspace.

Why this answer

Option B and Option D are correct because Microsoft Entra ID logs are ingested via diagnostic settings, and the data connector in Sentinel is used to establish the connection. Option C is wrong because a Log Analytics workspace is required, but not a separate one. Option E is wrong because the Log Analytics agent is for VMs, not for Entra ID logs.

Option A is wrong because there is a specific connector for Entra ID.

247
MCQmedium

Your company uses Azure SQL Managed Instance. You need to ensure that all connections from clients use TLS 1.2 or higher. What should you configure?

A.Set the 'Minimal TLS version' property to 1.2 in the Managed Instance settings
B.Configure a firewall rule to block non-TLS 1.2 connections
C.Create an Azure Policy to require TLS 1.2 for all SQL Managed Instances
D.Enable the 'Force encryption' option on the client side
AnswerA

This setting enforces the minimum TLS version for client connections.

Why this answer

Azure SQL Managed Instance enforces TLS at the gateway level. To require a minimum TLS version, you set the 'Minimal TLS version' property to 1.2. Option A is correct.

Option B is wrong because firewall rules control IP access. Option D is wrong because forcing encryption on the client is separate from the TLS version. Option C is wrong because Azure Policy can audit but not enforce on the instance itself.

248
MCQeasy

A security administrator is troubleshooting network connectivity to an Azure virtual machine. The VM is behind a network security group (NSG) that has a deny-all inbound rule as the default. The administrator wants to quickly verify whether a specific TCP packet on port 3389 from their client IP (203.0.113.50) would be allowed or blocked by the NSG. Which Azure Network Watcher tool should they use?

A.Network Performance Monitor.
B.IP flow verify.
C.Next hop.
D.NSG diagnostics (flow logs).
AnswerB

This tool simulates a packet and evaluates NSG rules to determine if the traffic is allowed or denied. It provides immediate feedback for troubleshooting NSG issues.

Why this answer

IP flow verify is the correct tool because it tests whether a specific packet (source IP, destination IP, protocol, port) is allowed or denied by an NSG or virtual network (VNet) route. In this scenario, the administrator needs to quickly validate inbound TCP traffic on port 3389 from client IP 203.0.113.50 to the VM, and IP flow verify provides a pass/fail result along with the exact rule that caused the outcome.

Exam trap

The trap here is that candidates often confuse NSG flow logs (which provide historical traffic data) with the real-time diagnostic capability of IP flow verify, leading them to select NSG diagnostics (flow logs) instead of the correct tool for on-demand packet testing.

How to eliminate wrong answers

Option A is wrong because Network Performance Monitor is a tool for monitoring network latency, packet loss, and performance between endpoints, not for testing NSG rule evaluation for a specific packet. Option C is wrong because Next hop shows the next hop type and IP address for traffic from a VM, but it does not evaluate NSG rules or indicate whether a packet is allowed or blocked. Option D is wrong because NSG diagnostics (flow logs) record information about IP traffic flowing through an NSG after the fact, but they are not designed for real-time, on-demand verification of a single packet's allow/deny status.

249
MCQhard

You deploy Azure Private Link for an Azure SQL Database. You create a private endpoint in VNet1 and configure a private DNS zone 'privatelink.database.windows.net' linked to VNet1. Clients in VNet2 (peered to VNet1) can resolve the SQL server FQDN to the private IP, but connections fail. What is the most likely cause?

A.Private endpoint is in a 'Failed' provisioning state.
B.VNet2 does not have a route to the private endpoint's subnet.
C.Azure SQL Database's firewall rules block traffic from the private endpoint.
D.The private DNS zone is not linked to VNet2.
AnswerD

For clients in a peered VNet to resolve the private endpoint's FQDN, the private DNS zone must be linked to that VNet or they must use a custom DNS that can resolve it.

Why this answer

Private DNS zones linked to VNet1 are not automatically resolvable from peered VNets unless the DNS zone is also linked to VNet2 or VNet2 is configured to use a custom DNS server that can resolve the zone. The clients in VNet2 may resolve to the private IP, but the firewall or NSG may block traffic. However, the typical issue is DNS resolution not being propagated.

250
MCQhard

A security engineer configures a Microsoft Sentinel analytics rule to detect anomalous sign-ins from unfamiliar locations. The rule uses the following KQL query: SigninLogs | where RiskLevelDuringSignIn == 'medium' or RiskLevelDuringSignIn == 'high' | summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h). After enabling the rule, no alerts are generated even though the team expects many. What is the most likely cause?

A.The query groups by IP address and user, so true anomalies (new IPs) are not detected because they appear in separate groups.
B.The analytics rule is disabled due to a pricing tier downgrade.
C.The rule's trigger threshold is set too high (e.g., 100 events).
D.The SigninLogs data connector is not properly configured and is ingesting data with a 24-hour delay.
AnswerA

The query groups by IP, so each IP appears once; the rule doesn't compare against historical IPs.

Why this answer

Option A is correct because the query groups by UserPrincipalName, IPAddress, and hour; if the same user signs in from the same IP within the same hour, it is not anomalous, and nothing in the query compares the current IP against the user's historical IPs. Option B is wrong because the rule is enabled. Option C is wrong because no aggregation threshold is set.

Option D is wrong because the data connector might be slow but would still generate some alerts.

251
Multi-Selecthard

Which THREE of the following are required to configure Microsoft Entra ID self-service password reset (SSPR)?

Select 3 answers
A.Microsoft Entra ID P1 or P2 license
B.Microsoft Entra ID Premium P2 license
C.Password writeback must be enabled
D.Users must register for authentication methods
E.SSPR must be enabled in the tenant
AnswersA, D, E

SSPR requires a P1 or P2 license.

Why this answer

Microsoft Entra ID self-service password reset (SSPR) requires a Microsoft Entra ID P1 or P2 license because the SSPR feature is a premium capability that is not available in the Free or Office 365 app-only licenses. Without at least a P1 license, the tenant cannot enable or use SSPR for users. The P2 license adds additional protections like Identity Protection but is not strictly required for basic SSPR functionality.

Exam trap

The trap here is that candidates often assume password writeback is always required for SSPR, but it is only necessary when integrating with on-premises Active Directory; for cloud-only users, SSPR works without it.

252
MCQhard

A company has deployed Azure Firewall in a hub virtual network with forced tunneling enabled. Spoke virtual networks are peered to the hub. The security team reports that outbound traffic from the spoke VMs is bypassing the firewall. What is the most likely reason?

A.The Azure Firewall policy has an allow-all network rule.
B.Azure Firewall is deployed in the same virtual network as the spoke VMs.
C.The spoke virtual networks are not peered to the hub.
D.The spoke subnets do not have a route table with a default route (0.0.0.0/0) pointing to the Azure Firewall.
AnswerD

Without a UDR forcing traffic to the firewall, spoke VMs will use the default internet route, bypassing the firewall.

Why this answer

Forced tunneling (default route 0.0.0.0/0 to the firewall) must be set on the spoke subnets' route tables. If the spoke VMs' subnet does not have a route forcing traffic to the firewall, outbound traffic will use the default internet route instead.

253
Matchingmedium

Match each Azure RBAC role to its typical permission scope.


Full access to all resources including delegation

Create and manage resources but cannot grant access

View resources only

Manage user access to Azure resources

Manage security policies and view security alerts

Why these pairings

RBAC roles are fundamental to access control in Azure.

254
MCQeasy

A company uses Microsoft Defender for Cloud. They want to receive email notifications when a high-severity security alert is generated for any resource in the subscription. Which configuration should they make in Defender for Cloud?

A.Configure the 'Email notifications' setting in Defender for Cloud to send alerts to the required email addresses.
B.Create a workflow automation in Defender for Cloud that sends an email when a high-severity alert is generated.
C.Enable continuous export to stream all security alerts to a Log Analytics workspace and create an alert rule to send email.
D.Enable the 'Send email alerts' option in the Azure Monitor activity log alert rule.
AnswerA

This is correct. Defender for Cloud can be configured to email security alerts to a list of recipients based on severity.

Why this answer

Option A is correct because the 'Email notifications' setting in Microsoft Defender for Cloud allows you to directly configure email recipients to receive notifications for high-severity alerts. This built-in feature sends emails to specified addresses whenever a high-severity security alert is triggered for any resource in the subscription, without requiring additional automation or external tools.

Exam trap

The trap here is that candidates often confuse workflow automation (Option B) as the primary method for email notifications, but Microsoft Defender for Cloud has a dedicated 'Email notifications' setting specifically for this purpose, making it the simplest and correct configuration.

How to eliminate wrong answers

Option B is wrong because workflow automation in Defender for Cloud is designed to trigger automated actions (e.g., Logic Apps) in response to alerts, but it does not natively send email notifications; it requires a separate Logic App to send emails, making it more complex than the direct email notification setting. Option C is wrong because continuous export streams alerts to a Log Analytics workspace, but creating an alert rule to send email involves additional configuration and latency, and it is not the simplest or intended method for direct email notifications. Option D is wrong because Azure Monitor activity log alert rules monitor activity log events, not security alerts from Defender for Cloud; security alerts are not activity log entries, so this option would not capture high-severity alerts.

255
MCQeasy

You need to ensure that external users who are invited to collaborate via Microsoft Entra B2B can only access the applications assigned to them. Which configuration should you use?

A.Require guest users to register for MFA before accessing any applications.
B.Create a Conditional Access policy that applies to guest users and targets the specific applications.
C.Configure cross-tenant access settings to block all applications except those assigned.
D.Configure SharePoint external sharing settings to limit application access.
AnswerB

Conditional Access can restrict guest access to specific apps.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID can be scoped to guest/external users and specific applications, allowing you to enforce access controls such as requiring MFA or blocking access for unapproved apps. This directly meets the requirement to restrict B2B guest users to only the applications assigned to them, without affecting other sign-in behaviors or tenant-wide settings.

Exam trap

The trap here is that candidates confuse cross-tenant access settings (which manage trust and sharing at the tenant level) with per-application access control, leading them to choose Option C even though it cannot enforce app-specific restrictions for individual guest users.

How to eliminate wrong answers

Option A is wrong because requiring MFA for guest users does not restrict which applications they can access; it only adds an authentication step, not an authorization boundary. Option C is wrong because cross-tenant access settings control inbound/outbound trust and application access at the tenant level, not per-user or per-application assignment; blocking all except assigned apps would require granular app-level controls that cross-tenant settings do not provide. Option D is wrong because SharePoint external sharing settings only govern sharing of SharePoint and OneDrive content, not access to other Azure AD-integrated applications, and do not enforce application-level assignment restrictions.

256
MCQeasy

Your company uses Azure Firewall to protect a virtual network. The security team needs to allow outbound HTTPS traffic from a specific subnet to a set of FQDNs, such as '*.contoso.com', while blocking all other outbound traffic. Which type of Azure Firewall rule should they configure?

A.A network rule with destination port 443 and protocol TCP, and the destination IP address set to the resolved IPs of the FQDNs
B.An application rule with the 'Https' protocol and the target FQDNs set to '*.contoso.com'
C.A NAT rule that translates the source IP to a public IP and allows traffic to any destination on port 443
D.A DNAT rule that redirects outbound HTTPS traffic to an internal proxy server
AnswerB

Application rules are designed to allow or deny outbound traffic based on FQDNs. For HTTPS traffic, you can specify the target FQDNs and the protocol (Https). This is the correct configuration to allow traffic to specific domains while blocking others.

Why this answer

Option B is correct because Azure Firewall application rules are specifically designed to allow outbound HTTP/HTTPS traffic based on fully qualified domain names (FQDNs). By configuring an application rule with protocol 'Https' and target FQDNs set to '*.contoso.com', the firewall inspects the TLS Server Name Indication (SNI) extension to match the requested domain, allowing traffic only to the specified FQDNs while blocking all other outbound traffic.

Exam trap

The trap here is that candidates often confuse network rules (which filter by IP/port) with application rules (which filter by FQDN), leading them to choose Option A because they think resolved IPs are sufficient, ignoring the dynamic nature of FQDNs and the need for domain-level control.

How to eliminate wrong answers

Option A is wrong because network rules filter traffic based on source/destination IP addresses and ports, not FQDNs; using resolved IPs would break if the FQDNs resolve to dynamic IPs or multiple IPs, and it cannot enforce domain-level filtering. Option C is wrong because a NAT rule translates source IP addresses for outbound traffic but does not filter destinations; it would allow HTTPS traffic to any destination, not just '*.contoso.com'. Option D is wrong because a DNAT rule is used for inbound traffic (destination network address translation) to redirect incoming connections to an internal resource, not for outbound traffic filtering.

257
MCQhard

Refer to the exhibit. You are reviewing a custom Azure Policy definition that will be assigned to a subscription to audit storage accounts and Cosmos DB accounts. The policy is intended to check whether these resources use customer-managed keys (CMK) for encryption. However, when you test the policy assignment, it does not evaluate Cosmos DB accounts. What is the most likely reason?

A.The policy rule only includes 'Microsoft.Storage/storageAccounts' in the if condition; Cosmos DB is not evaluated because the policy definition is incomplete.
B.The policy mode is set to 'All', which excludes Cosmos DB resources.
C.The existence condition in 'auditIfNotExists' only checks for storage account encryption; it does not evaluate Cosmos DB encryption properties.
D.Cosmos DB does not support customer-managed keys; the policy cannot be applied to that resource type.
AnswerC

The existence condition is tied to the storage account encryption type; for Cosmos DB, the property path differs.

Why this answer

Option C is correct because the existence condition only references the storage account encryption type; it does not include a condition for Cosmos DB. Option D is wrong because Cosmos DB does support CMK. Option B is wrong because the policy mode 'All' evaluates resource types that are not explicitly excluded.

Option A is wrong because the policy already includes both resource types in the if condition.

258
MCQmedium

An organization uses Microsoft Defender for Cloud. They want to receive alerts when Azure virtual machines do not have disk encryption enabled. What should they configure to achieve this?

A.A custom alert rule in Microsoft Sentinel
B.A regulatory compliance standard in Defender for Cloud
C.A security policy recommendation in Defender for Cloud
D.An Azure Policy initiative
AnswerC

Defender for Cloud includes a recommendation for disk encryption. When a VM does not have encryption enabled, it appears as an unhealthy resource, triggering a security recommendation.

Why this answer

Option C is correct because Defender for Cloud's security policy recommendations include 'Disk encryption should be applied on virtual machines' as a built-in recommendation. When enabled, Defender for Cloud continuously assesses VMs against this recommendation and generates alerts for non-compliant resources. This is the native mechanism within Defender for Cloud to monitor and alert on missing disk encryption without requiring external tools or custom rules.

Exam trap

The trap here is that candidates often confuse Defender for Cloud's built-in security recommendations with Azure Policy initiatives, not realizing that Defender for Cloud automatically surfaces and alerts on missing disk encryption through its own recommendation engine, not through a separately created policy initiative.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR tool that ingests security data from multiple sources; while it can create custom alert rules, the question specifically asks for configuration within Defender for Cloud, and Sentinel is a separate Azure service. Option B is wrong because regulatory compliance standards in Defender for Cloud map to frameworks like CIS or PCI DSS and provide compliance scores, but they do not directly generate alerts for missing disk encryption; they only show compliance status. Option D is wrong because an Azure Policy initiative can enforce or audit disk encryption, but it does not generate alerts in Defender for Cloud; Defender for Cloud uses its own security recommendations, not Azure Policy initiatives, to surface alerts.

259
MCQmedium

A security team uses Microsoft Defender for Cloud. They have enabled the integrated vulnerability assessment (VA) solution on their Azure virtual machines. They want to receive alerts when a VM has a vulnerability rated 'Critical' by the VA solution. Which Defender for Cloud plan must be enabled on the subscription?

A.Defender for Servers Plan 1
B.Defender for Servers Plan 2
C.Defender for Cloud Apps
D.Defender for Storage
AnswerB

Plan 2 includes the integrated Qualys vulnerability assessment and generates security alerts for discovered vulnerabilities, including those rated 'Critical'.

Why this answer

Defender for Servers Plan 2 is required because it includes the integrated Qualys-based vulnerability assessment (VA) solution that continuously scans Azure VMs for vulnerabilities and provides security alerts when critical vulnerabilities are found. Plan 1 only offers basic threat detection and does not include the integrated VA scanner or the ability to generate alerts based on VA findings.

Exam trap

The trap here is that candidates often confuse Defender for Servers Plan 1 with Plan 2, assuming both include the integrated VA solution, but Plan 1 only provides basic threat detection and lacks the Qualys-based vulnerability scanning and alerting capabilities.

How to eliminate wrong answers

Option A is wrong because Defender for Servers Plan 1 provides only basic threat detection and does not include the integrated Qualys vulnerability assessment solution, so it cannot generate alerts for critical vulnerabilities from VA scans. Option C is wrong because Defender for Cloud Apps is a CASB (Cloud Access Security Broker) solution focused on SaaS application security and user behavior, not VM vulnerability scanning. Option D is wrong because Defender for Storage is designed to detect threats against Azure Storage accounts (e.g., blob, file shares) and has no capability to perform vulnerability assessments on virtual machines.

260
MCQeasy

You are implementing Microsoft Entra ID Protection. You need to detect and respond to risky user behaviors such as leaked credentials and anonymous IP address usage. Which feature should you enable?

A.Privileged Identity Management
B.Conditional Access policies
C.Risk policies
D.Identity Governance
AnswerC

Risk policies in Identity Protection detect and respond to risky behaviors like leaked credentials.

Why this answer

The correct answer is C: Risk policies. Microsoft Entra ID Protection provides risk policies (user risk and sign-in risk) that automatically detect and respond to risky behaviors. Option D (Identity Governance) manages access reviews and entitlement management.

Option A (Privileged Identity Management) manages just-in-time access for privileged roles. Option B (Conditional Access policies) can use risk signals but does not detect them.

261
Multi-Selecteasy

You need to secure traffic between an on-premises network and Azure using a VPN connection. Which TWO configurations are required?

Select 2 answers
A.Create a virtual network gateway (VPN)
B.Deploy Azure Firewall
C.Assign a public IP to the local network gateway
D.Provision an ExpressRoute circuit
E.Create a local network gateway
AnswersA, E

A VPN gateway is the Azure-side endpoint.

Why this answer

Option A is correct because a VPN gateway is needed in Azure. Option E is correct because a local network gateway represents the on-premises device. Option D is wrong because ExpressRoute is a different service.

Option B is wrong because Azure Firewall is not required for a VPN. Option C is wrong because the public IP of the VPN gateway is assigned automatically; the local network gateway only records the on-premises device's address.

262
Drag & Dropmedium

Drag and drop the steps to enable Azure Security Center's enhanced security features for a subscription into the correct order.


Why this order

Enhanced security is enabled per subscription under security policy.

263
MCQmedium

A security team uses Microsoft Sentinel. They want to create a playbook that automatically adds a tag 'isolated' to any Azure virtual machine that triggers a high-severity security alert. How should they configure the automation?

A.Create an analytics rule with an automated response
B.Create a playbook in Logic Apps and attach it to the alert as an automation rule
C.Use a workbook to trigger the playbook
D.Configure a data connector
AnswerB

Correct. Automation rules are configured to run playbooks when new incidents are created. The playbook then executes the logic to add the tag.

Why this answer

Option B is correct because Microsoft Sentinel playbooks are built on Azure Logic Apps and can be triggered by automation rules. An automation rule is configured to run when a high-severity alert is generated, and it invokes the playbook, which then uses the Azure Resource Manager connector to add the 'isolated' tag to the triggering virtual machine. This is the native, supported method for automated incident response in Sentinel.

Exam trap

The trap here is confusing analytics rule automated responses (which can only trigger playbooks or change alert properties) with the ability to directly modify Azure resources, leading candidates to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because analytics rules define detection logic and can have automated responses, but they are limited to simple actions like changing alert severity or running a playbook; they cannot directly add tags to Azure resources without a playbook. Option C is wrong because workbooks are visualization tools that display data from queries; they cannot trigger playbooks or execute automation actions. Option D is wrong because data connectors ingest log data from sources into Sentinel; they do not perform post-detection remediation actions like tagging VMs.

264
Multi-Selectmedium

You are securing an Azure SQL Database that contains personally identifiable information (PII). The solution must prevent unauthorized access to sensitive columns by privileged users (e.g., DBAs) and ensure that data is encrypted on the wire. Which three of the following should you implement? (Choose three.)

Select 3 answers
A.Enable Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault.
B.Enable Always Encrypted with column-level encryption for the sensitive PII columns.
C.Configure the Azure SQL Database firewall to block all public endpoints and allow only specific virtual network subnets.
D.Enable Azure SQL Database Auditing and set a retention policy of at least 90 days.
E.Enforce the use of TLS 1.2 or higher for all client connections to the database.
F.Create a database role with SELECT permissions on all tables and grant it to the DBA group.

Why this answer

Always Encrypted with column-level encryption is correct because it ensures that sensitive PII columns are encrypted at the client side and the encryption keys are never revealed to the database engine, preventing privileged users like DBAs from reading the plaintext data. Configuring the Azure SQL Database firewall to block public endpoints and allow only specific virtual network subnets is correct because it restricts network access to trusted sources, reducing the attack surface. Enforcing TLS 1.2 or higher for all client connections is correct because it ensures data is encrypted in transit, protecting against man-in-the-middle attacks and meeting the requirement for encryption on the wire.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with Always Encrypted, thinking TDE protects against privileged user access, but TDE only protects data at rest and does not prevent DBAs from viewing plaintext data when queries are executed.

265
MCQmedium

Refer to the exhibit. You assign this Azure Policy definition to a subscription containing a storage account that uses Microsoft-managed keys. What is the compliance state of the storage account?

A.Non-compliant
B.Compliant
C.Not evaluated because the policy is not assigned
D.Error: Policy effect 'audit' not supported
AnswerA

The policy requires keySource = Microsoft.Keyvault; the account has keySource = Microsoft.Storage.

Why this answer

Option A is correct because the policy audits storage accounts that do not have keySource = Microsoft.Keyvault. Since the storage account uses Microsoft-managed keys (keySource = Microsoft.Storage), it is non-compliant. Option B is wrong because the account is non-compliant.

Option C is wrong because the policy is assigned and evaluated. Option D is wrong because the policy uses the supported 'audit' effect, not deny.

266
MCQhard

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

A.The NVA does not have IP forwarding enabled on its network interface
B.The UDR on VNet-B must also include a route for the default route (0.0.0.0/0) to force all traffic through the NVA
C.VNet peering does not support user-defined routes
D.The NVA must be deployed in the same subnet as the source VMs in VNet-B
AnswerA

When an NVA is used as a next hop in a route table, it must have IP forwarding enabled. Without it, the NVA drops packets that are not destined for its own IP, effectively preventing traffic from being routed through it.

Why this answer

The most likely cause is that the NVA's network interface does not have IP forwarding enabled. In Azure, a network interface must have the 'Enable IP forwarding' setting enabled to allow the NVA to receive traffic not destined to its own IP address and forward it to the intended destination. Without this setting, the NVA drops any traffic that is not addressed to its own IP, so even though the UDR on VNet-B directs traffic to the NVA's private IP, the NVA cannot forward it to VNet-A, and the traffic instead takes the direct VNet peering path.

Exam trap

The trap here is that candidates often assume that simply configuring a UDR is sufficient to force traffic through an NVA, overlooking the mandatory IP forwarding setting on the NVA's NIC, which is a distinct Azure-specific requirement not present in on-premises routing scenarios.

How to eliminate wrong answers

Option B is wrong because adding a default route (0.0.0.0/0) would force all internet-bound traffic through the NVA, but the issue is specifically about traffic between VNet-B and VNet-A address space (10.0.0.0/16), which is already covered by the existing UDR; the problem is not the scope of the route but the NVA's inability to forward traffic. Option C is wrong because VNet peering fully supports user-defined routes (UDRs) on subnets in peered virtual networks; UDRs are a fundamental mechanism to override default peering routes. Option D is wrong because the NVA does not need to be in the same subnet as the source VMs; it can be in a different subnet or even a different VNet (as in this hub-spoke design), as long as IP forwarding is enabled and the UDR points to its private IP.

267
MCQhard

A security team uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. They notice that some controls are marked as 'N/A' even though they have relevant resources. What is the most likely reason?

A.The resources do not have the required custom assessment.
B.The compliance dashboard requires a Microsoft Purview Compliance Manager license.
C.The resources are in a subscription that is not included in the scope of the compliance standard.
D.The resources have not been manually claimed as compliant.
AnswerC

Scope determines which resources are assessed.

Why this answer

Option C is correct because the regulatory compliance dashboard only assesses resources that fall within the scope of the selected standard. Standards are assigned per subscription (or inherited from a management group), so resources in a subscription to which PCI DSS is not assigned are never evaluated and the related controls show as 'N/A'. Option A is wrong because the dashboard uses Microsoft's built-in assessments; custom assessments are an optional addition, not a prerequisite. Option B is wrong because the dashboard is part of Defender for Cloud and requires no Purview Compliance Manager license.

Option D is wrong because 'N/A' reflects assessment scope, not whether anyone has attested to the control; a control does not become 'N/A' because nobody has claimed it.

268
Multi-Selecthard

Which THREE capabilities are provided by Azure Storage Service Encryption (SSE) when using customer-managed keys?

Select 3 answers
A.Auditing of key usage via Azure Key Vault logs.
B.Client-side encryption of data before upload.
C.Automatic encryption of data at rest.
D.Ability to rotate keys periodically.
E.Control access to the storage account using RBAC.
AnswersA, C, D

Key Vault logs can track key access.

Why this answer

SSE with customer-managed keys encrypts data at rest automatically (option C), lets you rotate the key in Key Vault and re-wrap the account's data encryption key (option D), and records every wrap and unwrap operation in Key Vault diagnostic logs when logging is enabled (option A). Client-side encryption (option B) is a separate feature of the client SDKs in which the service never sees the plaintext.

Access control via RBAC (option E) is possible but belongs to the storage account's authorization model, not to SSE itself.

269
MCQeasy

You need to ensure that only approved iOS devices can access corporate email. Which Microsoft Intune policy should you configure?

A.Enrollment restriction
B.Device configuration policy
C.App protection policy
D.Device compliance policy
AnswerD

Device compliance policies enforce rules like requiring approved iOS devices.

Why this answer

The correct answer is D: Device compliance policy. A compliance policy defines the rules a device must satisfy (for example a minimum iOS version, no jailbreak detected, a passcode set) and marks the device compliant or non-compliant in Intune; a Conditional Access policy that requires a compliant device then turns that status into an access decision for email. Option C is wrong because app protection policies manage data inside apps, not device-level access.

Option B is wrong because configuration policies push settings; they do not evaluate or gate access. Option A is wrong because enrollment restrictions only limit which devices can enroll, whereas compliance governs ongoing access.

270
Multi-Selectmedium

Which TWO actions should you perform to implement Microsoft Entra ID Password Protection for an on-premises Active Directory environment? (Choose two.)

Select 2 answers
A.Install the Azure AD Password Protection DC agent on each domain controller
B.Enable password protection for the domain in the Azure portal
C.Enable password hash synchronization
D.Install Azure AD Connect
E.Configure password writeback
AnswersA, B

The DC agent is required to enforce password policies on-premises.

Why this answer

The correct answers are A and B. Password Protection for on-premises AD requires the DC agent on every domain controller (it evaluates password changes against the banned password list) and the 'Enable password protection on Windows Server Active Directory' setting in the Entra admin center. A Password Protection proxy service on a domain-joined server is also needed to fetch the policy from Entra ID, but it is not among the options. Option D (Install Azure AD Connect) is wrong because Password Protection does not depend on directory synchronization.

Option E (Configure password writeback) is wrong because writeback belongs to self-service password reset. Option C (Enable password hash synchronization) is wrong because hash sync feeds the cloud directory; it plays no part in on-premises enforcement.

271
MCQhard

You are designing a Microsoft Entra ID tenant for a multinational organization. The security team requires that all administrative users must use phishing-resistant MFA. Administrators are located in different regions and may use different devices. Which MFA method should you enforce?

A.FIDO2 security keys
B.SMS-based verification
C.Phone call verification
D.Microsoft Authenticator with OTP
AnswerA

FIDO2 security keys provide phishing-resistant authentication.

Why this answer

FIDO2 security keys are the only option listed that provides phishing-resistant MFA: they use public-key cryptography and the assertion is bound to the web origin the browser is actually on, so a credential obtained on a look-alike site cannot be used against the real one. This satisfies the security team's requirement for all administrative users, regardless of region or device, because FIDO2 keys are hardware-based and interoperable across platforms. Microsoft's 'phishing-resistant MFA' authentication strength also covers Windows Hello for Business, certificate-based authentication and passkeys in Microsoft Authenticator, none of which are offered here.

Exam trap

The trap here is that candidates often confuse 'multi-factor authentication' with 'phishing-resistant MFA', and select Microsoft Authenticator with OTP because it is a common MFA method, but it does not protect against real-time phishing where an adversary-in-the-middle site captures the OTP and relays it to the genuine sign-in page before it expires.

How to eliminate wrong answers

Option B is wrong because SMS-based verification is vulnerable to SIM-swapping and phishing attacks, and is not considered phishing-resistant. Option C is wrong because phone call verification relies on the PSTN network, which can be intercepted or spoofed, and does not provide phishing resistance. Option D is wrong because Microsoft Authenticator with OTP (time-based one-time password) is susceptible to phishing if the user is tricked into entering the OTP on a fake site, and it does not meet the phishing-resistant requirement.
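What 'bound to the web origin' means in practice, as an added example that is not part of the question bank: a relying-party check of the two fields in a WebAuthn (FIDO2) assertion that tie it to the genuine site, the origin in clientDataJSON and the rpIdHash in authenticatorData. The RP ID, the origin, the challenge and the 'phished' assertion are all constructed for illustration. Signature verification is omitted; in a real relying party it is mandatory and covers authenticatorData together with the hash of clientDataJSON, which is why an attacker cannot simply edit the origin field after the fact.

```python
import base64
import hashlib
import json

# Assumed relying party (RP) identity; for Entra ID the RP is the login service.
RP_ID = "login.microsoftonline.com"
EXPECTED_ORIGIN = "https://login.microsoftonline.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(page_origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simulate the browser/authenticator side of navigator.credentials.get().

    The browser writes the *real* page origin into clientDataJSON and only
    accepts an rp_id that is a registrable suffix of that origin's host, so a
    phishing page cannot ask the key for the genuine RP ID.  The authenticator
    puts sha256(rp_id) at the start of authenticatorData, then flags and counter.
    """
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    flags = 0x05  # UP (bit 0) and UV (bit 2) set
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(auth_data)}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """RP-side checks from the WebAuthn assertion verification procedure
    (ceremony type, challenge, origin, rpIdHash, user presence).
    Returns (accepted, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # A real RP now verifies the signature over auth_data || sha256(clientDataJSON)
    # with the stored public key and checks the signature counter did not go backwards.
    return True, "ok"


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed session nonce").digest()
    genuine = make_assertion(EXPECTED_ORIGIN, challenge, RP_ID)
    # Adversary-in-the-middle page on which the user completes the key ceremony.
    phished = make_assertion("https://login.microsoftonline.com.evil.example", challenge, "evil.example")
    print(verify_assertion(genuine, challenge))
    print(verify_assertion(phished, challenge))
```

Contrast this with an OTP: the code the user types carries no information about where it was typed, so the relying party cannot tell a relayed code from a genuine one. Here the relayed assertion fails on the origin (and would fail again on the rpIdHash), and a captured assertion reused later fails on the challenge.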

272
MCQmedium

A security operations team uses Microsoft Sentinel. They need to collect Syslog messages from on-premises Linux servers for analysis. Which data connector should they use to ingest these logs into Sentinel?

A.Azure Activity Log connector
B.Syslog connector via Log Analytics agent
C.Common Event Format (CEF) connector
D.Windows Security Events connector
AnswerB

This connector uses the Log Analytics agent on Linux to collect Syslog events and send them to Sentinel.

Why this answer

The Syslog connector via Log Analytics agent is the correct choice because it is what ingests standard Syslog from Linux hosts into the workspace's Syslog table. The agent configures the host's rsyslog or syslog-ng daemon to forward the selected facilities and severities to it over a local port, and the agent ships the events to the Log Analytics workspace with no format transformation. Note that the Log Analytics agent was retired in August 2024; the same connector now runs on the Azure Monitor Agent with a Syslog data collection rule, but the exam option still names the Log Analytics agent.

Exam trap

The trap here is that candidates often confuse the Syslog connector (for standard Syslog) with the CEF connector (for formatted security logs), mistakenly thinking CEF is required for any Linux Syslog ingestion, when in fact CEF is only needed for specific security appliances that output CEF-formatted logs.

How to eliminate wrong answers

Option A is wrong because the Azure Activity Log connector ingests subscription-level events from Azure's control plane (resource creation, policy changes, role assignments), not Syslog messages from on-premises Linux servers. Option C is wrong because the Common Event Format (CEF) connector is for security appliances that emit CEF-formatted events (firewalls, proxies, IDS/IPS) and needs a dedicated Linux log forwarder that receives those events on port 514 and parses the CEF header and extension into the CommonSecurityLog table; plain Syslog needs none of that. Option D is wrong because the Windows Security Events connector collects Windows Event Log data (specifically Security events) from Windows machines, not Syslog messages from Linux servers.
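The distinction the question turns on is visible in the bytes on the wire: both kinds of event travel over Syslog, but only one carries a CEF payload. The parser below is an added example, not code from the question bank or from Microsoft; the two log lines, the host names, the IP addresses and the vendor 'Contoso EdgeFW' are constructed. It decodes the RFC 3164 envelope, recognises a CEF payload, splits the seven pipe-delimited header fields (honouring the backslash escape for a literal pipe) and the key=value extension, and reports which Sentinel connector each line belongs to.

```python
import re

# Two constructed log lines as a Linux host's rsyslog would forward them.
# Line 1 is plain RFC 3164 Syslog (Syslog connector -> Syslog table).
# Line 2 carries a CEF payload from a hypothetical firewall 'Contoso EdgeFW'
# (CEF connector -> CommonSecurityLog table).  Hosts and IPs are made up.
SAMPLES = [
    "<86>Mar  3 09:14:02 web01 sshd[1342]: Failed password for invalid user admin "
    "from 203.0.113.9 port 51822 ssh2",
    "<134>Mar  3 09:14:05 fw01 CEF:0|Contoso|EdgeFW|4.2|1001|Connection denied|6|"
    "src=203.0.113.9 dst=10.0.1.4 dpt=445 msg=Blocked by rule 17 act=block",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<content>.*)$"
)
CEF_HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity"]


def parse_syslog(line: str) -> dict:
    """Decode the RFC 3164 envelope: PRI (facility*8 + severity), timestamp,
    host, and either 'TAG: MSG' or a bare CEF payload."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a Syslog line")
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    content = rec.pop("content")
    if content.startswith("CEF:"):
        rec["tag"], rec["msg"] = "", content  # CEF senders emit no TAG
    else:
        rec["tag"], _, rec["msg"] = content.partition(": ")
    return rec


def split_cef_header(payload: str):
    """Split the seven pipe-delimited header fields; a backslash-escaped pipe
    inside a field is a literal pipe and a doubled backslash a literal one."""
    fields, current, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            current.append(payload[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    return fields, payload[i:]


def parse_cef_extension(ext: str) -> dict:
    """key=value pairs; values may contain spaces, so split where ' key=' begins.
    An '=' inside a value must be escaped as backslash-equals per the CEF spec."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return out


def parse_cef(payload: str) -> dict:
    header, ext = split_cef_header(payload)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF payload")
    rec = dict(zip(CEF_HEADER_FIELDS, header))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["extension"] = parse_cef_extension(ext)
    return rec


def classify(line: str):
    """Return which Sentinel connector the line belongs to and the parsed record."""
    rec = parse_syslog(line)
    if rec["msg"].startswith("CEF:"):
        rec["cef"] = parse_cef(rec["msg"])
        return "CEF", rec
    return "Syslog", rec


if __name__ == "__main__":
    for line in SAMPLES:
        kind, rec = classify(line)
        print(kind, rec["host"], rec.get("cef", {}).get("name") or rec["msg"][:40])
```

The escaping rules are where home-grown CEF parsing usually breaks: a device name containing a pipe, or a URL containing '=' in an extension value, must be escaped by the sender, and a parser that splits naively on '|' or '=' silently shifts every subsequent field.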

273
Multi-Selectmedium

Your company uses Microsoft Defender for Cloud to protect Azure resources. You want to enable the 'Defender for Containers' plan to secure AKS clusters. Which two configurations are necessary? (Choose two.)

Select 2 answers
A.Assign the 'Kubernetes cluster should be accessible only through private endpoint' Azure Policy.
B.Connect the AKS cluster to Azure Arc.
C.Enable the 'Defender for Containers' plan in Microsoft Defender for Cloud.
D.Install the Log Analytics agent on each AKS node.
E.Ensure the AKS cluster's audit logs are enabled and streamed to a Log Analytics workspace.
AnswersC, E

The plan must be enabled for the subscription.

Why this answer

Options C and E are correct. Option C is correct because the Defender for Containers plan must be enabled on the subscription that holds the clusters. Option E is correct because the plan's control-plane detections depend on the Kubernetes audit log; for AKS, Defender for Cloud receives that stream through the platform once the plan is on, and the question treats it as the second requirement.

Option A is wrong because a private-endpoint policy hardens the API server but is not needed for the plan. Option B is wrong because Azure Arc is for connecting non-AKS clusters (on-premises or other clouds). Option D is wrong because you do not install the Log Analytics agent on nodes by hand; the plan's node-level protection is delivered by the Defender sensor, a DaemonSet that auto-provisioning deploys for you.

274
MCQhard

A company uses Azure Kubernetes Service (AKS) with a private cluster. Developers need to access the Kubernetes API server from their on-premises workstations without exposing it to the internet. What is the most secure solution?

A.Use Azure Front Door with Private Link to access the API server.
B.Enable the API server public endpoint and restrict access to the on-premises public IP.
C.Deploy Azure Bastion in the AKS VNet and use a jump box VM to access the API server.
D.Create a site-to-site VPN from on-premises to the AKS VNet and allow access from the on-premises IP range.
AnswerC

Bastion provides secure, audited access without public exposure.

Why this answer

Option C is correct because Azure Bastion brokers RDP/SSH sessions over TLS from the portal to a jump box that has no public IP, and the jump box, sitting in the AKS VNet (or in a peered VNet that can resolve the API server's private DNS zone), can reach the private API server; the VMs and the API server stay off the internet and the sessions are audited. Option D is wrong in the question's framing because a site-to-site VPN extends the whole on-premises network to the API server rather than limiting exposure to a single controlled host. Option B is wrong because enabling the public endpoint, even with an authorized IP range, defeats the purpose of a private cluster.

Option A is wrong because Azure Front Door is an HTTP(S) edge service for web applications, not an access path to a private API server.

275
Multi-Selectmedium

Your company has a hub-spoke network topology in Azure. The hub VNet contains an Azure Firewall. Spoke VNets are peered to the hub. You need to ensure that all outbound traffic from virtual machines in a spoke VNet passes through the Azure Firewall for inspection. Which two configurations are required? (Choose two.)

Select 2 answers
A.Configure a DNAT rule on Azure Firewall to translate outbound traffic
B.Create a new VNet peering between the spoke and hub
C.Configure an application rule or network rule on Azure Firewall to allow outbound traffic
D.Enable forced tunneling on the spoke VNet
E.Add a route table to the spoke subnet with a 0.0.0.0/0 route to the Azure Firewall private IP
AnswersC, E

Firewall rules define what outbound traffic is permitted.

Why this answer

Option E is correct because a route table with a default route (0.0.0.0/0) whose next hop is the firewall's private IP must be associated with the spoke subnet; otherwise the system route sends internet-bound traffic straight out. Option C is correct because Azure Firewall denies everything it is not explicitly told to allow, so a network rule (by IP, port and protocol) or an application rule (by FQDN) is needed before any outbound flow succeeds. Option B is wrong because the spoke is already peered to the hub.

Option A is wrong because DNAT rules translate inbound connections arriving at the firewall's public IP; outbound traffic is SNATed by the firewall automatically. Option D is wrong because forced tunneling refers to sending the firewall's own internet-bound traffic back to on-premises; the spoke's route table is what redirects spoke traffic.
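Both the NVA question above and this one come down to how Azure picks a route for a packet: longest prefix first, and when prefixes tie, user-defined routes beat BGP routes, which beat system routes. The evaluator below is an added example, not code from the question bank or from Microsoft; the topology (spoke VNet-B 10.1.0.0/16 peered to VNet-A 10.0.0.0/16, an appliance at 10.0.2.4) and the NIC inventory are constructed. It reproduces that selection order and then applies the one thing the route lookup never checks, the NVA NIC's IP forwarding flag.

```python
import ipaddress

# Constructed hub-spoke sample: spoke VNet-B (10.1.0.0/16) peered to VNet-A
# (10.0.0.0/16), with the NVA / Azure Firewall at 10.0.2.4 in VNet-A.
# Each route is (prefix, next hop, origin); origin decides ties between
# equal-length prefixes.
SYSTEM_ROUTES = [
    ("10.1.0.0/16", "VirtualNetwork", "system"),  # VNet-B's own address space
    ("10.0.0.0/16", "VNetPeering", "system"),     # added by the peering
    ("0.0.0.0/0", "Internet", "system"),
]
UDR_TO_NVA_FOR_VNET_A = [("10.0.0.0/16", "VirtualAppliance:10.0.2.4", "user")]
UDR_DEFAULT_TO_FIREWALL = [("0.0.0.0/0", "VirtualAppliance:10.0.2.4", "user")]

# Azure precedence when prefix lengths tie: user-defined, then BGP, then system.
PRECEDENCE = {"user": 0, "bgp": 1, "system": 2}

# Assumed NIC inventory for the appliance.  The flag models the
# 'Enable IP forwarding' NIC property, which route selection never consults.
NICS = {"10.0.2.4": {"name": "nva-nic", "enable_ip_forwarding": False}}


def select_route(destination: str, routes):
    """Longest-prefix match, then origin precedence; returns (prefix, next_hop, origin)."""
    dst = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(p), hop, origin) for p, hop, origin in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -PRECEDENCE[r[2]]))
    return str(best[0]), best[1], best[2]


def deliver(destination: str, routes, nics=NICS) -> str:
    """Apply the selected route, then the NIC-level check a virtual-appliance hop implies."""
    route = select_route(destination, routes)
    if route is None:
        return "no route"
    hop = route[1]
    if hop.startswith("VirtualAppliance:"):
        nic = nics.get(hop.split(":", 1)[1])
        if nic is None or not nic["enable_ip_forwarding"]:
            # Azure does not fall back to another route here; the packet is lost.
            return "dropped: appliance NIC has IP forwarding disabled"
        return "forwarded via " + hop
    return "delivered via " + hop


if __name__ == "__main__":
    # A /0 UDR never catches peered-VNet traffic: the /16 system route is more specific.
    print(select_route("10.0.5.7", SYSTEM_ROUTES + UDR_DEFAULT_TO_FIREWALL))
    # Equal /16 prefixes: the user-defined route wins over the peering system route.
    print(select_route("10.0.5.7", SYSTEM_ROUTES + UDR_TO_NVA_FOR_VNET_A))
    # Internet-bound traffic from the spoke goes to the firewall.
    print(select_route("8.8.8.8", SYSTEM_ROUTES + UDR_DEFAULT_TO_FIREWALL))
    print(deliver("10.0.5.7", SYSTEM_ROUTES + UDR_TO_NVA_FOR_VNET_A))
```

In a real environment the equivalent check is the NIC's effective routes (which show exactly which route won for each prefix) followed by the NIC's IP forwarding property; an Azure Firewall hop has no NIC of yours to inspect, so only the route half of this applies to it.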

276
MCQmedium

Your organization uses Microsoft Defender for Cloud's workload protection for Azure SQL databases. You notice that Defender for Cloud is not generating alerts for anomalous activities on a specific SQL database. The database is in a VNet with a service endpoint enabled for SQL. What should you verify first?

A.Ensure the service endpoint is configured correctly.
B.Enable Advanced Threat Protection on the Azure SQL Server.
C.Enable auditing on the SQL database.
D.Configure a firewall rule to allow Defender for Cloud IP addresses.
AnswerB

Correct: ATP must be enabled for alerts.

Why this answer

Option B is correct because Defender for SQL (still called Advanced Threat Protection in the question) must be enabled for the logical server before Defender for Cloud can raise anomaly alerts for its databases; with the Defender for Azure SQL plan enabled on the subscription it is on by default, so a server-level override is the first thing to check. Option C is wrong because auditing is not a prerequisite for threat detection alerts. Option A is wrong because the service endpoint governs which VNets may reach the server; it has no effect on Defender's server-side analysis.

Option D is wrong because Defender for SQL runs inside the service and needs no inbound firewall rule.

277
MCQmedium

Your company uses Azure SQL Database to store customer data. You need to ensure that database administrators cannot access sensitive columns (e.g., credit card numbers) even during maintenance. What should you implement?

A.Transparent Data Encryption
B.Dynamic Data Masking
C.Row-level security
D.Always Encrypted
AnswerD

Always Encrypted ensures encryption keys are held by the client, so DBAs cannot see plaintext.

Why this answer

Always Encrypted ensures that sensitive columns are encrypted by the client driver with keys the database never holds, so administrators, including a DBA running maintenance, see only ciphertext. Option D is correct. Option B is wrong because Dynamic Data Masking only obfuscates query results and can be bypassed by users with the UNMASK permission or by inference queries.

Option A is wrong because Transparent Data Encryption protects data at rest and is transparent to anyone who can query the database. Option C is wrong because row-level security filters rows, not columns.

278
MCQmedium

A company has two Azure virtual networks in different Azure regions that need to communicate with each other. The security policy mandates that all inter-region traffic must be encrypted over the public internet. Which connectivity solution should the company implement to meet this requirement?

A.VNet peering
B.Azure VPN Gateway (site-to-site connection)
C.Azure ExpressRoute
D.Azure Firewall
AnswerB

Azure VPN Gateway creates an encrypted IPSec tunnel over the public internet, ensuring data is encrypted in transit between the two VNets.

Why this answer

Azure VPN Gateway with a site-to-site (S2S) connection is the correct solution because it establishes an encrypted IPSec tunnel over the public internet between the two virtual networks. This meets the security mandate for encryption of inter-region traffic traversing the public internet, as IPSec provides confidentiality, integrity, and authentication at the network layer.

Exam trap

The trap here is that candidates assume VNet peering, because it is private and stays on the Microsoft backbone, is automatically encrypted. The peering itself does not encrypt traffic, and the question explicitly requires encryption over the public internet, which among the options only a VPN gateway provides.

How to eliminate wrong answers

Option A is wrong because VNet peering uses the Microsoft backbone network, not the public internet, and traffic is not encrypted by default; it relies on Azure's private network infrastructure, which does not satisfy the 'encrypted over the public internet' requirement. Option C is wrong because Azure ExpressRoute uses a dedicated private connection that bypasses the public internet entirely, so it does not meet the 'over the public internet' condition, and encryption is optional (e.g., via MACsec or IPsec over ExpressRoute). Option D is wrong because Azure Firewall is a stateful network security service that filters and inspects traffic but does not provide site-to-site VPN connectivity or encryption between virtual networks; it can be used in conjunction with a VPN gateway but is not a connectivity solution itself.

279
MCQeasy

You need to ensure that only approved applications can access your Azure storage account. What should you configure?

A.Use shared access keys for all storage account access.
B.Configure firewall rules to allow only specific virtual networks and IP addresses.
C.Assign Azure RBAC roles to the storage account.
D.Use private endpoints and disable public network access.
AnswerB

Firewall rules restrict network access to approved sources.

Why this answer

Storage account firewall and virtual network rules (with service endpoints for the listed VNets) restrict access to traffic from specific VNets and public IP ranges, which is how the question models 'approved applications'. Option A is wrong because shared access keys grant full access to whoever holds them and cannot distinguish one application from another. Option C is wrong in the question's framing because RBAC governs which identities may act, not which network locations may connect; in practice a managed identity per application with RBAC is the complementary control.

Option D is wrong because private endpoints give the account a private IP but still need firewall rules or identity-based authorization to say which callers are allowed.

280
MCQmedium

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access corporate email. You configure a Conditional Access policy targeting Exchange Online. Which grant control should you use?

A.Require multifactor authentication
B.Require device to be marked as compliant
C.Block access
D.Require hybrid Azure AD joined device
AnswerB

This grant control checks device compliance status from Intune.

Why this answer

Option B is correct because 'Require device to be marked as compliant' makes Conditional Access consult the compliance state Intune reports for the device and grant access only when it is compliant. Option A is wrong because requiring MFA proves the user, not the device's state. Option D is wrong because hybrid join only shows the device is domain-joined and registered; it says nothing about compliance with Intune policies.

Option C is wrong because blocking access would stop compliant devices too.

281
Multi-Selecthard

Which THREE components are required to implement a secure hybrid network that connects on-premises to Azure using ExpressRoute? (Choose three.)

Select 3 answers
A.Virtual network gateway in Azure.
B.ExpressRoute circuit.
C.Azure Firewall.
D.Azure VPN Gateway for failover.
E.Azure Front Door.
AnswersA, B, D

Required to terminate ExpressRoute connection.

Why this answer

Options A, B, and D are correct. The ExpressRoute circuit provides the private connectivity, an ExpressRoute-type virtual network gateway in Azure terminates the circuit's private peering into the VNet, and a VPN gateway with a site-to-site connection over the internet gives an encrypted failover path if the circuit is lost. Option C is wrong because Azure Firewall is an optional inspection layer, not part of the connectivity.

Option E is wrong because Azure Front Door is an HTTP(S) edge service and has no role in hybrid connectivity.

282
MCQeasy

Your company has deployed Microsoft Defender for Cloud in all subscriptions. You need to ensure that all Azure SQL databases are protected by Advanced Threat Protection (ATP). You want to enable ATP at the subscription level so that new databases are automatically protected. The security policy must be enforced to prevent administrators from disabling ATP on individual databases. What should you do?

A.Create an Azure Policy assignment using the built-in policy 'Advanced Threat Protection should be enabled on your SQL servers' with a 'Deny' effect.
B.Create a custom Azure Policy with a 'Deny' effect that prevents setting the Advanced Threat Protection setting to 'Disabled' on SQL databases.
C.Enable the 'Azure SQL databases' plan in Defender for Cloud at the subscription level.
D.Create an Azure Policy assignment that audits if Advanced Threat Protection is enabled on SQL databases, and remediate non-compliant resources.
AnswerB

A custom policy with Deny effect will block any attempt to disable ATP, enforcing the protection.

Why this answer

Option B is correct because it uses a custom Azure Policy with a 'Deny' effect to enforce that Advanced Threat Protection (ATP) cannot be disabled on any SQL database, including new ones. This approach ensures that the security policy is enforced at the subscription level, preventing administrators from turning off ATP on individual databases, which aligns with the requirement for automatic protection and enforcement.

Exam trap

The trap here is that candidates often confuse enabling a Defender for Cloud plan (which only activates threat detection) with enforcing a security configuration via Azure Policy, failing to realize that only a 'Deny' effect can prevent administrators from disabling ATP on individual databases.

How to eliminate wrong answers

Option A is wrong because the built-in policy 'Advanced Threat Protection should be enabled on your SQL servers' typically uses an 'AuditIfNotExists' or 'DeployIfNotExists' effect, not a 'Deny' effect, and it audits or deploys the setting rather than preventing its disablement. Option C is wrong because enabling the 'Azure SQL databases' plan in Defender for Cloud at the subscription level only activates the Defender for Cloud pricing tier and threat detection alerts, but it does not enforce ATP configuration on individual databases or prevent administrators from disabling it. Option D is wrong because auditing and remediating non-compliant resources only identifies and fixes non-compliance after the fact, but does not enforce the policy to prevent administrators from disabling ATP on individual databases.
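One concrete form the Option B definition can take, as an added example that is not from the question bank or from Microsoft: the policy rule JSON with a 'deny' effect, plus a toy evaluator that applies it to constructed request bodies so the difference between 'deny' (the write is rejected) and the audit effects (the resource is recorded as non-compliant afterwards) is visible. The alias 'Microsoft.Sql/servers/securityAlertPolicies/state', the server and database names, and the evaluator's semantics are assumptions; the real engine also handles parameters, 'exists', 'in', 'like', count expressions and more.

```python
import json

# Added example: a custom definition with a 'deny' effect.  The alias
# 'Microsoft.Sql/servers/securityAlertPolicies/state' is assumed here; confirm it
# with `az provider show --namespace Microsoft.Sql --expand resourceTypes/aliases`
# before assigning.  Mode is 'All' because securityAlertPolicies is a child
# resource without tags or location, which 'Indexed' mode would skip.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Deny disabling Defender for SQL on logical servers",
        "mode": "All",
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Sql/servers/securityAlertPolicies"},
                    {"field": "Microsoft.Sql/servers/securityAlertPolicies/state",
                     "notEquals": "Enabled"},
                ]
            },
            "then": {"effect": "deny"},
        },
    }
}


def _normalise(value):
    # Azure Policy string comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value


def _field(resource: dict, field: str):
    """Resolve 'type' or a '<resourceType>/<property path>' alias on a resource document."""
    if field == "type":
        return resource.get("type")
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return None
    node = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("/"):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def _matches(resource: dict, cond: dict) -> bool:
    if "allOf" in cond:
        return all(_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(resource, cond["not"])
    value = _normalise(_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _normalise(cond["equals"])
    if "notEquals" in cond:
        return value != _normalise(cond["notEquals"])
    raise ValueError("unsupported condition: " + json.dumps(cond))


def evaluate(resource: dict, definition: dict = POLICY_DEFINITION) -> str:
    """Toy engine: the outcome of a PUT/PATCH carrying this document.
    Returns the effect ('deny') when the rule matches, otherwise 'allow'."""
    rule = definition["properties"]["policyRule"]
    return rule["then"]["effect"] if _matches(resource, rule["if"]) else "allow"


# Constructed request bodies, as Resource Manager would see them.
ENABLED = {"type": "Microsoft.Sql/servers/securityAlertPolicies",
           "name": "sql-prod-01/Default", "properties": {"state": "Enabled"}}
DISABLED = {"type": "Microsoft.Sql/servers/securityAlertPolicies",
            "name": "sql-prod-01/Default", "properties": {"state": "Disabled"}}
UNRELATED = {"type": "Microsoft.Sql/servers/databases",
             "name": "sql-prod-01/orders",
             "properties": {"collation": "SQL_Latin1_General_CP1_CI_AS"}}

if __name__ == "__main__":
    for doc in (ENABLED, DISABLED, UNRELATED):
        print(doc["name"], "->", evaluate(doc))
```

Two caveats when assigning something like this for real. 'Deny' only acts on writes, so servers that are already disabled stay that way and merely show as non-compliant; pair it with the built-in DeployIfNotExists policy and a remediation task to fix the existing estate. And keep the deny narrow: enabling the Defender for Azure SQL plan on the subscription already turns the server setting on, so the deny's job is only to stop someone reverting it.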

283
Multi-Selectmedium

A company plans to implement a Zero Trust identity strategy using Microsoft Entra ID. Which TWO actions should be taken to enforce least-privilege access for administrative roles?

Select 2 answers
A.Configure Privileged Identity Management (PIM) to require approval for role activation
B.Implement Conditional Access policies requiring MFA for all administrative roles
C.Enable legacy authentication for administrative accounts
D.Set guest user permissions to the same level as employees
E.Assign permanent Global Administrator roles to all IT staff
AnswersA, B

PIM enables just-in-time access with approval, enforcing least-privilege.

Why this answer

Options A and B are correct. Using Privileged Identity Management for just-in-time, approval-gated activation of roles, and Conditional Access policies that require MFA for administrative roles, both follow the Zero Trust least-privilege principle. Option E is wrong because permanent Global Administrator assignment is the opposite of just-in-time access.

Option C is wrong because legacy authentication bypasses MFA and Conditional Access. Option D is wrong because raising guest permissions widens access rather than constraining it.

284
MCQhard

Refer to the exhibit. You are reviewing a custom Microsoft Entra role for an application developer. A developer reports that they cannot register an application even though they have the 'applications/create' permission. What is the most likely cause?

A.The developer is not a Global Administrator.
B.The developer does not have permission to consent to application permissions.
C.The role needs to be assigned at the root scope.
D.The role is not assigned to the developer.
AnswerB

Creating an app registration often requires consent capability; the role lacks consent-related actions.

Why this answer

The custom role grants microsoft.directory/applications/create (together with update and delete), which is enough to create the application object itself. The exhibit shows no consent-related action, however, and registering an application that requests API permissions on behalf of the tenant also requires the ability to grant that consent, which is a separate permission; that is the most likely blocker.

Option A is wrong because Global Administrator is not required to register applications. Option C is wrong because Entra custom application roles are assigned at tenant scope or scoped to an individual application; there is no 'root scope' requirement. Option D is wrong because the scenario states the developer holds the create permission, so the role is already assigned.

The exhibit does not include that consent action.

285
MCQhard

Your company uses Azure Firewall Premium with TLS inspection to filter outbound traffic from Azure VMs. Users report that some websites are not loading. You have configured the firewall to inspect traffic to *.microsoft.com. What is the most likely cause of the issue?

A.The firewall rule for *.microsoft.com is misconfigured.
B.The firewall cannot inspect HTTPS traffic.
C.The firewall is blocking HTTP traffic.
D.The client does not trust the certificate presented by the firewall during TLS inspection.
AnswerD

TLS inspection uses a generated certificate that must be trusted by the client.

Why this answer

Option D is correct. With TLS inspection, Azure Firewall Premium terminates the client's TLS session and presents a certificate it issues from the intermediate CA stored in Key Vault; unless that CA is in the client's trust store (distributed by Group Policy or Intune), the client rejects the certificate and the page never loads. Sites and apps that pin their certificates fail regardless of trust and have to be excluded from inspection. Option B is wrong because inspecting HTTPS is exactly what the Premium SKU does.

Option A is wrong because the rule allows the domain. Option C is wrong because the firewall does not block HTTP unless a rule says so, and the symptom is specific to HTTPS.

286
Multi-Selectmedium

Which THREE conditions can be used in a Microsoft Entra ID Conditional Access policy to control access based on sign-in risk? (Choose three.)

Select 3 answers
A.All
B.Low
C.None
D.Medium
E.High
AnswersB, D, E

Low sign-in risk is a valid condition.

Why this answer

Options B, D, and E are correct because Microsoft Entra ID Conditional Access lets you use sign-in risk as a condition, and 'Low', 'Medium' and 'High' are the risk levels that can trigger access controls. Sign-in risk is calculated by Identity Protection from real-time signals such as anonymous IP addresses, atypical travel or leaked credentials, and you can require multi-factor authentication or block access when the risk level meets or exceeds the selected threshold.

Exam trap

The trap here is that candidates may confuse the 'sign-in risk' condition with the 'user risk' condition (which also uses Low, Medium and High) or mistakenly think 'All' or 'None' are risk levels. The levels the condition offers are High, Medium and Low (the policy builder also lists 'No risk' for sign-ins Identity Protection scored as clean), so B, D and E are the three that control access by sign-in risk.

287
MCQhard

A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?

A.Enable the 'Secure transfer required' property on the storage account.
B.Configure a network security group (NSG) to allow only encrypted traffic.
C.Set the minimum SMB protocol version to 3.0 on the file share.
D.Create a service endpoint for the storage account.
AnswerA

Correct. Enabling 'Secure transfer required' forces clients to use SMB 3.0 with encryption (or HTTPS) when connecting to the Azure Files share, ensuring encryption in transit.

Why this answer

Enabling the 'Secure transfer required' property on the storage account enforces encryption in transit for all client connections, including SMB 3.x encryption for Azure Files. Without this setting, clients can connect using SMB 2.1, or SMB 3.x without encryption, even though the file share supports encryption. The property is a storage account-level flag that rejects any request not using HTTPS or encrypted SMB 3.x, so SMB 2.1 clients lose access entirely once it is on. Newer storage accounts additionally expose SMB security settings on the file service (allowed SMB versions, authentication methods and channel encryption algorithms) for finer control, but the account-level flag is what the question asks for.

Exam trap

The trap here is that candidates confuse protocol version enforcement (Option C) with encryption enforcement, not realizing that SMB 3.0 can be used without encryption unless the 'Secure transfer required' property is explicitly enabled.

How to eliminate wrong answers

Option B is wrong because a network security group (NSG) filters traffic at the network layer based on IP addresses and ports, but cannot inspect or enforce SMB encryption at the application layer; it would only block or allow traffic on port 445, not differentiate between encrypted and unencrypted SMB connections. Option C is wrong because setting the minimum SMB protocol version to 3.0 on the file share only restricts the protocol version, but SMB 3.0 can operate without encryption (encryption is an optional feature within SMB 3.0); this does not enforce encryption in transit. Option D is wrong because creating a service endpoint for the storage account secures traffic to the Azure backbone network but does not enforce encryption in transit; it only ensures traffic stays within the Azure network, leaving the connection potentially unencrypted.

288
MCQmedium

Refer to the exhibit. You ran the PowerShell command shown. Which statement about the network interface is true?

A.The network interface is part of an availability set.
B.The network interface is associated with a public IP address.
C.The network interface is configured with application security groups.
D.The network interface is attached to a virtual machine that is not accessible from the internet.
AnswerD

Without a public IP, the VM is not directly reachable from the internet unless behind a load balancer.

Why this answer

The output shows an empty PublicIpAddress field and no application security groups or load balancer pools. The NIC is in subnet 'web' with private IP 10.0.1.4. It is not associated with a public IP.

289
MCQmedium

A company uses Microsoft Defender for Cloud to secure its hybrid environment. The security team notices that many alerts are low severity and causing alert fatigue. They want to reduce noise without missing critical threats. What should they configure?

A.Manually dismiss each low-severity alert
B.Disable low-severity alerts in Microsoft Defender for Cloud
C.Configure security policies with severity-based suppression rules
D.Enable Microsoft Entra Permissions Management
AnswerC

Severity-based suppression rules reduce noise while maintaining visibility on critical alerts.

Why this answer

Option C is correct because suppression rules let the team stop specific low-value alerts from being raised while higher-severity alerts keep flowing. Option B is wrong because disabling every low-severity alert discards indicators that may matter in context. Option A is wrong because manually dismissing alerts is not scalable and does nothing for the next occurrence.

Option D is wrong because Microsoft Entra Permissions Management is for identity permissions, not alert suppression.

290
Multi-Selecteasy

A company stores sensitive financial records in Azure Blob Storage. They want to ensure that if a blob is deleted or overwritten, it can be recovered within 30 days. They also want to protect against accidental deletion of the storage account itself. Which two configurations should they implement? (Choose two.)

Select 2 answers
A.Enable blob soft delete with a retention period of 30 days
B.Enable storage account soft delete with a retention period of 30 days
C.Enable container soft delete with a retention period of 30 days
D.Enable blob versioning
AnswersA, B

Blob soft delete preserves deleted or overwritten blob objects for the specified retention period, allowing recovery within that window.

Why this answer

Blob soft delete (Option A) protects individual blobs by retaining deleted or overwritten blobs for a configurable period of 1 to 365 days, allowing recovery within that window. Option B covers the account level in the question's framing; note that in Azure a deleted storage account can be recovered only within a fixed window (14 days, and only if the account name has not been reused since), so a configurable 30-day retention does not exist for accounts, and the preventive control for accidental account deletion is a CanNotDelete resource lock. Together, the two options address the blob-level and account-level requirements the question poses.

Exam trap

The trap here is that candidates often reach for blob versioning instead of soft delete. Versioning does keep prior versions when a blob is overwritten or deleted, but it has no retention period (versions stay until you delete them or a lifecycle management rule removes them) and it does nothing for the storage account itself, so on its own it does not satisfy the 30-day, two-level requirement.

291
MCQhard

You are troubleshooting an Azure virtual machine that cannot access the internet. The VM is in a subnet with a route table that has a default route (0.0.0.0/0) with next hop 'Virtual appliance' pointing to the private IP of an Azure Firewall. The Azure Firewall has a DNAT rule to allow outbound traffic. You verify that the VM's NSG allows outbound traffic. What is the most likely cause of the issue?

A.Azure Firewall does not support SNAT for outbound traffic.
B.The route table does not have a default route.
C.The VM's NSG is blocking outbound traffic.
D.The Azure Firewall does not have an allow rule for outbound internet traffic.
AnswerD

Azure Firewall denies all traffic by default; an allow rule must be configured for outbound internet.

Why this answer

Option D is correct because Azure Firewall denies all traffic that no rule explicitly allows, so without a network rule or application rule permitting outbound internet traffic the VM's connections are dropped at the firewall; the DNAT rule mentioned in the scenario applies only to inbound connections arriving at the firewall's public IP and does nothing for outbound traffic. Option C is wrong because the scenario states the NSG allows outbound traffic.

Option B is wrong because the route table has a default route pointing at the firewall. Option A is wrong because Azure Firewall SNATs outbound traffic to its public IP by default.

292
MCQhard

A Microsoft Sentinel rule should run with minimal delay against supported data sources and produce alerts close to event time. Which rule type should be considered?

A.Fusion rule
B.Near-real-time analytics rule
C.Workbook query
D.Threat intelligence indicator import
AnswerB

Correct for the stated requirement.

Why this answer

Near-real-time (NRT) analytics rules in Microsoft Sentinel are designed to run at 1-minute intervals, providing the minimal delay for alert generation against supported data sources. This rule type queries data with low latency, ensuring alerts are produced close to the event time, which is critical for timely threat detection.

Exam trap

The trap here is that candidates often confuse near-real-time rules with scheduled analytics rules, assuming scheduled rules can be configured for minimal delay, but NRT rules are the only type that guarantees sub-5-minute latency without custom scheduling.

How to eliminate wrong answers

Option A is wrong because Fusion rules are correlation-based and use machine learning to detect multistage attacks, not designed for minimal delay or near-real-time alerting. Option C is wrong because workbook queries are for visualization and reporting, not for generating alerts or running with minimal delay. Option D is wrong because threat intelligence indicator import is a data ingestion process for bringing in threat indicators, not a rule type that runs queries to produce alerts.

293
Multi-Selectmedium

Which THREE components are required to implement Azure Virtual WAN with a secured virtual hub? (Choose three.)

Select 3 answers
A.Azure Firewall deployed in the virtual hub
B.ExpressRoute gateway in the virtual hub
C.Virtual hub
D.Network Virtual Appliance (NVA)
E.Virtual WAN resource
AnswersA, C, E

Azure Firewall provides security services in the secured virtual hub.

Why this answer

A secured virtual hub requires a Virtual WAN resource, a virtual hub inside it, and Azure Firewall deployed in that hub to provide the security services. A Network Virtual Appliance (NVA) is not required because Azure Firewall is the native security service. An ExpressRoute gateway is optional connectivity and is not required for a baseline secured hub.

294
MCQeasy

You need to provide secure remote access to Azure virtual machines for developers without exposing public IP addresses. The solution must authenticate users via Microsoft Entra ID and support multifactor authentication. Which service should you use?

A.Azure Front Door
B.Azure VPN Gateway
C.Azure Bastion
D.Azure Firewall
AnswerC

Azure Bastion provides secure, browser-based RDP/SSH without public IPs.

Why this answer

Option C is correct because Azure Bastion provides browser-based RDP/SSH access to VMs over TLS without exposing public IPs on the VMs, with Microsoft Entra ID authentication and MFA support. Option A is wrong because Azure Front Door is a global load balancer, not a remote-access service. Option B is wrong because VPN Gateway requires public IPs and client VPN software.

Option D is wrong because Azure Firewall does not provide remote access to VMs.

295
MCQmedium

A security operations team uses Microsoft Sentinel. They want to create an automation that automatically changes the severity of an incident from 'Medium' to 'High' when a specific indicator of compromise (IOC) is observed in the incident's entities. The playbook should run immediately when the incident is created. Which type of automation rule trigger should they configure?

A.When incident is created
B.When incident is updated
C.When alert is generated
D.Scheduled
AnswerA

This trigger fires automatically as soon as a new incident is created, allowing immediate execution of the playbook.

Why this answer

Option A is correct because the requirement specifies that the automation should run immediately when the incident is created. In Microsoft Sentinel, an automation rule with the trigger 'When incident is created' executes a playbook as soon as the incident is generated, before any updates occur. This allows the playbook to evaluate the incident's entities (e.g., IP addresses, hashes) and change the severity from 'Medium' to 'High' if a specific IOC is present, meeting the real-time response need.

Exam trap

The trap here is that candidates often confuse 'When alert is generated' with incident creation, not realizing that alerts are raw signals and incidents are the correlated case that can have severity changed, leading them to pick Option C instead of A.

How to eliminate wrong answers

Option B is wrong because 'When incident is updated' triggers only after an incident has been modified (e.g., status change, comment added), not at creation time, so it would not run immediately upon incident generation. Option C is wrong because 'When alert is generated' triggers on individual alerts, not incidents; incidents can aggregate multiple alerts, and the playbook needs to run at the incident level to change incident severity. Option D is wrong because 'Scheduled' triggers run on a recurring schedule (e.g., every hour), not in real-time upon incident creation, which fails the 'immediately' requirement.

296
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that when a user activates the Security Administrator role, they must provide a justification and the activation must be approved by a member of a specific security group. Which PIM setting should they configure?

A.Require approval to activate
B.Require multi-factor authentication
C.Require justification
D.Require Azure AD join
AnswerA

Correct. Enabling 'Require approval to activate' and specifying the security group as the approver meets the requirement for approval before activation.

Why this answer

Option A is correct because Azure AD PIM allows you to enforce approval workflows for role activation. By configuring 'Require approval to activate' and selecting the specific security group as the approver, you ensure that any user attempting to activate the Security Administrator role must first receive approval from a member of that group, in addition to providing a justification.

Exam trap

The trap here is that candidates often confuse 'Require justification' (a mandatory text field) with the approval workflow, thinking that providing a justification alone satisfies the approval requirement, when in fact a separate approver action is needed.

How to eliminate wrong answers

Option B is wrong because requiring multi-factor authentication (MFA) is a separate PIM setting that enforces additional authentication during activation, but it does not involve an approval workflow or a designated approver group. Option C is wrong because requiring justification is a mandatory text input during activation, but it does not introduce an approval step; the activation would proceed automatically after justification is provided. Option D is wrong because requiring Azure AD join is a device state requirement typically used for Conditional Access policies, not for PIM role activation approval workflows.

297
MCQmedium

A company wants to ensure that users can only access Microsoft 365 services (e.g., Exchange Online, SharePoint Online) from devices that are confirmed to be compliant with corporate security policies (e.g., encryption enabled, antivirus active). Which Azure AD policy type should they create?

A.Conditional Access policy with the 'Require compliant device' grant control.
B.Identity Protection policy with a sign-in risk policy.
C.Access review policy for groups.
D.Privileged Identity Management (PIM) activation policy.
AnswerA

This policy checks device compliance status (based on Intune policies) and blocks access if the device is not compliant.

Why this answer

A is correct because a Conditional Access policy with the 'Require compliant device' grant control enforces device-based access restrictions by checking the device's compliance status reported by Microsoft Intune. This ensures that only devices meeting corporate security policies (e.g., encryption enabled, antivirus active) can access Microsoft 365 services like Exchange Online and SharePoint Online.

Exam trap

The trap here is confusing device compliance (Conditional Access) with sign-in risk (Identity Protection), as both involve 'risk' or 'compliance' terminology but target fundamentally different aspects of security—device state versus authentication risk.

How to eliminate wrong answers

Option B is wrong because Identity Protection sign-in risk policies evaluate the likelihood that a sign-in attempt is unauthorized (e.g., from an anonymous IP or leaked credentials), not the compliance state of the device. Option C is wrong because Access review policies for groups manage periodic attestation of group memberships, not device compliance or access control. Option D is wrong because Privileged Identity Management (PIM) activation policies control the elevation of privileged roles (e.g., Global Admin) and do not enforce device compliance for service access.

298
MCQhard

A Conditional Access policy requiring compliant devices does not apply to Azure PowerShell access. Sign-in logs show the cloud app is excluded. What should be changed?

A.Disable device compliance in Intune
B.Convert the policy to a named location policy
C.Remove MFA from all users
D.Include the relevant cloud app or target all cloud apps after testing exclusions
AnswerD

Correct for the stated requirement.

Why this answer

Option D is correct because Conditional Access policies apply only to cloud apps explicitly included in the policy. Since Azure PowerShell is excluded, the policy does not enforce the 'Require device to be marked as compliant' condition for that app. To fix this, you must either include the specific cloud app (Microsoft Azure PowerShell) or set the policy to target 'All cloud apps' and then test exclusions to ensure the compliant device requirement is applied to Azure PowerShell access.

Exam trap

The trap here is that candidates may assume a Conditional Access policy applies to all cloud apps by default, but in reality, policies only apply to apps explicitly included, and exclusions take precedence over inclusions.

How to eliminate wrong answers

Option A is wrong because disabling device compliance in Intune would remove the compliance status altogether, breaking the policy's intent rather than fixing the exclusion issue. Option B is wrong because converting the policy to a named location policy would change the condition from device compliance to network location, which does not address the missing cloud app inclusion for Azure PowerShell. Option C is wrong because removing MFA from all users is unrelated to the cloud app exclusion; MFA is a separate control and removing it would weaken security without resolving the policy scope problem.

299
Matchingmedium

Match each Azure Sentinel feature to its purpose.


Concepts
Matches

Ingest logs from various sources

Define conditions to generate alerts

Visualize data with interactive dashboards

Group related alerts for investigation

Automate response actions using Logic Apps

Why these pairings

Azure Sentinel is a SIEM/SOAR solution for security operations.

300
MCQeasy

Your company has multiple Azure subscriptions and wants to use Microsoft Sentinel as a SIEM. You need to collect security events from all Azure VMs, including existing and future ones. What should you use?

A.Use the Azure portal to enable 'Security Center' on each VM.
B.Use Azure Automation Desired State Configuration (DSC) to push the agent.
C.Manually install the Log Analytics agent on each VM.
D.Create an Azure Policy assignment to deploy the Log Analytics agent.
AnswerD

Azure Policy can automatically deploy the agent to all VMs in scope.

Why this answer

Option D is correct because an Azure Policy assignment with the DeployIfNotExists effect automatically deploys the Log Analytics agent to every VM in scope, including VMs created later. Option C is wrong because manual installation is not scalable and does not cover future VMs. Option B is wrong because Azure Automation DSC is for configuration management, not for agent deployment at scale.

Option A is wrong because enabling Security Center from the portal is a manual, per-VM step.
