Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 301–375

1000 questions total · 14 pages · All types, answers revealed


Page 5 of 14

301
MCQ · medium

A security operations team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when an Azure virtual machine is created with a public IP address that is not in an approved list. Which type of rule should they use?

A. Scheduled query rule
B. NRT rule
C. Anomaly rule
D. Fusion rule
Answer: A

Correct. Scheduled query rules allow you to run a KQL query on a schedule and create incidents based on the results. This is ideal for checking new VM creations against an approved IP list.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a KQL query that runs on a recurring schedule (e.g., every 5 minutes) to detect when an Azure VM is created with a public IP not in an approved list. This rule type is designed for custom detection logic that requires periodic evaluation of log data, such as AzureActivity logs or Azure Resource Graph, making it ideal for this scenario.

Exam trap

The trap here is that candidates confuse NRT rules with scheduled query rules, assuming NRT's lower latency is always better, but NRT rules lack the ability to reference external data sources like watchlists for dynamic approved IP comparisons.

How to eliminate wrong answers

Option B (NRT rule) is wrong because near-real-time rules are designed for low-latency detection (up to 2 minutes) but do not support the complex KQL logic needed to cross-reference a dynamic approved list; they are better suited for simple, high-frequency patterns. Option C (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns in time-series data, not static comparisons against an approved list. Option D (Fusion rule) is wrong because fusion rules are prebuilt for multi-stage attack detection across different data sources, not for custom single-condition checks like VM creation with an unapproved public IP.

302
MCQ · hard

You are managing a Microsoft Entra ID tenant with external collaboration enabled. You need to restrict external user access to only the groups and applications they are explicitly granted. You also want to prevent external users from seeing other external users in the tenant directory. Which settings should you configure?

A. Set 'Guest user access restrictions' to 'Guest users have limited access...' and configure 'External collaboration settings' to restrict external user visibility
B. Use Microsoft Entra entitlement management to create access packages for external users
C. Configure cross-tenant access settings to block all external collaboration
D. Set 'Guest user access restrictions' to 'Guest users have same access as members'
Answer: A

This limits guest users to only objects they are assigned and prevents them from seeing other external users.

Why this answer

Option D is correct because collaboration restrictions limit external user visibility to groups and apps they are assigned, and external users can be restricted from seeing other users. Option A is wrong because guest user access restrictions control permissions but not visibility. Option B is wrong because cross-tenant access settings are for inbound/outbound trust.

Option C is wrong because entitlement management is for access packages.

303
MCQ · medium

You are deploying an Azure Disk Encryption set with the above ARM template snippet. What is the result of this configuration?

A. The disk uses only customer-managed key encryption
B. The disk encryption will fail because keyversion is empty
C. The disk uses only platform-managed key encryption
D. The disk uses double encryption with both platform-managed and customer-managed keys
Answer: D

Infrastructure encryption adds a platform-managed encryption layer.

Why this answer

Option A is correct: The `keySource` is `Microsoft.Keyvault`, indicating a customer-managed key. `infrastructureEncryption` is `Enabled`, meaning double encryption (platform-managed + customer-managed). Option B is wrong because `infrastructureEncryption` is enabled. Option C is wrong because keySource is Keyvault.

Option D is wrong because infrastructure encryption is enabled.

304
MCQ · medium

A company has an Azure SQL Database that stores personally identifiable information (PII) in columns. They need to encrypt those columns so that only authorized applications can decrypt the data, and even database administrators cannot view the plaintext. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they use?

A. Always Encrypted with deterministic encryption
B. Always Encrypted with randomized encryption
C. Transparent Data Encryption (TDE)
D. Dynamic Data Masking
Answer: A

Deterministic encryption supports equality comparisons because the same plaintext always produces the same ciphertext, allowing the database to perform WHERE clauses.

Why this answer

Always Encrypted with deterministic encryption is the correct choice because it encrypts PII columns at the client side, ensuring that even database administrators cannot view plaintext data. Deterministic encryption generates the same ciphertext for the same plaintext, which allows equality comparisons (WHERE clauses) on encrypted columns, meeting the requirement for query support.

Exam trap

The trap here is that candidates often confuse Always Encrypted with TDE, thinking TDE provides client-side encryption and column-level query support, but TDE only encrypts data at rest and does not prevent database administrators from seeing plaintext data in memory or during queries.

How to eliminate wrong answers

Option B is wrong because Always Encrypted with randomized encryption does not support equality comparisons; it produces different ciphertext for the same plaintext, making WHERE clauses impossible on encrypted columns. Option C is wrong because Transparent Data Encryption (TDE) encrypts data at rest (the entire database file) but does not protect data from database administrators who have access to the database engine, and it does not support column-level encryption or client-side key control. Option D is wrong because Dynamic Data Masking only obfuscates data at query results for unauthorized users, but the underlying data remains in plaintext in storage and can be accessed by administrators or through direct queries.

305
Matching · medium

Match each Azure policy effect to its behavior.


Descriptions:

Prevents resource creation or update that violates policy

Creates a warning event in activity log but allows request

Adds additional fields to the resource during creation or update

Adds, updates, or removes properties on a resource

Policy rule is ignored (used for testing)

Why these pairings

Policy effects determine how compliance is enforced.

306
MCQ · easy

A company uses Microsoft Defender for Cloud. They want to receive alerts when a virtual machine has a vulnerability that is rated 'Critical' by the integrated vulnerability assessment solution. Which Defender for Cloud plan must be enabled?

A. Defender for Servers plan (P2 or P1)
B. Defender for Cloud's free foundational CSPM
C. Defender for Storage plan
D. Defender for SQL plan
Answer: A

The Defender for Servers plan enables the integrated vulnerability assessment tool that scans VMs and generates alerts for critical vulnerabilities.

Why this answer

The integrated vulnerability assessment solution in Microsoft Defender for Cloud relies on the Qualys or Microsoft Defender Vulnerability Management (MDVM) agent, which is only available with the Defender for Servers plan. The P2 tier includes the full vulnerability assessment capabilities, while P1 provides foundational coverage; both can generate alerts for critical vulnerabilities. Without this plan, the vulnerability assessment engine is not active, so no critical alerts will be produced.

Exam trap

The trap here is that candidates often assume the free foundational CSPM includes vulnerability alerting because it provides a 'secure score' and recommendations, but it does not include the agent-based scanning required to generate critical vulnerability alerts.

How to eliminate wrong answers

Option B is wrong because the free foundational CSPM provides only basic security posture assessments and compliance checks, not the agent-based vulnerability scanning required to detect critical vulnerabilities. Option C is wrong because the Defender for Storage plan is designed to detect threats against Azure Blob, Azure Files, and Data Lake Storage, not to assess OS-level vulnerabilities on virtual machines. Option D is wrong because the Defender for SQL plan focuses on SQL database-specific threats (e.g., SQL injection, brute force) and does not include the vulnerability assessment agent for virtual machines.

307
Multi-Select · medium

You are a security engineer for a large enterprise. The company uses Azure Firewall Premium to inspect traffic. You need to enable TLS inspection for outbound HTTPS traffic from a subnet containing line-of-business applications. Which TWO configurations are required to accomplish this? (Choose two.)

Select 2 answers
A. Enable the TLS inspection feature in the Azure Firewall configuration.
B. Upload a trusted root certificate authority (CA) certificate to Azure Firewall.
C. Configure a custom DNS server on the Azure Firewall.
D. Disable SNAT on the Azure Firewall for the application subnet.
E. Create a firewall policy with a TLS inspection rule and associate it with the Azure Firewall.
Answers: B, E

Required for Azure Firewall to re-encrypt traffic after inspection.

Why this answer

Option A is correct: A root CA certificate must be uploaded to Azure Firewall for TLS inspection. Option B is correct: A firewall policy with TLS inspection rule must be created and associated. Option C is incorrect because TLS inspection does not require disabling SNAT.

Option D is incorrect because Azure Firewall does not support custom DNS for TLS inspection configuration. Option E is incorrect because the feature is not disabled by default; it requires explicit configuration.

308
MCQ · medium

A cloud security team wants Defender for Cloud to assess AWS accounts and GCP projects from the same portal used for Azure posture management. What should they configure?

A. Environment settings with multicloud connectors
B. Azure Arc-enabled Kubernetes only
C. Microsoft Sentinel data connector for AWS CloudTrail only
D. Azure Lighthouse delegation
Answer: A

Correct for the stated requirement.

Why this answer

Option A is correct because Defender for Cloud's multicloud connectors allow you to onboard AWS accounts and GCP projects directly into the Azure portal, enabling unified security posture management across all three cloud environments. This feature integrates with AWS Security Hub and GCP Security Command Center to aggregate findings and assessments into a single dashboard, without requiring any migration of workloads.

Exam trap

The trap here is that candidates confuse Defender for Cloud's multicloud posture assessment with Microsoft Sentinel's SIEM data connectors, assuming any cloud integration must go through Sentinel, when in fact Defender for Cloud has its own dedicated multicloud connector for posture management.

How to eliminate wrong answers

Option B is wrong because Azure Arc-enabled Kubernetes only extends Azure management to Kubernetes clusters running outside Azure, not to AWS accounts or GCP projects for cloud posture assessment. Option C is wrong because Microsoft Sentinel's data connector for AWS CloudTrail is designed for security information and event management (SIEM) ingestion, not for continuous cloud security posture assessment and compliance monitoring. Option D is wrong because Azure Lighthouse delegation is used for managing multiple Azure tenants from a single control plane, not for integrating non-Azure cloud providers like AWS or GCP.

309
MCQ · medium

A privileged administrator should activate the Security Administrator role only for approved work and for a limited time. What should be configured?

A. Permanent active assignment in Microsoft Entra ID
B. Eligible assignment with activation controls in Privileged Identity Management
C. Owner role at the subscription root
D. Conditional Access session persistence
Answer: B

Correct for the stated requirement.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure eligible assignments for roles like Security Administrator. This means the user must activate the role on demand, with time-bound activation controls (e.g., maximum activation duration, approval, MFA), ensuring the role is used only for approved work and for a limited time. This directly meets the requirement of just-in-time (JIT) access and temporary activation.

Exam trap

The trap here is that candidates often confuse permanent active assignments (Option A) with eligible assignments, mistakenly thinking that permanent assignment is sufficient if the user is trusted, but the question explicitly requires 'limited time' activation, which only PIM can enforce.

How to eliminate wrong answers

Option A is wrong because a permanent active assignment grants the role continuously without any time limit or activation requirement, violating the principle of limited-time access. Option C is wrong because the Owner role at the subscription root is an Azure RBAC role, not a Microsoft Entra ID administrative role, and it does not provide the Security Administrator permissions needed for identity security tasks; it also lacks time-bound activation controls. Option D is wrong because Conditional Access session persistence controls how long a user stays signed in (e.g., browser session persistence), not the activation or duration of a privileged role assignment.

310
Multi-Select · medium

You are designing network security for a three-tier application. You need to isolate each tier (web, application, data) and control traffic between them. Which TWO Azure services should you use to achieve this? (Choose two.)

Select 2 answers
A. Network Security Groups (NSGs)
B. VNet peering
C. Azure Policy
D. Azure Firewall
E. Application Security Groups (ASGs)
Answers: A, E

NSGs filter traffic between subnets or NICs.

Why this answer

Options A and C are correct. NSGs provide traffic filtering at the subnet or NIC level. ASGs allow grouping of VMs and referencing them in NSG rules.

Option B is wrong because Azure Firewall is a centralized firewall, but for simple tier isolation, NSGs and ASGs suffice. Option D is wrong because VNet peering connects VNets, not tiers within a VNet. Option E is wrong because Azure Policy does not enforce network traffic rules.

311
Multi-Select · hard

You are designing a secure network architecture for a multi-region application. You need to ensure that traffic between virtual networks in different Azure regions is encrypted and uses the Microsoft backbone network, and you must minimize latency. Which TWO configurations should you implement?

Select 1 answer
A. Enable 'Gateway transit' on the peering to use a VPN gateway if needed, but not required for encryption.
B. Configure VNet peering between the virtual networks.
C. Use Azure ExpressRoute with Microsoft peering.
D. Deploy Azure VPN Gateway in each region and connect them via site-to-site VPN.
E. Place an Azure Firewall in each region to inspect cross-region traffic.
Answers: B

VNet peering connects VNets using the Microsoft backbone and can be enabled globally.

Why this answer

Options A and B are correct. VNet peering uses the Microsoft backbone and supports encryption. Global VNet peering connects across regions.

Azure VPN Gateway would route over the internet, and ExpressRoute is an alternative but not required. Azure Firewall is for inspection, not connectivity.

312
Multi-Select · medium

Which TWO of the following are valid methods to secure outbound traffic from an Azure virtual network to the internet?

Select 2 answers
A. Azure Firewall
B. Azure NAT Gateway
C. Private endpoints
D. Service endpoints
E. Azure VPN Gateway
Answers: A, B

Can inspect and control outbound traffic.

Why this answer

Azure Firewall is a fully managed, cloud-native network security service that provides stateful inspection of outbound traffic. It can enforce application and network rules based on FQDN, IP addresses, ports, and protocols, making it a valid method to secure outbound internet traffic from an Azure virtual network.

Exam trap

The trap here is that candidates often confuse Azure NAT Gateway (which only provides outbound SNAT without security filtering) with Azure Firewall (which provides both SNAT and stateful inspection), or mistakenly think Service endpoints or Private endpoints can control outbound internet traffic.

313
MCQ · medium

You have configured the Conditional Access policy shown in the exhibit. Users report that they can still access Exchange Online using legacy authentication protocols. What is the most likely reason?

A. The policy should use 'Require MFA' instead of 'Block'
B. The policy does not include the correct client app types
C. The policy state is set to reporting mode
D. The policy should include 'mobileAppsAndDesktopClients' instead
Answer: C

Reporting mode does not enforce the block.

Why this answer

Option B is correct. The policy state is 'enabledForReportingButNotEnforced', meaning it only reports without blocking. Option A is wrong because legacy authentication is included.

Option C is wrong because other clients are included. Option D is wrong because it is a valid block policy.

314
MCQ · medium

You are deploying a web application in Azure that must be accessible only from your corporate network via HTTPS. You have an Azure Application Gateway with a Web Application Firewall (WAF) policy. Your corporate network uses public IP addresses from a specific range. Which configuration should you use to restrict access?

A. Configure a WAF policy with a custom rule to allow traffic only from the corporate IP range and deny all other traffic.
B. Create a network security group (NSG) on the subnet hosting the application gateway and allow only the corporate IP range.
C. Use Azure Front Door with a WAF policy and geo-filtering to allow only your country.
D. Set up a private endpoint for the application gateway and disable public access.
Answer: A

WAF custom rules can be used to whitelist source IP ranges, effectively restricting access to only the corporate network.

Why this answer

Option B is correct because Azure Application Gateway supports IP-based access control through WAF policies or network security groups. The other options either don't apply at the application gateway level or use incorrect methods.

315
Drag & Drop · medium

Drag and drop the steps to configure Azure AD Conditional Access policy to require MFA for all users into the correct order.


Why this order

Conditional Access policies require defining users and access controls before enabling.

316
MCQ · medium

Your organization uses Microsoft Entra ID. You need to manage access to a line-of-business application that supports SAML 2.0. The application should be integrated as an enterprise application in Entra ID. What steps must you take?

A. Configure user consent settings for the application
B. Register the application in App Registrations and configure SAML
C. Create a new enterprise application as a non-gallery app, configure SAML, assign users, and test
D. Add the application from the Azure AD gallery
Answer: C

This is the standard process for custom SAML apps.

Why this answer

Option C is correct because to integrate a line-of-business application that supports SAML 2.0 as an enterprise application in Microsoft Entra ID, you must create a new enterprise application using the 'Non-gallery application' option, configure SAML-based sign-on with the application's metadata, assign users or groups, and test the integration. This process allows you to define custom SAML attributes and claims specific to the application, which is necessary for non-gallery apps that are not pre-integrated.

Exam trap

The trap here is that candidates confuse App Registrations (used for OAuth/OpenID Connect) with Enterprise applications (used for SAML and gallery apps), leading them to choose Option B instead of correctly selecting the non-gallery enterprise application creation path.

How to eliminate wrong answers

Option A is wrong because configuring user consent settings controls whether users can consent to permissions for applications, but it does not create or integrate the enterprise application itself; consent settings are a separate administrative control. Option B is wrong because registering the application in App Registrations creates a service principal for custom-developed apps, but enterprise applications for SAML integration are created directly under 'Enterprise applications' in the portal, not via App Registrations; App Registrations is for OAuth/OpenID Connect apps, not SAML. Option D is wrong because adding the application from the Azure AD gallery is only possible if the application is pre-integrated and listed in the gallery; for a custom line-of-business application that supports SAML 2.0 but is not in the gallery, you must use the non-gallery option.

317
MCQ · medium

A company uses Microsoft Sentinel as its SIEM. The security team wants to automatically respond to phishing emails detected by Microsoft Defender XDR. They want to create a playbook that, when triggered, will delete the email from all recipients' mailboxes. Which integration should the playbook use?

A. Microsoft Graph API
B. Microsoft Power Automate
C. Exchange Online PowerShell
D. Microsoft 365 Defender API
Answer: A

Graph API can perform actions like deleting emails from mailboxes.

Why this answer

Option C is correct because Microsoft Graph API allows actions like deleting emails from mailboxes, and Sentinel playbooks can call Graph API. Option A is wrong because Microsoft 365 Defender API is for threat data, not mailbox actions. Option B is wrong because Exchange Online PowerShell is not directly callable from Sentinel playbooks.

Option D is wrong because Microsoft Power Automate is the platform, not the integration.

318
MCQ · medium

A Defender for Cloud secure score recommendation says storage accounts allow public blob access. What remediation best addresses the root issue?

A. Enable storage account static website hosting
B. Increase Log Analytics retention
C. Disable public blob access at the storage account level and review container ACLs
D. Create an Azure Front Door profile
Answer: C

Correct for the stated requirement.

Why this answer

The secure score recommendation indicates that storage accounts allow public blob access, which is a security risk. The root cause is that anonymous access is enabled at the storage account level, and individual container ACLs may also permit public access. Disabling public blob access at the storage account level (via the 'AllowBlobPublicAccess' property) immediately blocks all anonymous requests, and reviewing container ACLs ensures no residual permissions exist.

This directly addresses the vulnerability by enforcing a deny-by-default posture.

Exam trap

The trap here is that candidates may confuse the storage account-level public access setting with container-level ACLs, thinking that disabling one automatically disables the other, or they may mistakenly believe that enabling static website hosting or using Front Door can override or mitigate the public access vulnerability.

How to eliminate wrong answers

Option A is wrong because enabling static website hosting does not affect public blob access settings; it only serves static content from a specific container ($web) and does not remediate the security recommendation. Option B is wrong because increasing Log Analytics retention only extends the storage duration of diagnostic logs, which does not change access permissions or block anonymous blob access. Option D is wrong because creating an Azure Front Door profile is a content delivery and acceleration service that does not modify storage account access policies or disable public blob access.

319
MCQ · hard

Refer to the exhibit. You have an Azure Application Gateway WAF policy with the above JSON configuration. A user from IP address 10.1.2.3 reports they cannot access the web application. What is the most likely cause?

A. The WAF policy is in prevention mode and detected a SQL injection.
B. The WAF policy is set to detection mode and logs the request.
C. The custom rule is disabled due to a syntax error.
D. The custom rule blocks all private IP addresses.
Answer: D

Rule blocks RFC 1918 addresses including 10.0.0.0/8.

Why this answer

Option D is correct because the WAF policy blocks traffic from private IP ranges (RFC 1918). The user's IP is in the 10.0.0.0/8 range, so it is blocked. Option A is wrong because the rule is custom.

Option B is wrong because the action is Block, not redirect. Option C is wrong because the rule is not disabled.

320
MCQ · hard

You have configured Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You notice that sign-in logs for external guest users are not appearing in Sentinel. What is the most likely cause?

A. The diagnostic settings in Microsoft Entra ID are not configured to stream sign-in logs to the Log Analytics workspace used by Sentinel.
B. Microsoft Sentinel does not support ingestion of external guest user sign-in logs.
C. The Microsoft Sentinel Entra ID connector requires a separate connector for guest users.
D. Guest user sign-ins are not logged in Microsoft Entra ID.
Answer: A

To ingest sign-in logs, you must configure diagnostic settings in Entra ID to send logs to the workspace.

Why this answer

Sentinel ingestion of Entra ID logs requires diagnostic settings to be configured on the Entra ID tenant. By default, diagnostic settings are not enabled for external guest user sign-ins. Option C is correct.

Option A is not a requirement. Option B is incorrect because guest user sign-ins are logged but need diagnostic settings. Option D is incorrect because the connector does not filter by user type.

321
MCQ · medium

You manage Azure Storage accounts for a healthcare organization. To comply with HIPAA, you need to ensure that all data at rest is encrypted and that access keys are rotated automatically every 90 days. What should you implement?

A. Configure Azure RBAC roles for storage accounts.
B. Enable infrastructure encryption for storage accounts.
C. Generate new storage account access keys manually every 90 days.
D. Use customer-managed keys (CMK) in Azure Key Vault with automatic key rotation.
Answer: D

CMK with automatic rotation meets encryption and rotation requirements.

Why this answer

Customer-managed keys (CMK) with Azure Key Vault allow automatic key rotation. Option A is wrong because Azure RBAC doesn't handle encryption keys. Option B is wrong because infrastructure encryption is for double encryption, not key rotation.

Option D is wrong because shared access keys are not rotated automatically.

322
Multi-Select · easy

Which TWO Microsoft Defender for Cloud plans specifically provide threat detection for Azure Storage?

Select 2 answers
A. Defender for Storage
B. Defender for Servers
C. Defender for SQL
D. Defender for App Service
E. Defender for Storage (classic)
Answers: A, E

Correct: new plan for storage.

Why this answer

Option B is correct: Defender for Storage. Option D is correct: Defender for Storage (classic). Option A (Defender for Servers) is for VMs; Option C (Defender for SQL) is for databases; Option E (Defender for App Service) is for web apps.

323
MCQ · hard

You are deploying an Azure SQL Database with a security alert policy as shown in the exhibit. Which statement is true?

A. Alerts are enabled and notifications are sent to both account admins and admin@contoso.com.
B. Email notifications are sent only to admin@contoso.com.
C. Alerts are not retained because retentionDays is set to 30.
D. All alerts are disabled because disabledAlerts is empty.
Answer: A

State is Enabled, emailAccountAdmins true, and emailAddresses includes admin@contoso.com.

Why this answer

The policy enables alerts, sends email to admins and a specific address, and retains alerts for 30 days. Option D is correct. Option A is wrong because retentionDays is 30, not 0.

Option B is wrong because emailAccountAdmins is true. Option C is wrong because disabledAlerts is empty, so all alerts are enabled.

324
Multi-Select · easy

Which TWO are valid connection methods for Azure VPN Gateway? (Choose two.)

Select 2 answers
A. Point-to-Site
B. VNet-to-VNet
C. Site-to-Site
D. Azure Bastion
E. ExpressRoute
Answers: A, C

Connects individual clients to VNet via SSTP or IKEv2.

Why this answer

Point-to-Site (P2S) is a valid connection method for Azure VPN Gateway because it allows individual client computers to connect securely to an Azure virtual network from anywhere using the SSTP, IKEv2, or OpenVPN protocols. This method is ideal for remote workers who need encrypted access without requiring a site-level VPN device.

Exam trap

The trap here is that candidates often confuse VNet-to-VNet as a distinct connection method when it is actually a specific use case of Site-to-Site, and they may also mistakenly think Azure Bastion or ExpressRoute are VPN gateway connection types when they are separate Azure services with different purposes.

325
MCQ · medium

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks. The application consists of a single App Service instance. Which Azure DDoS Protection tier should they enable to meet this requirement while minimizing cost?

A. Basic
B. Standard
C. Premium
D. No protection is needed because Azure App Service is inherently protected against DDoS attacks.
Answer: A

DDoS Protection Basic is free and automatically included for all Azure resources. It provides protection against common network-layer attacks, making it the simplest and most cost-effective choice for a single web application.

Why this answer

Azure DDoS Protection Basic is automatically enabled at no additional cost for all Azure services, including App Service. It provides always-on traffic monitoring and real-time mitigation of common network-layer (Layer 3/4) attacks, such as SYN floods, UDP floods, and reflection attacks, which meets the requirement to protect the public-facing web application. Since the company wants to minimize cost and only needs Layer 3/4 protection for a single App Service instance, the Basic tier is sufficient.

Exam trap

The trap here is that candidates often assume Azure App Service has no built-in DDoS protection and that they must purchase a paid tier, but Azure DDoS Protection Basic is automatically enabled and free, making it the correct choice for cost-effective Layer 3/4 protection.

How to eliminate wrong answers

Option B is wrong because Azure DDoS Protection Standard is a paid tier that provides enhanced mitigation capabilities, including adaptive tuning, attack analytics, and protection for virtual networks, but it is not required for a single App Service instance and would incur unnecessary cost. Option C is wrong because Azure DDoS Protection does not have a Premium tier; the only two tiers are Basic and Standard. Option D is wrong because while Azure App Service benefits from the always-on Basic DDoS protection, it is not inherently protected beyond that baseline; the statement that 'no protection is needed' is misleading because Basic protection is already active and meets the requirement, but the option implies no protection exists, which is incorrect.

326
MCQhard

Your organization uses Azure Storage blobs to store sensitive documents. You need to enforce that all blob access must be via HTTPS and that storage account keys are rotated every 90 days. Which two actions should you take? (Each correct answer presents part of the solution.)

A.Configure an Azure Policy to require HTTPS
B.Use a PowerShell script to regenerate storage account keys every 90 days
C.Generate a shared access signature (SAS) with HTTPS only
D.Store storage account keys in Azure Key Vault and enable automatic rotation
E.Enable 'Secure transfer required' on the storage account
AnswerB, E

Enabling 'Secure transfer required' rejects unencrypted connections to the account, and a scheduled script (for example an Azure Automation runbook) regenerates the account keys every 90 days.

Why this answer

Option E is correct because 'Secure transfer required' is the storage-account setting that rejects plain-HTTP REST calls and unencrypted SMB, so every blob access must use HTTPS. Option B is correct because Azure Storage does not rotate account keys on its own; a PowerShell script that calls New-AzStorageAccountKey on a schedule is the straightforward way to regenerate them every 90 days. Rotate one key (key1 or key2) at a time and move clients to the other key before regenerating it, and set a key expiration policy on the account so overdue keys surface as findings in Azure Policy and Defender for Cloud.

Option A is wrong because Azure Policy can audit (or deny creation of) accounts that lack secure transfer, but the enforcement itself is the account setting in option E, and Policy cannot rotate keys. Option C is wrong because a SAS restricted to HTTPS constrains only holders of that token; it does not force HTTPS for key-based or Entra ID access to the account, and it has nothing to do with key rotation. Option D is wrong because a copy of the key stored as a Key Vault secret is just a copy: rotating the secret does not regenerate the key on the storage account, so the 90-day requirement is not met.
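The two actions above, as an added PowerShell example that is not part of the question bank or of any Microsoft sample: it enables secure transfer, records a 90-day key expiration policy, and rotates one key at a time. Resource names are placeholders; the verification at the end uses the property names the Az.Storage module returns for the account object.

```powershell
# Added example (not from the question bank): enforce HTTPS on a storage account
# and rotate its access keys one at a time. Requires Az.Accounts and Az.Storage;
# run after Connect-AzAccount. Resource names below are placeholders.

$rg      = 'rg-docs-prod'
$account = 'stdocsprod01'

# 1. 'Secure transfer required': plain-HTTP REST and unencrypted SMB are rejected.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -EnableHttpsTrafficOnly $true | Out-Null

# 2. Key expiration policy: keys older than 90 days are flagged by Azure Policy and
#    Defender for Cloud, which gives you an audit trail for the rotation SLA.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -KeyExpirationPeriodInDay 90 | Out-Null

function Invoke-StorageKeyRotation {
    <#
      Regenerates ONE key. Rotate key2 while clients use key1, repoint clients to
      key2, then call again for key1. Regenerating both at once breaks every client
      that still holds the old value. Returns $true when the key value changed.
    #>
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AccountName,
        [ValidateSet('key1', 'key2')] [string] $KeyName = 'key2'
    )
    $before = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName |
               Where-Object KeyName -eq $KeyName).Value

    New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -KeyName $KeyName | Out-Null

    $after = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName |
              Where-Object KeyName -eq $KeyName).Value

    # Never write the key material to logs; report only the outcome.
    return ($before -ne $after)
}

# 3. Rotate the standby key (schedule this in an Azure Automation runbook).
$rotated = Invoke-StorageKeyRotation -ResourceGroupName $rg -AccountName $account -KeyName 'key2'
Write-Output "Rotated key2: $rotated"

# 4. Verify both settings took effect.
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
[pscustomobject]@{
    HttpsOnly         = $acct.EnableHttpsTrafficOnly
    KeyExpirationDays = $acct.KeyPolicy.KeyExpirationPeriodInDays
}
```

Run the rotation function twice per cycle (key2, then key1) with a client cut-over in between; the expiration policy does not rotate anything by itself, it only makes a missed rotation visible.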

327
MCQeasy

You are deploying a virtual machine that will host a legacy application. The application writes temporary files to the local disk. You must ensure that any data written to the temporary disk is encrypted at rest with a platform-managed key. What should you do?

A.Enable encryption at host on the VM
B.Enable Azure Disk Encryption on the VM
C.Configure storage service encryption on the managed disk
D.Use Always Encrypted with secure enclaves
AnswerA

Encryption at host encrypts the temporary disk and the OS/data disk caches, using platform-managed keys by default.

Why this answer

Option A is correct because encryption at host encrypts data on the VM host before it is written to the temporary disk and to the OS/data disk caches, and it uses platform-managed keys by default (a customer-managed key can be selected through a disk encryption set, but the question asks for a platform-managed key). It is a VM property: the EncryptionAtHost feature must be registered on the subscription, the VM size must support it, and the VM must be deallocated to change the setting.

Option B is wrong because Azure Disk Encryption (BitLocker/dm-crypt) targets the OS and data disks with encryption keys kept in your own Key Vault rather than platform-managed keys, its coverage of the temporary disk depends on the guest OS, and it cannot be combined with encryption at host on the same VM. Option C is wrong because server-side encryption of managed disks covers the persisted disks only, never the temporary disk, which lives on the host. Option D is wrong because Always Encrypted with secure enclaves is an Azure SQL / SQL Server column-encryption feature unrelated to VM disks.
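The procedure behind option A, as an added PowerShell example that is not part of the question bank: it registers the feature, checks the two preconditions that usually trip people up (VM size support and no Azure Disk Encryption already present), and flips the setting while the VM is deallocated. Resource names are placeholders, and the capability and encryption-status property names are those returned by the Az.Compute module.

```powershell
# Added example (not from the question bank): turn on encryption at host for an
# existing VM so the temporary disk and disk caches are encrypted with
# platform-managed keys. Requires Az.Compute and Az.Resources; names are placeholders.

$rg = 'rg-legacy-app'; $vmName = 'vm-legacy-01'

# 1. Subscription-level feature flag (one time). Registration can take several minutes.
Register-AzProviderFeature -FeatureName EncryptionAtHost -ProviderNamespace Microsoft.Compute | Out-Null
while ((Get-AzProviderFeature -FeatureName EncryptionAtHost -ProviderNamespace Microsoft.Compute).RegistrationState -ne 'Registered') {
    Start-Sleep -Seconds 15
}

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 2. Preconditions: the size must support the feature, and ADE must not be on the VM.
$sku = Get-AzComputeResourceSku -Location $vm.Location |
       Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $vm.HardwareProfile.VmSize }
$supported = ($sku.Capabilities | Where-Object Name -eq 'EncryptionAtHostSupported').Value
if ($supported -ne 'True') {
    throw "Size $($vm.HardwareProfile.VmSize) does not support encryption at host; resize first."
}
if ((Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName).OsVolumeEncrypted -ne 'NotEncrypted') {
    throw 'Azure Disk Encryption is enabled on this VM; it cannot be combined with encryption at host.'
}

# 3. The property can only be changed while the VM is deallocated.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
Update-AzVM -ResourceGroupName $rg -VM $vm -EncryptionAtHost $true | Out-Null
Start-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null

# 4. Verify: the VM model should now report securityProfile.encryptionAtHost = true.
(Get-AzVM -ResourceGroupName $rg -Name $vmName).SecurityProfile.EncryptionAtHost
```

No Key Vault, key or extension is involved, which is the visible difference from Azure Disk Encryption: the keys are platform-managed unless you attach a disk encryption set.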

328
MCQeasy

A company has an Azure virtual network with subnets SubnetA and SubnetB. They deploy a network virtual appliance (NVA) in a subnet called NVA_Subnet. They want all traffic between SubnetA and SubnetB to be routed through the NVA for inspection. What is the minimum number of route tables and routes required?

A.One route table with a route for each subnet via the NVA
B.Two route tables, each with a route to the other subnet via the NVA
C.No route tables needed; enable IP forwarding on the NVA
D.One route table with a single default route (0.0.0.0/0) via the NVA
AnswerB

Each subnet gets its own route table containing one route for the other subnet's prefix, with next hop type VirtualAppliance and the NVA's private IP, so traffic in both directions is steered through the NVA.

Why this answer

Option B is correct because route tables are associated per subnet, and the routes in a table apply to traffic leaving that subnet. To steer SubnetA-to-SubnetB traffic through the NVA you need a route in SubnetA's table for SubnetB's address space with next hop the NVA's private IP, and for the return path a route in SubnetB's table for SubnetA's address space with the same next hop. Two tables with one route each is the minimal clean design. NVA_Subnet itself must not receive either table, or forwarded packets would loop back to the NVA, and the NVA's NIC needs IP forwarding enabled.

Exam trap

The trap here is assuming that a default route (0.0.0.0/0) via the NVA will capture inter-subnet traffic. Azure selects routes by longest prefix match, and the system route for the VNet address space is more specific than 0.0.0.0/0, so traffic between two subnets keeps going direct unless a user-defined route covers the destination subnet's prefix.

How to eliminate wrong answers

Option A is wrong for the design rather than because Azure forbids it: a single route table can be associated with several subnets, but a shared table containing routes for both prefixes would also send each subnet's own intra-subnet traffic to the NVA, and it gives you no way to treat the two directions differently; two tables with one route each is the intended minimum. Option C is wrong because IP forwarding on the NVA's NIC is necessary but not sufficient; without user-defined routes the VNet system route delivers SubnetA-to-SubnetB traffic directly, bypassing the NVA. Option D is wrong because a 0.0.0.0/0 route only captures traffic with no more specific match, in practice internet-bound traffic; the system route for the VNet address space is more specific and still wins, so inter-subnet traffic never reaches the NVA.
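The two-route-table design from option B, as an added PowerShell example that is not part of the question bank: it creates both tables, associates each with its own subnet, enables IP forwarding on the NVA's NIC, and reads back the effective route on a SubnetA VM. Subnet names, prefixes, the NVA address and NIC names are placeholders.

```powershell
# Added example (not from the question bank): two route tables, one route each,
# to push SubnetA <-> SubnetB traffic through an NVA. Names and prefixes are
# placeholders; NVA_Subnet deliberately gets no route table. Requires Az.Network.

$rg = 'rg-net'; $vnetName = 'vnet-prod'; $location = 'westus'
$prefixA = '10.0.1.0/24'; $prefixB = '10.0.2.0/24'; $nvaIp = '10.0.100.4'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

function New-NvaRouteTable {
    # One table, one route: traffic for $DestinationPrefix leaves via the NVA.
    param([string] $Name, [string] $DestinationPrefix)
    $rt = New-AzRouteTable -ResourceGroupName $rg -Name $Name -Location $location
    $routeName = 'to-' + ($DestinationPrefix -replace '[./]', '-') + '-via-nva'
    Add-AzRouteConfig -RouteTable $rt -Name $routeName -AddressPrefix $DestinationPrefix `
        -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp | Out-Null
    Set-AzRouteTable -RouteTable $rt
}

$rtA = New-NvaRouteTable -Name 'rt-subnetA' -DestinationPrefix $prefixB   # A -> B via NVA
$rtB = New-NvaRouteTable -Name 'rt-subnetB' -DestinationPrefix $prefixA   # B -> A via NVA

# Associate each table with its own subnet only.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'SubnetA' -AddressPrefix $prefixA -RouteTable $rtA | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'SubnetB' -AddressPrefix $prefixB -RouteTable $rtB | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# The NVA's NIC must accept packets that are not addressed to itself.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-nva-01'
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# Check from a SubnetA VM: the route for SubnetB should show NextHopType VirtualAppliance.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'nic-vmA-01' |
    Where-Object { $_.AddressPrefix -contains $prefixB } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

If the effective-route check still shows NextHopType VnetLocal for the other subnet's prefix, the table is not associated with the subnet the NIC sits in; if the NVA sees the packets but the destination never does, IP forwarding or the NVA's own forwarding configuration is the culprit.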

329
Multi-Selectmedium

You need to ensure that Microsoft Sentinel can detect threats across your Azure environment, including virtual machines, network traffic, and user activities. Which TWO data sources should you connect?

Select 2 answers
A.Windows Security Events via AMA
B.Azure DNS
C.Office 365
D.Azure Firewall
E.Azure Activity
AnswersA, E

Windows Security Events via AMA provides OS-level events from the VMs; Azure Activity provides the management-plane operations.

Why this answer

Options A and E are correct because together they cover the broad sources the scenario names: Windows Security Events via AMA streams the guest security log from virtual machines (logons, process creation, policy changes), and Azure Activity records subscription-level operations (who created, changed or deleted which resource), which is where user activity against Azure resources appears. Option B is wrong because Azure DNS has no dedicated Sentinel connector; the DNS connector covers Windows DNS servers via AMA. Option C is wrong because the Office 365 connector covers Exchange, SharePoint and Teams activity in Microsoft 365, not Azure resources or VMs. Option D is wrong because the Azure Firewall connector only captures traffic that transits the firewall, so on its own it gives no VM or user-activity coverage.

330
Multi-Selectmedium

Your organization uses Microsoft Sentinel to monitor security events. You need to configure automated response actions for incidents. Which TWO of the following can be used to trigger automated responses in Microsoft Sentinel?

Select 2 answers
A.Workbooks
B.Watchlists
C.Hunting queries
D.Automation rules
E.Playbooks (Azure Logic Apps)
AnswersD, E

Automation rules centrally manage automated responses to incidents, and playbooks (Logic Apps) are the workflows they run.

Why this answer

Options D and E are correct. Automation rules are the central place to define what happens when an incident is created or updated: change severity, assign an owner, add tags and, most importantly, run playbooks. Playbooks are Azure Logic Apps workflows with a Sentinel incident or alert trigger that perform the actual response, such as isolating a device through Defender for Endpoint or adding an IP to an Azure Firewall deny list. Option A is wrong because workbooks are interactive visualizations. Option B is wrong because watchlists are lookup data referenced from queries, not a trigger mechanism. Option C is wrong because hunting queries are run by analysts and do not fire automated responses.

331
MCQmedium

A company uses Microsoft Defender for Cloud to manage its security posture. The compliance team wants to monitor the subscription's compliance with the Payment Card Industry Data Security Standard (PCI DSS). They need to view a detailed compliance report and track progress over time. What should they do in Defender for Cloud?

A.Enable the relevant Defender for Cloud plans (e.g., Defender for Servers, Defender for SQL).
B.Add the PCI DSS standard from the regulatory compliance dashboard.
C.Create a custom regulatory compliance initiative based on PCI DSS controls.
D.Configure continuous export to send compliance data to a Log Analytics workspace.
AnswerB

Defender for Cloud provides built-in regulatory compliance standards. Adding PCI DSS from the dashboard enables the compliance monitoring and reporting for that standard.

Why this answer

Option B is correct because the regulatory compliance dashboard in Microsoft Defender for Cloud allows you to add built-in compliance standards like PCI DSS. Once added, the dashboard automatically assesses your subscription against the standard's controls, provides a detailed compliance report, and tracks progress over time with a compliance score and historical trend. This is the direct method to monitor PCI DSS compliance without needing to enable specific Defender plans or create custom initiatives.

Exam trap

The trap here is that candidates often confuse enabling Defender plans (which provide threat detection) with adding a compliance standard (which provides a compliance assessment), leading them to select Option A instead of the correct dashboard action in Option B.

How to eliminate wrong answers

Option A is wrong because enabling Defender for Cloud plans (e.g., Defender for Servers, Defender for SQL) provides security alerts and advanced threat protection but does not by itself add or display a PCI DSS compliance report; the regulatory compliance dashboard must be explicitly configured with the standard. Option C is wrong because creating a custom regulatory compliance initiative based on PCI DSS controls is unnecessary and more complex; Microsoft provides a built-in PCI DSS initiative that is automatically updated and maintained, and custom initiatives are typically used for organization-specific controls, not for adopting a standard already available in the dashboard. Option D is wrong because configuring continuous export to a Log Analytics workspace sends raw security data (e.g., alerts, recommendations) for external analysis or retention, but it does not generate or display the PCI DSS compliance report or track progress within Defender for Cloud's dashboard.

332
MCQhard

Refer to the exhibit. The JSON shows an NSG rule set applied to a subnet. The subnet contains a web server that should be accessible from the internet on port 443. Users report they cannot connect. What is the most likely cause?

A.There is no rule allowing HTTPS traffic
B.The 'AllowVNetInbound' rule allows traffic from the internet
C.The 'DenyInternetInbound' rule has a lower priority than 'AllowVNetInbound'
D.The 'DenyInternetInbound' rule blocks all internet traffic
AnswerD

No rule allows port 443 from the Internet, so the explicit 'DenyInternetInbound' rule (and, failing that, the default DenyAllInBound rule) drops the HTTPS traffic.

Why this answer

Option D is correct because the rule set contains an allow rule whose source is the VirtualNetwork service tag and a 'DenyInternetInbound' rule whose source is the Internet service tag covering all ports. NSG rules are evaluated in ascending priority number and processing stops at the first match; an inbound HTTPS packet from the Internet does not match 'AllowVNetInbound' (the VirtualNetwork tag covers the VNet address space and connected networks, not the public Internet) and therefore hits 'DenyInternetInbound'. The fix is an inbound allow rule for TCP 443 from Internet with a priority number lower (higher precedence) than the deny rule's.

Option A is wrong only in emphasis: it is true that no rule permits HTTPS, but the exhibit shows an explicit deny rule matching Internet traffic, so that rule is the direct cause; even without it the default DenyAllInBound rule would block the traffic. Option B is wrong because the VirtualNetwork tag never includes Internet sources. Option C is wrong because swapping the priorities of the two rules would change nothing: neither rule allows 443 from the Internet, so the deny rule (or the default deny) applies whichever order they are evaluated in.
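The fix described above, as an added PowerShell example that is not part of the question bank: it inserts an inbound allow rule for TCP 443 from the Internet at a priority that beats the deny rule, refusing to proceed if the chosen number would not, and then reads back the NSG and the effective rules on the web server's NIC. Names, the web server's private IP and the priority 110 are placeholders (the exhibit's deny rule is assumed to sit at a higher number).

```powershell
# Added example (not from the question bank): add the missing inbound allow rule
# for HTTPS from the Internet ahead of the deny rule, then read back the NSG and
# the effective rules on the web server's NIC. Requires Az.Network.

$rg = 'rg-web'; $nsgName = 'nsg-web-subnet'; $nicName = 'nic-web-01'
$webServerIp = '10.0.1.4'; $priority = 110          # placeholders

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Guard rails: the slot must be free, and the rule must land before every inbound
# deny that covers Internet sources (lower number = evaluated first).
if ($nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Priority -eq $priority }) {
    throw "Priority $priority is already used."
}
$firstInternetDeny = $nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Deny' -and $_.SourceAddressPrefix -contains 'Internet' } |
    Sort-Object Priority | Select-Object -First 1
if ($firstInternetDeny -and $firstInternetDeny.Priority -lt $priority) {
    throw "Deny rule '$($firstInternetDeny.Name)' at $($firstInternetDeny.Priority) would still win; pick a lower number."
}

Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-HTTPS-From-Internet' `
    -Description 'Public web server: TLS only' -Priority $priority -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix $webServerIp -DestinationPortRange 443 | Out-Null
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# The NSG in evaluation order.
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Access,
        @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } },
        @{ n = 'Port';   e = { $_.DestinationPortRange -join ',' } }

# What the NIC actually enforces (subnet NSG + NIC NSG merged, default rules included).
(Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $nicName).EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } | Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

The destination is pinned to the web server's address rather than '*' so the rule does not open 443 to every host in the subnet; the effective-rules call is the check to run when a NIC-level NSG might be overriding the subnet one.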

333
Multi-Selectmedium

A Sentinel detection should enrich alerts with business-critical asset context. Which two mechanisms are appropriate?

Select 2 answers
A.Join the query with a watchlist of critical assets
B.Delete low-severity incidents automatically
C.Map entities such as Host, Account, and IP in the analytics rule
D.Disable all built-in analytics templates
AnswersA, C

Watchlist joins and entity mapping are the two ways an analytics rule attaches asset context to the alerts it emits.

Why this answer

Option A is correct because watchlists in Microsoft Sentinel allow you to store and reference a curated set of critical asset identifiers (e.g., hostnames, IPs, account SIDs). By joining your analytics rule query with a watchlist, you can automatically enrich alerts with business-critical context, ensuring that incidents involving high-value assets are flagged with additional metadata. Option C is correct because mapping entities like Host, Account, and IP in the analytics rule definition enables Sentinel to extract and normalize these identifiers from raw log fields, which then allows playbooks, investigations, and threat intelligence to correlate alerts with asset context.

Exam trap

The trap here is that candidates often confuse incident management actions (like auto-deletion) with enrichment mechanisms, or they mistakenly think disabling templates is a valid configuration step, when in fact both options fail to provide the contextual data needed for alert enrichment.
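Both mechanisms together, as an added PowerShell example that is not part of the question bank or of any Microsoft content: the KQL joins SecurityEvent with a watchlist and projects columns named for entity mapping, the query is dry-run against the workspace, and a scheduled rule is created with the Az.SecurityInsights cmdlet. A watchlist with alias 'CriticalAssets' and columns HostName, Owner and Tier is assumed to exist; names are placeholders.

```powershell
# Added example (not from the question bank): a scheduled analytics rule whose
# KQL joins SecurityEvent with a watchlist of critical assets. Requires
# Az.SecurityInsights and Az.OperationalInsights; names are placeholders and the
# watchlist 'CriticalAssets' (HostName, Owner, Tier) is assumed to exist.

$rg        = 'rg-sentinel'
$workspace = 'law-sentinel-prod'

$kql = @'
let critical = _GetWatchlist('CriticalAssets')
    | project HostName = tolower(HostName), Owner, Tier;
SecurityEvent
| where EventID == 4625                                   // failed logon
| extend HostName = tolower(Computer)
| join kind=inner critical on HostName                    // keep only critical hosts
| summarize Failures = count(), Accounts = make_set(TargetUserName, 20)
    by HostName, Owner, Tier, SourceIp = IpAddress, bin(TimeGenerated, 10m)
| where Failures >= 10
| project TimeGenerated, HostName, Owner, Tier, SourceIp, Failures, Accounts
'@

# Dry run over the last day before wiring the query into a rule.
$wsId   = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace).CustomerId.ToString()
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $kql -Timespan (New-TimeSpan -Days 1)
$result.Results | Select-Object -First 5

# Scheduled rule: run every 10 minutes over the last 10 minutes, incident on any row.
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace -Scheduled `
    -DisplayName 'Brute force against business-critical host' `
    -Description 'Failed logons against hosts listed in the CriticalAssets watchlist' `
    -Severity High -Enabled -Query $kql `
    -QueryFrequency (New-TimeSpan -Minutes 10) -QueryPeriod (New-TimeSpan -Minutes 10) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 | Out-Null
```

After creation, map HostName to the Host entity, SourceIp to the IP entity and the first element of Accounts to the Account entity on the rule's entity-mapping settings, and surface Owner and Tier as custom details; the watchlist join is what puts those two columns in the result set, and the entity mapping is what lets the incident graph and playbooks act on them.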

334
MCQhard

Your organization uses Microsoft Entra ID and requires that all accesses to sensitive applications be approved by the application owner. You need to implement a solution where users can request access to these applications, and the request is automatically routed to the owner for approval. What should you configure?

A.Microsoft Entra roles and administrative units
B.Entitlement management access packages
C.Privileged Identity Management for groups
D.Cross-tenant access settings
AnswerB

Access packages in entitlement management let users request access and route the request to designated approvers, such as the application owner.

Why this answer

Option B is correct. Microsoft Entra entitlement management bundles the application (plus any groups or SharePoint sites) into an access package whose policy defines who may request it, who must approve (a named user, the resource owner or the requester's manager), and how long access lasts, so the request-and-approval flow is built in and audited. Option A is wrong because roles and administrative units scope administrative permissions; they give users no way to request application access. Option C is wrong because PIM for groups provides time-bound, approval-gated activation of group membership for privileged use, not a self-service catalog for application access. Option D is wrong because cross-tenant access settings govern B2B collaboration and trust with other Entra tenants.

335
MCQhard

Your organization has multiple Azure subscriptions connected via a hub-spoke topology using Azure Firewall in the hub. You need to ensure that traffic between spoke VNets is routed through the firewall for inspection. You configure user-defined routes (UDRs) on the spoke subnets. However, traffic between spokes is still bypassing the firewall. What is the most likely reason?

A.Azure Firewall does not support traffic between spoke VNets.
B.The UDR on the firewall subnet does not include the spoke address spaces.
C.The 'Allow gateway transit' setting is disabled on the spoke peering.
D.The 'Use remote gateway' setting is disabled on the spoke VNet peering.
AnswerD

The keyed answer is the spoke peering's 'Use remote gateway' setting; the caveat below explains what actually steers spoke-to-spoke traffic.

Why this answer

Option D is the keyed answer: the page's reasoning is that the spoke side of the peering must be configured to use the hub's gateway so the spoke relies on the hub for transit instead of routing around it. Option A is wrong because Azure Firewall routes and inspects spoke-to-spoke traffic whenever each spoke subnet's UDR sends the other spoke's prefix to the firewall's private IP. Option B is wrong because AzureFirewallSubnet needs no UDR for spoke-to-spoke traffic; the firewall returns packets to each spoke over the hub-to-spoke peering system routes. Option C is wrong because 'Allow gateway transit' is the hub-side flag and only concerns sharing the hub's VPN or ExpressRoute gateway.

Caveat for practitioners: 'Use remote gateway' only affects routes learned through the hub's VPN or ExpressRoute gateway (on-premises prefixes). What decides whether spoke-to-spoke traffic reaches the firewall is (1) a UDR on each spoke subnet whose prefix cov ers the other spoke, next hop the firewall's private IP (a 0.0.0.0/0 route is enough when the spokes are not peered to each other), (2) 'Allow forwarded traffic' enabled on the spoke-to-hub peerings so the spoke accepts packets the firewall forwards from a source outside the hub, and (3) no direct spoke-to-spoke peering, because the peering system route is more specific than a default route and wins by longest prefix match. When traffic takes an unexpected path, read the NIC's effective routes rather than guessing.
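The peering flags and spoke route that make spoke-to-spoke inspection work, as an added PowerShell example that is not part of the question bank: it sets 'Allow forwarded traffic' on both sides, adds the gateway flags only when the hub actually has a gateway, installs a default route to the firewall on the spoke subnet, and reads the effective routes on a spoke VM. Names, prefixes and the NIC name are placeholders.

```powershell
# Added example (not from the question bank): peering flags and the spoke route
# needed for spoke-to-spoke traffic to transit Azure Firewall in the hub.
# Assumes hub VNet 'vnet-hub' with firewall 'fw-hub' and spoke VNet 'vnet-spoke1'
# with subnet 'snet-workload'; the other spoke is 10.2.0.0/16. Requires Az.Network.

$rg = 'rg-network'; $location = 'westus'
$hub    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$spoke1 = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke1'
$fwIp   = (Get-AzFirewall -ResourceGroupName $rg -Name 'fw-hub').IpConfigurations[0].PrivateIPAddress

# Gateway flags are only valid when the hub really has a GatewaySubnet.
$hubHasGateway = [bool]($hub.Subnets | Where-Object Name -eq 'GatewaySubnet')

# Hub side: accept traffic the firewall forwards from other spokes.
$hubPeering = @{
    Name = 'hub-to-spoke1'; VirtualNetwork = $hub; RemoteVirtualNetworkId = $spoke1.Id
    AllowForwardedTraffic = $true
}
if ($hubHasGateway) { $hubPeering.AllowGatewayTransit = $true }
Add-AzVirtualNetworkPeering @hubPeering | Out-Null

# Spoke side: AllowForwardedTraffic is what lets firewall-forwarded packets in.
# UseRemoteGateways only governs on-premises routes and fails without a hub gateway.
$spokePeering = @{
    Name = 'spoke1-to-hub'; VirtualNetwork = $spoke1; RemoteVirtualNetworkId = $hub.Id
    AllowForwardedTraffic = $true
}
if ($hubHasGateway) { $spokePeering.UseRemoteGateways = $true }
Add-AzVirtualNetworkPeering @spokePeering | Out-Null

# Spoke route: with no spoke-to-spoke peering, a default route sends the other
# spoke's prefixes (and the internet) to the firewall. BGP propagation is off so
# on-premises routes cannot sneak past it.
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-spoke1' -Location $location -DisableBgpRoutePropagation
Add-AzRouteConfig -RouteTable $rt -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Out-Null
Set-AzRouteTable -RouteTable $rt | Out-Null
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke1 -Name 'snet-workload'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke1 -Name 'snet-workload' `
    -AddressPrefix $snet.AddressPrefix -RouteTable $rt | Out-Null
$spoke1 | Set-AzVirtualNetwork | Out-Null

# Diagnose: the effective route for the other spoke must point at the firewall.
# A route with Source 'VNetPeering' for that prefix means a direct peering bypasses it.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'nic-spoke1-vm01' |
    Where-Object { $_.AddressPrefix -contains '10.2.0.0/16' -or $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

Repeat the peering and route steps for the second spoke; the firewall then needs a network rule allowing the two spoke prefixes to talk, since it denies by default.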

336
Multi-Selectmedium

You have an Azure virtual network that hosts a critical application. You need to protect the virtual network from DDoS attacks. Which THREE actions should you take to implement a defense-in-depth approach?

Select 3 answers
A.Configure network security groups (NSGs) with deny-all inbound rules by default, then allow only necessary traffic.
B.Use Azure Private Endpoints for all Azure services to remove public endpoints.
C.Use Azure Web Application Firewall (WAF) on Application Gateway to protect web applications.
D.Deploy Azure Firewall with threat intelligence-based filtering.
E.Enable Azure DDoS Network Protection on the virtual network.
AnswersA, C, E

DDoS Network Protection mitigates volumetric attacks at the platform edge; NSGs shrink the exposed surface; WAF absorbs Layer 7 (HTTP) floods and application attacks.

Why this answer

Options A, C and E are correct. Azure DDoS Network Protection (formerly Standard) is the dedicated Layer 3/4 control: it learns a traffic profile for each protected public IP, tunes mitigation thresholds automatically, and adds attack analytics and cost protection. NSGs with deny-by-default inbound rules remove ports an attacker could target, and WAF on Application Gateway adds Layer 7 protection (rate limiting, bot rules, OWASP rule sets) that network-layer mitigation cannot see into. Option B is wrong because private endpoints reduce the exposure of PaaS dependencies, but the application itself still has a public endpoint that must be served. Option D is wrong because Azure Firewall inspects and filters traffic, which is valuable, but it is not a DDoS mitigation control and its own public IP needs DDoS protection.

337
MCQeasy

Your organization needs to securely connect an on-premises data center to Azure for disaster recovery. The connection must be encrypted and use the public internet. Which Azure service should you use?

A.Azure Front Door.
B.Azure ExpressRoute with private peering.
C.Azure VPN Gateway.
D.Azure DNS.
AnswerC

VPN Gateway provides encrypted site-to-site VPN over the internet.

Why this answer

Option C is correct because Azure VPN Gateway establishes IPsec/IKE site-to-site tunnels over the public internet, which matches both requirements (encrypted and internet-based). Option A is wrong because Azure Front Door is an HTTP(S) edge service for web applications, not a site-to-site connectivity option. Option B is wrong because ExpressRoute private peering is a private circuit through a connectivity provider that does not traverse the public internet and is not encrypted by default. Option D is wrong because Azure DNS only provides name resolution.

338
MCQmedium

Your company uses Azure SQL Database for a multitenant SaaS application. You need to ensure that one tenant cannot access another tenant's data, even if the application code has a bug. Which Azure SQL Database feature should you implement?

A.Dynamic Data Masking (DDM)
B.Azure SQL Database Auditing
C.Always Encrypted
D.Row-Level Security (RLS)
AnswerC

Always Encrypted keeps the column values encrypted inside the database engine; plaintext exists only in a client that holds the column master key.

Why this answer

Option C is the keyed answer: with Always Encrypted the database engine only ever holds ciphertext, so a database-side bug or a compromised query path cannot return another tenant's plaintext unless the caller also holds that tenant's column master key. The caveat a practitioner would add is that this isolation holds only when each tenant's columns are encrypted under a tenant-specific key that the application scopes per tenant; a single shared key decrypts every tenant's rows. Option D (Row-Level Security) is the feature Microsoft documents for multitenant row isolation, enforced by the engine through a security policy keyed on SESSION_CONTEXT; it is treated as wrong here because the application still has to set the tenant context correctly, so a bug in that one step leaks data. Option A (Dynamic Data Masking) only obfuscates query output and is defeated by anyone with UNMASK or by inference queries. Option B (Auditing) records access after the fact and prevents nothing.

339
MCQhard

You are designing a network security strategy for an Azure Kubernetes Service (AKS) cluster. You need to restrict egress traffic from the cluster to only allow connections to specific Azure services (e.g., Microsoft Container Registry, Azure Key Vault). The solution must minimize administrative overhead. What should you use?

A.Configure Azure Policy to deny egress to non-approved destinations.
B.Deploy Azure Firewall and use FQDN tags to allow traffic to Azure services.
C.Use Kubernetes network policies for egress.
D.Define NSG rules to allow outbound traffic to the service IP ranges.
AnswerB

FQDN tags simplify allowing traffic to popular Azure services without managing IPs.

Why this answer

Option B is correct because Azure Firewall application rules can reference FQDN tags (for example AzureKubernetesService, which covers the FQDNs an AKS cluster needs) alongside explicit FQDNs such as the container registry and Key Vault endpoints, so the allowlist is maintained by Microsoft rather than by you; the cluster's subnet gets a 0.0.0.0/0 route to the firewall and the cluster is created with user-defined routing as its outbound type. Option A is wrong because Azure Policy evaluates resource configuration at deployment and on a schedule; it does not filter packets leaving the cluster. Option C is wrong because Kubernetes network policies on AKS select egress destinations by IP/CIDR and pod labels, not by FQDN, so every change to an Azure service's IP ranges would have to be tracked by hand. Option D is wrong because NSGs match on IP, port and service tag only; there is no FQDN matching.

340
MCQeasy

A company deploys Azure Firewall to inspect and control outbound traffic from a virtual network. The security team wants to allow outbound HTTPS traffic only to specific FQDNs such as *.microsoft.com and *.windowsupdate.com, while blocking all other outbound internet access. Which type of rule should they configure in Azure Firewall to achieve this filtering?

A.Network Rule
B.Application Rule
C.NAT Rule
D.DNAT Rule
AnswerB

Application rules are designed to filter outbound traffic based on FQDNs, making them the correct choice for allowing traffic only to specific domains like *.microsoft.com.

Why this answer

Azure Firewall uses Application Rules to filter outbound traffic based on fully qualified domain names (FQDNs) for HTTP/HTTPS protocols. Since the requirement is to allow HTTPS traffic to specific FQDNs like *.microsoft.com and *.windowsupdate.com, an Application Rule is the correct choice because it can inspect the TLS Server Name Indication (SNI) extension to match the target FQDN, enabling granular allow/deny decisions for web traffic.

Exam trap

The trap here is that candidates often confuse Network Rules with Application Rules, mistakenly thinking that port 443 and IP addresses can achieve FQDN-based filtering, but Network Rules lack the ability to inspect the application layer (FQDN) and can only filter by IP/port, which is insufficient for domain-specific allowlisting.

How to eliminate wrong answers

Option A is wrong because Network Rules filter traffic based on source/destination IP addresses, ports, and protocols (TCP/UDP), not FQDNs, so they cannot selectively allow HTTPS to specific domain names. Option C is wrong because NAT Rules (Destination Network Address Translation) are used to translate inbound traffic to internal resources, not to filter outbound traffic. Option D is wrong because DNAT Rules are synonymous with NAT Rules in Azure Firewall and serve the same inbound translation purpose, not outbound FQDN filtering.
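The rule set that questions 339 and 340 describe, as one added PowerShell example that is not part of the question bank or of any Microsoft sample: an application rule collection using the AzureKubernetesService FQDN tag plus explicit HTTPS FQDNs, and a network rule collection for the non-HTTP dependencies an application rule cannot see. Names, the subnet prefix and the region are placeholders; the AKS subnet's 0.0.0.0/0 route to the firewall and the cluster's userDefinedRouting outbound type are assumed to be in place, and the tunnel/NTP ports follow the AKS outbound-rules documentation (check the current list before relying on them).

```powershell
# Added example (not from the question bank) serving questions 339 and 340:
# allow an AKS subnet egress to Azure services via the AzureKubernetesService
# FQDN tag and HTTPS to *.microsoft.com / *.windowsupdate.com; everything else
# is dropped by the firewall's implicit deny. Classic rule collections, Az.Network.

$rg = 'rg-network'; $fwName = 'fw-hub'; $region = 'WestUS'
$aksSubnet = '10.240.0.0/16'

$fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName

# Application rules: matched on the HTTP Host header or the TLS SNI, so they can
# allow by domain. The FQDN tag is maintained by Microsoft, so there is no IP upkeep.
$aksRule = New-AzFirewallApplicationRule -Name 'aks-required-fqdns' `
    -SourceAddress $aksSubnet -FqdnTag AzureKubernetesService
$updateRule = New-AzFirewallApplicationRule -Name 'microsoft-https' `
    -SourceAddress $aksSubnet -TargetFqdn '*.microsoft.com', '*.windowsupdate.com' -Protocol 'Https:443'
$appCollection = New-AzFirewallApplicationRuleCollection -Name 'allow-egress-fqdn' `
    -Priority 200 -Rule $aksRule, $updateRule -ActionType Allow

# Network rules: non-HTTP dependencies. Kept as separate rules so UDP 1194 and
# TCP 9000 are not cross-allowed.
$ntp = New-AzFirewallNetworkRule -Name 'ntp' -SourceAddress $aksSubnet `
    -DestinationAddress '*' -DestinationPort 123 -Protocol UDP
$tunnelUdp = New-AzFirewallNetworkRule -Name 'aks-tunnel-udp' -SourceAddress $aksSubnet `
    -DestinationAddress "AzureCloud.$region" -DestinationPort 1194 -Protocol UDP
$tunnelTcp = New-AzFirewallNetworkRule -Name 'aks-tunnel-tcp' -SourceAddress $aksSubnet `
    -DestinationAddress "AzureCloud.$region" -DestinationPort 9000 -Protocol TCP
$netCollection = New-AzFirewallNetworkRuleCollection -Name 'allow-egress-net' `
    -Priority 200 -Rule $ntp, $tunnelUdp, $tunnelTcp -ActionType Allow

$fw.AddApplicationRuleCollection($appCollection)
$fw.AddNetworkRuleCollection($netCollection)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Review what was written.
$fw.ApplicationRuleCollections | ForEach-Object { $_.Rules } |
    Select-Object Name, SourceAddresses, TargetFqdns, FqdnTags, Protocols
```

Network rules are evaluated before application rules, so a permissive network rule on TCP 443 would silently make the FQDN allowlist irrelevant; keep 443 out of the network rule collection and let the application rules decide by domain.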

341
MCQhard

Refer to the exhibit. You assign this policy to a subscription that already has a security contact configured with email 'admin@contoso.com'. What will be the outcome?

A.The policy will not modify the existing security contact because it already exists.
B.The policy will fail because the security contact already exists.
C.The subscription will become non-compliant because the email does not match.
D.The policy will overwrite the existing security contact with the one in the policy.
AnswerA

The existence condition looks for a securityContacts resource with a non-empty email; one already exists, so no deployment runs and the subscription is evaluated as compliant.

Why this answer

Option A is correct because deployIfNotExists evaluates the existence condition first and only runs the embedded ARM deployment when nothing matches it. A security contact with the non-empty email 'admin@contoso.com' already exists, so the condition is satisfied, no deployment is triggered, and the existing contact is left untouched. Option B is wrong because a satisfied existence condition is the normal compliant outcome, not a failure. Option C is wrong because compliance is decided by the existence condition (any non-empty email), not by comparing the email with the value in the policy's deployment template. Option D is wrong because overwriting would require the deployment to run, which it does not.

Two practical notes: a deployIfNotExists assignment needs a managed identity holding the role its deployment requires, and resources that existed before the assignment are only remediated when a remediation task is created; evaluation by itself only reports compliance.

342
MCQhard

A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?

A.No additional configuration is needed; Azure Files uses SMB encryption by default and cannot be disabled.
B.Enable 'Secure transfer required' in the storage account's configuration to enforce SMB 3.0 encryption.
C.Configure a network security group (NSG) rule to block SMB traffic on port 445 that does not use encryption.
D.Set the Azure Files share to use the 'Premium' performance tier; encryption is only available on premium shares.
AnswerB

When 'Secure transfer required' is enabled, the storage account accepts only encrypted connections (HTTPS and SMB 3.0 with encryption). For Azure Files, this means clients must use SMB 3.0 encryption to connect.

Why this answer

Option B is correct because enabling 'Secure transfer required' on the storage account enforces that all client connections use SMB 3.0 with encryption, which is necessary for end-to-end encryption in transit. Even though encryption at rest is configured with a CMK, the storage account does not automatically require encrypted connections; this setting explicitly denies unencrypted SMB 2.1 or SMB 3.0 without encryption.

Exam trap

The trap here is that candidates assume encryption at rest (CMK) automatically implies encryption in transit, but Azure requires a separate explicit setting ('Secure transfer required') to enforce SMB 3.0 encryption for all client connections.

How to eliminate wrong answers

Option A is wrong because Azure Files does not require SMB encryption by default; SMB 3.x encryption is negotiated only when the client supports it, and unencrypted sessions are rejected only once 'Secure transfer required' is on. Option C is wrong because an NSG filters on IP, port and protocol; it cannot tell an encrypted SMB session from an unencrypted one on port 445 and would block both. Option D is wrong because SMB encryption is available on standard and premium shares alike; the tier changes performance, not the encryption requirement.

343
MCQhard

An organization uses Microsoft Defender for Cloud. They want to implement just-in-time (JIT) VM access for a set of production VMs. However, the security team needs to ensure that JIT access requests are always approved by a manager before opening ports. Which configuration should they use?

A.Enable JIT in Defender for Cloud and configure a logic app to send approval emails
B.Use Azure AD Privileged Identity Management (PIM) for JIT activation
C.Enable JIT and configure a custom workflow automation with an approval step
D.Use Conditional Access with session controls
AnswerC

Defender for Cloud workflow automation runs a Logic App when a triggering event occurs; the Logic App can be built with an approval step (for example an Office 365 approval action) so that a manager authorizes the request before the JIT port-opening call is made.

Why this answer

Option C is correct because Microsoft Defender for Cloud's JIT VM access can be integrated with a custom workflow automation that includes an approval step. This allows the security team to enforce manager approval before ports are opened, meeting the requirement for a formal approval process. The workflow automation can trigger an Azure Logic App or other action that requires a designated approver to authorize the request.

Exam trap

The trap here is confusing Azure AD PIM (which manages role activation) with JIT VM access (which manages network port openings), leading candidates to incorrectly select PIM for VM-level access control.

How to eliminate wrong answers

Option A is wrong because while a logic app can send approval emails, it does not enforce a mandatory approval step before JIT access is granted; the JIT request would still be automatically approved unless the logic app is configured to block it, which is not a native capability. Option B is wrong because Azure AD PIM is designed for managing and approving privileged role activations, not for controlling JIT VM access requests to specific ports on VMs. Option D is wrong because Conditional Access with session controls governs access to applications and data based on conditions like location or device compliance, not for approving JIT port openings on VMs.

344
MCQmedium

A company uses Azure AD Conditional Access. They want to require multi-factor authentication (MFA) for all users accessing the Azure portal, but only when the sign-in risk level is medium or above. Which configuration should they use in the Conditional Access policy?

A.Assignments > Cloud apps > Include > Microsoft Azure Management, Conditions > Sign-in risk > Medium and above, Grant > Require MFA.
B.Assignments > Users > All users, Cloud apps > All cloud apps, Conditions > User risk > Medium, Grant > Require MFA.
C.Assignments > Conditions > Locations > All trusted locations, Grant > Require MFA.
D.Assignments > Cloud apps > Include > All cloud apps, Conditions > Device platforms > iOS, Grant > Require MFA.
AnswerA

This correctly targets the Azure portal and uses sign-in risk condition to trigger MFA.

Why this answer

Option A is correct because it specifically targets the Azure portal via 'Microsoft Azure Management' in Cloud apps, sets the sign-in risk condition to 'Medium and above', and requires MFA. This matches the requirement exactly: MFA is triggered only when accessing the Azure portal and the sign-in risk level is medium or higher.

Exam trap

The trap here is confusing 'User risk' with 'Sign-in risk' — user risk is a persistent score based on past user behavior, while sign-in risk is a session-level assessment, and the question explicitly requires the latter for the current sign-in event.

How to eliminate wrong answers

Option B is wrong because it uses 'User risk' instead of 'Sign-in risk' — user risk is based on historical user behavior, not the current sign-in session, and it applies to all cloud apps, not just the Azure portal. Option C is wrong because it uses 'Locations' with 'All trusted locations', which would require MFA from trusted locations regardless of risk, and does not target the Azure portal or sign-in risk. Option D is wrong because it targets 'All cloud apps' and 'Device platforms > iOS', which would require MFA for all iOS devices accessing any cloud app, not specifically the Azure portal based on sign-in risk.
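The policy from option A, as an added Microsoft Graph PowerShell example that is not part of the question bank or of any Microsoft sample. It is created in report-only mode first and excludes a break-glass group whose object ID is a placeholder; the application ID is the well-known one for Microsoft Azure Management. Sign-in risk conditions require Entra ID P2 (Identity Protection).

```powershell
# Added example (not from the question bank): Conditional Access policy that
# requires MFA for the Azure portal only when sign-in risk is medium or high.
# Requires Microsoft.Graph.Identity.SignIns; the break-glass group ID is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # Microsoft Azure Management
$breakGlassGroupId    = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access group

$policy = @{
    displayName = 'CA-AzurePortal-MFA-on-medium-signin-risk'
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs, then set to 'enabled'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)        # never lock out the emergency accounts
        }
        applications     = @{ includeApplications = @($azureManagementAppId) }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')            # 'Medium and above' in the portal
        # userRiskLevels is deliberately absent: that is the option-B mistake.
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created.Id

# Read back and confirm the condition is sign-in risk, not user risk.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    SignInRisk = $check.Conditions.SignInRiskLevels -join ','
    UserRisk   = $check.Conditions.UserRiskLevels -join ','
    Apps       = $check.Conditions.Applications.IncludeApplications -join ','
}
```

Leave the policy in report-only mode long enough to see which sign-ins would have been challenged; the 'What If' tool and the sign-in log's report-only tab both show the result without affecting users.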

345
MCQmedium

Your organization stores sensitive documents in Azure Blob Storage. You need to prevent data exfiltration by ensuring that authorized users can only access blobs from within the corporate network, and that any attempt to download blobs from outside the network is blocked. What should you configure?

A.Configure a storage account firewall to allow only the corporate IP range and deny all other traffic
B.Apply Azure Information Protection sensitivity labels to the blobs
C.Generate SAS tokens with a short expiration and distribute them to users
D.Assign Azure RBAC roles to users and require multi-factor authentication
AnswerA

Directly blocks access from outside the corporate network.

Why this answer

Option A is correct. The storage account firewall restricts the public endpoint to the listed public IP ranges (and, through service endpoints or private endpoints, to chosen virtual networks); requests from anywhere else are rejected regardless of the caller's credentials, which is exactly the network-location control the requirement asks for. Option B is wrong because sensitivity labels classify, and can encrypt, documents but do not control the network location of a blob download. Option C is wrong because a SAS token works from any network unless it carries an IP restriction, and a short expiry limits only the time window, not the location. Option D is wrong because Azure RBAC and MFA decide who may access, not from where.

Two caveats: the firewall accepts only public IP ranges, so on-premises traffic must arrive through the corporate NAT address and Azure-hosted clients need a VNet rule or a private endpoint; and the strongest form of the control is to disable public network access entirely and reach the account through a private endpoint over the corporate VPN or ExpressRoute.
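The configuration from option A, as an added PowerShell example that is not part of the question bank: deny by default, allow the corporate egress range, keep only the bypass needed for platform logging, and verify the result. Names are placeholders and 203.0.113.0/24 is a documentation range standing in for the corporate NAT address.

```powershell
# Added example (not from the question bank): restrict a storage account's
# public endpoint to the corporate egress range. Requires Az.Storage.

$rg = 'rg-docs'; $account = 'stdocsprod01'
$corporateRanges = @('203.0.113.0/24')     # placeholder: corporate NAT range

# Deny by default. Bypass keeps diagnostic logging/metrics working; add
# 'AzureServices' only if a trusted Microsoft service must reach the account.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass Logging, Metrics | Out-Null

foreach ($range in $corporateRanges) {
    # The firewall accepts public IPv4 ranges only; RFC 1918 addresses are rejected,
    # so Azure-hosted clients need a VNet rule or a private endpoint instead.
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange $range | Out-Null
}

# Read back and fail loudly if the account is not in deny-by-default mode.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
if ($ruleSet.DefaultAction -ne 'Deny') { throw 'Storage firewall is not in deny-by-default mode.' }
$ruleSet.IpRules | Select-Object IPAddressOrRange, Action
```

Expect the portal's own blob browser to stop working from outside the range as well; administrators either work from the corporate network or use a VNet rule for a jump host.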

346
Drag & Dropmedium

Drag and drop the steps to create an Azure Key Vault firewall rule to allow access from a specific virtual network into the correct order.


Why this order

The firewall configuration is under networking, and you must add the virtual network to allow traffic.

347
Multi-Selecthard

Which three security configurations should you apply to an Azure SQL Database to meet a requirement for data protection at rest and in transit?

Select 3 answers
A.Enable Microsoft Defender for Azure SQL.
B.Use Always Encrypted for sensitive columns.
C.Enable Transparent Data Encryption (TDE).
D.Configure firewall rules to allow only trusted IP addresses.
E.Enable Azure SQL Auditing.
AnswersB, C, D

TDE covers data at rest, the firewall limits who can reach the endpoint, and Always Encrypted keeps sensitive columns encrypted in transit and inside the engine.

Why this answer

Correct: B, C, D. Transparent Data Encryption encrypts the database files, logs and backups at rest (on by default for new Azure SQL databases, with the option of a customer-managed key). Always Encrypted encrypts chosen columns in the client driver, so the values stay ciphertext on the wire and inside the engine, which addresses the in-transit part of the requirement on top of the TLS that Azure SQL already requires on every connection. Server and database firewall rules restrict which addresses may connect at all. Option A (Microsoft Defender for Azure SQL) is detection: it alerts on injection attempts and anomalous access but encrypts nothing. Option E (auditing) records activity for investigation and compliance and likewise protects nothing by itself.

348
MCQhard

Your organization has an Azure SQL Database that stores credit card numbers. The compliance team requires that credit card numbers be encrypted at rest and that only authorized applications can decrypt the data. The applications access the database using different service principals. You decide to implement Always Encrypted with secure enclaves. You create a column master key (CMK) in Azure Key Vault and a column encryption key (CEK) for the credit card column. You configure the column with deterministic encryption. However, after deployment, the applications report that they cannot insert or query the encrypted column. The error indicates that the column cannot be decrypted. You verify that the applications have the necessary permissions to access the CMK in Key Vault. What is the most likely cause of the issue?

A.The service principals do not have the 'Get' and 'Decrypt' permissions on the CMK in Key Vault.
B.The applications are using an older version of the SQL client driver that does not support Always Encrypted with secure enclaves.
C.Deterministic encryption is not supported with secure enclaves; you must use randomized encryption.
D.The CMK is stored in a Key Vault in a different region than the SQL Database.
AnswerB

Always Encrypted with enclaves requires a compatible client driver.

Why this answer

Option B is correct: Always Encrypted with secure enclaves needs a driver that understands the enclave protocol and performs attestation, such as Microsoft.Data.SqlClient (1.1 or later) with column encryption enabled and, where attestation is used, the attestation protocol and URL in the connection string; an older driver can neither negotiate the enclave nor decrypt the column, which matches the error reported. Option A is ruled out by the scenario itself, which states the Key Vault permissions were verified. Option C is wrong because both deterministic and randomized encryption work with enclaves; randomized encryption is only required for in-place encryption and rich computations such as range comparisons. Option D is wrong because the column master key can live in a Key Vault in any region; the client fetches it over HTTPS and region plays no role in whether decryption succeeds.

349
MCQhard

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?

A.Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings
B.Configure a service endpoint for Microsoft.KeyVault on the SQL server's subnet
C.Assign the SQL server's server identity the 'Contributor' role on the Key Vault
D.Create a private endpoint for the Key Vault in the SQL server's virtual network
AnswerA

This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault even when the firewall is enabled, provided the SQL server has appropriate RBAC or access policy permissions.

Why this answer

When Azure Key Vault has a firewall that blocks all public access, Azure services like SQL Database that need to access the key for TDE operations must be explicitly allowed. Enabling 'Allow trusted Microsoft services to bypass this firewall' permits the SQL server's managed service identity to authenticate and retrieve the CMK from Key Vault, even when public network access is denied. This setting is required because the SQL server, as a platform-as-a-service (PaaS) resource, does not reside in a virtual network by default and cannot use a private endpoint or service endpoint without additional networking configuration.

Exam trap

The trap here is that candidates often assume a private endpoint or service endpoint is always required for secure access, but for PaaS services like Azure SQL Database that use managed identities, the 'Allow trusted Microsoft services' setting is the simplest and correct solution when the Key Vault firewall blocks public access.

How to eliminate wrong answers

Option B is wrong because configuring a service endpoint for Microsoft.KeyVault on the SQL server's subnet is not applicable—Azure SQL Database is a PaaS service that does not have a subnet in a virtual network by default; service endpoints are used for VNet-integrated resources like VMs or App Service, not for SQL Database's managed identity access to Key Vault. Option C is wrong because assigning the 'Contributor' role on the Key Vault grants excessive permissions (e.g., ability to modify keys) and is not required; the SQL server's identity only needs the 'Get' and 'Unwrap Key' permissions on the key itself, which are granted via a Key Vault access policy, not RBAC roles. Option D is wrong because creating a private endpoint for Key Vault in the SQL server's virtual network would require the SQL server to be integrated into a VNet, which is not the default configuration for Azure SQL Database; private endpoints are used for network isolation but do not solve the firewall bypass issue for a managed service that needs to reach Key Vault over the public endpoint.

350
Multi-Selecthard

A company uses Microsoft Defender for Cloud's workload protection for Azure Storage. They want to receive alerts when there is suspicious access to blob storage. Which TWO features should they enable?

Select 2 answers
A.Azure Storage Firewall
B.Azure Defender for Storage
C.Azure Storage Encryption
D.Microsoft Defender for Cloud for Storage
E.Diagnostic settings to send storage logs to a Log Analytics workspace
AnswersD, E

Provides threat detection alerts for storage.

Why this answer

Options D and E are correct because Microsoft Defender for Cloud for Storage includes threat detection that alerts on suspicious access patterns, and enabling logging to the Log Analytics workspace provides detailed data for analysis. Option A is wrong because Azure Storage Firewall restricts access but does not generate alerts. Option C is wrong because Azure Storage Encryption protects data at rest, not access monitoring.

Option B is wrong because Azure Defender is the old name; the correct name is Microsoft Defender for Cloud.

351
MCQhard

You are a security engineer for a multinational company with 5000 Azure VMs across multiple subscriptions. You have deployed Microsoft Sentinel to ingest logs from all VMs via the Log Analytics agent. You need to create a detection rule that identifies potential cryptocurrency mining activity based on network traffic patterns. The rule should trigger an incident when any single VM communicates with a known mining pool IP address over port 3333, 4444, or 8333 within a 5-minute window. Additionally, to reduce noise, the rule should only trigger if the same VM sends more than 10 such connections in that window. You have a custom KQL function that extends the CommonSecurityLog table with an 'IsMiningPool' boolean column. Which of the following approaches should you use to create the rule?

A.Use a scheduled query rule with the query: CommonSecurityLog | where DestinationPort in (3333,4444,8333) | summarize ConnectionCount = count() by SourceIP | where ConnectionCount > 10.
B.Use a scheduled query rule with the query: CommonSecurityLog | where IsMiningPool == true | summarize UniqueDestIPs = dcount(DestinationIP) by SourceIP | where UniqueDestIPs > 10.
C.Use a scheduled query rule with the query: CommonSecurityLog | where IsMiningPool == true | summarize ConnectionCount = count() by SourceIP, DestinationPort | where ConnectionCount > 10.
D.Use an NRT query rule with the query: CommonSecurityLog | where IsMiningPool == true | where count() > 10.
AnswerC

Correctly filters, aggregates by source IP, and uses threshold.

Why this answer

Option C is correct because it uses the custom function to filter, counts connections per VM, and applies a threshold of 10. Option D is wrong because it uses a simple threshold without aggregation. Option B is wrong because it looks for 10 different destination IPs, not connections.

Option A is wrong because it doesn't use the custom function and instead uses a list of ports, which is less maintainable.

352
Multi-Selectmedium

Your organization uses Azure AD Privileged Identity Management (PIM) to manage admin roles. Which three of the following are valid configurations for role activation? (Choose three.)

Select 3 answers
A.Require Azure AD Multi-Factor Authentication (MFA) during activation
B.Set a maximum activation duration in hours
C.Require approval from designated approvers
D.Disable activation during weekends
E.Automatically assign the role without activation
F.Require a ticket number from an external ticketing system

Why this answer

Azure AD PIM allows organizations to enforce just-in-time (JIT) access for privileged roles. Requiring Azure AD MFA during activation ensures the user's identity is verified before role elevation. Setting a maximum activation duration (e.g., 1–8 hours) limits the window of elevated privilege.

Requiring approval from designated approvers adds a secondary authorization layer, preventing unauthorized or accidental role assignments.

Exam trap

The trap here is that candidates may confuse PIM's activation settings with Azure AD Conditional Access policies or general role assignment options, leading them to select features like disabling activation on weekends or requiring external ticket numbers, which are not supported in PIM.

353
MCQhard

You are a security engineer for a company that uses Microsoft Entra ID. You need to implement a solution that automatically blocks sign-ins from users detected as compromised credentials. The solution should work in real-time and require no manual intervention. What should you use?

A.Azure AD Identity Protection weekly digest
B.Conditional Access policy with sign-in risk policy
C.Microsoft Defender for Cloud Apps session policy
D.User risk policy in Microsoft Entra ID Protection
AnswerD

User risk policy automatically blocks users with high risk due to compromised credentials.

Why this answer

Option D is correct. Microsoft Entra ID Protection automatically detects and blocks compromised credentials using user risk policies. Option A is wrong because it is a reporting tool and is not real-time.

Options B and C are wrong because they are not specific to compromised credentials.

354
MCQhard

A company uses Microsoft Defender for Cloud to assess the security posture of its Azure resources. The security team notices that the secure score is lower than expected because many recommendations are marked as 'Unhealthy' for resources that are not yet deployed (planned resources). How should you ensure that the secure score accurately reflects only deployed resources?

A.Create custom Azure Policy initiatives that exclude non-deployed resources.
B.Disable the recommendations for resources that are not yet deployed.
C.Assign Azure Policy to audit only deployed resources and create exemptions for planned resources.
D.Ensure that only resources with a specific tag are assessed.
AnswerC

Exemptions allow you to exclude specific resources from compliance evaluation, improving secure score accuracy.

Why this answer

Option C is correct because assigning Azure Policy at the management group scope with a 'DeployIfNotExists' or 'AuditIfNotExists' effect can enforce governance on deployed resources only, while exemptions exclude the planned (non-deployed) resources. Option B is wrong because disabling recommendations affects all resources. Option D is wrong because the secure score automatically considers only assessed resources; the issue is that planned resources are being assessed incorrectly, which a tag filter does not fix.

Option A is wrong because creating custom initiatives does not filter out non-deployed resources automatically.

355
MCQeasy

You run the PowerShell cmdlet shown in the exhibit for an Azure SQL Database. What is the security implication?

A.Auditing of database queries is not configured.
B.The database is not protected against anomalous activities.
C.The database firewall allows all public IP addresses.
D.Transparent data encryption is not enabled.
AnswerB

ATP is disabled, so threat detection is not active.

Why this answer

Advanced Threat Protection (ATP) is disabled, meaning the database is not monitored for anomalous activities. Option B is correct. ATP is separate from firewall, TDE, and auditing.

356
MCQeasy

Your organization uses Microsoft Defender for Cloud to assess regulatory compliance. You need to ensure that the compliance dashboard reflects the latest standards and that custom assessments are included. What should you do?

A.Configure Microsoft Purview compliance portal to include Azure subscriptions.
B.Use Azure Policy to apply custom definitions and assign to management groups.
C.Create an Azure Blueprint with custom policies.
D.Add a custom regulatory compliance standard in Defender for Cloud.
AnswerD

Correct. You can add custom standards and initiatives to the compliance dashboard.

Why this answer

Option D is correct because the regulatory compliance dashboard in Defender for Cloud allows you to add custom initiatives and standards, including custom assessments. Option C is wrong because Azure Blueprints are deprecated and not the correct tool. Option B is wrong because Azure Policy alone does not integrate with the compliance dashboard.

Option A is wrong because the Microsoft Purview compliance portal is for data governance, not cloud security compliance assessment.

357
MCQmedium

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. A recent assessment shows that a standard-tier storage account (storageaccount1) used for backup data has the following findings: 1) 'Storage account should use a private endpoint' is unhealthy; 2) 'Storage account should use customer-managed keys (CMK) for encryption' is healthy; 3) 'Storage account should restrict network access' is unhealthy; 4) 'Storage account should enable soft delete for blobs' is healthy. Management requires that all storage accounts used for backup be protected against accidental deletion and have network access restricted to a specific virtual network (vnet-backup). Currently, the storage account is accessible from all networks. You need to remediate the unhealthy findings while maintaining the healthy status of the other controls. Which combination of actions should you take?

A.Enable a service endpoint for Microsoft.Storage on vnet-backup and configure the firewall to allow only that subnet, then create a private endpoint as well.
B.Create a private endpoint in the vnet-backup subnet for the storage account and set the public network access to 'Disabled'.
C.Enable a service endpoint for Microsoft.Storage on the vnet-backup subnet and update the storage account firewall to allow access only from that subnet.
D.Configure the storage account firewall to allow access only from the vnet-backup subnet's public IP range.
AnswerB

Private endpoint satisfies the private endpoint recommendation; disabling public access satisfies the network access restriction.

Why this answer

Option B is correct: Enabling a private endpoint and disabling public network access will remediate both the private endpoint and network access findings. Soft delete is already enabled, and CMK is already in place. Option C: Enabling a service endpoint and firewall rules does not remediate the private endpoint finding and may not satisfy the recommendation.

Option D: Configuring firewall rules allows public IPs, which does not meet the private endpoint recommendation.

358
MCQeasy

You need to ensure that an Azure Storage account only allows access from a specific virtual network. Which configuration should you use?

A.Enable Azure Private Link and assign a private endpoint.
B.Configure a service endpoint for Azure Storage and add the virtual network subnet to the firewall rules.
C.Configure firewall rules to allow only the virtual network's public IP range.
D.Generate new storage account access keys and share them only with the virtual network.
AnswerB

Service endpoints allow restricting access to the storage account from a specific VNet.

Why this answer

Service endpoints allow restricting access to Azure services from a specific virtual network. Option B is correct. Firewalls and IP rules are for public IP addresses, not VNets.

Private endpoints provide private IP connectivity but do not block public access by default. Access keys don't restrict network access.

359
MCQhard

Refer to the exhibit. You are reviewing an Azure Policy initiative definition in Microsoft Defender for Cloud. The initiative includes a policy definition with reference ID 'CIS-1.1'. The policy definition ID is '/providers/Microsoft.Authorization/policyDefinitions/abc123'. You need to verify that the policy definition exists and is correctly assigned. Which Azure CLI command should you run?

A.az policy assignment list --query "[?policyDefinitionId=='/providers/Microsoft.Authorization/policyDefinitions/abc123']"
B.az policy set-definition show --name "CIS Benchmark v1.1.0"
C.az policy definition list --query "[?id=='/providers/Microsoft.Authorization/policyDefinitions/abc123']"
D.az policy definition show --id /providers/Microsoft.Authorization/policyDefinitions/abc123
AnswerD

Shows the details of the specified policy definition.

Why this answer

Option D is correct because 'az policy definition show' retrieves details of a policy definition by ID. Option A is wrong because 'az policy assignment list' lists assignments, not definitions. Option B is wrong because 'az policy set-definition show' shows initiative definitions, not individual definitions.

Option C is wrong because 'az policy definition list' lists all definitions, not a specific one.

360
MCQeasy

A security team uses Microsoft Defender for Cloud. They want to automatically enable the 'vulnerability assessment' solution on all existing and future Azure SQL Database servers that are not already configured. Which Defender for Cloud feature should they use to enforce this configuration across the subscription?

A.Workflow automation
B.Continuous export
C.Azure Policy integration
D.Security policies (initiatives)
AnswerC

Azure Policy (integrated in Defender for Cloud) can enforce compliance and automatically deploy settings (like vulnerability assessment) via DeployIfNotExists policies.

Why this answer

Azure Policy integration is the correct feature because it allows you to create and assign policies that audit or enforce configurations across Azure resources. By using a built-in policy like 'Vulnerability assessment should be enabled on SQL servers', you can automatically remediate non-compliant resources, including future ones, at the subscription scope. This ensures that all existing and new Azure SQL Database servers have the vulnerability assessment solution enabled without manual intervention.

Exam trap

The trap here is confusing the policy definition (initiative) with the enforcement mechanism (Azure Policy integration), leading candidates to select 'Security policies (initiatives)' when the question specifically asks for the feature that enforces the configuration across the subscription.

How to eliminate wrong answers

Option A is wrong because Workflow automation in Defender for Cloud triggers actions (e.g., sending email or creating a ticket) based on alerts or recommendations, but it does not enforce or remediate configurations proactively across resources. Option B is wrong because Continuous export streams security alerts and recommendations to Log Analytics or Event Hubs for external analysis, but it cannot enforce or enable a vulnerability assessment solution on SQL servers. Option D is wrong because Security policies (initiatives) are the high-level definitions of compliance requirements, but they are implemented through Azure Policy; the question asks for the feature that enforces the configuration, which is Azure Policy integration, not the policy definitions themselves.

361
Multi-Selectmedium

Which TWO security features can be enabled on an Azure SQL Database to protect sensitive data from unauthorized access by database administrators? (Choose two.)

Select 2 answers
A.Transparent Data Encryption (TDE)
B.Always Encrypted
C.Row-Level Security (RLS)
D.Azure SQL Database firewall rules
E.Auditing
AnswersB, C

Always Encrypted encrypts data on the client side, so DBAs cannot decrypt it without the column encryption key.

Why this answer

Options B and C are correct. Option B: Always Encrypted ensures that database administrators cannot see plaintext data because the encryption keys are controlled by the client. Option C: Row-Level Security restricts access to rows based on user context, preventing admins from viewing data they shouldn't.

Option A is wrong because TDE protects data at rest but admins can still query the data. Option D is wrong because firewall rules control network access, not data access. Option E is wrong because auditing logs access but does not prevent it.

362
MCQhard

A security analyst reports that Microsoft Sentinel is not receiving Windows Security Events from Azure VMs that have the Log Analytics agent installed. The agent shows as connected, and other data sources (e.g., performance counters) are flowing. What is the most likely cause?

A.The Microsoft Sentinel solution is not installed on the VM.
B.The Azure VM has a network security group blocking port 443.
C.The Log Analytics workspace key is incorrect.
D.The Windows Security Events connector is not configured to collect the required event IDs.
AnswerD

Correct. The connector must be configured to collect specific event IDs; otherwise, security events are not sent.

Why this answer

Option D is correct because the Windows Security Events connector in Sentinel requires specific event IDs to be collected; if the data collection rule or agent configuration does not include the required event IDs, the events won't be sent. Option C is wrong because a Log Analytics workspace key or certificate issue would affect all data, not just security events. Option B is wrong because if the agent is connected, network connectivity is fine.

Option A is wrong because the Microsoft Sentinel solution is installed at the workspace level, not per VM.

363
MCQhard

Refer to the exhibit. You are reviewing the output of the Get-AzureADGroup PowerShell cmdlet. You need to create a Conditional Access policy that dynamically includes users based on their department attribute set to 'Finance'. Which group should you use in the policy?

A.All Users
B.Sales Team
C.Administrators
D.Finance Team
AnswerD

This group is shown as a static group that can be used to assign access; for dynamic inclusion based on department, you would create a dynamic group with the membership rule user.department -eq 'Finance'. Of the given groups, however, only this one is finance-related.

Why this answer

Option D is correct because the 'Finance Team' group is a dynamic group configured with a membership rule that automatically includes users whose department attribute equals 'Finance'. Conditional Access policies can target dynamic groups, and using this group ensures that only users with the 'Finance' department attribute are included in the policy without manual updates.

Exam trap

The trap here is that candidates may assume any group can be used for dynamic inclusion, but only a dynamic group with the correct membership rule (e.g., department equals 'Finance') will automatically include users based on the attribute, whereas static groups like 'Sales Team' or 'Administrators' require manual membership changes.

How to eliminate wrong answers

Option A is wrong because 'All Users' would include every user in the tenant, not just those with the 'Finance' department attribute, which violates the requirement for dynamic inclusion based on department. Option B is wrong because 'Sales Team' is a static group that contains users from the Sales department, not Finance, so it would not include the intended users. Option C is wrong because 'Administrators' is a role-based group that includes privileged users, not users filtered by the 'Finance' department attribute.

364
Multi-Selecteasy

You are configuring network security for a multi-tier application in Azure. The web tier must accept HTTPS traffic from the internet. The application tier should only accept traffic from the web tier. The data tier should only accept traffic from the application tier. Which THREE Azure features should you use to implement this?

Select 3 answers
A.Azure Firewall
B.Application Security Groups (ASGs)
C.Azure Front Door
D.Azure Traffic Manager
E.Network Security Groups (NSGs)
AnswersA, B, E

Azure Firewall provides centralized logging and can be used for additional filtering.

Why this answer

Option E is correct because NSGs provide inbound/outbound filtering for subnets or NICs. Option B is correct because ASGs allow you to group VMs and reference them in NSG rules, simplifying rule creation. Option A is correct because Azure Firewall can be used for centralized logging and additional filtering.

Option C is wrong because Azure Front Door is for global load balancing, not internal traffic segmentation. Option D is wrong because Azure Traffic Manager is for DNS-based traffic routing.

365
MCQeasy

You need to grant a group of users the ability to read Microsoft Entra ID sign-in logs in the Azure portal. Which role should you assign?

A.Security Reader
B.Reports Reader
C.Global Reader
D.Global Administrator
AnswerB

Reports Reader can read sign-in logs.

Why this answer

The Reports Reader role is specifically designed to grant read-only access to monitoring data, including Microsoft Entra ID sign-in logs and audit logs, without granting broader read permissions to the entire directory. This role is the least-privileged option that directly meets the requirement to read sign-in logs in the Azure portal.

Exam trap

The trap here is that candidates often confuse the Security Reader role (which covers security center and security policies) with the Reports Reader role (which specifically covers sign-in and audit logs), leading them to choose Security Reader because it sounds security-focused.

How to eliminate wrong answers

Option A is wrong because the Security Reader role provides read access to security-related data (e.g., security policies, security alerts) but does not include read access to sign-in logs or audit logs. Option C is wrong because the Global Reader role grants read access to all directory resources, which is overly permissive and not the least-privileged role for reading only sign-in logs. Option D is wrong because the Global Administrator role has full administrative access to all directory features, including the ability to modify settings and manage users, which far exceeds the required read-only access to sign-in logs.

366
Multi-Selecthard

You are designing a security baseline for Microsoft Entra ID. Which THREE settings are recommended by Microsoft as part of the identity security baseline?

Select 3 answers
A.Enable risk-based Conditional Access policies
B.Allow self-service group management for all users
C.Set sign-in session timeout to 8 hours
D.Enable MFA for all Global Administrators
E.Block legacy authentication protocols
AnswersA, D, E

Automatically respond to risky sign-ins and users.

Why this answer

Option A is correct because risk-based Conditional Access policies are a core recommendation in the Microsoft identity security baseline. These policies automatically respond to detected user or sign-in risks (e.g., anonymous IP, leaked credentials) by requiring MFA or blocking access, aligning with the Zero Trust principle of continuous verification. Microsoft explicitly includes risk-based policies in its security baseline to proactively mitigate identity threats.

Exam trap

The trap here is that candidates often confuse Microsoft's general best practices (like self-service group management) with the specific, hardened settings in the identity security baseline, which prioritizes risk-based controls and blocking legacy protocols over convenience features.

367
MCQhard

You are deploying a critical application on Azure Virtual Machines that must remain highly available. You need to implement a security solution that ensures the application can recover from a ransomware attack that encrypts all data disks. What is the most cost-effective approach?

A.Configure Azure Backup with immutable vault and soft delete.
B.Use Azure Files share with snapshots for the application data.
C.Enable Azure Site Recovery for the virtual machines.
D.Take daily snapshots of the disks and store them in the same storage account.
AnswerA

Immutable vault prevents modification/deletion of backups; soft delete provides additional protection.

Why this answer

Azure Backup with immutable vault and soft delete protects against ransomware by preventing deletion and allowing recovery. Option A is correct. Azure Site Recovery is for disaster recovery, not ransomware recovery.

Snapshots alone can be deleted by malware. Azure Files share backup is not applicable to VM disks.

368
MCQmedium

A company stores critical business data in an Azure Storage account (Blob Storage). They want to ensure that all data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data quickly if a breach is suspected. Which feature should they enable on the storage account to enforce CMK?

A.Enable infrastructure encryption for the storage account
B.Enable Azure Storage encryption with customer-managed keys
C.Enable soft delete for blobs
D.Enable versioning for blobs
AnswerB

This configures the storage account to use a CMK from Key Vault. Revocation is done by disabling the key in Key Vault, making the data inaccessible.

Why this answer

Option B is correct because enabling Azure Storage encryption with customer-managed keys (CMK) allows you to use your own key stored in Azure Key Vault to encrypt all data at rest in the storage account. This also provides the ability to revoke access to the data quickly by disabling, deleting, or rotating the key in Key Vault, which renders the data inaccessible until the key is restored.

Exam trap

The trap here is that candidates often confuse infrastructure encryption (which adds a second encryption layer but uses Microsoft-managed keys) with customer-managed key encryption, or they mistakenly think soft delete or versioning can enforce encryption key control and revocation.

How to eliminate wrong answers

Option A is wrong because infrastructure encryption provides an additional layer of encryption at the infrastructure level using platform-managed keys, not customer-managed keys, and does not support revocation via Key Vault. Option C is wrong because soft delete for blobs protects against accidental deletion by retaining deleted data for a specified retention period, but it does not enforce encryption with customer-managed keys or provide revocation capabilities. Option D is wrong because versioning for blobs preserves previous versions of blobs for data recovery and point-in-time restore, but it does not relate to encryption key management or revocation.

369
MCQmedium

Refer to the exhibit. You are configuring an Entitlement Management access package. The policy allows any existing user to request access without approval, and access expires after 30 days. However, security requirements dictate that all access to Finance applications must be reviewed by the finance team manager every quarter. What should you add to the policy?

A.Add a connected organization for external users
B.Set 'isApprovalRequiredForAdd' to true
C.Set 'durationInDays' to 90
D.Enable access reviews and assign the finance team manager as reviewer
AnswerD

Adds periodic review as required.

Why this answer

Option D is correct because the security requirement mandates quarterly reviews by the finance team manager, which is exactly what an access review does in Entitlement Management. Access reviews allow you to require periodic attestation of access by a designated reviewer, ensuring ongoing compliance even though the initial request does not require approval. The policy already sets a 30-day expiration, but a quarterly review adds a separate recurring governance check that overrides the shorter duration for compliance purposes.

Exam trap

The trap here is that candidates confuse 'approval at request time' with 'periodic review after access is granted' — the question explicitly says no approval is needed for the initial request, so adding approval (Option B) is incorrect, but the quarterly review (Option D) is a separate governance control that satisfies the security requirement without changing the request flow.

How to eliminate wrong answers

Option A is wrong because a connected organization is used to allow external users from a specific partner or tenant to request access; the scenario specifies 'any existing user' (internal users), so external user configuration is irrelevant. Option B is wrong because setting 'isApprovalRequiredForAdd' to true would require approval at the time of request, but the question explicitly states the policy allows access without approval; adding approval would contradict the requirement. Option C is wrong because setting 'durationInDays' to 90 would extend the access expiration to 90 days, but the requirement is to keep the 30-day expiration and add a quarterly review; changing the duration does not enforce periodic review by the finance team manager.

370
MCQmedium

You have an Azure Web Application Firewall (WAF) policy associated with an Azure Front Door instance. You want to block requests from a specific country (e.g., Country X) unless the request includes a valid API key. How should you configure this?

A.Use a geo-match custom rule to allow all countries except Country X, and use a rate limit rule to block Country X.
B.Configure IP restriction on the origin to block Country X IPs.
C.Configure the WAF policy to use 'Prevention' mode and add a managed rule set that includes the country block.
D.Use a geo-match custom rule to block Country X, and create a separate custom rule with higher priority to allow traffic from Country X if the request contains the API key header.
AnswerD

This order ensures that requests with the API key bypass the block. The allow rule must have a higher priority than the block rule.

Why this answer

WAF custom rules can use a 'Geo Match' condition to block traffic from a country, and a separate match condition (or rate limit rule) to allow requests whose header matches. The correct approach is to create a custom rule that blocks traffic from Country X, and a higher-priority custom rule that allows traffic from Country X when the request contains the API key header. Because rules are evaluated in priority order, the allow rule is matched first and the block rule never applies to those requests.

371
Multi-Select · medium

Which TWO of the following are valid ways to integrate Microsoft Sentinel with Microsoft Defender XDR?

Select 2 answers
A. Configure the Microsoft Defender XDR data connector
B. Use Azure Lighthouse to connect Defender XDR to Sentinel
C. Deploy a playbook that polls Defender XDR APIs
D. Enable automatic incident creation in the Microsoft Defender XDR connector
E. Create a custom log analytics workspace query
Answers: A, D

The data connector ingests alerts and incidents.

Why this answer

Options A and D are correct. Option A is correct because the data connector for Microsoft Defender XDR ingests alerts. Option D is correct because enabling automatic incident creation in the connector creates incidents.

Option B is wrong because Azure Lighthouse is used for cross-tenant management, not for Defender XDR integration. Option C is wrong because playbooks are for automation, not integration. Option E is wrong because custom logs do not integrate automatically.

372
MCQ · hard

Refer to the exhibit. You are reviewing the JSON output of an Azure Storage account encryption configuration. What can you conclude about the encryption settings?

A. The storage account uses a customer-managed key from Azure Key Vault.
B. The encryption configuration is incomplete because keyVersion is '1'.
C. Only blob storage is encrypted; file storage is not.
D. The storage account uses platform-managed keys (SSE).
Answer: A

keySource: Microsoft.Keyvault indicates CMK.

Why this answer

Option A is correct. The JSON shows 'keySource': 'Microsoft.Keyvault', indicating customer-managed keys (CMK). The key name, version, and vault URI are provided.

Option B is wrong because the configuration is complete: the key name, version, and vault URI are all present, so a keyVersion of '1' does not indicate a gap. Option C is wrong because the configuration shows both blob and file encryption enabled. Option D is wrong because platform-managed keys use 'Microsoft.Storage' as keySource; this configuration uses CMK, not SSE with Microsoft-managed keys.

373
MCQ · hard

Refer to the exhibit. A user is eligible for a role in PIM. When they activate the role, how long will the activation last?

A. 8 hours
B. 1 hour
C. 24 hours
D. Indefinite
Answer: A

PT8H means 8 hours.

Why this answer

In Azure AD Privileged Identity Management (PIM), the default maximum activation duration for an eligible role is 8 hours. This is configurable by administrators, but the question refers to the standard default setting. When a user activates a role, the activation lasts for this predefined period unless a different duration is explicitly set in the role settings.

Exam trap

The trap here is that candidates may confuse the default activation duration with the default assignment duration (which is permanent by default) or assume the activation lasts indefinitely until deactivated, but PIM always enforces a finite, configurable time limit.

How to eliminate wrong answers

Option B (1 hour) is wrong because while PIM allows activation durations as low as 1 hour, the default maximum is 8 hours, not 1 hour. Option C (24 hours) is wrong because 24 hours is not the default; it is a possible custom value but exceeds the standard default of 8 hours. Option D (Indefinite) is wrong because PIM activations always have a finite duration; indefinite activation would defeat the purpose of just-in-time privileged access and is not supported by default.

374
MCQ · hard

A company wants to deploy an Azure VPN Gateway in active-active mode to ensure high availability for their site-to-site VPN connection. They have two on-premises VPN devices, each with a distinct public IP address. What is the minimum configuration required for the Azure VPN Gateway to utilize both on-premises devices?

A. Create two local network gateways, each with one on-premises public IP, and connect each to a different IP of the VPN gateway.
B. Create one local network gateway that includes both on-premises IP addresses and enable BGP on the connection.
C. Use active-passive mode and configure a second VPN gateway in the same virtual network.
D. Deploy two separate VPN gateways in different Azure regions.
Answer: A

This configuration allows the active-active gateway to route traffic through both on-premises devices.

Why this answer

Option A is correct because active-active mode requires two distinct IP addresses on the Azure VPN gateway, and each on-premises VPN device must be represented by its own local network gateway. By creating two local network gateways (one per on-premises public IP) and connecting each to a different Azure VPN gateway IP, you establish two independent IPsec tunnels, achieving high availability. This configuration ensures that if one on-premises device or one Azure instance fails, traffic can still flow through the other tunnel.

Exam trap

The trap here is that candidates often think a single local network gateway can hold multiple on-premises IPs or that BGP alone can handle dual tunnels, but Azure requires a separate local network gateway per on-premises device to establish distinct IPsec SAs in active-active mode.

How to eliminate wrong answers

Option B is wrong because a single local network gateway can only define one on-premises public IP address; including both IPs in one gateway is not supported, and enabling BGP does not solve the need for separate tunnels to each on-premises device. Option C is wrong because active-passive mode uses only one active tunnel at a time, so it cannot utilize both on-premises devices simultaneously; deploying a second VPN gateway in the same VNet is not a valid configuration (only one gateway per VNet is allowed). Option D is wrong because deploying two VPN gateways in different Azure regions creates a multi-region disaster recovery setup, not an active-active site-to-site VPN within a single region, and it does not leverage both on-premises devices for the same connection.

375
MCQ · medium

A company stores sensitive customer data in an Azure Storage account. The security policy requires that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need the ability to disable the key in case of a security breach and have the data become inaccessible immediately. Which feature should they enable on the storage account to achieve this?

A. Enable Azure Storage encryption with customer-managed keys (CMK)
B. Use service-managed keys (SSE) with platform-managed keys
C. Enable Azure Disk Encryption on VMs that access the storage account
D. Configure Azure Information Protection for the storage account
Answer: A

CMK allows you to manage the key used for encryption in your own Key Vault. You can disable or delete the key to revoke access to the data, though there is a short delay.

Why this answer

Option A is correct because enabling Azure Storage encryption with customer-managed keys (CMK) allows the customer to use their own key stored in Azure Key Vault for encrypting the storage account data at rest. The key can be disabled or revoked in Key Vault, which immediately renders the data inaccessible because Azure Storage uses the key to wrap the data encryption key; without access to the CMK, decryption cannot occur.

Exam trap

The trap here is that candidates often confuse Azure Disk Encryption (which encrypts VM disks) with storage account encryption, or assume that platform-managed keys (SSE) provide the same revocation capability as customer-managed keys.

How to eliminate wrong answers

Option B is wrong because service-managed keys (SSE) with platform-managed keys do not allow the customer to control or disable the key; Microsoft manages the keys, so the customer cannot revoke access in a breach scenario. Option C is wrong because Azure Disk Encryption encrypts the OS and data disks of VMs, not the data stored in Azure Storage accounts; it does not provide encryption at rest for the storage account itself. Option D is wrong because Azure Information Protection is a classification and labeling service for documents and emails, not a storage encryption mechanism; it does not encrypt data at rest in Azure Storage accounts.
