Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 376–450

1000 questions total · 14 pages · All types, answers revealed

Page 6 of 14

376
Multi-Select · medium

You are planning a migration of on-premises servers to Azure. You need to ensure that the Azure virtual network can communicate with the on-premises network securely and with high bandwidth. The on-premises network has a 1 Gbps internet connection. Which TWO options meet the requirements?

Select 2 answers
A. Site-to-site VPN over the internet.
B. Point-to-site VPN from on-premises to Azure.
C. Azure Firewall with forced tunneling.
D. VNet peering between on-premises and Azure.
E. Azure ExpressRoute with private peering.
Answers: A, E

S2S VPN provides encrypted connectivity over the internet, though bandwidth is limited to the internet connection speed.

Why this answer

Options A and E are correct. ExpressRoute (E) provides high bandwidth and private connectivity. Site-to-site VPN over the internet (A) is secure but limited by internet bandwidth.

Point-to-site is for individual clients. VNet peering is Azure-to-Azure. Azure Firewall is not a connectivity method.

377
Multi-Select · medium

Your company plans to deploy a set of Azure virtual machines (VMs) running a critical application. The security team requires that all operating system disks and temporary disks be encrypted, and that encryption keys are never stored in Azure but are managed in an on-premises HSM. Which three of the following actions should you take? (Choose three.)

Select 3 answers
A. Enable Azure Disk Encryption (ADE) on the VMs using Azure Key Vault with a key encryption key (KEK).
B. Use Azure Dedicated HSM to generate and store the encryption keys for ADE.
C. Configure the VMs to use Azure Disk Encryption with a passphrase-only approach (no KEK).
D. Set the Key Vault firewall to allow only trusted Microsoft services to access the vault.
E. Create a Key Vault access policy that grants the Azure Disk Encryption service principal the 'Wrap Key' and 'Unwrap Key' permissions.
F. Deploy the VMs with Azure Premium SSD managed disks and enable encryption at host.

Why this answer

Azure Disk Encryption (ADE) uses Azure Key Vault to protect encryption keys. To meet the requirement that keys are never stored in Azure but managed in an on-premises HSM, you must use Azure Dedicated HSM, which is a physical HSM appliance that you control and that can be integrated with on-premises key management. Additionally, you must configure a Key Vault access policy granting the Azure Disk Encryption service principal the 'Wrap Key' and 'Unwrap Key' permissions so that ADE can use the key encryption key (KEK) stored in the HSM.

Enabling ADE with a KEK ensures that the disk encryption keys are wrapped (encrypted) by the KEK, and the KEK itself is stored and managed in the on-premises HSM via Azure Dedicated HSM.

Exam trap

The trap here is that candidates often confuse Azure Key Vault Managed HSM (which stores keys in Azure) with Azure Dedicated HSM (which allows on-premises key management), or they mistakenly think that enabling encryption at host or using a passphrase-only approach satisfies the requirement for keys to never reside in Azure.

378
MCQ · easy

You need to allow a specific IP address (203.0.113.5) to access an Azure Storage account over the internet. All other internet traffic must be denied. You have enabled the storage account firewall. What should you configure?

A. Create a private endpoint for the storage account.
B. Add the IP address to the firewall rules of the storage account.
C. Configure an NSG on the subnet to allow the IP address.
D. Add a service endpoint for Microsoft.Storage to the subnet.
Answer: B

Storage account firewall supports IP-based access rules.

Why this answer

Option B is correct because the storage account firewall allows you to whitelist specific IP addresses. Option D is wrong because service endpoints are for VNet access, not specific IPs. Option C is wrong because NSGs apply to the subnet, not the storage account.

Option A is wrong because Private Link is for private connectivity, not IP whitelisting.

379
MCQ · hard

Your company uses Azure SQL Database and wants to protect sensitive data stored in a column named 'CreditCardNumber'. You need to ensure that the data is encrypted at rest and that only authorized users can decrypt the data at the application layer. Additionally, you want to prevent unauthorized administrators from accessing the plaintext. Which solution should you implement?

A. Enable Transparent Data Encryption (TDE) and store the encryption key in Azure Key Vault
B. Use Dynamic Data Masking to mask the credit card column for non-privileged users
C. Implement Azure SQL Database's Always Encrypted with enclaves
D. Implement Always Encrypted and store the column encryption key in Azure Key Vault
Answer: D

Always Encrypted encrypts data at the client side, ensuring only authorized applications can decrypt. Administrators cannot access plaintext because they do not have the column encryption key.

Why this answer

Option D is correct because Always Encrypted ensures data is encrypted at rest and in transit, and only client applications with the column encryption key can decrypt it; server administrators cannot access plaintext. Option A is wrong because TDE protects at rest but server administrators can still access plaintext. Option B is wrong because Dynamic Data Masking masks data but does not encrypt it.

Option C is wrong because Transparent Data Encryption alone does not prevent server administrators from reading data.

380
Multi-Select · hard

Which THREE are prerequisites for integrating Microsoft Sentinel with Microsoft Defender XDR? (Choose three.)

Select 3 answers
A. Appropriate permissions (Security Administrator or Global Administrator)
B. The Microsoft 365 Defender data connector must be enabled in Sentinel
C. The Microsoft Monitoring Agent installed on all endpoints
D. A valid license for Microsoft 365 Defender (or individual workloads)
E. An Azure Sentinel workspace in the same region as the Microsoft 365 tenant
Answers: A, B, D

Correct: Required to enable the connector.

Why this answer

Options A, B, and D are correct. You need appropriate permissions (A), the data connector enabled in Sentinel (B), and a valid license for Microsoft 365 Defender (D). Option E is wrong because you don't need an Azure Sentinel workspace in a specific region; any region works.

Option C is wrong because you don't need to install agents on endpoints; Defender XDR collects data automatically.

381
Multi-Select · medium

Which TWO Azure services can be used to filter inbound internet traffic to a virtual network? (Choose two.)

Select 2 answers
A. Azure Firewall
B. Azure Bastion
C. Azure Front Door
D. Network security group (NSG)
E. VPN gateway
Answers: A, D

Stateful firewall for inbound and outbound traffic.

Why this answer

Options A and D are correct. NSGs (D) filter traffic at the subnet/NIC level. Azure Firewall (A) provides centralized filtering.

Option C is wrong because Azure Front Door is a global load balancer. Option E is wrong because VPN gateway encrypts traffic but does not filter it. Option B is wrong because Azure Bastion is a jump server.

382
MCQ · medium

A company uses Azure Active Directory (Azure AD) and has a conditional access policy that requires multi-factor authentication (MFA) for all external users accessing SharePoint Online. However, the security team wants to enforce that external users must re-authenticate every 30 minutes when accessing SharePoint. Which control should they configure in a new conditional access policy targeting SharePoint Online?

A. Assign the policy to 'All cloud apps' and use a grant control to require multi-factor authentication.
B. Configure a condition for sign-in risk level and set it to 'High'.
C. Add a session control and set 'Sign-in frequency' to 30 minutes.
D. Configure a session control to use 'App enforced restrictions' for SharePoint.
Answer: C

Session controls allow you to enforce re-authentication after a specified time. Setting sign-in frequency to 30 minutes meets the requirement.

Why this answer

Option C is correct because the 'Sign-in frequency' session control in a Conditional Access policy allows administrators to enforce re-authentication at a specified interval. By setting this to 30 minutes and targeting the SharePoint Online app, external users will be prompted to re-authenticate every 30 minutes, meeting the security team's requirement. This control is independent of MFA and specifically addresses the frequency of authentication sessions.

Exam trap

The trap here is that candidates often confuse 'Sign-in frequency' with 'Grant controls' (like MFA) or 'Conditions' (like risk), not realizing that session controls specifically manage the duration of authentication sessions rather than the method of authentication.

How to eliminate wrong answers

Option A is wrong because assigning the policy to 'All cloud apps' and requiring MFA does not enforce a re-authentication frequency; it only mandates MFA at initial sign-in, not every 30 minutes. Option B is wrong because configuring a condition for sign-in risk level set to 'High' triggers MFA or block based on risk, not a fixed 30-minute re-authentication interval. Option D is wrong because 'App enforced restrictions' is a session control that delegates session management to the application (e.g., SharePoint), but it does not enforce a specific re-authentication frequency like 30 minutes.

383
MCQ · medium

A security team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when a user account is created in Azure AD and then within 5 minutes attempts to access a sensitive SharePoint site. What should they use to correlate these two events?

A. KQL query with join on UserId
B. Watchlist
C. Automation rule
D. Playbook
Answer: A

KQL allows joining tables on common fields to correlate events across data sources, which is exactly what this scenario requires.

Why this answer

Option A is correct because a KQL query with a join on UserId allows you to correlate two separate tables—such as AuditLogs for user creation and SharePoint access logs—based on a common field (UserId) within a specified time window (5 minutes). This is the standard method in Microsoft Sentinel for creating multi-event detection rules that require temporal correlation between distinct activities.

Exam trap

The trap here is that candidates may confuse a Watchlist (used for static lookups) with a correlation mechanism, or mistakenly think Automation rules or Playbooks can perform event correlation, when in fact only KQL queries with joins can correlate multiple events in a single detection rule.

How to eliminate wrong answers

Option B is wrong because a Watchlist is a static list of items (e.g., IP addresses or account names) used for reference or filtering, not for correlating dynamic events across time. Option C is wrong because an Automation rule in Sentinel triggers a response (e.g., incident creation or playbook execution) based on a single alert or incident, not for correlating two separate events. Option D is wrong because a Playbook is a set of automated actions (often using Azure Logic Apps) triggered by an alert, not a mechanism to correlate events in a detection query.

384
MCQ · easy

You need to prioritize security recommendations in Microsoft Defender for Cloud. Your compliance team requires a framework that maps to regulatory standards. What should you use?

A. Regulatory compliance standards
B. Azure Policy compliance dashboard
C. Inventory feature
D. Secure score
Answer: A

Regulatory compliance standards directly map recommendations to frameworks.

Why this answer

Option A is correct because regulatory compliance standards in Defender for Cloud map recommendations to specific frameworks. Option D is wrong because secure score is for overall posture. Option B is wrong because Azure Policy is the underlying engine.

Option C is wrong because inventory lists resources.

385
MCQ · medium

A company has two application tiers: web servers and application servers. They want to allow traffic from the web servers to the application servers on port 8080, but only for a specific set of web servers. They have deployed the web servers in an Availability Set and want to use a single NSG rule to allow traffic from any web server that is part of that application tier. Which component should they use?

A. Application security group
B. Service tag
C. Source IP address range
D. Virtual network peering
Answer: A

Correct. An ASG can be used as the source in an NSG rule to represent a group of VMs.

Why this answer

An Application Security Group (ASG) allows you to group virtual machines logically by their application roles (e.g., web servers) and then use that ASG as the source in a single NSG rule. Since the web servers are in an Availability Set, you can assign the same ASG to their NICs, and the NSG rule will dynamically include all current and future VMs in that ASG. This meets the requirement to allow traffic from any web server in that tier to the application servers on port 8080 without maintaining individual IP addresses.

Exam trap

The trap here is that candidates often confuse Application Security Groups with Network Security Groups themselves, or mistakenly think Service Tags can be used to group custom sets of VMs, when in fact Service Tags are only for Azure services or broad network scopes.

How to eliminate wrong answers

Option B is wrong because a Service Tag (e.g., 'VirtualNetwork') represents a predefined group of IP addresses from Azure services or the entire virtual network, not a custom set of specific VMs like the web servers in an Availability Set. Option C is wrong because using a Source IP address range would require you to list the individual private IPs of each web server, which is not dynamic and would break the requirement to use a single rule for any web server in the tier. Option D is wrong because Virtual Network Peering connects two virtual networks at the network layer, but it does not provide granular control to filter traffic from a specific subset of VMs within a peered network; it simply enables connectivity between the entire VNets.

386
Multi-Select · hard

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication strategy that satisfies the following requirements: - Users must not be able to bypass security verification using alternate authentication methods. - Passwordless authentication should be used where possible. - Legacy authentication protocols must be blocked. Which THREE actions should you take? (Choose three.)

Select 3 answers
A. Create a Conditional Access policy to block legacy authentication protocols.
B. Configure per-user MFA to require verification.
C. Enable FIDO2 security keys as an authentication method and configure passwordless sign-in.
D. Enable the 'Security defaults' feature in Microsoft Entra ID.
E. Disable SMS and voice call authentication methods in Microsoft Entra ID.
Answers: A, C, E

Blocks insecure protocols like POP, IMAP, SMTP.

Why this answer

Option A is correct because a Conditional Access policy can explicitly block legacy authentication protocols (such as POP3, IMAP, SMTP, and older Office clients) by targeting 'Exchange ActiveSync' and 'Other clients' in the client apps condition. This prevents users from bypassing modern authentication requirements and ensures that only modern authentication flows (e.g., OAuth 2.0) are allowed, which is a key requirement to block legacy protocols.

Exam trap

The trap here is that candidates often assume Security defaults is the simplest way to block legacy authentication and enforce MFA, but they overlook that Security defaults cannot be customized to selectively enable FIDO2 or disable specific methods, making it incompatible with the requirement for passwordless authentication and granular control.

387
MCQ · hard

You are configuring Microsoft Sentinel to use a playbook for automated response to incidents. The playbook needs to block the source IP address of a malicious sign-in on the Azure Firewall. Which Microsoft Sentinel feature should the playbook use?

A. Azure Automation runbooks
B. Azure Functions
C. Azure Logic Apps
D. KQL queries
Answer: C

Playbooks are built on Azure Logic Apps.

Why this answer

Option C is correct because Azure Logic Apps is the engine that runs playbooks. Option D is wrong because KQL is a query language, not an automation tool. Option B is wrong because Azure Functions can be used within logic apps but are not the primary playbook runner.

Option A is wrong because Azure Automation runbooks are not directly integrated with Sentinel playbooks.

388
MCQ · medium

An organization is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). They use Microsoft Defender for Cloud to manage their Azure security posture. Which feature in Defender for Cloud should they use to view their current compliance status against HIPAA controls?

A. Regulatory compliance dashboard.
B. Security posture dashboard.
C. Recommendations dashboard.
D. Inventory dashboard.
Answer: A

Correct. This dashboard shows compliance status against selected regulatory frameworks.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built view of your compliance posture against various standards, including HIPAA. It continuously assesses your Azure environment against HIPAA controls and displays the current compliance status, enabling you to track and improve adherence to regulatory requirements.

Exam trap

The trap here is that candidates often confuse the Security posture dashboard (which shows overall security health) with the Regulatory compliance dashboard, mistakenly thinking the former includes compliance status against specific standards like HIPAA.

How to eliminate wrong answers

Option B is wrong because the Security posture dashboard focuses on the overall security state of your resources (e.g., secure score, attack paths) rather than mapping to specific regulatory frameworks like HIPAA. Option C is wrong because the Recommendations dashboard lists actionable security recommendations to improve your secure score, but it does not organize them by compliance standard or show compliance status against HIPAA controls. Option D is wrong because the Inventory dashboard provides a list of all monitored resources and their configurations, not a compliance-specific view against regulatory standards.

389
MCQ · medium

A security team uses Microsoft Defender for Cloud to monitor the security posture of their Azure environment. They want to ensure that the Log Analytics agent is automatically installed on all new Azure virtual machines as soon as they are provisioned, to collect security logs. Which feature should they enable in Defender for Cloud?

A. Data Collection Rules (DCR) in Azure Monitor.
B. Auto-provisioning of the Log Analytics agent in Defender for Cloud's environment settings.
C. Azure Policy 'Deploy Log Analytics agent for Linux/Windows VM'.
D. Use Azure Automation State Configuration.
Answer: B

This setting automatically installs the agent on new VMs and monitors for compliance.

Why this answer

Option B is correct because Defender for Cloud's auto-provisioning feature is specifically designed to automatically install the Log Analytics agent on all existing and new Azure VMs to collect security logs. When enabled in the environment settings, it ensures that any new VM provisioned in the subscription gets the agent installed without manual intervention, directly addressing the requirement for automatic installation on new VMs.

Exam trap

The trap here is that candidates often confuse Azure Policy-based deployment (Option C) with Defender for Cloud's native auto-provisioning, but the question specifically asks for the feature within Defender for Cloud's environment settings, which is auto-provisioning, not a separate policy assignment.

How to eliminate wrong answers

Option A is wrong because Data Collection Rules (DCRs) in Azure Monitor are used to define data collection for the Azure Monitor Agent (AMA), not for the Log Analytics agent, and they do not automatically install agents on new VMs. Option C is wrong because the Azure Policy 'Deploy Log Analytics agent for Linux/Windows VM' is a built-in policy that can deploy the agent, but it requires assignment and evaluation, and it does not automatically trigger on new VM provisioning without policy compliance checks; it is a policy-based remediation, not a native auto-provisioning feature of Defender for Cloud. Option D is wrong because Azure Automation State Configuration is used for managing PowerShell DSC configurations and ensuring VM state compliance, not for automatically installing the Log Analytics agent for security log collection.

390
MCQ · hard

Your company uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. After assigning the PCI DSS v4.0 initiative, several controls show as 'Not started' even though your resources are compliant. What is the most likely cause?

A. The regulatory compliance dashboard does not support custom initiatives.
B. The PCI DSS initiative has not been assigned to the subscription.
C. The PCI DSS initiative is built-in and cannot be assigned manually.
D. The subscription is on the Free tier of Defender for Cloud.
Answer: B

The initiative must be assigned to the subscription for evaluation.

Why this answer

Option B is correct because the PCI DSS initiative includes policies that must be assigned and evaluated; if it is not assigned, controls show 'Not started'. Option A is wrong because the dashboard includes custom initiatives. Option D is wrong because the pricing tier doesn't affect policy assignment.

Option C is wrong because Azure Policy assigns initiatives, not Defender for Cloud directly.

391
MCQ · hard

Refer to the exhibit. You are assigned a policy that deploys the Log Analytics agent to Linux VMs. After assigning this policy to a subscription, you notice that existing Linux VMs are not getting the agent deployed, but newly created VMs receive the agent. What is the most likely reason?

A. The policy assignment requires a remediation task to be created for existing non-compliant VMs
B. The policy only applies to VMs in specific regions
C. The workspace ID parameter was not specified during assignment
D. The policy requires a managed identity to deploy the extension
Answer: A

DeployIfNotExists effect only deploys on new resources; existing resources need a remediation task.

Why this answer

Option A is correct because the policy uses the 'deployIfNotExists' effect, which requires remediation tasks to be triggered on existing resources; the policy assignment does not automatically remediate existing VMs. Option B is wrong because the policy evaluates all VMs regardless of region. Option D is wrong because the policy does not require a separate managed identity for deployment; the 'deployIfNotExists' effect uses the system-assigned identity.

Option C is wrong because the workspace ID is a required parameter, and if it were not provided, the assignment would fail.

392
MCQ · hard

Your organization uses Azure Files shares. You need to enforce access control using on-premises Active Directory (AD) credentials. The Azure Files share is already created. What should you do?

A. Enable Azure AD Domain Services authentication and join the storage account to the managed domain.
B. Assign RBAC roles (e.g., Storage File Data SMB Share Contributor) to AD users at the share level.
C. Enable AD DS authentication for the storage account, sync identities with Azure AD Connect, and configure NTFS permissions on the share.
D. Use storage account keys to mount the share and rely on Windows ACLs.
Answer: C

This allows on-prem AD authentication.

Why this answer

Option C is correct because Azure Files supports identity-based authentication using on-premises AD DS. You need to enable AD DS authentication on the storage account and assign NTFS permissions on the file share. Option A is wrong because Azure AD DS is a separate service, not on-premises AD.

Option B is wrong because Azure RBAC provides share-level permissions but not NTFS permissions. Option D is wrong because storage account keys provide full access, not granular control.

393
MCQ · easy

Refer to the exhibit. You are reviewing a Conditional Access policy JSON definition. What is the MOST likely result of this policy?

A. Users with low sign-in risk accessing Office 365 from trusted locations will be blocked.
B. Only external guest users accessing Office 365 from any location will be blocked.
C. All users accessing Office 365 from trusted locations will be required to perform MFA.
D. All users accessing Office 365 from trusted locations will be blocked.
Answer: D

The policy blocks access from trusted locations for Office 365 apps.

Why this answer

Option D is correct: the policy targets Office 365 applications and blocks access from trusted locations, which is the opposite of typical security requirements. Option C is wrong because the policy blocks access rather than requiring MFA. Option B is wrong because external identities are not explicitly included; the policy applies to 'All' users.

Option A is wrong because low sign-in risk is not a condition here.

394
MCQ · easy

You are configuring Microsoft Entra ID Connect to synchronize on-premises Active Directory identities to the cloud. You need to ensure that password hashes are synchronized to enable Microsoft Entra ID Password Protection and Identity Protection. Which option should you enable?

A. Pass-through authentication
B. Federation with AD FS
C. Password hash synchronization
D. Azure AD Connect Health
Answer: C

PHS syncs password hashes for Identity Protection and Password Protection.

Why this answer

Password hash synchronization (PHS) is the correct option because it is the specific feature that synchronizes password hashes from on-premises Active Directory to Microsoft Entra ID. This enables Microsoft Entra ID Password Protection (which blocks weak passwords by comparing against a global banned password list) and Identity Protection (which detects leaked credentials by comparing synchronized hashes against known compromised password databases). Without PHS, these cloud-based security features have no access to the on-premises password hashes.

Exam trap

The trap here is that candidates often confuse Pass-through authentication with Password hash synchronization, assuming that any password validation method that touches on-premises AD will automatically provide hash data for cloud security features, but only PHS actually stores the hashes in Microsoft Entra ID.

How to eliminate wrong answers

Option A is wrong because Pass-through authentication validates passwords directly against on-premises AD without storing password hashes in the cloud, so it does not provide the hash data needed for Password Protection or Identity Protection. Option B is wrong because Federation with AD FS relies on on-premises authentication and does not synchronize password hashes to Microsoft Entra ID, making it incompatible with cloud-only password analysis features. Option D is wrong because Azure AD Connect Health is a monitoring and diagnostics tool for the synchronization infrastructure, not a mechanism for synchronizing password hashes.

395
Multi-Select · medium

Your organization uses Microsoft Entra ID and has a hybrid identity with Microsoft Entra Connect. You need to ensure that all user password changes and resets are synchronized to the cloud within 30 minutes. Which TWO actions should you take? (Choose two.)

Select 2 answers
A. Configure federation with AD FS.
B. Set the Azure AD Connect synchronization frequency to 30 minutes.
C. Enable password writeback in Microsoft Entra Connect.
D. Enable Azure AD Connect Health to monitor synchronization.
E. Configure pass-through authentication for user sign-ins.
Answers: B, C

This ensures password changes are synced every 30 minutes.

Why this answer

Option B is correct because the Azure AD Connect synchronization frequency can be configured to run every 30 minutes (the minimum supported interval) to ensure password changes and resets are synchronized to the cloud within that timeframe. Option C is correct because enabling password writeback in Microsoft Entra Connect allows password changes and resets initiated in the cloud to be written back to the on-premises directory, ensuring bidirectional synchronization within the 30-minute window.

Exam trap

The trap here is that candidates often confuse password writeback (which writes cloud changes to on-premises) with password hash synchronization (which syncs on-premises changes to the cloud), but both are required for bidirectional password sync within the specified time window.

396
MCQ · medium

A company has Azure AD Identity Protection enabled. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on Identity Protection risk?

A. Add a condition for 'Sign-in risk' set to 'High' and a grant control of 'Block access'.
B. Add a condition for 'Locations' and specify the known malicious IP ranges as 'Blocked locations'.
C. Add a condition for 'User risk' set to 'High' and a grant control of 'Require multi-factor authentication'.
D. Add a condition for 'Device state' set to 'Not compliant' and a grant control of 'Block access'.
Answer: A

A sign-in from a known malicious IP is considered high risk by Identity Protection. Using the sign-in risk condition with 'High' and blocking access achieves the requirement.

Why this answer

Option A is correct because Identity Protection detects sign-ins from known malicious IP addresses and assigns a 'Sign-in risk' level (e.g., High). By adding a condition for 'Sign-in risk' set to 'High' and a grant control of 'Block access', the Conditional Access policy will automatically block those sign-ins. This directly uses Identity Protection's risk detection to enforce the block without needing to manually maintain IP address lists.

Exam trap

The trap here is that candidates often confuse 'Sign-in risk' (based on the sign-in event's characteristics like IP) with 'User risk' (based on user account compromise likelihood), leading them to incorrectly choose Option C or to think that manually listing IPs in Locations (Option B) is the correct approach.

How to eliminate wrong answers

Option B is wrong because specifying known malicious IP ranges as 'Blocked locations' in the Locations condition would require manual maintenance of IP lists and does not leverage Identity Protection's dynamic risk detection; it also does not use the 'Sign-in risk' condition. Option C is wrong because 'User risk' is based on user behavior patterns (e.g., leaked credentials), not on the IP address of the sign-in, and 'Require multi-factor authentication' does not block access. Option D is wrong because 'Device state' set to 'Not compliant' checks device compliance status, not the IP address or sign-in risk, and is unrelated to Identity Protection's malicious IP detection.

397
MCQ · easy

You need to securely connect to an Azure SQL Database from an on-premises application without exposing the database to the public internet. Which solution should you use?

A. Configure a firewall rule to allow the on-premises public IP address
B. Use Azure Private Link to connect via a private endpoint
C. Enable Always Encrypted on the database
D. Use a virtual network service endpoint for Azure SQL Database
Answer: B

Private Link provides a private IP address in your virtual network, accessible from on-premises via VPN/ExpressRoute, without public internet exposure.

Why this answer

Option B is correct because Azure Private Link creates a private endpoint in a virtual network, allowing on-premises connectivity via VPN or ExpressRoute without public exposure. Option A is wrong because firewall rules for a public IP still expose the database to the internet. Option C is wrong because Always Encrypted does not affect network access.

Option D is wrong because service endpoints still use a public IP for the service, though traffic stays on the backbone.

398
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to require that when a user activates this role, they must provide a support ticket number and a brief justification. Additionally, the activation should have a maximum duration of 4 hours. Which PIM role setting should they configure?

A.Require approval
B.Require MFA
C.Require justification on activation
D.Require Azure AD Identity Protection
AnswerC

Enabling 'Require justification' prompts the user to enter a reason and support ticket number during activation. Duration is set separately, but this directly addresses the requirement for justification and ticket number.

Why this answer

Option C is correct because the 'Require justification on activation' setting in Azure AD PIM allows you to mandate that users provide a support ticket number and a brief justification when activating a role. This setting enforces the collection of business-specific details during activation, which aligns with the requirement. The maximum activation duration of 4 hours is configured separately via the 'Activation maximum duration' setting, not through justification.

Exam trap

The trap here is that candidates confuse 'Require justification on activation' with 'Require approval', mistakenly thinking that a support ticket number implies an approval workflow, but justification is a mandatory input field, not an approval step.

How to eliminate wrong answers

Option A is wrong because 'Require approval' enforces a workflow where a designated approver must approve the activation request, which is not the same as requiring a support ticket number and justification; it adds an approval step rather than a mandatory input field. Option B is wrong because 'Require MFA' enforces multi-factor authentication during activation, which addresses security verification but does not collect a support ticket number or justification. Option D is wrong because 'Require Azure AD Identity Protection' is not a valid PIM role setting; Azure AD Identity Protection is a separate service for risk-based policies and does not apply to PIM activation requirements.

399
MCQeasy

A security analyst uses Microsoft Defender for Cloud. They want to view a list of all security recommendations for their Azure subscription, prioritized by their potential impact. Which Defender for Cloud dashboard should they use?

A.Secure Score
B.Regulatory Compliance
C.Inventory
D.Workload protections
AnswerA

The Secure Score page lists all recommendations sorted by their impact on your security score, helping prioritize actions.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations based on their potential impact on your overall security posture. Each recommendation is assigned a score contribution, allowing you to focus on the actions that will most improve your secure score. This directly matches the requirement to view recommendations prioritized by impact.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard with the Regulatory Compliance dashboard, thinking compliance standards inherently prioritize recommendations, but Secure Score is the only dashboard that explicitly ranks recommendations by their potential impact on your security score.

How to eliminate wrong answers

Option B (Regulatory Compliance) is wrong because it focuses on compliance with specific standards (e.g., SOC 2, ISO 27001) and does not prioritize recommendations by impact on secure score. Option C (Inventory) is wrong because it lists all resources in your Azure environment but does not provide security recommendations or prioritization. Option D (Workload protections) is wrong because it shows alerts and threats for specific workloads (e.g., servers, databases) rather than a prioritized list of security recommendations.

400
MCQhard

You manage a multi-tenant environment using Azure Lighthouse. You need to use Microsoft Defender for Cloud to monitor security posture across customer tenants. However, you cannot see the regulatory compliance dashboard for customer subscriptions. What is the most likely reason?

A.Azure Lighthouse is not configured for the customer tenants.
B.Defender for Cloud is not enabled on the customer subscriptions.
C.The Log Analytics agent is not deployed.
D.The 'Guest Configuration' extension is not installed on the customer's VMs.
AnswerD

Correct: needed for compliance.

Why this answer

Option D is correct because the regulatory compliance dashboard requires the Azure Policy Guest Configuration extension, which may not be auto-provisioned in delegated subscriptions. Option A (Azure Lighthouse not configured) is possible but less specific. Option B (Defender for Cloud not enabled) is not the issue.

Option C (Log Analytics agent) is not required.

401
MCQeasy

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?

A.One-time passcode (OTP)
B.Microsoft Authenticator app
C.FIDO2 security keys
D.Certificate-based authentication
AnswerA

Built-in feature sending passcode via SMS or email.

Why this answer

Option A is correct because the one-time passcode (OTP) authentication method in Microsoft Entra ID allows users to sign in with a temporary code sent via SMS to their mobile device, requiring no additional app or software installation. This method is specifically designed for scenarios where users cannot or should not install the Microsoft Authenticator app, such as for guest users or in bring-your-own-device (BYOD) environments. The OTP is generated by Entra ID and delivered over the mobile network, satisfying the requirement of no extra software.

Exam trap

The trap here is that candidates often confuse the 'one-time passcode' option with the Microsoft Authenticator app's push notification or time-based code feature, but the question explicitly requires no additional app installation, making the SMS-based OTP the only correct choice.

How to eliminate wrong answers

Option B is wrong because the Microsoft Authenticator app requires installation of a mobile application on the user's device, which contradicts the requirement of 'without requiring any additional app or software installation.' Option C is wrong because FIDO2 security keys are hardware-based devices that must be physically plugged in or used via NFC, and they require additional software (browser support and platform attestation) to function, not meeting the no-software-installation condition. Option D is wrong because certificate-based authentication requires digital certificates to be provisioned and installed on the user's device, which involves software (certificate store, enrollment) and is not a simple one-time passcode delivered via SMS.

402
MCQeasy

You need to restrict access to an Azure Storage account so that only requests from a specific Azure Virtual Network are allowed. What should you configure?

A.Assign an RBAC role to the VNet's managed identity
B.Configure a service endpoint for the storage account
C.Configure the storage account firewall to allow access only from the VNet
D.Configure an Azure Private Endpoint for the storage account
AnswerC

Firewall rules with VNet rules restrict access to that VNet.

Why this answer

Azure Storage firewalls and virtual network rules allow you to restrict access to specific VNets, so Option C is correct. Option D is wrong because a private endpoint provides private connectivity but does not by itself block other traffic.

Option B is wrong because a service endpoint alone does not restrict which networks can reach the storage account. Option A is wrong because RBAC controls who can access, not where from.

403
MCQmedium

Refer to the exhibit. You are configuring a PIM role setting for an Azure AD role. The exhibit shows the activation settings. A user activates the role and provides a justification. An approver from the Security Team does not see any pending requests. What is the most likely reason?

A.The role is permanently assigned
B.The activation duration is set to 0 days
C.The user did not provide a justification
D.The user is a member of the approver group
AnswerD

If the user is in the Security Team, they cannot self-approve; the request may be hidden.

Why this answer

Option D is correct because the user who activated the role is a member of the approver group. In Azure AD Privileged Identity Management (PIM), when a user is both the requester and a member of the approver group, the approval request is automatically approved and does not appear as a pending request for other approvers. This self-approval behavior prevents the request from being visible in the pending requests queue.

Exam trap

The trap here is that candidates assume the issue is with the activation settings or justification, but the real cause is the self-approval behavior when the user is a member of the approver group, which automatically completes the request without leaving a pending item.

How to eliminate wrong answers

Option A is wrong because a permanently assigned role does not require activation at all, so there would be no pending request to see. Option B is wrong because the activation duration cannot be set to 0 days; the minimum activation duration in PIM is 30 minutes (0.5 days), and a 0-day setting would be invalid. Option C is wrong because the user did provide a justification, as stated in the question, so the absence of justification is not the reason the approver sees no pending requests.

404
MCQeasy

A security team uses Microsoft Sentinel. They have created a playbook in Azure Logic Apps that automatically isolates a compromised VM by modifying a network security group. They want the playbook to run automatically whenever an incident of type 'VM Isolation' is created. Which Microsoft Sentinel feature should they use to trigger the playbook automatically?

A.Automation rules.
B.Scheduled analytics rules.
C.Fusion rules.
D.Workbooks.
AnswerA

Correct. Automation rules trigger playbooks when incidents are created or updated.

Why this answer

Automation rules in Microsoft Sentinel are designed to trigger automated responses, such as running a playbook, when an incident is created or updated. In this scenario, the rule can be configured to match incidents of type 'VM Isolation' and automatically execute the Logic Apps playbook to isolate the compromised VM. This is the correct feature for incident-triggered automation without requiring a separate analytics rule.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules, thinking that a scheduled query rule is needed to trigger a playbook, but automation rules are the dedicated feature for incident-based automation without requiring a separate alert generation rule.

How to eliminate wrong answers

Option B (Scheduled analytics rules) is wrong because they generate alerts based on periodic queries of log data, not directly trigger playbooks on incident creation; they can be used with automation rules but are not the trigger themselves. Option C (Fusion rules) is wrong because they are a correlation engine that combines multiple alerts into a single incident using machine learning, not a mechanism to trigger playbooks automatically. Option D (Workbooks) is wrong because they are for visualizing and analyzing data, not for triggering automated responses or playbooks.

405
MCQmedium

Your organization uses Microsoft Sentinel to monitor for data exfiltration. You have configured a scheduled analytics rule that detects when an external IP address downloads more than 100 MB of data from an Azure Storage account within 5 minutes. The rule triggers, but the incident created has a severity of 'Low', while your team wants it to be 'High' for all such incidents. What should you do?

A.Create a playbook that changes the severity of incidents created by that rule and attach it via an automation rule.
B.Add an entity mapping for the storage account so that the severity is inherited from the entity.
C.Edit the analytics rule and change the 'Severity' setting to 'High' in the 'Incident settings' tab.
D.Create an automation rule that triggers on incident creation and sets the severity to 'High' for all incidents from that rule.
AnswerC

The severity is configurable in the rule.

Why this answer

Option C is correct because you can set the severity in the analytics rule wizard under 'Incident settings'. Option A is wrong because incident severity is set in the rule, not in a playbook. Option D is wrong because automation rules can change severity, but only after the incident has been created; it is better to set it in the rule.

Option B is wrong because entity mapping does not affect severity.

406
MCQhard

You are designing a secure data solution for a financial application. The data must be encrypted at rest, in transit, and in use. You choose Azure SQL Database. Which combination of features should you implement?

A.Transparent Data Encryption, enforce TLS, and Always Encrypted
B.Azure Information Protection, Dynamic Data Masking, and column-level security
C.Always Encrypted, Azure Active Directory authentication, and Azure Information Protection
D.Transparent Data Encryption, Dynamic Data Masking, and Azure Active Directory authentication
AnswerA

TDE for at rest, TLS for in transit, Always Encrypted for in use.

Why this answer

To encrypt data at rest, use Transparent Data Encryption (TDE). For in-transit, enforce TLS. For in-use, use Always Encrypted.

Option A is correct. Options B and D are wrong because Dynamic Data Masking masks data rather than encrypting it. Options C and D are wrong because Azure Active Directory authentication is not encryption.

Option B is also wrong because column-level security is for access control, not encryption.

407
MCQmedium

Your organization uses Microsoft Sentinel and wants to create a custom analytics rule to detect failed logon attempts from a specific IP address. The rule should run every hour and look for the event in the SecurityEvent table. However, the rule never triggers even though the events exist. What is the most likely cause?

A.The entity mapping in the rule is incomplete.
B.The Log Analytics agent is not installed on the machines generating the events.
C.The analytics rule does not have the required permissions to query the workspace.
D.The rule query uses a time range that is too short.
AnswerB

Correct: agent must be installed to ingest SecurityEvent.

Why this answer

Option B is correct because the SecurityEvent table is populated by the Log Analytics agent installed on the source machines; without it, the events are never sent to the workspace. Option C (permissions) would produce an error rather than a rule that silently never triggers. Option D (time range) is possible but unlikely.

Option A (entity mapping) is not required for the rule to trigger.

408
Multi-Selecthard

Which THREE are best practices for securing network traffic in Azure? (Choose three.)

Select 3 answers
A.Use private endpoints for Azure services
B.Assign public IP addresses to every VM
C.Allow direct outbound internet access from VMs
D.Implement just-in-time (JIT) VM access
E.Use service tags in NSG rules
AnswersA, D, E

Keeps traffic within Microsoft backbone.

Why this answer

Private endpoints assign a private IP address from your virtual network to an Azure service (e.g., Azure Storage, SQL Database), effectively bringing the service into your VNet. This ensures traffic to the service traverses the Microsoft backbone network rather than the public internet, eliminating data exposure to the public endpoint and reducing the attack surface. It is a core network segmentation best practice for securing PaaS resources.

Exam trap

The trap here is that candidates often confuse 'just-in-time VM access' (which controls RDP/SSH access) with network traffic security, but it is indeed a best practice for reducing the attack surface of management ports, so it is correct; the real distractors are the obviously insecure options B and C that test your understanding of exposure minimization.

409
MCQeasy

You need to filter inbound internet traffic to an Azure web application based on source IP address and geographic location. Which Azure service should you use?

A.Network Security Group
B.Azure Web Application Firewall (WAF) on Azure Front Door
C.Azure DDoS Protection
D.Azure Firewall
AnswerB

WAF on Front Door allows geo-filtering and IP-based access control via custom rules.

Why this answer

Azure Web Application Firewall (WAF) on Azure Front Door or Application Gateway can filter traffic based on source IP and geo-location using custom rules. WAF provides layer 7 protection.

410
MCQhard

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?

A.Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
B.Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
C.Use Identity Protection's 'User risk policy' instead of Conditional Access
D.Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'
AnswerA

A separate policy for medium user risk applied to all users will require MFA when medium risk is detected. The existing policy will continue to block Finance users with high risk. Policy evaluation is not mutually exclusive; the block takes precedence for high risk, and the MFA requirement applies for medium risk.

Why this answer

Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for any user. Creating a second policy targeting all users with 'User risk level: Medium' and grant control 'Require multi-factor authentication' satisfies the requirement without conflicting with the existing block policy, as Conditional Access policies are combined (unless explicitly excluded).

Exam trap

The trap here is that candidates often think a single policy can handle multiple risk levels with different grant controls, but Conditional Access policies enforce a single grant control per policy, so separate policies are required for different risk level actions.

How to eliminate wrong answers

Option B is wrong because modifying the existing policy to include 'User risk level: Medium' and changing the grant control to 'Require multi-factor authentication' would remove the block for high-risk Finance users, violating the requirement to block high-risk sign-ins for Finance. Option C is wrong because Identity Protection's 'User risk policy' is a legacy, tenant-wide risk-based policy that cannot target specific departments like Finance; it also does not support the granularity of Conditional Access for combining risk levels with other conditions. Option D is wrong because creating a new policy with 'User risk level: Medium' and grant control 'Block access' would block medium-risk users instead of requiring MFA, which contradicts the requirement to require MFA for medium risk.

411
MCQhard

Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to ensure that only approved container images from a private Azure Container Registry (ACR) can run in the cluster. The solution must also enforce that pods run with least privilege. What should you configure?

A.Create a Kubernetes NetworkPolicy to restrict pod-to-pod communication and use Secrets for image pull
B.Configure ACR tasks to scan images for vulnerabilities and use AKS pod security policies
C.Use Azure AD pod-managed identities to authenticate to ACR and assign RBAC roles
D.Apply Azure Policy with built-in initiatives 'Kubernetes cluster containers should only use allowed images' and 'Kubernetes cluster pods should use specified service account'
AnswerD

Enforces allowed image sources and pod security.

Why this answer

Option D is correct because Azure Policy for AKS can enforce that images come only from the approved ACR and restrict pod security (via the built-in initiatives). Option B is wrong because ACR tasks build and scan images but do not enforce what runs in the cluster. Option C is wrong because Azure AD pod-managed identities handle authentication, not image enforcement.

Option A is wrong because Kubernetes network policies control traffic, not image source or privileges.

412
Multi-Selectmedium

You are a Security Engineer for a company that is migrating critical workloads to Azure. You need to ensure the security of compute, storage, and databases. Which of the following actions should you take? (Choose four.)

Select 4 answers
.Enable Azure Defender for SQL to receive security alerts and vulnerability assessments for Azure SQL databases.
.Use Azure Disk Encryption (ADE) to encrypt managed disks attached to virtual machines using BitLocker (Windows) or DM-Crypt (Linux).
.Configure a storage account firewall to restrict access to only specific virtual networks and trusted Azure services.
.Enable Azure Defender for Storage to detect anomalies and potential threats to your blob storage, Azure Files, and Data Lake Storage.
.Implement Azure Front Door WAF policies to protect against SQL injection and cross-site scripting attacks on virtual machines.
.Use Azure Backup for virtual machines without enabling soft delete to ensure immediate permanent deletion of backup data.

Why this answer

Enabling Azure Defender for SQL provides security alerts and vulnerability assessments for Azure SQL databases, which is essential for securing database workloads. This action directly addresses the requirement to ensure the security of databases by detecting threats and identifying misconfigurations.

Exam trap

The trap here is that candidates may confuse Azure Front Door WAF with network security groups (NSGs) or Azure Firewall, thinking it can protect VMs directly, but WAF is specifically for web applications and does not secure compute instances like virtual machines.

413
MCQeasy

A company is deploying Microsoft Sentinel in a new Azure subscription. The security team wants to ingest Windows security events from on-premises servers. Which data connector should they use?

A.Windows Security Events via AMA (Azure Monitor Agent)
B.Office 365 connector
C.Azure Active Directory connector
D.Common Event Format (CEF) connector
AnswerA

The AMA-based connector is the modern method to collect Windows security events.

Why this answer

Option A is correct because the Windows Security Events via AMA connector is the current recommended method for streaming Windows security events to Microsoft Sentinel using the Azure Monitor Agent. Option C is wrong because the Azure Active Directory connector is for Microsoft Entra ID logs, not Windows events. Option B is wrong because the Office 365 connector is for Office 365 logs.

Option D is wrong because the Common Event Format (CEF) connector is for syslog from security appliances, not Windows security events.

414
MCQmedium

You are designing network security for a hybrid application that uses Azure Front Door and Azure Application Gateway. The application must block malicious requests at the edge before they reach the backend. You need to implement Web Application Firewall (WAF) protection with the lowest latency and the ability to inspect traffic at the application layer. Which solution should you use?

A.Enable Azure DDoS Protection on the virtual network.
B.Apply WAF policy on Azure Application Gateway only.
C.Apply WAF policy on Azure Front Door.
D.Use Azure Firewall with threat intelligence-based filtering.
AnswerC

WAF on Front Door inspects traffic at the edge, blocking malicious requests before they reach the gateway, with low latency.

Why this answer

Option C is correct because a WAF policy on Azure Front Door operates at the edge, inspecting traffic at the application layer (HTTP/HTTPS) before it reaches the Application Gateway, providing the lowest latency and early threat blocking. Option B is wrong because WAF on Application Gateway inspects traffic only after it has passed through Front Door, adding latency. Option D is wrong because Azure Firewall is a stateful firewall that operates at layers 3-7 but is not optimized for application-layer inspection like WAF.

Option A is wrong because DDoS Protection protects against volumetric attacks, not application-layer threats.

415
Multi-Selecteasy

Which two options are valid methods to authenticate to Azure Storage from on-premises servers?

Select 2 answers
A.Microsoft Entra ID authentication.
B.Storage account access keys.
C.X.509 certificate authentication.
D.SAS tokens generated from the storage account.
E.Azure CLI login.
AnswersA, B

Supported for Azure Storage.

Why this answer

Correct: A and B. Entra ID authentication and storage account access keys are both supported. Option C (X.509 certificates) is not supported for storage.

Option D (SAS tokens) is a form of shared access, but not a primary authentication method. Option E (Azure CLI) is a command-line tool, not an authentication method per se.

416
Multi-Selecteasy

Which TWO data sources can be connected to Microsoft Sentinel using built-in data connectors? (Choose two.)

Select 2 answers
A.Amazon Web Services (AWS) CloudTrail
B.Microsoft 365 Defender incidents
C.Azure Active Directory (Microsoft Entra ID) logs
D.MySQL audit logs
E.On-premises Windows Firewall logs
AnswersB, C

Sentinel has a built-in connector for M365 Defender incidents.

Why this answer

Sentinel has built-in connectors for Azure Active Directory (Entra ID) and Microsoft 365 Defender, so Options B and C are correct. Option A (AWS CloudTrail) requires a connector via AWS but is not built-in (requires AWS S3).

Option D (MySQL audit logs) is not a built-in connector. Option E (On-premises Windows Firewall) requires a Log Analytics agent or AMA, not a built-in connector.

417
MCQhard

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

A.The UDR is not associated with the subnet in VNet-B.
B.The NVA's network interface (NIC) does not have IP forwarding enabled.
C.The VNet peering connection is not in a 'Connected' state.
D.The NVA is deployed in the same subnet as the source VMs.
AnswerB

IP forwarding must be enabled on the NVA's NIC so that the NVA can accept packets not addressed to itself and forward them. This is a common configuration step that is often missed.

Why this answer

The most likely cause is that the NVA's network interface (NIC) does not have IP forwarding enabled. Even with a correctly configured UDR on VNet-B pointing traffic to the NVA's private IP, the NVA will drop any traffic not destined for its own IP unless IP forwarding is enabled on its NIC. This setting allows the NVA to accept packets with a destination other than itself and forward them based on its routing table, which is essential for traffic inspection scenarios.

Exam trap

The trap here is that candidates often focus on UDR configuration or peering state, overlooking the critical NIC-level IP forwarding setting that is required for any NVA to function as a transit hop in Azure.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that a UDR has been configured on the subnet in VNet-B, implying it is associated; if it were not associated, the UDR would have no effect, but the core issue here is the NVA's inability to forward traffic. Option C is wrong because if the VNet peering were not in a 'Connected' state, no traffic would flow between the VNets at all, but the question indicates traffic is still passing (just not through the NVA), so peering is functional. Option D is wrong because the NVA being in the same subnet as source VMs does not inherently prevent traffic inspection; UDRs can still direct traffic to the NVA, but the NVA's NIC must have IP forwarding enabled to process and forward that traffic.

418
Multi-Selecthard

Which THREE measures should you implement to secure a Linux virtual machine running a web application on Azure?

Select 3 answers
A.Enable Azure Disk Encryption for OS and data disks
B.Configure network security groups to allow only HTTP and HTTPS
C.Deploy Microsoft Defender for Servers
D.Configure Azure Backup for the VM
E.Enable just-in-time VM access in Microsoft Defender for Cloud
AnswersA, C, E

Encrypts data at rest using BitLocker or DM-Crypt.

Why this answer

Option E (just-in-time VM access) reduces exposure by opening ports only when needed. Option A (Azure Disk Encryption) encrypts OS and data disks at rest. Option C (Microsoft Defender for Servers) provides threat detection and vulnerability management.

Option B is incorrect because NSGs filter traffic but do not encrypt data. Option D is incorrect because Azure Backup protects against data loss but does not encrypt disks themselves; backup encryption is separate.

419
Multi-Selecthard

A SOC team uses Microsoft Sentinel. They want to create an analytics rule that detects excessive failed logons from a single IP address. The rule must run every 5 minutes and look back 1 hour. Which THREE components are required to configure this scheduled query rule?

Select 3 answers
A.Fusion rule
B.Kusto Query Language (KQL) query
C.Alert threshold (number of results)
D.Incident configuration (e.g., grouping)
E.Playbook
AnswersB, C, D

The query defines the detection logic.

Why this answer

Options B, C, and D are correct. A KQL query defines the detection logic (B). An alert threshold (e.g., 'Generate alert based on number of results') specifies how many failed logons must be seen before an alert is raised (C). An incident configuration is required to create incidents from alerts and to group them (D).

Option E is wrong because a playbook is optional, not required. Option A is wrong because a Fusion rule is a different type of analytics rule, not a component of a scheduled query rule.
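A toy model of the scheduled query rule described above, added here as an illustration (not Sentinel's code or the exam author's): the KQL is a constructed equivalent, and the Python reproduces the query over the 1-hour lookback, the alert threshold, and the incident grouping on constructed SecurityEvent rows using RFC 5737 documentation addresses.

```python
"""Toy model of a Microsoft Sentinel scheduled query rule (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# KQL the real rule would carry (constructed; assumes Windows event ID 4625,
# failed logon, in the SecurityEvent table). The per-IP count filter lives in
# the query, so the rule's 'number of results' threshold is 'greater than 0'.
KQL_QUERY = """
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == 4625
| summarize FailedLogons = count(), Accounts = make_set(Account) by IpAddress
| where FailedLogons >= 10
"""


@dataclass(frozen=True)
class SecurityEvent:
    time_generated: datetime
    event_id: int
    ip_address: str
    account: str


@dataclass
class ScheduledQueryRule:
    """The three required components from the question, plus the schedule."""
    min_failed_logons: int = 10               # the '>= 10' inside the KQL
    results_threshold: int = 0                # alert threshold: results greater than 0
    lookback: timedelta = timedelta(hours=1)  # 'look back 1 hour'
    query_frequency: timedelta = timedelta(minutes=5)  # 'run every 5 minutes'
    group_alerts_into_incident: bool = True   # incident configuration (grouping)

    def next_run(self, last_run: datetime) -> datetime:
        return last_run + self.query_frequency


@dataclass
class Alert:
    ip_address: str
    failed_logons: int
    accounts: List[str]


@dataclass
class Incident:
    title: str
    alerts: List[Alert] = field(default_factory=list)


def run_query(rule: ScheduledQueryRule, events: List[SecurityEvent], now: datetime) -> List[Alert]:
    """Python equivalent of KQL_QUERY: one row per source IP within the lookback window."""
    cutoff = now - rule.lookback
    counts: Dict[str, int] = defaultdict(int)
    accounts: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.event_id != 4625 or ev.time_generated <= cutoff:
            continue  # not a failed logon, or outside the 1 h window
        counts[ev.ip_address] += 1
        accounts[ev.ip_address].add(ev.account)
    rows = [Alert(ip, n, sorted(accounts[ip]))
            for ip, n in counts.items() if n >= rule.min_failed_logons]
    return sorted(rows, key=lambda r: (-r.failed_logons, r.ip_address))


def evaluate_rule(rule: ScheduledQueryRule, events: List[SecurityEvent], now: datetime) -> List[Incident]:
    """One scheduled run: query -> alert threshold -> incident configuration."""
    rows = run_query(rule, events, now)
    if len(rows) <= rule.results_threshold:   # alert threshold not met: nothing raised
        return []
    if rule.group_alerts_into_incident:       # one incident holding every alert of this run
        return [Incident("Excessive failed logons", rows)]
    return [Incident(f"Excessive failed logons from {r.ip_address}", [r]) for r in rows]


SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def make_sample_events(now: datetime = SAMPLE_NOW) -> List[SecurityEvent]:
    """Constructed SecurityEvent rows; addresses are RFC 5737 documentation ranges."""
    def burst(ip: str, n: int, minutes_ago: int, account: str = "svc_web") -> List[SecurityEvent]:
        start = now - timedelta(minutes=minutes_ago)
        return [SecurityEvent(start + timedelta(seconds=i), 4625, ip, account) for i in range(n)]

    events: List[SecurityEvent] = []
    events += burst("203.0.113.5", 12, 40)            # in window, over threshold
    events += burst("198.51.100.7", 11, 20, "admin")  # in window, over threshold
    events += burst("192.0.2.9", 3, 10)               # in window, below threshold
    events += burst("192.0.2.44", 15, 120)            # 2 h ago: outside the 1 h lookback
    events.append(SecurityEvent(now - timedelta(minutes=5), 4624, "203.0.113.5", "svc_web"))  # success
    return events


if __name__ == "__main__":
    for inc in evaluate_rule(ScheduledQueryRule(), make_sample_events(), SAMPLE_NOW):
        print(inc.title, [(a.ip_address, a.failed_logons) for a in inc.alerts])
```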

420
MCQmedium

Your organization uses Microsoft Sentinel to detect and respond to threats. You need to create an automation rule that automatically closes low-severity incidents after 24 hours of inactivity. The rule should apply to all analytics rules. What should you configure?

A.Create a playbook that runs on a schedule and closes incidents with low severity.
B.Use an Azure Logic App to query Sentinel for low-severity incidents older than 24 hours and close them.
C.Modify each analytics rule to set the incident expiration to 24 hours.
D.Create an automation rule with condition 'Severity equals Low' and action 'Close incident' after 24 hours.
AnswerD

Automation rules can close incidents based on conditions and time triggers.

Why this answer

Option D is correct because automation rules can trigger on incident creation or update, and you can set conditions (e.g., severity equals Low) and actions (e.g., close incident). The rule applies to all analytics rules when no specific rule is selected. Option A is wrong because playbooks are for complex automation; the simple close action can be done directly in an automation rule.

Option C is wrong because the 'expiration' setting belongs to scheduled rules, not to closing incidents. Option B is wrong because an Azure Logic App is not integrated into Sentinel automation rules except as a playbook.

421
MCQ · medium

A company uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources that are discovered, without manual intervention. Which feature should they configure?

A. Enable 'Auto provisioning' for the relevant extensions
B. Enable 'Remediation' for each policy assignment in the custom initiative
C. Enable 'Just-in-time (JIT) VM access'
D. Enable 'Workflow automation' to trigger a Logic App when non-compliance is detected
Answer: B

When you assign a policy with 'DeployIfNotExists' effect, you can enable remediation to automatically create and run remediation tasks to fix non-compliant resources.

Why this answer

Option B is correct because the 'Remediation' setting on a policy assignment in Azure Policy (used by Defender for Cloud custom initiatives) creates a managed identity and a remediation task that automatically applies the required encryption configuration to non-compliant resources. This ensures that when a storage account or SQL database is found without encryption, the policy engine triggers a deployment to enforce encryption without manual intervention.

Exam trap

The trap here is that candidates confuse 'Auto provisioning' (which installs agents for data collection) with automatic remediation of compliance policies, or they assume 'Workflow automation' directly fixes non-compliance when it only triggers a notification or custom action.

How to eliminate wrong answers

Option A is wrong because 'Auto provisioning' in Defender for Cloud installs extensions (like the Log Analytics agent) on VMs to collect security data, not to remediate encryption policies on storage or SQL resources. Option C is wrong because 'Just-in-time (JIT) VM access' controls network access to VMs by opening ports temporarily, which is unrelated to enforcing encryption compliance on storage accounts and SQL databases. Option D is wrong because 'Workflow automation' triggers a Logic App when non-compliance is detected, but it does not automatically remediate the resource; it only sends notifications or runs custom actions, requiring additional setup to perform remediation.

422
Multi-Select · hard

A web app uses Azure App Service and must access Azure SQL over a private IP without exposing SQL to the public internet. Which two components are required?

Select 2 answers
A. Private Endpoint for Azure SQL
B. Inbound NAT rule on Azure Load Balancer
C. DDoS Protection Basic only
D. Private DNS configuration for the privatelink SQL zone
Answers: A, D

Correct for the stated requirement.

Why this answer

A is correct because a Private Endpoint for Azure SQL assigns a private IP from your virtual network to the Azure SQL logical server, allowing the App Service to connect over a private IP without exposing the database to the public internet. This is the core component that brings the Azure SQL service into your virtual network privately.

Exam trap

The trap here is that candidates often think a Load Balancer or DDoS protection is needed for private connectivity, but the actual requirement is a Private Endpoint paired with proper Private DNS resolution to avoid public internet exposure.

423
MCQ · hard

You are the security engineer for a healthcare company that uses Azure to store electronic health records (EHR) in Azure Blob Storage. Compliance requires that all data be encrypted at rest with customer-managed keys stored in a hardware security module (HSM), that the storage account be accessible only from a specific virtual network, and that all access to the storage account be logged and sent to a central security information and event management (SIEM) system. Additionally, you must ensure that any blobs containing protected health information (PHI) are automatically labeled with a sensitivity label that prevents them from being shared externally. You have decided to use Azure Key Vault Managed HSM for key storage, Azure Private Endpoint for network access, and Azure Monitor for logging. However, you are unsure how to automatically apply sensitivity labels to blobs based on content inspection. Which service should you use to achieve automatic labeling of PHI data in Azure Blob Storage?

A. Microsoft Defender for Storage with sensitivity labeling integration
B. Azure Policy with custom policies to tag blobs containing PHI
C. Microsoft Purview Information Protection with auto-labeling policies for Azure Blob Storage
D. Microsoft Sentinel with analytics rules to detect PHI and apply labels via automation
Answer: C

Purview can scan blob content and automatically apply sensitivity labels based on data classification.

Why this answer

Microsoft Purview Information Protection can automatically classify and label sensitive data in Azure Blob Storage using content scanning and machine learning. Option C is correct. Option B is incorrect because Azure Policy enforces rules but does not inspect content for labeling.

Option D is incorrect because Microsoft Sentinel is a SIEM, not a labeling service. Option A is incorrect because Microsoft Defender for Storage provides threat detection but does not apply sensitivity labels.

424
MCQ · medium

A company wants to use Microsoft Defender for Cloud to continuously assess their Azure resources against the Microsoft cloud security benchmark (MCSB). They need to view the current compliance score and specific recommendations for failing controls. Which feature in Defender for Cloud should they use?

A. Security Policy
B. Regulatory Compliance dashboard
C. Secure Score
D. Workload Protections
Answer: B

The Regulatory Compliance dashboard (sometimes called Compliance) provides a view of compliance against standards like MCSB, including a score and detailed recommendations for controls that are not compliant.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud is specifically designed to assess resources against compliance standards like the Microsoft cloud security benchmark (MCSB). It provides a current compliance score, a breakdown of failing controls, and actionable recommendations to remediate those controls, directly meeting the company's requirement.

Exam trap

The trap here is confusing Secure Score (which shows overall security posture) with Regulatory Compliance (which shows adherence to a specific benchmark), leading candidates to pick Secure Score when the question explicitly asks for compliance against MCSB.

How to eliminate wrong answers

Option A is wrong because Security Policy defines the rules and initiatives applied to resources (e.g., allowed VM SKUs), but it does not display a compliance score or specific failing controls against a benchmark. Option C is wrong because Secure Score aggregates security posture based on security recommendations, but it is not tied to a specific compliance standard like MCSB and does not show per-control compliance status. Option D is wrong because Workload Protections focuses on advanced threat detection and protection for workloads (e.g., servers, databases), not on compliance assessment against benchmarks.

425
MCQ · medium

You need to protect Azure VM disks from unauthorized snapshot creation. Which configuration should you implement?

A. Assign the 'Reader' role to all users on the disk.
B. Apply a 'CanNotDelete' resource lock on the disk resource.
C. Configure Azure Backup for the VM.
D. Use Azure Policy to audit snapshot creation.
Answer: B

Resource locks prevent deletion and modification, including snapshot creation.

Why this answer

Azure resource locks prevent deletion or modification of resources, including snapshot creation. Option C is wrong because Azure Backup does not prevent snapshots. Option A is wrong because RBAC can still allow snapshot creation if the permissions are granted.

Option D is wrong because Azure Policy can audit but not prevent.

426
MCQ · medium

You executed the PowerShell script shown in the exhibit to set a token lifetime policy for an application. What is the effect on users accessing the application?

A. Session tokens expire after 1 hour
B. The policy applies to all applications in the tenant
C. Access tokens expire after 2 hours
D. Users are forced to reauthenticate every hour
Answer: C

The policy sets AccessTokenLifetime to 2 hours.

Why this answer

The PowerShell script sets an access token lifetime of 2 hours via the `New-AzureADPolicy` cmdlet with `TokenLifetimePolicy` type. This policy is then assigned to a specific service principal (application) using `Add-AzureADServicePrincipalPolicy`. Therefore, for users accessing that application, access tokens will expire after 2 hours, requiring a new token to be obtained once the lifetime is exceeded.

Exam trap

The trap here is that candidates confuse access token lifetime with session token lifetime or assume the policy applies tenant-wide, when in fact the `Add-AzureADServicePrincipalPolicy` cmdlet binds it to a specific application.

How to eliminate wrong answers

Option A is wrong because session tokens are not configured in this script; the `TokenLifetimePolicy` specifically controls access token lifetime, not session token lifetime, and the value set is 2 hours, not 1 hour. Option B is wrong because the policy is assigned to a single service principal via `Add-AzureADServicePrincipalPolicy`, making it application-specific, not tenant-wide. Option D is wrong because the policy does not force reauthentication; it only sets the access token lifetime to 2 hours, meaning users may still have a valid session token that allows silent token refresh without reauthentication.

427
MCQ · hard

Refer to the exhibit. You are assigning this Azure Policy to a management group. The goal is to automatically deploy the Azure Monitor Agent to Windows VMs that do not have it. However, after assignment, you notice that the policy is not deploying the agent. What is the most likely reason?

A. The effect parameter is set to 'AuditIfNotExists'.
B. The policy mode should be 'All' instead of 'Indexed'.
C. The policy is a built-in policy and cannot be assigned.
D. The policy definition is incomplete; it lacks the deployment specification for the DeployIfNotExists effect.
Answer: D

A DeployIfNotExists policy requires a 'deployment' block with the template to deploy the agent.

Why this answer

Option D is correct because the policy rule only checks whether the resource type is a virtual machine; it does not check whether the agent is already installed, so it would attempt to deploy on every VM, yet the deployment action itself is missing from the policy definition. The policy snippet shows only the condition and the effect; the actual deployment task (the 'deployment' property) is not included. Option A is wrong because the effect shown is 'DeployIfNotExists', which is allowed.

Option B is wrong because the policy mode 'Indexed' is correct for VMs. Option C is wrong because a built-in policy can be assigned to a management group.

428
Multi-Select · easy

Which TWO of the following are valid authentication methods in Microsoft Entra ID?

Select 2 answers
A. Temporary Access Pass
B. App registration
C. FIDO2 security key
D. Managed identity
E. Azure AD Connect
Answers: A, C

Temporary Access Pass is a time-limited password used for onboarding.

Why this answer

Temporary Access Pass (TAP) is a valid authentication method in Microsoft Entra ID that allows users to register passwordless methods (like FIDO2 or Microsoft Authenticator) by providing a time-limited passcode. It is designed for scenarios where users have forgotten their credentials or need to onboard new devices without a password. TAP is configured via the Authentication methods policy in Entra ID and supports both one-time use and configurable lifetimes.

Exam trap

The trap here is that candidates confuse identity infrastructure tools (like Azure AD Connect) or workload identities (like Managed identities) with user authentication methods, leading them to select options that are related to identity but not valid for user sign-in.

429
MCQ · hard

A company has multiple Azure virtual networks connected via VNet peering. They want to ensure that all traffic between the peered VNets is encrypted and that no traffic can bypass the encryption. Which configuration is required?

A. Enable Service Endpoint Policies
B. Use VPN Gateway with IPsec between VNets
C. VNet peering does not support encryption; use Global VNet peering
D. Enable Azure Firewall
Answer: B

Correct. A VPN Gateway configured with an IPsec tunnel provides encrypted communication between VNets, ensuring data is encrypted in transit.

Why this answer

VNet peering does not encrypt traffic between virtual networks by default. To enforce encryption for all traffic, you must use a VPN Gateway with IPsec/IKE policy configured between the peered VNets. This ensures that all traffic crossing the peering is encrypted and that no unencrypted path exists, meeting the requirement that no traffic can bypass encryption.

Exam trap

The trap here is that candidates assume VNet peering inherently encrypts traffic because it uses Microsoft's private backbone, but Azure does not enable encryption by default on peering; you must explicitly configure VPN Gateway with IPsec to achieve encrypted transit.

How to eliminate wrong answers

Option A is wrong because Service Endpoint Policies control access to Azure PaaS services (e.g., Storage, SQL) from specific subnets, not encryption of traffic between peered VNets. Option C is wrong because VNet peering does support encryption when combined with VPN Gateway IPsec; Global VNet peering extends peering across regions but still does not encrypt traffic by default. Option D is wrong because Azure Firewall provides network-level filtering and logging but does not encrypt traffic between VNets; it can inspect but not enforce encryption of transit traffic.

430
MCQ · easy

An organization requires that all Azure SQL Database connections from non-corporate networks must be blocked unless initiated through Azure Bastion. Which Microsoft Entra ID Conditional Access policy setting should be configured?

A. Block access
B. Require sign-in frequency
C. Require multifactor authentication (MFA)
D. Require device to be marked as compliant
Answer: A

Block access combined with a network location policy can block all access from non-corporate networks.

Why this answer

Option A is correct because the requirement is to block all Azure SQL Database connections from non-corporate networks unless they go through Azure Bastion. In Microsoft Entra ID Conditional Access, the 'Block access' control explicitly denies authentication requests that match the policy conditions. By configuring a policy that targets the Azure SQL Database application and includes conditions for non-corporate network locations, the 'Block access' grant effectively enforces the restriction, allowing only connections routed through Azure Bastion (which originates from a corporate network or a trusted IP).

Exam trap

The trap here is that candidates often confuse network-based access control with authentication or device compliance controls, mistakenly selecting 'Require multifactor authentication' or 'Require device to be marked as compliant' instead of the explicit 'Block access' grant that directly enforces the network restriction.

How to eliminate wrong answers

Option B is wrong because 'Require sign-in frequency' controls how often users must re-authenticate, not whether access is permitted from specific networks; it does not block connections from non-corporate networks. Option C is wrong because 'Require multifactor authentication (MFA)' adds an additional authentication factor but does not prevent access from non-corporate networks; users could still connect from those networks after completing MFA. Option D is wrong because 'Require device to be marked as compliant' enforces device health policies but does not restrict access based on network location; a compliant device on a non-corporate network would still be allowed.

431
MCQ · easy

You need to protect Azure VMs from ransomware by ensuring that encrypted file systems cannot be read by attackers. Which solution should you implement?

A. Apply network security groups (NSGs) to block unauthorized access.
B. Configure Azure Backup for the VMs.
C. Enable Azure Disk Encryption on the VMs.
D. Enable Microsoft Defender for Cloud on the subscription.
Answer: C

Azure Disk Encryption encrypts disks at rest, mitigating ransomware impact.

Why this answer

Azure Disk Encryption uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt the OS and data disks, protecting against offline attacks. Option D is wrong because Defender for Cloud is for threat detection, not encryption. Option B is wrong because Azure Backup provides recovery, not encryption.

Option A is wrong because NSGs control network traffic, not disk encryption.

432
MCQ · easy

Your company is using Microsoft Sentinel to monitor security events. You need to ensure that all incidents generated in Sentinel are automatically sent to a third-party ticketing system via a webhook. Which Sentinel feature should you configure?

A. Create an automation rule that runs a playbook when an incident is created.
B. Use a watchlist to map incidents to ticketing system IDs.
C. Create a workbook that exports incidents to the ticketing system.
D. Configure a data connector to the ticketing system.
Answer: A

Automation rules can trigger playbooks that use webhooks.

Why this answer

Option A is correct because automation rules can trigger a playbook that uses a webhook. Option C is wrong because workbooks are for visualization. Option D is wrong because data connectors ingest data.

Option B is wrong because watchlists are for reference data.

433
MCQ · hard

An analyst investigates a Defender for Cloud alert for suspicious process execution on a VM. Which next step best preserves evidence while enabling deeper endpoint investigation?

A. Delete the VM immediately to stop the process
B. Pivot to Microsoft Defender for Endpoint device timeline and isolate the device if containment is required
C. Disable all analytics rules in Sentinel
D. Rotate every subscription key before reviewing the process tree
Answer: B

Correct for the stated requirement.

Why this answer

Option B is correct because pivoting to the Microsoft Defender for Endpoint device timeline allows the analyst to investigate the suspicious process execution in a forensically sound manner without disrupting the live environment. Isolating the device from the network, if needed, contains the threat while preserving volatile evidence such as running processes, memory, and registry state. This approach aligns with incident response best practices and leverages Defender for Endpoint's deep endpoint visibility.

Exam trap

The trap here is that candidates may confuse immediate containment with evidence preservation, mistakenly choosing to delete or disable resources instead of using the platform's native investigation and isolation capabilities.

How to eliminate wrong answers

Option A is wrong because deleting the VM immediately destroys all volatile evidence (memory, running processes, network connections) and prevents any forensic analysis or root cause determination. Option C is wrong because disabling analytics rules in Microsoft Sentinel does not preserve evidence or aid investigation; it only stops future alert generation, potentially allowing the threat to propagate undetected. Option D is wrong because rotating subscription keys is a credential hygiene action unrelated to endpoint investigation and does not preserve process execution evidence or enable containment.

434
MCQ · hard

A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted using IPsec and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?

A. Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy.
B. Deploy an Azure VPN Gateway in each VNet and create a site-to-site VPN connection between them.
C. Configure a network security group (NSG) rule on each subnet to deny traffic that is not IPsec encapsulated.
D. Enable 'Allow gateway transit' on VNet-A and 'Use remote virtual network gateways' on VNet-B, and then create a VPN gateway in VNet-A.
Answer: A

Azure virtual network encryption (currently in preview) encrypts all traffic between VNets using IPsec. Enabling it on both sides ensures traffic is encrypted.

Why this answer

Option A is correct because Azure Virtual Network Encryption provides a platform-level encryption mechanism that encrypts all traffic between virtual networks, including VNet peering traffic, without requiring a VPN gateway. Enabling this feature on both VNets and configuring the encryption policy ensures that all inter-VNet traffic is encrypted using IPsec, and since it is enforced at the infrastructure level, no traffic can bypass the encryption. The 'Use remote virtual network gateways' setting alone does not encrypt traffic; it only allows a VNet to use a remote gateway for transit routing.

Exam trap

The trap here is that candidates often assume that enabling 'Use remote virtual network gateways' on VNet peering automatically encrypts traffic, when in fact it only allows gateway transit and does not provide any encryption; the real solution is Azure Virtual Network Encryption, which is a separate feature that must be explicitly enabled.

How to eliminate wrong answers

Option B is wrong because deploying Azure VPN Gateways and creating a site-to-site VPN connection would encrypt traffic between the VNets, but it does not prevent unencrypted traffic from flowing through the VNet peering if the peering is still active; the question requires that no traffic can bypass encryption, and a VPN gateway does not disable the existing peering path. Option C is wrong because NSG rules operate at the network layer and cannot inspect or enforce IPsec encapsulation; they can only filter based on IP addresses, ports, and protocols, not the presence of IPsec headers, so they cannot ensure that all traffic is encrypted. Option D is wrong because enabling 'Allow gateway transit' and 'Use remote virtual network gateways' allows a VNet to use a VPN gateway in another VNet for outbound connectivity, but it does not encrypt traffic between the VNets themselves; the peering traffic remains unencrypted unless Azure Virtual Network Encryption or a direct VPN connection is configured.

435
Multi-Select · medium

Which TWO actions should you take to secure a virtual network in Azure? (Choose two.)

Select 2 answers
A. Apply network security groups (NSGs) to subnets.
B. Configure Azure DNS zones.
C. Deploy Azure Bastion for VM access.
D. Implement Azure Firewall for perimeter control.
E. Set up Azure Monitor alerts.
Answers: A, D

NSGs filter traffic at the subnet/NIC level.

Why this answer

Options A and D are correct because NSGs and Azure Firewall are key network security controls. Option B is wrong because Azure DNS does not secure the network. Option C is wrong because Azure Bastion is for secure access, not network security.

Option E is wrong because Azure Monitor is for monitoring, not security.

436
MCQ · medium

Your organization uses Microsoft Defender for Cloud with the CSPM plan enabled. You need to ensure that all Azure subscriptions have Microsoft Defender for Cloud's auto-provisioning enabled for the Log Analytics agent. Which Azure Policy initiative should you assign?

A. Configure backup on virtual machines
B. CIS Microsoft Azure Foundations Benchmark
C. Azure Security Benchmark
D. Deploy Log Analytics agent for Microsoft Defender for Cloud
Answer: D

This initiative contains policies to deploy the Log Analytics agent automatically to VMs for Defender for Cloud.

Why this answer

The Azure Policy initiative 'Deploy Log Analytics agent for Microsoft Defender for Cloud' includes policies to auto-provision the Log Analytics agent on VMs. Option D is correct. Option C is a built-in initiative for general security configuration, not specifically for auto-provisioning.

Option B is for regulatory compliance. Option A is for Azure Backup.

437
MCQ · medium

Your organization has deployed a multi-region web application using Azure Front Door with WAF policies. The backend origins are Azure App Services in two regions. Recently, a security audit revealed that the WAF is not blocking certain SQL injection attacks. You have identified that the WAF policy is configured in 'Detection' mode instead of 'Prevention' mode. However, the application team is concerned that changing to 'Prevention' mode might block legitimate traffic. You need to switch to 'Prevention' mode while minimizing false positives. Additionally, you want to ensure that any blocked requests are logged for analysis. What should you do?

A. Change the WAF policy to Prevention mode and enable logging.
B. Use the WAF policy's Bot Protection rule set and Prevention mode.
C. Enable rate limiting in the WAF policy and switch to Prevention mode.
D. Create a custom WAF policy with SQL injection rules in Prevention mode, and enable diagnostic logs.
Answer: D

Custom rules allow tuning to reduce false positives, and logs capture blocked requests.

Why this answer

Option D is correct because using a WAF policy in Prevention mode with custom rules for the SQL injection signatures allows fine-tuning, and enabling diagnostic logs captures blocked requests. Option C is wrong because rate limiting does not address SQL injection. Option A is wrong because changing the mode without custom rules may cause false positives.

Option B is wrong because Bot Protection does not address SQL injection.

438
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure resources. They want to enforce that when a user activates the Contributor role for a specific resource group, they must provide a ticket number as justification and the activation is limited to 4 hours. Which PIM settings should they configure?

A. Configure the role settings for the Contributor role under the resource group in PIM
B. Create a Conditional Access policy for the Privileged Role Administrator role
C. Use Azure AD access reviews to review active role assignments
D. Modify the Azure AD tenant-wide role activation settings
Answer: A

Role settings in PIM are per-role per-scope. By editing the settings for the Contributor role on that resource group, you can require justification and set a maximum activation duration.

Why this answer

Option A is correct because Azure AD PIM allows role settings to be configured at the resource group scope. By editing the role settings for the Contributor role under that specific resource group, you can require justification (e.g., a ticket number) and set a maximum activation duration (e.g., 4 hours). These settings apply only when users activate the role for that resource group via PIM.

Exam trap

The trap here is that candidates confuse Azure AD role activation settings (tenant-wide) with Azure resource role activation settings (scope-specific), leading them to incorrectly select Option D, which only applies to Azure AD administrative roles, not Azure RBAC roles like Contributor on a resource group.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies are used to enforce access controls like MFA or device compliance during sign-in, not to configure PIM activation requirements like justification or duration. Option C is wrong because Azure AD access reviews are for periodic review of role assignments, not for setting activation parameters such as ticket number or time limit. Option D is wrong because Azure AD tenant-wide role activation settings apply to Azure AD roles (e.g., Global Administrator), not to Azure resource roles like Contributor at the resource group level.

439
MCQ · easy

A company uses Microsoft Defender for Cloud to protect their Azure virtual machines. They have enabled the integrated vulnerability assessment (VA) solution on all VMs. The security team wants to receive an alert when a VM is found to have a vulnerability rated as 'Critical' by the VA solution. Which Defender for Cloud plan must be enabled on the subscription?

A. Defender for Servers Plan 1
B. Defender for Servers Plan 2
C. Defender for SQL
D. Defender for App Service
Answer: B

Plan 2 includes the integrated VA solution and provides alerts for critical vulnerabilities.

Why this answer

Defender for Servers Plan 2 is required because it includes the integrated vulnerability assessment (VA) solution powered by Qualys, which provides continuous scanning and alerts for critical vulnerabilities. Plan 1 only offers basic threat detection and does not include the VA solution or the ability to generate alerts based on vulnerability severity ratings.

Exam trap

The trap here is that candidates often confuse Defender for Servers Plan 1 with Plan 2, assuming both include the integrated VA solution, but Plan 1 only offers basic threat detection without vulnerability assessment capabilities.

How to eliminate wrong answers

Option A is wrong because Defender for Servers Plan 1 provides only basic threat detection and does not include the integrated vulnerability assessment (VA) solution; it cannot generate alerts for critical vulnerabilities. Option C is wrong because Defender for SQL is designed to protect Azure SQL databases, not Azure virtual machines, and does not include a VA solution for VMs. Option D is wrong because Defender for App Service is focused on protecting web applications running on Azure App Service, not virtual machines, and lacks the VM-specific vulnerability assessment capabilities.

440
MCQ · medium

Your company uses Microsoft Entra ID with P2 licenses. You need to implement a policy that automatically revokes access for users who are detected as high risk by Microsoft Entra ID Protection. The policy must allow users to self-remediate by performing MFA. What should you configure?

A. Enable the 'Require password change' user risk policy in ID Protection.
B. Create a Conditional Access policy that requires MFA for users with high user risk.
C. Configure a sign-in risk policy in Microsoft Entra ID Protection to require MFA.
D. Configure a user risk policy in Microsoft Entra ID Protection to block access.
Answer: B

Allows high-risk users to satisfy MFA and regain access, while blocking if they fail MFA.

Why this answer

A Conditional Access policy with the 'Require multifactor authentication' grant and the 'High' user risk condition allows users to self-remediate via MFA while blocking access if high risk is detected and MFA is not completed. Option A is wrong because the user risk policy in ID Protection triggers an automatic password change or block, not user self-remediation via MFA. Option C is wrong because a sign-in risk policy evaluates sign-in risk, not user risk.

Option D is wrong because it blocks access without self-remediation.

441
Multi-Select · hard

Your company has an Azure subscription with multiple virtual networks (VNets) connected via VNet peering. You need to filter traffic between VNets based on source IP addresses and ports. You want a managed solution that provides stateful inspection and centralized logging. Which TWO solutions meet the requirements?

Select 2 answers
A. Azure Firewall
B. Network Security Groups (NSGs)
C. Azure VPN Gateway
D. Network Virtual Appliance (NVA) from a partner
E. Azure Front Door
Answers: A, D

Azure Firewall is a managed, stateful firewall with centralized logging and network filtering.

Why this answer

Option A is correct because Azure Firewall provides stateful inspection, network filtering based on source IP and port, and centralized logging. Option D is correct because Network Virtual Appliances (NVAs) from partners can provide similar capabilities. Option B is wrong because NSGs are stateful but are not managed centrally and do not provide centralized logging for cross-VNet traffic.

Option E is wrong because Azure Front Door is a global load balancer, not a VNet-to-VNet filtering solution. Option C is wrong because VPN Gateway provides encrypted connectivity, not traffic filtering.

442
MCQ · medium

Your company hosts a web application on Azure Virtual Machines. You need to ensure that all disks attached to the VMs are encrypted. You plan to use Azure Disk Encryption. What should you configure first?

A. Assign a system-assigned managed identity to the VMs
B. Configure a network security group to allow encryption traffic
C. Create an Azure Key Vault and configure a key encryption key
D. Enable Azure Backup on the VMs
Answer: C

Azure Disk Encryption requires a Key Vault to store the encryption keys or secrets.

Why this answer

Azure Disk Encryption requires a Key Vault to hold the encryption secrets, optionally protected by a key encryption key (KEK), so Option C is correct. Option A is wrong because managed identities are used for authentication, not for disk encryption.

Option B is wrong because network security groups are unrelated to disk encryption. Option D is wrong because Azure Backup is for backup, not encryption.

443
Multi-Select · easy

Your company uses Microsoft Defender for Cloud to protect Azure resources. You need to enable the enhanced security features (formerly Azure Defender) for all supported resource types. Which TWO plans should you enable? (Choose TWO that apply.)

Select 2 answers
A. Servers
B. Azure Active Directory
C. Microsoft 365 Defender
D. Microsoft Sentinel
E. Cloud Security Posture Management (CSPM)
Answers: A, E

Correct. The Servers plan provides threat protection for VMs.

Why this answer

Options A and E are correct. The 'Servers' plan covers Azure VMs and on-premises servers. The 'Cloud Security Posture Management (CSPM)' plan is the foundational plan that includes secure score, recommendations, and compliance.

Option B is wrong because 'Azure Active Directory' is not a separate plan within Defender for Cloud; identity protection is covered by Microsoft Defender for Identity. Option D is wrong because 'Microsoft Sentinel' is a separate service. Option C is wrong because 'Microsoft 365 Defender' is a separate product.

444
MCQ · hard

A Sentinel rule using a threat intelligence table fires on stale indicators that expired last week. What should be added to the query?

A. A union with Usage
B. A sort by Description
C. A project-away of ConfidenceScore
D. A filter for active indicators whose expiration time is in the future
Answer: D

Correct for the stated requirement.

Why this answer

The rule fires on stale indicators because the query lacks a filter to exclude expired threat intelligence entries. Adding a filter for active indicators whose expiration time is in the future ensures that only current, valid indicators trigger the rule, preventing false positives from outdated data.

Exam trap

The trap here is that candidates may think removing a column (project-away) or sorting data addresses the root cause of stale data, rather than recognizing that a row-level filter is required to exclude expired indicators.

How to eliminate wrong answers

Option A is wrong because a union with Usage would combine data from the Usage table, which tracks billing or resource consumption, not threat intelligence expiration, and does not filter out stale indicators. Option B is wrong because sorting by Description merely reorders results without excluding expired indicators; it does not affect which rows are returned. Option C is wrong because projecting away ConfidenceScore removes a column but does not filter rows; the query would still return stale indicators regardless of confidence score.

445
MCQ · easy

Your security team wants to use Microsoft Defender for Cloud's 'Just-In-Time (JIT) VM access' to reduce the attack surface. Which Azure policy must be enabled on the subscription to use JIT?

A. Microsoft Defender for Databases
B. Microsoft Defender for Servers
C. Microsoft Defender for Storage
D. Microsoft Defender for Key Vault
Answer: B

JIT VM access is part of Defender for Servers.

Why this answer

JIT VM access is a feature of Microsoft Defender for Cloud's Cloud Workload Protection Platform (CWPP) and requires the 'Servers' plan to be enabled, so Option B is correct. Option A is for databases.

Option C is for storage. Option D is for Key Vault.

446
MCQ · easy

A company deploys Azure virtual machines in a virtual network. A security policy requires that only Remote Desktop Protocol (RDP) traffic from the corporate VPN's public IP address (203.0.113.0/26) is allowed. All other inbound RDP traffic must be denied. Which configuration should be applied to the network security group (NSG) associated with the VM subnet?

A. Add an inbound rule to allow RDP from the Internet and a deny rule for RDP from the corporate IP.
B. Add an inbound rule to deny RDP from the corporate IP and a default deny all inbound.
C. Add an inbound rule to allow RDP from the corporate IP range, and add a default deny rule for all other inbound RDP traffic.
D. No additional rules are needed because the default NSG rules already deny RDP.
Answer: C

This correctly allows RDP from the corporate IP and denies RDP from all other sources. The deny rule should have a higher priority number (lower priority) than the allow rule.

Why this answer

Option C is correct because the requirement is to allow RDP (TCP port 3389) only from the corporate VPN's public IP range (203.0.113.0/26) and deny all other inbound RDP traffic. An NSG processes rules in priority order; by adding an inbound allow rule for the corporate IP range with a high priority (e.g., 100) and relying on the default deny rule (which denies all inbound traffic not explicitly allowed), only RDP from the specified range is permitted. This matches the security policy precisely.

Exam trap

The trap here is that candidates often forget that NSGs have default rules that allow inbound traffic from the virtual network and Azure load balancer, and they mistakenly think a default deny rule already blocks all RDP, when in fact you must explicitly allow the specific source IP and rely on the default deny to block everything else.

How to eliminate wrong answers

Option A is wrong because it allows RDP from the Internet (which violates the policy) and then denies RDP from the corporate IP (which would block the allowed traffic). Option B is wrong because it denies RDP from the corporate IP (the only source that should be allowed) and relies on a default deny all inbound, which would block all RDP traffic entirely. Option D is wrong because the default NSG rules allow inbound RDP from the virtual network and Azure load balancer, but not from the Internet; they do not restrict RDP to a specific public IP range, so additional rules are required.
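The priority-ordered evaluation described above, as an added worked example that is not part of this question bank: a small simulator of inbound NSG rule processing, with the three default inbound rules Azure adds to every NSG (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) and the two custom rules from Option C. The rule names and the CIDRs used to stand in for the VirtualNetwork service tag are constructed for the example; the corporate range 203.0.113.0/26 and port 3389 come from the question. It also shows what goes wrong when the deny rule is given a lower priority number than the allow rule, and why an explicit RDP deny still matters even though a default deny exists.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int   # custom rules use 100-4096; a LOWER number is evaluated FIRST
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*", or a service tag name
    dest_port: str  # single port as a string, or "*"


# Constructed stand-ins for service tags (assumption: the VNet uses RFC 1918 space;
# 168.63.129.16 is the well-known Azure health-probe source for the load balancer).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

# The default inbound rules present in every NSG; they cannot be deleted, only overridden
# by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def option_c_rules() -> List[NsgRule]:
    """Option C: allow RDP only from the corporate VPN range, then deny all other RDP.
    The deny carries a HIGHER priority number (110) than the allow (100), so the allow wins
    for corporate sources and the deny catches everything else."""
    return [
        NsgRule("AllowRdpFromCorpVpn", 100, "Allow", "Tcp", "203.0.113.0/26", "3389"),
        NsgRule("DenyAllOtherRdp", 110, "Deny", "Tcp", "*", "3389"),
    ]


def misordered_rules() -> List[NsgRule]:
    """Same two rules with the priorities swapped: the deny is now evaluated first."""
    return [
        NsgRule("AllowRdpFromCorpVpn", 110, "Allow", "Tcp", "203.0.113.0/26", "3389"),
        NsgRule("DenyAllOtherRdp", 100, "Deny", "Tcp", "*", "3389"),
    ]


def allow_only_rules() -> List[NsgRule]:
    """Only the allow rule, relying on DenyAllInBound for everything else."""
    return [NsgRule("AllowRdpFromCorpVpn", 100, "Allow", "Tcp", "203.0.113.0/26", "3389")]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    cidrs = SERVICE_TAGS.get(rule_source, [rule_source])
    return any(ip_address(src_ip) in ip_network(c) for c in cidrs)


def evaluate(custom_rules: List[NsgRule], src_ip: str, protocol: str, port: int) -> Tuple[str, str]:
    """Return (access, matching rule name) for one inbound flow.
    Rules are processed in ascending priority order and the first match is final."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(port)):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    return "Deny", "(no rule matched)"  # unreachable: DenyAllInBound always matches


if __name__ == "__main__":
    for label, rules in (("Option C", option_c_rules()),
                         ("misordered", misordered_rules()),
                         ("allow only", allow_only_rules())):
        for src in ("203.0.113.10", "203.0.113.100", "198.51.100.5", "10.0.1.4"):
            print(f"{label:11} RDP from {src:15} -> {evaluate(rules, src, 'Tcp', 3389)}")
```

Running the block shows the three lessons from the explanation: with Option C's ordering, RDP from 203.0.113.10 is allowed and every other source (including 203.0.113.100, which lies outside the /26) hits the explicit deny; with the priorities swapped, the deny is matched first and even the corporate VPN is blocked; and with the allow rule alone, an RDP attempt from inside the VNet (10.0.1.4) is let through by the default AllowVnetInBound rule at 65000 before DenyAllInBound at 65500 is ever reached, which is why the policy's "all other inbound RDP traffic must be denied" needs the explicit deny rule.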

447
Multi-Select · hard

Which THREE of the following can be used to provide just-in-time (JIT) privileged access to Azure resources?

Select 3 answers
A. Conditional Access
B. Privileged Access Groups (PAG)
C. Azure Bastion with just-in-time access
D. Microsoft Entra Privileged Identity Management (PIM)
E. Azure RBAC role assignment
Answers: B, C, D

PAG allows JIT membership.

Why this answer

Privileged Access Groups (PAG) allow you to manage just-in-time (JIT) access by assigning users to a group that has time-bound, activated roles. When a user activates their membership in a PAG via Microsoft Entra Privileged Identity Management (PIM), they receive the necessary permissions for a specified duration, providing JIT privileged access to Azure resources.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access conditions) with just-in-time elevation, or think that any RBAC assignment can be made JIT, when in fact only PIM-based activation (including PAG) provides the time-bound, approval-based elevation required for JIT privileged access.

448
Multi-Select · hard

A Defender for Cloud alert indicates possible credential theft on a VM. Which two response actions are sensible early containment steps?

Select 2 answers
A. Isolate the affected endpoint or restrict network access if business impact allows
B. Delete all Log Analytics workspaces
C. Reset or revoke suspected compromised credentials
D. Disable Microsoft Defender for Endpoint onboarding
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because isolating the affected VM or restricting its network access is a fundamental containment step that prevents the attacker from using the compromised credentials to move laterally or exfiltrate data. In Defender for Cloud, this can be achieved by applying a Just-In-Time (JIT) VM access policy or by using network security groups (NSGs) to block all inbound/outbound traffic to the VM, effectively stopping the attack in its tracks while preserving forensic evidence.

Exam trap

The trap here is that candidates may confuse 'containment' with 'remediation' and choose to delete workspaces or disable security tools, which are destructive or counterproductive actions, rather than the correct containment step of network isolation.

449
MCQ · hard

Your organization uses Microsoft Entra ID and has several applications registered. You need to ensure that only specific applications can call a particular web API. The web API is also registered in Microsoft Entra ID. What should you configure?

A. Configure an app role assignment policy for the web API.
B. Set a token lifetime policy on the web API to accept tokens only from approved client applications.
C. Create a Conditional Access policy targeting the web API and require that the client application is managed.
D. In the web API's application registration, configure the 'expose an API' blade to define scopes, and then pre-authorize the specific client applications in the web API's manifest.
Answer: D

Pre-authorization allows the API to accept tokens from specified client apps.

Why this answer

Option D is correct because pre-authorizing specific client applications in the web API's manifest (via the 'expose an API' blade) explicitly grants those clients permission to call the API without requiring user consent. This ensures that only the listed applications can acquire tokens for the API, as the API's application registration defines the scopes and pre-authorizations that control access.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control user access) with application-level permission restrictions, leading them to select Option C, even though Conditional Access cannot filter which client applications can call an API.

How to eliminate wrong answers

Option A is wrong because an app role assignment policy controls which users or groups can be assigned to app roles, not which client applications can call the API. Option B is wrong because token lifetime policies control the lifespan of tokens (e.g., access or refresh tokens), not which client applications are allowed to call the API. Option C is wrong because Conditional Access policies control user access conditions (e.g., device compliance, location) and cannot restrict which client applications can call an API; they apply to users and sign-in risk, not to application-level permissions.

450
MCQ · easy

You are evaluating Microsoft Defender for Cloud's cloud security posture management (CSPM) capabilities. You need to identify misconfigurations across your Azure, AWS, and GCP environments. What should you enable?

A. Ingest logs from AWS and GCP into Microsoft Sentinel.
B. Create Azure Policy assignments for AWS and GCP resources.
C. Deploy Azure Arc on VMs in AWS and GCP.
D. Enable the 'Defender for Cloud' multicloud connector for AWS and GCP.
Answer: D

This allows CSPM for AWS and GCP resources alongside Azure.

Why this answer

Defender for Cloud's multicloud environment settings allow you to connect AWS and GCP accounts to Azure for unified CSPM, so Option D is correct. Option C is wrong because Azure Arc projects on-premises or other-cloud servers into Azure for management; it does not assess the cloud accounts themselves. Option A is wrong because Microsoft Sentinel is a SIEM, not a CSPM tool.

Option B is wrong because Azure Policy applies only to Azure resources.
